Posts

Showing posts from May, 2015

HTTP.sys (IIS) DoS And Remote Code Execution

Description:
Denial of Service (DoS) exploits are widely available to exploit CVE-2015-1635, a vulnerability in HTTP.sys, affecting Internet Information Server (IIS). The patch was released on Tuesday (April 14th) as part of Microsoft's Patch Tuesday. Due to the ease with which this vulnerability can be exploited, we recommend that you expedite patching this vulnerability.
Risk: Critical
CVSS Score: 10.0
CVE: CVE-2015-1635

Proof of Concept:
Method 1: Download the nmap script from https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse and save the file in the nmap scripts folder (/usr/share/nmap/scripts/). If the server is vulnerable it will show the following.

Learning gdb for buffer overflow on Linux

Security tube smashing the stack part 1
Vulnerable code
#include <unistd.h>
#include <stdio.h>

/* Deliberately vulnerable: gets() performs no bounds check, so input longer
   than 8 bytes overwrites the saved frame pointer and the return address. */
void GetInput()
{
   char buff[8];
   gets(buff);
   puts(buff);
}

int main()
{
   GetInput();
   return 0;
}


# way to compile (debug symbols, 4-byte stack alignment so the stack layout is easy to follow)
gcc -ggdb -mpreferred-stack-boundary=2 -o demo sec_tube.c

# way to overflow (17 bytes into an 8-byte buffer)
printf "123456789abcdefgh" | ./demo



# GDB Commands
list            // list the program source
list 1          // list the source starting from line 1
break 12        // set a breakpoint on line 12
disas main      // disassemble the main function
run             // run the program
s               // step forward one line
x/8xw $esp      // examine the next 8 words (hex) on the stack
print /x $eip   // print the value of eip in hex

Analyzing Pegasus VM

Hello everyone,
This is my first article. I hope it goes well. Here I will try to solve the Pegasus VM found at https://www.vulnhub.com/entry/pegasus-1,109/



Following are the first 3 steps I used for enumeration:
1) Run Nmap (port scanner)
2) Run Nikto (application scanner)
3) Run dirb (directory buster)


Enumeration:
1) Initially I ran nmap with -sn (ping sweep) to determine all the alive hosts in the segment.
Then I scanned the IP with -A and -sV to enumerate further.



Got the open ports and the services running on those ports.
Let's check the website hosted.



2) Run the Nikto web application scanner for enumeration:



Nikto didn't help much this time, except for the platform information: PHP/5.3.10-1ubuntu3.15

3) Run dirb as shown in the following screenshot for enumeration:



dirb didn't really help. After some manual analysis I came to know that the application sends back an image for any random request.



And a file-not-found response when the extension .php is added to it.


After using dirb, directory buster and wfuzz …
Buffer overflow for Minishare 1.4.1
Coming soon!

Dropbox URL

https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0


Series of hex characters used to determine bad characters during exploit development.

"\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10"
"\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30"
"\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50"
"\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70"
"\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90"
"\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\x…