Open Source and information security mailing list archives
 
From: badpack3t at security-protocols.com (badpack3t)
Subject: Wood's Infinity Project 3.69a Remote Command Execution

This advisory is for "Wood's Infinity Project 3.69a" available at:
http://exploit.wox.org/thecore/W-infscan-369a.zip

[17:10] * Now talking in #morning_wood
[17:10] * Topic is ''
[17:10] * Set by ChanServ on Wed Jun 11 04:19:51
[17:10] <b0iler> morning_wood knows security well?
[17:10] <b0iler> I need help.
[17:11] <b0iler> is this morning_wood?
[17:15] <{DWL}Vinyl> ya
[17:15] <{DWL}Vinyl> wassup
[17:15] <b0iler> you are any good at perl security?
[17:16] <{DWL}Vinyl> some ya
[17:16] <b0iler> I need help verifying if this vuln is exploitable.
[17:16] <{DWL}Vinyl> hey
[17:16] <{DWL}Vinyl> can you
[17:16] <{DWL}Vinyl> go to
[17:17] <{DWL}Vinyl> exploitlabs.com:6667
[17:17] <{DWL}Vinyl> .#0sec
[17:17] <{DWL}Vinyl> it my server

[17:17] * Now talking in #0sec
[17:17] * Topic is 'http://nothackers.org - 0day - Freedom of Voice - Freedom of Choice'
[17:17] * Set by MrWood on Tue Jun 10 22:13:11
[17:17] <#0sec> Welcome to 0sec
[17:18] <b0iler>        @values = split(/\&/,$ENV{'QUERY_STRING'});
[17:18] <b0iler>        foreach $i (@values) {
[17:18] <b0iler>                ($varname, $mydata) = split(/=/,$i);
[17:18] <b0iler>                $FORM{$varname} = $mydata;
[17:18] <b0iler>        }
[17:18] <b0iler>        $host = "$FORM{'host'}";
[17:18] <b0iler>        $host =~ tr/+/ /;
[17:18] <b0iler>        $host =~ tr/\%/a/;
[17:18] <b0iler>         $host =~ tr/\;/b/;
[17:18] <b0iler>        $host =~ tr/</c/;
[17:19] <b0iler>        $host =~ tr/>/d/;
[17:19] <b0iler>        $host =~ tr/\|/e/;
[17:19] <b0iler>        $host =~ tr/\&/f/;
[17:19] <b0iler>        $host =~ tr/\^/g/;
[17:19] <b0iler>        $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
[17:19] <b0iler>        $hostname = `$nslookuplocation $host`;
[17:19] <MrWood> shell code?
[17:19] <b0iler> ?
[17:19] <b0iler> .cgi?host=$(echo 'h0n0!')
[17:19] <MrWood> hehe
[17:19] <b0iler> that would execute commands on this server.. right?
[17:20] <MrWood> you want to run this on a remote server?
[17:20] <b0iler> this is in a .cgi
[17:20] <MrWood> havin the .pl on it first
[17:20] <MrWood> ?
[17:20] <b0iler> I want to find vulnerabilities in this .cgi
[17:20] <b0iler> I believe this is one.
[17:20] <MrWood> ahhh
[17:20] <b0iler> you see.. the programmer of this .cgi is not very knowledgeable.
[17:20] <MrWood> do you have a httpd with perl?
[17:21] <b0iler> I think they have problems in their code.
[17:21] <MrWood> if you uploaded the cgi to me
[17:21] <MrWood> i could let you access it on my box, but i run NT
[17:22] <MrWood> wtf is         $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
[17:22] <b0iler> that is converting url encoding into ascii
[17:22] <b0iler> %hexhex into ascii
[17:22] <MrWood> isn't that hex for a serial port?
[17:23] <b0iler> MrWood: you already have the .cgi.
[17:23] <MrWood> i do?
[17:23] <b0iler> it is nph-exploitscanget.cgi
[17:23] <b0iler> you programmed it.
[17:23] <MrWood> where?
[17:23] <MrWood> url?
[17:23] <b0iler> http://exploit.wox.org/thecore/W-infscan-369a.zip
[17:24] <MrWood> the worst is
[17:24] <MrWood> on that
[17:24] <MrWood> there is a call
[17:24] <MrWood> to local nslookup
[17:24] <MrWood> if you replace
[17:24] <MrWood> 'nslookup'
[17:24] <MrWood> with ummm
[17:24] <MrWood> lets say
[17:25] <MrWood> tftp - yourhost.com get file.ext file.ext
[17:25] <MrWood> it should execute local
[17:25] <MrWood> :)
[17:25] <b0iler> what you say makes no sense at all.
[17:26] <MrWood> if you replace that call
[17:26] <MrWood> then upload it to remote server
[17:27] <b0iler> and get... *gasp* cgi privileges on a local server.  lol.
[17:27] <MrWood> it will execute the call you replaced when the script hits that function
[17:27] <MrWood> yes
[17:27] <b0iler> I will be posting this log to FD list.
[17:30] <b0iler> your security list is a joke. your website is a joke.
your code is a joke.
[17:30] <MrWood> i have 3 advisories on hold
[17:30] * Disconnected (Quit: joke.)
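
The fragment b0iler pastes above runs nslookup through backticks after a character-by-character blacklist. As an added example, not code from the advisory or from Wood's Infinity Project, the Perl below reimplements that blacklist beside an allowlist hostname check and a shell-free call to nslookup; the function names and the nslookup path are assumptions.

```perl
#!/usr/bin/perl
# Added example: the log's blacklist beside an allowlist and a shell-free
# lookup. Function names and the nslookup path are assumptions.
use strict;
use warnings;

# The filter as pasted in the log. Each tr/// rewrites one character, but
# '$', '(', ')', '`' and newline are never touched, so an interpolated
# backtick string still hands a command substitution to /bin/sh.
sub filter_blacklist {
    my ($host) = @_;
    $host =~ tr/+/ /;
    $host =~ tr/\%/a/;
    $host =~ tr/\;/b/;
    $host =~ tr/</c/;
    $host =~ tr/>/d/;
    $host =~ tr/\|/e/;
    $host =~ tr/\&/f/;
    $host =~ tr/\^/g/;
    return $host;
}

# Allowlist instead: accept only RFC 1123 style labels (letters, digits,
# inner hyphens) joined by dots. Anything else is rejected outright, so a
# leading '-' cannot become an nslookup option either.
sub is_safe_hostname {
    my ($host) = @_;
    return 0 if length($host) == 0 || length($host) > 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

# The list form of open() execs the program directly with $host as a
# single argv element; no shell ever parses the string.
sub lookup_hostname {
    my ($nslookup, $host) = @_;          # $nslookup: path, e.g. /usr/bin/nslookup
    die "rejected hostname\n" unless is_safe_hostname($host);
    open(my $fh, '-|', $nslookup, $host) or die "cannot run $nslookup: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;
}

# Self-check on a constructed input (the payload quoted in the log):
# the blacklist leaves it untouched, the allowlist refuses it.
my $probe = q{$(echo 'h0n0!')};
printf "blacklist changed probe: %s\n", filter_blacklist($probe) eq $probe ? 'no' : 'yes';
printf "allowlist accepts probe: %s\n", is_safe_hostname($probe) ? 'yes' : 'no';
printf "allowlist accepts example.com: %s\n", is_safe_hostname('example.com') ? 'yes' : 'no';
```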

There is a massive XSS problem in the 404 script mrwood uses.  Here is a PoC
for this 0day advisory: http://exploit.wox.org/<b>a</b>
There is a serious plain text password and default password problem in the
script available at: http://take.candyfrom.us/bionet-logger1-2.zip

There is also an advisory on the 0day (http://nothackers.org) list's use of
its own "wood-discloser" (some kind of strange full-disclosure
mutation with no vendor notification, no exploit code, flakey
vulnerabilities, and "0days" which do not compile - they only form structures
of poorly written English sentences).  It claims it releases
information immediately, but as the log shows mrwood himself is withholding
vulnerability information from the public.  According to mrwood's
own logic, this is putting 10trillion,billion,million people at
risk from 0days and attack.  Wood-discloser will save us all from
attack!  Praise Ali!

peace out,

---------------------------
badpack3t
founder
www.security-protocols.com
---------------------------


