Posted by Trancer on Jan 26 2010

Here’s a local privilege escalation exploit I wrote, as a Metasploit Meterpreter script, for the South River Technologies WebDrive Service Bad Security Descriptor vulnerability.

This vulnerability was discovered by bellick of the Nine:Situations:Group and the original advisory can be found on the Nine:Situations:Group web site – South River Technologies WebDrive Service Bad Security Descriptor Local Elevation Of Privileges.
As the advisory explains, local elevation of privileges is possible because the security descriptor of the South River Technologies WebDrive service is bad (actually empty).

This exploit was inspired by MC’s HP PML Driver HPZ12 privilege escalation exploit.
In this exploit I’ve also added a mitigation option, which sets a correct service security descriptor for SRT WebDrive. Note that the vulnerability is still unpatched; the exploit was tested on the latest version of SRT WebDrive.
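For readers who want to check their own systems rather than run the exploit, here is an added PowerShell example (not code from the original post or from the Metasploit module). It reads a service’s security descriptor with `sc.exe sdshow`, flags any ACE that grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic write right to a low-privilege principal, and, with `-Fix`, resets the descriptor to the stock Windows service SDDL with `sc.exe sdset`. The service name is a placeholder, since the post does not give it, and the default SDDL is the one Windows applies to a freshly installed service.

```powershell
# Added example, not code from the original post or module: audit a Windows
# service's security descriptor for write-type rights granted to low-privilege
# principals and, on request, reset it to the stock Windows service SDDL.
# The -Fix path needs an elevated PowerShell prompt.
param(
    [string]$ServiceName = 'SERVICE_NAME_PLACEHOLDER',   # placeholder: the post does not give the name
    [switch]$Fix
)

# Descriptor Windows applies to a freshly installed service: SYSTEM (SY) and
# Administrators (BA) get full control, Interactive (IU) and Service (SU) logons
# get query/enumerate rights only, and the SACL audits failed access.
$DefaultSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
               '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
               'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;WD)'

# Principals any local user can act as, by SDDL alias and by well-known SID.
$LowPriv = @{
    'WD' = 'Everyone';            'S-1-1-0'      = 'Everyone'
    'AU' = 'Authenticated Users'; 'S-1-5-11'     = 'Authenticated Users'
    'BU' = 'Users';               'S-1-5-32-545' = 'Users'
    'IU' = 'Interactive';         'S-1-5-4'      = 'Interactive'
    'AN' = 'Anonymous';           'S-1-5-7'      = 'Anonymous'
}

# Rights that let the holder reconfigure the service or rewrite its ACL,
# as two-letter SDDL codes and as raw access-mask bits.
$Dangerous = @{ 'DC' = 'SERVICE_CHANGE_CONFIG'; 'WD' = 'WRITE_DAC'; 'WO' = 'WRITE_OWNER'
                'GA' = 'GENERIC_ALL'; 'GW' = 'GENERIC_WRITE' }
$DangerousBits = @{ 0x2 = 'SERVICE_CHANGE_CONFIG'; 0x40000 = 'WRITE_DAC'; 0x80000 = 'WRITE_OWNER'
                    0x10000000 = 'GENERIC_ALL'; 0x40000000 = 'GENERIC_WRITE' }

function Get-ServiceSddl {
    param([string]$Name)
    # sc.exe prints blank lines before the descriptor; keep the line starting with D: or S:
    $out = & sc.exe sdshow $Name 2>&1
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow failed for '$Name': $($out -join ' ')" }
    ($out | Where-Object { "$_" -match '^[DS]:' } | Select-Object -First 1)
}

function Test-ServiceSddl {
    param([string]$Sddl)
    $findings = @()
    # Isolate the DACL: everything after D: up to the SACL (S:) or the end of the string
    if ($Sddl -notmatch 'D:(?<dacl>.*?)(S:|$)' -or -not $Matches['dacl'].Contains('(')) {
        return ,@('No DACL ACEs found; a NULL DACL means unrestricted access, review this service manually')
    }
    $dacl = $Matches['dacl']
    # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
    $acePattern = '\((?<type>[^;]+);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'
    foreach ($ace in [regex]::Matches($dacl, $acePattern)) {
        if ($ace.Groups['type'].Value -ne 'A') { continue }          # deny ACEs grant nothing
        $sid = $ace.Groups['sid'].Value
        if (-not $LowPriv.ContainsKey($sid)) { continue }
        $who    = "$($LowPriv[$sid]) ($sid)"
        $rights = $ace.Groups['rights'].Value
        if ($rights -like '0x*') {
            # Rights given as a raw access mask instead of two-letter codes
            $mask = [Convert]::ToUInt32($rights.Substring(2), 16)
            foreach ($bit in $DangerousBits.Keys) {
                if ($mask -band $bit) { $findings += "$who has $($DangerousBits[$bit])" }
            }
        } else {
            # Rights are a run of two-character codes, e.g. CCLCSWRPWPDTLOCRRC
            for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) {
                $code = $rights.Substring($i, 2)
                if ($Dangerous.ContainsKey($code)) { $findings += "$who has $($Dangerous[$code]) ($code)" }
            }
        }
    }
    return ,$findings
}

$sddl = Get-ServiceSddl -Name $ServiceName
Write-Host "Current SDDL for ${ServiceName}: $sddl"
$findings = @(Test-ServiceSddl -Sddl $sddl)
if ($findings.Count -eq 0) {
    Write-Host 'No reconfiguration or ACL-write rights granted to low-privilege principals.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Fix) {
        & sc.exe sdset $ServiceName $DefaultSddl      # replaces the whole descriptor
    } else {
        Write-Host 'Re-run with -Fix from an elevated prompt to apply the default descriptor.'
    }
}
```

The same script works for any service, not only WebDrive, which makes it a cheap thing to loop over `Get-Service` output during a host review; `sdset` replaces the entire descriptor, so keep the output of `sdshow` if you need to roll back.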

The exploit was successfully tested on the following platforms:
– South River Technologies WebDrive 9.02 build 2232 on Microsoft Windows XP SP3.

Download srt_webdrive_priv.rb.
Also on Metasploit and exploit-db.

References:
CVE-2009-4606
OSVDB 59080
BID 37955
exploit-db 9970

Categories: Exploits, Metasploit


Posted by Trancer on Jan 25 2010

Wrote a new Metasploit exploit module for the AOL 9.5 Phobos.Playlist ActiveX control Import() stack-based buffer overflow vulnerability.

This module exploits a stack-based buffer overflow within Phobos.dll of AOL 9.5. By setting an overly long value to ‘Import()’, an attacker can overrun a buffer and execute arbitrary code.

This vulnerability was found by Hellcode Research and was published recently by Dz_attacker. There is still no patch from AOL; if you want to test it, you can get the vulnerable package from the AOL 9.5 page.

The exploit was successfully tested on the following platforms:
– AOL 9.5 (Revision 4337.155) on Internet Explorer 7, Windows XP SP3

Phobos.dll version tested:
– File Version: 9.5.0.1
– ClassID: A105BD70-BF56-4D10-BC91-41C88321F47C
– RegKey Safe for Script: False
– RegKey Safe for Init: False
– Implements IObjectSafety: False
– KillBitSet: False

Due to the Safe for Initialization and Safe for Scripting settings of this ActiveX control, exploitation is possible only from the Local Machine Zone, which means the victim must run the generated exploit file locally.
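To make the registration settings listed above checkable on a machine you administer, here is an added PowerShell example (not part of the original post or the exploit module). It reads the Safe for Scripting and Safe for Initialization category keys and the kill bit for the ClassID given above, and with `-SetKillBit` sets the kill bit so Internet Explorer refuses to load the control in any zone. Whether the control implements IObjectSafety cannot be read from the registry, so that row from the list is not covered.

```powershell
# Added example, not code from the original post or module: audit an ActiveX
# control's registration for the settings listed in the post and optionally
# set the kill bit. The CLSID default is the one given in the post.
# Setting the kill bit writes under HKLM and needs an elevated prompt.
param(
    [string]$Clsid = '{A105BD70-BF56-4D10-BC91-41C88321F47C}',
    [switch]$SetKillBit
)

$CatSafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$CatSafeForInit      = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$KillBit             = 0x400                                      # kill bit in "Compatibility Flags"
# Note: 32-bit controls on 64-bit Windows are also registered under Wow6432Node;
# check that view too if 32-bit Internet Explorer is in use.

function Get-ActiveXStatus {
    param([string]$Clsid)
    $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Clsid            = $Clsid
        Registered       = Test-Path $clsidKey
        # Default value of InprocServer32 is the DLL that hosts the control
        ServerPath       = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        # "Safe for ..." is declared by the presence of a component category subkey
        SafeForScripting = Test-Path "$clsidKey\Implemented Categories\$CatSafeForScripting"
        SafeForInit      = Test-Path "$clsidKey\Implemented Categories\$CatSafeForInit"
        CompatFlags      = $flags
        KillBitSet       = [bool]($flags -band $KillBit)
    }
}

function Set-ActiveXKillBit {
    param([string]$Clsid)
    $compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $compatKey)) { New-Item -Path $compatKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit   # keep any other compatibility flags already present
    Set-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -Value $new -Type DWord
}

$status = Get-ActiveXStatus -Clsid $Clsid
$status | Format-List
if (-not $status.Registered) {
    Write-Host "Control $Clsid is not registered on this machine."
    return
}
if ($status.SafeForScripting -or $status.SafeForInit) {
    Write-Warning 'Control is marked safe: pages outside the Local Machine Zone may script or initialize it.'
}
if (-not $status.KillBitSet) {
    if ($SetKillBit) {
        Set-ActiveXKillBit -Clsid $Clsid
        Write-Host 'Kill bit set; Internet Explorer will no longer instantiate this control.'
    } else {
        Write-Host 'Kill bit not set. Re-run with -SetKillBit from an elevated prompt to block the control.'
    }
}
```

The kill bit is the standard way to block a control while waiting for a vendor fix; it survives reinstallation of the DLL, which a plain unregister does not.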

Download aol_phobos_bof.rb.
Also on Metasploit and exploit-db.

References:
OSVDB 61964
exploit-db 11204

Categories: Exploits, Metasploit


Posted by Trancer on Jan 22 2010

Hello everyone. If you’re into exploit development, or new to it and want to learn how to do it, here’s a series of tutorials by Peter Van Eeckhoutte (a.k.a. corelanc0d3r), which I strongly recommend, that will give you solid knowledge in exploit writing.
Today Peter published the latest installment in his exploit writing tutorial series, on Win32 Egg Hunting. Check it out:

Enjoy the reading!

Categories: Exploitation


Posted by Trancer on Jan 21 2010

Hello readers,
From now on you can follow Recognize-Security on Twitter!
Check it out – twitter.com/rec_sec

Categories: Rec-Sec


Posted by Trancer on Jan 21 2010

Security Advisory for cPanel and WHM (WebHost Manager) version 11.25.
Vulnerabilities found:

  • HTTP Response Splitting vulnerability
  • Open Redirection vulnerability

cPanel HTTP Response Splitting Vulnerability – Security Advisory (PDF).
cPanel HTTP Response Splitting Vulnerability – Security Advisory (TXT).

I’d like to point out the lame work of the cPanel Security Team on these vulnerabilities. Usually when I report a vulnerability, I get some kind of interaction with the vendor developers and/or the security team, and most of the time I enjoy working with the people involved. In this case, the cPanel Security Team was unresponsive. Eventually I was forced to release the security advisory even though one of the vulnerabilities (the Open Redirection vulnerability) is still unpatched.

References:
BID 37902
OSVDB 61954
exploit-db 11211

Categories: Advisories


Posted by Trancer on Jan 21 2010

A new version of the Nmap Security Scanner, Nmap 5.20, was released today; it is the first stable release since 5.00.
This version brings tons of improvements, such as improved UDP scanning, new Nmap Scripting Engine scripts, updated OS and version detection and more.
Check out the Change log and announcement of Nmap 5.20.
Download Nmap 5.20.

Categories: Tools


Posted by Trancer on Jan 21 2010

A new version of the penetration testers’ and security experts’ favorite Linux distribution has been released: BackTrack Linux 4.

This version offers new tools, a new kernel and tons of bug fixes. Also, BackTrack Linux is no longer part of remote-exploit.org; it has a new home at backtrack-linux.org.

I have been using the new version for the last couple of days and find it very useful and cool. Recommended!
Download BackTrack Linux 4.

Categories: Tools


Posted by Trancer on Dec 17 2009

Hello everyone,
I’d like to recommend a new and free online course brought to you by the great guys at Offensive Security, the creators of BackTrack Linux distribution.

The Metasploit Unleashed – Mastering the Framework online course will give you a solid knowledge base to start working with the Metasploit Framework, from simple things such as launching an exploit to post-exploitation, Meterpreter scripting and more.

But the greatest thing about this course is its main purpose, which is to promote awareness and raise funds for underprivileged children in East Africa. So if you enjoy the course and find it useful, please make a donation to Hackers For Charity.

Categories: Exploitation, Metasploit


Posted by Trancer on Nov 18 2009

The guys at Rapid7 and the Metasploit team announced the release of version 3.3 of the framework. The new version ships with tons of improvements, bug fixes, new features, exploits and auxiliary modules. I really recommend it. For the complete list of changes, read the announcement post by HD Moore – Metasploit Framework 3.3 released!
You can download the new version from the Metasploit website.

Categories: Metasploit, Tools


Posted by Trancer on Nov 02 2009

The Microsoft Security Intelligence Report volume 7 (January through July 2009) has been released.
As usual in the Security Intelligence Report, Microsoft summarizes the state of security and cyber-crime on the Internet, vulnerabilities in its products and exploitation in the wild for the first half of 2009.
Microsoft Security Intelligence Report volume 7.

Categories: Security News


Posted by Trancer on Nov 01 2009

Hello readers. If you haven’t heard about it already, on October 21st, 2009, the hackers’ favorite exploitation framework – the Metasploit Project – was acquired by Rapid7, a vulnerability management, compliance, and penetration testing company. Yep, a commercial company.

The Metasploit Project creator, HD Moore, and one of the developers, Egypt, now have full-time jobs working on and developing the Metasploit Project: HD in the position of Chief Architect of Metasploit and Egypt as a core developer of Metasploit at Rapid7.

If you read this blog often you have probably noticed that I’m a big supporter of the Metasploit Project. I use it on a daily basis, performing penetration tests and exploit development while at work, or at home for fun. As you may guess, my feelings about the acquisition are mixed. On one side this is a good thing, a big step for the Metasploit Project. Now it’ll grow and develop faster, and we, the users, will get a better, faster, more advanced and less buggy program, and I believe we’ll start seeing faster release cycles. But on the other side, the Metasploit Project, which was a free, open source, community driven project, is now managed by a commercial company. I think the worst case scenario will be if Rapid7 decides to make Metasploit a commercial product, which would be a sad thing. This wouldn’t be the first time this has happened to a good security product. The best example here is the Nessus vulnerability scanner, which was acquired by Tenable Network Security back in 2005.

I hope the fate of the Metasploit Project won’t be the same as Nessus. HD Moore stated on the Metasploit blog that the project will remain free and open source. So, if that’s the case, and as long as the Metasploit Project stays that way, I think the users should be happy about it. I will continue to support the Metasploit Project, develop exploits and other modules for it, and contribute in every way I can.
I guess all there’s left to say is congratulations to HD Moore and Egypt for the acquisition, keep on rocking.

References:
>> Metasploit Rising – HD Moore writes about the acquisition on the Metasploit blog.
>> Rapid7 Acquires Metasploit – The Metasploit acquisition announcement by Rapid7’s CEO.
>> Rapid7 Acquisition FAQ – Questions and answers about the acquisition.
>> Metasploit + Rapid7 shakes up pen-test landscape – Ryan Naraine writes about the changes in the penetration testing market following the acquisition.

Categories: Metasploit, Security News


Posted by Trancer on Oct 31 2009

Hello readers. Digital Whisper, the Israeli security\hacking\programming web magazine, is out with its second issue.
This month’s issue features the following articles:

  • SSL & Transport Layer Security Protocol by cp77fk4r
  • Manual Unpacking by Zerith
  • Virus Loading Techniques by cp77fk4r
  • RFID Hacking by cp77fk4r
  • Port Knocking by cp77fk4r
  • Kerberos v5 Protocol by cp77fk4r
  • DNS Cache Poisoning by cp77fk4r

You can download it here – Digital Whisper issue #2.

Have a great reading.

Categories: Security News

