Back… With exploits!

So, sovaldi finally my DNS issues and suchlike got sorted out, and the server has been migrated to a new host. Email is back as of a few hours ago (few issues with MX records and mailboxes or something and emails being delivered 10 times to me, but I think that will fix itself after a few days. I hope so anyway, because being bombed with 100 messages 10 times each is getting plenty bloody annoying).

Everything is upgraded to the new wordpress, no more nasty hacking the config files to get WP to work on a server not designed to run it.

So, while the site was “inactive”, I was working on a whole bunch of new content (and finishing old articles) to publish. Seeing as I have exams, I shall just leave a few gifts here for you to look at until they are over. dietrich may have something for you also :)

So, in order to keep everyone entertained for the next few days, check out the following piece of exploit engineering.

D-LINK DIR-300 and DIR-600 routers have a hilarious preauth remote root flaw in their web interface. A webpage called “command.php” that accepts a “cmd=$cmd” and executes it as root. EPIC FAIL. Why was that there? Ask D-LINK.

It was discovered by a German researcher, @s3cur1ty_de and you can read his original advisory here: http://www.s3cur1ty.de/m1adv2013-003

I had some free time in college, so I knocked up a quick PoC tool to exploit the flaw, and even managed to test the exploit on a friends router after class.

PoC Code: http://pastebin.com/raw.php?i=yPDKP86n

Remote Root

Remote Root

It delivers my customary user friendly shell interface, exploiting command injection. It can also autoenable TELNET and grant Telnet access, though this is seemingly less reliable, it hung when I tried it after rebooting the router.

Will be writing some more exploits, and maybe publishing them soon, so stay tuned ;)

Short Post – Smart 0day Hunting

Ok, ampoule so I had to notice the “Sammy FORGIT” guy dropping exploits all over Packetstorm and Exploit-DB lately. Most of them in WordPress plugins. You can check out the shit he is dropping here – http://packetstormsecurity.org/files/author/9818/

So, patient I had to take a look to see could I notice any “trick” he was using to find ALL THOSE VULNZ! I want the 0day too!

Lets look at two of the exploits as an example – if you look more there IS a discernable pattern, see , I promise you.

http://packetstormsecurity.org/files/113844/WordPress-LB-Mixed-Slideshow-1.0-Shell-Upload.html

http://packetstormsecurity.org/files/113898/e107-Hupsi-Fancybox-1.0.4-Shell-Upload.html

Now, what part of both of those is the vuln in?
/uploader/uploadify.php
/uploadify/upload.php
Now, is this just me, or are both using the Uploadify library?
Could be a coincidence, but I must look deeper! I must find MORE examples of this!

This file explains it:

http://packetstormsecurity.org/files/113576/WordPress-plugin-Foxypress-uploadify.php-Arbitrary-Code-Execution.html

So it is the “uploadify.php” file that is buggy as hell. Lets find more examples of this!

http://packetstormsecurity.org/files/113568/WordPress-Auctions-2.0.1.3-Shell-Upload.html

-> It has “vuln path” of uploadify/upload.php

http://packetstormsecurity.org/files/113283/WordPress-Foxypress-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

http://packetstormsecurity.org/files/113277/WordPress-HTML5-AV-Manager-0.2.7-Shell-Upload.html

-> Has “vuln path” uploadify/custom.php

http://packetstormsecurity.org/files/113274/WordPress-WP-Property-1.35.0-Shell-Upload.html

-> Has “vuln path” uploadify/uploadify.php

So, as you can see, all these use the “Uploadify” PHP library to handle file uploads. This library is the vulnerability that makes ALL these plugins buggy.
ANY software using a vulnerable library like that, is vulnerable to this bug.

So what does this all mean? Well, if you want the 0day to flood in, you should do as Sammy does. Look for libraries a lot of things use, and find vulns in THEM. The product may be secure, but its libraries are likely not. This way, you canhaz ALL the 0day you ever needed.

Now, excuse me while I SVN checkout the entire repo of WordPress plugins :P

Migrated!

Quick update, cure Migration to WordPress is going fairly well.

The old content can still be accessed at http://insecurety.net/index.OLD.html for those that want it, advice however it will all be eventually assimilated into this WordPress blog.

The team is also expanding, with new people coming onboard to share their work and collaborate on new things. So there should be a lot of awesome research and development done!

I am currently finishing off some research into Denial of Service attacks and migitations by posting a series of articles about how they work. I am starting with SYN floods and then just moving along.

As this summer kicks off,  Blackhat Academy is going to be relaunching their site soon, with lots of awesome new content. Having started contributing to their wiki, I have seen the absolutely amazing content they have over there. Go check it out – it is relaunching in June!

The subpages are not yet finished, and this site is still a work in progress (as always), but yeah.  Hope you find something you like here :)

Migration to WordPress: not as easy as it looked…

So, search when I thought “Lets move to stage two, migrate the site to a WordPress CMS”, I figured it would be fairly simple.

LOL, NO! Nothing is ever that simple. The host would not update PHP/MySQL because the ability to run WordPress was a “paid extra”. OK, fine.

Challenge Accepted Motherfuckers!

I mean seriously. Bitch, please. You tell me, a fucking hacker, that I cannot run WordPress on my own account because you want me to PAY for updates?

“So, how long did it take to make WordPress run?”

2 minutes. I basically patched wp-content/version.php to accept MY versions of PHP/MySQL instead of the hard coded minimums. It then worked.

Then came the challenge of lrn2wordpress. Themes, etc. Or rather, remembering why the fuck I installed it in the first place…

Anyways, gotta migrate content…