lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 16 Jun 2014 01:24:58 -0700
From: "Ben Lincoln (F7EFC8C9)" <F7EFC8C9@...eaththewaves.net>
To: fulldisclosure@...lists.org
Subject: [FD] [Tool] XXE exploit automation - On The Outside, Reaching In 0.2

This has been my weekend project off and on since February. I would 
still consider it in a "preview" state, but I also think it's far enough 
along to be useful to at least a few people.

The idea behind it is to use a Metasploit-style module system 
specifically for XXE exploit code. This allows a common interface, 
including the ability to automate downloads of numerous files, or 
automatically walk the directory structure if the vulnerable system is 
based on Java.

This initial release includes a number of different modules for four 
different vulnerable software packages:

CVE-2013-6407 - Apache Solr
SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1
CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without 
Hotfix 940148)
CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3

To my knowledge, this is the first public release of exploit code for 
CVE-2013-6407 and CVE-2012-2239.

The Squiz Matrix and Mahara modules make use of On The Outside, Reaching 
In's co-conspirator She Wore A Mirrored Mask, which is an extremely 
lightweight webserver that pretends to be something innocuous (Apache 
Coyote 1.1 by default), but is actually used for Yunusov-Osipov-style 
out-of-band XXE data-exfiltration.

Again, these are really early versions, and the code is a bit of a mess, 
but they do work very effectively, at least if you run them under Python 
2.7.3. The code is GPLv3.

Main pages:

http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html
http://www.beneaththewaves.net/Software/She_Wore_A_Mirrored_Mask.html

In-depth tutorials:

http://www.beneaththewaves.net/Software/OTORI_-_Example_1_Apache_Solr.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_2_Squiz_Matrix.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_3_Mahara.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_4_McAfee_ePO.html

Feedback is appreciated, and if anyone is able to make good use of them 
in a pen-test, I'd love to hear about it.

- Ben Lincoln

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists