5/8/2021 0 Comments Burp Offline Activation
The Accounts database information is also uploaded, which contains Sync tokens for the majority of the applications installed on your device, potentially taking control of all your online accounts and services The following screenshots have been provided by IFPDZ showing a selection of his findings.In the past few days, Myself and DaniyalSabyrkul have been working together researching Minacriss Services and how they operate.We put together a structured plan that would cover the entirety of his services.
Burp Offline Activation Activator Application AndThis operation included reverse engineering the MinaActivator application and the Server hosting his activation platform. Step 1 - Burp Suite Proxy I was responsible as part of this project to observe the operations of his Web Server which authorises device activations. My first action was finding all of the IP addresses related to Minacriss operations. I opened Hopper Dissasembler (Well worth the buy if youre considering it) to see if I could find any hardcoded IP addresses as strings in the binary. It seems the values were encoded and simply decoded at runtime. Lets go, Burp Suite Using Burp Suite Web Proxy (for intercepting the traffic from Mina Activator) and the well-known ping command, I was able to create a small list of the relevant IP addresses which we will use in Shodan to get an idea of where the relevant servers are hosted, and potential vulnerabilities. Step 2 - Shodan After very little work in Shodan, I indentified a few immediate areas of weakness in his services. The first being that SSH port ( 22 ) was exposed to the internet. This essentially means we can attempt a remote login to the server from our machine. My thought here is that maybe a firewall would block the traffic and would only allow traffic from a whitelisted IP address (A select list of IP addresses would be allowed to connect) for that port. I was able to repeatedly attempt logins from any IP address and there was no sort of lockout system in place. The second, more worrying discovery is that a MySQL instance was also running on this same server, directly exposed to the internet. This is extremely bad practise, and absolutely not necessary in almost any situation. There isnt much more to say here other than Minacriss is not too concerned about the data he is holding. In this case, its minamdm.com. This site features a login portal intented for resellers and end users, but could lead us into a central database holding even more values. I took note of some of the key details around these web-forms and was able to generate a valid login. Im not going to describe the specifics of discovering and exploiting the vulnerability to prevent any potential misuse as I cant verify the vulnerability has been fixed yet ( Minacriss servers are now offline ). However for now ill mention the attack type which turned out to be succesful was a form of SQL Injection. Burp Offline Activation Verification The IssueFollowing verification the issue is fixed, ill update this section with further details. ![]() Not so great, as this could reveal even more personal data. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |