carnal0wnage [Shared Reader]

Tuesday, May 29, 2012

From LOW to PWNED [12] Trace.axd

Post [12] Trace.axd


"Trace.axd is an Http Handler for .Net  that can be used to view the trace details for an application. This file resides in the application’s root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit=”[n]” in the application’s configuration file."
http://www.ucertify.com/article/what-is-traceaxd.html

It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information—the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd.
http://www.dotnetperls.com/trace
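
A configuration check for the settings described above, as an added example that is not part of the original post: it reads a web.config and reports when tracing is enabled and whether trace.axd is reachable by remote clients. The two sample configs are constructed; the attribute defaults assumed in the code (enabled=false, localOnly=true, pageOutput=false, requestLimit=10) are the ASP.NET defaults.

```python
import xml.etree.ElementTree as ET

# Constructed web.config samples (illustrative, not from the post).
EXPOSED = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="true" requestLimit="40" />
  </system.web>
</configuration>"""

HARDENED = """<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>"""


def _flag(element, name, default):
    """Read a boolean attribute, falling back to the ASP.NET default."""
    return element.get(name, default).strip().lower() == "true"


def audit_trace(config_xml):
    """Return findings for each <system.web>/<trace> element in a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    for system_web in root.iter("system.web"):
        for trace in system_web.findall("trace"):
            if not _flag(trace, "enabled", "false"):
                continue  # tracing disabled, nothing is recorded
            limit = trace.get("requestLimit", "10")
            if _flag(trace, "localOnly", "true"):
                findings.append("INFO: tracing on, trace.axd restricted to localhost")
                continue
            findings.append(
                f"HIGH: trace.axd readable remotely, last {limit} requests exposed")
            if _flag(trace, "pageOutput", "false"):
                findings.append("MEDIUM: trace table appended to pages for remote visitors")
    return findings


if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_trace(sample) or "no findings")
```
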

LOW? Actually a Medium.




What can I do with it?

  • Read ALL variables and data from HTTP requests
  • POST requests rock!

Discovery?

  • Metasploit
  • Vuln Scanners

Metasploit

Example

Main trace.axd page

Viewing a request

Post request with creds

-CG


Friday, May 25, 2012

From LOW to PWNED [11] Honorable Mention: Open NFS

Post [11] Honorable Mention: Open NFS

Open NFS mounts/shares are awesome. Talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions, so checking to see what's shared and what you can access is important.

Low? Currently an "info" with Nessus 5.


Anyway, you probably want to know about finding it. You have a few options.

Standard portscanning (of course)

1. scan for port 111/2049
2. do showmount -e / showmount -a
3. metasploit module

Example:
[root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/  (everyone)
/export/mnt/   (everyone)
/export/share/ (everyone)


3. look to see what's exported and who is mounting ("everyone" FTW)


To mount an NFS share use the following after first creating a directory on your local machine:

[root@attacker ~]# mount -t nfs 192.168.0.1:/export/home /tmp/badperms

Change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1.

To abuse NFS you can check out the rest at http://www.vulnerabilityassessment.co.uk/nfs.htm, which talks about tricking NFS to become users. I'm going to put it here in case it goes missing later:

"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and sleight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read.  The one thing the system will give you is the owner's UID on the remote system after issuing an ls -al command i.e.

-rwxr----- 517 wheel 898 daves_secret_doc

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into dave's directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks you're his dave, hey presto you can now do whatever you want with daves_secret_doc."

NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy
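
The server-side view of the problem quoted above, as an added example that is not from the original post or the quoted page: an audit of /etc/exports that flags exports to everyone and exports using the default AUTH_SYS security flavor, where the server trusts whatever UID the client presents. The exports content is constructed to mirror the showmount output earlier in the post, and the parser assumes simple one-line entries (no quoted paths or line continuations).

```python
import re

# Constructed /etc/exports content, modelled on the showmount output above.
SAMPLE_EXPORTS = """\
# home directory backups
/export/home   *(rw,sync)
/export/mnt    192.168.0.0/24(rw,no_root_squash)
/export/share  backup01(ro,sec=krb5p) (rw)
"""

SPEC = re.compile(r"([^()]*)(?:\(([^)]*)\))?")


def parse_exports(text):
    """Yield (path, client, options) per client spec (simple exports(5) lines)."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or ["*"]:      # no client listed: exported to everyone
            match = SPEC.fullmatch(spec)
            if match is None:
                continue
            client = match.group(1) or "*"   # a bare "(rw)" also means everyone
            options = {o for o in (match.group(2) or "").split(",") if o}
            yield path, client, options


def audit_exports(text):
    """Return (path, client, issue) tuples for risky export settings."""
    findings = []
    for path, client, options in parse_exports(text):
        flavors = {f for o in options if o.startswith("sec=")
                   for f in o[4:].split(":")} or {"sys"}   # sys is the default
        if client == "*":
            findings.append((path, client, "exported to everyone"))
            if "rw" in options:
                findings.append((path, client, "writable by everyone"))
        if "sys" in flavors:
            findings.append((path, client, "AUTH_SYS: client-supplied UID is trusted"))
        if "no_root_squash" in options:
            findings.append((path, client, "remote root is not squashed"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(*finding, sep="  ")
```

Note that root_squash only remaps UID 0, so it does not stop the non-root UID matching described in the quote; restricting the client list and requiring a Kerberos flavor (sec=krb5, krb5i or krb5p) are what remove the trust in client-supplied UIDs.
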

nmap scripts to do additional info gathering

nfs-ls
nfs-showmount
nfs-statfs

Valsmith and hdmoore gave their tactical exploitation talk at defcon 15 and talked about NFS (file services section of the slides / video / white paper). They also gave it at blackhat in a much longer format; unfortunately the video is broken into multiple 14 minute parts, so go Google for it (lazy).

Fun Reading:
Swiss Cyber Storm II Case: NFS Hacking: http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf

Monday, May 21, 2012

From LOW to PWNED [10] Honorable Mention: FCKeditor

Post [10] Honorable Mention: FCKeditor

FCKeditor is bundled with seemingly everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.

Examples:

http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/

Big ol' list on Exploit-DB

CVEdetails on FCKeditor.

LOW?

Actually most FCKeditor checks in Nessus that I found were either Medium or High (hence honorable mention and not in the talk).



There is a good write-up of a classic case of FCKEditor abuse here:

http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf

Google Dorks


inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php

Friday, May 18, 2012

From LOW to PWNED [9] Apple Filing Protocol (AFP)

Post [9] Apple Filing Protocol (AFP)

The Apple Filing Protocol (AFP) is a network protocol that offers file services for Mac OS X and original Mac OS. In Mac OS X, AFP is one of several file services supported including Server Message Block (SMB), Network File System (NFS), File Transfer Protocol (FTP), and WebDAV.
http://en.wikipedia.org/wiki/Apple_Filing_Protocol

Lives on TCP port 548

LOW?




What can I do with it?

  • Read access to files/folders (always fun)
  • Write access (sometimes)

Discovery?

  • Vuln scanners (duh)
  • Nmap scripts
    • afp-showmount
    • afp-serverinfo
    • afp-ls
    • afp-brute
    • afp-path-vuln (directory traversal exploit)

Nmap examples


Connecting to AFP servers

Super easy if you have a Mac.
On Linux you can use afpfs-ng.



Windows? Dunno. Don't think so...



Tuesday, May 15, 2012

PowerShell, Shellcode, metasploit, x64

This is a quick blog post based on my slides from the May 2012 NovaHackers Meeting

Two posts got me started looking at PowerShell and its ability to execute shellcode

http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html

and

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html


The first post talks about executing shellcode and gives the calc.exe example. These examples work on x64 and x86. yay!


The second post talks about doing something more than calc.exe...getting shell whooo hooooo

You can review the code but it only shows an x86/32-bit shellcode. This will fail miserably on x64.


I initially thought it would be an easy fix, just grab an x64 payload from MSF. Problem is there are no x64 http/https payloads...


CG was a sad panda.



This left me with two options:

Suck it up and use an existing x64 payload (like rev_tcp) or just pop calc.exe to prove how awesome I am during pentests

or

Invoke 32 bit PowerShell and run 32 bit shellcode (now we get http/https payloads)

So googling turned up a way to tell PowerShell to use the x86 version even on x64. The solution I used was here: http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx

You will need to set the execution policy for v1.0 powershell, or possibly try a bypass technique.

I ended up adding this to Nicolas' code before it started doing its thing (line 24). It detects if it's not x86 and just runs the shellcode with the x86 PowerShell. You'll have to set the execution policy for it first.


[Byte[]]$sc = $sc32
# If not already running as x86, re-launch this same script under the 32-bit (SysWOW64) PowerShell
if ($env:Processor_Architecture -ne "x86")
{
    write-warning "WTF!  This is 64x, switching to 32x and continuing script."
    &"$env:windir\syswow64\windowspowershell\v1.0\powershell.exe" -noprofile -file $myinvocation.Mycommand.path -executionpolicy bypass
    exit
}


Now it works.



Remember that you have to migrate out of the PowerShell process.
Much like the Office macro and shellcode exec, if the user closes Office, or you close/exit the PowerShell process, the shell goes bye-bye.

References:

http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx



Monday, May 14, 2012

From LOW to PWNED [8] Honorable Mention: Log File Injection

Post [8] Honorable Mention: Log File Injection

So this didn't make it into the talk, but was in the hidden slides...

Not positive this is a "low" but a friend suggested it, so here you go.

Goes like this:
Request gets logged
Something malicious gets written, commonly something like a one-line PHP backdoor

  1. Use an LFI vulnerability to browse to the page and get a shell
    1. Example 1: Php Shell Injection On A Website Through Log Poisoning http://www.securitytube.net/video/167
    2. Rails 3.0.5 Log File Injection http://packetstormsecurity.org/files/99282/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html
    3. http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
    4. Example 2: BURP SUITE - PART IV: LFI EXPLOIT via LOG INJECTION http://kaoticcreations.blogspot.com/2011/12/burp-suite-part-iv-lfi-exploit-via-log_20.html
  2. Wait for an admin to view logs and do whatever you did (XSS)
    1. Example 1: http://xforce.iss.net/xforce/xfdb/50170
    2. Example 2: http://www.securityfocus.com/archive/1/464471

Can also do fun stuff like this (TNS Logfile injection in Oracle)
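
Detection for both variants listed above, as an added example that is not part of the original post: it scans web access log lines for code or markup written into logged fields and for requests that point a parameter at a log file, and escapes a line before it is shown in a browser-based log viewer. The log lines, rule names and the marker payload are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines; the PHP payload is a harmless marker.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/May/2012:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [14/May/2012:10:02:10 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.0.0.9 - - [14/May/2012:10:03:44 +0000] "GET /view.php?page=../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/May/2012:10:05:00 +0000] "GET /%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
]

RULES = [
    # Stage 1: code written into the log through a logged request field.
    ("server-side code tag", re.compile(r"<\?(?:php|=)|<%", re.I)),
    # Variant 2 above: markup that runs when an admin opens the log in a browser.
    ("script markup", re.compile(r"<\s*script\b", re.I)),
    # Stage 2: a request parameter pointing at a log file (LFI onto the log).
    ("log file path in request", re.compile(r"(?:\.\./|/var/log/)[^\s\"]*\.log\b", re.I)),
]


def scan(lines):
    """Return (line_number, rule_name) for every rule hit, URL-decoding first."""
    hits = []
    for number, line in enumerate(lines, start=1):
        decoded = unquote(line)
        for name, pattern in RULES:
            if pattern.search(decoded):
                hits.append((number, name))
    return hits


def render_for_viewer(line):
    """Escape a raw log line before showing it in an HTML log viewer."""
    return html.escape(unquote(line), quote=True)


if __name__ == "__main__":
    for number, name in scan(SAMPLE_LOG):
        print(f"line {number}: {name}")
```

A code-tag hit followed by a log-path request from the same client is the pairing worth alerting on; either one alone is common scanner noise.
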



Saturday, May 12, 2012

Update - Android & SSL Cert

Thanks to the comments left by Zach from our last Android post here, it has been brought to my attention there is an easier way to do all of this with the latest AVD (4.0.3).

After creating your AVD (4.0.3)...

Step 1 - Push PortSwiggerCA.crt up to the emulator's sd card (make sure you've added SD Card support to the AVD when creating it). 






Step 2 - Navigate to Settings > Security > Install Certificate from SD Card






Step 3 - Press Okay, enter a pin or password if asked






Step 4 - Following the install, if you'd like to shutdown the emulator and verify the settings have stuck, navigate to Settings > Security > Trusted Credentials and view the user pane. 






Step 5 - As always, if you'd like to proxy traffic from the emulator, leverage the http-proxy argument....




~cktricky



Android Emulator, Trusted CA, and Persistent Storage

UPDATE - An easier way to do this can be found on our update post here

Android periodically updates its SDK and sometimes when this happens, old methods for importing a Trusted CA, necessary to proxy SSL traffic, will fail and you must find a new solution. Technically speaking, it's not necessarily the import that is the problem, it's saving those changes between restarts of the emulator. If you've worked with the emulator you'll note that after importing a Trusted CA such as BurpSuite's certificate, the changes only take effect once you've rebooted the emulator. In other words, you actually have to restart the emulator, and without these steps, you'll lose your updated Trusted CA list.


Using Android SDK 19, the solution was to move a temporary file and rename it. Let's begin:

After creating your Android Virtual Device (AVD) named "test"....

Step 1 - Run the emulator





Step 2 - While running, pull the cacerts.bks file






Step 3 - Get the keytool






Step 4 - Import the PortSwigger SSL Certificate into the cacerts.bks file w/ keytool
NOTE: Exporting PortSwigger SSL Certificate instructions here - http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html




Step 5 - Remount the emulator /system folder with read-write permissions





Step 6 - Push the cacerts.bks file up onto the emulator





Step 7 - Move the tmp file to your local avd directory and rename it to system.img





Step 8 - Restart, rm cacerts.bks, pull down the copy from emulator, ensure certificate still exists in cacerts.bks file






This data persisted because we moved the temporary copy (emulator-<random string>) from /tmp/android-<myname>/ and renamed it to system.img. Lastly, we placed the image file in the ~/.android/avd/test.avd/ directory.

hack on,

cktricky

Friday, May 11, 2012

From LOW to PWNED [7] HTTP PUT/WebDAV/SEARCH

Post [7] HTTP PUT/WebDAV/SEARCH

Man I love mis-configured WebDAV, I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.

LOW?


IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know, app can't be rewritten...accepted risk...blah blah...no one will ever use this to pwn my network...it's OK if that DA admin script logs into it daily....

The "game" is finding the writable directory (if one exists) on the WebDAV enabled server.
     *Dirbusting and ruby FTW*

I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help, Nessus will actually tell you methods allowed per directory...still a challenge though.

Once you have a directory you want to test you can use cadaver to manually test, davtest, or Ryan Linn's metasploit module for testing for WebDAV.


I've also done some posts on WebDAV in the past

http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html

hdm had done a post on it in the past in relation to the asp payload. I can't find it on the R7 site but it's mirrored here: http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html

Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf

HTTP PUT

HTTP PUT/SEARCH usually gets rolled into



Web scanners are better about alerting on PUT as an available method and most will attempt the PUT for you. I don't think any vuln scanners do, I'm sure someone will correct me if I'm wrong.

Writable HTTP PUT is rare (at least for me) although some friends say they see it all the time.

Metasploit has a module to test for PUT functionality as well.

HTTP SEARCH

HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.
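
A way to review the per-directory method listings mentioned above on servers you administer, as an added example that is not part of the original post: it parses the headers of OPTIONS responses collected per directory and lists the directories that advertise WebDAV write methods or SEARCH. The response headers and directory names are constructed, and the function names are hypothetical.

```python
from email.parser import Parser

WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

# Constructed OPTIONS response headers, keyed by the directory they came from.
SAMPLE_RESPONSES = {
    "/": "Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
         "Allow: OPTIONS, TRACE, GET, HEAD\r\n",
    "/scripts/": "DAV: 1, 2\r\nMS-Author-Via: DAV\r\n"
                 "Allow: OPTIONS, GET, HEAD, PROPFIND, SEARCH\r\n",
    "/uploads/": "DAV: 1, 2\r\nMS-Author-Via: DAV\r\n"
                 "Allow: OPTIONS, GET, HEAD, PUT, DELETE, MKCOL, PROPFIND\r\n",
}


def audit_options(header_text):
    """Summarise what one directory's OPTIONS response advertises."""
    headers = Parser().parsestr(header_text, headersonly=True)
    allowed = {m.strip().upper() for m in headers.get("Allow", "").split(",") if m.strip()}
    return {
        "webdav": headers.get("DAV") is not None,
        "write_methods": sorted(allowed & WRITE_METHODS),
        "search": "SEARCH" in allowed,
    }


def directories_to_review(responses):
    """Return (path, reasons) for directories advertising write methods or SEARCH."""
    review = []
    for path in sorted(responses):
        result = audit_options(responses[path])
        reasons = []
        if result["write_methods"]:
            reasons.append("write methods: " + ", ".join(result["write_methods"]))
        if result["search"]:
            reasons.append("SEARCH enabled (file listing)")
        if reasons:
            review.append((path, reasons))
    return review


if __name__ == "__main__":
    for path, reasons in directories_to_review(SAMPLE_RESPONSES):
        print(path, "->", "; ".join(reasons))
```

The Allow header only shows what a directory advertises; whether a write actually succeeds depends on the directory's permissions, so a listed directory is a candidate for tightening permissions or disabling WebDAV rather than proof of exposure.
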




Monday, May 7, 2012

From LOW to PWNED [6] SharePoint


Post [6] SharePoint

Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:

  • User/Domain Enumeration
  • Access to useful files

Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.


We regularly find awesome stuff once we have access to SharePoint. It's not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.

LOW?


Finding SharePoint servers

Random targets...lots of interesting things can be found with Google dorks.


If you need to look at specific servers:

Stach and Liu have released their SharePoint Diggity tools
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/

You can also roll your own
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt


Examples of open access



If you have credentials you can use web services calls to pull information from AD, from: http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html


Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29