Posted on

Authorization bypass in Polycom

Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They are fit for meeting rooms and conference halls of various sizes as they support 1 to 3 displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.

So when all the conventional methods to get access to a network, this can work as an entry point of course if they are using this product. Let us see how this can be used in our pen test. Start Metasploit and load the exploit as shown below.

Set the target and check if it’s vulnerable as shown below using “check” command.

You can use the default payload or choose the required payload. I am using the below payload. After setting payload, type command “run” to run the exploit.  The exploit works as shown below.

That was about authorization bypass in Polycom. Want to learn about sql injection. Want to learn Ethical Hacking in Real World Scenarios. Subscribe to our Digital Magazine.

Posted on

File upload in webnms Framework

Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

file upload 1Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
 
file upload 2
 
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
 
file upload
 
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
 
 
 Set the meterpreter payload as shown below.
 
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
 
 
 

That’s all in File Upload in WebNMS Framework. Want to learn Ethical hacking in Real World scenarios. Subscribe to our Digital Magazine.

Posted on 2 Comments

DarkComet Server Remote File Download Exploit

Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need.  Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.

-NEWVERSION : This exploit works on all darkcomet versions from 3.2 to above. If the version we are targeting is above 5.1, we need to set this option to “true”.

-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the  contents of the file will be outputted to console.

-TARGETFILE : the file to be downloaded from the remote system.

Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.

Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.

Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.

Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.

Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.

Posted on 1 Comment

Hack NAGIOS XI RCE with Metasploit

Hello Aspiring Hackers . In this howto, we will see how to hack nagios with Metasploit. Nagios, also known as Nagios Core, is a free and open source computer-software application that is used to  monitor systems, networks and infrastructure. It offers monitoring and alerting services for servers, switches, applications and services. It also alerts users when things go wrong and alerts them a second time when the problem has been resolved.

Versions of Nagios XI 5.2.7 and below suffer from SQL injection, auth bypass, file upload, command injection, and privilege escalation vulnerabilities. This exploit uses all these vulnerabilities to get a root shell on the victim’s machine. Now let’ see how this exploit works. Start Metasploit and load the module as shown below.

Let us set a new payload as shown below.

Set the target IP address as shown below. Use check command to see whether our target is vulnerable as shown below. If our target is vulnerable, type command “run” to execute our exploit. If everything goes right, we will get a shell on our target as shown below.

How to stay safe:

The current version of Nagios available is 5.29. Please update to the latest version.

That’s how we can hack nagios with Metasploit. See how to bypass Windows Applocker. Want to learn Ethical hacking in Real World Scenarios? subscribe to our Digital Magazine Now.

Posted on 3 Comments

Hacking Windows with PoisonIvy buffer overflow

Good Evening friends. Today we will learn about hacking Windows with PoisonIvy buffer overflow exploit. This exploit hacks a system using a vulnerability in a RAT. RAT stands for Remote Access Trojan and is a type of malware. It works when a hacker sends a malicious file to the victim and he clicks on it. When victim clicks the malicious file, it sends a  connection back to the hacker’s machine. The Hacker can control the victim’s machine using command & control server.  Using RAT’s, the hacker can

  • Block mouses and keyboards
  • Change the desktop wallpapers
  • Downloads, uploads, deletes, and rename files
  • Destroys hardware by overclocking
  • Drop viruses and worms
  • Edit Registry
  • Use your internet connection to perform denial of service attacks (DoS)
  • Format drives
  • Steal passwords, credit card numbers
  • Alter your web browser’s homepage
  • Hide desktop icons, task bar and file

(Data from Wikipedia )

The picture given below should explain the scenario. More about RATs later.

You can see the command and control server of Poison Ivy RAT below . Poison Ivy is one of the popular RAT’s and many variants of it are still active. It was used in RSA SecureID attack. Poison Ivy RAT  2.1.x versions suffer from a stack buffer overflow vulnerability. Using this vulnerability, the machines running C&C server can be hacked. So here, its a case of hacker getting hacked.

We will learn more about RATS in our next howtos. But now let us see how to hack a Windows machine running a PoisonIvy C&C server with PoisonIvy buffer overflow exploit. Open Metasploit and load the exploit as shown below. The only option necessary is RHOST. As shown below, this RAT runs on port number 3460. Set the RHOST and check whether the target is vulnerable.

Now, as the target is vulnerable, set the payload and hit on Run. You should get the meterpreter on the remote machine as shown below.

That was all about hacking Windows with PoisonIvy Buffer Overflow.