8/10/17

Rancher Server Docker Exploit

Utilizing Rancher Server, an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container. As the docker container executes command as uid 0 it is honored by the host operating system allowing the attacker to edit/create files owed by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server. The Docker image should exist on the target system or be a valid image from hub.docker.com. Use `check` with verbose mode to get a list of exploitable Rancher Hosts managed by the target system.


https://packetstormsecurity.com/files/144539/Rancher-Server-Docker-Exploit.html

5/10/17

Vulnerabilidad RCE en Tomcat (CVE-2017-12617): HTTP PUT + bypass jsp upload

El equipo de Apache Tomcat anunció que todas las versiones de Tomcat anteriores a la 9.0.1 (Beta), 8.5.23, 8.0.47 y 7.0.82 en todos los sistemas operativos contienen una vulnerabilidad de ejecución remota de código (RCE) si el servlet por defecto y/o el servlet WebDAV se configura con el parámetro readonly a false.

https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html

http://www.hackplayers.com/2017/10/vulnerabilidad-rce-en-tomcat-cve-2017-12617.html

Para comprobar si un servidor es vulnerable sólo hay que chequear el init-param en el fichero web.xml correspondiente:
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>

2/10/17

An exploit for Apache Struts CVE-2017-5638

struts-pwn

An exploit for Apache Struts CVE-2017-5638

Usage

Testing a single URL.

python struts-pwn.py --url 'http://example.com/struts2-showcase/index.action' -c 'id'

Testing a list of URLs.

python struts-pwn.py --list 'urls.txt' -c 'id'

Checking if the vulnerability exists against a single URL.

python struts-pwn.py --check --url 'http://example.com/struts2-showcase/index.action'

Checking if the vulnerability exists against a list of URLs.

python struts-pwn.py --check --list 'urls.txt'

Requirements

  • Python2 or Python3
  • requests

Legal Disclaimer

This project is made for educational and ethical testing purposes only. Usage of struts-pwn for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

License

The project is licensed under MIT License.

Author

Mazin Ahmed

Automated Pentest Recon Scanner



Sn1per is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

parameth

parameth

This tool can be used to brute discover GET and POST parameters
Often when you are busting a directory for common files, you can identify scripts (for example test.php) that look like they need to be passed an unknown parameter. This hopefully can help find them.

24/9/17

BlueBorn

The dangers of Bluetooth implementations: Unveiling zero day vulnerabilities and security flaws in modern Bluetooth stacks. Ben Seri & Gregory Vishnepolsky




http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper-1.pdf?t=1505950263370