Posts

Showing posts from 2012

Attacking Windows 8 with Java Exploit and Metasploit

In the last post I was talking about how to obfuscate a Java exploit (CVE-2012-4681, link here); now I want to show you how an attacker can use this obfuscated exploit for a targeted attack. This is intended to be the second part of the Wordpress Cookie Grabber video, because I will show what you can do once you have compromised a website, frank's blog in this case. The victim will be only the administrator. The exploit code in the previous article just escapes from the Java sandbox and launches the Windows calculator. What we want to do is launch something different, like a Meterpreter reverse shell which will connect back to the attacker. Thus, to the previous code we have to add a download & execute class/method. I opted for a new class, but you can certainly add a method to the same class. This new class, called NewClass (I'm lacking in fantasy), will download a Meterpreter executable from a remote host and save it with the name fsc73B8.tmp.exe into the temp folder, after t...

Java Exploit Code Obfuscation and Antivirus Bypass/Evasion (CVE-2012-4681)

Why not play a game where we try to make the latest (at the time of writing) public Java exploit (CVE-2012-4681) undetected by all antivirus engines and see who will be the last to detect it? I think it will be a fun "challenge", because evading antivirus has always had its charm. I will not use software obfuscators like ProGuard, Allatori, Zelix KlassMaster etc., because that would not be fun. This is not intended to be an analysis or explanation, because there are already great posts here: http://immunityproducts.blogspot.com.ar/2012/08/java-0day-analysis-cve-2012-4681.html http://www.deependresearch.org/2012/08/java-7-vulnerability-analysis.html http://www.h-online.com/security/features/The-new-Java-0day-examined-1677789.html Before we start we need to make two considerations. From The Current Web-Delivered Java 0Day: So while you may see a few links to Virustotal with the inevitable complaining that a scanner is missing a specific chunk of altered code along wi...

Wordpress Cookie Grabber

In a previous video, Wordpress XSS + Internet Explorer 8 Exploit, I showed you how you can use a cross-site scripting vulnerability to redirect a victim using Internet Explorer to a malicious site containing an exploit for version 8. Another way is to use it as a cookie grabber. From Wikipedia: A cookie, also known as an HTTP cookie, web cookie, or browser cookie, is usually a small piece of data sent from a website and stored in a user's web browser while a user is browsing a website. When the user browses the same website in the future, the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity. Basically, when a user visits the "infected" page, all cookies of that domain that the page's JavaScript can read (cookies flagged HttpOnly are not exposed through document.cookie) will be sent to a script which will store the information in a file/db or send it via email to the attacker. After selecting our WordPress target (franksite.dot/wordpress) we use a vulnerability scanner called wpscan developed by ethicalhack3r ...

Google winning award email scam

Just a quick post, because I've never seen this type of scam (using Google as the vector), but I think it's an old technique. I have won a cash prize from Google, but why did Gmail move the email to the spam folder? :( PDF attached. The graphics seem to have been created with Paint, because they are horrible. If they have to convince people to send their credentials, they could at least make a better template.

From XSS to NT AUTHORITY

A lot of times I have seen cross-site scripting vulnerabilities classified as low impact or not significant. Thus, this time I want to show you how an attacker can get administration privileges through a simple XSS. A couple of months ago I discovered an XSS vulnerability affecting the UK website of Orange, http://www.orange.co.uk . I emailed them a month ago (and again two weeks ago) regarding this vulnerability, but I haven't received any response yet. From Wikipedia: Orange is the flagship brand of the France Telecom group for mobile, landline and Internet businesses, with 226 million customers as of December 2011 and, under the brand Orange Business Services, is one of the world. How did I find this XSS? When you read an article, for example this one, obesity_levels_could_be_cut_with_20_fat_tax, you can see the users' comments at the bottom of the page. If a user wants to leave a comment, he must log in via Google, Facebook etc. Once logged in, the website creates a profil...

CartaSi phishing email part 2/2

Behind these phishing emails, are there several people or just one guy? What I think is that there is only one guy, because if you check the title of this script you see it written "assembled by ME"; if it were a team it would say "Assembled by XYZ team". Where is he from? His mother tongue is Romanian and I think he lives in Italy. As you can see below, there are several files written in Romanian, and the stolen information is sent to a Fastweb email address that you cannot create if you don't live in Italy. I was wrong in the previous article saying that the phisher hacked the website, because it was defaced by FERID23 from anti-armenia.org. I suppose that at the end of September 2011 this phisher found it, uploaded a shell and created several folders in this order: d3b (Postepay information stealer), stf (CartaSi, UK PayPal, Banca Intesa, IT PayPal, Postepay, VISA), pastote (CartaSi, PayPal, VISA, BancoPostaclick). Taking a look at the pastote folder we see that ...