
Posted on Wednesday, 23rd September 2009 by Michael

Null Session Scanning

For a recent audit I was tasked with checking a class C network for null sessions. The task itself sounds simple, doesn't it? But I am not one to just run a quick scan without verifying my work, and that led to an interesting discovery. On my first run at the network I used NTscan and discovered 1 machine with a null session open. If this had been correct, the client would have definitely improved their security posture since the last audit they had from another company. To verify my work I then ran xscan v3; though I prefer their older versions, I could not find a working clean copy in the short time frame I had. This scan returned 3 open machines. Now this was odd, but I chalked it up to maybe another machine coming up in the time it took to run the tools. The third scan I ran with a tool called netscan, and this tool not only returned 16 machines open but returned all the drive information with their permissions. Now this totally baffled me, so I ran all three tools one after another and the same results came up. I also manually checked the machines that returned results and each one was indeed open. With this in mind I figured the only safe way to confirm what was truly open was to manually test the full class C using net commands. So to do this I wrote a simple shell script for CYGWIN to verify the machine was up and then to check it for null sessions. The script returned 26 null sessions; I verified a sampling of them and confirmed my results. The script is attached. The script was not written with the ability to quickly change it with variables, as I needed it quickly and did not have time to make it look real pretty. If you would like to customize the script please feel free to do so, or if you need help please feel free to ask.

Part 1:

Verify the node is up: ShareScan: http://genxweb.net/wp-content/uploads/2007/06/shareup.zip

This script will go through a txt file and verify that the IP addresses inside the file are up; if they are up, it moves them to another file that will be used by the scanner to check for null sessions.

Part 2:

Check for null session: Scan Share: http://genxweb.net/wp-content/uploads/2007/06/scanshare.zip

This script takes the IP addresses that were found to be up in the first part and runs the net use commands on them, checking for null sessions. Error checking is basic: we use a simple truth statement (&&) to say that if the share was mapped successfully, then disconnect it.

Side note: I first published this article on my old site http://www.genxweb.net

Posted in Code | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

PayPal Garage Sale Point of Sale system

So I am about to have a garage sale and want to accept credit cards so people can't say they don't have money. I searched all over the internet and there is nothing in the form of a POS for PayPal users. So what do I do? I create a down and dirty one using a simple batch file.

Check out the code below.

Title Yard Sale Paypal Check Out
@echo off
cls
set /p ItemNo=Item No:
set /p ItemName=Item Name:
set /p Price=Price:
pause

REM Build a PayPal "Buy Now" form in Out.htm. ^< and ^> escape the HTML
REM angle brackets so cmd does not treat them as redirections.
echo ^<form target="paypal" action="https://www.paypal.com/cgi-bin/webscr" method="post"^>>Out.htm
echo ^<input type="hidden" name="cmd" value="_xclick"^>^<input type="hidden" name="amount" value="%Price%"^>>>Out.htm
REM Replace you@your.com with the PayPal account that should receive payment.
echo ^<input type="hidden" name="business" value="you@your.com"^>>>Out.htm
echo ^<input type="hidden" name="item_name" value="%ItemName%"^>>>Out.htm
echo ^<input type="hidden" name="item_number" value="%ItemNo%"^>>>Out.htm
echo ^<input type="hidden" name="return" value="www.divepa.com/thanks.html"^>>>Out.htm
echo ^<input type="hidden" name="cbt" value="Continue"^>>>Out.htm
echo ^<input type="image" src="cart.jpeg" border="0" name="submit" alt="button"^>^</form^>>>Out.htm
echo ^<br^>^<br^> >>Out.htm
echo You are purchasing item: %ItemName% for %Price% if you agree click the cart above and complete your transaction >>Out.htm

pause
REM start treats the first quoted argument as a window title, so pass an
REM empty title before the quoted program path.
start /max "" "C:\Program Files\Internet Explorer\iexplore.exe" Out.htm

All you do is copy the above code into a Notepad file and save it as paypal.cmd, then double click it and fill in the blanks. Make sure you change the email field first to your PayPal email account.

Posted in Code | Comments (0)

Posted on Wednesday, 23rd September 2009 by Michael

PHPizabi: Possible vulnerability in information disclosure and database integrity

Vendor: Notified. I notified the vendor of this issue over three months ago and have not heard back from them regarding this threat. According to their website there have been no patches or core releases since the ones I have listed below.

Version: PHPizabi 0.848b C1 HFP1 (Alicia)

Hot fixes: 848 Core HotFix Pack 3 0848bC1_HFP3.zip and below

Product Info:

“More than a simple script, dating script, or even just a matchmaker; PHPizabi is a feature rich social networking platform that integrates everything you need to jumpstart your community, dating site, or social networking portal right out of the box. PHPizabi is one of the most reliable, safe, and solid platforms on the market, offering your users features they could only dream of.”

Vulnerability:

In the default configuration and installation of this script the “system” dir is left open allowing indexing. When I discovered that the system dir was open I was able to download the configuration file that contained sensitive information about the site such as the database connection information including username and password.

To exploit:

1) Google: “Powered by PHPizabi”

2) http://sitename.com/system/

3) Download the file and open it in an editor.

Temp solutions:

1) Add a .htaccess to the system dir that says

a. Options -Indexes

b. Note this will not stop the attacker from using wget on http://sitename.com/system/config.inc.php to retrieve the file.

2) Make sure that the database can only be accessed locally.

a. The host I had permission to test this on had the database open to remote connections.

The vendor should have the file die if it is accessed directly, like they do if you try to access a file in the admin directory directly.
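The direct-access guard recommended above, as an added illustration that is not PHPizabi's own code: the application entry point defines a marker constant before including the configuration file, and the configuration file refuses to run when that constant is absent. The constant name PHPIZABI_LOADED, the file layout and the placeholder credentials are assumptions.

```php
<?php
// ---- index.php (application entry point) ----
// Only the entry point may load internal files, so it defines a marker
// constant first. PHPIZABI_LOADED is a hypothetical name, not PHPizabi's.
define('PHPIZABI_LOADED', true);
require_once dirname(__FILE__) . '/system/config.inc.php';
echo 'Database configured: ' . $db_name . ' as ' . $db_user;

// ---- system/config.inc.php ----
// Die when requested directly (GET /system/config.inc.php), mirroring the
// behaviour the advisory describes for files in the admin directory.
// Nothing below the exit is evaluated, so nothing reaches the client.
if (!defined('PHPIZABI_LOADED')) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}

// Constructed placeholder values; a real install holds live credentials here.
$db_host = 'localhost';   // keep the database listening locally only
$db_name = 'phpizabi';
$db_user = 'app_user';
$db_pass = 'CHANGE_ME';
```

Because the guard only runs when PHP processes the file, pair it with a web-server rule in system/.htaccess such as `<Files "config.inc.php">Deny from all</Files>` (Apache 2.2 syntax) so a direct wget is refused even if PHP is not invoked for that request.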

Tested on: This has been tested against my site www.xxxxxxxx.com. I have done some edits to the code to protect my site and contacted the host about the database settings. The site address has been “X”ed out to protect it from people trying the attack against it.

Vulnerability Classification: Possible vulnerability in information disclosure and database integrity.

Thanks

Michael LaSalvia

www.digitaloffensive.com

Posted in Security Advisories | Comments (0)
